Security Researcher | Independent Penetration Tester | CTF Player | Good Vibes ✌️

OSCP Prep - SQL Injection Cheat Sheet

Before you start

  • Make sure to tell the difference between numeric and string-based SQL injection!
  • Try both ', " quotes for string prefixes for string based injection.
  • Try both -- and # for suffixes in all injections.
  • Do simple subtraction for numeric based injection.

Count enumerable columns

' ORDER BY 1;-- 

Render data from the database onto the webpage

' UNION ALL SELECT 1,2;-- 

List all databases

The technique below demonstrates how to smuggle multiple returned fields into a single row, since the application may limit the number of rows it renders. This technique is also limited to 1024 characters, so be aware of that.

HackTheBox - Valentine

Machine Release Date: February 17, 2018

Summary

Valentine was an easy machine that happened to be running an outdated version of Ubuntu Server (12.04 LTS). It served SSL on port 443 with a version of OpenSSL vulnerable to Heartbleed, the infamous memory disclosure vulnerability in outdated OpenSSL releases. I was able to leverage Heartbleed to disclose the passphrase for a private SSH key I had discovered through basic web enumeration, and used it to compromise the hype user. After compromising the hype user, I also took advantage of the outdated tmux software installed on the server to hijack a tmux session belonging to the root user and become root.

HackTheBox - Irked

Machine Release Date: November 17, 2018

Summary

Irked was an easy machine that required manually troubleshooting an exploit to abuse a backdoor trojan. After abusing the backdoor, I was able to own the djmardov user thanks to a hint that he was using steganography to hide his password somewhere. I recovered djmardov's SSH password by downloading the only JPG image from the web server and extracting the hidden data with the secret text from /home/djmardov/Documents/.backup. I was also able to own the root user by abusing a custom SUID binary installed on the system.

OSCP Prep - Vulnhub's OSCP Voucher VM

If you wish to follow along, you can access the machine here.

Summary

This was a very easy machine originally created as a 30-day giveaway of an OSCP voucher covering the lab, lab materials, and exam attempt. A hidden file on this machine's web server happened to be a user's private SSH key. The private key was then used to log in to the machine as the oscp user, who happened to be a member of the lxd group. Users in the lxd group implicitly have read/write/execute privileges as root.

HackTheBox - Active

Machine Release Date: July 28, 2018

Skills Learned

  • Active Directory Enumeration
  • SMB Enumeration
  • Active Directory groups.xml Decryption
  • Kerberoasting
  • Hash Cracking

Active Ports

sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152,49153,49154,49155,49157,49158,49169,49171,49182 -T4 -sC -sV -oA nmap/full-tcp-version 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.036s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-09-10 19:30:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-09-10T19:31:19
|_  start_date: 2020-09-10T19:27:31

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 10 15:30:33 2020 -- 1 IP address (1 host up) scanned in 188.70 seconds

SMB Enumeration (Sensitive Groups.xml leaked from SYSVOL Replication)

I was able to list SMB shares with anonymous access:

HackTheBox - Forest

Machine Release Date: October 12, 2019

Skills Learned

  • Active Directory Enumeration
  • AS-REP Roasting
  • Hash Cracking
  • Finding Privilege Escalation Paths with Bloodhound
  • Abusing WriteDACL from Windows Exchange Privileges

Active Ports

sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49684,49703 -sC -sV -oA nmap/full-tcp-version 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up (0.064s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-09 16:09:49Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49703/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/9%Time=5F58FC10%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h29m39s, deviation: 4h02m32s, median: 9m37s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-09-09T09:12:10-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-09-09T16:12:07
|_  start_date: 2020-09-09T16:05:33

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep  9 12:04:42 2020 -- 1 IP address (1 host up) scanned in 279.02 seconds

Active Directory User Enumeration Via RPC/NetBIOS

As seen in the nmap scan above, the combination of ports 53, 88, 389 and 3268 hints that this host is an Active Directory domain controller. I like to see which users exist in the Active Directory forest via RPC/NetBIOS, since it gives me a quick, concise, and stealthier way to enumerate users. Note that this only worked because I was able to establish a NULL session over NetBIOS without providing any credentials: