linux_bash_commands.md

File metadata and controls

62 lines (49 loc) · 3.09 KB

Basic Linux commands

cd change directory
cd .. change directory, go back up the tree
pwd print working directory
find search for files when you don't know the name of a file
find / -name Foo.txt when you know the name of a file but can't remember where you saved it, use find to search for it; this example searches the whole filesystem starting from /
Use 2>/dev/null to silence permission errors (or use sudo to gain all permissions).
grep search for matching patterns in a file
ls list
ls -la list all files, including hidden ones, in long format
cat concatenate command, reads data from the file and prints it to standard output
su [username] switch user
strings [FILE] run strings on a file to see the printable text inside a binary or data file
ps process status, used to view information about active processes on the system
ps -edf process status for all processes, including those that belong to other users and those running as daemons (background processes), displayed as a full-format listing

Extract files

tar -zxvf filename extract a gzip-compressed tar file to the current directory
tar -jxvf filename extract a bzip2-compressed tar file to the current directory
bunzip2 backup.bz2 extract a bzip2 .bz2 file
cpio -idv --no-absolute-filenames < [filename] extract a cpio archive (--no-absolute-filenames stops the archive from writing outside the current directory)

MySQL

mysql -u root access mysql
mysql -u root -p access mysql with password

Queries

show databases; show available databases
use [DATABASE]; select the database to work in
show tables; list the tables in the current database
select * from [TABLE]; select all rows from the table
select load_file('[FILENAME]'); read the content of a file using the load_file(...) MySQL function. Newer versions are locked down and more restricted (for example by secure_file_priv and FILE privilege requirements).

The show and use commands will not work in SQL injections; they are client-side internal commands that are not part of SQL.

When logged in as mysql

When logged in as the system user mysql, it is possible to access the data files directly through the backend instead of going through the database.

Encoding / Decoding

openssl enc -aes256 -k [KEY] -in /tmp/backup.tgz -out /tmp/backup.tgz.enc encrypt with a passphrase
openssl enc -d -aes256 -k [KEY] -in /tmp/backup.tgz.enc -out /tmp/backup.tgz decrypt (remember you still need to decompress the tgz file!)
john [FILE] --format=descrypt run John the Ripper, where [FILE] is the file containing the hashes you want to crack.

victim:yX.TlL2TaIM3Y:19520:0:99999:7:::
Here the algorithm used is DES crypt (you can tell by the size and format of the hash: 13 characters and no $id$ prefix).
This is common on very old systems and it's very weak (especially since only the first 8 characters of the password are kept).

victim:$1$x83NbBxt$E7AQumyC9qhT3TaIUe1Bx1:19520:0:99999:7:::
This time MD5 crypt is used. It can be detected by the prefix of the hash: $1$.
Use john [FILE] --format=md5crypt

If you look at other files, you can tell the algorithm from the prefix in the same way:

if the hash starts with $2$ or $2a$, Blowfish (bcrypt) is used;
if the hash starts with $5$, SHA-256 crypt is used;
if the hash starts with $6$, SHA-512 crypt is used.
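The prefix rules above, turned into a small shell function that reads a /etc/shadow-style line and prints the John the Ripper --format name to use. This is an added example, not part of the original cheat sheet; the sample lines other than the two shown above are constructed, and the bcrypt, sha256crypt and sha512crypt format names are John's own names for those hash types.

```bash
#!/bin/sh
# Print the John --format name for the password hash in a shadow-style line.
# Identification follows the $id$ prefix; a bare 13-character hash is DES crypt.
shadow_hash_format() {
    # Field 2 of a shadow line (user:hash:lastchg:min:max:warn:inactive:expire:) is the hash.
    hash=$(printf '%s' "$1" | cut -d ':' -f2)
    case "$hash" in
        '$1$'*)             echo "md5crypt" ;;
        '$2$'* | '$2a$'*)   echo "bcrypt" ;;
        '$5$'*)             echo "sha256crypt" ;;
        '$6$'*)             echo "sha512crypt" ;;
        '!'* | '*'*)        echo "locked" ;;      # account locked or no password set
        '')                 echo "empty" ;;       # empty password field
        *)
            # No prefix: traditional DES crypt is exactly 13 chars of [./0-9A-Za-z]
            if printf '%s' "$hash" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo "descrypt"
            else
                echo "unknown"
            fi ;;
    esac
}

# Constructed sample lines (the first two are the ones shown in this document).
sample_lines='victim:yX.TlL2TaIM3Y:19520:0:99999:7:::
victim:$1$x83NbBxt$E7AQumyC9qhT3TaIUe1Bx1:19520:0:99999:7:::
bob:$6$constructedsalt$constructedhashvalue:19520:0:99999:7:::
daemon:*:19520:0:99999:7:::'

printf '%s\n' "$sample_lines" | while IFS= read -r line; do
    printf '%-16s %s\n' "$(shadow_hash_format "$line")" "$line"
done
```

The printed format name is what you pass to john [FILE] --format=... when cracking that file.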

Specific Bash commands

How many requests yielded a 200 status? cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn
This splits each combined-format log line on the double quotes, takes the field after the request line (status code and size), keeps the status code, and counts how often each code appears; the count next to 200 is the answer.