114 | exploit -j #-j to run as background
115 | ```
116 |
117 | ### Web Shells
118 |
119 | Some websites allow the ability to upload an executable file to active a reverse or bind shell. They are typically run inside a webserver in a language like PHP.
120 |
121 | ## Bind Shells
122 |
123 | The code executed is a listener attached to a shell directly on the target.
124 |
125 | {% hint style="info" %}
126 | May be protected by firewalls and is far less common.
127 | {% endhint %}
128 |
129 | On target machine: `nc -lvnp -e "cmd.exe"`
130 |
131 | On attacker machine: `nc MACHINE_IP`
132 |
--------------------------------------------------------------------------------
/information-gathering/service-enumeration/ftp.md:
--------------------------------------------------------------------------------
1 | # Theory
2 |
3 | The File Transfer Protocol (FTP) runs on the application. In an FTP connection, two channels are opened, the client and server establish a control channel through **TCP port 21** then both participants establish the data channel via **TCP port 20**. Two variants exist
4 | * `active` where the client established the connection. Often blocked by firewall blocking all incoming connections to server.
5 | * `passive` where the server announces a port through which the client can establish the data channel.
6 |
7 | `vsFTPd` is the most common distribution of FTP. The config `/etc/vsftpd.conf` file reveals the settings. As well as `/etc/ftpusers` revealing the denied users.
8 |
9 | | **Setting** | **Description** |
10 | | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
11 | | `listen=NO` | Run from inetd or as a standalone daemon? |
12 | | `listen_ipv6=YES` | Listen on IPv6 ? |
13 | | `anonymous_enable=NO` | **(DANGEROUS)** Enable Anonymous access? |
14 | | `local_enable=YES` | Allow local users to login? |
15 | | `dirmessage_enable=YES` | Display active directory messages when users go into certain directories? |
16 | | `use_localtime=YES` | Use local time? |
17 | | `xferlog_enable=YES` | Activate logging of uploads/downloads? |
18 | | `connect_from_port_20=YES` | Connect from port 20? |
19 | | `secure_chroot_dir=/var/run/vsftpd/empty` | Name of an empty directory |
20 | | `pam_service_name=vsftpd` | This string is the name of the PAM service vsftpd will use. |
21 | | `rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem` | The last three options specify the location of the RSA certificate to use for SSL encrypted connections. |
22 | | `rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key` | |
23 | | `ssl_enable=NO` | |
24 | | (optional) `anon_upload_enable=YES` | Allowing anonymous to upload files? |
25 | | (optional) `anon_mkdir_write_enable=YES` | Allowing anonymous to create new directories? |
26 | | (optional) `no_anon_password=YES` | Do not ask anonymous for password? |
27 | | (optional) `anon_root=/home/username/ftp` | Directory for anonymous. |
28 | | (optional) `write_enable=YES` | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |
29 |
30 | ---
31 | # Practice
32 |
33 | ```shell
34 | # anonymous login
35 | ftp $HOST
36 |
37 | # status
38 | ftp> status
39 |
40 | # detailed output(debug and packet trace)
41 | ftp> debug
42 | ftp> trace
43 |
44 | # download file
45 | ftp> get $FILE
46 |
47 | # download all available files
48 | wget -m --no-passive ftp://anonymous:anonymous@$HOST
49 |
50 | # upload a file
51 | ftp> put $FILE
52 |
53 | # if FTP is running FTP TLS/SSL
54 | openssl s_client -connect $HOST:21 -starttls ftp
55 | ```
--------------------------------------------------------------------------------
/post-exploitation/windows.md:
--------------------------------------------------------------------------------
1 | ---
2 | icon: windows
3 | ---
4 |
5 | # Windows
6 |
7 | ## Enumeration
8 |
9 | * [WinPeas](https://github.com/peass-ng/PEASS-ng): Windows Privilege Escalation Awesome Scripts
10 | * [PrivescCheck](https://github.com/itm4n/PrivescCheck)
11 | * [WES-NG](https://github.com/bitsadmin/wesng): Windows Exploit Suggester
12 | * Metasploit. If you have a meterpreter shell you can run `multi/recon/local_exploit_suggester`
13 |
14 | ## Abusing Dangerous Privileges
15 |
16 | `whoami /priv` allows you to view what privileges your user has.
