Ajdin's blog

HTB Cheatsheet

5 Oct 2020

Recon

Nmap

Get all open ports.

nmap -p- --min-rate=1000 -T4 <IP>

Get more info on the open ports found by the first scan (e.g. 21, 22, 80):

sudo nmap -p21,22,80 -sC -sV -O -oA nmap/scan <IP>

Some hosts block ping, so nmap reports them as down and skips them; the -Pn flag skips host discovery and scans them anyway.
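To chain the two scans above, the open ports from the all-ports scan can be pulled out of nmap's greppable output (the .gnmap file that -oA writes) and turned into the -p argument for the targeted scan. This is an added Python example, not from the original post; it assumes the first scan was saved with -oA nmap/full, and the .gnmap text below is constructed.

```python
import sys

def parse_gnmap(text):
    """Parse nmap greppable output (.gnmap) into {host: [port dicts]}.

    Each entry in the Ports: field has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        host = line.split()[1]
        # Fields on a host line are tab-separated; keep only the Ports: field
        ports_field = line.split("Ports:", 1)[1].split("\t")[0].strip()
        for entry in ports_field.split(", "):  # entries are ", "-separated
            fields = entry.split("/", 6)
            if len(fields) != 7:
                continue  # malformed entry: skip rather than crash
            port, state, proto, _owner, service, _rpc, version = fields
            hosts.setdefault(host, []).append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version.rstrip("/"),
            })
    return hosts

def open_ports(hosts, host):
    """Sorted list of port numbers reported as open for one host."""
    return sorted(p["port"] for p in hosts.get(host, []) if p["state"] == "open")

def port_arg(ports):
    """Comma-separated value for nmap's -p flag, e.g. '21,22,80'."""
    return ",".join(str(p) for p in ports)

# Constructed sample of what `nmap -p- -oA nmap/full <IP>` writes to nmap/full.gnmap
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -p- -oA nmap/full 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\t"
    "Ignored State: closed (65531)\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    hosts = parse_gnmap(text)
    for host in hosts:  # print the follow-up scan command per host
        print(f"sudo nmap -p{port_arg(open_ports(hosts, host))} -sC -sV -O -oA nmap/scan {host}")
```

Run it as `python3 gnmap_ports.py nmap/full.gnmap` to get the second command ready to paste; filtered ports are deliberately left out.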


Directory busting

Gobuster

If the host uses /index.php, scan with -x php; for /index.html, use -x html. Sometimes big.txt finds something that directory-list-2.3-medium.txt didn't.

Scan Windows machines with an all-lowercase wordlist, as Windows Server doesn't differentiate between uppercase and lowercase paths.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <IP> -x php,html,txt -t 100

FFUF

The same can be achieved with ffuf; sometimes, if I get a lot of errors with gobuster, I run ffuf.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<IP>/FUZZ

Find hidden Virtual Hosts

First request a subdomain that doesn't exist and note the response length, so it can be filtered out; in this case it's 4242.

Grabbing the length

Piping curl into wc, we can count the response bytes with the -c flag:

curl -H 'Host: randomsubdomain.target.com' http://<IP> | wc -c

Fuzzing the subdomains

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

FTP

Mirror all files from the FTP server to the local machine.

wget -m --user=<USERNAME> --password='<PASSWD>' ftp://<IP>

Process spying

pspy

pspy is a command line tool designed to snoop on processes without needing root permissions.

Show only processes running as root:

./pspy -c false | grep "UID=0"

Privesc

General

SUID or sudo -l

If something can be run with higher privileges, GTFOBins can be useful for exploiting such scripts/programs.

Finding specific strings in whole directory

With grep you can recursively search every directory below the current one for interesting strings.

grep -nriE 'password|passwd|admin|sha|hash|config|creds' .