Tips & tricks
Below are some of the tips and tricks that are good to keep in mind when using Exegol.
Change a container’s time
Changing a container’s time with date requires elevated permissions in the container and, because containers share the host’s kernel clock, also changes the host’s time.
There is however an alternative, faketime (see the faketime Ubuntu manpage), which changes the time seen by a process without particular permissions and without affecting the host. This is especially useful when working with Kerberos targets that are out of sync.
faketime manipulates the system time seen by a given child command. For example with zsh, a new shell is opened with a spoofed time that only applies to that exact shell session and the commands executed in it.
faketime 'YYYY-MM-DD hh:mm:ss' zsh
The following examples fetch a remote domain controller’s clock and open a zsh session synchronized to it ($DC_IP holds the DC’s address; the awk field numbers depend on the output format of the installed rdate and net versions, so check their raw output first):
faketime "$(rdate -n $DC_IP -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh
faketime "$(date +'%Y-%m-%d') $(net time -S $DC_IP | awk '{print $4}')" zsh
Note
Here is an example of how faketime can be used.
When doing Active Directory attacks against Kerberos targets, a clock skew error such as KRB_AP_ERR_SKEW can be raised. This means the authenticating machine (the operator) and the destination (Key Distribution Center, a.k.a. KDC) are not in sync, clock-wise: by default a KDC tolerates at most five minutes of difference.
Running any Impacket script with the -debug flag prints the server time. The operator can then use faketime to open a new zsh shell with the right time and timezone and conduct the scenario as previously intended.
The following command prints the operator’s time in UTC so it can be compared with the server time: date --utc
Note: careful with timezones. If they differ between the operator and the KDC, the delta needs to be taken into account.
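As an added example (not code from the Exegol documentation or the Exegol project), the following POSIX shell script computes the skew between a KDC time and the operator’s clock, checks it against the five-minute default Kerberos tolerance, and renders the KDC time in the container’s timezone so it can be passed to faketime. It assumes GNU date (coreutils), as shipped in Debian-based images; the timestamps in the demo are constructed, not real server output.

```shell
#!/bin/sh
# Added example, not part of Exegol's documentation or tooling.
# Input: a KDC time in UTC (as read from an Impacket -debug run, rdate or net time).
# Output: the clock skew, whether it breaks Kerberos, and a faketime argument.
# Assumes GNU date (coreutils).

# Default Kerberos tolerance: MIT krb5 "clockskew" and the Windows
# "Maximum tolerance for computer clock synchronization" are both 5 minutes.
MAX_SKEW=300

# to_epoch "YYYY-MM-DD HH:MM:SS" : seconds since the epoch, input read as UTC
to_epoch() {
    date -u -d "$1 UTC" +%s
}

# kdc_skew KDC_TIME_UTC [LOCAL_TIME_UTC]
# Prints (kdc - local) in seconds. LOCAL_TIME_UTC defaults to the current clock.
kdc_skew() {
    _kdc=$(to_epoch "$1") || return 1
    if [ -n "$2" ]; then
        _loc=$(to_epoch "$2") || return 1
    else
        _loc=$(date -u +%s)
    fi
    echo $(( _kdc - _loc ))
}

# skew_exceeds_tolerance SKEW : succeeds when |SKEW| > MAX_SKEW,
# i.e. when the KDC would answer KRB_AP_ERR_SKEW
skew_exceeds_tolerance() {
    _abs=${1#-}
    [ "$_abs" -gt "$MAX_SKEW" ]
}

# faketime_arg KDC_TIME_UTC [TZ_NAME]
# faketime takes a *local* time, so the KDC's UTC time is rendered in the
# container's timezone (or TZ_NAME). Passing the raw UTC string to faketime on a
# container that runs in another timezone re-introduces the offset you are
# trying to remove.
faketime_arg() {
    if [ -n "$2" ]; then
        TZ="$2" date -d "$1 UTC" '+%Y-%m-%d %H:%M:%S'
    else
        date -d "$1 UTC" '+%Y-%m-%d %H:%M:%S'
    fi
}

# Demonstration on constructed timestamps: the KDC is 12m30s ahead of the operator.
demo() {
    kdc="2024-03-10 14:05:00"
    loc="2024-03-10 13:52:30"
    skew=$(kdc_skew "$kdc" "$loc")
    printf 'skew (kdc - local): %ss\n' "$skew"
    if skew_exceeds_tolerance "$skew"; then
        printf 'outside the 5-minute window, run: faketime "%s" zsh\n' "$(faketime_arg "$kdc")"
    else
        printf 'within tolerance, no faketime needed\n'
    fi
}

demo
```

Only the faketime_arg output depends on the container’s TZ; the skew computation is done entirely in UTC, which is why the script asks for the KDC time in UTC rather than in whatever zone the server printed it in.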
Dynamic history commands
Many commands in the pre-filled history rely on environment variables such as $DOMAIN, $USER, $PASSWORD, etc.
These variables can be set manually or through the profile.sh file in /opt/tools/Exegol-history/.
Fill in and uncomment the relevant lines, then reload the shell with exec zsh to apply the changes.
This makes it easy to search for, and reuse, commands from the history without editing the values every time.
The best reverse shells
- shellerator can be used to generate a reverse shell command dynamically.
- On the attacker’s side, a reverse shell obtained through netcat can be improved to a full TTY (see ropnop.com or 0xffsec.com).
- A simpler alternative to get an upgraded netcat reverse shell: use rlwrap <netcat listener command> instead of plain netcat and then “upgrading” the shell manually. rlwrap only adds line editing and history on the listener side; it does not give the remote shell a real TTY.
- pwncat-cs (calebstewart/pwncat) can be used to obtain an even better reverse shell experience (especially with UNIX-like targets).
Keyboard shortcuts
- ctrl+q: when writing a command, say the user is missing a piece of information (e.g. an IP address). The shortcut saves the half-typed command so the user can look for the value and then finish the command, instead of cancelling it, looking for the info, and typing it all over again. This is zsh’s push-line feature (see sgeb.io).
- ctrl+r: search the history
- ctrl+t: look for a file or directory with a fuzzy finder
- ctrl+a: move to the beginning of the line
- ctrl+e: move to the end of the line
- ctrl+←: move one word backward
- ctrl+→: move one word forward
- ctrl+l: clear the screen
Useful aliases
Tip: to see every alias in your Exegol image, run:
alias
Tip: to see the complete command behind an alias, run:
alias <alias_name>
Warning: some aliases are not available before image 3.1.5.
Here’s a list of useful aliases designed to save you time:
Shell
- ws: shortcut to cd /workspace
- _: shortcut to sudo
- xcopy: copy a file to the clipboard
- xpaste: create a file from the clipboard
- xshow: print the clipboard
- sed-empty-line: remove empty lines
- sed-comment-line: remove commented lines
- history-dump: export the full command history with date and time of execution
Quick service
- http-put-server: Python web server that accepts PUT requests (file upload)
- http-server: shortcut to the classic Python web server
- php-server: serve the current directory with the PHP built-in web server on port 8080
Tools optimization
- hcat: automatic hashcat format solver with fuzzy-finder wordlist selection
- hjohn: automatic john the ripper format solver with fuzzy-finder wordlist selection
- scan-range: Nmap shortcut to find hosts in a specified network range
- nse: find an Nmap NSE script
- urlencode: encode arguments in URL format
- urldecode: decode arguments from URL format