Nmap has its own scripting language with which complex or recurring tasks can be automated. See the manpage and share/nmap/scripts. Vulnerability scan: nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt Better vulnerability scans (thanks to this source): cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh nmap --script nmap-vulners -sV -sC -p22 $victim nmap --script vulscan -sV…
Mandatory Optional Use this script to list all endpoints for further research:
high performance, open source universal RPC framework GRPC Client CLI Download the CLI via https://github.com/vadimi/grpc-client-cli. Then: ./grpc-client-cli $target:50051 GRPC Curl Download via https://github.com/fullstorydev/grpcurl. gRPC UI Download via https://github.com/fullstorydev/grpcui. Graphical command line interface. See also
Enumeration Mandatory Optional
Enumeration Mandatory Try to perform a zone transfer: dig axfr @10.10.11.166 trick.htb
(!) If upload does not seem to work, change the suffix e.g. from .php to .pHp. More: File uploads / images
Create a file to execute code via metadata: https://github.com/convisolabs/CVE-2021-22204-exiftool
See https://www.infosecmatter.com/firebird-database-exploitation/
First, try to determine the shell: echo $PATH echo $SHELL Try to set the PATH variable: export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin Upload the escape_from_restricted_shell.c program (scripts directory). Look in a local bin directory and check whether any binary there can be used to escape.
If you can register, do so, create a repository, go to settings -> githooks and add a command (e.g. a reverse shell) as a post-receive hook. See https://www.cvedetails.com/vulnerability-list/vendor_id-19185/product_id-49829/Gitea-Gitea.html
UDP 623 https://book.hacktricks.xyz/pentesting/623-udp-ipmi Metasploit: scanner/ipmi/ipmi_version scanner/ipmi/ipmi_dumphashes ipmitool: tool for managing IPMI, see the hacktricks article
Registers General purpose registers
x86 | x64 | Name | Description
EAX | RAX | Accumulator | For results of calculations and return codes
EBX | RBX | Base register | General purpose
ECX | RCX | Count register | For number of iterations, often used for loops
EDX | RDX | Data register | For data of calculations or a pointer to large data
ESI | RSI | Source index | Pointer to a…
Keyboard functions CTRL+S Find sequence of commands SHIFT+F9 Pass exception
Assume you have a buffer overflow vulnerability. You can control the EIP. But your shellcode is never executed. Your shellcode is executed when a ret instruction is executed which calls the address you overwrite. But maybe the ret at the end of the function where the buffer overflow occurs is never reached, because you overwrote the…
SID Security Identifiers All elements have attributes. They are identified via a Security Identifier (SID). The structure of a SID: Example: The Domain Identifier is the SID without the last RID part. Examples of well-known SIDs: Basic Windows security access control Security context Mandatory Integrity Control and integrity levels Windows (from Vista on) has five integrity levels:…
ASLR Address Space Layout Randomization is a technique which randomizes addresses in the stack and heap. If addresses of functions are randomized (e.g. from shared libraries like libc), then an attacker cannot use a predefined exploit with hard-coded addresses. Linux Disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space Enable ASLR: echo 2 > /proc/sys/kernel/randomize_va_space In GDB, ASLR is…
On the return-to-libc post, we described the process of injecting a system call with parameters via environment variables to start a new process. But this requires executing another program (which may not be available on the target). Instead of calling system we can call other instructions from somewhere in memory. But it would be…
Assume that we detected a buffer overflow vulnerability, but we don’t have enough space on the stack for our shellcode, or the binary’s stack is marked as non-executable (DEP enabled). Then we can try to call a common library which is also loaded (like the PLT). Walkthrough of a ret2lib attack Before we start, disable ASLR as…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';