Scripting access

I don’t have a lot of free time and one thing that gets tiring is repeating steps on a machine required to get back to where you left off last time. This is where scripting one’s access seems to make sense. Does anyone do this? I’m largely interested in how you do it when one of the steps involves a reverse shell, as typically this requires multiple terminal windows when doing it manually or, better yet, when you have to trigger a reverse shell from within another reverse shell.

I’d also love to be linked to anything you might think relevant.

I’m still pretty green when it comes to scripting this kind of stuff. I’ve scripted configuring a new Linux install and stuff, but haven’t really messed with mechanized browser or anything.

I found this forum post through a search. The last post looks relevant:
gnome-terminal -e 'bash -c "./FileName; sleep 999999999d"'

I don’t know if you could sub in the filepath for netcat plus some option args for ‘./FileName’, but even if you couldn’t you could make a sh script that opens nc and reference that file I guess. End result would be netcat listening in a new terminal window.

Check out alamot’s auto_pwn scripts. Might help you.

I personally try to automatize as much as possible. Like instead of using burp I usually start with curl for simple ones and go for requests@python immediately with more complex ones. When I have a sketch I usually write a script in python. Like with Kryptos it would all have been possible without any coding involved but I believe it was worth the extra ~20 mins writing an interactive shell for the enum part that must’ve spared me hours.

I don’t think it’s necessarily always possible or feasible to try creating a shortcut but usually you can at least code smaller parts that make it that much quicker.

Alamot’s scripts are amazing, hands down, but clearly made /after/ he pwnd the boxes for demonstration purposes with knowledge you don’t necessarily have during the process.

Thanks guys/gals for the responses. Alamot’s GitHub was particularly instructive. I think the real takeaway for me is to look more closely into pwntools as that’s clearly what Alamot is relying on for the interactive shell part.

I agree @rowra that Alamot clearly writes the scripts once he’s pwned the box and I often use curl and requests too - I suck at escaping special characters, but that’s a whole other issue.

Thanks again everyone

IppSec just released Kryptos box video which includes a lot of scripting.
My implementations were a bit different, but just due to lack of experience in python coding =)

Well, I just stumbled upon this thread… The truth is that I usually write most parts of my autopwn scripts WHILE I am trying to pwn a machine. And the reason for that is very simple: I am too lazy. For me it’s always more fun if I can automate a repetitive and/or tedious process. After I have pwned the machine, I write/add some additional parts into my autopwn scripts for completeness’ sake and/or demonstration purposes. :)

Oh hey @alamot thanks for the correction, straight from the horse’s mouth as they say :).

I just wrote a script for Control to get me straight to user in Bash, although I’m having issues involving background/foreground nc listeners, so I think I’ll rewrite it in Python.