CC: Pen Testing
Date: 16 May 2021
Author: Dhilip Sanjay S
Nmap (Network Utilities)
What does nmap stand for?
Answer: Network Mapper
How do you specify which port(s) to scan?
Answer: -p
How do you do a "ping scan" (just tests if the host(s) is up)?
Answer: -sn
What is the flag for a UDP scan?
Answer: -sU
How do you run default scripts?
Answer: -sC
How do you enable "aggressive mode" (enables OS detection, version detection, script scanning, and traceroute)?
Answer: -A
What flag enables OS detection?
Answer: -O
How do you get the versions of services running on the target machine?
Answer: -sV
How many ports are open on the machine?
Answer: 1
Steps to Reproduce:
What service is running on the machine?
Answer: Apache
What is the version of the service?
Answer: 2.4.18
What is the output of the http-title script (included in default scripts)?
Answer: Apache2 Ubuntu Default Page: It works
Netcat (Network Utilities)
Netcat (aka nc) is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool for gaining a reverse shell.
How do you listen for connections?
Answer: -l
How do you enable verbose mode (allows you to see who connected to you)?
Answer: -v
How do you specify a port to listen on?
Answer: -p
How do you specify which program to execute after you connect to a host (one of the most infamous)?
Answer: -e
How do you connect to UDP ports?
Answer: -u
Gobuster (Web Enumeration)
How do you specify directory/file brute forcing mode?
Answer: dir
How do you specify DNS bruteforcing mode?
Answer: dns
What flag sets extensions to be used?
Answer: -x
What flag sets a wordlist to be used?
Answer: -w
How do you set the username for basic authentication (if the directory requires a username/password)?
Answer: -U
How do you set the password for basic authentication?
Answer: -P
How do you set which status codes gobuster will interpret as valid?
Answer: -s
How do you skip SSL certificate verification?
Answer: -k
How do you specify a User-Agent?
Answer: -a
How do you specify an HTTP header?
Answer: -H
What flag sets the URL to bruteforce?
Answer: -u
What is the name of the hidden directory?
Answer: secret
Steps to Reproduce:
What is the name of the hidden file with the extension xxa?
Answer: password
Steps to Reproduce:
Nikto (Web Enumeration)
How do you specify which host to use?
Answer: -h
What flag disables SSL?
Answer: -nossl
How do you force SSL?
Answer: -ssl
How do you specify authentication (username + password)?
Answer: -id
How do you select which plugin to use?
Answer: -plugins
Which plugin checks if you can enumerate apache users?
Answer: apacheusers
How do you update the plugin list?
Answer: -update
How do you list all possible plugins to use?
Answer: -list-plugins
Metasploit - Setting Up
Metasploit is one of the most popular penetration testing frameworks around. It contains a large database of modules covering almost every major CVE, which you can easily use against a machine.
What command allows you to search modules?
Answer: search
How do you select a module?
Answer: use
How do you display information about a specific module?
Answer: info
How do you list options that you can set?
Answer: options
What command lets you view advanced options for a specific module?
Answer: advanced
How do you show options in a specific category?
Answer: show
Metasploit - selecting a module
How do you select the eternalblue module?
Answer: use exploit/windows/smb/ms17_010_eternalblue
What option allows you to select the target host(s)?
Answer: RHOSTS
How do you set the target port?
Answer: RPORT
What command allows you to set options?
Answer: set
How would you set SMBPass to "username"?
Answer: set SMBPass username
How would you set the SMBUser to "password"?
Answer: set SMBUser password
What option sets the architecture to be exploited?
Answer: arch
What option sets the payload to be sent to the target machine?
Answer: payload
Once you've finished setting all the required options, how do you run the exploit?
Answer: -J
What flag do you set if you want the exploit to run in the foreground?
Answer: exploit
How do you list all current sessions?
Answer: sessions
What flag allows you to go into interactive mode with a session? ("drops you either into a meterpreter or regular shell")
Answer: -i
Metasploit - meterpreter
What command allows you to download files from the machine?
Answer: download
What command allows you to upload files to the machine?
Answer: upload
How do you list all running processes?
Answer: ps
How do you change processes on the victim host? (Ideally it will allow you to change users and gain the permissions associated with that user.)
Answer: migrate
What command lists files in the current directory on the remote machine?
Answer: ls
How do you execute a command on the remote host?
Answer: execute
What command starts an interactive shell on the remote host?
