25.01.2021

Category: Hackthebox dns enumeration

Hackthebox dns enumeration

It helps to have some background on DNS, as this post and the video covered. So 2, 3 means there will be no more bruteforcing.

Sneakymailer – HackTheBox Walkthrough

Why list it if outside scope? As usual we begin with a ping sweep to uncover hosts in the So we found hosts 10,30, Though the lab said not to touch What a wealth of information.

We can see that the host Similarly the other two hosts are Win XP and Win 7 machines in the diagram. The scan yields surprisingly little new information. It tells us that The whole bunch of SRV service records simply tells us The reverse DNS lookup yields a bunch of reverse pointer records. Wow that was far more informative than the forward lookups, where we had to bruteforce likely hostnames to check if A records exist.

hackthebox dns enumeration

From the outside with only the DNS server address we can only guess hostnames to check if they exist, but once inside its a lot easier to do a reverse lookup with the network addresses to see what we missed!

The SMB relay attack vector is essentially a replay attack where credentials sent over the local LAN are intercepted by the pentester machine and replayed. To do this, the lab suggests sending an email with a loaded hyperlink to our attack machine.

Lets figure out how to send an email via the Linux command line. The lab points to using the SMTP server on We can do this with Telnetwhich allows script writers to spam email. Our inputs highlighted above. The SMTP server responds after each input with codes Change it back if you need to. Our email has been sent.

So lets check it by hopping over to the victim email client machine this lab makes us play both roles via Remote Desktop use credentials provided by lab. Click to enlarge. So we did receive an email! This is where it gets a bit screwed up for me. The lab is supposed to work by having the victim click the hyperlinked URL which links back to the attacker laptop with our MITM smb relay server standing by.

Supply it with the creds provided by the lab. Once you enter them the smb relay server standing by will presumably intercept it and launch a meterpreter session.Welcome back everyone. We start by running a DNS Zone Transfer to enumerate some hidden domains, then we follow it up with a basic SQL injection attack to bypass an authentication page.

The privilege escalation is done by modifying a PHP script that gets executed by root as part of a scheduled cron job. When it comes to HackTheBox, it seems the hostnames always tend to following this format. Unfortunately, there was nothing of interest on this site either. I ran the usual directory brute forcing tools, and tried to manually poke around at it with little success. Normally, this functionality should be locked down to only allow other trusted DNS servers the ability to request a transfer.

However, you will occasionally run into poorly configured servers that allow anyone to request a zone transfer.

Ssh weak mac algorithms enabled tenable

This will allow us to enumerate hidden domains that we can look further into. We are brought to an authentication page.

Supercharged 351w

At this point, we should try the simple default credentials such as admin:admin or admin:password. For the attack to work, you must have this space. This essentially transforms the SQL statement to no longer even check for a password.

Well if it can run ping, maybe it can run other system commands as well. We have code execution. The next step is to throw ourselves a reverse shell. Awesome, we got a connection. I also went ahead and upgraded our shell to allow for tab-completion by running the following commands:.

We can now cat out the user. Indeed, here is something interesting. We have a cron job being run by root. We have write access to this file! We can just replace this file with a PHP reverse shell script, and we should get a root shell once the cron job executes it. Now, all we have to do is set up a listener on whatever port we specified in the PHP reverse shell file, and wait…. And there it is. We have ourselves a root shell.

You are commenting using your WordPress. You are commenting using your Google account. You are commenting using your Twitter account.As of HTB is a platform with well over 40 machines made for exploitation and honing of your penetration testing skills. Well, what can one do at this point? If you look closely at the nmap scan from before, you will notice that port has an alternative DNS name of DNS:admin-portal.

End result:. Manual injection was a lengthy process of trial and error, crying into my pillow and frustration. In there you can start tinkering with SQL commands and various injection methods you think may work or might give good results. One which worked for me is right below. If everything is done correctly you will see a redirect response which will grant us an authenticated cookie. This allows us to refresh the login page in our browser or forward the previous captured request right into the admin dashboard.

Alternatively, SQLmap can be used to extract the password hashes of the administrator and cracking them. SQLmap clearly tells us that the webpage is vulnerable. Chaining these commands we are able to extract needed information:. Check out this cheatsheet if you want to learn SQLmap! Eventually, SQLmap will obtain password hashes for you which can then be cracked.

hackthebox dns enumeration

Upon successfully authenticating, click on Tools tab on the left of the admin dashboard which puts us here:. Experimenting with the functionality of the VPNGenerator, it is easy to spot what it does. I suggest doing your own research on the function if you are unfamiliar with php.

