journals

spells

Access the Windows Registry using PowerShell

Add Windows users at the command line

Aircrack-NG

ARP scanning

ARP

AS-REP roasting with Impacket

AS-REP roasting With Rubeus

AS-REP roasting

Automate Netlify builds with IFTTT

Automatically stabilize a reverse shell with socat

Avoid dropping privileges with SUID Bash

awk

Backdoor Visual Basic Scripts

basenc

Bash reverse shell

Bash scripting

Bulk edit Windows permissions

Burp Suite

Bypass the PowerShell execution policy

Bypass Windows antivirus with C Sharp

Calculate a file hash on Windows with CertUtil

Call Mimikatz from a meterpreter shell

cat

cewl

Change a branch name in Git

Change an RSA key passphrase with OpenSSL

Cisco IOS

Common Windows user types

Compact VM disk images

Confirm the existence of a Gmail address

crackmapexec

Create a GPG key with SSH support

Create a zip bomb

CUPP

Day One to Obsidian conversion script

DCERPC

Debugging Bash scripts

Easy reverse DNS lookups

enum4linux

Enumerate AD CS templates with CertUtil

Equivalent Windows and UNIX commands

Evil-WinRM

Exploit LD_LIBRARY_PATH

Exploit LD_PRELOAD

Exploit local Windows services

Exploit local Windows tasks

Exploit remote Windows services

Exploit remote Windows tasks

Exploit the Bash PS4 prompt

Exploit the Windows DLL search order

Exploit the Windows FoDHelper

Exploit the WinLogon initialization sequence

Exploit VBA scripts with msfvenom

Exploit weak etc-passwd permissions

Exploit weak etc-shadow permissions

Exploit Windows file associations

Exploit Windows HTML applications with msfvenom

Exploit Windows services

Exploit Windows shortcut files

Exploit Windows tasks

Export highlights and annotations from Kobo eReaders

Extract the webpage title from a URL

ffmpeg

Find and replace a single line in a large text file

Find executables with SUID capabilities

find

findstr

finger

Fix EXIF data on Google Photos exports

Gemini compatible markdown

Get a shell from ViM

Get an SSL certificate

Golden and silver ticket attacks

IIS configuration data

Kerberoasting with Impacket

Kerberoasting with Rubeus

Load a shell with a simple executable

Local file inclusion attacks

Look up unicode symbols and emojis

MAC address

Magic numbers

man

Match files to packages in Debian-based operating systems

Match files to packages in Red Hat-based operating systems

Metasploit MS SQL modules

meterpreter

Mimikatz

MITRE ATTaCK emulation plans

PHP local file inclusion attacks

PHP

ping

Poison null byte attack

Poison null byte in PHP

Polkit

Pop a SYSTEM shell on the Windows login screen using sticky keys

Pop a SYSTEM shell on the Windows login screen using Utilman

POP3

Port scanning with Bash

POSIX process signals

Powercat

PowerShell reverse shell

PowerView

Pull SSL certificates from an external server

Python

Quick-n-dirty Python web server

Quickly bypass ssh-agent

Quickly find the canonical path of a file

RCE via XXE in PHP

Read a file beginning with a dash

reg

RegEx metacharacters

Remotely install a Windows package with PowerShell

Remove duplicate lines in Bash

Retrieve AIX fileset information

Retrieve AIX system information

Rubeus

Ruby

Run a remote Windows command using PowerShell

Run commands directly with PowerShell

RunAs

Send a command using OpenSSL

Set the PATH in a session on UNIX-like operating systems

Set the PATH in a session on Windows

Set up WMI in PowerShell

SQL injection attacks

Transfer files over FTP using netcat

UDP

unbuffer

Uniform resource locators

UNIX file descriptors

UNIX password hashes

UNIX permissions

Unquoted path handling in Windows

Upgrade PostgreSQL

Use a Raspberry Pi 4B as hacking accessory

Use an alternate SSH key with Git

Use Bash functions to backdoor executables

Use Burp Suite with Firefox

Use Burp Suite with mobile apps

Use curl and jq with web APIs

Use OpenSSL to encrypt and decrypt files

Use the Windows Firewall to relay ports

Use unsupported display resolutions with Samsung DeX

Use WinRM with PowerShell

Useful built-in commands for Linux reconnaissance

Useful built-in commands for Windows reconnaissance

Useful Linux reconnaissance scripts

Useful scripts for Windows reconnaissance

ViM

Visual Basic for Applications

wfuzz

whoami

Wi-Fi

Windows DLL search order

Windows event IDs

Windows event logs

Windows local service accounts

Windows logon scripts

Windows permissions

Windows reconnaissance with PowerShell

Windows Remote Management

Windows Run and RunOnce Registry keys

Windows Scripting Host

Windows SeBackup and SeRestore permissions

Windows SeImpersonate and SeAssignPrimaryToken permissions

Windows service ACLs

Windows services

Windows SeTakeOwnership permission

Windows Startup folder

Windows unattended installation data

winrs

Wireshark

wmic

Work with base64 encoding using PowerShell

Work with remote services using WMI and PowerShell

Work with remote tasks using WMI and PowerShell

Working with services in PowerShell

Cardboard Iguana Security

tags:
  - Application/find
  - AttackCycle/Reconnaissance
  - Application/sudo
  - AttackCycle/PrivEsc

find

Basics

Some useful find flags related to file metadata.

Ownership

The -user and -group flags match files and folders owned by a particular user or group (both numeric and symbolic-readable names are allowed).

File size

The -size flag matches files of size n.

Prefix n with + or - to match files strictly greater than or less than n in size. To specify useful sizes, use a suffix.

c - Bytes
k - Kilobytes
M - Megabytes
G - Gigabytes

For example, use -size +4G to find files over 4 GB (i.e., those that can't be written to a FAT32 file system).

Permissions

The -perm flag matches files and folders with a given permission. Both numeric and symbolic permissions are allowed.

Use the / or - prefix to match files with any of the specified permissions or at least the specified permissions. For example, -perm -644 will match any file where the current user has at least read + write access and any other user has at least read access (so, - requires the specified permissions, but is agnostic as to the presence/absence of additional permissions). Likewise, -perm /666 will match files where the current user has read + write access and/or the current group has read + write access and/or everyone has read + write access (so, / requires that at least one of the specified permissions groups matches exactly, but is agnostic to the state of any other group outside of that match).

Timestamps

The -Xmin and -Xtime flags match files accessed (a), had their contents modified (m), or had their inode changed (c) n minutes (-Xmin) or days (-Xtime) ago.

All mtime changes are ctime changes, but the reverse is not necessarily true.

Prefix n with + or - to match files strictly before or after the specified time in the past.

For example:

# Matches files accessed *more* than 30 minutes ago
#
find . -type f -amin +30

# Matches files modified *less* than 7 days ago
#
find . -type f -mtime -7

# Matches files modified *today*
#
find . -type f -mtime 0

Reconnaissance

Find SUID and SGID executables

find / -type f \
       -a \( -perm -u+s -o -perm -g+s \) \
       -exec ls -l {} \; 2> /dev/null

Find world writable/executable folders

find / -type d -a \( -perm -o+w -perm -o+x \) 2>/dev/null

Shell escape

If find can be run with NOPASSWD via sudo, then try:

sudo find . -exec /bin/sh \; -quit

find

Interactive graph

On this page

find

Basics

Ownership

File size

Permissions

Timestamps

Reconnaissance

Find SUID and SGID executables

Find world writable/executable folders

Shell escape