CTF

I rarely get a chance to play HTB these days, but today I thought I'd get back on it. Then I had a three hour battle with a graphics driver and VMware Workstation, so that basically ruined that idea, but I thought I'd try and remember how to CTF again, and boy do you get slow fast! Well, to try and help people and myself, I've started to write down some notes to get my mind back into the CTF world of HTB!

Setup & Scope

OK, this is the setup phase. Let's grab the details.

  • Take note of the machine name
    • Most boxes resolve as <name>.htb (some also use <name>.htb.local)
    • There's no "internet" DNS inside the arena, so you need to add the name to your hosts file yourself (and add any further hostnames you discover later, e.g. from certificates or redirects)
  • Take note of the box author
    • This is useful for OSINT
  • Take note of the IP
    • This is your scope
  • Take note of the OS version
  • Get your digital notebook ready
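Adding the box to the hosts file is the first thing that goes wrong when a box is retired and re-released on a new IP, so the helper below re-points a name rather than stacking duplicate lines. This is an added example, not code from the original post; it assumes the `<name>.htb` and `<name>.htb.local` convention above, and `HOSTS_FILE` is a hypothetical override so it can be run against a scratch copy before touching `/etc/hosts` as root.

```shell
#!/bin/sh
# Add (or re-point) an HTB box in the hosts file. Both the .htb and
# .htb.local names are mapped, and any stale line for the same names is
# replaced so re-running after a box IP change does not leave two entries
# behind. HOSTS_FILE is an override (assumption, not a system variable) so
# this can be tested against a scratch copy instead of /etc/hosts.
set -u
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

add_htb_host() {
  local ip="$1" box="$2"
  local names="${box}.htb ${box}.htb.local"
  local tmp
  tmp="$(mktemp)"
  # drop any previous mapping for this box, keep every other line as-is
  grep -vE "[[:space:]]${box}\.htb([[:space:]]|$)" "$HOSTS_FILE" > "$tmp" || true
  printf '%s\t%s\n' "$ip" "$names" >> "$tmp"
  cat "$tmp" > "$HOSTS_FILE"   # cat rather than mv keeps /etc/hosts ownership/perms
  rm -f "$tmp"
}

# What nmap/curl will actually resolve <box>.htb to, read back from the file.
resolve_htb_host() {
  local box="$1"
  awk -v n="${box}.htb" \
    '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' \
    "$HOSTS_FILE"
}

# Usage: sudo ./hosts.sh 10.10.10.5 target
if [ $# -eq 2 ]; then
  add_htb_host "$1" "$2"
  echo "${2}.htb -> $(resolve_htb_host "$2")"
fi
```

Run it once per box; if the IP changes mid-session, run it again with the new IP and the old line is replaced rather than shadowed.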

Tool Prep

Now you will likely need the following:

  • A Windows VM for exploit development
  • A Linux VM for staging your attacks

Defending yourself

Remember you are in hostile territory. Whilst it's against the rules, someone may still attack your offensive infra. So:

  • Patch your offensive environment
  • Firewall yourself off (Windows Firewall/UFW/iptables etc.) so that only the ports you are deliberately listening on are reachable over the VPN
  • Use NAT'd, dedicated CTF virtual machine(s)
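The firewall bullet in practice, as an added example and not something from the original post: drop everything arriving on the VPN interface except replies to your own traffic and the listener ports you actually need (reverse shells, a payload web server). It assumes iptables on the Linux attack VM and the interface name `tun0`; the `IPT` variable and the `HTB_IN` chain name are my own so the rules can be printed with `IPT="echo iptables"` before they are applied as root.

```shell
#!/bin/sh
# Lock down the VPN interface: drop everything inbound on tun0 except
# replies to traffic we started and the TCP ports we deliberately open.
# IPT is overridable (assumption, not an iptables feature) so the rules
# can be dry-run with IPT="echo iptables" before running as root.
IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun0}"
CHAIN="HTB_IN"

lockdown_vpn_if() {
  # $@ = TCP ports that must stay reachable from the target network
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
  $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in "$@"; do
    $IPT -A "$CHAIN" -p tcp --dport "$p" -j ACCEPT
  done
  # log (rate limited) then drop, so you can see who is poking at you
  $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "htb-drop: "
  $IPT -A "$CHAIN" -j DROP
  # route tun0 traffic through the chain; -C first so re-runs don't stack jumps
  $IPT -C INPUT -i "$VPN_IF" -j "$CHAIN" 2>/dev/null \
    || $IPT -I INPUT 1 -i "$VPN_IF" -j "$CHAIN"
}

# Usage: sudo ./fw.sh 4444 8000          (open listener ports 4444 and 8000)
#        IPT="echo iptables" ./fw.sh 4444  (print the rules instead of applying)
if [ $# -gt 0 ]; then
  lockdown_vpn_if "$@"
fi
```

Only `tun0` is touched, so the NAT'd management side of the VM keeps working; re-running with a different port list flushes and rebuilds the chain rather than appending to it.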

OSINT

  • Go and research the box author
  • Go and check their github accounts, blogs etc.

VPN

  • Connect to the VPN
  • Confirm comms with the target (ICMP might be filtered, so a failed ping doesn't mean the box is down; try a TCP connect to a likely port, or scan with -Pn)

Port Scanning

  • Kick off a quick TCP scan
  • Kick off a full TCP scan as well

Nmap

Nmap is the most common starting point. If you work in the industry you can also kick off a vuln scan with a pro tool (it's good practice). You can also use something like OpenVAS, which is still free as the Greenbone Community Edition.

So letā€™s think about what we want. We want speed but also we want intel!

  • Letā€™s kick off a quick port scan
  • Letā€™s also look for service enumeration

So we are gonna want to do something like:

nmap -Pn -T5 -vvv -oA targetname -sV 10.x.x.x

nmap vulnerability scanning

vulscan is a third-party NSE script, so it has to be cloned into nmap's scripts directory first; then:

nmap -sV --script=vulscan/vulscan.nse 10.x.x.x

You can also chain this with XML output into funky reports, and feed the same XML straight into searchsploit.

Now you can do a cool one-liner on this (searchsploit reads the XML, so -oX is what makes it work):

nmap -p- -sV -oX target.xml 10.x.x.x; searchsploit --nmap target.xml
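Putting the Port Scanning and Nmap sections together into one staged run, as an added example that is not from the original post: a quick top-1000 pass you can start working from within a minute or two, its open ports fed into a targeted version/script scan saved as XML for `searchsploit --nmap`, and the full 65535-port sweep left running in the background so a service on a high port isn't missed. It uses -Pn because HTB boxes often filter ICMP, and -T4 rather than the -T5 above, which can drop probes over the VPN and make open ports vanish. The `NMAP` variable and the output file names are my own; the grepable sample in the test is constructed.

```shell
#!/bin/sh
# Staged nmap run for a single box. NMAP is overridable (assumption) so
# the parsing can be exercised without a live target.
NMAP="${NMAP:-nmap}"

# Extract the open TCP ports from an nmap grepable (-oG) file as "21,22,80".
# "open|filtered" UDP entries and filtered ports are deliberately excluded.
open_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -n | uniq \
    | tr '\n' ',' | sed 's/,$//'
}

scan_target() {
  tgt="$1" name="${2:-$1}"

  # 1. quick pass: top 1000 ports, grepable output we can parse
  $NMAP -Pn -T4 --top-ports 1000 -oG "${name}-quick.gnmap" "$tgt" >/dev/null
  ports="$(open_ports_from_gnmap "${name}-quick.gnmap")"

  # 2. full sweep in the background; -oA gives .nmap/.gnmap/.xml
  $NMAP -Pn -T4 -p- -oA "${name}-full" "$tgt" >/dev/null 2>&1 &

  # 3. version detection + default scripts only on what is already known open
  if [ -n "$ports" ]; then
    $NMAP -Pn -sV -sC -p "$ports" -oA "${name}-services" "$tgt"
    # 4. map the service banners to the local Exploit-DB copy
    if command -v searchsploit >/dev/null 2>&1; then
      searchsploit --nmap "${name}-services.xml"
    fi
  fi

  wait   # for the full sweep to finish
  echo "quick pass open ports: ${ports:-none}"
  echo "full sweep open ports: $(open_ports_from_gnmap "${name}-full.gnmap")"
}

# Usage: ./scan.sh 10.10.10.5 target
if [ $# -ge 1 ]; then
  scan_target "$@"
fi
```

Compare the two "open ports" lines at the end: anything in the full sweep that the quick pass missed needs its own -sV -sC run before you move on to web enumeration.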

HTTP Service Enumeration

Now before we start getting all pew pew, we need to be mindful of a few things:

  • IP connectivity
  • HTTP Host header (virtual hosts served from the same IP)
  • Subdomain enumeration

Areas to consider:

  • HTTP Enumeration
    • Forced Browsing/Content Discovery
    • Client Side Code Review
    • Crawling
    • robots.txt
    • security.txt
    • sitemap.xml
  • HTTPS Enumeration
    • Platform Versions
    • Applications and Frameworks
  • TLS Certificate Metadata
    • TLS CA Chain
    • Certificate Subject Alternative Names
    • Certificate Contact Metadata
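Two of the items above that are easy to skip, the Host header and the certificate SANs, worked through as an added example (not from the original post). It pulls the TLS certificate from the box, harvests the DNS names in its Subject Alternative Names, and then sends each name (plus your own guesses) as a Host header to the IP, flagging any that come back a different size from a request with a bogus Host, which is how a hidden virtual host shows itself. It assumes `openssl` and `curl` on the attack VM; the function names and the SAN text in the test are my own.

```shell
#!/bin/sh
# TLS SAN harvesting and Host-header virtual host discovery.

# Parse `openssl x509 -noout -ext subjectAltName` output into one DNS
# name per line. "IP Address:" entries are deliberately dropped.
san_dns_names() {
  tr ',' '\n' | grep -o 'DNS:[^[:space:]]*' | cut -d: -f2- | sort -u
}

# Fetch the leaf certificate from host:port and print its SAN DNS names.
# $3 is an optional SNI name; some servers hand out a different cert per name.
tls_san_names() {
  host="$1" port="${2:-443}" sni="${3:-$1}"
  openssl s_client -connect "${host}:${port}" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | san_dns_names
}

# Bytes returned for / on the IP when a given Host header is sent.
vhost_size() {
  ip="$1" vhost="$2" scheme="${3:-http}"
  curl -sk -o /dev/null -w '%{size_download}' --max-time 10 \
    -H "Host: ${vhost}" "${scheme}://${ip}/"
}

# Print the candidate vhosts whose response differs from a bogus-Host baseline.
# Usage: find_vhosts 10.10.10.5 https target.htb dev.target.htb admin.target.htb
find_vhosts() {
  ip="$1" scheme="$2"; shift 2
  base="$(vhost_size "$ip" "does-not-exist-$$.invalid" "$scheme")"
  for v in "$@"; do
    size="$(vhost_size "$ip" "$v" "$scheme")"
    if [ "$size" != "$base" ]; then
      echo "$v -> ${size} bytes (baseline ${base})"
    fi
  done
}

# Usage: ./vhosts.sh 10.10.10.5 target.htb
# Pulls the SANs over HTTPS, then probes each one as a Host header.
if [ $# -eq 2 ]; then
  names="$(tls_san_names "$1" 443 "$2")"
  echo "SAN names: $(echo "$names" | tr '\n' ' ')"
  find_vhosts "$1" https $names   # unquoted on purpose: one argument per name
fi
```

Any name that lights up here goes straight into the hosts file and into the next round of content discovery; a size match to the baseline is not proof of nothing being there, only that the default site answered.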

Tools

Web Application Testing Tools

Now, people still use DIRB and WFUZZ for forced browsing; I tend to use Burp Suite Pro content discovery but also OWASP ZAP (it's free!).

  • Dirbuster
  • OWASP ZAP
  • Burp Community
  • Wafw00f
  • Burp Suite Pro
    • Burp Apps
  • Nikto
  • Wfuzz
  • Dirb
  • Wpscan
  • cmsscan

Browser Tools

  • Cookie Editor
  • Developer Tools
  • Foxy Proxy (or another proxy switching tool)
  • A hacker toolbar
  • A HTTP request replay/modification browser extension

Exploit Database

Penetration testing involves finding known misconfigurations, known vulnerabilities and often known exploits in commercial products, open source libraries etc.

  • Searchsploit
    • This searches a local copy of Exploit-DB from the command line, so get enumerating those version numbers, manufacturer names and product versions: the more precise the version string, the better the hit.

#################### TO BE CONTINUED ###################
