@theRemix
Last active April 5, 2020 21:36
Pentest CTF starter template

BOX_NAME

export TARGET_IP=10.10.10.xxx

Footprinting

nmap -A $TARGET_IP > full-nmap
#nmap -sV --script banner $TARGET_IP > nmap-banner
#nmap -Pn --script vuln $TARGET_IP > nmap-vuln
# Data found

interesting

# More notes and findings

Things to remember

  • Easy stuff that I was too lazy to look into
  • OSINT

Exploit

searchsploit

# findings

LSE.sh || PEAS


Foothold

USER

FLAG

LSE.sh || PEAS


passwords



Privilege Escalation

su -l https://gtfobins.github.io/

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

ROOT

FLAG

Random Notes

// maybe useful or interesting that doesn't fit above


Enum

scripts

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh

snippets

sqlmap -u $TARGET_IP --dbs > enum-sqlmap

gobuster dir -k -u https://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt > gobuster-443-common
gobuster dir -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt > gobuster-80-common

apache-users -h $TARGET_IP -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -s 0 -e 403 -t 10 > apache-users.log

Crack snippets

hashcat -m 0 ona_default_hashes /usr/share/wordlists/rockyou.txt

/usr/share/john/ssh2john.py id_rsa > id_rsa.hashes

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

Local tunnels

ssh -N -L 9080:$TARGET_IP:80 kali
ssh -N -L 9443:$TARGET_IP:443 kali

# named tunnels
ssh -f -N -M -S kali80 -L 9080:$TARGET_IP:80 kali
ssh -f -N -M -S kali443 -L 9443:$TARGET_IP:443 kali

ssh -S <path-to-socket> -O exit <server>

Metasploit

post

# post(multi/recon/local_exploit_suggester)
use multi/recon/local_exploit_suggester

# msf5 post(multi/recon/sudo_commands)
use multi/recon/sudo_commands