Spawning a TTY: ​https://netsec.ws/?p=337

Privilege Escalation
​https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

gobuster dir -u <IP Address> -w <Wordlist> -e -s "200,301,302,401" -t 100

Python 3.8

​import os
os.setuid(0)
os.system("/bin/bash")

“If you know the enemy and know yourself, your victory will not stand in doubt.”
- Art of War, Sun Tzu taught. Threat Intelligence is the key for Blue Team while Reconnaissance is the key for the success of the Red Team.

Tools for getting the publicly available information of the Target. This will not trigger/alert the target.
Common tools:
- whois
- nslookup

#whois: Most of the Unix/Linux will have the whois client by default. whois search will give you information about the registrar, nameservers etc. 

commmand: whois <domainname>

#nslookup
command: nslookup -type=<> <domainname> 1.1.1.1

Type
a or A - ipv4
aaaa or AAAA -ipv6
mx or MX for mailserver
txt or TXT for txt file 

server
1.1.1.1 - cloudflare
8.8.8.8 - google
​

Nmap is an amazing tools used by Red and Blue teamer for offensive and defensive purposes.To run the Nmap command you'll need a target machine or a list of target machines. 

• nmap -iL list_of_hosts.txt.

​
- Used at the recon stage.
- ​Most command command is nmap -sV -sC <target ip-address>
* this command is too noisy. 

• nmap -Pn <target ip-address>
• ​nmap -sV -sC -p 22,80 -T4 10.129.189.116

Script:
​
ports=$(nmap -p- --min-rate=1000 -Pn -T4 <IP ADDRESS> | grep '^[0-9]' | cut -d '/' -f 1| tr '\n' ',' | sed s/,$//)
nmap -p$ports-Pn-sC-sV <IP ADDRESS>