🔐
HackTheBox Writeups
  • kashz HTB Writeups
  • HTB BOXES
    • ACCESS
      • 5 admin
      • 4 user
      • 3 telnet
      • 2 http
      • 1 recon
    • ADMIRER
      • 5 root
      • 4 adminer-php
      • 3 ftp
      • 2 http
      • 1 recon
    • ARCHETYPE
      • 3 :1433 mssql
      • 2 :139 :445 smb
      • 1 recon
    • ARMAGEDDON
      • 8 privesc dirty_sockv2
      • 7 privesc
      • 6 box enum bruce
      • 5 :80 drupalgeddon2
      • 4 :80 droopescan
      • 3 :80
      • 2 :80 robots.txt
      • 1 recon
    • ATOM
      • 4 privesc
      • 3 box enum jason
      • 2 :139 :445 smb
      • 1 recon
    • BANK
      • 5 privesc
      • 4 box enum
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • BANKROBBER
      • 6 privesc brute force PIN > BOF
      • 5 privesc bankv2.exe
      • 4 box enum cortin
      • 3 admin backdoorchecker.php
      • 2 :80 :443 XSS > admin
      • 1 recon
    • BASHED
      • 2 :80
      • 1 recon
    • BASTARD
      • 6 privesc_2 ms10-059
      • 5 privesc_1 ms15-051
      • 4 box enum KE
      • 3 :80 drupalgeddon2
      • 2 :80 drupal7
      • 1 recon
    • BASTION
      • 3 box enum > privesc
      • 2 :139 :445 smb
      • 1 recon
    • BEEP
      • 7 :80 elastix 2.2.0 RCE + privesc
      • 6 :10000 webmin
      • 5 :25 smtp
      • 4 :80 vtigercrm
      • 3 :80 admin
      • 2 :80
      • 1 recon
    • BLOCKY
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • BLUE
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • BLUNDER
      • 5 www-data > hugo > root
      • 4 box enum
      • 3 bludit 3.9.2 file_upload RCE
      • 2 :80
      • 1 recon
    • BOUNTY
      • 4 JuicyPotato
      • 3 privesc check
      • 2 :80
      • 1 recon
    • BOUNTYHUNTER
      • 4 privesc
      • 3 :22 ssh development
      • 2 :80 xxe
      • 1 recon
    • BRAINFUCK
      • 5 privesc
      • 5 :443 sup3rs3cr3t.brainfuck.htb
      • 4 :143 imap
      • 3 :443 wpscan
      • 2 :443
      • 1 recon
    • BRAINPAN1
      • 4 privesc
      • 3 BOF
      • 2 :10000
      • 1 recon
    • BUCKET
      • 6 privesc
      • 5 dynamodb roy
      • 4 box enum www-data
      • 3 :80 s3.bucket.htb
      • 2 :80 bucket.htb
      • 1 recon
    • BUFF
      • 4 privesc
      • 3 :80
      • 2 :8080
      • 1 recon
    • CAP
      • 4 privesc
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • CHATTERBOX
      • 5 privesc autologon creds
      • 4 privesc w/ grant perm
      • 3 box enum
      • 2 :9256 achat chat system
      • 1 recon
    • CONCEAL
      • 9 privesc
      • 8 :80
      • 7 :21 ftp
      • 6 post vpn recon
      • 5 ipsec conn config
      • 4 ipsec summary
      • 3 :500/udp ipsec
      • 2 :161/udp snmp
      • 1 recon
    • CRONOS
      • 6 post enum
      • 5 privesc cronjob
      • 4 box enum
      • 3 :53 dns
      • 2 :80
      • 1 recon
    • DELIVERY
      • 4 :3306 mysql > privesc
      • 3 :8065 mattermost
      • 2 :80
      • 1 recon
    • DEVEL
      • 4 privesc_2 ms11-046
      • 3 privesc_1 JuicyPotato
      • 2 :21 ftp
      • 1 recon
    • DOCTOR
      • 7 post enum
      • 6 :8089 privesc splunk > root
      • 5 web > shaun
      • 4 box enum web
      • 3 :80 SSTI
      • 2 :80 splunkd
      • 1 recon
    • DYNSTR
      • 6 privesc
      • 5 box enum > bindmgr
      • 4 nsupdate exploit
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • EXPLORE
      • 3 :2222 ssh kristi > root
      • 2 :59777 es file explorer
      • 1 recon
    • FRIENDZONE
      • 7 privesc
      • 6 administrator1.friendzone.red
      • 5 dns
      • 4 smb
      • 3 :443
      • 2 :80
      • 1 recon
    • FUSE
      • 7 privesc SeLoadDriverPrivilege
      • 6 rpc
      • 5 spray passwd
      • 4 :389 ldap
