Tabby is a linux box rate as easy. We need to get /etc/tomcat9/tomcat-users.xml file to collect credential through LFI. Then, we could upload WAR file to victim to gain initial shell. To move into ash shell, we have to crack the backup zip file. To escalate into root, we could abusing lxd group membership to obtain root privilege.
Blunder is a linux box rate as easy. We need to obtain credential of Bludit v3.9.2 by bruteforce login in order to get a shell. Then, enumerate Bludit files to get user password to switch user into hugo. From there, we could abuse sudo vulnerability to gain root shell.
Monteverde was an Active Directory box that requires enumerating user accounts via smb then bruteforce smb login via msf module to log in as user shell. Then we find more credentials by enumerating the machine and abusing Azure Admin to retrieve plain text credential in order to gain Admin shell.
Resolute was a medium level Windows computer that included a list of users and login discoveries for the SMB system. This password has been pulsed into the SMB login via hydra to the usernames identified. The listing of the privilege escalation led us to another member of the DnsAdmins group. Then, by violating his admin’s right to charge the DLL injection to obtain the Admin shell.
Admirer is an easy box that need to exploit Adminer 4.6.2 to get credential for initial shell then abusing shutil module for python library hijacking to escalate into root shell.
It was a medium-difficulties Linux box that allowed players to spot an initial access bug on the python-based web server. Once we have initial access to the reverse shell, another script to encrypt the password would have to be examined to gain higher privilege
Linux box of medium difficulty. The early shell used MongoDB to brute the user’s passwords using NoSQL bypass. To raise root privilege, it was enough for a system equipped with a permissive SUID.
It has an OpenNetAdmin Web-based framework vulnerable to execution of Remote Code. We will compromise all users on the box after collecting some passwords and recon. One account has a sudo entry with nano root permissions which allows root privileges to raise.
It’s an easy-rate box. We will exploit the Redis service to obtain the first interactive shell. Then, we will go up to the next user by reviewing further. We will use the documented CVE 2019–12840 vulnerability on the root shell to exploit the Webmin server.
Discover live hosts in subnet and scan for open ports.
tool bash scannerHttp Login Bruteforce python script with WAF fingerprint and Web Protection fingerprint
tool python scanner bruteforceI got a task to clean some malicious files in Windows. Instead of removing manually the malicious files, im going to do simple batch script to automated the task. Due to the privacy, im just write the dummy malicious samples.
tool bash scannerI got a task to make a simple script to scan for open ports during my class HACKING-TECHNIQUES-AND-PREVENTION project.
tool python scannerI got a task to make a simple script to brute force Caesar Cipher using Python during my class HACKING-TECHNIQUES-AND-PREVENTION project.
tool python caesar decryptionNotes i gathered after reading Practical Web Penetration Testing - Gus Khawaja. Service probing and enumeration. In the preceding step, we used the Nmap script to quickly probe each service that we found. In this step, we will take this information to the next step and try to probe aggressively. This script is too noisy in production environment. Hence, know your target is crucial. The Nmap scripts that we will use in the following examples are both very aggressive and time-consuming:
note htb nmapsome references i made after enrolled udemy course by Zaid Sabih (Learn Website Hacking / Penetration Testing From Scratch)
note htb websome notes i gathered online when doing ctf pentesting. Super credit to all pages that have been mentioned. https://book.hacktricks.xyz/ https://sushant747.gitbooks.io/total-oscp-guide/ https://www.hackingarticles.in/penetration-testing/ https://guide.offsecnewbie.com/ https://github.com/swisskyrepo/PayloadsAllTheThings
note htb pentestA beginner friendly walkthrough for internet of things (IoT) pentesting from TryHackMe CTF
TryHackMe CTF: 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
In order to gain root shell, we need to escalate our privilege from local user to root to have best permission on the current system. Privilege escalation could be exploit by different techniques depending on how the linux system is configured by system admin. Here, we can learn different techniques to obtain root shell.
