Expand my hacking skills
dk144 - Education and Career - DK30 Fall 2020
Description
I am going to use this month to expand the skills and knowledge in my career field (I’m a cyber security analyst). I have bought a subscription to the site tryhackme.com so now I have to put my actions where my money is. My goal is to complete one room each day (5 days a week) and then write up an explanation/guide of the room and what I did to hack that machine.
Recent Updates
Day 12 - Active Directory Basics
Today was just a learning day for Active Directory. Active Directory is a system that is used to organize networks so they are easier to manage. As an attacker it is important to understand how Active Directory works in order to be able to exploit it when you are in a network. It is one of the easiest ways to move around a network once you have gained initial access.
Lab
- What is the name of the Windows 10 operating system?
Windows 10 Enterprise Evaluation
- What is the second “Admin” name?
Admin2
- Which group has a capital “V” in the group name?
Hyper-V Administrators
- When was the password last set for the SQLService user?
5/13/2020 8:26:58 PM
Day 11 - Network Services 2
Today was very similar to yesterday but exploiting NFS, SMTP and MySQL.
Exploiting NFS
- Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?
s
- Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.
-rwSr-Sr-x
- Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with “./bash -p”. The -p persists the permissions, so that it can run as root with SUID, as otherwise bash will sometimes drop the permissions.
- Great! If all’s gone well you should have a shell as root! What’s the root flag?
THM{nfs_got_pwned}
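The sanity check above hinges on reading the mode string that `ls -la` prints, and the room also later asks you to hunt for SUID files. The block below is an added example for this write-up (not part of the TryHackMe room): it decodes a 10-character mode string, explaining the difference between a lowercase `s` and a capital `S` in the execute positions, and then walks a directory with `os.lstat` to list every setuid/setgid file so it can be compared against an approved baseline. The mode strings, the baseline set and the directory are constructed for illustration.

```python
"""Interpret ls -l mode strings and audit a directory tree for setuid/setgid files.

Added example for this write-up; not code from the TryHackMe room.
The mode strings and the baseline below are constructed for illustration.
"""
import os
import stat


def parse_mode(mode_str):
    """Describe the special bits in a 10-character ls -l mode string.

    In the owner and group execute positions a lowercase 's' means the
    setuid/setgid bit is set together with the execute bit, while a capital
    'S' means the bit is set but that class's execute bit is not. 't'/'T'
    in the last position is the sticky bit with/without execute for others.
    """
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as -rwsr-xr-x")
    owner_x, group_x, other_x = mode_str[3], mode_str[6], mode_str[9]
    return {
        "setuid": owner_x in "sS",
        "setuid_without_exec": owner_x == "S",
        "setgid": group_x in "sS",
        "setgid_without_exec": group_x == "S",
        "sticky": other_x in "tT",
    }


def find_special_files(root):
    """Yield (path, flags) for every regular file under root with setuid or setgid set.

    Uses lstat so symlinks are not followed; unreadable entries are skipped.
    """
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, parse_mode(stat.filemode(st.st_mode))


def diff_against_baseline(found, baseline):
    """Return the special-bit files that are not in the approved baseline."""
    return sorted(set(found) - set(baseline))


if __name__ == "__main__":
    # Constructed strings: the room's sanity-check output, a normal setuid binary, a plain file.
    for s in ("-rwSr-Sr-x", "-rwsr-xr-x", "-rwxr-xr-x"):
        print(s, parse_mode(s))
    # Constructed baseline: setuid programs one would expect on a stock system.
    baseline = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}
    current = [path for path, _flags in find_special_files("/usr/bin")]
    print("unexpected special-bit files:", diff_against_baseline(current, baseline))
```

Run it as root to audit a whole filesystem; anything reported as unexpected (a copy of bash on an NFS export, for instance) deserves a look.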
Exploiting SMTP
- What is the password of the user we found during our enumeration stage?
alejandro
- Great! Now, let’s SSH into the server as the user. What are the contents of smtp.txt?
THM{who_knew_email_servers_were_c00l?}
Exploiting MySQL
- First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?
auxiliary/scanner/mysql/mysql_schemadump
- Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?
x$waits_global_by_latency
- Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?
auxiliary/scanner/mysql/mysql_hashdump
- Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?
carl
- Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”. What is the user/hash combination string?
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
- Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?
doggie
- Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service? What’s the contents of MySQL.txt
THM{congratulations_you_got_the_mySQL_flag}
Day 10 - Network Services
This was a great room for learning about SMB, telnet and FTP. It provided a walkthrough for exploiting each of those services. I think smb was the most interesting to me.
Exploiting SMB
- What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit
- Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?
john cactus
- What service has been configured to allow him to work from home?
ssh
- Okay! Now we know this, what directory on the share should we look in?
.ssh
- This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
id_rsa
- What is the smb.txt flag?
THM{smb_is_fun_eh?}
Exploiting Telnet
- Great! It’s an open telnet connection! What welcome message do we receive?
SKIDY'S BACKDOOR.
- Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
n
- Start a tcpdump listener on your local machine using: “sudo tcpdump ip proto \icmp -i tun0” This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
- Now, use the command “ping [local tun0 ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
y
- We’re going to generate a reverse shell payload using msfvenom. This will generate and encode a netcat reverse shell for us. What word does the generated payload start with?
mkfifo
- What would the command look like for the listening port we selected in our payload?
nc -lvp 4444
- Success! What is the contents of flag.txt?
THM{y0u_g0t_th3_t3ln3t_fl4g}
Exploiting FTP
- What is the password for the user “mike”?
password
- Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted
- What is ftp.txt?
THM{y0u_g0t_th3_ftp_fl4g}
Day 9 - Introductory Networking
This room felt like my networking class in college. It went through the OSI model and TCP/IP model. Then we looked at some basic tools like ping and traceroute. I already knew almost all this information so I just filled out the little quizzes at the end of each section. It was nice to be able to get a room done quickly as I was not really wanting to do it today. Hopefully I’ll be up for some more actual learning tomorrow.
Day 8 - Vulnversity
This has been my favorite room so far. It was a full walkthrough of exploiting a server. We started with recon. Then moved to exploiting a vulnerability we found in the recon stage. Then once on the server we escalated our privilege to be the root user.
Recon
The recon stage was easy, just used a simple nmap scan. nmap -sV 10.10.56.222
- Scan the box, how many ports are open?
6
- What version of the squid proxy is running on the machine?
3.5.12
- How many ports will nmap scan if the flag -p-400 was used?
400
- Using the nmap flag -n what will it not resolve?
DNS
- What is the most likely operating system this machine is running?
Ubuntu
- What port is the web server running on?
3333
Locating Directories
This was a new recon technique. Gobuster is a tool that looks for directories on web servers. It can find directories and files that you may not be supposed to be able to access. In this case we find a place to upload files to the server.
gobuster dir -u http://10.10.56.222:3333 -w /usr/share/wordlists/directory-list-2.3-medium.txt
- What is the directory that has an upload form page?
/internal/
Compromise
The file upload part of the website is a little tricky because it doesn’t allow the normal types of files we would want to use to exploit the server. But once we find a file type that is allowed, a quick Google search is all it takes to find an exploit.
- Try upload a few file types to the server, what common extension seems to be blocked?
.php
- Run this attack, what extension is allowed?
.phtml
- What is the name of the user who manages the webserver?
bill
- What is the user flag?
8bd7992fbe8a6ad22a63361004cfcedb
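The upload form blocked `.php` but let `.phtml` through, which is the classic failure of filtering by a blocklist. As an added example for this write-up (not the room’s upload handler), the block below puts a blocklist check of that shape next to an allowlist check that only accepts the extensions the feature actually needs, normalises the name first, and stores the file under a server-generated name so the user-supplied filename never reaches disk. All filenames are constructed.

```python
"""Upload extension filtering: blocklist pattern beside the allowlist pattern.

Added example for this write-up; not the room's upload handler.
Filenames used in the demo are constructed for illustration.
"""
import os
import secrets

# Weak pattern: deny only the extension the author thought of. It rejects
# "x.php" but accepts "x.phtml", which the server in the room executed anyway,
# so the check does not keep server-side code off the box.
BLOCKED_EXTENSIONS = {".php"}


def blocklist_allows(filename):
    """The blocklist check, kept here to show why it fails."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


# Hardened pattern: accept only what the feature needs, compare the final
# extension case-insensitively, and drop any path components first.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def allowlist_allows(filename):
    """True only if the final extension is on the allowlist."""
    base = os.path.basename(filename)
    if base in ("", ".", "..") or "\x00" in base:
        return False
    ext = os.path.splitext(base)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def safe_stored_name(filename):
    """Return a random on-disk name that keeps only the (allowed) extension.

    Raises ValueError for anything the allowlist rejects, so callers cannot
    forget to validate. The original name is never used on disk.
    """
    if not allowlist_allows(filename):
        raise ValueError("file type not permitted")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed filenames covering the case the room exposed.
    for name in ("photo.png", "page.php", "page.phtml", "image.png.phtml", "photo.PNG"):
        print(f"{name:18} blocklist={blocklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
    print("stored as:", safe_stored_name("photo.png"))
```

Pair the allowlist with a web server rule that refuses to execute anything in the upload directory; the extension check alone is only the first layer.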
Privilege Escalation
Now that we have a shell on the server we want to escalate to be the root user. This was the part where I had to do the most googling, but I eventually understood how this exploit works and could get it to run on the server!
- On the system, search for all SUID files. What file stands out?
/bin/systemctl
- Its challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?
a58ff8579f0a9270368d33a9966c7fd5
Day 7 - OWASP Juice Shop
This room looks at the top 10 vulnerabilities in web applications. OWASP has made their own website to show off the different types of vulnerabilities. This room walks you through how to exploit a website highlighting some of the things OWASP built into their site. It was a good blend of reading and hands on learning but I didn’t really do anything on my own, just followed the directions and answered the questions.
Day 6 - Web Fundamentals
This room had a lot of reading about how the internet works. I already knew most of that information so I skimmed the reading and went right for the hands on stuff at the end. The questions at the end were testing my ability to use the tool curl, which is a command line tool used to interact with websites.
Mini CTF
- What’s the GET flag?
- Command:
curl 10.10.100.86/ctf/get
- Answer: thm{162520bec925bd7979e9ae65a725f99f}
- What’s the POST flag?
- Command:
curl -X POST --data "flag_please" 10.10.100.86/ctf/post
- Answer: thm{3517c902e22def9c6e09b99a9040ba09}
- What’s the “Get a cookie” flag?
- Command:
curl -c cookie.txt 10.10.100.86/ctf/getcookie
- Answer: thm{91b1ac2606f36b935f465558213d7ebd}
- What’s the “Set a cookie” flag
- Command:
curl -b "flagpls=flagpls" 10.10.100.86/ctf/sendcookie
- Answer: thm{c10b5cb7546f359d19c747db2d0f47b3}
Day 5 - Hydra
Hydra is a really nice password bruteforcing tool. It has built in support for many different protocols including SSH, FTP, and web forms to name a few. This room was some good hands on learning with two passwords to brute force.
Web password brute force
The command I used to brute force the web password is:
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.7.10 http-post-form "/login:username=^USER^&password=^PASS^:incorrect" -V
molly is the username which is given to us in the question. Then we have a list of passwords in the rockyou.txt file. We put the IP address next with the protocol we are attacking, in this case http-post-form. Then because this is a web attack we have to tell hydra the URL to use. /login is the web page for the login screen. The username and password fields are just variables that refer to the username and password list we put earlier in the command. Then the last part is what to look for to know we failed. In this case the website will give us an error message of “username or password is incorrect” so I just used the word incorrect. Once that command runs hydra gives us the password “sunshine” which we can use to log in on the web page and get the flag.
- Use Hydra to bruteforce molly’s web password. What is flag 1?
THM{2673a7dd116de68e85c48ec0b1f2612e}
SSH password brute force
The command I used to brute force the SSH password is: hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.7.10 ssh
This command is basically the same as the one above. We have the username and password list followed by the IP address to attack. Then we just specify that we want to guess passwords for the ssh protocol and that’s it. The password this time was butterfly and we can use that to log in via ssh and find the next flag.
- Use Hydra to bruteforce molly’s SSH password. What is flag 2?
THM{c8eeb0468febbadea859baeb33b2541b}
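Both hydra runs above look the same from the server’s side: one source address sending a burst of login attempts in a short window, against the web form in the first case and against sshd in the second. The block below is an added example for this write-up (not part of the room or of Hydra) showing the detection logic a defender would run over those logs: it parses web access-log lines for POSTs to the login path and sshd “Failed password” lines, then applies one sliding-window counter per source address. The log lines, addresses, thresholds and the `/login` path are constructed for illustration; the web parser counts every POST to the login page because, as the write-up notes, the application signals a bad login with an “incorrect” message rather than a distinct status code.

```python
"""Flag password-guessing bursts in web access logs and sshd auth logs.

Added example for this write-up; not part of the TryHackMe room or of Hydra.
All log lines, addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format, e.g.
# 10.0.0.5 - - [15/Oct/2020:10:00:01 +0000] "POST /login HTTP/1.1" 200 512
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# sshd auth log, e.g.
# Oct 15 10:00:01 host sshd[123]: Failed password for molly from 10.0.0.5 port 4444 ssh2
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)


def parse_access_failure(line, login_path="/login"):
    """Return (timestamp, ip) for a POST to the login form, else None.

    The status code is deliberately ignored: a form that answers a bad login
    with a 200 page saying "incorrect" cannot be told apart by status, so the
    attempt rate is what we measure.
    """
    m = ACCESS_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != login_path:
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def parse_sshd_failure(line, year=2020):
    """Return (timestamp, ip) for an sshd failed-password line, else None.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


def find_bursts(events, threshold=10, window_seconds=60):
    """Sliding-window counter per source address.

    events: iterable of (timestamp, ip), in time order per address.
    Returns {ip: timestamp of the attempt that crossed the threshold}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def scan_lines(lines, parser, **kwargs):
    """Parse lines with the given parser and report bursty source addresses."""
    events = [ev for ev in (parser(line) for line in lines) if ev is not None]
    return find_bursts(events, **kwargs)


# Constructed samples: 12 form POSTs in 12 seconds from one address plus normal
# traffic from another, and 6 sshd failures from the same bursty address.
SAMPLE_ACCESS = [
    f'10.10.14.3 - - [15/Oct/2020:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 200 1234'
    for i in range(12)
] + [
    '192.0.2.7 - - [15/Oct/2020:10:00:05 +0000] "GET /login HTTP/1.1" 200 980',
    '192.0.2.7 - - [15/Oct/2020:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
]
SAMPLE_SSHD = [
    f'Oct 15 10:01:{i:02d} vuln sshd[{900 + i}]: Failed password for molly '
    f'from 10.10.14.3 port {40000 + i} ssh2'
    for i in range(6)
]

if __name__ == "__main__":
    print("web form bursts:", scan_lines(SAMPLE_ACCESS, parse_access_failure, threshold=10))
    print("sshd bursts:    ", scan_lines(SAMPLE_SSHD, parse_sshd_failure, threshold=5))
```

Hydra with the rockyou list produces far more than ten attempts a minute, so even this simple counter catches it; the hard part in practice is picking a threshold that does not flag a user fumbling a forgotten password.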
Day 4 - Nessus
Nessus is a vulnerability scanner tool. I use a tool like this at work to check the security of our servers. This room was very basic in its introduction which would be great to learn how vulnerability scanners work. It was mostly unnecessary for me though.
Section 1 - Introduction
- As we log into Nessus, we are greeted with a button to launch a scan, what is the name of this button?
new scan
- Nessus allows us to create custom templates that can be used during the scan selection as additional scan types, what is the name of the menu where we can set these?
policies
- Nessus also allows us to change plugin properties such as hiding them or changing their severity, what menu allows us to change this?
plugin rules
- Nessus can also be run through multiple ‘Scanners’ where multiple installations can work together to complete scans or run scans on remote networks, what menu allows us to see all of these installations?
scanners
- Let’s move onto the scan types, what scan allows us to see simply what hosts are ‘alive’?
host discovery
- One of the most useful scan types, which is considered to be ‘suitable for any host’?
basic network scan
- Following a few basic scans, it’s often useful to run a scan wherein the scanner can authenticate to systems and evaluate their patching level. What scan allows you to do this?
credentialed patch audit
- When performing Web App tests it’s often useful to run which scan? This can be incredibly useful when also using nitko, zap, and burp to gain a full picture of an application.
web application tests
Section 2 - Scanning
- Create a new ‘Basic Network Scan’ targeting the deployed VM. What option can we set under ‘BASIC’ to set a time for this scan to run? This can be very useful when network congestion is an issue.
schedule
- Under discovery set the scan to cover ports 1-65535. What is this type called?
port scan(all ports)
- As we are connected to the network via a VPN, it may be to our benefit to ‘tone down’ the scan a bit. What scan type can we change to under ‘ADVANCED’ for this lower bandwidth connection?
scan low bandwidth links
- After the scan completes, which ‘Vulnerability’ can we view the details of to see the open ports on this host?
nessus syn scanner
- There seems to be a chat server running on this machine, what port is it on?
6667
- Looks like we have a medium level vulnerability relating to SSH, what is this vulnerability named?
ssh weak algorithms supported
- What web server type and version is reported by Nessus?
apache/2.4.99
Section 3 - Web application scanning
- What is the plugin id of the plugin that determines the HTTP server type and version?
10107
- What authentication page is discovered by the scanner that transmits credentials in cleartext?
login.php
- What is the file extension of the config backup?
.bak
- Which directory contains example documents? (This will be in a php directory)
/external/phpids/0.6/docs/examples
- What vulnerability is this application susceptible to that is associated with X-Frame-Options?
clickjacking
- What version of php is the server using?
5.5.9-1ubuntu4.26
Day 3 - Metasploit
This room continues the intro learning path that I am on. Metasploit is one of the most popular “hacker” tools. It is an open-source framework focused on exploiting vulnerable machines. I have used it a tiny bit before so it’s good to learn more about all the things I can do with this tool.
—Writeup—
Core Commands
- The help menu has a very short one-character alias, what is it?
-?
- Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching?
search
- Once we’ve found the module we want to leverage, what command we use to select it as the active module?
use
- How about if we want to view information about either a specific module or just the active one we have selected?
info
- Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can ‘talk’ to it. What command is this?
connect
- Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)?
banner
- We’ll revisit these next two commands shortly, however, they’re two of the most used commands within Metasploit. First, what command do we use to change the value of a variable?
set
- Metasploit supports the use of global variables, something which is incredibly useful when you’re specifically focusing on a single box. What command changes the value of a variable globally?
setg
- Now that we’ve learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I’m looking for a specific three-letter command which is used to view the value of single variables.
get
- How about changing the value of a variable to null/no value?
unset
- When performing a penetration test it’s quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file?
spool
- Leaving a Metasploit console running isn’t always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file? This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file.
save
Modules
- Easily the most common module utilized, which module holds all of the exploit code we will use?
exploit
- Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation?
payload
- Which module is most commonly used in scanning and verification machines are exploitable? This is not the same as the actual exploitation of course.
auxiliary
- One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities?
post
- Commonly utilized in payload obfuscation, which module allows us to modify the ‘appearance’ of our exploit such that we may avoid signature detection?
encoder
- Last but not least, which module is used with buffer overflow and ROP attacks?
NOP
- Not every module is loaded in by default, what command can we use to load different modules?
load
Move that Shell
In this section we walked through the process of scanning and exploiting a machine.
We’re in, now what?
This section showed off some of the things you can do with a meterpreter shell on the victim machine. We looked at the info of the victim computer and the privileges we have with the current shell. We can also deploy lots of extra modules from Metasploit to steal credentials or run a server on the victim machine.
Day 2 - Burp Suite
This room was another guide to learning a hacking tool. This time the tool is Burp Suite, which is a framework of web application pentesting tools. I have never used this tool before so I’m excited to learn a lot. This room was more of a walkthrough teaching me about all the things Burp Suite can do, so the writeup is weird as I just followed along with most of the questions. I put the questions that did have answers below.
—Writeup—
Section 1 - Target
The target section of burp suite allows you to define your scope and view a map of the site you are testing.
- Browse around the rest of the application to build out our page structure in the target tab. Once you’ve visited most of the pages of the site return to Burp Suite and expand the various levels of the application directory. What do we call this representation of the collective web application?
site map
- What is the term for browsing the application as a normal user prior to examining it further?
happy path
- The issue definitions found here are how Burp Suite defines issues within reporting. While getting started, these issue definitions can be particularly helpful for understanding and categorizing various findings we might have. Which poisoning issue arises when an application behind a cache process input that is not included in the cache key?
web cache poisoning
Section 2 - Repeater
The repeater section allows you to repeat requests to the site you are testing while being able to easily change variables in the request.
- Try logging in with invalid credentials. What error is generated when login fails?
invalid email or password
- Now that we’ve sent the request to Repeater, let’s try adjusting the request such that we are sending a single quote (’) as both the email and password. What error is generated from this request?
sqlite_error
- What field do we have to modify in order to submit a zero-star review?
rating
- Submit a zero-star review and complete this challenge!
Section 3 - Intruder
Intruder is the module of Burp Suite that does a lot of the attacking work. There are 4 different modes that all allow you to brute force fields in a website (like usernames and passwords).
- Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?
pitchfork
- How about the attack type which allows us to use one payload set in every single position we’ve selected simultaneously?
battering ram
- Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?
cluster bomb
- Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?
sniper
Section 4 - Sequencer
The sequencer module is an interesting one that I don’t really understand. It does something with analyzing the quality of the randomness of things on the website that should be completely random.
Section 5 - Decoder and Comparer
The decoder is pretty straightforward. It is a tool that decodes encrypted data. The comparer tests the difference between responses or other pieces of data.
Day 1 - Nmap room
The first room for the month has simple tasks meant to teach me how to use the nmap tool. I have used this tool before so I am hoping to know most of the info and maybe learn something new.
—Writeup—
Section 1 - Quiz
The quiz section for this room requires you to look at the help page for the nmap tool and find the different options the author wants you to be familiar with. I have the questions and my answers below. Not much explanation needed, I just looked up the answers. The first question helps you get to the help page with the command
nmap -h
- First, how do you access the help menu?
-h
- Often referred to as a stealth scan, what is the first switch listed for a ‘Syn Scan’?
-SS
- Not quite as useful but how about a ‘UDP Scan’?
-sU
- What about operating system detection?
-O
- How about service version detection?
-sV
- Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?
-v
- What about ‘very verbose’? (A personal favorite)
-vv
- Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?
-oX
- Aggressive scans can be nice when other scans just aren’t getting the output that you want and you really don’t care how ‘loud’ you are, what is the switch for enabling this?
-A
- How do I set the timing to the max level, sometimes called ‘Insane’?
-T5
- What about if I want to scan a specific port?
-p
- How about if I want to scan every port?
-p-
- What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run.
--script
- What if I want to run all scripts out of the vulnerability category?
--script vuln
- What switch should I include if I don’t want to ping the host?
-pn
Section 2 - Nmap Scanning
Now in this section I actually got to run some commands and use the tool against the server. The server tryhackme gave me to attack had the IP address 10.10.135.113.
- Let’s go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address?
nmap -SS
- After scanning this, how many ports do we find open under 1000?
Command: nmap -sS 10.10.135.113 -- Answer: 2
- What communication protocol is given for these ports following the port number?
tcp
- Perform a service version detection scan, what is the version of the software running on port 22?
Command: nmap -sV 10.10.153.113 -- Answer: 6.6.1p1
- Perform an aggressive scan, what flag isn’t set under the results for port 80?
Command: nmap -A 10.10.153.113 -- Answer: httponly
- Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it’s good to still run this scan and get used to using it as it can be invaluable.
Command: nmap -sC -sV -T4 --script vuln 10.10.135.113 -- Answer: http-slowloris-check
And that was the end of the room. On to day 2!
Estimated Timeframe
Oct 15th - Nov 15th
Week 1 Goal
5 rooms/writeups complete
Week 2 Goal
10 rooms/writeups complete
Week 3 Goal
15 rooms/writeups complete
Week 4 Goal
20 rooms/writeups complete