diff --git a/.trash/Untitled.md b/.trash/Untitled.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/docs/OWASP/WSTG-CONF-06.md b/docs/OWASP/WSTG-CONF-06.md index 0c571cbde7..0ebb7caa3a 100644 --- a/docs/OWASP/WSTG-CONF-06.md +++ b/docs/OWASP/WSTG-CONF-06.md @@ -13,7 +13,7 @@ tags: # Test HTTP Methods -!!! quote "" +!!! quote "OWASP" [OWASP Web Security Testing Guide 4.2](index.md) > 2. Configuration and Deploy Management Testing> 2.6. Test HTTP Methods |ID|Link to Hackinglife|Link to OWASP|Description| diff --git a/docs/OWASP/WSTG-INPV-03.md b/docs/OWASP/WSTG-INPV-03.md index 1a0777726c..2c84830913 100644 --- a/docs/OWASP/WSTG-INPV-03.md +++ b/docs/OWASP/WSTG-INPV-03.md @@ -12,7 +12,7 @@ tags: # Testing for HTTP Verb Tampering -!!! quote "" +!!! quote "OWASP" [OWASP Web Security Testing Guide 4.2](index.md) > 7. Data Validation Testing > 7.3. Testing for HTTP Verb Tampering |ID|Link to Hackinglife|Link to OWASP|Description| diff --git a/docs/cpts-index.md b/docs/cpts-index.md index bd8f72f0b5..dacaba73fe 100644 --- a/docs/cpts-index.md +++ b/docs/cpts-index.md @@ -33,7 +33,7 @@ tags: | 19 | File Inclusion | | 8 hours | Web Exploitation | | | 20 | File Upload Attacks | | 8 hours | Web Exploitation | | | 21 | Command Injections | | 6 hours | Web Exploitation | | -| 22 | Web Attacks | | 2 days | Web Exploitation | | +| 22 | Web Attacks | [Web exploitation](webexploitation/index.md) | 2 days | Web Exploitation | | | 23 | Attacking Common Applications | | 4 days | Web Exploitation | | | 24 | Linux Privilege Escalation | | 8 hours | Post-Exploitation | | | 25 | Windows Privilege Escalation | | 4 days | Post-Exploitation | | diff --git a/docs/cpts-labs.md b/docs/cpts-labs.md index 71d5995d1c..89e7d2c7d5 100644 --- a/docs/cpts-labs.md +++ b/docs/cpts-labs.md 
@@ -1476,36 +1476,137 @@ Results: nginx **What is the API key in the hidden admin directory that you have discovered on the target system?** ``` -ffuz -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://$ip -H "HOST: FUZZ.inlanefreight.htb" -fs 120 -# Consider the following: -# Do not add $ip and domain to /etc/hosts -# +# 1. Add $ip inlanefreight.htb to /etc/hosts + +# 2. Create variable $port + +# 3. Do a vhost scan. For instance +ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.inlanefreight.htb" -fs 120 + +# 4. Add the discovered VHOST to /etc/hosts + +# 5. Enumerate the site +dirb http://web1337.inlanefreight.htb:$port + +# 6. There is a robots.txt file in the results, with a hiden admin panel. Trying to access directly the panel returns a 404. However we could try to fuzz it deeper: +ffuf -recursion -recursion-depth 1 -u http://web1337.inlanefreight.htb:53178/admin_h1dd3n/FUZZ -w /usr/share/seclists//Discovery/Web-Content/common.txt + +# 7. There is one result: index.html. Go to http://web1337.inlanefreight.htb:$port/admin_h1dd3n/index.html to retrieve the flag. + + ``` -Results: +Results: e963d863ee0e82ba7080fbf558ca0d3f  **After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.** ``` +# 1. Following the previous question, additional vhost discovery could be done: +ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.web1337.inlanefreight.htb" -fs 120 +# Add the second discovered VHOST (`dev`) to /etc/host, and visit the site http://dev.web1337.inlanefreight.htb/index.html. Notice that there is a next button, that takes you to a http://dev.web1337.inlanefreight.htb/index-123.html. 
Set-up an intruder attack with Numbered payload ``` -Results: +![pay](img/payload_00.png) + +![pay](img/payload_02.png) + +Results: 1337testing@inlanefreight.htb + **What is the API key the inlanefreight.htb developers will be changing too?** + +![pay](img/payload_01.png) + +Results: ba988b835be4aa97d068941dc852ff33 + + + + +## [Vulnerability Assessment](https://academy.hackthebox.com/module/details/108) + +### Nesus + +#### Nessus Skills assessment + +  +**What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)** + +Authenticate to port 22  with user "htb-student" and password "HTB_@cademy_student!". Start nessus and go to the IP:8834 url. Have a look at the windows scan. + +Results: wsus + + +**What was the target for the authenticated scan?** + +Results: 172.16.16.100 + + +**What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?** + +Results: 156032 + + + + **What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)** + +Results: VNC Server Unauthenticated Access + + + + **What port is the VNC server running on in the authenticated Windows scan?** + + +Results: 5900 + + +### Openvass + +#### Openvass Skills assessment + +**What type of operating system is the Linux host running? (one word)** + +Results: Ubuntu + + +**What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)** + +Results: Anonymous FTP Login Reporting + + +**What is the IP of the Linux host targeted for the scan?** + +Results: 172.16.16.160 + + +**What vulnerability is associated with the HTTP server? (Case-sensitive)** + +Results: Cleartext Transmission of Sensitive Information via HTTP + + + +Question + ``` ``` -Results: +Results: +Question + +``` + +``` + +Results: + -## [Vulnerability Assessment](https://academy.hackthebox.com/module/details/108) Question 
@@ -1514,7 +1615,41 @@ Question ``` -Results: +Results: + + + + +Question + +``` + +``` + +Results: + + + + +Question + +``` + +``` + +Results: + + + + +Question + +``` + +``` + +Results: + ## [File Transfers](https://academy.hackthebox.com/module/details/24) diff --git a/finalrecon.md b/docs/finalrecon.md similarity index 99% rename from finalrecon.md rename to docs/finalrecon.md index ba7b4aaa73..f57d630c5a 100644 --- a/finalrecon.md +++ b/docs/finalrecon.md @@ -10,7 +10,6 @@ tags: - "161" - tools --- - # Final recon diff --git a/docs/img/payload_00.png b/docs/img/payload_00.png new file mode 100644 index 0000000000..d9611b8f92 Binary files /dev/null and b/docs/img/payload_00.png differ diff --git a/docs/img/payload_01.png b/docs/img/payload_01.png new file mode 100644 index 0000000000..ab9dedcc9b Binary files /dev/null and b/docs/img/payload_01.png differ diff --git a/docs/img/payload_02.png b/docs/img/payload_02.png new file mode 100644 index 0000000000..f32376dc65 Binary files /dev/null and b/docs/img/payload_02.png differ diff --git a/docs/nessus.md b/docs/nessus.md index d4a028e06b..4f689a4357 100644 --- a/docs/nessus.md +++ b/docs/nessus.md @@ -8,7 +8,6 @@ tags: - scanner - vulnerability assessment --- - # Nessus Nessus has a client and a server. We use the client to configure the scans and the server to actually perform the scanning processes and report back the result to the client. 
@@ -48,4 +47,14 @@ Scripts such as the [nessus-report-downloader](https://raw.githubusercontent.com **3.** Unless specifically requested, we should never perform Denial of Service checks. The "safe checks" setting allows Nessus users to enable a set of plugins within Nessus' library of vulnerability checks which Tenable feels can have negative effects on the network, device or application being tested. -**4.** It is also essential to keep in mind the potential impact of vulnerability scanning on a network, especially on low bandwidth or congested links. This can be measured using [vnstat](https://humdi.net/vnstat/): \ No newline at end of file +**4.** It is also essential to keep in mind the potential impact of vulnerability scanning on a network, especially on low bandwidth or congested links. This can be measured using [vnstat](https://humdi.net/vnstat/). + +```shell-session +sudo vnstat -l -i eth0 +``` + +### Nessus plugins + +Nessus works with plugins written in the [Nessus Attack Scripting Language (NASL)](https://en.wikipedia.org/wiki/Nessus_Attack_Scripting_Language) and can target new vulnerabilities and CVEs.  These plugins contain information such as the vulnerability name, impact, remediation, and a way to test for the presence of a particular issue. + + diff --git a/docs/openvas.md b/docs/openvas.md index 8b6fe70670..a921b19180 100644 --- a/docs/openvas.md +++ b/docs/openvas.md @@ -28,12 +28,9 @@ sudo apt-get install gvm && openvas # Initiate setup process sudo gvm-setup - # Check installation sudo gvm-check-setup - - # Start OpenVAS sudo gvm-start ``` diff --git a/docs/vulnerability-assessment.md b/docs/vulnerability-assessment.md index 038833957a..8ffb67e9f0 100644 --- a/docs/vulnerability-assessment.md +++ b/docs/vulnerability-assessment.md 
@@ -50,4 +50,12 @@ OWASP maintains a few different standards and helpful guides for assessment vari - [Firmware Security Testing Methodology](https://github.com/scriptingxss/owasp-fstm) +### How to asset a risk + +One tool is the [Common Vulnerability Scoring System](cvss-common-vulnerability-scoring-system.md). + +Additionally. we have Common Vulnerabilities and Exposures (CVE), a publicly available catalog of security issues sponsored by the United States Department of Homeland Security (DHS). Each security issue has a unique CVE ID number assigned by the CVE Numbering Authority (CNA). + + + Tools: [nessus](nessus.md), [openvas](openvas.md) \ No newline at end of file diff --git a/docs/webexploitation/http-verb-tampering.md b/docs/webexploitation/http-verb-tampering.md new file mode 100644 index 0000000000..4415f82951 --- /dev/null +++ b/docs/webexploitation/http-verb-tampering.md @@ -0,0 +1,19 @@ +--- +title: HTTP Verb Tampering +draft: false +TableOfContents: true +tags: + - pentesting + - web + - pentesting +--- +# HTTP Verb Tampering + +!!! quote "OWASP" + [OWASP Web Security Testing Guide 4.2](../OWASP/index.md) > 2. Configuration and Deploy Management Testing> 2.6. Test HTTP Methods + + | ID | Link to Hackinglife | Link to OWASP | Description | + | :-- | :------------- | :----------- | :-------- | + | 2.6 | [WSTG-CONF-06](WSTG-CONF-06.md) | [Test HTTP Methods](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods) | - Enumerate supported HTTP methods using OPTIONS. - Test for access control bypass (GET->HEAD->FOO). - Test HTTP method overriding techniques. | + + diff --git a/docs/webexploitation/index.md b/docs/webexploitation/index.md index 4f8c766e24..10c956a6de 100644 --- a/docs/webexploitation/index.md +++ b/docs/webexploitation/index.md 
@@ -9,29 +9,9 @@ tags: - pentesting - exploitation --- - # Web exploitation guide - -| OWASP | Attack | Tools | Payloads | -| ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [WSTG-INPV-12](../OWASP/WSTG-INPV-12.md) | [Command injection attack](../OWASP/WSTG-INPV-12.md) | |
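Review bot: step 6 of the hidden-admin-directory walkthrough in `docs/cpts-labs.md` (hunk `@@ -1476,36 +1476,137 @@`) hardcodes the port in `http://web1337.inlanefreight.htb:53178/admin_h1dd3n/FUZZ` while every other command in the block uses `$port`, which step 2 introduces; use `$port` there as well, and have step 2 show the actual assignment instead of just `Create variable $port`. In the same block the seclists path in that command has a doubled slash (`/usr/share/seclists//Discovery/Web-Content/common.txt`), `hiden` should be `hidden`, the email walkthrough says `/etc/host` where the earlier steps correctly say `/etc/hosts`, and `Set-up an intruder attack with Numbered payload` reads better as `Set up a Burp Intruder attack with a Numbers payload`. The three `![pay](img/payload_0x.png)` images would be easier to follow with descriptive alt text, the headings `### Nesus` and `### Openvass` / `#### Openvass Skills assessment` should read Nessus and OpenVAS (the spelling `docs/openvas.md` and the module link use), and the hunk ends with two empty `Question` / fenced block / `Results:` scaffolds that render as blank question blocks.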
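Review bot: the second `docs/cpts-labs.md` hunk (`@@ -1514,7 +1615,41 @@`) only adds four more empty `Question` / fenced block / `Results:` scaffolds beneath the existing blank one, so the rendered labs page gains several empty sections. Either fill them before merging or keep a single placeholder marked as TODO so the gap is obvious to readers.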
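Review bot: the `sudo vnstat -l -i eth0` example added to item 4 of `docs/nessus.md` (hunk `@@ -48,4 +47,14 @@`) assumes the scan leaves through `eth0`; since the point of the item is measuring the load on the link the scan actually uses, say that `eth0` is a placeholder for the interface carrying the scan traffic. The new `### Nessus plugins` paragraph has a double space before `These plugins`, and the hunk leaves two trailing blank lines at the end of the file.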
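Review bot: in `docs/vulnerability-assessment.md` (hunk `@@ -50,4 +50,12 @@`) the new heading `### How to asset a risk` should read `How to assess a risk`, and `Additionally. we have Common Vulnerabilities and Exposures (CVE)` needs a comma after `Additionally`. The context line `Tools: [nessus](nessus.md), [openvas](openvas.md)` still carries `\ No newline at end of file`, so this hunk is the natural place to add the trailing newline.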
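Review bot: the new `docs/webexploitation/http-verb-tampering.md` is titled HTTP Verb Tampering but its quote block and table point at WSTG-CONF-06 / `2.6. Test HTTP Methods`, whereas the guide entry for verb tampering that this same PR edits is WSTG-INPV-03 / `7.3. Testing for HTTP Verb Tampering`; either reference INPV-03 or include both rows. The table link `[WSTG-CONF-06](WSTG-CONF-06.md)` is relative to `docs/webexploitation/`, where no such file exists, while the index link two lines above correctly uses `../OWASP/index.md`; it should be `../OWASP/WSTG-CONF-06.md`. The front-matter tags also list `pentesting` twice.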
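Review bot: the `docs/webexploitation/index.md` hunk (`@@ -9,29 +9,9 @@`) deletes the `OWASP | Attack | Tools | Payloads` table, starting with the `WSTG-INPV-12` command injection row, and the visible part of the hunk adds nothing in its place, while `docs/cpts-index.md` in this same PR now links to this page as the `Web exploitation` entry for module 22. Confirm that the remaining lines of the hunk (29 lines become 9) carry replacement content or that the mapping has moved elsewhere; otherwise the new link lands on an empty guide.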