17 |
18 | #### SeBackup / SeRestore
19 |
20 | Allows user to read and write to any file in the system, ignore DACL. If enabled we can exfiltrate SAM and SYSTEM hashes and retrieve them with Impacket and perform a Pass-the-Hash (PtH) attack:
21 |
22 | ```
23 | reg save hklm\system C:\Users\THMBackup\system.hive
24 | reg save hklm\sam C:\Users\THMBackup\sam.hive
25 | ```
26 |
27 | #### SeTakeOwnership
28 |
29 | Allows user to taken ownership of any object on the system. We can take a service or executable that is run with `SYSTEM` privileges and replace the original binary for any payload we like.
30 |
31 | {% hint style="info" %}
32 | Being owner of a file does not mean you have privileges but mean you can assign privileges.
33 | {% endhint %}
34 |
35 | #### SeImpersonate / SeAssignPrimaryToken
36 |
37 | Allows user to run a process that "borrows" the identity and permissions of another user that connects to it. Is necessary for many services. Most of the time can be leveraged with a Potato exploit (check system version).
38 |
39 | ## Service Misconfigurations
40 |
41 | Windows services are managed by Service Control Manager (SCM). Manages state of service and current status. Each service has an associated executable run by SCM with special function ran by SCM.
42 |
43 | `sc qc SERVICE` to view the structure of a service. `binary_path_name` can allow us to access the Discretionary Access Control List (DACL) which indicates who has permissions start, stop, and pause a service.
44 |
45 | `reg query HKLM\SYSTEM\CurrentControlSet\Services\` to view service configurations.
46 |
47 | If a service has weak permissions that allows an attacker to modify or replace the service. An attacker can overwrite the legitimate file with a malicious one to gain those privileges. Involves restarting the service.
48 |
49 | #### Insecure Service Permissions
50 |
51 | If the DACL service (not the executable DACL) is modifiable, you can point to any executable with any level of permissions (even `SYSTEM`).
52 |
53 | #### Unquoted Service Permissions
54 |
55 | If a service is configured to an unquoted executable and spaces exists, the CMD does not know how to properly parse the path because a space defines a new argument. Instead of failing it will try every possibility with or without spaces. We can leverage this by placing a payload at one of the earlier paths it tries.
56 |
57 | {% hint style="info" %}
58 | This is not easily done because most services are stored in the `Program Files` directory. Which is unwritable for unprivileged users.
59 | {% endhint %}
60 |
61 | ## Quick Wins (More common in CTF)
62 |
63 | #### Vulnerable Software
64 |
65 | `wimc product get name,version,vendor` shows software installed on machine (Note: may not show all programs, as some are installed differently)
66 |
67 | `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` to view installed applications via the Windows Registry
68 |
69 | #### Unattended Windows Installations
70 |
71 | Administrators need to install Windows on a large number of hosts so they use Windows Deployment Services to deploy a single OS image to a lot of hosts through the network. Requires an Administrator account to perform initial setup, which may be stored on local machine:
72 |
73 | ```
74 | C:\Unattend.xml
75 | C:\Windows\Panther\Unattend.xml
76 | C:\Windows\Panther\Unattend\Unattend.xml
77 | C:\Windows\system32\sysprep.inf
78 | C:\Windows\system32\sysprep\sysprep.xml
79 | ```
80 |
81 | #### Powershell History
82 |
83 | `type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
84 |
85 | #### Saved Windows Credentials
86 |
87 | `cmdkey /list` lists all credentials stored in the Windows Credential Manager (Note: won't allow you to view them directly)
88 |
89 | `runas /savecred /user:admin cmd.exe` run a cmd.exe as the user stored in the Credential Manager
90 |
91 | `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v keyword` to view if auto-log on is stored in the Windows registry
92 |
93 | `reg query HKLM /f "password" /t REG_SZ /s` to search the registry for anything related to the password
94 |
95 | #### Internet Information Services (IIS) Configuration
96 |
97 | Is responsible for the default web server on Windows installs. Will sometimes store password for databases or configurated authentications.
98 |
99 | ```
100 | C:\inetpub\wwwroot\web.config
101 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
102 | ```
103 |
104 | #### Retrieve Credentials from software
105 |
106 | PuTTY (SSH client on windows): stores connection parameters such as IPs and SSH passwords. Only accessible with Proxy `reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s`
107 |
108 | #### AlwaysInstallElevated
109 |
110 | Windows Installer Files (or .msi) are used to install applications on system. They are usually run with the privilege level of the user that starts it. They can be configured to run with higher privilege accounts.
111 |
112 | ```
113 | #Two registry values have to be set
114 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
115 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
116 | ```
117 |
118 | Make a malicious .msi file to exploit.
