TryHackMe
Tools
PowerShell
PowerShell commands are cmdlets
PowerShell can view Alternate Data Streams (ADS)
Streams are named file:streamname:$DATA ($DATA is the stream type; the unnamed default stream holds the normal file contents)
Windows Explorer doesn't show alternate streams
Used to hide malware
Commands
Get-Help = obtain cmdlet info
Get-ChildItem = list the contents of a directory
Get-FileHash = hash a file; append the desired algorithm with -Algorithm
Get-Content = reads the contents of a file
-Path = specifies the path
-File / -Directory = list only files / only directories
-Filter = qualifies the Path parameter (wildcard match on names)
-Recurse = gets items in the given location and all its child locations
-Hidden = get only hidden items
-Algorithm = sets the algorithm for Get-FileHash
Measure-Object = counts the objects piped to it
-Word = used with | to count the words in the output
Set-Location = change directory
Select-String = search for a pattern in file contents
-ErrorAction SilentlyContinue = suppresses non-terminating errors (e.g. access denied)
EX:
To view all hidden files in the current directory
Get-ChildItem -File -Hidden -ErrorAction SilentlyContinue
To change location to the admin's desktop
Set-Location -Path c:\users\administrator\desktop
To get the number of words in a file
Get-Content -Path file.txt | Measure-Object -Word
To look for PDFs on the admin's desktop (name matching is done with Get-ChildItem's -Filter; Select-String -Pattern searches file contents, not file names)
Get-ChildItem -Path 'c:\users\administrator\desktop' -Filter '*.pdf' -Recurse
(-Filter '*3*' would instead match names containing a 3)
Command line examples:
Getting the string for redryder

Finding hidden files

Looking at contents of hidden files

ADS
You can use the strings tool to look at a binary found in an ADS

You can find hidden things inside files by going through the strings output
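An added example (my own Python, not part of the room) of the defender's side of the ADS notes above: `dir /R` lists every NTFS stream of every file, so a small parser over its output finds the alternate streams that Explorer hides. The `dir /R` sample is constructed for the example; the browser's `Zone.Identifier` stream is skipped by default because it is benign and appears on every downloaded file.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real host).
# Alternate streams are listed as "<size> <file>:<stream>:$DATA".
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\elf\\Desktop

12/20/2020  09:12 AM    <DIR>          .
12/20/2020  09:12 AM    <DIR>          ..
12/20/2020  09:14 AM                24 notes.txt
                                  4096 notes.txt:hidden.exe:$DATA
12/20/2020  09:15 AM               120 report.docx
                                   512 report.docx:Zone.Identifier:$DATA
               2 File(s)            144 bytes
"""

# Size, then "file:stream:$DATA"; normal file lines start with a date and
# therefore never match, because no whitespace follows the first digits.
STREAM_RE = re.compile(r"^\s*(\d[\d,]*)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def find_alternate_streams(dir_r_output, ignore=("Zone.Identifier",)):
    """Return (filename, stream name, size in bytes) for every ADS listed.

    Zone.Identifier (mark-of-the-web) is ignored by default so that the
    unusual streams, the ones worth opening with strings, stand out.
    """
    findings = []
    for line in dir_r_output.splitlines():
        match = STREAM_RE.match(line)
        if not match:
            continue
        size, filename, stream = match.groups()
        if stream in ignore:
            continue
        findings.append((filename, stream, int(size.replace(",", ""))))
    return findings


if __name__ == "__main__":
    for filename, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{filename} carries stream '{stream}' ({size} bytes)")
```

Each finding names the exact stream to inspect; in PowerShell `Get-Item -Path notes.txt -Stream *` lists the same streams and `Get-Content -Path notes.txt -Stream hidden.exe` reads one, which is the "PowerShell can view ADS" point above.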
Reverse Engineering
How to step through x86-64 assembly and look at program memory
Using the tool radare2, which disassembles binaries
How to use the .NET framework
How to use Remmina and ILSpy
radare2
Use the command
r2 -d ./file1
Then to analyze it use
aa
to find a list of functions use
afl
to examine the assembly code use
pdf @main


set a breakpoint using
db 0x00400b55
verify using the print disassembly function
pdf @main
now run the program using (continue)
dc
run the print disassembly function again
pdf @main
rip tells the CPU where we are in the code; rip is the 64-bit version of the instruction pointer
mov – transfers values
here it moves into a double-word (dword) local variable
a value of 4 (look at the table)
enter the command for the local int variable
px @rbp-0xc
prints it in hex; use the step command to move on to the next instruction
ds
use the display registers command to see their contents
dr

rbp-0xc corresponds to local_ch; step through the instructions and watch how its value changes as each one runs.
.NET
Use RDP (Remmina) and ILSpy to decompile .NET malware
ILSpy
Open up ILSpy

1. Navigate to the TBFC App
2. Found the CrackMe interesting and looked inside
3. Found an interesting thing labeled unsafe

Opened it up and found a password and a flag
Hydra
John
John The Ripper
Using with a wordlist

To convert an ssh passphrase to John format

Use --format to force a hash format (e.g. md5)

use the hash-id.py script to get the format

Services
Samba
SMB file-sharing service for Windows networks (Samba is the Linux implementation)
uses ports 445 and 139
Verify with a general Nmap scan
use nmap scripts to enumerate
Enumerating SMB shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.0.252
3 shares open
connecting to a share

Downloading a share

ProFTPD mod_copy module
Known to be exploitable in older versions
– Check version

– Info
http://www.proftpd.org/docs/contrib/mod_copy.html
use the SITE commands to copy a file

This copied the RSA ID key to a file on my local machine
SITE = prefix for the server-specific commands below
CPFR <source path> = copy from
CPTO <destination path> = copy to
NFS
Install the nfs-common suite
sudo apt install nfs-common
scan the target with nmap to verify
nmap -A -p- <ip>
show the NFS shares
/usr/sbin/showmount -e [IP]
make a directory in tmp to mount the enumerated share
mkdir /tmp/mount
sudo mount -t nfs 10.10.76.163:home /tmp/mount/ -o nolock
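An added example (my own Python, not from the room) that turns the Samba and NFS enumeration steps above into a check: it parses the report of nmap's smb-enum-shares script and the output of `showmount -e`, and returns the shares and exports that need no credentials at all. Both outputs are constructed samples in the shape those tools print; the IPs and share names are invented.

```python
import re

# Constructed nmap --script=smb-enum-shares report (shape only; invented values).
SAMPLE_NMAP_SMB = r"""| smb-enum-shares:
|   account_used: guest
|   \\10.10.0.252\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Path: C:\home\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.0.252\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.0.252\secure:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|     Current user access: <none>
"""

# Constructed `showmount -e` output: path, then the allowed client list.
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.76.163:
/home       *
/srv/backup 10.10.0.0/16,backup.internal
/var/nfs    (everyone)
"""

SHARE_RE = re.compile(r"^\|\s+\\\\[^\\]+\\([^:]+):\s*$")      # "|   \\host\share:"
ANON_RE = re.compile(r"^\|\s+Anonymous access:\s*(\S.*?)\s*$")


def anonymous_smb_shares(nmap_output):
    """Return {share: access} for shares reachable without credentials."""
    found, current = {}, None
    for line in nmap_output.splitlines():
        match = SHARE_RE.match(line)
        if match:
            current = match.group(1)      # a new share block starts
            continue
        match = ANON_RE.match(line)
        if match and current and match.group(1) != "<none>":
            found[current] = match.group(1)
    return found


def world_exports(showmount_output):
    """Return export paths that any client may mount ('*' or '(everyone)')."""
    open_exports = []
    for line in showmount_output.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        path, _, clients = line.strip().partition(" ")
        allowed = {c.strip() for c in clients.split(",")}
        if allowed & {"*", "(everyone)"}:
            open_exports.append(path)
    return open_exports


if __name__ == "__main__":
    for share, access in anonymous_smb_shares(SAMPLE_NMAP_SMB).items():
        print(f"SMB share {share}: anonymous {access}")
    for path in world_exports(SAMPLE_SHOWMOUNT):
        print(f"NFS export {path}: mountable by everyone")
```

A share with anonymous READ/WRITE or an export with `*` is exactly what the connect, download and mount steps above rely on; the fix on the server side is to restrict the share's guest access or the export's client list.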

SMTP
Uses port 25
use Metasploit to enumerate/exploit
Modules:
auxiliary/scanner/smtp/smtp_version
auxiliary/scanner/smtp/smtp_enum
MySQL
Database system
to log in (assuming you have creds):
mysql -h <IP> -u <Username> -p
Use Metasploit to attack

the mysql_schemadump and mysql_sql modules to enumerate
set RHOSTS, PASSWORD, USERNAME
Use mysql_hashdump to get a hash

You can grab a user hash and run it against John to get a password. Use this info to log in over SSH (password reuse).

Put the user:hash into a txt file so John can crack it

Web Attacks
SSRF
Server-Side Request Forgery
– Forces a web app to make requests to resources that it normally would not
EX: A web app produces screenshots of other websites when a user submits a URL; an attacker could submit an internal IP address to get a screenshot of internal resources

The hostname here (list.hohoho) is not a public FQDN; it only resolves on the inside
Use a URL decoder to read the parameter properly

Try requesting the root of the internal host with
http://10.10.244.9/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2F
The result is that the page cannot be found
That is an indicator the site may be vulnerable to SSRF
Next try changing the port to 22 instead of 8080
http://10.10.244.9/?proxy=http%3A%2F%2Flist.hohoho%3A22
This will attempt to execute and indicates that the port is open. However, because we are just using a web browser we cannot SSH into it and the page will error out.
Next try to connect to localhost

We have been blocked, but can try to bypass that
Set the name to
http://10.10.166.162/?proxy=http%3A%2F%2Flist.hohoho.localtest.me
This will treat us as a local user and possibly display some useful info
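An added example (my own Python, not from the room) of the server-side check that the proxy feature above is missing. The vulnerable pattern is to URL-decode the `proxy` parameter and hand it straight to the HTTP client; the hardened version below decodes it, restricts scheme and port, resolves the hostname and refuses any name that points at a private or loopback address, which is what stops the `localtest.me` trick as well as the plain `localhost` attempt. DNS is replaced by a constructed lookup table so the check runs offline; the `list.hohoho` addresses are invented, and `check_proxy_target` is the name I chose for the check.

```python
import ipaddress
from urllib.parse import urlparse, unquote

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS (invented internal addresses); in production
# this would be socket.getaddrinfo and would return every A/AAAA record.
FAKE_DNS = {
    "list.hohoho": ["10.10.244.9"],
    "localhost": ["127.0.0.1"],
    "list.hohoho.localtest.me": ["127.0.0.1"],   # localtest.me resolves to loopback
    "example.com": ["93.184.216.34"],
}


def fake_resolve(host):
    """Mimics a resolver: returns IPs or raises OSError on NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("name not found: " + host)


def is_internal(ip):
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)


def check_proxy_target(raw_param, resolve=fake_resolve):
    """Decide whether a user-supplied ?proxy= value may be fetched.

    Returns (allowed, reason). The vulnerable original skipped all of this
    and fetched unquote(raw_param) directly.
    """
    parts = urlparse(unquote(raw_param))          # parameter arrives URL-encoded
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"   # blocks the 8080 and 22 probes
    if "." not in host:
        return False, f"single-label host {host!r} is internal-only"
    try:
        ips = resolve(host)
    except OSError:
        return False, f"host {host!r} does not resolve"
    for ip in ips:                                 # every record must be public
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for param in ("http%3A%2F%2Flist.hohoho%3A8080%2F",
                  "http%3A%2F%2Flist.hohoho%3A22",
                  "http://localhost",
                  "http%3A%2F%2Flist.hohoho.localtest.me",
                  "http://example.com/"):
        print(param, "->", check_proxy_target(param))
```

Resolve-then-check still leaves a window in which a hostile DNS server can change the answer between the check and the fetch, so a real implementation connects to the IP it validated (or uses a fixed allowlist of hostnames) rather than resolving a second time.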
Cryptography
Modulo

Symmetric vs Asymmetric
Symmetric (same key for both sides): AES, DES
Asymmetric (different keys, public/private): RSA, EC
Digital Signatures/Certificates
Root CA
RSA
Rivest Shamir Adleman
RSA decryption tools
https://github.com/Ganapati/RsaCtfTool
https://github.com/ius/rsatool
Google "RSA calculator"
RSA for CTF
"p" and "q" are large prime numbers
"n" is the product of p and q
The public key is "n" and "d"
The private key is "n" and "e"
"m" represents the plaintext as a number
"c" represents the ciphertext
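An added example (my own Python, not from the room or the tools linked above) that carries the Modulo and RSA notes through on a toy key, using the textbook convention in which e is the public exponent and d the private one: key generation from p and q, encryption of m and decryption of c with modular exponentiation, and the CTF move of recovering d from a modulus small enough to factor. The primes 61 and 53 and exponent 17 are the standard classroom values; `factor_small_n` is only feasible for such toy sizes.

```python
from math import gcd, isqrt


def rsa_keygen(p, q, e=65537):
    """Build an RSA key pair from primes p and q.
    Returns ((n, e), (n, d)): public key first, private key second."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse: e*d = 1 (mod phi), Python 3.8+
    return (n, e), (n, d)


def text_to_int(text):
    return int.from_bytes(text.encode(), "big")


def int_to_text(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)                # c = m^e mod n


def decrypt(c, private_key):
    n, d = private_key
    return pow(c, d, n)                # m = c^d mod n


def factor_small_n(n):
    """Trial division: recovers p and q only for CTF-sized moduli.
    Real keys use primes of 1024 bits and more, where this never finishes."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f <= isqrt(n):
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n is prime or too large for trial division")


def recover_private_key(n, e):
    """Given only a toy public key, rebuild (n, d) by factoring n."""
    p, q = factor_small_n(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)     # n = 3233, d = 2753
    c = encrypt(text_to_int("A"), public)          # m = 65 -> c = 2790
    print("ciphertext:", c)
    print("decrypted :", int_to_text(decrypt(c, private)))
    print("recovered :", recover_private_key(*public))
```

The security of the scheme rests entirely on `factor_small_n` being impossible for a real n; a CTF challenge that hands you an n with a small or repeated prime factor is telling you to do exactly this recovery.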
GPG
GNU Privacy Guard (GnuPG, an implementation of OpenPGP)
Man page
https://www.gnupg.org/gph/de/manual/r1023.html
Crack using gpg2john
1. Import the secret key
2. Verify
3. Decrypt using the key