Welcome to the blog's Post-Exploitation Cheat Sheet! I will be actively updating it through commits as needed.
Post-Exploitation
| Linux PrivEsc | Description |
| --- | --- |
| `./linpeas.sh` | Linux enumeration script |
| `./lse.sh` | Linux enumeration script |
| `sudo -l` | List the sudo privileges available to the current user |
| `sudo -u user /bin/echo pwned` | Run a command as another user with sudo |
| `sudo su -` | Switch to the root user (if we have access to `sudo su`) |
| `sudo su - user` | Switch to another user (if we have access to `sudo su`) |
| `find / -perm -4000 -ls 2>/dev/null` | Find SUID binaries |
| `ssh-keygen -f key` | Create a new SSH key pair |
| `echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys` | Once `key.pub` is on the system, append the generated public key to the user's `authorized_keys` |
| `ssh user@10.10.10.10 -i key` | SSH to the server with the generated private key |
| `chmod 600 id_rsa`<br>`ssh user@10.10.10.10 -i id_rsa` | If you have read access to a user's SSH private key, copy it into a file, chmod it and SSH to the server |
| `crontab -l` | Cron jobs of the current user |
| `systemctl list-timers` | Time left until each systemd timer fires |
| `/etc/crontab`<br>`/etc/cron.d`<br>`/var/spool/cron/crontabs/root` | Write access to any of these files lets us add new cron jobs. Also, if we can write to a directory called by a cron job, we can write a reverse shell there and it will be executed. |
| `./pspy` | Analyze running cron jobs (process monitor, no root needed) |
| `getcap -r / 2>/dev/null` | Search the system for binaries with file capabilities |
| Reference | Description |
| --- | --- |
| https://gtfobins.org/ | GTFOBins |
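As an added defender-side example (not part of the cheat sheet), the POSIX shell script below audits two of the conditions the table enumerates from the other direction: group- or world-writable cron files and directories, and SUID binaries that are not on an allowlist. The function names, the `--live` flag and the one-path-per-line allowlist format are assumptions of this example; the cron paths it scans live are the ones listed in the table.

```shell
#!/bin/sh
# Added example: audit a host for the cron and SUID weaknesses the cheat sheet enumerates.
# Every function takes its paths as arguments, so it can be run against a fixture
# directory for testing instead of the live filesystem.

# Print regular files and directories under the given cron paths that are writable by
# group (0020) or others (0002). Paths that do not exist are skipped silently.
# A writable cron file or cron-referenced directory lets a local user schedule commands.
find_writable_cron_files() {
  for p in "$@"; do
    [ -e "$p" ] || continue
    find "$p" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) 2>/dev/null
  done
}

# Print SUID binaries under ROOT whose absolute path is not listed in ALLOWLIST
# (one path per line). Anything printed is an unexpected setuid executable to review.
find_unexpected_suid() {
  root="$1"
  allowlist="$2"
  find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
    grep -qxF -- "$f" "$allowlist" || printf '%s\n' "$f"
  done
}

# Live run is opt-in (hypothetical flag) so that sourcing the file has no side effects.
# Usage: sh audit.sh --live [allowlist-file]
if [ "${1:-}" = "--live" ]; then
  allow="${2:-/dev/null}"
  echo "== group/world-writable cron files and directories =="
  find_writable_cron_files /etc/crontab /etc/cron.d /var/spool/cron/crontabs
  echo "== SUID binaries not in $allow =="
  find_unexpected_suid / "$allow"
fi
```

Run it with `--live` and an allowlist built from a known-good image of the same distribution; an empty allowlist prints every SUID binary, which is the baseline to start from.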