Box Notes

/dev/shm is a RAM-backed tmpfs, so files placed there are not written to disk


sqlmap

  • grab the login request from burp

  • paste it into a .req file

  • run sqlmap -r [filename].req --level 4 --risk 3


ssl

  • grab certificate from server:

    • openssl s_client -connect [ip]:443

  • compare private key to crt (the two public keys printed should be identical):

    • openssl pkey -in ca.key -pubout

    • openssl x509 -in ca.crt -pubkey -noout

  • generate key:

    • openssl genrsa -out client.key 4096

  • make csr:

    • openssl req -new -key client.key -out client.csr

  • make cert:

    • openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer

    • -extensions client names a section in a config file passed with -extfile; without -extfile the section is ignored and the cert gets no extensions

  • convert to PKCS12 format:

    • openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

  • verify cert:

    • openssl verify -CAfile ca.crt client.cer

  • if the cert is still rejected, check that the server and host clocks agree (notBefore/notAfter are checked against local time)
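The whole ssl procedure above run end to end, as an added example that is not part of the original notes: it creates a throwaway CA, issues a client cert from a [client] extension section supplied via -extfile, bundles it as PKCS12, and turns the "compare private key to crt" and "verify cert" steps into checks that return a pass/fail exit status. The CA name, subject, export password, the extension section contents and the 2048-bit key size are assumptions made for the example; the notes use 4096.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes openssl is on PATH.
set -eu

# build_pki DIR: create ca.key/ca.crt, client.key/.csr/.cer and client.p12 in DIR
build_pki() {
    dir=$1
    pw=changeit   # constructed PKCS12 export password for this example

    # throwaway self-signed CA, standing in for the ca.key/ca.crt of the notes
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Lab CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # client key + CSR (2048 bits keeps the example quick)
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/CN=client" -out "$dir/client.csr"

    # the [client] section that -extensions client refers to; it has to be
    # handed over with -extfile or the extensions never reach the cert
    cat > "$dir/ext.cnf" <<'EOF'
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 9001 -extfile "$dir/ext.cnf" -extensions client \
        -days 365 -outform PEM -out "$dir/client.cer" 2>/dev/null

    # key + cert bundle for browsers and OS certificate stores
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.cer" \
        -passout "pass:$pw" -out "$dir/client.p12"
}

# pubkey_matches KEY CERT: exit 0 when the key's public half equals the cert's
# public key; this is the pkey -pubout / x509 -pubkey comparison done by digest
pubkey_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# chain_ok CA CERT: exit 0 when CERT verifies against CA (openssl verify -CAfile)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_client_auth CERT: exit 0 when the [client] extensions actually landed
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# p12_subject P12 PASSWORD: print the subject of the cert inside the bundle
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# stand-alone demo: build everything in a temp dir and report each check
workdir=$(mktemp -d)
build_pki "$workdir"
if pubkey_matches "$workdir/client.key" "$workdir/client.cer"; then
    echo "client.key matches client.cer"
else
    echo "MISMATCH: client.key does not belong to client.cer"
fi
if chain_ok "$workdir/ca.crt" "$workdir/client.cer"; then
    echo "client.cer verifies against ca.crt"
fi
if has_client_auth "$workdir/client.cer"; then
    echo "client.cer carries extendedKeyUsage clientAuth"
fi
echo "p12 contains: $(p12_subject "$workdir/client.p12" changeit)"
rm -rf "$workdir"
```

Run it with sh; a wrong key/cert pair (for instance ca.key against client.cer) makes pubkey_matches fail, which is the quickest way to spot a cert that was issued for a different key than the one being handed to the client.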


ssh port forwarding

  • ssh -L[port]:127.0.0.1:[port] user@[IP] opens a listening port on the local box and tunnels it through that IP

    • add -N to run no command in the ssh session, just the forwarding

    • use case: the server has a port that is only reachable from its own localhost; the tunnel opens that port on our box and forwards it to the same port on the remote box, so visiting localhost:[port] here reaches the remote service


shell usage notes

  • when getting a bash reverse shell through nc, this helps the formatting and keybinds:

    • python -c 'import pty;pty.spawn("/bin/bash")'

  • ctrl+z suspends the nc shell and returns to the local terminal

  • stty raw -echo (run on the local terminal)

  • fg [enter] [enter] brings the shell back to the foreground

  • export TERM=xterm inside the remote shell


mount smb share

  • mount -t cifs //[IP]/[share] /mnt/[dir], press enter at the password prompt for guest auth


mount network share

  • discovered with nmap --script=nfs-ls,nfs-statfs,nfs-showmount

  • mount [IP]:/[share] /mnt/[dir]


listing contents of vhd file

  • 7z l [vhdfile]


mount vhd file

  • guestmount --add [vhdfile] --inspector --ro -v [mountdir]
