[Basic Pentesting]

This is a machine that allows you to practise web app hacking and privilege escalation.

Web App Testing and Privilege Escalation

In this set of tasks you'll learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

Find the services exposed by the machine.

nmap -sV <target>

What is the name of the hidden directory on the web server (enter name without /)

gobuster dir -u <target> -w <path/to/wordlist>

User brute-forcing to find the username & password

What is the username?

enum4linux -a <target>

What is the password?
What service do you use to access the server (answer in abbreviation in all caps)?

hydra -t 4 -l <user> -P /usr/share/wordlists/rockyou.txt <service>://<IP>


Enumerate the machine to find any vectors for privilege escalation

find / -perm -4000 2> /dev/null


For each binary in that output, look up its privilege-escalation vector on https://gtfobins.github.io/

What is the name of the other user you found (all lower case)?
If you have found another user, what can you do with this information?
What is the final password you obtain?


Summary

  • nmap
nmap -sV <target>

Portscan to open ports and active services.

  • gobuster
gobuster dir -u <target> -w /path/to/wordlist

Enumerate directories.

  • Ports 139/445 (Samba - Windows)
    These ports indicate that a Samba server is running. Samba allows the management and sharing of resources in networks made up of Windows-based computers, so a Linux host can act as a file server, print server and so on, as if the network used Windows servers (NT, 2000, XP, Server 2003).

  • enum4linux

enum4linux -a <target>

Extracts information from hosts where Samba is in use.

  • hydra
hydra -t 4 -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt ssh://<IP>

Using hydra to brute-force the user and password.

If the user has already been identified, follow the syntax:

hydra -t 4 -l <user> -P /usr/share/wordlists/rockyou.txt ssh://<IP>

  • SSH
    After obtaining the user (via enum4linux or hydra) and the password (via hydra), connect over SSH.
ssh <user>@<IP>
  • Find SUID executables
find / -perm -4000 2> /dev/null

Lists the SUID binaries on the machine; each of them is a candidate vector for privilege escalation.
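The hydra SSH brute-force steps above, seen from the defender's side: an added example (not from the original page) that parses constructed sshd auth.log lines and flags a source IP with a burst of failed password logins, together with any successful login that followed the burst, which is the trace a hydra run with `-t 4` leaves behind. All log lines, IPs and user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd sample (not from the page): a hydra-style burst from 10.0.0.5
# ending in a successful login, plus one ordinary typo from 10.0.0.9.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar  3 10:15:01 target sshd[2102]: Failed password for jan from 10.0.0.5 port 40002 ssh2
Mar  3 10:15:02 target sshd[2103]: Failed password for jan from 10.0.0.5 port 40003 ssh2
Mar  3 10:15:02 target sshd[2104]: Failed password for jan from 10.0.0.5 port 40004 ssh2
Mar  3 10:15:03 target sshd[2105]: Failed password for jan from 10.0.0.5 port 40005 ssh2
Mar  3 10:15:04 target sshd[2107]: Accepted password for jan from 10.0.0.5 port 40007 ssh2
Mar  3 10:20:00 target sshd[2200]: Failed password for kay from 10.0.0.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_sshd(text, year=2024):
    """Yield (timestamp, result, user, ip) for every password-auth line (syslog has no year)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failures inside one sliding window."""
    events = defaultdict(list)
    for ts, result, user, ip in parse_sshd(text):
        events[ip].append((ts, result, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                # A success after the burst suggests a guessed password, not just noise.
                success = next((u for ts, r, u in evs if r == "Accepted" and ts >= burst_end), None)
                hits[ip] = {"failures": len(fails), "users": {u for _, u in fails},
                            "followed_by_success": success}
                break
    return hits
```

Run `detect_bruteforce(SAMPLE_AUTH_LOG)` to see the flagged source; on a real host, feed it the contents of /var/log/auth.log and tune the threshold to the local MaxAuthTries and login rate.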

<y0uC4n’tSt0pUs4ll/>