Ubuntu 4 TryHackMe
I recently covered my Firefox setup, which is a standard setup I use for day2day as well as CTF's. Over the Advent of Christmas 2 I started using Ubuntu as my base OS instead of Kali. In this post I will be describing the tools I install and how I install them.
APT/Snap Packages
After running a apt-get update
I run the below to download tools from the Ubuntu Repos..
sudo apt-get install wireshark vim binutils dnsutils tmux zsh python3-pip john hashcat docker.io docker-compose lxd-tools lxd chromium-browser openvpn radare2 gdb tcpdump mtr-tiny aircrack-ng nikto gobuster steghide stegosuite p7zip dirb remmina virtualbox virtualbox-dkms virtualbox-ext-pack virtualbox-guest-additions-iso nmap curl wget git htop vim ruby ruby-dev netcat cifs-utils smbclient libssl-dev libbz2-1.0 libbz2-dev libbz2-ocaml libbz2-ocaml-dev hydra -y
This installs a number or required packages for some of the tools below as well as some tools.
Even though I prefer Firefox
it is always good to have chromium
just in-case there is any weirdness. As well as the above I also install Visual Studio Code via snap
sudo snap install code --classic
OhMyZsh
Recently I have been enjoying zsh
. To get zsh
working in a nice way I use OhMyZsh which can be installed via the below command.
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Cloning Oh My Zsh...
Cloning into '/home/tony/.oh-my-zsh'...
remote: Enumerating objects: 1194, done.
remote: Counting objects: 100% (1194/1194), done.
remote: Compressing objects: 100% (1162/1162), done.
remote: Total 1194 (delta 19), reused 1134 (delta 16), pack-reused 0
Receiving objects: 100% (1194/1194), 827.35 KiB | 1.88 MiB/s, done.
Resolving deltas: 100% (19/19), done.
Looking for an existing zsh config...
Using the Oh My Zsh template file and adding it to ~/.zshrc.
Time to change your default shell to zsh:
Do you want to change your default shell to zsh? [Y/n] y
Changing the shell...
Password:
Shell successfully changed to '/usr/bin/zsh'.
__ __
____ / /_ ____ ___ __ __ ____ _____/ /_
/ __ \/ __ \ / __ `__ \/ / / / /_ / / ___/ __ \
/ /_/ / / / / / / / / / / /_/ / / /_(__ ) / / /
\____/_/ /_/ /_/ /_/ /_/\__, / /___/____/_/ /_/
/____/ ....is now installed!
Before you scream Oh My Zsh! please look over the ~/.zshrc file to select plugins, themes, and options.
• Follow us on Twitter: https://twitter.com/ohmyzsh
• Join our Discord server: https://discord.gg/ohmyzsh
• Get stickers, shirts, coffee mugs and other swag: https://shop.planetargon.com/collections/oh-my-zsh
➜ ~ vim .zshrc
In the above I run vim .zshrc
to change the theme to fino-time
which is the theme I prefer.
# Set name of the theme to load --- if set to "random", it will
# load a random theme each time oh-my-zsh is loaded, in which case,
# to know which specific one was loaded, run: echo $RANDOM_THEME
# See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
ZSH_THEME="fino-time"
You can browse the theme here https://github.com/ohmyzsh/ohmyzsh/wiki/Themes.
Rustscan
Rustscan is great addition to the tool box. It is a hell of a lot faster nmap
. You can get Rustscan from their GitHub Release Page as a debian package, once downloaded you can use dpkg
to install.
╰─○ sudo dpkg -i Downloads/rustscan_2.0.1_amd64.deb
Selecting previously unselected package rustscan.
(Reading database ... 203841 files and directories currently installed.)
Preparing to unpack .../rustscan_2.0.1_amd64.deb ...
Unpacking rustscan (2.0.0) ...
Setting up rustscan (2.0.0) ...
BurpSuite
Burp is key tool for many CTF's and web based testing. First we need to download the latest release from https://portswigger.net/burp/communitydownload . The Community downlod is a shell script that launches the installer.
sh -x Downloads/burpsuite_community_linux_v2020_12_1.sh
Once installed you can search the launch for it
SecLists
One of the useful things in Kali is the wordlists that it comes with, to get these onto our Ubuntu box we can run the below.
