<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Oscp on rchitect</title><link>https://www.rchitect.in/tags/oscp/</link><description>Recent content in Oscp on rchitect</description><generator>Hugo</generator><language>en</language><lastBuildDate>Mon, 18 Jul 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.rchitect.in/tags/oscp/index.xml" rel="self" type="application/rss+xml"/><item><title>Powerview usage for privilege escalation</title><link>https://www.rchitect.in/posts/powerview/</link><pubDate>Mon, 18 Jul 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/powerview/</guid><description>&lt;h1 id="powerview-script-usage-for-privilege-escalation"&gt;
 Powerview Script usage for privilege escalation
 &lt;a class="heading-link" href="#powerview-script-usage-for-privilege-escalation"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;The PowerView script can be used for enumeration and privilege escalation.&lt;/p&gt;
&lt;p&gt;The script can be downloaded from &lt;a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1" class="external-link" target="_blank" rel="noopener"&gt;here.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I will explain a few scenarios in which I have used PowerView for enumeration and privilege escalation. Most of the time I upload the file like this to Windows (location C:\ProgramData).&lt;/p&gt;
&lt;p&gt;Make sure to load the script by using the command below.&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;Import-Module .\PowerView.ps1
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/powerview/1.png" alt="powerview"&gt;&lt;/p&gt;</description></item><item><title>Hackthebox Jarvis</title><link>https://www.rchitect.in/posts/htb-jarvis/</link><pubDate>Mon, 25 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-jarvis/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Jarvis&lt;/p&gt;</description></item><item><title>Hackthebox Brainfuck</title><link>https://www.rchitect.in/posts/htb-brainfuck/</link><pubDate>Thu, 14 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-brainfuck/</guid><description>&lt;h1 id="hackthebox-brainfuck-walkthrough"&gt;
 Hackthebox Brainfuck Walkthrough
 &lt;a class="heading-link" href="#hackthebox-brainfuck-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/brainfuck/1.png" alt="brainfuck"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.17 1 ⨯
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:40 EDT
Nmap scan report for 10.10.10.17
Host is up (0.051s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https


$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.17 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:41 EDT
Nmap scan report for 10.10.10.17
Host is up (0.045s latency).
Not shown: 65532 open|filtered ports
PORT STATE SERVICE
110/udp closed pop3
143/udp closed imap
443/udp closed https
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;ocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,25,110,143,443 -sC -sV -oN details.txt 10.10.10.17 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:43 EDT
Nmap scan report for 10.10.10.17
Host is up (0.042s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES USER AUTH-RESP-CODE TOP SASL(PLAIN) PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID LOGIN-REFERRALS more AUTH=PLAINA0001 have listed LITERAL+ capabilities IMAP4rev1 post-login Pre-login SASL-IR OK IDLE ENABLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_ http/1.1
| tls-nextprotoneg: 
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;There was a certificate warning on the HTTPS service. The site looks like the image below (it seems nginx is running).&lt;/p&gt;</description></item><item><title>Hackthebox Node</title><link>https://www.rchitect.in/posts/htb-node/</link><pubDate>Tue, 05 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-node/</guid><description>&lt;h1 id="hackthebox-node-walkthrough"&gt;
 Hackthebox Node Walkthrough
 &lt;a class="heading-link" href="#hackthebox-node-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/node/1.png" alt="node"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58 1 ⨯
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.10% done; ETC: 19:43 (0:00:09 remaining)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:57 EDT
Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;ocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 20:04 EDT
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_ Logs: /login
| hadoop-tasktracker-info: 
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;We can see 2 ports open, and on port 3000 an Apache service seems to be running. This is how the page looks on port 3000.&lt;/p&gt;</description></item><item><title>Privilege Escalation in Linux</title><link>https://www.rchitect.in/posts/linux-pivilege/</link><pubDate>Thu, 17 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/linux-pivilege/</guid><description>&lt;h1 id="privilege-escalation-for-linux-machines-before-running-scripts-like-linpeas"&gt;
 Privilege Escalation for Linux machines before running scripts like linpeas
 &lt;a class="heading-link" href="#privilege-escalation-for-linux-machines-before-running-scripts-like-linpeas"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;I am trying to explain the few commands which I use before I run any privilege escalation scripts like linpeas, linenum, etc.&lt;/p&gt;
&lt;h3 id="sudo-privilege"&gt;
 Sudo Privilege
 &lt;a class="heading-link" href="#sudo-privilege"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;p&gt;Check for any commands which are enabled with sudo privilege and require no password to run. Remember that sometimes you may have to terminate and re-initiate the existing session if no sudo command is enabled.&lt;/p&gt;</description></item><item><title>File transfer between Windows and Linux</title><link>https://www.rchitect.in/posts/oscp-cheat/</link><pubDate>Thu, 10 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/oscp-cheat/</guid><description>&lt;h1 id="cheat-sheet-for-oscp"&gt;
 Cheat sheet for OSCP
 &lt;a class="heading-link" href="#cheat-sheet-for-oscp"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;h5 id="reconnaisance"&gt;
 Reconnaissance
 &lt;a class="heading-link" href="#reconnaisance"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;h5 id="nmap-commands-for-port-scan"&gt;
 Nmap Commands for Port scan
 &lt;a class="heading-link" href="#nmap-commands-for-port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;The two nmap scans below are used to find out the TCP ports open on the server.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;nmap -sT -p- -Pn -T4 --min-rate 10000 -oN alltcp1.txt 10.10.10.58 (faster)&lt;/p&gt;
&lt;p&gt;nmap -sT -p- -Pn -T4 --min-rate 10000 -oN alltcp1.txt 10.10.10.58 (little slower)&lt;/p&gt;</description></item><item><title>Memory Dump Analysis using Volatility3</title><link>https://www.rchitect.in/posts/volatility3/</link><pubDate>Sun, 27 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/volatility3/</guid><description>&lt;h1 id="memory-dump-analysis-volatility3"&gt;
 Memory Dump Analysis-Volatility3
 &lt;a class="heading-link" href="#memory-dump-analysis-volatility3"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;We have a memory dump file which we will analyse with Volatility3 for sensitive information like usernames and processes.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/silo/11.png" alt="silo"&gt;&lt;/p&gt;
&lt;p&gt;There is a tool, Volatility, to analyse the memory dump. However, in previous blog posts it was Volatility2, which worked with python2; after searching I found Volatility3, which works with python3.&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h
Cloning into &amp;#39;volatility3&amp;#39;...
remote: Enumerating objects: 26002, done.
remote: Counting objects: 100% (3001/3001), done.
remote: Compressing objects: 100% (1021/1021), done.
remote: Total 26002 (delta 2253), reused 2596 (delta 1968), pack-reused 23001
Receiving objects: 100% (26002/26002), 5.14 MiB | 200.00 KiB/s, done.