      • 3 :80 PaperCut Logger
      • 2 :139 :445 smb
      • 1 recon
    • GRANDPA
      • 4 privesc
      • 3 webdav exploit
      • 2 :80
      • 1 recon
    • GRANNY
      • 4 privesc
      • 3 :80 webdav exploit
      • 2 :80
      • 1 recon
    • HAIRCUT
      • 5 post enum
      • 4 privesc www-data > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • IRKED
      • 4 box enum
      • 3 :6697 irc
      • 2 :80
      • 1 recon
    • JARVIS
      • 9 post enum
      • 8 pepper > root
      • 7 www-data > pepper
      • 6 box enum www-data
      • 5 phpMyAdmin 4.8 LFI
      • 4 :80 sqli
      • 3 :64999
      • 2 :80
      • 1 recon
    • JEEVES
      • 2 :50000
      • 1 recon
    • JERRY
      • 4 manual
      • 3 tomcatWarDeployer
      • 2 :8080 tomcat
      • 1 recon
    • KNIFE
      • 3 privesc
      • 2 :80 php 8.1.0 dev
      • 1 recon
    • LABORATORY
      • 6 privesc
      • 5 gitlab admin dexter
      • 4 stable shell
      • 3 :443 gitlab shell
      • 2 :443 gitlab
      • 1 recon
    • LACASADEPAPEL
      • 4 box enum > privesc
      • 3 :80 > :443
      • 2 :21 ftp
      • 1 recon
    • LAME
      • 4 :139 :445 smb exploit
      • 3 :3632 distccd
      • 2 :139 :445 smb
      • 1 recon
    • LEGACY
      • 4 MS-17-010
      • 3 MS08-067
      • 2 :139 :445 smb
      • 1 recon
    • LOVE
      • 3 privesc
      • 2 :80
      • 1 recon
    • MAGIC
      • 5 post enum
      • 4 privesc theseus > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • MANGO
      • 6 post enum
      • 5 privesc admin > root
      • 4 mango > admin
      • 3 box enum mango
      • 2 :80 :443
      • 1 recon
    • MIRAI
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • MONITORS
      • 12 post enum
      • 11 docker breakout > root
      • 10 Apache Tomcat/9.0.31 deserialization RCE > docker root
      • 9 box enum marcus
      • 8 manual enum www-data
      • 7 :8443
      • 6 box enum www-data
      • 5 cacti-admin.monitors.htb
      • 4 wp with spritz exploit
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • NETWORKED
      • 7 post enum
      • 6 box enum guly > privesc > root
      • 5 check_attack.php
      • 4 box enum
      • 3 :80 upload.php & lib.php
      • 2 :80
      • 1 recon
    • NIBBLES
      • 4 privesc
      • 3 fileUpload exploit
      • 2 :80
      • 1 recon
    • NINEVEH
      • 6 post enum
      • 5 privesc amrois > root
      • 4 box enum www-data > amrois
      • 3 :443
      • 2 :80
      • 1 recon
    • NODE
      • 7 post enum
      • 6 privesc tom > root
      • 5 mark > tom
      • 4 box enum mark
      • 3 :3000 login
      • 2 :3000
      • 1 recon
    • OMNI
      • 5 cracking user.txt | root.txt
      • 4 dump SAM SYSTEM
      • 3 box enum ?
      • 2 :8080
      • 1 recon
    • OOPSIE
      • 4 post enum
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • OPENADMIN
      • 6 joanna > root
      • 5 jimmy > joanna
      • 4 manual enum > jimmy
      • 3 openNetAdmin 18.1.1
      • 2 :80
      • 1 recon
    • OPHIUCHI
      • 4 privesc
      • 3 yaml deserialization exploit
      • 2 :8080
      • 1 recon
    • OPTIMUM
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • PASSAGE
      • 7 post enum
      • 6 privesc dbus com.ubuntu.USBCreator.conf
      • 5 box enum nadav
      • 4 box enum paul
      • 3 box enum www-data
      • 2 :80 cutenews
      • 1 recon
    • POISON
      • 6 foothold_3 log poisoning
      • 5 foothold_2 phpinfo.php + LFI
      • 4 privesc vncviewer > root
      • 3 box enum charix
      • 2 :80
      • 1 recon
    • POPCORN
      • 7 post enum
      • 6 privesc_2 rds
      • 5 privesc_1 full-nelson
      • 4 manual privesc > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • POSTMAN
