Below are some of the tips and tricks that are good to keep in mind when using Exegol.
Changing a container's time with date requires elevated permissions on the container, and messes up with the host's time. There is however and alternative, using faketime (see faketime ubuntu manpage) that allows to change the time of the container easily, without needing particular permissions, without affecting the host. This is especially useful when working with Kerberos targets that are out of sync.
Faketime manipulates the system time for a given child command. For example with zsh, a new shell is opened with a spoofed time that will only be spoofed for this extact shell session and commands executed in it.
faketime 'YYYY-MM-DD hh:mm:ss' zshNote
Here is an example of how faketime can be used.
When doing Active Directory attacks against Kerberos targets, a clock skew error could be raised such as KRB_AP_ERR_SKEW. This means the authenticating machine (operator) and the destination (Key Distribution Center, a.k.a. KDC) are not in sync, clock-wise.
Running any Impacket with the -debug flag will print the server time. The operator can then use faketime to open a new zsh shell with the right time and timezone and conduct the scenario as previously intended.
The following command can be used to print the time in UTC format and compare it with the server time: date --utc.
Note: careful with the timezones. If they differ between the operator and the KDC, the delta needs to be taken into account
The following tools or commands can be used to pop a temporary file or http server: updog, goshs, http-server, http-put-server, ftp-server, smbserver.py.
In order to shares notes during an engagement, trilium (https://github.com/zadam/trilium) can be used.
Many commands in the pre-filled history rely on environment variables such as $DOMAIN, $USER, $PASSWORD, etc. Those variables can be set manually or by using the profile.sh file in /opt/tools/Exegol-history/. The proper lines can be filled and uncommented, and then the shell can be reloaded with exec zsh in order to apply the changes. This allows users to easily look for, and use, commands in the history, without changing the values every time.
shelleratorcan be used to generate a reverse shell command dynmically- on the attacker's side, a reverse shell obtained through a
netcattunnel can be improved (see ropnop.com or 0xffsec.com) - simple alternative way to have an upgrade netcat reverse shell: use
rlwrap <netcat listener command> - instead of using
netcatand "upgrade" the shell manually,pwncat-cs(calebstewart/pwncat) can be used to obtain an even better reverse shell experience (especially with UNIX-like targets).
ctrl+q: when writing a command, let's say a user misses an information (e.g. IP address). The shortcut can be used to save the half-typed command, look for the value, and then finish the command. The user doesn't have to cancel the command, look for the info, and write the command all over again. This is known as thepush-linefeature (see sgeb.io).ctrl + r: look for something in the historyctrl + t: look for a file or directory with a fuzzy finderctrl + a: move to the beginning of the linectrl + e: move to the end of the linectrl + ←: move one word backwardctrl + →: move one word forwardctrl + l: clear the screen
Tip
To see every alias in your exegol image, run the command:
aliasTip
You can see the complete command configured for an alias with the command:
alias <alias_name>Warning
Some aliases are not available before image 3.1.5.
Here's a list of useful aliases designed to save you time:
ipa: List network interfaces in short and colorful wayipr: List network routes in short and colorful waypc: Shortcut toproxychainsncvz: Shortcut to test an open TCP port
ws: Shortcut tocd /workspace_: Shortcut tosudoxcopy: Copy a file to clipboardxpaste: Create a file from clipboardxshow: Print clipboardsed-empty-line: Removes empty linessed-comment-line: Removes commented lineshistory-dump: Export full history of commands with date and time of execution
http-put-server: Python web serverputcapablehttp-server: Shortcut to classic Python web serverphp-server: Server a PHP webserver on current directory using port 8080
hcat: Automatic hashcat format solver with fuzzy finder wordlisthjohn: Automatic john the ripper format solver with fuzzy finder wordlistscan-range: Nmap shortcut to find host in a specified network rangense: Find nmap NSE scripturlencode: Encodes arguments in URL formaturldecode: Decodes arguments from URL format