Volatility 3 Framework 2.0.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
 [-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
 [--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
 plugin ...
volatility: error: argument plugin: invalid choice —h (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.proc.Maps, linux.pslist.PsList, linux.pstree.PsTree, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.memmap.Memmap, windows.mftscan.MFTScan, windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, 
windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.vadyarascan.VadYaraScan, windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Let&amp;#39;s search for the command format for Vol3; I found &lt;a href="https://book.hacktricks.xyz/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples" class="external-link" target="_blank" rel="noopener"&gt;this&lt;/a&gt;. Some commands I have tried, and their results, are uploaded &lt;a href="https://github.com/tcprks/Rchitect/blob/Yoda/CTF/silo/vol3-output" class="external-link" target="_blank" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Hackthebox Silo</title><link>https://www.rchitect.in/posts/htb-silo/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-silo/</guid><description>&lt;h1 id="hackthebox-silo-walkthrough"&gt;
 Hackthebox Silo Walkthrough
 &lt;a class="heading-link" href="#hackthebox-silo-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/silo/1.png" alt="silo"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:46 EST
Nmap scan report for 10.10.10.82
Host is up (0.091s latency).
Not shown: 65261 filtered ports, 269 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 121.90 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:48 EST
Nmap scan report for 10.10.10.82
Host is up (0.100s latency).
Not shown: 65268 filtered ports, 262 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.82
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:49 EST
Warning: 10.10.10.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).
All 65535 scanned ports on 10.10.10.82 are open|filtered (65460) or closed (75)

Nmap done: 1 IP address (1 host up) scanned in 75.11 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -p 80,135,139,445,8080 -Pn -sC -sV -oN detailed.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:53 EST
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb-security-mode: 
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2022-02-24T00:53:53
|_ start_date: 2022-02-24T00:28:20

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnrability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnrability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ sudo nmap -p 80,135,139,445,8080 -script VULN 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:54 EST
Nmap scan report for 10.10.10.82
Host is up (0.057s latency).

PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn&amp;#39;t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn&amp;#39;t find any DOM based XSS.
|_http-stored-xss: Couldn&amp;#39;t find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
| http-enum: 
|_ /i/: Potentially interesting folder

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

Nmap done: 1 IP address (1 host up) scanned in 342.38 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="smb-enumeration"&gt;
 SMB enumeration
 &lt;a class="heading-link" href="#smb-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;It seems we may not get any information from SMB ports.&lt;/p&gt;</description></item><item><title>Hackthebox Buff</title><link>https://www.rchitect.in/posts/htb-buff/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-buff/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Buff&lt;/p&gt;</description></item><item><title>Hackthebox Bastard</title><link>https://www.rchitect.in/posts/htb-bastard/</link><pubDate>Thu, 17 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-bastard/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Bastard&lt;/p&gt;</description></item><item><title>Hackthebox Cascade</title><link>https://www.rchitect.in/posts/htb-cascade/</link><pubDate>Thu, 17 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-cascade/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Cascade&lt;/p&gt;</description></item><item><title>Hackthebox Friendzone</title><link>https://www.rchitect.in/posts/htb-friendzone/</link><pubDate>Wed, 16 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-friendzone/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Friendzone&lt;/p&gt;</description></item></channel></rss>