      • 6 webmin (matt > root)
      • 5 Matt > root
      • 4 redis > Matt
      • 3 :6379 redis
      • 2 :80
      • 1 recon
    • QUERIER
      • 6 privesc GPP CachedPassword
      • 5 privesc
      • 4 mssql using msf
      • 3 mssql
      • 2 smb
      • 1 recon
    • READY
      • 4 PEAS > docker > escape > root
      • 3 :5080 gitlab
      • 2 :5080 robots.txt
      • 1 recon
    • REMOTE
      • 8 privesc teamviewer
      • 7 privesc UsoSvc
      • 6 privesc
      • 5 RCE
      • 4 :111 rpc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • SCRIPTKIDDIE
      • 2 :5000
      • 1 recon
    • SECNOTES
      • 9 privesc_3 bash.exe
      • 8 privesc_2 UsoSvc
      • 7 privesc_1 PrintSpoofer
      • 6 box enum iis apppool
      • 5 :445 smb
      • 4 :80 CSRF
      • 3 :8808 IIS
      • 2 :80 IIS
      • 1 recon
    • SENSE
      • 2 :80 pfsense
      • 1 recon
    • SERVMON
      • 5 privesc
      • 4 box enum nadine
      • 3 :80 NVMS
      • 2 :21 ftp
      • 1 recon
    • SHIELD
      • 3 privesc
      • 2 :80
      • 1 recon
    • SHOCKER
      • 2 :80 shellshock
      • 1 recon
    • SILO
      • 6 odat shell
      • 5 sqlplus
      • 4 :1521 orcale tns listener
      • 3 :8080 XDB
      • 2 :80
      • 1 recon
    • SNEAKYMAILER
      • 11 post enum
      • 10 privesc low > root
      • 9 localhost:5000 > low
      • 8 box enum developer
      • 7 box enum www-data
      • 6 :21 ftp
      • 5 :143 imap
      • 4 :25 smtp
      • 3 :8080
      • 2 :80
      • 1 recon
    • SNIPER
      • 8 box enum chris + privesc
      • 7 iusr > chris
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt authority\iusr
      • 4 :80 /blog > LFI > smbRFI
      • 3 :80 /user
      • 2 :80
      • 1 recon
    • SOLIDSTATE
      • 7 privesc
      • 6 :22 ssh mindy
      • 5 :110 pop3
      • 4 apache james 2.3.2 RCE
      • 3 :4555 JAMES RAT 2.3.2
      • 2 :80
      • 1 recon
    • SPECTRA
      • 4 nginx shell > katie
      • 3 wordpress
      • 2 :80
      • 1 recon
    • SPIDER
      • 8 post enum
      • 7 localhost:8080 XXE
      • 6 box enum chiv manual
      • 5 box enum chiv
      • 4 :80 chiv login + SSTI
      • 3 :80 sqlmap via flask cookie
      • 2 :80 SSTI via /register to /user
      • 1 recon
    • SWAGSHOP
      • 3 privesc
      • 2 :80
      • 1 recon
    • TABBY
      • 5 tomcat > ash > root
      • 4 box enum
      • 3 :8080 tomcat9
      • 2 :80
      • 1 recon
    • TARTARSAUCE
      • 10 post enum
      • 9 privesc omuna > root
      • 8 box enum onuma
      • 7 www-data > onuma
      • 6 box enum www-data
      • 5 :80 monstra
      • 4 :80 wpscan
      • 3 :80 monstra
      • 2 :80
      • 1 recon
    • TENET
      • 4 privesc
      • 3 php file injection (deserialization exploit)
      • 2 :80 wordpress
      • 1 recon
    • THENOTEBOOK
      • 5 privesc docker runC exploit
      • 4 shell
      • 3 :80 JWT exploitation
      • 2 :80
      • 1 recon
    • TRAVEREXEC
      • 5 david > root
      • 4 www-data > david
      • 3 box enum
      • 2 :80 nostromo 1.9.6
      • 1 recon
    • VACCINE
      • 4 privesc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • VALENTINE
      • 6 privesc dirtyc0w
      • 5 privesc tmux
      • 4 box enum
      • 3 heartbleed
      • 2 :80
      • 1 recon
    • WORKER
      • 11 evil-winrim robisl :5985
      • 10 box manual enum
      • 9 box enum iis apppool\defaultapppool
      • 8 privesc PrintSoofer FAIL
      • 7 :80 spectral.worker.htb shell
      • 6 :80 devops.worker.htb
      • 5 explore domains
      • 4 :80 dimension.worker.htb
      • 3 :3690 subversion
      • 2 :80 IIS 10.0
      • 1 recon
Powered by GitBook
On this page
  1. HTB BOXES
  2. CONCEAL

