Privilege Escalation and Post Exploitation

Windows Privilege Escalation Fundamentals

From <http://www.fuzzysecurity.com/tutorials/16.html>
Basic Linux Privilege Escalation

From <https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

Linuxprivchcker needs python on the system which usually is there. If not, one could do the similar thing using bash. Will have to serach in gethub site

python -c 'import pty; pty.spawn("/bin/sh")'

……emulate bash session from an hacked session so one can enter root pwd. If you try w/o it, you may get a message "su: must be run from a terminal"
From <https://netsec.ws/?p=337>
Linux Post Exploitation Command List

From <https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List>
Escaping Restricted Linux Shells

From <https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells>
Offensive Security’s Exploit Database Archive

From <https://www.exploit-db.com/>
Escaping restricted shell :

If I can run the command echo, I can easily “escape” and bypass the limited shell by using the command echo os.system('/bin/bash')
Password cracker Last 50 successful MD5 decryptions / founds
From <https://hashkiller.co.uk/>
1. The following python script appeared to create the above string in cryptedpass.txt: /encode & decode pwd
sh-4.1$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

The above script was modified on the attacking machine to decode the string:

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(str):
    string = str[::-1]
    string = string.encode("rot13")
    return base64.b64decode(string)

print decodeString(sys.argv[1])

String successfully decoded:

[root:~]# python reverse.py "=RFn0AKnlMHMPIzpyuTI0ITG"
LetThereBeFristi!

From <https://highon.coffee/blog/fristileaks-walkthrough/>

Comments

VM 13 : Basic Pentest 1 csec

Notes: Walkthru: 1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [ w/metasploi t using Wordpress t] 2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [ w/metasploit using ftp ] 3. https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [ by uploading php-reverse-shell in wordpress ] 4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [ access wordpress config file to get pwd and access the DB ] 5. https://cowsayroot.com/walkthrough-basic-pentesting-1/ [ Wpscan, ftp metasploit vulnerability, phpbash ] 6. http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/ [use msfvenom to create to create php shell to be uploaded in Wordpress ] 7. https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding command using using PHP] Notes: Ports - 21...ProFTPD 1.3.3c - 22 openSSH 7.2p2 ubuntu ...

VM 9 : PHP Include And Post Exploitation

Walkthrough 1. https://medium.com/@Kan1shka9/pentesterlab-php-include-and-post-exploitation-walkthrough-8a85bcfa7b1d 2. Ine [] 3. http://megwhite.com.au/pentester-lab-bootcamp-walkthrough-php-include-post-exploitation/ 4. http://fallensnow-jack.blogspot.com/2014/07/pentester-lab-php-lfi-post-exploitation.html Notes: root@kali:~# nmap 10.0.0.12 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-30 12:23 EDT Nmap scan report for 10.0.0.12 Host is up (0.00035s latency). Not shown: 999 filtered ports PORT STATE SERVICE 80/tcp open http MAC Address: 08:00:27:1F:12:24 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds root@kali:~# Enumerating port 80 Run dirb root@kali:~# dirb http://10.0.0.12/ ----------------- DIRB v2.22 By The Dark Raver...

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote host.Now that we have a specific username we can use it in order to obtain more information about this user with the command finger root@host . - Another effective use of the finger...

nagpentest

Search This Blog