Hack the box (docx, 17 pages)
School: Concordia University Portland
Course: 543
Subject: Computer Science
Date: Jun 24, 2024
Uploaded by chanduRapolu123
I have used wordlists in different situations before. This time I need lists of common words and phrases used for web directories. These lists are in the SecLists repository on GitHub. To find the commonly used list on PwnBox, I run: locate directory-list-2.3-small.txt. This gives the full path to the list, such as /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt. To remove all comment lines and empty lines from the file I ran: sudo sed -i 's/^#.*$//g' /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt && sudo sed -i '/^$/d' /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt (the first sed only blanks the comment lines, which is why the second one is needed to delete the now-empty lines). For basic directory fuzzing I use: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ. The lesson uses /blog/ as its example; the directory my scan found, shown in the top left corner of the screenshot, is /forum/, which is my answer. Next I run:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php
I get a few 200 responses. The page blog/index.php has a size of 0, meaning it is empty, while blog/REDACTED.php has content. I can visit these pages in the browser to confirm this. The full procedure, then, starts with directory fuzzing:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ
Page fuzzing inside the directory it finds gives /blog/home.php and /blog/index.php. /blog/index.php is empty, since its size is 0, but /blog/home.php gives the final flag. Recursive fuzzing does both steps in one run, automatically re-fuzzing every directory it finds up to the given depth and trying the .php extension on each word:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v
Domain Fuzzing: DNS Records
Domain Fuzzing: Sub-Domain Fuzzing
For the HackTheBox Swag Shop, I would run a sub-domain fuzzing scan on 'hackthebox.eu' using the command: ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/ This would help me find any potential sub-domains of 'hackthebox.eu'. After running the command, I would look through the discovered sub-domains for one related to the Swag Shop. Similarly, to find a customer portal sub-domain for 'inlanefreight.com', I would run a sub-domain fuzzing scan with the same approach: ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/ After running the command, I would check for any sub-domains that might indicate a customer portal for 'inlanefreight.com'. Note that this form of sub-domain fuzzing only finds names that resolve in public DNS, because ffuf has to resolve each candidate hostname before it can connect; sub-domains that exist only on the target server (or only in /etc/hosts) need the VHost fuzzing below.
To find other VHosts on 'academy.htb', I did a VHost fuzzing scan using this command: ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900 Here the URL stays fixed and only the Host header changes, so the scan works without DNS. The -fs 900 filters out responses of 900 bytes, the size of the default page that the server returns for every unknown Host value, leaving only the VHosts that respond differently. After running the scan, I found the VHost 'test.academy.htb'.
GET Request Fuzzing
To run a parameter fuzzing scan on the webpage, I used this command: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs 900 I made sure to update the -fs flag with the correct number for this instance, since the baseline size changes between instances. Because I was using a new instance with a different IP and PORT, I added the 'admin', 'faculty', and 'test' sub-domains to my /etc/hosts file (one line with the instance IP followed by the hostnames) with: sudo nano /etc/hosts. After running the scan, I used the -fw flag to filter the results by word count, specifying -fw 227. This narrowed down the results. The parameter accepted by the webpage is 'key'.
Parameter Fuzzing — POST
To create the 'ids.txt' wordlist, I used a Bash loop to write all numbers from 1 to 1000 to a file: for i in $(seq 1 1000); do echo $i >> ids.txt; done Next, I performed value fuzzing with the 'ids.txt' wordlist using the following command:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:32558/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 768
Without the filter this returns a wall of 1000 code 200 responses, because the page answers every value with the same error page; filtering on size 768 drops that baseline and leaves only the value that is handled differently. The accepted value for the 'id' parameter was identified as '73'. Finally, I executed a cURL request with 'id=73' to collect the flag: curl http://admin.academy.htb:32558/admin/admin.php -X POST -d 'id=73' -H 'Content-Type: application/x-www-form-urlencoded' The content of the flag retrieved from the POST request was not provided. I ran a sub-domain/VHost fuzzing scan on '*.academy.htb' using the following command:
ffuf -w Downloads/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:56904/ -H 'Host: FUZZ.academy.htb' -c -ic
After running the scan, I identified the following sub-domains: admin, test, faculty. I used this command to run an extension fuzzing scan:
ffuf -w Downloads/web-extensions.txt:FUZZ -u http://archive.academy.htb:56904/indexFUZZ -c -ic -t 200
After running the scan, I found that the following extensions are accepted by the domain: .php .phps .php7 I used the following command to run a directory fuzzing scan with those extensions and one level of recursion: ffuf -w Downloads/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:32136/FUZZ -e .php,.php7,.phps -recursion -recursion-depth 1 -c -ic -t 200 After running the scan, I identified a page with the URL: http://faculty.academy.htb:PORT/courses/linux-security.php7
I used these commands to run parameter fuzzing scans on the page, first without a filter to learn the baseline size and then with it: ffuf -w Downloads/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:56904/courses/linux-security.php7 -c -ic -t 200 -H 'Content-Type: application/x-www-form-urlencoded' -d 'FUZZ=key' -X POST ffuf -w Downloads/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:56904/courses/linux-security.php7 -c -ic -t 200 -H 'Content-Type: application/x-www-form-urlencoded' -d 'FUZZ=key' -X POST -fs 774 After running these scans, I found multiple parameters accepted by the page: 'user' and 'username'.
I used this command to fuzz the parameters I found earlier for valid values: ffuf -w Downloads/usernames.txt:FUZZ -u http://faculty.academy.htb:56904/courses/linux-security.php7 -c -ic -t 200 -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ' -X POST -fs 781 and then requested the page with the value that passed the filter: curl http://faculty.academy.htb:56904/courses/linux-security.php7 -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=harry' After running the fuzzing scan, I found that one of the values returned a flag. The flag is: HTB{w3b_fuzz1n6_m4573r}
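The ffuf runs above (directory, page and recursive fuzzing, VHost fuzzing through the Host header, GET and POST parameter fuzzing, value fuzzing, and the -fs/-fw filters) all share one mechanic: substitute FUZZ into one slot of a request template, send it, and drop every response that looks like the server's "nothing here" baseline. The following is an added example, not part of the write-up and not ffuf's own code: a minimal fuzzer in Python that reproduces that mechanic, including the wordlist clean-up the sed one-liner performs, ffuf's default status-code matching, and one level of recursion. Rather than a live target, it sends requests to FakeTarget, a constructed stand-in for a lab box whose hostnames, paths, parameter names and flag string are assumptions chosen to mirror the write-up.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Response:
    status: int
    body: str

    @property
    def size(self) -> int:        # what ffuf's -fs / -ms compare against
        return len(self.body.encode())

    @property
    def words(self) -> int:       # what ffuf's -fw / -mw compare against
        return len(self.body.split())


@dataclass
class Request:
    url: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    data: str = ""


Send = Callable[[Request], Response]
DEFAULT_MC = {*range(200, 300), 301, 302, 307, 401, 403, 405, 500}  # ffuf's default -mc


def clean_wordlist(lines: Iterable[str]) -> List[str]:
    """Same effect as the two sed commands: drop comment lines and blank lines."""
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def fuzz(template: Request, words: Iterable[str], send: Send, *,
         mc: Set[int] = DEFAULT_MC, fc: Set[int] = frozenset(),
         fs: Set[int] = frozenset(), fw: Set[int] = frozenset()) -> List[Tuple[str, Response]]:
    """Substitute FUZZ in url, headers and body; keep responses that pass the filters."""
    hits = []
    for w in words:
        req = Request(url=template.url.replace("FUZZ", w), method=template.method,
                      headers={k: v.replace("FUZZ", w) for k, v in template.headers.items()},
                      data=template.data.replace("FUZZ", w))
        r = send(req)
        if r.status not in mc or r.status in fc:
            continue
        if r.size in fs or r.words in fw:      # -fs / -fw: drop the baseline response
            continue
        hits.append((w, r))
    return hits


def fuzz_dirs(base: str, words: List[str], send: Send, exts: Tuple[str, ...] = (),
              depth: int = 0) -> List[str]:
    """-e ext1,ext2 plus -recursion -recursion-depth N: directory hits (301) are re-fuzzed."""
    found = []
    for w, r in fuzz(Request(url=f"{base}FUZZ"), words, send):
        found.append(f"{base}{w}")
        if r.status == 301 and depth > 0:        # recurse into a directory that redirects
            found += fuzz_dirs(f"{base}{w}/", words, send, exts, depth - 1)
    for ext in exts:
        found += [f"{base}{w}{ext}" for w, _ in fuzz(Request(url=f"{base}FUZZ{ext}"), words, send)]
    return found


class FakeTarget:
    """Constructed lab stand-in (assumption): unknown vhosts/params get one 900-byte baseline page."""
    BASELINE = "<html>" + "x" * 894  # exactly 900 bytes, like the -fs 900 baseline above

    def __call__(self, req: Request) -> Response:
        u = urlsplit(req.url)
        host = req.headers.get("Host", u.hostname)   # Host header wins, as on a real server
        if host == "test.academy.htb":               # the one non-default vhost
            return Response(200, "<html>test vhost</html>")
        if host != "academy.htb":
            return Response(200, self.BASELINE)
        if u.path in ("/blog", "/forum"):            # directories answer with a redirect
            return Response(301, "")
        if u.path == "/blog/index.php":
            return Response(200, "")                 # size 0, as on the lab
        if u.path == "/blog/home.php":
            return Response(200, "<p>FLAG{constructed_example}</p>")
        if u.path == "/admin/admin.php":
            params = parse_qs(u.query if req.method == "GET" else req.data)
            if "key" in params or params.get("id") == ["73"]:
                return Response(200, "<html>accepted</html>")
            return Response(200, self.BASELINE)
        return Response(404, "not found")


if __name__ == "__main__":
    target = FakeTarget()
    words = clean_wordlist(["# comment", "", "blog", "forum", "index", "home", "admin"])
    print(fuzz_dirs("http://academy.htb/", words, target, exts=(".php",), depth=1))
    vhosts = fuzz(Request("http://academy.htb/", headers={"Host": "FUZZ.academy.htb"}),
                  ["www", "test", "admin"], target, fs={900})
    print([w for w, _ in vhosts])
```

The point to take from the filters is that -fs and -fw never identify the interesting response directly; they remove the one response the server gives to everything it does not recognise, which is why each ffuf run above is preceded by an unfiltered run to learn that baseline, and why the number changes from instance to instance.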
INTRODUCTION
I calculated the decimal representation of the subnet mask for the CIDR notation 10.200.20.0/27. The /27 means the first 27 bits of the mask are set to 1 for the network portion and the remaining 5 bits are set to 0 for the host portion. This gives the binary subnet mask 11111111.11111111.11111111.11100000, which converts to 255.255.255.224 in decimal. Therefore, the decimal representation of the subnet mask for 10.200.20.0/27 is 255.255.255.224.
To determine the broadcast address for 10.200.20.0/27, I used a bitwise OR between the network address and the inverted subnet mask. The subnet mask for /27 is 255.255.255.224, which in binary is 11111111.11111111.11111111.11100000. Inverting this mask gives 00000000.00000000.00000000.00011111.
Starting with the network address 10.200.20.0 in binary, I performed the bitwise OR with the inverted subnet mask:
   00001010.11001000.00010100.00000000 (network address)
OR 00000000.00000000.00000000.00011111 (inverted subnet mask)
 = 00001010.11001000.00010100.00011111
Converting the result to decimal gives 10.200.20.31. Therefore, the broadcast address for 10.200.20.0/27 is 10.200.20.31.
To divide the network 10.200.20.0/27 into 4 smaller subnets, each with a /29 subnet mask, we need to borrow 2 additional bits from the host part of the original network: 2 borrowed bits give 2^2 = 4 subnets, and the 3 remaining host bits give each subnet 8 addresses, of which 6 are usable (the first is the network address and the last is the broadcast). This creates subnets with fewer host addresses but more networks. The subnets break down as follows:
Subnet 1: 10.200.20.0/29 - network address 10.200.20.0, usable range 10.200.20.1 to 10.200.20.6, broadcast address 10.200.20.7
Subnet 2: 10.200.20.8/29 - network address 10.200.20.8, usable range 10.200.20.9 to 10.200.20.14, broadcast address 10.200.20.15
Subnet 3: 10.200.20.16/29 - network address 10.200.20.16, usable range 10.200.20.17 to 10.200.20.22, broadcast address 10.200.20.23
Subnet 4: 10.200.20.24/29 - network address 10.200.20.24, usable range 10.200.20.25 to 10.200.20.30, broadcast address 10.200.20.31
The question asked specifically for the network address of the third subnet, which is 10.200.20.16. Therefore, the answer is 10.200.20.16. This subnetting allows the original network to be segmented into smaller, more manageable parts while using the IP addresses within each subnet efficiently. We previously divided the network 10.200.20.0/27 into 4 subnets and calculated that the broadcast address of the second subnet is 10.200.20.15. This is unchanged from the earlier determination, so the answer remains 10.200.20.15. This subnetting approach lets us allocate smaller portions of the original network for specific purposes, optimizing IP address usage and network efficiency across different segments. Finally, I would like to mention that this beginner's networking course has given me a lot of useful information. Now I feel that I can easily set up a network at home, manage networks for companies, and learn more about cybersecurity.
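The mask, broadcast and subnet-splitting steps above are one instance of a general procedure on the 32-bit address: build the mask from the prefix length, AND it with the address to get the network, OR the network with the inverted mask to get the broadcast, and step through the parent block in chunks of 2^(32 - new prefix) to enumerate the child subnets. The following is an added example, not part of the write-up: that procedure in Python with plain integer arithmetic, cross-checked against the standard library's ipaddress module so the hand calculation can be verified for any prefix, not only /27 into /29. The only inputs it assumes are the write-up's own values.

```python
import ipaddress
from typing import List, Tuple


def to_int(dotted: str) -> int:
    """'10.200.20.0' -> 32-bit integer."""
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/27 -> 27 leading ones: shift the all-ones mask left by the 5 host bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_of(addr: str, prefix: int) -> int:
    """Network address: address AND mask (clears the host bits)."""
    return to_int(addr) & mask_from_prefix(prefix)


def broadcast_of(addr: str, prefix: int) -> str:
    """Broadcast: network OR inverted mask, exactly the operation in the write-up."""
    host_bits = ~mask_from_prefix(prefix) & 0xFFFFFFFF
    return to_dotted(network_of(addr, prefix) | host_bits)


def subnets(addr: str, prefix: int, new_prefix: int) -> List[Tuple[str, str, str, str]]:
    """Borrow (new_prefix - prefix) host bits; returns (network/len, first, last, broadcast)."""
    if not prefix <= new_prefix <= 30:
        raise ValueError("new prefix must lie between the parent prefix and /30")
    base = network_of(addr, prefix)
    block = 1 << (32 - new_prefix)              # addresses per child subnet (8 for /29)
    out = []
    for i in range(1 << (new_prefix - prefix)): # 2^(borrowed bits) children (4 here)
        net = base + i * block
        out.append((f"{to_dotted(net)}/{new_prefix}",
                    to_dotted(net + 1),          # first usable
                    to_dotted(net + block - 2),  # last usable
                    to_dotted(net + block - 1))) # broadcast
    return out


def cross_check(addr: str, prefix: int, new_prefix: int) -> bool:
    """Compare the hand arithmetic against ipaddress for mask, broadcast and child subnets."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    ours = [s[0] for s in subnets(addr, prefix, new_prefix)]
    theirs = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    return (to_dotted(mask_from_prefix(prefix)) == str(net.netmask)
            and broadcast_of(addr, prefix) == str(net.broadcast_address)
            and ours == theirs)


if __name__ == "__main__":
    print("mask      ", to_dotted(mask_from_prefix(27)))
    print("broadcast ", broadcast_of("10.200.20.0", 27))
    for n, (network, first, last, bcast) in enumerate(subnets("10.200.20.0", 27, 29), 1):
        print(f"subnet {n}: {network} usable {first}-{last} broadcast {bcast}")
    print("matches ipaddress:", cross_check("10.200.20.0", 27, 29))
```

The upper bound of /30 in subnets() is deliberate: a /31 or /32 has no room for the first-usable/last-usable convention used in the write-up, so the function refuses rather than return a negative-width range.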