cd
change directory
cd ..
change directory to the parent (go up one level in the tree)
pwd
print working directory
find
search a directory tree for files, for example by name, when you know what a file is called but not where you saved it
find / -name Foo.txt
search the whole filesystem for a file named Foo.txt (use find ~ -name Foo.txt to search only your home directory)
find / -name Foo.txt 2>/dev/null
append 2>/dev/null to silence "Permission denied" errors from directories you cannot read (or run find with sudo so it can read them)
grep
search for matching patterns in a file
ls
list
ls -la
long listing of all files, including hidden dot-files
cat
concatenate: reads one or more files and writes their contents to standard output
su [username]
switch user
strings [FILE]
print the runs of printable text embedded in a binary or data file
ps
Process Status, used to view information about active processes on the system.
ps -edf
Process Status for every process on the system (-e), including other users' processes and daemons (background processes), in a full-format listing (-f); -d (all processes except session leaders) is already covered by -e, so ps -ef is the usual spelling.
tar -zxvf filename
extract a gzip-compressed tar archive (.tar.gz / .tgz) into the current directory
tar -jxvf filename
extract a bzip2-compressed tar archive (.tar.bz2) into the current directory
bunzip2 backup.bz2
decompress a bzip2-compressed (.bz2) file; the .bz2 is replaced by the decompressed file unless you pass -k
cpio -idv --no-absolute-filenames < [filename]
extract a cpio archive: -i copy-in (extract), -d create leading directories, -v verbose; --no-absolute-filenames strips leading slashes so an archive with absolute paths cannot write outside the current directory
mysql -u root
access mysql
mysql -u root -p
access mysql with password
show databases;
list the databases on the server
use [DATABASE];
select the database to work in
show tables;
list the tables in the selected database
select * from [TABLE];
dump every row of the table
select load_file('[FILENAME]');
read a file from the database server's filesystem with the load_file() MySQL function. It needs the FILE privilege, and newer versions restrict it further (secure_file_priv limits or disables the directories it may read), so it often fails on hardened installs.
SHOW and USE will not work inside a SQL injection: they are standalone MySQL statements, not parts of a SELECT, so they cannot be spliced into an injected query. List databases and tables through information_schema.schemata and information_schema.tables instead.
If you are logged in to the system as the mysql user, you can read the table files directly from the data directory on the backend instead of going through the database.
openssl enc -aes256 -k [KEY] -in /tmp/backup.tgz -out /tmp/backup.tgz.enc
encrypt with a passphrase (-aes256 is AES-256-CBC). Current OpenSSL warns that the default passphrase-to-key derivation is deprecated; add -pbkdf2 when you control both ends.
openssl enc -d -aes256 -k [KEY] -in /tmp/backup.tgz.enc -out /tmp/backup.tgz
decrypt with the same passphrase (and the same -pbkdf2 flag if it was used). Remember the output is still a .tgz, so it must be extracted with tar -zxvf afterwards.
john [FILE] --format=descrypt
John the Ripper, where [FILE] holds the hashes you collected (for example lines copied from /etc/shadow). Pick --format from the hash's prefix:
victim:yX.TlL2TaIM3Y:19520:0:99999:7:::
no prefix and 13 characters: traditional DES crypt (descrypt). Common on very old systems and very weak, not least because only the first 8 bytes of the password are used.
victim:$1$x83NbBxt$E7AQumyC9qhT3TaIUe1Bx1:19520:0:99999:7:::
prefix $1$: MD5-based crypt. Use john [FILE] --format=md5crypt
Other prefixes you will meet in shadow files:
$2$, $2a$, $2b$ or $2y$: bcrypt (Blowfish-based), --format=bcrypt
$5$: SHA-256 crypt, --format=sha256crypt
$6$: SHA-512 crypt, --format=sha512crypt
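The prefix-to-format mapping above, turned into a script. This is an added example, not part of the original cheat sheet; the function names shadow_format and split_shadow_by_format are this example's own, and the shadow file it builds is constructed from the two victim lines quoted above plus a locked root entry.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: pick the John the Ripper
# --format for each line of a shadow file from the hash prefix, then split the
# file so every format can be cracked in its own john run.

# Print the john format name for one shadow line (user:hash:lastchg:...).
shadow_format() {
    hash=$(printf '%s\n' "$1" | cut -d ':' -f2)
    case "$hash" in
        '$1$'*)                          echo md5crypt ;;
        '$2$'*|'$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;       # Blowfish-based
        '$5$'*)                          echo sha256crypt ;;
        '$6$'*)                          echo sha512crypt ;;
        ''|'*'|'!'*)                     echo locked ;;       # no usable password
        *)
            # Traditional DES crypt has no prefix: exactly 13 characters of [./0-9A-Za-z]
            if [ "${#hash}" -eq 13 ] && [ -z "$(printf '%s' "$hash" | tr -d './0-9A-Za-z')" ]; then
                echo descrypt
            else
                echo unknown
            fi
            ;;
    esac
}

# Write each shadow line into <outdir>/<format>.txt, skipping locked accounts,
# so john can be pointed at one file per --format.
split_shadow_by_format() {
    mkdir -p "$2"
    while IFS= read -r line; do
        fmt=$(shadow_format "$line")
        if [ "$fmt" = locked ]; then
            continue
        fi
        printf '%s\n' "$line" >> "$2/$fmt.txt"
    done < "$1"
}

# Demo on a constructed shadow file (not real credentials; the two victim
# lines are the ones quoted in the cheat sheet).
tmp=$(mktemp -d)
cat > "$tmp/shadow" <<'EOF'
victim:yX.TlL2TaIM3Y:19520:0:99999:7:::
victim:$1$x83NbBxt$E7AQumyC9qhT3TaIUe1Bx1:19520:0:99999:7:::
root:*:19520:0:99999:7:::
EOF
split_shadow_by_format "$tmp/shadow" "$tmp/out"
ls "$tmp/out"     # descrypt.txt  md5crypt.txt
# Then crack each file with its matching format:
# for f in "$tmp"/out/*.txt; do john "$f" --format="$(basename "$f" .txt)"; done
```

Lines that map to "unknown" (a prefix the script does not know) end up in unknown.txt; look at those by hand before feeding them to john.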
How many requests yielded a 200 status?
cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
counts requests per HTTP status code, most frequent first, for a log in common/combined format: the status is the first word after the closing quote of the request line, so split on '"', take the third field and then its second space-separated word. Read the count off the 200 line.
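The same pipeline as a script, with one caveat a practitioner will hit: Apache escapes a double quote inside the requested URL as \", which throws the split-on-quote approach off by one field. This is an added example, not part of the original cheat sheet; the five log lines are constructed (not captured from a real server) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: count HTTP status codes in a
# common/combined-format access log, comparing the cheat-sheet cut pipeline with
# a version anchored on the end of the request line.

# Constructed sample access log (not from a real server). The last line has an
# escaped quote in the URL, as Apache writes it.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.88.1"
10.0.0.1 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
10.0.0.4 - - [10/Oct/2023:13:55:40 +0000] "GET /?q=a\" HTTP/1.1" 200 77 "-" "Mozilla/5.0"
EOF
}

# Status field via the cheat-sheet pipeline: split on '"', take what follows
# the request line, then its second space-separated word.
status_field_cut() {
    cut -d '"' -f3 "$1" | cut -d ' ' -f2
}

# Same thing anchored on the end of the request line: "HTTP/x.y" followed by
# an unescaped quote, a space and three digits. An escaped \" inside the URL
# cannot match because the backslash is not in [0-9.].
status_field_sed() {
    sed -n 's/.*HTTP\/[0-9.]*" \([0-9][0-9][0-9]\) .*/\1/p' "$1"
}

# Histogram of status codes, most frequent first.
status_histogram() {
    status_field_sed "$1" | sort | uniq -c | sort -rn
}

# Number of requests that got one status code: count_status 200 access.log
count_status() {
    status_field_sed "$2" | awk -v s="$1" '$0 == s { n++ } END { print n + 0 }'
}

# Demo: the naive split reports a bogus "HTTP/1.1" status for the escaped line.
tmp=$(mktemp -d)
make_sample_log "$tmp/access.log"
echo "split on quotes:"
status_field_cut "$tmp/access.log" | sort | uniq -c | sort -rn
echo "anchored on end of request line:"
status_histogram "$tmp/access.log"
echo "requests with status 200: $(count_status 200 "$tmp/access.log")"
```

On a real log, compare the two counts: if they differ, some request lines contain escaped quotes (often a sign of someone probing for injection), and those are worth reading.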