mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 08:01:00 +00:00
GitBook: [#3511] No subject
This commit is contained in:
parent
7b3818fd68
commit
ba748bd1ce
14 changed files with 41 additions and 16 deletions
|
@ -22,7 +22,7 @@ dht udp "DHT Nodes"
|
||||||
|
|
||||||
![](<.gitbook/assets/image (273).png>)
|
![](<.gitbook/assets/image (273).png>)
|
||||||
|
|
||||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
InfluxDB
|
InfluxDB
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
||||||
|
|
||||||
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
|
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
|
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
||||||
|
|
||||||
And then use the following code
|
And then use the following code
|
||||||
|
|
||||||
|
|
|
@ -156,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
||||||
|
|
||||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (3).png>)
|
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
|
||||||
|
|
||||||
### USB Detective
|
### USB Detective
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png" alt="" data-size="original">\
|
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
|
||||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||||
|
|
||||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||||
|
@ -159,7 +159,7 @@ echo bye >> ftp.txt
|
||||||
ftp -n -v -s:ftp.txt
|
ftp -n -v -s:ftp.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png" alt="" data-size="original">\
|
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
|
||||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||||
|
|
||||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||||
|
@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall
|
||||||
|
|
||||||
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
|
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png" alt="" data-size="original">\
|
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
|
||||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||||
|
|
||||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||||
|
|
|
@ -595,6 +595,20 @@ _Note that the tools that expect to run all the database using the regular Googl
|
||||||
|
|
||||||
If you find **valid leaked** credentials or API tokens, this is a very easy win.
|
If you find **valid leaked** credentials or API tokens, this is a very easy win.
|
||||||
|
|
||||||
|
## Public Code Vulnerabilities
|
||||||
|
|
||||||
|
If you found that the company has **open-source code** you can **analyse** it and search for **vulnerabilities** on it.
|
||||||
|
|
||||||
|
**Depending on the language** there are different **tools** you can use:
|
||||||
|
|
||||||
|
{% content-ref url="../../network-services-pentesting/pentesting-web/code-review-tools.md" %}
|
||||||
|
[code-review-tools.md](../../network-services-pentesting/pentesting-web/code-review-tools.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
There are also free services that allow you to **scan public repositories**, such as:
|
||||||
|
|
||||||
|
* ****[**Snyk**](https://app.snyk.io/)****
|
||||||
|
|
||||||
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
|
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
|
||||||
|
|
||||||
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
|
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
|
||||||
|
|
|
@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
||||||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
|
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
|
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
|
||||||
|
|
|
@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like:
|
||||||
* Signed using the **device identity certificate (from APNS)**
|
* Signed using the **device identity certificate (from APNS)**
|
||||||
* **Certificate chain** includes expired **Apple iPhone Device CA**
|
* **Certificate chain** includes expired **Apple iPhone Device CA**
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
### Step 6: Profile Installation
|
### Step 6: Profile Installation
|
||||||
|
|
||||||
|
|
|
@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
|
||||||
5. Reproduce the problem.
|
5. Reproduce the problem.
|
||||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
|
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
||||||
|
|
||||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||||
|
|
||||||
|
|
|
@ -86,7 +86,13 @@ Invoke-Command -ComputerName <computername> -ScriptBlock {cmd /c "powershell -ep
|
||||||
|
|
||||||
Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function:
|
Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function:
|
||||||
|
|
||||||
```ruby
|
```powershell
|
||||||
|
#If you need to use different creds
|
||||||
|
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
|
||||||
|
## Note the ".\" in the suername to indicate it's a local user (host domain)
|
||||||
|
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
|
||||||
|
|
||||||
|
# Enter
|
||||||
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
|
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -109,6 +115,11 @@ Now we can enter a remote PS session on the victim.
|
||||||
This **won't work** if the the **language** is **constrained** in the remote computer.
|
This **won't work** if the the **language** is **constrained** in the remote computer.
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
|
#If you need to use different creds
|
||||||
|
$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
|
||||||
|
## Note the ".\" in the suername to indicate it's a local user (host domain)
|
||||||
|
$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
|
||||||
|
|
||||||
#You can save a session inside a variable
|
#You can save a session inside a variable
|
||||||
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
|
$sess1 = New-PSSession -ComputerName <computername> [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
|
||||||
#And restore it at any moment doing
|
#And restore it at any moment doing
|
||||||
|
|
|
@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml
|
||||||
|
|
||||||
If you see an error like the following one:
|
If you see an error like the following one:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
|
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
|
||||||
|
|
||||||
It means that the server **didn't receive the correct domain name** inside the Host header.\
|
It means that the server **didn't receive the correct domain name** inside the Host header.\
|
||||||
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
|
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
|
||||||
|
|
|
@ -211,7 +211,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
||||||
</methodCall>
|
</methodCall>
|
||||||
```
|
```
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (102).png>)
|
![](<../../.gitbook/assets/image (102).png>)
|
||||||
|
|
||||||
|
|
|
@ -55,7 +55,7 @@ The good news is that **this payload is executed automatically when the file is
|
||||||
|
|
||||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
|
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||||
|
|
||||||
### More
|
### More
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
|
|
||||||
## Attacks Graphic
|
## Attacks Graphic
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
|
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
|
||||||
|
|
||||||
## Tool
|
## Tool
|
||||||
|
|
||||||
|
|
|
@ -522,7 +522,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
|
||||||
|
|
||||||
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
|
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
|
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
|
||||||
|
|
||||||
|
@ -553,7 +553,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
|
||||||
|
|
||||||
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
|
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (3) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
|
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue