Leet Sheet
Non-Hacking

Keylogging Any Terminal Which Belongs To You

This can be used on HackTheBox, for example, since you and other users frequently log in to the same machine. You can also use it if you have high privileges, for example if you are root, and you want to spy on a different user's terminal.

If you run the tty command, you'll get something like /dev/pts/14. This tells you that your pty number is 14.

Assuming there is a user whose pty number is 15, and you have the privileges to read /dev/pts/15, then you can run cat /dev/pts/15 and you will receive (some part of, not all of) the input of that user's terminal.

If you run echo hello > /dev/pts/15, you will write to their terminal.

Note that when you snatch a character from another user's input, it will not appear on their terminal. So you should echo back any characters you cat from them.

It seems the characters you manage to snatch (or not snatch) are random (race condition). So possibly, if you use more than one user for catting /dev/pts/15, you will receive a larger percentage of the input.

Note that this cannot be used to capture passwords, since the letters do not appear in the terminal window when typing out a password.
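The precondition for all of the above is a pty node that someone other than its owner can read. As an added defensive check (not from the original page), this POSIX shell function lists /dev/pts nodes whose group or other permission bits include read; it assumes GNU coreutils stat, and the optional directory argument exists only so it can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit pseudo-terminal
# device nodes for read access by users other than the owner. On a
# normal Linux system /dev/pts/N is mode 620 (owner rw, group tty w),
# so nobody but root or the owner can read the terminal's input.
# Assumes GNU coreutils stat. The optional argument overrides the
# directory scanned (useful for testing against a scratch directory).

find_exposed_ptys() {
    dir="${1:-/dev/pts}"
    exposed=0
    for node in "$dir"/*; do
        [ -e "$node" ] || continue
        case "$node" in */ptmx) continue ;; esac   # multiplexer, not a terminal
        set -- $(stat -c '%a %U %G' "$node")
        mode=$1 owner=$2 group=$3
        # Keep the last two octal digits: the group and other permission bits.
        tail=${mode#"${mode%??}"}
        grp=${tail%?}
        oth=${tail#?}
        case "$grp$oth" in
            *[4567]*)   # a read bit (4) is set for group or other
                printf '%s mode=%s owner=%s group=%s\n' "$node" "$mode" "$owner" "$group"
                exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]   # exit status 1 if anything was flagged
}

if find_exposed_ptys; then
    echo "no pty nodes readable by non-owners"
fi
```

Run it as root (or as any user, for the nodes you can stat) and fix anything it prints with chmod 620; a non-zero exit status makes it usable from a cron job.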

Virtual Machine Setup

VirtualBox

Settings -> Network -> choose Bridged Adapter or Host-only Adapter. You can see the address range of the host-only adapter in File -> Host Network Manager. It's 192.168.56.1 by default.

Host Only

Connecting to the VM: edit /etc/network/interfaces to make the IP static. Make the IP be in the same range as the adapter and set the gateway to the adapter's address.

sudo nano /etc/network/interfaces

# Interfaces configuration
iface eth0 inet static
address 192.168.56.20
netmask 255.255.255.0
gateway 192.168.56.1

# Restart the interface
sudo ifdown eth0
sudo ifup eth0
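Before running ifup, it is worth checking that the stanza really puts the guest in the adapter's range and does not reuse the adapter's own address. This is an added example, not from the original page: a POSIX shell checker that parses an interfaces-style stanza from a file and verifies address, netmask and gateway against each other, using a constructed copy of the stanza above as input.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a static
# /etc/network/interfaces stanza for a host-only adapter. The address
# must fall inside the adapter's subnet and must not reuse the gateway
# address (the host side of the adapter, 192.168.56.1 by default).

ip_to_int() {
    # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: check_static_stanza FILE  -> prints a verdict, exit 0 if sane
check_static_stanza() {
    addr=$(awk '$1 == "address" { print $2 }' "$1")
    mask=$(awk '$1 == "netmask" { print $2 }' "$1")
    gw=$(awk '$1 == "gateway" { print $2 }' "$1")
    if [ -z "$addr" ] || [ -z "$mask" ] || [ -z "$gw" ]; then
        echo "stanza is missing address, netmask or gateway"; return 1
    fi
    m=$(ip_to_int "$mask")
    if [ $(( $(ip_to_int "$addr") & m )) -ne $(( $(ip_to_int "$gw") & m )) ]; then
        echo "$addr is outside the gateway's subnet ($gw netmask $mask)"; return 1
    fi
    if [ "$addr" = "$gw" ]; then
        echo "$addr collides with the gateway address"; return 1
    fi
    echo "OK: $addr/$mask via $gw"
}

# Constructed sample, copied from the host-only stanza above.
SAMPLE_STANZA=$(mktemp)
cat > "$SAMPLE_STANZA" <<'EOF'
iface eth0 inet static
address 192.168.56.20
netmask 255.255.255.0
gateway 192.168.56.1
EOF
check_static_stanza "$SAMPLE_STANZA"
```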

Bridged

Make sure VirtualBox is running a DHCP service for the adapter.

sudo nano /etc/network/interfaces

# interfaces file configuration
iface eth0 inet dhcp

# Restart the interface
sudo ifdown eth0
sudo ifup eth0

Hyper-V

See what the gateway IP is by doing cmd -> ipconfig.

If you can ping 8.8.8.8 but not google.com, then you have no DNS. Add a nameserver to /etc/resolv.conf:

sudo nano /etc/resolv.conf

# resolv.conf configuration:
nameserver 8.8.8.8

Resolving Linux Problems

Linux Clock is Wrong

Update the clock:

sudo ntpdate -s time.nist.gov

Steganography

Stego-toolkit (GitHub: DominicBreuker/stego-toolkit) is pretty good for CTF exercises.

Exif Data

Use exiftool to extract EXIF data. Sometimes it will tell you there's some extra encoded data you can extract. You can extract it or run binwalk on it.

exiftool filename.jpg

If you extract something using the -b flag, then you can run binwalk on whatever you've extracted.

Binwalk For Embedded Files or Code

Binwalk is a tool for searching binary images for embedded files and executable code. Super useful for finding whether an image contains extra files or code.

binwalk file.ext

You can extract the detected data using:

binwalk -e file.jpg

Though, keep in mind that it's normal for images to contain zlib compressed data.

OS Install

Windows

A non-activated official version of Windows can be installed from Microsoft's website. Use either Windows' own tool (didn't work for me) or Rufus to install onto USB. Use a good USB that has at least 8GB space.

HWIDGEN is frequently used to illegally activate Windows for free.

Persistent Kali

Use this guide: How-To: Kali Linux 2021 Live USB with Persistence and Optional Encryption (Windows) (DevAnswers.co).

When writing persistence.conf, instead of following the instructions, go there with cd and write the file using touch and nano.