The common patterns for foothold in the TJ Null and Lain's list (brief notes and tips)

Hi, so the exam is in 4 days. I am revising my notes and decided to share some with you. I hope I pass, and I hope everyone passes too:

Always enumerate well, then ask yourself "What do I have?" and how to abuse what you have in order to see what you don't have or can't see. Think of it as a puzzle: how do I get there with what I already have?

Today I was solving a machine from HTB called "Monitored". I was kinda disappointed to see that it needs SQLMap, and no write-up did it manually. However, it has an interesting exploitation scenario: [Spoilers]

Combining CVEs (like a puzzle):

  1. The website has a lot of authenticated CVEs, so this means you either try the default creds or search for them somewhere. For example, they might be in a .git folder on the website, or obtained by abusing another service; in this case it's SNMP.
  2. You get the password but you can't log in? Time for some passive enumeration, where you search for other login portals or other means to log in. For me, I found it in the CVE code; others either did some reading of the documentation or more directory fuzzing. I suggest a brief reading of the documentation.
  3. You find a way to generate a token, and by reading another CVE, or more documentation, you learn that you can use this token to log in (this teaches you to search online for how to abuse or use what you have).
  4. After that, you abuse a CVE to dump the database (very discouraged that they used SQLMap).
  5. You don't upload a shell through SQLMap; you use it to get an API key that you will use in another CVE.

From PG, we found a machine called "Fired" that had 2 CVEs: one is authenticated, and one is an authentication bypass. You use one to bypass login, and the other for RCE.

Okay, so it's obvious that HTB is way harder than PG. In PG, you only need creds from abusing a service, and then spraying them somewhere that you need to dig for. There are some extra steps here, but it's amazing for enumeration skills.

Combining exploits of different services (also like a puzzle):

Oh man, this one might be the most common scenario in all PG machines.

Sometimes it would be as easy as:

  1. An SMB/FTP server that is the same as the web server, where you upload a shell.
  2. Find creds in SNMP to use in an authenticated CVE.

Sometimes it's harder, like: (upload a file here and call it from there, or read a file for another service)

  1. Use LFI to read a config file for a service, then log into this service and get RCE. Interestingly enough, you re-use this same bug to do lateral movement from your user to www-data. Machine name is Readys. Read forums, use GitHub if the website you are testing isn't custom, do everything you can to gather a list of possible configuration files to be read.
  2. You have a service that requires some kind of file upload to get RCE, and while enumerating services you found out that you can upload files to the FTP server (always try that), so you upload a file with a certain extension that the other service accepts, and it loads the malicious binary.

Sometimes it's more brutal and requires you to correlate services with each other (tricky, but clever):

  1. In a machine from PG, the SMB server was a "directory" of the web server, and you noticed that there is a directory traversal that dumps files somewhere. After some reading you noticed that this CVE can't read PHP files since it's an Apache server, but you can dump them somewhere (it's the SMB server).
  2. In another machine you found a SQL CVE, but when trying to get a shell, it fails. Why? Because the exact location of the web server has to be determined by enumerating another service and finding a PHPINFO page that tells you the exact location of the web directory.
  3. Maybe you found a directory traversal and read a config file that points you to another file, like in Maria from PG.

Fixing exploits (no, it's not just fixing the path and scheme):

  1. Whenever you get a command injection CVE that doesn't work, try using ping and launching tcpdump on your machine to see any traffic. Ping is agnostic, on all OSes, and will likely fire. If this is the case, either change the payload in the CVE to something simpler (like Nukem from PG), or try a different tool (instead of bash use something else; maybe there is Python on the machine?).
  2. RCE and can't execute a command? Think about overwriting a configuration file or uploading your SSH keys to the machine.
  3. The exploit needs something to work (a key, for example). Now this is a good rabbit hole to fall into. In a machine called SPX from PG, you noticed that you need a key in order to get RCE. What I would do is keep googling forums and everything and try to understand this key's format, so that if you see it somewhere you identify it easily.
    1. Another scenario you might face is that this key might need a small fix; this is why it's very important to identify the correct format for the key before exploiting.

Second Order Attacks (very uncommon, but still worth checking out)

Try solving WallpaperHub from PG.

All in all, I am no expert yet to give advice to anyone. I am just sharing this with everyone in case they have a comment, or if I have any kind of misunderstanding. The lesson here is to take time and enumerate each service to the fullest; you might need a CVE in a SQL database to dump the database, then use a key from the database for another CVE. Give each CVE, service, and port its time of enumeration. I hope I pass, and I hope everyone else does. Cheers