Docker and Penetration Testing

Create a custom Kali container

Begin by cloning the official repository:

    git clone https://github.com/offensive-security/kali-linux-docker.git

Now let's modify the Dockerfile to include packages that we want:

    FROM kalilinux/kali-linux-docker
    MAINTAINER steev@kali.org
    RUN echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && \
        echo "deb-src http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
    ENV DEBIAN_FRONTEND noninteractive
    RUN apt-get -y update && apt-get -y dist-upgrade && \
        apt-get -y install metasploit-framework \
        vim \
        nfs-common \
        cifs-utils \
        snmp \
        x11-apps \
        imagemagick \
        && apt-get clean

Keep adding packages under imagemagick as you see fit, or remove any that you're not particularly interested in....

Jayson Grace

Docker Cheatsheet

Installation

Ubuntu

    install_docker(){
      sudo apt-get update
      sudo apt-get install -y \
        ca-certificates \
        curl \
        gnupg \
        lsb-release
      # Add docker's official GPG key
      sudo mkdir -p /etc/apt/keyrings
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
      echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) \
        stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
      sudo apt-get update
      sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
    }

    set_docker_user(){
      sudo usermod -aG docker ubuntu
    }

    install_docker
    set_docker_user

Resource: https://docs....

Jayson Grace

DVWA Notes

Fix file upload vuln on DVWA docker container

By default, the proper permissions are not set to be able to do the file upload vulnerability properly with something like a PHP backdoor. To fix this, pop onto the container:

    docker exec -it <name of the container> /bin/bash

Once you're on, run this command:

    chown -R www-data:www-data /app

At this point, you should be able to upload a backdoor like Laudanum and go to town like so (once you've uploaded the backdoor):...

Jayson Grace

ELK Cheatsheet

Elasticsearch

Get version of ES:

    curl http://localhost:9200/

Get all indices in a cluster:

    curl http://localhost:9200/_aliases

Get all indices in a cluster (pretty):

    curl 'http://localhost:9200/_aliases?pretty=true'

Show index creation time (the URL is quoted so the shell does not treat the & in the query string as a background operator):

    curl 'http://localhost:9200/_cat/indices?h=health,status,index,id,pri,rep,docs.count,docs.deleted,store.size,creation.date.string&v='

Resource: https://stackoverflow.com/questions/17426521/list-all-indexes-on-elasticsearch-server

Get number of docs in a cluster:

    curl 'http://localhost:9200/_cat/count?v'

Get number of docs in an index:

    curl http://localhost:9200/index/_count

Get Roles

This is where you can get answers to questions like "what do I have access to?"

    curl http://localhost:9200/_security/role

Resource: https://www....

Jayson Grace

Frida Cheatsheet

iOS

List running applications:

    frida-ps -Ua

Run a script on a plugged-in phone (and spawn the application):

    frida -U -l <script>.js --no-pause -f <application>

Jayson Grace

GCP Cheatsheet

Thanks, I hate it.

Getting Started

Install gcloud on MacOS

First install the SDK:

    brew install --cask google-cloud-sdk

Once that's done, you'll be prompted to make some slight modifications to your ~/.zshrc file:

    echo '\n# Google Cloud' | tee -a ~/.zshrc
    echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc' \
      | tee -a ~/.zshrc
    echo 'source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc' \
      | tee -a ~/.zshrc
    source ~/.zshrc

Install gcloud on Ubuntu

    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
      | sudo tee -a /etc/apt/sources....

Jayson Grace

GDB Notes

Compile

This will compile in debug mode and include symbols:

    gcc -ggdb cprog.c -o cprog

Load exec in gdb:

    gdb ./exec

Set breakpoint on main:

    b main

Show instructions for main function:

    disassemble

Show all functions:

    info functions

Show all variables (this will only work if the program is compiled in debug mode, with symbols):

    info variables

List breakpoints:

    i b

Break on a specific memory address:

    b *0x8048417

Show register values:

    i r

Show multiple register values:

    i r ebp esp

View value for a particular register

String value:...

Jayson Grace

Git Notes

Add directory to an empty git repo

Create the repo

Go to the folder and run:

    git init -b main
    git add .
    git commit -m 'Initial commit'
    git remote add origin git@github.com:youruser/yourrepo.git
    git push -u origin main

Resource: https://docs.github.com/en/github/importing-your-projects-to-github/adding-an-existing-project-to-github-using-the-command-line

Set global pull strategy to rebase

    git config --global pull.rebase true

Commit executable file

    FILE=.hooks/go-vet.sh
    chmod +x $FILE
    git add $FILE

Commit empty directory to repo

    mkdir directory
    touch directory/.gitkeep
    git add directory
    git commit -m "Adding directory"
    git push origin main

Resource: https://www....

Jayson Grace

Golang Notes

Installation

Ubuntu

    dl_link='https://dl.google.com/go/go1.15.7.linux-amd64.tar.gz'
    wget -c $dl_link -O - | sudo tar -xz -C /usr/local
    echo "" >> ~/.bashrc
    echo '# Golang exports' >> ~/.bashrc
    echo 'export PATH="$PATH:/usr/local/go/bin"' >> ~/.bashrc
    echo 'export GOPATH=$HOME/go' >> ~/.bashrc
    echo 'export PATH=$PATH:$GOPATH/bin' >> ~/.bashrc
    source ~/.bashrc
    # Test:
    go version

Resource: https://golang.org/doc/install

MacOS

Install it:

    brew install golang

Add the following to ~/.zshrc:

    export GOPATH=$HOME/programs/go
    # Set GOROOT since we're using brew
    export GOROOT="$(brew --prefix golang)/libexec"
    # Add go to PATH - so we can run executables from anywhere
    export PATH="$PATH:${GOPATH}/bin:${GOROOT}/bin"

Resource: https://medium....

Jayson Grace

Google Dorks

Find instances of a string in a site:

    site:techvomit.net intext:"penetration"

Find all pdfs in a site:

    site:tacticaltech.org filetype:pdf

Resource: https://exposingtheinvisible.org/guides/google-dorking/

Search for emails in xlsx files:

    intext:@<domain> filetype:xlsx

Search for subdomain takeover reports on h1:

    site:hackerone.com intext:"subdomain takeover"

Jayson Grace