Just a quick and dirty video of a FritzBox attack. Forgive my lack of video editing skills. But im certain that the majority of us can appreciate the gritty view of this:
Please feel free to post a comment.
I would rather spend my time learning and pwning than editing the videos to make them more impressive. Although i intend fully to get into it, but since im studying for an exam retake. I thought this would be justified given my present schedule.
Sunday, September 11, 2011
Thursday, September 1, 2011
Upgrading, coach to firstclass.
Hello all, and welcome back.
I have been forced to do alot of privledge escalation as of late. With windows, its a breeze, in my opinion anyways. But you give me a shell on a linux box, and I will need a map, an Iphone to Google from, and maybe even a direct link to Ms Chleo. Another words, im not very good at it.
So earlier I landed a shell via an old Tomcat vulnerability. A few ls and cd .. and cat commands later, Im thinking about how much I miss meterpreter. Thought for a moment and said I think Ill just give myself a Meterpreter session. So maybe this is common knowledge, maybe its not. Either way Im gonna give my method of doing this. Hopefully its helpful, informative, and at the very least, not boring for those taking the time to read my post. So here goes...
First i decided what kinda of session I wanted.
I prefer reverse_tcp
So I call up my old friend msfpayload, and tell it my prefered session.
msfpayload "payload type" "options" R | <----for raw format so that we can pipe it our other friend:
msfencode "options" "output name"
Now there are more than just one option of getting our payload onto our victim. I went the easier route, moved my encoded payload output to /var/www/ (on local machine ) so that i could start up Apache and just use a little wget magic and then had my payload onto the victim machine. Then its just a matter of a simple "chmod +x" then its ready to go. But before you execute your brand new meterpreter payload. Your going to need to setup a listener. SO fireup another msfconsole or background your current session. Obviously "exploit/multi/handler" is going to be your choice, so choose that. Then whatever your initial payload was, your going to want to add to your multi handler. So for the usual
set PAYLOAD "payload choice"
show options.... ***Ensure the options you set here, are the same that you used with msfpayload/msfencode****
Set the options. Now check your settings one last time to be on the safe side. If all is well, issue the "exploit" command.
Now youll see that your handler is started and listening. So now move back to your linux shell. Now you have a meterpreter payload, a listener/handler waiting for the connection. All thats left is to issue the command within your remote linux shell. Now look over to your handler... If all went well you should something along these lines :
Sending stage (1249280 bytes) to 192.168.1.119
[*] Meterpreter session 1 opened (192.168.1.102:4321 192.168.1.119:47566)
Now after a quick "sessions -l" youll get to see the session number. Issue another quick command, "sessions -i "number" " then youll get the upgraded view:
sf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > BinaryMischief
Now you have just been upgraded from coach to firstclass. I enjoy having the two seperate shells, it gives you the option to see the information from two different angles. Now i will take this moment to to say, im sorry to those who came here looking for an exact, step-by-step tutorial you could cut and paste, but after my cohort and I discussed it, we will not be posting exact step by step guides. But if you have any questions, comments or corrections, please leave a comment. I will discuss it with Pad and more than likely i will post your correction/s, The same day. Well thanks again for reading,.Try to give it a go. Have a good time.
I look forward to your comments. And please forgive my grammar.
Your friendly neighborhood
g11tch
I have been forced to do alot of privledge escalation as of late. With windows, its a breeze, in my opinion anyways. But you give me a shell on a linux box, and I will need a map, an Iphone to Google from, and maybe even a direct link to Ms Chleo. Another words, im not very good at it.
So earlier I landed a shell via an old Tomcat vulnerability. A few ls and cd .. and cat commands later, Im thinking about how much I miss meterpreter. Thought for a moment and said I think Ill just give myself a Meterpreter session. So maybe this is common knowledge, maybe its not. Either way Im gonna give my method of doing this. Hopefully its helpful, informative, and at the very least, not boring for those taking the time to read my post. So here goes...
First i decided what kinda of session I wanted.
I prefer reverse_tcp
So I call up my old friend msfpayload, and tell it my prefered session.
msfpayload "payload type" "options" R | <----for raw format so that we can pipe it our other friend:
msfencode "options" "output name"
Now there are more than just one option of getting our payload onto our victim. I went the easier route, moved my encoded payload output to /var/www/ (on local machine ) so that i could start up Apache and just use a little wget magic and then had my payload onto the victim machine. Then its just a matter of a simple "chmod +x" then its ready to go. But before you execute your brand new meterpreter payload. Your going to need to setup a listener. SO fireup another msfconsole or background your current session. Obviously "exploit/multi/handler" is going to be your choice, so choose that. Then whatever your initial payload was, your going to want to add to your multi handler. So for the usual
set PAYLOAD "payload choice"
show options.... ***Ensure the options you set here, are the same that you used with msfpayload/msfencode****
Set the options. Now check your settings one last time to be on the safe side. If all is well, issue the "exploit" command.
Now youll see that your handler is started and listening. So now move back to your linux shell. Now you have a meterpreter payload, a listener/handler waiting for the connection. All thats left is to issue the command within your remote linux shell. Now look over to your handler... If all went well you should something along these lines :
Sending stage (1249280 bytes) to 192.168.1.119
[*] Meterpreter session 1 opened (192.168.1.102:4321 192.168.1.119:47566)
Now after a quick "sessions -l" youll get to see the session number. Issue another quick command, "sessions -i "number" " then youll get the upgraded view:
sf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > BinaryMischief
Now you have just been upgraded from coach to firstclass. I enjoy having the two seperate shells, it gives you the option to see the information from two different angles. Now i will take this moment to to say, im sorry to those who came here looking for an exact, step-by-step tutorial you could cut and paste, but after my cohort and I discussed it, we will not be posting exact step by step guides. But if you have any questions, comments or corrections, please leave a comment. I will discuss it with Pad and more than likely i will post your correction/s, The same day. Well thanks again for reading,.Try to give it a go. Have a good time.
I look forward to your comments. And please forgive my grammar.
Your friendly neighborhood
g11tch
Subscribe to:
Posts (Atom)