
Linux pentesting notes

1. Links, sources, wikis, tricks

  • Ired - red-team tricks
  • HackTricks - hack tricks
  • ss64 - all Powershell and Linux commands

2. Quick tools

python3 -m http.server <port>               # Simple HTTP server
dnschef                                     # Simple configurable DNS server
 
echo "str" | base64                         # Encode with base64 
echo "str" | base64 -d                      # Decode with base64

3. Kali Linux resources

3.1. Wordlists

/usr/share/wordlists                        # Location of wordlists 
/usr/share/wordlists/rockyou.txt            # Most common passwords
/usr/share/seclists                         # Well grouped wordlists

3.2. Binaries

sqlitebrowser <db-file>                     # Nice browser for SQLite DB

4. Remote password bruteforcing

# Check all combinations (protocols: ssh, smb, mssql, ldap, winrm)
crackmapexec <protocol> <ip> -u <usernames> -p <passwords>
 
# FTP credentials bruteforcing
hydra -L <username-file> -P <passwords-file> ftp://<ip>

5. Reverse shells

RevShells - reverse shells generator

nc -lvnp <port>                             # Listener
rlwrap nc [...]                             # Adds line editing (arrow keys) to nc

6. Exploits

6.1. Searchsploit

searchsploit --update                       # Update local DB
searchsploit <phrase>                       # Search in Exploit-DB
searchsploit -m <exploit-path>              # Copy exploit to cwd
/usr/share/exploitdb/exploits/              # Default path of Exploit-DB

6.2. Metasploit

msfdb init                                  # Init Metasploit DB
msfconsole                                  # Run metasploit
> search <regex>                            # Search for exploit
> use <exploit-path>                        # Use exploit
> options                                   # Lists options
> set <OPTION> <VALUE>                      # Set option
> run                                       # Run exploit
> back                                      # Exit exploit view
 
# To get reverse shell (run listener): exploit/multi/handler
> CTRL + z                                  # Background current session
> sessions                                  # List all sessions
> sessions <num>                            # Restore session

7. MySQL

mysql -h <host> -u <user> [-p]              # Connect to SQL server
> show databases;                           # Get all databases
> use <db-name>;                            # Select database                 
> show tables;                              # Get all tables
> select user();                            # Get current user
> show grants;                              # Get current permissions

7.1. SqlMap

List of MySQL DBMS privileges.

# Some params to speed up process
sqlmap <params> --batch --threads 10 --dbms mysql
sqlmap -r <file.req>                        # Use request from file
 
# Try to get shell by SQLi (POST and GET)
# There is also "--sql-shell" flag to get SQL shell
sqlmap -u <domain> --data "<param>=*" --method POST --os-shell
sqlmap -u <domain?param=*> --os-shell
    
# Dump selected columns (-C) from table (-T) from DB (-D)
sqlmap <params> -D <db> -T <table> -C <c1>,<c2> --dump
 
# Discover
--dbs                                       # Show databases
-D <db> --tables                            # Show tables
    
sqlmap <params>:
    --file-read <path>                      # Read file
    --file-write <file> --file-dest <to>    # Upload file
    --current-user                          # Get current username
    --current-db                            # Get current DB
    --privileges                            # List user privileges
    --proxy <http://ip:port>                # Send requests via proxy
    --random-agent                          # Random user-agent

SqlMap middleware: to extend SqlMap's capabilities you can write a simple HTTP server that sits between SqlMap and the target. It receives each payload from SqlMap, transforms it as needed, and passes it on. This lets SqlMap cope with targets that have complex request or response behaviour.

8. AJP - Apache JServ Protocol

nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -Pn -p 8009 <IP>

Known exploit: GhostCat (LFI)

9. Interesting files to loot

# System configs
/etc/shadow                                 # Password hashes (root)
/etc/sudoers                                # List of sudoers (root)
/etc/passwd                                 # All users
/etc/group                                  # All groups
/etc/hostname                               # Hostname
/etc/issue                                  # Linux distro
/etc/*-release                              # Linux distro
/etc/crontab                                # CRON
/etc/hosts                                  # Routing
/etc/syslog.conf                            # Syslog configuration
/etc/resolv.conf                            # DNS
/etc/sysctl.conf                            # Kernel
/etc/aliases                                # Aliases
/var/run/utmp                               # Currently logged-in users
/var/log/wtmp                               # Login and logouts info
 
# Logs
/var/log/auth.log                           # Auth attempts logs
/var/log/nginx/access.log                   # Nginx HTTP logs
/var/log/apache2/access.log                 # Apache HTTP logs
/var/log/syslog                             # OS events
/var/log/faillog                            # Failed login attempts
 
# User's information 
/home/<u>/.viminfo
/home/<u>/.bash_history                     
/home/<u>/.mysql_history
/home/<u>/.ssh/id_rsa                       # SSH private key
/home/<u>/.ssh/authorized_keys
/home/<u>/.ssh/known_hosts
 
# Software configs
/etc/nginx/sites-enabled/default            # Nginx website settings
/etc/nginx/nginx.conf                       # Nginx
/etc/http.conf                              # Apache
/etc/samba/smb.conf                         # SMB
/etc/mysql/my.cnf                           # MySQL
/etc/postfix/main.cf                        # Postfix SMTP
/etc/ssh/sshd_config                        # SSHd
/var/run/sshd.pid                           # SSHd PID
 
# Apache sites config
/etc/apache2/sites-available/000-default.conf
 
.ssh/authorized_keys
.ssh/authorized_keys2
/etc/ssh/ssh_host_rsa_key
/home/<u>/.rhosts
/home/<u>/.shosts
/var/run/sshd.pid
/usr/lib/openssh/sftp-server
 
# Current (self) process
/proc/self/comm                             # Command
/proc/self/status                           # Detailed info
/proc/self/environ                          # Environment variables

10. Shell tricks

These tricks may be used to bypass some command-injection filters, etc.

10.1. Spaces without an actual space character

{echo,test1,test2}                 == echo 'test1' 'test2'
echo${IFS}test1                    == echo 'test1'
CMD=$'\x20test1\x20test2';echo$CMD == echo 'test1' 'test2'

11. Privilege escalation

GTFO Bins - commands to perform priv-escalation.

11.1. Shell upgrading

which python python2 python3
python3 -c "import pty; pty.spawn('/usr/bin/bash')"
script /dev/null -c bash

11.2. Weakness discovering

sudo -ll                                    # List user's privileges
sudo -v                                     # Check sudo rights for user
find <dir> -perm /u=s 2>/dev/null           # Find SUID files
w                                           # Show logged-in users
last                                        # Show last logged-in users

12. Hash cracking

hashid -m <hash-string>                     # Identify hash algorithm        
 
john --wordlist=<wordlist> <hash-file>      # Brute-force hash
zip2john <file.zip> > hash                  # Get pass hash from zip
 
hashcat <hash-file> <wordlist>              # Crack hash (auto-detect)
hashcat -m 0 <hash-file> <wordlist>         # Crack hash (MD5 mode)
hashcat -h | grep "Hash modes" -A400        # Get all modes

13. Connecting

ssh <user>@<ip> -i <private-key-file>       # SSH using private key
ftp anonymous@<ip>                          # FTP as a guest

14. Add user SSH key

# 1. Generate an RSA key pair (without a passphrase)
ssh-keygen -t rsa -N ""
 
# 2. Change the user and hostname comment at the end of key.pub
# 3. Append key.pub to /home/<user>/.ssh/authorized_keys on the server (append, so existing entries are kept)
 
# 4. Use key.prv with SSH
chmod 600 key.prv
ssh -i key.prv $user@$ip