119 |
120 | #### Scheduled Tasks
121 |
122 | `schtasks` to view scheduled tasks. We can view `Task to Run` and `Run as User` , changing either might get a payload to be run by a user with higher privileges.
123 |
124 | #### Service Configurations
125 |
126 | `reg query HKLM\SYSTEM\CurrentControlSet\Services\` to view service configurations to learn about a service.
127 |
128 | #### Psexec
129 |
130 | `psexec.exe -s cmd.exe` To elevate a shell to `SYSTEM`
131 |
132 |
--------------------------------------------------------------------------------
/exploitation/web-exploitation/xss.md:
--------------------------------------------------------------------------------
1 | # XSS
2 |
3 | Cross-site scripting, injection attacker where malicious Javascript gets injected into a web app and gets returned to users.
4 |
5 | Types of payloads:
6 |
7 | * Proof of concept: show that you achieved CSS on a website, usually with `alert`
8 | * Session Stealing: details of user session ⇒ login tokens, kept in cookies, take over the session and use to login
9 | * Key Logger: anything typed gets sent to a website used by hacker
10 | * Business Logic: calling a particular network or JS function
11 |
12 | ### Reflected XSS
13 |
14 | * user-supplied data in an HTTP request is included in webpage source without validation. Not persistent.
15 | * attacker could send links or embed them into iframe containing JS payload
16 |
17 | {% hint style="info" %}
18 | Suppose a website has a search function which receives the user-supplied search term in a URL parameter:
19 |
20 | `https://insecure-website.com/search?term=gift`\
21 | The application echoes the supplied search term in the response to this URL:
22 |
23 | You searched for: gift
24 |
25 | Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:
26 |
27 | `https://insecure-website.com/search?term=/+Bad+stuff+here...+/` \
28 | This URL results in the following response:
29 |
30 | You searched for: `/* Bad stuff here... */`
31 |
32 | If another user of the application requests the attacker's URL, then the script supplied by the attacker will execute in the victim user's browser, in the context of their session with the application.
33 | {% endhint %}
34 |
35 | #### Methodology
36 |
37 | * **Test every endpoint.** Every parameter within the URL query string / file path. Even HTTP Headers.
38 | * For each entry point use random values (that won't trigger any form of input filtering)
39 | * **Determine the reflection context.** Could be between HTML tags, quoted. etc.
40 | * Can used Burp Repeater to test some candidate payloads and see the HTML response.
41 |
42 | ### Stored XSS
43 |
44 | * XSS payload is stored on the web application and then gets run when other users visit the site or web page (persistent)
45 | * any data that is stored in the web application can be tried to run javascript payload
46 |
47 | {% hint style="info" %}
48 | Suppose a website allows users to submit comments on blog posts, which are displayed to other users. Users submit comments using an HTTP request like the following:
49 |
50 | `POST /post/comment HTTP/1.1 Host: vulnerable-website.com Content-Length: 100 postId=3&comment=This+post+was+extremely+helpful.&name=Carlos+Montoya&email=carlos%40normal-user.net`
51 |
52 | After this comment has been submitted, any user who visits the blog post will receive the following within the application's response:
53 |
54 | `This post was extremely helpful.
`
55 |
56 | Assuming the application doesn't perform any other processing of the data, an attacker can submit a malicious comment like this:
57 |
58 | ``
59 |
60 | Within the attacker's request, this comment would be URL-encoded as:
61 |
62 | `comment=%3Cscript%3E%2F*%2BBad%2Bstuff%2Bhere...%2B*%2F%3C%2Fscript%3E`
63 |
64 | Any user who visits the blog post will now receive the following within the application's response:
65 |
66 | ``
67 |
68 | The script supplied by the attacker will then execute in the victim user's browser, in the context of their session with the application.
69 | {% endhint %}
70 |
71 | #### Methodology
72 |
73 | * **Test every endpoint.**
74 | * Parameters or other data within URL query string and message body
75 | * **Find links between entry and exit points.**
76 | * **Systematically work through all data entry points, submitting a specific value into each one and monitoring the application's responses to detect cases where the submitted value appears.**
77 |
78 | ### DOM Based XSS
79 |
80 | * Manipulating the way the JS interacts with the DOM. Typically only run on the client side.
81 | * Document Object model ⇒ programming interface for HTML documents
82 | * JS execution happens directly in the browser without new pages being loaded
83 | * any variable that an attacker can have control over can be leveraged
84 | * e.g used in Juice Box ` (1).png)
.png)