Obscurity HTB Writeup

Step 1. Reconnaissance & Enumeration

Let’s start with the nmap scan:

nmap -Pn -n -p- obscurity.htb --min-rate=1000 | grep "open" | cut -d '/' -f 1 | sort -n > port_scan.txt
# join the port numbers into a comma-separated list; write to a second file,
# since redirecting back into port_scan.txt would truncate it before it is read
cat port_scan.txt | tr '\n' ',' | sed 's/,$//' > ports.txt

The version scan reports the following information.

▶ nmap -Pn -n -sC -sV -p `cat ports.txt` obscurity.htb -oA version_scan
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
|   256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
|_  256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
8080/tcp open  http-proxy BadHTTPServer
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 11 May 2020 06:37:57
|     Server: BadHTTPServer
|     Last-Modified: Mon, 11 May 2020 06:37:57
|     Content-Length: 4171
|     Content-Type: text/html
|     Connection: Closed
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>0bscura</title>

nmap shows two ports open, SSH (22) and HTTP (8080). Visiting the page on 8080 shows that it doesn’t do much, but it gives information about the Obscura Webserver. When I try to run gobuster things break. ...

Walkthrough CTF HTB  •  May 11, 2020 • (updated August 4, 2023) • 8 min

vagrant on docker

Installing Vagrant on Ubuntu

Introduction
In this hands-on lab, we will be setting up both Vagrant and Docker — our desired provider. This will let us create code-based Docker environments that we can use and share multiple times as needed.

Solution
Begin by logging in to the lab server using the credentials provided on the hands-on lab page:
ssh cloud_user@PUBLIC_IP_ADDRESS

Install Docker
Add the prerequisite packages:
sudo apt-get install apt-transport-https ca-certificates gnupg-agent software-properties-common
Add Docker’s GPG key: ...

Linux CTF HTB  •  May 8, 2020 • (updated September 10, 2023) • 2 min

Responder

Responder is used for the LLMNR and NBT-NS protocols. It captures hashes and passwords from several protocols such as SMB, MSSQL, HTTP, LDAP & much more.

Installation
git clone responder
cd responder
responder.py -I eth0 -rf

When a user tries to access a wrong share name, the hashes are saved in responder.db and the logs folder.

Using Responder for Multirelay attacks
cd responder/tools
To find out which servers have SMB signing set to false:
runfinger.py -i 192.168.1.0/24
multirelay.py -t 192.168.1.154 -u ALL ...

Walkthrough CTF HTB  •  April 29, 2020 • (updated January 19, 2023) • 1 min

Control HTB Writeup

Step 1. Reconnaissance & Enumeration

Let’s start with the nmap scan:

nmap -Pn -n -p- control.htb --min-rate=1000 | tee port_scan.txt
# extract the open port numbers and join them into a comma-separated list;
# write to a second file, since redirecting back into port_scan.txt would truncate it before it is read
cat port_scan.txt | grep "open" | tr '/' ' ' | cut -d ' ' -f 1 | sort -n | tr '\n' ',' | sed 's/,$//' > ports.txt

The version scan reports the following information.

▶ nmap -Pn -n -sC -sV -p `cat ports.txt` 10.10.10.167 -oA version_scan
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   Help, RPCCheck, oracle-tns:
|_    Host '10.10.16.14' is not allowed to connect to this MariaDB server
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=4/7%Time=5E8C5811%P=x86_64-pc-linux-gnu%r(RPC
SF:Check,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A,"
SF:F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(oracle-tns,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.14'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

WhatWeb reveals that PHP version 7.3.7 is installed. The IIS version is 10.0, which indicates that this is Windows Server 2016 or Windows Server 2019. ...

Walkthrough CTF HTB  •  April 28, 2020 • (updated August 8, 2023) • 7 min

Pentesting with Kali

Step 1. Installing Additional Tools
Step 2. Pentesting Checklist
  Information Gathering
  External Testing
  External Network Penetration Testing
  Web Penetration Testing
  Internal Pentesting Workflow

Step 1. Installing Additional Tools
Figlet (figlet company name)
Scrub bum
apt-file OR dpkg -s
bleachbit

Step 2. Pentesting Checklist
Pentesting Workflow
Gather information about the client organization
  Foundation
  Objectives of the Company
  Products
  Employee Information
  Business Partners
  Clients
Client Organization Premises
  Network Equipment
  Server Room
Information Gathering
Information Gathering ...

Walkthrough CTF HTB  •  April 7, 2020 • (updated September 10, 2023) • 2 min

Forest HTB Writeup

Step 1. Reconnaissance & Enumeration

nmap was taking a long time, so I used masscan to scan all ports of the Forest machine instead.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000
nmap -Pn -n -sC -sV -p<port numbers> 10.10.10.151 -oA version_scan

Host script results:
|_clock-skew: mean: 2h29m01s, deviation: 4h02m30s, median: 9m01s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-03-31T04:29:33-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-31T11:29:38
|_  start_date: 2020-03-31T09:14:45

Interesting. An Active Directory forest, as the name suggests, with one domain, HTB? We find the users using one of the methods below. ...

Walkthrough CTF HTB  •  March 31, 2020 • (updated September 22, 2022) • 5 min