Security

About JSON Web Token According to official website, JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Step 2. Pentesting Checklist Pentesting Workflow Gather information about the client organization Foundation Objectives of the Company Products Employee Information Business Partners Clients Client Organization Premises Network Equipments Server Room Information Gathering Information Gathering ...

version scan nmap -Pn -n -p- doctor.htb --min-rate=1000 | tee port_scan.txt ports=$(cat port_scan.txt | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) nmap -sC -sV -p $ports worker.htb -oA version_scan nmap -sS -Pn -sV --open -nvvv -T4 -iL scope.txt -oA 1024 nmap -sT -Pn -sV --open -nvvv -T4 -iL scope.txt -oA full -O -p- check for smb signing nmap --script smb-security-mode.nse -p445 -iL scope.txt -oA smb-signing check for ms17 vulnerability nmap -p445 --script smb-vuln-ms17-010 -iL scope.txt -oA ms17-010 nmap cheat sheet ...

Step 1. Reconnaissance & Enumeration Let’s start with the nmap scan nmap -Pn -n -p- obscurity.htb --min-rate=1000 | grep "open" | cut -d '/' -f 1 | sort -n > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt Version scan reports following information. ▶ nmap -Pn -n -sC -sV -p `cat port_scan.txt` obscurity.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA) | 256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA) |_ 256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519) 8080/tcp open http-proxy BadHTTPServer | fingerprint-strings: | GetRequest: | HTTP/1.1 200 OK | Date: Mon, 11 May 2020 06:37:57 | Server: BadHTTPServer | Last-Modified: Mon, 11 May 2020 06:37:57 | Content-Length: 4171 | Content-Type: text/html | Connection: Closed | <!DOCTYPE html> | <html lang="en"> | <head> | <meta charset="utf-8"> | <title>0bscura</title> nmap shows two ports open, SSH (22) and HTTP (8080). On visiting the page at 8080 we come to know that page doesn’t do much, but gives information about the Obscura Webserver. When I try to run gobuster things break. ...

Installing Vagrant on Ubuntu Introduction In this hands-on lab, we will be setting up both Vagrant and Docker — our desired provider. This will let us create code-based Docker environments that we can use and share multiple times as needed. Solution Begin by logging in to the lab server using the credentials provided on the hands-on lab page: ssh cloud_user@PUBLIC_IP_ADDRESS Install Docker Add the prerequisite packages: sudo apt-get install apt-transport-https ca-certificates gnupg-agent software-properties-common Add Docker’s GPG key: ...

Responder used for LLMNR protocol NBT-NS protocol Captures hashes and passwords from several protocols such as SMB, MSSQL, HTTP, LDAP & much more Installation - git clone responder cd responder responder.py -I eth0 -rf when user tries to access wrong share name, hashesh are saved in responder.db and logs folder. Using Responder for Multirelay attacks cd responder/tools TO find out which servers have SMB signing false. runfinger.py -i 192.168.1.0/24 multirelay.py -t 192.168.1.154 -u ALL ...

Step 1. Reconnaissance & Enumeration Let’s start with the nmap scan nmap -Pn -n -p- control.htb --min-rate=1000 | tee port_scan.txt cat port_scan.txt | grep "open" | tr '/' ' ' > port_scan.txt cat port_scan.txt | cut -d ' ' -f 1 | sort -n > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt Version scan reports following information. ▶ nmap -Pn -n -sC -sV -p `cat port_scan.txt` 10.10.10.167 -oA version_scan PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Fidelity 135/tcp open msrpc Microsoft Windows RPC 3306/tcp open mysql? | fingerprint-strings: | Help, RPCCheck, oracle-tns: |_ Host '10.10.16.14' is not allowed to connect to this MariaDB server 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3306-TCP:V=7.80%I=7%D=4/7%Time=5E8C5811%P=x86_64-pc-linux-gnu%r(RPC SF:Check,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20al SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A," SF:F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20allowed\x20t SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(oracle-tns,4A,"F\0\ SF:0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20allowed\x20to\x2 SF:0connect\x20to\x20this\x20MariaDB\x20server"); Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows WhatWeb reveals that PHP version 7.3.7 is installed. The IIS version is 10.0, which indicates that this is Windows Server 2016 or Windows Server 2019. ...

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 mango.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` mango.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/ssl Apache httpd (SSL-only mode) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel The Nmap scan reveals ports 22, 80 and 443 running their usual services. Additionally, Nmap found a vhost named staging-order.mango.htb referred to in the SSL certificate. Let’s add mango.htb and staging-order.mango.htb to /etc/hosts , and proceed with our enumeration. ...

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 traverxec.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` traverxec.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) | ssh-hostkey: | 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA) | 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA) |_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519) 80/tcp open http nostromo 1.9.6 |_http-server-header: nostromo 1.9.6 |_http-title: TRAVERXEC Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel On looking for nostromo exploit we found RCE vulnerability. ...

Step 1. Reconnaissance & Enumerati It was found that nmap is taking long time. Therefore used masscan to scan all ports of forest machine. nmap -Pn -n -p- -g 53 registry.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` registry.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA) | 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA) |_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! 443/tcp open ssl/http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! | ssl-cert: Subject: commonName=docker.registry.htb | Not valid before: 2019-05-06T21:14:35 |_Not valid after: 2029-05-03T21:14:35 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Interesting. An Active Directory forest as the name suggests with one domain HTB? We find the users using one of the below method. ...

Step 1. Installing Additional Tools Step 2. Pentesting Checklist Information Gathering External Tesing External Network Penetration Testing Web Penetration Testing Internal Pentesting Workflow Step 1. Installing Additional Tools Figlet ( figlet company name) Scrub bum apt-file OR dpkg -s bleachbit Step 2. Pentesting Checklist Pentesting Workflow Gather information about the client organization Foundation Objectives of the Company Products Employee Information Business Partners Clients Client Organization Premises Network Equipments Server Room Information Gathering Information Gathering ...

Step 1. Reconnaissance & Enumeration It was found that nmap is taking long time. Therefore used masscan to scan all ports of forest machine. masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000 nmap -Pn -n -sC -sV -p<port numbers></port> 10.10.10.151 -oA version_scan Host script results: |_clock-skew: mean: 2h29m01s, deviation: 4h02m30s, median: 9m01s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: FOREST | NetBIOS computer name: FOREST\x00 | Domain name: htb.local | Forest name: htb.local | FQDN: FOREST.htb.local |_ System time: 2020-03-31T04:29:33-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-03-31T11:29:38 |_ start_date: 2020-03-31T09:14:45 Interesting. An Active Directory forest as the name suggests with one domain HTB? We find the users using one of the below method. ...