- This machine is very similar to reality.
- We can learn how to distinguish between crashing the system and being banned. This is crucial in real-world penetration testing scenarios.
- Concepts
1. nibble: A unit of digital information that consists of 4 bits. (e.g., Binary: 1010 -> Hexadecimal: A)
2. ASCII (American Standard Code for Information Interchange): Character Encoding standard used to represent text in computers.
3. BSD (Berkeley Software Distribution): A Unix-like OS. Many modern systems (e.g., macOS, FreeBSD) are derived from BSD.
4. CSRF magic token: A security measure used to protect web applications from Cross-Site Request Forgery attacks. The server generates this token for each user session; it is embedded in requests, and the server verifies it to ensure the request is legitimate.
- Commands
1. nmap -sT
- TCP Connect Scan.
- Initiate a full TCP connection with the target.
- It involves completing the three-way handshake (SYN, SYN-ACK, ACK) for every port.
- It's slower and more detectable than a SYN scan (-sS).
2. ssh -D8080: Dynamic port forwarding. Configures a local port on your machine to act as a SOCKS proxy. Traffic sent to this port is forwarded securely through the SSH server. This is particularly useful for routing browser traffic or applications through a remote server for anonymity or bypassing restrictions.
- SOCKS proxy: Uses the SOCKS (Socket Secure) protocol. It is a type of proxy server that routes network traffic between a client and a server through itself. Unlike HTTP proxies, SOCKS proxies are not limited to web traffic. They can route traffic for browsers, email clients, FTP, P2P applications, or gaming servers.
- SOCKS4 is for Metasploit and SOCKS5 is for SSH.
- /etc/proxychains.conf: In here, we can change the version of SOCKS.
- proxychains {command}: route the command's network traffic through the proxy.
- key: If we got banned, we can just establish a proxy connection to another host and try it there. It is really helpful when we can't revert the box and need to find a way around the ban.
3. echo ${x:13:1}:
- x: A variable that holds a string value.
- 13: The starting position of the substring (0-based index)
- 1: The length of the substring to extract.
4. man ascii: shows ascii table
5. vi command
1) :%s/\-/${x}/g
- %: Apply the command to the entire file (every line).
- s: Substitute
- /\-/
- /: Separate the search pattern
- \-: Search for a literal hyphen (-). \ escapes the hyphen to ensure it's treated as a literal character and not part of a regex pattern.
- /${x}/
- ${x}: Replace each occurrence of the hyphen with the value of a shell variable x. This assumes we have defined the variable x before opening the editor.
- g: Global. Replace all occurrences in each line. Without g, only the first match in each line would be replaced.
2) :%s/;/\r/g: Replace every semicolon (;) with a newline (\r)
6. nc -lvnp 9001 vs nc -lvnp 9001 < cmd
- Here, cmd is the reverse shell file.
1) nc -lvnp 9001: simply catch the shell and interact with the target
2) nc -lvnp 9001 < cmd: The contents of cmd are automatically sent to the target as soon as they connect.
7. msfconsole: Command-line interface for the Metasploit Framework. A tool for vulnerability exploitation.
- The Metasploit Framework requires PostgreSQL because it uses a database to store and manage information about vulnerabilities, exploits, sessions, and hosts.
8. service postgresql status: check the status of a service (here, PostgreSQL).
9. Regular expressions
- ( : capture group parentheses
- . : match any character (except newline)
- * : zero or more occurrences of the preceding character or pattern
- ? (placed after a quantifier such as *): non-greedy. Match the shortest possible sequence that satisfies the pattern.
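The bash substring trick in item 3, the ASCII lookup in item 4, the two vi substitutions in item 5 and the regex pieces in item 9, collected into one runnable bash script. This is an added example, not code from the original notes; the sample string x and the bracketed log line are constructed, and since sed -E has no non-greedy .*?, the shortest match is written as [^]]* instead.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: the string tricks in items 3, 4,
# 5 and 9 rewritten as bash/sed functions so they can be run and checked.

# Constructed sample string. Index 13 (0-based) is the 'w' of "world".
x='hello there, world;a-b;c-d'

# Item 3: ${var:offset:length} - pull one character out of a string by index.
char_at() {            # char_at STRING INDEX -> the single character there
  printf '%s' "${1:$2:1}"
}

# Items 1 and 4: what "man ascii" would be looked up for, computed instead:
# the decimal code of a character and its two hex digits (two nibbles).
ascii_code() {         # ascii_code CHAR -> decimal ASCII value, e.g. w -> 119
  printf '%d' "'$1"
}
to_hex() {             # to_hex CHAR -> two hex digits, e.g. w -> 77
  printf '%02x' "'$1"
}

# Item 5.1: the vi command :%s/\-/${x}/g as sed. The shell expands "$2" into
# the s command before sed runs, so every '-' becomes that character.
replace_hyphen() {     # replace_hyphen TEXT REPL
  printf '%s' "$1" | sed "s/-/$2/g"
}

# Item 5.2: :%s/;/\r/g - one field per line, here with bash's ${var//pat/rep}.
split_semicolons() {   # split_semicolons TEXT -> fields separated by newlines
  local nl=$'\n'
  printf '%s\n' "${1//;/$nl}"
}

# Item 9: capture group and greedy vs. shortest matching. sed -E has no
# non-greedy .*?, so the shortest match is written as [^]]* instead.
greedy_bracket() {     # greedy_bracket TEXT -> (.*) runs to the LAST ']'
  printf '%s\n' "$1" | sed -E 's/[^[]*\[(.*)\].*/\1/'
}
shortest_bracket() {   # shortest_bracket TEXT -> [^]]* stops at the FIRST ']'
  printf '%s\n' "$1" | sed -E 's/[^[]*\[([^]]*)\].*/\1/'
}

# Stand-alone demo of the functions on the sample string.
c=$(char_at "$x" 13)
printf 'x[13]=%s ascii=%s hex=%s\n' "$c" "$(ascii_code "$c")" "$(to_hex "$c")"
replace_hyphen "$x" "$c"; echo
split_semicolons "$x"
printf 'greedy=%s shortest=%s\n' "$(greedy_bracket 'log[first][second]')" \
  "$(shortest_bracket 'log[first][second]')"
```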