Third step - Exploitation
Exploitation is the third step of the pentester's activities: we attempt to exploit a vulnerability discovered during the investigation step.
Some activities are:
- Brute forcing credentials
- Exploiting a known (unpatched) vulnerability
  - in a service
  - in an application
  - in a website/an API
  - ...
- ...

The goal is to get remote access to the target.
You will usually look for an unpatched vulnerability and try to exploit it to upload files or run commands that create a remote shell.
Vulnerabilities can be grouped in 5 categories:
- Operating System
- Misconfigurations (Version Disclosure, Sensitive Data Exposure, Security Misconfigurations)
- Weak credentials
- Logic flaws (Insecure Deserialization)
- Human errors

Note that not all vulnerabilities are exploitable, and not all vulnerabilities have a public exploit.
Remote shell
In CTFs, you will most of the time be able to get remote shell access to the target, similar to SSH access. This requires a
- server which accepts connections (most likely the hacker host)
- client which connects to the server (most likely the victim)

There are 3 ways to get a remote shell:
To avoid alerting an IDS, a bind/reverse shell should use a protocol that would not be suspected, such as HTTPS (443).
Most of the time, bind/reverse shells are blocked by firewalls.
See msfvenom to generate shells, and msfconsole to catch them.
Most remote shells that we create are unstable:
- you can't use commands requiring user input (ex: sudo)
- you can't clear nor resize your terminal
- there is no auto-completion, you can't use arrows...
- CTRL+C kills the shell, not the command

We can use a wrapper around the client/server (the one on your machine) to make things really nice, or we can try to manually patch the shell.
Not every shell can be upgraded (test another client...). A wrapper may be available as either a client or a server, depending on what you do.
Vulnerability databases
Vulnerability identifiers
To identify and classify vulnerabilities, you can use:
- CVE (Common Vulnerabilities and Exposures) is a dictionary of every known vulnerability. The format is CVE-YEAR-ID.
- CWE (Common Weakness Enumeration) is a list of common weaknesses in applications, grouped in categories.

Vulnerability scoring
There are 2 well-known systems to rank vulnerabilities.
- CVSS (Common Vulnerability Scoring System) was released in 2005, and is free and open-source. It is calculated from 3 metric groups: Base, Temporal, and Environmental. Only the Base score is shown for a CVE. Use the calculator to compute your company-specific value.
- VPR (Vulnerability Priority Rating) is a modern rating based on the risk for the organization that uses it. It ranges from 0 to 100.
 
Proof Of Concept
When a vulnerability is discovered, a proof of concept (PoC) may be written to demonstrate that the vulnerability is exploitable. As a pentester, you may look for them to exploit a vulnerability.
Use GitHub, GitLab, and Google to look for them...
There are many vulnerability databases. You should use 2-3 of them as they may have different information (community info, list of exploits...).
- Exploit DB - CVEs with exploits
- Attacker KB - community reviews
- CVE details - every CVE
- CVE.ORG (MITRE) - every CVE
- Snyk - focus on web applications
- Rapid7 - a bit of focus on Metasploit
- Circl - simplified information for each CVE
- NVD - NIST National Vulnerability Database
- MSRC - Microsoft CVEs
- vulners - vulnerability search engine
- Trickest/CVE - CVE + PoC
- CVEList - Git repository with every CVE
- InTheWild - CVEs exploited in the "wild"
- cxsecurity - CVEs with exploits
- packetstormsecurity - CVEs with exploits
- GitHub Advisory Database - GitHub CVE database
- vulnerability-lab - Vulnerability Lab's list of CVEs
- 0day.today - find or purchase exploits
- opencve - CVE database aggregator

Use the Metasploit Framework to run pre-written exploits, usually leading to an enhanced reverse shell called Meterpreter.
Common vulnerabilities
Websites
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- Command injection
- Path traversal
- File inclusion (LFI/RFI)
- Open Redirect and Session Fixation
- File upload
- Server-Side Template Injection (SSTI)
- HTTP Attacks (CRLF, Verb Tampering, Request Smuggling)
- Server Side Includes/Edge Side Includes (SSI/ESI)

Databases
- Access the file system
- SQL injection (SQLi)
- NoSQL injection (NoSQLi)
- SQL truncation
- KeePass (KDBX)

Serialization
- XML External Entity (XXE)
- Insecure Deserialization
- Recursive Regular Expression DoS

Memory
- Video Game Cheating
- Buffer Overflow
- Format Strings
- Memory leaks
- Race condition

Network
If you gain access to the source code, look back for logic flaws.
Common Failures
Identification and Authentication Failure
- The website does not prevent brute force
- The website allows users to use weak passwords
- The website does not encrypt passwords

Broken Access Control (users can access files/URLs they shouldn't)
- The principle of least privilege is not applied correctly
- Someone can use someone else's token/ID to do something
- A user can access "logged-in only" pages/features without logging in

Injections
- There is insufficient or no validation at all
- There is insufficient or no sanitization at all
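To make the injection failure concrete, here is an added example (not from these notes) of a login check that concatenates user input into SQL, beside the parameterized version that fixes it; the users table and its rows are constructed in-memory data:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline.
    Passwords are stored in clear only to keep the demo short; real code
    stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Untrusted input is concatenated straight into the query: no validation,
    no sanitization. A quote in the input changes the SQL itself, so the
    password  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = (f"SELECT 1 FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: the values travel separately from the statement,
    so the database never parses user input as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None
```

Validation (rejecting input that does not look like a username) is still worth adding, but the parameterized query is what removes the injection regardless of what the input contains.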
 
Cryptographic Failures
- The server is using clear text
- The server allows/uses HTTP instead of HTTPS
- The server uses a weak cryptographic algorithm

To-do
Stuff that I found but never read/used yet.
Websites
- Same-Site Attacks: CanITakeYourSubDomain
- Session_fixation