╰─○ git clone https://github.com/danielmiessler/SecLists.git
Cloning into 'SecLists'...
remote: Enumerating objects: 9535, done.
Receiving objects: 100% (9535/9535), 779.68 MiB | 9.24 MiB/s, done.
Resolving deltas: 100% (4948/4948), done.
Updating files: 100% (5336/5336), done.
Rock You
Under the Passwords
directory of SecLists
the infamous rockyou.txt
is conatined with a compressed tar.gz
. To decompress this and put it to the root of SecLists
( lets face it we want it in a quick to access directory as we use it loads... ) we can run the below commands.
╭─tony at jumper1 in ~
╰─○ tar -zxvf SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
rockyou.txt
╭─tony at jumper1 in ~
╰─○ mv rockyou.txt SecLists/
Ghidra
Ghidra has become a great too from the NSA which can be used for reverse engineering and can be downloaded from https://ghidra-sre.org/, once downloaded we will need to unzip.
╰─○ unzip Downloads/ghidra_9.2.1_PUBLIC_20201215.zip
Archive: Downloads/ghidra_9.2.1_PUBLIC_20201215.zip
creating: ghidra_9.2.1_PUBLIC/
Before running we will need to install Java Developement kit ( JDK ) from APT.
sudo apt-get install default-jdk -y
Once installed we can run the below to launch Ghidra
╰─○ ~/ghidra_9.2.1_PUBLIC/ghidraRun
MetaSploit
This is the like Burp is a corner stone of pen testing / CTF's. The easiest way to install this is to use the installer from the Rapid7 GitHub Page.
─tony at jumper1 in ~ 21-01-19 - 1:14:07
╰─○ cd Downloads
╭─tony at jumper1 in ~/Downloads 21-01-19 - 1:17:25
╰─○ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5922 100 5922 0 0 18859 0 --:--:-- --:--:-- --:--:-- 18859
This installs the repo to allow it to be managed and updated via APT.
Switching to root user to update the package
Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libfprint-2-tod1 libllvm10
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed
metasploit-framework
0 to upgrade, 1 to newly install, 0 to remove and 21 not to upgrade.
Need to get 248 MB of archives.
After this operation, 599 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 6.0.27+20210116112445~1rapid7-1 [248 MB]
Fetched 248 MB in 20s (12.4 MB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 204630 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_6.0.27+20210116112445~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (6.0.27+20210116112445~1rapid7-1) ...
Setting up metasploit-framework (6.0.27+20210116112445~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
Run msfconsole to get started
At first run you will be prompted to setup a database which I recommend doing.
╰─○ msfconsole
** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
Would you like to use and setup a new database (recommended)? yes
====================================================================
Running the 'init' command for the database:
Creating database at /home/tony/.msf4/db
Starting database at /home/tony/.msf4/db...success
Creating database users
Writing client authentication configuration file /home/tony/.msf4/db/pg_hba.conf
Stopping database at /home/tony/.msf4/db
Starting database at /home/tony/.msf4/db...success
Creating initial database schema
====================================================================
It also sets up a username/password for the Metasploit webserver, however I have never used this.
** Metasploit Framework Initial Setup Complete **
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v6.0.27-dev- ]
+ -- --=[ 2093 exploits - 1127 auxiliary - 355 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use the resource command to run
commands from a file
msf6 >
WPScan
wpscan
is a ruby application for scanning wordpress sites. Again this is a key one for CTF's and can installed via
╰─○ sudo gem install wpscan
Evil-winrm
Evil-winrm
is a util for exploiting windows boxes. Again this a ruby application that can installed via
╰─○ sudo gem install evil-winrm
John The Ripper
Although we installed john
above the default Ubuntu install seems to be missing things like gpg2john
... To fix this we can install the latest version from GitHub.