Answer: shell
How do you find files on the target host? (Similar function to the linux command "find")
Answer: search
How do you get the output of a file on the remote host?
Answer: cat
How do you put a meterpreter shell into "background mode" (allows you to run other msf modules while also keeping the meterpreter shell as a session)?
Answer: background
Metasploit - Final Walkthrough
Select the module that needs to be exploited
Answer: use exploit/multi/http/nostromo_code_exec
What variable do you need to set, to select the remote host?
Answer: RHOSTS
How do you set the port to 80?
Answer: set RPORT 80
How do you set the listening address?
Answer: LHOST
Exploit the machine!
What is the name of the secret directory in the /var/nostromo/htdocs directory?
Answer: s3cretd1r
What are the contents of the file inside of the directory?
Answer: Woohoo!
Hashcat - Hash Cracking
What flag sets the mode?
Answer: -m
What flag sets the "attack mode"?
Answer: -a
What is the attack mode number for Brute-force?
Answer: 3
What is the mode number for SHA3-512?
Answer: 17600
Crack This Hash: 56ab24c15b72a457069c5ea42fcfc640
Answer: happy
Steps to Reproduce:
Since it's an MD5 hash, we can crack it directly without providing the -m option, because hashcat's default hash mode is MD5.
Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f
Answer: nootnoot
Steps to Reproduce:
JohnTheRipper - Hash Cracking
What flag lets you specify which wordlist to use?
Answer: -wordlist
What flag lets you specify which hash format (e.g. MD5, SHA1, etc.) to use?
Answer: --FORMAT
How do you specify which rule to use?
Answer: --rules
Crack this hash: 5d41402abc4b2a76b9719d911017c592
Answer:
Steps to Reproduce:
Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Answer: password
Steps to Reproduce:
SQLMAP - SQL Injection
How do you specify which url to check?
Answer: -u
What about which google dork to use?
Answer: -g
How do you select (lol) which parameter to use? (Example: in the URL http://ex.com?test=1 the parameter would be test.)
Answer: -p
What flag sets which database is in the target host's backend? (Example: if the flag is set to mysql then sqlmap will only test MySQL injections.)
Answer: --dbms
How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)?
Answer: --level
How do you dump the table entries of the database?
Answer: --dump
Which flag sets which db to enumerate?
Answer: -D
Which flag sets which table to enumerate?
Answer: -T
Which flag sets which column to enumerate?
Answer: -C
How do you ask sqlmap to try to get an interactive os-shell?
Answer: --os-shell
What flag dumps all data from every table?
Answer: --dump-all
How many types of SQLi is the site vulnerable to?
Answer: 3
Type: boolean-based blind
Type: error-based
Type: time-based blind
What is the name of the database?
Answer: tests
How many tables are in the database?
Answer: 2
Tables: msg, lol
What is the value of the flag?
Answer: found_me
Smbmap - Samba
How do you set the username to authenticate with?
Answer: -u
What about the password?
Answer: -p
How do you set the host?
Answer: -H
What flag runs a command on the server (assuming you have permissions, that is)?
Answer: -x
How do you specify the share to enumerate?
Answer: -s
How do you set which domain to enumerate?
Answer: -d
What flag downloads a file?
Answer: --download
What about uploading one?
Answer: --upload
Given the username "admin", the password "password", and the IP "10.10.10.10", how would you run ipconfig on that machine?
Answer: smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
Smbclient - Samba
How do you specify which domain (workgroup) to use when connecting to the host?
Answer: -w
How do you specify the IP address of the host?
Answer: -l
How do you run the command "ipconfig" on the target machine?
Answer: -c "ipconfig"
How do you specify the username to authenticate with?
Answer: -u
How do you specify the password to authenticate with?
Answer: -p
What flag is set to tell smbclient to not use a password?
Answer: -N
While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
Answer: get test
In the interactive prompt, how would you upload your /etc/hosts file?
Answer: put /etc/hosts
Privilege Escalation
Check the useful links
Final Exam
Nmap Enumeration
Gobuster Enumeration of HTTP server
Gobuster enumeration of secret directory with txt extension
Cracking the Hash in nyan.txt
user.txt
Answer: supernootnoot
Steps to Reproduce:
Login using SSH with the credentials:
nyan:nyan
Privilege Escalation - Abusing SUID
Locate the files with SUID bit set:
Abusing the SUID bit of sudo to get root access.
root.txt
Answer: congratulations!!!!
Steps to Reproduce: