THM: Researching — Tools and Commands

You'll explore the basics of researching vulnerabilities, finding relevant CVEs, and learning about Linux commands useful for cybersecurity tasks.

---

1. Burp Suite Mode for Manual Requests

• Tool: Burp Suite

• Description: Burp Suite is a popular tool for testing web application security. It offers various modes to analyze, manipulate, and exploit requests.

• Mode - Repeater: The Repeater tool allows you to manually send a single HTTP request multiple times. This is useful when testing parameters, payloads, or authentication schemes by modifying and re-sending requests.

• Command Summary: In Burp Suite, open Repeater mode from the top menu to resend requests and view responses, adjusting each request manually.

2. Windows Password Hash Format

• Concept: NTLM (NT LAN Manager) is a Microsoft protocol for storing Windows login passwords.

• Explanation: NTLM hashes are cryptographic representations of user passwords, primarily used by Windows. Although the hash is not reversible, NTLM has some weaknesses, especially if hashes are captured from network traffic.

3. Automated Tasks in Linux

• Concept: Cron Jobs

• Explanation: Cron is a job scheduler in Unix-like systems, allowing automated tasks to run periodically, like backups, updates, or custom scripts.

• Common Commands:

  • crontab -e: Opens the cron table editor to define tasks.

  • Cron Job Syntax: * * * * * command_to_run

    • Example: 0 5 * * * /home/user/backup.sh (runs a backup daily at 5 AM).

4. Shorthand Number Base

• Concept: Hexadecimal (Base 16)

• Explanation: Hexadecimal (base 16) is often used as shorthand for binary (base 2) as it compresses binary sequences. Each hex digit represents four binary bits, making it easier to read and write large binary values.

• Example: The binary 1010 1111 is equivalent to the hexadecimal AF.

5. Unix Password Hash Format

• Concept: SHA512crypt

• Explanation: SHA512crypt is a hash format used in Unix systems for securely storing passwords in a salted manner. The prefix $6$ in Unix password hashes indicates SHA-512 as the hashing algorithm.

---

Common Vulnerabilities and Exposures (CVE) Research

1. WPForms 2020 XSS Vulnerability

• Concept: Cross-Site Scripting (XSS)

• CVE-2020-10385: This vulnerability allowed attackers to inject malicious scripts into WPForms, a WordPress plugin, enabling script execution when a user viewed a vulnerable form entry.

• CVE Search Command Example:

  • searchsploit WPForms CVE-2020-10385 (if using Exploit-DB or similar databases).

2. Apache Tomcat Privilege Escalation (2016)

• CVE-2016-1240: Found in Debian’s version of Apache Tomcat, this vulnerability allowed local privilege escalation due to insecure permissions on configuration files.

• Command to Check CVEs:

  • searchsploit CVE-2016-1240

3. First VLC Media Player CVE

• CVE-2007-0017: The earliest vulnerability for VLC involved a buffer overflow, allowing remote attackers to execute arbitrary code.

• Note: Understanding the impact of such vulnerabilities is crucial for penetration testers assessing application security.

4. 2020 Buffer Overflow in Sudo Program

• CVE-2019-18634: This vulnerability in the sudo program (a Unix command for executing commands as another user) could allow attackers with certain configurations to gain root access.

• Sudo Command Use Example:

  • To test for buffer overflow vulnerabilities in sudo, sometimes sudo -l is used to check permissions, but CVE-2019-18634 requires a more complex exploitation setup.

---

Common Linux Commands for Pentesting

1. Copying Directories with SCP

• Command: scp -r <source_directory> <user>@<target_host>:<target_directory>

• Explanation: The -r flag in SCP (Secure Copy Protocol) is used to copy entire directories. SCP allows secure file transfer between hosts over SSH.

• Example: scp -r /local/dir user@192.168.1.10:/remote/dir

2. Viewing Disk Partitions with fdisk

• Command: fdisk -l

• Explanation: The -l flag with fdisk lists the current disk partitions, helping system administrators or penetration testers understand the target’s storage layout.

• Example Output: Shows partition types, sizes, and filesystem identifiers.

3. Making Backups with nano

• Command: nano -b <file>

• Explanation: The -b flag in nano creates a backup of the original file before editing. This is useful for cautious editing, especially in sensitive files like configurations.

• Backup Example: Editing /etc/hosts with nano -b /etc/hosts creates a backup in the same directory.

4. Listening on a Port with Netcat

• Command: nc -l -p <port_number>

• Explanation: Netcat (nc) is often referred to as the "Swiss army knife" of networking, allowing users to establish simple connections. The -l flag starts Netcat in listening mode, and -p specifies the port. This setup is useful for setting up listeners to catch reverse shells.

• Example: nc -l -p 12345 will wait for connections on port 12345.

---