Tips & Tricks

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

Abraham Lincoln

Recent Posts

How to Export List of Domain Users in Active Directory Without AD Cmdlets

If you find yourself on a workstation that doesn’t have AD Cmdlets installed, you won’t be able to run things like “Get-ADUser”. However, you can use the following commands in PowerShell to output a list of domain users and format it in a way that is helpful for password spraying attacks.

Adding/Fixing Color Within Tmux on Ubuntu

I’ve found that anytime I spin up an Ubuntu system, whether in Digital Ocean, Google Cloud, or even through Windows Subsystem for Linux, color doesn’t seem to be working properly. To fix this, there is a handy workaround that is very simple to implement. First, let’s create a bash alias so that launching Tmux will…

Tcpdump Cheatsheet

This post contains various commands that may come in useful when utilizing tcpdump. This article will be expanded upon as time goes on. Basic Usage: Run tcpdump to collect traffic: sudo tcpdump -i <interface>. Run tcpdump with verbosity: sudo tcpdump -i <interface> -v. Disable DNS conversion: sudo tcpdump -i <interface> -n. Quieter output: sudo tcpdump -i <interface> -q. Specify…

Pivoting to Attack Remote Networks Through Meterpreter Sessions and Proxychains

How to configure the tools Once you have a Meterpreter session for a compromised machine, you can utilize Metasploit to start leveraging that machine as a proxy. This is very useful, as you will be able to run tools from your attacker system, outside the network, against systems that are local to the network you’ve…

Port Forwarding Through SSH Connections

There are multiple ways to configure SSH for port forwarding, and this post intends to serve as a handy cheatsheet that you can reference the next time you need this functionality. When SSH is Already Established If you already have an SSH connection up, you can insert SSH command mode by typing the following on…

Improving Windows PowerShell Reverse Shells For Up/Down Arrows

When you use Netcat to catch a PowerShell reverse shell, like Nishang, you’ll notice that you won’t have the ability to use up/down arrow keys. This could be a huge pain when you’re stuck in this type of shell. However, there is a tool that we can leverage that should improve your experience with these…

Using Ping TTL Values to Fingerprint Operating Systems

Using Ping You can start by pinging your target system. ping <targetIP> Take a look at the returned TTL value. As long as you’re able to ping the host directly without going through dozens of hops, the returned TTL should give you a hint as to what OS the system is running. Windows by default…

Tunneling Through Windows Machines with Chisel

Chisel is an application that makes port forwarding simple when you’re going against a Windows host. This is especially useful in instances where there is a service running and only available on the loopback interface of a compromised Windows computer. Using Chisel in a setup like this will allow you to use any tools you…

How to Route Public Python Exploit Code Through Burp Suite

When you come across public exploit code written in Python, it is sometimes easiest to just route the exploit through Burp Suite so you can understand what it’s doing, especially in cases where the code interacts with web applications. To do this, we can simply add some code that instructs the script to use a…

Extracting Password Policy From Domain Machines

Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this. Using CrackMapExec: crackmapexec smb <targetIP> --pass-pol If that doesn’t work,…

Exploiting PHP Based LFI

Different PHP Methods There are two different methods that will create an LFI if not used correctly. Those two are: file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method,…

Dropping SSH Keys on Compromised Linux Hosts

Once you have a reverse shell, you may want to consider dropping a SSH key so that you can return at a later time. This guide intends to serve as a quick tutorial on how to do this. From the Compromised Remote Host: Navigate to and/or create the following directory. /home/<user>/.ssh Change into it, and…

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times where you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will allow you to lessen the amount of time it takes to run the scan, as you aren’t wasting time trying…

Getting Shells With CrackMapExec

I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw it into this tool to pass it around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t…

Changing Active Directory Password Using smbpasswd

If you’re able to get valid user credentials, but you’re unable to log in because the password has expired and/or needs to be changed, you can leverage this tool in Kali Linux. smbpasswd -U <username> -r <domainController> Note: You can use either the FQDN of the Domain Controller or its IP address. This tool will prompt…

Using Hashcat Rules to Create Custom Wordlists

When on an engagement, it is common to need a custom wordlist, either for Password Spraying or for Password Cracking when you have captured some hashes. This post intends to serve as a quick guide for leveraging Hashcat rules to help you build effective custom wordlists. To start, let’s begin with setting the scenario up. In…

Installing Git Bash for Windows

Git Bash for Windows allows you to leverage Unix commands such as ls, cat, grep, and find. It also allows you to easily download tools from GitHub using the git clone syntax. Navigate over to the following URL and download the necessary installer. https://git-scm.com/download/win Save the installer, and then Run as Admin. Then go through…

