VIM Privilege Escalation with Server Client Mode

Background: Recently, I've developed a workflow which involves using the server-client mode of vim. For further information about the server-client mode of vim, there are plenty of articles on the subject. The main problem is that, if I run the vim server as a non-root user, I cannot edit system files which belong to root. To solve…

Tricks

Table of Contents General Linux Metasploit Port Forwarding Sed Less SSH SSH Tunnel Bash NetCat Nmap Wget PHP File Upload Script and Web Server Tcpdump Windows Burp Suite General Put GIF8; on top of payload to make it a GIF image file type. Linux Metasploit Import xml to database. nmap -Pn -sS -A -oX Subnet1…

Databases

Table of Contents MySQL Enumeration Manual SQL Injection Sqlmap Foothold Sqlmap Mysqldump MSSQL Enumeration Mssql_ping Mssql_enum Mssql_enum_logins Mssql_schemadump Brute Forcing Mssql_login Jtr_mssql_fast Foothold Mssqlclient.py Mssql_payload Lateral Movement Mssql_hashdump XP_cmdshell Privilege Escalation Mssql_escalate_dbowner Mssql_escalate_execute_as MySQL Enumeration Manual SQL Injection If some search field is vulnerable to injection. Use below techniques # in burp suite check the…

Avoiding Detection

Table of Contents Msfvenom Packer Veil References Msfvenom Link to Msfvenom. Use with multiple encoders to evade detection. Packer Install upx to pack the executable. Here is a link to PolyPack Project which talks about packing in more detail. Veil For MeterHTTPSContained payload ./Veil.py use 20 set LHOST <ip> set LPORT <port> generate use the…

ActiveDirectory

Table of Contents Enumeration Overall Information Enum4linux PowerView Module Domain Objects DNS Info System Relationship BloodHound-python SharpHound.ps1 GPP Policy Foothold Asrep Roasting Lateral Movement Pass the Password Pass the Hash Dump NTLM Hashes Dump SAM/LSA Token Impersonation DLL Hijacking Dump NTDS Enumeration Overall Information Enum4linux You have nothing, just want an overview of the system…

PrivilegeEscalation

Table of Contents Linux Find SetUID Files Check User Privileges Interactive Programs with SUDO Privilege RottenPotato Kernel 2.6 LXD LXC Privilege Escalation Priv Escalation Through Sudoers Conf Exploit Suggester Rational Love VNC Linux Find SetUID Files find / -perm -4000 -type f 2>/dev/null Check User Privileges sudo -l -l Interactive Programs with SUDO Privilege sudo…

JuicyFiles

Table of Contents Linux Password Hash Files History Configuration Files Windows Configuration Files Hash Files Windows System Info Linux Password Hash Files passwd, shadow Content – User password hashes Features – SHA256Crypt hash Location – /etc Handle – unshadow <passfile> <shadowfile> then hashcat or john History bash_history Content – bash history Features – may contain…

Services

Table of Contents Samba Enumeration Smbclient Crackmapexec Psexec_command or Usermap_script Msf Foothold MS_17_010 Psexec.py Psexec Msf Smb_login Msf DistCC Foothold CVE-2004-2687 Samba Enumeration Smbclient List all shares smbclient -L \\\\<URL>\\ Crackmapexec List all shares crackmapexec smb <ip> -u <username> -p <password> --shares Psexec_command or Usermap_script Msf Execute smb command auxiliary/admin/smb/psexec_command set COMMAND [command you want…

WebApplication

Table of Contents General Check List Initial Steps With Unprivileged User Account OWASP’s Guide HeartBleed Enumeration BurpSuite Dirbuster Gobuster Dirsearch Wfuzz PHP Info Page PHP Filter PHP Remote File Inclusion PHP Log Poisoning Wpscan Other Tools Foothold Identity Brute Forcing SQL Injection – URL SQL Injection – Web Form Directory Traversal XXE Injection Type Juggling…