CTF-Notes icon indicating copy to clipboard operation
CTF-Notes copied to clipboard

Published 20 hours ago verified publisher icon purplestormctf

Metadata

From Zero To Hero

CTF-Notes

From Zero To Hero

About this repository

This repository will contain various notes, code snippets, hints and different sources related to all kinds of cybersecurity topics, dropped by our team members.

Table of Contents

  • Where to start
  • Basic Knowledge
  • First Steps
  • Checklist
  • Tool Recommendations
  • Trainings
  • Hacking Resources & Tutorials

Where to Start

Basic Knowledge

  • It is recommended to work in a virtual environment like an Kali Linux instance running on VirtualBox or VMware Player.
  • Make sure you downloaded the correct .ovpn file to connect to the network and access your box.
$ sudo openvpn /PATH/TO/OVPNFILE/<USERNAME>.ovpn
  • Wordlists are usually located in /usr/share/wordlists/. The mostly used ones are:
    • rockyou.txt (sudo gunzip /usr/share/wordlists/rockyou.txt.gz)
    • /usr/share/wordlists/seclists (https://github.com/danielmiessler/SecLists)
  • If you are missing some tools, try to install them from the Kali Linux repository.
$ sudo apt-get install kali-linux-everything
  • If a website is not reachable via IP address and redirects you, try to add it to the /etc/hosts file.
  • Always familiarize yourself with the tools you use and checkout their documentation as well as the parameter -h.
  • Don't run exploits from the internet without understanding what they are doing.

First Steps

There are some basic things you should be aware about when you approaching a new box.

  • Make sure to take proper notes. Probably you want to concider to write them in Markdown and Obsidian for example. Here are a few alternatives:
  • Always keep some sort of reconnaissance running in the background like directory busting with Gobuster, which can take some time.
  • Make sure to enumerate every service and every endpoint properly. On a website for example, check for usernames, email address schemes, check the source of the website click or hover over every link you can find to see if they lead to something.
  • Check for already known vulnerabilities and exploits. Therefore you can just use Google. Here are a few examples:
    • <APPLICATION> vulnerability
    • <APPLICATION> <VERSION> vulnerability
    • <APPLICATION> <VERSION> exploit
    • <APPLICATION> <VERSION> poc
    • <APPLICATION> <VERSION> github
    • <APPLICATION> <VERSION> github poc Alternatively check Exploit Database, Sploitus or use searchsploit from the command line.
$ searchsploit <APPLICATION>
  • Try default credentials (https://github.com/ihebski/DefaultCreds-cheat-sheet) or admin:admin. Especially on web applications.
  • If you find credentials or just a password, always go for credential reuse and try if they work for another user as well.

Checklist

Depending on what a box offers to you, you can go through the following checklist.

  1. Run nmap!
$ sudo nmap -sC -sV -p- <RHOST>
$ sudo nmap -sC -sV -Pn -p- <RHOST>
$ sudo nmap -sV -sU <RHOST>
  1. If a webserver is available, check robots.txt.

http://RHOST/robots.txt

  1. Also, give whatweb a try.
$ whatweb http://<RHOST>
  1. Ob websites, try directory busting with different wordlists.
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
  1. Checking for subdomains. If a box offers you a vhost entry like http://openadmin.htb/ for example, it is always worth it to see if there are more vhosts configured.
$ gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
$ gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.openadmin.htb" -u http://openadmin.htb --mc all --fs <NUMBER>
  1. Intercept web requests with Burp Suite. Without getting to deep into the usage of Burp Suite, here are the steps to configure it in your browser.
  • Start Burp Suite and open your browser on http://burp.
  • Then download the CA Certificate.
  • Depending on your browser, switch to settings and then to certificates.
  • Import the certificate.
  • We recommend to use FoxyProxy and configure it there but you can also go with the proxy settings of your browser.
Setting Value
Proxy Type HTTP
Proxy IP address or DNS name 127.0.0.1
Port 8080
  • In Burp Suite switch to Target > Proxy settings and select Use advanced scope control.
  • Add the IP address of the box you are approaching.
  • Switch to the Proxy tab, move to Intercept and click on Intercept is off to enable it.
  • At last switch the proxy in FoxyProxy to the Burp Suite configuration and access the website. Now you can intercept the web traffic coming from and going to the box and modify as you want.

Tool Recommendations

Below you find just a few tools to start with. Of course this is not a complete list and there are always better tools for the job out there. Take small steps and get comfy with tools and techniques to develop and at last improve your unique approach on a system.

Information Gathering
Vulnerability Analysis
Web Application Analysis
Database Assessment
Password Attacks
Exploitation / Post Exploitation Tools

Trainings

If you feel you need to learn fundamentals of a new topic or to improve you knowledge in specific areas, I would recommend checking out TryHackMe which provides valuable learning paths to various topics.

Here are a few room recommendations for beginners.

Hacking Resources & Tutorials

Here are a few resources and knowledgebases to cover various topics. Starting with writeup videos of IppSec is always a good call.

Also feel free to get in touch with us on our Discord, we are all willing to help!

Metadata

16
Stars
10
Forks
Watchers

Owner

verified publisher icon purplestormctf

Metadata

From Zero To Hero

Back