Posted on

     Recon

# Systeminfo
systeminfo
hostname 

# Especially good with hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# What users/localgroups are on the machine?
net users
net localgroups
net user morph3

# To see domain groups if we are in a domain
net group /domain
net group /domain 

# Network information
ipconfig /all
route print
arp -A

# To see what tokens we have 
whoami /priv

# Recursive string scan
findstr /spin "password" *.*

# Running processes
tasklist /SVC

# Network connections
netstat -ano

# Search for writeable directories
dir /a-r-d /s /b

### Some good one-liners

# Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths):
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Elevation of Privileges

     General

# PowerShellMafia
# Use always dev branch others are shit.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock
https://github.com/rasta-mouse/Sherlock
# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

     Kerberoast

Read more »

Posted on

Introduction

There are many things to be done in binary analyzation but I will just mainly focus on Ret2Libc attack.
You can use many other tools but I will use those mainly.

  • pwntools (python library)
  • A reverse engineering tool (gHidra , IDA etc.)
  • gdb-peda
  • ldd
  • readelf
  • strings
  • objdump
  • ropper
  • one_gadget

Analyzation

First thing first,
We need to analyze our binary in order to determine what kind of attack vector we need to use.

Read more »

Posted on

How Buffer Overflow Works

        Overwriting the return address of the stack with overflowing the buffer allows us to return another malicious address which ends up with code execution.

Keep that in mind if NX is enabled we can't just directly jump to shellcode

Stack state

1
2
3
4
5
6
7
8
9
10
11
12
|                  |        
|                  |        |
|                  |        |
|      BUFFER      |        |  
|                  |        |
|                  |        |
|                  |        | Oops, I overflowed it
|__________________|        |
|_______esb________| -------|---> Junk buffer ends here
|_______ret________| -------V----> We overwrite the ret address with the one we want to call
|                  |        
|__________________|

1
2
3
4
5
6
7
8
junk_buf + system_call + exit_addr + /bin/sh 
             | |              ^         ^
             | |              |         |
             | |first argument|         |
             | |______________|         |
             |                          |
             |        second argument   |
             |__________________________|
Read more »

Posted on

Fuzzing Directories with LFI

LFI stands for Local File Inclusion. It allows attackers to include,view other files on the web server.

In this post, I will try to explain how to exploit LFI even further.
Since LFI vulnerability allows us to move between upper and lower directories. We can abuse it to understand which files are under which directories by using a simple dictionary attack.
This will allow us to have a better understanding of the webserver that we are attacking.

A basic vulnerable PHP parameter works like this.

1
2
3
if(isset($vuln)){
    include(“$_GET["vuln"]);
}
Read more »