feat: CPTS Information gathering labs
amandaguglieri committed Sep 16, 2024
1 parent 77b6137 commit d80dc84
Showing 14 changed files with 204 additions and 38 deletions.
Empty file added .trash/Untitled.md
Empty file.
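Review bot: `.trash/Untitled.md` is an empty scratch file from an editor's trash folder and does not belong in the docs commit; drop it from this change and add `.trash/` to `.gitignore` so it is not picked up again.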
2 changes: 1 addition & 1 deletion docs/OWASP/WSTG-CONF-06.md
Expand Up @@ -13,7 +13,7 @@ tags:

# Test HTTP Methods

!!! quote ""
!!! quote "OWASP"
[OWASP Web Security Testing Guide 4.2](index.md) > 2. Configuration and Deploy Management Testing> 2.6. Test HTTP Methods

|ID|Link to Hackinglife|Link to OWASP|Description|
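Review bot: the admonition title change is fine; while on this line, the breadcrumb in context reads "Configuration and Deploy Management Testing> 2.6" and is missing the space before `>` (the WSTG-INPV-03 page below has it right: "Testing > 7.3").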
2 changes: 1 addition & 1 deletion docs/OWASP/WSTG-INPV-03.md
Expand Up @@ -12,7 +12,7 @@ tags:

# Testing for HTTP Verb Tampering

!!! quote ""
!!! quote "OWASP"
[OWASP Web Security Testing Guide 4.2](index.md) > 7. Data Validation Testing > 7.3. Testing for HTTP Verb Tampering

|ID|Link to Hackinglife|Link to OWASP|Description|
2 changes: 1 addition & 1 deletion docs/cpts-index.md
Expand Up @@ -33,7 +33,7 @@ tags:
| 19 | File Inclusion | | 8 hours | Web Exploitation | |
| 20 | File Upload Attacks | | 8 hours | Web Exploitation | |
| 21 | Command Injections | | 6 hours | Web Exploitation | |
| 22 | Web Attacks | | 2 days | Web Exploitation | |
| 22 | Web Attacks | [Web exploitation](webexploitation/index.md) | 2 days | Web Exploitation | |
| 23 | Attacking Common Applications | | 4 days | Web Exploitation | |
| 24 | Linux Privilege Escalation | | 8 hours | Post-Exploitation | |
| 25 | Windows Privilege Escalation | | 4 days | Post-Exploitation | |
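Review bot: the new link for row 22 targets `webexploitation/index.md`, but that file is not among the 14 files in this commit (the only file added under that directory is `docs/webexploitation/http-verb-tampering.md`); confirm the index page already exists in the tree, otherwise the link is broken in the rendered site.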
153 changes: 144 additions & 9 deletions docs/cpts-labs.md
Expand Up @@ -1476,36 +1476,137 @@ Results: nginx
**What is the API key in the hidden admin directory that you have discovered on the target system?**

```
ffuz -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://$ip -H "HOST: FUZZ.inlanefreight.htb" -fs 120
# Consider the following:
# Do not add $ip and domain to /etc/hosts
#
# 1. Add $ip inlanefreight.htb to /etc/hosts
# 2. Create variable $port
# 3. Do a vhost scan. For instance
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.inlanefreight.htb" -fs 120
# 4. Add the discovered VHOST to /etc/hosts
# 5. Enumerate the site
dirb http://web1337.inlanefreight.htb:$port
# 6. There is a robots.txt file in the results, with a hiden admin panel. Trying to access directly the panel returns a 404. However we could try to fuzz it deeper:
ffuf -recursion -recursion-depth 1 -u http://web1337.inlanefreight.htb:53178/admin_h1dd3n/FUZZ -w /usr/share/seclists//Discovery/Web-Content/common.txt
# 7. There is one result: index.html. Go to http://web1337.inlanefreight.htb:$port/admin_h1dd3n/index.html to retrieve the flag.
```

Results:
Results: e963d863ee0e82ba7080fbf558ca0d3f

 **After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., [email protected].**

```
# 1. Following the previous question, additional vhost discovery could be done:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.web1337.inlanefreight.htb" -fs 120
# Add the second discovered VHOST (`dev`) to /etc/host, and visit the site http://dev.web1337.inlanefreight.htb/index.html. Notice that there is a next button, that takes you to a http://dev.web1337.inlanefreight.htb/index-123.html. Set-up an intruder attack with Numbered payload
```

Results:
![pay](img/payload_00.png)

![pay](img/payload_02.png)

Results: [email protected]


**What is the API key the inlanefreight.htb developers will be changing too?**


![pay](img/payload_01.png)

Results: ba988b835be4aa97d068941dc852ff33




## [Vulnerability Assessment](https://academy.hackthebox.com/module/details/108)

### Nesus

#### Nessus Skills assessment


**What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)**

Authenticate to port 22  with user "htb-student" and password "HTB_@cademy_student!". Start nessus and go to the IP:8834 url. Have a look at the windows scan.

Results: wsus


**What was the target for the authenticated scan?**

Results: 172.16.16.100


**What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?**

Results: 156032



 **What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)**

Results: VNC Server Unauthenticated Access



 **What port is the VNC server running on in the authenticated Windows scan?**


Results: 5900


### Openvass

#### Openvass Skills assessment

**What type of operating system is the Linux host running? (one word)**

Results: Ubuntu


**What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)**

Results: Anonymous FTP Login Reporting


**What is the IP of the Linux host targeted for the scan?**

Results: 172.16.16.160


**What vulnerability is associated with the HTTP server? (Case-sensitive)**

Results: Cleartext Transmission of Sensitive Information via HTTP



Question

```
```

Results:
Results:





Question

```
```

Results:


## [Vulnerability Assessment](https://academy.hackthebox.com/module/details/108)


Question
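Review bot: step 6 (`ffuf -recursion -recursion-depth 1 -u http://web1337.inlanefreight.htb:53178/admin_h1dd3n/FUZZ ...`) hardcodes port 53178 while every other command in the block uses `$port`; use `$port` there too so the walkthrough still works when the lab respawns on a different port. In the same block `/usr/share/seclists//Discovery/Web-Content/common.txt` has a doubled slash and "hiden" should be "hidden". The two new subsection headings are misspelled ("Nesus" should be "Nessus", "Openvass" should be "OpenVAS"), and the second `## [Vulnerability Assessment](...)` heading near the end of this hunk duplicates the one above it; the empty "Question" / empty-fence / "Results:" placeholders under it are template leftovers that should be filled in or removed before merge.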
Expand All @@ -1514,7 +1615,41 @@ Question
```

Results:
Results:




Question

```
```

Results:




Question

```
```

Results:




Question

```
```

Results:



## [File Transfers](https://academy.hackthebox.com/module/details/24)
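Review bot: this hunk only adds four more empty "Question" placeholders (bare "Question", an empty code fence, "Results:") ahead of the File Transfers section; keep the template out of the committed page and add the blocks when there is content for them.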
1 change: 0 additions & 1 deletion finalrecon.md → docs/finalrecon.md
Expand Up @@ -10,7 +10,6 @@ tags:
- "161"
- tools
---

# Final recon


Binary file added docs/img/payload_00.png
Binary file added docs/img/payload_01.png
Binary file added docs/img/payload_02.png
13 changes: 11 additions & 2 deletions docs/nessus.md
Expand Up @@ -8,7 +8,6 @@ tags:
- scanner
- vulnerability assessment
---

# Nessus

Nessus has a client and a server. We use the client to configure the scans and the server to actually perform the scanning processes and report back the result to the client.
Expand Down Expand Up @@ -48,4 +47,14 @@ Scripts such as the [nessus-report-downloader](https://raw.githubusercontent.com

**3.** Unless specifically requested, we should never perform Denial of Service checks. The "safe checks" setting allows Nessus users to enable a set of plugins within Nessus' library of vulnerability checks which Tenable feels can have negative effects on the network, device or application being tested.

**4.** It is also essential to keep in mind the potential impact of vulnerability scanning on a network, especially on low bandwidth or congested links. This can be measured using [vnstat](https://humdi.net/vnstat/):
**4.** It is also essential to keep in mind the potential impact of vulnerability scanning on a network, especially on low bandwidth or congested links. This can be measured using [vnstat](https://humdi.net/vnstat/).

```shell-session
sudo vnstat -l -i eth0
```

### Nessus plugins

Nessus works with plugins written in the [Nessus Attack Scripting Language (NASL)](https://en.wikipedia.org/wiki/Nessus_Attack_Scripting_Language) and can target new vulnerabilities and CVEs.  These plugins contain information such as the vulnerability name, impact, remediation, and a way to test for the presence of a particular issue.


3 changes: 0 additions & 3 deletions docs/openvas.md
Expand Up @@ -28,12 +28,9 @@ sudo apt-get install gvm && openvas
# Initiate setup process
sudo gvm-setup
# Check installation
sudo gvm-check-setup
# Start OpenVAS
sudo gvm-start
```
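Review bot: the file summary says three lines were deleted from this block, but the rendered diff does not show which; if `sudo gvm-check-setup` (with its "# Check installation" comment) is among them, keep it, since it verifies the setup before `sudo gvm-start` is run, and the remaining `sudo gvm-start` line should keep its explanatory comment either way.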
8 changes: 8 additions & 0 deletions docs/vulnerability-assessment.md
Expand Up @@ -50,4 +50,12 @@ OWASP maintains a few different standards and helpful guides for assessment vari
- [Firmware Security Testing Methodology](https://github.com/scriptingxss/owasp-fstm)


### How to asset a risk

One tool is the [Common Vulnerability Scoring System](cvss-common-vulnerability-scoring-system.md).

Additionally. we have Common Vulnerabilities and Exposures (CVE), a publicly available catalog of security issues sponsored by the United States Department of Homeland Security (DHS). Each security issue has a unique CVE ID number assigned by the CVE Numbering Authority (CNA).



Tools: [nessus](nessus.md), [openvas](openvas.md)
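Review bot: the new heading "How to asset a risk" should read "How to assess a risk", and "Additionally. we have" needs a comma rather than a period; the three blank lines before the "Tools:" line can also be collapsed.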
19 changes: 19 additions & 0 deletions docs/webexploitation/http-verb-tampering.md
@@ -0,0 +1,19 @@
---
title: HTTP Verb Tampering
draft: false
TableOfContents: true
tags:
- pentesting
- web
- pentesting
---
# HTTP Verb Tampering

!!! quote "OWASP"
[OWASP Web Security Testing Guide 4.2](../OWASP/index.md) > 2. Configuration and Deploy Management Testing> 2.6. Test HTTP Methods

| ID | Link to Hackinglife | Link to OWASP | Description |
| :-- | :------------- | :----------- | :-------- |
| 2.6 | [WSTG-CONF-06](WSTG-CONF-06.md) | [Test HTTP Methods](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods) | - Enumerate supported HTTP methods using OPTIONS. - Test for access control bypass (GET->HEAD->FOO). - Test HTTP method overriding techniques. |
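Review bot: the table link `[WSTG-CONF-06](WSTG-CONF-06.md)` resolves relative to `docs/webexploitation/`, but this commit shows that page at `docs/OWASP/WSTG-CONF-06.md`, and the quote line on this same page already uses `../OWASP/index.md`; change the link to `../OWASP/WSTG-CONF-06.md`. The page is titled "HTTP Verb Tampering" yet cites only 2.6 Test HTTP Methods (WSTG-CONF-06), while the WSTG-INPV-03 hunk earlier in this commit maps verb tampering to 7.3; either cite both rows or pick the matching one. The front matter lists `pentesting` twice under `tags`, and the breadcrumb is missing a space in "Management Testing> 2.6".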

