Hello Forum, I started 3-4 weeks ago with little experience before this. I have only obtained root on 1 box so far and have obtained user on 2 other boxes. I am too lazy to get root on one other box and am working towards another root. I feel like my process is flawed; I would like to hear others' processes for obtaining creds or finding exploits if possible, without spoilers, please.
My process
Nmap Port scan common ports
System Identification
Is there a web panel?
Is SSH open?
If there is a web panel is there an admin panel?
Is there a very obvious exploit? Such as a CVE or write-up for the system or web server?
Are there default creds assigned?
Find First user
Can it su? (pipe dream)
What files can it access?
What commands can it use?
What other users are on the system?
What processes are running? And by whom?
Can I upload files?
Search for common priv escalation related to system
Is there anything else I am missing or that I should look for? Let me know.
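The checklist above, turned into reusable shell functions as an added example (this is not code from the post). The two parsing helpers read stdin so they can be pointed at saved nmap output or a copied /etc/passwd; local_checks runs on the box once you have a shell and writes each answer to its own file. The enum/ output directory and the function names are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the post above: the checklist as shell functions.
# Parsing helpers read stdin; local_checks runs on the target after foothold.
# Output directory name (enum/) and function names are assumptions of this example.

# Open ports from nmap grepable output (nmap -oG scan.gnmap ...).
# Prints "port/proto service", one per line; closed/filtered ports are skipped.
gnmap_open_ports() {
    grep -o '[0-9][0-9]*/open/[a-z]*//[^/]*/' |
        awk -F/ '{ svc = ($5 == "" ? "?" : $5); print $1 "/" $3 " " svc }'
}

# Accounts with an interactive shell, from /etc/passwd-format input.
# Prints "name:uid:shell": these are the su / password-reuse candidates.
login_users() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
        print $1 ":" $3 ":" $7 }'
}

# Who else has processes running, from `ps -eo user= -o comm=` style input.
# Argument: your own username, which is filtered out.
other_process_owners() {
    awk -v me="$1" 'NF && $1 != me { print $1 }' | sort -u
}

# Post-foothold checks; each answer goes to its own file so it is still there
# when you write the box up. Usage: local_checks [outdir]
local_checks() {
    out="${1:-enum}"
    mkdir -p "$out"
    id > "$out/id.txt" 2>&1 || true
    # Can it sudo? (-n never prompts, so this is safe in a dumb shell)
    sudo -n -l > "$out/sudo.txt" 2>&1 || true
    # What other users are on the system?
    login_users < /etc/passwd > "$out/users.txt"
    # What processes are running, and by whom?
    ps -eo user= -o comm= | other_process_owners "$(id -un)" > "$out/proc_owners.txt"
    # What commands run with someone else's rights? (SUID binaries)
    find / -xdev -perm -4000 -type f > "$out/suid.txt" 2>/dev/null || true
    # Where can I write/upload files? (world-writable dirs outside the obvious)
    find / -xdev -type d -perm -0002 ! -path '/proc/*' ! -path '/tmp/*' ! -path '/dev/*' \
        > "$out/writable_dirs.txt" 2>/dev/null || true
    # Scheduled jobs are a common priv-esc path worth reading in full
    { crontab -l; cat /etc/crontab /etc/cron.d/*; } > "$out/cron.txt" 2>/dev/null || true
    # Web root and home directories: configs, creds, backups
    ls -la /var/www /opt /home > "$out/dirs.txt" 2>&1 || true
    echo "wrote $(ls "$out" | wc -l | tr -d ' ') files to $out/"
}
```

Source the file and call the functions: `nmap -oG scan.gnmap -p- 10.10.10.5` then `gnmap_open_ports < scan.gnmap` gives you the service list to research one by one, and `local_checks` on the box answers the "first user" half of the list in one go.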
Look at IppSec’s videos. You will get more good ideas there.
When you see what sort of technology there is, search for information specifically about that. Like, if there is XML file handling involved, google for something like “Exploiting XML” or “Exploit XML parser”.
Finally, don’t nmap just the common ports. I do an initial scan first, but I do a full scan too. Sometimes there is something lurking on a non-standard port.
As @lokori said, look at ippsec videos. They are great for getting ideas for an initial foothold on machines.
You get vast exposure to tools that may do similar things, but one can be better than the other in different situations.
About root: my feeling from the 2-3 months that I have been playing in here is that creators try to make it unique.
So there is no default way that will help you figure out how to become root, only good enumeration and researching everything you find.
I create a folder for each box I do and copy into it short, simple shell scripts to quickly run any type of enumeration (dirb, gobuster, nmap) and dump it all to local log files. I typically have a netcat listening on a random port, fire up a simple HTTP server (usually the Python SimpleHTTPServer) and grab LinEnum from my Kali (wget) once I have some kind of user access. I have some snippets in text files to quickly copy/paste (e.g. spawning a shell or different variations of reverse shells). I try to keep notes in Evernote, but usually it’s a mix of online notes and offline log files.
@hendrikvb said:
I create a folder for each box I do and copy into it short, simple shell scripts to quickly run any type of enumeration (dirb, gobuster, nmap) and dump it all to local log files. I typically have a netcat listening on a random port, fire up a simple HTTP server (usually the Python SimpleHTTPServer) and grab LinEnum from my Kali (wget) once I have some kind of user access. I have some snippets in text files to quickly copy/paste (e.g. spawning a shell or different variations of reverse shells). I try to keep notes in Evernote, but usually it’s a mix of online notes and offline log files.
I really like this idea. I need to do some automating and set up logging… When I want to do a writeup on a box that’s being retired, I always end up having to go back and redo it because my notes are incomplete and I never have output saved from scans like gobuster… new mini project!
Use your shell history, use tee to send output both to STDOUT and to files; your terminal app may have log files, and so may tmux. At this point, I just use the standard Terminal application and open a bunch of tabs. Find a process that works for you. I have a tools folder with the scripts and a symlink to wordlists in there too. I sometimes move my tasks to a physical machine (JtR or hashcat, for instance) as opposed to a virtual one, just for speed. Look at how others do it (@ippsec videos have already been mentioned).
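The per-box folder from @hendrikvb’s post and the tee-to-log advice from the post above, combined into one small shell example. This is added here and is not code anyone posted in the thread; the boxes/<name>/{scans,loot,notes.md} layout and the box_init/logged names are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not code posted in the thread: a per-box working directory
# and a wrapper that runs any command with its output shown live and saved
# with tee, so gobuster/nmap results are still there at write-up time.
# The directory layout and function names are assumptions of this example.

# Create the per-box layout. Usage: box_init <name> [basedir]; prints the dir.
box_init() {
    box_dir="${2:-boxes}/$1"
    mkdir -p "$box_dir/scans" "$box_dir/loot"
    [ -f "$box_dir/notes.md" ] || printf '# %s\n\n' "$1" > "$box_dir/notes.md"
    printf '%s\n' "$box_dir"
}

# Run a command, stream its output to the terminal and to a timestamped log.
# Usage: logged <boxdir> <label> <command...>
# Returns the command's own exit status, not tee's.
logged() {
    log_dir="$1"; log_label="$2"; shift 2
    log_file="$log_dir/scans/$(date +%Y%m%d-%H%M%S)-$log_label.log"
    {
        # Header records when and what ran, which is what notes usually lack.
        printf '# started %s\n# cmd: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*"
        # "&& ... ||" keeps a failing command from aborting the group under set -e.
        "$@" 2>&1 && cmd_rc=0 || cmd_rc=$?
        printf '# exit=%s\n' "$cmd_rc"
    } | tee "$log_file"
    # A pipeline reports tee's status; read the real one back from the trailer.
    return "$(tail -n 1 "$log_file" | sed -n 's/.*# exit=//p')"
}

# Typical session (hypothetical target address):
#   d=$(box_init mybox)
#   logged "$d" nmap-full nmap -p- -T4 -oA "$d/scans/full" 10.10.10.5
#   logged "$d" gobuster  gobuster dir -u http://10.10.10.5 -w /usr/share/wordlists/dirb/common.txt
#   logged "$d" listener  nc -lvnp 4444
```

The header and exit trailer in each log are what make the files useful weeks later: you can tell which command produced a scan, whether it finished, and in what order you ran things, without relying on shell history from a VM you may have since rebuilt.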
I participate in a competition for school every year and there is a red team that does this to us. I definitely want to learn how to automate tasks like that. Thank you! @bulbafett & @hendrikvb