╰─○ git clone https://github.com/openwall/john.git
Cloning into 'john'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 92929 (delta 13), reused 7 (delta 3), pack-reused 92898
Receiving objects: 100% (92929/92929), 115.62 MiB | 8.22 MiB/s, done.
Resolving deltas: 100% (72952/72952), done.
Once cloned we can drop into the directory and compile it.
╭─tony at jumper1 in ~
╰─⠠⠵ cd john/src
╭─tony at jumper1 in ~/Downloads/john/src on bleeding-jumbo✘✘✘
╰─⠠⠵ ./configure
╭─tony at jumper1 in ~/Downloads/john/src on bleeding-jumbo✘✘✘
╰─⠠⠵ make && sudo make install
This will generate the required binaries which will be stored under ~/Downloads/john/run/
1password2john.py* calc_stat* gpg2john@ lion2john-alt.pl* pdf2john.pl* signal2john.py*
7z2john.pl* ccache2john.py* hccap2john* lion2john.pl* pem2john.py* sipdump2john.py*
adxcsouf2john.py* cisco2john.pl* hccapx2john.py* lotus2john.py* pfx2john.py* ssh2john.py*
aem2john.py* codepage.pl* hextoraw.pl* luks2john.py* pgpdisk2john.py* sspr2john.py*
aix2john.pl* cprepair* htdigest2john.py* mac2john-alt.py* pgpsda2john.py* staroffice2john.py*
aix2john.py* cracf2john.py* ibmiscanner2john.py* mac2john.py* pgpwde2john.py* strip2john.py*
andotp2john.py* dashlane2john.py* ikescan2john.py* mailer* potcheck.pl* telegram2john.py*
androidbackup2john.py* deepsound2john.py* ios7tojohn.pl* makechr* prosody2john.py* tezos2john.py*
androidfde2john.py* diskcryptor2john.py* itunes_backup2john.pl* mcafee_epo2john.py* pse2john.py* tgtsnarf*
ansible2john.py* dmg2john* iwork2john.py* mkvcalcproba* ps_token2john.py* truecrypt2john.py*
apex2john.py* dmg2john.py* john* monero2john.py* putty2john* uaf2john*
applenotes2john.py* dns/ kdcdump2john.py* money2john.py* pwsafe2john.py* unafs@
aruba2john.py* DPAPImk2john.py* keepass2john* mozilla2john.py* racf2john* undrop@
atmail2john.pl* ecryptfs2john.py* keychain2john.py* multibit2john.py* radius2john.pl* unique@
axcrypt2john.py* ejabberd2john.py* keyring2john.py* neo2john.py* radius2john.py* unrule.pl*
base64conv@ electrum2john.py* keystore2john.py* netntlm.pl* rar2john@ unshadow@
benchmark-unify* encfs2john.py* kirbi2john.py* netscreen.py* raw2dyna* vdi2john.pl*
bestcrypt2john.py* enpass2john.py* known_hosts2john.py* network2john.lua* relbench* vmx2john.py*
bip-0039/ enpass5tojohn.py* krb2john.py* office2john.py* restic2john.py* wpapcap2john*
bitcoin2john.py* ethereum2john.py* kwallet2john.py* openbsd_softraid2john.py* rexgen2rules.pl* zed2john.py*
bitlocker2john* filezilla2john.py* lastpass2john.py* opencl/ rules/ zip2john@
bitshares2john.py* fuzz_option.pl* ldif2john.pl* openssl2john.py* rulestack.pl* ztex/
bitwarden2john.py* geli2john.py* leet.pl* padlock2john.py* sap2john.pl*
bks2john.py* genincstats.rb* lib/ pass_gen.pl* sha-dump.pl*
blockchain2john.py* genmkvpwd* libreoffice2john.py* pcap2john.py* sha-test.pl*
Impacket
impacket
is another one of those tools like evil-winrm
for Windows boxes. This can be installed via pip3
╰─○ sudo pip3 install impacket
If you have issues ( again like with john
sometimes the Ubuntu packages are not 100% ) you can install from GitHub
via the below commands
╰─○ git clone https://github.com/SecureAuthCorp/impacket.gitCloning into 'impacket'...remote: Enumerating objects: 11, done.remote: Counting objects: 100% (11/11), done.remote: Compressing objects: 100% (11/11), done.remote: Total 18856 (delta 3), reused 4 (delta 0), pack-reused 18845Receiving objects: 100% (18856/18856), 6.24 MiB | 2.69 MiB/s, done.Resolving deltas: 100% (14353/14353), done
After cloning we change into the directory and then run pip3 install .
to install.
