Cheat Sheets & Tips/Tricks

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

Abraham Lincoln

Recent Posts

Exploiting PHP Based LFI

Different PHP Methods. There are two different methods that will create an LFI if not used correctly. Those two are: file_get_contents() – This just displays the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, […]

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times when you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will lessen the amount of time it takes to run the scan, as you aren’t wasting time trying […]

Getting Shells With CrackMapExec

I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw it into this tool to pass it around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t […]

Changing Active Directory Password Using smbpasswd

If you’re able to get valid user credentials, but you’re unable to log in because the password has expired and/or needs to be changed, you can leverage this tool in Kali Linux. smbpasswd -U <username> -r <domainController> Note: You can use either the FQDN of the Domain Controller or its IP address. This tool will prompt […]

Using Hashcat Rules to Create Custom Wordlists

When on an engagement, it is common to need a custom wordlist for either Password Spraying, or Password Cracking when you have captured some hashes. This post intends to serve as a quick guide for leveraging Hashcat rules to help you build effective custom wordlists. To start, let’s begin by setting up the scenario. In […]

Installing Git Bash for Windows

Git Bash for Windows allows you to leverage Unix commands, such as ls, cat, grep, find, etc. It also allows you to easily download tools from GitHub using the git clone syntax. Navigate over to the following URL and download the necessary installer. https://git-scm.com/download/win Save the installer, and then Run as Admin. Then go through […]

Excellent OSINT Questions for Social Engineering Engagements

Please note that this list came from Christopher Hadnagy’s book, Social Engineering: The Science of Human Hacking. Questions for a Corporation: How does the corporation use the internet? How does the corporation use social media? Does the corporation have policies in place for what its people can put on the internet? How many vendors does that corporation have? What vendors […]

Using Text Editors to Replace New Lines w/ Comma

Using Vi: Open the file in the Vi editor. Switch to command mode. To replace all newline characters with a comma, use :1,$s/\n/, /g and press Enter. Using Notepad++: Open a Notepad++ window. Open Find and Replace. Within the Find What field, enter \r\n. Within the Replace with field, enter a comma.

Listing AD Group Membership of Multiple Users in PowerShell

I recently was on an engagement where I was able to successfully compromise a large list of user accounts. I wanted to leverage PowerShell to quickly see which groups these users are a part of to help me decide who to enumerate first. I threw the users into a text file and this is the […]

Enabling XP_CMDSHELL in SQL Server

If you ever get access to SQL credentials, you may be able to use a tool to connect to it via the command line and execute system commands via “XP_CMDSHELL”. However, this feature is not always enabled by default. We’ll start by connecting to our target w/ the following command. sqsh -S <ipAddress> -U <user> -P <password> […]

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration: Attempt to connect anonymously by issuing the below command and specifying the following credentials: anonymous:anonymous. ftp <ipAddress> You can perform banner grabbing w/ the following Metasploit module. use auxiliary/scanner/ftp/ftp_version You can perform brute force with the following Metasploit module. use auxiliary/scanner/ftp/ftp_login Transferring Files: If you have valid credentials, you can use the following […]

Dealing w/ Gobuster “WildCard” and “Status Code” Errors

Have you ever encountered the following error within Gobuster? Error: the server returns a status code that matches the provided options for non existing urls. http://ipaddress/9b9353c0-3de2-4df5-abd7-0f618e4d70ab => 200. To force processing of Wildcard responses, specify the '--wildcard' switch Likely, the webserver you’re attacking is configured to always respond with a 200 response code. For example, […]

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured an NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash. Basic syntax w/ credentials. […]

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them. Uploading and Hosting Files Python Web Server The following will start a webserver in the […]

Using ps.py To Monitor Linux Processes

While working through TheCyberMentor’s Linux Privesc course, I learned something new and wanted to place this here so I can refer to it later. There’s a box on TryHackMe called ConvertMyVideo. This post does not intend to serve as a walk-through or write-up of that box, but rather is using it as an example […]

Command Injection Tips


Enumerating HTTP Ports (80, 443, 8080, etc.)

When enumerating, we want to be able to identify the software/versions that are fulfilling the following roles. This document intends to serve as a guide for hunting for the answers. Web Application – WordPress, CMS, Drupal, etc. Web Technologies – Node.js, PHP, Java, etc. Web Server – Apache, IIS, Nginx, etc. Database – MySQL, MariaDB, […]

Setting Up BurpSuite

Once Burp loads up, there are a few things we need to configure to make our lives easier. Installing and Configuring FoxyProxy First, to make our lives easier, let’s install the Firefox add-in for FoxyProxy. With the add-in installed, let’s head into the Options. Now we can Add a new entry. Let’s create the New […]

Enumerating SMB for Pentesting (Ports 445, 139)

Using NMAP: Scan for popular RCE exploits. sudo nmap -p 139,445 --script smb-vuln* <ip-addr> -oA nmap/smb-vuln Identify the SMB/OS version. nmap -v -p 139,445 --script=smb-os-discovery.nse <ip-addr> Using SMBMAP: To list out the shares and associated permissions: smbmap -H <ip-addr> To list out the shares recursively: smbmap -R <sharename> -H <ip-addr> To list shares as an […]

File Transfer in Linux: Uploading & Executing in Memory

This example will show us uploading LinEnum.sh to a victim machine and executing the file straight into memory so that we write nothing to the hard-drive. On our attacking box, find the executable you wish to transfer and run the following command: cat <filename> | nc -nvlp 9002 On the victim machine, change into the […]

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

If you find a Local File Inclusion (LFI) in an application running PHP, you can leverage a PHP wrapper to convert the file to Base64, which you can then decode on your own machine to view the source code of the page. In this example, we’ll be using FRIENDZONE on HackTheBox. Confirming LFI on our example: At the following […]

Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method. In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines. We’ll do that here. There is a […]

Upgrading Simple Shells to Interactive TTYs w/ Python

This is a quick and easy post, mainly for my own reference moving forward. It will showcase how to upgrade and improve your reverse shells so that they are more user friendly. Once you have a reverse shell, start by running the command python -c 'import pty;pty.spawn("/bin/bash")' Now we’ll background the window with Ctrl + […]

Tmux Cheatsheet for Splitting Terminal Panes and More

Note: <PrefixKey> by default is Ctrl + B. Creating Tmux Sessions and Windows: tmux new -s Example Create a new tmux session titled “Example” <PrefixKey> + C Create a new window within the session <PrefixKey> + Number Takes you to your different windows. Windows are identified by the banner down below. <PrefixKey> + , Rename […]

Hacking Methodology Cheatsheet

This post is going to contain a list of common tools, vulnerabilities, & methodology tactics broken down by category and contains links to references that will showcase examples. This document will be updated often as I work through more and more resources. Enumerating Common Services Enumerating SMB 139,445 Using smbmap and smbclient to crawl and […]

Unzipping Rockyou.txt.gz in Kali Linux

Stupid simple post. Creating this as I never remember the syntax and have to look it up each time I spin up a new VM. Posting the command here for my own personal gain in the future. sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)

There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP. Table of Contents: Non-Meterpreter Binaries, Non-Meterpreter Web Payloads, Meterpreter Binaries, Meterpreter Web Payloads. Non-Meterpreter Binaries: Staged Payloads for Windows x86 […]

