Commands
The following is a list of commands for both Linux and Windows. Each entry has an "About" section that gives a brief description of the command and a "Usage" section that shows a screenshot of its output. I hope that this will assist you when looking for a possible plan of attack.
Operating systems used for screenshots: Kali Linux 2017.3/2018.1, CentOS 5.7/7
Operating System, kernel version, or service pack info:
Find user information:
- id: Current user ID and group associations
- whoami: Current user
- last: Last logged in user
Check installed programs, permissions, and hidden files:
Manual escalation commands:
Evaluate running services:
Check for scheduled tasks/jobs:
Operating systems used for screenshots: Win 10 Pro, Win XP Pro SP2, Win 7 Pro SP1
Find Operating System, kernel version, or service pack info:
Find user information:
Check installed programs, permissions, and hidden files:
Manual escalation commands:
Evaluate running services:
Check for scheduled tasks/jobs:
- schtasks /query /v /fo LIST: Show scheduled tasks
- Get-ScheduledTask | Where State -EQ 'Ready': List scheduled tasks using PowerShell
Exploits
Below are several exploits, tools, and scripts that you may want to run when presented with a specific target.
- Kernel 2.26.x: Udev 1.4.1: https://www.exploit-db.com/exploits/8478/
- Kernel 2.26.22 - 3.9: Dirtycow: https://www.exploit-db.com/exploits/40839/
- Kernel 3.13.0-32: Overlayfs: https://www.exploit-db.com/exploits/37292/
- Samba 2.2.*: Remote buffer overflow: https://www.exploit-db.com/exploits/7/
- Kernel 2.6.39-3.2.2 or Ubuntu 11.10: Mempodipper: https://www.exploit-db.com/exploits/35161/
- Kernel 2.6.37 ubuntu 10.04: Full-nelson: https://www.exploit-db.com/exploits/15704/
- Kernel under 2.6.32.2 Ubuntu 10.04: Half-nelson: https://www.exploit-db.com/exploits/17787/
- FreeBSD 9.0/9.1: mmap/ptrace: https://www.exploit-db.com/exploits/26368/
- Kernel 2.4.x/2.6.x: https://www.exploit-db.com/exploits/9545/ - compile as: gcc -Wall -o 9545 9545.c -Wl,--hash-style=both
- Linuxprivchecker.py: http://www.securitysift.com/download/linuxprivchecker.py
- LinEnum.sh: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
- 7, 8.1, 2008 R2, 2012 R2, 2016 R2 SMB w/o firewall: Eternalblue (MS17-010): https://www.exploit-db.com/docs/english/42280-how-to-exploit-eternalblue-on-windows-server-2012-r2.pdf
- XP MS08-067 (40279): https://www.exploit-db.com/exploits/40279/
- Hash dumping: FGdump/PWdump (workgroup) or WCE32/64 (domain); wce32.exe -w returns the password
- XP Pro SP3, 2003 SP2 (use with GUI) - MS11-080: https://www.exploit-db.com/exploits/18176/
- Novell Client 2 SP3 on Windows 7 and 8: https://www.exploit-db.com/exploits/27191/
- Weak services IIS exploit: churrasco: https://www.exploit-db.com/exploits/6705/ (usage: churrasco.exe -d cmd.exe)
- Win7 x86 32bit: GDI Objects (MS17-017): https://www.exploit-db.com/exploits/42432/
- PowerUp: https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1