3 :500/udp ipsec

Using https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting

# finding out what server uses
$ ike-scan -M 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=48e4f117f9520cfd)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.075 seconds (13.28 hosts/sec).  1 returned handshake; 0 returned notify
# 1 returned handshake; 0 returned notify

# find a valid transformation
# generate all possible transformations
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
# brute force
$ while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line 10.10.10.116) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
| will try aggressive scan if this doesn't give output
Valid trans found: --trans=5,2,1,2
Valid trans found: --trans=7/128,2,1,2

# server fingerprinting with both --trans is same
$ ike-scan -M --showbackoff 10.10.10.116 --trans=5,2,1,2
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=e3673e4fc68ed2b4)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
10.10.10.116    1       1632466790.012245       0.000000
10.10.10.116    Implementation guess: Linksys Etherfast

Ending ike-scan 1.9.4: 1 hosts scanned in 60.099 seconds (0.02 hosts/sec).  1 returned handshake; 0 returned notify

# find correct ID (group name)
$ ike-scan -P -M -A -n fakeID 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

# no hash is returned, brute forcing the ID(group name)

$ sudo /opt/ike/iker.py conceal.htb
iker v. 1.1

Starting iker (http://labs.portcullis.co.uk/tools/iker) at Fri, 08 Oct 2021 18:41:30 +0000
[*] Discovering IKE services, please wait...
[*] IKE service identified at: 10.10.10.116
[*] Checking for IKE version 2 support...
[*] Vendor ID identified for IP 10.10.10.116 with transform Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080: IKE CGA version 1

[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.10.10.116: Linksys Etherfast

[*] Looking for accepted transforms at 10.10.10.116
[*] Transform found: Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080
[*] Transform found: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080
[====================] 100% - Current transform: 7/256,2,65001,5
[*] Looking for accepted transforms in aggressive mode at 10.10.10.116
[====================] 100% - Current transform: 7/256,2,65001,5

Results:
--------
Resuls for IP 10.10.10.116:

[+] The IKE service could be discovered (Risk: LOW)
[+] The IKE service could be fingerprinted by analysing the vendor ID (VID) returned (Risk: LOW)
        IKE CGA version 1
[+] The IKE service could be fingerprinted by analysing the responses received (Risk: LOW): Linksys Etherfast
iker finished at Fri, 08 Oct 2021 18:47:35 +0000
Previous4 ipsec summaryNext2 :161/udp snmp

Last updated 3 years ago