Always use the name of the box for bruteforce
directory enum
passwords
usernames
Reflected output on a webpage?
-> check for XSS
-> check for template injection
1+1
{{1+1}}
${7*7}
New AD credentials?
-> password spraying
-> check where user got access (crackmapexec)
Windows ssh keys
c:\users\<user>\.ssh\id_rsa
Windows runas
powershell script if no gui access
Unix: single command as root
chmod u+s /bin/bash
make /bin/bash a suid binary
run as root: /bin/bash -p
Custom Wordlist based on website
cewl
-> consider flag --lowercase
Read files as root
How to obtain RCE?
Root ssh key?
/etc/shadow
/root/
Mass parameter assignment
update parameters which are not intended:
e.g. add param to json
ruby rails: user[is_admin]=true
Key takeaways “Assembling the Pieces”
enumeration: get as much information as possible to find the most promising attack vector
do not take shortcuts
take notes
do not forget post exploitation once you have privileged access
combine information from different machines
Leaking ssh key
“id_rsa” only for RSA keys
leak “../.ssh/authorized_keys” to list public keys
then find respective private keys
double check port scans!
nmapAutomator
autorecon
-> consistent?
HTTP service, do not forget
check response headers (curl)
check ssl certificate if existing
try different http methods
directory bruteforce
Windows reverse shell not working?
check your msfvenom command
try “powershell reverse tcp”
try “shell reverse tcp”
Windows shell no commands found
Update path:
set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
Windows RCE commands not working?
Try basic commands:
whoami
dir
cmd /c dir
powershell -c dir
dir c:/users
dir c://users
dir c:\users
dir c:\\users
certutil -h
curl -h
RC4_HMAC vs NTLM
They are the same and interchangeable!!!
Docker
consider that the application runs in a docker container
/etc/passwd might not be the actual users of the box
/etc/hostname is the container id