GitBook: [master] 12 pages and 24 assets modified
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28182%29.png)
|
![](.gitbook/assets/image%20%28182%29.png)
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||||
|
|
||||||
InfluxDB
|
InfluxDB
|
||||||
|
|
||||||
|
|
|
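Review bot: the only change in this hunk is the image path `.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29.png` gaining one more `%20%282%29` suffix; the `image (182)` and `InfluxDB` rows are identical on both sides. Each re-sync that renames an asset this way makes the page point at a new near-duplicate name, so consider keeping the original asset path instead of accepting the rename, and check that the old file is not left behind as an orphan.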
@ -16,7 +16,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
||||||
**If you want to** share some tricks with the community **you can also submit** pull requests **to \[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) that will be reflected in this book.
|
**If you want to** share some tricks with the community **you can also submit** pull requests **to \[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) that will be reflected in this book.
|
||||||
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
|
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
|
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
|
||||||
|
|
||||||
|
|
|
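Review bot: the contribution link is broken markup on both sides of this hunk: `**to \[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](...)` nests escaped brackets inside the link text, and the next row has a stray `\*\*` after `Don't forget to`. Since this block is already being touched (the buymeacoffee image suffix changes from `%286%29` to `%283%29`), fix the link to `[https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks)` and remove the orphaned bold marker in the same commit.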
@ -367,7 +367,7 @@ Partition Record Format:
|
||||||
|
|
||||||
In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
|
In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28413%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%281%29.png)
|
||||||
|
|
||||||
An then use the following code
|
An then use the following code
|
||||||
|
|
||||||
|
|
|
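Review bot: two typos survive on both sides of this hunk while only the `image (413)` path changes: `the the `p` command` (doubled word) and `An then use the following code` (should be `And then`). Both rows are unchanged context, so the fix is a one-word edit each.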
@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
|
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||||
|
|
||||||
|
|
|
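Review bot: `[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*` carries four escaped asterisks after the link that render as a literal `****`, and the row above has empty bold markers `****[**https://github.com/carlospolop/hacktricks**](...) ****` around the link. Only the image suffix changes here; drop the stray markers on both rows.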
@ -354,7 +354,7 @@ int main(int argc, char * argv[]) {
|
||||||
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file `/.dockerinit` and this modified version uses `/etc/hostname`. **If the exploit isn't working** maybe you need to set a different file. To find a file that is mounted in the host just execute `mount` command:
|
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file `/.dockerinit` and this modified version uses `/etc/hostname`. **If the exploit isn't working** maybe you need to set a different file. To find a file that is mounted in the host just execute `mount` command:
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28172%29.png)
|
![](../../.gitbook/assets/image%20%28407%29.png)
|
||||||
|
|
||||||
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com/)\*\*\*\*
|
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com/)\*\*\*\*
|
||||||
|
|
||||||
|
|
|
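Review bot: `I exploit needs to find a pointer to something mounted on the host` should read `The exploit needs to find a pointer`; the `{% endhint %}` closer shows this sentence sits inside a hint block, so the fix stays within the block. Note also that the image changes from `image (172)` to `image (407)`, a different asset rather than a suffix rename, so verify the new screenshot still shows the `mount` output the text refers to.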
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28211%29.png)
|
![](../../../.gitbook/assets/image%20%28211%29.png)
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
||||||
|
|
||||||
Because you will be able to call them
|
Because you will be able to call them
|
||||||
|
|
||||||
|
|
|
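Review bot: `Because you will be able to call them` is a sentence fragment on both sides that depends on the `look also for functions` text in the hunk header; with the `image (254)` path being the only change, consider rewording it into a full sentence that names what is being called, otherwise the two screenshots and this line read as disconnected.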
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
|
||||||
|
|
||||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%281%29.png)
|
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
|
|
|
@ -115,6 +115,8 @@ ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authty
|
||||||
|
|
||||||
### Manual
|
### Manual
|
||||||
|
|
||||||
|
#### ldapsearch
|
||||||
|
|
||||||
Check null credentials or if your credentials are valid:
|
Check null credentials or if your credentials are valid:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -200,6 +202,51 @@ To see if you have access to any password you can use grep after executing one o
|
||||||
|
|
||||||
Please, notice that the passwords that you can find here could not be the real ones...
|
Please, notice that the passwords that you can find here could not be the real ones...
|
||||||
|
|
||||||
|
#### pbis
|
||||||
|
|
||||||
|
You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) and it's usually installed in `/opt/pbis`.
|
||||||
|
**Pbis** allow you to get basic information easily:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#Get known domains info
|
||||||
|
./get-status
|
||||||
|
./lsa get-status
|
||||||
|
|
||||||
|
#Get basic metrics
|
||||||
|
./get-metrics
|
||||||
|
./lsa get-metrics
|
||||||
|
|
||||||
|
#Get users
|
||||||
|
./enum-users
|
||||||
|
./lsa enum-users
|
||||||
|
|
||||||
|
#Get groups
|
||||||
|
./enum-groups
|
||||||
|
./lsa enum-groups
|
||||||
|
|
||||||
|
#Get all kind of objects
|
||||||
|
./enum-objects
|
||||||
|
./lsa enum-objects
|
||||||
|
|
||||||
|
#Get groups of a user
|
||||||
|
./list-groups-for-user <username>
|
||||||
|
./lsa list-groups-for-user <username>
|
||||||
|
#Get gorups of each user
|
||||||
|
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
|
||||||
|
|
||||||
|
#Get users of a group
|
||||||
|
./enum-members --by-name "domain admins"
|
||||||
|
./lsa enum-members --by-name "domain admins"
|
||||||
|
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
|
||||||
|
|
||||||
|
#Get description of each user
|
||||||
|
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
|
||||||
|
echo "$line";
|
||||||
|
./adtool --keytab=/etc/krb5.keytab -n <username> -a lookup-object --dn="$line" --attr "description";
|
||||||
|
echo "======================"
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
## Graphical Interface
|
## Graphical Interface
|
||||||
|
|
||||||
### Apache Directory
|
### Apache Directory
|
||||||
|
|
|
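Review bot: the new pbis block has a typo in `#Get gorups of each user` (should be `groups`) and inconsistent placeholder casing between `-n <Username>` in the `search-user` call and `-n <username>` in the `lookup-object` call; use one spelling so a reader substitutes the same value in both. In the last loop, `grep "CN"` passes every matching output line to `--dn="$line"`, so any line that contains `CN` but is not a full DN will fail the lookup; anchor the match to the start of a DN (for example `grep "^CN="`) or filter on the attribute name that `search-user` prints. Each command is also listed twice (`./get-status` and `./lsa get-status`) with no comment on which pbis version uses which form; a one-line note at the top of the block would save the reader a failed invocation.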
@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
||||||
</methodCall>
|
</methodCall>
|
||||||
```
|
```
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28224%29.png)
|
![](../../.gitbook/assets/image%20%28224%29.png)
|
||||||
|
|
||||||
|
|
|
@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
||||||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%28253%29%20%281%29.png)
|
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29.png)
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
||||||
|
|
|
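Review bot: `Decide from which account are you going to send the phishing emails` uses question word order; it should read `from which account you are going to send`. `make sure to check the Ignore Certificate Errors` is missing a noun (`option` or `checkbox`), and the setting name should be quoted the way `"**Send Test Email**"` is below. Only the `image (253)` suffix changes in this hunk, so these are unchanged-context fixes.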
@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
||||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||||
|
|
||||||
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
|
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||||
|
|
||||||
|
|
|
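Review bot: same footer as the `@ -146,7 +146,7 @@` hunk above: empty `****` markers around the hacktricks link and `\*\*\*\*` after the buymeacoffee link on both sides, with only the image suffix changing (`%283%29` to `%284%29`). Clean the markers here too so the two copies of the footer stay identical.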
@ -102,7 +102,7 @@ find, findstr, [x]copy, move, replace, del, rename and many more!
|
||||||
|
|
||||||
## Auto-Complete
|
## Auto-Complete
|
||||||
|
|
||||||
You just need to type ‘\\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
You just need to type ‘\host\’ the auto-complete will do the trick under the explorer and the run dialog box.
|
||||||
|
|
||||||
![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)
|
![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)
|
||||||
|
|
||||||
|
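Review bot: this hunk changes `‘\\host\’` to `‘\host\’`, dropping the second backslash of the UNC prefix. In markdown `\\` already renders as a single `\`, so the old text displayed as `\host\` as well; removing the backslash from the source does not fix the rendering and loses the escape. The old side shows the intended value is `\\host\`; put it in a code span (backticks) so both backslashes render literally instead of deleting one.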
@ -258,7 +258,6 @@ Here’ the encoded version. You can encode and save this as something.vbe
|
||||||
|
|
||||||
```text
|
```text
|
||||||
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
|
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
|
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
|
||||||
|
|
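Review bot: the header `-258,7 +258,6` says one line was removed, but the visible rows show only the `text` fence, the encoded blob and the closing fence on both sides, so the removed line appears to be a blank line inside the fence; confirm that was the intent and not the loss of a second line of the encoded script, since a truncated `.vbe` will not decode. Also `which mshta.exe will execute it` has a redundant `it`, and `Here' the encoded version` in the hunk header is missing the `s` in `Here's`.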