Tools to start with

Hey!
Complete noob here. I was fascinated by ippsec’s YT videos, so I decided to give it a try.
But I have no knowledge on how to do even the simplest stuff. Just to give you an example, in machine “Safe” I was able just to find open ports with nmap, but I don’t know what to do next

So I’m asking you:
-is there something you do every time, no matter the machine you are working on, just to search for something (like ippsec who do nmap)
-can you please suggest some tools so I can learn how to use them?

Thank you

It depends on what ports are open. If its web ports (80,443), then I like run dirbuster and zap in the background while I manually play with the site and look for vulns.

thank you @WiseGuy ! I didn’t know zap.
And as a ‘attack list’, what do you usually do after? I mean, what should I look for? I know it depends case by case, but what do you usually do in order to find vulnerabilities?

Type your comment> @ohfuck said:

thank you @WiseGuy ! I didn’t know zap.
And as a ‘attack list’, what do you usually do after? I mean, what should I look for? I know it depends case by case, but what do you usually do in order to find vulnerabilities?

Unfortunately, what he said is accurate. I like to start with nmap to get an idea of what ports are open. Then move to other programs as appropriate. Sparta is another program that runs some of these basic scans for you.

Gobuster, dirbuster and sometimes dirb to enumerate the directories on port 80(or any HTTP port)
Burpsuite, to see what happens with the request and play with it and see if there’s anything that could get me somthing
Nikto, sometimes works on some of the boxes, shows some stuff that could be useful but that depends on the machine
Nmap/Masscan/Zenmap - Basically to scan available ports of the machine or to automate half of the enumeration automatically
exploit-db, searchsploit, to find any available exploits for a certain service (say SSHd for example)
Hydra, to bruteforce any login page (even though it’s not that needed, most of the time you will find login creds/hints after enumerating, but there are some machines that include that, so that could be useful to learn as well)
Metasploit/Rapid7, could get you somewhere useful if you’re talking about time, you can get it on your own as well, be sure to read the exploit in Rapid7
For priv esc you can use that: Basic Linux Privilege Escalation - g0tmi1k
pspy, to read crontabs on Linux
Also; https://netsec.ws/?p=309
There’s a lot of ways to do a machine, each machine is unique in it’s own way. The best you can do in my opinion is to get a VIP and work on retired machines, that way if you get stuck - you can read a write up. Also watching Ippsec’s videos could help you with the flow/methodology
Always ask google or any search engine, you can get pretty useful things from there and understand stuff better, because most of the time you will be spending your time there, learning about a new thing that the box will require. Good luck 3:

Wow, thank you very much @xd3m0n !!!
I think my main problem is that I don’t know how things work, because if you understand how things interact together, you have a bigger picture in your mind of what you can do.
But I will start learning about these programs and eventually I will learn more!

Personally I always start off with an nmap verbose service detection scan, before running Nikto and dirb on any web services (and gobuster if dirb doesn’t pick up anything).

I’ve always worked on the creed of “abuse whatever advantage is available to you”, so please accept my apologies when what I do goes against the spirit of the experience, but remember: These machines are made to be hacked. Usually, in a real life situation, you’re dealing with machines that the admin configured to the best of his abilities to not be hacked. These here have (at least) intentionally left you one way in. Not only that, but usually there is at least a hint left for you to find so you find that way in.

Use that as a guide for what to do.

What I list down there will probably not get you any “blood” any time soon because it’s slow. But I’d guess what matters for now is to get the machines at all, not to do them fast. Speed comes with experience.

nmap will give you a list of ports. Since the machines here (usually) don’t employ any kind of IDS or IPS, at least none that permanently burn your IP address, what you get back from nmap is generally fairly reliable, at least in the lower difficulty levels. These machines also (generally) only open ports that you’ll make use of. If you, e.g., find something listening on port 53, be prepared that DNS will play a role in the exploit. If it shows you an open high port, poke it with nc or whatever is your favorite “send a sync and listen for replies” tool to see what’s coming back. You might also throw a “tcp port [xxxx]” into google and see if there’s some known service that you might be dealing with.

You will more often than not get a reply on port 80. Fire up your browser (preferably through burp or your favorite intercepting proxy) and take a look. Not at the page, but at what burp gives you so you see the headers and html source. Is it a default page? Well, is it really? Sometimes a hint is put into the comments. I have a collection of default pages by now that I simply diff whatever the server returns so I can quickly see if there’s anything (those default pages tend to be spammy). If it’s not a default page, does it drop any hints? Any content management systems used? Any frameworks? What version of them, if they tell you? Version of the Apache/nginx/whatever server? Do the headers set anything out of the ordinary? Any additional headers that might hint at something? Any cookies that belong to known bboard or content management software?

Start dirb against the page to enumerate the content while you take the information to searchsploit. Are there known exploits for the versions of the frameworks/servers you just found? You are now looking for those that you can use without any credentials and without being able to do anything that requires you to already be on the box, like local file inclusion or the like. Anything that remotely works would be good. But keep a note for everything else, for when you have a foothold on the server, remember: This box was made to be exploited, so if a particularly curious version of something is used, maybe there is a reason for this.

What you do from here depends mostly on what you find. If you see pages on the webserver that take parameters, try putting garbage in them and see how the page reacts. Some servers have misconfigured error pages you can exploit. If it’s something that looks like an index (e.g. if a parameter is 1, 2, 3, 4, and the page changes if you change that index), what happens if you use an index that’s probably out of bounds? What happens if you try to include “active” characters (e.g. try to put something in there that is javascript code, or php code, there are examples about code inclusion in parameters all over the web). What happens if you change the verb? Intercept the request with burp and change that GET for a POST. Or an OPTIONS. Or HEAD.

Above all: Google, google, google. And read the forum here if you get stuck. There’s no shame in asking for a hint when you’re thorougly stuck (there’s only shame in asking for flags ;)).

“Safe” is also probably not the machine you want to start with, it is labeled “easy”, I know, but I dare say that it might not be the best place to start from. Try Networked or Writeup as your first machine. Don’t get me wrong, Safe was a machine I absolutely loved doing, but mostly because my background is in reverse engineering.

(And since the board is about to ban me for being to spammy, I close here :))

wow this is gold! @BT1483 thank you very much for your detailed explanation!
I will for sure check everything you said!
I change machine then, maybe I will be luckier lol

Assuming that you are also new to linux you could casually read (and reference whenever you need):
-The Linux Command Line A Complete Introduction by William Shotts and
-How Linux Works What Every Superuser Should Know by Brian Ward
-g0tmi1k’s blog is a great place to learn about penetration testing stuff as a beginner.
Go to his oldest posts and start doing what he does.
Give it time and dont overflow your self with information