Try   HackMD

Hack the Box Academy: Getting Started, Knowledge Check

Difficulty Level: Easy
Challenge link Getting Started

Table of Contents

Background

Information security is a broad field that has many specializations like:

  • Network and infrastructure security
  • Application security
  • Security testing
  • Systems auditing
  • Business continuity planning
  • Digital forensics
  • Incident detection and response

If you are here, you have probably just started exploring these domains and have (hopefully) completed the Getting Started module on HTB academy up to the Knowledge check section. Congratulations for taking the first step in your infosec career. This module introduces the following foundation concepts which you will use to complete the challenge:

  • Enumeration/Scanning tools
  • Web footprinting/Fuzzing
  • Exploitation
  • Privilege Escalation

Although this module does a great job in explaining how to exploit a simple web app, in a real-world pen test there will be more detailed steps. I recommend finding a penetration testing [framework](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies#:~:text=The Penetration Testing Framework (PTF,Discovery %26 Probing) to follow and teach yourself how to document each stage.

Walkthrough

Say we were using the PTES to do our 'pen test'.

The Penetration Testing Execution Standard PTES defines penetration testing as 7 phases. Particularly, PTES Technical Guidelines give hands-on suggestions on testing procedures, and recommendation for security testing tools. These stages are:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Pre-engagement Interactions

During this pre-phase, the penetration tester outlines the logistics of the test, expectations, legal implications, objectives and goals the customer would like to achieve.

During the Pre-Engagement phase, the penetration tester should work with the client to fully understand any risks, organizational culture, and the best pentesting strategy. The client may want a white box, black box, or gray box penetration test. It’s at this stage when the planning occurs along with aligning goals to specific pentesting outcomes.

In our case, we will be doing a gray-box testing since we already have some information about the target. The pre-engagement phase will include gathering the tools required to perform our challenge. These are:

  • Operating system: Kali Linux
  • Software: Nmap, Metasploit Framework, Feroxbuster, FFUF, Python

Intelligence Gathering

Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publicly (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources.

We begin with an nmap scan of the IP address that is provided in the challenge. The results of the scan are:

  • The machine IP is: 10.129.133.157
  • Active scanning using Nmap to find open ports
  • Port 22 running an ssh service to an Ubuntu server
  • Port 80 which is the default port for http. This is running an Apache server version 2.4.41

Whatweb confirms the following services running on the target:

  • Apache/2.4.41 (Ubuntu)
  • Script[text/javascript], Title[Welcome to GetSimple! - gettingstarted]

Gathering victim host information

Navigating to the ip address on port 80 reveals a web service called getsimple running on the target IP

Clicking on the hyperlinks provided in the home page does not give much information about the target so we move on to other tactics

We check if there is a robots.txt file that could give further information about the web service. This reveals a disallowed /admin/ directory which we navigate to and find a login page

Scanning & Enumeration

Wordlist scanning on the root directory reveals the following directories and pages:

  • Admin. Here we have the login page
  • Backups contains stuff similar to the data directory
  • Data.
    • Under /data/other/logs there is a file showing filed logins and we notice that the login failed because of a wrong password. The username admin was not rejected
    • Under data/users we find xml files that reveal credentials to be used on the login page
    • Under data/cache we have a .txt file that gives a warning that the version of the service is outdated. Version 3.3.15 and the latest is 3.3.16
  • Plugins. We notice many php files uploaded to this directory. This could be valuable to us later
  • Robots.txt. This shows the disallowed admin directory that contains the admin login page
  • Server-status
  • Sitemap.xml
  • Theme. This doesn't seem to have valuable info that can be used to attack the target

So far: we have a username admin, a potential password d033e22ae348aeb5660fc2140aec35850c4da997, a version 3.3.15, and a suspicion that the web app allows php uploads but we are yet to figure out an interface to use to make the upload

Threat Intelligence and Vulnerability assessment

We can check if there are vulnerabilities associated with the version of the web service running in our target. Let's also search for public exploits related to getsimple version 3.3.15. There are many but the 2 that I select are GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit) and GetSimpleCMS PHP File Upload Vulnerability

Resource development

  • We have our username, a password, and an exploit that we can use to gain access to the target
  • I suspect that the password given is a hash so I save it to hash.txt and use john to crack the password. The cracked password is admin
  • We now have everything we need to exploit the target and gain initial foothold

Exploitation

Let us log in to IP:PORT/admin using the credentials that we found earlier admin:admin.

tags: HTB Getting Started Web Exploitation
Last changed by 
stelthintitan
0
7068

Read more

Use of Collaborative Technologies in Business

Use of Collaborative Technologies in Business Table of Contents [TOC] Intro Modern information technologies have enabled companies to obtain, stock, process, and share data as well as knowledge. Powerful networking systems such as Intranets allow shareholders of a company to communicate and share complimentary information through the use of collaborative technologies. Group communication and information processing have become common with the emergence of e-collaborating tools. Throughout the corporate processes, collaboration has been a significant factor in determining business success. Traditionally most businesses focused on a specific geographical location; very few of them spanned multiple locations, especially internationally. However globalization opened the world to distributed production, exports, and the ability to have many business branches. With this development came the need to have communication channels that did not necessitate face-to-face meetings.Recent developments in software creation have developed tools that allow instant collaboration between people in different nations and continents. Video Conferencing

Dec 6, 2022
Workplace Communication

Professional Communication Table of Contents [TOC] Beginners Guide Effective communication in the workplace is what separates high performing companies among the rest. A company that has strong relationships established at its foundation not only drastically reduces employee turnover but dramatically increases production and efficiency. As an individual, whatever job you have or aspire to, good presentation skills are a key to success.Hence, mastering the art of presenting and communicating in a convincing, credible and persuasive manner is an asset that will be of benefit to you. At the workplace, you will majorly communicate in professional language under various rules or policies created by the organization.

Nov 22, 2022
SOC Operations

SOC Operations 101 Table of Contents [TOC] Introduction A Security Operations Center (SOC) is a team of IT security professionals tasked with monitoring, preventing , detecting , investigating, and responding to threats within a company’s network and systems. SOC operations can combine several tools and techniques like: EDR: This is an end point detection and response solution that contains the following key functionalities in a network end-points:

Nov 22, 2022
HawkEye Walkthrough

Cyber Defenders: HawkEye Walkthrough Difficulty Level: Very Easy challenge link: HawkEye Table of Contents [TOC] Scenario: An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

Nov 22, 2022
Read more from stelthintitan
Published on HackMD