Here are some links to help you:. We use netcat for a reverse shell connection, however because -e option is unavailable, we are forced to use a workaround. Check the reverse shell link above for more information. Note: The previous reverse shell is an URL encoded version of the original one, found on pentestmonkey.

Content of clearlogs:. Clearlogs script clears access. Because we can write to the file, we can control what is written in it. Long story short, we can easily control what will be executed as root each time the cron job runs.

Hope you liked my writeup! It took me about 3 hours to fully root this box and therefore would consider it a good medium-like challenge. If you have any questions feel free to comment down below or reach out to me via the about page. As always, any feedback is appreciated! Nmap done: 1 IP address 1 host up scanned in It is the end user's responsibility to obey all applicable local, state and federal laws.

These files also have username fields, that none of the other crontabs do. Please enable JavaScript to view the comments powered by Disqus.Scavenger is a hard difficulty machine and the first I have attempted on HackTheBox. Be sure to checkout the Basic Setup section before you get started. Like always, enumeration is our first port of call. From the information we gather from the page as well as our nmap scan we have all versions for the stack:. Along with OpenSSH 7. We also see a couple more domains listed for the DNS server dns.

Since this is a hosting service and also self proclaimed First authorized registrar for new. We can see here from the error output that the query contains a parantheses. However, a fellow HTB user kindly informed me that it does in fact work without that flag. To be honest I am quite happy I missed this because I learnt a lot going the long winded way as follows.

With the error information we can start mapping our structure with union :. Adding two null inputs gives us no output at all. Adding three causes another error. So two it is! As we can see the query has returned our input so we know that this entry is vulnerable. Testing the other position returns no output so it is not vulnerable.

A l l d a d d y 5

Within this output we find a table called customers. Looks like we have three columns. The domain column will hopefully point us to some other domains to enumerate! We find that we need to include www like we did for supersechosting.

hackthebox dns enumeration

Taking a look we see that justanotherblog. From a quick glance at exploits relating to these Prestashop and Wordpress the most recents require Admin access. So we may be looking for creds. Taking a closer look at rentahacker. We may need to enumerate for subdomains. We may have to scavenge for things the previous hacker has left behind! Since we know that supersechosting. We will use the AXFR protocol which is used for DNS zone transfers and will hopefully allow us to dump all information about the given domain:.

We see that we reveal the subdomain sec They mentioned it was a bugtracking webapp. Knowing that the webapp is potentially written in PHP navigating to index. At the login page we see the message: Warning: You should disable the default 'administrator' account or change its password.

This tells us that the default credentials may not have been changed! Trying the default login administrator:root we get access:.In this walkthrough, i will explain the steps to capture the flag of Hackthebox machine — Sneakymailer, This is an interesting box which helps us to understand the exploitation process of vulnerable SMTP server and gaining privilege access through PyPi repository.

Based on nmap result, we can see the port for ftp,ssh,smtp,http,imap and http are open. However, Lets try to gather more information from Site which is running in http port. The credentials are URL encoder, hence i decoded the details using online decoder. Lets configure an email client and check the mail box using this credentials to see if there are any useful information. I have used Evolution mail client and configured the Paul Byrd user mail box.

In the sent items, we can see some credentials sent with Administrator. I have tried to SSH login using this credentials, but it didnt worked. So i have tried to connect with ftp, using this credentials and it worked successfully.

How to extract boot img

Follow below steps for ftp login. Hence i started subdomain enumeration using wget tool. Below is the script i have used for subdomain enum. To understand the current active process in the target machine, i transferred the LinEnum. Based on above link, we can create a python package and that packagecan be deployed or stored inside the Pypi repository.

And the stored packagecan be accessed using pypiserver. I have followed the same steps as given in the reference link to create and access pypi server repository. Read the above article to understand the steps. Using this process, We will introduce our custom code into setup. To find the root privilege escalation vector, Run sudo -l as user low. So here our privilege escalation vector is exploitation of sudo rights.

The exploitation is very easy just by entering three line of codes one by one. You are commenting using your WordPress. You are commenting using your Google account.

Google maps without left panel

You are commenting using your Twitter account. You are commenting using your Facebook account. Notify me of new comments via email.

hackthebox dns enumeration

Notify me of new posts via email. Skip to content In this walkthrough, i will explain the steps to capture the flag of Hackthebox machine — Sneakymailer, This is an interesting box which helps us to understand the exploitation process of vulnerable SMTP server and gaining privilege access through PyPi repository.

