72 lines
1.4 KiB
Markdown
72 lines
1.4 KiB
Markdown
|
## How to work through a vulnerable host
|
||
|
|
#### Scan for vulnerabilities
|
||
|
|
We're searching for vulnerabilities in the host, application, or information leakage.
|
||
|
|
|
||
|
|
- NMAP scanning
|
||
|
|
- vhost enumeration
|
||
|
|
- Gobuster
|
||
|
|
- Ping scanning
|
||
|
|
- Google Dorking
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Determine Versions
|
||
|
|
After gathering information about the host and applications, we need to determine what versions they have.
|
||
|
|
|
||
|
|
- Banner grabbing
|
||
|
|
- netcat / telnet
|
||
|
|
- Shodan and Censys
|
||
|
|
- Inspect headers
|
||
|
|
- Throw intentional errors
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Find Exploits
|
||
|
|
Find exploits for identified versions and software on host
|
||
|
|
|
||
|
|
- searchsploit
|
||
|
|
- exploit-db
|
||
|
|
- Google
|
||
|
|
- Shodan
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Craft Payload
|
||
|
|
Create malicious payload through identified exploit. Allows further exploitation through reverse shells or other similar exploitation routes.
|
||
|
|
|
||
|
|
- msfvenom
|
||
|
|
- searchsploit
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Execute Payload
|
||
|
|
Execute the payload we made, there can be some very interesting and creative ways to achieve this!
|
||
|
|
|
||
|
|
- Invoke-Command
|
||
|
|
- runas
|
||
|
|
- sudo
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Establish Persistence
|
||
|
|
Ensure that our exploits will stay persistent on the host
|
||
|
|
|
||
|
|
- service takeovers
|
||
|
|
- cron jobs
|
||
|
|
- startup scripts
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Escalate Privileges
|
||
|
|
Move from a foothold to root!
|
||
|
|
|
||
|
|
- get-process
|
||
|
|
- PowerUp.ps1
|
||
|
|
- LinEnum.sh
|
||
|
|
- LinPEAS
|
||
|
|
- WinPEAS
|
||
|
|
- suid/guid
|
||
|
|
- sudo -l
|
||
|
|
|
||
|
|
---
|
||
|
|
#### Exfiltrate Data
|
||
|
|
Steal the data on the host!
|
||
|
|
|
||
|
|
- Invoke-WebRequest
|
||
|
|
- iwr
|
||
|
|
- curl
|
||
|
|
- Imagination!!
|