This is just a exploit framework which have many many modules that can be used for exploitation, pivoting,scanning, etc etc
What is Meterpreter ?
This is the feature of metasploit, it's have payload that offers a shell connection on the victim's computer but with extra features
Approach Privilege Escalation in windows/Linux ⇒
goal is -> to become super admin of system , so from restricted/low shell to administrator/high shell
For Linux we check for :->
- Kernel exploits
- Programs running as root
- Installed software
- Weak/reused/plaintext passwords
- Inside service
- Suid misconfiguration
- Abusing sudo-rights
- World writable scripts invoked by root
- Bad path configuration
- Cronjobs
- Unmounted filesystems
For windows we check for ->
- First is checking software version
- 2nd checking for their network [domain or workgroup]
- Checking for Active Directory related things
- Checking for their SMB,Kerberos, their SAM etc etc
- Finding files
- Checking registry
- Checking what services available
- Trying to run some exploits like hotpotato etc
What is Pivoting ?
In simple words, when you gain command execution on one box, then you can try pivot on that box to explore the networks from same box which can lead to give you access to additional areas of network
So , you actually try to gain into the internal network access
EXAMPLE ⇒
Suppose you gain the shell on victim machine which having ip like -> 192.168.1.12
After checking their network you see there is another network range is open like 10.10.10.2,
so just checking the whole network of 10.10.10.x and if you got the one ip range is open then you try to pivoting that network[10.10.10.3 suppose open] using 192.168.1.12 because directly 10.10.10.3 network is not accessible from your own network[hackers], so we now use pivoting technique
Steps for stack based buffer overflow →
Here are the steps ->
- First fuzzing service's parameter and the locate EIP
- Then finding bad characters
- Then finding return address and exploitation
Limited shell to full root shell ⇒ [Mean from Restricted Shell to Full Root Shell]
Common Restricted Shell ⇒ rbash, rzsh, rksh
Step 1 ⇒ Gathering Environment Information
- Check available commands either by trying them out by hand, hitting TAB key twice or listing files and directories
- Check for commands configured with SUID permissions, specially if they are owned by root user.
- Check the list of commands you can use with sudo. This will let us execute commands with other user’s permissions by using our own password.
- Check what languages are at your disposal, such as python, expect, perl, ruby, etc
- Check if redirect operators are available, such as '|' (pipe), “>”, “>>”, “<”
- Check for escape characters and execution tags such as: “;” (colon), “&” (background support), “’” (single quotes), “” (double-quotes), “$(“ (shell execution tag), “${“
Step 2 ⇒ Common Initial Techniques
- Console Editors ⇒ ed,ne,nano,pico,vim ⇒ we can try ⇒ in vim ⇒
- :set shell=/bin/bash
- :shell
- :!/bin/bash
- Pager Commands ⇒ more or less
- man and pinfo Commands
- find command
- nmap command
Step 3 ⇒ Programming Techniques
- awk, expect, python, ruby, perl, php
In these above techniques , we need to use shell things and other techniques to get root shell