Privilege Escalation and Post Exploitation

Windows Privilege Escalation Fundamentals

From <http://www.fuzzysecurity.com/tutorials/16.html>
Basic Linux Privilege Escalation

From <https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/>

Linuxprivchcker needs python on the system which usually is there. If not, one could do the similar thing using bash. Will have to serach in gethub site

python -c 'import pty; pty.spawn("/bin/sh")'

……emulate bash session from an hacked session so one can enter root pwd. If you try w/o it, you may get a message "su: must be run from a terminal"
From <https://netsec.ws/?p=337>
Linux Post Exploitation Command List

From <https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List>
Escaping Restricted Linux Shells

From <https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells>
Offensive Security’s Exploit Database Archive

From <https://www.exploit-db.com/>
Escaping restricted shell :

If I can run the command echo, I can easily “escape” and bypass the limited shell by using the command echo os.system('/bin/bash')
Password cracker Last 50 successful MD5 decryptions / founds
From <https://hashkiller.co.uk/>
1. The following python script appeared to create the above string in cryptedpass.txt: /encode & decode pwd
sh-4.1$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

The above script was modified on the attacking machine to decode the string:

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(str):
    string = str[::-1]
    string = string.encode("rot13")
    return base64.b64decode(string)

print decodeString(sys.argv[1])

String successfully decoded:

[root:~]# python reverse.py "=RFn0AKnlMHMPIzpyuTI0ITG"
LetThereBeFristi!

From <https://highon.coffee/blog/fristileaks-walkthrough/>

Comments

VM 13 : Basic Pentest 1 csec

Notes: Walkthru: 1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [ w/metasploi t using Wordpress t] 2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [ w/metasploit using ftp ] 3. https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [ by uploading php-reverse-shell in wordpress ] 4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [ access wordpress config file to get pwd and access the DB ] 5. https://cowsayroot.com/walkthrough-basic-pentesting-1/ [ Wpscan, ftp metasploit vulnerability, phpbash ] 6. http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/ [use msfvenom to create to create php shell to be uploaded in Wordpress ] 7. https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding command using using PHP] Notes: Ports - 21...ProFTPD 1.3.3c - 22 openSSH 7.2p2 ubuntu ...

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote host.Now that we have a specific username we can use it in order to obtain more information about this user with the command finger root@host . - Another effective use of the finger...

VM: pWnOS 2.0

Walkthru A. http://defsecurityjam.blogspot.co.uk/2015/07/pwnos-version-2-walkthrough.html [reading source page, Simple PHP Blog Perl exploit, Python revershell using oneliner, looking around ] b. https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/ [metasploit using PHP Blog exploit] c. http://netsec.ws/?p=430 [burpsuite, sql porxy] d. https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/ [sql injection, union. Very good explanation of the process of what is being done. Didnt try cmds] e. https://www.youtube.com/watch?v=ytzZfI27ueU [sql injection, sqlmap read file and upload reverse shell using sqlmap] f. https://ub3rsec.github.io/pages/2016/pwnosv2-sqli.html [sql injection, union using burp Very good . It list all email field that we are passing and modifying thru burp suite/proxy/intercept. One could enter those union statements in the email field but in this case, the field truncates and remove the later part of union statment which is why we...

nagpentest

Search This Blog