JSON WEB TOKEN [JWT] Exploitation

About JSON Web Token. According to the official website, JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Step 2. Pentesting Checklist Pentesting Workflow Gather information about the client organization Foundation Objectives of the Company Products Employee Information Business Partners Clients Client Organization Premises Network Equipment Server Room Information Gathering Information Gathering...

Obscurity HTB Writeup

Step 1. Reconnaissance & Enumeration Let’s start with the nmap scan (a single pipeline avoids reading and writing port_scan.txt in the same command, which would truncate it): nmap -Pn -n -p- obscurity.htb --min-rate=1000 | grep "open" | cut -d '/' -f 1 | sort -n | tr '\n' ',' | sed s/,$// > port_scan.txt The version scan reports the following information. ▶ nmap -Pn -n -sC -sV -p `cat port_scan.txt` obscurity.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2....

vagrant on docker

Installing Vagrant on Ubuntu Introduction In this hands-on lab, we will be setting up both Vagrant and Docker, our desired provider. This will let us create code-based Docker environments that we can use and share multiple times as needed. Solution Begin by logging in to the lab server using the credentials provided on the hands-on lab page: ssh cloud_user@PUBLIC_IP_ADDRESS Install Docker Add the prerequisite packages: sudo apt-get install apt-transport-https ca-certificates gnupg-agent software-properties-common Add Docker’s GPG key:...

Linux CTF HTB . May 8, 2020 . (updated September 10, 2023) . 2 min

Responder

Responder is used for the LLMNR protocol and the NBT-NS protocol. It captures hashes and passwords from several protocols such as SMB, MSSQL, HTTP, LDAP & much more. Installation - git clone responder cd responder responder.py -I eth0 -rf When a user tries to access a wrong share name, the hashes are saved in responder.db and the logs folder. Using Responder for Multirelay attacks cd responder/tools To find out which servers have SMB signing set to false: runfinger.py -i 192.168.1.0/24 multirelay.py -t 192....

Control HTB Writeup

Step 1. Reconnaissance & Enumeration Let’s start with the nmap scan. The original chain of cat port_scan.txt | ... > port_scan.txt commands overwrites the file it is reading, so the filtering is done in one pipeline after saving the raw output with tee: nmap -Pn -n -p- control.htb --min-rate=1000 | tee port_scan.raw | grep "open" | tr '/' ' ' | cut -d ' ' -f 1 | sort -n | tr '\n' ',' | sed s/,$// > port_scan.txt The version scan reports the following information. ▶ nmap -Pn -n -sC -sV -p `cat port_scan....

Mango HTB Writeup

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 mango.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` mango.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2....

Traverxec HTB Writeup

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 traverxec.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` traverxec.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) | ssh-hostkey: | 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA) | 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA) |_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519) 80/tcp open http nostromo 1....

Registry HTB Writeup

Step 1. Reconnaissance & Enumeration It was found that nmap was taking a long time, so masscan was used to scan all ports of the forest machine. nmap -Pn -n -p- -g 53 registry.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` registry.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7....

Pentesting with Kali

Step 1. Installing Additional Tools Step 2. Pentesting Checklist Information Gathering External Testing External Network Penetration Testing Web Penetration Testing Internal Pentesting Workflow Step 1. Installing Additional Tools Figlet (figlet company name) Scrub bum apt-file OR dpkg -s bleachbit Step 2. Pentesting Checklist Pentesting Workflow Gather information about the client organization Foundation Objectives of the Company Products Employee Information Business Partners Clients Client Organization Premises Network Equipment Server Room Information Gathering Information Gathering...

Forest HTB Writeup

Step 1. Reconnaissance & Enumeration It was found that nmap was taking a long time, so masscan was used to scan all ports of the forest machine. masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000 nmap -Pn -n -sC -sV -p<port numbers> 10.10.10.151 -oA version_scan Host script results: |_clock-skew: mean: 2h29m01s, deviation: 4h02m30s, median: 9m01s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: FOREST | NetBIOS computer name: FOREST\x00 | Domain name: htb....