THM - Vulnversity
These are notes taken while doing the Vulnversity room on TryHackMe (THM).
General Theory
NMAP
Run two scans: first a quick one for low-hanging fruit (the default top 1000 ports), then a full scan of all 65535 ports with -p-, run in the background while you work through the first results.
-T<paranoid|sneaky|polite|normal|aggressive|insane> (0 to 5): timing template
paranoid (0) and sneaky (1): the two slowest, meant for IDS evasion
polite (2): slows the scan down to use less bandwidth and fewer target machine resources
normal (3): the default
aggressive (4): speeds the scan up by assuming a fast, reliable network
insane (5): sacrifices accuracy for speed
Enumeration
dirbuster - commonly used in a lot of hacking challenge videos/write-ups, though its popularity seems to be fading in favor of Gobuster. Can run multi-threaded and has a (not great) GUI interface.
dirb - operates similarly to dirbuster but is CLI only. Some people think it’s slower than dirbuster while others say dirb gives them more consistent results. Your mileage may vary.
gobuster - the new hotness. Written in golang and meant to address the failings of both dirbuster and dirb.
dirsearch - I came across this one while reading another write-up for this challenge. It seems to perform well enough so it’s included here and you can make your own decision whether you like it or not.
Example use:
Wordlists are usually in /usr/share/wordlists/dirb
gobuster dir -e -u http://10.10.164.121:3333 -w /usr/share/wordlists/dirb/common.txt
dir: directory/file brute-forcing mode
-e: expanded mode, print full URLs
-u: the target URL or domain
-w: path to the wordlist
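The two scans above (the nmap port sweep and the gobuster directory brute force) are loud from the target's side. As an added example, not part of the room, nmap or gobuster, here is a small Python detector that runs over constructed UFW-style kernel drop lines and combined-format web access log lines and flags a source that touches many distinct ports, or collects 404s for many distinct paths, inside a short window. The log formats, the sample lines, the 2024 year for the syslog timestamps and the thresholds are all assumptions made for the example.

```python
"""Spot port sweeps and directory brute-forcing in logs (added example).

Parses two constructed log formats: iptables/ufw kernel drop messages and
Apache/nginx combined-format access logs. A single source that hits many
distinct ports, or gets 404s for many distinct paths, in one window is flagged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# UFW/iptables drop line; only the timestamp, SRC and DPT fields are needed.
UFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[UFW BLOCK\] .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)
# Combined log format: client, [timestamp], "request", status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def _ufw_time(text, year=2024):
    # Syslog timestamps carry no year; assume one (constructed logs are all 2024).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def _access_time(text):
    # "10/Jan/2024:12:00:01 +0000": keep the local part, the zone is constant here.
    return datetime.strptime(text.split(" ")[0], "%d/%b/%Y:%H:%M:%S")


def burst_sources(events, window, threshold):
    """events: (timestamp, source, key). Returns {source: peak distinct keys}
    for every source whose distinct keys inside one `window` reach `threshold`."""
    per_src = defaultdict(list)
    for ts, src, key in events:
        per_src[src].append((ts, key))
    flagged = {}
    for src, items in per_src.items():
        items.sort(key=lambda x: x[0])
        counts, lo = defaultdict(int), 0
        for ts, key in items:
            counts[key] += 1
            while items[lo][0] < ts - window:   # slide the window forward
                old = items[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


def port_sweeps(lines, window=timedelta(seconds=10), threshold=15):
    """Sources whose blocked packets span >= threshold distinct ports in a window."""
    events = []
    for line in lines:
        m = UFW_RE.match(line)
        if m:
            events.append((_ufw_time(m["ts"]), m["src"], int(m["dpt"])))
    return burst_sources(events, window, threshold)


def dir_bruteforce(lines, window=timedelta(seconds=10), threshold=20):
    """Sources that received 404s for >= threshold distinct paths in a window."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["status"] == "404":
            fields = m["req"].split(" ")
            path = fields[1] if len(fields) > 1 else m["req"]
            events.append((_access_time(m["ts"]), m["src"], path))
    return burst_sources(events, window, threshold)


# Constructed sample logs: one noisy source and one ordinary user.
SCANNER, USER, TARGET = "10.10.14.7", "10.10.14.9", "10.10.164.121"


def _ufw(sec, src, dpt):
    return (f"Jan 10 12:00:{sec:02d} web kernel: [UFW BLOCK] IN=eth0 OUT= "
            f"SRC={src} DST={TARGET} PROTO=TCP SPT=52011 DPT={dpt}")


def _access(sec, src, path, status):
    return (f'{src} - - [10/Jan/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 162 "-" "-"')


FIREWALL_LOG = [_ufw(i // 5, SCANNER, 20 + i) for i in range(30)]   # 30 ports in 6 s
FIREWALL_LOG += [_ufw(i, USER, 8443) for i in range(5)]              # one port, retried
ACCESS_LOG = [_access(i // 4, SCANNER, f"/word{i}", 404) for i in range(25)]
ACCESS_LOG += [_access(i, USER, "/index.html", 200) for i in range(5)]

if __name__ == "__main__":
    print("port sweeps:", port_sweeps(FIREWALL_LOG))        # {'10.10.14.7': 30}
    print("dir brute force:", dir_bruteforce(ACCESS_LOG))   # {'10.10.14.7': 25}
```

The detector keys on distinct ports and distinct 404 paths rather than raw request counts, which is what separates a wordlist run from a busy but legitimate client that keeps hitting the same few URLs. Tune the window and threshold to your own traffic; the values here only fit the constructed sample.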
Fuzzing and Compromise :
Using Burp Suite
When it's active it functions as a web proxy, so you need to configure your browser to use it. It also helps to install Burp's CA certificate in your browser's trust store, otherwise every intercepted HTTPS site throws a certificate warning.
If you are a Firefox user, a good quality-of-life companion to Burp is FoxyProxy. It's an add-on that, once configured, lets you switch between web proxies with a single click.
The last component to set up is SecLists (you'll see why in a minute). It's also easy to install: just use APT to pull it from the repos. Example list: /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt
Use Burp Intruder to fuzz the target and find which file extensions the server will accept:
specify the payload position, the payload list and the attack type
then look for a response whose Length column stands out from the rest, since a different length means the server handled that extension differently
Reverse Shell:
Kali comes preloaded with a bunch of useful web shells in /usr/share/webshells.
Upload the file via the /internal/ upload page found earlier,
using the .phtml extension the fuzzing showed the server accepts.
Now request the URL to trigger it:
http://<IP ADDRESS>/internal/uploads/nameofshell.phtml
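The reason the extension fuzzing pays off is on the server side: the upload handler blocks ".php" but not the other extensions the PHP handler serves, such as ".phtml". As an added example, not code from the room's target, here is that weak denylist check in Python beside an allowlist version and a server-chosen stored name; the extension sets, the sample filenames and the helper names are assumptions for the example.

```python
"""Upload filename validation: a denylist beside an allowlist (added example).

The denylist is the weak check an extensions fuzz list walks straight past;
the allowlist plus a server-chosen stored name is the fix.
"""
import os
import re
import secrets

# Weak check as many upload handlers write it: block the obvious PHP extensions.
# ".phtml" is missing, yet a typical PHP handler configuration serves it.
DENYLIST = {".php", ".php3", ".php4", ".php5"}


def denylist_allows(filename):
    _, ext = os.path.splitext(filename)
    return ext.lower() not in DENYLIST


# Hardened check: only image/document types, exactly one extension, plain stem.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowlist_allows(filename):
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):   # path separators, dotfiles
        return False
    parts = base.split(".")
    if len(parts) != 2:                             # no ext or double ext (a.php.png)
        return False
    stem, ext = parts
    return bool(STEM_RE.match(stem)) and f".{ext.lower()}" in ALLOWED


def stored_name(filename):
    """Name to store an accepted upload under: random stem, normalised extension.
    The client-supplied name never reaches the filesystem; None if rejected."""
    if not allowlist_allows(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed candidates, in the spirit of an extensions fuzz list.
CANDIDATES = ["shell.php", "shell.phtml", "shell.PhTmL", "shell.php.png",
              "../photo.png", "photo.png", "report.pdf", "notes.txt"]


def compare(candidates=CANDIDATES):
    """{filename: (denylist verdict, allowlist verdict)} for each candidate."""
    return {c: (denylist_allows(c), allowlist_allows(c)) for c in candidates}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:16} denylist={'pass' if weak else 'block'} "
              f"allowlist={'pass' if strong else 'block'}")
```

The allowlist is only half of the fix: the directory that uploads land in should also be served with script execution disabled (or sit outside the web root entirely), so that a file that slips through is never handed to an interpreter.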
Privilege Escalation
Now that we have a remote shell on the target, the next step is to escalate our privileges to root. A common privesc technique in CTFs and online challenges like this one is to look for files that have the SUID bit set. Here is a great article that explains in depth what the SUID bit is and includes several examples to break it down further.
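The same SUID listing is what a defender should run before the host is exposed, with one difference: the interesting output is the diff against a known baseline, not the list itself. As an added example, not from the room, here is a Python audit that walks the filesystem for setuid regular files and splits them into expected, unexpected and missing relative to a baseline; the baseline set, the skipped pseudo-filesystems and the sample entries are constructed assumptions for the example.

```python
"""Audit setuid binaries against a known baseline (added example).

The walk does what a manual SUID search does; the useful part is the diff,
since anything setuid that is not in the image baseline is what to review.
"""
import os
import stat

# Constructed baseline for the example; build the real one from a fresh
# install of the same image and keep it under version control.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/bin/mount", "/bin/umount",
}
SKIP = {"/proc", "/sys", "/dev", "/run"}   # pseudo filesystems, nothing to audit


def is_setuid(mode):
    """True for regular files carrying the setuid bit (directories excluded)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def walk_setuid(root="/"):
    """Yield (path, mode) for every setuid regular file under root."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: never follow symlinks
            except OSError:
                continue
            if is_setuid(mode):
                yield path, mode


def audit(entries, baseline=BASELINE):
    """Split (path, mode) entries into expected / unexpected / missing lists."""
    found = {path for path, mode in entries if is_setuid(mode)}
    return {
        "unexpected": sorted(found - baseline),   # review these first
        "expected": sorted(found & baseline),
        "missing": sorted(baseline - found),      # baseline drift, not a risk by itself
    }


# Constructed entries standing in for a walk of a host whose baseline drifted.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755),          # regular file, setuid, in baseline
    ("/usr/local/bin/helper", 0o104755),    # regular file, setuid, NOT in baseline
    ("/usr/bin/ls", 0o100755),              # regular file, no setuid bit
    ("/var/tmp/drop", 0o044755),            # directory with the bit: ignored
]

if __name__ == "__main__":
    report = audit(SAMPLE)            # swap in walk_setuid("/") for a live host
    for key in ("unexpected", "expected", "missing"):
        print(f"{key}: {report[key]}")
```

Run it as root so the walk can stat every file, and feed `walk_setuid("/")` into `audit` on a live system; the constructed `SAMPLE` only exists so the block runs offline. Scheduling the audit and alerting on a non-empty "unexpected" list turns the attacker's first privesc step into a detection.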