This tool provides a structured process for completing capture the flag challenges. The idea is to quickly bring your attention to the places where you're most likely to find vulnerabilities, in an optimal order that applies to all challenges. I'll continue updating this with every challenge I do.
The commands below read the TARGET environment variable, so set that to your target in your shell. To have it apply across sessions, I recommend setting this variable in your .zshrc and updating it every time you switch targets. A helper function for doing this is shown in the Set Target section.

Set Target: add the following to your ~/.zshrc. Note: if you're not using zsh, replace ~/.zshrc with the appropriate shell profile configuration file.
```shell
# settarget: rewrite the "export TARGET" line in ~/.zshrc and reload the file.
# This uses GNU sed syntax; on macOS/BSD sed the in-place flag is written `sed -i ''`.
function settarget {
  sed -i "/^export TARGET/c\export TARGET=\"$1\"" ~/.zshrc && source ~/.zshrc
}
# The line that settarget rewrites; it must already exist in ~/.zshrc for the
# `c\` (change line) command above to have anything to replace.
export TARGET="192.168.2.1"
```
Then you can use it like `settarget 192.168.2.1` and confirm the result with `echo $TARGET`.
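A more robust variant of the settarget helper, added here as an example and not part of the original guide: it validates the argument, appends the export line when the rc file does not contain one yet (the `c\` form only edits an existing line), avoids the GNU/BSD difference in `sed -i`, and exports TARGET in the current shell without re-sourcing the whole rc file. SETTARGET_RC is an assumed override variable so the function can be pointed at a different rc file.

```shell
# Added example, not from the original guide. SETTARGET_RC is an assumed
# override; it defaults to ~/.zshrc like the original helper.
SETTARGET_RC="${SETTARGET_RC:-$HOME/.zshrc}"

# settarget_valid: accept an IPv4/IPv6 address or a plain hostname and reject
# anything with shell metacharacters, so the rc file only ever gets a plain string.
settarget_valid() {
  case "$1" in
    '' | *[!A-Za-z0-9.:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# settarget: persist the target in the rc file and export it in this shell.
settarget() {
  settarget_valid "$1" || { echo "settarget: invalid target '$1'" >&2; return 1; }
  rc="$SETTARGET_RC"
  [ -f "$rc" ] || : > "$rc"
  tmp="$rc.tmp.$$"
  # Drop any previous export TARGET line(s) (grep exits 1 on an empty file,
  # which is fine), then append the new one; no sed -i needed.
  grep -v '^export TARGET=' "$rc" > "$tmp" || true
  printf 'export TARGET="%s"\n' "$1" >> "$tmp"
  mv "$tmp" "$rc"
  TARGET="$1"
  export TARGET
}

# current_target: read back the persisted value, i.e. what a new shell would see.
current_target() {
  sed -n 's/^export TARGET="\(.*\)"$/\1/p' "$SETTARGET_RC" | tail -n 1
}
```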
Run rustscan on the target:

```shell
rustscan -a $TARGET -- -A -sC
```
Vertical order: highest row == most likely to provide a higher-CVE-rating exploit.
Horizontal order: leftmost column == quicker path to RCE.

Service:Port | Level 1 | Level 2 | Level 3 |
---|---|---|---|
FTP:21 | Anonymous Login | Banner Grabbing | Deep Dive |
HTTP:80,443 | Enumeration | Burp Suite | WIP: Playbook |
SSH/SFTP:22 | Automated Audit | Banner Grabbing | Deep Dive |
Telnet:23 | Enumeration | Brute Force | Deep Dive |
Unknown:Random | Port Banner Grabbing | Port Search | |
A misconfigured FTP server will allow anonymous, passwordless login:

```shell
# You can connect via the browser (macOS `open`; use xdg-open on Linux):
$ open "ftp://anonymous:anonymous@$TARGET"
# Or use the ftp CLI
$ ftp $TARGET 21
ftp> user anonymous
# Try Anonymous || anonymous as the username; anonymous FTP conventionally accepts any password (e.g. an email address)
ftp> ls -a
```
Try to quickly determine the FTP server version and look for known vulnerabilities:

```shell
$ nc -vn $TARGET 21
$ searchsploit <FTP Server Version>
```
Try to quickly determine the SSH server version and look for known vulnerabilities:

```shell
$ nc -vn $TARGET 22
$ searchsploit <SSH Server Version>
```
Use the nmap telnet scripts to gather all the useful information:

```shell
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $TARGET
```

Brute force (Level 2) with any of the following:

```shell
hydra -l root -P passwords.txt [-t 32] $TARGET telnet
ncrack -p 23 --user root -P passwords.txt $TARGET [-T 5]
medusa -u root -P 500-worst-passwords.txt -h $TARGET -M telnet
```
Basic enumeration with nikto and dirb:

```shell
nikto --host $TARGET --port 80
dirb http://$TARGET/
```
Generally, start up Burp, open the embedded browser and manually navigate through the site, using the tool to drill into interesting areas. To learn more, check out something like this.
Connect over RDP with rdesktop:

```shell
rdesktop -u "" -f $TARGET
```
We want to learn what is running on this port. There are two quick methods available to us, netcat and curl:

```shell
# netcat
nc -nv $TARGET <PORT>
# curl
curl -v $TARGET:<PORT>
```
Based on the results of this, you may be able to determine what service is on the port and can move to the relevant section of this guide to explore it.
If you cannot figure it out, it never hurts to search something like ‘service on port X’, or use a site like adminsub.net. This may provide useful information to pivot.