diff --git a/README.md b/README.md index 169eda9..5e00d39 100644 --- a/README.md +++ b/README.md @@ -35,14 +35,15 @@ sudo nmap -sSV -p- IP -oA nmap/initial -T4 sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv ``` -• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports -• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) -• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" -• -iL INPUTFILE tells Nmap to use the provided file as inputs + * -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports + * -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000) + * -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE" + * -iL INPUTFILE tells Nmap to use the provided file as inputs + * CTF Scan ``` -nmap -sV -sC -oA nmap/initial IP +nmap -sV -sC -oA nmap/basic IP • -sV : Probe open ports to determine service/version info • -sC : to enable the script 
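Review bot: the new `* CTF Scan` bullet is not a flag description but a label for the code block that follows it, and because it is written as a list item with no blank line before the opening fence, Markdown will render the fence as part of that list item. Make it a sub-heading or a plain line (`CTF Scan`) followed by a blank line, and finish the bullet conversion: the `•` bullets under the CTF command (`-sV`, `-sC`) still use the old marker while the four above were changed to ` * `. Also consider saying what `-sSV` actually combines, a TCP SYN scan (`-sS`) plus service/version detection (`-sV`), since "defines the type of packet to send" is vague.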
@@ -83,5 +84,72 @@ masscan IP -p 1-65535 --rate 100 -oX masscan.xml ``` -## Stage 2 +## Stage 2 - Attacking +### Get a Shell + + + + + +To check if the shell is a tty shell, just enter tty command like the following. + +```bash +tty +``` +not a tty + +```bash +tty +``` +/dev/pts/0 + +Here are some commands which will enable you to spawn a tty shell: +Python: + +This is the most popular method for spawning a tty shell. The target server should have python or python3 installed. +``` +python -c "import pty;pty.spawn('/bin/bash')" +``` + +Echo: +``` +echo 'os.system('/bin/bash')' +``` + +sh: +``` +/bin/sh -i +``` + +Bash: +``` +/bin/bash -i +``` + +Perl: +``` +perl -e 'exec "/bin/sh";' +``` + +Ruby: +``` +ruby: exec "/bin/sh" +``` + +Lua: +``` +lua: os.execute('/bin/sh') +``` + +From within vi: +``` +:!bash + +:set shell=/bin/bash:shell +``` + +From within nmap: +``` +!sh +```
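Review bot: the `Echo:` entry in the Get a Shell section is not a working command: `echo` only prints its argument, and the nested single quotes in `echo 'os.system('/bin/bash')'` close the string at the second quote, so the line neither parses as intended nor does what the heading promises; drop it or fold the `os.system` variant into the Python entry above it. In the vi entry, `:set shell=/bin/bash:shell` is two ex commands run together and vi would take `/bin/bash:shell` as the shell path; put `:set shell=/bin/bash` and `:shell` on separate lines. The Ruby and Lua blocks repeat the label inside the fence (`ruby: exec ...`, `lua: os.execute(...)`) while Perl gives a complete command line, so pick one format for all entries. Smaller points: the five empty lines added after `### Get a Shell` look like a forgotten placeholder, the `not a tty` and `/dev/pts/0` lines sit outside the fences and should be presented as the output of the two `tty` calls (a plain non-interactive shell versus a real terminal), and only the first two fences carry a `bash` language tag.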