Notes i gathered after reading Practical Web Penetration Testing - Gus Khawaja. Service probing and enumeration. In the preceding step, we used the Nmap script to quickly probe each service that we found. In this step, we will take this information to the next step and try to probe aggressively. This script is too noisy in production environment. Hence, know your target is crucial. The Nmap scripts that we will use in the following examples are both very aggressive and time-consuming:
note htb nmapsome notes i gathered online when doing ctf pentesting. Super credit to all pages that have been mentioned. https://book.hacktricks.xyz/ https://sushant747.gitbooks.io/total-oscp-guide/ https://www.hackingarticles.in/penetration-testing/ https://guide.offsecnewbie.com/ https://github.com/swisskyrepo/PayloadsAllTheThings
note htb pentestBlind SQL injection vulnerability in the cookie header. Able to retrieve the contents of the table to obtain the username and password of administrator.
some references i made after enrolled udemy course by Zaid Sabih (Learn Website Hacking / Penetration Testing From Scratch)
note htb webnoobuser@attackdefense:~$ id uid=999(noobuser) gid=999(noobuser) groups=999(noobuser) noobuser@attackdefense:~$ sudo -l Matching Defaults entries for noobuser on attackdefense: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD User noobuser may run the following commands on attackdefense: (root) NOPASSWD: /usr/sbin/apache2
privesc LD_PRELOAD linuxhttps://www.ctf.live/challengedetails?cid=21 escape restricted shell fesal@rbash_attackdefense:~$ :set shell=/bin/bash :shell export PATH=.bin:/usr/bin/ echo $PATH use wget SUID to transfer file to /etc/sudoers cd /tmp vi sudoers :i[enter] - to edit file fesal ALL=(ALL) NOPASSWD:ALL :wq - - to save exit file python -m SimpleHTTPServer 8009 & -O /etc/sudoers ~~[why need '&' - to use terminal and simpleServer works in bg]~~ export URL=http://127.0.0.1:8009/sudoers export LFILE=/etc/sudoers wget $URL -O $LFILE sudo -i root@rbash_attackdefense:~$
privesc wget SUIDnoobuser@attackdefense:~$ id uid=999(noobuser) gid=999(noobuser) groups=999(noobuser) noobuser@attackdefense:~$ sudo -l Matching Defaults entries for noobuser on attackdefense: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD User noobuser may run the following commands on attackdefense: (root) NOPASSWD: /usr/sbin/apache2
privesc LD_PRELOAD linuxhttps://www.ctf.live/challengedetails?cid=21 escape restricted shell fesal@rbash_attackdefense:~$ :set shell=/bin/bash :shell export PATH=.bin:/usr/bin/ echo $PATH use wget SUID to transfer file to /etc/sudoers cd /tmp vi sudoers :i[enter] - to edit file fesal ALL=(ALL) NOPASSWD:ALL :wq - - to save exit file python -m SimpleHTTPServer 8009 & -O /etc/sudoers ~~[why need '&' - to use terminal and simpleServer works in bg]~~ export URL=http://127.0.0.1:8009/sudoers export LFILE=/etc/sudoers wget $URL -O $LFILE sudo -i root@rbash_attackdefense:~$
privesc wget SUIDhomepage
HackerTest.net is your own online hacker simulation. With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge. HackerTest.net will help you improve your JavaScript, PHP, HTML and graphic thinking in a fun way that will entertain any visitor! Have a spare minute? Log on! Each level will provide you with a new, harder clue to find a way to get to another level. Will you crack HackerTest.net?_
ctf web javascript phpThe best protection for everyday web users who loves to stream online content. Secures Windows, Mac, Android, and Linux devices.
malware antivirusIn order to gain root shell, we need to escalate our privilege from local user to root to have best permission on the current system. Privilege escalation could be exploit by different techniques depending on how the linux system is configured by system admin. Here, we can learn different techniques to obtain root shell.
TryHackMe CTF: 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
A beginner friendly walkthrough for internet of things (IoT) pentesting from TryHackMe CTF
The adversary is attempting to keep their foothold. Persistence refers to strategies used by adversaries to maintain access to systems despite restarts, changing credentials, and other disruptions that may terminate their access.