I recently covered my Firefox setup, which is the standard setup I use for day-to-day work as well as CTFs. Over the Advent of Christmas 2 I started using Ubuntu as my base OS instead of Kali. In this post I will be describing the tools I install and how I install them.
After running apt-get update I run the below to download tools from the Ubuntu repos.
sudo apt-get install wireshark vim binutils dnsutils tmux zsh python3-pip john hashcat docker.io docker-compose lxd-tools lxd chromium-browser openvpn radare2 gdb tcpdump mtr-tiny aircrack-ng nikto gobuster steghide stegosuite p7zip dirb remmina virtualbox virtualbox-dkms virtualbox-ext-pack virtualbox-guest-additions-iso nmap curl wget git htop vim ruby ruby-dev netcat cifs-utils smbclient libssl-dev libbz2-1.0 libbz2-dev libbz2-ocaml libbz2-ocaml-dev hydra -y
This installs a number of packages required by some of the tools below, as well as some tools in their own right.
Even though I prefer Firefox it is always good to have chromium just in case there is any weirdness. As well as the above I also install Visual Studio Code via snap.
sudo snap install code --classic
Recently I have been enjoying zsh. To get zsh working in a nice way I use OhMyZsh, which can be installed via the below command.
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Cloning Oh My Zsh...
Cloning into '/home/tony/.oh-my-zsh'...
remote: Enumerating objects: 1194, done.
remote: Counting objects: 100% (1194/1194), done.
remote: Compressing objects: 100% (1162/1162), done.
remote: Total 1194 (delta 19), reused 1134 (delta 16), pack-reused 0
Receiving objects: 100% (1194/1194), 827.35 KiB | 1.88 MiB/s, done.
Resolving deltas: 100% (19/19), done.

Looking for an existing zsh config...
Using the Oh My Zsh template file and adding it to ~/.zshrc.

Time to change your default shell to zsh:
Do you want to change your default shell to zsh? [Y/n] y
Changing the shell...
Password:
Shell successfully changed to '/usr/bin/zsh'.

(Oh My Zsh ASCII banner) ....is now installed!

Before you scream Oh My Zsh! please look over the ~/.zshrc file to select plugins, themes, and options.

• Follow us on Twitter: https://twitter.com/ohmyzsh
• Join our Discord server: https://discord.gg/ohmyzsh
• Get stickers, shirts, coffee mugs and other swag: https://shop.planetargon.com/collections/oh-my-zsh

➜ ~ vim .zshrc
In the above I run vim .zshrc to change the theme to fino-time, which is the theme I prefer.
# Set name of the theme to load --- if set to "random", it will
# load a random theme each time oh-my-zsh is loaded, in which case,
# to know which specific one was loaded, run: echo $RANDOM_THEME
# See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
ZSH_THEME="fino-time"
You can browse the available themes here: https://github.com/ohmyzsh/ohmyzsh/wiki/Themes.
Rustscan is a great addition to the toolbox. It is a hell of a lot faster than nmap. You can get Rustscan from their GitHub releases page as a Debian package; once downloaded you can use dpkg to install it.
╰─○ sudo dpkg -i Downloads/rustscan_2.0.1_amd64.deb
Selecting previously unselected package rustscan.
(Reading database ... 203841 files and directories currently installed.)
Preparing to unpack .../rustscan_2.0.1_amd64.deb ...
Unpacking rustscan (2.0.0) ...
Setting up rustscan (2.0.0) ...
Burp is a key tool for many CTFs and web-based testing. First we need to download the latest release from https://portswigger.net/burp/communitydownload. The Community download is a shell script that launches the installer.
sh -x Downloads/burpsuite_community_linux_v2020_12_1.sh
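Both the Oh My Zsh one-liner above (a remote script piped straight into sh) and the Burp installer are downloaded scripts that get executed unread. An added example, not from the original post: download once, read the script, pin its SHA-256, and run it through a small wrapper that refuses on a mismatch. The helper names and the demo installer are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): run a downloaded installer
# script only when its SHA-256 matches a hash you pinned after reading it.
# Helper names and the demo installer are constructed for illustration.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: run_verified <script> <expected-sha256> [args...]
# Executes the script with sh on a match; returns 1 without running it
# when the file is missing or the hash differs.
run_verified() {
    script="$1"; expected="$2"; shift 2
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: hash mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$script" "$@"
}

# Constructed stand-in for a downloaded installer; prints its path.
# Real flow: curl -fsSLo install.sh <url>, read install.sh, record its
# hash with sha256_of, then run_verified install.sh <that hash>.
demo_installer() {
    tmp=$(mktemp)
    printf '#!/bin/sh\necho "installer ran"\n' > "$tmp"
    echo "$tmp"
}
```

The same wrapper fits the msfinstall and ZAP installer scripts later in the post.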
Once installed you can search the launcher for it.
One of the useful things in Kali is the wordlists it comes with; to get these onto our Ubuntu box we can run the below.
╰─○ git clone https://github.com/danielmiessler/SecLists.git
Cloning into 'SecLists'...
remote: Enumerating objects: 9535, done.
Receiving objects: 100% (9535/9535), 779.68 MiB | 9.24 MiB/s, done.
Resolving deltas: 100% (4948/4948), done.
Updating files: 100% (5336/5336), done.
In the Passwords directory of SecLists the infamous rockyou.txt is contained in a compressed tar.gz. To decompress this and put it in the root of SecLists (let's face it, we want it in a quick-to-access directory as we use it loads...) we can run the below commands.
╭─tony at jumper1 in ~
╰─○ tar -zxvf SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
rockyou.txt
╭─tony at jumper1 in ~
╰─○ mv rockyou.txt SecLists/
Ghidra is a great tool from the NSA which can be used for reverse engineering; it can be downloaded from https://ghidra-sre.org/. Once downloaded we will need to unzip it.
╰─○ unzip Downloads/ghidra_9.2.1_PUBLIC_20201215.zip
Archive:  Downloads/ghidra_9.2.1_PUBLIC_20201215.zip
   creating: ghidra_9.2.1_PUBLIC/
Before running it we will need to install the Java Development Kit (JDK) from APT.
sudo apt-get install default-jdk -y
Once installed we can run the below to launch
Metasploit, like Burp, is a cornerstone of pen testing / CTFs. The easiest way to install it is to use the installer from the Rapid7 GitHub page.
╭─tony at jumper1 in ~ 21-01-19 - 1:14:07
╰─○ cd Downloads
╭─tony at jumper1 in ~/Downloads 21-01-19 - 1:17:25
╰─○ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5922  100  5922    0     0  18859      0 --:--:-- --:--:-- --:--:-- 18859
This installs the Metasploit APT repo so the package can be managed and updated via APT.
Switching to root user to update the package
Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfprint-2-tod1 libllvm10
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed
  metasploit-framework
0 to upgrade, 1 to newly install, 0 to remove and 21 not to upgrade.
Need to get 248 MB of archives.
After this operation, 599 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 6.0.27+20210116112445~1rapid7-1 [248 MB]
Fetched 248 MB in 20s (12.4 MB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 204630 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_6.0.27+20210116112445~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (6.0.27+20210116112445~1rapid7-1) ...
Setting up metasploit-framework (6.0.27+20210116112445~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
Run msfconsole to get started
At first run you will be prompted to set up a database, which I recommend doing.
╰─○ msfconsole

 ** Welcome to Metasploit Framework Initial Setup **

    Please answer a few questions to get started.

Would you like to use and setup a new database (recommended)? yes
====================================================================
Running the 'init' command for the database:
Creating database at /home/tony/.msf4/db
Starting database at /home/tony/.msf4/db...success
Creating database users
Writing client authentication configuration file /home/tony/.msf4/db/pg_hba.conf
Stopping database at /home/tony/.msf4/db
Starting database at /home/tony/.msf4/db...success
Creating initial database schema
====================================================================
It also sets up a username/password for the Metasploit webserver, however I have never used this.
 ** Metasploit Framework Initial Setup Complete **

(Metasploit ASCII banner)

       =[ metasploit v6.0.27-dev-                         ]
+ -- --=[ 2093 exploits - 1127 auxiliary - 355 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the resource command to run commands from a file

msf6 >
wpscan is a Ruby application for scanning WordPress sites. Again this is a key one for CTFs and can be installed via
╰─○ sudo gem install wpscan
Evil-winrm is a utility for exploiting Windows boxes. Again this is a Ruby application that can be installed via
╰─○ sudo gem install evil-winrm
John The Ripper
Although we installed john above, the default Ubuntu package seems to be missing things like gpg2john... To fix this we can install the latest version from GitHub.
╰─○ git clone https://github.com/openwall/john.git
Cloning into 'john'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 92929 (delta 13), reused 7 (delta 3), pack-reused 92898
Receiving objects: 100% (92929/92929), 115.62 MiB | 8.22 MiB/s, done.
Resolving deltas: 100% (72952/72952), done.
Once cloned we can drop into the directory and compile it.
╭─tony at jumper1 in ~
╰─⠠⠵ cd john/src
╭─tony at jumper1 in ~/Downloads/john/src on bleeding-jumbo✘✘✘
╰─⠠⠵ ./configure
╭─tony at jumper1 in ~/Downloads/john/src on bleeding-jumbo✘✘✘
╰─⠠⠵ make && sudo make install
This will generate the required binaries which will be stored under
impacket is another one of those tools, like evil-winrm, for Windows boxes. This can be installed via
╰─○ sudo pip3 install impacket
If you have issues (again, like with john, sometimes the Ubuntu packages are not 100%) you can install from GitHub via the below commands.
╰─○ git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 18856 (delta 3), reused 4 (delta 0), pack-reused 18845
Receiving objects: 100% (18856/18856), 6.24 MiB | 2.69 MiB/s, done.
Resolving deltas: 100% (14353/14353), done.
After cloning we change into the directory and then run pip3 install . to install.
╰─○ cd impacket
╰─⠠⠵ pip3 install .
Following this you should be able to run commands like secretsdump.py as they get added to the
pyctf-helper is a Flask application that I have developed as I got fed up of having to change the IPs/ports of reverse shells. The default page returns the reverse shells with the IP you hit the application on, making it dynamic; it also has an upload function for data exfiltration.
This can be installed by cloning the repo, installing the requirements and then using run.sh to start the application.
╰─○ git clone firstname.lastname@example.org:apjone/pyctf-helper.git
Cloning into 'pyctf-helper'...
remote: Enumerating objects: 45, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 45 (delta 18), reused 29 (delta 10), pack-reused 0
Receiving objects: 100% (45/45), 177.89 KiB | 1.06 MiB/s, done.
Resolving deltas: 100% (18/18), done.
╰─○ cd pyctf-helper
╰─⠠⠵ pip3 install -r requirements.txt
Requirement already satisfied: Click==7.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (7.0)
Requirement already satisfied: Flask==1.1.2 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 2)) (1.1.2)
Requirement already satisfied: itsdangerous==1.1.0 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 3)) (1.1.0)
Requirement already satisfied: Jinja2==2.11.2 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 4)) (2.11.2)
Collecting MarkupSafe==1.1.1
  Downloading MarkupSafe-1.1.1-cp38-cp38-manylinux1_x86_64.whl (32 kB)
Requirement already satisfied: Werkzeug==1.0.1 in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 6)) (1.0.1)
Installing collected packages: MarkupSafe
Successfully installed MarkupSafe-1.1.1
╰─⠠⠵ ./run.sh
mkdir: created directory 'uploads'
LinPeas is older than 7 days or does not exist, update LinPeas? [y/n]: y
--2021-01-19 02:04:33--  https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 220.127.116.11
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|18.104.22.168|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319969 (312K) [text/plain]
Saving to: ‘static/linpeas.sh’

static/linpeas.sh   100%[=======================================================================================>] 312.47K  1.87MB/s    in 0.2s

2021-01-19 02:04:34 (1.87 MB/s) - ‘static/linpeas.sh’ saved [319969/319969]

WinPeas is older than 7 days or does not exist, update WinPeas? [y/n]: y
--2021-01-19 02:04:35--  https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 22.214.171.124
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|126.96.36.199|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35107 (34K) [text/plain]
Saving to: ‘static/winPEAS.bat’

static/winPEAS.bat  100%[=======================================================================================>] 34.28K  --.-KB/s    in 0.009s

2021-01-19 02:04:35 (3.84 MB/s) - ‘static/winPEAS.bat’ saved [35107/35107]

 * Serving Flask app "pyctf-helper" (lazy loading)
 * Environment: development
 * Debug mode: on
 * Running on http://0.0.0.0:9999/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 175-110-743
To enable IPv4 forwarding we have two options. We can set it at runtime using
╰─○ sudo sysctl -w net.ipv4.ip_forward=1
or we can set it so it gets activated at boot
╰─○ sudo sed 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' -i /etc/sysctl.conf
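The sed above only does something if /etc/sysctl.conf still carries the commented-out template line; if the key is absent, or already present but set to 0, it silently changes nothing. An added example, not from the original post, that handles those cases against any sysctl.conf-style file and verifies the result; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): persist net.ipv4.ip_forward=1
# in a sysctl.conf-style file. The post's sed only works when the commented
# template "#net.ipv4.ip_forward=1" is present; this also handles an active
# line set to 0 and a missing key, and is safe to run repeatedly.
# Function names are constructed for this example.

# Usage: ip_forward_value_in <file>
# Prints the last active (uncommented) value, or "unset" if there is none.
ip_forward_value_in() {
    v=$(sed -E -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*([01]).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Usage: enable_ip_forward_in <file>
# Edits <file> in place (GNU sed -i); returns 0 only if the file ends up
# with an active net.ipv4.ip_forward = 1.
enable_ip_forward_in() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        # An active setting exists (possibly = 0): rewrite its value.
        sed -E -i 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$f"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        # Only the commented template exists (stock Ubuntu): uncomment it.
        sed -E -i 's/^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$f"
    else
        # Key absent entirely: append it.
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    [ "$(ip_forward_value_in "$f")" = "1" ]
}
```

Run it against /etc/sysctl.conf with sudo, then apply the file without a reboot using sudo sysctl -p.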
╰─○ sudo sh -x Downloads/ZAP_2_10_0_unix.sh
Like Burp, this launches an installer. Again you can search the launcher for zap and launch it.
That's All For Now
That is all for now but as I continue to use Ubuntu for TryHackMe I will add to this post, so keep checking back!
Now, this is rough and ready; you will find different guides that suggest /opt for installing the items we installed from source. If you want to you can read more here about the Linux File System Layout.
If you have any suggestions, corrections or questions then drop me a tweet or dm @apjone