╰─○ cd impacket
╰─⠠⠵ pip3 install .
Following this you should be able to run commands like smbclient.py
and secretsdump.py
as they get added to the /usr/local/bin
directory.
PyCTF-Helper
This is a flask application that I have developed as I got fed of having to change ip's/ports of reverse shells. The default page returns the reverse shells with the IP you hit the application on making it dynamic, it also has a upload function for data exfiltration.
This can be install by cloning the repo, installing the requirement and then using the run.sh
to start the application.
─○ git clone git@github.com:apjone/pyctf-helper.git
Cloning into 'pyctf-helper'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 45 (delta 18), reused 29 (delta 10), pack-reused 0
Receiving objects: 100% (45/45), 177.89 KiB | 1.06 MiB/s, done.
Resolving deltas: 100% (18/18), done.
╰─○ cd pyctf-helper
╰─⠠⠵ pip3 install -r requirements.txt
Requirement already satisfied: Click==7.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (7.0)
Requirement already satisfied: Flask==1.1.2 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 2)) (1.1.2)
Requirement already satisfied: itsdangerous==1.1.0 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 3)) (1.1.0)
Requirement already satisfied: Jinja2==2.11.2 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 4)) (2.11.2)
Collecting MarkupSafe==1.1.1
Downloading MarkupSafe-1.1.1-cp38-cp38-manylinux1_x86_64.whl (32 kB)
Requirement already satisfied: Werkzeug==1.0.1 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 6)) (1.0.1)
Installing collected packages: MarkupSafe
Successfully installed MarkupSafe-1.1.1
╰─⠠⠵ ./run.sh
mkdir: created directory 'uploads'
LinPeas is older than 7 days or does not exist, update LinPeas? [y/n]: y
--2021-01-19 02:04:33-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.56.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.56.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319969 (312K) [text/plain]
Saving to: ‘static/linpeas.sh’
static/linpeas.sh 100%[=======================================================================================>] 312.47K 1.87MB/s in 0.2s
2021-01-19 02:04:34 (1.87 MB/s) - ‘static/linpeas.sh’ saved [319969/319969]
WinPeas is older than 7 days or does not exist, update WinPeas? [y/n]: y
--2021-01-19 02:04:35-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.56.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.56.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35107 (34K) [text/plain]
Saving to: ‘static/winPEAS.bat’
static/winPEAS.bat 100%[=======================================================================================>] 34.28K --.-KB/s in 0.009s
2021-01-19 02:04:35 (3.84 MB/s) - ‘static/winPEAS.bat’ saved [35107/35107]
* Serving Flask app "pyctf-helper" (lazy loading)
* Environment: development
* Debug mode: on
* Running on http://0.0.0.0:9999/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 175-110-743
IPv4 Forwarding
To enable IPv4 forward we have two options. We can set it runtime using
╰─○ sudo sysctl -w net.ipv4.ip_forward=1
or we can set it so it gets activated at boot
╰─○ sudo sed 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' -i /etc/sysctl.conf
OWASP ZAP
Another Web Application Scanner, this can be downloaded from https://www.zaproxy.org/
╰─○ sudo sh -x Downloads/ZAP_2_10_0_unix.sh
Again like burp
this launches a GUI
installer
Again you can search the launcher for zap
and launch
Thats All For Now
That is all for now but as I continue to use Ubuntu for TryHackMe I will add to this post, so keep checking back!
Now this is a rough and ready, you will find different guides that suggest /usr/local/bin
or /opt
for installing the items we installed from source. If you want to you can read more here about the Linux File System Layout
If you have any suggestions, corrections or questions then drop me a tweet or dm @apjone