# Explore Attack Surface

```bash
# enumerate the host and look for vulnerable apps/services
sudo nmap -sC -sV <target_ip> -T4 -p-
```

# Adding an Exploit Module to MSF

```bash
locate exploits   # MSF exploits are stored in /usr/share/metasploit-framework/modules/exploits
```

- for example, add a module from the MSF GitHub repo to `/usr/share/metasploit-framework/modules/exploits/linux/http` as a `.rb` file
- all MSF exploit modules are written in Ruby

# Spawning a TTY Shell with Python

- after dropping into a system shell, if no prompt is present it is most likely a non-TTY shell, aka a "jail shell"
- manually spawn an interactive TTY shell using Python

```bash
which python   # confirm python is present on the system
python -c 'import pty; pty.spawn("/bin/sh")'
```

# Spawning a TTY Shell with Other Languages/Tools

```bash
/bin/sh -i     # execute the shell interpreter at the given path in interactive mode
/bin/bash -i   # execute the shell interpreter at the given path in interactive mode
perl -e 'exec "/bin/sh";'
awk 'BEGIN {system("/bin/sh")}'
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find . -exec /bin/sh \; -quit   # find uses its -exec option to start the shell interpreter directly
vim -c ':!/bin/sh'
```

```bash
# open vim and enter these lines in command mode to spawn an interactive shell
vim
:set shell=/bin/sh
:shell
```

## Check Permissions

```bash
ls -la /bin/sh   # check perms for a binary using its absolute path
sudo -l          # check the current user's sudo perms
```

## Commands to be run within scripts

```bash
exec "/bin/sh"         # can be run from within a Ruby or Perl script
os.execute('/bin/sh')  # can be run from within a Lua script
```