Miscellaneous

UTILS

Unzip encrypted zips

Extract the archive's password hash with zip2john, then crack it with john (two separate commands):

zip2john file > zip.file
john zip.file --wordlist=/wordlistPath

Create user list with names

username-anarchy --input-file names.txt --select-format first,flast,first.last,firstl > usernames.txt

KeePass master password (hash extraction)

keepass2john only extracts a crackable hash from the database; feed the resulting file to john or hashcat to recover the master password.

keepass2john data.kdbx > hash.txt

DECODE BASE64

echo -n "string" | base64 -d; echo

CRACK SHADOW FILE

We need both the passwd and the shadow file. unshadow joins them on the username so that john gets the user/hash pairs in one file (reading /etc/shadow requires root):

unshadow passwd.txt shadow.txt > unshadowed.txt
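To make the merged format explicit, here is an added example (not the page's own code and not unshadow itself) that reproduces the join unshadow performs, using constructed sample passwd/shadow entries with fake hashes. It also drops locked or empty entries (`*`, `!`) so only crackable hashes reach john. Assumes bash, awk and mktemp.

```bash
#!/usr/bin/env bash
# Added example: what `unshadow passwd shadow` produces, done with awk.
# Sample inputs are constructed; the hashes are placeholders, not real credentials.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SHADOW_SAMPLE='root:$6$saltsalt$AAAAAAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$saltsalt$BBBBBBBB:19000:0:99999:7:::'

# Join passwd and shadow on the username: field 2 of passwd ("x") is replaced
# by field 2 of shadow (the hash); every other passwd field is kept.
merge_passwd_shadow() {   # args: passwd_file shadow_file
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             ($1 in hash) { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# Keep only lines whose hash field starts with "$" (a real crypt(3) hash);
# locked accounts ("*", "!") and empty fields would only waste cracking time.
crackable_only() {
    awk -F: '$2 ~ /^\$/'
}

# Write the constructed samples to temp files and run the merge.
demo_unshadow() {
    local p s
    p=$(mktemp) || return 1
    s=$(mktemp) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" > "$p"
    printf '%s\n' "$SHADOW_SAMPLE" > "$s"
    merge_passwd_shadow "$p" "$s" | crackable_only
    rm -f "$p" "$s"
}
```

Run `demo_unshadow` to see the two crackable lines (root and alice); the daemon account is filtered out because its shadow entry is `*`. The real tool's output has exactly this shape, which is why john can read it directly.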

PowerShell lateral movement (Invoke-Command over WinRM)

This needs WinRM (TCP 5985/5986) reachable on the target and an account allowed to use PSRemoting (local Administrators or Remote Management Users).

# Build a credential object for the target account (local or domain\user)
$user = "machineName\user"
$password = ConvertTo-SecureString "butterfly!#1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $password)

# Run a command on the remote host; swap the script block for a payload once the path works
Invoke-Command -Credential $cred -ComputerName SNIPER -ScriptBlock { whoami }

TTY Treatment

To turn a plain reverse shell into a fully interactive terminal, follow these steps:

  1. Once we have gained access to the system, run the following command:

  2. Press CTRL + Z to background the listener.

  3. On our own machine, run the following command:

  4. Reset the xterm:

  5. Export the TERM and SHELL (bash) variables:

  6. Adjust the window size. For this we need to know the size of our own terminal, obtained with the command:
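The local side of this procedure (steps 3 to 6) can be scripted. The following is an added example, not part of the original page: it reads our terminal size, prints the exact line to paste into the remote pty, and then puts our terminal in raw mode and foregrounds the listener. It assumes bash with job control (source it into the interactive shell that holds the backgrounded listener), and that a pty was already spawned on the target in step 1; the `xterm` terminal type and `/bin/bash` shell are assumptions.

```bash
#!/usr/bin/env bash
# Added example: local-side helper for the TTY upgrade sequence.
# Usage: source this file in the interactive shell where the reverse-shell
# listener has just been backgrounded with Ctrl+Z, then run: fix_local_tty

# Build the line to paste into the remote pty once the listener is back in
# the foreground: reset the terminal, set TERM/SHELL, set the window size.
remote_fixup_line() {   # args: rows cols [terminal type, default xterm]
    local rows="$1" cols="$2" term="${3:-xterm}"
    printf 'reset %s; export TERM=%s SHELL=/bin/bash; stty rows %s cols %s\n' \
        "$term" "$term" "$rows" "$cols"
}

# Validate the output of `stty size` ("ROWS COLS"): exactly two positive
# integers, otherwise fail (e.g. "0 0" or an error when stdin is not a tty).
parse_stty_size() {
    # shellcheck disable=SC2086
    set -- $1
    [ "$#" -eq 2 ] || return 1
    case "$1$2" in *[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Steps 3-6 from our side: print the remote line first (after `fg` our shell
# no longer reads input), then raw mode without echo so Ctrl+C and tab
# completion reach the remote shell, then foreground the listener.
fix_local_tty() {
    local size
    size=$(parse_stty_size "$(stty size 2>/dev/null)") \
        || { echo "stdin is not a terminal" >&2; return 1; }
    # shellcheck disable=SC2086
    set -- $size
    echo "Paste this into the remote shell once it is back in the foreground:"
    remote_fixup_line "$1" "$2"
    stty raw -echo
    fg
    # fg returns only when the remote shell has exited: restore our terminal.
    stty sane
}
```

Nothing runs at top level, so sourcing the file is side-effect free; the only commands that touch the terminal are inside `fix_local_tty`.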

Upgrade a PowerShell reverse shell to a full pty (ConPtyShell)

https://github.com/antonioCoco/ConPtyShell

Spawning Interactive Shells

/bin/sh -i

Perl

Ruby

Lua

AWK

Find

VIM

Vim escape

CURL

Verbose output

POST Method

PUT Method

Use --path-as-is so curl sends /../ or /./ segments in the URL unchanged instead of normalising them away; without it a path-traversal payload never reaches the server.

File Upload

Detect whether CMD or PowerShell is running

We can use a handy snippet, published by PetSerAl, that prints "CMD" or "PowerShell" depending on which interpreter executes it.

Compile an exploit

Run binaries in Linux

Web shell paths

Web server   Default webroot
Apache       /var/www/html/
Nginx        /usr/local/nginx/html/ (source builds; distro packages commonly use /usr/share/nginx/html or /var/www/html)
IIS          C:\inetpub\wwwroot\
XAMPP        C:\xampp\htdocs\

Always confirm the real document root from the server configuration (DocumentRoot, root, or the IIS site bindings); the values above are only the defaults.

Automated username list generator

We can build the list(s) manually or use an automated generator such as the Ruby-based tool Username Anarchy, which converts a list of real names into common username formats (see the --select-format example above).
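As an added example serving both the `username-anarchy` command above and this paragraph (it is not the page's code and not Username Anarchy itself), here is a bash implementation of the four formats that command selects: first, flast, first.last and firstl. It runs on a constructed names file; middle names are ignored and single-word names only yield the "first" form, both of which are assumptions of this example rather than documented tool behaviour.

```bash
#!/usr/bin/env bash
# Added example: derive username candidates from real names, the way the
# page's username-anarchy invocation does for first,flast,first.last,firstl.

# Constructed input, one "First [Middle] Last" per line.
NAMES_SAMPLE='John Smith
Mary Ann Jones
alice'

# Emit the candidates for one name, lower-cased, one per line.
name_formats() {
    local first last line
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # shellcheck disable=SC2086
    set -- $line
    first=$1
    if [ "$#" -ge 2 ]; then last=${!#}; else last=""; fi
    printf '%s\n' "$first"                        # first
    [ -n "$last" ] || return 0
    printf '%s%s\n' "${first:0:1}" "$last"        # flast
    printf '%s.%s\n' "$first" "$last"             # first.last
    printf '%s%s\n' "$first" "${last:0:1}"        # firstl
}

# Whole file -> deduplicated wordlist ready for a password sprayer.
make_userlist() {   # arg: names file
    while IFS= read -r n; do
        [ -n "$n" ] && name_formats "$n"
    done < "$1" | sort -u
}

# Run on the constructed sample via a temp file (same interface as the tool).
demo_userlist() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' "$NAMES_SAMPLE" > "$f"
    make_userlist "$f"
    rm -f "$f"
}
```

Redirect `make_userlist names.txt > usernames.txt` exactly as with the real tool; the sample above yields nine unique candidates (four each for the two full names plus `alice`).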
