THM - Vulnersity

These are notes taken while doing the Vulnersity room on THM.

General Theory

NMAP

  • Run two scans: first a quick one for the low-hanging fruit (the default top 1000 ports)

  • Then a full scan of all 65535 ports using -p-, run in the background

-T<paranoid | sneaky | polite | normal | aggressive | insane>:

  • The first two (0 paranoid, 1 sneaky) are for IDS evasion

  • Polite mode (2) slows the scan down to use less bandwidth and fewer target machine resources

  • Normal mode (3) is the default

  • Aggressive mode (4) speeds the scan up by assuming a fast network

  • Insane mode (5) sacrifices accuracy for speed

Enumeration

dirbuster - commonly used in a lot of hacking challenge videos/write-ups, though its popularity seems to be fading in favor of Gobuster. Can run multi-threaded and has a (not great) GUI interface.

dirb - operates similarly to dirbuster but is CLI only. Some people think it's slower than dirbuster while others say dirb gives them more consistent results. Your mileage may vary.

gobuster - the new hotness. Written in Go and meant to address the failings of both dirbuster and dirb.

dirsearch - I came across this one while reading another write-up for this challenge. It seems to perform well enough, so it's included here and you can make your own decision whether you like it or not.

Example use:

  • Wordlists are usually in /usr/share/wordlists/dirb

gobuster dir -e -u http://10.10.164.121:3333 -w /usr/share/wordlists/dirb/common.txt

  • dir: uses directory/file brute forcing mode

  • -e: expanded mode, print full URLs

  • -u: the target URL or domain

  • -w: path to word list
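The other side of the enumeration step is spotting it in the server logs. A wordlist scan like the gobuster run above leaves a burst of requests from one client, almost all to distinct paths and mostly answered with 404. The following detector is an added example, not part of the original notes or of any of the tools named above; it assumes the server writes the standard Apache/nginx "common" log format, and the log lines are constructed.

```python
# Added example (not part of the original notes): flag directory brute-forcing
# in web server access logs. Assumption: standard "common" log format.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 10.0.0.5 walks a wordlist, 10.0.0.9 browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /css HTTP/1.1" 404 196
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /images HTTP/1.1" 301 0
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /internal HTTP/1.1" 301 0
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /js HTTP/1.1" 404 196
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 196
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(log_text, min_requests=5, min_404_ratio=0.6, min_unique_paths=5):
    """Return {ip: stats} for clients whose traffic looks like a wordlist scan:
    many requests, mostly 404, nearly all to distinct paths.  The thresholds
    are assumptions and should be tuned to the site's normal traffic."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1

    suspects = {}
    for ip, s in per_ip.items():
        ratio = s["not_found"] / s["total"]
        if (s["total"] >= min_requests and ratio >= min_404_ratio
                and len(s["paths"]) >= min_unique_paths):
            suspects[ip] = {"total": s["total"], "not_found": s["not_found"],
                            "ratio": round(ratio, 2)}
    return suspects


if __name__ == "__main__":
    for ip, stats in find_bruteforcers(SAMPLE_LOG).items():
        print(f"possible directory brute force from {ip}: {stats}")
```

Counting distinct paths as well as the 404 ratio keeps a single broken link that is reloaded many times from tripping the rule; in a real deployment the same counters would be kept per time window rather than over the whole file.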

Fuzzing and Compromise

Using Burp Suite

When it's active it functions as a web proxy, so you need to configure your browser to use it. It also helps to install Burp's CA certificate in your browser's trust store.

If you are a Firefox user, a good quality-of-life companion to use with Burp is FoxyProxy. It's an add-on that, once configured, lets you switch between web proxies with a single click.

The last component to set up is SecLists (you'll see why in a minute). It is also super easy to install: just use APT to pull it from the repos. Example wordlist: /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt

  • Use Burp Intruder to fuzz the target and find which file extensions the server will accept

  • Specify the payloads and the type of attack

  • Then look for a response whose Length column stands out from the rest

Reverse Shell

Kali comes preloaded with a bunch of useful web shells located in /usr/share/webshells.

  • Upload the file via the /internal/ page found by fuzzing

  • Use the .phtml extension found by fuzzing

  • Now call back the URL to activate it: http://IP ADDRS/internal/uploads/nameofshell.phtml
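Why the extension fuzzing in the previous section finds a .phtml that the upload page in this one accepts comes down to how the upload handler validates names. The following is an added example, not code from the original notes or from the Vulnersity room: a denylist-style check of the kind that lets .phtml through, next to an allowlist check that closes it, plus a small loop that runs a constructed mini-wordlist through each check the way an Intruder payload set would. Function names and the extension sets are assumptions made for the illustration.

```python
# Added example (not part of the original notes): denylist vs allowlist
# extension checks for a file upload handler.
import os
import secrets

# Weak check: the handler only rejects a few known-bad extensions.  An
# extension the web server still hands to PHP, such as .phtml, is accepted.
DENIED_EXTENSIONS = {".php", ".php3", ".php4", ".php5"}


def is_allowed_denylist(filename):
    """Vulnerable version: anything not explicitly denied is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS


# Hardened check: accept only what the feature needs (assumed: an image upload).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def is_allowed_allowlist(filename):
    """Hardened version: the name must carry exactly one extension and it must
    be on the allowlist.  Everything else is rejected, including names with
    more than one dot and names that start with a dot."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1].lower() in ALLOWED_EXTENSIONS


def safe_stored_name(filename):
    """Discard the client-supplied name and store under a random name that
    keeps only the validated extension, so the upload directory never
    contains an attacker-chosen path."""
    if not is_allowed_allowlist(filename):
        raise ValueError("extension not allowed")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def accepted_extensions(checker, extensions):
    """Run a list of extensions through a checker, as an Intruder payload set
    would, and return the ones the checker accepts.  Used here only to
    compare the two checks side by side."""
    return [e for e in extensions if checker("upload" + e)]


# Constructed mini-wordlist in the spirit of extensions-most-common.fuzz.txt
SAMPLE_EXTENSIONS = [".php", ".php5", ".phtml", ".jpg", ".png", ".txt", ".html"]


if __name__ == "__main__":
    print("denylist accepts :", accepted_extensions(is_allowed_denylist, SAMPLE_EXTENSIONS))
    print("allowlist accepts:", accepted_extensions(is_allowed_allowlist, SAMPLE_EXTENSIONS))
    print("stored as        :", safe_stored_name("holiday.JPG"))
```

The extension check is only one layer: the upload directory should also be served without script execution (no handler for .php/.phtml there at all), which is what makes the "call back the URL to activate it" step fail even when a check is bypassed.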

Privilege Escalation

Now that we have a remote shell on our target, the next step is to try to escalate our privileges to root. A common privesc technique when doing CTFs or online challenges like this is to look for files that have the SUID bit set. Here is a great article that explains in depth what the SUID bit is and includes several examples to break it down further.
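The defensive counterpart of hunting for SUID files is auditing them against a known-good baseline, so that an extra setuid binary stands out. The following audit is an added example, not part of the original notes or of the linked article. The baseline set is an assumption standing in for one captured from a clean image of the same build, and the sample entries are constructed; the `walk_modes` helper is what you would point at a real root.

```python
# Added example (not part of the original notes): flag SUID files that are
# not on a known-good baseline.
import os
import stat

# Assumed baseline for a Debian-style host; capture the real one from a
# clean image of the same build rather than trusting this list.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/mount",
    "/usr/bin/umount",
}


def is_suid(mode):
    """True if the mode bits describe a regular file with the setuid bit.
    Symlinks are ignored: the bit only matters on the target file itself."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(entries, baseline=BASELINE_SUID):
    """entries: iterable of (path, mode).  Return the SUID regular files whose
    path is not in the baseline, sorted for stable reporting."""
    return sorted(p for p, m in entries if is_suid(m) and p not in baseline)


def walk_modes(root="/"):
    """Yield (path, mode) for every file under root.  lstat is used so symlinks
    are not followed; unreadable paths and pseudo-filesystems are skipped."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []  # prune: nothing to audit there
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


# Constructed sample of what a walk might return on a host where an extra
# setuid binary has appeared under /tmp.  The symlink entry shows that a
# setuid bit on a link is not reported.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/sudo", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/ls", stat.S_IFREG | 0o755),
    ("/tmp/.cache/helper", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/setuid-link", stat.S_IFLNK | stat.S_ISUID | 0o777),
]


if __name__ == "__main__":
    # Audit the sample first, then the live filesystem.
    print("sample audit:", unexpected_suid(SAMPLE_ENTRIES))
    for path in unexpected_suid(walk_modes("/")):
        print("unexpected SUID file:", path)
```

Running this from a scheduled job and diffing the result against the previous run turns the one-off CTF check into a standing control; the same walk can be extended to the setgid bit (stat.S_ISGID) with a second baseline.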