About Sneakymailer, IP: Lets start the hack with enumerating the target using Nmap. Fig 7: Ftp login. Fig Pypi credentails. Fig PyPi repository creation. Fig Root Privilege. Leave a Reply Cancel reply Enter your comment here Fill in your details below or click an icon to log in:.

Email Address never made public. Create your website at WordPress.In this write-up, we will explain the exploitation of Cronos machine and the detailed overview on DNS zone transfer and the Privilege escalation using Cron jobs. Hence i started to enumerate from Port 80, to check if there is any site running using that port.

But i got landed in the Apache server default landing page. So, Lets move on to the next open port Port Number : DNS uses the port The possible reason for running the DNS on TCP would be data packet size could be too high and considering the fall back measures. Based on the name-server details, we can assume that Hostname of this machine should be cronos.

At once the host file is updated, the port 80 server misconfiguration issue is resolved and we can see the site running in cronos. When i am clicking any of the links mentioned in this page, it is taking me to the laravel related sites. That is out of scope for this challenge.

However, i came to an understanding that this site is built using PHP laravel framework. Now i started to enumerate deeper into this domain, as we can see port 53 is open. What is DNS zone transfer? Using this mechanism, we are going to pretend us as the slave server and ask the master server for a copy of the zone records.

If DNS allows zone transfer,it sends you them.

CronOS – HackTheBox Walkthrough

Lets breakdown the command and understand it, axfr is the DNS query type for zone transfer and we passed the hostname and IP address as the parameters for target machine. Lets see whats is running in the admin. Before that, lets add all the subdomains in our local hosts file.

As we expected, its the login page for admin panel, so lets try to break the authentication mechanism.

HackTheBox - Bank

Based on sqlmap, the username field is injectable, and its redirecting us to the welcome page. So, lets try to login with some basis sqli scripts. As we can see in the above image, the landing page is very simple, its having the field for selecting the command, placeholder for command and execute option.

So, i started to analyze this process using burp intercept. Based on it, i can see that if we are changing the parameter in the command value, it is executing the tampered command value and showing the result. So, Lets try to execute some Reverse shell commands, I got the below script for reverse shell from pentestmonkey cheat sheet.

The reverse shell is successfully created, Please note, i passed the script in URL encoded format. We got the successful shell, but make this simple reverse shell into fully interactive shell. You can learn more from on this Blog. Now we need to look for root flag, It requires the root permission to capture the flag. Hence lets try to do the privilege escalation, for that i need some more information about the target.

When running on LinEnum. So i started to read more about cronjobs in the laravel framework. Cron schedules tasks based on a pre-specified time period like numbers of days, weeks, months, or even a specific date and time.

Based on the above image, we are having read, write and execute permission in the artisan file.Doing hackthebox machines I have learned things which I have never used before for system administration. The hackthebox exercises also help me to understand the consequences if there are misconfigurations in the system. SSH itself is not so easy, there is one username enumeration vulnerability but I would try to avoid brute forcing as it takes a long time if the password is strong and it depends on the name list with weak passwords.

After some time there is no any other directories in the web, see below:. Check to see if Use dig to find more A records from the cronos. Because I am not changing my own dns server, hence I will add the newly found sub domains into the hosts file. Test if the field is vulnerable to command injection. For reverse connection I am setting up a server with netcat — nc -lvnp To test if the server has python python -c "print 'python exists' " if your text appears in the web site means there is a python interpreter.

I am trying to use sudo -l but I cannot get the permission list…. To be honest I was stucked here… so I read the guide. The ownership of the file — artisan — is www-datawhich means the user I gained can be used to modify the file.

A look into the php file artisan the application will exit hence I cannot append the reverse shell code in the php file. To make a php reverse shell meterpreter use msfvenom. This is the payload i used:. Also need to make sure the php code uses all double quotes, this is because single quote within the php code will be removed if double quotes within the php code is not used. I modify the lhost and the lport then i type run to start listening for incoming meterpreter connection.

View all posts by cyruslab. You are commenting using your WordPress. You are commenting using your Google account.

You are commenting using your Twitter account. You are commenting using your Facebook account.

Cronos Writeup

Notify me of new comments via email. Notify me of new posts via email. Skip to content. Read this for different types of comment syntax supported. Port scanning with nmap. Basic command injection, which can be learned from DVWA.


thoughts on “Hackthebox dns enumeration

Leave a Reply

Your email address will not be published. Required fields are marked *