Excellent OSINT Questions for Social Engineering Engagements

Please note that this list came from Christopher Hadnagy’s book, Social Engineering: The Science of Human Hacking. Questions for a Corporation: How does the corporation use the internet? How does the corporation use social media? Does the corporation have policies in place for what its people can put on the internet? How many vendors does that corporation have? What vendors…

Using Text Editors to Replace New Lines w/ Comma

Using Vi: Open the file in the Vi editor. Switch to command mode. To replace all newline characters with a comma, use :1,$s/\n/, /g and press Enter. Using NotePad++: Open a NotePad++ window. Enter Find and Replace mode. Within the Find What field, enter the following: \r\n. Within the Replace With field, enter a comma.

Listing AD Group Membership of Multiple Users in PowerShell

I recently was on an engagement where I was able to successfully compromise a large list of user accounts. I wanted to leverage PowerShell to quickly see which groups these users are a part of to help me decide who to enumerate first. I threw the users into a text file and this is the…

Enabling XP_CMDSHELL in SQL Server

If you ever get access to SQL credentials, you may be able to use a tool to connect to it via the command line and execute system commands via “XP_CMDSHELL”. However, this feature is not always enabled by default. We’ll start by connecting to our target w/ the following command. sqsh -S <ipAddress> -U <user> -P <password>…

Dealing w/ Gobuster “WildCard” and “Status Code” Errors

Have you ever encountered the following error within Gobuster? Error: the server returns a status code that matches the provided options for non existing urls. http://ipaddress/9b9353c0-3de2-4df5-abd7-0f618e4d70ab => 200. To force processing of Wildcard responses, specify the '--wildcard' switch Likely, the…

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured an NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash. Basic syntax w/ credentials.…

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them. Uploading and Hosting Files Python Web Server The following will start a webserver in the…

Using ps.py To Monitor Linux Processes

While working through TheCyberMentor’s Linux Privesc course, I learned something new and wanted to place this here so I can refer to it later. There’s a box on TryHackMe called ConvertMyVideo. This post does not intend to serve as a walk-through or write-up of that box, but rather is using it as an example…

Command Injection Tips


Setting Up BurpSuite

Once Burp loads up, there are a few things we need to configure to make our lives easier. This guide intends to serve as a list of steps that I like to do after a fresh install of Burp Suite: Installing Java to Launch Burp via CLI; Installing and Configuring FoxyProxy; Disabling Firefox’s Captive Portal; Installing the Burp’s…

Searching for NSE Scripts Built-in to Nmap

Using the following line of code will help you search through the available NSE scripts built into the nmap tool. locate -r nse$|grep <term> For example, we could search through LDAP related scripts with: locate -r nse$|grep ldap You can then use one of the scripts with --script <scriptname> For example, if we wanted…

File Transfer in Linux: Uploading & Executing in Memory

These examples will show us uploading LinEnum.sh to a victim machine and executing the file straight in memory so that we write nothing to the hard drive. Method A: Using Netcat On our attacking box, find the executable you wish to transfer and run the following command: cat <filename> | nc -nvlp 9002 On the victim…

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

If you find a Local File Inclusion (LFI) in a PHP application, you can leverage a PHP wrapper to convert the file to Base64, which you can then decode on your own machine to view the source code of the page. In this example, we’ll be using FRIENDZONE on HackTheBox. Confirming LFI on our example At the following…

Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method. In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines. We’ll do that here. There is a…

Upgrading Simple Shells to Interactive TTYs w/ Python

This is a quick and easy post, mainly for my own reference moving forward. It will showcase how to upgrade and improve your reverse shells so that they are more user friendly. Once you have a reverse shell, start by running the command python -c ‘import pty;pty.spawn(“/bin/bash”)’ Now we’ll background the window with Ctrl +…

Tmux Cheatsheet for Splitting Terminal Panes and More

Note: <PrefixKey> by default is Ctrl + B. Creating Tmux Sessions and Windows: tmux new -s Example creates a new tmux session titled “Example”. <PrefixKey> + C creates a new window within the session. <PrefixKey> + Number takes you to your different windows; windows are identified by the banner down below. <PrefixKey> + , renames the current window. <PrefixKey> + D detaches your tmux…

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources. Enumerating Common Services Enumerating SMB 139,445 Using smbmap and smbclient to crawl and…

Unzipping Rockyou.txt.gz in Kali Linux

Stupid simple post. Creating this as I never remember the syntax and have to look it up each time I spin up a new VM. Posting the command here for my own personal gain in the future. sudo gzip…

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)

There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP. Table of Contents:- Non Meterpreter Binaries-…
